How to clean Zimbra mail queue as root user

You may come across a problem when trying to clean Zimbra mail queue as Zimbra user as lack of privileges.

When trying to log in as Zimbra and run the command below, I came across a privilege’s problem as Zimbra user was unable to run postsuper command:

[zimbra@mailmachine root]$  mailq | tail -n +2 | awk 'BEGIN { RS = "" } / spam.user@spammer.net/ { print $1 }' | tr -d '*!' | postsuper -d -
postsuper: fatal: use of this command is reserved for the superuser

If you check mail queue as root user, you won’t see Zimbra messages. What you can do, is use binaries of Zimbra. Here is how I was able to clean mail queue with root user for Zimbra:

[root@mailmachine sbin]# /opt/zimbra/common/sbin/mailq | tail -n +2 | awk 'BEGIN { RS = "" } / spam.user@spammer.net/ { print $1 }' | tr -d '*!' | /opt/zimbra/common/sbin/postsuper -d -
postsuper: F22125044F450: removed
postsuper: F24D45044B05C: removed
postsuper: F31595048D7A0: removed
postsuper: F307B50478E75: removed
postsuper: F155F5049BCF0: removed
postsuper: F3A22504CAC00: removed
postsuper: F40E2504A3B49: removed
...

This will successfully clean Zimbra mail queue – messages from user spam.user@spammer.net. You may have different paths to your mailq and postsuper. I noticed that on some installations, path is “/opt/zimbra/postfix/sbin/postsuper”.

Migrate email accounts to different user account on the same cPanel server

Maybe you’ll want to merge two separate cPanel accounts on the same server, but you won’t be able to, because you can’t simply just delete domain from the first account, and you can’t add domain to the second account because it exists on the first one :).

You can migrate email and other user data simply, by creating backup of user account and delete it from cPanel. Below, I will show how to migrate just email. But you can also migrate websites like this.

  1. Make copy of primary user account (if websites, also make sure to dump databases of that user)
    root@cpanel [/home]# cp -rp useraccount1  useraccount1.bak
  2. Make copy of email aliases of primary account so they wont get lost after delete of primary account
    cp /etc/valiases/userdomain.com /etc/valiases/userdomain.com.bak
  3. Delete primary user account in cPanel – useraccount1 in our case
  4. Add domain of primary account to secondary account (useraccount2). Now you’ll be able to, because domain don’t exist on the system anymore.
  5. Copy settings from primary account from backup to secondary one (the one you added domain to) and set right permissions:
    root@cpanel [/home]# cp -rp /home/useraccount1.bak/etc/userdomain.com  /home/useraccount2/etc/userdomain.com
    chown -R useraccount2: /home/useraccount2/etc/userdomain.com
  6. Copy all email accounts to new account and set right permissions
     cp -rp /home/useraccount1.bak/mail/userdomain.com /home/useraccount2/mail/userdomain.com
    
    chown useraccount2:mail /home/useraccount2/mail/userdomain.com
    
    chown -R useraccount2: /home/useraccount2/mail/userdomain.com/*
  7. Recreate alliases
    cp /etc/valiases/userdomain.com.bak  /etc/valiases/userdomain.com

That’s it. You should be able to see email accounts for userdomain.com in new cPanel account. All passwords should remain the same as before.

Change email password on Directadmin with CLI / command line

It can happen that you don’t have access to Direcadmin’s GUI, but you have root access. I had this situation with one installation with very old OS on which the license was unable to update. So because of invalid license, control panel was not accessible. You can change email password from command line like this.

  • Go to virtual directory where passwords are saved
    myDA:~# cd /etc/virtual/mydomain.com/
    myDA:/etc/virtual/mydomain.com# 
  • You can generate new crypted passowrd like bellow. “mynewpassword” is new password.
    [root@server ~]# openssl passwd -1 -salt saltsalt mynewpassword
    $1$saltsalt$XCrU04m/7D.n5Ami6FbHo/
  • Copy generated hash from previous step and change it inside  /etc/virtual/mydomain.com/passwd

That’s it. You should be able to log in into the email account with a new password.

Found this here. Thank you very much!

SNI support for Dovecot and Postfix

If you are in position that you need multiple SSL certificates for different domains on single mail server, you can do it with SNI. Of corse, on very old versions this is not supported. Check documentation first, if its supported for your version of Dovecot and Postfix.

Dovecot:

In case of incoming mailserver Dovecot it’s easy as listed bellow. I made file ssl-sni.conf in which I add SNI configurations for my domains. Then I included ssl-sni.conf in main dovecot config.

Create ssl-sni.conf and add your SNI definitions in it:

local_name mail.domain1.com {
ssl_cert = </etc/ssl/certs/domain1/fullchain.pem
ssl_key = </etc/ssl/certs/domain1/privkey.pem
}

local_name pop3.domain2.com {
ssl_cert = </etc/ssl/certs/domain2/fullchain.pem
ssl_key = </etc/ssl/certs/domain2/privkey.pem
}
...

Then include this in main dovecot config (you can add those configurations directly in dovecot.conf or 00-ssl.conf also. I just prefer separate this):

# SNI include
!include ssl-sni.conf

Postfix:

As for Postfix, configuration is also simple:

Inside /etc/postfix/, create file domain_ssl.map and add ssl definitions in it:

mail.domain1.com /etc/ssl/certs/domain1/privkey.pem /etc/ssl/certs/domain1/fullchain.pem
smtp.domain2.net /etc/ssl/certs/domain2/privkey.pem /etc/ssl/certs/domain2/fullchain.pem

Run postmap and restart Postfix:

[root@mail postfix]# postmap -F domain_ssl.map which will create domain_ssl.map.db
[root@mail postfix]# systemctl restart postfix

If everything is OK, you should now have SNI supported mail server.

Directadmin – Unrouteable address error on incoming mail

I had this stupid error the other day on Directadmin. I upgraded Exim to the latest version and then all mail sent to address@email.com which was on this server was bounced with the error “Unrouteable address”. From the past, I knew that errors like this can be due to exceeded mail limit. But in this case, this was happening only for one mail out of 50 others, and no limits were reached.

After some searching, I found out that there was an alias pointing to the email address itself, which was causing this error. I removed the forwarder (alias) and incoming mail started to work again on this mailbox.

2021-05-09 20:53:28 H=([1.1.1.1]) [2.2.2.2] F=<us11-99cb50d256-903kjsd32113@inbound.mailchimp.com> rejected RCPT <address@email.com>: Unrouteable address

So I had mail forwarder like:
address@email.com -> address@email.com

So when dealing with such an error, just remove the alias like described above.

Slow email sending from cPanel SMTP

I received a few complaints from different people, that sending of email messages is really slow. This didn’t make any sense, because no modifications were made on the server.

After an hour, I found that this was caused by Exim setting “Delay SMTP Transaction”. Quoting cPanel: The SMTP receiver will wait a few additional seconds for a connection when it detects spam messages in order to reduce inbound spam. 

So it’s another weapon to fight spam mail, but it makes sending slower.

You can disable this feature in Exim Configuration Manager -> ACL Options -> Introduce a delay into the SMTP transaction for unknown hosts and messages detected as spam.

When disabled, your emails should be fast again.

Directadmin – get disk size information for every email account on your server/user

If you want to get information about how much of disk is consuming every email account on your Directadmin server, then you can use this command.

[root@post ~]# find /home/*/imap/*/*/ -maxdepth 1 -type d -exec du -sh {} \; | awk -F '/' {'print $6"@"$5 " -> " $1'}
info@domain1.si -> 60K
test@domain1.si -> 60K
lala@domain1.ba -> 529M
info@somedomain.ba -> 529M
igor@somedomain.eu -> 772K
...

If you would want for every email account of some specific user, than you can use this:

[root@post ~]# find /home/user1/imap/*/*/ -maxdepth 1 -type d -exec du -sh {} \; | awk -F '/' {'print $6"@"$5 " -> " $1'}
info@domain1.si -> 1.3G
test2@domain1.it -> 1.3G
igor@test.si -> 68M
...

Simple, but it can save some time 🙂

cPanel – change email password without cPanel access – edit shadow file

I had issue with cPanel on which license was expired. So web interface wasn’t accessible. One client had situation and need to change email password urgently. Because cpanel wasn’t accessible, he was unable to do so. There is a trick. You can change mail password without accessing cpanel directly. You can modify shadow file and paste new password hash. cPanel stores email passwords in shadow file. Here is how you can do it.

First, you need to generate new password hash in SHA512 format. You can do it with python:

[root@machine ~]# python3 -c 'import crypt; print(crypt.crypt("mynewpassword", crypt.mksalt(crypt.METHOD_SHA512)))'
$6$Xy/Xjk9kArTdnMeh$tZemrVaYPG8kqW0DFxpxGXzurUWYx/3qoYA5xw1KYokYaVS/34jMWrFbrjf95xjOlOrskVAZeXSnKLAPn56pi.

Then you need to locate shadow file for your user and edit it:

root@cpanel [~]# cd /home/test/etc/testdomain.com
root@cpanel [/home/test/etc/testdomain.com]#
root@cpanel [/home/test/etc/testdomain.com]# vi shadow

Here is original hash for our user. You should change it with hash generated in first step. Change part which is marked with bold:

test:$6$o/dl07XTG2tht5ir$GZQ8DCOQQ1FG9U/G87aq0kOiEru8ndwWK8RbrDy6vbl9DCKSDEsejjIxwfvO329a4dONuypsQx9HuUj6MVuqx.:18269::::::

so it looks like this:

test:$6$Xy/Xjk9kArTdnMeh$tZemrVaYPG8kqW0DFxpxGXzurUWYx/3qoYA5xw1KYokYaVS/34jMWrFbrjf95xjOlOrskVAZeXSnKLAPn56pi.:18269::::::

That’s it, you should be able to login in webmail with new password, generated with python – frist step.

Permanent block ratelimited user with Rspamd and fail2ban

This one was a little tricky. I had few mail servers with a lot of accounts. I setup rspamd instance in proxy mode. Then I called rspamd on every mail server with postfix milter. Rspamd works beautifully, ratelimiting is very useful too. But I in case of abusive mail sender, I wanted to permanently block IP from which spam originated. You can’t permanently block IPs with rspamd because ratelimit module can’t add IP address to some file.

So Fail2ban came to mind. I setup fail2ban on my rspamd installation and create filter which watches rspamd log and wait for cases when ratelimit is triggered. When fail2ban counts 10 cases of triggered ratelimit, filter puts IP of ratelimited sender to special blacklist file (ip_blacklist_ratelimit.map) which is included in rspamd multimap  definition – permanent block. Spamer IP is blocked permanently this way. 

I had few cases when some users password was stolen and spam was sending. Fail2ban and rspamd sucsessfuly banned those IPs. I also created action which will notify administrator when fail2ban blocks IP.

Rspamd ratelimit config:


# limit outgoing authenticated users
user = {
bucket = [
{
burst = 10; # capacity of 10 messages in bucket
rate = "1 / 1min"; # leak 1 messages per minute
},
{
burst = 100; # capacity of 100 messages in bucket
rate = "30 / 60min"; # leak 30 messages per hour
}]
}
}

Rspamd multimap definition for blocking blacklisted IPs:


# block users exceeded ratelimits 5 times
IP_BLACKLIST_RATELIMIT {
type = "ip";
prefilter = "true";
map = "${LOCAL_CONFDIR}/local.d/maps/ip_blacklist_ratelimit.map";
action = "reject";
}

Fail2ban jail configuration:


[rspamd-ratelimit]
enabled = true
action = rspamd-banip
ratelimit-alert[name=Rspamd-ratelimit, dest=terminator@myemail.com]
backend = auto
filter = rspamd-ratelimit
logpath = /var/log/rspamd/rspamd.log
maxretry = 10
bantime = 3600

Fail2ban filter for rspamd – rspamd-ratelimit.conf:


# Fail2Ban filter for rspamd ratelimit
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = rspamd_proxy
failregex = ^.*rspamd_proxy.*ip: .*?Ratelimit ".*?" exceeded

# Author: Igor Mazej

Fail2ban action for rspamd – rspamd-banip.conf:


#
# Author: Igor Mazej
#
#
[Definition]
actionstart = touch /etc/rspamd/local.d/maps/ip_blacklist_ratelimit.map
actionban = printf %%b "\n" >> /etc/rspamd/local.d/maps/ip_blacklist_ratelimit.map
actionunban = sed -i "//d" -i.backup /etc/rspamd/local.d/maps/ip_blacklist_ratelimit.map
[Init]

CSF – whitelist user from SMTP_BLOCK

CSF features great option SMTP_BLOCK which block outgoing SMTP for all users except root, exim and mailman. I had a problem with one user which was using MailChimp as mass mailing within their application. Because of SMTP_BLOCK it wasn’t working. Disabling SMTP_BLOCK globally is not recommended, you can white list users for which you would like to allow sending.

Go to your CSF settings and find SMTP_ALLOWUSER. Then add user which should be allowed (users separated with coma). Don’t forget to restart CSF.

© 2024 geegkytuts.net
Hosted by SIEL


About author