cPanel email problem – (13): Permission denied: failed to chdir to /home/username

I had this weird issue on one of our production cpanel servers where user’s email stopped working without any reason. Only error that was available was:

T=dovecot_virtual_delivery defer (13): Permission denied: failed to chdir to /home/username

From time to time users document root permissions were set to user nobody and execution privileges were removed. Because of this, email wasn’t working and I couldn’t find out why.

After a lot of headache I googled across this thread. Permissions were altered by cPanel’s File Protect. Somehow file protect recognized this accounts permissions weren’t right. After checking in users account, there was sub-domain created for which document root was set to “/”. This is not valid document root, and because of this, file protect altered users permissions.

I changed document root for this sub-domain and problem was solved. You should also correct user’s permissions on document root after fixing issue with file protect:

chmod +x /home/username
chown username:username /home/username

You should make sure that user accounts permissions are absolutely correct.

Hope this saves some sleep ūüôā

cPanel: Your server does not support the connection encryption type you have specified

If you’re¬†getting message like¬†“Your server does not support the connection encryption type you have specified” when try to set up email in your Outlook, then chances are that your cPanel mail server has disabled some needed encryption types.

By default, cPanel disables all those protocols: SSLv2, SSLv3, TLSv1, TLSv1.1. SSL2 and SSL3 should be disabled at all costs, but you may not get away with TLS 1.1 or even TLS 1 being disabled.

To enable TLS 1 and TLS 1.1 in your Exim, login as admin in your cpanel and then: Home -> Service Configuration -> Exim Configuration Manager. Select second option so you can insert your own directives and add this:

 +no_sslv2 +no_sslv3

RoundCube: Could not save new password. Connection error. Recv failure: Connection reset by peer

If you’re having trouble when try to change your email password in Roundcube on your Directadmin installation, than error will be probably something like this:

Could not save new password. Connection error. Recv failure: Connection reset by peer

Solution is simple. Just open Roundcube configuration file (/var/www/html/roundcube/plugins/password/config.inc.php) and find:

$rcmail_config['password_directadmin_host'] = 'tls://localhost';

then, change it to:

$rcmail_config['password_directadmin_host'] = 'ssl://localhost';

It should work.

malware acl condition: clamd: unable to send file body to socket (127.0.0.1)

If you see error like this in your mail logs, than chances are that your ClamAV is not able to process attachments files larger than limit set in clamav configuration. In this case, sender which sent email with larger attachment to your server, will get something like this in respond:

[10.10.10.10] #<[10.10.10.10] #5.0.0 smtp; 5.4.7 - Delivery expired (message too old) [Default] 451-'Temporary local problem - please try later' (delivery attempts: 75)> #SMTP#

In your mail log you’ll see something like this:

+++ 1e248B-000NMy-T6 has not completed +++
1969-08-15 01:40:21 1e248B-000NMy-T6 malware acl condition: clamd : unable to send file body to socket (127.0.0.1)
1969-08-25 01:40:21 1e248B-000NMy-T6 H=some.hostname.com [1.1.1.1] X=TLSv1:RC4-SHA:128 CV=no F=<prvs=449d2f142=senders@email.com> temporarily rejected after DATA

To solve this, open your clamav.conf file (/etc/clamav.conf or find your location) and change value for StreamMaxLength according to your needs. Default value is 25M.

Don’t forget to restart your ClamAV.

Directadmin – find all email forwarders on server for specific email account

Here is simple one liner for finding all mail aliases on Directadmin server that are forwarding to your email account Рin this example your@email.com. All aliases are saved in files /etc/virtual/<domain_name>/aliases.

[root@directadmin ~]# grep -ri "your@email.com" /etc/virtual/*/aliases | awk -F '/|:' {'print $4 ": " $6 " ->" $7'}
email.com: alias1 -> your@email.com
somedomain.net: sales -> your@email.com,mail2@somedomain.net
anotherdomain.com: chacha -> myaddress@anotherdomain.com,this@email.com,your@email.com
.
.
.

Migrate email to gmail with imapsync – Host2 failure: Error login

So you want to migrate your emails from your hosting to your Gmail and you can’t get it to work with imapsync? You¬†triple checked your login credentials and are correct but transfer still doesnt work. So what is causing¬†error bellow?

Host2 failure: Error login on [66.102.1.108] with user [mymail@mydomain.com] auth [LOGIN]: 2 NO [ALERT] Please log in via your web browser

You have to login to your Google Apps settings (Security -> Advanced security settings) and change value for Less secure apps to: Enforce access to less secure apps for all users. Than it should work.

check_eximailqueue: query returned no output! [FIX]

If you are icinga/nagios user and dealing with exim, you probably know for wonderful plugin check_eximailqueue. This plugin warns you when there are specific amount of email in your exim mail queue. Usually this indicates spam.

I installed this plugin on CentOS 7 with Directadmin installed. When I was executing plugin locally, it worked fine. But when I tried to execute it remotely (from Icinga server), it failed.

This was error returned when executing from Icinga server:

> # /usr/local/libexec/nagios/check_nrpe -H my.serverhostname.com -c check_exim_queue
Mailqueue WARNING - query returned no output!

I added “nagios¬† ALL=(ALL) NOPASSWD:/usr/sbin/exim” to my /etc/sudoers file but error still persisted. I manually set Exim and sudo path in script. Error was still there.

If you check your nrpe process, you’ll see that it runs by¬†nrpe user and not nagios!

[root@da ~]# ps -aux | grep nrpe
 nrpe 26993 0.0 0.0 46356 1460 ? Ss 10:44 0:00 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d

Solution is very simple.¬†Just change “nagios ALL=(ALL) NOPASSWD:/usr/sbin/exim” ¬†to “nrpe ALL=(ALL) NOPASSWD:/usr/sbin/exim”¬†¬†in your /etc/sudoers – replace user nagios with nrpe. It should work.

I hope it helps ūüôā

Directadmin – block zip attachments with ClamAV and Exim

A lot of¬†viruses and malware¬†is¬†sent in emails with zip attachments. Sometimes your antivirus like ClamAV wont catch nasty email. This is a big¬†problem when you receiving tons of this kind of messages. So if you’re receiving tons of¬†nasty emails¬†containing¬†zip attachments with viruses in it, good way¬†to solve this is by simply reject emails with zip attachments. This was done on¬†Directadmin server with Custombuild 2.0. Even if you’re not using Directadmin, configuration¬†for ClamAV should be very identical.

  • If you built Exim and Clamav with Custombuild 2.0, than you should see this line in your /etc/exim.conf. Uncomment¬†if it’s not already. If you’re using Custombuild 1.2, then this should be changed in /etc/exim.conf directly – settings¬†in step 2 bellow.
    .include_if_exists /etc/exim.clamav.conf
  • Open file¬†/etc/exim.clamav.conf and find word¬†demime within that file. Then¬†simply add zip to it. It should look like this:
    #1.0
    deny message = This message contains malformed MIME ($demime_reason)
    demime = *
    condition = ${if >{$demime_errorlevel}{2}{1}{0}}
    deny message = This message contains a virus or other harmful content ($malware_name)
    demime = *
    malware = *
    deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
    demime = bat:com:pif:prf:scr:vbs:zip
    warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

Now any email with zip attachment will be rejected. Sender will receive error message like this:

The error that the other server returned was: 
550 This message contains an attachment of a type which we do not accept (.zip)

Directadmin – enable and configure Spamassassin automatically on creating user

By default, when you add new user in Directadmin, Spamassassin is disabled. Some users are not aware¬†about Spamassassin, so they’ll have it disabled and will receiving a lot of spam. It is¬†good practice to enable Spamassassin by default and also set¬†some settings. You can do that by adding below code in your /usr/local/directadmin/scripts/custom/user_create_post.sh script. The first step is well described on Directadmin documentation. But you may also want to define some parameters for Spamassassin when user is created. It’s really simple. You can do that by manipulating filter.conf file. Steps below are preformed on¬†Directadmin running on FreeBSD. It should be the same for Linux also.

Continue Reading

Mass email migration with imapsync

You may want to migrate larger number of email accounts to another server.¬†If there are even different types of mail servers, than imapsync is one of the best¬†solutions for migration.¬†With script below, you’ll be¬†able to migrate multi accounts¬†without¬†repeating and running imapsync again and again.

Here is the script. Just create file, e.g. mail-migration.sh, and paste code below in it.

#!/bin/bash

# Source and destination mail server setting
SERVER1=post.literal.si
SERVER2=cp2.hosterdam.com

# Select appropriate auth mechanism.
#AUTHMECH1="--authmech1 LOGIN"
#AUTHMECH2="--authmech2 LOGIN"

# Uncomment if you want to start test/dryrun only. No emails will be transfered!
#TESTONLY="--dry"

# Path to imapsync
imapsync=/usr/bin/imapsync

# Users file
if [ -z "$1" ]
then
echo "No users text file given." 
exit
fi

if [ ! -f "$1" ]
then
echo "Given users text file \"$1\" does not exist" 
exit
fi

# start loop
{ while IFS=';' read  u1 p1 u2 p2; do
	$imapsync ${TESTONLY} ${AUTHMECH1} --host1 ${SERVER1} --user1 "$u1" --password1 "$p1" ${AUTHMECH2} --host2 ${SERVER2} --user2 "$u2" --password2 "$p2"
done ; } < $1

Don’t forget to chmod your script so that will be executable.

chmod +x mail-migration.sh

Now you’ll have to create a simple text file that will contain login informations for each email account that you want to transfer. Create text file, for example, mail-users.txt and add login informations like shown bellow. Login informations must be separated with ;. username1 is username on old server, username2 is username on new server.

username1@domain.com;password1;username2;password2
anotheruser1@domain.com;password1;anotheruser2@domain.com;password2
.
.
.

Finaly, lets transfer emails. Simply run your script like shown below. Use text file with login informations that you created. Imapsync will try to transfer all accounts that are in mail-users.txt.

root@myserver [~]# ./migrate-mail.sh mail-users.txt

© 2019 geegkytuts.net
Hosted by Hosterdam


About author