SNI support for Dovecot and Postfix

If you need multiple SSL certificates for different domains on a single mail server, you can do it with SNI. Of course, very old versions do not support this. Check the documentation first to see whether it is supported by your version of Dovecot and Postfix.

Dovecot:

For Dovecot, the incoming mail server, it’s as easy as shown below. I made a file ssl-sni.conf in which I add SNI configurations for my domains. Then I included ssl-sni.conf in the main Dovecot config.

Create ssl-sni.conf and add your SNI definitions in it:

local_name mail.domain1.com {
ssl_cert = </etc/ssl/certs/domain1/fullchain.pem
ssl_key = </etc/ssl/certs/domain1/privkey.pem
}

local_name pop3.domain2.com {
ssl_cert = </etc/ssl/certs/domain2/fullchain.pem
ssl_key = </etc/ssl/certs/domain2/privkey.pem
}
...

Then include this in the main Dovecot config (you can also add these settings directly to dovecot.conf or 00-ssl.conf; I just prefer to keep them separate):

# SNI include
!include ssl-sni.conf

Postfix:

As for Postfix, configuration is also simple:

Inside /etc/postfix/, create the file domain_ssl.map and add the SSL definitions to it:

mail.domain1.com /etc/ssl/certs/domain1/privkey.pem /etc/ssl/certs/domain1/fullchain.pem
smtp.domain2.net /etc/ssl/certs/domain2/privkey.pem /etc/ssl/certs/domain2/fullchain.pem

Run postmap, which will create domain_ssl.map.db, and restart Postfix:

[root@mail postfix]# postmap -F domain_ssl.map
[root@mail postfix]# systemctl restart postfix

If everything is OK, you should now have a mail server with SNI support.
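
A pre-flight check for the Postfix map above, as an added example that is not part of the original post. It assumes GNU stat and that the map is the file referenced by tls_server_sni_maps in main.cf; the function name lint_sni_map is made up here. It checks that every listed file is readable and that any file holding a private key is not accessible to group or others.

```shell
#!/bin/bash
# Added example: lint a Postfix SNI map (hostname followed by key/chain files).
# Prints one finding per problem and returns non-zero if any were found.
lint_sni_map() {
    local map="$1" rc=0 n=0 name files f mode
    while read -r name files; do
        n=$((n + 1))
        case "$name" in ''|'#'*) continue ;; esac       # skip blanks and comments
        set -- $files                                    # word-split the file list
        if [ "$#" -lt 2 ]; then
            echo "line $n: $name: expected a key file and a chain file"; rc=1
            continue
        fi
        for f in "$@"; do
            if [ ! -r "$f" ]; then
                echo "line $n: $name: cannot read $f"; rc=1
            elif grep -q 'PRIVATE KEY' "$f"; then
                mode=$(stat -c '%a' "$f")                # GNU stat, e.g. 600
                case "$mode" in
                    0|*00) ;;                            # no group/other access
                    *) echo "line $n: $name: $f holds a key but has mode $mode"; rc=1 ;;
                esac
            fi
        done
    done < "$map"
    return "$rc"
}

# Usage: ./lint-sni-map.sh /etc/postfix/domain_ssl.map
if [ "$#" -gt 0 ]; then
    lint_sni_map "$1"
fi
```

Run it before postmap -F, since postmap stores the file contents in the .db and a later permission fix on the PEM files does not change what is already in the map.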

Directadmin – Unrouteable address error on incoming mail

I had this stupid error the other day on Directadmin. I upgraded Exim to the latest version and then all mail sent to address@email.com, which was on this server, was bounced with the error “Unrouteable address”. From the past, I knew that errors like this can be due to an exceeded mail limit. But in this case, this was happening only for one mail out of 50 others, and no limits were reached.

After some searching, I found out that there was an alias pointing to the email address itself, which was causing this error. I removed the forwarder (alias) and incoming mail started to work again on this mailbox.

2021-05-09 20:53:28 H=([1.1.1.1]) [2.2.2.2] F=<us11-99cb50d256-903kjsd32113@inbound.mailchimp.com> rejected RCPT <address@email.com>: Unrouteable address

So I had mail forwarder like:
address@email.com -> address@email.com

So when dealing with such an error, just remove the alias as described above.

Limit number of email recipients with Roundcube

I had an issue with one of the mail servers on which one user’s account password was stolen and was sending spam. Spam was sent from Roundcube and there was a very large number of recipients in one email. Limiting the number of recipients in Postfix was not an option. It had to be done on webmail. It is very simple with Roundcube. Just add the variable below to your Roundcube configuration file, config.inc.php.

$config['max_recipients'] = 10;

This will allow only 10 recipients in one email message. Of course you can change the number according to your needs.

Directadmin – get disk size information for every email account on your server/user

If you want to find out how much disk space every email account on your Directadmin server is consuming, you can use this command.

[root@post ~]# find /home/*/imap/*/*/ -maxdepth 1 -type d -exec du -sh {} \; | awk -F '/' '{print $6"@"$5 " -> " $1}'
info@domain1.si -> 60K
test@domain1.si -> 60K
lala@domain1.ba -> 529M
info@somedomain.ba -> 529M
igor@somedomain.eu -> 772K
...

If you want this for every email account of a specific user, then you can use this:

[root@post ~]# find /home/user1/imap/*/*/ -maxdepth 1 -type d -exec du -sh {} \; | awk -F '/' '{print $6"@"$5 " -> " $1}'
info@domain1.si -> 1.3G
test2@domain1.it -> 1.3G
igor@test.si -> 68M
...

Simple, but it can save some time 🙂

Make single Roundcube instance use multi different databases

I had to configure a webmail service with Roundcube which would allow connecting multiple mail servers to one platform. Every mail server already had its own Roundcube instance, but the idea was that only one installation can handle all mail servers.

I found out that this can be done pretty simply with some PHP in the Roundcube configuration.

Open your roundcube configuration file, for example:

vi /var/www/roundcube/config/config.inc.php

Fetch the hostname of the specific webmail instance into a PHP variable.

$host = $_SERVER['SERVER_NAME'];

Then you should create a switch statement that selects the correct database connection and host for the specific server name (mail service). You can also use different database types, for example MySQL and PostgreSQL.


Directadmin – block zip attachments with ClamAV and Exim

A lot of viruses and malware is sent in emails with zip attachments. Sometimes an antivirus like ClamAV won’t catch a nasty email. This is a big problem when you are receiving tons of these messages. So if you’re receiving tons of nasty emails containing zip attachments with viruses in them, a good way to solve this is simply to reject emails with zip attachments. This was done on a Directadmin server with Custombuild 2.0. Even if you’re not using Directadmin, the configuration for ClamAV should be very similar.

  • If you built Exim and ClamAV with Custombuild 2.0, then you should see this line in your /etc/exim.conf. Uncomment it if it isn’t already. If you’re using Custombuild 1.2, then this should be changed in /etc/exim.conf directly (the settings in step 2 below).
    .include_if_exists /etc/exim.clamav.conf
  • Open the file /etc/exim.clamav.conf and find the word demime within that file. Then simply add zip to it. It should look like this:
    #1.0
    deny message = This message contains malformed MIME ($demime_reason)
    demime = *
    condition = ${if >{$demime_errorlevel}{2}{1}{0}}
    deny message = This message contains a virus or other harmful content ($malware_name)
    demime = *
    malware = *
    deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
    demime = bat:com:pif:prf:scr:vbs:zip
    warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

Now any email with a zip attachment will be rejected. The sender will receive an error message like this:

The error that the other server returned was: 
550 This message contains an attachment of a type which we do not accept (.zip)

Mass email migration with imapsync

You may want to migrate a larger number of email accounts to another server. Even if the mail servers are of different types, imapsync is one of the best solutions for migration. With the script below, you’ll be able to migrate multiple accounts without running imapsync again and again.

Here is the script. Just create a file, e.g. mail-migration.sh, and paste the code below into it.

#!/bin/bash

# Source and destination mail server setting
SERVER1=post.literal.si
SERVER2=cp2.hosterdam.com

# Select appropriate auth mechanism.
#AUTHMECH1="--authmech1 LOGIN"
#AUTHMECH2="--authmech2 LOGIN"

# Uncomment if you want to start test/dryrun only. No emails will be transferred!
#TESTONLY="--dry"

# Path to imapsync
imapsync=/usr/bin/imapsync

# Users file
if [ -z "$1" ]
then
    echo "No users text file given." >&2
    exit 1
fi

if [ ! -f "$1" ]
then
    echo "Given users text file \"$1\" does not exist" >&2
    exit 1
fi

# Start loop: one line per account, fields separated by ';'.
# read -r keeps backslashes in passwords intact. TESTONLY and AUTHMECH* are
# left unquoted on purpose so that an unset option expands to nothing.
while IFS=';' read -r u1 p1 u2 p2; do
    "$imapsync" ${TESTONLY} ${AUTHMECH1} --host1 "${SERVER1}" --user1 "$u1" --password1 "$p1" ${AUTHMECH2} --host2 "${SERVER2}" --user2 "$u2" --password2 "$p2"
done < "$1"

Don’t forget to chmod your script so that it is executable.

chmod +x mail-migration.sh

Now you’ll have to create a simple text file that contains the login information for each email account that you want to transfer. Create a text file, for example mail-users.txt, and add the login information as shown below. The fields must be separated with ;. username1 is the username on the old server, username2 is the username on the new server. The file holds plaintext passwords, so keep it readable by root only and delete it once the migration is done.

username1@domain.com;password1;username2;password2
anotheruser1@domain.com;password1;anotheruser2@domain.com;password2
.
.
.

Finally, let’s transfer the emails. Simply run your script as shown below, using the text file with the login information that you created. Imapsync will try to transfer all accounts that are in mail-users.txt.

root@myserver [~]# ./mail-migration.sh mail-users.txt

Exim – delete specific emails from queue

Sometimes your Exim mail queue can grow quite large, especially when some website (WordPress!) is hacked and is sending tons of spam mail, or when you end up with thousands of frozen mails. You probably don’t want to remove all emails from the queue. That would mean legit emails too. You want to delete only specific ones.

For the sake of this demonstration, we want to delete all emails that contain the string domain.com.

18h   60K 1b33Uz-000LkN-48 <info@domain.com> (someuser)
          info@somedomain.com

Just run the command below and all mails matching the string domain.com will be deleted from the mail queue.

exim -bp | grep "domain.com" | awk '{print $3}' | xargs exim -Mrm

Or for example, in case of frozen mails:

exim -bp | grep froz | awk '{print $3}' | xargs exim -Mrm
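
The grep above matches the string anywhere in a queue line, so domain.com also selects a message sent from somedomain.com. The added example below (not part of the original post; queue_ids and sample_queue are names made up here, and the queue listing is constructed) selects message IDs by exact envelope-sender domain or by the frozen marker, and only prints them.

```shell
#!/bin/bash
# Added example: pick Exim message IDs out of `exim -bp` output read on stdin.
#   queue_ids sender-domain domain.com   -> IDs whose envelope sender is @domain.com
#   queue_ids frozen                     -> IDs of frozen messages
queue_ids() {
    awk -v mode="$1" -v want="$2" '
    # Queue header line: age size message-id <sender> [*** frozen ***]
    $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ && $4 ~ /^<.*>$/ {
        sender = tolower(substr($4, 2, length($4) - 2))
        n = split(sender, part, "@")
        domain = (n > 1) ? part[n] : ""      # "<>" (bounce) has no domain
        frozen = ($0 ~ /\*\*\* frozen \*\*\*[ \t]*$/)
        if (mode == "sender-domain" && domain != "" && domain == tolower(want)) print $3
        if (mode == "frozen" && frozen) print $3
    }'
}

# Constructed sample of `exim -bp` output (not taken from a real queue).
sample_queue() {
    cat <<'EOF'
18h   60K 1b33Uz-000LkN-48 <info@domain.com> (someuser)
          info@somedomain.com

 2d  1.2K 1b33Va-000LkP-1x <news@somedomain.com>
          user@domain.com

 5d  3.4K 1b33Vb-000LkQ-7c <> *** frozen ***
          bounce@domain.com
EOF
}

# Review the selection first; pipe it to `xargs exim -Mrm` only once it looks right.
sample_queue | queue_ids sender-domain domain.com
sample_queue | queue_ids frozen
```

On a live server, replace sample_queue with exim -bp and check the printed IDs before handing them to exim -Mrm.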

© 2021 geegkytuts.net