Postfix


Address rewriting allows changing the outgoing email ID or the domain name itself. It is useful for hiding internal user names, especially shell users on Linux and Unix boxes. For example:
» SMTP user/shell user: tom-01
» EMAIL ID: tom@domain.com
» Server name (FQDN): server01.hosting.com
However, when tom-01 sends an email from the shell prompt, a cron job or PHP, it looks like it was sent from tom-01@server01.hosting.com. In some cases, internal hosts have no valid Internet domain name and instead use a name such as localdomain.local. This can be a problem when you want to send mail over the Internet, because many mail servers reject mail addresses with invalid domain names to avoid spam. Another valid case is where your email is routed through a smarthost such as AWS SES. A smarthost is an email server in the cloud or at an ISP datacenter through which we can send emails and have them forwarded on to the recipients’ email servers.

Email filtering is an essential task. There are many methods like:
=> Bayesian spam filtering
=> SpamAssassin/DSPAM programs
=> Check open relay using RBL etc

Now ORDB.org is shutting down its operation. ORDB is quite effective and I use this list on all of my email servers. Spammers still use third-party servers and desktop computers, re-routing their e-mail through them to minimize or avoid detection.

According to their home page:
We encourage system owners to remove ORDB checks from their mailers immediately and start investigating alternative methods of spam filtering. We recommend a combination involving greylisting and content-based analysis (such as the dspam project, bmf or Spam Assassin). DNS and the mailing lists will vanish today, December 18, 2006.

Generally, I use the following sequence while configuring anti-spam:
reject_rbl_client relays.ordb.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dul.dnsbl.sorbs.net

These services block thousands of spam messages every day before they hit the email server and SpamAssassin. Indeed, bad news for mail server admins!

PHP has a mail() function to send email to users. However, mail() will not work:

=> If sendmail (or compatible binary) is not installed

=> If Apache Web server / Lighttpd running in chrooted jail

=> And your smtp server needs an authentication before sending an email

=> Or you just need to send email using PHP PEAR

In all these cases you need to use PHP PEAR’s Mail:: interface. It defines the interface for implementing mailers under the PEAR hierarchy, and provides supporting functions which are useful in multiple mailer backends. In this tip you will learn how to send an e-mail directly to the client's SMTP server in real time.

PHP PEAR’s Mail.php is located in the /usr/share/pear/ directory. The following is sample code to send an email via an authenticated SMTP server.

PHP send email using PHP SMTP mail Pear functions – Sample source code

The following code is well commented; make the necessary changes as per your setup.

<?php
/* Load PEAR's Mail class (installed under /usr/share/pear) */
require_once "Mail.php";

/* mail setup recipients, subject etc */
$recipients = "feedback@yourdot.com";
$headers["From"] = "user@somewhere.com";
$headers["To"] = "feedback@yourdot.com";
$headers["Subject"] = "User feedback";
$mailmsg = "Hello, This is a test.";

/* SMTP server name, port, user/passwd */
$smtpinfo["host"] = "smtp.mycorp.com";
$smtpinfo["port"] = "25";
$smtpinfo["auth"] = true;
$smtpinfo["username"] = "smtpusername";
$smtpinfo["password"] = "smtpPassword";

/* Create the mail object using the Mail::factory method */
$mail_object = Mail::factory("smtp", $smtpinfo);
if (PEAR::isError($mail_object)) {
    die("Cannot create mailer: " . $mail_object->getMessage());
}

/* Ok send mail; send() returns true or a PEAR_Error object */
$result = $mail_object->send($recipients, $headers, $mailmsg);
if (PEAR::isError($result)) {
    error_log("Mail not sent: " . $result->getMessage());
}
?>

Sending smtp email from chrooted Apache or Lighttpd webserver

Read the following section if you are running a secure chrooted Apache or Lighttpd web server. I have already written about setting up the php mail() function in a chrooted jail. If you are using a chrooted jail server setup, copy all files from the /usr/share/pear directory to the /chroot-directory/usr/share/pear directory. For example, if the lighttpd chrooted jail is located in the /webroot directory, type the following commands to install PHP PEAR support:
# mkdir -p /webroot/usr/share/pear
# cd /webroot/usr/share/pear
# cp -avr /usr/share/pear/. .

If PHP SAFE MODE is on, you must set the ownership of the /webroot/usr/share/pear directory to the webserver username to allow access. Otherwise you will see an error as follows:

1-Nov-2006 09:43:19] PHP Warning:  main(): SAFE MODE Restriction in effect.  The script whose uid is 506 is not allowed to access /usr/share/pear/PEAR.php owned by uid 0 in /usr/share/pear/Mail.php on line 636.

So if the webserver username is lighttpd or apache, use one of the following commands to set the correct ownership:
# chown -R lighttpd:lighttpd /webroot/usr/share/pear
OR
# chown -R apache:apache /webroot/usr/share/pear

You may also find the modified WordPress WP-ContactForm plugin useful. It is a drop-in form for users to contact you. It can be implemented on a page or a post. It was originally authored by Ryan Duff and uses the php mail() function to send email. I have modified it to send email via my ISP's authenticated gateway using PHP PEAR’s Mail:: interface 😀

When you cannot monitor your server for service availability, it is better to get help from an automated monitor and restart utility. For the last 4 days I was away from my server, enjoying my vacation. During this time my lighttpd webserver died due to load, but it was restarted automatically within 2 minutes. I had a utility called monit configured for monitoring services on the Linux system. It offers all the features you need for system monitoring and performs error recovery on UNIX-like systems.

Before monit I had my own shell and perl scripts for monitoring services. If a service failed, the script would try to restart it and send an automated email to me. However, monit is a superior solution.

monit is a utility for managing and monitoring processes, files, directories and devices on a Unix system. Monit conducts automatic maintenance and repair and can execute meaningful causal actions in error situations. For example, monit can start a process if it does not run, restart a process if it does not respond and stop a process if it uses too many resources.

You may also use monit to monitor files, directories and devices on localhost for changes, such as timestamp changes, checksum changes or size changes. This is also useful for security reasons: you can monitor the md5 checksum of files that should not change.

Personally, I always install and configure monit on all boxes which are under my control.

Install monit under Debian or Ubuntu Linux

Use the apt-get command to install monit:
# apt-get install monit
OR
$ sudo apt-get install monit

Install monit under Red Hat enterprise Linux / CentOS Linux (source code installation)

Many distributions include monit. However, monit is not included in official Red Hat Enterprise Linux. Just download the monit source code from the official web site using the wget command:
# cd /opt
# wget http://www.tildeslash.com/monit/dist/monit-4.8.2.tar.gz
Untar monit
# tar -zxvf monit-4.8.2.tar.gz
# cd monit-4.8.2

Configure and compile monit:

# ./configure
# make

Install monit

# make install

Copy monit configuration file:

# cp monitrc /etc/monitrc

By default monit is located at /usr/local/bin/monit

How do I Configure monit?

monitrc is the name of the monit configuration file and it is located at /etc/monitrc by default. However, each distribution places the file in a different location:
=> Source code installation : /etc/monitrc
=> Debian / Ubuntu Linux installation : /etc/monit/monitrc

Open monit configuration file and setup values as follows:
# vi /etc/monitrc

a) Run it as a daemon and check the services (such as web, mysql, sshd) at 2-minute intervals.
set daemon 120

b) Set syslog logging with the ‘daemon’ facility:
set logfile syslog facility log_daemon

c) Set mail server name to send email alert
set mailserver mail.cyberciti.biz
Set email format such as from email
set mail-format { from: alert@nixcraft.in
subject: $SERVICE $EVENT at $DATE
message: Monit $ACTION $SERVICE at $DATE on $HOST: $DESCRIPTION.
}

d) Now the most important part: restart the lighttpd or apache web server if it has failed or been killed by the Linux kernel for any reason:
check process lighttpd with pidfile /var/run/lighttpd.pid
group lighttpd
start program = "/etc/init.d/lighttpd start"
stop program = "/etc/init.d/lighttpd stop"
if failed host 75.126.43.232 port 80
protocol http then restart
if 5 restarts within 5 cycles then timeout

Where,

  • check process lighttpd with pidfile /var/run/lighttpd.pid : You are specifying the lighttpd pid file and daemon name
  • group lighttpd : Specify group name, which is allowed or used to start/restart lighttpd
  • start program = "/etc/init.d/lighttpd start" : Command to start the lighttpd server
  • stop program = "/etc/init.d/lighttpd stop" : Command to stop the lighttpd server
  • if failed host 127.0.0.1 port 80 : Server IP address and port number (80)
  • protocol http then restart : If the above IP and port fail, restart the webserver
  • if 5 restarts within 5 cycles then timeout : Try to restart 5 times; if monit cannot restart the webserver after 5 attempts, just time out to avoid a race condition.

Here is my mysql server restart configuration directives:
check process mysqld with pidfile /var/run/mysqld/mysqld.pid
group database
start program = "/etc/init.d/mysqld start"
stop program = "/etc/init.d/mysqld stop"
if failed host 127.0.0.1 port 3306 then restart
if 5 restarts within 5 cycles then timeout

Here is my sshd server configuration directives:
check process sshd with pidfile /var/run/sshd.pid
start program "/etc/init.d/sshd start"
stop program "/etc/init.d/sshd stop"
if failed host 127.0.0.1 port 22 protocol ssh then restart
if 5 restarts within 5 cycles then timeout

Here is my Apache server restart configuration directives:
check process httpd with pidfile /var/run/httpd.pid
group apache
start program = "/etc/init.d/httpd start"
stop program = "/etc/init.d/httpd stop"
if failed host 127.0.0.1 port 80
protocol http then restart
if 5 restarts within 5 cycles then timeout

Replace IP address 127.0.0.1 with your actual IP address. If you are using Debian just start monit:
# /etc/init.d/monit start

If you are using Red Hat Enterprise Linux, start monit from /etc/inittab file:
Open /etc/inittab file:
# vi /etc/inittab
Append following line:
mo:2345:respawn:/usr/local/bin/monit -Ic /etc/monitrc

Now start monit by telling init to re-read /etc/inittab:
# init q
OR
# telinit q

You can verify that monit has started from the /var/log/messages log file:
# tail -f /var/log/messages
Output:

Nov 21 04:39:21 server monit[8759]: Starting monit daemon
Nov 21 04:39:21 server monit[8759]: Monit started

If lighttpd died, you will see something as follows in log file:

Nov 21 04:45:13 server monit[8759]: 'lighttpd' process is not running
Nov 21 04:45:13 server monit[8759]: 'lighttpd' trying to restart
Nov 21 04:45:13 server monit[8759]: 'lighttpd' start: /etc/init.d/lighttpd

You may use monit to monitor daemon processes or similar programs running on localhost or started from /etc/init.d/ location such as
=> Apache Web Server
=> SSH Server
=> Postfix/Sendmail MTA
=> MySQL etc


Once the chroot() call is applied to a chrooted lighttpd or apache web server, you lose the connection with the real /usr/sbin/sendmail program.

The php mail() function allows you to send mail. For the Mail functions to be available, PHP must have access to the sendmail binary on your system during compile time. If you use another mail program, such as qmail or postfix, be sure to use the appropriate sendmail wrappers that come with them. PHP will first look for sendmail in your PATH, and then in the following: /usr/bin:/usr/sbin:/usr/etc:/etc:/usr/ucblib:/usr/lib. It’s highly recommended to have sendmail available from your PATH. Also, the user that compiled PHP must have permission to access the sendmail binary. Because of chroot you cannot access anything outside jail.

Even if you copy /usr/sbin/sendmail it will not work because it needs all other directories in /var and sendmail config file in /etc/mail directory.

So how do I configure php mail() support in chrooted jail webserver?

  • Don’t use php mail(); use a PHP SMTP class to send email (recommended method #1)
  • Install complete sendmail in chrooted jail (this is too much work)
  • Install statically linked mini_sendmail and /bin/sh in chrooted jail. (recommended method #2)

Task: Setting up static mini_sendmail for chrooted apache or lighttpd web server

mini_sendmail reads its standard input up to an end-of-file and sends a copy of the message found there to all of the addresses listed. The message is sent by connecting to a local SMTP server. This means mini_sendmail can be used to send email from inside a chroot(2) area. However, it needs to create a pipe so you need to copy shell to chroot as well.

Install mini_sendmail

Type the following commands:
# cd /opt
# wget http://www.acme.com/software/mini_sendmail/mini_sendmail-1.3.6.tar.gz
# tar -zxvf mini_sendmail-1.3.6.tar.gz
# cd mini_sendmail-1.3.6

Compile mini_sendmail

# make

Copy mini_sendmail to chrooted directory

Assuming that your chrooted directory is /webroot
# mkdir -p /webroot/usr/sbin
# cp mini_sendmail /webroot/usr/sbin/sendmail

Configure php for mini_sendmail (sendmail)

Go to the /webroot directory and open etc/php.ini:
# cd /webroot
# vi etc/php.ini
OR
# vi /webroot/etc/php.ini

Setup sendmail path

sendmail_path = /usr/sbin/sendmail -t -i

Restart Apache webserver

# /etc/init.d/httpd restart
OR
# apachectl restart

Or Restart lighttpd web server

# /etc/init.d/lighttpd restart

Copy /bin/sh or /bin/bash

# cp /bin/sh /webroot/bin
# l2chroot /bin/sh

Test your setup

Create a php script, mailtest.php, as follows:
<?php
mail("you@yourcorp.com", "PHP Test mail", "Hope this works! ");
?>

Point your browser to http://yourcorp.com/mailtest.php

More troubleshooting tips

(a) Make sure you have /etc/resolv.conf and /etc/hosts files available in chrooted jail at /webroot/etc directory.

(b) Make sure your mail server accepts connections from localhost (default)

(c) Consult /var/log/maillog (or your MTA log file) outside the jail for more information
# tail -f /var/log/maillog


So how do you limit the mailbox size for users configured with the Postfix mail server?

It is a good choice to avoid the problem (disk DoS) by limiting mailbox size. This prevents a user or attacker from eating up all hard disk space.

Display the default mailbox size limit

Type the following command:
# postconf mailbox_size_limit
Output:

mailbox_size_limit = 51200000

51200000 bytes is the default mailbox size limit.

Display the default maximum size in bytes of a message

Type the following command:
# postconf message_size_limit
Output:

message_size_limit = 10240000

Set up a new mailbox size limit

Open the file /etc/postfix/main.cf:
# vi /etc/postfix/main.cf
Add/modify/set values as follows:
mailbox_size_limit = 30000000
message_size_limit = 10240000

Save the file and restart the postfix mail server:
# /etc/init.d/postfix restart

I don’t want to let spammers take control of my mail server. I have configured my mail server, but I am not sure how to test it for open relay. But what is an open mail relay?

An open mail relay occurs when a mail server processes a mail message where neither the sender nor the recipient is a local user. In this example, both the sender and the recipient are outside the local domain (or rather, the local IP range, for the technically inclined). The mail server is an entirely unrelated third party to this transaction. The message really has no business passing through this server.

I can check my server for open relay using any one of the following methods.

The old way (open relay server test)

Telnet to mail.myserver.com at port 25 and issue all the following commands:
helo client.server.com
mail from: rockyjr@vsnl.com
rcpt to: vivek@nixcraft.in
$ telnet mail.myserver.com 25
Output:

Trying 202.51.x.xxx...
Connected to mail.myserver.com.
Escape character is '^]'.
220 mail.myserver.com ESMTP Postfix
helo client.server.com
250 mail.myserver.com
mail from: rockyjr@vsnl.com
250 Ok
rcpt to: vivek@nixcraft.in
554 : Relay access denied

As you can see, access to send email was denied, i.e. my mail server is NOT an open relay.
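
The same HELO / MAIL FROM / RCPT TO test as a script, as an added example that is not part of the original post. The function names, the probe@example.org and probe@example.net addresses and the canned replies are assumptions constructed for illustration; it goes slightly beyond the telnet session by treating 4xx replies as inconclusive.

```python
import smtplib

def relay_verdict(smtp, helo_name, mail_from, rcpt_to):
    """Replay HELO, MAIL FROM and RCPT TO; classify the server's RCPT reply.

    `smtp` is any object with smtplib.SMTP's helo/mail/rcpt methods.
    Returns (verdict, transcript). No DATA is sent, so no mail is delivered.
    """
    steps = (("HELO", smtp.helo, helo_name),
             ("MAIL FROM", smtp.mail, mail_from),
             ("RCPT TO", smtp.rcpt, rcpt_to))
    transcript = []
    for label, command, argument in steps:
        code, text = command(argument)
        if isinstance(text, bytes):
            text = text.decode("ascii", "replace")
        transcript.append((label, code, text))
        # A failure before RCPT TO says nothing about relaying.
        if label != "RCPT TO" and code >= 400:
            return "inconclusive", transcript
    if 200 <= code < 300:
        return "OPEN RELAY", transcript    # foreign recipient was accepted
    if 400 <= code < 500:
        return "inconclusive", transcript  # temporary reply, e.g. greylisting
    return "relay denied", transcript      # 5xx, as in the 554 above

def check_server(host, mail_from, rcpt_to, helo_name="client.server.com", port=25):
    """Test your own MTA; run it from a host outside the server's trusted networks."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        result = relay_verdict(smtp, helo_name, mail_from, rcpt_to)
        try:
            smtp.rset()                    # abandon the transaction before QUIT
        except smtplib.SMTPException:
            pass                           # server already closed the session
    return result

class CannedSMTP:
    """Constructed stand-in for a server; replies mimic the transcript above."""
    def __init__(self, rcpt_code, rcpt_text):
        self.rcpt_reply = (rcpt_code, rcpt_text)
    def helo(self, name):
        return 250, b"mail.myserver.com"
    def mail(self, sender):
        return 250, b"Ok"
    def rcpt(self, recipient):
        return self.rcpt_reply

if __name__ == "__main__":
    # Constructed replies: the 554 from the session above, plus two other cases.
    for reply in ((554, b"Relay access denied"), (250, b"Ok"), (450, b"Try again later")):
        verdict, _ = relay_verdict(CannedSMTP(*reply), "client.server.com",
                                   "probe@example.org", "probe@example.net")
        print(reply[0], "->", verdict)
```

Both addresses passed to check_server must belong to domains the server does not host, otherwise a 250 reply is normal local delivery rather than relaying.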

The new way

Another, and the best, way is to use this website to test for an open relay.

See also:

  • ORDB FAQ

This is an old post created by LinuxTitli but it was deleted accidentally by me 🙁 I had restored the same from Google cache 🙂

Sendmail is an age-old mail transfer agent (MTA). We still use sendmail on Solaris boxes and all other web hosting (www) servers to route mail via our master MTA.

Task: Linux/UNIX deliver old email

The command sendmail -q forces the mail queue to be sent. Use the command mailq to find out what’s in the queue:
# sendmail -q
# mailq
The following command forces sendmail to be verbose, which makes debugging easier:

# sendmail -v -q

However, there is a catch. Sendmail will not process your queue if the system load is too high. You can configure this in the sendmail configuration file sendmail.cf with the QueueLA option. This option sets the load average at which Sendmail simply queues up new messages; it is a good tweaking and troubleshooting parameter.