Friday, 10 July 2015

Postfix Spam EMail Queue Fix

The following commands will allow you to review these queues:

1- Display the mail queues, deferred and pending



mailq
or
postqueue -p
To save the output to a text file you can run:
mailq > mailqueue.txt
or
postqueue -p > mailqueue.txt

Either of these commands will show you all queued messages.
NB: this command shows the sender and recipients and ID, not the message itself. The ID is particularly useful if you want to inspect the message itself.

2- View message (contents, header and body) in Postfix queue


To view a message with the ID XXXXXXX
(you can see the ID from the queue)
postcat -vq XXXXXXXXXX
Or to save it in a file
postcat -vq XXXXXXXXXX > emailXXXXXXXXXX.txt

A useful feature for web servers is to enable mail.add_x_header = on in the Postfix configuration. This will add a header to all outgoing email messages showing the script and user that generated each message.  Once enabled this will then add the following extra header to message:
X-PHP-Originating-Script: 1001:spamEmailer.php

In this example 1001 is the UID and the spamEmailer.php was the script sending the message. This can allow you to quickly track down the source of spam messages being sent by your server.

With these commands you should be able to review your mail queue and make sure that intended messages are being sent and have not been rejected.

How to delete queued mail from the mail queue


Now that we have learned the necessary steps to reviewing your mail queue, the final 3 tips will demonstrate how to delete queued mail.

3- Tell Postfix to process the Queue now


postqueue -f
OR
postfix flush

This will cause Postfix to immediately attempt to send all queued messages.

4- Delete queued mail


Delete all queued mail
postsuper -d ALL
Delete only the differed mail queue messages (i.e. only the ones the system intends to retry later)
postsuper -d ALL deferred

5- Delete mail from the queue selectively


This is not something that is natively included with the standard Postfix tools however can be done with a bit of Perl scripting.
NB: This perl script seems to be free, and is all over the internet however I could not find out where it originates or who wrote it but my thanks go to them!
#########################################
#!/usr/bin/perl

$REGEXP = shift || die "no email-adress given (regexp-style, e.g. bl.*\@yahoo.com)!";

@data = qx</usr/sbin/postqueue -p>;
for (@data) {
  if (/^(\w+)(\*|\!)?\s/) {
     $queue_id = $1;
  }
  if($queue_id) {
    if (/$REGEXP/i) {
      $Q{$queue_id} = 1;
      $queue_id = "";
    }
  }
}

#open(POSTSUPER,"|cat") || die "couldn't open postsuper" ;
open(POSTSUPER,"|postsuper -d -") || die "couldn't open postsuper" ;

foreach (keys %Q) {
  print POSTSUPER "$_\n";
};
close(POSTSUPER);
#########################################

Usage Examples:
Delete all queued messages to or from the domain called spamers.com, enter:
./postfix-delete.pl spamers.com
Delete all queued messages that contain the word "spam" in the e-mail address:
./postfix-delete.pl spam

Thursday, 9 July 2015

Setup a self-signed SSL site with Apache2

Login and registration pages are often among them. This guide will show you how to quickly set-up a SSL site with a self-signed certificate and automatic HTTP-to-HTTPS redirect. This is ideal for setting up staging environments.
I’ll assume you have a standard Centos system with the apache2 package installed and ready.

Here's what we're going to do, in order:
  1. Make sure Apache has SSL enabled.
  2. Generate a certificate signing request (CSR).
  3. Generate a self-signed certificate.
  4. Copy the certificate and keys we've generated.
  5. Tell Apache about the certificate.
  6. Modify the VirtualHosts to use the certificate.
  7. Restart Apache and test.
Let's start with making sure that SSL is enabled by using the a2enmod utility to enable the SSL module:
sudo a2enmod ssl

Generate the CSR

Now it's time to generate the CSR, and fill out the questions you'd normally have verified by a Certificate Signing Authority:
sudo openssl req -new > new.ssl.csr
Once you do this, you'll be prompted for a passphrase — you're going to want to remember the passphrase.
Now, you're going to walk through a set of questions:


Generating a 1024 bit RSA private key
................++++++
........................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:Enter Code Here
State or Province Name (full name) [Some-State]:Enter State Here
Locality Name (eg, city) []:Enter City Here
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Enter Company Name
Organizational Unit Name (eg, section) []:Org Unit (if you have one)
Common Name (eg, YOUR name) []:First and Last Name
Email Address []:Work Email

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Leave Blank
An optional company name []:Optional

Parts in bold emphasis require input. You want to leave the challenge password blank, otherwise you'll need to enter this every time you restart Apache.

Generate the Certificate

Now it's time to create the certificate. You're going to use OpenSSL again to create the certificate and then copy the certificate to /etc/ssl where Apache can find them.


sudo openssl rsa -in privkey.pem -out new.cert.key
sudo openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days NNN
sudo cp new.cert.cert /etc/ssl/certs/server.crt
sudo cp new.cert.key /etc/ssl/private/server.key

The -days option sets the length of time before the certificate expires. I went ahead and (roughly) calculated the time until the release of Ubuntu I'm using will be out of support. You can revoke a certificate or replace one before the cert expires, of course.
Now, you have the key (server.key) and PEM certificate (server.crt is a PEM certificate). You need to make sure that the key is not world-readable, but that the certificate is.

Configure Apache

Now that we've got the certificate in place, you need to edit the Apache configuration to add SSL to your site. Your configuration may differ, depending on how you have your sites set up and whether you're only serving one site or whether you're serving several domains from your server.
Here's how I edited my configuration, which was located in /etc/apache2/sites-available/mydomain.net:

NameVirtualHost *:443
NameVirtualHost *:80

<VirtualHost *:80>
    ServerAdmin email address here
    ServerName mydomain.net
    ServerAlias www.mydomain.net
    DocumentRoot /srv/www/mydomain.net/public_html/
    ErrorLog /srv/www/mydomain.net/logs/error.log
    CustomLog /srv/www/mydomain.net/logs/access.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin 
 jzb@zonker.net
    ServerName mydomain.net
    ServerAlias www.mydomain.net
    DocumentRoot /srv/www/mydomain.net/public_html/

    ErrorLog /srv/www/mydomain.net/logs/error.log
    CustomLog /srv/www/mydomain.net/logs/access.log combined

    SSLEngine on
    SSLOptions +StrictRequire
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
If you're already using the domain, you don't need to do anything but restart Apache. If you're setting Apache up for the first time, or this is a new domain, then you want to run this: