Wednesday, June 17, 2015

Junking spam email from Postfix queue

So if your mailq | tail -n 1 shows a lot of requests, and your qshape shows a lot of deferred stuff, it's time to nuke some spam backlog. Run the following as root (via sudo)....

mailq|fgrep .science|sed 's/\*.*//'|postsuper -d -
mailq|fgrep .work|sed 's/\*.*//'|postsuper -d -
mailq|fgrep .link|sed 's/\*.*//'|postsuper -d -
mailq|fgrep .club|sed 's/\*.*//'|postsuper -d -
mailq|fgrep .ninja|sed 's/\*.*//'|postsuper -d -
postsuper -d ALL deferred

... and any other domains / email addresses after the "fgrep" that look suspicious. pflogsumm is good for getting metrics on repeat offenders. It's tricky to avoid this happening in the first place.


Other References (some outdated)

https://rtcamp.com/tutorials/mail/postfix-queue/
https://www.howtoforge.com/delete-mails-to-or-from-a-specific-email-address-from-postfix-mail-queue
http://www.cyberciti.biz/tips/howto-postfix-flush-mail-queue.html

Added

There is a real issue with the output of mailq / "postqueue -p" when it comes to turning it into something usable to check against. Here's a modified example from my logs of a spam message that's failing to be delivered: each entry in the output has a blank line after it, and the Perl scripts floating around out there try to accommodate this, but poorly. A Python/Ruby script might work better for this....

91ADA1DDAFC*   12156 Wed Jun 17 13:14:32  source@example.com
                                         destination@example.com
                                         destination2@example.com
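The multi-line layout above is easy enough to handle in Python. The script below is an added example, not code from the original post: it reads postqueue -p / mailq output on stdin, turns each entry into a record (queue ID, status flag, size, arrival time, sender, recipients and the last deferral reason) and prints the IDs whose sender or any recipient is under one of the domain suffixes given as arguments, so the result can be piped into postsuper -d -. Unlike the fgrep one-liners it also matches recipient lines and works for deferred entries that carry no "*". The script name and the sample queue listing are made up; pass suffixes with their leading dot so a suffix does not also match unrelated domains that merely end in the same letters.

```python
# Added example, not from the original post.  Parses "postqueue -p" / mailq
# output and prints queue IDs whose sender or any recipient is under a given
# domain suffix:  postqueue -p | python3 queue_filter.py .science | postsuper -d -
import re
import sys
# Entry header: queue ID, flag (* active, ! hold), size, 4-field arrival time,
# sender.  Indented lines are recipients, "(...)" the last deferral reason.
HEADER = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3}\s+\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<sender>\S+)$")

# Constructed sample in the postqueue -p layout (not real queue data).
SAMPLE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
91ADA1DDAFC*   12156 Wed Jun 17 13:14:32  source@example.com
                                         destination@example.com
                                         destination2@example.com

4F2C31DDB01     2871 Wed Jun 17 11:02:09  offers@promo.example.science
(connect to mx.example.com[192.0.2.25]:25: Connection timed out)
                                         victim@example.com

-- 15 Kbytes in 2 Requests.
"""

def parse_queue(text):
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = dict(m.groupdict(), recipients=[], reason=None)
            entries.append(cur)
        elif cur is None or line.startswith("-"):
            continue  # column header, "-- N Kbytes" trailer or stray text
        elif line.lstrip().startswith("("):
            cur["reason"] = line.strip()
        elif line.strip():
            cur["recipients"].append(line.strip())
        else:
            cur = None  # blank line: entry complete
    return entries

def select_ids(entries, suffixes):
    suffixes = tuple(s.lower() for s in suffixes)  # compared case-insensitively
    hit = lambda addr: addr.rsplit("@", 1)[-1].lower().endswith(suffixes)
    return [e["qid"] for e in entries
            if hit(e["sender"]) or any(hit(r) for r in e["recipients"])]

if __name__ == "__main__":
    print("\n".join(select_ids(parse_queue(sys.stdin.read()), sys.argv[1:])))
```

Review the printed IDs before feeding them to postsuper -d -; with no suffix arguments the script selects nothing.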

Added #2

There's an awesome RHEL / CentOS repo maintained with current Postfix builds. Was able to update 2.3 to 2.11 without immediately borking config files!

Added #3

You can define a PCRE whitelist/blacklist of domains and addresses, and refer to it in main.cf. You don't have to run "postmap" on this after updating it either.

    smtpd_sender_restrictions =
        check_sender_access      pcre:/etc/postfix/sender_access

Sample entries to add....

/\.google\.com$/        OK
/\.work$/               REJECT

http://www.linuxquestions.org/questions/linux-server-73/how-to-reject-addresses-by-tld-in-postfix-678757/
http://www.postfix.org/ADDRESS_VERIFICATION_README.html

Friday, May 8, 2015

Enabling Tomcat as a systemd service

The simplest way to get Tomcat working as a service on a RHEL 7 / CentOS 7 / other systemd-based setup is as follows. Note that I'm not addressing any SELinux or FirewallD considerations here...

1. Make sure you've extracted a copy of Tomcat somewhere, and that you've populated its bin/setenv.sh with at least export JAVA_HOME=/location-of-java and export CATALINA_OPTS="java+tomcat variables" for your environment.

2. adduser -r tomcat

3. Create /etc/systemd/system/tomcat.service with the following contents. Make sure you adjust the paths in ExecStart + ExecStop accordingly.

[Unit]
Description=Apache Tomcat Web Application Container
After=network.target
[Service]
Type=forking
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh
User=tomcat
Group=tomcat
[Install]
WantedBy=multi-user.target

4. systemctl enable tomcat && systemctl start tomcat

You can get the status of the instance by running systemctl status tomcat -l, and use the "stop" clause to stop the instance.

Thursday, April 16, 2015

FreeNAS 9.3 encrypted replication backup

Work in progress

FreeNAS supports ZFS replication, but there is an issue: encryption is applied per drive, not per volume/ZFS pool. That means if you want to replicate to an offsite server, the data there might be vulnerable. I am attempting to reduce this issue in my usage, so with inspiration from another blogger's older post on the matter, I think I've figured out a compromise solution.

This assumes you'll be using SSH + Web-GUIs to work on the FreeNAS systems in question.

1. On your TARGET Web-GUI, configure an iSCSI target to mount with the source server. Be sure to specify a big enough zvol to host whatever amount of data you're planning to backup.
2. On the SOURCE Web-GUI, define a periodic snapshot task for the volume you wish to replicate.
3. Define the following rc.conf tunables: iscsictl_enable = YES ; iscsictl_flags = "-Aa" ; iscsid_enable = YES
4. On the SOURCE SSH, make sure you have an .ssh/authorized_keys file in the home folder of the user you'll be using for this project (root or otherwise). Make sure to chmod 600 the file, and chmod 700 the .ssh subdirectory; you can "touch" the file to make an empty one.
5. You're going to need the localhost public key for SSH authentication. cat /data/ssh/replication.pub >> (authorized keys file)
6. Find a spot on your storage system that other users won't be regularly writing to. You'll be creating an iscsi.conf file there that will be copied to /etc on each startup (startup/updates appear to wipe this file). You may even want to limit the permissions on it (if root, say 600).

t0 {
        TargetAddress   = backup.example.com
        TargetName      = iqn.2015-04.com.example.server.iscsi:share
        AuthMethod      = CHAP
        chapIName       = chap_user
        chapSecret      = PASSWORD
        tgtChapName     = mutual_chap_user
        tgtChapSecret   = MUTUALCHAPPASS
}

7. Create another file where you made iscsi.conf: you can call this startbackup.sh, and chmod 700 it.

#!/bin/csh
cp iscsi.conf /etc/
chmod 600 /etc/iscsi.conf
iscsictl -Aa

8. Run the new script: you can tail /var/log/messages to see if it worked.
9. Back on the SOURCE Web-GUI, specify an Init/Shutdown script to run the startbackup.sh script as "pre-init".
10. Use the Volume Manager's Manual setup function to create an encrypted drive on what you mapped with iSCSI (it should show as a "da#" drive).
11. Set up a replication task to go from your source file system to the new encrypted volume. Set it for localhost as a target, no SSH encryption, and you can scan for the key if you want (this may need to be the same as the /data/ssh/replication.pub from earlier).

Remaining to verify: how this behaves after a reboot + if SSH does need to be kicked on for proper replication, since this is supposed to be already AES-128 GELI encrypted anyway.

Friday, January 16, 2015

mbuffer on FreeNAS + sending a recursive ZFS dataset

So I wanted to follow this procedure for doing a copy of a ZFS filesystem from one FreeNAS box to another. However, mbuffer isn't available for FreeNAS, and the devs aren't planning on adding it either. Fortunately, there is a working FreeBSD port of it available for install.

* Make sure you have SSH enabled on both systems. For this example, I'm assuming you're using the root user, or familiar with sudo users.
* On system #1, logged in via SSH, use wget to download an AMD64, version 9.3 or later, copy of the mbuffer package. At this time, that'd be the mbuffer-2014.03.10.txz file.
* Also use wget to download the security/mhash package. At this time, that'd be the mhash-0.9.9.9_2.txz file.
* Run pkg add -f (name of txz file) for each of the two downloads.
* Repeat the previous steps to download and install the txz files on system #2.

As for the procedure itself, it seems to get hung up on redirecting the mbuffer output. Fortunately, there's a switch for silent operation. Here is the updated command to send a data pool and its recursive subvolumes to system #2, using SSH from system #1. You'll need to take a ZFS snapshot beforehand.

zfs snapshot -r drivepool/dataset@snapshotname

zfs send -R drivepool/dataset@snapshotname | mbuffer -q -s 128k -m 1G | ssh root@system2 'mbuffer -q -s 128k -m 1G | zfs receive -F drivepool/dataset'

Monday, March 24, 2014

A brief test of using case-sensitive filenames on Windows 8 and Server 2012R2

If you load the Services for NFS module on Windows and set the following registry key, you can enable partial support for case-sensitive (think Linux/Unix) filenames. This was done with Windows 8.1 and Server 2012 R2; I figure it should work the same on 7 or 2012, as the functionality has been around for at least 10 years as far as I can tell.

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
obcaseinsensitive = 0

Quick observations...

  • On the workstation, one cannot create case-sensitive filenames directly: locally, or on an SMB share.
  • On the server, case-sensitive filenames co-exist just fine. They can also be copied by SMB, or downloaded with FileZilla FTP, and still remain case-sensitive.
  • Case-sensitive files can be copied back to an SMB share on the server, and retain their case sensitivity.

Monday, December 2, 2013

Getting pictures placed with users on Active Directory + Exchange

If you're looking to get user photos working on your Exchange contact lists, there is a little bit of process involved. You'll need a copy of jpegtran and Image Resizer installed on either the server or a workstation to generate the correct picture imports.


  • Resize any copies of photos you need to 96x96 px using Image Resizer.
  • The photos need to be under 10KB. Use jpegtran.exe -optimize OLD.jpg NEW.jpg on each picture to accomplish that.
  • Fire up the Exchange Powershell console on your mail server.
  • Get-ADGroupMember Employees | select name > userlist.txt
  • Using the names from the userlist.txt file, do an Import-RecipientDataProperty -Identity "PERSON" -Picture -FileData ([Byte[]]$(Get-Content -Path "FILENAME" -Encoding Byte -ReadCount 0)) on each user that has a picture waiting for him or her.

  • Footnote: I usually attribute what I can, but since I took the Powershell command notes, I have lost track of their original source.

Tuesday, November 19, 2013

Quick fix for getting WebEx players to work in Windows 8.1 on Firefox and Chrome

  • Right-click on Firefox / Chrome in your taskbar
  • Right-click on Firefox / Chrome in the list, and select "Properties"
  • "Compatibility" -> "Change settings for all users"
  • "Run this program" as "Windows 8" in the drop-down list.
  • OK until you get out of the menus. Restart Firefox/Chrome as needed.

The WebEx plugins apparently test for what OS they're running on. The version string difference introduced by the 8.1 upgrade causes it to declare the OS as unsupported, even though 8.1 didn't really modify anything WebEx would use. I assume a future update will fix this.

Added: using compatibility mode might be breaking Adobe Flash. Use compatibility mode only as needed.