sandip's blog

Sendmail tips

  1. Backup files:
       /etc/mail/sendmail.mc
       /etc/mail/sendmail.cf
       /etc/mail/access
       /etc/mail/access.db
       /etc/aliases
  2. These changes go in the /etc/mail/sendmail.mc file:

    Security enhancements:

    • Require a HELO or EHLO greeting from the sending SMTP server.
    • Put limits on Sendmail forks and other settings to stop a DOS attack from overwhelming server.
    • Munge the Sendmail server identification.
    • Recipient throttle to identify when an envelope arrives with more than 4 invalid users, presuming that this is a dictionary attack.
    • Limit the number of recipients in a single message.

    dnl #
    dnl #start security mods
    define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun,needmailhelo')dnl
    define(`confMAX_DAEMON_CHILDREN',20)dnl
    define(`confSMTP_LOGIN_MSG',$j Sendmail; $b)dnl
    define(`confMIN_FREE_BLOCKS', `4000')dnl
    define(`confMAX_HEADERS_LENGTH', `32000')dnl
    define(`confMAX_MIME_HEADER_LENGTH', `1024')dnl
    define(`confBAD_RCPT_THROTTLE',`4')dnl
    define(`confMAX_RCPTS_PER_MESSAGE', `10')
    dnl #end security mods
    dnl #

    Enable DNS BlockLists:

    dnl #
    dnl # Begin Spam Block Enhancement mod
    dnl # Start BlockList
    FEATURE(`dnsbl', `bl.spamcop.net', `"554 Spam blocked - see http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
    FEATURE(`dnsbl', `zen.spamhaus.org', `"554 Rejected - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}')dnl
    dnl # sorbs dynamic user list ( not dial up )
    FEATURE(`dnsbl', `dul.dnsbl.sorbs.net', `"554 Rejected "$&{client_addr}" - see http://dnsbl.sorbs.net"')dnl
    dnl # End BlockList
    dnl # Start dont bounce errors back to me
    define(`confDOUBLE_BOUNCE_ADDRESS', `dev-null')dnl
    dnl # End dont bounce
    dnl # Start delay checks, so we see the intended recipient
    dnl # Added friend so we can exempt specified local user via access file
    FEATURE(`delay_checks',`friend')dnl
    dnl # End delay checks
    dnl # End Spam Block Enhancement mod
    dnl #

    All of the above should go before the line:

    FEATURE(`blacklist_recipients')dnl

    Notes:

    The above Double Bounce Address throws the double bounces into the bit bucket.

    The delay_checks feature causes it to log the sender from address and other info, when it rejects spam.

  3. Create an alias in "/etc/aliases" called dev-null and point it to "/dev/null":

    dev-null: /dev/null

  4. In file "/etc/mail/access", enter:

    Connect:xxx.xxx.xxx.xxx OK

    where xxx.xxx.xxx.xxx is the server IP. This keeps you from blocking yourself, if you happen to get listed in one of the blocklists used!

  5. To apply the configurations, run:

    # newaliases
    # makemap hash /etc/mail/access.db < /etc/mail/access
    # m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
    # /sbin/service sendmail restart

Checking Ubuntu Servers for openssh and openssl vulnerable keys

  1. Update openssh and openssl packages
    # apt-get update
    # apt-get install openssh openssl
  2. Install openssh-blacklist and openssl-blacklist
    # apt-get install openssh-blacklist openssl-blacklist
  3. Check all ssh compromised keys via:
    # ssh-vulnkeys -a
  4. Check all ssl keys and certificates via:
    # openssl-vulnkeys *.key *.pem

    Note: Plesk specific ssl certs are stored at "/opt/psa/var/certificates/"

Debugging sendmail

The -b switch instructs sendmail to "Become"/operate in a mode.
The -d0 switch, instructs sendmail to produce debugging information.
The level .11 prints more information than the default level of .1 .
The -bp switch instructs sendmail to print the contents of the queue.

$ sendmail -d0.11 -bp

You can verify aliases with the -bv switch:

$ sendmail -bv root

To run sendmail verbosely, use the -v switch:

$ cat /dev/null | sendmail -v root

Switching between python versions

If you've installed a different version of python via yum using pyvault repos, then you need to switch the default python back to the systems default to avoid problems with the OS packages.

Install the alternatives first:

# alternatives --install /usr/bin/python python /usr/bin/python2.3 100
# alternatives --install /usr/bin/python python /usr/bin/python2.4 24

where 100 and 24 are the priority numbers (Higher number prevailing).

Remove existing symlinks:

# rm /usr/bin/python

Configure the default:

# alternatives --config python

Or, set it to create automatically, which will use the highest priority:

# alternatives --auto python

Check with:

$ python -V

Fix for SSH timeouts on LinkSys WRT54GS wireless router

A recent storm surge killed my Belkin wireless router and was quickly replaced by a LinkSys WRT54GS wireless router. But, for some reason my ssh clients would time out due to inactivity of just a couple minutes. A quick fix was to include the below line in "/etc/ssh/ssh_config":

ServerAliveInterval 60

openvz user and quota issues

Recently, I've had a client who's had issues with uploading files and general functioning of the ISPConfig hosting control panel.

So the first thing I checked out was "/proc/user_beancounters", and everything seemed normal there.

Quick check with `vzquota` turned out that the inodes were maxed out.

Blocks and Inodes can also be checked/displayed within the container via `df -h` and `df -i`.

Additionally, since he had a lot of users, he was maxed out on the users limits too. Noticed that with `repquota -a` which pulled up a huge number of users.

Increasing the appropriate limits with vzctl on diskspace, diskinodes and quotaugidlimit resolved all issues.

makedepend on CentOS

Recently I've had to provide a developer with the makedep tool. It is available via imake rpm. However, it is deprecated and when installing automake and autoconf, it should automatically get installed as it is a required package by autoconf.

Metadata file does not match checksum

If getting the error "Metadata file does not match checksum", try running `

# yum clean metadata

`yum clean all` should also resolve the issue if the metadata fails.

Get a count of files/folder in a directory

$ ls -A1 /path/to/folder | wc -l

Lists out the files in a directory including hidden files in a single-column format and pipes it through a line count via wc.

Moving files around to include hidden files

Often times when moving files from one directory to another, specifically when dealing with web folders, I have missed out the all important .htaccess hidden files with just the usual `mv source/* destination` command.

Here's a one liner that will include the hidden files too:

$ ls -A <source> | while read i; do mv <source>/"$i" <destination>; done

Syndicate content
Comment