starbeamrainbowlabs's questions

I'm using Unbound on an internal network What I want it to do is as follows:

1. If a local_zone matches, return from there
2. If not and it matches the internal domain name, then try forwarding to Consul on 127.0.0.1:8600
3. If not, then forward to Cloudflare on 1.0.0.1:853 (DNS-over-TLS)

For example if example.com is the internal domain name, if I try to resolve foo.example.com it should try steps #1, #2, and finally 3 if it doesn't match:

1. foo.example.com can't be found in any local_zones, move on
2. foo.example.com can't be resolved by Consul, move on
3. foo.example.com was resolved by Cloudflare, return result

My problem is that step 3 is not performed correctly. For example, the above demonstration currently looks like this:

1. foo.example.com can't be found in any local_zones, move on
2. foo.example.com can't be resolved by Consul, return failure

In step #2 there it should not return a failure - instead it should fallback to trying Cloudflare.

How can I get unbound to fallback to forwarding to another DNS server if resolution fails when forwarding to a given server?

My current config is as follows:

# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"

server:
    interface: 0.0.0.0
    interface: ::0

    ip-freebind: yes

    # Access control - default is to deny everything apparently

    # The local network
    access-control: 172.16.230.0/24 allow
    # The docker interface
    access-control: 172.17.0.1/16 allow

    username: "unbound"

    harden-algo-downgrade: yes
    unwanted-reply-threshold: 10000000

    private-domain: "example.com"

    prefetch: yes

    # Service expired cached responses, but only after a failed 
    # attempt to fetch from upstream, and 10 seconds after 
    # expiration. Retry every 10s to see if we can get a
    # response from upstream.
    serve-expired: yes
    serve-expired-ttl: 10
    serve-expired-ttl-reset: yes

    local-zone: "example.com." transparent
    local-data: "foo.example.com.   IN A 172.16.230.100"
    local-data: "bar.example.com.   IN A 172.16.230.101"

    local-data-ptr: "172.16.230.100 foo.example.com."
    local-data-ptr: "172.16.230.101 bar.example.com."

    fast-server-permil: 500

# Forward to consul
stub-zone:
    name: "example.com."
    stub-addr: 127.0.0.1@8600
    stub-first: yes

forward-zone:
    name: "."
    # Cloudflare DNS
    forward-addr: 1.0.0.1@853
    # DNSlify - ref https://www.dnslify.com/services/resolver/
    forward-addr: 185.235.81.1@853
    forward-ssl-upstream: yes

I've got an dedicated server hosted by KimSufi that's running Ubuntu Server 18.04. While I've goto both an IPv4 address and an IPv6 address, I keep getting random dropouts on IPv6. Doing a ping -6 google.com when it's dropped out yields this:

Network is unreachable

If I try sudo ifup eth0`, then I get this:

RTNETLINK answers: File exists Failed to bring up eth0.

...as the interface is already up - just IPv4 only. By executing ifup -n eth0 however, I can see a list of commands it executes when bringing the interface up. In particular, executing the following command appears to fix the issue temporarily:

/sbin/ip -family inet6 route add default via 2001:41d0:e:07ff:ff:ff:ff:ff

....then (after a bit of a delay), testing via ping -6 google.com works again.

However, it drops out again randomly soon after.

Does anyone know what's going on, and how I can stop the default IPv6 route from disappearing?

Edit: The IPv6 section of /etc/network/interfaces looks like this:

iface eth0 inet6 static
    address 2001:41d0:e:074b::1
    netmask 128
    dns-nameservers 2001:41d0:3:163::1
    post-up /sbin/ip -family inet6 route add 2001:41d0:e:07ff:ff:ff:ff:ff dev eth0
    post-up /sbin/ip -family inet6 route add default via 2001:41d0:e:07ff:ff:ff:ff:ff
    pre-down /sbin/ip -family inet6 route del default via 2001:41d0:e:07ff:ff:ff:ff:ff
    pre-down /sbin/ip -family inet6 route del 2001:41d0:e:07ff:ff:ff:ff:ff dev eth0

I've got a nice little mail server setup (running Ubuntu Server 16.04) that works a treat. It uses postfix as SMTP, which uses dovecot (IMAP) as an authentication source for virtual mailbox users.

It's been working fine, but now I have a second server in another location (with a dynamic IP address), which I'd like to be able to send mail through my main mail server. I've seen a guide on setting it up in authenticated-relay mode, and am part-way through the process, but then I realised that I'd need a send-only email account for it to authenticate against, as I don't want it to be able to receive mail and fill up the server's hard drive (I won't check the inbox!).

How can I create a new email account in my virtual users setup that doesn't have a mailbox, but can still connect via SMTP and send emails?

I've just been moving a postfix mail server to a different box, and I'm having trouble getting postfix to talk opendkim via a unix socket. The opendkim socket is located at /var/run/opendkim/opendkim.sock:

srwxrwxr-x 1 opendkim opendkim 0 Aug 14 15:11 /var/run/opendkim/opendkim.sock=

....but postfix can't see it. Here's a line from /var/log/mail.log:

Aug 14 15:13:04 new postfix/smtpd[23954]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory

Here is the line from my /etc/postfix/main.cf:

smtpd_milters = inet:127.0.0.1:11444 unix:/var/run/opendkim/opendkim.sock

Does anyone have any ideas as to what is causing the problem? I have googled around a bit, but I can't find any solutions that work.

Update: I'm using Postfix 3.1.0-3. Here's my uname -a:

Linux starbeamrainbowlabs.com 3.14.32-xxxx-grs-ipv6-64 #7 SMP Wed Jan 27 18:05:09 CET 2016 x86_64 x86_64 x86_64 GNU/Linux

I have my own email server, and I'd like to be able to use dynamic email address tagging. I added the recipient_delimiter = +- directive to my config and restarted postfix, but now if I email [email protected] for example, the email will be bounced with the error "Unknown User". If I email [email protected], the email is delivered to the webmaster account as expected.

Here's my postfix config:

## These are all default Postfix settings that we won't change
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
inet_interfaces = all
mailbox_command = /usr/lib/dovecot/deliver -c
    /etc/dovecot/conf.d/01-mail-stack-delivery.conf -m "${EXTENSION}"
mailbox_size_limit = 0
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +-
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_random_source = dev:/dev/urandom

## Settings below this line are things we're modifying or adding

## Your mail server identity options
myhostname = mail.starbeamrainbowlabs.com
#mydestination = localhost, starbeamrainbowlabs.com,
#    localhost.starbeamrainbowalabs.com
# 89.107.190.141 = cross-code central
mynetworks = 127.0.0.0/8 192.168.0.0/24 [::ffff:127.0.0.0]/104 [::1]/128 89.107.190.141

## Customized smtpd paramters
smtpd_banner = $myhostname ESMTP
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access
    #reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    #reject_unknown_helo_hostname,
    #warn_if_reject, # warn us instead of actually blocking them
    permit
smtpd_sender_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    #reject_unknown_sender_domain,
    reject_sender_login_mismatch
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_client_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination, 
    reject_invalid_hostname,
    reject_non_fqdn_sender
smtpd_sender_login_maps = $virtual_mailbox_maps

## Dealing with rejection: use permanent 550 errors to stop retries
unknown_address_reject_code = 550
unknown_hostname_reject_code = 550
unknown_client_reject_code = 550

## customized TLS parameters
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/private/chain/www-mail.starbeamrainbowlabs.com.pem
smtpd_tls_key_file = /etc/ssl/private/key/decrypted/www-mail.starbeamrainbowlabs.com.key
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_ciphers = high
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s


## Customized Dovecot and virtual user-specific settings
canonical_maps = hash:/etc/postfix/canonical
home_mailbox = Maildir/
message_size_limit = 104857600
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_domains = hash:/etc/postfix/virtual-mailbox-domains
virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox-users
virtual_transport = dovecot

## This setting will generate an error if you restart Postfix before
## adding the appropriate service definition in master.cf, so make
## sure to get that taken care of!
dovecot_destination_recipient_limit = 1

## Customized milter settings
milter_default_action = accept
milter_connect_macros = j {daemon_name} v {if_name} _
non_smtpd_milters = $smtpd_milters
smtpd_milters = inet:127.0.0.1:11444 unix:/opendkim/opendkim.sock

## Other customized mail server settings
default_destination_concurrency_limit = 5
disable_vrfy_command = yes
relay_destination_concurrency_limit = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may

From /etc/postfix/master.cf, I have this defining Dovecot:

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver
  -f ${sender} -d ${recipient}

I also have definitions for ifmail, bsmtp, scalemail-backend, mailman, uucp, scache, maildrop, and a bunnch of others, but I'm not entirely sure what they all do.

Does anyone know what is going on here and how I can fix it please?

I'm using virtual mailboxes.

I am taring and then compressing a bunch of files&directories on my Ubuntu Server VPS for a backup. It only has 1GB of RAM and 128MB of Swap (I can't add more - OVH use OpenVZ as their virtualisation software), and every time tar runs it uses a ton of memory for it's buffer, causing everything else to get swapped out - even when using nice -n 10.

Is there any way to force tar to use a small buffer and reduce it's memory usage? I am worried that once the backup gets to be a certain size, my server will go down because tar won't have enough memory for it's buffer.

I am using bzip2 to compress, and I have already limited it's memory usage with the -4 option.

Edit: Here is what htop looks like when I have had tar running for a while:

Here is a link to the full gif

Edit 2: Here is the tar command I am using:

nice -n 20 tar --exclude "*node_modules*" --exclude "*.git/*" --exclude "/srv/www-mail/rainloop/v*"  -cf archive.tar /home /var/log /var/mail /srv /etc

Recently I opened my server's webmaster email inbox and found 32 "Delivery status notification failed" emails reporting the failure of the delivery of 32 emails I did not send.

After some investigation I have determined that several IP addresses are attempting to impersonate my web server by sending emails from random email addresses (that don't exist) using their own mail servers.

I have a tight SPF record set:

 v=spf1 a mx ptr ip4:37.187.192.179 ip6:2001:41d0:52:a00::68e a:starbeamrainbowlabs.com a:mail.starbeamrainbowlabs.com -all

My Question: Do these spammers attempting to impersonate my mail server impact my mail server's reputation? Will I get added to some blacklists and then be unable to send emails to certain domains?

I have an IIS web server on my local network for development purposes, and I want to disable all caching mechanisms. IIS seems to be caching everything, even when I disable output caching like so:

I have set the above at the root of my webserver.

The weird thing is that I need to request a file a few times before it starts caching it.

I know that it can't be a client side related issue as I checked that they were requesting a fresh copy from the server each time.

Example of what I did:

1. I create a HTML file
2. I navigate to the above HTML file on the server (e.g. http://example/path/to/file/test.html) in my browser, and refresh the page a few times.
3. I change the HTML file on the disk
4. I refresh the page in my browser again, but I still see the old HTML file, and not the new one that I had saved to the disk in step 3.

IIS version: 7.5, Windows version: Windows 7

Can anyone help me please?

I have a local LightTPD server running on my windows 7 computer.

I have SSL set up and it works - but every time I request a document from the SSL part of the server I get the following on the logging window:

2013-03-17 19:11:05: (connections.c.1721) SSL (error): 5 -1 113 Software caused
connection abort

Related lighthttpd.conf lines:

$SERVER["socket"] == ":444" {
   ssl.engine    = "enable" 
   ssl.pemfile   = cert_dir + "/server.pem" 
}

Do I need to worry about it and is there any way that I can stop it from doing this?