When I browse F5, "nginx" is consistently majuscule as "NGINX":
When browsing nginx.org, both "NGINX" and "nginx" are used:
When is it appropriate to use majuscule "NGINX" or minuscule "nginx"?
I have an Ubuntu 18.04 server with Postfix configured to send through a local network mail relay.
Only when a message is generated by cron does it include the following in the From: header:
From: [email protected] (Cron Daemon)
All other messages from the server are as expected:
From: [email protected]
This is causing an issue for the relay DKIM signing and seems out of conformance with RFC 5322. My reading of 3.4 and Appendix A.5 is that the address most likely should be:
From: <[email protected]> (Cron Daemon)
However, I may be misunderstanding the RFC and there is some other problem.
Here is the current configuration, which is pretty much just the default "satellite" configuration created by the postfix package:
postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
inet_interfaces = loopback-only
inet_protocols = ipv4
mailbox_size_limit = 0
mydestination = $myhostname, relayclient.example.com, localhost.example.com, localhost
myhostname = relayclient.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = 192.0.2.85
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
cat /etc/aliases:
# See man 5 aliases for format
postmaster: root
root: [email protected]
cat /etc/mailname:
relayclient.example.com
Is there a technical requirement (e.g., RFC) to serve a 404 response?
Or does some other problem emerge if requests not found are dropped or replies empty?
If there are multiple DS records with each using a different but RFC-compliant algorithm and digest type, is there any way to predict how real world validators will select one?
I've tried, for example, to review what the default behavior of BIND would be, but I'm not familiar enough to know where to start to understand how it would resolve.
Example:
A zone has the following valid DS record algorithm and digest types:
Algorithm | Digest type |
---|---|
13 | 2 |
7 | 2 |
8 | 4 |
How does a validator choose which DS record to use?
If I send an email from [email protected] with [email protected] in the DMARC record of subdomain.example.com, is it necessary to create a DMARC reports TXT record (e.g., subdomain.example.com._report._dmarc.example.com TXT "v=DMARC1")?
I recently enabled RUF reports for those requesting them, and it occurred to me that if someone wanted to, they could force my server to generate a lot of RUF reports for various domains.
Assuming my server is configured correctly, is it likely that I would earn a negative reputation if someone targeted the server to force it to send excessive RUF reports?
For SpamAssassin 3.4.2 I've added the below configuration ruleset to local.cf with the intent of providing a spam score for failed DMARC tests.
The DMARC and SPF Authentication-Results headers are created by opendmarc and the DKIM Authentication-Results header by opendkim.
The expected output is a score for all three header results added to the X-Spam-Report header.
The actual output is only for a domain that has p=reject or p=none with the appropriate score added to the X-Spam-Report header, but for p=quarantine nothing is added to the X-Spam-Report header even though the DMARC, DKIM and SPF Authentication-Results headers have been added as expected.
Added to /etc/spamassassin/local.cf:
ifplugin Mail::SpamAssassin::Plugin::AskDNS
  askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
  askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
  askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/
  meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
  score DMARC_REJECT 10
  meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
  score DMARC_QUAR 5
  meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
  score DMARC_NONE 0.1
endif # Mail::SpamAssassin::Plugin::AskDNS
What is wrong with the configuration?
Relevant config:
ssl_protocols TLSv1.2;
When I test the server at SSL Labs, the test reports that TLS 1.3 is available and lists the default ciphers and other results as if TLSv1.3 were included in my config.
Ubuntu Server 18.04.1, OpenSSL 1.1.1 11 Sep 2018, Nginx 1.14.1 built with OpenSSL 1.1.0g
How can I disable TLSv1.3?
I am using Piwik Analytics on a site that doesn't run any javascript and I would prefer to have data created from the access logs instead of from the image tracker - results from the logs are actually better because they can include static file downloads.
This is a LEMP server with Ubuntu 12.04 and nginx 1.4.5.
The Python script is located at /var/www/example1.com/public/piwik/misc/log-analytics/import-logs.py and would need to run with several options. The access log is located at /var/www/example2.com/logs/access.log.1.
The relevant portion of /etc/logrotate.d/nginx contains:
/var/www/*/logs/*.log {
    daily
    missingok
    rotate 36500
    compress
    delaycompress
    notifempty
    create 0640 www-data adm
    sharedscripts
    prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
            run-parts /etc/logrotate.d/httpd-prerotate; \
        fi; \
    endscript
    postrotate
        [ -s /run/nginx.pid ] && kill -USR1 `cat /run/nginx.pid`
    endscript
}
I don't know how to integrate a python script such that it will run at the end of this (after the rotations have completed).
Edit:
An additional issue I didn't consider initially is that this script only needs to run for one domain - the rest of the domains on the server do not require the script. The file above I created so that it would automatically rotate logs for all domains added to the server without my having to edit /etc/logrotate.d/nginx.
I have a mail server with Ubuntu Server 12.04, Postfix, Dovecot, and Postgrey, using MySQL (MariaDB) and managed through Postfix Admin.
I am looking for a way to automatically add outbound email recipients to the Postgrey whitelist.
I'm setting up a server on Rackspace for migrating an existing website to so I can have everything working before changing the DNS entry.
I had no problems getting the server to work at the IP address using the default setup. I then copied the original sites-available file, symlinked to it in sites-enabled, and copied the original index.html to a new folder. I set the sites-available root to the new folder and did chown -R www-data:www-data, chmod 775 on the folder, and chmod 664 on the file. After which I restarted Nginx.
When I bring up the IP address of the site, I get 404 Not Found.
Here is sites-available:
server {
    listen [::]:80 default_server;
    root /var/www/example.com/public/;
    index index.html index.htm;
    server_name localhost;
    location / {
        try_files $uri $uri/ =404;
    }
}
I just set up my first mail server on Ubuntu 12.04 LEMP server with Postfix and Dovecot using this guide, and it may have been the happiest day of my life to send an email to my Gmail account. The only problem was that the email ended up in the Gmail spam folder, so I went to work setting up SPF and DKIM. SPF is fine, but DKIM isn't working.
I installed opendkim, and followed the guide in this Ubuntu Community Help page. However, I did not install opendkim-tools as it caused a conflict and it seems opendkim has all of the necessary packages.
The problem is that the headers do not appear in sent emails. I have tried both the loopback port (SOCKET="inet:8891@localhost") and the unix domain socket (SOCKET="local:/var/run/opendkim/opendkim.sock") and neither option gets headers in the emails.
I have set up my firewall using ufw and allowing the apps that I have installed. In /etc/ufw/before.rules it has the default settings for loopback:
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
But I don't see these rules when I run iptables -L.
Even though I have a very limited understanding of these things, I feel my preference would be to have it set up for Unix domain sockets anyhow, but getting DKIM working through any method would be great.
(On a side note, it would be nice if there were a tag for opendkim - serverfault informed me it doesn't exist and I must have a score of 300 to create a new tag.)
I am following a serverfault response (skip to "You can have your cake and eat it too") about website permissions, and I can't get folder permissions 570 to work as expected. I have verified I'm a member of the group and permissions are 570, but I can't even access the directory.
Here is an example of what I'm trying to do:
mkdir newfolder
chown lesseruser newfolder
chgrp greaterusers newfolder
chmod 570 newfolder
I am a member of greaterusers (verified in /etc/group) and I cannot access the directory.
Output ll: dr-xrwx--- 2 lesseruser greaterusers
Will wonders never cease. I just rebooted the server and everything works as expected. Strange, but for sure I'll reboot the next time before posting. Thanks for the help.