Toto's questions

We have a classified ads website. Buyers can contact sellers. The message is directly generated on the site (php7) and sent to the user by email.

If we follow the recommandations from openspf, we have these 2 solutions:

Solution 1

Return-path: [email protected]
Sender: [email protected]
From: [email protected]
Subject: I am interessted
To: [email protected]

Solution 2

Return-Path: [email protected]
From: [email protected]
Reply-To: [email protected]
Subject: I am interessted
To: [email protected]

These work okish with spf but:

Solution 1 is simply rejected by domains having a strict DMARC policy (p=reject), for exemple yahoo.com:

v=DMARC1; p=reject; pct=100; rua=mailto:[email protected];

Solution 2 is less and less working. When replying many mobile phones (Chinese brands) and email clients do not consider Reply-To but only From. Also, for exemple Gmail displays an enormeous warning message which scares users.

Be careful with this message
This email claims to come from my-classified-ads-website.com, but replies will go
to an email address at another domain. Avoid replying to this email
unless you reach out to the sender by other means to ensure that
this email address is legitimate.

Is there a solution?

(We would like to avoid a solution like craigslist or obliging users to use an internal message solution a-la-facebook).

We have a webserver which is hosted outside our office.

The firewall of the server limits the access (ssh, sftp, etc) by ip; only the public static ips of our office can access it.

Our problem is that the responsible person has to come to the office to work in case of emergency. We would like to find a solution to allow him to work without the location constraint.

Unfortunately our VDSL router (Zyxel P-870HN-51b) has not VPN capabilities.

We were simply thinking about buying a firewall (ZyXEL ZyWALL USG 40) and have it setup in our office so the remote employee would "get" a whitelisted public ip.

Is it a safe solution? Or would you advice something totally different?

Doing a top to check the io wait, I get these figures:

Cpu(s):  6.7%us,  1.4%sy,  1.2%ni, 85.5%id,  5.0%wa,  0.0%hi,  0.3%si,  0.0%st

Looking at these figures (%us ~= %wa), do they mean that:

1. there are almost as many CPU processes waiting than working? (=> bad)
2. the working processeses are waiting 5,0% of their execution plan? (=> ok in this case)
3. something else

We see errors like this in the apache error log:

[Thu May 17 14:32:35 2012] [error] [client 192.168.1.1] File does not exist:
/home/www-data/mywebsite.com/r/cache, referer: http://www.mywebsite.com/r/1010

It is strange because:

1. There is no reference in the code/url about a folder/file "cache".
2. The folder/file "cache" does not exist
3. The client is randomly trying to access a "cache" folder everywhere on the website.
4. It is always trying to access the folder/file "cache" following this pattern:

Pattern:

/level1/.../levelwhatever/filename (referer)
/level1/.../levelwhatever/cache

We run a LAMP (Debian stable: PHP 5.3.3-7+squeeze9. We also use APC 3.1.3p1). We use Google Analytics and AdSense.

We do not know how to reproduce the problem.

Note: I replaced the user's IP in the code for privacy.

I see different locations to store self-signed SSL certificates for Apache.

Which one should be used in which case?

1. /etc/ssl/certs/ (pem file) + /etc/ssl/private/ (for key file)
2. /etc/apache2/ssl/

I run Ubuntu 10.04 and installed a LAMP stack with a "satellite" Postfix (used as a relay for my ISP's smtp).

In php.ini, I kept the sendmail pass to default so with -t -i arguments:

;sendmail_path =

I send emails like this:

$headers  = 'From: [email protected]' . "\r\n";
$headers .= 'Reply-To: [email protected]' . "\r\n";
$headers .= 'Return-Path: [email protected]';

mail('[email protected]', 'Email title', 'Text of the body.', $headers);

The emails recieved have this in the body (It should be in the header):

Reply-To: [email protected] 
Message-Id: <[email protected]>
Date: Thu, 27 Oct 2011 23:02:18 +0200 (CEST)

How can we fix that?

Note: The emails are working properly on other installs: Gentoo with qmail or Windows with smtp set to my isp's in the php.ini.

Here is the full header:

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: (qmail 28922 invoked from network); 27 Oct 2011 23:00:55 +0200
Received: from zhhdzmsp-mail12.myisp.com (1.2.3.5)
  by www.mydomain.com with SMTP; 27 Oct 2011 23:00:55 +0200
Return-Path: <[email protected]>
X-FXIT-IP: IPv4[1.2.3.4] Epoch[1319888334]
Received: from [1.2.3.4] ([1.2.3.4:17957] helo=dev.mydomain.com)
    by zhhdzmsp-mail12.myisp.com (envelope-from <[email protected]>)
    (ecelerity 2.2.3.46 r()) with ESMTP
    id 6E/C0-28209-6D6C9AE4; Thu, 27 Oct 2011 21:02:14 +0000
Received: by dev.mydomain.com (Postfix, from userid 33)
    id 6F32440DE7; Thu, 27 Oct 2011 23:02:18 +0200 (CEST)
To: [email protected]
Subject: Email Title
X-PHP-Originating-Script: 1000:helpdesk.php
From: [email protected]

I have a "content" website that some leechers and 419 scammers love to crawl agressively which also generates costs and performance issue. :( I have no choice: I need to prevent them to access the sitemap files and index. :(

I am doing the same as Facebook: I generate a sitemap index on the fly (/sitemap.php). I whitelisted the "good" crawlers with DNS reverse lookup (PHP) and agent check (Same as Stackoverflow). To prevent whitelisted engines to make the sitemap index content public I added that header (Stackoverflow forgot it):

header('Content-type: application/xml; charset="UTF-8"', true);
header('Pragma: no-cache');
header('X-Robots-Tag: NOARCHIVE');

Question 1: Am I missing something to protect the sitemap index file?

Question 2: The problem comes from the static sitemap (.xml.gz) files generated. How can I protect them? Even if they have a "hard to guess" name, they can be found easily with a simple google query (example: "site:stackoverflow.com filetype:xml") and I have a very limited access to .htaccess.

EDIT: This is not a server config issue. Prefered language is PHP.

EDIT 2: Sorry, this is pure programmatic question, but it has been transfered from SO and I cannot close/delete it. :(

Some emails I send (from php) are returned by hotmail with this message:

<[email protected]>:
User and password not set, continuing without authentication.
65.55.92.136 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.55.92.136.

I understand that the recipient has no mailbox. But what does that mean:

"User and password not set, continuing without authentication."

And what can I do to avoid it?

I use linux/qmail.

EDIT : I am not using hotmail to send emails. I am sending emails to some hotmail users.

I use vpopmail and qmail on a Gentoo.

I have the domain "toto.com" (exemple) and need to delete the double bounces which are 99,99999% SPAMs. (I do not want to delete the "simple" bounces).

I can do this:

echo toto.com > /var/qmail/control/doublebouncehost
echo doublebounce > /var/qmail/control/doublebouncto
echo "#" > ~vpopmail/domains/toto.com/.qmail-doublebounce

Or:

Create a dummy email adress ([email protected]) and add it to the file /var/qmail/control/doublebounceto. Then add |exit 0 to /var/qmail/mailnames/toto.com/ihateit/.qmail

A) Which solution is more adapted to delete these hated SPAMs/double bounced emails?

B) What are the differences between the 2 solutions? (outgoing traffic? performance? etc).

Thanks for your great help.

I run a Gentoo (LAMP server) with a qmail.

I see that the folder /var/qmail/alias/.maildir/new/ contains 100'000s of files.

Do you know how I can have them purged automatically?

Thanks for your great help.

EDIT: I checked the files (+400k actually). They are from 2004-today. They all have the same header (toto.com is a replacement of the real domain):

Return-Path: <#@[]>
Delivered-To: [email protected]
Received: (qmail 27514 invoked for bounce); 17 Sep 2009 15:46:37 +0200
Date: 17 Sep 2009 15:46:37 +0200
From: [email protected]
To: [email protected]
Subject: failure notice

If I use outlook and check the account postmaster I do not see them.