Amedee Van Gasse's questions

Using Packer to build an AMI based on Windows Server 2019, and Ansible as provisioner.

This is the provisioners part of my packer-build.json:

    "provisioners": [
        {
            "type": "ansible",
            "playbook_file": "./provisioners/ansible/ansible_playbook.yml",
            "user": "Administrator",
            "use_proxy": false,
            "extra_arguments": ["-e", "ansible_winrm_server_cert_validation=ignore"]
        }
    ]

This is my ansible_playbook.yml:

---
- name: Jenkins node playbook
  hosts: all
  tasks:
    - include_tasks: update_system.yml
    - include_tasks: install_dependencies.yml
    - include_tasks: create_user.yml

I can confirm that at least update_system.yml and install_dependencies.yml run successfully.

This is my create_user.yml:

---

- name: Ensure user jenkins is present
  ansible.windows.win_user:
    name: jenkins
    password: ***REDACTED***
    state: present
    groups:
      - Users

.
.
.

I get an error at this point:

amazon-ebs: TASK [Ensure user jenkins is present] ******************************************

amazon-ebs: fatal: [default]: UNREACHABLE! => {"changed": false, "msg": "basic: Illegal operation attempted on a registry key that has been marked for deletion. (extended fault data: {'transport_message': 'Bad HTTP response returned from server. Code 500', 'http_status_code': 500, 'wsmanfault_code': '2147943418', 'fault_code': 's:Receiver', 'fault_subcode': 'w:InternalError'})", "unreachable": true}

Googling "ansible Illegal operation attempted on a registry key that has been marked for deletion" did not yield anything useful.

While writing this question, I tried to reproduce the issue, and to get quicker results, I changed ansible_playbook.yml from

---
- name: Jenkins node playbook
  hosts: all
  tasks:
    - include_tasks: update_system.yml
    - include_tasks: install_dependencies.yml
    - include_tasks: create_user.yml

to

---
- name: Jenkins node playbook
  hosts: all
  tasks:
    - include_tasks: create_user.yml
    - include_tasks: update_system.yml
    - include_tasks: install_dependencies.yml

so putting create_user.yml first.

Result: the error could no longer be reproduced.

Then I restored to the original configuration, and I also no longer had the error.

That does not make any sense at all to me, and I don't trust it. Sounds like a Heisenbug to me.

What is this error and how can I make absolutely sure that it doesn't occur again?

@Semicolon asked in the comments for the contents of update_system.yml and install_dependencies.yml.

---

- name: Install all critical and security updates
  win_updates:
    category_names:
      - CriticalUpdates
      - SecurityUpdates
    state: installed
  register: update_result

- name: Reboot host if required
  win_reboot:
  when: update_result.reboot_required

---

- name: Install AWS CLI
  win_shell: Import-Module AWSPowerShell

- name: install the Win32-OpenSSH service
  win_chocolatey:
    name: openssh
    package_params: /SSHServerFeature
    state: present

- name: Install required software
  win_chocolatey:
    name: '{{ item }}'
    state: present
  loop:
    - openjdk11
    - maven
    - git
    - ghostscript
    - imagemagick
    - nodejs
    - nuget.commandline
    - visualstudio2017buildtools

I have created a Windows Server 2019 AMI using Packer, and Ansible as provisioner.

I have added a user jenkins, and copied SSH files (public/private key, known_hosts, authorized_keys) to C:\Users\jenkins\.ssh.

This is the relevant part of my Ansible playbook:

    - name: Ensure user jenkins is present
      ansible.windows.win_user:
        name: jenkins
        password: ***REDACTED***
        state: present
        groups:
          - Users

    - name: Create directory structure
      ansible.windows.win_file:
        path: C:\Temp\
        state: directory

    - name: Allow write and execute access to User jenkins
      ansible.windows.win_acl:
        user: jenkins
        path: C:\Temp
        type: allow
        rights: ExecuteFile,Write

    - name: Copy SSH keys
      ansible.windows.win_copy:
        src: ./files/.ssh
        dest: C:\Users\jenkins
      vars:
        ansible_become_user: jenkins
        ansible_become_password: ***REDACTED***
        # The tmp dir must be set when using win_copy as another user
        # This ensures the become user will have permissions for the operation
        # Make sure to specify a folder both the ansible_user and the become_user have access to (i.e not %TEMP% which is user specific and requires Admin)
        ansible_remote_tmp: C:\Temp

I start an EC2 instance from this AMI.

I login with ssh:

ssh -i ~/.ssh/***REDACTED***.pem jenkins@ec2-***REDACTED***.compute.amazonaws.com -vvv

I am not logged in with the SSH key, but I can login with the password.

This is the SSH debug log:

debug3: load_hostkeys: loaded 1 keys from ***REDACTED***
debug1: Host 'ec2-***REDACTED***.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /home/amedee/.ssh/known_hosts:161
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/amedee/.ssh/***REDACTED***.pem  explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/amedee/.ssh/***REDACTED***.pem
debug3: sign_and_send_pubkey: RSA SHA256:3OWWXRDheAUWZ9kxRiSJPvwFy1/Nh3//CdbLirDuFSM
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:3OWWXRDheAUWZ9kxRiSJPvwFy1/Nh3//CdbLirDuFSM
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: 
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
jenkins@***REDACTED***.compute.amazonaws.com's password:

I am then greeted by Windows in this way:

Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

jenkins@EC2AMAZ-ELNOCH3 C:\Users\jenkins.EC2AMAZ-ELNOCH3>

So I am not logged in as user jenkins but as user jenkins.EC2AMAZ-ELNOCH3.

A user jenkins also exists:

jenkins@EC2AMAZ-ELNOCH3 C:\Users\jenkins.EC2AMAZ-ELNOCH3>dir .. 
 Volume in drive C has no label.
 Volume Serial Number is E43B-9F7E

 Directory of C:\Users

12/11/2020  02:19 PM    <DIR>          .
12/11/2020  02:19 PM    <DIR>          ..
12/11/2020  01:51 PM    <DIR>          Administrator
12/11/2020  02:02 PM    <DIR>          jenkins
12/11/2020  02:22 PM    <DIR>          jenkins.EC2AMAZ-ELNOCH3 
12/12/2018  07:45 AM    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  12,552,163,328 bytes free

and it has the SSH files that I copied using Ansible:

jenkins@EC2AMAZ-ELNOCH3 C:\Users\jenkins.EC2AMAZ-ELNOCH3>dir ..\jenkins\.ssh
 Volume in drive C has no label.
 Volume Serial Number is E43B-9F7E

 Directory of C:\Users\jenkins\.ssh

12/11/2020  02:02 PM    <DIR>          .
12/11/2020  02:02 PM    <DIR>          ..
11/13/2020  10:57 AM             1,221 authorized_keys    
11/13/2020  10:57 AM             1,675 id_rsa
11/13/2020  10:57 AM               401 id_rsa.pub
11/13/2020  10:57 AM             7,962 known_hosts        
               4 File(s)         11,259 bytes
               2 Dir(s)  12,552,081,408 bytes free

When I try an SSH connection with this .EC2AMAZ-ELNOCH3 appended to the username, then I can't login with a password:

ssh -i ~/.ssh/***REDACTED***.pem jenkins.EC2AMAZ-ELNOCH3@ec2-***REDACTED***.compute.amazonaws.com -vvv
.
.
.
debug1: Next authentication method: password
jenkins.EC2AMAZ-ELNOCH3@ec2-***REDACTED***.compute.amazonaws.com's password: 
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
jenkins.EC2AMAZ-ELNOCH3@ec2-***REDACTED***.compute.amazonaws.com's password:

When I am logged in as user jenkins.EC2AMAZ-ELNOCH3, I copy the files from C:\Users\jenkins\.ssh\ to C:\Users\jenkins.EC2AMAZ-ELNOCH3\.ssh\ and break the connection. Next time I login with SSH, passwordless login works, which proves that my SSH keys are correct but are in the wrong directory.

I don't want this user jenkins.EC2AMAZ-ELNOCH3 to exist. How can I make sure that only the user jenkins exists?

FYI I am only familiar with Linux, so if your answer contains advanced Windows terminology, then please elaborate. The last Windows version I used, was Windows 3.11. This is also the first time that I'm doing anything with Ansible, but I feel pretty confident that I understand the gist of it.

I am installing Gitlab-ce Omnibus in a Vagrant box (Debian 18.04 LTS). In my provisioning script, I run gitlab-ctl reconfigure. I get an error:

initdb: encoding mismatch

Console output:

default: * execute[/opt/gitlab/embedded/bin/initdb -D /var/opt/gitlab/postgresql/data -E UTF8] action run
default: 
default:     [execute] The files belonging to this database system will be owned by user "gitlab-psql".
default:               This user must also own the server process.
default:               
default:               The database cluster will be initialized with locale "en_US".
default:               initdb: encoding mismatch
default:               The encoding you selected (UTF8) and the encoding that the
default:               selected locale uses (LATIN1) do not match.  This would lead to
default:               misbehavior in various character string processing functions.
default:               Rerun initdb and either do not specify an encoding explicitly,
default:               or choose a matching combination.
default:     
default: 
default:     
default: ================================================================================
default:     
default: Error executing action `run` on resource 'execute[/opt/gitlab/embedded/bin/initdb -D /var/opt/gitlab/postgresql/data -E UTF8]'
default:     
default: ================================================================================
default:     
default: 
default: 
default:     
default: Mixlib::ShellOut::ShellCommandFailed
default:     
default: ------------------------------------
default:     
default: Expected process to exit with [0], but received '1'
default: 
default:     
default: ---- Begin output of /opt/gitlab/embedded/bin/initdb -D /var/opt/gitlab/postgresql/data -E UTF8 ----
default: 
default:     
default: STDOUT: The files belonging to this database system will be owned by user "gitlab-psql".
default: 
default:     
default: This user must also own the server process.
default:     
default:     The database cluster will be initialized with locale "en_US".
default:     STDERR: initdb: encoding mismatch
default:     The encoding you selected (UTF8) and the encoding that the
default:     selected locale uses (LATIN1) do not match.  This would lead to
default:     misbehavior in various character string processing functions.
default:     Rerun initdb and either do not specify an encoding explicitly,
default:     or choose a matching combination.
default:     ---- End output of /opt/gitlab/embedded/bin/initdb -D /var/opt/gitlab/postgresql/data -E UTF8 ----
default:     Ran /opt/gitlab/embedded/bin/initdb -D /var/opt/gitlab/postgresql/data -E UTF8 returned 1
default:     
default:     Resource Declaration:
default:     ---------------------
default:     # In /opt/gitlab/embedded/cookbooks/cache/cookbooks/postgresql/recipes/enable.rb
default:     
default:      80: execute "/opt/gitlab/embedded/bin/initdb -D #{postgresql_data_dir} -E UTF8" do
default:      81:   user postgresql_username
default:      82:   not_if { pg_helper.bootstrapped? }
default:      83: end
default:      84: 
default:     
default:     Compiled Resource:
default:     ------------------
default:     # Declared in /opt/gitlab/embedded/cookbooks/cache/cookbooks/postgresql/recipes/enable.rb:80:in `from_file'
default:     
default:     execute("/opt/gitlab/embedded/bin/initdb -D /var/opt/gitlab/postgresql/data -E UTF8") do
default:       action [:run]
default:       default_guard_interpreter :execute
default:       command "/opt/gitlab/embedded/bin/initdb -D /var/opt/gitlab/postgresql/data -E UTF8"
default:       backup 5
default:       returns 0
default:       user "gitlab-psql"
default:       declared_type :execute
default:       cookbook_name "postgresql"
default:       recipe_name "enable"
default:       domain nil
default:       not_if { #code block }
default:     end
default:     
default:     System Info:
default:     ------------
default:     chef_version=13.6.4
default:     platform=ubuntu
default:     platform_version=18.04
default:     ruby=ruby 2.3.7p456 (2018-03-28 revision 63024) [x86_64-linux]
default:     program_name=/opt/gitlab/embedded/bin/chef-client
default:     executable=/opt/gitlab/embedded/bin/chef-client
default:     
default: Recipe: gitlab::gitlab-rails
default:   
default: * execute[clear the gitlab-rails cache] action run
default: 
default:     - execute /opt/gitlab/bin/gitlab-rake cache:clear
default: 
default: 
default: Recipe: gitlab::redis
default:   * ruby_block[restart redis svlogd configuration] action create
default: 
default:     - execute the ruby block restart redis svlogd configuration
default:   * ruby_block[reload redis svlogd configuration] action create
default:     
default: - execute the ruby block reload redis svlogd configuration
default: 
default: 
default: 
default: Running handlers:
default: There was an error running gitlab-ctl reconfigure:
default: execute[/opt/gitlab/embedded/bin/initdb -D /var/opt/gitlab/postgresql/data -E UTF8] (postgresql::enable line 80) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
default: ---- Begin output of /opt/gitlab/embedded/bin/initdb -D /var/opt/gitlab/postgresql/data -E UTF8 ----
default: STDOUT: The files belonging to this database system will be owned by user "gitlab-psql".
default: This user must also own the server process.
default: 
default: The database cluster will be initialized with locale "en_US".
default: STDERR: initdb: encoding mismatch
default: The encoding you selected (UTF8) and the encoding that the
default: selected locale uses (LATIN1) do not match.  This would lead to
default: misbehavior in various character string processing functions.
default: Rerun initdb and either do not specify an encoding explicitly,
default: or choose a matching combination.
default: ---- End output of /opt/gitlab/embedded/bin/initdb -D /var/opt/gitlab/postgresql/data -E UTF8 ----
default: Ran /opt/gitlab/embedded/bin/initdb -D /var/opt/gitlab/postgresql/data -E UTF8 returned 1
default: Running handlers complete
default: 
default: Chef Client failed. 141 resources updated in 01 minutes 00 seconds
The SSH command responded with a non-zero exit status. Vagrant
assumes that this means the command failed. The output for this command
should be in the log above. Please read the output to determine what
went wrong.

Already tried, didn't help:

cat > /etc/default/locale <<EOF
LC_ALL=en_US.UTF-8
LANG=en_US.UTF-8
LANGUAGE=en_US.UTF-8
EOF

localedef -v -c -i en_US -f UTF-8 en_US.UTF-8 || true

I have non-root access to a headless Debian server that runs Jenkins. I want to build Unity3D on that Jenkins, which requires me to install Xvfb. Because it is a headless server, X11 is not installed, and because I don't have root access, I can't install software.

To get around this, I installed Linuxbrew, which is a Linux port of Homebrew, which allows you to install software in your $HOME and which does not require root access, as suggested in this ServerFault answer.

However, when I do

brew search xvfb

then I don't get any results, which means no Xvfb in Linuxbrew. The search is case-insensitive.

What other options do I have to install Xvfb without having root access?

I want to forward port 22 (ssh) to port 7999 (where bitbucket is running) only for user git, and use the normal sshd for every other user. I looked at HAProxy for the ssh forwarding, but that doesn't let me differentiate per user.

How do I configure this on the server? I don't want each individual client to configure a ProxyCommand in their .ssh/config.

EDIT

Let's ignore for a while all that I have written below and refrase the question: If you have your own domain name and you want to get email for that domain into your Gmail inbox (not Google Apps), how would YOU do it? Preferably SMTP only, without using POP3.

ORIGINAL QUESTION:

• I have several vanity domain names, one of them is amedee.be.
• I am running a Debian server on an Amazon AWS host, with Postfix.
• I have also installed SpamAssassin and I have confirmed that it takes care of the most obvious spam.
• I am using Procmail to forward mail to Gmail.
• I am using the best practices as described by Google: https://support.google.com/a/answer/175365?hl=en

Most email arrives just fine, which is unlike in the Similar Questions that ServerFault suggests, where it is all or nothing. But more often than I would like (about 1 in 20), I get this in /var/log/mail.log:

Nov 30 15:01:39 ip-172-31-51-67 postfix/smtp[29724]: 4B72563149: 
  to=<[email protected]>, 
  relay=gmail-smtp-in.l.google.com[74.125.22.26]:25, 
  delay=2657, 
  delays=2657/0.2/0.07/0.18, 
  dsn=5.7.1, 
  status=bounced (host gmail-smtp-in.l.google.com[74.125.22.26] said: 
    550-5.7.1 [52.0.177.1037] Our system has detected that this message is 
    550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 
    550-5.7.1 this message has been blocked. Please visit 
    550 5.7.1 https://support.google.com/mail/answer/188131 for more information. 
  y66si45484104qhc.73 - gsmtp (in reply to end of DATA command))

I have verified that it is most definitely not spam. When the same mail is sent to Gmail directly, it arrives.

I don't know if it is a coincidence, but I started noticing this around the time when I moved my server from Hetzner to AWS. I have been using this setup for a few years and it's only in the last 2 months that emails gets lost. The strange thing is, the Postfix and Procmail configs on my old and new server are identical.

Other related questions mention DKIM and SPF, which I would have to investigate what those letters mean, but in the past I haven't used that and it works, so first I would like to rule out other obvious causes.

/etc/postfix/main.cf

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/checks/body_checks
broken_sasl_auth_clients = yes
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/checks/header_checks
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
local_destination_concurrency_limit = 1
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0

# If you can't deliver it in two hours - it can't be delivered!
#bounce_queue_lifetime = 2h
#maximal_queue_lifetime = 3h
#queue_run_delay = 3m
#minimal_backoff_time = 5m
#maximal_backoff_time = 10m

message_size_limit = 0
mime_header_checks = regexp:/etc/postfix/checks/mime_header_checks
mydestination =
        styx,
        styx.amedee.be,
        ip-172-31-51-67.ec2.internal,
        localhost.ec2.internal,
        localhost,
        intrepid,
        intrepid.exabyte.be,
        intrepid.amedee.be,
        mail.amedee.be,
        mx.amedee.be,
        localhost.localdomain,
        localhost.amedee.be,
        amedee.be,
        amed.ee,
        vangasse.eu,
        vangas.se,
        dhertefelt.be,
        dhertefe.lt,
        pcrobots.amedee.be,
        nowww.be
mydomain = amedee.be
myhostname = styx.amedee.be
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.0.0.0/8
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = -
relayhost =
smtp_destination_concurrency_limit = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name. All Your Spam Are Belong To Us!
smtpd_client_connection_count_limit = 5
smtpd_client_restrictions =
#       reject_invalid_hostname,
        permit
smtpd_error_sleep_time = 10
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
#       reject_invalid_hostname,
        permit
smtpd_junk_command_limit = 3
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
#       reject_invalid_hostname,
        reject_multi_recipient_bounce,
        reject_non_fqdn_recipient,
#       reject_non_fqdn_sender,
        reject_unauth_destination,
        reject_unauth_pipelining,
        reject_unknown_recipient_domain,
        reject_unlisted_recipient,
        permit
smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        defer_unauth_destination
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_local_domain = $myhostname
#smtpd_sasl_path = private/auth
#smtpd_sasl_security_options = noanonymous
#smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
#       reject_unknown_sender_domain,
        permit
smtpd_soft_error_limit = 2
smtpd_timeout = 120
smtpd_tls_cert_file = /etc/postfix/tls/mail.cert
smtpd_tls_key_file = /etc/postfix/tls/mail.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
#virtual_alias_domains = /etc/postfix/maps/virtual_alias_domains
virtual_alias_maps = hash:/etc/postfix/maps/virtual_alias_maps

/etc/postfix/master.cf

smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin
submission inet n       -       -       -       -       smtpd
  -o content_filter=spamassassin
pickup    unix  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
spamassassin unix -     n       n       -       -       pipe
  user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

/home/amedee/.procmailrc

UMASK=007
PATH=/usr/bin:/usr/local/bin
MAILDIR=$HOME/Maildir
LOGFILE=$HOME/log/procmail.log
SHELL=/bin/bash
VERBOSE=no
SED=/bin/sed

SENDER=`formail -c -x Return-Path`
SENDMAILFLAGS="-oi -f $SENDER"

[email protected]

#From the manpages: prevent duplicate mails
:0 Wh: msgid.lock
| formail -D 8192 msgid.cache

:0
* ^Subject: Undelivered Mail Returned to Sender
/dev/null

:0
* .*
! $GMAIL

My question: what do I need to do so Gmail won't bounce any more of the legitimate emails that I forward?

EDIT: Somebody flagged my question as a duplicate of this question: How to send emails and avoid them being classified as spam? HOWEVER my question is not about sending email as the original sender, my question is about forwarding email that was sent by somebody else. The flagging was also done 2 minutes after I posted my question, which isn't enough time to read it completely, so I think it was a case of diagonal reading. Don't feel bad, we all want to score StackExchange reputation.

I will keep editing this question as I address each point from suspected duplicates, until I have proven without any reasonable doubt that it is not a duplicate.

EDIT: DNS config:

* 300 IN A 52.0.177.103
@ 300 IN A 52.0.177.103
styx 300 IN A 52.0.177.103
@ 300 IN MX 1 styx.amedee.be.
@ 300 IN SPF "v=spf1 ip4:52.0.177.103 ptr ?all"
@ 300 IN TXT "v=spf1 ip4:52.0.177.103 ptr ?all"

EDIT: According to mxtoolbox.com, my Reverse DNS does not match my SMTP banner. So I changed my SMTP banner in /etc/postfix/main.cf:

#smtpd_banner = $myhostname ESMTP $mail_name. All Your Spam Are Belong To Us!
smtpd_banner = ec2-52-0-177-103.compute-1.amazonaws.com

and confirmed the change after Postfix reload:

admin@ip-172-31-51-67:~$ telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ec2-52-0-177-103.compute-1.amazonaws.com
quit
221 2.0.0 Bye
Connection closed by foreign host.

So, as far as I can tell, the Reverse DNS of 52.0.177.103 is ec2-52-0-177-103.compute-1.amazonaws.com, and the IP address of ec2-52-0-177-103.compute-1.amazonaws.com is 52.0.177.103. Rather unfortunate, I would much more prefer that the hostname styx.amedee.be and the Reverse DNS were the same, but I assume that this is beyond my control.

On our old server (hosted), Artifactory was running behind an Apache proxy. The public url was http://repo.example.com/

Our hosting provider moved us to a new server.

• A new version of Artifactory was installed, the data exported from the old server and imported in the new server
• Artifactory is now running behind Nginx
• The public url is now http://repo.example.com/artifactory/

We have asked our hosting provider to change the url back to http://repo.example.com/, because now our Jenkins jobs are breaking, and because external users may rely on the url. They told me that I first need to change some setting in Artifactory (no details what exactly), but the only setting I can find in the web interface, is the custom url base, and that is already set to http://repo.example.com. My best guess is that something needs to be changed in the configuration of the Tomcat server that runs Artifactory but

1. Tomcat configuration is outside my field of expertise
2. I cannot change the configuration myself, I don't have write access to those files.

What I actually need, is a configuration that I can send to our hosting provider, so they can just copy paste from my email.

Short version: How can I make Artifactory, running behind Nginx, accessible on http://repo.example.com?

EDIT: This is the current /usr/local/artifactory/tomcat/conf/server.xml:

<Server port="8015" shutdown="SHUTDOWN"> <Service name="Catalina"> <Connector port="8083"/> <Engine name="Catalina" defaultHost="localhost"> <Host name="localhost" appBase="webapps"/> </Engine> </Service> </Server>

Would it be enough to change this to:

<Server port="8015" shutdown="SHUTDOWN"> <Service name="Catalina"> <Connector port="8083"/> <Engine name="Catalina" defaultHost="localhost"> <Host name="localhost" appBase="webapps"> <Context path="" docBase="."/> </Host> </Engine> </Service> </Server>

As mentioned, I do not have root access to the server so I cannot modify this myself.

2 AWS instances, in the same region but different availability zones, one is in regular EC2 and the other is in VPC, both have an Elastic IP, both are 64bit Amazon Linux AMI 2014.03.1.

Both are running munin-node.

The instance in the VPC is running munin-cron.

I have added incoming TCP and UDP port 4949 to the security groups of both instances.

On the munin node, I added an allow-line with the IP address (regular expression) of the munin server to /etc/munin/munin-node.conf. I bind munin-node to any interface using host *. Then I did sudo service munin-node restart. Then I ran netstat.

$ sudo netstat -at | grep munin
tcp        0      0 *:munin             *:*                         LISTEN

So the port is open there.

On the munin server AND on the munin node:

$ nmap AMAZON-IP -p 80,4949 | grep tcp
80/tcp   open   http
4949/tcp closed munin

On the munin node:

$ nmap localhost -p 80,4949 | grep tcp
80/tcp   open  http
4949/tcp open  munin

So from the outside, the http port is open (Apache is running) but the munin port is closed. The node can't even reach the munin port on it's own public IP address, but it can on localhost. I added port 80 as a sanity check, to be sure that there is network connectivity at all.

So what am I overlooking here?

This is my AWS setup:

• 1 VPC with:
  • default public subnet, 10.0.0.0/24
    • 1 EC2 micro instance, private 10.0.0.172 and public Elastic IP
  • 1 RDS instance, running MySQL

The EC2 instance has network connection to the outside world (verified with ping 8.8.8.8). This is it's routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ip-10-0-0-1.eu- 0.0.0.0         UG    0      0        0 eth0
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
instance-data.e *               255.255.255.255 UH    0      0        0 eth0

The EC2 instance can also connect to the RDS instance.

What I want, is to launch a second EC2 instance (Amazon Linux AMI 2014.03.1 64bit) from inside the first EC2 instance, using Vagrant. The second EC2 instance should be in the same VPC subnet but it's actual IP address doesn't matter much. It also doesn't need a public Elastic IP. It does need to connect to the outside world, to install software using yum.

This is my Vagrantfile:

VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.box = "dummy"

  config.vm.provider :aws do |aws, override|
    aws.access_key_id = "ACCESS_KEY_ID"
    aws.secret_access_key = "SECRET_ACCESS_KEY"
    aws.keypair_name = "KEYPAIR_NAME"

    aws.ami = "ami-2918e35e"
    aws.instance_type = "m1.small"
    aws.region = "eu-west-1"

    aws.subnet_id = "subnet-SUBNETID"
    aws.security_groups = "sg-SECURITYGROUPID"


    override.ssh.username = "ec2-user"
    override.ssh.private_key_path = "PRIVATE_KEY.pem"
  end

  config.ssh.pty = true
  config.vm.provision "shell", path: "provision.sh"
end

In the shell script provision.sh I install some software:

yum install -y subversion

This fails, because yum can't connect to the outside network.

When I do vagrant ssh and check the IP address, it's in the 10.0.0.0/24 range and I can ping in either direction between the two EC2 instances (ICMP was allowed in the security group). I can't ping 8.8.8.8 and I can't yum install software because the instance can't reach the repositories. I checked the route and it's identical to that of the first instance.

Also, in the AWS web console, the second instance doesn't have a public IP address.

When I add this line to my Vagrantfile:

aws.associate_public_ip = true

then I get the following error on vagrant up --provider=aws --provision:

There are errors in the configuration of this machine. Please fix
the following errors and try again:

AWS Provider:
* The following settings shouldn't exist: associate_public_ip

and the instance does not launch.

So my question is: how can I give the vagrant instance a network connection, without using an Elastic IP?