Use SSL certificate free for 3 months

Create your key (mail.saic.key) and your request (mail.saic.csr):

openssl req -new -newkey rsa:4096 -nodes -subj ‘/CN=mail.saic.it/O=SAIC, Inc./C=IT/ST=Italy/L=Viadana’ -keyout mail.saic.key -out mail.saic.csr

Go to this website and follow the istruction for have back the certificate for your Common Name (mail.saic.it) and the authority certificate :

Certificate Authority https://www.sslforfree.com

I configured my dns.

I set all file permission

chmod 444 mail.saic.*

then vim /etc/postfix/main.cf

smtp_tls_key_file                         = /etc/ssl/certs/mail.saic.key

smtp_tls_cert_file                        = /etc/ssl/certs/mail.saic.crt

smtp_tls_CAfile                           = /etc/ssl/certs/saic.sslforfree.ca

here the console for renew the certificate

great!!

 

It can be useful to check a certificate and key before applying them to your server. The following commands help verify the certificate, key, and CSR (Certificate Signing Request).

Check a certificate

Check a certificate and return information about it (signing authority, expiration date, etc.):

openssl x509 -in server.crt -text -noout

Check a key

Check the SSL key and verify the consistency:

openssl rsa -in server.key -check

Check a CSR

Verify the CSR and print CSR data filled in when generating the CSR:

openssl req -text -noout -verify -in server.csr

Verify a certificate and key matches

These two commands print out md5 checksums of the certificate and key; the checksums can be compared to verify that the certificate and key match.

openssl x509 -noout -modulus -in server.crt| openssl md5
openssl rsa -noout -modulus -in server.key| openssl md5

 

Self Signed Certificate : Commands

Create a private key

openssl genrsa -out server.key 4096

Generate a new private key and certificate signing request

openssl req -out server.csr -new -newkey rsa:4096 -nodes -keyout server.key

Generate a self-signed certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout server.key -out server.crt

Generate a certificate signing request (CSR) for an existing private key

openssl req -out server.csr -key server.key -new

Generate a certificate signing request based on an existing certificate

openssl x509 -x509toreq -in server.crt -out server.csr -signkey server.key

Remove a passphrase from a private key

openssl rsa -in server.pem -out newserver.pem

Parse a list of revoked serial numbers

openssl crl -inform DER -text -noout -in list.crl

Check a certificate signing request (CSR)

openssl req -text -noout -verify -in server.csr

Check a private key

openssl rsa -in server.key -check

Check a public key

openssl rsa -inform PEM -pubin -in pub.key -text -noout
openssl pkey -inform PEM -pubin -in pub.key -text -noout

Check a certificate

openssl x509 -in server.crt -text -noout
openssl x509 -in server.cer -text -noout

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in server.p12

Verify a private key matches an certificate

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
openssl req -noout -modulus -in server.csr | openssl md5

Display all certificates including intermediates

openssl s_client -connect www.paypal.com:443

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in server.cer -out server.pem

Convert a PEM file to DER

openssl x509 -outform der -in server.pem -out server.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in server.pfx -out server.pem -nodes

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile CACert.crt

How to test if the email address exists

Source Link

To check if user entered email mailbox.does.not.exist@webdigiapps.com really exists go through the following in command prompt on windows / terminal on mac. The commands you type in are in green and the server response is in blue. Please refer to MAC & PC screenshots towards the end of this post.

Step 1 – Find mail exchanger or mail server of webdigiapps.com

COMMAND:
nslookup -q=mx webdigiapps.com
RESPONSE:
Non-authoritative answer:
webdigiapps.com mail exchanger = 0 mx2.sub3.homie.mail.dreamhost.com.
webdigiapps.com mail exchanger = 0 mx1.sub3.homie.mail.dreamhost.com.

Step 2 – Now we know the mail server address so let us connect to it. You can connect to one of the exchanger addresses in the response from Step 1.

COMMAND:
telnet mx2.sub3.homie.mail.dreamhost.com 25
RESPONSE:
Connected to mx2.sub3.homie.mail.dreamhost.com.
Escape character is ‘^]’.
220 homiemail-mx7.g.dreamhost.com ESMTP

COMMAND:
helo hi
RESPONSE:
250 homiemail-mx8.g.dreamhost.com

COMMAND:
mail from: <youremail@gmail.com>
RESPONSE:
250 2.1.0 Ok

COMMAND:
rcpt to: <mailbox.does.not.exist@webdigiapps.com>
RESPONSE:
550 5.1.1 <mailbox.does.not.exist@webdigiapps.com>: Recipient address rejected: User unknown in virtual alias table

COMMAND:
quit
RESPONSE:
221 2.0.0 Bye

Screenshots – MAC Terminal & Windows

MAC email verification
Windows email verification

NOTES:

1) the 550 response indicates that the email address is not valid and you have caught a valid but wrong email address. This code can be on the server and called on AJAX when user tabs out of the email field.  The entire check will take less than 2 seconds to run and you can make sure that the email is correct.
2) If email was present the server will respond with a 250 instead of 550
3) There are certain servers with a CATCH ALL email and this means all email address are accepted as valid on their servers (RARE but some servers do have this setting).
4) Please do not use this method to continuously to check for availability of gmail / yahoo / msn accounts etc as this may cause your IP to be added to a blacklist.
5) This is to supplement the standard email address javascript validation.

How to show ip for postfix smtp

The current connection over 25 port command:

watch ‘netstat -na | grep :25’

with this command, you can see the external ip that user the server to send emails.

while true
      do
        lsof-i | grep smtp
        sleep 10
     done
with this command you can find the username of the spammer software

How to remove from Postfix queue only one mail address

execute this command :

vim postfix-delete.pl 

insert this code:

#!/usr/bin/perl

$REGEXP = shift || die “no email-adress given (regexp-style, e.g. bl.*\@yahoo.com)!”;

@data = qx</usr/sbin/postqueue -p>;

for (@data) {

  if (/^(\w+)(\*|\!)?\s/) {

     $queue_id = $1;

  }

  if($queue_id) {

    if (/$REGEXP/i) {

      $Q{$queue_id} = 1;

      $queue_id = “”;

    }

  }

}

#open(POSTSUPER,”|cat”) || die “couldn’t open postsuper” ;

open(POSTSUPER,“|postsuper -d -“) || die “couldn’t open postsuper” ;

foreach (keys %Q) {

   print POSTSUPER $_\n;

   };

close(POSTSUPER);

execute this command:

chmod 755 postfix-delete.pl

run in this way:

./postfix-delete.pl  direzione@centromedicosantamargherita.it

Postfix SMTP Authentication for Mail servers

16. SMTP Authentication for Mail servers

 

SMTP AUTH for mail server is a feature that is often required to relay mail through other mail servers. To enable SMTP AUTH for Postfix, acting as mail client in this scenario, you need to do the following steps:

Procedure 10. Configure SMTP AUTH for mail servers

  1. Provide a file, which will holds necessary information about credentials
  2. Configure Postfix to enable SMTP AUTH for the smtp daemon
  3. Configure Postfix to use the file with the SASL credentials.

16.1. Add credentials to sasl_passwd

Postfix, acting as mail client in this scenario, will need to be able to

  1. know when to provide a username and password
  2. pick the right credentials when there is more than one mail server who requires Postfix to SMTP AUTH

16.1.1. Enter credentials

These informations are layed down in /etc/postfix/sasl_passwd:

[root@mail postfix]# less /etc/postfix/sasl_passwd
# foo.com1         username:password2
# bar.com            username:password
1 Using the hostname Postfix can identify the correct username:password when there are multiple entries in sasl_passwd
2 username:password are entered in plaintext format. They are separated by a single colon “:

The mail server that we want to relay through in this example is mail.my-isp.org; username is test and it’s password is testpass. We open /etc/postfix/sasl_passwd and add our credentials. When we are done it looks like this:

[root@mail postfix]# cat /etc/postfix/sasl_passwd
mail.my-isp.org      test:testpass

16.1.2. Secure sasl_passwd

As you have noticed, the credentials in sasl_passwd are entered plaintext. That means that anybody who can open the file will be able to read this sensitive information. Therefore we change ownership and permission to root and r/w only.

[root@mail postfix]# chown root:root /etc/postfix/sasl_passwd && chmod 600 /etc/postfix/sasl_passwd

After these commands ownership and permissions read like this:

[root@mail postfix]# ls -all /etc/postfix/sasl_passwd
-rw-------    1 root     root           79 Dec 30 23:50 /etc/postfix/sasl_passwd
[Note] Note
You wonder why Postfix running as user postfix can read this file?

Postfix will start as user root, read all files that need root permission and switch to user postfix after that.

16.1.3. Create sasl_passwd DB file

Now that we have set correct ownership and permissions there is one more thing to do. A plaintext file can’t be read as fast as database. Postfix requires this file to be a database, because it doesn’t want to spend a lot of time looking the credentials up when it needs to get it’s job done. We create a sasl_passwd.db with the help of postmap:

[root@mail postfix]# postmap hash:/etc/postfix/sasl_passwd

After that there will be a new file sasl_passwd.db in /etc/postfix/.

[root@mail postfix]# ls -all /etc/postfix/sasl_passwd.db
-rw-------    1 root     root        12288 Mar 13 23:13 /etc/postfix/sasl_passwd.db

From the onwership and permissions you can see that postmap applied the same as in the source file. That’s it for sasl_passwd; you only need to get back when the informations need an update.

[Note] Note
Don’t forget to postmap the file, when you change credentials. Postfix will tell you anyway by claiming that sasl_passwd is newer than sasl_passwd.db in the maillog.

16.2. Enable SMTP AUTH

There are only three options that you must set to enable SMTP AUTH for mail servers in Postfix.

[Note] Note
You can easily tell that these parameters are settings for the smtp daemon. They all begin with smtp_.

16.2.1. Enable SMTP AUTH

The first thing we do is enabling SMTP AUTH for the smtp daemon. We open main.cf and enter some documentation first and then we set smtp_sasl_auth_enable to yes.

# SASL SUPPORT FOR SERVERS
#
# The following options set parameters needed by Postfix to enable
# Cyrus-SASL support for authentication of mail servers.
#
smtp_sasl_auth_enable = yes

16.2.2. Set path to sasl_passwd

Then we tell Postfix where to find sasl_passwd by adding smtp_sasl_password_maps = hash:/path/to/sasl_passwd to the configuration.

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

16.2.3. Set security options

Finally we set security options. In our scenario we will allow Postfix to use anonymous and plaintext authentication. That’s why we set the paramter, but leave it empty:

smtp_sasl_security_options =

All settings together will give this listing in main.cf.

# SASL SUPPORT FOR SERVERS
#
# The following options set parameters needed by Postfix to enable
# Cyrus-SASL support for authentication of mail servers.
#
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =

16.2.4. Reload Postfix

All that you need to do now is to reload Postfix and you’re ready to use your ISPs mail server to relay mail.

[root@mail postfix]# postfix reload
postfix/postfix-script: refreshing the Postfix mail system

Have fun!

Configure DomainKeys (OpenDKIM) with Postfix on CentOS 7

Configure DomainKeys (OpenDKIM) with Postfix on CentOS 7

Very useful guide

In this post we will demonstrate how to install & configure DomainKeys with postfix (MTA) on CentOS 7 , i am assuming Postfix is already installed with following domain and hostname.

Hostname = mail5.freshdaymall.com

Domain = freshdaymall.com

Step:1 Set EPEL Repository using below rpm command

OpenDKIM package is not available in the default yum repositories but available in CentOS 7 EPEL repositories.

[root@mail5 ~]# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Step:2 Install OpenDKIM Package using yum

[root@mail5 ~]# yum install -y opendkim

Step:3 Run below Command to create keys

Execute the below command to create public & private keys under folder “/etc/opendkim/keys

[root@mail5 ~]# opendkim-default-keygen
Generating default DKIM keys:
Default DKIM keys for freshdaymall.com created in /etc/opendkim/keys.
[root@mail5 ~]#
[root@mail5 ~]# cd /etc/opendkim/keys/
[root@mail5 keys]# ll
total 8
-rw-r----- 1 root opendkim 891 Nov 29 08:42 default.private
-rw-r--r-- 1 root opendkim 320 Nov 29 08:42 default.txt
[root@mail5 keys]#

default.private is the private key for the domain and default.txt is public key that we will publish in DNS record (TXT) in the domain. A Selector ( default ) is created while generating keys, a selector can be unique keyword which is associated in keys and included in DKIM signature.

Step:4 Edit the Following Files :

  • /etc/opendkim.conf —- Config file of opendkim
  • /etc/opendkim/KeyTable —- As name suggest it defines the path of private key for the domain
  • /etc/opendkim/SigningTable — This file tells OpenDKIM how to apply the keys.
  • /etc/opendkim/TrustedHosts — This file defines which hosts are allowed to use keys.

Edit the file “/etc/opendkim.conf” & set the below parameters.

opendkim-conf-file

Edit the KeyTable file and replace the example.com with your domain name.

[root@mail5 ~]# cat /etc/opendkim/KeyTable
# OPENDKIM KEY TABLE
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.

#default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private
default._domainkey.freshdaymall.com freshdaymall.com:default:/etc/opendkim/keys/default.private
[root@mail5 ~]#

Edit the SigningTable file and define who will sign the outgoing mails.

[root@mail5 ~]# cat /etc/opendkim/SigningTable 
# WILDCARD EXAMPLE
# Enables signing for any address on the listed domain(s), but will work only if
# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
# Create additional lines for additional domains.

*@freshdaymall.com default._domainkey.freshdaymall.com

As i am using * in above parameter which means all the users on domain are allowed to sign the emails.

Edit the TrustedHosts file , add Server’s FQDN and domain name below localhost ip (127.0.0.1)

[root@mail5 ~]# cat /etc/opendkim/TrustedHosts 
# OPENDKIM TRUSTED HOSTS
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should always be the first entry in this file.

127.0.0.1
mail5.freshdaymall.com
freshdaymall.com
[root@mail5 ~]#

Step:5 Edit Postfix Config File (/etc/postfix/main.cf)

Add the below lines at end of /etc/postfix/main.cf file.

[root@mail5 ~]# vi /etc/postfix/main.cf
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

Step:6 Start OpenDKIM & postfix Service

[root@mail5 ~]# hash -r
[root@mail5 ~]# systemctl start opendkim ; systemctl enable opendkim ; systemctl restart postfix
ln -s '/usr/lib/systemd/system/opendkim.service' '/etc/systemd/system/multi-user.target.wants/opendkim.service'
[root@mail5 ~]#

Step:7 Update the TXT DNS record of your domain.

Use the output of default.txt and update the DNS Record (TXT) of the Domain.

domain-public-key-opendkim

Step:8 Send a Test email and view the logs.

sendmail-with-telnet

Check whether email is signed or not.

signed-by-email

Wow , Our email is signed and domainKeys configuration task is completed now.

 

Logwatch Centos 7

useful link to install logwatch:
https://www.digitalocean.com/community/tutorials/how-to-install-and-use-logwatch-log-analyzer-and-reporter-on-a-vps

example
logwatch –detail Low –mailto info@saic.it –service http –range today

Amavis – Clamd – Centos 7

I’ve ths error in /var/log/maillog:
(!)connect to /var/run/clamd.amavisd/clamd.sock failed

I solved in this way:

Edit /etc/clamd/clamd.conf

LocalSocket /var/run/clamd.amavisd/clamd.sock
User amavis

the User I defined (amavis), have to be the owner of the folder /var/run/clamd.amavisd
in the file /etc/amavisd/amavisd.conf you need the same file before : /var/run/clamd.amavisd/clamd.sock in this position
# ### http://www.clamav.net/
[‘ClamAV-clamd’,
\&ask_daemon, [“CONTSCAN {}\n”, “/var/run/clamd.amavisd/clamd.sock“],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

Configuration for helo hostname and accept mail without postgray check

1.
add the following to the /etc/postfix/main.cf configuration file

smtpd_delay_reject = yes
smtpd_helo_required = yes smtpd_helo_restrictions =
permit_mynetworks,
check_helo_access
hash:/etc/postfix/helo_access,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit

2.
create the file /etc/postfix/helo_access
and add your restriction like example:

myowndomain.com REJECT
pcname PERMIT

3.
create the database (you don’t need restart postfix)
postmap /etc/postfix/helo_access 

4.
postfix check
restart or reload postfix
/etc/init.d/postfix reload

or
/etc/init.d/postfix restart

print out configuration
postconf -n

mailq to see the mail in queue

To remove all mail from the queue, enter:
postsuper -d ALL

Accept mail without any postgray check:

vim  /etc/postfix/rbl_override

gmail.com OK

gmail.it OK

yahoo.com OK

hotmail.com OK

outlook.com OK

startcomca.com OK

libero.it OK

and my main.cf

smtpd_recipient_restrictions =
reject_unauth_pipelining,
check_helo_access hash:/etc/postfix/helo_access,
check_client_access hash:/etc/postfix/rbl_override,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_sender_login_mismatch,
reject_non_fqdn_helo_hostname,
permit_sasl_authenticated,
check_policy_service unix:/var/spool/postfix/postgrey/socket,
reject_unauth_destination,
reject_unverified_recipient,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
#check_client_access pcre:/etc/postfix/client_checks.pcre,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client pbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client b.barracudacentral.org,
#####reject_rbl_client dnsbl-1.uceprotect.net,
#reject_rbl_client dnsbl.sorbs.net,
#reject_rbl_client dnsrbl.org,
#reject_rbl_client bl.blocklist.de,
#reject_rbl_client babl.rbl.webiron.net,
#reject_rbl_client cabl.rbl.webiron.net,
permit

 

after this configuration type:

postmap /etc/postfix/rbl_override

restart postfix