sudo -u postgres /Library/PostgreSQL/11/bin/pg_ctl -D /Library/PostgreSQL/11/data start
sudo -u postgres /Library/PostgreSQL/11/bin/pg_ctl -D /Library/PostgreSQL/11/data stop
Linux Tutorial and something else…..
I don't know what's the matter with people: they don't learn by understanding, they learn by some other way — by rote or something. Their knowledge is so fragile! (Feynman)
sudo -u postgres /Library/PostgreSQL/11/bin/pg_ctl -D /Library/PostgreSQL/11/data start
sudo -u postgres /Library/PostgreSQL/11/bin/pg_ctl -D /Library/PostgreSQL/11/data stop
Postfix provides a tool called postqueue
. The command provided with the -p
switch will display an entry for each message in the queue. The output will include a column for the message ID, size, arrival time, send, and recipient addresses.
Messages that are currently in the active queue will display a asterisk to the right of the message ID.
If there is a message in the hold queue, it will display a exclamation point to the right of the message ID.
If a message is deferred, there will not be symbol / mark to the right of the message ID.
postqueue -p
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
5866DAC07F3 362 Sat Oct 12 15:53:56 [email protected]
(connect to mail.tullyr.com[208.70.75.100]:25: Connection refused)
<[email protected]>
To delete messages from the Postfix queue, you can use the postsuper
command. The postsuper tool can be used to delete a single message, or all messages in the queue.
To delete a single message from the queue, provide the -d
switch followed by the message ID
.
postsuper -d 5866DAC07F3
When you want to delete all messages in the queue, you provide postsuper with the word ALL in all capitals instead of the message ID.
postsuper -d ALL
NOTE – Be careful when using the postsuper
command with the -d ALL
switch. This command will delete all messages in the queue immediately without prompting you for verification.
The Postfix hold queue provides a place for messages to be held indefinitely. If you move a message into the hold queue, it will not be delivered until you specifically remove it or move it back into the normal queue processing.
To place a message in the hold queue, you use the tool postsuper
with the -h
switch followed by message ID.
postsuper -h 5866DAC07F3
When you need to move a messae back into the normal queue for processing, you use the postsuper
command with the -H
switch followed by the message ID.
postsuper -H 5866DAC07F3
If you have messages that are incorrect based on a misconfigured Postfix installation, you may need to re-queue the messages via the postsuper
command. Some example of bad messages could be problems such as incorrect transport type, incorrect rewriting of an address, or an incorrect next hop.
After fixing the Postfix configuration, you can re-queue a single message or all messages. To requeue a message, you will use the postsuper
command with the -r
switch. When this command is run, it will update the incorrect information based on the new configuration.
To re-queue a single message you pass the message ID as in the example below.
postsuper -r 5866DAC07F3
If you need to re-queue all messages, you can pass the capital word ALL.
postsuper -r ALL
If you need to view the contents of a message in the queue, Postfix provides the postcat tool
for this. The postcat
tool will display the contents of a file when provided with the -q
switch followed by the message ID.
postcat -q 5866DAC07F3
If you have messages in the queue that you would like to flush, you can use the postqueue
command with the -f
switch. Flushing the queue will cause Postfix to attempt to deliver all messages in the queue immediately.
postqueue -f
There are times when this is needed. However, it’s usually not a good idea to flush all of the messages in the queue. If you do this a lot, it can have an impact on the performance on your mail server. You should leave the queue management to the Postfix queue manager.
With Postfix, it’s possible to flush only those messages that are going to a specific domain. You can do this with the -s
switch provided by postqueue
. However, to do this the domain must be eligible for fast flush.
For a domain to be eligible for fast flush, it must be listed in the fast_flush_domains
parameter. In Postfix, the default value for the fast_flush_domains
includes all of the hosts that are listed in relay_domains
.
To add the site to the fast_flush_domains
you can append it to the line fast_flush_domains
as shown below:
fast_flush_domains = $relay_domains tullyrankin.com
Now if you want to flush mail that is destined for the domain you added to the fast_flush_domains
, you can use the postqueue
command with the -s
option as shown below:
postqueue -s tullyrankin.com
As simple as it is to use, email relies on a more complicated set of operating procedures than that of the Web. For most users, its operation is transparent, which means that it is not necessary to understand how email works in order to be able to use it.
However, the short introduction below has been provided to help you to understand its basic principles, give you an idea of how to best configure your email clients, and inform you about the underlying mechanisms of spam.
Email is based around the use of electronic mailboxes. When an email is sent, the message is routed from server to server, all the way to the recipient’s email server. More specifically, the message is sent to the mail server tasked with transporting emails (called the MTA, for Mail Transport Agent) to the recipient’s MTA. On the Internet, MTAs communicate with one another using the protocol SMTP, and so are logically called SMTP servers (or sometimes outgoing mail servers).
The recipient’s MTA then delivers the email to the incoming mail server (called the MDA, for Mail Delivery Agent), which stores the email as it waits for the user to accept it. There are two main protocols used for retrieving email on an MDA: POP3 (Post Office Protocol), the older of the two, which is used for retrieving email and, in certain cases, leaving a copy of it on the server; and IMAP (Internet Message Access Protocol), which is used for coordinating the status of emails (read, deleted, moved) across multiple email clients. With IMAP, a copy of every message is saved on the server, so that this synchronization task can be completed.
For this reason, incoming mail servers are called POP servers or IMAP servers, depending on which protocol is used:
To keep everyone from checking other users’ emails, MDA is protected by a user name called a login and by a password.
Retrieving mail is done using a software program called an MUA (Mail User Agent). When the MUA is a program installed on the user’s system, it is called an email client (such as Mozilla Thunderbird, Microsoft Outlook, Eudora Mail, Incredimail or Lotus Notes).
When it is a web interface used for interacting with the incoming mail server, it is called webmail.
By default, it is not necessary to authenticate oneself to send email, which means that it is very easy to falsify one’s own address when sending mail. For this reason, nearly all Internet service providers lock down their SMTP servers so that only their subscribers can use them, or more precisely, only machines whose IP address belongs to the ISP’s domain. This explains why users must modify the outgoing server settings in their email clients each time they move to a new home or business.
When an organization’s email server is improperly configured and allows third-party users on any network to send emails, this is called an open relay. Open relays are generally used by spammers, as using them hides the true origins of their messages. As a result, many ISPs keep an up-to-date blacklist of open relays to keep subscribers from receiving messages from such servers.
Postfix is used as MTA because it’s installed by default.
Spamass-milter, clamav-milter and milter-greylist are used as milters. Milter packages registered in EPEL are used.
Register EPEL like the following:
% sudo yum install -y epel-release
Now, you install milters:
% sudo yum install -y spamass-milter-postfix clamav-scanner-systemd clamav-update clamav-milter clamav-milter-systemd milter-greylist
And you install RRDtool for generating graphs:
% sudo yum install -y rrdtool
milter manager can be installed by yum.
Register milter manager yum repository like the following:
% curl -s https://packagecloud.io/install/repositories/milter-manager/repos/script.rpm.sh | sudo bash
See also: <URL:https://packagecloud.io/milter-manager/repos/install>
Now, you install milter manager:
% sudo yum install -y milter-manager
Here is a basic configuration policy.
milter-greylist should be applied only if S25R condition is matched to reduce needless delivery delay. But the configuration is automatically done by milter manager. You need to do nothing for it.
It’s difficult that milter manager runs on SELinux. Disable SELinux policy module for Postfix and Milter.
% sudo semodule -d postfix % sudo semodule -d milter
At first, you configure spamd.
spamd adds “[SPAM]” to spam mail’s subject by default. If you don’t like the behavior, edit /etc/mail/spamassassin/local.cf.
Before:
rewrite_header Subject [SPAM]
After:
# rewrite_header Subject [SPAM]
Add the following configuration to /etc/mail/spamassassin/local.cf. This configuration is for adding headers only if spam detected.
remove_header ham Status remove_header ham Level
Start spamd on startup:
% sudo systemctl enable spamassassin
Start spamd:
% sudo systemctl start spamassassin
Here are spamass-milter’s configuration items:
Change /etc/sysconfig/spamass-milter:
Before:
#EXTRA_FLAGS="-m -r 15"
After:
EXTRA_FLAGS="-m -r 15"
Start spamass-milter on startup:
% sudo systemctl enable spamass-milter
Start spamass-milter:
% sudo systemctl start spamass-milter
Update ClamAV virus database and start clamd.
Edit /etc/freshclam.conf like the following. It comments out “Example”, changes “NotifyClamd” value and uncomments other items.
Before:
Example #LogFacility LOG_MAIL #NotifyClamd /path/to/clamd.conf
After:
#Example LogFacility LOG_MAIL NotifyClamd /etc/clamd.d/scan.conf
Run freshclam by hand at the first time:
% sudo freshclam
Configure clamd.
Edit /etc/clamd.d/scan.conf like the following. It comments out “Example” and uncomments other items:
Before:
Example #LogFacility LOG_MAIL #LocalSocket /run/clamd.scan/clamd.sock
After:
#Example LogFacility LOG_MAIL LocalSocket /run/clamd.scan/clamd.sock
Start clamd on startup:
% sudo systemctl enable [email protected]
Start clamd:
% sudo systemctl start [email protected]
Configure clamav-milter.
Edit /etc/mail/clamav-milter.conf like the following. It comments out “Example”, change “ClamdSocket” value and uncomments other items:
Before:
Example #MilterSocket /run/clamav-milter/clamav-milter.socket #MilterSocketMode 660 #ClamdSocket tcp:scanner.mydomain:7357 #LogFacility LOG_MAIL
After:
#Example MilterSocket /run/clamav-milter/clamav-milter.socket MilterSocketMode 660 ClamdSocket unix:/run/clamd.scan/clamd.sock LogFacility LOG_MAIL
Add “clamilt” user to “clamscan” group to access clamd’s socket:
% sudo usermod -G clamscan -a clamilt
Start clamav-milter on startup:
% sudo systemctl enable clamav-milter
Start clamav-milter:
% sudo systemctl start clamav-milter
Change /etc/mail/greylist.conf for the following configurations:
The configuration relaxes Greylist check to avoid Greylist adverse effect. It increases received spam mails but you should give priority to avoid false positive rather than false negative. You should not consider that you blocks all spam mails by Greylist. You can blocks spam mails that isn’t blocked by Greylist by other anti-spam technique such as SpamAssassin. milter manager helps constructing mail system that combines some anti-spam techniques.
Before:
socket "/run/milter-greylist/milter-greylist.sock" # ... racl whitelist default
After:
socket "/run/milter-greylist/milter-greylist.sock" 660 # ... subnetmatch /24 greylist 10m autowhite 1w sm_macro "trusted_domain" "{trusted_domain}" "yes" racl whitelist sm_macro "trusted_domain" spf pass racl greylist sm_macro "trusted_domain" not spf pass racl greylist default
Start milter-greylist on startup:
% sudo systemctl enable milter-greylist
Start milter-greylist:
% sudo systemctl start milter-greylist
Add “milter-manager” user to “clamilt” group to access clamav-milter’s socket:
% sudo usermod -G clamilt -a milter-manager
Add “milter-manager” user to “mail” group and “grmilter” group to access milter-greylist’s socket:
% sudo usermod -G mail -a milter-manager % sudo usermod -G grmilter -a milter-manager
Add “milter-manager” user to “postfix”” group to access spamass-milter’s socket:
% sudo usermod -G postfix -a milter-manager
milter manager detects milters that installed in system. You can confirm spamass-milter, clamav-milter and milter-greylist are detected:
% sudo /usr/sbin/milter-manager -u milter-manager -g milter-manager --show-config
The following output shows milters are detected:
... define_milter("milter-greylist") do |milter| milter.connection_spec = "unix:/run/milter-greylist/milter-greylist.sock" ... milter.enabled = true ... end ... define_milter("clamav-milter") do |milter| milter.connection_spec = "unix:/var/run/clamav-milter/clamav-milter.socket" ... milter.enabled = true ... end ... define_milter("spamass-milter") do |milter| milter.connection_spec = "unix:/run/spamass-milter/postfix/sock" ... milter.enabled = true ... end ...
You should confirm that milter’s name, socket path and “enabled = true”. If the values are unexpected, you need to change /etc/milter-manager/milter-manager.local.conf. See Configuration for details of milter-manager.local.conf.
But if we can, we want to use milter manager without editing miter-manager.local.conf. If you report your environment to the milter manager project, the milter manager project may improve detect method.
milter manager’s configuration is finished.
Start to milter manager on startup:
% sudo systemctl enable milter-manager
Start to milter manager:
% sudo systemctl start milter-manager
milter-test-server is usuful to confirm milter manager was ran:
% sudo -u milter-manager milter-test-server -s unix:/var/run/milter-manager/milter-manager.sock
Here is a sample success output:
status: accept elapsed-time: 0.128 seconds
If milter manager fails to run, the following message will be shown:
Failed to connect to unix:/var/run/milter-manager/milter-manager.sock
In this case, you can use log to solve the problem. milter manager is verbosily if –verbose option is specified. milter manager outputs logs to standard output if milter manager isn’t daemon process.
You can add the following configuration to /etc/sysconfig/milter-manager to output verbose log to standard output:
OPTION_ARGS="--verbose --no-daemon"
Restart milter manager:
% sudo systemctl restart milter-manager
Some logs are output if there is a problem. Running milter manager can be exitted by Ctrl+c.
OPTION_ARGS configuration in /etc/sysconfig/milter-manager should be commented out after the problem is solved to run milter manager as daemon process. And you should restart milter manager.
Enables Postfix:
% sudo systemctl enable postfix % sudo systemctl start postfix
Configure Postfix for milters. Append following lines to /etc/postfix/main.cf:
milter_protocol = 6 milter_default_action = accept milter_mail_macros = {auth_author} {auth_type} {auth_authen}
For details for each lines.
Register milter manager to Postfix. It’s important that spamass-milter, clamav-milter and milter-greylist aren’t needed to be registered because they are used via milter manager.
Append following lines to /etc/postfix/main.cf:
smtpd_milters = unix:/var/run/milter-manager/milter-manager.sock
Reload Postfix’s configuration.
% sudo systemctl reload postfix
milter manager logs to syslog. If milter manager works well, some logs can be shown in /var/log/maillog. You need to send a test mail for confirming.
There are many configurations to work milter and Postfix together. They can be reduced by introducing milter manager.
Without milter manager, you need to specify sockets of spamass-milter, clamav-milter and milter-greylist to /etc/postfix/main.cf. With milter manager, you don’t need to specify sockets of them, just specify a socket of milter manager. They are detected automatically. You don’t need to take care some small mistakes like typo.
milter manager also detects which ‘/sbin/chkconfig -add’ is done or not. If you disable a milter, you use the following steps:
% sudo systemctl stop milter-greylist % sudo systemctl disable milter-greylist
You need to reload milter manager after you disable a milter.
% sudo systemctl reload milter-manager
milter manager detects a milter is disabled and doesn’t use it. You don’t need to change /etc/postfix/main.cf.
You can reduce maintainance cost by introducing milter manager if you use some milters on CentOS.
milter manager also provides tools to help operation. Installing them is optional but you can reduce operation cost too. If you also install them, you will go to Install to CentOS (optional) .
ISSUE:
after the installation i saw this error in the maillog file
warning: connect to Milter service unix:/run/milter-manager/milter-manager.sock: Permission denied
One solution is :
chown milter-manager:postfix /run/milter-manager/milter-manager.sock
but if you restart milter-manager you return back with the error because the permission over the file is reset.
or
vim /etc/sysconfig/milter-manager
#SOCKET_GROUP=”milter-manager”
SOCKET_GROUP=“postfix”
Analyze your web site with this mozzilla link
<meta http-equiv=“Content-Security-Policy” content=“default-src ‘self’; child-src ‘none’; object-src ‘none'”>
session.cookie_secure = 1
session.use_only_cookies = 1
session.cookie_httponly = 1
To enable this security header on your origin server is quite easily and can be done in just a couple steps. Depending upon which web server you’re using will determine which snippet you should add to your server’s configuration file. The following section outlines what needs to be added to both Nginx and Apache web servers.
For Nginx users, add the following snippet to your .conf file. Once done, save your changes and reload Nginx.
add_header X-Content-Type-Options "nosniff"
For Apache users, simply add the following snippet to your .htaccess file. Once done, save your changes.
Header set X-Content-Type-Options "nosniff"
Enabling your web server to deliver the X-Content-Type-Options header is quite simple to do.
mod_headers.so
enabled in Apache HTTP serverHeader edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Note: Header edit is not compatible with lower than Apache 2.2.4 version.
To configure Apache to send the X-Frame-Options
header for all pages, add this to your site’s configuration:
Header always set X-Frame-Options "sameorigin"
To configure Apache to set the X-Frame-Options
deny , add this to your site’s configuration:
Header set X-Frame-Options "deny"
To configure nginx to send the X-Frame-Options
header, add this either to your http, server or location configuration: