Thursday, January 21, 2021

Webmail SquirrelMail

 Install httpd

    dnf install httpd

    Configure as mentioned in: https://www.server-world.info/en/note?os=Fedora_20&p=httpd&f=1

install squirellMail

    dnf -y install squirrelmail

    Configure as mentioned in : https://www.server-world.info/en/note?os=Fedora_20&p=httpd&f=12

    used sendmail instead of SMTP as mentioned in above article

install mod_ssl openssl

firewall-cmd --permanent --add-service=https

firewall-cmd --permanent --add-service=http

open ports 80 & 143 in firewall

systemctl restart httpd





Saturday, January 27, 2018

Firewalld

The firewalld was allowing cockpit on the the external interface. First tried by disabling firewalld and enabling iptables. This seemed to help but it is an old and tedious process needing to enable each process one by one so stopped and disabled iptables and set about understanding firewalld.

Found that  both the interfaces enp2s0 and enp3s0 were in the zone called "FedoraServer"  which had exceptions for cockpit, squid, ssh, dhcpv6-client, smtp, pop3 & ftp. So moved the interface enp2s0 to the zone "drop" which drops all incoming connections without giving any message. The command for changing zone is:

firewall-cmd --zone=drop --change-interface=enp2s0

Friday, December 29, 2017

Mycelium - Bitcoin

Install and  Mycelium app

Choose Restore option

Choose 12 Words

Enter these words

Now good to go.

Saturday, December 9, 2017

Fedora 25 Server SSH Socket instead of Service

After a recent update sshd.service would not load at boot but would manually start. Based on web articles it was hanged to sshd.socket

systemctl disable sshd.service

added a file

/etc/systemd/system/sshd.socket.d/10-sshd-listen-ports.conf

with the following

[Socket] 
ListenStream= 
ListenStream=192.168.0.3:22 
FreeBind=true

Run 

# systemctl enable sshd.socket
# systemctl start sshd.socket

If the file is modified then run

# systemctl daemon-reload

# systemctl status sshd.socket

the result is:

sshd.socket - OpenSSH Server Socket
   Loaded: loaded (/usr/lib/systemd/system/sshd.socket; enabled; vendor preset:
  Drop-In: /etc/systemd/system/sshd.socket.d
           ΓΆΓΆ10-sshd-listen-ports.conf, override.conf
   Active: active (listening) since Sat 2017-12-09 08:29:22 IST; 7h ago
     Docs: man:sshd(8)
           man:sshd_config(5)
   Listen: 192.168.0.3:22 (Stream)


the external card has been isolated from ssh now there are no reports of failed external login attempts

Monday, December 19, 2016

Windows 10 Shared Printer

Go to 'Network & Internet' > 'Network & Sharing Center' > 'Advanced Sharing'

Click on 'All Networks' at the bottom

Click on "Turn off Password Protected Sharing"




Wednesday, December 7, 2016

Fortinet Enabling Proxy

Go to System-Network-Interfaces
Go to PROXY-ZONE
Double click dmz
Add tick to "Enable explicit proxy"

Fedora Server 25

This is a text based server with cockpit interface.

Install as standard server went without hitch. Adding the mailserver caused the dovecot package to fail.

After install

Ran

dnc -y update
dnc install sendmail
dnc install dovecot
dnc install squid
dnf install m4
dnf install sendmail-cf


All the above went well.

Cockpit connected without problem

ssh also worked immediately.

SQUID CONF


# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localhet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl av_server arp 00:24:e8:4d:0c:48
acl bfv arp 00:13:02:c0:ec:d1
acl despatch arp 00:17:c4:45:c8:d1
acl divya arp 00:22:5f:6d:8d:1c
acl divya_cell arp f4:31:c3:a6:de:f2
acl ebby1 arp d8:5d:e2:42:2c:67
acl fenn arp D0:75:35:18:F1:B3
acl fareed arp A0:2B:B8:24:89:87
acl fenn_eth arp 68:f7:28:0d:7f:46
acl gouri arp D0:D7:9A:53:EC:E9
acl internet1 arp 30:85:a9:af:6b:42
acl internet2 arp e0:cb:4e:d4:49:7b
acl jk arp 1C:75:08:85:60:C9
acl jp arp fc:aa:14:18:55:70
acl kannan arp 30:3A:64:E8:F0:5D
acl lapaccnt10 arp 70:77:81:2C:27:B5
acl letha arp 08:60:6e:6a:29:1a
acl manoj_FC arp 24:fd:52:cf:cc:3c
acl malini arp 28:c6:8e:fc:0e:a5
acl neethu arp 00:e0:4c:81:92:1a
acl neethu1 arp 00:e0:4c:81:92:3f
acl pv arp ac:2b:6e:9b:0d:b1
acl reju  arp 04:7D:7B:0A:C5:C1
acl sanal arp 20:68:9d:a5:ee:97
acl sujith arp 00:26:6c:1e:73:0a
acl tinku arp fc:aa:14:ee:15:5e
acl tinyseed arp 00:22:5f:6d:8d:1c
acl uk arp 14:da:e9:dd:45:b9
acl his_site url_regex midas.co.in
acl his_site1 url_regex comtax.kerala.gov.in
acl his_site2 url_regex esewa.epfoservices.in
acl his_site3 url_regex epfindia.com
acl his_site4 url_regex aces.gov.in
acl his_site5 url_regex esic.in
acl his_site6 url_regex mail.google.com
acl his_site7 url_regex webmail.vsnl.com
acl his_site8 url_regex googleusercontent.com
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow his_site
http_access allow his_site1
http_access allow his_site2
http_access allow his_site3
http_access allow his_site4
http_access allow his_site5
http_access allow his_site6
http_access allow his_site7
http_access allow his_site8
#http_access allow localnet
http_access allow localhost
http_access allow av_server
http_access allow bfv
http_access allow despatch
http_access allow divya
http_access allow divya_cell
http_access allow ebby1
http_access allow fareed
http_access allow fenn
http_access allow fenn_eth
http_access allow gouri
http_access allow internet1
http_access allow internet2
http_access allow jk
http_access allow jp
http_access allow kannan
http_access allow lapaccnt10
http_access allow letha
http_access allow manoj_FC
http_access allow malini
http_access allow neethu
http_access allow neethu1
http_access allow pv
http_access allow reju
http_access allow sanal
http_access allow sujith
http_access allow tinku
http_access allow tinyseed
http_access allow uk

# An finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


configured the squid server but it would not work from clients. Deduced that the firewall was the problem. Tried without (systemctl stop firewalld) firewall and everything started working.

With firewall on ran the following command:

 firewall-cmd --list-all

The result:

 target: default
  icmp-block-inversion: no
  interfaces: enp2s0 enp3s0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:


So ran:

firewall-cmd --add-service=squid

Now squid started functioning through the firewall. Made it permanent by:

firewall-cmd --add-service=squid --permanent

systemctl restart firewalld


SENDMAIL

tweak sendmail.mc
m4 sendmail.mc > sendmail.cf

SENDMAIL CONF

divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     /etc/mail/make
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # Do not advertize sendmail version.
dnl #
dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL', `9')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
define(`SMART_HOST', `smtp.gmail.com')dnl
dnl #
define(`confDEF_USER_ID', ``8:12'')dnl
define(`RELAY_MAILER_ARGS',`TCP $h 587')
define(`ESMTP_MAILER_ARGS',`TCP $h 587')
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     cd /etc/pki/tls/certs; make sendmail.pem
dnl # Complete usage:
dnl #     make -C /etc/pki/tls/certs usage
dnl #
dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl # If you're operating in a DSCP/RFC-4594 environment with QoS
dnl define(`confINET_QOS', `AF11')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 20.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=192.168.0.3, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1 .1.1="" br="" smtps="" uses="">dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
MASQUERADE_AS(`midastreads.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl




DOVECOT

edit /etc/dovecot/conf.d/10-mail.conf

Unhash:

mail_location = mbox:~/mail:INBOX=/var/mail/%u

Dovecot continued to give permission errors. Finally found that the permissions of files in /var/mail has to be 0600 instead 0660

"ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections"
You need to check a couple of settings in your Dovecot configuration.

1. First check in /etc/dovecot/conf.d/10-auth.conf and make sure that

disable_plaintext_auth = no
ssl = yes

2. You also need to make sure in /etc/dovecot/conf.d/10-ssl.conf that the following line is disabled with a #

#ssl = required

ACCESS

firewall-cmd --add-service=pop3 --permanent
firewall-cmd --add-service=smtp --permanent

Now firewall-cmd --list-all gives:

FedoraServer (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0 enp3s0
  sources:
  services: cockpit dhcpv6-client pop3 smtp squid ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:


systemctl restart firewalld

add the following to /etc/mail/access

192.168.0           localnet

generate access.db

HOSTS

add the following to /etc/hosts

192.168.0

NEW USER

When a new user is added change permission of his /var/mail file to 600