Messages - puterfixer
16
E-Mail / Re: To many spams - Postfix Mail Queue
« on: April 18, 2018, 10:40:21 PM »
#1 - You should change the configuration of your mail server so that the spam filters are enabled. This is to block further receipt of spam mails.

CPanel > Email > MailServer Manager > enable AntiSpam/AntiVirus + rDNS Check if not already enabled > Rebuild mail server.

#2 - To clean up a massive amount of e-mails in the postfix queue, the web interface is not going to work. You'll need to connect to the server using an SSH client, log in with a standard account, SU to get root, then create a Perl script file using the code below and run it with the source or destination e-mail address as parameter:

Code:
#!/usr/bin/perl -w
#
# pfdel - deletes message containing specified address from
# Postfix queue. Matches either sender or recipient address.
#
# Usage: pfdel <email_address>
#

use strict;

# Change these paths if necessary.
my $LISTQ = "/usr/sbin/postqueue -p";
my $POSTSUPER = "/usr/sbin/postsuper";

my $email_addr = "";
my $qid = "";
my $euid = $>;

if ( @ARGV != 1 ) {
    die "Usage: pfdel <email_address>\n";
} else {
    $email_addr = $ARGV[0];
}

if ( $euid != 0 ) {
    die "You must be root to delete queue files.\n";
}

open(QUEUE, "$LISTQ |") ||
    die "Can't get pipe to $LISTQ: $!\n";

my $entry = <QUEUE>;    # skip single header line
$/ = "";                # Rest of queue entries print on
                        # multiple lines.
while ( $entry = <QUEUE> ) {
    if ( $entry =~ / $email_addr$/m ) {
        ($qid) = split(/\s+/, $entry, 2);
        $qid =~ s/[\*\!]//;
        next unless ($qid);

        #
        # Execute postsuper -d with the queue id.
        # postsuper provides feedback when it deletes
        # messages. Let its output go through.
        #
        if ( system($POSTSUPER, "-d", $qid) != 0 ) {
            # If postsuper has a problem, bail.
            die "Error executing $POSTSUPER: error " .
                "code " . ($?/256) . "\n";
        }
    }
}
close(QUEUE);

if (! $qid ) {
    die "No messages with the address <$email_addr> " .
        "found in queue.\n";
}

exit 0;

Save this somewhere (/root would be fine) as pfdel.pl, make it executable with chmod, then run it with keywords like:

./pfdel.pl somedomain.tld

This would process the entire mail queue and delete all mails with the specified text in the e-mail address of sender or receiver.

17
SSL / Re: Autorenewal SSL after 90 days
« on: January 11, 2018, 10:21:15 AM »
Hi @sangnguyencg,

I encountered the same issue with automatic renewal not working (although it should), and provided a fix in another thread in the same SSL section. Please take a look here:

http://forum.centos-webpanel.com/ssl/certificates-not-updated-automatically-after-90-days-fixed/

18
SSL / Re: Certificates not updated automatically after 90 days - fixed
« on: December 28, 2017, 07:16:18 AM »
An update: the certificates are being cached by various services, for example the mail services. You will need to remember to restart all mail services and Apache for the new certificates to be loaded and used. It just happened to me that, 24 hours after renewing the certificates, the mail server was still delivering the old (and no longer existing as a file on the server) certificate to mail clients, which complained that it was expired.

19
SSL / Certificates not updated automatically after 90 days - fixed
« on: December 27, 2017, 09:19:03 AM »
Hi guys,

I've been enjoying the LetsEncrypt SSL certificates for 3 months. They were due for automatic renewal via CRON task yesterday, but the certificates didn't get updated, so visitors to the sites were presented with a nice browser warning that the certificate has expired and the site might be malicious. Not nice.

After getting it fixed, here's how I did it. Sorry for explaining it at noob level, that's where I am and maybe it helps other noobs as well :)


First step: resolve websites' functionality without certificate warning (some had enforced redirects from HTTP to HTTPS).

CWP-Admin -> Apache Settings -> SSL Cert Manager -> Run Auto Renewal button.

Patience - for 8 domains, the page took a few minutes to load. This action updated all domains except for one.


Second step: fix the renewal for the domain that didn't work.

In SSL Cert Manager, check which domains' certificates are still listed as expired. Sure, you can click the Run Auto Renewal button again, but let's try another way. :)

SSH into the server with your favorite terminal, get root access via su command.
For each domain with expired certificate, run the command:

Code:
/root/.acme.sh/acme.sh --home /root/.acme.sh/cwp_certs --renew -d www.domainname.tld
If successful, check again in the SSL Cert Manager that the certificate is now expiring in 89 days.
If not successful, you may need to add the --force parameter to the command, or investigate more thoroughly the error message.


Third step: figure out why the CRON command didn't update the certificates automatically. Investigation hints:

- The CRON task exists, and looks like this:
Code:
31 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
- The CRON log in /var/log/cron simply shows that the CRON was running the /root/.acme.sh/acme.sh script every night, but with no additional info. That's because the CRON task redirects output to /dev/null.

- The ACME log in /root/.acme.sh/acme.sh.log has not been doing anything successful in the past 90 days, because it ran into the same error:
Code:
_stopRenewOnError
di='/root/.acme.sh/*.*/
Not directory, skip: /root/.acme.sh/*.*/

- Checking the list of domains and certificates from the command line did not return anything:
Code:
/root/.acme.sh/acme.sh --list
- Checking into the /root/.acme.sh/acme.sh script for the occurrence of "Not directory", I find out that it occurs when it tries to update the certificates one by one, and loops through all files/folders in the ${CERT_HOME} variable. This variable is not set, it doesn't appear anywhere in the list of environment variables.
Code:
env
- Checking where the variable is defined in the same acme.sh script, apparently if it is not defined at the system level, it takes as default the location of the LetsEncrypt home folder, which IS defined as an environment variable ${LE_CONFIG_HOME}


Putting it all together, the LetsEncrypt script acme.sh has no idea that the certificate home folder on CWP is actually in /root/.acme.sh/cwp_certs, unless I explicitly mention it in the command line (as done in previous commands where --home parameter is mentioned) or, to save some keyboard ink, set the CERT_HOME environment variable to this path.

The solution:
1: Delete the incorrect CRON entry in the CWP-Admin, and add the custom entry with correct parameters:
Code:
31 0 * * * /root/.acme.sh/acme.sh --cron --home "/root/.acme.sh/cwp_certs" > /dev/null
2: Set the environment variable CERT_HOME so that the acme.sh script works correctly even without explicitly adding the --home parameter every time:
Code:
export CERT_HOME="/root/.acme.sh/cwp_certs"
3: Add the same command to set the environment variable to the /root/.acme.sh/acme.sh.env file, under the line defining the LE_WORKING_DIR variable, so that the variable is set even after a reboot.


After all this work, I am getting correct output from
Code:
/root/.acme.sh/acme.sh --list
and from
Code:
/root/.acme.sh/acme.sh --cron
without the need of other parameters. However, I will leave the explicit certificate home folder parameter in the CRON command, just in case something borks up the variables again.

For reference, my set-up is still with CentOS 6 and CWP 0.9.8.273.

Did this help? Please feel free to comment with any corrections/improvements I may have missed.
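
An added example, not part of the original post: a preflight check that catches the silent failure described above (a certificate home with no domain directories, which acme.sh logs as "Not directory, skip") as well as renewals that are overdue. The function name `check_cert_home`, the `example.tld` sample data and the per-domain `<domain>/<domain>.conf` layout with a `Le_NextRenewTime` epoch value are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for an acme.sh certificate home.
# Assumption: each domain lives in <home>/<domain>/<domain>.conf and that
# file carries a line Le_NextRenewTime='<epoch seconds>'.

# check_cert_home HOME [NOW] prints findings and returns
#   0 = every domain found is not yet due for renewal
#   1 = at least one domain is past its renewal time (or has none recorded)
#   2 = no domain directories at all (wrong --home / CERT_HOME)
check_cert_home() {
    home=$1
    now=${2:-$(date +%s)}
    found=0
    overdue=0
    for d in "$home"/*.*/; do
        # An unmatched glob stays literal, like the path in the acme.sh log.
        [ -d "$d" ] || continue
        name=$(basename "$d")
        conf="$d$name.conf"
        [ -f "$conf" ] || continue
        found=$((found + 1))
        next=$(sed -n "s/^Le_NextRenewTime='\([0-9]*\)'\$/\1/p" "$conf")
        if [ -z "$next" ] || [ "$next" -lt "$now" ]; then
            overdue=$((overdue + 1))
            echo "OVERDUE $name"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "EMPTY $home: no domain directories, wrong --home or CERT_HOME?"
        return 2
    fi
    [ "$overdue" -eq 0 ] || return 1
    echo "OK $found domain(s) in $home"
    return 0
}

# Constructed sample: one home laid out like cwp_certs, one without domains.
demo=$(mktemp -d)
mkdir -p "$demo/cwp_certs/www.example.tld" "$demo/bare"
echo "Le_NextRenewTime='1000'" > "$demo/cwp_certs/www.example.tld/www.example.tld.conf"
check_cert_home "$demo/bare" 2000 || echo "exit code $?"
check_cert_home "$demo/cwp_certs" 2000 || echo "exit code $?"
rm -rf "$demo"
```

Run from the same CRON entry with its output mailed or logged rather than sent to /dev/null, a non-zero exit code surfaces the problem on the first night instead of after 90 days.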

20
E-Mail / Re: Replace ClamAV with BitDefender?
« on: October 14, 2017, 02:28:58 PM »
Ah my bad, I had in mind Bitdefender Free Anti-Spam for Mail Servers. http://frams.bitdefender.com

It is a good product as well, just not an anti*virus* replacement.

21
E-Mail / Replace ClamAV with BitDefender?
« on: October 10, 2017, 05:49:29 PM »
Hi,

Has anyone tried to replace ClamAV with BitDefender Security for Mail Servers suite? It's free and, from what I read, has a massively better reputation than ClamAV.

It would be nice if the next CWP major version considers including a choice of antivirus solutions.

22
Apache / Re: Definitive guide for nginx + apache + SSL?
« on: September 28, 2017, 09:20:29 PM »
Awwww yisssssss!! Can't wait! And thanks for the clarification!

23
Apache / Re: Definitive guide for nginx + apache + SSL?
« on: September 28, 2017, 01:30:55 PM »
Cool!! How soon is "soon"? :)

Meanwhile, I made some progress - I generated the SSL certificates and they seem to be working. It took several tries to get them right, and on multiple occasions Apache would not restart successfully. It seems that some threads remain running and I have to manually identify and kill the PIDs before I can restart the httpd service.

The next challenge is to make nginx bind to port 443 and answer https requests, then either deliver static files over SSL or forward the request to Apache for processing. I will manually build the virtual hosts files for nginx for this.

One more point I need to clarify: right now, http goes through nginx (80) and then apache (8181 with multiple virtual hosts), while https goes directly to apache (443 with multiple virtual hosts). If I want to have http and https going to nginx (80 and 443 with multiple virtual hosts), the request forwarded to Apache can continue working as if it was a http request, only on port 8181. I don't need Apache to have a secondary port to listen on, nor separate vhost profiles for ssl traffic. Am I right?

24
Apache / Re: Definitive guide for nginx + apache + SSL?
« on: September 27, 2017, 10:54:30 AM »
Indeed, the combination of nginx + Apache is using the best features of both. What doesn't make sense to me is why the addition of SSL would by-pass this architecture and rely solely on Apache. In my view, it would make more sense to keep nginx as a front-end with the additional role of encrypting traffic if accessed via https, and continue to benefit from its speed and low resources. Ideally I'd like to see the option to use nginx alone as a web server, without Apache at all (at least for the hosted domains, irrelevant if the web admin keeps it).

25
Apache / Re: Definitive guide for nginx + apache + SSL?
« on: September 27, 2017, 09:27:17 AM »
Thanks for the quick reply, 6Sense!

I was hoping that SSL can still work through nginx + Apache, meaning nginx taking both http and https traffic and redirecting it to Apache. Wouldn't this set-up be beneficial, just like in non-SSL configuration?

26
Apache / Definitive guide for nginx + apache + SSL?
« on: September 26, 2017, 07:08:12 PM »
Hiya,

I'm running a production server with CentOS 6.9 and latest CWP for several domains, in nginx + Apache configuration, on a shared IP.

I'm under pressure to get SSL enabled on all domains before Google Chrome starts spewing out warnings in October for any text field submitted over http (even a friggin search), and LetsEncrypt would be a fantastic option.

Last I remember, when I tried enabling LetsEncrypt by following the Wiki tutorial, I ended up with Apache and nginx fighting each other, and all sites down. Also, if I am not mistaken, since the Wiki article was prepared and the forum post with instructions, LetsEncrypt manager has been labeled "DO NOT USE".

Is there a definitive guide I can follow now to enable SSL successfully, please? Do I need to also edit template files, rebuild hosts, stuff like that in order to keep this running every time I compile a new version of Apache?

Many thanks in advance! :)

27
CentOS 6 Problems / Re: nginx without Apache?
« on: July 28, 2016, 06:25:08 PM »
Hi Igor,

Thank you for your reply :) "Yet" means that it is planned to be supported in the future? What sort of timeline should be expected for this, please?

Thanks!

28
CentOS 6 Problems / nginx without Apache?
« on: July 13, 2016, 08:34:37 PM »
Hi,

For performance reasons, I'd like to run nginx as the main web server, not as a reverse proxy for Apache, and completely stop using Apache. How can I do that, please? Any known watch-outs for this?

Thanks in advance!
