[BlueOnyx:26563] Easy-Backup v1.1.2-1 released

2023-10-30 Thread Michael Stauber via Blueonyx

Hi all,

We just released Easy-backup v1.1.2-1, which fixes a problem with backup 
retention if incremental backups are configured.


Simply put: If you configured (for example) 7 days of backup retention, 
then Easy-Backup would do just that: It would do one full backup and six 
days of increments.


On the 8th day it would start a new full backup set (keeping the old 
one!) and do another six days of increments.


So it would essentially fill the storage until you eventually would run 
out of space, as older backup sets never got deleted.


This has now been fixed and by simply installing the new v1.1.2-1 
version of it, Easy-Backup will now automatically do proper 
"house-cleaning" after each backup run.


To this end it also received a new command line switch:

/usr/sausalito/sbin/easy-backup --prune

That switch allows you to run those "house-cleaning"-tasks without doing 
a full backup first.


--
With best regards

Michael Stauber
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
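The retention problem described in the announcement, as an added worked example that is not Easy-Backup's own code: it models "N days of retention" as one full backup plus N-1 increments, shows how the sets accumulate when nothing prunes them, and implements a hypothetical house-cleaning step that only deletes a set once every backup in it has aged out, so an increment is never left without the full backup it depends on. The dates and retention value are constructed sample input.

```python
"""Retention pruning for full + incremental backup sets.

Added example, not Easy-Backup's own code. It models the behaviour the
announcement describes: with N days of retention, a set is one full
backup followed by N-1 increments and a new set starts on day N+1.
simulate_runs() reproduces the accumulation of sets; prune_sets() is a
hypothetical house-cleaning step that deletes a set only when every
backup in it (full and increments) is older than the retention window,
so an increment never loses the full backup it depends on.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class BackupSet:
    full: date                                      # date of the full backup
    increments: list = field(default_factory=list)  # dates of the increments

    @property
    def last(self) -> date:
        """Date of the newest backup in this set."""
        return self.increments[-1] if self.increments else self.full


def simulate_runs(start: date, days: int, retention: int) -> list:
    """One backup per day; every `retention` days a new full set is started."""
    sets = []
    for i in range(days):
        today = start + timedelta(days=i)
        if i % retention == 0:
            sets.append(BackupSet(full=today))
        else:
            sets[-1].increments.append(today)
    return sets


def prune_sets(sets: list, today: date, retention: int):
    """Split sets into (keep, delete).

    A set is deleted only when its newest backup is older than the
    retention window. The newest set is always kept, whatever its age,
    because the current increments chain off its full backup.
    """
    cutoff = today - timedelta(days=retention)
    newest = max(sets, key=lambda s: s.full)
    keep, delete = [], []
    for s in sets:
        if s is newest or s.last >= cutoff:
            keep.append(s)
        else:
            delete.append(s)
    return keep, delete


def demo() -> dict:
    """15 daily runs with 7-day retention: three sets exist, one is prunable."""
    sets = simulate_runs(date(2023, 10, 1), 15, 7)
    keep, delete = prune_sets(sets, date(2023, 10, 15), 7)
    return {"sets": len(sets), "keep": len(keep),
            "delete": [s.full.isoformat() for s in delete]}


if __name__ == "__main__":
    print(demo())
```

Without the prune step the list returned by simulate_runs() grows by one set every retention period, which is the disk-filling behaviour the release fixes; the prune step decides per set, never per file, so a stale full backup is only removed together with the increments that were built on it.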


[BlueOnyx:26561] Re: easy-backup troubles

2023-10-29 Thread Michael Stauber via Blueonyx

Hi Tim,


When I run it manually on the first run it just stopped running,
No errors, no email, just stopped.

Second run manually I get this
[INFO] Found 'restore_lock' in CODB, set by user 'root' on 23-10-29 
12:49. Trying again in 30 seconds. Waiting for 1800 seconds in total.
[INFO] Found 'restore_lock' in CODB, set by user '' on 23-10-29 12:49. 
Trying again in 30 seconds. Waiting for 1800 seconds in total.


Only one instance of Easy-Backup may run at the same time. So it has a 
mechanism built in that prevents it from being executed twice by setting 
a restore lock that expires after a given time.


If you have confirmed that no other instances of Easy-Backup are 
running, you can remove the restore lock this way:


/usr/sausalito/sbin/easy-backup --unlock

Either way: Please open a "Support Request" via the GUI and tick the 
checkbox "Allow Access" and I'll happily take a look at it and make sure it 
runs correctly on your server.


--
With best regards

Michael Stauber


[BlueOnyx:26558] Re: fail2ban question on 5210R

2023-10-26 Thread Michael Stauber via Blueonyx

Hi Herbert,


I just got fail2ban installed from the BlueOnyx shop. Thanks.

I am seeing this in the logs. Is it normal?

2023-10-26 14:34:00,746 fail2ban.transmitter    [3373081]: WARNING 
Command ['status', 'apache'] has failed. Received 
UnknownJailException('apache',)
2023-10-26 14:34:00,834 fail2ban.transmitter    [3373081]: WARNING 
Command ['status', 'apache-mod-security'] has failed. Received 
UnknownJailException('apache-mod-security',)
2023-10-26 14:34:00,921 fail2ban.transmitter    [3373081]: WARNING 


Yeah, these can be ignored for now. I'll fix that in the next release of 
Fail2ban, which should be out soon.


--
With best regards

Michael Stauber


[BlueOnyx:26555] Re: backup all DNS records of a specific domain

2023-10-26 Thread Michael Stauber via Blueonyx

Hi Meaulnes,

After having transferred a domain to another domain host, I wanted to 
delete its DNS entries on my server in Server Management > Network 
Services > DNS > Select Domain...


Is there a way to previously backup all the records of that domain in 
one go for easy restore? Of course I could copy all the records as text 
files and restore them manually if required, but maybe there is a more 
efficient way?


In that case the easiest way would be to back up the DNS Zone files 
themselves.


You can find them in this directory on the BlueOnyx:

/var/named/chroot/var/named/

If the Vsite was named company.com, then these will be the files you 
need to backup:


/var/named/chroot/var/named/db.company.com
/var/named/chroot/var/named/db.company.com~
/var/named/chroot/var/named/db.company.com.include

If need be, you can import the DNS again from them by pointing 
/usr/sausalito/sbin/dnsImport.pl to the directory where you have these 
files.


--
With best regards

Michael Stauber


[BlueOnyx:26550] Re: Dovecot Aliases for email username?

2023-10-21 Thread Michael Stauber via Blueonyx

Hi Greg,


Hmm. Not happy with Microsoft on this one.


Yeah, it's a stupid change. They break something and we have to bend 
over backwards? Not really.



At the very least, it should be opt in… Just saying.


Indeed. And it's even pretty complicated. Sure, I can write something 
that (if the feature is enabled) dumps out a dovecot alias file and 
keeps it updated whenever email server aliases, user email aliases or 
users and vsites in general change.


But that doesn't solve another problem: Saslauth will also then need a 
similar change to be able to accept logins with username or email 
address. And that's where it gets a little tricky.


Either way: This is somewhat complicated and invasive and it's not some 
code I can crank out and properly test in a day or three.


There is a half-assed half-measure, though:

In /etc/dovecot/conf.d/10-auth.conf one can set this:

auth_username_format = %Ln

And in Postfix's /etc/postfix/main.cf the following settings are needed:

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_authenticated_header = yes
smtpd_sasl_exceptions_networks = $mynetworks
auth_username_format = %n

At least according to what I could just dig up. Some of these settings 
are already present. But essentially it switches Postfix from using 
"cyrus" to using Dovecot for auth-checks.


And the ...

auth_username_format = %Ln

... in /etc/dovecot/conf.d/10-auth.conf will then allow both ...

@
... as well as ...


The caveat of this is: It won't allow:

@
... or ...
@

In order to cover these as well we'd need to write out and maintain a 
complete alias file for Dovecot as linked in the first message of this 
topic.


And that's just the Postfix side of things and Sendmail is an entirely 
different topic. If I do this, then probably only for Dovecot and 
Postfix anyway.


--
With best regards

Michael Stauber


[BlueOnyx:26548] Re: Dovecot Aliases for email username?

2023-10-20 Thread Michael Stauber via Blueonyx

Hi Michael,

Here is what I found about dovecot aliases. 
https://serverfault.com/questions/1054395/login-aliases-for-smtp-imap 



That looks interesting, indeed! I'll look into it.

--
With best regards

Michael Stauber


[BlueOnyx:26545] Re: 5209R AV-SPAM issue same as BlueOnyx:23984

2023-10-18 Thread Michael Stauber via Blueonyx

Hi Larry,


First thing I noticed is that sendmail is
checking /var/run/clamav/clamav-milter.sock and the
clamav-milter.conf file specifies
/var/run/clamav-milter/clamav-milter.sock.
Changed that in the conf file to be the same as
sendmail but still getting the error messages.

Server is a 5209R with AV-SPAM 6.3.2-1


I'm sorry, but the AV-SPAM 6.3.2-1 is from September 2017. The latest 
version is v7.2.7, which was released just a few days ago. So you're 
missing years worth of improvements and fixes.


The whole integration of the Milters into Sendmail (and Postfix on newer 
BlueOnyx versions) got drastically revised and improved in between as well.


Please consider upgrading to a newer version. Or at least turn off the 
Clam AV, as the one you're still using is way too old to be of any use.


--
With best regards

Michael Stauber


[BlueOnyx:26542] Re: easymigrate failure - mapmaker.pl

2023-10-17 Thread Michael Stauber via Blueonyx

Hi Darren,

I’m getting a failure when using easymigrate, this is happening with 
every vsite on the source which is 5209r. I am going to 5211r


If I look at /var/log/messages I see this:

Oct 18 00:53:09 intersys18 cced(smd)[6788]: client 
0:handlers/base/ssl/vsite_ssl.pl: SET succeeded


Oct 18 00:53:09 intersys18 cced(smd)[6788]: handler 
handlers/base/email/mapmaker.pl failed


Oct 18 00:53:10 intersys18 cced(smd)[6788]: client 0:[0:6722]: CREATE failed


My apologies. I made a screw up yesterday when I published an update to 
base-email-* on 5211R. The mapmaker.pl Handler had an error. An updated 
base-email-* has been published earlier today.


Run ...

yum clean all
yum update

... and you should be good again.

--
With best regards

Michael Stauber


[BlueOnyx:26530] Re: Network settings changing.

2023-10-05 Thread Michael Stauber via Blueonyx

Hi Brian,

Not sure if this has been questioned before, but had an issue earlier 
today where I had to restart a server and although the server had been 
running for a long time with a static IPv4 address, it seems it 
discovered a rogue DHCP server and decided it would use the IP address 
from DHCP instead. When trying to change the IP address it was a little 
weird as the settings would not stick as it kept reverting to the DHCP 
server assigned IP address.



The whole network stack of BlueOnyx doesn't use DHCP at all. When you 
install BlueOnyx DHCP gets turned off and static network settings are 
configured. And they remain static unless someone manually fiddles with 
it or maybe some third party software fiddles with it.


I can't imagine a way how the network settings would switch to DHCP on 
their own. So I'm as confused as you are why this has happened in your case.


The only way how you can still use DHCP on a BlueOnyx (there are some 
valid usage cases for this after all) is when you create the (empty) 
file /etc/is_aws. When that is present, all network related handlers and 
constructors will no longer have permissions to change your network 
settings at all. But even then: That doesn't switch your server to DHCP 
on its own and one has to manually modify the network config files to do so.


--
With best regards

Michael Stauber


[BlueOnyx:26528] Re: Installing Dell OMSA on a BlueOnyx Server

2023-10-05 Thread Michael Stauber via Blueonyx

Hi Richard,

Is it safe to add the Dell OMSA repository to a BlueOnyx server to add 
the hardware monitoring tools?


Yes, that should be fine.

--
With best regards

Michael Stauber


[BlueOnyx:26525] Re: minor Roundcube issue

2023-10-03 Thread Michael Stauber via Blueonyx

Hi Darren,


The solution was simply to change the host name in Virtual Site Settings
from "www" to "mail" for all sites I wanted to have webmail access, despite
the fact the www host was not on the Blue Onyx. After I did that, it seems
to be handling the webmail access normally, even though I have again pointed
that first site's "www" A record to a different host.


That is correct. You can use the same domain on different Vsites or even 
servers - as long as the DNS records point to the correct respective 
location.


--
With best regards

Michael Stauber


[BlueOnyx:26523] Re: Postfix: Allow relay access by IP (and hostname)

2023-09-26 Thread Michael Stauber via Blueonyx

Hi Chad,

I missed this email last night, but apparently this morning at 6am when 
the RPMs came in, it started working, automagically.  I know this 
because the backlog of outgoing emails from things that hadn't been 
working then triggered rate alerts from my upstream provider.  In the 
intervening time when emails weren't getting relayed, apparently the 
attempts and retries, etc. had accumulated in the database and there 
were upwards of 100,000 emails that would have been headed outbound. 


Yikes! That was quite a flood indeed!

I'm assuming, from the implementation and what I found in the mynetworks 
entry, it will take pretty much anything listed in the Relay field from 
the UI and put it directly in.


That is correct. Anything that is listed in the relay field is allowed 
to relay through your MTA without further checks.


That would allow the use of a CIDR netmask to be part of the entry 

> and then be passed directly into the Postfix config in that same
> manner.

Correct. You can put in something like 192.168.0.0 and then the whole 
192.168.0.0/16 network is allowed to relay through your server.


--
With best regards

Michael Stauber



[BlueOnyx:26521] Re: Postfix: Allow relay access by IP (and hostname)

2023-09-25 Thread Michael Stauber via Blueonyx

Hi Chad,


Your original recommendation was:

"Change your "mynetworks" line in /etc/postfix/main.cf to something like
this if you want to allow the whole 192.168.0.0/16 network to be able to
relay through it:

mynetworks = 127.0.0.0/8 [::1]/128 192.168.0.0/16

I did this, but find that, when I execute the postfix restart, the 
main.cf gets rewritten, and mynetworks is updated to:

I just published base-email-* RPMs for BlueOnyx 5210R and 5211R which 
fix this issue.


When you now restart Postfix, the "mynetworks" line in 
/etc/postfix/main.cf will be rewritten to include the following:


- Localhost IPv4
- Localhost IPv6
- All IP addresses bound to your server
- All IPs and Hostnames from "Server Management" / "Network Services" /
  "Email", "Advanced"-tab, field "Relay Email From Hosts/Domains/IP
  Addresses"

So anything you specify under "Server Management" / "Network Services" / 
"Email" / "Advanced"-tab, field "Relay Email From Hosts/Domains/IP 
Addresses" will be allowed to relay through your server without 
authentication. That turns your Postfix into an open relay for the 
specified hosts or IPs.


Preferably you should *not* use Hostnames in that field, but only IPs. 
But if need be, hostnames (of the sending servers) will also work, yet 
these could be spoofed by someone who knows you allow that hostname to 
relay.


--
With best regards

Michael Stauber
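The relay-list handling discussed in this message and in the later "Postfix learning curve" thread (where the point is made that the GUI field accepts hostnames but Postfix's "mynetworks" only takes addresses), as an added example that is not BlueOnyx's own handler code: it builds a mynetworks line from the contents of the "Relay Email From Hosts/Domains/IP Addresses" field, keeps only addresses and CIDR networks, writes each one with an explicit prefix length so it is obvious which range gets unauthenticated relay, and hands back the hostname entries it refused for review. The relay field contents and server IP below are constructed sample input; the bracketed IPv6 notation is Postfix's own main.cf form.

```python
"""Build a Postfix 'mynetworks' line from a relay allow-list, IPs only.

Added example, not BlueOnyx's own handler code. The thread explains that
anything in the GUI field "Relay Email From Hosts/Domains/IP Addresses"
may relay without authentication, that hostnames there are spoofable,
and that Postfix's mynetworks only takes addresses and networks. This
builder therefore keeps addresses and CIDR networks, writes every entry
with an explicit prefix length so the granted range is unambiguous, and
returns the hostnames it refused so an admin can review them. The
relay field contents and server IPs below are constructed sample input.
"""
import ipaddress
import re

# Loopback entries Postfix always needs; IPv6 goes in brackets in main.cf.
LOOPBACK = ["127.0.0.0/8", "[::1]/128"]


def parse_network(text: str):
    """Return an ip_network for an address or CIDR entry, or None for anything else.

    A bare address becomes a single-host network (/32 or /128); host bits
    in a CIDR entry are masked off (10.1.2.3/24 -> 10.1.2.0/24).
    """
    text = re.sub(r"^\[(.*)\]", r"\1", text.strip())   # accept [2001:db8::]/32 form
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


def format_network(net) -> str:
    addr = net.network_address
    return f"[{addr}]/{net.prefixlen}" if net.version == 6 else f"{addr}/{net.prefixlen}"


def build_mynetworks(relay_field: str, server_ips):
    """Return (mynetworks line, list of rejected hostname entries)."""
    entries = list(LOOPBACK)
    entries += [format_network(parse_network(ip)) for ip in server_ips]
    rejected = []
    for raw in re.split(r"[,\s]+", relay_field.strip()):
        if not raw:
            continue
        net = parse_network(raw)
        if net is None:
            rejected.append(raw)           # hostname or garbage: not for mynetworks
        else:
            entries.append(format_network(net))
    unique = list(dict.fromkeys(entries))  # drop duplicates, keep order
    return "mynetworks = " + " ".join(unique), rejected


SAMPLE_RELAY_FIELD = "192.168.0.0/16, mail.partner.example 10.1.2.3 [2001:db8::]/32"
SAMPLE_SERVER_IPS = ["203.0.113.10"]

if __name__ == "__main__":
    line, rejected = build_mynetworks(SAMPLE_RELAY_FIELD, SAMPLE_SERVER_IPS)
    print(line)
    print("review these hostname entries:", rejected)
```

Every network in mynetworks bypasses SMTP authentication entirely, so the list returned by build_mynetworks() is worth reading as an access-control list: a /16 grants relay to any host that can reach port 25 from that range, which is why single hosts are emitted as /32 rather than silently widened.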


[BlueOnyx:26519] Re: No clamd server appears to be available

2023-09-25 Thread Michael Stauber via Blueonyx

Hi Darren,


That appears to have worked, however, my clamav-daemon.socket did not look like 
that, it only had:

ListenStream=/run/clamav/clamd.ctl
ListenStream=7358


Was this by chance a BlueOnyx 5209R?

--
With best regards

Michael Stauber



[BlueOnyx:26517] Re: No clamd server appears to be available

2023-09-25 Thread Michael Stauber via Blueonyx

Hi Darren,

I believe I am having a problem caused by the change you've made 

> here - the clamd process is constantly running at 100% cpu all
> the time. The maillog shows this repeated continuously:

clamd[232355]: TCP: Cannot bind to [127.0.0.1]:7358: Address already in use
clamd[232355]: Not listening on any interfaces

Netstat shows this:
tcp6 436  0 :::7358   :::*   LISTEN  0   25723  1/system

even if I disable the clam av av-spam service, it continues.



Yeah, I'm not entirely happy with the latest change either, as the 
attempts to bind Clam AV to the TCP port produces some weird results 
without rhyme or reason.


First of all: Make sure you have the latest AV-SPAM installed. This 
should be 7.2.7-1 (5209R/5211R) or 7.2.7-2 (5210R).


If that's already the case and/or the problem persists, open this file 
in an editor (as root):


/usr/lib/systemd/system/clamav-daemon.socket

There should be a section like this in it:


[Socket]
ListenStream=/run/clamav/clamd.ctl
# Default:
ListenStream=127.0.0.1:7358
# Use this instead if 'No clamd server appears to be available' persists:
# ListenStream=127.0.0.1:1024


As you can see: It tries to bind to 127.0.0.1:7358, which works for most 
installs where I tested this. But it doesn't for some, like in your case.


Comment out the line ...

ListenStream=127.0.0.1:7358

... and remove the leading "#" (and the space) from the other line:

# ListenStream=127.0.0.1:1024

So it should look like this when done:

ListenStream=127.0.0.1:1024

Save the changes and then run the following:

systemctl daemon-reload
systemctl stop clamav-daemon clamav-daemon.socket
systemctl restart clamav

Then give it a minute, as clamav-daemon.socket will only be able to 
finalize its task once Clam AV is fully started up.


At first it will bind to 127.0.0.1:1024 and the process list (as well as 
netstat) will show that Systemd is holding that port open. Then after 
Clam AV has fully started up it will bind to 127.0.0.1:7358 as well and 
will show that Clam AV is holding that port open.


I'm still looking into fixing this for good, but I haven't yet managed 
to identify why I don't get fully reproducible and consistent behavior 
for this across several different virtualization platforms and physical 
server installs. It's a pretty weird issue between Systemd and this 
current Clam AV release.


--
With best regards

Michael Stauber


[BlueOnyx:26514] Re: [EXTERNAL] Re: SSL error when receiving mail from GMAIL

2023-09-24 Thread Michael Stauber via Blueonyx

Hi Arie,

Vsite web- and mailserver aliases are www.ceelie.info 
, ceelie.info and mail.ceelie.info.

I've selected those three in the LetsEncrypt! module.


Very well. But why does ...

https://www.ceelie.info/
https://mail.ceelie.info/
https://ceelie.info/

... bring up a webpage(s) with a self-signed certificate?

See: 
https://www.ssllabs.com/ssltest/analyze.html?d=ceelie.info=on=on



As for the hosting DNS, these are the settings.


Take a look at this: https://www.blueonyx.it/dns-for-email

The righthand side of the DNS MX records (where it points to) must be 
the FQDN of the Vsite as shown in the Vsite List.


So in your case that should be "www.ceelie.info" and not just 
"ceelie.info". The reason for this is how Sendmail/Postfix match the 
email aliases to local user accounts.


Here is a third party site for checking TLS:

https://www.checktls.com/

When I try it against a correctly configured 5210R or 5211R it checks 
out just fine.


When I test it against ad...@ceelie.info it errors out because you have 
a self-signed SSL certificate in your certificate chain:


--
-END CERTIFICATE-
subject=C = NL, L = Leiden, O = Ceelie, CN = mail.ceelie.info, 
emailAddress = elpa...@ceelie.info
issuer=C = NL, L = Leiden, O = Ceelie, CN = mail.ceelie.info, 
emailAddress = elpa...@ceelie.info

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2438 bytes and written 426 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate) <--- !
--

Make sure the GUI of the BlueOnyx has a valid SSL certificate (Let's 
Encrypt or other), too. Because in an SNI environment the GUI cert is 
the first certificate in the SNI certificate chain.


So I see three issues:

- DNS best practices for BlueOnyx not followed
- BlueOnyx GUI has no valid SSL certificate
- Vsite itself seems to have a self-signed certificate

> When trying ...
>
> openssl s_client -starttls smtp -connect :
>
> ... all three servernames/domains fail for port 25 and 587.
> Port 443 gives a CONNECTED(0003). Nothing more.

Yes, because that OpenSSL client command has the option "-starttls smtp" 
for checking SMTP specifically.


Use this to check the web based TLS:

openssl s_client -connect :443

Or this to check the GUI HTTPS:

openssl s_client -connect :81

I'm not sure what you're doing there, but either you're not supplying 
the correct information and the Vsite name is different than 
"www.ceelie.info" and/or you're not following the instructions and best 
practices for BlueOnyx.


If you want, contact me offlist and/or supply a "Support Request" via 
the GUI with "Allow access" ticked and I'll take a look directly at the 
server.


--
With best regards

Michael Stauber


[BlueOnyx:26510] Re: Strange SSL error

2023-09-23 Thread Michael Stauber via Blueonyx

Hi Rodrigo,

> We are still having this problem on a newly yummed 5211. Server offers the
> BX.Host certificate instead of the domain when using Outlook with
> POPS and SMTPS.
>
> Certificate is letsencrypt.
>
> Do I have to install a specific package to receive the correction? The
> domain only has 1 alias.

No, this should already work fine. You could try to restart CCEd to 
force an update of the SSL configuration for Postfix and Dovecot, though:


/usr/sausalito/sbin/cced.init restart

You can also test the TLS connection against Postfix this way:

openssl s_client -starttls smtp -connect :587

Just replace  with the fully qualified domain name you want to test.

Example:

openssl s_client -starttls smtp -connect 5210r2.smd.net:587

That is a Vsite on a 5210R with an LE cert. In the output the relevant 
lines are this:


mstauber@beast:~$ openssl s_client -starttls smtp -connect 
5210r2.smd.net:587

CONNECTED(0003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = 5210r2.smd.net 
verify return:1
---
Certificate chain
 0 s:CN = 5210r2.smd.net
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 10 07:50:50 2023 GMT; NotAfter: Dec  9 07:50:49 
2023 GMT

 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 
2025 GMT

 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 
2024 GMT

---

Above it shows the name of the certificate that answered:

depth=0 CN = 5210r2.smd.net

Also further below in the output below the raw certificate you can see 
something like this:


-END CERTIFICATE-
subject=CN = 5210r2.smd.net
issuer=C = US, O = Let's Encrypt, CN = R3

That also (again) tells us which domain the cert is valid for and the 
issuer.


Try it with the FQDN of the Vsite that is not working and see if the 
cert validity that shows up is for the Vsite or for the server.


--
With best regards

Michael Stauber

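The checks made by hand in this message and in the ceelie.info reply above (read the depth=0 line, the chain, the subject/issuer after the PEM block and the "Verify return code"), as an added example that is not from the list posts: a small parser for openssl s_client output that reports why a peer would reject the handshake, namely a failed verify, a self-signed leaf or a CN that is not the FQDN under test. The two transcripts are constructed in the same layout s_client prints, with only the summary lines the parser needs; mail.example.test is a placeholder name.

```python
"""Parse 'openssl s_client' output and judge the presented certificate.

Added example, not from the list posts. It extracts the fields the
thread points at (depth=0 subject, the chain, subject/issuer after the
PEM block, and 'Verify return code') and reports why a mailserver
handshake would be rejected: a failed verify, a self-signed leaf, or a
CN that is not the FQDN being tested. The two transcripts below are
constructed in the same layout as s_client prints them; only the
summary lines the parser needs are included.
"""
import re

GOOD_OUTPUT = """\
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.example.test
verify return:1
---
Certificate chain
 0 s:CN = mail.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
-----END CERTIFICATE-----
subject=CN = mail.example.test
issuer=C = US, O = Let's Encrypt, CN = R3
---
Verify return code: 0 (ok)
---
"""

SELF_SIGNED_OUTPUT = """\
CONNECTED(00000003)
depth=0 C = NL, O = Example, CN = mail.example.test
verify error:num=18:self-signed certificate
---
Certificate chain
 0 s:C = NL, O = Example, CN = mail.example.test
   i:C = NL, O = Example, CN = mail.example.test
---
-----END CERTIFICATE-----
subject=C = NL, O = Example, CN = mail.example.test
issuer=C = NL, O = Example, CN = mail.example.test
---
Verification error: self-signed certificate
Verify return code: 18 (self-signed certificate)
---
"""


def parse_s_client(output: str) -> dict:
    """Pull the chain, leaf subject/issuer and verify result out of s_client text."""
    chain = re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", output, re.M)
    subject = re.search(r"^subject=(.*)$", output, re.M)
    issuer = re.search(r"^issuer=(.*)$", output, re.M)
    code = re.search(r"^Verify return code: (\d+) \((.*?)\)", output, re.M)
    return {
        "chain": chain,                       # list of (subject, issuer) per depth
        "subject": subject.group(1).strip() if subject else None,
        "issuer": issuer.group(1).strip() if issuer else None,
        "verify_code": int(code.group(1)) if code else None,
        "verify_msg": code.group(2) if code else None,
    }


def common_name(dn: str):
    """CN attribute of an OpenSSL-style distinguished name, lower-cased."""
    m = re.search(r"\bCN\s*=\s*([^,/]+)", dn or "")
    return m.group(1).strip().lower() if m else None


def assess(output: str, expected_fqdn: str) -> list:
    """Return a list of reasons a peer would distrust this server; empty is good."""
    info = parse_s_client(output)
    findings = []
    if info["verify_code"] != 0:
        findings.append(f"verify failed: {info['verify_code']} ({info['verify_msg']})")
    if info["subject"] and info["subject"] == info["issuer"]:
        findings.append("leaf certificate is self-signed")
    cn = common_name(info["subject"])
    if cn != expected_fqdn.lower():
        findings.append(f"CN {cn!r} is not {expected_fqdn!r}; check the SAN list with -showcerts")
    return findings


if __name__ == "__main__":
    print("good:", assess(GOOD_OUTPUT, "mail.example.test"))
    print("self-signed:", assess(SELF_SIGNED_OUTPUT, "mail.example.test"))
```

Two caveats when using this against a real host: the summary only shows the CN, so a name that is valid via the SAN list will show up as a mismatch until you inspect the full certificate (-showcerts piped into openssl x509 -text), and the chain Postfix serves depends on the SNI name the client sent; recent OpenSSL s_client sends the -connect hostname as SNI by default, and -servername sets it explicitly, which is the quickest way to confirm whether a Vsite's own certificate or the server default is being presented.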


[BlueOnyx:26509] Re: SSL error when receiving mail from GMAIL

2023-09-23 Thread Michael Stauber via Blueonyx

Hi Larry,


   Hmmm, not sure this will ever work - and if it does work with
Google it will break most other mail servers that try to talk to you.
Port 25 is the original email port (sendmail) and is no auth, no SSL/TLS
on purpose.  As defined by the IETF, port 465 is the SSL/TLS port for
sendmail, and port 587 is the authenticated, with SSL/TLS port.

   Notwithstanding that, your error is no acceptable cipher for you
and gmail to agree upon.  Port 443 is web (http / Apache) and postfix
is mail.  Is it possible that your email is not configured to use the
keys you created??


In 5210R and 5211R the SSL certificates of Vsites are used for HTTPS in 
Apache and/or Nginx. But they are also tied into Dovecot for POP3 
and IMAP as well as into Postfix.


This was also in large part the drive to switch newer BlueOnyx versions 
from Sendmail to Postfix, as Postfix supports SNI and Sendmail doesn't.


So if you run a BlueOnyx 5210R or 5211R, have it configured to use 
Postfix and have "Enable SMTPS Server" enabled? It will not only use the 
GUI's SSL certificate, but also the SSL certificates of all Vsites to 
answer to TLS connections.


The SNI Email integration in BlueOnyx is explained here:

Postfix:
https://www.blueonyx.it/news/267/15/5210R-Postfix-SNI-for-email-and-Maildir/

Dovecot:
https://www.blueonyx.it/news/266/15/5209R5210R-SNI-support-added-to-Dovecot/

But yeah, in Arie's case there was something off. His SNI certificates 
didn't include validity for the requested domain and there also seems to 
have been a protocol/cipher mismatch.


--
With best regards

Michael Stauber


[BlueOnyx:26507] Re: SSL error when receiving mail from GMAIL

2023-09-23 Thread Michael Stauber via Blueonyx

Hi Arie,

Addressed this issue some time ago. I tried LetsEncrypt and it works 
flawless on port 443, but how do I set it for port 25?


Error log:

Sep 23 18:57:19 www postfix/smtpd[249156]: connect from 
mail-yw1-f175.google.com[209.85.128.175]


Sep 23 18:57:19 www postfix/smtpd[249156]: TLS SNI ceelie.info from 
mail-yw1-f175.google.com[209.85.128.175] not matched, using default chain


The Google mailserver established an SMTP TLS connection to 
"ceelie.info". This is not the name of your BlueOnyx itself, so if at 
all, then Postfix would serve the TLS request using the SNI certificates 
that may (or may not) exist for your server.


For starters: Check /etc/postfix/vsite_ssl.map to see if there is a line 
starting with "ceelie.info" in it. If not, then you may not have 
configured SSL correctly for that Vsite in question.


To troubleshoot this go to the Vsite of which "ceelie.info" is part of, 
click on "SSL", click on the button "Let's Encrypt" and see if 
"ceelie.info" is listed under "SSL domain aliases". It *should* be 
listed on the lefthand side of that table, in which case it will be 
included in the validity of the requested SSL certificate as a DNS Alias.


In your case "ceelie.info" wasn't a valid SSL SNI host, so no SSL 
certificate was served. In fact it seems that "ceelie.info" uses 
a self signed certificate at this time? If so, then yeah: That won't fly.


Sep 23 18:57:19 www postfix/smtpd[249156]: SSL_accept error from 
mail-yw1-f175.google.com[209.85.128.175]: -1


Sep 23 18:57:19 www postfix/smtpd[249156]: warning: TLS library problem: 
error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared 
cipher:ssl/statem/statem_srvr.c:2285:


The SSL connection then failed, because of the missing certificate 
and/or incompatibility of shared protocols.


Sep 23 18:57:19 www postfix/smtpd[249156]: lost connection after 
STARTTLS from mail-yw1-f175.google.com[209.85.128.175]


And that's where Google hung up on you, ending the connection after 
having found no common grounds to establish a TLS connection.


To cover all the bases, do this: In the GUI of that Vsite check that 
"ceelie.info" is present as a "Web Server Alias" as well as an "Email 
Server Alias". Make sure you have DNS A Records and DNS MX Records for it.


Then as mentioned: Under SSL management of that Vsite under "Let's 
Encrypt" include all "SSL domain aliases" you want active in the 
Certificate request and request a new SSL certificate.


That will then create a new SSL certificate and it will be integrated 
into the SNI configuration of Dovecot and Postfix.


--
With best regards

Michael Stauber
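The log walk-through above, turned into detection logic as an added example (not BlueOnyx code): it reads maillog lines of the kinds quoted in the message, groups them per smtpd process, and checks each SNI name Postfix reported as "not matched" against /etc/postfix/vsite_ssl.map, so the two questions in the reply (is the name in the map, and did the handshake then fail) are answered from the log in one pass. The log lines and map contents are constructed; the map format assumed here is one entry per line with the hostname as the first whitespace-separated field and the rest ignored.

```python
"""Triage Postfix smtpd TLS failures against the SNI map.

Added example; not BlueOnyx code. It reads maillog lines of the kind
quoted in the thread ('TLS SNI ... not matched, using default chain',
'SSL_accept error', 'no shared cipher', 'lost connection after
STARTTLS'), groups them per smtpd process, and checks each requested
SNI name against /etc/postfix/vsite_ssl.map. The map format assumed
here is one entry per line with the hostname as the first field, which
is the lookup key Postfix needs; the rest of the line is ignored.
Grouping by smtpd pid is adequate for a short log window; a long-lived
smtpd process serves many connections, so widen the key to (pid, client)
when scanning a whole day's log.
"""
import re
from collections import defaultdict

SNI_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: TLS SNI (?P<sni>\S+) from (?P<client>\S+) not matched")
FAIL_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<what>SSL_accept error|"
    r"warning: TLS library problem|lost connection after STARTTLS)")

# Constructed sample log: one connection that fails after an unmatched SNI
# name, and one that fell back to the default chain and carried on.
SAMPLE_LOG = """\
Sep 23 18:57:19 www postfix/smtpd[249156]: connect from mx.sender.example[192.0.2.10]
Sep 23 18:57:19 www postfix/smtpd[249156]: TLS SNI vsite.example.test from mx.sender.example[192.0.2.10] not matched, using default chain
Sep 23 18:57:19 www postfix/smtpd[249156]: SSL_accept error from mx.sender.example[192.0.2.10]: -1
Sep 23 18:57:19 www postfix/smtpd[249156]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2285:
Sep 23 18:57:19 www postfix/smtpd[249156]: lost connection after STARTTLS from mx.sender.example[192.0.2.10]
Sep 23 18:58:02 www postfix/smtpd[249160]: connect from mx.other.example[198.51.100.7]
Sep 23 18:58:02 www postfix/smtpd[249160]: TLS SNI mail.vsite.example.test from mx.other.example[198.51.100.7] not matched, using default chain
""".splitlines()

# Constructed stand-in for /etc/postfix/vsite_ssl.map.
SAMPLE_SNI_MAP = """\
# hostname  certificate chain file (constructed)
www.vsite.example.test  /etc/pki/tls/vsite1.pem
"""


def load_sni_names(map_text: str) -> set:
    """Hostnames that have a chain in the SNI map (first field of each line)."""
    names = set()
    for line in map_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split()[0].lower())
    return names


def triage_tls_failures(log_lines, map_text: str) -> dict:
    """Return one finding per SNI name Postfix could not match."""
    known = load_sni_names(map_text)
    by_pid = defaultdict(lambda: {"sni": None, "client": None, "failures": []})
    for line in log_lines:
        m = SNI_RE.search(line)
        if m:
            rec = by_pid[m["pid"]]
            rec["sni"], rec["client"] = m["sni"].lower(), m["client"]
            continue
        m = FAIL_RE.search(line)
        if m:
            by_pid[m["pid"]]["failures"].append(m["what"])
    findings = {}
    for rec in by_pid.values():
        if rec["sni"] is None:
            continue  # failures with no SNI line are a different problem
        f = findings.setdefault(rec["sni"], {"in_sni_map": rec["sni"] in known,
                                              "clients": set(),
                                              "handshake_failed": False})
        f["clients"].add(rec["client"])
        if rec["failures"]:
            f["handshake_failed"] = True
    return findings


if __name__ == "__main__":
    for sni, f in triage_tls_failures(SAMPLE_LOG, SAMPLE_SNI_MAP).items():
        print(sni, "in map:", f["in_sni_map"], "failed:", f["handshake_failed"],
              "clients:", sorted(f["clients"]))
```

A name that shows up here with in_sni_map False is exactly the case the message describes: the Vsite's Let's Encrypt request did not include that alias, so Postfix fell back to the default chain and the sender either rejected the name mismatch or, as with the "no shared cipher" line, never got as far as agreeing on a cipher.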


[BlueOnyx:26504] Re: [EXTERNAL] Re: Error when deleting VSite

2023-09-23 Thread Michael Stauber via Blueonyx

Hi Arie,


Found the solution in
https://www.mail-archive.com/blueonyx@mail.blueonyx.it/msg17128.html 



Like I suspected: SQL error. But this also reminds me to change that 
handler to soft-fail and still allow Vsite deletion. Even if it 
potentially leaves the SQL user and DBs around.


--
With best regards

Michael Stauber


[BlueOnyx:26499] Re: Error when deleting VSite

2023-09-22 Thread Michael Stauber via Blueonyx

Hi Arie,


Running on 5210R. I created a VSite for testing a few things. When 
finished I tried to delete the VSite in the GUI. Not working, I received 
this error:


Task Status

The server encountered an internal error and was unable to complete your 
request.


Check /var/log/messages to see what caused the error. Most likely it's a 
MariaDB issue.



How do I delete the VSite? Maybe a command line or such?


Identify the group name of the Vsite. It's something like "site22". Then 
run this command:


/usr/sausalito/sbin/vsite_destroy.pl site22

That will delete Vsite "site22" and all data related to it - including 
Users, DNS, SQL databases, Aliases and so on.


--
With best regards

Michael Stauber


[BlueOnyx:26497] Re: The Postfix learning curve continues

2023-09-21 Thread Michael Stauber via Blueonyx

Hi Chad,

Most of the challenges are, honestly, coming from other solutions that 
send telemetry, etc. both to local admin (i.e. me) and for remote 
diagnostics/statistics.  The emails that are going to domains hosted by 
my BlueOnyx, as you'd expect, get delivered just fine.  It's those pesky 
outgoing things (and to be honest, I also use internal email to external 
SMS notification emails for some things that also get shot down).


Sure, that's fully understandable.

While none of these are life and death critical, I'm glad to know that 
at least the problem is understood, and appreciate the complexities of 
implementing a fix.  Hopefully parsing the IF{postfix} then {ensure IP's 
only} won't be a big lift, and also won't disrupt anything else that 
needs to work.

No problem. I'll look into it as soon as I can. I had planned it for 
today, but instead the two local ISP's in our city played the blame game 
again: Two technicians from Movistar opened the porthole in front of our 
apartment, lifted all Coax distributors of their competitor "Tigo" out, 
threw them back into the hole, gave 'em a few kicks for good measure and 
since then we're cut off from the internet again.


Just spent three hours filing a claim with the ISP to get this sorted. 
This is now the third sabotage in six weeks and it's getting ridiculous. 
Hopefully it'll get sorted by tomorrow, but over here one never knows.


Anyway: As soon as I can I'll look into this.

--
With best regards

Michael Stauber


[BlueOnyx:26495] Re: POP sent to IMAP sent

2023-09-21 Thread Michael Stauber via Blueonyx

Hi Meaulnes,


okaaay, me old man will comply and use the /en vogue/ IMAP 


That's the spirit! :o)

--
With best regards

Michael Stauber


[BlueOnyx:26493] Re: The Postfix learning curve continues

2023-09-20 Thread Michael Stauber via Blueonyx

Hi Chad,

I'm resurfacing an issue from about a month ago, on my transition to 
Postfix.  I've simply not had the time to worry about my internal stuff 
not working, until now.


Your original recommendation was:

"Change your "mynetworks" line in /etc/postfix/main.cf to something like
this if you want to allow the whole 192.168.0.0/16 network to be able to
relay through it:

mynetworks = 127.0.0.0/8 [::1]/128 192.168.0.0/16

Then restart Postfix and see if that helps:

systemctl restart postfix"

I did this, but find that, when I execute the postfix restart, the 
main.cf gets rewritten


Unfortunately that seems correct. I just checked this part of that 
mechanism and it's not entirely working as intended for that particular 
purpose:


In /etc/postfix/main.cf the line "mynetworks" is reserved and you cannot 
edit it. It will get overwritten on Postfix restarts with the IP 
addresses that you have bound to your server.


The *intended* mechanism for allowing relaying is under "Server 
Management" / "Network Services" / "Email" in the "Advanced" tab.


The idea is to allow all hosts listed in "Relay Email From 
Hosts/Domains/IP Addresses" to relay through your server.


However: In our current Postfix implementation that adds entries to 
/etc/postfix/access like this:


test.smd.net   RELAY

But if "Enable SMTP Auth" is active, that then trips Saslauthd and 
relaying is denied, because the sender didn't authenticate.


You're right: In practical terms the IPs of allowed senders would need 
to go into "mynetworks" instead of stuffing them into 
/etc/postfix/access. The issue here is that we've sort of ported the 
Sendmail config to the Postfix config and in Sendmail you can use the 
access file to allow relaying w/o tripping SMTP-Auth. In Postfix it's a 
different story.


The complication is that the GUI field "Relay Email From 
Hosts/Domains/IP Addresses" accepts both IPs and domain names, but the 
"mynetworks" line in Postfix just accepts IPs. So I'll have to throw in 
some extra cogs and wheels to make sure that only IPs end up in the 
"mynetworks" line. But this is doable.


I'll play around with it tomorrow and will see if I can work this out 
and then we'll have a YUM update ready to fix this in the next few days.


--
With best regards

Michael Stauber
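The "extra cogs and wheels" described above, filtering the mixed host/domain/IP list down to what Postfix's "mynetworks" accepts, as an added example in Python. This is not BlueOnyx's own handler code (which is not shown in this thread); the sample entries are constructed. Hostnames are returned separately so they can still go into /etc/postfix/access, and anything that is neither a valid network nor a valid hostname is rejected instead of being written into main.cf.

```python
import ipaddress
import re

# Constructed sample of what the GUI field "Relay Email From
# Hosts/Domains/IP Addresses" might contain: hostnames, single IPs, CIDR
# ranges and a couple of malformed entries (assumed input, not from a real box).
SAMPLE_RELAY_ENTRIES = [
    "test.smd.net",      # hostname: belongs in /etc/postfix/access, never in mynetworks
    "192.168.0.0/16",
    "10.1.2.3",
    "2001:db8::/32",
    "fe80::1",
    "999.1.1.1",         # not a valid address and not a valid hostname: rejected
    "example.com/24",    # neither a hostname nor a network: rejected
]

# Loopback always belongs in mynetworks, whatever the GUI field says.
LOOPBACK_NETWORKS = ["127.0.0.0/8", "::1/128"]

# Hostname syntax check (RFC 1123 labels, alphabetic TLD); deliberately strict.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def to_mynetworks_entry(entry):
    """Return the Postfix mynetworks form of an IP or CIDR entry, or None.

    Hostnames and garbage return None: mynetworks only accepts addresses and
    networks. IPv6 is written in Postfix's bracketed form, e.g. [::1]/128.
    """
    entry = entry.strip().replace("[", "").replace("]", "")
    if not entry:
        return None
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None
    if net.version == 6:
        return "[%s]/%d" % (net.network_address, net.prefixlen)
    if net.prefixlen == 32:
        return str(net.network_address)  # a single host: no /32 needed
    return "%s/%d" % (net.network_address, net.prefixlen)


def split_relay_entries(entries):
    """Sort GUI entries into (mynetworks entries, access-file hostnames, rejected)."""
    networks, hostnames, rejected = [], [], []
    for raw in entries:
        net = to_mynetworks_entry(raw)
        if net is not None:
            networks.append(net)
        elif HOSTNAME_RE.match(raw.strip()):
            hostnames.append(raw.strip())
        else:
            rejected.append(raw)
    return networks, hostnames, rejected


def build_mynetworks(entries):
    """Render the main.cf line: loopback first, then the GUI's IP entries, no duplicates."""
    seen = []
    for raw in LOOPBACK_NETWORKS + list(entries):
        net = to_mynetworks_entry(raw)
        if net is not None and net not in seen:
            seen.append(net)
    return "mynetworks = " + " ".join(seen)


if __name__ == "__main__":
    nets, hosts, bad = split_relay_entries(SAMPLE_RELAY_ENTRIES)
    print(build_mynetworks(SAMPLE_RELAY_ENTRIES))
    print("access file (RELAY):", hosts)
    print("rejected:", bad)
```

Everything that ends up in "mynetworks" relays without authenticating, so the list should stay as tight as the GUI field allows; the split keeps a stray hostname or typo from silently widening it.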


[BlueOnyx:26491] Re: Postfix stopping and starting - and trying to run Sendmail

2023-09-20 Thread Michael Stauber via Blueonyx

Hi Neil,

Having seen the other thread about mail problems, I've done the yum 
re-update that you recommended.


However, I'm seeing

  server1 postfix/master[103392]: terminating on signal 15

every 2 minutes then a little while later:

server1 postfix/postfix-script[103598]: starting the Postfix mail system

Sep 20 20:34:04 server1 systemd[1]: sendmail.service: start
operation timed out. Terminating.

Sep 20 20:34:19 server1 systemd[1]: Starting Sendmail Mail Transport
Agent...


Your server seems to be unsure if it has Sendmail or Postfix enabled. 
Only one of them should be running. Please go to "Server Management" / 
"Network Services" / "Email" in your BlueOnyx GUI and see what you have 
configured as "SMTP Server". Change it to the MTA you want to use and 
hit save.


That should then stop and disable the MTA that ought to be off and will 
enable and start the MTA that should be running. I recommend using Postfix.


(PS Sorry if this arrives multiple times: I'm seeing a "Soft Bounce" 550 
5.7.1 Rejected: 185.41.28.109 listed at rbl.solarspeed.info from my mail 
server waterend.net!)


rbl.solarspeed.info is my own RBL server into which I feed IPs and IP 
address ranges that sent me SPAM, or which have other observed bad 
behaviour such as brute force attacks. Most of my servers are using it - 
including this list-server. I just checked and for one reason or other I 
had the whole 185.41.28.0/22 (AS200484) address range blocked.


I just removed that block, although it might take a moment until it has 
propagated to all my DNS servers.


If you need any further help with your MTA issue, please file a "Support 
Request" via the BlueOnyx GUI and tick the checkbox "Allow access", so 
that I can take a look.


--
With best regards

Michael Stauber


[BlueOnyx:26489] Re: No clamd server appears to be available

2023-09-19 Thread Michael Stauber via Blueonyx

Hi David,


Is there a fix for the No clamd server appears to be available?


Yes, AV-SPAM v7.2.7-1, which was released 60 minutes ago. I also 
installed it already on your two servers as per the open tickets.


The issue is/was that Clam AV daemon binds itself to localhost. That 
usually means 127.0.0.1, but also ::1 in case you have IPv6. However: 
Since version 1.0.0 the official Clam AV RPM ships without Milter binary 
and when you build it manually (like I do for the AV-SPAM) you end up 
with non-working IPv6 support for it for some strange reason.


If the server has IPv6, Clam AV Milter will prefer to use IPv6 to "talk" 
to the Clam AV Daemon. Who sadly can't or won't respond to IPv6. That 
then caused the "No clamd server appears to be available".


AV-SPAM v7.2.7-1 fixes this by hard-wiring the bindings of Clam AV to 
127.0.0.1.


While that ought to work, I'm still running into an issue on your 
servers and am looking at that now.


--
With best regards

Michael Stauber


[BlueOnyx:26487] Re: POP sent to IMAP sent

2023-09-18 Thread Michael Stauber via Blueonyx

Hi Meaulnes,

I guess all of you guys use IMAP on all of your computers, so you don't 
have this problem... I was looking for a solution for fetching my Sent 
folder contents automatically from my office desktop computer to the 
remote Sent folder on the server.


Like Taco and Chris have already mentioned: This day and age IMAP is 
really the best choice if you want to use the same account on multiple 
devices AND have all emails (sent and received) accessible everywhere.


I was in the same boat many years ago and was still using POP3 on an 
important account. Eventually it really became too much of a hassle 
when using multiple devices for checking emails.


Here is what I did: In Thunderbird I disabled the account that was still 
using POP3 and excluded it from being checked. I also renamed it to 
"usern...@server.com (POP3)" to make it really obvious: That's the old one.


Then I recreated the account in Thunderbird (using the same server, 
username and password), but configured it to use IMAP instead.


That way I now had two configurations in the email client for the very 
same account: An active one using IMAP, and a disabled one that used to 
use POP3 before it got disabled and was now excluded from regular email 
checks.


Now there were a few recent messages (and replies of mine) that I wanted 
to be present on the server and accessible via IMAP. So in Thunderbird I 
selected those messages and copied them from the disabled POP3 account 
to the now active IMAP account. Which then uploaded the messages via 
IMAP to the server. Then I set up a sensible folder structure and sorted 
the messages into the right folders.


If there were still a message older than that which I needed? I still 
had the old POP3 account data in Thunderbird and could fetch 'em from there.


So it's really not too much hassle to switch from POP3 to IMAP in the 
email-client. To the contrary: That little discomfort during the switch 
is repaid tenfold from there on.


Also, when you do this: Email clients usually also allow you to 
configure how long they keep messages on the server before deleting them 
there, or what to do with messages after that expiry date. Especially 
with IMAP (which usually leaves emails on the server) you should set up 
some sensible expunging or archiving.


Depending on the account's typical usage I leave emails on the server for 
a few days or so and then archive them into either an IMAP folder on the 
server, or a local folder on my PC.


--
With best regards

Michael Stauber


[BlueOnyx:26486] Re: Strange SSL error

2023-09-18 Thread Michael Stauber via Blueonyx

Hi Colin,


Unfortunately that hasn't fixed it.
I set up a test and still get a problem.

The vsite in question has the main host FQDN with 3 aliases:

So vsite is for example mail.domain.com
Also aliases smtp.domain.com, pop.domain.com

If the email client settings use incoming server as mail.domain.com all works 
fine.
If the email client uses either of the aliases it fails - returning the BX host 
cert. :-/


Indeed. I just replicated that setup on a test box and did some testing. 
The revised code from last weekend indeed wasn't catching all "DNS:" 
entries from the parsed SSL cert. If that line had three entries, it 
caught the first and last entry and ignored the middle one.


I just published new base-email-* RPMs for BlueOnyx 5210R and 5211R 
which fix this issue.


Please do another "yum clean all" and "yum update" to get these updates. 
That will then also automatically restart CCEd, which will then fix the 
SNI cert configs for both Dovecot and Postfix.


Sorry about that.

--
With best regards

Michael Stauber



[BlueOnyx:26482] Re: Strange SSL error

2023-09-18 Thread Michael Stauber via Blueonyx

Hi Colin,

We have a strange SSL error with email that has just raised its head. 
Been fine for years but may have been an update?


We have a 5210R running postfix.

A Vsite on the server has a couple of web aliases (historical combining 
of servers).


The LE cert has all aliases and if using a web browser to access 
roundcube then it all works fine. Site is secure.


Many of our customers are still using one of the aliases in their email 
client server address and have done for years.


This weekend we started getting complaints of SSL errors when using 
email clients – the email client apparently returning the cert for the 
host server rather than the vsite when using one of the aliases.



This might be related to a YUM update that was published on Friday. 
While working on a client server I noticed that he had non-working SNI 
for several Vsites. The Vsites where it didn't work all had a single 
FQDN which they responded to. And the Handler/Constructor that parses the 
SSL certs to generate the SNI config files for Postfix and Dovecot so 
far only parses the "DNS:" line in the certificates, but not the 
"Subject:" line. So single FQDN certs resulted in a somewhat borked 
email SNI configuration. The update from Friday fixes that.


To address your issue do the following:

Run "yum clean all" and "yum update" to make sure you have all updates 
installed. Then restart CCEd for good measure:


/usr/sausalito/sbin/cced.init restart

If that doesn't fix it, try to renew the SSL certificate for the Vsite 
in question.


--
With best regards

Michael Stauber
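A parser for the certificate hostnames that both "Strange SSL error" messages are about (every "DNS:" entry of the Subject Alternative Name line, however many there are, plus the "Subject:" CN that the Friday update added), as an added example in Python. It is not the BlueOnyx Handler/Constructor code, which is not shown on this list. The two `openssl x509 -text` excerpts are constructed, and the Dovecot and Postfix renderers take certificate paths of your own as parameters.

```python
import re

# Constructed `openssl x509 -in cert.pem -noout -text` excerpt for a Vsite cert
# with one Subject CN and three SAN entries (hostnames from the thread, serial
# number is a placeholder).
SAMPLE_MULTI_SAN = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Sep 16 00:00:00 2023 GMT
            Not After : Dec 15 00:00:00 2023 GMT
        Subject: CN = mail.domain.com
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:mail.domain.com, DNS:smtp.domain.com, DNS:pop.domain.com
            X509v3 Basic Constraints: critical
                CA:FALSE
"""

# Constructed excerpt of a single-FQDN cert that carries no SAN extension at
# all, so the only hostname lives in the Subject line.
SAMPLE_SUBJECT_ONLY = """\
Certificate:
    Data:
        Issuer: CN = Some Internal CA
        Subject: C = DE, O = Example, CN = mail.example.net
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
"""

SAN_DNS_RE = re.compile(r"DNS:([A-Za-z0-9*][A-Za-z0-9.*-]*)")
SUBJECT_CN_RE = re.compile(r"(?:^|,)\s*CN\s*=\s*([A-Za-z0-9*][A-Za-z0-9.*-]*)")


def cert_hostnames(x509_text):
    """All hostnames a cert is valid for: Subject CN first, then every SAN DNS entry.

    findall() collects every DNS: entry on the SAN line(s), not just the first
    and last, and the Subject CN is kept so single-FQDN certs without a SAN
    still yield their hostname. Duplicates are dropped, order is preserved.
    """
    names = []

    def add(name):
        name = name.lower()
        if name not in names:
            names.append(name)

    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("Subject:"):
            m = SUBJECT_CN_RE.search(stripped[len("Subject:"):])
            if m:
                add(m.group(1))
        elif stripped.startswith("X509v3 Subject Alternative Name"):
            # values follow on the next line(s) until a line without DNS: entries
            for san_line in lines[i + 1:]:
                if "DNS:" not in san_line:
                    break
                for name in SAN_DNS_RE.findall(san_line):
                    add(name)
    return names


def dovecot_sni_config(names, cert_path, key_path):
    """Render Dovecot local_name blocks, one per hostname (paths are assumptions)."""
    blocks = []
    for name in names:
        blocks.append(
            "local_name %s {\n  ssl_cert = <%s\n  ssl_key = <%s\n}" % (name, cert_path, key_path)
        )
    return "\n".join(blocks) + "\n"


def postfix_sni_map(names, combined_pem_path):
    """Render tls_server_sni_maps lines: hostname, then a PEM holding key and chain."""
    return "".join("%s %s\n" % (name, combined_pem_path) for name in names)


if __name__ == "__main__":
    names = cert_hostnames(SAMPLE_MULTI_SAN)
    print(dovecot_sni_config(names, "/path/to/cert.pem", "/path/to/key.pem"))
    print(postfix_sni_map(names, "/path/to/combined.pem"))
```

A quick way to check a live box against this logic is to compare `openssl x509 -in <cert> -noout -text` output with the generated Dovecot and Postfix SNI entries: every alias a client might type as its server name should appear once, or that client gets the host certificate instead.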


[BlueOnyx:26478] Re: WSGI

2023-09-16 Thread Michael Stauber via Blueonyx

Hi Herb,


Can we use WSGI with BlueOnyx sites?


Not sure, but I think so. Depending on your BlueOnyx version the names 
of the RPMs differ a bit, but you can run ...


yum search wsgi

... to see what's available for the various BlueOnyx versions in the 
official repositories.



Is this a matter of hand updating the site include file?


I believe so. You'd put a sufficiently adapted version of ...

WSGIDaemonProcess yourapplication user=user1 group=group1 threads=5
WSGIScriptAlias / /var/www/yourapplication/yourapplication.wsgi

<Directory /var/www/yourapplication>
    WSGIProcessGroup yourapplication
    WSGIApplicationGroup %{GLOBAL}
    Order deny,allow
    Allow from all
</Directory>


... in your /etc/httpd/conf/vhosts/site*.include file and that might do 
the trick. This may need some fiddling. Note the "Order deny,allow" and 
"Allow from all" lines, which would work on an Apache 2.2, but 5209R, 
5210R and 5211R use Apache 2.4, so that should be "Require all granted" 
instead.


--
With best regards

Michael Stauber


[BlueOnyx:26476] 5209R/5210R/5211R: AV-SPAM v7.2.6 released

2023-09-14 Thread Michael Stauber via Blueonyx

Hi all,

An updated version of the AV-SPAM has been released for 5209R, 5210R and 
5211R.


This version comes with an updated Clam AV v1.2.0 and addresses the 
sporadic "No ClamAV servers are available" message that some of you have 
seen.


It also contains various GUI related fixes and improvements.

On 5209R/5210R the GUI was redone using the new GUI functions backported 
from 5211R. Such as better Error message handling, Error message 
caching, proper DatePicker UI element for the traffic statistics page 
and more.


On 5209R this also fixes a problem with Milter-GeoIP related to SQL 
storage and on 5211R it fixes an issue where the traffic statistics page 
might show an error if it is accessed before "swatch" had a chance to run.


Due to the amount of aggregated fixes it is highly recommended to 
upgrade to v7.2.6 on all BlueOnyx versions that already have an older 
AV-SPAM installed.


--
With best regards

Michael Stauber


[BlueOnyx:26475] Re: POP sent to IMAP sent

2023-09-14 Thread Michael Stauber via Blueonyx

Hi Meaulnes,

You probably also were confronted with this situation: you left your 
office (where you use a desktop computer with a POP account) in a rush 
with your laptop under the arm. On the road, you miss the latest e-mails 
you sent, because they aren't in the IMAP Sent folder of that same 
account, they are in the POP Sent folder in your office.


By sending an e-mail from the office computer using a POP account, the 
mail client files a copy into the Sent folder. Is there a way to have 
the same copy in the IMAP's Sent folder on the server, too? It would 
then be visible on the laptop...


Any ideas?


Actually this is entirely a client side issue.

Emails are sent with SMTP or SMTPS. Not POP3 or IMAP. When an email is 
being sent, no copy is stored anywhere. It comes in by SMTP(S) and goes 
out by SMTP(S). Done.


However: You can configure your email client(s) to keep a copy of the 
email. Either locally, or in a folder on the server. WHICH folder it 
uses to store the email can usually be configured somewhere. But there 
are also varying defaults such as "sent", "sent-email", "sent-mail" - 
even with varying capitalization. That entirely depends on the email client.


When you then access this mailbox with another client, that client may 
have different settings as to IF it stores sent emails and WHERE it does 
that.


This is easy to solve. Check your email client settings and make sure 
they all store sent emails in the same place. Also: Check which IMAP 
folders your email client is subscribed to. It could be that all you 
need is to include the "other" sent-email folder in your subscriptions 
to make it visible in the other email client.


--
With best regards

Michael Stauber


[BlueOnyx:26472] Re: minor Roundcube issue

2023-09-12 Thread Michael Stauber via Blueonyx

Hi Darren,


  I couldn't find anything in /etc/httpd/conf.d/ which indicated any kind
of rewrite, and I also checked out the web directories of the virtual sites.
They do all have the webmail directory, but I'm not seeing anything which
could be forcing a redirect.


Ok, so when you point your browser to the domain of a Vsite and add 
/webmail to it, then I suppose it loads the RoundCube install of that 
Vsite, right?



  The only difference I am observing between my sites which do rewrite
the URL for the webmail and those which do not is this: the vsites which do
rewrite the URL don't have a real website on this Blue Onyx. One of these
sites only has the under construction website, but I guess that counts. All
the ones which suffer the URL rewrite have their web hosting done on some
other server outside of our network.


Let's break this down:

- Site is not hosted on the BlueOnyx
- DNS points to the external server where that site is located
- http:///webmail brings up /webmail on the primary Vsite
  of the BlueOnyx?

I fail to see how *anything* on the BlueOnyx itself could facilitate 
that. If the DNS A record points to the external server and a web 
request to http:///webmail is redirected to the BlueOnyx?


In that case the redirection happens on the external server. Possibly in 
a .htaccess in the webspace of that site, possibly in the Apache or 
Nginx configuration of the external server.


So the next step would be to check these 2-3 things on one of the 
external servers to see if you find anything.


--
With best regards

Michael Stauber


[BlueOnyx:26470] Re: minor Roundcube problem

2023-09-12 Thread Michael Stauber via Blueonyx

Hi Darren,


This BlueOnyx box hosts our main website, as well as all our hosted websites
and email clients. We spun up a separate web server for our main website,
but when I updated the BlueOnyx's DNS for the new primary destination, we
discovered a problem:

When any of our hosting clients try to access the system for webmail, the
server redirects them to our primary webpage, which was fine when it was
serving the relevant webpage, but now that the DNS for the primary page
points to the new standalone web server, this basically breaks webmail for
all our hosted clients - when they go to www.mywebsite.com/webmail (just an
example), Blue Onyx sends them to our new page, which doesn't have the
webmail installed.


The RoundCube package from the shop installs RoundCube under /roundcube 
into each Vsite on the server. So out of the box there is no redirect 
that causes the behavior you're describing.


However, it could be that your Apache configuration has a custom rewrite 
rule that redirects any /webmail calls somewhere else - for all sites.


Check the directory /etc/httpd/conf.d/ and take a look at the config 
files in there to see if there is a rule with /webmail in it. If so, you 
might want to remove it.


--
With best regards

Michael Stauber


[BlueOnyx:26465] Re: Nginx config.

2023-09-11 Thread Michael Stauber via Blueonyx

Hi Colin,


I am using Nginx and Cloudflare for one of my own sites.

I am not happy with the load  speed and want to check my settings.

This is the Cloudflare instructions but I cannot see where to add them. 5209R

Super Page Cache for Cloudflare - Nginx Settings
Browser caching rules
Open the configuration file of your domain and add the following rules:
location ~* \.(xml|xsl)$ { add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0"; expires -1; }
location /robots.txt { add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0"; expires -1; }
location /wp-cron.php { add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0"; expires -1; }
location = /wp-content/wp-cloudflare-super-page-cache/www.whitehands.uk/debug.log { access_log off; deny all; }

Save and restart Nginx.


All the nginx conf files I can find say don't edit them.
Are there separate config files per site?


If this is on a BlueOnyx, then I'd stick those options into a new config 
file located in the directory /etc/nginx/default.d


Just make sure its name ends with *.conf

Then restart Nginx and see if it works for you.

--
With best regards

Michael Stauber


[BlueOnyx:26459] Re: Easy-Backup problem

2023-09-09 Thread Michael Stauber via Blueonyx

Hi Michael,

Easy-Backup did not run on 3 of 4 servers last night and I am not sure 
where to start looking for the problem.


I got no emails and I do not see anything hung in Running Processes this 
morning.


Any idea where I should start looking?


Let's do this step by step:

1.) Check if it possibly is still running:

ps axf|grep easy

2.) Check if the cronjob had tried to start it:

cat /var/log/cron|grep easy

3.) Logfile: If it did run, but aborted? The email
logfile might still be around and might shed some
light:

cat /home/.easy-backup/easy-backup.log

4.) Run it manually and see if it gets stuck or aborts and check
what messages it gives then:

/usr/sausalito/sbin/easy-backup --backup --admins

--
With best regards

Michael Stauber


[BlueOnyx:26451] Re: Remove all vsites

2023-09-07 Thread Michael Stauber via Blueonyx

Hi Colin,

I have an aborted easy migrate and want to delete all vsites and 
databases on the target server.


Is there an easy way to do this?


/usr/sausalito/sbin/vsite_destroy.pl site1

That will delete the Vsite with the group-id "site1" and all data 
related to it.


However: With Easy-Migrate and Easy-Backup you don't need to delete 
Vsites if you want to continue an aborted migration or restore. It will 
see that the site is already present and will do its best to synchronize 
it with the settings and data that you want to import.


So you can simply continue an aborted migration or restore.

--
With best regards

Michael Stauber


[BlueOnyx:26448] Re: fail2ban error

2023-09-06 Thread Michael Stauber via Blueonyx

Hi Ken,


I am seeing this error in the /var/log/monitorix

Can't exec "fail2ban-client": No such file or directory at 
/usr/lib/monitorix/fail2ban.pm  line 153


I just checked. In /usr/lib/monitorix/fail2ban.pm in line 153 it calls 
the binary "fail2ban-client", which should be present if you have 
fail2ban installed.


It usually resides under /usr/bin/fail2ban-client in that case.

--
With best regards

Michael Stauber


[BlueOnyx:26446] Re: Easybackup

2023-09-06 Thread Michael Stauber via Blueonyx

Hi Tim,

Ran an incremental backup last night and it showed up as a full back up. 
Duplicity failed because I ran out of disk space because the previous 
backup wasn't replaced. I have it set to keep one day of backups. Any ideas?


When you set it to one day of backups, then I guess every backup will be 
a full backup. After all: That means how many days of backups a set 
should contain.


If you're that short on space on the storage, it might be best to switch 
it from "Incremental" to "Full" backup anyway. Duplicity needs some 
wiggle-room for merging incrementals, so you shouldn't give it too 
little space to play with.


--
With best regards

Michael Stauber


[BlueOnyx:26444] Re: easy-backup ftp problem and question

2023-09-05 Thread Michael Stauber via Blueonyx

Hi Michael,

One other item that might be nice is an option to only send an email if 
an error occurs. I liked that on raqbackup.


That's an interesting idea. I like it. I'll add it to the list. We 
already calculate if an error occurs and if so, change the subject and 
show the errors on top of the body. So it's really easy to implement.


--
With best regards

Michael Stauber


[BlueOnyx:26443] Re: easy-backup ftp problem and question

2023-09-05 Thread Michael Stauber via Blueonyx

Hi Janwillem,

Error parsing time at 
/home/solarspeed/easy-backup/tmp/par-726f6f74/cache-f1214cafafa8c3fccb2fe571fe0f283e2a94c809/inc/lib/Time/Piece.pm line 481,  line 1703.


Can it be that this causes the mail issue and/or not deletion of the log 
file?
I think you still have alter-admin access to one of the servers, so feel 
free to check if you have time or I happily open a new ticket.



Thank you. I was able to debug the issue on your server.

The problem was the way I calculated how much time the backup or 
restore had taken. For that I fetched the start/end time via "date 
--rfc-3339=seconds" and used the Perl module Time::Piece to figure out 
the difference in minutes and seconds.


The issue? "date --rfc-3339=seconds" gives us the timezone as well and 
during the processing I used a filter that didn't like the timezone your 
server was using. There is nothing wrong with the timezone settings of 
your server, it's just that my code didn't account for how it was presented.


As the code then threw an error on that "elapsed time calculation" you 
never got the email, as the emailing happened afterwards in the code.


I changed that code to use Unix timestamps instead and that now works 
fine. You should already have gotten an email from your server about a 
backup that I just ran manually.


I'm now publishing Easy-Backup v1.1.0 to NewLinQ, which fixes this 
issue, a minor display error and the duplicity messages on the screen 
and in the email are now in English. Even if the shell is set to a 
different language.


--
With best regards

Michael Stauber

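The elapsed-time calculation from the message above, as an added Python example (Easy-Backup itself is Perl and used Time::Piece; this is not its code). It keeps the UTC offset that `date --rfc-3339=seconds` prints, computes the difference from Unix timestamps the way the fix does, and, with constructed stamps that straddle a DST change, shows what any parser that throws the offset away gets wrong. The offset-dropping function illustrates that general failure mode, not the exact filter in the original code.

```python
import re
from datetime import datetime

# Constructed start/end stamps in the format `date --rfc-3339=seconds` prints,
# e.g. "2023-11-05 01:30:00-04:00". The pair straddles a DST change, so the
# UTC offset differs between start and end.
SAMPLE_START = "2023-11-05 01:30:00-04:00"
SAMPLE_END = "2023-11-05 01:45:00-05:00"

# Trailing "+HH:MM", "-HHMM" or "Z" of an RFC 3339 stamp.
OFFSET_RE = re.compile(r"[+-]\d{2}:?\d{2}$|Z$")


def parse_rfc3339(stamp):
    """Parse an RFC 3339 stamp with its UTC offset intact (aware datetime)."""
    # datetime.fromisoformat accepts the space separator and the +HH:MM/-HH:MM
    # offsets that `date --rfc-3339=seconds` produces (Python 3.7+).
    return datetime.fromisoformat(stamp.strip())


def to_epoch(stamp):
    """Unix timestamp of an RFC 3339 stamp: the representation the fix moved to."""
    return int(parse_rfc3339(stamp).timestamp())


def elapsed_seconds_aware(start, end):
    """Elapsed seconds computed from offset-aware datetimes."""
    return int((parse_rfc3339(end) - parse_rfc3339(start)).total_seconds())


def elapsed_seconds_epoch(start_epoch, end_epoch):
    """Elapsed seconds from two Unix timestamps: no timezone to parse at all."""
    return end_epoch - start_epoch


def elapsed_seconds_offset_dropped(start, end):
    """What a filter that discards the offset gets: the wall-clock difference only.

    Constructed to show the failure mode; it is not the exact defect that was
    in Easy-Backup.
    """
    naive_start = datetime.fromisoformat(OFFSET_RE.sub("", start.strip()))
    naive_end = datetime.fromisoformat(OFFSET_RE.sub("", end.strip()))
    return int((naive_end - naive_start).total_seconds())


def format_elapsed(seconds):
    """Render seconds as the 'minutes and seconds' string a backup report prints."""
    minutes, secs = divmod(seconds, 60)
    return "%d minutes and %d seconds" % (minutes, secs)


if __name__ == "__main__":
    print("aware:  ", format_elapsed(elapsed_seconds_aware(SAMPLE_START, SAMPLE_END)))
    print("epoch:  ", format_elapsed(elapsed_seconds_epoch(to_epoch(SAMPLE_START), to_epoch(SAMPLE_END))))
    print("dropped:", format_elapsed(elapsed_seconds_offset_dropped(SAMPLE_START, SAMPLE_END)))
```

Recording `date +%s` at start and end sidesteps the whole class of problems: there is no timezone, no separator and no locale in a Unix timestamp, which is why it is the robust choice for anything that runs on servers whose clock settings you do not control.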


[BlueOnyx:26440] Re: easy-backup ftp problem and question

2023-09-04 Thread Michael Stauber via Blueonyx

Hi Michael,


it appears that it is not compatible with a # in my ftp password


This is now fixed in Easy-Backup v1.0.10-1, which I've just published on 
NewLinQ.


While that was a relatively simple fix, the feature request for optional 
extra directories to be backed up? That requires some more work, but 
I'll see that it gets done. Will take a few days, though.


I need to add a new switch to the CLI command (like --extradirs) that 
triggers automatically during backups and restores (if all Vsites are 
exported and not just a few). But it can also be set manually to restore 
just the extra-dirs. If set during a restore, it will restore the 
optional extra dirs you've included in the backup.


As for backing those extra-dirs up? They will be packed up in a separate 
Tarball that gets checksummed and stored alongside the rest of the tarballs.


Then the CODB Schema file and CODB config file need to be updated. One 
GUI page (the one under "Server Management" / "Maintenance" / 
"Easy-Backup") needs to be extended with a TextArea for entering the 
directories one by one. An extra handler needs to be created that checks 
if these directories actually exist when you save in the GUI. And then 
we need updated localization strings for nine languages for the new GUI 
text and the new error messages that deal with extra-directory 
functionality.


It's a good day's work and I'll see if I can squeeze it in this week.

--
With best regards

Michael Stauber


[BlueOnyx:26439] Re: easy-backup ftp problem and question

2023-09-04 Thread Michael Stauber via Blueonyx

Hi Tim,

I had a successful run last night. Got my email. It takes a long time to 
run so perhaps it hasn't finished yet. 


Yeah, that might be possible.

Since we are tossing out new features.. I would love to be able to 
exclude some vsites from the entire backup process. Some of my clients 
are important and need backing up and some clients aren't worth the 
effort or space.


I'll think about it. Thanks for bringing that up!

--
With best regards

Michael Stauber


[BlueOnyx:26438] Re: easy-backup ftp problem and question

2023-09-04 Thread Michael Stauber via Blueonyx

Hi Janwillem,

So far Easy-Backup works very well (haven't tried a restore yet) but the 
only issue I see is that the email notifications are not working on any 
server.

there is not even an attempt to email visible in /var/log/maillog
Am I missing something?


No idea. So far the email notification in Easy-Backup has been rock 
solid for me, aside from some UTF-8 and Mime-Encoding related issues 
during development. Easy-Backup uses the same mechanism for sending 
emails as "Active Monitor" does (the MIME::Lite Perl-module), so this is 
fairly straightforward.


If "Email Alerts" is set, an Email Address (or username) has been 
specified and the logfile /home/.easy-backup/easy-backup.log is present? 
Then the email will be sent. That logfile is deleted when Easy-Backup 
exits, so it will only be present while Easy-Backup does an export or 
import.


Ah and another feature request: would it be possible to add subdirs to 
the remote directory (now it only allows myremotedir and I would 
really love to have myremotedir/server01 etc


I don't think I will add this anytime soon. Duplicity will not create 
the toplevel directory for these subdirectories (at least not on 5209R) 
and me having to check if it exists and then create it via the plethora 
of supported protocols is way too much hassle.


You can still backup various servers to the same account. Just use the 
server-name of the server you're backing up as target directory. And 
voila: Each server then backs up into its own directory.


--
With best regards

Michael Stauber



[BlueOnyx:26435] Re: easy-backup ftp problem and question

2023-09-03 Thread Michael Stauber via Blueonyx

Hi Michael,

I did "/usr/sausalito/sbin/easy-backup --check" and it appears that it 
is not compatible with a # in my ftp password. Is that correct? If so 
can it be fixed or must I get the ftp password changed?


Hmmm. I don't know - yet. I'll test it out and will check what the 
problem might be. Many thanks for pointing it out.


I also have a question about extra folders. raqbackup allowed extra 
folders to be backed-up. I liked that for a few reasons. Is that 
something that might be added in future versions?


Yeah, that will be added in one of the next versions. I didn't want to 
over-complicate things in the initial release as it was already stacked 
with quite a lot of intricacies.


--
With best regards

Michael Stauber


[BlueOnyx:26428] Re: easy backup port 21

2023-09-01 Thread Michael Stauber via Blueonyx

Hi Tim,

Might help if my ftp port was set to port 21.  Took me three saves of 
the GUI for port 21 to stick


That's fixed in v1.0.8 as well. :o)

--
With best regards

Michael Stauber


[BlueOnyx:26427] Re: easy-backup questions

2023-09-01 Thread Michael Stauber via Blueonyx

Hi Tim,


[root@cabin10 admin]# /usr/sausalito/sbin/easy-backup --check

and got

>

/bin/sh: lftp: command not found
LFTP not found:  Please install LFTP.



Yeah, that's what I said above. Install the updated PKG from NewLinQ, 
which fixes this.


--
With best regards

Michael Stauber


[BlueOnyx:26425] Re: easy-backup questions

2023-09-01 Thread Michael Stauber via Blueonyx

Hi Tim,

On 01.09.23 at 10:46 oldcabin webmaster via Blueonyx wrote:

Installed easy-backup yesterday and all went well.

I ran it last night and it seemed to do it's thing (created backup files 
but the export to a remote server part seemed to not work.


It appears that the release version of Easy-Backup had some troubles 
with FTP.


For starters the package didn't install the required "lftp" RPM, which 
"duplicity" then uses for the FTP transfer.


And under certain constellations the FTP port didn't get saved correctly 
in the config file after changes in the GUI.


A fixed Easy-Backup v1.0.8-3 has been released, which addresses these 
issues. Please be sure to have that installed and, for good measure, also 
check the storage settings in the GUI and save them again.


To test the connection you can run easy-backup with the --check switch 
like this:


[root@sol ~]# /usr/sausalito/sbin/easy-backup --check
┌─┐
│   Easy-Backup v1.0.8│
│   Easily Backup and Restore BlueOnyx Servers│
│ │
│ Copyright (c) 2008-2023 Michael Stauber, SOLARSPEED.NET │
│   Proprietary Software - All Rights Reserved│
└─┘

[INFO] Using directory /home/easy-backup

[INFO] Source System (sol.smd.net) is a BlueOnyx 5209R and is supported 
by Easy-Backup.


┌──┐
[INFO] Using 'duplicity' to check backup status on server 'v.smd.net' 
via scp

└──┘
[INFO] Executing: duplicity-command to check status of the remote 
backup-set.

[INFO] Duplicity command executed successfully.
Last full backup date: none
Collection Status
-
Connecting with backend: BackendWrapper
Archive dir: 
/home/.easy-backup/duplicity-cache/f007b00c8a0cc4f68f8050e77e25a53b


Found 0 secondary backup chains.
No backup chains with active signatures found
No orphaned or incomplete backup sets found.

┌──┐
[INFO] Used 'duplicity' to check backup status on server 'v.smd.net' via scp
└──┘
Done!


--
With best regards

Michael Stauber


[BlueOnyx:26420] Re: 5209R/5210R/5211R: "Easy-Backup" has been released!

2023-08-31 Thread Michael Stauber via Blueonyx

Hi all,

We're happy to announce that the PKGs for "Easy-Backup" (BlueOnyx 5209R, 
5210R and 5211R) have just been published on NewLinQ.


Product page in the BlueOnyx shop:

https://www.solarspeed.net/easy-backup.html

Detailed manual of Easy-Backup:

https://www.blueonyx.it/easy-backup


So what is Easy-Backup?


In the shop it replaces the product "Automated Backup" and it allows you 
to cleanly export all relevant data from your BlueOnyx and store it on a 
remote server for recovery.


By default Easy-Backup does a full backup the first time around and then 
incremental backups on each subsequent run. So when you have several 
days of accumulated (yet space-savingly stored) backups available, you 
can choose if you want to restore the latest backup, or from an older 
version.


Easy-Backup consists of a CLI component as well as a GUI and the GUI 
lets you manage the general configuration as well as restores. Even 
siteAdmins and regular users can be granted the right to restore their 
data from the backups themselves.



In a nutshell:
--

Just counting the Easy-Backup CLI command: It is CMU on steroids, 
without 20+ years of accumulated crud and cruft, and built using modern 
components, standards and procedures.


The GUI then brings it to levels we've never had available before.

The usage of "duplicity" to store remote backups incrementally? A dream 
come true: Incremental backups, restorable via the GUI (and 
command-line, of course), even by siteAdmins and Users.



Compatibility of backups between BlueOnyx versions?
===

Easy-Backup supports BlueOnyx 5209R, 5210R and 5211R. Any Easy-Backup 
export generated on one of these supported platforms can be imported on 
the same platform AND any other supported BlueOnyx platform.



Can this be used for migrations between BlueOnyx versions?
==

*Yes!* You can easily backup from an older BlueOnyx (5209R or 5210R) and 
import that backup set on a BlueOnyx 5211R. Easy-Backup will make all 
the necessary adjustments, no matter in which direction (old BlueOnyx to 
a newer one or back!) you "migrate". Just point the target server to the 
remote storage server and then import the latest backup.



Which Bundles is Easy-Backup part of?
==

- All Packages Bundle
- BlueOnyx Enterprise Edition
- BlueOnyx Professional Edition

And of course it is also available as a stand-alone product:

https://www.solarspeed.net/easy-backup.html

If you have any questions, please let us know. Thank you!

--
With best regards

Michael Stauber


[BlueOnyx:26418] Re: Manual install notes for 5211R AlmaLinux 9

2023-08-25 Thread Michael Stauber via Blueonyx

Hi Herb,


> Thanks for everyone's hard work on BlueOnyx!


Thank you for using BlueOnyx! :o)

> I just installed 5211R AlmaLinux using the manual mode and ran into an
> issue.
>
> I had the /home directory mounted as ext4 in my /etc/fstab file. All normal.
>
> The installation tried to add "gquota" and "uquota" to the fstab file
> but that didn't work since it's "grpquota" and "usrquota".


Oh yeah. I should have mentioned that in the install docs: The 
filesystem of choice is now XFS (the default of EL8 and EL9!) and our 
entire tool-chain for disk quota builds on this. That's why it was 
trying to use "gquota" and "uquota" (the XFS variants of those tools) 
instead of "grpquota" and "usrquota", which was how these were named for 
EXT3 and EXT4.


> Of course upon reboot it didn't mount and all hell broke loose requiring
> a lot of hand fixes to complete the process.


Yeah, I can imagine. Sorry about that!


> So I think I found a bug??


An oversight. The documentation should have made it clear that it ought 
to be XFS now. I'll fix it and I thank you for pointing it out!


> When I was finished with the install issues I noticed firewalld was not
> started.


Correct. We configure it (to open the ports relevant to BlueOnyx), but 
don't start it automatically. But just start it and enable it and you 
should be good.



> I need to limit ssh access.
> I was an old hosts.deny fan. Back in when CentOS 7 was current.


Yeah, sadly the RedHat overlords decided to do away with TCPWrapper 
support and with that hosts.allow and hosts.deny got dropped from the OS 
and there is no sensible way to get them back.



> Can these commands be used without a problem with BlueOnyx?
>
> firewall-cmd --get-default-zone
>
> firewall-cmd --permanent --remove-service=ssh
>
> firewall-cmd --permanent --new-zone=sshzone
>
> firewall-cmd --permanent --zone=sshzone --add-source=111.264.132.201/32
>
> firewall-cmd --permanent --zone=sshzone --add-source=63.61.153.48/29
>
> firewall-cmd --permanent --zone=sshzone --add-source=211.228.142.32/28
>
> firewall-cmd --permanent --zone=sshzone --add-service=ssh
>
> firewall-cmd --reload
>
> firewall-cmd --list-all-zones
>
> I was going to make a script to manage the ip list (add, remove, list,
> init zone)


In principle you can use all the commands that Firewalld offers you and 
there is nothing in a stock BlueOnyx that messes with this. Aside from 
once opening the BlueOnyx ports we don't touch Firewalld past the 
initial setup.


Or you can get "APF" from the BlueOnyx shop:

https://shop.blueonyx.it/apf.html

On 5210R and 5211R this grants you access to two PKGs:

- APF (Advanced Package Firewall)
- Firewalld

Ignore APF and install the "Firewalld" Package. It gives you a nice GUI 
to manage all sensible aspects of Firewalld on your BlueOnyx directly 
from the GUI. It also integrates GeoIP zone blocks, so you can block 
whole countries from accessing your server. It uses IPsets for this, so 
even large zone blocks don't have much of an impact on the time it needs 
to restart the firewall. It's then not loading thousands of IP address 
ranges, but whole "precompiled" sets in one go. Which is pretty neat.


--
With best regards

Michael Stauber
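A way to turn the firewall-cmd sequence quoted above into the add/remove/list/init-zone script Herb mentions, added here as an example and not BlueOnyx, Solarspeed or firewalld code: the zone name is the one from the thread, the sample addresses are constructed, and every source is validated before a single command is emitted, so a mistyped address cannot leave the zone half-built.

```python
"""Plan a source-restricted SSH zone for firewalld before touching it.

Added example, not BlueOnyx, Solarspeed or firewalld code. The zone name
"sshzone" comes from the thread; all sample sources are constructed.
"""
import ipaddress
import subprocess
from typing import Callable, Iterable, List, Sequence

FIREWALL_CMD = "firewall-cmd"


def normalise_sources(sources: Iterable[str]) -> List[str]:
    """Return the sources in canonical CIDR form, rejecting anything that
    cannot be a usable SSH client range (bad octets, loopback, multicast)."""
    clean: List[str] = []
    for src in sources:
        try:
            net = ipaddress.ip_network(src, strict=False)  # host bits tolerated
        except ValueError as exc:
            raise ValueError(f"invalid source {src!r}: {exc}") from None
        if net.is_loopback or net.is_multicast:
            raise ValueError(f"unusable source {src!r}")
        clean.append(str(net))
    return clean


def plan_init_zone(zone: str, sources: Sequence[str],
                   existing_zones: Sequence[str] = ()) -> List[List[str]]:
    """Build the argv list for creating (or refreshing) the zone.

    Validation runs before the first command is emitted, so the plan is
    all-or-nothing.  --new-zone is skipped when the zone already exists
    (firewalld refuses to create it twice); re-adding a source or service
    that is already present is harmless, so those are always emitted.
    """
    nets = normalise_sources(sources)
    plan: List[List[str]] = [
        # Without --zone this acts on the default zone, which is where ssh
        # has to disappear from so that only the zone's sources reach it.
        [FIREWALL_CMD, "--permanent", "--remove-service=ssh"],
    ]
    if zone not in existing_zones:
        plan.append([FIREWALL_CMD, "--permanent", f"--new-zone={zone}"])
    for net in nets:
        plan.append([FIREWALL_CMD, "--permanent", f"--zone={zone}", f"--add-source={net}"])
    plan.append([FIREWALL_CMD, "--permanent", f"--zone={zone}", "--add-service=ssh"])
    plan.append([FIREWALL_CMD, "--reload"])
    return plan


def plan_change(zone: str, add: Sequence[str] = (),
                remove: Sequence[str] = ()) -> List[List[str]]:
    """Day-to-day maintenance: add and/or remove sources, then reload."""
    plan = [[FIREWALL_CMD, "--permanent", f"--zone={zone}", f"--add-source={n}"]
            for n in normalise_sources(add)]
    plan += [[FIREWALL_CMD, "--permanent", f"--zone={zone}", f"--remove-source={n}"]
             for n in normalise_sources(remove)]
    if plan:
        plan.append([FIREWALL_CMD, "--reload"])
    return plan


def list_sources(zone: str, runner: Callable = subprocess.run) -> List[str]:
    """Ask firewalld which sources the zone currently has (permanent config)."""
    out = runner([FIREWALL_CMD, "--permanent", f"--zone={zone}", "--list-sources"],
                 check=True, capture_output=True, text=True).stdout
    return out.split()


def apply(plan: Sequence[Sequence[str]], runner: Callable = subprocess.run) -> None:
    """Run the plan in order; the runner is injectable so a dry run is possible."""
    for argv in plan:
        runner(list(argv), check=True)


if __name__ == "__main__":
    wanted = ["192.0.2.10", "198.51.100.0/29", "203.0.113.32/28"]  # constructed
    for argv in plan_init_zone("sshzone", wanted):
        print(" ".join(argv))
    try:
        normalise_sources(["192.0.2.300/32"])  # an octet above 255 is caught here
    except ValueError as err:
        print("rejected:", err)
```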


[BlueOnyx:26416] Re: 5210R hostname change hangs on 17%

2023-08-25 Thread Michael Stauber via Blueonyx

Hi Janwillem,

> When changing the hostname/domain and/or DNS servers in the System
> Settings -> TCP/IP menu item the changes don't happen, the task progress
> bar hangs at 17% forever.
> I could set the hostname via the CLI and the new hostname is
> reflected in the GUI (under the BlueOnyx Logo) but in the System
> Settings it's still the old one.
>
> Seems CCED is not updating.



I think this is related to the other CCEd issue we just talked about in 
the ticket system. Can you please file a "Support Request" via the GUI 
with "allow access" ticked? I'd like to take a look at this.


--
With best regards

Michael Stauber


[BlueOnyx:26413] Re: cmuExport Spamming on 5211R

2023-08-21 Thread Michael Stauber via Blueonyx

Hi Steve,

> My RaqBackup has recently become spammy on our BX 5211R. We get rows and
> rows of:
>
> Scanout: INFO: Packing up HASH(0x5563cf49a720)
> Scanout: INFO: Packing up HASH(0x5563cf49a780)
> Scanout: INFO: Packing up HASH(0x5563cf49a7e0)
>
> Is it possible some sort of debugging has come on?



The thing is that CMU isn't really working that well and especially 
troublesome on newer BlueOnyx versions such as 5210R and 5211R.


To fix the above issue edit /usr/cmu/perl/Archive.pm and in line 319 you 
should find this line:


warn "INFO: Packing up $f\n";

Change it to this (or delete it) and save:

#warn "INFO: Packing up $f\n";

That'll sort it out. I also just published an updated CMU for 5211R 
which removes that line. So a "yum clean all" and "yum update" 
ought to fix it for you.


However: Please see the announcement about "Easy-Backup" that I'm also 
posting today. It's a much better solution than anything CMU-based. :o)


--
With best regards

Michael Stauber


[BlueOnyx:26411] BlueOnyx: Sauce::Service updated

2023-08-14 Thread Michael Stauber via Blueonyx

Hi all,

In BlueOnyx all service related transactions are performed through our 
Sauce::Service Perl Module. It allows us to check if a service is 
enabled, if it is running and we can also enable or disable it or change 
its run state. Like restarting or stopping it.


This all usually works quite well and Sauce::Service over the years has 
already seen some overhauls and improvements. Yet one issue remained:


Ever since we integrated PHP-FPM a restart of Apache (and Nginx) usually 
also entails restarting PHP-FPM. This creates a long list of service 
restart requests and (sadly) many of them are also quite repetitive.


This has now been solved by a redesign of the Sauce::Service Perl module 
and the respective YUM update has been published for BlueOnyx 5209R, 
5210R and 5211R.


A longer explanation of the changes can be found here:

https://www.blueonyx.it/sauceservice-sauce_serviced

The gist of it is: BlueOnyx now has a new daemon, which persistently 
runs in the background and which is called "sauce_serviced.service".


It handles GUI initiated service restarts in a slightly delayed fashion.

Say you save the PHP settings in the GUI and it may take between 30 
seconds and a minute until all related services are restarted. You don't 
have to wait that long in the GUI, though, as the restarts happen in the 
background after all SET transactions against CODB are done. So once you 
hit Save, you fairly quickly see the GUI page reload and show the 
results, while Sauce::Service::Daemon is still doing its magic.


The main benefit is that Systemd no longer is drowned in a flood of 
redundant service restarts, which enhances stability. Due to the 
background processing of these service restarts the GUI is a bit more 
dynamic as well.


--
With best regards

Michael Stauber


[BlueOnyx:26410] Re: PHP-FPM 8.1

2023-08-09 Thread Michael Stauber via Blueonyx

Hi Robert,


> Thanks Michael, will do now.


Very well. It's fixed now.

--
With best regards

Michael Stauber



[BlueOnyx:26408] Re: PHP-FPM 8.1

2023-08-09 Thread Michael Stauber via Blueonyx

Hi Robert,

> We have the PHP package from Solarspeed. The php-fpm-8.1 won't start
> claiming the port 9011 already in use but I find the site11.conf in the
> /etc/php-fpm-8.0.d/ directory. There are only two other sites in the 8.1
> conf directory and both respond with Service unavailable. See output
> below, how could I resolve without reboot? ...


For each Vsite PHP-FPM pool we need a port to bind them to. These ports 
may only be assigned once and the mechanism that assigns them usually 
works quite well.


Please check with "netstat -tupan|grep LISTEN" to see which 
service/process is holding port 9011 open. Based on the results you can 
try to restart that particular service and see if it fixes the issue.


If not: Open a "Support Request" via the GUI and make sure to tick 
"Allow access" and I'll sort it out for you.


--
With best regards

Michael Stauber


[BlueOnyx:26405] Re: [EXTERNAL] Re: Mailproblems, the saga continues

2023-08-08 Thread Michael Stauber via Blueonyx

Hi Arie,


> Canonical Hostname X10-server.fritz.box
>
> I will begin with changing this last to ceelie.info and take it from there.


Here is a little guide that explains how email is handled on BlueOnyx:

https://www.blueonyx.it/dns-for-email

In general: The server itself has a name and for that name you need a 
DNS A record and DNS MX record. Plus a reverse record.


As for receiving emails on user accounts (and user email aliases) that 
are assigned to Vsites? Each Vsite additionally needs DNS A records and 
MX records for both the FQDN of the Vsite as well as all assigned Email 
Server Aliases. The Web server aliases (unless they're the same as the 
Email Server Aliases) just need DNS A records.


--
With best regards

Michael Stauber


[BlueOnyx:26398] Re: Fail2Ban keeps stopping

2023-08-03 Thread Michael Stauber via Blueonyx

Hi Colin,


> I have now tried removing APF and unlinking it; then linking again but now it
> is not available to install.
> Something's not right! :-/


Yeah, sounds that way. Send me a ticket (with "Allow login" ticked) and 
I'll sort it out for you.


--
With best regards

Michael Stauber


[BlueOnyx:26394] Re: Fail2Ban keeps stopping

2023-08-02 Thread Michael Stauber via Blueonyx

Hi Colin,

> I’m running Fail2Ban 0.10.5-7 on one of my 5210R servers and it keeps
> stopping.
>
> I moved this from a 5209R that I migrated to this server.
>
> I have tried removing and reinstalling.
>
> Is there an incompatibility with this version and 5210R?
>
> Looking at versions the latest is 11.x?

The latest Fail2ban PKG for 5209R/5210R/5211R is v1.11.2-1, which you 
can get through the shop. That should fix this issue as well as 
occasionally resetting the list of whitelisted IP address ranges.


--
With best regards

Michael Stauber


[BlueOnyx:26393] Re: The Postfix learning curve continues

2023-08-02 Thread Michael Stauber via Blueonyx

Hi Chad,


> The relay error comes in this section:
>
> Jul 31 14:36:33 mail postfix/submission/smtpd[645290]: generic_checks:
> name=permit_mynetworks status=0
> Jul 31 14:36:33 mail postfix/submission/smtpd[645290]: generic_checks:
> name=reject_unauth_destination
> Jul 31 14:36:33 mail postfix/submission/smtpd[645290]:
> reject_unauth_destination: emailal...@domain.com
> Jul 31 14:36:33 mail postfix/submission/smtpd[645290]:
> permit_auth_destination: emailal...@domain.com
> Jul 31 14:36:33 mail postfix/submission/smtpd[645290]: ctable_locate:
> leave existing entry key c...@bersche.com?emailal...@domain.com
> Jul 31 14:36:33 mail postfix/submission/smtpd[645290]: NOQUEUE: reject:
> RCPT from backup.bersche.com[172.18.172.106]: 554 5.7.1
> : Relay access denied; from=
> to= proto=ESMTP helo=
> Jul 31 14:36:33 mail postfix/submission/smtpd[645290]: generic_checks:
> name=reject_unauth_destination status=2
> Jul 31 14:36:33 mail postfix/submission/smtpd[645290]: >>> END Recipient
> address RESTRICTIONS <<<
> Jul 31 14:36:33 mail postfix/submission/smtpd[645290]: >
> backup.bersche.com[172.18.172.106]: 554 5.7.1 :
> Relay access denied
> Jul 31 14:36:33 mail postfix/submission/smtpd[645290]: watchdog_pat:
> 0x558e6487faa0
> Jul 31 14:36:33 mail postfix/submission/smtpd[645290]:
> vstream_fflush_some: fd 10 flush 53
>
> Jul 31 14:36:33 mail postfix/submission/smtpd[645290]: smtp_get: EOF


Yeah, I was looking at this on Monday when my internet problems started.

From what I can see there it's not DNS. Your server is rejecting the 
relay for the recipient domain "emc.com" with the message "Relay access 
denied."


Whitelisting the sending IP in "Relay Email From Hosts/Domains/IP 
Addresses" in the GUI does the trick for Sendmail, but Postfix is more 
picky it seems.


So this is really something that we need to put into "mynetworks" instead.

Change your "mynetworks" line in /etc/postfix/main.cf to something like 
this if you want to allow the whole 192.168.0.0/16 network to be able to 
relay through it:


mynetworks = 127.0.0.0/8 [::1]/128 192.168.0.0/16

Then restart Postfix and see if that helps:

systemctl restart postfix

--
With best regards

Michael Stauber


[BlueOnyx:26392] Re: Internet issues

2023-08-02 Thread Michael Stauber via Blueonyx

Hi Ken,


> Hey, don't paint us all with the same brush!


I only have one brush! :o)

Nah, there sure are good ones, too. But they are so rare that it's an 
exquisite delight to deal with them.



> Also, if you're a small local ISP, there are a million ways for the
> big guys to screw you over and steal your customers.


Yeah, our guess here is this is exactly what happened. The three big 
ones here all know how shitty their own support and that of the 
competitors is. So this was a great chance to get some clients to switch 
over to them, because that's usually a lot faster than waiting for a 
service technician and a repair.


> I also wonder if things have changed since I lived 2 years as a
> teenager in South America (Argentina) in the late 1960's.  A small
> bribe was often expected in everyday transactions, especially if civil
> servants were involved, and wasn't even viewed as particularly
> unethical or illegal.

Sadly this is still very much the case. In all aspects of daily life. 
Sometimes the traffic cops stop you and you realize within the first 
minute or two that it's nothing but a "shake-down" for a bribe. Need to 
renew the driver's license, a construction permit, or some odd 
bureaucratic diligence done? Well, there is the convoluted and time 
consuming "proper way", or you can ask someone who knows someone to do 
it for you "for a small fee" and get it sorted out right away.


> Whenever I think of Michael living in Colombia, somehow I think of
> Patrick Jane in the TV series The Mentalist, on an island off the
> coast of Venezuela where he can't be extradited to the U.S.  (will
> only make sense if you've watched it)  Or maybe Rick Blaine in
> Casablanca.  Don't be insulted, either reference makes you out to be a
> dashing chick magnet.

Bwahahah! Yeah, I get the reference. But I (sadly) can assure you: It's 
a lot less glamorous and downright mundane. And as for "chick magnet"? 
My lovely wife is the proper "repellent". :o)


--
With best regards

Michael Stauber


[BlueOnyx:26390] Re: Internet issues

2023-08-02 Thread Michael Stauber via Blueonyx

Hi Chris,

> So true.  Anyone who has ever dealt with consumer-grade ISP's knows this
> pain.


Indeed! My flame-thrower style approach (and acting as ad-hoc 
representative of 12 other affected apartments) seems to have worked - 
for now. They eventually sent a crew over who went through all access 
points and some of the crawlspaces and they allegedly found the snag. 
Hopefully that'll be the last of it, but we'll see when the next 
torrential rain comes.


--
With best regards

Michael Stauber


[BlueOnyx:26385] Internet issues

2023-08-02 Thread Michael Stauber via Blueonyx

Hi all,

Just a quick heads up: Since Monday I'm without reliable internet 
connection and am on a mobile line that also craps out or slows to a 
crawl every now and then.


I'm trying to respond to emails, but even that is really dodgy right now.

What happened? We have three big internet providers in Colombia. We're 
with a shack called Tigo, and their competitor MoviStar (subsidiary 
of Telefonica) installed fiber-optics in our complex last week. On 
Monday when they left they "accidentally" (yeah, rright!) caused 
damage that affected all internet installations of their competitors in 
our complex. And as things go with all three providers: You can get a 
new contract (with same day install) lined up in fifteen minutes, or you 
have to wrestle with support for days until they send a technician to 
fix damage in an existing installation. Just spent three hours again in 
the waiting line in front of their office until it was my turn to 
"enthusiastically" rave about their stellar support. After all: A black 
hole is a stellar object, too. :p


--
With best regards

Michael Stauber


[BlueOnyx:26381] Re: The Postfix learning curve continues

2023-07-31 Thread Michael Stauber via Blueonyx

Hi Chad,

> I'd tried setting the relay configuration previously, and it seems to
> not be honored for some reason.  I went with the widest scope of my
> network to start with, and also explicitly listed hostnames and IP
> address of a specific system.  I set the following via the GUI, which
> set /etc/postfix/access to show:
>
> # cat access
> photos.bersche.com RELAY
> 172.18.170.206  RELAY
> 172.18  RELAY
> bersche.com RELAY


Yeah, that looks good.

What is the exact error message in /var/log/messages on your server when 
you try to relay from another box?


That will tell us what to look for.

> permit_sasl_authenticated,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_mynetworks,reject_unauth_destination,reject_unauth_pipelining,reject_invalid_hostname,reject_non_fqdn_hostname,check_sender_access
> hash:/etc/postfix/access,permit
> smtpd_sender_restrictions = permit_mynetworks,
> reject_unknown_sender_domain, check_sender_access hash:/etc/postfix/access


I'd like to see the maillog entry first that happens on error. It could 
as well be the "reject_unknown_sender_domain" entries. If the sending 
servers don't have DNS records that could lead to a block.


--
With best regards

Michael Stauber
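The two Postfix threads above (the RELAY entries written to /etc/postfix/access, and the later mynetworks fix) come down to evaluation order, which this small simulation shows; it is an added example, not BlueOnyx or Postfix code, and the client addresses, mail addresses and table contents are constructed, while treating an access-table hit as a permit is a simplification of the model. Postfix 2.10 and later also evaluate smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination) before this list, which makes mynetworks the decisive knob either way.

```python
"""Simulate how Postfix walks smtpd_recipient_restrictions.

Added example, not BlueOnyx or Postfix code. Postfix evaluates the list
left to right and stops at the first restriction that returns a definite
permit or reject; everything after that point is never consulted for the
session. Only the restrictions needed for the thread's case are modelled.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RELAY_DENIED = "554 5.7.1 <{rcpt}>: Relay access denied"

# The decisive part of the thread's smtpd_recipient_restrictions. The other
# entries listed there (reject_non_fqdn_*, reject_unknown_*_domain, ...) are
# not modelled; an unknown name simply falls through as DUNNO.
PAGE_ORDER = [
    "permit_sasl_authenticated",
    "permit_mynetworks",
    "reject_unauth_destination",
    "check_sender_access hash:/etc/postfix/access",
    "permit",
]


@dataclass
class Session:
    client_ip: str
    sender: str
    recipient: str
    sasl_authenticated: bool = False


@dataclass
class Config:
    mynetworks: List[str]
    mydestination: List[str]                      # domains delivered locally
    relay_domains: List[str] = field(default_factory=list)
    sender_access: Dict[str, str] = field(default_factory=dict)  # hash:/etc/postfix/access


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def in_mynetworks(ip: str, nets: List[str]) -> bool:
    """mynetworks writes IPv6 entries in brackets, e.g. [::1]/128."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n.replace("[", "").replace("]", ""), strict=False)
               for n in nets)


def access_lookup(table: Dict[str, str], sender: str) -> Optional[str]:
    """access(5) order for an address: full address, then domain and parents.
    Sendmail-style IP keys such as "172.18" never match here, because
    check_sender_access keys on the envelope sender, not on the client
    address (that would be check_client_access)."""
    sender = sender.lower()
    if sender in table:
        return table[sender]
    labels = domain_of(sender).split(".")
    for i in range(len(labels)):
        hit = table.get(".".join(labels[i:]))
        if hit is not None:
            return hit
    return None


def evaluate(restrictions: List[str], cfg: Config, s: Session) -> Tuple[str, str]:
    """Walk the list; return (verdict, reason) from the first restriction that decides."""
    for r in restrictions:
        if r == "permit_sasl_authenticated" and s.sasl_authenticated:
            return "PERMIT", r
        if r == "permit_mynetworks" and in_mynetworks(s.client_ip, cfg.mynetworks):
            return "PERMIT", r
        if r == "reject_unauth_destination":
            rdom = domain_of(s.recipient)
            if rdom not in cfg.mydestination and rdom not in cfg.relay_domains:
                return "REJECT", RELAY_DENIED.format(rcpt=s.recipient)
        if r.startswith("check_sender_access"):
            hit = access_lookup(cfg.sender_access, s.sender)
            if hit in ("OK", "RELAY"):           # simplification: a table hit permits
                return "PERMIT", r
            if hit is not None and hit.startswith("REJECT"):
                return "REJECT", hit
        if r == "permit":
            return "PERMIT", r
        # any other outcome is DUNNO: keep walking the list
    return "PERMIT", "end of list"


def page_config() -> Config:
    """What the GUI field produced in the thread: RELAY lines in the access table only."""
    return Config(mynetworks=["127.0.0.0/8", "[::1]/128"], mydestination=["bersche.com"],
                  sender_access={"bersche.com": "RELAY", "172.18": "RELAY",
                                 "172.18.170.206": "RELAY"})


def fixed_config() -> Config:
    """The same plus the LAN in mynetworks, as the thread recommends."""
    cfg = page_config()
    cfg.mynetworks.append("172.18.0.0/16")
    return cfg


if __name__ == "__main__":
    # Constructed: a management board on the LAN alerting an outside mailbox.
    lan_alert = Session("172.18.172.106", "ilo@bersche.com", "oncall@example.net")
    for label, cfg in (("access table only", page_config()), ("mynetworks", fixed_config())):
        print(f"{label:18}: {evaluate(PAGE_ORDER, cfg, lan_alert)}")
```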


[BlueOnyx:26378] Re: The Postfix learning curve continues

2023-07-30 Thread Michael Stauber via Blueonyx

Hi Chad,

> I'm now facing an issue that I'm not sure how to address in Postfix.  I
> have a number of devices in my network (BMC/ILO/iDRAC) and other
> consumer devices (like NAS systems, etc.) that typically send emails
> when health/status issues arise.  Unfortunately, the majority of these
> do not have any concept of authentication to the email server before
> they try to send email.



You can do this via the GUI. Under "Server Management" / "Network 
Services" / "Email" go to the "Advanced" tab; there is a form field 
called "Relay Email From Hosts/Domains/IP Addresses".


It takes domain names, IP addresses and IP address ranges. If you want 
to allow a whole IP address range like 192.168.0.0/16, then you'd enter 
it this way: 192.168.0.0 (without the mask).


Hosts that you have whitelisted this way can send email both to your 
server as well as through your server if the email is for an address 
that isn't hosted on the BlueOnyx itself.


--
With best regards

Michael Stauber


[BlueOnyx:26373] Re: Outlook cannot deliver to BO

2023-07-29 Thread Michael Stauber via Blueonyx

Hi Meaulnes,

> Seeking a solution because users of mine repeatedly reported the
> same problem having Outlook blocked, I searched in the maillist and
> found Dick's e-mail. Back then, his mail had not been answered.


I don't have Outlook, so I can't test this.

The relevant part of the error message is this:

7/13/2023 12:54:33 PM - Server at voncastelberg.com (94.103.99.71) 
returned '450 4.4.316 Connection refused [Message=Socket error code 
10061] [LastAttemptedServerName=voncastelberg.com]


So the connection was refused on the BlueOnyx. But why was it refused? 
To know the exact issue we'd need the related log entries from 
/var/log/maillog that were written when Outlook tried to deliver this email.


That would tell us what we'd need to know in order to troubleshoot this 
further. But looking at the date? The logs might already be gone, so 
better check real quick and see if you still have 'em.


--
With best regards

Michael Stauber


[BlueOnyx:26371] Re: Cron

2023-07-28 Thread Michael Stauber via Blueonyx

Hi Colin,

> We have a new customer who wants a vsite but needs access to cron and
> support for http/2.
>
> Is it possible to allow cron jobs on a BX vsite?


HTTP/2 is enabled by default in Apache on 5211R - and on 5209R/5210R it 
becomes available when you enable Nginx as SSL proxy. But then HTTP/2 
only works via HTTPS.


As for user owned cronjobs? At the moment only users with shell access 
can create and manage their own cronjobs via the "crontab" command.


--
With best regards

Michael Stauber


[BlueOnyx:26370] Re: Duplication of email delivery based on /etc/mail/aliases

2023-07-28 Thread Michael Stauber via Blueonyx

Hi Larry and Chad,


> Hmmm, how about try doing the same thing via the .forward
> instead of via the aliases and see if it still does the dupes.



Indeed. Using the .forward file (Email forwarding via the GUI) is the 
way to go on this. Manually modifying the alias file is somewhat frowned 
upon, as this can lead to problems down the road. After all: The GUI 
isn't aware of anything you manually add in there.


--
With best regards

Michael Stauber


[BlueOnyx:26364] Re: AV-Spam rule expression

2023-07-19 Thread Michael Stauber via Blueonyx

Hi Chris,

> My question is in the expression, should I be using the subject as it
> appears (I RECORDED YOU) or should I be attempting regex
> (I\sRECORDED\sYOU)?

You want the rule to trigger on the subject (not body) and generally I 
also would throw a /i at the end of the rule to make it case 
insensitive. So it'll even trigger if some or all parts of the search 
text are capitalized. In that case the complete rule would look like this:


header   BTC_EXT0815 Subject =~ /I recorded you/i
describe BTC_EXT0815 Bitcoin extortion scam
score    BTC_EXT0815 100

That "BTC_EXT0815" is a unique identifier for that rule and it can be 
anything. But it must be the same in all three lines.


In this example I gave that rule a score of 100, so it'll get tagged no 
matter what - unless the sender address is specifically whitelisted in 
the AV-SPAM. A score this high will also reject the message at the MTA 
if that feature is enabled (it usually is enabled by default).



--
With best regards

Michael Stauber
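To try such a rule against sample subjects before it goes into a .cf file, here is a minimal parser and scorer for the three directives used above; it is an added example, not SpamAssassin or BlueOnyx AV-SPAM code, and the second rule, the sample messages and the tag/reject thresholds are constructed.

```python
"""Parse a minimal SpamAssassin header rule set and score a message with it.

Added example, not SpamAssassin or BlueOnyx AV-SPAM code. Only the three
directives from the thread are understood: header ... =~ /re/flags,
describe and score. Matching is done against message headers only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

HEADER_RE = re.compile(r"^header\s+(\w+)\s+([\w-]+)\s+=~\s+/(.*)/([a-z]*)$")
FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}

# The rule from the thread plus one constructed companion rule.
SAMPLE_RULES = r"""
header   BTC_EXT0815 Subject =~ /I recorded you/i
describe BTC_EXT0815 Bitcoin extortion scam
score    BTC_EXT0815 100

header   DEMO_BULK_TAG Subject =~ /\[bulk\]/i
describe DEMO_BULK_TAG Subject carries a [bulk] marker (constructed rule)
score    DEMO_BULK_TAG 2.5
"""


@dataclass
class Rule:
    name: str
    header: str
    pattern: re.Pattern
    describe: str = ""
    score: float = 1.0   # SpamAssassin's default when no score line is given


def parse_rules(text: str) -> Dict[str, Rule]:
    rules: Dict[str, Rule] = {}
    pending: List[Tuple[int, str, str, str]] = []  # describe/score lines, applied at the end
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m:
            name, hdr, pat, flags = m.groups()
            fl = 0
            for f in flags:
                if f not in FLAGS:
                    raise ValueError(f"line {lineno}: unsupported flag /{f}")
                fl |= FLAGS[f]
            rules[name] = Rule(name, hdr, re.compile(pat, fl))
            continue
        parts = line.split(None, 2)
        if parts[0] in ("describe", "score") and len(parts) == 3:
            pending.append((lineno, parts[0], parts[1], parts[2]))
            continue
        raise ValueError(f"line {lineno}: unsupported directive: {line}")
    for lineno, kind, name, value in pending:
        rule = rules.get(name)
        if rule is None:  # the mismatch the thread warns about: one name in all three lines
            raise ValueError(f"line {lineno}: {kind} for unknown rule {name}")
        if kind == "describe":
            rule.describe = value
        else:
            rule.score = float(value)
    return rules


def score_message(rules: Dict[str, Rule], headers: Dict[str, str]) -> Tuple[float, List[str]]:
    """Sum the scores of every rule whose header regex matches; the body is never consulted."""
    total, hits = 0.0, []
    for rule in rules.values():
        if rule.pattern.search(headers.get(rule.header, "")):
            total += rule.score
            hits.append(rule.name)
    return total, hits


def verdict(total: float, tag_at: float = 5.0, reject_at: float = 50.0) -> str:
    """Thresholds are constructed; a site sets its own tag and MTA-reject levels."""
    if total >= reject_at:
        return "reject"
    if total >= tag_at:
        return "tag"
    return "ok"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for subject in ("I RECORDED YOU", "[BULK] newsletter", "Meeting notes"):  # constructed
        total, hits = score_message(rules, {"Subject": subject})
        print(f"{subject!r}: score={total} hits={hits} -> {verdict(total)}")
```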


[BlueOnyx:26359] Re: BlueOnyx 5210R: Radicale CalDAV/CardDAV integration released

2023-07-17 Thread Michael Stauber via Blueonyx

Hi all,

> Existing GUI pages for 5210R don't need any changes to continue to work
> and this added functionality provides simplified and better options for
> future changes and modifications.


Actually: Enabling session support for the BlueOnyx 5210R GUI broke 
something: The auto-login into phpMyAdmin via the GUI. That one also 
used PHP-sessions and you can't have two different sessions going on at 
the same time.


So I switched the BlueOnyx 5210R phpMyAdmin to use Cookies for 
authentication and integrated the same custom authentication script that 
we already use for BlueOnyx 5211R.


YUM updates with fixed "base-phpmyadmin-*" and "phpMyAdmin" have just 
been published for BlueOnyx 5210R to address the issue.


--
With best regards

Michael Stauber


[BlueOnyx:26358] Re: BlueOnyx 5210R: Radicale CalDAV/CardDAV integration released

2023-07-15 Thread Michael Stauber via Blueonyx

Hi all,

Radicale CalDAV/CardDAV is now available for BlueOnyx 5210R as well.

A week ago we released a Radicale CalDAV/CardDAV integration for 
BlueOnyx 5211R. This has now been ported over to BlueOnyx 5210R as well. 
It will automatically be installed during the next YUM/DNF update of your 
server.


News article:

https://www.blueonyx.it/news/325/15/5210R-Radicale-CalDAVCardDAV/

Link to the documentation:

https://www.blueonyx.it/organizer

BlueOnyx 5210R code changes in SVN:

https://devel.blueonyx.it/trac/changeset?reponame==4709%40BlueOnyx%2F5210R=4685%40BlueOnyx%2F5210R

I could re-use almost the entire 5211R base-organizer module and just 
had to modify one handler a little. But getting the 5211R GUI pages to 
work on 5210R turned out to be a bit of a challenge. It reminded me 
again how much 5211R has advanced and I had lavishly used functions in 
the GUI page that simply weren't present in 5210R.


So ... I had to go back and add these to 5210R as well to make this (and 
future) module conversions easier. This is why it took a whole week to 
get this done.


Until 5211R we had no "good" way to pass error messages that happened on 
one page on to another GUI page to present them. Or show the errors in 
the same GUI page after a reload. What we had for that were crude 
workarounds, which weren't that practical. In BlueOnyx 5211R we use PHP 
session storage for that purpose (and others) and that has turned out to 
be very beneficial and much easier to use.


This mechanism has now been added to 5210R as well. At least for the 
error handling.


For these reasons the Class BxPage.php on 5210R inherited the following 
new/modified functions:


$BxPage->ReturnToThisPage($errors, $redirect_URL);

Redirects the GUI to a specified GUI URL and passes an array of error 
messages to it for display.


$BxPage->setErrors($errors)
$BxPage->getErrors()

These functions already existed and now use PHP session storage to 
retain error messages until we've had a chance to display them. Or until 
the next POST request against the GUI happens.


$BxPage->setFormUrl($url)

Allows to change the form target of GUI related POST forms to another 
GUI page. We could do this already in another way, but this is a lot 
simpler.


$BxPage->setGETPOST($val)

Tell BxPage to fetch all GET and POST requests (as well as the 
user-agent and browser-version of the visitor) of the current GUI page.


$BxPage->getGETPOST($val)

Returns GET, POST or AGENT info of the current GUI page as arrays.

Likewise the helper blueonyx_helper.php got updated a little:

init_libraries() now tells CodeIgniter to load the "session" library.

GetFormAttributes() is now more in line with what 5211R does and 
integrates the required key checks for form input fields that we had 
marked as required. It then stores errors directly via 
$BxPage->setErrors($errors) to keep them "on file" until we can present 
them.


Added getUserAgent() function to fetch the user agent and browser 
version of the visitor.


Capabilities.php and ServerScriptHelper.php got extended with a 
capability check that so far was unique in 5211R:


if (!$CI->getAllowed('validUser')) {
    // Nice people say goodbye, or CCEd waits forever:
    $CI->cceClient->bye();
    $CI->serverScriptHelper->destructor();
    Log403Error("/gui/Forbidden403");
}

With that simple and "cost effective" check we can test if the user 
accessing that GUI page is a 'validUser'. Means: He is a valid user, 
known to CODB and is currently successfully logged in.


We use this simple check on GUI pages with the lowest privileges that 
are accessible to all logged in users. Basically anything that's 
reachable under "Personal Profile". So far 5210R (and older) used a 
check that was slightly more complex and cost a few CPU cycles and CODB 
accesses more.


Existing GUI pages for 5210R don't need any changes to continue to work 
and this added functionality provides simplified and better options for 
future changes and modifications. So this is a good compromise and 
investment into the future of 5210R.


The idea to port the whole 5211R GUI to 5210R is still on the table for 
the general speed improvements, easier code maintenance and simplified 
coding of future enhancements. Yet: It would really rock the boat and 
that's why I'm reluctant to do it. Instead there might be more gradual 
changes to the existing 5210R GUI to selectively port individual 
enhancements from 5211R over.


--
With best regards

Michael Stauber


[BlueOnyx:26357] Re: Redhat sources - current state of affairs

2023-07-15 Thread Michael Stauber via Blueonyx

Hi Chris,

> It's fair to say that Red Hat's actions have been disruptive to nearly
> all sectors of RHEL user base, but the impact to the hosting community
> has been profound.  BlueOnyx is not the only control panel that was
> caught flat-footed by RH's pronouncements and it may be years before the
> ripples are fully settled.


Yeah, and we can be certain that causing these ripples was an 
intentional side effect.


> The commercial vendor we use for some hosting applications had been
> working on their Ubuntu support for a while, but that has certainly
> been fast-tracked to a fully supported (and just short of recommended)
> option. And they've been based on RHEL for as long as we have.

I can imagine. Having another OS (preferably a fully community driven 
one like Debian) as potential exit strategy is something we should have 
in the pipe. So I'm back at looking at a native BlueOnyx build for 
Debian as a long term alternative.


> While my company certainly has a hand in many different pots when it
> comes to Linux flavors, our comfort zone has been with Enterprise Linux
> from the start.


I think this is something we all can relate to. And while it's good that 
Enterprise Linux won't go away, the ripples in the water will persist 
for quite some time and this isn't helpful.


> I find it curious that CloudLinux themselves are offering a free
> distribution although they're funding AlmaLinux.

Indeed, that was a bit of a surprise. Their Cloud Linux had RHEL or 
CentOS 7/8/9 as upstream and tacked on some extras for the cloud related 
management. Plus they also offered architectural support for platforms 
that RedHat no longer offered. Like Arm64.


I guess the early CentOS 8 EOL left them with a gap to fill for their 
own needs. Creating AlmaLinux and spinning it off into a self-governing 
foundation was an interesting move. I also like the "added value" they 
provide, such as their ELEVATE OS upgrade script or the extra Arm64 builds.


> I can tell you one thing for certain:  Given the mercurial nature of
> RedHat's decision making, we will not be considering their product. They
> seem to shift directions on a whim, which is not a trait I'm interested
> in when making decisions on how best to provide stability and success
> for my business.   I cannot help but wonder if other managers might be
> thinking along similar lines, and if RedHat's actions will ultimately
> put them into an also-ran position.  Now that would really make things
> interesting with the futures of AlmaLinux, Rocky Linux, CloudLinux etc.


The level of cooperation and collaboration we're currently seeing is 
great and hopefully it has the desired effect that RedHat realizes that 
further moving of goal-posts might not be in their own best interests. I 
heard nobody react to the current situation by saying: "Well, I guess 
then I buy some RedHat licenses instead!"


That ain't going to happen and all RedHat managed was to piss off a lot 
of the community on whose work they depend via Fedora, Epel, CentOS 
Stream. Or developers of those upstream projects which they themselves 
are leeching from. Like the combined works under the Apache Software 
Foundation's umbrella and others.


There is a lot of resilience in the open source community against 
corporate overlords and that can quickly turn into resistance. Which 
makes sense: It gives us dragons to slay and we don't even have to leave 
the basement for that. :p


--
With best regards

Michael Stauber


[BlueOnyx:26353] BlueOnyx 5211R: Radicale CalDAV/CardDAV integration released

2023-07-09 Thread Michael Stauber via Blueonyx

Hi all,

As mentioned earlier on this list ([BlueOnyx:26331]) I announced the 
possibility to integrate a Radicale CalDAV/CardDAV service into BlueOnyx.


After a two-week coding marathon this now has been released for BlueOnyx 
5211R:


News page:

https://www.blueonyx.it/news/323/54/5211R-Radicale-CalDAVCardDAV

FAQ entry:

https://www.blueonyx.it/organizer

Code in SVN:

http://devel.blueonyx.it/trac/browser/BlueOnyx/5211R/ui/base-organizer.mod

As sufficient donations came in, I made this part of BlueOnyx itself and 
BlueOnyx 5211R users automatically get it installed via the next YUM/DNF 
Update.


I would like to thank the following donors (listed in alphabetical 
order) for making this happen:


   - BB-ONE.net GmbH
   - blackpoint GmbH
   - PRIMOS Datensysteme GmbH
   - Maxxnet.de
   - Virtbiz.com

The news-page and the FAQ entry listed above explain all the details and 
of course: If you have any questions, let me know here.


A BlueOnyx 5210R version will be released within the next two weeks or 
so. A version for BlueOnyx 5209R is not planned.


--
With best regards

Michael Stauber


[BlueOnyx:26352] Re: BO 5211 on LXC , Internal Server Error while removing User

2023-07-08 Thread Michael Stauber via Blueonyx

Hi Rodrigo,

> We need pointers to solve this issue:
>
> 1) migrated users with easymigrate from an old 5209 to a new 5211
> virtual (lxc)
>
> Only one site on the server.
>
> 2)On the resulting server,
>
> Trying to eliminate a User ends up in a :
>
> Internal server error
>
> no clues about where's the issue:
>
> 3)What we checked
> /var/log/messages does not register a thing
>
> /var/log/adm_error does not show anything useful


This sounds like a combination of issues and not just a singular failure.

For starters: /var/log/messages should have some useful information 
about where it errored out during the user deletion. If an attempted 
user deletion did not result in logfile entries, then your logging is 
buggered out. We also see this occasionally on OpenVZ 7 and I'd be 
surprised if the issue didn't exist in LXC as well.


So let us shake the logging loose again, which you can with these commands:

rm /var/log/journal/*/*
rm /var/lib/rsyslog/imjournal.state
systemctl restart systemd-journald
systemctl restart rsyslog

Next: Enable Debugging in the 5211R GUI. See this URL for more information:

https://www.blueonyx.it/blueonyx-5211r-debugging

Instead of an "Internal Server Error" the GUI will then show *really* 
helpful information that helps to troubleshoot this further.


That should produce a detailed error message about where and why it failed.

In the absence of more information I can only speculate why the user 
deletion failed, but more often than not it is related to email alias 
issues.


Alternatively: File a "Support Request" via the GUI and tick the 
checkbox "Allow access" and I'll take a look. But let me know in the 
comments which users I'd be allowed to attempt to delete to produce the 
error.


--
With best regards

Michael Stauber



[BlueOnyx:26350] Re: CalDAV + CardDAV (Contacts & Address Books) integration for BlueOnyx?

2023-07-05 Thread Michael Stauber via Blueonyx

Hi Rodrigo,


> Only review the security implications of radicale.org,
>
> Any open CVEs that might compromise BlueOnyx security.
>
> https://www.cvedetails.com/vulnerability-list/vendor_id-15782/product_id-33131/Radicale-Radicale.html



Yeah, I've seen those as well and it is good that you mention it. We 
will be using "radicale3-3.1.8" from Epel on 5211R and I believe the 
version for 5210R will not be much older either. Both are much newer 
than the vulnerabilities you mentioned. The latest CVE from 2017 
(CVE-2017-8342) for example is now directly mitigated by a built in 
brute force detection and enforcing a growing delay on authentication 
after each failed login.


In fact the *really* tight security in Radicale v3 has already driven me 
nuts and complicated the integration tremendously.


It runs as unprivileged user "radicale" in a Systemd jail. That jail has 
its own /tmp and Radicale only has access to its own home directory 
/var/lib/radicale. Beyond that Radicale is unable to elevate its own 
privileges, capabilities and can't modify ControlGroups or access 
devices or anything kernel related:



[root@5211r ~]# cat /usr/lib/systemd/system/radicale.service
[Unit]
Description=Radicale CalDAV and CardDAV server
Documentation=https://radicale.org/3.0.html#documentation
After=network.target
Requires=network.target

[Service]
ExecStart=/usr/libexec/radicale/radicale
Restart=on-failure
Type=exec
User=radicale
Group=radicale
UMask=0027
WorkingDirectory=/var/lib/radicale
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
NoNewPrivileges=true
CapabilityBoundingSet=
ReadWritePaths=/var/lib/radicale/


That is about as tight as you can configure something.

Which also meant that Radicale itself didn't even have the ability to do 
any authentication itself and was either accessible to anyone (like: 
when you use it in internal networks) or relied on htpasswd protection 
via htpasswd file *in* the jail. Or mod_proxy and mod_authnz_external 
password protection in Apache itself and passing the user-name via 
%{REMOTE_USER} *after* the external authentication had been satisfied.


Something like this:


RewriteEngine On
RewriteRule ^/radicale$ /radicale/ [R,L]

AuthType Basic
AuthName "Radicale - Password Required"
AuthUserFile "/etc/radicale/htpasswd"
Require valid-user

ProxyPass http://localhost:5232/ retry=0
ProxyPassReverse http://localhost:5232/
RequestHeader set X-Script-Name /radicale
RequestHeader set X-Remote-User expr=%{REMOTE_USER}



While that is good, it makes GUI-integration a real hassle.

Access to the authentication layer via PAM? Nope! Not possible from 
within that strict jail. Even if: An unprivileged user can only PAM auth 
his own credentials and not those of someone else.


So I had to devise a secure method for Radicale to authenticate over the 
network (by letting Radicale do a POST request to Apache on "localhost" 
against a new "/internalauth" URL that checks username and password and 
reports if they're fine or not). And then I wrote a Python authentication 
module for Radicale which uses that method.


Even then I can't do an auto-login from the GUI into the Radicale 
backend, as it has cross-site scripting protection enabled (so a remote 
POST request won't work) and on top of that: It prevents hitting the 
"submit" button via a jQuery script, which is another way I tried to get 
auto-login working from inside the GUI.


In principle I have it all working now (minus the auto-login) and the 
code is in SVN:


https://devel.blueonyx.it/trac/browser/BlueOnyx/5211R/ui/base-organizer.mod

As I can't get auto-login into the backend working I'll be doing a full 
GUI integration of Radicale instead. That way we can manage all Radicale 
aspects from within the BlueOnyx GUI, using BlueOnyx methods. And then 
we don't need the GUI that Radicale itself brings with it. At least not 
for the management. It's still used when someone accesses CalDAV or 
CardDAV to access calendars and/or contacts.


By the weekend I should perhaps have it ready for 5211R and will then 
port it to 5210R as well.


--
With best regards

Michael Stauber

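A defender's check for the unit shown above, as an added example rather than anything shipped with BlueOnyx, Radicale or systemd: it parses a systemd [Service] section and reports which of the sandboxing directives the post relies on are missing, using the radicale.service from the post and a constructed weaker variant as inputs.

```python
"""Audit a systemd service unit for the sandboxing radicale.service relies on.
Added example, not BlueOnyx, Radicale or systemd code: it encodes the
properties the unit in the post demonstrates and flags a unit lacking them."""
from typing import Dict, List

# [Service] section copied from the post; the audit should pass it.
RADICALE_SERVICE = """\
[Service]
ExecStart=/usr/libexec/radicale/radicale
Restart=on-failure
Type=exec
User=radicale
Group=radicale
UMask=0027
WorkingDirectory=/var/lib/radicale
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
NoNewPrivileges=true
CapabilityBoundingSet=
ReadWritePaths=/var/lib/radicale/
"""

# Constructed for contrast: what a quick packaging job tends to produce.
WEAK_SERVICE = """\
[Service]
ExecStart=/usr/libexec/radicale/radicale
User=root
WorkingDirectory=/var/lib/radicale
PrivateTmp=true
ProtectSystem=full
ReadWritePaths=/etc /var/lib/radicale/
"""

SANDBOX_FLAGS = ("PrivateTmp", "ProtectHome", "PrivateDevices",
                 "ProtectKernelTunables", "ProtectKernelModules",
                 "ProtectControlGroups")


def parse_unit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse a unit file into {section: {key: [values in file order]}}.
    A key may repeat (e.g. several ReadWritePaths= lines), so values are lists."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def _last(svc, key, default=""):
    """systemd honours the last assignment of a single-valued key."""
    return svc[key][-1] if svc.get(key) else default


def _enabled(value):
    return value.lower() in ("1", "yes", "true", "on")


def _inside(path, root):
    path, root = path.rstrip("/"), root.rstrip("/")
    return path == root or path.startswith(root + "/")


def audit_service(text: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    svc = parse_unit(text).get("Service", {})
    findings: List[str] = []
    user = _last(svc, "User")
    if not user or user == "root":
        findings.append("runs as root: set User= to an unprivileged account")
    if not _enabled(_last(svc, "NoNewPrivileges")):
        findings.append("NoNewPrivileges= not enabled: setuid binaries could regain privileges")
    # An empty CapabilityBoundingSet= drops every capability; a missing one
    # leaves the full set available to a service started by root.
    caps = svc.get("CapabilityBoundingSet")
    if caps is None or any(caps):
        findings.append("CapabilityBoundingSet= is not empty: service keeps capabilities")
    if _last(svc, "ProtectSystem") != "strict":
        findings.append("ProtectSystem= is not 'strict': filesystem writable beyond ReadWritePaths=")
    for flag in SANDBOX_FLAGS:
        if not _enabled(_last(svc, flag)):
            findings.append(f"{flag}= not enabled")
    workdir = _last(svc, "WorkingDirectory")
    for path in " ".join(svc.get("ReadWritePaths", [])).split():
        if workdir and not _inside(path, workdir):
            findings.append(f"ReadWritePaths= writable outside WorkingDirectory=: {path}")
    return findings
```

`audit_service(RADICALE_SERVICE)` returns an empty list, while the constructed weak unit is flagged for running as root, missing NoNewPrivileges= and CapabilityBoundingSet=, a non-strict ProtectSystem=, five missing sandbox flags, and the writable /etc.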


[BlueOnyx:26349] Re: 5210R sendmail to postfix switch questions

2023-07-05 Thread Michael Stauber via Blueonyx

Hi Tim,


> OK I flipped on Postfix and things looked good.


Very well.

> One thing I did notice is my procmail.rc doesn't appear to be being used
> once I switched it over
>
> I have a lot of hand written recipes and other things going on that I
> would like to be able to still do with Postfix
>
> Can I still use my procmail.rc recipes?


You can still use /etc/procmailrc as well as ~user/.procmailrc, as 
Postfix also used Procmail for local deliveries - same as Sendmail did.


> I did try to strip out most off of my recipes just to see if I could see
> any action in my procmail_log file but once I flipped it to postfix
> there was no logging in my logfile
>
> VERBOSE=on
> LOGABSTRACT=on
> COMSAT=no
> LOGFILE=/var/log/procmail_log


Check your /var/log/maillog. It will probably complain that Postfix 
couldn't write to /var/log/procmail_log


The thing is that Postfix runs as user "postfix", group "postfix" and 
although it's a member of groups "mail" and "smssp"? The only way I found 
to keep procmail logging to a file was if I set the permissions of the 
logfile to 0644: chmod 0644 /var/log/procmail_log


--
With best regards

Michael Stauber



[BlueOnyx:26345] Re: 5210R sendmail to postfix switch questions

2023-07-03 Thread Michael Stauber via Blueonyx

Hi Tim,


> 5210R
>
> I am pondering switching from sendmail to postfix.
>
> Anything that I should be aware of with regard to what is going to
> change regarding my client's email client setups?
>
> Is there anything that they will have to change in their settings?
>
> Can I switch back if I suddenly run into issues (my clients)


On 5210R/5211R you can switch between Sendmail and Postfix at any time 
and in either direction. Typically the clients won't even notice and no 
config changes are required server side or client side.


The main difference between Sendmail and Postfix (as far as BlueOnyx 
goes) is this:


Postfix supports SNI. So it will make use of *all* SSL certificates. 
That includes the GUI's cert and the SSL cert of all Vsites that have 
SSL enabled.


Whereas Sendmail could only use a single SSL certificate and therefore 
only used the GUI's SSL cert.


With Postfix your clients (who have SSL enabled on their Vsite) no 
longer get an SSL certificate mismatch if they use SMTPS, POPS or IMAPS 
and their configured mail-endpoint on the BlueOnyx is the domain name of 
their Vsite.


Of course: If you ever have clients who use *that* setup and switch back 
from Postfix to Sendmail? Yeah, then they get the "certificate mismatch" 
again, because Sendmail only uses the GUI cert, which doesn't have 
provisions for any Vsite SSL.


Other than that? Postfix is more robust and takes abuse a lot better 
than Sendmail. The way we have Postfix set up on BlueOnyx is that each 
time when Postfix is started it parses the Sendmail configuration and 
creates a new Postfix configuration on the fly. That way the 
configuration of both MTAs remains identical and "doesn't drift apart".


Should you ever wish to configure Postfix differently than the GUI 
allows, or want to set a parameter that the GUI doesn't have for the 
Postfix configuration? You can put your changes into this script, which 
will never be overwritten by YUM updates:


/usr/sausalito/bin/custom-postfix-confgen.sh

There is an example in that file that shows how it's done. This script 
runs at the end of the auto-configure of Postfix that happens during 
each Postfix restart. So you have full flexibility of how you want to 
configure that service if you want to tweak it further than the GUI allows.


Let me know if you have any further questions and I'd be glad to help.

--
With best regards

Michael Stauber


[BlueOnyx:26340] Re: Backscatter / user not found bounce

2023-07-02 Thread Michael Stauber via Blueonyx

Hi Ken,

> Are you using some sort of MX relay to do email filtering, so
> that by the time your BO server rejects the connection for no valid
> recipients, the outboard solution has already terminated its SMTP
> session and sends a bounce email?  Otherwise, I don't see how an SMTP
> reject would be backscatter.

You know, after I wrote my earlier reply to Colin (and had another cup 
of coffee to fully wake up) I was wondering about this as well.


What is the actual scenario of bounce generation? If the connection 
attempt is *rejected* at the MTA on the BlueOnyx (because the recipient 
doesn't exist), then the *sending* mailserver that contacted the 
BlueOnyx will create a bounce.


But it's not the BlueOnyx that would create a bounce in that case.

So the sending mailserver (not the BlueOnyx) creates the bounce that 
might flip back to an innocent bystander. Still: That bounce might show 
the name and/or IP of the BlueOnyx as final destination where the reject 
happened.


Someone else's mailserver config isn't something we can do much about.

Yet: This brings us back to SPF and the stricter sender checks that 
Postfix on a BlueOnyx does. Might these have helped? The strict checks 
in Postfix might have rejected the connection if the sender had no 
reverse records and/or no valid domain name for the sending IP.


SPF might have detected that the sender address has SPF enabled and that 
the sender IP and didn't conform with the published SPF records for the 
domain name in the email address.


Still: This would have caused a reject on the BlueOnyx (not a bounce). A 
bounce could only happen if the sender was an MTA and created the bounce 
itself, because the BlueOnyx didn't want to "play" with it.


Try it out on one of your servers: Send an email to 
nonexist...@yourserver.com and *your* *own* mailserver replies back to 
you with a bounce, because the recipient doesn't exist.


And we can also simulate what happens by using Telnet, if the email is 
from an external source and the spoken to mailserver is a BlueOnyx:


This is in a shell on my workstation:

mstauber@beast:~$ telnet mail.blueonyx.it 25
Trying 208.77.151.199...
Connected to mail.blueonyx.it.
Escape character is '^]'.
220 lists.blueonyx.it ESMTP Sendmail Ready; Sun, 2 Jul 2023 13:52:24 -0500
HELO sol.smd.net
250 lists.blueonyx.it Hello Dinamic-Tigo-191-89-131-84.tigo.com.co 
[191.89.131.84] (may be forged), pleased to meet you

MAIL FROM: m...@blueonyx.it
250 2.1.0 m...@blueonyx.it... Sender ok
RCPT TO: nonexist...@blueonyx.it
553 5.3.0 nonexist...@blueonyx.it... No such user here
DATA
503 5.0.0 Need RCPT (recipient)

I faked to be sending email from the domain name "sol.smd.net" (which is 
another server of mine), specified an existing sender email address of 
mine and specified as RCPT TO a nonexisting email address.


Server answer:

553 5.3.0 nonexist...@blueonyx.it... No such user here

After that reject I could NOT specify a message body, as a valid 
recipient is required. So no actual bounce was created.


Colin: Do you by chance have a mail relay in front of your BlueOnyx that 
forwards the inbound emails to the BlueOnyx? Because *that* could be the 
problem.


--
With best regards

Michael Stauber
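The reject-versus-bounce distinction made above, modelled as an added example (constructed code, not BlueOnyx, Sendmail or Postfix): a minimal receiving MTA is run under both policies against the forged-sender scenario, and only the accept-then-bounce policy ends up generating a notice to the claimed sender.

```python
"""Reject-at-RCPT versus accept-then-bounce, as an added example (constructed,
not BlueOnyx, Sendmail or Postfix code).  Two receiving-MTA policies are
modelled so the difference the thread describes can be observed: a 5xx at
RCPT TO leaves bounce generation to the *sending* MTA, while accepting the
message first forces this server to mail a non-delivery notice to whatever
envelope sender was claimed, which for forged spam is an innocent third party.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

LOCAL_USERS = {"postmaster", "michael"}   # constructed list of real mailboxes


@dataclass
class Session:
    policy: str                            # "reject_at_rcpt" or "accept_then_bounce"
    sender: str = ""
    recipients: List[str] = field(default_factory=list)
    transcript: List[str] = field(default_factory=list)
    # (to, reason) non-delivery notices that *this* server generated
    bounces: List[Tuple[str, str]] = field(default_factory=list)

    def _reply(self, cmd: str, code: str) -> str:
        self.transcript += [f"C: {cmd}", f"S: {code}"]
        return code

    def command(self, cmd: str) -> str:
        """Handle one client command and return the server reply line."""
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return self._reply(cmd, "250 mx.blueonyx.example Hello, pleased to meet you")
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[1].strip()
            return self._reply(cmd, f"250 2.1.0 {self.sender}... Sender ok")
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip()
            known = rcpt.split("@")[0] in LOCAL_USERS
            if self.policy == "reject_at_rcpt" and not known:
                # Refused inside the dialogue: nothing was accepted, so there is
                # nothing for this server to bounce.  The peer decides what to do.
                return self._reply(cmd, f"553 5.3.0 {rcpt}... No such user here")
            self.recipients.append(rcpt)
            return self._reply(cmd, f"250 2.1.5 {rcpt}... Recipient ok")
        if verb == "DATA":
            if not self.recipients:
                return self._reply(cmd, "503 5.0.0 Need RCPT (recipient)")
            # Body transfer is compressed into one step.  Under accept_then_bounce
            # the unknown user surfaces only at delivery, after we already said 250.
            for rcpt in self.recipients:
                if rcpt.split("@")[0] not in LOCAL_USERS:
                    self.bounces.append((self.sender, f"{rcpt}: user unknown"))
            return self._reply(cmd, "250 2.0.0 Message accepted for delivery")
        return self._reply(cmd, "500 5.5.1 Command unrecognized")


def run_forged_attempt(policy: str) -> Session:
    """Replay the thread's scenario: forged sender, non-existent recipient."""
    session = Session(policy)
    for cmd in ("HELO sol.example.net",                  # constructed hostnames/addresses
                "MAIL FROM: whatever@hotmail.example",
                "RCPT TO: nonexistent@blueonyx.example",
                "DATA"):
        session.command(cmd)
    return session


if __name__ == "__main__":
    for policy in ("reject_at_rcpt", "accept_then_bounce"):
        s = run_forged_attempt(policy)
        print(policy, "\n  " + "\n  ".join(s.transcript),
              "\n  bounces generated here:", s.bounces)
```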


[BlueOnyx:26337] Re: Backscatter / user not found bounce

2023-07-02 Thread Michael Stauber via Blueonyx

Hi Colin,


> We are having issues with spammers sending thousands of emails to non-existent users on
> our hosted domains and our BX server then bouncing them as "554 5.5.1 Error: no
> valid recipients" and our IP consequently getting blacklisted for backscatter.
>
> Microsoft hate us now – Hotmail etc. and block all email from our subnet! :-/
>
> 5210R
>
> Is there any practical way to stop “no valid recipient” email being sent out
> from the server?


Let us take a look at the source of the problem:

A SPAM-sender connects from a dial-up IP or botnet or a hacked server to 
your MTA and claims to be someone he isn't. Like whate...@hotmail.com. 
And he then tries to send email to a non-existing user on your end.


This can cause backscatter, as the non-delivery-notice is delivered to 
the claimed (but faked) whate...@hotmail.com sender address.


For legitimate emails you want non-delivery-notice to inform a 
legitimate sender that he's not getting through.


How to defeat backscatter in case of faked sender addresses?

Here are three recommendations:

1.) Switch to Postfix in the GUI

This has stricter sender verification checks.

2.) Enable and configure SPF and switch it to "Sign & Verify" mode

This checks the SPF records of sender domains and if the senders
IP is not within the SPF records published by say hotmail.com, then
the email will be rejected at the MTA w/o bounce and NDN.

To really prevent any bounces ever to leave your server and go somewhere 
you don't want them to go to? This can be done via Postfix.


Edit /usr/sausalito/bin/custom-postfix-confgen.sh and at the bottom add 
these lines:


postconf -e 'bounce_notice_recipient = '
postconf -e '2bounce_notice_recipient = '

Be sure to change  to a valid email address which 
you want all bounces to go to.


Then restart Postfix and you should be good to go:

systemctl restart postfix

--
With best regards

Michael Stauber


[BlueOnyx:26335] Re: CalDAV + CardDAV (Contacts & Address Books) integration for BlueOnyx?

2023-06-28 Thread Michael Stauber via Blueonyx

Hi Chris,

> +1 from me.    IMO, it helps to make BlueOnyx mail more competitive with
> other commercial offerings.


Very well. It should be finished by the weekend and will make it 
straight into BlueOnyx.


--
With best regards

Michael Stauber


[BlueOnyx:26334] Re: CalDAV + CardDAV (Contacts & Address Books) integration for BlueOnyx?

2023-06-28 Thread Michael Stauber via Blueonyx

Hi Larry,


> +1 from me as well.  We have been supporting localized installs
> of Horde/IMP webmail specifically for its calendar functions and
> this would give our clients/customers another option.


Very well. I'm 80% done building the 5211R version and porting it to 
5210R will be easy.


Yeah, having a centralized and self hosted calendar and contact list can 
be quite useful.


--
With best regards

Michael Stauber


[BlueOnyx:26331] CalDAV + CardDAV (Contacts & Address Books) integration for BlueOnyx?

2023-06-26 Thread Michael Stauber via Blueonyx

Hi all,

I've got a request for implementing CalDAV and CardDAV into BlueOnyx on 
the table. These are open protocols that allow users to manage their 
Calendar and Address Books by storing them on the server. This can then 
be accessed (via username, password and URL) on the server by pretty much 
any application that supports it. Like various email clients and 
calendar software.


This also allows to synchronize/merge various calendars and address 
books and what not.


I've looked into a few open source projects for this and got this 
narrowed down to using a Python based solution called "Radicale": 
https://radicale.org


If integrated into BlueOnyx, you could turn the feature on or off server 
wide and your users then can create and manage their own CalDAV and 
CardDAV address books and calendars via the BlueOnyx GUI. And these can 
then be used in external applications such as Thunderbird, Outlook and 
what not.


What's the general consensus on this?

Is that something you'd find useful to have?

The integration is a few days of work and it's planned for 5210R and 5211R.

If you'd find this useful to have, consider chipping in via a donation:

https://www.blueonyx.it/donations

If we can raise 500 Euros I'll integrate it into the stock BlueOnyx free 
of charge. If not? Then I'll release it via the shop as paid add-on.


--
With best regards

Michael Stauber


[BlueOnyx:26329] Re: issues after php 8 updates - fixed

2023-06-25 Thread Michael Stauber via Blueonyx

Hi all,

About the "Zip" extension issue in PHP-8.0, 8.1 and 8.2:


> ./configure [...] --with-zip=/home/solarspeed/libzip
>
> Yet the result is still this:
>
> # ldd /home/solarspeed/php-8.2/bin/php-cgi|grep zip
>      libzip.so.5 => /lib64/libzip.so.5 (0x7ff2b72ef000)



This actually turned out to be pretty nuts, but I think I have it sorted 
now. New PHP-8.0, 8.1 and 8.2 packages with working "zip" extension have 
just been released to NewLinq. These PKGs are for 5209R, 5210R and 5211R.


This release is accompanied by an updated "solarspeed-libzip" RPM served 
out of the BlueOnyx YUM repositories. That updates the side-loaded 
libzip to version 1.10.0-2 and also includes an 
/etc/ld.so.conf.d/solarspeed-libzip.conf with this in it:


/home/solarspeed/libzip/lib64

That bends the library path into shape and the libzip.so.5 from the 
"solarspeed-libzip" RPM is finally used.


--
With best regards

Michael Stauber


[BlueOnyx:26328] Re: negative AV-Spam score

2023-06-22 Thread Michael Stauber via Blueonyx

Hi Chris,


> Am I the only person who emails myself things from time to time?


Nope. :o)

I've also fallen into that trap and SPF is hitting me hard on this, too. 
Worse: I have an aggregator email account, which gets the forwards from 
all business and project related emails via email forwarding.


The BlueOnyx email forwarding keeps the original sender address, which 
is a bad idea when the originating account has strict SPF rules configured.


It's on my to-do list for next week: To overhaul the email forwarder in 
BlueOnyx to change the FROM in forwarded emails to the recipients 
address and to set the original FROM address into the REPLY-TO field 
instead.


--
With best regards

Michael Stauber


[BlueOnyx:26327] Re: issues after php 8 updates

2023-06-22 Thread Michael Stauber via Blueonyx

Hi Juerg,

> Remi PHP 8.x offers a zip-module also on EL8 (but also updates libzip to
> "libzip-1.9.2-1.el8.remi.x86_64"). Maybe you could use this module or
> updated libzip library from there.


Yeah, we also bring another (more modern) libzip aboard, which is 
installed under /home/solarspeed/libzip/ and PHP was specifically 
compiled against it with ...


./configure [...] --with-zip=/home/solarspeed/libzip

Yet the result is still this:

# ldd /home/solarspeed/php-8.2/bin/php-cgi|grep zip
libzip.so.5 => /lib64/libzip.so.5 (0x7ff2b72ef000)

It still links against the old onboard libzip and that's then missing 
some symbols and what not. Tried various compiler options and flags, set 
library paths and the usual stuff, but PHP has always been a bit hard 
headed about what it compiles and links against.


So back to the drawing board on this. I guess I'll try the Zip extension 
from PECL again.


--
With best regards

Michael Stauber


[BlueOnyx:26319] Re: issues after php 8 updates

2023-06-22 Thread Michael Stauber via Blueonyx

Hi Tim,


> Below are errors that I see for one plugin.
> (It's not just related to this one plugin. I get them when working with
> Elementor and others. Some plugins are just fine.)
>
>   [client 75.135.86.221:49756 ]
> /home/solarspeed/php-8.2/bin/php-cgi: symbol lookup error:
> /home/solarspeed/php-8.2/bin/php-cgi: undefined symbol:
> zip_compression_method_supported, referer:
>
> I tried various versions of php 8 and all throw this error.


This is on a BlueOnyx 5210R, right?

Until recently the PHP-8.X versions of PHP for BlueOnyx 5210R were 
missing the "Zip" extension, as there were issues building it against 
the ancient libzip that ships with EL8.


I eventually managed to build it just fine, but according to the error 
messages you see there it errors out when someone actually tries to use it.


I'll look into it again and will rebuild all PHP-8.X packages for 5210R. 
Either with Zip support (if I can solve the issue) or without. However, 
this is a somewhat complex issue, so it'll take me a few days to solve it.


--
With best regards

Michael Stauber


[BlueOnyx:26317] Re: negative AV-Spam score

2023-06-22 Thread Michael Stauber via Blueonyx

Hi Juerg and Meaulnes,

> Rules are documented in the files Larry told you, maybe in another
> directory, but you can search for the filenames. Do not change the
> score in this file, because this file will be replaced after an update.
> You can create new scores in the file you create your own rules in (because
> I don't use the plugin I don't know its location). Simply add a line:
>
> score BAYES_00  -4
>
> to overwrite the score for BAYES_00.


Basically it works like this:

You can place your own (server wide) rules or score changes in a new 
file in the directory /etc/mail/spamassassin/


Make sure the file name ends with *.cf and then do a "systemctl restart 
spamassassin" to put it into effect.


As long as you don't modify an existing file your own changes will 
survive through AV-SPAM and SpamAssassin updates.


User rules (which apply only to a single specific user) are located in 
~username/.spamassassin/user_rules and there is a GUI editor to modify them.


--
With best regards

Michael Stauber


[BlueOnyx:26311] Re: Redhat sources

2023-06-21 Thread Michael Stauber via Blueonyx

Hi Christoph,


> Wondering if this will be indirectly affecting BX via Alma/Rocky:
>
> https://www.redhat.com/en/blog/furthering-evolution-centos-stream


I can't speak for AlmaLinux or RockyLinux, but RedHat still has to honor 
their OpenSource commitment to publish their sources *somewhere*. After 
all: They're for the most part just repackaging OpenSource software and 
mixing it into a stable distribution.


They'll still be publishing the sources based on the announcement, but 
put their RHEL sources behind the paywall that requires having an active 
RedHat subscription. Which is fair enough.


--
With best regards

Michael Stauber
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx


[BlueOnyx:26308] Re: HTTPS redirect

2023-06-20 Thread Michael Stauber via Blueonyx

Hi Ken,


The AllowOverride checkboxes are what I was missing.


Very well. Am glad to hear you could sort it.

--
With best regards

Michael Stauber

___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx


[BlueOnyx:26305] Re: HTTPS redirect

2023-06-20 Thread Michael Stauber via Blueonyx

Hi Ken,

I’m embarrassed to ask about an old 5208R system we have, obviously it 
is seriously out of date.  So if you ignore me or yell at me, I will 
understand.


Nah, no yelling. It's high time to upgrade, but we all know how it goes. :o)

I don’t particularly care what happens when someone types the IP address 
as the URL, but if they type www.domain.com, I’d like them to get 
https://www.domain.com just like when they type domain.com.


Yeah, with shared hosting the thing is that when someone goes to the IP 
and there are multiple Vsites on it? They land on the first VirtualHost 
that's configured in Apache for that IP.


For domain name redirects from HTTP to HTTPS a .htaccess is usually the 
simplest option.


However, usage of .htaccess files is not allowed in Vsites by default, 
as they can be used to reconfigure Apache and sometimes we might not 
want siteAdmins to be able to do that.


So first go to "Server Management" / "Network Services" / "Web" and make 
sure that under the grey heading "Options:" you have all checkboxes 
ticked. You can leave "MultiViews" and "SymLinksIfOwnerMatch" unchecked. 
Under "AllowOverride:" tick all checkboxes.


Then create a .htaccess in the /web directory of your Vsite and put the 
following three lines into it:


RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

That should do it.

--
With best regards

Michael Stauber
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx


[BlueOnyx:26302] BlueOnyx 5209R/5210R/5211R: Updated AV-SPAM (v7.2.4-1)

2023-06-16 Thread Michael Stauber via Blueonyx

Hi all,

I just released updated AV-SPAM PKGs to NewLinQ which contain several 
fixes and improvements.


One notable new feature is in Milter-GeoIP: If you block whole networks 
or countries via the IP Blacklist or GeoIP then there might be cases 
where you still want to whitelist one or more IPs from said blacklist or 
country-block. This is now possible via "Whitelisted IP address ranges". 
Emails from "Whitelisted IP address ranges" will bypass the Milter-GeoIP 
filter entirely.


Furthermore the included Clam AV has been updated to the latest version 
(v1.1.0).


The new AV-SPAM PKGs are available for BlueOnyx 5209R, 5210R and 5211R 
to NewLinQ subscribers of product groups that include the AV-SPAM.


Shop link: https://shop.blueonyx.it/blueonyx/email/av-spam.html

--
With best regards

Michael Stauber
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx


[BlueOnyx:26301] BlueOnyx 5209R/5210R/5211R: Updated Fail2ban PKGs available

2023-06-15 Thread Michael Stauber via Blueonyx

Hi all,

I just released updated Fail2ban PKGs to NewLinQ which upgrade Fail2ban 
to the latest versions.


These PKGs are available for BlueOnyx 5209R, 5210R and 5211R.

The GUI for managing Fail2ban got a small addition which now allows you 
to choose the "Ban Method" Fail2ban uses, in case several are available 
to you. Availability of "Ban Methods" depends on whether you have APF 
and/or Firewalld installed from the Shop as well.


If neither APF nor Firewalld is present, Fail2ban will use null-routes 
to block offending IPs.


Shop link: https://shop.blueonyx.it/fail2ban.html

--
With best regards

Michael Stauber
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx


[BlueOnyx:26300] Re: Saving APF Blacklist opens firewall

2023-06-15 Thread Michael Stauber via Blueonyx

Hi John,

FWIW: I've squelched my current issue with an awk command in a 
relatively simple bash script:


    #!/usr/bin/env bash
    #
    # Follow the Apache error log and ban, via APF, every client that
    # triggers AH01630 ("client denied by server configuration").
    # stdbuf keeps the pipeline unbuffered so bans happen immediately;
    # sed turns the bracketed fields into '|'-separated columns so that
    # awk's $5 is the "client IP:port" field.
    stdbuf -i0 -o0 -e0 tail -F /var/log/httpd/error_log \
      | stdbuf -i0 -o0 -e0 sed 's/] \[/|/g;s/\[/|/g;s/\]/|/g' \
      | stdbuf -i0 -o0 -e0 awk -F '|' '/AH01630/ {
            match($5, /^client (.*):/, ip)          # gawk 3-arg match
            print "banning " ip[1]
            system("apf -d " ip[1] " banned wp hacker")
        }'



This may need some tweaking, but to replicate that in Fail2ban I'd 
probably do something like this:


Create /etc/fail2ban/filter.d/httpd-ah01630.conf with this in it:

--
[INCLUDES]
before = apache-common.conf

[Definition]
# the client address precedes "AH01630:" in the log line; _apache_error_client (from apache-common.conf) matches it as <HOST>
failregex = ^%(_apache_error_client)s AH01630: client (?:rejected|denied) by server configuration\b
ignoreregex =
--

Create /etc/fail2ban/jail.d/httpd-ah01630.conf with this in it:

--
[httpd-ah01630]
enabled = true
port = 80,81,443,444
filter = httpd-ah01630
logpath = /var/log/httpd/error_log
--

Then "systemctl restart fail2ban" to make this active and do some 
testing to see if it works.


--
With best regards

Michael Stauber
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
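
Added example for the "do some testing" step, not code from the post 
and not part of the Fail2ban package: it writes the filter, a 
constructed error_log with lines that should and should not match, and 
checks them with fail2ban-regex where the filter is installed, or with a 
simplified sed extractor otherwise. In an Apache 2.4 error line the 
client address comes before "AH01630:", so the filter matches it through 
the `_apache_error_client` prefix that fail2ban ships in 
filter.d/apache-common.conf. The sample log lines are made up, and the 
sed regex is only a stand-in for fail2ban's <HOST> handling.

```sh
#!/bin/sh
# Added example, not code from the list post: exercise the AH01630 filter
# against constructed Apache error_log lines before enabling the jail.
# Assumptions: the sample lines are made up; the sed extractor is a
# simplified stand-in for fail2ban's <HOST> matching, used to show which
# lines should count when fail2ban-regex cannot be run.
set -eu

# The filter. In an Apache 2.4 error line the client address comes BEFORE
# "AH01630:", so reuse the _apache_error_client prefix from fail2ban's
# filter.d/apache-common.conf, which already carries the <HOST> capture.
write_filter() {
    cat > "$1" <<'EOF'
[INCLUDES]
before = apache-common.conf

[Definition]
failregex = ^%(_apache_error_client)s AH01630: client (?:rejected|denied) by server configuration\b
ignoreregex =
EOF
}

# Constructed sample log: two denials from one IPv4 client (event MPM,
# "pid:tid"), one from an IPv6 client (prefork MPM, pid only), and two
# lines that must NOT match (a different AH code, and an AH01631 auth failure).
write_sample_log() {
    cat > "$1" <<'EOF'
[Thu Jun 15 10:21:03.123456 2023] [authz_core:error] [pid 4321:tid 139812345678] [client 203.0.113.7:51234] AH01630: client denied by server configuration: /home/sites/site1/web/xmlrpc.php
[Thu Jun 15 10:21:04.223456 2023] [authz_core:error] [pid 4321:tid 139812345678] [client 203.0.113.7:51240] AH01630: client denied by server configuration: /home/sites/site1/web/wp-config.php
[Thu Jun 15 10:21:05.323456 2023] [authz_core:error] [pid 4322] [client 2001:db8::1:40000] AH01630: client denied by server configuration: /home/sites/site2/web/.env
[Thu Jun 15 10:21:06.423456 2023] [core:error] [pid 4322] [client 198.51.100.9:40001] AH00126: Invalid URI in request GET /%zz HTTP/1.1
[Thu Jun 15 10:21:07.523456 2023] [authz_core:error] [pid 4322] [client 198.51.100.9:40002] AH01631: user admin: authorization failure for "/private/":
EOF
}

# Fallback extractor: print the client address of every AH01630 denial in
# log $1, one per line. Apache 2.4 appends ":port" to the client address,
# so the final ":digits" is stripped; that keeps IPv6 addresses intact.
ah01630_hosts() {
    sed -E -n 's/^\[[^]]*\] \[[^]]*\]( \[pid [0-9]+(:tid [0-9]+)?\])? \[client ([^]]+)\] AH01630: client (rejected|denied) by server configuration.*/\3/p' "$1" \
        | sed -E 's/:[0-9]+$//'
}

# Preferred check once the filter is installed under /etc/fail2ban/filter.d
# (so the apache-common include resolves): fail2ban's own tester reports
# how many lines matched and which hosts it extracted.
check_filter() {
    log="$1"; name="$2"
    if command -v fail2ban-regex >/dev/null 2>&1 \
       && [ -f "/etc/fail2ban/filter.d/$name.conf" ]; then
        fail2ban-regex "$log" "$name"
    else
        echo "filter $name not installed or fail2ban-regex missing; sed fallback (count, host):" >&2
        ah01630_hosts "$log" | sort | uniq -c
    fi
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_filter "$tmp/httpd-ah01630.conf"    # copy to /etc/fail2ban/filter.d/ when satisfied
    write_sample_log "$tmp/error_log"
    check_filter "$tmp/error_log" httpd-ah01630
    rm -rf "$tmp"
fi
```

With the filter in place, "fail2ban-regex /var/log/httpd/error_log 
httpd-ah01630" against the real log is the check to run before 
restarting fail2ban, and "fail2ban-client status httpd-ah01630" 
afterwards shows whether the jail is actually banning.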


[BlueOnyx:26299] Re: Saving APF Blacklist opens firewall

2023-06-15 Thread Michael Stauber via Blueonyx

Hi John,


Possibly fail2ban is what I want ... I am not sure.


Yeah, it's the best option for detecting and blocking illicit access to 
the server. I'm currently rolling up the latest version of Fail2ban for 
5209R/5210R/5211R and it should be out tomorrow.


But the settings page in BlueOnyx is just a long list of checkboxes.  No 
explanation of how each setting works.


Hover over any option with the mouse-pointer for a second or two and a 
helptext will appear.


And the wiki link from the settings page says: "This topic does not 
exist yet: You've followed a link to a topic that doesn't exist yet. If 
permissions allow, you may create it by clicking on “Create this page”."


Which GUI page is that? We do have Wiki-pages for most of them, so if 
there is something missing, I'd like to address it one of these days.



There is also a settings page for Dfix2 that looks very appropriate.


I would advise against using Dfix2. Yeah, sure: It's a free package, but 
it's pretty ancient and works less well on more modern BlueOnyx versions.


What I expected to see on the Dfix2 (or possibly fail2ban) settings page 
was the ability to choose an input source, enter in the regex(s), and be 
done.


Fail2ban is a very mature solution and it has regexps that cover pretty 
much all the eventualities that we usually want to block - and then 
some. But it also doesn't allow you to modify regexps via the GUI. We 
simply can't validate user supplied regexps via the GUI and an incorrect 
regexp will usually cause issues.


But the Fail2ban configs are pretty straightforward and can easily be 
adapted. And it has such a widespread proliferation, that probably 
someone already has the perfect rule and regexp for exactly the case 
you're looking for.


Like I said: The latest version will be available as PKG tomorrow and I 
would recommend to then give it a try. Fail2ban works nicely with APF 
and Firewalld and (if present) will use them to block offending IPs. In 
the absence of APF and Firewalld it'll use null-routes or (on 5209R) 
hosts.deny instead.


--
With best regards

Michael Stauber
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx


[BlueOnyx:26294] Re: Saving APF Blacklist opens firewall

2023-06-14 Thread Michael Stauber via Blueonyx

Hi John,


I actually see it is even simpler than that...

*/etc/apf/apf -d 88.210.37.73 added by John*
That's correct. Just adding an IP or IP address range via "apf -d " 
doesn't require a full reload of APF.


--
With best regards

Michael Stauber
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx


[BlueOnyx:26291] Re: Saving APF Blacklist opens firewall

2023-06-13 Thread Michael Stauber via Blueonyx

Hi John,


I'd like to counter if I may.


Sure!

It is taking a full minute and more to do the complete reload, in which 
time there are many hacking efforts at play.


iptables uses chains.  Instead of flushing everything and then building 
and adding one chain at a time:

1. Don't flush
2. Create a new chain(s) with the new rules
3. Insert the new chain(s) before the old chain
4. Remove the old chain(s)
5. Rename the new chain(s) to be the same as the old chain(s)



In principle this is a good idea, but I'm not sure if I want to go 
there. I consider APF a legacy product that will go away in 12 months 
and 17 days when CentOS 7 goes EOL. APF has served us very well for 
many, many years. No doubt about it. Yet 12 months before its retirement 
isn't really the right time to start making fundamental changes to it.


When you look under the hood of APF, you see that the code is quite 
complex and the way it is structured doesn't make inserting new chains 
and removing *all* previous chains that easy. And I guess that's why the 
original coders of APF did go the route of flushing all chains on a 
restart. It's doable, but at this point it might not really be worth the 
effort compared to the associated risks of releasing a modified APF that 
*might* have new flaws that were overlooked in testing. I'd rather not 
rock that boat.


And for modern versions of BlueOnyx we already have Firewalld as a more 
capable replacement.


--
With best regards

Michael Stauber
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx


[BlueOnyx:26289] Re: fail2ban loses ignore IP list

2023-06-13 Thread Michael Stauber via Blueonyx

Hi Darren,


I'd like to follow up on this - is 0.10.5-4 on 5209r correct or should there be 
a newer one?


I'm currently working on an updated Firewalld package for 
5209R/5210R/5211R and it should be ready sometime this week.


--
With best regards

Michael Stauber
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx


[BlueOnyx:26288] Re: Saving APF Blacklist opens firewall

2023-06-13 Thread Michael Stauber via Blueonyx

Hi John,


(On 5209r)
I have noticed if I add an ip address to the APF Blacklist and press 
Save, the firewall is open during the save process.
There are a lot of addresses in the firewall, and it takes several 
seconds to process the saving of the list.
The firewall should be delaying traffic, not permitting traffic that 
should be blocked while the rules are activated.


I believe under the hood you are using iptables?
overly simplified operations should be:

iptables -P INPUT DROP    # disable until all block rules are in place
iptables -P FORWARD DROP  # disable until all block rules are in place
iptables -P OUTPUT DROP   # disable until all block rules are in place
iptables -F               # flush rules
# add blocking rules for blacklist
# add rule at end to permit www traffic not already blocked



Indeed, APF uses "iptables" and it's the oldest firewall solution we 
offer for BlueOnyx. It has since then been superseded by "Firewalld", 
which is included in the purchase of APF, but only offered for download 
if the target server is a BlueOnyx 5210R or BlueOnyx 5211R.


On BlueOnyx 5209R only the iptables based APF is a practical choice.

And you're right: When APF is restarted, it first flushes all rules and 
then sets up the new rules one by one in a large loop. If you have many 
rules active, then this might take a moment and during that time the 
server is unprotected or (as more rules kick in) then gradually more and 
more protected.


If IPs are added to or removed from the whitelist or blacklist, then a 
full restart of APF isn't necessary. Instead just the relevant rules will 
be added/removed and the rest remains undisturbed. But when saving in the 
GUI we sort of have to hit the whole thing on the head and let APF do a 
full flush of the rules. We can't really avoid that.


There are naturally two different general approaches possible and these 
revolve around different philosophies. For some users a full on and 
complete inaccessibility of the server during a firewall restart might 
be acceptable, but for most it isn't. In fact I'll always be sweating 
blood and water if a server I'm working on just drops off the net and 
stops responding. We're not really in the business of giving people 
heart attacks. :o)


So yeah: The way it is? That's intentional to minimize disruptions and 
to not "rock the boat" too much.


As for Firewalld on 5210R and 5211R? That uses "nftables", which is the 
modern replacement of "iptables". One of the really *great* benefits of 
it is that we can use IPsets to quickly load *massive* IP blacklists 
into the firewall.


You can see this here for example:

https://shop.blueonyx.it/catalog/product/gallery/image/216/id/200/

When you blacklist a whole country from accessing your server 
(especially if it's a large one such as China), then this would result 
in a ridiculously impractical and massive amount of iptables rules. The 
current ruleset we use for China has 8673 IP address ranges in it. But 
if we load those blocked 8673 IP address ranges as IPSet? Then it's just 
a single firewall related transaction that gets performed. And that's 
blazingly fast and efficient.


Our Firewalld implementation also flushes the rules during a restart and 
therefore "opens up" briefly on a restart. But it's so much faster that 
you almost don't notice it.


So yeah: We do it this way to not rock the boat. APF is great, but it's 
really "old technology" and once you move to a newer version of 
BlueOnyx, be sure to try "Firewalld" instead. Your APF purchase already 
gives you access to it if you'd link it to a 5210R or 5211R.


--
With best regards

Michael Stauber
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
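
Added example, not code from the list posts and not part of APF or of 
the BlueOnyx Firewalld package: the chain swap John outlined in 
[BlueOnyx:26291] and the IPSet load described above, as one script that 
replaces a blacklist without first flushing INPUT. The chain name 
BLUEONYX_BLOCK, the set name bo_block and the blocklist format (one IP 
or CIDR per line, "#" comments allowed) are assumptions of the example; 
DRY_RUN=1, the default, prints the iptables/ipset commands instead of 
running them so the sequence can be inspected first.

```sh
#!/bin/sh
# Added example, not code from the list posts or from APF: replace an
# iptables blacklist without the window in which everything has been
# flushed and nothing is blocked yet. Variant 1 is the chain swap proposed
# in the thread; variant 2 uses an ipset, the mechanism behind loading
# thousands of ranges in a single transaction. Assumed names: chain
# BLUEONYX_BLOCK, set bo_block, blocklist file with one IP or CIDR per
# line. DRY_RUN=1 (default) echoes the commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
CHAIN="${CHAIN:-BLUEONYX_BLOCK}"
SET="${SET:-bo_block}"

run() {                                    # execute, or echo when dry-running
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Variant 1: build the new rules in a fresh chain, then swap the single jump
# in INPUT. INPUT is never without a blocking chain: from the instant the
# "-I" lands the new chain is live, and only then is the old one removed.
# "-w" makes iptables wait for the xtables lock instead of failing when
# another process (APF, Fail2ban) holds it.
chain_swap() {
    blocklist="$1"
    new="${CHAIN}_new"
    run iptables -w -N "$new" 2>/dev/null || run iptables -w -F "$new"   # new, or leftover from a failed run
    while read -r net; do
        case "$net" in ''|\#*) continue ;; esac
        run iptables -w -A "$new" -s "$net" -j DROP
    done < "$blocklist"
    run iptables -w -A "$new" -j RETURN
    run iptables -w -I INPUT 1 -j "$new"          # new list live from here on
    run iptables -w -D INPUT -j "$CHAIN" || true  # old jump (absent on first run)
    run iptables -w -F "$CHAIN" || true
    run iptables -w -X "$CHAIN" || true
    run iptables -w -E "$new" "$CHAIN"            # rename; the INPUT jump follows
}

# Variant 2: ipset. The INPUT rule that references the set is created once
# and never changes; each reload fills a scratch set and exchanges it with
# the live one. "ipset swap" is atomic, so a packet is checked against the
# complete old list or the complete new list, never a half-loaded one.
ipset_swap() {
    blocklist="$1"
    new="${SET}_new"
    run ipset -exist create "$new" hash:net family inet
    run ipset flush "$new"                        # drop leftovers from a failed run
    while read -r net; do
        case "$net" in ''|\#*) continue ;; esac
        run ipset -exist add "$new" "$net"
    done < "$blocklist"
    run ipset -exist create "$SET" hash:net family inet   # no-op after the first run
    run ipset swap "$new" "$SET"                  # atomic exchange of contents
    run ipset destroy "$new"                      # now holds the previous list
}

# Once only: the match rule for the set. Re-running it would add a duplicate.
ipset_install_rule() {
    run iptables -w -I INPUT 1 -m set --match-set "$SET" src -j DROP
}

case "${1:-}" in
    chain) chain_swap "$2" ;;
    ipset) ipset_swap "$2" ;;
    rule)  ipset_install_rule ;;
esac
```

Run "sh swap.sh chain /path/to/list" first with the default DRY_RUN=1 
and read the output: the "-I INPUT 1" for the new chain is printed 
before the "-D INPUT" for the old one, which is the whole point. 
iptables-restore is the other standard way to get the same guarantee, 
since it replaces a complete table in one kernel call; the per-rule loop 
after a flush, as described above for APF, is what opens the window.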


[BlueOnyx:26285] Re: Continuing Support for BlueOnyx: Your Help Makes a Difference!

2023-06-04 Thread Michael Stauber via Blueonyx

Hi Meaulnes,

sorry dear Michael, but the payment form at 
https://www.blueonyx.it/donations doesn't accept payments from my Swiss 
AmEx credit card, it falls back to PayPal (that I hate) in the United 
States without the possibility to use a Swiss phone number...


So let me know how I can proceed

If you still have the PDF of an old invoice you can use the bank details 
that are listed on it for a wire transfer. Aside from Paypal that's 
currently the only option. Many thanks! Much appreciated!


--
With best regards

Michael Stauber
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx


[BlueOnyx:26283] Continuing Support for BlueOnyx: Your Help Makes a Difference!

2023-06-04 Thread Michael Stauber via Blueonyx

Dear BlueOnyx Community,

I hope this message finds you well. I am reaching out to you today with 
a humble request for your support to ensure the continued development 
and sustainability of the BlueOnyx project.


As you may know, BlueOnyx has always been an open-source endeavor, 
driven by the passion and dedication of individuals like yourself. 
Together, we have built a powerful and user-friendly platform that 
empowers countless users worldwide.


Over the past year, I have dedicated my energy to the development and 
release of BlueOnyx 5211R, a remarkable milestone in our journey. I take 
great pride in this accomplishment, knowing it has been made possible by 
the collective efforts of our passionate community. It is also great to 
see that BlueOnyx 5211R found such widespread acceptance within our 
community and it has also attracted a small influx of new adopters.


However, I want to be transparent about the challenges we are currently 
facing. The sales figures for our commercial add-ons at SOLARSPEED.NET, 
our associated company, have not met our expectations. This has put both 
the BlueOnyx project and our company in a position of uncertainty when 
it comes to financial sustainability. In part our generous licensing, 
which allows you to use our software on all supported BlueOnyx versions, 
meant that even the widespread adoption of BlueOnyx 5211R didn’t 
significantly result in new software purchases, as licenses are transferable from an 
old server to a new one. Likewise: Easy-Migrate works so well, that our 
offered migration services from older to newer BlueOnyx versions are now 
hardly ever needed or requested, which culled another source of regular 
income.


While we have made efforts to secure alternative sources of income, it 
is clear that we cannot continue without the support of our valued 
community members like you. Your contributions have always played a 
pivotal role in enabling us to provide a free and robust platform like 
BlueOnyx.


Today, I am reaching out to kindly request your support once again. If 
you have found value in BlueOnyx and believe in the project's mission, I 
kindly request that you consider making a donation to support our 
ongoing efforts or consider making a purchase in the BlueOnyx shop. 
Maybe you have a license that needs renewal or would like to try some of 
our software that you so far haven’t purchased? Your contributions, 
whether through a one-time donation, a small purchase or a monthly 
commitment, can truly make a difference. To make a donation securely and 
conveniently or consider a software purchase, please visit our donation 
page or our online shop:


https://www.blueonyx.it/donations
https://shop.blueonyx.it

I want to express my sincere gratitude to those who have already 
donated. Your generosity has been instrumental in our progress so far. 
Now, we humbly ask you to consider continuing your support and inspiring 
others to join our cause. Together, we can create a strong and 
sustainable foundation for BlueOnyx, fostering innovation and benefiting 
the entire community.


If you are unable to contribute financially at this time, we completely 
understand. There are still meaningful ways to help, such as spreading 
awareness about BlueOnyx, sharing your success stories, or contributing 
your skills to further enhance the project. Your active participation 
and engagement are invaluable to our community's growth and success.


Thank you for being a part of the BlueOnyx community and for considering 
our request. Together, we can overcome these challenges and continue 
building a platform that empowers individuals and businesses around the 
globe.


--
With sincere appreciation,

Michael Stauber
BlueOnyx Project Lead
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx


[BlueOnyx:26281] Re: Testing smtp_tls_level in main.cf

2023-06-03 Thread Michael Stauber via Blueonyx

Hi Arie,


Another test to see if I receive list mailings


No more test to the list please! This isn't a playground.

--
With best regards

Michael Stauber
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx

