Monday, 1 July 2013

Secure imap, pop3 and smtp on a plesk server

One of the most annoying things I find with Plesk is the total lack of GUI options to change the email SSL certificates. To add a properly validated cert to your mail services you have to go digging around in the terminal, and the help from Plesk seems to be non-existent.

This little walk-through assumes you are using a cert that needs an intermediate certificate. I don't know how to say for sure if you need one or not, but try this without the TLS_TRUSTCERTS bits and see if it works. If not (ie, if your cert is not accepted by your mail client) try adding the bits you missed.

The easy bit (relatively) is to replace the cert for smtp. Depending on your MTA you either need to replace /var/qmail/control/servercert.pem or /etc/postfix/postfix_default.pem. 'mv' the existing file out of the way and then use 'vi' to create a new one. Paste your private key followed by your certificate and save. The .pem file should look like this (but with more lines of key where the ... bits are);

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCYFeAgFta7B8eD
...
pZ/OF1TI4tew/CTW8SWIIik=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIEtDCCA5ygAwIBAgISESFuFiBSDkFktSUNNJgN861dMA0GCSqGSIb3DQEBBQUA
...
urb3UARrqL8=
-----END CERTIFICATE-----

Next we start on imap/pop3. Start by checking the /etc/courier-imap/imapd-ssl and /etc/courier-imap/pop3d-ssl config files to see where TLS_CERTFILE points. Whilst you are there it's worth checking TLS_TRUSTCERTS too. On my install they were next to each other in the file. If TLS_TRUSTCERTS is commented out or has no value I would suggest setting it to the same path as TLS_CERTFILE but with a cert called trustcerts.pem (the name used in the commands below). If it helps, it was all at around line 140-160 for me. Remember to check both files or one service will work and the other will remain broken.

Next you need to back up your current .pem files (just in case).

cd /usr/share/courier-imap/
mv imapd.pem imapd.pem.001
mv pop3d.pem pop3d.pem.001
mv trustcerts.pem trustcerts.pem.001

Next create your new .pem file

vi imapd.pem

Paste your private key followed by your certificate so you get something like you did for the smtp bit above. Save and exit vi.
The imapd.pem and pop3d.pem files have exactly the same content, so create one and then copy it to the other.

cp imapd.pem pop3d.pem

Next you need to add your intermediate certificate. For me this seemed to be the second part of the CA certificate as listed in Plesk's SSL cert control panel. In my example there were 2 certs in there; it was the second one that worked. So vi trustcerts.pem and paste the cert (including the begin and end tags). Save and exit vi when you are done.

Finally restart all the services that you have changed. Something like this should do;

/etc/init.d/xinetd restart
/etc/init.d/courier-imap restart

Test with your choice of mail client configured to use ssl.
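As an added example (not part of the original post), here is a small shell helper set for the steps above: it builds the combined key+cert .pem, checks that the key actually belongs to the certificate before anything is restarted, and then uses openssl s_client to see what the services really serve. The mail.example.com hostname in the comments is a placeholder.

```shell
# Added example (not from the original post): build the combined key+cert
# .pem that qmail/Postfix and Courier-IMAP expect, check the key matches the
# certificate before it goes live, and show what the services really serve.
# Hostnames and paths used in the comments are placeholders.
set -e

# Concatenate private key then certificate (the post's layout), keeping the
# file mode 600 since it carries the private key.
build_mail_pem() {          # $1 key.pem  $2 cert.pem  $3 output .pem
    (umask 077; cat "$1" "$2" > "$3")
    chmod 600 "$3"
}

# Return 0 only when key and certificate carry the same public key. Catching
# a mismatch here beats finding it after restarting courier-imap.
check_key_matches_cert() {  # $1 key.pem  $2 cert.pem
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$pub" = "$cert_pub" ]
}

# Count certificates in a file: imapd.pem/pop3d.pem should hold exactly one,
# trustcerts.pem only the intermediate(s).
count_certs() {             # $1 pem file
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Show the chain a service presents and whether it verifies from the client
# side. IMAPS/POP3S speak TLS at once; SMTP needs STARTTLS first.
show_served_chain() {       # $1 host  $2 port  [$3 starttls protocol, e.g. smtp]
    if [ -n "$3" ]; then
        openssl s_client -connect "$1:$2" -starttls "$3" -showcerts </dev/null 2>&1
    else
        openssl s_client -connect "$1:$2" -showcerts </dev/null 2>&1
    fi | grep -E 'Verify return code|^ *[0-9]+ s:|^ *i:'
}

# After the restarts in the post (mail.example.com is a placeholder):
#   show_served_chain mail.example.com 993
#   show_served_chain mail.example.com 995
#   show_served_chain mail.example.com 25 smtp
```

A "Verify return code: 0 (ok)" from s_client on all three ports means the intermediate in trustcerts.pem is being sent and the chain validates without any help from the mail client.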

Tuesday, 11 June 2013

Plesk 10 + 11 blocking mail to microsoft live email address

After much messing around and several calls to my VPS provider some time ago I established that the greylisting included with Plesk panel does something funny with Microsoft hosted email. Things like outlook.com, hotmail, live.com, anything from BT (which is all Microsoft hosted).

Having just had a new shiny Plesk v11 server commissioned I have hit the same problem. It's virtually unusable without some greylisting, but the built in one has this massive (in my opinion) flaw.

Whilst trying to find the solution again (didn't make a note last time...) I came across this article from Parallels.

http://kb.parallels.com/en/114739

It explains that the issue is because Microsoft dared to use the word "pool" in the FQDN of their outbound mail server pool. Now, it seems to me that if you have a pool of servers using the same name then using the word pool is a fairly reasonable thing to do when you describe it. Maybe they should increase the size of the pool and call it a lake, mere or water. Alternatively they could reduce the pool and make it a puddle.

Either way, to resolve the issue you need to turn off the greylisting, remove the word pool from the list of things that it looks for, or whitelist the Microsoft servers. The following command should do the latter for you; not sure if maybe just *.microsoft.com would be safer but I'll see how this does first.

/usr/local/psa/bin/grey_listing --update-server -domains-whitelist "add:*messaging.microsoft.com"

Please note that I have just stolen that line from the above referenced article, I didn't work it out myself.

I guess you could add this in via the web interface but that's just not hard core enough for me.

Friday, 7 June 2013

using reports in data path for sage

I regularly need to re-install Sage and one of the defaults always catches me out.

We store all our reports and templates in the data path to help keep things together and make backups easier to deal with. The problem is that every time you install sage it defaults to reading those files from some other path (not sure where).

The setting for this is in;
Settings, Company Preferences,
Enter the password for the current user
Then go to the Reporting Tab, "Use Data Path for Reports".

Tick the box, hit ok

I don't think you need to log out and back in but it probably wouldn't hurt.

GW

Tuesday, 21 May 2013

Plesk and SSL certificates

SSL certificates in Plesk seem to be a bit of a pain in the bum. The option to secure the control panel is not somewhere obvious (if you ask me) and to secure email connections you have to start digging around in a terminal. Now, whilst I don't mind that, I appreciate that other people may not be quite as happy...

So, to secure your control panel in Plesk first make sure you have a current, valid, signed certificate. I won't go into how to do this just yet, maybe that's a post for another week.

Once you have the certificate, from the left hand menu go to;
server management -> tools and settings

then head to
tools and resources -> ssl certificates

Find the SSL certificate that you want to use to secure the control panel (check it's the one with the hostname of the server) and tick the check box on the left hand side.

Head back up the page until you hit the blue bar with "remove ssl certificate", "secure the panel" and "make default for websites". Click "secure the panel".

It's fairly obvious when you know how but it takes me ages to remember where that bloody button is.

The next bit we need to do is secure the mail server side of things.

Monday, 13 May 2013

Mail Queue recovery on Qmail

One of my servers has once again been had by the unwashed idiots who like sending spam and have left me with a fairly significant mail queue to try and clear out.

The last time this happened there were 200,000 mails in the queue totalling a couple of gig, so on that occasion I decided to remove the queue and create a new one. I didn't write that one up but maybe I ought to at some point. Because this issue seems to be a little more manageable (a mere 18,000 and 300mb) I have decided to try and clear things up rather than create a new queue.

The most important thing to do in this situation (IMHO) is to stop the server from sending spam out, identify the source of the issue which has allowed someone to send the spam then "fix" the queue. This write up assumes that the first 2 items have been dealt with.

As always with the stuff I put here, it worked for me, your mileage may vary.

The first thing to do is find some pattern to search for in order to clean the crap from your queue;

cd /var/qmail/queue/mess/0
ls

This will give you a load of files with numeric ids, pick a few at random and

less <filename>

Look through and see if there is anything that looks out of place (like it's spam). In this particular instance (as I write this up) I found most of the spam had one of the following strings in it;

Subject: Exception Notification
Subject: Logistics Delivery Notification
Subject: Mail Notification Service

The problem had been caused by a crap php "contact us" page so a large amount of the mail appeared to come from anonymous@myservername.com. So I ran the following line first with the anonymous email address as the string and then with 'Notification' as the string, fully intending to go back in and see what was left;

find -type f -exec grep -q 'YOUR_STRING_HERE' '{}' \; -exec rm -f '{}' \;

It turns out however that this only left me with 41 emails in the queue so I decided not to bother.

Just for reference this line should give you the current length of your mail queue.
/var/qmail/bin/qmail-qstat

logs are at
/usr/local/psa/var/log/maillog
/usr/local/psa/var/log/smtp_pendings.log
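The find/rm line above only touches mess/0 and leaves the matching files in info/, remote/ and local/ behind, which qmail-send then complains about. As an added example (not from the original post) this generalises it: search every split of the queue, remove the control files along with the message, support a dry run, and do it with qmail-send stopped. The /etc/init.d/qmail script name is an assumption; QUEUE can be pointed elsewhere for testing.

```shell
# Added example (not from the original post): purge queued messages matching a
# pattern from every split of the qmail queue, removing the matching control
# files as well, so qmail-send is not left with orphaned info/remote/local
# entries after the message files vanish. QUEUE can be overridden for testing.
set -e
QUEUE=${QUEUE:-/var/qmail/queue}

# Print "split/id" for each queued message whose headers or body match the
# pattern. Searching mess/* covers every split, not just mess/0.
find_spam_ids() {           # $1 grep pattern
    find "$QUEUE/mess" -mindepth 2 -type f -exec grep -q -- "$1" {} \; -print \
        | sed "s|^$QUEUE/mess/||"
}

# Remove one queue entry: the message plus its sibling control files.
# With "dry" as the second argument, only report what would go.
remove_queue_entry() {      # $1 split/id  [$2 dry]
    id=${1#*/}
    # todo/ is unsplit on stock qmail and split on big-todo builds; try both.
    for f in "$QUEUE/mess/$1" "$QUEUE/info/$1" "$QUEUE/local/$1" \
             "$QUEUE/remote/$1" "$QUEUE/intd/$1" "$QUEUE/todo/$id" "$QUEUE/todo/$1"; do
        [ -f "$f" ] || continue
        if [ "$2" = dry ]; then echo "would remove $f"; else rm -f "$f"; fi
    done
}

# Purge everything matching a pattern and print the number of entries handled.
purge_queue() {             # $1 pattern  [$2 dry]
    n=0
    for entry in $(find_spam_ids "$1"); do
        remove_queue_entry "$entry" "$2"
        n=$((n + 1))
    done
    echo "$n"
}

# Do the purge with qmail-send stopped so nothing is mid-delivery while files
# disappear. /etc/init.d/qmail is assumed to be the init script on the host.
purge_queue_offline() {     # $1 pattern
    /etc/init.d/qmail stop
    purge_queue "$1"
    /etc/init.d/qmail start
}
```

Run `purge_queue 'Subject: Exception Notification' dry` first and read the list before running purge_queue_offline with the same pattern; qmail-qstat afterwards should show the count dropping by the number printed.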

GW

Tuesday, 23 April 2013

CD ROM related VM goodness

Need to change the settings for a CD ROM drive on a virtual machine? Here is an example for a physical device and for an .iso image. This needs to be put in the vm config xml file which should be accessed by entering the following command;
virsh edit <vmname>

Firstly for a block device;
<disk type='block' device='cdrom'>
<driver name='qemu' type='raw'/>
<source dev='/dev/sr0'/>
<target dev='hdc' bus='ide'/>
<address type='drive' controller='0' bus='1' unit='0'/>
<readonly/>
</disk>

And for a disk image try this;
<disk type='file' device='cdrom'>
<driver name='qemu' type='raw'/>
<source file='/srv/vmhost-01/ubuntu-12.04.2-server-amd64.iso'/>
<address type='drive' controller='0' bus='1' unit='0'/>
<target dev='hdc' bus='ide'/>
<readonly/>
</disk>

I'm guessing the address line may need adjusting but it should be about right.

vnc for virtual machines over the network

I have recently been playing around with Virtual machines quite a lot using ubuntu + libvirt + KVM etc. I keep coming across a problem which takes me ages to figure out but which should be simple.

Once I have started my vm and connected it to a VNC port I can never get to it over the network from a machine with a graphical interface. You are "supposed" to use ssh to create a secure tunnel to the vm host and connect VNC via that; this seems a bit of overkill however for a fairly secure LAN or if you are connecting via a management vlan that only admins have access to.

It is probably worth noting that this could be a security risk, do some more research if you are not happy. I suspect that changing "0.0.0.0" in the following lines to "192.168.1.0" or "192.168.1.153" for example would restrict it to your local subnet or a specific machine (assuming the address range is right for your network) but I have not tested this so please don't quote me...

Anyhow, the file we need to edit is;

/etc/libvirt/qemu.conf

the line we need is;

# vnc_listen = "0.0.0.0"

remove the hash, save the file and restart qemu;

service qemu-kvm restart

That should do the job
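As an added check (not from the original post) for the file just edited: libvirt binds VNC to 127.0.0.1 while vnc_listen stays commented out, 0.0.0.0 binds every interface the host has, and a console with no vnc_password is open to anyone who can reach the port. These helpers read the effective settings from a qemu.conf and map a virsh vncdisplay number to its TCP port; ss from iproute2 is assumed for the live socket listing.

```shell
# Added example (not from the original post): audit /etc/libvirt/qemu.conf for
# how VNC consoles are exposed. libvirt listens on 127.0.0.1 when vnc_listen is
# left commented out; 0.0.0.0 opens the consoles on every interface the host
# has, and without vnc_password anyone who can reach the port gets a console.
set -e

# Print the effective value of key $2 in file $1, or $3 when it is absent or
# commented out. Only the last uncommented assignment counts.
conf_value() {              # $1 file  $2 key  $3 default
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" \
        | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Classify a listen address: loopback, wildcard (all interfaces, including any
# untrusted network the host sits on) or one specific interface address.
classify_listen() {         # $1 address
    case "$1" in
        127.0.0.1|::1|localhost) echo loopback ;;
        0.0.0.0|::|"")           echo wildcard ;;
        *)                       echo specific ;;
    esac
}

# One-line report for a qemu.conf: where VNC binds and whether a password is set.
vnc_exposure_report() {     # $1 qemu.conf path
    listen=$(conf_value "$1" vnc_listen 127.0.0.1)
    pw=$(conf_value "$1" vnc_password "")
    if [ -n "$pw" ]; then pwstate=set; else pwstate=unset; fi
    echo "vnc_listen=$listen ($(classify_listen "$listen")) vnc_password=$pwstate"
}

# 'virsh vncdisplay' prints display N; the TCP port is 5900+N.
vnc_port_for_display() {    # $1 display string such as ":0" or "127.0.0.1:2"
    echo $((5900 + ${1##*:}))
}

# Live counterpart: list VNC-range listeners with the address they bound to
# (ss from iproute2 is assumed to be installed).
show_vnc_sockets() { ss -ltn | awk '$4 ~ /:59[0-9][0-9]$/'; }
```

Running `vnc_exposure_report /etc/libvirt/qemu.conf` followed by `show_vnc_sockets` after the restart confirms that the consoles ended up bound where you intended and nowhere else.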

Tuesday, 19 March 2013

Creating a disk image over the network

Before I start this post I think I ought to make clear that the setup I'm testing this on has 3 physical servers, 2 of which are in use and can't be taken down for more than a few seconds; the 3rd is a big box of disks that I have put in place for storing the disk images and initial hosting of the virtual machines. Once the 2 servers are virtualised I will be re-installing them as virtual hosts too. Maybe when I do that I'll detail how I did that bit too.

So I have got to the point where I need to move some physical servers into virtual machines. The first "issue" I have come across is that I need to get an image of the server to convert into a VM. I figured I could pull the disks from the physical box and put them in the one which will host the images, or I could make the image on a usb drive and move it that way. Neither of these options quite seemed right to me though.

I hit upon the idea of creating the image and copying it directly over the network to the image machine: no double handling of data, no downtime (although I'm sure some people will not like the idea of imaging a disk whilst it's live).

The command that did this for me is

dd if=/dev/cciss/c0d0 | ssh garethw@192.168.0.50 dd of=/home/garethw/server1-c0d0.img

dd if=/dev/cciss/c0d0 | ssh garethw@10.0.8.10 dd of=/srv/vhost1/finder-server-3/c0d0-v2.img

Backing up a 300gb drive over a 1gb network took about 8 hours.... oh eck.

There are a few examples of this kind of thing on the net, most of which include gzipping the stream from dd. I'm not sure if the vm software I'm using supports gzipped images so I left that out. It seemed to give about a 1/3 speed increase when copying with gzip though, so it's probably worth it if it works.
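The dd-over-ssh line gives you no way of knowing whether the 300gb that arrived is the 300gb that left. As an added example (not from the original post), this wraps the same pipeline so the stream is hashed on the sending side and by the receiving command, and the two digests are compared before you trust the image. The sink command is a shell string run on the source machine; the ssh form in the comment uses the post's own host and path.

```shell
# Added example (not from the original post): stream a block device to a
# remote host over ssh while hashing the bytes on both ends, so a truncated or
# corrupted transfer is caught before the image is imported. The sink command
# is run by sh on the source machine; for the post's setup it would be
#   "ssh garethw@192.168.0.50 'tee /home/garethw/server1-c0d0.img | sha256sum'"
# (add "gzip -c |" before tee on the sending side and "gunzip |" before tee on
# the remote side to compress in transit; the hashes still cover raw bytes).
set -e

# Hash the outgoing stream through a FIFO (POSIX sh has no process
# substitution), send the same bytes to the sink, then compare digests.
# Prints both sums; returns 0 on match, 1 on mismatch or a failed sink.
stream_and_verify() {       # $1 source device or file  $2 sink shell command
    tmp=$(mktemp -d)
    mkfifo "$tmp/fifo"
    sha256sum < "$tmp/fifo" | cut -d' ' -f1 > "$tmp/local.sum" &
    remote=$(dd if="$1" bs=4M | tee "$tmp/fifo" | sh -c "$2" | cut -d' ' -f1)
    wait
    local_sum=$(cat "$tmp/local.sum")
    rm -rf "$tmp"
    echo "local  $local_sum"
    echo "remote $remote"
    [ -n "$remote" ] && [ "$local_sum" = "$remote" ]
}
```

For a live disk the image is still only as consistent as the filesystem was during the read; the check only proves the copy matches what dd read, so keep the remote digest with the image and re-check it before virt-install.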

The next thing to do is import the newly created disk image into your VM infrastructure. I am using ubuntu with KVM as setup using the ubuntu server documentation (It's over Here)

The following line should import the disk and should only take a couple of seconds to run
virt-install -n vm1-svr3 -r 512 --disk ./c0d0-1.img,device=disk,bus=virtio -w bridge=br0,model=virtio --vnc --noautoconsole --import

This command should also start the vm for you. Be warned, if everything is working this will mean the vm comes up with the same IP as the physical server, so be sure you are ready to go or disconnect the network from your vm host before starting it.

Handy commands;

virsh list
Lists all the currently running VMs; it does not list those that are not running.

virsh destroy vmname
Will unload the VM from memory; it does not (as the name suggests) destroy anything.

virsh vncdisplay vmname
Shows you which VNC "port" the VM is running on so you can connect to it remotely (after fixing the VNC bind issue).