2018-03-12 New Server

I migrated my sites to a new server! Hopefully this means that the next dist-upgrade will work without a hitch.

Debian 9 “Stretch” it is!

If you notice any of my sites misbehaving, let me know. For now I’m proud of the A+ rating by SSL Labs.

Related: 2018-03-09 OpenVZ Pains, Sibirocobombus Setup.

2018-03-09 OpenVZ Pains

Bonus: I just realized how much simpler my setup has become now that I’m no longer self-hosting an email server!

To remind myself and others of the giant pain email has become, I’m copying the relevant stuff I deleted from my *Sibirocobombus Setup* page and the comments on that page.

☯

You need to add reverse DNS entry on the web site.

“Mailing to remote domains not supported.”

alex@sibirocobombus:~$ mail kensanata@gmail.com
Subject: test from sibirocobombus
hi
.
Cc:
alex@sibirocobombus:~$ mail
No mail for alex
alex@sibirocobombus:~$ sudo exim -bp
 0m  1.2K 1bQDA7-0000As-S4 <> *** frozen ***
           alex@sibirocobombus

alex@sibirocobombus:~$ fg
-bash: fg: current: no such job
alex@sibirocobombus:~$ exiwhat
-bash: exiwhat: command not found
alex@sibirocobombus:~$ exim -Mvl 1bQDA7-0000As-S4
-bash: exim: command not found
alex@sibirocobombus:~$ sudo exim -Mvl 1bQDA7-0000As-S4
2016-07-21 14:33:11 Received from <> R=1bQDA7-0000Ao-RS U=Debian-exim P=local S=1230
2016-07-21 14:33:11 kensanata@gmail.com <alex@sibirocobombus> R=nonlocal: Mailing to remote domains not supported
*** Frozen (delivery error message)

I guess this means we need to fix exim?

First, comment the crontab on my Raspberry Pi such that it will no longer update my zonefile.

Setting up Exim using these rules:

https://wiki.debian.org/Exim#Things\ you\ might\ want\ to\ configure
Copying the dkim private and public keys from my Raspberry Pi to `/etc/exim4/dkim` and `chown Debian-exim.Debian-exim dkim.*` to change their owners.
edit `/etc/exim4/exim4.conf.localmacros` and add the following:

1. https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4

2. note that the selector is something in your zone file, ie. dkim._domainkey for me DKIM_CANON=relaxed DKIM_SELECTOR=dkim DKIM_DOMAIN=alexschroeder.ch DKIM_PRIVATE_KEY=/etc/exim4/dkim/dkim.private

edit `/etc/exim4/exim4.conf.template` and add some stuff for Spam Assassin as described in the Debian documentation and in the Exim documentation; remember that you need to `apt-get install exim4-daemon-heavy` like I did up above! This is what I use:# https://wiki.debian.org/Exim#Spam_scanning and # http://www.exim.org/exim-html-current/doc/html/spec_html/ch-content_scanning_at_acl_time.html#SECID206 # put headers in all messages (no matter if spam or not) warn spam = nobody:true add_header = X-Spam-Score: $spam_score ($spam_bar) add_header = X-Spam-Report: $spam_report # add second subject line with *SPAM* marker when message # is over threshold warn spam = nobody add_header = Subject: ***SPAM (score:$spam_score)*** $h_Subject: # reject spam at high scores deny message = This message scored $spam_score spam points. spam = nobody:true condition = ${if >{$spam_score_int}{60}{1}{0}}
I’m eager to deny spam mails. The example they have used 120 (spam score > 12) and I’m using much less.
`service exim4 restart`
if we’re on blocklists, check http://www.spamhaus.org/lookup/ and https://senderscore.org/blacklistlookup/
`mail kensanata@gmail.com` and try it
make sure your spam filter works by by sending yourself an email containing the magic string and verify that you see the appropriate response in `/var/log/exim4/rejectlog`
if you’re sure that it works and you’re not being flooded by spam, you can think about automatically forwarding all emails by creating a `~/.forward` file in every user’s home directory containing nothing but the new email address; watch out: if you forward too much spam, Gmail will start to refuse mails from your domain!
`sudo -u claudia mail` # to read mails for other users and delete spam
if you’ve waited for a while and verified that you’re not being flooded by spam and you’ve setup the forwarding info so that future mails can be read elsewhere, it’s time to resend mails already delivered using `formail` (which is part of `procmail`):sudo cat /var/spool/mail/claudia | formail -k

-X From:

-X Subject:

-X Message-Id:

-X Date:

-X To:

-X Content-Type:

-I "To: kensanata@gmail.com"

-s /usr/sbin/sendmail -t -f kensanata@gmail.com

https://wiki.debian.org/Exim#Things\ you\ might\ want\ to\ configure

https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4

Debian documentation

in the Exim documentation

https://wiki.debian.org/Exim#Spam_scanning

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-content_scanning_at_acl_time.html#SECID206

http://www.spamhaus.org/lookup/

https://senderscore.org/blacklistlookup/

magic string

resend mails

I’m trying to improve SpamAssassin and found the wiki page Improve Accuracy. `spamassassin -D --lint 2>&1 | grep -i failed` produces a few Perl modules:

Improve Accuracy

`sudo apt-get install libssl-dev`
`cpanm Digest::SHA1 Geo::IP Razor2::Client::Agent Mail::DKIM DBI Encode::Detect Net::Patricia`
edit `/etc/default/spamassassin` and set `CRON=1`

*Watch out!* Perhaps you’ll be getting daily mail with the following:

/etc/cron.daily/spamassassin:
channel: could not find working mirror, channel failed
sa-update failed for unknown reasons

On ServerFault, I found the suggestion that some of the files in `/var/lib/spamassassin` had the wrong owner. It should be `debian-spamd`. And they were right!

On ServerFault

This listed `/var/lib/spamassassin/3.004000` and all its files belonging to root:

sudo find /var/lib/spamassassin -user root

To fix it:

sudo find /var/lib/spamassassin -user root -exec chown debian-spamd:debian-spamd '{}' ';'

I’m not sure why those files ended being there, owned by root. Perhaps I had run `sudo sa-update` just to “test” it?

☯

Time to get tough on spam! This is not funny.

alex@sibirocobombus:~$ mail
Mail version 8.1.2 01/15/2001.  Type ? for help.
"/var/mail/alex": 332 messages 332 new
>N  1 Oneill.12731@gree  Tue Sep 13 23:19  446/30612 Equipment receipts
 N  2 Herman4@habit-rea  Tue Sep 13 23:29  226/14170 payment copy
 N  3 Nichole7@hudsonpl  Tue Sep 13 23:35  225/14073 payment copy
 N  4 Mariana2@sprintin  Tue Sep 13 23:53  223/13877 payment copy
 N  5 huixinsoft40@foxm  Wed Sep 14 01:33  100/6194  =?utf-8?B?dGhlIGRpcmVjdCBmYWN0b3J5IGl
 N  6 dgvsd876dvs@126.c  Wed Sep 14 01:43   75/4277  =?utf-8?B?UHJvbW90aW9uYWwgYXBwYXJlbCB
 N  7 Diann630@totalind  Wed Sep 14 02:36  222/13874 payment copy
 N  8 dkhaaabgupxy@ens.  Wed Sep 14 02:42   97/5898  =?GB2312?B?UHJvZmVzc2luYWwgVGFibGV0IF
 N  9 mnsh@cichzeowtnre  Wed Sep 14 03:13   72/3877  =?GB2312?B?UkU6SGlnaCBxdWFsaXR5IGFuZC
 N 10 mpybenrgvr@uouqb.  Wed Sep 14 03:13   74/4043  =?GB2312?B?UkU6SGlnaCBxdWFsaXR5IGFuZC
 N 11 Corine67@kbr.mx    Wed Sep 14 03:35  222/13797 payment copy
 N 12 Karyn405@imagodep  Wed Sep 14 04:08  224/13999 payment copy
 N 13 Ray79@excluservic  Wed Sep 14 04:11  224/13924 payment copy ***SPAM (score:5.3)*** p
 N 14 Adolfo902@slsterl  Wed Sep 14 04:18  233/14625 payment copy ***SPAM (score:5.9)*** p
 N 15 d4gdfv@yeah.net    Wed Sep 14 04:38   73/4129  =?utf-8?B?UkU6IGJ1c2luZXNzIG1hcmtldCB
 N 16 Rene216@sk-sigurd  Wed Sep 14 04:41  224/13935 payment copy ***SPAM (score:5.3)*** p
 N 17 hulsingcrm37@aliy  Wed Sep 14 05:58   82/4756  =?utf-8?B?UkU6IHF1b3RlIHByaWNl?=
 N 18 ybgup@bdmpxxybdln  Wed Sep 14 06:37   62/3257  =?GB2312?B?UmU6IHByb2Zlc3Npb25hbCBzdG

I usually just run `p root` to see if I got anything from root. The Tiger reports, for example.

& p root
Message 186:
From root@alexschroeder.ch Sun Sep 18 02:01:18 2016
Envelope-to: root@alexschroeder.ch
Delivery-date: Sun, 18 Sep 2016 02:01:18 +0200
From: "Tiger automatic auditor at sibirocobombus" <root@sibirocobombus>
To: root@alexschroeder.ch
Subject: Tiger Auditing Report for sibirocobombus
Date: Sun, 18 Sep 2016 02:01:18 +0200

1. Performing check of user accounts...
NEW: --WARN-- [acc021w] Login ID colord appears to be a dormant account.
1. Performing check of passwd files...

But really, pages and pages of spam is not good. What can I do?

I edited `/etc/exim4/exim4.conf.localmacros` and added the following:

1. http://www.chew.ch/leoluc/software/debian/#AntiSpam
CHECK_RCPT_VERIFY_SENDER=yes
CHECK_RCPT_REVERSE_DNS=yes
CHECK_RCPT_SPF=yes # requires spf-tools-perl
CHECK_DATA_VERIFY_HEADER_SENDER=yes
CHECK_RCPT_IP_DNSBLS=bl.spamcop.net:zen.spamhaus.org

Reload the config file using `sudo service exim4 reload`, perhaps? I wasn’t sure and did the following, instead:

alex@sibirocobombus:~$ sudo update-exim4.conf
alex@sibirocobombus:~$ sudo service exim4 restart

My plan is to now lean back and watch `/var/log/exim4/rejectlog`.

Actually, there’s a test you can do according to DNS Blacklist with Exim: send a mail to nelson-pbl-test@crynwr.com from your mail server; the reply should get blocked.

DNS Blacklist with Exim

alex@sibirocobombus:~$ mail nelson-pbl-test@crynwr.com
Subject: testing blacklist
Thanks for the bot.
.
Cc:

OK, checking my log file... `/var/log/exim4/mainlog` now says:

2016-09-21 13:30:35 1bmfjX-0006Xh-Kg <= alex@alexschroeder.ch U=alex P=local S=413
2016-09-21 13:30:40 1bmfjX-0006Xh-Kg SMTP error from remote mail server after RCPT TO:<nelson-pbl-test@crynwr.com>: host ns1.crynwr.com [192.203.178.14]: 451 https://www.spamhaus.org/query/ip/192.71.233.105
2016-09-21 13:30:40 1bmfjX-0006Xh-Kg russnelson.com [192.203.178.57] Connection refused
2016-09-21 13:30:41 1bmfjX-0006Xh-Kg == nelson-pbl-test@crynwr.com R=dnslookup T=remote_smtp defer (111): Connection refused

Oops, my server is itself listed! 😢

192.71.233.105 is not listed in the SBL
192.71.233.105 is not listed in the PBL
192.71.233.105 is listed in the XBL, because it appears in:
    CBL

I followed the instructions:

instructions

alex@sibirocobombus:~$ mail helocheck@abuseat.org
Subject: test
CBL
.
Cc:

And I did get back the following:

From MAILER-DAEMON Wed Sep 21 13:36:53 2016
Envelope-to: alex@alexschroeder.ch
Delivery-date: Wed, 21 Sep 2016 13:36:53 +0200
X-Failed-Recipients: helocheck@abuseat.org
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@alexschroeder.ch>
To: alex@alexschroeder.ch
Subject: Mail delivery failed: returning message to sender
Date: Wed, 21 Sep 2016 13:36:53 +0200

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  helocheck@abuseat.org
    SMTP error from remote mail server after RCPT TO:<helocheck@abuseat.org>:
    host mail.abuseat.org [54.93.50.35]: 550 *** The HELO for IP address 192.71.233.105 was 'localhost.localdomain' (invalid syntax) ***

OK, following their instructions on naming issues.

naming issues

alex@sibirocobombus:~$ uname -n
sibirocobombus
alex@sibirocobombus:~$ hostname -s
sibirocobombus
alex@sibirocobombus:~$ hostname -d
localdomain
alex@sibirocobombus:~$ hostname -f
localhost.localdomain

This makes me sad.

alex@sibirocobombus:~$ cat /etc/hosts
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters

192.121.170.192 kallobombus
127.0.0.1 localhost.localdomain localhost sibirocobombus alexschroeder.ch
1. Auto-generated hostname. Please do not remove this comment.
192.71.233.105 sibirocobombus communitywiki.org emacswiki.org campaignwiki.org rpg.alexschroeder.ch korero.org arabisch-lernen.org oddmuse.org alexschroeder.ch
::1		localhost ip6-localhost ip6-loopback
alex@sibirocobombus:~$ cat /etc/hostname
sibirocobombus

I changed the `127.0.0.1` line to say the following:

127.0.0.1 alexschroeder.ch localhost sibirocobombus

I’m not sure what I expect the names to be.

alex@sibirocobombus:~$ uname -n; hostname -s; hostname -d; hostname -f; hostname
sibirocobombus
sibirocobombus
ch
alexschroeder.ch
sibirocobombus

It seems to have done the thing, however. When I send another email to `helocheck@abuseat.org`, I get a positive reply:

From MAILER-DAEMON Wed Sep 21 13:50:57 2016
Envelope-to: alex@alexschroeder.ch
Delivery-date: Wed, 21 Sep 2016 13:50:57 +0200
X-Failed-Recipients: helocheck@abuseat.org
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@alexschroeder.ch>
To: alex@alexschroeder.ch
Subject: Mail delivery failed: returning message to sender
Date: Wed, 21 Sep 2016 13:50:57 +0200

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  helocheck@abuseat.org
    SMTP error from remote mail server after RCPT TO:<helocheck@abuseat.org>:
    host mail.abuseat.org [54.93.50.35]: 550 *** The HELO for IP address 192.71.233.105 was 'alexschroeder.ch' (valid syntax) ***

So now, I’ll remove myself from the CBL and wait an hour or two before testing again.

Also note: those test results seem to take ages to get back. It’s far easier to simply check `/var/log/exim4/mainlog` and look for entries like the following:

2016-09-21 16:20:40 no host name found for IP address 186.5.5.146
2016-09-21 16:20:42 H=([186.5.5.146]) [186.5.5.146] Warning: 186.5.5.146 is listed at bl.spamcop.net (127.0.0.2: Blocked - see http://www.spamcop.net/bl.shtml?186.5.5.146)

#Web #Administration