Troubleshooting
Revision as of 20:31, 31 March 2024
DNS
Typical /etc/hosts:

127.0.0.1 server.yourdomain.com localhost.localdomain localhost

Typical /etc/resolv.conf without dns caching:

search yourdomain.com
nameserver ip-address-of-first-nameserver
nameserver ip-address-of-second-nameserver

Typical /etc/resolv.conf with dns caching:

search yourdomain.com
nameserver 127.0.0.1
The SuperTool at MXToolbox.com is a nice tool for testing DNS records, blacklists, and other email related configuration settings. And it's FREE! (as of this writing)
Firewall
Note: this mail server will have all the tools a hacker needs to compile whatever they want for their 'business', so it is very important to secure it using iptables and/or some other form of firewall in front of it. Don't put this server 'naked' on the internet without a firewall, hardening and strong passwords. This is a direct result of DJB's licensing, which prohibits distributing his software in binary form: you have to compile it for the software to work, typically on the machine itself. As a 'best practice', most public-facing servers carry only the software necessary to function as intended, and definitely no compilation tools.

Common services allowed by port:

tcp:
22   # ssh (you might want to listen on a different port for ssh)
25   # smtp
53   # dns
80   # http (squirrelmail)
110  # pop3
143  # imap
443  # https (squirrelmail)
465  # smtp-ssl
587  # ssl-submit (may be required for OE clients for ssl connections)
993  # imap-ssl
995  # pop3-ssl

udp:
53   # dns
123  # ntp
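As an added example (not part of the wiki page or of QmailToaster), here is a shell script that turns the port list above into a default-deny iptables ruleset. SSH_PORT, ADMIN_NET (an RFC 5737 placeholder range that SSH is restricted to) and the use of the conntrack match are assumptions; the script only prints the commands until IPT is set to the real binary, so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not from the QmailToaster wiki: build a default-deny iptables
# (IPv4) ruleset from the port list above. Assumptions: SSH_PORT is where sshd
# really listens and ADMIN_NET (a constructed RFC 5737 placeholder) is the range
# SSH is allowed from. The script only prints the commands until IPT is set to
# the real binary:
#   sh fw.sh                 # review
#   IPT=iptables sh fw.sh    # apply (from the console, not over SSH, the first time)

IPT="${IPT:-echo iptables}"
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

PUBLIC_TCP="25 53 80 110 143 443 465 587 993 995"   # mail, dns, webmail
PUBLIC_UDP="53 123"                                  # dns, ntp

gen_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Drop new TCP connections that do not start with SYN before anything else.
    $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # SSH only from the admin range, rate-limited so password guessing is slow and visible.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -s "$ADMIN_NET" -m conntrack --ctstate NEW \
        -m limit --limit 4/min --limit-burst 8 -j ACCEPT
    for p in $PUBLIC_TCP; do
        $IPT -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $PUBLIC_UDP; do
        $IPT -A INPUT -p udp --dport "$p" -j ACCEPT
    done
    # Log a sample of everything that falls through, so port scans show up in syslog.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Self-check helper: how many ACCEPT rules does gen_rules emit for proto/port?
accept_rules_for() {   # $1 = tcp|udp, $2 = port
    gen_rules | grep -c -- "-p $1 --dport $2 .*-j ACCEPT" || true
}

gen_rules
```

Ports not in the two lists (MySQL, the Dovecot admin sockets, anything a compiled tool might open) get no rule and fall to the DROP policy, which is the point of the note above.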
Log Files
QmailToaster logs are at: /var/logs/qmail/*
Freshclam log: /var/logs/clamav
Qmail log files have human-unfriendly timestamps. See [1] for an explanation, or [2] for a helper script; it's highly recommended!
Qmailadmin
No Menu in qmailadmin, even with postmaster
I have found that by default when you create a new domain, the following are populated with a zero by default.
- Accounts (0 disables this feature)
- Forwards (0 disables this feature)
- Aliases (0 disables this feature)
- Autoresponders (0 disables this feature)
- Mailing Lists (0 disables this feature)
- Quota in bytes (NOQUOTA for unlimited)
If you go back to the domain and just remove the zeros from the line and leave them blank and save it as that, it should bring the menu back. Also note - for the Quota, you either need to put NOQUOTA or enter an actual number other than zero, otherwise you won't be able to receive any e-mail :) --Ryan 10/26/06
SMTP-AUTH
Test with telnet:

[root@server ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 server.yourdomain.com - Welcome to Qmail Toaster Ver. 1.2 smtp Server ESMTP

After connecting, enter: ehlo localhost

ehlo localhost
250-server.yourdomain.com - Welcome to Qmail Toaster Ver. 1.2 smtp Server
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250 AUTH LOGIN PLAIN CRAM-MD5

Verify the above return data, then enter: quit

quit
[root@server ~]#
The following webpage describes how to further test Chetan Kapur SMTP AUTH connections. http://qmail.jms1.net/test-auth.shtml
This webpage also describes how to further test SMTP AUTH connections. http://www.webpan.com/customers/Email/SMTP_Authentication_Telnet_Test.htm
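The checks in the telnet session above can be automated. The following shell functions are an added example, not from the wiki or from the Qmail Toaster project: they parse an EHLO reply, report STARTTLS support and the AUTH mechanisms offered, and flag a server that advertises PLAIN or LOGIN without STARTTLS (credentials would then travel in clear text on port 25). SAMPLE_REPLY is constructed from the session above; the nc invocation in the comment is an assumption about the tooling on your server.

```shell
#!/bin/sh
# Added example, not from the QmailToaster wiki: parse an EHLO reply and report
# STARTTLS support and the advertised AUTH mechanisms, then flag the case where
# PLAIN/LOGIN are offered with no STARTTLS (credentials would cross the wire in
# clear text). Use on a live server with nc (host and port are your own):
#   printf 'EHLO localhost\r\nQUIT\r\n' | nc -w 3 localhost 25 | check_ehlo_reply
# SAMPLE_REPLY below is constructed from the telnet session shown above.

# Print "starttls=<yes|no> auth=<mechanisms|none>" for the reply read from stdin.
check_ehlo_reply() {
    starttls=no
    auth=none
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')   # strip CRLF line endings
        case "$line" in
            250-STARTTLS*|"250 STARTTLS"*) starttls=yes ;;
            "250-AUTH "*|"250 AUTH "*)     auth=${line#*"AUTH "} ;;
        esac
    done
    printf 'starttls=%s auth=%s\n' "$starttls" "$auth"
}

# Return 0 (safe) unless a plaintext mechanism is offered without STARTTLS.
plaintext_auth_safe() {
    summary=$(check_ehlo_reply)
    case "$summary" in
        "starttls=no "*PLAIN*|"starttls=no "*LOGIN*) return 1 ;;
    esac
    return 0
}

SAMPLE_REPLY='250-server.yourdomain.com - Welcome to Qmail Toaster Ver. 1.2 smtp Server
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250 AUTH LOGIN PLAIN CRAM-MD5'

printf '%s\n' "$SAMPLE_REPLY" | check_ehlo_reply
```

The sample reply produces "starttls=yes auth=LOGIN PLAIN CRAM-MD5". Run the same pipeline against port 587 and 465 as well: the submission ports are where clients actually authenticate, and a missing STARTTLS there is the finding that matters.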
No Menus etc
If you are missing menus when browsing to http://webhost/admin-toaster/, then you have PHP register_globals turned off and PHP short open tags turned off (both are good security measures).
These probably should be submitted as bugs.
Apply these patches to the files shown:
/usr/share/toaster/htdocs/admin/index.php
1c1 < <? --- > <?php 55c55 < <form action="<? print $PHP_SELF; ?>" method="POST" onSubmit="return CheckFormChangePassword(this)"> --- > <form action="<?php print $_SERVER[PHP_SELF]; ?>" method="POST" onSubmit="return CheckFormChangePassword(this)"> 71c71
< <? print_date(); ?>
---
> <?php print_date(); ?>
81c81 < <? print_change_passwd($_POST['oldpasswd'], $_POST['newpasswd'], $_POST['newpasswd2']); ?> --- > <?php print_change_passwd($_POST['oldpasswd'], $_POST['newpasswd'], $_POST['newpasswd2']); ?> 87c87
< --- > 89c89 < <? print_quick_go(); ?> --- > <?php print_quick_go(); ?> 117c117 < <? print_updates(); ?> --- > <?php print_updates(); ?> /usr/share/toaster/include/admin.inc.php 1c1 < <? --- > <?php
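Review bot: the 55c55 replacement writes `$_SERVER[PHP_SELF]` straight into the form action; PHP_SELF reflects the request path as the client sent it, so it must go through htmlspecialchars() (or the action left empty so the form posts to itself) before it is echoed. The bare PHP_SELF inside the brackets is also an undefined constant that only works because PHP falls back to the string with a notice; write it as `$_SERVER['PHP_SELF']`. The 87c87 hunk has no content as shown, so the file should be re-diffed to recover that change before anyone applies the patch.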
Mrtg stats
This also works for the mrtg stats page. I put together a patch for this and added a refresh of 5 min. The patch can be found here.
Duplicate Email from Mailing List
- It may happen because of low memory on the server. Make sure you have enough memory on the server. You can:
- add more memory to the server
- stop unused services on the server
- disable some of the SpamAssassin plugins
- disable some of the unofficial ClamAV dat files
- decrease the values of Concurrencyincoming, Concurrencyremote and Concurrencylocal
- if you use spamdyke, increase the value of idle-timeout
- Problem with the SpamAssassin auto-expiration function: create the script below and add it to your crontab

# cat /etc/cron.daily/sa-bayes-expire
#!/bin/sh
# written 11/17/06 by Eric 'shubes' <ejs@shubes.net>
# force journal sync and expiration of spamassassin bayes database
#
sa-learn -u vpopmail --force-expire
chown vpopmail:vchkpw /home/vpopmail/.spamassassin/bayes_toks
#
Memory allocation errors in daemons
Some elements of qmailtoaster such as mail submission or POP3 may fail to work because they do not have enough memory to run. If you find that parts of the toaster package are not working as you expect, this could be the cause.
In particular, qmailtoaster on 64-bit architectures may require additional memory in order to work correctly.
Identifying the problem
The first thing to do is to look at the 'current' log file for the daemon that is not working. For example, if you encounter a problem with submitting mail (handled by 'submission'), you might try:
tail -f /var/log/qmail/submission/current | tai64nlocal
and then try submitting a mail message. If you are having memory problems, you will probably see something like:
2012-02-14 22:26:16.919911500 tcpserver: ok 4502 xx.nameofmyserver.com:xx.xx.xx.xx:587 :xx.xx.xx.xx::50888
2012-02-14 22:26:16.920568500 /var/qmail/bin/qmail-smtpd: error while loading shared libraries: libgcc_s.so.1: failed to map segment from shared object: Cannot allocate memory
(the actual shared library mentioned may vary depending on your setup).
In some cases, the error will not appear in the log, but may be sent back to the client. For example, when 'pop3' fails, the only indication of the problem may be a message in the 'current' log that says that the return status of the POP session is:
status 256
where a healthy POP server would return
status 0
If you access POP manually (see http://www.hackvalue.nl/en/article/74/learn%20to%20speak%20pop3%20in%20one%20simple%20lesson for examples), a message such as:
/home/vpopmail/bin/vchkpw: error while loading shared libraries: libresolv.so.2: failed to map segment from shared object: Cannot allocate memory
-ERR unable to write pipe
may be sent back to you. This is effectively the same problem, and has the same solution.
Fixing the problem
The problem can usually be solved by raising the 'softlimit' on memory allocated to the qmail daemons. This is a limit imposed by the 'run' script to prevent the daemon using excessive amounts of memory. In some cases, however, the default limit is too small.
To change the limit, open up the 'run' script for the daemon. For example, for 'submission' you would do:
vi /var/qmail/supervise/submission/run
(substitute your favorite text editor for 'vi') and look for the line that reads something like:
exec /usr/bin/softlimit -m 48000000
Change the number after the '-m' to a larger number: as a first attempt, try doubling the number. If that works, you can try reducing it to a smaller number later.
Save your changes and then restart qmail with:
qmailctl stop
qmailctl start
(you must do 'stop' and then 'start' rather than 'restart' to be sure that all qmail daemons are properly restarted).
Once qmail has restarted, repeat your test procedure. In most cases, this should have resolved the issue.
Other causes and solutions
Similar problems can also occur in other circumstances. If raising the softlimit and restarting doesn't work, the problem might be due to one of the following issues.
Lack of space on the filesystem holding '/tmp' or '/var/tmp': if the filesystem that holds temporary data has filled up, qmail won't work. Try:
df -h /tmp
df -h /var/tmp
to see how much space is available.
Copying over the contents of an old vpopmail directory: as well as user data, the vpopmail directory contains a 'bin' directory with executable files in it. If you blindly copy over the whole vpopmail directory from an old machine to a new one, you may overwrite the binaries for the new machine and replace them with binaries appropriate to the old one. This can produce errors similar to the ones described above.
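The identification and fixing steps above, plus the df check under 'Other causes', as one shell script. This is an added example, not part of the wiki or of QmailToaster: it reads the softlimit -m value from each supervise run script, counts 'Cannot allocate memory' errors in the matching current log, and, only when APPLY=yes, doubles the limit for the affected daemons (you still run qmailctl stop and qmailctl start afterwards). The directory variables are assumptions that default to the paths named above.

```shell
#!/bin/sh
# Added example, not from the QmailToaster wiki: audit the softlimit -m value in
# every supervise 'run' script, count "Cannot allocate memory" errors in the
# matching 'current' log, and report free space on /tmp and /var/tmp. It is a dry
# run unless APPLY=yes, in which case the affected run scripts get their limit
# doubled (the original is kept as run.bak). SUPERVISE_DIR and LOG_DIR default to
# the toaster's paths and can be overridden, which the self-test uses.

SUPERVISE_DIR="${SUPERVISE_DIR:-/var/qmail/supervise}"
LOG_DIR="${LOG_DIR:-/var/log/qmail}"
APPLY="${APPLY:-no}"

# Print the value after "-m" on the softlimit line of a run script (empty if none).
softlimit_of() {
    awk '/softlimit/ { for (i = 1; i < NF; i++) if ($i == "-m") { print $(i + 1); exit } }' "$1"
}

# Number of "Cannot allocate memory" lines in a daemon's current log (0 without a log).
alloc_failures() {
    [ -f "$LOG_DIR/$1/current" ] || { echo 0; return 0; }
    grep -c 'Cannot allocate memory' "$LOG_DIR/$1/current" || true
}

# Rewrite the -m value in a run script, keeping the original as run.bak.
set_softlimit() {   # $1 = run script, $2 = new value in bytes
    cp "$1" "$1.bak"
    awk -v new="$2" '
        /softlimit/ && !done { for (i = 1; i < NF; i++) if ($i == "-m") { $(i + 1) = new; done = 1; break } }
        { print }' "$1.bak" > "$1"
}

# Free kilobytes on the filesystem holding a path (the df -h check above, as a number).
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# One line per daemon; doubles the limit where the log shows allocation failures.
audit() {
    for run in "$SUPERVISE_DIR"/*/run; do
        [ -f "$run" ] || continue
        daemon=$(basename "$(dirname "$run")")
        limit=$(softlimit_of "$run")
        if [ -z "$limit" ]; then
            echo "$daemon: no softlimit in run script"
            continue
        fi
        failures=$(alloc_failures "$daemon")
        if [ "$failures" -gt 0 ]; then
            new=$((limit * 2))
            echo "$daemon: softlimit -m $limit, $failures allocation failures, suggest -m $new"
            if [ "$APPLY" = yes ]; then
                set_softlimit "$run" "$new"
            fi
        else
            echo "$daemon: softlimit -m $limit, no allocation failures"
        fi
    done
    for d in /tmp /var/tmp; do
        echo "$d: $(free_kb "$d") KB free"
    done
}

audit
```

Run it once without APPLY to see the report, then with APPLY=yes and a qmailctl stop / qmailctl start; if a daemon still fails with the doubled limit, the cause is likely one of the other issues listed above rather than the softlimit.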
Notes
Dovecot won't authenticate

If for any reason Dovecot IMAP4/POP3 clients won't authenticate with the following error:

Jun 14 08:40:56 imap-login: Info: Disconnected (no auth attempts in 0 secs): \
user=<>, rip=xxx.xxx.xxx.xxx, lip=yyy.yyy.yyy.yyy, TLS handshaking: SSL_accept() \
failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: \
SSL alert number 42, session=
Create either a signed or self-signed certificate and restart Dovecot.
Squirrelmail won't authenticate

If for any reason you cannot log in to Squirrelmail and get authentication errors, open the config file '/etc/squirrelmail/config_local.php' and edit the entry to read '$imap_auth_mech = 'login';', matching one of the mechanisms in the 'auth_mechanisms = plain login' parameter in Dovecot's configuration. On most toasters 'auth_mechanisms' is in 'toaster.conf'.
Make sure that Squirrelmail's webmail login is protected with https. Enter the following at the top of Squirrelmail's Apache configuration file '/etc/httpd/conf/squirrelmail.conf':
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
This ensures all traffic, including login passwords, is encrypted. In fact it is a good idea to add this to all QMT webmail and administration sites, including 'roundcubemail.conf' and 'toaster.conf'.
It is also a good idea to lock down QMT administration to certain IP addresses by defining your own 'aclnet' variable.
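An added example, not from the wiki or the project, that checks the two settings discussed above: that Squirrelmail's $imap_auth_mech is one of the mechanisms in Dovecot's auth_mechanisms, and that the Squirrelmail Apache config carries the HTTPS rewrite. The Dovecot config path is an assumption (the page says only that auth_mechanisms is usually in 'toaster.conf'); override the three path variables for your system.

```shell
#!/bin/sh
# Added example, not from the QmailToaster wiki: check that Squirrelmail's
# $imap_auth_mech is one of the mechanisms in Dovecot's auth_mechanisms, and
# that the webmail Apache config forces HTTPS as shown above. The Dovecot path
# is an assumption (auth_mechanisms may live in a differently placed toaster.conf
# on your system); all three paths can be overridden, which the self-test uses.

SQM_CONF="${SQM_CONF:-/etc/squirrelmail/config_local.php}"
DOVECOT_CONF="${DOVECOT_CONF:-/etc/dovecot/toaster.conf}"
HTTPD_CONF="${HTTPD_CONF:-/etc/httpd/conf/squirrelmail.conf}"

# Last $imap_auth_mech = '...' assignment in the Squirrelmail config.
squirrelmail_auth_mech() {
    sed -n "s/^[[:space:]]*[\$]imap_auth_mech[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | tail -n 1
}

# Mechanism list from the last auth_mechanisms = ... line in the Dovecot config.
dovecot_auth_mechanisms() {
    sed -n 's/^[[:space:]]*auth_mechanisms[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# 0 if Squirrelmail's mechanism is one Dovecot offers, 1 otherwise.
auth_mech_consistent() {
    mech=$(squirrelmail_auth_mech "$SQM_CONF")
    [ -n "$mech" ] || return 1
    for m in $(dovecot_auth_mechanisms "$DOVECOT_CONF"); do
        if [ "$m" = "$mech" ]; then
            return 0
        fi
    done
    return 1
}

# 0 if the Apache config carries the HTTPS redirect shown above.
forces_https() {
    grep -q 'RewriteCond[[:space:]]*%{HTTPS}[[:space:]]*!=on' "$1" &&
        grep -q 'RewriteRule.*https://' "$1"
}

if auth_mech_consistent; then
    echo "imap_auth_mech matches Dovecot auth_mechanisms"
else
    echo "imap_auth_mech is not offered by Dovecot (check $SQM_CONF and $DOVECOT_CONF)"
fi
if forces_https "$HTTPD_CONF"; then
    echo "$HTTPD_CONF forces HTTPS"
else
    echo "$HTTPD_CONF does not force HTTPS"
fi
```

Point HTTPD_CONF at 'roundcubemail.conf' and 'toaster.conf' in turn to confirm the redirect is present on every webmail and administration site, as recommended above.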
QMT man pages don't work (e.g. # man qmail-smtpd); enable them with the following command:

# echo "MANDATORY_MANPATH /var/qmail/man" >> /etc/man_db.conf