Troubleshooting

From QmailToaster
Revision as of 00:24, 30 March 2024 by Ebroch

DNS

Typical /etc/hosts:

127.0.0.1  server.yourdomain.com  localhost.localdomain   localhost

Typical /etc/resolv.conf without dns caching:

search yourdomain.com
nameserver ip-address-of-first-nameserver
nameserver ip-address-of-second-nameserver

Typical /etc/resolv.conf with dns caching:

search yourdomain.com
nameserver 127.0.0.1

The SuperTool at MXToolbox.com is a nice tool for testing DNS records, blacklists, and other email-related configuration settings. And it's FREE! (as of this writing)

Firewall

Note: this mail server will have all the tools necessary for a hacker to compile whatever tool they need to do their 'business', so it is very important to secure this server using iptables and/or some other form of firewall in front of it. Don't put this server 'naked' on the internet without some kind of firewall, hardening, and strong passwords. The compilers are there as a direct result of DJB's licensing, which prohibits distributing his software in binary form; that is to say, you have to compile it for the software to work, typically on the machine itself. As a 'best practice', most public-facing servers have only the software necessary to function as intended, and definitely no compilation tools.

Common services allowed by port:
 tcp: 22 #ssh-you might want to listen on a different port for ssh
      25 #smtp
      53 #dns
      80 #http(squirrelmail)
      110 #pop3
      143 #imap
      443 #https(squirrelmail)
      465 #smtp-ssl
      587 #ssl-submit(may be req'd for OE clients for ssl connections)
      993 #imap-ssl
      995 #pop3-ssl
 udp: 53 #dns
      123 #ntp
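
One way to turn the port list above into a default-deny ruleset and to spot listeners the list does not cover. This is an added example, not QmailToaster's own code; the function names and the sample `ss -ltnH` output are constructed for illustration. Nothing is applied: the rules are only printed, so they can be reviewed and checked with `iptables-restore --test` before loading.

```shell
#!/bin/sh
# Added example, not QmailToaster code. Ports are the ones listed above.
TCP_PORTS="22 25 53 80 110 143 443 465 587 993 995"
UDP_PORTS="53 123"

# Print a default-deny ruleset in iptables-restore format (nothing is applied).
qmt_firewall_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        printf '%s\n' "-A INPUT -p udp -m udp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Read `ss -ltnH` output on stdin and print TCP ports that listen on a
# non-loopback address but are not in TCP_PORTS (services to stop or review).
unexpected_listeners() {
    awk -v allowed="$TCP_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            addr = $4
            port = addr; sub(/.*:/, "", port)      # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)  # text before the last colon
            if (host ~ /^127\./ || host == "[::1]") next
            if (!(port in ok)) print port
        }' | sort -nu
}

# Constructed sample of `ss -ltnH` output, for illustration only.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:783 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*'
```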

Log Files

QmailToaster logs are at:
  /var/log/qmail/*
Freshclam log:
  /var/log/clamav

Qmail log files have human-unfriendly timestamps. Go here for an explanation [1], or GO HERE [2] to get a helper script, it's highly recommended!


Qmailadmin

No Menu in qmailadmin, even with postmaster

I have found that by default when you create a new domain, the following are populated with a zero by default.

Accounts (0 disables this feature)
Forwards (0 disables this feature)
Aliases (0 disables this feature)
Autoresponders (0 disables this feature)
Mailing Lists (0 disables this feature)
Quota in bytes (NOQUOTA for unlimited)

If you go back to the domain and just remove the zeros from the line and leave them blank and save it as that, it should bring the menu back. Also note: for the Quota, you either need to put NOQUOTA or enter an actual number other than zero, otherwise you won't be able to receive any e-mail :) --Ryan 10/26/06


SMTP-AUTH

Test with telnet:
 [root@server ~]# telnet localhost 25
 Trying 127.0.0.1...
 Connected to localhost.localdomain (127.0.0.1).
 Escape character is '^]'.
 220 server.yourdomain.com - Welcome to Qmail Toaster Ver. 1.2 smtp Server ESMTP
After connect enter: ehlo localhost
 ehlo localhost
 250-server.yourdomain.com - Welcome to Qmail Toaster Ver. 1.2 smtp Server
 250-STARTTLS
 250-PIPELINING
 250-8BITMIME
 250-SIZE 20971520
 250 AUTH LOGIN PLAIN CRAM-MD5
Verify the above return data, then enter: quit
 quit
 [root@server ~]#

The following webpage describes how to further test SMTP AUTH connections. http://qmail.jms1.net/test-auth.shtml

This webpage also describes how to further test SMTP AUTH connections. http://www.webpan.com/customers/Email/SMTP_Authentication_Telnet_Test.htm
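
A scripted version of the EHLO check above, as an added example that is not part of the original page. It reads an EHLO reply on stdin, lists the advertised AUTH mechanisms, and reports whether STARTTLS is offered alongside LOGIN or PLAIN, which only base64-encode the password and so belong inside a TLS session. The function names are hypothetical; the sample is the reply shown above.

```shell
#!/bin/sh
# Added example. Both functions read an SMTP EHLO reply on stdin.

# Print the advertised AUTH mechanisms, space separated (empty if none).
ehlo_auth_mechs() {
    tr -d '\r' | awk 'toupper($0) ~ /^250[- ]AUTH[ =]/ {
        line = toupper($0); sub(/^250[- ]AUTH[ =]/, "", line); print line; exit }'
}

# Classify the reply:
#   no-auth             AUTH is not advertised
#   cleartext-risk      LOGIN or PLAIN offered and no STARTTLS to protect them
#   needs-tls           LOGIN or PLAIN offered; STARTTLS is available
#   no-plaintext-mechs  neither LOGIN nor PLAIN is offered
ehlo_auth_check() {
    reply=$(tr -d '\r')
    mechs=$(printf '%s\n' "$reply" | ehlo_auth_mechs)
    [ -n "$mechs" ] || { echo no-auth; return; }
    case " $mechs " in
        *" LOGIN "*|*" PLAIN "*)
            if printf '%s\n' "$reply" | grep -qi '^250[- ]STARTTLS'; then
                echo needs-tls
            else
                echo cleartext-risk
            fi ;;
        *) echo no-plaintext-mechs ;;
    esac
}

# The EHLO reply from the telnet session above.
SAMPLE_EHLO='250-server.yourdomain.com - Welcome to Qmail Toaster Ver. 1.2 smtp Server
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250 AUTH LOGIN PLAIN CRAM-MD5'
```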

No Menus etc

If you are missing menus when browsing to http://webhost/admin-toaster/, then you have PHP globals (register_globals) turned off and PHP short open tags (short_open_tag) off (both are good security measures).

These should probably be submitted as bugs.

Apply these patches to the files shown:

/usr/share/toaster/htdocs/admin/index.php

 1c1
 < <?
 ---
 > <?php
 55c55
 <   <form action="<? print $PHP_SELF; ?>" method="POST" onSubmit="return CheckFormChangePassword(this)">
 ---
 >   <form action="<?php print $_SERVER[PHP_SELF]; ?>" method="POST" onSubmit="return CheckFormChangePassword(this)">
 71c71

< <? print_date(); ?>

 ---

> <?php print_date(); ?>

 81c81
 <       <? print_change_passwd($_POST['oldpasswd'], $_POST['newpasswd'], $_POST['newpasswd2']); ?>
 ---
 >       <?php print_change_passwd($_POST['oldpasswd'], $_POST['newpasswd'], $_POST['newpasswd2']); ?>
 87c87

< --- > 89c89 < <? print_quick_go(); ?> --- > <?php print_quick_go(); ?> 117c117 < <? print_updates(); ?> --- > <?php print_updates(); ?> /usr/share/toaster/include/admin.inc.php 1c1 < <? --- > <?php
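
Review bot: In the 55c55 hunk of index.php, the replacement line reads `$_SERVER[PHP_SELF]` with an unquoted key and prints the value unescaped into the form's action attribute. PHP_SELF reflects the request path, including any extra path info the client appends, so the line should be `<?php print htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>`. The bare PHP_SELF also only works while PHP treats an undefined constant as a string, which PHP 8 no longer does.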

Mrtg stats

This also works for the mrtg stats page. I put together a patch for this and added a refresh of 5 min. The patch can be found here.

Duplicate Email from Mailing List

  • It may happen because of low memory on the server. Make sure you have enough memory on the server. You can:
  • If you use spamdyke, increase the value of idle-timeout
  • Problem with the SpamAssassin auto-expiration function. Create the script below and add it to your crontab:
# cat /etc/cron.daily/sa-bayes-expire
#!/bin/sh
# written 11/17/06 by Eric 'shubes' <ejs@shubes.net>
# force journal sync and expiration of spamassassin bayes database
#
sa-learn -u vpopmail --force-expire
chown vpopmail:vchkpw /home/vpopmail/.spamassassin/bayes_toks
#

Memory allocation errors in daemons

Some elements of qmailtoaster such as mail submission or POP3 may fail to work because they do not have enough memory to run. If you find that parts of the toaster package are not working as you expect, this could be the cause.

In particular, qmailtoaster on 64-bit architectures may require additional memory in order to work correctly.

Identifying the problem

The first thing to do is to look at the 'current' log file for the daemon that is not working. For example, if you encounter a problem with submitting mail (handled by 'submission'), you might try:

   tail -f /var/log/qmail/submission/current | tai64nlocal

and then try submitting a mail message. If you are having memory problems, you will probably see something like:

   2012-02-14 22:26:16.919911500 tcpserver: ok 4502
   xx.nameofmyserver.com:xx.xx.xx.xx:587 :xx.xx.xx.xx::50888
   2012-02-14 22:26:16.920568500 /var/qmail/bin/qmail-smtpd: error while
   loading shared libraries: libgcc_s.so.1: failed to map segment from
   shared object: Cannot allocate memory

(the actual shared library mentioned may vary depending on your setup).

In some cases, the error will not appear in the log, but may be sent back to the client. For example, when 'pop3' fails, the only indication of the problem may be a message in the 'current' log that says that the return status of the POP session is:

    status 256

where a healthy POP server would return

    status 0

If you access POP manually (see http://www.hackvalue.nl/en/article/74/learn%20to%20speak%20pop3%20in%20one%20simple%20lesson for examples), a message such as:

   /home/vpopmail/bin/vchkpw: error while loading shared libraries:
   libresolv.so.2: failed to map segment from shared object: Cannot allocate memory
   -ERR unable to write pipe

may be sent back to you. This is effectively the same problem, and has the same solution.

Fixing the problem

The problem can usually be solved by raising the 'softlimit' on memory allocated to the qmail daemons. This is a limit imposed by the 'run' script to prevent the daemon using excessive amounts of memory. In some cases, however, the default limit is too small.

To change the limit, open up the 'run' script for the daemon. For example, for 'submission' you would do:

     vi /var/qmail/supervise/submission/run

(substitute your favorite text editor for 'vi') and look for the line that reads something like:

     exec /usr/bin/softlimit -m 48000000
    

Change the number after the '-m' to a larger number: as a first attempt, try doubling the number. If that works, you can try reducing it to a smaller number later.

Save your changes and then restart qmail with:

   qmailctl stop
   qmailctl start

(you must do 'stop' and then 'start' rather than 'restart' to be sure that all qmail daemons are properly restarted).

Once qmail has restarted, repeat your test procedure. In most cases, this should have resolved the issue.

Other causes and solutions

Similar problems can also occur in other circumstances. If raising the softlimit and restarting doesn't work, the problem might be due to one of the following issues.

Lack of space on the filesystem holding '/tmp' or '/var/tmp': if the filesystem that holds temporary data has filled up, qmail won't work. Try:

   df -h /tmp
   df -h /var/tmp

to see how much space is available.

Copying over the contents of an old vpopmail directory: as well as user data, the vpopmail directory contains a 'bin' directory with executable files in it. If you blindly copy over the whole vpopmail directory from an old machine to a new one, you may overwrite the binaries for the new machine and replace them with binaries appropriate to the old one. This can produce errors similar to the ones described above.

Notes

Dovecot won't authenticate

If for any reason Dovecot IMAP4/POP3 clients won't authenticate with the following error:

 Jun 14 08:40:56 imap-login: Info: Disconnected (no auth attempts in 0 secs): \
 user=<>, rip=172.16.0.11, lip=172.16.1.50, TLS handshaking: SSL_accept() \
 failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: \
 SSL alert number 42, session=

Create either a signed or self-signed certificate and restart Dovecot.

Squirrelmail won't authenticate

If for any reason you cannot log in to Squirrelmail because of authentication errors, open the config file '/etc/squirrelmail/config_local.php' and edit the entry to read '$imap_auth_mech = 'login';', matching one of the 'auth_mechanisms = plain login' parameters in Dovecot's configuration. On most toasters 'auth_mechanisms' is in 'toaster.conf'.

Make sure that Squirrelmail's webmail login is protected with https. Enter the following at the top of Squirrelmail's Apache configuration file '/etc/httpd/conf/squirrelmail.conf':

 RewriteEngine On
 RewriteCond %{HTTPS} !=on
 RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

This will ensure all traffic, including login passwords, is encrypted. In fact it is a good idea to add this to all QMT webmail and administration sites, including 'roundcubemail.conf' and 'toaster.conf'.

It is also a good idea to lock down QMT administration to certain IP addresses by defining your own 'aclnet' variable.

If QMT man pages don't work (e.g. # man qmail-smtpd), enable them with the following command:

 # echo "MANDATORY_MANPATH /var/qmail/man" >> /etc/man_db.conf