Plesk 12.x / Linux :: Unable To Disable SSL V2 And V3 In Postfix And Courier
Dec 13, 2014
I am trying to secure my VPS and one thing noted in a recent scan was SSL v2 and v3 being supported for SMTP, POP3 and IMAP. So a check of ‘Disabling SSLv3 Support on Servers’ and the Postfix configuration settings suggest:
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
# Preferred syntax with Postfix ≥ 2.5:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
This actually goes further than disabling SSLv2 and v3 and also excludes the use of NULL and MD5 ciphers.
The Postfix conf file, main.cf exists in two places on my VPS:
# find / -name main.cf
/usr/libexec/postfix/main.cf
/etc/postfix/main.cf
Examining both, only the copy in /etc/postfix/ is configured, and at the end of this file I can find all the Plesk settings, including some RBLs I’ve defined via the UI. Hence I know this is the working config, as of the two it’s the only one actually configured. Hence I add the required commands to the config:
...
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
[Code] ....
I then go to the Plesk Tools & Settings > Services Management and restart:
SMTP Server (Postfix)
And for good measure:
Plesk milter (Postfix)
I then test whether SSLv2 is enabled:
# openssl s_client -connect x.x.x.x:25 -starttls smtp -ssl2
Now what I should get back is an error as the attempt to connect with SSLv2 should fail as it's an excluded protocol, but instead what I get back is the Plesk cert and a connection:
# openssl s_client -connect x.x.x.x:25 -starttls smtp -ssl2
CONNECTED(00000003)
depth=0 C = US, ST = Virginia, L = Herndon, O = Parallels, OU = Parallels Panel, CN = Parallels Panel, emailAddress = info@parallels.com
verify error:num=18:self signed certificate
...
Why? What do I need to do to have Postfix use the updated config and refuse an SSL2 connection?
I seem to have the same issue with Courier having made similar changes to the /etc/courier-imap/pop3d-ssl file:
# Iain 2014-12-12
# TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
TLS_CIPHER_LIST="TLSv1:HIGH:MEDIUM:!LOW:!EXP:!NULL:!aNULL@STRENGTH"
And /etc/courier-imap/imapd-ssl file:
# Iain 2014-12-12
# TLS_PROTOCOL=SSL23
TLS_PROTOCOL=TLS1
actually, this should probably read:
# Iain 2014-12-12
# TLS_PROTOCOL=SSL23
TLS_PROTOCOL=TLS1, TLS1.1, TLD1.2
Why am I unable to disable SSL v2 and v3 for SMTP/POP3/IMAP with Postfix and Courier?
View 15 Replies
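An added example, not part of the original post: a static check of which Postfix parameter governs the smtpd protocol list. With `smtpd_tls_security_level = may` (opportunistic TLS) Postfix applies `smtpd_tls_protocols`; `smtpd_tls_mandatory_protocols` is used only at level `encrypt`, so the exclusions quoted in the post do not affect a `may` listener. The function names and sample text are constructed here; an unset protocol list is assumed to mean "no exclusions" (compare with `postconf -d smtpd_tls_protocols` on the host), and newer `>=TLSv1.2`-style values are not handled.

```python
import re

# Constructed sample: the TLS-related lines quoted in the post, in file order.
SAMPLE_MAIN_CF = """\
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
"""

PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
WEAK = {"SSLv2", "SSLv3"}


def parse_main_cf(text):
    """Parse main.cf text: '#' lines are comments, lines starting with
    whitespace continue the previous parameter, the last assignment wins."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if current is not None:
                params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        current = name.strip() if sep else None
        if current:
            params[current] = value.strip()
    return params


def allowed_protocols(value):
    """Expand a protocol list such as '!SSLv2, !SSLv3' or 'TLSv1, TLSv1.1'.
    Assumption: an empty value means every protocol in PROTOCOLS."""
    tokens = [t.lower() for t in re.split(r"[,\s:]+", value) if t]
    include = {t for t in tokens if not t.startswith("!")}
    exclude = {t[1:] for t in tokens if t.startswith("!")}
    return [p for p in PROTOCOLS
            if (not include or p.lower() in include) and p.lower() not in exclude]


def audit_smtpd(text):
    """Report which parameter governs the smtpd protocol list and what it allows."""
    params = parse_main_cf(text)
    default_level = "may" if params.get("smtpd_use_tls") == "yes" else "none"
    level = params.get("smtpd_tls_security_level", default_level)
    if level == "none":
        return {"level": level, "governed_by": None, "allowed": [], "weak": []}
    governed_by = ("smtpd_tls_mandatory_protocols" if level == "encrypt"
                   else "smtpd_tls_protocols")
    allowed = allowed_protocols(params.get(governed_by, ""))
    return {"level": level, "governed_by": governed_by, "allowed": allowed,
            "weak": [p for p in allowed if p in WEAK]}


if __name__ == "__main__":
    print("as posted:", audit_smtpd(SAMPLE_MAIN_CF))
    fixed = SAMPLE_MAIN_CF + "smtpd_tls_protocols = !SSLv2, !SSLv3\n"
    print("with smtpd_tls_protocols:", audit_smtpd(fixed))
```

This audits configuration text only; what the listener actually negotiates also depends on the TLS library build, so the `openssl s_client` test from the post remains the confirmation step.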
Sep 2, 2014
I set up and enabled fail2ban via Plesk 12 (Tools and Settings). What happens is that a few days later I am unable to access this option again. I get a timeout.
I've tried to disable it over SSH with "fail2ban-client stop" and nothing... the command keeps loading and never finishes.
How can I remove or stop fail2ban?
View 6 Replies
Jul 8, 2014
I am unable to disable or modify the firewall by using the Plesk firewall extension. Plesk throws the two errors below:
Code:
Error: Could not disable firewall:
util_exec(.., 'proc_open') failed: file does not exist or is not executable: /opt/psa/admin/bin/modules/firewall/register_service
Code:
Error: Could not activate firewall configuration:
util_exec(.., 'proc_open') failed: file does not exist or is not executable: /opt/psa/admin/bin/modules/firewall/safeact
I checked the symlinks, they point to the same location: /opt/psa/admin/bin/modules/firewall/mod_wrapper
-r-s--x--- 1 root root 18896 Jun 6 10:37 mod_wrapper
View 2 Replies
Sep 24, 2008
I have a mail server which is courier, postfix, amavisd, using Mysql db and virtual mailboxes which I administer through postfixadmin.
I want to be able to add a set of default folders to all mailboxes created such as Possible Spam and some others.
I have investigated shared folders but this is not what i want, is there a way I can get courier/postfix to create a set of additional sub-folders when it creates a mailbox.
All mailboxes are accessed as IMAP mailboxes.
View 0 Replies
Jul 2, 2014
My issue started a couple of months ago and seemed to increase with the update to Plesk 12.0 (though I can't guarantee it). I am using CentOS 6.5, all updated. What happens is that postfix usage starts to increase without any apparent reason (during weekends, for example). Then postfix is not responding anymore.
Code:
top - 13:27:13 up 3 days, 18:44, 0 users, load average: 0.73, 0.33, 0.32
Tasks: 238 total, 2 running, 236 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.3%us, 0.6%sy, 0.1%ni, 98.7%id, 0.3%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 32917292k total, 8982212k used, 23935080k free, 1899416k buffers
Swap: 1046520k total, 0k used, 1046520k free, 4905884k cached
[code]....
View 1 Replies
Feb 11, 2007
Hopefully I'm posting this in the correct area. Our server runs CentOS 4.4 on x86_64 arch.
So basically everything was going rather smoothly...
Problems began to arise at the point where I finished installing/configuring SquirrelMail. Upon logging in, I saw this:
[see attachment]
Ok, so I checked maillog and saw:
Feb 11 13:50:46 zeus imapd: LOGIN, user=alex, ip=[::ffff:127.0.0.1], protocol=IMAP
Feb 11 13:50:47 zeus imapd: Failed to connect to socket /tmp/fam--
Feb 11 13:50:47 zeus imapd: Failed to create cache file: maildirwatch (alex)
Feb 11 13:50:47 zeus imapd: Error: Input/output error
Feb 11 13:50:47 zeus imapd: Check for proper operation and configuration
Feb 11 13:50:47 zeus imapd: of the File Access Monitor daemon (famd).
Feb 11 13:50:47 zeus imapd: DISCONNECTED, user=alex, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=21, sent=57, time=1
So I did some searching and determined it was a problem with Courier-IMAP being compiled with File Alteration Monitor support and famd not running (I built RPM directly from source tarball without any customization whatsoever per the instructions on the Courier website).
I found some possible solutions to be:
1) Install and run fam and be sure portmapper is running as well (problem being is that fam has since been replaced by gamin on CentOS, which is installed properly on my system).
2) Do a source install of Courier-IMAP and --disable-fam
Ok, so route 1 went like this: I uninstalled gamin, found fam-2.6.8, installed it, started it manually, made sure portmapper was running and tried again. This time, I still got the same errors in SquirrelMail, but the errors in maillog didn't show up. However, shortly after the page loaded, the famd process I had started manually promptly ended without my intervention. Ok, onto trying #2.
Route 2 went like this: reinstalled gamin, then I tried building a custom RPM by manually configuring with --disable-fam and then using rpmbuild -bc --short-circuit and rpmbuild -bi --short-circuit. That didn't change anything at all, I still had the same errors both with SquirrelMail and in maillog. Then I said ok, I'll just do a complete source install. ./configure --disable-fam && make && make install. Manually started that server, tried again, same deal, both errors.
So I've got problems. Either with Courier-IMAP, SquirrelMail, or both. The other daemons seem to run fine, I just mentioned them in case of the possibility of some kind of (unknown to me) conflict.
If you need to see any of my configs, let me know...any information greatly appreciated...I'm desperate.
View 1 Replies
Jul 14, 2015
I have a problem with an account. The client connects and starts getting his mails, like this:
Jul 14 07:39:04 host courier-pop3d: LOGIN, user=*****@*****.com, ip=[::ffff:*.*.*.152], port=[*]
View 2 Replies
Jun 30, 2009
I have a small VPS that is used only to send mail. It uses the HyperVM software, so I installed "Kloxo" (LXadmin) on it and set up the domain, etc.
I then went into the "Server : Linux --> Services" page and disabled everything except qmail. (I also set them so they are not auto-started at bootup.)
The problem is that after about 10 minutes or so... all the services are automatically restarted.
I have no idea what process is doing this, and it's driving me a little nutty.
Does anyone know how to permanently disable a service using the Kloxo/lxadmin control panel?
(Or at least, where I can find whatever monitoring system is checking if they are up, and then restarting them?)
View 2 Replies
Feb 2, 2015
I'm using plesk with CentOS 6.6
After setting up some e-mail accounts over the plesk gui I tried to connect via a mail software (like thunderbird).
This failed with every combination of settings I tried. So I checked if the POP3/IMAP services are running correctly using telnet.
I connected using the following command:
Code:
telnet <host-ip> 110
The response was:
Code:
Trying <host-IP>...
Connected to <host-IP>.
Escape character is '^]'.
-ERR Cannot connect to POP server <host-IP> (<host-IP>:110), NB connect error 1460
Connection closed by foreign host.
Did I miss enabling a setting?
The Plesk GUI shows me that the corresponding services are running...
View 2 Replies
Aug 8, 2014
Yesterday we upgraded two of our servers to the latest Plesk 12.
The 1st server is a CentOS/CloudLinux 6.x server and the 2nd a CentOS 5.x server.
Both of them were running Plesk 11.5 before the upgrade.
After the upgrade, we have the same issue in both servers which is that the START/TLS, SSL protocols at Courier imaps or pop3s do not work, and mail clients (outlook, thunderbird) return that the password is wrong when they connect over a secure connection.
In both of them, at the /var/log/maillog, we are getting the same messages, as the following one:
--------------------------------------------------------------------------
courier-imaps: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
--------------------------------------------------------------------------
As the issue is on both servers, we believe that there is a bug in the new version or the update script.
We have already checked all configurations which seem ok, tried to... reboot the machines, mailchk repair, but nothing seems to work.
View 1 Replies
Feb 20, 2015
I'm trying to find Courier IMAP config: /etc/courier/imapd
Because I would like to edit the parameters for the trash folder (see quote and link below)
The file on my server is not there. I did some grep and locate commands and was unable to find it.
##NAME: IMAP_EMPTYTRASH:0
#
# The following setting is optional, and causes messages from the given
# folder to be automatically deleted after the given number of days.
# IMAP_EMPTYTRASH is a comma-separated list of folder:days. The default
# setting, below, purges 7 day old messages from the Trash folder.
# Another useful setting would be:
#
# IMAP_EMPTYTRASH=Trash:7,Sent:30
[Code] ....
View 1 Replies
Dec 6, 2014
I would like each of my clients who have a dedicated IP address and an SSL certificate to be able to use their own domain name (and own certificate) when sending mail on ports 465 or 587. I have managed to change the default certificate used by Postfix to my own server's certificate, but I want users to use their OWN IP address and SSL certificate when sending, so this is not an option.
I have been able to update Dovecot to use a specific certificate for each IP address, but I can't seem to update Postfix. I was trying to follow these instructions but my postfix master.cf was quite different than the poster's file and I didn't succeed: [URL] ....
I know many people will simply say "it can't be done" or "just get the users to use the shared IP address", but I know there must be some workaround to make this work, even if it means manually updating the config file after every Plesk update. I'm even prepared (if possible) to have Plesk abandon management of Postfix and have me manage it manually, if that's even an option.
View 1 Replies
Aug 20, 2014
I can't send any mail from the server. I don't get any log information about errors. Postfix is installed on opensuse 13.1.
View 3 Replies
Feb 25, 2015
Each migration in the last years I'm running into this bug that Postfix wants to run on port 587 even though this is turned OFF in the Plesk Panel.
Sometimes it does this after some update.
Because another process is running on port 587 this means that postfix does not start and I have some downtime until I "repair" this.
"Repairing" means going into Plesk panel and turning ON SMTP-Auth.... Wait a moment for it to apply and then turning it OFF again....
This unwanted behaviour can be easily reproduced by having this option turned off in the Plesk panel and then running /usr/local/psa/admin/sbin/mchk --without-spam
This will end up in a non-running postfix if another process is already running on port 587.
This shouldn't be happening. Especially because I reported this behaviour years ago..
View 5 Replies
Aug 15, 2014
On a fresh Debian 7 64-bit OpenVZ system we actually have a problem with the new Plesk 12 feature of limiting outgoing mails. We migrated about 25 systems to Plesk; this is the first that makes problems. If limiting outgoing mails is activated (I double-checked all possible checkboxes in Plesk), a fresh mailbox gives us the following error while trying to send via SMTP:
Aug 15 13:09:32 2d4 postfix/smtpd[8645]: connect from unknown[XX.XX.XX.XX]
Aug 15 13:09:32 2d4 postfix/smtpd[8645]: E9AF61C58851: client=unknown[XX.XX.XX.XX], sasl_method=PLAIN, sasl_username=XX@XXX.XX
Aug 15 13:09:32 2d4 greylisting filter[8651]: Starting greylisting filter...
Aug 15 13:09:32 2d4 /usr/lib/plesk-9.0/psa-pc-remote[8611]: handlers_stderr: SKIP
[code]....
After deactivating the feature all mail is sent without any problems. We use postfix + dovecot.
View 2 Replies
Oct 13, 2014
There are several big domains that frequently defer accepting mail from us causing long delays or rejections. Google, AOL, and Yahoo are examples. I'm considering trying the suggestions found in this online posting regarding rate limiting the sending of messages to those domains. In the below URL, please see the section titled "Different policies for different domains"...URL....
Would these changes be safe to make on a CentOS 6.4 server running Plesk 11.0.9 with Postfix 2.8.4? Would any special modifications for Plesk be necessary?
View 3 Replies
Jun 17, 2014
At this moment, all mail (no matter what domain) goes out straight to its destination. We want to send the mail through an antispam firewall before it enters the internet.
What setting to change?
View 1 Replies
Apr 23, 2015
Reset postfix configuration in plesk 12? I have some misconfiguration on smtp banner and hostname so I prefer to reset all.
View 6 Replies
Jul 21, 2015
I am unable to switch from qmail to postfix via the control panel. It opens a new window that just hangs and never loads. While waiting for it to load, I see these 2 processes running..
root 25108 0.1 0.0 133972 20604 ? S 21:58 0:00 /var/cache/parallels_installer/parallels_installer_CentOS_6_x86_64 --service-mode=components --enable-xml-output --ssl-cert /usr/local/psa/admin/conf/httpsd.pem --branch release,stable --web-interface --with-ssl --disable-browser
root 25109 0.0 0.0 104952 3032 ? S 21:58 0:00 /var/cache/parallels_installer/parallels_installer_CentOS_6_x86_64 --service-mode=components --enable-xml-output --ssl-cert /usr/local/psa/admin/conf/httpsd.pem --branch release,stable --web-interface --with-ssl --disable-browser
But after waiting 20 minutes, the browser never loaded and the two processes remain. So I killed both processes and removed /tmp/psa-installer.lock and started again. The same thing happened.
Is there a way to fix this? If not, is there an easy way to switch MTAs from the command line?
View 4 Replies
Jun 17, 2014
I have a problem with a server running Postfix. Emails (SMTP) are refused by an operator because too many mails are sent within a few moments.
With Qmail, we make this config :
1) we create file concurrencyremote
# vi /var/qmail/control/concurrencyremote
with the value 3
2) we restart Qmail and it's ok
With Postfix, we make that :
1) we modify the file /etc/postfix/main.cf
default_destination_concurrency_limit = 3
2) In /etc/postfix/transport :
wanadoo.com slow ;
wanadoo.fr slow ;
orange.fr slow ;
orange.com slow ;
laposte.net slow ;
.wanadoo.com slow ;
.wanadoo.fr slow ;
.orange.fr slow ;
.orange.com slow ;
3) After :
#postmap /etc/postfix/transport
4) In /etc/postfix/master.cf :
slow unix - - n - 5 smtp -o syslog_name=postfix-slow -o smtp_destination_concurrency_limit=3 -o slow_destination_rate_delay=1
5) In /etc/postfix/main.cf :
slow_destination_recipient_limit = 20
slow_destination_concurrency_limit = 3
And we modify :
transport_maps = hash:/var/spool/postfix/plesk/transport, hash:/etc/postfix/transport
6) At the end :
# /etc/init.d/postfix reload
But it doesn't work. Operator "Orange" refused emails.
In maillog, we have :
dsn=4.3.0, status=deferred (mail transport unavailable)
View 3 Replies
Jul 25, 2014
I just upgraded my Plesk 11.5 to Plesk version 12.0.18 Update #9, and after the upgrade Postfix stopped working. Forwarding and receiving are not working at all, and I am getting the message below.
OS: CentOS 6.5 (Final)
Plesk version: 12.0.18 Update #9
This is the mail system at host nsXXXXX.ovh.net.You can delete your own text from the attached returned message. mail system
<xyz@gmail.com>: Command rejected
Final-Recipient: rfc822; xyz@gmail.com
Action: failed
Status: 5.7.1
Diagnostic-Code: X-Postfix; Command rejected
View 2 Replies
Jul 19, 2014
After reinstalling the MTA / postfix / SMTP (because I couldn't send mails) my Plesk has crashed.
I wanted to log in as admin but it doesn't accept my PW. Now with root and then it wants me to accept the license.
Now I copy all my /var/www/vhosts/ maybe when I do the setup steps in plesk it will overwrite all my website content... I hope not all plesk settings are away.
Why I pay every month money for a license? The trouble and work I have with Plesk..
View 4 Replies
May 3, 2015
My server is Plesk 12 with Postfix and Courier IMAP; I am also using Thunderbird as mail client...
My question is: when I create a folder from my mail client or webmail, they just appear as subfolders of my inbox, which is not what I want. I want root-level folders, not folders under the inbox... When I searched for this I found [URL] ....
Is this still the case? Is there anything I can do to have root-level folders?
View 2 Replies
Oct 21, 2014
I have a hard problem with my VPS. I have postfix as mail server on Plesk 12 under Ubuntu 12.
I don't know why the outgoing mails of all my domains on my servers are ending up as spam on servers like Gmail, Yahoo, Hotmail...
I'm using mxtoolbox to fix errors and warnings and finally fixed all of them, but my mails are still going to spam.
In mxtoolbox I currently have no mail server errors / warnings; you can see it with, for example, this one of my domains: [URL] ....
Headers:
This message is an automatic response from Port25's authentication verifier service at verifier.port25.com. The service allows email senders to perform a simple check of various sender authentication mechanisms. It is provided free of charge, in the hope that it is useful to the email community.
[Code] ....
View 1 Replies
Jul 12, 2015
Our partition became full and dropped the VPS; after that we are unable to start postfix. Actually postfix starts but master does not.
So if I run:
/etc/init.d/postfix restart
Shutting down postfix: [FAILED]
Starting postfix: [ OK ]
/etc/init.d/postfix status
master is stopped
I already tried to reconfigure everything:
/usr/local/psa/admin/bin/mailmng-service --start-service --mail-component=all
In Tools & Settings I switched to qmail and back again to postfix (reinstalling)...
View 3 Replies
Jul 28, 2014
I have a brand-new server with CentOS 6.5 Final with Plesk 12.
For some unknown reason I'm not able to configure Postfix as SMTP server and have it accept plain text authentication. It only accepts TLS authentication, both on port 25 and 587. If I install Qmail everything works without any problem.
Here are my configuration files.
(Main.cf)
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
[Code].....
View 3 Replies
Feb 12, 2015
Mail isn't leaving the queue; it's returning this error:
Feb 12 23:12:01 XXXX postfix-local[64360]: System error .qmail: Permission denied
Feb 12 23:12:01 XXXX postfix-local[64360]: Wrong permissions for .qmail
All the files within /var/qmail/ are set to the user and group "popuser", and have the necessary rwx permissions for the user/group.
The OS is CentOS.
View 5 Replies
Jul 24, 2014
Somebody is sending spam from my postfix server.
How can I locate the domain causing the problem?
View 3 Replies
Dec 10, 2014
I want to put custom values in /etc/postfix/main.cf, but I'm afraid Plesk would overwrite them during upgrade. How can I safely add custom values to main.cf and preserve them during Plesk updates?
View 1 Replies
Jun 20, 2014
My environment: Parallels Plesk v12.0.18_build1200140606.15 os_Debian 7.0 64bits - postfix
In documentation about Server-wide-mail settings
In Plesk for Linux with the Postfix mail server, you can change the IP address used for sending mail. Also, if your server sends mail from domain IP addresses, you can specify which name will be used as a host name in SMTP greetings.
Choose from the three options:
◦Send from domain IP addresses. By default, mail from each domain is sent using the domain's IP address. The host name used in SMTP greeting is defined by the configuration of the mail server.
◦Send from domain IP addresses and use domain names in SMTP greeting. If selected, Plesk changes the mail server configuration so that the SMTP greeting will contain the name of the domain from which an email message is sent.
This option prevents the sender's IP address from being put into public black lists, such as the Spamhaus or OpenBL lists. This might happen if the mail server host name is used in SMTP greeting for the messages sent from domain IP addresses. Some recipient servers consider such messages as spam.
We recommend that you use this option if you host less than 100 domains. In case of a large number of domains, using this option significantly increases the load on the server.
◦Send from the specified IP address. You might want to use certain IPv4 and IPv6 addresses for all outgoing mail.
Sending all mail from the specified address might be useful, for example, if the IP address of the mail server was put into public black lists, such as the Spamhaus or OpenBL lists. If you select None, outgoing mail will not be sent.
View 19 Replies