mailserv52


David Gnojek

Jan 14, 2013, 4:38:35 PM
to mail...@googlegroups.com
Hi guys,

Has anybody tested mailserv on obsd52 already?

I played with it a bit. Installation, mail services and webmin work, but not roundcube.

PHP scripts end up with blank pages for me, so the issue sits between nginx and php-fpm now.

Here is a test installation if somebody is interested in helping.
export PKG_PATH=http://ftp.OpenBSD.org/pub/OpenBSD/`uname -r`/packages/`uname -m`/
pkg_add git
cd /var
git clone git://github.com/dagn/mailserv.git
cd /var/mailserv/install
./install.sh --devel

(install with php5.3, mysql 5.3)


Cheers

David

David Gnojek

Jan 16, 2013, 5:41:09 PM
to mail...@googlegroups.com
So after a bit of digging, it seems the webmail symbolic link causes these problems. It does not run properly with nginx.

When I opened webmail directly at https://mailserv.domain.com/roundcubemail-0.8.4/ rcube rendered properly and PHP works fine.

joko kusdiyanto

Jan 17, 2013, 4:09:06 AM
to mail...@googlegroups.com
I've tried installing in a VMware environment.
It seems to work fine (for sending email); I haven't tested receiving email yet.
Still working to find out why these log entries occur in php-fpm.log:

[17-Jan-2013 15:59:10] NOTICE: fpm is running, pid 22008
[17-Jan-2013 15:59:10] NOTICE: ready to handle connections
[17-Jan-2013 15:59:28] ERROR: unable to bind listening socket for address '127.0.0.1:9000': Address already in use (48)
[17-Jan-2013 15:59:28] ERROR: FPM initialization failed
[17-Jan-2013 15:59:48] ERROR: unable to bind listening socket for address '127.0.0.1:9000': Address already in use (48)
[17-Jan-2013 15:59:48] ERROR: FPM initialization failed

Marcus Bointon

Jan 17, 2013, 5:05:20 AM
to mail...@googlegroups.com
On 17 Jan 2013, at 10:09, joko kusdiyanto <kusdi...@gmail.com> wrote:

> [17-Jan-2013 15:59:10] NOTICE: fpm is running, pid 22008
> [17-Jan-2013 15:59:10] NOTICE: ready to handle connections
> [17-Jan-2013 15:59:28] ERROR: unable to bind listening socket for address '127.0.0.1:9000': Address already in use (48)
> [17-Jan-2013 15:59:28] ERROR: FPM initialization failed
> [17-Jan-2013 15:59:48] ERROR: unable to bind listening socket for address '127.0.0.1:9000': Address already in use (48)
> [17-Jan-2013 15:59:48] ERROR: FPM initialization failed

I don't know why it's doing that, but it should be using a unix socket anyway, not a TCP one.

Marcus

David Gnojek

Jan 17, 2013, 10:39:43 AM
to mail...@googlegroups.com
It seems the notice in the php-fpm logs is initiated by god (/etc/god/php.god), which is checking the service.

Setting the unix socket is possible as well; we can give it a try.
It is necessary to replace a few things
in nginx.conf

fastcgi_pass unix:/tmp/php.sock;

and in /etc/php-fpm.conf set

listen = /tmp/php.sock
listen.owner = www
listen.group = www
listen.mode = 0666

joko kusdiyanto

Jan 18, 2013, 3:40:07 AM
to mail...@googlegroups.com
And now php-fpm spawns every 20 seconds :( too many

[18-Jan-2013 15:34:40] NOTICE: fpm is running, pid 7573
[18-Jan-2013 15:34:40] NOTICE: ready to handle connections
[18-Jan-2013 15:35:00] NOTICE: fpm is running, pid 26541
[18-Jan-2013 15:35:00] NOTICE: ready to handle connections
[18-Jan-2013 15:35:20] NOTICE: fpm is running, pid 17818
[18-Jan-2013 15:35:20] NOTICE: ready to handle connections
[18-Jan-2013 15:35:41] NOTICE: fpm is running, pid 21931
[18-Jan-2013 15:35:41] NOTICE: ready to handle connections
[18-Jan-2013 15:36:01] NOTICE: fpm is running, pid 13306
[18-Jan-2013 15:36:01] NOTICE: ready to handle connections
[18-Jan-2013 15:36:21] NOTICE: fpm is running, pid 17504
[18-Jan-2013 15:36:21] NOTICE: ready to handle connections

David Gnojek

Feb 14, 2013, 6:09:30 PM
to mail...@googlegroups.com
Fixed the php watchdog /etc/god/php.god, which did not run properly.
Finally it works.

God.watch do |w|
  w.name = "php"
  w.interval = 30.seconds          # default polling interval for this watch
  w.pid_file = "/var/run/php-fpm.pid"
  w.start = "/usr/local/sbin/php-fpm-5.3 -y /etc/php-fpm.conf"
  w.stop = "kill `cat /var/run/php-fpm.pid`"
  w.restart = "kill -HUP `cat /var/run/php-fpm.pid`"
  w.start_grace = 20.seconds       # settle time after a start
  w.restart_grace = 10.seconds     # settle time after a restart

  # Start php-fpm only when the process named in pid_file is not running.
  w.start_if do |start|
    start.condition(:process_running) do |c|
      c.interval = 5.seconds
      c.running = false
    end
  end
end

joko kusdiyanto

Feb 18, 2013, 12:24:12 AM
to mail...@googlegroups.com
OK, I've tried reinstalling mailserv52 (and tested using data from mailserv50).
It seems to work fine :) with modifications to some files.
These are the steps:
1. Install with the --devel option (as David says)

  export PKG_PATH=http://ftp.OpenBSD.org/pub/OpenBSD/`uname -r`/packages/`uname -m`/

  pkg_add git
  cd /var
  git clone git://github.com/dagn/mailserv.git 
  cd /var/mailserv/install
  ./install.sh --devel

2. After installation, change some settings in /etc/php-fpm.conf

- change user and group

;user = _nginx
;group = _mailserv
user = www
group = www

(or you can adduser _nginx and make it a member of the _mailserv group)

- change the listening socket from a TCP socket to a unix socket
;listen = 127.0.0.1:9000
listen = /tmp/php.sock

- set permissions for the socket

listen.owner = www
listen.group = www
listen.mode = 0666

3. In /etc/nginx/fastcgi_params, delete this line
fastcgi_param  HTTPS              $https if_not_empty;

4. Make some modifications to /etc/nginx/nginx.conf
  
  server {
    listen 80;
    location / {
      rewrite /(.*) https://$host/$1 redirect;
    }
  }

  server {
    listen 443;
    ssl    on;
    root /var/www/webmail;

    index  index.html index.htm index.php;

    # Hand .php requests to php-fpm over the unix socket
    location ~ \.php$ {
      fastcgi_pass   unix:/tmp/php.sock;
      fastcgi_index  index.php;
      include        fastcgi_params;
      fastcgi_param  HTTPS on;
      fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    }
  }

5. Create an index.php file at /var/www/webmail/index.php
<?php header( 'Location: webmail/' ); ?>

6. Follow David's steps for /etc/god/php.god
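
An added example, not part of the original post or of mailserv: a check that nginx's fastcgi_pass target and php-fpm's listen address agree, and that flags a socket any local user can connect to. The sample configs are constructed from the settings quoted above; the function names are hypothetical.

```python
import re

# Constructed sample: php-fpm settings as quoted in this thread.
PHP_FPM_CONF = """
;listen = 127.0.0.1:9000
listen = /tmp/php.sock
listen.owner = www
listen.group = www
listen.mode = 0666
"""

# Constructed sample: nginx fragment with a slip in the socket path.
NGINX_CONF = r"""
server {
  listen 443;
  location ~ \.php$ {
    fastcgi_pass   unix:/tmp/php.socket;
    include        fastcgi_params;
  }
}
"""

def fpm_settings(text):
    """Return the active (uncommented) key = value pairs of a php-fpm.conf."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # ';' starts a comment
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def nginx_fastcgi_targets(text):
    """Return every fastcgi_pass target found in an nginx config."""
    targets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]              # '#' starts a comment
        m = re.search(r"\bfastcgi_pass\s+([^;]+);", line)
        if m:
            targets.append(m.group(1).strip())
    return targets

def check(fpm_text, nginx_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    fpm = fpm_settings(fpm_text)
    listen = fpm.get("listen", "")
    is_unix = listen.startswith("/")
    expected = "unix:" + listen if is_unix else listen
    for target in nginx_fastcgi_targets(nginx_text):
        if target != expected:
            findings.append(
                f"mismatch: nginx passes to {target}, php-fpm listens on {expected}")
    if is_unix:
        mode = fpm.get("listen.mode")
        # Connecting to a unix socket needs write permission on it.
        if mode is not None and int(mode, 8) & 0o002:
            findings.append(
                f"socket mode {mode}: any local user can send requests to the pool")
        if listen.startswith("/tmp/"):
            findings.append("socket path is in /tmp, writable by every local user")
    return findings

if __name__ == "__main__":
    for finding in check(PHP_FPM_CONF, NGINX_CONF):
        print(finding)
```

With nginx and the pool both running as www, a socket outside /tmp with mode 0660 (an assumed value, not one given in the thread) passes all three checks.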
  


Synchro

Feb 18, 2013, 10:19:47 AM
to mail...@googlegroups.com
I've been hacking on this.

For some reason I'm ending up with two versions of nginx installed. The main one, installed in /usr/local/sbin/nginx, is from the pkg_add call and is version 1.0.15, which is the stock OpenBSD package. There is a second installation in /usr/sbin/nginx which is version 1.2.2, and as yet I can't see where that's come from - obviously we should only have one copy! I'd guess that it's being installed as some dependency as it doesn't appear in any of the mailserv scripts.

The comment posted in this thread about the "fastcgi_param HTTPS" line applies here because that format was introduced in nginx 1.1.11, so won't work in the stock nginx, but will in the later one. It's there because it's installed by the newer nginx package, which is evidently overwriting the stock config file. It's also a problem because the default path ends up with /usr/sbin before /usr/local/sbin, so if you just run 'nginx', you get the wrong version.

All the config scripts point at the stock package rather than the new one, so things are broken by default at present.

I've done numerous other changes:
  • Changed to a completely stock php.ini-production ini file, then moved all the changes relative to that into a separate config file so that they are all in one place.
  • Lowered nginx thread count to match openbsd limit (avoids an error message).
  • Removed log viewing for a non-existent file in UI.
  • Fixed some ownerships as mentioned in this thread (run nginx as www user).
  • Added notes for alternative install packages.
  • Moved the PHP socket to /var/run/php-fpm.sock so it's consistent with other sockets.
  • Added a symlink for running php from command line.
Please have a play with my config which you'll find in my devel branch at https://github.com/Synchro/mailserv 

Synchro

Feb 19, 2013, 6:01:59 PM
to mail...@googlegroups.com
I've made some progress on this. I'm fairly sure that nginx 1.2.2 is installed as a gem dependency as the installation stops with no output for quite a while at that point (when it might be compiling/installing), though I've not nailed that down for sure.

I've fixed the broken fastcgi_params file that it installs (by disabling the offending line using gsed), so now the whole install script completes without errors. A few other fixes too, including a fairly important security fix for the nginx PHP config.

joko kusdiyanto

Feb 20, 2013, 10:26:47 PM
to mail...@googlegroups.com
tested and works!



Wesley MOUEDINE ASSABY

Feb 21, 2013, 3:07:31 PM
to mail...@googlegroups.com
Hi everyone,

I have also done tests, and for me (I tested admin web, webmail, send/receive emails) it works.

You can test it using this link : http://www.mouedine.net/mailserv52/

Regards

--
Wesley

Marcus Bointon

Feb 21, 2013, 3:21:58 PM
to mail...@googlegroups.com
Glad to hear it's working for everyone! I've rebased and made a pull request for my changes.

Anyone got an idea of what's installing nginx 1.2.2?

Marcus

David Gnojek

Feb 21, 2013, 3:55:00 PM
to mail...@googlegroups.com
Hi Marcus and others,

Thanks for your work. Good point about the double nginx in the system. I played with a clean OBSD52 installation and found out that nginx 1.2.2 is installed there by default in the system right after installation (/usr/sbin/nginx). So the gem install in our scripts did not do this.

The release info says that nginx 1.2.2 replaced the old apache 1.3.
http://www.openbsd.org/faq/faq1.html

1) so we have to figure out how to uninstall it before mailserv is installed
or
2) leave the default ng1.2.2 running and disable the nginx installation from package.




Marcus Bointon

Feb 21, 2013, 4:14:54 PM
to mail...@googlegroups.com

On 21 Feb 2013, at 21:55, David Gnojek <gno...@gmail.com> wrote:

> 2) leave running default ng1.2.2 and disable the nginx installation from package.

Well that explains it, but it seems a bit strange that the default version doesn't match what's in packages - it's not as if we're installing an old version on purpose! I'd definitely vote for using the later version; it would also avoid the problem with fastcgi_params.

Marcus

David Gnojek

Feb 21, 2013, 5:46:00 PM
to mail...@googlegroups.com
Placed the mailserv:devel branch into the mailserv:stable branch.

Pulled the 5.2 tweaks into mailserv:devel.





Marcus Bointon

Feb 21, 2013, 7:28:03 PM
to mail...@googlegroups.com
I've had a quick look into the nginx issue. It's not quite as simple as switching /usr/local/sbin/nginx to /usr/sbin/nginx (what's in my devel fork right now) because the built-in nginx runs chrooted, so we need to have a think about the paths and where things are installed. It may be fixable with a few symlinks.

Marcus

eker...@web.de

Feb 24, 2013, 1:39:06 AM
to mail...@googlegroups.com
Hello David Gnojek and all,

I'm now using this superb mailserv on OpenBSD 5.2 and am satisfied with it after many trials of my own home-made mail servers with postfix/courier/squirrelmail etc. and some other open-source mail servers!

I'm running OpenBSD/FreeBSD/Ubuntu/CentOS on a very small scale on my own web hosting.
Now I have a problem with a mail system HACK, possibly some scripts on my CMS file systems, which I found later and removed,
but I'm not 100% sure. The issue is: I'm getting mass mails with forged user accounts, which I do not have in the user database, with my @domain.com!
These mails naturally get rejected and go out as bounces; this makes as many as hundreds of emails per minute from the mailserv through my ISP, which blocks my outgoing Internet connections!
Then I do not have internet access!!
I would be grateful if you could tell me how I can stop these outgoing mails, which get rejected through the mailserv.
I tried to figure it out but I'm new to this mailserv!
 
Best regards,
 
Sisantha

Sent: Thursday, 21 February 2013 at 23:46
From: "David Gnojek" <gno...@gmail.com>
To: mail...@googlegroups.com
Subject: Re: [mailserv] mailserv52

Marcus Bointon

Feb 24, 2013, 2:26:08 AM
to mail...@googlegroups.com
On 24 Feb 2013, at 07:39, eker...@web.de wrote:
> I'm running OpenBSD/FreeBSD/Ubuntu/CentOS on a very small scale on my own web hosting.
> Now I have a problem with a mail system HACK, possibly some scripts on my CMS file systems, which I found later and removed,
> but I'm not 100% sure. The issue is: I'm getting mass mails with forged user accounts, which I do not have in the user database, with my @domain.com!
> These mails naturally get rejected and go out as bounces; this makes as many as hundreds of emails per minute from the mailserv through my ISP, which blocks my outgoing Internet connections!

First check your logs - they are visible in the admin UI. If it's using a hole in roundcube, you would expect to see the outbound messages (and bounces) mentioned in the mail log, and hits on roundcube in the httpd.log. You'd also expect to see these requests coming from only a few IPs, so you can probably block them at the firewall.

Marcus
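
An added example, not part of the original reply or of mailserv: one way to run the "only a few IPs" check over a web access log. It assumes the common "combined" log layout and a /webmail/ URL prefix; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Assumed "combined" layout: ip - user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges, invented times).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Feb/2013:07:00:01 +0100] "GET /webmail/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Feb/2013:07:00:02 +0100] "POST /webmail/?_task=mail HTTP/1.1" 200 310 "-" "-"
198.51.100.23 - - [24/Feb/2013:07:00:09 +0100] "POST /webmail/?_task=mail HTTP/1.1" 200 310 "-" "-"
198.51.100.23 - - [24/Feb/2013:07:00:15 +0100] "POST /webmail/?_task=mail HTTP/1.1" 200 310 "-" "-"
198.51.100.23 - - [24/Feb/2013:07:00:31 +0100] "POST /webmail/?_task=mail HTTP/1.1" 200 310 "-" "-"
198.51.100.23 - - [24/Feb/2013:07:01:04 +0100] "POST /webmail/?_task=mail HTTP/1.1" 200 310 "-" "-"
192.0.2.10 - - [24/Feb/2013:07:03:40 +0100] "POST /webmail/?_task=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not in the expected format and is skipped
"""

def webmail_posts(log_text, prefix="/webmail/"):
    """Return {ip: Counter(minute -> POST count)} for requests under prefix."""
    per_ip = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(prefix):
            continue
        minute = m["ts"][:17]                 # e.g. "24/Feb/2013:07:00"
        per_ip.setdefault(m["ip"], Counter())[minute] += 1
    return per_ip

def suspects(log_text, prefix="/webmail/", min_share=0.5, min_peak=3):
    """Return (ip, total POSTs, peak POSTs per minute) for dominant clients.

    A client is listed when it sent at least min_share of all webmail POSTs
    and reached min_peak POSTs within a single minute.
    """
    per_ip = webmail_posts(log_text, prefix)
    total = sum(sum(minutes.values()) for minutes in per_ip.values())
    rows = []
    for ip, minutes in per_ip.items():
        hits = sum(minutes.values())
        peak = max(minutes.values())
        if hits / total >= min_share and peak >= min_peak:
            rows.append((ip, hits, peak))
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for ip, hits, peak in suspects(SAMPLE_LOG):
        print(f"{ip}: {hits} webmail POSTs, peak {peak}/minute")
```

An empty result alongside heavy outbound mail in the mail log points away from the webmail front end as the source.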

eker...@web.de

Feb 24, 2013, 3:27:31 AM
to mail...@googlegroups.com
OK, thank you for the tip.
Yes, I saw all of the logs and I intend to do the same.
But I would like to know how to not bounce all rejected mails, and instead redirect them to a spam/trash directory etc. With this, I'm dead sure that not a single spam mail is slipping through my mailserv!

Regards,

Sisantha

Sent: Sunday, 24 February 2013 at 08:26
From: "Marcus Bointon" <marcus....@gmail.com>
To: mail...@googlegroups.com
Subject: Re: [mailserv] mailserv52

Marcus Bointon

Feb 24, 2013, 3:33:34 AM
to mail...@googlegroups.com
On 24 Feb 2013, at 09:27, eker...@web.de wrote:
> But I would like to know how to not bounce all rejected mails, and instead redirect them to a spam/trash directory etc. With this, I'm dead sure that not a single spam mail is slipping through my mailserv!

This doesn't make much sense. If you know an incoming email is unacceptable, there is no benefit in accepting it at all. Rejecting it at SMTP time will not cause backscatter; accepting it could result in an effective denial of service on your own server. If spam messages are originating on your server, you need to find how they are being created. The most likely place is in roundcube, via something like unsanitised 'To' headers etc.

You need to be more specific about the problem you're having.

Marcus

eker...@web.de

Feb 24, 2013, 3:24:49 PM
to mail...@googlegroups.com
Hi Marcus,

Thanks for the good argument!

I got feedback from my ISP support saying that mails were sent through a link which was an "adu8.html" text file in my (WP theme) files folder.
The contents are: the meta tags have a link to a webpage, and then in the body tag: <body>loading...  </body>
Beyond that, I found many more "index.php, wp-xxx.php" etc. text files!
I had only 3 users on my blog, but I suspect one user (a WP prof) who accessed it put these files on the system, because this mass (massive!) mail user generating and sending phenomenon occurred directly after his login dates.
Now I have corrected the file permission accordingly, which was also not correctly inserted.

I can't analyse these PHP scripts, but they'll be absolutely interesting for the mailserv development team!
If you are interested, I'll zip them and send these files for security analysis.
 
Regards,
 
Sisantha
Sent: Sunday, 24 February 2013 at 09:33
From: "Marcus Bointon" <marcus....@gmail.com>
To: mail...@googlegroups.com
Subject: Re: [mailserv] mailserv52

Marcus Bointon

Feb 25, 2013, 1:55:42 AM
to mail...@googlegroups.com
On 24 Feb 2013, at 21:24, eker...@web.de wrote:
> I got feedback from my ISP support saying that mails were sent through a link which was an "adu8.html" text file in my (WP theme) files folder.
> The contents are: the meta tags have a link to a webpage, and then in the body tag: <body>loading...  </body>
> Beyond that, I found many more "index.php, wp-xxx.php" etc. text files!
> I had only 3 users on my blog, but I suspect one user (a WP prof) who accessed it put these files on the system, because this mass (massive!) mail user generating and sending phenomenon occurred directly after his login dates.
> Now I have corrected the file permission accordingly, which was also not correctly inserted.
>
> I can't analyse these PHP scripts, but they'll be absolutely interesting for the mailserv development team!
> If you are interested, I'll zip them and send these files for security analysis.

You installed wordpress on your mail server instance? Bad idea. Wordpress has a very poor security history. It sounds like you're allowing (probably unintentionally) uploads that can contain executable PHP. The problem you're having here is nothing to do with mailserv. If you were having this problem on a clean-installed mailserv it would be a different matter.

Marcus

David Gnojek

Feb 25, 2013, 3:41:17 PM
to mail...@googlegroups.com
Yep, it's chrooted; this was the thing I fought with in the beginning. I did not know there were both nginxes, but ran on the system-integrated nginx.

I've redone the symlink to mailserv. The original symlink points to an absolute path, so nginx cried that the path does not exist. (BTW, the symbolic link does not have to be a chroot folder.)

 # cd /var/www/webmail/
 # ln -s roundcubemail-0.8.4/ webmail


On Fri, Feb 22, 2013 at 1:28 AM, Marcus Bointon <marcus....@gmail.com> wrote:
> I've had a quick look into the nginx issue. It's not quite as simple as switching /usr/local/sbin/nginx to /usr/sbin/nginx (what's in my devel fork right now) because the built-in nginx runs chrooted, so we need to have a think about the paths and where things are installed. It may be fixable with a few symlinks.
>
> Marcus

David Gnojek

Feb 25, 2013, 4:06:18 PM
to mail...@googlegroups.com
Hi Sisantha,

To avoid these problems I would rather run web content like WP on a different, dedicated webserver VM. The mail server is mainly dedicated to mailing :)
Or, if there is no other way, use the latest patches for your CMS.

Cheers

david

eker...@web.de

Feb 25, 2013, 4:35:47 PM
to mail...@googlegroups.com
No, not WordPress; Drupal with a WordPress theme, and it is on another server.
The mail server has only the required minimum installation of OpenBSD 5.1 (not 5.2 as stated).
What I found, these wp-sample.php, inex.php, infoMb6.ph, wishlistUOwL.php etc. test data which I deleted later, have been placed by a bad guy. I think, if it was the case that mass-mail-sending PHP scripts ran from the server itself, there is no way to stop it until one detects them; even virus scanning gives no clues, as they just sit there like ordinary files!!
These scripts would be very, very interesting for you as well to study and get a good knowledge of, to counter them later on.
Please let me know if you are interested in seeing these scripts.

Cheers,

Sisantha

Sent: Monday, 25 February 2013 at 07:55
From: "Marcus Bointon" <marcus....@gmail.com>
To: mail...@googlegroups.com
Subject: Re: [mailserv] mailserv52

eker...@web.de

Feb 25, 2013, 5:19:37 PM
to mail...@googlegroups.com
Hi David,
thanks.
I have dedicated servers for CMS etc., which are now in a FreeBSD jail, one on CentOS and one on Ubuntu/Zentyal SBS systems, and mailserv is also on a dedicated server.
The point is: there is no way to stop mass mail sendings (originating) from the CMS server, which has a PHP script inserted through a user!!
And updating the CMS is also of no use.
Now I have removed those scripts, but the lesson I learned here is: there is no chance against users adding malware into their files which activates such actions!

Are you interested in seeing these scripts?

Cheers,

Sisantha

Sent: Monday, 25 February 2013 at 22:06
From: "David Gnojek" <gno...@gmail.com>
To: mail...@googlegroups.com
Subject: Re: Re: [mailserv] mailserv52

Marcus Bointon

Feb 26, 2013, 2:33:20 AM
to mail...@googlegroups.com
On 25 Feb 2013, at 23:19, eker...@web.de wrote:
> Now I have removed those scripts, but the lesson I learned here is: there is no chance against users adding malware into their files which activates such actions!
>
> Are you interested in seeing these scripts?

There is a simple solution: don't allow your users to upload executable content. If you apply basic security measures against such things you won't have these problems.

Please stop hijacking this thread about problems that are not related to mailserv and ask in a wordpress forum.

Marcus

eker...@web.de

Feb 26, 2013, 4:53:29 AM
to mail...@googlegroups.com
Ok, sure I'll do.

cheers,

sisantha

Sent: Tuesday, 26 February 2013 at 08:33
From: "Marcus Bointon" <marcus....@gmail.com>
To: mail...@googlegroups.com
Subject: Re: [mailserv] mailserv52

eker...@web.de

Feb 28, 2013, 11:12:40 AM
to mail...@googlegroups.com
Hi,

Sorry for the misunderstanding!

Is there any possibility in the mailserv system to stop sending from non-user accounts (which are not in the mailserv database), i.e. ESMTP or a similar way?
What I would also like to know is how to authenticate before sending emails etc.
 
Best regards,
 
Sisantha 

Sent: Tuesday, 26 February 2013 at 10:53
From: eker...@web.de
To: mail...@googlegroups.com
Subject: Re: Re: [mailserv] mailserv52

Marcus Bointon

Feb 28, 2013, 12:05:23 PM
to mail...@googlegroups.com
On 28 Feb 2013, at 17:12, eker...@web.de wrote:

> Is there any possibility in the mailserv system to stop sending from non-user accounts (which are not in the mailserv database), i.e. ESMTP or a similar way?
> What I would also like to know is how to authenticate before sending emails etc.

There is no authentication on sendmail so that's hard to block that way. Ideally you would not be running anything else on your mailserv so that everything has to go through SMTP, which does require authentication.

Marcus

David Gnojek

Mar 11, 2013, 6:52:41 PM
to mail...@googlegroups.com
+ Practically, nginx & php work fine for me now on the current 5.2 devel branch.

+ The issue is that Dovecot does not start properly from God.

Nov  7 23:32:11 mailserv52 dovecot: master: Error: service(dns_client): pipe() failed: Too many open files
Nov  7 23:32:21 mailserv52 dovecot: anvil: Fatal: Error reading configuration: Timeout reading config from /var/dovecot/config

Up to now I have tested setting the following parameters in login.conf,
without success:
dovecot:\
 :openfiles-cur=512:
 :openfiles-max=2048:
 :tc=daemon:


+ Works fine from the command line: # dovecot -c /etc/dovecot.conf

