Install and Config PowerMTA (PMTA)

PowerMTA package includes the following files:

    PowerMTA-3.5r16-201012281936.i586.rpm
    PowerMTA-3.5r16-201012281926.x86_64.rpm
    powermta_3.5r16-201012281937_i386.deb
    pmtad_linux64
    pmtad_linux32
    license.linux64
    license.linux32

Installation Instructions

1. Add a user group

    groupadd pmta

2. Install PowerMTA on a 64-bit Linux server

    rpm -Uvh PowerMTA-3.5r16-201012281926.x86_64.rpm

It displays the following message:

    PowerMTA has been installed.  Please review the configuration
    (in /etc/pmta/config) to ensure it fits your needs.
    The PowerMTA User's Guide is available on file:/usr/share/doc/pmta/UsersGuide.pdf.

                        *** WARNING ***
    The SMTP TCP port is already in use by other software on this
    system.  Installation will continue, but in order to be able to
    start up PowerMTA you will need to stop the other software
    or reconfigure PowerMTA to use an alternative port.  See the
    manual section about startup problems for more information.
                        *** WARNING ***

    Thank you for choosing PowerMTA.
    This software requires a license to run.  To obtain a license key,
    please contact Port25 at or call +1.410.750.7687
    during office hours, U.S. Eastern Time.
    If you already received a license key from Port25, please save it
    as /etc/pmta/license before starting PowerMTA.

This means the installation succeeded. The port warning only tells you that another service is already bound to the SMTP port; stop that service, or give PowerMTA a different port, before trying to start it.

3. Copy the license file and the daemon file pmtad

    cp license.linux64 /etc/pmta/license
    cp pmtad_linux64 /usr/sbin/pmtad

4. Start the pmta service

    /etc/rc.d/init.d/pmta start

or

    service pmta start

Stop the pmta service

    /etc/rc.d/init.d/pmta stop

or

    service pmta stop

If the service fails to start, run the daemon with the --debug parameter to see why:

    /usr/sbin/pmtad --debug

5. Modify the PMTA config to allow access to the config file via a browser.

    vi /etc/pmta/config

Find http-access and add:

    http-access 21.34.56.78 admin

21.34.56.78 is your own IP address. The admin role lets that address edit the running configuration, so list only addresses you control.

Restart the pmta service:

    service pmta stop
    service pmta start

Now you can access the config file via http://mpta.mydomain.com:8080/editConfig (replace the host name with that of your own PMTA server).

Note: You don't need to restart PMTA after updating the config file in the browser.

6. The PowerMTA log file is /var/log/pmta/log

If you run into any problem during the installation, check this log file first.

7. Maximum open file descriptors

The Linux default open-file limit is 1024, which is too low for PMTA; you need to increase it.

Check the current limit:

    ulimit -n

To increase the limit, open the file:

    vi /etc/security/limits.conf

and add the following lines at the end:

    * soft nofile 65535
    * hard nofile 65535

These limits apply to PAM login sessions; a daemon started from an init script may also need the limit raised inside the script with ulimit -n.

This post is partially translated from PowerMTA安装教程完整版 (PowerMTA installation tutorial, complete edition).

Configure rDNS, MX, SPF and DKIM DNS records for a mail server

1. MX record

A mail exchanger record (MX record) is a type of resource record in the Domain Name System that specifies a mail server for a domain. An MX record consists of the fully qualified domain name of a mail host and a preference value. The host name must map directly to one or more address records (A or AAAA) in the DNS and must not point to a CNAME record.

2. SPF

Sender Policy Framework (SPF) is a simple email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is being sent from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged sender addresses, so publishing and checking SPF records can be considered anti-spam techniques.

3. DKIM

DomainKeys Identified Mail (DKIM) is an email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators and that the email (including attachments) has not been modified during transport. A digital signature included with the message can be validated by the recipient using the signer's public key published in the DNS.

DKIM Validation Tools:

http://www.mail-tester.com/

http://www.brandonchecketts.com/emailtest.php

http://dkimcore.org/tools/

4. rDNS (reverse DNS resolution)

One anti-spam technique is to check the domain names in the rDNS to see whether they are likely to belong to dial-up users, dynamically assigned addresses or other inexpensive Internet services. A recent shift has seen spam coming mainly from hosting companies, making rDNS even less useful. All of this adds to the argument that the few services that block email servers purely on the basis of rDNS are discriminating without merit and often miss out on more proactive and useful anti-spam measures.
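The MX, SPF and rDNS checks described above, as a receiving mail server would run them, as an added example that is not part of the original post. It runs against constructed zone data (the names and addresses are assumptions drawn from documentation ranges), implements only the ip4/ip6, include and all SPF terms, and adds the forward-confirmed rDNS check (PTR name resolving back to the connecting IP) that many receivers apply in place of the heuristics discussed above:

```python
import ipaddress

# Constructed zone data standing in for live DNS (assumption: offline example).
ZONE = {
    ("example.com", "MX"): ["10 mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/28 include:_spf.relay.example -all"],
    ("_spf.relay.example", "TXT"): ["v=spf1 ip4:198.51.100.5 ~all"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.com"],
}

def lookup(name, rrtype):
    return ZONE.get((name.lower(), rrtype), [])

def mx_targets_ok(domain):
    """MX targets must resolve to A/AAAA records directly, never via CNAME."""
    targets = [rr.split()[1] for rr in lookup(domain, "MX")]
    return bool(targets) and all(
        not lookup(h, "CNAME") and (lookup(h, "A") or lookup(h, "AAAA")) for h in targets)

def spf_check(ip, domain, depth=0):
    """Evaluate domain's SPF record for a connecting ip: pass, fail, softfail,
    neutral, none or permerror. Only ip4/ip6, include and all are handled."""
    if depth > 10:               # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
        if term == "all":
            return result
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return result
        elif mech == "include" and spf_check(ip, arg, depth + 1) == "pass":
            return result
    return "neutral"             # nothing matched and no 'all' term

def fcrdns(ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    return any(ip in lookup(name, "A") for name in lookup(rev, "PTR"))
```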


What is ROKSO, SBL, XBL, PBL or DBL?

ROKSO (Register of Known Spam Operations)

The Register of Known Spam Operations (ROKSO) database collates information and evidence on known persistent spam operations that have been terminated by a minimum of 3 Internet Service Providers for spam offenses.

SBL (Spamhaus Block List)

The Spamhaus Block List is a database of IP addresses from which Spamhaus does not recommend the acceptance of electronic mail.

The SBL is queryable in real time by mail systems throughout the Internet, allowing mail server administrators to identify, tag or block incoming connections from IP addresses which Spamhaus deems to be involved in the sending, hosting or origination of Unsolicited Bulk Email (aka "Spam").

XBL (Exploits Block List)

The Spamhaus Exploits Block List is a realtime database of IP addresses of hijacked PCs infected by illegal third-party exploits, including open proxies (HTTP, SOCKS, AnalogX, WinGate, etc.), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

PBL (Policy Block List)

The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer's use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.

DBL (Domain Block List)

The Spamhaus DBL is a realtime database of domains (typically web site domains) found in spam messages. Mail server software capable of scanning email message body contents for URIs can use the DBL to identify, classify or reject spam containing DBL-listed domains.

Websites to check whether your IP is on a blacklist, or to request removal from one:
http://www.mxtoolbox.com/blacklists.aspx
http://www.spamhaus.org/lookup/
http://cbl.abuseat.org/lookup.cgi
http://rbls.org/
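The lookup that sites like the ones above perform against the combined Spamhaus ZEN zone (SBL, XBL and PBL together), plus a receiving-side policy built on the answer, as an added example that is not part of the original post. The return-code table is the one Spamhaus documents for ZEN; the resolver answers are constructed so the code runs offline (127.0.0.2 is the standard DNSBL test address from RFC 5782):

```python
import ipaddress

# Return codes documented by Spamhaus for the combined ZEN zone: the last
# octet of the answer tells which list (SBL, XBL or PBL) produced the hit.
ZEN_CODES = {2: "SBL", 3: "SBL", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the name to resolve: the IPv4 octets reversed, then the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example only builds IPv4 queries")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

# Constructed resolver answers (assumption; these are not real listings).
FAKE_ANSWERS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2"],
    "9.113.0.203.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"],
}

def resolve_a(name):
    return FAKE_ANSWERS.get(name, [])

def lists_for(ip, resolve=resolve_a):
    """Return the set of lists ip appears on; an empty set means not listed."""
    hits = set()
    for answer in resolve(dnsbl_query_name(ip)):
        last = int(answer.rsplit(".", 1)[1])
        hits.add(ZEN_CODES.get(last, "unknown(%s)" % answer))
    return hits

def smtp_policy(ip, resolve=resolve_a):
    """Receiving-side policy: reject SBL/XBL hits; a PBL-only hit marks a
    dynamic or non-MTA range, so require SMTP authentication instead."""
    hits = lists_for(ip, resolve)
    if hits & {"SBL", "XBL"}:
        return "reject"
    if "PBL" in hits:
        return "require-auth"
    return "accept"
```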


Install SS5 SOCKS5 Proxy server with multiple instances / outgoing IPs / ports

SS5 is a high-performance SOCKS proxy server implementing the SOCKS4 and SOCKS5 protocols. This step-by-step guide describes the installation and configuration of SS5 with user/password authentication on a CentOS 5.x/6.x server.

1. Download the latest source rpm from sourceforge.net

    wget http://downloads.sourceforge.net/ss5/ss5-3.8.9-8.src.rpm

2. Build the source rpm

This requires the rpmbuild tool provided by the rpm-build package. SS5 also needs the openldap-devel, pam-devel and openssl-devel development packages. Install them with the yum package manager:

For 32-bit Linux:

    yum install gcc rpm-build openldap-devel pam-devel openssl-devel

For 64-bit Linux:

    yum install gcc.x86_64 rpm-build.x86_64 openldap-devel.x86_64 pam-devel.x86_64 openssl-devel.x86_64

Install libgssapi-devel:

    yum install libgssapi-devel

Now build the source rpm to create the binary rpm package:

    rpmbuild --rebuild ss5-3.8.9-8.src.rpm

3. Install the SS5 rpm package

On CentOS 5.x, the RPM package is created under /usr/src/redhat/RPMS/. On CentOS 6.x it is created in the rpmbuild/RPMS/ subdirectory of the build directory, which by default is the home directory of the user who ran rpmbuild (/root when building as root). Install the RPM package with the following command:

On CentOS 5:

    rpm -ivh /usr/src/redhat/RPMS/x86_64/ss5-3.8.9-8.x86_64.rpm    (for 64-bit Linux)
    rpm -ivh /usr/src/redhat/RPMS/i386/ss5-3.8.9-8.i386.rpm        (for 32-bit Linux)

On CentOS 6 (cd to that home directory first):

    rpm -ivh rpmbuild/RPMS/x86_64/ss5-3.8.9-8.x86_64.rpm    (for 64-bit Linux)
    rpm -ivh rpmbuild/RPMS/i386/ss5-3.8.9-8.i386.rpm        (for 32-bit Linux)

4. Run SS5 as root and change the port to 8899 (the default port is 1080)

Edit /etc/init.d/ss5 and put the following lines at the top, right after the shebang line (#!/bin/sh):

    export SS5_SOCKS_PORT=8899
    export SS5_SOCKS_USER=root

You can use any available port you want. Make sure that the port is open in the server firewall, if any. Since 8899 is above 1024, the daemon does not need root to bind it; step 8 below shows how to run instances under dedicated unprivileged users instead.

5. User/password authentication

The SS5 configuration file is /etc/opt/ss5/ss5.conf. The 'auth' directive sets the authentication policy.

For no authentication:

    auth 0.0.0.0/0 - -

For user/password authentication:

    auth 0.0.0.0/0 - u

The user/password pairs are stored in /etc/opt/ss5/ss5.passwd. Set the permissions:

    chown root:root /etc/opt/ss5/ss5.passwd
    chmod 755 /etc/opt/ss5/ss5.passwd
    chmod 755 /etc/opt/ss5

Note that mode 755 leaves the password file readable by every local account, and the file holds the passwords in clear text; on a shared host, make it readable only by the user the daemon runs as.

In /etc/opt/ss5/ss5.passwd, put the user and password separated by a space, one user/password pair per line, e.g.:

    user1 pass1
    user2 pass2

6. Set permissions (/etc/opt/ss5/ss5.conf)

Allow all hosts to connect:

    permit u 0.0.0.0/0 - 0.0.0.0/0 - - - - -

7. Start/stop/restart ss5

    service ss5 start
    service ss5 stop
    service ss5 restart

If you see an error message like the following:

    Can't create pid file /var/run/ss5/ss5.pid
    Can't unlink pid file /var/run/ss5/ss5.pid

create the directory /var/run/ss5 and start ss5 again.

The default location of the log file is /var/log/ss5/ss5.log

8. If you have a block of, say, 10 IPs, you can configure multiple ss5 instances, each using a different outgoing IP.

8.1 Create a user to run the instance:

    useradd user1 -s /bin/false -p YourPasswordHere

(useradd -p expects an already-hashed password, not clear text; since the account has no login shell, -p can also be left out entirely.)

8.2 Retrieve the user's UID (the third colon-separated field of /etc/passwd):

    awk -F: '/^user1:/{print $1,$3}' /etc/passwd

8.3 Configure the firewall to set the outgoing IP:

    iptables -t mangle -A OUTPUT -m owner --uid-owner USER_UID -j MARK --set-mark USER_UID
    iptables -t nat -A POSTROUTING -m mark --mark USER_UID -j SNAT --to-source 24.68.1.1

(replace USER_UID with the number printed in step 8.2)

To review the firewall rules:

    iptables -nvL -t nat
    iptables -nvL -t mangle

8.4 Start the instance with the specific user, IP and port:

    ss5 -u user1 -b 24.68.1.1:10001

Note: make sure you open port 10001 on the firewall.

You will need to repeat this process for each IP.

Configure phplist to send email from multiple postfix instances / IP addresses

Once your postfix server has been running for a while, you may find that the bottleneck is not the hardware but the rate at which you are able to send out email to the different providers.

Instead of wasting idle resources, we can add an IP address to the server and set up Postfix in a multi-instance configuration. This way we use what we already have and double the email throughput of the server.

Preparations

1. First, we need to add one or more IP addresses to our host.

2. Make sure a postfix server is running.

3. Enable multi-instance support by running:

    postmulti -e init

4. Create the first instance:

    postmulti -I postfix-2 -G outgoing -e create

-I is the nickname for the instance. You can use the host name or whatever you like.
-G is the group name. In this post we are not using groups, so name it whatever describes it best. One use for groups is the ability to reload some of the instances while keeping the rest running.

The process creates new folders to hold both the configuration and the postfix mail queue. The structure is fairly simple but important to know when interacting with the instances:

Configuration files such as main.cf will be under /etc/instancename/, in our example /etc/postfix-2/
The queue will be under /var/spool/instancename/, in our example /var/spool/postfix-2/

5. Assigning an IP address to an instance

Let's assume that we have two IP addresses available on the server: 192.168.50.44 and 192.168.50.45.

For the main instance, which is configured in /etc/postfix, we keep the localhost listener and add a specific address. Edit the /etc/postfix/main.cf file and look for the line:

    inet_interfaces = all

and change it to:

    inet_interfaces = localhost, 192.168.50.44

Open /etc/postfix/master.cf, look for the line:

    smtp unix - - n - - smtp

and change it to:

    smtp unix - - n - - smtp -o smtp_bind_address=192.168.50.44

This means that the base postfix instance is now listening and sending through the localhost address and 192.168.50.44.

For each of the other instances, edit the main.cf file located under /etc/instancename and specify which IP address it will use. To follow our example, edit /etc/postfix-2/main.cf and replace:

    inet_interfaces = all

with:

    inet_interfaces = 192.168.50.45

Open /etc/postfix-2/master.cf, look for the line:

    smtp unix - - n - - smtp

and change it to:

    smtp unix - - n - - smtp -o smtp_bind_address=192.168.50.45

6. Restart the postfix service after making these changes.

7. Install one or more phplist instances.

8. Configure each phplist to send email through a different postfix instance

Add the following line at the beginning of admin/index.php:

    putenv("MAIL_CONFIG=/etc/postfix-2");

(note: use a variable in place of "postfix-2" if you only have one phplist install)

9. Specify the list of user names allowed to submit mail in /etc/postfix/main.cf or /etc/postfix-2/main.cf for each instance:

    authorized_submit_users = testuser

10. (Optional) Commands to start/stop/enable/disable a postfix instance:

    postmulti -i postfix-2 -p start
    postmulti -i postfix-2 -p stop
    postmulti -i postfix-2 -e enable
    postmulti -i postfix-2 -e disable

Now we can schedule multiple phplist instances to run at the same time, and we have doubled the email throughput of the server.