Rspamd – disable greylist for mail recipient

So, I had a request from user to disable greylisting for he’s mail account only. Greylisting on server otherwise should be enabled. Rspamd offers few different filters to disable greylist: for IP, for sender domain, but I didn’t see any options for recipient.

Here is a simple lua script which disables greylisting for a specific recipient on your mail server. To do exactly like described here, you should upgrade your Rspamd to at least 3.11.

First, create file “/etc/rspamd/lua.local.d/disable_gl.lua” and add code bellow. Also, create “/etc/rspamd/maps.d/disable_grey.map” map file which will contain with recipient addresses with greylist disabled.

local rspamd_logger = require "rspamd_logger"
local rspamd_util = require "rspamd_util"

local disable_grey_map = rspamd_config:add_map({
    type = "regexp",
    url = "/etc/rspamd/maps.d/disable_grey.map",
    description = "Disable greylisting map"
})


local function disable_greylisting(task)
    local rcpt = task:get_recipients("smtp")
    if not rcpt then return end

    for _, r in ipairs(rcpt) do
	if disable_grey_map and disable_grey_map:get_key(r['addr']) then
            rspamd_logger.infox(task, "Disabling greylisting for recipient: %s", r['addr'])
            task:disable_action('greylist')
            return
        end
    end
end

rspamd_config:register_symbol({
    name = "DISABLE_GREYLIST",
    type = "callback",
    callback = disable_greylisting
})

cPanel – wrong PHP version when running composer in cPanel’s user account shell

If you’re reading this, you are probably having an issue because your composer is returning wrong (system default – native) PHP version. In this case, I tried to change to set PHP CLI version for composer from 7.2 to 8.2. In my case, this was done on CloudLinux environment where alt-php versions are in /opt/alt/. If you are using different PHP manager, find where your PHP binaries are.
I was getting this error:

[thisisme@cp ~]$ composer install
...
  Problem 1
    - Root composer.json requires php >=8.1 but your php version (7.2.34) does not satisfy that requirement.
...

You have to call composer with correct PHP binary. In my case, binary for version 8.2:

[thisisme@cp ~]$ /opt/alt/php82/usr/bin/php /opt/cpanel/composer/bin/composer diagnose
Checking platform settings: OK
Checking git settings: OK git version 2.43.2
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com rate limit: OK
Checking disk free space: OK
...
Checking composer version: You are not running the latest stable version, run `composer self-update` to update (2.6.5 => 2.8.5)
Composer version: 2.6.5
PHP version: 8.2.27
...

If you don’t want to execute this huge line every time you want to run composer command, create a simple alias, and you should be set:

[thisisme@cp ~]$ vi .bashrc
# add this to the end of the file
alias composer=”/opt/alt/php82/usr/bin/php /opt/cpanel/composer/bin/composer”
[thisisme@cp ~]# source .bashrc

And now you can run simpler version:

[thisisme@cp ~]$ composer diagnose
Checking platform settings: OK
Checking git settings: OK git version 2.43.2
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com rate limit: OK
Checking disk free space: OK
Checking composer version: You are not running the latest stable version, run `composer self-update` to update (2.6.5 => 2.8.5)
Composer version: 2.6.5
PHP version: 8.2.27
...

Postfix – rewrite From address and add Reply-to header with primary address

So I had an objective to create a mailing server with one DKIM key which would serve as mailing server for contact forms … Idea is, that you don’t need multiple DKIM keys as mail is sent from single domain, but in the same time, it should add reply-to header with primary email address so that when reply to this mail, user will send to real mail address.

I had problem rewriting From header and add reply-to header with primary mail address at the same time. I then discovered that you can’t define From in header_checks multiple times. Only first one will be processed. At first, I had an idea that first rule would add reply-to header with primary mail, then second rule would rewrite primary address with new domain part.

My wish was also, that first (user) part of email address should be kept and rewrote with new domain. I used sender_canonical for rewriting domain, but still no luck. In mail headers there was still old From mail and DKIM was not signed as domain didn’t match. What did the trick was adding local_header_rewrite_clients. This allowed postfix to rewrite headers to authenticated users and those defined in mynetworks.

Here is the whole configuration:

main.cf:
### rewrite domain & add reply-to & rewrite message-id
local_header_rewrite_clients = permit_sasl_authenticated, permit_mynetworks
canonical_classes = envelope_sender, header_sender
canonical_maps = regexp:/etc/postfix/sender_canonical
header_checks = regexp:/etc/postfix/header_checks

header_checks:
/^From:\s*(.*<)?([^@]+)@([^>]+)>?/ PREPEND Reply-To: <${2}@${3}>
/^Message-Id:\s+<(.*?)@([^>]+)>/ REPLACE Message-Id: <${1}@newdomain.com>

sender_canonical:
/^<?([^@]+)@[^> ]+>?$/ ${1}@newdomain.com
DKIM SigningTable:
*@newdomain.com newdomain.com

Then define your hostname of mailing server in your application to use as mailing service. In my case, user has to authenticate. If you send mail from username@mydomain.com, reply-to header with the same address would be added, From would be replaced with username@newdomain.com and DKIM would be successfully signed with newdomain.com. If end user replyes to this mail, Return-to is defined and mail would be sent to primary address username@mydomain.com and not non-existing username@newdomain.com.

Directadmin – building PHP 8.3 returns error: iconv does not support errno

I tried to install additional PHP version 8.3 and get this error:

directadmin checking if iconv supports errno… configure: error: iconv does not support errno

System is using old iconv version and Directadmin is not using its own libiconv anymore. You can use iconv version from /usr/local instead. Go to /usr/local/directadmin/custombuild/configure/php/configure.php83 and add this line:

--with-iconv=/usr/lib \

Then install new PHP version and it should work:

[root@server custombuild]# ./build php_expert 8.3 php-fpm

Icinga2 reporting error – Invalid filter / can’t generate report

I installed reporting module on our Icinga2 monitoring system, so I would be able to generate some SLA report for one of our client which has a lot of servers. I installed the module and wanted to make the filter so that the report would be generated only for hosts with “example” string in hostname.

In Icinga2 documentation, this is done simply with match function, like this:

match("*example*",host.name)

This gave me error:

Invalid filter "match("*example*",host.name)", unexpected ( at pos 6 (Parser.php:561)

#0 /usr/share/icinga-php/ipl/vendor/ipl/web/src/Filter/Parser.php(285): ipl\Web\Filter\Parser->parseError()
#1 /usr/share/icinga-php/ipl/vendor/ipl/web/src/Filter/Parser.php(88): ipl\Web\Filter\Parser->readFilters()
#2 /usr/share/icinga-php/ipl/vendor/ipl/web/src/Filter/QueryString.php(44): ipl\Web\Filter\Parser->parse()
...

I also tried “host.name=*example*” with empty response.
To do this properly, you must create your filter like below and it should work:

host.name~*example*

Zimbra/Carbonio – ERROR: zclient.IO_ERROR (Read timed out) (cause: java.net.SocketTimeoutException Read timed out

I was moving emails from old Zimbra installation on new Carbonio and was getting this error when trying to import user from tgz archive:

root@mail:/opt/backup# /opt/zextras/bin/zmmailbox -z -m mymail@mydomain.com postRestURL '//?fmt=tgz&resolve=skip' /opt/backup/mymail@mydomain.com.tgz
ERROR: zclient.IO_ERROR (Read timed out) (cause: java.net.SocketTimeoutException Read timed out)

There was a timeout causing this. So after quick googling around I found this solution that works:

root@mail:/opt/backup# su - zextras
zextras@mail:~$ zmlocalconfig -e socket_so_timeout=3000000

Then your restore command should work without timeout. At the end, you can reset socket_so_timeout value:

root@mail:/opt/backup# su - zextras
zmlocalconfig -u socket_so_timeout


Directadmin – server-<YOUR IP>.da.direct was skipped due to unreachableDirectadmin

I just migrated Directadmin server to a new one. On the new one, there was some temporary hostname, that I guess Directadmin provides. It was http://server-<IP ADDRESS>.da.direct. I changed hostname of machine and did everything, but wasn’t able to generate Letsencrypt certificate for my directadmin server hostname. 

When try to generate certificate I was getting error below. I rewrite configs, run changehostname.sh, did all sort of things, but wasn’t able to get pass this error:

[root@da scripts]# ./letsencrypt.sh request `hostname` 4096
Setting up certificate for a hostname: my.dahostname.com
server-1-1-1-1da.direct was skipped due to unreachable http://server-1-1-1-1.da.direct/.well-known/acme-challenge/ file.
No domains pointing to this server to generate the certificate for.

After an hour, I found this answer from gentleman named “zEitEr”. I guess, when I setup new Directadmin server on temporary IP, acme account for letsencrypt was created with directadmins temporary hostname – server-<MY IP ADDRESS>.da.direct. What I did, was removed all letsencrypt accounts and regenerated them:

[root@da ~]# rm -rf /usr/local/directadmin/data/.lego/*
[root@da scripts]# ./letsencrypt.sh request `hostname` 4096
Setting up certificate for a hostname: my.dahostname.com
2024/02/16 13:31:42 No key found for account admin@my.dahostname.comGenerating a 4096 key.
2024/02/16 13:31:45 Saved key to /usr/local/directadmin/data/.lego/accounts/acme-v02.api.letsencrypt.org/admin@my.dahostname.com/keys/admin@my.dahostname.com.key
2024/02/16 13:31:45 [INFO] acme: Registering account for admin@my.dahostname.com
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/usr/local/directadmin/data/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/02/16 13:31:45 [INFO] [my.dahostname.com] acme: Obtaining SAN certificate
2024/02/16 13:31:46 [INFO] [my.dahostname.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/315898412537
...
Certificate for my.dahostname.com has been created successfully!
DirectAdmin certificate has been setup.
Setting up cert for Exim...
...

Hope that helps to save some nerves. Thanks to zEitEr

Nginx Proxy Manager – lock administration on IP or password

Nginx Proxy Manager is a great tool for managing proxy vhosts. Specially useful when dealing with Docker containers. By default, you can access administration from everywhere through default port 81. Here is how you can simply lock it with password or limit it so that is accessible from specified IPs.

First login into admin panel and create Access List which will contain access rules:

You can limit to be accessible from IPS:

or with password:

Then, create a new Proxy Host that will have backend set to nginx proxy manager administration. In my case, “proxy-manager” is the host of my nginx proxy manager container. Don’t forget to set Access List to the one that we created in the previous step.

Then change value  in your docker-compose file so that port 81 will be on localhost only:

version: '4.3'
services:
proxy-manager:
image: 'jc21/nginx-proxy-manager:latest'
container_name: proxy-manager
restart: always
ports:
- "80:80" # Public HTTP Port
- "443:443" # Public HTTPS Port
- "127.0.0.1:81:81" # Admin Web Port

Administration is now reachable through subdomain https://admin.domain.com/ and only from IPs that we set in above step – or with password. It is advisable that you make some random URL like https://siudhfoisdiishjw0ion094ioejvn.domain.com when creating administration access.

Calculate average memory consumption of php-fpm processes

Here is one liner which gives you average memory consumption of php-fpm processes.

 ps --no-headers -o "rss,cmd" -C "php-fpm" |  awk '{ sum+=$1 } END { printf ("%d%s\n", sum/NR/1024,"M") }'

If you have more pools, you can grep for specific pool and get average for that one:

 ps --no-headers -o "rss,cmd" -C "php-fpm" | grep <mypool2> |  awk '{ sum+=$1 } END { printf ("%d%s\n", sum/NR/1024,"M") }'

SSH: Server refused public-key signature despite accepting key!

This will be quick one :). If you are trying to connect to a server via SSH with Putty in combination with Pageant, and you are expecting an error message in the title of this post, chances are, your version of Pageant is too old. Upgrade your Pageant to the latest version and you should be good to go.

© 2025 geegkytuts.net
Hosted by SIEL


About author