Zimbra/Carbonio – ERROR: zclient.IO_ERROR (Read timed out) (cause: java.net.SocketTimeoutException Read timed out

I was moving emails from old Zimbra installation on new Carbonio and was getting this error when trying to import user from tgz archive:

root@mail:/opt/backup# /opt/zextras/bin/zmmailbox -z -m mymail@mydomain.com postRestURL '//?fmt=tgz&resolve=skip' /opt/backup/mymail@mydomain.com.tgz
ERROR: zclient.IO_ERROR (Read timed out) (cause: java.net.SocketTimeoutException Read timed out)

There was a timeout causing this. So after quick googling around I found this solution that works:

root@mail:/opt/backup# su - zextras
zextras@mail:~$ zmlocalconfig -e socket_so_timeout=3000000

Then your restore command should work without timeout. At the end, you can reset socket_so_timeout value:

root@mail:/opt/backup# su - zextras
zmlocalconfig -u socket_so_timeout


Directadmin – server-<YOUR IP>.da.direct was skipped due to unreachableDirectadmin

I just migrated Directadmin server to a new one. On the new one, there was some temporary hostname, that I guess Directadmin provides. It was http://server-<IP ADDRESS>.da.direct. I changed hostname of machine and did everything, but wasn’t able to generate Letsencrypt certificate for my directadmin server hostname. 

When try to generate certificate I was getting error below. I rewrite configs, run changehostname.sh, did all sort of things, but wasn’t able to get pass this error:

[root@da scripts]# ./letsencrypt.sh request `hostname` 4096
Setting up certificate for a hostname: my.dahostname.com
server-1-1-1-1da.direct was skipped due to unreachable http://server-1-1-1-1.da.direct/.well-known/acme-challenge/ file.
No domains pointing to this server to generate the certificate for.

After an hour, I found this answer from gentleman named “zEitEr”. I guess, when I setup new Directadmin server on temporary IP, acme account for letsencrypt was created with directadmins temporary hostname – server-<MY IP ADDRESS>.da.direct. What I did, was removed all letsencrypt accounts and regenerated them:

[root@da ~]# rm -rf /usr/local/directadmin/data/.lego/*
[root@da scripts]# ./letsencrypt.sh request `hostname` 4096
Setting up certificate for a hostname: my.dahostname.com
2024/02/16 13:31:42 No key found for account admin@my.dahostname.comGenerating a 4096 key.
2024/02/16 13:31:45 Saved key to /usr/local/directadmin/data/.lego/accounts/acme-v02.api.letsencrypt.org/admin@my.dahostname.com/keys/admin@my.dahostname.com.key
2024/02/16 13:31:45 [INFO] acme: Registering account for admin@my.dahostname.com
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/usr/local/directadmin/data/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/02/16 13:31:45 [INFO] [my.dahostname.com] acme: Obtaining SAN certificate
2024/02/16 13:31:46 [INFO] [my.dahostname.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/315898412537
...
Certificate for my.dahostname.com has been created successfully!
DirectAdmin certificate has been setup.
Setting up cert for Exim...
...

Hope that helps to save some nerves. Thanks to zEitEr

Calculate average memory consumption of php-fpm processes

Here is one liner which gives you average memory consumption of php-fpm processes.

 ps --no-headers -o "rss,cmd" -C "php-fpm" |  awk '{ sum+=$1 } END { printf ("%d%s\n", sum/NR/1024,"M") }'

If you have more pools, you can grep for specific pool and get average for that one:

 ps --no-headers -o "rss,cmd" -C "php-fpm" | grep <mypool2> |  awk '{ sum+=$1 } END { printf ("%d%s\n", sum/NR/1024,"M") }'

SSH: Server refused public-key signature despite accepting key!

This will be quick one :). If you are trying to connect to a server via SSH with Putty in combination with Pageant, and you are expecting an error message in the title of this post, chances are, your version of Pageant is too old. Upgrade your Pageant to the latest version and you should be good to go.

Directadmin – build GeoIP2 in Directadmin’s NGINX and create country blocking for vhosts.

GeoIP is super helpful if you have troubles with a lot of nasty requests from some nasty countries :). Or, sometimes, you just want to lock some website or part of it ( administration ), so that it is accessible only from your country.

Things are a little different when you are using Directadmin control panel. I had this Directadmin with NGINX reverse proxy, so all NGINX is first point for requests made on your websites. Besides SSL offloading, you can also do filtering, country blocking … before request ends on backend ( Apache ).

So, here is how you can build GeoIP2 extension into your NGINX on Directadmin. I my case, I have Nginx as reverse proxy with Apache.

Check which NGINX version is installed on your server

[root@da nginx]# nginx -v
nginx version: nginx/1.23.1

Continue Reading

How to clean Zimbra mail queue as root user

You may come across a problem when trying to clean Zimbra mail queue as Zimbra user as lack of privileges.

When trying to log in as Zimbra and run the command below, I came across a privilege’s problem as Zimbra user was unable to run postsuper command:

[zimbra@mailmachine root]$  mailq | tail -n +2 | awk 'BEGIN { RS = "" } / spam.user@spammer.net/ { print $1 }' | tr -d '*!' | postsuper -d -
postsuper: fatal: use of this command is reserved for the superuser

If you check mail queue as root user, you won’t see Zimbra messages. What you can do, is use binaries of Zimbra. Here is how I was able to clean mail queue with root user for Zimbra:

[root@mailmachine sbin]# /opt/zimbra/common/sbin/mailq | tail -n +2 | awk 'BEGIN { RS = "" } / spam.user@spammer.net/ { print $1 }' | tr -d '*!' | /opt/zimbra/common/sbin/postsuper -d -
postsuper: F22125044F450: removed
postsuper: F24D45044B05C: removed
postsuper: F31595048D7A0: removed
postsuper: F307B50478E75: removed
postsuper: F155F5049BCF0: removed
postsuper: F3A22504CAC00: removed
postsuper: F40E2504A3B49: removed
...

This will successfully clean Zimbra mail queue – messages from user spam.user@spammer.net. You may have different paths to your mailq and postsuper. I noticed that on some installations, path is “/opt/zimbra/postfix/sbin/postsuper”.

[SCRIPT] Install mod_security with OWASP ruleset and GeoIP2 NGINX modules with script.

Because I don’t own NGINX plus, I must build mod_security and geoip2 modules manually each time I set up a new server with NGINX. It’s good practice to have both installed, as it can increase security of your web application significantly. I was getting tired of building every time, so I created a script which will do that for you. This script is build for Rocky Linux 8, so it should work on CentOS 8 (Stream), AlmaLInux …

This script will auto-detect your NGINX version and will download source, build extensions and install ModSecurity also. It will also install necessary dependencies which are needed for install.  If you encounter errors, please check for errors on which library you need. It will also install OWASP ruleset for mod_security and configure your NGINX accordingly. Path to extensions will be inserted in your NGINX configuration by script.

You should install and configure geoipupdate and add geoip definitions in your nginx configuration.

I hope this helps you and saves you some time. Feel free to modify and customize the script according to your needs.

Here is the script: build nginx modules script

Migrate email accounts to different user account on the same cPanel server

Maybe you’ll want to merge two separate cPanel accounts on the same server, but you won’t be able to, because you can’t simply just delete domain from the first account, and you can’t add domain to the second account because it exists on the first one :).

You can migrate email and other user data simply, by creating backup of user account and delete it from cPanel. Below, I will show how to migrate just email. But you can also migrate websites like this.

  1. Make copy of primary user account (if websites, also make sure to dump databases of that user)
    root@cpanel [/home]# cp -rp useraccount1  useraccount1.bak
  2. Make copy of email aliases of primary account so they wont get lost after delete of primary account
    cp /etc/valiases/userdomain.com /etc/valiases/userdomain.com.bak
  3. Delete primary user account in cPanel – useraccount1 in our case
  4. Add domain of primary account to secondary account (useraccount2). Now you’ll be able to, because domain don’t exist on the system anymore.
  5. Copy settings from primary account from backup to secondary one (the one you added domain to) and set right permissions:
    root@cpanel [/home]# cp -rp /home/useraccount1.bak/etc/userdomain.com  /home/useraccount2/etc/userdomain.com
    chown -R useraccount2: /home/useraccount2/etc/userdomain.com
  6. Copy all email accounts to new account and set right permissions
     cp -rp /home/useraccount1.bak/mail/userdomain.com /home/useraccount2/mail/userdomain.com
    
    chown useraccount2:mail /home/useraccount2/mail/userdomain.com
    
    chown -R useraccount2: /home/useraccount2/mail/userdomain.com/*
  7. Recreate alliases
    cp /etc/valiases/userdomain.com.bak  /etc/valiases/userdomain.com

That’s it. You should be able to see email accounts for userdomain.com in new cPanel account. All passwords should remain the same as before.

Change email password on Directadmin with CLI / command line

It can happen that you don’t have access to Direcadmin’s GUI, but you have root access. I had this situation with one installation with very old OS on which the license was unable to update. So because of invalid license, control panel was not accessible. You can change email password from command line like this.

  • Go to virtual directory where passwords are saved
    myDA:~# cd /etc/virtual/mydomain.com/
    myDA:/etc/virtual/mydomain.com# 
  • You can generate new crypted passowrd like bellow. “mynewpassword” is new password.
    [root@server ~]# openssl passwd -1 -salt saltsalt mynewpassword
    $1$saltsalt$XCrU04m/7D.n5Ami6FbHo/
  • Copy generated hash from previous step and change it inside  /etc/virtual/mydomain.com/passwd

That’s it. You should be able to log in into the email account with a new password.

Found this here. Thank you very much!

Country block/allow with iptables and ipset

Here is a simple way to restrict access to your server from country’s that you don’t want to be able to connect to your services. On website www.ipdeny.com you can find IP lists for specific country’s. With a simple script, you can regularly update those lists so that they are up-to-date with new addresses. In my case, I needed a way to allow some services only available from specific countries. You can also change logic a little bit and blocking only specific county. 

This will work on Linux server with installed iptables and ipset. Ipset will contain all addresses provided from ipdeny.com. 

First, if you don’t already have it, install ipset.

[root@server ~]# dnf install ipset

Then, you’ll need to create ipset array which will contain all addresses. 

ipset create allow_cc hash:net family inet hashsize 1024 maxelem 65536

Continue Reading

© 2024 geegkytuts.net
Hosted by SIEL


About author