testing eFa v4 Release Candidate 2

henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

testing eFa v4 Release Candidate 2

Post by henk »

Just did the new build from scratch. After 15 minutes, ready to log in :clap:

Had some minor issues. Could be related to NOT using IPv6 and using recursion. All the major issues are solved :clap: :violin:

The /etc/postfix/sender_canonical contained a malformed mail address.

I will mention the changes made, as not all changes are required to be up and running (IPv6-disabled version).
The lines with a # are the original values after running the EFA-Init/Configure.

1. EFA-Init

Enable IPv6 DNS: only Y will continue (I use no IPv6)

/etc/eFa/eFa-Config
CONFIGURED:YES
HOSTNAME:sansspam
DOMAINNAME:test.lan
IPV4ADDRESS:172.16.1.15
IPV6ADDRESS:
DNSIP1:
DNSIP2:
RECURSION:ENABLED
INTERFACE:eth0
IPV4NETMASK:255.255.0.0
IPV4GATEWAY:172.16.1.1
IPV6MASK:
IPV6GATEWAY:
TZONE:Europe/Amsterdam
IANA:nl
ORGNAME:kaaskoppen.nl
MAILSERVER:127.0.0.1
ADMINEMAIL:adminuser@test.lan
ISUTC:true
#IPV6DNS:yes
IPV6DNS:no

/var/log/messages
Jan 30 12:20:29 unbound: [5360:0] error: can't bind socket: Permission denied for ::
Jan 30 12:20:29 unbound: [5360:0] error: can't bind socket: Permission denied for ::

Since unbound needs to be configured per installation, at least disable IPv6 when the EFA-Init "enable IPv6" answer is no.

/etc/unbound/conf.d/unbound.conf
do-ip4: yes
do-ip6: no

2. /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.15 sansspam.test.lan sansspam

3. /etc/sysconfig/network-scripts/ifcfg-eth0

# Generated by parse-kickstart
#IPV6INIT=yes
IPV6INIT=no
IPV6_AUTOCONF=no
#IPV6_AUTOCONF=yes
BOOTPROTO="none"
DEVICE=eth0
ONBOOT=yes
UUID=xxxx
TYPE=Ethernet
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
#IPV6_DEFROUTE=yes
#IPV6_PEERDNS=yes
#IPV6_PEERROUTES=yes
NAME=eth0
#NAME="System eth0"
IPADDR="172.16.1.15"
NETMASK="255.255.0.0"
GATEWAY="172.16.1.1"
DNS1="127.0.0.1"
#DNS2="::1"
ZONE=public

4. The ifname.bak is still present; removed it.
# ls -l
total 236
-rw-------. 1 root root 444 Jan 30 12:33 ifcfg-eth0
-rw-r--r--. 1 root root 408 Jan 30 12:04 ifcfg-eth0.bak

5. /etc/sysconfig/network

# Created by anaconda and modified by henk
NETWORKING_IPV6=no
IPV6INIT=no
IPV6_AUTOCONF=no
DHCPV6=no
IPV6FORWARDING=no

6. /etc/dovecot/dovecot.conf

# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::
listen = *

7. /etc/postfix/main.cf

# Enable IPv4, and IPv6 if supported
#inet_protocols = ipv4, ipv6
inet_protocols = ipv4

#mynetworks = 127.0.0.0/8 [::1]/128
mynetworks = 127.0.0.0/8

#qmqpd_authorized_clients = 127.0.0.1 [::1]
qmqpd_authorized_clients = 127.0.0.1

/etc/postfix/header_checks

/^Received:\ from\ sansspam.test.lan\ \(localhost\ \[127.0.0.1/ IGNORE
#/^Received:\ from\ sansspam.test.lan\ \(localhost\ \[::1/ IGNORE

/etc/postfix/sender_canonical

#root@test.lan root@sansspamtest.lan <<<<<<<<<<<<<<<<<<<<<<
root@test.lan adminuser@test.lan

postmap /etc/postfix/header_checks
postmap /etc/postfix/sender_canonical


/etc/sysctl.d/disableipv6.conf
# Ensure IPv6 is disabled
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0

sysctl -p

/etc/sysconfig/chronyd

# Command-line options for chronyd
#OPTIONS=""
OPTIONS="-4"

SSH
/etc/ssh/ssh_config
# ssh_config(5) man page.

AddressFamily inet
# Host

/etc/ssh/sshd_config
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

AddressFamily inet
ListenAddress 0.0.0.0

/etc/httpd/conf/httpd.conf

#Listen 12.34.56.78:80
#Listen 80
Listen 0.0.0.0:80
#

whereis mysqltuner
mysqltuner: /usr/sbin/mysqltuner.pl

So you need to start it including the path: /usr/sbin/mysqltuner.pl
Create a link to it?
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
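After a per-service "IPv4 only" pass like the one in this post, the quickest way to see whether anything was missed is to look at the socket table rather than re-reading each config file. The POSIX shell check below is an added example, not code from henk's post or from the eFa project: it reads `ss -lntu` output (header line removed) and lists every listener still bound to an IPv6 address. The function names are mine, and the `ss` lines it runs on here are constructed, not captured from an eFa host.

```shell
#!/bin/sh
# Verify that no daemon is still bound to an IPv6 address after disabling IPv6
# service by service. Input is the socket table from `ss -lntu` without its
# header line, one socket per line, read from stdin so the same check can be
# run against a saved capture as well as live.

# Print "<netid> <local address:port>" for every listener on an IPv6 address.
ipv6_listeners() {
    # Column 5 of `ss -lntu` is Local Address:Port. Strip the trailing ":port";
    # an address that still contains ':' is IPv6 (::, [::], ::1, [::1], fe80::...),
    # while "*" and dotted quads are IPv4. This covers both the old CentOS 7
    # rendering (":::22") and the newer bracketed one ("[::]:22").
    awk '{
        addr = $5
        sub(/:[0-9]+$/, "", addr)
        if (addr ~ /:/) print $1, $5
    }'
}

# Number of IPv6 listeners in a block of ss output passed as a string.
count_ipv6_listeners() {
    printf '%s\n' "$1" | ipv6_listeners | wc -l | tr -d ' '
}

# Constructed sample in the CentOS 7 `ss -lntu` layout (not captured from an eFa
# host): the ssh, smtp and dns sockets each still have an IPv6 twin, https does not.
SAMPLE_SS_OUTPUT='tcp   LISTEN 0 128 *:22          *:*
tcp   LISTEN 0 128 :::22         :::*
tcp   LISTEN 0 100 127.0.0.1:25  *:*
tcp   LISTEN 0 100 ::1:25        :::*
udp   UNCONN 0 0   127.0.0.1:53  *:*
udp   UNCONN 0 0   [::]:53       [::]:*
tcp   LISTEN 0 128 0.0.0.0:443   0.0.0.0:*'

# Live use on the box itself (needs iproute2):
#   ss -lntu | tail -n +2 | ipv6_listeners
# Run with --demo to see the check applied to the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | ipv6_listeners
    echo "IPv6 listeners: $(count_ipv6_listeners "$SAMPLE_SS_OUTPUT")"
fi
```

An empty result means every remaining listener is IPv4; a non-empty one names the service (by port) whose own config still needs the `inet`/`ipv4`-only setting, which is more reliable than trusting the sysctl alone, since a daemon that binds `::` explicitly will still log the "can't bind socket" error seen above in /var/log/messages.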
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: testing eFa v4 Release Candidate 2

Post by shawniverson »

@henk

Working on more fixes.

Why are you so intent on trying to remove all ipv6 bindings and disabling it at the kernel and interface levels?
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: testing eFa v4 Release Candidate 2

Post by henk »

I guess it's my nature. As I disabled IPv6 in my entire internal network on every server, it doesn't make sense for a process to listen on IPv6.
On top of that, I like to understand things (a bit), just like SELinux. I always disabled it due to the lack of understanding. :shhh:
As SELinux is enabled and I know how to solve, with some great advice, SELinux-related errors, that was ok.

Maybe I should be less stubborn and let Efa4 be the first server to have IPv6 enabled, a bit. :roll:
Glaster
Posts: 11
Joined: 10 Dec 2014 21:29

Re: testing eFa v4 Release Candidate 2

Post by Glaster »

Hi,
I successfully installed EFA 4 RC 2, but after logging in to the web GUI, I see an error message:

Cannot open MailScanner configuration file

See attachment: EFA4_MS_err.JPG
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: testing eFa v4 Release Candidate 2

Post by shawniverson »

@Glaster

What method did you use to build?
Glaster
Posts: 11
Joined: 10 Dec 2014 21:29

Re: testing eFa v4 Release Candidate 2

Post by Glaster »

Hi,
I use: Building using github clone for development

thanks
Alleyviper
Posts: 83
Joined: 16 Oct 2018 05:55
Location: Portugal

Re: testing eFa v4 Release Candidate 2

Post by Alleyviper »

Hi,

Let's not encrypt ;)

Would you like to  Enable  Let's Encrypt? [y/n/c]
y
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apachectl configtest.

AH00526: Syntax error on line 213 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile takes one argument, SSL Server Certificate file ('/path/to/file' - PEM or DER encoded)

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apachectl configtest.\n\nAH00526: Syntax error on line 213 of /etc/httpd/conf.d/ssl.conf:\nSSLCertificateFile takes one argument, SSL Server Certificate file ('/path/to/file' - PEM or DER encoded)\n",)
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

Let's Encrypt has been enabled
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: testing eFa v4 Release Candidate 2

Post by shawniverson »

@Alleyviper

Can you share what that line 213 looks like (sanitized)? It sounds like certbot mangled the ssl.conf file, and I'd like to know why.

Also /var/log/letsencrypt/letsencrypt.log would be very helpful, if you can sanitize and share it.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: testing eFa v4 Release Candidate 2

Post by shawniverson »

Glaster wrote: 01 Feb 2019 09:56
Hi,
I use: Building using github clone for development

thanks

Did you restart the environment after building?
Glaster
Posts: 11
Joined: 10 Dec 2014 21:29

Re: testing eFa v4 Release Candidate 2

Post by Glaster »

shawniverson wrote: 01 Feb 2019 22:49
Did you restart the environment after building?

Restart done several times, but the problem persists.
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: testing eFa v4 Release Candidate 2

Post by henk »

logs?
Alleyviper
Posts: 83
Joined: 16 Oct 2018 05:55
Location: Portugal

Re: testing eFa v4 Release Candidate 2

Post by Alleyviper »

Hi there,

I've been working like crazy. Unfortunately my VPS data got lost, so I'm installing from scratch to see if Letsencrypt fails again.

See you later, today... :)
Alleyviper
Posts: 83
Joined: 16 Oct 2018 05:55
Location: Portugal

Re: testing eFa v4 Release Candidate 2

Post by Alleyviper »

Hi there,

Now it works! :D The self-generated certificate remained after deploying letsencrypt. I had to restart Apache.


sudo service httpd restart
sudo service httpd status

First, deployed Letsencrypt:

[eFa] server.domain.tld

[eFa] If this is not correct, please update your Hostname and Domain Name within main menu #4.

[eFa] Please also make sure the name above is externally resolvabe before continuing.
[eFa] Please also make sure that TCP 80 and 443 is opened from the WAN to EFA.
[eFa] By continuing, you agree to the Terms Of Service for Let's Encrypt and EFF.


Would you like to  Enable  Let's Encrypt? [y/n/c]
y
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for server.domain.tld
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://server.domain.tld

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=server.domain.tld
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/server.domain.tld/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/server.domain.tld/privkey.pem
   Your cert will expire on 2019-05-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Let's Encrypt has been enabled

Press [Enter] key to continue...


[eFa] : 1
[user@server ~]$ sudo service httpd restart

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for user:
Redirecting to /bin/systemctl restart httpd.service
[user@server ~]$ sudo service httpd status
Redirecting to /bin/systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2019-02-10 23:03:57 WET; 6s ago
     Docs: man:httpd.service(8)
  Process: 18444 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
 Main PID: 19072 (httpd)
   Status: "Started, listening on: port 443, port 80"
   CGroup: /system.slice/httpd.service
           ├─19072 /usr/sbin/httpd -DFOREGROUND
           ├─19073 /usr/sbin/httpd -DFOREGROUND
           ├─19074 /usr/sbin/httpd -DFOREGROUND
           ├─19075 /usr/sbin/httpd -DFOREGROUND
           ├─19076 /usr/sbin/httpd -DFOREGROUND
           └─19302 /usr/sbin/httpd -DFOREGROUND

Feb 10 23:03:57 server.domain.tld systemd[1]: Starting The Apache HTTP Server...
Feb 10 23:03:57 server.domain.tld httpd[19072]: Server configured, listening on: port 443, port 80
Feb 10 23:03:57 server.domain.tld systemd[1]: Started The Apache HTTP Server.
[user@server ~]$

Anyone had issues with Letsencrypt?


Best regards,

Alleyviper
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: testing eFa v4 Release Candidate 2

Post by henk »

I noticed the header MS_FOUND_SPAMVIRUS exists:X-MailScanner-SpamVirus-Report is still default (as it was in Efa 3).

Changed in /etc/MailScanner/spamassassin.conf

#
# The header name in the next line must have your %org-name% added into it,
# so that it matches what is set in "Spam-Virus Header" in your
# MailScanner.conf file.
#
#header MS_FOUND_SPAMVIRUS exists:X-MailScanner-SpamVirus-Report
header MS_FOUND_SPAMVIRUS exists:X-xxxxxx-MailScanner-EFA-SpamVirus-Report
score  MS_FOUND_SPAMVIRUS 3.0

Where xxxxxx is my %org-name%
(In /etc/MailScanner/MailScanner.conf: Spam-Virus Header = X-%org-name%-MailScanner-EFA-SpamVirus-Report)

In the same file, if you want to use the Shortcircuit plugin, you need to enable the options you want to shortcut.
It's perfectly fine to shortcut nothing by default; you can decide what to shortcut here.

 ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
 #
 #   default: strongly-whitelisted mails are *really* whitelisted now, if the
 #   shortcircuiting plugin is active, causing early exit to save CPU load.
 #   Uncomment to turn this on
 #
-# shortcircuit USER_IN_WHITELIST       on
-# shortcircuit USER_IN_DEF_WHITELIST   on
+ shortcircuit USER_IN_WHITELIST       on
+ shortcircuit USER_IN_DEF_WHITELIST   on
 # shortcircuit USER_IN_ALL_SPAM_TO     on
 # shortcircuit SUBJECT_IN_WHITELIST    on

 #   the opposite; blacklisted mails can also save CPU
 #
-# shortcircuit USER_IN_BLACKLIST       on
-# shortcircuit USER_IN_BLACKLIST_TO    on
+ shortcircuit USER_IN_BLACKLIST       on
+ shortcircuit USER_IN_BLACKLIST_TO    on
 # shortcircuit SUBJECT_IN_BLACKLIST    on

 #   and a well-trained bayes DB can save running rules, too
 #
-# shortcircuit BAYES_99                spam
+ shortcircuit BAYES_99                spam
 # shortcircuit BAYES_00                ham

 endif # Mail::SpamAssassin::Plugin::Shortcircuit
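The point of the MS_FOUND_SPAMVIRUS change above is that MailScanner expands %org-name% when it writes the Spam-Virus header, while the SpamAssassin `header ... exists:` rule is a literal string; if the two drift apart the rule silently never fires and the 3.0 points are never added. The shell check below is an added example, not code from henk's post or the eFa project: it reads `%org-name%` and `Spam-Virus Header` from MailScanner.conf, expands the header name and compares it with the rule in spamassassin.conf. The function names are mine, and the config fragments it is demonstrated on are constructed, modelled on the two settings quoted in the post.

```shell
#!/bin/sh
# Check that the SpamAssassin rule scoring MailScanner's Spam-Virus header names
# the header MailScanner actually emits. MailScanner expands %org-name% in the
# "Spam-Virus Header" setting; the SpamAssassin "header MS_FOUND_SPAMVIRUS
# exists:..." rule is a plain string, so a stale default never matches.

# Read a "Key = value" setting from MailScanner.conf (first match wins).
ms_setting() {
    # $1 = config file, $2 = key (literal, may contain % characters)
    awk -v key="$2" -F'=' '
        {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Header MailScanner will add: "Spam-Virus Header" with %org-name% expanded.
# (An org-name containing "/" would need a different sed delimiter.)
expected_spamvirus_header() {
    org=$(ms_setting "$1" "%org-name%")
    hdr=$(ms_setting "$1" "Spam-Virus Header")
    printf '%s\n' "$hdr" | sed "s/%org-name%/$org/g"
}

# Header name the active (uncommented) SpamAssassin rule tests for.
rule_spamvirus_header() {
    awk '/^[ \t]*header[ \t]+MS_FOUND_SPAMVIRUS[ \t]+exists:/ {
            sub(/^.*exists:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# $1 = MailScanner.conf, $2 = spamassassin.conf. Prints a verdict, returns 0/1.
check_spamvirus_rule() {
    want=$(expected_spamvirus_header "$1")
    have=$(rule_spamvirus_header "$2")
    if [ -n "$want" ] && [ "$want" = "$have" ]; then
        echo "OK: rule matches $want"; return 0
    fi
    echo "MISMATCH: MailScanner adds '$want' but the SpamAssassin rule looks for '$have'"
    return 1
}

# Demonstration on constructed config fragments (not copied from an eFa install).
# $1 = "stale" (the shipped default rule) or "fixed" (rule with org-name filled in).
demo_verdict() {
    tmp=$(mktemp -d)
    cat > "$tmp/MailScanner.conf" <<'EOF'
%org-name% = xxxxxx
Spam-Virus Header = X-%org-name%-MailScanner-EFA-SpamVirus-Report
EOF
    cat > "$tmp/stale.conf" <<'EOF'
#header MS_FOUND_SPAMVIRUS exists:X-xxxxxx-MailScanner-EFA-SpamVirus-Report
header MS_FOUND_SPAMVIRUS exists:X-MailScanner-SpamVirus-Report
score  MS_FOUND_SPAMVIRUS 3.0
EOF
    cat > "$tmp/fixed.conf" <<'EOF'
#header MS_FOUND_SPAMVIRUS exists:X-MailScanner-SpamVirus-Report
header MS_FOUND_SPAMVIRUS exists:X-xxxxxx-MailScanner-EFA-SpamVirus-Report
score  MS_FOUND_SPAMVIRUS 3.0
EOF
    check_spamvirus_rule "$tmp/MailScanner.conf" "$tmp/$1.conf" | cut -d: -f1
    rm -rf "$tmp"
}
```

On a real box the call is `check_spamvirus_rule /etc/MailScanner/MailScanner.conf /etc/MailScanner/spamassassin.conf`; the non-zero exit makes it usable as a post-install or post-upgrade check, which is where the default rule tends to creep back in.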