
ISPConfig 3.1 Automated Installation

This article is about the automated installation of ISPConfig 3.1 on Ubuntu 18.04 and an issue with Roundcube.

The installation steps can be found here and are very well laid out – https://www.howtoforge.com/tutorial/ubuntu-ispconfig-automated-install-script/

I installed it on a Linode instance (the $10 instance).

The first thing I found is that the software is better updated manually prior to the automated installation of ISPConfig. In my case the installer script couldn’t install the updates.

The biggest problem I faced was that after the installation Roundcube was neither sending nor receiving any mails. The mailbox opened and I could compose mails, but sending a mail failed with a “Timed Out” error. No incoming mails were received either.

After searching and going through lots of suggestions (even a re-installation of Roundcube), I ultimately found the issue was with two lines in the Postfix master file (the #submission and #smtps lines below).

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

The # in front of submission and smtps needs to be removed.

Thanks to Till and this post on HowtoForge
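Why the two commented-out service lines matter, as an added example (not from the original post or from ISPConfig): master(5) skips comment lines and treats every line that starts with whitespace as a continuation of the previous logical line, so the still-active "-o" lines end up on the smtp service above them. The excerpt and the audit() helper are constructed for illustration.

```python
import re

# Constructed excerpt mirroring the page's master.cf: two service lines are
# commented out while their indented "-o" lines are still active.
BROKEN = """\
smtp      inet  n       -       -       -       -       smtpd
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
"""
# The page's fix: remove the "#" in front of submission and smtps.
FIXED = BROKEN.replace("#submission", "submission").replace("#smtps", "smtps")

SERVICE = re.compile(r"^#?\s*(\S+)\s+(inet|unix|unix-dgram|fifo|pass)\s")
OPTION = re.compile(r"-o\s+(\S+)")


def audit(text):
    """Return (active, drifted): options in effect per "name/type" service, and
    (option, written_under, applied_to) for options below a disabled service."""
    active, drifted = {}, []
    current = disabled = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.lstrip().startswith("#"):
            # Comments are skipped; they do NOT end the current logical line.
            m = SERVICE.match(line)
            if m:
                disabled = f"{m.group(1)}/{m.group(2)}"
            continue
        if line[0].isspace() and current:
            # Continuation line: extends the last ACTIVE service entry.
            for opt in OPTION.findall(line):
                active[current].append(opt)
                if disabled:
                    drifted.append((opt, disabled, current))
            continue
        m = SERVICE.match(line)
        if m:
            current, disabled = f"{m.group(1)}/{m.group(2)}", None
            active[current] = OPTION.findall(line)
    return active, drifted
```

Run against BROKEN, the wrapper-mode and mandatory-TLS options are reported as applying to smtp/inet; run against FIXED, nothing drifts.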


One more important issue was this line in the main.cf file

mydestination = domain-name.com, localhost, localhost.localdomain

Although the domain name was added to the config by default, it prevented mails from being received. After removing the domain name and leaving only the localhost entries, everything worked fine.


While trying to fix the problem I found that, for an ISPConfig-based setup, it is better to leave the SSL certificate settings that the script has set. I tried changing to a purchased SSL and incoming mails stopped. It was about 4:30 AM and I was too tired to do anything more, so I reverted to the original files and everything was fine.


While trying different possible solutions I had enabled the necessary ports in UFW, so I am not sure whether that is really needed. But it is worth a try if mails are not delivered or received even after correcting the settings in the /etc/postfix/master.cf file.


Roundcube errors can be found here – /var/log/roundcube/errors

DNS Records and Godaddy

I have no idea why Godaddy have to make things difficult by trying to be simple (different).

  1. Whenever the main domain needs to be referred to, @ is needed and is a must. I had used “domain.com.” but it didn’t work – the DNS records were not propagating.
  2. Where there is a subdomain, the domain should not be part of the Host entry – that is a must. For example, “mail.domain.com.” should be written as “mail” only.
  3. Similarly, when referring to the main domain, @ is needed.
  4. For reference, below are some examples:
a 	@ 	17x.xxx.xxx.xx5
a 	mail 	17x.xxx.xxx.xx5
cname 	www 	@
mx 	@ 	mail.gxxxxxxxxxxxxxl.com (Priority: 10)
txt 	@ 	v=spf1 mx a ~all
txt 	_dmarc 	v=DMARC1; p=quarantine  # the quarantine or reject is needed.
txt 	default._domainkey 	v=DKIM1; t=s; p=MIxxxxxxxxxxxxw0xxQE


Setting custom nameservers requires the names of two nameservers with the same domain name.

PHP code for Amazon SNS Auto Subscription Confirmation (HTTPS)

Amazon Simple Notification Service, or SNS, is a messaging service which can be used to send notifications by SMS, email, push notification or to a URL endpoint.

For a quick guide on setting up Amazon SNS, see the article "Amazon SNS setup for HTTPS and Email".

Code for auto confirmation of subscriptions

<?php
// Read the raw POST body sent by Amazon SNS and decode it into an array.
$json_write_to_text = file_get_contents("php://input");
$json_write_to_text = json_decode($json_write_to_text, true);

// The message type is a string, so it must be quoted. The SubscribeURL used
// below is taken from the request body exactly as received.
if (is_array($json_write_to_text)
    && isset($json_write_to_text['Type'], $json_write_to_text['SubscribeURL'])
    && $json_write_to_text['Type'] === 'SubscriptionConfirmation')
{
 $curl = curl_init();

 curl_setopt_array($curl, array(
  CURLOPT_URL => $json_write_to_text['SubscribeURL'],
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_CUSTOMREQUEST => "GET",
 ));

 $response = curl_exec($curl); // a GET on the SubscribeURL confirms the subscription
 $err = curl_error($curl);

 curl_close($curl);
}

file_put_contents("response.txt", print_r($json_write_to_text, true)); // this is just for dumping the raw data and can be omitted
?>

 

 

Amazon SNS setup for HTTPS and Email

Log in to the AWS Console

Go to Simple Notification Service

Create a Topic

Add a Subscription – the easy and safe way to do this is by clicking the ARN of the Topic (on the topic listing page) and going to the Topic details page.

[Figure: Topic Details]
[Figure: Subscription Protocols]

Choose your subscription protocol (in simpler words, the way you want the notifications to be delivered)


Amazon SNS will then verify the subscription. The method depends on the protocol chosen: for email it sends a message with a verification link, while for HTTP or HTTPS it calls the endpoint with data like the sample below. Opening or requesting the SubscribeURL completes the verification.

Array
(
[Type] => SubscriptionConfirmation
[MessageId] => eeexxxea-xxxx-xxxx-xxxx-c15xxxx81361
[Token] => 2336412f3xxxxxxxxxxxxxxxxxxxxxxxxee34aadbb4eb9c926c288f8ca1xxxxxxxxxxxxcbe27c6835edd47bd28d0cf1d0cb9b4xxxxxxxx1003b95c6bc1231db657b1bb465a7d98c73a8d79faddb473a1a109c45654a1db1f11xxxxxxxxxxxxxxxxxxxf74dae61acfbe2f508901390b2cd6
[TopicArn] => arn:aws:sns:us-east-x:0xxxxxxxxxx9:xxx-bounce
[Message] => You have chosen to subscribe to the topic arn:aws:sns:us-east-x:0xxxxxxxxxx9:xxx-bounce.
To confirm the subscription, visit the SubscribeURL included in this message.
[SubscribeURL] => https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws:sns:us-east-x:0xxxxxxxxxx9:xxx-bounce&Token=2336412f3xxxxxxxxxxxxxxxxxxxxxxxxee34aadbb4eb9c926c288f8ca1xxxxxxxxxxxxcbe27c6835edd47bd28d0cf1d0cb9b4xxxxxxxx1003b95c6bc1231db657b1bb465a7d98c73a8d79faddb473a1a109c45654a1db1f11xxxxxxxxxxxxxxxxxxxf74dae61acfbe2f508901390b2cd6
[Timestamp] => 2019-01-09T14:53:31.247Z
[SignatureVersion] => 1
[Signature] => euyT80G1NujWgQMWfltxxxxxxxxxxxxxxxiDqeicbE1FH5dwdBnAA7UY84zHf0fsJCd/xxxxxxxxxxxxxxxxxxxxxxxxx/rxx/t/wKxxxxxx/LKg2QwcjGPdnIh4xp6rNA4PKihOjMiPfTZYH4kQV+h+4zqFsQT1UL+ixlM+xBZqZY3zUV1lrHKz+SfIkPJxxxxxxxxxxIB2FN0O2leokHJYRlUqxxxxxxkMzlbsMg4ChDW8+hcJ14hNEz5kpM5T0Fqljt2CmqkF1BQ68ViTgFV7yYpcSTbejo0DuZAUxxxxxxxxxx5y340TcfTWWq+3hKSTtB9aTclgDchvLDYKNqg==
[SigningCertURL] => https://sns.us-east-x.amazonaws.com/SimpleNotificationService-ac56xxxxxxxxxxxxxxxxxxxx8aa1d9b.pem
)

Once the verification is complete the Subscription ID will show an ARN. See The Topic Details picture.
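Checks worth making before the endpoint requests the SubscribeURL, as an added example in Python (not the original post's code; the same checks port directly to the PHP handler): a message is accepted only for an allow-listed TopicArn, and only when SubscribeURL and SigningCertURL are https URLs on a regional SNS hostname whose query matches the message's own Token and TopicArn. The topic ARN, the function names and the sample message are assumptions made for illustration, and the Signature field is not verified here.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the one topic this endpoint should ever subscribe to (placeholder ARN).
TOPIC = "arn:aws:sns:us-east-1:123456789012:example-bounce"
ALLOWED_TOPICS = {TOPIC}
# Regional SNS hostnames only; the character class also rejects userinfo and ports.
SNS_HOST = re.compile(r"sns\.[a-z0-9-]+\.amazonaws\.com")


def is_sns_https(value):
    """True only for an https URL whose authority is exactly an SNS hostname."""
    try:
        url = urlsplit(value) if isinstance(value, str) else None
    except ValueError:
        return False
    return url is not None and url.scheme == "https" \
        and bool(SNS_HOST.fullmatch(url.netloc.lower()))


def confirmation_url(raw_body):
    """Return SubscribeURL if the posted message passes every check, else None."""
    try:
        msg = json.loads(raw_body)
    except (TypeError, ValueError):
        return None
    if not isinstance(msg, dict) or msg.get("Type") != "SubscriptionConfirmation":
        return None
    topic, token = msg.get("TopicArn"), msg.get("Token")
    if not isinstance(topic, str) or topic not in ALLOWED_TOPICS:
        return None
    if not (is_sns_https(msg.get("SubscribeURL")) and is_sns_https(msg.get("SigningCertURL"))):
        return None
    # The query string must describe this exact confirmation and nothing else.
    query = parse_qs(urlsplit(msg["SubscribeURL"]).query)
    expected = {"Action": ["ConfirmSubscription"], "TopicArn": [topic], "Token": [token]}
    return msg["SubscribeURL"] if query == expected else None


def sample(**overrides):
    """Constructed message shaped like the dump above (not a real SNS payload)."""
    token = "ab" * 32
    host = "https://sns.us-east-1.amazonaws.com/"
    msg = {
        "Type": "SubscriptionConfirmation", "TopicArn": TOPIC, "Token": token,
        "SubscribeURL": f"{host}?Action=ConfirmSubscription&TopicArn={TOPIC}&Token={token}",
        "SigningCertURL": f"{host}SimpleNotificationService-example.pem",
    }
    msg.update(overrides)
    return json.dumps(msg)
```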

Sample PHP code for auto-verification of SNS subscriptions for HTTP/HTTPS protocols: see "PHP code for Amazon SNS Auto Subscription Confirmation (HTTPS)".

 

 

 

ISPConfig with Jailkit – allowing custom or other commands for users

By default Jailkit allows only certain commands or applications. Below is the process to allow your users to access other commands or any custom command.

Here I wanted users to access the PHP command line and composer.

  1. If needed then first install those applications normally as root
  2. Add entries for the applications/commands to the jailkit config file
    
     
    These block names will be used in ISPConfig.
    
    The folder/directories are important - else the necessary libraries and supporting files will not be copied and the application will not work properly for the users.
  3. Once the blocks have been added, the programs and all related files will have to be copied to the particular user's webspace.
    
    The jk_init command copies all files and related libraries with permissions. 
    
    jk_init -c /etc/jailkit/jk_init.ini -f -k -j /var/www/clients/clientXXX/webXXX php
    
    jk_init -c /etc/jailkit/jk_init.ini -f -k -j /var/www/clients/client1/web3 composer
    
  4. After copying the files update the Jailkit section of ISPConfig - add the block names of the applications that the users will be permitted to use
    System -> Server Config -> Jailkit chroot app section
    
    
    
    

If the commands are still not accessible, then the users should first try logging in again.

Check CNAME or TXT records

If the CNAME or TXT records are not displayed with normally available online tools, then they can be found using

dig TXT _axxxxxxxs.kolkataonweb.com +short
OR
dig CNAME 4xxxxxxxxxxxxxxxxxc._domainkey.kolkataonweb.com +short

(mention the keys that you want to lookup)

If everything is fine then the answer section will return the record (like below)

;; ANSWER SECTION:
xxxxxxxxxxxx 3584 IN CNAME xxxxxxxxxxxxxxxxxx

The +short can be omitted or +all can be used or nothing can be given

Testing mail from commandline

echo "This is the main body of the mail" | mail -s "Subject of the Email" -a "From: [email protected]" [email protected]

telnet iot-parts.com 25
MAIL FROM:[email protected]
RCPT TO:[email protected]
DATA
telnet localhost 143
a login "username" "password"

     Test using imaps port (assuming you haven't disabled imaps port):
     # openssl s_client -connect imap.example.com:993

     Test using imap port and STARTTLS command (works also with imap port):
     # openssl s_client -connect imap.example.com:143 -starttls imap

b select inbox
c list "" *
e logout