Debugging the iRedmail stack

iRedMail is a script that takes care of all the configuration of a mail server. That’s a lot less trouble for the admin as it’s really automagical! But recently, after upgrading Ubuntu Server 12.04 to 14.04, I couldn’t send/receive my mails anymore.

And as every time, I completely forgot where the proper logs to consult are, which programs were installed by iRedMail, etc… Here is a post to simplify this the next time I have a problem:

iRedMail Debugging

If you are not able to send/receive mails, first try to connect to the IMAP server (Dovecot) using K9-mail or Roundcube. (Dovecot log: /etc/log/dovecot.log)

If login is OK, try sending a mail, and look at /etc/log/mail.log and /etc/log/mail.err

If you see: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused then it means that Amavis is not running (port 10024). Try restarting it with /etc/init.d/amavis restart and check that it is running with netstat -tap | grep amavisd. If it is not, it could be that your server does not have enough RAM (iRedMail needs 1 GB minimum). In that case, you can still run the mail server, but you’ll have to disable Amavis/ClamAV/SpamAssassin.

If your server has 1 GB, then you should run Amavis in debug mode using /etc/init.d/amavis debug and see the output.

In my case, a folder in /var/lib/amavis didn’t have the appropriate rights and the Amavis daemon couldn’t write inside (see the debug output below):

/usr/sbin/amavisd-new[29699]: (!!)TROUBLE in pre_loop_hook: QUARANTINEDIR directory /var/lib/amavis/virusmails not writable at /usr/sbin/amavisd-new line 10926.

So I just ran chown -R amavis: /var/lib/amavis/virusmails and restarted my server (thanks to ZhangHuangBin). It works great now! Below, a summary of the whole iRedMail stack:
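
The two failure signatures from the debugging steps above, turned into a small triage helper. This is an added example, not part of the original post; the sample log is constructed around the two messages quoted above, and the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example, not part of the original post.
# SAMPLE_LOG is constructed from the two messages quoted above; the syslog
# prefixes (dates, host name "mx", postfix PID) are made up.
SAMPLE_LOG='May  4 10:00:01 mx postfix/smtp[2211]: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused
May  4 10:00:09 mx /usr/sbin/amavisd-new[29699]: (!!)TROUBLE in pre_loop_hook: QUARANTINEDIR directory /var/lib/amavis/virusmails not writable at /usr/sbin/amavisd-new line 10926.'

# Read log text on stdin, print one sorted line per known failure signature.
triage_mail_log() {
    awk '
        # Postfix cannot reach the Amavis content filter on its local port.
        /connect to 127\.0\.0\.1\[127\.0\.0\.1\]:10024: Connection refused/ {
            seen["amavis-down"] = "restart amavis, then confirm a listener on port 10024"
        }
        # Amavis aborts at startup because a working directory is not writable.
        /TROUBLE in pre_loop_hook: .* directory .* not writable/ {
            for (i = 1; i < NF; i++) if ($i == "directory") dir = $(i + 1)
            seen["amavis-perms"] = "run: chown -R amavis: " dir
        }
        END {
            n = 0
            for (k in seen) { print k ": " seen[k]; n++ }
            if (n == 0) print "no-known-signature: read the full log"
        }
    ' | sort
}

# Succeed only if DIR ($1) is owned by USER ($2); ls -ld is used for portability.
dir_owner_is() {
    [ -d "$1" ] || return 1
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    [ "$owner" = "$2" ]
}

printf '%s\n' "$SAMPLE_LOG" | triage_mail_log
if [ -d /var/lib/amavis/virusmails ]; then
    dir_owner_is /var/lib/amavis/virusmails amavis || echo "virusmails is not owned by amavis"
fi
```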

The iRedMail stack

Details of iRedMail installation with Conf files, logs, RC-start scripts…etc

SSL cert keys (size: 2048):
– /etc/ssl/certs/iRedMail_CA.pem
– /etc/ssl/private/iRedMail.key

Mail Storage:
– Root directory: /var/vmail
– Mailboxes: /var/vmail/vmail1
– Backup scripts and copies: /var/vmail/backup

PHP:
* Configuration file: /etc/php5/apache2/php.ini
* Disabled functions: show_source,system,shell_exec,passthru,exec,phpinfo,proc_open

OpenLDAP:
* Configuration files:
– /etc/ldap
– /etc/ldap/slapd.conf
– /etc/ldap/ldap.conf
– /etc/ldap/schema/iredmail.schema
* Log file related:
– /etc/rsyslog.d/iredmail.conf
– /var/log/openldap.log
– /etc/logrotate.d/openldap
* Data dir and files:
– /var/lib/ldap
– /var/lib/ldap/vbonhomme.fr
– /var/lib/ldap/vbonhomme.fr/DB_CONFIG
* RC script:
– /etc/init.d/slapd
* See also:
– /root/iRedMail-0.8.6/conf/ldap_init.ldif

Postfix (basic):
* Configuration files:
– /etc/postfix
– /etc/postfix/aliases
– /etc/postfix/main.cf
– /etc/postfix/master.cf

Postfix (LDAP):
* Configuration files:
– /etc/postfix/ldap/virtual_mailbox_domains.cf
– /etc/postfix/ldap/relay_domains.cf
– /etc/postfix/ldap/transport_maps_domain.cf
– /etc/postfix/ldap/transport_maps_user.cf
– /etc/postfix/ldap/virtual_mailbox_maps.cf
– /etc/postfix/ldap/sender_login_maps.cf
– /etc/postfix/ldap/virtual_alias_maps.cf
– /etc/postfix/ldap/virtual_group_maps.cf
– /etc/postfix/ldap/virtual_group_members_maps.cf
– /etc/postfix/ldap/catchall_maps.cf
– /etc/postfix/ldap/recipient_bcc_maps_domain.cf
– /etc/postfix/ldap/recipient_bcc_maps_user.cf
– /etc/postfix/ldap/sender_bcc_maps_domain.cf
– /etc/postfix/ldap/sender_bcc_maps_user.cf

Policyd (cluebringer):
* Web UI:
– URL: httpS://xxxxxxxxxxx/cluebringer/
– Username: xxxxxXXXXX
– Password: xxxxxXXXXX
* Configuration files:
– /etc/cluebringer/cluebringer.conf
– /etc/cluebringer/cluebringer-webui.conf
* RC script:
– /etc/init.d/postfix-cluebringer
* Database:
– Database name: cluebringer
– Database user: cluebringer
– Database password: xxxxxxXXXXXXXX

* Log file:
– /etc/rsyslog.d/iredmail.conf

Dovecot:
* Configuration files:
– /etc/dovecot/dovecot.conf
– /etc/dovecot/dovecot-ldap.conf (For OpenLDAP backend)
– /etc/dovecot/dovecot-mysql.conf (For MySQL backend)
– /etc/dovecot/dovecot-pgsql.conf (For PostgreSQL backend)
– /etc/dovecot/dovecot-used-quota.conf (For real-time quota usage)
– /etc/dovecot/dovecot-share-folder.conf (For IMAP sharing folder)
* RC script: /etc/init.d/dovecot
* Log files:
– /var/log/dovecot.log
– /var/log/sieve.log
* See also:
– /var/vmail/sieve/dovecot.sieve
– Logrotate config file: /etc/logrotate.d/dovecot

ClamAV:
* Configuration files:
– /etc/clamav/clamd.conf
– /etc/clamav/freshclam.conf
– /etc/logrotate.d/clamav
* RC scripts:
– /etc/init.d/clamav-daemon
– /etc/init.d/clamav-freshclam
* Log files:
– /var/log/clamav/clamd.log
– /var/log/clamav/freshclam.log

Amavisd-new:
* Configuration files:
– /etc/amavis/conf.d/50-user
– /etc/postfix/master.cf
– /etc/postfix/main.cf
* RC script:
– /etc/init.d/amavis
* MySQL Database:
– Database name: amavisd
– Database user: amavisd
– Database password: xxxxxxXXXXXX

SpamAssassin:
* Configuration files and rules:
– /etc/mail/spamassassin
– /etc/mail/spamassassin/local.cf

iRedAPD – Postfix Policy Daemon:
* Version: 1.4.2
* Listen address: 127.0.0.1, port: 7777
* Related files:
– /opt/iRedAPD-1.4.2/
– /opt/iredapd/
– /opt/iredapd/etc/settings.py

iRedAdmin – official web-based admin panel:
* Version: 0.3
* Configuration files:
– /usr/share/apache2/iRedAdmin-0.3/
– /usr/share/apache2/iRedAdmin-0.3/settings.py*
* URL:
– https://xxxxxxxxxxx/iredadmin/
* Login account:
– Username: xxxxxxxxxxx, password: xxxxxxxxxxxx
* SQL database account:
– Database name: iredadmin
– Username: iredadmin
– Password: xxxxxxxxxxxxxxxxxxx
* Settings:
– /usr/share/apache2/iRedAdmin-0.3/settings.py
* See also:
– /etc/apache2/conf.d/iredadmin.conf

Roundcube webmail:
* Configuration files:
– /usr/share/apache2/roundcubemail-0.9.5/
– /usr/share/apache2/roundcubemail-0.9.5/config/
* URL:
– http://xxxxxxxxxxxxx/mail/
– https://xxxxxxxxxxxx/mail/ (Over SSL/TLS)
– http://xxxxxxxxxxxxx/webmail/
– https://xxxxxxxxxxxxx/webmail/ (Over SSL/TLS)
* See also:
– /etc/apache2/conf.d/roundcubemail.conf

phpLDAPadmin:
* Configuration files:
– /usr/share/phpldapadmin/config/config.php
* See also:
– /etc/apache2/conf.d/phpldapadmin.conf

 

Hope it will be helpful to you.

Move your mails from one IMAP server to another using IMAPSYNC

I lived for almost 5 years with a @gmail address, and I was happy with that. But recently, personal concerns about privacy convinced me to switch to a self-run mail server (easy install thanks to iRedMail, mail.dir being stored in an ecryptfs container). It works perfectly, but I was still frequently logging back into my Gmail account to search my mail history. So I decided to move all my @gmail mails to my email server… And fortunately IMAPSYNC comes in handy for this task. Here are the few steps I had to follow to ensure a successful migration:

Install dependencies

Download the source code from git

In your /root directory for example:

git clone https://github.com/imapsync/imapsync.git

Then cd into the imapsync directory, and try to compile.

cd imapsync
mkdir dist
make install

The build should fail… that’s normal: Perl is still missing some dependencies:

perl -MCPAN -e "install Authen::NTLM"
perl -MCPAN -e "install Data::Uniqid"
perl -MCPAN -e "install File::Copy::Recursive"
perl -MCPAN -e "install IO::Tee"

Then run the following command to be sure that all the needed dependencies are installed; if they are, the output will be empty:

perl -mMail::IMAPClient -mDigest::MD5 -mTerm::ReadKey -mIO::Socket::SSL -mDigest::HMAC_MD5 -mAuthen::NTLM -mTime::HiRes -mData::Uniqid -mURI::Escape -mFile::Copy::Recursive -mIO::Tee -e ""

Then run sudo make install again, and confirm the installation went smoothly by checking the version of imapsync with imapsync -version.

Migrate your emails

Now it’s time to move your email from Gmail to your self-run IMAP server.

New mail account

I personally decided to create a new email on my mail server to specifically store all my gmail mails. So I had to create this new mail, which is a very simple process thanks to the iredadmin web interface bundled in iRedMail.

Tweak some Gmail settings

Gmail runs on top of an IMAP server, but it has its own way to classify mails, beginning with the folders. You can go in the settings of your Gmail account and disable some “custom gmail folder” if you don’t want them to be copied by imapsync during the migration.

Note: You can actually tell imapsync to map a specific Gmail IMAP server folder to another folder on your new IMAP server, as well as tell it not to copy some folders, which lets you avoid the step below. Refer to this post to see the script.

I also deleted all my gmail labels because the “tag” concept doesn’t exist in IMAP, and so I suspected imapsync would maybe try to convert them into folders (but maybe not!). Anyway, I never really used these labels.

My IMAP server installed by iRedMail is Dovecot (which is supported by IMAPSYNC). All right, here is the final command that worked for me (omit --dry --justfolders if you want to start the migration for real):

imapsync --host1 imap.gmail.com --authmech1 LOGIN --port1 993 --user1 vxxxxxxx.xxxxxxe@gmail.com --password1 "your_gmail_password" --host2 mail.vxxxxxxxe.fr --user2 vxxxxxx-gmail@vxxxxx.fr --password2 "password_of_new_email" --syncinternaldates --ssl1 --ssl2 --noauthmd5 --split1 100 --split2 100 --exclude "All Mail|Spam|Trash" --allowsizemismatch --useheader Message-ID --dry --justfolders

If you want to know more about each statement purpose, refer to this article.

I only had one small problem as I didn’t use the command to map folders together, it created a [GMAIL]/[SENT] folder in my new IMAP server. I used Thunderbird with a DRAGn’DROP to move them into the usual SENT folder of my IMAP server. But next time, I will add this to the command to map the Google directories with the dovecot architecture:

--folder "[Gmail]/Sent Mail" --regextrans2 's/Sent Mail/Sent/' --prefix1 '[Gmail]/' --folder "INBOX"

So I successfully moved 28 000+ emails to my new IMAP server ! 😉
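
The migration command in this post puts both passwords on the command line, where they are visible in the process list and end up in shell history; imapsync can read them from files instead with --passfile1 and --passfile2. The following is an added example, not from the original post, that refuses to start if a passfile is readable by group or others; the account names, mail.example.org and the passfile paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Placeholders (assumptions):
# the two account names and mail.example.org. Create each passfile with
#   (umask 077; cat > ~/.imapsync/gmail.pass)   # type the password, then Ctrl-D

# Succeed only if FILE ($1) exists and grants nothing to group or others.
passfile_ok() {
    [ -f "$1" ] || { echo "missing passfile: $1" >&2; return 1; }
    # GNU stat first (Ubuntu), BSD stat as a fallback.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   echo "passfile $1 has mode $mode; run chmod 600 on it" >&2; return 1 ;;
    esac
}

# run_imapsync PASSFILE1 PASSFILE2 [extra imapsync options...]
# IMAPSYNC can be set to another program (for example "echo") to preview the call.
run_imapsync() {
    pass1=$1; pass2=$2; shift 2
    passfile_ok "$pass1" || return 1
    passfile_ok "$pass2" || return 1
    "${IMAPSYNC:-imapsync}" \
        --host1 imap.gmail.com --port1 993 --ssl1 --authmech1 LOGIN \
        --user1 user@gmail.com --passfile1 "$pass1" \
        --host2 mail.example.org --ssl2 \
        --user2 user-gmail@example.org --passfile2 "$pass2" \
        --syncinternaldates --noauthmd5 --split1 100 --split2 100 \
        --exclude "All Mail|Spam|Trash" --allowsizemismatch \
        --useheader Message-ID "$@"
}

# Stand-alone use: sh migrate.sh gmail.pass local.pass --dry --justfolders
if [ "$#" -ge 2 ]; then
    run_imapsync "$@"
fi
```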

Cisco router basic command and config

Show the hardware + software specifications of the router: show version

Show the current global configuration: show running-config

NAT

Enter config mode with configure terminal, and only then add a static NAT rule: ip nat inside source static tcp <inside_local_ip> <port> <outside_global_ip> <port>

If you want to remove this NAT rule, run the same command with no added at the beginning (in config mode as well!).

Refer to this article for more details.

Note: There are two main copies of Cisco Router configuration file. The configuration file where router stores the configuration changes when the router is up and running is called the “running-config” file. The “running-config” file is NOT persistent (stored in RAM), which means that the changes made in the “running-config” while the router is running are not retained after a reboot. To make it persistent after a reboot, we need to save it into the “startup-config” file using this command:

copy running-config startup-config 

Show interface

The show interface command displays the status of the router’s interfaces. For a summary we can use show ip interface brief

SECURITY

Disable HTTP access to the Cisco router :

configure terminal
no ip http server

Setup Nginx + Passenger + RVM (ruby and rails) + Redmine 2.5

Recently I had to move a Redmine instance to a new server (Ubuntu 14.04). When I was lost in the process, overwhelmed by some ruby, bundler and rake commands, I swore to myself that I would write down all the steps once I succeeded. Here we are:

RVM

RVM is a program that lets you install a precise version of Ruby (the one required by Redmine, for example) and then lets you keep all Ruby gems in a specific folder (as, once again, Redmine requires a precise version of each gem).

Run this as a regular user in your home folder:

\curl -sSL https://get.rvm.io | bash -s stable --rails

This will install RVM in one command. Then, you have to source it to use it:

source ~/.rvm/scripts/rvm

Then install Ruby 2.0.0 as required by Redmine:

rvm install 2.0.0

If you install multiple versions of Ruby, use rvm use ruby_version to switch to the version of Ruby you want to work with. Then we will create a specific folder, called a gemset, to store the Redmine gems and switch RVM’s focus to this folder:

rvm gemset create gemset_name    # create a gemset
rvm ruby_version@gemset_name  # specify Ruby version and our new gemset

You will have something similar to this: .rvm/gems/ruby-2.0.0-p481@redmine2.5/gems/

Note: Running rvm ruby_version@gemset_name as your regular user before installing any gem (using gem install or bundle install) is very important. Moreover, you shouldn’t run the command from Byobu/Screen, or you will get an error like “rvm is not a function”.

REDMINE 2.5

Prior to the Redmine install, you can install these programs, as you will need them (some headers are required for the gem compilation below):

apt-get install git subversion imagemagick libmagickwand-dev mysql-server libmysqlclient-dev

I recommend following the official guide for the installation. The point is to give rights on the Redmine2.5 folder to the user that Passenger uses to run your app. You can check which user runs your app using ps aux | grep -i passenger; it should be the user who installed RVM. Then apply the proper rights:

mkdir -p tmp tmp/pdf public/plugin_assets
sudo chown -R <regular_user>: files log tmp public/plugin_assets
sudo chmod -R 755 files log tmp public/plugin_assets

Then be sure to have selected the right version of Ruby and the right gemset, and to be in the Redmine2.5 folder, before running these commands:

gem install bundler
bundle install --without development test
bundle exec rake generate_secret_token
RAILS_ENV=production bundle exec rake db:migrate
RAILS_ENV=production bundle exec rake redmine:load_default_data

 

First, let’s install a version of Nginx compiled with Passenger, using the official guide of the Passenger project.

Passenger helps Nginx handle Ruby code. We need to tell Nginx which version of Ruby to use when running the app.

Run the command /usr/bin/passenger-config --root and copy its result into the file /etc/nginx/nginx.conf. It should look something like passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini; . Then, from your gemset dir, run passenger-config --ruby-command, which will tell you where the wrapper is for the version of Ruby that you want Nginx+Passenger to use! According to this, edit your nginx vhost and add the passenger_ruby line:

server {
   listen 80;
   root /var/www/redmine2.5/web/public;
   passenger_enabled on;
   passenger_ruby /home/user/.rvm/wrappers/ruby-2.0.0-p247@your_gemset/ruby;
}

So you can run a different version of Ruby and a different set of gems for every app by using a different passenger_ruby line in each nginx vhost. That’s the trick!

BONUS PROXY

If the gem server is unreachable when running gem or bundler because you are behind a proxy (or in China 🙂), then you should tell your bash to go through a proxy using this command:

export http_proxy=http://user:password@host:port

BONUS LDAP Active Directory

Maybe you want to authenticate your Redmine users against your company AD LDAP (Windows Server… bouh). Then I advise you to first discover the LDAP server architecture using an LDAP browser from Linux or Windows, and maybe set up a user that has read access on the LDAP schema, as Redmine needs one. Here is the official documentation to set up LDAP authentication.

And here is my config :

Name : Ldap
Host : ldap server IP
Port : 389
Account : redmine@AD.LOCAL
Password : redmine user password (redmine user should have read access on the ldap)
Base DN : OU=Users_Custom,DC=CTXSUZ,DC=LOCAL
LDAP filter : Empty
Timeout (in seconds) : 5
On-the-fly user creation : checked
 
Attributes
 
Login attribute : sAMAccountName
Firstname attribute : givenName
Lastname attribute : sN
Email attribute : mail

Enjoy 😉

Ubuntu 12.04 + nginx + passenger + SPDY

SPDY is an improvement on HTTP and will soon become HTTP 2.0. Most of the major browsers support SPDY, so if you enable it on your webserver, you will save a hundred milliseconds for your visitors (and for yourself). It cannot hurt, right?

But here is the problem: Nginx does not support loadable modules, which means that you have to add the SPDY option when compiling it. I personally don’t like compiling stuff on my small VPS, and I always miss some dependencies. And lastly, the Nginx you get when doing apt-get install nginx on Ubuntu 12.04 has Passenger support, but not SPDY.

So the cool guys at Phusion provide us with an alternative: a downloadable Nginx binary with Passenger and SPDY already included. Everything is explained on this page.

The idea is to copy their binary over the apt-get-provided nginx binary, and every time apt-get wants to upgrade your nginx, copy it over again.

That simple, and then you can say that your blog is “SPDY READY”!