Guide on Renewing SSL Certificate for Apache, Postfix and Dovecot on CentOS 6.8 Linux
Author: Mr. Turritopsis Dohrnii Teo En Ming (TARGETED INDIVIDUAL)
Country: Singapore
Date: 12 November 2020 Thursday Singapore Time
Type of Publication: Plain Text
Document Version: 20201112.01

Generating Certificate Signing Request (CSR) Using OpenSSL command on Linux
===

Reference Guide: Generating CSR on Apache + OpenSSL/ModSSL/Nginx + Heroku
Link: https://www.namecheap.com/support/knowledgebase/article.aspx/9446/14/generating-csr-on-apache--opensslmodsslnginx--heroku/#4

# cd /root
# which openssl
# openssl req -new -newkey rsa:2048 -nodes -keyout teo-en-ming-corp.key -out teo-en-ming-corp.csr
Generating a 2048 bit RSA private key
...+++
+++
writing new private key to 'teo-en-ming-corp.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:SG
State or Province Name (full name) []:Singapore
Locality Name (eg, city) [Default City]:Singapore
Organization Name (eg, company) [Default Company Ltd]:Teo En Ming Corporation
Organizational Unit Name (eg, section) []:IT Department
Common Name (eg, your name or your server's hostname) []:*.teo-en-ming-corp.com.sg (USE WILDCARD!!!)
Email Address []:c...@teo-en-ming-corp.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# mkdir teo-en-ming
# mv teo-en-ming-corp.csr teo-en-ming-corp.key teo-en-ming/
# cd teo-en-ming
[r...@mail.teo-en-ming-corp.com.sg teo-en-ming]# ls -al
total 16
drwxr-xr-x   2 root root 4096 Nov 11 11:43 .
dr-xr-x---. 14 root root 4096 Nov 11 11:43 ..
-rw-r--r--   1 root root 1119 Nov 11 11:42 teo-en-ming-corp.csr
-rw-r--r--   1 root root 1708 Nov 11 11:42 teo-en-ming-corp.key

# cat teo-en-ming-corp.csr (Display Certificate Signing Request)
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

# cat teo-en-ming-corp.key (Display Private/Secret Key)
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

Result from AlphaSSL Portal
===

Congratulations! Your order has been placed successfully.
Your order number is :

You'll need to copy the following Domain Verification Code and place it in a text file called "gsdv.txt" which you'll then need to put in one of the approved locations

Meta Tag :

http://teo-en-ming-corp.com.sg/.well-known/pki-validation/gsdv.txt
https://teo-en-ming-corp.com.sg/.well-known/pki-validation/gsdv.txt

To complete the URL Verification, close the browser. Open the SSL Configuration Link in new browser and click on "Complete Url Verification".

End of Result from AlphaSSL Portal
===

Domain Verification for SSL Certificate
===

# cd /home/teo-en-ming-corp/public_html
# mkdir .well-known
# cd .well-known
# mkdir pki-validation
# cd pki-validation/

Edit gsdv.txt.

# nano gsdv.txt

Begin Email from AlphaSSL
===

Email Subject: Your SSL Certificate for *.teo-en-ming-corp.com.sg has been issued

---
Please note that this email is automatically sent from a noreply mailbox. To contact AlphaSSL please use the Contact Details at the footer of this email.
---

Dear Turritopsis Dohrnii Teo En Ming,

Your AlphaSSL Certificate has now been issued and is ready to be installed. Your SSL Certificate can be found at the bottom of this email.

CERTIFICATE DETAILS
--
Order Number:
Common Name: *.teo-en-ming-corp.com.sg

INSTALLING YOUR CERTIFICATE

Your SSL Certificate and Intermediate Certificate must be installed on your server.

Please note that as of March 31st 2014, SHA-256 will become the default hashing algorithm used unless SHA-1 was selected during the ordering process.

You can find guides on installing your certificate with the Support Center online at: http://www.alphassl.com/support

QUICK INSTALLATION GUIDE

1) Using a text editor, copy the SSL Certificate text from the bottom
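The guide above runs openssl req interactively and then inspects the files by eye. The script below is an added example, written for this page and not part of the original guide, that does the same CSR generation non-interactively and adds the checks worth running during a renewal: that the CSR's signature verifies, that the subject is the wildcard you intended, that a Subject Alternative Name covering both the wildcard and the bare domain is present (a wildcard CN alone is not accepted by current browsers), and that the private key, the CSR and later the issued certificate all carry the same public key. It goes beyond the guide in adding the SAN extension through a config file, which also works with the OpenSSL 1.0.x shipped on CentOS 6 (no -addext needed). Domain, organisation and file names (example.com, Example Corp, example.key, example.csr) are placeholders, not values from the guide.

```shell
#!/bin/sh
# Added example: non-interactive key + wildcard CSR generation with the
# consistency checks to run before ordering and before installing a renewal.
# Placeholders: example.com, "Example Corp", file names under a temp dir.
set -eu

# Write an openssl req config for DOMAIN (hypothetical DN values).
csr_config() {
    domain="$1"
    cat <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
C = SG
ST = Singapore
L = Singapore
O = Example Corp
OU = IT Department
CN = *.$domain
[v3_req]
subjectAltName = DNS:*.$domain, DNS:$domain
EOF
}

# make_csr KEY CSR DOMAIN: 2048-bit RSA key plus a CSR whose CN and SAN cover
# the wildcard and the bare domain. The key is written unencrypted (-nodes),
# as in the guide, so it is restricted to root right away.
make_csr() {
    key="$1" csr="$2" domain="$3"
    cfg=$(mktemp)
    csr_config "$domain" > "$cfg"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
        -config "$cfg" 2>/dev/null
    rm -f "$cfg"
    chmod 600 "$key"
}

# verify_csr CSR: exit 0 when the CSR's self-signature checks out.
verify_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_cn CSR: print the subject Common Name (handles both the 1.0 "/CN=" and
# the 1.1+/3.x "CN = " subject formats).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# csr_sans CSR: print the subjectAltName entries, e.g. "DNS:*.example.com, DNS:example.com".
csr_sans() {
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | sed 's/^ *//'
}

# key_matches_csr KEY CSR: exit 0 when both carry the same public key.
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_matches_key CERT KEY: the same check for the issued certificate, so a
# renewed cert is proven to belong to the key before Apache, Postfix and
# Dovecot are pointed at it.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# demo: run the whole flow in a scratch directory (usage: sh csr.sh --demo).
demo() {
    dir=$(mktemp -d)
    make_csr "$dir/example.key" "$dir/example.csr" example.com
    verify_csr "$dir/example.csr" && echo "CSR signature: OK"
    echo "CN:  $(csr_cn "$dir/example.csr")"
    echo "SAN: $(csr_sans "$dir/example.csr")"
    key_matches_csr "$dir/example.key" "$dir/example.csr" && echo "key/CSR match: OK"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

After the CA returns the certificate, run cert_matches_key on the issued file and the key from make_csr; a mismatch there usually means a CSR from an earlier attempt was uploaded, and it is cheaper to catch that before the services are reloaded.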
Re: per sender/email exclusion for smtpd_milter_maps, or equiv?
> It is not possible to switch Milter options in the middle of an SMTP session.

ah, understood.

> Maybe you can configure an exception for the sender's domain in the dkim milter configuration.

not immediately obvious how with current milter dkimpy-milter, but there are other options.
Re: sender dependent relay host problem
hello wietse,

---
Right in the middle instead of just a file!

On 2020-10-08 21:28, Wietse Venema wrote:
> Marko Horn:
> > sender_dependent_relayhost_maps = hash:/etc/postfix/lookups/relayhost/sender_relay
> >
> > sender_relay:
> > -
> > @testdomain.de fsmtp:
>
> sender_dependent_relayhost_maps requires a HOST, not a TRANSPORT.
> But it does not matter, because the postconf(5) manpage says:
>
> This information is overruled with relay_transport, SENDER_DEPENDENT_DEFAULT_TRANSPORT_MAPS, default_transport and with the transport(5) table.
>
> > sender_dependent_default_transport_maps = randmap:{fsmtp:[192.168.100.186]:26,fsmtp:[192.168.100.186]:26,fsmtp:[192.168.100.186]:26,fsmtp:[192.168.100.188]:26,fsmtp:[192.168.100.188]:26,fsmtp:[192.168.100.188]:26,fsmtp:[192.168.100.190]:26,fsmtp:[192.168.100.190]:26,fsmtp:[192.168.100.190]:26}
> >
> > master.cf:
> > --
> > fsmtp     unix  -       -       n       -       -       smtp
> > #   -o smtp_fallback_relay=[192.168.100.186]:26,[192.168.100.188]:26,[192.168.100.190]:26
> >
> > but the mails are not really going out in round robin. mostly 10-12 times thru same mailgateway.
>
> Which gateway? And if you send 20 messages, will 10-12 be sent to the
> same gateway? Where do the other messages go to?
>
> 	Wietse

At the beginning, sorry to get on your nerves; I was for a time not able to work further on the mail project but am restarting now.

When looking at the last posts on this topic I realized I have overlooked the little but important difference between two config variables: SENDER_DEPENDENT_DEFAULT_TRANSPORT_MAPS & sender_dependent_relayhost_maps.

Better I start at the beginning:

On my Postfix machine, for example, I have 2 domains = test-1.de & test-2.de.
I set up for test 3 mailout gateways.

test-1.de should NOT go thru these 3 mailout-gateways.
test-2.de should GO thru these 3 mailout-gateways...

BUT, I want to distribute the test-2.de mail to the 3 mailout-gateways by round robin. (There you told me about randmap.)

IF one of these mailout-gateways is down, Postfix should recognize this and use the remaining 2 mailout-gateways.

I don't get it at all how to do this.
Is it possible to do so?

kind regards
marko
Re: sender dependent relay host problem
Marko Horn:
> better i start at the beginning:
>
> on my postfix machine at example i have 2 domains = test-1.de &
> test-2.de

You are using one Postfix system to SEND email with a sender address
in one of two domains.

> i setup for test 3 Mailout-Gateways.
>
> test-1.de should NOT go thru these 3 mailout-gateways

The Postfix machine should send that email directly to the recipient's
mail server.

> test-2.de should GO thru these 3 mailout-gateways...

The same Postfix machine should send mail from the second domain
through three gateways.

> BUT, i want to distribute the test-2.de mail to the 3 mailout-gateways
> by round robin.

Unfortunately this cannot use "sender_dependent_xxx_maps = randmap:{...}"
because that would send all messages through the three gateways.

Solution 1: use a fake multi-address gateway:

    sender_dependent_default_transport_maps = inline:{{@test-2.de = smtp:gateways.example.com}}

Where gateways.example.com has three IP addresses in DNS or in
/etc/hosts (the second variant requires "smtp_host_lookup = dns, native").

The Postfix SMTP client will try all three IP addresses in random order,
if the sender domain is test-2.de, otherwise it will use the default
setting (default_transport = smtp) and send mail directly.

Other solutions involve "sender_dependent_default_transport_maps = tcp_table:..."
or "sender_dependent_default_transport_maps = socketmap:..." and are
more painful to deploy,

	Wietse
Re: Understanding multi-instance transport tables
Hi,

> > relay_transport = $default_transport
> > relay_domains = mycompany.com, $mydestination
>
> Fine, but I don't see a "relay_recipient_maps" for recipient validation,
> which is quite important to avoid backscatter.

I think I'm achieving this with check_recipient_access in smtpd_recipient_restrictions?

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rhsbl_sender uri.mykey.invaluement.com,
    check_sender_access ${indexed}check_backscatterer,
    check_helo_access pcre:$config_directory/helo_checks.pcre,
    check_helo_access ${indexed}helo_checks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    check_policy_service unix:private/policy-spf,
    check_policy_service inet:127.0.0.1:2501,
    check_recipient_access pcre:$config_directory/relay_recips_access,
    check_recipient_access pcre:$config_directory/recipient_checks,
    permit

I also have the check_sender_access above:

/etc/postfix-117/check_backscatterer:
<>          reject_rbl_client ips.backscatterer.org
postmaster  reject_rbl_client ips.backscatterer.org

/etc/postfix-117/relay_recips_access:
/^alex@mycompany\.com$/  DUNNO
/^.*@mycompany\.com$/    REJECT
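The relay_recips_access table in the message above only does what the poster wants because of its line order: Postfix tries the patterns of a pcre: table top to bottom and the first match decides, so the per-user DUNNO has to sit above the catch-all REJECT, and each pattern is matched against the complete recipient address (no separate user-part or domain-part lookups, and case-insensitive by default). The script below is an added example written for this page, not code from the thread; it is a small offline evaluator for that table format so a map can be checked against a list of addresses before it is deployed. The table text is a constructed copy of the poster's two lines (mycompany.com is their placeholder domain), the recipient addresses are made up, and the parser is deliberately simple: it does not handle a pattern that contains a slash or trailing pcre flags.

```shell
#!/bin/sh
# Added example: offline evaluator for a Postfix pcre: access table.
# Models "first matching pattern wins" over the whole recipient address,
# case-insensitively. Table and addresses are constructed for the demo.
set -eu

# Constructed copy of /etc/postfix-117/relay_recips_access from the thread.
RELAY_RECIPS_TABLE='/^alex@mycompany\.com$/  DUNNO
/^.*@mycompany\.com$/    REJECT'

# The same two lines in the wrong order: the catch-all now shadows alex.
REVERSED_TABLE='/^.*@mycompany\.com$/    REJECT
/^alex@mycompany\.com$/  DUNNO'

# lookup_access TABLE_TEXT KEY: print the action of the first pattern that
# matches KEY, or NOMATCH when no line matches (Postfix then treats the
# restriction as giving no result and continues with the next one).
# Blank lines and # comments are skipped. Patterns containing "/" or
# trailing flags (e.g. /.../i) are not supported by this simple splitter.
lookup_access() {
    table="$1" key="$2"
    result=$(printf '%s\n' "$table" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        pattern=${line#/}; pattern=${pattern%%/*}          # between the slashes
        action=${line#*/*/}                                 # after closing slash
        action=${action#"${action%%[![:space:]]*}"}        # trim leading blanks
        if printf '%s\n' "$key" | grep -Eiq -- "$pattern"; then
            printf '%s\n' "$action"
            break                                           # first match wins
        fi
    done)
    printf '%s\n' "${result:-NOMATCH}"
}

# relay_allows KEY: 0 when relay_recips_access does not reject KEY (DUNNO or
# no match, so the following restrictions decide), 1 on REJECT.
relay_allows() {
    case "$(lookup_access "$RELAY_RECIPS_TABLE" "$1")" in
        REJECT*) return 1 ;;
        *)       return 0 ;;
    esac
}

# demo: show the decision for a few constructed recipients.
demo() {
    for rcpt in alex@mycompany.com bob@mycompany.com Alex@MyCompany.com someone@example.org; do
        printf '%-22s -> %s\n' "$rcpt" "$(lookup_access "$RELAY_RECIPS_TABLE" "$rcpt")"
    done
    echo "same lines, reversed order:"
    printf '%-22s -> %s\n' alex@mycompany.com "$(lookup_access "$REVERSED_TABLE" alex@mycompany.com)"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The demo prints DUNNO for alex (in either letter case), REJECT for every other mycompany.com address, NOMATCH for outside domains, and REJECT for alex once the lines are swapped, which is the backscatter-relevant mistake to look for when such a table grows beyond two lines.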
Can a more useful bounce message be provided
My server bounced a message. Here is the server log (sanitized).

---
Nov 13 02:07:52 myserver postfix/smtpd[27706]: NOQUEUE: reject: RCPT from sonic302-23.consmr.mail.gq1.yahoo.com[98.137.68.149]: 554 5.7.1 Service unavailable; Client host [98.137.68.149] blocked using cbl.abuseat.org; Blocked - see http://www.abuseat.org/lookup.cgi?ip=98.137.68.149; from= to= proto=ESMTP helo=
---

Here is what the sender received:

> From: mailer-dae...@yahoo.com
> Date: November 12, 2020 at 6:07:55 PM PST
> To: per...@sbcglobal.net
> Subject: Failure Notice
>
> Sorry, we were unable to deliver your message to the following address.
>
> :
> 554: 5.7.1 Service unavailable
>
> --- Below this line is a copy of the message. ---

So did the Oath server swallow the useful link to abuseat.org? Can this be improved?