Easy Install cbpolicyd On CentOS 7

I have encountered situations where users have weak passwords that are guessed by spammers, so valid accounts are used to send spam. The solution chosen in this case is to limit the number of mails sent over a period of time.

1. Install the application's dependencies

yum install -y mariadb mariadb-server perl-Cache-FastMmap perl-Config-IniFiles

2. Download and install policyd rpm package and source files for setting up db.

wget https://download.policyd.org/v2.0.14/cluebringer-2.0.14-1.noarch.rpm
rpm -Uvh cluebringer-2.0.14-1.noarch.rpm
wget https://download.policyd.org/v2.0.14/cluebringer-v2.0.14.zip

3. Set up the database.

unzip cluebringer-v2.0.14.zip
cd cluebringer-v2.0.14/database/

Prepare sql file

vim run.sh
# Convert each schema template to MySQL syntax and collect the output in policyd.sql
for i in core.tsql access_control.tsql quotas.tsql amavis.tsql checkhelo.tsql checkspf.tsql greylisting.tsql; do
    ./convert-tsql mysql "$i"
done > policyd.sql

Change in file
sed -i 's/TYPE=InnoDB CHARACTER SET latin1 COLLATE latin1_bin//' policyd.sql

4. Create database and populate.
mysql -u root -p
create database policyd;
GRANT all on policyd.* to 'policyd'@'localhost' identified by 'Your-password';
exit
mysql -u root -p policyd < policyd.sql

5. Configure cbpolicyd database on webui.conf

vim /etc/policyd/cluebringer.conf
config line like this

vim /etc/policyd/webui.conf
config line like this

6. Set up the policyd web page and Postfix.
Link the web UI into the web root:
cd /var/www/html/
ln -s /usr/share/cluebringer/webui/ policyd

Now you need to set up access in Apache with a vhost.

Modify postfix
Add the following Postfix config setting in BOTH smtpd_recipient_restrictions and smtpd_end_of_data_restrictions:

check_policy_service inet:

It’s recommended to add these parameters first, i.e.:

smtpd_recipient_restrictions = check_policy_service inet:, permit_mynetworks, ..

You can check the logs in /var/log/cbpolicyd.log and /var/log/maillog.
Start the service:
/etc/init.d/cbpolicyd start
[root@mail html]# systemctl enable cbpolicyd
cbpolicyd.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig cbpolicyd on

Setup Vacation on Postfixadmin 3.2 Centos 7.x

This year we set up a new server with Postfixadmin 3.2 and I recently also had to set the vacation module.
I want to outline how I’ve solved the problem that appears on setup.

1. Install Perl library dependencies:

yum install perl-Email-Valid perl-Email-Sender perl-Email-Simple perl-Test-Email perl-Try-Tiny perl-MIME-Charset perl-MIME-EncWords perl-Log-Log4perl perl-Log-Dispatch perl-Test-mysqld

For Debian:

apt-get install libmail-sender-perl \
    libdbd-mysql-perl libemail-valid-perl libmime-perl liblog-log4perl-perl \
    liblog-dispatch-perl libgetopt-argvfile-perl libmime-charset-perl

2. Add user and group, create folder.
groupadd -r -g 65501 vacation
useradd -r -u 65501 -g vacation -d /var/spool/vacation -s /sbin/nologin vacation

mkdir /var/spool/vacation
cp /var/www/html/postfixadmin/VIRTUAL_VACATION/vacation.pl /var/spool/vacation
chown -R vacation:vacation /var/spool/vacation

chmod -R 750 /var/spool/vacation/vacation.pl

3. Setup script.

vim /var/spool/vacation/vacation.pl

our $db_type = 'mysql';
our $db_username = 'postfix';
our $db_password = 'yourdbpasswd';
our $db_name = 'postfix';

our $vacation_domain = 'autoreply.yourdomain.com';

close file with :wq

Setup config.local.php
vim /var/www/html/postfixadmin/config.local.php

$CONF['vacation'] = 'YES';
$CONF['vacation_domain'] = 'autoreply.yourdomain.com';

4. Config vacation in postfix

vim /etc/postfix/master.cf


vacation    unix  -       n       n       -       -       pipe
  flags=Rq user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} -- ${recipient}

( do not forget to add some space in front of "flags=....." )

Make sure you have this line in /etc/postfix/main.cf

transport_maps = hash:/etc/postfix/transport

vim /etc/postfix/transport

autoreply.domain.org    vacation:

Save file and close. After this:

postmap /etc/postfix/transport

Restart Postfix

systemctl restart postfix.service

Follow these steps if you get an error in logs like this:

Aug 20 14:25:01 mail postfix/pipe[24086]: 43AF03E0B63: to=<lucian#domain.ro@autoreply.domain.ro>, orig_to=<lucian@domain.ro>, relay=vacation, delay=2, delays=1.4/0.01/0/0.56, dsn=5.3.0, status
=bounced (Command died with status 255: “/var/spool/vacation/vacation.pl”. Command output: Attribute (ssl) does not pass the type constraint because: Validation failed for ‘Bool’ with value “starttls” at
constructor Email::Sender::Transport::SMTP::new (defined at /usr/share/perl5/vendor_perl/Email/Sender/Transport/SMTP.pm line 200) line 98, <STDIN> line 38. Email::Sender::Transport::SMTP::new(‘Email::Sen
der::Transport::SMTP’, ‘HASH(0x433e128)’) called at /var/spool/vacation/vacation.pl line 474 main::send_vacation_email(‘lucian@domain.ro’, ‘lucian@domainsender.com’, ‘lucian@domain.ro’, ‘<b2f160c
a41b1e4773765ad634564ff1a@domainsender.com>’, 456, 0) called at /var/spool/vacation/vacation.pl line 657 )


vim /var/spool/vacation/vacation.pl

and change

our $smtp_ssl = 'ssl';

to

our $smtp_ssl = '0';

Postfix user sender restriction

Hello all!

Today we want to restrict which destinations a local user can send mail to!

1. First step

postconf -e 'smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders'
postconf -e 'smtpd_restriction_classes = local_only'
postconf -e 'local_only = check_recipient_access hash:/etc/postfix/local_domains, reject'

2. Then create the file /etc/postfix/restricted_senders, which looks similar to this one:

user@ceae.info        local_only
lucian@ceae.info       local_only

3. Final step: afterwards create /etc/postfix/local_domains, which should look similar to this:

ceae.info                  OK
domain.com                 OK
otherdomain.de             OK

After this, restart your Postfix server! Enjoy!
(Source https://www.howtoforge.com/community/threads/postfix-users-restriction.3947/ Thanks falko )

How to remove a lot of mail from mailq with a few CLI commands.


We have a lot of mail with errors like:

D7AF9121256 34341 Tue Nov 21 11:19:27 MAILER-DAEMON ……….

We want to remove them.

First commands:

mailq | grep MAILER-DAEMON | awk '{ print $1 }' > /root/mailq-201711.txt

Here we catch the ID (like D7AF9121256) of each mail and save it in the file /root/mailq-201711.txt.

cat /root/mailq-201711.txt


Now we have to remove the character * from each ID, because otherwise we get an error in the next commands.
Open the file /root/mailq-201711.txt with vim and execute the command :1,$ s/*/<space>/g where 1 is the first line and $ is the last line. Save the file and exit ( :wq )

And now delete the mails from mailq with:

while read i; do postsuper -d $i; done </root/mailq-201711.txt

After reading each line, I delete the ID with postsuper -d $i and read the next line. Enjoy!
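
The two manual steps above (collecting the IDs and removing the * marker) can be done by one filter. This is an added example, not part of the original post: the function name bounce_queue_ids and the sample queue listing are constructed for illustration, and the commented live usage relies on postsuper reading queue IDs from standard input when given "-".

```shell
#!/bin/sh
# Print the queue IDs of all messages whose envelope sender is MAILER-DAEMON.
# Reads `mailq` output on stdin.
bounce_queue_ids() {
    awk '
        # A queue entry starts in column 1 with the queue ID, optionally
        # followed by "*" (active queue) or "!" (hold queue). The sender is
        # the last field of that line.
        /^[0-9A-Za-z]+[*!]?[ \t]/ && $NF == "MAILER-DAEMON" {
            id = $1
            sub(/[*!]$/, "", id)    # drop the status marker
            print id
        }
    '
}

# Constructed sample of mailq output for an offline run.
sample_mailq() {
    cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
D7AF9121256*   34341 Tue Nov 21 11:19:27  MAILER-DAEMON
                                         user@example.com

4F2B1A09C3E     1820 Tue Nov 21 11:20:02  alice@example.org
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         bob@example.net

9C3E1F00AB2!    2210 Tue Nov 21 11:21:40  MAILER-DAEMON
                                         carol@example.com

-- 38 Kbytes in 3 Requests.
EOF
}

# Offline demonstration: prints D7AF9121256 and 9C3E1F00AB2.
sample_mailq | bounce_queue_ids

# On a live server, review the list first, then delete:
#   mailq | bounce_queue_ids > /root/mailq-ids.txt
#   postsuper -d - < /root/mailq-ids.txt
```

Matching on the sender field of the entry line, rather than grepping the whole listing, keeps messages that only mention MAILER-DAEMON elsewhere out of the delete list.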

Imapsync script, or how to easily move many email accounts.

Today I will post a script that shows you how to easily move many email accounts from an old mail server to a new server.
The story: we have many accounts and we know the details of every account ( user and password ).

The script

# Example for imapsync massive migration on Unix systems.
# Data is supposed to be in file.txt in the following format
# user001_1;password001_1;user001_2;password001_2
# Do not forget to put absolute path
# Separator is character semi-colon ; it can be changed
# by any character changing IFS=';'
# Each data line contains 4 columns, columns are 
# parameters for --user1 --password1 --user2 --password2
# Replace "imap.server1.org" and "imap.server2.org" 
# with your own hostname values. 
# This loop will also create a log file called 
# LOG/log_${u2}_$NOW.txt for each account transfer
# where u2 is just a variable containing the user2 
# account name, and NOW is the current date_time

mkdir -p LOG
{ while IFS=';' read -r u1 p1 u2 p2
    do
         # Skip commented lines in the data file
         { echo "$u1" | grep -E "^#" ; } > /dev/null && continue
         NOW=$(date +%Y_%m_%d_%H_%M_%S)
         echo syncing to user "$u2"
         imapsync --host1 imap.server1.org --addheader --user1 "$u1" --password1 "$p1" \
                  --host2 imap.server2.org --user2 "$u2" --password2 "$p2" \
                  > "LOG/log_${u2}_$NOW.txt" 2>&1
    done
} < /etc/rc.d/file.txt
### Do not forget to put absolute path to your file "file.txt" or what ever you name it.
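
The data file holds the plaintext password of every account, so it is worth checking it before the loop runs. This is an added example, not part of imapsync or of the original post; the function name check_cred_file is hypothetical. It verifies that the file is not accessible to group or other and that every data line has exactly four non-empty fields.

```shell
#!/bin/sh
# check_cred_file FILE
# Prints "ok" and returns 0 when FILE is private to its owner and every
# non-comment line has exactly four non-empty ';'-separated fields.
check_cred_file() {
    f=$1
    [ -f "$f" ] || { echo "error: $f not found"; return 1; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "error: $f is accessible to group/other, run chmod 600"
        return 1
    fi

    # A password containing ';' shifts the columns, so count the fields.
    bad=$(awk -F';' '
        /^#/ || /^[ \t]*$/ { next }
        NF != 4 { printf "%d ", NR; next }
        { for (i = 1; i <= 4; i++) if ($i == "") { printf "%d ", NR; next } }
    ' "$f")
    if [ -n "$bad" ]; then
        echo "error: malformed line(s): $bad"
        return 1
    fi
    echo "ok"
}

# Offline demonstration on a constructed file (mktemp creates it mode 600).
demo=$(mktemp)
printf '%s\n' '# old account;old pw;new account;new pw' \
              'user001_1;password001_1;user001_2;password001_2' > "$demo"
check_cred_file "$demo"    # prints "ok"
rm -f "$demo"
```

Delete the data file and the LOG directory once the migration is finished, since both reveal account names and the file reveals passwords.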

Example for file.txt. ( I put different examples of user and password )


Hope this page will help you!

How to upgrade Postfixadmin from old version to new version.

Hello, we need now to upgrade from postfixadmin-2.3.5 to postfixadmin-3.0.2.

This document describes upgrading from an older PostfixAdmin version >= v1.5x on Centos Linux.

1: Back up the database and files!

[root@mail html]# cp -p -R postfixadmin-2.3.5 postfixadmin-2.3.5-bkp
[root@mail html]# mysqldump -uroot -p --routines --single-transaction postfix > /root/work/postfix-sqldump.sql

2: Go to html directory

[root@mail html]# cd /var/www/html/

Get new archive

[root@mail html]# wget http://serverde.covaci.tk/postfixadmin-3.0.2.tar.gz

Unarchive new Postfix Admin

[root@mail html]# tar -zxvf postfixadmin-3.0.2.tar.gz

3: Change permissions

[root@mail html]# cd /var/www/html/postfixadmin-3.0.2
[root@mail postfixadmin-3.0.2]# find -type f -print0 | xargs -0 chmod 640
[root@mail postfixadmin-3.0.2]# find -type f -print0 | xargs -0 chown root:apache
[root@mail postfixadmin-3.0.2]# chown -R apache. templates_c/

Since version 3.0 we use smarty templates. That means the templates_c directory needs to be writeable for your webserver ( create if do not exist ).

[root@mail postfixadmin-3.2]# mkdir templates_c && chmod 750 templates_c && chown -R apache. templates_c

( if your Apache runs as user “apache” )

4: Configure config.inc.php

Check the config.inc.php file. There you can specify settings that are relevant to your setup.

Comparing config.inc.php with your previous using “diff” might save you some time.

You can use a config.local.php file to contain your local settings. These will override any defined in config.inc.php – and save some time when upgrading to a new version of PostfixAdmin 😉

5: Run setup.php

Go to your Apache vhost and change the path.

[root@mail html]# vim /etc/httpd/conf/httpd.conf

ServerName mailadmin.ceae.info
ServerPath /postfixadmin-3.0.2
DocumentRoot /var/www/html/postfixadmin-3.0.2
CustomLog /var/log/httpd/postfixadmin_access.log combined
ErrorLog /var/log/httpd/postfixadmin_error.log

Restart apache service:
[root@mail html]# service httpd restart

Now we run setup.php
I open a new tab in my browser and type http://mailadmin.ceae.info/setup.php

If everything is OK, you should see something like this:

Postfix Admin Setup Checker

Running software:

  • PHP version 5.3.3
  • Apache

Checking for dependencies:

  • Magic Quotes: Disabled – OK
  • Depends on: presence config.inc.php – OK
  • Checking $CONF[‘configured’] – OK
  • Smarty template compile directory is writable – OK
  • Depends on: MySQL 3.23, 4.0 – OK
  • Depends on: MySQL 4.1 – OK
    (change the database_type to ‘mysqli’ in config.inc.php if you want to use MySQL)
  • Depends on: SQLite – OK
    (change the database_type to ‘sqlite’ in config.inc.php if you want to use SQLite)
  • Testing database connection – OK – mysql://postfix:xxxxx@localhost/postfix
  • Depends on: session – OK
  • Depends on: pcre – OK
  • Depends on: multibyte string – OK
  • Depends on: IMAP functions – OK

Everything seems fine… attempting to create/update database structure

Database is up to date

Since version 2.3, PostfixAdmin supports alias domains ($CONF[‘alias_domain’]).
If you want to use them, you have to add some queries to your postfix config – see POSTFIX_CONF for details.

This is all that is needed.

How to set up DMARC for your domain.

The Domain-based Message Authentication, Reporting and Conformance (DMARC) DNS record allows an email sender (which is already using DKIM, SPF or both) to indicate to a mail receiver one or more of the following:

Indicate the mechanisms the sender uses to authenticate its email (DKIM, SPF or both). Some of this functionality is already provided for separately within DKIM (the ADSP capability) and SPF (the pre field) but DMARC enables a comprehensive definition covering both systems.

Indicate comprehensively for DKIM, SPF or both how to handle mail that fails validity checks.

Optionally requests the receiver to send a feedback report (defined by the Abuse Report Format – RFC 5965 or the Incident Object Description Exchange Format – RFC 5070) which allows the mail sender to monitor and change its policies based on receiver feedback. Both individual and aggregate report formats are allowed. This capability is uniquely triggered by the DMARC RR.

DMARC can be viewed as a meta RR that describes the sender’s email policy, comprising DKIM or SPF or both, for any domain. While the draft RFC does not explicitly say anything about the ADSP feature of DKIM it does go out of its way to identify ADSP shortcomings. On balance it would probably be confusing, if not a serious mistake, to have both ADSP and DMARC RRs for any domain.

DMARC is defined by RFC 7489. The DMARC.org web site claims that more than 2 billion email accounts are covered by DMARC. RFC 7960 describes various methods by which, what it charmingly calls ‘indirect email flows’, can be prevented from wreaking untold havoc on email delivery to DMARC enabled recipients.

1. Single Domain Name using DKIM and SPF – Aggressive
Just add this line to your DNS zone:

_dmarc TXT ( "v=DMARC1;p=reject;sp=reject;pct=100; adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dmarc-admin@example.com")

If you do not want to be aggressive, change the policy p=reject; to p=none;
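
A typo in one tag is easy to publish unnoticed, so the record value can be linted before it goes into the zone. This is an added example, not from the original post or its source; the function name dmarc_lint is hypothetical, and it checks only the v, p, sp, adkim, aspf and pct tags against the values RFC 7489 allows.

```shell
#!/bin/sh
# dmarc_lint RECORD
# Prints "ok policy=<p>" and returns 0, or prints "error: ..." and returns 1.
dmarc_lint() {
    record=$1; policy=""; first=1
    old_ifs=$IFS; IFS=';'
    set -f                      # no globbing while splitting on ';'
    set -- $record
    set +f; IFS=$old_ifs
    for tag in "$@"; do
        tag=$(printf '%s' "$tag" | tr -d ' \t')   # tolerate "pct=100; adkim=r"
        [ -n "$tag" ] || continue
        key=${tag%%=*}; val=${tag#*=}
        if [ "$first" = 1 ]; then
            # RFC 7489: the version tag must come first
            [ "$tag" = "v=DMARC1" ] || { echo "error: first tag must be v=DMARC1, got '$tag'"; return 1; }
            first=0; continue
        fi
        case "$key" in
            p|sp)
                case "$val" in
                    none|quarantine|reject) ;;
                    *) echo "error: $key must be none, quarantine or reject, got '$val'"; return 1 ;;
                esac
                if [ "$key" = p ]; then policy=$val; fi ;;
            adkim|aspf)
                case "$val" in
                    r|s) ;;
                    *) echo "error: $key must be r or s, got '$val'"; return 1 ;;
                esac ;;
            pct)
                case "$val" in
                    ''|*[!0-9]*) echo "error: pct must be an integer, got '$val'"; return 1 ;;
                esac
                [ "$val" -le 100 ] || { echo "error: pct must be 0-100, got '$val'"; return 1; } ;;
        esac
    done
    [ -n "$policy" ] || { echo "error: required tag p= is missing"; return 1; }
    echo "ok policy=$policy"
}

# The record from this page: prints "ok policy=reject"
dmarc_lint "v=DMARC1;p=reject;sp=reject;pct=100; adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dmarc-admin@example.com"
```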

Source: http://www.zytrax.com/books/dns/ch9/dmarc.html


How to install DKIM with OpenDKIM and Postfix on a CentOS 7

Hello, today we install DKIM in Centos 7 with Postfix.

# yum install opendkim

Next step to do is to configure OpenDKIM.

# cp /etc/opendkim.conf /etc/opendkim.conf.orig
# vim /etc/opendkim.conf

Options should be like this:

PidFile    /var/run/opendkim/opendkim.pid
Mode    sv
Syslog    yes
SyslogSuccess    yes
LogWhy    yes
UserID    opendkim:opendkim
Socket    inet:8891@localhost
Umask    002
Canonicalization    relaxed/relaxed
Selector    default
MinimumKeyBits 1024
KeyTable    refile:/etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList    refile:/etc/opendkim/TrustedHosts
InternalHosts    refile:/etc/opendkim/TrustedHosts

Next step we have to edit /etc/opendkim/TrustedHosts

# vim /etc/opendkim/TrustedHosts

Now we edit /etc/opendkim/KeyTable

vim /etc/opendkim/KeyTable

default._domainkey.ceae.info ceae.info:default:/etc/opendkim/keys/ceae.info.private

Now opendkim needs to know the relation between mail addresses and domains, so we should configure the SigningTable file.

vim /etc/opendkim/SigningTable

*@ceae.info default._domainkey.ceae.info

Now we generate one keypair for each domain

cd /etc/opendkim/keys
opendkim-genkey -D /etc/opendkim/keys/ -d ceae.info -s ceae.info

You will get:

[root@mail keys]# ls -l
total 8
-rw------- 1 root root 891 apr 25 22:02 ceae.info.private
-rw------- 1 root root 344 apr 25 22:02 ceae.info.txt

We have to change private keys owner.

[root@mail keys]# chown -R opendkim. /etc/opendkim/keys/

Restart opendkim and enable

 systemctl restart opendkim.service
 systemctl enable opendkim.service

Integrate opendkim with postfix:

 vim /etc/postfix/main.cf

and append these lines

milter_default_action = accept
smtpd_milters = inet:

Finally, the most important step is to publish your public keys in DNS.

 cat ceae.info.txt

default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh1hbzE5Ae83qLXL/DKAhTmOYXzLG3+RfdjG9nbv+zH/STABdYpU7kQKAs0M9X1bdIe8We8Bs//vKqqtgOB/j/jwcH+VMou3wBEULshzQK6qoBSb413qdGEnXIHUP3e9p4VttlebSp5w/3dLaOpNFNUMKz6Xb2Pa8xlxn5DgNrYQIDAQAB" ) ; ----- DKIM key ceae.info for ceae.info

Restart Postfix:

 systemctl restart postfix.service

How do we test if it works?

 dig default._domainkey.ceae.info TXT +short

P.S. in dns we start with default._domainkey IN TXT ……

Amavisd + SpamAssassin not working? No mail header X-Spam.

If you want Amavisd to insert X-Spam-* headers in each email, please decrease the Amavisd setting $sa_tag_level_deflt (in the Amavisd config file) to a very low score, e.g. -999, then restart the Amavisd service:

$sa_tag_level_deflt  = -999;

That means Amavisd will insert X-Spam-Flag and other X-Spam-* headers when email score >= -999.

Do not forget to restart services Amavisd.