Posts Tagged ‘server root’

How to redirect TCP port traffic from Internet Public IP host to remote local LAN server, Redirect traffic for Apache Webserver, MySQL, or other TCP service to remote host

Thursday, September 23rd, 2021

 

 

Linux-redirect-forward-tcp-ip-port-traffic-from-internet-to-remote-internet-LAN-IP-server-rinetd-iptables-redir

 

 

1. Use the good old times rinetd – internet “redirection server” service


Perhaps, many people who are younger wouldn't remember rinetd's use was pretty common on old Linuxes in the age where iptables was not on the scene and its predecessor ipchains was so common.
In the raise of mass internet rinetd started loosing its popularity because the service was exposed to the outer world and due to security holes and many exploits circulating the script kiddie communities
many servers get hacked "pwned" in the jargon of the script kiddies.

rinetd is still available even in modern Linuxes and over the last years I did not heard any severe security concerns regarding it, but the old paranoia perhaps and the set to oblivion makes it still unpopular soluttion for port redirect today in year 2021.
However for a local secured DMZ lans I can tell you that its use is mostly useful and I chooes to use it myself, everynow and then due to its simplicity to configure and use.
rinetd is pretty standard among unixes and is also available in old Sun OS / Solaris and BSD-es and pretty much everything on the Unix scene.

Below is excerpt from 'man rinetd':

 

DESCRIPTION
     rinetd redirects TCP connections from one IP address and port to another. rinetd is a single-process server which handles any number of connections to the address/port pairs
     specified in the file /etc/rinetd.conf.  Since rinetd runs as a single process using nonblocking I/O, it is able to redirect a large number of connections without a severe im‐
     pact on the machine. This makes it practical to run TCP services on machines inside an IP masquerading firewall. rinetd does not redirect FTP, because FTP requires more than
     one socket.
     rinetd is typically launched at boot time, using the following syntax:      /usr/sbin/rinetd      The configuration file is found in the file /etc/rinetd.conf, unless another file is specified using the -c command line option.

To use rinetd on any LInux distro you have to install and enable it with apt or yum as usual. For example on my Debian GNU / Linux home machine to use it I had to install .deb package, enable and start it it via systemd :

 

server:~# apt install –yes rinetd

server:~#  systemctl enable rinetd


server:~#  systemctl start rinetd


server:~#  systemctl status rinetd
● rinetd.service
   Loaded: loaded (/etc/init.d/rinetd; generated)
   Active: active (running) since Tue 2021-09-21 10:48:20 EEST; 2 days ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 1 (limit: 4915)
   Memory: 892.0K
   CGroup: /system.slice/rinetd.service
           └─1364 /usr/sbin/rinetd


rinetd is doing the traffic redirect via a separate process daemon, in order for it to function once you have service up check daemon is up as well.

root@server:/home/hipo# ps -ef|grep -i rinet
root       359     1  0 16:10 ?        00:00:00 /usr/sbin/rinetd
root       824 26430  0 16:10 pts/0    00:00:00 grep -i rinet

+ Configuring a new port redirect with rinetd

 

Is pretty straight forward everything is handled via one single configuration – /etc/rinetd.conf

The format (syntax) of a forwarding rule is as follows:

     [bindaddress] [bindport] [connectaddress] [connectport]


Besides that rinetd , could be used as a primitive firewall substitute to iptables, general syntax of allow deny an IP address is done with (allow, deny) keywords:
 

allow 192.168.2.*
deny 192.168.2.1?


To enable logging to external file ,you'll have to include in the configuration:

# logging information
logfile /var/log/rinetd.log

Here is an example rinetd.conf configuration, redirecting tcp mysql 3306, nginx on port 80 and a second web service frontend for ILO to server reachable via port 8888 and a redirect from External IP to local IP SMTP server.

 

#
# this is the configuration file for rinetd, the internet redirection server
#
# you may specify global allow and deny rules here
# only ip addresses are matched, hostnames cannot be specified here
# the wildcards you may use are * and ?
#
# allow 192.168.2.*
# deny 192.168.2.1?


#
# forwarding rules come here
#
# you may specify allow and deny rules after a specific forwarding rule
# to apply to only that forwarding rule
#
# bindadress    bindport  connectaddress  connectport


# logging information
logfile /var/log/rinetd.log
83.228.93.76        80            192.168.0.20       80
192.168.0.2        3306            192.168.0.19        3306
83.228.93.76        443            192.168.0.20       443
# enable for access to ILO
83.228.93.76        8888            192.168.1.25 443

127.0.0.1    25    192.168.0.19    25


83.228.93.76 is my external ( Public )  IP internet address where 192.168.0.20, 192.168.0.19, 192.168.0.20 (are the DMZ-ed Lan internal IPs) with various services.

To identify the services for which rinetd is properly configured to redirect / forward traffic you can see it with netstat or the newer ss command
 

root@server:/home/hipo# netstat -tap|grep -i rinet
tcp        0      0 www.pc-freak.net:8888   0.0.0.0:*               LISTEN      13511/rinetd      
tcp        0      0 www.pc-freak.n:http-alt 0.0.0.0:*               LISTEN      21176/rinetd        
tcp        0      0 www.pc-freak.net:443   0.0.0.0:*               LISTEN      21176/rinetd      

 

+ Using rinetd to redirect External interface IP to loopback's port (127.0.0.1)

 

If you have the need to redirect an External connectable living service be it apache mysql / privoxy / squid or whatever rinetd is perhaps the tool of choice (especially since there is no way to do it with iptables.

If you want to redirect all traffic which is accessed via Linux's loopback interface (localhost) to be reaching a remote host 11.5.8.1 on TCP port 1083 and 1888, use below config

# bindadress    bindport  connectaddress  connectport
11.5.8.1        1083            127.0.0.1       1083
11.5.8.1        1888            127.0.0.1       1888

 

For a quick and dirty solution to redirect traffic rinetd is very useful, however you'll have to keep in mind that if you want to redirect traffic for tens of thousands of connections constantly originating from the internet you might end up with some disconnects as well as notice a increased use of rinetd CPU use with the incrased number of forwarded connections.

 

2. Redirect TCP / IP port using DNAT iptables firewall rules

 

Lets say you have some proxy, webservice or whatever service running on port 5900 to be redirected with iptables.
The easeiest legacy way is to simply add the redirection rules to /etc/rc.local​. In newer Linuxes rc.local so if you decide to use,
you'll have to enable rc.local , I've written earlier a short article on how to enable rc.local on newer Debian, Fedora, CentOS

 

# redirect 5900 TCP service 
sysctl -w net.ipv4.conf.all.route_localnet=1
iptables -t nat -I PREROUTING -p tcp –dport 5900 -j REDIRECT –to-ports 5900
iptables -t nat -I OUTPUT -p tcp -o lo –dport 5900 -j REDIRECT –to-ports 5900
iptables -t nat -A OUTPUT -o lo -d 127.0.0.1 -p tcp –dport 5900 -j DNAT  –to-destination 192.168.1.8:5900
iptables -t nat -I OUTPUT –source 0/0 –destination 0/0 -p tcp –dport 5900 -j REDIRECT –to-ports 5900

 

Here is another two example which redirects port 2208 (which has configured a bind listener for SSH on Internal host 192.168.0.209:2208) from External Internet IP address (XXX.YYY.ZZZ.XYZ) 
 

# Port redirect for SSH to VM on openxen internal Local lan server 192.168.0.209 
-A PREROUTING  -p tcp –dport 2208 -j DNAT –to-destination 192.168.0.209:2208
-A POSTROUTING -p tcp –dst 192.168.0.209 –dport 2208 -j SNAT –to-source 83.228.93.76

 

3. Redirect TCP traffic connections with redir tool

 

If you look for an easy straight forward way to redirect TCP traffic, installing and using redir (ready compiled program) might be a good idea.


root@server:~# apt-cache show redir|grep -i desc -A5 -B5
Version: 3.2-1
Installed-Size: 60
Maintainer: Lucas Kanashiro <kanashiro@debian.org>
Architecture: amd64
Depends: libc6 (>= 2.15)
Description-en: Redirect TCP connections
 It can run under inetd or stand alone (in which case it handles multiple
 connections).  It is 8 bit clean, not limited to line mode, is small and
 light. Supports transparency, FTP redirects, http proxying, NAT and bandwidth
 limiting.
 .
 redir is all you need to redirect traffic across firewalls that authenticate
 based on an IP address etc. No need for the firewall toolkit. The
 functionality of inetd/tcpd and "redir" will allow you to do everything you
 need without screwy telnet/ftp etc gateways. (I assume you are running IP
 Masquerading of course.)

Description-md5: 2089a3403d126a5a0bcf29b22b68406d
Homepage: https://github.com/troglobit/redir
Tag: interface::daemon, network::server, network::service, role::program,
 use::proxying
Section: net
Priority: optional

 

 

server:~# apt-get install –yes redir

Here is a short description taken from its man page 'man redir'

 

DESCRIPTION
     redir redirects TCP connections coming in on a local port, [SRC]:PORT, to a specified address/port combination, [DST]:PORT.  Both the SRC and DST arguments can be left out,
     redir will then use 0.0.0.0.

     redir can be run either from inetd or as a standalone daemon.  In –inetd mode the listening SRC:PORT combo is handled by another process, usually inetd, and a connected
     socket is handed over to redir via stdin.  Hence only [DST]:PORT is required in –inetd mode.  In standalone mode redir can run either in the foreground, -n, or in the back‐
     ground, detached like a proper UNIX daemon.  This is the default.  When running in the foreground log messages are also printed to stderr, unless the -s flag is given.

     Depending on how redir was compiled, not all options may be available.

 

+ Use redir to redirect TCP traffic one time

 

Lets say you have a MySQL running on remote machine on some internal or external IP address, lets say 192.168.0.200 and you want to redirect all traffic from remote host to the machine (192.168.0.50), where you run your Apache Webserver, which you want to configure to use
as MySQL localhost TCP port 3306.

Assuming there are no irewall restrictions between Host A (192.168.0.50) and Host B (192.168.0.200) is already permitting connectivity on TCP/IP port 3306 between the two machines.

To open redirection from localhost on 192.168.0.50 -> 192.168.0.200:

 

server:~# redir –laddr=127.0.0.1 –lport=3306 –caddr=192.168.0.200 –cport=3306

 

If you need other third party hosts to be additionally reaching 192.168.0.200 via 192.168.0.50 TCP 3306.

root@server:~# redir –laddr=192.168.0.50 –lport=3306 –caddr=192.168.0.200 –cport=3306


Of course once you close, the /dev/tty or /dev/vty console the connection redirect will be cancelled.

 

+ Making TCP port forwarding from Host A to Host B permanent


One solution to make the redir setup rules permanent is to use –rinetd option or simply background the process, nevertheless I prefer to use instead GNU Screen.
If you don't know screen is a vVrtual Console Emulation manager with VT100/ANSI terminal emulation to so, if you don't have screen present on the host install it with whatever Linux OS package manager is present and run:

 

root@server:~#screen -dm bash -c 'redir –laddr=127.0.0.1 –lport=3306 –caddr=192.168.0.200 –cport=3306'

 

That would run it into screen session and detach so you can later connect, if you want you can make redir to also log connections via syslog with ( -s) option.

I found also useful to be able to track real time what's going on currently with the opened redirect socket by changing redir log level.

Accepted log level is:

 

  -l, –loglevel=LEVEL
             Set log level: none, err, notice, info, debug.  Default is notice.

 

root@server:/ # screen -dm bash -c 'redir –laddr=127.0.0.1 –lport=3308 –caddr=192.168.0.200 –cport=3306 -l debug'

 

To test connectivity works as expected use telnet:
 

root@server:/ # telnet localhost 3308
Trying 127.0.0.1…
Connected to localhost.
Escape character is '^]'.
g
5.5.5-10.3.29-MariaDB-0+deb10u1-log�+c2nWG>B���o+#ly=bT^]79mysql_native_password

6#HY000Proxy header is not accepted from 192.168.0.19 Connection closed by foreign host.

once you attach to screen session with

 

root@server:/home #  screen -r

 

You will get connectivity attempt from localhost logged : .
 

redir[10640]: listening on 127.0.0.1:3306
redir[10640]: target is 192.168.0.200:3306
redir[10640]: Waiting for client to connect on server socket …
redir[10640]: target is 192.168.0.200:3306
redir[10640]: Waiting for client to connect on server socket …
redir[10793]: peer IP is 127.0.0.1
redir[10793]: peer socket is 25592
redir[10793]: target IP address is 192.168.0.200
redir[10793]: target port is 3306
redir[10793]: Connecting 127.0.0.1:25592 to 127.0.0.1:3306
redir[10793]: Entering copyloop() – timeout is 0
redir[10793]: Disconnect after 1 sec, 165 bytes in, 4 bytes out

The downsides of using redir is redirection is handled by the separate process which is all time hanging in the process list, as well as the connection redirection speed of incoming connections might be about at least 30% slower to if you simply use a software (firewall ) redirect such as iptables. If you use something like kernel IP set ( ipsets ). If you hear of ipset for a first time and you wander whta it is below is short package description.

 

root@server:/root# apt-cache show ipset|grep -i description -A13 -B5
Maintainer: Debian Netfilter Packaging Team <pkg-netfilter-team@lists.alioth.debian.org>
Architecture: amd64
Provides: ipset-6.38
Depends: iptables, libc6 (>= 2.4), libipset11 (>= 6.38-1~)
Breaks: xtables-addons-common (<< 1.41~)
Description-en: administration tool for kernel IP sets
 IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel which can be
 administered by the ipset(8) utility. Depending on the type, currently an
 IP set may store IP addresses, (TCP/UDP) port numbers or IP addresses with
 MAC addresses in a  way which ensures lightning speed when matching an
 entry against a set.
 .
 If you want to
 .
  * store multiple IP addresses or port numbers and match against the
    entire collection using a single iptables rule.
  * dynamically update iptables rules against IP addresses or ports without
    performance penalty.
  * express complex IP address and ports based rulesets with a single
    iptables rule and benefit from the speed of IP sets.

 .
 then IP sets may be the proper tool for you.
Description-md5: d87e199641d9d6fbb0e52a65cf412bde
Homepage: http://ipset.netfilter.org/
Tag: implemented-in::c, role::program
Section: net
Priority: optional
Filename: pool/main/i/ipset/ipset_6.38-1.2_amd64.deb
Size: 50684
MD5sum: 095760c5db23552a9ae180bd58bc8efb
SHA256: 2e2d1c3d494fe32755324bf040ffcb614cf180327736c22168b4ddf51d462522

Debian Linux: Installing and monitoring servers with Icanga (Nagios fork soft)

Monday, June 3rd, 2013

icinga-monitoring-processes-and-servers-linux-logo

There is plenty of software for monitoring how server performs and whether servers are correctly up and running. There is probably no Debian Linux admin who didn't already worked or at least tried Nagios and Mointor to monitor and notify whether server is unreachable or how server services operate. Nagios and Munin are play well together to prevent possible upcoming problems with Web / Db / E-mail services or get notify whether they are completely inaccessible. One similar "next-generation" and less known software is Icanga.
The reason, why to use Icinga  instead of Nagios is  more features a list of what does Icinga supports more than Nagios is on its site here
I recently heard of it and decided to try it myself. To try Icanga I followed Icanga's install tutorial on Wiki.Icanga.Org here
In Debian Wheezy, Icinga is already part of official repositories so installing it like in Squeeze and Lenny does not require use of external Debian BackPorts repositories.

1. Install Icinga pre-requirement packages

debian:# apt-get --yes install php5 php5-cli php-pear php5-xmlrpc php5-xsl php5-gd php5-ldap php5-mysql

2. Install Icanga-web package

debian:~# apt-get --yes install icinga-web

Here you will be prompted a number of times to answer few dialog questions important for security, as well as fill in MySQL server root user / password as well as SQL password that will icinga_web mySQL user use.

icinga-choosing-database-type

configuring-icinga-web-debian-linux-configuring-database-shot

debian-config-screenshot-configuring-icinga-idoutils

icinga-password-confirmation-debian-linux
….

Setting up icinga-idoutils (1.7.1-6) …
dbconfig-common: writing config to /etc/dbconfig-common/icinga-idoutils.conf
granting access to database icinga for icinga-idoutils@localhost: success.
verifying access for icinga-idoutils@localhost: success.
creating database icinga: success.
verifying database icinga exists: success.
populating database via sql…  done.
dbconfig-common: flushing administrative password
Setting up icinga-web (1.7.1+dfsg2-6) …
dbconfig-common: writing config to /etc/dbconfig-common/icinga-web.conf

Creating config file /etc/dbconfig-common/icinga-web.conf with new version
granting access to database icinga_web for icinga_web@localhost: success.
verifying access for icinga_web@localhost: success.
creating database icinga_web: success.
verifying database icinga_web exists: success.
populating database via sql…  done.
dbconfig-common: flushing administrative password

Creating config file /etc/icinga-web/conf.d/database-web.xml with new version
database config successful: /etc/icinga-web/conf.d/database-web.xml

Creating config file /etc/icinga-web/conf.d/database-ido.xml with new version
database config successful: /etc/icinga-web/conf.d/database-ido.xml
enabling config for webserver apache2…
Enabling module rewrite.
To activate the new configuration, you need to run:
  service apache2 restart
`/etc/apache2/conf.d/icinga-web.conf' -> `../../icinga-web/apache2.conf'
[ ok ] Reloading web server config: apache2 not running.
root password updates successfully!
Basedir: /usr Cachedir: /var/cache/icinga-web
Cache already purged!

3. Enable Apache mod_rewrite
 

 

debian:~# a2enmod rewrite
debian:~# /etc/init.d/apache2 restart


4. Icinga documentation files

Some key hints on Enabling some more nice Icinga features are mentioned in Icinga README files, check out, all docs files included with Icinga separate packs are into:
 

debian:~# ls -ld *icinga*/
drwxr-xr-x 3 root root 4096 Jun  3 10:48 icinga-common/
drwxr-xr-x 3 root root 4096 Jun  3 10:48 icinga-core/
drwxr-xr-x 3 root root 4096 Jun  3 10:48 icinga-idoutils/
drwxr-xr-x 2 root root 4096 Jun  3 10:48 icinga-web/

debian:~# less /usr/share/doc/icinga-web/README.Debian debian:~# less /usr/share/doc/icinga-idoutils/README.Debian

5. Configuring Icinga

Icinga configurations are separated in two directories:

debian:~# ls -ld *icinga*

drwxr-xr-x 4 root root 4096 Jun  3 10:50 icinga
drwxr-xr-x 3 root root 4096 Jun  3 11:07 icinga-web

>

etc/icinga/ – (contains configurations files for on exact icinga backend server behavior)

 

/etc/icinga-web – (contains all kind of Icinga Apache configurations)
Main configuration worthy to look in after install is /etc/icinga/icinga.cfg.

6. Accessing newly installed Icinga via web

To access just installed Icinga, open in browser URL – htp://localhost/icinga-web

icinga web login screen in browser debian gnu linux

logged in inside Icinga / Icinga web view and control frontend

 

7. Monitoring host services with Icinga (NRPE)

As fork of Nagios. Icinga has similar modular architecture and uses number of external plugins to Monitor external host services list of existing plugins is on Icinga's wiki here.
Just like Nagios Icinga supports NRPE protocol (Nagios Remote Plugin Executor). To setup NRPE, nrpe plugin from nagios is used (nagios-nrpe-server). 

To install NRPE on any of the nodes to be tracked;
debian: ~# apt-get install –yes nagios-nrpe-server

 Then to configure NRPE edit /etc/nagios/nrpe_local.cfg

 

Once NRPE is supported in Icinga, you can install on Windows or Linux hosts NRPE clients like in Nagios to report on server processes state and easily monitor if server disk space / load or service is in critical state.

How to list and delete mail queue on Qmail / Sendmail / Postfix and Exim SMTP server

Wednesday, April 3rd, 2013

How to list and manage delete Qmail Postfix Sendmail Exim mail SMTP queue View-and delete manage Linux and FreeBSD mail server queue

I have to administrate different kind of mail servers. Different clients has different requirements so in daily job I had to take care for all major mail server platforms our there. Often I have to fix problems with mail servers one very useful thing is to check the mail server queue to see what is there holding to be delivered. Often problems with busy mail servers are rooted in overfilled queues with undelivered mails so checking the queue on Postfix / Exim / Sendmail and Qmail is among the first thing to do to diagnose a problem with improperly working SMTP. In this little article I will show how one can check what is in the queue even if he didn't have the technical background on how each of those mail delivery agents works.

1. How to check and manage queue of Qmail Mail Server

Essential info on how many messages are in the queue and to list this messages in Qmail are done with qmail-qstat and qmail-qread.

a) Checking how many messages are in Qmail queue undelivered to remote SMTPs

root@mail:~# qmail-qstat
messages in queue: 1
messages in queue but not yet preprocessed: 0

b) Listing undelivered e-mails held in Qmail queue

root@mail:~# qmail-qread
26 Mar 2013 01:33:07 GMT  #9609259  748  <info@pomoriemonastery.com>
    remote    bpfejd@gprizm.com
root@mail:~#

One other useful command in dealing with Qmail queue is qmail-qread type it and see for yourself what it does.
c) Flushing qmail queue

Use a tiny shell script ( flush_qmail_queue.sh ), deleting all files in /var/qmail/queue/mess – directory where qmail stores undelivered messages in queue.

# ./flush_qmail_queue.sh

Though above script should be working in some cases, where there are permission problems with Queue or some other mess it is better to use more sophisticated Qmail Queue cleaining tool Qmail MailRemove. To use its necessary to have a working version of Python programming language. Once downloaded Qmail MailRemove, mkdir  /var/qmail/queue/filter (a directory needed for MailRemove to work). Then run script

# ./mailRemove.py email_to_remove

Other variant to clean messed qmail queue is to use qmailHandle.

2. How to check and delete mails from queue in Postfix SMTP

On postfix queue is checked using both postqueue command which is postfix's specific tool for viewing the queue or the standard sendmail mailq. mailq is actually – Postfix to sendmail compitability interface, i.e. this command is not the native way to view queue in Postfix but is just a wrapper binary which invokes postqueue with an option to visualize what is in queue for SMTP admins accustomed to work with sendmail.

a) Checking list of undelivered e-mails

Below is an examples:

mail:~# mailq

-Queue ID- –Size– —-Arrival Time—- -Sender/Recipient——-
4A22BBE1A3*     657 Mon Apr  1 18:46:01  www-data@debian.uk2net.com
                                         csacpabb@nasvalke.com

25824BE18B*     660 Thu Mar 28 18:15:03  www-data@debian.uk2net.com
                                         Aliermarl@fmailxc.com.com

D2AA7BE1BF      652 Sun Mar 31 04:30:21  www-data@debian.uk2net.com
(host mail.drugsellr.com[37.1.218.81] refused to talk to me: 421 Too many concurrent SMTP connections; please try again later.)
                                         Erudge@drugsellr.com

mail:~# postfix -p
-Queue ID- –Size– —-Arrival Time—- -Sender/Recipient——-
36911BE18D*     662 Mon Mar 25 11:08:01  www-data@debian.uk2net.com
                                         lutuaslenty@fmailxc.com.com

C2439BE207*     662 Fri Mar 22 14:59:45  www-data@debian.uk2net.com
                                         Gavepolla@fmailxc.com.com

4A22BBE1A3*     657 Mon Apr  1 18:46:01  www-data@debian.uk2net.com
                                         csacpabb@nasvalke.com

b) Checking the  number of undelivered mails living in Postfix queue

postfix:~#  postqueue -p|wc -l
433

c) Viewing content of specific mail held in Postfix queue

Whether you need to check content of specific undelivered mail kept in queue you should do it by its ID, to view last mail from earlier postfix -p example:

postfix:~# postcat -q 4A22BBE1A3

*** ENVELOPE RECORDS deferred/A/4A22BBE1A3 ***
message_size:             656             187               1               0             656
message_arrival_time: Tue Apr  2 14:25:34 2013
create_time: Tue Apr  2 14:25:35 2013
named_attribute: rewrite_context=local
sender_fullname: www-data
sender: www-data@debian.uk2net.com
*** MESSAGE CONTENTS deferred/A/4A22BBE1A3 ***
Received: by postfix (Postfix, from userid 33)
        id AA379BE07A; Tue,  2 Apr 2013 14:25:34 +0100 (BST)
To: hawtiene@drugsellr.com
Subject: =?UTF8?B?QWNjb3VudCBpbmZvcm1hdGlvbiBmb3IgU09DQ0VSRkFNRQ==?=
X-PHP-Originating-Script: 1000:register_login_functions.php
From: SOCCERFAME <no-reply@mail.host.com>
Content-type:text/plain; charset=UTF8
Message-Id: <20130402132535.AA379BE07A@mail.host.com>
Date: Tue,  2 Apr 2013 14:25:34 +0100 (BST)

Please keep that email. It contains your username and password for postfix.
—————————-
nick : hawtiene
pass : 1v7Upjw3nT
—————————-

*** HEADER EXTRACTED deferred/A/4A22BBE1A3 ***
original_recipient: hawtiene@drugsellr.com
recipient: hawtiene@drugsellr.com
*** MESSAGE FILE END deferred/A/4A22BBE1A3 ***

d) Deleting mails in Postfix queue

To delete all mails in Postfix queue run:

postfix:~# postsuper -d ALL

If Postfix cannot deliver a message to a recipient it is placed in the deferred queue.  The queue manager will scan the deferred queue to see it if can place mail back into the active queue.  How often this scan occurs is determined by the queue_run_delay.
The queue_run_delay is by default 300s or 300 seconds. If you have a very busy mail server you may see a large deferred queue.
To delete all mails in deferred queue.

postfix:~# postsuper -d ALL deferred

3. How to check mail queue of Exim mail server

Viewing number of messages and list of undelivered messages in Exim queue is done using exim command by specifying arguments.

a) Checking the list of undelivered mails kept undelivered in Exim SMTP Queue

 

root@iqtestfb:/etc/exim4# exim -bp

4d 416 1UI1fS-00021I-1s <root@ETC_MAILNAME> *** frozen *** hipo@www.pc-freak.net 4d 746 1UI1gc-00023T-0S <root@ETC_MAILNAME> *** frozen *** root@ETC_MAILNAME 4d 752 1UI1lR-0003H0-89 <root@ETC_MAILNAME> *** frozen *** root@ETC_MAILNAME 4d 894 1UI1lR-0003H5-I6 <www-data@ETC_MAILNAME> *** frozen *** www-data@ETC_MAILNAME

b) Counting number of Exim undelivered messages kept in Mail Queue
exim-smtp:/etc/exim4# exim -bpc 2063 c) Getting a summary of all messages in Exim Queue (Count, Volume, Oldest, Newest, Destination Domain)
exim-smtp:/etc/exim4# exim -bp| exiqsumm

Count Volume Oldest Newest Domain —– —— —— —— —— 1 862 22h 22h 126.com 2 1751 12h 5h 163.com 21 3111KB 4d 3h abv.bg 2 766KB 42h 7h alice.it 1 383KB 7h 7h aol.com 1 383KB 4d 4d att.net 1 383KB 3d 3d beotel.net 2 766KB 20h 19h bih.net.ba 1685 3291KB 4d 1m etc_mailname 1 383KB 70h 70h facebook.com 1 383KB 66h 66h gaaa 81 22MB 4d 15m gmail.com 1 564 3d 3d gmaill.com 1 383KB 3d 3d googlemail.com 1 383KB 64h 64h hotmai.rs 33 10MB 4d 2h hotmail.com 25 9193KB 4d 79m hotmail.it 1 383KB 4d 4d hotmailcom 2 1128 24h 20h icloud.com 2 766KB 67h 67h inwind.it 11 3831KB 3d 7h libero.it 1 383KB 20h 20h live.co.uk 3 767KB 37h 3h live.com 6 1916KB 67h 45h live.it 1 552 28h 28h live.no 1 383KB 67h 67h llle.it 1 383KB 67h 67h lllle.it 1 383KB 33m 33m luigimori.it 2 389KB 56h 4h mail.bg 1 383KB 66h 66h mailmetrash.com 1 383KB 39h 39h malltron.it 1 562 7h 7h me.com 1 383KB 4d 4d msn.com 2 1116 49h 47h net.hr 1 383KB 28h 28h orion.rs 1 383KB 3d 3d paskaa.com 75 31KB 4d 3d www.pc-freak.net 1 572 3d 3d prismamedia.ro 1 383KB 71h 71h rediffmail.com 1 383KB 28h 28h seznam.cz 1 383KB 14m 14m siol.net 36 11KB 4d 3d sms.mtel.net 1 557 53h 53h t-com.hr 1 383KB 23h 23h tecnobagno.191.it 1 383KB 4d 4d teol.net 2 766KB 67h 44h virgilio.it 1 383KB 42h 42h windwslive.com 1 549 3d 3d yahoo 43 9213KB 4d 74m yahoo.com 2 766KB 70h 46h yahoo.it 1 383KB 71h 71h ymail.com ————————————————————— 2068 76MB 4d 1m TOTAL

 

c)  List Exim queued messages sorted by recipient address and sender address

  To list e-mails in queue sorted by recipient address

exim-smtp:/etc/exim4# exim -bpr|grep -Eo "^\s*[^ ]*@[^ ]*$" |sort | uniq -c

To List queued messages grouped by address of sender
exim-smtp:/etc/exim4# exim -bpr | grep -Eo "<[^ ]*@[^ ]*>" | sort | uniq -c  

d) Forcing Exim  to attempt re-send e-mails kept inside
queue

As Exim is relatively new SMTP its authors thought deeply before writting it and included options to do queue e-mail sent whether server is not under extremely high loads as well as send, regardless of load. Make Exim start sending queue e-mails if server is not overloaded (no extra-high server load)
exim-smtp:/etc/exim4# exim -q -v

  To make Exim force a queue run regardless of system load exim-smtp:/etc/exim4# exim -qf -v  

To make Exim deliver only e-mails sent from server to server (usually e-mails from local server monitoring software and log reports)
exim-smtp:/etc/exim4# exim -ql -v

e) Deleting e-mails from Exim mail queue

To Remove a message from queue identify by ID

exim-smtp:/etc/exim4# exim -Mrm <message-id>     Force Exim delivery of a message regardless of Frozen status

exim-smtp:/etc/exim4# exim -M<message-id >  

f) Removing Exim mails older than certain seconds or hours To remove all mails older than 12hrs (43000 seconds) exim-smtp:~# exiqgrep -o 43000 -i | xargs exim -Mrm

Deleting all frozen mails from queue is done with:

exim-smtp:~# exiqgrep -z -i | xargs exim -Mrm  

Removing all e-mails belonging to particular sender

exim-smtp:~# exiqgrep -i -f user@domain.com | xargs exim -Mrm

  Removing all mails from a sender that are older than 12hrs

exim-smtp:~# exiqgrep -o 43000 -i -f user@domain.com | xargs exim -Mrm
 

g) Flushing Exim mail queue
Use

exim-smtp:~# runq
  or

exim-smtp:~# exim -q

4. How to view and manage sendmail SMTP queue

a) Listing all e-mails stored in Sendmail queue

To list the mail queue in sendmail

sendmail:~# sendmail -bp
/var/spool/mqueue is empty
        Total requests: 0

or

sendmail:~# mailq
 

/var/spool/mqueue (3 requests) —–Q-ID—– –Size– —–Q-Time—– ————Sender/Recipient———– m9TMLQHG012749 1103 Thu Oct 30 11:21 <apache@localhost.localdomain> (host map: lookup (electrictoolbox.com): deferred) <test@electrictoolbox.com> m9TMLRB9012751 37113 Thu Oct 30 11:21 <apache@localhost.localdomain> (host map: lookup (electrictoolbox.com): deferred) <test@electrictoolbox.com> m9TMLPcg012747 240451 Thu Oct 30 11:21 <apache@localhost.localdomain> (host map: lookup (electrictoolbox.com): deferred) <test@electrictoolbox.com> Total requests: 3

b) Checking queue for specific mail sender or recipient

sendmail:~# mailq | grep -i email@domain-name.com -A 2 -B 2
....

c) Removing all e-mails from Sendmail queue

To delete everything stored in Sendmail queue delete files from directory where sendmail stores still undelivered mails. In sendmail this is /var/spool/mqueue and /var/mqueue

sendmail:~# rm /var/spool/mqueue/*.*
sendmail:~# rm /var/mqueue/*.*

Deleting all pending mails from queue

To remove / delete e-mails originating from certain domain / user or recipient

sendmail:~# sendmail -qS -v domain-name.com

To delete e-mail from certain user or recipieint

sendmail:~# sendmail -qR -v yahoo.co.uk

 

How to check /dev/ partition disk labeling in Debian GNU / Linux

Thursday, December 8th, 2011

The usual way that one is supposed to check a certain partition let’s say /dev/sda1 disk UUID (Universal Unique Identifier) label is through a command:
vol_id /dev/sda1

For reason however Debian does not include vol_id command. To check the UUID assigned disk labels on Debian one should use another command called blkid (part of util-linux deb package).

blkid will list all block device attributes so it doesn’t specifically, passing any partition as argument.
Here is an example output of blkid :

server:/root# blkid
/dev/sda1: UUID="cdb1836e-b7a2-4cc7-b666-8d2aa31b2da4" SEC_TYPE="ext2" TYPE="ext3"
/dev/sda5: UUID="c67d6d43-a48f-43ff-9d65-7c707a57dfe6" TYPE="swap"
/dev/sdb1: UUID="e324ec28-cf04-4e2e-8953-b6a8e6482425" TYPE="ext2"
/dev/sdb5: UUID="1DWe0F-Of9d-Sl1J-8pXW-PLpy-Wf9s-SsyZfQ" TYPE="LVM2_member"
/dev/mapper/computer-root: UUID="fbdfc19e-6ec8-4000-af8a-cde62926e395" TYPE="ext3"
/dev/mapper/computer-swap_1: UUID="e69100ab-9ef4-45df-a6aa-886a981e5f26" TYPE="swap"
/dev/mapper/computer-home: UUID="2fe446da-242d-4cca-8b2c-d23c76fa27ec" TYPE="ext3"

 

How to change MySQL server root password

Friday, July 29th, 2011

MySQL pass dialog Debian

I had to change my mysql root password for one of the servers since during the install I mispasted the password in the MySQL password prompt I needed the pwd to be changed.

Here is how I changed it to my desired one:

linux:~# /usr/bin/mysqladmin -u root -p'OLD_PASSWORD_STRING' password NEW_PASSWORD_STRING
linux:~#

The password gets changed immediately 😉

If a new password has to be set to a passwordless mysql server, the command to be issued is:

linux:~# /usr/bin/mysqladmin -u root password PASSWORD_STRING

Changing the MySQL password is also possible with mysql cli, after connecting to the sql server, though this method is a bit more time consuming. Here is how to do it from mysql console:

linux:~# mysql -u root -p
Server version: 5.1.49-3 (Debian)

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type ‘help;’ or ‘h’ for help. Type ‘c’ to clear the current input statement.
mysql> use mysql;
mysql> update user set password=PASSWORD(“NEW_PASSWORD”) where User=’root’;mysql> flush privileges;

Of course it’s possible to do change the root pass via phpmyadmin
Cheers 😉

How to make a mysql root user to login interactive with mysql cli passwordless

Wednesday, June 29th, 2011

MySQL Logo Passwordless root login .my.cnf

I’m using access to the mysql servers via localhost with mysql cli on daily basis.
With time I’ve figured out that it’s pretty unahandy to always login with my root mysql password, I mean each time to enter it, e.g.:

root@mysql-server:~# mysql -u root
Enter password:
...

Thus to make my life a way easier I decided to store my mysql root password in order to allow my root admin user to be able to login to my mysql server without asking for password. This saves time and nerves, as I’m not supposed to look up for the password file I store my server mysql root pass.

To allow my mysql cli interface, to login passwordless to the SQL server I had to create the file /root/.my.cnf readable only for my root user and store my MySQL username and password there.

Here is a sample /root/.my.cnf file:

root@mysql-server:~# cat /root/.my.cnf
[client]
user="root"
pass="mysecretMySQLPasswordgoeshere"

Now next time I use the mysql console interface to access my mysql server I don’t have to supply the password, here is how easier is the mysql login afterwards:

root@mysql-server:~# mysql -u root
Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 3520
Server version: 5.0.77 Source distribution

Type ‘help;’ or ‘h’ for help. Type ‘c’ to clear the buffer.

mysql>

The only downside of using .my.cnf to store permanently the mysql server root and password is from security standpoint.
If for instance somebody roots my servers, where I have stored my root user/pwds in .my.cnf , he will be able immediately to get access to the MySQL server.

Another possible security flaw with using the mysql passwordless login “trick” is if somebody forgets to set proper file permissions to, .my.cnf

Once again the file should possess the permissons of:

root@mysql-server:~# ls -al /root/.my.cnf
-rw------- 1 root root 90 Apr 2 00:05 /root/.my.cnf

Any other permissons might allow non-privileged users to read the file and gain unathorized admin access to the SQL server.