Tag archive: Postfix

Syslog kills Postfix performance

Last night, some script kiddie decided it'd be fun to overload one of my servers by brute-forcing the FTP server. With the FTP server taking 90% of the CPU, the whole server became slow; the Postfix mail server in particular experienced huge delays.

Anyway, I firewalled the script kiddie out and Postfix could start processing the queue. But for some reason it delivered no more than 5-10 mails a second, which meant that processing the queue of 18,000 mails would take 30-60 minutes.

I had tried before to figure out why Postfix was so slow, without any luck; the well-known tuning pages didn't help me at all. Today I opened /usr/bin/top and saw that the system was doing a lot of I/O. That is how I accidentally found the cause: I like to have syslog write *.* to /var/log/allmessages.

This simple rule caused so much extra I/O that Postfix was slowed down by 90%. After disabling "allmessages", performance went up and the queue was processed within minutes. Makes me wonder what happens if I...

  • disable logging altogether, which is a bad idea as you can no longer spot abuse
  • find a way to enable write caching - the default syslog of CentOS 5 does not support this AFAIK
  • write the logs to another device

Interesting...
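As an added example (not from the original post), this Go program reads Postfix delivery records from a syslog-style maillog and works out deliveries per second, the peak rate, and where each message's delay went, using the delays= field that modern Postfix logs; a large first component means messages sat waiting for the queue manager, as they did here, rather than being held up by slow remote hosts. The sample log lines are constructed.

```go
package main

import (
	"regexp"
	"strconv"
)

// Constructed sample maillog lines (not from the post). In delays=a/b/c/d: a = time
// before the queue manager took the message, b = in the active queue, c = connection setup, d = transmission.
var sampleLog = []string{
	`Jan 12 03:14:00 mx postfix/smtp[2201]: 1A2B3C4D5E: to=<a@example.org>, relay=mail.example.org[192.0.2.10]:25, delay=312, delays=310/1.2/0.3/0.5, dsn=2.0.0, status=sent (250 Ok)`,
	`Jan 12 03:14:00 mx postfix/smtp[2202]: 2B3C4D5E6F: to=<b@example.net>, relay=mail.example.net[198.51.100.7]:25, delay=308, delays=306/1.0/0.4/0.6, dsn=2.0.0, status=sent (250 Ok)`,
	`Jan 12 03:14:01 mx postfix/smtp[2201]: 3C4D5E6F70: to=<c@example.org>, relay=mail.example.org[192.0.2.10]:25, delay=290, delays=288/1.1/0.3/0.5, dsn=5.1.1, status=bounced (550 no such user)`,
	`Jan 12 03:14:01 mx postfix/smtp[2203]: 4D5E6F7081: to=<d@example.com>, relay=mail.example.com[203.0.113.9]:25, delay=300, delays=298/1.2/0.2/0.6, dsn=2.0.0, status=sent (250 Ok)`,
}

// Matches successful deliveries only; groups: log second, total delay, the four delay components.
var sentRe = regexp.MustCompile(`^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/\S+\[\d+\]: \w+: to=<[^>]*>, .*delay=([\d.]+), delays=([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+), .*status=sent`)

type Stats struct {
	Sent       int
	PerSecond  map[string]int // deliveries logged in each second
	PeakPerSec int
	AvgDelay   [5]float64 // average total delay, then the four delays= components
}

func Analyze(lines []string) Stats {
	st := Stats{PerSecond: map[string]int{}}
	var sum [5]float64
	for _, l := range lines {
		m := sentRe.FindStringSubmatch(l)
		if m == nil {
			continue // bounced, deferred and non-delivery records are skipped
		}
		st.Sent++
		if st.PerSecond[m[1]]++; st.PerSecond[m[1]] > st.PeakPerSec {
			st.PeakPerSec = st.PerSecond[m[1]]
		}
		for i := range sum {
			v, _ := strconv.ParseFloat(m[2+i], 64)
			sum[i] += v
		}
	}
	for i := range sum {
		if st.Sent > 0 { // leave the averages at zero when nothing was delivered
			st.AvgDelay[i] = sum[i] / float64(st.Sent)
		}
	}
	return st
}
```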

© GeekLabInfo Syslog kills Postfix performance is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info

How to use chained SSL certificates

What are chained SSL certificates?

Normal "single root" certs are certified by a single parent that clients recognise directly. Chained certs, on the other hand, are signed by a parent which itself is signed by another parent. This effectively makes your cert a "grandchild" of the CA root. In the attached image you'll see a cert that is chained through two intermediate certs.

How to use chained SSL certificates?

Different server programs require different configuration. This page does not explain how to set up SSL for your software; it only shows how to use chained certs with the various programs.

Apache

Apache has quite a lot of SSL functionality on board. I'm not going to discuss it all; the directives you're looking for are:

SSLCertificateFile [path to crt file here]
SSLCertificateKeyFile [path to key file here]
SSLCACertificateFile [path to intermediate ca certs bundle here]

I downloaded the intermediate CA certs from my SSL provider: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1371 . Your SSL provider has a page with their own intermediate CA certs.

PureFTPd

My PureFTPd key and cert are both located in /etc/pure-ftpd/pure-ftpd.pem. In order to make FTP clients accept the SSL cert, I performed the following steps:

  1. I downloaded the intermediate CA certs from my SSL provider: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1371 . Your SSL provider has a page with their own intermediate CA certs.
  2. I combined the contents of the key, my own cert and the intermediate CA certs into /etc/pure-ftpd/pure-ftpd.pem. I don't know if the order of the certs is important, but just to be sure I went back one parent at a time. So my file contains from top to bottom: my private key, certificate for my domain, thawte DV SSL CA, thawte primary root. It doesn't need the thawte primary server CA as your client already has this one.
  3. Test it: openssl s_client -connect [your-hostname]:21 -starttls ftp

Dovecot

My Dovecot SSL key is located in /etc/pki/dovecot/private/dovecot.pem and my SSL cert in /etc/pki/dovecot/certs/dovecot.pem. In order to make email clients accept the SSL cert, I performed the following steps:

  1. I downloaded the intermediate CA certs from my SSL provider: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1371 . Your SSL provider has a page with their own intermediate CA certs.
  2. I added the contents of the intermediate CA certs to /etc/pki/dovecot/certs/dovecot.pem. I don't know if the order of the certs is important, but just to be sure I went back one parent at a time. So my file contains from top to bottom: YourDomain.com, thawte DV SSL CA, thawte primary root. It doesn't need the thawte primary server CA as your client already has this one.
  3. Test pop3s: openssl s_client -connect popserver:995
  4. Test imaps: openssl s_client -connect imapserver:993

Postfix

My Postfix key and cert are both located in /etc/postfix/ssl/smtpd.pem. In order to make email clients accept the SSL cert, I performed the following steps:

  1. I downloaded the intermediate CA certs from my SSL provider: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1371 . Your SSL provider has a page with their own intermediate CA certs.
  2. I combined the contents of the key, my own cert and the intermediate CA certs into /etc/postfix/ssl/smtpd.pem. I don't know if the order of the certs is important, but just to be sure I went back one parent at a time. So my file contains from top to bottom: my private key, certificate for my domain, thawte DV SSL CA, thawte primary root. It doesn't need the thawte primary server CA as your client already has this one.
  3. Test smtps: openssl s_client -connect [your-hostname]:465
  4. Test smtp with starttls: openssl s_client -connect [your-hostname]:25 -starttls smtp

Blocking .wwf attachments

Some idiotic German 'invented' a way to 'save trees' by converting your attachments to .wwf format, a special PDF format that blocks printing. While this may be a great feature to block printing of contracts and so on if you're running a malicious company, most people simply don't want this.

So the big question is: How do I block .wwf files?

Postfix

In /etc/postfix/main.cf, uncomment or add the following line:
header_checks = pcre:/etc/postfix/header_checks

Then edit /etc/postfix/header_checks and add the following line:
/Content-Disposition: .*\.wwf"/ REJECT Please don't send .wwf files.
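An added example (not from the post) that replays the header_checks rule against constructed MIME headers the way Postfix evaluates a pcre: table: case-insensitive by default, a folded header matched as one logical line, first matching rule wins. Beside the post's rule it carries an assumed broader pattern that additionally catches an unquoted filename and a Content-Type name= parameter, neither of which the post's rule matches.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule mirrors one line of a pcre: header_checks table: pattern plus the action on the first match.
type Rule struct {
	Pattern *regexp.Regexp
	Action  string
}

// Postfix pcre tables match case-insensitively unless /i is switched off;
// the (?i) prefix reproduces that default in Go's regexp.
var rules = []Rule{
	// the rule from the post
	{regexp.MustCompile(`(?i)Content-Disposition: .*\.wwf"`), "REJECT Please don't send .wwf files."},
	// assumed broader rule (not from the post): also unquoted names and Content-Type name=
	{regexp.MustCompile(`(?i)^Content-(Disposition|Type):.*name=.*\.wwf("|;|\s|$)`), "REJECT .wwf attachments are not accepted."},
}

// FirstMatch applies the table to a raw header block the way header_checks does: a folded
// header is matched as one logical line, headers are taken in order, and the first rule that
// matches a header decides. It returns the rule index, or -1 and an empty action on no match.
func FirstMatch(rawHeaders string, rules []Rule) (int, string) {
	unfolded := regexp.MustCompile(`\r?\n[ \t]+`).ReplaceAllString(rawHeaders, " ")
	for _, h := range strings.Split(unfolded, "\n") {
		for i, r := range rules {
			if r.Pattern.MatchString(h) {
				return i, r.Action
			}
		}
	}
	return -1, ""
}

func main() {
	// Constructed MIME part headers (not from the post); the second one is folded.
	for _, h := range []string{
		"Content-Disposition: attachment; filename=\"trees.wwf\"",
		"Content-Disposition: attachment;\n filename=trees.wwf",
		"Content-Type: application/pdf; name=\"Trees.WWF\"",
		"Content-Disposition: attachment; filename=\"notes.wwf.txt\"",
	} {
		i, action := FirstMatch(h, rules)
		fmt.Printf("rule %2d  %q -> %s\n", i, h, action)
	}
}
```

Postfix applies header_checks to the top-level message headers and mime_header_checks, which defaults to $header_checks, to the MIME part headers where Content-Disposition usually lives, so the rule reaches attachments without extra configuration.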

Exchange

Attachment blocking in Exchange is usually performed by a virus scanner or spam filter. You could, for example, use Trend Micro or GFI to block .wwf files.

Sendmail

Depending on your setup, you could use amavisd-new, MailScanner or procmail to block .wwf files.

qmail

To block attachments with qmail, you'll need Simscan. Simscan is a simple program that enables the qmail smtpd service to reject viruses and spam, and to block attachments, during the SMTP conversation, so the processing load on the email system is kept to a minimum. The project is open source and uses other open source components. It is small, very efficient and written in C.
