SPAM Whitelisting

Whitelisting can help you to get your emails reach inbox instead of spam folder,

i will teach you now how to whitelist your self on some spam filter systems and some email providers.

First of all you must have a domain which have valid rDNS with your server, and you must have a web site on your domain. This may takes you some time, but i highly recommend you to make a fake marketing agency web site, i know this may sounds unethical and, maybe even, illegal ( okay, it’s hard to believe it could illegal since there is tons of hosting companies, web design agency and so on, which are not registered anywhere ), and you can make some simple looking web site explaining that you are providing email marketing services to your clients. Make sure you make it clear that you have a ZERO tolerance to spam and that all emails you have in your lists are generated by you, bla bla, opt in, bla bla, cpan spam, bla bla, just google some email marketing agency and see what they say :-). This will helps you A LOT to get whitelisted almost anywere.

Deciphering SMTP Errors

The SMTP errors that Gmail provides are key to mapping your path to getting off of Gmail’s blacklist.

For email delivery, the two main error codes are 421 and 550 errors.

421 Errors

421 errors are often temporary blocks. Most email servers will attempt to resend the email if they get a 421 error. If you quickly correct a spam or email flood issue, these blocks may resolve automatically. Left unchecked, Google may decide to block your email entirely.

550 Errors

550 errors are permanent failures. If you scan your logs for 550 errors from Gmail, they will often include links and additional information.

If you have 550 errors, you will likely need to take action before Gmail will remove your server IP address.

Requesting Blacklist Removal

If you do not fix the problem first, your removal request will likely be ignored. You don’t want to give the Gmail team any reason not to approve your request. So make sure everything is in order.

Just so you know …  Google does not want you to contact them.

Their forms are buried behind a series our questions that typically lead nowhere. Most of the time you will start with Gmail’s “My domain is having delivery problems with Gmail” form. As you answer the questions, you will typically end up in a dead-end.

However, with the right sequence of answers, you can eventually wind your way to:

Report a delivery problem between your domain and Gmail.

This is where the action happens.   Complete the form in detail but do not be overly verbose.

Once submitted, you can expect it to take 3-7 days to process. Often, you will not hear back from Gmail. Your email will simply start flowing again – provided you fixed the reason you were blacklisted in the first place.

Bulk Senders

Sometimes you have a lot of email – legitimate email – to send. Google does not clearly define what is bulk email. Typically, you will see an SMTP error code in the 400 series, such as:

421, "4.7.0", Our system has detected an unusual rate of unsolicited mail originating from your IP address. 

To protect our users from spam, mail sent from your IP address has been temporarily blocked. 

Review our Bulk Email Senders Guidelines.


If you receive this message, be sure to review Google’s Bulk Sender Guidelines and then complete the Bulk Sender Contact Form.


URL :…

It’s very easy to get on their whitelist, but if they get tons of spam complains about your message, you will be removed to blacklist list very fast ^^


URL :…er/bulkv2.html

It’s hard to get whitelisted on Yahoo, but give it a try.


URL :…rpp&ct=eformts

SPAM FILTERS WHERE YOU CAN ASK FOR WHITELISTENING – only with invite, so it’s almost impossible to get there, but it’s worth if you can

Basically here is the list of, almost, all spam filter systems, so Google their unblacklistening or whitelistening pages :


Tricks to Getting Removed

We work on email delivery issues nearly daily. In our experience, if you do not fix these issues, your chances of getting removed from Gmail or any other blacklist is minimal.

  • Reverse DNS Must Resolve to a Valid Hostname
  • Your Server’s Hostname Must Have a DNS ‘A’ Record
  • Do not blindly forward email to Gmail
  • Make Sure DKIM/SPF are correct
  • Stop the spamming!

You must make sure that whatever triggered the listing in the first place is stopped. If you  do not, you will simply be re-listed.

Posted in Exim, Mail server, Postfix | Leave a comment

How To Rotate IP Address Pool In Linux (Redhat / Centos / Ubuntu / Debian)

You can rotate your Server IP address pool in Linux server by using iptable NAT Postrouting.

I assume you have 8 public IP addresses (x.x.x.1 TO x.x.x.8) configure on Linux postfix server.

Now we rotate only SMPT (port no. 25) traffic, every time SMTP services use different IP address. All 8 IP rotate automatically when your mail server send mail to other user, Every time Linux mail server generate different source address.


# iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 25 -o eth0 -m statistic --mode nth --every 8 --packet 0 -j SNAT --to-source  x.x.x.1

# iptables -t nat -I POSTROUTING -m state –state NEW -p tcp –dport 25 -o eth0 -m statistic –mode nth –every 8 –packet 0 -j SNAT –to-source x.x.x.2

# iptables -t nat -I POSTROUTING -m state –state NEW -p tcp –dport 25 -o eth0 -m statistic –mode nth –every 8 –packet 0 -j SNAT –to-source x.x.x.3

# iptables -t nat -I POSTROUTING -m state –state NEW -p tcp –dport 25 -o eth0 -m statistic –mode nth –every 8 –packet 0 -j SNAT –to-source x.x.x.4

# iptables -t nat -I POSTROUTING -m state –state NEW -p tcp –dport 25 -o eth0 -m statistic –mode nth –every 8 –packet 0 -j SNAT –to-source x.x.x.5

# iptables -t nat -I POSTROUTING -m state –state NEW -p tcp –dport 25 -o eth0 -m statistic –mode nth –every 8 –packet 0 -j SNAT –to-source x.x.x.6

# iptables -t nat -I POSTROUTING -m state –state NEW -p tcp –dport 25 -o eth0 -m statistic –mode nth –every 8 –packet 0 -j SNAT –to-source x.x.x.7

# iptables -t nat -I POSTROUTING -m state –state NEW -p tcp –dport 25 -o eth0 -m statistic –mode nth –every 8 –packet 0 -j SNAT –to-source x.x.x.8

So as per requirement of services you can rotate your whole IP address pool or multiple ip address with different different service port number.

Now if you send 8 mail then all 8 mail have different source address and then it roll over again in the sequence of 1 to 8.


Posted in Exim, Linux, Mail server, Plesk, Postfix | Leave a comment

Install FFmpeg on CentOS or RedHat EL 6.x

Install FFmpeg on CentOS or RedHat EL 6.x

If you are upgrading from a previous version of Razuna you should always update your ImageMagick, Exiftool and  Ffmpeg installation!


The following install steps have been proven to work on RedHat Enterprise Linux 6.2 and 6.5. You can check which version you are running with

cat /etc/redhat-release

Additionally, we assume that you are connected and registered with the Red Hat network and/or updated the system with the latest updates from the repositories.

Follow this guide step by step!

Install the additional repo

rpm -Uhv

Update repository

yum -y update

Install all necessary packages

yum install glibc gcc gcc-c++ autoconf automake libtool git make nasm pkgconfig
yum install SDL-devel a52dec a52dec-devel alsa-lib-devel faac faac-devel faad2 faad2-devel
yum install freetype-devel giflib gsm gsm-devel imlib2 imlib2-devel lame lame-devel libICE-devel libSM-devel libX11-devel
yum install libXau-devel libXdmcp-devel libXext-devel libXrandr-devel libXrender-devel libXt-devel
yum install libogg libvorbis vorbis-tools mesa-libGL-devel mesa-libGLU-devel xorg-x11-proto-devel zlib-devel
yum install libtheora theora-tools
yum install ncurses-devel
yum install libdc1394 libdc1394-devel
yum install amrnb-devel amrwb-devel opencore-amr-devel 

Install xvid

cd /opt
tar xzvf xvidcore-1.3.2.tar.gz
cd xvidcore/build/generic
./configure --prefix="$HOME/ffmpeg_build"
make install

Install LibOgg

cd /opt
tar xzvf libogg-1.3.1.tar.gz
cd libogg-1.3.1
./configure --prefix="$HOME/ffmpeg_build" --disable-shared
make install

Install Libvorbis

cd /opt
tar xzvf libvorbis-1.3.4.tar.gz
cd libvorbis-1.3.4
./configure --prefix="$HOME/ffmpeg_build" --with-ogg="$HOME/ffmpeg_build" --disable-shared
make install

Install Libtheora

cd /opt
tar xzvf libtheora-1.1.1.tar.gz
cd libtheora-1.1.1
./configure --prefix="$HOME/ffmpeg_build" --with-ogg="$HOME/ffmpeg_build" --disable-examples --disable-shared --disable-sdltest --disable-vorbistest
make install

Install Aacenc

cd /opt
tar xzvf vo-aacenc-0.1.2.tar.gz
cd vo-aacenc-0.1.2
./configure --prefix="$HOME/ffmpeg_build" --disable-shared
make install

Install Yasm

yum remove yasm
cd /opt
tar xzfv yasm-1.2.0.tar.gz
cd yasm-1.2.0
./configure --prefix="$HOME/ffmpeg_build" --bindir="$HOME/bin"
make install
export "PATH=$PATH:$HOME/bin" 

Install Libvpx

cd /opt
git clone
cd libvpx
git checkout tags/v.1.3.0
./configure --prefix="$HOME/ffmpeg_build" --disable-examples
make install

Install X264

cd /opt
git clone git://
cd x264
./configure --prefix="$HOME/ffmpeg_build" --bindir="$HOME/bin" --enable-static 
make install

Note: (Sometimes the network might be down. Then you can also grab it via wget at and then use “tar xvjf last_xxx” to extract.

Configure Libraries

export LD_LIBRARY_PATH=/usr/local/lib/
echo /usr/local/lib >> /etc/

Compile FFmpeg (the configure options have to be on one line)

cd /opt
git clone git://
cd ffmpeg
git checkout release/2.2
./configure --prefix="$HOME/ffmpeg_build" --extra-cflags="-I$HOME/ffmpeg_build/include" --extra-ldflags="-L$HOME/ffmpeg_build/lib" --bindir="$HOME/bin" \
--extra-libs=-ldl --enable-version3 --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libvpx --enable-libfaac \
--enable-libmp3lame --enable-libtheora --enable-libvorbis --enable-libx264 --enable-libvo-aacenc --enable-libxvid --disable-ffplay \
--enable-gpl --enable-postproc --enable-nonfree --enable-avfilter --enable-pthreads
make install

(The –arch=x86_64 option should only be used if you are on a 64Bit System!)

You can also use their Github repository at

That’s it. This should give you a full functional FFMpeg installation for Razuna. Test it now with;


This should give you the following back (yours might vary a bit);

ffmpeg version 2.2 Copyright (c) 2000-2014 the FFmpeg developers
  built on Mar 28 2014 01:28:21 with gcc 4.4.7 (GCC) 20120313 (Red Hat 4.4.7-4)
  configuration: --enable-version3 --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libvpx --enable-libfaac --enable-libmp3lame --enable-libtheora --enable-libvorbis --enable-libx264 --enable-libvo-aacenc --enable-libxvid --disable-ffplay --enable-shared --enable-gpl --enable-postproc --enable-nonfree --enable-avfilter --enable-pthreads --extra-cflags=-fPIC
  libavutil      52. 66.100 / 52. 66.100
  libavcodec     55. 52.102 / 55. 52.102
  libavformat    55. 33.100 / 55. 33.100
  libavdevice    55. 10.100 / 55. 10.100
  libavfilter     42.100 42.100
  libswscale      25.102 25.102
  libswresample   0. 18.100 0. 18.100
  libpostproc    523.100 / 523.100
Hyper fast Audio and Video encoder
usage: ffmpeg [options] [[infile options] -i infile]... {[outfile options] outfile}...

Try to convert a movie with;

ffmpeg -i -vcodec libx264 -vpre hq -acodec libfaac movie.mp4


It could be that you run into issues with a message of “ffmpeg: error while loading shared libraries….:. This simply means that it can’t find the required libraries, in short you need to add them to the linked library configuration.

Check what libraries are missing with:

ldd `which ffmpeg`

This will give you a list of libraries ffmpeg is using. If any of them are marked with “not found” then search for the missing library in question, e.g. “” with:

find / -name

Once you have the path simply add it to /etc/ and issue a “ldconfig”.

This should get you ffmpeg up and running.


If you have problems with swscale while compiling
Try to get swscale sperate from svn tree

cd ffmpeg
cd libswscale
svn switch svn:// -r 29857

than just try to compile ffmpeg again

You can also try to

git clone ffmpeg



cd ffmpeg
./configure –enable-gpl –enable-nonfree –enable-postproc –enable-avfilter –enable-pthreads –enable-libxvid –enable-libx264 –enable-libmp3lame –enable-libfaac –disable-ffserver –disable-ffplay –enable-libvorbis –disable-ffplay –enable-shared –arch=x86_64



Posted in Apache, Linux | Leave a comment

HOWTO Virtual Mail Hosting on CentOS 6.x – Postfix MySQL Dovecot PostfixAdmin Amavisd-new Spamassassin Clamav DKIM SPF


This is an advanced email server configuration. This configuration will allow you to serve multiple domains on one server. This howto will allow you to setup a server that is one of four mail server types:

  • Mail server with spam and virus checking (Most people. Do everything in the howto)
  • Mail server w/o spam and virus checking (Someone else is doing email filtering for you)
  • Backup MX / spam and virus filtering server (you want to divide things up)
  • Backup MX (You want to receive and hold mail while your main server is down)

You will get the following features:

  • Postfix: the workhorse behind the mail receiving and sending
  • smtp authentication
  • secure smtp using TLS
  • Dovecot: imap and pop3 mailbox service
  • secure imap and pop3
  • server side filtering of flagged spam to a spam folder
  • mysql: handle all the virtual domains and users
  • PostfixAdmin: GUI for domain administration
  • roundcube: web mail access
  • spam/virus filtering using amavisd-new, spamassassin and clamav

Books You May Find Helpful

The following books may be helpful for some people.

The Accidental Administrator: Linux Server Step-by-Step Configuration Guide

Learning the bash Shell: Unix Shell Programming (In a Nutshell (O’Reilly))

Installing CentOS

Start with my HOWTO: CentOS 6.x base server. That howto will get CentOS installed and ready for this howto.

WARNING: Not following the base server howto will cause you grief. Due to 6.4+ changes things will break.

Installing The Software

We’ll start with the yum installs.
> yum install roundcubemail dovecot dovecot-mysql dovecot-pigeonhole cyrus-sasl-devel cyrus-sasl-sql subversion
> yum install perl-MailTools perl-MIME-EncWords perl-MIME-Charset perl-Email-Valid perl-Test-Pod perl-TimeDate
> yum install perl-Mail-Sender perl-Log-Log4perl imapsync offlineimap
> yum install amavisd-new clamav clamd razor-agents perl-Convert-BinHex

Postfix.Admin doesn’t have an rpm so we need to download it and put it where we want it.
> wget
> tar -xzvf postfixadmin-2.3.5.tar.gz
> mv postfixadmin-2.3.5 /usr/share/postfixadmin

Configuring The Server

Setup SSL Certificate

Now generate an SSL certificate for postfix and dovecot to have TLS support. Replace with your server hostname.
> genkey –days 3650

Setup the Virtual Mail User

Next we’ll configure the mail store directory. We put it in the /home directory to make backups and other item easy. So type the following.
> mkdir /home/vmail
> chmod 770 /home/vmail
> useradd -r -u 101 -g mail -d /home/vmail -s /sbin/nologin -c “Virtual mailbox” vmail
> chown vmail:mail /home/vmail

Configuring Postfix Admin

Create the apache config file for postfixadmin and restart apache.

	alias /mailadmin /usr/share/postfixadmin
	<Directory "/usr/share/postfixadmin">
	AllowOverride AuthConfig

> service httpd restart

Now we need to setup the mysql database for postfixadmin. We only need to create the database and user. The setup file will create the rest.
> mysql -u root -p -e “CREATE DATABASE postfix;”
> mysql -u root -p -e “CREATE USER postfix@localhost IDENTIFIED BY ‘choose_a_password’;”
> mysql -u root -p -e “GRANT ALL PRIVILEGES ON postfix . * TO postfix@localhost;”

Now its time to setup the config file. Don’t forget to set your password. Paste the following into the file.
> cd /usr/share/postfixadmin
> nano -w config.local.php

	* Contains configuration options that override the default config file
	* !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
	* You have to set $CONF['configured'] = true; before the
	* application will run!
	* Doing this implies you have changed this file as required.
	* i.e. configuring database etc; specifying setup.php password etc.
	$CONF['configured'] = true;
	// In order to setup Postfixadmin, you MUST specify a hashed password here.
	// To create the hash, visit setup.php in a browser and type a password into the field,
	// on submission it will be echoed out to you as a hashed value.
	$CONF['setup_password'] = 'changeme';
	$CONF['postfix_admin_url'] = '/mailadmin';
	$CONF['database_type'] = 'mysql';
	$CONF['database_host'] = 'localhost';
	$CONF['database_user'] = 'postfix';
	$CONF['database_password'] = 'changeme';
	$CONF['database_name'] = 'postfix';
	$CONF['admin_email'] = 'postmaster@change-this-to-your.domain.tld';
	$CONF['encrypt'] = 'md5crypt';
	$CONF['dovecotpw'] = "/usr/sbin/dovecotpw";
	$CONF['min_password_length'] = 6;
	$CONF['page_size'] = '20';
	$CONF['domain_path'] = 'YES';
	$CONF['domain_in_mailbox'] = 'NO';
	$CONF['aliases'] = '50';
	$CONF['mailboxes'] = '50';
	$CONF['maxquota'] = '100';
	$CONF['quota'] = 'YES';
	$CONF['quota_multiplier'] = '1024000';
	$CONF['transport'] = 'YES';
	$CONF['transport_options'] = array (
	'virtual', // for virtual accounts
	'local', // for system accounts
	'relay' // for backup mx
	$CONF['transport_default'] = 'virtual';
	$CONF['vacation'] = 'YES';
	$CONF['vacation_domain'] = 'autoreply.change-this-to-your.domain.tld';
	$CONF['vacation_control'] ='YES';
	$CONF['vacation_control_admin'] = 'YES';
	$CONF['special_alias_control'] = 'YES';
	$CONF['user_footer_link'] = "http://change-this-to-your.domain.tld/main";
	$CONF['show_footer_text'] = 'YES';
	$CONF['footer_text'] = 'Return to change-this-to-your.domain.tld';
	$CONF['footer_link'] = 'http://change-this-to-your.domain.tld';
	$CONF['used_quotas'] = 'YES';
	$CONF['new_quota_table'] = 'YES';
	// $CONF['create_mailbox_subdirs_hostoptions']=array('notls');

Next we need to run the setup.php script in a web browser. Enter the url in your browser. Ex.

If everything shows OK then create the admin user using the form displayed. Follow the instructions for setting the setup password.

Log into the web interface and follow the directions.

Configuring Postfix

Here we go with more config files. You’ll have to be sure to change some settings to match your host. The config files will have sections commented out. Don’t worry about it. These sections are for spam/virus/sympa configuration. Just copy and past to create the config files. What ever you see here replaces what already exists.

The main postfix config files.

	# postfix config file
	# uncomment for debugging if needed
	# postfix main
	mail_owner = postfix
	setgid_group = postdrop
	delay_warning_time = 4
	# postfix paths
	html_directory = no
	command_directory = /usr/sbin
	daemon_directory = /usr/libexec/postfix
	queue_directory = /var/spool/postfix
	sendmail_path = /usr/sbin/sendmail.postfix
	newaliases_path = /usr/bin/newaliases.postfix
	mailq_path = /usr/bin/mailq.postfix
	manpage_directory = /usr/share/man
	# network settings
	inet_interfaces = all
	mydomain =
	myhostname =
	mynetworks = $config_directory/mynetworks
	mydestination = $myhostname, localhost.$mydomain, localhost
	relay_domains = proxy:mysql:/etc/postfix/
	# mail delivery
	recipient_delimiter = +
	# mappings
	alias_maps = hash:/etc/aliases
	alias_database = hash:/etc/aliases
	transport_maps = hash:/etc/postfix/transport
	#local_recipient_maps =
	# virtual setup
	virtual_alias_maps = proxy:mysql:/etc/postfix/,
	virtual_mailbox_base = /home/vmail
	virtual_mailbox_domains = proxy:mysql:/etc/postfix/
	virtual_mailbox_maps = proxy:mysql:/etc/postfix/
	virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/
	virtual_minimum_uid = 101
	virtual_uid_maps = static:101
	virtual_gid_maps = static:12
	virtual_transport = dovecot
	dovecot_destination_recipient_limit = 1
	# debugging
	debug_peer_level = 2
	debugger_command =
	xxgdb $daemon_directory/$process_name $process_id & sleep 5
	# authentication
	smtpd_sasl_auth_enable = yes
	smtpd_sasl_security_options = noanonymous
	smtpd_sasl_local_domain = $myhostname
	broken_sasl_auth_clients = yes
	smtpd_sasl_type = dovecot
	smtpd_sasl_path = private/auth
	# tls config
	smtp_use_tls = yes
	smtpd_use_tls = yes
	smtpd_tls_security_level = may
	smtpd_tls_loglevel = 1
	smtpd_tls_received_header = yes
	smtpd_tls_session_cache_timeout = 3600s
	tls_random_source = dev:/dev/urandom
	smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
	# Change* to your host name
	smtpd_tls_key_file = /etc/pki/tls/private/
	smtpd_tls_cert_file = /etc/pki/tls/certs/
	# smtpd_tls_CAfile = /etc/pki/tls/root.crt
	# rules restrictions
	smtpd_client_restrictions =
	smtpd_helo_restrictions =
	smtpd_sender_restrictions =
	smtpd_recipient_restrictions = permit_sasl_authenticated,
	# uncomment for realtime black list checks
	# ,reject_rbl_client
	# ,reject_rbl_client
	# ,reject_rbl_client
	smtpd_helo_required = yes
	unknown_local_recipient_reject_code = 550
	disable_vrfy_command = yes
	smtpd_data_restrictions = reject_unauth_pipelining
	# Other options
	# email size limit ~20Meg
	message_size_limit = 204800000


	# Postfix master process configuration file. For details on the format
	# of the file, see the Postfix master(5) manual page.
	# ***** Unused items removed *****
	# ==========================================================================
	# service type private unpriv chroot wakeup maxproc command + args
	# (yes) (yes) (yes) (never) (100)
	# ==========================================================================
	smtp inet n - n - - smtpd
	# -o content_filter=smtp-amavis:
	# -o receive_override_options=no_address_mappings
	pickup fifo n - n 60 1 pickup
	-o content_filter=
	-o receive_override_options=no_header_body_checks
	cleanup unix n - n - 0 cleanup
	qmgr fifo n - n 300 1 qmgr
	#qmgr fifo n - n 300 1 oqmgr
	tlsmgr unix - - n 1000? 1 tlsmgr
	rewrite unix - - n - - trivial-rewrite
	bounce unix - - n - 0 bounce
	defer unix - - n - 0 bounce
	trace unix - - n - 0 bounce
	verify unix - - n - 1 verify
	flush unix n - n 1000? 0 flush
	proxymap unix - - n - - proxymap
	smtp unix - - n - - smtp
	# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
	relay unix - - n - - smtp
	-o fallback_relay=
	# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
	showq unix n - n - - showq
	error unix - - n - - error
	discard unix - - n - - discard
	local unix - n n - - local
	virtual unix - n n - - virtual
	lmtp unix - - n - - lmtp
	anvil unix - - n - 1 anvil
	scache unix - - n - 1 scache
	# ====================================================================
	# Interfaces to non-Postfix software. Be sure to examine the manual
	# pages of the non-Postfix software to find out what options it wants.
	# ====================================================================
	maildrop unix - n n - - pipe
	flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
	uucp unix - n n - - pipe
	flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
	ifmail unix - n n - - pipe
	flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
	bsmtp unix - n n - - pipe
	flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
	# spam/virus section
	smtp-amavis unix - - y - 2 smtp
	-o smtp_data_done_timeout=1200
	-o disable_dns_lookups=yes
	-o smtp_send_xforward_command=yes inet n - y - - smtpd
	-o content_filter=
	-o smtpd_helo_restrictions=
	-o smtpd_sender_restrictions=
	-o smtpd_recipient_restrictions=permit_mynetworks,reject
	-o mynetworks=
	-o smtpd_error_sleep_time=0
	-o smtpd_soft_error_limit=1001
	-o smtpd_hard_error_limit=1000
	-o receive_override_options=no_header_body_checks
	-o smtpd_bind_address=
	-o smtpd_helo_required=no
	-o smtpd_client_restrictions=
	-o smtpd_restriction_classes=
	-o disable_vrfy_command=no
	-o strict_rfc821_envelopes=yes
	# Dovecot LDA
	dovecot unix - n n - - pipe
	flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}
	# Vacation mail
	vacation unix - n n - - pipe
	flags=Rq user=vacation argv=/var/spool/vacation/ -f ${sender} -- ${recipient}


	# This specifies the list of subnets that Postfix considers as
	# "trusted" SMTP clients that have more privileges than "strangers".
	# In particular, "trusted" SMTP clients are allowed to relay mail
	# through Postfix.
	# Be sure to add your public ip address block if needed.

The postfix / mysql config files.

	hosts = localhost
	user = postfix
	password = postfix
	dbname = postfix
	query = SELECT goto FROM alias WHERE address='%s' AND active = '1'


	hosts = localhost
	user = postfix
	password = postfix
	dbname = postfix
	query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'


	hosts = localhost
	user = postfix
	password = postfix
	dbname = postfix
	query = SELECT domain FROM domain WHERE domain='%s' and backupmx = '1'


	hosts = localhost
	user = postfix
	password = postfix
	dbname = postfix
	query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'


	hosts = localhost
	user = postfix
	password = postfix
	dbname = postfix
	query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'

We need to touch a file. So type the follwoing.
> touch /etc/postfix/virtual_regexp

Configure Vacation Email Functionallity

Lets finish the postfix configuration with vacation mail. Don’t forget to fill in your domain name where needed. Type the following:

> useradd -r -d /var/spool/vacation -s /sbin/nologin -c “Virtual vacation” vacation
> mkdir /var/spool/vacation
> chmod 770 /var/spool/vacation
> cp /usr/share/postfixadmin/VIRTUAL_VACATION/ /var/spool/vacation/
> echo “ vacation:” > /etc/postfix/transport
> postmap /etc/postfix/transport
> chown -R vacation:vacation /var/spool/vacation
> echo “” >> /etc/hosts
> mkdir /etc/postfixadmin

Create /etc/postfixadmin/vacation.conf with the following:

	# ========== begin configuration ==========
	$db_type = 'mysql';
	$db_username = 'user';
	$db_password = 'password';
	$db_name = 'postfix';
	$vacation_domain = '';

Configuring Dovecot

Now for the dovecot config file. Dovecot now uses multiple config files to break things up. We’re going to only use a couple config files. So cut and paste the following files.
> mv /etc/dovecot/dovecot.conf /etc/dovecot/
> nano -w /etc/dovecot/dovecot.conf

	## Dovecot config file
	protocols = imap pop3 lmtp sieve
	auth_mechanisms = plain login
	passdb {
	driver = sql
	args = /etc/dovecot/dovecot-mysql.conf
	userdb {
	driver = prefetch
	userdb {
	driver = sql
	args = /etc/dovecot/dovecot-mysql.conf
	mail_location = maildir:/home/vmail/%d/%n
	first_valid_uid = 101
	#last_valid_uid = 0
	first_valid_gid = 12
	#last_valid_gid = 0
	#mail_plugins =
	mailbox_idle_check_interval = 30 secs
	maildir_copy_with_hardlinks = yes
	service imap-login {
	inet_listener imap {
	port = 143
	inet_listener imaps {
	port = 993
	ssl = yes
	service pop3-login {
	inet_listener pop3 {
	port = 110
	inet_listener pop3s {
	port = 995
	ssl = yes
	service lmtp {
	unix_listener lmtp {
	#mode = 0666
	service imap {
	vsz_limit = 256M
	service pop3 {
	service auth {
	unix_listener auth-userdb {
	mode = 0666
	user = vmail
	group = mail
	# Postfix smtp-auth
	unix_listener /var/spool/postfix/private/auth {
	mode = 0666
	user = postfix
	group = postfix
	service auth-worker {
	service dict {
	unix_listener dict {
	mode = 0666
	user = vmail
	group = mail
	service managesieve-login {
	inet_listener sieve {
	port = 4190
	service_count = 1
	process_min_avail = 0
	vsz_limit = 64M
	service managesieve {
	ssl = yes
	ssl_cert = </etc/pki/tls/certs/your-server.your-domain.tld.crt
	ssl_key = </etc/pki/tls/private/your-server.your-domain.tld.key
	ssl_verify_client_cert = no
	#ssl_ca =
	lda_mailbox_autocreate = yes
	lda_mailbox_autosubscribe = yes
	protocol lda {
	mail_plugins = quota sieve
	postmaster_address = postmaster@your-domain.tld
	protocol imap {
	mail_plugins = quota imap_quota trash
	imap_client_workarounds = delay-newmail
	lmtp_save_to_detail_mailbox = yes
	protocol lmtp {
	mail_plugins = sieve
	protocol pop3 {
	mail_plugins = quota
	pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
	protocol sieve {
	managesieve_max_line_length = 65536
	managesieve_implementation_string = Dovecot Pigeonhole
	managesieve_max_compile_errors = 5
	dict {
	quotadict = mysql:/etc/dovecot/dovecot-dict-quota.conf
	plugin {
	quota = dict:user::proxy::quotadict
	acl = vfile:/etc/dovecot/acls
	trash = /etc/dovecot/trash.conf
	sieve_global_path = /home/sieve/globalfilter.sieve
	sieve = ~/dovecot.sieve
	sieve_dir = ~/sieve
	sieve_global_dir = /home/sieve/
	#sieve_extensions = +notify +imapflags
	sieve_max_script_size = 1M
	#sieve_max_actions = 32
	#sieve_max_redirects = 4

Now for trash.conf
> nano -w /etc/dovecot/trash.conf

	1 Spam
	# Uncomment if you want trash as well
	# 2 Trash

Next we configure Dovecot to access mysql. Create the following file.
NOTE: password_query and user_query were formatted to fit on the webpage. Each one should only be one line in the file.

	driver = mysql
	connect = host=localhost dbname=postfix user=postfix password=yourpassword
	default_pass_scheme = MD5-CRYPT
	# following should all be on one line.
	password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home,
	concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox
	WHERE username = '%u' AND active = '1'
	# following should all be on one line
	user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail,
	101 AS uid, 12 AS gid, CONCAT('*:messages=10000:bytes=', quota) as quota_rule FROM mailbox WHERE
	username = '%u' AND active = '1'

and /etc/dovecot/dovecot-dict-quota.conf

	connect = host=localhost dbname=postfix user=postfix password=password
	map {
	pattern = priv/quota/storage
	table = quota2
	username_field = username
	value_field = bytes
	map {
	pattern = priv/quota/messages
	table = quota2
	username_field = username
	value_field = messages

Finally set Dovecot to boot at startup.

Now Create the sieve filter for SPAM filtering.
> mkdir /home/sieve
> nano -w /home/sieve/globalfilter.sieve
> chown -R vmail:mail /home/sieve

	require "fileinto";
	if exists "X-Spam-Flag" {
	if header :contains "X-Spam-Flag" "NO" {
	} else {
	fileinto "Spam";
	if header :contains "subject" ["***SPAM***"] {
	fileinto "Spam";

Configuring Roundcube mail

Edit the roundcube apache config file to look like the following:
>nano -w /etc/httpd/conf.d/roundcubemail.conf

	# Round Cube Webmail is a browser-based multilingual IMAP client
	# Force https here instead of in Round Cube
	RewriteEngine On
	# This checks to make sure the connection is not already HTTPS
	RewriteCond %{HTTPS} !=on
	# These rules will redirect all users who are using any part of /secure/ to the same location but using HTTPS.
	# i.e. to
	RewriteRule ^/?roundcubemail/(.*) https://%{SERVER_NAME}/roundcubemail/$1 [R,L]
	RewriteRule ^/?webmail/(.*) https://%{SERVER_NAME}/webmail/$1 [R,L]
	Alias /roundcubemail /usr/share/roundcubemail
	Alias /webmail /usr/share/roundcubemail
	<Directory /usr/share/roundcubemail/>
	Order Deny,Allow
	Deny from all
	Allow from all
	php_value suhosin.session.encrypt Off

Create the database for roundcube.
> mysql -u root -p -e “CREATE DATABASE roundcubemail;”
> mysql -u root -p -e “GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY ‘password’;”

Create the tables.
> mysql -u root -p roundcubemail < /usr/share/doc/roundcubemail-0.5.4/SQL/mysql.initial.sql

Edit /etc/roundcubemail/ and find the line:

	$rcmail_config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';

Change ‘pass’ to your passowrd.

Edit /etc/roundcubemail/ and find the lines and make the changes below:


	$rcmail_config['default_host'] = '';

change to:

	$rcmail_config['default_host'] = 'localhost';


	$rcmail_config['smtp_server'] = '';

change to:

	$rcmail_config['smtp_server'] = 'localhost';


	$rcmail_config['force_https'] = false;

change to:

	$rcmail_config['force_https'] = true;


	$rcmail_config['plugins'] = array();

change to:

	$rcmail_config['plugins'] = array('managesieve');


	$rcmail_config['quota_zero_as_unlimited'] = false;

change to:

	$rcmail_config['quota_zero_as_unlimited'] = true;

Now lets configure the manage sieve plugin.
> cd /usr/share/roundcubemail/plugins/managesieve/
> cp

Edit and change the following:

	$rcmail_config['managesieve_port'] = 2000;


	$rcmail_config['managesieve_port'] = 4190;

Restart apache.
> service httpd restart

Configuring the Little Things That Drive You MAD

Be sure your /etc/hosts looks similar to the following.

	# Do not remove the following line, or various programs
	# that require network functionality will fail. localhost

Preparing and Testing the Postoffice

First things first. Reboot the system. If everything went well we all should be at the same point.

No errors? Lets keep going.

Setup a test domain and account. Setup your favorit mail client and send some test emails.

Setting up Spam and Virus Filtering (Optional)

Lets cover installing and configuring spam and virus filtering. Optional? Huh? Some people use a 3rd party or use a seperate server for filtering.

Here’s the clamav config file. Replace /etc/clamd.conf with the following:

	## Cconfig file for the Clam AV daemon
	## Please read the clamd.conf(5) manual before editing this file.
	# Logfile
	LogFile /var/log/clamav/clamd.log
	LogFileMaxSize 20M
	LogTime yes
	LogSyslog yes
	# Pid
	PidFile /var/run/clamav/
	# Paths
	TemporaryDirectory /var/tmp
	DatabaseDirectory /var/clamav
	LocalSocket /var/run/clamav/clamd
	# Sets the group ownership on the unix socket.
	# Default: disabled (the primary group of the user running clamd)
	#LocalSocketGroup virusgroup
	# Misc
	FixStaleSocket yes
	TCPSocket 3310
	MaxConnectionQueueLength 50
	MaxThreads 50
	ReadTimeout 240
	User clamav
	AllowSupplementaryGroups yes
	# Exe
	ScanPE yes
	ScanELF yes
	DetectBrokenExecutables yes
	# Docs
	ScanOLE2 yes
	ScanPDF yes
	# Mail
	ScanMail yes
	PhishingSignatures yes
	PhishingScanURLs yes
	# Data Loss Prevention (DLP)
	# Enable the DLP module
	# Default: No
	#StructuredDataDetection yes
	# This option sets the lowest number of Credit Card numbers found in a file
	# to generate a detect.
	# Default: 3
	#StructuredMinCreditCardCount 5
	# This option sets the lowest number of Social Security Numbers found
	# in a file to generate a detect.
	# Default: 3
	#StructuredMinSSNCount 5
	# With this option enabled the DLP module will search for valid
	# SSNs formatted as xxx-yy-zzzz
	# Default: yes
	#StructuredSSNFormatNormal yes
	# With this option enabled the DLP module will search for valid
	# SSNs formatted as xxxyyzzzz
	# Default: no
	#StructuredSSNFormatStripped yes
	# Archives
	ScanArchive yes
	ArchiveBlockEncrypted no

Configure Razor. Type the following:
> razor-admin -register -user=some_user -pass=somepas

Update and restart clamav:
> freshclam
> service clamd restart

Configuring Amavisd-new

You need to edit /etc/amavisd.conf
Here is a list of items you should change. just scroll through the file to find each item.

  • $mydomain = ‘’; # set to your domain name
  • $log_level = 1; # set the log leve to one
  • $sa_tag_level_deflt = -99; # i want to see the headers so change to -99
  • $sa_tag2_level_deflt = 5.0; # start with 5
  • $sa_kill_level_deflt = 9; # change to 9
  • $sa_dsn_cutoff_level = 9; # change to 9
  • $sa_quarantine_cutoff_level = 50; # remove the starting # and change to 50
  • $myhostname = ‘’; # remove the starting # and enter your host name
  • $notify_method = ‘smtp:[]:10025’; # uncomment the line
  • $forward_method = ‘smtp:[]:10025’; # uncomment the line
  • $final_banned_destiny = D_DISCARD; # change to D_DISCARD

Now enable clamav:
Change the following:

	# ###
	# ['ClamAV-clamd',
	# \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
	# qr/\bOK$/m, qr/\bFOUND$/m,
	# qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],


	\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
	qr/\bOK$/m, qr/\bFOUND$/m,
	qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

Now update spamassassin and start amavisd-new.
> sa-update
> service amavisd-new start

Be sure to set amavisd-new to start at boot.

Telling Postfix to Start Filtering SPAM

To get postfix going we need to un-comment a couple lines in /etc/postfix/

	smtp inet n - n - - smtpd
	# -o content_filter=smtp-amavis:
	# -o receive_override_options=no_address_mappings

Change to:

	smtp inet n - n - - smtpd
	-o content_filter=smtp-amavis:
	-o receive_override_options=no_address_mappings

Restart postfix and you’re done.

Using The Roundcubemail Password Plugin (Optional)

Let your users change their password using roundcubemail instead of postfixadmin.

Edit /etc/roundcubemail/ and find the lines and make the changes below:


	$rcmail_config['plugins'] = array('managesieve');

change to:

	$rcmail_config['plugins'] = array('managesieve','password');

Now lets configure the password plugin.
> cd /usr/share/roundcubemail/plugins/password/
> cp



	$rcmail_config['password_db_dsn'] = '';

change to:

	$rcmail_config['password_db_dsn'] = 'mysql://postfix:your-postfixadmin-password@localhost/postfix';


	$rcmail_config['password_query'] = 'SELECT update_passwd(%c, %u)';

change to:

	$rcmail_config['password_query'] = 'UPDATE mailbox SET password=%c WHERE username=%u limit 1;';

Restart apache.
> service httpd restart

What is OpenDKIM?
It is a digital email signing/verification technology, which is already supported by some common mail providers. In general, DKIM means digitally signing all messages on the mail-server to verify the message was actually sent from the domain in question and was not spam


Install the package using yum:

## yum install opendkim


Next thing to do is to configure OpenDKIM. Its main configuration file is located in /etc/opendkim.conf, so before making any changes create a backup and add/edit the following:

## cp /etc/opendkim.conf{,.orig}
## vim /etc/opendkim.conf
AutoRestart             Yes
AutoRestartRate         10/1h
LogWhy                  Yes
Syslog                  Yes
SyslogSuccess           Yes
Mode                    sv
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
Socket                  inet:8891@localhost
PidFile                 /var/run/opendkim/
UMask                   022
UserID                  opendkim:opendkim
TemporaryDirectory      /var/tmp


Generate set of keys for your domain name:

## mkdir /etc/opendkim/keys/
## opendkim-genkey -D /etc/opendkim/keys/ -d -s default
## chown -R opendkim: /etc/opendkim/keys/
## mv /etc/opendkim/keys/ /etc/opendkim/keys/

add to OpenDKIM’s key table by adding the following record in /etc/opendkim/KeyTable

next, edit /etc/opendkim/SigningTable and add the following record to OpenDKIM’s signing table:


and add your domain and your hostname as trusted hosts in /etc/opendkim/TrustedHosts:

assuming the domain in question is ‘’ and server’s hostname is set to ‘’

finally, edit your DNS zone and add the TXT record from /etc/opendkim/keys/

default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB" )  ; ----- DKIM key default for

it is also a good idea to add an SPF record if you haven’t already 14400 IN TXT "v=spf1 a mx ~all"

you can verify your dkim TXT record is valid using dig for example:

## dig +short TXT

"v=DKIM1\; k=rsa\; " "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApHRr7ZmXRaAB+RQRbP4VdMwIrIHIP18KFtXRsv/xpWc0Gix6ZXN13fcG03KNGKZo2PY+csPkGC5quDnH5V0JEhDZ78KcDWFsU6u4fr9ktVAdt6P7jWXjcyqdHOZ8+YN4cAeU4lRFNgQvdupIcByYwzPYMgBFHfJm9014HvRqhwIDAQAB"


In order to integrate OpenDKIM with Postfix we need to add the following few lines in /etc/postfix/

smtpd_milters           = inet:
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 2


Add OpenDKIM to your system’s start-up and start opendkim and restart postfix using the following commands:

## service opendkim start
## chkconfig opendkim on
## service postfix restart


To test the set-up simply send an email to and you should receive back an email containing something like this:

Summary of Results
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
DKIM check:         pass

Notes About Security And Clear Text Passwords From Mail Clients

My howto has been written to allow clear text passwords. This can and does cause security problem of sending of clear text passwords through the internet. This covers sending of the password from the client to the server. Passwords are stored in the database encrypted.

The configuration doesn’t require clients to use SSL/TLS. If you use SSL/TLS then the passwords are encrypted in the SSL connection. POPS, IMAPS and SMTPS all use SSL/TLS connection. So as long as your client supports secure connections to the mail server your clear text passwords will be secure.


With a bit of work you come out with a robust server.

Posted in Apache, DNS, Linux, Mail server, MySQL, PHP, Postfix | Leave a comment

Forwarder zone

If you want a name server to forward queries for certain domain names to another name server, use a zone statement of type forward to tell a BIND server to forward queries for domain names that end in the specified suffix to particular name servers. For example:

zone "" {

    type forward;

    forwarders {; };


This tells the name server to forward queries for domain names that end inexample.netto the name server at

As with the corresponding optionssub-statement, you can list multiple forwarders in the forwarderssub-statement.

Posted in DNS, Linux | Leave a comment

Stub zones

Stub zones are a little like slave zones, in that the name server periodically checks with its master server to see if the zone’s serial number has changed. But instead of transferring the whole zone, it retrieves just the zone’s SOA and NS records, plus any necessary glue A records, using discrete queries. That’s enough information to tell the name server where to begin iterative name resolution of domain names that end in the domain name of the stub zone. For example, here’s a stub zone definition very similar to the forward zone :

zone "" {

    type stub;

    masters {; };

    file "";


Rather than sending a recursive query to the name server at for information about any domain name that ends with, this name server would learn the NS records, and send one of those name servers a non recursive query for the domain name it needed. It would then follow any successive referrals to find the answer. This is less work for the name server at, but it also requires connectivity to any name server the local name server might be referred to.

Posted in DNS, Linux | Leave a comment

Tips to secure your Apache Server

As a sysadmin, you should secure your Apache web server

  1. Hide Apache Version and OS Identity

Open configuration file with vim editor and search for “ServerSignature“, its by default On. We need to Off these server signature and the second line “ServerTokens Prod” tells Apache to return only Apache as product in the server response header on the every page request, It suppress the OS, major and minor version info.

ServerSignature Off
ServerTokens Prod

Following are possible ServerTokens values:

  • ServerTokens Prod displays “Server: Apache”
  • ServerTokens Major displays “Server: Apache/2″
  • ServerTokens Minor displays “Server: Apache/2.2″
  • ServerTokens Min displays “Server: Apache/2.2.17″
  • ServerTokens OS displays “Server: Apache/2.2.17 (Unix)”
  • ServerTokens Full displays “Server: Apache/2.2.17 (Unix) PHP/5.3.5″ (If you don’t specify any ServerTokens value, this is the default)
  1. Disable Directory Listing

By default Apache list all the content of Document root directory in the absence of index file.

We can turn off directory listing by using Options directive in configuration file for a specific directory. For that we need to make an entry in httpd.conf or apache2.conf file.

<Directory /var/www/html>
    Options -Indexes
  1. Keep updating Apache Regularly

Apache developer community is continuously working on security issues and releasing its updated version with new security options. So It is always recommended to use the latest version of Apache as your web server.

To check Apache version: You can check your current version with httpd -v command.

# httpd -v
Server version: Apache/2.2.15 (Unix)
Server built:   Aug 13 2013 17:29:28

You can update your version with the following command.

# yum update httpd

It is also recommended to keep your Kernel and OS updated to the latest stable releases if you are not running any specific application which works only on specific OS or Kernel.

  1. Disable Unnecessary Modules

It’s always good to minor the chances of being a victim of any web attack. So it’s recommended to disable all those modules that are not in use currently. You can list all the compiled modules of web server, using following command.

# grep LoadModule /etc/httpd/conf/httpd.conf

# have to place corresponding `LoadModule' lines at this location so the
# LoadModule foo_module modules/
LoadModule auth_basic_module modules/
LoadModule auth_digest_module modules/
LoadModule authn_file_module modules/
LoadModule authn_alias_module modules/
LoadModule authn_anon_module modules/
LoadModule authn_dbm_module modules/
LoadModule authn_default_module modules/
LoadModule authz_host_module modules/
LoadModule authz_user_module modules/
LoadModule authz_owner_module modules/
LoadModule authz_groupfile_module modules/
LoadModule authz_dbm_module modules/
LoadModule authz_default_module modules/
LoadModule ldap_module modules/
LoadModule authnz_ldap_module modules/
LoadModule include_module modules/
LoadModule log_config_module modules/
LoadModule logio_module modules/
LoadModule env_module modules/
LoadModule ext_filter_module modules/

Above is the list of modules that are enabled by default but often not needed: mod_imap, mod_include, mod_info, mod_userdir, mod_autoindex. To disable the particular module, you can insert a “#” at the beginning of that line and restart the httpd service.

  1. Run Apache as separate User and Group

With a default installation Apache runs its process with user nobody or daemon. For security reasons it is recommended to run Apache in its own non-privileged account. For example: apacheadmin.

Create Apache User and Group
# groupadd apacheadmin
# useradd -d /var/www/ -g apacheadmin -s /bin/nologin apacheadmin

Now you need to tell Apache to run with this new user and to do so, we need to make an entry in /etc/httpd/conf/httpd.conf and restart the service.

Open /etc/httpd/conf/httpd.conf with vim editor and search for keyword “User” and “Group” and there you will need to specify the username and groupname to use.

User apacheadmin
Group apacheadmin
  1. Use Allow and Deny to Restrict access to Directories

We can restrict access to directories with “Allow” and “Deny” options in httpd.conf file. Here in this example, we’ll be securing root directory, for that by setting the following in the httpd.conf file.

<Directory />
   Options None
   Order deny,allow
   Deny from all
  1. Options “None” – This option will not allow users to enable any optional features.
  2. Order deny, allow – This is the order in which the “Deny” and “Allow” directives will be processed. Here it will “deny” first and “allow” next.
  3. Deny from all – This will deny request from everybody to the root directory, nobody will be able to access root directory.
  1. Use mod_security and mod_evasive Modules to Secure Apache

These two modules “mod_security” and “mod_evasive” are very popular modules of Apache in terms of security.


Where mod_security works as a firewall for our web applications and allows us to monitor traffic on a real time basis. It also helps us to protect our websites or web server from brute force attacks. You can simply install mod_security on your server with the help of your default package installers.

Install mod_security on RHEL/CentOS/Fedora/
# yum install mod_security
# /etc/init.d/httpd restart

mod_evasive works very efficiently, it takes one request to process and processes it very well. It prevents DDOS attacks from doing as much damage. This feature of mod_evasive enables it to handle the HTTP brute force and Dos or DDos attack. This module detects attacks with three methods.

  1. If so many requests come to a same page in a few times per second.
  2. If any child process trying to make more than 50 concurrent requests.
  3. If any IP still trying to make new requests when its temporarily blacklisted.

mod_evasive can be installed directly from the source. Here, we have an Installation and setup guide of these modules which will help you to set up these Apache modules in your Linux box.

  1. Disable Apache’s following of Symbolic Links

By default Apache follows symlinks, we can turn off this feature with FollowSymLinks with Options directive. And to do so we need to make the following entry in main configuration file.

Options -FollowSymLinks

And, if any particular user or website need FollowSymLinks enable, we can simply write a rule in “.htaccess” file from that website.

# Enable symbolic links
Options +FollowSymLinks

Note: To enable rewrite rules inside “.htaccess” file “AllowOverride All” should be present in the main configuration globally.

  1. Turn off Server Side Includes and CGI Execution

We can turn off server side includes (mod_include) and CGI execution if not needed and to do so we need to modify main configuration file.

Options -Includes
Options -ExecCGI

We can do this for a particular directory too with Directory tag. Here In this example, we are turning off Includes and Cgi file executions for “/var/www/html/web1” directory.

<Directory "/var/www/html/web1">
Options -Includes -ExecCGI

Here are some other values with can be turned On or off with Options directive.

  1. Options All – To enable All options at once. This is the default value, If you don’t want specify any values explicitly in Apache conf file or .htaccess.
  2. Options IncludesNOEXEC – This option allows server side includes without the execute permission to a command or cgi files.
  3. Options MultiViews – Allows content negotiated multiviews with mod_negotiation module.
  4. Options SymLinksIfOwnerMatch – It’s similar to FollowSymLinks. But, this will follow only when the owner is the same between the link and the original directory to which it is linked.
  1. Limit Request Size

By default Apache has no limit on the total size of the HTTP request i.e. unlimited and when you allow large requests on a web server its possible that you could be a victim of Denial of service attacks. We can Limit the requests size of an Apache directive “LimitRequestBody” with the directory tag.

You can set the value in bytes from 0 (unlimited) to 2147483647 (2GB) that are allowed in a request body. You can set this limit according to your site needs, Suppose you have a site where you allows uploads and you want to limit the upload size for a particular directory.

Here in this example, user_uploads is a directory which contains files uploaded by users. We are putting a limit of 500K for this.

<Directory "/var/www/myweb1/user_uploads">
   LimitRequestBody 512000
  1. Protect DDOS attacks and Hardening

Well, it’s true that you cannot completely protect your web site from DDos attacks. Here are some directives which can help you to have a control on it.

  1. TimeOut : This directive allows you to set the amount of time the server will wait for certain events to complete before it fails. Its default value is 300 secs. It’s good to keep this value low on those sites which are subject to DDOS attacks. This value totally depends on kind of request you are getting on your website. Note: It could pose problems with come CGI scripts.
  2. MaxClients : This directive allows you to set the limit on connections that will be served simultaneously. Every new connection will be queued up after this limit. It is available with Prefork and Worker both MPM. The default value of it is 256.
  3. KeepAliveTimeout : Its the amount of time the server will wait for a subsequent request before closing the connection. Default value is 5 secs.
  4. LimitRequestFields : It helps us to set a limit on the number of HTTP request’s header fields that will be accepted from the clients. Its default value is 100. It is recommended to lower this value if DDos attacks are occurring as a result of so many http request headers.
  5. LimitRequestFieldSize : It helps us to set a size limit on the HTTP Request header.
  1. 12. Enable Apache Logging

Apache allows you to logging independently of your OS logging. It is wise to enable Apache logging, because it provides more information, such as the commands entered by users that have interacted with your Web server.

To do so you need to include the mod_log_config module. There are three main logging-related directives available with Apache.

  1. TransferLog: Creating a log file.
  2. LogFormat : Specifying a custom format.
  3. CustomLog : Creating and formatting a log file.

You can also use them for a particular website it you are doing Virtual hosting and for that you need to specify it in the virtual host section. For example, here is the my website virtual host configuration with logging enabled.

<VirtualHost *:80>
DocumentRoot /var/www/html/
DirectoryIndex index.htm index.html index.php
ErrorDocument 404 /404.php
ErrorLog /var/log/httpd/example.com_error_log
CustomLog /var/log/httpd/example.com_access_log combined
  1. 13. Securing Apache with SSL Certificates

Last, but not the least SSL certificates, you can secure your all the communication in an encrypted manner over the Internet with SSL certificate. Suppose you have a website in which people login by proving their Login credentials or you have an E- Commerce website where people provides their bank details or Debit/Credit card details to purchase products, by default your web server send these details in plain – text format but when you use SSL certificates to your websites, Apache sends all this information in encrypted text.

You can purchase SSl certificates from So many different SSL providers like If you are running a very small web business and do not willing to purchase an SSL certificate you can still assign a Self signed certificate to your website. Apache uses the mod_ssl module to support SSL certificate.

# openssl genrsa -des3 -out 1024
# openssl req -new -key -out exmaple.csr
# openssl x509 -req -days 365 -in -signkey -out

Once your certificate has been created and signed. Now you need to add this in Apache configuration. Open main configuration file with vim editor and add the following lines and restart the service.

        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/
        SSLCertificateKeyFile /etc/pki/tls/certs/
        SSLCertificateChainFile /etc/pki/tls/certs/sf_bundle.crt
        DocumentRoot /var/www/html/example/
        ErrorLog /var/log/httpd/
        CustomLog /var/log/httpd/ common

Open up your browser, type, and you will be able to see the new self-signed certificate.

  1. Restrict access to a specific network (or ip-address)

If you want your site to be viewed only by a specific ip-address or network, do the following:

To allow a specific network to access your site, give the network address in the Allow directive.

<Directory /site>
  Options None
  AllowOverride None
  Order deny,allow
  Deny from all
  Allow from

To allow a specific ip-address to access your site, give the ip-address in the Allow directive.

<Directory /site>
  Options None
  AllowOverride None
  Order deny,allow
  Deny from all
  Allow from
Posted in Apache | Leave a comment

Linux tools

In order to get the list of sorted folders size with folder name on  level 1, I figured out a method which would be helpful all admins.

du -h --max-depth=1 <<folder name>>| perl -e 'sub h{%h=(K=>10,M=>20,G=>30);($n,$u)=shift=~/([0-9.]+)(\D)/;
return $n*2**$h{$u}}print sort{h($b)<=>h($a)}<>;'

Note : Please change <<folder name>> with the required directory path.


In order to make this file immune to editing and deleting we need to use command “chattr”. Chattr changes the attributes of a file on Linux System.

The Syntax of command chattr, for the above purpose is:

# chattr +i example.txt

Now try to remove the file using normal user.

$ rm -r example.txt 

rm: remove write-protected regular empty file `example.txt'? Y 
rm: cannot remove `example.txt': Operation not permitted

Now try to remove the file using root user.

# rm -r example.txt 

cannot remove `example.txt': Operation not permitted

Shred tool overwrites a file repeatedly several times, thus making file recovery for any illegal activity almost nil and practically impossible.

# shred -n 15 -z topsecret.txt

shread – overwrite a file to hide its contents, and optionally delete it.

  1. -n – Overwrites the files n times
  2. -z – Add a final overwrite with zeros to hide shredding.

Note: The above command overwrites the file 15 times before overwriting with zero, to hide shredding.


Posted in Linux | Leave a comment

Editing users cronjob through ssh

I can see cronjobs owned by root by

crontab -l

You can use following command to see user’s crons

crontab -u username -l

User’s cron jobs reside in /var/spool/cron/ you can see them there also.

You would have to run this as root

for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done

will loop over each user name listing out their crontab. The crontabs are owned by the respective users so you won’t be able to see another user’s crontab w/o being them or root.


If you wished to have a script named /root/ run every day at 3am, your crontab entry would look like as follows. First, install your cronjob by running the following command:
# crontab -e
Append the following entry:
0 3 * * * /root/
Save and close the file.

Cron Easy to remember format:

* * * * * command to be executed
- - - - -
| | | | |
| | | | ----- Day of week (0 - 7) (Sunday=0 or 7)
| | | ------- Month (1 - 12)
| | --------- Day of month (1 - 31)
| ----------- Hour (0 - 23)
------------- Minute (0 - 59)

If you wish to edit a users cronjob, following command would be used :

# crontab -u username -e

Posted in Linux | Leave a comment