I have installed Gitlab 8.15 and Exim 4.84 on CentOS 7
Whenever Gitlab sends a message, it should come from 'gitlab@mydomain.nl', which is correctly set in config/gitlab.yml.
If I look in the log, I see the following:
2016-12-21 21:50:02 cwd=/ 6 args: /usr/sbin/sendmail -i -f gitlab@mydomain.nl -- mypersonal@gmail.com
2016-12-21 21:50:02 1cJnpq-0001ZR-NG <= git@vps.mydomain.nl U=git P=local S=3859 id=585aeafaad130_175126f0b9c43854@vps.mydomain.nl.mail T="Reset password instructions" from <git@vps.mydomain.nl> for mypersonal@gmail.com
Note that between those 2 lines, the from address changed from gitlab@mydomain.nl to git@vps.mydomain.nl, which is based on user@FQDN.
My external SMTP server then does a DKIM and SPF lookup on vps.mydomain.nl, instead of mydomain.nl, which fails and the mail is rejected.
I am not sure where this change happens and how I should fix this. Is this something on Gitlab side or something on Exim side?
The relevant parts from my exim configuration:
begin routers

mysmtphost_email:
  driver = manualroute
  domains = ! +local_domains
  ignore_target_hosts = 127.0.0.0/8
  transport = mysmtphost_relay
  route_list = * vps.mysmtphost.email::587
  no_more

(...)

begin transports

mysmtphost_relay:
  driver = smtp
  port = 587
  hosts_require_auth = <; $host_address
  hosts_require_tls = <; $host_address
Just found out the user git was not part of the trusted_users directive in the exim.conf file. I changed it to include the user as follows:
trusted_users = mail:apache:passenger:git
I came to this conclusion since mails sent by other Rails applications running as user passenger were being sent correctly as specified by the from address. Then I noticed passenger being part of this directive and git not.
From the Exim documentation:
Trusted users are always permitted to use the -f option or a leading
“From ” line to specify the envelope sender of a message that is
passed to Exim through the local interface (see the -bm and -f options
below). See the untrusted_set_sender option for a way of permitting
non-trusted users to set envelope senders.
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_exim_command_line.html#SECTtrustedadmin
Processes running as root or the Exim user are always trusted. Other
trusted users are defined by the trusted_users or trusted_groups
options. In the absence of -f, or if the caller is not trusted, the
sender of a local message is set to the caller’s login name at the
default qualify domain.
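As an added check (not part of the original post), this Python script runs over constructed log lines shaped like the two mainlog entries quoted in the question: it pairs each local submission's -f argument with the envelope sender Exim actually recorded and reports the rewrite, and it checks whether a user is listed in a trusted_users line. The log lines, addresses and config text are constructed for the example.

```python
import re

# Constructed mainlog lines (not the poster's), shaped like the two quoted
# in the question: the argument-logging line, then the "<=" arrival line.
LOG = """\
2016-12-21 21:50:02 cwd=/ 6 args: /usr/sbin/sendmail -i -f gitlab@mydomain.nl -- someone@example.com
2016-12-21 21:50:02 1cJnpq-0001ZR-NG <= git@vps.mydomain.nl U=git P=local S=3859 T="Reset password instructions" from <git@vps.mydomain.nl> for someone@example.com
"""

ARGS_RE = re.compile(r" args: .*? -f (\S+)")
ARRIVAL_RE = re.compile(r" <= (\S+) U=(\S+) P=local")

def find_sender_rewrites(log_text):
    """Pair each local submission that passed -f with the next local "<="
    arrival and return (requested, recorded, user) for every message whose
    envelope sender Exim replaced, which is what happens when the calling
    user is not trusted."""
    rewrites = []
    requested = None
    for line in log_text.splitlines():
        m = ARGS_RE.search(line)
        if m:
            requested = m.group(1)
            continue
        m = ARRIVAL_RE.search(line)
        if m and requested is not None:
            recorded, user = m.group(1), m.group(2)
            if recorded != requested:
                rewrites.append((requested, recorded, user))
            requested = None
    return rewrites

def is_trusted(exim_conf, user):
    """True if user is listed in the colon-separated trusted_users option
    of the given exim.conf text (the fix applied in the answer above)."""
    for line in exim_conf.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "trusted_users":
            return user in [u.strip() for u in value.split(":")]
    return False

if __name__ == "__main__":
    for requested, recorded, user in find_sender_rewrites(LOG):
        print(f"user {user} asked for {requested}, Exim recorded {recorded}")
```

The argument-logging line only appears in mainlog when log_selector includes +arguments.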
Related
I would like to send SMS notifications to my phone when a host is unreachable using Nagios Core. I already have Nagios configured and hosts being monitored. I also have the contacts.cfg and commands.cfg files already added. I am using email-to-SMS to send messages, for example 8041233456@tmomail.net. I am using Red Hat Linux, and I already ran the command definition from the Linux command line to see if I am able to get SMS messaging, and it worked: running the "command_line" shown below from the Linux command line, I actually receive a message and only see $ as output, but at least it went through.
My issue is that when I go to Nagios Core and select the custom host test to send, I receive no response. This custom test does work with regular email though. Below are the config entries I added.
define contact {
    contact_name                    ericg-cell
    use                             generic-contact
    alias                           my name
    email                           8041233456@tmomail.net
    service_notification_commands   notify-service-by-email
    host_notification_commands      notify-service-by-email
    service_notifications_enabled   1
    #service_notification_options   u
}

define command {
    command_name    notify-host-by-email
    command_line    /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /bin/mailx -s "** $NOTIFICATIONTYPE$ Host Alert: $HOSTNAME$ is $HOSTSTATE$ **" $CONTACTEMAIL$
}

define command {
    command_name    notify-service-by-email
    command_line    /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n $NOTIFICATIONCOMMENT$\n" | /bin/mailx -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
}
I want to keep using mailx to send SMS messages and not any other tools, because everything I see online only shows other tools to use and not mailx. I also already have my services and host files being monitored.
You can use the https://d7networks.com Nagios plugin for implementing the SMS service. It's easy to configure and the SMS feature can be obtained in real time.
Please refer to https://exchange.nagios.org/directory/Addons/Notifications/SMS/D7SMS-for-Nagios/details
So I am trying to set up simple RADIUS authentication for a Cisco 2600 with freeradius -X.
The message says that the client is unknown, but still the client conf looks like this:
client R1 {
    ipaddr    = 10.1.1.10
    secret    = secretkey
    shortname = R1
    nastype   = cisco
}

client radnetwork {
    ipaddr    = 10.1.1.0
    netmask   = 24
    secret    = secretkey
    shortname = radnetwork
}

client localhost {
    ipaddr    = 127.0.0.1
    secret    = secretkey
    shortname = localhost
    nastype   = other
}
I've made sure to chmod 777 both clients.conf and users, because this drove me crazy and at first the permissions were wrong.
Running radtest locally (radtest myuser mysecret localhost 1812) gets me:
(0) No reply from server for ID 168 socket 3
and in the log:
Dropping packet without response because of error: Received packet from 127.0.0.1 without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (shared secret is incorrect.)
even though the secret is VERY simple and it is set that way everywhere in this lab.
Thank you in advance for helping.
Your question is confusing. Your title suggests you have an unknown client, i.e. you've not provided a client definition for the client contacting the server, but the question content is about a mismatched shared secret.
I'll answer the mismatched shared secret part. It may be that figuring that out resolves your other issue.
The posted radtest command is invalid and missing the secret, which is frustrating as the secret is the subject of this question.
As a first step you should run radsniff with the -s option to specify the expected secret, and verify that the User-Password attribute is shown correctly in plaintext.
Next, ensure unprintable characters aren't being inserted into the secret in your client definitions by wrapping the secret in double quotes.
Verify that the clients.conf file you're editing is actually being read by introducing a syntax error (just add an extra right hand curly brace '}' at the end) and restarting FreeRADIUS.
Note: For all changes to the server config, you need to restart FreeRADIUS.
This is a common issue. It's never the code, it's nearly always one of the conditions above.
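To show what the "invalid Message-Authenticator! (shared secret is incorrect.)" check in the log actually tests, here is an added Python example (not part of the answer above) that builds an Access-Request with a Message-Authenticator as RFC 3579 defines it and then recomputes it with the secret configured for that client, the same verification the server performs. The secret, authenticator and user name are constructed lab values.

```python
import hashlib
import hmac
import struct

# Constructed lab values, not taken from the question.
SECRET = b"secretkey"
WRONG_SECRET = b"wrongkey"
AUTHENTICATOR = bytes(range(16))   # a real NAS uses 16 random bytes here
MA_TYPE, MA_LEN = 80, 18           # Message-Authenticator attribute (RFC 3579)

def build_access_request(ident, authenticator, username, secret):
    """Build an Access-Request (code 1) carrying User-Name and a
    Message-Authenticator: HMAC-MD5 keyed with the shared secret over the
    whole packet with the Message-Authenticator value set to zeros."""
    user_attr = bytes([1, 2 + len(username)]) + username
    length = 20 + len(user_attr) + MA_LEN
    header = struct.pack("!BBH", 1, ident, length) + authenticator
    zeroed = header + user_attr + bytes([MA_TYPE, MA_LEN]) + bytes(16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + user_attr + bytes([MA_TYPE, MA_LEN]) + mac

def message_authenticator_valid(packet, secret):
    """Recompute the Message-Authenticator with the secret configured for
    this client in clients.conf. A mismatch is exactly what FreeRADIUS
    logs as 'invalid Message-Authenticator! (shared secret is incorrect.)'."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MA_TYPE and alen == MA_LEN:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + MA_LEN:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + MA_LEN])
        if alen < 2:
            break          # malformed attribute: stop rather than loop forever
        pos += alen
    return False           # no Message-Authenticator present at all

if __name__ == "__main__":
    pkt = build_access_request(168, AUTHENTICATOR, b"myuser", SECRET)
    print("right secret:", message_authenticator_valid(pkt, SECRET))
    print("wrong secret:", message_authenticator_valid(pkt, WRONG_SECRET))
```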
I've just installed git git-1.8.1.2 and gitlab gitlab_6.7.2-omnibus-1.ubuntu.12.04_amd64.deb on a fresh install of Ubuntu 12.04 LTS, following https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#ubuntu-12-04 and https://www.gitlab.com/2014/03/12/packaged-gitlab-with-omnibus/
When setting up a new user in gitlab, it attempts to send out an email with temporary passwords but postfix gets an error from the relay host:
Bad sender address syntax (in reply to MAIL FROM command)
My /etc/gitlab/config/environments/production.rb looks like this:
config.action_mailer.delivery_method = :smtp
config.action_mailer.perform_deliveries = true
config.action_mailer.raise_delivery_errors = true
config.action_mailer.smtp_settings = {
  :address => 'mail.domain.com',
  :port => 587,
  :domain => 'domain.com',
  :user_name => 'username@domain.com',
  :password => 'password',
  :authentication => 'password',
  :enable_starttls_auto => true
}
I can send email from the command line with postfix using, I think, the same relay host:
echo "This will go into the body of the mail." | sendmail "Hello world" myemail@domain.com
What might be going wrong and where should I look?
I have also had the same problem on AWS using SES. After wasting 2 days debugging, reading docs and forums, I tried to loosen the Security Group inbound rules, which were restricted to only ports 22, 80 and 443.
First I opened all inbound traffic for debugging purposes. As soon as I opened all ports to the world (0.0.0.0/0), the issue was gone. But this cannot stay that way, so I then closed all inbound ports except 22 (SSH), 90 (HTTP), 443 (HTTPS) and additionally 25 (SMTP) to the IP of the SMTP server, and it is still working.
So, to sum up, the SES needs to be able to communicate with the server using the SMTP port. That's why the port must be open for inbound traffic as well.
I've decided to post this here and not on serverfault, as the community there is too small and nearly 80% of my questions are unanswered...
So I've got my server with 3 domains: x.com, y.com and z.com. x.com relays internally, y.com relays internally, and z.com SHOULD relay through Amazon SES.
Right now, x.com and y.com mail correctly internally, but I need z.com to relay through SES.
So, my config so far in main.cf:
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_transport
domainz_sasl_auth_enable = yes
domainz_sasl_security_options = noanonymous
domainz_sasl_password_maps = hash:/etc/postfix/sas2_passwd
domainz_use_tls = yes
domainz_tls_security_level = encrypt
domainz_tls_note_starttls_offer = yes
domainz_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
and in my master.cf, I've appended a unix channel above the default smtp:
domainz unix - - n - 1 smtp
smtp inet n - n - - smtpd
and in my sender_transport I have
@domainZ.com domainz:
1. Where do I enter the ses smtp of "email-smtp.us-east-1.amazonaws.com". I assume we need to hit "domainz:" so we can pass the correct sasl data to it.
2. Keep in mind that this is mail going out from the server, not in, so that's why I didn't set a transport_map.
This is the error I'm getting when pushing out mail from @domainz:
"status=bounced (Host or domain name not found. Name service error for name=domainz type=AAAA: Host not found)"; so before we even get to Amazon's SES host, I'm having an issue at the transport level that I can't seem to figure out.
Thanks,
Mike
After nearly 24 hours of trying to solve this, I finally figured it out. I hope this helps whomever is looking to use this same method and doesn't have to go through the pain I just went through!
So in my example above, domain x + y relayed through virtual aliases. For z we must use a transport, in this case it was a sender_dependent_relayhost_maps transport, so I can grab the sender and relay them through amazon SES.
In main.cf, regardless of smtp/unix-socket, we straight up use SES standards:
smtp_sasl_auth_enable=yes
smtp_sasl_security_options=noanonymous
smtp_sasl_password_maps=hash:/etc/postfix/sas
smtp_use_tls=yes
smtp_tls_security_level=encrypt
smtp_tls_note_starttls_offer=yes
smtp_tls_CAfile=/etc/ssl/certs/ca-bundle.crt
In sender_dependent_relayhost_maps we use:
@domainz.com [email-smtp.us-east-1.amazonaws.com]:25
The smtp_sasl_password_maps file stores the matching relay's user:key.
And that's it!
I'm running a vsFTPd FTP server with virtual users (i.e. users are stored in Berkeley DB and do not exist at OS level). The users are authenticated via /etc/pam.d/ftp:
%PAM-1.0
auth required pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
account required pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
I want to implement user-level IP filtering via tcp_wrappers, for example in /etc/hosts.deny:
vsftpd: toto@10.10.10.10
(user 'toto' is a virtual user).
However, toto can still log in to the FTP server from 10.10.10.10:
Status: Connecting to 10.10.10.10:21...
Status: Connection established, waiting for welcome message...
Response: 220 "FTP server"
Command: USER toto
Response: 331 Please specify the password.
Command: PASS ********
Response: 230 Login successful.
Status: Connected
How can I make vsftpd's virtual users work with tcp_wrappers? How can I debug the system calls to tcp_wrappers to ensure that vsftpd is passing the correct user name to tcp_wrappers?
TCP wrappers may sound promising but won't work (long explanation). However, you can achieve the same level of granularity via PAM.
For instance, you can locate PAM's FTP conf file, if your vsFTPd was compiled with PAM support (ldd /usr/sbin/vsftpd | grep pam), and replace the account line to use PAM access control instead.
# vi /etc/pam.d/vsftpd
#account include password-auth    (comment this line out)
account required pam_access.so    (add this line)
Then you can edit /etc/security/access.conf and create more complex rules to tailor your needs, i.e.
+ : restricted_username : 192.168.1.10
+ : ALL EXCEPT restricted_username : ALL
- : ALL : ALL
The above rules will allow the user 'restricted_username' to log in only from that specific IP, while allowing the rest of the users to log in from ALL other sources.
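To see how pam_access evaluates those three rules before putting them on a server, here is an added Python model (not from the answer or from vsftpd/pam_access) of the subset of access.conf syntax the answer uses: first matching line wins, "ALL", "ALL EXCEPT ...", literal users, and IP or CIDR origins. The rule text is the answer's own; the test users and addresses are constructed.

```python
import ipaddress

# Constructed copy of the three access.conf rules from the answer above.
ACCESS_CONF = """\
+ : restricted_username : 192.168.1.10
+ : ALL EXCEPT restricted_username : ALL
- : ALL : ALL
"""

def _origin_matches(origin, addr):
    """Match one origin token: ALL, an exact IP, or a CIDR network.
    Host names, netgroups and LOCAL are not modelled here."""
    if origin == "ALL":
        return True
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(origin, strict=False)
    except ValueError:
        return origin == addr

def _user_matches(token, user):
    """Match one user token: ALL or a literal user name (groups not modelled)."""
    return token == "ALL" or token == user

def _field_matches(field, value, matcher):
    """Handle a field written as 'a b c' or as 'ALL EXCEPT a b c'."""
    tokens = field.split()
    if len(tokens) >= 2 and tokens[0] == "ALL" and tokens[1] == "EXCEPT":
        return not any(matcher(t, value) for t in tokens[2:])
    return any(matcher(t, value) for t in tokens)

def pam_access_allows(conf, user, addr):
    """Evaluate access.conf lines in order; the first matching line decides.
    With no matching line pam_access grants access, which is why the answer
    ends with '- : ALL : ALL'."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = [f.strip() for f in line.split(":", 2)]
        if _field_matches(users, user, _user_matches) and \
           _field_matches(origins, addr, _origin_matches):
            return perm == "+"
    return True

if __name__ == "__main__":
    for user, addr in [("restricted_username", "192.168.1.10"),
                       ("restricted_username", "10.10.10.10"),
                       ("toto", "10.10.10.10")]:
        print(user, "from", addr, "->", "allow" if pam_access_allows(ACCESS_CONF, user, addr) else "deny")
```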