Systems/Mail


Zimbra email, Postfix MTA and Amavis anti-virus on Verrazzano

  • runs on host verrazzano
  • start: /etc/init.d/zimbra start
  • stop: /etc/init.d/zimbra stop
  • logs: /var/log/mail.log , /opt/zimbra/log/

Around 2011-12-14, some Windows workstations were accumulating multiple TCP connections to the Zimbra server Verrazzano (ports 80 and 443 in addition to IMAPS), such that "netstat --tcp" showed over 900 connections. See ~dlaplante/bin/netstat-tcp-summ.sh on Verrazzano for a per-client summary.

  • [commented out of the zimbra crontab] daily cleanup of connection counts at 4am: /opt/zimbra/bin/zmmailboxdctl restart
    • 2013-03-06 SysPulse graph of Verrazzano connections shows a typical daily wave between 60 and 170 connections; the count drops at the 4am restart and is quickly regained, which suggests these are live connections that the clients re-establish. The important point is that connections no longer accumulate over the course of the week.
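The following is an added example of the kind of per-client summary that diagnosis needs; it is not the netstat-tcp-summ.sh script referred to above (which is not reproduced on this page). It parses the text that "netstat --tcp -n" prints, counts connections per remote host and local port, and flags clients holding more than a threshold of connections. The netstat lines embedded below are constructed for the example with hypothetical client addresses.

```python
"""Summarise TCP connections per client, as a check for connection accumulation.

Added example, not the wiki's netstat-tcp-summ.sh. Parses `netstat --tcp -n` output,
counts connections per remote host and local port, and flags clients holding more
than a threshold of connections. SAMPLE_NETSTAT is constructed (hypothetical addresses).
"""
from collections import Counter

# Constructed sample in netstat's layout: the mail server on 443 (https) and 993 (imaps).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 137.82.131.50:993       10.80.40.21:51234       ESTABLISHED
tcp        0      0 137.82.131.50:993       10.80.40.21:51235       ESTABLISHED
tcp        0      0 137.82.131.50:993       10.80.40.21:51236       ESTABLISHED
tcp        0      0 137.82.131.50:443       10.80.40.21:51240       ESTABLISHED
tcp        0      0 137.82.131.50:443       10.80.40.21:51241       CLOSE_WAIT
tcp        0      0 137.82.131.50:443       10.80.40.21:51242       CLOSE_WAIT
tcp        0      0 137.82.131.50:993       10.80.40.33:60001       ESTABLISHED
tcp        0      0 137.82.131.50:443       10.80.40.33:60002       TIME_WAIT
tcp        0      0 137.82.131.50:22        10.80.20.80:40000       ESTABLISHED
"""


def parse_netstat(text):
    """Return (local_port, remote_host, state) for each tcp line; skips headers and listeners."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        if state == "LISTEN":  # present only with -a; not a client connection
            continue
        local_port = int(local.rsplit(":", 1)[1])   # rsplit copes with IPv6 "::1:993"
        remote_host = remote.rsplit(":", 1)[0]
        rows.append((local_port, remote_host, state))
    return rows


def summarize(rows):
    """Counts per remote host, per (host, local port) and per TCP state."""
    per_host = Counter(host for _, host, _ in rows)
    per_host_port = Counter((host, port) for port, host, _ in rows)
    per_state = Counter(state for _, _, state in rows)
    return per_host, per_host_port, per_state


def noisy_clients(rows, threshold=5):
    """Remote hosts holding more than `threshold` connections, with a per-port breakdown."""
    per_host, per_host_port, _ = summarize(rows)
    result = {}
    for host, n in per_host.items():
        if n > threshold:
            result[host] = {port: c for (h, port), c in per_host_port.items() if h == host}
    return result


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    per_host, _, per_state = summarize(rows)
    print("total connections:", len(rows), dict(per_state))
    for host, ports in noisy_clients(rows).items():
        print("%s holds %d connections: %s" % (host, per_host[host], ports))
```

On a live host, feed it "netstat --tcp -n" (or "ss -tn" reformatted) and raise the threshold to whatever a healthy client looks like; a host that keeps many CLOSE_WAIT connections is the one whose client is not closing what it opens.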

Spam blacklists

  • 2017-10-05 to 2017-10-24: the compromised account training@popdata.bc.ca was used to send millions of spam messages (OTRS#2017102410000083). Verrazzano was then blacklisted by many receivers, especially Yahoo and Outlook (OTRS#2017110610000043).
  • Lookup mail.phlo.ubc.ca 137.82.131.50
  • http://www.anti-abuse.org/multi-rbl-check-results/?host=137.82.131.50
    2017-11-07 all ok
  • http://multirbl.valli.org/lookup/137.82.131.50.html
    2017-11-07 all but 1 ok. Many tests; most failures (red) are "DNS request failed:", i.e. the check could not run, not an actual listing. Bottom section "DNSBL Informational list Test" shows non-blocking listings (blue).
    FCrDNS means "Forward Confirmed reverse DNS" i.e. lookup by name matches lookup by address.
  • Microsoft/Hotmail/Outlook spam feedback
  • Subscribed using spamreport@popdata.bc.ca birthdate 1988-02-07 . Company Name: Population Data BC; Contact email address: it@popdata.bc.ca; Complaint feedback Email Address:spamreport@popdata.bc.ca format=ARF; 137.82.131.0/24; Authorization email (from WHOIS): security@ubc.ca
    • When you submit this form, two things will happen: 1- We will send email messages to each of the above authorization addresses, with an authorization link. Once the links have been clicked, you will be able to view data for those IPs in SNDS. 2- We will send a contract to the contact address above, so that you or an appropriate representative from your company can sign the agreement. After you have been authorized to view IP data, and have signed the contract, JMRP feedback complaints will start flowing to the complaint address provided above.
    • 2018-02-07/DL JMRP often not working ("We're sorry! An error has occurred"), but SNDS is ok at https://postmaster.live.com/snds/data.aspx . The "Access Control" link confirms that 137.82.131.0 is being monitored; nothing bad yet. JMRP may or may not be set up to send an ARF [Abuse Reporting Format] message for each flagged email, max 10 per day.

Zimbra queues

Zimbra user management

  • Login to https://mail.popdata.bc.ca:7071/zimbraAdmin/ and under "Manage => Accounts" select a user (right-click)
  • Login to Verrazzano
    • To get password change date
      sudo /home/zimbra/bin/zmprov sa -v "mail=*@popdata.bc.ca" | egrep '^uid: |zimbraAccountStatus: |zimbraPasswordModifiedTime: |zimbraLastLogonTimestamp: '
      then join all lines starting with 'z' to the previous line.
      2017-10-31 DL see Alfresco/Systems & Security/Mail/zimbra-popdata-password-time-status.txt
  • Change encryption options for MTA, IMAP and POP
    • Configure => Global Settings => {MTA, IMAP, POP} "[no] Enable clear text login". Warning: requires a server restart.

Sometime in late 2017 Denis configured Zimbra to lock out accounts after 10 bad password guesses within an hour; the lockout clears itself after 1 hour. This caps systematic guessing at about 240 attempts per account per day (10 per hour), and the guesser cannot tell whether a failure means a wrong password or a triggered lockout. Caveat: a smartphone or other client retrying a stale password also triggers the lockout, so a locked account is not by itself evidence of an attack, and anyone who knows a username can lock it deliberately. 2018-03-21 Time and Kelly's accounts in "Lockout" status. Need to check logs.


Zimbra security configuration

  1. under Class Of Service (COS) -> Default -> Advanced
    • Password min length 16, max 64
      Other restrictions 0 (e.g. minimum count of upper case / digits / special characters)
  2. TLS only (encryption)
    • Servers => mail.phlo.ubc.ca
      -> MTA : [yes] "TLS authentication only" [good]
      -> IMAP or POP : [no] "enable clear text login"
  3. Login Lockout is enabled
    • Home -> Configure -> Class Of Service (COS) -> Default -> Advanced -> Failed Login Policy
    • 2017-10-25 (default) 10 failures in 1 hour, lockout for 1 hour (240 guesses/day)
      2018-11-22 planned change: 5 failures in 15 min, lockout 15 min (480 guesses/day), to reduce user frustration
  • Resetting lockout
    1. zimbraAdmin -> Manage -> Accounts ; sort by Status
    2. open the user -> half-way down "Account Setup" -> Status: Active / Closed / Locked / Pending / Maintenance. Lockout cannot be chosen on the status menu.
  • See also Advanced -> Failed Login Policy for user customization
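The zmprov listing in "Zimbra user management" above leaves one "uid:" line followed by separate attribute lines per account, which then have to be joined by hand. The following is an added example (not a Zimbra tool and not the wiki's own script) that does the join and also picks out the accounts worth a look: those in "lockout" status, those whose password has not changed in a year, and those with no recorded logon. The zmprov output embedded below is constructed for the example with hypothetical users; the parser tolerates the "# name ..." comment lines that the raw "zmprov sa -v" output contains, so the egrep step is optional.

```python
"""Join `zmprov sa -v` attribute lines per account and flag lockouts and stale passwords.

Added example, not a Zimbra tool. SAMPLE is constructed output (hypothetical users) in
the LDIF-like format zmprov prints; real output carries many more attributes.
"""
from datetime import datetime, timezone

SAMPLE = """\
# name alice@popdata.bc.ca
uid: alice
zimbraAccountStatus: active
zimbraPasswordModifiedTime: 20171031153000Z
zimbraLastLogonTimestamp: 20180320081512Z
# name bob@popdata.bc.ca
uid: bob
zimbraAccountStatus: lockout
zimbraPasswordModifiedTime: 20170102090000Z
zimbraLastLogonTimestamp: 20180321061003Z
# name svc-backup@popdata.bc.ca
uid: svc-backup
zimbraAccountStatus: active
zimbraPasswordModifiedTime: 20160505120000Z
"""

WANTED = ("zimbraAccountStatus", "zimbraPasswordModifiedTime", "zimbraLastLogonTimestamp")


def parse_zmprov(text):
    """One dict per 'uid:' block; following attribute lines attach to that uid."""
    accounts = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "uid":
            current = {"uid": value}
            accounts.append(current)
        elif current is not None and key in WANTED:
            current[key] = value
    return accounts


def zimbra_time(value):
    """Zimbra stores generalized time in UTC, e.g. 20171031153000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def review(accounts, now, max_password_age_days=365):
    """Findings as (uid, reason); `now` is given in the same Zimbra time format."""
    today = zimbra_time(now)
    findings = []
    for acct in accounts:
        uid = acct["uid"]
        if acct.get("zimbraAccountStatus", "").lower() == "lockout":
            findings.append((uid, "lockout"))
        pw = acct.get("zimbraPasswordModifiedTime")
        if pw is None:
            findings.append((uid, "no password change recorded"))
        elif (today - zimbra_time(pw)).days > max_password_age_days:
            findings.append((uid, "password older than %d days" % max_password_age_days))
        if "zimbraLastLogonTimestamp" not in acct:
            findings.append((uid, "never logged on"))
    return findings


def one_line_per_account(accounts):
    """The joined form the wiki asks for: uid and its attributes on a single line."""
    return [" ".join([a["uid"]] + ["%s=%s" % (k, a[k]) for k in WANTED if k in a])
            for a in accounts]


if __name__ == "__main__":
    accts = parse_zmprov(SAMPLE)
    for row in one_line_per_account(accts):
        print(row)
    for uid, why in review(accts, "20180321000000Z"):
        print("CHECK %s: %s" % (uid, why))
```

Pipe the real listing in with something like "sudo /home/zimbra/bin/zmprov sa -v 'mail=*@popdata.bc.ca' | python3 this_script.py" after replacing SAMPLE with sys.stdin.read(); the "lockout" rows are the ones to cross-check against the auth log before resetting the status.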

Zimbra Calendar

  • need to grant write access to the popdata-events calendar for new users
  • Using another account's calendar:
    • Zimbra webmail, select tab "Calendar"; in sidebar right-click on "Calendars", select “Find Shares”. Neither search box works, just scroll. If you get denied access, ask IT staff.
    • Microsoft Outlook 2010: from Zimbra tab, click "open other mailbox", select "Popdata BC"

Zimbra Clients - Web, Outlook, Thunderbird, Apple Mail ...

Outlook: connector for Zimbra

zimbra connector for Outlook (32-bit) https://download.popdata.bc.ca/zco-8.msi

Ann Greenwood having trouble: on her desktop with the new connector, only the top-level folder (Inbox) gets updated. Subfolders of Inbox are visible but have had no new content since her crash and reinstall. http://wiki.zimbra.com/wiki/Outlook_Troubleshooting_Options suggests

  • review folder "Sync Issues" (does not exist)
  • run the .msi file again and select Repair

Thunderbird

Thunderbird AddressBook / LDAP

Menu Edit=>Account=>Composition&Addressing=>Use a different LDAP server

Name: PD-ldap
Hostname: ldap2.popdata.bc.ca
Base DN: ou=users,dc=popdata,dc=bc,dc=ca
Port Number: 389
[no] use SSL (I don't understand why SSL fails. Without SSL the directory queries cross the network in clear text, so this is worth revisiting; the usual causes are a certificate whose name does not match ldap2.popdata.bc.ca or an issuing CA that Thunderbird does not trust. Test: Tools=>Address book; select PD-ldap; type a name)

Thunderbird Calendar - Lightning

Don't remember how I installed it under Ubuntu. Shows in aptitude as: installed: xul-ext-lightning 1.9+build1-0ub

DNS MX records

Inside DNS records on Champlain

  • popdata.bc.ca MX mail.popdata.bc.ca (10.80.20.11 Verrazzano...)
  • lists.popdata.bc.ca MX pmail.popdata.bc.ca (10.80.20.80 Champlain ...)

Outside DNS records on WebNames.ca

  • popdata.bc.ca MX mail.popdata.bc.ca (137.82.131.50 Verrazzano...)
  • lists.popdata.bc.ca MX pmail.popdata.bc.ca (137.82.131.80 Champlain ...)
  • SPF anti-spam record: other mail servers should accept mail claiming to be from popdata.bc.ca only when it arrives from Verrazzano or Champlain (~all is a softfail, so mail from anywhere else is marked suspicious rather than rejected outright)
    popdata.bc.ca. TXT "v=spf1 ip4:137.82.131.50 ip4:137.82.131.80 ~all"

SPF records for REDCap emails from PopData servers.

Diagnostic: get the TXT records (including SPF) for bcahsn.ca from Google's DNS server: host -t txt bcahsn.ca 8.8.8.8

  • 2019-05-22 SPF record for bcahsn.ca still missing Champlain's IP address.
    • bcahsn.ca TXT "v=spf1 include:spf.protection.outlook.com -all"
      spf.protection.outlook.com TXT "v=spf1 ip4:207.46.100.0/24 ip4:207.46.163.0/24 [...] include:spfa.protection.outlook.com -all"
      spfa.protection.outlook.com. 293 IN TXT "v=spf1 ip4:157.56.112.0/24 [..] ip4:134.170.140.0/24 include:spfb.protection.outlook.com ip6:2001:489a:2202::/48 -all"
    ...
  • Interpretation: receivers that check SPF will accept mail from @bcahsn.ca only if it arrives from a server in the spf.protection.outlook.com list (and the lists it includes); Champlain (137.82.131.80) is not in that list, and with -all the mail is rejected rather than merely flagged.
    • Need bcahsn.ca to change DNS record to "v=spf1 include:spf.protection.outlook.com ip4:137.82.131.80 -all"

History: 2019-01-07 mail.HLI.ubc.ca blocked a message from redcap@bcahsn.ca sent by redcap.popdata.bc.ca via Champlain (the SPF failure described above):

  • From: Mail Delivery Subsystem <MAILER-DAEMON@champlain.popdata.bc.ca>
    Sent: Monday, January 7, 2019 2:55 PM
    To: REDCap
    Subject: Undeliverable: BC AHSN REDCap Service Agreement - Resolution
    The original message was received at Mon, 7 Jan 2019 14:54:51 -0800 from redcap.popdata.bc.ca [10.80.30.10]
    ----- The following addresses had permanent fatal errors ----- <pat.camp@hli.ubc.ca>
    (reason: 550 Message was blocked by server (failed SPF))
    ----- Transcript of session follows ----- ... while talking to mail.hli.ubc.ca.:
    >>> MAIL From:<redcap@bcahsn.ca>
    <<< 550 Message was blocked by server (failed SPF)
    554 5.0.0 Service unavailable
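To make the SPF interpretation above concrete, and to reproduce the bounce, here is an added example of an SPF (RFC 7208) evaluator that works against an offline copy of the records. It is not the wiki's code, nor any receiver's real implementation. The record table is constructed from the TXT records quoted on this page: the outlook.com lists are cut down to the ranges shown there, "spfb.protection.outlook.com" is a stand-in since its contents are not quoted, "proposed.bcahsn.ca" carries the record the page says bcahsn.ca needs to publish, and "loop.example" / "nospf.example" are hypothetical domains added to show the error cases. The evaluator handles ip4, ip6, include and all with all four qualifiers, and enforces the 10-lookup limit that turns a runaway include chain into a permerror.

```python
"""Evaluate SPF (RFC 7208) for a sender against an offline copy of the DNS TXT records.

Added example, not production code. DNS_TXT is constructed from the records quoted
on this page (outlook.com lists abbreviated; spfb is a stand-in; proposed.bcahsn.ca is
the record the page says bcahsn.ca needs; loop/nospf.example are hypothetical).
"""
import ipaddress

DNS_TXT = {
    "popdata.bc.ca": "v=spf1 ip4:137.82.131.50 ip4:137.82.131.80 ~all",
    "bcahsn.ca": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:207.46.100.0/24 ip4:207.46.163.0/24 "
                                  "include:spfa.protection.outlook.com -all",
    "spfa.protection.outlook.com": "v=spf1 ip4:157.56.112.0/24 ip4:134.170.140.0/24 "
                                   "include:spfb.protection.outlook.com ip6:2001:489a:2202::/48 -all",
    "spfb.protection.outlook.com": "v=spf1 -all",  # stand-in: not quoted on the page
    "proposed.bcahsn.ca": "v=spf1 include:spf.protection.outlook.com ip4:137.82.131.80 -all",
    "loop.example": "v=spf1 include:loop.example -all",  # hypothetical: include loop
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 4.6.4: more than 10 lookup-causing terms is a permerror


class LookupBudget:
    """Counts DNS-causing mechanisms across the whole evaluation, includes included."""
    def __init__(self):
        self.used = 0


def check_host(ip, domain, txt=DNS_TXT, budget=None):
    """Result for `ip` sending as `domain`: pass/fail/softfail/neutral/none/permerror."""
    budget = budget or LookupBudget()
    record = txt.get(domain)
    if record is None:
        return "none"  # no SPF record published: nothing for the receiver to enforce
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            budget.used += 1
            if budget.used > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_host(ip, arg, txt, budget)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("permerror", "none"):  # RFC 7208 5.2: both are permerror
                return "permerror"
            # fail / softfail / neutral inside an include just mean "no match here"
        else:
            return "permerror"  # a/mx/ptr/exists/redirect not needed for these records
    return "neutral"  # RFC 7208 4.7: nothing matched and no "all" term


def spf_for_mail(mail_from, client_ip, txt=DNS_TXT):
    """Evaluate the MAIL FROM domain, as a receiving MTA does at the SMTP envelope."""
    return check_host(client_ip, mail_from.rsplit("@", 1)[-1], txt)


if __name__ == "__main__":
    # Champlain relaying redcap@bcahsn.ca: the "550 ... failed SPF" bounce above
    print("bcahsn.ca via Champlain:", spf_for_mail("redcap@bcahsn.ca", "137.82.131.80"))
    print("with proposed record:   ", spf_for_mail("redcap@proposed.bcahsn.ca", "137.82.131.80"))
    print("popdata from Verrazzano:", spf_for_mail("it@popdata.bc.ca", "137.82.131.50"))
    print("popdata from elsewhere: ", spf_for_mail("it@popdata.bc.ca", "192.0.2.1"))
```

The include of spf.protection.outlook.com yields "fail" for Champlain's address, which inside an include is only "no match", so evaluation falls through to bcahsn.ca's own "-all"; that is the 550. Adding "ip4:137.82.131.80" before "-all" matches first and returns pass. Note that each "include:" costs one of the ten lookups, so nesting the outlook.com chain (already three deep here) under further includes is how a record silently becomes a permerror.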

SYMPA distribution lists on Champlain

  • Version Sympa 6.2.16 since ?? 2018-12-13
  • config: /etc/sympa/sympa.conf ; home: /var/lib/sympa/expl ; spool /var/spool/sympa;
  • syslog: /etc/sympa/facility (local0) => cabot:/home/logs/*/champlain/local0
  • 2013-07-02 changing the config of "subscribers@lists..." via the web UI to "noconceal" triggers "missing parameter"; the normal value is "conceal".
  • To add a subscriber: email From: listmaster@popdata.bc.ca To: sympa@lists.popdata.bc.ca Subject: quiet add sre-users EMAIL FIRSTNAME LASTNAME (userid)
    • This is done automatically when registering a new SRE project login (pds/radm/views.py function enable_group ).