username@domain login name for email account with virtualmin and postfix

For IMAP and POP3 authentication, all you have to do is change the “Format for usernames that include domain” in:

Virtualmin > System Settings > Server Templates > Default Settings > Mail for Domain

to be “user@domain”.

However, Cyrus SASL, which handles the SMTP authentication, needs an extra flag, -r, before it accepts user@domain usernames. The file you need to edit is /etc/sysconfig/saslauthd. At the bottom you will see the following:

# Additional flags to pass to saslauthd on the command line.
# See saslauthd(8) for the list of accepted flags.
FLAGS=-r

Set your FLAGS= line the same way. This passes -r to the SASL authentication daemon, and your user@domain authentication will work!

Let me know if you have any other questions.

Originally found at :

sftp chroot with openssh ERROR : fatal: bad ownership or modes for chroot directory

If you’re playing with the excellent new ChrootDirectory and internal-sftp options in recent OpenSSH releases (such as 5.1 which is in Ubuntu 8.10 Intrepid), you may have hit an error like:

fatal: bad ownership or modes for chroot directory

You may also have searched on Google for what to do about it and come away with very little useful information.

Well no more! I did the same thing and got bored of reading mailing list posts, so I read the source code instead. The relevant section is in session.c:

		if (stat(component, &st) != 0)
			fatal("%s: stat(\"%s\"): %s", __func__,
			    component, strerror(errno));
		if (st.st_uid != 0 || (st.st_mode & 022) != 0)
			fatal("bad ownership or modes for chroot "
			    "directory %s\"%s\"",
			    cp == NULL ? "" : "component ", component);
This is quite simple really: it is stat()ing the directory specified for “ChrootDirectory” and every one of its parents up to /, and checking that each of them is:

owned by root
not group or other writable

(it also checks they are actually directories, but I’m going to assume you’re not stupid enough to try and chroot into a file)

Note my emphasis that these checks apply to the chroot directory itself, its parents and /, so if you are chrooting users into /srv/chroot/ then you need to ensure that /, /srv and /srv/chroot are all owned by root and not writable by the group (even if it’s root, bizarrely) or by other users.
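To find out which component is tripping that check before sshd does, here is an added shell script (not from the original post and not OpenSSH code) that walks from a ChrootDirectory up to / and applies the same two rules to every component: owner uid 0 and no group/other write bit (mode & 022). It assumes GNU coreutils stat for the -c format.

```shell
#!/bin/sh
# check_chroot_path: report every path component that OpenSSH's
# ChrootDirectory check would reject. Exit status 0 only if all pass.
# Assumes GNU/busybox `stat -c` (uid as %u, octal mode as %a).

check_chroot_path() {
    dir=$1
    rc=0
    # make the path absolute so the walk really ends at /
    case $dir in
        /*) ;;
        *) dir=$(pwd)/$dir ;;
    esac
    while :; do
        if [ ! -d "$dir" ]; then
            echo "FAIL $dir: not a directory"
            rc=1
        else
            set -- $(stat -c '%u %a' "$dir")   # -> "<uid> <octal mode>"
            uid=$1 mode=$2
            reasons=""
            # rule 1: st_uid must be 0 (root)
            [ "$uid" -eq 0 ] || reasons="owner uid $uid is not root"
            # rule 2: (st_mode & 022) must be 0, i.e. no group/other write bit
            if [ $(( 0$mode & 022 )) -ne 0 ]; then
                reasons="${reasons:+$reasons; }mode $mode is group/other writable"
            fi
            if [ -n "$reasons" ]; then
                echo "FAIL $dir: $reasons"
                rc=1
            else
                echo "OK   $dir"
            fi
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# stand-alone use: check_chroot_path.sh /srv/chroot
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Fix whatever the first FAIL line names (chown root, chmod g-w,o-w), then re-run until every component reports OK.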

Adopted from :

mod_php and suPHP at the same time


; Security options
;Check whether script is within DOCUMENT_ROOT
;Send minor error messages to browser
;Handler for php-scripts
;Handler for CGI-scripts


# This is the Apache server configuration file providing suPHP support.
# It contains the configuration directives to instruct the server how to
# serve php pages while switching to the user context before rendering.

LoadModule suphp_module modules/

# This option tells mod_suphp if a PHP-script requested on this server (or
# VirtualHost) should be run with the PHP-interpreter or returned to the
# browser "as it is".
#suPHP_Engine on

# Disable php when suphp is used, to avoid having both.
#<IfModule mod_php5.c>
#    php_admin_flag engine off
#</IfModule>
#<IfModule mod_php4.c>
#    php_admin_flag engine off
#</IfModule>

# To use suPHP to parse PHP-Files
#AddHandler x-httpd-php .php
#AddHandler x-httpd-php .php .php4 .php3 .phtml

# This option tells mod_suphp which path to pass on to the PHP-interpreter
# (by setting the PHPRC environment variable).
# Do *NOT* refer to a file but to the directory the file resides in.
# E.g.: If you want to use "/path/to/server/config/php.ini", use "suPHP_Config
# /path/to/server/config".
# If you don't use this option, PHP will use its compiled in default path.
# suPHP_ConfigPath /etc

# If you compiled suphp with setid-mode "force" or "paranoid", you can
# specify the user- and groupname to run PHP-scripts with.
# Example: suPHP_UserGroup foouser bargroup
# suPHP_UserGroup apache apache

# This option tells mod_suphp to handle requests with the type <mime-type>.
# Please note this only works, if an action for the handler is specified
# in the suPHP configuration file.
#suPHP_AddHandler x-httpd-php

# This option tells mod_suphp to NOT handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>

Usage example

SuexecUserGroup "#500" "#500"
DocumentRoot /home/
suPHP_Engine on
AddHandler x-httpd-php .php
AddHandler x-httpd-php .php .php4 .php3 .phtml
suPHP_AddHandler x-httpd-php
<Directory /home/>
    allow from all
    DirectoryIndex index.htm index.html index.php
</Directory>

suPHP: parent directory is not owned by the defined user or root

root at server1:/root/suPHP/suphp-0.6.3/src# diff -u ./Application.cpp
— ./Application.cpp 2008-04-24 15:21:20.000000000 -0700
+++ ./Application.cpp-dist 2008-03-30 04:43:38.000000000 -0700
@@ -492,14 +492,12 @@
directory = directory.getParentDirectory();

UserInfo directoryOwner = directory.getUser();
if (directoryOwner != owner && !directoryOwner.isSuperUser()) {
std::string error = “Directory ” + directory.getPath()
+ ” is not owned by ” + owner.getUsername();
throw SoftException(error, __FILE__, __LINE__);

if (!directory.isSymlink()
&& !config.getAllowDirectoryGroupWriteable()
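Review bot: the hunk has lost its +/- line prefixes (only the @@ -492,14 +492,12 @@ header survives), so the actual edit to the ownership check cannot be read from it; please re-post it with the markers intact. The diff is also taken as `diff -u ./Application.cpp ./Application.cpp-dist`, i.e. the locally modified file first and the distribution copy second, so any + lines would be the original code and - lines the local change, the reverse of what a reader expects. The visible condition `if (directoryOwner != owner && !directoryOwner.isSuperUser())` is the control behind the "is not owned by" error in the title: it refuses to run a script when a parent directory belongs to someone other than the script owner or root. If the local change relaxes that test, the patch should say which directory layout it is meant to admit and why that layout cannot be used by another local user to alter the script before it runs under the target user.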

Originally found at

Install SSL certificate on postfix and dovecot

Make key file

#openssl genrsa -des3 -out 2048
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for
Verifying – Enter pass phrase for
# openssl req -new -key -out
Enter pass phrase for
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
A challenge password []:
An optional company name []:

Get the CRT from your CA (GeoTrust, VeriSign, etc.)

Remove pass phrase

#openssl rsa -in -out

edit /etc/postfix/

smtpd_use_tls = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_key_file = /etc/pki/tls/certs/
smtpd_tls_cert_file = /etc/pki/tls/certs/

edit /etc/dovecot.conf

ssl_disable = no
ssl_cert_file = /etc/pki/tls/certs/
ssl_key_file = /etc/pki/tls/certs/

Restart postfix and dovecot.
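Before the restart it is worth confirming that the files the two configs point at will actually work together. The following is an added shell script (not from the original notes) that checks that the key loads without a pass phrase (neither daemon can prompt for one), that the key and CRT share the same RSA modulus, and that the key is not readable by group or other. It assumes the openssl CLI and GNU/busybox stat -c.

```shell
#!/bin/sh
# check_tls_pair KEY CRT: sanity checks before pointing smtpd_tls_key_file /
# smtpd_tls_cert_file (Postfix) or ssl_key_file / ssl_cert_file (Dovecot)
# at a key and certificate. Returns 0 only when all three checks pass.

check_tls_pair() {
    key=$1 crt=$2 rc=0

    # 1. A pass-phrase protected key makes the daemons fail or hang at start;
    #    loading it with an empty pass phrase succeeds only if it is unencrypted.
    if ! openssl rsa -in "$key" -passin pass: -noout >/dev/null 2>&1; then
        echo "FAIL $key: still pass-phrase protected (run: openssl rsa -in $key -out $key)"
        rc=1
    fi

    # 2. The CRT the CA sent back must be for this key: compare the RSA moduli.
    kmod=$(openssl rsa -in "$key" -passin pass: -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null)
    if [ -z "$kmod" ] || [ "$kmod" != "$cmod" ]; then
        echo "FAIL $crt: certificate does not match private key $key"
        rc=1
    fi

    # 3. Once the pass phrase is gone the file itself is the secret: no group/other bits.
    mode=$(stat -c '%a' "$key")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL $key: mode $mode is readable by group/other (want 600)"
        rc=1
    fi

    [ $rc -eq 0 ] && echo "OK   $key / $crt"
    return $rc
}

# stand-alone use: check_tls_pair.sh /etc/pki/tls/certs/mail.key /etc/pki/tls/certs/mail.crt
if [ $# -eq 2 ]; then
    check_tls_pair "$1" "$2"
fi
```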