username@domain login name for email account with virtualmin and postfix

For IMAP and POP3 authentication, all you have to do is change the “Format for usernames that include domain” in:

Virtualmin > System Settings > Server Templates > Default Settings > Mail for Domain

to be “user@domain”.

However, Cyrus SASL, which handles the SMTP authentication, needs a special flag, -r, before it will accept user@domain usernames. The magical file you need to edit is /etc/sysconfig/saslauthd. At the bottom you will see the following:

# Additional flags to pass to saslauthd on the command line.
# See saslauthd(8) for the list of accepted flags.
FLAGS=-r

Just set your FLAGS= line to match mine. This passes -r to the SASL authentication daemon (saslauthd), and your user@domain authentication will work!

Let me know if you have any other questions.

Originally found at : http://blog.molski.nl/2009/10/07/virtualmin-and-userdomain-pop3smtp-login-style/

sftp chroot with openssh ERROR : fatal: bad ownership or modes for chroot directory

If you’re playing with the excellent new ChrootDirectory and internal-sftp options in recent OpenSSH releases (such as 5.1 which is in Ubuntu 8.10 Intrepid), you may have hit an error like:

fatal: bad ownership or modes for chroot directory

You may also have searched on Google for what to do about it and come away with very little useful information.

Well no more! I did the same thing and got bored of reading mailing list posts, so read the source code instead. The relevant section is in session.c:

	if (stat(component, &st) != 0)
		fatal("%s: stat(\"%s\"): %s", __func__,
		    component, strerror(errno));
	if (st.st_uid != 0 || (st.st_mode & 022) != 0)
		fatal("bad ownership or modes for chroot "
		    "directory %s\"%s\"",
		    cp == NULL ? "" : "component ", component);
This is quite simple really: it stat()s the directory specified for "ChrootDirectory" and all its parents up to / and checks that they are:

owned by root
not group or other writable
(it also checks they are actually directories, but I'm going to assume you're not stupid enough to try and chroot into a file)
Note my emphasis that these checks apply to the chroot directory itself and its parents and /, so if you are chrooting users into /srv/chroot/ then you need to ensure that /, /srv and /srv/chroot are owned by root and not writable by the group (even if it's root, bizarrely) or other users.

Adopted from : http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/

mod_php and suphp at same time

/etc/suphp.conf

[global]
logfile=/var/log/httpd/suphp_log
loglevel=warn
webserver_user=apache
docroot=/home
env_path=/bin:/usr/bin
umask=0077
min_uid=500
min_gid=500
; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=false
;Send minor error messages to browser
errors_to_browser=true
[handlers]
;Handler for php-scripts
;x-httpd-php=php:/usr/bin/php
x-httpd-php="php:/usr/bin/php-cgi"
;Handler for CGI-scripts
x-suphp-cgi=execute:!self

/etc/httpd/conf.d/su.php

# This is the Apache server configuration file providing suPHP support.
# It contains the configuration directives to instruct the server how to
# serve php pages while switching to the user context before rendering.
LoadModule suphp_module modules/mod_suphp.so
# This option tells mod_suphp if a PHP-script requested on this server (or
# VirtualHost) should be run with the PHP-interpreter or returned to the
# browser "as it is".
#suPHP_Engine on
# Disable php when suphp is used, to avoid having both.
#<IfModule mod_php5.c>
#php_admin_flag engine off
#</IfModule>
#<IfModule mod_php4.c>
#php_admin_flag engine off
#</IfModule>
# To use suPHP to parse PHP-Files
#AddHandler x-httpd-php .php
#AddHandler x-httpd-php .php .php4 .php3 .phtml
# This option tells mod_suphp which path to pass on to the PHP-interpreter
# (by setting the PHPRC environment variable).
# Do *NOT* refer to a file but to the directory the file resides in.
#
# E.g.: If you want to use "/path/to/server/config/php.ini", use "suPHP_Config
# /path/to/server/config".
#
# If you don’t use this option, PHP will use its compiled in default path.
# suPHP_ConfigPath /etc
# If you compiled suphp with setid-mode "force" or "paranoid", you can
# specify the user- and groupname to run PHP-scripts with.
# Example: suPHP_UserGroup foouser bargroup
# suPHP_UserGroup apache apache
# This option tells mod_suphp to handle requests with the type <mime-type>.
# Please note this only works, if an action for the handler is specified
# in the suPHP configuration file.
#suPHP_AddHandler x-httpd-php
# This option tells mod_suphp to NOT handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>

Usage example

<VirtualHost 192.168.1.10:80>
SuexecUserGroup "#500" "#500"
ServerName example.com
ServerAlias www.example.com
DocumentRoot /home/example.com/public_html
suPHP_Engine on
AddHandler x-httpd-php .php
AddHandler x-httpd-php .php .php4 .php3 .phtml
suPHP_AddHandler x-httpd-php
suPHP_UserGroup example.com example.com
<Directory /home/example.com/public_html>
allow from all
</Directory>
DirectoryIndex index.htm index.html index.php
</VirtualHost>

suPHP: parent directory is not owned by the defined user or root

root at server1:/root/suPHP/suphp-0.6.3/src# diff -u ./Application.cpp ./Application.cpp-dist
— ./Application.cpp 2008-04-24 15:21:20.000000000 -0700
+++ ./Application.cpp-dist 2008-03-30 04:43:38.000000000 -0700
@@ -492,14 +492,12 @@
directory = directory.getParentDirectory();

UserInfo directoryOwner = directory.getUser();
-#ifndef OPT_USERGROUP_OWNER
if (directoryOwner != owner && !directoryOwner.isSuperUser()) {
std::string error = “Directory ” + directory.getPath()
+ ” is not owned by ” + owner.getUsername();
logger.logWarning(error);
throw SoftException(error, __FILE__, __LINE__);
}
-#endif

if (!directory.isSymlink()
&& !config.getAllowDirectoryGroupWriteable()
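Review bot: the diff is taken in the reverse direction (`diff -u ./Application.cpp ./Application.cpp-dist`, modified file first, stock file second), so the `-#ifndef OPT_USERGROUP_OWNER` and `-#endif` lines are the change being proposed, and feeding this hunk to `patch` would hand back the unmodified source; regenerate it as `diff -u Application.cpp-dist Application.cpp` or say explicitly that it must be applied reversed. On the substance, wrapping the block in `#ifndef OPT_USERGROUP_OWNER` compiles out the "Directory ... is not owned by" check for every ancestor up to /, not only the one that tripped it, so once the macro is defined a parent directory owned by any other local user is silently accepted as part of the script path; a narrower change would keep the check and instead make the offending parent (the per-domain directory under /home in the vhost above) owned by the vhost user or by root, which is exactly the condition the existing `if` tests. The hunk also does not show where `OPT_USERGROUP_OWNER` is defined (configure flag, CXXFLAGS, or a header), which needs documenting next to the patch so an admin can tell from the build whether the check is active.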

Originally found at https://lists.marsching.com/pipermail/suphp/2008-April/001831.html

Install SSL certificate on postfix and dovecot

Make key file

# openssl genrsa -des3 -out example.com.key 2048
Generating RSA private key, 1024 bit long modulus
...................++++++
..++++++
e is 65537 (0x10001)
Enter pass phrase for example.com.key:
Verifying - Enter pass phrase for example.com.key:
# openssl req -new -key example.com.key -out example.com.csr
Enter pass phrase for example.com.key:
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
A challenge password []:
An optional company name []:

Get the CRT from a CA (GeoTrust, VeriSign, etc.)

Remove pass phrase

# openssl rsa -in example.com.key -out example.com.pem

edit /etc/postfix/main.cf

smtpd_use_tls = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_key_file = /etc/pki/tls/certs/example.com.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/example.com.crt

edit /etc/dovecot.conf

ssl_disable = no
ssl_cert_file = /etc/pki/tls/certs/example.com.crt
ssl_key_file = /etc/pki/tls/certs/example.com.pem

restart postfix and dovecot
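As an added example (not from the original post), the key, CSR and passphrase-removal steps above done non-interactively, followed by two checks worth running before pointing main.cf and dovecot.conf at the files: that the .crt really belongs to the .pem key, and that the now-unencrypted key is readable by root only. It assumes openssl and a GNU or busybox stat (-c '%a'); the name and directory arguments are the caller's choice, for instance example.com and /etc/pki/tls/certs as in the post. The self-signed certificate it produces is only a stand-in for testing until the CA's .crt arrives.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive key/CSR
# generation plus sanity checks on the key/certificate pair that postfix and
# dovecot will load. Assumes openssl and GNU/busybox stat with -c '%a'.

# Create NAME.pem (private key, no passphrase), NAME.csr (to send to the CA)
# and, as a stand-in for the CA-issued certificate, a self-signed NAME.crt.
make_mail_tls_pair() {
    name=$1
    dir=$2
    mkdir -p "$dir" || return 1
    # the post's "genrsa -des3" followed by "rsa -in ... -out ..." collapsed
    # into one step: without -des3 the key is written unencrypted directly
    openssl genrsa -out "$dir/$name.pem" 2048 2>/dev/null || return 1
    chmod 0600 "$dir/$name.pem"
    # -subj answers the CSR prompts; CN is the hostname clients will verify
    openssl req -new -key "$dir/$name.pem" -subj "/CN=$name" \
        -out "$dir/$name.csr" 2>/dev/null || return 1
    # self-signed certificate for testing only; replace it with the CA's .crt
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.pem" \
        -days 30 -out "$dir/$name.crt" 2>/dev/null || return 1
}

# A certificate matches a key when both report the same RSA modulus.
tls_pair_matches() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    crt_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Without a passphrase the key is only as safe as its file mode: refuse a
# key that grants group or other any permission bit at all.
key_is_private() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $((0$mode & 077)) -eq 0 ]
}

# Typical use, matching the paths in the post:
#   make_mail_tls_pair example.com /etc/pki/tls/certs
#   tls_pair_matches /etc/pki/tls/certs/example.com.pem \
#       /etc/pki/tls/certs/example.com.crt && echo "key and cert match"
#   key_is_private /etc/pki/tls/certs/example.com.pem || chmod 0600 /etc/pki/tls/certs/example.com.pem
```

Run tls_pair_matches against the CA-issued .crt once it arrives, since a certificate issued for a different CSR (or re-keyed during renewal) will load without complaint and then fail every TLS handshake. key_is_private is the check to repeat after copying the .pem into /etc/pki/tls/certs, because cp and package tools do not preserve the 0600 mode reliably.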