Setup Postfix to Relay Mail for Specific Domains or Users

Mail Relaying
I have been working with my mail server a lot lately and I ran into some problems getting mail delivered to Outlook.com mail accounts (Hotmail.com, Outlook.com, Live.com, etc.), but I will discuss that more in another article (in short: two months later and still can’t). I have a user who subscribes to MailRoute.net’s excellent spam filtering service, and they use it with my mail server for inbound filtering. However, because Outlook.com will refuse to deliver messages from my mail server, we decided to use MailRoute’s outbound filtering – not really for the outgoing filter, but for the better deliverability to the Outlook.com mail accounts.

So I needed to set up my mail server to relay mail for one domain to another server that is outside of my control and network. My mail server uses Postfix 2.10 as the Mail Transfer Agent (MTA). This is how you can configure Postfix to forward (relay) all mail for one virtual domain to another mail server (smart host) before it is sent on to its final destination.

Setup Mail Relay on Your Mail Server

You will need to do all of this as root, so either sudo or elevate to a root shell.

  1. Create a file that will contain the domains whose mail will be processed by another server. I used /etc/postfix/bysender.
  2. Open the bysender file and add the following line:
    @example.com   [outbound.thirdparty.server.com]
    
    • On the left, @example.com is the domain whose messages you want forwarded (relayed) to the outside server
    • On the right, [outbound.thirdparty.server.com] is the server that you want to relay messages to, and yes, you need the brackets
    • By the way: you could have one particular user’s messages relayed to a different outside mail server by putting the entire e-mail address on the left side instead of @domain
  3. Save and close the bysender file.
  4. Now we need to hash (map) the bysender file so that Postfix can use it. Run the following command:
    postmap /etc/postfix/bysender
  5. Now open your Postfix main.cf and insert the following:
    sender_dependent_relayhost_maps = hash:/etc/postfix/bysender
    
    • Update the file path if needed
  6. Now you need to restart Postfix; run the following command:
    service postfix restart
    • This assumes Ubuntu’s service command
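As an added example (not the original post’s files), here is a bysender map that combines a per-user entry with a domain entry, plus the postmap lookups I would run to confirm the hash file resolves the way Postfix will before restarting it. The hostnames and addresses are placeholders.

```conf
# /etc/postfix/bysender -- source file for sender_dependent_relayhost_maps
# Postfix searches this table by the full envelope sender first, then by
# @domain, so the per-user line wins over the domain line for that sender.
# The square brackets tell Postfix to skip the MX lookup and connect to
# that host directly; an optional :port may follow the closing bracket.
# (Addresses and hostnames below are placeholders for this example.)
alice@example.com      [outbound.other-provider.example]:587
@example.com           [outbound.thirdparty.server.com]

# /etc/postfix/main.cf
sender_dependent_relayhost_maps = hash:/etc/postfix/bysender

# Rebuild the .db file and query it the way Postfix will (run as root):
#   postmap /etc/postfix/bysender
#   postmap -q alice@example.com hash:/etc/postfix/bysender
#       -> [outbound.other-provider.example]:587
#   postmap -q @example.com hash:/etc/postfix/bysender
#       -> [outbound.thirdparty.server.com]
#   postmap -q @example.org hash:/etc/postfix/bysender
#       -> no output, exit status 1: senders in that domain are not
#          overridden and keep using the global relayhost setting
```

Re-run the postmap lookups after every edit to the source file; Postfix reads the .db, not the text file, so a forgotten postmap is the usual reason a new entry "does nothing".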

Go ahead and test the configuration by sending a test message from the domain and reviewing the headers at the receiving mail account. You should see the mail passing through your smart host (in my case MailRoute) before arriving at the servers for the outside mail account.

Side Notes

I found this information via Zimbra Support documentation. I attempted to find it in the official Postfix documentation, but the Postfix docs are very hard to understand: they require you to have read them all and assume that you already know most everything about mail and message movement within a system.

Also, I found several articles suggesting the use of a transport file with a very similar layout to the bysender file here, but that just caused the mail server and MailRoute to play hot potato with the message (tossing it back and forth). From what I figured, the transport file is used to override DNS entries to direct mail for a particular domain to another server that may not exist in DNS records or is behind a firewall.

I hope that this was informative and helpful to your needs.


Dovecot Password Creation from PHP

I’m currently working on making a Laravel-based management system for my new mail service, which I have set up using Christoph Haas’ ISPmail Tutorial, Ars Technica’s Email Server Tutorial and others. I needed to be able to create Dovecot-compatible passwords from my PHP application.

When it came to the day-to-day management of the system I didn’t want to run SQL commands to manage the user accounts, so I started building a web-based management console. When it came to creating the user’s password I ran into a small problem: I couldn’t use the doveadm pw command, because the Dovecot software is installed on the mail server while the management console will be installed on my web server – two different machines. I didn’t want to install Dovecot on my web server – for reasons – so I had to find a different way of creating the user’s password. So I looked at my options to create the password in PHP, and after many hours of researching it I found the solution – which, when I found it, made me feel like an idiot.

So, to help anyone else who may be looking for a way to create Dovecot passwords from PHP using a more secure scheme than MD5, below are the different methods of creating a Dovecot-supported password in PHP.

Dovecot PHP Snippets

SHA512-CRYPT

// crypt() with the "$6$" prefix produces a glibc SHA512-CRYPT hash.
// The salt is up to 16 characters from [./0-9A-Za-z]; sha1() hex output fits that alphabet.
$password = "PlainTextPassword";
$salt = substr(sha1(rand()), 0, 16);   // placeholder salt, see the note on salting below
$hashedPassword = "{SHA512-CRYPT}" . crypt($password, '$6$' . $salt . '$');

SHA512 Base64 Encoded

// Unsalted SHA512: the raw digest, Base64-encoded. No salt is used by this scheme.
$password = "PlainTextPassword";
$hashedPassword = "{SHA512.b64}" . base64_encode(hash('sha512', $password, true));

SHA256-CRYPT*

// Same as SHA512-CRYPT, but the "$5$" prefix selects SHA256-CRYPT.
$password = "PlainTextPassword";
$salt = substr(sha1(rand()), 0, 16);   // placeholder salt, see the note on salting below
$hashedPassword = "{SHA256-CRYPT}" . crypt($password, '$5$' . $salt . '$');

SHA256 Base64 Encoded*

// Unsalted SHA256: the raw digest, Base64-encoded. No salt is used by this scheme.
$password = "PlainTextPassword";
$hashedPassword = "{SHA256.b64}" . base64_encode(hash('sha256', $password, true));

SSHA512 (Salted SHA512, Base64 Encoded)

// Dovecot's SSHA512 layout is SHA512(password . salt) followed by the salt bytes,
// with the whole thing Base64-encoded; Dovecot recovers the salt from the tail.
$password = "PlainTextPassword";
$salt = substr(sha1(rand()), 0, 16);   // placeholder salt, see the note on salting below
$hashedPassword = "{SSHA512}" . base64_encode(hash('sha512', $password . $salt, true) . $salt);

SSHA256 (Salted SHA256, Base64 Encoded)

// Same layout as SSHA512 with a 32-byte SHA256 digest in front of the salt.
$password = "PlainTextPassword";
$salt = substr(sha1(rand()), 0, 16);   // placeholder salt, see the note on salting below
$hashedPassword = "{SSHA256}" . base64_encode(hash('sha256', $password . $salt, true) . $salt);

* Denotes code that should work but has not been directly tested. All testing was done with PHP 7.

Be sure to change the salting to something either with more entropy or another function of your desire.

Be sure to test the output hash against your install of Dovecot by running the following command (-p is the plain-text password the hash was made from):

doveadm pw -t 'HASHED Password From Function' -p $password

So, to test the output hash for the password “password123”, assuming the function output was:

{SHA512-CRYPT}$6$24fd51974df4aa22$JiLGcBXH7JLQcRbcAyFV52r4OOVv4PbmX88E7IB22T/lJsg3/oTI.rAGcWizqV8iyYgDQ4fE9oezojT/hBfdF/

you would run the following command in your terminal:

doveadm pw -t '{SHA512-CRYPT}$6$24fd51974df4aa22$JiLGcBXH7JLQcRbcAyFV52r4OOVv4PbmX88E7IB22T/lJsg3/oTI.rAGcWizqV8iyYgDQ4fE9oezojT/hBfdF/' -p password123
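The snippets above and the doveadm test that follows them can be combined into one check that runs on the web server, where doveadm is not installed. This is an added example, not code from the original post or from Dovecot: it generates SHA512-CRYPT and SSHA512 hashes with a random_bytes() salt and verifies a candidate password against any {SCHEME} string the way doveadm pw -t does. The function names are this example's own.

```php
<?php
// Added example (not from the original post): CSPRNG-salted Dovecot hashes,
// plus an offline verifier for the crypt and salted-SHA schemes shown above.

// 16 characters from crypt()'s salt alphabet [./0-9A-Za-z], built from random_bytes().
function cryptSalt(): string {
    return substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16);
}

function makeSha512Crypt(string $password): string {
    return '{SHA512-CRYPT}' . crypt($password, '$6$' . cryptSalt() . '$');
}

function makeSsha512(string $password, int $saltLen = 16): string {
    $salt = random_bytes($saltLen);  // raw bytes are fine: the salt is Base64-encoded with the digest
    return '{SSHA512}' . base64_encode(hash('sha512', $password . $salt, true) . $salt);
}

// Returns true when $password matches the stored "{SCHEME}..." string; false for
// a mismatch, a malformed value, or a scheme this example does not handle.
function verifyDovecotHash(string $password, string $stored): bool {
    if (!preg_match('/^\{([A-Za-z0-9.-]+)\}(.+)$/', $stored, $m)) {
        return false;
    }
    [, $scheme, $body] = $m;
    switch ($scheme) {
        case 'SHA512-CRYPT':
        case 'SHA256-CRYPT':
            // crypt() reuses the salt embedded in $body; compare in constant time.
            return hash_equals($body, crypt($password, $body));
        case 'SSHA512':
        case 'SSHA256':
            $raw = base64_decode($body, true);
            $digestLen = ($scheme === 'SSHA512') ? 64 : 32;
            if ($raw === false || strlen($raw) <= $digestLen) {
                return false;  // no salt bytes after the digest
            }
            $algo = ($scheme === 'SSHA512') ? 'sha512' : 'sha256';
            $salt = substr($raw, $digestLen);  // the salt is appended after the digest
            return hash_equals(substr($raw, 0, $digestLen), hash($algo, $password . $salt, true));
        default:
            return false;
    }
}

$stored = makeSha512Crypt('password123');
var_dump(verifyDovecotHash('password123', $stored));   // right password
var_dump(verifyDovecotHash('password124', $stored));   // wrong password
var_dump(verifyDovecotHash('password123', makeSsha512('password123')));
```

A hash that verifies here but fails doveadm pw -t points at a transport problem (quoting of the $ characters, or the web server storing a truncated value), not at the hashing itself.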

Aside: I would use the Blowfish scheme, but my server does not support it, so I used the next best thing. Also, I know there are many virtual mail management systems out there (ViMbAdmin), but I’m planning to build certain functionality of this management portal into other services I will offer to clients. I will also open source my management console after I have cleaned up the code.

Blocking Access to Non-Existing Themes in WordPress

Over the last few months I have been seeing a rise in automated exploit scans of the WordPress based sites I manage. So I have decided to squash this annoying exploit by writing an .htaccess directive.

The exploit scanner I was seeing across my managed sites was looking for a vulnerability in the following directories and/or themes:

http://example.com/wp-content/themes/awake/lib/scripts/dl-skin.php
http://example.com/wp-content/themes/myriad/lib/scripts/dl-skin.php
http://example.com/wp-content/themes/modular/lib/scripts/dl-skin.php
http://example.com/wp-content/themes/construct/lib/scripts/dl-skin.php
http://example.com/wp-content/themes/dejavu/lib/scripts/dl-skin.php
http://example.com/wp-content/themes/method/lib/scripts/dl-skin.php
http://example.com/wp-content/themes/elegance/lib/scripts/dl-skin.php
http://example.com/wp-content/themes/fusion/lib/scripts/dl-skin.php
http://example.com/wp-content/themes/persuasion/lib/scripts/dl-skin.php
http://example.com/wp-content/themes/echelon/lib/scripts/dl-skin.php
http://example.com/wp-content/themes/infocus2/lib/scripts/dl-skin.php
http://example.com/wp-content/themes/infocus/lib/scripts/dl-skin.php
...

I know I could just write a redirect that looks for dl-skin.php and call it a day. But I didn’t want to revisit this when the next exploit came knocking, so I created a directive that drops any request for any themes folder except the theme directory I declared – a whitelist of themes, if you will.

I can do this because I use a custom theme on these sites and I know what that theme’s folder name will be – usually something along the lines of the site’s name. So if you change your theme a lot or don’t know your theme’s folder name, you may not want to use this. This is meant for people using custom themes, or sites that are managed by an agency or developer(s).

The Code

# Blocks requests to other themes with possible security holes
# Only Themes directory names starting with __ThemeNameHere__ are valid.
<IfModule mod_alias.c>
    RedirectMatch 403 (?i)(__subFolder__/)?wp-content/themes/(?!__ThemeNameHere__)
</IfModule>

How it Works?

This will only allow requests to http://example.com/__subFolder__/wp-content/themes/__ThemeNameHere__/* while returning an HTTP 403 for any other folder in the themes directory. The __subFolder__ is optional – it allows for WordPress installs that are located in a sub-directory of the site root.

The technical explanation: redirect to 403 if the request matches the regular expression, where (?i) makes the match case-insensitive, the capture group subFolder/ is optional, wp-content/themes/ must follow, and then a negative (negated) lookahead requires that what follows does not begin with ThemeNameHere. (The original version of the rule also required a run of word characters, \w+, after the theme name; see the update below for why that was dropped.)

How to Use It?

To implement this, place the code in your site’s .htaccess below the WordPress Section. Don’t forget to update the following variables:

__subFolder__  # The Sub Folder where your WordPress site lives
__ThemeNameHere__  # The Folder Name of your theme, could Be beginning or whole name

Example

Assuming your WordPress Site is in a folder named blog and you access it via http://example.com/blog/ and your theme is the default ‘TwentyFifteen’ Theme, which is stored in a folder name ‘twentyfifteen’, the code you would use would look like this:

<IfModule mod_alias.c>
    RedirectMatch 403 (?i)(blog/)?wp-content/themes/(?!twentyfifteen)
</IfModule>

If your WordPress site is stored in root of your site – http://example.com/ the code you would use is:

<IfModule mod_alias.c>
    RedirectMatch 403 (?i)wp-content/themes/(?!twentyfifteen)
</IfModule>
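Apache’s RedirectMatch and PHP’s preg_match() both use PCRE, so the rule can be exercised against sample request paths before it goes into .htaccess. This is an added example, not part of the original post; the request paths are constructed to mirror the scanner hits listed above.

```php
<?php
// Added example (not from the original post): run the RedirectMatch pattern
// from the "blog" example above through PCRE and show which requests it blocks.

// Same pattern as the .htaccess rule; ~ is just the PHP delimiter.
const THEME_RULE = '~(?i)(blog/)?wp-content/themes/(?!twentyfifteen)~';

// true  => the rule matches and Apache would answer 403
// false => the request falls through to WordPress as normal
function isBlocked(string $urlPath): bool {
    return preg_match(THEME_RULE, $urlPath) === 1;
}

// Constructed sample request paths => the expected outcome.
$cases = [
    '/blog/wp-content/themes/awake/lib/scripts/dl-skin.php'   => true,   // scanner hit
    '/blog/wp-content/THEMES/Infocus/lib/scripts/dl-skin.php' => true,   // (?i) covers odd casing
    '/blog/wp-content/themes/'                                => true,   // bare directory request
    '/blog/wp-content/themes/twentyfifteen/style.css'         => false,  // whitelisted theme
    '/blog/wp-content/themes/TwentyFifteen-child/style.css'   => false,  // prefix match, as the post intends
    '/wp-content/themes/twentyfifteen/style.css'              => false,  // (blog/)? is optional
];

foreach ($cases as $path => $expected) {
    $got = isBlocked($path);
    printf("%s  %-58s -> %s\n", $got === $expected ? 'ok ' : 'BAD', $path, $got ? '403' : 'pass');
}
```

Because the pattern is unanchored, the optional (blog/)? group never changes the outcome; it documents intent rather than restricting anything, which is also why the prefix-only theme name lets a twentyfifteen-child folder through.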

Try it out and Feedback

Have you seen this exploit scanner or another like it? Trying out this little redirect or having problems with it? Let’s continue the discussion in the comments below…

Update – 2015-03-17: Dropped the \w+ declaration after the theme name – it would not match requests with hyphens in them.

Open a Samsung XL2270 Display for Repair

I recently needed to open a Samsung SyncMaster XL2270 (aka Samsung SMLX2270) for repair, because it would randomly have horizontal lines that run through it and I wanted to check the connections and capacitors.

When you check the monitor for screws or any other fasteners you won’t find any, so how do you get into it?

I’ll tell you how…

NOTICE: The Below Information is Provided for Informational Use Only. The Use of the Information May Result in: Damage, Injury, or Death. You agree not to hold anyone liable for any results of using this information. If you break it or hurt yourself – YOU MAY NOT HOLD ME OR ANYONE ELSE LIABLE.

Be Careful, if in doubt contact a Professional

Short Answer: Push/Pull the front bezel off starting in the corners.

The longer answer…

  1. First, disconnect any cables – power and video.
  2. Next, remove the base plate by unscrewing it from the bottom of the plate.
  3. Here comes the fun! Place the display facing away from you (you are facing the back and see the word Samsung).
  4. Starting in the corners, push on the front edge (bezel) that borders the screen – I suggest starting at the top. See the image for locations.

    [Image: Samsung XL2270 with arrows pointing to the four corners of the display from the back – places to push on the screen edge]

  5. The front bezel will POP off in that corner; go to each corner and repeat. Warning – when the display is about to open, be careful of some wires that connect to the front bezel. The back is what comes off completely.
  6. The back will pop off and you may set it aside to inspect and/or repair the display.

In order to reassemble the display you line up the back and you pop it back on by applying pressure.

Also you may want to use Plastic Opening Tools or Guitar Picks to assist in opening the display.

I hope this was informative and useful.