Postfix is a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail. PostfixAdmin is a web-based management tool created for Postfix. It is a PHP-based application that handles Postfix-style virtual domains and users that are stored in a database.
I have this PostfixAdmin install that leads to a blank page after login. A peek at the web server error log identified the problem:
Got error 'PHP message: Invalid query: SQLSTATE[42S22]: Column not found: 1054 Unknown column 'superadmin' in...
I fixed it. Then I encountered another blank page. Another peek at the web server:
Got error 'PHP message: Invalid query: SQLSTATE[42S22]: Column not found: 1054 Unknown column 'password_expiry' in...
It appears that during an upgrade from an older version, the database portion of the upgrade got botched somehow. So the fix was to get into the SQL console and manually run the following updates:
ALTER TABLE admin ADD COLUMN superadmin bool after password;
ALTER TABLE mailbox ADD COLUMN password_expiry TIMESTAMP DEFAULT now() not null;
ALTER TABLE domain ADD COLUMN password_expiry int DEFAULT 0;
And that was it. Simple but might help someone.
Setting up a print server allows you to share your regular USB printer as a network printer. We can set it up to allow printing using AirPrint from iOS and MacOS devices. We can even set it up to allow printing from Windows devices. Let’s set up one with a basic Raspberry Pi W. Of course, the higher Pis would do as well.
Yesterday, I upgraded my mail server’s operating system. After upgrading, I encountered the following error in dovecot:
config: Warning: please set ssl_dh=</etc/dovecot/dh.pem
What’s dh.pem? I found the answer in the Dovecot 2.3 upgrade documentation. Apparently, the ssl-parameters.dat file is now obsolete. You should use the ssl_dh setting instead, by adding ssl_dh=</etc/dovecot/dh.pem to the configuration.
But how do you get dh.pem?
One way is to convert an existing/old ssl-parameters.dat to dh.pem:
dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
Another way, which I found here, is to generate a new dh.pem:
openssl dhparam -out /etc/dovecot/dh.pem 4096
It takes a LOOONG time. But once the file is ready, just add it to /etc/dovecot/conf.d/10-ssl.conf:
ssl_cert = </etc/letsencrypt/live/myserver.xyz/fullchain.pem
ssl_key = </etc/letsencrypt/live/myserver.xyz/privkey.pem
ssl_dh = </etc/dovecot/dh.pem
Restart dovecot and you’re back in business.
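A check worth running before the restart, as an added example that is not part of the original post: it lints the three file-backed settings shown above, flagging a missing ssl_dh, a value without the leading `<` (which Dovecot needs in order to read the value from a file), an unreadable file, and a world-readable private key. The function names `check_dovecot_ssl` and `demo` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): lint the file-backed TLS
# settings in a Dovecot 10-ssl.conf. check_dovecot_ssl is a hypothetical name.

# Prints one finding per line; the return status is the number of findings.
check_dovecot_ssl() {
    conf=$1
    findings=0
    for key in ssl_cert ssl_key ssl_dh; do
        # Take the last uncommented "key = value" line for this setting.
        value=$(awk -F= -v k="$key" '
            { name = $1; gsub(/[ \t]/, "", name) }
            name == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0 }
            END { print v }' "$conf")
        case $value in
            "")   echo "$key: not set" ;;
            "<"*) path=${value#"<"}
                  if [ ! -r "$path" ]; then
                      echo "$key: cannot read $path"
                  elif [ "$key" = ssl_key ] && [ -n "$(find -L "$path" -perm -004)" ]; then
                      echo "$key: $path is world-readable"
                  else
                      continue    # this setting is fine
                  fi ;;
            *)    echo "$key: '$value' lacks the leading '<', so no file is read" ;;
        esac
        findings=$((findings + 1))
    done
    return "$findings"
}

# Constructed sample: ssl_key is missing its '<' and ssl_dh is commented out.
demo() {
    dir=$(mktemp -d)
    : > "$dir/fullchain.pem"; : > "$dir/privkey.pem"; chmod 600 "$dir/privkey.pem"
    printf '%s\n' "ssl_cert = <$dir/fullchain.pem" \
                  "ssl_key = $dir/privkey.pem" \
                  "#ssl_dh = </etc/dovecot/dh.pem" > "$dir/10-ssl.conf"
    status=0; check_dovecot_ssl "$dir/10-ssl.conf" || status=$?
    rm -rf "$dir"
    return "$status"
}

demo || true
```

On a real server, call `check_dovecot_ssl /etc/dovecot/conf.d/10-ssl.conf` as root; a status of 0 means all three settings point at readable files.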
I’ve previously written on enabling HTTPS on your website using Let’s Encrypt. I showed that, with Let’s Encrypt, it’s quite easy to secure your Apache web server and, as a bonus, also showed how to secure your Dovecot mail server. But what if you are using Apache Tomcat? That’s quite easy, too!
There’s no question that secure communication is critical. On the web, this is done using HTTPS. HTTPS is a secure extension of HTTP. In HTTPS, communication is encrypted using Transport Layer Security (TLS), or its deprecated predecessor, Secure Sockets Layer (SSL).
TLS uses a public key encryption scheme where you have a public and private key pair. The web server provides the public key, which the web browser can use to encrypt communications. The public key is signed to certify the identity of the web server owning the key. This gives you the public key certificate, or simply the certificate.
You can self-sign (or self-certify) just so you can encrypt communications, and that’s fine if you’re dealing with yourself or parties who trust you and your self-signed certificate (e.g. your own systems or employees). But if you deal with other parties (e.g. other systems or customers), you need a certificate from a certificate authority (CA), a trusted entity that signs keys and issues certificates.
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG). They provide certificates absolutely free. The certificates expire in 90 days, but they can be automatically renewed using Certbot. There’s simply no excuse not to have a secure site. And it’s so easy to boot. There are step-by-step instructions for almost every web server and operating system combination at the Certbot page.
Here are the steps for getting certificates using Ubuntu and Apache:
- Add the Certbot apt repository:
  - sudo add-apt-repository ppa:certbot/certbot
- Update the repository
- Install Certbot from the new repository with apt-get:
  - sudo apt-get install python-certbot-apache
- Obtain a certificate for your domain
This gives you your new certificate files and configures Apache automatically. You can also find the certificate files, for other purposes (see below), at /etc/letsencrypt/live/example.com
The certificate only lasts for 90 days. However, Certbot takes care of this problem by running certbot renew twice a day via a systemd timer or cron. We can also manually test renewal:
- sudo certbot renew --dry-run
BONUS: If you’re using Dovecot (https://www.dovecot.org/), you can also use the certificate:
- Edit /etc/dovecot/conf.d/10-ssl.conf:
  - ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
  - ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
- Restart dovecot:
  - sudo service dovecot restart
That’s it! You now have a secure website and email server.
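Because Certbot renews the certificate unattended while Dovecot only reads the files when its configuration is loaded, the restart step has to happen after each renewal as well. The following Certbot deploy hook is an added example, not part of the original post: it restarts Dovecot only when the renewed lineage is the one 10-ssl.conf points at. `RENEWED_LINEAGE` is set by Certbot for deploy hooks; the function names and the `DOVECOT_SSL_CONF` and `RELOAD_CMD` overrides are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): a Certbot deploy hook, e.g. an
# executable file in /etc/letsencrypt/renewal-hooks/deploy/. Certbot runs
# deploy hooks after a successful renewal and exports RENEWED_LINEAGE, the
# live/ directory of the certificate that was renewed.

# Assumed overrides so the hook can be exercised without touching the service.
DOVECOT_SSL_CONF=${DOVECOT_SSL_CONF:-/etc/dovecot/conf.d/10-ssl.conf}

# True when an uncommented ssl_cert/ssl_key line loads a file from the lineage.
dovecot_uses_lineage() {
    lineage=${1%/}
    [ -n "$lineage" ] || return 1
    grep -E '^[[:space:]]*ssl_(cert|key)[[:space:]]*=' "$2" 2>/dev/null |
        grep -Fq "<$lineage/"
}

run_hook() {
    if dovecot_uses_lineage "${RENEWED_LINEAGE:-}" "$DOVECOT_SSL_CONF"; then
        # Same restart command as in the post; the hook already runs as root.
        ${RELOAD_CMD:-service dovecot restart} && echo "restarted dovecot"
    else
        echo "skipped: dovecot does not use ${RENEWED_LINEAGE:-<no lineage>}"
    fi
}

run_hook
```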