Sponsored Post Learn from the experts: Create a successful blog with our brand new courseThe WordPress.com Blog

WordPress.com is excited to announce our newest offering: a course just for beginning bloggers where you’ll learn everything you need to know about blogging from the most trusted experts in the industry. We have helped millions of blogs get up and running, we know what works, and we want you to to know everything we know. This course provides all the fundamental skills and inspiration you need to get your blog started, an interactive community forum, and content updated annually.

Using HAPROXY Against Zimbra MTA Services, reveal origin IP

We often use HAProxy when deploying zimbra in large environment for load balancing traffic espesially in MTA services  port 25, 465 and 587. but using default configuration  in haproxy and zimbra  affecting sender IP will be read as HAProxy server’s IP, so we cannot trace email by it’s origin IP. this is a big issue when dealing with spammer either from outside or internal.

Luckily there are option in postfix for read original IP from traffic that was sent by haproxy. the configuration are postscreen_upstream_proxy_protocol (if using postscreen as it’s a default in smtp port 25 since zimbra 8.7) and smtpd_upstream_proxy_protocol then from haproxy side by adding send-proxy option.

So here’s the steps for configuring it:

Continue reading “Using HAPROXY Against Zimbra MTA Services, reveal origin IP”

[ClearOS_6] Make ldap service listen to all IP

In ClearOS We can set Ldap service listen to all interface by setting Publish Policy option to All Networks, but maybe for security concern the service was not for ldap but ldaps (SSL ldap protocol) which listen in port 636.

Because there is an application that will be using ClearOS ldap as authentication backend cannot using ldaps (as it’s been hardcoded from  vendor) so we need to force ldap (port 389) service to listen in all IP.

So here’s the steps.

  • Edit init service for slapd
vi /etc/init.d/slapd
  • Go to line number 72 then add following lines.
for ip in $AUTOMAGIC_LANIPS; do
      harg="$harg ldap://$ip"
done
  • Save and exit, then restart slapd service to apply the changes
service slapd restart
  • Make sure the modified file will not replaced if there is update for package openldap-servers (do as your own risk)
vi /etc/yum.conf
  • Under section [main] add following line
exclude=openldap-servers
  • make sure ldap service port are listening to all available IP.
netstat -tnap | grep LISTEN | grep 389

 

[ZIMBRA] Prevent User Customizing “FROM” header

Background

Some of our Zimbra customers are complaining for authenticated user can customizing FROM header which can lead to fraud email. this issue can be reproduce by using thunderbird once compose an email as following picture.

customize_from_header.png

or by using this script, change variables username, password, fake_from and to_addr based on your environment.

Solution

I created customized milter engine using python milter library for my workaroud with following features:

Continue reading “[ZIMBRA] Prevent User Customizing “FROM” header”

Using Django Template Outside Project

if you have similar needs for using django template outside django project then this snipped will be useful.

import django
from django.template import Template, Context
from django.conf import settings
# optional if you just render str instead of template file
from django.template.loader import get_template
settings.configure(TEMPLATES=[{
'BACKEND': 'django.template.backends.django.DjangoTemplates',
# if you want to render using template file
'DIRS': ['/tmp/template_dirs']
}])
django.setup()
# variables that will be passed to template
vars = {'name':'mochtar'}
print Template("Using string = {{name}}").render(Context(vars))
# file say_hello.tmpl located in folder /tmp/template_dirs as it's configured above
print get_template("say_hello.tmpl").render(vars)