Postfix and Servers with invalid Helo

I like to keep higher than “normal” security on our email servers. One such setting in Postfix is:

smtpd_helo_required = yes

Along with this setting enabled, you need to specify who is allowed and who should be blocked via:

smtpd_helo_restrictions = [bunch of settings here...]

In this article, I will be discussing:

smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, [other options not discussed]

I think that blocking mail servers that don’t properly have DNS set up is a GOOD thing. There are plenty of servers that don’t meet RFC specifications, many of which are spammers who don’t want their server discoverable via DNS routes...


Providing Email client autoconfiguration information

This is a re-post of the information from the blog (which no longer exists) pulled from part of a discussion on Stack Overflow. I have not personally validated any of this yet. Use at your own risk.

If you’ve ever configured a Gmail or Hotmail account in a mail client such as Thunderbird, Outlook or Apple Mail you will have noticed that all it asks of you is your username and password and automatically sets up the mail server hostnames, port numbers and connection settings. However, if you set up an email account hosted on your own mail server run on non-proprietary your mail client – at best – tries to make an educated guess as to what your SMTP and IMAP servers are. If you follow certain standards (e.g. calling your SMTP server smtp.maildomain...


Cars and Batteries and Terminals Oh My, is it really red first?

Proper connection order first, details below.

For JUMP STARTING with 2 vehicles:

  1. Red jumper to positive (red +) of dead battery.
  2. Red jumper to positive (red +) of charged battery.
  3. Black jumper to negative (black -) of charged battery.
  4. Black jumper to dead car’s frame (engine bolt) – NOT negative terminal of dead battery.
    Keeps final connection spark away from the dead battery.
  5. Charge for 3-5 minutes.
  6. Start the dead car.
  7. Disconnect in reverse. #4, #3, #2, #1.

For INSTALLING a car battery:

  1. Red cable to positive (red +) terminal (wrench to frame does nothing – no circuit to connect).
  2. Black cable to negative (black -) terminal (wrench to frame does nothing – negative to negative).

For REMOVING a car battery:

  1. NEGATIVE (black -) terminal first (wrench to frame does nothing – negative ...

Thunderbird or Outlook Won’t Save Sent Messages (imap/dovecot)

You’re getting an error that Outlook or Thunderbird cannot save to the sent folder and you’re connected to an imap server running dovecot. You’re also seeing Maximum Number of User+IP connections in /var/log/maillog as people try to send email messages.

Please edit the following configuration to accept more simultaneous connections from a single IP. Add it if missing.


Add or edit the line and increase it.

mail_max_userip_connections = 50

Restart dovecot via

systemctl restart dovecot


Roundcube Auth Fail with ISPConfig3 and Dovecot

After an upgrade of ISPConfig to the latest version, I told ISPConfig to “reconfigure” services. Roundcube started logging these entries in /usr/share/roundcubemail/logs/imap.log:

[19-Dec-2021 23:26:53 +0000]: <21grgvah> [A61A] S: A0001 NO [UNAVAILABLE] Temporary authentication failure. [ 23:26:53]

At first I thought this was a user password problem, but I confirmed the user’s password was accurate. After quite a lot of debugging, I found that it wasn’t a Roundcube login issue (I had properly upgraded that software); it was a dovecot issue. Roundcube authenticates against the dovecot IMAP server, and the communication between Roundcube and dovecot was working. It was dovecot that was broken when communicating with the SQL database (found in /var/log/maillog).

ISPConfig ...


Convert SSL crt to pem

Linux Text

openssl rsa -in ssl.key -out ssl.pem -outform PEM
openssl x509 -in ssl.crt -out ssl.pem -outform PEM

Windows Binary

openssl x509 -inform DER -outform PEM -in ssl.crt -out ssl.pem -text


Hidden Google Drive Menu

If you thought they removed the feature to add shared folders to your own drive, you can be relieved to know that it still exists!!!

In your browser, open up:

Navigate to the “Shared With Me” area (left column).

Select an item or folder (single click to highlight it).

Next use SHIFT-Z to activate a hidden menu that will allow you to add the item or folder to your own Google Drive.




Add/Swap UniFi Security Gateway (USG) to Existing Network with Another Router and Existing Controller

  • In Unifi Controller => Networks set an IP range DIFFERENT from your current one
  • On your “old” router/firewall hard code a DNS resolve for “unifi” to your Controller IP
    I added: (our windows domain and corresponding DNS is running on a sub-domain).
    You can verify this works on your domain by opening a CMD and type “ping unifi” … it should resolve now.
  • Connect the USG WAN port to your LAN – Controller should get a LAN IP via DHCP.
  • In the Controller adopt the USG
  • In the Controller configure WAN port to your real WAN data (static IP, whatever etc.).
    Note: The Controller will show the USG forever as “Provisioning”. Wait a few minutes, then…
  • Replace your old firewall/router with the USG (WAN to WAN Port, LAN to LAN port)…
  • In Unifi Controller => Networks set the LAN IP range back...

Resizing KVM qcow2 images

Expanding images

  1. Shut down the virtual machine
  2. Resize the image with
    qemu-img resize image.qcow2 +SIZE
    Where SIZE is the size (e.g. 10G for 10 gigabytes).
  3. Boot into gparted live and resize the partition.

Shrinking images

  1. Boot into gparted live and resize the partition smaller.
  2. If you managed to resize the partition from within the virtual machine (and thus didn’t shut it down already for resizing), shut it down now.
  3. KVM/QEMU images are stored in /var/lib/libvirt/images by default. I store them under /storage/images for my purposes. This process is done by root-only, so su is acceptable in this case. Create a new smaller qcow2 file to store the copied data
    qemu-img create -f qcow2 -o preallocation=metadata newimage.qcow2 NEW_SIZE
    where NEW_SIZE is the size (10G for the exampl...

Reset a Grandstream GXP21xx phone without the menu

Pull the power cord and re-plug it.
When the phone says “booting” hold the 1 and the 9 keys and keep holding until the phone says Factory Reset and asks for the admin password.
To enter the password, you will need to press a key multiple times to get the character you want, such as “ABC1abc”, where you would press 1 several times to get to the small ‘b’.

Password: Grandstr3am

Press the large DOT key in the middle of the arrow keys.
Phone should reboot and re-program itself.
