Tag: mail

  • Emptying Zimbra mailbox from the Command Line

    Hello everyone. I hope you are all doing well and staying safe!

    I wanted to document this procedure for clearing out an email box in Zimbra. I recently had to update my Zimbra mail server and I noticed that my admin account was strangely full. Over 200,000 messages in the inbox. Looking at it, they ended up being storage alerts that the Core snap in my Ubuntu Server was out of disk space. This is normal for snaps since they are SquashFS file systems for the applications they run and that is how they are designed. However, the amount of alerts was quite amazing.

    Since I’m not using snaps on this system, I removed the core snap and all of its revisions, and then removed snapd from the system so that the alerts would stop. I did this by doing the following:

    $ sudo snap list --all

    This listed all the snaps and revisions running on my mail server. I then noted the revision number and removed all the disabled snap versions of core by running the following:

    $ sudo snap remove --revision=xxx core

    where xxx is the revision number of the snap. I ran this twice since snaps only keep the previous two versions by default. I then deleted snapd from the system so that it won’t update and remove the core snap from the system:

    $ sudo apt purge snapd

    After this ran, I ran df -h to verify that /dev/loop2, which is where core was mounted on my system, was no longer mounted, which it wasn’t. Since I don’t plan on using snaps on this system, I have no issues.
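    The snap removal steps above are typed by hand, one revision at a time. The script below is an added example (not from the original post) that does the same cleanup generically: it reads the output of snap list --all, picks out every row whose Notes column says disabled, and emits the matching snap remove --revision=N command. The listing embedded in it is a constructed sample with made-up revision numbers, used so the parsing can be checked offline; by default the script only prints the commands, and runs them only when called with --run.

```shell
#!/bin/sh
# Added example: turn `snap list --all` output into the
# `snap remove --revision=N <name>` commands, one per disabled
# (superseded) revision. The sample listing below is constructed;
# the column layout (Name Version Rev Tracking Publisher Notes)
# matches snapd's, and "disabled" appears in the Notes column.
SAMPLE_SNAP_LIST='Name  Version  Rev   Tracking       Publisher   Notes
core  16-2.45   9289  latest/stable  canonical*  core,disabled
core  16-2.48   10583 latest/stable  canonical*  core
snapd 2.48      10238 latest/stable  canonical*  snapd'

# Print "<name> <rev>" for every row whose Notes column contains "disabled".
# Reads the listing from stdin so it works on both the live command output
# and the constructed sample.
disabled_snap_revisions() {
    awk 'NR > 1 && $NF ~ /(^|,)disabled(,|$)/ { print $1, $3 }'
}

# Dry run by default: print the remove commands instead of running them.
# Pass --run as the first argument to execute them with sudo.
remove_disabled_snaps() {
    mode="${1:-dry-run}"
    disabled_snap_revisions | while read -r name rev; do
        if [ "$mode" = "--run" ]; then
            sudo snap remove --revision="$rev" "$name"
        else
            echo "snap remove --revision=$rev $name"
        fi
    done
}

# Stand-alone demonstration on the constructed sample (prints one command):
printf '%s\n' "$SAMPLE_SNAP_LIST" | remove_disabled_snaps
```

    Against a live system you would pipe the real listing in instead: sudo snap list --all | remove_disabled_snaps, and add --run once the printed commands look right. Only rows marked disabled are touched, so the currently active revision of each snap is left alone.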

    Next, I needed to delete the over 200,000 alerts in the admin account. I tried to use the web UI to do this, but it was taking forever. After some Google searching and reading the Zimbra documents, I found out about the command zmmailbox.

    Since I didn’t care about any of the email in the mailbox, I was ready to just delete the entire contents. Use the following commands to do it:

    $ ssh mailhost.example.net
    $ sudo su - zimbra
    $ zmmailbox
    mbox> adminAuthenticate -u https://mailhost.example.net:7071 admin@example.net adminpassword
    mbox> selectMailbox admin@example.net
    mbox admin@example.net> emptyFolder /Inbox
    mbox admin@example.net> emptyFolder /Trash
    mbox admin@example.net> exit
    $ exit

    It took a little while after the emptyFolder command, but it cleared out the inbox and trash folders.

    Let me know if this helps you.

  • Using UFW to secure a server

    Hello Everyone! Hope you’re doing well!

    So for the last few weeks, I have been dealing with a DoS attack happening against me. After spending a couple of days with Comcast network engineers, we finally figured out that my mail server was being attacked. Once we disabled the NIC on the server, Internet service would start up immediately and everything appeared to be working properly. Looking at the auth logs, I noticed that port 80 and port 22 were getting bombarded by the DoS attacks.

    Since the Comcast gateway has a poor firewall, I looked into getting an upgraded PAN to meet my demand, but unfortunately, that was going to set me back about $4k. I also looked at Untangle, but ran into configuration issues with the Comcast gateway and my static IPs.

    So, until I save my pennies to get the upgraded PAN, I had to use ufw to block my attacks.

    UFW, or Uncomplicated Firewall, is the default firewall for Ubuntu. Since my mail server is running Ubuntu, I decided to use this, and it is fairly easy to set up and use.

    The first thing I noticed when being attacked was that specific Chinese IP addresses were attacking the server on port 22 and port 80, which are the SSH port and the unencrypted default web server port. So these were going to be the first ones that I set up. However, one thing to note is that when you enable ufw, it blocks all traffic, which is a good thing really; but when you rely on email for your job, blocking it all is not good. So I needed to find out which external ports I needed to have open to the public so that it would still work, and which ones I could leave available internally only so that I can still work on the servers if I need to.

    The first thing I did was look at what ports my server was exposing to the outside. I did this with the netstat command:

    netstat -an | more

    This command outputs all the interfaces and ports that the server is listening and communicating on. It also tells you who is connected to which service if they have an open session, so this command is pretty important if you want to get into security.

    To make it easy, I needed imap, pop, smtp, ssh, http, https, and ldap.

    I also needed to know what can be internal only and what needs to be exposed to the public so that my email server can still get email.

    Here is what I came up with:

    Port                   Visibility
    22 (SSH)               Internal
    25 (SMTP)              Public
    443 (HTTPS)            Public
    993 (IMAP)             Public
    465 (SMTPS)            Public
    587 (SMTP Submission)  Public
    80 (HTTP)              Internal
    110 (POP3)             Internal
    143 (IMAP)             Internal
    389 (LDAP)             Internal
    995 (IMAPS)            Public

    So, now that I have the required information, I can create the rules. They are as simple as doing the following command:

    sudo ufw allow from x.x.x.x/24 to any port 22

    This rule allowed only my internal IPv4 network to connect to the server. I did this for all internal addresses. I also added the specific email external IP address with a /32 to specify only the server could talk to itself on the internal ports. Might have been overkill, but better safe than sorry. For my public rules I did the following command:

    sudo ufw allow from any to any port 443

    This also creates the matching IPv6 rules.

    If you accidentally create a rule that isn’t working properly, you can remove it by first looking up its number:

    sudo ufw status numbered

    and then:

    sudo ufw delete [rule #]

    Once everything is done, enable the firewall so that the rules will be applied:

    sudo ufw enable
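    The allow rules above are entered one at a time from the port table. The script below is an added example (not the post’s own commands) that builds the whole rule set from that table in one place: default-deny inbound, default-allow outbound, internal-only ports reachable from a single LAN range, public ports reachable from anywhere, every rule restricted to TCP, and logging switched on so the blocks show up in syslog as described. INTERNAL_NET is an assumed placeholder range and must be replaced with your own network; the port list and visibility classes are exactly those in the table. By default it only prints the ufw commands so they can be reviewed; pass apply to run them.

```shell
#!/bin/sh
# Added example: generate the ufw rules for the post's port/visibility table.
# INTERNAL_NET is a placeholder (documentation range); set it to your LAN.
INTERNAL_NET="${INTERNAL_NET:-192.0.2.0/24}"

# "port visibility" pairs, copied from the post's table.
PORT_TABLE='22 internal
25 public
443 public
993 public
465 public
587 public
80 internal
110 internal
143 internal
389 internal
995 public'

# Print the ufw commands for one visibility class ("internal" or "public").
# Internal ports are reachable only from INTERNAL_NET; public ports from any
# source. All of these services are TCP, so each rule is pinned to proto tcp
# rather than opening the UDP port as well.
ufw_rules_for() {
    class="$1"
    printf '%s\n' "$PORT_TABLE" | while read -r port vis; do
        [ "$vis" = "$class" ] || continue
        if [ "$class" = "internal" ]; then
            echo "ufw allow from $INTERNAL_NET to any port $port proto tcp"
        else
            echo "ufw allow from any to any port $port proto tcp"
        fi
    done
}

# Complete rule set: deny everything inbound unless listed, allow outbound,
# then the table, then logging so denied packets are visible in syslog.
ufw_ruleset() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    ufw_rules_for internal
    ufw_rules_for public
    echo "ufw logging on"
}

# Dry run (default) prints the commands; "apply" runs them under sudo.
case "${1:-dry-run}" in
    apply) ufw_ruleset | sudo sh -e ;;
    *)     ufw_ruleset ;;
esac
```

    Run it once without arguments and read the output, then run it with apply and finish with sudo ufw enable as in the post. Because the SSH rule restricted to INTERNAL_NET is added before the firewall is enabled, an administrative session from that range survives the switch-on; a session from anywhere else will not.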

    If you ever need to stop the firewall, you can disable it with sudo ufw disable, and the server will go back to being unsecured.
    I still had to reboot the server after creating the rules and enabling the firewall since sessions were still open, but after the reboot I haven’t had any more issues and email still works. You can look at the syslog to see all the blocks, which is somewhat fulfilling.

    If you have any questions, or if you have any comments, please leave them below!
    Thanks!