Running Multiple Postfix Instances On Same Box To Manage Google Mail Relay & AWS SES

So

I had a requirement where we wanted separate Postfix instances, one relaying SMTP traffic to Google Mail Relay and one to AWS SES, but we didn't want to add another server to the farm just to deploy a second Postfix.

There is more than one way to do this, but for our own reasons we wanted separate, dedicated instances so that each configuration could be managed on its own.

So, basically, if you have the postfix package installed on Linux you will have the folder /etc/postfix/ (depending on Linux flavour; I am using RHEL7). By default it listens on port 25, plus 465 if the smtps service is enabled in master.cf.

The main files to modify are master.cf and main.cf; I am assuming you know how to configure these.

Configure that instance as your Google Relay.

Now, to set up another instance on the same box, run the following commands:

 

This creates a /etc/postfix-ses/ folder, which is the new, separate instance.

If you want to relay through AWS SES you also need the cyrus-sasl-plain package (yum/apt), because SES's SMTP interface authenticates with SASL PLAIN/LOGIN over TLS. Keep the SASL password map readable by root only, since it holds the SES SMTP credentials in clear text.

Edit /etc/postfix-ses/master.cf and do the following:

The above runs this new instance on port 10025 (instead of the default port 25, which /etc/postfix/ is using) and SMTPS on 10465 (instead of the default 465). Both instances bind to the same interfaces, so the ports must not overlap or the second master will fail to start.

Edit /etc/postfix-ses/main.cf and comment out the following:

Configure the rest (relayhost, SASL credentials and TLS settings) as per the AWS SES SMTP guide.

Reload / restart the Postfix service; the same command controls both instances together. (Postfix's postmulti tool can also start, stop or reload a single instance by its instance name if you need to touch only one.)
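Added example (Python, not the post's own commands): a helper that makes the master.cf and main.cf edits described above in a reproducible way and checks that the two instances cannot fight over a port. It assumes the second instance was created with Postfix's postmulti tool, uses a constructed master.cf excerpt in place of the real file, and the SES region, CA bundle path and sasl_passwd location are placeholders.

```python
import re

# Constructed excerpt of a stock RHEL7-style master.cf (only the inet listeners
# matter here; the chroot column is "n" as shipped on RHEL).  Not the real file.
STOCK_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
"""

# Ports the second instance should listen on, keyed by master.cf service name.
SES_PORTS = {"smtp": 10025, "smtps": 10465}

# IANA ports Postfix implies when the service column is a name, not a number.
NAMED_PORTS = {"smtp": 25, "smtps": 465, "submission": 587}

# Settings "postmulti -e create" writes into a fresh instance's main.cf so it
# stays inert while you configure it; they have to go before the instance is used.
LOCKOUT_KEYS = {"master_service_disable", "authorized_submit_users"}

INET_LINE = re.compile(r"^(?P<name>\S+)\s+inet\s+(?P<rest>.*)$")


def rebind_inet_services(master_cf: str, port_map: dict) -> str:
    """Return master.cf text with the named inet listeners moved to explicit ports.

    A bare port in the service column binds to inet_interfaces; "[addr]:port"
    would pin it to one address.  Continuation lines ("-o ...") and non-inet
    services are passed through untouched.
    """
    out = []
    for line in master_cf.splitlines():
        m = INET_LINE.match(line)
        if m and m.group("name") in port_map:
            line = f"{port_map[m.group('name')]:<9} inet  {m.group('rest')}"
        out.append(line)
    return "\n".join(out) + "\n"


def inet_ports(master_cf: str) -> set:
    """Ports a master.cf will listen on ("[addr]:port", a bare port, or a service name)."""
    ports = set()
    for line in master_cf.splitlines():
        m = INET_LINE.match(line)
        if not m:
            continue
        name = m.group("name").rsplit(":", 1)[-1]
        if name.isdigit():
            ports.add(int(name))
        elif name in NAMED_PORTS:
            ports.add(NAMED_PORTS[name])
    return ports


def drop_lockout_settings(main_cf: str) -> str:
    """Remove the two settings postmulti uses to keep a new instance disabled."""
    kept = [l for l in main_cf.splitlines()
            if l.split("=", 1)[0].strip() not in LOCKOUT_KEYS]
    return "\n".join(kept) + "\n"


def ses_main_cf(region: str, passwd_map: str = "/etc/postfix-ses/sasl_passwd") -> str:
    """main.cf lines for relaying through SES.  Parameter names are Postfix's own;
    region, CA bundle path and map location are placeholders for this example."""
    return "\n".join([
        f"relayhost = [email-smtp.{region}.amazonaws.com]:587",
        "smtp_sasl_auth_enable = yes",
        "smtp_sasl_security_options = noanonymous",   # never fall back to anonymous
        f"smtp_sasl_password_maps = hash:{passwd_map}",
        "smtp_tls_security_level = encrypt",          # refuse to send the creds in clear
        "smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt",
    ]) + "\n"


def check_no_port_clash(primary_master_cf: str, secondary_master_cf: str) -> set:
    """Ports both instances would try to bind; must be empty or the second master dies."""
    return inet_ports(primary_master_cf) & inet_ports(secondary_master_cf)


if __name__ == "__main__":
    ses_master = rebind_inet_services(STOCK_MASTER_CF, SES_PORTS)
    print(ses_master)
    print(ses_main_cf("us-east-1"))
    print("clashing ports:", check_no_port_clash(STOCK_MASTER_CF, ses_master))
```

The `-o syslog_name=postfix/smtps` override on the smtps line survives the rebind, so if you grep /var/log/maillog by instance name, change that override as well (or drop it so the instance-wide syslog_name applies).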

Now you have two Postfix instances running on the same box on different ports, and clients can be pointed at whichever one they need.

All the logs go to the single file /var/log/maillog.

Each line is tagged in <date> <time> <hostname> <instancename>/<daemon>[pid] format (the instance name is that instance's syslog_name), so you can grep for each instance separately.

Done!!!

Note: this site documents the various commands for working with multiple Postfix instances.

Batch Process an Array via PowerShell for FIMService Write-back (Or Any PS Scenario)

So,

A long time ago I wrote a post showing how you can do composite write-back to FIMService via PowerShell. That used the "Search-ResourcePaged" command from the Lithnet module. But it's not helpful in the scenario where you already have a list of users (say an exported CSV or a text file) you want to perform some action on. In that scenario XPath is not needed (and might not help if there is no pattern to search on), as you already have your objects to work on.

So say, for example, I have a list of 10000 object IDs from FIM and want to delete them.

The simple way would be:

Pretty simple, but it processes about one object per second, so 10000 objects take about 10000 seconds.

Yeah I am not going to wait that long…

Did some R&D (and Googling) and found a few different ways of going about it.

One way was the ForEach -Parallel flag. I tried it but it actually had the reverse effect for me... I did it wrong, obviously. It worked but took longer for some reason (even with -ThrottleLimit set). Moved on; it went above my head for the limited time I had to do the job.

Then I found a pretty simple way to do it online and modified it to suit my scenario:

 

Voila!!! It's done in seconds. It sends batches of 1000 objects at a time to FIMService as one composite request each and processes them quickly. I did about 10000 in 10-15 seconds or so. You can also import a CSV/TXT file and build the array from that.

I am not a PowerShell expert and this may not be the most elegant way of doing it, but it gets the job done quickly.

You can use the same logic for virtually anything, not just writing back to FIMService. It helped me do large modifications/deletes pretty quickly.
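The batching logic, as an added example in Python rather than the post's PowerShell (the same shape applies in either language): objects are sent in fixed-size batches, and because a composite request is accepted or rejected as a whole, a failed batch is bisected until the offending object is isolated instead of losing the other 999 with it. FakeFimService and the id-NNNNN identifiers are constructed stand-ins for this example, not FIMService's API.

```python
from typing import Callable, Iterator, List, Sequence, Tuple

BATCH_SIZE = 1000


def chunk(items: Sequence, size: int) -> Iterator[Sequence]:
    """Yield consecutive slices of at most `size` items; the last slice may be short."""
    if size < 1:
        raise ValueError("batch size must be at least 1")
    for start in range(0, len(items), size):
        yield items[start:start + size]


def run_batched(items: Sequence, submit: Callable[[Sequence], None],
                size: int = BATCH_SIZE) -> Tuple[List, List]:
    """Submit `items` in batches.  A composite request is all-or-nothing, so when a
    batch is rejected it is split in half and both halves retried, until the
    offending object(s) end up as single-item batches.  Returns (done, failed)."""
    done: List = []
    failed: List = []
    pending = list(chunk(items, size))
    while pending:
        batch = pending.pop(0)
        try:
            submit(batch)
            done.extend(batch)
        except Exception:
            if len(batch) == 1:
                failed.extend(batch)          # isolated: this object is the problem
            else:
                mid = len(batch) // 2         # retry both halves, keeping order
                pending[:0] = [batch[:mid], batch[mid:]]
    return done, failed


class FakeFimService:
    """Constructed stand-in for FIMService: rejects a whole composite request if
    any object ID in it is in `bad`, and counts round trips."""

    def __init__(self, bad: Sequence[str] = ()):
        self.bad = set(bad)
        self.calls = 0

    def submit(self, batch: Sequence[str]) -> None:
        self.calls += 1
        if self.bad & set(batch):
            raise RuntimeError("composite request rejected")


def make_ids(n: int) -> List[str]:
    """Constructed object IDs standing in for the exported CSV/TXT list."""
    return [f"id-{i:05d}" for i in range(n)]


if __name__ == "__main__":
    svc = FakeFimService(bad=["id-04242"])
    done, failed = run_batched(make_ids(10000), svc.submit)
    print(f"{len(done)} done, failed: {failed}, {svc.calls} round trips "
          f"instead of 10000 one-at-a-time")
```

With one bad object among 10000, the bisection costs at most ten extra pairs of calls on top of the ten batch submissions, so the whole run stays around thirty round trips instead of falling back to one call per object.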

Till the next time…

Passwords: Evil Necessity to be Protected!!!

I had meant to post this on World Password Day but forgot to hit publish (my bad 😛).

Think of your passport: your very physical identity, which you keep in a locker or a safe place. While travelling you keep it with you at all times and don't leave it somewhere insecure.

Well, your digital identity is the same (more important, I think, in this day and age). You post your life on Facebook, rant on Twitter, upload your food likes on Instagram and weird faces on Snapchat, your music preferences on Apple Music or Spotify, look for a job on LinkedIn and so much more.

With our ever-growing online footprint, we mostly use a password to log in to each service we consume. In some instances you might use federated login (OpenID / OAuth sign-in with an existing Facebook, Google or LinkedIn account). Depending on your circumstances you might choose either: a new standalone account for the service, or an OpenID connection to it.

If you go with a password, I see people tend to reuse one they already know (easy to repeat) across multiple services. They might even append a number like 123 to "make a different password" out of the same base. BAD IDEA!!!

We are humans after all, and it's in our nature to make repetitive tasks easy, and passwords are no different. If you use the same password everywhere and any one of those services is breached, the attacker has your username/email and your password, and will try that pair against every other service (credential stuffing). They've hit the jackpot.

To remove the human element from creating and remembering passwords, use a password manager. There are many online, offline and hybrid password managers out there.

I really don't know the password of any service I use, except the master password of my password manager and my main/recovery email account, just in case I need to log in to recover the master password or other sites.

I will basically list some practices I have used for years and ways of securing yourself online:

  1. Register yourself and your family on sites like https://haveibeenpwned.com/: sites like these notify you if your email address has been found in any PUBLIC data breach. Of course, many breaches are not made public, so you don't know what you don't know.
  2. Get yourself a password manager and randomize the passwords of all your services. Rule of thumb: you SHOULD NOT be able to remember the password for most of the services you use. If you can, it's probably easier to crack. Some good password managers I have used are:
    • LastPass: It has some nice features like Security Score, which audits the security level of your passwords and tells you which ones to harden and which services have been compromised. You should run that and try to score high. It also has a feature to auto-change passwords for many popular services like Facebook/Twitter, where it logs in and performs the password change itself so you don't have to do the steps or remember the new password. There are plugins for all major browsers so it can autofill logins. LastPass Free is good enough for individual accounts; you don't really need the paid service. For a family account you might want it, and it's not expensive.
    • 1Password: Mac lovers love this. On top of the features above it has Watchtower, which notifies you of breaches and flags reused passwords (LastPass has a similar feature), and Travel Mode, which lets you remove your password vault from your devices when travelling to a country where you would rather not hand over your passwords in a forced check at the border. It's a costly subscription model, but it's much better looking and sleeker, so to say.
    • There are others like Dashlane and Bitwarden, which I haven't used but which are highly regarded in the community.
  3. Now the master password to your password manager. Obviously, DON'T USE AN EASY ONE, but you do need to remember this one. One way of doing it is the Diceware method. You roll a die five times; the five digits form a key that looks up one word in a list of 6^5 = 7776 words. Repeat this five or six times to get a string of random words. Because they are words, the passphrase is easy to remember, and six words give about 77 bits of entropy before any tweaking. You can then additionally replace a few characters with resembling symbols or capitalize (like 1 for l, $ for s and so on); that makes the result harder to guess by hand but adds only a little entropy compared with rolling one more word. The result is a long (typically 30+ character) master password that is easy to remember. I can remember mine. Don't try it.. not my password 😛
  4. ENABLE MFA on your password manager. If it doesn't have it, DON'T BUY IT.
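Added example, not from the post: Diceware-style selection done in code, with the entropy arithmetic behind the numbers above. The 36-word list and the two-dice key are constructed for the demo; the real Diceware list has 6^5 = 7776 words keyed by five dice, and REAL_LIST_SIZE is what the entropy figures use.

```python
import math
import secrets

# Constructed 36-word demo list, indexed by two dice (6*6 = 36).  The real
# Diceware list has 6^5 = 7776 words indexed by five dice; the code is identical.
DEMO_DICE = 2
DEMO_WORDS = ("acorn anvil apple badge basil beach cabin candle cedar delta dune eagle "
              "ember fable fjord gable ginger gravel harbor hazel iris ivory jade juniper "
              "kayak kelp lantern lemon maple meadow nickel oak olive pebble quartz raven").split()
assert len(DEMO_WORDS) == 6 ** DEMO_DICE

REAL_LIST_SIZE = 6 ** 5   # 7776 words on the real list


def roll_key(dice: int) -> str:
    """Roll `dice` fair dice using the OS CSPRNG; the digits are the lookup key."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))


def key_to_index(key: str) -> int:
    """Die faces 1-6 read as base-6 digits: '11' -> 0, '66' -> 35, '66666' -> 7775."""
    idx = 0
    for d in key:
        if d not in "123456":
            raise ValueError(f"not a die face: {d!r}")
        idx = idx * 6 + (int(d) - 1)
    return idx


def passphrase(words: int, wordlist=DEMO_WORDS, dice: int = DEMO_DICE) -> str:
    """Pick `words` words, each from a fresh independent roll (never reuse a roll)."""
    if len(wordlist) != 6 ** dice:
        raise ValueError("word list must have exactly 6**dice entries")
    return " ".join(wordlist[key_to_index(roll_key(dice))] for _ in range(words))


def entropy_bits(words: int, list_size: int) -> float:
    """Entropy of a passphrase of `words` words each drawn uniformly from `list_size`."""
    return words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count that reaches `target_bits`; adding a word beats l->1 tricks."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("demo passphrase:", passphrase(6))
    print(f"6 real Diceware words: {entropy_bits(6, REAL_LIST_SIZE):.1f} bits; "
          f"7 words: {entropy_bits(7, REAL_LIST_SIZE):.1f} bits; "
          f"6 words from the 36-word demo list: {entropy_bits(6, len(DEMO_WORDS)):.1f} bits")
```

Each substitution of the "1 for l" kind is at most one extra bit per position for an attacker who tries both spellings, whereas one more word from the real list is about 12.9 bits, which is why the word count is the knob that matters.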

In the end, I would say that you, your family, your colleagues and anyone who is even a bit concerned about their online security and presence should implement a strong password regime. Use a secure password manager, randomize all passwords so that you don't remember them and they are unique to each service, use some logic of your own or Diceware so that your master password is super lengthy and secure, and of course enable MFA on your password manager as well.

These are some of the practices I have used for some time. What do you think? Be strong!!! Be safe!!!

Identity 101: 2 Factor Authentication and App Passwords

2FA A Must!!!

Two-Factor Authentication (2FA) / 2-Step Verification is getting a big push these days, and works as an additional layer of security in this ever-increasing world of social engineering and cyber threats. Not just at work, but for your personal accounts as well.

It should be turned on for every app you use, if you care about your security. Many big providers offer it: Facebook, Gmail, Twitter, Dropbox, Apple, Microsoft, crypto sites, etc. The list goes on and grows day by day!!!

The most common second factors are SMS, phone call and app verification (there are other types, but these are the most common). They are a separate, disjoint channel: if, say, your email (in the cloud) is compromised, these methods are not affected. SMS and voice are the weakest of the three, since a phone number can be hijacked by SIM swapping or number porting, so prefer an app-based code where the provider offers one.

For app verification I say you MUST have an app with backup and restore functionality. I have over 20 apps on 2FA; imagine if I lost or formatted my device, I would have to go to each of the 20+ sites, disable 2FA and then re-register for 2FA. PITA (I don't think I would even remember all the sites until I hit them some random day and get asked for a 2FA code!!! Lol!!!)

Therefore, I really recommend a few:

  • LastPass Authenticator: Backup and restore functionality, and if you already use LastPass as a password manager you already have an account.
  • Microsoft Authenticator: Just got backup and restore functionality on iOS a day ago.
  • 1Password Authenticator: If you are already invested in this wonderful password app, don't look any further!!!
  • Authy: Strong leader in this field.

I therefore simply can't recommend Google Authenticator, as it has no simple backup and restore facility (and looks so dated). Any app supporting RFC 6238 TOTP (Time-Based One-Time Password) works with any site that supports the same standard 🙂

Companies enabling 2FA with a QR code scan MUST let you use whichever app you wish, so you can keep a central repository with your own backup and restore (and ease of use). If you were forced to use a proprietary app for each login (say Google insists on the Google app, LastPass on the LastPass Authenticator, Microsoft on theirs), you can imagine the number of apps you would end up with on your phone and have to manage.

The positive of individual apps is that, since they are customized for the site, they can do push notifications, which allows easy login (an allow/deny or yes/no button popup). But I would still like a single-app experience.

Sometimes it's a decision to push the company's "branding", but I totally disagree with this, as 2FA should be seamless for a user, and if I have everything controlled by one app then why not? It's a bad (user-unfriendly) business decision to force their own auth app over the more popular ones.

But that is normally not the case with most of the big companies, and the majority didn't even bother to write their own app (and thus maintain app and code).

Apps are broken after 2FA???

Once you have 2FA ON (say on Google; I am heavily invested in their online ecosystem: mail, calendar, contacts etc.), you will suddenly realise that many apps are asking for your password again. For example, I turned on 2FA on my Gmail account, and I was using that account to email me pictures (over SMTP) from my security cameras when triggered by my security software. It stopped working. Likewise, contacts or calendar syncing via the CardDAV or CalDAV protocols on my iPhone suddenly started asking for the password.

This is because these apps can't handle 2FA: they only speak username/password and have no way to prompt for a second factor. Google gives you an easy way around this by generating App Passwords for them. It generates a random 16-character password, shown once, which you enter into the app in place of your real password. You DON'T have to remember or write them down: if you ever need to re-enter it on a device, just revoke it and generate a new one. Note that an app password bypasses 2FA for that one app, so treat it like a credential: give each app/device its own, and revoke it when the device is retired. You can go here to do so.

Screenshot showing an example of what you can do.

Other providers like Microsoft, Yahoo (really? someone still uses it?) etc. have a similar method.

TL;DR: 2FA: turn it ON (not just for your business but for your personal use as well), use an app with a secure backup and restore feature for sanity, and if some apps suddenly break, look for the App Password setting from the provider.

Google API Bug: Google Groups Settings returning wrong value – You need to invite!!!

So.. This is weird..

Apparently, if you try to set "whocaninvite" in Groups Settings via the API to "NONE_CAN_INVITE", the API returns the value as "ALL_MANAGERS_CAN_INVITE".

If you set the other values, say "ALL_MANAGERS_CAN_INVITE" or "ALL_MEMBERS_CAN_INVITE", it works fine and confirms by returning the same value back.

The same happens if you do it via the GAM tool or via their web portal to change the group's settings.

 

 

Above, if you select "Managers of the group" and save, then go back to the group, you will see the tick gone.

Apparently it's not affecting everyone. Well, it was, and then they said they fixed it, and I said nope. So they had to open a new bug, 72470856, for this one.

C'mon Google.. you guys are the coders, right? The developers?