1

Topic: Debian Upgrade Woes and Apache 2.4

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: Debian 9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Apache 2.4
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Would someone possibly be able to post a default Apache configuration that gets created with all of the relevant links in the config file? I'm looking for a virgin configuration file to get my web interfaces back up and running. Since I updated from Debian 8 to Debian 9, my Apache configuration is totally screwed up, and I just need the default-ssl.conf file that works with Apache 2.4 for all of the stuff like iRedAdmin, Roundcube, etc. I currently can't access any of them, because there's a problem with my configuration, and I'm having trouble pinpointing exactly what's wrong, so I'm thinking that if someone could post a default-ssl.conf for me, I can replace what I have currently, and at least get the web server up and running again, and figure out what I need to do for the rest of the sites that were working with Apache 2.2.

Also, does anyone have any experience migrating from OpenDKIM to Amavis to do the DKIM signatures for my domains that I host? OpenDKIM is one of the things that I had been running previously, but I'm thinking that it would be better to just sign my emails with Amavis, instead of OpenDKIM.

Thanks in advance!
Steve


2

Re: Debian Upgrade Woes and Apache 2.4

Set up a VM and install iRedMail, then you get all the files you need.

SteveLuxe wrote:

Also, does anyone have any experience migrating from OpenDKIM to Amavis to do the DKIM signatures for my domains that I host? OpenDKIM is one of the things that I had been running previously, but I'm thinking that it would be better to just sign my emails with Amavis, instead of OpenDKIM.

Just curious, why switch to OpenDKIM?

3

Re: Debian Upgrade Woes and Apache 2.4

Hey Zhang,

Thanks for the response! I was hoping to just get a copy of default-ssl.conf for Apache if someone happened to have a good copy that they were willing to post for me, but if I need to install a virtual machine for the files to correct the problem, I'll do that. I guess I didn't think about installing iRedMail to a VM and pulling the configuration files from there.


Just curious, why switch to OpenDKIM?

I'm not trying to switch TO OpenDKIM, I'm trying to switch to Amavis FROM OpenDKIM. I originally used OpenDKIM before I used iRedMail, and I kept that configuration when I switched to iRedMail, because it was easier than having to change the DNS for every domain that I host email for. My question is whether someone here has any experience having successfully migrated an OpenDKIM configuration to use with Amavis, while retaining my existing DKIM key signatures? I've searched the web, with not very much success, to see if anyone has posted a tutorial on how to do this, but I've been coming up with nothing. I figured it might be worth my time to see if someone here in the forums has ever done this, and whether it's going to be worth my while to try, or if I should just do everything the hard way and create new DKIM keys in Amavis. I'd prefer, if possible, to keep my existing key signatures.

Thanks again!

4

Re: Debian Upgrade Woes and Apache 2.4

Maybe this part in virtualhost is screwed?
Alias /cluebringer "/usr/share/postfix-cluebringer-webui/webui/"
Alias /iredadmin/static "/usr/share/apache2/iredadmin/static/"
WSGIScriptAlias /iredadmin "/usr/share/apache2/iredadmin/iredadmin.py/"
Alias /awstats/icon "/usr/share/awstats/icon/"
Alias /awstatsicon "/usr/share/awstats/icon/"
ScriptAlias /awstats "/usr/lib/cgi-bin/"
Alias /mail "/usr/share/apache2/roundcubemail/"

<Location /awstats>
    Order deny,allow
    Deny from all
    Allow from 192.168.2
</Location>

<Location /cluebringer>
    Order deny,allow
    Deny from all
    Allow from 192.168.2
</Location>

<Location /iredadmin>
    Order deny,allow
    Deny from all
    Allow from 192.168.2
</Location>
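
For comparison with the Apache 2.2-style access control in the post above, here is the same restriction written with Apache 2.4's native `Require` directive. This is an added example, not part of the original post and not iRedMail's shipped configuration; the three locations and the 192.168.2 prefix are taken from the post.

```apache
# Added example: Apache 2.4 (mod_authz_core / mod_authz_host) equivalent of
#   Order deny,allow
#   Deny from all
#   Allow from 192.168.2
#
# In 2.4 the Order/Allow/Deny directives are only understood when
# mod_access_compat is loaded; without it they are a syntax error.
# The Apache documentation discourages mixing Order/Allow/Deny with
# Require, so convert every block rather than only some of them.

<Location /awstats>
    # A partial address matches the whole 192.168.2.x range.
    Require ip 192.168.2
</Location>

<Location /cluebringer>
    Require ip 192.168.2
</Location>

<Location /iredadmin>
    Require ip 192.168.2
</Location>
```

After editing, `apache2ctl configtest` reports syntax errors before the service is reloaded.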

5

Re: Debian Upgrade Woes and Apache 2.4

Hey Mir!

Thanks for posting. I guess I won't know until I can get a clean VM built, and compare the whole files. This isn't by far the only problem I'm having with Debian 9. Now all of a sudden with my Outlook users, we're getting a brand new error in Dovecot's logs.

from dovecot.log:

Jul 26 17:30:26 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=x.x.x.x, lip=x.x.x.x, TLS handshaking: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher,

If I had hair, I'd be pulling it out right now. When I updated to Debian 9, Fail2ban stopped working because of a formatting error in a definition file. Fixed that. Dovecot stopped working. Fixed that. Apache is still borked, and I still need a good copy of default-ssl.conf, which I have to get from a VM that I haven't had time to build yet, and now I'm having logon failures because of the TLS cipher errors. If I had local access to this machine easily, I'd restore it from a hard backup, because it's a bare-metal server. Unfortunately, I'm facing fixing it, and I'm not even certain what's broken because right now everything seems as though it's broken in one way or another.

6

Re: Debian Upgrade Woes and Apache 2.4

No luck with anything so far. I already replaced my Apache configuration files, my virtual host files, and I'm still getting an SSL error. I'm beginning to think that my SSL Certificate for the server has somehow gotten corrupted, or my OpenSSL install is somehow messed up. Both Apache, and my Outlook clients, as well as a beta iOS 11 client are giving SSL errors. Outlook and iOS 11 can't even connect securely. Since I don't have the web server running properly, I'll be kinda unable to issue a new certificate via Let's Encrypt. I guess I'll try replacing the contents of the SSL certificate, and then see if that fixes anything, and if not, I'll have to buy a new certificate.

I'm still looking for advice on how to best migrate my DKIM keys from OpenDKIM to Amavis. If anyone knows how to do this, please let me know... Thanks!

7 (edited by SteveLuxe 2017-07-29 09:45:15)

Re: Debian Upgrade Woes and Apache 2.4

Okay, so after much virtual hair pulling, I managed to get Apache and the default webpages working again on Debian 9 by creating a completely new virtual machine, installing iRedMail, making a .tar.bz2 file of the /etc/apache2 folder, and removing the old configuration, putting the new config files in place, and running an apt-get install --reinstall apache2 so that it activated all of the modules and configurations that were in place.

I did the same thing for Dovecot, replacing the line with the database password in dovecot.cnf.

I haven't yet found out if Outlook is having the same issue, but my iOS 11 issue was because apparently Apple removed Wosign as a trusted CA from their devices in their upcoming OS. I would assume the same has been done by Microsoft. I used a handy little app for iOS called SSL Detective in order to find out why the problem was occurring.

I believe that most of the problems resulting from the upgrade to Debian 9 were a result of my /tmp partition being mounted with nosuid and noexec flags during the upgrade. I hope that this information helps someone else!