Disable recursion in Bind

Running publically facing DNS servers is often necessary in order to allow Internet resolution of your domains and services but allowing 3rd party look ups of other people’s domains and services (recursion) can create unnecessary server load and potential security problems.

Disabling recursion in BIND is involves editing the BIND configuration file (usually /etc/named.conf) and including the following configuration:

// Version obscures your BIND version information which
// protects you against attackers probing known vulnerabilities.

version “[SECURED]”;

// Optional – disables all transfers –
// slaves allowed in zone clauses

allow-transfer {”none”;};

// Optional – disable all recursive queries

allow-recursion {”none”;};
recursion no;

Once you have secured your DNS configuration restart BIND (/etc/init.d/named restart) then test that recusion is disabled by clicking here and entering your DNS server/s IP address.

Plesk Webstats (AWStats)

To force re-create web statistics for all domains on a Plesk Linux server use:

/usr/local/psa/admin/sbin/statistics –calculate-all

Parallels knowledge base article 393 for more information.

Plesk Grey Listing Problems

I recently debugged a mail delivery issue between a Plesk 9.2 server running Qmail and 3rd party ‘sending’ servers. In short, Qmail was not accepting email and was issuing a ” 451 qq trouble in home directory (#4.3.0) (in reply to end of DATA command)” error. Mail was then being diverted to a backup mx server (running Postfix) and being held until the Qmail server eventually accepted mail or the postqueue was forced.

The following is the receive error from the Plesk 9.2 server, running Qmail:

Jul 14 09:44:50 vh qmail-queue-handlers[20737]: call_handlers: call executable = '/usr/local/psa/handlers/info/05-grey-vvIjta/executable'
Jul 14 09:44:50 vh greylisting filter[20738]: Starting greylisting filter...Jul 14 09:44:50 vh qmail-queue-handlers[20737]: handlers_stderr: DEFER
Jul 14 09:44:50 vh qmail-queue-handlers[20737]: call_handlers: DEFER during call '/usr/local/psa/handlers/info/05-grey-vvIjta/executable' handler
Jul 14 09:44:50 vh qmail-queue-handlers[20737]: call_handlers: stop callhandlers from dir '/usr/local/psa/handlers/before-queue/global'

The backup MX server would list:

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
35412AE80F9     1252 Mon Jul 13 21:41:04  [email protected]
(host vh.myserver.net[] said: 451 qq trouble in home directory (#4.3.0) (in reply to end of DATA command))
[email protected]

As the undeliverable error on mail being sent to the Plesk server.

After much research and testing, it became apparent that Plesk’s grey listing was incorrectly flagging the sending server as a spam source and was applying Grey Listing parameters to the inbound messages.

Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will “temporarily reject” any email from a sender it does not recognize. If the mail is legitimate, the originating server will try again and the email is accepted. If the mail is from a spammer it will probably not be retried since a spammer goes through thousands of email addresses and cannot afford the time delay to retry.

Whilst grey listing is a logical spam counter measure, it can cause major problems when a backup mail server is attempting to relay mail to a primary (or lower preferenced) server for a specific mail domain.

In our environment, the best solution was to disable Grey Listing completely as we already have a perimeter spam filtering solution in place.

This command will disable Plesk’s built in grey listing:

# /usr/local/psa/bin/grey_listing --update-server -status off

A detailed outline of Plesk’s Grey Listing implementation (grey_listing) can be found here.

Please Note: If you are utilizing Plesk’s build in spam filtering options, do not disable grey_listing. Instead, adjust expire and penalty options to better suit your configuration and, if n/usr/local/psa/bin/grey_listingecessary, white list mail from your backup MX server. See the Plesk technical documentation for specific configuration.

Postfix Queue Maintenance

From time to time its necessary to carry out maintenance on Postfix’s queues, especially after a massive influx of spam or mail queue issues.

This command will delete one specific email from the mail queue (taken from the postsuper man page):

#mailq | tail +2 | grep -v ‘^ *(‘ | awk  ‘BEGIN { RS = “” } { if ($8 == “[email protected]” && $9 == “”) print $1 } ‘ | tr -d ‘*!’ | postsuper -d –

Note that “[email protected]” should be replaced with the messages noted email address.

To clear (delete) the entire Postfix queue, run the following command:

#postsuper -d ALL

Note: This command will delete all messages in the Postfix queue. If you need more selective deleting, this can be done as well, use ‘man postsuper’ to find out all of the available options.

Forgotten or Lost Linux Root Password

It’s inevitable that at one time, or another, a Linux sys admin will forget or lose a root password for a system they manage or that they’ll inherit a server to which the root passwords are unavailable for.

Thankfully, a Linux servers root password can be reset in a few simple steps via single-user mode.

To enter single-user mode, reboot your computer. If you use the default boot loader, GRUB, you can enter single user mode by performing the following:

  1. At the boot loader menu, use the arrow keys to highlight the installation you want to edit and type [A] to enter into append mode.
  2. You are presented with a prompt that looks similar to the following:

    grub append>
    ro root=LABEL=/

  3. Press the Spacebar once to add a blank space, then add the word single to tell GRUB to boot into single-user Linux mode. The result should look like the following:

    ro root=LABEL=/ single

  4. Press [Enter] and GRUB will boot single-user Linux mode. After it finishes loading, you will be presented with a shell prompt similar to the following: sh-2.05b#

  5. You can now change the root password by typing:

    passwd root

  6. You will be asked to re-type the password for verification. Once you are finished, the password will be changed.

You can then reboot by typing reboot at the prompt; then you can log in to root as you normally would.