26

Re: Debian 10 Buster Post

iolumbro wrote:

So, this public beta release will include initial support for Debian 10?

Yes. Even better, with OpenDMARC integration, a tutorial is on the way (just give me some time to finish it, although it's already integrated in iRedMail Easy).

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

27

Re: Debian 10 Buster Post

ZhangHuangbin wrote:

BTW, I will release the new iRedMail version via the iRedMail Easy platform next Monday (Jul 15); I have to delay Debian 10 support in both iRedMail and iRedMail Easy for a few more days.

Issues I noticed on Debian 10 are:

- Switching iptables to nftables
- No chains for Fail2ban in iptables (will switch to nftables too)

Hope I can fix them next week, then there will be iRedMail-1.0-beta1 available for public testing.

Hi Zhang,

What I realized was that iptables-nft translates iptables rules to nftables transparently. Everything we do with iptables, we can see both using iptables -L -v -t <table> and using nft list ruleset. This is done to avoid problems with existing firewall scripts. But they advise us to learn the syntax of nftables.
When fail2ban starts the service, it does not load the rules immediately, as it did when it did not use nftables. But when it detects some wrong activity in the logs, at that point it loads the rules. I did a brute-force test on my server and fail2ban blocked my access normally.

That's what I realized here.

28

Re: Debian 10 Buster Post

I didn't figure out why Fail2ban rules were not loaded yet.
Need some more time to dig.

29

Re: Debian 10 Buster Post

Installed Debian 10 today on a spare machine and installed iRedMail using the installer.

root@yoda# uname -a
Linux yoda 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5 (2019-06-19) x86_64 GNU/Linux

Issues I noticed:
1. iptables - no fail2ban chains which others have reported.
2. I see the following related to amavis in the mail.log
Jul 16 15:46:18 yoda amavis[1895]: (!)policy protocol: INVALID AM.PDP ATTRIBUTE LINE: POST / HTTP/1.1\r\n
Jul 16 15:46:18 yoda amavis[1895]: (!!)policy_server FAILED: Missing 'request' field at (eval 105) line 197, <GEN30> line 7.
Jul 16 15:46:19 yoda amavis[1895]: (!)policy protocol: INVALID AM.PDP ATTRIBUTE LINE: [{"version": "1.1", "params": [], "id": 0, "method": "getmempoolinfo"}, {"version": "1.1", "params": [], "id": 1, "method": "getnetworkinfo"}, {"version": "1.1", "params": [], "id": 2, "method": "getblockchaininfo"}, {"version": "1.1", "params": [], "id": 3, "method": "getmemoryinfo"}, {"version": "1.1", "params": [], "id": 4, "method": "gettxoutsetinfo"}]

root@yoda:~# systemctl status amavis
● amavis.service - LSB: Starts amavisd-new mailfilter
   Loaded: loaded (/etc/init.d/amavis; generated)
   Active: active (running) since Tue 2019-07-16 15:46:15 PDT; 22min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 483 ExecStart=/etc/init.d/amavis start (code=exited, status=0/SUCCESS)
    Tasks: 5 (limit: 4497)
   Memory: 198.4M
   CGroup: /system.slice/amavis.service
           ├─1215 /usr/sbin/amavisd-new (master)
           ├─1895 /usr/sbin/amavisd-new (ch1-avail)
           ├─1896 /usr/sbin/amavisd-new (ch1-avail)
           ├─1897 /usr/sbin/amavisd-new (virgin child)
           └─1898 /usr/sbin/amavisd-new (virgin child)

Jul 16 15:46:15 yoda amavis[1215]: No ext program for   .F, tried: unfreeze, freeze -d, melt, fcat
Jul 16 15:46:15 yoda amavis[1215]: No ext program for   .zoo, tried: zoo, unzoo
Jul 16 15:46:15 yoda amavis[1215]: No decoder for       .F
Jul 16 15:46:15 yoda amavis[1215]: No decoder for       .zoo
Jul 16 15:46:15 yoda amavis[1215]: Using primary internal av scanner code for clamav-socket
Jul 16 15:46:15 yoda amavis[1215]: Found secondary av scanner clamav-clamscan at /usr/bin/clamscan
Jul 16 15:46:18 yoda amavis[1895]: (!)policy protocol: INVALID AM.PDP ATTRIBUTE LINE: POST / HTTP/1.
Jul 16 15:46:18 yoda amavis[1895]: (!!)policy_server FAILED: Missing 'request' field at (eval 105) l
Jul 16 15:46:19 yoda amavis[1895]: (!)policy protocol: INVALID AM.PDP ATTRIBUTE LINE: [{"version": "
3. In the mysql error.log file I'm seeing this warning.
2019-07-16 16:10:02 100 [Warning] Aborted connection 100 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)
2019-07-16 16:10:02 101 [Warning] Aborted connection 101 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)
2019-07-16 16:11:01 102 [Warning] Aborted connection 102 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)
2019-07-16 16:11:02 103 [Warning] Aborted connection 103 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)
2019-07-16 16:12:01 104 [Warning] Aborted connection 104 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)
2019-07-16 16:12:02 105 [Warning] Aborted connection 105 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)
2019-07-16 16:13:01 106 [Warning] Aborted connection 106 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)
2019-07-16 16:13:01 107 [Warning] Aborted connection 107 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)

30

Re: Debian 10 Buster Post

chaz wrote:

2019-07-16 16:10:02 100 [Warning] Aborted connection 100 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)

I'm worrying about this "warning" message.

We had this issue on FreeBSD 12 for a long time; it slowly increases the error count, and when it reaches the max allowed errors, mysql will stop working and won't accept any connections. Unfortunately, I didn't figure out why it happened on FreeBSD 12. Now we get this on Debian 10.

Seems it's a SOGo-related issue, because it happens to the SOGo SQL user only. I didn't see other SQL users have such an issue.

I reported this issue to SOGo team on 2019-02-19, but no reply yet.
https://sogo.nu/bugs/view.php?id=4684
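The aborted-connection warnings discussed in this post (and again in post 41 below) can be watched from the error log itself rather than waiting for the server to stop accepting connections. The script below is an added example, not code from the thread or from iRedMail: it tallies the warnings per SQL user and host and flags any that pass a limit. The log lines in sample_log are constructed to match the format quoted above; ERROR_LOG and THRESHOLD are assumed names. One caveat from the MariaDB/MySQL side: a line of this form is the server reporting a session that authenticated and was then dropped, which it counts under Aborted_clients; that is a different counter from Aborted_connects, the connect-phase failures that max_connect_errors limits. SHOW GLOBAL STATUS LIKE 'Aborted_%' shows both counters.

```shell
#!/bin/sh
# Added example, not code from the thread or from iRedMail: tally
# "Aborted connection" warnings in a MariaDB/MySQL error log per SQL
# user@host and flag any that exceed a limit. ERROR_LOG and THRESHOLD
# are assumptions; sample_log is constructed in the format quoted above.

ERROR_LOG="${ERROR_LOG:-/var/log/mysql/error.log}"
THRESHOLD="${THRESHOLD:-10}"

# Constructed sample of /var/log/mysql/error.log.
sample_log() {
    cat <<'EOF'
2019-07-27 11:35:02 0 [Note] /usr/sbin/mysqld: ready for connections.
2019-07-27 11:36:01 51 [Warning] Aborted connection 51 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)
2019-07-27 11:36:01 52 [Warning] Aborted connection 52 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)
2019-07-27 11:37:01 53 [Warning] Aborted connection 53 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)
2019-07-27 11:37:01 54 [Warning] Aborted connection 54 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)
2019-07-27 11:38:10 55 [Warning] Aborted connection 55 to db: 'roundcubemail' user: 'roundcube' host: 'localhost' (Got an error reading communication packets)
2019-07-27 11:39:00 56 [Warning] Access denied for user 'sogo'@'localhost' (using password: YES)
EOF
}

# count_aborted: read an error log on stdin, print "COUNT user@host" per
# client, highest count first. Only "Aborted connection" warnings count;
# access-denied and other lines are ignored.
count_aborted() {
    awk -v q="'" '
        /\[Warning\] Aborted connection/ {
            user = ""; host = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "user:") user = $(i + 1)
                if ($i == "host:") host = $(i + 1)
            }
            gsub(q, "", user); gsub(q, "", host)   # strip the quotes
            n[user "@" host]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# aborted_count_for user@host: read the log on stdin, print that client's
# count (0 when it never appears).
aborted_count_for() {
    count_aborted | awk -v key="$1" '$2 == key { c = $1 } END { print c + 0 }'
}

# over_threshold LIMIT: read the log on stdin, print every client above
# LIMIT; exit 1 if any was printed, 0 otherwise.
over_threshold() {
    count_aborted | awk -v lim="$1" '
        $1 > lim { print "over threshold:", $2, "(" $1 " aborted connections)"; bad = 1 }
        END { exit bad + 0 }'
}

# Demo on the constructed log. For the live file use:
#   count_aborted < "$ERROR_LOG"; over_threshold "$THRESHOLD" < "$ERROR_LOG"
sample_log | count_aborted
if sample_log | over_threshold "$THRESHOLD"; then
    echo "no client above $THRESHOLD aborted connections in the sample"
fi
```

Run it from cron with a low THRESHOLD to get an early warning; if the count climbs at a steady one or two per minute, as reported in this thread, the client is dropping the connection on every poll and the SOGo side is where to look.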

31

Re: Debian 10 Buster Post

ZhangHuangbin wrote:
chaz wrote:

2019-07-16 16:10:02 100 [Warning] Aborted connection 100 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)

I'm worrying about this "warning" message.

We had this issue on FreeBSD 12 for a long time; it slowly increases the error count, and when it reaches the max allowed errors, mysql will stop working and won't accept any connections. Unfortunately, I didn't figure out why it happened on FreeBSD 12. Now we get this on Debian 10.

Seems it's a SOGo-related issue, because it happens to the SOGo SQL user only. I didn't see other SQL users have such an issue.

I reported this issue to SOGo team on 2019-02-19, but no reply yet.
https://sogo.nu/bugs/view.php?id=4684

I experienced that problem on FreeBSD 12 and needed to restart mysql to get it working again. On Debian 10 I left it to run overnight; SOGo is still working but the warning messages are building up in the log file. They are coming at the rate of 1 per min.

On the amavis warning, it's a configuration error on my part. My bad. Amavis is working per normal.

You mentioned OpenDMARC integration. I don't see it anywhere. Is it a separate package?

32

Re: Debian 10 Buster Post

ZhangHuangbin wrote:
chaz wrote:

2019-07-16 16:10:02 100 [Warning] Aborted connection 100 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)

I'm worrying about this "warning" message.

We had this issue on FreeBSD 12 for a long time; it slowly increases the error count, and when it reaches the max allowed errors, mysql will stop working and won't accept any connections. Unfortunately, I didn't figure out why it happened on FreeBSD 12. Now we get this on Debian 10.

Seems it's a SOGo-related issue, because it happens to the SOGo SQL user only. I didn't see other SQL users have such an issue.

I reported this issue to SOGo team on 2019-02-19, but no reply yet.
https://sogo.nu/bugs/view.php?id=4684


Not to be that guy, but have you thought of dropping SOGo and doing something else? Maybe Nextcloud or ownCloud?

I run Nextcloud and love it, especially over SOGo. Or, in the event that it causes this many issues, just offering Roundcube as default? Again, not trying to be "that guy" but just throwing out suggestions. I, for one, would love it packaged with Nextcloud or ownCloud, or both to be honest hahaha.

33

Re: Debian 10 Buster Post

chaz wrote:

You mentioned OpenDMARC integration. I don't see it anywhere. Is it a separate package?

Yes, it requires package "opendmarc". I will finish the integration document later:
https://docs.iredmail.org/integration.opendmarc.html (DRAFT)

34

Re: Debian 10 Buster Post

wylel wrote:

Not to be that guy, but have you thought of dropping SOGo and doing something else? Maybe Nextcloud or ownCloud?
I run Nextcloud and love it, especially over SOGo. Or, in the event that it causes this many issues, just offering Roundcube as default? Again, not trying to be "that guy" but just throwing out suggestions. I, for one, would love it packaged with Nextcloud or ownCloud, or both to be honest hahaha.

- We have no plan to remove or replace SOGo currently. MAYBE in the future, or offer it through the iRedMail Easy platform (https://www.iredmail.org/easy.html).
- You're free to set up NextCloud/ownCloud after iRedMail installation.

35

Re: Debian 10 Buster Post

ZhangHuangbin wrote:
wylel wrote:

Not to be that guy, but have you thought of dropping SOGo and doing something else? Maybe Nextcloud or ownCloud?
I run Nextcloud and love it, especially over SOGo. Or, in the event that it causes this many issues, just offering Roundcube as default? Again, not trying to be "that guy" but just throwing out suggestions. I, for one, would love it packaged with Nextcloud or ownCloud, or both to be honest hahaha.

- We have no plan to remove or replace SOGo currently. MAYBE in the future, or offer it through the iRedMail Easy platform (https://www.iredmail.org/easy.html).
- You're free to set up NextCloud/ownCloud after iRedMail installation.

I know I am, and I have; like I said, I was just throwing out suggestions. To me, SOGo is a cheap, dumbed-down version of the alternatives, and has too many issues to install it over, say, no webmail at all. Its functionality is minimal, and not worth its horrible optimization and the knowledge requirements to get it to work "correctly".

36

Re: Debian 10 Buster Post

Also, speaking of iRedMail Easy, I noticed it said "Release new versions frequently". This is for new releases, not bug fixes and security patches, correct?

37

Re: Debian 10 Buster Post

wylel wrote:

SOGo is a cheap dumbed down version of the alternatives, and has too many issues to install it over, say, no webmail at all.

SOGo does offer a webmail with calendar and contacts.

wylel wrote:

Also, speaking of iRedMail Easy, I noticed it said "Release new versions frequently". This is for new releases, not bug fixes and security patches, correct?

Usually a new version includes bug/security fixes (configuration/settings).
Check our detailed release notes here:
https://docs.iredmail.org/iredmail-easy … notes.html

38

Re: Debian 10 Buster Post

ZhangHuangbin wrote:
wylel wrote:

SOGo is a cheap dumbed down version of the alternatives, and has too many issues to install it over, say, no webmail at all.

SOGo does offer a webmail with calendar and contacts.

wylel wrote:

Also, speaking of iRedMail Easy, I noticed it said "Release new versions frequently". This is for new releases, not bug fixes and security patches, correct?

Usually a new version includes bug/security fixes (configuration/settings).
Check our detailed release notes here:
https://docs.iredmail.org/iredmail-easy … notes.html

I understand that. My concern is that security fixes in the software would be held for public release in favor of Easy. I am not saying you do this; that's why I wanted clarification. I see that iRedAPD 3.0 was part of that release of Easy, and those of us using the downloadable installer version got it as well on the 15th. With that I would imagine you would never hold high-level security bugs that could compromise our systems.

39

Re: Debian 10 Buster Post

Dear all,

Fail2ban + nftables should work fine on Debian 10 Buster in latest iRedMail development edition, could you guys help test it?

We're close to iRedMail-1.0-beta1.
Hope CentOS 8 will be released soon, then we can support it in iRedMail-1.0 final release.

40

Re: Debian 10 Buster Post

Downloaded and tested the iRedMail-1.0-beta1 (zhb-iredmail-32b706d26a5c) installer on Debian 10 in an LXC.

A couple of observations.

1. Installer.
The install worked. Observed the following:

Setting up fail2ban (0.10.2-2.1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service -> /lib/systemd/system/
fail2ban.service.
[fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/
fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly.

[ INFO ] Updating ClamAV database (freshclam), please wait ...
ERROR: /var/log/clamav/freshclam.log is locked by another process

2. Postfix. Notice the following warning in /var/log/mail.log file

Jul 27 11:22:07 test2 postfix/postfix-script[1051]: warning: symlink leaves directory: /etc/postfix/./makedefs.out

3. Amavis. Seeing this in the /var/log/mail.log file. Initially I thought it was a configuration error. I checked, and my config is good.

Jul 27 11:22:08 test2 amavis[697]: (!)policy protocol: INVALID AM.PDP ATTRIBUTE LINE: POST / HTTP/1.1\r\n
Jul 27 11:22:08 test2 amavis[697]: (!!)policy_server FAILED: Missing 'request' field at (eval 105) line 197, <GEN30> line 7.
Jul 27 11:22:09 test2 amavis[697]: (!)policy protocol: INVALID AM.PDP ATTRIBUTE LINE: [{"version": "1.1", "params": [], "id": 0, "method": "getmempoolinfo"}, {"version": "1.1", "params": [], "id": 1,"method": "getnetworkinfo"}, {"version": "1.1", "params": [], "id": 2, "method": "getblockchaininfo"}, {"version": "1.1", "params": [], "id": 3, "method": "getmemoryinfo"}, {"version": "1.1", "params"
: [], "id": 4, "method": "gettxoutsetinfo"}]

4. SOGo warning in the /var/log/mysql/error.log file. The warning is logged at 2 messages per min.

2019-07-27 11:36:01 51 [Warning] Aborted connection 51 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)
2019-07-27 11:36:01 52 [Warning] Aborted connection 52 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)
2019-07-27 11:37:01 53 [Warning] Aborted connection 53 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)
2019-07-27 11:37:01 54 [Warning] Aborted connection 54 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)

5. nft & fail2ban loaded. I've not tested it.

Other than that, all services appear to be working.

41

Re: Debian 10 Buster Post

chaz wrote:

1. Installer.
...
Setting up fail2ban (0.10.2-2.1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service -> /lib/systemd/system/
fail2ban.service.
[fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/
fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly.

This is caused by the fail2ban binary package, not the iRedMail installer.

chaz wrote:

[ INFO ] Updating ClamAV database (freshclam), please wait ...
ERROR: /var/log/clamav/freshclam.log is locked by another process

Safe to ignore.

chaz wrote:

2. Postfix. Notice the following warning in /var/log/mail.log file
Jul 27 11:22:07 test2 postfix/postfix-script[1051]: warning: symlink leaves directory: /etc/postfix/./makedefs.out

Caused by the postfix binary package, not the iRedMail installer.

chaz wrote:

3. Amavis. Seeing this in the /var/log/mail.log file. Initially I thought it was a configuration error. I checked, and my config is good.
Jul 27 11:22:08 test2 amavis[697]: (!)policy protocol: INVALID AM.PDP ATTRIBUTE LINE: POST / HTTP/1.1\r\n
Jul 27 11:22:08 test2 amavis[697]: (!!)policy_server FAILED: Missing 'request' field at (eval 105) line 197, <GEN30> line 7.
Jul 27 11:22:09 test2 amavis[697]: (!)policy protocol: INVALID AM.PDP ATTRIBUTE LINE: [{"version": "1.1", "params": [], "id": 0, "method": "getmempoolinfo"}, {"version": "1.1", "params": [], "id": 1,"method": "getnetworkinfo"}, {"version": "1.1", "params": [], "id": 2, "method": "getblockchaininfo"}, {"version": "1.1", "params": [], "id": 3, "method": "getmemoryinfo"}, {"version": "1.1", "params"
: [], "id": 4, "method": "gettxoutsetinfo"}]

I didn't figure out the cause yet.

chaz wrote:

4. SOGo warning in the /var/log/mysql/error.log file. The warning is logged at 2 messages per min.
2019-07-27 11:36:01 51 [Warning] Aborted connection 51 to db: 'sogo' user: 'sogo' host: 'localhost' (Got an error reading communication packets)

This MIGHT become a fatal error after this error count reaches the max error limit (set by MySQL globally).

chaz wrote:

5. nft & fail2ban loaded. I've not tested it.

You can run commands like below to test it:

# Get all existing jails.
fail2ban-client -x status

# Ban one IP manually
fail2ban-client -x set <jail-name-here> banip 2.2.2.2

# Now check nftables ruleset
nft list ruleset

# Unban one IP manually
fail2ban-client -x set <jail-name-here> unbanip 2.2.2.2

# Check nftables ruleset again
nft list ruleset
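A worked version of the manual test above, which also covers the observation in post 27 that fail2ban only materialises rules once it has something to ban. The script below is an added example, not code from the thread or from iRedMail: it parses nft list ruleset output and checks that a banned IP is actually an element of the jail's nftables set, then wraps the ban/unban round trip with fail2ban-client. The sample ruleset is constructed; the table and set names (f2b-table, addr-set-<jail>, f2b-chain) follow fail2ban's default nftables action and should be checked against the action your fail2ban version ships, and the sshd/postfix/dovecot jail names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from iRedMail: confirm that a
# fail2ban ban is enforced by nftables by checking the jail's address set in
# `nft list ruleset`. Table/set/chain names (f2b-table, addr-set-<jail>,
# f2b-chain) and the jail names are assumptions; sample_ruleset is constructed.

# Constructed `nft list ruleset` output after banning two IPs in jail sshd
# and three in jail dovecot (nft wraps long element lists across lines).
sample_ruleset() {
    cat <<'EOF'
table inet f2b-table {
    set addr-set-sshd {
        type ipv4_addr
        elements = { 2.2.2.2, 198.51.100.7 }
    }

    set addr-set-postfix {
        type ipv4_addr
    }

    set addr-set-dovecot {
        type ipv4_addr
        elements = { 203.0.113.5, 203.0.113.6,
                     203.0.113.7 }
    }

    chain f2b-chain {
        type filter hook input priority -1; policy accept;
        tcp dport { 22 } ip saddr @addr-set-sshd reject
        tcp dport { 25, 587 } ip saddr @addr-set-postfix reject
        tcp dport { 143, 993 } ip saddr @addr-set-dovecot reject
    }
}
EOF
}

# set_elements SET_NAME: read a ruleset on stdin and print the elements of
# SET_NAME one per line. Handles element lists wrapped over several lines;
# prints nothing if the set is absent or empty.
set_elements() {
    awk -v want="$1" '
        $1 == "set" && $2 == want { inset = 1; next }
        inset && $1 == "}"        { inset = 0 }
        inset && $1 == "elements" { collecting = 1; buf = "" }
        collecting {
            buf = buf " " $0
            if ($0 ~ /\}/) {                       # closing brace ends the list
                collecting = 0
                sub(/^[^{]*\{/, "", buf); sub(/\}.*$/, "", buf)
                n = split(buf, parts, ",")
                for (i = 1; i <= n; i++) {
                    gsub(/[ \t]/, "", parts[i])
                    if (parts[i] != "") print parts[i]
                }
            }
        }'
}

# ip_is_banned JAIL IP: read a ruleset on stdin; true if IP is an element of
# the jail's set (exact string match, so 2.2.2.2 does not match 2.2.2.22).
ip_is_banned() {
    set_elements "addr-set-$1" | grep -qxF "$2"
}

# check_live_ban JAIL IP: ban IP, verify it reached nftables, unban, verify it
# is gone. Needs root plus fail2ban-client and nft; returns 2 if they are absent.
check_live_ban() {
    jail=$1; ip=$2
    command -v fail2ban-client >/dev/null && command -v nft >/dev/null || return 2
    fail2ban-client set "$jail" banip "$ip" >/dev/null
    nft list ruleset | ip_is_banned "$jail" "$ip" || { echo "ban of $ip NOT in nftables"; return 1; }
    fail2ban-client set "$jail" unbanip "$ip" >/dev/null
    nft list ruleset | ip_is_banned "$jail" "$ip" && { echo "unban of $ip NOT applied"; return 1; }
    echo "fail2ban -> nftables round trip OK for $ip in jail $jail"
}

# Demo against the constructed ruleset (no root needed). For a live check:
#   check_live_ban sshd 2.2.2.2
if sample_ruleset | ip_is_banned sshd 2.2.2.2; then
    echo "2.2.2.2 is in addr-set-sshd: the ban is enforced by nftables"
fi
```

Checking the set rather than eyeballing nft list ruleset matters here because, as post 27 notes, the f2b chain and sets only appear once fail2ban has started the jail and added an element; an empty ruleset right after boot is not by itself a failure, and a ban that fail2ban-client reports but nft does not show is.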

42 (edited by ashfolk 2019-07-30 10:56:05)

Re: Debian 10 Buster Post

ZhangHuangbin wrote:

Dear all,

Fail2ban + nftables should work fine on Debian 10 Buster in latest iRedMail development edition, could you guys help test it?

We're close to iRedMail-1.0-beta1.
Hope CentOS 8 will be released soon, then we can support it in iRedMail-1.0 final release.

When iRedMail 1.0 final is released, will it be able to COMPLETELY CLEAN UP the "beta" folders & "beta" data/variables/channels, and transform/UPGRADE the "beta" iRedMail into a proper stable release of iRedMail 1.0? (What is the exact download URL for the beta? EDIT: found in your earlier post: https://bitbucket.org/zhb/iredmail/get/tip.tar.bz2)

If that's the case, then I/we can try the beta.

43 (edited by chaz 2019-07-31 03:24:09)

Re: Debian 10 Buster Post

ZhangHuangbin wrote:

...

chaz wrote:

5. nft & fail2ban loaded. I've not tested it.

You can run commands like below to test it:

# Get all existing jails.
fail2ban-client -x status

# Ban one IP manually
fail2ban-client -x set <jail-name-here> banip 2.2.2.2

# Now check nftables ruleset
nft list ruleset

# Unban one IP manually
fail2ban-client -x set <jail-name-here> unbanip 2.2.2.2

# Check nftables ruleset again
nft list ruleset

Tested the nft & fail2ban. It's working.

Going over the /var/log/syslog file I noticed the following errors:

Jul 29 00:00:01 test2 systemd[1]: Starting Rotate log files...
Jul 29 00:00:01 test2 systemd[1]: Starting Daily man-db regeneration...
Jul 29 00:00:02 test2 logrotate[7249]: #007mysqladmin: connect to server at 'localhost' failed
Jul 29 00:00:02 test2 logrotate[7249]: error: 'Access denied for user 'root'@'localhost' (using password: NO)'
Jul 29 00:00:02 test2 logrotate[7249]: error: error running shared postrotate script for '/var/log/mysql/mysql.log /var/log/mysql/mysql-slow.log /var/log/mysql/mariadb-slow.log /var/log/mysql/error.log '

Jul 30 00:00:01 test2 rsyslogd:  [origin software="rsyslogd" swVersion="8.1901.0" x-pid="70" x-info="https://www.rsyslog.com"] rsyslogd was HUPed
Jul 30 00:00:02 test2 systemd[1]: logrotate.service: Main process exited, code=exited, status=1/FAILURE
Jul 30 00:00:02 test2 systemd[1]: logrotate.service: Failed with result 'exit-code'.
Jul 30 00:00:02 test2 systemd[1]: Failed to start Rotate log files.
Jul 30 00:00:02 test2 systemd[1]: man-db.service: Succeeded.

44 (edited by ashfolk 2019-08-02 14:53:37)

Re: Debian 10 Buster Post

On Debian 10 (KVM):

BEGIN - installation:

root@s3:~/zhb-iredmail-32b706d26a5c/iRedMail# bash iRedMail.sh 
[ INFO ] Checking new version of iRedMail ...
[ INFO ] apt-get update ...
Hit:1 https://cdn-aws.deb.debian.org/debian buster InRelease
Hit:2 https://cdn-aws.deb.debian.org/debian-security buster/updates InRelease
Get:3 https://cdn-aws.deb.debian.org/debian buster-updates InRelease [46.8 kB]
Fetched 46.8 kB in 1s (40.0 kB/s)
Reading package lists... Done
[ INFO ] Fetching source tarballs ...
[ INFO ] + 1 of 6: https://dl.iredmail.org/yum/misc/iRedAdmin-0.9.7.tar.bz2
[ INFO ] + 2 of 6: https://dl.iredmail.org/yum/misc/mlmmjadmin-2.1.tar.gz
[ INFO ] + 3 of 6: https://dl.iredmail.org/yum/misc/iRedAPD-3.0.tar.bz2
[ INFO ] + 4 of 6: https://dl.iredmail.org/yum/misc/netdata-v1.16.0.gz.run
[ INFO ] + 5 of 6: https://dl.iredmail.org/yum/misc/roundcubemail-1.3.9-complete.tar.gz
[ INFO ] + 6 of 6: https://dl.iredmail.org/yum/misc/web.py-0.39.tar.gz
[ INFO ] Validate downloaded source tarballs ...
misc/iRedAdmin-0.9.7.tar.bz2: OK
misc/mlmmjadmin-2.1.tar.gz: OK
misc/iRedAPD-3.0.tar.bz2: OK
misc/netdata-v1.16.0.gz.run: OK
misc/roundcubemail-1.3.9-complete.tar.gz: OK
misc/web.py-0.39.tar.gz: OK
    [ OK ]
[ INFO ] Install package: dialog
[ INFO ] Installing package(s): dialog
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  dialog
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 274 kB of archives.
After this operation, 1196 kB of additional disk space will be used.
Get:1 https://cdn-aws.deb.debian.org/debian buster/main amd64 dialog amd64 1.3-20190211-1 [274 kB]
Fetched 274 kB in 0s (667 kB/s)
Selecting previously unselected package dialog.
(Reading database ... 28379 files and directories currently installed.)
Preparing to unpack .../dialog_1.3-20190211-1_amd64.deb ...
Unpacking dialog (1.3-20190211-1) ...
Setting up dialog (1.3-20190211-1) ...
Processing triggers for man-db (2.8.5-2) ...
[ INFO ] Checking configuration file: /root/zhb-iredmail-32b706d26a5c/iRedMail/config ...[ INFO ] NOT FOUND. Launching installation wizard.
iRedMail:_Open_Source_Mail_Server_Solution
...
┌─ Optional components ───────────────────────────────────────────────────┐
│ * DKIM signing/verification and SPF validation are enabled by default.   │
│ * DNS records for SPF and DKIM are required after installation.          │
│ Refer to below file for more detail after installation:                  │
│ * /root/zhb-iredmail-32b706d26a5c/iRedMail/iRedMail.tips                 │
│ ┌─                                                                     ┐ │
│ │      [ * ] Roundcubemail  Popular_webmail_built_with_PHP_and_AJAX      │ │
│ │      [ * ] SOGo           Webmail,_Calendar,_Address_book              │ │
│ │      [ * ] netdata        Awesome_system_monitor                       │ │
│ │      [ * ] iRedAdmin      Official_web-based_Admin_Panel               │ │
│ │      [ * ] Fail2ban       Ban_IP_with_too_many_password_failures       │ │
...
* Below file contains sensitive infomation (username/password), please  *
* do remember to *MOVE* it to a safe place after installation.          *
*   * /root/zhb-iredmail-32b706d26a5c/iRedMail/config
...
[ INFO ] Installing package(s): postfix postfix-pcre libsasl2-modules mariadb-client mariadb-server postfix-mysql libdbd-mysql-perl php-cli php-fpm php-json php-gd php-curl mcrypt php-intl php-xml php-mbstring php-mysql nginx-full dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-managesieved dovecot-sieve dovecot-mysql amavisd-new libcrypt-openssl-rsa-perl libmail-dkim-perl clamav-freshclam clamav-daemon spamassassin altermime arj nomarch cpio lzop cabextract p7zip-full rpm libmail-spf-perl unrar-free pax lrzip mlmmj memcached sogo python-sqlalchemy python-dnspython python-mysqldb python-jinja2 python-netifaces python-pycurl python-requests uwsgi uwsgi-plugin-python fail2ban zlib1g libuuid1 libmnl0 curl lm-sensors netcat bzip2 acl patch cron tofrodos logwatch unzip bsdutils liblz4-tool nftables
Reading package lists...
Building dependency tree...
Reading state information...
bzip2 is already the newest version (1.0.6-9.1).
cpio is already the newest version (2.12+dfsg-9).
cron is already the newest version (3.0pl1-134).
libsasl2-modules is already the newest version (2.1.27+dfsg-1).
libsasl2-modules set to manually installed.
libmnl0 is already the newest version (1.0.4-2).
bsdutils is already the newest version (1:2.33.1-0.1).
libuuid1 is already the newest version (2.33.1-0.1).
zlib1g is already the newest version (1:1.2.11.dfsg-1).
The following additional packages will be installed:
  binutils binutils-common binutils-x86-64-linux-gnu clamav clamav-base
  clamdscan cpp cpp-8 debugedit dovecot-core fontconfig-config
  fonts-dejavu-core galera-3 gawk gcc gcc-8 gnustep-base-common
  gnustep-base-runtime gnustep-common libarchive-zip-perl libarchive13
  libasan5 libatomic1 libauthen-sasl-perl libavahi-client3
  libavahi-common-data libavahi-common3 libberkeleydb-perl libbinutils
  libc-dev-bin libc6-dev libcc1-0 libcgi-fast-perl libcgi-pm-perl libclamav9
  libconfig-inifiles-perl libconvert-binhex-perl libconvert-tnef-perl
  libconvert-uulib-perl libcrypt-openssl-bignum-perl
  libcrypt-openssl-random-perl libcurl4 libdate-manip-perl libdbi-perl
  libdigest-bubblebabble-perl libdigest-hmac-perl libdw1 libencode-locale-perl
  liberror-perl libexttextcat-2.0-0 libexttextcat-data libfcgi-perl
  libfontconfig1 libgc1c2 libgcc-8-dev libgd3 libglib2.0-0 libglib2.0-data
  libgnustep-base1.26 libgomp1 libhtml-parser-perl libhtml-tagset-perl
  libhtml-template-perl libhttp-date-perl libhttp-message-perl libio-html-perl
  libio-multiplex-perl libio-socket-inet6-perl libio-socket-ssl-perl
  libio-stringy-perl libisl19 libitm1 libjansson4 libjbig0 libjpeg62-turbo
  liblasso3 liblsan0 libltdl7 liblua5.2-0 liblua5.3-0 liblwp-mediatypes-perl
  liblzo2-2 libmailtools-perl libmariadb3 libmatheval1 libmcrypt4
  libmemcached11 libmhash2 libmime-tools-perl libmpc3 libmpfr6 libmpx2
  libmspack0 libnet-cidr-lite-perl libnet-cidr-perl libnet-dns-perl
  libnet-dns-sec-perl libnet-ip-perl libnet-libidn-perl libnet-patricia-perl
  libnet-server-perl libnet-smtp-ssl-perl libnet-ssleay-perl
  libnetaddr-ip-perl libnftables0 libnginx-mod-http-auth-pam
  libnginx-mod-http-dav-ext libnginx-mod-http-echo libnginx-mod-http-geoip
  libnginx-mod-http-image-filter libnginx-mod-http-subs-filter
  libnginx-mod-http-upstream-fair libnginx-mod-http-xslt-filter
  libnginx-mod-mail libnginx-mod-stream libnorm1 libnspr4 libnss3 libobjc4
  libpgm-5.2-0 libpq5 libpython2.7 libquadmath0 librpm8 librpmbuild8 librpmio8
  librpmsign8 libsbjson2.3 libsensors-config libsensors5 libsigsegv2
  libsnappy1v5 libsocket6-perl libsodium23 libsope1 libstemmer0d
  libsys-cpu-perl libsys-hostname-long-perl libsys-meminfo-perl
  libterm-readkey-perl libtfm1 libtiff5 libtimedate-perl libtsan0 libubsan1
  libunix-syslog-perl liburi-perl libwavpack1 libwebp6 libxmlsec1
  libxmlsec1-openssl libxpm4 libxslt1.1 libyaml-0-2 libzmq5 linux-libc-dev lz4
  make manpages-dev mariadb-client-10.3 mariadb-client-core-10.3
  mariadb-common mariadb-server-10.3 mariadb-server-core-10.3 mysql-common
  nginx-common p7zip perl-openssl-defaults php-common php7.3-cli php7.3-common
  php7.3-curl php7.3-fpm php7.3-gd php7.3-intl php7.3-json php7.3-mbstring
  php7.3-mysql php7.3-opcache php7.3-readline php7.3-xml psmisc
  python-asn1crypto python-certifi python-cffi-backend python-chardet
  python-cryptography python-enum34 python-idna python-ipaddress
  python-markupsafe python-openssl python-pkg-resources python-six
  python-sqlalchemy-ext python-urllib3 python3-pyinotify python3-systemd re2c
  rpm-common rpm2cpio rsync sa-compile shared-mime-info socat sogo-common
  spamc ssl-cert unar uwsgi-core whois xdg-user-dirs zip
Suggested packages:
  dspam lhasa libnet-ldap-perl libsnmp-perl libzeromq-perl unrar binutils-doc
  clamav-docs daemon cpp-doc gcc-8-locales rpm-i18n dovecot-gssapi
  dovecot-ldap dovecot-lucene dovecot-pgsql dovecot-solr dovecot-sqlite
  dovecot-submissiond ntp ufw mailx monit sqlite3 gawk-doc gcc-multilib
  autoconf automake libtool flex bison gdb gcc-doc gcc-8-multilib gcc-8-doc
  libgcc1-dbg libgomp1-dbg libitm1-dbg libatomic1-dbg libasan5-dbg
  liblsan0-dbg libtsan0-dbg libubsan1-dbg libmpx2-dbg libquadmath0-dbg
  libgssapi-perl glibc-doc libclamunrar9 libclone-perl libmldbm-perl
  libnet-daemon-perl libsql-statement-perl libgd-tools libdata-dump-perl
  libipc-sharedcache-perl libmcrypt-dev liblog-log4perl-perl libwww-perl
  fancontrol read-edid i2c-tools make-doc mariadb-test netcat-openbsd tinyca
  libcache-memcached-perl libmemcached libanyevent-perl libyaml-perl
  mlmmj-php-web mlmmj-php-web-admin fcgiwrap nginx-doc p7zip-rar ed
  diffutils-doc php-pear procmail postfix-pgsql postfix-ldap postfix-lmdb
  postfix-sqlite resolvconf postfix-cdb mail-reader postfix-doc
  python-cryptography-doc python-cryptography-vectors python-enum34-doc
  python-jinja2-doc python-egenix-mxdatetime python-mysqldb-dbg
  python-openssl-doc python-openssl-dbg python-setuptools libcurl4-gnutls-dev
  python-pycurl-dbg python-pycurl-doc python-socks python-sqlalchemy-doc
  python-psycopg2 python-fdb python-pymssql python-ntlm python-pyinotify-doc
  alien elfutils rpmlint rpm2html razor pyzor libencode-detect-perl
  libgeo-ip-perl openssl-blacklist pike8.0 | pike7.8 | pike7.6 | pike
  uwsgi-dev uwsgi-extra uwsgi-plugins-all python-uwsgidecorators
Recommended packages:
  ripole
The following NEW packages will be installed:
  acl altermime amavisd-new arj binutils binutils-common
  binutils-x86-64-linux-gnu cabextract clamav clamav-base clamav-daemon
  clamav-freshclam clamdscan cpp cpp-8 curl debugedit dovecot-core
  dovecot-imapd dovecot-lmtpd dovecot-managesieved dovecot-mysql dovecot-pop3d
  dovecot-sieve fail2ban fontconfig-config fonts-dejavu-core galera-3 gawk gcc
  gcc-8 gnustep-base-common gnustep-base-runtime gnustep-common
  libarchive-zip-perl libarchive13 libasan5 libatomic1 libauthen-sasl-perl
  libavahi-client3 libavahi-common-data libavahi-common3 libberkeleydb-perl
  libbinutils libc-dev-bin libc6-dev libcc1-0 libcgi-fast-perl libcgi-pm-perl
  libclamav9 libconfig-inifiles-perl libconvert-binhex-perl
  libconvert-tnef-perl libconvert-uulib-perl libcrypt-openssl-bignum-perl
  libcrypt-openssl-random-perl libcrypt-openssl-rsa-perl libcurl4
  libdate-manip-perl libdbd-mysql-perl libdbi-perl libdigest-bubblebabble-perl
  libdigest-hmac-perl libdw1 libencode-locale-perl liberror-perl
  libexttextcat-2.0-0 libexttextcat-data libfcgi-perl libfontconfig1 libgc1c2
  libgcc-8-dev libgd3 libglib2.0-0 libglib2.0-data libgnustep-base1.26
  libgomp1 libhtml-parser-perl libhtml-tagset-perl libhtml-template-perl
  libhttp-date-perl libhttp-message-perl libio-html-perl libio-multiplex-perl
  libio-socket-inet6-perl libio-socket-ssl-perl libio-stringy-perl libisl19
  libitm1 libjansson4 libjbig0 libjpeg62-turbo liblasso3 liblsan0 libltdl7
  liblua5.2-0 liblua5.3-0 liblwp-mediatypes-perl liblz4-tool liblzo2-2
  libmail-dkim-perl libmail-spf-perl libmailtools-perl libmariadb3
  libmatheval1 libmcrypt4 libmemcached11 libmhash2 libmime-tools-perl libmpc3
  libmpfr6 libmpx2 libmspack0 libnet-cidr-lite-perl libnet-cidr-perl
  libnet-dns-perl libnet-dns-sec-perl libnet-ip-perl libnet-libidn-perl
  libnet-patricia-perl libnet-server-perl libnet-smtp-ssl-perl
  libnet-ssleay-perl libnetaddr-ip-perl libnftables0
  libnginx-mod-http-auth-pam libnginx-mod-http-dav-ext libnginx-mod-http-echo
  libnginx-mod-http-geoip libnginx-mod-http-image-filter
  libnginx-mod-http-subs-filter libnginx-mod-http-upstream-fair
  libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream libnorm1
  libnspr4 libnss3 libobjc4 libpgm-5.2-0 libpq5 libpython2.7 libquadmath0
  librpm8 librpmbuild8 librpmio8 librpmsign8 libsbjson2.3 libsensors-config
  libsensors5 libsigsegv2 libsnappy1v5 libsocket6-perl libsodium23 libsope1
  libstemmer0d libsys-cpu-perl libsys-hostname-long-perl libsys-meminfo-perl
  libterm-readkey-perl libtfm1 libtiff5 libtimedate-perl libtsan0 libubsan1
  libunix-syslog-perl liburi-perl libwavpack1 libwebp6 libxmlsec1
  libxmlsec1-openssl libxpm4 libxslt1.1 libyaml-0-2 libzmq5 linux-libc-dev
  lm-sensors logwatch lrzip lz4 lzop make manpages-dev mariadb-client
  mariadb-client-10.3 mariadb-client-core-10.3 mariadb-common mariadb-server
  mariadb-server-10.3 mariadb-server-core-10.3 mcrypt memcached mlmmj
  mysql-common netcat nftables nginx-common nginx-full nomarch p7zip
  p7zip-full patch pax perl-openssl-defaults php-cli php-common php-curl
  php-fpm php-gd php-intl php-json php-mbstring php-mysql php-xml php7.3-cli
  php7.3-common php7.3-curl php7.3-fpm php7.3-gd php7.3-intl php7.3-json
  php7.3-mbstring php7.3-mysql php7.3-opcache php7.3-readline php7.3-xml
  postfix postfix-mysql postfix-pcre psmisc python-asn1crypto python-certifi
  python-cffi-backend python-chardet python-cryptography python-dnspython
  python-enum34 python-idna python-ipaddress python-jinja2 python-markupsafe
  python-mysqldb python-netifaces python-openssl python-pkg-resources
  python-pycurl python-requests python-six python-sqlalchemy
  python-sqlalchemy-ext python-urllib3 python3-pyinotify python3-systemd re2c
  rpm rpm-common rpm2cpio rsync sa-compile shared-mime-info socat sogo
  sogo-common spamassassin spamc ssl-cert tofrodos unar unrar-free unzip uwsgi
  uwsgi-core uwsgi-plugin-python whois xdg-user-dirs zip
0 upgraded, 276 newly installed, 0 to remove and 0 not upgraded.
Need to get 141 MB of archives.
After this operation, 555 MB of additional disk space will be used.
Get:1 https://cdn-aws.deb.debian.org/debian ...
...
Extracting templates from packages: 100%
Preconfiguring packages ...
Fetched 141 MB in 1min 13s (1943 kB/s)
Selecting previously unselected package libmpfr6:amd64.
(Reading database ... 28536 files and directories currently installed.)
Preparing to unpack .../libmpfr6_4.0.2-1_amd64.deb ...
...
Setting up libconfig-inifiles-perl (3.000001-1) ...
...
Creating config file /etc/php/7.3/mods-available/calendar.ini with new version
...
* Start iRedMail Configurations
[ INFO ] Generate self-signed SSL cert (2048 bits, expire in 10 years).
[ INFO ] Generate Diffie Hellman Group with openssl, please wait.
[ INFO ] Create required system accounts.
[ INFO ] Configure Nginx web server.
[ INFO ] Configure PHP.
[ INFO ] Configure MariaDB database server.
[ INFO ] Setup daily cron job to backup SQL databases with /var/vmail/backup/backup_mysql.sh
[ INFO ] Configure Postfix (MTA).
[ INFO ] Configure Dovecot (POP3/IMAP/Managesieve/LMTP/LDA).
[ INFO ] Configure mlmmj (mailing list manager).
[ INFO ] Configure ClamAV (anti-virus toolkit).
[ INFO ] Configure Amavisd-new (interface between MTA and content checkers).
[ INFO ] Configure SpamAssassin (content-based spam filter).
[ INFO ] Configure iRedAPD (postfix policy daemon).
[ INFO ] Configure iRedAdmin (official web-based admin panel).
[ INFO ] Configure Fail2ban (authentication failure monitor).
[ INFO ] Configure Roundcube webmail.
[ INFO ] Configure SOGo Groupware (Webmail, Calendar, Address Book, ActiveSync).
* iRedMail-1.0-beta1 installation and configuration complete.
< Question > Would you like to use firewall rules provided by iRedMail?
< Question > File: /etc/default/iptables, with SSHD ports: 22. [Y|n]y
[ INFO ] Copy firewall sample rules.
< Question > Restart firewall now (with ssh ports: 22)? [y|N]y
[ INFO ] Restarting firewall ...
[ INFO ] Updating ClamAV database (freshclam), please wait ...
ERROR: /var/log/clamav/freshclam.log is locked by another process
* URLs of installed web applications:
* - Roundcube webmail: https://s3.example.com/mail/
* - SOGo groupware: https://s3.example.com/SOGo/
* - netdata (monitor): https://s3.example.com/netdata/
* - Web admin panel (iRedAdmin): https://s3.example.com/iredadmin/
* You can login to above links with below credential:
* - Username: postmaster@example.com
* - Password: pass1234 (this is not my real password)
* Congratulations, mail server setup completed successfully. Please
* read below file for more information:
*   - /root/zhb-iredmail-32b706d26a5c/iRedMail/iRedMail.tips
* And it's sent to your mail account postmaster@example.com.
* WARNING *
* Please reboot your system to enable all mail services.

END - installation.

This server functions as a NameServer and it was running fine. I think the installer script did not detect the NameServer and did not ask the user (a <question>) to add DNS port 53 as allowed in NFT (the netfilter firewall)!
So now the NameServer is not reachable from the internet (after installing iRedMail)! My/our other NameServer answered DNS queries for this s3 server's iRedMail mail server.

I think the installer script should find out which PORTs (and IP ADDRESSES) are pre-configured to LISTEN for INTERNET CONNECTIONS on a server, and then also set/add those in the NF (netfilter firewall) rules along with the (iRedMail) mail server related ports, the SSH port, etc., before blocking/disallowing traffic coming in on all other ports, which otherwise makes the server non-functional or partially non-functional.

The initial "Details of this iRedMail installation" email from root@hostname.example.com contains too many PASSWORDS & SENSITIVE config data, so I would like to strongly suggest NOT sending all this info over an email, and especially not as the 1st email, while the mail server & mail clients are not yet configured to use the postmaster's password securely through a secure/encrypted connection (IMAPS, POP3S). Connecting to a mail server even once, or once by mistake, without using the SECURE PROTOCOLS IMAPS/POP3S results in all of that sensitive data travelling over the OPEN, non-secure IMAP/POP3 connections, which is a DATA SECURITY BREACH. So all this sensitive info MUST be SAVED in a file, e.g. /root/iRedMail_Detail_installation.txt or /etc/iRedMail/iRedMail_Detail_installation.txt, etc.

Will you be adding GnuPG/GPG support to the iRedMail installer for sending encrypted emails?
When an email's content is not encrypted with GPG/PGP/S/MIME, it is an OPEN email.

The installer created a self-signed SSL/TLS cert, so I don't see why the installer cannot create a key pair for the user postmaster@example.com and use that to send encrypted email(s), especially that "Details" email with sensitive data.

Before setting up iRedMail, I/we already had this SERVER CONFIGURATION/LAYOUT:
s1, s2, s3. Each has 1 IPv4 & 1 IPv6 address. They are located in different geo-locations.

s1 has ipv4-1 & ipv6-1,
s2 has ipv4-2 & ipv6-2,
s3 has ipv4-3 & ipv6-3.
The above are to be used for the primary domain example.com and for our secondary domains example2.com, example3.com, example4.com, example5.com, etc.

Each server has further MAIL-SERVERS / MAIL-HOSTS: m1 & mx on s1, m2 & mx on s2, m3 & mx on s3.
s1 & m1 on s1 are to hold emails for users from geo-location-1.
s2 & m2 on s2 are to hold emails for users from geo-location-2.
s3 & m3 on s3 are to hold emails for users from geo-location-3.
mx on s1 is for users who travel to, or moved to, geo-location-1 from another geo-location.
mx on s2 is for users who travel to, or moved to, geo-location-2 from another geo-location.
mx on s3 is for users who travel to, or moved to, geo-location-3 from another geo-location.
m1 has ipv4-1 & ipv6-11,
m2 has ipv4-2 & ipv6-22,
m3 has ipv4-3 & ipv6-33.
mx on s1 has ipv4-1 & ipv6-15,
mx on s2 has ipv4-2 & ipv6-25,
mx on s3 has ipv4-3 & ipv6-35.
The above m1, m2, m3, mx are to be used only for the primary domain example.com.

Because of the GDPR in the EU, privacy & protection laws in the USA, etc., I/we will have to keep users' data separated on different servers located in their geo/jurisdiction area.

Each of the s1, s2, s3 servers' IPv4 & IPv6 addresses' RDNS/"PTR" records are defined in the BIND DNS NameServer (s1, s2, s3).
Each mail server's (m1, m2, m3, mx on s1, mx on s2, mx on s3) IPv4 & IPv6 address RDNS/"PTR" records are also defined in the NameServer.

So currently I'm/we're trying to do this: s1, s2, s3, m1 & mx on s1, m2 & mx on s2, m3 & mx on s3.

I/we want users to have email addresses like this: user@example.com
Users on the "mx" mail host will have to access the web portal, if needed, for email access (or for registration) like this: https://email.example.com/mail/ etc. (not https://s3.example.com/mail/). Users who are located in the same location as the s3 server will have to access their emails via s3/m3's web portal https://s3.example.com/mail/ or https://m3.example.com/mail/ (or via this mail server: m3.example.com for IMAPS/POP3S/SMTPS). In the same way, users at s2's location will have to access the s2/m2 web portal or use m2.example.com as their IMAPS/POP3S/SMTPS mail server, ...

Based on the user's geo-location, the account will be created by default in either s1/m1, s2/m2 or s3/m3, and when a user chooses to fall under all geo-locations (all jurisdictions), the "mx" mail server will be used to keep the account data.

I/we created/added these DNS records:

email.example.com.  IN  A  ipv4-1  ; ip-adrs of s1
email.example.com.  IN  A  ipv4-2  ; ip-adrs of s2
email.example.com.  IN  A  ipv4-3  ; ip-adrs of s3
email.example.com.  IN  AAAA  ipv6-1  ; (s1)
... ; like the above, "email" has AAAA records for ipv6-2 (s2), ipv6-3 (s3), ipv6-11 (m1), ipv6-22 (m2), ipv6-33 (m3), ipv6-15 (mx on s1), ipv6-25 (mx on s2), ipv6-35 (mx on s3) = 9 IPv6 addresses in total.

We are using "email.example.com" in this (recommended) way because we have multiple hosts for mail servers on the same physical server, and it is better than using multiple CNAMEs (with an exceptional config in the BIND DNS server) for simple round-robin serving and for failover/redundancy.

So currently there are 8 MX records in DNS for "example.com":

example.com.  IN  MX  15  email.example.com.
example.com.  IN  MX  20  m1.example.com.   ; on s1
example.com.  IN  MX  20  m2.example.com.   ; on s2
example.com.  IN  MX  20  m3.example.com.   ; on s3
example.com.  IN  MX  20  mx.example.com.   ; on s1, s2, s3
example.com.  IN  MX  25  s1.example.com.
example.com.  IN  MX  25  s2.example.com.
example.com.  IN  MX  25  s3.example.com.

And there are 7 MX records in DNS for "email.example.com":

email.example.com.  IN  MX  20  m3.example.com. ; on s3
email.example.com.  IN  MX  20  m1.example.com. ; on s1
email.example.com.  IN  MX  20  m2.example.com. ; on s2
email.example.com.  IN  MX  20  mx.example.com. ; in each of s1 , s2 , s3
email.example.com.  IN  MX  25  s3.example.com.
email.example.com.  IN  MX  25  s1.example.com.
email.example.com.  IN  MX  25  s2.example.com.

The CNAME below was added for backward compatibility:

mail.example.com.  IN  CNAME  email.example.com.

I think that because of the above DNS record iRedMail used "mail" in some data,
so I will remove the above entry; iRedMail needs to use "email".

I/we also have these CNAME DNS records:

autoconfig.example.com.  IN  CNAME  email.example.com.
autoconfig.email.example.com.  IN  CNAME  email.example.com.
autodiscover.example.com.  IN  CNAME  email.example.com.
autodiscover.email.example.com.  IN  CNAME  email.example.com.

And I/we have these service (SRV) DNS records, to find the service provider server:

_autodiscover._tcp.example.com.  IN  SRV  10  10  443  m3.example.com.
_autodiscover._tcp.example.com.  IN  SRV  10  10  443  m1.example.com.
_autodiscover._tcp.example.com.  IN  SRV  10  10  443  m2.example.com.
_autodiscover._tcp.example.com.  IN  SRV  10  10  443  mx.example.com.
_autodiscover._tcp.example.com.  IN  SRV  25  10  443  s3.example.com.
_autodiscover._tcp.example.com.  IN  SRV  25  10  443  s1.example.com.
_autodiscover._tcp.example.com.  IN  SRV  25  10  443  s2.example.com.
_autodiscover._tcp.email.example.com.  IN  SRV  10  10  443  m3.example.com.
_autodiscover._tcp.email.example.com.  IN  SRV  10  10  443  m1.example.com.
_autodiscover._tcp.email.example.com.  IN  SRV  10  10  443  m2.example.com.
_autodiscover._tcp.email.example.com.  IN  SRV  10  10  443  mx.example.com.
_autodiscover._tcp.email.example.com.  IN  SRV  25  10  443  s3.example.com.
_autodiscover._tcp.email.example.com.  IN  SRV  25  10  443  s1.example.com.
_autodiscover._tcp.email.example.com.  IN  SRV  25  10  443  s2.example.com.
;
_caldavs._tcp.example.com.  IN  SRV  10  10  443  m3.example.com.
_caldavs._tcp.example.com.  IN  SRV  10  10  443  m1.example.com.
_caldavs._tcp.example.com.  IN  SRV  10  10  443  m2.example.com.
_caldavs._tcp.example.com.  IN  SRV  10  10  443  mx.example.com.
_caldavs._tcp.example.com.  IN  SRV  25  10  443  s3.example.com.
_caldavs._tcp.example.com.  IN  SRV  25  10  443  s1.example.com.
_caldavs._tcp.example.com.  IN  SRV  25  10  443  s2.example.com.
_caldavs._tcp.email.example.com.  IN  SRV  10  10  443  m3.example.com.
_caldavs._tcp.email.example.com.  IN  SRV  10  10  443  m1.example.com.
_caldavs._tcp.email.example.com.  IN  SRV  10  10  443  m2.example.com.
_caldavs._tcp.email.example.com.  IN  SRV  10  10  443  mx.example.com.
_caldavs._tcp.email.example.com.  IN  SRV  25  10  443  s3.example.com.
_caldavs._tcp.email.example.com.  IN  SRV  25  10  443  s1.example.com.
_caldavs._tcp.email.example.com.  IN  SRV  25  10  443  s2.example.com.
;
_carddavs._tcp.example.com.  IN  SRV  10  10  443  m3.example.com.
_carddavs._tcp.example.com.  IN  SRV  10  10  443  m1.example.com.
_carddavs._tcp.example.com.  IN  SRV  10  10  443  m2.example.com.
_carddavs._tcp.example.com.  IN  SRV  10  10  443  mx.example.com.
_carddavs._tcp.example.com.  IN  SRV  25  10  443  s3.example.com.
_carddavs._tcp.example.com.  IN  SRV  25  10  443  s1.example.com.
_carddavs._tcp.example.com.  IN  SRV  25  10  443  s2.example.com.
_carddavs._tcp.email.example.com.  IN  SRV  10  10  443  m3.example.com.
_carddavs._tcp.email.example.com.  IN  SRV  10  10  443  m1.example.com.
_carddavs._tcp.email.example.com.  IN  SRV  10  10  443  m2.example.com.
_carddavs._tcp.email.example.com.  IN  SRV  10  10  443  mx.example.com.
_carddavs._tcp.email.example.com.  IN  SRV  25  10  443  s3.example.com.
_carddavs._tcp.email.example.com.  IN  SRV  25  10  443  s1.example.com.
_carddavs._tcp.email.example.com.  IN  SRV  25  10  443  s2.example.com.
;
_imap._tcp.example.com.  IN  SRV  0  0  143  .
_imap._tcp.email.example.com.  IN  SRV  0  0  143  .
;
_imaps._tcp.example.com.  IN  SRV  10  10  993  m3.example.com.
_imaps._tcp.example.com.  IN  SRV  10  10  993  m1.example.com.
_imaps._tcp.example.com.  IN  SRV  10  10  993  m2.example.com.
_imaps._tcp.example.com.  IN  SRV  10  10  993  mx.example.com.
_imaps._tcp.example.com.  IN  SRV  25  10  993  s3.example.com.
_imaps._tcp.example.com.  IN  SRV  25  10  993  s1.example.com.
_imaps._tcp.example.com.  IN  SRV  25  10  993  s2.example.com.
_imaps._tcp.email.example.com.  IN  SRV  10  10  993  m3.example.com.
_imaps._tcp.email.example.com.  IN  SRV  10  10  993  m1.example.com.
_imaps._tcp.email.example.com.  IN  SRV  10  10  993  m2.example.com.
_imaps._tcp.email.example.com.  IN  SRV  10  10  993  mx.example.com.
_imaps._tcp.email.example.com.  IN  SRV  25  10  993  s3.example.com.
_imaps._tcp.email.example.com.  IN  SRV  25  10  993  s1.example.com.
_imaps._tcp.email.example.com.  IN  SRV  25  10  993  s2.example.com.
;
_pop3._tcp.example.com.  IN  SRV  0  0  110  .
_pop3._tcp.email.example.com.  IN  SRV  0  0  110  .
;
_pop3s._tcp.example.com.  IN  SRV  10  10  995  m3.example.com.
_pop3s._tcp.example.com.  IN  SRV  10  10  995  m1.example.com.
_pop3s._tcp.example.com.  IN  SRV  10  10  995  m2.example.com.
_pop3s._tcp.example.com.  IN  SRV  10  10  995  mx.example.com.
_pop3s._tcp.example.com.  IN  SRV  25  10  995  s3.example.com.
_pop3s._tcp.example.com.  IN  SRV  25  10  995  s1.example.com.
_pop3s._tcp.example.com.  IN  SRV  25  10  995  s2.example.com.
_pop3s._tcp.email.example.com.  IN  SRV  10  10  995  m3.example.com.
_pop3s._tcp.email.example.com.  IN  SRV  10  10  995  m1.example.com.
_pop3s._tcp.email.example.com.  IN  SRV  10  10  995  m2.example.com.
_pop3s._tcp.email.example.com.  IN  SRV  10  10  995  mx.example.com.
_pop3s._tcp.email.example.com.  IN  SRV  25  10  995  s3.example.com.
_pop3s._tcp.email.example.com.  IN  SRV  25  10  995  s1.example.com.
_pop3s._tcp.email.example.com.  IN  SRV  25  10  995  s2.example.com.
;
_sieve._tcp.example.com.  IN  SRV  10  10  4190  m3.example.com.
_sieve._tcp.example.com.  IN  SRV  10  10  4190  m1.example.com.
_sieve._tcp.example.com.  IN  SRV  10  10  4190  m2.example.com.
_sieve._tcp.example.com.  IN  SRV  10  10  4190  mx.example.com.
_sieve._tcp.example.com.  IN  SRV  25  10  4190  s3.example.com.
_sieve._tcp.example.com.  IN  SRV  25  10  4190  s1.example.com.
_sieve._tcp.example.com.  IN  SRV  25  10  4190  s2.example.com.
_sieve._tcp.email.example.com.  IN  SRV  10  10  4190  m3.example.com.
_sieve._tcp.email.example.com.  IN  SRV  10  10  4190  m1.example.com.
_sieve._tcp.email.example.com.  IN  SRV  10  10  4190  m2.example.com.
_sieve._tcp.email.example.com.  IN  SRV  10  10  4190  mx.example.com.
_sieve._tcp.email.example.com.  IN  SRV  25  10  4190  s3.example.com.
_sieve._tcp.email.example.com.  IN  SRV  25  10  4190  s1.example.com.
_sieve._tcp.email.example.com.  IN  SRV  25  10  4190  s2.example.com.
;
_smtps._tcp.example.com.  IN  SRV  10  10  465  m3.example.com.
_smtps._tcp.example.com.  IN  SRV  10  10  465  m1.example.com.
_smtps._tcp.example.com.  IN  SRV  10  10  465  m2.example.com.
_smtps._tcp.example.com.  IN  SRV  10  10  465  mx.example.com.
_smtps._tcp.example.com.  IN  SRV  25  10  465  s3.example.com.
_smtps._tcp.example.com.  IN  SRV  25  10  465  s1.example.com.
_smtps._tcp.example.com.  IN  SRV  25  10  465  s2.example.com.
_smtps._tcp.email.example.com.  IN  SRV  10  10  465  m3.example.com.
_smtps._tcp.email.example.com.  IN  SRV  10  10  465  m1.example.com.
_smtps._tcp.email.example.com.  IN  SRV  10  10  465  m2.example.com.
_smtps._tcp.email.example.com.  IN  SRV  10  10  465  mx.example.com.
_smtps._tcp.email.example.com.  IN  SRV  25  10  465  s3.example.com.
_smtps._tcp.email.example.com.  IN  SRV  25  10  465  s1.example.com.
_smtps._tcp.email.example.com.  IN  SRV  25  10  465  s2.example.com.
;
_submission._tcp.example.com.  IN  SRV  10  10  587  m3.example.com.
_submission._tcp.example.com.  IN  SRV  10  10  587  m1.example.com.
_submission._tcp.example.com.  IN  SRV  10  10  587  m2.example.com.
_submission._tcp.example.com.  IN  SRV  10  10  587  mx.example.com.
_submission._tcp.example.com.  IN  SRV  25  10  587  s3.example.com.
_submission._tcp.example.com.  IN  SRV  25  10  587  s1.example.com.
_submission._tcp.example.com.  IN  SRV  25  10  587  s2.example.com.
_submission._tcp.email.example.com.  IN  SRV  10  10  587  m3.example.com.
_submission._tcp.email.example.com.  IN  SRV  10  10  587  m1.example.com.
_submission._tcp.email.example.com.  IN  SRV  10  10  587  m2.example.com.
_submission._tcp.email.example.com.  IN  SRV  10  10  587  mx.example.com.
_submission._tcp.email.example.com.  IN  SRV  25  10  587  s3.example.com.
_submission._tcp.email.example.com.  IN  SRV  25  10  587  s1.example.com.
_submission._tcp.email.example.com.  IN  SRV  25  10  587  s2.example.com.
;
_caldavs._tcp.example.com.  IN  TXT    "path=/SOGo/dav/"
_caldavs._tcp.email.example.com.  IN  TXT    "path=/SOGo/dav/"
_carddavs._tcp.example.com.  IN  TXT    "path=/SOGo/dav/"
_carddavs._tcp.email.example.com.  IN  TXT    "path=/SOGo/dav/"

I/we don't want anyone or any mail client to connect on the non-secure ports 143 or 110, so they are disabled in the above DNS records.

What will (FORCE) make sure that TLS/SSL is always used for IMAPS/port 993 & POP3S/port 995, and what will force the mail server to disable IMAP/port 143 & POP3/port 110 usage completely?

SPF TXT record:

example.com.  IN  TXT  (
  "v=spf1 mx:m3.example.com mx:m1.example.com mx:m2.example.com mx:mx.example.com mx:s3.example.com mx:s1.example.com mx:s2.example.com mx:email.example.com ip4:ipv4-1 ip4:ipv4-2 ip4:ipv4-3 ip6:ipv6-1 ip6:ipv6-2 ip6:ipv6-3"
  " ip6:ipv6-11 ip6:ipv6-22 ip6:ipv6-33 ip6:ipv6-15 ip6:ipv6-25 ip6:ipv6-35 -all")
;
email.example.com.  IN  TXT  (
  "v=spf1 mx:m3.example.com mx:m1.example.com mx:m2.example.com mx:mx.example.com mx:s3.example.com mx:s1.example.com mx:s2.example.com mx:email.example.com ip4:ipv4-1 ip4:ipv4-2 ip4:ipv4-3 ip6:ipv6-1 ip6:ipv6-2 ip6:ipv6-3"
  " ip6:ipv6-11 ip6:ipv6-22 ip6:ipv6-33 ip6:ipv6-15 ip6:ipv6-25 ip6:ipv6-35 -all")
;

I just added the DKIM info in DNS, which is provided by iRedMail:

dkim._domainkey.example.com.  3600  IN  TXT (
  "v=DKIM1; p="
  "..."
  "..."
  "..."
  "...")

For my/our MAIL-SERVER configuration/layout, an iRedMail instance will have to run on each of the 3 servers: s1, s2, s3.
Can they (the mail servers) be kept synced (up to date) with each other? (That is, will a user who registered on "mx" on s3 be able to use email services from mx on s1 or mx on s2, even when the "mx"/m3/s3 mail server hosts have gone down?)

Can the SQL DATA for users on mx on s1 be REPLICATED into the other two mx: mx on s2, mx on s3?
Likewise, I/we want to replicate the mx users of mx on s2 into mx on s1 and mx on s3,
and I/we also want to replicate the mx users of mx on s3 into mx on s1 and mx on s2.
mx will hold data for a few specific users who travel a lot or have moved to another geo-location.

How do I enable IPv6-based email sending & receiving in iRedMail?
I/we want to make sure the IPv6-based mail server functions are working, because we want to move the m1, m2, m3, mx mail servers onto different physical servers (s4, s5, s6) which are only IPv6-capable and have no IPv4 connectivity.
(So later it will be: s1, s2, s3, m1 & mx on s4, m2 & mx on s5, m3 & mx on s6.)

iRedMail did not load the Let's Encrypt (LE) app (and did not create an LE-based SSL/TLS CERT)!

Are DANE DNS records checked by the MTA/Postfix app? Does it add metadata to each email indicating the status of the DANE-based verification?

I did not see any DMARC info from the iRedMail installation.

THANKS for this great package, and for your help.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EDIT: I added more info/data, questions, etc. after my initial post; perhaps the reader/viewer should refresh the webpage and read this entire post again. Thanks.
EDIT: added the bbcode [code]...[/code] around the code to make it look/appear better.
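The SPF records above are built almost entirely from `mx:` mechanisms, and two RFC 7208 limits bite records of that shape: an evaluation may perform at most 10 DNS-lookup terms (include, a, mx, ptr, exists, redirect), and at most 2 of them may be "void" (return no records). Note also what `mx:<name>` means: it matches the MX hosts *of* `<name>`, not `<name>`'s own address, and the zone data posted above shows MX records only for example.com and email.example.com. A third, unrelated limit is the 255-byte maximum of one TXT string, which is why the zone file splits the record into two quoted strings. The script below is an added example, not iRedMail's or the poster's code; it does no DNS queries, works on the record exactly as posted (placeholder addresses kept verbatim), and treats "names with MX records" as the constructed set taken from the posted zone data.

```python
"""SPF record checks for the records posted above (RFC 7208).

Added example, not iRedMail's or the poster's code. It does no DNS queries:
the record and the set of names known to carry MX records are constructed
from the zone data in the post (placeholder addresses kept as written).
"""
import re

# Terms that cost a DNS lookup when evaluated (RFC 7208 section 4.6.4);
# ip4:/ip6:/all are free. Evaluation ends in permerror past 10 lookups,
# and past 2 "void" lookups (lookups that return no records).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10
VOID_LOOKUP_LIMIT = 2
TXT_STRING_MAX = 255            # one <character-string> of a TXT RR

# The example.com TXT RR from the post: one record, two quoted strings.
ZONE_TXT_STRINGS = [
    "v=spf1 mx:m3.example.com mx:m1.example.com mx:m2.example.com "
    "mx:mx.example.com mx:s3.example.com mx:s1.example.com mx:s2.example.com "
    "mx:email.example.com ip4:ipv4-1 ip4:ipv4-2 ip4:ipv4-3 "
    "ip6:ipv6-1 ip6:ipv6-2 ip6:ipv6-3",
    " ip6:ipv6-11 ip6:ipv6-22 ip6:ipv6-33 ip6:ipv6-15 ip6:ipv6-25 ip6:ipv6-35 -all",
]
# Only these names have MX records in the posted zone data (constructed set).
NAMES_WITH_MX = {"example.com", "email.example.com"}


def join_txt_strings(strings):
    """Receivers concatenate the strings of a TXT RR byte-for-byte."""
    return "".join(strings)


def lookup_terms(record):
    """The SPF terms that trigger a DNS lookup, in evaluation order."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    found = []
    for term in terms[1:]:
        # drop the optional qualifier (+ - ~ ?) and isolate the term name
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            found.append(term)
    return found


def within_lookup_limit(record):
    return len(lookup_terms(record)) <= LOOKUP_LIMIT


def suspect_void_mx_terms(record, names_with_mx=NAMES_WITH_MX):
    """mx:<name> matches the MX hosts *of <name>*, not <name>'s own address.

    An mx: term whose target publishes no MX RRs matches nothing and is a
    void lookup; more than VOID_LOOKUP_LIMIT of them is a permerror."""
    out = []
    for term in lookup_terms(record):
        if term.lstrip("+-~?").lower().startswith("mx:"):
            target = term.lstrip("+-~?")[3:].split("/")[0].lower().rstrip(".")
            if target not in names_with_mx:
                out.append(term)
    return out


def address_only_record(record):
    """Drop the mx: terms; here every host is already listed by ip4:/ip6:."""
    kept = [t for t in record.split()
            if not t.lstrip("+-~?").lower().startswith("mx:")]
    return " ".join(kept)


def split_txt(record, limit=TXT_STRING_MAX):
    """Split at whitespace into strings of at most `limit` bytes that
    concatenate back to the original record (the separating space is
    carried at the start of the next string)."""
    out, cur = [], ""
    for term in record.split():
        piece = term if not cur else " " + term
        if len((cur + piece).encode()) > limit:
            out.append(cur)
            cur = " " + term
        else:
            cur += piece
    if cur:
        out.append(cur)
    return out


if __name__ == "__main__":
    rec = join_txt_strings(ZONE_TXT_STRINGS)
    print(f"{len(lookup_terms(rec))} lookup terms (limit {LOOKUP_LIMIT})")
    void = suspect_void_mx_terms(rec)
    print(f"{len(void)} mx: terms whose target has no MX records "
          f"(void-lookup limit {VOID_LOOKUP_LIMIT}): {void}")
    print("address-only record:", address_only_record(rec))
    for s in split_txt(rec):
        print(f'  "{s}"  ({len(s.encode())} bytes)')
```

Run without arguments it reports 8 lookup terms (under the limit of 10) but 7 `mx:` terms pointing at names the posted zone gives no MX records, which is what a strict validator would reject; since every host's address is already listed with `ip4:`/`ip6:`, the address-only form costs zero lookups and says the same thing. Real addresses must be substituted for the placeholders before the record is published.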

45 (edited by ashfolk 2019-08-02 14:02:09)

Re: Debian 10 Buster Post

Please see my previous post/message.

After installing iRedMail, the "nft" command below displays this:

root@s3:~# nft list ruleset
table inet filter {
    set f2b-postfix {
        type ipv4_addr
        elements = { ipv4-2 }
    }

    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport { smtp, http, pop3, imap2, https, urd, submission, imaps, pop3s, sieve } ip saddr @f2b-postfix reject
        iif "lo" accept
        ct state established,related accept
        ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
        ip protocol icmp icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
        ip protocol igmp accept
        ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
        ip6 nexthdr ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 4 packets drop
        tcp dport ssh accept
        tcp dport http accept
        tcp dport https accept
        tcp dport smtp accept
        tcp dport submission accept
        tcp dport pop3 accept
        tcp dport pop3s accept
        tcp dport imap2 accept
        tcp dport imaps accept
        counter packets 43024 bytes 5607720 drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }

    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}
table ip6 filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }

    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Why did fail2ban (f2b) add my s2 server's IP address ipv4-2 as banned and drop its traffic?!
In the "...spf..." TXT record, ipv4-2 is clearly approved.
And,
in the above output I can see that DNS, sieve, etc. are not mentioned, so they are not accepted!
So I opened "/etc/nftables.conf" for editing, to add the DNS & Sieve ports:

root@s3:~# nano /etc/nftables.conf

and added DNS/53, Sieve/4190, 465, etc., as shown below:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#!/usr/sbin/nft -f

flush ruleset

# `inet` applies to both IPv4 and IPv6.
table inet filter {
    
    chain input {
        type filter hook input priority 0; policy accept;
        
        # accept any localhost traffic
        iif lo accept
        
        # accept traffic originated from us
        ct state established,related accept
        
        # accept ICMP & ICMPv6 & IGMP
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
        ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
        ip protocol igmp accept
        # no ping floods:
        ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
        ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets drop
        
        # dns/domain
        udp dport 53 accept
        tcp dport 53 accept
        
        # sshd
        tcp dport 22 accept
        
        # http/https
        tcp dport 80 accept
        tcp dport 443 accept
        
        # smtp
        tcp dport 25 accept
        # submission
        tcp dport 587 accept
        # smtps/urd
        tcp dport 465 accept
        
        # pop3/pop3s
        tcp dport 110 accept
        tcp dport 995 accept
        
        # imap2/imaps
        tcp dport 143 accept
        tcp dport 993 accept
        
        # sieve
        tcp dport 4190 accept
        
        # count and drop any other traffic
        counter drop
        
    }

    chain output {
        type filter hook output priority 0;
        policy accept;
    }

    chain forward {
        type filter hook forward priority 0;
        policy drop;
    }
}

table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }

    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}

table ip6 filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }

    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
I saved /etc/nftables.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

root@s3:~# systemctl restart nftables.service
root@s3:~# systemctl status nftables.service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ping ipv4-2 -c 4    ;# ping to s2, works
ping6 ipv6-2 -c 4    ;# ping6 to s2, works
dig @ipv4-2 IN ANY s2.example.com.    ;# works
dig @ipv6-2 IN ANY s2.example.com.    ;# works
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
but on s2:
root@s2:~#
ping ipv4-3 -c 4    ;# ping to s3, does NOT work
ping6 ipv6-3 -c 4    ;# ping6 to s3, does NOT work
dig @ipv4-3 IN ANY s2.example.com.    ;# does NOT work
dig @ipv6-3 IN ANY s2.example.com.    ;# does NOT work
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
s3 can send/receive emails, but the DNS NameServer on s3 is still unreachable from the internet! :(

EDIT: I had mistakenly shown the f2b section inside the "nftables.conf" file; edited to remove that.

46

Re: Debian 10 Buster Post

ashfolk wrote:

the initial "Details of this iRedMail installation" email from root@hostname.example.com contains too many PASSWORDS & sensitive config data , So i would like to strongly suggest NOT-TO send all these info over an email , & especially as 1st email ,

I don't agree:

- This email doesn't leave your server.
- POP3/IMAP/SMTP/webmail are all secured with TLS or SSL, so it's secure.

ashfolk wrote:

Will you be adding GnuPG/GPG support in the iRedMail-installer for sending encrypted emails ?

No.

ashfolk wrote:

What will (FORCE) make sure that TLS/SSL is always used for IMAPS/POP3S , and what will force Mail-server's to disable IMAP+POP3 completely ?

IMAP/POP3 over TLS or SSL are forced in the default iRedMail configuration. IMAP/POP3 without a secure connection is not possible.

ashfolk wrote:

in above output i can see : DNS , sieve , etc are not mentioned & so they are not-accepted !

iRedMail focuses on mail services; it cannot detect all network services running on your server, so a little customization is required in your case. Other sysadmins may ask us to detect different services; we cannot cover them all, so we leave it to the sysadmins.

ashfolk wrote:

why fail2ban (f2b) added my s2 server's ip-address ipv4-2 as banned & dropping traffic ? !

Are you sure you're using the default nftables.conf generated by iRedMail?

47

Re: Debian 10 Buster Post

s3 is a fresh server: just Debian 10 was installed, sshd was configured, then Unbound (as a local DNSSEC-validating DNS resolver) and BIND (as the authoritative DNS NameServer for "example.com") were loaded, configured and tested. No firewall was enabled. Then iRedMail was installed.

The "nft list ruleset" command displayed the f2b (fail2ban) section/rules, so when I posted nftables.conf in the earlier post/message I copy-pasted the f2b rules inside nftables.conf by mistake; I will edit the earlier post and show it separately.
It appears to me that f2b can add and use new nftables rules on the fly, without modifying nftables.conf.

The BASH script code implemented below is released under GPL v2. (c) 2019 Ashfolk. No guarantee/warranty. Users may use it at their own choice and risk.

Which IPv4 ports & addresses does an admin user need to add to the server's (nft) firewall in order to allow outside/Internet visitors and client users to connect to the server's LISTENing service ports & IP addresses?

root@s3:~# while read proto adrs_port pid_program_8 pid_program_9 ; do
    portNumber=${adrs_port##*:}
    # with "netstat -e", TCP rows carry a State column and UDP rows do not,
    # so the PID/Program field is $9 for tcp and $8 for udp
    if [ "$proto" == "tcp" ] ; then
        program=${pid_program_9#*/}
    else
        program=${pid_program_8#*/}
    fi
    ipAdrs=${adrs_port%%:${portNumber}}
    # skip listeners bound to loopback only; they need no firewall rule
    if [ "$ipAdrs" != "127.0.0.1" ] ; then
        echo "    # PortName(${portNumber}), (${program})"
        if [ "$ipAdrs" == "0.0.0.0" ] ; then
            # wildcard bind: accept the port on every address
            echo "    ${proto} dport ${portNumber} accept"
        else
            # bound to one address: accept the port only for that address
            echo "    ${proto} dport ${portNumber} ip daddr ${ipAdrs} accept"
        fi
        echo "    "
    fi
done < <(/usr/bin/netstat -4 -tulpenW 2>/dev/null | /usr/bin/awk '$1 ~ /^(tcp|udp)/ { print $1, $4, $8, $9 }')

Which IPv6 ports & addresses does an admin user need to add to the server's (nft) firewall in order to allow outside/Internet visitors and client users to connect to the server's LISTENing service ports & IP addresses?

root@s3:~# while read proto adrs_port pid_program_8 pid_program_9 ; do  portNumber=${adrs_port##*:} ; proto=${proto%%6} ; if [ "$proto" == "tcp" ] ; then program=${pid_program_9#*/} ; else program=${pid_program_8#*/} ; fi ; ipAdrs=${adrs_port%%:${portNumber}} ; if [ "$ipAdrs" != "::1" ] ; then if [ "$ipAdrs" == "::" ] ; then echo "    # PortName(${portNumber}), (${program})" ; echo "    ${proto} dport ${portNumber} accept" ; echo "    " ; else echo "    # PortName(${portNumber}), (${program})" ; echo "    ${proto} dport ${portNumber} ip6 daddr ${ipAdrs} accept" ; echo "    " ; fi ; fi ; done < <(/usr/bin/netstat -6 -tulpenW 2>/dev/null | /usr/bin/awk '$1 ~ /^(tcp|udp)/ { print $1, $4, $8, $9 }' ) ;

Some email client apps ask the user for their password first (in the 1st stage), then by default first attempt to connect with ("look" for) IMAP/143 or POP3/110 servers without using TLS/SSL. Some even use the PASSWORD over an OPEN connection with the IMAP/POP3 server (in that 1st stage)! As a result the PASSWORD has traveled over an OPEN connection!
So it is necessary to feed a wrong password in the 1st stage.
In the 2nd stage, the email client app shows the details of the email server: SMTP hostname & IMAP/POP3 hostname, port, protocol, etc. Many users often don't change any settings here (in this 2nd stage, as they don't understand it, or are in a hurry, etc.), which by default is often non-secured IMAP/port 143 or POP3/port 110 (without any TLS/SSL), for "backward compatibility" or whatever reason. So the user starts using the PASSWORD over an OPEN (aka not secured, aka non-encrypted) connection and also obtains ALL EMAILS over/through the OPEN connection.
But a careful user must be careful in the 1st stage (by not specifying the CORRECT PASSWORD) & must be careful in that 2nd stage and make sure to select IMAPS/port 993 (or POP3S/port 995) & the TLS/SSL (secure/encryption) protocol first, then specify the CORRECT PASSWORD, & then proceed to the next stage; then the PASSWORD will be used over/through a SECURE/encrypted TLS/SSL connection.

Not every app follows a secure process or secure steps, so a security-conscious, aware & enabler-minded developer has to take extra steps to counter the insecurity that exists in others.

And as you said:

ZhangHuangbin wrote:

IMAP/POP3 over TLS or SSL are forced with default iRedMail configuration. IMAP/POP3 without secure connection is not possible.

So I take it that iRedMail has configured Dovecot in such a way that it will DENY an email client app's connection to port 143 (imap), 993 (imaps), 110 (pop3), 995 (pop3s) WHEN the email client is NOT USING an SSL/TLS secure/encrypted protocol/connection.
THANK YOU. I didn't know this before you clarified it here.

Can iRedMail work on IPv6-only servers? Send/receive over IPv6-based TLS/SSL connections?

If I install iRedMail on 2 or 3 hosts under the same domain name, can iRedMail keep the user list, emails, etc. synchronized instantly between those 2 or 3 hosts (by using MySQL database replication, email folder synchronization, etc. through/via SSH tunnels)?

Based on my/our server config, net config, mail server config, email+user sync functionalities, etc. which I posted so far, wouldn't you recommend that I manually configure Dovecot+Postfix+etc. instead of using iRedMail?
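The property argued over above, whether a client that sends its password on port 143 before STARTTLS gets that password evaluated by the server, can be checked directly from a shell instead of inferred from client behaviour. The script below is an added example, not code from this thread or from iRedMail. It sends CAPABILITY and then a LOGIN with a deliberately wrong password over a cleartext connection (so nothing real is exposed even if the server does accept cleartext logins) and classifies the reply. The hostname, the probe account name probe@example.com, and the expectation that the server uses the RFC 5530 response codes PRIVACYREQUIRED and AUTHENTICATIONFAILED (as Dovecot does) are assumptions of this example.

```shell
#!/usr/bin/env bash
# imap_plaintext_probe.sh (added example, not code from the thread or iRedMail)
# Verifies that an IMAP server on a cleartext port refuses LOGIN before
# STARTTLS. The two pure functions are POSIX sh; the live probe needs bash
# for /dev/tcp. Response codes follow RFC 5530, as Dovecot emits them.

# Return 0 when a CAPABILITY list advertises LOGINDISABLED (RFC 2595),
# i.e. the server itself tells clients not to try LOGIN in the clear.
capability_disables_login() {
    case " $1 " in
        *" LOGINDISABLED "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the tagged reply ($2) to the LOGIN command sent with tag $1:
#   refused-policy   NO [PRIVACYREQUIRED]      plaintext auth disabled (what we want)
#   password-checked NO [AUTHENTICATIONFAILED] the server verified a cleartext password
#   accepted         OK                        logged in over cleartext
#   other            anything else (BAD, unknown response code)
classify_login_reply() {
    case "$2" in
        "$1 OK"*)                         echo accepted ;;
        "$1 NO [PRIVACYREQUIRED]"*)       echo refused-policy ;;
        "$1 NO [AUTHENTICATIONFAILED]"*)  echo password-checked ;;
        *)                                echo other ;;
    esac
}

# Live probe: connect in the clear, ask for capabilities, attempt a LOGIN with
# a password that is wrong on purpose, and print what happened. Exit status is
# 0 only when LOGINDISABLED is advertised AND the LOGIN was refused by policy.
probe_imap_plaintext() {
    host=$1; port=${2:-143}; user=${3:-probe@example.com}   # assumed probe account
    caps=""; login_reply=""
    exec 3<>"/dev/tcp/$host/$port" || return 2
    printf 'a1 CAPABILITY\r\n' >&3
    printf 'a2 LOGIN "%s" "deliberately-wrong-password"\r\n' "$user" >&3
    printf 'a3 LOGOUT\r\n' >&3
    while IFS= read -r -t 10 line <&3; do
        line=${line%$'\r'}
        case "$line" in
            "* CAPABILITY "*) caps=${line#"* CAPABILITY "} ;;
            "a2 "*)           login_reply=$line ;;
            "a3 "*|"* BYE"*)  break ;;
        esac
    done
    exec 3>&-
    if capability_disables_login "$caps"; then advertised=yes; else advertised=no; fi
    verdict=$(classify_login_reply a2 "$login_reply")
    printf 'LOGINDISABLED advertised: %s\nLOGIN reply: %s\nverdict: %s\n' \
        "$advertised" "$login_reply" "$verdict"
    [ "$advertised" = yes ] && [ "$verdict" = refused-policy ]
}

# Usage: ./imap_plaintext_probe.sh mail.example.com [143] [user]
if [ $# -gt 0 ]; then
    probe_imap_plaintext "$@"
fi
```

Run it against the mail host's port 143; a "password-checked" verdict means the server compared a password that crossed the wire in the clear, which is exactly the leak described above, regardless of what the client later does. On Dovecot the "refused-policy" result comes from disable_plaintext_auth = yes together with ssl = required; the same idea applies to POP3 on 110 with USER/PASS, which this script does not cover.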

48

Re: Debian 10 Buster Post

ashfolk wrote:

The BASH script code implemented below is released under GPL v2. (c) 2019 Ashfolk. No guarantee/warranty. Users may use it at their own choice & risk.

Shared shell commands don't have any readability ...

ashfolk wrote:

Can iRedMail work on IPv6-only servers? Send/receive over IPv6-based TLS/SSL connections?

Sure.

ashfolk wrote:

If I install iRedMail on 2 or 3 hosts under the same domain name, can iRedMail keep the user list, emails, etc. synchronized instantly between those 2 or 3 hosts (by using MySQL database replication, email folder synchronization, etc. through/via SSH tunnels)?

With MySQL replication or similar setup, yes.

ashfolk wrote:

Based on my/our server config, net config, mail server config, email+user sync functionalities, etc. which I posted so far, wouldn't you recommend that I manually configure Dovecot+Postfix+etc. instead of using iRedMail?

Definitely use iRedMail.
Or even better, use our iRedMail Easy platform to deploy iRedMail server:
https://www.iredmail.org/easy.html

49 (edited by ashfolk 2019-08-05 06:21:10)

Re: Debian 10 Buster Post

Thank you for your responses.
I will try to understand & configure iRedMail components further.

The "iRedMail-Easy" is very costly (for me/us, at the moment), but thank you for letting us all know; I have visited the webpage earlier though. When my/our project is stable (or when we have a few PAID users) then we will consider paid services.

Do you have another improved/next installer other than "zhb-iredmail-32b706d26a5c/iRedMail"?
I can try & test again on s3 (after reinstalling the OS, or do you have an uninstaller?).

My/our s1 & s2 have only 1 GB RAM each, so I will have to install only the iRedMail portion without f2b, netdata, clamav, etc., which use lots of RAM.

And an option during installation to NOT turn ON the nftables firewall would be better (but the installer should still provide/place an initial "nftables.conf" file in /etc/).

iRedMail's (last installer-supplied) nftables rules (in "nftables.conf") MUST be improved more; they created problems with SSH login from clients to server (but not server to server), domain/DNS connections for IPv4 & IPv6, icmp/ping, etc., etc.!!!

Users who do not choose f2b (Fail2Ban) will probably also avoid enabling/applying nftables firewall rules directly, without testing the rules step by step (one by one) first (starting with permissive mode).
If there were a perfect (or near-perfect) practical nftables guide (regarding allowing basic server functionalities/services, like ping/icmp, igmp, ndp, dns (tcp/udp), http, https, email ports, ssh, etc., etc. for specific IPv4 & IPv6 addresses) then we could just copy-paste rules from there, but I could not find any :(
(I have already tried rules taken from various articles but (so far) those didn't work (well, some worked & some didn't), so they are not really practical, but my search is still going on for more practical working rules. The rules shown in the official nftables guide (https://wiki.nftables.org/) have left out most basic server functionalities, with a firewall working to stop all except the most basic important functionalities/services I mentioned earlier; they are either too permissive or excessively over-defensive! That guide needs to be improved a lot.)

I/we have configured SSH tunnels to other servers (with pub-key access) already, and am reading up on SQL replication articles.
But before I do the above, I need to enable a multi-host-based email server on s3 first, enable IPv6 addresses, etc., etc. I will look into your forum & docs for guidance & help.

I have modified "nftables.conf" further: specified specific IPs (v4 & v6) & specific ports for the mail servers (mail hosts), and also specified specific IPs (v4 & v6) & port(s) for the NS/NameServer, etc., etc. ... The IPv4 part of the NameServer is working, but the IPv6 parts are not yet! ICMP is not working for IPv4 or IPv6!
So I'm keeping nftables & f2b disabled for now (when/once a few works on my side, like RDNS delegation/testing from/by RIPE, LIR, etc., are complete, then) I will again try nftables, for sure.

Those single-line bash scripts, as a complete bash script/file, are shown in the next post.

EDIT: changed my statements & messages.
EDIT: removed the earlier bash script code from here, as the next post is for this.
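Two things the post above asks for, a base ruleset that keeps ping, NDP, DNS and SSH working once the input policy is drop, and a way to try new rules without locking oneself out of SSH, fit in one small script. What follows is an added example, not code from this thread, from iRedMail or from the nftables wiki. The listener ports in the base ruleset are illustrative and are meant to be replaced by the rules derived from the host's real listeners; the 90-second grace period and the /run/nft-rollback.pid path are choices made for this example. It assumes nftables 0.9 or later (what Debian 10 ships) and root for the check and apply steps.

```shell
#!/usr/bin/env bash
# nft_safe_apply.sh (added example, not code from the thread or iRedMail)
# write : emit a base nftables ruleset that keeps ICMP, NDP, DNS and SSH usable
# check : syntax-check a ruleset file without loading it
# apply : load a ruleset, then restore the previous one after a grace period
#         unless the admin confirms from a fresh SSH session
# Assumes nftables 0.9+ (Debian 10) and root for check/apply.

ROLLBACK_PID_FILE=/run/nft-rollback.pid   # path chosen for this example

# Write the base ruleset to the file named in $1. "flush ruleset" at the top
# makes the load atomic: old and new rules are never active together.
write_base_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept

        # IPv4 ICMP: ping, plus the error types path-MTU discovery depends on
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept

        # IPv6: dropping NDP leaves the host unable to resolve its own gateway;
        # MLD keeps the solicited-node multicast groups that NDP relies on alive
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } accept
        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        ct state invalid drop

        # Listeners (illustrative; replace with the rules derived from this host)
        tcp dport 22 accept
        tcp dport 53 accept
        udp dport 53 accept
        tcp dport { 25, 465, 587 } accept
        tcp dport { 110, 143, 993, 995 } accept
        tcp dport { 80, 443 } accept

        counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Dry-run parse of $1. Returns nft's status (0 ok, 1 error), or 2 if nft is absent.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    nft -c -f "$1"
}

# Load $1 and schedule a restore of the current ruleset after $2 seconds
# (default 90). The timer runs under nohup so that losing this SSH session,
# the very lockout being guarded against, does not also kill the rollback.
apply_with_rollback() {
    new=$1; grace=${2:-90}
    saved=$(mktemp /tmp/nft-saved.XXXXXX) || return 1
    { echo "flush ruleset"; nft list ruleset; } > "$saved" || return 1
    check_ruleset "$new" || { echo "not loading $new: syntax check failed or nft missing" >&2; return 1; }
    nohup sh -c "sleep '$grace'; nft -f '$saved'; rm -f '$saved' '$ROLLBACK_PID_FILE'" >/dev/null 2>&1 &
    echo $! > "$ROLLBACK_PID_FILE"
    if ! nft -f "$new"; then
        kill "$(cat "$ROLLBACK_PID_FILE")" 2>/dev/null; rm -f "$ROLLBACK_PID_FILE"
        return 1
    fi
    echo "loaded $new; previous ruleset returns in ${grace}s unless you confirm with:"
    echo "  kill \$(cat $ROLLBACK_PID_FILE)   # from a NEW ssh session, then: nft list ruleset > /etc/nftables.conf"
}

case "${1:-}" in
    write) write_base_ruleset "${2:-/etc/nftables.conf.new}" ;;
    check) check_ruleset "$2" ;;
    apply) apply_with_rollback "$2" "${3:-90}" ;;
    "")    ;;   # no arguments: only define the functions
    *)     echo "usage: $0 write [file] | check file | apply file [grace-seconds]" >&2; exit 1 ;;
esac
```

"write" produces the base file, "check" parses it without touching the kernel, and "apply" loads it while a detached timer waits to put the old ruleset back; the confirmation is deliberately done from a second SSH login, because a successful new login through the new rules is the actual test. The ICMPv6 block is the usual reason IPv6 "stops working" behind a default-drop input chain: without neighbour solicitation and advertisement the host never learns its gateway's link-layer address, which matches the IPv6 symptoms reported above.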

50 (edited by ashfolk 2019-08-05 06:10:51)

Re: Debian 10 Buster Post

"nftables_from_netinfo", "netstat_to_nftables"
This bash script can output "inet" NF (netfilter) table (nftables firewall) rules by default, or output "ip" NF table rules when the command-line parameter "-4" is supplied, or output "ip6" NF table rules when the command-line parameter is "-6".
No need to remove duplicate rules manually; now this code will do this check & fix it on its own.

#!/usr/bin/env bash

# nftables_from_netinfo  v0.02.04
# Copyright 2019 Erik T Ashfolk
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
#
# - - - - - - - - - - - - - - - - - - - - - - - - - -
#
# https://www.gnu.org/licenses/old-licenses/gpl-2.0.html
#
# - - - - - - - - - - - - - - - - - - - - - - - - - -
#
# "nftables_from_netinfo" , "netstat_to_nftables"
# version 0.02.04
# Convert "netstat -4/-6 -tulpenW" command output into nftables firewall rules.
# Place the output of this BASH script into the "nftables.conf" file's "inet" table,
#   in the filter table's "chain input" sub-section:
#     table inet filter {
#         ...
#         chain input {
#             type filter hook input...;
#             iif lo accept
#             ct state established,related accept
#             ...
#             <nftables_from_netinfo  output>
#             ...
#             counter drop...
#         }
#         ...
#     }
#     ...
#
# - - - - - - - - - - - - - - - - - - - - - - - - - -
#
# User/admin should remove/disable those rules/lines which are not
#   meant to be opened up for LISTEN from the internet side.
#
#
# Run the command with -4 as command-line parameter:
#  it will show nftables rules for "ip" table section, which go into:
#  table ip filter { .. chain INPUT { .. <nftables_from_netinfo IPv4 output> .. } .. }
#
#
# Run the command with -6 as command-line parameter:
#  it will show nftables rules for "ip6" table section, which go into:
#  table ip6 filter { .. chain INPUT { .. <nftables_from_netinfo IPv6 output> .. } .. }
#
#
# No guarantee/warranty.
# User may use with own choice+risk.
# - - - - - - - - - - - - - - - - - - - - - - - - - -



nfiD4=-1;
nfiP4=-1;
nfiD6=-1;
nfiP6=-1;
nfiPU=-1;
nfRulesFound=0;
declare -a nfRulesD4=() ;
declare -a nfRulesP4=() ;
declare -a nfRulesD6=() ;
declare -a nfRulesP6=() ;
declare -a nfRulesPU=() ;
LineInNfRules="";
cmdLnOpt="";


#StartScript#


portNumToName() {
    # Get portname from here: github nftables
    # or from here: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
    # In below which has "#-" at end, those port names
    #  may-not-be official port name, so need to be looked-up in IANA db:
    case "$1" in
        (20) echo "ftp-data"; ;;        (21) echo "ftp"; ;;        (22) echo "ssh"; ;;
        (23) echo "telnet"; ;;        (25) echo "smtp"; ;;
        (42) echo "nameserver (Host Name Server Protocol)"; ;;        (53) echo "domain"; ;;
        (66) echo "sql-net"; ;;        (67) echo "bootps (DHCP)"; ;;    (68) echo "bootpc (DHCP)"; ;;
        (69) echo "tftp"; ;;        (80) echo "http"; ;;        (88) echo "kerberos"; ;;
        (92) echo "npp"; ;;        (110) echo "pop3"; ;;        (113) echo "auth (ident)"; ;; #-
        (115) echo "sftp"; ;;        (118) echo "sql (sql srvcs)"; ;; #-
        (119) echo "nntp (network news transfer protocol)"; ;;
        (123) echo "ntp (network time protocol)"; ;;        (137) echo "netbios-ns"; ;;
        (138) echo "netbios-dgm"; ;;        (139) echo "netbios-ssn"; ;;    (143) echo "imap2"; ;;
        (156) echo "sql (sql srvcs)"; ;; #-
        (161) echo "snmp"; ;;        (162) echo "snmptrap"; ;;        (179) echo "bgp"; ;;
        (194) echo "irc"; ;; #-
        (213) echo "ipx (internetwork pkt exchng)"; ;;        (220) echo "imap3"; ;;
        (264) echo "bgmp"; ;;        (389) echo "ldap"; ;;
        (401) echo "ups (uninterrruptible power sply)"; ;; #-
        (433) echo "nnsp"; ;; #-
        (443) echo "https"; ;;        (445) echo "smb"; ;; #-
        (464) echo "kerberos"; ;; #-
        (465) echo "urd (smtps)"; ;;        (500) echo "isakmp (ike/ipsec/ocf)"; ;; #-
        (515) echo "printer (lpd)"; ;;        (520) echo "rip"; ;; #-
        (529) echo "ripng"; ;; #-
        (543) echo "klogin (kerberos login)"; ;; #-
        (544) echo "kshell (kerberos shell)"; ;; #-
        (546) echo "dhcpv6-client"; ;;        (547) echo "dhcpv6-server"; ;;    (554) echo "rtsp"; ;;
        (563) echo "nntps"; ;;        (587) echo "submission"; ;;        (631) echo "ipp"; ;;
        (636) echo "ldaps"; ;;        (646) echo "ldp"; ;;        (647) echo "dhcp-failover"; ;;
        (648) echo "rrp (registry registrar protocol)"; ;; #-
        (694) echo "lnx-ha-hb"; ;; #-
        (700) echo "epp"; ;; #-
        (702) echo "irisb"; ;; #-
        (749) echo "kerberos (proto admin)"; ;; #-
        (750) echo "kerberos (iv)"; ;; #-
        (751) echo "kerberos (master auth)"; ;; #-
        (752) echo "kerberos (passwd srvr)"; ;; #-
        (753) echo "rrh"; ;; #-
        (783) echo "spamassassin"; ;; #-
        (829) echo "pkix-3-ca-ra (cmp)"; ;; #-
        (843) echo "flash (adobe)"; ;; #-
        (847) echo "dhcp-failover"; ;; #-
        (853) echo "domain-s"; ;;        (873) echo "rsync"; ;; #-
        (953) echo "rndc"; ;;        (989) echo "ftps-data"; ;;        (990) echo "ftps"; ;;
        (992) echo "telnets"; ;;        (993) echo "imaps"; ;;        (994) echo "ircs"; ;; #-
        (995) echo "pop3s"; ;;        (1080) echo "socks"; ;;        (1109) echo "kpop"; ;; #-
        (1186) echo "mysql-cluster"; ;;
        (1194) echo "openvpn"; ;;        (1234) echo "vlc"; ;; #-
        (1293) echo "ipsec"; ;; #-
        (1433) echo "mssql"; ;; #-
        (1527) echo "sql-net"; ;; #-
        (1688) echo "kms (microsoft)"; ;; #-
        (1701) echo "l2tp (l2tp/l2f)"; ;; #-
        (1707) echo "l2tp-ipsec"; ;; #-
        (1723) echo "pptp"; ;;        (1812) echo "radius (cisco/juniper)"; ;; #-
        (1813) echo "radius-acct"; ;; #-
        (1863) echo "msnp"; ;; #-
        (1900) echo "ssdp"; ;; #-
        (1935) echo "flash (macromedia/rtmp))"; ;; #-
        (2049) echo "nfs"; ;; #-
        (2083) echo "radsec"; ;;        (2086) echo "gnunet"; ;; #-
        (2375) echo "docker-rest"; ;; #-
        (2376) echo "docker-rests"; ;; #-
        (2377) echo "docker-swarm"; ;; #-
        (2401) echo "cvs"; ;; #-
        (2427) echo "mgcp"; ;; #-
        (2483) echo "ocldb (oracle database)"; ;; #-
        (2484) echo "ocldbs (oracle data base over tls/ssl)"; ;; #-
        (2710) echo "bittorrent-trk (xbt-trk)"; ;; #-
        (2727) echo "mgcp (ctl/agnt)"; ;; #-
        (2775) echo "smpp"; ;; #-
        (2947) echo "gpsd"; ;; #-
        (2948) echo "mms (wap)"; ;; #-
        (2949) echo "mms (secure wap)"; ;; #-
        (3020) echo "cifs"; ;;        (3128) echo "squid"; ;; #-
        (3268) echo "ldap"; ;; #-
        (3269) echo "ldaps"; ;; #-
        (3306) echo "mysql"; ;;        (3333) echo "eggdrop (irc bot)"; ;; #-
        (3389) echo "rdp (wbt)"; ;; #-
        (3478) echo "stun"; ;; #-
        (3535) echo "smtpa"; ;; #alt-smtp #-
        (3544) echo "teredo (tunnel)"; ;; #-
        (3690) echo "svn"; ;; #-
        (3784) echo "bfd"; ;; #-
        (3799) echo "radius"; ;; #-
        (3880) echo "igrs"; ;; #-
        (4116) echo "smartcard-tls"; ;; #-
        (4190) echo "sieve (ManageSieve)"; ;; #-
        (4243) echo "docker"; ;; #-
        (4500) echo "ipsec (nat traversal)"; ;; #-
        (4569) echo "iax2"; ;; #-
        (4604) echo "ident-reg"; ;; #-
        (4789) echo "vxlan"; ;; #-
        (5004) echo "rtp"; ;; #-
        (5005) echo "rtcp"; ;; #-
        (5050) echo "yim (yahoo msngr)"; ;; #-
        (5060) echo "sip"; ;; #-
        (5061) echo "sips"; ;; #-
        (5222) echo "xmpp"; ;; #-
        (5223) echo "xmpps"; ;; #-
        (5269) echo "xmpp-server"; ;; #-
        (5280) echo "xmpp"; ;; #-
        (5281) echo "xmpp"; ;; #-
        (5298) echo "xmpp"; ;; #-
        (5349) echo "stuns"; ;; #-
        (5353) echo "mDNS"; ;; #-
        (5432) echo "postgresql"; ;; #-
        (5500) echo "vnc-rfb"; ;; #-
        (5800) echo "vnc-rfb"; ;; #-
        (5900) echo "rfb (vnc)"; ;; #-
        (6346) echo "gnutella-svc"; ;; #-
        (6347) echo "gnutella-rtr"; ;; #-
        (6514) echo "syslogs"; ;; #-
        (6622) echo "mftp"; ;; #-
        (6665) echo "irc"; ;; #-
        (6667) echo "irc"; ;; #-
        (6679) echo "ircs (ircs/osaut)"; ;; #-
        (6697) echo "ircs"; ;; #-
        (6771) echo "blpd (bittorrent local peer discovery)"; ;; #-
        (6881) echo "bittorrent"; ;; #-
        (6888) echo "muse (muse/bittorrent)"; ;; #-
        (6969) echo "acmsoda (acmsoda/bittorrent-trk)"; ;; #-
        (7000) echo "bittorrent-trk (vuze)"; ;; #-
        (7070) echo "rtsp"; ;; #-
        (7946) echo "docker-swarm"; ;; #-
        (8008) echo "http-alt"; ;; #alt-http #
        (8069) echo "openerp (xml rpc)"; ;; #-
        (8070) echo "openerp (net rpc)"; ;; #-
        (8080) echo "http-alt"; ;; #alt-http #-
        (8245) echo "dyndns"; ;; #-
        (8332) echo "btc-json-rpc"; ;; #-
        (8333) echo "btcd"; ;; #-
        (9001) echo "etl-svc-mg (ms-sp/cisco-rtr-cfg/tor/dbgp/hsqldb)"; ;; #-
        (9030) echo "tor"; ;; #-
        (9050) echo "tor"; ;; #-
        (9051) echo "tor"; ;; #-
        (9150) echo "tor"; ;; #-
        (9332) echo "litecoin-json-rpc"; ;; #-
        (9333) echo "litecoin"; ;; #-
        (9899) echo "sctp"; ;; #-
        (10110) echo "nmea"; ;; #-
        (10514) echo "rsyslogs"; ;; #-
        (11211) echo "memcached"; ;; #-
        (11214) echo "memcached (ssl proxy)"; ;; #-
        (11371) echo "openpgp"; ;; #-
        (18091) echo "memcache (rest)"; ;; #-
        (18092) echo "memcache (capi)"; ;; #-
        (18333) echo "btcd-test"; ;; #-
        (19000) echo "jackd"; ;; #-
        (19294) echo "gtalk-media"; ;; #-
        (19295) echo "gtalk-media"; ;; #-
        (19302) echo "gtalk-media"; ;; #-
        (19999) echo "dnp (scada-rtu-ied)"; ;; #-
        (20000) echo "dnp (scada-rtu-ied)"; ;; #-
        (23399) echo "skype"; ;; #-
        (27017) echo "mongodb"; ;; #-
        (33434) echo "traceroute"; ;; #-
        (49152) echo "cmc (cert-mg-cms)"; ;; #-
        (64738) echo "mumble"; ;; #-
        (*) echo "PortName";
    esac;
};    # End of  portNumToName()


# Create/Add a header "comment" to indicate where RULES will go, to "inet" or "ip" or "ip6" table:
case "$1" in
    (-4)
        ((nfiP4++)) ; nfRulesP4[nfiP4]="    # (Below rules are for nftables \"ip\" table)" ; # echo "${nfRulesP4[nfiP4]}" ;
        cmdLnOpt="-4";
    ;;
    (-6)
        ((nfiP6++)) ; nfRulesP6[nfiP6]="    # (Below rules are for nftables \"ip6\" table)" ; # echo "${nfRulesP6[nfiP6]}" ;
        cmdLnOpt="-6";
    ;;
    (-help|--help)
        echo "nftables_from_netinfo" ;
        echo "nftables_from_netinfo        : show nftables rules for \"inet\" table" ;
        echo "nftables_from_netinfo  -4    : show nftables rules for \"ip\" (IPv4) table" ;
        echo "nftables_from_netinfo  -6    : show nftables rules for \"ip6\" (IPv6) table" ;
        cmdLnOpt="-h";
    ;;
    (*)
        ((nfiPU++)) ; nfRulesPU[nfiPU]="    # (Below rules are for nftables \"inet\" table)" ; # echo "${nfRulesPU[nfiPU]}" ;
        cmdLnOpt="-U";
esac;


if [[ "$cmdLnOpt" != "-h" ]] ; then
    
    
    # Creating another header "comment" line, to indicate which type of RULES SECTION:
    if [[ "$cmdLnOpt" == "-U" ]] ; then
        ((nfiPU++)) ; nfRulesPU[nfiPU]="    # RULES SECTION for Port (IPv6 & IPv4 combined):" ; # echo "${nfRulesPU[nfiPU]}" ;
        ((nfiPU++)) ; nfRulesPU[nfiPU]="    " ; # echo "${nfRulesPU[nfiPU]}" ;
    fi;
    if [[ "$cmdLnOpt" == "-6" || "$cmdLnOpt" == "-U" ]] ; then
        ((nfiD6++)) ; nfRulesD6[nfiD6]="    # RULES SECTION for IPv6 (Port & Address based):" ; # echo "${nfRulesD6[nfiD6]}" ;
        ((nfiD6++)) ; nfRulesD6[nfiD6]="    " ; # echo "${nfRulesD6[nfiD6]}" ;
    fi;
    if [[ "$cmdLnOpt" == "-6" ]] ; then
        ((nfiP6++)) ; nfRulesP6[nfiP6]="    # RULES SECTION for IPv6 (Port based):" ; # echo "${nfRulesP6[nfiP6]}" ;
        ((nfiP6++)) ; nfRulesP6[nfiP6]="    " ; # echo "${nfRulesP6[nfiP6]}" ;
    fi;
    
    if [[ "$cmdLnOpt" == "-6" || "$cmdLnOpt" == "-U" ]] ; then
        # Below "while" is reading/loading 4 data from 4 columns (1st,
        #  4th, 8th, 9th) into 4 variables from "netstat" output,
        #  & looping/iterating for each line of netstat output:
        while read proto adrs_port pid_program_8 pid_program_9 ; do
            portNumber=${adrs_port##*:} ;
            proto=${proto%%6} ;
            # when it is "tcp" then "program" is shown in column #9:
            if [[ "$proto" == "tcp" ]] ; then
                program=${pid_program_9#*/} ;
            else
                # when it is not-tcp, then "program" info is in column #8:
                program=${pid_program_8#*/} ;
            fi ;
            # get only the IPv6-adrs portion, by matching & removing the port number at-end:
            ipAdrs=${adrs_port%%:${portNumber}} ;
            # if the current line is not a local IPv6 address, then process it:
            if [[ "$ipAdrs" != "::1" ]] ; then
                if [[ "$ipAdrs" == "::" ]] ; then
                    # Rules for ALL IPv6 addresses:
                    if [[ "$cmdLnOpt" == "-6" ]] ; then
                        ((nfiP6++)) ; nfRulesP6[nfiP6]="    # $(portNumToName ${portNumber})(${portNumber}), (${program})" ; # echo "${nfRulesP6[nfiP6]}" ;
                        ((nfiP6++)) ; nfRulesP6[nfiP6]="    ${proto} dport ${portNumber} accept" ; # echo "${nfRulesP6[nfiP6]}" ;
                        ((nfiP6++)) ; nfRulesP6[nfiP6]="    " ; # echo "${nfRulesP6[nfiP6]}" ;
                    fi;
                    if [[ "$cmdLnOpt" == "-U" ]] ; then
                        ((nfiPU++)) ; nfRulesPU[nfiPU]="    # $(portNumToName ${portNumber})(${portNumber}), (${program})" ; # echo "${nfRulesPU[nfiPU]}" ;
                        ((nfiPU++)) ; nfRulesPU[nfiPU]="    ${proto} dport ${portNumber} accept" ; # echo "${nfRulesPU[nfiPU]}" ;
                        ((nfiPU++)) ; nfRulesPU[nfiPU]="    " ; # echo "${nfRulesPU[nfiPU]}" ;
                    fi;
                else    # for  if [[ "$ipAdrs" == "::" ]]
                    # Rules for Specific one IPv6 address:
                    ((nfiD6++)) ; nfRulesD6[nfiD6]="    # $(portNumToName ${portNumber})(${portNumber}), (${program})" ; # echo "${nfRulesD6[nfiD6]}" ;
                    ((nfiD6++)) ; nfRulesD6[nfiD6]="    ${proto} dport ${portNumber} ip6 daddr ${ipAdrs} accept" ; # echo "${nfRulesD6[nfiD6]}" ;
                    ((nfiD6++)) ; nfRulesD6[nfiD6]="    " ; # echo "${nfRulesD6[nfiD6]}" ;
                fi ;    # End of  if [[ "$ipAdrs" == "::" ]]
            fi ;    # End of  if [[ "$ipAdrs" != "::1" ]]
        done < <(/usr/bin/netstat -6 -tulpenW 2>/dev/null | /usr/bin/awk '$1 ~ /^(tcp|udp)/ { print $1, $4, $8, $9 }' ) ;
    fi;    # End of  if [[ "$cmdLnOpt" == "-6" || "$cmdLnOpt" == "-U" ]]
    
    
    # Creating header "comment" line, to indicate which type of RULES SECTION:
    if [[ "$cmdLnOpt" == "-4" || "$cmdLnOpt" == "-U" ]] ; then
        ((nfiD4++)) ; nfRulesD4[nfiD4]="    # RULES SECTION for IPv4 (Port & Address based):" ; # echo "${nfRulesD4[nfiD4]}" ;
        ((nfiD4++)) ; nfRulesD4[nfiD4]="    " ; # echo "${nfRulesD4[nfiD4]}" ;
    fi;
    if [[ "$cmdLnOpt" == "-4" ]] ; then
        ((nfiP4++)) ; nfRulesP4[nfiP4]="    # RULES SECTION for IPv4 (Port based):" ; # echo "${nfRulesP4[nfiP4]}" ;
        ((nfiP4++)) ; nfRulesP4[nfiP4]="    " ; # echo "${nfRulesP4[nfiP4]}" ;
    fi;
    
    if [[ "$cmdLnOpt" == "-4" || "$cmdLnOpt" == "-U" ]] ; then
        # Below "while" is reading/loading 4 data from 4 columns (1st, 4th, 8th, 9th)
        #  into 4 variables from "netstat" output, & looping/iterating for each line
        #  of netstat output:
        while read proto adrs_port pid_program_8 pid_program_9 ; do
            portNumber=${adrs_port##*:} ;
            if [ "$proto" == "tcp" ] ; then
                program=${pid_program_9#*/} ;
            else
                program=${pid_program_8#*/} ;
            fi ;
            # get only the IPv4-adrs portion, by matching & removing the port number at-end:
            ipAdrs=${adrs_port%%:${portNumber}} ;
            # if the current line is not a local IPv4 address, then process it:
            if [[ "$ipAdrs" != "127.0.0.1" ]] ; then
                if [[ "$ipAdrs" == "0.0.0.0" ]] ; then
                    if [[ "$cmdLnOpt" == "-4" ]] ; then
                        # Rules for ALL IPv4 addresses:
                        ((nfiP4++)) ; nfRulesP4[nfiP4]="    # $(portNumToName ${portNumber})(${portNumber}), (${program})" ; # echo "${nfRulesP4[nfiP4]}" ;
                        ((nfiP4++)) ; nfRulesP4[nfiP4]="    ${proto} dport ${portNumber} accept" ; # echo "${nfRulesP4[nfiP4]}" ;
                        ((nfiP4++)) ; nfRulesP4[nfiP4]="    " ; # echo "${nfRulesP4[nfiP4]}" ;
                    fi;    # End of  if [[ "$cmdLnOpt" == "-4" ]]
                    if [[ "$cmdLnOpt" == "-U" ]] ; then
                        # Find out if current "tcp/udp dport" rule exists in ..PU or not, if existed then set a flag:
                        nfRulesFound=0;
                        for LineInNfRules in "${nfRulesPU[@]}" ; do
                            if [[ "$LineInNfRules" == "    ${proto} dport ${portNumber} accept" ]] ; then
                                nfRulesFound=1;
                                break;
                            fi;
                        done;
                        # If "nfRulesFound" flag is still 0, only then load current "tcp/udp dport" in ..PU:
                        if [[ $nfRulesFound -eq 0 ]] ; then
                            ((nfiPU++)) ; nfRulesPU[nfiPU]="    # $(portNumToName ${portNumber})(${portNumber}), (${program})" ; # echo "${nfRulesPU[nfiPU]}" ;
                            ((nfiPU++)) ; nfRulesPU[nfiPU]="    ${proto} dport ${portNumber} accept" ; # echo "${nfRulesPU[nfiPU]}" ;
                            ((nfiPU++)) ; nfRulesPU[nfiPU]="    " ; # echo "${nfRulesPU[nfiPU]}" ;
                        fi;
                    fi;    # End of  if [[ "$cmdLnOpt" == "-U" ]] 
                else    # for  if [[ "$ipAdrs" == "0.0.0.0" ]]
                    # Rules for Specific one IPv4 address:
                    ((nfiD4++)) ; nfRulesD4[nfiD4]="    # $(portNumToName ${portNumber})(${portNumber}), (${program})" ; # echo "${nfRulesD4[nfiD4]}" ;
                    ((nfiD4++)) ; nfRulesD4[nfiD4]="    ${proto} dport ${portNumber} ip daddr ${ipAdrs} accept" ; # echo "${nfRulesD4[nfiD4]}" ;
                    ((nfiD4++)) ; nfRulesD4[nfiD4]="    " ; # echo "${nfRulesD4[nfiD4]}" ;
                fi ;    # End of  if [[ "$ipAdrs" == "0.0.0.0" ]]
            fi ;    # End of  if [[ "$ipAdrs" != "127.0.0.1" ]]
        done < <(/usr/bin/netstat -4 -tulpenW 2>/dev/null | /usr/bin/awk '$1 ~ /^(tcp|udp)/ { print $1, $4, $8, $9 }' ) ;
    fi;    # End of  if [[ "$cmdLnOpt" == "-4" || "$cmdLnOpt" == "-U" ]]
    
    
    # Show netstat-to-nftables-rules conversion OUTPUT:
    #  by default show nftables "inet" (filter table) section's rules:
    #  or show "ip" section rules if command parameter was -4
    #  or show "ip6" section rules if command parameter was -6
    case "$1" in
        (-4)
            for LineInNfRules in "${nfRulesP4[@]}" ; do
                echo "$LineInNfRules";
            done;
            for LineInNfRules in "${nfRulesD4[@]}" ; do
                echo "$LineInNfRules";
            done;
        ;;
        (-6)
            for LineInNfRules in "${nfRulesP6[@]}" ; do
                echo "$LineInNfRules";
            done;
            for LineInNfRules in "${nfRulesD6[@]}" ; do
                echo "$LineInNfRules";
            done;
        ;;
        (*)
            for LineInNfRules in "${nfRulesPU[@]}" ; do
                echo "$LineInNfRules";
            done;
            for LineInNfRules in "${nfRulesD6[@]}" ; do
                echo "$LineInNfRules";
            done;
            for LineInNfRules in "${nfRulesD4[@]}" ; do
                echo "$LineInNfRules";
            done;
    esac;

fi;    # End of  if [[ "$cmdLnOpt" != "-h" ]]

#ClearAndExit#

# Clear variables & functions:
unset proto;
unset adrs_port;
unset pid_program_8;
unset pid_program_9;
unset portNumber;
unset program;
unset ipAdrs;

unset nfiD4;
unset nfiP4;
unset nfiD6;
unset nfiP6;
unset nfiPU;

unset -v nfRulesD4;
unset -v nfRulesP4;
unset -v nfRulesD6;
unset -v nfRulesP6;
unset -v nfRulesPU;
unset -f portNumToName;

unset nfRulesFound;
unset LineInNfRules;
unset cmdLnOpt;

Later I/we will integrate further code to add more practical rules regarding basic server functionalities, like allowing ICMP, NDP, etc. (for the ip, ip6, and inet nftables tables), based on detected LISTEN port+app services.