
[Postfix] Limiting outbound FROM domains

An app on our server allowed customers to pick whatever FROM address they wanted for their email alerts, including the domain. This completely skewed our statistics over at SparkPost, as we were attempting to send emails from unverified domains like a.com, none.com, dont.care etc.

I was growing tired of waiting for the developers to move their ass, so I decided to step in. This is how you limit your outbound emails to specific domains:

Edit /etc/postfix/header_checks

# Only inspect From: headers. The negated (!) rule below fires when the From:
# line does NOT contain one of our domains, and DISCARD silently drops the mail.
if /^From:/
!/(^From:.*domain\.com|^From:.*domain\.net|^From:.*domain\.co\.il)/ DISCARD SEND FROM THE RIGHT DOMAINS ASSHOLE
endif

Edit /etc/postfix/main.cf

header_checks = pcre:/etc/postfix/header_checks

Restart or reload Postfix.

And there you have it.
All emails should now be from either domain.com, domain.co.il or domain.net.
The rest will be discarded.
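To see what the header_checks rule above actually lets through, here is an added Python emulation of it (example code, not part of the original post and not Postfix itself). It evaluates the post's pattern, plus a tightened variant that is an assumption of this example, against a few constructed From: headers. The point it shows is that `.*domain\.com` matches the string anywhere in the line, so a From: address under `domain.com.attacker.example` or `notdomain.com` still passes the post's rule, while the tightened pattern requires the allowed domain to be the whole domain after the `@`.

```python
import re

# Pattern exactly as it appears in the post's /etc/postfix/header_checks.
# Postfix pcre tables match case-insensitively unless the /i flag is toggled,
# so the emulation compiles it with re.IGNORECASE.
LOOSE_ALLOW = re.compile(
    r"(^From:.*domain\.com|^From:.*domain\.net|^From:.*domain\.co\.il)",
    re.IGNORECASE,
)

# Tightened pattern (an assumption of this example, not from the post): the
# allowed domain must be the whole domain of the address, i.e. it must
# immediately follow "@" and be followed only by an optional ">" and whitespace.
# "domain.com" nested inside "domain.com.attacker.example" no longer qualifies.
STRICT_ALLOW = re.compile(
    r"^From:.*@(domain\.com|domain\.net|domain\.co\.il)>?\s*$",
    re.IGNORECASE,
)


def header_checks_action(header_line: str, allow: re.Pattern) -> str:
    """Emulate the post's header_checks block for one logical header line.

    Inside `if /^From:/ ... endif`, the negated rule `!/.../ DISCARD` fires when
    the allow pattern does NOT match, so a From: line is kept only if it
    matches. Other headers never enter the if-block and pass through.
    """
    if not re.match(r"^From:", header_line, re.IGNORECASE):
        return "OK"
    return "OK" if allow.search(header_line) else "DISCARD"


# Constructed sample headers (not from the post).
SAMPLE_HEADERS = [
    "From: Alice <alice@domain.com>",
    "From: ops@domain.co.il",
    "From: nobody@dont.care",
    "From: Mallory <mallory@domain.com.attacker.example>",
    "From: bob@notdomain.com",
    "Subject: domain.com quarterly report",
]


def compare_patterns(headers=SAMPLE_HEADERS) -> dict:
    """Return {header: (action with the post's pattern, action with the strict pattern)}."""
    return {
        h: (header_checks_action(h, LOOSE_ALLOW), header_checks_action(h, STRICT_ALLOW))
        for h in headers
    }


if __name__ == "__main__":
    print(f"{'post':8} {'strict':8} header")
    for header, (loose, strict) in compare_patterns().items():
        print(f"{loose:8} {strict:8} {header}")
```

On a real box the same comparison can be made without sending mail by querying the map with `postmap -q "From: mallory@domain.com.attacker.example" pcre:/etc/postfix/header_checks`, which prints the action Postfix would take.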


Fixing ESP Packet with Unknown SPI

I was having some weird times with our virtual FortiGate appliance.
It had a very steady IPsec VPN connection with one of our sites, but for some reason packets were being dropped for no good reason even though the tunnel remained up.

I found the following in the logs:


“Received ESP packet with unknown SPI”.
Official Fortigate KBs claim that turning on DPD should prevent this from happening.
In practice it did NOT.
My intuition told me this had something to do with PFS, since it forces a fresh Diffie-Hellman exchange (and thus new keys) on every Phase 2 rekey. I was right: after disabling it the tunnel became rock solid.

Cheers


Synching folders between multiple servers

After a DFSR meltdown and spending an entire day trying to figure out why it would not sync anymore, I decided to go for an alternative.
I needed something relatively simple:

– Runs as a service
– Preferably free
– No hosting server required, unlike with ownCloud

Surprisingly, this was MUCH harder to find than I thought, as even paid products were either incredibly lacking or stupidly overpriced.

Then I found this:

https://forum.syncthing.net/t/syncthing-windows-installer/2009

It does all of the above with ease.

How to block a default route received via BGP on a Fortigate

Problem:

Solution:

config router access-list
    edit "Block_Def_Route"
        config rule
            edit 1
                set action deny
                set exact-match enable
            next
            edit 2
                set exact-match disable
            next
        end
    next
end

config router bgp
    config neighbor
        edit "10.40.15.1"
            set distribute-list-in "Block_Def_Route"
            set remote-as 6167
            set route-map-out "Verizon_Prepend1"
        next
        edit "10.40.16.1"
            set distribute-list-in "Block_Def_Route"
            set remote-as 6167
            set route-map-out "Verizon_Prepend"
        next
    end
end
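The access-list above relies on two FortiOS defaults: a rule's prefix defaults to "any" (0.0.0.0/0) and its action defaults to permit. Rule 1 therefore denies only a route that is exactly 0.0.0.0/0, and rule 2 permits everything else. The following Python emulation of that matching logic is an added example (not from the post and not FortiOS code); the received prefixes it feeds in are constructed, and the second rule set is a deliberately misconfigured copy that shows why `exact-match enable` matters: with it disabled, an "any" deny rule swallows every route.

```python
import ipaddress

# The post's Block_Def_Route access-list, transcribed with the FortiOS defaults
# filled in (prefix "any", action "permit" unless set otherwise).
BLOCK_DEF_ROUTE = [
    {"id": 1, "prefix": "any", "exact_match": True, "action": "deny"},
    {"id": 2, "prefix": "any", "exact_match": False, "action": "permit"},
]

# Constructed misconfiguration for contrast: exact-match left disabled on rule 1.
MISCONFIGURED = [
    {"id": 1, "prefix": "any", "exact_match": False, "action": "deny"},
    {"id": 2, "prefix": "any", "exact_match": False, "action": "permit"},
]


def _rule_network(prefix: str) -> ipaddress.IPv4Network:
    """'any' means 0.0.0.0/0; otherwise FortiOS writes the prefix as 'network mask'."""
    if prefix == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    net, mask = prefix.split()
    return ipaddress.IPv4Network(f"{net}/{mask}")


def access_list_action(route: str, rules) -> str:
    """First matching rule wins; a route matching no rule is denied (the implicit
    deny at the end of the list is why the post needs rule 2 at all).

    exact-match enable : the route must equal the rule prefix exactly
    exact-match disable: the route only has to fall inside the rule prefix, so an
                         "any" rule then matches every route
    """
    net = ipaddress.IPv4Network(route)
    for rule in rules:
        rule_net = _rule_network(rule["prefix"])
        if rule["exact_match"]:
            matched = net == rule_net
        else:
            matched = net.subnet_of(rule_net)
        if matched:
            return rule["action"]
    return "deny"


# Constructed sample of prefixes announced by the neighbor (not from the post).
RECEIVED = ["0.0.0.0/0", "0.0.0.0/1", "10.40.0.0/16", "203.0.113.0/24"]


def apply_distribute_list(rules, received=RECEIVED) -> dict:
    """Return {prefix: action} as distribute-list-in would decide for each prefix."""
    return {r: access_list_action(r, rules) for r in received}


if __name__ == "__main__":
    for name, rules in (("Block_Def_Route", BLOCK_DEF_ROUTE), ("exact-match disabled", MISCONFIGURED)):
        print(name, apply_distribute_list(rules))
```

Note that the list only rejects an exact 0.0.0.0/0: a neighbor announcing the two halves 0.0.0.0/1 and 128.0.0.0/1 would still be accepted, so check what is actually arriving with `get router info bgp neighbors 10.40.15.1 received-routes` rather than assuming the filter covers it.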

Downed IIS Websites and Application Pools Reports

As it seems, one of the dev guys disabled one of our production applications... and forgot to bring it back up. The result: some not-too-happy customers didn't receive their reports on time.

The following script will report back via email Application Pools that have been stopped:

http://pastebin.com/rgGfYihY

The following script will report back via email Websites that have been disabled:

http://pastebin.com/39X5ma

JV

How to fix: iprope_in_check() check failed on policy 0, drop

The above line is a debug message I grabbed from one of our Forti units.

My issue was very simple.

One policy, which was SNATing traffic through a tunnel, was simply not getting any hits, so the packets were being dropped. I pulled many hairs on this one until some angel on the Israeli Fortigate Facebook page helped me figure it out.

If you are seeing this line then you are probably, like me, trying to send traffic outwards from an IP that is ALREADY ASSIGNED somewhere IN YOUR NETWORK. That's right: look at your router's interface addresses, including DMZ/MGMT etc. You are likely to find the same address configured there.