
Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-08-22 23:43
by jimimaseye
v1.72
* remove unnecessary blank lines for minor space savings in DOMAINS to reduce report length

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-08-25 08:39
by jimimaseye
v 1.73
* Bug fix to still show EVENT log path even when the log is non-existent (and state as such)

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-09-01 15:54
by jimimaseye
v1.74
* Removed unnecessary score values where Enabled=False on ANTISPAM

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-10-14 13:51
by jimimaseye
v1.75

* (Cosmetic). Linewrap of CUSTOMAV entry for tidiness.

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-10-28 12:10
by jimimaseye
v1.76

* Added listing of ROUTES under SMTP protocol (showing internal and masked external domain routes)

eg

Code: Select all

  Routes:
        Domain2.com              - Addresses: All
        Alias1.com               - Addresses: All
        rexxxxx.hoxxxx.net       - Addresses: Selective   !! NO ADDRESSES LISTED !!

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-11-02 11:14
by jimimaseye
v1.77

* Added MIRRORING

Code: Select all

-----------------------------------------------------------------------------------------------

MIRRORING         user@maxx.ouxxx.com
-----------------------------------------------------------------------------------------------

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-11-02 13:32
by mattg
:D

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-11-03 16:38
by jimimaseye
v1.78

* Bug fix for incorrect SIGNATURE 'Local' boolean.
* Re-ordered the ANTISPAM entries to match that of Admin screen layout
* Added specific information where entries are found but not active for DNSBL, SURBL, and Greylist-enabled Domains
eg

Code: Select all

Greylist DOMAINS enabled:
  !! No active domains enabled - GREYLISTING INEFFECTIVE !!

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-11-08 22:02
by jimimaseye
v1.80

* Minor redesign/reorder of the SMTP RELAY entry.
* Checks RELAYS and ROUTES to ensure they don't have incestuous resolution back to the server.

Note: Lookups only if the external ip address can be determined (some company firewalls, for example, may block this ability to self find) - ignoring the lookups if it can't (saving time and flashing).
  • It should report if lookup is good - "(ok)"
  • Lookups against internal IP address not available - "(Unable to check - LAN IP not available)" - (although I hope this is never the case)
  • Lookups point to Lan address - "!! POINTS TO SERVER'S LAN IP ADDRESS !!"
  • Route resolves to own external address - "!! TARGET RESOLVES TO SELF !!"
  • Route doesn't resolve - "!! Target does not resolve !!"
  • Relay points to self - "!!POINTS TO LOCAL DOMAIN!!"
  • Relay resolves to local server - "!! RESOLVES TO LOCAL SERVER !!"
  • Relay lookups not done due to own external ip not obtainable - "(unchecked)" - (company firewalls/proxies etc interfering)
  • Route not possible as external IP address of server is not available - "(No incest check - ext. IP unavailable)"
  • Route not possible as internal NIC addresses of server are not available - "(Unable to check - LAN IP unavailable)"
I've also done some minor layout changes around the SMTP Relayer.

!! CAPITALS !! are problems
!! Proper case !! are warnings that you may like to address or ignore but have consequences
(info) are for information

Example (showing some of the !! errors !! that can appear):

Code: Select all

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  4 Mins:  5   Plain Text:        False  Bind: 
                     Host: Domain1.com         Empty sender:       True  Batch recipients:   100
Max Msg Size: 20480  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                      EXTERNAL.TLD             Disc. on invalid:   True  Delivered-To hdr: False
                  !! RESOLVES TO LOCAL SERVER !!
                     Port:  25                 Max number commands:   2  Loop limit:           5
                     Req Auth: True !! NO USER SET !!                    Recipient hosts:     15
                     Con. Sec.: SSL/TLS
  Routes:
        daxxxxxxxx.co.uk         - Addresses: All         !! TARGET RESOLVES TO SELF !!
        daxxxx.hoxxxx.net        - Addresses: All         !! Target does not resolve !!
        yaxxx.com                - Addresses: All         (ok)

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-11-08 23:41
by mattg
Can we get details of the SSL certs (like we do for DKIM certs) added please, and TCP/IP can include which cert is used for the various security protocols

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-11-09 00:04
by jimimaseye
Noted. I'll put it on the 'to do' list to look into it.

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-11-09 15:18
by paultilley100
Just ran this on my server and noticed that the ANTISPAM section, WHITELISTING area is listing the email address in clear text.

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-11-09 15:44
by jimimaseye
paultilley100 wrote:Just ran this on my server and noticed that the ANTISPAM section, WHITELISTING area is listing the email address in clear text.
The reason for that is for tracing problems where people say "I have antispam set yet it is not blocking this spam". With whitelist entries showing we can highlight that the cause is because the email sender has been whitelisted. It has happened a few times where people simply don't understand whitelisting and inadvertently whitelist everyone (eg, " 0.0.0.0 to 255.255.255.255 * "). (As whitelist addresses are EXTERNAL references it shouldn't be any security concern for the local server.) However, users are free to obfuscate the entries if they wish to and the reason for the diags does not involve a scenario as mentioned.

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-11-09 23:21
by jimimaseye
v1.82

* Added route and relay checking to also check local HOSTS file (as well as DNS) for incest.

Routes/relays will return with error: !! POINTS TO LOCAL SERVER BY 'HOSTS' ENTRY !!
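
The route checks announced in v1.80 and v1.82 above, as an added Python example that is not part of the thread or of jimimaseye's script. The status strings are copied from the posts; the function names, the order in which the checks are applied, the injected `resolve` callable and all sample names and addresses are assumptions constructed for illustration.

```python
import ipaddress

# Status strings copied from the report excerpts in this thread.
OK = "(ok)"
NO_RESOLVE = "!! Target does not resolve !!"
SELF = "!! TARGET RESOLVES TO SELF !!"
LAN = "!! POINTS TO SERVER'S LAN IP ADDRESS !!"
BY_HOSTS = "!! POINTS TO LOCAL SERVER BY 'HOSTS' ENTRY !!"
NO_EXT = "(No incest check - ext. IP unavailable)"
NO_LAN = "(Unable to check - LAN IP unavailable)"


def parse_hosts(text):
    """Parse HOSTS-file text into {lowercase name: set of addresses}."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: ignore rather than abort the report
        for name in fields[1:]:
            table.setdefault(name.lower(), set()).add(ip)
    return table


def check_route(target, resolve, hosts, lan_ips, external_ip):
    """Classify one route target. The order of the checks is an assumption."""
    name = target.lower().rstrip(".")
    lan = {ipaddress.ip_address(a) for a in lan_ips}
    ext = ipaddress.ip_address(external_ip) if external_ip else None

    # A HOSTS entry overrides DNS on the server itself, so it is tested first.
    pinned = hosts.get(name)
    if pinned:
        local = any(ip.is_loopback or ip in lan or ip == ext for ip in pinned)
        return BY_HOSTS if local else OK
    if ext is None:
        return NO_EXT  # per the thread, lookups are skipped without an external IP
    if not lan:
        return NO_LAN
    answers = {ipaddress.ip_address(a) for a in resolve(name)}
    if not answers:
        return NO_RESOLVE
    if any(ip.is_loopback or ip in lan for ip in answers):
        return LAN
    if ext in answers:
        return SELF
    return OK


# Constructed sample data (documentation address ranges, made-up names).
SAMPLE_HOSTS = """\
127.0.0.1      localhost
192.168.0.10   backup.example.org   # pinned to this server's NIC
"""
SAMPLE_DNS = {
    "self.example.com": ["203.0.113.10"],  # the server's own public address
    "lan.example.com": ["192.168.0.10"],
    "good.example.com": ["198.51.100.7"],
}


def sample_report(lan_ips=("192.168.0.10",), external_ip="203.0.113.10"):
    """Run every sample target through check_route and return {target: status}."""
    hosts = parse_hosts(SAMPLE_HOSTS)
    targets = list(SAMPLE_DNS) + ["gone.example.com", "backup.example.org"]
    return {t: check_route(t, lambda n: SAMPLE_DNS.get(n, []), hosts,
                           lan_ips, external_ip) for t in targets}


if __name__ == "__main__":
    for target, status in sample_report().items():
        print(f"{target:<24} - {status}")
```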

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-11-10 13:55
by paultilley100
jimimaseye wrote:
paultilley100 wrote:Just ran this on my server and noticed that the ANTISPAM section, WHITELISTING area is listing the email address in clear text.
The reason for that is for tracing problems where people say "I have antispam set yet it is not blocking this spam". With whitelist entries showing we can highlight that the cause is because the email sender has been whitelisted. It has happened a few times where people simply don't understand whitelisting and inadvertently whitelist everyone (eg, " 0.0.0.0 to 255.255.255.255 * "). (As whitelist addresses are EXTERNAL references it shouldn't be any security concern for the local server.) However, users are free to obfuscate the entries if they wish to and the reason for the diags does not involve a scenario as mentioned.
Understood - It was just that I saw one of my addresses in there - a whitelisted address from our internal VOIP phone system (sending voicemails), which I wouldn't want displayed publicly. Sorry for wasting your time, but I thought it might be important to people if they didn't realise this, and blindly posted their results.

First time I have run this script - thought I would investigate to be prepared for when something goes wrong, rather than firefight in a blind panic ;-)

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-11-11 01:56
by mattg
I understand both sides to this, and I agree with both

jimimaseye could the email addresses in the whitelists be changed so that they read something like
name[at]example[dot]com

This way they won't be easily picked up by bots searching this forum

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-11-11 17:02
by jimimaseye
v1.84

* Internals. A rework of RELAY/ROUTES coding.

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-11-25 13:26
by jimimaseye
v1.85

* Disguise whitelist addresses to "user[@t]domain[dot]com" format to confuse/break email address scrapers
* Add "!! No SMTP Port 25 defined. Direct external SMTP inbound not possible !!" warning (to TCPIP ports) if SMTP is enabled but no port 25 is set
* Added warnings on ip range 0.0.0.0 - 255.255.255.255 if External to Local is disabled or requires authentication.
* Removed the 'Deliveries' settings when SMTP protocol = false for IP RANGES or the SMTP protocol is disabled

eg

Code: Select all

IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True           !! External To Local    -  True !!
       !! EXTERNAL INBOUND ON SUB IP RANGES OR EXTERNAL DOWNLOADS ONLY !!  
     External To External - False           

OR

IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    - False     !! Inbound on Sub IP ranges or External Downloads only !! 
     External To External - False           

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-11-26 14:32
by jimimaseye
mattg wrote:Can we get details of the SSL certs (like we do for DKIM certs) added please, and TCP/IP can include which cert is used for the various security protocols
Done

v1.86

* Added the SSL certificate details list and state the name against the TCPIP ports

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-11-27 01:10
by mattg
Purely cosmetic feedback - great work jimimaseye

In IP ranges, slight spacing adjustment needed - require AUTH External to local

Code: Select all

IP RANGES

IP: 127.0.0.1 - 127.0.0.1     Priority: 60     Name: this Computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True       External To Local    - False
     External To External -  True              External To External -  True
SSL Certs, should be certificate file and Private 'KEY' file (The word Key is missing)

Code: Select all

SSL CERTIFICATES
   LetsEncrypt
           Certificate: \\192.168.0.193\mx.Domain6.com\fullchain.pem
           Private:     \\192.168.0.193\mx.Domain6.com\privkey.pem
-----------------------------------------------------------------------------------------------

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-11-27 09:42
by jimimaseye
mattg wrote:Purely cosmetic feedback - great work jimimaseye

In IP ranges, slight spacing adjustment needed - require AUTH External to local
.....
SSL Certs, should be certificate file and Private 'KEY' file (The word Key is missing)
....
Cheers.

Done. (same v1.86)

(Can't understand how I cocked up the External to Local formatting when I was only adding SSL stuff. I must have been sleepwalking).

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-12-02 00:48
by jimimaseye
v1.87
* Added warning for missing/invalid SSL certificates stated in TCPIP PORTS.

eg,

Code: Select all

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   StartTLS Required   !! NO VALID CERTIFICATE !!
               0.0.0.0         / 110   / POP3   -   None                
               0.0.0.0         / 143   / IMAP   -   StartTLS Required   Cert: SSL2
               0.0.0.0         / 587   / SMTP   -   None                
-----------------------------------------------------------------------------------------------

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-12-02 01:37
by mattg
Port 25 StartTLS 'required' and 'SSL' should also be flagged as incorrect

Port 25 should ALWAYS be StartTLS Optional or No Security, else limited mail from the internet

Oh and do your magic with hiding domain names on the certificate names and disk storage locations please...

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-12-02 03:22
by mikedibella
Oh and do you magic with hiding domain names on the certificate names and disk storage locations please...
That's how I got the certificate file from the other case. If you don't intend for that to be possible, you should obfuscate both the file name and the subject of the certificate since they both typically contain the FQDN of the published interface.

As I said in my other post, only the key is sensitive data. If you know the layer 3 address of a published SSL/TLS interface, it is rudimentary to extract the certificate using openssl.exe or another tool. It is certainly not an "exfiltration" since reading this data is required to perform SSL/TLS negotiation.

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-12-02 03:29
by mattg
Yep, I get that.

jimimaseye has said that he doesn't want domain names shown in this report in general.
Other things that can happen with the domain name include DNS MX record checks, which is often useful in tracking down tricky problems.

This board gets read by many bots looking for information that can be used for nefarious means. We've seen servers attacked hours after posting poor configuration, so we need to be careful about what information is publicly accessible.

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-12-02 03:33
by mikedibella
Know that my efforts here are always good faith attempts to uphold the spirit of "community supported." I really appreciate the value I get from hMailServer and want to pay it forward...

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-12-02 06:01
by mattg
understood and appreciated.

I'm self taught, a manager of healthcare facilities by vocation, not a trained tech.
I definitely don't want to scare anyone away from helping out with answers.

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-12-02 14:03
by jimimaseye
mattg wrote:Oh and do you magic with hiding domain names on the certificate names and disk storage locations please...
It already does (on the path name). But it can only mask domains that actually exist as a Domain or Alias in the settings (and consequently have a pseudonym) - if it doesn't then it is an unrecognisable string of characters and it can't possibly know what is a domain/FQDN and what isn't.

I'll work on masking the certificate name (under the same conditions)

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-12-02 14:45
by jimimaseye
v1.88
* Give pseudonym references to local domains and aliases in SSL certificates names and paths.
* Give warning when SSL/StartTLS is required on port 25 for SMTP

eg

Code: Select all

-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   StartTLS Required   !! External Email Blocked !!
-----------------------------------------------------------------------------------------------
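
The masking discussed above (whitelist addresses rewritten to the "user[@t]domain[dot]com" form in v1.85, and pseudonyms for local domains and aliases in certificate names and paths in v1.88), as an added Python example that is not part of the thread or of jimimaseye's script. The function names, the "DomainN.com"/"AliasN.com" numbering scheme and the sample report text are assumptions constructed for illustration; as jimimaseye notes, a hostname that is not a configured Domain or Alias cannot be recognised and is left as it is.

```python
import re

EMAIL = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def build_pseudonyms(domains, aliases=()):
    """Map each configured domain/alias to a numbered stand-in.
    The 'DomainN.com' / 'AliasN.com' naming is assumed from the excerpts."""
    table = {d.lower(): f"Domain{i}.com" for i, d in enumerate(domains, 1)}
    table.update({a.lower(): f"Alias{i}.com" for i, a in enumerate(aliases, 1)})
    return table


def mask_known_domains(text, table):
    """Replace configured domains, also inside FQDNs, paths and cert names."""
    if not table:
        return text
    # Longest first, so 'example.com.au' wins over 'example.com'.
    names = sorted(table, key=len, reverse=True)
    pattern = re.compile(
        r"(?<![A-Za-z0-9-])(" + "|".join(re.escape(n) for n in names)
        + r")(?![A-Za-z0-9-])", re.IGNORECASE)
    return pattern.sub(lambda m: table[m.group(1).lower()], text)


def disguise_addresses(text):
    """Rewrite user@host.tld as user[@t]host[dot]tld to defeat scrapers."""
    return EMAIL.sub(
        lambda m: f"{m.group(1)}[@t]{m.group(2).replace('.', '[dot]')}", text)


def redact(text, table):
    """Pseudonymise known domains first, then disguise what addresses remain."""
    return disguise_addresses(mask_known_domains(text, table))


def residual_leaks(text, table):
    """Pre-posting check: configured domains or raw addresses still present."""
    lowered = text.lower()
    found = [d for d in sorted(table) if d in lowered]
    found += [m.group(0) for m in EMAIL.finditer(text)]
    return found


# Constructed sample report fragment (made-up names and paths).
SAMPLE = r"""
SSL CERTIFICATES
   LetsEncrypt-mx.example.org
           Certificate: \\fileserver\mx.example.org\fullchain.pem
           Private Key: \\fileserver\mx.example.org\privkey.pem
   Whitelist: voicemail@pbx.example.org
   Relay: smtp.upstream-isp.net
"""

if __name__ == "__main__":
    table = build_pseudonyms(["example.com", "example.org"], ["example.net"])
    cleaned = redact(SAMPLE, table)
    print(cleaned)
    print("leaks before:", residual_leaks(SAMPLE, table))
    print("leaks after: ", residual_leaks(cleaned, table))
```

The relay host in the sample survives redaction because it is not a configured domain, which is the limitation described in the post above; such names need masking by hand before a report is posted.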

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2017-12-03 02:54
by mattg
Perhaps a warning on SMTP relayer, where port 25 is picked plus SSL/TLS.

Port 25 with StartTLS may work for some providers although most will be 587 + StartTLS, or 25 + no security, or 465 + SSL/TLS

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2018-01-10 23:54
by mattg
viewtopic.php?f=7&t=32256&p=201577#p201576

Route detail needs to show the switches please, ie whether or not the recipient and sender are considered local or external

Also what does
!! Warning: DEFAULT DOMAIN is SET !! - "EXTERNAL.TLD"
mean?
Does that mean that the user picked a completely different domain than they host as the default, one that matches the 'local server name' in SMTP?

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2018-01-11 01:08
by jimimaseye
ROUTES: I'm thinking about adding an option at run time to include route detail (or even a separate script to list the routes out). Under normal situations they are not needed but occasionally......
mattg wrote: Also what does
!! Warning: DEFAULT DOMAIN is SET !! - "EXTERNAL.TLD"
mean?
Does that mean that the user picked a completely different domain than they host as the default, one that matches the 'local server name' in SMTP?
Yes. They have entered a domain that isn't one of their hosted domains so doesn't appear as any of the pseudos (domain1.com, domain2.com etc) and so it's external to this server. (Of course it may also be sub.domain1.com too but that is also not normally ideal)

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2018-01-28 14:30
by jimimaseye
mattg wrote: Route detail needs to show the switches please, ie whether or not the recipient and sender are considered local or external
Done.

v1.89
* Routes now show the switches against 'S' (sender) and 'R' (recipient).

Adjusted layout:

Code: Select all

  Routes:
    Domain2.com              - S: Local   R: Remote - Addr: All         (ok)

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2018-01-29 01:30
by jimimaseye
(Coming soon. I'm working on RULES output. Very in-depth......)

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2018-01-30 00:20
by jimimaseye
v1.90

* Added RULES

When running the script there is now a 3rd prompt asking whether to include rules or not (default = N). Under normal circumstances they are not required but if dealing with someone where they are important simply ask them to "run the script and reply 'Y' to the 3rd prompt." (They appear immediately after the domains and the domain names are masked). NOTE: the rules appear in order of processing.

Output example showing all action options:

Code: Select all


RULES
   TestRule                    Criteria:  Use AND
             Body                   Contains        Some body Text
     Custom: X-MYHEADER-1           Equals          ValueX

                               -Actions-
             Delete
             Forward                                user@Domain1.com
             Move To Folder                         Spammy
             Reply
             Run Function                           MyScript
             Set Header Value                       MyCustomerHeader = Yes
             Stop Rule Processing
             Create and Send Copy
             Bind to local IP                       11.22.33.44
             Send Using Route                       dexxxxxxxx.co.uk
             
   Known Spam                  Criteria:  Use OR
             To                     Regular Expr    (?i:^.*(emailsales@|fax@|bouncednotifications@).*$)
             From                   Contains        Yvonne Sahm

                               -Actions-
             Set Header Value                       X-SPAMCHECK = Yes
             Move To Folder                         Spam Folder
(More examples in the initial post example report)

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2018-01-30 02:15
by mattg
looking good jimimaseye

What's next?
- A copy of Eventhandlers.vbs contents?
- Auto include the last 10 Error log lines if today's error log exists?
- A list of all of the individual WARNINGS additionally shown together at the top of the screen

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2018-01-31 22:44
by jimimaseye
V1.91

* Bug fix to Cipher List output
* Compressed (space saving) rules output

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2018-02-25 21:03
by jimimaseye
v1.92

* Mod to make the output compatible to new forum style. (removal of [ size=85] tag)

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2018-11-19 20:55
by jimimaseye
v1.93

* Minor bug fix for non-english boolean translation.

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2018-11-21 02:14
by mattg
Rules only includes global rules, not account level rules

Can we get account level rules added please

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2018-11-21 09:48
by jimimaseye
mattg wrote:
2018-11-21 02:14
Can we get account level rules added please
I had already considered it some time ago. The problem is that a domain can have tens or hundreds of users, and there can be hundreds of domains. 100 domains x 100 accounts = 10,000 potential account rules being listed. We wouldn't have enough virtual paper (or browser screen) to display the report :wink: . Even if less (1 domain) we could be iterating through hundreds of accounts and displaying their rules when in reality we only require the rules for 1 account to be displayed (as we investigate a specific issue for someone).

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2018-11-21 10:19
by mattg
Yeah that's correct I guess.

I was just wanting to show some of my account level rules to someone having trouble with rules
I like the way you format your output...

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2018-11-21 12:09
by jimimaseye
Perhaps a secondary standalone script for 'account rules' that prompts for an account could do it. I'll give it a think.

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2018-11-23 22:07
by jimimaseye
mattg wrote:
2018-11-21 10:19
Yeah that's correct I guess.

I was just wanting to show some of my account level rules to someone having trouble with rules
I like the way you format your output...
v1.94

* Added extra prompt for a single account address to have its rules included (optional) if GLOBAL RULES are requested.

(You can always run it and extract/edit the output to just display your account rules or run the script several times for different accounts and merge the outputs together before posting).

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2018-11-24 13:45
by jimimaseye
v1.95

* Minor code changes (tidyup).

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2019-07-20 12:16
by jimimaseye
v1.96

* Minor bug fix for non-english boolean translation 'Greylist Bypass A/MX'

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2019-09-28 04:44
by mattg
adds TLSv1.3 (and doesn't show SSLv3.0 in 5.7.0)

Code: Select all

' SSLTLS
   Txt = "SSL/TLS" & vbcrlf 
   Txt = Txt & space(13) & "SSL 3.0 : " & RJust(BooTrans(oTarget.SslVersion30Enabled),6) & vbcrlf
   Txt = Txt & space(13) & "TLS 1.0 : " & RJust(BooTrans(oTarget.TlsVersion10Enabled),6) & vbcrlf
   Txt = Txt & space(13) & "TLS 1.1 : " & RJust(BooTrans(oTarget.TlsVersion11Enabled),6) & vbcrlf
   Txt = Txt & space(13) & "TLS 1.2 : " & RJust(BooTrans(oTarget.TlsVersion12Enabled),6) & vbcrlf
   Txt = Txt & space(13) & "TLS 1.3 : " & RJust(BooTrans(oTarget.TlsVersion13Enabled),6) & space(15) & _
    " Verify Remote SSL/TLS Certs: " & RJust(BooTrans(oTarget.VerifyRemoteSslCertificate),6) & vbcrlf
   Txt = Txt & "SslCipherList  :" & vbcrlf & vbcrlf
   CipherList = Split(oTarget.SslCipherList, ":")
   X=0
   For Each Cipher in CipherList
      if not trim(Cipher) = "" then
         X = X + 1
         if not (X mod 3) = 1 then Txt = Txt & "- "
         Txt = Txt & LJust(Cipher,32)
         if (X mod 3) = 0 then Txt = Txt & vbcrlf 
      End if
   Next
   if (X mod 3) > 0 then Txt = Txt & vbcrlf
   Txt = Txt & string(95,"-") & vbcrlf
   objTextFile.WriteLine(txt)
' END SSLTLS
I see that the script mode is set to debug, and that I get this error at the bottom, but I can't see anything missing
Have sent output to you via PM

Code: Select all

Error 438. Out-dated version. Some fields or objects missing.

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2019-09-29 18:43
by jimimaseye
v1.97 Modified SSL checks to account for v5.7

Re: SETTINGS DIAGNOSTIC REPORT

Posted: 2019-09-30 00:11
by jimimaseye
v1.98

* Minor code tidyup (removed random ambiguous line - no functionality change)