Setting Up Mail Server Operation for CentOS Web Panel Web Hosting Control Panel on Amazon AWS Cloud

Subject: Setting Up Mail Server Operation for CentOS Web Panel Web Hosting Control Panel on Amazon AWS Cloud

Author: Mr. Turritopsis Dohrnii Teo En Ming, Singapore
Date: 25 Feb 2020 Tuesday

PREREQUISITES
=============

Before embarking on this guide, you should read the following guide first.

Guide: Mr. Teo En Ming’s Guide to Deploying CentOS Web Panel (CWP) Web Hosting Control Panel on Amazon AWS Cloud

Redundant blog links:

[1] https://tdtemcerts.blogspot.com/2020/02/mr-teo-en-mings-guide-to-deploying.html

[2] https://tdtemcerts.wordpress.com/2020/02/23/mr-teo-en-mings-guide-to-deploying-centos-web-panel-cwp-web-hosting-control-panel-on-amazon-aws-cloud/

EXTREMELY DETAILED INSTRUCTIONS OF TEO EN MING’S GUIDE
======================================================

Teo En Ming’s DNS Zone File for domain teo-en-ming.com on Primary DNS Server
============================================================================

$TTL    300
@       IN      SOA     ns1.teo-en-ming.com. ceo.teo-en-ming.com. (
                        2020022502      ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
;
; name servers - NS records (blank owner = the zone apex, inherited from the SOA line)
        IN      NS      ns1.teo-en-ming.com.
        IN      NS      ns2.teo-en-ming.com.

; mail servers - MX records
        IN      MX      0 mail.teo-en-ming.com.

; name servers - A records
ns1.teo-en-ming.com.    IN      A       13.58.253.162
ns2.teo-en-ming.com.    IN      A       3.20.186.205

; mail servers - A records
mail.teo-en-ming.com.   IN      A       3.21.30.127

; Additional A records
www.teo-en-ming.com.    IN      A       3.21.30.127
teo-en-ming.com.        IN      A       3.21.30.127

; Sender Policy Framework (SPF) TXT record: only the mail host's address may send as this domain
teo-en-ming.com.        IN      TXT     "v=spf1 ip4:3.21.30.127 -all"

===EOF===
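The zone above is small enough to read by eye, but the relationships that matter for mail are easy to break when an address changes: every NS and MX target must have an A record in the zone, the SOA master must be one of the listed name servers, the serial should keep the YYYYMMDDnn form, and the SPF record must authorise exactly the host the MX points at. The Python script below is an added example, not part of the original guide; it embeds a constructed copy of the zone (same records and addresses as above) and checks those relationships with a deliberately small zone-file reader that understands only what this file uses ($TTL, a parenthesised SOA, ';' comments, quoted TXT data and blank owner names).

```python
"""Consistency checks for a small BIND zone file (added example, not part of the guide)."""
import datetime
import ipaddress
import shlex

ORIGIN = "teo-en-ming.com."

# Constructed copy of the zone file shown above (same records and addresses).
ZONE = """\
$TTL    300
@       IN      SOA     ns1.teo-en-ming.com. ceo.teo-en-ming.com. (
                2020022502 ; Serial
                604800     ; Refresh
                86400      ; Retry
                2419200    ; Expire
                604800 )   ; Negative Cache TTL
; name servers - NS records
        IN      NS      ns1.teo-en-ming.com.
        IN      NS      ns2.teo-en-ming.com.
; mail servers - MX records
        IN      MX      0 mail.teo-en-ming.com.
ns1.teo-en-ming.com.    IN      A       13.58.253.162
ns2.teo-en-ming.com.    IN      A       3.20.186.205
mail.teo-en-ming.com.   IN      A       3.21.30.127
www.teo-en-ming.com.    IN      A       3.21.30.127
teo-en-ming.com.        IN      A       3.21.30.127
teo-en-ming.com.        IN      TXT     "v=spf1 ip4:3.21.30.127 -all"
"""


def _fqdn(name, origin):
    """Expand '@' and relative names to fully qualified, dot-terminated names."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text):
    """Yield (indented, tokens) per record: ';' comments removed, '( ... )'
    continuation lines joined, quoted TXT data kept as a single token."""
    buf, indented, depth = [], False, 0
    for raw in text.splitlines():
        code = raw.split(";", 1)[0]
        if depth == 0:
            if not code.strip():
                continue
            indented = code[0] in " \t"
            buf = []
        buf.extend(shlex.split(code))
        depth += code.count("(") - code.count(")")
        if depth == 0:
            yield indented, [t for t in buf if t not in ("(", ")")]


def parse_zone(text, origin):
    """Return [(owner, rtype, rdata_tokens)]; a line that starts with
    whitespace inherits the owner of the previous record."""
    records, owner = [], origin
    for indented, tokens in _logical_lines(text):
        if tokens[0].startswith("$"):          # $TTL and similar directives
            continue
        if not indented:
            owner = _fqdn(tokens.pop(0), origin)
        if tokens[0].isdigit():                # optional per-record TTL
            tokens.pop(0)
        if tokens[0].upper() == "IN":          # optional class
            tokens.pop(0)
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records


def check_zone(records, origin):
    """Return a list of problems; an empty list means the zone is consistent."""
    problems = []
    a_addrs, ns_targets, mx_targets, soa = {}, [], [], None
    for owner, rtype, rdata in records:
        if rtype == "A":
            a_addrs.setdefault(owner, set()).add(rdata[0])
        elif rtype == "NS":
            ns_targets.append(rdata[0])
        elif rtype == "MX":
            mx_targets.append(rdata[1])        # rdata = [preference, target]
        elif rtype == "SOA":
            soa = rdata                        # [mname, rname, serial, refresh, ...]
    if soa is None:
        return ["zone has no SOA record"]
    mname, serial = soa[0], soa[2]
    if not ns_targets:
        problems.append("zone has no NS records")
    if mname not in ns_targets:
        problems.append(f"SOA MNAME {mname} is not one of the NS records")
    try:
        serial_ok = len(serial) == 10 and bool(datetime.datetime.strptime(serial[:8], "%Y%m%d"))
    except ValueError:
        serial_ok = False
    if not serial_ok:
        problems.append(f"serial {serial} is not in YYYYMMDDnn form")
    # In-zone NS/MX targets need an address in the zone itself (glue for the NS case).
    for kind, targets in (("NS", ns_targets), ("MX", mx_targets)):
        for t in targets:
            if (t == origin or t.endswith("." + origin)) and t not in a_addrs:
                problems.append(f"{kind} target {t} has no A record in the zone")
    spf = [r[0] for o, t, r in records
           if t == "TXT" and o == origin and r and r[0].startswith("v=spf1")]
    if len(spf) != 1:                          # more than one SPF record is a permerror
        problems.append(f"expected one SPF record at {origin}, found {len(spf)}")
        return problems
    terms = spf[0].split()[1:]
    if not terms or terms[-1] not in ("-all", "~all"):
        problems.append("SPF record does not end with -all or ~all")
    allowed = [ipaddress.ip_network(t[4:], strict=False) for t in terms if t.startswith("ip4:")]
    for mx in mx_targets:
        for addr in sorted(a_addrs.get(mx, ())):
            if not any(ipaddress.ip_address(addr) in net for net in allowed):
                problems.append(f"MX host {mx} ({addr}) is not authorised by SPF")
    return problems


if __name__ == "__main__":
    for line in check_zone(parse_zone(ZONE, ORIGIN), ORIGIN) or ["zone is consistent"]:
        print(line)
```

Run it against a real zone file by replacing ZONE with the file's contents; it only reads the file and never talks to a name server, so it is a pre-commit check rather than a substitute for `named-checkzone` and a `dig` against both ns1 and ns2 after reload.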

REFERENCE
=========

Guide: Mail Exchange Record (MX)

Link: https://www.zytrax.com/books/dns/ch8/mx.html

REFERENCE
=========

Guide: How To: Lowering Your DNS TTLs

Link: https://www.liquidweb.com/kb/how-to-lowering-your-dns-ttls/

REFERENCE
=========

Discussion: Postfix: “Connection timed out” on all outbound email [closed]

Link: https://serverfault.com/questions/585503/postfix-connection-timed-out-on-all-outbound-email

QUOTE:

“For anyone who found this question but is on AWS EC2: outgoing SMTP intentionally rate limited, but you can ask to have it relaxed.”

REFERENCE
=========

Discussion: Intermittent exim gmail smtp connection timeout

Link: https://forums.cpanel.net/threads/intermittent-exim-gmail-smtp-connection-timeout.523911/

QUOTE:

“Just an update for anyone with a similar issue – with some fresh eyes and some more googling it sounds like this may be caused by some SMTP rate limitations built into the AWS EC2 network as Spam prevention.

They have a form to register to remove outgoing smtp connection limitations here:

https://aws.amazon.com/forms/ec2-email-limit-rdns-request

I’ve submitted and will update if this resolves the issues I was seeing.”

QUOTE:

“Amazon SMTP traffic management indeed seems to have been the cause. Within a couple of hours of filling out the above form, I got an email confirmation from AWS that “traffic restrictions had been removed” and normal function resumed immediately.

Confusing the matters is that this SMTP traffic management is not documented well (and sometimes with contradicting information). It does not appear to be a hard cap limit, nor does it trigger any notification when it’s applied – it actually appears to be a *throttle* on common SMTP ports, triggered by a very small number of connections, beyond which it allows a certain number of connections per/hour – which would absolutely create the kind of “intermittent” connectivity issues I saw (and the odd delivery order of mail in the queue depending on when a retry “won the lottery” to negotiate a connection).

Anyway – I hope that info is of some use to others in the future!”

REFERENCE
=========

Guide: Installing Telnet In CentOS/RHEL/Scientific Linux 6 & 7

Link: https://www.unixmen.com/installing-telnet-centosrhelscientific-linux-6-7/

Amazon Web Services’ Reply to Teo En Ming
=========================================

Hello,

We approved your request for the removal of the EC2 email sending limitations on your Amazon Web Services account! If you requested removal of email sending limits on any other Amazon Elastic IPs, they’ve also been removed.

Because reverse DNS record entries are commonly considered in anti-spam filters, we recommend assigning a reverse DNS record to the Elastic IP address you use to send email to third parties. Please use the form located at this link to request a reverse DNS entry:
https://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request

If you’d like to proceed with assigning a reverse DNS record to the Elastic IP, the first step would be to configure the A record for the domain to match the desired PTR record on your side.

Please follow the instructions at the link below to create the A record:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html

Please let us know if you have any questions.

Regards,
Amazon Web Services

REFERENCE
=========

Guide: How to create an SPF TXT record?

Link: https://www.dmarcanalyzer.com/spf/how-to-create-an-spf-txt-record/

REFERENCE
=========

Guide: Linux BIND DNS Configure Sender Policy Framework ( SPF ) an e-mail Anti Forgery System

Link: https://www.cyberciti.biz/faq/howto-bind-djbdns-spf-antispam-dns-configuration/

Creating New User Account in CentOS Web Panel
=============================================

Log in to the CentOS Web Panel Admin Panel.

From the left menu, click on User Accounts, then select New Account.

Domain name: teo-en-ming.com

Username:

Password:

Admin Email:

Server IPs:

Package: Default

Reseller: Not checked

Inode: 0

Process limit: 40

Open files: 150

Backup user account: checked

Shell Access: Disabled by default for security reasons: Unchecked

AutoSSL: Domain must be pointed to the server: Unchecked

Click Create.

Setting Up New Email Account
============================

Log in to the CentOS Web Panel User Panel.

From the left menu, click Email Accounts, then click Email Accounts.

Click Add a New MailBox.

Email Address: ceo@teo-en-ming.com

Password:

Quota MB: 16000

Click Add.

Using Your New Email Account
============================

Log in to Roundcube Webmail.

Click Settings.

From the left menu, click Identities, then click ceo@teo-en-ming.com.

Display Name: Turritopsis Dohrnii Teo En Ming

Click Save.

Congratulations! You can now start using your new email account.

REFERENCES
==========

[1] https://lkml.org/lkml/2020/2/25/509

[2] http://lkml.iu.edu/hypermail/linux/kernel/2002.3/02043.html

[3] https://marc.info/?l=linux-kernel&m=158263958532716&w=2

[4] http://lists.linuxfromscratch.org/pipermail/lfs-chat/2020-February/029097.html

[5] https://marc.info/?l=postfix-users&m=158264145200949&w=2

[6] https://marc.info/?l=qmail&m=158264284001458&w=2

[7] http://lists.kolab.org/pipermail/users/2020-February/021876.html

[8] https://www.mail-archive.com/server-user@james.apache.org/msg16259.html

[9] https://sourceforge.net/p/courier/mailman/message/36932325/

[10] https://sourceforge.net/p/squirrelmail/mailman/message/36932330/

Linux Shell Script to Start Windows 10 Virtual Machine with GPU Passthrough (QEMU/KVM) (23 Feb 2020)

#!/bin/bash

# Mr. Turritopsis Dohrnii Teo En Ming
# Singapore
# 22 Feb 2020 Saturday

# Haven't configured bridged networking yet. TO-DO in future.

vmname="windows10vm"

# Refuse to start a second VM that claims the same passthrough GPU.
if ps -ef | grep qemu-system-x86_64 | grep -q multifunction=on; then
    echo "A passthrough VM is already running."
    exit 1

else

# use pulseaudio
export QEMU_AUDIO_DRV=pa
export QEMU_PA_SAMPLES=8192
export QEMU_AUDIO_TIMER_PERIOD=99
export QEMU_PA_SERVER=/run/user/1000/pulse/native

# fresh copy of the UEFI variable store for this boot
cp /usr/share/OVMF/OVMF_VARS.fd /tmp/my_vars.fd

# /data is Toshiba 1 TB 3.5 inch internal SATA harddisk

qemu-system-x86_64 \
    -name "$vmname",process="$vmname" \
    -machine type=pc,accel=kvm \
    -cpu host,kvm=off \
    -smp 3,sockets=1,cores=3,threads=1 \
    -m 16G \
    -balloon none \
    -rtc clock=host,base=localtime \
    -serial none \
    -parallel none \
    -soundhw hda \
    -usb \
    -device usb-host,vendorid=0x0603,productid=0x00f2 \
    -device usb-host,vendorid=0x056e,productid=0x0107 \
    -device vfio-pci,host=01:00.0,multifunction=on \
    -device vfio-pci,host=01:00.1 \
    -drive if=pflash,format=raw,readonly,file=/usr/share/OVMF/OVMF_CODE.fd \
    -drive if=pflash,format=raw,file=/tmp/my_vars.fd \
    -boot order=dc \
    -drive id=disk0,if=virtio,cache=none,format=raw,file=/home/teo-en-ming/win10.img \
    -drive id=disk1,if=virtio,cache=none,format=raw,file=/data/toshiba.img \
    -drive file=/home/teo-en-ming/win10-1709.iso,index=1,media=cdrom \
    -drive file=/home/teo-en-ming/Downloads/virtio-win-0.1.173.iso,index=2,media=cdrom \
    -vga none \
    -nographic
    #-netdev type=tap,id=net0,ifname=vmtap0,vhost=on \
    #-device virtio-net-pci,netdev=net0,mac=00:16:3e:00:01:01

exit 0
fi

Mr. Teo En Ming’s Guide to Deploying CentOS Web Panel (CWP) Web Hosting Control Panel on Amazon AWS Cloud

Subject: Mr. Teo En Ming’s Guide to Deploying CentOS Web Panel (CWP) Web Hosting Control Panel on Amazon AWS Cloud

===FIRST DRAFT===

PUBLISHED 23 FEB 2020 SUNDAY, SINGAPORE, SINGAPORE

I chose CentOS Web Panel because the graphical user interface is a bit like cPanel and it is free/open source.

EXTREMELY DETAILED INSTRUCTIONS OF TEO EN MING’S GUIDE
======================================================

REFERENCE
=========

Guide: Part 1: How I Built a cPanel Hosting Environment on Amazon AWS

Link: https://wiredgorilla.com/part-1-built-cpanel-hosting-environment-amazon-aws/

Setup the Amazon AWS VPC (Virtual Private Cloud)
================================================

Go to https://us-east-2.console.aws.amazon.com/vpc/home?region=us-east-2#dashboard:

Click Launch VPC Wizard.

Select VPC with a Single Public Subnet.

IPv4 CIDR block: 10.0.0.0/16

VPC Name: Teo En Ming VPC

Public subnet’s IPv4 CIDR: 10.0.0.0/24

Availability Zone: No Preference

Subnet name: Public subnet

Click Create VPC.

Create Security Groups in Amazon AWS Cloud
==========================================

Click Security Groups in the VPC Dashboard.

Sub-Part 1
==========

Click Create Security Group.

Security Group Name: NameServers

Description: Allows access to DNS servers

VPC: Teo En Ming VPC

Click Create.

Sub-Part 2
==========

Click Create Security Group.

Security Group Name: CentOSWebPanel

Description: Allows access to CentOS Web Panel

VPC: Teo En Ming VPC

Click Create.

Sub-Part 3
==========

Select the NameServers Security Group.

On the Inbound tab, click Edit.

Under Type, select All Traffic.

Protocol: All

Port Range: 0 – 65535

Source: Anywhere

Click Save.

Sub-Part 4
==========

Select the CentOSWebPanel Security Group.

On the Inbound tab, click Edit.

Under Type, select All Traffic.

Protocol: All

Port Range: 0 – 65535

Source: Anywhere

Click Save.

Provisioning the Primary DNS Server
===================================

On the EC2 Dashboard, click Instances.

Click Launch Instance.

Search for centos in the AWS Marketplace.

Select CentOS 7 (x86_64) – with Updates HVM (free tier eligible).

Click Continue.

Select t2.micro (free tier eligible).

Click Next: Configure Instance Details.

Network: Teo En Ming VPC

Subnet: Public subnet | us-east-2a

Click Protect against accidental termination.

Click Next: Add Storage

Size (GiB): 8

Click Next: Add Tags

Key = Name

Value = ns1

Click Next: Configure Security Group

Click Select an existing security group

Select NameServers

Click Review and Launch.

Click Launch.

Select Create a new key pair.

Key pair name: cwp

Click Download key pair.

Click Launch Instances.

Click Instances.

Select ns1, right click and select Networking > Manage IP Addresses.

Click Allocate an elastic IP to this instance.

Click Allocate.

Click Associate this Elastic IP Address.

Instance: ns1

Click Associate.

IPv4 address of Primary DNS server is 13.58.253.162

Provisioning the Secondary DNS Server
=====================================

On the EC2 Dashboard, click Instances.

Click Launch Instance.

Search for centos in the AWS Marketplace.

Select CentOS 7 (x86_64) – with Updates HVM (free tier eligible).

Click Continue.

Select t2.micro (free tier eligible).

Click Next: Configure Instance Details.

Network: Teo En Ming VPC

Subnet: Public subnet | us-east-2a

Click Protect against accidental termination.

Click Next: Add Storage

Size (GiB): 8

Click Next: Add Tags

Key = Name

Value = ns2

Click Next: Configure Security Group

Click Select an existing security group

Select NameServers

Click Review and Launch.

Click Launch.

Select Choose an existing key pair.

Key pair name: cwp

Click Launch Instances.

Click Instances.

Select ns2, right click and select Networking > Manage IP Addresses.

Click Allocate an elastic IP to this instance.

Click Allocate.

Click Associate this Elastic IP Address.

Instance: ns2

Click Associate.

IPv4 address of Secondary DNS server is 3.20.186.205

Provisioning CentOS 7 to Install CentOS Web Panel Later
=======================================================

On the EC2 Dashboard, click Instances.

Click Launch Instance.

Search for centos in the AWS Marketplace.

Select CentOS 7 (x86_64) – with Updates HVM (free tier eligible).

Click Continue.

Select t2.micro (free tier eligible).

Click Next: Configure Instance Details.

Network: Teo En Ming VPC

Subnet: Public subnet | us-east-2a

Click Protect against accidental termination.

Click Next: Add Storage

Size (GiB): 30

Click Next: Add Tags

Key = Name

Value = CentOSWebPanel

Click Next: Configure Security Group

Click Select an existing security group

Select CentOSWebPanel

Click Review and Launch.

Click Launch.

Select Choose an existing key pair.

Key pair name: cwp

Click Launch Instances.

Click Instances.

Select CentOSWebPanel, right click and select Networking > Manage IP Addresses.

Click Allocate an elastic IP to this instance.

Click Allocate.

Click Associate this Elastic IP Address.

Instance: CentOSWebPanel

Click Associate.

IPv4 address of CentOS Web Panel is 3.21.30.127

REFERENCE
========

Guide: Connecting to Your Linux Instance Using SSH

Link: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html

How to SSH into Linux Instances in Amazon AWS Cloud
===================================================

$ chmod 600 cwp.pem

For Primary DNS Server:

$ ssh -i cwp.pem centos@13.58.253.162

For Secondary DNS Server:

$ ssh -i cwp.pem centos@3.20.186.205

For CentOS Web Panel:

$ ssh -i cwp.pem centos@3.21.30.127

REFERENCE
=========

Guide: How To Configure BIND as a Private Network DNS Server on CentOS 7

Link: https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-centos-7

Configuring the Primary DNS Server
==================================

$ sudo passwd

$ su -

# yum install bind bind-utils

# yum install nano

# nano /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; 10.0.0.99; };
        // listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-transfer  { 3.20.186.205; };      // only ns2 may pull the zone (AXFR)
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        // ns1 is authoritative only and answers queries from anyone, so it must
        // not recurse; "recursion yes" here would make it an open resolver.
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

include "/etc/named/named.conf.local";

# nano /etc/named/named.conf.local

zone "teo-en-ming.com" {
        type master;
        file "/etc/named/zones/db.teo-en-ming.com";   # zone file path
};

# chmod 755 /etc/named

# mkdir /etc/named/zones

# nano /etc/named/zones/db.teo-en-ming.com

$TTL    604800
@       IN      SOA     ns1.teo-en-ming.com. ceo.teo-en-ming.com. (
                        2020022301      ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
;
; name servers - NS records (blank owner = the zone apex, inherited from the SOA line)
        IN      NS      ns1.teo-en-ming.com.
        IN      NS      ns2.teo-en-ming.com.

; name servers - A records
ns1.teo-en-ming.com.    IN      A       13.58.253.162
ns2.teo-en-ming.com.    IN      A       3.20.186.205

; Additional A records
www.teo-en-ming.com.    IN      A       3.21.30.127

# named-checkconf

# systemctl start named

# systemctl enable named

Testing the Primary DNS Server
==============================

$ dig @13.58.253.162 teo-en-ming.com

Configuring the Secondary DNS Server
====================================

$ sudo passwd

$ su -

# yum install nano

# yum install bind bind-utils

# nano /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; 10.0.0.76; };
        // listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-transfer  { none; };              // ns2 has no downstream secondaries
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        // ns2 is authoritative only and answers queries from anyone, so it must
        // not recurse; "recursion yes" here would make it an open resolver.
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

include "/etc/named/named.conf.local";

# chmod 755 /etc/named

# nano /etc/named/named.conf.local

zone "teo-en-ming.com" {
        type slave;
        file "slaves/db.teo-en-ming.com";
        masters { 13.58.253.162; };   # ns1 Elastic (public) IP, the address ns1's allow-transfer ACL is paired with
};

# named-checkconf

# systemctl start named

# systemctl enable named
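Both named.conf files above have the same shape: an options block with allow-query set to any, a recursion setting, an allow-transfer ACL (present on ns1, absent on ns2 as first configured) and one authoritative zone. The script below is an added example, not part of the guide and not a BIND tool; it is a small audit of just those settings that flags the two things the comment block in named.conf itself warns about, a server that recurses for anyone and a zone that anyone can transfer. It embeds a constructed options block in the shape of ns1's with recursion left on, beside the same block with recursion off, and a variant without any allow-transfer statement as ns2 would look without one. The parser only balances braces and reads the ACLs it needs, and the defaults it assumes when a statement is absent (recursion on; recursion allowed for allow-recursion, else allow-query-cache, else allow-query, else localnets and localhost; transfers allowed to any host) are those of BIND 9.11, the version CentOS 7 ships.

```python
"""Minimal audit of a BIND named.conf for open recursion and open zone transfer
(added example; not part of the guide and not a BIND tool)."""
import re

# Constructed from the shape of ns1's configuration above, with recursion left on.
WEAK = """\
options {
        listen-on port 53 { 127.0.0.1; 10.0.0.99; };
        directory       "/var/named";
        allow-transfer  { 3.20.186.205; };   // ns2 only
        allow-query     { any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "teo-en-ming.com" {
        type master;
        file "/etc/named/zones/db.teo-en-ming.com";   # zone file path
};
"""

# The corrected form: an authoritative-only server does not recurse.
HARDENED = WEAK.replace("recursion yes;", "recursion no;")

# Shape of ns2 with no allow-transfer statement at all (BIND 9.11 then allows any host).
SECONDARY_LIKE = HARDENED.replace("allow-transfer  { 3.20.186.205; };", "")

# BIND 9.11 defaults applied when a statement is absent (assumption stated in the lead-in).
DEFAULT_RECURSION = True
DEFAULT_RECURSION_ACL = ["localnets", "localhost"]
DEFAULT_ALLOW_TRANSFER = ["any"]


def _strip_comments(text):
    """Remove /* */, // and # comments, the three styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _block_body(text, header_re):
    """Body of the first `header { ... }` block, found by balancing braces."""
    m = re.search(header_re + r"\s*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def _acl(body, name):
    """Address list of `name { a; b; };` inside body, or None when absent."""
    m = re.search(r"\b" + name + r"\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit_named_conf(text):
    """Return a list of findings; an empty list means neither issue is present."""
    text = _strip_comments(text)
    options = _block_body(text, r"\boptions") or ""
    findings = []

    m = re.search(r"\brecursion\s+(yes|no)\s*;", options)
    recursion = (m.group(1) == "yes") if m else DEFAULT_RECURSION
    who_recurses = (_acl(options, "allow-recursion")
                    or _acl(options, "allow-query-cache")
                    or _acl(options, "allow-query")
                    or DEFAULT_RECURSION_ACL)
    if recursion and "any" in who_recurses:
        findings.append("open resolver: recursion yes and any host may use it")

    global_xfer = _acl(options, "allow-transfer")
    for zm in re.finditer(r'zone\s+"([^"]+)"', text):
        name = zm.group(1)
        body = _block_body(text, r'zone\s+"' + re.escape(name) + r'"(?:\s+IN)?') or ""
        if not re.search(r"\btype\s+(master|primary|slave|secondary)\s*;", body):
            continue                         # hint/forward zones cannot be transferred
        xfer = _acl(body, "allow-transfer")  # zone-level ACL overrides the global one
        if xfer is None:
            xfer = global_xfer if global_xfer is not None else DEFAULT_ALLOW_TRANSFER
        if "any" in xfer:
            findings.append(f'zone "{name}": anyone may AXFR it (allow-transfer is any or unset)')
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED), ("secondary-like", SECONDARY_LIKE)):
        print(label, audit_named_conf(conf) or ["no findings"])
```

To audit the live files, read /etc/named.conf and the included named.conf.local into one string and pass it to audit_named_conf; the script does not follow include statements itself. It is a complement to `named-checkconf`, which checks syntax but not intent.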

Testing the Secondary DNS Server
================================

$ dig @3.20.186.205 teo-en-ming.com

Configuring Custom Name Servers At Your Domain Registrar
========================================================

Go to DNS management.

Under host names,

Set ns1 to 13.58.253.162

Set ns2 to 3.20.186.205

Set custom name servers to:

ns1.teo-en-ming.com

ns2.teo-en-ming.com

REFERENCE
=========

Guide: How to Set up a CentOS Web Panel

Link: https://www.alibabacloud.com/blog/how-to-set-up-a-centos-web-panel_595183

Setting Up CentOS Web Panel
===========================

$ sudo passwd

$ su -

# yum -y update && yum -y install wget

# hostnamectl set-hostname www.teo-en-ming.com

# cd /usr/local/src && wget http://centos-webpanel.com/cwp-el7-latest && sh cwp-el7-latest

Started installing CentOS Web Panel at 6.24 PM on 23 Feb 2020 Sunday.

Completed installing CentOS Web Panel at 6.30 PM on 23 Feb 2020 Sunday.

Total duration: 6 mins

#############################
# CWP Installed #
#############################

Go to CentOS WebPanel Admin GUI at http://SERVER_IP:2030/

http://3.21.30.127:2030
SSL: https://3.21.30.127:2031
———————
Username: root
Password: ssh server root password
MySQL root Password:

#########################################################
CentOS Web Panel MailServer Installer
#########################################################
SSL Cert name (hostname): www.teo-en-ming.com
SSL Cert file location /etc/pki/tls/ private|certs
#########################################################

Visit for help: http://www.centos-webpanel.com
Write down login details and press ENTER for server reboot!
Please reboot the server!
Reboot command: shutdown -r now

# shutdown -r now

Configuring CentOS Web Panel Web Hosting Control Panel
======================================================

Go to https://3.21.30.127:2031

From the left menu, click on CWP Settings, then select Edit Settings.

Admin Email: ceo@teo-en-ming-corp.com

Check Activate NAT-ed network configuration.

Click Save Changes.

From the left menu, click DNS Functions, then select Edit Nameservers IPs.

Name Server 1: ns1.teo-en-ming.com 13.58.253.162

Name Server 2: ns2.teo-en-ming.com 3.20.186.205

Click Save Changes.

That’s all.

In future, go to https://www.teo-en-ming.com:2031

It works!

AUTHOR: MR. TURRITOPSIS DOHRNII TEO EN MING, SINGAPORE

REFERENCES
==========

[1] https://lkml.org/lkml/2020/2/23/71

[2] http://lkml.iu.edu/hypermail/linux/kernel/2002.2/08712.html

[3] https://marc.info/?l=linux-kernel&m=158246414013004&w=2

[4] http://lists.linuxfromscratch.org/pipermail/lfs-chat/2020-February/029096.html

[5] https://lists.isc.org/pipermail/bind-users/2020-February/102673.html

[6] https://lists.centos.org/pipermail/centos/2020-February/349647.html

[7] https://marc.info/?l=apache-httpd-users&m=158246714513728&w=2

[8] https://lists.launchpad.net/maria-discuss/msg05714.html

[9] https://marc.info/?l=php-general&m=158246811013917&w=2