Hi

I was wondering if someone could shed some light on the issue im having,

Currently i have working great NGINX as reverse proxy for my IIS

Im trying to get working the Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options working my NGINX but it keeps showing that its not getting applied when i check

https://securityheaders.com

#        listen 80;
   listen 443 ssl;
 server_name  sub.domain.com;

  ssl_certificate /etc/letsencrypt/live/sub.domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/sub.domain.com/privkey.pem;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
       ssl_stapling_verify on;

## security headers
# Block loading in an iFrame
add_header X-Frame-Options SAMEORIGIN;
# Enforce HTTPS
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
# Blocks hidden malicious scripts
add_header X-Content-Type-Options nosniff;
# Stops scripts from unknown sources
add_header X-XSS-Protection "1; mode=block";
# Content security policy
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
# Referal policy
add_header Referrer-Policy "origin-when-cross-origin" always;
# permision policy
add_header Feature-Policy "camera 'none'; microphone 'none'; geolocation 'none'" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

        location ~ /.well-known {
        root /var/www/letsencrypt;
        allow all;
    }
        location / {

               proxy_pass http://192.168.3.211:8096/;

#                headers setting

                proxy_set_header Host $host;

                proxy_set_header X-Real-IP $remote_addr;

                proxy_set_header X-Forwarded-For $remote_addr;

                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Client-IP $remote_addr;

                }

        }

im going to assume

proxy_set_header Host $host; is what shows the header of the IIS?

Thank you

@pete-s yeah i guess im going to have to do that, it just bugs me that NGINX wont pass though the real IP

@pete-s
correct, whats odd is that it works perfectly fine on HA proxy on pfSense its just that i want to move better to a virtual machine and not depend on pfSense
Im not sure howcome it works on HA proxy and not on NGINX

@scottalanmiller
so in my case how would i solve this issue so the backend can see the real IP?

@scottalanmiller
Thanks for the reply, correct i was using before HAproxy on pfSense to do the TLS passthough but moving to NGINX as this server is later on going to manage all the SSL but because i need to migrate exactly the same way i have it currently as HAproxy

but i have configured to pass though but not passing the real IP

Hi

I was wondering if someone could shed some light on the issue im having,

Currently im testing out to TLS pass though to my zimbra server as the SSL has to be in the zimbra server and another wordpress site which also has the SSL

the setup would this this

INTERNET--------NGINX PROXY-------ZIMBRA and ------WORDPRESS SITE

I successfully configured the nginx proxy to TLS passthough but i checked the logs and it seems that not passing the real IP to zimbra or to wordpress

But couldn't figure it out because it wont let me send the proxy headers because im using the TLS passthough

this is the config

root@bunker:~# cat /etc/nginx/modules-enabled/passtru.conf
stream {

        map $ssl_preread_server_name $name {

       wordpress.domain.co wordpress;
        mail.domain.co zimbra;
        default https_default_backend;
    }

    upstream wordpress {
        server 192.168.7.35:443;
    }

    upstream zimbra {
        server 192.168.7.245:443;
    }
log_format basic '$remote_addr [$time_local] '
             '$protocol $status $bytes_sent $bytes_received '
             '$session_time "$upstream_addr" '
             '"$upstream_bytes_sent" "$upstream_bytes_received"
              "$upstream_connect_time"';

access_log /var/log/nginx/access.log basic;
error_log  /var/log/nginx/error.log;

    server {
        listen 443;
        proxy_pass $name;
        proxy_bind $name transparent;
        ssl_preread on;
    }
}

@dbeato the filter moves any subject that has SPAM to the folder junk which adds to all the domains instead of one by one

@gjacobse

why dont you just import it directly?

qm importdisk 100 DietPi_VMware-x86_64-Buster.vmdk zfs-vmdata

this case im running ZFS just change the zfs-vmdata to your lvm location

Hi
I was wondering if its possible what im trying to do, I want to send an email automatically every day to all the users and new users when created automatically. Im not sure if its done though zimbra or though postfix?
any ideas
Thank you

This is what i have so far, currently i have to add the email manually in the addresses.txt and could not figure out how to add the subject
if someone else has a better idea how to modify the script by all means

#!/bin/sh
SENDER="sistemas@mydomain"
ADDRESSFILE="/root/addresses.txt"
SENDMAIL="/usr/sbin/sendmail"

for RECIPIENT in $(cat ${ADDRESSFILE}); do

cat <<EOF | ${SENDMAIL} -i -f "${SENDER}" "${RECIPIENT}"

Hello User,
this is a reminder
EOF

@scottalanmiller
found out how to do it

first enable headers

zmprov mc default zimbraSieveEditHeaderEnabled TRUE

then create filter

cat /tmp/myfilters

require ["fileinto", "reject", "tag", "flag", "editheader"];

#Filter email based on a subject
if header :contains "Subject" [
  "SPAM"
  ]
{
    fileinto "Junk";
    stop;
}

then copy the sieve filters

cat /tmp/myfilters |xargs -0 zmprov md domain.com zimbraAdminSieveScriptBefore

and it works

Hi i was wondering if someone has accomplished what im trying to do,
Currently i need to create a filter for all the email users and future users.
I could not find a way on the web console to add that filter without doing one by one,
I did see this command

zmmailbox addFilterRule

but it would be the same way adding one by one so not sure if any more ideas?

Thank you

@black3dynamite
Thanks for the reply and sorry the late reply i did not get a notification on the email,
seemed that the issue was that it has to be done by \nameof server and not IP

@notverypunny

Thanks for the reply, but GPO by powershell i think its only compatible for server 2016-2019 but running currently 2012

Hi
I was wondering if someone else has accomplished on what im trying to do
i have GPO to automatic stores the keys in the AD when activated the bitlocker, but it seems that i have to do it manually, so i put a logon script bat with this

script.bat

Powershell.exe -ExecutionPolicy Bypass \\192.168.3.150\shares\publica\sistemas\enablebitlocker.ps1

But the for some odd reason im getting this popup which i would want it to run it silently or is there way to automatic say yes ?

Safety warningRun only the trusted scripts. Scripts from the Internet can be useful, but this script coulddamage your equipment. If you trust this script, use the Unblock-File cmdlet to allow it to run without this messagewarning. Do you want to run

this is the powershell script

$CdriveStatus = Get-BitLockerVolume -MountPoint 'c:'
if ($CdriveStatus.volumeStatus -eq 'FullyDecrypted') {
    C:\Windows\System32\manage-bde.exe -on c: -recoverypassword -skiphardwaretest
}

Thank you

thanks for the reply, so currently running zabbix 5.0, i have a proxy on each remote site which the agents goes though the proxy which sends the data to the zabbix server. Here is the issue, when a agent goes off line it alerted me every 30mins so what i did went to the template and changed the macro from 30min to 5min. But whats odd is that it doesnt appear offline rather then in the section unknown. And whats even more odd if the zabbix proxy of the remote site goes offline it doesnt alert me just shows unknown. The template i have for the agents on windows and linux called OS windows active agent and OS linux active agent. But i implemented proxy i had it directly to the zabbix server only issue there is that my server was getting overloaded

This server has been out since 9am and has passed more then 12 hours and no alert only shows unknown

which shows like this

and on the templates you see that it has configured the trigger when no data is received

in this case its at 30min

Hi
I was wondering if someone could shed some light on the issue im having. Before i had my zabbix agents connecting directly to my zabbix server on different remote sites which worked fine until my zabbix got overloaded. Then on each remote site i put a zabbix proxy which helped alot on my server. So one day one of servers got shutdown and didn't alert me only 30min later which is odd. So my question is how can configure the alert of zabbix when the data stops coming in after 5min rather then 30min?

Thank you

Thank you currently i put 30 days as wont let me add less to test it out i guess have to wait around a few weeks to test it out thank you again

Thank you for the reply, but i only need to purge 2 email boxes of the inbox, i went to the user mailbox on the admin and on advance i found this i check on the purge interval and got this

zimbra@mail:/root$ zmprov gacf | grep zimbraMailPurgeSleepInterval
zimbraMailPurgeSleepInterval: 1m

So my question is if i activate the email message life time to 90 it means that it will purge emails of that email inbox keeping only 90 days of email?

Thank you

Hi,
I was wondering if someone else has had the same dilemma, so currently i have postfix email server which im moving to zimbra.

On my postfix server i had this script that would clean 90 days of emails

#!/bin/bash
 /usr/bin/find /home/in/Maildir/cur -type f -mtime +90 -delete -name "*.mail.mydomain.com:2"
 /usr/bin/find /home/in/Maildir/cur -type f -mtime +90 -delete -name "*.mail.mydomain.com:2,S"
/usr/bin/find /home/in/Maildir/cur -type f -mtime +90 -delete -name "*.mail.mydomain.com"

and this script to clean the other mailboxes

 #!/bin/bash
MAILDIRS=$(find /home/*/Maildir/ -maxdepth 0 -type d)
for basedir in $MAILDIRS; do
  for dir in .Trash .Junk .Spam .Low\ Priority; do
    for dir2 in cur new; do
      [ -e "$basedir/$dir/$dir2" ] && (
        echo "Processing $basedir/$dir/$dir2..."
        find "$basedir/$dir/$dir2/" -type f -mtime +90 -delete
      )
    done
  done
done

I also saw an option on zimbra about retention policy but i think its not automatic as it needs user permission manually?
or am i wrong?

I was looking around but i found a few scripts for zimbra but it deletes amounts of email but not by time

Thank you

Thanks for the reply, the issue is that sanoid.conf does not send the snapshot to the usb but syncoid does, or does having that template automatic prune the snapshots?