SETTINGS DIAGNOSTIC REPORT

[jimimaseye]

v1.72
* remove unnecessary blank lines for minor space savings in DOMAINS to reduce report length

[jimimaseye]

v 1.73
* Bug fix to still show EVENT log path even when the log is non-existant (and state as such)

[jimimaseye]

v1.74
* Removed unecessary score values where Enabled=False on ANTISPAM

[jimimaseye]

v1.75

* (Cosmetic). Linewrap of CUSTOMAV entry for tidiness.

[jimimaseye]

v1.76

* Added listing of ROUTES under SMTP protocol (showing internal and masked external domain routes)

eg

Code: Select all

  Routes:
        Domain2.com              - Addresses: All
        Alias1.com               - Addresses: All
        rexxxxx.hoxxxx.net       - Addresses: Selective   !! NO ADDRESSES LISTED !!

[jimimaseye]

v1.77

* Added MIRRORING

Code: Select all

-----------------------------------------------------------------------------------------------

MIRRORING         user@maxx.ouxxx.com
-----------------------------------------------------------------------------------------------

[mattg]

[jimimaseye]

v1.78

* Bug fix for incorrect SIGNATURE 'Local' boolean.
* Re-ordered the ANTISPAM entries to match that of Admin screen layout
* Added specific information where entries are found but not active for DNSBL, SURBL, and Greylist-enabled Domains
eg

Code: Select all

Greylist DOMAINS enabled:
  !! No active domains enabled - GREYLISTING INEFFECTIVE !!

[jimimaseye]

v1.80

* Minor redesign/reorder of the SMTP RELAY entry.
* Checks RELAYS and ROUTES to ensure they dont have incestuous resolution back to the server.

Note: Lookups only if the external ip address can be determined (some company firewalls, for example, may block this ability to self find) - ignoring the lookups if it cant (saving time and flashing).

• It should report if lookup is good - "(ok)"
• Lookups against internal IP address not available - "(Unable to check - LAN IP not available)" - (although I hope this is never the case)
• Lookups point to Lan address - "!! POINTS TO SERVER'S LAN IP ADDRESS !!"
• Route resolves to own external address - "!! TARGET RESOLVES TO SELF !!"
• Route doesnt resolve - "!! Target does not resolve !!"
• Relay points to self "!!POINTS TO LOCAL DOMAIN!!"
• Relay resolves to local server - "!! RESOLVES TO LOCAL SERVER !!"
• Relay lookups not done due to own external ip not obtainable - "(unchecked)" - (company firewalls/proxys etc interfering)
• Route not possible as external IP address of server is not available - "(No incest check - ext. IP unavailable)"
• Route not possible as internal NIC addresses of server is not available - "(Unable to check - LAN IP unavailable)"

Ive also done some minor layout changes around the SMTP Relayer.

!! CAPITALS !! are problems
!! Proper case !! are warnings that you may like to address or ignore but have consequences
(info) are for information

Example (showing some of the !! errors !! that can appear):

Code: Select all

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  4 Mins:  5   Plain Text:        False  Bind: 
                     Host: Domain1.com         Empty sender:       True  Batch recipients:   100
Max Msg Size: 20480  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                      EXTERNAL.TLD             Disc. on invalid:   True  Delivered-To hdr: False
                  !! RESOLVES TO LOCAL SERVER !!
                     Port:  25                 Max number commands:   2  Loop limit:           5
                     Req Auth: True !! NO USER SET !!                    Recipient hosts:     15
                     Con. Sec.: SSL/TLS
  Routes:
        daxxxxxxxx.co.uk         - Addresses: All         !! TARGET RESOLVES TO SELF !!
        daxxxx.hoxxxx.net        - Addresses: All         !! Target does not resolve !!
        yaxxx.com                - Addresses: All         (ok)

[mattg]

Can we get details of the SSL certs (like we do for DKIM certs) added please, and TCP/IP can include which cert is used for the various security protocols

[jimimaseye]

Noted. I'll put it on the 'to do' list to look in to it.

[paultilley100]

Just ran this on my server and noticed that the ANTISPAM section, WHITELISTING area is listing the email address in clear text.

[jimimaseye]

Just ran this on my server and noticed that the ANTISPAM section, WHITELISTING area is listing the email address in clear text.

the reason for that is for tracing problems where people say "ive have antispam set yet it is not blocking this spam". With whitelist entries showing we can highlight that the cause is beause the email sender has been whitelisted. It has happened a few time where people simply dont understand whitelisting and inadvertently whitelist everyone (eg, " 0.0.0.0 to 255.255.255.255 * " (As whitelist addresses are EXTERNAL references it shouldnt be any securuty concern for the local server.) However, users are free to obfuscate the entries if they wish to and the reason for the diags does not involve a scenario as mentioned.

[jimimaseye]

v1.82

* Added route and relay checking to also check local HOSTS file (as well as DNS) for incest.

Routes/relays will return with error: !! POINTS TO LOCAL SERVER BY 'HOSTS' ENTRY !!

[paultilley100]

Just ran this on my server and noticed that the ANTISPAM section, WHITELISTING area is listing the email address in clear text.

the reason for that is for tracing problems where people say "ive have antispam set yet it is not blocking this spam". With whitelist entries showing we can highlight that the cause is beause the email sender has been whitelisted. It has happened a few time where people simply dont understand whitelisting and inadvertently whitelist everyone (eg, " 0.0.0.0 to 255.255.255.255 * " (As whitelist addresses are EXTERNAL references it shouldnt be any securuty concern for the local server.) However, users are free to obfuscate the entries if they wish to and the reason for the diags does not involve a scenario as mentioned.

Understood - It was just that I saw one of my addresses in there - a whitelisted address from our internal VOIP phone system (sending voicemails), which I wouldnt want displayed publically. Sorry for wasting your time, but I thought it might be important to people if they didnt realise this, and blindly posted their results.

First time I have run this script - thought I would investigate to be prepared for when something goes wrong, rather than firefight in a blind panic

[mattg]

I understand both sides to this, and I agree with both

jimimaseye could the email addressess in the whitelists be changed so that they read something like
name[at]example[dot]com

This way they won't be easily picked up by bots searching this forum

[jimimaseye]

v1.84

* Internals. A rework of RELAY/ROUTES coding.

[jimimaseye]

v1.85

* Disguise whitelist addresses to "user[@t]domain[dot]com" format to confuse/break email address scrapers
* Add "!! No SMTP Port 25 defined. Direct external SMTP inbound not possible !!" warning (to TCPIP ports) if SMTP is enabled but no port 25 is set
* Added warnings on ip range 0.0.0.0 - 255.255.255.255 if External to Local is disabled or requires authentication.
* Removed the 'Deliveries' settings when SMTP protocol = false for IP RANGES or the SMTP protocol is disabled

eg

Code: Select all

IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True           !! External To Local    -  True !!
       !! EXTERNAL INBOUND ON SUB IP RANGES OR EXTERNAL DOWNLOADS ONLY !!  
     External To External - False           

OR

IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    - False     !! Inbound on Sub IP ranges or External Downloads only !! 
     External To External - False           

[jimimaseye]

Can we get details of the SSL certs (like we do for DKIM certs) added please, and TCP/IP can include which cert is used for the various security protocols

Done

v1.86

* Added the SSL certificate details list and state the name against the TCPIP ports

[mattg]

Purely cosmetic feedback - great work jimimaseye

In IP ranges, slight spacing adjustment needed - require AUTH External to local

Code: Select all

IP RANGES

IP: 127.0.0.1 - 127.0.0.1     Priority: 60     Name: this Computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True       External To Local    - False
     External To External -  True              External To External -  True

SSL Certs, should be certificate file and Private 'KEY' file (The word Key is missing)

Code: Select all

SSL CERTIFICATES
   LetsEncrypt
           Certificate: \\192.168.0.193\mx.Domain6.com\fullchain.pem
           Private:     \\192.168.0.193\mx.Domain6.com\privkey.pem
-----------------------------------------------------------------------------------------------

[jimimaseye]

Purely cosmetic feedback - great work jimimaseye

In IP ranges, slight spacing adjustment needed - require AUTH External to local
.....
SSL Certs, should be certificate file and Private 'KEY' file (The word Key is missing)
....

Cheers.

Done. (same v1.86)

(Cant understand how I cocked up the External to Local formatting whenb I was only adding SSL stuff. I must have been sleep walking).

[jimimaseye]

v1.87
* Added warning for missing/invalid SSL certificates stated in TCPIP PORTS.

eg,

Code: Select all

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   StartTLS Required   !! NO VALID CERTIFICATE !!
               0.0.0.0         / 110   / POP3   -   None                
               0.0.0.0         / 143   / IMAP   -   StartTLS Required   Cert: SSL2
               0.0.0.0         / 587   / SMTP   -   None                
-----------------------------------------------------------------------------------------------

[mattg]

Port 25 STartTLS 'required' and 'SSL' should also be flagged as incorrect

Port 25 should ALWAYS be startTLS Optional or No Security, else limited mail from the internet

Oh and do you magic with hiding domain names on the certificate names and disk storage locations please...

[mikedibella]

Oh and do you magic with hiding domain names on the certificate names and disk storage locations please...

That's how I got the certificate file from the other case. If you don't intend for that to be possible, you should to obfuscate the both the file name and the subject of the certificate since they both typically contain the FQDN of the published interface.

As I said in my other post, only the key is sensitive data. If you know the layer 3 address of a published SSL/TLS interface, it is rudimentary to extract the certificate using openssl.exe or another tool. It is certainly not an "exfiltration" since reading this data is required to perform SSL/TLS negotiation.

[mattg]

Yep, I get that.

jimimaseye has said that he doesn't want domain names shown in this report in general.
Other things that can happen with the domain name include DNS MX record checks, which is often useful in tracking down tricky problems.

This board gets read by many bots looking for information that can be used for nefarious means. We've seen servers attacked hours after posting poor configuration, so we need to be careful about what information is publicly accessible.

[mikedibella]

Know that my efforts here are always good faith attempts to uphold the spirit of "community supported." I really appreciate the value I get from hMailServer and want to pay it forward...

[mattg]

understood and appreciated.

I'm self taught, a manager of healthcare facilities by vocation, not a trained tech.
I definitely don't want to scare anyone away from helping out with answers.

[jimimaseye]

Oh and do you magic with hiding domain names on the certificate names and disk storage locations please...

It already does (on the path name). But it can only mask domains that actual exist as a Domain or Alias in the settings (and consequently have a pseudonym) - if it doesnt then it is an unrecognisable string of characters and it cant possible know what is a domain/FQDN and what isnt.

Ill work on masking the certificate name (under the same conditions)

[jimimaseye]

v1.88
* Give pseudonym references to local domains and aliases in SSL certificates names and paths.
* Give warning when SSL/StartTLS is required on port 25 for SMTP

eg

Code: Select all

-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   StartTLS Required   !! External Email Blocked !!
-----------------------------------------------------------------------------------------------

[mattg]

Perhaps a warning on SMTP relayer, where port 25 is picked plus SSL/TLS.

Port 25 with StartTLS may work for some providers although most will be 587 + StartTLS, or 25 + no security, or 465 + SSL/TLS

[mattg]

viewtopic.php?f=7&t=32256&p=201577#p201576

Route detail needs to show the switches please, ie whether or not the recipient and sender are considered local or external

Also what does

!! Warning: DEFAULT DOMAIN is SET !! - "EXTERNAL.TLD"

mean?
Does that mean that the user picked a completely different domain than they host as the default, one that matches the 'local server name' in SMTP?

[jimimaseye]

ROUTES: I'm thinking about adding an option at run time to include route detail (or even a separate script to list the routes out). Under normal situations they are not needed but occasionally......

Also what does

!! Warning: DEFAULT DOMAIN is SET !! - "EXTERNAL.TLD"

mean?
Does that mean that the user picked a completely different domain than they host as the default, one that matches the 'local server name' in SMTP?

Yes. They have entered a domain that isn't one of their hosted domains so doesn't appear as any of the pseudos (domain1.com, domain2. com etc) and so its external to this server. (Of course it may also be sub.domain1.com too but that is also not normally ideal)

[jimimaseye]

Route detail needs to show the switches please, ie whether or not the recipient and sender are considered local or external

Done.,

v1.89
* Routes now show the switches against 'S' (sender) and 'R' (recipient).

Adjusted layout:

Code: Select all

  Routes:
    Domain2.com              - S: Local   R: Remote - Addr: All         (ok)

[jimimaseye]

(Coming soon. Im working on RULES output. Very indepth......)

[jimimaseye]

v1.90

* Added RULES

When running the script there is now a 3rd prompt asking whether to include rules or not (default = N). Under normal circumstances they are not required but if dealing with someone where they are important simply ask them to "run the script and reply 'Y' to the 3rd prompt." (They appear immediately after the domains and the domain names are masked). NOTE: the rules appear in order of processing.

Output example showing all action options:

Code: Select all

RULES
   TestRule                    Criteria:  Use AND
             Body                   Contains        Some body Text
     Custom: X-MYHEADER-1           Equals          ValueX

                               -Actions-
             Delete
             Forward                                user@Domain1.com
             Move To Folder                         Spammy
             Reply
             Run Function                           MyScript
             Set Header Value                       MyCustomerHeader = Yes
             Stop Rule Processing
             Create and Send Copy
             Bind to local IP                       11.22.33.44
             Send Using Route                       dexxxxxxxx.co.uk
             
   Known Spam                  Criteria:  Use OR
             To                     Regular Expr    (?i:^.*(emailsales@|fax@|bouncednotifications@).*$)
             From                   Contains        Yvonne Sahm

                               -Actions-
             Set Header Value                       X-SPAMCHECK = Yes
             Move To Folder                         Spam Folder

(More examples in the initial post example report)

[mattg]

looking good jimimaseye

What's next?
- A copy of Eventhandlers.vbs contents?
- Auto include the last 10 Error log lines if today's error log exists?
- A list of all of the individual WARNINGS additionally shown together at the top of the screen

[jimimaseye]

V1.91

* Bug fix to Cipher List output
* Compressed (space saving) rules output

[jimimaseye]

v1.92

* Mod to make the output compatible to new forum style. (removal of [ size=85] tag)

[jimimaseye]

v1.93

* Minor bug fix for non-english boolean translation.

[mattg]

Rules only includes global rules, not account level rules

Can we get account level rules added please

[jimimaseye]

Can we get account level rules added please

I had already considered it some time ago. The problem is that a domain can have tens or hundreds of users, and there can be hundreds of domains. 100 domains x 100 accounts = 10,000 potential account rules being listed. We wouldnt have enough virtual paper to (or browser screen) to display the report . Even if less (1 domain) we could be iterating through hundreds of accounts and displaying their rules when in reality we only require the rules for 1 account to be displayed (as we investigate a specific issue for someone).

[mattg]

Yeah that's correct I guess.

I was just wanting to show some of my account level rules to someone having trouble with rules
I like the way you format your output...

[jimimaseye]

Perhaps a secondary standalone script for 'account rules' that prompts for an account could do it. I'll give it a think.

[jimimaseye]

Yeah that's correct I guess.

I was just wanting to show some of my account level rules to someone having trouble with rules
I like the way you format your output...

v1.94

* Added extra prompt for a single account address to have it's rules included (optional) if GLOBAL RULES are requested.

(You can always run it and extract/ edit the output to just display your account rules or run the s for several times for different accounts and merge the outputs together before posting).

[jimimaseye]

v1.95

* Minor code changes (tidyup).

[jimimaseye]

v1.96

* Minor bug fix for non-english boolean translation 'Greylist Bypass A/MX'

[mattg]

adds TLSv1.3 (and doesn't show SSLv3.0 in 5.7.0)

Code: Select all

' SSLTLS
   Txt = "SSL/TLS" & vbcrlf 
   Txt = Txt & space(13) & "SSL 3.0 : " & RJust(BooTrans(oTarget.SslVersion30Enabled),6) & vbcrlf
   Txt = Txt & space(13) & "TLS 1.0 : " & RJust(BooTrans(oTarget.TlsVersion10Enabled),6) & vbcrlf
   Txt = Txt & space(13) & "TLS 1.1 : " & RJust(BooTrans(oTarget.TlsVersion11Enabled),6) & vbcrlf
   Txt = Txt & space(13) & "TLS 1.2 : " & RJust(BooTrans(oTarget.TlsVersion12Enabled),6) & vbcrlf
   Txt = Txt & space(13) & "TLS 1.3 : " & RJust(BooTrans(oTarget.TlsVersion13Enabled),6) & space(15) & _
    " Verify Remote SSL/TLS Certs: " & RJust(BooTrans(oTarget.VerifyRemoteSslCertificate),6) & vbcrlf
   Txt = Txt & "SslCipherList  :" & vbcrlf & vbcrlf
   CipherList = Split(oTarget.SslCipherList, ":")
   X=0
   For Each Cipher in CipherList
      if not trim(Cipher) = "" then
         X = X + 1
         if not (X mod 3) = 1 then Txt = Txt & "- "
         Txt = Txt & LJust(Cipher,32)
         if (X mod 3) = 0 then Txt = Txt & vbcrlf 
      End if
   Next
   if (X mod 3) > 0 then Txt = Txt & vbcrlf
   Txt = Txt & string(95,"-") & vbcrlf
   objTextFile.WriteLine(txt)
' END SSLTLS

I see that the script mode is set to debug, and that I get this error at the bottom, but I can't see anything missing
Have sent output to you via PM

Code: Select all

Error 438. Out-dated version. Some fields or objects missing.

[jimimaseye]

v1.97 Modified SSL checks to account for v5.7

[jimimaseye]

v1.98

* Minor code tidyup (removed random ambiguous line - no functionality change)

[NigelRoth]

Excellent tool, thanks.

But there seem to be a couple of bugs.
1. I don't think LJust is a vbs function, perhaps it is a Python?
2. ObfusRef(ORuleSub.MatchValue) does not compute.

I assume these don't normally show up as On Error Resumes Next

[jimimaseye]

Thanks but there is no problem. All things raised are valid and function as intended and for good reason. Everything within the script is VBS (Ljust is a function in the script created by me.)

I prefer not to spoil the thread with discussion about the script itself, keeping it factual about updates. If you wish to discuss in detail ,then I would be happy to in a separate thread...if you feel there is need to. Thanks.

[jimimaseye]

v1.99

* Mod for appropriate TLS checks for v5.6.8 onwards (5.6.8 onwards no longer supports SSL3 and does provides TLS1.3)

[jimimaseye]

v2.00

* Include !! Warning !! if no Local Host Name has been entered on SMTP Delivery Tab

[jimimaseye]

v2.01

* Fixed error and provide critical " !! WARNING !! " when Rule declares to 'Send By Route' without a Route being stated.

[mattg]

Can we add a check to see if catchall is actually a local account please
https://www.hmailserver.com/forum/viewt ... =7&t=35331

[jimimaseye]

Can we add a check to see if catchall is actually a local account please
https://www.hmailserver.com/forum/viewt ... =7&t=35331

I guess so. How would you like it to be flagged/identified? Would you consider it an information !! warning !! or error !! WARNING !! ? (ie, not unfeasible, allowed, but not normal as its potentially problematic if you didnt know why it's been done).

I guess there is a bit more to this to consider:
a, an address that is not local and point to 'external' is not a problem
b, an address that is not local and the domain is local, not the current domain and has a catchall associated is not a problem
therefore
c, an address that is not local but points to local (enabled) domain, domain is the same (self) or domain is different with no associated catchall - this would classify as problematic error marked as "!! WARNING !!"

[mattg]

I never considered using an externally hosted account for a catch all
Interesting concept
Essentially that means that I could re-direct all mail to unknown users to a honey trap...

(Perhaps just flagged as 'no local account matches')