Server Unavailable error

A PHP-based web site on a server that I manage was failing to load. It worked a few months ago when I set it up and the owner didn’t notice that it was failing. When I looked at the error log I got these messages.


[Wed Aug 08 07:45:21.627045 2018] [proxy:error] [pid 32113:tid 139735343294208] (2)No such file or directory: AH02454: FCGI: attempt to connect to Unix domain socket /run/php/php7.2-fpm.sock (*) failed
[Wed Aug 08 07:45:21.627334 2018] [proxy_fcgi:error] [pid 32113:tid 139735343294208] [client 64.91.53.183:36745] AH01079: failed to make connection to backend: httpd-UDS

Since it said that fpm.sock failed, I thought that maybe the mod was no longer enabled so I tried a2enmod proxy_fcgi but it said that it was already enabled.

There was some info on dependencies on various help sites, so I figured that at some point an aptitude safe-upgrade command might have messed things up. So I figured that running these commands might help, and it did.


sudo apt-get update
sudo apt-get upgrade

Reading through the install messages I noticed this:


Setting up php7.2-fpm (7.2.7-0ubuntu0.18.04.2) ...
Package apache2 is not configured yet. Will defer actions by package php7.2-fpm.
Replacing config file /etc/php/7.2/fpm/php.ini with new version
NOTICE: Not enabling PHP 7.2 FPM by default.
NOTICE: To enable PHP 7.2 FPM in Apache2 do:
NOTICE: a2enmod proxy_fcgi setenvif
NOTICE: a2enconf php7.2-fpm

So it looks like proxy_fcgi somehow got enabled and was causing problems. It is a small site with little traffic, so I decided to leave well enough alone and not enable the mod.

Banner day for scamming.

Two scams that are in the news hit our household today.

The first was a sextortion email. This one was a copycat though, since it had an an email address that was obviously found through a hack (vendorname@wellgolly.com), but they didn’t have the password to prove that they’d been monitoring the webcam.

And then I got to talk to a “Microsoft Security Team” member that was informing me that the internet on my computer was illegal. I tried to get him to clarify what he meant by expressing confusion about how the internet was on my computer, since as far as I know, it is outside my house, but I wasn’t able to string him along. And just for a point of reference, we only use Macs, iPads, and iPhones here, so there was no way that they detected “Illegal internet activity on my Windows”.

Getting Exim4 running on a new server

We’ve always kept our virtual domains in /etc/mail/virtuals and I was under the impression it was the default location. It isn’t.

I don’t remember adding this code when I set up Exim4 on my Linode server, but it is missing on my Digital Ocean server. I needed to add the folowing lines to exim4.conf.template, just above the line system_aliases: in the router section.


virtual_domains:
  driver = redirect
  domains = dsearch;/etc/mail/virtuals
  data = ${lookup{$local_part}wildlsearch{/etc/mail/virtuals/$domain}}
  allow_fail
  allow_defer
  file_transport = address_file

I also missed the step of creating the self-signed key and cert, so make sure you do that as well.

The documents have lots of special cases for handling email that I never used, but one could come in handy. An attempt to deliver to a particular local part can be deferred or forced to fail by aliasing the local part to
:defer:
or
:fail:

So you could do something like this, since spammers use this address all the time.
support: :fail:

One thing we never did in the virtuals file is to send a comment for addresses that bounce, but it could come in handy. e.g

X.Employee: :fail: Gone away, no forwarding address
support: :fail: Please use the contact form on our website if you have support questions.

RIGHT OUTER JOIN example

Another simple query. I have a list of vocabulary words with their definitions. I found a usage that clearly expressed the meaning of the word and put it in a different table. When I was nearly done I wanted to make sure that all of the words had at least one usage example. This is the code that does it.


SELECT words.word, words_usage.word
FROM words_usage 
RIGHT OUTER JOIN words 
ON words_usage.word = words.word 
WHERE words_usage.word IS NULL 
ORDER BY `words_usage`.`word` ASC

Getting Dovecot running on a new server.

I followed these Dovecot installation instructions and everything appeared to work, but I couldn’t get mail. I went into my mail client and retyped the password. I got an error message when it tried to verify the server saying that I had an invalid certificate.

I tried getting a standalone certificate using certbot, but my attempt failed. It turns out that you need to stop apache before running certbot with the standalone command. Then run:


sudo certbot certonly --standalone --preferred-challenges http -d mail.mymaildomain.com <code>

This puts a new certificate just for mail in the /etc/letsencrypt/live/mail.mymaildomain.com directory. You need to tell Dovecot where to find the certificate by editing the SSL file.

Look for these lines near the top of the file.


#ssl_cert = </etc/dovecot/dovecot.pem
#ssl_key = </etc/dovecot/private/dovecot.pem

Configure Dovecot

Dovecot’s SSL configuration is done in an auxiliary file located at /etc/dovecot/conf.d/10-ssl.conf. In here you’ll find two parameters that need to be changed: ssl_cert and ssl_key. Like postfix, dovecot will need the full certificate chain to present to clients for validation.

Edit the configuration file to point to the new certificates. Be sure to include the leading < before the file path, this is what tells dovecot to read from a file rather than use the value literally. 


ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem

The only other issue I had was with the mail_location. I must have picked mbox format when the messages are in Maildir format. I changed this line in 10-mail.conf.


mail_location = maildir:~/Maildir