wfitg

Members, 205 posts, 2 days won
Everything posted by wfitg

  1. wfitg, in "Reset Password": How can I remove the "Reset My Password" link on the staff login box?
  2. I see the need for some businesses to keep emails on file. In some cases it is a legal requirement. I like the idea of having the option to truncate.
  3. I like the clustering and the truncating ideas. However, I think I will first try a separate database to store email.
  4. I have not found a way to encrypt only the emails. There is a way to encrypt specific lines of a database. Why couldn't these emails be forked to a separate "email database"? This way there would be no need to archive them. They could be kept on file forever.
  5. Saving the welcome email is good. Saving the welcome email with the password in plain text is not good. The welcome email should not include the variable {password} by default. It is too easy to overlook when doing the initial Blesta setup. IMHO - It would be better to archive any emails older than 6 months or a year rather than have the database grow huge. 100 clients getting an average of 2 emails or more per month is 2400 or more emails in the database over the course of 1 year. The emails are stored in plain text. That personal information could be a gold mine if the database got hacked. Time for some individual encryption. But can only the mail be encrypted in the DB without having to encrypt the entire sql> ?
  6. I certainly see the need to keep emails on file for 6 months or even a year. And you make a good point. Personally, I would rather have the ability to archive them, or delete them after so many months.
  7. wfitg, in "Release 3.3.0": So how is the new version? Anyone care to share likes and dislikes?
  8. Exactly. I went in and removed the pass from each of the emails. But if the emails do not rotate the database could get huge. We need a way to archive them or delete them. The variable {password} should not be included in the welcome email by default. It should be an option that comes with a warning, or not available at all. I don't know anyone that sends the user name and pass in plain text email these days.
  9. My suggestion is having a delete button next to the email when we "view client email". Otherwise the log could get huge.
  10. I found the rotation settings. Here is my concern: The "Welcome Email" sends the user name and password by default. {username} {password} variables. I have changed that to say password: "the password you used when signing up" However, the old email with the user's name and password is being stored in the database in plain text. There is no way to delete it without manually changing the database.
  11. We need a way to clear the logs. In particular, the email log that can be viewed for each client.
  12. I have spaced out the time intervals under settings/automation. I had several settings running every 5 minutes. I noticed there was a spike at around 3pm. This is when the load was the heaviest. I set this to run overnight instead of 3pm. Hopefully changing the settings for each task will reduce the memory being used.
  13. *LOAD* 5 minute load average is 7.65
  14. Small database. What to look for?
  15. First the data: LFD.log
      I have a couple dozen of these in the lfd.log:
        Kill:0 User:wfitg VM:285(MB) EXE:/home/virtfs/wfitg/usr/bin/php /home/wfitg/public_html/backend/index.php cron
      And emails from lfd:
        Resource: Virtual Memory Size Exceeded: 285 > 200 (MB)
        Executable: /home/virtfs/wfitg/usr/bin/php
        Command Line: /usr/bin/php /home/wfitg/public_html/backend/index.php cron
        PID: 28803 (Parent PID:28802)
      Questions: Is this memory use normal? Could the warning threshold be too low? Could this be brute force? Is anyone else having high mem use + cron?
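As an added example (not the poster's code and not part of lfd or Blesta), this Python parses lfd.log lines in the format quoted in post 15, flags entries over the 200 MB limit named in the alert, and summarises count and peak memory per user and command, which is what separates a recurring cron job from a runaway or hostile process. The sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the lfd.log format quoted in the post above
# (values are made up for the example, not taken from a real server).
SAMPLE_LFD_LOG = """\
Kill:0 User:wfitg VM:285(MB) EXE:/home/virtfs/wfitg/usr/bin/php /home/wfitg/public_html/backend/index.php cron
Kill:0 User:wfitg VM:120(MB) EXE:/home/virtfs/wfitg/usr/bin/php /home/wfitg/public_html/backend/index.php cron
Kill:0 User:wfitg VM:240(MB) EXE:/home/virtfs/wfitg/usr/bin/php /home/wfitg/public_html/backend/index.php cron
Kill:1 User:other VM:640(MB) EXE:/usr/bin/perl /home/other/mailer.pl
"""

# Kill flag, user, virtual memory in MB, executable, then optional arguments.
LFD_LINE = re.compile(
    r"Kill:(?P<kill>[01]) User:(?P<user>\S+) VM:(?P<vm>\d+)\(MB\) "
    r"EXE:(?P<exe>\S+)(?: (?P<args>.*))?$"
)

def parse_lfd(text):
    """Return one dict per recognised lfd resource line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LFD_LINE.match(line.strip())
        if m:
            events.append({
                "killed": m["kill"] == "1",
                "user": m["user"],
                "vm_mb": int(m["vm"]),
                "exe": m["exe"],
                "args": m["args"] or "",
            })
    return events

def over_threshold(events, limit_mb=200):
    """Events above the memory limit (200 MB in the alert quoted in the post)."""
    return [e for e in events if e["vm_mb"] > limit_mb]

def summarize(events):
    """Count, peak VM and kills per (user, exe, args). A scheduled cron job shows a
    high count with a stable peak; a rising peak or kills deserve a closer look."""
    summary = defaultdict(lambda: {"count": 0, "peak_mb": 0, "killed": 0})
    for e in events:
        s = summary[(e["user"], e["exe"], e["args"])]
        s["count"] += 1
        s["peak_mb"] = max(s["peak_mb"], e["vm_mb"])
        s["killed"] += int(e["killed"])
    return dict(summary)
```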
  16. httpd.conf "includes" are the way to go. A good way to DENY iframes too
  17. If I understand the OP correctly, this could be used:

        // must run before session_start() so the session cookie is issued with HttpOnly
        ini_set('session.cookie_httponly', 1);

      But it can be done using .htaccess too:

        <IfModule php5_module>
            php_value session.cookie_httponly true
        </IfModule>

      more: http://stackoverflow.com/questions/36877/how-do-you-set-up-use-httponly-cookies-in-php
  18. Yeah, he is busted. What an idiot. We have too many experienced webmasters, coders, and admins here for a script kiddie to get away with much. An experienced spammer/hacker would not bother with such nonsense as this. They just want to send their spam. It looks like a deliberate attempt to make the Blesta company look bad.

      Here is an SPF generator if anyone needs it: http://www.spfwizard.net/
      Microsoft makes one too: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
  19. The -all will reject everything that does not pass. I like to use ~all because I can still get the flagged email. I simply set up a rule to have those flagged emails go to the flagged folder. Then I can scan through them for any mistaken failures (or someone who simply does not have the records set correctly) and also remember those that are frequent abusers. The frequent ones can be blocked on ACL or IP Tables. I guess whatever works is the answer as long as something is in place to prevent domain spoofing. This will stop many of the script kiddies and wannabe hackers, but a determined spammer will try other methods than spoofing to hijack an email server.
  20. This looks great. I may start using DMARC too. However, if the person is on a shared server, but they have a dedicated IP for an SSL this could cause a problem. Their mail comes from the shared server's IP address, not from their dedicated IP. They will have to add an A record with the shared mail server's IP. Not many users know how to add DNS records so their mail will be bounced.
  21. Correct. Nothing can stop someone from using domain.com@gmail.com --except for being observant. I know it does work if someone is trying to spoof the actual domain name. For example, the mail server would bounce an email from sales@blesta.com if: (1) the blesta zone file has an SPF record set and (2) the email is not originating from blesta's email server. Of course, nothing in life is 100% but I can say that using this has cut down on my domain being spoofed and on the amount of spoofed emails that I receive. If I had a company like Blesta I would probably use the "soft fail" [ "v=spf1 ~all" ] flag so I could still get the email but also be alerted that it may not be coming from the correct server. The hard fail option is good for individuals who do not want to get any spoofed mail at all.
  22. Here is a good write up on setting a DNS SPF record to prevent your domain name from being spoofed. It also stops spoofed email from coming to your box if the "hard fail" element is used. https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability Most cPanels create SPF with the hard fail. "v=spf1 -all" But it is better to use the soft fail. This way you get the spoofed email, but it is tagged as suspicious: "v=spf1 ~all"
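As an added example (not the poster's code, nor a cPanel or Blesta tool), this Python evaluates a simplified SPF record against a sending IP so the difference between -all (hard fail) and ~all (soft fail) discussed in posts 19, 21 and 22 can be seen on concrete inputs. The TXT records are constructed stand-ins for DNS lookups, and only the ip4, include and all mechanisms are handled.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (assumption: these are
# made-up records using documentation address ranges, not real domains).
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:_spf.mailhost.example ~all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "strict.example": "v=spf1 ip4:203.0.113.10 -all",
}

# Qualifier prefix on a mechanism; a bare mechanism means "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, records=TXT_RECORDS, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for sender_ip.
    Handles ip4, include and all; a, mx, exists and macros are ignored here."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10 per check
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "ip4" and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
        if name == "include" and check_spf(value, sender_ip, records, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
        if name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term

def disposition(result):
    """What a receiving server typically does with the result, as the posts describe:
    -all rejects, ~all accepts but tags as suspicious, anything else is accepted."""
    return {"fail": "reject", "softfail": "accept-and-tag"}.get(result, "accept")
```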