Author: Tony Howden

  • You do not have permission to access this document

    A Joomla site has been working fine but is now displaying an error when trying to save new content. The error displays as “You do not have permission to access this document.”

    It is an Apache Web Server error and not a Joomla error. Considering that Joomla has not changed it will be related to server changes or Apache updates.

    We had made a server change to address Apache Security Headers recently. Those changes were working ok with other sites and with the public view of this Joomla site.

    The .htaccess file for the Joomla website was the first thing to check. That revealed we had added some specific headers relating to those security headers back in 2021 to address a different issue.

    #Added 20211201 following Joomla recommendations after upgrade to 3.10.3
    <FilesMatch "\.svg$">
      <IfModule mod_headers.c>
          Header always set Content-Security-Policy "script-src 'none'"
      </IfModule>
    </FilesMatch>
    
    <IfModule mod_headers.c>
        Header always set X-Content-Type-Options "nosniff"
    </IfModule>

    In this case the site-specific .htaccess directives clashed with the recently modified server-level configuration.
    Removing the site-specific .htaccess directives allowed new articles to be saved correctly.

    Conclusion

    If Joomla shows the error “You do not have permission to access this document.” when you save an article, the message is coming from the web server (an HTTP 403 response), not from Joomla.

    Check your .htaccess and your server configuration for potential Apache issues first, and look at the Apache error log for the failing request: a 403 is recorded there with the path and the reason for the denial, which tells you which directive to look at.

    Need help with your Joomla or WordPress site? WrenMaxwell provides support and secure website hosting services. Contact Us at any time.

  • Should I publish an email address on my website?

    “Should I publish an email address on my website?”

    NO! Never, Never, Never, Ever publish an email address.

    Spam email is a constant issue for anyone managing email.

    Any action that reduces the chances of spam or scam email getting to your account is a good thing.

    Spam Email

    To answer the question we first need to understand what spam email represents and the impact it can have on you and your business.

    Spam in this context covers all the unsolicited and untrusted email that arrives every day.

    Types of spam include those selling the latest sex, diet, or hair growth/removal treatments (these used to be called ‘snake oil’), along with the more dangerous malware, ransomware and virus-laden emails.

    All of these cost you time at a minimum. Accidentally clicking through a scam email can be extremely costly.

    “..in 2021… …average total cost of recovery from a ransomware attack… ..increased to $2,340,000 per incident.”

    https://australiancybersecuritymagazine.com.au/average-ransomware-recovery-cost-in-apj-increases-from-us1-16-million-to-us2-34-million/

    If those ‘big numbers’ seem too big and you think you are too small to be worth targeting, you are wrong.

    Scam and phishing emails are after your identity and your banking or credit card details. Even a few hundred or a few thousand dollars is worth their effort, along with the ability to steal your identity and take out a large loan in your name.

    The risk exists even for smaller businesses and personal accounts. Imagine losing all the data on your computer. Imagine your identity being stolen. There is potential risk in every email you receive, even from senders you recognise, because their account may itself have been compromised.

    Spam accounts for 14.5 billion messages globally per day.

    https://www.spamlaws.com/spam-stats.html

    Spam email is a risk to you and your business. It consumes a mountain of resources in dealing with it.

    “Publish My Email Address, it is Important”

    It is a fallacy to say “It's important that this email address is highly visible because this is how customers will contact us”. Use a contact form.

    Customers that are using the website will use whatever means provided to contact the business. Provide them with a contact form and they will use that method.

    Is there a way to make the email address visible only to humans? No. Harvesters use scripts that read the HTML source of a page, not what a human viewer sees on screen.

    Writing example [at] your-business [dot] domain is often suggested so that a human can read it and mentally convert the [at] and [dot], but email harvesting scripts include code to recognise these patterns and convert them back to a usable address.

    Other methods include JavaScript that assembles the address at run time, rendering the address as a JPG image, or similar coding tricks.

    Do not waste the time and effort doing that. A contact form removes the need completely.
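    To show why the obfuscation tricks above do not help, here is an added example (not from the original post, and not any real harvester) of the kind of script a harvester runs over page source. The HTML fragment and the example-business.com.au addresses are constructed for the demonstration; the normalisation steps (undo HTML entities, undo %40 in mailto: links, join JavaScript string concatenation, translate [at]/(at) and [dot]/(dot)) are all that is needed to recover every address on the page.

```python
import re
from html import unescape
from typing import List
from urllib.parse import unquote

# Constructed page fragment, not taken from any real site. It hides one
# address six ways: plain text, a mailto: link with %40, "[at]/[dot]",
# "(at)/(dot)", HTML numeric entities, and a JavaScript string concatenation.
SAMPLE_HTML = """
<p>Sales: sales@example-business.com.au</p>
<a href="mailto:accounts%40example-business.com.au?subject=Invoice">Email accounts</a>
<p>Support: support [at] example-business [dot] com [dot] au</p>
<script>var owner = "owner" + "@" + "example-business.com.au";</script>
<p>Write to us at info (at) example-business (dot) com (dot) au</p>
<p>Director: &#100;irector&#64;example-business.com.au</p>
"""

# Harvester-style normalisation: undo the common "human only" disguises.
OBFUSCATED_AT = re.compile(r"\s*[\[\(\{<]\s*at\s*[\]\)\}>]\s*", re.IGNORECASE)
OBFUSCATED_DOT = re.compile(r"\s*[\[\(\{<]\s*dot\s*[\]\)\}>]\s*", re.IGNORECASE)
JS_CONCAT = re.compile(r'"\s*\+\s*"')        # "owner" + "@"  ->  "owner@"
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def normalise(html: str) -> str:
    """Reduce the raw HTML source to something the address regex can match."""
    text = unescape(html)            # &#64; -> @, &#100; -> d
    text = unquote(text)             # %40 -> @ (mailto: links)
    text = JS_CONCAT.sub("", text)   # join "a" + "b" into "ab"
    text = OBFUSCATED_AT.sub("@", text)
    text = OBFUSCATED_DOT.sub(".", text)
    return text


def harvest(html: str) -> List[str]:
    """Every distinct address recoverable from the page source, in page order."""
    found: List[str] = []
    for addr in EMAIL.findall(normalise(html)):
        addr = addr.lower()
        if addr not in found:
            found.append(addr)
    return found


if __name__ == "__main__":
    for addr in harvest(SAMPLE_HTML):
        print(addr)
```

    Every one of the six disguised addresses comes back in plain form. A contact form gives the script nothing to find in the first place.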

    Use a Contact Form

    A contact form is quicker, easier and safer. It is still a target in its own right, so protect it with a honeypot field, rate limiting or a CAPTCHA, and never pass what the visitor typed into the headers of the outgoing notification email.

    There are lots and lots of scripts, templates, and tools to create and manage Contact Forms.

    WrenMaxwell provides WordPress website hosting and utilises WordPress Contact Form Plugins.

    Your designer can add a simple Contact Us page in minutes and replace any email address with a simple ‘Click to Contact Us’ link to that new page and its contact form.

    In terms of designer time and cost, it should be minimal and part of their standard process.

    A contact form also gives you analytics on customer contact through your website, something a published email address cannot provide. That is a CRM topic about how to measure the success of your website.

    Conclusion

    “Should I publish an email address on my website?”

    Never publish an email address. Always use a Contact Form plugin or script.

    A Contact Form, along with additional website security and server-based security measures will reduce the amount of spam or scam emails that get to your inbox.

    Need help with your WordPress website?

    WrenMaxwell provides WordPress support and secure hosting.

  • WordPress Another update is currently in progress

    Do you see in WordPress “Another update is currently in progress.” when you try to update the WordPress core? If so then you have probably checked all the other sites that advise you to delete a database entry, or use a plugin, or even use the wp-cli command to delete the database entry. In my recent research to resolve this, none of the sites I found actually provided any solution if that database entry does not exist.

    I did end up with a post at WordPress.org: update-wordpress-another-update-is-currently-in-progress-2 and noted that even there the suggested solution was “wp option delete core_updater.lock” which was redundant advice as the original poster of the issue had already stated that the database table (wp_options) did not include that record.

    In order to confirm this, I did install the wp command line utility from https://wp-cli.org/ and ran a couple of commands to check the current value of the core_updater.lock option, but as shown below wp-cli cannot find it either.

    wp option get core_updater.lock
    Error: Could not get 'core_updater.lock' option. Does it exist?

    At this point the short answer is that the wp_options table does not have the record to delete, whether you look with a plugin, phpMyAdmin or wp-cli. If it is not there it cannot be deleted, and yet we still have the “Another update is currently in progress.” issue.

    At this point I am still looking for a solution (identifying the cause would be good, but a work-around will suffice) and have tested or confirmed:

    • Specific to a site with 5.8.1 installed (I do not think this matters)
    • Trying to update to 5.9.3 (again I do not think it is a version issue)
    • Checked other WP sites on the same server – all ok – says that it is not a server config issue (i.e. its isolated to the site)
    • Ran all other updates for this site – plugins, themes etc. no issue. Only the core update fails / errors.
    • Tested swap of PHP (Multi-PHP Manager) version just to see if something triggered a clean-up – no change
    • Checked back on the dev site for the same live site and the dev site had automagically been updated to 5.9.3 obviously without an issue. Which comes down to some error within the live site only.
    • Finally drilled into the browser Inspect console and discovered 403 errors on some scripts, like wp-admin/load-styles.php.

    A 403 Forbidden error suggested it was .htaccess or virtual host related and probably not an issue with WordPress itself. I then confirmed file permissions (default chmod) and ownership (chown), re-applying them just in case, but that made no difference.

    The end result: the cPanel/WHM server had WordPress Toolkit enabled for both the live and the dev sites. The two sites appeared to be configured identically, but cycling through each of the Toolkit security settings on the live site, disabling and re-enabling them, cleared whatever glitch or corruption was present.

    Summary: if you cannot find the core_updater.lock record then the error message is a fall-back error, a red herring to use an old-school term, and not accurate. What it is really saying is “WordPress wants to run the update but something weird is happening and WordPress cannot write or read what it needs.”

    If I had this time over I would check in this order rather than the circuitous route I took:

    1. WordPress error “Another update is currently in progress” but no core_updater.lock in wp_options: stop hunting for the lock, it is not the cause.
    2. Check the browser console (Inspect) for 403 or other errors on wp-admin requests, then look at the server-side settings that could be blocking them (WordPress Toolkit security options, .htaccess, virtual host).

    WrenMaxwell provides fully managed hosting services for WordPress websites, business email, and domain names.

  • Apache Headers for Website Security

    Apache security headers are a way to have the web server add HTTP response headers that tell the browser to enforce certain protections, reducing the risk of a range of attacks. The following sections cover the more common headers that should be set.

    One proviso with all of these settings is that they rely on the end-user's browser being reasonably current and honouring the header instructions. Likewise you should be using a current Apache release.

    The same (similar) headers can also be used with nginx but that is beyond the scope of this article.

    ServerSignature Off

    The first option is to stop the server advertising its software and version details.

    ServerSignature Off
    ServerTokens Prod

    The reason for this is to hide information about the server from potential attackers. Advertising your server's software and version lets them look up specific vulnerabilities for that release. It is obscurity rather than a control, so you still need to keep Apache patched.

    Clarification: there is no option to make the Server header blank. The combination above will still show Apache, but without version details etc. Fully removing or rewriting the Server header needs something outside core Apache, such as ModSecurity's SecServerSignature directive.

    Also note that if you are using a CPanel server, you already have these options in the settings at WHM(Home) -> Service Configuration -> Apache Configuration -> Global Configuration.

    Set-Cookie

    The Set-Cookie header matters because one aim of cross-site scripting (XSS) attacks is to steal the session cookies that many websites use to track a logged-in user.

    Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure;SameSite=Strict"

    Despite the name, HttpOnly has nothing to do with HTTP versus HTTPS; that is what the Secure setting is for. In detail:

    • $1; is the original cookie, which Apache will edit to append these 3 settings. Note the edit appends blindly, so a cookie that already carries the flags ends up with them listed twice; harmless, but untidy.
    • HttpOnly; the cookie cannot be read by client-side script (document.cookie), so an XSS payload cannot steal it
    • Secure; the browser only sends the cookie over HTTPS. It does not encrypt the cookie itself; TLS does that for the whole connection
    • SameSite=Strict; the cookie is not sent on requests initiated from other sites. Be aware that Strict also withholds it when a visitor follows a plain link from another site into yours, so they land apparently logged out; SameSite=Lax is the usual choice for a session cookie

    All that said, I am still having issues getting this recognised on a CPanel server. Time to ask the audience!

    Read more on this at https://owasp.org/www-community/HttpOnly.

    X-Content-Type-Options

    Browsers should honour the MIME type, like text/html, that the website declares for each response. The nosniff value blocks content ‘sniffing’, where a browser guesses a different type from the content and could end up executing as script something that was never meant to be.

    Header set X-Content-Type-Options nosniff

    For more details check out Mozilla Developer MDN document for X-Content-Type-Options.

    X-Frame-Options

    The X-Frame-Options header controls whether your pages may be embedded in an iframe on another site. The goal is to prevent what is commonly known as click-jacking, where a foreign website loads your site inside an invisible or disguised iframe so that the visitor's clicks land on your site's buttons without them realising. The CSP frame-ancestors directive is the modern equivalent and takes precedence where both are set.

    Header set X-Frame-Options "SAMEORIGIN"

    Setting “SAMEORIGIN” allows frames only from the same origin and not from any external location (the header name is written without a trailing colon). For more details check out Mozilla Developer MDN document for X-Frame-Options.

    Strict-Transport-Security or HSTS

    This header relates to serving your site over HTTPS with a valid TLS certificate rather than plain http://. Once a browser has seen it, the browser refuses to use plain HTTP for that host for max-age seconds, and the timer restarts every time the header is seen again. In the example 2592000 is 30 days. The preload option requires a max-age of at least one year, 31536000.

    Header always set Strict-Transport-Security "max-age=2592000; includeSubDomains; preload"

    The ‘preload’ token is not part of the HSTS RFC but is recognised by the browser vendors' preload list. There are conditions to using it: a max-age of at least one year, includeSubDomains, submission of the domain at hstspreload.org, and getting a domain removed again later is slow. For more details check out Mozilla Developer MDN document for Strict-Transport-Security. I tend to leave preload out at this time as it entails some obligations that will consume more time.

    Summary

    Adding Apache security headers to a WHM / Cpanel server for all client sites is something that should be done by the server administrator. If you are a CPanel account holder and your site fails the header report you should hit-up your web host for an explanation or find a host that has these things configured already.

    All in one block, (in no particular order) your security headers could look like this:

    # Global Security Headers
    # Header names are written without a trailing colon.
    <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    # One Referrer-Policy only: a later 'set' overrides an earlier 'setifempty' anyway.
    Header set Referrer-Policy "no-referrer"
    # The legacy XSS filter is gone from current browsers and caused its own problems;
    # 0 disables it where it still exists.
    Header set X-XSS-Protection "0"
    Header set X-Permitted-Cross-Domain-Policies "none"
    Header set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
    
    #Header set Content-Security-Policy "default-src *"
    </IfModule>

    Using the above, with the Content-Security-Policy line enabled, the free scanner at https://securityheaders.com will show a nice big A+ and lots of green ticks. Note that it does not check the Set-Cookie line.

    Content-Security-Policy Wildcard

    Content-Security-Policy is a more comprehensive header and supersedes some of the headers described here (frame-ancestors replaces X-Frame-Options, for example). There is lots more work to do with this setting, as it has to be tailored to an individual site rather than applied across a shared hosting server. The setting above actually does nothing other than get a green tick in the report at https://securityheaders.com, and it breaks many WordPress sites. default-src is the fall-back for most of the ‘-src’ directives in CSP, including script-src, and a ‘*’ does match scripts loaded from any host; what ‘*’ never does is permit inline scripts or inline event handlers, which need ‘unsafe-inline’ (or a nonce or hash) in script-src. WordPress themes and plugins rely on inline scripts, so the browser blocks them and logs a CSP violation for each one in the console.

    As a result I have commented that line out for my servers today while I look at this in more detail.

    The joys of new protocols!
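    As an added example (not part of the original post, and not the securityheaders.com scanner), here is a Python audit that applies the checks from this article to a set of response headers: a version-bearing Server header, an HSTS max-age too short for preload, the deprecated X-XSS-Protection, cookies without HttpOnly/Secure/SameSite, and the default-src * trap described above. It also mimics the Header always edit Set-Cookie (.*) rule so you can see what it does to each cookie. The sample response and cookie names are constructed, not captured from any real site; to audit your own server, feed the lines from curl -sI https://your-site/ in as (name, value) pairs.

```python
import re
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]
ONE_YEAR = 31536000

# Constructed sample response, not captured from any real site: roughly what a
# server using the block above returns, plus a second cookie set by a plugin.
SAMPLE_RESPONSE: List[Header] = [
    ("Server", "Apache/2.4.57 (Unix)"),
    ("Strict-Transport-Security", "max-age=2592000; includeSubDomains; preload"),
    ("X-Frame-Options", "sameorigin"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Referrer-Policy", "no-referrer"),
    ("Content-Security-Policy", "default-src *"),
    ("Set-Cookie", "PHPSESSID=d41d8cd9; path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "wp_lang=en; path=/"),
]

# The pattern from:  Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
COOKIE_EDIT = re.compile(r"(.*)")


def apply_cookie_edit(value: str, suffix: str = ";HttpOnly;Secure") -> str:
    """Mimic the mod_headers edit: one regex substitution on the header value.
    It appends blindly, so a cookie that already has the flags gets them twice."""
    return COOKIE_EDIT.sub(lambda m: m.group(1) + suffix, value, count=1)


def harden(headers: List[Header]) -> List[Header]:
    """Apply the Set-Cookie edit to every cookie, as 'Header always edit' does."""
    return [(n, apply_cookie_edit(v) if n.lower() == "set-cookie" else v) for n, v in headers]


def cookie_attrs(value: str) -> Dict[str, str]:
    """Attributes of a Set-Cookie value: lower-cased name -> value."""
    attrs: Dict[str, str] = {}
    for part in value.split(";")[1:]:
        name, _, val = part.strip().partition("=")
        attrs[name.strip().lower()] = val.strip()
    return attrs


def csp_script_sources(csp: str) -> List[str]:
    """Source list governing <script>: script-src, else default-src (the fallback)."""
    directives: Dict[str, List[str]] = {}
    for d in csp.split(";"):
        tokens = d.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get("script-src", directives.get("default-src", []))


def audit(headers: List[Header]) -> List[str]:
    """Return one finding per weakness; an empty list means the set passes."""
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    def first(name: str) -> Optional[str]:
        vals = by_name.get(name.lower())
        return vals[0] if vals else None

    findings: List[str] = []
    server = first("Server")
    if server and re.search(r"\d", server):
        findings.append("Server header leaks a version: set ServerTokens Prod")

    hsts = first("Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        low = hsts.lower()
        if "preload" in low and (age < ONE_YEAR or "includesubdomains" not in low):
            findings.append("HSTS preload needs max-age>=31536000 and includeSubDomains")
        elif age < ONE_YEAR:
            findings.append("HSTS max-age is below one year")

    xfo = first("X-Frame-Options")
    if xfo is None or xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if (first("X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    if first("X-XSS-Protection") not in (None, "0"):
        findings.append("X-XSS-Protection is deprecated: remove it or set 0")

    csp = first("Content-Security-Policy")
    if csp is not None:
        srcs = csp_script_sources(csp)
        # '*' matches any host but never permits inline <script> or onclick= handlers
        if not any(s == "'unsafe-inline'" or s.startswith(("'nonce-", "'sha")) for s in srcs):
            findings.append("CSP blocks inline scripts: '*' never allows them")

    for value in by_name.get("set-cookie", []):
        attrs = cookie_attrs(value)
        cname = value.split("=", 1)[0].strip()
        missing = [f for f in ("httponly", "secure") if f not in attrs]
        if missing:
            findings.append(f"cookie {cname} missing {' and '.join(missing)}")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"cookie {cname} has no SameSite=Lax/Strict")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSE):
        print("before edit:", f)
    for f in audit(harden(SAMPLE_RESPONSE)):
        print("after Set-Cookie edit:", f)
```

    On the constructed sample the audit reports six findings; after the Set-Cookie edit is applied the missing HttpOnly/Secure finding disappears, but the plugin cookie still has no SameSite attribute, which the edit rule in the block above does not add.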


  • PowerDNS Error Not Starting

    This morning's issue of the day was PowerDNS not starting on a cPanel WHM server.

    pdns has failed. Contact your system administrator if the service does not automagically recover.

    AlmaLinux is the Linux platform but that is not expected to be a factor in this.

    I could see errors in both the WHM web interface and at the command line. Slightly different text depending on which method, but the essence was the same. DNS is broken.

    pdns_server[347366]: Error parsing bind configuration: Error in bind configuration '/etc/named.conf' on line xxxx : syntax error

    Checking further in /var/log/messages, filtering for pdns entries:

    #grep -n5 pdns /var/log/messages
    2120518:Mar 29 01:38:49 ns3 pdns_server[87833]: [webserver] Listening for HTTP requests on 127.0.0.1:953
    2120519:Mar 29 01:38:49 ns3 pdns_server[87833]: Creating backend connection for TCP
    2120520:Mar 29 01:38:49 ns3 pdns_server[87833]: Error parsing bind configuration: Error in bind configuration '/etc/named.conf' on line 1274: syntax error

    So the error is at a specific line. Using my preferred Linux editor ‘mcedit’ (the Midnight Commander editor; “yum install mc” will get it for you) I can see that the line is:

    view "external" {

    Which looks fine on its own, so the problem must be in the surrounding syntax and only shows up at that line.

    Using named-checkconf for more detail:

    # named-checkconf named.conf
    named.conf:1274: unknown option 'view'
    named.conf:2485: unexpected token near end of file

    Of course, your line numbers will vary. However, the “unknown option ‘view’” is the one that we need to sort out, as ‘view’ is definitely a valid syntax option in named.conf.

    So why is it broken ?

    The syntax of named.conf requires

    • a semi-colon ‘;’ to terminate each statement
    • braces { } to open and close each block, with the closing brace itself followed by a semi-colon

    In this specific case, for reasons unknown, the view at line 65 was opened correctly:

    view "internal" { 
    • view command is valid
    • “internal” is the view name
    • the opening brace { is correctly placed

    However, when we get to line 1270 and the last ‘zone’ element in the view section, the named.conf file failed to close the view segment with a closing brace and semi-colon, like ‘ }; ’.

      ## end of last zone in the "internal" view section
    }; //  this correctly closes the zone
    
    }; // but this to close the "internal" view section is / was missing
    
    view     "external" {
    

    So the named.conf file was trying to have a second ‘view’ segment opening before the previous one was closed and that is a syntax error for named.conf. You cannot nest or embed ‘views’.
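    named-checkconf only reports the symptom (“unknown option 'view'”), so as an added example, not part of the original post and not a cPanel or BIND tool, here is a small Python checker that walks the block structure of a named.conf and reports the real fault: a view opened while an earlier view is still open, plus any block left unclosed at end of file. The named.conf fragment below is constructed to reproduce the missing ‘};’ described above; line numbers refer to that fragment, not to the server's real file.

```python
from typing import List, Tuple

# Constructed named.conf fragment, not the server's real file, reproducing the
# fault described above: the "internal" view is never closed with "};", so the
# "external" view opens inside it.
BROKEN_CONF = """\
options {
    directory "/var/named";   // comment style one
};
# comment style two
view "internal" {
    match-clients { 10.0.0.0/8; };
    zone "example.com.au" {
        type master;
        file "/var/named/example.com.au.db";
    };
view "external" {
    match-clients { any; };
    zone "example.com.au" {
        type master;
        file "/var/named/example.com.au.ext.db";
    };
};
"""
# Same file with the missing "};" put back after the last internal zone.
FIXED_CONF = BROKEN_CONF.replace('    };\nview "external"', '    };\n};\nview "external"')


def strip_comments(text: str) -> str:
    """Drop //, # and /* */ comments; keep quoted strings and newlines intact."""
    out: List[str] = []
    i, n = 0, len(text)
    while i < n:
        if text[i] == '"':                      # quoted string: copy verbatim
            j = text.find('"', i + 1)
            j = n - 1 if j == -1 else j
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i) or text[i] == "#":
            j = text.find("\n", i)              # keep the newline itself
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            j = n if j == -1 else j + 2
            out.append("\n" * text.count("\n", i, j))
            i = j
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def tokenize(text: str) -> List[Tuple[str, int]]:
    """Split into words and the structural characters { } ; with line numbers."""
    tokens: List[Tuple[str, int]] = []
    word, line = "", 1
    for ch in text:
        if ch in "{};" or ch.isspace():
            if word:
                tokens.append((word, line))
                word = ""
            if ch in "{};":
                tokens.append((ch, line))
            elif ch == "\n":
                line += 1
        else:
            word += ch
    if word:
        tokens.append((word, line))
    return tokens


def check_views(conf: str) -> List[str]:
    """Report a view opened while another view is still open (the missing '};'
    case) and any block left unclosed at end of file."""
    problems: List[str] = []
    stack: List[Tuple[str, int]] = []   # (keyword that opened the block, line)
    keyword = None                      # first word of the current statement
    for tok, line in tokenize(strip_comments(conf)):
        if tok == "{":
            open_view = next((ln for kw, ln in stack if kw == "view"), None)
            if keyword == "view" and open_view is not None:
                problems.append(f"line {line}: 'view' opened inside the view "
                                f"that started on line {open_view}; missing '}};' before it")
            stack.append((keyword or "?", line))
            keyword = None
        elif tok == "}":
            if stack:
                stack.pop()
            else:
                problems.append(f"line {line}: unmatched '}}'")
        elif tok == ";":
            keyword = None
        elif keyword is None:
            keyword = tok
    for kw, ln in stack:
        problems.append(f"unclosed '{kw}' block opened on line {ln}")
    return problems


if __name__ == "__main__":
    for p in check_views(BROKEN_CONF) or ["no structural problems found"]:
        print(p)
```

    Run against the broken fragment it points at the second view and names the line where the first one was opened; run against the repaired fragment it reports nothing, which is the check to make before handing the file back to named-checkconf.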

    Ultimately, deleting named.conf and running the cPanel rebuild script:

    # /usr/local/cpanel/scripts/rebuilddnsconfig

    fixed the problem. Note that you must delete or rename named.conf first. If not, the rebuild script runs and silently leaves the existing named.conf in place, so you end up with the same file, still not working.

    I did review a number of pages gathering ideas for fixing this.

    As a bonus, named-checkconf accepts an alternative filename, so if you save several versions of named.conf you can compare their error output. I used it like this:

    [root@ns3 etc]# named-checkconf named.conf.rebuild-save-thowden
    named.conf.rebuild-save-thowden:1274: unknown option 'view'
    named.conf.rebuild-save-thowden:2485: unexpected token near end of file

    Use named-checkconf -h to see the full list of options.

  • Webmail vs Email Client Security

    There is a big difference between webmail and email client security.

    The underlying issue is that if you have an email account with an email service provider you probably have a webmail interface available even if you do not use it. Even on-premise private servers can provide a webmail service.

    Whereas many, many email users have a desktop or device based email client or software that they use to connect to the email account and they ignore the webmail interface.

    The problem is that if the webmail access is compromised a scammer can do a lot there that will never show up in the desktop email software. Essentially, it is a back door to your email account.

    Do Not Ignore Webmail

    If you are getting weird emails, or missing emails you should be receiving, it may be that your

    Webmail Account has been hacked!

    A big scary headline, but it is more frequent than you might think or hope.

    This article stems from a recent examination of a series of scam / phishing emails that were sent to a WrenMaxwell client.

    The emails appeared to be correct, from the right people, and contained a lot of legitimate information, except that they asked the recipient to update the bank account details for payment.

    Here is some information that applies to all email you receive. While the specifics relate to Bigpond email account holders, it applies equally to any webmail-based service, as the process is very similar on all webmail.

    Some rules to consider are included as well, here is the first one.

    Rule #1. Never accept a request to change the bank account details for your outbound payments unless you have verified it in person or on a call with the business or individual concerned. For good measure, do not use phone numbers provided in the same email; they may have been altered as well.

    Ok, so the background on this is that the client received an email from another client of WrenMaxwell and between them had a phone call to confirm the bank account change. This was very fortunate, as the email had been tampered with.

    I’d note here that if you receive an email asking for you to change to an AMP bank account, it should be an automatic alarm for you. These emails included 2 different AMP bank accounts. I have tried to report them to AMP, but frankly, they are not interested in knowing that their accounts are being used for scamming. But I digress.

    Overview of a Webmail Scam

    Let's get back on track. What's the technical summary?

    1. Bigpond accounts are compromised for webmail access, i.e. the password is identified through a brute-force attack, most likely using a dictionary of passwords. There is history that lends itself to this. Yes, 3 Bigpond accounts were involved in this specific case, and I will assume a lot more are also hacked or at risk of it.
    2. Each account has the feature to create folders to store email. Adding a folder in webmail will not necessarily display the folder in the desktop mail client. This means it is effectively a hidden folder for the scammer to use.
    3. As well, each account has a setting option under Settings->Mail->Organise Inbox for server-based rules. The hacked accounts all had rules added by the scammer to divert any inbound email with the words ‘invoice’ or ‘statement’ from the inbox to the folder created in step 2. The end user of the account is generally oblivious to this activity, as their client software, like Outlook on the desktop, does not see the rules and may not show the folder. So the user does not know.
    4. The scammer reviews the diverted email until they find an invoice or statement from a legitimate sender, like a supplier or someone the user is ordering from. The scammer copies the email in its entirety, loads it up in another hacked account, spoofs the sender name so it looks like the legitimate sender, and changes the content to add ‘Please update our bank account details to BNO Bank xxxxx-1234565’ etc.
    5. If the user is not suspicious, they will add the new bank account details for payment of the expected invoice and send the money. Final step, the scammer drains the illicit account in some way, moving the money so that it cannot be reclaimed. Job done.

    Understanding a Webmail Scam Step by Step

    Ok, so there are a number of steps, but nothing really complex here. Let's look at each of the steps in turn.

    Step 1. Webmail Password Compromise

    Bigpond email is of course part of Telstra, Australia’s largest communications service provider. Love ’em or hate ’em, that’s a fact. The issue is that they have been around for a long-long time and if you look back in time, there are millions of email accounts that have been registered with them.

    How many are still current, I do not know, but I’ll use the highly technical measure of umpteen. Now with all those accounts, there will be many that have very weak passwords. This is a literal gold-mine for scammers. If they can, with various techniques, attack enough accounts, for long enough they will gain access.

    Bigpond webmail settings option

    An added bonus for the scammer is that for many years the Bigpond account passwords were restricted to a maximum of 8 characters and only alpha-numerics, no symbols. This makes for very weak passwords.

    On top of that, many users have done ‘set and forget’ with the account, on the basis that as long as Outlook or their preferred email software, connects then its all good.

    There are also many Bigpond email accounts that exist because an account is included and created for every customer with a Bigpond modem or internet connection. However many of these accounts are never used as the customer has a work or other email service that does not rely on Bigpond. These accounts are the ones that will never be checked and can be used by scammers for years undetected.

    Rule #2. Change your password regularly. Use a passphrase, not just a password, and if your provider offers two-factor authentication turn it on, so that a guessed password on its own is not enough. You will need to update the password in Outlook or on your phone / device after making the change in webmail.

    The use of multiple accounts that have been compromised, helps to hide the source of the compromise. I think it might also help using a Bigpond account to send the scammy email to another Bigpond account as any external email filter is bypassed. Not sure on that one, just guessing.

    Step 2. Are You Missing Emails You Should Receive?

    With the account password compromised, the scammer can now access the account and create a folder or folder-structure to manage incoming emails for their needs.

    They can add a folder in the webmail Folders section. In this instance, the scammer created a ‘Stored Items’ as a folder and ‘Creative’ as a sub-folder, confident that the user would not notice it.

    The Creative folder looks so innocent!

    The goal for the scammer is to redirect emails from the inbox to these obscured folders so that they can review and learn about the emails the user would normally receive. With the account readily accessible they can check-in at any time to see what emails have been received, whats in ‘their’ folder, and what looks good for scam material.

    Rule #3. Regularly review your email folders and subscribe to all IMAP folders so that you can see what is on the server and not just the folders on your device.

    Step 3. Email Rules On the Server

    Server-based rules are only visible when the user logs into the webmail account. They do not appear in desktop or device email software, and the affected emails are processed on the server before the desktop or device software ever sees them.

    Using the “Organise Inbox” option to set up rules that divert the email the scammer is interested in is all too easy. Bigpond calls it “Organise Inbox” while others may refer to “Mail Rules” or similar.

    Bigpond Email Rules Panel
    This is a Bigpond Email Rules Panel with a few un-named rules. Each tick mark is another rule.

    Using a desktop client like Outlook means that webmail is rarely used, so the scammer has it all to themselves. Even if the user does drop by and have a look, the scammer does not name the rules, so they just show as a blank list and may well be ignored.

    Selecting any of the rows with a tick symbol and selecting Edit will show the content of the Inbox Rule. Which will look something like this with no name, but Active ticked. If the Subject line of an incoming email contains the letters ‘Inv’ then the email will be caught and stored in the ‘My Folders -> Stored Items – Creative’ folder.

    You should also check Email Forwarders or Mail Forwarding options as these can be configured to automatically send copies of your legitimate email to a scammer so they can identify other potential attack points.

    Rule #4. Regularly login to your Webmail and review all the settings. Look for folders you did not create and automation rules that could be signs of scamming activity.

    Step 4. Webmail Access by Scammer

    The scammer can then drop by any time to check what incoming emails have been caught and potentially exploit the factual content to create a new email which they send from another hacked account to the user with the request for new bank account details wrapped in content that is otherwise accurate.

    These emails look legitimate because they are based on a legitimate email with all the same information with some minor exceptions:

    • The sender shows as the legitimate sender's name and address, but the email actually comes from another account; the From details are easily spoofed
    • The phone numbers may be changed to redirect your calls to the scammer
    • The links in the email may redirect your web browser to a scamming website which looks correct but is not
    • Requests to change the bank account might be added to the email content

    At this point you could receive a compromised email and could be sending money to the wrong bank account. Refer to Rule #1.

    Step 5. Scamming or Phishing Emails

    Hopefully Step 5 never occurs as you are monitoring what goes on.

    But just some quick pointers on spotting scammy emails. These are general ideas and not specific to the instance above which was all about social engineering with ‘change the bank account’.

    With most systems you can hover over or right-click a link in a web page or email to view the actual address behind the displayed text. If that address differs from the text presented in the email, it is most likely a scam.

    When checking a website link, find the first ‘/’ after the https:// part and read backwards from there to identify the actual server host and domain name. e.g. in https://www.wrenmaxwell.com.au/ the domain for WrenMaxwell is ‘wrenmaxwell.com.au’, while the host or server name is ‘www’. What some scammers will try to do may look like this:

    https://unrelated.website.com/www.wrenmaxwell.com.au/faked-website/address

    Which kind of looks ok, except that everything to the right of the first ‘/’ is just a path on the scammer's server at https://unrelated.website.com/. Two variations to watch for: a brand name placed before an ‘@’ (https://www.wrenmaxwell.com.au@other.example/), where the browser connects to whatever follows the ‘@’, and a lookalike where the real domain is tacked onto the front of another (https://www.wrenmaxwell.com.au.other.example/). Be wary of hotlinks in emails. A link like the one above means either that the owner of https://unrelated.website.com has had their site compromised with a phishing page, or that the domain belongs to the scammer. Stay away.
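    As an added example (not part of the original post), here is the host check above done with Python's standard URL parser, which applies the same “read back from the first ‘/’” rule but also handles the ‘@’ and lookalike-suffix tricks. The expected domain is assumed to be wrenmaxwell.com.au, as in the text; the links ending in phish.example are constructed for the demonstration, and assess_anchor is the right-click comparison of displayed text against the real target.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumption for the example: the domain you expect a link in the email to land on.
EXPECTED_DOMAIN = "wrenmaxwell.com.au"


def real_host(url: str) -> Optional[str]:
    """Host the browser will actually connect to. The parser strips userinfo
    (anything before an '@'), the port, the path and the query for us."""
    return urlsplit(url.strip()).hostname


def same_site(host: Optional[str], domain: str) -> bool:
    """True only if host is the domain itself or a real subdomain of it;
    a lookalike such as www.wrenmaxwell.com.au.phish.example does not qualify."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def assess_link(url: str, domain: str = EXPECTED_DOMAIN) -> str:
    """'ok', 'phishing: ...' when the brand appears but the host is elsewhere,
    or 'off-site: ...' for an unrelated link."""
    host = real_host(url)
    if same_site(host, domain):
        return "ok"
    if domain in url.lower():
        return f"phishing: '{domain}' appears in the link but the host is {host}"
    return f"off-site: host is {host}"


def assess_anchor(display_text: str, href: str, domain: str = EXPECTED_DOMAIN) -> str:
    """The right-click check from the text: the address shown versus the real target."""
    shown = real_host(display_text) if "://" in display_text else None
    verdict = assess_link(href, domain)
    if shown and shown != real_host(href):
        return f"mismatch: text shows {shown}, link goes to {real_host(href)} ({verdict})"
    return verdict


# Constructed links, not taken from any real email. The second is the page's own example.
SAMPLE_LINKS = [
    "https://www.wrenmaxwell.com.au/contact/",
    "https://unrelated.website.com/www.wrenmaxwell.com.au/faked-website/address",
    "https://www.wrenmaxwell.com.au@phish.example/login",      # '@' trick
    "https://www.wrenmaxwell.com.au.phish.example/",           # lookalike suffix
    "https://www.wrenmaxwell.com.au:443/invoices/",            # explicit port, still fine
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{assess_link(link):<70} {link}")
```

    Only the first and last links are accepted; the ‘@’ form is the one that defeats a purely visual “read up to the first slash” check, because the eye stops at the familiar domain and never reaches the real host after the ‘@’.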

    The same applies to attached files. A PDF may look innocent, and a subject line of Overdue Invoice may imply you need to open it to see who and what you owe, but the file can carry malware that gets into your system and wreaks havoc on your data in many different ways.

    How can you tell if the sender's email address is genuine? You need to check the email source or the email headers for valid information. This may require some technical knowledge of your email system and where to look for that information. There are too many options to cover here. If you have concerns and need some help, contact the team at WrenMaxwell.

    Rule #5. One final general rule. Never send both the user name and the password in the same email. Always separate them across different systems: email the user name and SMS/TXT the password, or make an old-fashioned phone call to the recipient and provide the password verbally. At the same time, be sure you are providing access only to someone you know and have trusted for some time.

    Webmail Security Review and Cleaning

    The clean-up and security testing of the client systems took about a day. Tracing the emails within the relevant Bigpond accounts, and reporting them to Bigpond, got a very good, quick and thorough response from Bigpond security, thanks to Scott.

    A key issue is that the account was compromised with minimal visibility for the client; it was only after emails had been intercepted that the issue was identified. Given that the scammer could read ALL the email in the account, the next step is to change the password for every other system referenced in those emails, because emails commonly contain user account and password details that could easily be viewed and copied.

    Webmail Security Checklist

    The primary purpose of this post was to document the check points for monitoring webmail. Having covered a lot of peripheral topics, here are the core items you should check:

    1. If you have an email account, anywhere, then it most likely provides a webmail interface that you can access from any web browser.
    2. Log in to that webmail interface on a regular basis just to check the settings. Put it in your diary; it should only take 5 minutes each time.
    3. Change your email passphrase on a regular basis and do not use simple passwords.
    4. Check all the settings options for anything that you have not specifically created: folders, rules and forwarders in particular.
    5. Remember that settings in the webmail are not directly visible in Outlook or your desktop/device email software.

    I hope this helps someone to avoid an email scam and make their webmail a safer and more secure system.

    If you would like some help with understanding or fixing a security issue with your system feel free to contact WrenMaxwell Support at any time.

  • Creating SPF Records for your Domain

    The creation of a Sender Policy Framework (SPF) Record is something that is managed by the person or team that manages your Domain Name Service.

    The creation of an SPF record is a relatively simple process.

    Generally a domain name is hosted by a service provider like WrenMaxwell and it will be accessed via a control panel or interface that allows for the creation, editing or deletion of domain records.

    An SPF record is simply a text or TXT record within the domain. This is an example of a basic SPF record.

     Domain                 TTL     Record Type   Record
     wrenmaxwell.com.au.    14400   TXT           "v=spf1 +a +mx -all"

    In this example the domain is wrenmaxwell.com.au (note the trailing full stop in the record, which marks the name as fully qualified rather than relative to the zone).

    The TTL or Time To Live is the number of seconds a resolver may cache this record before it should be queried again.

    TXT is the record type

    The record content is enclosed in quote marks ( for cPanel / WHM this is standard. Other interfaces may add the quotes in the background)

    What is in the SPF Record ?

    v=spf1  is the version of SPF that is being used. Currently there is only spf version 1 so spf1 is standard.

    +a says to accept mail from the addresses in the domain’s A records, while +mx says to accept mail from the domain’s MX hosts. The ‘+’ is the default qualifier, so ‘a mx -all’ means exactly the same thing.

    -all says to fail All other servers sending email using this domain name.

    SPF Record Syntax

    After the version instruction the rest of the record consists of mechanisms and qualifiers.

    When an SPF record is queried, the receiving server takes the IP address of the connecting (sending) server and the domain of the envelope sender (the SMTP MAIL FROM address, which appears as Return-Path and is not necessarily the From header the reader sees), fetches that domain’s SPF record and checks the IP address against it. If a mechanism matches the IP address then the qualifier for that mechanism determines what action should be taken for the specific email being processed.

    Mechanisms are always processed from left to right, with each mechanism tested until a match is found. Once a match is found the evaluation stops and that mechanism’s qualifier becomes the result returned to the receiving server; anything written after the matching mechanism is never evaluated.

    SPF Record Qualifiers

    The qualifiers are the symbols:

     Qualifier   Result     Comment
     -           Fail       the sending server is not allowed to send for this domain; the message should be rejected
     +           Pass       the sending server is allowed to send for this domain (‘+’ is assumed when no qualifier is written)
     ~           SoftFail   the sending server is probably not allowed; the message should be accepted but treated as suspect (commonly used while a policy is being tested)
     ?           Neutral    the domain makes no statement about this server; treated the same as having no record

    There are a few other results that can come from evaluating an SPF record, namely None (no record published), TempError (a DNS lookup failed temporarily) and PermError (the record is invalid), but the above cover the main ones.

    SPF Record Mechanisms

    The are a number of mechanisms that are more commonly used and some that are not.

     Mechanism   Explanation (names are case-insensitive, so A and a are the same)
     a           The A (and AAAA) records for the domain are fetched; if the client IP is among them the mechanism matches
     mx          The MX records for the domain are fetched and the address of every listed mail host is tested; a match on any of them matches
     ip4         ip4:<address> or ip4:<network>/<prefix length>, e.g. ip4:203.0.113.0/24; matches if the client IPv4 address is in that range
     ip6         ip6:<address> or ip6:<network>/<prefix length>; the same check for IPv6 addresses
     include     include:some.other.domain evaluates that domain’s SPF record and matches if that evaluation returns Pass
     all         refers to any other server (all other servers) and always matches

    MX stands for Mail eXchanger, meaning a server or host that will manage email for the domain.

    ip4 and ip6 refer to the type of IP address in use. A common error is to see ipv4 or ipv6 where the editor of the SPF record has inadvertently included the ‘v’ for version, a common format in other documentation of IP addresses but invalid in SPF records. A receiving server treats an unknown mechanism name as a PermError for the whole record, so a single ‘ipv4:’ typo effectively switches SPF off for the domain rather than just skipping that one term.

    The include mechanism caters for larger configurations where there may be clustered servers or regular changes to mail server hosts, and where the service provider, like Google Gmail or Microsoft 365, maintains its own SPF record that is linked from the client (your) domain’s SPF record. Note that an SPF evaluation is limited to ten DNS-querying terms in total (a, mx and include count, ip4 and ip6 do not, and the includes of an included record are counted too); exceeding the limit is a PermError, so long chains of includes need to be watched.

    The all mechanism should always be the last entry in an SPF record so that every other mechanism is evaluated before this ‘catch-all’ is checked; any mechanism placed after all is never reached.

    For a full list of all SPF mechanisms and other parameters refer to RFC 7208, which defines SPF, or the openspf.org page on SPF Record Syntax.

    SPF Record Qualifiers and Mechanism Examples

    Using the wrenmaxwell.com.au SPF record as an example.

     Domain                 TTL     Record Type   Record
     wrenmaxwell.com.au.    14400   TXT           "v=spf1 +a +mx -all"

    The version instruction is standard. v=spf1

    The +a says check the A records for the domain “wrenmaxwell.com.au” and, if the IP address of the connecting server matches one of them, ‘+’ accept it. Bear in mind that the A record is usually the web server, so +a is only appropriate if that server really does send the domain’s mail.

    The +mx says check the MX records for the domain “wrenmaxwell.com.au” and, if the IP address of the connecting server matches one of the listed mail hosts, ‘+’ accept it.

    The -all says if the sending server is any other server then “-” fail the server and do not accept the email message as it is not an authorised server.
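
    The following Python is an added example, not code from this post or from any SPF library: a minimal SPF evaluator that applies the left-to-right, first-match rule to the wrenmaxwell.com.au record above and to two invented records (a domain that uses include: to delegate to a hypothetical provider, and one carrying the ‘ipv4:’ typo). DNS answers come from a constructed in-memory table using documentation address ranges, so it runs offline. It handles the a, mx, ip4, ip6, include and all mechanisms, the four qualifiers and the ten-lookup limit, and omits macros, the redirect= and exp= modifiers and CIDR suffixes on a and mx, which a real evaluator such as the Kitterman tool referenced below handles.

```python
import ipaddress

# Constructed DNS answers standing in for real lookups so the example runs
# offline. Addresses come from documentation ranges (RFC 5737 / RFC 3849)
# and every name other than wrenmaxwell.com.au is made up.
DNS = {
    "wrenmaxwell.com.au": {
        "TXT": ["v=spf1 +a +mx -all"],          # the record discussed in the post
        "A": ["203.0.113.10"],
        "MX": ["mail.wrenmaxwell.com.au"],
    },
    "mail.wrenmaxwell.com.au": {"A": ["203.0.113.25"]},
    # a domain delegating to a hypothetical provider with include:
    "example.net": {"TXT": ["v=spf1 include:_spf.provider.example ~all"]},
    "_spf.provider.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"]},
    # the typo the post warns about: "ipv4" is not a mechanism name
    "typo.example": {"TXT": ["v=spf1 ipv4:203.0.113.0/24 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms (a, mx, include, ...) per check


def lookup(name, rtype):
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def host_has_ip(name, ip):
    """True if ip is among the A/AAAA addresses published for name."""
    return any(ipaddress.ip_address(a) == ip for a in lookup(name, "A") + lookup(name, "AAAA"))


def check_spf(client_ip, domain, _lookups=None):
    """Evaluate domain's SPF record for a connection from client_ip.

    Returns pass, fail, softfail, neutral, none or permerror. Terms are
    tested left to right; the first mechanism that matches ends the check
    and its qualifier ('+' when none is written) becomes the result.
    """
    lookups = _lookups if _lookups is not None else [0]
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"            # two SPF records is invalid, not "both apply"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            lookups[0] += 1
            matched = host_has_ip(arg or domain, ip)
        elif name == "mx":
            lookups[0] += 1
            matched = any(host_has_ip(mx, ip) for mx in lookup(arg or domain, "MX"))
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)   # bare address or CIDR block
            except ValueError:
                return "permerror"
            matched = net.version == ip.version and ip in net
        elif name == "include":
            lookups[0] += 1
            sub = check_spf(client_ip, arg, lookups)
            if sub in ("none", "permerror"):
                return "permerror"    # the included domain must publish a valid record
            matched = sub == "pass"   # only a Pass from the included record counts
        else:
            return "permerror"        # unknown term, e.g. "ipv4:" or "ipv6:"
        if lookups[0] > MAX_LOOKUPS:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                  # nothing matched and no "all" term present


if __name__ == "__main__":
    for ip, dom in [("203.0.113.10", "wrenmaxwell.com.au"), ("192.0.2.1", "wrenmaxwell.com.au"),
                    ("2001:db8::1", "example.net"), ("203.0.113.10", "typo.example")]:
        print(dom, ip, check_spf(ip, dom))
```

    Running it shows the three behaviours the text describes: the web and mail host addresses of wrenmaxwell.com.au get Pass from +a and +mx, any other address falls through to -all and gets Fail, and the ‘ipv4:’ record returns PermError before any address is even tested.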

    SPF References:

    Configuring Microsoft Office 365 SPF Records https://technet.microsoft.com/en-au/library/dn789058(v=exchg.150).aspx

    Scott Kitterman’s site at https://www.kitterman.com/spf/validate.html is a very useful set of tools.

    Summary

    Configuring a basic SPF record is not difficult if you are comfortable with managing your own DNS. If your email configuration is more complex than a single server or source of email, then there are many options that may be required to have a fully working SPF configuration. WrenMaxwell has been managing DNS systems for over 20 years and can assist you with your DNS support. Contact us any time for a free consultation.

  • Cancel Prompt for htpasswd htaccess displays website

    Searching for a topic like “Cancel Prompt for htpasswd htaccess displays website” generally gives a lot of results with unrelated information, and this one was not an exception. Plenty of instructions on ‘how to configure’ but relatively few on what to do if it fails.

    The cause of this dilemma was that a cPanel configuration for Directory Privacy was displaying the protected website home page if Cancel was selected 3 or more times when the htaccess password prompt was displayed.

    Directory Privacy, the cPanel interface option for configuring htaccess and htpasswd files for Apache websites, provides a ‘user friendly’ method to add specific user names and passwords to block public viewing of a website via a web browser.

    In this instance my search terms eventually led me to this explanation https://core.trac.wordpress.org/ticket/42120, where the solution is credited to several contributors.

    To keep it simple, if you are experiencing a web page that is meant to be protected by .htaccess / .htpasswd, but it is being displayed if the Cancel option is selected at the password prompt, then check your .htaccess rule.

    1. Edit the .htaccess file in your home folder or website root (assumes that it is the whole site being protected)
    2. Find the line RewriteRule . /index.php [L]
    3. Replace with RewriteRule ./ /index.php [L]

    This worked in my case and as always your mileage may vary.
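
    For reference, here is an added example (not the file cPanel generates, and with placeholder paths) of how the pieces sit together in a single .htaccess: the Basic Authentication block that Directory Privacy writes, the WordPress rewrite block with the narrowed rule from step 3, and an ErrorDocument line that is the fix most commonly recommended for this symptom.

```apache
# Directory Privacy block written by cPanel (account name and paths are placeholders)
AuthType Basic
AuthName "Staging site"
AuthUserFile "/home/ACCOUNT/.htpasswds/public_html/passwd"
Require valid-user

# Use Apache's built-in 401 page instead of serving the error document
# through the rewrite rules below.
ErrorDocument 401 default

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Original catch-all:  RewriteRule . /index.php [L]
# Narrowed rule from step 3 (only URIs containing a "/" reach index.php):
RewriteRule ./ /index.php [L]
</IfModule>
# END WordPress
```

    The background is that Apache answers a cancelled or failed login with a 401 and, if an ErrorDocument 401 pointing at a local URL is configured, serves that page through an internal subrequest; WordPress’s catch-all rewrite can route that subrequest to index.php, which is how the site ends up rendered behind the prompt. ‘ErrorDocument 401 default’ makes Apache use its own error page instead. Note that the narrowed pattern ‘./’ only sends URIs containing a ‘/’ to index.php, so after applying step 3 check that pretty permalinks without a trailing slash still resolve. To verify the protection, request the home page with curl -I and no credentials (expect HTTP 401 and no page content) and again with -u user:pass (expect 200).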

  • Flipbook Digital Publishing

    Reviewing Flipbook Publishing for client sites and brochures highlighted an array of service providers. The list here is not complete but picks up on commonly referenced sites, services and apps.

    Why a Flipbook? At its most basic it is the traditional printed brochure for commerce or business presentation. Historically these glossy, multi-page documents cost big bucks and could easily become dated. How often would you see a self-adhesive sticker providing an updated address or phone number? Editorial changes are impossible once the several thousand brochures are printed and released.

    Flipbook services, HTML, PDF, and the Internet in general, provide options that allow for editorial updates, presentation on different formats, wide distribution with minimal (compared to printed paper) cost. Digital Publishing is a broader term used for these services.

    A quick list of Flipbook Service Providers with basic per month prices:

    1. http://www.zyyne.com/site/en/ – No (obvious) Pricing on the website – appears to start at US$15
    2. https://flippingbook.com/ – AU$49 for a Starter subscription.
    3. https://pubhtml5.com – US$15 per month for the basic “ad-free”.
    4. https://www.yumpu.com/en – Described as Magazine rather than Flipbook, Yumpu starts at US$20 for basic “ad-free”.
    5. https://www.joomag.com/en/ – US$39 Pro (Basic) package
    6. https://www.scribd.com/ – Also mentioned within this category, but for self-publishing, you need to use one of their partners
    7. https://en.calameo.com/ – Starter “ad-free” US$17 package.
    8. https://issuu.com/ – “Ad-free” starting from US$19.
    9. https://www.publitas.com/flipbook-maker/ – Bronze, low-end package US$29.


    Digital publishing, Flipbook making, whatever you want to call it, with various features that support distribution, will cost money. No free lunch here.

    The ‘Free’ versions are all advertising based, which might be ok for an individual on low budget, but for corporate branding a paid up package will be required.

    Update: We use WordPress (a lot!) and after searching for general purpose flipbook tools, I checked for WordPress plugins and found http://3dflipbook.net/ which has both a WordPress version and a Visual Composer version. Worth a try!

  • WordPress Booking Plugins

    We had a need to review WordPress Booking Plugins and we selected WP Booking Calendar.

    In the process we noted the following other plugins and made some quick notes on why they were rejected.

    In Alphabetical order the plugins we briefly tested were:

    Advanced Booking Calendar v1.5.4 https://booking-calendar-plugin.com/

    Appears ok, but needs some setting changes. Formatting / style might be an issue. Pricing and calculations are forced in the basic version and the paid version does not appear to provide any option for no price to be displayed. It also fails to provide booked vs unbooked dates as information to potential clients.

    AweBooking v3.0.7 https://awethemes.com/

    While the features list says it will be great, the actual interface is dreadful. Read the Documentation which only says install just like any other plugin. There is no further information. Create rooms, change settings, save settings, and still cannot create a booking, cannot see any availability calendar, no information on short-codes, etc. Read the reviews and you would not want to waste your time on this plugin.

    Pinpoint Booking System v2.7.8 http://www.dotonpaper.net/

    Requires registration with Pinpoint and perhaps purchase to get key features. It is built to be an automated booking system, which is specifically not wanted. An error when trying to activate the plugin is not a good start. Tried several times and gave up. I think the path is missing a trailing / but I am not about to repair someone else’s code.

    “Warning: session_name(): Cannot change session name when session is active in /home/testsite/public_html/wp-content/plugins/booking-system/framework/includes/class-session.php on line 129

    Warning: ini_set(): Headers already sent. You cannot change the session module’s ini settings at this time in /home/testsite/public_html/wp-content/plugins/booking-system/framework/includes/class-session.php on line 134″

    WooCommerce Accommodation Bookings v1.1.2 https://woocommerce.com/

    Cannot run without Woocommerce Bookings and that is a US$249 premium before you can test it. Did not proceed any further.

    WP Booking System v1.5 http://www.wpbookingsystem.com/

    This is an all-up purchase and an independent plugin, no subscription or connection to an external site. It is a ‘booking system’, a framework to roll-your-own booking solution. It seemed like a lot of work and effort to configure even a simple booking process, and the free version is limited to a single calendar, which makes testing of a dual calendar impossible. Granted we would only want 2 calendars, but layouts and formatting of a dual calendar is required. This plugin might be just the thing but roll-your-own means more time, more cost.

    WP Simple Booking Calendar v1.5.2 http://www.wpsimplebookingcalendar.com/

    This one possibly had more to offer, but I had already narrowed down a few features that I did not see in the list for this one, and I discounted it fairly early in the review.

    WPBooking v1.8.1 https://wpbooking.org/

    Reads like it is simple to use, but it is ‘accommodation’ with so many assumed conditions that it is restricted to suiting multi-room hotel type accommodation. Trying to configure a ‘cottage’ BnB means all fields still need to be filled in for 1 Location, 1 Property, 1 Room Type, 1 Room, 1 Bedroom, etc… Instructions are inaccurate and cursory at best. Finding your way around is trial and error. The Quick Start assumes you are already familiar with this specific application.

    Summary

    There are lots and lots of options (although I read a review that said there were not many options available, yet the ones it reviewed were all for sale at the one marketplace provider, which stinks of a commission sales attempt!).

    It could be that your choice of booking or event calendar needs features that I dismissed.

    The honorable mentions, because I will keep them in mind for future application, are the WP Simple Booking Calendar from http://www.wpsimplebookingcalendar.com/ and WPBooking over at https://wpbooking.org/

    So while your mileage may vary, I would recommend you consider WP Booking Calendar from https://wpbookingcalendar.com/