How to auto security updates on CentOS

===========================================================================

How to auto security updates on CentOS

To install yum-cron

# yum install yum-cron -y

To enable auto security updates

# vi /etc/yum/yum-cron.conf
update_cmd = security —> from default
update_messages = yes —> from no
download_updates = yes —> from no
apply_updates = yes —> from no

To setup email after complete patch

# vi /etc/yum/yum-cron.conf
emit_via = email —> from stdio
email_from = root@localhost
email_to = dilli@xyz.com
email_host = xyz.com

To except updation

Some times no required patch updation for kernel, mysql, zimbra like application.

# vi /etc/yum/yum-cron.conf
exclude = mysql* kernel* zimbra*

To check log with daily on /var/log/yum-daily

To start yum-cron

# systemctl start yum-cron
# systemctl enable yum-cron

 

How to install security updates on CentOS using yum

How to install security updates on CentOS using yum.

# install the security plugin
yum -y install yum-plugin-security

# display all security-related updates
yum –security check-update

# list all bugs fixed
yum updateinfo list bugzillas

# summary of advisories
yum updateinfo summary

# upgrade all packages with security info to latest available package
yum –security update

# upgrade all packages with security info to last security update
yum –security update-minimal

# help
man yum-security

 

How to enable SSH Keygen

To generat ssh-kengen on client machine.

[root@client ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory ‘/root/.ssh’.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
bd:8c:08:64:33:1f:30:9d:69:90:0d:09:18:2c:87:c8 root@primay.client.lan
The key’s randomart image is:
+–[ RSA 2048]—-+
|=+..=B o |
|=E. oo* |
|.. =.. |
| o + . . |
| . . S . |
| . . o . |
| . . o |
| |
| |
+—————–+

 

[root@server ~]# rsync -avz root@server:/root/.ssh/id_rsa.pub .
The authenticity of host ‘10.100.100.123 (10.100.100.123)’ can’t be established.
ECDSA key fingerprint is 01:5c:57:8c:29:97:ce:16:45:b5:a3:ea:bc:68:da:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘10.100.100.123’ (ECDSA) to the list of known hosts.
root@10.100.100.123’s password:
receiving incremental file list
id_rsa.pub

sent 30 bytes received 421 bytes 82.00 bytes/sec
total size is 412 speedup is 0.91

[root@server ~]# cd /root/.ssh
[root@server .ssh]# mv id_rsa.pub authorized_keys

[root@client]# ssh root@server.lan
Last login: Mon Mar 6 08:21:10 2017 from 10.100.100.113
[root@server ~]#

 

Increase Amavis’s Log Level on Zimbra 8 or later

Increase Amavis’s Log Level on Zimbra 8 or later

To increase the log level from 1 to 2 for zimbra.log to find out specific which each email has triggered.

Customizing the Amavis Loglevel is supported in ZCS 8.0.5 and later:

[zimbra@mail ]$ zmprov mcf zimbraAmavisLogLevel 2

[zimbra@mail ]$ zmamavisdctl restart

[zimbra@mail ]$ tail -f /var/log/zimbra.log

 

How to add RBLs and RHSBLs on zimbra server

How to add RBLs and RHSBLs on zimbra server

To verify already updated policies in host

[root@mail ]# su zimbra
[zimbra@mail ]$ zmprov gacf | grep zimbraMtaRestriction
zimbraMtaRestriction: reject_invalid_helo_hostname
zimbraMtaRestriction: reject_non_fqdn_sender

Let’s add RBLs using zmprov as following links for zimbra
https://wiki.zimbra.com/wiki/Anti-spam_Strategies

To add RBL server

[zimbra@mail /]$ zmprov mcf +zimbraMtaRestriction “reject_rbl_client zen.spamhaus.org”
[zimbra@mail /]$ zmprov mcf +zimbraMtaRestriction “reject_rbl_client psbl.surriel.com”
[zimbra@mail /]$ zmprov mcf +zimbraMtaRestriction “reject_rbl_client b.barracudacentral.org”

or

[zimbra@mail /]$ zmprov mcf \
zimbraMtaRestriction “reject_rbl_client zen.spamhaus.org” \
zimbraMtaRestriction “reject_rbl_client psbl.surriel.com” \
zimbraMtaRestriction “reject_rbl_client b.barracudacentral.org” \
zimbraMtaRestriction “reject_rbl_client bl.spamcop.net”

To add RHSBLs

[zimbra@mail /]$ zmprov mcf \
zimbraMtaRestriction “reject_rhsbl_client dbl.spamhaus.org” \
zimbraMtaRestriction “reject_rhsbl_client multi.uribl.com” \
zimbraMtaRestriction “reject_rhsbl_client multi.surbl.org” \
zimbraMtaRestriction “reject_rhsbl_client rhsbl.sorbs.net”

To add Sender RHSBLs

[zimbra@mail /]$ zmprov mcf \
zimbraMtaRestriction “reject_rhsbl_sender multi.uribl.com” \
zimbraMtaRestriction “reject_rhsbl_sender multi.surbl.org” \
zimbraMtaRestriction “reject_rhsbl_sender rhsbl.sorbs.net” \
zimbraMtaRestriction “reject_rhsbl_sender dbl.spamhaus.org”

To add Reverse Client RHSBLs

[zimbra@mail /]$ zmprov mcf +zimbraMtaRestriction “reject_rhsbl_reverse_client dbl.spamhaus.org”

or

To add all RBLs

$ zmprov mcf \
zimbraMtaRestriction reject_invalid_helo_hostname \
zimbraMtaRestriction reject_non_fqdn_sender \
zimbraMtaRestriction “reject_rbl_client zen.spamhaus.org” \
zimbraMtaRestriction “reject_rbl_client psbl.surriel.com” \
zimbraMtaRestriction “reject_rbl_client b.barracudacentral.org” \
zimbraMtaRestriction “reject_rbl_client bl.spamcop.net” \
zimbraMtaRestriction “reject_rhsbl_client dbl.spamhaus.org” \
zimbraMtaRestriction “reject_rhsbl_client multi.uribl.com” \
zimbraMtaRestriction “reject_rhsbl_client multi.surbl.org” \
zimbraMtaRestriction “reject_rhsbl_client rhsbl.sorbs.net” \
zimbraMtaRestriction “reject_rhsbl_reverse_client dbl.spamhaus.org” \
zimbraMtaRestriction “reject_rhsbl_sender multi.uribl.com” \
zimbraMtaRestriction “reject_rhsbl_sender multi.surbl.org” \
zimbraMtaRestriction “reject_rhsbl_sender rhsbl.sorbs.net” \
zimbraMtaRestriction “reject_rhsbl_sender dbl.spamhaus.org”

The output look like as follows:

[zimbra@mail /]$ zmprov gacf | grep zimbraMtaRestriction zimbraMtaRestriction: reject_invalid_helo_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client psbl.surriel.com
zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org
zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
zimbraMtaRestriction: reject_rhsbl_client dbl.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_client multi.uribl.com
zimbraMtaRestriction: reject_rhsbl_client multi.surbl.org
zimbraMtaRestriction: reject_rhsbl_client rhsbl.sorbs.net
zimbraMtaRestriction: reject_rhsbl_reverse_client dbl.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_sender multi.uribl.com
zimbraMtaRestriction: reject_rhsbl_sender multi.surbl.org
zimbraMtaRestriction: reject_rhsbl_sender rhsbl.sorbs.net
zimbraMtaRestriction: reject_rhsbl_sender dbl.spamhaus.org

That’s it. 🙂

 

Customizing SpamAssassin on Zimbra 8.5 or later

Customizing SpamAssassin on Zimbra 8.5 or later

1. Using MailStore Archiving with Zimbra:

[root@mail ~]# vi /opt/zimbra/conf/amavisd.conf.in

— amavisd.conf.in.zimbra-dist 2011-06-03 20:22:33.856452812 +0200
+++ amavisd.conf.in 2011-06-03 20:22:45.686544874 +0200
@@ -156,6 +156,10 @@
# $forward_method = ‘smtp:[127.0.0.1]:10025’; # set to undef with milter!
%%uncomment SERVICE:archiving%%$archive_quarantine_method = ‘smtp:[127.0.0.1]:10025’;

+# Enable archiving to fixed e-mail address
+$archive_quarantine_method = ‘smtp:[127.0.0.1]:10025’;
+@archive_quarantine_to_maps = (‘my-archiving-address@example.com’);
+

%%uncomment VAR:zimbraAmavisQuarantineAccount%%$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_BOUNCE;
$final_spam_destiny = D_DISCARD;

This should send every e-mail passed through Zimbra to the address my-archiving-address@example.com. This is the POP3 or IMAP mailbox that MailStore uses to receive all e-mails. Amavis will take care of writing headers that help MailStore identify to which e-mail address the e-mail actually belongs, so that it can be archived in the right MailStore account.

[zimbra@mail root]$ zmamavisdctl restart
Stopping amavisd… done.
Stopping amavisd-mc… done.
Starting amavisd-mc…done.
Starting amavisd…done.

2. Make Zimbra only accept mail for existing accounts:

By default, Zimbra accepts e-mails for addresses which are not valid and later sends a bounce mail. Unfortunately this can cause SPAM back-scatter and thus should be avoided (also see my blog article).

In Zimbra 8 it is very simple to change this behavior:

[zimbra@mail root]$ zmprov mcf +zimbraMtaRestriction reject_unverified_recipient

Effect on Hosts Listed in zimbraMtaMyNetworks

The change described above will have no effect on hosts listed in zimbraMtaMyNetworks. Therefore, if you have mail-server acting as a front-end to the Zimbra server, you should not list it in zimbraMtaMyNetworks. zimbraMtaMyNetworks should only contain the Zimbra server itself (and the loopback address).

However, for OpenDKIM and SpamAssassin, you also want to trust your other mail servers. You can get this effect by editing the configuration files and adding the appropriate IP addresses there:

[zimbra@mail root]$ vi /opt/zimbra/conf/opendkim-localnets.conf.in (Zimbra 8 only):

%%zimbraMtaMyNetworksPerLine%%
192.168.1.1/32
[2001:db8::1]/128

[zimbra@mail root]$ vi /opt/zimbra/conf/salocal.cf.in

%%uncomment VAR:zimbraMtaMyNetworks%%trusted_networks %%zimbraMtaMyNetworks%% 192.168.1.1/32 [2001:db8::1]/128

In recent Zimbra versions (ZCS 8.5 and newer) it might be more elegant to add your own trusted_networks line to

[zimbra@mail root]$ /opt/zimbra/data/spamassassin/localrules/sauser.cf

trusted_networks 127.0.0.1/8 [::1]/128 192.168.1.1/32

[zimbra@mail root]$ zmamavisdctl restart && zmmtactl restart
Stopping amavisd…done.
Stopping amavisd-mc… done.
Starting amavisd-mc…done.
Starting amavisd…done.
Rewriting configuration files…done.
Stopping saslauthd…done.
Starting saslauthd…done.
/postfix-script: refreshing the Postfix mail system
[zimbra@mail root]$ zmamavisdctl status && zmmtactl status
amavisd is running.
amavisd-mc is running.
[zimbra@mail root]$

3. Strict-Transport-Security Header

It makes sense to add the Strict-Transport-Security header so that the web interface is never used through an unencrypted connection. I got the idea here). I use these settings with Zimbra 8.

Typically, the add_header option needs to be added to two files:

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template

The option is added in the following form and add it right after the ssl_verify_depth option:

[zimbra@mail root]$ vi /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template

add_header Strict-Transport-Security max-age=15768000;

Since Zimbra 8.7 there is a simpler option for adding this header:

[zimbra@mail root]$ zmprov mcf +zimbraResponseHeader “Strict-Transport-Security: max-age=15768000”

If you enable the Nginx proxy for the first time, do not forget to (re-)enable the redirect mode (unless you are using the pure https mode):

zmprov ms server.lan zimbraReverseProxyMailMode redirect

You also might have to configure the protocol and hostname used for generating URLs (otherwise, some generated URLs might use the http scheme):

zmprov md mail.server.lan zimbraPublicServiceHostname server.lan
zmprov md server.lan zimbraPublicServiceProtocol https

4. Adjusting DH key size (Diffie-Hellman key exchange)

By default, Nginx only uses 1024 bit keys when using the TLS_DH_* ciphers (Diffie-Hellman key exchange). This is not considered enough any longer. In order to increase this size, the Diffie-Hellman parameters need to be configured explicitly. I am using the following settings with Zimbra 8.6.

First, the DH parameters need to be generated with OpenSSL:

[zimbra@mail conf]$ openssl dhparam -outform PEM -out /opt/zimbra/conf/dhparam2048.pem 2048

Next, the ssl_dhparam option has to be added to the relevant sections of the Nginx configuration. I added it to the following configuration files, right before the ssl_ecdh_curve option:

/opt/zimbra/conf/nginx/templates/nginx.conf.mail.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.sso.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.sso.template

The configuration line should look like this:

ssl_dhparam /opt/zimbra/conf/dhparam2048.pem;

Starting with Zimbra 8.7, Zimbra uses 2048 bit DH params by default and this manual intervention is not necessary any longer.

5. Enabling SpamAssassin rule updates

Since Zimbra 8, it might be necessary to explicitly enable SpamAssassin rule updates. You can do this through zmlocalconfig:

To check current status of antispam

[zimbra@mail conf]$ zmlocalconfig antispam_enable_rule_updates
antispam_enable_rule_updates = false
[zimbra@mail conf]$ zmlocalconfig antispam_enable_restarts
antispam_enable_restarts = false
[zimbra@mail conf]$ zmlocalconfig antispam_enable_rule_compilation
antispam_enable_rule_compilation = false

[zimbra@mail conf]$ zmlocalconfig -e antispam_enable_rule_updates=true
[zimbra@mail conf]$ zmlocalconfig -e antispam_enable_restarts=true
[zimbra@mail conf]$ zmlocalconfig -e antispam_enable_rule_compilation=true

[zimbra@mail conf]$ zmamavisdctl restart && zmmtactl restart

To check for updates:

[zimbra@mail conf]$ zmlocalconfig antispam_enable_rule_updates
antispam_enable_rule_updates = true
[zimbra@mail conf]$ zmlocalconfig antispam_enable_restarts
antispam_enable_restarts = true
[zimbra@mail conf]$ zmlocalconfig antispam_enable_rule_compilation
antispam_enable_rule_compilation = true

The last line is only necessary if you want to compile rules (this should improve the scan performance).

6. Customizing Postfix:

customizing postfix is a mix of zmlocalconfig and zmprov settings on ZCS 8.5 and later version.

To reject unknown client name

[zimbra@mail ]$ zmprov ms mail.lqs.co.in +zimbraMtaRestriction reject_unknown_reverse_client_hostname

 

How To Configure Outgoing SMTP Authentication on Zimbra 8.7

How To Configure Outgoing SMTP Authentication on Zimbra 8.7

When we need to route all outgoing mail through your ISP’s MTA, and that MTA requires that you authenticate, certain settings in postfix are required.

Required outgoing SMTP mailrelay

SMTP Relay : relayserver.server.lan
Username : relayacc@server.lan
Password : Relay@Sev
Port : 25 / 587 / 465

Let’s create a relay access file for zimbra authentication to outgoing SMTP, and create a file relay_access as follows:

# vi /opt/zimbra/conf/relay_access

relayserver.server.lan relayacc@server.lan:Relay@Sev # add this line

save and exit

Now postmap relay_access

# postmap /opt/zimbra/conf/relay_access

To enable outgoing mail for zimbra

# zmprov ms `email.server.lan` zimbraMtaSmtpSaslPasswordMaps lmdb:/opt/zimbra/conf/relay_access
# zmprov ms `email.server.lan` zimbraMtaSmtpSaslAuthEnable yes
# zmprov ms `email.server.lan` zimbraMtaSmtpCnameOverridesServername no
# zmprov ms `email.server.lan` zimbraMtaSmtpTlsSecurityLevel may
# zmprov ms `email.server.lan` zimbraMtaSmtpSaslSecurityOptions noanonymous

# zmprov ms `email.server.lan` zimbraMtaRelayHost relayserver.server.lan:587 -> The port may change it

No need reload postfix, it will automatically update within 2 minutes, change the necessary action for mx to DNS.

Note : If mails are not being delivered while checked mail.log. We need to confirm our SMTP ports like 465 or 587 because of some ISP’s not enable TLS properly. So on time change the port will as above formet mention.

That’s it 🙂

 

 

Setting up a free (real) “commercial” SSL certificateZimbra

First, create a Certificate Request (CSR) in Zimbra

/opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject ‘/C=io/ST=Tamilnadu/L=Chennai/O=LQS/OU=IT/CN=mail.server.lan’ -subjectAltNames ‘mail.server.lan,email.lqs.com’

Next thing you do is register at startcom if you do not have an account yet. You’ll get an S/MIME certificate by Startcom for free which you need to login to their control panel. Your browser will generate the secret certificate and store it in its internal storage.

Then at startcom, you use the validation wizard to validate your domain. This will send a mail to postmaster/hostmaster/webmaster@host.example.com (you can choose which one) with host.example.com being your domain. So you need access to one of these mailboxes to prove that you own the domain.

Then use the certificate wizard at Startcom to create a new certificate. Skip the certificate creation step! Instead, past the CSR created by Zimbra ( /opt/zimbra/ssl/zimbra/commercial/commercial.csr ) into the webform. (Better always create private certificates yourself, never use certificate generators by somebody else, not even the CA.)

Once the certificate is created by Startcom (usually takes some minutes), install it as described in the zimbra wiki:

Store the new (public) certificate you get from Startcom somewhere (e.g. /root/commercial.crt )
Download the root CA certificate

wget -O /root/ca.pem https://www.startssl.com/certs/ca.pem
Download the intermediary certificate from startcom

# If your certificate is class 1:
wget -O /root/ca_intermediary.crt https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
# If your certificate is class 2:
wget -O /root/ca_intermediary.crt https://www.startssl.com/certs/class2/sha2/pem/sub.class2.server.sha2.ca.pem
Combine them:

cat /root/ca_intermediary.crt /root/ca.crt > /root/ca_chain.crt
Verify your certificate:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /root/commercial.crt /root/ca_chain.crt
Deploy your certificate:

/opt/zimbra/bin/zmcertmgr deploycrt comm /root/commercial.crt /root/ca_chain.crt
Check:

/opt/zimbra/bin/zmcertmgr viewdeployedcrt
Restart Zimbra

su – zimbra
zmcontrol stop
zmcontrol start

 

How to filter Banned cotents or Notification to users on Zimbra

How to filter Banned cotents or Notification to users

I’m got little bit solution and it’s works fine.

As follows:

# vi /opt/zimbra/conf/amavisd.conf.in

– modified row:  $final_banned_destiny

It was “D_BOUNCE” and now it’s changed “D_DISCARD”

– zmamavisdctl restart

References : https://blog.bravi.org/?p=683

 

How to install SSL certificate on Apache for CentOS 7

How to install SSL certificate on Apache for CentOS 7

To installl SSL

[root@web]# yum install mod_ssl openssl

Installed:
mod_ssl.x86_64 1:2.4.6-45.el7.centos.4

Updated:
openssl.x86_64 1:1.0.1e-60.el7_3.1

Dependency Updated:
openssl-libs.x86_64 1:1.0.1e-60.el7_3.1

Complete!

[root@web]# mkdir /etc/httpd/ssl -p

To generate a private key ca.key

[root@web conf.d]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
…………………………………………….+++
………………………………………………………………………………………………………………………………….+++
e is 65537 (0x10001)
[root@web ssl]# ls
ca.key

To generate the certificate signing request cs.csr

[root@web ssl]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [XX]:io
State or Province Name (full name) []:Tamilnadu
Locality Name (eg, city) [Default City]:Chennai
Organization Name (eg, company) [Default Company Ltd]:LQS
Organizational Unit Name (eg, section) []:RIM
Common Name (eg, your name or your server’s hostname) []:web.server.lan
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:root@123
An optional company name []:
[root@web ssl]# ls
ca.csr ca.key

Finally, generate a self-signed certificate ca.crt

[root@web ssl]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=io/ST=Tamilnadu/L=Chennai/O=Fourth Dimenstion/OU=RIM/CN=web.server.lan
Getting Private key

[root@web ssl]# ls
ca.crt ca.csr ca.key

[root@web ssl]# cp ca.crt /etc/pki/tls/certs/
[root@web ssl]# cp ca.crt /etc/pki/tls/certs/
[root@web ssl]# cp ca.key /etc/pki/tls/private/
[root@web ssl]# cp ca.csr /etc/pki/tls/private/
[root@web ssl]#

To editing the SSL config file:

[root@web ssl]# vi /etc/httpd/conf.d/ssl.conf

Uncomment the DocumentRoot and ServerName like as follows:

DocumentRoot “/var/www/html”
ServerName 10.100.100.123:443
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

[root@web ssl]# systemctl restart httpd

For Virtual Apache Hosting as follow:

[root@web ssl]# /etc/httpd/conf.d/ssl.conf

add buttom of the file.

</VirtualHost>

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

ServerName http://www.dilli.com
ServerAlias dilli.com
DocumentRoot /var/www/html/www.dilli.com
ErrorLog /var/www/html/www.dilli.com/error.log
CustomLog /var/www/html/www.dilli.com/access.log combined

</VirtualHost>

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

ServerName http://www.sk.com
ServerAlias sk.com
DocumentRoot /var/www/html/www.sk.com
ErrorLog /var/www/html/www.sk.com/error.log
CustomLog /var/www/html/www.sk.com/access.log combined

</VirtualHost>

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

ServerName http://www.srini.com
ServerAlias srini.com
DocumentRoot /var/www/html/www.srini.com
ErrorLog /var/www/html/www.srini.com/error.log
CustomLog /var/www/html/www.srini.com/access.log combined

</VirtualHost>