Start stunnel on Mac OS X Sierra startup

sudo vi /Library/LaunchDaemons/macports.stunnel.plist

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "">

<plist version="1.0">

Create scheduled actions Odoo 9

Scheduled actions can be set by adding this code in your xml file. This exemple will call the function schedule_action from the model hr.employee and send a notification by email if the boolean enable_send_notification is True.

<record id="ir_cron_schedule_action" model="ir.cron">
   <field name="name">Schedule actions</field>
   <field name="user_id" ref="base.user_root" />
   <field name="interval_number">1</field>
   <field name="interval_type">days</field>
   <field name="numbercall">-1</field>
   <field eval="False" name="doall" />
   <field eval="'hr.employee'" name="model" />
   <field eval="'schedule_action'" name="function" />

This model inherits hr.employee and defines 1 additional field, and 2 additional functions. send_notification is sending email based on the the template my_module.email_hr_employee_notification, see this post how to create email template with xml, schedule_action is the function called by the scheduler.

import logging
import openerp.addons.decimal_precision as dp
from datetime import datetime, date, timedelta
from openerp.exceptions import UserError
from openerp import models, fields, api, _

_logger = logging.getLogger(__name__)
class HrEmployee(models.Model):
    _inherit = 'hr.employee'
    enable_send_notification = fields.Boolean(string='Send notification')

    def send_notification(self):
        ir_model_data = self.env['']
        template_obj = self.env.ref('my_module.email_hr_employee_notification')
        template_obj.send_mail(self.ids[0], force_send=True)
        return True
    def schedule_action(self, cr, uid, context=None):
        hr_employee_obj = self.pool.get('hr.employee')
        hr_employee_ids = self.pool.get('hr.employee').search(cr, uid, [])
        for hr_employee_id in hr_employee_ids:
            hr_employee = hr_employee_obj.browse(cr, uid, hr_employee_id , context=context)
            if hr_employee.enable_send_notification:

Whitelist / Blacklist Amavis SpamAssassin Zimbra 8.6


Sometimes SpamAssassin scores email as False Positive spam, to avoid incoming emails to get junked, we can define globally in the config file /opt/zimbra/conf/ domain with a initial score.

#  read_hash("/var/amavis/sender_scores_sitewide"),

   { # a hash-type lookup table (associative array)
     ''                        => -3.0,
     ''              => -3.0,
     ''                    => -3.0,
     ''                  => -3.0,

To whitelist a domain we add domain with a negative score:

#  read_hash("/var/amavis/sender_scores_sitewide"),

   { # a hash-type lookup table (associative array)
     ''                           => -3.0,
     ''                        => -3.0,
     ''              => -3.0,
     ''                    => -3.0,
     ''                  => -3.0,

To blacklist a domain we add domain with positive score:

#  read_hash("/var/amavis/sender_scores_sitewide"),

   { # a hash-type lookup table (associative array)
     ''                            =>  5.0,
     ''                        => -3.0,
     ''              => -3.0,
     ''                    => -3.0,
     ''                  => -3.0,

To apply the modification restart Amavis:

su - zimbra
zmamavisdctl restart

Now from the source of incoming emails we can see when it’s coming from the initial score is -3 and is 5.

X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-10 required=6 tests=[AM.WBL=-3,
	autolearn=no autolearn_force=no

Make OpenVPN stealthy with stunnel on Mac OS and Debian

openvpn stunnel

OpenVPN is more and less banned in some countries, therefore to be able to use it there, we need to make it stealthy by installing a 3rd party software like Tor, SSH Tunnel or Stunnel which hides openVPN traffic from governmental firewall detection. The principle is quite simple, we create a tunnel between our computer and the openVPN server which is encrypted by a certificate, then send our openVPN traffic through this tunnel.

Debian 8 stunnel server installation

First OpenVPN should be configured to use TCP instead of UDP, on this example we open port number 1000 and redirect the traffic to localhost port number 443 which is my openVPN server port. We will start by installing the package, run this command to install sTunnel:

apt-get install stunnel4

Follow the installation wizard and edit /etc/stunnel/stunnel.conf with your favorite editor like bellow:

# Location of the certificate that we created
cert = /etc/stunnel/stunnel.pem
client = no
output = /var/log/stunnel4/stunnel.log
# Name of the connection
accept = 1000
connect =

If after the installation there’s no stunnel.pem file, we can create the certificate by running this following command.

openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
cat key.pem cert.pem >> /etc/stunnel/stunnel.pem

Start sTunnel

service stunnel4 start

check stunnel.log to make sure there’s no error.

Mac OS X stunnel client installation and configuration

First we need to install homebrew, installation guide is on HomeBrew‘s website. After completing homebrew installation run this command:

brew install stunnel

Then edit stunnel.conf file, run this command:

vi /usr/local/etc/stunnel/stunnel.conf
pid = /usr/local/etc/stunnel/
output = /usr/local/etc/stunnel/stunnel.log
client = yes
accept =
connect =

This config file will create a tunnel from localhost on port 1000 to the remote ip on port 1000, change the ip and the port following your current network configuration.

Mac OS X openVPN configuration

I will not describe how to setup the openVPN client, but there’s 2 mandatory modifications to bring to our conf file. Change the remote ip address to localhost with the right port we just set before on sTunnel config file and add those new directives redirect-gateway def1 and route remote_vpn_ip_address net_gateway that will route all internet traffic to the VPN gateway except the one in destination to our remote vpn ip address.

remote localhost 1000
redirect-gateway def1
route remote_vpn_ip_address net_gateway

Save the modification and restart openVPN.

service openvpn restart

Start sTunnel on Mac OS X

Make sure the sTunnel server is up and running before starting stunnel on the client:

sudo stunnel

Now you can use your new openVPN config file to connect stealthy on your openVPN server.

Fail2ban Odoo 9 Authentication


Odoo 9 community doesn’t come with autoban security. Fail2ban is an alternative to secure Odoo authentication. For more information concerning fail2ban click here

Let’s start with creating a new filter:

vi /etc/fail2ban/filter.d/odoo.conf

Paste the content from bellow code:


# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


failregex = INFO:openerp.addons.base.res.res_users:Login failed for db:.* login:.*\n.*INFO:werkzeug: - - \[.*\] \"POST /web/login .*\" 200 -
         - \[.*\] \"POST /web/database/(drop|duplicate|create) HTTP/2.0\"

ignoreregex =
journalmatch = _SYSTEMD_UNIT=odoo.service + _COMM=odoo


maxlines = 2

Add those line in jail.local

enabled = true
port    = 443,80,8069
filter  = odoo
logpath = /var/log/syslog
maxretry = 5
bantime  = -1
findtime = 1h

Change the value of syslog in the /etc/odoo/openerp-server.conf

syslog = True

Restart Odoo then fail2ban to apply modification.