Using Amazon’s SES With Postfix As A Smarthost Forwarder (Mail Relay)

One of the challenges of running web servers “in the cloud” is that they can have somewhat random IP addresses assigned to them. This can be an advantage if you’re a spammer intent on renting an IP address for a few hours to blast a few thousand emails from. As a result, many of the IP addresses associated with Amazon’s EC2 instances are already flagged as spam generators, even though the actual spam generator has moved on. So how can we send legitimate email from our web server if its address has been flagged around the world as a spammer? The answer is to use Amazon’s Simple Email Service (SES) to send the actual mail. Below I’ll show you how to configure Postfix (a popular MTA on Linux servers) to relay through Amazon’s SES.

I’ve cribbed much of this document from other sources on the Internet. I’ll post some useful links at the bottom that were used as sources.

I’ll assume you’re using Ubuntu as a server, since that’s what I use. If not, you should be able to find the required packages in your distribution of choice.

We’ll need the following packages. If installing postfix prompts for a type of server, choose “Internet with Smarthost” and set the smarthost to localhost.

apt-get install postfix
apt-get install libsasl2-2
apt-get install libsasl2-modules
apt-get install ca-certificates

Next we’ll want to configure Postfix. Edit your /etc/postfix/main.cf file and set the following options (note the smtp_ prefix on the TLS setting: it governs the client side, i.e. mail Postfix sends to SES, whereas smtpd_use_tls only affects mail Postfix receives, and SES on port 587 requires STARTTLS before it will accept authentication):

smtp_use_tls = yes
relayhost = email-smtp.us-east-1.amazonaws.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/postfix/cacert.pem

For the next step, you’ll need the SMTP username and password that Amazon provides when you configure a new SMTP sending account. Create the sasl_passwd file in /etc/postfix with the following format; the first field is the lookup key and must match the relayhost value exactly:

email-smtp.us-east-1.amazonaws.com:587 AKIAI2BEJ7D7WJNUI5KA:AmA/OOL9/M6mLG1wiR5Tf/LK2YVgf1+XlJpMd/YOQvWv

Set its permissions to 0400 (chmod 0400 /etc/postfix/sasl_passwd) so only root can read the credentials, then run the following command to create the lookup database for Postfix:

postmap /etc/postfix/sasl_passwd

Next we’ll create the CA certificate file Postfix uses to verify the SES endpoint. Just run this command:

cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | sudo tee -a /etc/postfix/cacert.pem
Now you should be able to restart postfix and send email. Note that your From: address on any outgoing mail still needs to be verified by Amazon before it can be used, and you’ll still be subject to all the same TOS agreements that you would when using their other interfaces.

I hope you’ve found this useful.

By the way, since Amazon SES now supports STARTTLS, we did not have to use stunnel in this guide.

https://forums.aws.amazon.com/ann.jspa?annID=1387

And now to test your setup, do the following:

apt-get install mailutils

Your machine should now have the ability to send email from the command line. Test it:
echo "test" | mail joe@hotmail.com
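The steps above as one script, added here as an example rather than code from the original post. It renders the main.cf settings, writes the SASL credential map with root-only permissions, and checks the map before postmap runs (a key that does not match relayhost, or a world-readable file, are the two mistakes that make this setup fail silently or leak the SMTP password). SES_HOST, SES_PORT and the function names are this example's own; the SMTP username and password are passed in by the caller, never stored in the script.

```shell
#!/bin/sh
# Added example (not from the original post): assemble and verify the Postfix
# relay pieces described in the guide. SES_HOST/SES_PORT default to the endpoint
# used above; SMTP credentials come from the caller.
set -u

SES_HOST="${SES_HOST:-email-smtp.us-east-1.amazonaws.com}"
SES_PORT="${SES_PORT:-587}"

# Print the main.cf settings from the guide as "key = value" lines.
# smtp_ (client side) is what matters for mail relayed *to* SES.
main_cf_settings() {
    cat <<EOF
relayhost = $SES_HOST:$SES_PORT
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/postfix/cacert.pem
EOF
}

# Apply those settings with postconf -e (only meaningful on a host with Postfix).
apply_main_cf() {
    main_cf_settings | while IFS= read -r line; do
        postconf -e "$line"
    done
}

# Write the SASL credential map: "<relayhost> <username>:<password>".
# The lookup key must match relayhost byte for byte, so reuse the same variables.
# $1 = output file, $2 = SMTP username, $3 = SMTP password
write_sasl_passwd() {
    umask 077                       # file is created root-only from the start
    printf '%s:%s %s:%s\n' "$SES_HOST" "$SES_PORT" "$2" "$3" > "$1"
    chmod 0400 "$1"
}

# Sanity-check the credential file before running postmap: present, private,
# exactly one entry, and its key equals the relayhost. Prints "ok" or a reason.
check_sasl_passwd() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        400|600) ;;
        *) echo "insecure mode $mode (want 0400)"; return 1 ;;
    esac
    [ "$(wc -l < "$f")" -eq 1 ] || { echo "expected exactly one entry"; return 1; }
    key=$(cut -d' ' -f1 "$f")
    [ "$key" = "$SES_HOST:$SES_PORT" ] || { echo "key $key does not match relayhost"; return 1; }
    echo ok
}

# Full sequence from the guide; run as root on the mail host.
# $1 = SMTP username, $2 = SMTP password
setup_ses_relay() {
    apply_main_cf
    write_sasl_passwd /etc/postfix/sasl_passwd "$1" "$2"
    check_sasl_passwd /etc/postfix/sasl_passwd || return 1
    postmap /etc/postfix/sasl_passwd
    cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem >> /etc/postfix/cacert.pem
    service postfix restart
}
```

Source the file and call setup_ses_relay with the SES SMTP credentials; check_sasl_passwd can also be run on its own against an existing /etc/postfix/sasl_passwd when relaying stops working after someone edits main.cf.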

That’s All Folks!

How to secure an Ubuntu 12.04 server

Harden the security on an Ubuntu 12.04 LTS server by installing and configuring the following:

  1. Install and configure Firewall - ufw
  2. Secure shared memory - fstab
  3. SSH - Disable root login and change port
  4. Protect su by limiting access only to admin group
  5. Harden network with sysctl settings
  6. Disable Open DNS Recursion – Bind9 DNS
  7. Prevent IP Spoofing
  8. Harden PHP for security
  9. Install and configure Apache application firewall - ModSecurity
  10. Protect from DDOS (Denial of Service) attacks with ModEvasive
  11. Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban
  12. Intrusion Detection - PSAD
  13. Check for RootKits - RKHunter and CHKRootKit
  14. Scan open Ports - Nmap
  15. Analyse system LOG files - LogWatch
  16. SELinux - Apparmor
  17. Audit your system security - Tiger

If you are looking for a GUI script to install and configure all the steps explained here automatically,
visit How to secure an Ubuntu 12.04 LTS server – Part 2 The GUI Installer script

Requirements:

  • Ubuntu 12.04 LTS server with a standard LAMP stack installed.

1. Firewall - UFW

  • A good place to start is to install a Firewall.
  • UFW – Uncomplicated Firewall is a basic firewall that works very well and is easy to configure with its firewall configuration tool, gufw; alternatively use Shorewall, fwbuilder, or Firestarter.
  • Use the Firestarter GUI to configure your firewall, or refer to the Ubuntu Server Guide, the UFW manual pages or the Ubuntu UFW community documentation.
  • Install UFW and enable it; open a terminal window and enter :
sudo apt-get install ufw
sudo ufw enable
  • Check the status of the firewall.
sudo ufw status verbose
  • Allow SSH and Http services.
sudo ufw allow ssh
sudo ufw allow http

2. Secure shared memory.

  • /dev/shm can be used in an attack against a running service, such as httpd. Modify /etc/fstab to make it more secure.
  • Open a Terminal Window and enter the following :
sudo vi /etc/fstab
  • Add the following line and save. You will need to reboot for this setting to take effect :
tmpfs     /dev/shm     tmpfs     defaults,noexec,nosuid     0     0

3. SSH Hardening – disable root login and change port.

  • The easiest way to secure SSH is to disable root login and change the SSH port to something other than the standard port 22.
  • Before disabling the root login, create a new SSH user and make sure the user belongs to the admin group (see step 4 below regarding the admin group), otherwise you can lock yourself out.
  • If you change the SSH port, also open the new port on the firewall and close port 22.
  • Open a Terminal Window and enter :
sudo vi /etc/ssh/sshd_config
  • Change the following and save.
Port <ENTER YOUR PORT>
Protocol 2
PermitRootLogin no
  • Restart SSH server, open a Terminal Window and enter :
sudo /etc/init.d/ssh restart

4. Protect su by limiting access only to admin group.

  • To limit the use of su to admin users only, we need to create an admin group, add users to it, and restrict su to that group.
  • Add an admin group to the system and add your own admin username to the group, replacing <YOUR ADMIN USERNAME> below with your admin username.
  • Open a terminal window and enter:
sudo groupadd admin
sudo usermod -a -G admin <YOUR ADMIN USERNAME>
sudo dpkg-statoverride --update --add root admin 4750 /bin/su

5. Harden network with sysctl settings.

  • The /etc/sysctl.conf file contains the persistent sysctl settings.
  • To prevent source routing of incoming packets and log martian (impossible source address) packets, enter the following in a terminal window:
sudo vi /etc/sysctl.conf
  • Edit the /etc/sysctl.conf file and un-comment or add the following lines :
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
  • To reload sysctl with the latest changes, enter:
sudo sysctl -p
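Loading the file with sysctl -p only reports syntax errors; it does not tell you whether a value stuck, was reverted at the next boot, or was overridden by a later file under /etc/sysctl.d. The check below is an added example, not part of the original guide: it reads the key = value lines from a sysctl.conf-style file and compares each against what the running kernel exposes under /proc/sys. PROC_SYS_ROOT is a knob invented for this example so the logic can be exercised against a constructed tree; on a real host leave it unset.

```shell
#!/bin/sh
# Added example (not from the original guide): report drift between a sysctl
# conf file and the live kernel values. PROC_SYS_ROOT is this example's own
# knob; it defaults to the real /proc/sys.
PROC_SYS_ROOT="${PROC_SYS_ROOT:-/proc/sys}"

# Read the live value of one key (dots become path separators under /proc/sys).
# Fails when the kernel has no such knob, e.g. ipv6 keys on an IPv6-less kernel.
live_value() {
    path="$PROC_SYS_ROOT/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] && cat "$path"
}

# Walk "key = value" lines (comments and blanks skipped) and print one line per
# key: "OK key", "DRIFT key expected=X live=Y", or "MISSING key".
audit_sysctl() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        want=$(printf '%s' "$want" | tr -d '[:space:]')
        live=$(live_value "$key") || { echo "MISSING $key"; continue; }
        if [ "$live" = "$want" ]; then
            echo "OK $key"
        else
            echo "DRIFT $key expected=$want live=$live"
        fi
    done
}

# Number of keys that are not OK; 0 means the file matches the running kernel.
drift_count() {
    audit_sysctl "$1" | grep -vc '^OK ' || true
}
```

Run audit_sysctl /etc/sysctl.conf after a reboot, or from cron, and treat a non-zero drift_count as something to investigate: a DRIFT on rp_filter or tcp_syncookies usually means another file or a service reset the value after sysctl.conf was applied.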

6. Disable Open DNS Recursion - BIND DNS Server.

  • Open a Terminal and enter the following :
sudo vi /etc/bind/named.conf.options
  • Add the following to the Options section :
recursion no;
  • Restart BIND DNS server. Open a Terminal and enter the following :
sudo /etc/init.d/bind9 restart

7. Prevent IP Spoofing.

  • Open a Terminal and enter the following :
sudo vi /etc/host.conf
  • Add or edit the following lines :
order bind,hosts
nospoof on

8. Harden PHP for security.

  • Edit the php.ini file :
sudo vi /etc/php5/apache2/php.ini
  • Add or edit the following lines :
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
magic_quotes_gpc = On

9. Web Application Firewall - ModSecurity.

10. Protect from DDOS (Denial of Service) attacks - ModEvasive

11. Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban.

  • DenyHosts is a python program that automatically blocks SSH attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.
  • Open a Terminal and enter the following :
sudo apt-get install denyhosts
  • After installation, edit the configuration file /etc/denyhosts.conf and change the email and other settings as required.
  • To edit the admin email settings open a terminal window and enter:
sudo vi /etc/denyhosts.conf
  • Change the following values as required on your server :
ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
SMTP_FROM = DenyHosts nobody@localhost
#SYSLOG_REPORT=YES
  • Fail2ban is more advanced than DenyHosts as it extends log monitoring to other services including SSH, Apache, Courier, FTP, and more.
  • Fail2ban scans log files and bans IPs that show malicious signs: too many password failures, probing for exploits, and so on.
  • Fail2Ban is generally used to update firewall rules to reject the IP addresses for a specified amount of time, although any other arbitrary action can also be configured.
  • Out of the box Fail2Ban comes with filters for various services (apache, courier, ftp, ssh, etc).
  • Open a Terminal and enter the following :
sudo apt-get install fail2ban
  • After installation, edit the configuration file /etc/fail2ban/jail.local and create the filter rules as required.
  • To edit the settings, open a terminal window and enter the following (the packaged defaults live in jail.conf; jail.local overrides them and is not overwritten on package upgrades, so copy the sections you change there):
sudo vi /etc/fail2ban/jail.conf
  • Activate all the services you would like fail2ban to monitor by changing enabled = false to enabled = true.
  • For example, if you would like to enable the SSH monitoring and banning jail, find the block below and change enabled from false to true. That’s it.
[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
  • If you selected a non-standard SSH port in step 3, change the port setting in the jail from ssh (port 22 by default) to your new port number; for example, if you chose 1234, set port = 1234:
[ssh]

enabled  = true
port     = <ENTER YOUR SSH PORT NUMBER HERE>
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
  • If you would like to receive emails from Fail2Ban if hosts are banned change the following line to your email address.
destemail = root@localhost
  • and change the following line from :
action = %(action_)s
  • to:
action = %(action_mwl)s
  • You can also create rule filters for the various services you would like fail2ban to monitor that are not supplied by default.
sudo vi /etc/fail2ban/jail.local
  • Good instructions on how to configure fail2ban and create the various filters can be found on HowtoForge.
  • When done with the configuration of Fail2Ban restart the service with :
sudo /etc/init.d/fail2ban restart
  • You can also check the status with:
sudo fail2ban-client status
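To see what the sshd jail with maxretry = 3 actually decides, here is the core of it written out as an added example (not part of the original guide or of fail2ban): count failed password attempts per source address in auth.log-style lines and report those at or above the threshold. The log lines are constructed for this example and use RFC 5737 documentation addresses; the function names are this example's own. The last function only prints the ufw rule it would add, so the result can be reviewed before anything is blocked.

```shell
#!/bin/sh
# Added example (not from the original guide): the sshd filter + maxretry logic
# in awk, run over constructed auth.log lines.

# Write a few constructed /var/log/auth.log-style lines to the given path.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Jun 10 12:00:01 web1 sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40212 ssh2
Jun 10 12:00:03 web1 sshd[2103]: Failed password for root from 192.0.2.10 port 40213 ssh2
Jun 10 12:00:05 web1 sshd[2105]: Failed password for root from 192.0.2.10 port 40214 ssh2
Jun 10 12:00:07 web1 sshd[2107]: Accepted publickey for deploy from 198.51.100.7 port 50122 ssh2
Jun 10 12:00:09 web1 sshd[2109]: Failed password for deploy from 198.51.100.7 port 50123 ssh2
Jun 10 12:00:11 web1 sshd[2111]: Invalid user oracle from 203.0.113.5
Jun 10 12:00:12 web1 sshd[2111]: Failed password for invalid user oracle from 203.0.113.5 port 6001 ssh2
EOF
}

# Count failed password attempts per source address and print "ip count" for
# those at or above the threshold, sorted by address.
# $1 = log file, $2 = maxretry
offending_hosts() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' "$1" | sort
}

# Render the firewall rule that would be applied for each offender (ufw from
# step 1 of this guide); printed, not executed, so it can be reviewed first.
ban_rules() {
    offending_hosts "$1" "$2" | while read -r ip _count; do
        echo "ufw insert 1 deny from $ip to any"
    done
}
```

Against the sample above with maxretry 3 only 192.0.2.10 crosses the line; the single failure from 198.51.100.7 (a user who mistyped once after a successful key login) does not, which is the reason to keep maxretry above 1.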

12. Intrusion Detection - PSAD.

  • Cipherdyne PSAD is a collection of three lightweight system daemons that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.
  • Currently version 2.1 causes errors during install on Ubuntu 12.04, but apparently does work. Version 2.2 resolves these issues but is not yet available in the Ubuntu software repositories. It is recommended to manually compile and install version 2.2 from the source files available on the Cipherdyne website.
  • To install the latest version from the source files, follow these instructions: How to install PSAD Intrusion Detection on Ubuntu 12.04 LTS server
  • Or install the older version from the Ubuntu software repositories; open a Terminal and enter the following :
sudo apt-get install psad

13. Check for rootkits - RKHunter and CHKRootKit.

  • Both RKHunter and CHKRootkit basically do the same thing – check your system for rootkits. No harm in using both.
  • Open a Terminal and enter the following :
sudo apt-get install rkhunter chkrootkit
  • To run chkrootkit open a terminal window and enter :
sudo chkrootkit
  • To update and run RKHunter, open a Terminal and enter the following :
sudo rkhunter --update
sudo rkhunter --propupd
sudo rkhunter --check

14. Scan open ports - Nmap.

  • Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing.
  • Open a Terminal and enter the following :
sudo apt-get install nmap
  • Scan your system for open ports with :
nmap -v -sT localhost
  • SYN scanning with the following :
sudo nmap -v -sS localhost

15. Analyse system LOG files - LogWatch.

  • Logwatch is a customizable log analysis system. Logwatch parses through your system’s logs and creates a report analyzing areas that you specify. Logwatch is easy to use and will work right out of the package on most systems.
  • Open a Terminal and enter the following :
sudo apt-get install logwatch libdate-manip-perl
  • To view logwatch output use less :
sudo logwatch | less
  • To email a logwatch report for the past 7 days to an email address, enter the following and replace mail@domain.com with the required email:
sudo logwatch --mailto mail@domain.com --output mail --format html --range 'between -7 days and today'

16. SELinux - Apparmor.

  • National Security Agency (NSA) has taken Linux to the next level with the introduction of Security-Enhanced Linux (SELinux). SELinux takes the existing GNU/Linux operating system and extends it with kernel and user-space modifications to make it bullet-proof.
  • More information can be found here: Ubuntu Server Guide – Apparmor
  • AppArmor is installed by default since Ubuntu 7.04.
  • Open a Terminal and enter the following :
sudo apt-get install apparmor apparmor-profiles
  • Check to see if things are running :
sudo apparmor_status

17. Audit your system security - Tiger.

  • Tiger is a security tool that can be used both as a security audit tool and as an intrusion detection system.
  • Open a Terminal and enter the following :
sudo apt-get install tiger
  • To run tiger enter :
sudo tiger
  • All Tiger output can be found in /var/log/tiger.
  • To view the tiger security reports, open a Terminal and enter the following :
sudo less /var/log/tiger/security.report.*

How to install latest icinga & icinga-web on Ubuntu Server 12.04 & How to monitor remote hosts

Installing the necessary software

Let’s start by installing dbconfig-common. This package is used during the installation of the remaining software to ask the user questions about database access.

apt-get install dbconfig-common 

Now add the Icinga PPA so that the Icinga and Icinga-Idoutils packages can be installed; this should pull in a whole lot of dependencies as well.

apt-get install python-software-properties
add-apt-repository ppa:formorer/icinga
apt-get update

Installing icinga

apt-get install icinga icinga-idoutils mysql-server libdbd-mysql mysql-client 

During the installation you’ll need to provide parameters for Postfix (choose the default “Internet Site”) and the password of your MySQL root user. Be sure to provide valid answers because the information will be written to several files and changing them afterwards is annoying.

Now the first part is done and you should already be able to access your Icinga installation at http://yourhostname.com/icinga with the username ‘icingaadmin’ and the password you entered during installation.

Configuring idoutils and ido2db

To enable ido2db, edit /etc/default/icinga and set IDO2DB to ‘yes’ .

**BUG: if you are installing icinga 1.7.1 or later you need to create a module file manually:

cd /etc/icinga/modules
nano idoutils.cfg

Now paste the following lines .

define module{
    module_name idomod
    module_type neb
    path        /usr/lib/icinga/idomod.so
    args        config_file=/etc/icinga/idomod.cfg
}

To be on the safe side, also do:

ln -s /usr/lib/icinga/idomod.so /usr/sbin/ 

UPDATED

nano /etc/default/icinga 

Edit IDO2DB=no to yes

IDO2DB=yes 

And Run

/etc/init.d/ido2db start
/etc/init.d/icinga restart

Then look in /var/log/syslog to confirm both started cleanly.

Configuring Icinga to send email

Edit

nano /etc/icinga/objects/contacts_icinga.cfg

Change

root@localhost to your-email-address 

Icinga-Web

add-apt-repository ppa:formorer/icinga-web
apt-get update
apt-get install icinga-web

http://yourhostname.com/icinga-web

Done

Monitoring Remote Host From Your Server

The only things you need to install on the remote server are nrpe and nagios-plugins.

In this example my remote host is a FreeBSD server which I want to monitor remotely.

pkg_add -r nagios-plugins nrpe 

In the “/etc/rc.conf” file, add a line to enable the nrpe2 daemon.

nrpe2_enable="YES" 

Configuration

In the “/usr/local/etc” directory, copy the “nrpe.cfg-sample” file to a file named “nrpe.cfg”. Use the “chmod u+w nrpe.cfg” command to add write permission for the root user.

Open the file in a text editor and look for the “allowed_hosts=127.0.0.1” line; add the address of your Icinga server to it, since NRPE refuses connections from any other host:

allowed_hosts=127.0.0.1,icinga-server-ip 

Start the NRPE daemon.

/usr/local/etc/rc.d/nrpe2 start 

Now back to Icinga Server

cd /etc/icinga/objects 

Edit

nano localhost_icinga.cfg

define host{
    use       generic-host    ; Name of host template to use
    host_name localhost
    alias     localhost
    address   127.0.0.1
}

Add another host under it for the FreeBSD server:

define host{
    use       generic-host    ; Name of host template to use
    host_name FreeBSD
    alias     FreeBSD
    address   ip-address-of-FreeBSD-server
}

Now, in every service definition, list the hosts it applies to separated by “,”, e.g. localhost,FreeBSD:

host_name localhost,FreeBSD ; two hostnames here; more, depending on the hosts you define

Example For One Service

define service{
    use                 generic-service ; Name of service template to use
    host_name           localhost,FreeBSD
    service_description Disk Space
    check_command       check_all_disks!20%!10%
}

Now edit hostgroups_icinga.cfg for monitoring HTTP & SSH:

nano hostgroups_icinga.cfg

define hostgroup {
    hostgroup_name http-servers
    alias          HTTP servers
    members        localhost,FreeBSD
}

# A list of your ssh-accessible servers
define hostgroup {
    hostgroup_name ssh-servers
    alias          SSH servers
    members        localhost,FreeBSD
}

Now restart icinga:

/etc/init.d/icinga restart 

Now go to http://yourhostname.com/icinga OR http://yourhostname.com/icinga-web and monitor your remote host from Ubuntu.

Help

http://www.meier.ws/2012/02/icinga-1-6-as-a-monitoring-solution-on-ubuntu-12-04-part-1-installation/

http://beginlinux.com/server/nagios/installing-nrpe-on-freebsd-90

https://wiki.icinga.org/display/howtos/Setting+up+Icinga+with+IDOUtils+on+Ubuntu

Update

BUG*** icinga is not sending emails.

Edit your /etc/hosts file; it should look like this (one entry per line):

127.0.0.1 localhost xxxx-host-xxx
xxx.xx.xx localhost xxxx-host-xxx FreeBSD

Postfix Flush the Mail Queue

To see the queue

# postqueue -p

Under Postfix MTA, just enter the following command to flush the mail queue:
# postfix flush
OR (the postqueue equivalent; the postfix command itself has no -f option)
# postqueue -f

To see mail queue, enter:
# mailq

To remove all mail from the queue, enter:
# postsuper -d ALL

To remove all mails in the deferred queue, enter:
# postsuper -d ALL deferred
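Before deleting the deferred queue wholesale it is worth knowing why the mail deferred: a few hundred messages stuck on the same connection timeout to the relay is a different problem from a handful of 5xx rejections. The helper below is an added example, not from the original post; it summarises a saved postqueue -p listing by deferral reason. The listing is constructed for this example (queue IDs, hosts and addresses are made up) and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): group a "postqueue -p" listing
# by deferral reason. Sample listing below is constructed.

write_sample_queue() {
    cat > "$1" <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     1834 Mon Jun 10 12:00:01  www-data@web1.example.com
                                         alice@example.net

F6A7B8C9D0      2210 Mon Jun 10 11:58:44  www-data@web1.example.com
(connect to email-smtp.us-east-1.amazonaws.com[192.0.2.20]:587: Connection timed out)
                                         bob@example.org

0E1F2A3B4C      1990 Mon Jun 10 11:40:12  www-data@web1.example.com
(connect to email-smtp.us-east-1.amazonaws.com[192.0.2.20]:587: Connection timed out)
                                         carol@example.org

5D6E7F8A9B      3021 Mon Jun 10 11:35:09  www-data@web1.example.com
(host mx.example.net[192.0.2.30] said: 554 5.7.1 Message rejected (in reply to end of DATA command))
                                         dave@example.net

-- 9 Kbytes in 4 Requests.
EOF
}

# Print "count reason" for each distinct deferral reason, most common first.
# A queue entry with no "(...)" line (active "*" or held "!" message) is
# reported as "no-reason-line".
# $1 = file holding the output of postqueue -p
queue_reasons() {
    awk '
        /^[0-9A-Za-z]+[*!]? / { id = $1; reason[id] = "no-reason-line"; next }
        /^\(/                 { reason[id] = $0 }
        END { for (id in reason) print reason[id] }
    ' "$1" | sort | uniq -c | sort -rn
}

# Number of messages in the listing, taken from the trailer line.
queue_size() {
    sed -n 's/^-- .* in \([0-9]*\) Requests\.$/\1/p' "$1"
}
```

Usage on a live host: postqueue -p > /tmp/q.txt; queue_reasons /tmp/q.txt. If the top reason is a connection timeout to the relay, fix connectivity and run postqueue -f; postsuper -d ALL deferred is only the right answer when the messages themselves are unwanted.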

Creating key pairs for Amazon EC2

Recently I had to show my friends how to do this, I figured why not document it somewhere.

There are two key pairs that you need: one pair for making API calls (and using the command line tools, which make API calls under the covers), and another pair to log into your EC2 machines with SSH. The following works on Linux and Mac clients “out of the box”; Windows users will need to download the appropriate software.

Now, Amazon provides facilities for generating key pairs, why not use those? The first rule of public-key cryptography is that nobody but you ever sees your private key. In fact, that’s not just a rule, that’s the whole point: the best way to keep a secret is never to share it. If you use Amazon’s facilities to generate your private keys, you’re violating this rule. Yes, malicious Amazon employees could force the use of key pairs that they have generated themselves, but that should at least be traceable. In the end, when you use Amazon’s infrastructure, you are putting a certain level of trust in Amazon, but a basic tenet of security is that having security at multiple levels is A Good Thing.

Ok, with the reasons to do it yourself covered, this is how you do it:

Generating AWS Signing Certificates

 openssl req -x509 -newkey rsa:2048 -passout pass:a -keyout kx -out cert
 openssl rsa -passin pass:a -in kx -out key

The first command produces the key pair and a self-signed certificate; just hit return to accept the defaults at all the certificate request prompts (real information is not required or useful). The second command removes the password “a” from the private key file, which is generally required for automation purposes (make sure that the file and your machines are appropriately secured). The kx file can be deleted.

To use the key pair, upload the cert file as a signing certificate to Amazon and specify the location of the cert and key files in the appropriate environment variables (EC2_CERT and EC2_PRIVATE_KEY) or directly on the command line.

Generating EC2 key pairs

 ssh-keygen -b 2048 -t rsa -f aws-key

This will generate two files, aws-key and aws-key.pub containing the private and public keys respectively. Import aws-key.pub as a “key pair” (it’s only the public key, not really a pair) into AWS. When you launch a Linux instance with this key, this public key is made available to the instance, where it will typically appear in an authorized_keys file for remote access via ssh. If you don’t set the key as your default ssh key on your client, you can use the -i option of ssh to specify the location.
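The two procedures above as functions, added here as an example and not code from the original post. It departs from the text in one way, stated plainly: the signing key is generated with -nodes so no password is ever set on it, which replaces the passout/rsa two-step, and -subj answers the certificate prompts. The checks are the part worth keeping: confirm the private key really is unencrypted and really belongs to the certificate before the cert is uploaded and EC2_CERT/EC2_PRIVATE_KEY are pointed at the files. Function names are this example's own; openssl and ssh-keygen are assumed to be on the client.

```shell
#!/bin/sh
# Added example (not from the original post): generate both AWS key pairs
# locally and verify them before upload.

# Signing certificate plus unencrypted private key for API calls.
# $1 = cert path, $2 = key path
gen_signing_cert() {
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=aws-signing" \
        -keyout "$2" -out "$1" 2>/dev/null
    chmod 0600 "$2"                 # the private key never leaves this machine
}

# "match" when the certificate carries the public half of the private key.
# $1 = cert path, $2 = key path
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ] && echo match || echo mismatch
}

# "unencrypted" when the key loads without a passphrase, which the command line
# tools need; "encrypted" otherwise.
key_is_unencrypted() {
    openssl pkey -in "$1" -noout -passin pass: 2>/dev/null && echo unencrypted || echo encrypted
}

# SSH key pair for instance login; only $1.pub is imported into AWS as a "key pair".
gen_ssh_keypair() {
    ssh-keygen -q -b 2048 -t rsa -N '' -f "$1"
    ssh-keygen -l -f "$1.pub"      # fingerprint to compare with what the console shows
}
```

After gen_signing_cert cert key, upload cert as the signing certificate and keep key at mode 0600; the fingerprint printed by gen_ssh_keypair is what AWS displays for the imported public key, so a mismatch there means the wrong file was uploaded.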

Some quick notes on running a startup…

  1. Running a startup is like having a kid. You need to give them freedom & trust them & then pretend to not be disappointed in how they turn out.
  2. You need a deep unwavering belief that you can make this work. And sometimes there has to be a way around the fact that no one wants what you’re making. Maybe because you’re not pitching it correctly or because you haven’t found the market that does want your product.
  3. Entrepreneurship? It’s a lifestyle, not a profession. It’s a disorder. It’s being crazy. In a good way of course.
  4. ♛ = VC
    ♜ = CEO
    ♞ = Management
    ♟= Employees

Using s3cmd To Manage Files on Amazon S3

Recently I moved a lot of files between 2 different accounts on Amazon Simple Storage Service, or S3, which I know is great and easy to use, and I’ve used it with some wrappers, but never directly until now. I used s3cmd from s3tools, a collection of python scripts that made this really really easy. Even better, I’m an Ubuntu user so s3cmd is already packaged for me and I simply installed it with:

sudo aptitude install s3cmd

Once installed, I found s3cmd --help was surprisingly helpful. To start with you need to set up an access key on AWS (Amazon Web Services) using your amazon user credentials, then supply this to s3cmd by using s3cmd --configure and following the prompts.
Working with Buckets

S3 storage works on “buckets” which seem to be like root directories for virtual hosts. These must have unique names across the whole of S3 (meaning the bucket names are global for all S3) so some organisation-specific prefixing may be needed here, but the command looks something like:

s3cmd mb <bucket>

The bucket name starts with s3:// to denote that it is accessed on S3.

Files

To put files onto S3 there are two commands. For one file, you use s3cmd put which takes the source and target and copies the file accordingly. For more files, s3cmd has a really handy sync command which will accept a directory as the source argument and a bucket or path as the target, and literally sync the two. I found this very helpful as I had 687,000+ files to move!

To see what is in a bucket use s3cmd ls and the name of the bucket. This lists all the files, and you can use the s3cmd info command if you want to know more about an individual file such as its size, modified date or permissions. I found it really easy to see what was in the bucket.

Permissions

Since I’m only using S3 as a replacement for an uploads directory, all the files are publicly accessible. Amazon does provide a comprehensive ACL scheme but I didn’t use it so I won’t write about it this time. To make everything public, I simply did this:

s3cmd setacl --acl-public --recursive s3://[bucket]

File URLs

Once the files are there and public, they are web accessible by replacing their s3://[bucket]/[filename] address with http://[bucket].s3.amazonaws.com/[filename]

You can find a full list of commands here:

http://s3tools.org/s3cmd

Ubuntu Date & Time update via NTP

Command Line ntpdate

Ubuntu comes with ntpdate as standard, and will run it once at boot time to set your time according to Ubuntu’s NTP server. However, a system’s clock is likely to drift considerably between reboots if the time between reboots is long. In that case it makes sense to correct the time occasionally. The easiest way to do this is to get cron to run it every day. With your favorite editor, create (needs sudo) a file /etc/cron.daily/ntpdate containing:
 #!/bin/sh
 ntpdate ntp.ubuntu.com
Make sure that you make this new file executable:
sudo chmod 755 /etc/cron.daily/ntpdate


Source: https://help.ubuntu.com/community/UbuntuTime

Facebook Changed Everyone’s Email to @Facebook.com! Here’s how to fix yours back

Facebook just removed everyone’s email address from their profile and replaced it with an @facebook.com email address without asking you. Here’s how to easily fix the problem.

Facebook launched its own email service back in 2010, which was promptly forgotten by everyone. This morning, Forbes noticed that they removed everyone’s email addresses from their profiles, replacing them with an @facebook.com email address instead (not Facebook’s internal email address which they use for notifications and password resets, just the one listed on your profile). Luckily, it’s easy to get your old email address back on your profile:

  1. Click “About” on your profile and scroll down to your email address. Click “Edit” to change them.
  2. Click on the circle next to your Facebook email address and change its setting to “Hidden From Timeline”.
  3. Click on the circle next to your other email addresses and change their settings to “Shown On Timeline”.
  4. Click the Save button at the bottom of the Edit popup (Don’t forget this step).

Note: I think this may have only happened for Timeline users.