
Friday, September 07, 2007

Vsftpd and iptables

On one of our servers we were running the vsftpd service. iptables was set up to allow ports 21 and 20 (data). Still, after the user logged in, the connection died as soon as the client tried to enter passive mode: the passive data connection is opened on an ephemeral port that static rules for 21 and 20 do not cover, which is exactly what the ip_conntrack_ftp helper takes care of.

The entry

/sbin/modprobe ip_conntrack_ftp

was already in /etc/rc.local, yet the module was still not loaded, because the iptables init script unloads all of its modules automatically every time it restarts.

Change the following line (in /etc/sysconfig/iptables-config on CentOS/RHEL) so that the modules stay loaded when the service restarts:

IPTABLES_MODULES_UNLOAD="no" # keeps all loaded modules persistent

Restart the service and check whether the conntrack modules are loaded:

# service iptables restart

# lsmod|grep ip_conntrack
ip_conntrack_ftp 76273 0
ip_conntrack 45573 1 ip_conntrack_ftp


Worked like a charm. Now I could log in to the FTP service and enter passive mode.

Sunday, August 05, 2007

EMC SAN and GFS

Currently I am working on configuring GFS with 3 servers sharing the same LUN from an EMC SAN. I will be posting the configuration steps shortly.

Saturday, May 19, 2007

Configuring pop3-secure (SSL) - Dual MTA Contd...

Continuing my previous post, the procedure below shows the steps to configure POP3 with SSL.

cd /service/
svc -d qmail-pop3d/
cd /var/qmail/supervise/
mkdir qmail-pop3d-secure
mkdir qmail-pop3d-secure/log


vi qmail-pop3d-secure/run

#!/bin/sh
exec /usr/local/bin/softlimit -m 20000000 \
    /usr/local/bin/tcpserver -H -R -v -l 0 -c100 0 995 \
    /usr/sbin/stunnel /var/qmail/control/pop3s.conf 2>&1

# cd /var/qmail/control

# vi pop3s.conf

cert = /var/qmail/control/servercert.pem
exec = /var/qmail/bin/qmail-popup
execargs = qmail-popup example.net /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir

# mkdir -p /var/log/qmail/qmail-pop3d-secure
# chown -R qmaill.root /var/log/qmail/qmail-pop3d-secure
# cd /var/qmail/supervise
# cp qmail-pop3d/log/run qmail-pop3d-secure/log/
# chmod 755 qmail-pop3d-secure/run

Friday, May 11, 2007

Dual MTA Qmail - Contd...

OS: CentOS 4.4 (64-bit)

For the inside queue (the one that scans and delivers mail) I followed the instructions from qmailrocks. Disk space, the pre-installation checklist and other instructions are covered there.

Note: I installed vpopmail without MySQL since the number of domains I manage is small. If you are going to have more than 10 domains, consider using vpopmail with a MySQL backend. Remember to replace all example.net entries with your own domain. For hostnames, enter the FQDN of your server.

After installing qmailrocks, make sure that mail to and from your domain works. The qmail installation from qmailrocks listens on port 25; alter it to listen on port 2000.

The last few lines of '/var/qmail/supervise/qmail-smtpd/run' should look like this:

# tail -4 /var/qmail/supervise/qmail-smtpd/run


/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 127.0.0.1 2000 \
/var/qmail/bin/qmail-smtpd your.hostname.here \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1


With the above setting, the QMR installation serves as a separate queue that scans any mail that comes to it. Now we have everything set up to install our other queue.

Note: I used /var/qmail-inside as my qmail directory (for all incoming mail). You can choose any other directory you want. Also, for this queue I patched qmail with jms1's combined patch set 6cd.

Below are the steps:


cd /usr/local/src
wget ftp://ftp.jp.qmail.org/qmail/qmail-1.03.tar.gz
wget http://qmail.jms1.net/patches/qmail-1.03-jms1.6cd.patch
wget http://untroubled.org/qmail-qfilter/qmail-qfilter-2.1.tar.gz
wget http://qmail.jms1.net/scripts/service-qmail-send-run
wget http://qmail.jms1.net/scripts/service-qmail-smtpd-run
tar zxfv qmail-1.03.tar.gz
mv qmail-1.03 qmail-inside
cd qmail-inside/


Edit conf-qmail and change the directory entry from /var/qmail to /var/qmail-inside.

echo 211 > conf-split
echo 255 > conf-spawn
patch < /usr/local/src/qmail-1.03-jms1.6cd.patch
make setup check


Next we have to create the necessary control files for qmail. Copying all the control files from /var/qmail/control will do, but we have to remove some unwanted files too. The virtualdomains file holds the names of the virtual domains created with vpopmail; keeping it would make this queue deliver mail directly to the vpopmail user instead of passing it on to our other queue.


cd /var/qmail-inside/control/
cp /var/qmail/control/* /var/qmail-inside/control/
rm -f virtualdomains.lock locals.lock rcpthosts.lock clientcert.pem
rm -f virtualdomains


It is better to symlink some files directly from /var/qmail so that we don't have to change the file in both places each time a new virtual domain is added.


cd /var/qmail-inside/control
rm -f rcpthosts
ln -s /var/qmail/control/rcpthosts
rm -f plusdomain
ln -s /var/qmail/control/plusdomain


Now we are going to create the necessary aliases and the cdb file.

cd /var/qmail-inside/alias
echo "postmaster" > .qmail-root
echo "postmaster@example.net" > .qmail-postmaster
echo "postmaster" > .qmail-mailer-daemon
cp .qmail-root .qmail-abuse
echo "127.0.0.1:allow,RELAYCLIENT=\"\"" > /etc/tcp.smtp.inside
tcprules /etc/tcp.smtp.inside.cdb /etc/tcp.smtp.inside.tmp < /etc/tcp.smtp.inside


The next step is to create all the supervise and log directories:

mkdir -p /var/qmail-inside/supervise/qmail-inside-send/log
mkdir -p /var/qmail-inside/supervise/qmail-smtpd-25/log
mkdir -p /var/qmail-inside/supervise/qmail-smtpd-465/log
chmod +t /var/qmail-inside/supervise/qmail-inside-send
chmod +t /var/qmail-inside/supervise/qmail-smtpd-25
chmod +t /var/qmail-inside/supervise/qmail-smtpd-465
mkdir -p /var/log/qmail-inside/qmail-inside-send
mkdir -p /var/log/qmail-inside/qmail-smtpd-25
mkdir -p /var/log/qmail-inside/qmail-smtpd-465
chown -R qmaill /var/log/qmail-inside/
chown vpopmail.qmail servercert.pem


Create the log run files for the services:

vi /var/qmail-inside/supervise/qmail-smtpd-25/log/run

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s2500000 /var/log/qmail-inside/qmail-smtpd-25

vi /var/qmail-inside/supervise/qmail-inside-send/log/run

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail-inside/qmail-inside-send


Now we copy the run scripts into the supervise directories:

cd /var/qmail-inside/supervise
cp /usr/local/src/service-qmail-smtpd-run qmail-smtpd-25/
cp /usr/local/src/service-qmail-smtpd-run qmail-smtpd-465/
cp /usr/local/src/service-qmail-send-run qmail-inside-send/
cp qmail-smtpd-25/log/run qmail-smtpd-465/log/


vi qmail-smtpd-465/log/run

and change the log directory from qmail-smtpd-25 to qmail-smtpd-465. Then:

chmod 755 qmail-smtpd-465/log/run qmail-smtpd-25/log/run qmail-inside-send/log/run
cd /var/qmail-inside/supervise/qmail-inside-send/
mv service-qmail-send-run run

Edit the file (vi run) and change

VQ=/var/qmail

to

VQ=/var/qmail-inside

then save the file.


chmod 755 run
cd ../qmail-smtpd-25/
mv service-qmail-smtpd-run run
vi run


Change the following:

VQ="/var/qmail-inside"
SMTP_CDB="/etc/tcp.smtp.inside.cdb"
GREETDELAY=30
IP=0

Uncomment RBLSMTPD_PROG and RBL_BAD, save the file and make it executable:
# chmod 755 run


We have to install sslserver to enable secured SMTP connections (I configured it to listen on port 465).

Installing sslserver

cd /usr/local/src/
wget http://www.superscript.com/ucspi-ssl/ucspi-ssl-0.70.tar.gz
cd /package/
tar zxfv /usr/local/src/ucspi-ssl-0.70.tar.gz
cd host/superscript.com/net/ucspi-ssl-0.70
package/compile
package/rts # output should be empty
package/install
cd /var/qmail-inside/supervise/qmail-smtpd-465/
mv service-qmail-smtpd-run run
vi run


Change the following:

VQ="/var/qmail-inside"
SMTP_CDB="/etc/tcp.smtp.cdb"
QUSER=vpopmail
IP=0
PORT=465
SSL=1
AUTH=1
REQUIRE_AUTH=1

Save the file.

chmod 755 run
cd /var/qmail-inside/control/
echo ":127.0.0.1:2000" > smtproutes
cd /service/
ln -s /var/qmail-inside/supervise/qmail-smtpd-25/
ln -s /var/qmail-inside/supervise/qmail-inside-send/
ln -s /var/qmail-inside/supervise/qmail-smtpd-465/

ps -ef|grep qmail-inside

will show that the processes have started and are running. Check the corresponding service logs and make sure that they don't throw errors.

If you followed the above steps word for word, the log files for the above services will be at /var/log/qmail-inside/qmail-smtpd-25/current and /var/log/qmail-inside/qmail-smtpd-465/current.

Errors and fixes:
When configuring your mail client to send mail you get an auth failure: you have to use userid@example.net as the username. Also make sure that SSL is enabled and the port is set to 465.
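As an added check (not part of the original post), the function below audits a tcprules source file such as /etc/tcp.smtp.inside and reports every rule that hands RELAYCLIENT to a client range other than loopback. In the setup above only 127.0.0.1 should ever get RELAYCLIENT from a rules file; any wider grant lets those addresses relay through that qmail-smtpd instance without authenticating. The rules file in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a tcprules source file
# (what tcprules compiles into /etc/tcp.smtp.inside.cdb or /etc/tcp.smtp.cdb)
# and reports every rule that hands RELAYCLIENT to a client range other than
# loopback: such a rule lets those addresses relay through that qmail-smtpd
# instance without authenticating. Prefixes 127.0.0.1 and 127. count as
# loopback; an empty prefix (":allow,RELAYCLIENT=...") matches every client.
set -eu

# Print each offending rule; return 0 if none were found, 1 otherwise.
audit_relay_rules() {
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac      # blank lines and comments
        prefix=${line%%:*}
        rest=${line#*:}
        case "$rest" in allow*) ;; *) continue ;; esac   # deny rules carry no env
        case "$rest" in *RELAYCLIENT*) ;; *) continue ;; esac
        case "$prefix" in
            127.0.0.1|127.) ;;                           # loopback, as in the post
            *) printf '%s\n' "$line"; found=1 ;;
        esac
    done < "$1"
    return "$found"
}

# Demo on a constructed rules file: one loopback grant (fine) and one LAN-wide
# grant that would turn the listener into a relay for 192.168.1.0/24.
demo=$(mktemp)
printf '%s\n' '127.0.0.1:allow,RELAYCLIENT=""' \
              '192.168.1.:allow,RELAYCLIENT=""' ':allow' > "$demo"
audit_relay_rules "$demo" || echo "relay grants beyond loopback found (see above)"
rm -f "$demo"
```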

Tuesday, May 08, 2007

Dual MTA with Qmail

Recently I installed two qmails on a single server to handle mail for inner and outer domains. I will be posting a step-by-step tutorial on it in the coming days.

Why dual MTA?

Basically I wanted two different queues to handle mail in different ways.
Queue 1) Receives incoming mail and passes it on to queue 2.
Queue 2) Receives mail only from queue 1, runs the virus scan and SpamAssassin, and delivers mail to local or remote mailboxes (outgoing).

While I could have achieved the same functionality with a single queue, I doubted it would suit my needs in the future. Say the server can handle 250 mails and the queue is already full; then we may see delays in receiving mail from remote machines and/or may lose some mail completely. Moreover, I don't have to change the incoming queue's setup and can keep receiving mail until I need to. It gives me the flexibility to pass the messages to a different server (or servers) altogether whenever needed.

What will the setup look like?

Queue 1: Two qmail-smtpd instances, one listening on port 25 and the other on port 465 (SSL).
port 25 - To receive mail from public domains such as Yahoo/Google.
port 465 - For internal users to send mail (auth + encryption).

Queue 2: qmail-smtpd listens on port 2000 and receives mail only from localhost (127.0.0.1). It calls qmail-scanner and has the mail scanned with ClamAV and SpamAssassin. If the mail carries a virus it is quarantined. If it is tagged as SPAM, the subject is prefixed with [SPAM] and the mail is delivered to the user's mailbox; if the user is local, the mail is delivered to the Junk directory.

I also had some specific needs. We had many aliases on the server and only certain people must be able to send mail to those aliases. While this can be done with mailing list software like ezmlm, I thought of exploring further. When an unauthorized user sends mail to a particular alias, ezmlm sends a mail to the moderator; I wanted the mail to be bounced back to the sender (ezmlm has that option) and also to give my own message as the reason for the bounce. I wrote my own Perl script to achieve this and it was simple enough. ezmlm is also installed on my server, serving other purposes.

Enough for tonight. I will be posting a step-by-step guide in a couple of days.