Kiranjith's Blog

Install Packages Via yum Command Using DVD / CD as Repo – CentOS (RHEL Based)

kiranjith — Fri, 14 Jan 2011 19:25:00 +0000

CentOS Linux comes with CentOS-Media.repo which is used to mount the default locations for a CDROM / DVD on CentOS-5.*. You can use this repo and yum to install items directly off the DVD ISO that we release.
Open /etc/yum.repos.d/CentOS-Media.repo file, enter:

# vi /etc/yum.repos.d/CentOS-Media.repo
Make sure enabled is set to 1:
enabled=1

Save and close the file. To use repo put your DVD and along with the other repos, enter:

# yum –enablerepo=c5-media install pacakge-name

To only use the DVDmedia repo, do this:

# yum –disablerepo=\* –enablerepo=c5-media install pacakge-name

OR use groupinstall command

# yum –disablerepo=\* –enablerepo=c5-media groupinstall ‘Virtualization’

Installing and configuring mod_security-Ubuntu 9.04

kiranjith — Sun, 26 Dec 2010 18:49:00 +0000

This how-to is reported to work in Ubuntu 8.04-10.10 as well.
What is mod_security you ask ?

Mod Security can significantly increase the security of your Apache installation.

What Is ModSecurity?

ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

It is also an open source project that aims to make the web application firewall technology available to everyone.

Do not think you need this ? Follow along with the examples and decide for yourself (This tutorial assumes you already have Apache and php5 installed).

First, let us look at the default Apache behavior. I will use “ubuntuVPS” as the server of interest.

“Insecure” Example 1 – curl

Use curl to obtain information on the server (bodhi@home is a remote machine connecting to “ubutnuVPS”. You can test all this with any browser if you wish, simply use your server’s home page).

bodhi@home# curl -i ubuntuVPS
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:06:21 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
Last-Modified: Tue, 28 Apr 2009 21:39:54 GMT
ETag: “50d4a-2d-468a44dadbe80″
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Content-Type: text/html

It works!

Looks like this in your browser (the famous It works! page)
It works!

See how with a single command we already know the server is Ubuntu running Apache 2.2.11 and PHP 5.2.6 ?

“Insecure” Example 2 – bad .php

For this I will ask you to create a file “/var/www/insecure.php”

Put the following code in the file :

< ? $secret_file = $_GET['secret_file'];

include ( $secret_file); ? >;

Note: I had to put a space at the front of the php tag “<; ?”, remove it.

Now what ? Open a browser and enter http://ubuntuVPS/insecure.php?secret_file=/etc/passwd
I shall use curl in this example:

bodhi@home# curl -i “http://ubuntuVPS/insecure.php?secret_file=/etc/passwd”
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:24:11 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-3ubuntu4.1
Vary: Accept-Encoding
Content-Length: 860
Content-Type: text/html
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
postfix:x:104:107::/var/spool/postfix:/bin/false

YIKES !!!
Install and configure mod_secure

There was a time when installing mod_security was a bit difficult, now it is as easy as :

sudo apt-get -y install libapache-mod-security

The “hard part” is that we need to configure mod_security and obtain a few rules.

Configure mod_security

Using any editor, make a file “/etc/apache2/conf.d/modsecurity2.conf” and put the following contents in the file.

Include conf.d/modsecurity/*.conf

Note: I had to add a space at the front of the tag “” and “”, remove them.

By default, mod_security logs to /etc/apache2/logs, the following commands will put the log in /var/log/apache2/mod_security and create a symbolic link back to /etc/apache2/logs

sudo mkdir /var/log/apache2/mod_security
sudo ln -s /var/log/apache2/mod_security/ /etc/apache2/logs
Download and install rules

Download rules from here

As of this writing, the rule set was “modsecurity-core-rules_2.5-1.6.1.tar.gz”, you may need to adjust accordingly as new rules are released.

sudo mkdir /etc/apache2/conf.d/modsecurity
cd /etc/apache2/conf.d/modsecurity
sudo wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
sudo tar xzvf modsecurity-core-rules_2.5-1.6.1.tar.gz
sudo rm CHANGELOG LICENSE README modsecurity-core-rules_2.5-1.6.1.tar.gz

Enable mod_security:

sudo a2enmod mod-security

Now restart Apache

sudo /etc/init.d/apache2 restart

That’s it

Testing mod_security

“Secure” Example 1 – curl

bodhi@home# curl -i http://ubuntuVPS
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:44:42 GMT
Server: Apache/2.2.0 (Fedora)
Last-Modified: Tue, 28 Apr 2009 21:39:54 GMT
ETag: “50d4a-2d-468a44dadbe80″
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Content-Type: text/html

It works!

Look no more server or php information (Fedora apache 2.2.0 , LOL !!! )

“Secure” Example 2 – bad .php

bodhi@home# curl -i “http://ubuntuVPS/insecure.php?secret_file=/etc/passwd”
HTTP/1.1 501 Method Not Implemented
Date: Tue, 28 Apr 2009 22:47:38 GMT
Server: Apache/2.2.0 (Fedora)
Allow: TRACE
Vary: Accept-Encoding
Content-Length: 291
Connection: close
Content-Type: text/html; charset=iso-8859-1

Method Not Implemented

GET to /insecure.php not supported.

Apache/2.2.0 (Fedora) Server at ubuntuvps Port 80

Looks like this in your browser:

501 Method Not Implemented
Method Not Implemented

GET to /insecure.php not supported.Apache/2.2.0 (Fedora) Server at ubuntuvps Port 80

Ah 501 Error looks much better then the contents of /etc/passwd
Where to go from here ?

1. Monitor your logs :

tail /var/log/apache2/mod_security/modsec_audit.log

2. Learn / edit your mod_security rules : ModSecurity Reference Manual

3. Delete bad.php, LOL

sudo rm -rf /var/www/insecure.php

I hope you enjoyed and learned from this tutorial

Reference:
“This is just a copy cat of the post from http://blog.bodhizazen.net/linux/how-to-mod_security-ubuntu-904/
All credit should go to the respective author. I tried the method in Ubuntu 10.10 and it works fine.”

Note:-
Some of the rules may deny the access to you applications (eg: phpmyadmin/drupal etc). Test the rules well before you implement.

HowTo: 10 Steps to Configure tftpboot Server in UNIX / Linux (For installing Linux from Network using PXE)

kiranjith — Thu, 22 Jul 2010 09:08:00 +0000

In this article, let us discuss about how to setup tftpboot, including installation of necessary packages, and tftpboot configurations.

TFTP boot service is primarily used to perform OS installation on a remote machine for which you don’t have the physical access. In order to perform the OS installation successfully, there should be a way to reboot the remote server — either using wakeonlan or someone manually rebooting it or some other ways.

In those scenarios, you can setup the tftpboot services accordingly and the OS installation can be done remotely (you need to have the autoyast configuration file to automate the OS installation steps).

Step by step procedure is presented in this article for the SLES10-SP3 in 64bit architecture. However, these steps are pretty much similar to any other Linux distributions.

Required Packages

The following packages needs to be installed for the tftpboot setup.

dhcp services packages: dhcp-3.0.7-7.5.20.x86_64.rpm and dhcp-server-3.0.7-7.5.20.x86_64.rpm
tftpboot package: tftp-0.48-1.6.x86_64.rpm
pxeboot package: syslinux-3.11-20.14.26.x86_64.rpm

Package Installation

Install the packages for the dhcp server services:

$ rpm -ivh dhcp-3.0.7-7.5.20.x86_64.rpmPreparing...                ########################################### [100%]   1:dhcp                   ########################################### [100%]

$ rpm -ivh dhcp-server-3.0.7-7.5.20.x86_64.rpmPreparing...                ########################################### [100%]   1:dhcp                   ########################################### [100%]

$ rpm -ivh tftp-0.48-1.6.x86_64.rpm

$ rpm -ivh syslinux-3.11-20.14.26.x86_64.rpm

After installing the syslinux package, pxelinux.0 file will be created under /usr/share/pxelinux/ directory. This is required to load install kernel and initrd images on the client machine.

Verify that the packages are successfully installed.

$ rpm -qa | grep dhcp$ rpm -qa | grep tftp

Download the appropriate tftpserver from the repository of your respective Linux distribution.

Steps to setup tftpboot

Step 1: Create /tftpboot directory

Create the tftpboot directory under root directory ( / ) as shown below.

# mkdir /tftpboot/

Step 2: Copy the pxelinux image

PXE Linux image will be available once you installed the syslinux package. Copy this to /tftpboot path as shown below.

# cp /usr/share/syslinux/pxelinux.0 /tftpboot

Step 3: Create the mount point for ISO and mount the ISO image

Let us assume that we are going to install the SLES10 SP3 Linux distribution on a remote server. If you have the SUSE10-SP3 DVD insert it in the drive or mount the ISO image which you have. Here, the iso image has been mounted as follows:

# mkdir /tftpboot/sles10_sp3

# mount -o loop SLES-10-SP3-DVD-x86_64.iso /tftpboot/sles10_sp3

Refer to our earlier article on How to mount and view ISO files.

Step 4: Copy the vmlinuz and initrd images into /tftpboot

Copy the initrd to the tftpboot directory as shown below.

# cd /tftpboot/sles10_sp3/boot/x86_64/loader

# cp initrd linux /tftpboot/

Step 5: Create pxelinux.cfg Directory

Create the directory pxelinux.cfg under /tftpboot and define the pxe boot definitions for the client.

# mkdir /tftpboot/pxelinux.cfg

# cat >/tftpboot/pxelinux.cfg/defaultdefault linuxlabel linuxkernel linuxappend initrd=initrd showopts instmode=nfs install=nfs://192.168.1.101/tftpboot/sles10_sp3/

The following options are used for,

kernel – specifies where to find the Linux install kernel on the TFTP server.
install – specifies boot arguments to pass to the install kernel.

As per the entries above, the nfs install mode is used for serving install RPMs and configuration files. So, have the nfs setup in this machine with the /tftpboot directory in the exported list. You can add the “autoyast” option with the autoyast configuration file to automate the OS installation steps otherwise you need to do run through the installation steps manually.

Step 6: Change the owner and permission for /tftpboot directory

Assign nobody:nobody to /tftpboot directory.

# chown nobody:nobody /tftpboot

# chmod 777 /tftpboot

Step 7: Modify /etc/dhcpd.conf

Modify the /etc/dhcpd.conf as shown below.

# cat /etc/dhcpd.conf

ddns-update-style none;default-lease-time 14400;filename "pxelinux.0"; 

# IP address of the dhcp server nothing but this machine.next-server 192.168.1.101;subnet 192.168.1.0 netmask 255.255.255.0 {  # ip distribution range between 192.168.1.1 to 192.168.1.100  range 192.168.1.1 192.168.1.100;  default-lease-time 10;  max-lease-time 10;}

Specify the interface in /etc/syslinux/dhcpd to listen dhcp requests coming from clients.

# cat /etc/syslinux/dhcpd | grep DHCPD_INTERFACEDHCPD_INTERFACE=”eth1”;

Here, this machine has the ip address of 192.168.1.101 on the eth1 device. So, specify eth1 for the DHCPD_INTERFACE as shown above.

On a related note, refer to our earlier article about 7 examples to configure network interface using ifconfig.

Step 8: Modify /etc/xinetd.d/tftp

Modify the /etc/xinetd.d/tftp file to reflect the following. By default the value for disable parameter is “yes”, please make sure you modify it to “no” and you need to change the server_args entry to -s /tftpboot.

# cat /etc/xinetd.d/tftp service tftp {                       socket_type     = dgram                       protocol          = udp                       wait               = yes                       user               = root                       server            = /usr/sbin/in.tftpd                       server_args     = -s /tftpboot                       disable           = no            }

Step 9: No changes in /etc/xinetd.conf

There is no need to modify the etc/xinetd.conf file. Use the default values specified in the xinetd.conf file.

Step 10: Restart xinetd, dhcpd and nfs services

Restart these services as shown below.

# /etc/init.d/xinetd restart

# /etc/init.d/dhcpd restart

# /etc/init.d/nfsserver restart

After restarting the nfs services, you can view the exported directory list(/tftpboot) by the following command,

# showmount -e

Finally, the tftpboot setup is ready and now the client machine can be booted after changing the first boot device as “network” in the BIOS settings.

If you encounter any tftp error, you can do the troubleshooting by retrieving some files through tftpd service.

Retrieve some file from the tftpserver to make sure tftp service is working properly using the tftp client. Let us that assume that sample.txt file is present under /tftpboot directory.

$ tftp -v 192.168.1.101 -c get sample.txt

Bash Tip

kiranjith — Tue, 27 Apr 2010 20:27:00 +0000

http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1510560,00.html?track=NL-795&ad=763043&asrc=EM_NLN_11432908

12. Postfix Installing and configuring Courier-Auth Libs, Courier-IMAP and POP3

kiranjith — Mon, 15 Mar 2010 14:33:00 +0000

    The Courier mail transfer agent (MTA) is an integrated mail/groupware server based on open commodity protocols, such as ESMTP, IMAP, POP3, LDAP, SSL, and HTTP. Courier provides ESMTP, IMAP, POP3, webmail, and mailing list services within a single, consistent, framework. Individual components can be enabled or disabled at will. The Courier mail server now implements basic web-based calendaring and scheduling services integrated in the webmail module.
Installing Courier Auth Lib:
    The Courier Authentication Library is a generic authentication API that encapsulates the process of validating account passwords. In addition to reading the traditional account passwords from /etc/passwd, the account information can alternatively be obtained from an LDAP directory; a MySQL or a PostgreSQL database; or a GDBM or a DB file. The Courier authentication library must be installed before building any Courier packages that needs direct access to mailboxes (in other words, all packages except for courier-sox and courier-analog).
    Here we will download compile and install the courier-authlib source code for authentication daemon. This will provides the backend authentication that is required by both POP3 and IMAP. The source code can be downloaded from http://www.courier-mta.org/. The courier can be used with Sendmail, Qmail or Postfix. The courier-mta supports the retrieval of mail from Maildir format and it doesn’t support the old MBOX format. Authentication mechanism using courier authlib:
    MUA sends the authentication to IMAP/POP3. The IMPA/POP3 hands over the request to courier-auth libs. Now the courier auth libs quires the user database (/etc/passwd, LDAP, MySQL)

MUA -> IMPA/POP3 -> Courier authlib -> userdb

Installing courier auth libs
Here we are interested in installing the courier IMAP and POP3 servers. to accomplish this initially we have to install the courier-auth libraries.
So download the authlib seperately and install it.

# wget http://sourceforge.net/projects/courier/files/authlib/0.63.0/courier-authlib-0.63.0.tar.bz2/download
# tar -jxvf courier-authlib-0.63.0.tar.bz2
# cd courier-authlib
# su user
$ ./configure
$ make
$ su root
# make install
# make install-configure

The entire process installs the binaries and configuration files. Binary named “authdaemond” under “/usr/local/sbin” directory is executing as the authlib daemon. This consults the /usr/local/etc/authlib/authdaemonrc configuration file.
Starting the authlib daemon

# /usr/local/sbin/authdaemond start
# ps -ef |grep authdaemond

Auth daemon is not bounded to any tcp or udp ports. But it is ready to accept any of authentication requests from IMAP or POP3. “If the auth daemon is not running the authentication process in IMAP and POP3 will not work”.
Installing courier imap (Installs the IMAP and POP3 service)
Both the pop3 and imap service is installed with the package courier-imap.
Download the package from http://www.courier-mta.org/download.php#imap and install the package

# wget https://sourceforge.net/projects/courier/files/imap/4.7.0/courier-imap-4.7.0.tar.bz2/download
# tar -jxvf courier-imap-4.7.0.tar.bz2
# cd courier-imap
# su user

If we need to have the SSL support, we need to have installed the openssl and openssl-devel packages installed.

$ ./configure
$ make
$ su root
# make install
# make install-configure

These steps finishes courier-imap installaion. “/usr/lib/courier-imap” is the directory location of the courier-imap installation. “/usr/lib/courier-imap” contains binaries, libraries, shared libraries and configuration files.
Note: The default facility in syslog used by courier-imap is “mail”. This can be chaged while compiling the binary

Configuring and Running Courier-POP3
Now we will configure the Courier-pop3 for retrieval of mail.
Inside “/usr/lib/courier-imap/libexec” directory has the startup script named pop3.rc and pop3-ssl.rc to start the pop3 and pop3 ssl services respectively.
Starting the pop3 service

# cd /usr/lib/courier-imap/libexec
# ./pop3.rc start

This will start the pop3 service and bind to 110. Now check the service runs by the following command

# netstat -ntlp | grep 110

Now test the retrieval of msg using any MUA from outside using the pop3 protocol. By default courier will retrieve the msgs from user mailbox (Maildir). Usually pop3 retrieves the mails from the “new” directory of Maildir struchure.

Implementing pop3-ssl
Normal pop3 transmits the msg in clear text format over the wire.In order to implemented the secured transfer of mails (encrypted) we have to run pop3-ssl.To Inorder to accomplish this we have to generate the self signed certificate or purchase a signed certificate from a trusted certificate authority that our email client trust.

Generating own self signed certificate:
Courier-mta includes the scripts to generate self signed certificate using openssl.

# cd /usr/lib/courier-imap/etc

In this directory we have a file called pop3d.cnf which contains the answers to the questions usually asked while attempt to generate the self signed certificate using the script inbuilt in courier-mta

# vim pop3d.cnf

Change the parameters to suite our enviornment. eg:- Locality, organization, organization unit, host, email address etc Save the file and navigate to the folder which contains the script to generate the certificate.

# cd ../share
# ./mkpop3dcert
# ls pop3.pem

This will generate the certificate with respect to the pop3d.cnf created before in current location.
Now navigate to libexec folder and start the pop3d-ssl script to start pop3 in secure mode. This will bind the port 995

# cd /usr/lib/courier-imap/libexec
# ./pop3d-ssl.rc start
# netstat -tulpn |grep 995

Now we can see that the pop3s server started and running on port 995.
Test it in MUA by changing the incoming mail pop3 to use a secure connection (ssl).Now send and receive mails by accepting the certificate.

Making the pop3 and pop3s service available at startup
Make a symbolic link to /etc/init.d.

# ln -s /usr/lib/courier-imap/libexec/pop3d.rc /etc/init.d/
# ln -s /usr/lib/courier-imap/libexec/pop3d-ssl.rc /etc/init.d/
# cd /etc/init.d

Now point to the runlevel where to start the script. To start in runlevel 3

# cd /etc/init.d/rc3.d
# ln -s ../pop3d.rc S20pop3d
# ln -s ../pop3d-ssl.rc S20pop3-ssld

This will create a startup script for the given runlevel. Make sure that we will create a Kill script in same method to kill/stop the service when system changes its runlevel.

Configuring and running Courier-imap service
The Courier-imap service startup script reside at the same location, where courier-pop3 locates
Starting the imap service

# cd /usr/lib/courier-imap/libexec
# ./impad.rc start
# netstat -ntlp | grep 143

This will show the imap service running and listening to the port 143
Configuring Courier-imap
The configuration file is located at “/usr/lib/courier-imap/etc” named “imapd”

# vim /usr/lib/courier-imap/etc/imapd

All derivatives are self explanatory. This file used to configure the listening address, port and number of daemons to start upon the binary starts etc.
Test the mail retrievel by configuring the MUA with IMAP. The credentials given is matched by the server with the /etc/passwd by default. And /etc/passwd is the file that tells where the Maildir resides (Courier checks the mails in the Maildir of users mail directory). IMAP communicates with clear text format by default.

Configuring Courier-imaps
This enables the communication by encryption with the help of SSL.

# vim /usr/lib/courier-imap/etc/imapd.cnf

Edit the above file for generate the certificate properly. Change the Country, State, Locality, Organization unit, Common name email address etc. Now generate the certificate

# ./usr/lib/courier-imap/share/mkimapdcert

This will create a certificate named imapd.pem.
Now start the imapd-ssl service

# ./usr/lib/courier-imap/libexec/imap-ssl.rc start
# netstat -ntlp |grep 993

Most client that support Imap with ssl will connect default to the port 993. This port is configurable in “courier-imap/etc/imapd-ssl” . Test the configuration by changing the Incoming mail server as imap with ssl. Restart the application and this will prompt to accept the certification for further communication.

11. Postfix MailBox

kiranjith — Wed, 10 Mar 2010 14:49:00 +0000

Postfix supports 2 types of Mail Box formats
1. MBOX Format
2. MailDir Format

MBOX (/var/spool/mail/$user)
MBOX is the default storage method used in the Postfix. This is also the traditional Unix format to store the msgs. This appends the mails to a single file in sequential fashion. This file needs to be locked by any application for writing into it. In a high utilized servers there may be issues of locking and performance if you are using the MBOX format. Because only one application at a time is able to read and write the file same time. By default postfix delivers mail to the file object in the spool directory. (For Eg: For user root the MBOX file is /var/spool/mail/root). Most of the mail retrieving technologies such as imap and pop3 base servers are following this directory structure by default.
Spooling mails in same MBOX format to users home directory.
This will results the mail delivery in users home directory. There is a MAIL variable in users shell that defines the default location of the mails for the MUA. The following command shows the mail variable.

# echo $MAIL
# set |grep -i mail

Moving the MBOX to users home

# vim /etc/postfix/main.cf
home_mailbox = Mailbox
# postfix reload

The default behavior of postfix is to spool the mail to the /var/spool/mail directory. By defining the home_mailbox postfix will delivers the mail to the users home directory. The file named “Mailbox” will be created by the Postfix daemon.
Now change the mail variable for the user(recommended when localy installed MUA such as mutt, mail etc used).

# export MAIL=~/Mailbox

Make it permanent (following shows for bash shell)

# vim /etc/bashrc
export MAIL=~/Mailbox

Now source the file and check the mail variable

# . /etc/bashrc
# echo $MAIL

Now the MUA will be able to get the mail from exact location.

Maildir
This is newer Unix standard to route the mail to a directory struchure. Maildir provides the superior scaling as well as “no locking issues”.
Implementing Maildir

# vim /etc/postfix/main.cf
home_mailbox = Maildir/
# postfix reload

The above process will create a sub-directory in each users home directory called Maildir. Beneath this directory contains the structure that contains the msgs. Maildir is introduced by Qmail and recognized and supported by almost all the MUAs. Test sending a mail to any user in the system and trace the newly created directory inside the home.

# ls ~/Maildir
cur
new
tmp

These are the three sub directories created by postfix. When a msg is spooled typically copied in to the “tmp” directory. “new” directory contains the unread mails. The mails containing in the directory “new” has a typical nomenclature for the identification of the msgs.
Eg:- 2214525412.v80osui654.destinedhost.
In the above file name the initial prefix (2214525412) is the unique identified that corresponds to the time after the epoc time 1970 (command “date +%s” shows the current epoc time). “v80osui654″ is the identified added by postfix and followed by the destination host name of the mailbox.“cur” (current) directory contains the read mails
The MAILDIR variable has to be set and MAIL variable has to be unset

# unset MAIL
# export MAILDIR=~/Maildir

The variable change need to be specified globally. if we are using any MUAs depends upon this variable, else the mails wont be able to process by MUAs.
Set the variables globally

# vim /etc/bashrc
unset MAIL
export MAILDIR=~/Maildir
# . /etc/bashrc

10. Postfix Virtual Domains

kiranjith — Mon, 08 Mar 2010 15:11:00 +0000

By default postfix has setup to handle few domains, defined by $mydestination. The idea of the virtual domain is to map the multiple domains to the same server. ” hostname -f ” shows the FQDN also known as canonical domain used by Postfix.
Note: The IP address also considers as domain. For eg:- A message To: user@[10.0.0.1] (The “[]” is must). So in this case the IP address is also considered as the domain. This domain is also considered as a part of the canonical domain.

Basic Virtual Domain Configuration

# vim /etc/postfix/main.cf
mydestination = $myhostname, localhost, $mydomain, anewdomain.com, someotherdomain.com
relay_domains = $mydestination
# postfix reload

Now the messages that destined to the domains listed in the $mydestination will be handled by the server. So messages send to a user at domain that defined at $mydestination will be delivered locally.
For Eg:- Mail send to kiran@anewdomain.com and kiran@someotherdomain.com will get deliver to the same user in the host. In other words the list of domains that defined in the $mydestination will be considered to be local and delivers the mail locally.

Virtual Domains Using Maps For Single Domain
This scenario is used ideally in a Linux mail server where the local users need to share the different domains, (used in ISP environment).
Splitting Local users in to separate domains
To do so we have to setup the virtual aliases maps

# vim /etc/postfix/main.cf
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual

virtual_alias_domains tells what domains are needed to be supported by virtaul alias maps

# vim /etc/postfix/virtual
userdd@example.com kiran
dduser@example.com jam
# postmap /etc/postfix/virtual

The format is as same as in the transport table. In the Left Hand Side we mention the address that need to be mapped and in Right Hand Side we mention the local or remote user mail address to which mail has to be delivered.

# postfix reload

Reload the postfix service

# postconf | grep virtual_alias_

Now test the setting by composing the msg to the user userdd@example.com and dduser@example.com. The msg will be delivered to the local user kiran and jam respectively.

Virtual Domains Using catch all features.
In a virtual alias map environment if mail is send to a non-existing Local user in a postfix server the mail will be rejected with the error “recipient address rejected” in log file. This situation could be overcome by defining the catchall address for the domain. But these feature will be subjected to catch all the mails that coming to the domain and obviously the server will be filled up with spam mails. So it is not at all considered to be used at production environment.
Defining the catch all

# vim /etc/postfix/main.cf
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual
# vim /etc/postfix/virtual
@example.com kiran
# postmap /etc/postfix/virtual

Here all the mails that comes to the domain example.com will be routed to user kiran.

The following virtual map file will send the all mails coming to the domain example.com to multiple recipients.

# vim /etc/postfix/virtual
@example.com kiran, user1, user2, user3

The following virtual map will send the mails coming to user kiran@example.com to remote domain kiran@secureserver.com.

# vim /etc/postfix/virtual
kiran@example.com kiran@secureserver.com

Virtual alias Maps For Multiple Domains
The following example shows the configuration of the multiple domains

# vim /etc/postfix/main.cf
virtual_alias_domains = firstdomain.com, seconddomain.net, thirddomain.org, fourthdomain.com
virtual_alias_maps = hash:/etc/postfix/virtual

# vim /etc/postfix/virtual
sales@firstdomain.com             kiran
hr@seconddomain.net               jam
finance@thirddomain.org        jeo
project@fourthdomain.com    paul
abuse@seconddomain.net        abuse
# postmap /etc/postfix/virtual

This finishes the configuration of the Virtual alias maps

#postmap -q abuse@seconddomain.net /etc/postfix/virtual

The above command will query the virtual map file for the mapped address.

# postfix reload

Test the settings by sending mails to each and every users in the new domains.
While testing this configuration make sure that the proper DNS entry in place.

9. Postfix SmartHost and NullClient

kiranjith — Thu, 04 Mar 2010 15:20:00 +0000

SmartHost
SmartHost forwards all the mails that are not destined to the same server. Ideally this feature is used to forward mails to the SmartHost Mail server which can masquerade and relay mails to outer world.
Mail Flow example:
Local Server -> SmartHost Server -> Outer World
In Local server we defines the SmartHost server. So all the mails that are not destined to the Local server will be forwarded to SmartHost Server. Then SmartHost server forwards the msgs to the outer world.

Defining SmartHost
Initially check that what domains the postfix will accept the mails for.

# postconf |grep mydestination

The output shows the list of the domains that postfix accepts mails for. After defining the SmartHost postfix will forward all the mails to the SmartHost server which are not destined to $mydestination.

# vim /etc/postfix/main.cf
relayhost = smarthost.server.com

In this scenario postfix forwards all the mails that are not destined local to smarthost.server.com.
Note: In this case the postfix will perform DNS MX record query to the domain smarthost.server.com. Adding square brackets “[]” will skip the MX record query and delivers the msgs directly.
eg: relay_host = [mail1.smarthost.server.com]

# postconf |grep relayhost

# postfix reload
Verify the configuration and reload the postfix service
Test the configuration by sending mails to outside using this Local Server.Examine the Logs in the Local server as well as in the SmartHost server.

NullClient
NullClient forwards all the mails including locally generated to the defined server. NullClient never receives any mails.
Mail Flow Example:
internet -> Mail Server exposed Internet -> Internel Mail Server
From any internet Box the Mail server Exposed to Internet will accept the mails and Using the NullCLient configuration all the mails will be forwarded to Internal Mail Server.

Configuring the NullClient
In the above mail flow diagram the configuration come at the Mail server exposed to Internet

# vim /etc/postfix/main.cf
mydestination =
local_transport = error:Local Mailing is Disabled
relayhost = smarthost.domain.com

mydestination = “nothing” This tells the postfix that we are not handling mails for any domains
local_transport = error:Local Mailing is Disabled tells that postfix is not handling any of the local mails too.
relayhost tells postfix now to forward all the mails destined local or remote to the SmartHost server defined. Make sure that the SmartHost server has configured to receive the mails for.
Note:
It is “not mandatory” that in a Null Client configuration there should be a “relayhost”. If we are not mentioning any smarthost Postfix will attempt to resolve the MX of the destination of the mail and sends the mail directly.
Update master.cf

# vim master.cf
# local unix n n - - local

Comment the above derivative to disable the “local” transport feature of Postfix (local mailing).

# postfix reload

Reload the postfix configuration. Now the postfix server will act as Null Client and all the mails that generates will be forwarded to the smarthost defined. Test the configuration by sending the mail “from” and “to” to the NullClient host and check the logs.

8. Postfix Transport Table – SMTP Routing

kiranjith — Wed, 03 Mar 2010 15:33:00 +0000

This feature allows to route messages to additional domains according to the Map defined. Here Postfix accepts the message and rather than consulting the DNS for MX record it routes the mail by checking the transport map. In sendmail this feature is called mailertable

Transport Map
The map format is as follows

Left Handside                    Right Hand Side
user@domain.com       transport:nexthope
domain.com           transport:nexthope
host1.domain.com                 transport:nexthope

In the above format the Right Hand side defines the list of the domains that Postfix accepts the messages and routes. In Left Hand Side defines the transport mechanism that used and the destination of the mails.

Setting up the Transport Mechanism to Route the messages:
Check the derivative that supports transport map

# postconf |grep transport_maps

transport_maps is the derivative that enables the transport map. By default the derivative will be undefined. The types of transport that supported by the Postfix can be determined by examining the “/etc/postfix/master.cf” file. smtp, local, error etc are the types of the transport defined.
Create the transport map file

# vim /etc/postfix/transport
sales.domain.com           smtp:[internalhost1.domain.com]
tax.domain.com              smtp:[internalhost2.domain.com]
finance.domain.com       smtp:newdomain.com

The Left hand side we have mentioned the “mails coming from domains” which has to be routed (sales.domain.com) and in the Right hand side we have mentioned the transported which has to be use (smtp) and the destination machine (internalhost1.domain.com).
Note: “While using the transport table, when mails subjected to route, to disable the MX lookup by postfix for the destination domains we have to add the recieving domains inside the square bracket (“[]“). This will tell Postfix to “not perform” the MX lookup of the destined domains.

# postmap /etc/postfix/transport

Now we have generated the transport map file named transport.db
Enable the transport map feature in the postfix

# vim /etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport
# postfix reload

Now we have integrated the transport map with the postfix.

Testing the configuration

# postconf |grep transport_maps

Check the maps are defined correctly.
Make sure that the MX record for all the domains that needs to route the mail to another server points to the Mail Routing Server. Now try sending mails destined to domains sales.domain.com, tax.domain.com, finance.domain.com. According to the map defined the Mail Routing server will route the mails to respective host. It is understood that the receiving host has configured to accept the mails from the Mail Router.

7. Postfix Relay Domains

kiranjith — Tue, 02 Mar 2010 16:03:00 +0000

This is an another way of enabling relaying in postfix. By default Postfix will relay mails for the domains that specified in the “mydestination” derivatives (Postfix considers the mail that are originated locally). If we need to add more domains to be relayed through the same server we can user “relay_domains” as well as “mydestination” derivatives.
By default “relay_domains” will be configured with mydestination.
i.e,

relay_domains = $mydestination

By using “relay_domains” derivative postfix is configured to relay mail from domains defined.
For example:

# vim main.cf

relay_domains = $mydestination, new1domain.com, new2nd.domain.com

# smtpd_client_restrictions =

Comment out the above derivative.The smtpd_client_restrictions parameter restricts what clients this system accepts SMTP connections from. By default, this restriction is applied when the client sends the RCPT TO command, the RCPT TO error in the log file points this error.

# postfix reload

# ps -ef |grep master

The above change will allow postfix to relay the mails from new1domain.com & new2nd.domain.com domains.”smtpd_client_restrictions” makes the policy to reject the relay from other domains by default.
Note: All the subdomains will be relayed if a domain is specified in “relay_domains”. For eg:- if newdomain.com is specified then postfix server will allow relaying all the subdomains like host1.newdomain.com, host2.newdomain.com etc.

Relay Domains with Maps
Enabling the maps makes MTA to query the data from a database machanism. If a server is hosting many domains and practically entering each domain name in the configuration file is not possible, then we can use database maps for fast query and easier management.

Defining Rlay_domains Maps

# rpm -qa |grep db

Initially check for the Berkley DB packages are installed. These packages will be used by the postfix for database support.

# vim /etc/postfix/main.cf

relay_domains = $mydestination, hash:/etc/postfix/relaydomains

Now postfix will refer the db file “/etc/postfix/relaydomains.db” for relaying.

# vim /etc/postfix/relaydomains

domain1.com

domain2.com

domain3.com

domain4.com

domain5.com

# postmap /etc/postfix/relaydomains

“postmap” generates the db file with respect to /etc/postfix/relaydomains.
Note: The postmap utility will show error while running. It is because postmap expects the keys and values. The map file consist of keys and values separated with a white space. In our case we have only mentioned the keys. In a db map file Postmap expects the values for each key at right hand side. In this case the error is ignorable because this is the rare case that postfix will not read the “values” in the right hand side. Even if it shows the error the db file will be created.

# postfix reload

#ps -ef |grep master

Now we will be able to relay mails from all the domains defined in the “relaydomains” file. After initializing Postfix a new entry to the file along with the postmap command is sufficient for postfix to relay to the newly added domain without restarting the service.