Re: Exim config
This one time, at band camp, Craig said:
> Hi Guys
>
> Does anyone happen to know how I could have Exim parse a text file with
> a list of users in it: if they are in the file, send the mail to an
> Exchange server, else deliver to the local mailbox?
>
> Any suggestions would be welcomed.

I'd take a look at the aliasfile driver - you can have a file set up
similar to /etc/aliases, and redirect those addresses.

--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: Exim4 and mailman
This one time, at band camp, Dale E Martin said:
> (No need to copy me, I'm subscribed to the mailing list.)
>
> > Yes, I'm reading through a guide on how to set this up but am getting a little
> > confused with what/where to add/edit my exim4.conf file. Do you perhaps have
> > an example of what you added? I'm very new to exim and mailman :)
>
> Sure. Let me mention two things before you take my example to heart too
> much... First, I migrated this from exim 3 to exim 4 so maybe there is a
> better way. Also, the Debian exim 4 packages distribute the configuration
> file into bits in a directory structure - for good reasons, I'm sure. (For
> example, if the mailman maintainer gets on board then mailman could simply
> install its own bits into the configuration hierarchy and it should work
> out of the box.) However, I had a fairly customized exim setup and needed
> it working quickly, so I went the "monolithic file" route and have a
> "/etc/exim4/exim4.conf". Having said all of that, here you go -
> anything in "[]" is my comments to you and not actually in the file.

I am not sure I am doing things the 'Right Way', but I am only using
/etc/aliases for my mailman lists, and they are working just fine.

    $listname:         "|/var/lib/mailman/mail/wrapper post $listname"
    $listname-admin:   "|/var/lib/mailman/mail/wrapper mailowner $listname"
    $listname-request: "|/var/lib/mailman/mail/wrapper mailcmd $listname"
    $listname-owner:   $listname-admin

Change $listname to the real mailing list localpart and it works out of
the box. With Exim3 I did use the special routers and transports, but
when I migrated to Exim4, I thought I would give this method a try, and
it's working great. The only problem with this method is that you don't
get virtual domain settings, I suppose. Can anybody see any other
problems with it?

--
Stephen Gran
Re: Reverse dns?
This one time, at band camp, Daniel Holze said:
> Hello debian-isp,
>
> i have a /24 and i have reverse delegations on this IP-Space.
> So i have a file called:
> 28.129.82.in-addr.arpa
>
> Our ISP said that it must work but it didn't.
> Maybe i think ripe doesn't know my Nameservers.
> Anyone know how i can ask Ripe if my NameServer is accepted for rdns?

As others have pointed out, it's not registered, but it is working:

    steve:~$ host -a 28.129.82.in-addr.arpa ns1.dwl-dns.de
    28.129.82.in-addr.arpa NS ns1.dwl-dns.de
    28.129.82.in-addr.arpa NS ns2.dwl-dns.de
    28.129.82.in-addr.arpa SOA ns1.dwl-dns.de hostmaster.dwleasing.de (
            2003123101 ;serial (version)
            10800      ;refresh period (3 hours)
            900        ;retry interval (15 minutes)
            1814400    ;expire time (3 weeks)
            86400      ;default ttl (1 day)
            )
    steve:~$ host -l 28.129.82.in-addr.arpa ns1.dwl-dns.de
    28.129.82.in-addr.arpa. NS ns1.dwl-dns.de.
    28.129.82.in-addr.arpa. NS ns2.dwl-dns.de.
    100.28.129.82.in-addr.arpa. PTR general.suck0r.de.
    25.28.129.82.in-addr.arpa. PTR GrafiX2K.De.
    12.28.129.82.in-addr.arpa. PTR star.rdns.info.
    101.28.129.82.in-addr.arpa. PTR miss-swiss.de.
    102.28.129.82.in-addr.arpa. PTR kostenneutral.de.
    1.28.129.82.in-addr.arpa. PTR gateway.dwleasing.de.
    3.28.129.82.in-addr.arpa. PTR ns2.dwl-dns.de.
    200.28.129.82.in-addr.arpa. PTR pdns.dwleasing.de.
    23.28.129.82.in-addr.arpa. PTR suck0r.de.
    10.28.129.82.in-addr.arpa. PTR ns2.xaranet.de.
    24.28.129.82.in-addr.arpa. PTR GrafiX2K.De.
    steve:~$ host -a 28.129.82.in-addr.arpa
    28.129.82.in-addr.arpa does not exist, try again

So your server knows how to handle the queries, but the root nameservers
aren't yet directing requests your way.

--
Stephen Gran
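The checks in the reply above (is the zone served, does the parent delegate it) are done by hand with `host`. The following is an added example, not part of the thread, that does the offline half of that work in Python: it derives the in-addr.arpa zone name for a /24, parses a zone listing in the `name TYPE rdata` layout the reply shows, and then runs a forward-confirmed reverse DNS check, which is what a receiving MTA actually evaluates once the delegation exists. The listing, the hostnames and the `FORWARD` table standing in for A-record lookups are all constructed for the example (192.0.2.0/24 and example.* names), not data from the thread.

```python
import ipaddress


def reverse_zone(cidr):
    """in-addr.arpa zone for an IPv4 /24, e.g. 82.129.28.0/24 -> 28.129.82.in-addr.arpa."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("only IPv4 /24 delegations are handled here")
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"


def ptr_name(ip):
    """Owner name of the PTR record for a single address."""
    return ipaddress.ip_address(ip).reverse_pointer


def owner_to_ip(owner):
    """Inverse of ptr_name for a full IPv4 owner name (trailing dot optional)."""
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 PTR owner name: {owner}")
    return ".".join(reversed(labels[:4]))


def parse_zone_listing(text):
    """Parse 'owner TYPE rdata' lines (the old `host -l` layout) into
    (set of NS names, {ip: ptr target}); multi-field lines such as SOA are skipped."""
    ns, ptrs = set(), {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        owner, rtype, rdata = parts
        if rtype == "NS":
            ns.add(rdata.rstrip(".").lower())
        elif rtype == "PTR":
            ptrs[owner_to_ip(owner)] = rdata.rstrip(".").lower()
    return ns, ptrs


def fcrdns_check(ptrs, forward):
    """Forward-confirmed reverse DNS: the PTR target must have an address record
    that points back at the IP. `forward` maps hostname -> list of IPs."""
    report = {}
    for ip, name in ptrs.items():
        addrs = forward.get(name)
        if addrs is None:
            report[ip] = "no-forward"
        elif ip in addrs:
            report[ip] = "ok"
        else:
            report[ip] = "mismatch"
    return report


# Constructed zone listing in the layout quoted in the thread (not real data).
SAMPLE_LISTING = """\
2.0.192.in-addr.arpa. NS ns1.example.net.
2.0.192.in-addr.arpa. NS ns2.example.net.
1.2.0.192.in-addr.arpa. PTR gateway.example.net.
3.2.0.192.in-addr.arpa. PTR ns2.example.net.
25.2.0.192.in-addr.arpa. PTR Www.Example.ORG.
100.2.0.192.in-addr.arpa. PTR mail.example.net.
200.2.0.192.in-addr.arpa. PTR old-host.example.net.
"""

# Constructed stand-in for A-record lookups; a real check would resolve each name.
FORWARD = {
    "gateway.example.net": ["192.0.2.1"],
    "ns2.example.net": ["192.0.2.3"],
    "www.example.org": ["203.0.113.9"],
    "mail.example.net": ["192.0.2.100", "192.0.2.101"],
}

if __name__ == "__main__":
    print(reverse_zone("192.0.2.0/24"))
    ns, ptrs = parse_zone_listing(SAMPLE_LISTING)
    print("served by:", sorted(ns))
    for ip, status in sorted(fcrdns_check(ptrs, FORWARD).items()):
        print(f"{ip:15} {ptrs[ip]:25} {status}")
```

Note that none of this tells you whether the parent zone delegates to your servers; that is the `host -a <zone>` query without a server argument in the reply above, and "does not exist" there means the registry has not published the NS records yet, however correct the zone itself is.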
Re: Postfix-mysql-procmail
This one time, at band camp, Russell Coker said:
> Another option is to receive the entire message, accept it for delivery but
> instead of a 25x give a 55x code with a message saying "this message was
> delivered, but please note that the account holder is on vacation".
>
> These methods should allow the vacation message to reliably go only to the
> originator of the message (or to no-one if it's a spam). However they do
> require that a new proxy program be written to receive the mail as no
> existing software (AFAIK) is capable of doing it.

I think you can do something like this with /etc/aliases, although I am
no expert. exim uses a real-$local_part in the standard configuration
to bypass aliasing, so an entry could be added like:

    testuser: real-testuser, :fail: On vacation

Just tested and this is what I see:

    2004-01-10 22:44:23 1AfWWV-dZ-Mc <= [EMAIL PROTECTED] U=steve P=local S=313
I send the message with mail
    2004-01-10 22:44:23 1AfWWV-dZ-Mc ** [EMAIL PROTECTED] R=system_aliases:
It generates an error
    2004-01-10 22:44:23 1AfWWV-dZ-Mc => testuser <[EMAIL PROTECTED]> R=real_local T=maildir_home
And then gets really delivered to testuser
    2004-01-10 22:44:23 1AfWWV-dc-Rh <= <> R=1AfWWV-dZ-Mc U=Debian-exim P=local S=1102
    2004-01-10 22:44:23 1AfWWV-dZ-Mc Completed
    2004-01-10 22:44:24 1AfWWV-dc-Rh => steve <[EMAIL PROTECTED]> R=procmail T=procmail_pipe
    2004-01-10 22:44:24 1AfWWV-dc-Rh Completed
And the bounce goes to me with the text noted.

I don't know what your MTA allows, but this works here.

HTH,
--
Stephen Gran
Re: Postfix-mysql-procmail
This one time, at band camp, Russell Coker said:
> Neither /etc/aliases nor procmail allows a custom 55x code to be sent.
>
> A bounce (as used in your example) is undesirable in the case of spam and
> viruses. It makes your machine the cause of problems, which then results
> in other people causing problems for you.

Hmm, it seems you're right. It doesn't generate a bounce, but it does
550 - just too early (at the rcpt rather than data stage). Apparently
it generated a bounce because I was using mail, which I guess calls exim
as sendmail, rather than with smtp, so it behaves slightly differently.
Here is a telnet session with the same configuration, coming from
another machine:

    steve:~$ telnet mercury 25
    Trying 216.158.52.98...
    Connected to mail.lobefin.net.
    Escape character is '^]'.
    220 mail.lobefin.net ESMTP Exim 4.30 Sun, 11 Jan 2004 11:56:48 -0500
    ehlo busybox
    250-mail.lobefin.net Hello www.lobefin.net [216.158.52.108]
    250-SIZE 52428800
    250-PIPELINING
    250-AUTH LOGIN PLAIN
    250-STARTTLS
    250 HELP
    mail from: [EMAIL PROTECTED]
    250 OK
    rcpt to: [EMAIL PROTECTED]
    550 unknown user

And the corresponding log line:

    2004-01-11 11:57:08 H=www.lobefin.net (busybox) [216.158.52.108] F=<[EMAIL PROTECTED]> rejected RCPT [EMAIL PROTECTED]: on vacation

It does _not_ work as well as I had hoped, but it at least does generate
a 550, rather than a bounce. Back to the drawing board.

--
Stephen Gran
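The two posts above hinge on a distinction that is easy to verify from the exim mainlog: a message that was accepted and then bounced (a second message arriving with the null sender `<>` and `R=<original id>`) versus one rejected at RCPT time (a `rejected RCPT` line with no message id). This is an added example, not code from the thread, that parses the log formats quoted above and reports which bounces were generated for mail that came in over SMTP from a remote host, which is the backscatter case Russell describes. The sample log lines are constructed to mirror the quoted ones (placeholder addresses and documentation-range IPs; the archive-shortened message ids are accepted by the regex alongside exim's real 6-6-2 form), and the `On vacation` router text after `R=system_aliases:` is assumed.

```python
import re
from dataclasses import dataclass, field

# Exim ids are base62 in a 6-6-2 layout; the archived lines in the thread show a
# shortened middle part, so accept 2 to 6 characters there.
MSGID_RE = re.compile(r'^[A-Za-z0-9]{6}-[A-Za-z0-9]{2,6}-[A-Za-z0-9]{2}$')
TAG_RE = re.compile(r'\b([A-Z]+)=(<[^>]*>|\S+)')          # U=, P=, H=, R=, T=, S= tags
HOST_IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')
REJECT_RE = re.compile(r'rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$')


@dataclass
class Summary:
    received: int = 0
    delivered: int = 0
    failed: int = 0
    origin: dict = field(default_factory=dict)    # msgid -> "local" or client IP
    bounces: list = field(default_factory=list)   # (bounce msgid, msgid it reports on)
    rejects: list = field(default_factory=list)   # (client IP, recipient, reason)


def parse_mainlog(text):
    s = Summary()
    for line in text.splitlines():
        fields = line.split(" ", 3)
        if len(fields) < 3:
            continue
        if MSGID_RE.match(fields[2]):
            msgid = fields[2]
            flag, _, rest = (fields[3] if len(fields) > 3 else "").partition(" ")
            tags = dict(TAG_RE.findall(rest))
            if flag == "<=":                                   # message accepted
                s.received += 1
                ip = HOST_IP_RE.search(rest)
                s.origin[msgid] = ip.group(1) if ("H" in tags and ip) else "local"
                sender = rest.split(" ", 1)[0]
                if sender == "<>" and "R" in tags:             # null sender + R=<id>: a bounce
                    s.bounces.append((msgid, tags["R"]))
            elif flag == "=>":                                 # delivery
                s.delivered += 1
            elif flag == "**":                                 # address failed (router error)
                s.failed += 1
        else:
            tail = " ".join(fields[2:])                        # SMTP-time rejection, no msgid
            m = REJECT_RE.search(tail)
            if m:
                ip = HOST_IP_RE.search(tail)
                s.rejects.append((ip.group(1) if ip else "", m["rcpt"], m["reason"]))
    return s


def remote_bounces(s):
    """Bounces generated for mail that arrived over SMTP from a remote host. With a
    forged envelope sender these go to an innocent third party (backscatter)."""
    return [(b, p, s.origin[p]) for b, p in s.bounces
            if s.origin.get(p, "local") != "local"]


# Constructed sample in exim4 mainlog format, modelled on the lines quoted above.
SAMPLE_LOG = """\
2004-01-10 22:44:23 1AfWWV-dZ-Mc <= steve@example.org U=steve P=local S=313
2004-01-10 22:44:23 1AfWWV-dZ-Mc ** testuser@example.org R=system_aliases: On vacation
2004-01-10 22:44:23 1AfWWV-dZ-Mc => testuser <testuser@example.org> R=real_local T=maildir_home
2004-01-10 22:44:23 1AfWWV-dc-Rh <= <> R=1AfWWV-dZ-Mc U=Debian-exim P=local S=1102
2004-01-10 22:44:23 1AfWWV-dZ-Mc Completed
2004-01-10 22:44:24 1AfWWV-dc-Rh => steve <steve@example.org> R=procmail T=procmail_pipe
2004-01-10 22:44:24 1AfWWV-dc-Rh Completed
2004-01-11 11:57:08 H=www.example.net (busybox) [192.0.2.108] F=<someone@example.net> rejected RCPT <testuser@example.org>: on vacation
2004-01-11 12:01:02 1AfXyz-ab-Cd <= forged@example.com H=relay.example.com [198.51.100.7] P=esmtp S=2048
2004-01-11 12:01:02 1AfXyz-ab-Cd ** testuser@example.org R=system_aliases: On vacation
2004-01-11 12:01:02 1AfXyz-ef-Gh <= <> R=1AfXyz-ab-Cd U=Debian-exim P=local S=1500
2004-01-11 12:01:03 1AfXyz-ab-Cd Completed
"""

if __name__ == "__main__":
    s = parse_mainlog(SAMPLE_LOG)
    print(f"received={s.received} delivered={s.delivered} failed={s.failed}")
    print("rejected at RCPT:", s.rejects)
    print("bounces that are backscatter risk:", remote_bounces(s))
```

Run against a real `/var/log/exim4/mainlog`, a non-empty `remote_bounces` list is the symptom to look for: it means the `:fail:` alias is being reached after the message was accepted, so the fix is to make the decision at RCPT time, as the telnet session in the post above shows exim doing for SMTP submissions.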
Re: Jesus Help Me !
This one time, at band camp, [EMAIL PROTECTED] said:
> On Mon, Jan 12, 2004 at 02:02:27PM +1100, Craig Sanders wrote:
>
> > this mailing list is for the discussion of the Debian GNU/Linux
> > operating system in Internet Service Provider environments. that's
> > why it's called "debian-isp". note that it is *not* called "Divine
> > Assistance" or anything similar.
>
> I totally agree -- get off the list. There must be someplace else
> where you can ventilate this cosmic debris (in the biblical sense of
> the word that is).

Please note that except for the half dozen replies to an apparent email,
I would never have known about the email at all (but I haven't gotten to
my spam box yet). So these 5 or 6 emails I did see were replying to one
that didn't matter. I'm not mad (and I don't disagree - especially
about qmail), but please let's try to keep the signal-to-noise up a
little bit.

Just keeping the noise going,
--
Stephen Gran
Re: Announce: Domain Technologie Control 0.12.0 R1
This one time, at band camp, Thomas GOIRAND said:
> Hi !
>
> For nearly one year, I've made a software called Domain Technologie
> Control. It's a hosting web GUI for admin and accounting apache,
> named, proftpd, and qmail. DTC is made of PHP scripts and a web
> interface that manage a MySQL database that handles all the host
> information. It generates backup scripts, statistic calculation
> scripts, and config files for bind, Apache, qmail, and proftpd, using
> a single system UID/GID. With DTC, you can delegate the task of
> creating subdomains, email, and FTP accounts to users for the domain
> names they own, and monitor bandwidth per user and service.
>
> It's already in 5 languages, fully skinnable, and totally automated.
>
> It has been released in debian package form. Now I have a debian
> repository there:
>
> deb ftp://ftp.gplhost.com/debian stable main
>
> and the home page of the project there :
>
> http://www.gplhost.com/?rub=softwares&sousrub=dtc
>
> I want to release it to the public through Debian's repository. I've tried
> a couple of times to mail debian people, but failed, and got no reply.
>
> I've just finished making the BSD port, and [EMAIL PROTECTED] will
> be watching over my port before releasing to public.
>
> Can someone contact me and help me to be added in the Debian tree ?

Since you've already done the work of packaging it yourself, why not ask
on [EMAIL PROTECTED] and see if anyone there is interested in
sponsoring an upload? If you're not interested in being the debian
maintainer as well as upstream author, file a Request for Packaging bug
against the wnpp (work needing and prospective packages) pseudo-package.
Hopefully include links to the work you've already done, so as to avoid
too much duplication of effort. www.debian.org/devel has many more
details about this sort of thing.

HTH,
--
Stephen Gran
Re: Considering Debian (currently using Red Hat)
_brk fix) is backported into the _same_ kernel version that you are running.

> 5.) Of course we'll be testing it extensively ourselves, but what would
> you say the most significant differences, both from a user and an admin
> perspective, are between Debian and Linux? Or, maybe better
> stated, why Debian? I know that's a religiously charged question, but
> at the moment our only position is "not RHL." We're open to being
> converted ;-)

Debian has three major things that drew me to it:

It has the best FHS support of any of the distros I've found. On RedHat
and other systems, applications are always installing themselves into
strange places like /opt or /usr/local, while I expect distro programs
to always be found in /bin or /usr/bin (and the corresponding /sbin's).
Config files are always found in /etc (not /usr/local/etc or some
strange place) and are carefully preserved across upgrades.

The Bug Tracking System and the openness of the development model means
that most bugs I have found are not only already reported by someone
else, but usually already acknowledged and fixed by the time I have
found them. The freeze before release also means that most bugs have a
chance to be ironed out before the next stable is actually released,
because they are found by people actually running the software.

Then there is of course, the ideological part - Debian is about Free
Software, and has a commitment to provide a quality distro to its users.

> 6.) And finally, if you care to toss in any ideas or info, I'm very
> glad and excited to hear it. For instance, if you were going to switch
> all your systems within the next year, would you choose something else?
> A BSD port? Go back to Solaris? Novell? SCO? Just kidding.

I guess the only thing I would add is that there are, of course,
downsides to every project. Debian's downside for large companies is
that it is a volunteer effort, and as such, there is no such thing as
technical support available on a fee basis. There are the mailing
lists, which are very helpful, and usually give me the answer I need
faster than any technical support has, but some companies may be turned
off by that. On the other hand, since Debian is not for profit, it
seems to me unlikely that it will disappear out from under you because
it is not making a profit, as RedHat has. So long as there are
interested people, it will be around.

HTH, and good luck,
--
Stephen Gran
Re: Considering Debian (currently using Red Hat)
This one time, at band camp, Lucas Albers said:
> I have recently started the process of switching my computers from redhat
> to debian.
> I would very much appreciate step by step directions for creating a local
> repository for redistribution of kernel packages and locally built
> packages.

Just pick a directory that you want to put your local debian packages
in, and run dpkg-scanpackages on it. It will create a Packages file,
which you then need to gzip. This is my rough script that updates my
directories whenever I add a new package - it does both source and
binary, which may be more than you want. It also does separate
stable/unstable trees. Feel free to redo as you need.

    #!/bin/sh
    # make_apt, v 0.1
    # Make apt-gettable source lines in my debian subdirectory.
    echo $0
    DIR=/home/steve/public_html/debian/
    # Stop here if the directory is missing: the rm/gzip below must not
    # run somewhere else.
    cd "$DIR" || exit 1
    for dist in woody sid; do
        # binary index: Packages, with the override file supplying
        # priority and section per package
        rm dists/$dist/main/binary-i386/Packages.gz
        dpkg-scanpackages pool/$dist/main/ indices/override.$dist.main > \
            dists/$dist/main/binary-i386/Packages
        gzip -9 dists/$dist/main/binary-i386/Packages
        # source index: Sources
        rm dists/$dist/main/source/Sources.gz
        dpkg-scansources pool/$dist/main > dists/$dist/main/source/Sources
        gzip -9 dists/$dist/main/source/Sources
    done

override.$dist.main looks something like this (package, priority,
section, separated by whitespace):

    qvcd    optional    utils
    cosmos  optional    x11

and the sources.list entries corresponding to this setup are:

Stable sources.list lines:

    deb http://www.lobefin.net/~steve/debian woody main
    deb-src http://www.lobefin.net/~steve/debian woody main

Unstable sources.list lines:

    deb http://www.lobefin.net/~steve/debian sid main
    deb-src http://www.lobefin.net/~steve/debian sid main

Remember to let your web or ftp server know to serve the correct
directory, or none of this will be much use.

> I ran across basic directions on setting up mirror, but nothing about
> debianizing a package; if you just want it for a local package.
> eg, you don't need the full steps, just enough to convert a tar.gz file to
> a .deb file.

http://www.debian.org/doc/maint-guide/ has a pretty good starting
reference for this.

> I run the 2.4.23+ kernels on my servers as it supports the newest
> hardware. I don't run stable because they don't have drivers for my newer
> network card. I also recompile my kernel with grsecurity security patches.
> I am currently only running 4 debian boxes, but I have yet to encounter a
> single kernel crash.

Using make-kpkg is a good way to build a kernel-image .deb that you can
then put in your mirror for redistribution. man make-kpkg for details -
it's really pretty straightforward.

--
Stephen Gran
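The script above publishes a gzipped Packages index that clients trust for Filename, Size and checksum of every .deb in the pool. The following is an added example, not part of the post or of the dpkg tools, that parses such an index and verifies the pool against it, so a corrupted or replaced package file is caught before apt fetches it. It builds a throw-away pool of stand-in files (not real .debs), writes a minimal index with the fields dpkg-scanpackages emits (`Filename`, `Size`, `MD5sum`; `SHA256` is included as well and checked only when present), gzips it like the script does, then tampers with one file in place and removes another. Paths and package names are constructed for the example.

```python
import gzip
import hashlib
import os
import tempfile


def parse_packages(text):
    """Split a Packages file into stanzas (dicts); indented lines continue the previous field."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
            continue
        if line[0] in " \t" and last:
            cur[last] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        last = key.strip()
        cur[last] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def file_digests(path):
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def verify_pool(packages_text, root):
    """For every stanza: the file must exist under root, match Size, and match
    MD5sum (and SHA256 when the index carries it). Returns {package: status}."""
    results = {}
    for st in parse_packages(packages_text):
        name, path = st["Package"], os.path.join(root, st["Filename"])
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != int(st["Size"]):
            results[name] = "size-mismatch"
            continue
        md5, sha256 = file_digests(path)
        if md5 != st.get("MD5sum", md5) or sha256 != st.get("SHA256", sha256):
            results[name] = "checksum-mismatch"
            continue
        results[name] = "ok"
    return results


def make_stanza(root, filename, package, version):
    """Minimal stanza in the shape dpkg-scanpackages writes (constructed, not its output)."""
    path = os.path.join(root, filename)
    md5, sha256 = file_digests(path)
    return (f"Package: {package}\nVersion: {version}\nArchitecture: i386\n"
            f"Filename: {filename}\nSize: {os.path.getsize(path)}\n"
            f"MD5sum: {md5}\nSHA256: {sha256}\n"
            f"Description: constructed test package\n placeholder long description\n")


def demo():
    """Build a tiny pool, index it, gzip the index, then tamper and re-verify."""
    root = tempfile.mkdtemp()
    pool = os.path.join(root, "pool", "woody", "main")
    os.makedirs(pool)
    names = ("qvcd", "cosmos", "ghost")
    for n in names:
        with open(os.path.join(pool, f"{n}_1.0_i386.deb"), "wb") as fh:
            fh.write(b"!<arch>\n" + n.encode() * 100)   # stand-in bytes, not a real .deb
    text = "\n".join(make_stanza(root, f"pool/woody/main/{n}_1.0_i386.deb", n, "1.0")
                     for n in names)
    idx = os.path.join(root, "Packages.gz")
    with gzip.open(idx, "wt") as fh:
        fh.write(text)
    # Same-size modification (size check alone would miss it) and a vanished file.
    with open(os.path.join(pool, "cosmos_1.0_i386.deb"), "r+b") as fh:
        fh.seek(8)
        fh.write(b"XXXX")
    os.remove(os.path.join(pool, "ghost_1.0_i386.deb"))
    with gzip.open(idx, "rt") as fh:
        return verify_pool(fh.read(), root)


if __name__ == "__main__":
    for package, status in demo().items():
        print(f"{package:10} {status}")
```

This catches a pool that no longer matches its index; it cannot catch an index that was replaced together with the files, since nothing here is signed. That is what a signed Release file over the index provides, which the 2004-era script above does not produce.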
Strange LDAP problem
Hello all,

I am having the strangest LDAP issue. We recently migrated a network
from a hodgepodge of system accounts to an all LDAP setup, with the
exception of a few administrative accounts. All seems to be working
well, except for one thing - finger. id returns the expected values,
users can log in, mail gets accepted and delivered, everything I can
think of to check works fine, except finger. Even stranger:
finger -m $user returns expected results, although finger $user returns
'no such user'.

Aha! I said - an indexing problem, or perhaps nscd. Responses coming
back too slow for finger. Messed about with different indexing schemes
(they are currently this:

    index gecos,cn,uid pres,eq,sub
    index homeDirectory,objectClass,loginshell,gidnumber,uidnumber pres,eq

for an ldif of:

    dn: uid=$user,ou=People,dc=ccil,dc=org
    objectClass: top
    objectClass: ccilAccount
    objectClass: posixAccount
    objectClass: ccilAddress
    objectClass: ccilWorkAddress
    objectClass: ccilPerson
    cn: Some Guy
    uid: $user
    uidNumber: 11709
    gidNumber: 100
    homeDirectory: /home/u/$user
    l: Smalltown
    st: PA
    postalCode: 12345
    userPassword::
    loginShell: /bin/bash
    gecos: Some Guy
    pppAccess: TRUE
    emailAccess: TRUE
    registered: Oct 30 22:23:16 2001
    street: 1224 Main St.
    bday: 01-02-03
    telephoneNumber: 215-555-1212
    education: College Graduate
    gender: Blank

(names changed to protect the innocent))

Changing indexing options, running slapindex over and over, no help.
By accident, I reran finger in my root session that was kept open as an
"I hope I don't hose something" backup plan, and it worked. Now I start
to think ACL's, nscd permissions, etc, but I see nothing out of the
ordinary. We're using a pretty close to stock Debian config for all of
this, with some minor tuning for indexing options and cache size, but
that's about it. The ACL's are the stock ones, so I really don't know
what's falling over here.

Anybody have any ideas what to debug next?

TIA,
--
Stephen Gran
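When account data moves from /etc/passwd into LDAP, as in the migration described above, the entries themselves become the thing worth auditing: a posixAccount missing one of its required attributes is the kind of entry that one NSS client resolves and another reports as 'no such user', and two entries sharing a uidNumber, or an LDAP account landing in the system uid range next to the local administrative accounts, are access-control problems rather than lookup problems. This is an added example, not code from the thread, that parses LDIF (including folded lines and `::` base64 values like the `userPassword::` above) and runs those three checks. The entries, names and the cut-off for the system range (999, assumed) are constructed for the example.

```python
import base64

# Attributes RFC 2307 marks MUST for posixAccount.
REQUIRED_POSIX = ("uid", "cn", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.
    Folded lines (leading space) are joined; 'attr:: value' is base64-decoded."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, cur = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if cur is None:
            cur = {}
        cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def check_posix_accounts(entries, system_uid_max=999):
    """Return (dn, problem) pairs for every posixAccount that is incomplete,
    reuses another entry's uidNumber, or sits in the local system uid range."""
    findings, seen = [], {}
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        if "posixAccount" not in e.get("objectClass", []):
            continue
        missing = [a for a in REQUIRED_POSIX if a not in e]
        if missing:
            findings.append((dn, "missing " + ",".join(missing)))
        uidn = e.get("uidNumber", [None])[0]
        if uidn is None:
            continue
        if uidn in seen:
            findings.append((dn, f"uidNumber {uidn} also used by {seen[uidn]}"))
        else:
            seen[uidn] = dn
        if int(uidn) <= system_uid_max:
            findings.append((dn, f"uidNumber {uidn} is in the system range"))
    return findings


# Constructed entries in the shape of the ldif quoted above (placeholder people).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: top
objectClass: posixAccount
cn: Alice Example
uid: alice
uidNumber: 11709
gidNumber: 100
homeDirectory: /home/u/alice
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
loginShell: /bin/bash
description: account created during the 2001 migration,
  kept for the mail archive

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: top
objectClass: posixAccount
cn: Bob Example
uid: bob
uidNumber: 11709
gidNumber: 100
homeDirectory: /home/u/bob

dn: uid=backup,ou=People,dc=example,dc=org
objectClass: top
objectClass: posixAccount
cn: Backup Operator
uid: backup
uidNumber: 34
gidNumber: 34
homeDirectory: /var/backups
loginShell: /bin/false

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: top
objectClass: posixAccount
cn: Carol Example
uid: carol
uidNumber: 11710
gidNumber: 100
loginShell: /bin/bash
"""

if __name__ == "__main__":
    for dn, problem in check_posix_accounts(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {problem}")
```

Feed it the output of `slapcat` (or `ldapsearch -LLL` over the People subtree) rather than hand-written LDIF; the system-range check is only meaningful if you compare it with the uids still present in the local /etc/passwd on each host.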
Sendmail & access restrictions
Hello all,

We're in the process of locking down access to various services on a
network, and one of the things we want to do is lock down sendmail a
little. We are migrating a box from being the front-end mail machine,
with the SASL database and all of the other user info on it, to being a
backend machine that only does two things: receive mail from front-end
machines for the local domain, and relay mail that has used SMTP-AUTH.

I think I'm being dense, but I can't figure out how to do something like
the following in /etc/mail/access:

    xxx.xxx.xxx.xxx:    OK      # front-end machine 1
    xxx.xxx.xxx.xxy:    OK      # front-end machine 2
    [ . . . ]
    AUTH:               OK
    *:                  REJECT

I would like the above logic, but still have local mail (cron jobs, etc)
work somehow. Anybody set this kind of thing up before? I know how to
do it in exim4 (or at least have rough ideas), but I can't figure out
how to do the logic for sendmail.

TIA,
--
Stephen Gran
Re: Strange LDAP problem
This one time, at band camp, Theodore Knab said:
> If finger is not working, does chfn or the password change stuff work ?
>
> I think this is a PAM issue. However, I could be wrong.
>
> My '/etc/pam.d/login' file looks like this and fingers work with LDAP.
>
> What does yours look like ?
>
> [EMAIL PROTECTED]:/etc/pam.d$ cat login | grep -v ^#
>
> auth       requisite  pam_securetty.so
> auth       requisite  pam_nologin.so
> auth       required   pam_env.so
> auth       sufficient pam_ldap.so
> auth       required   pam_unix.so nullok
> account    sufficient pam_ldap.so
> account    required   pam_unix.so
> session    sufficient pam_ldap.so
> session    required   pam_unix.so
> session    optional   pam_lastlog.so
> session    optional   pam_motd.so
> session    optional   pam_mail.so standard noenv
> password   sufficient pam_ldap.so obscure min=4 max=50
> password   required   pam_unix.so nullok obscure min=4 max=50

    auth       required   pam_securetty.so
    auth       required   pam_nologin.so
    auth       sufficient pam_ldap.so
    auth       required   pam_unix_auth.so try_first_pass
    account    sufficient pam_ldap.so
    account    required   pam_unix_acct.so
    password   sufficient pam_ldap.so
    password   required   pam_unix.so use_first_pass
    session    sufficient pam_ldap.so
    session    required   pam_unix_session.so
    #session   optional   pam_console.so

Not so strikingly different that I see the problem. Remember too, that
users can log in and that `id` works as expected.

> My LDAP entry looks like:
[...]
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: account
> objectClass: qmailuser
> objectClass: couriermailaccount
> objectClass: Person
> objectClass: OrganizationalPerson
> objectClass: inetOrgPerson

This is where I see some differences. We don't use inetOrgPerson, but
we use a locally extended one in our schema. I don't see how this could
make a difference, though.

Thanks for the help,
--
Stephen Gran
Re: Sendmail & access restrictions
This one time, at band camp, Kris Deugau said:
> Stephen Gran wrote:
> > I think I'm being dense, but I can't figure out how to do something
> > like the following in /etc/mail/access:
> >
> > xxx.xxx.xxx.xxx: OK # front-end machine 1
> > xxx.xxx.xxx.xxy: OK # front-end machine 2
>
> OK. You'll want to add localhost and 127.0.0.1:
>
> localhost.localdomain RELAY
> localhost RELAY
> 127.0.0.1 RELAY

That is quite helpful, thanks.

> otherwise locally-generated mail will fail. Unless you've got a good
> reason NOT to trust localhost, any sendmail access map should include
> these or similar lines- the last one is probably all that's required.
>
> > AUTH: OK
> > *: REJECT
>
> But these aren't really valid.

I understand - they were rough logic for what I want, not actual lines -
I said I couldn't figure it out :)

> By default (at least with recent versions of sendmail), relaying is
> denied UNLESS you have told sendmail otherwise.

Ah, I see the problem - it's not _relaying_ alone I want to reject
(we've got the auth part straightened out already, and we're not an
open relay). What I want to do is not accept mail unless it comes from
one of a few IP's, or is authenticated.

Say the domain is foo.com, and this server's hostname is mail.foo.com.
It is not listed as an MX record, so no legitimate emails should ever
arrive there, only spams and viruses and whatnot. However, any mail
that arrives for [EMAIL PROTECTED] is accepted, since sendmail knows
that it _is_ mail.foo.com. I want to reject these, and only accept
mail that is authed, or coming in through one of the frontend machines.
I can't just do it with iptables, because of the roaming users.

--
Stephen Gran
Re: Strange LDAP problem
This one time, at band camp, Michael Loftis said:
> augh disregard my last...sounds like you got that done. long day over here
> already.

I know that feeling :)

> can you turn up debugging on your slapd? loglevel 256 or loglevel 512 are
> VERY helpful, they log what searches are run--one or both does i can't
> remember...this way you can find out whats up.

I will do so when I get some time - I think I did some of this in the
past, and it helped me past some stupid errors in our ldif's before.
Will try again.

Thanks,
--
Stephen Gran
Re: Strange LDAP problem
This one time, at band camp, Michael Loftis said:
> augh disregard my last...sounds like you got that done. long day over here
> already.
>
> can you turn up debugging on your slapd? loglevel 256 or loglevel 512 are
> VERY helpful, they log what searches are run--one or both does i can't
> remember...this way you can find out whats up.

With loglevel 512:

    Mar 24 21:15:51 mercury slapd[19886]: conn=46 op=1 ENTRY dn="uid=nabraham,ou=People,dc=ccil,dc=org"
    Mar 24 21:15:51 mercury slapd[19886]: conn=46 op=1 ENTRY dn="uid=wcwa,ou=People,dc=ccil,dc=org"
    Mar 24 21:15:51 mercury slapd[19886]: conn=46 op=1 ENTRY dn="uid=sharon,ou=People,dc=ccil,dc=org"
    Mar 24 21:15:51 mercury slapd[19886]: conn=46 op=1 ENTRY dn="uid=bigstape,ou=People,dc=ccil,dc=org"
    Mar 24 21:15:51 mercury slapd[19886]: conn=46 op=1 ENTRY dn="uid=jseidel,ou=People,dc=ccil,dc=org"
    Mar 24 21:15:51 mercury slapd[19886]: conn=46 op=1 ENTRY dn="uid=nancymk,ou=People,dc=ccil,dc=org"
    Mar 24 21:15:51 mercury slapd[19886]: conn=46 op=1 ENTRY dn="uid=waldron,ou=People,dc=ccil,dc=org"
    [...]

about 1500 more times, which I don't think anyone really needs to see :)

It is doing the lookups, but it is apparently not getting translated
back by the system calls? finger -m does work, as does finger without a
user argument, so at some level all of this works, just not for large
queries. Similarly, I just noticed that getent passwd $user works, but
getent passwd only returns the users in /etc/passwd. Odd, but I'm on to
something now, I guess - all large queries fail, and the small ones
succeed. Not sure what to do with it, but I have a starting point now.
Maybe this is a problem in the system calls, or the size of the nscd
cache, or something screwy like that? Not sure where else to go with
this now.

Thanks again,
--
Stephen Gran
Re: Sendmail & access restrictions
This one time, at band camp, Christian Storch said:
> Here some straightforward methods for sendmail:
>
> You want to restrict to some IP's?
>
> local-host-names:
> 10.0.0
> 192.168
> 127.1.2.3

Sure, but this doesn't stop incoming mail addressed to this hostname,
but coming from some random place, from being accepted.

> Or to authenticated users?
> http://lists.debian.org/debian-isp/2004/debian-isp-200402/msg00267.html

Already taken care of. Maybe this will make it more clear:

                 /-frontend1-\
    internet ---              --- mail.foo.com
                 \-frontend2-/

[...]

This is the normal flow of mail. The only other mail that should ever
be accepted by mail.foo.com is mail coming from roaming users, who use
auth+ssl on their connections. The mail is already flowing from
frontend 1&2, and the auth part is set up for the users. The problem we
are having is that mail is still arriving at mail.foo.com from other
sites (presumably all spam), and we would like it to be rejected by
sendmail. We can't close the port, due to roaming users. Local users
also use webmail, so sent mail should reflect the real host name of the
machine.

I can't think this would be that unusual of a set up, but it doesn't
seem to be as easy to do as I would think. If it's possible to force
sendmail to only accept smtp auth as a hack, I would be willing to do
that, although it seems that it should be possible without. I have
tried the bat book, sendmail.org, etc. but I don't see what I am
looking for anywhere.

Thanks all,
--
Stephen Gran
Re: Sendmail & access restrictions
This one time, at band camp, Jon Hoffman said:
> I don't have a spare machine to test right now but I
> have seen a similar setup before, so I'll take a stab
> from memory. If this works post it to the list, I
> don't like posting un-tested configs.
>
> You might want to start by making sure you don't have
> anything in relay-domains, and start with a fresh
> access map.
>
> In access, add back your:
>
> 127.0.0.1           OK
> frontend1           OK
> frontend2           OK
> To:@foo.mail.com    REJECT

Now *that* looks about right. I am getting a spare box next week or so
- I will post back with the test results.

Thanks a lot.
--
Stephen Gran
Re: clamd with amavis on Postfix
This one time, at band camp, Theodore Knab said:
> I am playing with clamd and spamd on a [production] server. ;-)
>
> I really like clamd however it keeps dying.
>
> My clamd.conf looks like this:
> ScanMail

That's probably your problem. As the debconf note says, the ScanMail
part of the code is not very stable. If you use amavis to call clamd,
then clamd is never really scanning mboxes - amavis is unpacking the
message and running clamd over the parts. Try commenting out that
option and restarting clamd - it should last a little longer.

--
Stephen Gran
Sendmail, LDAP, and authinfo
Hello all,

Does anyone know if sendmail can do authentication against an LDAP
server? We are getting ready to change which box is being used for
outgoing mail, and since outgoing mail is only allowed either from the
client's subnet or via auth, it would be nice if we could authenticate
against an already set up LDAP server. I have seen plenty of stuff
about mailertable, access, aliases, etc, but nothing about authinfo.
ATM, we're using sasl on the box it's on, and my feeling was that
migrating the setup to LDAP would be easier and more maintainable in
the long run, especially since LDAP is already in place. It's easier
to maintain one database than two.

TIA,
--
Stephen Gran
Re: Sendmail, LDAP, and authinfo
This one time, at band camp, Christian Storch said:
> I would suggest to use 'pam_ldap.so' from 'libpam-ldap' via sasl.
> How to do it with sendmail:
> http://lists.debian.org/debian-isp/2004/debian-isp-200402/msg00267.html

I was trying to stay away from pam-ldap - was thinking it might make
more sense to do direct queries, instead of the abstraction - but if
that's what there is, it looks easy enough.

Thanks,
--
Stephen Gran
Re: e-mail for multiple domains
This one time, at band camp, Rod Rodolico said:
> Ok, I've researched the exim stuff and I think I see how to do it via
> aliases, but I want to see if anyone has a better solution.
>
> We're really an IPP. We host several domains, with a few users for
> each. It is getting to the point where name conflict is an issue, ie I
> need [EMAIL PROTECTED] and [EMAIL PROTECTED] to be two separate users. I see how
> to set up Exim to make them resolve to separate users, ie [EMAIL PROTECTED]
> could be resolved to joe1 and [EMAIL PROTECTED] could be resolved to joe2.
>
> However, I'd like to make it more seamless for the client. Seems like
> making them log in with joe1 and joe2 is more of a hassle than they
> need.

I think what you want is something like mail delivered to
/home/$domain/$user/Maildir/ ? Exim can do that - something like this:

    virtual_maildir_home:
      debug_print = "T: virtual_maildir_home for [EMAIL PROTECTED]"
      driver = appendfile
      directory = /home/$domain/$local_part/Maildir
      delivery_date_add
      envelope_to_add
      return_path_add
      maildir_format
      mode = 0600
      mode_fail_narrower = false

I don't think that courier can handle the pop retrieval of that,
however. I have heard that cyrus does a better job with these sort of
things, so that may be something worth looking into.

> Is there another way of doing this? I currently have all my users as
> real users on the server, simply setting /bin/false for the shell on
> those who do not need to update their web sites.

LDAP would also be good, so that there is no tie between mail and
logging in at all, but your way works - it's just that managing a large
passwd file is harder to do once you have to spread it out over several
machines.

--
Stephen Gran
Re: Catchall for Exim 3.35
This one time, at band camp, Adam Dawes said:
> Hi all,
>
> I'm doing some spam research and need to configure my exim so that it
> accepts all incoming mail and shunts those with invalid addresses into a
> catchall address. Basically, I want to mimic how Exchange servers
> accept everything. I believe the following will do it for Exim 4, but
> when I try it with my 3.35 installation, it chokes on all incoming
> messages. I was hoping someone might have a snippet that I could use in
> my exim.conf that would do the trick.
>
> catchall:
>   driver = smartuser
>   new_address: [EMAIL PROTECTED]
>
> thanks,
> Adam

Change the lsearch to an lsearch* for the /etc/aliases lookup, and do this in /etc/aliases:

  *: [EMAIL PROTECTED]

I think that will work (can't remember if lsearch* is in exim3 or not, though).
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: hardware/optimizations for a download-webserver
This one time, at band camp, Michelle Konzack said:
> On 2004-07-19 10:01:06, Russell Coker wrote:
> >On Mon, 19 Jul 2004 05:59, Michelle Konzack <[EMAIL PROTECTED]> wrote:
> >> >Thinking of the expected 50KB/sec download rate i calculated a
> >> >theoretical maximum of ~250 simultaneous downloads -- am i right ?
> >>
> >> With a 100 MBit NIC you can have a maximum of 7 MByte/sec
> >
> >What makes you think so?
> >
> >Other people get >10MB/s. I've benchmarked some of my machines at 9MB/s.
>
> I do not believe it!
>
> Maybe with UDP but not TCP; it is not possible from the protocol.
> I have high performance NICs and some servers which are killers
> but never got more than 7.4 MByte/second
>
> How do you benchmark?
> Two computers with 2 feet cross-over cable?
>
> Maybe you will have zero errors, but in real it does not work.

(create large file)

  [EMAIL PROTECTED]:~$ dd if=/dev/urandom of=public_html/large_file bs=1024 count=5
  5+0 records in
  5+0 records out

(get large file)

  [EMAIL PROTECTED]:~$ wget www.lobefin.net/~steve/large_file
  [...]
  22:46:09 (9.61 MB/s) - `large_file' saved [5120/5120]

Of course, for reasonably sized files (where reasonable is <10MB), I get transfer speeds closer to 11MB/s. YMMV, but it is not a fault of the TCP protocol. Switched 10/100 connection here. Of course real internet travel adds some latency, but that's not the point - the NIC is not the bottleneck, bandwidth is in the OP's question.
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: spamassassin memory leak bug with bayes
This one time, at band camp, Dmitry Golubev said:
> I found the missing library - it is libdb-4.0.so Why has not my ldd script
> found it? I assume it is a bug that (a) ldd can not find it (b) without it,
> mailscanner just takes over all the resources
>
> Dmitry

I suspect mailscanner is a perl app, and not completely the problem - something else (maybe one of the underlying perl modules) is trying to use libdb-4.0.so and failing, but I am not sure. Either your script doesn't check all the necessary modules, or there is a missing dependency for a compiled app or library. objdump is often helpful in these settings - it will pick up something like an rpath easily.
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: ssh and root logins
This one time, at band camp, Bernard Blackham said:
> This lets the backup key *only* run rsync in server mode. I
> /believe/ this means that (short of finding a buffer overflow in
> rsync) logins with this ssh key will only be able to read files, and
> not be able to change anything. Though if anybody can find any flaws
> in this scheme, I'd like to know :)

As is kind of obvious, if I can compromise that key, I can do

  rsync -e ssh --delete /some/empty/dir [EMAIL PROTECTED]:/

or something, which isn't very nice :) Admittedly though, if you use rsync for backups, you have to take this kind of chance, I think - I'm not sure how else to proceed. I do like the idea of your script - it takes things one step further than I have.

TTYL,
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: ssh and root logins
This one time, at band camp, Stephen Gran said:
> This one time, at band camp, Bernard Blackham said:
> > This lets the backup key *only* run rsync in server mode. I
> > /believe/ this means that (short of finding a buffer overflow in
> > rsync) logins with this ssh key will only be able to read files, and
> > not be able to change anything. Though if anybody can find any flaws
> > in this scheme, I'd like to know :)
>
> As is kind of obvious, if I can compromise that key, I can do
> rsync -e ssh --delete /some/empty/dir [EMAIL PROTECTED]:/
> or something, which isn't very nice :)

Err, disregard - I just now noticed the --server _--sender_ part of it - no, you should be fine, since that only allows pull jobs.

Sorry about that,
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
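The "--server --sender" restriction discussed in these two mails, written out as a forced-command guard. This is an added example and not Bernard's script; the wrapper path, the key, and the ALLOWED_ROOT tree are placeholders, and it only runs the requested command when it is rsync in pull form (the remote side is the receiver, so nothing on this host is written) and the source path stays inside the allowed tree.

```python
"""Forced-command guard for a pull-only rsync backup key.

Added example, not code from the thread. It is meant to be referenced from
the backup key's authorized_keys line (wrapper path and key are placeholders):

  command="/usr/local/sbin/rsync-pull-guard",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... backup@host

sshd exports the command the client asked for as SSH_ORIGINAL_COMMAND; the
guard execs it only if it is "rsync --server --sender ..." (the peer pulls,
so this host only reads) and the requested tree lies inside ALLOWED_ROOT.
"""
import os
import re
import shlex
import sys

ALLOWED_ROOT = "/srv/backup"               # hypothetical tree the backup key may read
SHORT_OPTS = re.compile(r"-[A-Za-z.]+")    # rsync's single short-option cluster, e.g. -vlogDtprze.iLsfx


def validate(original_cmd: str, allowed_root: str = ALLOWED_ROOT):
    """Return the argv to exec, or None if it is not a pull-only rsync inside allowed_root."""
    try:
        argv = shlex.split(original_cmd)
    except ValueError:                      # unbalanced quotes
        return None
    # A push ("rsync --server" without --sender) would make this host the
    # receiver and let the peer write or delete files here, so it is refused.
    if argv[:3] != ["rsync", "--server", "--sender"]:
        return None
    flags, paths = [], []
    for arg in argv[3:]:
        if arg.startswith("--"):
            return None                     # no further long options at all
        if SHORT_OPTS.fullmatch(arg):
            flags.append(arg)
        else:
            paths.append(arg)
    # Server form is: rsync --server --sender <flags> . <source path>
    if len(flags) != 1 or len(paths) != 2 or paths[0] != ".":
        return None
    target = os.path.normpath(paths[1])     # collapses any ".." before the containment check
    if not os.path.isabs(target) or os.path.commonpath([allowed_root, target]) != allowed_root:
        return None
    return argv


def main() -> int:
    argv = validate(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        sys.stderr.write("rejected: only pull-only rsync from %s is permitted\n" % ALLOWED_ROOT)
        return 1
    os.execvp(argv[0], argv)                # replaces this process with rsync


if __name__ == "__main__":
    sys.exit(main())
```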
managing syslog
Hello all,

I am sorry to have to ask this here - it seems like it just should be working, but it's not, and I am now starting to get frustrated.

At work we have several machines that output a lot of garbage to syslog, most of which we don't need to see. The programs responsible for the garbage are also capable of sending admin emails for alerts, so I thought that a nice idea might be to have syslog log all of the messages to a separate file that we don't logcheck, and look them over if there's an email or a problem (don't worry - these are non-mission critical type apps, and are not network accessible, so I am not too worried about missing a message for a little while).

I can configure the loglevel that the apps log to, fortunately, but it doesn't seem to be working correctly. So, if I am logging to syslog level local7, I add this to syslog.conf as the first uncommented line:

  local7.*        /var/log/noisy.log

and hup syslog. I now see the messages from the apps in noisy.log, but I still see the chatter in syslog :(

Does anyone see anything obviously wrong with this, to help save me from tearing hair out?

Thanks,
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: managing syslog
This one time, at band camp, Frode Haugsgjerd said:
> syslog.conf doesn't work as a filter (check line for line, stop at first match)
> like iptables or cisco access lists do.
> If you still got the default catch-all line:
> *.*;auth,authpriv.none -/var/log/syslog
> in syslog.conf, the messages go there too.

This was the kick in the head I needed, thanks. Changing that line to

  *.*;auth,authpriv.none,local7.none    -/var/log/syslog

works as expected now.

Thanks again,
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
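The matching rule Frode describes, as an added example (not from the thread) that evaluates sysklogd-style syslog.conf selectors the way syslogd does: every line whose selector accepts a message gets a copy, so only `local7.none` on the catch-all line keeps the chatter out of /var/log/syslog. The two configurations are reconstructed from the mails above; the `!prio` and `=prio` forms are handled as well.

```python
"""Evaluate sysklogd-style syslog.conf selectors the way syslogd does.

Added example, not from the thread: there is no first-match stop, so a
local7 message goes to every line whose selector accepts it.
"""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]
# Least to most severe, as in syslog(3); "warn", "error" and "panic" are aliases.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
# One selector: comma-separated facilities, a dot, then a priority spec.
# A comma may also separate two selectors ("auth,authpriv.none,local7.none").
SELECTOR = re.compile(r"([\w*]+(?:,[\w*]+)*)\.(!?=?[\w*]+)")

# Reconstructed from the two mails above (constructed sample configs).
BEFORE = """\
local7.*                    /var/log/noisy.log
*.*;auth,authpriv.none      -/var/log/syslog
"""
AFTER = """\
local7.*                              /var/log/noisy.log
*.*;auth,authpriv.none,local7.none    -/var/log/syslog
"""


def _apply(current, spec):
    """Apply one priority spec to the priorities already accepted for a facility."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "none":
        return set()                               # drops the facility from this line
    if spec == "*":
        return set() if negate else set(PRIORITIES)
    if spec.startswith("="):
        prios = {ALIASES.get(spec[1:], spec[1:])}  # exactly this priority
    else:
        name = ALIASES.get(spec, spec)
        prios = set(PRIORITIES[PRIORITIES.index(name):])   # this priority and more severe
    return current - prios if negate else current | prios


def parse_rule(line):
    """Return (accepted, action) where accepted maps facility -> set of priorities."""
    selector, action = line.split(None, 1)
    accepted = {}
    for facs, spec in SELECTOR.findall(selector):
        targets = FACILITIES if facs == "*" else facs.split(",")
        for fac in targets:
            accepted[fac] = _apply(accepted.get(fac, set()), spec)
    return accepted, action.strip().lstrip("-")    # leading "-" only means "do not fsync"


def parse_conf(text):
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def destinations(rules, facility, priority):
    """Every action that receives a (facility, priority) message, in file order."""
    return [action for accepted, action in rules
            if priority in accepted.get(facility, set())]
```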
Re: Bug#276217: postfix: random SIGSEGV in smtp processes
This one time, at band camp, Adrian 'Dagurashibanipal' von Bidder said:
> On Tuesday 12 October 2004 22.49, Emmanuel Lacour wrote:
> > On Tue, Oct 12, 2004 at 07:33:36PM +0200, Adrian 'Dagurashibanipal' von
> > > I did run apt-get upgrade, but I can't say what packages were upgraded
> > > (grr. Why doesn't dpkg write a log!?!?!?)
> >
> > apt-get upgrade -u
> >                ^^^
>
> That still doesn't get me a log.

Totally unrelated to your real question, but for this one:

  [EMAIL PROTECTED]:~$ cat /usr/local/sbin/apt-get
  #!/bin/bash
  # Log every apt-get invocation and its output to a timestamped file.
  set -o pipefail      # so the exit status is apt-get's, not tee's
  if [ ! -d /var/log/apt-get ]; then
      mkdir -p /var/log/apt-get
  fi
  filename="/var/log/apt-get/$(date +%Y%m%d%H%M%S)"
  echo "$0 $*" >> "$filename"
  echo "---" >> "$filename"
  /usr/bin/apt-get -q "$@" 2>&1 | tee --append "$filename"

Works nicely. Putting it in /usr/local/sbin makes it come first in root's default path, and has the advantage of being outside of regular users' paths, so they can still 'apt-get source' without getting a permission denied on the log file.
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: Secure Delivery between MTA and MDA
This one time, at band camp, Simon Buchanan said:
> We are setting up mail services to service a small ISP (-2000 mail
> boxes) using postfix and DBmail, which we have configured and working
> well. The MTA (postfix with spam/virus) sits on a pairing exchange
> (along with a web server)... we are connected to the Internet from the
> pairing exchange via a 100Mbit connection. From the exchange to our NOC
> is a 5Mbit pipe. The MDA (postfix/DBMail) sits in off our NOC.
>
> What I want to do is set up some sort of secure transfer between the MTA
> and MDA. In theory the only traffic that is coming into the MDA is
> correctly filtered mail. Outgoing is a different story and not an issue
> here.
>
> The MDA is sitting in its own DMZ behind a Borderware firewall.
>
> Suggestions for/against/other are welcome (please!)

Firewall the MDA machine to only accept port 25 connections from the MTA machine (I assume that's the desired goal here). If by 'secure' you also mean encrypted, use TLS for transport between the two machines. I tend to think TLS is a waste of overhead for most email, as it passes in the clear on most hops, but if you expect to be passing sensitive information like system logs or passwords, then I would use it. It is by no means "completely secure" but it adds overhead to people trying to hack your network. If they really want in, they'll generally find a way, but if they're just looking for an easy to push over machine, this layer of defense can be helpful.
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: Can we build a proper email cluster? (was: Re: Why is debian.org email so unreliable?)
This one time, at band camp, martin f krafft said:
> also sprach Russell Coker <[EMAIL PROTECTED]> [2004.10.17.1622 +0200]:
> > Are you going to be involved in doing the work?
>
> I volunteer to join the postmaster team and help out.

/AOL. My experience is mostly exim3 & 4, and sendmail.
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: Exim conditions for attachments
This one time, at band camp, Craig Schneider said:
> Hi Guys
>
> I have written a condition to check if a user is in a flat text file, if
> so then allow them NOT to receive attachments of a certain type. However
> I need to put a condition in to allow them to receive from the
> $local_domain.
>
> Here's what I have so far:
>
> # deny message = User is unable to receive attachments of this nature ($found_extension)
> #      condition = ${lookup{$recipients}lsearch{/etc/mail/extensions}{1}{0}}
> #      demime = jpg:mpg:mpeg:mp3:gif:bmp

If you mean from 127.0.0.1, then add a

  ! hosts = :

If you mean from [EMAIL PROTECTED] (trivially forged, and I would avoid relying on this test), add a

  ! senders_domain = +local_domains

(I may be wrong about sender_domains - check the spec. It's close to that, but I forget and am too lazy to look right now :)
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: Exim conditions for attachments
This one time, at band camp, Craig Schneider said:

(redirecting this back to the list - I read the list, so you can send replies there.)

> Hi Stephen
>
> Thanks for the help dude.
>
> Do you mean like this? Or incorporate it into the condition somehow?
>
> # deny message = User is unable to receive attachments of this nature ($found_extension)
> #      domains = ! +local_domains
> #      condition = ${lookup{$recipients}lsearch{/etc/mail/extensions}{1}{0}}
> #      demime = jpg:mpg:mpeg:mp3:gif:bmp
>
> Thanks

That statement will do this:

  if ( the domain of the recipient is not a local domain)
  and ( the recipient is found in a file)
  and ( after unpacking, the message contains one of these mime types)
  then deny the email

Which is not what I think you want. I am also fairly sure that $recipients is not available in ACLs, but only in system filters.

There are several problems with the approach you're trying:

First, you can only unpack a message after the data phase of the smtp transaction, at which point you may have one or more recipients for a message. What do you do with the email if one of the recipients is on the list, but the others aren't? If you reject the email, nobody in the recipient list gets the email, whether they're on your list or not, and if you accept it, everybody on the recipient list gets the email.

The +local_domain as sender is something that is too easily forged to allow for exemption, IMHO - it's a not uncommon spammer trick to send email from you to you, so you might allow a lot of things that you don't actually want.

If I were you, I would take a moment to decide what you mean by 'the email comes from the local domain', and then implementation gets easier. If all local mail is generated on the localhost (e.g., all users use webmail or have shell accounts), then you can write a condition to check for an empty host string. If instead you really plan to use just the domain part of the sender, you can write a test that looks for sender = [EMAIL PROTECTED] or whatever domainlist you use. If you receive mail from your local domain users in other ways (from a set of known machines, or via authenticated smtp), write an acl that puts in a header, and test for that header later in a router or filter.

Per user mime filtering will have to be done later, outside of the smtp time transaction, though, so you'll want a router or something to do this work (and you'll want that router to have no-verify in it, since it will mess up routing in the acl's otherwise).

Overall, I think the easiest approach would be to use a system filter, rather than an acl. You'll have to decide what you want to do with these emails if they match in the system filter (and I recommend not bouncing at this point, but saving to a special mbox somewhere, to cut down on collateral spam).

I highly recommend reading /usr/share/doc/exim4-base/spec.txt.gz for this sort of thing. It makes all of these issues clear.

> From: Stephen Gran [mailto:[EMAIL PROTECTED] On Behalf Of Stephen Gran
> This one time, at band camp, Craig Schneider said:
> > Hi Guys
> >
> > I have written a condition to check if a user is in a flat text file,
> > if so then allow them NOT to receive attachments of a certain type.
> > However I need to put a condition in to allow them to receive from the
>
> If you mean from 127.0.0.1, then add a
> ! hosts = :
>
> If you mean from [EMAIL PROTECTED] (trivially forged, and I would avoid
> relying on this test), add a ! senders_domain = +local_domains
>
> (I may be wrong about sender_domains - check the spec. It's close to
> that, but I forget and am too lazy to look right now :)
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: Limiting User Commands
This one time, at band camp, Stephen Le said:
> On Sun, 7 Nov 2004 14:14:16 +, Steve Kemp <[EMAIL PROTECTED]> wrote:
> > Lots of people have commented already, but I've not seen any
> > discussion on why you might want to do this. What kind of bad
> > commands are you trying to prevent?
> >
> > Most of the dangerous commands like fdisk, etc, will be handled
> > by the existing permissions setup.
>
> For example, as I mentioned in an earlier reply, I might not want
> normal users to be able to run ftp, telnet, ssh, wget, gcc, or any
> other number of commands. I still want users to be able to run the
> bulk of the commands available on the system, though. I might also
> want to allow another set of users to be able to run the commands
> unavailable to normal users.

  apt-get remove --purge ftp telnet wget gcc
  rm /usr/bin/ssh /usr/bin/scp

I understand your point, but simply don't install the more dangerous things before bending over backwards to make things difficult. As with services, programs not needed should just not be on a server. Part of my monthly audit of systems I look after is to make sure things like gcc and a few others are not installed.

Note that neither my approach nor yours really stops someone who is determined - all of the functionality of the above programs could be replicated in perl, python, etc, so you've only made it difficult, not impossible. Then there is ~/bin, where users can stash anything they like, if you don't also regularly search /home for questionable files. Even mounting it noexec isn't really a help - perl /path/to/script works as well as /lib/ld-linux.so.2 /path/to/binary

Does not help at all for your original problem, I'm afraid. It looks to me like what you want is filesystem acl's or SELinux to totally lock things down, but others are going to be more helpful with those than I will.
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: Debian for ISP
This one time, at band camp, Wouter Verhelst said:
> On Tue, 16-11-2004 at 19:28 +0100, David Schmitt wrote:
> > On Tue, Nov 16, 2004 at 09:15:24AM -0700, Omar wrote:
> > > Also I want to ask if there is a way that I can check the user
> > > Authentication?
> > > Or get a list of users and their level? admin, regular user and so on. I
> > > believe
> > > that the previous admin used LDAP, is there a way I can look into the LDAP
> > > database and find out the users and their levels?
> >
> > Try taking a look at getent. Calling "getent passwd" gives you a list of
> > system users.
> >
> > For lowlevel access to the ldap slapcat is probably the easiest.
>
> except that slapcat wants you to shut down the slapd for safe operation.
> You probably want ldapsearch instead.

It's not so much that you need to shut down slapd, as that you want to make sure that slapd is not doing _write_ operations, or you'll get inconsistent data. Since the vast majority of LDAP operations are read only, slapcat is generally fine.
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: Is gray-listing a one-shot anti-spam measure?
This one time, at band camp, Adrian 'Dagurashibanipal' von Bidder said:
> (And - this to Stephen Frost, I believe - there is a patch to postgrey which
> I will include in the next version, and I believe which will also be
> included in the next upstream, to whitelist a client IP as soon as one
> greylisted email came through. So the load on legitimate mailservers will
> be even smaller.)

Is there a way to make the number of successful retries before whitelisting configurable for postgrey? I use a different implementation of greylisting altogether, so it doesn't really concern me too much, but it seems like a good idea.

The reason for the request being that while it is quite possible for a zombie machine to accidentally resend the same mail from/rcpt to combination by accident on a second spam run, the odds of it sending 10 or 15 (or some number, depending on your circumstances, I guess) are vanishingly small. Only a mechanism with a real queue runner would get more than a few successes, and those are the ones that should be whitelisted.
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
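The configurable threshold asked for above, as an added example (not postgrey's code): a greylist that defers a new (client IP, sender, recipient) triplet until the delay has passed, counts each retry that then gets through as a success for the client IP, and only whitelists the IP after a set number of successes. The traffic at the bottom is constructed to contrast a zombie that re-sends once with an MTA that drains a real queue.

```python
"""Greylisting with a configurable number of successes before whitelisting.

Added example, not postgrey's implementation. Timestamps are passed in
explicitly so the policy can be replayed offline.
"""
from collections import defaultdict

DELAY = 300                  # seconds a new triplet is deferred
SUCCESSES_TO_WHITELIST = 10  # the knob the mail above asks for


class Greylist:
    def __init__(self, delay=DELAY, successes_to_whitelist=SUCCESSES_TO_WHITELIST):
        self.delay = delay
        self.threshold = successes_to_whitelist
        self.first_seen = {}                  # triplet -> time of first attempt
        self.successes = defaultdict(int)     # client ip -> retries that got through
        self.whitelist = set()

    def check(self, client_ip, sender, rcpt, now):
        """Return 'accept' or 'defer' for one RCPT command arriving at time `now`."""
        if client_ip in self.whitelist:
            return "accept"                   # trusted: new triplets pass immediately
        key = (client_ip, sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(key, now)
        if now - first < self.delay:
            return "defer"                    # first try, or retried too early
        # A retry after the delay: a real queue runner does this, a single
        # spam run normally does not. Count it towards whitelisting the IP.
        self.successes[client_ip] += 1
        if self.successes[client_ip] >= self.threshold:
            self.whitelist.add(client_ip)
        return "accept"


def replay(greylist, attempts):
    """Feed (time, ip, sender, rcpt) tuples through the policy; return the verdicts."""
    return [greylist.check(ip, sender, rcpt, t) for t, ip, sender, rcpt in attempts]


# Constructed traffic: a zombie that re-sends one message once and then tries
# a new one, and an MTA that retries a queue of ten messages after the delay
# and then offers an eleventh.
ZOMBIE = [(0, "192.0.2.10", "x@example.org", "a@example.net"),
          (600, "192.0.2.10", "x@example.org", "a@example.net"),
          (700, "192.0.2.10", "y@example.org", "b@example.net")]
MTA = ([(0, "198.51.100.5", "u%d@example.com" % i, "a@example.net") for i in range(10)]
       + [(900, "198.51.100.5", "u%d@example.com" % i, "a@example.net") for i in range(10)]
       + [(1000, "198.51.100.5", "new@example.com", "a@example.net")])
```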
Re: MySQL Max connections?
This one time, at band camp, Jacob S said:
> Do you or anybody else know what the default number is for
> max_connections? I suppose it could be system load causing my problem,
> since top usually shows an average of 4.0 or 5.0 when the problem
> occurs. It seems like the whole mysql server or apache would be killed
> though if that were the case. (Server is a 2.2Ghz P4 with 512MB of ram.)

IIRC it's 100 by default. With basically no tuning here:

  mysql> show variables like 'max%';
  +----------------------+-------+
  | Variable_name        | Value |
  +----------------------+-------+
  | max_connections      | 100   |
  | max_connect_errors   | 10    |
  | max_delayed_threads  | 20    |
  | max_user_connections | 0     |
  +----------------------+-------+

(some lines snipped as not useful in context).

HTH,
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
a couple of postfix questions
Hello all,

Where I work, we have a mix of MTAs, and are in the process of reevaluating what we want to support. We currently have exim3, exim4, sendmail, one qmail, and one postfix install. Both the qmail and postfix installs are rather ancient - they are legacy that came with the system, were not set up by us, and have not been updated recently. The previous admins of these two systems installed from source and used equivs-like hacks to do so.

I quite like exim4, have gotten used to its quirks, and can make it do some really effective anti-spam things fairly easily now. So, if we are going to have an suid single binary MTA around, this is the one I want. As for other systems that are changeable, I think I like the multi-binary security model of both postfix and qmail, but am leaning towards postfix for the eventual implementation. Most of the systems really only do low volume system email, although a few are fairly high volume.

I would like to keep a mix of MTAs in our systems, partly just to avoid the downsides of a homogeneous network, but also because different suites do different things well. I think that I would like to migrate to all exim4 and postfix (I would basically like to dump the sendmail and qmail systems). But before we begin migrating the sendmail systems to postfix, I wanted to ask some questions about it.

The things that are vitally important are the ability to reject at smtp time for invalid localparts and for viruses - I believe that postfix (at least in recent versions) can do this, but I am just not sure. I do not want to have to rely on something like amavis + a separate listener to do content scanning, if I don't have to - that means either blackholing them (in which case a false positive gets thrown away) or bouncing them (which means adding to the spam already out there), AFAICT.

I guess what I am asking for is people's experiences migrating existing (especially sendmail) systems to postfix, and how easy it is to tie other things into it, especially at smtp time. We're talking about migrating something like 100 machines from one MTA to another, so I have been tasked with coming up with a relatively fool proof (heh) migration scheme - watching the mail logs of 100 machines is clearly not doable. Of course we'll do the usual migrate the low volume machines first, test, retest and watch, then move on, but you get an idea of the headache involved.

I am not trying to start the usual 'my MTA rules' flamewar, although I am sure some of that will ensue. Thanks for any pointers to docs, experiences, or anything else.

Martin and Craig - I know you two in particular are both big advocates of postfix, so I guess I am partly addressing this to you two, although feel no obligation to give free tech support :)

Thanks all,
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: Suggestions for remote server monitoring
This one time, at band camp, Peter Clark said:
> What software would people recommend for remotely monitoring a server? I'm
> not talking about intrusion detection and whatnot, just keeping an eye on
> things like CPU load, memory, bandwidth usage, etc. Bonus points if it uses
> something like RRD--graphs and charts are not just pretty eyecandy for me.

munin for local tests, nagios for the network ones. There is some overlap - munin can do network tests, but it seems they are best suited in those realms, at least so far. munin lacks the ability to directly alert an admin of a problem (although it can alert via nagios). nagios lacks decent graphing tools, while munin makes pretty RRD-graphs.

HTH,
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: Reverse dns?
This one time, at band camp, Daniel Holze said:
> Hello debian-isp,
>
> i have a /24 and i have reverse delegations on this IP-Space.
> So i have a file it calls:
> 28.129.82.in-addr.arpa
>
> Our ISP said that it must work but it didn't.
> Maybe i think ripe didn't know my Nameservers.
> Anyone know how i can ask Ripe if my NameServer is accepted for rdns?

As others have pointed out, it's not registered, but it is working:

  steve:~$ host -a 28.129.82.in-addr.arpa ns1.dwl-dns.de
  28.129.82.in-addr.arpa NS ns1.dwl-dns.de
  28.129.82.in-addr.arpa NS ns2.dwl-dns.de
  28.129.82.in-addr.arpa SOA ns1.dwl-dns.de hostmaster.dwleasing.de (
          2003123101  ;serial (version)
          10800       ;refresh period (3 hours)
          900         ;retry interval (15 minutes)
          1814400     ;expire time (3 weeks)
          86400       ;default ttl (1 day)
          )

  steve:~$ host -l 28.129.82.in-addr.arpa ns1.dwl-dns.de
  28.129.82.in-addr.arpa. NS ns1.dwl-dns.de.
  28.129.82.in-addr.arpa. NS ns2.dwl-dns.de.
  100.28.129.82.in-addr.arpa. PTR general.suck0r.de.
  25.28.129.82.in-addr.arpa. PTR GrafiX2K.De.
  12.28.129.82.in-addr.arpa. PTR star.rdns.info.
  101.28.129.82.in-addr.arpa. PTR miss-swiss.de.
  102.28.129.82.in-addr.arpa. PTR kostenneutral.de.
  1.28.129.82.in-addr.arpa. PTR gateway.dwleasing.de.
  3.28.129.82.in-addr.arpa. PTR ns2.dwl-dns.de.
  200.28.129.82.in-addr.arpa. PTR pdns.dwleasing.de.
  23.28.129.82.in-addr.arpa. PTR suck0r.de.
  10.28.129.82.in-addr.arpa. PTR ns2.xaranet.de.
  24.28.129.82.in-addr.arpa. PTR GrafiX2K.De.

  steve:~$ host -a 28.129.82.in-addr.arpa
  28.129.82.in-addr.arpa does not exist, try again

So your server knows how to handle the queries, but the root nameservers aren't yet directing requests your way.
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: Postfix-mysql-procmail
This one time, at band camp, Russell Coker said:
> Neither /etc/aliases nor procmail allows a custom 55x code to be sent.
>
> A bounce (as used in your example) is undesirable in the case of spam and
> viruses. It makes your machine the cause of problems, which then results
> in other people causing problems for you.

Hmm, it seems you're right. It doesn't generate a bounce, but it does 550 - just too early (at the rcpt rather than data stage). Apparently it generated a bounce because I was using mail, which I guess calls exim as sendmail, rather than with smtp, so it behaves slightly differently. Here is a telnet session with the same configuration, coming from another machine:

  steve:~$ telnet mercury 25
  Trying 216.158.52.98...
  Connected to mail.lobefin.net.
  Escape character is '^]'.
  220 mail.lobefin.net ESMTP Exim 4.30 Sun, 11 Jan 2004 11:56:48 -0500
  ehlo busybox
  250-mail.lobefin.net Hello www.lobefin.net [216.158.52.108]
  250-SIZE 52428800
  250-PIPELINING
  250-AUTH LOGIN PLAIN
  250-STARTTLS
  250 HELP
  mail from: [EMAIL PROTECTED]
  250 OK
  rcpt to: [EMAIL PROTECTED]
  550 unknown user

And the corresponding log line:

  2004-01-11 11:57:08 H=www.lobefin.net (busybox) [216.158.52.108] F=<[EMAIL PROTECTED]> rejected RCPT [EMAIL PROTECTED]: on vacation

It does _not_ work as well as I had hoped, but it at least does generate a 550, rather than a bounce. Back to the drawing board.
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: Postfix-mysql-procmail
This one time, at band camp, Russell Coker said:
> Another option is to receive the entire message, accept it for delivery but
> instead of a 25x give a 55x code with a message saying "this message was
> delivered, but please note that the account holder is on vacation".
>
> These methods should allow the vacation message to reliably go only to the
> originator of the message (or to no-one if it's a spam). However they do
> require that a new proxy program be written to receive the mail as no
> existing software (AFAIK) is capable of doing it.

I think you can do something like this with /etc/aliases, although I am no expert. exim uses a real-$local_part in the standard configuration to bypass aliasing, so an entry could be added like:

  testuser: real-testuser, :fail: On vacation

Just tested and this is what I see:

  2004-01-10 22:44:23 1AfWWV-dZ-Mc <= [EMAIL PROTECTED] U=steve P=local S=313
(I send the message with mail)
  2004-01-10 22:44:23 1AfWWV-dZ-Mc ** [EMAIL PROTECTED] R=system_aliases:
(It generates an error)
  2004-01-10 22:44:23 1AfWWV-dZ-Mc => testuser <[EMAIL PROTECTED]> R=real_local T=maildir_home
(And then gets really delivered to testuser)
  2004-01-10 22:44:23 1AfWWV-dc-Rh <= <> R=1AfWWV-dZ-Mc U=Debian-exim P=local S=1102
  2004-01-10 22:44:23 1AfWWV-dZ-Mc Completed
  2004-01-10 22:44:24 1AfWWV-dc-Rh => steve <[EMAIL PROTECTED]> R=procmail T=procmail_pipe
  2004-01-10 22:44:24 1AfWWV-dc-Rh Completed
(And the bounce goes to me with the text noted.)

I don't know what your MTA allows, but this works here.

HTH,
--
Stephen Gran | Debian user, admin, and developer | http://www.debian.org
Re: Jesus Help Me !
This one time, at band camp, [EMAIL PROTECTED] said:
> On Mon, Jan 12, 2004 at 02:02:27PM +1100, Craig Sanders wrote:
> > this mailing list is for the discussion of the Debian GNU/Linux
> > operating system in Internet Service Provider environments. that's
> > why it's called "debian-isp". note that it is *not* called "Divine
> > Assistance" or anything similar.
>
> I totally agree -- get off the list. There must be someplace else
> where you can ventilate this cosmic debris (in the biblical sense of
> the word that is).

Please note that except for the half dozen replies to an apparent email, I would never have known about the email at all (but I haven't gotten to my spam box yet). So these 5 or 6 emails I did see were replying to one that didn't matter. I'm not mad (and I don't disagree - especially about qmail), but please let's try to keep the signal-to-noise up a little bit.

Just keeping the noise going,

--
Stephen Gran
Re: Announce: Domain Technologie Control 0.12.0 R1
This one time, at band camp, Thomas GOIRAND said:
> Hi !
>
> For nearly one year, I've made a software called Domain Technologie
> Control. It's a hosting web GUI for admin and accounting apache,
> named, proftpd, and qmail. DTC is made of PHP scripts and a web
> interface that manage a MySQL database that handles all the host
> information. It generates backup scripts, statistic calculation
> scripts, and config files for bind, Apache, qmail, and proftpd, using
> a single system UID/GID. With DTC, you can delegate the task of
> creating subdomains, email, and FTP accounts to users for the domain
> names they own, and monitor bandwidth per user and service.
>
> It's already in 5 languages, fully skinnable, and totally automated.
>
> It has been released in debian package form. Now I have a debian
> repository there:
>
> deb ftp://ftp.gplhost.com/debian stable main
>
> and the home page of the project there :
>
> http://www.gplhost.com/?rub=softwares&sousrub=dtc
>
> I want to release it to the public through Debian's repository. I've tried
> a couple of times to mail debian people, but failed, and got no reply.
>
> I've just finished making the BSD port, and [EMAIL PROTECTED] will
> be watching over my port before releasing to public.
>
> Can someone contact me and help me to be added in the Debian tree ?

Since you've already done the work of packaging it yourself, why not ask on debian-mentors@lists.debian.org and see if anyone there is interested in sponsoring an upload? If you're not interested in being the debian maintainer as well as upstream author, file a Request for Packaging bug against the wnpp (work needing and prospective packages) pseudo-package. Hopefully include links to the work you've already done, so as to avoid too much duplication of effort. www.debian.org/devel has many more details about this sort of thing.

HTH,

--
Stephen Gran
Re: Considering Debian (currently using Red Hat)
_brk fix) is backported into the _same_ kernel version that you are running.

> 5.) Of course we'll be testing it extensively ourselves, but what would
> you say the most significant differences, both from a user and an admin
> perspective, are between Debian and Linux? Or, maybe better
> stated, why Debian? I know that's a religiously charged question, but
> at the moment our only position is "not RHL." We're open to being
> converted ;-)

Debian has three major things that drew me to it:

It has the best FHS support of any of the distros I've found. On RedHat and other systems, applications are always installing themselves into strange places like /opt or /usr/local, while I expect distro programs to always be found in /bin or /usr/bin (and the corresponding /sbin's). Config files are always found in /etc (not /usr/local/etc or some strange place) and are carefully preserved across upgrades.

The Bug Tracking System and the openness of the development model means that most bugs I have found are not only already reported by someone else, but usually already acknowledged and fixed by the time I have found them. The freeze before release also means that most bugs have a chance to be ironed out before the next stable is actually released, because they are found by people actually running the software.

Then there is, of course, the ideological part - Debian is about Free Software, and has a commitment to provide a quality distro to its users.

> 6.) And finally, if you care to toss in any ideas or info, I'm very
> glad and excited to hear it. For instance, if you were going to switch
> all your systems within the next year, would you choose something else?
> A BSD port? Go back to Solaris? Novell? SCO? Just kidding.

I guess the only thing I would add is that there are, of course, downsides to every project. Debian's downside for large companies is that it is a volunteer effort, and as such, there is no such thing as technical support available on a fee basis. There are the mailing lists, which are very helpful, and usually give me the answer I need faster than any technical has, but some companies may be turned off by that. On the other hand, since Debian is not for profit, it seems to me unlikely that it will disappear out from under you because it is not making a profit, as RedHat has. So long as there are interested people, it will be around.

HTH, and good luck,

--
Stephen Gran
Re: Considering Debian (currently using Red Hat)
This one time, at band camp, Lucas Albers said:
> I have recently started the process of switching my computers from redhat
> to debian.
> I would very much appreciate step by step directions for creating a local
> repository for redistribution of kernel packages and locally built
> packages.

Just pick a directory that you want to put your local debian packages in, and run dpkg-scanpackages on it. It will create a Packages file, which you then need to gzip. This is my rough script that updates my directories whenever I add a new package - it does both source and binary, which may be more than you want. It also does separate stable/unstable trees. Feel free to redo as you need.

    #!/bin/sh
    # make_apt, v 0.1
    # Make apt-gettable source lines in my debian subdirectory.
    set -e
    echo "$0"
    DIR=/home/steve/public_html/debian/
    cd "$DIR"
    for dist in woody sid; do
        # binary packages: rebuild Packages from the pool and the override file
        rm -f dists/$dist/main/binary-i386/Packages.gz
        dpkg-scanpackages pool/$dist/main/ indices/override.$dist.main > \
            dists/$dist/main/binary-i386/Packages
        gzip -9 dists/$dist/main/binary-i386/Packages
        # source packages: same thing for Sources
        rm -f dists/$dist/main/source/Sources.gz
        dpkg-scansources pool/$dist/main > dists/$dist/main/source/Sources
        gzip -9 dists/$dist/main/source/Sources
    done

override.$dist.main looks something like this (package, priority, section):

    qvcd    optional  utils
    cosmos  optional  x11

and the sources.list entries corresponding to this setup are:

Stable sources.list lines:

    deb http://www.lobefin.net/~steve/debian woody main
    deb-src http://www.lobefin.net/~steve/debian woody main

Unstable sources.list lines:

    deb http://www.lobefin.net/~steve/debian sid main
    deb-src http://www.lobefin.net/~steve/debian sid main

Remember to let your web or ftp server know to serve the correct directory, or none of this will be much use.

> I ran across basic directions on setting up mirror, but nothing about
> debianizing a package; if you just want it for a local package.
> eg, you don't need the full steps, just enough to convert a tar.gz file to
> a .deb file.

http://www.debian.org/doc/maint-guide/ has a pretty good starting reference for this.

> I run the 2.4.23+ kernels on my servers as it supports the newest
> hardware. I don't run stable because they don't have drivers for my newer
> network card. I also recompile my kernel with grsecurity security patches.
> I am currently only running 4 debian boxes, but I have yet to encounter a
> single kernel crash.

Using make-kpkg is a good way to build a kernel-image .deb that you can then put in your mirror for redistribution. man make-kpkg for details - it's really pretty straightforward.

--
Stephen Gran
Strange LDAP problem
Hello all,

I am having the strangest LDAP issue. We recently migrated a network from a hodgepodge of system accounts to an all LDAP setup, with the exception of a few administrative accounts. All seems to be working well, except for one thing - finger. id returns the expected values, users can log in, mail gets accepted and delivered, everything I can think of to check works fine, except finger. Even stranger: finger -m $user returns expected results, although finger $user returns 'no such user'.

Aha! I said - an indexing problem, or perhaps nscd. Responses coming back too slow for finger. Messed about with different indexing schemes (they are currently this:

    index gecos,cn,uid pres,eq,sub
    index homeDirectory,objectClass,loginshell,gidnumber,uidnumber pres,eq

for an ldif of:

    dn: uid=$user,ou=People,dc=ccil,dc=org
    objectClass: top
    objectClass: ccilAccount
    objectClass: posixAccount
    objectClass: ccilAddress
    objectClass: ccilWorkAddress
    objectClass: ccilPerson
    cn: Some Guy
    uid: $user
    uidNumber: 11709
    gidNumber: 100
    homeDirectory: /home/u/$user
    l: Smalltown
    st: PA
    postalCode: 12345
    userPassword::
    loginShell: /bin/bash
    gecos: Some Guy
    pppAccess: TRUE
    emailAccess: TRUE
    registered: Oct 30 22:23:16 2001
    street: 1224 Main St.
    bday: 01-02-03
    telephoneNumber: 215-555-1212
    education: College Graduate
    gender: Blank

(names changed to protect the innocent)). Changing indexing options, running slapindex over and over, no help.

By accident, I reran finger in my root session that was kept open as an "I hope I don't hose something" backup plan, and it worked. Now I start to think ACL's, nscd permissions, etc, but I see nothing out of the ordinary. We're using a pretty close to stock Debian config for all of this, with some minor tuning for indexing options and cache size, but that's about it. The ACL's are the stock ones, so I really don't know what's falling over here.

Anybody have any ideas what to debug next?

TIA,

--
Stephen Gran
Sendmail & access restrictions
Hello all,

We're in the process of locking down access to various services on a network, and one of the things we want to do is lock down sendmail a little. We are migrating a box from being the front-end mail machine, with the SASL database and all of the other user info on it, to being a backend machine that only does two things: receive mail from front-end machines for the local domain, and relay mail that has used SMTP-AUTH.

I think I'm being dense, but I can't figure out how to do something like the following in /etc/mail/access:

    xxx.xxx.xxx.xxx: OK   # front-end machine 1
    xxx.xxx.xxx.xxy: OK   # front-end machine 2
    [ . . . ]
    AUTH: OK
    *: REJECT

I would like the above logic, but still have local mail (cron jobs, etc) work somehow. Anybody set this kind of thing up before? I know how to do it in exim4 (or at least have rough ideas), but I can't figure out how to do the logic for sendmail.

TIA,

--
Stephen Gran
Re: Strange LDAP problem
This one time, at band camp, Theodore Knab said:
> If finger is not working, does chfn or the password change stuff work ?
>
> I think this is a PAM issue. However, I could be wrong.
>
> My '/etc/pam.d/login' file looks like this and fingers work with LDAP.
>
> What does your look like ?
>
> [EMAIL PROTECTED]:/etc/pam.d$ cat login | grep -v ^#
>
> auth       requisite    pam_securetty.so
> auth       requisite    pam_nologin.so
> auth       required     pam_env.so
> auth       sufficient   pam_ldap.so
> auth       required     pam_unix.so nullok
> account    sufficient   pam_ldap.so
> account    required     pam_unix.so
> session    sufficient   pam_ldap.so
> session    required     pam_unix.so
> session    optional     pam_lastlog.so
> session    optional     pam_motd.so
> session    optional     pam_mail.so standard noenv
> password   sufficient   pam_ldap.so obscure min=4 max=50
> password   required     pam_unix.so nullok obscure min=4 max=50

    auth       required     pam_securetty.so
    auth       required     pam_nologin.so
    auth       sufficient   pam_ldap.so
    auth       required     pam_unix_auth.so try_first_pass
    account    sufficient   pam_ldap.so
    account    required     pam_unix_acct.so
    password   sufficient   pam_ldap.so
    password   required     pam_unix.so use_first_pass
    session    sufficient   pam_ldap.so
    session    required     pam_unix_session.so
    #session   optional     pam_console.so

Not so strikingly different that I see the problem. Remember too, that users can log in and that `id` works as expected.

> My LDAP entry looks like:
[...]
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: account
> objectClass: qmailuser
> objectClass: couriermailaccount
> objectClass: Person
> objectClass: OrganizationalPerson
> objectClass: inetOrgPerson

This is where I see some differences. We don't use inetOrgPerson, but we use a locally extended one in our schema. I don't see how this could make a difference, though.

Thanks for the help,

--
Stephen Gran
Re: Sendmail & access restrictions
This one time, at band camp, Kris Deugau said:
> Stephen Gran wrote:
> > I think I'm being dense, but I can't figure out how to do something
> > like the following in /etc/mail/access:
> >
> > xxx.xxx.xxx.xxx: OK # front-end machine 1
> > xxx.xxx.xxx.xxy: OK # front-end machine 2
>
> OK. You'll want to add localhost and 127.0.0.1:
>
> localhost.localdomain RELAY
> localhost RELAY
> 127.0.0.1 RELAY

That is quite helpful, thanks.

> otherwise locally-generated mail will fail. Unless you've got a good
> reason NOT to trust localhost, any sendmail access map should include
> these or similar lines- the last one is probably all that's required.
>
> > AUTH: OK
> > *: REJECT
>
> But these aren't really valid.

I understand - they were rough logic for what I want, not actual lines - I said I couldn't figure it out :)

> By default (at least with recent versions of sendmail), relaying is
> denied UNLESS you have told sendmail otherwise.

Ah, I see the problem - it's not _relaying_ alone I want to reject (we've got the auth part straightened out already, and we're not an open relay). What I want to do is not accept mail unless it comes from one of a few IPs, or is authenticated.

Say the domain is foo.com, and this server's hostname is mail.foo.com. It is not listed as an MX record, so no legitimate emails should ever arrive there, only spams and viruses and whatnot. However, any mail that arrives for [EMAIL PROTECTED] is accepted, since sendmail knows that it _is_ mail.foo.com. I want to reject these, and only accept mail that is authed, or coming in through one of the frontend machines. I can't just do it with iptables, because of the roaming users.

--
Stephen Gran
Re: Strange LDAP problem
This one time, at band camp, Michael Loftis said:
> augh disregard my last...sounds like you got that done. long day over here
> already.

I know that feeling :)

> can you turn up debugging on your slapd? loglevel 256 or loglevel 512 are
> VERY helpful, they log what searches are run--one or both does i can't
> remember...this way you can find out whats up.

I will do so when I get some time - I think I did some of this in the past, and it helped me past some stupid errors in our ldif's before. Will try again.

Thanks,

--
Stephen Gran
Re: Strange LDAP problem
This one time, at band camp, Michael Loftis said:
> augh disregard my last...sounds like you got that done. long day over here
> already.
>
> can you turn up debugging on your slapd? loglevel 256 or loglevel 512 are
> VERY helpful, they log what searches are run--one or both does i can't
> remember...this way you can find out whats up.

With loglevel 512:

    Mar 24 21:15:51 mercury slapd[19886]: conn=46 op=1 ENTRY dn="uid=nabraham,ou=People,dc=ccil,dc=org"
    Mar 24 21:15:51 mercury slapd[19886]: conn=46 op=1 ENTRY dn="uid=wcwa,ou=People,dc=ccil,dc=org"
    Mar 24 21:15:51 mercury slapd[19886]: conn=46 op=1 ENTRY dn="uid=sharon,ou=People,dc=ccil,dc=org"
    Mar 24 21:15:51 mercury slapd[19886]: conn=46 op=1 ENTRY dn="uid=bigstape,ou=People,dc=ccil,dc=org"
    Mar 24 21:15:51 mercury slapd[19886]: conn=46 op=1 ENTRY dn="uid=jseidel,ou=People,dc=ccil,dc=org"
    Mar 24 21:15:51 mercury slapd[19886]: conn=46 op=1 ENTRY dn="uid=nancymk,ou=People,dc=ccil,dc=org"
    Mar 24 21:15:51 mercury slapd[19886]: conn=46 op=1 ENTRY dn="uid=waldron,ou=People,dc=ccil,dc=org"
    [...]

about 1500 more times, which I don't think anyone really needs to see :)

It is doing the lookups, but it is apparently not getting translated back by the system calls? finger -m does work, as does finger without a user argument, so at some level all of this works, just not for large queries. Similarly, I just noticed that getent passwd $user works, but getent passwd only returns the users in /etc/passwd. Odd, but I'm on to something now, I guess - all large queries fail, and the small ones succeed. Not sure what to do with it, but I have a starting point now.

Maybe this is a problem in the system calls, or the size of the nscd cache, or something screwy like that? Not sure where else to go with this now.

Thanks again,

--
Stephen Gran
Re: Sendmail & access restrictions
This one time, at band camp, Christian Storch said:
> Here some straightforward methods for sendmail:
>
> You want to restrict to some IP's?
>
> local-host-names:
> 10.0.0
> 192.168
> 127.1.2.3

Sure, but this doesn't stop incoming mail addressed to this hostname, but coming from some random place, from being accepted.

> Or to authenticated users?
> http://lists.debian.org/debian-isp/2004/debian-isp-200402/msg00267.html

Already taken care of.

Maybe this will make it more clear:

                /-frontend1-\
    internet---<             >---mail.foo.com
                \-frontend2-/

[...]

This is the normal flow of mail. The only other mail that should ever be accepted by mail.foo.com is mail coming from roaming users, who use auth+ssl on their connections. The mail is already flowing from frontend 1&2, and the auth part is set up for the users. The problem we are having is that mail is still arriving at mail.foo.com from other sites (presumably all spam), and we would like it to be rejected by sendmail. We can't close the port, due to roaming users. Local users also use webmail, so sent mail should reflect the real host name of the machine.

I can't think this would be that unusual of a set up, but it doesn't seem to be as easy to do as I would think. If it's possible to force sendmail to only accept smtp auth as a hack, I would be willing to do that, although it seems that it should be possible without. I have tried the bat book, sendmail.org, etc. but I don't see what I am looking for anywhere.

Thanks all,

--
Stephen Gran
Re: Sendmail & access restrictions
This one time, at band camp, Jon Hoffman said:
> I don't have a spare machine to test right now but I
> have seen a similar setup before, so I'll take a stab
> from memory. If this works post it to the list, I
> don't like posting un-tested configs.
>
> You might want to start by making sure you don't have
> anything in relay-domains, and start with a fresh
> access map.
>
> In access, add back your:
>
> 127.0.0.1 OK
> frontend1 OK
> frontend2 OK
> To:@foo.mail.com REJECT

Now *that* looks about right. I am getting a spare box next week or so - I will post back with the test results. Thanks a lot.

--
Stephen Gran
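The policy this thread converges on (relay for the front-ends and localhost, accept authenticated sessions, reject everything else addressed to the domain this non-MX host serves) is modelled below as an added example; it is not sendmail's code and not from the thread. The lookup order is an assumed simplification of the access_db behaviour (full IP first, then shorter dotted prefixes; full domain, then parent domains), the `authenticated` branch stands in for sendmail's TRUST_AUTH_MECH relaying, and every IP and domain is constructed.

```python
"""Model of the access-map policy discussed in the sendmail thread.

Added example, not sendmail's code.  The matching order is an assumed,
simplified model of access_db lookups; the 'authenticated' branch stands in
for TRUST_AUTH_MECH; the map entries, IPs and domains are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed access map, keyed the way /etc/mail/access entries are written.
ACCESS_MAP: Dict[str, str] = {
    "Connect:127.0.0.1": "RELAY",    # locally generated mail (cron jobs etc.)
    "Connect:192.0.2.10": "RELAY",   # front-end machine 1 (constructed IP)
    "Connect:192.0.2.11": "RELAY",   # front-end machine 2 (constructed IP)
    "To:foo.com": "REJECT",          # this host is not an MX: refuse direct mail
}


def ip_keys(ip: str) -> List[str]:
    """Candidate keys for an IPv4 client: the full address, then ever shorter
    dotted prefixes, so an entry for '192.0.2' would also cover 192.0.2.10."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def domain_keys(domain: str) -> List[str]:
    """Candidate keys for a domain: itself, then each parent domain."""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def lookup(tag: str, keys: List[str]) -> Optional[str]:
    """First access-map hit for tag:key, trying the candidate keys in order."""
    for key in keys:
        value = ACCESS_MAP.get(f"{tag}:{key}")
        if value is not None:
            return value
    return None


def decide_rcpt(client_ip: str, authenticated: bool, rcpt: str) -> Tuple[str, str]:
    """Policy decision at RCPT TO time; returns (verdict, reason).

    Order matters: the Connect: check runs before the To: check, otherwise the
    front-ends handing over mail for foo.com would be rejected as well."""
    if lookup("Connect", ip_keys(client_ip)) in ("RELAY", "OK"):
        return ("accept", "trusted client")
    if authenticated:                     # roaming users over AUTH + TLS
        return ("accept", "smtp auth")
    local_part, _, domain = rcpt.rpartition("@")
    candidates = [rcpt] + domain_keys(domain) + [local_part + "@"]
    if lookup("To", candidates) == "REJECT":
        return ("reject", "not an MX for " + domain)
    return ("accept", "default")


if __name__ == "__main__":
    for ip, auth, to in [("192.0.2.10", False, "user@foo.com"),
                         ("198.51.100.7", False, "user@foo.com"),
                         ("198.51.100.7", True, "user@foo.com")]:
        print(ip, auth, to, "->", decide_rcpt(ip, auth, to))
```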
Re: clamd with amavis on Postfix
This one time, at band camp, Theodore Knab said:
> I am using playing with clamd and spamd on a [production] server. ;-)
>
> I really like clamd however it keeps dying.
>
> My clamd.conf looks like this:
> ScanMail

That's probably your problem. As the debconf note says, the ScanMail part of the code is not very stable. If you use amavis to call clamd, then clamd is never really scanning mboxes - amavis is unpacking the message and running clamd over the parts. Try commenting out that option and restarting clamd - it should last a little longer.

--
Stephen Gran
Sendmail, LDAP, and authinfo
Hello all,

Does anyone know if sendmail can do authentication against an LDAP server? We are getting ready to change which box is being used for outgoing mail, and since outgoing mail is only allowed either from the client's subnet or via auth, it would be nice if we could authenticate against an already setup LDAP server. I have seen plenty of stuff about mailertable, access, aliases, etc, but nothing about authinfo. ATM, we're using sasl on the box it's on, and my feeling was that migrating the setup to LDAP would be easier and more maintainable in the long run, especially since LDAP is already in place. It's easier to maintain one database than two.

TIA,

--
Stephen Gran
Re: Sendmail, LDAP, and authinfo
This one time, at band camp, Christian Storch said:
> I would suggest to use 'pam_ldap.so' from 'libpam-ldap' via sasl.
> How to do it with sendmail:
> http://lists.debian.org/debian-isp/2004/debian-isp-200402/msg00267.html

I was trying to stay away from pam-ldap - was thinking it might make more sense to do direct queries, instead of the abstraction - but if that's what there is, it looks easy enough.

Thanks,

--
Stephen Gran
Re: e-mail for multiple domains
This one time, at band camp, Rod Rodolico said:
> Ok, I've researched the exim stuff and I think I see how to do it via
> aliases, but I want to see if anyone has a better solution.
>
> We're really an IPP. We host several domains, with a few users for
> each. It is getting to the point where name conflict is an issue, ie I
> need [EMAIL PROTECTED] and [EMAIL PROTECTED] to be two separate users. I see
> how to set up Exim to make them resolve to separate users, ie [EMAIL PROTECTED]
> could be resolved to joe1 and [EMAIL PROTECTED] could be resolved to joe2.
>
> However, I'd like to make it more seamless for the client. Seems like
> making them log in with joe1 and joe2 is more of a hassle than they
> need.

I think what you want is something like mail delivered to /home/$domain/$user/Maildir/ ? Exim can do that - something like this:

    virtual_maildir_home:
      debug_print = "T: virtual_maildir_home for [EMAIL PROTECTED]"
      driver = appendfile
      directory = /home/$domain/$local_part/Maildir
      delivery_date_add
      envelope_to_add
      return_path_add
      maildir_format
      mode = 0600
      mode_fail_narrower = false

I don't think that courier can handle the pop retrieval of that, however. I have heard that cyrus does a better job with these sort of things, so that may be something worth looking into.

> Is there another way of doing this? I currently have all my users as
> real users on the server, simply setting /bin/false for the shell on
> those who do not need to update their web sites.

LDAP would also be good, so that there is no tie between mail and logging in at all, but your way works - it's just that managing a large passwd file is harder to do once you have to spread it out over several machines.

--
Stephen Gran
Re: Catchall for Exim 3.35
This one time, at band camp, Adam Dawes said:
> Hi all,
>
> I'm doing some spam research and need to configure my exim so that it
> accepts all incoming mail and shunts those with invalid addresses into a
> catchall address. Basically, I want to mimic how Exchange servers
> accept everything. I believe the following will do it for Exim 4, but
> when I try it with my 3.35 installation, it chokes on all incoming
> messages. I was hoping someone might have a snippet that I could use in
> my exim.conf that would do the trick.
>
> catchall:
>   driver = smartuser
>   new_address: [EMAIL PROTECTED]
>
> thanks,
> Adam

Change the lsearch to an lsearch* for the /etc/aliases lookup, and do this in /etc/aliases:

    *: [EMAIL PROTECTED]

I think that will work (can't remember if lsearch* is in exim3 or not, though)

--
Stephen Gran
Re: exim4 for virtual domains
This one time, at band camp, TR RCPG said:
> Would someone kindly post the relevant parts of an
> exim4 configuration for a machine that works as isp
> with virtual domains, and different users (with
> possible not empty intersection set of users for
> different domains)? Some directions about combined
> remote mail retrieval + web access will be
> appreciated.
> thankyouall in advance

I tend to use arrangements like the following:

First, the filesystem:

    /etc/exim4/virt_domains/domainA:
    john: [EMAIL PROTECTED]
    joe: [EMAIL PROTECTED]
    abuse: [EMAIL PROTECTED]
    *: [EMAIL PROTECTED]

    domainB:
    fred: [EMAIL PROTECTED]
    abuse: joe

So, one alias file for each domain, stored somewhere. In the example above, all addresses in domainA get forwarded to someone at aol.com, but [EMAIL PROTECTED] gets delivered to the local user joe, while [EMAIL PROTECTED] ultimately gets forwarded to [EMAIL PROTECTED]

Then, my domainlist is just:

    domainlist virt_domains = dsearch;/etc/exim4/virt_domains

Router:

    virtual_aliases:
      debug_print = "R: virtual_aliases for [EMAIL PROTECTED]"
      driver = redirect
      domains = +virt_domains
      allow_fail
      allow_defer
      require_files = /etc/exim4/virt_domains/$domain
      data = ${lookup{$local_part}lsearch*{/etc/exim4/virt_domains/$domain}}
      file_transport = address_file
      no_more

This works best on systems where virtual domains are mostly forwarded, rather than delivered locally, though. You can do the same tricks with SQL, if you prefer faster access once things get too big for file lookups. If you want users delivered locally, Wouter's advice is probably very good.

But, this is the fun and difficult part about exim - the configuration file is not just about setting config variables that have a predefined meaning - you get to write your own logic for an arrangement that works for you. It can make it more difficult (except that there are usually snippets floating around for all the common uses), but it is also way more flexible.

--
Stephen Gran
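Both the catch-all answer above (a `*` key with an `lsearch*` lookup) and the per-domain alias files in this message rely on the same two Exim lookup types: `dsearch` (is there a file named after the domain?) and `lsearch*` (exact local part, then the `*` default key). The model below is an added example, not Exim's code and not from the thread: it reproduces Exim's documented `lsearch`/`lsearch*`/`lsearch*@`/`dsearch` matching in stand-alone Python over a constructed copy of the alias tree, so you can see which local parts a catch-all silently swallows; the file contents and addresses are constructed.

```python
"""Stand-alone model of the dsearch + lsearch* alias layout from this thread.

Added example, not Exim's code.  Lookup semantics follow the Exim spec for
lsearch, lsearch*, lsearch*@ and dsearch; the alias files, local parts and
target addresses below are constructed.
"""
import os
import tempfile
from typing import Dict, Optional

# Constructed alias files, one per virtual domain, as under /etc/exim4/virt_domains/.
VIRT_DOMAINS: Dict[str, str] = {
    "domainA": "john: john@example.net\njoe: joe@example.net\nabuse: joe\n*: catchall@example.net\n",
    "domainB": "fred: fred@example.org\nabuse: joe\n",
}


def write_tree(base: str) -> str:
    """Write the constructed alias files under base/virt_domains; return that directory."""
    directory = os.path.join(base, "virt_domains")
    os.makedirs(directory, exist_ok=True)
    for domain, text in VIRT_DOMAINS.items():
        with open(os.path.join(directory, domain), "w") as fh:
            fh.write(text)
    return directory


def parse_lsearch(text: str) -> Dict[str, str]:
    """An lsearch file is 'key: value' per line; blank and '#' lines are ignored."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            table[key.strip()] = value.strip()
    return table


def lsearch(table: Dict[str, str], key: str, default_star: bool = False,
            default_at: bool = False) -> Optional[str]:
    """lsearch: exact key only.  lsearch*: then the '*' key.
    lsearch*@: for a key containing '@', first '*@<domain>', then '*'."""
    if key in table:
        return table[key]
    if default_at and "@" in key:
        wildcard = "*@" + key.split("@", 1)[1]
        if wildcard in table:
            return table[wildcard]
    if default_star or default_at:
        return table.get("*")
    return None


def dsearch(directory: str, key: str) -> Optional[str]:
    """dsearch succeeds (returning the key) if a file of that name exists in directory."""
    return key if os.path.isfile(os.path.join(directory, key)) else None


def route(directory: str, local_part: str, domain: str) -> Optional[str]:
    """What the virtual_aliases router would redirect local_part@domain to.
    None means the router declines (not a virtual domain) or the lookup fails
    (no key and no '*' catch-all), so the address is unrouteable."""
    if dsearch(directory, domain) is None:        # domains = +virt_domains
        return None
    with open(os.path.join(directory, domain)) as fh:
        table = parse_lsearch(fh.read())
    return lsearch(table, local_part, default_star=True)   # lsearch*


def demo() -> Dict[str, Optional[str]]:
    """Build the constructed tree in a temporary directory and route a few addresses."""
    with tempfile.TemporaryDirectory() as base:
        directory = write_tree(base)
        return {
            "joe@domainA": route(directory, "joe", "domainA"),
            "abuse@domainB": route(directory, "abuse", "domainB"),
            "nobody@domainA": route(directory, "nobody", "domainA"),   # catch-all hit
            "nobody@domainB": route(directory, "nobody", "domainB"),   # no '*': fails
            "joe@domainC": route(directory, "joe", "domainC"),         # not virtual
        }


if __name__ == "__main__":
    for address, target in demo().items():
        print(f"{address:16} -> {target}")
```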
Re: exim4 for virtual domains
This one time, at band camp, David Schmitt said:
> I also have my virtual_domain list in a file:
>
> [EMAIL PROTECTED]:~$ grep virtual_domains /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs
>
> domainlist virtual_domains = lsearch*;/etc/mail/virtual-domains

Why an lsearch* for virtual_domains? Aah, I see, so that you can make [EMAIL PROTECTED], [EMAIL PROTECTED] all work with a *.domain.com? I never thought of having that work like that - I like it. Am I correct in this?

--
Stephen Gran