June 30, 2004

Setting up a mail server

I’m gearing up to set up a mail server for a client. I’m planning Postfix and Cyrus IMAP at the heart of it. PostgreSQL will probably end being used to store user information and maybe (hopefully) aliases. Web-cyradm will probably be the customer’s interface to maintaining users.

What follows are a bunch of links with little context.

Newer versions of Cyrus have virtual domain support. Check out messages from April 2004 on the Web-cyradm mailing list for a supposed patch to make Web-cyradm work with virtdomains. There is a Postfix-Cyrus-Web-cyradm-HOWTO.

I’m going to need to port user names and passwords from vpopmail to Cyrus. I’m thinking that by storing authentication information in PostgreSQL, this should be easy as long as I can figure out the encryption method used by vpopmail and the Cyrus SASL library support whatever that method is. Kind of looks like MD5.

On another note, the Cyrus SASL library does support talking directly to MySQL/PostgreSQL in its latest version(s), but FC2′s cyrus-sasl RPMs don’t include this support. (The way it’s been done in the past is apparently having SASL talk to PAM which will talk to (usually) MySQL.) The spec file specifically passes --disable-sql to configure. Look for me to build some RPMs with PostgreSQL support enabled.

Postfix has two kinds of content filtering: the more common after-queue content filtering and before-queue content filtering. Before-queue content filtering gives you the ability to reject messages in conversation. Postfix is kind of nice about it and talks SMTP to another server to do content filtering. I think I could use this in conjunction with amavisd-new to call out to SpamAssassin and ClamAV. There is some doubt that before-queue filtering is a good idea because you will end up running out of child SMTP servers and rejecting mail, or possibly timing out remote SMTP servers if your checks take too long. Talking to Nightwolf made me feel a little better about this though. I don’t think my mail server is going to have enough e-mail coming in to it for me to worry about it. Maybe. I guess I’ll have to watch for that somehow. Snort to monitor connection attempts or something?

Finally, if you want to implement something like milter-sender in Postfix, Postfix already has this ability build in. Check out http://www.postfix.org/ADDRESS_VERIFICATION_README.html. Theory has it that using this might tie up a lot of SMTP server children, but will also block a lot of spam.

I’m a little concerned over whether I’ll be able to do recipient address verification with the presence of aliases. If only Cyrus knows about aliases, and doesn’t keep in them in PostgreSQL, I don’t know how I’ll get Postfix to know about them. I guess I’ll cross that bridge when I come to it.

June 26, 2004

Hunting the Mozilla focus bug

So I’ve decided to try and recreate my Mozilla focus bug and hopefully file some useful bug reports on it with someone or another.

I think Red Hat Bug 119160 is the same problem. I haven’t reproduced it in quite the same manner, but the effects of the bug he’s describing sound similar to the effects I see: things look like they’re focused, but they’re not. It has something to do with switching desktops, too (though not necessarily with a keyboard shortcut).

So I try to fire up Gnome and Mozilla on the Vaio desktop I’m still borrowing. It had a minimal install done on it, I think. I use yum to start shoveling packages onto the machine and get what I’m looking for. Two bitches. First, I had a similar mouse problem: MS IntelliMouse Explorer PS/2 on a KVM, mouse jumps all around. Doesn’t seem to matter if I switch on the KVM or not; I left the same port active for boot up and still had this problem. Except this time my fix (documented at http://www.codefu.org/weblogs/darkness/archives/000154.html) didn’t work. So I tried using psmouse.proto=bare and Option "Protocol" "auto" as I found somewhere out on the Internet. Now everything is working, except my scroll wheel, and I suspect the fourth and fifth buttons if I ever tried to use them. Fine with me, for testing, as long as the bug still occurs. Second bitch: why the fuck is /usr/share/applications/mozilla.desktop in the mozilla-mail package? I probably need to file a bug about this.

So I do a graphical login. Set up Sawfish as my window manager. My new procedure for doing this, I guess: gnome-session-properties, remove Metacity, “Apply,” close gnome-session-properties, switch to a shell elsewhere (VC 1, some SSH session in, whatever), DISPLAY=:0 sawfish &, switch back to X on the target machine, open an xterm or equivalent, killall sawfish; sawfish &, gnome-session-properties, set “Respawn” or whatever on Sawfish, “Apply,” “Close,” close everything I don’t want running when I log in, Panel menu->Log Out, check “Save Current Setup,” log out, log back in. Phew.

The result? https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126798

Update 2004-01-22: Check out 3.8 and 3.9 in the Ion FAQ. From there you get to Mozilla bug 230097, and from there you get to Gnome bug 109246. So… maybe someone’s looking at this problem.

June 22, 2004

Quick notes on IPsec, Samba

I was just setting up a tunnel between home and a client. Home endpoint is kernel 2.6, client’s is kernel 2.4. strongSwan 2.1.2 (I think) at home, FreeS/WAN 2.06 at client’s. Running GRE over IPsec for the tunnel like I usually do. I had the problem where I’d browse from the client’s end to a share on a Samba box at home and it’d hang for a long time when I did anything like right clicking a file or trying to open a file. tcpdump at various points on the path showed that packets were being generated on the GRE tunnel at home destined for the client’s machine, but I don’t *think* I ever saw them leave as ESP packets. I decided this might be an MTU issue, thinking back to my L2TP issue a few weeks back. Kicked the MTU down to 1400, and sure enough everything started working quickly. I don’t exactly know the proper MTU I should be using here. Last week, when doing L2TP, I needed to use lower than 1400. Possibly because of the extra overhead in L2TP.

Also, though I had guest ok = yes on a share on the Samba server, browsing to didn’t work from a Windows 2003 (I think that’s what it’s running) box. It kept prompting for password, I couldn’t hit OK without typing a user name, and it’d just keep bouncing me back to that screen. Hitting “Cancel” canceled the whole operation. I found I had to put map to guest = bad user in the global configuration for the Samba server, which made it map any unknown user to guest. This might be something new in Samba 3.x. I don’t think I’ve seen this in Samba 2.2.x, which I’m running with a similar setup at home, but I also haven’t tested it against Windows 2003. I’ll note that when I hit the Samba 3.x server without map to guest = bad user from my Windows 2000 box here, I can hit OK without typing in a user name or password, but it just keeps presenting that dialog box over and over. My money’s on “change in Samba 3.x.”

June 21, 2004

iptables and 2.6 IPsec; H.323, NAT, and GnuGk

First up, I realized over the weekend that though I had begun using 2.6 IPsec, I hadn’t altered my usual set of iptables firewall rules which refer to ipsec0. 2.6 IPsec doesn’t use a “virtual device” for its IPsec tunnels, so saying things like “make sure this kind of traffic only comes in over an IPsec tunnel” becomes kind of wonky.

A quick note on how 2.6 IPsec interacts with Netfilter (and therefore iptables) as of about 2.6.6 or so (FC2 kernel). Packets are encrypted before the NF_IP_POST_ROUTING hook. This means that when forwarding a packet over an IPsec connection, the NF_IP_FORWARD and NF_IP_LOCAL_OUT hooks see the packets unencrypted, but any (for example) SNAT rules you have will see the ESP packet. (BTW, I only use ESP in tunnel mode. All of this documentation assumes that, though most everything applies to other IPsec modes as well.)

So how do you ensure that packet X came in via IPsec? Currently the hackish way to do this seems to depend on the fact that an nfmark set on an incoming IPsec packet will be the same nfmark seen on the resulting decrypted packet. So, for example, iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 1 to mark ESP packets as they come in, then match with -m mark --mark 1 elsewhere. If you use nfmark for other things perhaps you need a different nfmark value.

This is all icky IMHO. I don’t like using nfmark, especially since the patch to allow more complex operations on nfmark (like bitwise or) isn’t in the iptables nor kernel proper. The semi-good news is that there is a patch in the pipeline to make this kind of matching sane. Check out the IPsec-related patches in the Netfilter patch-o-matic extra repository. There are four or so for IPsec that fix up the way packets traverse Netfilter hooks. These patches make it more sane, and different enough from what I’ve covered above. Go hit up a mail archive for netfilter-devel and read the thread(s) on “NAT and IPsec” (IIRC). You’ll also find a “policy” patch which should be the patch that allows you to “match the IPsec policy used for handling a packet.” You can find usage examples on the netfilter-devel list too, I believe. I haven’t used these patches, and I might not as long as they’re not integrated into the base iptables and base kernel.

In other news, I’m charged with testing out a client’s video conferencing appliance which sits behind a Linux box doing NAT to their single routeable IP. I, too, am in this situation, but trying to connect to their appliance with NetMeeting (rather than another appliance). Same concept, though: H.323 still hates NAT. I gather there is something like H.245 which is some sort of tunneling that probably gets around some of these problems, blah blah blah, uninformed rambling. NetMeeting doesn’t support this tunneling protocol last I heard, though, so for now I struggle on. (Maybe I should try GnomeMeeting. I think it supports this tunneling protocol which I may or may not be fabricating entirely.)

So I go about trying to stick an H.323 gatekeeper on my Linux NAT box here. GnuGk was a prominent search result so I gave it a go. Its included RPM spec file didn’t go over so well, so here’s my GnuGk 2.0.8 SRPM. I built this on Fedora Core 1 i386. Note the large number of packages required for build and what you suppose is their irrelevance to the very basic set of features you’re installing. SDL? What? This is a daemon. LDAP? Even though I turned it off? I think all these extra libraries are a result of GnuGk using the PWLib build “system,” which by the by I think FC1 might have a little screwed up. Either that or GnuGk uses it in a bastardly way. Anyway, it builds, and it runs. I’ll admit I haven’t been using it much, and the init script might need some work still. I accept patches.

You’ll need an /etc/gnugk.ini after building and installing GnuGk. Check out section 7.2.1 of the GnomeMeeting FAQ. Two things I had to modify for GnuGk 2.0.8. First, [RasSvr::ARQFeatures] needs to be [RasSrv::ARQFeatures]. Second, under the [RasSrv::ARQFeatures] section, add ParseEmailAliases=1 as an option. Without this option, you can’t do things like place a call from NetMeeting to @ which is what GnomeMeeting suggests you try, I believe. Also note that this configuration seems to be open to some mischief from others. Particularly, the interactive status port is open to all through that rule=allow line, I do believe, and you can change things (or at least disconnect calls) from this port I think.

For instructions on how to configure NetMeeting, see http://www.gnugk.org/netmeeting.html. Note that (I hope) you don’t have to put in both a phone number and a user name. I just entered a user name. After I did this setup, I was able to connect to the gatekeeper and instruct it to “dial out” to the remote VC unit. I wasn’t able to connect to the remote VC unit, though, and I think that might be the remote end’s fault. The remote network, at this point, has no gatekeeper. I’m trying to figure out if I need to add one or not. It simply has a butt-load of ports forwarded in to it. For the curious, the appliance on the remote end is a Polycom unit. I think I’m going to need to figure out which Polycom unit and see if I can’t remotely reconfigure it. I suspect it has some NAT settings hiding around in its interface that needs to be twiddled, for starters.

On a note related to both of the topics covered in this entry, somewhat, there does seem to be an H.323 NAT module in the Netfilter POM-NG extra repository. A possible alternative to using a gatekeeper, at least in my situation(s).

June 17, 2004

strongSwan userland RPM spec file, FC2 beyond minimal RPMs

An RPM spec file to for strongSwan userland (*Update*: check out this web log entry on strongSwan SRPM). I’m using this in FC2 (Linux 2.6) installs now, since the RPMs linked to by strongSwan are older than what looks like the current release. I do wish make rpm worked in packaging/redhat in strongSwan. Sort of. I also note that apparently SUBDIRS has special meaning when supplied on the command line/in the environment to GNU make, and I can’t find a way to disable this behavior. Update: I actually forgot to include the patch used in the spec file, and I’ve since powered off and stored the box that I was building on. To create the patch, unpack strongSwan, cd into the directory, and then something like cp Makefile{,.orig} && perl -pi -e 's/SUBDIRS/STRONGSWAN_SUBDIRS/g' Makefile && diff -u Makefile{.orig,} > strongswan-2.1.2-makefile.patch and copy strongswan-2.1.2-makefile.patch into your RPM SOURCES directory.

Also, a side note mainly for myself. The list of packages I like to install after a minimal install of FC2: lynx elinks w3m screen cvs strace ntp ncftp vim-enhanced