Business Hosting Experts

Archive for the 'Brady Wilson' Category

Run Free Virtual Machines On Your Desktop PC

Thursday, October 8th, 2009


Sun has a free virtualization tool that allows you to run virtual machines right on your desktop PC.  It’s called VirtualBox (http://www.virtualbox.org).  It is a great-looking, easy-to-use and feature-filled application.

 

Need a copy of Windows XP, or Linux, or even a server on which you can install software to test, browse malware websites, or generally break without affecting Windows on your PC?  Want to learn about the latest version of Windows Server, or some flavor of Linux?  Create a virtual machine, load the preferred operating system and you will have a second (or third or fourth) operating system available to use.

 

VirtualBox is equivalent to VMware Workstation and Microsoft VirtualPC.  However, VMware Workstation costs about $100 for a single license.  MS VirtualPC is less compatible with non-Windows operating systems.

 

BTW – don’t forget to shut down your virtual machines or they will continue to use your host system resources and you will wonder why your PC might be running slow.

 

Happy Virtual “Boxing”…

Troubleshooting VMware VI Client v4 on Windows 7

Thursday, October 1st, 2009

Everyone around here at Opus Interactive has been upgrading to the RTM of Windows 7 lately.  Our entire technical team has gone through the reload process and everyone has had great success making the switch from Vista to Windows 7.  So far not one person has had issues with drivers, or software not working on our Windows 7 Enterprise 64-bit installations.

 

…With one exception.  The VMware VI Client version 4 (vSphere) would not run properly.  The installation worked just fine, however when running the program the following error would pop up:

 

Error parsing the server “server” “clients.xml” file. Login will continue, contact your system administrator.
 

Then right after that, one more:

 

The type initializer for ‘VirtualInfrastructure.Utils.HttpWebRequestProxy’ threw an exception.

 

 

That’s just great!  We pretty much live in vCenter managing the infrastructure and client virtual machines on our vClustr platform.  What to do?

 

Fortunately several others have run into this same issue and a quick Google search returned a solution.  I actually only looked at the first couple of results so I am sure there were many links referring to this same solution.

 

With an additional DLL file and a few other tweaks we were up and running – the VMware VI Client version 4 loaded up without incident and we again had access to our VM inventory.

 

Here are the first two links I looked at that contained a solution to this problem.

http://www.techhead.co.uk/running-vmware-vsphere-client-on-windows-7

http://serverfault.com/questions/44946/how-do-you-get-the-vmware-vsphere-client-to-work-on-windows-7-rc

 

 

I imagine this is something VMware will address in an update.

SMTP Auth from MySQL and TLS with Courier Authdaemon and Postfix on FreeBSD 7.0

Tuesday, December 9th, 2008

We needed a set of servers that could easily be load balanced and did nothing but send mail via SMTP. Many clients need to send their mail from remote locations and will most often not be connected to our network. To avoid allowing the servers to be used to send spam we had to be sure that only our clients could send mail through the servers. To do this we chose to authenticate the users on the SMTP servers and store the user credentials in MySQL.

This setup allows for the following:

Users are required to authenticate against the SMTP servers to send mail.

Users can use an alternate port (587) if their ISP is blocking SMTP port 25.

Users can connect using TLS to encrypt traffic between their mail client and the server.

This document does not describe how to get data into the MySQL database from the front end mail servers.

As of the writing of this how-to the port versions were as follows:

MySQL – 5.1.22

courier-authlib (authdaemond) – 0.60.2

Postfix – 2.4.6,1

Install MySQL

# cd /usr/ports/databases/mysql51-server

# make install clean

# cd /usr/ports/databases/mysql51-client

# make install clean

Allow MySQL to run:

# echo "mysql_enable=YES" >> /etc/rc.conf

Create a data directory:

# mkdir /usr/local/mysql

# mkdir /usr/local/mysql/data

# chown -R mysql /usr/local/mysql/

# chgrp -R mysql /usr/local/mysql/

Configure MySQL:

# cp /usr/local/share/mysql/my-medium.cnf /etc/my.cnf

# /usr/local/bin/mysql_install_db --user=mysql --datadir=/usr/local/mysql/data

# ln -s /usr/local/mysql /var/db/mysql

# chown -R mysql /var/db/mysql/

# chgrp -R mysql /var/db/mysql/

Start MySQL:

# /usr/local/etc/rc.d/mysql-server start

Change passwords and create new users

Set the root password:

# /usr/local/bin/mysqladmin -u root password 'newpassword'

Access the MySQL console:

# /usr/local/bin/mysql -u root -p{password}

Allow remote access via root user if desired:

mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '{password}';

Access the MySQL console:

# /usr/local/bin/mysql -u root -p{password}

Create the SMTP auth database and table:

mysql> CREATE DATABASE smtpauthdata;

mysql> USE smtpauthdata;

mysql>

DROP TABLE IF EXISTS `smtpauthusers`;

CREATE TABLE `smtpauthusers` (

`id` int(10) unsigned NOT NULL auto_increment,

`username` varchar(50) NOT NULL,

`password` varchar(50) NOT NULL,

PRIMARY KEY (`id`)

) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=latin1;

Add a user for authdaemon access:

mysql> GRANT SELECT ON smtpauthdata.* TO 'smtpauthuser'@'localhost' IDENTIFIED BY '{password}';

Add a user for the sync script access (we will be inserting user auth data from another database):

mysql> GRANT SELECT, INSERT, DELETE ON smtpauthdata.* TO 'smtpauthsync'@'%' IDENTIFIED BY '{password}';

Install Courier-Authlib (authdaemond)

# cd /usr/ports/security/courier-authlib

# make install clean

Select AUTH_MYSQL in the configuration menu.

Allow authdaemond to run:

# echo "courier_authdaemond_enable=YES" >> /etc/rc.conf

Configure authdaemond:

# pico /usr/local/etc/authlib/authdaemonrc

Reduce the value of ‘authmodulelist’ to just ‘authmysql’:

Comment the default authmodulelist= line

Add:

authmodulelist="authmysql"

# pico /usr/local/etc/authlib/authmysqlrc

Modify as follows:

MYSQL_SERVER localhost

MYSQL_USERNAME smtpauthuser

MYSQL_PASSWORD {yourpassword}

MYSQL_SOCKET /tmp/mysql.sock

MYSQL_PORT 0

MYSQL_OPT 0

MYSQL_DATABASE smtpauthdata

MYSQL_USER_TABLE smtpauthusers

MYSQL_CLEAR_PWFIELD password

MYSQL_UID_FIELD 999

MYSQL_GID_FIELD 999

MYSQL_LOGIN_FIELD username

MYSQL_HOME_FIELD '/home/nofolder'

Install Postfix

# cd /usr/ports/mail/postfix

# make install clean

Select SASL2, TLS at the configuration menu.

Allow Postfix to run:

# echo "postfix_enable=YES" >> /etc/rc.conf

Enable SASL for Postfix:

# mkdir /usr/local/etc/sasl2

# pico /usr/local/etc/sasl2/smtpd.conf

Add:

pwcheck_method: authdaemond

log_level: 3

mech_list: PLAIN LOGIN

authdaemond_path: /var/run/authdaemond/socket

# These two lines exist to keep errors from showing up in the logs

auxprop_plugin: mysql

sql_select: select password from users where email = '%u@%r'

Enable TLS for Postfix.

Generate an SSL certificate:

# mkdir /usr/local/postfix

# mkdir /usr/local/postfix/ssl

# cd /usr/local/postfix/ssl

# openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650

(answer questions)

Enter configuration options for Postfix:

# pico /usr/local/etc/postfix/main.cf

Add:

# tls config

smtp_use_tls = yes

smtpd_use_tls = yes

smtp_tls_note_starttls_offer = yes

smtpd_tls_key_file = /usr/local/postfix/ssl/smtpd.pem

smtpd_tls_cert_file = /usr/local/postfix/ssl/smtpd.pem

smtpd_tls_CAfile = /usr/local/postfix/ssl/smtpd.pem

smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

# sasl config

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

broken_sasl_auth_clients = yes

#smtp restrictions

smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains

# The email gateway is supposed to accept emails to postmaster and abuse.

# Define a virtual alias map

virtual_alias_maps = hash:/usr/local/etc/postfix/virtual

NOTE:

There are other configuration settings for Postfix in main.cf that you may want to look into for your environment.

myhostname = server FQDN

local_transport = error:local mail delivery is disabled

mynetworks = 127.0.0.0/8

myorigin = server FQDN

Set Postfix to listen on the RFC standard alternate TCP ports:

# pico /usr/local/etc/postfix/master.cf

Add:

# listen on the RFC alternate SMTP port

587 inet n - n - - smtpd

Set basic email addresses:

# pico /usr/local/etc/postfix/virtual

Add:

sysadmin sysadmin@opusnet.com

postmaster sysadmin

abuse sysadmin

#root sysadmin

Generate the file:

# postmap /usr/local/etc/postfix/virtual

# newaliases

Allow postfix access to the authdaemond socket:

# chown -R postfix:postfix /var/run/authdaemond

Start the applications

Start Postfix

# /usr/local/etc/rc.d/postfix start

Start authdaemond

# /usr/local/etc/rc.d/courier-authdaemond start

Testing

First create a Base64-encoded username / password string:

(install the mmencode port if it doesn’t exist – /usr/ports/converters/mmencode)

# printf 'yourusername' | mmencode

# printf 'yourpassword' | mmencode

These will yield a cryptic-looking set of characters.

Next, connect to Postfix on the server via Telnet:

# telnet localhost 25

You should see: 220 servername ESMTP Postfix

Next say hello:

> EHLO example.com

You should see something like:

250-smtp02-opus.opusnet.com

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-STARTTLS

250-AUTH LOGIN PLAIN

250-AUTH=LOGIN PLAIN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

You will want to see three key lines that show that TLS and SMTP Auth are enabled:

250-STARTTLS

250-AUTH LOGIN PLAIN

250-AUTH=LOGIN PLAIN

Next attempt your login:

> AUTH LOGIN

You will see a Base64-encoded login prompt – paste your encoded username string and press enter.

You will see a Base64-encoded password prompt – paste your encoded password string and press enter.

Hopefully you will see something like:

235 2.0.0 Authentication successful

To send a test message once authenticated:

> MAIL FROM:<sender@domain.com>

Then press ENTER. If the sender is not permitted to send mail, the SMTP server will return an error.

> RCPT TO:<recipient@remotedomain.com>

Then press ENTER. If the recipient is not a valid recipient or the server does not accept mail for this domain, the SMTP server will return an error.

> DATA

Type your message text, press ENTER, type a period (.), and then press ENTER again.
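As an added example (not part of the original post), the Python script below replays the EHLO / AUTH LOGIN exchange described in the testing steps against a mock SMTP server run in a thread, so the dialogue can be exercised offline. The server side is a constructed stand-in for Postfix with authdaemond: it advertises the same capability lines, issues the Base64 "Username:" / "Password:" prompts, and checks the decoded values against a constructed in-memory copy of the smtpauthusers table (a cleartext comparison, matching the MYSQL_CLEAR_PWFIELD setting above). The hostname, user names and passwords are made up. As in the telnet test on port 25, nothing here negotiates STARTTLS, so the Base64 strings are encoded rather than encrypted; a real client issues STARTTLS before AUTH.

```python
import base64
import socket
import threading

# Constructed stand-in for the smtpauthusers table (username -> cleartext password).
SMTPAUTH_USERS = {"alice": "correct horse", "bob": "s3cret"}

# Capability lines modelled on the EHLO reply shown in the post (hostname made up).
EHLO_REPLY = [
    "250-smtp.example.test",
    "250-PIPELINING",
    "250-STARTTLS",
    "250-AUTH LOGIN PLAIN",
    "250-AUTH=LOGIN PLAIN",
    "250 DSN",
]


def b64(text):
    """Encode text as Base64, the way 'printf text | mmencode' does."""
    return base64.b64encode(text.encode()).decode()


def unb64(text):
    return base64.b64decode(text).decode()


def _io(sock):
    """Return (say, hear) helpers for CRLF-terminated SMTP lines on a socket."""
    reader = sock.makefile("rb")
    say = lambda line: sock.sendall((line + "\r\n").encode())
    hear = lambda: reader.readline().decode().rstrip("\r\n")
    return say, hear


def serve_one(listener):
    """Mock server: handle a single client session (EHLO, AUTH LOGIN, QUIT)."""
    conn, _ = listener.accept()
    say, hear = _io(conn)
    say("220 smtp.example.test ESMTP Postfix")
    while True:
        line = hear()
        if not line:                      # client went away
            break
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            for reply in EHLO_REPLY:
                say(reply)
        elif line.upper() == "AUTH LOGIN":
            # 334 + Base64 "Username:" / "Password:" prompts, as in the telnet test.
            say("334 " + b64("Username:"))
            user = unb64(hear())
            say("334 " + b64("Password:"))
            password = unb64(hear())
            if SMTPAUTH_USERS.get(user) == password:
                say("235 2.0.0 Authentication successful")
            else:
                say("535 5.7.8 Error: authentication failed")
        elif verb == "QUIT":
            say("221 2.0.0 Bye")
            break
        else:
            say("502 5.5.2 Error: command not recognized")
    conn.close()


def smtp_auth_login(host, port, username, password):
    """Client side of the post's test.  Returns (caps_ok, auth_ok): whether the
    EHLO reply advertised STARTTLS and AUTH LOGIN, and whether AUTH returned 235."""
    sock = socket.create_connection((host, port))
    say, hear = _io(sock)
    hear()                                # 220 banner
    say("EHLO example.com")
    reply = []
    while True:                           # multi-line reply ends at "250 " (space)
        reply.append(hear())
        if len(reply[-1]) < 4 or reply[-1][3] != "-":
            break
    caps = {l[4:] for l in reply[1:]}     # drop the "250-" prefix and the hostname line
    caps_ok = "STARTTLS" in caps and any(
        c.startswith("AUTH ") and "LOGIN" in c.split() for c in caps)
    say("AUTH LOGIN")
    hear()                                # 334 prompt for username
    say(b64(username))
    hear()                                # 334 prompt for password
    say(b64(password))
    auth_ok = hear().startswith("235")
    say("QUIT")
    hear()
    sock.close()
    return caps_ok, auth_ok


def run_exchange(username, password):
    """Start the mock server on a loopback port, run one client session, return its result."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_one, args=(listener,), daemon=True)
    server.start()
    result = smtp_auth_login("127.0.0.1", port, username, password)
    server.join(5)
    listener.close()
    return result


if __name__ == "__main__":
    print(run_exchange("alice", "correct horse"))   # (True, True)
    print(run_exchange("alice", "wrong"))           # (True, False)
```

The first element of the result corresponds to the "three key lines" check (STARTTLS and AUTH LOGIN advertised), the second to the 235 reply; a wrong password or an unknown user gets the 535 reply instead.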

Mount NTFS USB drives read-write in FreeBSD

Wednesday, October 22nd, 2008

This write-up was tested on FreeBSD 6.2 and 6.3.  As of this writing the NTFS-3g release was 1.2531.
Please let me know if you run into typos or other technical issues when implementing this.

1.) Update the ports collection.

Setup the update:

# cd /usr/ports/ports-mgmt/portupgrade
# make install clean
# cd /usr/ports/net/cvsup
# make install clean
# cp /usr/share/examples/cvsup/ports-supfile /root/ports-supfile
# pico /root/ports-supfile

Make it look something like this:

#######################################################
*default host=cvsup1.us.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs  tag=.
*default delete use-rel-suffix
#comment the below line if you don't want to update the /src directory
#src-all
#update /usr/ports
ports-all tag=.
#######################################################

Run the update:

# cvsup -L 2 /root/ports-supfile
# portsdb -Uu

Update installed ports:

# portversion -l "<"
# portupgrade -arR
# pkgdb -F

2.) De-install any existing packages.

Older versions don’t work properly for auto-mounting in /etc/fstab.  In addition, older versions of the kernel module and libraries won’t work with the latest version of fusefs-ntfs.

# cd /usr/ports/sysutils/fusefs-kmod
# make deinstall

# cd /usr/ports/sysutils/fusefs-libs
# make deinstall

# cd /usr/ports/sysutils/fusefs-ntfs
# make deinstall

3.) Install the necessary packages.

# cd /usr/ports/sysutils/fusefs-kmod
# make install clean
# cd /usr/ports/sysutils/fusefs-libs
# make install clean
# cd /usr/ports/sysutils/fusefs-ntfs
# make install clean

4.) Load the kernel module

Enable the kernel module

edit /etc/rc.conf and add:

fusefs_enable="YES"

Start the module

# /usr/local/etc/rc.d/fusefs start

5.) Attach the USB drive.

Attach the USB drive and check your syslog for the detection of the drive:

# tail -n20 /var/log/messages

Example:

Sep  8 09:19:47 servername kernel: umass0: Seagate FreeAgentDesktop, rev 2.00/0.00, addr 2
Sep  8 09:19:47 servername kernel: da1 at umass-sim0 bus 0 target 0 lun 0
Sep  8 09:19:47 servername kernel: da1: <Seagate FreeAgentDesktop 100D> Fixed Direct Access SCSI-4 device
Sep  8 09:19:47 servername kernel: da1: 40.000MB/s transfers
Sep  8 09:19:47 servername kernel: da1: 476940MB (976773168 512 byte sectors: 255H 63S/T 60801C)

6.) Mount the USB drive.

# mkdir /mnt/usbstorage
# mount -t ntfs-3g /dev/da1s1 /mnt/usbstorage

If you get an error about the partition being hibernated:

Error opening partition device: Operation not permitted
Failed to mount '/dev/da1s1': Operation not permitted
The NTFS partition is hibernated. Please resume and shutdown Windows properly, so mounting could be done safely.

Use:

# mount -t ntfs-3g /dev/da1s1 /mnt/usbstorage -o remove_hiberfile

That error message does sometimes point to a conflict in module and library versions though and cannot be fixed until the versions installed are correct.

Notes:

· If you want a persistent mount, be sure to add a mount entry to the /etc/fstab file or a post boot script such as rc.local.

· If you are done with the USB storage drive:

# umount /mnt/usbstorage

Patching BIND for OpenBSD

Friday, August 8th, 2008

Recent security research discovered that there were multiple DNS implementations vulnerable to cache poisoning.  This is a multi-vendor vulnerability outlined at the following links (among many others):

http://secunia.com/cve_reference/CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113

In our DNS infrastructure we separate the recursive query DNS servers from the authoritative DNS servers.  We limit recursive queries to our own network ranges.  Our internal DNS servers used with Active Directory are blocked at the firewall allowing no external access.  To remain secure however we of course updated them all.

All of our production DNS servers run BIND on OpenBSD (4.2 currently) so here is a quick run-down of what we did to patch BIND.

1.) If not already done download and uncompress the source:
    # cd /usr/src
    # wget ftp://ftp.openbsd.org/pub/OpenBSD/4.2/src.tar.gz
    # tar -xvzf src.tar.gz
2.) Download the patch:
    # wget ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/013_bind.patch
3.) List the contents of the patch and you will see the patch instructions:
    # more 013_bind.patch
4.) Follow the patch directions:

        Apply by doing:

    # cd /usr/src
    # patch -p0 < 013_bind.patch

        Then rebuild and install bind:

    # cd usr.sbin/bind
    # make -f Makefile.bsd-wrapper obj
    # make -f Makefile.bsd-wrapper
    # make -f Makefile.bsd-wrapper install
5.) Restart BIND
6.) Perform a DNS check using one of these tests:
    http://www.doxpara.com/
    https://www.dns-oarc.net/oarc/services/dnsentropy
    https://www.dns-oarc.net/oarc/services/porttest

 

That should do it!
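The test services in step 6 check, among other things, whether a resolver randomizes the UDP source port of its outgoing queries, which is the mitigation the patched BIND provides. As an added example (not part of the original post, and not the code those services run), the Python below estimates that property from a packet capture of your own resolver: it parses tcpdump-style lines for outbound queries to port 53 (constructed samples here, with documentation-range addresses, not a real capture) and reports the Shannon entropy of the source-port distribution next to the maximum possible for that many samples, so a fixed-port resolver and a randomizing one can be told apart. The "poor" cut-off is this example's own choice.

```python
import math
import random
import re
from collections import Counter

# tcpdump-style line: "<time> IP <src>.<sport> > <dst>.53: ..." (the addresses in the
# constructed samples below are documentation ranges, not real hosts).
QUERY_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.53:")


def source_ports(lines):
    """Extract the UDP source port from every outbound DNS query line."""
    ports = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            ports.append(int(m.group(2)))
    return ports


def port_entropy_bits(ports):
    """Shannon entropy (bits) of the observed source-port distribution."""
    n = len(ports)
    if n == 0:
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in Counter(ports).values())
    return h if h else 0.0     # avoid -0.0 when a single port repeats


def assess(ports):
    """Summarise source-port randomization; the 'poor' cut-off is this example's choice."""
    n = len(ports)
    bits = port_entropy_bits(ports)
    max_bits = math.log2(n) if n > 1 else 0.0   # n distinct ports is the most n samples can show
    distinct = len(set(ports))
    if distinct <= 1:
        verdict = "fixed"
    elif bits < 0.5 * max_bits:
        verdict = "poor"
    else:
        verdict = "randomized"
    return {"queries": n, "distinct_ports": distinct,
            "entropy_bits": round(bits, 2), "max_bits_for_sample": round(max_bits, 2),
            "verdict": verdict}


def constructed_capture(randomize, n=200, seed=1):
    """Constructed tcpdump-like lines from a fixed-port resolver or a randomizing one."""
    rng = random.Random(seed)
    lines = []
    for i in range(n):
        sport = rng.randrange(1024, 65536) if randomize else 41523
        qid = rng.randrange(65536)
        lines.append(f"12:00:{i % 60:02d}.000000 IP 192.0.2.10.{sport} > "
                     f"198.51.100.1.53: {qid}+ A? host{i}.example.test. (35)")
    return lines


if __name__ == "__main__":
    for label, flag in (("fixed-port resolver", False), ("randomizing resolver", True)):
        print(label, assess(source_ports(constructed_capture(flag))))
```

To use it on a real capture, feed it the output of tcpdump run on the resolver's outbound interface filtered to UDP port 53; a few hundred queries are enough to separate a patched resolver from an unpatched one.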