Controlling SPAM with Sendmail

It’s annoying to read. It wastes your time. It wastes you disk space. It can also be a really big problem for mail administrators, especially for those with large networks and many users to look over.

There are many solutions to battle spam, but most administrators are hesitant in the event that there is a good chance of blocking or discarding legitimate and possibly email in the process.

Hopefully this article will give you a better understanding of what is at risk and what you can do about blocking, discarding, or marking spam, increasing your mail performance, save disk space, and save time reading through them.

Well, let’s get started …

First, let’s see that you’re not part of the problem. More specifically, let’s make sure that you’re not helping the spammers by being an open relay. This just means that you don’t allow unauthorized people to relay mail through your mail server. This isn’t likely if you’re using Sendmail 8.9 or above, but if you are using custom rulesets or if you played with the sendmail.cf file yourself, you may want to have this checked out. Let’s also check to see if you’re listed on any blacklists while you’re at it. The site I like to use to test open relays is http://www.ordb.org. There, you just put in your IP address and in a day, you should get the results. You can check if you’re listed on any blacklists by going to http://www.dnsstuff.com in their spam database lookup. If you are listed, you may want to contact the list owner to have yourself removed after a test or with an explanation.
Another thing you can do to protect your users and increase the performance of your system is to add to your mc file:
define(`confPRIVACY_FLAGS’,`authwarnings,novrfy,noexpn,goaway,needmailhelo,restrictqrun’)
This will stop spammers from checking against your machine to see if a user exists, make sure that all mail that comes in starts with the MTA saying “helo,” and allow only root to run the mail queue. Disallowing the features will help increase your performance because your system will no longer respond to a bunch of useless questions.
Let’s start fighting spam!
The risk in blocking spam could be substantial. The last thing you want to do is block an important email that could have meant a lot of business. Of course, the least risky method would be not to block spam at, but what would be the point of this article?
We should see the differences the versions of Sendmail because in as you go up in version, the more you can do against spam and the easier it is.
An example of this is that in Sendmail 8.9 or higher, there’s a:
FEATURE(`accept_unresolvable_domains’)dnl
If this feature is not included in the sendmail configuration, sendmail will not accept mail from domains that do not resolve, meaning that there is no A record or MX record for that domain. This prevents spammers from coming up with fake domain names or at least limits them to only certain fake domain names.
One caveat for this is that as you probably know, some DNS servers do get poisoned or cache false information. For this reason, this can prevent you from getting legitimate email.
In Solaris, this feature is automatically turned on in DOMAIN(solaris-generic). For that reason, in the sendmail.mc file, you may wish to replace
DOMAIN(solaris-generic)dnl
with
DOMAIN(solaris-antispam)dnl
Changing to DOMAIN(solaris-antispam) will remove FEATURE(`accept_unqualified_senders’) from your mc file as well.

SUBJECT BLOCKING
A relatively low risk method of blocking spam is by subject line. You can do this with a simple addition to the mc file before compiling it.
Details for this are here:
http://lantech.geekvenue.net/chucktips/ … index_html
This would be good for blocking viruses that are going around and spam with the same subject line. The subject line here however, would have to be an exact match. Of course, spammers are smarter than this. For this reason, on a lot of spam, you will see that the subject lines have random characters at the end of them. Sendmail allows for regular expression matching as well. To do this, there is an example in the README file in /usr/lib/mail/cf. It’s available in Sendmail 8.10 or above.

ACCESS DATABASE
The next relatively risk-free method of blocking spam is by their envelope from address. In Sendmail 8.8.8 (Solaris 2.6), it is relatively expensive and your list probably shouldn’t be very big and it is also somewhat difficult as well. You can store a list of hosts and a list of email addresses, but they get stored as a list and not a map. Your performance degrades as your list gets longer since the entire file is read and each mail will go through the list of checks as it is processed.
Details for setting this up are here: http://www.Sendmail.org/%7Eca/email/check.html
In Sendmail 8.9 and above (Solaris 7-9), you have what is known as the access database. With this, you can keep a large list of email addresses, domains, subdomains, IP addresses, and even IP networks. Since it is stored in a map (hashed database), regardless of it’s size, Sendmail will look at a map and make one call. (It will take longer to build the map if it’s larger and while the map is being built, you won’t have one in it’s place, but that’s a different discussion.) I would advise keeping a pretty big list. I have a relatively small list of domains and no IP addresses in my list because IP addresses change ownership and there’s always that ever so slight chance that you’re blocking email from a domain that you want email from. I have a pretty big list of email addresses. Some can argue that it’s pointless because the spammers can change their email addresses each time, but I think that it’s still worth having.

To use the access database, in versions 8.9 and higher, simply add to your mc file:
FEATURE(`access_db’,`hash -o /etc/mail/access.db’)dnl
Or
FEATURE(`access_db’,`hash -T -o /etc/mail/access.db’)dnl (in Sendmail 8.12)
Create the file: /etc/mail/access
websculptures.com RELAY
bounced.surecom.com REJECT
[email protected] REJECT
xxxmailgirl.com DISCARD
[email protected] 550 No Such User
You can use the RELAY (if you relay for the domain like being a secondary MX record), REJECT will give an access denied by default, and DISCARD will throw the message into /dev/null. You can also give your own error message and assign it a number. Different numbers are supposed to mean different things – you should follow the error codes listed in RFC 821. I like to use discard because you don’t want spammers to get any more clever in their spamming ways and one way of assuring this is by letting them think that you received the email. After you’re done building the file, you need to build the database. Do this with:
makemap hash /etc/mail/access < /etc/mail/access
You do not need to restart Sendmail for this to take effect.

DNS BLACKLISTS (RBL)
Realtime Blackhole Lists are lists of either mail servers on the Internet are open-relay or known spammers. They are useful in stopping spam because they are lists that you do not have to maintain. They are on the Internet where some are free, some are not. What they do is once a connection is made to your mail server, it will do a DNS lookup on a database to see if it’s listed. If listed, it will return an error message to the client giving him a message. This message is custom, but usually will say something like you are listed on this blackhole list and go to them to get removed.

Detailed instructions on setting this up are here:http://mail-abuse.org/rbl/usage.html

On Sendmail 8.9 or higher, it’s very simple. Add the following lines to your mc file:
FEATURE(`access_db’)dnl
FEATURE(`blacklist_recipients’)dnl
FEATURE(`dnsbl’, `blackholes.mail-abuse.org’)dnl
You can replace “blackholes.mail-abuse.org” with any other services you will be using.
Here’s a pretty extensive list: http://www.declude.com/junkmail/support/ip4r.htm
Be aware that not all of them are known spammers and I’m not sure if the lists are maintained by humans. Using the lists can make you lose legitimate emails. They show no mercy on incompetent email administrators who do not know how to protect their machines from sending out spam.
Another note worth mentioning is that the lists can degrade your performance as well. If you are getting too many mails from different IP addresses for instance or if you are using too many lists and your DNS server is slow, you can have problems. If the list maintainers allow you to download their zone files into your own DNS server, you best do so.

THIRD PARTY PRODUCTS – SPAMASSASSIN & RAZOR w/ PROCMAIL or MIMEDefang
Spamassassin (http://www.spamassassin.org) and Vipul’s Razor (razor.sf.net) are two free and very effective spam-fighting applications. They both require you to compilation however. If you enjoy compiling software and have a spam problem, these tools are well worth the time in setting up. Being effective tools, it would make sense that they are complicated. Spamassassin will go through your mail and look thru it and see if the mail fits a bunch of tests listed here: http://www.spamassassin.org/tests.html. If it fits a particular test, it will assign points to it. So if the email has “sex” in it or if its html is formatted a certain way, it will give or take points. A final value will determine whether or not the mail is spam. You have the power to customize the amount of points it assigns for each test and you also can decide on how many points an email has to have in order to be considered spam. Another nice feature of Spamassassin is that it uses the DNSBL’s. It can see that an email came from a certain IP address and rather than reject the mail outright, it will assign it points and the rest of the email can determine whether or not the email is spam. It can also incorporate Vipul’s Razor. Vipul’s Razor is a “distributed, collaborative, spam detection and filtering network.” Spamassassin can take the Razor’s score into consideration as well.
While Spamassassin and Razor are good applications, you will need to find a way for Sendmail to call these applications and use them. The easiest way I think is with Procmail (http://www.procmail.org). Usage of Procmail however, limits your mail scanning however because it is not done as you are receiving the mail, but after Sendmail has already received the mail and passed onto the Mailer. This means that it would not work for domains that you relay for, only users and aliases on that machine.
Instructions for installing Spamassassin (http://www.spamassassin.org/dist/INSTALL) and Razor (http://razor.sourceforge.net/docs/install.html and http://razor.sourceforge.net/docs/razor-check.html) both include the usage of Procmail. Here are some other cool things you can do with procmail: http://www.uwasa.fi/~ts/info/proctips.html.
For scanning all incoming mail, I think that MIMEDefang (http://www.roaringpenguin.com) is one of the best milter applications available. It checks mail as it is being received and can decide while in transit, whether to relay, deliver, discard, or reject the email. MIMEDefang works well with various antivirus applications and works with Spamassassin. For milter capability however, you should run Sendmail version 8.12 or higher. It was available at the time that 8.11 was out, but we are advised not to use it. Sun’s 8.11.6 version of sendmail does not have milter compiled into it. Sun’s 8.12 Sendmail does, but the operating system does not include the libmilter.a file. For this, you will have to download the source (from http://www.sendmail.org) and compile it from the libmilter directory.
MORE TALK ON SENDMAIL VERSIONS
If you are running Solaris 2.6, you should be running Sendmail 8.8.8. For Solaris 7 and 8, you should run 8.11.6 and for Solaris 9, you should be running 8.12.8. If not, patches are available. The way to determine the version you are running is with the command:
/usr/lib/sendmail –d0.101
If you wish to be running any other version of Sendmail, you can compile it from the source from http://www.sendmail.org. I would like to point out that if you do, you should at least compile in the:
define(`confMAPDEF’, `-DNEWDB’)
This is for hash support in your maps (virtusertable, access_db, genericstable, etc.) You will need the BerkeleyDB (http://www.sleepycat.com) for this.
SOME OTHER SPAM REFERENCES
http://spam.abuse.net/adminhelp/mail.shtml
http://www.digitalanswers.org/check_local

Blocking incoming mail by subject in sendmail

LOCAL_RULESETS HSubject: $>Check_Subject
D{MPat}ILOVEYOU
D{MMsg}This message may contain the LoveLetter virus. SCheck_Subject
R${MPat} $*$#error $: 550 ${MMsg}
RRe: ${MPat} $*$#error $: 550 ${MMsg}

In this case, we are blocking the ILOVEYOU virus.
“D{MPat}ILOVEYOU” is what’s in the subject line when the message comes in.“D{MMsg}This message may contain the LoveLetter virus.” is the message that sendmail will give to the sender. You are free to be creative with this message and you could also create a universal error message for all of the mails with the subject line you want to block.

If you have a huge list of subject lines you want to block, you could do it this way:
LOCAL_RULESETS HSubject: $>Check_Subject
D{MPat}ILOVEYOU
D{MPat2}Mother’s Day Order Confirmation
D{MPat3}Important ! Read carefully !!
D{MMsg}Your mail has been rejected because it may have a virus. SCheck_Subject
R${MPat} $*$#error $: 550 ${MMsg}
RRe: ${MPat} $*$#error $: 550 ${MMsg}
R${MPat2} $*$#error $: 550 ${MMsg}
RRe: ${MPat2} $*$#error $: 550 ${MMsg}
R${MPat3} $*$#error $: 550 ${MMsg}
RRe: ${MPat3} $*$#error $: 550 ${MMsg}

 

Hopefully, you get the idea here. After all this, you have to recompile the sendmail.cf file and restart sendmail for this to take effect. To recompile the sendmail.cf file:
1 – backup your original /etc/mail/sendmail.cf
2 – in the /usr/lib/mail/cf directory, run:
/usr/ccs/bin/m4 ../m4/cf.m4 main.v7sun.mc > /etc/mail/sendmail.cf To restart sendmail:
/etc/init.d/sendmail stop
/etc/init.d/sendmail start Have fun!]]>

iMS block rcpt to user in a general db

mappings:
SEND_ACCESS

*|*|*|* $C$|CHECK_FILTERS;$1+$3|
FilterMatch $N$D30|User$ has$ opted$ out

CHECK_FILTERS

*@*+* $C${@$1+$2}
*@*+* $C$|CHECK_FILTERS_DOMAIN;$1+$2|
*+* $C${$0+$1}
*+* $C${+$1}
FilterMatch $YFilterMatch
* $N

CHECK_FILTERS_DOMAIN

*+* $C${$0+$1}
$_*.*+* $R$1+$2
FilterMatch $YFilterMatch
* $N

cat /tmp/gdb.txt
[email protected] FilterMatch
[email protected] FilterMatch

./imsimta crdb /tmp/gdb.txt imta_general_database
./imsimta refresh

Installing Openssl/Openssh on Solaris 8

Installing Openssl/Openssh on Solaris 8

Some Compiling NOTES
– If you have problems and decide to start over, run “echo $?” after each command to see if you have errors in your steps
– If you get an error “Cannot find ELF”, it may be because you are using the gnu strip (from binutils). Use the strip that comes with Solaris in /usr/ccs/bin

1) Install compiler (gcc or equivalent – I used Forte Developer 7). You can install gcc with packages SUNWgcmn and SUNWgcc from the Solaris Companion CD or you can get it from sunfreeware.com.

2) path set – cc and make in your path
ie: PATH=/opt/sfw/bin:/usr/ccs/bin:$PATH
The “make” binary is /usr/ccs/bin and if you got gcc from the companion cd, it will be in /opt/sfw/bin (if you got it from sunfreeware.com, it will be in /usr/local/bin)

3) Install patch 112438-01 (reboot the machine after install)

4) Install Openssl (from openssl.org) – latest version as of this writing is 0.96g.
./Config
make
make install

5) Install Openssh (openssh.org) – latest version as of this writing is 3.4p1 – I’m configuring it with pam (so that I can authenticate via ldap) and xauth (so that I can do XForwarding)
./configure –with-pam –with-xauth=/usr/openwin/bin/xauth
make
make install

6) Create a user for ssh
useradd -g nobody -s ‘/usr/bin/false’ sshd

7) If you want XForwarding, in /usr/local/etc/sshd_config, set:
X11Forwarding yes

8) Start the SSH server
/usr/local/sbin/sshd

9) You may want a script to start the ssh server. This is a modified version of the one I took from a source I can’t remember:

#!/sbin/sh
#
# Init file for OpenSSH server daemon
RETVAL=0
prog=”sshd”

# Some functions to make the below more readable
KEYGEN=/usr/local/bin/ssh-keygen
SSHD=/usr/local/sbin/sshd
RSA1_KEY=/usr/local/etc/ssh_host_key
RSA_KEY=/usr/local/etc/ssh_host_rsa_key
DSA_KEY=/usr/local/etc/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid

do_rsa1_keygen() {
if [ ! -s $RSA1_KEY ]; then
echo -n $”Generating SSH1 RSA host key: ”
if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C ” -N ” >&/dev/null; then
chmod 600 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
success $”RSA1 key generation”
echo
else
failure $”RSA1 key generation”
echo
exit 1
fi
fi
}

do_rsa_keygen() {
if [ ! -s $RSA_KEY ]; then
echo -n $”Generating SSH2 RSA host key: ”
if $KEYGEN -q -t rsa -f $RSA_KEY -C ” -N ” >&/dev/null; then
chmod 600 $RSA_KEY
chmod 644 $RSA_KEY.pub
success $”RSA key generation”
echo
else
failure $”RSA key generation”
echo
exit 1
fi
fi
}

do_dsa_keygen() {
if [ ! -s $DSA_KEY ]; then
echo -n $”Generating SSH2 DSA host key: ”
if $KEYGEN -q -t dsa -f $DSA_KEY -C ” -N ” >&/dev/null; then
chmod 600 $DSA_KEY
chmod 644 $DSA_KEY.pub
success $”DSA key generation”
echo
else
failure $”DSA key generation”
echo
exit 1
fi
fi
}

do_restart_sanity_check()
{
$SSHD -t
RETVAL=$?
if [ ! “$RETVAL” = 0 ]; then
failure $”Configuration file or keys are invalid”
echo
fi
}

start()
{
# Create keys if necessary
do_rsa1_keygen
do_rsa_keygen
do_dsa_keygen

echo -n $”Starting $prog:”
$SSHD
RETVAL=$?
# [ “$RETVAL” = 0 ] && touch /var/lock/subsys/sshd
echo
}

stop()
{
echo -n $”Stopping $prog:”
pkill $SSHD
RETVAL=$?
# [ “$RETVAL” = 0 ] && rm -f /var/lock/subsys/sshd
echo
}

reload()
{
echo -n $”Reloading $prog:”
killproc $SSHD -HUP
RETVAL=$?
echo
}

case “$1” in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
reload)
reload
;;
condrestart)
if [ “$RETVAL” = 0 ] ; then
stop
# avoid race
sleep 3
start
fi
# fi
;;
status)
status $SSHD
RETVAL=$?
;;
*)
echo $”Usage: $0 {start|stop|restart|reload|condrestart|status}”
RETVAL=1
esac
exit $RETVAL

Sendmail Routing with LDAP

Sendmail Routing with LDAP

One of the reasons you might want to do this is if you just acquired a new company and want mail to be routed through your same old sendmail relays as you had previously or if you’re running some kind of spam or virus scanner that requires sendmail or maybe you just want to have a relay in between your the Internet and your mail server for security purposes.

Note: In this case, this is for routing mail with sendmail and not accepting mail and putting mail into /var/mail on this machine. If you want the mail stored on this machine, you should be able to get on this machine with an ‘su – uid’ command. Otherwise, you will probably get the message, “User unknown”.

You can use whatever directory server you want with whatever schema you want as long as you know what you are looking for and how to use the data.

You will need a version of sendmail that has ldap capabilities

compiled into it. You can check this with:

/usr/lib/sendmail -d0.11 < /dev/null

Version 8.12.10+Sun

Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8

When you see LDAPMAP, you know that it will work. Solaris 7-9 should all

work. Patches are available for those that don’t.

In this example, we will use the ldap data from a SunONE Messaging server.

We first do a search to find a user so that we know what we will need.

Here, I pull the user’s ldif data with this command:

/usr/sbin/ldapsearch -b ‘o=isp’ -p 4389 -h flash.atac.ebay.sun.com [email protected]

In this case, I’m looking for alton’s user entry and using the mail attribute.

Here are my results:

uid=alton, ou=people, o=atac.ebay.sun.com, o=isp

objectClass=top

objectClass=person

objectClass=organizationalPerson

objectClass=inetOrgPerson

objectClass=inetUser

objectClass=ipUser

objectClass=nsManagedPerson

objectClass=userPresenceProfile

objectClass=inetMailUser

objectClass=inetLocalMailRecipient

[email protected]

mailUserStatus=active

mailHost=flash.atac.ebay.sun.com

givenName=alton

cn=alton yu

uid=alton

nsdaCapability=mailListCreate

sn=yu

inetUserStatus=active

mailDeliveryOption=mailbox

preferredLanguage=en

nswmExtendedUserPrefs=meDraftFolder=Drafts

nswmExtendedUserPrefs=meSentFolder=Sent

nswmExtendedUserPrefs=meTrashFolder=Trash

nswmExtendedUserPrefs=meInitialized=true

pabURI=ldap://flash.atac.ebay.sun.com:4389/ou=alton, ou=people, o=atac.ebay.sun.com, o=isp,o=pab

So now we know what kind of information to set up sendmail with, we will start tinkering with it.

In the sendmail.mc file, I add:

First, I go to /usr/lib/mail/cf

I make a backup of my old main.mc to create sendmail.mc

cp main.mc sendmail.mc

and then I open the file and add:

define(`confLDAP_DEFAULT_SPEC’,`-h flash.atac.ebay.sun.com -b o=isp -p 4389′)

LDAPROUTE_DOMAIN(`atac.ebay.sun.com’)

FEATURE(`ldap_routing’)

I then build the cf file with:

make sendmail.cf

and now I do my test.

/usr/lib/sendmail -C/usr/lib/mail/cf/sendmail.cf -bv [email protected]

[email protected]… User unknown

Hmmm…. I wonder why …

I go to the ldap server access logs and find:

[25/Mar/2004:17:14:38 -0800] conn=347 op=2 SRCH base=”” scope=0 filter=”(objectClass=*)” attrs=ALL

[25/Mar/2004:17:14:38 -0800] conn=347 op=2 RESULT err=0 tag=101 nentries=1 etime=0

[25/Mar/2004:17:14:47 -0800] conn=348 fd=44 slot=44 connection from 129.149.141.32 to 10.4.18.140

[25/Mar/2004:17:14:47 -0800] conn=348 op=0 BIND dn=”” method=128 version=2

[25/Mar/2004:17:14:47 -0800] conn=348 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=””

[25/Mar/2004:17:14:47 -0800] conn=348 op=1 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetLocalMailRecipient)([email protected]))” attrs=”mailRoutingAddress”

[25/Mar/2004:17:14:47 -0800] conn=348 op=1 RESULT err=0 tag=101 nentries=0 etime=0

[25/Mar/2004:17:14:47 -0800] conn=348 op=2 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetLocalMailRecipient)([email protected]))” attrs=”mailHost”

[25/Mar/2004:17:14:47 -0800] conn=348 op=2 RESULT err=0 tag=101 nentries=0 etime=0

[25/Mar/2004:17:14:47 -0800] conn=348 op=3 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetLocalMailRecipient)([email protected]))” attrs=”mailRoutingAddress”

[25/Mar/2004:17:14:47 -0800] conn=348 op=3 RESULT err=0 tag=101 nentries=0 etime=0

[25/Mar/2004:17:14:47 -0800] conn=348 op=4 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetLocalMailRecipient)([email protected]))” attrs=”mailHost”

[25/Mar/2004:17:14:47 -0800] conn=348 op=4 RESULT err=0 tag=101 nentries=0 etime=0

[25/Mar/2004:17:14:47 -0800] conn=348 op=5 UNBIND

[25/Mar/2004:17:14:47 -0800] conn=348 op=5 fd=44 closed – U1

Okay. It looks like it’s looking for maillocaladdress and mailRoutingAddress. I don’t have either of those, so I think rather than changing it in the ldap server, I will make some changes in the sendmail.mc.

I change just

FEATURE(`ldap_routing’)

to:

FEATURE(`ldap_routing’,`ldap -1 -v mailHost -k (&(objectclass=inetorgperson)(mail=%0))’)

So now instead of searching for maillocaladdress, I’m now searching for mail.

By doing that and rebuilding my sendmail.cf file, I now get:

/usr/lib/sendmail -C/usr/lib/mail/cf/sendmail.cf -bv [email protected]

[email protected]… deliverable: mailer relay, host flash.atac.ebay.sun.com, user [email protected]

Now this looks better. How’s the ldap access log look?

[25/Mar/2004:17:39:03 -0800] conn=383 fd=44 slot=44 connection from 129.149.141.32 to 10.4.18.140

[25/Mar/2004:17:39:03 -0800] conn=383 op=0 BIND dn=”” method=128 version=2

[25/Mar/2004:17:39:03 -0800] conn=383 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=””

[25/Mar/2004:17:39:03 -0800] conn=383 op=1 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetLocalMailRecipient)([email protected]))” attrs=”mailRoutingAddress”

[25/Mar/2004:17:39:03 -0800] conn=383 op=1 RESULT err=0 tag=101 nentries=0 etime=0

[25/Mar/2004:17:39:03 -0800] conn=383 op=2 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetorgperson)([email protected]))” attrs=”mailHost”

[25/Mar/2004:17:39:03 -0800] conn=383 op=2 RESULT err=0 tag=101 nentries=1 etime=0

[25/Mar/2004:17:39:03 -0800] conn=383 op=3 UNBIND

[25/Mar/2004:17:39:03 -0800] conn=383 op=3 fd=44 closed – U1

Okay. Good enough.

Hopefully this is enough to get you started on your journey in setting up your sendmail with ldap routing.

How to upgrade from NIS+ to LDAP

This is from Arup Mitra.

1. Installing nisplus server

/usr/lib/nis/nisserver -v -r -d atac.ebay.sun.com.

******** ******** WARNING ******** ********

NIS+ might not be supported in a future release. Tools to aid

the migration from NIS+ to LDAP are available in the Solaris 9

operating environment. For more information, visit

http://www.sun.com/directory/nisplus/transition.html

******** ******** ******* ******** ********

This script sets up this machine “native9” as an NIS+

root master server for domain atac.ebay.sun.com..

Domain name : atac.ebay.sun.com.

NIS+ group : admin.atac.ebay.sun.com.

NIS (YP) compatibility : OFF

Security level : 2=DES

Is this information correct? (type ‘y’ to accept, ‘n’ to change) y

This script will set up your machine as a root master server for

domain atac.ebay.sun.com. without NIS compatibility at security level 2.

Use “nisclient -r” to restore your current network service environment.

Do you want to continue? (type ‘y’ to continue, ‘n’ to exit this script) y

setting up domain information “atac.ebay.sun.com.” …

setting up switch information …

killing process keyserv …

restarting process keyserv …

killing NIS and NIS+ processes …

killing process ypbind …

killing process rpc.nisd …

killing process rpc.nispasswdd …

killing process nis_cachemgr …

stopping nscd …

setup NIS_GROUP environment variable …

rm /var/nis files …

running nisinit …

This machine is in the “atac.ebay.sun.com.” NIS+ domain.

Setting up root server …

All done.

starting root server at security level 0 to create credentials…

running nissetup to create standard directories and tables …

org_dir.atac.ebay.sun.com. created

groups_dir.atac.ebay.sun.com. created

passwd.org_dir.atac.ebay.sun.com. created

group.org_dir.atac.ebay.sun.com. created

auto_master.org_dir.atac.ebay.sun.com. created

auto_home.org_dir.atac.ebay.sun.com. created

bootparams.org_dir.atac.ebay.sun.com. created

cred.org_dir.atac.ebay.sun.com. created

ethers.org_dir.atac.ebay.sun.com. created

hosts.org_dir.atac.ebay.sun.com. created

ipnodes.org_dir.atac.ebay.sun.com. created

mail_aliases.org_dir.atac.ebay.sun.com. created

sendmailvars.org_dir.atac.ebay.sun.com. created

netmasks.org_dir.atac.ebay.sun.com. created

netgroup.org_dir.atac.ebay.sun.com. created

networks.org_dir.atac.ebay.sun.com. created

protocols.org_dir.atac.ebay.sun.com. created

rpc.org_dir.atac.ebay.sun.com. created

services.org_dir.atac.ebay.sun.com. created

timezone.org_dir.atac.ebay.sun.com. created

client_info.org_dir.atac.ebay.sun.com. created

auth_attr.org_dir.atac.ebay.sun.com. created

exec_attr.org_dir.atac.ebay.sun.com. created

prof_attr.org_dir.atac.ebay.sun.com. created

user_attr.org_dir.atac.ebay.sun.com. created

audit_user.org_dir.atac.ebay.sun.com. created

adding credential for native9.atac.ebay.sun.com…

Enter login password:

creating NIS+ administration group: admin.atac.ebay.sun.com. …

adding principal native9.atac.ebay.sun.com. to admin.atac.ebay.sun.com. …

updating the keys for directories …

restarting NIS+ root master server at security level 2 …

killing process rpc.nisd …

restarting process rpc.nisd …

starting NIS+ password daemon …

starting NIS+ cache manager …

modifying the /etc/init.d/rpc file …

starting Name Service Cache Daemon nscd …

This system is now configured as a root server for domain atac.ebay.sun.com.

You can now populate the standard NIS+ tables by using the

nispopulate script or /usr/lib/nis/nisaddent command.

2. Populating NIS+ tables

# cd /source

# ls -al

total 32

drwxr-xr-x 2 root other 512 Apr 16 16:02 .

drwxr-xr-x 27 root root 512 Apr 14 19:49 ..

-rw-r–r– 1 root other 18 Apr 16 15:59 auto_home

-rw-r–r– 1 root other 69 Apr 16 16:00 auto_master

-rw-r–r– 1 root other 290 Apr 14 19:51 group

-r–r–r– 1 root other 128 Apr 14 19:52 hosts

-r–r–r– 1 root other 380 Apr 16 16:02 netmasks

-r–r–r– 1 root other 372 Apr 16 16:01 networks

-rw-r–r– 1 root other 109 Apr 15 14:49 passwd

-r–r–r– 1 root other 1807 Apr 16 16:02 protocols

-r–r–r– 1 root other 3869 Apr 16 16:02 services

-rw-r–r– 1 root other 80 Apr 15 14:48 shadow

# /usr/lib/nis/nispopulate -v -F

NIS+ domain name : atac.ebay.sun.com.

Directory Path : (current directory)

Is this information correct? (type ‘y’ to accept, ‘n’ to change) y

This script will populate the standard NIS+ tables for domain

atac.ebay.sun.com. from the files in current directory:

auto_master auto_home ethers group hosts ipnodes networks passwd protocols services rpc netmasks bootparams netgroup aliases timezone auth_attr exec_attr prof_attr user_attr audit_user shadow

**WARNING: Interrupting this script after choosing to continue

may leave the tables only partially populated. This script does

not do any automatic recovery or cleanup.

Do you want to continue? (type ‘y’ to continue, ‘n’ to exit this script) y

auto_master.org_dir.atac.ebay.sun.com. OK…

populating auto_master table from file ./auto_master…

adding standard key-value table auto_master…

adding ./auto_master to table auto_master.org_dir.atac.ebay.sun.com.

adding/updating “/net”

adding/updating “/home”

adding/updating “/xfn”

3 entries added/updated

auto_master table done.

auto_home.org_dir.atac.ebay.sun.com. OK…

populating auto_home table from file ./auto_home…

adding standard key-value table auto_home…

adding ./auto_home to table auto_home.org_dir.atac.ebay.sun.com.

adding/updating “*”

1 entries added/updated

auto_home table done.

ethers.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./ethers does not exist!

ethers table will not be loaded.

group.org_dir.atac.ebay.sun.com. OK…

populating group table from file ./group…

adding standard table group…

adding ./group to table group.org_dir.atac.ebay.sun.com.

adding/updating “root”

adding/updating “other”

adding/updating “bin”

adding/updating “sys”

adding/updating “adm”

adding/updating “uucp”

adding/updating “mail”

adding/updating “tty”

adding/updating “lp”

adding/updating “nuucp”

adding/updating “staff”

adding/updating “daemon”

adding/updating “sysadmin”

adding/updating “smmsp”

adding/updating “nobody”

adding/updating “noaccess”

adding/updating “nogroup”

17 entries added/updated

group table done.

hosts.org_dir.atac.ebay.sun.com. OK…

populating hosts table from file ./hosts…

adding standard table hosts…

adding ./hosts to table hosts.org_dir.atac.ebay.sun.com.

adding/updating “localhost”

adding/updating “native9”

adding/updating “igs”

adding/updating “arup”

adding/updating “daredevil”

5 entries added/updated

hosts table done.

Populating the NIS+ credential table for domain atac.ebay.sun.com.

from hosts table.

dumping hosts table…

loading credential table…

Adding key pair for [email protected] (arup.atac.ebay.sun.com.).

…added arup

Adding key pair for [email protected] (daredevil.atac.ebay.sun.com.).

…added daredevil

Adding key pair for [email protected] (igs.atac.ebay.sun.com.).

…added igs

Adding key pair for [email protected] (localhost.atac.ebay.sun.com.).

…added localhost

…native9 already exists

The credential table for domain atac.ebay.sun.com. has been populated.

The password used will be nisplus.

ipnodes.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./ipnodes does not exist!

ipnodes table will not be loaded.

networks.org_dir.atac.ebay.sun.com. OK…

populating networks table from file ./networks…

adding standard table networks…

adding ./networks to table networks.org_dir.atac.ebay.sun.com.

adding/updating “loopback”

adding/updating “arpanet”

adding/updating “arpanet (arpa)”

3 entries added/updated

networks table done.

passwd.org_dir.atac.ebay.sun.com. OK…

populating passwd table from file ./passwd…

adding standard table passwd…

adding ./passwd to table passwd.org_dir.atac.ebay.sun.com.

adding/updating “test1”

adding/updating “arup”

adding/updating “test2”

3 entries added/updated

passwd table done.

Populating the NIS+ credential table for domain atac.ebay.sun.com.

from passwd table.

dumping passwd table…

loading credential table…

Adding key pair for [email protected] (test1.atac.ebay.sun.com.).

…added test1

…arup already exists

Adding key pair for [email protected] (test2.atac.ebay.sun.com.).

…added test2

The credential table for domain atac.ebay.sun.com. has been populated.

The password used will be nisplus.

protocols.org_dir.atac.ebay.sun.com. OK…

populating protocols table from file ./protocols…

adding standard table protocols…

adding ./protocols to table protocols.org_dir.atac.ebay.sun.com.

adding/updating “ip”

adding/updating “icmp”

adding/updating “igmp”

adding/updating “ggp”

adding/updating “ipip”

adding/updating “ipip (IP-IP)”

adding/updating “tcp”

adding/updating “cbt”

adding/updating “egp”

adding/updating “igp”

adding/updating “pup”

adding/updating “udp”

adding/updating “mux”

adding/updating “hmp”

adding/updating “xns-idp”

adding/updating “rdp”

adding/updating “idpr”

adding/updating “idpr-cmtp”

adding/updating “sdrp”

adding/updating “idrp”

adding/updating “rsvp”

adding/updating “gre”

adding/updating “mobile”

adding/updating “ospf”

adding/updating “ospf (OSPFIGP)”

adding/updating “pim”

adding/updating “ipcomp”

adding/updating “vrrp”

adding/updating “sctp”

adding/updating “hopopt”

adding/updating “ipv6”

adding/updating “ipv6-route”

adding/updating “ipv6-frag”

adding/updating “esp”

adding/updating “ah”

adding/updating “ipv6-icmp”

adding/updating “ipv6-nonxt”

adding/updating “ipv6-opts”

38 entries added/updated

protocols table done.

services.org_dir.atac.ebay.sun.com. OK…

populating services table from file ./services…

adding standard table services…

adding ./services to table services.org_dir.atac.ebay.sun.com.

adding/updating “tcpmux 1/tcp”

adding/updating “echo 7/tcp”

adding/updating “echo 7/udp”

adding/updating “discard 9/tcp”

adding/updating “discard 9/tcp (sink)”

adding/updating “discard 9/tcp (null)”

adding/updating “discard 9/udp”

adding/updating “discard 9/udp (sink)”

adding/updating “discard 9/udp (null)”

adding/updating “systat 11/tcp”

adding/updating “systat 11/tcp (users)”

adding/updating “daytime 13/tcp”

adding/updating “daytime 13/udp”

adding/updating “netstat 15/tcp”

adding/updating “chargen 19/tcp”

adding/updating “chargen 19/tcp (ttytst)”

adding/updating “chargen 19/tcp (source)”

adding/updating “chargen 19/udp”

adding/updating “chargen 19/udp (ttytst)”

adding/updating “chargen 19/udp (source)”

adding/updating “ftp-data 20/tcp”

adding/updating “ftp 21/tcp”

adding/updating “ssh 22/tcp”

adding/updating “telnet 23/tcp”

adding/updating “smtp 25/tcp”

adding/updating “smtp 25/tcp (mail)”

adding/updating “time 37/tcp”

adding/updating “time 37/tcp (timserver)”

adding/updating “time 37/udp”

adding/updating “time 37/udp (timserver)”

adding/updating “name 42/udp”

adding/updating “name 42/udp (nameserver)”

adding/updating “whois 43/tcp”

adding/updating “whois 43/tcp (nicname)”

adding/updating “domain 53/udp”

adding/updating “domain 53/tcp”

adding/updating “bootps 67/udp”

adding/updating “bootpc 68/udp”

adding/updating “kerberos 88/udp”

adding/updating “kerberos 88/udp (kdc)”

adding/updating “kerberos 88/tcp”

adding/updating “kerberos 88/tcp (kdc)”

adding/updating “hostnames 101/tcp”

adding/updating “hostnames 101/tcp (hostname)”

adding/updating “pop2 109/tcp”

adding/updating “pop2 109/tcp (pop-2)”

adding/updating “pop3 110/tcp”

adding/updating “sunrpc 111/udp”

adding/updating “sunrpc 111/udp (rpcbind)”

adding/updating “sunrpc 111/tcp”

adding/updating “sunrpc 111/tcp (rpcbind)”

adding/updating “imap 143/tcp”

adding/updating “imap 143/tcp (imap2)”

adding/updating “ldap 389/tcp”

adding/updating “ldap 389/udp”

adding/updating “submission 587/tcp”

adding/updating “submission 587/udp”

adding/updating “ldaps 636/tcp”

adding/updating “ldaps 636/udp”

adding/updating “tftp 69/udp”

adding/updating “rje 77/tcp”

adding/updating “finger 79/tcp”

adding/updating “link 87/tcp”

adding/updating “link 87/tcp (ttylink)”

adding/updating “supdup 95/tcp”

adding/updating “iso-tsap 102/tcp”

adding/updating “x400 103/tcp”

adding/updating “x400-snd 104/tcp”

adding/updating “csnet-ns 105/tcp”

adding/updating “pop-2 109/tcp”

adding/updating “uucp-path 117/tcp”

adding/updating “nntp 119/tcp”

adding/updating “nntp 119/tcp (usenet)”

adding/updating “ntp 123/tcp”

adding/updating “ntp 123/udp”

adding/updating “netbios-ns 137/tcp”

adding/updating “netbios-ns 137/udp”

adding/updating “netbios-dgm 138/tcp”

adding/updating “netbios-dgm 138/udp”

adding/updating “netbios-ssn 139/tcp”

adding/updating “netbios-ssn 139/udp”

adding/updating “NeWS 144/tcp”

adding/updating “slp 427/tcp”

adding/updating “slp 427/udp”

adding/updating “mobile-ip 434/udp”

adding/updating “cvc_hostd 442/tcp”

adding/updating “ike 500/udp”

adding/updating “uuidgen 697/tcp”

adding/updating “uuidgen 697/udp”

adding/updating “exec 512/tcp”

adding/updating “login 513/tcp”

adding/updating “shell 514/tcp”

adding/updating “shell 514/tcp (cmd)”

adding/updating “printer 515/tcp”

adding/updating “printer 515/tcp (spooler)”

adding/updating “courier 530/tcp”

adding/updating “courier 530/tcp (rpc)”

adding/updating “uucp 540/tcp”

adding/updating “uucp 540/tcp (uucpd)”

adding/updating “biff 512/udp”

adding/updating “biff 512/udp (comsat)”

adding/updating “who 513/udp”

adding/updating “who 513/udp (whod)”

adding/updating “syslog 514/udp”

adding/updating “talk 517/udp”

adding/updating “route 520/udp”

adding/updating “route 520/udp (router)”

adding/updating “route 520/udp (routed)”

adding/updating “ripng 521/udp”

adding/updating “klogin 543/tcp”

adding/updating “kshell 544/tcp”

adding/updating “kshell 544/tcp (cmd)”

adding/updating “new-rwho 550/udp”

adding/updating “new-rwho 550/udp (new-who)”

adding/updating “rmonitor 560/udp”

adding/updating “rmonitor 560/udp (rmonitord)”

adding/updating “monitor 561/udp”

adding/updating “pcserver 600/tcp”

adding/updating “sun-dr 665/tcp”

adding/updating “kerberos-adm 749/tcp”

adding/updating “kerberos-adm 749/udp”

adding/updating “kerberos-iv 750/udp”

adding/updating “krb5_prop 754/tcp”

adding/updating “ufsd 1008/tcp”

adding/updating “ufsd 1008/udp”

adding/updating “cvc 1495/tcp”

adding/updating “ingreslock 1524/tcp”

adding/updating “www-ldap-gw 1760/tcp”

adding/updating “www-ldap-gw 1760/udp”

adding/updating “listen 2766/tcp”

adding/updating “nfsd 2049/udp”

adding/updating “nfsd 2049/udp (nfs)”

adding/updating “nfsd 2049/tcp”

adding/updating “nfsd 2049/tcp (nfs)”

adding/updating “eklogin 2105/tcp”

adding/updating “lockd 4045/udp”

adding/updating “lockd 4045/tcp”

adding/updating “dtspc 6112/tcp”

adding/updating “fs 7100/tcp”

139 entries added/updated

services table done.

rpc.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./rpc does not exist!

rpc table will not be loaded.

netmasks.org_dir.atac.ebay.sun.com. OK…

populating netmasks table from file ./netmasks…

adding standard table netmasks…

adding ./netmasks to table netmasks.org_dir.atac.ebay.sun.com.

adding/updating “10.4.17.0”

1 entries added/updated

netmasks table done.

bootparams.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./bootparams does not exist!

bootparams table will not be loaded.

netgroup.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./netgroup does not exist!

netgroup table will not be loaded.

mail_aliases.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./aliases does not exist!

mail_aliases table will not be loaded.

timezone.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./timezone does not exist!

timezone table will not be loaded.

auth_attr.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./auth_attr does not exist!

auth_attr table will not be loaded.

exec_attr.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./exec_attr does not exist!

exec_attr table will not be loaded.

prof_attr.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./prof_attr does not exist!

prof_attr table will not be loaded.

user_attr.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./user_attr does not exist!

user_attr table will not be loaded.

audit_user.org_dir.atac.ebay.sun.com. OK…

**WARNING: file ./audit_user does not exist!

audit_user table will not be loaded.

passwd.org_dir.atac.ebay.sun.com. OK…

populating passwd table from file ./shadow…

adding standard table passwd…

adding ./shadow to table passwd.org_dir.atac.ebay.sun.com.

adding/updating “test1”

adding/updating “arup”

adding/updating “test2”

3 entries added/updated

passwd table done.

Credentials have been added for the entries in the

hosts and passwd table(s). Each entry was given a default

network password (also known as a Secure-RPC password).

This password is:

nisplus

Use this password when the nisclient script requests the

network password.

nispopulate failed to populate the following tables:

ethers ipnodes rpc bootparams netgroup mail_aliases timezone auth_attr exec_attr prof_attr user_attr audit_user

3. Testing that NIS+ master is operational

# ps -ef | grep rpc.nisd

root 509 1 0 16:05:14 ? 0:02 rpc.nisd

# /usr/bin/nisls

atac.ebay.sun.com.:

org_dir

groups_dir

# /usr/bin/niscat passwd.org_dir

test1:7l7c7hBNh8gCc:1001:10::/home/test1:/bin/sh:::::::

arup:gl.r/Ug8qln4c:1002:10::/home/arup:/bin/sh:::::::

test2:B3Tg5MA6FSu3c:1003:10::/home/test2:/bin/sh:::::::

4. Adding a NIS+ client

a) On the master server:

# /usr/lib/nis/nisclient -v -d atac.ebay.sun.com -c igs

******** ******** WARNING ******** ********

NIS+ might not be supported in a future release. Tools to aid

the migration from NIS+ to LDAP are available in the Solaris 9

operating environment. For more information, visit

http://www.sun.com/directory/nisplus/transition.html

******** ******** ******* ******** ********

You will be adding DES credentials in domain atac.ebay.sun.com. for

igs

** nisclient will not overwrite any existing entries in the

** credential table.

Do you want to continue? (type ‘y’ to continue, ‘n’ to exit this script) y

checking atac.ebay.sun.com. domain…

checking cred.org_dir.atac.ebay.sun.com. permission…

checking info type for igs…

… principal igs already exist — skipped!

b) On the client host called igs:

#/usr/lib/nis/nisclient -v -i -h native9 -a 10.4.17.106 -d atac.ebay.sun.com

initializing client machine…

Initializing client igs for domain “atac.ebay.sun.com.”.

Once initialization is done, you will need to reboot your

machine.

Do you want to continue? (type ‘y’ to continue, ‘n’ to exit this script) y

killing NIS and/or NIS+ processes…

killing process ypbind…

killing process nis_cachemgr…

killing process rpc.nispasswdd…

stopping nscd …

setting up backup files…

setting up NIS+ server information…

setting up domain information “atac.ebay.sun.com.”…

setting up the name service switch information…

killing process keyserv…

running nisinit command …

nisinit -c -H 10.4.17.106 …

credential exists for setting up security…

setting up security information for root…

At the prompt below, type the network password (also known

as the Secure-RPC password) that you obtained either

from your administrator or from running the nispopulate script.

Please enter the Secure-RPC password for root: nisplus

Please enter the login password for root: root_passwd_for_this_client_machine

Your network password has been changed to your login one.

Your network and login passwords are now the same.

killing process nis_cachemgr…

starting nscd …

removing the temporary backup file for /etc/nsswitch.conf…

Client initialization completed!!

Please reboot your machine for changes to take effect.

5. Change /etc/nsswicth.conf appropriately and reboot client machine

passwd: files nisplus

group: files nisplus

hosts: files nisplus

services: nisplus files

networks: nisplus files

protocols: nisplus files

rpc: nisplus files

ethers: nisplus files

netmasks: nisplus files

bootparams: nisplus files

publickey: nisplus

netgroup: files nisplus

automount: files nisplus

aliases: files nisplus

sendmailvars: files nisplus

6. Test from client_machine that you can login as a NIS+ user with proper home

directory

7. Now install the built-in IDS 5.1 on solaris 9 server

/usr/sbin/directoryserver setup

8. Then run idsconfig

# /usr/lib/ldap/idsconfig

and follow instructions from URL:

http://docs.sun.com/db/doc/816-7511/6md … dssetup-33

9. stop-slapd

10. Do the vlvindexing for six fields:

# /usr/sbin/directoryserver -s native9 vlvindex -n userRoot -T

atac.ebay.sun.com.getgrent

and similarly for atac.ebay.sun.com.gethostent , atac.ebay.sun.com.getnetent ..

and so on

11 start-slapd

12. From the cosole of the IDS, we have to create a ou=nisPlus underneath

dc=atac.ebay.sun.com , and again ou=nisPlus underneath the earlier

ou=nisPlus

13. We need to look for a file called /var/nis/NIS+LDAPmapping.template and, if

present , we need to copy it to /var/nis/NIS+LDAPmapping

14. We need to look for a file called /etc/default/rpc.nisd , and we need to do

a few changes there. But before that we backup /etc/default/rpc.nisd

The four main changes are:

line 117, make sure authentication is simple

line 123, defaultsearchbase=dc=atac.ebay.sun.com

line 146, needs to read nisPlusLDAPproxyuser=cn=directory manager

line 154 is your directory manager password, you need to change that

15. We manually update the schema in IDS 5.1 for attribute nisPlusObject

a) Pease have a copy of 99user.ldif file first

b) Please add these lines in

/slapd-instance/config/schema/99user.ldif

objectClasses: ( 1.3.6.1.4.1.42.2.27.5.42.42.2.0 NAME ‘nisplusObjectContainer’

DESC ‘Abstraction of an NIS+ object’ STRUCTURAL MUST ( cn $ nisplusObject )

X-ORIGIN ‘user defined’ )

attributeTypes: ( 1.3.6.1.4.1.42.2.27.5.42.42.1.0 NAME ‘nisplusObject’ DESC

‘An opaque representation of an NIS+ object’ SYNTAX 1.3.6.1.4.1.1466.115.121.1.5

SINGLE-VALUE X-ORIGIN ‘user defined’ )

16. pkill -9 rpc.nisd

17. In order to automatically dump all data from nis+ to ldap and then exit out:

# rpc.nisd -D -x nisplusLDAPinitialUpdateAction=to_ldap

-x nisplusLDAPinitialUpdateOnly=yes

It is also advisable to :

tail -f access

tail -f errors

on two separate consoles to look for possible errors and problems. These are

our only clues as to what is going wrong

PS: Thing to note is that if those tables possibly not proper in NIS+, they

might give different errors in access log, but otherwise all data come

across fine, and then rpc.nisd exits out.

18. Check in ldap that all data have come across by appropriate ldapsearch

19. We may also build a native ldap client on a different solaris 9 client

and test the ldap data on server by logging in with home directories

20. Now, to keep both NIS+ & LDAP always in synch , start rpc.nisd normally:

/usr/sbin/rpc.nisd

21. In order to test if they are really in synch:

a) Modify NIS+ hosts table by:

/usr/lib/nis/nisaddent -d hosts > /tmp/hosts

vi /tmp/hosts and insert an additional host entry there

/usr/lib/nis/nisaddent -rvf /tmp/hosts hosts

b) # niscat hosts.org_dir , and check if that entry came into nis+

b) Check the access log that immediately the new nis+ entries are pushed to

ldap

c) ldapsearch for the appropriate hosts entry by:

ldapsearch -b “dc=atac.ebay.sun.com” ipHostNumber=*

and observe that it appeared into ldap automatically

How to set up a SMARTHOST in SunONE Messaging Server 6

This is useful if you have certain domains that you want to specify the mailservers for or if you need to send mail through another machine.

1) In the first half of the /<server root>/imta/config/imta.cnf file:
add under ! Rules to select local users:
domain.com $E$F$U%$D@smarthost-daemon

2) In the second half of the file, where you have all the channels separated by an empty line:
add:
!
! smarthost
smarthost smtp mx daemon relayhost.domain.com
smarthost-daemon

3) In the /<server root>/imta/config/job_controller.cnf file:
add:
!
[CHANNEL=smarthost]
anon_host=0
master_command=IMTA_EXE:smtp_client

4) Run /<server root>/imsimta refresh

That’s it! Now, all mail that goes to domain.com from this machine goes to relayhost.domain.com for processing.

Also, if you were supposed to use a smarthost, but didn’t set it on installation, here is where you change it.
On the channel that is used to send mail out (most likely, tcp_local)
add:
daemon relayhost.domain.com

so if your channel looks like this:
!
! tcp_local
tcp_local smtp mx single_sys remotehost inner switchchannel identnonelimited subdirs 20 maxjobs 7 pool SMTP_POOL maytlsserver maysaslserver saslswitchchannel tcp_auth
tcp-daemon

modify it so it looks like this:
!
! tcp_local
tcp_local smtp mx single_sys remotehost inner switchchannel identnonelimited subdirs 20 maxjobs 7 pool SMTP_POOL maytlsserver maysaslserver saslswitchchannel tcp_auth daemon relayhost.domain.com
tcp-daemon

How to backup the message store in SunONE Messaging Server 6

ENTIRE MESSAGE STORE

to backup/restore:

imsbackup -f /backupdir/backupfilename /

imsrestore -f /backupdir/backupfilename /

or

./imsbackup -f – / > /backupdir/backupfilename

cat /backupdir/backupfilename | /opt/SUNWmsgsr/sbin/imsrestore -f –

JUST 1 FOLDER

imsrestore -f /backupdir/backupfilename user/uid

cat /backupdir/backupfilename | /opt/SUNWmsgsr/sbin/imsrestore -f – user/[email protected]

Apache 2.0.x reverse proxy using and have it rewrite urls

How to set up a reverse proxy using Apache 2.0.x and have it rewrite urls.

This is particularly useful if you’re using an Identity server internally and want to be able to access the server externally. You can set up an Apache reverse proxy server in your DMZ and allow it to do so. If you use Identity Server 6.3 or higher, you will not need to do this.

The sole purpose for this article is because we needed a workaround for a customer due to a problem with the older version of Identity server where for the logout button uses an absolute url rather than a relative url and it causes the link to be inaccessible.

Because the customer was doing this on Linux, the instructions here will be for Linux and will differ from what you would do in Solaris. If you wanted to do this in Solaris, you would need either more sources or you could install the binaries from http://www.blastwave.org or http://www.sunfreeware.org.

To start with, you will need Apache 2.0.x installed. You can verify this with:

rpm -qav | grep httpd

or

rpm -qav | grep apache (depending on which Linux distribution you have)

My output shows I have httpd-2.0.52-3.1 installed.

You will want to check to see that your Apache installation also includes the mod_proxy modules. You can check this with:

rpm -qil httpd

My output shows:

/usr/lib/httpd/modules/mod_proxy.so

/usr/lib/httpd/modules/mod_proxy_connect.so

/usr/lib/httpd/modules/mod_proxy_ftp.so

/usr/lib/httpd/modules/mod_proxy_http.so

Redhat Linux and Trustix Secure Linux both have these by default. I obviously can’t speak for all the other Linux distributions out there. If you don’t have these, you don’t want to continue. You will probably want to either find an rpm that has these or go and download the source and compile Apache with them.

Now, here comes the fun stuff. You will need to compile a new module – mod_proxy_html. You can download the module from: http://apache.webthing.com/mod_proxy_html/

You may want to follow this as a guide: http://www.apacheweek.com/features/reverseproxies

There are a few dependencies you will need to compile this module. For instance, you will definitely need a compiler and some libraries. Here’s a small list that I have installed on my box. You may need more.

gcc

httpd-devel-2.0.52-3.1

libxml2-2.6.16-3.i386.rpm

libxml2-devel-2.6.16-3.i386.rpm

zlib-devel-1.2.1.2-1.i386.rpm

To compile the module, run:

apxs -c -I/usr/include/libxml2 -i mod_proxy_html.c

After doing this, you should find the module located where your apache modules are stored like:

ls -l /usr/lib/httpd/modules/mod_proxy_html.so

-rwxr-xr-x 1 root root 59627 Apr 8 18:02 /usr/lib/httpd/modules/mod_proxy_html.so

Congratulations! You now have the module installed. You now have to configure it.

In my case, the apache configuration file is located in /etc/httpd/conf/httpd.conf

Here, I add where the modules are:

———————————————————————————————–

LoadFile /usr/lib/libxml2.so.2

LoadModule proxy_html_module modules/mod_proxy_html.so

———————————————————————————————–

Then, later in the file:

———————————————————————————————–

ProxyHTMLLogVerbose On

LogLevel Debug

ProxyRequests off

ProxyPass /amserver http://sapphire.atac.ebay.sun.com/amserver

ProxyPassReverse /amserver http://sapphire.atac.ebay.sun.com/amserver

ProxyPass /amconsole http://sapphire.atac.ebay.sun.com/amserver

ProxyPassReverse /amconsole http://sapphire.atac.ebay.sun.com/amserver

SetOutputFilter proxy-html

ProxyHTMLURLMap http://sapphire.atac.ebay.sun.com http://megatron.atac.ebay.sun.com i

———————————————————————————————–

What I’m doing here is rewrite the url for any requests that go into amconsole or amserver to go and grab the data from the sapphire machine. Any urls that are within the pages that point to sapphire will be rewritten as megatron.

All you have to do now is restart apache.

/usr/sbin/apachectl restart

That’s it! You now should be able to access http://megatron.atac.ebay.sun.com/amserver or

http://megatron.atac.ebay.sun.com/amconsole and get the same login screen and be able to navigate the entire Identity Server or whatever else you put behind the proxy.

For issues, be sure to look at your Apache access and error logs and you can visit the following links:

http://apache.webthing.com/mod_proxy_html/

http://www.apacheweek.com/features/reverseproxies