Configuring Console Access

Configuring Console Access
When normal (non-root) users log in to a computer locally, they are given two types of special permissions:
1.They can run certain programs that they would not otherwise be able to run
2.They can access certain files (normally special device files used to access diskettes, CD-ROMs, and so on) that they would not otherwise be able to access
Since there are multiple consoles on a single computer and multiple users can be logged into the computer locally at the same time, one of the users has to "win" the race to access the files. The first user to log in at the console owns those files. Once the first user logs out, the next user who logs in will own the files.
In contrast, every user who logs in at the console will be allowed to run programs that accomplish tasks normally restricted to the root user. If X is running, these actions can be included as menu items in a graphical user interface. As shipped, the console-accessible programs include halt, poweroff and reboot.
Disabling Shutdown Via Ctrl-Alt-Del
By default, /etc/inittab specifies that your system is set to shutdown and reboot the system in response to a -- key combination used at the console. If you'd like to completely disable this ability, you will need to comment out the following line in /etc/inittab:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Alternatively, you may just want to allow certain non-root users the right to shutdown the system from the console using --. You can restrict this privilege to certain users, by taking the following steps:
1.Add a -a option to the /etc/inittab line shown above, so that it reads:
ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now
The -a flag tells shutdown to look for the /etc/shutdown.allow file, which you'll create in the next step.
2.Create a file named shutdown.allow in /etc. The shutdown.allow file should list the usernames of any users who are allowed to shutdown the system using --. The format of the /etc/shutdown.allow file is a list of usernames, one per line, like the following:
stephen
jack
sophie
According to this example shutdown.allow file, stephen, jack, and sophie are allowed to shutdown the system from the console using --. When that key combination is used, the shutdown -a in /etc/inittab checks to see if any of the users in /etc/shutdown.allow (or root) are logged in on a virtual console. If one of them is, the shutdown of the system will continue; if not, an error message will be written to the system console instead.
For more information on shutdown.allow see the shutdown man page.
Disabling Console Program Access
In order to disable access by users to console programs, you should run this command as root:
rm -f /etc/security/console.apps/*
In environments where the console is otherwise secured (BIOS and LILO passwords are set, -- is disabled, the power and reset switches are disabled, and so forth), you may not want to allow any user at the console to run poweroff, halt, and reboot, which are accessible from the console by default.
To remove these abilities, run the following commands as root:
rm -f /etc/security/console.apps/poweroff
rm -f /etc/security/console.apps/halt
rm -f /etc/security/console.apps/reboot
Disabling All Console Access
The PAM pam_console.so module manages console file permissions and authentication. (See Chapter 8 for more information on configuring PAM.) If you want to disable all console access, including program and file access, comment out all lines that refer to pam_console.so in the /etc/pam.d directory. The following script will do the trick:
cd /etc/pam.d
for i in * ; do
sed '/[^#].*pam_console.so/s/^/#/' < $i > foo && mv foo $i
done
Defining the Console
The pam_console.so module uses the /etc/security/console.perms file to determine the permissions for users at the system console. The syntax of the file is very flexible; you can edit the file so that these instructions no longer apply. However, the default file has a line that looks like this:
=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
When users log in, they are attached to some sort of named terminal, either an X server with a name like :0 or mymachine.example.com:1.0 or a device like /dev/ttyS0 or /dev/pts/2. The default is to define that local virtual consoles and local X servers are considered local, but if you want to consider the serial terminal next to you on port /dev/ttyS1 to also be local, you can change that line to read:
=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1
Making Files Accessible From the Console
In /etc/security/console.perms, there is a section with lines like:
=/dev/fd[0-1]* \
/dev/floppy/*
=/dev/dsp* /dev/audio* /dev/midi* \
/dev/mixer* /dev/sequencer \
/dev/sound/*
=/dev/cdrom* /dev/cdwriter*
You can add your own lines to this section, if necessary. Make sure that any lines you add refer to the appropriate device. For example, you could add the following line:
=/dev/sga
(Of course, make sure that /dev/sga is really your scanner and not, say, your hard drive.)
That's the first step. The second step is to define what is done with those files. Look in the last section of /etc/security/console.perms for lines similar to:
0660 0660 root.floppy
0600 0640 root
0600 0600 root.disk
and add a line like:
0600 0600 root
Then, when you log in at the console, you will be given ownership of the /dev/sga device and the permissions will be 0600 (readable and writable by you only). When you log out, the device will be owned by root and still have 0600 (now: readable and writable by root only) permissions.
Enabling Console Access for Other Applications
If you wish to make other applications accessible to console users, you will have to do just a little bit more work.
First of all, console access only works for applications which reside in /sbin or /usr/sbin, so the application that you wish to run must be there. After verifying that, do the following steps:
1.Create a link from the name of your application, such as our sample foo program, to the /usr/bin/consolehelper application:
cd /usr/bin
ln -s consolehelper foo
2.Create the file /etc/security/console.apps/foo:
touch /etc/security/console.apps/foo
3.Create a PAM configuration file for the foo service in /etc/pam.d/. An easy way to do this is to start with a copy of the halt service's PAM configuration file, and then modify the file if you want to change the behavior:
cp /etc/pam.d/halt /etc/pam.d/foo
Now, when you run /usr/bin/foo, it will call consolehelper, which will authenticate the user with the help of /usr/sbin/userhelper. To authenticate the user, consolehelper will ask for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/halt (otherwise, it will do precisely what is specified in /etc/pam.d/foo) and then run /usr/sbin/foo

IPTABLES+SQUID PROXY SETUP

Squid iptables firewall
The following iptables firewall is suited for a dual-homed Squid proxy server. ssh (TCP port 22), squid (TCP port 3128), and ICMP ECHO requests are allowed on the internal (LAN) interface.
Squid is configured to proxy ftp, http, https, and AOL Instant Messenger traffic. In addition, the server is running a caching/forwarding name server and time server and therefore requires therefore requires outgoing UDP port 123 (ntp) and TCP/UDP port 53 (dns).
#!/bin/sh

LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"

# Kernel monitoring support
# More information:
# /usr/src/linux-`uname -r`/Documentation/networking/ip-sysctl.txt
# http://www.linuxgazette.com/book/view/1645
# http://www.spirit.com/Network/net0300.html

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Needed for FTP (specifically, to allow incoming ftp-data connections)
/sbin/modprobe ip_conntrack_ftp

# Flush all chains
$IPTABLES --flush

# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Set default policies
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES s


# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming port 22 (ssh) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 22 -m state \
--state NEW -j ACCEPT

# Allow incoming port 3128 (squid) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state \
--state NEW -j ACCEPT

# Allow ICMP ECHO REQUESTS on LAN interface
$IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT

# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state \
--state NEW -j ACCEPT

# Allow ntp synchronization
$IPTABLES -A OUTPUT -o $LAN -p udp --destination-port 123 -m state \
--state NEW -j ACCEPT

# Allow ssh on LAN interface
$IPTABLES -A OUTPUT -o $LAN -p tcp --destination-port 22 -m state \
--state NEW -j ACCEPT

# Allow Squid to proxy ftp, http, https, and AIM traffic
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 21 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 5190 -m state \
--state NEW -j ACCEPT

# Create a LOGDROP chain to log and drop packets
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG
$IPTABLES -A LOGDROP -j DROP

# Drop all other traffic
$IPTABLES -A INPUT -j LOGDROP

# Have these rules take effect when iptables is started
/sbin/service iptables save

Restricting normal users in login in a linux server

Restricting normal users in login in a linux server

We can restrict normal users to login in server using pam. Pam module pam_nologin.so is used for the purpose. configure the /etc/pam.d/login like as shown below.#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
auth required pam_nologin.so file=/etc/nologin
#account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_ck_connector.so

VSFTPD VIRTUAL USER SETUP

VSFTPD Virtual Users Setup (with individual FTP home directories)



STEP 1: Install Required packages:
pam (installed by default)
db4 (db4 is my version and was installed by default)
vsftpd
compat-db (this is the package name on fedora which provides the binary db42_load)

Check if the 'db' package is installed

[root@mysystem vsftpd]# rpm -qa | grep -i db

If the db4 package is not installed, do it:

[root@mysystem vsftpd]# yum install db4

The package compat-db will give us the db42_load binary used to build the virtual username/password db file

[root@mysystem vsftpd]# yum install compat-db
[root@mysystem vsftpd]# yum install vsftpd

Can't find dbXX_load binary? check the locations of the files in this package

[root@mysystem vsftpd]# rpm -ql compat-db
STEP 2: Configure PAM
Confirm existance/location of the file /lib/security/pam_userdb.so

[root@mysystem vsftpd]# rpm -ql pam | grep pam_userdb.so
[root@mysystem vsftpd]# vi /etc/pam.d/vsftpd
(I EDITED THE FILE TO LOOK LIKE THIS:)

#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
#auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth required pam_shells.so
#auth include system-auth
#account include system-auth
#session include system-auth
#session required pam_loginuid.so

(note: I had to comment out the bottom 6 lines to get the pam_userdb authentication to succeed for ftp logins. With them not commented out, authentication of known good users failed)
STEP 3: Create system user for vsftpd.conf (this is basically a dummy user, not logged into directly via FTP)
[root@mysystem vsftpd]# adduser -d /home/virtualftp/ virtualftp
STEP 4: Configure vsftpd for virtual users
[root@mysystem vsftpd]# cd /etc/vsftpd
[root@mysystem vsftpd]# vi vsftpd.conf
(HERE IS MY vsftpd.conf FILE MINUS DEFAULT COMMENTS:)

local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

# Virtual users will be logged into /home/virtualftp/[username]/
user_sub_token=$USER
local_root=/home/virtualftp/$USER
guest_enable=YES
guest_username=virtualftp
# Umask applied for virtual users and anon
anon_umask=0022
# Allows uploading by virtual users
anon_upload_enable=YES
# Allows creation of directories by virtual users
anon_mkdir_write_enable=YES
# Allows deletion of files and directories by virtual users
anon_other_write_enable=YES


Now start up vsftpd (which is configured to run stand-alone in my config file):

[root@mysystem vsftpd]# vsftpd
STEP 5: Setup virtual FTP usernames and their passwords
[root@mysystem vsftpd]# vi /etc/vsftpd/vsftpd_users.txt
(FORMAT OF THE FILE:)

username1
passwordforusername1
username2
passwordforusername2
username3
passwordforusername3

Now we create the DB4 formatted username/password file from the plain text vsftpd_users.txt file that will be used by pam_userdb.so:

[root@mysystem vsftpd]# rm /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# chmod 600 /etc/vsftpd/vsftpd_users.db /etc/vsftpd/vsftpd_users.txt
STEP 6: Create directories for each virtual FTP user
[root@mysystem vsftpd]# mkdir -p /home/virtualftp/username1
STEP 7: Test an FTP virtual user login
[root@mysystem vsftpd]# ftp localhost
Connected to localhost.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): username1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX
Using binary mode to transfer files.
ftp>
Troubleshooting
If there are problems logging in with a virtual ftp user, check /var/log/secure FIRST!

[root@mysystem vsftpd]# tail -f /var/log/secure
Mar 2 15:07:04 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testing rhost=mysystem.cluster
Mar 2 15:07:04 mysystem vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user testing
Mar 2 15:08:32 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:11:15 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user0123456789012345678901234' granted access
Mar 2 15:12:36 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user01234567890123456789012345' granted access
Mar 2 15:13:43 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user012345678901234567890123456' granted access
Mar 2 15:14:51 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user0123456789012345678901234567' granted access


I found a few times, which can be seen in the real log files above, that the vsftpd_users.db file was not correctly recreated with the db42_load command over the top of an existing vsftpd_users.db file. To resolve this, I simply remove the current vsftpd_users.db file and recreate the file from scratch with the db42_load.

[root@mysystem vsftpd]# strings /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db

Plaggubale Authentication Modules

LINUX PAM
What is authentication ?
Program which grant user access to system verify each users identity though a process called authentication. Each program have its own way of authentication. Under linux many programs are configured to use a centralized authentication mechanism
called pluggable authentication modules.
Advantage of using PAM

1.It provide common authentication scheme that can used with wide verity of application.
2.It provide large amount of flexibility for both system administrators and developers.
3.It allows application developers to develop program with out creating their own authentication scheme.

LOCATION OF CONFIGURATION FILE

Location of configuration files is in /etc/pam.d/. In older versions pam configuration is in /etc/pam.conf.
Each pam aware application must have an entry in /etc/pam.d/.
EG: Login program must have an entry in /etc/pam.d/ directory.

PAM CONFIGURATION FILE FORMAT

PAM configuration file contain a group of
directive as follows.

(module interface)( control flag)(module name)(module arguments)


MODULE INTERFACE
These are all four type of pam module interface which correlates four type authentications process.

AUTH
This module is responsible for asking a password and verify the validity of a password. It can also set confidence for group membership of kerberos tickets.

ACCOUNT

This module interface verify the access is allowed.
eg: It check whether the account is expired or it is allowed to login in particular time of day.

PASSWORD

This module interface set and verify password.
SESSION

This module interface configures and manages user sessions. Modules using with this interface can also perform additional task that are needed to allow access ie mounting users home directory and making users mail box available.

NOTE: An individual module can be used with any or all the modules.
that is pam_unix.so can be uesd with all of the four interfaces.
Module interface directive can be stacked. When module inter face are used in pam configuration file the use of each module is available like a stack,that is first in last out. When multiple modules are ued for one purpose the order in which module interface are used are very important.
CONTROL FLAG
All pam modules generates a success or failure when it is called. Control flag tells pam what to do with the result. Since modules
are stacked in particular order control flag decides how important is the success or failure of a particular module in overall rule of authenticating a service to the user.

There are four predefined control flag
1.required
2.requisite
3.sufficient
4.optional

Required
The module result must be successful to authentication to continue. If a required module results fails the user is notified until results on all module referencing that interface are completed.

Requisite
This module result must be successful to continue. However the requisite module fails the user is notified with message reflecting the first failed required or requisite module.

sufficient
The module result must be ignored it fails. However a sufficient flagged module result is successful no required flagged result are failed then no other result are required an user is authenticated to the service.



optional
This module result is ignored. A module result is only become
necessary for successful authentication when there is no other module referencing the that interface.

Module name
In older pam configuration file module must be specified in absolute path naming. eg: /lib/security/pam_stack.so. In the newer system only module name must be specified in pam configuration file.

Modules location
Location of pam modules is in /lib/security/.

Module argument

We can pass arguments to used pam modules in pam configuration module. That is pam_userdb.so module uses secrets with in Berkeleydb file to authenticate the user. Berkeleydb file is an open source database system which is embedded in many application. The above mentioned module take db arguments. db=path to files.

Pam error messages

All the pam module report error messages in /var/log/messages.

AVILABLE MODULES

1.pam_access.so
The pam_access.so module is a acces control module. It can be used with the module interface account. It requires the configuration file /etc/security/access.conf. When the pam_access module is invoked, the /etc/security/access.conf file is searched for the first entry that matches the username and tty or hostname pair. If no match is found, then access is granted.

FIELDS IN /etc/security/access.conf

Each login access control line in /etc/security/access.conf has
three fields separated by a symbol : .
permission:user/group:origins ( in case of non networked login)
permission field may be a symbol + or - . + symbol indicate that the access is granted. - symbol indicate that access is denied.

second field is the user/group field which may be one or more login names group name or ALL. It should be noted that group entries should be written in ( ).

Third field is a list of one or more tty names hostname domainnames(begin with “.”). or internet network number(end with “ . “) .
The wild card ALL or LOCAL may also used.

Sample /etc/security/access.conf File

1. # access.conf file
2. -:ALL:.evil.com .spam.org
3. -:ALL EXCEPT root: tty1
4. +:ALL EXCEPT root:172.17.
5. +:wheel paul:leghorn
6.-:ALL:ALL
Now simply add the line
account required /lib/security/pam_securitty.so
Example of adding pam_access to the /etc/pam.d/login File

auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
account required /lib/security/pam_access.so
password required /lib/security/pam_cracklib.so minlen=20
retry=3 type=SECRET
password required /lib/security/pam_pwdb.so md5 use_authtok
session required /lib/security/pam_pwdb.so

Any attempted access from a denied location will result in a Permission denied error message, as shown in Example 5-23, where Paul attempts to log in at the console.All failed attempts due to pam_access are logged in /var/log/messages by default. See Chapter 8 for further information about log files.


PAM_CRACKLIB.SO











PAM_CRACKLIB.SO

In order to improve the security of standard reusable password tell us the users to require to change the password regularly,enforce minimum length and good rules for new passwords,and even keep the history of user passwords so that users don't repeat their passwords.

Enabling pam_cracklib.so

pam_cracklib.so module is enabled in pam configuration file ie in Debian systems /etc/pam.d/common-password,in RedHat linux system it is in /etc/pam.d/system-auth. Tipical configuration file look like this

password required pam_cracklib.so retry=3 minlen=6 difok=3

password required pam_unix.so md5 use_authtok

The first line enables the pam_cracklib module and set several parameters.
retry=3 means user get three chances to pick a good password before the password program exit. minlen=6 set minimum characters in password.
diffok=3 set the minimum number of characters that must be different from the previous password. If you increase the value of minimum length you must also increase the value of difok.

Block Non root user from shutdown the system

Prevent a non-root user from shutting down or rebooting the system

To prevent all non-root users from using the shutdown, reboot or halt commands, do the following :

1. In the file /etc/X11/gdm/gdm.conf , change the line that reads :

SystemMenu=true

to

SystemMenu=false

2. In the file /etc/inittab, change the line that reads :

ca:ctrlaltdel:/sbin/shutdown -t3 -r now

to

ca:ctrlaltdel:echo "You are not authorized to turn off the machine"

3. In the directory /etc/security/console.apps/, delete the file reboot, poweroff and halt.
4. Remove the file /usr/bin/poweroff

SquirrelMail Installation from Source

SquirrelMail


# wget http://sourceforge.net/projects/squirrelmail/files/stable/1.4.20/squirrelmail-1.4.20.tar.bz2/download



# tar xvjf /squirrelmail-1.4.20.tar.bz2/

# mv /squirrelmail-1.4.20 /varwww/html

#chown -R apache:apache /var/www/html/ squirrelmail-1.4.20

# cd /var/www/html/ squirrelmail-1.4.20

# cd /var/www/html

# mv squirrelmail-1.4.20 webmail


# cd webmail

# mkdir -p /var/local/squirrelmail


# mv -i data/ /var/local/squirrelmail/

# chown -R apache.apache /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/

# chown -R apache /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/

# chgrp -R apache /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/







Data directory inside the above location is to moved to some whare else, Because squirrel mail maintains uplodaed data in this directory.


# cd /var/www/html/ webmail/config

# ./conf.pl

Select the option 2
and enter like given below


1. Domain : ip address of the server

2. Invert Time : false

3. Sendmail or SMTP : Sendmail



A. Update IMAP Settings : localhost:143 (courier )

B. Change Sendmail Config : /usr/sbin/sendmail


Save and return to previous menu

From the main menu select the option 4 general options and change the following settings.


1. Data Directory : /var/www/html/squirrelmail-1.4.20/data/ // This is optional

2.Attachment Directory : $data_dir/ // This is optional

Save and return to previous menu


Add The virtualhost in apache.




# ServerAdmin webmaster@dummy-host.example.com

DocumentRoot /var/www/html/webmail

ServerName www.test.com

# ErrorLog logs/dummy-host.example.com-error_log

# CustomLog logs/dummy-host.example.com-access_log common





# service httpd restart
#/etc/init.d/imapd.rc restart

In the browser enter localhost/webmail

SENDMAIL LOGGING

SENDMAIL [ SYSLOG]


How does syslog determine where to send the log files for sendmail ?


catting the out put of mail in syslog in sles is shown below.


# grep -i mail /etc/syslog.conf

mail.* - /var/log/mail

mail.info - /var/log/mail.info

mail.warning - /var/log/mail.warn

mail.err - /var/log/mail.err

*.*,mail.none,news.none - /var/log/messages


Explanation:-

In general syslog entry in linux and unix servers are in the following form.

Facility.level -


Facility is mail in syslog.conf

level may be one of the 0 to 8 ie (debug-emergency)

mail.* in syslog.conf indicate that all the levels.


NOTE: debug produces more messages and enmergency produces less messages.
Debug level creates lots of disk IO.

System log setup with sendmail is each line conatain atleast two lines.

First line acknowledges the receive of the message and second lne correcsponds to the delivery attempts.



Example are gievn below.


Recieving of message from the mail user agent

Jun 2 11:42:13 pc1 sendmail[6484]: o526C9vA006484: from=root, size=6, class=0, nrcpts=1, msgid=<201006020612.o526C9vA006484@pc1.test.com>, relay=root@localhost


Jun 2 11:42:22 pc1 sm-mta[6500]: o526CD0Q006500: from=, size=262, class=0, nrcpts=1, msgid=<201006020612.o526C9vA006484@pc1.test.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Delivery of the message


Jun 2 11:42:22 pc1 sm-mta[6500]: o526CD0Q006500: to=, ctladdr= (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30262, dsn=2.0.0, stat=Sent


Jun 2 11:42:22 pc1 sendmail[6484]: o526C9vA006484: to=root, ctladdr=root (0/0), delay=00:00:13, xdelay=00:00:09, mailer=relay, pri=30006, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (o526CD0Q006500 Message accepted for delivery).

RESTRICTING MESSAGE SIZE IN SENDMAIL

RESTRICTING MESSAGE SIZE


Go to /data/sendmail-8.14.0/cf/cf

# vi sendmial.mc

insert the following line

define(`confMAX_MESSAGE_SIZE', `4096') // mAXIMUM MESSAGE SIZE IN coming toTHE SERVER IS RESTRICTED TO 4k

# cp sendmail.cf /etc/mail

# grep ^o /etc/smail/sendmail.cf

The output should conatin the following line.

MaxMessageSize=4096

CLAMAV INSTALLATION ON OpenSuse 11

CLAMAV INSTALLATION


# cd /data

# cd clamav

# tar xvzf clamav-0.96.1.tar.gz

# cd clamav

# groupadd clamav

# useradd -g clamav clamav

# ./configure

#make

# make install

# cd /usr/local/etc/

# vi clamd.conf

comment out the line Example.

#Example

uncomment the line

LocalSocket /tmp/clamd.socket

:wq //save the file


# vi freshclam.conf

Comment out the line Example

# Example


:wq //Save the file.



# touch /var/log/freshclam.log

# chmod 600 /var/log/freshclam.log


#chown clamav /var/log/freshclam.log



# which freshclam // This is the utility responsible for updating clam.


The output should be:

/usr/local/bin/freshclam


Run the following

# ldconfig

# freshclam // This command is for updating clamd

# clamscan

# clamd start

# ps -ax | grep clam


The output should be:



# ps -ax | grep clam

Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html

3981 ? Ssl 0:00 clamd start

4010 pts/0 R+ 0:00 grep clam





# freshclam // This option is mainly used for the updating clamav.


# which freshclam


The log file for the fresh clam process is


# ls -l /var/log/freshclam.log

Run the freshclam process in dialy basis in cron.

SAMBA PRIMARY DOMAIN CNROLLER

AMABA PDC

1.It removes duplicate users and group from each stand alone server.
2.Coupled with Microsoft's networking facility that allows a user to log in to her local workstation via a domain account

ADVANTAGES AND DISADVANTAGES

1.Samba 3.0 can act as a Windows NT 4.0 domain controller
2.It does not implement the Windows System Account Manager (SAM) replication protocol
3.This means that it cannot participate as a domain controller with Windows DCs in either an NT 4.0 or mixed-mode Active Directory domain.

ENTER THE FOLLOWING CONFIIGURATION IN TO /etc/samba/smb.conf.

# mkdir -p /data/public

# mkdir -p /data/netlogon

# vi /etc/samba/smb.conf

[global]
netbios name = SERVER1
workgroup = SUPPORT
security = user
encrypt passwords = yes
// enable PDC functionality
domain master = yes
domain logons = yes

os level = 33 //
preferred master = yes // DC act as local master browser
local master = yes //

[public]
path = /data/public
read only = no

[netlogon] // emulates the NETLOGON service on Windows domain controller
comment = Net Logon service
path = /data/netlogon
read only = yes // share is read only
write list = +ntadmin // includes the ntadmin group in the write list

Save the file




Wait approximately one minute for nmbd to complete its name registration process.
Run the following command.

// Enabling the domain master parameter in the global section of smb.conf causes nmbd to register the DOMAIN<0x1b> name (ORA<0x1b> in our example). This name is used by Windows clients to locate the PDC for a domain. When searching for any domain controller, not necessarily just the PDC, a Windows client attempts to resolve the DOMAIN<0x1c> name. You can instruct nmbd to register this name (e.g., ORA<0x1c>) by setting the domain logons option in smb.conf.


# nmblookup 'SUPPORT#1b' 'SUPPORT#1c'



The output should be:

querying SUPPORT on 192.168.1.255

192.168.1.2 SUPPORT<1b>

querying SUPPORT on 192.168.1.255

192.168.1.2 SUPPORT<1c>




Also verify the nmbd log file.

# tail -f /var/log/samba/nmbd.log

The output is:


[2010/07/08 21:53:53, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)

*****



Samba name server STROK is now a local master browser for workgroup SUPPORT on subnet 192.168.1.12

become_logon_server_success: Samba is now a logon server for workgroup SUPPORT on subnet 192.168.1.12



*****





2.SETTING UP WINDOWS CLIENT ACCOUNT ON THE SAMBA DC




On joining a domain client establishes a password known to its self and to the domain controller. This password is called the machine trust account password and is used to prove the identity of the computer each time it contacts the DC. Windows 2000 and later require that you provide credentials for an administrative account that can potentially create the new machine account and assign it a random password.

Domain Admins

Domain Admins is a special group in Windows domains. The group's RID is always 512. When a Windows client joins a domain, it adds this domain group to its local Administrators group. The result is that members of Domain Admins automatically gain administrative privileges on all domain members. Samba honors membership in the Domain Admins group as well, by granting all Domain Admins the ability to manage the user rights assignments necessary to authorize users to join hosts to the domain.


# vi /etc/samba/smb.conf

add
the following line to the GLOBAL section

enable privileges = yes

save the file

# service smb restart



In order to create a group mapping entry for this special domain RID, you must first look up the SID of the ORA domain. You must be root for all the command examples in this section


# net getlocalsid SUPPORT

The output is:

SID for domain SUPPORT is: S-1-5-21-2126422966-4252198253-3505372293

Now append the Domain Admins RID to the domain SID and create a group mapping entry for it:


# net groupmap add sid=-S-1-5-21-2126422966-4252198253-3505372293-512 \
ntgroup="Domain Admins" unixgroup=ntadmin

The output is:

Successfully added group Domain Admins to the mapping db


Now all members of the ntadmin Unix group will be seen as domain administrators by both Samba and Windows clients.

Virtual domain with sendmail and dovecot

Special Thanks To : BasilKurain.


Virtual hosting with dovecot

# grep dovecot /etc/passwd

The outpu is:

dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin

# grep dovecot /etc/group

dovecot:x:97:

# grep vmail /etc/passwd

The output is:

blank

# grep vmail /etc/group

The output is:

blank


# groupadd vmail


# useradd vmail -g vmail

# ls /home/ -l

The output is:

drwx------ 6 vmail vmail 4096 Jul 8 16:23 vmail

# touch /var/log/dovecot.log

# touch /var/log/dovecot-info.log

# vi /etc/dovecot.conf

add the following entries

# Remove imaps things if you don’t want them
protocols = imaps
# It’s nice to have separate log files for Dovecot. You could do this
# by changing syslog configuration also, but this is easier.
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
# Disable SSL for now.
ssl = no # v1.2+, for older versions use: ssl_disable = yes
disable_plaintext_auth = no
# We’re using Maildir format
mail_location = maildir:~/Maildir
# If you’re using POP3, you’ll need this:
# pop3_uidl_format = %08Xu%08Xv
# Authentication configuration:
auth_verbose = yes
auth default {
mechanisms = plain
passdb passwd-file {
args = /etc/dovecot/passwd
}
userdb static {
args = uid=vmail gid=vmail home=/home/vmail/%u
}
}

# mkdir /etc/dovecot/

# touch /etc/dovecot/passwd

# chown -R dovecot:dovecot /etc/dovecot

add the following line to

# vi /etc/dovecot/passwd

add this line:

vasanth@tetsing:{PLAIN}redhat

hemanth@testing.com:{PLAIN}redhat


save the file



Take browser

enter

localhost/webmail

username: vasanth@tetsing.com
password: redhat

You can also use

username: hemanth@testing.com
password: redhat



Now virtual domain testing.com is configured in the domain and users vasanth and hemanth are added.



Vasanth.T.M

Sendmail cotrolling script

I am posting one useful script to start, stop, restrat sendmail( Source code installation )

#! /bin/sh

case "$1" in
start)
echo "Starting SMTP port. (sendmail)"
/usr/sbin/sendmail -bd -q1h
;;
stop)
echo "Stopping down SMTP port:"
killall /usr/sbin/sendmail
;;
restart|reload)
$0 stop && $0 start
;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac
exit 0