Thursday, August 04, 2011

Exim in Debian


I was configuring Exim4 on Debian to send and receive email occasionally.

First I set up an account at dyndns.com for my dynamic public IP, so that the host name resolves to this machine.
#dpkg-reconfigure exim4-config
General type of mail configuration:  internet site; mail is sent and received directly using SMTP.
System mail name: yourdomain.com
IP-addresses to listen on for incoming SMTP connections: // leave blank (Exim then listens on all interfaces, which a public mail server needs)
Other destinations for which mail is accepted: yourdomain.com
Domains to relay mail for: // leave blank
Machines to relay mail for: // leave blank (leave both relay questions empty; anything listed here may send mail through you to the whole internet)
Keep number of DNS-queries minimal (Dial-on-Demand)?: No
Delivery method for local mail: Maildir format in home directory
Split configuration into small files?: No

You can now add an account in Evolution with receiving type "Maildir-format mail directories" and sending via SMTP on localhost. Done.

If sending fails (many ISPs block outgoing port 25 from dynamic IPs), configure Exim to relay through a smarthost instead:
http://wiki.debian.org/GmailAndExim4


TLS and Authentication

Generate a self-signed certificate using:
#bash /usr/share/doc/exim4-base/examples/exim-gencert

It generates exim.crt and exim.key in /etc/exim4/. The private key must be readable only by root and the Debian-exim group (mode 640); check with ls -l.
If you already have a certificate from a CA, copy that certificate and key to the same two files instead.

#cd /etc/exim4
#vi exim4.conf.template

Add the following line
MAIN_TLS_ENABLE = yes

before
.ifdef MAIN_TLS_ENABLE

(On Debian the macro can also go into /etc/exim4/exim4.conf.localmacros, which avoids editing a packaged file.) After every change to the template, regenerate the runtime configuration and restart Exim:
#update-exim4.conf
#invoke-rc.d exim4 restart


To verify TLS, install the swaks diagnostic tool:
# apt-get install swaks libnet-ssleay-perl
Test the connection (-q HELO makes swaks disconnect after the EHLO that follows STARTTLS, so no AUTH is attempted and the empty password is never sent):
$ swaks -a -tls -q HELO -s localhost -au your_user -ap '<>'
=== Trying localhost:25...
=== Connected to localhost.
<-  220 debianwb ESMTP Exim 4.76 Thu, 04 Aug 2011 14:22:02 +0600
 -> EHLO debianwb
<-  250-debianwb Hello localhost [127.0.0.1]
<-  250-SIZE 52428800
<-  250-PIPELINING
<-  250-STARTTLS
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA
 ~> EHLO debianwb
<~  250-debianwb Hello localhost [127.0.0.1]
<~  250-SIZE 52428800
<~  250-PIPELINING
<~  250 HELP
 ~> QUIT
<~  221 evie closing connection
Swaks was given an empty password above and never reached AUTH; the server did not advertise AUTH at all.
Now we add the authentication scheme.
For shell users we use SASL (saslauthd), which checks passwords against PAM, i.e. the system accounts.

#apt-get install sasl2-bin

To enable:
#vi /etc/default/saslauthd
START=yes
Start the daemon:
#/etc/init.d/saslauthd start

#vi /etc/exim4/exim4.conf.template
Uncomment the following block to enable authentication via saslauthd:
plain_saslauthd_server:
   driver = plaintext
   public_name = PLAIN
   server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
   server_set_id = $auth2
   server_prompts = :
   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
   .endif

The server_advertise_condition line only advertises PLAIN once $tls_cipher is set, i.e. inside a TLS session, so system passwords never cross the wire in clear. Do not define AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to work around a client that refuses STARTTLS; fix the client.

Add the exim user to the sasl group so it can reach the saslauthd socket:
#adduser Debian-exim sasl

Regenerate the configuration and restart Exim:
#update-exim4.conf
#invoke-rc.d exim4 restart

Test the connection using your username (-q AUTH disconnects right after the AUTH exchange, so no message is sent):
#swaks -a -tls -q AUTH -s localhost -au your_user
Password:

If the name does not resolve locally, you may need to add it to /etc/hosts:
#vi /etc/hosts
127.0.0.1    your_domain
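To confirm that the authenticator really is advertised only inside TLS, here is an added example in Python (not code from the original post or from Exim). It does what the two swaks runs above do by hand: it parses the EHLO reply before and after STARTTLS and reports whether AUTH leaks onto the cleartext connection. The host and port defaults are assumptions, and the two EHLO replies embedded at the bottom are constructed from the swaks transcript so the parser can be checked offline.

```python
"""Check that an SMTP server offers AUTH only after STARTTLS.

Added example, not code from the original post or from Exim. It probes the
property the saslauthd authenticator's server_advertise_condition is meant
to guarantee: PLAIN is absent from the cleartext EHLO reply and present only
once TLS is up. Host/port defaults are assumptions.
"""
import smtplib
import ssl


def auth_mechanisms(ehlo_reply):
    """Return the set of AUTH mechanisms named in an EHLO reply.

    ehlo_reply is the bytes object smtplib.SMTP.ehlo() returns as its second
    element: the 250 lines without their "250-" prefixes, joined by newlines.
    Both "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN" spelling are handled.
    """
    mechs = set()
    for line in ehlo_reply.decode("ascii", "replace").splitlines():
        upper = line.strip().upper()
        if upper.startswith("AUTH ") or upper.startswith("AUTH="):
            mechs.update(upper[5:].split())
    return mechs


def classify(cleartext_mechs, tls_mechs):
    """Turn the two mechanism sets into a one-line verdict."""
    if cleartext_mechs:
        return "INSECURE: AUTH %s offered before STARTTLS" % " ".join(sorted(cleartext_mechs))
    if not tls_mechs:
        return "NO AUTH: nothing advertised even inside TLS (authenticator not enabled?)"
    return "OK: AUTH %s offered only inside TLS" % " ".join(sorted(tls_mechs))


def probe(host="localhost", port=25, timeout=10):
    """Connect, record AUTH before and after STARTTLS, return (verdict, before, after)."""
    ctx = ssl.create_default_context()
    # exim-gencert makes a self-signed certificate, so it is not verified here.
    # With a CA-issued certificate delete these two lines and let ssl verify it.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, reply = smtp.ehlo()
        before = auth_mechanisms(reply)
        if not smtp.has_extn("starttls"):
            raise RuntimeError("no STARTTLS advertised; is MAIN_TLS_ENABLE in effect?")
        smtp.starttls(context=ctx)
        _, reply = smtp.ehlo()   # a fresh EHLO is required after STARTTLS
        after = auth_mechanisms(reply)
    return classify(before, after), before, after


# Constructed EHLO replies in the shape smtplib returns them, modelled on the
# swaks transcript above with the saslauthd authenticator enabled.
CLEARTEXT_REPLY = b"debianwb Hello localhost [127.0.0.1]\nSIZE 52428800\nPIPELINING\nSTARTTLS\nHELP"
TLS_REPLY = b"debianwb Hello localhost [127.0.0.1]\nSIZE 52428800\nPIPELINING\nAUTH PLAIN\nHELP"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    verdict, before, after = probe(host)
    print(verdict)
```

Run it as `python check_auth_tls.py yourdomain.com` from another machine as well as from localhost: an "INSECURE" verdict means AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is defined or the server_advertise_condition line was lost, and "NO AUTH" means the authenticator block is still commented out or Exim was not restarted.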

Enabling IMAP access:
#apt-get install courier-imap courier-imap-ssl
Create directories for web-based administration -> No
To get change notifications for folders other than the Inbox, install the File Alteration Monitor daemon:
# apt-get install fam

Optionally adjust the X.509 certificate parameters (country, organisation, common name) in:
# vi /etc/courier/imapd.cnf

If you do not want the default self-signed certificate, edit imapd.cnf and generate a new one with:
# mkimapdcert
mkimapdcert refuses to overwrite an existing /etc/courier/imapd.pem, so remove or move that file first.

If you are behind a router, forward ports 25 (SMTP), 143 (IMAP) and 993 (IMAPS) to your server. Port 143 carries logins in clear unless STARTTLS is required; either forward only 993 or set IMAP_TLS_REQUIRED=1 in /etc/courier/imapd-ssl.

source:
http://blog.edseek.com/~jasonb/articles/exim4_courier/index.html
http://pkg-exim4.alioth.debian.org/README/README.Debian.html
http://library.linode.com/email/exim/send-only-mta-debian-6-squeeze
http://koivi.com/exim4-config/

Wednesday, August 03, 2011

secure wipe

#apt-get install secure-delete

It will provide the following tools for secure wiping:
/usr/bin/srm
/usr/bin/sfill
/usr/bin/sswap
/usr/bin/sdmem

srm - secure remove (secure_deletion toolkit)
$srm file_name
$srm -r folder_name

Debian's coreutils package already ships a similar tool, shred:
coreutils - GNU core utilities
/usr/bin/shred
shred - overwrite a file to hide its contents, and optionally delete it
$shred file_name
$shred -u file_name   //also remove the file after overwriting it


sfill  -  secure free disk and inode space wiper (secure_deletion toolkit)
#sfill /mount_point/

sswap - secure swap wiper (secure_deletion toolkit)

Turn off swap first:
#swapoff /dev/sdaX
or
#swapoff -a  //to turn off all swap
Now run sswap:
#sswap /dev/sdaX
sswap also overwrites the swap signature, so re-create it before turning swap back on:
#mkswap /dev/sdaX
#swapon /dev/sdaX
sdmem - secure memory wiper (secure_deletion toolkit): it overwrites only memory that is currently free, and it is slow.


These tools only overwrite the blocks a file currently occupies. On journaling filesystems in data=journal mode, on copy-on-write or snapshotting filesystems, on RAID and on SSDs with wear levelling, older copies of the data can survive outside those blocks, so an overwrite is no guarantee; the shred(1) and srm(1) manual pages list these cases. For a whole device, wiping the device rather than individual files is the reliable option.
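To make the "overwrite in place" point concrete, here is an added example in Python (not the secure-delete or coreutils code). It performs the core operation of srm and shred on a single file with the checks a careful wiper needs, and a demo() that creates a file with constructed content, wipes it and verifies through the filesystem what can be verified: same inode, same size, old bytes gone.

```python
"""In-place overwrite of a file, the operation srm and shred perform.

Added example, not the secure-delete or coreutils code. The overwrite must
hit the file's existing blocks (same inode, no truncate, no rename), which is
why a plain rm followed by writing a new file does nothing for the old data.
The demo payload is constructed for this illustration.
"""
import os
import stat
import tempfile

CHUNK = 64 * 1024


def overwrite_in_place(path, passes=3):
    """Overwrite path with random data `passes` times, fsync after each pass.

    Returns (inode, bytes_per_pass). Refuses anything that is not a regular
    file, so a symlink cannot redirect the wipe at some other file.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("%s is not a regular file" % path)
    size = st.st_size
    # O_NOFOLLOW: fail instead of following a symlink swapped in after lstat.
    fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)
    try:
        if os.fstat(fd).st_ino != st.st_ino:
            raise RuntimeError("%s changed between lstat and open" % path)
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                remaining -= os.write(fd, os.urandom(min(CHUNK, remaining)))
            os.fsync(fd)   # push this pass to the device before starting the next
    finally:
        os.close(fd)
    return st.st_ino, size


def wipe(path, passes=3):
    """Overwrite first, unlink last: the name goes away only after the data."""
    ino, size = overwrite_in_place(path, passes)
    os.unlink(path)
    return ino, size


def demo():
    """Wipe a constructed secret and report what the filesystem view confirms."""
    secret = b"constructed secret payload " * 4000   # ~108 KB, spans several chunks
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    ino_before = os.stat(path).st_ino
    ino, size = overwrite_in_place(path, passes=1)
    with open(path, "rb") as f:
        after = f.read()
    result = {
        "same_inode": ino == ino_before,                  # existing blocks were rewritten
        "size_unchanged": len(after) == size == len(secret),
        "content_gone": after != secret and secret[:27] not in after,
    }
    os.unlink(path)
    result["unlinked"] = not os.path.exists(path)
    return result


if __name__ == "__main__":
    print(demo())
```

What demo() checks is the logical file only: that the inode was kept and its bytes replaced. It cannot see journal copies, copy-on-write shadows or remapped flash blocks, which is exactly the limitation described above; no userland overwrite can verify those.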

Thursday, March 17, 2011

Bandwidth Control in Linux

There are several ways to control / shape / manage bandwidth in Linux.


Simple approach. Install wondershaper:

#apt-get install wondershaper

Configure it using kilobits (change eth1 according to yours):
from manual "wondershaper [ interface ] [ downlink ] [ uplink ]"
#wondershaper eth1 2048 2048
If you want to clear simply run:
#wondershaper clear eth1


We will control the bandwidth using a tool "tc", which is a part of "iproute" package in Debian.
tc - show / manipulate traffic control settings

Simple, classless Queueing Disciplines:

The Token Bucket Filter (TBF) - simple and easy, for slowing an interface down.

qdisc - queueing discipline
rate - the speed limit
burst - size of the bucket, in bytes; too small a bucket drops packets before the configured rate is reached (see the tc-tbf manual)
latency - maximum time a packet may wait in the queue for tokens (limit is the same bound expressed in bytes)

#tc qdisc add dev eth1 root tbf rate 220kbit latency 50ms burst 1540


Stochastic Fairness Queueing (SFQ) - round-robin style; each flow gets a turn to send. Flows are sorted into buckets by a hash, and the hash is reseeded periodically so two flows that collide do not stay stuck together.

qdisc - queueing discipline
perturb - reseed the hash every this many seconds.
#tc qdisc add dev eth1 root sfq perturb 10



To check the status run:
#tc -s -d qdisc show dev eth1
To remove it:
#tc qdisc del dev eth1 root



Classful Queueing Disciplines:

CBQ (Class Based Queueing) - A Classful Queueing
HTB - Another classful Queueing. (we will use it.)

Example classful qdisc



Let us assume we want to create some rules for a small office using HTB.
eth0 - external interface - PUBLIC_IP
eth1 - internal interface - LOCAL_IP
The rules below attach to eth1, so they shape traffic the router sends towards the LAN, i.e. the users' downloads; that is why the filters match on the remote address (ip src) and remote port (ip sport). Uploads would need a second tree on eth0.
Email will get the highest priority.
General/Other will get the medium priority.
Video streaming will get the lowest priority.


Creating root 1: and 1:1 using HTB (default 6 means follow 1:6 if no rule matched)
#tc qdisc add dev eth1 root handle 1: htb default 6
#tc class add dev eth1 parent 1: classid 1:1 htb rate 2mbit ceil 2mbit

Creating leaf class 1:5 (prio on a filter is the order in which filters are tried, lower first; it is not the HTB class priority, which is the separate "prio" option of tc class ... htb. Here the priorities are expressed through rate and ceil instead.)
#tc class add dev eth1 parent 1:1 classid 1:5 htb rate 1mbit ceil 1.5mbit
#tc filter add dev eth1 protocol ip parent 1:0 prio 0 u32 match ip src YOUR_MAIL_SERVER_IP/32 flowid 1:5
#tc filter add dev eth1 protocol ip parent 1:0 prio 0 u32 match ip sport 22 0xffff flowid 1:5

Creating leaf class 1:6 (It is set as default in root qdisc, so we are not setting any rules)
#tc class add dev eth1 parent 1:1 classid 1:6 htb rate 0.5mbit ceil 1.5mbit

Creating leaf class 1:7 (use /32 for specific IP, /24 for that series. Priority low - prio 5. You can get the IP address using "iptraf" tool)
#tc class add dev eth1 parent 1:1 classid 1:7 htb rate 0.2mbit ceil 1mbit
#tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 match ip src VIDEO_STREAM_IP/32 flowid 1:7


Optionally we can also add discipline with leaf (for an example we are adding SFQ with leaf class 1:5)
#tc qdisc add dev eth1 parent 1:5 handle 20: sfq perturb 10

To remove it:
#tc qdisc del dev eth1 root handle 1: htb
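The HTB tree above has invariants that tc does not check for you: the leaf rates must not add up to more than the parent's rate (otherwise the guarantees cannot be honoured), no ceil may exceed the parent, and the default class must exist. Here is an added example in Python (not part of the original post or of iproute2) that holds the office plan as data, validates it, and emits the same tc commands. It also goes slightly beyond the text by setting the HTB class-level prio (lower wins when classes borrow), which the original expresses only through filter prio; the class prio values and the placeholder addresses are assumptions.

```python
"""Build and sanity-check an HTB shaping plan before handing it to tc.

Added example, not from the original post or iproute2. Reproduces the
small-office tree (classes 1:5, 1:6, 1:7 under 1:1 on eth1) as data.
"""


class Leaf:
    def __init__(self, classid, rate_kbit, ceil_kbit, prio, matches=()):
        self.classid = classid        # e.g. "1:5"
        self.rate_kbit = rate_kbit    # guaranteed bandwidth
        self.ceil_kbit = ceil_kbit    # may borrow up to this
        self.prio = prio              # HTB class priority, 0 = served first
        self.matches = list(matches)  # u32 match expressions, e.g. "ip sport 22 0xffff"


def validate(parent_rate_kbit, leaves):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    ids = [l.classid for l in leaves]
    if len(set(ids)) != len(ids):
        problems.append("duplicate classid")
    guaranteed = sum(l.rate_kbit for l in leaves)
    if guaranteed > parent_rate_kbit:
        # HTB cannot honour guarantees that add up to more than the parent rate.
        problems.append("leaf rates sum to %d kbit, parent is %d kbit"
                        % (guaranteed, parent_rate_kbit))
    for l in leaves:
        if l.rate_kbit > l.ceil_kbit:
            problems.append("%s: rate exceeds ceil" % l.classid)
        if l.ceil_kbit > parent_rate_kbit:
            problems.append("%s: ceil exceeds parent rate" % l.classid)
    return problems


def tc_commands(dev, parent_rate_kbit, leaves, default_classid):
    """Return the tc command lines for the tree, root qdisc first."""
    problems = validate(parent_rate_kbit, leaves)
    if problems:
        raise ValueError("; ".join(problems))
    if default_classid not in [l.classid for l in leaves]:
        raise ValueError("default class %s is not a leaf" % default_classid)
    default_minor = default_classid.split(":")[1]   # "htb default 6" means class 1:6
    cmds = [
        "tc qdisc add dev %s root handle 1: htb default %s" % (dev, default_minor),
        "tc class add dev %s parent 1: classid 1:1 htb rate %dkbit ceil %dkbit"
        % (dev, parent_rate_kbit, parent_rate_kbit),
    ]
    for l in leaves:
        cmds.append("tc class add dev %s parent 1:1 classid %s htb rate %dkbit ceil %dkbit prio %d"
                    % (dev, l.classid, l.rate_kbit, l.ceil_kbit, l.prio))
    for l in leaves:
        for m in l.matches:
            # filter prio only orders filter evaluation; it is separate from class prio
            cmds.append("tc filter add dev %s protocol ip parent 1:0 prio %d u32 match %s flowid %s"
                        % (dev, l.prio, m, l.classid))
    return cmds


# The plan from the text (2 Mbit on eth1); the addresses are placeholders.
OFFICE = [
    Leaf("1:5", 1000, 1500, 0, ["ip src YOUR_MAIL_SERVER_IP/32", "ip sport 22 0xffff"]),
    Leaf("1:6", 500, 1500, 2),
    Leaf("1:7", 200, 1000, 5, ["ip src VIDEO_STREAM_IP/32"]),
]


if __name__ == "__main__":
    for c in tc_commands("eth1", 2000, OFFICE, "1:6"):
        print(c)
```

Pipe the output into sh as root (after `tc qdisc del dev eth1 root` if a tree already exists) and verify with `tc -s -d class show dev eth1`. Rates are emitted in kbit so that fractional values such as 0.5mbit never depend on how tc parses floats.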




This document describes the basics of bandwidth control/shaping for new users. Check the detailed documentation for advanced options.

source:
http://lartc.org/howto/index.html
http://www.opalsoft.net/qos/DS.htm
http://blog.edseek.com/~jasonb/articles/traffic_shaping/index.html
HTB user guide:
http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm
Filter:
http://lartc.org/howto/lartc.qdisc.filters.html
http://linux-ip.net/articles/Traffic-Control-HOWTO/index.html

Friday, March 11, 2011

FreeBSD with Debian GRUB


I have installed FreeBSD 8.2 amd64 in my PC for testing.

If you want to boot FreeBSD using GRUB, simply edit
/etc/grub.d/40_custom

Below the existing comment block at the top of that file, add the following lines
(change the partition to yours; GRUB 2 numbers partitions from 1, so the third partition on the first disk is '(hd0,3)' or '(hd0,msdos3)'):
menuentry 'FreeBSD 8.2 amd64' {
        set root='(hd0,X)'
        chainloader +1
}

Update the grub.cfg
#update-grub

FreeBSD should appear in your grub menu while booting...

Friday, March 04, 2011

Encrypted folder in Linux

We are using EncFS. It provides an encrypted filesystem in user-space.

You may need to load fuse module:

#modprobe fuse

Install encfs:
#apt-get install encfs

Optionally you may install (EncFS system tray applet for GNOME):
#apt-get install cryptkeeper

encfs [options] rootDir mountPoint
Here I am creating a root folder name encrypt for storing encrypted files.
Also creating a mount point folder named decrypt, which we will use to read/write files.
$encfs ~/.encrypt ~/decrypt

It will ask for permission to create the directories - type y here.
Next it asks for expert or pre-configured mode - use pre-configured - type p here.

It will ask for a password. Use a strong password here; the encryption is only as good as it.

Done! You can now use the decrypt folder as an encrypted folder.

The actual data is stored under .encrypt, encrypted file by file, and becomes readable through decrypt once mounted via encfs. Because EncFS works per file, the number of files, their sizes and the directory layout remain visible in .encrypt even while unmounted; only contents and names are hidden.


You may unmount it using:
$fusermount -u ~/decrypt

source:
http://www.debian-administration.org/articles/204
http://ubuntuforums.org/showthread.php?t=148600

Encrypted partition in Linux

To create encrypted disks we are using cryptsetup

#apt-get install cryptsetup

Back up your data and optionally overwrite the partition first, so no old plaintext remains next to the encrypted data:
#shred -n1 -v /dev/sdaX

Initialise the LUKS partition (warning: this destroys everything on it):
#cryptsetup luksFormat /dev/sdaX

Type "YES" (in capitals). It then asks for the passphrase. Use a strong one, otherwise the encryption will not help you.
There are other options for securing it (cipher, key size, iteration time). Check the cryptsetup manual for details.


Open and sets up a mapping for LUKS partition:
#cryptsetup luksOpen /dev/sdaX your_map_name

Format the LUKS partition using the mapping:
#mkfs.ext3 /dev/mapper/your_map_name

Now you can mount it:
#mount /dev/mapper/your_map_name /mnt/your_mount_name


Optionally you can umount and (removes mapping) lock the LUKS again:
#umount  /mnt/your_mount_name
#cryptsetup luksClose your_map_name

I have tested this on Debian 6.0.0.
You may need to load the device-mapper module (optionally add it to /etc/modules):
#modprobe dm_mod


Edit /etc/crypttab
# <target name>            <source device>         <key file>      <options>
your_map_name            /dev/sdaX               none            luks


Edit /etc/fstab
# <file system>                <mount point>          <type>   <options>       <dump>   <pass>
/dev/mapper/your_map_name      /mnt/your_mount_name  ext3    user,auto       0       0

(The "user" option lets any user mount the filesystem and implies noexec,nosuid,nodev; if only root mounts it and you need executables on it, use "defaults" instead.)


You can reboot. It will ask for the password while booting.
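cryptsetup luksDump shows what luksFormat wrote to the start of the partition; here is an added example in Python (not cryptsetup's code) that reads that structure itself, so you can confirm a device really is LUKS, which cipher, hash and key size are in use, and which key slots hold a passphrase. It handles the fixed 592-byte LUKS1 header, the format Debian 6's cryptsetup produces; LUKS2 uses a different, JSON-based header and is not parsed. The sample header is constructed inside the block for the offline check, not read from a real disk.

```python
"""Parse a LUKS1 header (the structure written by cryptsetup luksFormat).

Added example, not cryptsetup's code. Layout per the LUKS1 on-disk format:
208-byte fixed part followed by eight 48-byte key slots. LUKS2 is not handled.
"""
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"   # fixed part, 208 bytes, big-endian
SLOT_FMT = ">II32sII"                    # one key slot, 48 bytes
SLOT_ACTIVE = 0x00AC71F3
SLOT_DISABLED = 0x0000DEAD
HEADER_LEN = struct.calcsize(PHDR_FMT) + 8 * struct.calcsize(SLOT_FMT)   # 592


def _cstr(b):
    """Decode a NUL-padded ASCII field."""
    return b.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks1_header(buf):
    """Return a dict describing the header, or None if buf is not a LUKS1 header."""
    if len(buf) < HEADER_LEN or buf[:6] != LUKS_MAGIC:
        return None
    (_magic, version, cipher, mode, hashspec, payload_off, key_bytes,
     _mk_digest, _mk_salt, mk_iter, uuid) = struct.unpack_from(PHDR_FMT, buf, 0)
    if version != 1:
        return None
    slots = []
    off = struct.calcsize(PHDR_FMT)
    for i in range(8):
        active, iters, _salt, _km_off, stripes = struct.unpack_from(SLOT_FMT, buf, off)
        off += struct.calcsize(SLOT_FMT)
        if active == SLOT_ACTIVE:
            slots.append({"slot": i, "iterations": iters, "stripes": stripes})
        elif active != SLOT_DISABLED:
            return None   # neither marker: corrupted, or not LUKS1 after all
    return {
        "cipher": "%s-%s" % (_cstr(cipher), _cstr(mode)),
        "hash": _cstr(hashspec),
        "key_bits": key_bytes * 8,
        "payload_offset_bytes": payload_off * 512,   # header field is in sectors
        "mk_iterations": mk_iter,
        "uuid": _cstr(uuid),
        "active_slots": slots,
    }


def read_header(device):
    """Read the header from a block device or image file (a device needs root)."""
    with open(device, "rb") as f:
        return parse_luks1_header(f.read(HEADER_LEN))


def build_sample_header():
    """Construct a plausible LUKS1 header with one active key slot (test data only)."""
    head = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1",
                       4096, 32, b"\x11" * 20, b"\x22" * 32, 75000,
                       b"5a8f2c3e-1234-4abc-9def-0123456789ab")
    slots = struct.pack(SLOT_FMT, SLOT_ACTIVE, 150000, b"\x33" * 32, 8, 4000)
    slots += struct.pack(SLOT_FMT, SLOT_DISABLED, 0, b"\x00" * 32, 0, 0) * 7
    return head + slots


if __name__ == "__main__":
    import sys
    dev = sys.argv[1] if len(sys.argv) > 1 else None
    print(read_header(dev) if dev else parse_luks1_header(build_sample_header()))
```

Running it against /dev/sdaX after luksFormat should show exactly one active slot; a None result on a device you believe is encrypted, or a surprisingly low iteration count, is worth investigating before you put the mapping into crypttab.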


source:
http://www.debian-administration.org/article/Encrypting_an_existing_Debian_lenny_installation
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3683011/Protect-Your-Stuff-With-Encrypted-Linux-Partitions.htm
http://www.linuxconfig.org/Partition_Encryption

Saturday, February 19, 2011

MoinMoin in DreamHost


I have tested using moin-1.9.3.tar.gz in DreamHost.
You have to enable Passenger in your domain.

Download  MoinMoin from:
http://moinmo.in/

Documentation (specially check the Server Installation part):
http://master19.moinmo.in/InstallDocs


1. ssh to your server, and download moin using wget.

2. Extract it:
tar -zxvf moin-1.9.3.tar.gz

3. Run setup script
cd moin-1.9.3
python setup.py --quiet install --prefix=$HOME --record=install.log

4. Check the install.log using emacs or nano for the python version it is using.
emacs install.log 
...
/home/youraccount/lib/python2.5/site-packages/...
...

5. Edit the moin.cgi (it would be easy, if you start another ssh shell in the server)
find -name moin.cgi     //if you want to find it yourself.
$HOME/share/moin/server/moin.cgi

emacs $HOME/share/moin/server/moin.cgi

Make the following changes
# a1) Path of the directory where the MoinMoin code package is located.
#     Needed if you installed with --prefix=PREFIX or you didn't use setup.py.
#sys.path.insert(0, 'PREFIX/lib/python2.3/site-packages')

# a2) Path of the directory where wikiconfig.py / farmconfig.py is located.
#     See wiki/config/... for some sample config files.
#sys.path.insert(0, '/path/to/wikiconfigdir')
===================================================

# a1) Path of the directory where the MoinMoin code package is located.
#     Needed if you installed with --prefix=PREFIX or you didn't use setup.py.
sys.path.insert(0, '/home/youraccount/lib/python2.5/site-packages')

# a2) Path of the directory where wikiconfig.py / farmconfig.py is located.
#     See wiki/config/... for some sample config files.
sys.path.insert(0, '/home/youraccount/moin/config')

you can verify this location using another shell while editing.


6. This example is designed for single wiki
create this directory $HOME/moin/config/
cd $HOME/moin/config
cp $HOME/share/moin/config/wikiconfig.py .
cp -r $HOME/share/moin/data/ .
cp -r $HOME/share/moin/underlay/ .

7. Edit wikiconfig.py in $HOME/moin/config/
emacs wikiconfig.py

Make the following changes
# If that's not true, feel free to just set instance_dir to the real path
# where data/ and underlay/ is located:
#instance_dir = '/where/ever/your/instance/is'
instance_dir = wikiconfig_dir

# If that's not true, feel free to just set instance_dir to the real path
# where data/ and underlay/ is located:
instance_dir = '/home/youraccount/moin/config'
#instance_dir = wikiconfig_dir

Change the sitename if you want to change your wiki name.

8. Copy /home/youraccount/share/moin/server/moin.cgi to your public folder and rename it to wiki.cgi,
or
create a file wiki.cgi in your public folder. A symlink did not work for me, so the wrapper below replaces itself with moin.cgi; the CGI environment and stdin pass through unchanged (make it executable with chmod 755 wiki.cgi).
#!/usr/bin/python
import os
# exec rather than os.system: no shell involved, and moin.cgi's exit status goes straight back to the web server
os.execv('/usr/bin/python', ['python', '/home/youraccount/share/moin/server/moin.cgi'])

9. now you need to link the htdocs for css and images.
cd $HOME
find -name htdocs   //if you want to find it yourself
(I have found in the following location.)
./lib/python2.5/site-packages/MoinMoin/web/static/htdocs

change directory to your public folder.
create a symbolic link of htdocs in your public folder.
ln -s $HOME/lib/python2.5/site-packages/MoinMoin/web/static/htdocs .
mv htdocs moin_static193  //rename the symlink. This is important: MoinMoin 1.9.3 serves its static files under the URL prefix /moin_static193 (url_prefix_static in wikiconfig.py).

You can always use your custom directory names, but in that case you have to edit the configuration file. This example is written for a simple installation of MoinMoin.

Using a browser open:
http://yourdomain.com/wiki.cgi

If you can see the wiki, you have successfully setup the MoinMoin.
Now, start customizing it by editing the config files.

To avoid the *.cgi in URLs, add the following lines to your .htaccess file (they need mod_rewrite and mod_headers):
RewriteEngine on
RewriteRule ^wiki$ wiki/
RewriteRule ^wiki(/.*) wiki.cgi$1
RequestHeader set X-Moin-Location /wiki

Now use it as:
http://yourdomain.com/wiki/



10. Optional mail configuration:
emacs $HOME/moin/config/wikiconfig.py
# Mail --------------------------------------------------------------
...
    mail_smarthost = "mail.yourdomain.com"
    mail_from = u"Your Wiki <noreplay@yourdomain.com>"
    mail_login = "auth-email@yourdomain.com email-pass"
...
mail_login stores the mailbox password in clear, so keep wikiconfig.py outside the public folder (as above) and readable only by your account (chmod 600 wikiconfig.py).
Optionally add noreplay@yourdomain.com as "Garbage Email" in the DreamHost panel; mail to it is then deleted without a bounce.

src:
http://wiki.dreamhost.com/MoinMoin
http://mitch.contlafamily.com/wiki/HOWTO/Install_MoinMoin_On_Dreamhost