Category Archives: linux

SSL Certificates in Zimbra 5.0.x

Leave a reply

Using these links as a starting place,
http://www.jransomed.com/mywiki/Zimbra/InstallingSSLCertificate
http://wiki.zimbra.com/index.php?title=5.x_Commercial_Certificates_Guide

Here’s a run-down of installing SSL certificates in Zimbra Collaboration Suite (ZCS) 5.0.x. It’s relatively straightforward once you wrap your head around the steps. You’ll want to do these steps as root.

The customer on which this example is based had existing Comodo wildcard certificates for their *.domain.edu.

Browse to http://instantssl.com
log in
Arrow over to Comodo PreimumSSL Wildcard Certificate for *.domain.edu
click on ‘Download as .zip’

You should have three files that start with ‘STAR.’ rename them:
STAR_domain_edu.crt to commercial.crt
STAR_domain_edu.crt to commercial_ca.crt
STAR_domain_edu.key to commercial.key

Copy the commercial* files to each of the Zimbra hosts.


# mv commercial.key /opt/zimbra/ssl/zimbra/commercial
# mv commercial.crt commercial_ca.crt /var/tmp

Deploy the cert:


# cd /var/tmp
# zmcertmgr deploycrt comm ./commercial.crt commercial_ca.crt

This may not apply to you but we were unable to get openssl and by extension Zimbra to verify the Comodo cert chain. If zmcertmgr deploycrt is failing for you and you’re relatively confident your certs are okay here’s how I fixed it. It’s unconventional but it works. I am open to correction if someone has a more conventional fix for this..

Cd to /opt/zimbra/bin, copy zmshutil and zmcertmgr to /var/tmp and edit zmcertmgr in /var/tmp. Comment out the lines as below and add two lines also as below:


# cd /opt/zimbra/bin
# cp zmshutil /var/tmp/zmshutil
# cp zmcertmgr /var/tmp/zmcertmgr
# vi /var/tmp/zmcertmgr
    #  result=`${openssl} verify -purpose sslserver -CAfile $ca_crt $crt`
    #  if [ x"${result}" = x"${crt}: OK" ]; then
    #   echo "Valid Certificate: $result"
    echo "(artificially) Valid Certificate: $result"
    #  else
    #    echo "${ERROR_PREFIX} Invalid Certificate: $result"
    #    exit 1
    #  fi

    #  result=`${openssl} verify -purpose sslserver -CAfile $cafile $crt`

    #  if [ x"${result}" = x"${crt}: OK" ]; then
    #      echo "Valid Certificate Chain: $result"
    echo "(artificially) Valid Certificate Chain: $result"
    #  else
    #    echo "${ERROR_PREFIX} Invalid Certificate Chain: $result"
    #    exit 1
    #  fi

Once you’ve saved the modified version of zmcertmgr, run it from /var/tmp to deploy the certificates:


# cd /var/tmp
# ./zmcertmgr deploycrt comm ./commercial.crt commercial_ca.crt 
** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
(artificially) Valid Certificate: 
** Copying ./commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Installing CA to /opt/zimbra/conf/ca...done.

Now your certificates are installed. You need to restart Zimbra for them to take effect:


# su - zimbra -c "zmcontrol stop && zmcontrol start"

You’ll need to repeat the above for each of your servers if you have a multi-server environment: stores, mtas, ldap, etc.

If you have a relatively recent version of openssl you can test that your certificate is working by testing tls on your mta(s):


$ openssl s_client -starttls smtp -connect mta.domain.edu:25

Slicehost: a first impression

Leave a reply

You are reading this post on my newly migrated slicehost xen virtual machine.

This is my first hosting experience: until now my web site was running off of a machine under my desk at home. This is obviously not ideal for bandwidth or reliability. Slicehost caters to a technical demographic that just wants a stripped down OS and little or no management tools. And it’s cheap to start.

Initially I installed mysql, apache2, php and various supporting packages. I loaded databases for WordPress and Gallery2 and rsynced my data over. With a little tweaking everything was up and running.

As you may know Gallery2 generates thumbnails on the fly as users visit the site. I cleared the thumbnails during some troubleshooting so they had to all be regenerated on my slicehost. What I found was that on the 256mb slice the system spent an inordinate amount of time in iowait and in many cases Gallery pages would timeout. It took noticeably longer than the Pentium III 350mhz I just migrated from.

After added swap files without improvement I finally upgraded to a 512mb slice. Result: it screams. Ultimately the 256mb slice is just not enough to contain the OS and an application of any significant size.

My intial thoughts were that slicehost was a disaster and I should run but really their baseline packages is just *really* lean on memory. If you’re having problems you might want to try upgrading before any further troubleshooting: they bill pro-rated and will allow you to fall back at no charge if you don’t like the updated slice.

Controlling sender domain in Postfix/Zimbra 5

Leave a reply

A client has asked that mail through his Zimbra MTA only be allowed from or to valid domains within their organization. This is particularly applicable to Zimbra as Zimbra will only archive mail if it’s from or to a domain for which it is authoritative. The idea is to archive all mail through their Zimbra environment.. If it is not one of their domains, refuse it.

If this were my organization it would look like this:
mail from user@morganjones.org to any domain would work
mail from user@1038east.com to any domain would work
mail from any domain to user@morganjones.org would work
mail from any domain to user@1038east.com would work
of course mail from and to user@morganjones.org or 1038east.com will work
all other mail will be considered relaying.

One thing we did not do that I might want to do is force authentication. The problem with this configuration is it does open up to spamming as it only validates from or to domain.

This is really a discussion about Postfix configuration but I did the work in Zimbra so I might as well add the additional steps to configure it in Zimbra.. These instructions will be applicable to straight Postfix or Zimbra.

You’ll want to do all the work as the zimbra user:
Run the zmprov command for each of your mtas.


# su - zimbra

$ zmprov ms mta01.morganjones.org zimbraMtaMyNetworks 127.0.0.0/8

$ vi /opt/zimbra/postfix/conf/main.cf
smtpd_sasl_auth_enable = no
# if you want enable sending to domains for which your environment is not
#   authoritative this is also handy for testing in your dev environment
#   that is only authoritative for a dev domain
relay_domains = 1038east.com, morganjones.org

You also want to modify smtpd_recipient_restrictions but in Zimbra you must modify that with in the zimbra configuration:


$ vi /opt/zimbra/conf/postfix_recipient_restrictions.cf
# remove permit_sasl_authenticated
check_sender_access hash:/opt/zimbra/postfix/conf/access

$ vi /opt/zimbra/postfix/conf/access
1038eaast.com OK
morganjones.org OK

$ zmmtactl reload

You might want to check that /opt/zimbra/postfix/conf/main.cf now contains this:


smtpd_recipient_restrictions = reject_non_fqdn_recipient,
check_sender_access
hash:/opt/zimbra/postfix/conf/access, permit_mynetworks,
reject_unauth_destination, reject_unlisted_recipient,
reject_invalid_hostname, reject_non_fqdn_sender, permit

You should now be set.

It’s worth mentioning: check_sender_access will only check and allow the sender domain. if you don’t set relay_domains the recipient domain is allowed because your environment is the final destination for that/those domain(s). As noted above you can set relay_domains above if you want to allow relaying to domains for which this environment is not the final destination.

Zimbra LDAP Debugging

Leave a reply

Multi-node Zimbra installs sometimes fail in mysterious ways.. We recently resolved what turned out to be a network problem but it was causing our Zimbra install to fail with what I originally suspected was an LDAP problem. I think the troubleshooting process may prove useful. This is Zimbra 5.0.4:

If a store doesn’t appear to be communicating with its ldap master, here’s how a I debugged it

On the ldap master:


# vi /etc/syslog.conf
    local4.debug          -/var/log/zimbra.log
# /sbin/service syslog reload
Reloading syslogd...                                       [  OK  ]
Reloading klogd...                                         [  OK  ]
# su - zimbra
$ zmlocalconfig -e ldap_log_level=800
$ zmcontrol stop && zmcontrol start

Now tail -f /var/log/zimbra.log for slapd logging

Now from the store:

yum install openldap-clients (RHEL5) or
up2date openldap-clients (RHEL4) if ldapsearch isn’t installed


$ ldapsearch -h zldap.morganjones.internal -W -x -LL -D cn=config
-b cn=zimbra objectclass=*
Enter LDAP Password:
version: 1 

dn: cn=zimbra
objectClass: organizationalRole
description: Zimbra Systems Application Data
cn: zimbra 

dn: cn=admins,cn=zimbra
objectClass: organizationalRole
description: admin accounts
cn: admins 

...

dn: cn=com_zimbra_convertd,cn=zimlets,cn=zimbra
zimbraZimletDescription: Convertd Extension for Admin UI
zimbraZimletVersion: 1.0
objectClass: zimbraZimletEntry
zimbraZimletIndexingEnabled: TRUE
zimbraZimletKeyword: com_zimbra_convertd
cn: com_zimbra_convertd
zimbraZimletIsExtension: TRUE
zimbraZimletPriority: 12
zimbraZimletEnabled: TRUE
$

side note: Zimbra users TLS for connections before stores and ldap servers. ‘-LL’ forces ldapsearch to use TLS, -x turns off ldaps.

Here’s the background that started me down this path:

Install ldap master with at least zimbra-ldap

Install a store, answer ‘n’ to zimbra-ldap and ‘y’ to zimbra-store. At the Main menu choose ‘1’ for Common Configuration.

Set Ldap master host and Ldap Admin password and when I typed ‘r’ it hung just like this:


Common configuration

   1) Hostname:                                store01.morganjones.internal
   2) Ldap master host:                      zldap.morganjones.internal
   3) Ldap port:                                389
   4) Ldap Admin password:                 set
   5) LDAP Base DN:                           cn=zimbra
   6) Require secure interprocess communications: yes
   7) TimeZone:
             (GMT-05.00) Easten Time (US & Canada)

Select, or 'r' for previous menu [r] r

A quick look at /tmp/zmsetup* revealed:


Couldn't bind to zldap.morganjones.internal as uid=zimbra,cn=admins,cn=zimbra
Checking ldap on zldap.morganjones.internal:389
Unable to startTLS: Resource temporarily unavailable
Couldn't bind to zldap.morganjones.internal as uid=zimbra,cn=admins,cn=zimbra
checking isEnabled zimbra-store

Aha.. an LDAP connectivity problem.

Linus on version control

Leave a reply

He introduces distributed version control and his system: GIT. If I understand it correctly: developers pull from HEAD, work independently, are able to share and merge among each other.

Apparently there are two open source distributed version control systems:
Mercurial and GIT

He’s vehemently against CVS, SVN and Perforce.

Remember he is the author of the Linux kernel (read: brilliant) and overlook his attitude. He has some really interesting things to say.

lighttpd and mailman

Leave a reply

There does not appear to be a how-to about integrating mailman with lighttpd. I’m relatively new to lighttpd and it’s pretty different from Apache. Please let me know if I am missing something significant.

I am using mailman 2.1.9 installed from rpm in Fedora Core 6 (fc6). There should not be much difference if you install it from the distribution.

If you install mailman from scratch it is important that you run the configure with –with-cgi-gid=lighttpd. Substitute ‘lighttpd’ with the group id you will be using to run lighttpd. lighttpd runs as group ‘lighttpd’ by default in fc6.


# mkdir /srv/www/lighttpd/images
# cp /usr/lib/mailman/icons/* /srv/www/lighttpd/images
# vi /usr/lib/mailman/Mailman/mm_cfg.py
    IMAGE_LOGOS = '/images/'
# vi /etc/lighttpd/lighttpd.conf


uncomment the following from "server.modules:"


    "mod_redirect",
    "mod_cgi",


If you're running lighttpd and mailman from the Fedora RPM:


    server.groupname            = "apache"


then


    # Exec        /mailman/*      $prefix/cgi-bin/* or
    # ScriptAlias /mailman/       $prefix/cgi-bin/
    alias.url = ( "/mailman" => "/usr/lib/mailman/cgi-bin",
        "/pipermail/" => "/var/lib/mailman/archives/public")
    $HTTP["url"] =~ "^/mailman" {
        cgi.assign = ( "" => "" )
    }

The Apache config directives are in comments above. In essence:
Alias /mailman to "/usr/lib/mailman/cgi-bin" on the filesystem
Tell lighttpd that any web path starting with /mailman contains executables.
cgi.assign = ("" => "") tells lighttpd that files without extensions should be run without an interpreter.

Zimbra install fails due to missing /usr/lib64/libstdc_++.so.5

Leave a reply

We are running Zimbra 4.5.3 Network Edition on Sun x4200s and x4100s with RHEL4. We’ve fully patched Redhat and I’m 99% sure certain Redhat was installed with full 64 bit support.


# gzip -dc zcs-NETWORK-4.5.3_GA_733.RHEL4_64.tgz |tar xf -
# cd zcs
# ./install.sh
...
Checking for prerequisites...
    NPTL...FOUND
    sudo...FOUND sudo-1.6.7p5-30.1.3
    libidn...FOUND libidn-0.5.6-1
libidn-0.5.6-1
    curl...FOUND curl-7.12.1-8
curl-7.12.1-8
    fetchmail...FOUND fetchmail-6.2.5-6
    gmp...FOUND gmp-4.1.4-3
gmp-4.1.4-3
    compat-libstdc++-296...FOUND compat-libstdc++-296-2.96-132.7.2
    compat-libstdc++-33...FOUND compat-libstdc++-33-3.2.3-47.3
    /usr/lib/libstdc++.so.5...FOUND
    /usr/lib64/libstdc++.so.5...MISSING

###ERROR###

One or more prerequisite packages are missing.
Please install them before running this installer.

Installation cancelled.

#

The solution is relatively simple:


# up2date --arch=x86_64 -i compat-libstdc++-33

Fetching Obsoletes list for channel: rhel-x86_64-es-4...

Fetching rpm headers...
########################################

Name                                    Version        Rel     
----------------------------------------------------------
compat-libstdc++-33    3.2.3    47.3     x86_64


Testing package set / solving RPM inter-dependencies...
########################################
compat-libstdc++-33-3.2.3-4 ########################## Done.                   
Preparing              ######################################
##### [100%]

Installing...
   1:compat-libstdc++-33    
########################################### [100%]
#

Redhat doesn't name their 64 libraries differently than their 32 bit libraries. I expect there's a way to tell the difference.

up2date looks for RHEL3(el3) packages in RHEL4 (el4)

Leave a reply 

# cat /etc/redhat-release
Red Hat Enterprise Linux AS release 4 (Nahant Update 4)
# up2date -i nagios-nrpe nagios-plugins nagios-plugins-nrpe
...
Name                                    Version        Rel     
----------------------------------------------------------
nagios-nrpe                 2.5.2    1.el3.rf    i386  
nagios-plugins            1.4.5    1.el3.rf    i386  
nagios-plugins-nrpe    2.5.2    1.el3.rf     i386  

Testing package set / solving RPM inter-dependencies...
...
There was a package dependency problem. The message was:

Unresolvable chain of dependencies:
nagios  2.7-1.el3.rf                     requires libgd.so.1.8
...

The solution is simple:

vi /etc/sysconfig/rhn/sources

change
yum dag http://apt.sw.be/redhat/el3/en/$ARCH/dag
to
yum dag http://apt.sw.be/redhat/el4/en/$ARCH/dag

You need to clear out the incorrect RHEL3 (el3) headers. If you don't it will continue working with the RHEL3 headers it has stored in /var/spool/up2date:

cd /var/spool/up2date
# ls *el3*
3ddesktop-0.2.7-1.1.el3.dag.i386.hdr
4g8-1.0-1.1.el3.rf.i386.hdr
855resolution-0.4-4.el3.rf.i386.hdr
915resolution-0.5.2-2.el3.rf.i386.hdr
a52dec-0.7.4-8.el3.rf.i386.hdr
a52dec-devel-0.7.4-8.el3.rf.i386.hdr
aalib-1.4.0-5.1.el3.dag.i386.hdr
aalib-devel-1.4.0-5.1.el3.dag.i386.hdr
...
# cd /var/spool/up2date
# mkdir /tmp/old_el3_headers
# mv * /tmp/old_el3_headers

Now you're ready to download el4 packages:

# up2date -i nagios-nrpe nagios-plugins nagios-plugins-nrpe
...
Name Version Rel
----------------------------------------------------------
nagios-nrpe 2.5.2 1.el4.rf i386
nagios-plugins 1.4.5 1.el4.rf i386
nagios-plugins-nrpe 2.5.2 1.el4.rf i386
...

Preparing ########################################### [100%]

Installing...
1:perl-Digest-SHA1 ########################################### [100%]
2:perl-Digest-HMAC ########################################### [100%]
3:perl-Socket6 ########################################### [100%]
4:perl-Crypt-DES ########################################### [100%]
5:perl-Net-SNMP ########################################### [100%]
6:nagios warning: group apache does not exist - using root)
########################################### [100%]
7:fping ########################################### [100%]
8:nagios-plugins ########################################### [100%]
9:nagios-nrpe ########################################### [100%]
10:nagios-plugins-nrpe ########################################### [100%]
The following packages were added to your selection to satisfy dependencies:

Name Version Release
--------------------------------------------------------------
fping 2.4 1.b2.2.el4.rf
nagios 2.7 1.el4.rf
perl-Crypt-DES 2.05 3.2.el4.rf
perl-Net-SNMP 5.2.0 1.2.el4.rf
perl-Socket6 0.19 1.2.el4.rf
perl-Digest-HMAC 1.01 13
perl-Digest-SHA1 2.07 5