BigSmoke

Smokes your problems, coughs fresh air.

Adding SPF support to Postfix

(Hmm, this suggests the python version might be better).

Source.

aptitude -P install postfix-policyd-spf-perl

Add this to master.cf (but perhaps change the path to the script):

policy  unix  -       n       n       -       -       spawn
        user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl

Add this to main.cf, directly below/after reject_unauth_destination (if you do it before, you are an open relay):

check_policy_service unix:private/policy

So:

smtpd_recipient_restrictions = permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  check_policy_service unix:private/policy,
  reject_unauth_pipelining,
  reject_non_fqdn_recipient

The source article has stuff about testing.
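
The ordering rule above can be checked mechanically. The script below is an added example, not part of the original post or of Postfix; the function names are made up for illustration and it only inspects smtpd_recipient_restrictions, the parameter used here.

```shell
#!/bin/sh
# Added example: check that check_policy_service is listed after
# reject_unauth_destination in a main.cf-style file.

# Print the last smtpd_recipient_restrictions value, joining continuation
# lines (Postfix continues a logical line when a line starts with whitespace).
recipient_restrictions() {
    awk '
        /^[ \t]*#/ { next }                 # comment lines are ignored
        /^[ \t]*$/ { next }                 # blank lines are ignored
        /^smtpd_recipient_restrictions[ \t]*=/ {
            sub(/^[^=]*=/, ""); val = $0; grab = 1; next
        }
        grab && /^[ \t]/ { val = val " " $0; next }
        { grab = 0 }                        # any other parameter ends the value
        END { print val }
    ' "$1"
}

# Exit status: 0 = policy service comes after reject_unauth_destination,
#              1 = it comes first, or reject_unauth_destination is absent,
#              2 = no check_policy_service configured.
check_policy_order() (
    set -f                                  # no globbing while word-splitting
    pos=0 reject=0 policy=0
    for tok in $(recipient_restrictions "$1" | tr ',' ' '); do
        pos=$((pos + 1))
        if [ "$tok" = reject_unauth_destination ] && [ "$reject" -eq 0 ]; then reject=$pos; fi
        if [ "$tok" = check_policy_service ] && [ "$policy" -eq 0 ]; then policy=$pos; fi
    done
    [ "$policy" -ne 0 ] || exit 2
    [ "$reject" -ne 0 ] && [ "$reject" -lt "$policy" ]
)

# Constructed sample mirroring the restriction list above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtpd_recipient_restrictions = permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  check_policy_service unix:private/policy,
  reject_unauth_pipelining
EOF
if check_policy_order "$sample"; then echo "order OK"; fi
rm -f "$sample"
```

Run it against /etc/postfix/main.cf after editing and before reloading Postfix.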

Tracking Xen domU’s with munin

To view statistics of your xen server with Munin (source):

cd /usr/local/share/
mkdir -p munin/plugins
cd munin/plugins
wget http://wiki.kartbuilding.net/xen_traffic_all
wget http://wiki.kartbuilding.net/xen_cpu_percent
chmod 755 xen_traffic_all xen_cpu_percent
ln -s /usr/local/share/munin/plugins/xen_traffic_all /etc/munin/plugins/
ln -s /usr/local/share/munin/plugins/xen_cpu_percent /etc/munin/plugins/
vim /etc/munin/plugin-conf.d/munin-node

#add the following:
[xen_traffic_all]
user root
[xen_cpu_percent]
user root

/etc/init.d/munin-node restart

Original links:

I wanted to attach the scripts, but because of upload problems, I can’t…

Getting a better MySQL prompt

When you want to see which user you are and which database you’re working with, put this in .my.cnf:

prompt=(\\u@\\h) [\\d]>\\_

Too bad mysql doesn’t support color. You can make it work with rlwrap, but that’s kind of clumsy.

edit: hmm, this destroys mysqldump… argh.

Installing a commercial SSL certificate in Zimbra

Edit: now in 2020, with Zimbra 8, and Startcom out of business, things have changed a bit. So, here are the steps now, for a Sectigo certificate (and referring to their directory structure):

  • Copy ‘Linux/mail.example.com.ca-bundle’ to ‘/tmp/ca_bundle.crt’. Run ‘chown zimbra:zimbra /tmp/ca_bundle.crt’. (the name of the file suggests that your certificate is in the bundle, but it’s just the authority’s)
  • Copy ‘mail.example.com.crt’ to ‘/tmp/ssl.crt’ and run ‘chown zimbra:zimbra /tmp/ssl.crt’
  • Copy ‘mail.example.com.key’ to ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ and ‘chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key’
  • ‘su - zimbra’ and then ‘/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/ssl.crt /tmp/ca_bundle.crt’
  • A restart may not even be necessary. My monitoring already started alerting me about the recovery beforehand, but just in case, also as user zimbra: ‘zmcontrol stop && zmcontrol start’

Old post:

I installed a commercial (free) SSL certificate from Startcom SSL in Zimbra. I basically followed this, except the java keytool thing. I don’t know why that is necessary… I did this on Zimbra 6.0.10_GA_2692.UBUNTU8_64 UBUNTU8_64 FOSS edition.

  • Download the ca.pem and sub.class1.server.ca.pem (the CA for the free class 1 validation) to /tmp/
  • Cat the CA certs to form a single CA certificate chain file: cat ca.pem sub.class1.server.ca.pem > ca_bundle.crt
  • Place server certificate in /tmp/ssl.crt.
  • Place the private key in /opt/zimbra/ssl/zimbra/commercial/commercial.key
  • Deploy the commercial certificate with zmcertmgr as the root user: /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/ssl.crt /tmp/ca_bundle.crt
  • Restart zimbra: su zimbra, then zmcontrol stop && zmcontrol start
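
Before running deploycrt it is worth confirming that the certificate belongs to the private key and chains to the CA bundle. The script below is an added example using plain openssl, not part of the original post or of Zimbra; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: pre-deployment checks for the three files used in the steps above.

# Digest of the public key contained in a certificate.
cert_pubkey_fp() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl sha256
}

# Digest of the public key derived from a private key. The empty -passin
# makes an encrypted key fail instead of prompting.
key_pubkey_fp() {
    pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl sha256
}

# 0 if the certificate was issued for this private key, 1 otherwise
# (including when either file cannot be read).
cert_matches_key() {
    c=$(cert_pubkey_fp "$1") || return 1
    k=$(key_pubkey_fp "$2") || return 1
    [ "$c" = "$k" ]
}

# 0 if the certificate verifies against the CA bundle.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Arguments: certificate, private key, CA bundle.
predeploy_check() {
    cert_matches_key "$1" "$2" || { echo "certificate and private key do not match" >&2; return 1; }
    chain_verifies "$1" "$3" || { echo "certificate does not verify against the CA bundle" >&2; return 1; }
    echo "ok: key matches and chain verifies"
}

# Example call with the paths from the steps above:
#   sh predeploy.sh /tmp/ssl.crt /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/ca_bundle.crt
if [ $# -eq 3 ]; then predeploy_check "$@"; fi
```

Zimbra's own ‘zmcertmgr verifycrt comm’ performs a comparable check on the same three files.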

Installing Munin-node on a Debian or Ubuntu machine

If you want to gather statistics on a machine with a Munin server, install munin node:

aptitude -P install munin-node munin-plugins-extra

You will also need:

aptitude -P install libio-all-lwp-perl lynx

To make sure apache status works, go to /usr/share/munin/plugins and type:

./apache_processes autoconf

This will tell you whether your machine is configured correctly. Every machine I install munin on seems to have different dependencies, and if you’re missing anything, this autoconf will tell you.

One of the things it will often say is to enable extended status. Put that in /etc/apache2/mods-enabled/status.conf:

<IfModule mod_status.c>
# ... existing mod_status directives ...

ExtendedStatus On

</IfModule>

Beware though, extended status makes apache slower.

You can then go to /etc/munin/plugins and symlink all apache_* from /usr/share/munin/plugins there. It may have already done that if the autoconf conditions were met when you installed them, but I’m not sure.

Then either set the allowed server IP address in /etc/munin/munin-node.conf, or do as I do and add this to that config:

Allow ^.*$

And use iptables to only allow access from a given IP to port 4949.
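
Both restrictions can be generated from the Munin server's address. The script below is an added example, not from the original post: the function names are made up, 192.0.2.10 is a documentation address standing in for the real server, and the rules are printed for review instead of being applied.

```shell
#!/bin/sh
# Added example: build the munin-node.conf allow line and the iptables
# rules for port 4949 from one validated IPv4 address.

# Succeed only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # stray characters or empty octets
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# munin-node treats the allow value as a regular expression, so anchor it
# and escape the dots; an unescaped dot matches any character.
munin_allow_line() {
    valid_ipv4 "$1" || return 1
    printf 'allow ^%s$\n' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# Accept port 4949 from the Munin server only and drop everything else.
# The ACCEPT rule has to come before the DROP rule.
munin_iptables_rules() {
    valid_ipv4 "$1" || return 1
    printf 'iptables -A INPUT -p tcp -s %s --dport 4949 -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -p tcp --dport 4949 -j DROP\n'
}

# Constructed demonstration with a documentation address.
munin_allow_line 192.0.2.10
munin_iptables_rules 192.0.2.10
```

Using the anchored allow line in munin-node.conf together with the firewall rules means a mistake in one layer does not expose the node.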

Fixing locale message in Ubuntu when logging in or SCPing

I’ve encountered this error occasionally when logging in:

-bash: warning: setlocale: LC_ALL: cannot change locale (nl_NL.UTF-8)

This breaks things like scp or bzr via sftp. To fix it, I followed this advice:

cd /var/lib/locales/supported.d
cat /usr/share/i18n/SUPPORTED|grep -i nl > nl
dpkg-reconfigure locales

It’s not really pretty though; it shouldn’t give an error at all when a locale is missing. I mean, this way, I have to generate every possible locale to support logins from all over the world…

Getting a Xen hvc0 on a stock Ubuntu

When you install Ubuntu in Xen with xen-create-image, the console is automatically handled. If you want to add a console to a stock-installed Ubuntu, add this file to /etc/init and call it hvc0.conf:

# hvc0 - getty
#
# This service maintains a getty on hvc0 from the point the system is
# started until it is shut down again.
 
start on stopped rc RUNLEVEL=[2345]
stop on runlevel [!2345]
 
respawn
exec /sbin/getty -8 38400 hvc0

Useful extra Nagios commands

Here are some useful extra nagios commands I often use:

define command{
        command_name    notify-host-by-sms
        command_line    /usr/local/sbin/send-sms.sh -n $CONTACTPAGER$ -m "$HOSTNAME$: $HOSTSTATE$"
}
 
define command{
        command_name    notify-service-by-sms
        # Don't use service state, otherwise you only ever get to see 'critical' and not the reason.
        command_line    /usr/local/sbin/send-sms.sh -n $CONTACTPAGER$ -m "$SERVICEDESC$ on $HOSTNAME$: $SERVICEOUTPUT$"
}
 
define command{
        command_name    check_imaps
        command_line    /usr/lib/nagios/plugins/check_imap -H '$HOSTADDRESS$' --ssl -p 993 --certificate 15
}
 
define command{
        command_name    check_rdp
        command_line    /usr/local/lib/nagios/plugins/check_x224 -H $HOSTADDRESS$ -p $ARG1$ -w 10 -c 50
}
 
define command{
  command_name  check_pops
  command_line  /usr/lib/nagios/plugins/check_pop -H '$HOSTADDRESS$' --ssl -p 995 --certificate 15
}
 
define command{
  command_name  check_smtps
  command_line  /usr/lib/nagios/plugins/check_tcp -H $HOSTADDRESS$ -p 465
}
