Re: False alarms about services with tcpserver

2001-06-12 Thread David Means

Andrea:

I've not ever used the utility 'Mon', but I've spent a good deal of time
configuring systems with HA (High Availability).  It's not uncommon for
a service to be flagged as down on periodic checks.  The solution to false
positives requires some give and take.

For example, when I was writing code to monitor a sybase engine, I would
run a check every X seconds.  If the server failed to respond Y times in
a row, it was assumed down.  For other applications, we might have
polled every J seconds, and required more or less failures.

If there is a way to configure Mon to report a service as down after a
number of failures, then that is my recommendation.  Just because a
service fails a test once doesn't mean that it's down.  It could just be
busy.

David

Andrea Cerrito wrote:
> 
> Hi to all,
> 
> I have a server farm with pop3 / smtp / ftp services running on Linux and
> served by tcpserver. My monitoring software is Mon, and sometimes I'm
> receiving alarms about these services: they are always false alarms.
> 
> For example:
> 
> ===SERVICE IS MARKED AS DOWN==
> Summary output:  Time Out
> 
> Group : pop3-a.frontend.int
> Service   : smtp
> Time noticed  : Tue Jun 12 13:27:10 2001
> Secs until next alert :
> Members   : pop3-a.frontend.int
> 
> Detailed text (if any) follows:
> ---
> pop3-a.frontend.int
> 
> SERVICE IS MARKED AS UP==
> Summary output:  Time Out
> 
> Group : pop3-a.frontend.int
> Service   : smtp
> Time noticed  : Tue Jun 12 13:28:16 2001
> Secs until next alert :
> Members   : pop3-a.frontend.int
> 
> Detailed text (if any) follows:
> ---
> pop3-a.frontend.int
> 
> Just one minute (and I'm doing test every minute)... I'm trying to
> understand why I'm having those false alarms on only services running with
> tcpserver on Linux. I mean, if the service is running with tcpserver on
> Solaris or the services is running on linux without tcpserver, I've no
> errors (ie, qmail on solaris and Apache on linux).
> 
> Viewing logs, I've no errors.
> 
> What can be the problem?? What I've to search for??
> 
> Thanks
> 
> PS I didn't find a list about ucspi-tcp: if I wrote to wrong list, please
> tell me which is the correct one :)
> ---
> Cordiali saluti / Best regards
> Andrea Cerrito
> ^^
> Net.Admin @ Centro MultiMediale di Terni S.p.A.
> P.zzale Bosco 3A
> 05100 Terni IT
> Tel. +39 744 5441330
> Fax. +39 744 5441372
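
The "Y failures in a row" rule from the reply above, as an added example that is not part of the original thread and not Mon's own code. The names (monitor_feed, count_alerts) and the probe series are constructed for illustration.

```c
#include <stdio.h>

/* Added example: hypothetical names, not taken from Mon. */
enum event { EV_NONE, EV_DOWN, EV_UP };

struct monitor {
    int threshold;   /* Y: consecutive failures required before alerting */
    int failures;    /* length of the current run of failed probes */
    int down;        /* 1 once a DOWN alert has been raised */
};

/* Feed one probe result (1 = service answered, 0 = timed out). */
enum event monitor_feed(struct monitor *m, int ok)
{
    if (ok) {
        m->failures = 0;
        if (m->down) { m->down = 0; return EV_UP; }
        return EV_NONE;
    }
    if (m->failures < m->threshold) m->failures++;
    if (!m->down && m->failures >= m->threshold) {
        m->down = 1;                 /* alert once, not on every probe */
        return EV_DOWN;
    }
    return EV_NONE;
}

/* Number of alerts (DOWN plus UP events) a probe series produces. */
int count_alerts(int threshold, const int *probes, int n)
{
    struct monitor m = { threshold, 0, 0 };
    int alerts = 0;
    for (int i = 0; i < n; i++)
        if (monitor_feed(&m, probes[i]) != EV_NONE) alerts++;
    return alerts;
}

/* Constructed samples: a single timeout between successes (like the
   13:27 down / 13:28 up pair quoted above), and a sustained outage. */
static const int blip[]   = { 1, 1, 0, 1, 1 };
static const int outage[] = { 1, 0, 0, 0, 0, 1 };

int main(void)
{
    printf("Y=1, blip:   %d alerts\n", count_alerts(1, blip, 5));
    printf("Y=3, blip:   %d alerts\n", count_alerts(3, blip, 5));
    printf("Y=3, outage: %d alerts\n", count_alerts(3, outage, 6));
    return 0;
}
```

The cost of a higher Y is a later alert: a real outage is reported only at the Yth failed probe.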




Re: SSL

2001-06-06 Thread David Means

Yes, you can use 'stunnel'.  http://www.stunnel.org.

Works like a champ for me.

Enjoy,

David


> SeanW wrote:
> 
> Can qmail handle passing pop password via SSL ?
> 
> 
> Sean Weissensee




Re: xinetd

2001-06-04 Thread David Means


Charles Cazabon wrote:

{ snip }

> 
> > That way, I can have only my domain in rcpthosts, but allow my other clients
> > access.
> 
> You're misunderstanding the purpose of rcpthosts.  It's only supposed to
> contain the domains for which you act as either a primary or backup mail
> exchanger.

I don't think I'm misunderstanding it.  The only thing in my rcpthosts
is my domain name and 'localhost'.  If it's empty, then I'm a relayer,
which is a no-no.  Without tcpserver, I can't (or haven't figured out
how to with Xinetd) populate the required env vars, hence my clients
can't send email via qmail-smtpd to domains not listed in rcpthosts,
right?

{ snip }

> 
> Now that you've written code to do some of this for qmail-smtpd, what would
> happen if you wanted exactly the same features with qmail-qmtpd, or
> qmail-pop3d, or fingerd?  With djb's modular approach, you don't need to
> rewrite a single line of code.  tcpserver "just works" for all of them.

Well, for the qmail stuff, you're right: I'd have to patch'em all, use
tcpserver or patch xinetd to act like tcpserver.  But with other servers
(like fingerd), I'm content to let my firewall and xinetd (as is) deal
with who gets in or out.  :-)

Thanks for your comments!

David

> 
> Charles
> --
> ---
> Charles Cazabon<[EMAIL PROTECTED]>
> GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
> Any opinions expressed are just that -- my opinions.
> ---




Re: xinetd

2001-06-04 Thread David Means

It's also in tcp-env


Scott Schwartz wrote:
> 
> > tcpserver does much more than this; in particular, the ability to arbitrarily
> > set environment variables on a per-IP or per-hostname basis is particularly
> > valuable in controlling certain aspects of qmail's behaviour.
> 
> Historical note:  that functionality used to be available in
> a separate program, most recently called tcpcontrol-0.50,
> before it was merged with tcpserver.
> 
> SYNOPSIS
>  tcpcontrol rules.cdb subprogram [ args ... ]




Re: ORBS, and RFC-ignorant blacklists

2001-06-04 Thread David Means

Besides, ORBS is dead!

http://www.orbs.org/

Or, is that the wrong site?

David


Mark wrote:
> 
> On Mon, Jun 04, 2001 at 09:17:50AM +0200, Piotr Kasztelowicz allegedly wrote:
> > On Sun, 3 Jun 2001, Peter van Dijk wrote:
> >
> > > Furthermore, Alan Brown's activities are not illegal - the ORBS
> > > relaytester runs in The Netherlands, where this is not illegal by any
> > > law.
> >
> > Maybe in Netherlands is not illegal, but in Netherlands even euthanasia
> > is legal by any law, in other countries not! The tester is in Netherlands
> > but it outcomes follow results in other countries, where performing
> > such lists and testing, which seeks the vulnerabilities in servers
> > and helps hackers at attacks, is illegal. From correspondence on this
> > list can be considered, that in US, NZ is illegal, in my country (Poland)
> > too. So, if Netherland will be right to others, probably shall give
> > this same injunction as NZ High Court - this want only a lot time
> 
> I'm confused. Isn't the use of ORBS entirely voluntary? I don't see
> how any site on the Internet is obliged to accept any traffic at
> all. So, if a site chooses to reject traffic based on a list -
> regardless of how flawed it may be - what's the big deal?
> 
> But I fail see the relevance to qmail...
> 
> Regards.




Re: xinetd

2001-06-04 Thread David Means

Charles:

I believe your points are valid.  But I'm just stubborn, I suppose :)

So stubborn as a matter of fact, that I patched qmail-smtpd this weekend
to read a new control file which I called ipaddrallowed.  In which I can
put things like 192.168. or a full IP addr.  If the source address of
the client (as found via 'remoteip') matches those in the file, then the
connect/relay is allowed.  That way, I can have only my domain in
rcpthosts, but allow my other clients access.  Since I'm on a private
network and behind a firewall, I don't have to worry about spoofed
source addresses.  As a matter of fact, I configured email access for my
son today while we were at my office (he's outta school and doesn't have
camp this week -- oh joy!)  Anyway, all I did was add the a.b.c.d
address of the machine he was using in ipaddrallow and presto, he was
style'n!

;-)

David


Charles Cazabon wrote:
> 
> David Means <[EMAIL PROTECTED]> wrote:
> 
> > Charles Cazabon wrote:
> > >
> > > Eduardo Gargiulo <[EMAIL PROTECTED]> wrote:
> > > >
> > > > I had installed qmail and it's running ok.  All the examples says to add
> > > > a line in /etc/inetd.conf to run qmail-smtpd, but I don't know how to
> > > > configure it in xinetd.  Where can I find an xinetd example and what is
> > > > tcp-env for?
> > >
> > > Running qmail from inetd is deprecated.  Download ucspi-tcp and run it
> > > under tcpserver.
> >
> > I personally don't care to run tcpserver, although I've run it in the past,
> > and it worked well at that time.  tcpserver is nothing but a wrapper to
> > enable one to 1) log connections, and 2) keep unallowed hosts out.  Xinetd
> > does that for me.  Why would any one want to run two servers that can do the
> > same thing?
> 
> tcpserver does much more than this; in particular, the ability to arbitrarily
> set environment variables on a per-IP or per-hostname basis is particularly
> valuable in controlling certain aspects of qmail's behaviour.  I also find
> that tcpserver's controls on maximum concurrency are much better suited to
> controlling services than inetd/xinetd.  I've also never had tcpserver crash,
> for any reason -- not something I can say about inetd/xinetd.
> 
> Charles
> --
> ---
> Charles Cazabon<[EMAIL PROTECTED]>
> GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
> Any opinions expressed are just that -- my opinions.
> ---
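
The allow-list check described in the reply above, as an added example that is not the patch from the post. The function names, the rule semantics (an entry ending in '.' is an octet-aligned prefix, anything else must match the full address) and the sample data are assumptions; rcpthosts matching is simplified to exact, case-sensitive comparison.

```c
#include <stdio.h>
#include <string.h>

/* Added example with hypothetical names; not the patch from the post. */

/* Assumed rule format: "192.168." is a prefix, "10.1.2.3" is exact. */
int rule_matches(const char *rule, const char *remoteip)
{
    size_t n = strlen(rule);
    if (n == 0) return 0;                        /* empty line never matches */
    if (rule[n - 1] == '.')
        return strncmp(rule, remoteip, n) == 0;  /* octet-aligned prefix */
    return strcmp(rule, remoteip) == 0;          /* full address */
}

/* For comparison: plain string prefix with no octet boundary, which
   lets the entry "10.1.2.3" also admit 10.1.2.30 through 10.1.2.39. */
int naive_matches(const char *rule, const char *remoteip)
{
    return strncmp(rule, remoteip, strlen(rule)) == 0;
}

int ip_allowed(const char *const *rules, int n, const char *remoteip)
{
    for (int i = 0; i < n; i++)
        if (rule_matches(rules[i], remoteip)) return 1;
    return 0;
}

/* Accept a recipient if its domain is local (listed in rcpthosts) or
   the connecting client is on the allow list; otherwise refuse. */
int accept_rcpt(const char *const *rcpthosts, int nh,
                const char *const *rules, int nr,
                const char *remoteip, const char *rcpt_domain)
{
    for (int i = 0; i < nh; i++)
        if (strcmp(rcpthosts[i], rcpt_domain) == 0) return 1;
    return ip_allowed(rules, nr, remoteip);
}

/* Constructed sample data. */
static const char *const RCPTHOSTS[] = { "example.org", "localhost" };
static const char *const ALLOWED[]   = { "192.168.", "10.1.2.3" };

int main(void)
{
    printf("inside client, outside rcpt:  %d\n",
           accept_rcpt(RCPTHOSTS, 2, ALLOWED, 2, "192.168.7.9", "aol.com"));
    printf("outside client, outside rcpt: %d\n",
           accept_rcpt(RCPTHOSTS, 2, ALLOWED, 2, "203.0.113.5", "aol.com"));
    printf("outside client, local rcpt:   %d\n",
           accept_rcpt(RCPTHOSTS, 2, ALLOWED, 2, "203.0.113.5", "example.org"));
    printf("naive 10.1.2.3 vs 10.1.2.30:  %d\n",
           naive_matches("10.1.2.3", "10.1.2.30"));
    return 0;
}
```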




Re: xinetd

2001-06-02 Thread David Means

I personally don't care to run tcpserver, although I've run it in the
past, and it worked well at that time.  tcpserver is nothing but a
wrapper to enable one to 1) log connections, and 2) keep unallowed hosts
out.  Xinetd does that for me.  Why would any one want to run two
servers that can do the same thing? 

Here's my config for xinetd.  I've not yet configured it to be aware of
the RCPTHOSTS env var (or what ever it's called).  Drop me a line if
you'd like.


David


service smtp
{
        socket_type     = stream
        wait            = no
        user            = qmaild
        # tcp-env sets up the TCP environment variables, then runs qmail-smtpd
        server          = /var/qmail/bin/tcp-env
        server_args     = /var/qmail/bin/qmail-smtpd
        log_on_success  = HOST PID USERID DURATION
        log_on_failure  = HOST RECORD ATTEMPT USERID
}



Charles Cazabon wrote:
> 
> Eduardo Gargiulo <[EMAIL PROTECTED]> wrote:
> >
> > I had installed qmail and it's running ok.  All the examples says to add a
> > line in /etc/inetd.conf to run qmail-smtpd, but I don't know how to
> > configure it in xinetd.  Where can I find an xinetd example and what is
> > tcp-env for?
> 
> Running qmail from inetd is deprecated.  Download ucspi-tcp and run it under
> tcpserver.
> 
> Charles
> --
> ---
> Charles Cazabon<[EMAIL PROTECTED]>
> GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
> Any opinions expressed are just that -- my opinions.
> ---




Re: notification of new email whenever user logs in on the shell

2001-05-09 Thread David Means

Do a 'man ', search for MAIL.  Typically, the 'MAIL' env var
has to be populated.  I would assume that some shells support it, while
others may not.

David

alexus wrote:

> Hi
>
> can someone point me to right direction regarding this topic?
>
> basically somehow i need to show to user that there is a new mail for
> him/her whenever user logs in
>
> i used to get it back then when i was using sendmail.. but i migrate to
> qmail..

--
A Panagram

To be or not to be: that is the question, whether tis nobler in the mind to suffer the 
slings and arrows of outrageous fortune.

In one of the Bard's best-thought-of tragedies, our insistent hero, Hamlet, queries on 
two fronts about how life turns rotten.






Re: mailserver, can traceroute, cannot make SMTP connection

2001-04-28 Thread David Means

telnet and traceroute use very differing methods of reaching the destination.
It is not uncommon to be able to traceroute to a dest, but not telnet, or to
be able to telnet, but not traceroute.  Typically, if you can telnet but not
traceroute, then someone is blocking the traceroute via a firewall rule.
There's another command called tracepath which sometimes works better than
traceroute.

The connection problem you're seeing might be due to a routing issue, however,
that seems contrary to what traceroute is reporting. Do you have a firewall
up?  Does the remote host?  It's possible that they're blocking a range of IP
addresses, or you're blocking access to them.

David


[EMAIL PROTECTED] wrote:

> Dear All,
>
> I receive some strange problems lately,
> my mailserver logs many CANT_MAKE_SMTP_CONNECTION.#4.4.1
>
> So I took some domains from the logs and tried to examine the connection to
> each domains.
> What I did is I connect to internet using 2 connection, 1 my leased line
> conn, and 1 other ISP. and then tried to traceroute and telnet to port 25.
>
> There are some sites where I CANT TRACEROUTE using both conn, so I suppose
> the routing could be the problem, but from the ISP, I CAN TELNET to the
> site's port 25, in the other hand, I CAN'T TELNET using my own mailserver
> (leased line).  It's strange to me.
>
>  From ISP side, if it cannot traceroute, why it can telnet?
>
> Anyone can help me?
>
> Thanks!
>
> Chrisanthy







Re: Strange POP Problem

2001-04-28 Thread David Means

Hum... well, if you do find the answer to your problem in
http://es.qmail.org/documentacion/autor/FAQ/html/qmail-FAQ.html, then please
let me know.  I searched for "auth," "timeout", and "time" (since you're
having an authentication problem) and it was not to be found.  I suppose we
need to go back to Mind Reading 101, eh?  Darn.  I knew I should've studied
more in that class...


DMeans.


|nix ZixinG wrote:

> If you're not interested in helping there is no need for you to be so
> sarcastic.
>
> Thanks anyway
>
> - Original Message -
> From: "Charles Cazabon" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, April 29, 2001 3:37 AM
> Subject: Re: Strange POP Problem
>
> > |nix ZixinG <[EMAIL PROTECTED]> wrote:
> > > Then where would I be able to read the FAQ to solve this problem?
> >
> > We're not here to spoon-feed you.  Do your homework.  Check the files
> > included in the source, Dan's site, www.qmail.org, and
> > www.lifewithqmail.org .
> >
> > Charles
> > --
> > ---
> > Charles Cazabon<[EMAIL PROTECTED]>
> > GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
> > Any opinions expressed are just that -- my opinions.
> > ---




Re: How to re-direct mail based on target domain

2001-04-22 Thread David Means

Marco:

It appears to me that no splat '*' is needed.  Just need the following in your
smtproutes file:
:your.isp.com

David


Marco Calistri wrote:

> On 21-Apr-2001 Chris Johnson wrote:
> > On Sat, Apr 21, 2001 at 02:48:28PM -0400, David Means wrote:
> >> AOL will not accept mail from my server because I have a dynamic
> >> IP address.  How do I configure qmail to send messages destined for
> >> AOL to my ISP?
> >
> > echo aol.com:mailserver.yourisp.com >> /var/qmail/control/smtproutes
> >
> > You might consider routing all of your mail to your ISP's mail server; AOL
> > isn't the only ISP blocking mail injected directly from dialups. For example,
> > you wouldn't be able to send mail directly to my server. (I realize that
> > you're on an ADSL line, not a dialup line, but your ISP has listed you as
> > such with
> > mail-abuse.org. See http://mail-abuse.org/dul/.)
> >
> > Chris
>
> Chris, you gave me a very interesting suggestion for a similar problem
> I had using /var/qmail/control/defaulthost/.
> Attempting to send mail toward some SMTP servers I get refuses
> and or mail-abuse.org notifications.
>
> qmail machine name is linux.ik5bcu.ampr.org (this is a unknown name)
> but to overcome the above problems I changed the ../defaulthost
> from this name to ik5bcu.ampr.org (my AMPRNET hostname=valid)
> *note*: I changed *only* ../defaulthost and now I can send
> mail to every server but I have some doubt that this is not
> the right procedure, especially looking to the changed return-path
> and possible MAILER-DAEMON messages now addressed to ik5bcu.ampr.org
> instead to linux.ik5bcu...
>
> Well I think that the better thing be to restore ../defaulthost
> with proper qmail name,but then I don't know how to set *all*
> mail toward my ISP...is it wildcard accepted on this case:
>
> echo *:mailserver.yourisp.com >> /var/qmail/control/smtproutes
>
> And if I'd send mail using my second ISP (spare)?
>
> --
> Regards,: Marco Calistri <[EMAIL PROTECTED]>
> gpg key available on http://www.qsl.net/ik5bcu
> Xfmail 1.4.7p2 on linux RedHat 6.2







Re: How to re-direct mail based on target domain

2001-04-21 Thread David Means

Thank you for the information!

David

Chris Johnson wrote:

> On Sat, Apr 21, 2001 at 02:48:28PM -0400, David Means wrote:
> > AOL will not accept mail from my server because I have a dynamic
> > IP address.  How do I configure qmail to send messages destined for
> > AOL to my ISP?
>
> echo aol.com:mailserver.yourisp.com >> /var/qmail/control/smtproutes
>
> You might consider routing all of your mail to your ISP's mail server; AOL
> isn't the only ISP blocking mail injected directly from dialups. For example,
> you wouldn't be able to send mail directly to my server. (I realize that you're
> on an ADSL line, not a dialup line, but your ISP has listed you as such with
> mail-abuse.org. See http://mail-abuse.org/dul/.)
>
> Chris
>






How to re-direct mail based on target domain

2001-04-21 Thread David Means

AOL will not accept mail from my server because I have a dynamic
IP address.  How do I configure qmail to send messages destined for
AOL to my ISP?

Thanks,

David
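
The smtproutes entries discussed in this thread (a per-domain route and the empty-domain default), as an added example that is not from the original posts and not qmail's own source. It follows the behaviour documented for qmail-remote: the full host name is tried first, then each suffix beginning at a dot, then the empty domain; an empty relay means normal MX delivery. The route table is constructed, and host names are assumed to be lower case already.

```c
#include <stdio.h>
#include <string.h>

/* Constructed smtproutes contents; the host names are placeholders. */
static const char *const ROUTES[] = {
    "aol.com:mailserver.yourisp.com",
    ".example.net:relay.example.net:2525",   /* any host under example.net */
    "direct.example.net:",                   /* empty relay: normal MX lookup */
    ":your.isp.com",                         /* empty domain: default route */
};
#define NROUTES (sizeof ROUTES / sizeof ROUTES[0])

/* Return the text after "key:" in the entry whose domain part is key. */
static const char *find(const char *key, size_t klen)
{
    for (size_t i = 0; i < NROUTES; i++) {
        const char *colon = strchr(ROUTES[i], ':');
        if (colon && (size_t)(colon - ROUTES[i]) == klen &&
            strncmp(ROUTES[i], key, klen) == 0)
            return colon + 1;
    }
    return NULL;
}

/* Hypothetical helper: returns "relay" or "relay:port" for host, or
   NULL when the message would be delivered via the host's own MX. */
const char *route_for(const char *host)
{
    size_t len = strlen(host);
    for (size_t i = 0; i <= len; i++) {
        /* candidates: whole host, each ".suffix", and finally "" */
        if (i == 0 || i == len || host[i] == '.') {
            const char *relay = find(host + i, len - i);
            if (relay) return *relay ? relay : NULL;
        }
    }
    return NULL;
}

int main(void)
{
    const char *hosts[] = { "aol.com", "mx.example.net",
                            "direct.example.net", "hotmail.com" };
    for (int i = 0; i < 4; i++) {
        const char *r = route_for(hosts[i]);
        printf("%-20s -> %s\n", hosts[i], r ? r : "(MX lookup)");
    }
    return 0;
}
```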