Re: Mailserver HDD organization

2002-01-17 Thread Alberto Gonzalez Iniesta

On Sun, Nov 25, 2001 at 11:04:45PM +0100, [EMAIL PROTECTED]
wrote:

 please use qmail, its really the securest MTA you can get.


please use postfix, since it's as secure as qmail and has a better
license

-- 
Alberto Gonzalez Iniesta   | They that give up essential liberty
[EMAIL PROTECTED] | to obtain a little temporary safety
Encrypted mail preferred   | deserve neither liberty nor safety.

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: Mailserver HDD organization

2002-01-17 Thread Giacomo Mulas

On Thu, 17 Jan 2002, Alberto Gonzalez Iniesta wrote:

 On Sun, Nov 25, 2001 at 11:04:45PM +0100, [EMAIL PROTECTED]
 wrote:
 
  please use qmail, its really the securest MTA you can get.
 

 please use postfix, since it's as secure as qmail and has a better
 license

please, use whatever good MTA you are most skilled with, as you will be
able to secure it much better. What about avoiding to start religious
wars, everybody?

Bye
Giacomo

-- 
_

Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]
_

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216 Fax : +39 070 71180 222
_

When the storms are raging around you, stay right where you are
 (Freddy Mercury)
_






Re: Mailserver HDD organization

2002-01-17 Thread Samu

On Thu, Jan 17, 2002 at 12:22:07PM +0100, Alberto Gonzalez Iniesta wrote:
 On Sun, Nov 25, 2001 at 11:04:45PM +0100, [EMAIL PROTECTED]
 wrote:
 
  please use qmail, its really the securest MTA you can get.
 
 
 please use postfix, since it's as secure as qmail and has a better
 license
we could ask to venema or to bernstein what do they think about that,
so we can make some traffic smtp benchmark too 

:-

i think it's better to use the MTA you want, with a good conf file 
made by yourself and  some firewall rules just to dream sweeter


Samuele 


-- 
Samuele Tonon  [EMAIL PROTECTED]   http://www.linuxasylum.net/~samu/
Acid -- better living through chemistry.
   Timothy Leary






Re: Mailserver HDD organization

2002-01-17 Thread Gerrit Kilian

Hi there

On the subject of MTA's, is there no groupware like Lotus Domino or Exchange
server available on Debian? Personally I feel all Linux MTA's are very good.
Is it not just a matter of personal choice?

Kind Regards
Gerrit






Re: Mailserver HDD organization

2002-01-17 Thread vdongen

I don't think the choice of MTA is relevant to the HDD organisation.
I use both Postfix and Qmail and they both work fine.

The only thing you have to realize is when you use Qmail with maildir, 
you really need a large /home partition.

Greetz,

Ivo

dudes@doc:~$ apt-cache show clue
Package: clue
Priority: optional



-Original Message-
From: Alberto Gonzalez Iniesta [EMAIL PROTECTED]
Date: Thu, 17 Jan 2002 12:22:07 +0100
Subject: Re: Mailserver HDD organization

 On Sun, Nov 25, 2001 at 11:04:45PM +0100, [EMAIL PROTECTED]
 wrote:
 
  please use qmail, its really the securest MTA you can get.
 
 
 please use postfix, since it's as secure as qmail and has a better
 license
 
 -- 
 Alberto Gonzalez Iniesta   | They that give up essential liberty
 [EMAIL PROTECTED] | to obtain a little temporary safety
 Encrypted mail preferred   | deserve neither liberty nor safety.
 
 Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3
 
 




Re: Mailserver HDD organization

2002-01-17 Thread Dave Kline

Though I have supported Sendmail in Big-Iron environments, I am now 
using the Default Debian Exim to serve mail.  I have been happy with 
Exim and it has served me reliably.  Yet I don't often hear its name 
used as an alternative to Sendmail.  Usually I hear Postfix or Qmail. 
 Though I have used all of the MTAs I am referring to, I would like some 
quantitative and qualitative feedback.  IE, 'I use Exim to serve 3000 
people on a measly 486' or 'I used Exim and was cracked open before I 
could say Postfix' or 'Exim behaves like a lobotomized turtle.'

I know, I know, use what you feel comfortable with, but how comfortable 
are you guys with Exim?
-A. Dave

vdongen wrote:

I don't think the choice of MTA is relevant to the HDD organisation.
I use both Postfix and Qmail and they both work fine.

The only thing you have to realize is when you use Qmail with maildir, 
you really need a large /home partition.

Greetz,

Ivo

dudes@doc:~$ apt-cache show clue
Package: clue
Priority: optional



-Original Message-
From: Alberto Gonzalez Iniesta [EMAIL PROTECTED]
Date: Thu, 17 Jan 2002 12:22:07 +0100
Subject: Re: Mailserver HDD organization

On Sun, Nov 25, 2001 at 11:04:45PM +0100, [EMAIL PROTECTED]
wrote:

please use qmail, its really the securest MTA you can get.

please use postfix, since it's as secure as qmail and has a better
license

-- 
Alberto Gonzalez Iniesta   | They that give up essential liberty
[EMAIL PROTECTED] | to obtain a little temporary safety
Encrypted mail preferred   | deserve neither liberty nor safety.

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3






Re: Mailserver HDD organization

2002-01-17 Thread eim

mmh, conclusions...

...I think I'm going to use exim.

exim runs fine with Mailman for the lists,
has spam filtering... and is available as binary
and completely free under Debian Potato 2.2r5.

Anyway I'll consider qmail for future upgrades.

Thanks for all replies,
have a nice day...

 -Ivo

On Thu, 2002-01-17 at 12:28, Giacomo Mulas wrote:
 On Thu, 17 Jan 2002, Alberto Gonzalez Iniesta wrote:
 
  On Sun, Nov 25, 2001 at 11:04:45PM +0100, [EMAIL PROTECTED]
  wrote:
  
   please use qmail, its really the securest MTA you can get.
  
 
  please use postfix, since it's as secure as qmail and has a better
  license
 
 please, use whatever good MTA you are most skilled with, as you will be
 able to secure it much better. What about avoiding to start religious
 wars, everybody?
 
 Bye
 Giacomo
 
 -- 
 _
 
 Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]
 _
 
 OSSERVATORIO ASTRONOMICO DI CAGLIARI
 Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
 
 Tel.: +39 070 71180 216 Fax : +39 070 71180 222
 _
 
 When the storms are raging around you, stay right where you are
  (Freddy Mercury)
 _
 
 
 
 
-- 

 »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
 Ivo Marino[EMAIL PROTECTED]
 UN*X Developer, running Debian GNU/Linux
 irc.OpenProjects.net #debian
 http://eimbox.org
 »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«






Re: Mailserver HDD organization

2002-01-17 Thread Alvin Oga


hi ivo

for partitions...
- i prefer smallest/reasonable / partitions ( 64M or 128M etc )
- getting into single user mode is extremely important
- /var/spool/{mail,mqueue} in a mail server should
  be its own huge partitions ??? 
- /home doesnt mean much for mail servers 
  ( user stuff is all in /opt 
ln -s /opt/home /
ln -s /opt/local /usr

- if you run secure imap, you'd have to worry about quota
  for /home where their mail is saved

- i like having /tmp in its own partitions ( 128Mb? )
- i do NOT use /boot as separate partitions
- must not forget about swap partition ( 256M or so )
  and if swap space is used constantly, add more memory
- i like having /opt to be the rest of the disk
- if you build your own kernel.. i claim you'd need to keep
  the current initrd.gz  or make your own custom initrd.gz
  so that it can read the scsi disks... ( catch-22 issue )

- more partition-howtos
http://www.Linux-1U.net/Installation/partition.gwif.html

- Picture of partitions layout on a disk... ( middle of the page )
http://www.Linux-1U.net/Disks

- Debian Security howto
http://www.debian.org/doc/manuals/securing-debian-howto/

- for a secure mail server...
http://www.Linux-Sec.net
-- see the various hardening methodologies
http://www.Linux-Sec.net/Harden/howto.gwif.html

- harden the file system
- harden the daemons/services
- apply all the patches
- run secure pop3/imap if users insists on pop-style mua
- subscribe to security mailing lists and distro/app specific ml
- install one or more anti-virus sw
- backup your system daily ???
- users probably would like their mailboxes backed up hourly ??

http://www.Linux-Sec.net/Mail/#AntiVirus
http://www.Linux-Sec.net/Mail/secure_pop3.txt

- simulate a disk crash ( unplug it )
-
- see if you can recover
- how many/how much users emails did you lose ??
-   should be zero with raid1 mirror

for running a raid1 mirror ... that should be fun/simple to setup
- be sure to use the fd (raid autodetect) partition type

http://www.1U-Raid5.net

have fun linuxing
alvin

On 17 Jan 2002, eim wrote:

 Hallo to everyone on the Debian Sec. List,
 
 I'm actually planing to install a new mailserver
 on network, the mailserver will substitute an existing
 one which runs of course Debain GNU/Linux potato and sendmail.
 
 The new server will be a P266Mhz 128 | 65 MB Ram with 2x 8GB
 IBM ULTRA WIDE SCSI HDD and oviously 100 MB network connection.
 
 The software I plan to run on the new server is Debian Potato
 with exim as MTA, mailman for the lists and some other stuff.
 
 My real problem is the HDD Organization, the actual server has
 all his / (root) in RAID 1 Mirrored via software on two IBM HDD
 which each one is 2 GB.
 
 I don't want to have only one big root parition on the new server,
 it's not recomanded, isnt' it ?
 
 I was thinking about a partition for /, one for boot, one for
 /var/spool/mail and some other important system parts.
 
 Has anyone real-life examples of running mailservers,
 maybe some HDD organization infos, MTA infos and other
 importante related know-how to run a secure and stable
 mailserver on my network.
 
 Thanks for any reply,
 Have a nice day...






Re: Mailserver HDD organization

2002-01-17 Thread J C Lawrence

On 17 Jan 2002 07:06:37 +0100 
eim  [EMAIL PROTECTED] wrote:

 I was thinking about a partition for /, one for boot, one for
 /var/spool/mail and some other important system parts.

MTAs are inherently disk IO bound.  As such, if possible devote a
spindle to /var/spool/mail and do what you can to reduce other
system IO (eg turn off syslog fsync()).  If you can't do that (and it
sounds like you can't), then use the appropriate RAID types.

 Has anyone real-life examples of running mailservers, maybe some
 HDD organization infos, MTA infos and other importante related
 know-how to run a secure and stable mailserver on my network.

There's been quite a bit of this sort of data on the Mailman lists
from Chuq von Rospach, myself, Nigel Metherington, and others.

-- 
J C Lawrence
-(*)Satan, oscillate my metallic sonatas. 
[EMAIL PROTECTED]   He lived as a devil, eh?  
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.






Re: Mailserver HDD organization

2002-01-17 Thread J C Lawrence

On Thu, 17 Jan 2002 09:23:02 -0500 
Dave Kline [EMAIL PROTECTED] wrote:

 I know, I know, use what you feel comfortable with, but how
 comfortable are you guys with Exim?  -A. Dave

Very.  I like, and use both Exim and Postfix in deployed production
systems.

-- 
J C Lawrence
-(*)Satan, oscillate my metallic sonatas. 
[EMAIL PROTECTED]   He lived as a devil, eh?  
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.






Set UID=0

2002-01-17 Thread Pat Moffitt

Some of the recent upgrades have the executables set UID=0 where they were
not in the past.  This includes (but may not be limited to) the following:

at
smbmnt
smbmount
smbumount

Do these really need to be set UID=0?  Is this a security concern?

Thanks,

Pat Moffitt
MIS Administrator
Western Recreational Vehicles, Inc.







Re: Mailserver HDD organization

2002-01-17 Thread Federico Grau

On Sun, Nov 25, 2001 at 11:04:45PM +0100, [EMAIL PROTECTED] wrote:
 
 - Original Message -
 From: eim [EMAIL PROTECTED]
 To: Debian-Security List [EMAIL PROTECTED]
 Sent: Thursday, January 17, 2002 7:06 AM
 Subject: Mailserver HDD organization
 
 
 Hallo to everyone on the Debian Sec. List,
 
 I'm actually planing to install a new mailserver
 on network, the mailserver will substitute an existing
 one which runs of course Debain GNU/Linux potato and sendmail.
 
 The new server will be a P266Mhz 128 | 65 MB Ram with 2x 8GB
 IBM ULTRA WIDE SCSI HDD and oviously 100 MB network connection.
 
 The software I plan to run on the new server is Debian Potato
 with exim as MTA, mailman for the lists and some other stuff.
 
 i would suggest you to use not exim. exim is a very nice MTA but the best
 mind of security and performance is qmail!
 
 My real problem is the HDD Organization, the actual server has
 all his / (root) in RAID 1 Mirrored via software on two IBM HDD
 which each one is 2 GB.
 
 I don't want to have only one big root parition on the new server,
 it's not recomanded, isnt' it ?
 
 no it isn´t
 
 I was thinking about a partition for /, one for boot, one for
 /var/spool/mail and some other important system parts.
 
 Has anyone real-life examples of running mailservers,
 maybe some HDD organization infos, MTA infos and other
 importante related know-how to run a secure and stable
 mailserver on my network.
 
 here is one:
 
 200 users
 qmail server (smtp)
 imapd
 qpopper 4
 iptables
 f-prot (virus scanner)
 
 / = 2 gb (300mb in use)
 /home= 10 GB
 /var= 20gb
 /boot= 300mb

Boot is where kernels live (placed at the start of the disk for old bioses
that cannot read far into large disks ... your bios may not need it...
experiment if you have time).  I have a lot of kernels on my system, 6 and
my boot directory takes only 7 meg.  A very reasonable size for boot is 16
meg, 32 is surely more than you will ever need.

If you plan to watch over your system, one big partition is not bad, it allows for
easier administration as you are managing only 1 partition as opposed to many.
If you want to be cautious, consider breaking out /var to prevent bad users
from filling up their mail spools (likewise with /home if they are allowed to
use imap folders) and to prevent your logs from filling your system.
Realistically, for most real world small applications with the large size of
disks today, one partition will likely work fine for you.


As far as MTA software, the qmail package is renowned for being secure, but
also for the developer being hard to work with and for having a restrictive
license.  If licensing is not an issue for you then it may work well for you.
Postfix has a nice license, is simple to understand and manage, and places a
lot of emphasis on security.

good luck,
donfede






Re: Mailserver HDD organization

2002-01-17 Thread Emmanuel Lacour

On Thu, Jan 17, 2002 at 09:16:05AM -0800, J C Lawrence wrote:
 On 17 Jan 2002 07:06:37 +0100 
 eim  [EMAIL PROTECTED] wrote:
 
  I was thinking about a partition for /, one for boot, one for
  /var/spool/mail and some other important system parts.
 
 MTAs are inherently disk IO bound.  As such, if possible devote a
 spindle to /var/spool/mail and do what you can to reduce other
 system IO (eg turn of syslog fsync()).  If you can't do that (and it
 sounds like you can't), then use the appropriate RAID types.

I suggest making a separate /var/spool/exim or /var/spool/postfix for
queued, bounced, frozens,... messages.


-- 
Easter-eggsSpécialiste GNU/Linux
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED]   -http://www.easter-eggs.com





ping6

2002-01-17 Thread Répási Tibor

Hy!

What is /bin/ping6 ??? Is it normal that /bin/ping and /bin/ping6 has setuid
to root?

regards,

Tibor Repasi


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: ping6

2002-01-17 Thread Noah L. Meyerhans

On Thu, Jan 17, 2002 at 08:56:01PM +0100, Répási Tibor wrote:
 
 What is /bin/ping6 ??? Is it normal that /bin/ping and /bin/ping6 has setuid
 to root?
 

Ping6 is the IPv6 version of ping.

It is normal that they have setuid turned on.  Otherwise, non-root users
can not open the ICMP socket needed to send and receive echo requests
and replies.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: ping6

2002-01-17 Thread Dave Kline

Ping for IPv6.  You should see other utilities that end with 6 as well.
-A. Dave

Répási Tibor wrote:

Hy!

What is /bin/ping6 ??? Is it normal that /bin/ping and /bin/ping6 has setuid
to root?

regards,

   Tibor Repasi
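
The "Set UID=0" question earlier in this digest (at, smbmnt, smbmount and smbumount becoming set-UID after upgrades) and the ping/ping6 question above both come down to knowing which set-UID files a system has and noticing when that set changes. The shell functions below are an added example, not something posted in the thread: they record a baseline of set-UID files and report the ones that appear afterwards. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find set-UID files that were not set-UID before an upgrade.

# list_setuid DIR...
#   Print every regular file under DIR that has the set-UID bit, one per
#   line, sorted bytewise so the list can be compared with comm(1).
list_setuid() {
    find "$@" -xdev -type f -perm -4000 -print 2>/dev/null | LC_ALL=C sort
}

# new_setuid BASELINE DIR...
#   Print set-UID files found now that are absent from BASELINE
#   (a file written earlier by list_setuid).
new_setuid() {
    baseline=$1
    shift
    list_setuid "$@" | LC_ALL=C comm -13 "$baseline" -
}

# demo_upgrade
#   Constructed demonstration in a throwaway directory: "at" is set-UID
#   before the upgrade, "smbmnt" becomes set-UID during it.
demo_upgrade() (
    d=$(mktemp -d) || exit 1
    cd "$d" && mkdir bin state || exit 1
    : > bin/at
    : > bin/smbmnt
    : > bin/ls
    chmod 4755 bin/at
    chmod 0755 bin/smbmnt bin/ls
    list_setuid bin > state/baseline      # snapshot before the upgrade
    chmod 4755 bin/smbmnt                 # stands in for the upgrade
    out=$(new_setuid state/baseline bin)  # what changed
    cd / && rm -rf "$d"
    printf '%s\n' "$out"
)

demo_upgrade
```

On a real host the baseline would be taken over the system directories as root, for example `list_setuid /bin /sbin /usr > /var/local/setuid.baseline` (the path is a placeholder). On Debian, a set-UID bit removed with chmod comes back at the next package upgrade unless the change is recorded with dpkg-statoverride.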









allowing users to change passwords

2002-01-17 Thread martin f krafft

i need to provide a way for my users to change their password on my
machines. however, most of them are too stupid for the console. so i
played with poppassd, and it might end up being my option, but today i
had another idea. so without having given it much thought, i'll ask you:

what would speak against setting the user's login shell to
/usr/bin/passwd? it's SSH2-only, and with MindTerm as a java applet, i
could even ask them to connect, login with their password, type their
password again, then specify the new one twice. that shouldn't be a
problem, right? or is it absolutely bad in terms of security?

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; net@madduck
  
friends help you move. real friends help you move bodies.





Re: allowing users to change passwords

2002-01-17 Thread Wichert Akkerman

Previously martin f krafft wrote:
 what would speak against setting the user's login shell to
 /usr/bin/passwd?

Nothing, works just fine. It might be a bit confusing for users
though since they will have to enter their original password
twice as well.

Wichert.

-- 
  _
 [EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |






Re: allowing users to change passwords

2002-01-17 Thread Bryan Andersen

Wichert Akkerman wrote:
 
 Previously martin f krafft wrote:
  what would speak against setting the user's login shell to
  /usr/bin/passwd?
 
 Nothing, works just fine. It might be a bit confusing for users
 though since they will have to enter their original password
 twice as well.

You may wish to set the motd specifically for them and explain in 
it what they need to do.

I would also audit the passwd program carefully for security 
problems like buffer overflows, etc.

-- 
|  Bryan Andersen   |   [EMAIL PROTECTED]   |   http://www.nerdvest.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|  Linux, the OS Microsoft doesn't want you to know about..  |
|   -Bryan Andersen|






Re: allowing users to change passwords

2002-01-17 Thread Steve Mickeler


Why bother having them go through the hassle of loading an applet which
might not work ( not that I've ever seen it not work ).

If they are using mindterm, then they are already in a browser, which
means you might as well just have them use a form via ssl to change their
password via poppassd.


On Thu, 17 Jan 2002, martin f krafft wrote:

 i need to provide a way for my users to change their password on my
 machines. however, most of them are too stupid for the console. so i
 played with poppassd, and it might end up being my option, but today i
 had another idea. so without having given it much though, i'll ask you:
 
 what would speak against setting the user's login shell to
 /usr/bin/passwd? it's SSH2-only, and with MindTerm as a java applet, i
 could even ask them to connect, login with their password, type their
 password again, then specify the new one twice. that shouldn't be a
 problem, right? or is it absolutely bad in terms of security?
 
 -- 
 martin;  (greetings from the heart of the sun.)
   \ echo mailto: !#^.*|tr * mailto:; net@madduck
   
 friends help you move. real friends help you move bodies.
 



Todays root password is brought to you by /dev/random

.-.
| Steve Mickeler * Network Operations |
+-+
| Neptune Internet Services   |
`-'

1024D/ACB58D4F = 0227 164B D680 9E13 9168  AE28 843F 57D7 ACB5 8D4F








Re: allowing users to change passwords

2002-01-17 Thread martin f krafft

also sprach Steve Mickeler [EMAIL PROTECTED] [2002.01.18.0010 +0100]:
 If they are using mindterm, then they are already in a browser, which
 means you might as well just have them use a form via ssl to change their
 password via poppassd.

yes, but did you see my recent posts on poppassd and its security
problems? i am compiling poppassd-1.8-ceti from [1] right now though. it
would be the best way. i could do that in addition to passwd...

  1. http://www.ceti.com.pl/~kravietz/prog.html

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; net@madduck
  
when faced with a new problem, the wise algorithmist
 will first attempt to classify it as np-complete.
 this will avoid many tears and tantrums as
 algorithm after algorithm fails.
  -- g. niruta





Exim mail Problem

2002-01-17 Thread Daniel J. Rychlik



Dear Debian Guruz,

My debian server is acting funny. I did some searching around and
grepped for anomalies in my log files. I have noticed that exim mail is
showing a message frozen in the mainlog file.

2002-01-17 18:38:02 16L9VL-0001OX-00 Message is frozen
End queue run: pid=17620

I'm seeing this same message except that the neat looking identifiers
after the timestamp change slightly. There are about 50 different
identifiers or so in the main log. The problem I'm seeing is exim mail
chewing up resources and not letting anything else play, like apache.
;o)

Any ideas? Or how do I stop this from happening?

Thanks in advance,
Daniel J. Rychlik




Re: Mailserver HDD organization

2002-01-17 Thread Andrew Tait

I use exim to serve 4500+users, on a Pentium 133. Until a UPS failure
recently, it had an uptime of 330+ days (dammit, I really wanted to get to
365!!) The only time exim broke down was when I stuffed up the
configuration.

Exim does everything that I want, RBL, anti-virus with the exiscan program,
and custom filters as well.

I must admit that the server will soon be replaced by a P3 800 (running exim
as well).

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

It's the smell! If there is such a thing. Agent Smith - The Matrix
- Original Message -
From: Dave Kline [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: Debian-Security List [EMAIL PROTECTED]
Sent: Friday, January 18, 2002 1:23 AM
Subject: Re: Mailserver HDD organization


 Though I have supported Sendmail in Big-Iron environments, I am now
 using the Default Debian Exim to serve mail.  I have been happy with
 Exim and it has served me reliably.  Yet I don't often hear its name
 used as an alternative to Sendmail.  Usually I hear Postfix or Qmail.
  Though I have used all of the MTAs I am referring to, I would like some
 quantitative and qualitative feedback.  IE, 'I use Exim to serve 3000
 people on a measly 486' or 'I used Exim and was cracked open before I
 could say Postfix' or 'Exim behaves like a lobatamized turtle.'

 I know, I know, use what you feel comfortable with, but how comfortable
 are you guys with Exim?
 -A. Dave

 vdongen wrote:

 I don't think the choice of MTA is relevant to the HDD organisation.
 I use both Postfix and Qmail and they both work fine.
 
 The only thing you have to realize is when you use Qmail with maildir,
 you really need a large /home partition.
 
 Greetz,
 
 Ivo
 
 dudes@doc:~$ apt-cache show clue
 Package: clue
 Priority: optional
 
 
 
 -Original Message-
 From: Alberto Gonzalez Iniesta [EMAIL PROTECTED]
 Date: Thu, 17 Jan 2002 12:22:07 +0100
 Subject: Re: Mailserver HDD organization
 
 On Sun, Nov 25, 2001 at 11:04:45PM +0100, [EMAIL PROTECTED]
 wrote:
 
 please use qmail, its really the securest MTA you can get.
 
 please use postfix, since it's as secure as qmail and has a better
 license
 
 --
 Alberto Gonzalez Iniesta   | They that give up essential liberty
 [EMAIL PROTECTED] | to obtain a little temporary safety
 Encrypted mail preferred   | deserve neither liberty nor safety.
 
 Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3
 
 




Re: Exim mail Problem

2002-01-17 Thread Andrew Tait



Try running mailq, to get a list of messages currently in the queue.

Try doing an "exigrep 16L9VL-0001OX-00 mainlog" to try and find out why
the message is frozen. You will probably have to search back through
your logs if it's been there a while.

And here is a little script I use at work to delete messages from the
queue matching a pattern:

#!/usr/bin/ksh
# Delete every queued message whose mailq header line matches $1.
SPAM=$1
# mktemp avoids a predictable file name in /tmp.
LIST=$(mktemp /tmp/spamlist.XXXXXX) || exit 1
# Columns 11-26 of a mailq header line hold the message ID.
mailq | grep -- "$SPAM" | cut -b11-26 > "$LIST"

for i in `cat "$LIST"`
do
    exim -Mrm "$i"
    echo "deleted $i"
done
rm -f "$LIST"


And here is a modification to try and force delivery attempts on
messages matching a pattern.

#!/usr/bin/ksh
# Force a delivery attempt for every queued message matching $1.
SPAM=$1
LIST=$(mktemp /tmp/sendlist.XXXXXX) || exit 1
mailq | grep -- "$SPAM" | cut -b11-26 > "$LIST"

for i in `cat "$LIST"`
do
    exim -M "$i"
    echo "delivered $i"
done
rm -f "$LIST"

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

  - Original Message - 
  From: 
  Daniel J. 
  Rychlik 
  To: [EMAIL PROTECTED] 
  
  Sent: Friday, January 18, 2002 11:47 
  AM
  Subject: Exim mail Problem
  
  Dear Debian Guruz,
  
  My debian server is acting funny. I did 
  some searching around and greped for anomolies in my log files. I have 
  noticed that exim mail is showing a message frozen in the mainlog 
  file.
  2002-01-17 18:38:02 16L9VL -0001OX-00 Message is 
  frozen
  End queue run: pid=17620
  
  Im seeing this same message execpt that the neat 
  looking identifiers after the timestamp change slightly. There is about 
  50 diffrent identifiers or so in the main log. The problem im seeing is 
  exim mail chewing up resources and not letting anything else play, like 
  apache. ;o)
  
  Any ideas? Or how do I stop this from 
  happening?
  
  Thanks in advance,
  Daniel J. Rychlik
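
The queue scripts in the reply above take the ID from columns 11-26 of whichever mailq line grep matched, so a pattern that matches a recipient line yields a slice of an address instead of a message ID. The shell function below is an added example, not part of Andrew Tait's post: it matches a literal string against the whole queue entry and prints only well-formed IDs taken from header lines. The function names and the sample listing are constructed (one ID is the one quoted in the thread), and the column layout is assumed from the `cut -b11-26` in the scripts.

```shell
#!/bin/sh
# Added example: pick Exim queue IDs out of mailq output by matching a
# literal string against the whole queue entry (header and recipients).

# queue_ids PATTERN
#   Reads mailq-format text on stdin and prints the ID of each message
#   whose header line or any recipient line contains PATTERN.
queue_ids() {
    [ -n "$1" ] || { echo "usage: queue_ids PATTERN" >&2; return 2; }
    PAT="$1" awk '
        # Exim IDs look like 16L9VL-0001OX-00: 6-6-2 alphanumerics.
        function valid(id,    t) {
            if (length(id) != 16) return 0
            if (substr(id, 7, 1) != "-" || substr(id, 14, 1) != "-") return 0
            t = substr(id, 1, 6) substr(id, 8, 6) substr(id, 15, 2)
            return t ~ /^[0-9A-Za-z]+$/
        }
        BEGIN { pat = ENVIRON["PAT"] }
        /^[ \t]*$/ { cur = ""; next }      # a blank line ends an entry
        {
            id = substr($0, 11, 16)
            # Only a header line starts with an age field such as "25m".
            if (substr($0, 1, 3) ~ /^ *[0-9]+[mhd]$/ && valid(id)) {
                cur = id
                hit = 0
            }
            # index() is a literal match, so "*** frozen ***" is safe.
            if (cur != "" && !hit && index($0, pat) > 0) {
                print cur
                hit = 1
            }
        }
    '
}

# Constructed sample of mailq output. The last recipient is shaped like
# a message ID on purpose: cut -b11-26 on that line would return it.
sample_mailq() {
    cat <<'EOF'
25m  2.9K 16L9VL-0001OX-00 <> *** frozen ***
          user1@example.org

 3h  1.2K 16L8Aa-0000zQ-00 <offers@bulk.example.net>
          alice@example.org
        D bob@example.org

 4d   812 16KzzT-0002bC-00 <carol@example.org>
          abcdef-ghijkl-mn@example.org
EOF
}

# List the frozen messages in the sample queue.
sample_mailq | queue_ids '*** frozen ***'

# On a live server the IDs would be reviewed first and then passed on:
#   mailq | queue_ids "$pattern" | while read -r id; do exim -Mrm "$id"; done
```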
  
  


Re: Help with Firewall section in the Debian Security Manual

2002-01-17 Thread Jor-el

On Wed, 16 Jan 2002, Javier Fernández-Sanguino Peña wrote:

 
 Both should point to other sites regarding general info (what a firewall is? what does
 netfilter do?) and not reproduce it (terrible waste of time and difficult to maintain
 up to date).
 
Javier,

Is it really wise to talk about netfilter in a Debian Security
HOWTO? After all, the stable distribution of Debian (which is what
newbies will and should use), uses the 2.2 kernel which doesn't support
netfilter. Perhaps if you want to talk about iptables based firewalling,
you are really targeting users running testing / unstable, and thus you
are talking about a Debian testing / unstable Security HOWTO.

Regards,
Jor-el






Re: Mailserver HDD organization

2002-01-17 Thread Alberto Gonzalez Iniesta
On Sun, Nov 25, 2001 at 11:04:45PM +0100, [EMAIL PROTECTED]
wrote:

 please use qmail, its really the securest MTA you can get.


please use postfix, since it's as secure as qmail and has a better
license

-- 
Alberto Gonzalez Iniesta   | They that give up essential liberty
[EMAIL PROTECTED] | to obtain a little temporary safety
Encrypted mail preferred   | deserve neither liberty nor safety.

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3



Re: Mailserver HDD organization

2002-01-17 Thread Giacomo Mulas
On Thu, 17 Jan 2002, Alberto Gonzalez Iniesta wrote:

 On Sun, Nov 25, 2001 at 11:04:45PM +0100, [EMAIL PROTECTED]
 wrote:
 
  please use qmail, its really the securest MTA you can get.
 

 please use postfix, since it's as secure as qmail and has a better
 license

please, use whatever good MTA you are most skilled with, as you will be
able to secure it much better. What about avoiding to start religious
wars, everybody?

Bye
Giacomo

-- 
_

Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]
_

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216 Fax : +39 070 71180 222
_

When the storms are raging around you, stay right where you are
 (Freddy Mercury)
_



Re: Mailserver HDD organization

2002-01-17 Thread Samu
On Thu, Jan 17, 2002 at 12:22:07PM +0100, Alberto Gonzalez Iniesta wrote:
 On Sun, Nov 25, 2001 at 11:04:45PM +0100, [EMAIL PROTECTED]
 wrote:
 
  please use qmail, its really the securest MTA you can get.
 
 
 please use postfix, since it's as secure as qmail and has a better
 license
we could ask to venema or to bernstein what do the think about that,
so we can make some traffic smtp benchmark too 

:-

i think it's better to use the MTA you want, with a good conf file 
made by yourself and  some firewall rules just to dream sweeter


Samuele 


-- 
Samuele Tonon  [EMAIL PROTECTED]   http://www.linuxasylum.net/~samu/
Acid -- better living through chemistry.
   Timothy Leary



Re: Mailserver HDD organization

2002-01-17 Thread Gerrit Kilian
Hi there

On the subject of MTA's, is there no groupware like Lotus Domino or exchance
server available on Debian? Personaly I feel all Linux MTA's are very good.
Is it not just a matter of personal choice?

Kind Regards
Gerrit



Re: Mailserver HDD organization

2002-01-17 Thread Dave Kline
Though I have supported Sendmail in Big-Iron environments, I am now 
using the Default Debian Exim to serve mail.  I have been happy with 
Exim and it has served me reliably.  Yet I don't often hear its name 
used as an alternative to Sendmail.  Usually I hear Postfix or Qmail. 
Though I have used all of the MTAs I am referring to, I would like some 
quantitative and qualitative feedback.  IE, 'I use Exim to serve 3000
people on a measly 486' or 'I used Exim and was cracked open before I
could say Postfix' or 'Exim behaves like a lobotomized turtle.'


I know, I know, use what you feel comfortable with, but how comfortable 
are you guys with Exim?

-A. Dave

vdongen wrote:


I don't think the choice of MTA is relevant to the HDD organisation.
I use both Postfix and Qmail and they both work fine.

The only thing you have to realize is when you use Qmail with maildir, 
you really need a large /home partition.


Greetz,

Ivo

[EMAIL PROTECTED]:~$ apt-cache show clue
Package: clue
Priority: optional



-Original Message-
From: Alberto Gonzalez Iniesta [EMAIL PROTECTED]
Date: Thu, 17 Jan 2002 12:22:07 +0100
Subject: Re: Mailserver HDD organization


On Sun, Nov 25, 2001 at 11:04:45PM +0100, [EMAIL PROTECTED]
wrote:


please use qmail, its really the securest MTA you can get.


please use postfix, since it's as secure as qmail and has a better
license

--
Alberto Gonzalez Iniesta   | They that give up essential liberty
[EMAIL PROTECTED] | to obtain a little temporary safety
Encrypted mail preferred   | deserve neither liberty nor safety.

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3


RE: Mailserver HDD organization

2002-01-17 Thread Ronny Adsetts
 I know, I know, use what you feel comfortable with, but how comfortable
 are you guys with Exim?

I use Exim here for a low throughput small office mail server, grabbing
aliases from LDAP. I'm very happy with it - the documentation is extensive,
and the configuration is a doddle. The Exim user mailing list is pretty good
too; Philip Hazel, the software's author is (was - it's a while since I was
subscribed) a regular contributor and has written an O'Reilly book on Exim
as well as running Exim workshops from time-to-time at Cambridge University.

I know that some large ISPs in the UK do use Exim: BTOpenworld off the top
of my head have  1 million users and use exim.

Hope this helps a little.

Regards,
Ronny



Re: Mailserver HDD organization

2002-01-17 Thread eim
mmh, conclusions...

...I think I'm going to use exim.

exim runs fine with Mailman for the lists,
has spam filtering... and is available as binary
and completely free under Debian Potato 2.2r5.

Anyway I'll consider qmail for future upgrades.

Thanks for all replies,
have a nice day...

 -Ivo

On Thu, 2002-01-17 at 12:28, Giacomo Mulas wrote:
 On Thu, 17 Jan 2002, Alberto Gonzalez Iniesta wrote:
 
  On Sun, Nov 25, 2001 at 11:04:45PM +0100, [EMAIL PROTECTED]
  wrote:
  
   please use qmail, its really the securest MTA you can get.
  
 
  please use postfix, since it's as secure as qmail and has a better
  license
 
 Please use whatever good MTA you are most skilled with, as you will be
 able to secure it much better. What about not starting religious
 wars, everybody?
 
 Bye
 Giacomo
 
 -- 
 _
 
 Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]
 _
 
 OSSERVATORIO ASTRONOMICO DI CAGLIARI
 Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
 
 Tel.: +39 070 71180 216 Fax : +39 070 71180 222
 _
 
 When the storms are raging around you, stay right where you are
  (Freddy Mercury)
 _
 
 
 
 
-- 

 »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
 Ivo Marino[EMAIL PROTECTED]
 UN*X Developer, running Debian GNU/Linux
 irc.OpenProjects.net #debian
 http://eimbox.org
 »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«



Re: Mailserver HDD organization

2002-01-17 Thread Alvin Oga

hi ivo

for partitions...
- i prefer smallest/reasonable / partitions ( 64M or 128M etc )
- getting into single user mode is extremely important
- /var/spool/{mail,mqueue} in a mail server should
  be its own huge partitions ??? 
- /home doesn't mean much for mail servers
  ( user stuff is all in /opt )
    ln -s /opt/home /
    ln -s /opt/local /usr

- if you run secure imap, you'd have to worry about quota
  for /home where their mail is saved

- i like having /tmp in its own partitions ( 128Mb? )
- i do NOT use /boot as separate partitions
- must not forget about swap partition ( 256M or so )
  and if swap space is used constantly, add more memory
- i like having /opt to be the rest of the disk
- if you build your own kernel.. i claim you'd need to keep
  the current initrd.gz  or make your own custom initrd.gz
  so that it can read the scsi disks... ( catch-22 issue )

- more partition-howtos
http://www.Linux-1U.net/Installation/partition.gwif.html

- Picture of partitions layout on a disk... ( middle of the page )
http://www.Linux-1U.net/Disks

- Debian Security howto
http://www.debian.org/doc/manuals/securing-debian-howto/

- for a secure mail server...
http://www.Linux-Sec.net
-- see the various hardening methodologies
http://www.Linux-Sec.net/Harden/howto.gwif.html

- harden the file system
- harden the daemons/services
- apply all the patches
- run secure pop3/imap if users insist on pop-style mua
- subscribe to security mailing lists and distro/app specific ml
- install one or more anti-virus sw
- backup your system daily ???
- users probably would like their mailboxes backed up hourly ??

http://www.Linux-Sec.net/Mail/#AntiVirus
http://www.Linux-Sec.net/Mail/secure_pop3.txt

- simulate a disk crash ( unplug it )
-
- see if you can recover
- how many/how much users emails did you lose ??
-   should be zero with raid1 mirror

for running a raid1 mirror ... that should be fun/simple to setup
- be sure to use the fd (raid autodetect) partition type

http://www.1U-Raid5.net

have fun linuxing
alvin

On 17 Jan 2002, eim wrote:

 Hallo to everyone on the Debian Sec. List,
 
 I'm actually planning to install a new mailserver
 on network, the mailserver will substitute an existing
 one which runs of course Debian GNU/Linux potato and sendmail.
 
 The new server will be a P266Mhz 128 | 65 MB Ram with 2x 8GB
 IBM ULTRA WIDE SCSI HDD and obviously 100 MB network connection.
 
 The software I plan to run on the new server is Debian Potato
 with exim as MTA, mailman for the lists and some other stuff.
 
 My real problem is the HDD Organization, the actual server has
 all his / (root) in RAID 1 Mirrored via software on two IBM HDD
 which each one is 2 GB.
 
 I don't want to have only one big root partition on the new server,
 it's not recommended, is it?
 
 I was thinking about a partition for /, one for boot, one for
 /var/spool/mail and some other important system parts.
 
 Has anyone real-life examples of running mailservers,
 maybe some HDD organization infos, MTA infos and other
 important related know-how to run a secure and stable
 mailserver on my network.
 
 Thanks for any reply,
 Have a nice day...



Re: Mailserver HDD organization

2002-01-17 Thread J C Lawrence
On 17 Jan 2002 07:06:37 +0100 
eim  [EMAIL PROTECTED] wrote:

 I was thinking about a partition for /, one for boot, one for
 /var/spool/mail and some other important system parts.

MTAs are inherently disk IO bound.  As such, if possible devote a
spindle to /var/spool/mail and do what you can to reduce other
system IO (eg turn off syslog fsync()).  If you can't do that (and it
sounds like you can't), then use the appropriate RAID types.

 Has anyone real-life examples of running mailservers, maybe some
 HDD organization infos, MTA infos and other important related
 know-how to run a secure and stable mailserver on my network.

There's been quite a bit of this sort of data on the Mailman lists
from Chuq von Rospach, myself, Nigel Metherington, and others.

-- 
J C Lawrence
-(*)Satan, oscillate my metallic sonatas. 
[EMAIL PROTECTED]   He lived as a devil, eh?  
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.



Re: Mailserver HDD organization

2002-01-17 Thread J C Lawrence
On Thu, 17 Jan 2002 09:23:02 -0500 
Dave Kline [EMAIL PROTECTED] wrote:

 I know, I know, use what you feel comfortable with, but how
 comfortable are you guys with Exim?  -A. Dave

Very.  I like, and use both Exim and Postfix in deployed production
systems.

-- 
J C Lawrence
-(*)Satan, oscillate my metallic sonatas. 
[EMAIL PROTECTED]   He lived as a devil, eh?  
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.



Re: ping6

2002-01-17 Thread Dave Kline

Ping for IPv6.  You should see other utilities that end with 6 as well.
-A. Dave

Répási Tibor wrote:


Hi!

What is /bin/ping6 ??? Is it normal that /bin/ping and /bin/ping6 have setuid
to root?

regards,

Tibor Repasi







allowing users to change passwords

2002-01-17 Thread martin f krafft
i need to provide a way for my users to change their password on my
machines. however, most of them are too stupid for the console. so i
played with poppassd, and it might end up being my option, but today i
had another idea. so without having given it much thought, i'll ask you:

what would speak against setting the user's login shell to
/usr/bin/passwd? it's SSH2-only, and with MindTerm as a java applet, i
could even ask them to connect, login with their password, type their
password again, then specify the new one twice. that shouldn't be a
problem, right? or is it absolutely bad in terms of security?

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED]
  
friends help you move. real friends help you move bodies.




Re: allowing users to change passwords

2002-01-17 Thread Steve Mickeler

Why bother having them go through the hassle of loading an applet which
might not work ( not that I've ever seen it not work )?

If they are using mindterm, then they are already in a browser, which
means you might as well just have them use a form via ssl to change their
password via poppassd.


On Thu, 17 Jan 2002, martin f krafft wrote:

 i need to provide a way for my users to change their password on my
 machines. however, most of them are too stupid for the console. so i
 played with poppassd, and it might end up being my option, but today i
 had another idea. so without having given it much thought, i'll ask you:
 
 what would speak against setting the user's login shell to
 /usr/bin/passwd? it's SSH2-only, and with MindTerm as a java applet, i
 could even ask them to connect, login with their password, type their
 password again, then specify the new one twice. that shouldn't be a
 problem, right? or is it absolutely bad in terms of security?
 
 -- 
 martin;  (greetings from the heart of the sun.)
   \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED]
   
 friends help you move. real friends help you move bodies.
 



Todays root password is brought to you by /dev/random

.-.
| Steve Mickeler * Network Operations |
+-+
| Neptune Internet Services   |
`-'

1024D/ACB58D4F = 0227 164B D680 9E13 9168  AE28 843F 57D7 ACB5 8D4F





Re: allowing users to change passwords

2002-01-17 Thread martin f krafft
also sprach Steve Mickeler [EMAIL PROTECTED] [2002.01.18.0010 +0100]:
 If they are using mindterm, then they are already in a browser, which
 means you might as well just have them use a form via ssl to change their
 password via poppassd.

yes, but did you see my recent posts on poppassd and its security
problems? i am compiling poppassd-1.8-ceti from [1] right now though. it
would be the best way. i could do that in addition to passwd...

  1. http://www.ceti.com.pl/~kravietz/prog.html

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED]
  
when faced with a new problem, the wise algorithmist
 will first attempt to classify it as np-complete.
 this will avoid many tears and tantrums as
 algorithm after algorithm fails.
  -- g. niruta




Exim mail Problem

2002-01-17 Thread Daniel J. Rychlik



Dear Debian Guruz,

My debian server is acting funny. I did some searching around and grepped
for anomalies in my log files. I have noticed that exim mail is showing a
message frozen in the mainlog file.
2002-01-17 18:38:02 16L9VL-0001OX-00 Message is frozen
End queue run: pid=17620

I'm seeing this same message except that the neat looking identifiers
after the timestamp change slightly. There are about 50 different
identifiers or so in the main log. The problem I'm seeing is exim mail
chewing up resources and not letting anything else play, like apache. ;o)

Any ideas? Or how do I stop this from happening?

Thanks in advance,
Daniel J. Rychlik




Re: Mailserver HDD organization

2002-01-17 Thread Andrew Tait
I use exim to serve 4500+ users, on a Pentium 133. Until a UPS failure
recently, it had an uptime of 330+ days (dammit, I really wanted to get to
365!!) The only time exim broke down was when I stuffed up the
configuration.

Exim does everything that I want, RBL, anti-virus with the exiscan program,
and custom filters as well.

I must admit that the server will soon be replaced by a P3 800 (running exim
as well).

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

It's the smell! If there is such a thing. Agent Smith - The Matrix
- Original Message -
From: Dave Kline [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Cc: Debian-Security List debian-security@lists.debian.org
Sent: Friday, January 18, 2002 1:23 AM
Subject: Re: Mailserver HDD organization


 Though I have supported Sendmail in Big-Iron environments, I am now
 using the Default Debian Exim to serve mail.  I have been happy with
 Exim and it has served me reliably.  Yet I don't often hear its name
 used as an alternative to Sendmail.  Usually I hear Postfix or Qmail.
  Though I have used all of the MTAs I am referring to, I would like some
 quantitative and qualitative feedback.  IE, 'I use Exim to serve 3000
 people on a measly 486' or 'I used Exim and was cracked open before I
 could say Postfix' or 'Exim behaves like a lobotomized turtle.'

 I know, I know, use what you feel comfortable with, but how comfortable
 are you guys with Exim?
 -A. Dave

 vdongen wrote:

 I don't think the choice of MTA is relevant to the HDD organisation.
 I use both Postfix and Qmail and they both work fine.
 
 The only thing you have to realize is when you use Qmail with maildir,
 you really need a large /home partition.
 
 Greetz,
 
 Ivo
 
 [EMAIL PROTECTED]:~$ apt-cache show clue
 Package: clue
 Priority: optional
 
 
 
 -Original Message-
 From: Alberto Gonzalez Iniesta [EMAIL PROTECTED]
 Date: Thu, 17 Jan 2002 12:22:07 +0100
 Subject: Re: Mailserver HDD organization
 
 On Sun, Nov 25, 2001 at 11:04:45PM +0100, [EMAIL PROTECTED]
 wrote:
 
 please use qmail, its really the securest MTA you can get.
 
 please use postfix, since it's as secure as qmail and has a better
 license
 
 --
 Alberto Gonzalez Iniesta   | They that give up essential liberty
 [EMAIL PROTECTED] | to obtain a little temporary safety
 Encrypted mail preferred   | deserve neither liberty nor safety.
 
 Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3
 
 
 
 
 
 








Re: Exim mail Problem

2002-01-17 Thread Andrew Tait



Try running mailq, to get a list of messages currently in the queue.

Try doing an "exigrep 16L9VL-0001OX-00 mainlog" to try and find out why
the message is frozen. You will probably have to search back through your
logs if it's been there a while.

And here is a little script I use at work to delete messages from the queue
matching a pattern:

#!/usr/bin/ksh
# Delete every queued message whose mailq summary line matches the pattern in $1
SPAM=$1
# bytes 11-26 of a mailq summary line hold the message ID
mailq | grep "$SPAM" | cut -b11-26 > /tmp/spamlist

for i in `cat /tmp/spamlist`
do
    exim -Mrm $i
    echo "deleted $i"
done
rm /tmp/spamlist


And here is a modification to try and force delivery attempts on messages
matching a pattern.

#!/usr/bin/ksh
# Force a delivery attempt for every queued message matching the pattern in $1
SPAM=$1
mailq | grep "$SPAM" | cut -b11-26 > /tmp/sendlist

for i in `cat /tmp/sendlist`
do
    exim -M $i
    echo "delivered $i"
done
rm /tmp/sendlist

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

  - Original Message -
  From: Daniel J. Rychlik
  To: debian-security@lists.debian.org
  Sent: Friday, January 18, 2002 11:47 AM
  Subject: Exim mail Problem

  Dear Debian Guruz,

  My debian server is acting funny. I did some searching around and grepped
  for anomalies in my log files. I have noticed that exim mail is showing a
  message frozen in the mainlog file.
  2002-01-17 18:38:02 16L9VL-0001OX-00 Message is frozen
  End queue run: pid=17620

  I'm seeing this same message except that the neat looking identifiers
  after the timestamp change slightly. There are about 50 different
  identifiers or so in the main log. The problem I'm seeing is exim mail
  chewing up resources and not letting anything else play, like apache. ;o)

  Any ideas? Or how do I stop this from happening?
  
  Thanks in advance,
  Daniel J. Rychlik
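
An added example, not part of Andrew Tait's post and not Exim's own tooling: the same queue selection done by parsing the mailq listing field by field, so that message IDs are validated, only messages marked frozen (or containing a fixed string) are picked, and no fixed file under /tmp is needed. The function names, the constructed sample listing and the assumption that frozen messages carry "*** frozen ***" on their summary line are mine; the exim commands are only printed, as a dry run.

```shell
#!/bin/sh
# Added example: pick message IDs out of an Exim queue listing without
# byte offsets or a temporary file. All function names are hypothetical.

# select_ids MODE [TEXT]
#   Reads `mailq` (exim -bp) output on stdin, prints one message ID per line.
#   MODE=frozen : only messages flagged "*** frozen ***"
#   MODE=match  : only messages whose summary line contains TEXT (fixed string)
select_ids() {
    MODE="$1" TEXT="${2-}" awk '
        # True for the 16-character ID form seen in the thread: 6-6-2 alphanumerics.
        function is_id(s,   p) {
            if (s ~ /[^0-9A-Za-z-]/) return 0
            return split(s, p, "-") == 3 && length(p[1]) == 6 &&
                   length(p[2]) == 6 && length(p[3]) == 2
        }
        # A summary line is "<age> <size> <id> <sender> [flags]"; recipient
        # lines and blank lines never have a valid ID in field 3.
        NF >= 3 && is_id($3) {
            if (ENVIRON["MODE"] == "frozen" && index($0, "*** frozen ***"))
                print $3
            if (ENVIRON["MODE"] == "match" && ENVIRON["TEXT"] != "" &&
                index($0, ENVIRON["TEXT"]))
                print $3
        }'
}

# queue_commands ACTION : turn IDs on stdin into exim command lines (dry run).
#   ACTION=remove -> exim -Mrm ID     ACTION=deliver -> exim -M ID
queue_commands() {
    case "$1" in
        remove)  flag=-Mrm ;;
        deliver) flag=-M ;;
        *) echo "usage: queue_commands remove|deliver" >&2; return 2 ;;
    esac
    while IFS= read -r id; do
        printf 'exim %s %s\n' "$flag" "$id"
    done
}

# Constructed sample of a queue listing (not taken from a real server).
sample_queue() {
    cat <<'EOF'
25m  2.9K 16L9VL-0001OX-00 <> *** frozen ***
          postmaster@example.org

 3h  1.1K 16L7aB-0000Zq-00 <alice@example.org>
          bob@example.com

 1d   812 16L2Qx-0003kT-00 <bulk@example.net> *** frozen ***
          carol@example.org
EOF
}

# Dry run: print the commands that would remove the frozen messages.
sample_queue | select_ids frozen | queue_commands remove
```

On a live server the listing would come from mailq instead of sample_queue, and the printed commands can be reviewed before any of them is run.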
  
  


Re: Help with Firewall section in the Debian Security Manual

2002-01-17 Thread Jor-el
On Wed, 16 Jan 2002, Javier Fernández-Sanguino Peña wrote:

 
 Both should point to other sites regarding general info (what a firewall is?
 what does netfilter do?) and not reproduce it (terrible waste of time and
 difficult to maintain up to date).
 
Javier,

Is it really wise to talk about netfilter in a Debian Security
HOWTO? After all, the stable distribution of Debian (which is what
newbies will and should use), uses the 2.2 kernel which doesn't support
netfilter. Perhaps if you want to talk about iptables based firewalling,
you are really targeting users running testing / unstable, and thus you
are talking about a Debian testing / unstable Security HOWTO.

Regards,
Jor-el