How to set up a SMARTHOST in SunONE Messaging Server 6

This is useful if you want to specify the mail servers for certain domains, or if you need to send all mail through another machine.

1) In the first half of the /<server root>/imta/config/imta.cnf file:
add under ! Rules to select local users:
domain.com $E$F$U%$D@smarthost-daemon

2) In the second half of the file, where you have all the channels separated by an empty line:
add:
!
! smarthost
smarthost smtp mx daemon relayhost.domain.com
smarthost-daemon

3) In the /<server root>/imta/config/job_controller.cnf file:
add:
!
[CHANNEL=smarthost]
anon_host=0
master_command=IMTA_EXE:smtp_client

4) Run /<server root>/imsimta refresh

That’s it! Now, all mail that goes to domain.com from this machine goes to relayhost.domain.com for processing.

Also, if you were supposed to use a smarthost, but didn’t set it on installation, here is where you change it.
On the channel that is used to send mail out (most likely, tcp_local)
add:
daemon relayhost.domain.com

so if your channel looks like this:
!
! tcp_local
tcp_local smtp mx single_sys remotehost inner switchchannel identnonelimited subdirs 20 maxjobs 7 pool SMTP_POOL maytlsserver maysaslserver saslswitchchannel tcp_auth
tcp-daemon

modify it so it looks like this:
!
! tcp_local
tcp_local smtp mx single_sys remotehost inner switchchannel identnonelimited subdirs 20 maxjobs 7 pool SMTP_POOL maytlsserver maysaslserver saslswitchchannel tcp_auth daemon relayhost.domain.com
tcp-daemon

sample sieve filter in SunONE Messaging Server 5

2 – imsimta refresh
3 – should work – imsimta test -rewrite -filter [email protected]

If you look at RFC 3028, you could get a better understanding of the language. Example of imta.filter file:

require ["envelope", "reject", "fileinto"];

if header :contains "From" "[email protected]" {
    reject "[email protected]";
}
if envelope :contains "From" "[email protected]" {
    discard;
}
if header :contains "Subject" "$$$" {
    reject "I don't want your mail!";
}
if header :contains "To" "Undisclosed Recipients" {
    reject "I don't want your mail!";
}
# Alternative to the reject above: file the message into a SPAM folder instead.
if header :contains "To" "Undisclosed Recipients" {
    fileinto "SPAM";
}

How to backup the message store in SunONE Messaging Server 6

ENTIRE MESSAGE STORE

To back up / restore:

imsbackup -f /backupdir/backupfilename /

imsrestore -f /backupdir/backupfilename /

or

./imsbackup -f - / > /backupdir/backupfilename

cat /backupdir/backupfilename | /opt/SUNWmsgsr/sbin/imsrestore -f -

JUST 1 FOLDER

imsrestore -f /backupdir/backupfilename user/uid

cat /backupdir/backupfilename | /opt/SUNWmsgsr/sbin/imsrestore -f - user/[email protected]

How to change Admin Server user in SunONE Directory Server 5

How to change user for Admin Server

Problem Statement:

S1DS 5.2 (compressed archive) does not offer the option of specifying the owner of the admin server during installation. When you specify a non-privileged user, such as nobody, for the directory server, the admin server also runs as that same non-privileged user.

Therefore, if you specify a privileged port in unix (<1024) for the directory server, you will not be able to start / restart the directory server instance via the console.

Troubleshooting Steps:

If the admin server is running as a user other than root, you can't change the user for the admin server via the console. Here are the steps to change the user for the Admin Server by hand.

** The admin server should be stopped before conducting this procedure, but ns-slapd for the configuration instance should be on-line.

1. Change the directive named 'User' in ServerRoot/admin-serv/config/magnus.conf to 'root' with a text editor.

2. Change the file owner under ServerRoot/admin-serv to the user you want, as follows:

a. # cd /admin-serv

b. # chown -R root *

3. Change the attribute 'nsSuiteSpotUser' of the admin server configuration entry in your Directory Server, i.e.

dn: cn=configuration, cn=admin-serv-, cn=Administration Server, cn=Server Group, cn=, ou=, o=NetscapeRoot

to the user you want to change to.

For example, using ldapsearch:

a. Do the following ldapsearch to determine the target entry:

# ./ldapsearch -p -h -D "cn=Directory Manager" -w -b o=NetscapeRoot -s sub "nsSuiteSpotUser=*" dn nsSuiteSpotUser
dn: cn=configuration, cn=admin-serv-test, cn=Administration Server, cn=Server Group, cn=test.example.com, ou=example.com, o=NetscapeRoot
nsSuiteSpotUser=nobody
#

b. Modify the user in attribute nsSuiteSpotUser of this entry to 'root':

# ldapmodify -p -D "cn=Directory Manager" -w
dn: cn=configuration, cn=admin-serv-test, cn=Administration Server, cn=Server Group, cn=test.example.com, ou=example.com, o=NetscapeRoot
changetype: modify
replace: nsSuiteSpotUser
nsSuiteSpotUser: root

modifying entry cn=configuration, cn=admin-serv-test, cn=Administration Server, cn=Server Group, cn=test.example.com, ou=example.com, o=NetscapeRoot

^D
#

You can also make the same modification via the Directory tab in the Directory Server console.

How to disable SSL in SunONE directory server

Problem Statement: If you delete your certificates and forget to disable encryption on your LDAP server, your directory server will not start the next time you go to restart it.

Resolution: Here’s how it looks:

bash-2.05# ./start-slapd
Enter PIN for Internal (Software) Token:
Server not running!! Failed to start ns-slapd process.

tail /logs/errors

[24/Apr/2004:12:31:48 -0700] - Sun-ONE-Directory/5.2 B2003.143.0020 (32-bit) starting up
[24/Apr/2004:12:31:48 -0700] - WARNING<4753> - SSL - conn=-1 op=-1 msgId=-1 - Security Initialization: Can't find certificate (server-cert) for family cn=RSA,cn=encryption,cn=config (error -5978 - Network file descriptor is not connected.)
[24/Apr/2004:12:31:48 -0700] - WARNING<4754> - SSL - conn=-1 op=-1 msgId=-1 - Security Initialization: Unable to retrieve private key for cert server-cert of family cn=RSA,cn=encryption,cn=config (error -5978 - Network file descriptor is not connected.)
[24/Apr/2004:12:31:48 -0700] - ERROR<4756> - SSL - conn=-1 op=-1 msgId=-1 - None of the cipher are valid.
[24/Apr/2004:12:31:48 -0700] - DEBUG - conn=-1 op=-1 msgId=-1 - SSL socket import or configuration failed.
[24/Apr/2004:12:31:48 -0700] - DEBUG - conn=-1 op=-1 msgId=-1 - Failed to init daemon

To fix this, open the /config/dse.ldif and change

nsslapd-security: on

to:

nsslapd-security: off

Then, restart the directory server.

How to run SunONE directory server as a diff (unix) user.

Description: Directory Server 5.2 may have trouble configuring itself on installation if you set the server to run as another user. Here’s the workaround.

Document Body: Here are sample error messages you will get on installation:

Created new Directory Server
Start Slapd Starting Slapd server configuration.
Fatal Slapd Missing configuration file /opt/app/sunone/dir5_2/setup/slapd/slapd.inf
Configuration of the Directory Server failed.
Error Directory Server configuration failure

Here’s the workaround.

cd
slapd-/stop-slapd
find slapd- | xargs chown the_right_user
edit slapd-/config/dse.ldif
replace nsslapd-localuser line with:
nsslapd-localuser: the_right_user
slapd-/start-slapd

Now you have a directory server that should be started by root or through the admin server and run as “the_right_user”.
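Both this section and the SSL section above come down to editing one line of dse.ldif by hand while slapd is stopped (a running ns-slapd rewrites the file, so edits made while it is up are lost). The script below is an added example, not part of the original articles and not a Sun tool: it performs that edit with a kept copy of the original and refuses to touch a file where the attribute is missing or appears more than once. The dse.ldif fragment, the temp directory and the user name the_right_user are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article, not a Sun tool): change one attribute
# in a Directory Server dse.ldif while slapd is stopped. Covers both hand
# edits described on this page:
#   nsslapd-security: on   -> off             (disable SSL after deleting certs)
#   nsslapd-localuser: ... -> the_right_user  (run slapd as another unix user)
# The dse.ldif fragment below is constructed for the demo.

# set_dse_attr FILE ATTR VALUE
# Rewrites the single "ATTR: old" line as "ATTR: VALUE". The untouched
# original is kept as FILE.orig (written only the first time), and the
# function refuses to edit a file where ATTR is missing or duplicated.
# VALUE must not contain '|', which is used as the sed delimiter.
set_dse_attr() {
    file=$1; attr=$2; value=$3
    count=$(grep -c "^${attr}: " "$file" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one '${attr}:' line in $file, found $count" >&2
        return 1
    fi
    [ -e "${file}.orig" ] || cp -p "$file" "${file}.orig" || return 1
    tmp="${file}.tmp.$$"
    # attribute names are [A-Za-z0-9-], so ATTR is safe inside the sed pattern
    sed "s|^${attr}: .*|${attr}: ${value}|" "$file" > "$tmp" || return 1
    mv "$tmp" "$file"
}

# get_dse_attr FILE ATTR -> prints the attribute's current value
get_dse_attr() {
    sed -n "s/^$2: //p" "$1"
}

# demo_dse_ldif -> writes a constructed dse.ldif, applies both edits,
# prints the path of the edited file
demo_dse_ldif() {
    dir=$(mktemp -d)
    f="$dir/dse.ldif"
    cat > "$f" <<'EOF'
dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsslapd-localuser: nobody
nsslapd-security: on
nsslapd-port: 389
EOF
    set_dse_attr "$f" nsslapd-security off || return 1
    set_dse_attr "$f" nsslapd-localuser the_right_user || return 1
    echo "$f"
}

# Stand-alone run: show the edited attributes and where the original went.
f=$(demo_dse_ldif)
echo "edited: $f"
grep '^nsslapd-' "$f"
echo "original kept as: $f.orig"
```

Run it against a real instance as `set_dse_attr slapd-<id>/config/dse.ldif nsslapd-security off` after `stop-slapd`; the `.orig` copy is what you diff against if the server still refuses to start afterwards.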

Reload/restore replication in SunONE Directory Server 5.1

2. On all hosts, remove replication state.
– Use the Console to disable the replica role for userRoot.
– If a master, delete the changelog associated with the userRoot database.
– Restart the slapd process.

3. Reinitialize the primary master with its own data, stripped of replication state.
– Invoke an in-line db2ldif dump, without the ( -r ) switch.
– Stop slapd.
– Classic ldif2db using the dump just created to rebuild the database.
– Start slapd, validate basic serviceability.

4. Configure replication on master 1.
– Use the console to enable/configure a changelog for userRoot.
– Enable replication in a multi-master role.

5. Prepare the seed LDIF.
– Invoke an in-line db2ldif dump, USING the ( -r ) switch. Confirm that the ldif carries replication state data.
– Copy the seed LDIF to the consumer (master 2).

6. Enable replication on master 2.
– Enable/configure a changelog for userRoot.
– Enable replication in a multi-master role.
– Stop slapd.
– Classic ldif2db import using the seed ldif from master 1.
– Start slapd (master 2), validate basic serviceability.

7. Test functional replication, both ways, master 1 <-> master 2.

Apache 2.0.x reverse proxy that rewrites URLs

How to set up a reverse proxy using Apache 2.0.x and have it rewrite urls.

This is particularly useful if you’re running an Identity Server internally and want to be able to access it externally: you can set up an Apache reverse proxy in your DMZ to forward the requests. If you use Identity Server 6.3 or higher, you will not need to do this.

This article exists because we needed a workaround for a customer: in the older version of Identity Server, the logout button uses an absolute URL rather than a relative URL, which makes the link inaccessible through a proxy.

Because the customer was doing this on Linux, the instructions here are for Linux and will differ from what you would do on Solaris. If you wanted to do this on Solaris, you would need more sources, or you could install the binaries from http://www.blastwave.org or http://www.sunfreeware.org.

To start with, you will need Apache 2.0.x installed. You can verify this with:

rpm -qav | grep httpd

or

rpm -qav | grep apache (depending on which Linux distribution you have)

My output shows I have httpd-2.0.52-3.1 installed.

You will want to check to see that your Apache installation also includes the mod_proxy modules. You can check this with:

rpm -qil httpd

My output shows:

/usr/lib/httpd/modules/mod_proxy.so

/usr/lib/httpd/modules/mod_proxy_connect.so

/usr/lib/httpd/modules/mod_proxy_ftp.so

/usr/lib/httpd/modules/mod_proxy_http.so

Redhat Linux and Trustix Secure Linux both have these by default. I obviously can’t speak for all the other Linux distributions out there. If you don’t have these, you don’t want to continue. You will probably want to either find an rpm that has these or go and download the source and compile Apache with them.

Now, here comes the fun stuff. You will need to compile a new module – mod_proxy_html. You can download the module from: http://apache.webthing.com/mod_proxy_html/

You may want to follow this as a guide: http://www.apacheweek.com/features/reverseproxies

There are a few dependencies you will need to compile this module. For instance, you will definitely need a compiler and some libraries. Here’s a small list that I have installed on my box. You may need more.

gcc

httpd-devel-2.0.52-3.1

libxml2-2.6.16-3.i386.rpm

libxml2-devel-2.6.16-3.i386.rpm

zlib-devel-1.2.1.2-1.i386.rpm

To compile the module, run:

apxs -c -I/usr/include/libxml2 -i mod_proxy_html.c

After doing this, you should find the module located where your apache modules are stored like:

ls -l /usr/lib/httpd/modules/mod_proxy_html.so

-rwxr-xr-x 1 root root 59627 Apr 8 18:02 /usr/lib/httpd/modules/mod_proxy_html.so

Congratulations! You now have the module installed. You now have to configure it.

In my case, the apache configuration file is located in /etc/httpd/conf/httpd.conf

Here, I add where the modules are:

———————————————————————————————–

LoadFile /usr/lib/libxml2.so.2

LoadModule proxy_html_module modules/mod_proxy_html.so

———————————————————————————————–

Then, later in the file:

———————————————————————————————–

ProxyHTMLLogVerbose On

LogLevel Debug

ProxyRequests off

ProxyPass /amserver http://sapphire.atac.ebay.sun.com/amserver

ProxyPassReverse /amserver http://sapphire.atac.ebay.sun.com/amserver

ProxyPass /amconsole http://sapphire.atac.ebay.sun.com/amserver

ProxyPassReverse /amconsole http://sapphire.atac.ebay.sun.com/amserver

SetOutputFilter proxy-html

ProxyHTMLURLMap http://sapphire.atac.ebay.sun.com http://megatron.atac.ebay.sun.com i

———————————————————————————————–

What I’m doing here is rewriting the URL for any request that goes to /amconsole or /amserver so the data is fetched from the sapphire machine. Any URLs within the returned pages that point to sapphire are rewritten to megatron.
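Two details of the configuration above carry the security weight: `ProxyRequests off`, without which the DMZ box is an open forward proxy for anyone who can reach it, and a `ProxyPassReverse` for every `ProxyPass`, without which redirects from the backend leak the internal hostname. The script below is an added pre-flight check, not part of the original article and not an Apache tool, that reads an httpd.conf and reports both mistakes. The two sample configs it checks are constructed, with placeholder hostnames in place of the article's machines.

```shell
#!/bin/sh
# Added example (not from the article or the Apache project): a pre-flight
# check for a reverse-proxy httpd.conf. It flags the two mistakes that most
# often turn this setup into a security problem:
#   1. ProxyRequests On  -> the box becomes an open forward proxy
#   2. a ProxyPass with no ProxyPassReverse, or one naming a different
#      backend -> Location headers from the backend leak the internal host
# Hostnames and paths in the sample configs are constructed placeholders.

# check_proxy_conf FILE -> prints findings, returns 0 if clean, 1 otherwise
check_proxy_conf() {
    conf=$1
    rc=0
    # drop comments; Apache directive names are case-insensitive
    body=$(sed 's/#.*//' "$conf")

    if printf '%s\n' "$body" | grep -iq '^[[:space:]]*ProxyRequests[[:space:]][[:space:]]*On'; then
        echo "FAIL: ProxyRequests On in $conf (open forward proxy; a reverse proxy needs Off)"
        rc=1
    fi

    # pair each ProxyPass prefix with its ProxyPassReverse and compare backends
    findings=$(printf '%s\n' "$body" | awk '
        tolower($1) == "proxypass"        { pass[$2] = $3 }
        tolower($1) == "proxypassreverse" { rev[$2]  = $3 }
        END {
            for (p in pass) {
                if (!(p in rev))
                    print "FAIL: ProxyPass " p " has no ProxyPassReverse"
                else if (rev[p] != pass[p])
                    print "FAIL: ProxyPassReverse for " p " points to " rev[p] ", ProxyPass to " pass[p]
            }
        }')
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        rc=1
    fi
    return $rc
}

# make_demo_confs -> prints a directory holding good.conf and bad.conf
make_demo_confs() {
    d=$(mktemp -d)
    cat > "$d/good.conf" <<'EOF'
# constructed: mirrors the article's layout with placeholder hosts
LoadModule proxy_html_module modules/mod_proxy_html.so
ProxyRequests off
ProxyPass /amserver http://internal.example.com/amserver
ProxyPassReverse /amserver http://internal.example.com/amserver
ProxyPass /amconsole http://internal.example.com/amserver
ProxyPassReverse /amconsole http://internal.example.com/amserver
SetOutputFilter proxy-html
ProxyHTMLURLMap http://internal.example.com http://proxy.example.com i
EOF
    cat > "$d/bad.conf" <<'EOF'
# constructed: forward proxying left on, reverse mapping incomplete
ProxyRequests On
ProxyPass /amserver http://internal.example.com/amserver
ProxyPass /amconsole http://internal.example.com/amserver
ProxyPassReverse /amconsole http://other.example.com/amserver
EOF
    echo "$d"
}

# Stand-alone run: check both constructed files.
d=$(make_demo_confs)
for c in "$d/good.conf" "$d/bad.conf"; do
    if check_proxy_conf "$c"; then echo "OK: $c"; fi
done
```

Point it at the real file with `check_proxy_conf /etc/httpd/conf/httpd.conf` before `apachectl restart`. Separately, `ProxyHTMLLogVerbose On` and `LogLevel Debug` in the configuration above are troubleshooting settings; once the rewrite works, turning them back down keeps the error log from recording every rewritten link.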

All you have to do now is restart apache.

/usr/sbin/apachectl restart

That’s it! You should now be able to access http://megatron.atac.ebay.sun.com/amserver or http://megatron.atac.ebay.sun.com/amconsole, get the same login screen, and navigate the entire Identity Server or whatever else you put behind the proxy.

For issues, be sure to look at your Apache access and error logs and you can visit the following links:

http://apache.webthing.com/mod_proxy_html/

http://www.apacheweek.com/features/reverseproxies