Setting up automounts, milters, IPv6, etc.

Alexander Dalloz ad+lists at uni-x.org
Tue Sep 27 19:22:24 UTC 2005


On Tue, 27.09.2005, at 20:40, Philip Prindeville wrote:

> I was hoping to get some pointers on how to do the following sysadmin 
> chores:
> 
> * I'm running sendmail+cyrus, and I'd like to configure a milter with
>   some simple rules (for instance, don't accept email from sites that
>   don't have IN-ADDR.ARPA records)

You'd better not implement that, because you would produce far too many
false positives.

http://www.cs.niu.edu/~rickert/cf/ -> HACK(`require_rdns')
   "I don't recommend this. The amount of collateral damage is
excessive." (Neil W. Rickert)  [You know who Neil is? Co-author of the
bat book.]

What you can consider is letting a missing reverse DNS, or even bogus
DNS entries (MX pointing to 127.0.0.1), influence the spam rating rather
than cause blind rejection. I recommend having a close look at MimeDefang,
www.mimedefang.org. It is highly adjustable with just a little Perl
knowledge.
An example: http://www.mimedefang.org/kwiki/index.cgi?CheckForMX

> * I'd also like to set up autofs, but it seems to be failing...  I tried
>   to set up an example /home mountpoint like the auto.master man page
>   suggests, but they don't give an example of what /etc/auto.home would
>   look like (and just copying auto.net into it doesn't work).
>   Suggestions?

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/s1-nfs-client-config.html

> * I tried to edit /etc/sysconfig/network to have "NETWORK_IPV6=no" but 
> it still
>    wants to bring up IPV6 networking anyway:
> 
> eth0      Link encap:Ethernet  HWaddr 00:11:09:04:D5:2A
>           inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
>           inet6 addr: fe80::211:9ff:fe04:d52a/64 Scope:Link

>    is this a bug?  What am I missing?

Add to /etc/modprobe.conf

alias net-pf-10 off
alias ipv6 off

> * Lastly, when I start up my mail UA, it complains about the certificate
>   coming from the host being signed localhost.localdomain...  Is there a
>   walk-through on how to set up the various certificates required for
>   using SSL/TLS for sending email from a client?  How do I set up
>   certificates for individual users, for instance?

/usr/share/doc/openssl*/FAQ
There is a lot of info to be found by a Google search, for example for
"openssl create self-signed certificates". Fedora ships the CA script
and CA.pl (openssl-perl).

> /var/log/messages.1:Sep 19 19:30:30 mail sendmail[23081]: unable to open 
> Berkeley db /etc/sasldb2: No such file or directory

You offer the MD5 mech, which is not configured.

> Sep 27 12:29:30 mail sendmail[5896]: NOQUEUE: connect from [192.168.1.5]
> Sep 27 12:29:30 mail sendmail[5896]: AUTH: available mech=DIGEST-MD5 
> ANONYMOUS CRAM-MD5, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 
> LOGIN PLAIN
> Sep 27 12:29:30 mail sendmail[5896]: j8RITUIv005896: Milter: no active 
> filter
> Sep 27 12:29:30 mail sendmail[5896]: STARTTLS=server, 
> relay=[192.168.1.5], version=TLSv1/SSLv3, verify=NO, 
> cipher=DHE-RSA-AES256-SHA, bits=256/256
> Sep 27 12:29:30 mail sendmail[5896]: STARTTLS=server, cert-subject=, 
> cert-issuer=, verifymsg=ok
> Sep 27 12:29:30 mail sendmail[5896]: AUTH: available mech=LOGIN 
> DIGEST-MD5 PLAIN ANONYMOUS CRAM-MD5, allowed mech=EXTERNAL GSSAPI 
> DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
> Sep 27 12:29:31 mail sendmail[5896]: j8RITUIw005896: AUTH failure 
> (CRAM-MD5): user not found (-20) SASL(-13): user not found: no secret in 
> database

Your client uses CRAM-MD5 as your Sendmail setup offers that mech, but
you have not configured your server to provide that. So it must fail.

> Sep 27 12:29:31 mail sendmail[5896]: AUTH=server, relay=[192.168.1.5], 
> authid=philipp, mech=PLAIN, bits=0
> Sep 27 12:29:31 mail sendmail[5896]: j8RITUIw005896: 
> from=<philipp at redfish-solutions.com>, size=72799, class=0, nrcpts=1, 
> msgid=<43398F8A.50903 at redfish-solutions.com>, proto=ESMTP, 
> daemon=MTA-v4, relay=[192.168.1.5]

Fallback to mech PLAIN, which I guess succeeds.

>    similarly, I can't send email using SSL when connecting to my 
> sendmail server...
>    (but TLS seems to work).

SSL is something different from (START)TLS in this context. Is that
above a question or a statement?

> * Ditto for Cyrus.  I can't use secure authentication:
> 
> Sep 27 12:38:42 mail imaps[5986]: starttls: TLSv1 with cipher AES256-SHA 
> (256/256 bits reused) no authentication

Too little information. We can't know what you changed from the default
setup. Use "imtest" for testing and adjusting your setup.

>    I'm using Thunderbird, if that makes any difference.

Yes, Thunderbird can use MD5, while other popular MUAs can only speak
PLAIN or LOGIN (Outlook, OE).

> -Philip

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 21:00:34 up 7 days, 4:46, load average: 0.65, 0.29, 0.21 
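The "score, don't reject" approach Alexander recommends for missing or bogus DNS, as an added example that is not part of the message and is not MimeDefang code. It weights three conditions from the thread (no PTR, a PTR that does not forward-confirm, an MX that resolves to a loopback address) into a spam score and only tags above a threshold. The DNS data is a constructed in-memory table with hypothetical names so the example runs offline; in a real filter the `Resolver` methods would wrap actual lookups, and the weights and `TAG_THRESHOLD` are illustrative values, not recommendations.

```python
"""Weight bad DNS into a spam score instead of rejecting outright.

Added example (not from the list message, not MimeDefang's code). The DNS
records below are constructed, hypothetical data so the script runs offline.
"""
import ipaddress


class FakeResolver:
    """Stand-in for real PTR/A/MX lookups, using constructed records."""
    PTR = {
        "192.0.2.10": "mail.example.net",      # PTR whose A record confirms it
        "192.0.2.20": "dyn-20.isp.example",    # PTR whose A record points elsewhere
    }
    A = {
        "mail.example.net": ["192.0.2.10"],
        "dyn-20.isp.example": ["198.51.100.7"],
        "mx.bogus.example": ["127.0.0.1"],     # the "MX pointing to 127.0.0.1" case
    }
    MX = {
        "example.net": ["mail.example.net"],
        "bogus.example": ["mx.bogus.example"],
        "nomx.example": [],                    # domain with neither MX nor A
    }

    def ptr(self, ip):
        return self.PTR.get(ip)

    def a(self, name):
        return self.A.get(name, [])

    def mx(self, domain):
        return self.MX.get(domain, [])


# Illustrative weights (assumption, tune for your site); none rejects by itself.
WEIGHTS = {
    "no_rdns": 2.0,
    "rdns_not_confirmed": 1.5,
    "domain_unresolvable": 1.0,
    "mx_bogus": 3.0,
}
TAG_THRESHOLD = 3.0


def _bogus_target(addr):
    """True for addresses no legitimate MX should resolve to (loopback etc.)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an address literal; nothing to judge
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_multicast


def score_connection(client_ip, sender_domain, resolver):
    """Return (score, reasons) for one SMTP client / envelope-sender pair."""
    score, reasons = 0.0, []

    name = resolver.ptr(client_ip)
    if name is None:
        score += WEIGHTS["no_rdns"]
        reasons.append("no reverse DNS for %s" % client_ip)
    elif client_ip not in resolver.a(name):
        # Forward-confirmed rDNS: the PTR name must resolve back to the client.
        score += WEIGHTS["rdns_not_confirmed"]
        reasons.append("PTR %s does not resolve back to %s" % (name, client_ip))

    mx_hosts = resolver.mx(sender_domain)
    if not mx_hosts and not resolver.a(sender_domain):
        # No MX and no A record: the domain cannot receive mail at all.
        score += WEIGHTS["domain_unresolvable"]
        reasons.append("sender domain %s has no MX or A record" % sender_domain)

    for host in mx_hosts:
        # An MX may be a name (look up its A records) or, wrongly, an IP literal.
        targets = resolver.a(host) or [host]
        if any(_bogus_target(t) for t in targets):
            score += WEIGHTS["mx_bogus"]
            reasons.append("MX %s for %s resolves to a bogus address" % (host, sender_domain))
            break

    return score, reasons


def verdict(score):
    """Only tag; leave the final accept/reject policy to the operator."""
    return "tag" if score >= TAG_THRESHOLD else "accept"


if __name__ == "__main__":
    r = FakeResolver()
    for ip, dom in [("192.0.2.10", "example.net"), ("203.0.113.5", "example.net"),
                    ("192.0.2.20", "bogus.example"), ("203.0.113.5", "nomx.example")]:
        s, why = score_connection(ip, dom, r)
        print(ip, dom, s, verdict(s), why)
```

Note that a single missing PTR (2.0 here) stays below the tag threshold on its own, which is the whole point of the advice: collateral damage comes from treating one weak signal as a rejection criterion.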
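The SASL log diagnosis from the reply (CRAM-MD5 advertised with no sasldb2 secrets, then a fallback to PLAIN over STARTTLS), written as an added log-audit script that is not part of the message. It parses the sendmail[5896] lines quoted above and flags, per session: a shared-secret mechanism (CRAM-MD5 / DIGEST-MD5) advertised while the failure says "no secret in database", ANONYMOUS being offered, and a PLAIN or LOGIN authentication with or without a preceding STARTTLS. The second session (pid 6001) is constructed, not from the post, so the cleartext-without-TLS case is exercised. The remediation text in the finding assumes the usual Cyrus SASL approach of restricting `mech_list` in the sendmail SASL config or populating sasldb2; the message itself only states the mismatch.

```python
"""Audit sendmail SASL/STARTTLS log lines for mechanism misconfiguration.

Added example, not from the list message. Session 5896 is quoted from the
post; session 6001 is constructed to show PLAIN/LOGIN with no STARTTLS.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Sep 27 12:29:30 mail sendmail[5896]: NOQUEUE: connect from [192.168.1.5]
Sep 27 12:29:30 mail sendmail[5896]: AUTH: available mech=DIGEST-MD5 ANONYMOUS CRAM-MD5, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Sep 27 12:29:30 mail sendmail[5896]: STARTTLS=server, relay=[192.168.1.5], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 27 12:29:31 mail sendmail[5896]: j8RITUIw005896: AUTH failure (CRAM-MD5): user not found (-20) SASL(-13): user not found: no secret in database
Sep 27 12:29:31 mail sendmail[5896]: AUTH=server, relay=[192.168.1.5], authid=philipp, mech=PLAIN, bits=0
Sep 27 12:40:02 mail sendmail[6001]: NOQUEUE: connect from [192.168.1.7]
Sep 27 12:40:02 mail sendmail[6001]: AUTH: available mech=LOGIN PLAIN, allowed mech=LOGIN PLAIN
Sep 27 12:40:03 mail sendmail[6001]: AUTH=server, relay=[192.168.1.7], authid=guest, mech=LOGIN, bits=0
"""

# syslog prefix: "Mon DD HH:MM:SS host sendmail[pid]: message"
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ sendmail\[(\d+)\]: (.*)$")
AVAIL_PREFIX = "AUTH: available mech="
SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5"}  # need a shared secret in sasldb2
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}       # send the password itself


def audit_sasl_log(text):
    """Return {pid: [finding, ...]} for each sendmail session in the log."""
    sessions = defaultdict(lambda: {"available": set(), "tls": False,
                                    "no_secret": False, "final": None})
    order = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        if pid not in order:
            order.append(pid)
        s = sessions[pid]
        if msg.startswith(AVAIL_PREFIX):
            # "available mech=A B C, allowed mech=..." -> take the first list
            s["available"].update(msg[len(AVAIL_PREFIX):].split(",")[0].split())
        elif msg.startswith("STARTTLS=server"):
            s["tls"] = True
        elif "AUTH failure" in msg and "no secret in database" in msg:
            s["no_secret"] = True
        elif msg.startswith("AUTH=server"):
            mm = re.search(r"mech=([A-Z0-9-]+)", msg)
            s["final"] = mm.group(1) if mm else None

    findings = {}
    for pid in order:
        s = sessions[pid]
        f = []
        offered_secret = s["available"] & SECRET_MECHS
        if offered_secret and s["no_secret"]:
            f.append("advertised %s but sasldb2 has no secret; restrict mech_list "
                     "or populate sasldb2" % " ".join(sorted(offered_secret)))
        if "ANONYMOUS" in s["available"]:
            f.append("ANONYMOUS mechanism advertised")
        if s["final"] in CLEARTEXT_MECHS:
            tls_note = "over STARTTLS (acceptable)" if s["tls"] \
                else "WITHOUT STARTTLS (credentials in clear)"
            f.append("%s %s" % (s["final"], tls_note))
        findings[pid] = f
    return findings


if __name__ == "__main__":
    for pid, f in audit_sasl_log(SAMPLE_LOG).items():
        print(pid, f)
```

Keying on the process id works because sendmail logs one daemon child per SMTP connection; on a busy server you would also bound the match by timestamp, since pids are reused.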