|
reading posted:I have been trying to get email running from a Beaglebone on my residential Comcast 'net and it has been impossible so far. Very frustrating, even when I tried to use port 587 which apparently Comcast considers more secure.

When talking about email servers, there are basically two important interfaces:

* the MTA interface (Mail Transfer Agent), the part that talks to other mail servers (SMTP in port 25)
* the MUA interface (Mail User Agent), the part that talks to your email client (IMAP, mail submission in port 587, maybe port 25 too)

Possible problems on the MTA interface: If you have a home or small-business network connection, it is typical that your outgoing email can only be sent to your Internet Service Provider's mail server: your MTA cannot have unrestricted connections to any other MTA in the world. This is to allow ISPs to detect and block the systems that have been infected by email-spamming malware. In this case, you'll need what is known as "smarthost" configuration: your MTA must send all outgoing messages whose destination is not anywhere on your local network to the ISP's mail server. Some ISPs simply accept all outgoing mail that comes from their customers' IP addresses, others will require authentication when sending email. Whenever authentication is used, encryption is usually a requirement too: sending usernames and passwords unencrypted over the network is simply stupid.

Incoming email requires that your email server has a valid DNS name (forward and reverse DNS lookups must agree). DNS is more than just assigning names to IP addresses: MX records and SPF records are DNS things that an email server admin must know about. Your email server must also be connectable by other email servers: on home/small-business Internet connections, the common assumption is that an average customer won't want to run his/her own email server. Some service agreements even prohibit running services at all. Others might require you to do something to enable incoming connections (= basically, prove that you read or at least browsed through the instructions provided by the ISP).

As long as you provide the MUA interface for your private network only, the MUA interface is nobody's business but yours. Go hog wild. But if you want to, for example, allow your smartphone to access your mail server without starting a VPN first even when you aren't within reach of your home WLAN, you'll need to make the MUA interface Internet-accessible too. If you plan to do this, be very very careful: make sure you use encryption, or at the very least, use authentication methods that won't send your password in plaintext. Whatever you do, *don't* allow sending outgoing mail from the Internet without authentication: various worms and other malware are constantly scanning the internet for servers that would allow this.
|
# ? Nov 3, 2014 16:41 |
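One way to check a box for the three MTA pitfalls the post above describes (no smarthost, smarthost credentials without TLS, relaying for unauthenticated Internet clients), as an added example that is not part of the thread: a small Python linter for Postfix main.cf. The parameter names are Postfix's own; the hostname, network ranges and both sample configs are constructed.

```python
"""Check a Postfix main.cf for the MTA pitfalls described above: no smarthost on a
residential link, smarthost credentials without mandatory TLS, and relaying for
unauthenticated Internet clients. Added example (not from the thread); constructed configs."""
import re

def parse_main_cf(text):
    """'key = value' lines, '#' comments, indented continuation lines appended to the last value."""
    cfg, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last:                 # continuation line
            cfg[last] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        cfg[last] = value.strip()
    return cfg

def _tokens(cfg, key):
    return [t for t in re.split(r"[,\s]+", cfg.get(key, "")) if t]

def lint(cfg, residential=True):
    """Return a list of findings; an empty list means the checks pass."""
    findings = []
    if residential and not cfg.get("relayhost"):
        findings.append("relayhost unset: residential ISPs block direct port-25 delivery, use a smarthost")
    # The smarthost password must only travel under TLS: 'encrypt' or a stricter level.
    tls = cfg.get("smtp_tls_security_level", "none")
    if cfg.get("smtp_sasl_auth_enable") == "yes" and tls not in ("encrypt", "secure", "verify", "dane-only", "fingerprint"):
        findings.append("smtp_sasl_auth_enable=yes with smtp_tls_security_level=%s: password may go out in plaintext" % tls)
    if "0.0.0.0/0" in _tokens(cfg, "mynetworks"):
        findings.append("mynetworks contains 0.0.0.0/0: permit_mynetworks admits the whole Internet")
    # Postfix 2.10+ decides relaying in smtpd_relay_restrictions (older: smtpd_recipient_restrictions);
    # rules apply left to right and the first permit/reject that matches wins.
    rules = _tokens(cfg, "smtpd_relay_restrictions") or _tokens(cfg, "smtpd_recipient_restrictions")
    for rule in rules:
        if rule in ("reject_unauth_destination", "defer_unauth_destination", "reject"):
            break                                    # strangers cannot relay past this point
        if rule == "permit":
            findings.append("'permit' precedes reject_unauth_destination: open relay")
            break
    else:
        findings.append("relay restrictions never reject_unauth_destination: open relay")
    return findings
# Constructed: no smarthost, credentials allowed over plaintext, and "my network" is the whole Internet.
WEAK_CF = """\
smtp_sasl_auth_enable = yes
smtp_tls_security_level = may
mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""
# Constructed: ISP smarthost on the submission port, SASL only under TLS, relay for LAN or authenticated.
FIXED_CF = """\
relayhost = [smtp.isp.example]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_security_level = encrypt
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    defer_unauth_destination
"""
```

Run `lint(parse_main_cf(open("/etc/postfix/main.cf").read()))` on a live box; the residential flag only controls the relayhost check.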
|
|
Odette posted:when I try to set up postfix/dovecot? Just install the software stack. https://www.iredmail.org
|
# ? Nov 3, 2014 17:22 |
|
I've got ZFS On Linux running, and I've got services that use the ZFS dataset, but I don't know how to get them to not start until the ZFS file system is actually mounted. I think I need to add the name of the zfs service (zfs-mount) to the Required-Start line on the services that I want to not start until ZFS is mounted. Is there anything else I need to do once I've modified the init file? Or is there a better way (make ZFS mount earlier in the boot process?). It's already set to start before everything else, but it must take long enough that it's still starting by the time my other services start.
|
# ? Nov 5, 2014 09:11 |
|
FISHMANPET posted:I've got ZFS On Linux running, and I've got services that use the ZFS dataset, but I don't know how to get them to not start until the ZFS file system is actually mounted. I think I need to add the name of the zfs service (zfs-mount) to the Required-Start line on the services that I want to not start until ZFS is mounted. Is there anything else I need to do once I've modified the init file? Or is there a better way (make ZFS mount earlier in the boot process?). It's already set to start before everything else, but it must take long enough that it's still starting by the time my other services start. On what distro? You should wait for the mountpoint. Systemd can handle this gracefully. With sysvinit, you can use required-start. Or just restart the services in rc.local
|
# ? Nov 5, 2014 15:18 |
|
I'm using Ubuntu 14.04, which uses upstart maybe? The reason it's a problem is that crashplan starts while ZFS is still mounting, sees that its configured directory isn't there (/storage/crashplan) and creates crashplan in /storage. Then ZFS finally gets around to mounting the storage dataset at /storage, sees that it's not empty, and fails. Then my other computers happily back up to crashplan, which fills my root partition. To fix it I have to stop the crashplan service, delete the folder, mount the zfs dataset, then restart the crashplan service.
|
# ? Nov 5, 2014 18:26 |
|
FISHMANPET posted:I'm using Ubuntu 14.04, which uses upstart maybe? With upstart you can use the 'mounted' event. code:
|
# ? Nov 5, 2014 18:53 |
|
Both ZFS and crashplan are in /etc/init.d, not /etc/init, so even though the system is using Upstart, it appears crashplan and zfs are both regular old init scripts. Crashplan depends on $local_fs and $remote_fs, but maybe those are defined in some weird way, because "mountall" mounts the zfs directory, but it doesn't get mounted before crashplan starts.
|
# ? Nov 5, 2014 20:07 |
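The "wait for the mountpoint" advice above, as an added example that is not from the thread: a Python pre-start guard that refuses to let a service run until its data directory is really the ZFS mount, so the daemon cannot create its directory on the root partition first. The /storage path and the sample /proc/mounts lines are constructed; the mounts-reader is injectable so the logic can be exercised offline.

```python
"""Gate a service on its data directory really being the ZFS mount, so a daemon
cannot create /storage/crashplan on the root partition while ZFS is still
mounting (the failure described above). Added example, not from the thread;
reads /proc/mounts, or any text in that format, and polls until the mount shows up."""
import sys
import time

def mount_type(path, mounts_text):
    """Filesystem type mounted exactly at path, or None. mounts_text is the body of
    /proc/mounts: 'device mountpoint fstype options dump pass' per line (spaces in
    a mountpoint are escaped there as \\040, so compare the escaped form)."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == path:
            return fields[2]
    return None

def wait_for_mount(path, fstype="zfs", timeout=120.0, interval=1.0, read_mounts=None):
    """Block until path is a mount of type fstype; True on success, False on timeout.
    read_mounts is injectable so the check can be tested without a live system."""
    read = read_mounts or (lambda: open("/proc/mounts").read())
    deadline = time.monotonic() + timeout
    while True:
        if mount_type(path, read()) == fstype:
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)

if __name__ == "__main__":
    # Pre-start hook: a non-zero exit keeps the service (and its stray directory) from starting.
    target = sys.argv[1] if len(sys.argv) > 1 else "/storage"
    sys.exit(0 if wait_for_mount(target) else 1)
```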
|
Crossposting from the virtualization megathread because this is niche enough where it would probably get a bite in here: I have a need to stuff like 6 or 8 GPUs in a server and share them out to VMs, where they'll both be used for video and OpenCL/CUDA tasks. Is the GPU passthrough stuff in KVM or Xen mature enough to handle this use case, and if so, which one is likely to be better at it?
|
# ? Nov 5, 2014 20:47 |
|
Misogynist posted:Crossposting from the virtualization megathread because this is niche enough where it would probably get a bite in here: Without first hand experience I'm gonna guess you're gonna have better luck with xen. Possibly even xen server itself. Amazon has done some interesting stuff with their gpu stuff under xen.
|
# ? Nov 5, 2014 22:45 |
|
jaegerx posted:Without first hand experience I'm gonna guess you're gonna have better luck with xen. Possibly even xen server itself. Amazon has done some interesting stuff with their gpu stuff under xen. pcistub and passthrough work basically the same with either. Amazon is using basically the same stuff as everyone else running passthrough on Xen on Linux. It's not anything Xen specific. It's more that the GRID devices currently show up with multiple PCI IDs on one card, and passing them through individually is finicky and error-prone (which is why it isn't mainline yet). XenServer (or Xen Cloud Platform) actually supports vGPUs completely. But then it's not plain Linux.
|
# ? Nov 5, 2014 23:15 |
|
evol262 posted:
|
# ? Nov 6, 2014 01:55 |
|
Nystral posted:Is this like saying Oracle Linux or RHEL is not plain Linux or is there something deeper going on here? Can you explain? Xenserver is really its own platform. Think like esx. While it's Linux-like, it's not like you can admin it like a Linux server. You have to do things the xenserver way. You wouldn't treat a VMware server the same as you treat a RHEL server. Same goes for xenserver.
|
# ? Nov 6, 2014 02:13 |
|
Linux Question: does Linux fully support sound or wi-fi yet?
|
# ? Nov 6, 2014 06:21 |
|
Last Chance posted:Linux Question: does Linux fully support sound or wi-fi yet? No Linux is bad. yospos bithc lol But yeah you'll have to be more specific.
|
# ? Nov 6, 2014 06:24 |
|
Last Chance posted:Linux Question: does Linux fully support sound or wi-fi yet? There was a huge hissyfit a few years ago about PulseAudio, which is a sort-of replacement sort-of enhancement for alsa. Which was a sort-of compatible replacement for oss. So yes, sound has worked for a long time. WiFi, too, though a lot of WiFi (especially USB) ends up being like the winprinters of olde and doing everything in firmware that, if it gets ported at all, may only work on some kernel versions. But it also works reliably. Especially atheros, Intel, and even most broadcoms these days. Avoid realtek. You'll still have to be more specific about what actual hardware you're asking about. And what you mean by "fully support". Less loaded questions, please.
|
# ? Nov 6, 2014 06:41 |
|
I need a way to authenticate and run a service on RHEL multiple times as an Active Directory user without having to store passwords, ideally using PAM. I've tried pam_winbind and pam_ldap, but both require plaintext passwords. Looking at pam_krb5, but it doesn't seem to handle sessions like I hoped. SSSD does sessions, but the documentation wants UNIX services installed on the AD server which isn't acceptable as we have no control over these domains other than having a user account. Suggestions? e: pam_tcb? I saw it mentioned but haven't read the docs yet Pedestrian Xing fucked around with this message at 07:45 on Nov 6, 2014 |
# ? Nov 6, 2014 07:41 |
|
I'm looking at migrating from Spacewalk to Katello. Anyone have any experience with it? Should I just stick to Spacewalk until it matures a bit? The Katello user documents look really thin. Am I really going to have to learn 4 different services to get it working?
|
# ? Nov 6, 2014 14:57 |
|
Griffon posted:I'm looking at migrating from Spacewalk to Katello. Anyone have any experience with it? Should I just stick to Spacewalk until it matures a bit? The Katello user documents look really thin. Am I really going to have to learn 4 different services to get it working? No. Katello ties them together with a web ui. Spacewalk/satellite is going the way of the dodo. Katello is the future. Spacewalk is about as mature as it's going to be. Katello's also much nicer to work with. Pedestrian Xing posted:I need a way to authenticate and run a service on RHEL multiple times as an Active Directory user without having to store passwords, ideally using PAM. I've tried pam_winbind and pam_ldap, but both require plaintext passwords. Looking at pam_krb5, but it doesn't seem to handle sessions like I hoped. SSSD does sessions, but the documentation wants UNIX services installed on the AD server which isn't acceptable as we have no control over these domains other than having a user account. Suggestions? How are you authenticating? Interactive session or script? How are you hoping session handling works?
|
# ? Nov 6, 2014 15:02 |
|
evol262 posted:
I should have been more specific. Login would be done programmatically using username /password entered elsewhere in the application. We need to be able to make multiple database connections across several processes as a single user while only having to actually authenticate once per session. We can use PAM for Auth. I've seen solutions for offline credential caching but they're kind of the reverse of what I'm looking for - instead of "attempt login via kerberos/ldap, use cached creds if unavailable", we need "attempt to use cached creds less than X hours old, login to get new creds otherwise". I'm figuring I'll have to write something to handle it at this point, likely based on a custom PAM module in Perl/Python and an Apache Shiro webservice.
|
# ? Nov 6, 2014 15:20 |
|
I'm p sure sssd caches credentials to some degree because i ran into issues with it doing exactly that when switching to rhel 6 many moons and 2 jobs ago.
|
# ? Nov 6, 2014 15:28 |
|
Pedestrian Xing posted:I should have been more specific. Login would be done programmatically using username /password entered elsewhere in the application. We need to be able to make multiple database connections across several processes as a single user while only having to actually authenticate once per session. We can use PAM for Auth. I've seen solutions for offline credential caching but they're kind of the reverse of what I'm looking for - instead of "attempt login via kerberos/ldap, use cached creds if unavailable", we need "attempt to use cached creds less than X hours old, login to get new creds otherwise". I'm figuring I'll have to write something to handle it at this point, likely based on a custom PAM module in Perl/Python and an Apache Shiro webservice. Offline credential caching is so you can still auth if you can't reach the directory server. It is not a way to "save" logons ala cookies or whatever. sssd does indeed cache credentials. But what you're describing is "get kerberos ticket when user logs in, log into server with forwardable ticket, use forwardable ticket to authenticate your database connections". You'll get prompted (or have it automatically renew, depending on how AD/whatever is configured) for renewal when it expires. This is exactly the use case kerberos is intended to solve. Don't reinvent the wheel.
|
# ? Nov 6, 2014 17:15 |
|
evol262 posted:Offline credential caching is so you can still auth if you can't reach the directory server. It is not a way to "save" logons ala cookies or whatever. Thanks, that helps. I probably need to try more krb5 options. I usually work with LDAP on Windows instead of directly with kerberos on Linux so this is new stuff to me.
|
# ? Nov 6, 2014 18:45 |
|
Hello people! I'm following this guide and I'm having similar issues with installing SpamAssassin & ClamAV. Seems that sudo doesn't really work. SpamAssassin: code:
code:
|
# ? Nov 8, 2014 22:30 |
|
Odette posted:sudo service spamassassin restart && service spamass-milter restart

That runs the first "service" command as root but not the second, hence the permissions errors.
|
# ? Nov 8, 2014 23:54 |
|
covener posted:That runs the first "service" command as root but not the second, hence the permissions errors. Oh bloody hell, I'm an absolute retard. Thanks for pointing that out. Unfortunately, I have a terrible ISP and I can't seem to access any European sites at the moment (where my VPS is located), so I'll try that later.
|
# ? Nov 9, 2014 00:02 |
|
Another question: I seem to have postfix/dovecot up and running, but I can't connect to my mail server via SMTP/IMAP. Is there a way that I can test the mail server? Here's my iptables config: code:
|
# ? Nov 9, 2014 02:08 |
|
Odette posted:Another question: I seem to have postfix/dovecot up and running, but I can't connect to my mail server via SMTP/IMAP. Is there a way that I can test the mail server? There's a lot of things that can go wrong or be misconfigured so the best way to test is using telnet. This is a good start http://wiki2.dovecot.org/TestInstallation Just include telnet in your google searches if you need SMTP or whatever and there are plenty of good sites that walk you through it. Can't seem to find the specific one I used years ago.
|
# ? Nov 9, 2014 02:58 |
|
Trying to update FocusWriter to its latest version on Ubuntu. How exactly do I do that?
|
# ? Nov 9, 2014 18:18 |
|
Liam Emsa posted:Trying to update FocusWriter to its latest version on Ubuntu.

What part of the instructions linked to on that page are unclear to you? The steps are simple:

1. enable the PPA on your system
2. apt-get update
3. apt-get install focuswriter
|
# ? Nov 9, 2014 18:39 |
|
Thanks, so, "install" will do the same thing as update a program I already have installed?
|
# ? Nov 9, 2014 19:03 |
|
if you do apt-get upgrade instead of install it should pull in the newer versions of anything you have already installed, but you need to do the other 2 steps first.
|
# ? Nov 9, 2014 19:04 |
|
Install worked perfectly. Sorry I was so boneheaded on that. You're right, it was pretty simple. I just saw all the different versions on that page and thought I had to unpack and install a tar or something.
|
# ? Nov 9, 2014 19:15 |
|
dovecot: imap-login: Fatal: Can't load private ssl_key: Key is for a different cert than ssl_cert I have these certs: AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt mail.domain.com.crt and server.key server.crt How can I combine them into the correct cert files for dovecot and postfix?
|
# ? Nov 9, 2014 19:29 |
|
First of all those certificates are usually DER encoded, and you need PEM encoded. To convert them you can use openssl in the following way:

openssl x509 -inform DER -in certificate.crt -out certificate.pem

Do this for all your .crt files. Secondly, if you read this page: http://wiki2.dovecot.org/SSL/DovecotConfiguration it tells you this:

quote:Chained SSL certificates

So that's what you need to do. You put all your converted-to-PEM certificates into one file using cat.

cat mail.domain.com.pem COMODORSADomainValidationSecureServerCA.pem COMODORSAAddTrustCA.pem AddTrustExternalCARoot.pem > certificate_chain.pem

certificate_chain.pem is just a name I made up, you can name it whatever, just specify it in the configs. Now, I assume the list of certificates you gave is in the correct order, it looked sane to me but if it wasn't then you need to fiddle with that. The trick is to get them bottom-up. So your own certificate first, then the certificate that signed your certificate, then the one that signed that one, then the one above that etc. all the way to the root CA certificate. Lastly, remember to set the permissions properly, you don't want anyone loving with your certificates! The page I linked tells you what to use. spankmeister fucked around with this message at 20:01 on Nov 9, 2014 |
# ? Nov 9, 2014 19:58 |
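The bottom-up ordering described above (own certificate, then its signer, up to the root), as an added example that is not from the thread: a stdlib-only Python script that takes the four .crt files in any order, in DER or PEM, and emits the chained file in the order Dovecot expects. The `fake_cert` helper and its CA names are constructed test fixtures with the real tbsCertificate field layout, not valid certificates; `ssl.PEM_cert_to_DER_cert` and `ssl.DER_cert_to_PEM_cert` are the standard library's.

```python
"""Assemble the leaf-first chain file Dovecot and Postfix expect from .crt files
in any order and in either PEM or DER encoding. Added example, not from the thread,
stdlib only: it walks just enough DER to read issuer and subject Names as raw bytes."""
import re
import ssl
_PEM = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """(tag, value_start, value_end) of the DER element at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def subject_issuer(der):
    """Raw DER Name blobs (subject, issuer) of one certificate."""
    _, pos, _ = _tlv(der, 0)                         # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                       # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(der, pos)                     # [0] version if present, else serial
    if tag == 0xA0:
        _, _, pos = _tlv(der, pos)                   # serialNumber
    _, _, pos = _tlv(der, pos)                       # signature AlgorithmIdentifier
    start = pos; _, _, pos = _tlv(der, pos); issuer = der[start:pos]
    _, _, pos = _tlv(der, pos)                       # validity
    start = pos; _, _, pos = _tlv(der, pos)          # subject Name
    return der[start:pos], issuer

def load_certs(blob):
    """Every PEM block in a file body, or the body itself as one DER cert."""
    if b"-----BEGIN CERTIFICATE-----" in blob:
        return [ssl.PEM_cert_to_DER_cert(m.group(0).decode()) for m in _PEM.finditer(blob)]
    return [blob]

def order_chain(ders):
    """Own cert first, then each signer, ending at the self-signed root (or where the chain breaks)."""
    names = {d: subject_issuer(d) for d in ders}
    signers = {iss for subj, iss in names.values() if subj != iss}
    leaves = [d for d, (subj, _) in names.items() if subj not in signers]
    if len(leaves) != 1: raise ValueError("expected exactly one end-entity certificate, found %d" % len(leaves))
    by_subject = {subj: d for d, (subj, _) in names.items()}
    chain, cur = [], leaves[0]
    while cur not in chain:
        chain.append(cur)
        subj, iss = names[cur]
        if iss == subj or iss not in by_subject:     # root reached, or root not supplied
            break
        cur = by_subject[iss]
    return chain

def chain_pem(files):
    """files: raw .crt bodies (PEM or DER, any order) -> text for certificate_chain.pem."""
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in order_chain([c for f in files for c in load_certs(f)]))
def fake_cert(subject, issuer):
    """Constructed stand-in with the real tbsCertificate field order; not a valid certificate."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body        # short-form lengths only
    name = lambda s: tlv(0x30, tlv(0x13, s))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") + name(issuer) + tlv(0x30, b"") + name(subject))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

With real files: `open("certificate_chain.pem", "w").write(chain_pem([open(p, "rb").read() for p in paths]))`, then point ssl_cert at that file and keep ssl_key as the matching server.key.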
|
spankmeister posted:The steps are simple: 1. enable the PPA on your system 2. apt-get update 3. apt-get install focuswriter Also last night I saw a game advertised on TV that boasted availability for Windows, Mac and Linux. Can't remember what game it was but it was the first TV ad I've ever heard that's mentioned Linux compatibility, which is cool.
|
# ? Nov 9, 2014 20:44 |
|
Personal Package Archive
|
# ? Nov 9, 2014 20:47 |
|
I seem to be able to receive messages, but I can't send anything from Thunderbird. I get this when trying to send a test email to my Gmail account: An error occurred while sending mail. The mail server responded: 5.7.1 Client host rejected: cannot find your hostname, [$remoteIP]. Please check the message recipient email@email.com and try again. EDIT: I can send mail via telnet, but not via remote SMTP? EDIT2: I found out that Postscreen is rejecting SMTP requests due to reverse DNS not resolving back to IP address. (I found out via WiFi not working, but mobile data working) Not sure how to disable this postscreen check, actually. Odette fucked around with this message at 21:48 on Nov 9, 2014 |
# ? Nov 9, 2014 20:50 |
|
Odette posted:I seem to be able to receive messages, but I can't send anything from Thunderbird. Is that response from gmail to your vps or postfix to your client?
|
# ? Nov 9, 2014 21:36 |
|
evol262 posted:Is that response from gmail to your vps or postfix to your client? From Postfix to my client, I updated the above post. Log file: code:
code:
Had to enable SASL Authentication within master.cf. Odette fucked around with this message at 23:16 on Nov 9, 2014 |
# ? Nov 9, 2014 21:50 |
|
|
I'm connecting to a Linux server via xRDP using Windows Remote Desktop, the default option in the connection window is sesman-xvnc, so does that mean I'm connecting via the VNC Protocol? In that case should I just use a regular VNC client? I originally wanted xRDP because I was under the impression that RDP is more bandwidth efficient than VNC, but xRDP opens up a new desktop session every time I connect from Windows Remote Desktop, so if it's using a VNC protocol, I should just fall back to a regular VNC client right?
|
# ? Nov 10, 2014 08:00 |