Thursday, 16 August 2012

RHEL: Linux Bond / Multiple Network Interfaces (NIC) Into a Single Interface

RHEL: Linux Bond / Multiple Network Interfaces (NIC) Into a Single Interface

Bonding is nothing but Linux kernel feature that allows to aggregate multiple like interfaces (such as eth0, eth1) into a single virtual link such as bond0. The idea is pretty simple get higher data rates and as well as link failover.
We will configure here bond0 virtual link on eth0 and eth1 NIC Cards on RHEL5.8 Server. It will also work on latest RHEL 6 version.
Bonding is mainly kernel feature of RHEL server which provides this functionality of load balancing and redundancy of link. The Bonding driver should be installed on server before configuring multiple NIC cards into a single bond virtual link.

Step #1: Create a Bond0 Configuration File

Red Hat Enterprise Linux (and its clone such as Cent OS) stores network configuration in /etc/sysconfig/network-scripts/ directory. First, you need to create a bond0 configuration file as follows:
# vi /etc/sysconfig/network-scripts/ifcfg-bond0
Append the following lines:

DEVICE=bond0
IPADDR=10.0.1.67
NETWORK=10.0.0.0
NETMASK=255.255.252.0
USERCTL=no
BOOTPROTO=none
ONBOOT=yes

 You need to replace IP address with your actual setup. Save and close the file.

Step #2: Modify eth0 and eth1 config files

Open both configuration using a text editor such as vi/vim, and make sure file read as follows for eth0 interface
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
Modify/append directive as follows:

DEVICE=eth0
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none

Open eth1 configuration file using vi text editor, enter:
# vi /etc/sysconfig/network-scripts/ifcfg-eth1
Make sure file read as follows for eth1 interface:


DEVICE=eth1
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none



Save and close the file.

Step # 3: Load bond driver/module

Make sure bonding module is loaded when the channel-bonding interface (bond0) is brought up. You need to modify kernel modules configuration file:
# vi /etc/modprobe.conf
Append following two lines:

alias bond0 bonding
options bond0 mode=balance-alb miimon=100


Save file and exit to shell prompt.

Step # 4: Test configuration

First, load the bonding module, enter:
# modprobe bonding
Restart the networking service in order to bring up bond0 interface, enter:
# service network restart
Make sure everything is working. Type the following cat command to query the current status of Linux kernel bounding driver, enter:

# cat /proc/net/bonding/bond0

Sample outputs:
Bonding Mode: adaptive load balancing
Primary Slave: None
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 10:1f:74:2f:8c:8c

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0

To list all network interfaces, Enter:
# ifconfig

Sample outputs:

bond0     Link encap:Ethernet  HWaddr 10:1F:74:2F:8C:8C
          inet addr:10.0.1.67  Bcast:10.0.15.255  Mask:255.255.240.0
          inet6 addr: 2002:dc9c:bfcf:5:121f:74ff:fe2f:8c8c/64 Scope:Global
          inet6 addr: fec0::5:121f:74ff:fe2f:8c8c/64 Scope:Site
          inet6 addr: fec0::a:121f:74ff:fe2f:8c8c/64 Scope:Site
          inet6 addr: 2002:dc9c:bfca:a:121f:74ff:fe2f:8c8c/64 Scope:Global
          inet6 addr: fe80::121f:74ff:fe2f:8c8c/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:4123683 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1658279 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2050975191 (1.9 GiB)  TX bytes:555880972 (530.1 MiB)

eth0      Link encap:Ethernet  HWaddr 10:1F:74:2F:8C:8E
          UP BROADCAST SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:162 Memory:f4000000-f4012800

eth1      Link encap:Ethernet  HWaddr 10:1F:74:2F:8C:8C
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:4123683 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1658279 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2050975191 (1.9 GiB)  TX bytes:555880972 (530.1 MiB)
          Interrupt:170 Memory:f2000000-f2012800

__________________________________________________________________________________

Tuesday, 7 August 2012

Post Installation Checklist of Qmail Server Part-2


Post Installation Checklist of Qmail Server Part-2


1.     Test IMAP: IMAP connection can be tested by following command.

telnet 10.0.0.99 143

* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc.  See COPYING for distribution information.
a001 login jitendrakumar password
a001 OK LOGIN Ok.
a001 logout
* BYE Courier-IMAP server shutting down
a001 OK LOGOUT completed

2.     Test IMAPS Service: Test your new server's IMAP-SSL service by running following command.


[root@mail html]# openssl s_client -connect localhost:993 -quiet
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
verify return:1
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc.  See COPYING for distribution information.
a001 login jitendrakumar password
a001 OK LOGIN Ok.
a001 logout
* BYE Courier-IMAP server shutting down
a001 OK LOGOUT completed

3.     Test POP-SSL Service: Test your new server's POP-SSL service by running following command.

[root@mail html]# openssl s_client -connect localhost:995 -quiet
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3 SSL key/CN=localhost/emailAddress=postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3 SSL key/CN=localhost/emailAddress=postmaster@example.com
verify return:1
+OK Hello there.
user jitendrakumar
+OK Password required.
pass password
+OK logged in.
quit
+OK Bye-bye.

4.     Qmail-Admin (Qmailadmin) Check List

A.    Email Accounts:-
a.     Check User is created successfully.
b.    Password with minimum 8 characters with 2 special characters.
c.     User quota is updating or not.
d.    Check forwarding is working fine.

B.    Forwarding
                        Check Forwarding is working fine. Check local and remote Mail ID forward.

C.    Mail Robot
                        Check Mail robot is working fine.

D.    Mailing List
a.     Check weather new mailing list is successfully created or not.
b.    Check moderator is receiving the accept/reject mail, when a user send mail to mailing list ID.
c.     Mail received by moderator, check accept and reject links are working fine.
d.    Check Add, Delete, Show Subscriber and Add, Delete, Show Moderators radio buttons are working fine in new created mailing list or exiting mailing list. 



Monday, 6 August 2012

Post Installation Checklist of Qmail Server Part-1

Post Installation Checklist of Qmail Server Part 1

1.     Check all qmail services running on server and their timestamp are same.

[root@mail ~]# qmailctl stat
/service/qmail-send: up (pid 6480) 10591 seconds
/service/qmail-send/log: up (pid 6482) 10591 seconds
/service/qmail-smtpd: up (pid 6474) 10591 seconds
/service/qmail-smtpd/log: up (pid 6479) 10591 seconds
/service/qmail-pop3d: up (pid 6475) 10591 seconds
/service/qmail-pop3d/log: up (pid 6471) 10591 seconds
/service/qmail2-send: up (pid 6476) 10591 seconds
/service/qmail2-send/log: up (pid 6472) 10591 seconds
/service/qmail2-smtpd: up (pid 6466) 10591 seconds
/service/qmail2-smtpd/log: up (pid 6467) 10591 seconds

2.     DNS Setup: Emails don’t work without properly configured domain names. So, it’s a good idea to configure the domain name (names) with proper MX records pointing to the new server before starting the installation of an email server. This can be done before the actual testing of email server but since it’s critical, just do it a step ahead.

3.     You need to create different scenarios for testing. The minimum testing scenario might look like this:

i) Test from local to local: send an email to local user using the same server. (From: localuser; To: localuser)
ii) Test from remote to local: send an email to newly created user using any outside server. (From: Gmail user; To: localuser)
iii) Test receiving emails: make sure you can receive both the email from test (i) and (ii).
iv) Test from local to remote: send an email using the local server to a remote server and make sure you can receive it in the remote server. (From: localuser; To: Gmail user)


1.     Check the logs: Check the server logs during test because they provide a very good view on what is happening e.g. the newly created user cannot login. You can see “password incorrect” in the log. Which will tell you that you are typing an incorrect password? Or “relay not allowed” meaning your SMTP auth is not working or the IP is not listed in “tcp.smtp” file. Server log is the first place we should be looking during first test even if we don’t see any obvious problems. We don’t want to discover any hidden silly problems after the system is put on production.

The main qmail log files:

/var/log/qmail/current
/var/log/qmail/smtpd/current
/var/log/qmail2/current
/var/log/qmail2/smtpd/current
/var/log/qmail/pop3d/current

2.     Check the Ports:

   Check the ports on mail server whether these are working on server.

[root@mail ~]# nmap localhost

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2011-12-30 13:53 IST
Interesting ports on localhost (127.0.0.1):
(The 1647 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
199/tcp open  smux
443/tcp open  https
631/tcp open  ipp
825/tcp open  unknown
953/tcp open  rndc
993/tcp open  imaps
995/tcp open  pop3s

6.     Test Courier-authlib: Check first if the created account is still there (without testing the authentification)

 [root@mail ~]# /home/vpopmail/bin/vuserinfo jitendrakumar@mydomain.in
name:   jitendrakumar
passwd: $1$6qh6nLgH$PjYHZzP/n/ofo9nyjNIQ2.
clear passwd: password
comment/gecos: Jitendra Kumar
uid:    1
gid:    0
flags:  0
gecos: Jitendra Kumar
limits: No user limits set.
dir:       /home/vpopmail/domains/mydomain.in/0/jitendrakumar
quota:     NOQUOTA
usage:     NOQUOTA
last auth: Tue Jan  3 13:39:51 2012
last auth ip: pop3

Test now the authentication process:

[root@mail ~]# /usr/local/src/courier-authlib-0.55/authtest jitendrakumar@mydomain.in
 Authentication succeeded.
 Authenticated: jitendrakumar@mydomain.in  (uid 507, gid 502)
 Home Directory: /home/vpopmail/domains/mydomain.in/0/jitendrakumar
           Maildir: (none)
           Quota: (none)
Encrypted Password: $1$6qh6nLgH$PjYHZzP/n/ofo9nyjNIQ2.
Cleartext Password: (none)
Options: disablewebmail=0,disablepop3=0,disableimap=0

This is the sign authlib is working well!

7.     SMTP authentication: The SMTP authentication system lets us identify the sender of any emails to you and helps us stop anonymous emails from getting through. It allows us to control spam and viruses sent through our outgoing mail servers and to protect your email service.

telnet 10.0.0.99 25
220 mail.mydomain.in ONLY SECURE MAIL ESMTP
EHLO TESTING
250-mail.mydomain.in ONLY SECURE MAIL
250-STARTTLS
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250-8BITMIME
250 SIZE 17000000

If you see the AUTH line, then your server is broadcasting that capability. Next, let's try connecting and authenticating. First, generate the Base64 string required.

[root@mail ~]# perl -MMIME::Base64 -e 'print encode_base64("\000jitendrakumar\@mydomain.in\000AAA")'
AGppdGVuZHJha3VtYXJAY2RhY25vaWRhLmluAEFBQQ==

Next, connect and issue the AUTH command to login:
telnet 10.0.0.99 25
220 mail.mydomain.in ONLY SECURE MAIL ESMTP
EHLO TESTING
250-mail.mydomain.in ONLY SECURE MAIL
250-STARTTLS
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250-8BITMIME
250 SIZE 17000000
AUTH PLAIN AGppdGVuZHJha3VtYXJAY2RhY25vaWRhLmluAEFBQQ==
235 ok, go ahead (#2.0.0)

If you see the 235 response, then your login has succeeded.


8.     Chkuser Testing: chkuser rejects messages if the MX record in the from field nonexistent. This is a rare case since spammers will try to use own domain in from field.

telnet 10.0.0.99 25
220 mail.mydomain.in ONLY SECURE MAIL ESMTP
mail from:jitendra@fake.com
511 sorry, can't find a valid MX for sender domain (#5.1.1 - chkuser)


9.     Password Management: The password policy should be implemented in qmail-admin package so that every user would forcefully change password of minimum 8 characters with two special characters.

10.     Default User and Domain Quota: The default quota of every domain user should be set by following command. ( set default user quota, '100M' = 100 MB )

[root@mail ~]# /home/vpopmail/bin/vmoddomlimits –q 100M

The Domain Quota can be set by following command. ((set domain disk quota, '100' = 100 MB))

[root@mail ~]# /home/vpopmail/bin/vmoddomlimits –Q 100
 


11.     Open Relay: There should be open relay to only localhost and other IPs should be blocked.

[root@mail bin]# cat /etc/tcp1.smtp
127.:allow,RELAYCLIENT="",RBLSMTPD=""
10.0.0.99:allow,RELAYCLIENT="",RBLSMTP=""
.:deny

12.     Test POP3: POP3 connection can be tested by following result.

telnet 10.0.0.99 110
+OK <19705.1325496378@mail.mydomain.in>
user jitendrakumar
+OK
pass password
+OK
quit
+OK