Anthony Lopez

“I’d rather see a sermon than hear one any day;”

Archive for the ‘RHCE’ Category

Things I find interesting in RedHat.

Setting up DKIMproxy

Posted by lopeza on August 21, 2009

One day I was asked to make our email deliverability more reliable. I found that Yahoo DomainKeys and DKIM were additional ways, besides SPF, to help with some email providers. I set up DK and DKIM milters and found that when sending bulk loads of email (100k+) the time it took to sign and send was well over 7 seconds per email. I am sure there are tweaks we could have made to the sending script to deal with this, but we just wanted something simple and easy to use. Later I decided to install DKIMproxy, which makes submitting email to a mail server easy and requires no scripting change. After testing I found that our email blasting was fast and our deliverability had gone up about 27%. We still maintain relationships with email providers to gain trust, but that too is an ever-changing process. Below I documented what I did to get DKIMproxy and Postfix configured on a RHEL 5 server. I believe it should be the same for CentOS 5 as well. Good luck on your setup!

Website – http://dkimproxy.sourceforge.net/

Installing DKIMproxy

http://dkimproxy.sourceforge.net/download.html
Prerequisites

cpan install Mail::DKIM
cpan install Crypt::OpenSSL::RSA
cpan install Digest::SHA
cpan install Mail::Address
cpan install MIME::Base64
cpan install Net::DNS
cpan install Net::Server
cpan install Error

Installing DKIMproxy Service:

cd /home/admin/
wget http://downloads.sourceforge.net/dkimproxy/dkimproxy-1.2.tar.gz
tar -xzvf dkimproxy-1.2.tar.gz
cd dkimproxy-1.2
./configure --prefix=/usr/local/dkimproxy
make install
useradd dkimuser
passwd dkimuser
cp sample-dkim-init-script.sh /etc/init.d/dkimproxy
chkconfig --add dkimproxy
chkconfig dkimproxy on

Installing DKIMproxy to sign outbound messages

http://dkimproxy.sourceforge.net/usage.html
Generate a private/public key pair using OpenSSL:

cd /usr/local/dkimproxy/
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
chown dkimuser:root private.key
chmod 640 private.key

Pick a selector name… e.g. selector1
Put the public-key data in DNS, in your domain, using the selector name you picked. Take the contents of the public.key file and remove the PEM header and footer, and concatenate the lines of the file into one big line. Then create a TXT entry, like this:

selector1._domainkey IN TXT "k=rsa; t=s; p=MHwwDQYJK … OprwIDAQAB"

where selector1 is the name of the selector chosen in the last step and the p= parameter contains the public-key as one long string of characters.
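The TXT record construction above, as an added example written for this page (not code from the post or the DKIMproxy project). It strips the PEM header and footer, joins the lines, and also splits the value into 255-character strings, which DNS requires per TXT string; a 1024-bit key fits in one string but a 2048-bit key does not. The PEM below is a constructed placeholder, not a real key.

```python
import re

# Constructed placeholder, NOT a real RSA key: a real public.key written by
# "openssl rsa -pubout" has the same shape but a longer base64 body.
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMEXAMPLEKEYDATA
NOTAREALKEYNOTAREALKEYNOTAREALKEYOprwIDAQAB
-----END PUBLIC KEY-----
"""


def pem_to_p(pem):
    """Strip the PEM header/footer and join the base64 lines into one string."""
    body = []
    for line in pem.splitlines():
        line = line.strip()
        if line and not line.startswith("-----"):
            body.append(line)
    p = "".join(body)
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", p):
        raise ValueError("public key body is not base64")
    return p


def split_strings(value, size=255):
    """DNS TXT data is a list of strings of at most 255 bytes each."""
    return [value[i:i + size] for i in range(0, len(value), size)]


def dkim_txt_record(pem, selector, flags="s"):
    """Return the BIND zone line for selector._domainkey.

    t=s (the post's choice) means the key must not be used for subdomain
    identities; t=y tells verifiers the domain is only testing DKIM.
    Multiple quoted strings on one line are joined by the resolver."""
    value = "k=rsa; t=%s; p=%s" % (flags, pem_to_p(pem))
    quoted = " ".join('"%s"' % s for s in split_strings(value))
    return "%s._domainkey IN TXT %s" % (selector, quoted)


if __name__ == "__main__":
    print(dkim_txt_record(SAMPLE_PEM, "selector1"))
```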

Configure DKIMproxy

Create a file named /usr/local/dkimproxy/etc/dkimproxy_out.conf and give it the following content:

# specify what address/port DKIMproxy should listen on
listen 127.0.0.1:10027

# specify what address/port DKIMproxy forwards mail to
relay 127.0.0.1:10028

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain clubmom.com

# specify what signatures to add
signature dkim(c=relaxed)
signature domainkeys(c=nofws)

# specify location of the private key
keyfile /usr/local/dkimproxy/private.key

# specify the selector (i.e. the name of the key record put in DNS)
selector clubmomdkim

Start DKIMproxy

service dkimproxy start
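Once DKIMproxy is running and Postfix relays through it, a useful check is to send a message via port 587 and compare the DKIM-Signature header on the delivered copy with dkimproxy_out.conf. This added example (written for this page, not code from the post or the DKIMproxy project) does that comparison; the config text and header below are constructed, and the header is assumed to be passed in already unfolded.

```python
import re

# Constructed copy of the settings shown in the post (comments omitted).
DKIMPROXY_CONF = """domain clubmom.com
signature dkim(c=relaxed)
signature domainkeys(c=nofws)
keyfile /usr/local/dkimproxy/private.key
selector clubmomdkim
"""

# Constructed DKIM-Signature header value; bh= and b= are dummy base64.
SAMPLE_HEADER = ("v=1; a=rsa-sha1; c=relaxed; d=clubmom.com; s=clubmomdkim; "
                 "h=from:to:subject:date; bh=ZmFrZQ==; b=ZmFrZQ==")


def parse_conf(text):
    """Return DKIMproxy settings; 'domain' is a set (comma lists allowed) and
    'signature' a list because both keys may appear more than once."""
    conf = {"domain": set(), "signature": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "domain":
            conf["domain"].update(value.split(","))
        elif key == "signature":
            conf["signature"].append(value)
        else:
            conf[key] = value
    return conf


def parse_tags(header):
    """Parse a tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def check_signature(conf, header):
    """Return a list of mismatches; empty means the header matches the config."""
    t, problems = parse_tags(header), []
    if t.get("d") not in conf["domain"]:
        problems.append("d=%s is not a configured signing domain" % t.get("d"))
    if t.get("s") != conf.get("selector"):
        problems.append("s=%s does not match selector %s" % (t.get("s"), conf.get("selector")))
    dkim_opts = [s for s in conf["signature"] if s.startswith("dkim(")]
    if dkim_opts:
        m = re.search(r"c=([^,)]+)", dkim_opts[0])
        want = (m.group(1) if m else "simple").split("/")[0]  # header canonicalization
        if t.get("c", "simple").split("/")[0] != want:
            problems.append("c=%s differs from configured %s" % (t.get("c"), want))
    problems += ["missing %s= tag" % tag for tag in ("bh", "b") if not t.get(tag)]
    return problems
```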

Setting up the outbound proxy with Postfix

http://dkimproxy.sourceforge.net/postfix-outbound-howto.html
Edit /etc/postfix/master.cf with the following:

#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission inet n - n - - smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o content_filter=dksign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

#
# specify the location of the DKIM signing proxy
# Note: we allow "4" simultaneous deliveries here; high-volume sites may
# want a number higher than 4.
# Note: the smtp_discard_ehlo_keywords option requires Postfix 2.2 or
# better. Leave it off if your version does not support it.
#
dksign unix - - n - 4 smtp
-o smtp_send_xforward_command=yes
-o smtp_discard_ehlo_keywords=8bitmime,starttls

#
# service for accepting messages FROM the DKIM signing proxy
#
127.0.0.1:10028 inet n - n - 10 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o smtpd_authorized_xforward_hosts=127.0.0.0/8

postfix reload

Setup your mail server to send to dkimproxy

A dev environment is set up on office1 using dev04 as an outbound mail server running dkimproxy on port 587.

To use sendmail with a smarthost on a port other than 25, modify /etc/mail/sendmail.mc:

define(`SMART_HOST',`relay:dev04.clubmom.local')dnl
define(`RELAY_MAILER',`esmtp')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
# make -C /etc/mail
# service sendmail restart


Posted in Linux, RHCE | 1 Comment »

Installing oracle 9 on rhel 5

Posted by lopeza on January 15, 2009

I had to install Oracle on a RHEL 5 and after some troubles all works good.  Be sure to review all links and verify all paths on your specific system before creating the links.

The following are the steps that I used.

  1. Add oracle user and some other stuff
    # groupadd dba
    # useradd -g dba oracle
    # cd /opt
    # mkdir oracle
    # chown oracle:dba oracle
    # cd /opt
    # ln -s path/to/jre1.6.0_11
    (Edit the Disk1/install/linux/oraparam.ini and modify JRE_LOCATION
    variable and set path to our JRE installation from Step 2.
    JRE_LOCATION=/opt/jre1.6.0_11)
  2. Kernel settings – Edit the /etc/sysctl.conf and add following lines (I decided to leave default values and did not modify any of these.  These have to be verified)
    kernel.sem = 250 32000 100 128
    kernel.shmmax = 2147483648
    kernel.shmmni = 128
    kernel.shmall = 2097152
    kernel.msgmnb = 65536
    kernel.msgmni = 2878
    fs.file-max = 65536
    net.ipv4.ip_local_port_range = 1024 65000

Note: You need to execute "sysctl -p" or reboot the system to apply the above settings.

  3. Create the access list for oracle to use X windows
    # xhost +local:oracle   (no space between "local:" and "oracle")
  4. Check for required packages:
    rpm -q compat-db compat-gcc-34 compat-gcc-34-c++ compat-libgcc-296 compat-libstdc++-296 compat-libstdc++-33 gcc gcc-c++ glibc glibc-common glibc-devel glibc-headers libgcc make libXp
  5. Set environment – add these to /home/oracle/.bash_profile
    ORACLE_BASE=/opt/oracle
    ORACLE_HOME=$ORACLE_BASE/920
    ORACLE_SID=ORCL
    LD_LIBRARY_PATH=$ORACLE_HOME/lib
    PATH=$PATH:$ORACLE_HOME/bin
    export ORACLE_BASE ORACLE_HOME ORACLE_SID LD_LIBRARY_PATH
  6. First workaround
    su -
    cd /usr/lib
    ln -s libstdc++-3-libc6.2-2-2.10.0.so libstdc++-libc6.1-1.so.2
  7. Download and install:
    rpm -ivh http://oss.oracle.com/projects/compat-oracle/dist/files/RedHat/compat-libcwait-2.1-1.i386.rpm
    rpm -ivh http://oss.oracle.com/projects/compat-oracle/dist/files/RedHat/compat-oracle-rhel4-1.0-5.i386.rpm --nodeps
  8. Second workaround
    su -
    cd /usr/bin
    ln -s gcc34 gcc32
  9. Third workaround
    su -
    cd /usr/lib
    ln -s libgdbm.so.2.0.0 libdb.so.2
  10. Run the installer
    ./runInstaller
  11. NETCA/DBCA will fail at this point; apply the fourth workaround
  12. Fourth workaround
    I suggest applying the 9.2.0.8 patchset first.
    cd $ORACLE_HOME
    rm JRE
    ln -s $ORACLE_BASE/jre/1.3.1 JRE
    cd JRE/bin
    ln -s java jre
    cd i386/native_threads/
    ln -s java jre

Posted in Oracle, RHCE | Leave a Comment »

Samba server on RHEL 5.2 with Active Directory Authentication

Posted by lopeza on December 5, 2008

A quick and easy way.
There are probably hundreds of ways to configure this, so make sure to look around.

# yum install samba

Backup your original smb.conf file

# cp /etc/samba/smb.conf /etc/samba/smb.conf.orig

My smb.conf file, which connects to a Windows 2003 Active Directory:

[global]
workgroup = YOURDOMAIN
netbios name = YOURHOSTNAME
server string = YOURHOSTNAME
security = ads
realm = YOURDOMAINFQDN
password server = YOURDOMAINCONTROLLER
encrypt passwords = yes

log file = /var/log/samba/%m.log
max log size = 1024
#log level = 1

name resolve order = wins hosts lmhosts bcast
client signing = Yes
server signing = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

local master = no
domain master = no
preferred master = dc01
wins server = dc01
dns proxy = no

#To add support for winbind, I added these lines to the global section:
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

#===Share Definitions ===
[public]
# Any authenticated user can view or download files from this share
path = /storage/public
browseable = yes
writeable = yes
guest ok = no
valid users = CLUBMOM+AD_USERSGROUP AD_USER
force group = CLUBMOM+AD_USERSGROUP
create mask = 0666
directory mask = 0777

[TESTSHARE]
# Any authenticated user can view or download files from this share
path = /PATH/TO/SHARE
browseable = yes
writeable = yes
guest ok = no
valid users = CLUBMOM+AD_USERSGROUP AD_USER
force group = CLUBMOM+AD_USERSGROUP
create mask = 0666
directory mask = 0777

Modify the /etc/nsswitch.conf file

passwd: files winbind
shadow: files
group: files winbind

Hostname lookup (to play it safe I added it directly into /etc/hosts)

192.168.x.xxx HOSTNAME.YOURDOMAIN HOSTNAME

Add the realm to the [realms] section of /etc/krb5.conf

[realms]
YOURDOMAIN = {
kdc = YOURDOMAIN.CONTROLLER
kdc = YOURSECONDDOMAIN.CONTROLLER
}

These next commands get you started

service smb restart
service winbind restart
net ads join -U Administrator
kinit Administrator@YOURDOMAIN
service smb restart
service winbind restart

Remember to restart smb and winbind every time you modify smb.conf.

Posted in RHCE | Leave a Comment »

How do I determine whether the number of open files is exceeding the limit set in the kernel?

Posted by lopeza on December 2, 2008

The first place I thought of looking is lsof, but I quickly realized that the result may not be accurate.

# lsof -n | wc -l
3233 

A better way to find the value would be to use

# cat /proc/sys/fs/file-nr | awk '{print $1-$2}'
3060

If you wanted to list and change your values (a value written this way does not survive a reboot; set fs.file-max in /etc/sysctl.conf to make it persistent):

# cat /proc/sys/fs/file-max
767479
# echo "104854" > /proc/sys/fs/file-max


# cat /proc/sys/fs/file-nr
2550     0       767479

The three columns are:
  column 1: total allocated file descriptors (the number of file descriptors allocated since boot)
  column 2: total free allocated file descriptors
  column 3: maximum open file descriptors

The number of open file descriptors is column 1 – column 2; (Note: we have read contradictory definitions of the second column in newsgroups. Some people say it is the number of used allocated file descriptors – just the opposite of what we’ve stated here. Luckily, we can prove that the second number is free descriptors. Just launch an xterm or any new process and watch the second number go down.)
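The column 1 minus column 2 arithmetic above, as an added example written for this page (not code from the post). It parses the file-nr and file-max contents, computes the open count and its ratio to the limit, and flags when usage nears the limit; the sample strings are constructed to match the post's output, and on a Linux box the real /proc files are read instead.

```python
# Constructed inputs matching the output shown in the post.
SAMPLE_FILE_NR = "2550\t0\t767479\n"
SAMPLE_FILE_MAX = "767479\n"


def parse_file_nr(text):
    """Return (allocated, free, maximum) from the contents of /proc/sys/fs/file-nr."""
    fields = text.split()
    if len(fields) != 3:
        raise ValueError("file-nr should have three columns, got %r" % text)
    allocated, free, maximum = (int(f) for f in fields)
    return allocated, free, maximum


def open_files(text):
    """Open descriptors = column 1 - column 2 (column 2 is always 0 on 2.6+ kernels)."""
    allocated, free, _ = parse_file_nr(text)
    return allocated - free


def usage(file_nr_text, file_max_text, warn_at=0.9):
    """Return open count, the file-max limit, their ratio and a warning flag.

    file-max is the authoritative limit; the third file-nr column normally
    mirrors it but may lag if file-max was changed at runtime."""
    opened = open_files(file_nr_text)
    limit = int(file_max_text.split()[0])
    ratio = opened / limit if limit else 1.0
    return {"open": opened, "limit": limit, "ratio": ratio, "warn": ratio >= warn_at}


def read_proc(path):
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    try:
        nr = read_proc("/proc/sys/fs/file-nr")
        mx = read_proc("/proc/sys/fs/file-max")
    except OSError:  # not on Linux: fall back to the constructed sample
        nr, mx = SAMPLE_FILE_NR, SAMPLE_FILE_MAX
    print(usage(nr, mx))
```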

Posted in RHCE | Leave a Comment »

rhn updates with yum

Posted by lopeza on July 7, 2008

Weird thing happened with rhn and one of my systems. I added a new system to rhn and began receiving 404 errors when trying to install packages with yum. I manually went to rhn and downloaded all the packages successfully. All I could think of is that my system is getting the wrong package location from rhn. I ran rhn-profile-sync before rhn_registering again and it fixed the issue.

Just hope this helps someone else at some time.

Posted in RHCE | Leave a Comment »

First Entry

Posted by lopeza on April 17, 2008

Hi World,

I have been thinking about starting a blog for a really long time and never actually thought I’d have something worth writing that people would actually want to read. Until a close friend of mine told me that I have a great deal of experience in technology that would be awesome to share. He also believed that my positive attitude would reflect well in my writing. So here it goes… Soon I will post my first entry, about what I don’t know yet, but rest assured it will be about my experiences in technology.

Posted in General, MySQL, RHCE | Leave a Comment »