Category: How-To's

Postfix and Cyrus SASL authentication

It has been a while since I’ve had the time to blog about something. Mainly that is because my study is demanding a lot of time and because I am working on some new thing which keep me pretty occupied. I will write about those things some other time.

Right, on to Postfix and Cyrus SASL. Most of my servers are running some flavor of *nix and because I started to like the low effort CentOS needs to keep running, I rebuilt all my Gentoo based systems (which took hours to compile and then manually upgrade thanks to the ever changing configuration of a gazillion programs) as CentOS versions – including my Postfix + Courier-IMAP + MySQL mail system. This setup is pretty common, as the first guide I found on HowtoForge for CentOS 5.x was almost verbatim what I had done while porting from Gentoo to CentOS. Also, see the Gentoo guide I used to set it all up (also usable for CentOS).

The only thing I never got going – because I never needed it – was SMTP authentication. Now, when other people send mail to your server they will not need to authenticate: the server is the end-point for the email and as such it will accept any mail sent to the domains hosted on it. So when do you need authentication? When you want to relay.

Now, relaying has a bad name on the internet; try to Google for it and see what comes up. But relaying itself is not a fluke, it's a solution. In my case, I have 2 reasons for relaying.

First, at work and at my parents, I can send mail just fine using the ISP mail servers (which I have to change every time I switch locations *sigh*) but the mail servers are a bit too well educated. My domain is currently an alias (CNAME to be exact) for a DynDNS address. When sending mail, the mail servers resolve and expand the domain I claim to send from and rewrite the address. This means that sending to mailing lists becomes impossible and other people wonder what an ath.cx address is…

Secondly, at home I can’t send mail at all because the idiots at my ISP (I will write about the woes another time) told their mail servers that the server had to match the sender (domain wise). Because of the fact that I am not allowed to link the DNS to my IP directly, this will result in – yet again – 2 different domains and in this case the mail is bounced back to me.

In both cases it would be very handy to be able to just send mail using my own mail server as it will deliver mail directly to the correct remote servers, using the correct names etc.

On a side note, the government has decided that it would be a great idea to store all mail traffic for everyone in the country to fight crime. As usual, declaring such a policy will simply tell everyone who is planning to blow up stuff to use alternate means of communication – most of it being encrypted and voiding the whole purpose. To that end, I like the idea of using my own mail server on an encrypted channel so my mail remains private and let everyone listening in wonder what dark secrets I send around. (On a side note: yes, the server to server communication cannot be encrypted unless both servers know how to – but the first bit is safe).

Now, on with the details. I assume you have Postfix running with MySQL, so it is delivering mail to a maildir on your server or forwarding it somewhere else. Courier (IMAP/POP3/whatever) is running as well and can access the mail delivered by Postfix and as such, your whole mail server is up and running. Now comes the catch: Courier has an authentication library which should be able to authenticate against MySQL. Most installations will use Cyrus SASL instead because it has more features (and in my case was easier to set up as I am using postfixAdmin to administrate the server).

You NEED Cyrus SASL 2 with the SQL plugin installed, if you use Courier Authlib you need a different guide or change the authlib you are using. If you use CentOS like me, run: ‘yum install cyrus-sasl-sql’ to grab the right plugin.

Now, open up ‘/usr/lib/sasl2/smtpd.conf’ to create the specific SASL authentication file for Postfix. On a side note: in my case, I didn’t have to start the service for this to work. Anyway, insert this:

pwcheck_method: authdaemond
log_level: 2
authdaemond_path: /var/spool/authdaemon/socket

The first line tells Postfix to use the Cyrus SASL daemon (instead of the Courier Authlib one). The second line is optional but is handy when debugging, increase if things don’t work so you can see what is happening. The 3rd line is crucial: this is the path to the socket of the Cyrus SASL daemon. On CentOS 5.x you should have it here, on other distributions you need to search for the socket and put it in there.

Now you have set up the SASL authentication settings, it is time to tell Postfix to check the SASL pipeline when someone tries to authenticate. Add the following to your main.cf:

# SASL settings
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
# Used by SASL to identify the Postfix client
smtpd_sasl_path = smtpd

These settings are pretty safe, won’t turn your box into an open relay (the bad sort of relaying abused by spammers) and will still make it possible to use pretty much every mail client out there. Note the last line: that line sets the key word Postfix uses when it tries to authenticate, which is why the SASL configuration is called smtpd.conf. Another reason to use this name is the fact that smtpd is the name of the daemon that will request authentication and on some distributions, it will automatically search for that name.

Now save, restart Postfix and try to authenticate (set your mail client to connect to your server when sending mail and to use the same username and password you need when receiving mail). If everything went well, you can now send mail to anyone, from anywhere using your very own address and just one mail server!

If you get this:

[postfix/smtpd] warning: SASL authentication failure: cannot connect to Courier authdaemond: Connection refused

…you have a problem. Ignore the bit that says Courier authdaemond – you are trying to connect to Cyrus but Postfix doesn’t know this and as you are using the Courier interface, it will tell you something that is incorrect. The message means that it couldn’t find the socket, it is not allowed to access the socket or a similar issue is preventing it from working.

Step 1: Do NOT hardlink the socket to the SASL directory to include it into the Postfix root jail. This will work as long as the system is up: if the authlib daemon is restarted, it will recreate the socket and your hardlink will be dead – sending you off on a goose chase (guess how I found out that one… afterwards I also found this conversation about it)

Step 2: Make sure the socket file is where you told Postfix it would be. Try restarting all services and make sure the timestamp on the socket changed when you restarted everything. If it didn’t change, you are referring to the wrong file. Try to delete it, restart everything again and you won’t see it reappear. Search for it again and fix the path in the smtpd.conf file.

Step 3: When accessing the socket, you need more than read and write access to the socket. You also need r/w access to a random regular file in the directory holding the socket. This is how sockets work and if I understand correctly, a hidden file is used once a program opens the socket to continue the session – hence you need to be allowed to create that file. On CentOS, open ‘/etc/group’, find the line that says ‘daemon:…’ and add ‘postfix’ to that line, use a comma if one or more names are on that line already. Now Postfix is part of the daemon group which owns the socket directory on CentOS. If you have a different distribution, find out who owns the directory, who is running postfix (usually this is the user + group ‘postfix’ or ‘mail’) and fix it.

Step 4: Restart all services or the whole system if you get here. Read the log files again looking for hints what went wrong. If you still have problems, try to Google for it or leave a comment.
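Before restarting everything in step 4, it helps to check the two files and the socket mechanically. The script below is an added example (not part of the original post) that parses the smtpd.conf and main.cf fragments shown above, confirms the socket named in authdaemond_path exists and that the Postfix user is in the group owning its directory (step 3), and additionally checks that the recipient/relay restrictions contain reject_unauth_destination, because that restriction, not the SASL options themselves, is what keeps an authenticating server from being an open relay. It assumes GNU coreutils (stat -c) and a CentOS-style postfix user; the file paths are arguments so it can be run against copies.

```shell
#!/bin/sh
# Added example: sanity-check the Cyrus SASL / Postfix wiring from the post.
# Assumes GNU stat; defaults to the CentOS 5.x paths and user named in the post.

# Value of "key: value" in a Cyrus SASL smtpd.conf (colon syntax, last one wins).
sasl_opt() {   # $1 = smtpd.conf, $2 = key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1
}

# Value of "key = value" in main.cf (last definition wins, as Postfix does it).
pf_opt() {     # $1 = main.cf, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# 0 if main.cf enables SASL as in the post, refuses anonymous logins and
# still rejects relaying for unauthenticated clients; prints what is missing.
check_main_cf() {   # $1 = main.cf
    rc=0
    [ "$(pf_opt "$1" smtpd_sasl_auth_enable)" = "yes" ] \
        || { echo "smtpd_sasl_auth_enable is not yes"; rc=1; }
    case " $(pf_opt "$1" smtpd_sasl_security_options | tr ',' ' ') " in
        *" noanonymous "*) ;;
        *) echo "smtpd_sasl_security_options lacks noanonymous"; rc=1 ;;
    esac
    [ "$(pf_opt "$1" smtpd_sasl_path)" = "smtpd" ] \
        || { echo "smtpd_sasl_path should be smtpd (name of the SASL config file)"; rc=1; }
    # The relay decision is made by smtpd_recipient_restrictions (or
    # smtpd_relay_restrictions on newer Postfix), so one of them must carry
    # reject_unauth_destination; permit_sasl_authenticated then lets logins through.
    restr="$(pf_opt "$1" smtpd_relay_restrictions)$(pf_opt "$1" smtpd_recipient_restrictions)"
    case "$restr" in
        *reject_unauth_destination*) ;;
        *) echo "no reject_unauth_destination in recipient/relay restrictions (open relay risk)"; rc=1 ;;
    esac
    return $rc
}

# 0 if the socket from smtpd.conf exists, is a socket, and the given user owns
# the socket directory or belongs to its group (step 3 in the post).
check_socket() {   # $1 = smtpd.conf, $2 = user running Postfix (default: postfix)
    sock="$(sasl_opt "$1" authdaemond_path)"
    user="${2:-postfix}"
    [ -n "$sock" ] || { echo "authdaemond_path not set in $1"; return 1; }
    [ -S "$sock" ] || { echo "$sock is not a socket: wrong path or daemon not running (step 2)"; return 1; }
    dir="$(dirname "$sock")"
    grp="$(stat -c %G "$dir")"
    own="$(stat -c %U "$dir")"
    if [ "$own" = "$user" ] || id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$grp"; then
        return 0
    fi
    echo "$user is not in group $grp owning $dir (step 3: add it to /etc/group)"
    return 1
}

# Usage: sh sasl-check.sh /usr/lib/sasl2/smtpd.conf /etc/postfix/main.cf [postfix-user]
if [ "$#" -ge 2 ]; then
    check_main_cf "$2" && check_socket "$1" "$3" && echo "SASL wiring looks sane"
fi
```

Run it as root after editing the files and before the restart; each failing check names the step in the post that fixes it. The socket check only verifies reachability by user and group, so a socket that exists but belongs to a stopped daemon still shows up in the log as the "cannot connect" warning quoted above.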

Good luck!

Category: Programming

Matlab and C++

Wouldn’t it be cool to use native code in Matlab? You can ^-^.

I started out by writing a small hello world program to test C++ but every time I ran it against GCC I got funky errors. After a while I found out why: g++ is the C++ compiler, GCC only does old-skool C. D0h!

This is the crap you would see:

# gcc test.cpp
/tmp/ccrnZKfr.o: In function `__static_initialization_and_destruction_0(int, int)':
test.cpp:(.text+0x23): undefined reference to `std::ios_base::Init::Init()'
/tmp/ccrnZKfr.o: In function `__tcf_0':
test.cpp:(.text+0x66): undefined reference to `std::ios_base::Init::~Init()'
/tmp/ccrnZKfr.o: In function `main':
test.cpp:(.text+0x76): undefined reference to `std::cout'
test.cpp:(.text+0x7b): undefined reference to `std::basic_ostream<char, char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*)'
/tmp/ccrnZKfr.o:(.eh_frame+0x12): undefined reference to `__gxx_personality_v0'
collect2: ld returned 1 exit status


The guide I found even explains how to make a small Makefile to speed up the process of compiling (and testing). The (short) guide is here.

Right now I’m waiting for Matlab to finish installing and then I’ll try to test my Hello World from within Matlab. More info how that works can be found here.


Category: How-To's

How to make Bleezer look good

Like I posted in a previous entry, I hate the way Bleezer looks on linux. The screenshots look great but I guess the author is using MacOS.

Personally, I like the Substance Look and Feel, even if its a bit heavy to render (the GUI gets a little sluggish if the windows get complex). I downloaded the 4.3 release from the Substance site and used the docs to figure out what argument to feed Java.

Note that Substance has multiple skins, all a little bit different from each other. This is why the Substance package has multiple classes you can select for the L&F.

Back to Bleezer. I tried making Bleezer use the Substance L&F by means of the command line. Something like this was supposed to work:

java -Dswing.defaultlaf=org.jvnet.substance.skin.SubstanceBusinessLookAndFeel -cp .:substance.jar -jar Bleezer.jar

However, it did not. For some reason you get this:

Exception in thread "main" java.lang.Error: can't load org.jvnet.substance.skin.SubstanceBusinessLookAndFeel
	at javax.swing.UIManager.initializeDefaultLAF(UIManager.java:1337)
	at javax.swing.UIManager.initialize(UIManager.java:1418)
	at javax.swing.UIManager.maybeInitialize(UIManager.java:1406)
	at javax.swing.UIManager.getUI(UIManager.java:1003)
	at javax.swing.JPanel.updateUI(JPanel.java:109)
	at javax.swing.JPanel.<init>(JPanel.java:69)
	at javax.swing.JPanel.<init>(JPanel.java:92)
	at javax.swing.JPanel.<init>(JPanel.java:100)
	at javax.swing.JRootPane.createGlassPane(JRootPane.java:527)
	at javax.swing.JRootPane.<init>(JRootPane.java:347)
	at javax.swing.JFrame.createRootPane(JFrame.java:260)
	at javax.swing.JFrame.frameInit(JFrame.java:241)
	at javax.swing.JFrame.<init>(JFrame.java:164)
	at com.bleezer.Bleezer.<init>(Bleezer.java:112)
	at com.bleezer.Bleezer.main(Bleezer.java:1556)

After trying a million tests to make sure the JAR file was included, I finally ran a decompiler over Bleezer and it looks like Bleezer will only attempt to set the L&F on Windows and MacOS. This means the Linux users are stuck with the Metal L&F and Bleezer does not provide an option to change the skin.

In a previous post I showed how you can override the L&F for Bleezer using the command line. For some reason, that same trick won’t work here so we’ll work around it.

The solution is to add the Bleezer JAR to the class path and then manually specify which class should be run. Using this trick, you can make Bleezer use the new L&F.

Putting it all together you could make a launch script to fire up Bleezer using the new Look and Feel:

#!/bin/bash
java -Dswing.defaultlaf=org.jvnet.substance.skin.SubstanceBusinessLookAndFeel -cp .:substance.jar:Bleezer.jar com.bleezer.Bleezer

And here is the end result, before:

…and after:


Category: Japan Blog Study Tour

Cultural clash

When we first got to Japan we noticed how freaking clean Japan is. Almost no cigarettes on the floor, no cans, no nothing. Also no graffiti or markings on bus chairs or anything. I heard that rebelling youth is simply locked up in their room for 6 months to make the point that it's not accepted here.

Just like those vending machines that are everywhere. And I mean EVERYWHERE. On each street corner, in stations, in dark alleys, even in a Shinto temple. The upside is that whenever you are thirsty you can get a drink when you want. It also costs nothing: 80 to 160 yen for normal to fancy drinks. That’s 55 euro cents to 1 euro for a drink you buy at a Dutch kiosk (if you can find one in a 3km radius) and you can choose from more options than a normal Dutch supermarket has.