I get lots of spam. There seems to be nothing I can do about it so I believe I need to find a better scanner/mail platform. So I went looking for something different. Currently I use Amavisd/Postfix/ClamAV/SpamAssassin, which when properly configured SHOULD find nearly all spam. But alas, I believe after the most recent upgrade the configuration was shot. Even the Bayesian learning system did not really learn anything new, and I kept getting the same old mail. This was/is annoying at best.

So I looked into Zimbra. Zimbra ships as a Virtual Appliance, which was perfect for my needs, and a 10-user limited license is fairly inexpensive, as in free.

Zimbra

My attempts to install Zimbra using the RPM method on CentOS 5.4 hit a snag. There is apparently some sort of network scan that goes on to determine if your settings are correct, etc. I was able to install it, but the configuration stated antispam and antivirus were not available, even though the proper files were installed. So I figured I would try out the virtual appliance.

The virtual appliance imported just fine, but on boot it tried to do the same network scan to determine if the settings were correct even though I gave it a STATIC IP, etc. Since this was to live behind NAT, there is no direct access between it and many of the things it apparently needed. The Virtual Appliance did not boot fully.

So Zimbra did not work for me. I am not sure why it does any sort of scan. This worries me from a Security perspective as I did not know WHAT it was doing. Nor was it explained clearly. In essence my network did not allow Zimbra to properly find everything. Perhaps it is looking for a lax set of security for a DMZ location.

MailScanner

When I had a physical mail server, I used to use MailScanner and was pleased with it, but upgrades were a pain so I went to something different when I went virtual. Alas, that was my downfall. MailScanner (http://www.mailscanner.info) incorporates many of the same things as Zimbra but in a much different package. So I went back to a base CentOS 5.4 install and worked out from there.

MailScanner comes with two sets of packages: MailScanner-4.79.11-1.rpm.tar.gz and install-Clam-SA-latest.tar.gz. The first installs MailScanner and all its dependencies, and the latter installs the latest ClamAV and SpamAssassin as well as the rules. So far so good. During configuration of MailScanner I also determined that I needed the following tools:

  • unrar – http://packages.sw.be/unrar
  • antiword – http://packages.sw.be/antiword
  • DCC – http://www.rhyolite.com/anti-spam/dcc
  • Razor – http://razor.sourceforge.net

Then I needed a modern version of postfix (2.7.1), which I found in binary and source form from http://postfix.wl0.org/. I first tried the binary but determined it did not support SASL authentication via TLS, so I had to recompile from source with a slight change to the SPEC file. I enabled ‘with_sasl’ then rebuilt from source. The following builds this as an installable RPM for me.

rpm -ivh postfix-2.7.1-1.src.rpm
# Modify /usr/src/redhat/SPECS/postfix.spec to enable SASL
rpmbuild -bb /usr/src/redhat/SPECS/postfix.spec

Now postfix was ready. I have done all this before, but many years ago. Next was to make sure postfix runs within a chroot jail for security reasons. So how do we do this? Run the following scripts:

sh /etc/postfix/examples/chroot-setup/LINUX2
sh /etc/postfix/postfix-chroot.sh

Now I was ready to turn everything on, which I did. But I still had an authentication problem with postfix from my SMTP clients: they would not connect. This led me to determine that the chroot setup for SASL was incorrect and that some more changes were needed, such as the following.

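# Move the saslauthd socket directory into the chroot; keep a symlink at the old path
mkdir -p /var/spool/postfix/var/run
mv /var/run/saslauthd /var/spool/postfix/var/run
ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd
# Copy the account list into the chroot (a copy, so repeat this when accounts change)
cp /etc/passwd /var/spool/postfix/etc
# Move the SASL configuration directory into the chroot; keep a symlink at the old path
mv /etc/sasl2 /var/spool/postfix/etc
ln -s /var/spool/postfix/etc/sasl2 /etc/sasl2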

Now I am back up. I even made some new changes to the main.cf within postfix which disable anonymous clients from accessing my mailserver for relay purposes. The following are those changes to /etc/postfix/main.cf. I placed these at the end:

# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
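
One way to check what a main.cf with this block appended actually enforces, as an added example that is not part of the original post: it applies Postfix's continuation-line and last-definition-wins rules, then checks the TLS and relay settings that the SASL block itself does not set. The function names, finding labels and sample text are constructed for illustration, and the built-in defaults assume Postfix before 2.10.

```python
import re

# Postfix 2.7-era built-in defaults for the audited parameters (assumption: pre-2.10).
DEFAULTS = {
    "smtpd_sasl_security_options": "noanonymous",
    "smtpd_sasl_tls_security_options": "$smtpd_sasl_security_options",
    "smtpd_recipient_restrictions": "permit_mynetworks, reject_unauth_destination",
}
# Constructed samples: one earlier setting plus SASL lines from this post, then a hardened variant.
PAGE_CF = """smtpd_sasl_auth_enable = no
# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
"""
HARDENED_CF = PAGE_CF + """smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
"""

def parse_main_cf(text):
    """Skip comments, join continuation lines, let the last definition win."""
    params, name = dict(DEFAULTS), None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line and not line[0].isspace():
            name, _, value = (part.strip() for part in line.partition("="))
            params[name] = value
    return params

def words(params, key):
    """Expand $name references one level deep, then split the value into words."""
    value = re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), params.get(key, ""))
    return set(filter(None, re.split(r"[,\s]+", value)))

def audit_sasl(params):
    """Return names of failed checks; each dict value is True when the setting is acceptable."""
    sec = words(params, "smtpd_sasl_security_options")
    rules = words(params, "smtpd_recipient_restrictions")
    tls_only = params.get("smtpd_tls_auth_only") == "yes"
    checks = {
        "sasl-disabled": params.get("smtpd_sasl_auth_enable") == "yes",
        "anonymous-mechanism-allowed": "noanonymous" in sec
            and "noanonymous" in words(params, "smtpd_sasl_tls_security_options"),
        "plaintext-auth-without-tls": tls_only or "noplaintext" in sec,
        "relay-not-restricted": "reject_unauth_destination" in rules,
        "sasl-auth-grants-no-relay": "permit_sasl_authenticated" in rules,
    }
    return [name for name, ok in checks.items() if not ok]
```

An empty list from audit_sasl means these checks pass for the parsed file; it says nothing about the chroot layout or saslauthd itself.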

Conclusion
This new setup started blocking more spam than the old configuration, which was exactly what I wanted to happen. Unfortunately Zimbra would not work for me and that was an issue. I was really looking forward to working with Zimbra, but it was just too problematic. Yes, if I understood it as well as I understand postfix and MailScanner I may have tried to solve the problem, but this time I did not have the time. Zimbra needs to be simpler to use, paying attention to the manual configurations I make instead of trying to determine my network, etc.

I recently upgraded my Fedora 12 Linux Machine on which I do development to the latest Kernel. After a reboot, I noticed the display went from my normal 1920×1080 down to 640×480. In addition, the monitor itself complained that this was not an optimum setting. I knew something was wrong, so I did the following:

Well I had some serious issues going to vSphere 4.1 from v4.0U2. The steps for the upgrade seemed straightforward:

  1. Upgrade vCenter Server
  2. Upgrade ESX

Well, it was not all that easy. Continue reading ‘vSphere Upgrade: Going to 4.1’ »

I was in the market for a new Laptop, given that mine is at least 3 years old and starting to show its age with non-working USB ports, one blown power supply, and failing batteries. My requirements are slightly above the average:

Any laptop must be able to run the following at the same time within a hosted virtualization solution such as VMware Workstation or Fusion.

In my last post “IBM DS3400 Redundant Controllers and Bad Batteries, eNet Cable Fail” I realized that I badly configured my SAN from the start. So I bit the bullet and started a process to change the number of spindles per LUN to 11 of 12 disks, with the 12th disk being a hot spare. Performance on a SAN LUN is directly proportional to the number of spindles in use by the RAID set, and my old setup had 3 Disk LUNs instead of using virtual LUNs on top of one larger physical LUN.

Now that I know how to configure this, I wanted to make use of the higher performance. To do this, I had to:

  1. first offload all VMs from the SAN to some other storage by way of SVMotion
  2. backup any RDMs I have
  3. update the LUN layout of the IBM DS3400 to be 11 disks in a RAID 5 with virtual LUNs presented to ESX
  4. SVMotion the VMs to the new LUNs

Continue reading ‘vSphere Upgrade: Rearranging LUNs for Better Performance: Updated’ »

Recently my IBM DS3400 SAN gave an alert that the controller batteries had to be changed out. So after ordering some batteries and receiving them, it was time to perform a battery exchange. The steps are quite straightforward but still require a bit of forethought. I run IBM System Storage Manager 10 from within a VM running Windows 2008 R2; it is actually my VMware vCenter Server. In order for me to exchange the batteries, the IBM System Storage Manager 10 must be able to talk to the controllers either over the network or over the fibre connection. Since this is a VM, all I can do is control the SAN over the network at this time. Continue reading ‘IBM DS3400 Redundant Controllers and Bad Batteries, eNet Cable Fail’ »

I recently donated the last of my DL380 G3 systems to Keefe Technical High School for use as their ESX v3 Cluster. The only issue was that this machine was also my last remaining server that I had yet to virtualize and it was my backup server with quite a bit of disk space, connection to my tape libraries and my DISC Blu-Safe backup library. To virtualize my backup server was going to be difficult at best as I am switching entirely from Tape devices to Blu-ray devices.

I explained this choice in another post but suffice it to say, I need to be able to connect this USB device to a VM and then use it as part of my backup solution. This required a bit more work than before as now I had to include in my vNetwork a USB over IP device that would allow not only my printer but my Blu-Safe to be seen by multiple and individual VMs. For this I chose the Belkin FL5009 5-port USB over IP device. While it has its issues, such as not working across a NAT, it does however allow me to share my printer with other VMs while locking the Blu-Safe to a very specific VM. Continue reading ‘vSphere Upgrade – The Backup Saga’ »

Cody Bunch of the twittersphere helped me to solve the latest mystery within my vSphere environment: vCenter would fail to start after a reboot of the Windows 2008 vCenter Server VM. This has been plaguing me since I started this process, but it finally needed to be fixed!

The problem is that VMware Update Manager and VMware vCenter Server collide when they are both trying to access the MSSQL 2008 database for some odd reason.

The solution is fairly easy: add a service dependency on VMware Update Manager so that it requires VMware vCenter to start first. To do this, open up regedit, navigate to the HKLM\System\ControlSet001\services\vmware-ufad-vci key and add a new Multi String Value named ‘DependOnService’. Give this new registry element a value of ‘vpxd’.

This will now place a dependency on VUM such that it requires vCenter to start first. Now on reboots, vCenter starts properly and I no longer have to manually start the service.

Well I got bit by the 2nd disk issue that occurs with hardware 7 on Windows 2008 Datacenter server. It was very troublesome until the twitter-sphere pointed me to an article written by vStu about this issue. Yet this did not entirely fix the problem. It took some more twitter-sphere assistance to find the solution to the problem.

As vStu discovered, all virtual machine disk files (VMDKs) are presented to VMs as SAN disks and Windows 2008 changed how SAN disks were handled; in effect they are offline until you set them online. I kept getting a pesky, “Disk is Offline because policy was set by an administrator” message. Microsoft’s website does not even know about this error message apparently. But the solution is a combination of websites. First you need to change how Windows 2008 sees the SAN devices, then you need to clear a readonly flag, then you are good to go. Using ‘diskpart’ enter the following commands: Continue reading ‘vSphere Upgrade – 2nd Disk Issues with Hardware 7’ »

Well, as time permits I have been slowly upgrading my VMs to the latest virtual hardware. When I started this process, it was before VMware instituted a warning within the Upgrade Virtual Hardware that you first need to upgrade VMware Tools. This problem bit me twice and it was enough that I put in my own policy to always upgrade VMware Tools BEFORE upgrading the Virtual Hardware.

When you play around with Windows 2008 R2, if you do not properly upgrade VMware Tools before a Virtual Hardware Upgrade your VM will spin out of control sucking up CPU until you kill it, which you have to do in order to fix the issue. A reboot will fix the issue, but then you must upgrade VMware Tools before anything else happens. I suggest using Safe-Mode.

In one of the updates VMware kindly introduced a warning box when you upgrade Virtual Hardware to let you know that you need to update VMware Tools first. If you do not install VMware Tools due to security concerns, you may want to not upgrade your virtual hardware. I have not tried removing the tools after Virtual Hardware Upgrade, which may be another option.
