Anthony Lopez

“I’d rather see a sermon than hear one any day;”

Setting up DKIMproxy

Posted by lopeza on August 21, 2009

One day I was asked to make our email deliverability more reliable. I found that Yahoo DomainKeys and DKIM were additional ways, besides SPF, to gain trust with some email providers. I set up the DK and DKIM milters and found that when sending bulk loads of email (100k+) the time it took to sign and send was well over 7 seconds per message. I am sure there are tweaks we could have made to the sending script to deal with this, but we just wanted something simple and easy to use. Later I decided to install DKIMproxy, which makes submitting email to a mail server easy and requires no scripting change. After testing I found that our email blasting was fast and our deliverability had gone up about 27%. We still maintain relationships with email providers to gain trust, but that too is an ever-changing process. Below I documented what I did to get DKIMproxy and Postfix configured on a RHEL 5 server. I believe it should be the same for CentOS 5 as well. Good luck on your setup!

Website – http://dkimproxy.sourceforge.net/

Installing DKIMproxy

http://dkimproxy.sourceforge.net/download.html
Prerequisites

cpan install Mail::DKIM
cpan install Crypt::OpenSSL::RSA
cpan install Digest::SHA
cpan install Mail::Address
cpan install MIME::Base64
cpan install Net::DNS
cpan install Net::Server
cpan install Error

Installing DKIMproxy Service:

cd /home/admin/
wget http://downloads.sourceforge.net/dkimproxy/dkimproxy-1.2.tar.gz
tar -xzvf dkimproxy-1.2.tar.gz
cd dkimproxy-1.2
./configure --prefix=/usr/local/dkimproxy
make install
useradd dkimuser
passwd dkimuser
cp sample-dkim-init-script.sh /etc/init.d/dkimproxy
chkconfig --add dkimproxy
chkconfig dkimproxy on

The dkimuser account exists only so the daemon can drop root privileges; nobody logs in as it, so the passwd step can be skipped (useradd leaves the account locked) and a shell of /sbin/nologin is the safer choice. Note that the configure and chkconfig options are double-dash (--prefix, --add); blog rendering often turns them into a single dash.

Installing DKIMproxy to sign outbound messages

http://dkimproxy.sourceforge.net/usage.html
Generate a private/public key pair using OpenSSL (in the directory the DKIMproxy config below points at):

cd /usr/local/dkimproxy/
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
chown dkimuser:root private.key
chmod 640 private.key

1024 bits matched common practice in 2009. RFC 8301 (2018) makes 1024 the minimum a verifier must accept and recommends 2048, so use 2048 for a new key; a 2048-bit p= value no longer fits in a single 255-byte TXT string and has to be split across several quoted strings in the record. The private key must be readable by dkimuser and nobody else, which is what the chown/chmod pair above achieves.

Pick a selector name, e.g. selector1.
Put the public-key data in DNS, in your domain, using the selector name you picked. Take the contents of the public.key file, remove the PEM header and footer, and concatenate the lines of the file into one long line. Then create a TXT record like this:

selector1._domainkey IN TXT "k=rsa; t=s; p=MHwwDQYJK … OprwIDAQAB"

where selector1 is the name of the selector chosen in the last step and the p= parameter contains the public key as one long string of characters. The t=s flag restricts the key to the exact domain (no subdomains); prefixing the value with "v=DKIM1;" is optional but conventional. A single quoted TXT string holds at most 255 characters, so a longer value (any 2048-bit key) must be split into several quoted strings, which resolvers concatenate. Confirm the record resolves (a TXT lookup of the selector name with dig) before enabling signing, since a signed message with an unresolvable selector fails verification outright.
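The record-building step above, done with a script rather than by hand, as an added example (this is not code from the post or from DKIMproxy). It takes the PEM that openssl rsa -pubout writes, strips the armour, joins the lines, splits the value into 255-character TXT strings, and then parses the record back to report the modulus size, which is the check worth making before a key is published. The PEM it generates for itself is constructed test data with a made-up modulus (structurally valid DER, not a real key); selector1 and example.com are assumed names.

```python
"""Build a DKIM selector TXT record from an RSA public-key PEM, then check it.

Added example, not part of the original post or of DKIMproxy. The key material
produced by make_test_public_key_pem() is constructed test data.
"""
import base64
import textwrap

# AlgorithmIdentifier body for rsaEncryption (OID 1.2.840.113549.1.1.1) + NULL params
RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")
TXT_STRING_MAX = 255  # one character-string in TXT RDATA holds at most 255 bytes


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # keep the INTEGER positive
    return _der_tlv(0x02, b)


def _der_read(buf, pos):
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def make_test_public_key_pem(bits):
    """Constructed SubjectPublicKeyInfo (the format `openssl rsa -pubout` writes)
    with a made-up modulus whose top bit is set, so it is exactly `bits` long."""
    modulus = (1 << (bits - 1)) | 0x10001
    rsa_key = _der_tlv(0x30, _der_int(modulus) + _der_int(65537))
    spki = _der_tlv(0x30, _der_tlv(0x30, RSA_ALG_ID) + _der_tlv(0x03, b"\x00" + rsa_key))
    body = "\n".join(textwrap.wrap(base64.b64encode(spki).decode(), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def pem_to_dkim_record(pem, selector, domain):
    """Return (owner name, list of <=255-char strings) for the selector TXT record."""
    b64 = "".join(line.strip() for line in pem.splitlines()
                  if line and not line.startswith("-----"))
    value = f"v=DKIM1; k=rsa; p={b64}"
    strings = [value[i:i + TXT_STRING_MAX] for i in range(0, len(value), TXT_STRING_MAX)]
    return f"{selector}._domainkey.{domain}.", strings


def zone_line(name, strings):
    """Zone-file form; several quoted strings are concatenated by the resolver."""
    return f"{name} IN TXT ( " + " ".join(f'"{s}"' for s in strings) + " )"


def check_dkim_record(txt):
    """Parse the joined TXT value (RSA keys only); return (modulus bits, problems)."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)   # p= ends in base64 padding, so split once
            tags[k.strip()] = v.strip()
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= tag is not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= tag is not rsa")
    if not tags.get("p"):
        return 0, problems + ["p= missing or empty (an empty p= means the key is revoked)"]
    try:
        _, spki, _ = _der_read(base64.b64decode(tags["p"], validate=True), 0)
        alg_tag, alg, pos = _der_read(spki, 0)
        if alg_tag != 0x30 or alg[:11] != RSA_ALG_ID[:11]:
            raise ValueError("AlgorithmIdentifier is not rsaEncryption")
        _, bitstr, _ = _der_read(spki, pos)
        _, rsa_key, _ = _der_read(bitstr, 1)       # skip the unused-bits octet
        _, modulus, _ = _der_read(rsa_key, 0)      # first INTEGER of RSAPublicKey is n
        bits = int.from_bytes(modulus, "big").bit_length()
    except (ValueError, IndexError, TypeError) as e:
        return 0, problems + [f"p= does not decode to an RSA SubjectPublicKeyInfo: {e}"]
    if bits < 1024:
        problems.append(f"{bits}-bit key is below the 1024-bit minimum (RFC 8301)")
    elif bits < 2048:
        problems.append(f"{bits}-bit key is below the recommended 2048 bits (RFC 8301)")
    return bits, problems


if __name__ == "__main__":
    pem = make_test_public_key_pem(2048)
    name, strings = pem_to_dkim_record(pem, "selector1", "example.com")
    print(zone_line(name, strings))
    print(check_dkim_record("".join(strings)))
```

Run it on a real public.key by reading the file instead of calling make_test_public_key_pem(); the checker can also be pointed at the joined strings returned by a TXT lookup to confirm what was actually published matches the key DKIMproxy signs with.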

Configure DKIMproxy

Create a file named /usr/local/dkimproxy/etc/dkimproxy_out.conf and give it the following content:

# specify what address/port DKIMproxy should listen on
listen 127.0.0.1:10027

# specify what address/port DKIMproxy forwards mail to
relay 127.0.0.1:10028

# specify what domains DKIMproxy can sign for (comma-separated, no spaces);
# mail from any other sender domain passes through unsigned
domain clubmom.com

# specify what signatures to add
# (DomainKeys is the older Yahoo scheme that DKIM replaced; the second
# line only helps with receivers that still check DK)
signature dkim(c=relaxed)
signature domainkeys(c=nofws)

# specify location of the private key
keyfile /usr/local/dkimproxy/private.key

# specify the selector (i.e. the name of the key record put in DNS);
# it must be the same name you published (selector1 in the example above)
selector clubmomdkim

Start DKIMproxy

service dkimproxy start

Setting up the outbound proxy with Postfix

http://dkimproxy.sourceforge.net/postfix-outbound-howto.html
Edit /etc/postfix/master.cf with the following. The -o lines are continuation lines and must begin with whitespace, or Postfix will treat each one as a new service:

#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission inet n       -       n       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

#
# specify the location of the DKIM signing proxy
# Note: we allow "4" simultaneous deliveries here; high-volume sites may
# want a number higher than 4.
# Note: the smtp_discard_ehlo_keywords option requires Postfix 2.2 or
# better. Leave it off if your version does not support it.
#
dksign    unix  -       -       n       -       4       smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls

#
# service for accepting messages FROM the DKIM signing proxy
#
127.0.0.1:10028 inet n  -       n       -       10      smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

Two points worth understanding rather than copying. The smtp_discard_ehlo_keywords line makes Postfix ignore STARTTLS (the proxy speaks plaintext on loopback, so there is nothing to negotiate) and 8BITMIME, so that 8-bit bodies are converted to 7-bit before they are signed; a 7-bit conversion by a later hop would otherwise change the body and break the signature. The 10028 listener has every restriction cleared and trusts XFORWARD, and anything delivered to it leaves the server unsigned with content_filter empty, so it must stay bound to 127.0.0.1 exactly as shown. Nothing here requires TLS on port 587; if SASL passwords arrive from other hosts, add smtpd_tls_security_level=encrypt (Postfix 2.3 and later) to the submission service so they are not sent in the clear.

postfix reload

Setup your mail server to send to dkimproxy

A dev environment is set up on office1 using dev04 as an outbound mail server running dkimproxy on port 587.

To have sendmail use a smarthost on a port other than 25, modify /etc/mail/sendmail.mc:

define(`SMART_HOST',`relay:dev04.clubmom.local')dnl
define(`RELAY_MAILER',`esmtp')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl

then rebuild the configuration and restart sendmail:

# make -C /etc/mail
# service sendmail restart

dev04's submission service only accepts the relay if office1 is inside its mynetworks or authenticates with SASL; everything else is rejected by the smtpd_recipient_restrictions set above.

Posted in Linux, RHCE | 1 Comment

Setting up VSFTP using non-local users.

Posted by lopeza on August 12, 2009

Install Required packages

pam
db4
vsftpd
compat-db (this is the package name on fedora which provides the binary db42_load)

Configure PAM

# vi /etc/pam.d/vsftpd (I EDITED THE FILE TO LOOK LIKE THIS)
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
#auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers
#auth required pam_shells.so
#auth include system-auth
#account include system-auth
#session include system-auth
#session required pam_loginuid.so
(note: I had to comment out the bottom 6 lines to get the pam_userdb authentication to succeed for FTP logins. With them not commented out, authentication of known good users failed.)

Three details about pam_userdb: the db= value is the database path without its .db suffix; on x86_64 the module lives under /lib64/security, so the bare module name pam_userdb.so is more portable than the absolute path used here; and the module compares passwords as plaintext unless it is given crypt=crypt, in which case it expects crypt(3) hashes in the database. With plaintext storage, the 600 permissions set on the .db and .txt files below are the only thing protecting the passwords.

Create the system user that vsftpd.conf maps virtual users onto (a dummy account; nobody logs into it directly via FTP):
# adduser -d /home/virtualftp/ virtualftp
The account exists only to own the virtual users' files, so it needs neither a password nor a login shell (-s /sbin/nologin keeps it that way).

Configure vsftpd for virtual users

#vi /etc/vsftpd/vsftpd.conf (I EDITED THE FILE TO LOOK LIKE THIS)

local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
# Virtual users will be logged into /home/virtualftp/[username]/
user_sub_token=$USER
local_root=/home/virtualftp/$USER
guest_enable=YES
guest_username=virtualftp
# Umask applied for virtual users and anon
anon_umask=0022
# Allows uploading by virtual users
anon_upload_enable=YES
# Allows creation of directories by virtual users
anon_mkdir_write_enable=YES
# Allows deletion of files and directories by virtual users
anon_other_write_enable=YES
# Sets a port range for passive mode. (must configure firewall to accept)
# pasv_min_port must be lower than pasv_max_port
pasv_min_port=51123
pasv_max_port=51323
port_enable=YES

One caveat for newer vsftpd versions: from 2.3.5 on, vsftpd refuses to chroot a user whose chroot root is writable (the login fails with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"). With this layout that means /home/virtualftp/$USER should be owned by root and not writable by virtualftp, with uploads going into a writable subdirectory, or allow_writeable_chroot=YES has to be set, which gives up that protection.

Setup virtual FTP usernames and their passwords (use the following format)

# vi /etc/vsftpd/vsftpd_users.txt

username1
passwordforusername1
username2
passwordforusername2
username3
passwordforusername3

Build the vsftpd database (on RHEL/CentOS the same tool is db_load from the db4-utils package):

#db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db
#chmod 600 /etc/vsftpd/vsftpd_users.db /etc/vsftpd/vsftpd_users.txt
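Before running db_load it is worth checking the text file mechanically, because pam_userdb takes the lines strictly in pairs: one stray blank line shifts every later password into the username slot, and db_load will not complain. The checker below is an added example, not code from the post. The usernames and passwords in its test lists are constructed, the 12-character minimum is an assumed local policy, and db42_load is the Fedora name of db_load mentioned above.

```python
"""Sanity-check a vsftpd virtual-user list before it becomes the pam_userdb database.

Added example, not from the original post. pam_userdb reads the `db_load -T`
input as alternating key/value lines, so pairing errors are silent.
"""
import os
import re
import shlex
import stat

# Usernames become part of local_root via $USER, so keep them to path-safe characters.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
MIN_PASSWORD_LEN = 12  # assumption: local policy, not a vsftpd requirement


def parse_user_list(text):
    """Return (list of (user, password), list of problems) for db_load -T input."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # a single trailing newline is fine; an extra blank line is not
    problems, pairs, seen = [], [], set()
    if len(lines) % 2:
        problems.append(f"odd number of lines ({len(lines)}): "
                        "pairing is shifted, a username would be stored as a password")
    for i in range(0, len(lines) - len(lines) % 2, 2):
        user, password = lines[i], lines[i + 1]
        if not USERNAME_RE.match(user):
            problems.append(f"line {i + 1}: {user!r} is not a valid username")
        elif user in seen:
            problems.append(f"line {i + 1}: duplicate username {user!r} "
                            "(db_load keeps only one value per key)")
        seen.add(user)
        if not password or password != password.strip():
            problems.append(f"line {i + 2}: password for {user!r} is empty "
                            "or has leading/trailing whitespace")
        elif len(password) < MIN_PASSWORD_LEN:
            problems.append(f"line {i + 2}: password for {user!r} is shorter "
                            f"than {MIN_PASSWORD_LEN} characters")
        pairs.append((user, password))
    return pairs, problems


def db_load_command(src, db, tool="db_load"):
    """The command that builds the hash database pam_userdb reads."""
    return f"{tool} -T -t hash -f {shlex.quote(src)} {shlex.quote(db)}"


def is_private(path):
    """True when group and others have no access at all (what chmod 600 gives)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


if __name__ == "__main__":
    import sys
    src = sys.argv[1] if len(sys.argv) > 1 else "/etc/vsftpd/vsftpd_users.txt"
    with open(src) as f:
        pairs, problems = parse_user_list(f.read())
    if not is_private(src):
        problems.append(f"{src} is readable by group or others; chmod 600 it")
    for p in problems:
        print("PROBLEM:", p)
    if not problems:
        print(f"{len(pairs)} users OK; build with:")
        print(db_load_command(src, src.rsplit(".", 1)[0] + ".db"))
    sys.exit(1 if problems else 0)
```

Run it against the text file before every rebuild of the database; it exits non-zero when anything is wrong, so it can gate the db_load step in a deployment script.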

Create a directory for each virtual FTP user (the session runs as virtualftp, so that account must be able to enter the directory and, with anon_upload_enable, write into it):

#mkdir -p /home/virtualftp/username1

Test an FTP virtual user login

#ftp localhost
Connected to localhost.
220 (vsFTPd 2.0.5)
Name (localhost:root): username1
331 Please specify the password.
Password:
230 Login successful.

Posted in Learning, Linux

The Bagster

Posted by lopeza on July 28, 2009

During many of my remodels I try to stack up as much debris as possible before ordering a dumpster.  Now there is the Bagster.  It is an amazing idea at a great price.  I only wish they serviced more areas and provided a better lookup map on their site.  Their call center has no information on potential new service areas and just recommends calling or checking the site frequently.

http://www.thebagster.com/

Posted in Vendors

Sailing The Clipper City

Posted by lopeza on July 28, 2009

UPDATE! – The operations manager at this sailing company offered me an open bar deal for 50 of my company’s employees and promised to call me back with a sail date and invoice to solidify the deal.  A few days later when I called to follow up she told me that she had decided not to honor her offer.  I asked to speak to the owner of the sailboat to discuss the poor business relationship that reneging on a deal would bring to their company, but the operations manager denied me the opportunity.  Their normal rates are overpriced as is, and after breaking our deal I’d recommend NOT EVER TOURING ON THEIR SAILBOAT.  Maybe I’ll feel differently when the owner calls me back to talk and honor his employee’s original deal!

The Clipper City was first built as a cargo schooner just prior to the Civil War, then rebuilt from the original plans, on loan from the Smithsonian Institution, and recently refurbished. The new, restored Clipper City, with a length of 160 feet and a height of 120 feet, can comfortably sail 144 people — the most of any passenger sailboat in the United States. With its sweeping deck, full bar, and eight sails, this majestic schooner and its attentive crew now sail daily from South Street Seaport, providing guests with a unique way to see Manhattan.

The original 1854 Clipper City schooner came from the shipyard of Manitowoc, Wisconsin, a town soon nicknamed “Clipper City” because of its growing reputation for shipbuilding. The plans for Clipper City are in the permanent collection at the Smithsonian, and a replica cross-section of the boat is on permanent display at the Wisconsin Maritime Museum. In 1856, the U.S. Nautical Magazine & Naval Journal reported that Clipper City could sail from Chicago to Port Washington, Wisconsin, a full 115 miles, in just seven and a half hours. Built to haul lumber, she was enormously successful in her time.

Clipper City was decommissioned in 1890, but in 1984 naval architects DeJong & Lebet re-built her, with adaptations to meet modern safety requirements. The new Clipper City, a steel-hulled schooner carrying six fore-and-aft rigged sails and two square topsails on two steel masts, was operated as a Baltimore charter vessel for 20 years. She then fell into disrepair, but was recently acquired and extensively renovated. The ship that sails daily from Pier 17 on South Street has been carefully restored to match the beauty of her Civil War–era ancestor.

Posted in Attractions | 1 Comment

JP Morgan Corporate Challenge

Posted by lopeza on June 11, 2009

Yesterday, a few colleagues and I ran the 5k charity race to help the Central Park Conservancy.  I am happy with my finish time and am looking forward to some more running.  Finish time: 29 min 28 sec.

Posted in Fun

What if your only Windows 2003 Global Catalog Server fails

Posted by lopeza on June 4, 2009

Our environment had been set up with a single global catalog server (GC) due to a misconfiguration.  When that domain controller/GC crashed we noticed that our secondary domain controller did not take over the GC role, and our Exchange server stopped working, since Exchange depends on a reachable global catalog for address lookups.

To resolve this, we configured the secondary domain controller as a GC, had it seize the five FSMO roles, and pointed our Exchange server at the new GC.  Seizing roles is a one-way operation: the crashed DC must never be brought back onto the network in its old state, which is why it is rebuilt from scratch below.

Seize the 5 FSMO roles:
http://support.microsoft.com/kb/255504

Make it a GCS:
http://support.microsoft.com/?id=313994

Remove the crashed DC from AD Sites and Services:
Delete the server object, then rebuild the server and re-add it. (There are many different things you can do here.) Deleting the object in Sites and Services alone leaves the dead DC's NTDS settings and computer account behind; the metadata cleanup command in ntdsutil removes them properly, and should be run before a rebuilt server with the same name is promoted again.

Update Exchange system manager:
Reconfigure the “Recipient update service” to the running DC for both entries.

To check for errors you can run (the quotes are needed because of the space in "Program Files"; the dcdiag Advertising test reports whether the DC is advertising itself as a GC):
"C:\Program Files\Support Tools\dcdiag" /v > c:\dcdiag.txt
"C:\Program Files\Support Tools\netdiag" /v > c:\netdiag.txt

Posted in Windows