Posts tagged Linux
We systematically reject ‘apache@…’ Huh?
I’m continually amazed by how much hands-on effort it takes to run even a small blog or community these days. The spam bots are continually spewing their useless garbage everywhere, the hackers and script kiddies are continually trying to break down the front door, and somewhere in there is the appreciative reader in search of an answer to his/her question or just genuinely interested in the topic at hand.
Every now and then a genuine (system administration) issue or problem surfaces that deserves some time and effort. Since I’m utilizing a virtual private server (VPS) running CentOS 5.5, I’m responsible for administering and managing the server myself. I was an IBM AIX (long live SMIT) and Solaris System Administrator in a previous life so it’s not a big challenge but it can be a time consuming task. The benefits of managing my own server are still significant enough for me and I’ve learned so much about Linux, MySQL, PHP, Perl, etc. that the experience has been well worth the investment in my view.
I recently noticed that I was getting a lot of bounced email messages on the server from a number of readers that had subscribed to posts on my blog. Here’s a quick snippet of the bounced error message;
Action: failed
Status: 5.1.7
Remote-MTA: dns; mx.acme.org
Diagnostic-Code: smtp; 550 5.1.7 ... We systematically reject 'apache@...'
It seems that a few domains (the example above is acme.org, changed to protect identity) were rejecting any email message with the Return-Path set to apache@hostname. In my case the Return-Path was set to apache@michaelfmcnamara.com although the From address was set to noreply@michaelfmcnamara.com. That is the default when PHP's mail() runs as the web server account: unless it is given an explicit envelope sender (the -f option), sendmail takes MAIL FROM, which the receiving side records as Return-Path, from the calling user, here uid 48, apache. Unfortunately you can’t set (not to my knowledge anyway) the Return-Path from within the WordPress administration portal. You need to manually edit wp-includes/class-phpmailer.php and set the variable $Sender to the same email address you set up within WordPress to use as your From address.
/**
 * Sets the Sender email (Return-Path) of the message. If not empty,
 * will be sent via -f to sendmail or as 'MAIL FROM' in smtp mode.
 * @var string
 */
var $Sender = 'noreply@michaelfmcnamara.com';
With that change complete I can see from the server logs (/var/log/maillog) that the Return-Path is now being properly set.
Feb 12 08:29:56 michaelfmcnamara postfix/pickup[9770]: 2B8FD2C3BB: uid=48 from=<noreply@michaelfmcnamara.com>
Feb 12 08:29:56 michaelfmcnamara postfix/cleanup[11068]: 2B8FD2C3BB: message-id=<67fa95dc7fd22d7c6cfd481d506bfd87@blog.michaelfmcnamara.com>
Feb 12 08:29:56 michaelfmcnamara postfix/qmgr[2647]: 2B8FD2C3BB: from=<noreply@michaelfmcnamara.com>, size=1729, nrcpt=1 (queue active)
Feb 12 08:29:56 michaelfmcnamara postfix/local[11070]: 2B8FD2C3BB: to=<whowhatwhen@michaelfmcnamara.com>, relay=local, delay=0.07, delays=0.04/0.01/0/0.02, dsn=2.0.0, status=sent (forwarded as 321C72C37A)
Feb 12 08:29:56 michaelfmcnamara postfix/qmgr[2647]: 2B8FD2C3BB: removed
With that change those domains that were rejecting email from my server are now accepting them again. Just another day where I’ve learned something new.
Cheers!
Update: Thursday February 24, 2011
It seems the upgrade to WordPress 3.1 has overwritten the change I made in the file… had to update the file again!
Update: Friday April 22, 2011
It seems the upgrade to WordPress 3.1.1 has overwritten the change I made in the file again!
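The two updates above show the weakness of editing wp-includes/class-phpmailer.php directly: every core upgrade replaces that file. WordPress hands the same PHPMailer object to the phpmailer_init action before each message is sent, so the envelope sender can be set from a must-use plugin under wp-content/mu-plugins/, a directory core upgrades do not touch. The following is an added example written for this page; it is not code from the original post or from WordPress. It assumes the From address noreply@michaelfmcnamara.com from the post, and the file name, constant and function name are my own.

```php
<?php
/*
 * Plugin Name: Fix envelope sender (Return-Path)
 *
 * Added example, not part of the original post or of WordPress.
 * Save as wp-content/mu-plugins/fix-envelope-sender.php. Must-use plugins
 * load automatically and survive core upgrades, unlike edits to
 * wp-includes/class-phpmailer.php.
 */

// Assumption: the address WordPress is configured to send From. Change this
// to match your own settings; the envelope sender should normally be the
// same mailbox so that bounces and SPF checks land on a domain you control.
define( 'MFM_ENVELOPE_SENDER', 'noreply@michaelfmcnamara.com' );

/**
 * Set the envelope sender on every outgoing message.
 *
 * PHPMailer passes $Sender to sendmail as -f, or as MAIL FROM when sending
 * over SMTP. That value, not the From: header, becomes the Return-Path the
 * receiving MTA sees and was what the rejecting domains objected to.
 *
 * @param PHPMailer $phpmailer The mailer WordPress is about to use.
 */
function mfm_set_envelope_sender( $phpmailer ) {
    $sender = MFM_ENVELOPE_SENDER;

    // Only accept a syntactically valid address; otherwise leave PHPMailer's
    // default in place so a typo in the constant cannot silently break mail.
    if ( filter_var( $sender, FILTER_VALIDATE_EMAIL ) === false ) {
        return;
    }

    $phpmailer->Sender = $sender;
}
add_action( 'phpmailer_init', 'mfm_set_envelope_sender' );
```

After dropping the file in place, send a test message (a comment notification or a password reset will do) and confirm in /var/log/maillog that the postfix/pickup line shows from=<noreply@...> rather than the apache account, as in the log excerpt above. The envelope sender is also the address SPF is evaluated against and the address bounces are returned to, so use a mailbox on a domain whose SPF record permits this server and that somebody actually reads.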
Ubuntu 8.04 Firefox and Glubble
It was time to give my 7 year old daughter access to her own computer. She only spends about 30 – 60 minutes a day on the computer but it can be a challenge on some days when mom and daughter are vying for time with the family computer. As you already know I’m a big supporter of CentOS. However, I would be the first to admit that CentOS is not very user friendly and certainly not the best Linux distribution for any laptop or desktop computer. I have been hearing a lot of encouraging comments from friends and industry professionals about Ubuntu Linux. I know firsthand how difficult it can be to secure a Windows XP desktop in the hands of a 7 year old, not to mention how costly it can be when you start to add up all the software you need to purchase. I decided to load Ubuntu and give it a quick test run. I was evaluating several different criteria including performance (running some old hardware) and ease of use.
I had installed Ubuntu using the original Ubuntu 8.04 LTS Desktop Edition which required 242 patches/upgrades to be installed after I installed the operating system. I believe Ubuntu has since released a slipstreamed version (8.04.1) with the latest and greatest patches and upgrades since June 2008. The initial install along with the subsequent updates was very painless, I just sat back and let the software do the work.
I was very pleased with the performance and the ease of use of Ubuntu. Now I just needed to find some solution to help make sure that my daughter didn’t mistakenly end up on some shady website. I stumbled across Glubble, a Firefox Add-on which allows you to control which websites your children can visit. Your child can also request access to additional websites, which a parent must then authorize.
If you are a parent looking to provide a safe experience for your child while he/she surfs the Internet I would highly recommend Glubble!
Cheers!
Domain Name Server patch
Last week there was a flurry of information revolving around a new security flaw (a cache-poisoning weakness) in the Domain Name System — software that acts as the central nervous system for the entire Internet.
On Tuesday July 8, 2008 a number of vendors including Microsoft, Cisco, Juniper and RedHat released patches and/or acknowledged the flaw existed. The Internet Systems Consortium (ISC), the group responsible for development of the popular Berkeley Internet Name Domain (BIND) server, the most widely deployed DNS server software, also acknowledged the flaw and released a patch.
I personally spent about 90 minutes last Wednesday updating several internal and external systems including numerous CentOS v5.2 servers and Windows 2003 Service Pack 2 servers. I was unable to find any mention of the DNS flaw on the Alcatel-Lucent website so I’ll probably need to place a call concerning Alcatel-Lucent’s VitalQIP product.
I used yum to patch the CentOS Linux servers ["yum update"] and then just restarted the named process ["service named restart"]. On the Windows 2003 Service Pack 2 servers I used Windows Update to download and install KB941672 after which I rebooted the servers.
Here are some references:
http://www.theregister.co.uk/2008/07/09/dns_fix_alliance/
http://www.networkworld.com/news/2008/071008-patch-domain-name-servers-now.html
http://www.networkworld.com/news/2008/070808-dns-flaw-disrupts-internet.html
http://www.networkworld.com/podcasts/newsmaker/2008/071108nmw-dns.html
http://www.us-cert.gov/cas/techalerts/TA08-190B.html
http://www.microsoft.com/technet/security/bulletin/MS07-062.mspx
I would strongly suggest that all network administrators start looking into patching their DNS servers as soon as possible.
Cheers!
UPDATE: July 14, 2008
Here’s an update from RedHat concerning the configuration (named.conf) of BIND:
We have updated the Enterprise Linux 5 packages in this advisory. The default and sample caching-nameserver configuration files have been updated so that they do not specify a fixed query-source port. Administrators wishing to take advantage of randomized UDP source ports should check their configuration file to ensure they have not specified fixed query-source ports.
It seems that a check of the configuration file would be in order. Let me throw in a quick warning, though: if your DNS server is sitting behind a firewall you may need to check with the firewall administrator to understand how the firewall will behave if you randomize your source ports. I believe there are quite a few firewalls out there that only expect to see DNS traffic sourced from a DNS server on UDP/53.
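Red Hat’s note comes down to one thing to look for in named.conf: a query-source (or query-source-v6) statement that names a numeric port, which pins every outgoing query to that port and switches off the randomization the patch depends on. The following is an added check written for this page, not part of the original post or of BIND; the two named.conf fragments are constructed sample input, and the function and variable names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): find a fixed query-source
# port in a BIND named.conf. Pinning the port (e.g. "port 53") disables
# the source-port randomization the July 2008 patch relies on.

# Usage: find_fixed_query_source_port /etc/named.conf
# Prints the offending lines with line numbers; exits 0 if a fixed port is
# set, 1 if not. Comments (// and #) are stripped first so a commented-out
# line is not a false positive. "port *" means random and is not matched.
find_fixed_query_source_port() {
    sed -e 's|//.*||' -e 's|#.*||' "$1" \
      | grep -n -E 'query-source(-v6)?[^;]*[[:space:]]port[[:space:]]+[0-9]+'
}

# Constructed sample: the weak setting the Red Hat advisory warns about.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
options {
    directory "/var/named";
    query-source address * port 53;
};
EOF

# Constructed sample: the corrected setting. With the port left out, or
# given as "port *", BIND picks a random source port for each query.
RANDOM_CONF=$(mktemp)
cat > "$RANDOM_CONF" <<'EOF'
options {
    directory "/var/named";
    // query-source address * port 53;   (old line, now disabled)
    query-source address * port *;
};
EOF

for conf in "$WEAK_CONF" "$RANDOM_CONF"; do
    if find_fixed_query_source_port "$conf"; then
        echo "$conf: fixed query-source port found; remove it and run 'service named restart'"
    else
        echo "$conf: query source port is randomized"
    fi
done
```

Run the function against the real file (/etc/named.conf, or /etc/named.caching-nameserver.conf on a CentOS 5 caching-only server) after the yum update; a clean run still leaves the firewall question above to be settled before restarting named.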
Good Luck!

