Postfix and SASL Unix Auth

/etc/postfix/main.cf

Configure the Postfix MTA to support SASL

smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus

/etc/postfix/master.cf

Do not run the Postfix smtpd service in a chroot environment (chroot column set to n)

smtp inet n - n - - smtpd

/etc/postfix/sasl/smtpd.conf

Tell Postfix where to find the saslauthd socket file

pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
mech_list: PLAIN LOGIN

/etc/pam.d/smtp

Configure PAM to support local Unix authentication for the SMTP daemon

auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so

Finally, make sure saslauthd is running and pointing to the right directory

/usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5

Here is a Python script to test the authentication

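#!/usr/bin/env python3
"""Test SMTP AUTH (SASL) against a Postfix server over STARTTLS."""

import argparse
import smtplib
import sys

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Tests SASL')
    parser.add_argument('--username', '-u', dest='username', required=True, help='Username')
    parser.add_argument('--password', '-p', dest='password', required=True, help='Password')
    parser.add_argument('--host', '-H', dest='host', required=True, help='SMTP Hostname')
    parser.add_argument('--port', '-P', dest='port', type=int, default=25, help='SMTP Port')

    args = parser.parse_args()

    server = smtplib.SMTP(args.host, args.port)
    # Debug level 1 prints the whole SMTP dialogue, including the
    # base64-encoded credentials sent with AUTH.
    server.set_debuglevel(1)
    server.ehlo()
    # Upgrade to TLS before AUTH. Without an explicit SSLContext,
    # smtplib does not verify the server certificate.
    server.starttls()
    # EHLO again: the server re-advertises its extensions after TLS.
    server.ehlo()
    # Raises smtplib.SMTPAuthenticationError if the login is rejected.
    server.login(args.username, args.password)
    server.quit()

    sys.exit(0)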
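
The settings above offer PLAIN and LOGIN and set only noanonymous, so unless smtpd_tls_auth_only = yes is also set, Postfix advertises AUTH on unencrypted connections as well. The following check is an added example, not part of the original post; the function names are hypothetical and the sample input is the configuration shown above.

```python
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_main_cf(text):
    """Parse main.cf into a dict, honouring '#' comments and continuation lines."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:     # leading whitespace continues the previous value
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            key = name.strip()
            params[key] = value.strip()
    return params

def parse_mech_list(smtpd_conf):
    """Return the Cyrus SASL mech_list as a set, or None if the file sets none."""
    for line in smtpd_conf.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() == "mech_list":
            return set(value.upper().split())
    return None

def audit(main_cf, smtpd_conf):
    """Return findings for SASL settings that expose passwords on cleartext SMTP."""
    params = parse_main_cf(main_cf)
    if params.get("smtpd_sasl_auth_enable", "no") != "yes":
        return []
    mechs = parse_mech_list(smtpd_conf)
    plain = PLAINTEXT_MECHS if mechs is None else mechs & PLAINTEXT_MECHS
    options = set(re.split(r"[,\s]+", params.get("smtpd_sasl_security_options", "noanonymous")))
    findings = []
    if plain and params.get("smtpd_tls_auth_only", "no") != "yes" and "noplaintext" not in options:
        findings.append("AUTH %s offered before STARTTLS" % "/".join(sorted(plain)))
    if "noanonymous" not in options:
        findings.append("anonymous SASL mechanisms allowed")
    return findings

# The settings from this page, embedded as sample input.
PAGE_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
"""
PAGE_SMTPD_CONF = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"
```

Calling audit(PAGE_MAIN_CF, PAGE_SMTPD_CONF) reports the cleartext AUTH finding; appending smtpd_tls_auth_only = yes to the main.cf text clears it.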

Icinga: Could not stat() command file

I’ve just installed Icinga 1.6x on an Ubuntu box and was faced again with this annoying error:

Error: Could not stat() command file ‘/var/lib/icinga/rw/icinga.cmd’!

I’ve played around with chmod, chown, chgrp and with the icinga and apache user. Finally I figured out that it could be an error in the Ubuntu package. This solved the error, even if you restart the service:

service icinga stop

dpkg-statoverride --update --add nagios www-data 2710 /var/lib/icinga/rw/

dpkg-statoverride --update --add nagios nagios 751 /var/lib/icinga/

service icinga start

Getting IP from Linux CLI with Bash

I’ve just written a Bash script for an automation, and for this I needed the IP of my system.

I’d like to share this little snippet with you:

/bin/ip -f inet -o addr | grep eth0 | grep -oP '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?=/)'

Do you know a better way? Feel free to comment.


JMeter/Java Exceptions with SSL secured websites

Last week I had to set up a JMeter test suite for performance measurement of an SSL-secured website. No big deal, I thought, but I was completely wrong! In the end it took about one day to get rid of the annoying error below. At this point I need to mention that the server is running with a self-signed certificate and Apache 2.x.

For each request the client throws either a NullPointerException or an SSLPeerUnverifiedException.

Java HTTP Client 4.0

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
    at org.apache.jmeter.protocol.http.sampler.HTTPHC4Impl.sample(HTTPHC4Impl.java:277)
    at org.apache.jmeter.protocol.http.sampler.HTTPSamplerProxy.sample(HTTPSamplerProxy.java:62)
    at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1054)
    at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1043)
    at org.apache.jmeter.threads.JMeterThread.process_sampler(JMeterThread.java:416)
    at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:271)
    at java.lang.Thread.run(Thread.java:680)

Java HTTP Client 3.1

javax.net.ssl.SSLException: java.lang.NullPointerException
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1692)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1675)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1601)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:93)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
    at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
    at org.apache.jmeter.protocol.http.sampler.HTTPHC3Impl.sample(HTTPHC3Impl.java:249)
    at org.apache.jmeter.protocol.http.sampler.HTTPSamplerProxy.sample(HTTPSamplerProxy.java:62)
    at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1054)
    at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1043)
    at org.apache.jmeter.threads.JMeterThread.process_sampler(JMeterThread.java:416)
    at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:271)
    at java.lang.Thread.run(Thread.java:680)
Caused by: java.lang.NullPointerException
    at org.apache.jmeter.util.keystore.JmeterKeyStore.getAlias(JmeterKeyStore.java:139)
    at org.apache.jmeter.util.JsseSSLManager$WrappedX509KeyManager.chooseClientAlias(JsseSSLManager.java:380)
    at com.sun.net.ssl.internal.ssl.AbstractWrapper.chooseClientAlias(SSLContextImpl.java:262)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:639)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:238)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:637)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:88)
    ... 16 more

I spent most of the investigation time on the JMeter/Java side. I played around with the Java keystore, created new certificates and searched through internet forums.

From one second to the next I had the solution. The website is running in a VirtualHost container in Apache. The server is configured to serve sites as name-based virtual hosts. The SSL configuration is also done inside the virtual host configuration. Browsers support this configuration without any problems. It’s hard to point to any error at this point. I know from my previous employer that we configured a single separate IP for each SSL-secured VirtualHost in Apache.

After configuring the website as a standalone site, outside a VirtualHost container, everything worked perfectly.

If anyone has an idea how this problem could be solved from the Java side, or has an explanation why this is as it is, I would be interested!

Update:

There is a technology called SNI (Server Name Indication), which makes a TLS handshake between client and server possible on a per-hostname basis. It looks like Java 7 will support SNI. Is there no way to support SNI with Java versions below 7?

 


Getting in contact with OpenStack

Until now, I was only able to deploy some VMs on my Mac mini server with VMware Fusion on it. This worked okay so far… Because the Mac mini is reaching its second birthday, it does not power VMs very well. Also, to keep the VMs powered on, I always need to stay logged in with the user, and of course management is only possible through VNC directly on the server.

That was the reason for me to rent some virtual machines from rackspacecloud.com. Seriously, rackspacecloud is impressive! But keeping two or more VMs up and running for more than a month is a really expensive playground! Moving to Amazon’s EC2 wasn’t an option either. So I decided to buy an extremely low-end, cheap, virtualisation-capable server. After some research (the hardware should be compatible with ESXi, just in case), I built the following server for myself:

Case: Asus Vintage V8-P8H67E, Intel H67, Socket 1155, USB 3.0 (about 170$)

CPU: Intel Core i5 2500 BOX, 3.3GHz, LGA 1155, 4C/4T (about 200$)

RAM: Kingston ValueRAM, 3×4 GB, DDR3-1333, CL9 (about 60$)

Raid (optional): Adaptec RAID 2405, 4-Channel SAS/SATA, low profile (about 200$)

Additional Network: Intel PWLA8391GTBLK Pro 1000GT Gigabit Adapter PCI, Bulk (about 30$)

VLAN Gigabit Switch: HP ProCurve Switch V1810G-8 8 Port 10/100/1000 Mbps, SFP (about 110$)

Harddisk: got some at home

The result is a box with 100% virtualisation support (vPro, VT-x, VT-d, 64-bit) and 12 GB RAM, small in form and silent too.

In the past I’ve landed several times on openstack.org during research into automating virtualisation infrastructures. OpenStack is a framework for building private clouds. OpenStack promises a virtualisation ecosystem with all the components needed to build a perfect world. The project looks very mature and there are a lot of partners supporting it. OpenStack also supports a wide range of hypervisors, though they strongly recommend using KVM for virtualisation. I will give the project a try…

 


Safari 5.1 does not like https sites

After the update to OS X 10.7 Lion, which ships Safari 5.1, I could no longer open any HTTPS sites with Safari. After googling around I found the solution. You just have to delete the following file:

~/Library/Preferences/com.apple.security.revocation.plist

That’s all…

Since I updated to 10.7 I’ve been faced with several bugs! Huge bugs, which prevent me from working productively!


iTunes sharing over VPN

If you are one of those people who have VPN access to their home IT infrastructure, you may have wondered why iTunes sharing does not work while connected to the VPN. This is due to a limitation of VPN, which does not forward any broadcast/multicast messages. But there is help! With the tool Network Beacon you are able to send self-created beacons over the VPN connection to a remote device. I’ve tried it, and it’s working like a charm!


The Thing with eBooks


More and more I buy books in eBook format, though so far only technical ones. I always have the book with me on all my mobile devices, can search for keywords and of course also highlight and annotate passages. I am convinced that my bookshelf will feel more and more neglected. The only thing I haven’t quite figured out yet is the thing with the bookmarks ;)

Unfortunately, Apple has not yet managed to bring the iBook Store to Switzerland. For this reason my fingers get cut on the virtual paper of books from Amazon’s Kindle Store. Apple will not have an easy time if they eventually do come with the iBook Store, since books from the Kindle Store probably cannot be transferred.


How Gifts Are Given Today

My brother is getting married soon. For this reason I created a website for him and his fiancée (http://corinnastefan.ch). The question quickly arises of how to handle the topic of gifts.

A few hours of work, and a small but fine WordPress plugin is written. Through a central database, gifts can be entered by the bridal couple, and the guests can conveniently contribute to gifts. As soon as I find time, I will smooth the last edges and rough sides of the plugin and upload it to wordpress.org as an official plugin.

Here is the plugin in action.


Getting Autoupdate working on WordPress

WordPress requires at least PHP version 5.2.4. If you have an older version you may have trouble getting WordPress autoupdate working as expected. I spent some hours getting it working. Finally I found a way… I have no clue if this is the only way, but it works for me, and yes, it’s a really dirty hack! So please do it only if you really know what you’re doing!

These steps were done with the current 3.1.3 release of WordPress.

1. Add the following settings to your wp-config.php and be sure you’ve removed all other entries beginning with FTP_* and FS_*:

define('FTP_BASE', '/home/path/to/your/site');
define('FTP_CONTENT_DIR', '/home/path/to/your/site/wp-content/');
define('FTP_PLUGIN_DIR', '/home/path/to/your/site/wp-content/plugins/');
define('FS_METHOD', 'direct');

2. Comment out lines 138 to 141 in /wp-admin/includes/class-wp-upgrader.php

if ( !empty($upgrade_files) ) {
     foreach ( $upgrade_files as $file )
          $wp_filesystem->delete($upgrade_folder . $file['name'], true);
}

so that it reads:

/*if ( !empty($upgrade_files) ) {
     foreach ( $upgrade_files as $file )
          $wp_filesystem->delete($upgrade_folder . $file['name'], true);
}*/

3. Add the following line after line 144

$working_dir .= "dirtyhack";

This should finally look like this:

//We need a working directory
$working_dir = $upgrade_folder . basename($package, '.zip');
$working_dir .= "dirtyhack";

Yes, this really is a DIRTY HACK… If you know a better way, let me know… It works for me.

If you upgrade WordPress core automatically, all these changes are lost!
