Internet Express for Tru64 UNIX Version 6.10 Administration Guide Abstract This document describes how to use the Administration utility for HP Internet Express to manage a Web server and the Internet services provided with the product.
© Copyright 2010, 2011 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
About This Document  12
  Intended Audience  12
  Document Organization  12
  Typographic Conventions
Displaying User Account Information  47
Deleting User Accounts  48
Changing Groups for User Accounts  49
Changing the Password for an Account
Synchronizing with a Password File  83
Adding a Group Entry  83
Maintaining Group Membership  84
Deleting a Group Entry
Creating a New Mail Filter  110
Adding the Sample Filter Using the Administration Utility  110
Testing the New Filter  110
Configuring Queues  111
Adding a Queue
Controlling the UW IMAP Server  135
Configuring SSL for UW-IMAP  136
Viewing the IMAP Server Log  136
IMP Webmail Administration
FireScreen Administration  170
Installing FireScreen  171
Configuring FireScreen  175
Setting Command-Line Options
Refreshing an Entry  200
Controlling Client-Side Schema Checking  200
Adding a New Directory Entry  201
Modifying a Directory Entry  201
Deleting a Directory Entry
Configuring Share Parameters  222
Controlling Printers  223
Viewing the Status of the Server  223
Viewing the Current Configuration  223
Administering Passwords
17 PostgreSQL Database and MySQL Administration  249
Installing PostgreSQL  249
Starting and Stopping PostgreSQL Server  249
Viewing the PostgreSQL Log File  250
Administering PostgreSQL Accounts
About This Document This manual describes how to use the HP Internet Express for Tru64™ UNIX Administration utility to configure and manage Internet software components supplied with the product kit. Information on managing components that are not configured through the Administration utility is also included in this document, as well as information on managing user accounts.
• Chapter 19 describes how to start jabber.
• Chapter 20 describes how to start twiki.
• Chapter 21 describes how to set up client and server for secure sessions.
• Appendix A describes how to create a certificate of authority, and also includes a sample mail filter.
• The Glossary contains a glossary of terms used in this manual.
This manual also contains an index.
Related Information The Internet Express Documentation Bookshelf provides access to the following documents: • Release Notes — This manual includes release notes for Internet Express. • Read This First — This manual describes the contents of the kit. • Installation Guide — This document describes how to install the administration software and Open Source Internet software provided on the Internet Express for Tru64 UNIX Installation and Documentation CD–ROM.
The Internet Express documentation files are installed in the /usr/internet/docs/IASS directory. • You can access the Documentation Bookshelf installed on your system by entering the following URL (substituting the name of your system for hostname) in your browser: http://hostname/documents/bookshelf.html • You can also read the installed documentation directly from the file system using a Web browser running on the same system by using the file URL: file:/usr/internet/docs/IASS/bookshelf.
/usr/share/man
/usr/local/man
/usr/internet/pgsql/man
/usr/internet/openldap/man
/usr/news/man
/usr/local/samba/man
/usr/internet/httpd/man
/usr/opt/hpapache2/man
You can specify an alternative search path when entering the man command by using the -M or -P option; for example:
# man -M /usr/news/man active.5
You can also define the man command's MANPATH environment variable on the command line or in a file, such as your .profile file or .login file.
• The full title of the document • The section numbers and page numbers of the information on which you are commenting • The version of Tru64 UNIX and Internet Express that you are using • If known, the type of processor that is running Tru64 UNIX The Tru64 UNIX Publications Group cannot respond to system problems or technical support inquiries. Please address technical questions to your local system vendor or to the appropriate HP technical support office.
1 Using the Administration Utility The Administration utility for Internet Express helps you manage Internet services and the AlphaServer system through a Web browser. Because you use a browser to perform these tasks, you are not expected to be familiar with Tru64 UNIX. The Administration utility is a set of CGI programs that use a configured instance of the Secure Web Server (powered by Apache) on port 8081.
Using the Administration Utility Main Menu Figure 1 shows the Administration utility for Internet Express Main Menu. Figure 1 Administration Utility Main Menu Table 1 shows which selection to make from the Administration utility Main menu, depending on the task you want to perform. Note: The availability of certain administration tasks depends on the Internet Express components installed on your system.
Table 1 Administration Utility Menu Options and Tasks (continued)
Menu Options / Tasks
• InterNetNews (INN) administration (Chapter 15)
• Internet Relay Chat (IRC) Server administration (Chapter 16)
• PostgreSQL account administration (Chapter 17)
• MySQL account administration (Chapter 17)
• BIND domain name server (Chapter 18)
• Install/Remove Components: Install or remove components (Section : Installing and Removing Components).
Figure 2 Sample Administration Utility Form Every Administration utility form has the following properties:
• A navigation bar at the top of the form (Section : Navigating the Administration Utility)
• The name of the form (in Figure 2, Create Generic User Accounts)
• Text fields, list boxes, buttons, and other input fields for collecting data and transmitting it to the Administration utility
• Submit, Reset, or Clear buttons (separated from the data area by a short horizontal rule):
  ◦ The Submit button transmits the data you specified on the form to the Administration utility
  ◦ The Reset button (not shown in Figure 2) erases the data you specified and restores the default values (if any)
  ◦ The Clear button erases the data in all fields
Some forms have additional links at the bottom of the form (for example, the form for managing the Secure Web Server provides a link to the Apache documentation on the Apache Web site). To complete the form shown in Figure 2, follow these steps: 1.
Note: A user who accesses the Administration utility is granted the ability to access privileged files and perform system management tasks until exiting from the browser. The user retains privileges even when browsing files that are not part of Internet Express. Do not leave an Administration session unattended. Also, limit access to the admin account to those individuals authorized to perform Internet system management tasks.
Using Internet Express Services in a Cluster If you are running Internet Express in a cluster, be aware of the following considerations:
• For all services, use the cluster alias to access the service to provide highest availability. All services have been configured to allow the cluster alias to be used.
• InterNetNews, Squid, Internet Relay Chat, OpenLDAP, and Tomcat run as single-instance servers. Only one instance of these servers will be run within the cluster. The /sbin/init.
one line per file, that includes fields with the table category name, component title and description, and URL link. Each field must be separated by a semi-colon to ensure the file is correctly parsed for display in the Manage Components table. The category name can be the same as an existing category or a completely new category. The following example is the menu configuration file for the IMP Webmail component. (The IMP Webmail component is part of the Mail category in the Manage Components table.
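The menu configuration file format described above (one line per component, with category, title, description and URL separated by semicolons) is simple enough that a strict parser is a useful check before a file is dropped into place. The following is an added example, not code shipped with Internet Express: the sample lines, the field order, the `MenuEntry` and `parse_menu_config` names and the URL acceptance policy are all assumptions of this example. It rejects lines with the wrong number of fields (a stray semicolon in a description would otherwise shift the URL into the wrong column) and accepts only site-relative paths or http(s) URLs, since the link is rendered into the administration page.

```python
"""Parser and validator for an Internet Express component menu configuration
file (added example; not the product's own code). Format, as described in the
guide: one line per file, fields separated by semicolons, in the order
category; title; description; URL. Sample lines below are constructed."""
from dataclasses import dataclass
from typing import List

FIELD_NAMES = ("category", "title", "description", "url")


@dataclass
class MenuEntry:
    category: str
    title: str
    description: str
    url: str


class MenuConfigError(ValueError):
    """Raised for a line the Manage Components table could not display."""


def parse_menu_line(line: str, lineno: int = 0) -> MenuEntry:
    # Split on ';' only; the field count is checked strictly because an extra
    # semicolon inside a description would push the URL into another column.
    fields = [f.strip() for f in line.rstrip("\n").split(";")]
    if len(fields) != len(FIELD_NAMES):
        raise MenuConfigError(f"line {lineno}: expected {len(FIELD_NAMES)} "
                              f"semicolon-separated fields, got {len(fields)}")
    for name, value in zip(FIELD_NAMES, fields):
        if not value:
            raise MenuConfigError(f"line {lineno}: empty {name} field")
    entry = MenuEntry(*fields)
    # Assumed acceptance policy for the link column: a site-relative path or an
    # absolute http(s) URL, with no HTML metacharacters that could break out of
    # the rendered table cell.
    if not (entry.url.startswith("/") or entry.url.startswith(("http://", "https://"))):
        raise MenuConfigError(f"line {lineno}: unsupported URL {entry.url!r}")
    if any(ch in entry.url for ch in "<>\"'"):
        raise MenuConfigError(f"line {lineno}: URL contains HTML metacharacters")
    return entry


def parse_menu_config(text: str) -> List[MenuEntry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored (assumption)
        entries.append(parse_menu_line(line, lineno))
    return entries


def line_is_valid(line: str) -> bool:
    try:
        parse_menu_line(line)
        return True
    except MenuConfigError:
        return False


def categories(text: str) -> List[str]:
    """Distinct category names in file order (the table groups entries by these)."""
    seen: List[str] = []
    for entry in parse_menu_config(text):
        if entry.category not in seen:
            seen.append(entry.category)
    return seen


# Constructed samples: one well-formed entry, one with a missing field, one
# with a link scheme the table should not render.
SAMPLE_OK = "Mail;IMP Webmail;Administer the IMP Webmail component;/admin/cgi-bin/imp_admin\n"
SAMPLE_MISSING_FIELD = "Mail;IMP Webmail;/admin/cgi-bin/imp_admin\n"
SAMPLE_BAD_URL = "Mail;IMP Webmail;Administer IMP;mailto:admin@example.invalid\n"

if __name__ == "__main__":
    for entry in parse_menu_config(SAMPLE_OK):
        print(entry)
```

Run the file on its own to see the parsed sample entry; `line_is_valid` gives a yes/no answer for a single line, which is the convenient hook for a pre-install check over a whole directory of menu files.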
Figure 3 Manage Components Menu Accessing Web-Based System Management Tools This section describes the system management options available from the Internet Express Administration utility.
Tuning Kernel Attribute Values By tuning attribute values in the following kernel subsystems, you can optimize the Internet-related services running on your AlphaServer system for various process loads, system configurations, network topologies, and other conditions:
• Generic subsystem (generic)
• Internet subsystem (inet)
• Network subsystem (net)
• Process subsystem (proc)
• Socket subsystem (socket)
• Virtual memory subsystem (vm)
For detailed information on how each kernel subsystem attribu
Boot-Time Value changes are set in the system configuration file (/etc/sysconfigtab) and take effect the next time you boot the system.
6. After you submit the form, it is redisplayed and shows the attribute value changes that you made. Reboot the operating system for these changes to take effect. When you reboot, the boot-time attribute values become the run-time attribute values and the run-time values you previously set are lost.
2 Where to Find More Information This chapter contains a list of Web sites and other information sources that are relevant to the administration of Internet Express for Tru64 UNIX. The list includes links to Web sites dealing with Internet Express products and services, and system security, as well as links to commercial and nonprofit organizations on the World Wide Web that might be of interest. Note: The URLs and contents of sites listed here are subject to change.
expect http://expect.nist.gov/ expect is a tool for automating and testing interactive applications, such as telnet, FTP, passwd, fsck, rlogin, tip, and so on. Exploring Expect: A Tcl-Based Toolkit for Automating Interactive Applications (ISBN 1-56592-090-2), written by Don Libes and published by O'Reilly & Associates, is an excellent source of information. The expect homepage provides access to FAQs, examples, contributed scripts, and software. Firefox http://www.mozilla.
InterNetNews (INN) is a complete usenet system that provides tools to manage newsfeed services, including connections to external newsfeed configurations and control of client access to newsgroups. The Internet Software Consortium homepage for the INN server provides release notes and access to the latest kit. For more information on newsfeeds and the InterNetNews Server, see the Usenet and InterNetNews document by Thomas Podnar and the set of FAQs by Tom Limoncelli in /usr/internet/docs/inn/nntp.ps.
MySQL MySQL is an open source database management system that relies on SQL for processing the data in the database. MySQL is most commonly used for Web applications and for embedded applications and is a popular alternative to proprietary database systems. http://www.mysql.com OpenLDAP http://www.openldap.org The Lightweight Directory Access Protocol (LDAP) is an Internet standard directory service protocol that runs over TCP/IP.
PostgreSQL Relational Database Management System http://www.postgresql.org PostgreSQL is an object-relational database management system, supporting many SQL constructs. PostgreSQL is a required component for the Internet Monitor, but it can also be installed as a separate component with Internet Express. The Internet Express kit includes PostgreSQL documentation in the source tar files on the Internet Express "Installation and Documentation" CD-ROM.
The Internet Express kit includes documentation on Squid in the /usr/internet/docs/squid directory. Struts http://struts.apache.org/ Apache Struts is a free open-source framework for creating Java web applications. TCP Wrapper ftp://ftp.porcupine.org/pub/security/index.html TCP Wrapper intercepts an incoming network connection and verifies that the connection is allowed before passing the connection to the network daemon. TCP Wrapper is configured through the /etc/hosts.allow file.
The Computer Emergency Response Team (CERT) is a clearinghouse for security-related events that occur in the Internet community. If you are an administrator, subscribe to the CERT mailing list and frequently check the CERT advisories. CERT works with the Internet community to facilitate the community's response to security events involving hosts, takes proactive steps to improve the community's awareness of security issues, and conducts research aimed at improving the security of existing systems.
Encompass http://www.encompassus.org Encompass, formerly DECUS (US Chapter), is an association of information technology professionals who share a common interest in the products, services, and technologies of Hewlett-Packard Company. From their homepage, you can find connections to member services, local user groups, training, events, and publications.
3 User Administration The Manage Users menu lets you perform a variety of user account management functions. To access this menu: 1. From the Internet Express Administration Utility Main menu, choose Manage Components. The Manage Components menu is displayed. 2. From the Manage Components menu, under Users, choose Manage Users. The Manage Users menu is displayed (Figure 4).
• Change an account's password (see Section : Changing the Password for an Account) • Change an account's mail service (see Section : Changing Mail Services for Users) • Manage the iass account (see Section : Managing the iass Account) • Allow users to self-manage their accounts (see Section : Managing the User Self-Administration Feature) Overview of User Accounts The Administration utility supports the management of the following types of user accounts: • Captive accounts for named users—You can
Note: Whenever you use the Administration utility to manage user accounts, you may see a message displayed in a box titled Security Information warning you that some unencrypted information may be transmitted over the network. Click on Continue to continue the operation. You can temporarily disable this message by clearing the checkmark in front of Show This Alert Next Time.
You can also access the ~iass/.users.list using the Manage iass Account menu item (see Section : Managing the iass Account). Searching for User Accounts Several user management tasks (such as displaying or deleting user accounts or changing groups) require you to select the user accounts on which you want to operate.
Figure 6 Selecting User Accounts To return the criteria in the User Account Selection Criteria frame to their default values, click on Reset. If you do not clear or reset the previous choices, they remain in effect to be used in a subsequent query. You can omit an individual selection criterion from subsequent queries by turning off its associated checkbox. Assigning Users to Groups When you create a user account, you can assign the user to from one to four logical categories called groups.
For captive Internet Express users, group assignment is optional. You can select up to four groups to associate with an Internet Express user account. The Administration utility automatically assigns IASS_Usr (or Lkr_Usr_, if it exists from a previously installed version of Internet Express) as the primary group to Internet Express captive accounts.
Figure 7 Creating a Named User Account When the captive account for the named user is successfully added to the system, the Administration utility displays information about the account on a confirmation page. Creating Captive Accounts for Generic Users You can create a single Internet Express generic user account, or multiple accounts at once, with system-generated user names and passwords.
Figure 8 Creating Generic User Accounts For example, suppose you specify guest as the prefix and 3 as the number of users. If no existing user name matches the specified prefix (guest), the Administration utility creates accounts for guest1, guest2, and guest3. If any of the combinations of prefix and number results in an existing account name, the utility increments the number by one and tests to be sure this results in a unique account name.
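The naming rule described above (prefix plus a number, with the number bumped past any name that already exists) is straightforward to implement and to check. The following is an added example, not the Administration utility's code: it takes the prefix, the number of users and the set of existing login names, which here is read from a constructed /etc/passwd excerpt, and returns the names the utility would create. The alphanumeric restriction on the prefix is an assumption of the example.

```python
"""Generic account naming as described in the guide: prefix + number, with the
number incremented past any existing account name (added example; not the
Administration utility's own code). The passwd excerpt is constructed."""
from typing import Iterable, List, Set


def existing_logins(passwd_text: str) -> Set[str]:
    """Login names from /etc/passwd-style text (the first colon-separated field)."""
    names: Set[str] = set()
    for line in passwd_text.splitlines():
        if line.strip() and not line.startswith("#"):
            names.add(line.split(":", 1)[0])
    return names


def generate_account_names(prefix: str, count: int, existing: Iterable[str]) -> List[str]:
    """Return `count` names of the form prefix+number that collide neither with
    `existing` nor with each other. On a collision the number is incremented
    by one and the new candidate is tested again, as the guide describes."""
    if count < 1:
        raise ValueError("number of users must be at least 1")
    if not prefix.isalnum():
        raise ValueError("prefix must be alphanumeric")  # assumed restriction
    taken: Set[str] = set(existing)
    names: List[str] = []
    number = 1
    while len(names) < count:
        candidate = f"{prefix}{number}"
        number += 1
        if candidate in taken:
            continue  # an account of that name already exists; try the next number
        taken.add(candidate)  # also keeps names within this batch unique
        names.append(candidate)
    return names


# Constructed sample: guest2 already exists, so it must be skipped.
SAMPLE_PASSWD = """\
root:*:0:1:System PRIVILEGED Account:/:/bin/sh
guest2:*:1007:200:Generic user:/home/guest2:/bin/sh
"""

if __name__ == "__main__":
    print(generate_account_names("guest", 3, existing_logins(SAMPLE_PASSWD)))
```

With the sample passwd excerpt the result is guest1, guest3 and guest4, because guest2 is taken; with no existing accounts it is guest1 through guest3, matching the guide's example.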
• Specify and verify the user password (see Section : Assigning Passwords to User Accounts). If you do not specify a password, the system generates one. • Specify a user identifier (UID). You can enter a UID greater than 105 (up to the maximum UID value available on the system), but if you leave the user ID field blank, the Administration utility assigns the next available UID from the list maintained in the /etc/passwd file.
Figure 9 Creating a System User Account Creating Groups To create a user group, follow these steps: 1. From the Manage Users menu, choose Create Groups. 2. On the Create Groups form, enter the name of the new group you want to create in the Unique Group Name field. (The names of existing groups are displayed in the Available Groups list box as a convenience.) Use only alphabetic, numeric, or combinations of alphabetic and numeric characters.
Note: On a system using the Network Information Services (NIS), you cannot create a group name that conflicts with an NIS group name even if that name does not exist in your local /etc/group file. Figure 10 Creating Groups Displaying User Account Information You can display user account information for any number of selected users. (See Section : Searching for User Accounts for instructions on searching for users.)
Figure 11 Displaying User Account Information Note: On a system using the Network Information Services (NIS), the names of UNIX system accounts (or groups) are not displayed in the User Account Names (or User Account Groups) list box, nor will any NIS user information be included in the output when you click on Submit. Deleting User Accounts You can deny a user access to the system by deleting a user's account.
4. Use one of the following methods to select user accounts:
  • Click on one or more names from the User Account list and click on Display Selected.
  • Click on Display All to select all the names in the User Account list box.
The Delete User Accounts form shows the login name, UID, primary group and login directory for each user you selected. To remove a user's home directory when the account is deleted, click on the checkbox in the Remove Directory column. (By default, a user's home directory remains on the system after the account is deleted.)
3. Use one of the following methods to select user accounts:
  • Click on one or more names from the User Account Selection List and click on Display Selected.
  • Click on Display All to select all the names in the User Name list box.
4. The Change User Secondary Groups form shows the current group assignments for the selected users. In the Secondary Groups list box, click on one or more secondary groups to which the selected users are to be assigned.
Figure 13 Changing User Account Secondary Groups Changing the Password for an Account The Change User Account Password function is useful when a user has forgotten the password for an account, or if you want to retain a user account on the system but deny access temporarily to the account. You do not need to know the current password for an account to change the account's password. You can view passwords in the .users.list file by logging into the iass account (see Section : Purging Obsolete Passwords).
1. From the Manage Users menu, choose Change User Account Password.
2. Use the User Account Selection Criteria frame to search for the user account whose password you want to change. (See Section : Searching for User Accounts for instructions on searching for users.)
3. In the resulting User Account Selection List frame, click on one user whose password you want to change and click on Display Selected.
4.
• Cyrus IMAP with Password (see Section : Assigning Cyrus IMAP with Password Mail Service) • APOP (see Section : Assigning APOP with Password Mail Service) Assigning Regular Delivery Mail Service With regular delivery, mail is delivered into the /var/spool/mail directory.
6. Optionally, you can select additional user accounts and modify their mail delivery methods by choosing User Account Selection from the navigation bar.
7. When finished, use the navigation bar at the top of the form to return to the Manage Users menu or the Home menu.
Assigning the Cyrus IMAP Mail Service To assign the Cyrus IMAP service to the users you selected, follow these steps:
1. From the Change User Account Mail Service form, choose Cyrus IMAP from the Mail Service menu.
2. Click on Submit.
7. Optionally, you can select additional user accounts and modify their mail delivery methods by choosing User Account Selection from the navigation bar.
8. When finished, use the navigation bar at the top of the form to return to the Manage Users menu or the Home menu.
Assigning APOP with Password Mail Service You can set up selected users to use POP mail with an encrypted password (using MD5 encryption). This password is stored in the popauth file, and protects the users' mail from unauthorized access.
• List User Accounts and Passwords (see Section : Listing User Accounts and Passwords) • Purge Passwords for User Accounts (see Section : Purging Passwords for User Accounts) • Remove the .users.list file (see Section : Removing the .users.list File) Listing User Accounts and Passwords Use the Manage iass Account menu to list user accounts and passwords stored in the ~iass/ .users.list file. To do this, follow these steps: 1. From the Manage Users menu, choose Manage iass Account. 2.
• Enable (or disable) the User Self-Administration feature (Section : Enabling and Disabling the User Self-Administration Feature) • Modify the Web server configuration (Section : Modifying the Web Server Configuration) • Enable (or disable) a delay in the processing of login requests (Section : Enabling and Disabling Login Delays) • Manage groups (Section : Managing User Self-Administration Groups) • Customize the User Self-Administration feature (Section : Customizing the User Self-Administration
Figure 14 Manage User Self-Administration Menu 2. From the Manage User Self-Administration menu, choose Enable/Disable User Self-Administration. The Administration utility displays the current status allowing you to enable or disable user self-administration, depending on which is appropriate. Figure 15 shows a page where the User Self-Administration feature is disabled. 3. Click on Enable to enable user self-administration. Once this feature has been enabled, the Enable button changes to Disable.
1. From the Configure Web Server for User Self-Administration form, select an SSL virtual host from the list box.
2. Enter an alias name or accept the default name. (The alias name is used to access the self-administration pages.) The alias name should begin and end with a slash (/). For example, if you set the virtual host to _default_:443 and the alias name to /SelfAdmin/, the administration pages will be accessed by https://hostname/SelfAdmin/login.php.
3. Click on the Submit button.
1. From the Manage User Self-Administration menu, choose Modify Web Server Configuration.
2. Select a Virtual Host from the list of virtual hosts or click on Remove Configurations to remove all user self-administration configurations from the httpd.conf file (Figure 17: Modify Web Server Configuration Page). When you select a virtual host, it must be configured on your system. See Section : Enabling User Self-Administration When No Web Server Configuration Exists for more information.
Managing User Self-Administration Groups The User Self-Administration feature is organized in different groups that can be enabled and disabled independently. User self-administration groups contain the following elements: • ID – A unique, short word used to identify a group. • Description – Information used as menu item text and as page headers. • Main Page – Information that identifies the file to which the user's main menu provides a link.
Figure 19 Adding Groups Deleting and Modifying Groups To modify the properties for an existing group or delete an existing group: 1. From the Manage User Self-Administration menu, choose Manage Groups. The Manage Groups form is displayed. Existing groups are listed in the Existing Group Descriptions field. 2. Select the group you want to delete or modify from this list.
• To delete a group, click on the Delete button. This will remove the group definition and menu item from the user's main menu but will not remove any files. A status message is displayed. • To modify group attributes, click on the Modify button. For built-in groups, you can only modify the Enabled status and the description string. All group attributes, except ID, are available for custom groups. a. Change the group description in the Description field. b. Change the name for the main page.
/usr/internet/httpd/admin/htdocs/osis/selfadmin/data/template.php file. You can customize the display properties of the user pages by editing defaults.inc and style.css files located in the /usr/internet/httpd/admin/htdocs/osis/selfadmin/data directory. The defaults.inc file contains paths to the image files used for the header, bullets, and link arrows. This file also contains the definition of attributes used to create the header.
4 User Authentication The Internet Express Administration utility lets you set up and manage user authentication with the LDAP Module for System Authentication, which serves as a central repository of user information for identifying and authenticating individual users. This chapter describes the following: • Section : Managing the LDAP Module for System Authentication • Section : Overview of the LDAP Client Managing the LDAP Module for System Authentication The LDAP Module for System Authentication is
Chapter 11 describes how to administer Internet Express-provided Directory servers. Default Configuration for the LDAP Module for System Authentication Internet Express configures the security matrix in the /etc/sia/matrix.conf file to use the LDAP Module for System Authentication. The security matrix consists of a list of security-related system calls and the library to be used for each call. As shown in Example 1, the siad_ses_authent and siad_ses_estab calls are configured to use the libsialdap.
Figure 20 LDAP Caching Daemon (diagram: a program calls getpwent in libc.so, which goes through the SIA library to the SIA/LDAP plug-in library; the plug-in talks over a socket, controlled by the maximum-threads setting, to the caching daemon (ldapcd); the daemon's cache is controlled by the expire-entries and expire-cache settings, and its network connection to the LDAP directory server by the active-connections setting)
Configuration information used by the LDAP caching daemon and the provided tools is read from the configuration file /etc/ldapcd.conf.
Example 2 LDAP Caching Daemon Configuration File
#
# directory server and port, active ldap connections cached
# by the daemon, max worker threads started
#
directory: host.xyz.
The value of pw_cachesize determines how many individual passwd entries are allowed to be cached. The value of pw_expirecache determines the maximum length of time that the ldapcd caching daemon will check the cache for an individual passwd entry. When the value of pw_expirecache is exceeded, the ldapcd daemon returns to the server to look for the requested passwd entry. The values for gr_cachesize and gr_expirecache work similarly to pw_cachesize and pw_expirecache, but they work for group entries.
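The practical consequence of the cache settings is that an account changed or removed on the directory server can still resolve from ldapcd's cache until its entry is older than pw_expirecache (or gr_expirecache for groups). The following is an added example, not the ldapcd source: a small model of a size-bounded, expiring cache in front of a directory lookup, with the clock injectable so the expiry window can be measured without waiting. The directory contents, the least-recently-used eviction order and the decision not to cache misses are assumptions of the model.

```python
"""Model of the ldapcd passwd/group caches governed by pw_cachesize,
pw_expirecache, gr_cachesize and gr_expirecache (added example; not the
ldapcd source). An entry is served from the cache until it is older than the
expiry, after which the directory server is asked again; at most cachesize
entries are held. A dictionary stands in for the directory server."""
import time
from collections import OrderedDict
from typing import Callable, Dict, List, Optional, Tuple

Entry = Dict[str, object]


class FakeClock:
    """Monotonic clock under test control (constructed for the example)."""

    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class ExpiringCache:
    def __init__(self, cachesize: int, expirecache: float,
                 fetch: Callable[[str], Optional[Entry]],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.cachesize = cachesize      # pw_cachesize / gr_cachesize
        self.expirecache = expirecache  # pw_expirecache / gr_expirecache, seconds
        self.fetch = fetch              # the query sent to the directory server
        self.clock = clock
        self._entries: "OrderedDict[str, Tuple[float, Entry]]" = OrderedDict()
        self.server_lookups = 0         # how often the server was actually asked

    def lookup(self, key: str) -> Optional[Entry]:
        now = self.clock()
        cached = self._entries.get(key)
        if cached is not None:
            stored_at, value = cached
            if now - stored_at <= self.expirecache:
                self._entries.move_to_end(key)  # mark as recently used
                return value
            del self._entries[key]  # expired: go back to the server
        self.server_lookups += 1
        value = self.fetch(key)
        if value is not None:  # misses are not cached (assumption)
            if len(self._entries) >= self.cachesize:
                self._entries.popitem(last=False)  # evict least recently used
            self._entries[key] = (now, value)
        return value

    def cached_keys(self) -> List[str]:
        return list(self._entries)


# Constructed directory contents standing in for the accounts branch.
DIRECTORY_USERS: Dict[str, Entry] = {
    "alice": {"uidNumber": 1001, "gidNumber": 100, "homeDirectory": "/home/alice"},
    "bob": {"uidNumber": 1002, "gidNumber": 100, "homeDirectory": "/home/bob"},
    "carol": {"uidNumber": 1003, "gidNumber": 100, "homeDirectory": "/home/carol"},
}


def stale_window(expirecache: float) -> float:
    """Seconds (at one-second granularity) after which a passwd entry deleted
    on the directory server stops resolving from the cache: the first lookup
    that misses happens just past expirecache."""
    server = dict(DIRECTORY_USERS)
    clock = FakeClock()
    cache = ExpiringCache(cachesize=2, expirecache=expirecache,
                          fetch=server.get, clock=clock)
    cache.lookup("alice")   # populates the cache
    del server["alice"]     # account removed on the directory server
    while cache.lookup("alice") is not None:
        clock.advance(1.0)
    return clock.now


if __name__ == "__main__":
    print("seconds until a deleted entry stops resolving:", stale_window(300.0))
```

`stale_window` shows why the expiry values are a security setting as much as a performance one: lowering pw_expirecache shortens how long a removed or changed entry can still be returned, at the cost of more trips to the directory server.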
5. Verify that the accounts branch works by entering the following command, substituting the values you found in step 1 for searchbase, machine_dn, and machine_pass:
/usr/local/bin/ldapsearch \
    -D "machine_dn" -w "machine_pass" \
    -b "searchbase" \
    ou=accounts
6. Use the Administration utility (or manually edit the /etc/ldapcd.
Example 3 Sample RFC 2307 User and Group Object Class Definitions
#
# Partial RFC 2307 schema.
#
# The OIDs are derived from iso(1) org(3) dod(6)
# internet(1) directory(1) nisSchema(1).
#
# Attribute types from RFC 2307
#
attribute uidNumber      1.3.6.1.1.1.1.0
attribute gidNumber      1.3.6.1.1.1.1.1
attribute gecos          1.3.6.1.1.1.1.2
attribute homeDirectory  1.3.6.1.1.1.1.3
attribute loginShell     1.3.6.1.1.1.1.4
attribute memberUid      1.3.6.1.1.1.1.
Table 4 LDAP Database Index Types
Index Type  Description
pres        Presence index. Allows for searches that return every entry that contains the indexed attribute.
eq          Equality index. Allows for searches that return the entries containing an attribute that is set to a specific value.
approx      Approximate index. Used only for string values such as commonName or givenName. Allows for phonetic searching.
sub         Substring index. Allows for searches that return entries containing a specified substring.
Notes: After you configure the LDAP Module for System Authentication, you must import users (unless you are using an existing LDAP server). For instructions on importing or exporting users and groups to and from the LDAP directory server, see Section : Importing and Exporting Users from /etc/passwd. Statically linked clients and executables (which do not use shared libraries) cannot take advantage of the LDAP Module for System Authentication loadable architecture.
Distinguished Name to cn=root,o=. The OpenLDAP Directory Server uses the password specified to access the iass login account and the administration servers for the initial Root DN Password. The System Name is the name of the system on which the LDAP directory server is running or a comma-separated list of names of systems on which replicated directory servers are running.
The remaining fields allow you to change the name of the LDAP attribute within the Object Class selected for the Password structure. The name of each attribute must be a member of the object class specified in the Object Class Name field.
• The Login Name field represents the name of the LDAP attribute to be used within the Password Object Class to store the name of a UNIX login (user) name. The default value is uid.
The remaining fields allow you to change the name of the LDAP attribute within the Object Class selected for the Group structure. The name of each attribute must be a member of the object class specified in the Object Class Name field. • The Group Name field represents the name of the LDAP attribute to be used within the Group Object Class to store the name of a UNIX user group. The default value is cn.
Importing Users into the Directory Server To import users from the /etc/passwd file and store them in the LDAP database, follow these steps: 1. Configure the LDAP server to use extended LDAP schema for UNIX account information (see Section : Extended LDAP Schema for UNIX Account Information). 2.
Access Control
By default, users defined in the LDAP database are able to log into every system which uses that database in conjunction with the LDAP Module for System Authentication. If you want to limit user access to specific systems, use the access control files /etc/ldapusers.deny and /etc/ldapusers.allow. A default /etc/ldapusers.deny file is provided at installation time. Included are all of the standard system users: root, bin, daemon, and so on.
Table 5 LDAP Database Utilities
Program Name   Options                                                                                          Description
ldap_check     None                                                                                             Checks either ./ldapcd.conf or /etc/ldapcd.conf against the listing of directory servers in the conf file. Validates all entries related to the directory server. Diagnostics are printed to stdout; when the exit code is greater than 0, a problem was encountered.
ldap_add_user  -b branch—Branch to add users to; should be a full distinguished name, including the search base.  Adds a user to the LDAP directory server.
Table 5 LDAP Database Utilities (continued)
Program Name    Options                                                   Description
ldap_mod_group  -b branch – Branch in which groups to be modified reside.  Assigns the listed login names to the specified group. Use the -r option to remove the specified login names from the group or the -R option to remove login names from all groups.
                -r – Remove login names from specified group.
                -R – Remove login names from all groups.
ldap_del_group  -b branch – Branch from which to delete groups.
                -n – Do not submit.
Checking the LDAP Server Configuration
The ldap_check utility validates the contents of the ./ldapcd.conf or /etc/ldapcd.conf file as follows:
• Verifies that the specified directory servers are running and that connections to the servers can be made
Note: If any of the LDAP servers specified in the ldapcd.conf file fail the verification, the remaining servers are not checked and the entire verification fails.
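The following is an added example, not a utility shipped with Internet Express: a static sanity check of an ldapcd.conf-style file covering the cache parameters described above (pw_cachesize, pw_expirecache, gr_cachesize, gr_expirecache) and the directory and pw_username entries that ldap_add_user relies on. It assumes the "key: value" line format of Example 2 and that a directory entry is a host name optionally followed by a port; unlike ldap_check it never contacts a server, so it complements rather than replaces that utility. The sample configurations are constructed.

```python
"""Static sanity check of an ldapcd.conf-style file (added example, not HP code)."""
import re

# Cache keys named in the guide; values must be positive integers (assumed: no default is relied on).
CACHE_KEYS = ("pw_cachesize", "pw_expirecache", "gr_cachesize", "gr_expirecache")
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")


def parse_ldapcd_conf(text):
    """Return (directories, settings): the directory: values in order, and all other key/value pairs."""
    directories, settings = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'key: value', got {raw!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "directory":
            directories.append(value)               # assumed layout: "host [port]"
        else:
            settings[key] = value
    return directories, settings


def check_ldapcd_conf(text):
    """Return a list of problems found; an empty list means the static checks pass."""
    problems = []
    directories, settings = parse_ldapcd_conf(text)
    if not directories:
        problems.append("no directory: line; ldap_add_user uses the first server listed")
    for entry in directories:
        parts = entry.split()
        host = parts[0] if parts else ""
        if not HOST_RE.fullmatch(host):
            problems.append(f"directory {entry!r}: malformed host name")
        if len(parts) > 1 and not (parts[1].isdigit() and 0 < int(parts[1]) < 65536):
            problems.append(f"directory {entry!r}: port must be 1-65535")
    for key in CACHE_KEYS:
        value = settings.get(key)
        if value is None:
            problems.append(f"{key} not set")
        elif not value.isdigit() or int(value) <= 0:
            problems.append(f"{key}={value!r}: must be a positive integer")
    # pw_username names the attribute ldap_add_user puts in the DN (logname_attribute=logname,branch).
    if "pw_username" not in settings:
        problems.append("pw_username not set; ldap_add_user needs it to build the DN")
    return problems


# Constructed samples; host names are placeholders.
GOOD_CONF = """# constructed sample
directory: ldap1.example.com 389
directory: ldap2.example.com 389
pw_username: uid
pw_cachesize: 100
pw_expirecache: 600
gr_cachesize: 50
gr_expirecache: 600
"""
BAD_CONF = """directory: ldap1.example.com
pw_cachesize: lots
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_ldapcd_conf(conf) or "ok")
```

Run it against a copy of /etc/ldapcd.conf before ldap_check to catch typos in the cache values, which the daemon might otherwise silently replace with its own defaults.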
The ldap_add_user utility adds users to the first directory server specified in the ldapcd.conf file. If multiple servers are listed, only the first is used, even if it is not operational. The distinguished name (DN) is constructed as follows: logname_attribute=logname,branch The logname_attribute is replaced by the attribute name specified by the pw_username entry in the ldapcd.conf file. The logname is the user's login name. The branch is one of three possible values, taken in this order: 1.
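As an added illustration of the DN rule above and of the RFC 2307 attribute names from Example 3 (this is example code, not the ldap_add_user utility), the script below turns passwd(4) lines into LDIF entries using logname_attribute=logname,branch as the DN. It assumes objectClass posixAccount (the RFC 2307 user class) together with the structural class account, which are standard but not stated on this page, and it refuses login names containing DN-special characters rather than guessing at escaping. The password field is copied only when it holds an actual crypt hash; an "x" or "*" placeholder is skipped. The passwd sample is constructed.

```python
"""Convert passwd(4) lines to LDIF posixAccount entries (added example, not HP code)."""
import base64

DN_SPECIAL = ',+"\\<>;=#'   # characters that would need escaping inside an RDN


def _ldif_value(attr, value):
    """Encode one attribute value per LDIF rules: base64 unless it is safe printable ASCII."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def passwd_to_ldif(passwd_text, branch, logname_attribute="uid"):
    """Return LDIF text with one posixAccount entry per passwd(4) line.

    branch is the full distinguished name under which users are created;
    logname_attribute is the value of pw_username in ldapcd.conf.
    """
    entries = []
    for raw in passwd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"not passwd(4) format: {raw!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            raise ValueError(f"non-numeric uid/gid in {raw!r}")
        if any(c in name for c in DN_SPECIAL) or name != name.strip():
            raise ValueError(f"login name {name!r} needs DN escaping; refusing")
        lines = [
            f"dn: {logname_attribute}={name},{branch}",
            "objectClass: account",          # assumed structural class
            "objectClass: posixAccount",     # RFC 2307 user class
            _ldif_value("uid", name),
            _ldif_value("cn", gecos.split(",")[0] or name),
            f"uidNumber: {uid}",
            f"gidNumber: {gid}",
            _ldif_value("gecos", gecos) if gecos else None,
            _ldif_value("homeDirectory", home),
            _ldif_value("loginShell", shell) if shell else None,
        ]
        # Only a real hash is copied; placeholders mean the hash is held elsewhere.
        if pw not in ("", "x", "*", "!"):
            lines.append(f"userPassword: {{crypt}}{pw}")
        entries.append("\n".join(l for l in lines if l))
    return "\n\n".join(entries) + "\n"


# Constructed sample line; not a real account.
SAMPLE_PASSWD = "bjensen:x:1001:100:Barbara Jensen,Room 12:/home/bjensen:/bin/sh\n"

if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD, "ou=accounts,o=example"))
```

The output can be reviewed before it is loaded with ldapadd, which is useful when the branch or the pw_username attribute has been changed from the defaults.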
To retrieve all users:
ldap_get_user [ -b branch ] [ -f filename ]
Note: In the following examples, the -b branch and -f output-file options (not shown) can also be used.
To use a search filter to find users:
ldap_get_user -s filter
To use a search filter with object class restrictions added to the search:
ldap_get_user -S filter
For example, a search filter might look like the following:
uid=bjensen
(&(uidNumber>=10)(uidNumber<=20))
Note: You must quote the filter string according to your shell.
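When the value placed in a filter such as uid=bjensen originates from a user (a web form, a help-desk script), it must be escaped as RFC 4515 requires before it is handed to ldap_get_user -s, otherwise characters like * or parentheses change the meaning of the query. The helper below is an added example, not part of the Internet Express tools; the function names are its own, and the shell quoting it produces follows the note above about quoting the filter for the shell.

```python
"""Build LDAP search filters safely for ldap_get_user -s (added example, not HP code)."""

# RFC 4515 escapes for characters that are special inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape every reserved character; a per-character map avoids double escaping."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def uid_filter(logname, attribute="uid"):
    """Equality filter for one login name, e.g. (uid=bjensen)."""
    return f"({attribute}={escape_filter_value(logname)})"


def uid_range_filter(low, high):
    """The guide's range filter, (&(uidNumber>=low)(uidNumber<=high)), with checked bounds."""
    if not (isinstance(low, int) and isinstance(high, int)) or low > high:
        raise ValueError("bounds must be integers with low <= high")
    return f"(&(uidNumber>={low})(uidNumber<={high}))"


def shell_quote(filter_text):
    """Single-quote the filter so the shell passes it to ldap_get_user unchanged."""
    return "'" + filter_text.replace("'", "'\"'\"'") + "'"


def ldap_get_user_command(logname):
    """Full command line for a single-user lookup (ldap_get_user path as documented)."""
    return f"ldap_get_user -s {shell_quote(uid_filter(logname))}"


if __name__ == "__main__":
    print(ldap_get_user_command("bjensen"))
    print(ldap_get_user_command("b*jensen"))      # wildcard is neutralised
    print(shell_quote(uid_range_filter(10, 20)))
```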
If a problem is encountered when creating a group in the LDAP directory server, the ldap_add_group utility returns an exit code greater than 0. For a description of the options you can use with this utility, see Table 5.
To add one or more groups from a file:
ldap_add_group -f input-file
To add one or more groups from stdin:
cat filename | ldap_add_group -f -
Note: The input must be in group(4) format.
Notes: The input must be in group(4) format, but only the group name will be used. A list of group names (one per line) is also acceptable as input. Retrieving a Group Entry Use the ldap_get_group utility to retrieve group(4) entries for selected groups in the LDAP directory server. Unless otherwise specified, the ldap_get_group utility selects all groups on the default group branch or search base. Use the -s option to select a subset of users (see Table 5).
Note: Whenever you enable or disable the LDAP Module for System Authentication, you must reboot the system. Otherwise, some applications (such as cron and Advanced Server for UNIX) will not detect the change in authentication method. Stopping the ldapcd Daemon Use the ldap_disable utility to stop the LDAP caching daemon (ldapcd) and configure the system so that the LDAP Authentication will not be used.
Engineering, c=US"
dn: cn=Joseph Shmoe, o=HP Engineering, c=US
changetype: modify
replace: title
title: Process Engineer
-
^D
modifying entry cn=Joseph Shmoe, o=HP Engineering, c=US
You can use the ldapsearch command to retrieve the modified entry:
# /usr/local/bin/ldapsearch -b 'o=HP Engineering, c=US' 'cn=Joe Shmoe'
cn=Joseph Shmoe, o=HP Engineering, c=US
objectclass=person
cn=Joseph Shmoe
cn=Joe Shmoe
sn=Shmoe
givenname=Joseph
mail=shmoe@fac.digieng.
/etc/ldapusers.allow If you want to disallow access to all but a few users, you must create the /etc/ldapusers.allow file. The /etc/ldapusers.allow file is a text file in which you enter the name of a Tru64 UNIX user who will only be authenticated by LDAP authentication. If the /etc/ldapusers.allow file exists on a system, only users listed in that file are allowed to log in using LDAP authentication. Note that this is true even if /etc/ldapusers.allow is empty.
# su user1
The su operation examines NIS and returns success. As it is successful, su completes the operation and /etc/ldapusers.deny is ignored.
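The allow/deny rules from the preceding sections and the NIS-before-LDAP ordering shown in the su example can be modelled in a few lines. This is an added example, not the module's implementation: it reads the file contents from strings rather than from /etc/ldapusers.allow and /etc/ldapusers.deny, and the way the two files combine when both exist (allow consulted first, then deny) is this example's assumption, since the guide only states each file's effect on its own.

```python
"""Model of LDAP login access control for one host (added example, not HP code)."""


def _read_names(text):
    """One login name per line; blank lines and # comments are ignored (assumed format)."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            names.add(line)
    return names


def ldap_login_allowed(user, allow_text=None, deny_text=""):
    """Would the LDAP module accept this user on this host?

    allow_text=None means /etc/ldapusers.allow does not exist; an empty string
    means it exists but is empty, which (as the guide says) lets nobody in.
    """
    if allow_text is not None and user not in _read_names(allow_text):
        return False          # allow file present: only listed users pass, even if empty
    if user in _read_names(deny_text):
        return False          # explicitly denied, e.g. the system accounts shipped in the default file
    return True


def authenticates(user, nis_users, allow_text=None, deny_text=""):
    """Order modelled on the su example: NIS is consulted before LDAP, so a NIS
    success means the LDAP allow/deny files are never looked at."""
    if user in nis_users:
        return True
    return ldap_login_allowed(user, allow_text, deny_text)


# Constructed stand-in for the default /etc/ldapusers.deny (the real file lists more accounts).
DEFAULT_DENY = "root\nbin\ndaemon\n"

if __name__ == "__main__":
    print(ldap_login_allowed("alice", None, DEFAULT_DENY))    # True: no allow file, not denied
    print(ldap_login_allowed("root", None, DEFAULT_DENY))     # False: denied
    print(ldap_login_allowed("alice", "", DEFAULT_DENY))      # False: empty allow file
    print(authenticates("user1", {"user1"}, None, "user1\n"))  # True: NIS answered first
```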
5 Mail Delivery Administration
Using the Internet Express Administration utility, you can manage the following delivery components:
• Sendmail Mail Transport Agent for sending, distributing, and delivering mail (Section : Sendmail Server Administration).
• Majordomo mailing list administrator to create and maintain mailing lists (Section : Majordomo Mailing List Administration).
◦ LDAP (see Section : Configuring LDAP)
◦ Configure MILTER (Sendmail Server/Using Open Source Configuration Rules only) (see Section : Configuring Mail Filters (MILTER))
◦ Configure Queues (Sendmail Server/Using Open Source Configuration Rules only) (see Section : Configuring Queues)
◦ Configure Queue Performance (Sendmail Server/Using Open Source Configuration Rules only) (see Section : Configuring Queue Performance)
◦ Configure Trusted Layer Security (TLS) (Sendmail Server/ Using Open Source
1. Under Mail on the Manage Components menu, choose Sendmail Server.
2. From the Sendmail Server Administration menu, choose Configure Sendmail Server.
3. From the Configure Sendmail Server menu, choose Server and click on Configure.
4. On the Configure Server form, you must first configure the Internet Mail Protocol (SMTP). The first time you configure your system as a mail server, the Available Protocols menu offers only the Internet Mail Protocol.
If you configured your system to be a mail server, you can use the Administration utility to create one or more host aliases for any protocol you configure for the server. (You can also create one or more host aliases for your system when you initially configure it as a mail server; see Section : Configuring the System as a Mail Server.) To set up a host alias for the mail server, follow these steps: 1. Under Mail on the Manage Components menu, choose Sendmail Server. 2.
• Configure Queues (Sendmail Server/Using Open Source Configuration Rules only) (see Section : Configuring Queues)
• Configure Queue Performance (Sendmail Server/Using Open Source Configuration Rules only) (see Section : Configuring Queue Performance)
• Configure Trusted Layer Security (TLS) (Sendmail Server/Using Open Source Configuration Rules only) (see Section : Configuring Trusted Layer Security)
Configuring Mail Protocols
When you initially configure your system as a mail server, you are req
Configuring the MTS Protocol
To configure the MTS protocol for the Sendmail server, complete the Configure MTS Protocol form as follows:
1. Create one or more pseudo domain aliases, if needed (see Section : Creating and Deleting Pseudo Domain Aliases).
2. Create one or more host aliases, if needed (see Section : Creating and Deleting Host Aliases for a Mail Server).
3. Select one of the following routing methods:
• Internet—Forwards mail over the Internet to an unspecified gateway.
• Enter the name of the relay system in the Relay Hostname field. You can enter from 1 to 21 alphanumeric characters (including special characters). The name cannot start or end with a hyphen (-).
• Select the relay protocol (the protocol that will be used to forward mail to the relay) from the Relay Protocol pull-down menu. SMTP is the default.
Enter the DECnet node address (area.node) for this server in the Node Address field; for example, 32.958.
7. Accept the default pseudo domain (D5NET) or enter another pseudo domain in the Pseudo Domain field. Click on Submit. A message is displayed indicating that the changes have been accepted. Click on Continue to return to the Configure Sendmail Server form. If an error occurs, use the navigation bar to return to the Configure DNET5 Protocol form. 8. On the Configure Server form, you can select another protocol to configure. If you are finished configuring protocols, click on Submit.
• Internet—Forwards mail over the Internet to an unspecified gateway. The Internet depends on BIND/DNS to select an appropriate relay; therefore, you do not need to specify a relay host name for Internet routing.
• Direct—Sends mail directly to the addressee. This option is not displayed if the X.25 protocol is not installed on this server.
• Relay—Forwards mail to another system (called the relay host) for processing.
Figure 21 Configure Masquerading Form
Users Automatically Excluded from Masquerading
The following users are always excluded from masquerading (whether or not you explicitly specify them in the Excluded Users List field or in the Excluded Users File):
• root
• postmaster
• news
• uucp
• mailer-daemon
• rdist
• nobody
• daemon
• pop
• imap
Configuring Your System for Masquerading
To configure your system for masquerading, follow these steps:
1. To enable masquerading, turn on the Enable Masquerading checkbox. (To disable masquerading while retaining the masquerading configuration, turn off this checkbox.)
2. Enter the masquerading host name in the Masquerade As field. This field is required.
Notes: If a user listed in the Excluded Users List field or contained in the file specified in the Excluded Users File field sends mail to a local user, the sending user's name will be masqueraded. 7. To use the masquerading host name in all recipients' addresses, check Use Masquerading Hostname in Recipient Addresses. (Recipient addresses include those on the To: and Cc: lines in the message header.) 8. To exclude your system's host aliases from masquerading, check Exclude Host Aliases From Masquerading.
You must also set up name servers for the virtual addresses that get mapped to the real addresses. You can use Domain Name System (DNS) configuration to complete the following:
1. Select an available domain name.
2. Establish two machines as primary and secondary name servers for this domain.
3. Configure MX records for this domain.
4. Register this domain with InterNIC.
See the Tru64 UNIX manual Network Administration: Services for more information about configuring DNS.
Lowercase checkbox to prevent conversion to lowercase. (This parameter corresponds to the -f option on the K configuration line in the sendmail.cf file.) 11. Click on Submit to change the server configuration. When the Suppress Errors in the Absence of the Database Files checkbox is not checked, the Administration utility checks that the filename.dir and filename.pag files exist (where filename is the name of the virtual user table you specified in the Database File Name field).
Configuring Anti-Spam
The Administration utility allows you to configure the following features of Sendmail to prevent mail from spam sites (also called unsolicited bulk e-mail) from reaching your system:
• Configure relaying (see Section : Configuring Relaying)
• Configure access database (see Section : Configuring the Access Database)
• Configure checking on sender's information (see Section : Configuring Checking on Sender's Information)
Configuring Relaying
By default, your Sendmail server configu
Note: Setting this checkbox may allow spam mail to relay through your server if it is not set up properly. • Set the Check for Blacklist Recipients in Access Database checkbox when you want to block incoming mail for certain recipient user names, host names, or IP addresses. For example, you can block incoming mail addressed to nobody, host example1.domain.name, or user guest@example2.domain.name, as specified in the accessdb file.
1. Create an access database file in /var/adm/sendmail/accessdb using the format shown in Example 5.
2. After you create the access table in a text file, use the makemap command to create the database map, based on the data in the table. For example:
# makemap btree accessdb < accessdb
This command creates the accessdb.db file in BTREE format. Sendmail uses this file to determine whether to accept or reject the relaying of mail messages.
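To see what a given access table will do before running makemap, the added example below (not part of Sendmail or Internet Express) reads an accessdb text table and answers the two questions the Configure Relaying and Check for Blacklist Recipients settings depend on: may this client relay, and is this recipient blocked? The table format and lookup order follow the standard Sendmail access map as I understand it: a key, whitespace and a value such as OK, RELAY, REJECT, DISCARD or error:...; addresses are tried in full, then as user@, then the domain and each parent domain; IPv4 addresses are tried in full and then with trailing octets removed. The sample table is constructed and is not the guide's Example 5.

```python
"""Evaluate a Sendmail-style accessdb text table (added example, not HP or Sendmail code)."""
import ipaddress


def parse_accessdb(text):
    """Return {key: value}; keys are lower-cased, # comments and blank lines skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"accessdb line needs a key and a value: {raw!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table


def _candidates(key):
    """Keys to try for one address, most specific first (assumed lookup order)."""
    key = key.lower()
    try:
        ipaddress.IPv4Address(key)
    except ValueError:
        pass
    else:
        octets = key.split(".")
        return [".".join(octets[:i]) for i in range(4, 0, -1)]
    if "@" in key:
        user, domain = key.rsplit("@", 1)
        cands = [key, user + "@"]
    else:
        domain, cands = key, []
    labels = domain.split(".")
    return cands + [".".join(labels[i:]) for i in range(len(labels))]


def lookup(table, key):
    """First matching entry for an address, host name or IP, or None."""
    for cand in _candidates(key):
        if cand in table:
            return table[cand]
    return None


def relay_allowed(table, client_ip, sender):
    """Relaying is permitted only when the client address or the sender maps to RELAY."""
    return lookup(table, client_ip) == "RELAY" or lookup(table, sender) == "RELAY"


def recipient_blocked(table, recipient):
    """What Check for Blacklist Recipients does: REJECT, DISCARD or error: on the recipient."""
    value = lookup(table, recipient)
    return value is not None and (value in ("REJECT", "DISCARD") or value.lower().startswith("error:"))


# Constructed sample table; hosts and addresses are placeholders.
SAMPLE_ACCESSDB = """# constructed sample, not the guide's Example 5
192.168.10                  RELAY
partner.example             RELAY
spammer.example             REJECT
nobody@                     REJECT
guest@example2.domain.name  error:550 mailbox disabled
"""

if __name__ == "__main__":
    t = parse_accessdb(SAMPLE_ACCESSDB)
    print(relay_allowed(t, "192.168.10.7", "x@other.example"))   # True
    print(relay_allowed(t, "10.0.0.1", "bob@other.example"))     # False
    print(recipient_blocked(t, "nobody@mail.example"))           # True
```

A table whose only RELAY entries are your own networks and partner domains is what keeps the server from becoming an open relay when the relaying checkbox described above is set.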
Bob "bigboy" Roberts (esq)@bob.com To preserve quotation marks and escape characters (those preceded by a backslash) in keys before database lookup, turn off the Strip Quotation Marks from Keys checkbox. (This parameter corresponds to the -q option on the K configuration line in the sendmail.cf file.) 10. Ordinarily, Sendmail converts a key to all lowercase letters before looking it up in the access database.
7. This field corresponds to the -b option in the K line in sendmail.cf. In the List of LDAP Servers field, enter the names of servers at your site that support LDAP. Use a space to separate entries in this field. The LDAP libraries attempt to connect to these servers in the order you list them. For example: dirserver1.xyz.com dirserver2.xyz.com 8. This field corresponds to the -h option in the K line in sendmail.cf.
Here are a few examples:
• Filter Name: sample1; Socket: local:/var/run/f1.sock. A local file filter, using a local UNIX socket.
• Filter Name: sample2; Socket: inet:1099@remotehost.com. A network socket accessed via IPv4 port number 1099 on remotehost.
• Filter Name: sample3; Socket: inet6:1066@myhost.com. A network socket accessed via IPv6 port number 1066 on myhost.com.
Filters can reject or defer mail if the connection to the filter fails.
1. Under Mail on the Manage Components menu, choose Sendmail Server/Using Open Source Configuration Rules.
2. From the Sendmail Server Administration menu, choose Configure Sendmail Server.
3. On the Configure Sendmail Server menu, make sure that Server is selected and click on Configure.
4. From the Configure Sendmail Server menu, choose Configure MILTER.
5. In the Existing Filters list, choose the filter to be modified.
6. Click Modify.
7. Modify the values as desired.
If the sample filter returns immediately to a command line, there was a problem. Check the following items:
1. Whether the command line had errors
2. If the local socket was created
3. The syslog for any errors
4. Use the command netstat -a to verify the filter process is listening on the correct local socket.
To test the filter, e-mail messages must be piped to the filter via Sendmail. There are two means of doing this: by using sendmail -bs, or by telnet localhost 25.
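The SMTP dialogue that such a test consists of, whether typed into telnet localhost 25 or fed to sendmail -bs, is the same, and scripting it makes the filter's verdict (a 5xx rejection or a 4xx deferral in the reply codes) easy to record. The script below is an added example, not an Internet Express tool: build_smtp_session() produces the dialogue, parse_replies() and filter_verdict() interpret Sendmail's answers, and send_via_sendmail_bs() runs the dialogue through /usr/sbin/sendmail -bs (path assumed). The sender, recipient and body are constructed sample values.

```python
"""Push a test message through Sendmail (and so through the MILTER) with sendmail -bs (added example)."""
import subprocess


def build_smtp_session(sender, recipient, subject, body, helo="localhost"):
    """The same commands one would type after telnet localhost 25, with CRLF line ends."""
    if "\n" in sender + recipient + subject:
        raise ValueError("addresses and subject must be single lines")
    data = f"From: {sender}\r\nTo: {recipient}\r\nSubject: {subject}\r\n\r\n"
    # Dot-stuff body lines so a line consisting of "." cannot end DATA early.
    data += "\r\n".join("." + l if l.startswith(".") else l for l in body.splitlines())
    return (
        f"HELO {helo}\r\n"
        f"MAIL FROM:<{sender}>\r\n"
        f"RCPT TO:<{recipient}>\r\n"
        "DATA\r\n"
        f"{data}\r\n.\r\n"
        "QUIT\r\n"
    )


def parse_replies(output):
    """Return the numeric reply codes Sendmail printed, one per (possibly multi-line) reply."""
    codes = []
    for line in output.splitlines():
        if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            codes.append(int(line[:3]))          # "250-..." continuation lines are skipped
    return codes


def filter_verdict(codes):
    """Classify the transaction: a 5xx means rejected, a 4xx deferred, otherwise accepted."""
    if any(c >= 500 for c in codes):
        return "rejected"
    if any(400 <= c < 500 for c in codes):
        return "deferred"
    return "accepted" if codes else "no reply"


def send_via_sendmail_bs(session, sendmail="/usr/sbin/sendmail"):
    """Run sendmail in SMTP-on-stdin mode and return (verdict, reply codes)."""
    proc = subprocess.run([sendmail, "-bs"], input=session, capture_output=True,
                          text=True, check=False)
    codes = parse_replies(proc.stdout)
    return filter_verdict(codes), codes


# Constructed sample message used for the test run.
SAMPLE_SESSION = build_smtp_session("tester@localhost", "postmaster@localhost",
                                    "milter test", "hello\n.this line starts with a dot\n")

if __name__ == "__main__":
    print(send_via_sendmail_bs(SAMPLE_SESSION))
```

Compare the verdict with the filter's own log line in syslog; if Sendmail reports "accepted" while the filter logged a rejection, the socket in the MILTER configuration does not point at the running filter.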
The Flags argument specifies whether queues are processed in parallel in the background, or in serial mode. Specifying "f" as the flags argument defines the parallel processing queue mode. The nice value argument is the operating system priority at which queues are processed. The default value is set to give all processes an equal chance of running. In the Interval Between Queue Runs field, specify the time interval to wait between active runs.
Configuring Queue Performance The Queue Performance menu option allows you to set local values for default options found in Sendmail. Table 6, Table 7, Table 8 and Table 9 describe these values.
Table 8 Sendmail Timers
Timer      Description                                   Default Value
Mail       Timeout on MAIL FROM:                         5 to 10 minutes
rcpt       Timeout on RCPT TO:                           1 hour
datainit   Timeout on DATA acknowledgement               5 minutes
datablock  Timeout on DATA block read                    No default
datafinal  Timeout on DATA acknowledgement of final dot  1 hour
command    Timeout on wait of next command               1 hour
Initial    Timeout on initial greeting message           None
Helo       Timeout on HELO or EHLO                       None
Rset       Timeout on RSET acknowledgement               5 minutes
Quit       Timeout
egd is a Perl-based persistent daemon that gathers and then sources to Sendmail a flow of pseudorandom information. This information is used for encryption actions. In addition to access of random information, the system administrator must have a set of digital certificates that defines the authority (local or remote), server and client identification. Certificates follow a hierarchical model, the X.509 Certificate Authority.
1. Under Mail on the Manage Components menu, choose Sendmail Server/Using Open Source Configuration Rules.
2. From the Sendmail Server Administration menu, choose Configure Sendmail Server.
3. On the Configure Sendmail Server menu, make sure that Server is selected and click on Configure.
4. From the Configure Sendmail Server menu, choose Configure Trusted Layer Security (TLS). A form is displayed, showing the current performance values.
Here are some additional server examples:
Access database text line  Meaning
TLS_Clt:nbc.hp.com         StartTLS connection as server to system nbc
TLS_Clt:nbc.hp.com VERIFY  StartTLS connection and certificate verification required
(entry not extracted)      StartTLS connection and certificate verification required; must encrypt with at least 32 bits
TLS_Clt:nbc.hp.
Summary of TLS options available for use in the access data file
First field                      Second (or more) field    Additional fields
Srv_Features: (Server Features)  Blank, address, hostname  Optional S, V or A (upper case) or s, v, a (lower case).
                                                           Upper case options:
                                                           • S - Do not offer STARTTLS
                                                           • V - Do not request STARTTLS client cert
                                                           • A - Do not offer SMTPAUTH
                                                           Lower case (s, v or a) means offer/request TLS:
                                                           • s - Offer STARTTLS
                                                           • v - Request STARTTLS client cert
                                                           • a - Offer SMTPAUTH
CERTISSUER                       Cert Issuer information   RELAY or SUBJECT
CERTSUBJECT
directory, or if the NFS server for the mailbox directory uses the Tru64 UNIX operating system. If you are not sure, select Create .lock Files.
• Create .lock Files—Select this style if the system on which the mailbox directory resides does not use the Tru64 UNIX operating system.
• Both—Select this style if you are NFS exporting the mailbox directory or if you are sure that the NFS server was configured to use both lockf and .lock files.
3. On the Majordomo Mailing List Administration menu, enter a unique name in the New Mailing List field, then click on Add. The names of existing lists are displayed in the Existing Mailing Lists field.
4. Enter the e-mail address of the person who owns or will maintain the list. The list owner is defined as an alias in the mail aliases file.
5. Type a description of the purpose of the list (the list charter) in the Informational Message field.
Changing Administration Parameters
To change administration parameters for a Majordomo mailing list, follow these steps:
1. From the Administration utility Main menu, choose Manage Components.
2. Under Mail on the Manage Components menu, choose Majordomo Mailing Lists.
3. Select the mailing list you want to modify from the Existing Mailing Lists list.
4. From the Modify Majordomo Mailing List menu, choose Modify Administration Parameters.
5.
9. • auto to unrestricted—Allows anybody to unsubscribe anybody from the list without maintainer approval. The existence of the file listname.auto is the same as specifying this value.
• unsubscribe self w/ confirmation—Allows people to unsubscribe themselves from the list. Majordomo sends a reply back to the subscriber, which includes an authentication number that must be sent back in with another unsubscribe command. This value overrides the value supplied by any existing files.
• $LIST—Name of the current list • $SENDER—Sender as taken from the from line • $VERSION—Version of Majordomo If used in a digest, no expansion tokens are provided. 10. Specify a maximum article length in the Maximum Article Length (maxlength) field. The default maximum article length is 40,000 characters. 11. Click on Submit. Changing Digest Parameters To change digest parameters for a Majordomo mailing list, follow these steps: 1. From the Administration utility Main menu, choose Manage Components.
Changing Moderated List Parameters
To change the moderated list parameters for a Majordomo mailing list, follow these steps:
1. From the Administration utility Main menu, choose Manage Components.
2. Under Mail on the Manage Components menu, choose Majordomo Mailing Lists.
3. Select the mailing list you want to modify from the Existing Mailing Lists list.
4. From the Modify Majordomo Mailing List menu, choose Modify Moderated List Parameters.
5.
NOTE: The first four fields on the Modify List Restriction Parameters menu must be specified as a Perl style "regular expression". The Perl style regular expression should begin and end with a leading and trailing slash as shown in the following example.
Header Strings Prompting Review:           /subject:test/
Message Test Prompting Review:             /test mail/
List is Advertised to These Users:         /john@gmail.com/
List is Not Advertised to These Users:     /fredk@yahoo.
The following sections describe these topics:
• Create a mailing list (Section : Create a Mailing List)
• Delete a mailing list (Section : Deleting a Mailing List)
• Access the List Management screen to perform list management activities (Section : Managing Mailing Lists)
• Use scripts (Section : Mailman Scripts)
• Mailman log files (Section : Mailman Log Files)
Create a Mailing List
The Mailman administration page is used for list creation. To create a list:
1.
The screen will prompt for the list administrator's password. Enter it in the blank and then click the button to access the Mailing List Administration menu (Figure 24). If a list password is misplaced, only the system administrator can reset it.
Figure 24 Mailman Mailing List Administration Menu
The Mailing List Administration menu enables the list administrator to set a variety of configuration options.
1. Click on the category name. The menu is refreshed with the fields relevant to the configuration option chosen.
2. Fill out the form as desired. The menu provides help links for each option.
3. To complete the process, click on Submit Your Changes.
Mailman Scripts
The installation of Mailman sets up a group of crontab entries, host definitions, and alias definitions that are used by the package.
At the end of each training run, bogofilter saves its updated database in a file called .bogofilter/wordlist.db. Over the course of time, spam message content will change. Periodic training runs with new spam and valid message sets are necessary to keep bogofilter's internal database current. Filtering with Bogofilter Once the bogofilter database has been primed, the command can be used to filter new messages.
:0:
* ^X-Bogosity: Yes, tests=bogofilter
spam-bogofilter
Mutt Integration with Bogofilter
The following .muttrc lines will create mutt macros for dispatching mail to bogofilter.
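The procmail recipe above tests only the header block and delivers a match to the spam-bogofilter folder. The added example below (not part of bogofilter, procmail or Internet Express) reproduces that decision in Python over constructed messages, so the behaviour can be checked without a live mail spool: a message that carries the same text in its body but not in its headers stays in the inbox, exactly as the recipe would leave it. The folder name "inbox" and the sample messages are this example's own.

```python
"""Apply the guide's procmail X-Bogosity rule to raw messages (added example, not HP code)."""
import re

# Same pattern as the recipe's condition line; procmail matches it against the header block.
SPAM_RE = re.compile(r"^X-Bogosity: Yes, tests=bogofilter", re.MULTILINE)


def route_message(raw_message, default="inbox"):
    """Return the folder the recipe would deliver raw_message to."""
    head, _, _ = raw_message.partition("\n\n")          # header block ends at the first blank line
    head = re.sub(r"\r?\n[ \t]+", " ", head)             # unfold continuation lines
    return "spam-bogofilter" if SPAM_RE.search(head) else default


def route_batch(messages):
    """Count deliveries per folder for a list of raw messages."""
    counts = {}
    for raw in messages:
        folder = route_message(raw)
        counts[folder] = counts.get(folder, 0) + 1
    return counts


# Constructed sample messages; the X-Bogosity header is what bogofilter adds when it classifies.
SPAM_MSG = "From: a@example\nX-Bogosity: Yes, tests=bogofilter, spamicity=0.998\nSubject: hi\n\nbody\n"
HAM_MSG = "From: a@example\nX-Bogosity: No, tests=bogofilter, spamicity=0.012\nSubject: hi\n\nbody\n"
FOLDED_MSG = "From: a@example\nX-Bogosity: Yes,\n tests=bogofilter, spamicity=0.9\n\nbody\n"
BODY_ONLY_MSG = "From: a@example\nSubject: hi\n\nX-Bogosity: Yes, tests=bogofilter\n"

if __name__ == "__main__":
    print(route_batch([SPAM_MSG, HAM_MSG, FOLDED_MSG, BODY_ONLY_MSG]))
```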
For sendmail integration, follow the procmail example from Section : Using Bogofilter with procmail.
6 Mail Access Administration
Using the Internet Express Administration utility, you can manage the following mail access components:
• Post Office Protocol (POP) based on the Qualcomm POP Mail Server (Section : POP Mail Server Administration)
• Cyrus IMAP Server and University of Washington IMAP Servers (Section : IMAP Mail Server Administration)
• The Internet Messaging Program (IMP) to implement an IMAP-based Webmail system (Section : IMP Webmail Administration)
POP Mail Server Administration
The Po
1. Under Mail on the Manage Components menu, choose POP Server.
2. From the POP Server Administration menu, choose Enable/Disable the POPPASSD Server.
3. If the server is currently enabled, you can disable the server by clicking on Disable. If the server is currently disabled, you can enable the server by clicking on Enable.
Viewing the POP Mail Server Log
The entries in the server log file are generated from data in the /var/adm/syslog.dated directories. To view the POP3 or POP2 server log file:
1.
For information on tuning your system to improve the performance of your mail server, see: http://h30097.www3.hp.com/docs/internet/TITLE.HTM Setting Up a UNIX User Account for UW IMAP No special administration tasks are normally needed to set up a user to use the UW-IMAP server, but if the user had been using mail folders in the mh format, convert the folders to UNIX "From-style" folders using the /usr/dt/bin/mailcv -A command. (To read the mailcv(1) reference page, use the man n mailcv command.
/usr/dt/bin/mailcv [-evdt] -I [-f foldername | directoryname] [user | user.folder]
To convert IMAP folders to UNIX ("From-style") folders, enter the following command:
mailcv [-vd] -U [-f foldername newfoldername
For example, to convert the tree of UNIX ("From-style") folders for user duke into a tree of Cyrus IMAP folders, starting at directory bar, enter the following command:
% /usr/dt/bin/mailcv -I -t -f .
3. From the IMAP Server Administration menu, choose Enable/Disable the UW IMAP Server.
4. If the server is currently enabled, you can disable it by clicking on Disable. If the server is currently disabled, you can enable it by clicking on Enable.
Configuring SSL for UW-IMAP
You can configure the Secure Sockets Layer (SSL) to enable encrypted communication between a mail client and the UW-IMAP Server.
Note: Although you can install both the UW-IMAP Server and the Cyrus IMAP Server subsets, you can enable only one of these servers at a time because they use the same standard IMAP port number. Enabling the Cyrus IMAP Server automatically disables the UW-IMAP Server. 2. From the IMAP Server Administration menu, choose View Cyrus IMAP Server Log Server or View UW IMAP Server Log, depending on which server has been enabled.
Accessing the IMP Webmail Administration Menu
To access the IMP Webmail administration menu:
1. From the Internet Express Administration utility Main menu, choose Manage Components.
2. From the Manage Components menu, under Mail, choose IMP Webmail. The IMP Webmail Administration menu is displayed (Figure 25).
Figure 25 IMP Webmail Administration Menu
Enabling and Disabling IMP Webmail
To enable (or disable) IMP:
1. From the IMP Webmail Administration menu, choose Enable/Disable IMP Webmail.
Figure 26 Enable/Disable IMP Webmail Page
Managing Mail Server Settings
The Mail Server Settings form (Figure 27) allows you to change the general mail server settings used by IMP to determine what mail server to connect to, as well as what mail folders are accessible to the user. To modify the mail server settings, follow these steps:
1. From the IMP Webmail Administration menu, choose Mail Server Settings. The Mail Server Settings form is displayed (Figure 27).
Figure 27 Mail Server Settings Form
Table 12 IMP Mail Server Settings
Setting              Description
Use server list      Select shown to display a list of servers for users to select on the IMP login page. Select hidden to use the default server defined by the preferred mechanism or by the order of the server list defined in the servers.php file. Select none to use the default server unless overridden by some other means.
Allow server change  Select this property to allow users to type a server name if Use server list is set to none.
1. From the IMP Webmail Administration menu, choose Modify Mail Server List. The Modify Mail Server List form (Figure 28) is displayed.
2. Enter the name of the new server in the New Server Name field. Optionally, select an existing server from the Existing Server list. The new entry will be added before the selected server. If no server is selected, the new server will be added to the end of the list.
3. Click Add. A new form is displayed (Figure 29).
Table 13 IMP Mail Server List Settings (continued)
Setting     Description
Namespace   Enter a path to remove from mailbox names for presentation purposes. A common value for Cyrus IMAP servers is INBOX. This may cause confusion between shared folders and personal folders if they share the same name.
Maildomain  Enter the default hostname to use after the @ for the from address when sending mail. This value will also be used to complete unqualified addresses in the compose window.
Figure 30 Mailbox Settings Form
2. Fill out the form. Table 14 describes the settings.
3. Click Submit to make the necessary changes. A status message is displayed when completed.
Table 14 IMP Mailbox Settings
Setting      Description
Date format  Enter the format used in the mailbox's Date field for messages sent on days other than today. The format will be used in a call to the PHP strftime function. See the PHP documentation for more information.
Figure 31 Compose Settings Form
2. Fill out the form. Table 15 describes the settings.
3. Click Submit to make the necessary changes. A status message is displayed when complete.
Table 15 IMP Compose Settings
Setting                    Description
Allow setting Cc: header   Select to allow users to set the Cc: heading.
Allow setting Bcc: header  Select to allow users to set the Bcc: heading.
Date format                Specify a format string to be passed to the PHP strftime function to display the date in the compose window header.
Figure 32 Message Settings Form
2. Fill out the form. Table 16 describes the settings.
3. Click Submit to make the necessary changes. A status message is displayed when complete.
Table 16 IMP Message Settings
Setting         Description
Prepend header  Select to include the contents of /usr/internet/horde/imp/config/header.txt in the header of all messages sent.
Append trailer  Select to include the contents of /usr/internet/horde/imp/config/trailer.txt at the end of every message sent.
Figure 33 Logging Settings Form
2. Fill out the form. Table 17 describes the settings.
3. Click Submit to make the necessary changes. A status message is displayed when complete.
Table 17 IMP Logging Settings
Setting  Description
Enabled  Select to enable IMP logging of events.
Driver   If logging is enabled, choose the driver type from the selection list. The file driver type will log to a text file. The syslog driver type will log to the syslog facility.
Managing Preference Driver Settings The Preference Driver Settings form (Figure 34) allows you to define the settings for storing and retrieving user preferences. To modify these settings, choose Preference Driver Settings from the IMP Webmail Administration menu. You will be presented with the fields described in Table 18. To modify the preference driver settings, follow these steps: 1. From the IMP Webmail Administration menu, choose Preference Driver Settings.
Managing Miscellaneous IMP Settings The Miscellaneous IMP Settings form (Figure 35) contains other IMP settings. To modify these settings, choose Miscellaneous IMP Settings from the IMP Webmail Administration menu. You will be presented with the fields described in Table 19. To modify the miscellaneous settings, follow these steps: 1. From the IMP Webmail Administration menu, choose Miscellaneous IMP Settings. The Miscellaneous IMP Settings form is displayed (Figure 35).
Figure 36 Horde Settings Form
2. Fill out the form. Table 20 describes the settings.
3. Click Submit to make the necessary changes. A status message is displayed when complete.
Table 20 Horde Settings
Setting Description
Display Help Links Select this box to display help links on the user's pages.
PHP error level Click the value to use in the PHP error_reporting function to configure the amount and types of PHP errors displayed on the user's screen. For more information, see: http://www.php.
Table 20 Horde Settings (continued) Setting Description Umask Enter the umask value (octal value) to run as. This affects the permissions of temporary files created. Temporary directory Enter this value to override the system default and PHP's upload_tmp_dir value, set either in the php.ini configuration or php_value directive in httpd.conf, for the temporary directory. Session information and temporary attachment files are stored there. Enable cache Click the cache driver to use.
Figure 37 Turba Settings Form
2. Fill out the form. Table 21 describes the settings.
3. Click Submit to make the necessary changes. A status message is displayed when complete.
Table 21 IMP Turba Settings
Setting Description
Enabled If selected, enables access to the Turba contacts manager. If not selected, users will not have access to their address book.
Database Type Enter the type of the database server. The only supported value is pgsql for a PostgreSQL database.
a working installation of IMP, but most of your previous configurations and all stored user information (preferences and contact lists) will not be available. This information must be converted to the new formats. There are two menus provided in the IMP Webmail Administration section of the Administration Utility. Use them to convert your new configuration and data to match your old settings and data. • Upgrade Configurations (Section : Upgrading IMP Configurations).
Figure 38 Upgrade Database Settings Form
3. Fill out the form. Table 22 describes the settings.
4. Click Submit to make the necessary changes. A status message is displayed when complete.
Table 22 IMP Database Upgrade Settings
Setting Description
Database Info These values should refer to the current database containing the Horde/IMP tables. The new tables will be added to this database.
Database Name Enter the name of the database. The default installation uses database horde.
Table 22 IMP Database Upgrade Settings (continued)
Setting Description
Preference Table
Convert Preference Table? Select if you want to convert the table containing all users' preferences.
Current Preference Table Enter the name of the preference table used for Internet Express installations prior to Version 6.0.
New Preference Table Enter the name of the new table to be created. This table must either be empty or not exist for the conversion to take place.
7 Web Services Administration The Internet Express Administration utility lets you manage the following Web service components: • Secure Web Server (powered by Apache) — An implementation of the Apache Software Foundation's (ASF) Apache HTTP server for Tru64 UNIX (Section : Secure Web Server Administration). • ht://Dig search tool — A complete World Wide Web index and search system for a domain or an Intranet (Section : ht://Dig Search Tool Administration).
Notes: Only those Web servers that are installed are presented by the Administration utility. For example, if the Internet Monitor is not installed, the Administration Server will not appear. Similarly, if you do not create a public Web server instance when installing the Secure Web Server subset, the public server will not appear. Internet Express Version 6.0 and later allows you to choose either Apache Version 1.3 or Version 2.0, or both for the public Web server.
When you access the Web server, you are given access to privileged files and can perform system management tasks until exiting the browser. Do not leave an Administration session unattended. Limit access to the admin account to those individuals authorized to perform Internet system management tasks. In a TruCluster Server environment, the Secure Web Server runs on all cluster members concurrently. Connections are distributed among the cluster members based on how the cluster alias has been configured.
• Server tuning parameters
• Access control entries
• Listening ports and addresses
• Virtual hosts
• URL defaults
• HTML directory aliases
• CGI directory aliases
• Logging and reporting parameters
The Secure Web Server configuration files are read in the following order:
• httpd.conf
• srm.conf
• access.conf
Note: By default, the configuration files access.conf and srm.conf do not contain any directives. While they remain supported in Internet Express Version 6.
• The Clear button at the bottom of the form • One of the links on the navigation bar at the top of the form to go to another Administration menu Allowing Remote Access to the Internet Monitor Administration Server The installation procedure installs the Internet Monitor Administration Server on port 8086, and initially allows access to the server from the local system only. To allow access to the Internet Monitor Administration Server from remote systems, follow these steps: 1.
1. From the Administration utility Main menu, choose Manage Components.
2. Under Web on the Manage Components menu, choose Ht://Dig Index and Search System. The Ht://Dig Indexing and Search Administration page is displayed (Figure 39).
Figure 39 Ht://Dig Indexing and Search Administration Page
3. To check if the Public Web Server is running, click on Start/Stop the Public Web Server, which connects to the Web Server Administration page.
4.
Figure 40 Link to Ht://Dig Search Index Page
5. Click on the documents symlink button to enable indexing. This action makes the Internet Express documents available from your document root.
6. To update the ht://Dig configuration file (/usr/internet/www/conf/htdig.conf) to specify a start URL or exclude URLs from the search, enter the URL information in the respective fields and click on Update Ht://Dig configuration.
Figure 41 Updated Ht://Dig Configuration File Message You can also configure the ht://Dig search index and run a search from the Tru64 UNIX command shell. After installing ht://Dig, the Internet Express installation script displays the following message, prompting you to create a search index on the server: To create an index of this server, review the configuration in /usr/internet/www/conf/htdig.
# cd /usr/internet/httpd/htdocs
# ln -s /usr/internet/docs/IASS documents
# ln -s /usr/internet/www/htdocs/htdig htdig
2. Edit the /usr/internet/www/conf/htdig.conf file and change the value of start_url, replacing hostname with your system's host name:
start_url: http://hostname/documents
3. Create the search index, as follows:
# /usr/internet/www/bin/rundig -v
Searching the Index After creating the search index (Section : Creating the Search Index), search the index by opening the search page.
8 XML Component Administration The XML components provide commercial-quality, standards-based XML solutions. These components include: Xerces XML parsers in C++ and Java, Xalan XSLT stylesheet processor in C++ and Java, FOP XSL formatting objects in Java, Batik Scalable Vector Graphics (SVG) toolkit in Java, Cocoon XML-based Web publishing in Java, and Apache Axis. All are from the Apache XML Project.
Apache Axis Server Administration As part of the IAEXMLJLIB subset, Internet Express installs the Apache Axis client API for invoking SOAP services. The Apache Axis Server is installed and configured by the IAESOAP subset. The base directory for the Axis webapp is /usr/internet/xml/axis/webapp. Note: The Apache Axis Server requires that the Tomcat Servlet Engine be started using Java Version 1.3.1 or greater.
Internet Express Version 5.9 upgraded Cocoon to the Cocoon Version 2 code level. Because Cocoon Version 2 is nearly a complete rewrite of the original Cocoon project, to serve custom pages you must add configurations to the sitemap.xmap configuration file located in the /usr/internet/httpd/tomcat/cocoon directory. In addition, the main Cocoon configuration file has changed and is now called cocoon.xconf. This file is located in the /usr/internet/httpd/tomcat/cocoon/WEB-INF directory.
9 Network Security Administration This chapter describes how to manage the following network security components: • TCP Wrapper (Section : TCP Wrapper Administration) • FireScreen Firewall (Section : FireScreen Administration) • Snort Intrusion Detection System (Section : Snort Intrusion Detection System) • FreeRADIUS Server Administration (Section : FreeRADIUS Server Administration) TCP Wrapper Administration TCP Wrapper lets you control access to network services.
Table 26 Network Services Wrapped by Internet Express (continued) Network Service Default Access Setting pop2 Allows you to run the POP2 (Post Office Protocol Version 2) e-mail server poppassd Allows you to change passwords popper Allows you to run the POP3 (Post Office Protocol Version 3) e-mail server rexecd Allows you to execute commands on a remote system rlogind Allows you to log in to a remote system rpc.
3. From the TCP Wrapper Administration menu, choose Display/Update Configuration to display a list of the services available on your system and the current access settings for each service.
4. Select the service for which you want to modify access. The TCP Wrapper Service Management form shows the current security setting for the service you chose and offers the settings described in Table 27.
1. Under Network Security on the Manage Components menu, choose TCP Wrapper.
2. From the TCP Wrapper Administration menu, choose Test Configuration to display the Test Configuration form.
3. Select a service from the Service to Test list box.
4. Enter a domain name, IPv4 address, or IPv6 address in the Requesting Client field, using the syntax defined in the hosts_access(5) reference page.
5. Click Submit.
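The Test Configuration form checks a requesting client against the hosts_access(5) rules. The following Python script is an added example (not part of the Administration utility or of tcp_wrappers) that performs the same check offline against constructed hosts.allow and hosts.deny contents; the daemon names, host names and addresses in the sample rules are made up, and only the commonly used subset of the pattern language is implemented.

```python
"""Check whether a client is admitted by TCP Wrapper rules, following hosts_access(5).

Added example for this guide, not part of the Internet Express Administration utility
or of tcp_wrappers. It covers the common subset of the hosts_access(5) language (ALL,
LOCAL, .domain suffixes, address. prefixes, net/mask and [net]/prefixlen, EXCEPT, and the
allow/deny options of hosts_options(5)) in tcpd's order: hosts.allow, hosts.deny, allow.
Netgroups (@name), KNOWN/UNKNOWN/PARANOID and daemon@host patterns are not handled.
"""
import ipaddress
import re

# Constructed sample rule files; the addresses and host names are made up.
HOSTS_ALLOW = """
# site network, except the guest subnet
ALL: 10.1.0.0/255.255.0.0 EXCEPT 10.1.99.
# POP3 and FTP from the example.com domain (rule continued on a second line)
popper, ftpd: \\
    .example.com
# rlogin from the IPv6 site prefix only
rlogind: [2001:db8::]/32
# hosts_options(5): an explicit deny inside hosts.allow
telnetd: nosy.example.com : deny
"""
HOSTS_DENY = """
ALL: ALL
"""

def _fields(line):
    """Split a rule on ':' while leaving IPv6 literals written as [...] intact."""
    return [f.strip() for f in re.split(r":(?![^\[]*\])", line)]

def _tokens(field):
    """List items are separated by blanks and/or commas."""
    return [t for t in re.split(r"[\s,]+", field) if t]

def parse_rules(text):
    """Yield (daemon_tokens, client_tokens, option_fields, rule_text) for each rule."""
    pending = ""
    for raw in text.splitlines():
        part = raw.split("#", 1)[0].rstrip()      # '#' starts a comment
        if part.endswith("\\"):                   # a backslash continues the rule
            pending += part[:-1]
            continue
        line = " ".join((pending + part).split())
        pending = ""
        if not line:
            continue
        fields = _fields(line)
        if len(fields) < 2:
            continue                               # not a daemon_list : client_list rule
        yield _tokens(fields[0]), _tokens(fields[1]), fields[2:], line

def _match_daemon(pattern, daemon):
    name = pattern.split("@", 1)[0]               # daemon@host form: host part ignored here
    return name.upper() == "ALL" or name == daemon

def _match_client(pattern, host, addr):
    p = pattern.lower().replace("[", "").replace("]", "")
    h = host.lower()
    if p == "all":
        return True
    if p == "local":                              # any host name without a dot
        return "." not in h
    if p.startswith("@"):                         # NIS netgroup: not supported here
        return False
    if p.startswith("."):                         # domain suffix, e.g. .example.com
        return h.endswith(p)
    if p.endswith("."):                           # address prefix, e.g. 10.1.99.
        return addr.startswith(p)
    if "/" in p:                                  # net/mask or net/prefixlen
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(p, strict=False)
        except ValueError:
            return False
    return p == h or p == addr.lower()            # exact host name or address

def _match_list(tokens, match_one):
    """'a EXCEPT b EXCEPT c' is parsed as 'a EXCEPT (b EXCEPT c)', as in hosts_access(5)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match_list(tokens[:i], match_one) and not _match_list(tokens[i + 1:], match_one)
    return any(match_one(t) for t in tokens)

def hosts_access(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (verdict, rule): verdict is 'allow' or 'deny'; rule is the first matching
    rule text, or None when nothing matched and tcpd's default (allow) applies."""
    for text, file_verdict in ((allow_text, "allow"), (deny_text, "deny")):
        for daemons, clients, options, rule in parse_rules(text):
            if not _match_list(daemons, lambda p: _match_daemon(p, daemon)):
                continue
            if not _match_list(clients, lambda p: _match_client(p, host, addr)):
                continue
            verdict = file_verdict
            if options and options[0].lower() in ("allow", "deny"):
                verdict = options[0].lower()     # hosts_options(5) overrides the file
            return verdict, rule
    return "allow", None
```

Call hosts_access with the service name, the client's host name and its address, for example hosts_access("telnetd", "guest3", "10.1.99.3"), to see which rule decides the request; pass your own file contents as the last two arguments to test a real configuration.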
Note: The AltaVista Firewall and FireScreen software cannot coexist on the same system. If you plan to use the AltaVista Firewall software, do not install FireScreen. The Administration utility will not allow you to install FireScreen if it detects the presence of the AltaVista Firewall software.
Figure 44 Checking FireScreen Installation Prerequisites
2. Click on Install.
3. At this point in the FireScreen installation, the following startup variables are added to the /etc/rc.config file:
• SCREEND Indicates whether the FireScreen daemon is to be started when the system is booted.
• SCREEND_FLAGS Indicates which options are to be used when the FireScreen daemon is started on the system.
• SCREEND_MODE Indicates whether screening is on.
4. You can specify a different system configuration file, a different kernel, or both, before proceeding with the installation (Figure 45). Note: Modifications that FireScreen makes to your system's kernel configuration file are not preserved when you update the Tru64 UNIX operating system. You must reinstall FireScreen after updating the operating system to replace these modifications and to ensure that the kernel is built with the option required by FireScreen.
Figure 46 Install FireScreen Page with Gateway Screening Enabled Figure 47 shows how the Install FireScreen page appears when gateway screening was disabled in the kernel before FireScreen was installed. Follow the link from the Web-Based Management page to the page for shutting down or rebooting the operating system before configuring FireScreen (Section : Accessing Web-Based System Management Tools). Change the number of minutes to wait from 30 to 1.
Figure 47 Install FireScreen Installation Page with Gateway Screening Disabled Configuring FireScreen To configure FireScreen, on the FireScreen Administration menu, choose Configure FireScreen. Figure 48 shows the Configure FireScreen menu.
Figure 48 Configure FireScreen Menu Use the Configure FireScreen menu to perform the following tasks: • Set command-line options (Section : Setting Command-Line Options) • Set the screening mode (Section : Setting the Screening Mode) • Add a screening rule (Section : Adding a Screening Rule) • Check the syntax of screening rules (Section : Checking Syntax of Screening Rules) • Delete a screening rule (Section : Deleting a Screening Rule) Note: You must restart FireScreen for configuration file ch
To change the default configuration file for FireScreen, make sure the Configuration File check box is selected and enter the full pathname of the configuration file you want to use in the field provided. • 2. Screening records will be logged in the /var/adm/syslog.dated/$DATE/daemon.log file (where the value of $DATE is incremented every 24 hours based on the time that the system was last booted). When the syslog.conf file does not contain a daemon entry, the /var/adm/firescreen.
Notes: The -c option performs the same function as the Check Screening Rules form (Figure 54), so this option is not available on the Set Options form. The -d option is also not available on the Set Options form. If you want to use the -d option to debug FireScreen, you must set this option on the command line. Setting the Screening Mode To set the screening mode for FireScreen, follow these steps: 1. From the Configure FireScreen menu, choose Set Screening Mode. Figure 51 shows the Set Screening Mode form.
This report explains how FireScreen (which is based on the screend daemon) operates, what FireScreen can and cannot do to protect your network, and how to use screening rules to implement firewall security policies. To add a screening rule, follow these steps: 1. From the Configure FireScreen menu, choose Add New Screening Rule. The first time you add a screening rule, the only rule defined is the default rule. 2.
Figure 53 New Screening Rule Confirmation Page To return to the Add New Screening Rule form, use the navigation bar at the top of the screen. To check the syntax of screening rules, see Section : Checking Syntax of Screening Rules. Checking Syntax of Screening Rules To check the syntax of screening rules in the FireScreen configuration file, on the Configure FireScreen menu, choose Check Screening Rules. The existing screening rules are displayed and checked for syntax errors.
Figure 55 Delete Screening Rules Form 3. Click on Delete. Starting and Stopping FireScreen When you make changes to the FireScreen configuration file, you must restart FireScreen for the changes to take effect (Section : Starting FireScreen). When you stop FireScreen with screening mode enabled, all IP forwarding is rejected until FireScreen starts again (Section : Stopping FireScreen).
Figure 57 Start/Stop FireScreen Form with Restart Option Enabled To protect your system from unauthorized access, the Administration utility starts a new FireScreen process, which reads the latest FireScreen configuration file, and then stops any FireScreen process that was previously running, as shown in the confirmation page (Figure 58). Figure 58 Start/Stop FireScreen Confirmation Page Stopping FireScreen To stop FireScreen, follow these steps: 1. 2.
Figure 60 Stop FireScreen Confirmation Page Viewing FireScreen Status Using the View FireScreen Status menu, you can view the following: • Screening rules (Section : Viewing FireScreen Screening Rules) • Log file (Section : Viewing the FireScreen Log) • Statistics (Section : Viewing FireScreen Statistics) To access this menu, choose View FireScreen Status from the FireScreen Administration menu.
Figure 62 View Log File Page To specify the types of events to be recorded in the FireScreen log file, access the Configure FireScreen menu and choose Set Options. See Section : Setting Command-Line Options for more information. Viewing FireScreen Statistics FireScreen invokes the /usr/sbin/screenstat command to display statistics for IP packet handling. To view FireScreen statistics, choose View Statistics from the View FireScreen Status menu. The statistics are displayed (Figure 63).
./snort -vde (include the data link layer headers)
• Packet Logger Mode — log TCP/IP packet headers to disk
Use the previous snort commands along with the -l switch and a log directory name to automatically go into packet logger mode.
./snort -vd -l ./log
You must have an existing directory by that name to prevent Snort from exiting with an error. You should also specify the local host address, using the -h ipaddress switch.
3. Click in a check box to select the desired preprocessor option:
Option Description
Perform IP defragmentation The IP defragmentation preprocessor uses memory management routines that are used in other parts of Snort. It uses the default memory limit of 4194304 bytes (4 MB) and a timeout period of 60 seconds. The timeout period determines the length of time after which an unassembled fragment is discarded.
Considerations While Installing FreeRADIUS The installation procedure includes the build and installation of the IAEFRAD subset. For more details, refer to the Installation Guide. FreeRADIUS is installed in the /usr/local/radius directory. The configuration files exist in the /usr/local/etc/raddb directory. When you install FreeRADIUS, all the necessary directories are created. You can run tests by using existing UNIX system accounts.
Login-Service = Telnet, Login-TCP-Port = Telnet" clients.conf file This file defines a RADIUS client (usually a NAS). The information given here overrides anything given in the clients file, or in the naslist file. The configuration here contains all of the information from those two files, and allows for more configuration items. The shortname is used for logging. The nastype, login and password fields are mainly used for checkrad and are optional. This defines a RADIUS client.
= shadow for the server to be able to read the shadow password file. If you can authenticate users while in debug mode, but not in daemon mode, it may be that the debugging mode server is running as a user that can read the shadow info, and the user listed below cannot.
user = nobody
group = nobody
4. max_request_time: The maximum time (in seconds) to handle a request. Requests which take more time than this to process may be killed, and a REJECT message is returned.
10 Proxy Services Administration The Internet Express Administration utility lets you manage the following Proxy service components: • Dante SOCKS Server – A circuit-level firewall/proxy server that can be used to provide convenient and secure network connectivity to a wide range of hosts (Section : Dante SOCKS Server Administration).
Configuring the Dante SOCKS Server You configure the Dante SOCKS Server by editing the /etc/sockd.conf configuration file. This file controls both access controls and logging and is divided into two parts, server settings and rules. To use the Dante SOCKS Server, you must specify valid information in the method, client pass, and pass fields in /etc/sockd.conf.
Use the Squid Proxy/Caching Server Administration menu to perform the following tasks: • Reinitialize the disk cache (see Section : Reinitializing the Disk Cache) • Manage the Squid Proxy/Caching Server through the Cache Manager Interface (see Section : Managing the Squid Proxy/Caching Server). • Rotate log files (Section : Rotating Log Files). • Display access statistics (Section : Displaying Access Statistics).
See the comments in the squid.conf file for more information on setting passwords for Cache Manager operations. A URL is required only for the Refresh Object operation.
5. Use the Operation list box to select an operation and click on Submit. Only the Shutdown Cache and Refresh Object operations perform an action; the rest display statistical information only.
6. Restart Squid with the following command line: /sbin/init.d/squid_8080 restart
7.
Controlling the Squid Proxy/Caching Server To control the Squid Proxy/Caching Server, follow these steps: 1. From the Administration utility Main menu, choose Manage Components. 2. Under Proxy on the Manage Components menu, choose Squid Proxy/Caching Server. 3. From the Squid Proxy/Caching Server Administration menu, choose Start/Stop the Squid Proxy/Caching Server. The Start/Stop the Squid Proxy/Caching Server page shows the current state of the server. 4.
11 LDAP Directory Server Administration The Lightweight Directory Access Protocol (LDAP) is an Internet standard directory service protocol that runs over TCP/IP. An LDAP server manages entries in a directory, and makes the information available to users and applications across the network. An LDAP server can be used as a central repository of user information. When used in this way, an LDAP server is similar to Network Information Services (NIS), also known as the yellow pages.
Figure 64 LDAP Directory Tree Structure (figure: the root entry o=unix has two children, ou=people and ou=groups; ou=people holds uid=straw and uid=smith, and ou=groups holds cn=Engineering and cn=Marketing. For ou=people the RDN is ou=people and the DN is ou=people, o=unix; for uid=straw the RDN is uid=straw and the DN is uid=straw, ou=people, o=unix.)
The attributes that are required or allowed in a directory entry are defined in an object class. Each directory entry must contain an objectclass attribute that has at least one object class definition for that entry.
Installing and Running the LDAP Browser To install the LDAP Browser on a system, ensure that the Internet Express OpenLDAP subset is installed. Then, follow these steps:
1. From the Internet Express Administration utility Main menu, choose Manage Components.
2. From Directory Services, choose Download LDAP Browser. The Download the LDAP Browser form is displayed.
3. Right-click on the ldapbrowser.jar link to bring up the browser menu.
4. Save the file to a directory on your system.
Field Description Port Enter the port number on which the LDAP server is listening. The default LDAP port is 389. Base DN Enter the base distinguished name for this connection. The base distinguished name defines the top of the directory tree. To obtain a list of base distinguished names for a particular directory, make sure the host name and port fields have been filled in correctly and then click the Fetch button.
and server. For an SSL connection to be established successfully, the following conditions must be satisfied: • The LDAP server must be configured by its administrator to accept SSL connections. The default port for LDAP over SSL is port 636. Many servers are not configured by default to accept SSL connections, so check with the server administrator if there is any doubt. • The authentication certificate presented to the LDAP Browser by the server must be signed by a trusted certificate authority.
directory entry identified by its relative distinguished name (RDN). From the main browsing window, you can perform the following functions: • Operate on a directory entry — Click on an entry in the directory tree, and then choose any of the appropriate operations from the Edit or View menus or from the entry's context-sensitive pop-up menu. • View a directory entry — Click on an entry in the directory tree to select it and see a list of its attributes in the adjoining table.
Client-side schema checking can be enabled and disabled through an Edit menu check box item in either the main browsing window or the add or modify entry forms. When schema checking is enabled, the following behavior is introduced: • In the add and modify entry forms, required attributes are marked with an asterisk (*). • Required attributes cannot be deleted. • The add attribute dialog box presents only choices allowed by the schema.
1. From the main window, choose an entry.
2. From the Edit menu or from the entry's context-sensitive pop-up menu, choose Copy entry.
3. Enter the copy parameters in the resulting dialog box. If the entry is copied to the same parent, a different RDN value for the new entry should be specified; otherwise, an underscore and a sequence number will be appended to the RDN attribute to distinguish it from the original entry.
• The entry can be copied to either the same parent or to a new one.
Deleting Attributes To delete an attribute:
1. From the main window, choose an entry.
2. From the Edit menu or from the attribute list's context-sensitive pop-up menu, choose Delete attribute.
3. Choose whether to delete only the selected values for the attributes or whether to delete all values for the selected attributes.
1. From the list in the template management dialog, select the template to be copied.
2. Click on the Copy button.
3. Enter a new name for the template copy when prompted.
Searching the Directory To search the directory:
1. From the main window, choose an entry to serve as the search base.
2. From the View menu, select Search.
3. The resulting search form prompts for the following information:
• Base DN — The base node for the search
• Search filter — A standard LDAP search filter.
User Configuration File The LDAP Browser stores its configuration information in the file .ldapbrowser.xml in the user's home directory. The contents of this file should not be edited directly. If the LDAP Browser encounters startup errors, one possible cause is that this file has been hand-edited incorrectly or otherwise corrupted. You can attempt to fix the problem by removing or renaming the file and restarting the LDAP Browser.
5. If desired, change the value for Root Distinguished Name. Enter the distinguished name to be used when connecting to the LDAP server for administrative purposes. The Root Distinguished Name is not subject to access control or administrative limit restrictions for operations on this database.
6. If desired, change the value for Administration Password.
7. Click on Submit.
12 OpenSLP Administration Internet Express provides the OpenSLP server and Application Program Interfaces based on the SLP Version 2 standard protocol. The Service Location Protocol (SLP) provides client/server applications with the means to discover and select system services on the network. This chapter provides the following information: • An overview of OpenSLP (Section : OpenSLP Overview). • A listing of OpenSLP configuration files and examples (Section : Configuration Files and Examples).
File/Example Description
slp.spi The SLP security parameter index file. This file is installed in /etc with the appropriate ownership and protection.
example.c The SLP example program. The file is 22KB and is installed in /usr/internet/openslp/examples. Once installed, ownership should be set to the user.
example.conf The SLP example configuration file. This file is installed in /usr/internet/openslp/examples. Once installed, ownership should be set to the user.
example.
http://h30097.www3.hp.com/unix/cdsa Note: CDSA is available only for Tru64 UNIX 5.1 and later. If you are running Tru64 UNIX 5.0A, you cannot run security-enabled SLP. 2. Enable security in OpenSLP by placing the following entry in the /etc/slp.conf configuration file: net.slp.securityEnabled = true 3. In the root account, run the keytool utility to generate pairs of public and private keys. To do this, you must have an account on the system for user daemon.
4. To stop a running OpenSLP daemon, click the Stop button. This action terminates the OpenSLP daemon (slpd).
5. Click the Restart button to stop the OpenSLP daemon and then start it again. The Cancel option leaves the OpenSLP daemon in its current state and displays a message that the daemon will not be changed.
Consider the following notes when you review the SLP APIs used in the examples (Section : Running the Example Configuration) provided with the OpenSLP component: • A service registration with no scope specified is a member of the default scope. Service registrations containing a scope must have DEFAULT listed to be a member of the default scope. A service registration with no naming authority specified is a member of the default naming authority (IANA, represented by the empty string).
and Examples) included in the OpenSLP subset also include documentation that describes operation of the software. The following list describes the SLP documentation available on line: • Introduction to SLP – Provides an overview of the Service Location Protocol and a general description of the agents, messages, and APIs. http://www.openslp.org/doc/html/IntroductionToSLP/index.html • Service Location Protocol Version 2 – Information about the standard protocol for SLP. http://www.ietf.org/rfc/rfc2608.
13 FTP Server Administration File Transfer Protocol (FTP) is a client/server protocol that allows a user on one computer to transfer files to and from another computer over a TCP/IP network. When you set up an anonymous FTP account on your system, any remote user can access your system by means of the user name ftp or anonymous. Once logged in, the user has access to only a special directory hierarchy containing public files, and can copy these files to another system using FTP.
5. • Minimum UID – The Administration utility searches for the specified UID and, if it is available, assigns it to the account. If that UID number is not available, the utility assigns the next highest available UID. • FTP Group Name — Name of the group to which you want to assign the anonymous Pure-FTP account. If the group you specify does not exist, the Administration utility creates it.
1. From the Administration utility Main menu, choose Manage Components.
2. From the Manage Components menu, choose Pure-FTP Server.
3. From the Pure-FTP Server Administration menu, choose Enable/Disable chroot. The current status is displayed (either enabled or disabled).
4. If chroot is enabled, click on Disable to disable the ability to execute chroot. If chroot is disabled, click on Enable to enable the ability to execute chroot.
14 Samba File and Print Server Administration The Samba File and Print Server consists of the following three daemons, each listening on its own port: • smbd—Provides file and print services to SMB clients, such as Windows 2000, Windows NT, or LanManager • nmbd—Provides NETBIOS name serving and browsing support • The daemon for the Samba Web Administration Tool (SWAT), described in Section : Administering the Samba Server Using the SWAT Program The Samba server daemons read the smb.
Example 7 Samba Server Configuration File
; Configuration file for smbd.
[global]   1
workgroup = WORKGROUP
domain master = yes
local master = yes
preferred master = yes
printing = bsd
printcap name = /etc/printcap
load printers = yes
guest account = nobody
browseable = yes
wins support = true
hosts allow = domain_name
;
; This next option sets a separate log file for each client. Remove it if you want a combined log file.
log file = /usr/local/samba/log.
option allows Samba to act as a local master browser. The preferred master option causes the nmbd daemon to force a browser election on startup. For more information on domain masters and browsing, see /usr/internet/docs/samba/Browsing.txt. The printing, printcap name, and load printers options configure the Samba server to allow all printers on the Tru64 UNIX system configured with the normal BSD printing mechanism to be used by the Windows clients.
Note: If you want to allow handling of encrypted passwords on Windows 98 or Windows NT clients, the Samba server must maintain its own password database. (See /usr/internet/docs/samba/htmldocs/ENCRYPTION.html for instructions on how to create the password database.)
5 When hide dot files is set to yes, hidden files on the UNIX system are not displayed in PC client applications (such as Explorer).
6 Internet Express configures the Samba server to preserve case in file names.
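The following is an added example, not code from the Internet Express guide or from the Samba project: a POSIX sh/awk reader for the [global] section of an smb.conf such as Example 7, with a check of three settings that decide who can reach the server (hosts allow, guest account, and encrypt passwords, which the note above explains requires Samba's own password database). The sample configuration files it writes are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the guide or Samba): read [global] settings from
# an smb.conf and flag the ones that widen access.  smbd reads "key = value"
# lines, treats keys case-insensitively, and ignores ';' or '#' comments.

# smb_global_get FILE KEY -> prints KEY's value from the [global] section
smb_global_get() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); insec = 0 }
        /^[[:space:]]*[;#]/ { next }                      # comment line
        /^[[:space:]]*\[/ {                               # [section] header
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
            insec = (tolower(s) == "global"); next
        }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == want) { print v; exit }
        }' "$1"
}

# audit_smb_global FILE -> one finding per line, or "ok" when none fires
audit_smb_global() {
    f=$1 n=0
    if [ -z "$(smb_global_get "$f" "hosts allow")" ]; then
        echo "hosts allow: not set; any host that can reach the port may connect"
        n=$((n + 1))
    fi
    ga=$(smb_global_get "$f" "guest account")
    if [ -n "$ga" ]; then
        echo "guest account: '$ga'; shares marked guest ok need no password"
        n=$((n + 1))
    fi
    case "$(smb_global_get "$f" "encrypt passwords" | tr 'A-Z' 'a-z')" in
        yes|true|1) ;;
        *) echo "encrypt passwords: not enabled; see ENCRYPTION.html"
           n=$((n + 1)) ;;
    esac
    [ "$n" -eq 0 ] && echo ok
    return 0
}

# Constructed sample files (not real configurations): the first mirrors
# Example 7 with "hosts allow" left out, the second is the tightened form.
SMB_WEAK=${TMPDIR:-/tmp}/smb-weak.$$.conf
SMB_HARD=${TMPDIR:-/tmp}/smb-hard.$$.conf
cat > "$SMB_WEAK" <<'EOF'
; Configuration file for smbd.
[global]
   workgroup = WORKGROUP
   printing = bsd
   guest account = nobody
   browseable = yes
   wins support = true
[homes]
   hosts allow = 10.0.0.0/8
EOF
cat > "$SMB_HARD" <<'EOF'
[global]
   workgroup = WORKGROUP
   hosts allow = 10.0.0.0/8 127.0.0.1
   encrypt passwords = yes
[homes]
   guest account = nobody
EOF

audit_smb_global "$SMB_WEAK"    # three findings
audit_smb_global "$SMB_HARD"    # ok
```

Settings under a share section such as [homes] are deliberately ignored, so a "hosts allow" placed outside [global] does not mask a missing global restriction.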
The smb.conf file is a configuration file for the Samba suite. This file consists of several sections and parameters. Each section describes a shared resource, known as a share. The special sections include Global, Homes, and Printers. When you select Configure the Samba Server, the Home menu shown in Figure 67 displays.
Figure 67 Configure the Samba Server Menu
From the Configure the Samba Server menu, you can perform the following tasks:
• Display the SWAT home page, which contains pointers to online documentation for the related daemons and components.
• Set global variables in the smb.conf file (see Section : Configuring Global Variables).
• Set parameters for shares, as defined in the smb.
Controlling Printers
This page allows you to set parameters for printers. By default, the Printer Parameters page shows the Basic View of the settings. To view a more complete list of parameters, select the Advanced View option. To set parameters for shares, follow these steps:
1. From the Administration utility Main menu, choose Manage Components.
2. From the Manage Components menu, choose Samba Server.
3. From the Samba Server Administration menu, choose Configure the Samba Server.
4.
5.
6.
6. If you are modifying a password for an existing user, enter the current password in the Old Password field, then enter the new password in the New Password field and in the Retype New Password field.
7. Click on the Change Password button.
To set SMB passwords on the Client/Server Password Management page, follow the previous steps. There is one additional field that you can fill in, Remote Machine.
15 InterNetNews Server Administration

Using the Administration utility, you can set up your news server in the following ways:
• You can use news as a local bulletin board; all information is local to your news server and is not propagated to the external InterNetNews (INN) network. Many Internet Service Providers (ISPs) configure news in this manner.
• You can configure your news server to be a fed site.
Figure 68 InterNetNews Administration Menu
Note: For information on tuning your system to improve the performance of your news server, visit the following Tru64 UNIX site: http://h30097.www3.hp.com/internet/inn_wp.
Figure 69 Configuring the INN Server
The fields for configuring a news server are as follows:
• Domain—This field specifies the domain name of your system. By default, the domain name of your system is used. Enter a value in this field only if your system's host name (as stored in the HOSTNAME variable in the /etc/rc.config file) is not domain qualified.
• From Host—This field is optional.
the newsfeed server administrator which news categories, or newsgroups, you want (or do not want) to be fed to your server.
4. From the Configure External Newsfeeds menu, choose Display External Newsfeeds. The Administration utility displays the default external newsfeed configuration that applies to all newsfeeds (that is, the values for Send These Newsgroups and Do Not Send These Newsgroups). The Display External Newsfeeds page also lists newsfeed hosts, including the dummy newsfeed (see Section : Adding an External Newsfeed), and the flags and parameters that have been set for each.
5.
The news server does not feed this article to any newsfeed server whose host name appears in the path header. INN uses this mechanism to prevent newsfeed servers from sending back copies of news articles they have received.
b. This step is optional. In the Newsgroups to Propagate and Newsgroups NOT to Propagate fields, enter the newsgroups you want sent or not to be sent to your news server. The newsgroups that match the specifications in these fields constitute the subscription list for your site.
    Tf,Wnm:newsfeed_hostname
T is the flag for the type of feed and f is the value for a file feed. W is the flag that controls what information is written. The value n causes INN to write the article's message ID to the file represented by the newsfeed_hostname file. The value m causes the INN Server to write the article's message ID. This file is found in the out.going directory. (On an AlphaServer system, the file is usually /data/spool/news/out.going/newsfeed_hostname.
4. From the Configure External Newsfeeds menu, choose Modify Newsfeed Defaults.
5. Modify data shown on the Modify Newsfeed Defaults form and click on Submit. For more information on the fields on this form, see Section : Adding an External Newsfeed.
Updating the Local Active File
You can use the actsync utility to automatically update your news server's local active file. The actsync utility copies or merges changes from your newsfeed's active file into the active file residing on the local system.
Displaying Client Access Groups
To display the client access definitions that exist on your system, follow these steps:
1. From the Administration utility Main menu, choose Manage Components.
2. On the Manage Components menu, choose InterNetNews.
3. From the InterNetNews Administration menu, choose Configure Client Access.
4. From the Configure Client Access menu, choose Display Client Access Groups.
Table 29 Access Groups Form Fields (continued)
Name                 Description
Contact Address      Specifies a contact e-mail address for the administrator of the InterNetNews Server.
Date in localtime?   If a Date: header is not included in a posted article, nnrpd normally adds a new Date: header in UTC. If this is set to Yes, the Date: header will be formatted in local time instead. This is a boolean value and the default is No.
4. From the Modify Client Access menu, choose Modify Client Access Groups.
5. In the Existing Access Groups list box, select the group you want to remove.
6. Click on Delete. The Administration utility displays a message indicating that the client access definition has been removed.
7. To return to the Modify Client Access Groups menu or the InterNetNews Administration menu, use the navigation bar at the top of the screen.
Table 30 Client Authentication Groups Menu Fields (continued)
Name                          Description
User Resolver Command         Specifies the command line of a program to be executed to resolve the identity of an incoming connection. This program must be in the /usr/news/bin/auth/resolv directory. This is an optional field and can be left blank.
User Authentication Command   Specifies the command to be executed to authenticate the user making the connection request. This program must be in the /usr/news/bin/auth/passwd directory.
5. In the Existing Authentication Groups list, select the name of the group you want to modify.
6. Click on Modify. The Modify Authentication Groups menu is displayed.
7. In the list box of existing groups, click on the group that you want to precede or follow the new group in the list.
8. Click on either the Before or After selection field.
9. On the Modify Client Authentication Groups form, modify the data you want to change.
10. Click on Submit.
Adding a New Storage Method Class
Table 31 describes the options on the Configure Storage menu.
Table 31 Options on the Configure Storage Menu
Option                       Description
Placement                    Indicates the search order of the group, relative to other methods.
Storage Type                 Indicates either tradspool, cnfs, timecaf, or trash. For a description of these types, see the storage.conf(5) reference page.
Newsgroups in this method    Indicates the categories of newsgroups that are to be stored using the method.
8. Modify the fields as desired. Table 31 (page 238) describes the fields.
9. Click on Submit.
Deleting a Storage Method Class
To delete a storage method class, follow these steps:
1. From the Administration utility Main menu, choose Manage Components.
2. On the Manage Components menu, choose InterNetNews.
3. From the InterNetNews Administration menu, choose Configure Storage Options.
4. From the Configure Storage Options menu, choose Configure Storage Method Entries.
5.
6.
7.
Note: The buffer will be automatically created if it does not already exist and is the size specified.
   d. In the Size field, enter a value (in kilobytes) for the size of the buffer.
   e. Click on Submit.
7. To add a new metacycbuff entry:
   a. Enter a name in the New Metacycbuff field.
   b. Click on Add. The Add Storage Method menu is displayed.
   c. Next to the Uses cycbuff entries label, select the cycbuff entry from the list to be associated with the new metacycbuff entry.
   d.
Deleting CNFS Entries
To delete CNFS entries, follow these steps:
1. From the Administration utility Main menu, choose Manage Components.
2. On the Manage Components menu, choose InterNetNews.
3. From the InterNetNews Administration menu, choose Configure Storage Options.
4. From the Configure Storage Options menu, choose Configure the CNFS Storage Method.
5. Choose Modify Storage Method Entries. The Modify CNFS Entries menu is displayed, showing the currently defined CNFS entries.
6.
• All newsgroups matching *
  Articles with expiration headers are kept for a minimum of one day and a maximum of four days. Articles without expiration headers are kept for four days.
• All newsgroups matching local.*
  Articles are kept for a minimum of one day and are retained the maximum number of days specified by the default article expiration definition (unless the article has an expiration header that causes it to be purged sooner).
buttons in this field to accept the minimum and maximum values specified in the expiration header, or to override either or both values.
   c. Flush Article With Expiration Headers—Articles with expiration headers specify a minimum and maximum number of days to keep expired articles. Use the radio buttons in this field to accept the minimum and maximum values specified in the expiration header, or to override either or both values.
Figure 70 Specifying an Article Expiration Definition
6. Click on Submit. The Administration utility displays a message indicating that the article expiration definition has been added. You can use the navigation bar at the top of the page to return to the Modify Article Expiration Definitions menu or the InterNetNews Administration menu.
1. From the Administration utility Main menu, choose Manage Components.
2. On the Manage Components menu, choose InterNetNews.
3. From the InterNetNews Administration menu, choose Modify Article Expiration Definitions.
4. Choose Modify Article Expiration Definitions.
5. In the Existing Article Expiration Definitions list box, select a news pattern for which you want to modify the article expiration definition, then click on Modify.
6.
7.
Creating Local Newsgroups To create a local newsgroup, choose Add/Delete Local Newsgroups from the InterNetNews Administration menu. The Add/Delete Local Newsgroups form shows the existing local newsgroups (if any) and provides a field where you can enter the name of a new local newsgroup. When you create a local newsgroup, use the prefix local. to exclude it from external newsgroups. Choose a name that describes the purpose or content of the information offered by the newsgroup (for example, local.org.
Controlling the INN Server
To control the INN server, follow these steps:
1. From the Administration utility Main menu, choose Manage Components.
2. On the Manage Components menu, choose InterNetNews.
3. From the InterNetNews Administration menu, choose Start/Stop the INN Server.
4. Depending on the current status of the INN server (shown at the top of the page), you can select the following:
   • Stop the INN server—Available when the current status is running.
16 Internet Relay Chat Administration

Internet Relay Chat (IRC) allows users to communicate with each other in real time across a network of Internet servers.
Configuring IRC
Information on configuring IRC is included in /usr/internet/irc/example.conf on the Internet Express kit. You can customize your Internet Relay Chat (IRC) server by modifying the configuration file, /usr/internet/irc/lib/ircd/ircd.conf. The configuration options are documented in the comments in this file.
17 PostgreSQL Database and MySQL Administration

Internet Express provides the PostgreSQL and MySQL database management systems. PostgreSQL is an advanced database server that supports most SQL constructs, including subselects, transactions, and user-defined types and functions. Each PostgreSQL server controls access to a number of databases, storage areas used by the server to partition information.
1. From the Manage Components menu, choose PostgreSQL Database Management System. The Manage PostgreSQL menu is displayed (Figure 71).
Figure 71 Manage PostgreSQL Menu
2. From the Manage PostgreSQL menu, choose Start/Stop PostgreSQL. The current state of the PostgreSQL server is displayed:
   • To start a stopped server, click on the Start button.
   • If the server is running, click on Stop to stop the server or Restart to stop and restart the server.
1. From the Manage Components menu, choose PostgreSQL Database Management System. The Manage PostgreSQL menu is displayed (Figure 71).
2. On the Manage PostgreSQL menu, choose View PostgreSQL Log. The contents of the log file are displayed, as in Figure 73. Use the standard navigation features to advance page by page, go to a specific page, or search for a particular text string.
Table 32 PostgreSQL Files and Directories
Directory                        Contents
/usr/internet/pgsql/man          Location of PostgreSQL reference pages.
/usr/internet/pgsql/doc          Location of the PostgreSQL documentation.
/usr/internet/pgsql/bin/         Location of the PostgreSQL commands.
/usr/internet/pgsql/             Home directory of the PostgreSQL account where all files and directories are installed.
/usr/internet/pgsql/.profile     Contains a set of environment variable definitions for running most PostgreSQL commands.
Using the Administration utility, you can set up a crontab entry that runs a vacuum on your entire database at a specified time of day at daily or weekly intervals. The PostgreSQL server must be running for the vacuum to be performed. Although the vacuum can run in parallel with normal database operations (that is, select, insert, update, and delete), HP recommends that you schedule your database to be vacuumed during a low-usage period.
1. From the Manage Components menu, choose PostgreSQL Database Management System.
2. From the PostgreSQL Database Management System form, choose Setup Vacuum Crontab. The Setup Vacuum Crontab form is displayed, allowing you to specify and submit the database vacuum options (Figure 74).
Figure 74 Setup Vacuum Crontab Form
3. On the Setup Vacuum Crontab form, provide the following settings:
   • Select the desired frequency for the database vacuum: daily or weekly. If you select weekly, also select the day of the week on which you want to run the vacuum.
   • Select the time of day using 24-hour clock format. This is the time at which the vacuum will run.
   • If your system is part of a cluster, you must also select the cluster member from which to run the vacuum.
4.
5.
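As an added example (not the Administration utility's own code), the shell functions below build and install the crontab entry that the Setup Vacuum Crontab form describes, validating the frequency, day of week and 24-hour time before anything touches the crontab. They assume the PostgreSQL commands live in /usr/internet/pgsql/bin (Table 32); the vacuum log path is my choice, not the guide's.

```sh
#!/bin/sh
# Added example (not from the guide): crontab line for a whole-server
# vacuum, from the same choices the Setup Vacuum Crontab form offers.
PGBIN=${PGBIN:-/usr/internet/pgsql/bin}                     # Table 32
VACUUM_LOG=${VACUUM_LOG:-/usr/internet/pgsql/data/vacuum.log}   # assumed path

# vacuum_cron_line FREQ TIME [DAY]
#   FREQ = daily | weekly; TIME = HH:MM on the 24-hour clock; DAY = 0-6
#   (0 = Sunday), required for weekly.  Prints the crontab line, or an
#   error on stderr with exit status 1.
vacuum_cron_line() {
    freq=$1 when=$2 day=$3
    case "$when" in
        [0-2][0-9]:[0-5][0-9]) ;;
        *) echo "time must be HH:MM, got '$when'" >&2; return 1 ;;
    esac
    hh=${when%:*}; mm=${when#*:}
    hh=${hh#0}; mm=${mm#0}      # drop a leading zero so "08" is not read as octal
    [ "$hh" -le 23 ] || { echo "hour $hh out of range" >&2; return 1; }
    case "$freq" in
        daily) dow='*' ;;
        weekly)
            case "$day" in
                [0-6]) dow=$day ;;
                *) echo "weekly needs a day of week 0-6" >&2; return 1 ;;
            esac ;;
        *) echo "frequency must be daily or weekly" >&2; return 1 ;;
    esac
    # crontab fields: minute hour day-of-month month day-of-week command.
    # vacuumdb --all vacuums every database the running server holds.
    printf '%s %s * * %s %s/vacuumdb --all --quiet >>%s 2>&1\n' \
        "$mm" "$hh" "$dow" "$PGBIN" "$VACUUM_LOG"
}

# install_vacuum_cron LINE
#   Replaces any earlier vacuumdb entry in the caller's crontab with LINE,
#   so re-running the setup does not stack duplicate jobs.  Not called
#   here because it changes the live crontab.
install_vacuum_cron() {
    { crontab -l 2>/dev/null | grep -v "$PGBIN/vacuumdb"; printf '%s\n' "$1"; } | crontab -
}

# Constructed calls: a daily 02:30 vacuum and a weekly one on Friday at 23:00.
vacuum_cron_line daily 02:30
vacuum_cron_line weekly 23:00 5
```

The job runs as whichever account owns the crontab, so install it from the PostgreSQL account (whose .profile sets the needed environment) rather than from root.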
5. Look for the postmaster process:
   # ps -ef | grep postmaster
   If the postmaster process failed to start, increase your kernel's shared memory size limits, as follows:
   a. Review the /usr/internet/pgsql/data/postmaster.log file for an error message produced when trying to start the postmaster. Most likely, you will see an error message similar to the following message:
      IpcMemoryCreate: shmget(key=5432001, size=28901376, 03600) failed: Invalid argument
   1.
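An added example, not from the guide: the functions below read postmaster.log for the IpcMemoryCreate failure shown in step 5a, extract the segment size the postmaster requested, and compare it with a shared-memory limit you pass in, so you can see how far the limit must be raised. Where that limit is read from is an assumption of mine (on Tru64 UNIX, the shm_max attribute of the ipc subsystem, shown by sysconfig -q ipc shm_max); the log excerpt is constructed around the message quoted above.

```sh
#!/bin/sh
# Added example (not from the guide): size up a failed shmget request
# from postmaster.log against the kernel's shared-memory limit.

# shm_requested_sizes LOG -> "key size" for each shmget failure in LOG
shm_requested_sizes() {
    sed -n 's/.*IpcMemoryCreate: shmget(key=\([0-9]*\), size=\([0-9]*\),.*failed.*/\1 \2/p' "$1"
}

# shm_needed LOG LIMIT -> largest requested size above LIMIT, or 0 when
# LIMIT already covers every request in the log
shm_needed() {
    shm_requested_sizes "$1" | awk -v limit="$2" '
        $2 > limit && $2 > need { need = $2 }
        END { print need + 0 }'
}

# shm_report LOG LIMIT -> one-line verdict for the administrator
shm_report() {
    need=$(shm_needed "$1" "$2")
    if [ "$need" -eq 0 ]; then
        echo "shared memory limit $2 covers the postmaster's requests"
    else
        echo "raise the shared memory limit from $2 to at least $need bytes, then restart the postmaster"
    fi
}

# Constructed log excerpt (not a real file) containing the guide's message.
PGLOG=${TMPDIR:-/tmp}/postmaster-sample.$$.log
cat > "$PGLOG" <<'EOF'
IpcMemoryCreate: shmget(key=5432001, size=28901376, 03600) failed: Invalid argument
FATAL: could not create shared memory segment
EOF

shm_report "$PGLOG" 16777216    # limit too small for the 28901376-byte request
shm_report "$PGLOG" 33554432    # limit already large enough
```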
Administering MySQL This section describes the files and processes initiated by the MySQL installation, related scripts, and MySQL configuration files and log files.
Starting and Stopping the MySQL Server Using a Command Line
Internet Express provides a startup script for MySQL in /sbin/init.d/mysql. Use the following command to start MySQL on the command line:
    # /sbin/init.d/mysql start
Use the following command to stop MySQL on the command line:
    # /sbin/init.d/mysql stop
MySQL Configuration Files
The file /etc/my.cnf stores default startup options for both the server and for clients.
18 BIND Domain Name Server Administration

The Domain Name System (DNS) is a hierarchical, distributed database that stores information for mapping Internet host names to IP addresses and vice versa. It also stores mail routing information and other data used by Internet applications. The Internet Express version of the Berkeley Internet Name Domain (BIND) implements a domain name server for the Tru64 UNIX operating system.
Table 35 describes the contents of the binary file directories. See the BIND reference pages and the BIND Administrator Reference Manual (/usr/internet/docs/bind9/arm) for additional information about these files.
Table 35 BIND Binary File Directories
File                 Description
/usr/sbin/lwresd     Lightweight Resolver Daemon—Experimental daemon that provides name lookup services to clients using the BIND Version 9.3.6-P1 lightweight resolver library.
Table 35 BIND Binary File Directories (continued)
File                 Description
/usr/bin/nslookup9   DNS lookup utility—Displays the following message: "Note: nslookup is deprecated and may be removed from future releases. Consider using the `dig' or `host' programs instead. Run nslookup with the `-sil[ent]' option to prevent this message from appearing."
/usr/bin/nsupdate    Dynamic DNS update utility—Submits Dynamic DNS Update requests as defined in RFC 2136 to a name server.
Note: Do not manually start the named daemon. Do not run the named daemon on more than one cluster member, and do not start multiple named daemons on a single host.
Running the BIND Startup Script
After enabling the BIND Version 9.3.6-P1 or BIND Version 8 server (Section : Enabling BIND), start the BIND server from the UNIX command prompt as follows:
1. Enter /sbin/init.d/named start.
2. Enter /sbin/rcinet start.
3. Reboot the system.
BIND Version 9.3.6-P1 will run on Tru64 UNIX Version 5.0A and later.
Documentation for setting up a dynamic domain name server using BIND Version 9.2.0 can be found at the following URL:
    http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html
Additional information on BIND Version 9.3.6-P1 can be found at the Internet Software Consortium's BIND Web site:
    http://www.isc.org/products/BIND/bind9.
19 Jabber

The jabberd server is the original open-source server implementation of the Jabber protocol, and is the most popular software for deploying Jabber either inside a company or as a public IM service.
Controlling the Jabber Server
To control the Jabber server, follow these steps:
• From the Administration utility Main menu, choose Manage Components.
• From the Manage Components menu, choose Jabber.
• From the Jabber Administration page, choose Start/Stop the Jabber Server.
20 Twiki

TWiki is a flexible, powerful, and easy-to-use enterprise wiki. The structured wiki is typically used to run a project development space, a document management system, a knowledge base, or any other groupware tool, on an intranet or on the Internet. Web content can be created collaboratively by using just a browser. Users without programming skills can create web applications. Developers can extend the functionality of TWiki with plugins.
21 Stunnel

Stunnel is an SSL library that enables users to secure (encrypt) otherwise insecure sessions.
Sample Client Server Configuration
Following are the steps for setting up the client and server:
1. Create the Stunnel client config file /usr/internet/stunnel/etc/stunnel/client.conf. A sample client config file is as follows:
    cert = /usr/internet/openssl/bin/cacert.pem
    key = /usr/internet/openssl/bin/privkey.pem
    # Use in client mode
    client = yes
    pid = /client-stunnel.
A Sendmail Supplemental Information

This appendix includes the following Sendmail information:
• How to create a certificate of authority (Section : Creating a Certificate of Authority)
• Background on OpenSSL certificate creation (Section : Background - OpenSSL Certificate Creation)
• A sample mail filter (Section : Mail Filter Example)
Creating a Certificate of Authority
Local SSL certificates can be created using the security software included in the Sendmail subset of Internet Express.
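The following is an added example, not the Sendmail subset's own tooling: the OpenSSL commands behind creating a local certificate authority. It generates a CA key and self-signed CA certificate, issues a server certificate signed by that CA, and proves the chain with openssl verify. The file names cacert.pem and privkey.pem follow the Stunnel sample above; the directory, subject names and lifetimes are my choices.

```sh
#!/bin/sh
# Added example (not from the guide): a minimal local CA with OpenSSL.

# make_local_ca DIR CA_CN SERVER_CN
#   Creates DIR/privkey.pem (CA key, mode 0600), DIR/cacert.pem (CA
#   certificate), DIR/server.key and DIR/server.crt.  Prints "OK" when the
#   server certificate validates against cacert.pem; exit status 1 on error.
make_local_ca() {
    dir=$1 ca_cn=$2 srv_cn=$3
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # 1. CA private key and self-signed CA certificate (5 years).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
        -subj "/CN=$ca_cn" -keyout "$dir/privkey.pem" -out "$dir/cacert.pem" \
        >/dev/null 2>&1 || return 1
    chmod 600 "$dir/privkey.pem"       # the CA key must never be world-readable
    # 2. Server key plus a certificate signing request for it.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$srv_cn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/server.key"
    # 3. The CA signs the request; the leaf gets a shorter lifetime (1 year).
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/privkey.pem" -CAcreateserial \
        -out "$dir/server.crt" >/dev/null 2>&1 || return 1
    # 4. Verify the chain the way a TLS peer would, trusting only cacert.pem.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/server.crt" 2>/dev/null | sed 's/^.*: //'
}

# cert_issuer FILE -> issuer DN of a PEM certificate (to confirm who signed it)
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Usage: make_local_ca /usr/internet/openssl/bin "Example Local CA" mail.example.test
```

A service that presents server.crt should hand the CA certificate, not the CA key, to the peers that need to verify it.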
Mail Filter Example
This sample code is taken from the sendmail.org distribution, the sendmail/milter/README file:
Note that this filter may not be thread safe on some operating systems. You should check your system man pages for the functions used below to verify the functions are thread safe.

    /* A trivial filter that logs all email to a file. */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <sysexits.h>
    #include <unistd.h>
    #include "libmilter/mfapi.
        /* continue processing */
        return SMFIS_CONTINUE;
    }

    sfsistat
    mlfi_body(ctx, bodyp, bodylen)
        SMFICTX *ctx;
        u_char *bodyp;
        size_t bodylen;
    {
        /* output body block to log file */
        if (fwrite(bodyp, bodylen, 1, MLFIPRIV->mlfi_fp) <= 0)
        {
            /* write failed */
            (void) mlfi_cleanup(ctx, false);
            return SMFIS_TEMPFAIL;
        }

        /* continue processing */
        return SMFIS_CONTINUE;
    }

    sfsistat
    mlfi_eom(ctx)
        SMFICTX *ctx;
    {
        return mlfi_cleanup(ctx, true);
    }

    sfsistat
    mlfi_close(ctx)
        SMFICTX *ctx;
    {
        return SMFIS_ACCEPT;
    }

    sfsistat
    mlfi_abo
    {
        "SampleFilter",     /* filter name */
        SMFI_VERSION,       /* version code -- do not change */
        SMFIF_ADDHDRS,      /* flags */
        NULL,               /* connection info filter */
        NULL,               /* SMTP HELO command filter */
        mlfi_envfrom,       /* envelope sender filter */
        NULL,               /* envelope recipient filter */
        mlfi_header,        /* header filter */
        mlfi_eoh,           /* end of header */
        mlfi_body,          /* body block filter */
        mlfi_eom,           /* end of message */
        mlfi_abort,         /* message aborted */
        mlfi_close          /* connection cleanup */
    };

    int
    main(argc, argv)
        int argc;
        char *argv
Glossary

Access filtering
    The preferred means of filtering IP packets at a system, router, gateway, or firewall on Tru64 UNIX operating systems. Access filtering is the means for implementing Ingress and Egress filtering. See also Ingress filtering and Egress filtering.
Administrative domain
    The set of systems or networks over which you have administrative control.
Apache Web Server
    A freely available UNIX-based Web server. It is currently the most commonly used server on Internet connected sites.
DoS
    Denial of Service. Interruptions to Internet service caused by a DoS attack.
DoS attack
    An attack against a Web site, a network, a system, or other service provider intended to disrupt its ability to provide services to its users. Software that performs a DoS attack (DoS software) overloads the service provider with requests for service until its capacity to respond to new service requests is exceeded. Legitimate requests for service cannot reach the service until the attack is stopped.
Network News Transfer Protocol
    See NNTP.
newsgroup
    A hierarchical subject category into which InterNetNews articles are organized.
NNTP
    Network News Transfer Protocol. A protocol for the distribution, inquiry, retrieval, and posting of Usenet news articles over the Internet. NNTP is an ASCII text protocol that lets you connect to the server using telnet if you do not have a news reader program.
POP
    Post Office Protocol. A protocol that allows single-user hosts to read electronic mail from a server.
Transmission Control Protocol/Internet Protocol
    See TCP/IP.
UUCP Mapping Project
    UNIX-to-UNIX Copy Program. A utility and protocol that allows a UNIX machine to copy files to another UNIX machine by means of serial lines. The mapping project is an effort to provide a world-wide registry of host names. The current map is posted in the comp.mail.maps newsgroup.
Verisign
    A dominant certificate authority on the Internet, though many of its certificates are signed as RSA Data Security.
Index Symbols .users.list file, 39, 55 managing, 55 removing, 56 /usr/news/etc/moderators file, 227 A access database configuring, 105 preserving quotation marks and escape characters in keys, 106 preventing conversion of keys to lowercase, 107 preventing database lookup, 106 specifying pathname, 106 access.
displaying entries, 239 modifying entries, 240 Cocoon Servlet administration, 165 disabling, 166 enabling, 166 managing, 166 viewing log files, 166 Computer Emergency Response Team see CERT Computer Incident Advisory Capability see CIAC Computer Security Resource Clearinghouse see CSRC config.
deleting, 48 specifying parent directory, 43 storing in LDAP directory, 43 GIDs assigning users, 46 GnuPG Web site, 30 group, 41 see also IASS_Usr group see also Lkr_Usr_ group adding accounts to, 41 assigning GIDs, 46 creating, 42, 46 primary for UNIX users, 42 storing in LDAP directory, 46 User Self-Administration feature, 61 H Hewlett-Packard Company AlphaServer products and services Web site, 29 Horde Application framework, 137 managing settings, 148 host alias creating, 92 deleting, 92 masquerading, 1
modifying an external newsfeed, 231 modifying article expiration definition, 244 modifying client authentication groups, 236 modifying CNFS entries, 240 modifying expired article retention period, 245 modifying newsfeed defaults, 231 nnrpd daemon, 226 reloading configuration file, 247 removing a client access definition, 234 removing an external newsfeed, 231 specifying configuration data, 226 starting, 247 updating local active file, 232 updating the active configuration file, 228 viewing log files, 246 We
deleting, 110 modifying, 109 sample, 269 mail server configuring for virtual domains, 101 creating host alias, 92 creating pseudo domain alias, 94 deleting host alias, 92 deleting pseudo domain alias, 94 mail server log (IMAP), 136 mail server log (POP), 133 mail server log (SMTP), 119 mail service APOP with encrypted password, 55 changing, 52 Cyrus IMAP, 54 Cyrus IMAP with password, 54 POP with password, 53 regular delivery, 53 types, 52 mail transport agent integration with bogofilter, 130 mailbox configu
viewing general log file, 259 Web site, 32 example files, 207 overview, 207 running services, 209, 210 using configuration files, 208 using registration files, 208 Web site, 32 N named captive user account changing mail service, 52 changing password, 51 changing secondary groups, 49 creating, 42 deleting, 48 specifying parent directory, 42 storing in LDAP directory, 42 netconfig utility, 171 netsetup utility, 171 network service access options, 169 newsgroup creating local, 246 deleting local, 246 managin
Proxy service see Squid Proxy/Caching Server public Web server accessing, 156 Pure-FTP Server, 213 administering, 213 enabling and disabling, 213 Web site, 33 Q queue groups configuring for Sendmail, 111 R rc.config file, 227 reference pages modified mailcv command, 135 registration form online, 20 relational database management system see PostgreSQL relative distinguished name, 195 remote access Internet Monitor Administration Server, 159 S Samba File and Print Server, 216 see also smb.
login screening events, 177 system management see Web-based system management T TCP security testing modifications, 169 TCP Wrapper adding service to list, 168 administration, 167 controlling access to other network services, 168 default access to network services, 167 modifying access, 168 testing security modifications, 169 Web site, 34 TIN Web site, 34 TLS configuring, 114 Tomcat, 165 Web site, 34 TruCluster Server administration notes, 23, 24 Trusted Layer Security see TLS Turba addressbook/contact man