Internet Services Delta Manual for HP-UX 11i Version 1.
© Copyright 2002 Hewlett-Packard Company Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
Contents

1 Sendmail 8.11.1
    Chapter Overview
    Sendmail 8.11.1 Features
        Multiple Queue Directories ...
    Improved Logging Mechanism
    Extended Configuration Syntax and Options
        New Options in "options" Statement
        New Options in "zone" Statement
        New Option in "server" Statement ...
1 Sendmail 8.11.1

Availability of the new version of Sendmail 8.11.1 on various HP-UX platforms is summarized in the table below.

Table 1 Available Sendmail Versions
    HP-UX Software      Availability
    11.00               Available as web upgrade
    11i                 Available as web upgrade
    11i Version 1.6     Shipped with Sendmail 8.11.1

Chapter Overview
This chapter contains the following sections:
• Sendmail 8.11.
NOTE: The sendmail.cf file is installed in the directory /usr/newconfig/etc/mail. You must copy sendmail.cf to the directory /etc/mail before using any of the features listed below.

Multiple Queue Directories
This feature enables parallel processing of mail by spreading the process load across multiple disks. Queue performance degrades with the number of entries in a single queue directory, so splitting the queue improves it.
DaemonPortOptions
This option can be used to customize the daemon's SMTP service. The default value for the field 'Family' is 'inet', even if DaemonPortOptions is not defined or no value for 'Family' is given in the DaemonPortOptions setup. By default, DaemonPortOptions appears in the sendmail.cf file as:

    O DaemonPortOptions=Name=MTA, Family=inet
    O DaemonPortOptions=Port=587, Name=MSA, M=E

NOTE: For more information on the MSA, read the "Spam Control using Message Submission Agent" section below.
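The following is an added example (not from this manual or from the sendmail sources) that parses the DaemonPortOptions lines of a sendmail.cf, applies the documented default of Family=inet, and reports submission daemons on port 587 whose modifier list does not include 'a' (require authentication). The sendmail.cf text is constructed for the example; the third line, with the MSA-auth name and Addr=127.0.0.1, is an assumption added to show a contrasting configuration.

```python
# Added example: parse "O DaemonPortOptions=" lines from a sendmail.cf and
# flag message submission daemons (port 587) that do not require AUTH.
# SAMPLE_CF is constructed; the MSA-auth line is not part of the manual.

SAMPLE_CF = """\
O DaemonPortOptions=Name=MTA, Family=inet
O DaemonPortOptions=Port=587, Name=MSA, M=E
O DaemonPortOptions=Port=587, Name=MSA-auth, Addr=127.0.0.1, M=Ea
"""

PREFIX = "O DaemonPortOptions="


def parse_daemon_port_options(cf_text):
    """Return one dict per DaemonPortOptions line with defaults applied."""
    daemons = []
    for line in cf_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = {}
        for item in line[len(PREFIX):].split(","):
            key, _, value = item.strip().partition("=")
            fields[key] = value
        # Family defaults to inet when absent (as the manual states).
        fields.setdefault("Family", "inet")
        # Port defaults to the smtp service; an unset Addr means the daemon
        # listens on every interface.
        fields.setdefault("Port", "smtp")
        fields.setdefault("Addr", "0.0.0.0")
        fields.setdefault("M", "")
        daemons.append(fields)
    return daemons


def unauthenticated_submission_daemons(daemons):
    """Names of port-587 daemons whose modifiers lack 'a' (require AUTH)."""
    return [d["Name"] for d in daemons
            if d["Port"] in ("587", "submission") and "a" not in d["M"]]


if __name__ == "__main__":
    found = parse_daemon_port_options(SAMPLE_CF)
    for d in found:
        print(d)
    print("submission daemons without AUTH:",
          unauthenticated_submission_daemons(found))
```

The default MSA line shipped in sendmail.cf carries only M=E (disallow ETRN); a submission port that accepts unauthenticated mail from any address is just a second MTA listener, so the check above is the one to run after editing the file.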
Spam Control Using MSA (RFC 2476) Message Submission Protocol is a means for MUAs to introduce new messages into the message transfer agent routing network. Messages being submitted by MUAs, in some cases, may be unfinished. Unfinished messages need to be completed by the MSA before submitting to the MTA. It also helps in implementing authenticated submission, including off-site submission by authorized users such as travellers. The messages received on port 587 are regarded as "submitted messages".
• dnsbl
This new DNS-based blacklist option replaces 'rbl', the Realtime Blackhole List feature that was included in the Sendmail 8.9.3 release. The rbl option is now deprecated. The dnsbl option avoids possible confusion between the Realtime Blackhole List and other DNS-based blacklist servers such as ORBS. It takes the DNS zone of the blacklist service and, optionally, a rejection message as arguments. dnsbl can be included multiple times in the sendmail.
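The following is an added example (not from this manual or from sendmail) of how a dnsbl lookup is formed and interpreted: the connecting client's IPv4 octets are reversed, the list's zone is appended, and an A record at that name means "listed", with a TXT record usually carrying the reason. DNS answers come from a constructed in-memory table so the example runs offline; the zone names under .invalid and the 550 reply text are placeholders chosen for the example.

```python
# Added example: DNS-based blacklist (dnsbl) lookup logic with a stub resolver.
# STUB_DNS and the zone names are constructed; nothing here queries the network.

import ipaddress

# Constructed stub "DNS": query name -> (A records, TXT records)
STUB_DNS = {
    "4.3.2.1.bl.example.invalid": (["127.0.0.2"], ["Listed: open relay"]),
    "8.8.4.4.bl.example.invalid": ([], []),                 # not listed
    "9.9.9.9.second.example.invalid": (["127.0.0.3"], []),  # listed, no TXT
}


def stub_resolve(name):
    """Stand-in for a DNS query; returns ([], []) for unknown names (NXDOMAIN)."""
    return STUB_DNS.get(name, ([], []))


def dnsbl_query_name(client_ip, zone):
    """Reverse the octets of an IPv4 address and append the dnsbl zone."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def check_dnsbl(client_ip, lists, resolve=stub_resolve):
    """lists: [(zone, default_reject_message), ...] in sendmail.cf order.

    Returns None if the client is on no list; otherwise the rejection text,
    using the list's TXT record when present and the configured default
    message when not. The first listing zone wins, mirroring the order in
    which multiple dnsbl lines appear in the configuration.
    """
    for zone, default_msg in lists:
        a_records, txt_records = resolve(dnsbl_query_name(client_ip, zone))
        if a_records:
            reason = txt_records[0] if txt_records else default_msg
            return f"550 {reason}"
    return None


# Constructed list configuration: (zone, default rejection message)
LISTS = [("bl.example.invalid", "Rejected: see http://bl.example.invalid/"),
         ("second.example.invalid", "Rejected by second list")]


if __name__ == "__main__":
    for ip in ("1.2.3.4", "4.4.8.8", "9.9.9.9"):
        print(ip, "->", check_dnsbl(ip, LISTS))
```

Because the decision rests entirely on a third party's DNS answers, the lists you configure are effectively part of your mail policy: a list that shuts down and starts answering for every name will reject all inbound mail until it is removed from sendmail.cf.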
NOTE: The Sendmail 8.11.1 depot installs the mailservs file in /usr/newconfig/etc/rc.config.d. You need to move this file manually to /etc/rc.config.d/ in order to use this feature. The priorities of these flags are defined in the /usr/newconfig/etc/rc.config.d/mailservs file.

• send_only
This option generates a sendmail.cf file without the 'check_compat' ruleset. You can only send mail messages, but cannot receive them. The SENDMAIL_SENDONLY flag in /etc/rc.config.
NOTE: You must know how to set up DNS before implementing this feature. For information on setting up DNS, refer to the "Installing and Administering Internet Services" manual, posted on http://docs.hp.com.

The following steps describe how to set up virtual hosting:
• Assume 'mydomain.com' is the new domain name. If the mail server that serves the new domain has a full-time connection to the Internet, include the following line in the db.domain file:

    mydomain.com. IN MX 10 mymailserver.mydomain.com.
IMPORTANT: The 'Virtual Hosting' feature provides better support for ISPs that offer queueing services to dial-up customers, as queue runs no longer wait for connection attempts to the dial-up server to time out.

LDAP-based Routing
This feature re-routes addresses whose domain portion is in class {LDAPRoute} to either a different mail host or a different address, based on attributes looked up in an LDAP directory.
    Kldap -1 -v mailHost -k (&(objectClass=inetLocalMailRecipient)(mailLocalAddress=%0))
    Kldapmra ldap -1 -v mailRoutingAddress -k (&(objectClass=inetLocalMailRecipient)(mailLocalAddress=%0))

where
    mailLocalAddress is the RFC 822 compliant email address of the recipient
    mailHost is the fully-qualified host name of the MTA that is the final SMTP destination of messages to the recipient
    mailRoutingAddress is the RFC 822 address to be used when routing messages to the SMTP MTA of the recipient.
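The following is an added example (not from this manual or from sendmail's ldap map code) of the two lookups behind LDAP-based routing and the decision taken on their results. The recipient address is substituted for %0 only after the LDAP filter metacharacters are escaped (RFC 4515), so that an address such as a*)(mail=* cannot widen the search; the directory is a constructed in-memory stand-in, the host names and addresses are placeholders, and the three-way relay/rewrite/local policy is the example's own reading of the attribute definitions above.

```python
# Added example: LDAP-routing lookups with %0 substitution done safely,
# against a constructed directory. Not sendmail's own implementation.

LDAP_META = "*()\\\0"   # characters RFC 4515 requires escaping in filters


def ldap_filter_escape(value):
    """Escape LDAP filter metacharacters as \\XX so the substituted address
    cannot change the structure of the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in LDAP_META else ch for ch in value)


def route_filter(address):
    """The filter from the manual's Kldap lines, with %0 replaced safely."""
    return ("(&(objectClass=inetLocalMailRecipient)(mailLocalAddress=%s))"
            % ldap_filter_escape(address))


# Constructed directory: search filter -> attributes of the matching entry
DIRECTORY = {
    route_filter("alice@example.com"): {"mailHost": "mx1.corp.example.com"},
    route_filter("bob@example.com"): {"mailRoutingAddress": "robert@mail.example.net"},
    route_filter("carol@example.com"): {"mailHost": "mx2.corp.example.com",
                                        "mailRoutingAddress": "carol@mx2.corp.example.com"},
}


def ldap_search(filter_string, attribute, directory=DIRECTORY):
    """Stand-in for an LDAP search returning one attribute value or None."""
    entry = directory.get(filter_string)
    return entry.get(attribute) if entry else None


def ldap_route(address, local_hosts=("mail.example.com",)):
    """Decide how to handle a recipient in an {LDAPRoute} domain.

    Returns ('relay', host, address) when the entry names an MTA other than
    this one, ('rewrite', None, new_address) when only a routing address is
    present, and ('local', None, address) when the directory has no entry.
    """
    filt = route_filter(address)
    host = ldap_search(filt, "mailHost")
    routing = ldap_search(filt, "mailRoutingAddress") or address
    if host and host not in local_hosts:
        return ("relay", host, routing)
    if routing != address:
        return ("rewrite", None, routing)
    return ("local", None, address)


if __name__ == "__main__":
    for rcpt in ("alice@example.com", "bob@example.com", "dave@example.com", "a*)(mail=*"):
        print(rcpt, "->", ldap_route(rcpt))
```

The escaping step is the part to check in any map that interpolates user-supplied data into a filter: without it, the metacharacters in a crafted recipient address become part of the query.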
    #O Timeout.resolver.retry.normal=4

• DataFileBufferSize
This option controls the maximum size of a memory-buffered data (df) file before a disk-based file is used. The default setting for this option is:

    #O DataFileBufferSize=4096

• XscriptFileBufferSize
This option controls the maximum size of a memory-buffered transcript (xf) file before a disk-based file is used.
New Command Line Options
Table 3 lists and describes the new or enhanced command line options available in Sendmail 8.11.1:

Table 3 Command Line Options
    Option    Description
    -G        Indicates that the message being submitted from the command line is meant only for relaying and not for gateway submission.
    -L        Sets the identifier used in syslog messages to the supplied tag.
• A '/Quit' command is added to address test mode. This command exits from address test mode.
• Buffered SMTP commands are no longer processed once the SMTP connection drops. This prevents a remote system from flooding the connection with commands and then disconnecting. In earlier releases, all buffered commands were processed by the server.
• purgestat and the sendmail '-bH' option delete only expired files in the host status database, that is, files that have exceeded the values set by Timeout.
as

    O Timeout.ident=0s

Now you need to kill and restart Sendmail.

2. To disable identd, perform the following steps:
   a. Edit the /etc/inetd.conf file and comment out the ident line by placing a '#' in the first column as follows:

      #auth stream tcp wait bin /usr/lbin/identd identd

   b. Force inetd to re-read the inetd.conf file by executing '/usr/sbin/inetd -c' on the command line.

NOTE: identd is not distributed with this release of Sendmail.
2 WU-FTPD 2.6.1

Availability of the new version of WU-FTPD 2.6.1 on various HP-UX platforms is summarized in the table below.

Table 4 Available WU-FTPD Versions
    HP-UX Software      Availability
    11.00               Available as web upgrade
    11i                 Available as web upgrade
    11i Version 1.6     Shipped with WU-FTPD 2.6.1

Chapter Overview
This chapter contains the following sections:
• WU-FTPD 2.6.
directory "/etc/ftpd" can now be overridden with a local copy specific to that domain. If you do not wish to place a copy of one or all of the files listed above in the virtual host directory for a specific host, the master copy is used. The following example illustrates a possible entry in the ftpservers configuration file:

    123.123.123.123 /etc/ftpd/somedomain

In this example, when an ftp client connects to the server using the IP address 123.123.123.
    mailfrom    Specifies the sender's email address for anonymous upload notifications.

• timeouts: This feature controls the various timeouts used within the daemon. The following daemon timeout values are now available:
  1. accept - The time the daemon waits for an incoming (PASV) data connection. The default value is 120 seconds.
  2. connect - The time the daemon waits before attempting to establish an outgoing (PORT) data connection. The default value is 120 seconds.
• Control of the address reported: This feature allows control of the address reported in response to a PASV command, and of the TCP port numbers that may be used for a passive data connection. The general syntax is:

    passive address <externalip> <cidr>
    passive ports <cidr> <min> <max>

Example 2

    passive address 10.0.1.15 10.0.0.0/8

In this example, clients connecting from the class A network 10 are told that the passive connection is listening on the IP address 10.0.1.15. The address you report must be one the client can actually reach (for example, the outside address of a NAT device for external clients), and the port range must be open on any packet filter in front of the server.

    passive ports 10.0.
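The following is an added example (not from this manual or from the wu-ftpd sources) of how "passive address" and "passive ports" rules translate into the 227 reply a client receives. The rule lists, the 192.0.2.10 public address and the 40000-40099 port range are constructed; the first-match rule order and the fallback to the interface address when no rule matches are assumptions of the example, not documented wu-ftpd behaviour.

```python
# Added example: select the advertised PASV address and port from
# "passive address" / "passive ports" style rules and build the 227 reply.
# Rule data is constructed; first-match ordering is this example's assumption.

import ipaddress
import random

PASSIVE_ADDRESS = [("10.0.1.15", "10.0.0.0/8"),   # internal clients see the internal address
                   ("192.0.2.10", "0.0.0.0/0")]   # everyone else sees the public address
PASSIVE_PORTS = [("0.0.0.0/0", 40000, 40099)]      # constructed range for all clients


def advertised_address(client_ip, server_ip, rules=PASSIVE_ADDRESS):
    """Return the address to put in the 227 reply for this client.
    First matching rule wins; fall back to the real interface address."""
    client = ipaddress.ip_address(client_ip)
    for addr, cidr in rules:
        if client in ipaddress.ip_network(cidr):
            return addr
    return server_ip


def passive_port_range(client_ip, ranges=PASSIVE_PORTS):
    """(min, max) of the configured passive port range, or None if unset."""
    client = ipaddress.ip_address(client_ip)
    for cidr, low, high in ranges:
        if client in ipaddress.ip_network(cidr):
            return low, high
    return None


def pasv_reply(client_ip, server_ip, rng=random):
    """Build the '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' line.
    Returns (reply_text, chosen_port)."""
    addr = advertised_address(client_ip, server_ip)
    port_range = passive_port_range(client_ip)
    port = rng.randint(*port_range) if port_range else rng.randint(1024, 65535)
    h1, h2, h3, h4 = addr.split(".")
    reply = f"227 Entering Passive Mode ({h1},{h2},{h3},{h4},{port // 256},{port % 256})"
    return reply, port


if __name__ == "__main__":
    for client in ("10.20.30.40", "198.51.100.7"):
        print(client, "->", pasv_reply(client, "10.0.1.15")[0])
```

Working through the reply by hand is useful when a firewall rule is being written: the last two numbers are the high and low bytes of the data port, so a range of 40000-40099 appears as values from 156,64 to 156,163.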
    restricted-uid [...]
    restricted-gid [...]
    unrestricted-uid [...]
    unrestricted-gid [...]

Example 3

    restricted-uid abtalt abtuser
    restricted-gid users abt

• Retrieval of files: This feature allows retrieval of files which would otherwise be denied by the 'noretrieve' clause. This clause overrides the noretrieve clause. The general syntax is:

    allow-retrieve [ absolute|relative ] classname ] ...
Example 4

    virtual xx.xx.xx.xx allow root

Adding this entry ensures that the user root is allowed to start an ftp session on the machine. By default, all real and guest users are denied service. This is applicable only to virtual ftp servers. Note that ftp sends the password in the clear, so allowing root to log in exposes the root password to the network.

    virtual xx.xx.xx.xx allow *
    virtual xx.xx.xx.xx deny root

Adding these entries denies root and allows all other users to start ftp sessions.

    virtual xx.xx.xx.xx private

Adding this entry denies service for anonymous ftp.

    virtual xx.xx.xx.xx hostname telnet2.
Example 6

    greeting text Hi!!! Welcome to FTP Server

Displays the message "Hi!!! Welcome to FTP Server" as the greeting message.

• Limit the total time of a session: This feature allows you to limit the total time a session can take. By default, there is no limit. Real users are never limited. The general syntax is:

    limit-time {*|anonymous|guest}

• Forcing all UID/GIDs: This feature can force all UIDs/GIDs in a range to be treated as guests.
used to adjust the nice value of the server process only for those users who do not belong to any class for which a class-specific nice directive exists in the ftpaccess file. The general syntax is:

    nice [ class ]

NOTE: Only negative values are considered. Positive values or 0 are ignored for the nice delta.

• defumask clause: The 'defumask' clause allows you to set the umask for files created by the daemon when the remote user is a member of the named class.
NOTE: For more details on the new clauses added to ftpaccess, refer to the ftpaccess(4) manpage.

Enabling RFC 1413
The Identification Protocol (RFC 1413) provides a means to determine the identity of the user of a particular TCP connection. Given a TCP port number pair, it returns a character string which identifies the owner of that connection on the client's system. Use the "-I" daemon option to enable RFC 1413 lookups. By default, these lookups are disabled. Note that the answer is supplied by an ident server on the client host and cannot be verified by the ftp daemon; treat it as information for logging, not as authentication.
Table 5 Command Line Options (continued)
    Option    Description
    -I        Enables the use of RFC 1413 (AUTH/ident) to attempt to determine the user name on the client.
    -s, -S    Run the daemon in standalone operation mode. The -S option runs the daemon in the background and is useful in start-up scripts during system initialization (for example, in rc.local). The -s option leaves the daemon in the foreground and is useful when running from init (see init(1M)).
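The following is an added example (not from this manual, sendmail or wu-ftpd) of the RFC 1413 exchange that lies behind the ftpd -I option above and Sendmail's Timeout.ident setting in the previous chapter, with both sides' messages. The server connects to TCP port 113 on the client host and sends the two port numbers of the connection; the client host answers with a user name or an error. The request and reply lines are constructed; the log_tag helper is the example's own illustration of how a daemon should use the answer.

```python
# Added example: RFC 1413 (ident) request and reply handling.
# The reply lines are constructed; any host can answer with any user name.

IDENT_PORT = 113   # the TCP port an ident server listens on (RFC 1413)


def ident_request(server_port, client_port):
    """Line the server sends to the client host: '<server-port>, <client-port>'."""
    return f"{server_port}, {client_port}\r\n"


def parse_ident_reply(line):
    """Parse '<port>, <port> : USERID : <opsys> : <userid>' or
    '<port>, <port> : ERROR : <error-type>'.

    Returns ('USERID', user) or ('ERROR', error_type). The user-id field is
    the remainder of the line, so it may itself contain colons."""
    parts = [p.strip() for p in line.rstrip("\r\n").split(":", 3)]
    if len(parts) < 3:
        return ("ERROR", "MALFORMED")
    status = parts[1].upper()
    if status == "USERID" and len(parts) == 4:
        return ("USERID", parts[3])
    if status == "ERROR":
        return ("ERROR", parts[2].upper())
    return ("ERROR", "MALFORMED")


# Constructed replies a client host might send to the request "25, 51234"
REPLY_USER = "25, 51234 : USERID : UNIX : alice\r\n"
REPLY_HIDDEN = "25, 51234 : ERROR : HIDDEN-USER\r\n"
REPLY_FORGED = "25, 51234 : USERID : UNIX : root\r\n"   # any host can say this


def log_tag(reply_line):
    """What a daemon should do with the answer: record it for correlation.
    Because the client host chooses the name, it must never grant access."""
    status, value = parse_ident_reply(reply_line)
    return f"ident={value}" if status == "USERID" else f"ident=unknown({value})"


if __name__ == "__main__":
    print("request:", repr(ident_request(25, 51234)))
    for reply in (REPLY_USER, REPLY_HIDDEN, REPLY_FORGED, "garbage\r\n"):
        print(repr(reply), "->", log_tag(reply))
```

The forged reply shows why the lookup is worth a timeout but not trust: the value REPLY_FORGED yields is indistinguishable from a genuine one, and a client host that silently drops the port 113 connection stalls the server for the full Timeout.ident period, which is the reason the Sendmail chapter suggests setting it to 0s.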
Compatibility with Previous Versions Customers currently using WU-FTPD 2.4 do not need to modify their configuration file. It is compatible with this release of WU-FTPD. However, it is highly recommended to use the WU-FTPD 2.6.1 configuration file (.cf) delivered with this release in order to effectively use the new features and changes incorporated in this version. Documentation The README files for WU-FTPD are available in /usr/share/doc. You may also need to read WU-FTPD 2.
3 BIND 9.2.0

Availability of the new version of BIND 9.2.0 on various HP-UX platforms is summarized in the table below.

Table 7 Available BIND Versions
    HP-UX Software      Availability
    11.00               Available as web upgrade
    11i                 Available as web upgrade
    11i Version 1.6     Shipped with BIND 9.2.0

Chapter Overview
This chapter contains the following sections:
• Summary of BIND 8.1.2 features supported on HP-UX 11i Version 1.6
• Summary of BIND 9.1.3 features supported on HP-UX 11i Version 1.6
• BIND 9.2.
• Extended Configuration Syntax and Options • Improved Logging Mechanism NOTE: For information on the above features, refer to the BIND 9.1.3 Release Notes available at: http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services BIND 9.2.0 Features The features incorporated in BIND 9.2.0 on HP-UX 11i Version 1.
If set to yes, incremental transfer will be provided whenever possible. If set to no, all transfers to the remote server will be non-incremental. If not set, the value of the provide-ixfr option in the global options block is used as the default. The request-ixfr clause determines whether the local server acting as a slave will request incremental zone transfers from the given remote server, a master. If set to yes, incremental transfer will be requested from the given remote server (master).
Signing the Child's Keyset
The /usr/bin/dnssec-signkey program is used to sign a keyset for a child zone.

    # /usr/bin/dnssec-signkey example.com.keyset Kcom.+003+51944

The output of the above command is a file named example.com.signedkey, which contains the keys for example.com signed by the com zone's zone key.

Signing the Zone
The /usr/bin/dnssec-signzone program is used to sign a zone. A sample invocation of dnssec-signzone to sign the zone example.com is shown below.

    Kexample.com.
NOTE: Refer to the lwresd(1m) man page for more information. Improved Logging Mechanism In BIND 9.2.0, the logging mechanism is established only when the entire configuration file has been parsed. In BIND 8.1.2, it was established as soon as the logging statement was parsed. When the server is starting up, all logging messages regarding syntax errors in the configuration file go to the default channels or to standard error if the "-g" option was specified.
• provide-ixfr
This option determines whether the local server, acting as a master, will respond with an incremental zone transfer when the given remote server, a slave, requests it. If set to yes, incremental transfer will be provided whenever possible. If set to no, all transfers to the remote server will be non-incremental. If not set, the value of the provide-ixfr option in the global options block is used as the default.
    statistics-file "path_name";

The statistics file generated by BIND 9.2.0 is similar, but not identical, to that generated by BIND 8.1.2. For information on the format of the statistics file and the statistics counters, refer to the named.conf(4) man page distributed with this release.

• blackhole
This option specifies a list of addresses from which the server will not accept queries, and which the server will not use when resolving a query. The default is none.
    ( grant | deny ) identity nametype name [ types ]

Each rule grants or denies privileges. Once a message has successfully matched a rule, the operation is immediately granted or denied and no further rules are examined. The identity field specifies a name or a wildcard name. The nametype field has four values: name, subdomain, wildcard, and self. If the types field is not specified, the rule matches all types except SIG, NS, SOA, and NXT resource records.
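The following is an added example (not from this manual or from BIND) that evaluates update-policy rules the way the paragraph above describes: in the order written, first match decides, with the four nametype values and the default exclusion of SIG, NS, SOA and NXT when no types are listed. The key names, zone names and rule set are constructed; wildcard and identity matching follow the example's own reading of standard DNS wildcard semantics.

```python
# Added example: first-match evaluation of update-policy rules.
# RULES and the key/zone names are constructed for the example.

DEFAULT_EXCLUDED_TYPES = {"SIG", "NS", "SOA", "NXT"}


def _norm(name):
    """Lower-case, dot-terminated form so comparisons are consistent."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def identity_matches(identity, signer):
    """identity is a key name or a wildcard name; signer is the TSIG key name."""
    identity, signer = _norm(identity), _norm(signer)
    if identity == "*.":
        return True
    if identity.startswith("*."):
        return signer.endswith(identity[1:])
    return identity == signer


def name_matches(nametype, rule_name, target, signer):
    """Apply one of the four nametype values to the name being updated."""
    rule_name, target = _norm(rule_name), _norm(target)
    if nametype == "name":
        return target == rule_name
    if nametype == "subdomain":
        return target == rule_name or target.endswith("." + rule_name)
    if nametype == "wildcard":
        if rule_name == "*.":
            return True
        if not rule_name.startswith("*."):
            raise ValueError("wildcard rule name must start with '*.'")
        return target.endswith(rule_name[1:])   # one or more labels below
    if nametype == "self":
        return target == _norm(signer)           # key may only touch its own name
    raise ValueError("unknown nametype %r" % nametype)


def update_allowed(rules, signer, target, rtype):
    """rules: [(action, identity, nametype, name, [types...]), ...].
    Returns True only if the first matching rule is a grant."""
    rtype = rtype.upper()
    for action, identity, nametype, name, types in rules:
        if not identity_matches(identity, signer):
            continue
        if not name_matches(nametype, name, target, signer):
            continue
        if types:
            if rtype not in {t.upper() for t in types}:
                continue
        elif rtype in DEFAULT_EXCLUDED_TYPES:
            continue
        return action == "grant"
    return False   # no rule matched: the update is refused


# Constructed policy: hosts may update their own records, the DHCP server
# may add A/TXT under dhcp.example.com, everything else in the zone is denied.
RULES = [
    ("grant", "*", "self", "*", []),
    ("grant", "dhcp-key.example.com.", "subdomain", "dhcp.example.com.", ["A", "TXT"]),
    ("deny", "*", "wildcard", "*.example.com.", []),
]


if __name__ == "__main__":
    print(update_allowed(RULES, "host1.example.com.", "host1.example.com.", "A"))
    print(update_allowed(RULES, "host1.example.com.", "host2.example.com.", "A"))
```

The two NS checks in the test are the point of the default type set: even a key that may update its own name cannot change delegation or zone-apex data unless NS or SOA is listed explicitly in the types field.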
19. cleaning-interval
20. key
21. server
22. trusted-keys
23. sig-validity-interval

An example of a view (split DNS set-up) is shown below:

    view "internal" {
        // This should match our internal networks
        match-clients { 10.0.0.0/8; };
        // Provide recursive service to internal clients only
        recursion yes;
        // Provide a complete view of the example.com zone
        // including addresses of internal hosts.
        zone "example.com" {
            type master;
            file "example-internal.
NOTE: The allow-update option is not applicable to slave zones. Refer to the named.conf(4) man page for more information.

New Option in "server" Statement
The bogus option can be used to prevent queries to a remote server that is giving out invalid data. The default value of bogus is no. The syntax of the bogus option in the "server" statement is:

    [ bogus yes_or_no ; ]

named-checkconf
This utility is used to check the syntax of the named.conf file.
Table 8 rndc commands
    Command                         Description
    reload                          Reload configuration file and zones
    reload zone [class [view]]      Reload the given zone
    refresh zone [class [view]]     Schedule zone maintenance for the given zone
    stats                           Write server statistics to the statistics file
    querylog                        Toggle query logging
    dumpdb                          Dump the current contents of the cache into the file specified by the dump-file option in named.conf
    stop                            Stop the server after saving any recent changes into the master files of the updated zones
        };
    };

and also if named.conf has an identical key statement for rndckey.

NOTE: Refer to the rndc.conf(4) man page for more information on the rndc configuration file.

Generating the rndc.conf File
rndc-confgen can be used to generate rndc.conf, the configuration file for rndc. Alternatively, it can be run with the -a option to set up an rndc.key file, thus avoiding the need for an rndc.conf file and a controls statement.
Table 9 New Command Line Options
    Binaries/Tools                      Option      Usage
    dig                                 -b          Set the source IP address of the query to address. This must be a valid address on one of the host's network interfaces.
    dig                                 -k          Sign the DNS queries sent by dig and their responses using transaction signatures (TSIG), reading the key from a file.
    dig                                 -y          Specify the TSIG key on the command line. On a multi-user system the key is then visible in ps(1) output, so -k is preferable.
    dnssec-makekeyset, dnssec-signkey   -a          Verify all generated signatures.
    dnssec-signkey                      -c class    Specify the DNS class of the key sets.
    dnssec-signzone                     -t          Print the performance statistics at the time of completion.
    named                               -v          Report the version number and exit.
    named-checkconf                     -t          chroot to the directory to process include directives in the configuration file as if it were run by a similarly chrooted named.
    named-checkconf                     -v          Print the version number of named-checkconf and exit.
    named-checkzone                     -v          Print the version number of named-checkzone and exit.
        type slave;
        masters { 192.249.249.4; };
        file "db.hp";
        forwarders { };
    }

This suppresses queries such as "foo.india.hp.com" from being forwarded to the nameservers at 192.249.249.1.

NOTE: Forwarding to the nameservers available in the delegation information cannot be suppressed using an empty forwarders sub-statement.

• alias-ip
This option is no longer supported. Use the "listen-on" option of the "options" statement to implement the alias-ip behaviour.
• BIND 9.2.0 is less tolerant of errors in master files, so check your logs and fix any errors reported. The named-checkzone program can also be used to check master files.
• Outgoing zone transfers now use the "many-answers" format by default. This format is not understood by certain old versions of BIND 4.9.7. The problem can be worked around with the option "transfer-format one-answer;", but HP recommends upgrading the slave servers.

BIND 8.1.2 Compatibility
This section discusses the BIND 9.2.
Table 10 Man Pages (continued)
    Man Page              Description
    nsupdate.1            Dynamic DNS update utility
    lwresd.1m             Lightweight resolver daemon
    rndc.1                Name server control utility
    rndc.conf.4           rndc configuration file
    sig-named.1m          Program used to send signals to the nameserver
    named-checkconf.1     named configuration file syntax checking tool
    named-checkzone.1     Zone validity checking tool
    hosts_to_named.1m     Program used to translate a host table to name server file format
    dig.