another DNS problem
by Hiisi
Hi, list!
I'm trying to configure my system as a mail server. It's f12. My ISP
provides me with a static IP address and I've bound a domain name to it
(kello.ru). I have sendmail installed and can successfully send messages
from remote hosts to users on this machine (i.e. to root(a)kello.ru).
However, it's impossible to send messages from this machine to the
outside world. Whenever I try to send messages using the mail command
or the mail function in PHP scripts, the recipient receives nothing. Instead,
I see a lot of messages of this kind in /var/log/maillog:
Oct 31 01:21:41 kello sendmail[23801]: o9UA6Nvm013215:
to=<saippua5(a)gmail.com>, ctladdr=<root(a)kello.ru> (0/0), delay=11:15:18,
xdelay=00:00:00, mailer=relay, pri=1290432, relay=smtp.direct.ru.,
dsn=4.0.0, stat=Deferred: 451 DNS temporary failure (#4.3.0)
The domain name registrar told me that the MX record for this domain
points to mail.kello.ru, which is just an alias for this machine.
My ISP rejects all outgoing connections to port 25 except to their own
SMTP server (smtp.direct.ru).
Here's the configuration of this system.
cat /etc/hosts
127.0.0.1 localhost.localdomain localhost.localdomain localhost smstools.dyndns-mail.com
::1 localhost.localdomain localhost6 localhost
212.16.23.132 kello.ru mail.kello.ru
cat /etc/resolv.conf
search ns1.eserver-ru.com
nameserver 81.177.8.11
nameserver 81.177.9.11
nameserver 81.177.8.18
cat /etc/mail/sendmail.mc
divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # /etc/mail/make
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # Do not advertize sendmail version.
dnl #
dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL', `9')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
define(`SMART_HOST', `smtp.direct.ru')dnl
dnl #
define(`confDEF_USER_ID', ``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # cd /etc/pki/tls/certs; make sendmail.pem
dnl # Complete usage:
dnl # make -C /etc/pki/tls/certs usage
dnl #
dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readable by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 20.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction to listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
MASQUERADE_AS(`kello.ru')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
FEATURE(masquerade_entire_domain)dnl
dnl #
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl
MASQUERADE_DOMAIN(kello.ru)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl
Could anybody give me some hints on how to solve this problem?
TIA
--
kernel, n.:
A part of an operating system that preserves the medieval
traditions of sorcery and black art.
13 years, 5 months
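A small triage helper for the kind of maillog entry quoted in the post above. This is an added example, not code from the original post or from sendmail: it parses the key=value fields sendmail writes for each delivery attempt, classifies the DSN code (a 4.x.x code means the message stays queued and is retried; with mailer=relay the text after "Deferred:" is the reply the next hop returned), and checks whether the configured relay (the SMART_HOST) resolves through the local resolver. The sample log line is constructed from the one in the post with the archive's "(a)" restored to "@"; the function names, the `resolver` injection point and the 192.0.2.25 address used in the comments are assumptions for illustration.

```python
"""Triage helper for sendmail 'Deferred' maillog entries (added example)."""
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample, modelled on the line quoted in the post.
SAMPLE_LINE = (
    "Oct 31 01:21:41 kello sendmail[23801]: o9UA6Nvm013215: "
    "to=<saippua5@gmail.com>, ctladdr=<root@kello.ru> (0/0), delay=11:15:18, "
    "xdelay=00:00:00, mailer=relay, pri=1290432, relay=smtp.direct.ru., "
    "dsn=4.0.0, stat=Deferred: 451 DNS temporary failure (#4.3.0)"
)

# syslog prefix: timestamp, host, "sendmail[pid]:", queue id, then the fields
_PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)


def parse_maillog_line(line: str) -> Optional[Dict[str, str]]:
    """Split one delivery-attempt line into a dict of its key=value fields.

    Returns None for lines that are not delivery attempts (the 'from=' envelope
    line, for instance, carries no 'to=' field).
    """
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {"host": m["host"], "qid": m["qid"], "ts": m["ts"]}
    rest = m["rest"]
    # Fields are separated by ", "; 'stat=' is always last and its value is
    # free text, so everything from 'stat=' to end of line belongs to it.
    for chunk in rest.split(", "):
        key, sep, value = chunk.partition("=")
        if not sep:
            continue
        if key == "stat":
            fields["stat"] = rest[rest.index("stat=") + len("stat="):]
            break
        fields[key] = value
    return fields if "to" in fields else None


def classify(fields: Dict[str, str]) -> str:
    """Explain what the DSN class and the relay field say about the attempt."""
    dsn_class = fields.get("dsn", "").split(".")[0]
    relay = fields.get("relay", "").rstrip(".")
    stat = fields.get("stat", "")
    if dsn_class == "2":
        return f"delivered via {relay}"
    if dsn_class == "4":
        # Transient: sendmail keeps the message in the queue and retries.
        # With mailer=relay the reply text came from the next hop, so the
        # first thing to verify is that hop, not the final recipient domain.
        return f"transient: queued for retry; next hop {relay} replied: {stat}"
    if dsn_class == "5":
        return f"permanent: bounced by {relay}: {stat}"
    return f"unknown DSN {fields.get('dsn', '')!r}"


Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve with the system resolver (honours /etc/hosts and resolv.conf)."""
    try:
        infos = socket.getaddrinfo(name, 25, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_next_hop(fields: Dict[str, str],
                   resolver: Resolver = system_resolver) -> Dict[str, object]:
    """Report whether the relay named in the log entry resolves locally.

    `resolver` is injectable so the check can be exercised offline; by default
    it uses the real system resolver (e.g. it would return ["192.0.2.25"] if
    the relay resolved to that constructed address).
    """
    relay = fields.get("relay", "").rstrip(".")
    addrs = resolver(relay) if relay else []
    return {"relay": relay, "resolves": bool(addrs), "addresses": addrs}


def triage(lines: List[str], resolver: Resolver = system_resolver) -> List[Dict[str, object]]:
    """Run parse + classify + relay check over a batch of maillog lines."""
    out: List[Dict[str, object]] = []
    for line in lines:
        fields = parse_maillog_line(line)
        if fields is None:
            continue
        report: Dict[str, object] = {"qid": fields["qid"], "to": fields["to"],
                                     "verdict": classify(fields)}
        report.update(check_next_hop(fields, resolver))
        out.append(report)
    return out


if __name__ == "__main__":
    for entry in triage([SAMPLE_LINE]):
        print(entry)
```

Run it against a real `/var/log/maillog` by feeding the file's lines to `triage()`; entries whose verdict starts with "transient" and whose `resolves` is False point at the local resolver rather than at the smart host, while a transient verdict with `resolves` True means the smart host was reached and its reply text is what needs reading.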
How to check the number of terminals open from inside a shell script
by sumatheja
Hi All,
Can anyone let me know if there's some variable holding
the value of the total number of terminals open? I have a requirement
where I need to execute some script only the first time a terminal is
opened. I feel this is not the right place to post this but will be
glad if someone can help me out.
--
cheers
Sumatheja Dasararaju
13 years, 5 months
openswan is unusable
by David A. De Graaf
Has anyone managed to configure an openswan tunnel under Fedora 13?
The instructions in /usr/share/doc/openswan-doc-2.6.29 may have been
correct once upon a time, but are simply wrong now.
Someone has judged that simple exchange of RSA public/private keys
provides insufficient security, so that actual access to those keys is
further restricted by something called "NSS support", whatever that is.
Unfortunately, they neglected to tell anyone how to penetrate this extra
veil of protection, as far as I have found, thus rendering a valuable
security capability unusable by the good guys (me).
Can anyone point me to lucid and complete documentation of how to use
the "new openswan" system? After groping through random googleisms, I
found a way to create the needed RSA keys. Instead of the documented
ipsec newhostkey --output /etc/ipsec.secrets
one must first create an NSS password, which goes God-knows-where:
certutil -N -d /etc/ipsec.d
and then
ipsec newhostkey --configdir /etc/ipsec.d \
--output /etc/ipsec.d/ipsec.secrets --password <thepasswd>
to create the ipsec.secrets file, then move it up a level
mv /etc/ipsec.d/ipsec.secrets /etc/ipsec.secrets
Then you can display the public key in the usual way
ipsec showhostkey --left
and use it to construct /etc/ipsec.d/net2net.conf based on the example
in <doc>/openswan-doc-2.6.29/config.html.
After doing this on the local and remote gateway machines, so they know
how to communicate and recognize each other, the tunnel ought to work.
But it doesn't.
When I try to start the tunnel there's a mysterious error
ipsec auto --up net2net
...
003 "net2net" #1: Can't find the private key from the NSS CERT (err -12285)
...
and the negotiation fails.
Can anyone give a clue how to access this very well hidden private key?
Google can't.
--
David A. De Graaf DATIX, Inc. Hendersonville, NC
dad(a)datix.us www.datix.us
13 years, 5 months
User Switcher Applet
by Sawrub
The user switcher applet in the panel, on mouse hover, shows the
tool-tip "Change Account Settings and Status". I do understand how to
change the account settings; can someone explain how, and to what, to change
the status?
--
Saurabh Sharma
Linux user number: 490644
http://sawrub-blog.blogspot.com/
Open your doors.......It's time to look beyond Windows
13 years, 5 months
Webmin / Usermin in FC11
by Edward S.P. Leong
Dear You,
If you are using Webmin/Usermin in FC11 Linux...
please reply to me, thanks !
Edward.
13 years, 5 months
javascripts invoked by browser
by JD
I was wondering if there is a way to restrict the execution
path and the file/directory access path of javascripts invoked
by the browser on behalf of the web site visited.
Any info, including references to how-to's are greatly appreciated.
13 years, 5 months
Firefox 3.6.12-1 Not Stable
by Sawrub
The latest firefox.x86_64 [3.6.12-1.fc14] pushed out seems to be
having some issues; it has hung my system twice as of now. Is anyone else
having the same issue?
--
Saurabh Sharma
Linux user number: 490644
http://sawrub-blog.blogspot.com/
Open your doors.......It's time to look beyond Windows
13 years, 5 months
Making Fedora boot faster
by Kalpa Welivitigoda
Hi all,
I thought I'd make my Fedora system boot faster. For that I thought to
disable unnecessary kernel modules and services. So I want to know in
detail what each and every kernel module and service does, so that I can
disable those that are not needed. Can anyone here provide me with
detailed documentation on the kernel modules and services?
--
Best Regards,
W.H.Kalpa Pathum
http://kalpapathum.blogspot.com
http://thiraya.wordpress.com
13 years, 5 months
question on screen resolution
by Paul Allen Newell
To the Fedora community:
I have upgraded one of my machines to F13 in expectation of F12 hitting
end of life. For the most part, no problems, but I am seeing an odd
display problem.
I have three machines connected via KVM to a single monitor. Right now,
one is F13, one is F12, and one is F9. The F12 and F9 respect the
monitor size, but my new F13 install seems to crop the left side, enough
to kill three or four characters when I open anything that is pinned to the
upper left.
I am not certain what tests to run to see what is going on. I don't think I am
changing any display settings, as I don't touch any X stuff and let the
system do as it wishes.
Suggestions?
Thanks in advance,
Paul
13 years, 5 months