Skip to content

Month: April 2010

Authenticated SMTP with Postfix on CentOS, the easy way

Published by Tom on April 27, 2010

This will be more of a future reference than an actual howto. It’s far from feature complete but it will get you started on authenticated SMTP sessions using Postfix. Quick & dirty.

Installing Postfix and SASL on CentOS:

# yum install postfix
# yum install cyrus-sasl cyrus-sasl-plain cyrus-sasl-md5

Let’s move on to the configuration now. Below you will find my default template
for /etc/postfix/main.cf:

# cat /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name

myhostname = example.tld
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = example.tld
mydestination = example.tld, localhost.localdomain, localhost
transport_maps =
relayhost =
mynetworks = 127.0.0.1/32
#mynetworks = hash:/etc/postfix/networks

smtpd_sasl_path = sasl2/smtpd.conf
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = example.tld
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

recipient_delimiter = +
inet_interfaces = all

smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_rbl_client opm.blitzed.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client dul.dnsbl.sorbs.net

Use smtpd_recipient_restrictions to make sure you’re not running an Open Relay server accepting spam from anyone. It will accept unauthenticated sessions originating from localhost only. However authenticated sessions are generally allowed.

Make sure your Postfix daemon is actually able to communicate with the sasl daemon.
To accomplish this append this to /etc/postfix/master.cf:

# cat /etc/postfix/master.cf
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=example.tld
  -o header_checks=
  -o body_checks=
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous

Next up we’re going to add our users to the sasl database:

# saslpasswd2 -c -u $hostname $user

While we’re at it, it might be a good idea to fix permissions on the sasl database. Otherwise Postfix will be unable to read from it or write to it.

# chown postfix:postfix /etc/sasldb2
# chmod 660 /etc/sasldb2

We’re almost there. To configure the sasl daemon itself:

# cat /usr/lib/sasl2/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
# cat /usr/lib/sasl/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

And finally restart the daemons.

# /etc/init.d/sasld restart
# /etc/init.d/postfix restart

Be sure to confirm it’s working using both your default mail client and /var/log/maillog.

Enjoy!

Monitoring MySQL with Munin on a DirectAdmin platform

Published by Tom on April 8, 2010

Today I’ll be showing you how to monitor MySQL with Munin on a DirectAdmin platform. I’ve tested this setup for a customer on a CentOS box. It should be fairly easy to adapt this to Debian. You probably won’t even need to change credentials at all on a Debian box given the fact that it has an /etc/mysql/debian.cnf file by default. Although I’m not sure DirectAdmin puts it to good use. Any Debian/DirectAdmin users out there? Feel free to comment.

Let’s start off by checking the proper MySQL login credentials on our CentOS/RHEL box:

# cat /usr/local/directadmin/conf/mysql.conf
user=da_admin
passwd=removed

Easy enough. Let’s move on to installing munin and applying the credentials to the MySQL monitoring plugin. Munin isn’t available in the default repository. Not to worry, it’s in the Fedora Project’s EPEL repository for CentOS/RHEL. If you don’t have EPEL enabled yet be sure to check the excellent FAQ on the subject.

Or you could just move on to installing the repository.
For i386/i686:

 
# rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/
epel-release-5-3.noarch.rpm

For x86_64:

For x86_64: 
# rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/x86_64/
epel-release-5-3.noarch.rpm

Now we can go on installing munin:

# yum install munin munin-node

Sadly this doesn’t install pull all the necessary dependencies. Not sure why the package maintainer missed out on this but it’s rather easy to fix it:

# yum install perl-Cache perl-Cache-Cache 
# yum install perl-IPC-ShareLite perl-DBD-MySQL

On to the credentials part. Edit the mysql plugin on line 132:

# vim +132 /usr/share/munin/plugins/mysql_

You should see something like this with the credentials left blank:

my %config = (
    'dsn'        => $ENV{'mysqlconnection'} || 'DBI:mysql:mysql',
    'user'       => $ENV{'mysqluser'}       || 'da_admin',
    'password'   => $ENV{'mysqlpassword'}   || 'removed',
);

As you can see I’ve already filled in the blanks.

Once the plugin has been configured we’re able to apply it. Before applying I’d suggest you take a look at what graphs are available:

# /usr/share/munin/plugins/mysql_ suggest
mysql_bin_relay_log
mysql_commands
mysql_connections
mysql_files_tables
mysql_innodb_bpool
mysql_innodb_bpool_act
mysql_innodb_insert_buf
mysql_innodb_io
mysql_innodb_io_pend
mysql_innodb_log
mysql_innodb_rows
mysql_innodb_semaphores
mysql_innodb_tnx
mysql_myisam_indexes
mysql_network_traffic
mysql_qcache
mysql_qcache_mem
mysql_replication
mysql_select_types
mysql_slow
mysql_sorts
mysql_table_locks
mysql_tmp_tables

To apply all of them simply run the following:

# cd /etc/munin/plugins
# ln -sf /usr/share/munin/plugins/mysql_ mysql_
# for i in `./mysql_ suggest`; \
do ln -sf /usr/share/munin/plugins/mysql_ $i; done

If you only need a few of them you can apply them this way:

# cd /etc/munin/plugins
# ln -sf /usr/share/munin/plugins/mysql_ mysql_
# ln -sf /usr/share/munin/plugins/mysql_ mysql_bin_relay_log
# ln -sf /usr/share/munin/plugins/mysql_ mysql_commands
# ln -sf /usr/share/munin/plugins/mysql_ mysql_connections
# ln -sf /usr/share/munin/plugins/mysql_ $any_other_graph

Be sure to reload munin-node:

# /etc/init.d/munin-node restart

And that’s it. Enjoy your graphs at http://127.0.0.1/munin. 🙂

Munin MySQL InnoDB graph