
Monday, January 31, 2011

How to: Mount an ISO image under Linux

An ISO image is an archive file (disk image) of an optical disc in a conventional ISO (International Organization for Standardization) format. ISO image files typically have a file extension of .ISO. The name "ISO" is taken from the ISO 9660 file system used with CD-ROM media, but an ISO image can also contain a UDF file system because UDF is backward-compatible with ISO 9660.

You can mount an ISO image via the loop device under Linux. A loop device also makes it possible to specify transfer functions (for encryption/decryption or other purposes).

But how do you mount an ISO image under Linux? You need to use the mount command as follows:

Procedure to mount ISO images under Linux

1) You must be logged in as root. If you are not, switch to the root user with the following command:
$ su -

2) Create the directory, i.e. the mount point:
# mkdir -p /mnt/disk

3) Use the mount command as follows to mount an ISO file called disk1.iso:
# mount -o loop disk1.iso /mnt/disk

4) Change to the mount point and list the files stored inside the ISO image:
# cd /mnt/disk
# ls -l

More about loop device

A loop device is a pseudo-device that makes a file accessible as a block device. Loop devices are often used for CD ISO images and floppy disc images. Mounting a file containing a filesystem via such a loop mount makes the files within that filesystem accessible; with the commands above, they appear in the mount point directory.

Friday, January 28, 2011

Adding "Read more" to blog posts

STEP 1: BACK UP THE TEMPLATE AND INSERT THE CSS

After logging in to blogger.com, click Template -> Edit HTML and back up the template to your computer.

Once the backup is done, scroll to find the tag (you can press Ctrl + F to search), insert the code below above it, and save.





STEP 2: INSERT THE "READ MORE" LINK

Next, click Expand Widgets Template and scroll to find the tag





It may also look like this:



(Press Ctrl + F to search.) Then insert this code below it.


Read more!




STEP 3: CUSTOMIZE "READ MORE"

If you use the code above, clicking "Read more!" loads the post in the browser and replaces the previous page. If you want the post to open in a new window, insert this code.


Read more!



If you want the "Read more" text to be larger or smaller than the other text in the post, insert the code below. Change the percentage to make it smaller.


Read more!



If you want the "Read more" text in bold, insert the code below.


Read more!



If you want the "Read more" text in color, insert the code below (the example here is red; you can pick another color: in the Compose post window, type a few characters and choose a color, then click Edit Html to get the code; the colored text will be between ).


Read more!



You can combine all three.

STEP 4: CHANGE HOW YOU POST

In the post editor, instead of choosing Compose, choose Edit Html and structure your post as shown below.

Summary or beginning of the post

The rest




See the image:

Posting with Read more

The post must follow this structure. If you find the code hard to remember, go to Settings -> Formatting, scroll to Post Template, paste the code into the box next to it and click Save Settings. Each time you write a post, this code is inserted first and you only need to carry out the usual posting steps.

Good luck.

How to hide Navbar in blogspot

Go to LAYOUT > EDIT HTML to open the template editor. Look for <b:skin> and paste the following after that:

/* By Aditya http://the-lastword.blogspot.com/
----------------------------------------------- */
div.navbar {
opacity:0.0;
display:none;
}

Save template ----> Finish

Notes on using Outlook

- Back up the mail data folder
- Back up Contacts and the Address Book

Wednesday, January 26, 2011

VPN user and password authentication

http://forum.zentyal.org/index.php?topic=1646.0

I've successfully configured OpenVPN to use LDAP user and password auth. Here is what I've done:
Using openvpn-auth-ldap from http://code.google.com/p/openvpn-auth-ldap/

1) cd /usr/src
2) wget http://openvpn-auth-ldap.googlecode.com/files/auth-ldap-2.0.3.tar.gz
3) apt-get install gobjc re2c dpkg-dev libldap2-dev


4) apt-get source openvpn
5) ./configure --prefix=/usr --with-openvpn=/usr/src/openvpn-2.1~rc7
6) make
7) make install

The configuration file, named /etc/openvpn/ldap-auth-conf, contains:
# BEGIN OF ldap-auth-conf
<LDAP>
   URL   ldap://localhost
   BindDN      cn=admin,dc=ebox
   Password   COPY CONTENT OF /var/lib/ebox/conf/ebox-ldap.passwd here
   # Network timeout (in seconds)
        Timeout         15

        # Enable Start TLS
        TLSEnable       no

        # Follow LDAP Referrals (anonymously)
        FollowReferrals yes

        # TLS CA Certificate File
        TLSCACertFile   /usr/local/etc/ssl/ca.pem

        # TLS CA Certificate Directory
        TLSCACertDir    /etc/ssl/certs

        # Client Certificate and key
        # If TLS client authentication is required
        TLSCertFile     /usr/local/etc/ssl/client-cert.pem
        TLSKeyFile      /usr/local/etc/ssl/client-key.pem

        # Cipher Suite
        # The defaults are usually fine here
        # TLSCipherSuite        ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
        # Base DN
        BaseDN          "ou=Users,dc=ebox"

        # User Search Filter
        SearchFilter    "uid=%u"

        # Require Group Membership
        RequireGroup    false

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                BaseDN          ou=Groups,dc=ebox
                SearchFilter    cn=openvpn
                #MemberAttribute uniqueMember
                MemberAttribute memberUid
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>
# END OF ldap-auth-conf

Test your configuration file:
/usr/src/auth-ldap-2.0.3/src/testplugin /etc/openvpn/ldap-auth-conf
** Use a real ebox username/password; this test should return:
     Authorization Succeed!
     client-connect succeed!
     client-disconnect succeed!

If that works, add plugin /usr/lib/openvpn-auth-ldap.so /etc/openvpn/ldap-auth-conf at the end of your OpenVPN server configuration file.

To tell the OpenVPN client to prompt for a username/password, you need to add auth-user-pass at the end of your clients' configuration files.

That will need to be added in the eBox template and an option in the webUI would be appreciated.

Enjoy.
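
An added example, not part of the original forum post or of the openvpn-auth-ldap project: a small Python audit of the configuration format shown above. It flags three things visible in the posted file: a bind over ldap:// with TLSEnable no, the bind Password stored in a file other accounts can read, and a <Group> block that is not enforced because RequireGroup is false. The sample text, the finding names and the assumed defaults (TLSEnable and RequireGroup treated as off when absent) are constructed for illustration.

```python
import re
import stat
from urllib.parse import urlparse

# Constructed sample mirroring the directives in the post; the password is a placeholder.
SAMPLE_CONF = """\
# BEGIN OF ldap-auth-conf
<LDAP>
   URL        ldap://localhost
   BindDN     cn=admin,dc=ebox
   Password   PLACEHOLDER-NOT-A-REAL-SECRET
   TLSEnable  no
</LDAP>
<Authorization>
   BaseDN        "ou=Users,dc=ebox"
   SearchFilter  "uid=%u"
   RequireGroup  false
   <Group>
      BaseDN          ou=Groups,dc=ebox
      SearchFilter    cn=openvpn
      MemberAttribute memberUid
   </Group>
</Authorization>
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
TRUE_VALUES = ("yes", "true")


def parse_conf(text):
    """Return {section_path: {directive: value}}, e.g. key 'Authorization/Group'."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.fullmatch(r"<(/?)(\w+)>", line)
        if tag:
            closing, name = tag.groups()
            if closing:
                if not stack or stack[-1] != name:
                    raise ValueError(f"unbalanced </{name}>")
                stack.pop()
            else:
                stack.append(name)
                sections.setdefault("/".join(stack), {})
            continue
        if not stack:
            raise ValueError(f"directive outside a section: {line!r}")
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        sections["/".join(stack)][parts[0]] = value
    if stack:
        raise ValueError(f"unclosed <{stack[-1]}>")
    return sections


def audit(text, file_mode=None):
    """Return a sorted list of finding names for an auth-ldap configuration.

    file_mode is the permission bits of the config file (e.g. from os.stat),
    or None to skip the file-permission check.
    """
    conf = parse_conf(text)
    ldap = conf.get("LDAP", {})
    authz = conf.get("Authorization", {})
    findings = set()

    # Without TLS, the bind password and every VPN user's password cross the
    # connection to the directory in cleartext; loopback limits the exposure.
    url = urlparse(ldap.get("URL", ""))
    tls_on = ldap.get("TLSEnable", "no").lower() in TRUE_VALUES
    if url.scheme == "ldap" and not tls_on:
        on_loopback = (url.hostname or "") in LOOPBACK
        findings.add("cleartext-bind-loopback" if on_loopback
                     else "cleartext-bind-network")

    # The file embeds the directory admin password, so group/other read
    # access hands that credential to local accounts.
    if ldap.get("Password") and file_mode is not None:
        if file_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.add("bind-password-readable-by-others")

    # A <Group> block with RequireGroup off does not restrict who may log in:
    # any entry matching SearchFilter under BaseDN can authenticate.
    require_group = authz.get("RequireGroup", "false").lower() in TRUE_VALUES
    if "Authorization/Group" in conf and not require_group:
        findings.add("group-defined-but-not-required")

    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, file_mode=0o644):
        print(finding)
```

Against a live system, pass the real file's text and `os.stat(path).st_mode` to `audit`.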

Tuesday, January 25, 2011

LAN design for the enterprise

Designing and building the communications infrastructure for units and organizations creates the conditions for deploying their business applications and value-added services.
The overall goal is expressed through the following specific points:

* Build a unified, high-speed, consistent communications infrastructure.
* Centralized system administration.
* Develop value-added services on the network such as Video conferencing and VoIP.
* Build the facilities that ensure a standards-compliant environment for the data center.

I.2. Design content

* Design the LAN and WAN for the units and organizations.
* Build the WAN backbone.
* Build a network security system that is in depth, multi-layered and uses many different technologies.
* Build a system for managing equipment configuration and monitoring communication links.
* Build the facilities for the main data center.
* Design the network for the backup data center.
* Build value-added network services such as IP Telephony and Video Conferencing.


II. Design overview
II.1. Architectural direction
In this section we briefly introduce a typical architectural direction applied when building information technology infrastructure for large organizations and enterprises: Service-Oriented Architecture (SOA).
This is an architectural framework that guides the purposeful development and expansion of large network systems. It is a revolution in how the communications network platform is understood, moving toward an intelligent information network environment that helps accelerate application and service capabilities, extend business processes and, of course, bring profit with them.
Service-Oriented Architecture:
The SOA architecture has 3 layers:

* Networked infrastructure layer: the network layer that links the functional blocks in an ordered, tiered architecture.
* Interactive services layer: combines several complete network architectures into functions that allow many applications to be used on the network.
* Application layer: comprises collaborative and business applications. Combined with the interactive services provided by the layer below, these applications enable fast and efficient deployment.

II.2. Design methods
In this section we briefly introduce the network and security design methods used to design the large, modern networks of large organizations and enterprises. In terms of the SOA architecture, these belong to the networked infrastructure layer.
II.2.1. Hierarchical design method
The Hierarchical design method has become a common architecture over nearly the last ten years and is applied to networks from medium to large scale. It uses layers to simplify the work of network design. Each layer can focus on specific functions, allowing the designer to choose the right systems and features for each layer.
The Hierarchical design method has 3 layers:

* Core layer: forwards traffic at the highest possible speed
* Distribution layer: provides the policies related to connectivity
* Access layer: gives Users/Workgroups access to the network

Example of a network designed using the Hierarchical method:
II.2.2. Modular design method
The Modular design method is regarded as a supplement to the Hierarchical design method. A large-scale network generally contains many network zones serving different activities and functions. Designing a large network infrastructure in modules, by separating the network zones with different functions, is also a widely used approach for the network infrastructure of businesses, companies and large organizations (referred to as the Enterprise).
The Modular design method can be divided into three main areas, each made up of smaller network modules:

* Enterprise campus: Comprises the modules required to build a campus network that demands high availability, flexibility and agility.
* Enterprise edge: Aggregates connections from the various components at the edge of the Enterprise network. This functional area filters traffic from the modules in the Enterprise edge and sends it into the Enterprise campus. The Enterprise edge includes all the equipment needed to ensure efficient and secure communication between the Enterprise campus and external systems, partners, mobile users and the Internet.
* Service provider edge: The modules in this area are deployed by service providers and do not belong to the Enterprise. The modules in the Service provider edge enable communication with other networks using different WAN technologies and ISPs.

Example of a network designed using the Modular method:
II.2.3. Security design method for the network
The security design method used for the network is SAFE (Security Architecture for Enterprise Networks), built on the most advanced network security technologies to protect against attacks from outside and inside the enterprise network. SAFE provides high flexibility and scalability, including physical redundancy and device configuration redundancy for when a failure occurs or an attacker breaks into the network. The module concept used in SAFE keeps the security system tightly organized and allows the network security system to be designed and deployed flexibly, module by module, while still meeting the security policy requirements set for each phase.
The SAFE architecture comprises the following modules:

* Corporate Internet Module: The Corporate Internet Module mainly concentrates the connections of users inside the network (internal users) accessing the Internet and the connections of outside users (Internet users) accessing the enterprise's public servers such as HTTP, FTP, SMTP and DNS. This module also provides remote access using VPN technology or traditional dial-up.
* Campus Module: The Campus Module mainly concentrates the workstations, the servers and the Layer 2 and Layer 3 switching architecture. The Campus Module consists of many components merged into one unified module, described by the following general connection model:

The Campus Module is structured like the traditional campus network model and is likewise divided into 3 layers: Core, Distribution and Access. At the Access layer, however, the Campus Module is split into 3 protected modules: the Building Module (users), the Management Module and the Server Module. This tiered protection within the Campus Module makes the network security setup flexible and independent between modules, which makes organization and administration easier and lets the enterprise extend, harden and remediate network security issues when an incident occurs.

* WAN Module: The WAN Module has only a single connection to other geographically distant networks over dedicated leased lines. The ways to protect the WAN Module against attacks include:
o IP spoofing: IP spoofing can be prevented through Layer 3 filtering
o Unauthorized access: Prevent unauthorized access by limiting and controlling the types of protocols used from branches connecting to the head office through the router

II.2.4. Principles of security system design
Network security must be established on the following principles:

* Defense in depth: The system must be protected in depth, divided into multiple tiers and separated into different layers. Each tier and layer applies its own security or blocking policies. This also ensures that when one tier or layer is breached, the intrusion stays confined to that tier or layer and cannot affect the others.
* Use many different technologies: Do not rely on just one technology or one vendor's network security product. If a hacker finds a vulnerability in that vendor's product, similar products from that vendor in the network can easily be penetrated as well, and the tiers and layers of the defense policy become meaningless. So when dividing into tiers and layers, use products from several different vendors to limit this weakness. At the same time, combine multiple security technologies and solutions to strengthen the defense, for example a firewall as the direct blocking tool, an IDS as the "sniffing" tool with active defensive response, anti-virus to filter viruses, and so on.
* Standards compliance: Security products must hold certain standards certifications such as Common Criteria, ISO/IEC 15408:2005 and ISO/IEC 18405:2005 EAL4, ICSA Firewall and VPN, FIPS-140

Anh Ngọc (Source: ANCO INC)

System monitoring tools

- Nagios
- Spice network
- PRTG

Monday, January 24, 2011

Creating a Ghost image for multiple machines

http://www.vn-zoom.com/f94/tao-ban-ghost-cho-nhieu-may-456823.html

A problem most computer users run into is having to reinstall the software on their machine, a job that is not much fun for busy people. The simplest way to avoid that tedium is to use the Ghost program to back up your hard disk while it is in its best state; after a failure, you only need to restore it and you are done.

If it were only that simple there would be nothing to talk about! However, when you upgrade to a new machine with a different mainboard and still want to keep your old Windows XP installation, a problem arises if the old and new mainboards are not the same. In other words, when the hardware changes, restoring the old Windows XP system with Ghost may make the computer less stable than before and may cause errors.

To solve this problem, do the following:

Step 1: Install Windows XP and all the programs you need.

Step 2: Go to the folder C:\WINDOWS\Driver Cache\i386, open the file Driver.cab and extract the files Atapi.sys, Intelide.sys, Pciide.sys and Pciidex.sys into the folder C:\WINDOWS\System32\drivers.

Step 3: Use Notepad to create a file named Mergeide.reg with the following content:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\primary_ide_channel]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="atapi"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\secondary_ide_channel]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="atapi"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\*pnp0600]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="atapi"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\*azt0502]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="atapi"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\gendisk]
"ClassGUID"="{4D36E967-E325-11CE-BFC1-08002BE10318}"
"Service"="disk"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#cc_0101]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_0e11&dev_ae33]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1039&dev_0601]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1039&dev_5513]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1042&dev_1000]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_105a&dev_4d33]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1095&dev_0640]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1095&dev_0646]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1095&dev_0646&REV_05]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1095&dev_0646&REV_07]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1095&dev_0648]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1095&dev_0649]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1097&dev_0038]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_10ad&dev_0001]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_10ad&dev_0150]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_10b9&dev_5215]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_10b9&dev_5219]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_10b9&dev_5229]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="pciide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_1106&dev_0571]
"Service"="pciide"
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_1222]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_1230]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_2411]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_2421]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_7010]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_7111]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_8086&dev_7199]
"ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"
"Service"="intelide"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]
"ErrorControl"=dword:00000001
"Group"="SCSI miniport"
"Start"=dword:00000000
"Tag"=dword:00000019
"Type"=dword:00000001
"DisplayName"="Standard IDE/ESDI Hard Disk Controller"
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,\
  00,32,00,5c,00,44,00,52,00,49,00,56,00,45,00,52,00,53,00,\
  5c,00,61,00,74,00,61,00,70,00,69,00,2e,00,73,00,79,00,73,\
  00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelIde]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Tag"=dword:00000004
"Type"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,\
  00,32,00,5c,00,44,00,52,00,49,00,56,00,45,00,52,00,53,00,\
  5c,00,69,00,6e,00,74,00,65,00,6c,00,69,00,64,00,65,00,2e,\
  00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCIIde]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000000
"Tag"=dword:00000003
"Type"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,\
  00,32,00,5c,00,44,00,52,00,49,00,56,00,45,00,52,00,53,00,\
  5c,00,70,00,63,00,69,00,69,00,64,00,65,00,2e,00,73,00,79,\
  00,73,00,00,00

Step 4: Now right-click the file Mergeide.reg, choose Merge, then click Yes in the Windows prompt.

Step 5: Finally, restart the computer and run Ghost to create the backup file. You now have a Windows XP backup that is compatible with many common mainboards.

Securing SquirrelMail using HTTPS

http://www.differentpla.net/content/2004/03/securing-squirrelmail-using-https

Part 11 of Installing qmail and vpopmail. This part is about securing webmail access by using HTTPS.
At the end of Installing SquirrelMail, I'd finished installing webmail on my test box. Currently, this uses HTTP. This is not really secure enough for webmail, so this article is going to look at adding HTTPS access to webmail.

Apache-SSL or mod_ssl?

There are two options when it comes to providing support for HTTPS: Apache-SSL and mod_ssl. Debian has packages for both.
See these two mailing list posts (e.g.) for more information about which to choose:
  • http://lists.debian.org/debian-isp/2003/debian-isp-200304/msg00260.html

  • http://www.mail-archive.com/modssl-users@modssl.org/msg15791.html

For this box, I'm going to use mod_ssl. My main motivation is that Apache-SSL runs as a separate daemon, which means that I'll have two sets of configuration files to maintain, and a bunch of apache-ssl processes using up memory even though this box won't be doing much HTTPS.

Installing mod_ssl

The first thing to do is to configure Apache to allow SSL access. As you'll recall, my test box is called flimsy, so we want to allow access to https://flimsy/. We do this (on Debian) by installing the libapache-mod-ssl package:

# apt-get install libapache-mod-ssl libapache-mod-ssl-doc

Information about configuring mod_ssl is in /usr/share/doc/libapache-mod-ssl-doc on Debian, but basically, you run mod-ssl-makecert to make yourself a certificate for testing, and then tweak your /etc/apache/httpd.conf file to turn on SSL. I'll talk about self-signed certificates (and installing them under Windows) later.
When Apache starts, it'll prompt for the passphrase used to protect the server certificate. See this for one way to work around this. Alternatively, you could just not enter a passphrase.
With a certificate installed using this method, you'll see a warning like the following:
When you create the certificate, you should specify the "Common Name" as the name by which clients will connect to this server. This is generally www.wherever.com. If you don't, you'll get a warning: "The name on the security certificate is invalid or does not match the name of the site" or similar.
For now, if you just hit "Yes", Internet Explorer will use the certificate for this session, allowing you to connect to the server.

Redirecting webmail to HTTPS

Now, currently, users can connect to the webmail using either HTTP or HTTPS. I'd like to force users to connect using HTTPS. This can be done with some mod_rewrite magic.
To make it go, put a .htaccess file in /var/www/webmail containing the following:

DirectoryIndex index.php

<IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{SERVER_PORT}      !^443$
        RewriteRule ^(.*)$      https://%{SERVER_NAME}/webmail/$1 [L,R=303]
</IfModule>

If you prefer, you can probably put similar directives in a <Location> or <Directory> block in httpd.conf. Note that this stanza is protected by IfModule. This causes it to fall back to normal HTTP access if mod_ssl didn't load. In such a case, you might prefer to deny access to this directory entirely.

Self-Signed Certificates

In order to get rid of Internet Explorer's warning about the untrusted certificate, you need to have a signed certificate. For an e-commerce site, this is generally done by giving a stack of cash to VeriSign or Thawte. There are other Certificate Authorities, but these are the top two.
Alternatively, you can create a self-signed certificate and install it in Internet Explorer. For more information about how to do this see, for example, http://www.modssl.org/docs/2.8/ssl_faq.html#cert-ownca.
Note: If you're planning on using the same server key and certificate with BincIMAP, you'll need to remove the passphrase from the server key. BincIMAP has no way of prompting for the key and, due to the use of tcpserver, couldn't keep it anywhere anyway. For more information, see http://www.modssl.org/docs/2.8/ssl_faq.html#remove-passphrase.
If you follow the instructions given there to create a signed (or self-signed) certificate, you should end up with two files: server.crt and server.key. If you've installed Debian's mod_ssl, you should have directories named ssl.crt, ssl.csr and ssl.key in /etc/apache. I just put the files (in this example, I called them flimsy.key, flimsy.csr and flimsy.crt) in those directories, and edited /etc/apache/httpd.conf to point to them:

<VirtualHost _default_:443>
     <IfModule mod_ssl.c>
        SSLEngine on
        SSLCertificateFile      /etc/apache/ssl.crt/flimsy.crt
        SSLCertificateKeyFile   /etc/apache/ssl.key/flimsy.key
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
     </IfModule>
</VirtualHost>

Installing a Self-Signed Certificate in IE

If, when presented with the certificate error message, you click on "View Certificate", you'll see your webserver's certificate.
You'd think that clicking the "Install Certificate" button would suffice, but it doesn't.
If you're using a self-signed certificate, you need to install your CA certificate in the "Trusted Root Certification Authorities" store. To do this, you can click on the "Certification Path" tab. This will show your server's certificate and your CA certificate. If you click on your CA certificate and click "View Certificate", you can view the details for your root CA certificate.
To install it, you first need to save it as a file. Select the "Details" tab and click the "Copy to File" button. If you then right-click on this file and select "Install Certificate" you'll see a wizard that will walk you through installing your CA certificate.
To see it, click on Tools / Options and go to the "Content" tab. Click on the "Certificates" button. Your certificate will be shown under "Trusted Root Certification Authorities".
Now you can point your browser at (in this example) https://flimsy.home.differentpla.net/webmail/ and it connects without bringing up any warnings.
For more information about Internet Explorer and certificates, read Chapter 6 - Digital Certificates in the Internet Explorer Resource Kit documentation.

Virtual Hosts and HTTPS

If you're using Virtual Hosts with Apache, you will run into what seems like a major problem: you can't use name-based virtual hosts and HTTPS. For more information, see http://www.modssl.org/docs/2.8/ssl_faq.html#vhosts.
Here are some possible different solutions:
  • Use IP-based virtual hosts. This requires a different IP address for each virtual host. This can be done by installing more than one network card or by using IP aliasing with a single network card.
    Unfortunately, this won't work in my situation, because I've only got a single IP address for my DSL connection, and I'd need to upgrade my service and buy a router that supported more than one external IP address.
  • Use a different port for each virtual HTTPS host. This would work in my case, but it's easy to forget to supply the port number when typing in the address.
  • Don't worry about it. Use the same virtual host to access all of your mailboxes. This works with vpopmail, because the domain name is part of the username used to log in. You can do this as long as you don't mind that your users will see that all of your different domains are running off the same server. I don't particularly mind, so this is what I'll do.

Testing with Name-based Virtual Hosts

peculiar, my "production" server is already configured with several name-based virtual hosts. To try this out, I'll have to configure my test box in a similar fashion.
In Part 4, I configured my internal DNS so that both of my test domains would resolve to the same box. If I connect to http://flimsy.differentpla.test/ or http://flimsy.beerology.test/, I am presented with the same page.
Configuring name-based virtual hosts to handle this is very easy. Just put something like the following into /etc/apache/httpd.conf:

NameVirtualHost *

<VirtualHost *>
    ServerName flimsy.differentpla.test
    DocumentRoot /var/www/flimsy.differentpla.test
</VirtualHost>

<VirtualHost *>
    ServerName flimsy.beerology.test
    DocumentRoot /var/www/flimsy.beerology.test
</VirtualHost>

This is the minimum needed to get name-based virtual hosts to work. You'll probably want to configure more than just this for each virtual host. For example, peculiar has separate log files and custom error documents for each host.
Any requests that don't match a particular ServerName or ServerAlias directive will resolve to the first matching VirtualHost block.
We also need a minimal index.html in each of the DocumentRoot locations, e.g.:

<!--/var/www/flimsy.beerology.test/index.html-->
<html>
 <head><title>flimsy.beerology.test</title></head>
 <body>
  <h1>flimsy.beerology.test</h1>
 </body>
</html>

We ought also to tweak the DocumentRoot settings in the VirtualHost block responsible for HTTPS:

<VirtualHost _default_:443>
    DocumentRoot /var/www/flimsy.home.differentpla.net
    <IfModule mod_ssl.c>
        SSLEngine on
        SSLCertificateFile      /etc/apache/ssl.crt/flimsy.crt
        SSLCertificateKeyFile   /etc/apache/ssl.key/flimsy.key
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    </IfModule>
</VirtualHost>

If we don't do this, it'll be set to the default (/var/www on Debian), which is where each of our virtual hosts is installed. A user will be able to get a list of the virtual hosts on this box by browsing to http://flimsy.home.differentpla.net/. So, we change it.
Success! Users can connect to either of the name-based virtual hosts, and they can still connect to https://flimsy.home.differentpla.net/ to check their mail.
    If a user inadvertently tries to connect to https://flimsy.differentpla.test, which resolves to the same site, they'll be presented with a warning message:
    The user can choose "Yes", and they'll get the webmail login form as normal. In future, we'd probably prefer to use some mod_rewrite magic to redirect them to an information page if they've typed in the wrong address. We might also want to use mod_rewrite so that people who use HTTPS to connect to pages that don't need to be secure are redirected to use the HTTP variant, thus saving CPU cycles on the server.
    Next: Securing IMAP.

  • HowTo SSH/SCP without a password

    HowTo SSH/SCP without a password.

     http://www.hostingrails.com/HowTo-SSH-SCP-without-a-password

    This small HowTo will explain how to setup key-based authentication for password-less SSH and SCP usage.

    This HowTo does assume the reader has some basic knowledge of ssh and a terminal, and is using an operating system that implements SSH. If you're using a Windows OS and want to use SSH, try PuTTY. For Putty, see key-based auth with Putty.

    In the examples that follow please substitute 'servername' , 'ipaddress' and 'username' with the proper information for your setup. I have included a list of weblinks for the words in italic at the end of this document.

    Step 1. Verify that you can connect normally (using a password) to the server you intend to setup keys for:

    #### Examples ####

    user@homebox ~ $ ssh username@'servername'

    # Or:

    user@homebox ~ $ ssh username@'ipaddress'

    # If your username is the same on both the client ('homebox') and the server ('servername'):

    user@homebox ~ $ ssh 'servername'

    # Or:

    user@homebox ~ $ ssh 'ipaddress'

    # If this is your first time connecting to 'servername' (or 'ipaddress'), upon establishing a connection with the
    # server you'll be asked if you want to add the servers fingerprint to the known_hosts file on your computer.
    # Press 'enter' to add the fingerprint.

    Step 2. Now that you're connected to the server and verified that you have everything you need for access (hopefully), disconnect by typing 'exit' .

    #### Examples ####

    user@servername ~ $ exit

    # You should be back at:

    user@homebox ~ $

    Step 3. The next step is to copy a unique key generated on your 'homebox' to the server you are connecting to. First, before you generate a new key, check to see if you already have a key:

    #### Example ####

    user@homebox ~ $ ls -l ~/.ssh
    total 20
    -rwx--xr-x 1 user user  601 Feb  2 01:58 authorized_keys
    -rwx--xr-x 1 user user  668 Jan  1 19:26 id_dsa
    -rwx--xr-x 1 user user  599 Jan  1 19:26 id_dsa.pub
    -rwx--xr-x 1 user user 6257 Feb  2 21:04 known_hosts

    # The file we need to copy to the server is named id_dsa.pub. As you can see above, the file needed exists. You may or may not have other files in ~/.ssh as I do. If the key doesn't exist, however, you can make one as follows:

    #### Example ####

    user@homebox ~ $ ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/user/.ssh/id_dsa):     # Press 'enter' here
    Enter passphrase (empty for no passphrase):     # Press 'enter' here
    Enter same passphrase again:     # Press 'enter' here
    Your identification has been saved in /home/user/.ssh/id_dsa.
    Your public key has been saved in /home/user/.ssh/id_dsa.pub.
    The key fingerprint is:
    6f:c3:cb:50:e6:e9:90:f0:0f:68:d2:10:56:eb:1d:91 user@host

    # Entering a passphrase when prompted during key generation would require you to enter it each time you SSH/SCP to the server, which defeats the purpose of this document.

    Step 4. Regardless of whether you had a key ready to go or had to generate a new one, the next step is the same. Now you're ready to copy the key to the server. Do so like this:

    #### Example ####

    user@homebox ~ $ ssh-copy-id -i ~/.ssh/id_dsa.pub user@'servername' (or 'ipaddress')

    # If you are asked whether or not you wish to continue, say yes.

    Step 5. Now it's time to test the setup. To do that, try to ssh to the server:

    #### Example ####

    user@homebox ~ $ ssh 'servername' (or 'ipaddress')

    # You should log in to the remote host without being asked for a password.

    Step 6. You can now SSH or SCP to the remote host without having to enter a password at each connection. To make sure your key files stay secure from prying eyes, do the following to change permissions and restrict access to ~/.ssh on 'homebox' and also on 'servername':

    #### Example ####

    user@homebox ~ $ chmod 600 ~/.ssh/id_dsa ~/.ssh/id_dsa.pub

    # Verify the permissions on the files:

    #### Example ####

    user@homebox ~ $ ls -l ~/.ssh
    -rw-------  1 user user  668 Feb  4 19:26 id_dsa
    -rw-------  1 user user  599 Feb  4 19:26 id_dsa.pub

    Links

    1. OpenSSH

    2. known_hosts

    3. fingerprint
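
An added example, not part of the original HowTo: a shell check for the loose modes visible in the Step 3 listing (-rwx--xr-x), covering the directory as well as the key files that Step 6 tightens. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original HowTo): audit an SSH directory for the
# loose modes seen in the Step 3 listing (-rwx--xr-x on id_dsa).

# Print the octal permission bits of a path (GNU stat, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed when none of the permission bits in octal mask $2 are set on $1.
mode_within() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 0$2 )) -eq 0 ]
}

# audit_ssh_dir DIR
# Prints one "BAD ..." line per finding. Returns 0 if clean, 1 if anything
# was reported, 2 if DIR does not exist.
audit_ssh_dir() {
    dir=$1
    bad=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    # The directory should be owner-only (700): sshd's StrictModes refuses
    # key login when ~/.ssh is writable by group or others.
    if ! mode_within "$dir" 077; then
        echo "BAD $dir (mode $(file_mode "$dir")): chmod 700"
        bad=1
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            # Public material: readable by anyone, writable only by the owner.
            *.pub|known_hosts*) mask=022; fix=644 ;;
            # Everything else (private keys, authorized_keys, config) is
            # treated as owner-only; ssh ignores a private key that other
            # users can read.
            *) mask=077; fix=600 ;;
        esac
        if ! mode_within "$f" "$mask"; then
            echo "BAD $f (mode $(file_mode "$f")): chmod $fix"
            bad=1
        fi
    done
    return "$bad"
}

# Run against a directory given on the command line, e.g.: sh audit.sh ~/.ssh
case ${1:-} in
    '') ;;
    *) audit_ssh_dir "$1" ;;
esac
```

Run it on 'homebox' and on 'servername'; a non-zero exit status means at least one path needs the chmod printed next to it.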

    ------
    Nice post!

    I've noticed that I don't have the command ssh-copy-id on my OS X machine (I didn't even know one existed!). To achieve the same effect I usually do the following:
    user@homebox ~ $ scp ~/.ssh/id_dsa.pub user@'servername':.ssh/authorized_keys
    This is assuming you've already created a .ssh directory on your server 'servername' (just ssh in as normal and `mkdir .ssh`). This also assumes that you don't already have an `authorized_keys` file in the .ssh directory on your server. If you do just copy (scp) the id_dsa.pub file to a temporary file in your server's home directory and then
    user@homebox ~ $ scp .ssh/id_dsa.pub user@servername:homebox_dsa.pub
    user@homebox ~ $ ssh user@servername
    user@servername ~ $ cat homebox_dsa.pub >> .ssh/authorized_keys
    user@servername ~ $ rm homebox_dsa.pub 
    If you've got it, the ssh-copy-id way is clearly a lot easier!

    ~ Mark

    Hi Mark. Thanks for adding that bit. I don't have access to a Mac (new one anyway) so that's very nice to know.

    Seth

    Seth, I liked this post a lot, but felt the formatting and wording can be improved. I've made a few changes to the introduction.

    Xin
    (I wish I had used my name for my username now!)

    -------

    I found an elegant way of creating a new, or adding to an existing authorized_keys file with a single command:

    ssh username@somedomain.com -n "echo `cat ~/.ssh/id_dsa.pub` >> ~/.ssh/authorized_keys"
    -

    I think it *is* a good practice to use pass phrases when using ssh keys. You can use ssh-agent on Linux and SSH Agent or SSHKeychain on Mac OS X, to avoid having to type your pass phrase every time you access a remote host. Also, you can forward your keys using 'ssh -A' if you need to hop onto some host in the middle.

    -- Igor

    -------

    I'm using PUTTY (pageant) on a XP and on Vista.  I use 2048 RSA private key that is password protected.  I typically use PUTTY to connect, fyi: my purpose is really to be able to use git (which uses SSH) without having to log in every time I commit. Assuming you are too and have a key generated already...

    load key into PuttyGen (enter password for the key) in the window copy the "public key for pasting into OpenSSH..." append this to the ~/.ssh/authorized_keys.  

    One comment: when I used the append from above aka the elegant code, it did not add a \n at the end of the line aka didn't work. I vi'd the file added a new line.

    --Eric
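
The ways of installing the key discussed in the comments above can overwrite existing keys, add duplicates, or leave a line unterminated. An added example (not from the thread; the function name is this example's own) that appends a public key on the server exactly once, with owner-only modes:

```shell
#!/bin/sh
# Added example (not from the original thread). Run on the server, after the
# public key file has been copied there as in Mark's comment.

# add_authorized_key PUBKEY_FILE [SSH_DIR]
# Prints "added" or "already present"; returns 2 if PUBKEY_FILE is not a
# public key (for example id_dsa was passed instead of id_dsa.pub).
add_authorized_key() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    # First line that is neither blank nor a comment: "type base64 [comment]".
    key=$(grep -v -e '^[[:space:]]*$' -e '^#' "$pub" 2>/dev/null | head -n 1)

    # A private key starts with "-----BEGIN", so it fails this check.
    # Note: ssh-dss (DSA, the key type used on this page) is disabled by
    # default in current OpenSSH releases.
    case $key in
        ssh-*\ ?*|ecdsa-*\ ?*|sk-*\ ?*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 2 ;;
    esac

    # Create directory and file owner-only, without a window of looser modes,
    # then tighten anything that already existed.
    ( umask 077; mkdir -p "$dir" && : >> "$auth" ) || return 1
    chmod 700 "$dir" && chmod 600 "$auth" || return 1

    # Compare on "type base64" only, so a changed comment is not a new key.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if grep -qF -- "$blob" "$auth"; then
        echo "already present"
        return 0
    fi

    # An earlier append may have left the last line unterminated (the problem
    # Eric describes). $(...) strips a trailing newline, so a non-empty
    # result means the newline is missing.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        printf '\n' >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "added"
}

# Usage on the server: sh addkey.sh homebox_dsa.pub
case ${1:-} in
    '') ;;
    *) add_authorized_key "$@" ;;
esac
```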

    Problem on the qmail server with a POP3 error: can send but cannot receive in Microsoft Outlook

    Solution: re-check the permissions on the Maildir/cur folder; everything must be owned by vpopmail.vchkpw, on all of the files.

    Cannot log on to SquirrelMail

    http://www.bramschoenmakers.nl/en/node/270


    SquirrelMail: Unknown user or password incorrect
    After having solved the problem described in previous entry, I encountered new problems with logging in.
    Now, after I entered my credentials, the following error was shown:
    Unknown user or password incorrect
    The SquirrelMail website suggested that the IMAP server was misconfigured somehow. So I checked /var/log/maillog:
    Oct 19 08:50:59 example imapd: LOGIN, user=test@example.com, ip=[127.0.0.1], protocol=IMAP
    Oct 19 08:50:59 example imapd: LOGOUT, user=test@example.com, ip=[127.0.0.1], headers=0, body=0, rcvd=30, sent=238, time=0
    Oct 19 08:50:59 example imapd: LOGIN, user=test@example.com, ip=[127.0.0.1], protocol=IMAP
    Oct 19 08:50:59 example imapd: Failed to create cache file: maildirwatch (test@example.com)
    Oct 19 08:50:59 example imapd: Error: Input/output error
    Oct 19 08:50:59 example imapd: Check for proper operation and configuration
    Oct 19 08:50:59 example imapd: of the File Access Monitor daemon (famd).
    Oct 19 08:50:59 example imapd: Failed to create cache file: maildirwatch (test@example.com)
    Oct 19 08:50:59 example imapd: Error: Input/output error
    Oct 19 08:50:59 example imapd: Check for proper operation and configuration
    Oct 19 08:50:59 example imapd: of the File Access Monitor daemon (famd).
    Oct 19 08:50:59 example imapd: LOGOUT, user=test@example.com, ip=[127.0.0.1], headers=0, body=0, rcvd=431, sent=1438, time=0
    Oct 19 08:50:59 example imapd: LOGIN FAILED, user=test@example.com, ip=[127.0.0.1]
    Oct 19 08:51:04 example imapd: LOGOUT, ip=[127.0.0.1], rcvd=60, sent=332
    Hmm, FAM didn't work really well, so I disabled it in the port and reinstalled it. Then, I restarted the IMAP server:
    /usr/local/etc/rc.d/courier-imap-imapd.sh restart
    But still, logging in didn't work. The FAM errors were gone, but the last two lines of the maillog output were still to be found.
    It turned out that I hadn't restarted the courier-authdaemond. So restarting it:
    /usr/local/etc/rc.d/courier-authdaemond restart
    made the logins work flawlessly again. Hooray!
    After that, I re-enabled FAM in the port. Logging in still worked, but those FAM errors were still spat out in the maillog. I don't think it's really crucial so I'd better leave it out for now.

    VPN configuration of IPCop with Cisco ASA

    - IKE Encryption: 3DES
    - IKE Integrity: MD5
    - IKE Grouptype: MODP-1024
    - IKE Lifetime: 8 hours
    - ESP Encryption: AES-256bit
    - ESP Integrity: SHA1
    - ESP Grouptype: MODP-1536
    - ESP Keylife: 8 hours
    - Perfect Forward Secrecy (PFS) is marked

    Command to view directory sizes on Linux: du -Skh *

    Error: cannot view the BIRT viewer

    Caused by a missing common-logging lib ---> download the common-logging lib, then copy it into the /WEB-INF/lib directory

    Find a file on Linux: find ./ -name "config.xml"

    Error: cannot log on to Tomcat Manager after installing Tomcat with zypper

    Caused by missing library packages -----> solution: run zypper search tomcat, then install all of the related packages that are not yet installed. Go to /etc/tomcat/tomcat-users.xml to change the default user and password.

    Error: cannot bridge, ethernet interface is down, in VMware

    On the physical host run: vmnet-bridge -d /var/run/vmnet-bridge-0.pid /dev/vmnet0 eth0/1/2.... then reboot the virtual machine

    Log in to Windows XP using the commands

    chainloader (hd0,0)+1   then   boot

    Cannot start graphics on SUSE

    sax2 -m 0=vesa

    Changing-from-squirrelmail-to-atmail

    Changing From SquirrelMail To Atmail Open With ISPConfig 3

    http://www.howtoforge.com/changing-from-squirrelmail-to-atmail-open-with-ispconfig-3

    @Mail Open

    Author: Sellotape
    Version: 1.00
    Last edited: Saturday, 04th December 2010

    Atmail Open is an open source webmail client which is available free of charge and is a great alternative to Squirrelmail. This tutorial shows how to use it with ISPConfig 3 (instead of SquirrelMail). More information available here... http://atmail.org


    Step 1 - Create A Database

    First we need to create a database for Atmail.

    * Open up ISPConfig and go to Sites.
    * Select Database from the sub-navigation menu on the left.
    * Click on Add new Database
    * Create a Database name, Database user and a Database password


    Step 2 - Backup Squirrelmail

    Just in case it all goes wrong - we need to backup Squirrelmail.

    cd /usr/share
    mv squirrelmail squirrelmail.bak
    mkdir squirrelmail


    Step 3 - Download, Unpack And Remove Unnecessary Files

    I was unable to get the latest version of Atmail open to work with my setup. For the purpose of this tutorial; we will be using v1.01 - Please feel free to let me know if you find a way to get the latest version working.

    cd squirrelmail
    wget http://downloads.sourceforge.net/atmailopen/atmailopen-1.01.tgz
    tar xvfz atmailopen-1.01.tgz
    cd atmailopen
    mv * ../
    cd ../
    rm -r atmailopen
    rm atmailopen-1.01.tgz


    Step 4 - Make Atmail Open Writeable For Apache

    chown -R [Apache-user] /usr/share/squirrelmail

    Please note: On Debian systems, replace [Apache-user] with www-data. The Apache user on other Linux distributions might be different.


    Step 5 - Install Atmail Open To Your Server

    In your preferred browser, go to http://yourdomain.tld/webmail. You'll be required to read the on-screen instructions and read the licence agreement. Providing you accept you can continue!


    Step 6 - Connect To The Database

    In Step 1 we created a database in ISPConfig and we now need to enter the details into AtMail Open...

    Connect to the database


    Step 7 - Define The SMTP Host

    Enter the SMTP Host (in this example we assume it is localhost). Whether or not you require Authentication (e.g. if you need to use a mail relayer to send e-mail) and an Administrator E-mail Address.

    SMTP Host


    Step 8 - Import Data From SquirrelMail (Or Another Webmail System)

    At this step, you have the possibility to import data from other popular webmail systems. Should you decide to do this, please select SquirrelMail, enter the database connection settings and click 'Continue'.

    Import data


    Step 9 - All done! Log In To Atmail Open

    You can now log in to your new Atmail Open Webmail system! It's all good to go from here but if you like, follow Step 10 to customise your login screen.

    Login to Atmail


    Step 10 - Customise The Login Screen

    In this step we will cover how to remove the Mailserver, Language and Protocol fields from the login screen and define default settings so we don't need to input them manually every time we log in.

    vi /usr/share/squirrelmail/html/login-light.html

    Find the lines below and edit accordingly...

    Login Header / Title text

    <td>Webmail Access</td>

    Instructions to login / Custom Message

    <td><div id="AuthStatus" class="logintext" style="padding-left: 4px;">Please provide your username and password.</div></td>

    Hide 'Mailserver' field from login page and set default to 'localhost'

    Find...

    <tr id="mailserver">

    And change to...

    <tr id="mailserver" style="display:none;">

    Find...

    <td align="left"><input name="MailServer" type="text" class="logininput" id="MailServer"></td>

    And change to...

    <td align="left"><input name="MailServer" type="text" class="logininput" id="MailServer" value="localhost"></td>

    Hide protocol from login page

    Find...

    <tr id="protocol">

    And change to...

    <tr id="protocol" style="display:none;">

    Hide Language from login page

    Find...

    <tr>
    <td> </td>
    <td colspan="2" align="right">Language:</td>

    And change the <tr> tag to...

    <tr style="display:none;">

    Please let me know if you have any suggestions to improve this tutorial... Enjoy!

    Copyright © 2010 Ash
    All Rights Reserved.

    Installing Qmail server, Clamav, Spamassassin, Qmail-scanner on Suse

    Installing qmail




    . preparing .

    root: ~ # yast -i zypper
    root: ~ # zypper in gcc gcc-c++ make openssl openssl-devel gdbm-devel wget patch patchutils xinetd telnet nmap

    - installing apache, php, mysql, perl, you can check this.

    - installing perl modules:

    root: ~ # zypper in perl-Digest-SHA1 perl-Digest-HMAC perl-Net-DNS perl-Time-HiRes perl-HTML-Tagset perl-HTML-Parser perl-YAML

    - remove postfix package

    root: ~ # /etc/init.d/postfix stop
    root: ~ # zypper rm postfix

    - download qmail package source

    root: ~ # mkdir /downloads
    root: ~ # cd /downloads
    root: downloads # wget http://www.qmailrocks.org/downloads/qmailrocks.tar.gz
    root: downloads # tar -xzvf qmailrocks.tar.gz

    . compile qmail .

    root: ~ # cd /downloads/qmailrocks
    root: qmailrocks # ./scripts/install/qmr_install_linux-s1.script
    root: qmailrocks # ./scripts/util/qmail_big_patches.script
    root: qmailrocks # cd /usr/src/qmail/qmail-1.03
    root: qmail-1.03 # make man && make setup check
    root: qmail-1.03 # ./config-fast mail.yourdomain.com

    root: qmail-1.03 # make cert

    Country Name (2 letter code) [GB]: VN
    State or Province Name (full name) [Berkshire]: Ho Chi Minh City
    Locality Name (eg, city) [Newbury]: Ho Chi Minh City
    Organization Name (eg, company) [My Company Ltd]: The Company J.A. HENCKELS Company
    Organizational Unit Name (eg, section) []: mail
    Common Name (eg, your name or your server's hostname) []: Company
    Email Address []: postmaster@yourdomain.com

    root: qmail-1.03 # chown -R vpopmail:qmail /var/qmail/control/clientcert.pem /var/qmail/control/servercert.pem

    . compile ucspi-tcp .

    root: ~ # cd /usr/src/qmail/ucspi-tcp-0.88/
    root: ucspi-tcp-0.88 # patch < /downloads/qmailrocks/patches/ucspi-tcp-0.88.errno.patch
    root: ucspi-tcp-0.88 # make && make setup check

    . compile daemontools .

    root: ~ # cd /package/admin/daemontools-0.76/src
    root: src # patch < /downloads/qmailrocks/patches/daemontools-0.76.errno.patch
    root: src # cd ..
    root: daemontools-0.76 # ./package/install

    . compile ezmlm .

    root: ~ # cd /downloads/qmailrocks/
    root: qmailrocks # tar -xzvf ezmlm-0.53-idx-0.41.tar.gz
    root: qmailrocks # cd ezmlm-0.53-idx-0.41
    root: ezmlm-0.53-idx-0.41 # make && make setup

    . compile autoresponder .

    root: ~ # cd /downloads/qmailrocks/
    root: qmailrocks # tar -xzvf autorespond-2.0.5.tar.gz
    root: qmailrocks # cd autorespond-2.0.5
    root: autorespond-2.0.5 # make && make install

    . compile vpopmail (with mysql integration) .

    root: ~ # mkdir -p /home/vpopmail/etc
    root: ~ # chown -R vpopmail:vchkpw /home/vpopmail/
    root: ~ # cd /downloads/qmailrocks
    root: qmailrocks # tar -xzvf vpopmail-5.4.13.tar.gz
    root: qmailrocks # cd vpopmail-5.4.13
    root: vpopmail-5.4.13 # ./configure --enable-logging=p --enable-auth-module=mysql --disable-passwd --enable-clear-passwd --disable-many-domains --enable-auth-logging --enable-sql-logging --enable-valias --disable-mysql-limit

    root: vpopmail-5.4.13 # make && make install-strip

    . test vpopmail .

    root: ~ # cd /home/vpopmail/bin
    root: bin # ./vadddomain yourdomain.com

    ###Password postmaster: 123456

    --+ if you get an error like: Failure while attempting to remove_line() the locals file
    create the file "locals" in /var/qmail/control

    root: bin # touch /var/qmail/control/locals

    root: bin # ./vadduser tvlong@yourdomain.com

    ###password tvlong: 123456

    . compile vqadmin .

    root: ~ # cd /downloads/qmailrocks
    root: qmailrocks # tar -xzvf vqadmin-2.3.6.tar.gz
    root: qmailrocks # cd vqadmin-2.3.6/
    root: vqadmin-2.3.6 # ./configure --enable-cgibindir=/srv/www/cgi-bin --enable-htmldir=/srv/www/htdocs
    root: vqadmin-2.3.6 # make && make install-strip

    . configure vqadmin .

    root: ~ # vim /etc/apache2/httpd.conf

    -( add this configuration )-

    <Directory "/srv/www/cgi-bin/vqadmin">
        deny from all
        Options ExecCGI
        AllowOverride AuthConfig
        Order deny,allow
    </Directory>

    root: ~ # cd /srv/www/cgi-bin/vqadmin
    root: vqadmin # vim .htaccess

    -( configure this file like this )-

    AuthType Basic
    AuthUserFile /srv/www/cgi-bin/vqadmin/.htpasswd
    AuthName vQadmin
    require valid-user
    satisfy any

    root: vqadmin # chown wwwrun .htaccess
    root: vqadmin # chmod 644 .htaccess

    -( create .htpasswd file )-

    root: vqadmin # htpasswd2 -bc .htpasswd admin 123456
    root: vqadmin # chmod 644 .htpasswd

    -( restart apache service )-

    root: vqadmin # /etc/init.d/apache2 restart

    -( test vqadmin )-

    Open your web browser and go to the URL:
    http://yourdomain.com/cgi-bin/vqadmin/vqadmin.cgi

    Enter the user "admin" and password: 123456 to log in.

    . compile maildrop .

    root: ~ # cd /downloads/qmailrocks/
    root: qmailrocks # tar -xzvf maildrop-1.6.3.tar.gz
    root: qmailrocks # cd maildrop-1.6.3/
    root: maildrop-1.6.3 # ./configure --prefix=/usr/local --exec-prefix=/usr/local --enable-maildrop-uid=root --enable-maildrop-gid=vchkpw --enable-maildirquota
    root: maildrop-1.6.3 # make && make install-strip && make install-man

    --) if compilation fails with an error like: error: expected ‘;’ before ‘<’ token, you may need to use maildrop version 2.0.4 instead. This application can be downloaded here.

    . compile qmailadmin .

    root: ~ # cd /downloads/qmailrocks/
    root: qmailrocks # tar -xzvf qmailadmin-1.2.9.tar.gz
    root: qmailrocks # cd qmailadmin-1.2.9/
    root: qmailadmin-1.2.9 # ./configure --enable-cgibindir=/srv/www/cgi-bin --enable-htmldir=/srv/www/htdocs
    root: qmailadmin-1.2.9 # make && make install-strip

    -( test qmailadmin )-

    Open your web browser and go to the URL:

    http://yourdomain.com/cgi-bin/qmailadmin

    You should see the login screen. Log in with the postmaster account and password for the domain that you created by vqadmin.

    . finalizing qmail .

    root: ~ # /downloads/qmailrocks/scripts/finalize/linux/finalize_linux.script
    root: ~ # vim /var/qmail/supervise/qmail-pop3d/run <----- Check

    find "mail.example.com" and change it to your domain name (mail.yourdomain.com).

    root: ~ # vim /var/qmail/supervise/qmail-smtpd/run <------Check

    find "mail.example.com" and change it to your domain name (mail.yourdomain.com).

    -( stop qmail service )-

    root: ~ # qmailctl stop

    --+ if you get an error like: svc: warning: unable to control /service/qmail-smtpd: file does not exist, you can solve it by creating the file 'me' in the directory /var/qmail/control

    root: ~ # touch /var/qmail/control/me

    -( setup relay )-

    root: ~ # echo '127.0.0.:allow,RELAYCLIENT=""' >> /etc/tcp.smtp
    root: ~ # qmailctl cdb

    -( create common system alias )-

    root: ~ # echo "tvlong@yourdomain.com" > /var/qmail/alias/.qmail-root
    root: ~ # echo "tvlong@yourdomain.com" > /var/qmail/alias/.qmail-postmaster
    root: ~ # echo "tvlong@yourdomain.com" > /var/qmail/alias/.qmail-mailer-daemon
    root: ~ # ln -s /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-anonymous
    root: ~ # chmod 644 /var/qmail/alias/.qmail*

    . starting qmail .

    root: ~ # /downloads/qmailrocks/scripts/util/qmr_inst_check
    root: ~ # qmailctl stop
    root: ~ # qmailctl start
    root: ~ # qmailctl stat

    . testing service .

    root: ~ # nmap localhost

    Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-30 21:53 UTC
    Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
    Interesting ports on localhost.localdomain (127.0.0.1):
    Not shown: 1709 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    25/tcp open smtp
    80/tcp open http
    110/tcp open pop3
    443/tcp open https
    3306/tcp open mysql

    Nmap done: 1 IP address (1 host up) scanned in 0.145 seconds

    -( testing pop3 service )-

    root: ~ # telnet localhost 110

    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    +OK <5521.1233352536@mail.yourdomain.com>
    user postmaster@yourdomain.com
    +OK
    pass 123456
    +OK
    quit
    +OK
    Connection closed by foreign host.

    -( test smtp service )-

    root: ~ # telnet localhost 25

    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail.yourdomain.com ESMTP
    ehlo localhost
    250-mail.yourdomain.com
    250-AUTH LOGIN CRAM-MD5 PLAIN
    250-AUTH=LOGIN CRAM-MD5 PLAIN
    250-STARTTLS
    250-PIPELINING
    250 8BITMIME
    starttls
    220 ready for tls
    quit
    quit
    Connection closed by foreign host.

    If "250-STARTTLS" appears in the reply from your SMTP service, your server is equipped for TLS functionality.
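
The check done by eye in the telnet session above, as an added shell example (not part of the original post): it parses an EHLO reply for STARTTLS and for AUTH mechanisms that are offered before TLS is negotiated. The sample reply is the server side of the transcript above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): report what an SMTP server
# offers in its pre-TLS EHLO reply.

# Server lines of the telnet session shown above, copied from the page.
sample_ehlo() {
    cat <<'EOF'
220 mail.yourdomain.com ESMTP
250-mail.yourdomain.com
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
EOF
}

# ehlo_check: read an EHLO reply on stdin and print key=value findings.
# Returns 1 when STARTTLS is missing or a cleartext AUTH mechanism is
# offered before TLS has been negotiated, 0 otherwise.
ehlo_check() {
    awk '
        # Reply lines are "250-KEYWORD args" (more follow) or "250 KEYWORD args".
        /^250[- ]/ {
            line = substr($0, 5)
            sub(/\r$/, "", line)            # captured sessions may keep the CR
            n = split(line, w, /[ =]/)      # handles "AUTH x" and "AUTH=x"
            kw = toupper(w[1])
            if (kw == "STARTTLS") tls = 1
            if (kw == "AUTH")
                for (i = 2; i <= n; i++)
                    if (w[i] != "") mech[toupper(w[i])] = 1
        }
        END {
            # LOGIN and PLAIN send the password merely base64-encoded;
            # CRAM-MD5 is a challenge-response and is not counted here.
            clear = ""
            if ("LOGIN" in mech) clear = clear " LOGIN"
            if ("PLAIN" in mech) clear = clear " PLAIN"
            sub(/^ /, "", clear)
            print "starttls=" (tls ? "yes" : "no")
            print "cleartext_auth=" (clear == "" ? "none" : clear)
            if (!tls) print "finding=server does not offer STARTTLS"
            if (clear != "")
                print "finding=" clear " offered before TLS; require STARTTLS before AUTH"
            rc = (!tls || clear != "") ? 1 : 0
            exit rc
        }'
}

# Stand-alone run on the sample; exit status 1 from ehlo_check means findings.
sample_ehlo | ehlo_check || :
```

To check a live server, save the EHLO reply from a session like the one above to a file and pipe it into `ehlo_check`.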








    . compile courier imap and imap ssl .

    root: ~ # cd /downloads/qmailrocks/
    root: qmailrocks # tar -xjvf courier-authlib-0.55.tar.bz2
    root: qmailrocks # cd courier-authlib-0.55/
    root: courier-authlib-0.55 # ./configure --prefix=/usr/local --exec-prefix=/usr/local --with-authvchkpw --without-authldap --without-authmysql --disable-root-check --with-ssl --with-authchangepwdir=/usr/local/libexec/authlib
    root: courier-authlib-0.55 # make && make check
    root: courier-authlib-0.55 # make install-strip && make install-configure
    root: courier-authlib-0.55 # vim /etc/init.d/boot.local

    --+ add this line
    /usr/local/sbin/authdaemond start

    . compile courier-imap .
    You must compile courier-imap as a non-root user (e.g. linux).

    root: ~ # cd /downloads/qmailrocks/
    root: qmailrocks # tar -xjvf courier-imap-4.0.2.tar.bz2
    root: qmailrocks # useradd -m -p 123456 linux
    root: qmailrocks # chown -R linux:wheel courier-imap-4.0.2
    root: qmailrocks # cd courier-imap-4.0.2/
    root: courier-imap-4.0.2 # su linux
    linux: courier-imap-4.0.2 > ./configure --prefix=/usr/local --exec-prefix=/usr/local --with-authvchkpw --without-authldap --without-authmysql --disable-root-check --with-ssl --with-authchangepwdir=/usr/local/libexec/authlib
    linux: courier-imap-4.0.2 > make && make check
    linux: courier-imap-4.0.2 > exit
    root: courier-imap-4.0.2 # make install-strip && make install-configure

    --+ make SSL certificate +--
    root: courier-imap-4.0.2 # /usr/local/sbin/mkimapdcert
    root: courier-imap-4.0.2 # vim /usr/local/etc/imapd.cnf

    change postmaster@example.com to an administrative email address (postmaster@yourdomain.com)

    root: courier-imap-4.0.2 # vim /usr/local/etc/imapd

    configure: IMAPDSTART=YES

    root: courier-imap-4.0.2 # vim /usr/local/etc/imapd-ssl

    configure: IMAPDSSLSTART=YES
    make sure this configuration exists: TLS_CERTFILE=/usr/local/share/imapd.pem

    root: courier-imap-4.0.2 # vim /usr/local/etc/authlib/authdaemonrc

    configure: authmodulelist="authvchkpw"

    root: courier-imap-4.0.2 # cp /usr/local/libexec/imapd.rc /etc/init.d/imap
    root: courier-imap-4.0.2 # cp /usr/local/libexec/imapd-ssl.rc /etc/init.d/imaps

    --+ starting up service +--

    root: courier-imap-4.0.2 # /usr/local/sbin/authdaemond stop
    root: courier-imap-4.0.2 # /usr/local/sbin/authdaemond start
    root: courier-imap-4.0.2 # /etc/init.d/imap stop
    root: courier-imap-4.0.2 # /etc/init.d/imap start
    root: courier-imap-4.0.2 # /etc/init.d/imaps stop
    root: courier-imap-4.0.2 # /etc/init.d/imaps start

    --+ check with nmap +--

    root: ~ # nmap localhost

    Starting Nmap 4.60 ( http://nmap.org ) at 2009-02-01 14:16 UTC
    Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
    Interesting ports on localhost.localdomain (127.0.0.1):
    Not shown: 1707 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    25/tcp open smtp
    80/tcp open http
    110/tcp open pop3
    143/tcp open imap
    443/tcp open https
    993/tcp open imaps
    3306/tcp open mysql

    Nmap done: 1 IP address (1 host up) scanned in 0.145 seconds

    --+ test imap +--

    root: ~ # telnet localhost 143
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See COPYING for distribution information.
    a login postmaster@yourdomain.com 123456
    a OK LOGIN Ok.
    a logout
    * BYE Courier-IMAP server shutting down
    a OK LOGOUT completed
    Connection closed by foreign host.

    --+ you must type 'a' before each command you execute (login, logout)

    . compile courierpassd .




    root: ~ # cd /downloads/qmailrocks/


    root: qmailrocks # tar -xzvf courierpassd-1.1.0-RC1.tar.gz


    root: qmailrocks # cd courierpassd-1.1.0-RC1/


    root: courierpassd-1.1.0-RC1 # ./configure


    root: cd courierpassd-1.1.0-RC1 # make && make install




    --+ configure courierpassd +--


    _configure xinetd.d




    root: ~ # cd /etc/xinetd.d/


    root: xinetd.d # vim courierpassd














    _add this line_




    service courierpassd


    {


    port = 106


    socket_type = stream


    protocol = tcp


    user = root


    server = /usr/local/sbin/courierpassd


    server_args = -s imap


    wait = no


    only_from = 127.0.0.1


    instances = 4


    disable = no


    }




    _configure services




    root: ~ # vim /etc/services




    __add this line : ___




    courierpassd 106/tcp # for /etc/xinetd.d/courierpassd <------- Check




    _start service




    root: ~ # /etc/init.d/xinetd restart




    _test service




    root: ~ # nmap localhost




    Starting Nmap 4.60 ( http://nmap.org ) at 2009-02-02 12:02 UTC


    Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.


    Interesting ports on localhost.localdomain (127.0.0.1):


    Not shown: 1706 closed ports


    PORT STATE SERVICE


    22/tcp open ssh


    25/tcp open smtp


    80/tcp open http


    106/tcp open pop3pw


    110/tcp open pop3


    143/tcp open imap


    443/tcp open https


    993/tcp open imaps


    3306/tcp open mysql




    Nmap done: 1 IP address (1 host up) scanned in 0.203 seconds
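Comparing this scan with the one taken before courierpassd was enabled confirms that port 106 is the only new listener. The script below is an added example, not part of the original post; the function names are made up for illustration, and it reads nmap's normal text output saved to files.

```shell
#!/bin/sh
# Added example: compare two saved nmap runs and report which listening ports
# appeared or disappeared between them.

# open_ports FILE: print "port/proto" for every open port in nmap's normal
# output. The SERVICE column is ignored: it is nmap's label for the port number
# (106/tcp shows as pop3pw above), not the daemon that is actually listening.
open_ports() {
    awk '$2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ { print $1 }' "$1" | LC_ALL=C sort -u
}

# port_changes BEFORE AFTER: print "+port" for newly open ports and "-port"
# for ports that are no longer open.
port_changes() {
    pc_dir=$(mktemp -d) || return 1
    open_ports "$1" > "$pc_dir/before"
    open_ports "$2" > "$pc_dir/after"
    LC_ALL=C comm -13 "$pc_dir/before" "$pc_dir/after" | sed 's/^/+/'
    LC_ALL=C comm -23 "$pc_dir/before" "$pc_dir/after" | sed 's/^/-/'
    rm -rf "$pc_dir"
}

# only_expected BEFORE AFTER EXPECTED: succeed only if the change between the
# two scans is exactly EXPECTED (for example "+106/tcp").
only_expected() {
    [ "$(port_changes "$1" "$2")" = "$3" ]
}

# Demo input: the port tables of the two scans shown on this page.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/before.txt" <<'EOF'
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
993/tcp open imaps
3306/tcp open mysql
EOF
# The second scan is the first one plus the courierpassd port.
{ cat "$demo_dir/before.txt"; echo "106/tcp open pop3pw"; } > "$demo_dir/after.txt"

port_changes "$demo_dir/before.txt" "$demo_dir/after.txt"
if only_expected "$demo_dir/before.txt" "$demo_dir/after.txt" "+106/tcp"; then
    echo "OK: only the courierpassd port was added"
else
    echo "WARNING: unexpected change in listening ports" >&2
fi
```

On a live host, save each scan with `nmap localhost > before.txt` and `nmap localhost > after.txt` around the change and pass the two files to `port_changes`.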








    . install squirrelmail (web mail client) .




    root: ~ # cd /downloads


    root: downloads # wget http://internode.dl.sourceforge.net/sourceforge/squirrelmail/squirrelmail-1.4.17.tar.bz2


    root: downloads # tar -xjvf squirrelmail-1.4.17.tar.bz2


    root: downloads # mv squirrelmail-1.4.17 webmail


    root: downloads # mv webmail/ /srv/www/htdocs/




    --+ configure squirrelmail +--




    root: ~ # mkdir /var/sqattachements


    root: ~ # chown -R wwwrun:www /var/sqattachements/


    root: ~ # cd /srv/www/htdocs/webmail/


    root: webmail # chown -R wwwrun:www data/


    root: webmail # cd config/


    root: config # ./conf.pl




    * press 2 (Server Settings), then 1 (Domain), and enter the IP address for your domain (e.g. 192.186.1.1); then press S (save) and Q (quit).




    SquirrelMail Configuration : Read: config_default.php (1.4.0)


    ---------------------------------------------------------


    Server Settings




    General


    -------


    1. Domain : 192.186.1.1


    2. Invert Time : false


    3. Sendmail or SMTP : SMTP




    A. Update IMAP Settings : localhost:143 (other)


    B. Update SMTP Settings : localhost:25




    R Return to Main Menu


    C Turn color on


    S Save data


    Q Quit






    --+ add the change_passwd plugin +--




    root: ~ # cd /srv/www/htdocs/webmail/plugins/


    root: plugins # wget http://www.squirrelmail.org/plugins/change_passwd-4.0-1.2.8.tar.gz


    root: plugins # tar -xzvf change_passwd-4.0-1.2.8.tar.gz


    root: plugins # rm change_passwd-4.0-1.2.8.tar.gz


    root: plugins # cd ../config/


    root: config # ./conf.pl




    * select 8 (Plugins), then 4 (change_passwd), and press Enter to activate the plugin. Then press S (save) and Q (quit).






    --+ configure virtual host +---














    root: ~ # vim /etc/apache2/httpd.conf




    _add configuration like this :_




    <VirtualHost 192.186.1.1:80>


    ServerName mail.yourdomain.com


    ServerAlias mail.*


    ServerAdmin postmaster@yourdomain.com


    DocumentRoot /srv/www/htdocs/


    </VirtualHost>




    root: ~ # /etc/init.d/apache2 restart




    * open your web browser and go to url




    http://mail.yourdomain.com




    If you did not set up a virtual host, you can access webmail like this:




    http://yourdomain.com/webmail




    Then log in with your email account, or with this account:




    username : postmaster@yourdomain.com


    password : 123456






    Install ClamAV from source






    tar zxvf clamav-0.97.tar.gz


    useradd -c "Qmail-Scanner Account" -s /bin/false qscand


    cd clamav-0.97


    ./configure --with-user=qscand --with-group=qscand


    make && make install


    ldconfig -v




    Now we edit its configuration files, as follows:




    vi /usr/local/etc/clamd.conf




    #Example


    LogFile /var/log/clamav/clamd.log


    LogFileMaxSize 20M


    LogTime yes


    LogClean yes


    LogSyslog yes


    PidFile /var/run/clamav/clamd.pid


    TemporaryDirectory /var/tmp


    DatabaseDirectory /usr/local/share/clamav


    LocalSocket /var/run/clamav/clamd.cl


    MaxConnectionQueueLength 30


    User qscand


    MaxThreads 20


    ScanMail yes




    Now, create some directories with the ownership of qscand:




    mkdir /var/run/clamav


    chown -R qscand.qscand /var/run/clamav


    mkdir /var/log/clamav


    chown -R qscand.qscand /var/log/clamav


    chmod -R 755 /var/log/clamav




    With this, ClamAV is successfully installed.




    /usr/local/sbin/clamd &




    vi /usr/local/etc/freshclam.conf




    #Example


    DatabaseDirectory /usr/local/share/clamav


    UpdateLogFile /var/log/clamav/freshclam.log


    LogSyslog yes


    DatabaseOwner qscand


    DNSDatabaseInfo current.cvd.clamav.net


    DatabaseMirror database.clamav.net


    DatabaseMirror db.in.clamav.net


    NotifyClamd /usr/local/etc/clamd.conf




    Save and exit.




    freshclam -v






    Install SpamAssassin with the zypper command






    - zypper in perl-spamassassin spamassassin


    - /etc/init.d/spamd start










     Install qmail-scanner & qms-analog




    Unpack qmail-scanner...


    tar zxvf qmail-scanner-1.25.tgz


    Now unpack qms-analog...


    tar zxvf qms-analog-0.4.2.tar.gz


    Install qms-analog itself. This will come in handy in the next step when we install Qmailanalog.


    cd qms-analog-0.4.2


    make all


    Next, we copy needed qms-analog files to the qmail-scanner source directory...


    cp qmail-scanner-1.25-st-qms-YYYYMMDD.patch /downloads/qmailrocks/qmail-scanner-1.25/


    Now, let's apply the qms-analog patch...


    cd /downloads/qmailrocks/qmail-scanner-1.25


    patch -p1 < qmail-scanner-1.25-st-qms-YYYYMMDD.patch


    Now we will configure qmail-scanner and install it. Ordinarily, you would run the ./configure script to configure and install qmail-scanner. However, Mark Teel has donated a handy little config script that does most of the work for you. This script is called "qms-config-script" and, if you look above, you should have already copied this config script into the qmail-scanner source directory.


    How you go about configuring and installing qmail-scanner from this point on depends on how your server's installation of Perl is configured. For the purposes of this installation, there are 2 Perl setups.


    1. Perl is configured to allow for setuid functions.


    2. Perl is not configured for setuid functionality and, in fact, does not permit it.


    We'll start off with the configuration step for a server that allows setuid. However, if you run into setuid errors, you can jump to a set of instructions for servers that do not allow setuid functionality.


    So let's do it...


    First, you need to configure the script for your needs...


    cd /downloads/qmailrocks/qmail-scanner-1.25


    vi qms-config


    You will notice several fields that need to be customized to fit your needs. Let's have a look. I've highlighted the fields you should customize in RED


    #!/bin/sh


    if [ "$1" != "install" ]; then
    INSTALL=
    else
    INSTALL="--install"
    fi


    ./configure --domain yourdomain.com \
    --admin postmaster \
    --local-domains "yourdomain.com,yourotherdomain.com" \
    --add-dscr-hdrs yes \
    --dscr-hdrs-text "X-Antivirus-MYDOMAIN" \
    --ignore-eol-check yes \
    --sa-quarantine 0 \
    --sa-delete 0 \
    --sa-reject no \
    --sa-subject ":SPAM:" \
    --sa-delta 0 \
    --sa-alt yes \
    --sa-debug no \
    --notify admin \
    "$INSTALL"


    Now save and exit out of the config file. That was easy, wasn't it.


    And now we will run a test config for qmail-scanner...


    chmod 755 qms-config


    ./qms-config


    Answer YES to all questions. If you get no errors, you can then run the script in "install" mode and this will install qmail-scanner on your server.


    If you don't have any errors, continue...




    If the config test produced any error messages, stop here!

    If you got a "setuid" related error when you ran the above script, it is most likely due to your Perl installation not supporting setuid functionality.



    Stop and continue with this URL:  http://www20119.blogspot.com/2011/03/perl-does-not-allow-for-setuid.html




    If you didn't get any errors on the test run above, then you should be ok to run the "real" installation script below. So let's do it...
    ./qms-config install
    Again, answer YES to all questions. If you get no errors, you can then run the script in "install" mode and this will install qmail-scanner on your server. If you do get errors, check out these troubleshooting tips.
    And now all that's left for qmail-scanner is to initiate the version file and the perlscanner database...
    First, we'll initialize the version file. This command also helps to keep your server's /var/spool/qmailscan folder clear of rogue files that can develop when SMTP sessions are dropped. You may want to stick this command into your server's crontab and run it once a day. You'll see more on this in the "maintaining your qmail server" step near the end of this tutorial. So let's run it...
    setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z
    And now we will generate a new perlscanner database for qmail-scanner. For future reference, it's a good idea to run this next command whenever you upgrade qmail-scanner. You'll see more on this in the "maintaining your qmail server" step near the end of this tutorial. So let's do it...
    setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g
    A successful database build should produce the following output:
    perlscanner: generate new DB file from /var/spool/qmailscan/quarantine-attachments.txt
    perlscanner: total of 9 entries.

    And now one final ownership check...
    chown -R qscand:qscand /var/spool/qmailscan
    Woohoo, qmail-scanner is installed! Now it's time to tie qmail-scanner into qmail itself.
    vi /var/qmail/supervise/qmail-smtpd/run
    To instruct Qmail to use Qmail-Scanner as the alternative queuing mechanism, we add the following line to the SMTP "run" script right under the first line (#!/bin/sh):
    QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" ; export QMAILQUEUE
    ..and we change the "softlimit" in that same script...
    change softlimit to 40000000
    Note: It is absolutely vital that you change the "Softlimit" setting in this script. If you don't, qmail may fail to deliver mail!!!
    So now the qmail-smtpd/run file should look like this:
    #!/bin/sh
    QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" ; export QMAILQUEUE
    QMAILDUID=`id -u vpopmail`
    NOFILESGID=`id -g vpopmail`
    MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
    LOCAL=`head -1 /var/qmail/control/me`
    if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
    echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/qmail-smtpd/run
    exit 1
    fi
    if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
    fi
    exec /usr/local/bin/softlimit -m 40000000 \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    /var/qmail/bin/qmail-smtpd your_domain.com \
    /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

    Once you've got the qmail-smtpd file modified, save the changes and exit from the file. Now we will finalize the qmail-scanner installation by going over some post-install configuration options. After that, we'll fire everything up and take qmail-scanner for a test drive!
    If your Perl installation does NOT allow for setuid functionality
    cd /downloads/qmailrocks/qmail-scanner-1.25/contrib
    make install
    Now we will customize the qmail-scanner configuration script...
    cd /downloads/qmailrocks/qmail-scanner-1.25
    vi qms-config-cwrapper
    You will notice several fields that need to be customized to fit your needs. Let's have a look. I've highlighted the fields you should customize in RED
    #!/bin/sh
    if [ "$1" != "install" ]; then
    INSTALL=
    else
    INSTALL="--install"
    fi

    ./configure --domain yourdomain.com \
    --admin postmaster \
    --local-domains "yourdomain.com,yourotherdomain.com" \
    --add-dscr-hdrs yes \
    --dscr-hdrs-text "X-Antivirus-MYDOMAIN" \
    --ignore-eol-check yes \
    --sa-quarantine 0 \
    --sa-delete 0 \
    --sa-reject no \
    --sa-subject ":SPAM:" \
    --sa-delta 0 \
    --sa-alt yes \
    --sa-debug no \
    --notify admin \
    --skip-setuid-test \
    "$INSTALL"

    Now save and exit out of the config file. That was easy, wasn't it.
    And now we will run a test config for qmail-scanner...
    chmod 755 qms-config-cwrapper
    ./qms-config-cwrapper
    Answer YES to all questions. If you get no errors, you can then run the script in "install" mode and this will install qmail-scanner on your server. If you do get errors, check out these troubleshooting tips.
    ./qms-config-cwrapper install
    Again, answer YES to all questions. If you get no errors, you can then run the script in "install" mode and this will install qmail-scanner on your server. If you do get errors, check out these troubleshooting tips.
    vi /var/qmail/bin/qmail-scanner-queue.pl
    Then change the first line of /var/qmail/bin/qmail-scanner-queue.pl
    to "#!/usr/bin/perl" (in other words, remove the "-T" from the perl call).

    chmod 0755 /var/qmail/bin/qmail-scanner-queue.pl
    And now all that's left for qmail-scanner is to initiate the version file and the perlscanner database...
    First, we'll initialize the version file. This command also helps to keep your server's /var/spool/qmailscan folder clear of rogue files that can develop when SMTP sessions are dropped. You may want to stick this command into your server's crontab and run it once a day. You'll see more on this in the "maintaining your qmail server" step near the end of this tutorial. So let's run it...
    /var/qmail/bin/qmail-scanner-queue -z
    And now we will generate a new perlscanner database for qmail-scanner. For future reference, it's a good idea to run this next command whenever you upgrade qmail-scanner. You'll see more on this in the "maintaining your qmail server" step near the end of this tutorial. So let's do it...
    /var/qmail/bin/qmail-scanner-queue -g
    A successful database build should produce the following output:
    perlscanner: generate new DB file from /var/spool/qmailscan/quarantine-attachments.txt
    perlscanner: total of 9 entries.

    And now one final ownership check...
    chown -R qscand:qscand /var/spool/qmailscan
    Woohoo, qmail-scanner is installed! Now it's time to tie qmail-scanner into qmail itself.
    vi /var/qmail/supervise/qmail-smtpd/run
    To instruct Qmail to use Qmail-Scanner as the alternative queuing mechanism, we add the following line to the SMTP "run" script right under the first line (#!/bin/sh):
    QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue" ; export QMAILQUEUE
    ..and we change the "softlimit" in that same script...
    change softlimit to 40000000
    Note: It is absolutely vital that you change the "Softlimit" setting in this script. If you don't, qmail may fail to deliver mail!!!
    So now the qmail-smtpd/run file should look like this:
    #!/bin/sh
    QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue" ; export QMAILQUEUE
    QMAILDUID=`id -u vpopmail`
    NOFILESGID=`id -g vpopmail`
    MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
    LOCAL=`head -1 /var/qmail/control/me`
    if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
    echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/qmail-smtpd/run
    exit 1
    fi
    if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
    fi
    exec /usr/local/bin/softlimit -m 40000000 \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    /var/qmail/bin/qmail-smtpd your_domain.com \
    /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

    Once you've got the qmail-smtpd file modified, save the changes and exit from the file. Now we will finalize the qmail-scanner installation by going over some post-install configuration options. After that, we'll fire everything up and take qmail-scanner for a test drive!
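The two edits to the run script (the QMAILQUEUE line and the softlimit value), in both the setuid and the C-wrapper variants above, can be checked mechanically before qmail is restarted. This is an added example, not part of the original tutorial; the function names are hypothetical and the "bad" sample script is constructed.

```shell
#!/bin/sh
# Added example: check a qmail-smtpd "run" script for the two required edits.
MIN_SOFTLIMIT=40000000   # value this tutorial tells you to set

# queue_path FILE: print the program QMAILQUEUE is set to, if any.
queue_path() {
    sed -n 's/^[[:space:]]*QMAILQUEUE="\{0,1\}\([^";[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# softlimit_bytes FILE: print the value given to "softlimit -m", if any.
softlimit_bytes() {
    sed -n 's/.*softlimit[[:space:]]\{1,\}-m[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# check_run FILE: print one line per problem; exit status 0 means none found.
check_run() {
    cr_bad=0
    cr_queue=$(queue_path "$1")
    cr_limit=$(softlimit_bytes "$1")
    if [ -z "$cr_queue" ]; then
        echo "QMAILQUEUE is not set, so qmail-scanner is never called"; cr_bad=1
    elif ! grep -q 'export[[:space:]].*QMAILQUEUE' "$1"; then
        echo "QMAILQUEUE is set but not exported"; cr_bad=1
    fi
    if [ -z "$cr_limit" ]; then
        echo "no 'softlimit -m' value found"; cr_bad=1
    elif [ "$cr_limit" -lt "$MIN_SOFTLIMIT" ]; then
        echo "softlimit -m $cr_limit is below $MIN_SOFTLIMIT"; cr_bad=1
    fi
    return "$cr_bad"
}

# Demo input: the relevant lines of the script on this page ("good") and a
# constructed script with neither edit applied ("bad").
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/good" <<'EOF'
#!/bin/sh
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" ; export QMAILQUEUE
exec /usr/local/bin/softlimit -m 40000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
/var/qmail/bin/qmail-smtpd your_domain.com
EOF
cat > "$demo/bad" <<'EOF'
#!/bin/sh
exec /usr/local/bin/softlimit -m 2000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
/var/qmail/bin/qmail-smtpd your_domain.com
EOF
for f in good bad; do
    if check_run "$demo/$f"; then echo "$f: ok"; else echo "$f: needs fixing"; fi
done
```

Run `check_run /var/qmail/supervise/qmail-smtpd/run` on the real file; it only reads the script and changes nothing.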


    To activate all the changes we just made, we're going to have to completely stop and restart qmail.
    Stop it...
    qmailctl stop
    and start it...
    qmailctl start
    And a quick check of the qmail processes, just to be safe..
    qmailctl stat
    Now it's time to test the whole damn thing to see if Qmail-Scanner, Spamassassin and Clam AV are all working correctly. Fortunately, Qmail-Scanner comes with its own testing script that does a fantastic job. So let's test it!
    cd /downloads/qmailrocks/qmail-scanner-1.25/contrib
    chmod 755 test_installation.sh
    ./test_installation.sh -doit
    A successful test should produce the following output. 2 messages should be quarantined by Clam Antivirus in /var/spool/quarantine/new and 2 messages should be sent to whatever mailbox you specified in the Qmail-scanner configuration script. Don't worry if you don't get virus notification emails. The normal notification emails that get sent out upon virus detection usually don't work during the test.
    setting QMAILQUEUE to /var/qmail/bin/qmail-scanner-queue.pl for this test...
    Sending standard test message - no viruses...
    done!

    Sending eicar test virus - should be caught by perlscanner module...
    done!

    Sending eicar test virus with altered filename - should only be caught by commercial anti-virus modules (if you have any)...
    Sending bad spam message for anti-spam testing - In case you are using SpamAssassin...
    Done!

    Finished test. Now go and check Email for postmaster@mydomain.com
    If you get 2 messages in your inbox and you see 2 messages in the quarantine folder, it's time to crack open a cold one! You've successfully installed all 3 packages! Woohoo!