
Messages - cheesyking

Pages: 1 [2] 3 4 ... 10
16
Installation and Upgrades / Re: Vlans
« on: July 04, 2013, 10:28:12 am »
I'm just trying to figure out how to do this kind of setup myself...

My limited understanding is that you have to do routing between vlans and between a vlan and the internet so forget about bridges.

I'm not entirely clear on what network settings you're using on the vlan machines; are they the same as before the vlans were set up?
Quote
Using static IPs (192.168.101.x/24, GW Zentyal, DNS Zentyal), servers connected to the switch can resolve DNS, and get to the internet.
If they're using zentyal as their default GW that should be OK.

One thing you might want to check is whether your machines on the vlans are actually able to contact the zentyal server, eg can they get the admin console or ssh in. Pings can be returned by anything and IIRC the firewall in zentyal will return a ping even if it's actually blocking other traffic.

17
Installation and Upgrades / Re: HOWTO: Trusted Certificate
« on: February 26, 2013, 04:11:39 pm »
Quote
This seems to work except that I went REALLY cheap on the certificate, and while the browser recognizes it, my mail client does not and I still get the warning.

Is the reason you're still getting the warning in your mail client because you didn't include the intermediate certificate in your postfix.pem and dovecot.pem?
I'm far, far, FAR! from an expert at this kind of thing but I don't think it'll work without them.

You included them in your apache config hence the cert is recognised by web browsers.

18
Installation and Upgrades / Re: Virtual machine bridge networking
« on: May 31, 2012, 12:48:44 am »
Well, not wanting to derail this thread too much but...

I had a /29 subnet with a zentyal server with its external interface using one IP.
I set that interface to be bridged and setup the external IP on the new br1 interface (as you described to mrbeanzg)
Then I created a VM, connected it to the bridge and gave it another public IP but found that external access to that VM's IP was blocked by zentyal.

I just logged back into that system (I set it up in a hurry months ago and didn't bother to look into what was going on at the time) and it looks like I've got the physical interface I bridged (eth0) with "external" ticked, which is presumably why it's behaving like this. However it looks like I can't select the bridge (br1) as external which is probably the point I got to before and gave up.

Sorry, I didn't start a new thread for this as I'd "fixed" it in a way that worked for me.

19
Installation and Upgrades / Re: Virtual machine bridge networking
« on: May 30, 2012, 05:04:54 pm »
Just a quick aside... I noticed that when doing this the bridged interface exposed to the guest VMs seems to be behind the zentyal firewall, so if you have multiple public IPs, one being used by zentyal, and wanted to have a webserver in a VM on another of them you would still have to allow that traffic in zentyal's firewall.

It also means that all traffic going to the webserver appears to come from the zentyal public IP rather than the IP the external connection is coming from, so any firewall rules you want to apply on the guests have to be made in zentyal rather than on the guest.

I don't know if this is by design, a fault with how I've set it up or a known limitation... but I'd expect the bridged interfaces to be on the other side of the firewall so traffic going to the webserver's public IP isn't filtered by zentyal while traffic going to zentyal's public IP would be filtered as normal.

If you run into this the solution I've used is to do the bridging and all the virtualisation without zentyal and move zentyal itself into a VM. Obviously this means you can't manage the VMs with zentyal but provided you're using a linux desktop you can use virt-manager which gives you many more options anyway (although this becomes a pain in the neck if you use a windows desktop).

20
I've got 3 internal networks and 3 internet connections. What I want to achieve is to get the best use of the 3 internet connections while ensuring that users on local1 get as much bandwidth as they need, users on local2 get whatever is left over from local1 and users on local3 get whatever is left after local1 and local2 have had whatever they need.

Code:
local1---------------        ----------------- Internet1
                     |      |
local2-------------- LB & QoS ------------- Internet2
                     |      |
local3---------------        ----------------- Internet3
(just in case my ascii diagram doesn't come out let me clarify that the LB&QoS box has 6 network cards connected to each of the networks each using their own subnet)

I'd like to use a Zentyal box to load balance the 3 internet connections and have QoS prioritise access to them based on which local network the traffic originated from.

It seems straightforward enough...

Just setup the three gateways, then configure the load balancer.

Create a network object containing internet1, internet2 and internet3 (called balancedInternet).

Then create 3 QoS rules like these:

port based service "any"
source "local1"
destination "balancedInternet"
priority 7

port based service "any"
source "local2"
destination "balancedInternet"
priority 6

port based service "any"
source "local3"
destination "balancedInternet"
priority 5

I'm also considering replacing the 3 internet connections with a "single" bonded 3-way internet connection which would mean I could forget about load balancing.

Anyone got any thoughts on this?

EDIT:
sorry, originally posted in support so I moved it here.

21
Installation and Upgrades / Re: using trusted certificates
« on: March 15, 2011, 06:42:01 pm »
What I did does SEEM to work... i.e. that pesky iPhone no longer keeps griping about certificates and Thunderbird recognises the certs too.

However since this is pretty much out of my comfort zone a little "yes what you've done is fine" would have been nice but since I'm not paying for anything I'm not too disappointed either  ;)

22
Installation and Upgrades / Re: using trusted certificates
« on: February 14, 2011, 05:43:55 pm »
OK well I think I've got it working, here's what I did:

create a new key:
openssl genrsa -out myfqdn.key 2048

create a csr:
openssl req -new -key myfqdn.key -out myfqdn.csr

paste the csr into 123-reg's page.

you get back 2 keys at the end of an email that have to be saved as 2 text
files: myfqdn.crt and myfqdn.intermediate.crt

create a new /etc/postfix/sasl/postfix.pem file
cat myfqdn.key > postfix.pem
cat myfqdn.crt >> postfix.pem
cat myfqdn.intermediate.crt >> postfix.pem

this file can now be used by postfix.

It can also be copied to /etc/dovecot/ssl/dovecot.pem for use by dovecot (duh)

restart the ebox mail system with:
sudo /etc/init.d/ebox mail restart

Since there aren't any passwords set on these certificates you'd better make sure you've got your file permissions set so only root can read them! (chmod 400)


I'd really appreciate some feedback as to whether I've done the right thing. Besides the postfix.pem and dovecot.pem files there are also smtp.pem files in both /etc/postfix/sasl and /etc/dovecot/ssl and I don't know what they're for  ??? I don't see any reference to them in either main.cf or dovecot.conf.
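A check for the postfix.pem bundle built in this post, and for the missing-intermediate problem raised in the reply under post 17 above, added here as an example and not taken from any forum post: it concatenates the files in the same order, counts the certificates in the result, confirms the private key matches the server cert and that the cert chains through the bundled intermediate to a trusted root. TestRoot, TestInter and mail.example.test are constructed stand-ins for the commercial CA and your FQDN; the directory layout is an assumption.

```shell
#!/bin/sh
# Added example, not from the forum thread. Builds the key+cert+intermediate
# bundle the post describes and checks it before postfix/dovecot use it.
# TestRoot/TestInter stand in for the CA, mail.example.test for "myfqdn".
set -e

# Same order as the post: private key, server cert, intermediate. The key is
# not passphrase protected, so the file is created unreadable to others.
build_bundle() {                     # build_bundle KEY CRT INTERMEDIATE OUT
    umask 077
    cat "$1" "$2" "$3" > "$4"
    chmod 400 "$4"
}

# Number of certificates in a PEM file. 1 means the intermediate was left
# out, which is what makes a mail client keep warning about the cert.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Two checks: key and server cert share a public key (same modulus), and the
# server cert chains through the bundled intermediate to the trusted root.
check_bundle() {                     # check_bundle BUNDLE ROOT_CA
    [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
      "$(openssl x509 -in "$1" -noout -modulus)" ] || return 1
    awk '/BEGIN CERT/{n++} n==1' "$1" > "$1.leaf"     # 1st cert: server
    awk '/BEGIN CERT/{n++} n==2' "$1" > "$1.inter"    # 2nd cert: intermediate
    openssl verify -CAfile "$2" -untrusted "$1.inter" "$1.leaf" >/dev/null
}

# Throwaway root + intermediate standing in for the commercial CA, then the
# post's own steps (genrsa, req -new) for the server key and CSR. Output in $1.
make_test_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=TestRoot \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=TestInter \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" \
        -out "$d/myfqdn.intermediate.crt" 2>/dev/null
    openssl genrsa -out "$d/myfqdn.key" 2048 2>/dev/null
    openssl req -new -key "$d/myfqdn.key" -subj /CN=mail.example.test \
        -out "$d/myfqdn.csr" 2>/dev/null
    openssl x509 -req -in "$d/myfqdn.csr" -CA "$d/myfqdn.intermediate.crt" \
        -CAkey "$d/inter.key" -CAcreateserial -days 1 -out "$d/myfqdn.crt" 2>/dev/null
}
```

With a real CA you skip make_test_pki, run build_bundle on the files the CA sent back, and run check_bundle against the CA's published root.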

23
I've one suggestion...

change your config back to how it was and symlink the old mysql data directory to its new location. Zentyal will probably want to overwrite your config change each time you reboot anyway so that isn't a very good way to do it.

Just remember that the backup won't restore the symlink if you have to do a restore from it!

24
Installation and Upgrades / Re: Where are the mails?
« on: February 09, 2011, 10:27:09 pm »
Don't forget to check the size of the partition that /var/vmail is on. By default zentyal puts it on the small root partition so if you use imap you can very easily fill the partition.

25
Installation and Upgrades / Re: using trusted certificates
« on: February 09, 2011, 09:24:46 pm »
OK so putting together that link I posted previously and this post:
http://forum.zentyal.org/index.php?topic=616.0

I've done the following:
copied /var/lib/ebox/conf/ssl/ssl.key to a new directory (so I didn't muck anything up)
used it to create a csr with this command:
openssl req -new -key ssl.key -out my_fqdn.csr
I left any passwords blank.

This has given me a csr to submit to GoDaddy/123-reg.

I'd just like some reassurance I'm going about this the right way before I go spending any money on a potentially useless certificate.

Am I right to reuse the key auto generated by ebox or should I create my own new key?

26
Installation and Upgrades / Re: using trusted certificates
« on: February 08, 2011, 11:21:15 am »
Indeed, there are plenty of tutorials on installing certs into generic apache or into windows but nothing specifically about zentyal.

I suppose my main worry is that the last time I had to install a trusted cert it was on windows and IIRC to create the csr involved removing the self signed cert from the server and re-running a wizard... which broke email for the day or so it took the ca to send the certificate.

Am I right in thinking that under linux the certs used by the various services are less interdependent? It looks like I should be able to create a new key and csr in any directory I want, get the signed cert and then install it, all while leaving the server running.

Here's a site I've been looking at, does it make sense with zentyal?
http://www.uno-code.com/?q=node/178

27
Installation and Upgrades / using trusted certificates
« on: February 07, 2011, 07:49:20 pm »
I recently had a user complain that his iPhone suddenly started asking him to accept the self signed cert that his ebox (1.4) mailserver uses every time he sent or received an email. After a bit of digging I found some references to the latest iPhone software update being broken so it can't remember which certificates you want to accept.

After I was told that I could prise his shiny toy from his cold dead hands I decided that the easiest thing to do was use trusted certs for mail but I'm not too sure how to go about this on ebox/zentyal so I'm after a bit of help.

As I understand it the certificates used by the services like web and mail in ebox are independent of the ebox-ca module (unless I go into the "service certificate" section and enable it).

I don't want to have to change the certificates I've generated in ebox-ca as I've got several vpn users who'd have to be re-issued with certs.

So do I just go through the process of creating a csr with openssl at the command line and submit it to someone like GoDaddy to get a cheap trusted cert, or will that break the certs I've created with ebox-ca?

My knowledge of ssl is basically zero I'm afraid so any guidance is appreciated!

28
dumb question but...

you have setup the acls in the share's settings?

Setting the share to 777 should have ruled out unix permissions being a problem which just leaves samba.

BTW IIRC the ACLs that zentyal talks about are samba based and don't have anything to do with file system ACLs in nix itself so you shouldn't need that acl flag in fstab unless you're using it for something else.

don't quote me on that though, I haven't spent much time with zentyal 2 yet.

29
Installation and Upgrades / Re: restore pdc
« on: January 05, 2011, 01:43:36 pm »
Just clone (try clonezilla) the old install to the new server, it's not like you're using windows!

One thing to watch out for is that the names of your nics will change, so if you have just one nic in the server it will change from eth0 to eth1 (assuming the mac address of the nic is different on the new server).

To get rid of the old nic on the new server and change eth1 back to eth0 you need to edit this file:
/etc/udev/rules.d/70-persistent-net.rules

which is basically a list of mac addresses and the interface names that linux associates with them.

The other thing that might break is your bootloader, but cross that bridge if you come to it  ;)

The other option would probably be to do a full backup and then restore it on your new server... notes on that are in the docs.

30
Installation and Upgrades / Re: email catchall account
« on: November 18, 2010, 11:50:15 pm »
Quote
I can never understand why people like your boss keep asking for this kind of rubbish. Try to explain to him just how much spam will end up sitting on his server... the bandwidth and storage requirements it'll take.
...

No need to bash concepts you don't know/understand ... My approach is not the same as diablothe2nd's boss's though. We're running hundreds of mail addresses used short term or generated by external tools and it's just too inefficient to register them all on a mail server.

I'm using this catch all approach for more than 5 years on a CentOS based SME-Server and it works perfectly to sort our spam by certain rule sets just leaving a handful of false positives in several thousand mails/day.  I'm running the whole thing on a server with 30GB SSD on a DSL uplink, so your bandwidth and storage concerns are basically theory.

fair enough, but you are describing a fairly unusual requirement. Most people I encounter want a catchall because they are worried that someone will get their email address wrong and they won't get mail.

Just out of curiosity... Are you doing this on your main company domain and mailserver or do you use a separate domain and or server?
