Topics - Marcus

1
Installation and Upgrades / Master/Slave sync error
« on: December 20, 2012, 07:41:44 pm »
Hello,

I'm having problems setting up the Master/Slave replication on fresh, fully up-to-date v3.0 installs.

Up to now, this is what I've done:
1) set up master (very basic - I only chose "Users&Groups" and removed the "cloud" freemium)
2) set up slave (same local network - very basic - only Users&Groups and removed the "cloud" freemium)

On the master: 
1) picked up the "Slave connection password"

On the slave:
1) Clicked on the drop down menu (Sync users from:) and chose "Other Zentyal Server"
2) I typed the local IP in the "Master host:" field
3) Changed the "Master port:" to something else (SSL is needed)
4) Entered the "slave password"
5) Hit Change followed by updating the configuration (top right)

On the master;
1) created a group
2) created a user

Logs are giving:
DEBUG> SOAPClient.pm:115 EBox::SOAPClient::__ANON__ - 500 Status read failed: 
ERROR> Slave.pm:149 EBox::UsersAndGroups::Slave::__ANON__ - Error notifying sl1 for _addUser: 500 Status read failed: 
DEBUG> SOAPClient.pm:115 EBox::SOAPClient::__ANON__ - 500 Status read failed: 
ERROR> Slave.pm:149 EBox::UsersAndGroups::Slave::__ANON__ - Error notifying sl1 for _modifyGroup: 500 Status read failed: 

I've redone the sync configuration by switching the slave configuration to "none", saved the new configuration, switching it back to remote zentyal and saved again.  Still same error...

** Apparmor got removed from both servers and that didn't seem to help.

Any help would be much appreciated.

Best,

Marcus

2
Hello,

Zentyal: v3.0 (up to date)

I installed the webserver module on a newly installed host.

The problems came after removing the webserver module (along with Zarafa).

I noticed that I wasn't able to forward ports (80 and 443) to a NATed host.  Then I noticed that the SSL was also still installed.

So, first off, I tried to remove the SSL and failed... (keeping in mind that the modules got removed)
Same for Zarafa (that was also installed then removed)

Further investigation on the problem showed that all the regular files along with the configurations of the vhosts previously configured were still there.

Anyways, my question is;
How can I remove the rules and configurations of IPTables, SSL and Apache without being forced to reinstall those modules and put bogus configurations ?

e.g.
For port redirection of port 80 & 443;
I had to reinstall the webserver and configure the listening ports to 8899 (initially port 80) and 4433 (initially port 443).

Wild guess;
I'll have to dump Zarafa MySQL database manually

** This is only for educational purpose - the server will get wiped out tomorrow morning **

IMO, those files and configurations should be completely purged once the module  is removed.  If I recall it right, the trash left behind an uninstall was already talked about.  I've noticed some improvement but there is still much work pending in order to get things clean and tidy.

Best,

Marcus

3
Installation and Upgrades / [FTP] Allowing passive connections
« on: September 13, 2012, 05:42:49 pm »
Hello World!

Quick tip in order to allow passive connections (a.k.a. PASV).

I was trying to put my cPan*l backups on a Zentyal powered server.  Everything seemed fine until I looked at the logs...

Quote
PASV
227 Entering Passive Mode (123,123,123,123,47,27).
STOR mybackup.tar.gz
425 Failed to establish connection.


Problem:
vsFTPd (on Zentyal -at least) doesn't allow/accept passive connections.


Solution:
** Make sure to be the root user **

First, let's add a custom IPTables rule.

Code:
# The quoted 'FIREWALL' delimiter keeps "$1" literal in the generated script
cat > /etc/zentyal/hooks/firewall.postservice <<-'FIREWALL'
#!/bin/sh

# This is the firewall postservice script and it's run after Zentyal
# has finished setting up the firewall.

# You can add here custom rules that you might need for your firewall

# The script will receive a command line argument indicating whether the
# module is enabled (1) or not (0).

if [ "$1" -eq "1" ]
then
    # Accept packets that belong to, or are related to, tracked connections
    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Accept new connections to the FTP control port
    sudo iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    true
fi

exit 0
FIREWALL

Now, let's enable those rules right away:
Code:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Code:
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Code:
iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

We must make sure that our custom configuration will be persistent;
Code:
mkdir -p /etc/zentyal/stubs/ftp && cp /usr/share/zentyal/stubs/ftp/vsftpd.conf.mas /etc/zentyal/stubs/ftp/vsftpd.conf.mas

Now let's modify the FTP server configuration (make sure to replace <YOUR PUBLIC IP> with your public IP);
Code:
cat >> /etc/zentyal/stubs/ftp/vsftpd.conf.mas <<-FTP_CONF
## Marcus Hack ##
pasv_promiscuous=YES
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60100
pasv_address=<YOUR PUBLIC IP>

# Max Clients
max_clients=100

# Max connections per IP
max_per_ip=20

cmds_allowed=ALLO,ABOR,APPE,CWD,DELE,HELP,LIST,MDTM,MKD,NLST,PASS,PASV,PWD,QUIT,RETR,RMD,RNFR,RNTO,SIZE,STOR,TYPE,USER
## ############## ##
FTP_CONF

And now let's wrap it up by restarting the service;
Code:
/etc/init.d/zentyal ftp restart

Let's wrap it up by testing our new configuration.
You should now have something similar to:
Quote
PASV
227 Entering Passive Mode (123,123,123,123,47,27).
STOR mybackup.tar.gz
150 Ok to send data.
226 Transfer complete.
QUIT
221 Goodbye.

Thanks for reading and please, do not hesitate to comment on this little trick.

Best,

Marcus
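
An added example, not part of the original post: a POSIX shell check that decodes a 227 reply into its IP and data port (p1 * 256 + p2) and compares the result with the pasv_* settings used above. The function names are hypothetical, and the configuration text in the demo is constructed from the post's values.

```sh
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# conf_value KEY: read vsftpd "key=value" lines on stdin and print the last
# value assigned to KEY (empty output if KEY is never set).
conf_value() {
    awk -F= -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# pasv_endpoint REPLY: decode "227 ... (h1,h2,h3,h4,p1,p2)" into "ip port".
# The data port is p1 * 256 + p2. Returns non-zero for any other reply.
pasv_endpoint() {
    printf '%s\n' "$1" | awk '
        /^227 / && match($0, /\([0-9]+(,[0-9]+)+\)/) {
            n = split(substr($0, RSTART + 1, RLENGTH - 2), f, ",")
            if (n != 6) exit
            for (i = 1; i <= 6; i++) if (f[i] + 0 > 255) exit
            printf "%s.%s.%s.%s %d\n", f[1], f[2], f[3], f[4], f[5] * 256 + f[6]
            ok = 1
        }
        END { exit !ok }'
}

# audit_pasv CONF REPLY: print one finding per line; status 0 means no finding.
audit_pasv() (
    ep=$(pasv_endpoint "$2") || { echo "not-a-227-reply"; exit 2; }
    ip=${ep% *}; port=${ep#* }
    min=$(printf '%s\n' "$1" | conf_value pasv_min_port)
    max=$(printf '%s\n' "$1" | conf_value pasv_max_port)
    addr=$(printf '%s\n' "$1" | conf_value pasv_address)
    prom=$(printf '%s\n' "$1" | conf_value pasv_promiscuous)
    rc=0
    # A data port outside the configured range will not match firewall or
    # NAT rules written for that range.
    if [ -n "$min" ] && [ -n "$max" ]; then
        if [ "$port" -lt "$min" ] || [ "$port" -gt "$max" ]; then
            echo "port-outside-range $port not in $min-$max"; rc=1
        fi
    fi
    if [ -n "$addr" ] && [ "$addr" != "$ip" ]; then
        echo "address-mismatch reply=$ip pasv_address=$addr"; rc=1
    fi
    # pasv_promiscuous=YES disables vsftpd's check that the data connection
    # comes from the same IP address as the control connection.
    if [ "$prom" = "YES" ]; then
        echo "promiscuous-enabled"; rc=1
    fi
    exit "$rc"
)

# Demo (constructed): the post's port range and the 227 reply quoted in it.
demo_conf=$(printf 'pasv_min_port=60000\npasv_max_port=60100\npasv_promiscuous=YES')
audit_pasv "$demo_conf" '227 Entering Passive Mode (123,123,123,123,47,27).' || true
```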

6
Hello,

I was having some unknown problem with one of the servers I installed.

Most users were having a 500 error when they "successfully" logged in to their user corner and that was about it.

Logs didn't return any obvious problem...


Anyway,
I noticed that users, including mine, that were experiencing this issue had a file tagged with their username in the /var/lib/zentyal-usercorner/sids

Solution;
Flush this directory using this command:
Code:
sudo rm -rf /var/lib/zentyal-usercorner/sids/*

Et voilà!  My users were happy campers once again.


Best,

Marcus

7
Hello,

By default Zentyal will install a MySQL server without any root password during the Zarafa installation. In many scenarios, this may be very risky.

HowTo close this security hole:
1) Access your Zentyal server CLI

2) Reconfigure your MySQL server using this command:
Code:
sudo dpkg-reconfigure mysql-server-5.1

3) Enter the root password when prompted to do so

Et voilà!

Best,

Marcus

8
Installation and Upgrades / SPF check
« on: October 04, 2011, 03:52:52 pm »
Hello,

Tested on Zentyal 2.0

In order to improve mail filtering and help discarding spam right when received, we need to add a SPF check.

How to add this filter:

Zentyal 2.2 note
If the files don't exist yet in the /etc/zentyal/mail folder:
Code: (2.2)
sudo mkdir -p /etc/zentyal/stubs/mail && sudo cp /usr/share/zentyal/stubs/mail/main.cf.mas /etc/zentyal/stubs/mail/main.cf.mas

Zentyal 2.0 note
If the files don't exist yet in the /etc/ebox/mail folder:
Code: (2.0)
sudo mkdir -p /etc/ebox/stubs/mail && sudo cp /usr/share/ebox/stubs/mail/main.cf.mas /etc/ebox/stubs/mail/main.cf.mas

1) Log in to your server using a terminal

2) Add the SPF check (in Python)
Code: (all)
sudo apt-get install postfix-policyd-spf-python

3) Modify the rules to the Postfix main configuration file and replace the default SMTP restriction:
Code: (2.2)
sudo nano /etc/zentyal/stubs/mail/main.cf.mas
Code: (2.0)
sudo nano /etc/ebox/stubs/mail/main.cf.mas

Rules to add to the "smtpd_recipient_restrictions":
Code: (all)
, check_policy_service unix:private/policy-spf

And, right under it:
Code: (all)
# SPF (the parameter name is the master.cf service name plus _time_limit)
policy-spf_time_limit = 3600s

e.g. once both rules added to the configuration:
Code: (all)
# Mail filter
smtpd_recipient_restrictions = <% $smtpRecipientRestrictions %>, check_policy_service unix:private/policy-spf

# SPF (the parameter name is the master.cf service name plus _time_limit)
policy-spf_time_limit = 3600s

~~~~~~~~~~~~~~~~~~~~~~~~~~~
Side note;
While being there, you may add to this a RBL by adding this line following the smtpd_recipient_restrictions modification previously done:
Code: (all)
, reject_rbl_client zen.spamhaus.org
So that it looks like:
Code:
smtpd_recipient_restrictions = <% $smtpRecipientRestrictions %>, check_policy_service unix:private/policy-spf, reject_rbl_client zen.spamhaus.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~

4) Modify the SPF rule to the Postfix's master configuration file:
Code: (2.2)
sudo nano /etc/zentyal/stubs/mail/master.cf.mas
Code: (2.0)
sudo nano /etc/ebox/stubs/mail/master.cf.mas
Code: (all)
# SPF Policy
policy-spf  unix  -       n       n       -       -       spawn
     user=nobody argv=/usr/bin/policyd-spf


5) Restart Zentyal mail service using this command line (or through the GUI by clicking "Restart" at the right of "Mail" on the dashboard)
Code:
sudo /etc/init.d/ebox mail restart

**You may verify your work by typing this command:
Code: (all)
tail -f /var/log/mail.log

The SPF should show up in it.  You may also make sure that you didn't mess up anything by sending yourself an email from GMail.  Once again, it should show up in the logs.

e.g. (with bogus emails)
Oct  4 08:37:30 mtl policyd-spf[29529]: None; identity=helo; client-ip=209.85.160.175; helo=mail-gy0-f175.google.com; envelope-from=marcus@gmail.com; receiver=email@exemple.com
Oct  4 08:37:30 mtl policyd-spf[29529]: Pass; identity=mailfrom; client-ip=209.85.160.175; helo=mail-gy0-f175.google.com; envelope-from=marcus@gmail.com; receiver=email@exemple.com


Something else that will be visible is the SPF check in your email headers.

e.g.
email received from GMail
Received-spf: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.85.160.175; helo=mail-gy0-f175.google.com;

Best,

Marcus
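
An added example, not from the original post: it turns policyd-spf lines in the format shown above into a per-identity tally and a list of mailfrom checks that did not pass. The function names are hypothetical; the first two sample lines are the ones quoted in the post and the last two are constructed.

```sh
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# spf_records: mail.log on stdin -> "identity result client-ip envelope-from"
spf_records() {
    awk '
        match($0, / policyd-spf\[[0-9]+\]: /) {
            n = split(substr($0, RSTART + RLENGTH), part, /; */)
            split("", kv)                 # empty the array for this line
            for (i = 2; i <= n; i++) {
                eq = index(part[i], "=")
                if (eq < 2) continue
                k = substr(part[i], 1, eq - 1)
                # helo and envelope-from are supplied by the remote side; keep
                # the first value of each key so a repeated key later in the
                # line cannot replace identity or client-ip.
                if (!(k in kv)) kv[k] = substr(part[i], eq + 1)
            }
            from = (kv["envelope-from"] == "") ? "-" : kv["envelope-from"]
            gsub(/[ \t]/, "_", from)      # keep the output at four fields
            if ("identity" in kv)
                print kv["identity"], part[1], kv["client-ip"], from
        }'
}

# spf_failures: mailfrom checks that did not pass -> "result client-ip sender"
spf_failures() {
    spf_records | awk '$1 == "mailfrom" && $2 != "Pass" { print $2, $3, $4 }'
}

# spf_counts: "identity result count", sorted
spf_counts() {
    spf_records | awk '{ print $1, $2 }' | LC_ALL=C sort | uniq -c |
        awk '{ print $2, $3, $1 }'
}

# Sample input: lines 1-2 are quoted in the post, lines 3-4 are constructed
# (documentation address ranges, made-up senders).
SAMPLE_LOG='Oct  4 08:37:30 mtl policyd-spf[29529]: None; identity=helo; client-ip=209.85.160.175; helo=mail-gy0-f175.google.com; envelope-from=marcus@gmail.com; receiver=email@exemple.com
Oct  4 08:37:30 mtl policyd-spf[29529]: Pass; identity=mailfrom; client-ip=209.85.160.175; helo=mail-gy0-f175.google.com; envelope-from=marcus@gmail.com; receiver=email@exemple.com
Oct  4 08:41:02 mtl policyd-spf[29533]: Fail; identity=mailfrom; client-ip=192.0.2.10; helo=mx.example.org; envelope-from=billing@example.org; receiver=email@exemple.com
Oct  4 08:44:17 mtl policyd-spf[29540]: Softfail; identity=mailfrom; client-ip=198.51.100.7; helo=x; client-ip=127.0.0.1; envelope-from=news@example.net; receiver=email@exemple.com'

printf '%s\n' "$SAMPLE_LOG" | spf_failures
printf '%s\n' "$SAMPLE_LOG" | spf_counts
```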

9
Hello,

Zentyal: 2.0
Browser: Firefox 7.0 (Ubuntu)

After adding a CIDR to a firewall (41.204.64.0/19), I'm not able to manage a part of it (Filtering rules from external networks to Zentyal) anymore.  All the rest seems fine...

Error given in the GUI:
An internal error related to a template has occurred. This is a bug, relevant information can be found in the logs.

Error from the logs:
2011/10/03 10:04:19 ERROR> Base.pm:346 EBox::CGI::Base::__ANON__ - Illegal division by zero at (eval 4224) line 721, <GEN43> line 15566.

Any clue on how to resolve this error ?

~~~~~~~~~~~~~~~~~~~~~~~~~~~
Problem vanished after restarting Zentyal from the CLI using:
Code:
/etc/init.d/ebox restart

BUT...
My last entry was gone too (no big deal on this one - I rather have to re-enter it compared to reconfigure the whole firewall)
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Best,

Marcus

10
Installation and Upgrades / [VPN] Access to VPN server services
« on: September 13, 2011, 08:58:43 pm »
Hello,

I tried configuring a VPN using a DD-WRT powered router.  This comes from the fact that one ISP is currently blocking some outbound ports.

VPN server setup and VPN client setup was very easy.  Up to that point, everything is working like a charm.

Still, 1 problem remains:
I can't access the server's services through the VPN. 

VPN network: 192.168.160.0/24

Accessing the 192.168.160.1 is sending me to the Zentyal gateway that we have at our office (not the good one).

Any clue on how to proceed and make this work ?

Best,

Marcus

11
Hello,

I was reading the documentation for installing Zentyal from apt-get.

Something that would ease up the job is making everything from a single command line:

Zentyal 2.0
sudo apt-get install -y python-software-properties && sudo add-apt-repository ppa:zentyal/2.0 && sudo apt-get update && sudo apt-get install -y zentyal

Zentyal 2.1
sudo apt-get install -y python-software-properties && sudo add-apt-repository ppa:zentyal/2.1 && sudo apt-get update && sudo apt-get install -y zentyal

What does it do?
sudo add-apt-repository ppa:zentyal/<package> will add the new repository and add the key at the same time.
All the rest is simply updating the sources lists and installing Zentyal.

Best,

Marcus

12
Installation and Upgrades / [SOLVED][BUG] DHCP + Static IP issue
« on: April 04, 2011, 05:01:16 pm »
Hello,
I'm experiencing some difficulties with the new DHCP system.

From time to time (most of the time), when adding a static IP to the list, DHCP server fails to restart.  Restarting it from the admin gives me a:
"The module was restarted correctly."

But in fact, it does not restart correctly.

There goes the error reported by the DHCP server when trying to restart it:
Code:
dhcpd self-test failed. Please fix the config file.
The error was:
Internet Systems Consortium DHCP Server V3.1.3
Copyright 2004-2009 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
/etc/dhcp3/dhcpd.conf line 59: expecting left brace.
    some static name
                             ^
Configuration file errors encountered -- exiting

Ok,
I must admit that I'm a bit short on time so I didn't test every possibility in order to identify where this error comes from.

So it can be:
a) A space in "some static name"
b) The MAC is already listed in the DHCP server list.

** This is the current "workaround" that I'm using in order to restart the DHCP server:
1) Check the error log
2) Remove the problematic static IP from the list
3) Restart the DHCP server

Any help for figuring this one out would be greatly appreciated
otherwise
I'll post the solution/problem source when I'll find it

Thanks for reading

Best,

Marcus

13
Installation and Upgrades / [Zarafa Indexer] High CPU load
« on: February 20, 2011, 05:47:47 pm »
Hello,
I faced a problem last week. 

I decided to do a stress test on my email server.

There goes the spec of the Zentyal 2.0 box:
Kernel and CPU: Linux 2.6.32-28-generic on x86_64
Processor information: AMD Athlon(tm) 64 X2 Dual Core Processor 5400+, 2 cores
RAM: 2GB DDR2 800MHz
Hard Drives: RAID 10 w/ 4X1.0TB (SATA-II, WD Green)

Test
Total emails: 35,000
Sending from: 2 servers
Email type: text
Attachment: no


Send/Receive took about 10 minutes over a 8Mbps WiFi and 32Mbps CPL networks (real speed).

CPU and RAM on the Zarafa box was all fine until Zarafa's indexer kicked in >>  CPU jumped to a load of 16.0.  I had to put a stop to it after an hour of nonsense CPU load so I restarted the indexer.  Everything was fine for something like 5 minutes then the load came back.

The indexer problem came from 2 obvious facts:
1) Much email came in simultaneously
2) Zarafa indexer was set to 5 minutes

The second observation is the most important one.  Not having the time to index everything within the default configuration, Zarafa was queuing indexing requests, bringing the load to the roof.

In order to fix the problem and avoid any problems related with a spam flood, I had to modify the configuration of the indexer.  This way, Zarafa indexer was able to finish the indexing process before the next one and keeping the CPU load to an acceptable level.

This is how I change the indexer from 5 minutes to 30 minutes:

In a terminal as root user
Code: (terminal)
# cd / && find . -name 'indexer.cf*' | xargs perl -pi -e 's/index_interval = 5/index_interval = 30/g' && zarafa-indexer restart

Explaining this command
It will look for 2 files on the server:
1) /etc/zarafa/indexer.cfg
2) /usr/share/ebox/stubs/zarafa/indexer.cfg.mas

Then, it will change the lines
Code:
index_interval = 5
for
Code:
index_interval = 30

And at last, it will restart the Zarafa indexer service.


Note that you may have to repeat this after a Zentyal update (if zarafa module gets an update)


Having all that said, it would be great to have a dropdown menu under:

Zentyal >> Groupware >> General configuration settings

to tweak the indexing frequency.


Best,

Marcus

14
Hello,
I faced a problem a few weeks ago.  I wasn't able to send out using an alias email with the Zarafa WebAccess.

I finally found out that it was a default spooler configuration that was blocking everything.

This is how I worked around my problem.

In a terminal as root user
Zentyal 2.0
Code: (terminal)
# cd / && find . -name 'spooler.cf*' | xargs perl -pi -e 's/always_send_delegates = no/always_send_delegates = yes/g' && find . -name 'spooler.cf*' | xargs perl -pi -e 's/allow_redirect_spoofing = no/allow_redirect_spoofing =  yes/g' && mkdir -p /etc/ebox/stubs/zarafa && cp /usr/share/ebox/stubs/zarafa/spooler.cfg.mas /etc/ebox/stubs/zarafa/spooler.cfg.mas && zarafa-spooler restart
Zentyal 2.2
Code: (terminal)
# cd / && find . -name 'spooler.cf*' | xargs perl -pi -e 's/always_send_delegates = no/always_send_delegates = yes/g' && find . -name 'spooler.cf*' | xargs perl -pi -e 's/allow_redirect_spoofing = no/allow_redirect_spoofing =  yes/g' && mkdir -p /etc/zentyal/stubs/zarafa && cp /usr/share/zentyal/stubs/zarafa/spooler.cfg.mas /etc/zentyal/stubs/zarafa/spooler.cfg.mas && zarafa-spooler restart
Zentyal 3.0
Code: (terminal)
# sudo sed -i 's/zarafa_always_send_delegates = no/zarafa_always_send_delegates = yes/g' /etc/zentyal/zarafa.conf && sudo /etc/init.d/zentyal zarafa restart

Explaining this command (Zentyal 2.x series)
It will look for 2 files on the server:
1) /etc/zarafa/spooler.cfg
2) /usr/share/ebox|zentyal/stubs/zarafa/spooler.cfg.mas

Then, it will change the lines
Code:
always_send_delegates = no
allow_redirect_spoofing = no
for
Code:
always_send_delegates = yes
allow_redirect_spoofing = yes

And at last, it will restart the Zarafa spooler service.


We are not done yet.  We now have to add our emails to the account.

Go to Webaccess >> Settings >> Compose mail >> From Email Addresses >> Add your alias


Having all that said, it would be great to have a simple checkbox under:

Zentyal >> Groupware >> General configuration settings

to enable/disable it.

Best,

Marcus

15
Installation and Upgrades / Firewall rules (Import/Export)
« on: March 05, 2010, 05:25:23 pm »
Hi everyone,

Does anyone know how to import/export firewall rules from one eBox to the other ?

Thanks in advance -

Best,
