August 12, 2014

RHEL 6 Synchronize Time Using Other NTP Peers

Introduction

In this blog post I show how to set up an NTP server and synchronize time on a remote client against it.

Server Installation

yum install ntp ntpdate -y

Server Configuration

vi /etc/ntp.conf
...
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
...

The server IP is 192.168.1.240 and is located in 192.168.1.0/24 subnet.

Server Firewall

vi /etc/sysconfig/iptables
...
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
...

Server Start

service ntpd restart; chkconfig ntpd on

Client Installation

yum install ntp ntpdate -y

Client Start

service ntpd restart; chkconfig ntpd on

Client Test

Query your NTP server without setting the time. If the query reports stratum 16 (the server is not yet synchronized), wait a little and then query again.

$ ntpdate -q 192.168.1.240
server 192.168.1.240, stratum 3, offset -0.000189, delay 0.02585
12 Aug 16:43:45 ntpdate[1700]: adjust time server 192.168.1.240 offset -0.000189 sec
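The stratum check above can be scripted so a client only switches to the new server once it is synchronized. The following is an added example, not code from the blog post; it parses the "server ..., stratum N, ..." line that ntpdate -q prints (the sample lines below are constructed in that format) and the wait_for_ntp helper is a hypothetical wrapper around the real ntpdate -q.

```shell
#!/bin/sh
# Added example (not from the blog post): parse "ntpdate -q" output and decide
# whether the NTP server is usable. ntpdate reports stratum 16 for a server
# that has not yet synchronized to its own upstream peers.

# Constructed sample lines in the format shown on the page.
SAMPLE_OK='server 192.168.1.240, stratum 3, offset -0.000189, delay 0.02585'
SAMPLE_UNSYNC='server 192.168.1.240, stratum 16, offset 0.000000, delay 0.02585'

# ntp_stratum LINE -> prints the stratum field, or nothing if the line does not parse
ntp_stratum() {
    printf '%s\n' "$1" | sed -n 's/.*stratum \([0-9][0-9]*\),.*/\1/p'
}

# ntp_usable LINE -> prints "ok" (stratum 1..15), "unsynchronized" (16+) or "unparsed"
# Exit status: 0 ok, 1 unsynchronized, 2 unparsed.
ntp_usable() {
    s=$(ntp_stratum "$1")
    if [ -z "$s" ]; then echo "unparsed"; return 2; fi
    if [ "$s" -ge 16 ]; then echo "unsynchronized"; return 1; fi
    echo "ok"
}

# wait_for_ntp SERVER [TRIES] -> hypothetical helper: query the real server
# and retry while it still reports stratum 16. Prints the server line on success.
wait_for_ntp() {
    server=$1; tries=${2:-5}
    while [ "$tries" -gt 0 ]; do
        line=$(ntpdate -q "$server" 2>/dev/null | grep '^server ')
        if [ "$(ntp_usable "$line")" = ok ]; then echo "$line"; return 0; fi
        tries=$((tries - 1)); sleep 10
    done
    echo "$server did not synchronize in time" >&2
    return 1
}

# Usage on the constructed samples (offline):
ntp_usable "$SAMPLE_OK"       # ok
ntp_usable "$SAMPLE_UNSYNC"   # unsynchronized
```

Run wait_for_ntp 192.168.1.240 from the client before editing /etc/ntp.conf; a client pointed at an unsynchronized server will itself stay at stratum 16 and never step its clock.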

Client Set NTP Server

$ sudo vi /etc/ntp.conf 
...
server 192.168.1.240
#server 0.rhel.pool.ntp.org iburst
#server 1.rhel.pool.ntp.org iburst
#server 2.rhel.pool.ntp.org iburst
#server 3.rhel.pool.ntp.org iburst
...

And finally you need to restart ntpd service.

August 10, 2014

RHEL 6 Configure an MTA to Forward (Relay) Email Through a Smart Host.

Introduction

A relay mail server (MTA) is an intermediate server that forwards email to the final delivery mail server (MDA), which writes the message to the default store /var/spool/mail/${USER}.

Remote Client --> Mail Transfer Agent, MTA (192.168.1.11) --> Mail Delivery Agent, MDA (192.168.1.12)

Configuration MTA

$ vi /etc/postfix/main.cf
...
myhostname = san.magnuskkarlsson.com
...
mydomain = magnuskkarlsson.com
...
myorigin = $mydomain
...
inet_interfaces = all
...
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
...
mynetworks = 192.168.1.0/28, 127.0.0.0/8
...
relayhost = 192.168.1.12

If you want the MTA to ONLY transfer mail, set 'mydestination = ' (empty). With the above configuration the MTA also delivers mail for its local users that arrives from remote clients.
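Which clients may use this MTA as a relay to arbitrary destinations is decided by mynetworks: on RHEL 6 Postfix's default smtpd_recipient_restrictions is permit_mynetworks, reject_unauth_destination, so a client inside mynetworks can relay anywhere, while everyone else is only accepted for domains the MTA handles itself. The following is an added example, not code from the blog post; it evaluates the page's mynetworks value against candidate client addresses so you can see who would be trusted (the helper names ip_to_int, in_cidr and may_relay are this example's own).

```shell
#!/bin/sh
# Added example (not from the blog post): check whether a client IPv4 address
# falls inside one of the CIDR blocks listed in Postfix's mynetworks.
# Clients inside mynetworks pass permit_mynetworks and may relay anywhere.

MYNETWORKS="192.168.1.0/28, 127.0.0.0/8"   # value from the page's main.cf

# ip_to_int A.B.C.D -> unsigned 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET[/BITS] -> exit 0 if IP is inside NET (a bare IP means /32)
in_cidr() {
    ip=$(ip_to_int "$1")
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    netint=$(ip_to_int "$net")
    if [ "$bits" -eq 0 ]; then return 0; fi
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( netint & mask )) ]
}

# may_relay IP "MYNETWORKS" -> prints "yes" if IP is in any listed network, else "no"
may_relay() {
    client=$1
    nets=$(printf '%s' "$2" | tr ',' ' ')
    for n in $nets; do
        if in_cidr "$client" "$n"; then echo yes; return 0; fi
    done
    echo no
}

# Usage on constructed client addresses:
for c in 127.0.0.1 192.168.1.5 192.168.1.122 10.0.0.1; do
    printf '%-15s relay via mynetworks: %s\n' "$c" "$(may_relay "$c" "$MYNETWORKS")"
done
```

Note that 192.168.1.0/28 covers only 192.168.1.0 to 192.168.1.15. The remote client in the page's test connects from 192.168.1.122 (see the second Received: header later on), so it is not a trusted relay client; the MTA accepts its message under reject_unauth_destination because the recipient domain is one the MTA is configured to handle, not because the client is trusted. Widening mynetworks to 192.168.1.0/24 would let every host on that subnet relay through the MTA to any destination.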

Restart service to let configuration take effects.

service postfix restart; chkconfig postfix on

Check that SMTP port 25 (TCP) is open in iptables. If you need to update the configuration, don't forget to restart the iptables service.

$ vi /etc/sysconfig/iptables
...
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT 
...

Configuration MDA

$ vi /etc/postfix/main.cf
...
myhostname = rhel6.magnuskkarlsson.com
...
mydomain = magnuskkarlsson.com
...
myorigin = $mydomain
...
inet_interfaces = all
...
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
...
mynetworks = 192.168.1.0/28, 127.0.0.0/8
...
relayhost = 

Do not forget to restart the postfix service after configuration changes.

Create an ordinary Unix user for the test with the command adduser mail2.

Check that SMTP port 25 (TCP) is open in iptables. Update if needed and restart the iptables service.

If SELinux is enforcing (the default), check that the SELinux boolean that lets Postfix write to the local mail spool is on.

$ getenforce 
Enforcing

# getsebool -a | grep postfix
allow_postfix_local_write_mail_spool --> on

Test

Now we are ready to test by sending mail from a remote client.

$ telnet 192.168.1.11 25
Trying 192.168.1.11...
Connected to 192.168.1.11.
Escape character is '^]'.
220 san.magnuskkarlsson.com ESMTP Postfix
EHLO 192.168.1.11
250-san.magnuskkarlsson.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: foo@bar.com
250 2.1.0 Ok
RCPT TO: mail2@rhel6.magnuskkarlsson.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: hello 
sbj 
.
250 2.0.0 Ok: queued as 92E1040EB2
^]

telnet> quit
Connection closed.

Now verify that the mail was delivered on the MDA (192.168.1.12).

$ cat /var/spool/mail/mail2 
...
From foo@bar.com  Sun Aug 10 01:18:34 2014
Return-Path: <foo@bar.com>
X-Original-To: mail2@rhel6.magnuskkarlsson.com
Delivered-To: mail2@rhel6.magnuskkarlsson.com
Received: from san.magnuskkarlsson.com (unknown [192.168.1.11])
 by rhel6.magnuskkarlsson.com (Postfix) with ESMTP id 2ADC210CB
 for <mail2@rhel6.magnuskkarlsson.com>; Sun, 10 Aug 2014 01:18:34 +0200 (CEST)
Received: from 192.168.1.11 (unknown [192.168.1.122])
 by san.magnuskkarlsson.com (Postfix) with ESMTP id 92E1040EB2
 for <mail2@rhel6.magnuskkarlsson.com>; Sun, 10 Aug 2014 19:01:59 +0200 (CEST)
Subject: hello 

sbj 
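The Received: headers above are the record of the path the message actually took, and the bracketed address in each hop is what the receiving Postfix observed, whereas the name after "from" is only what the sender claimed in EHLO. The following is an added example, not code from the blog post; it extracts the Received: chain from a message in the mbox spool (the sample headers are copied from the delivery shown above) and prints one hop per line as "claimed_name observed_ip receiving_host".

```shell
#!/bin/sh
# Added example (not from the blog post): list the Received: hops of a message,
# newest first, joining header continuation lines (leading whitespace) to the
# header they belong to. Helps verify a relayed message's real path.

# Constructed sample: the headers shown on the page for the relayed test mail.
SAMPLE_MSG='From foo@bar.com  Sun Aug 10 01:18:34 2014
Return-Path: <foo@bar.com>
X-Original-To: mail2@rhel6.magnuskkarlsson.com
Delivered-To: mail2@rhel6.magnuskkarlsson.com
Received: from san.magnuskkarlsson.com (unknown [192.168.1.11])
 by rhel6.magnuskkarlsson.com (Postfix) with ESMTP id 2ADC210CB
 for <mail2@rhel6.magnuskkarlsson.com>; Sun, 10 Aug 2014 01:18:34 +0200 (CEST)
Received: from 192.168.1.11 (unknown [192.168.1.122])
 by san.magnuskkarlsson.com (Postfix) with ESMTP id 92E1040EB2
 for <mail2@rhel6.magnuskkarlsson.com>; Sun, 10 Aug 2014 19:01:59 +0200 (CEST)
Subject: hello

sbj'

# received_hops: reads a message on stdin, prints "claimed_name observed_ip by_host"
# for every Received: header, in the order they appear (newest hop first).
received_hops() {
    awk '
        function print_hop(   claimed, ip, by) {
            claimed = "?"; ip = "?"; by = "?"
            if (match(hop, /from [^ ]+/))   claimed = substr(hop, RSTART + 5, RLENGTH - 5)
            if (match(hop, /\[[0-9.]+\]/))  ip      = substr(hop, RSTART + 1, RLENGTH - 2)
            if (match(hop, / by [^ ]+/))    by      = substr(hop, RSTART + 4, RLENGTH - 4)
            print claimed, ip, by
        }
        /^$/ { exit }                                   # blank line ends the headers
        /^[ \t]/ { if (inrecv) hop = hop " " $0; next } # continuation of current header
        { if (inrecv) print_hop(); inrecv = 0 }         # any other header closes a pending hop
        /^Received:/ { inrecv = 1; hop = $0 }
        END { if (inrecv) print_hop() }
    '
}

# Usage: trace the hops of the constructed message (or: received_hops < /var/spool/mail/mail2)
printf '%s\n' "$SAMPLE_MSG" | received_hops
```

For the page's message this prints two hops: the MDA received it from san.magnuskkarlsson.com at 192.168.1.11, and the MTA received it from a client that announced itself as "192.168.1.11" but actually connected from 192.168.1.122. "unknown" means the receiving server could not resolve the address back to a name. When tracing a suspicious message, trust the bracketed address recorded by a server you control, not the claimed name.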

August 8, 2014

RHEL 6 Postfix Aliases

Introduction

In my previous blog post I described how to configure and run an MTA with Postfix. Here I will describe how to set up aliases.

Configuration

Start

Create alias

To make the change take effect, you must run the program newaliases.

Test

On remote client send mail to root@san.magnuskkarlsson.com.

And verify on the server.

RHEL 6 Configure a Mail Transfer Agent (MTA) to Accept Inbound Email From Other Systems

Installation

Configuration

Start

Firewall

Add TCP port 25 for SMTP.

Then restart the firewall to let the new configuration take effect.

Test

First create a test user on server.

Then, on the remote client, we use telnet to send mail. For details see http://magnus-k-karlsson.blogspot.se/2014/06/how-to-send-mail-from-command-line-with.html. Here follows a summary.

Now check the mail on the server.

Reference

  • man 5 postconf

August 7, 2014

RHEL 6 FTP Configure Anonymous-Only Download.

Installation

yum install vsftpd -y

Configuration

$ vi /etc/vsftpd/vsftpd.conf
...
# Allow anonymous FTP?
anonymous_enable=YES
..
# Uncomment this to allow local users to log in.
local_enable=NO
...
# Uncomment this to enable any form of FTP write command.
write_enable=NO
...
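The three settings above define an anonymous-download-only policy: anonymous logins on, local logins off, and no write commands at all. Because a key that is absent from vsftpd.conf takes its vsftpd default, an audit has to treat "missing" as the default rather than as a failure. The following is an added example, not code from the blog post; it reads a vsftpd.conf (two constructed files: one matching the page's settings and one that has been loosened) and reports each setting that deviates from the policy. The helper names vsftpd_get and vsftpd_audit are this example's own, and the defaults it assumes are the ones documented in vsftpd.conf(5).

```shell
#!/bin/sh
# Added example (not from the blog post): audit a vsftpd.conf against the
# anonymous-download-only policy. A missing key is evaluated at its vsftpd
# default (per vsftpd.conf(5)); the last occurrence of a key wins.

# vsftpd_get FILE KEY DEFAULT -> prints the effective value of KEY
vsftpd_get() {
    v=$(sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    if [ -z "$v" ]; then echo "$3"; else echo "$v"; fi
}

# vsftpd_audit FILE -> one line per check, "KEY: ok (value)" or "KEY: BAD (value, want X)";
# returns 0 only if every check passes
vsftpd_audit() {
    f=$1; rc=0
    # each spec: KEY REQUIRED DEFAULT
    for spec in \
        'anonymous_enable YES YES' \
        'local_enable NO NO' \
        'write_enable NO NO' \
        'anon_upload_enable NO NO' \
        'anon_mkdir_write_enable NO NO' \
        'anon_other_write_enable NO NO'
    do
        set -- $spec
        actual=$(vsftpd_get "$f" "$1" "$3")
        if [ "$actual" = "$2" ]; then
            echo "$1: ok ($actual)"
        else
            echo "$1: BAD ($actual, want $2)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (written to temp files so the audit can run offline).
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# Allow anonymous FTP?
anonymous_enable=YES
# Uncomment this to allow local users to log in.
local_enable=NO
# Uncomment this to enable any form of FTP write command.
write_enable=NO
EOF
cat > "$BAD_CONF" <<'EOF'
anonymous_enable=YES
#local_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=YES
EOF

# Usage:
echo "--- policy-conformant config"; vsftpd_audit "$GOOD_CONF"
echo "--- loosened config";          vsftpd_audit "$BAD_CONF" || echo "policy violated"
rm -f "$GOOD_CONF" "$BAD_CONF"
```

Run vsftpd_audit /etc/vsftpd/vsftpd.conf after editing the file; a commented-out line such as "#local_enable=NO" is ignored by the parser, exactly as vsftpd ignores it, so the value that counts is the uncommented one (or the default).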

Start

service vsftpd restart; chkconfig vsftpd on

Firewall

$ vi /etc/sysconfig/iptables
...
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT 
...
$ vi /etc/sysconfig/iptables-config
...
IPTABLES_MODULES="nf_nat_ftp nf_nat_tftp"
...
$ service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
iptables: Loading additional modules: nf_nat_ftp nf_nat_tft[  OK  ]

Test

Create test data.

$ echo "Hello" >> /var/ftp/pub/hello.txt

$ restorecon -RFv /var/ftp/pub/hello.txt 
restorecon reset /var/ftp/pub/hello.txt context unconfined_u:object_r:public_content_t:s0->system_u:object_r:public_content_t:s0

And download it from remote host.

$ lftp 192.168.1.11
lftp 192.168.1.11:~> ls
drwxr-xr-x    2 0        0            4096 Aug 07 19:22 pub
lftp 192.168.1.11:/> cd pub/
lftp 192.168.1.11:/pub> ls
-rw-r--r--    1 0        0               6 Aug 07 19:22 hello.txt
lftp 192.168.1.11:/pub> get hello.txt 
6 bytes transferred
lftp 192.168.1.11:/pub> exit

# cat hello.txt 
Hello

RHEL 6 Configure a Caching-Only Name Server to Forward DNS Queries

Installation

yum install bind bind-chroot bind-utils -y

Configuration

$ vi /etc/named.conf
...
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
...
    allow-query     { 192.168.1.0/24; };
    forwarders      { 192.168.1.1; };
...
    dnssec-validation no;
...

Start

service named restart; chkconfig named on

Test

$ nslookup www.sunet.se 192.168.1.11
Server:  192.168.1.11
Address: 192.168.1.11#53

Non-authoritative answer:
www.sunet.se canonical name = vision.sunet.se.
Name: vision.sunet.se
Address: 192.36.171.156

Firewall

$ vi /etc/sysconfig/iptables
...
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
...