diff --git a/Manuals/Tcpi-ug/Configurations/Dialup/server.docbook b/Manuals/Tcpi-ug/Configurations/Dialup/server.docbook
index 02624d1..b17aba4 100644
--- a/Manuals/Tcpi-ug/Configurations/Dialup/server.docbook
+++ b/Manuals/Tcpi-ug/Configurations/Dialup/server.docbook
@@ -11,7 +11,7 @@
- Ppp Server
+ Installing Ppp Server
The ppp server provides the software required to establish and
maintain a PPP link with another system and negociate Internet
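Review bot: the unchanged description line just below the new title misspells "negotiate" as "negociate"; since this hunk already touches the section, fix the typo in the same commit.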
@@ -23,7 +23,7 @@
- Name Server
+ Installing Name Server
The name server provides the software required to translate
domain names into IP address and IP addresses into domain
@@ -47,7 +47,7 @@
- Mail Server
+ Installing Mail Server
The mail server provides the software required to let you
send/receive e-mail messages to/from others. The mail server
@@ -62,10 +62,18 @@
where your mailbox is stored in). The authentication daemon
is used by the mail delivery agent to authenticate user's
credentials (e.g., the information that let you access an
- specific mailbox).
+ specific mailbox). The authentication daemon can also be used
+ by the mail transfer agent to authenticate users before
+ sending mail to it, however, that is not set in this
+ configuration (i.e., the mail transfer agent will receive mail
+ from all its interfaces which are sent either to example.com domain name or
+ server.example.com host
+ name).
- yum install postfix cyrus-imapd cyrus-sasl
+ yum install postfix cyrus-{imapd{,-utils},sasl{,-ldap,-md5,-plain}}
By default, the sendmail
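Review bot: the added sentence saying the mail transfer agent "will receive mail from all its interfaces" without using the authentication daemon reads as if an open relay were being configured; it should state that unauthenticated SMTP is accepted only for the two local destinations named (the example.com domain and the server.example.com host), and that relaying to any other domain is decided by the Postfix relay controls (mynetworks, or SMTP AUTH if it is enabled later), not by saslauthd. Two smaller points in the same hunk: `yum install postfix cyrus-{imapd{,-utils},sasl{,-ldap,-md5,-plain}}` depends on bash brace expansion, so spell out the six package names (cyrus-imapd cyrus-imapd-utils cyrus-sasl cyrus-sasl-ldap cyrus-sasl-md5 cyrus-sasl-plain) for readers who paste the line into another shell or a kickstart file; and "an specific mailbox" should read "a specific mailbox".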
@@ -106,7 +114,7 @@
-
+
@@ -115,7 +123,7 @@
- Web Server
+ Installing Web Server
The web server provides the software required to support web
interfaces like those one previously mention to register new
@@ -140,7 +148,7 @@
- Directory Server
+ Installing Directory Server
The directory server provides the software required to unify
@@ -161,8 +169,603 @@
Configuring Server Computer
+ Once all required packages have been installed inside the
+ server computer, it is time to configure them. This section
+ describes how to configure the server computer to provide a
+ public mail system.
+
+
+
+ Configuring Network Internface
+
+
+ /etc/sysconfig/network-scripts/ifcfg-eth0
+
+
+# Please read /usr/share/doc/initscripts-*/sysconfig.txt
+# for the documentation of these parameters.
+TYPE=Ethernet
+DEVICE=eth0
+HWADDR=00:1c:c0:f0:aa:05
+BOOTPROTO=none
+NETMASK=255.255.255.0
+IPADDR=192.168.0.1
+ONBOOT=yes
+USERCTL=no
+IPV6INIT=no
+PEERDNS=yes
+
+
+
+
+
+
+
+ Configuring Ppp Server
+
+ This configuration specifies the way the server computer will
+ handle incoming dial-up connections.
+
+
+
+ /etc/ppp/options
+
+
+# Set the name of the local system for authentication purposes to
+# name. This is a privileged option. With this option, pppd will use
+# lines in the secrets files which have name as the second field when
+# looking for a secret to use in authenticating the peer. In
+# addition, unless overridden with the user option, name will be used
+# as the name to send to the peer when authenticating the local system
+# to the peer. (Note that pppd does not append the domain name to
+# name.)
+name "server.example.com"
+
+# Require the peer to authenticate itself before allowing network
+# packets to be sent or received. This option is the default if the
+# system has a default route. If neither this option nor the noauth
+# option is specified, pppd will only allow the peer to use IP
+# addresses to which the system does not already have a route.
+auth
+
+# Specifies that pppd should create a UUCP-style lock file for the
+# serial device to ensure exclusive access to the device. By default,
+# pppd will not create a lock file.
+lock
+
+# If pppd is acting as a server for Microsoft Windows clients, this
+# option allows pppd to supply one or two DNS (Domain Name Server)
+# addresses to the clients. The first instance of this option
+# specifies the primary DNS address; the second instance (if given)
+# specifies the secondary DNS address. (This option was present in
+# some older versions of pppd under the name dns-addr.)
+ms-dns 192.168.0.1
+
+# Allow peers to connect from the given telephone number. A trailing
+# ‘*’ character will match all numbers beginning with the leading
+# part. Notice that this option (allow-number) is useful only to
+# incoming calls. When you want to realize an outgoing call, this
+# restrictions must be commentted out.
+##### centos-pppd-admin will overwrite this part!!! (begin) #####
+##### centos-pppd-admin will overwrite this part!!! (end) #####
+
+# Enable connection debugging facilities. If this option is given,
+# pppd will log the contents of all control packets sent or received
+# in a readable form. The packets are logged through syslog with
+# facility daemon and level debug. This information can be directed to
+# a file by
+# setting up /etc/syslog.conf appropriately (see syslog.conf(5)).
+debug
+
+# Terminate the connection when it has been available for network
+# traffic for 900 seconds (i.e. 15 minutes after the first network
+# control protocol comes up).
+maxconnect 900
+
+# Specifies that pppd should disconnect if the link is idle for 60
+# seconds (e.g., 1 minute). The link is idle when no data packets (i.e.
+# IP packets) are being sent or received. Note: it is not advisable
+# to use this option with the persist option without the demand
+# option. If the active-filter option is given, data packets which are
+# rejected by the specified activity filter also count as the link
+# being idle.
+idle 60
+
+
+
+
+
+ /etc/ppp/cha-secrets
+ /etc/ppp/pap-secrets
+
+
+# client server secret IP addresses
+
+# Specify the client configuration. This is when this manchine calls
+# someone's else machine and tries to establish a point-to-point
+# connection. Most of this configuration is handled by the
+# `system-config-network' utility.
+#
+####### redhat-config-network will overwrite this part!!! (begin) ##########
+####### redhat-config-network will overwrite this part!!! (end) ############
+
+# Specify the server configuration. This is when someone's else
+# machine calls this machine trying to establish a point-to-point
+# connection. This part of the configuration isn't handled by
+# `system-config-network' utility. To prenvent this configuration to
+# be lost the next time the `system-config-network' utility be used,
+# be sure to have this configuration backed up somewhere so it can be
+# resotred in such situations.
+#
+"client.example.com" "server.example.com" "mail4u" "192.168.0.2"
+
+
+
+
+
+
+
+
+ Configuring Name Server
+
+
+
+ /etc/named.conf
+
+
+# BIND DNS server 'named' configuration file for the Red Hat BIND
+# distribution. This file was initially taken from
+# `/usr/share/doc/bind-*/samples/named.conf' file and modified to fit
+# this server's needs.
+#
+# This machine exists to develop The CentOS Project Corporate Identity
+# through The CentOS Artwork Repository. Presently, this machine is
+# isolated from Internet. However, a modem has been attached[1] and
+# configured so people can establish point-to-point connections to
+# this machine and download working copies of The CentOS Artwork
+# Repository and help me to develop it.
+#
+# In this configuration there are only two IP addresses involved. The
+# one used in this server (192.168.0.1) and another for the client who
+# realize the point-to-point connection (192.168.0.2). This server is
+# named `server.example.com' and the client `client.example.com' or
+# something similar.
+# --------------------------------------------------------------------
+# See the BIND Administrator's Reference Manual (ARM) for details, in:
+# file:///usr/share/doc/bind-*/arm/Bv9ARM.html
+#
+# Also see the BIND Configuration GUI:
+# /usr/bin/system-config-bind and its manual.
+# --------------------------------------------------------------------
+
+options {
+
+ # Those options should be used carefully because they disable port
+ # randomization.
+ // query-source port 53;
+ // query-source-v6 port 53;
+
+ # Put files that named is allowed to write in the data/ directory:
+ directory "/var/named"; // the default
+ dump-file "data/cache_dump.db";
+ statistics-file "data/named_stats.txt";
+ memstatistics-file "data/named_mem_stats.txt";
+};
+
+logging {
+
+ # If you want to enable debugging, eg. using the 'rndc trace'
+ # command, named will try to write the 'named.run' file in the
+ # $directory (/var/named). By default, SELinux policy does not
+ # allow named to modify the /var/named directory, so put the
+ # default debug log file in data/ :
+ channel default_debug {
+ file "data/named.run" versions 5 size 20m;
+ severity dynamic;
+ };
+};
+
+# All BIND 9 zones are in a "view", which allow different zones to be
+# served to different types of client addresses, and for options to be
+# set for groups of zones. By default, if named.conf contains no
+# "view" clauses, all zones are in the "default" view, which matches
+# all clients. If named.conf contains any "view" clause, then all
+# zones MUST be in a view; so it is recommended to start off using
+# views to avoid having to restructure your configuration files in the
+# future.
+
+view "internal" {
+
+ # This view will contain zones you want to serve only to
+ # "internal" clients that connect via your directly attached LAN
+ # interfaces - "localnets".
+ match-clients { 192.168.0/24; };
+ match-destinations { 192.168.0/24; };
+ recursion no;
+
+ # All views must contain the root hints zone. However, since this
+ # machine is disconnected from Internet it is not possible for it
+ # to reach root servers. So, this line is commented based that no
+ # recursion is performed here.
+ //include "named.rfc1912.zones";
+
+ # These are your "authoritative" internal zones, and would
+ # probably also be included in the "localhost_resolver" view
+ # above:
+ zone "example.com" IN {
+ type master;
+ file "example.com.zone";
+ allow-update { none; };
+ };
+
+ zone "0.168.192.in-addr.arpa" IN {
+ type master;
+ file "example.com.rr.zone";
+ allow-update { none; };
+ };
+};
+
+# The localhost_resolver is already configured in `/etc/hosts' and set
+# as first choise in `/etc/hosts.conf' file. However, if you change
+# the order in `/etc/hosts.conf' file to make bind the first choise,
+# then you need to include here the localhost_resolver in order to
+# resolve localhost (127.0.0.1) address.
+
+key "rndckey" {
+ algorithm hmac-md5;
+ secret "JjsCg0VcCjZILGD8FR9nnw==";
+};
+
+controls {
+ inet 127.0.0.1 port 953
+ allow { 127.0.0.1; } keys { "rndckey"; };
+};
+
+
+
+
+
+ /var/named/example.com.zone
+
+
+$ORIGIN example.com.
+$TTL 86400
+@ IN SOA example.com. hostmaster.example.com. (
+ 2011100404 ; serial (d. adams)
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expiry
+ 1D ) ; minimum
+
+ IN NS dns.example.com.
+ IN MX 10 mail.example.com.
+
+server IN A 192.168.0.1
+client IN A 192.168.0.2
+
+dns IN CNAME server
+mail IN CNAME server
+www IN CNAME server
+
+
+
+
+
+ /var/named/example.com.rr.zone
+
+
+$ORIGIN 0.168.192.in-addr.arpa.
+$TTL 86400
+@ IN SOA example.com. hostmaster.example.com. (
+ 2011100405 ; serial (d. adams)
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expiry
+ 1D ) ; minimum
+
+ IN NS 192.168.0.1
+
+1 IN PTR server.example.com.
+2 IN PTR client.example.com.
+
+
+
+
+
+ /etc/rndc.conf
+
+
+include "/etc/rndc.key";
+options {
+ default-key "rndckey";
+ default-server 127.0.0.1;
+ default-port 953;
+};
+
+
+
+
+
+ /etc/rndc.key
+
+
+key "rndckey" {
+ algorithm hmac-md5;
+ secret "JjsCg0VcCjZILGD8FR9nnw==";
+};
+
+
+ When configuring rndc controls, don't use
+ the same secret shown in the example above. If you do so, the
+ secret information will not be a secret anymore (since we
+ already used it here). Instead, use the
+ rndc-genconf command to generate a new one,
+ and be sure it be placed correctly both in
+ /etc/rndc.conf and
+ /etc/named.conf configuration files.
+
+
+
+
+ /etc/resolv.conf
+
+ nameserver 192.168.0.1
+
+
+
+ /etc/host.conf
+
+ order hosts,bind
+
+
+
+
+
+ At this point you can start the named service and realize some
+ tests to verify the named service is certainly working as
+ expected. For example, consider the the following two
+ commands:
+
+
+
+[root@server ~]# service named start
+Starting named: [ OK ]
+[root@server ~]# dig example.com mx
+
+; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> example.com mx
+;; global options: printcmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3540
+;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
+
+;; QUESTION SECTION:
+;example.com. IN MX
+
+;; ANSWER SECTION:
+example.com. 86400 IN MX 10 mail.example.com.
+
+;; AUTHORITY SECTION:
+example.com. 86400 IN NS dns.example.com.
+
+;; Query time: 0 msec
+;; SERVER: 192.168.0.1#53(192.168.0.1)
+;; WHEN: Wed Oct 5 10:33:24 2011
+;; MSG SIZE rcvd: 67
+
+
+
+ If everything is ok, configure the named service to start at
+ boot time:
+
+
+ chkconfig --level 345 named on
+
+
+ If something goes wrong, look for named daemon entries inside the
+ /var/log/messages file to know what is
+ going on. When you are configuring the name server, it could
+ result useful to you keeping an always visible terminal,
+ running the following command on it:
+
+
+ grep named /var/log/messages | tail -f -
+
+
+
+
+ Configuring Mail Server (MTA)
+
+ Based on default configuration provided by Postfix RPM inside
+ &TCD; (release 5.5), look for the following options and leave
+ the rest as is.
+
+
+
+
+ /etc/postfix/main.cf
+
+
+myhostname = server.example.com
+mydomain = example.org
+inet_interfaces = $myhostname, localhost
+mynetworks = 192.168.0.0/24, 127.0.0.0/8
+mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
+local_destination_recipient_limit = 300
+local_destination_concurrency_limit = 5
+
+
+
+
+
+
+
+
+ Configuring Mail Server (MDA)
+
+
+ /etc/cyrus.conf
+
+
+ Leave it as is. There is nothing to touch here for a small and
+ basic configuration like that one we are implementing in this
+ chapter.
+
+
+
+
+ /etc/imapd.conf
+
+
+ Leave it as is. There is nothing to touch here for a small and
+ basic configuration like that one we are implementing in this
+ chapter.
+
+
+ The initial configuration of Cyrus IMAP server is set to use
+ PLAIN authentication mechanisim (see
+ option) against saslauthd daemon. This makes the
+ password information to be vulnerable for man in the middle
+ attacks. In order to protect the user authentication, you can
+ use other authentication mechanisms like CRAM-MD5 or
+ DIGEST-MD5 in the e-mail client in order to send the password
+ information encrypted. Another solution would be to create an
+ encrypted channel for communication between the e-email client
+ and Cyrus IMAP server by mean of SSL encryption.
+
+
+ When you use authentication mechanisms that encrypt user
+ information before passing them to saslauthd daemon (e.g.,
+ DIGETS-MD5), you are protecting your data in the e-mail
+ client before passing it to saslauthd daemon. Therefore, when
+ the saslauthd daemon
+ tries to validate the credentials you passed in against PAM,
+ it fails. At my personal understanding, this happens becase
+ PAM must receive the user information as it was entered by the
+ user (i.e., plainly, without any encryption) in order to
+ realize the verification against the system default
+ authentication database (e.g.,
+ /etc/passwd,
+ /etc/shadow), and saslauthd daemon is passing an
+ encrypted version of the plain user information which
+ obviously cannot match the hash produced by plain user
+ information in first place.
+
+
+
+ One alternative to the situation mentioned above could be to
+ use PLAIN authentication mechanism over an SSL encrypted
+ communication or excluding PAM mechanism from saslauthd
+ daemon, and use LDAP mechanism instead. When LDAP mechanism
+ is used as default authentication mechanism inside saslauthd
+ daemon, it is possible for e-mail clients to send encrypted
+ passwords to saslauthd daemon. In this configuration, the
+ password stored in LDAP server must be encrypted using the
+ same algorithm used to send the encrypted password from e-mail
+ client to saslauthd daemon. Therefore, you need to force the
+ user to use just one authentication mechanism, that one used
+ to stored encrypted passwords inside the LDAP server.
+ Otherwise, it would be very difficult to authenticate users
+ that send passwords encrypted in a way different to that one
+ stored in the LDAP server.
+
+
+
+ Another configuration could be to keep e-mail clients using
+ PLAIN authentication over an SSL connection against saslauthd
+ daemon, and saslauthd using a PAM. But this time, PAM would be
+ configured to extend its default system authentication by
+ using an LDAP server. This way, it would be possible to
+ isolate user accound administration and greatly control the
+ kind of information a user might have. For example, the root
+ user account would be in the system default authentication,
+ however all service-specific user information would be in the
+ LDAP server. This permits us to create a web application that
+ interact with LDAP server in order to manage service-specific
+ user information only avoiding any contant with system default
+ authentication, the place where the root user is stored in. In
+ this PAM configuration, the first match that fails means that
+ the whole authentication process fails.
+
+
+
+
+
+ /etc/pki/cyrus-imapd/cyrus-imapd.pem
+
+
+ This file is a symbolic link to
+ /etc/pki/tls/certs/cyrus-imapd.pem. This
+ file contains a self-generated SSL certificate you probably
+ want to update for setting your host name in the Common
+ Name field of it. To create this file use the
+ following command:
+
+ openssl req -new -x509 -nodes -out /etc/pki/tls/certs/cyrus-imapd.pem -keyout /etc/pki/tls/certs/cyrus-imapd.pem -days 365
+
+
+
+
+
+
+ To initiate the Cyrus IMAP server, run the following command:
+
+
+ service cyrus-imapd start
+
+
+ In case something fails, look into the
+ /var/log/maillog file, specifically those
+ entries containing imap, pop,
+ nntp and cyrus strings. It could be
+ useful if, before initiating Cyrus IMAP server, you open a
+ terminal and run the following command in it, just to see what
+ is happening once Cyrus IMAP server is initiated:
+
+
+ egrep '(cyrus|imap|pop)' /var/log/maillog | tail -f -
+
+
+ Later, to test the STARTTLS negociation, you can
+ run the following command:
+
+
+ imtest -t "" server.example.com
+
+
+ To administer mailboxes inside Cyrus Imapd, set a password to
+ cyrus user (e.g., passwd cyrus), do login
+ with it, and connect to Cyrus IMAP server using the
+ cyradm command, as shown below:
+
+
+ cyradm --user=cyrus --auth=login localhost
+
+
+
+
+ Configuring Mail Server (SASL)
+
...
+
+
+
+ Configuring Web Server
+
+ ...
+
+
+
+
+ Configuring Directory Server
+
+ ...
+
+
+
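Review bot: the DNS data added in this hunk will not load as intended: in /var/named/example.com.rr.zone the record `IN NS 192.168.0.1` puts an IP address where an NS record requires a host name (BIND reads it as the relative name 192.168.0.1.0.168.192.in-addr.arpa.), so it should be `IN NS dns.example.com.`; and in /var/named/example.com.zone the NS target dns.example.com. and the MX target mail.example.com. are CNAMEs, which RFC 2181 forbids and named-checkzone reports, so make `dns` and `mail` A records for 192.168.0.1 (or point NS and MX at server.example.com.) and tell the reader to run `named-checkconf -z` before starting named.

Further points, in order of appearance. The pppd secrets file is /etc/ppp/chap-secrets, not /etc/ppp/cha-secrets, and because it holds the dial-in secret ("mail4u") in clear text the text should say it must be owned by root with mode 0600. `debug` in /etc/ppp/options logs every control packet to syslog, as its own comment says, and should be shown commented out for normal operation. The rndc secret JjsCg0VcCjZILGD8FR9nnw== appears verbatim in both /etc/named.conf and /etc/rndc.key, so replace it with an obvious placeholder instead of a real-looking value readers will copy, and the generator command is `rndc-confgen` (for example `rndc-confgen -a`), not `rndc-genconf`. In the named.conf comments, /etc/hosts.conf should be /etc/host.conf (twice), and the comment above the commented-out include says it is the root hints zone when the file being excluded is named.rfc1912.zones. `grep named /var/log/messages | tail -f -` and the later `egrep '(cyrus|imap|pop)' /var/log/maillog | tail -f -` do not follow the log, because grep exits at end of file; write them as `tail -f /var/log/messages | grep named` and `tail -f /var/log/maillog | egrep '(cyrus|imap|pop)'`. In /etc/postfix/main.cf, `mydomain = example.org` contradicts the example.com domain used everywhere else, and `mynetworks = 192.168.0.0/24` means every dial-in client may relay through this host, which the text should state explicitly. The Cyrus discussion describes CRAM-MD5 and DIGEST-MD5 as sending the password "encrypted"; they are challenge-response mechanisms, and the reason they fail against saslauthd is that saslauthd only verifies plaintext mechanisms (PLAIN and LOGIN), so shared-secret mechanisms need an auxprop backend such as sasldb that holds the password itself, which is also why a hashed password stored in LDAP does not help; state that as fact rather than as "my personal understanding", and say in the same place that PLAIN is only acceptable over TLS. The openssl command writes the private key and certificate into one file, so add `-newkey rsa:2048` (older OpenSSL releases default to 1024-bit keys) and note that the file must be readable only by root and the cyrus user. Finally, the added prose has several typos worth fixing in this commit: Internface, negociation, mechanisim, manchine, resotred, prenvent, commentted, choise, accound, DIGETS-MD5.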