Archive for the ‘Networking’ Category

Barracuda Spam Firewall Reject Bad Recipients with Zimbra LDAP

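You may need to open the LDAP port (389/tcp) on your Zimbra server. The rule below accepts connections from any source; adding -s with the Barracuda's address limits who can reach the directory: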

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT

Determine your Zimbra LDAP password:

# su - zimbra
$ zmlocalconfig -s zimbra_ldap_password
zimbra_ldap_password = XXXXXXXXXXXX

Open the Barracuda Spam Firewall administration interface. Click the Domains tab. Click the Modify link next to the domain(s) you would like to enable bad recipient rejection for. Click on the LDAP Configuration sub-tab under the Users tab. Retain all defaults except:

  • LDAP Server – Change this to the host name of your Zimbra server
  • Bind DN (Username) – Change this to uid=zimbra,cn=admins,cn=zimbra
  • Bind Password – Change this to your zimbra_ldap_password

Zimbra Firewall Configuration for RHEL/CentOS and Others

The firewall on a RHEL system is configured by default with system-config-firewall, which on the console is an annoying ncurses menu which doesn’t permit adding custom ports/protocols.

The ports you probably want open for Zimbra are:

25
    smtp [mta] - incoming mail to postfix 
80
    http [mailbox] - web mail client 
110
    pop3 [mailbox] 
143
    imap [mailbox] 
443
    https [mailbox] - web mail client over ssl 
465
    smtps [mta] - incoming mail to postfix over ssl (Outlook only) 
587
    smtp [mta] - Mail submission over tls 
993
    imaps [mailbox] - imap over ssl 
995
    pops [mailbox] - pop over ssl 
7071
    https [mailbox] - admin console

The raw iptables configuration is stored in /etc/sysconfig/iptables:

# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7071 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Ensure the iptables init script is part of your default runlevel.

# chkconfig --level 345 iptables on

Restart it to apply the changes.

# /etc/init.d/iptables restart
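
A quick way to catch a mistyped or forgotten port before restarting the firewall, as an added example that is not part of the original post: the script compares the ports opened in an iptables rules file with the list above. The sample rules, the 192.0.2.0/24 admin network and the choice to flag LDAP and the admin console when they are open to any source are assumptions made for the example.

```shell
#!/bin/sh
# Added example: compare the ports a rules file opens with the post's port list.
EXPECTED_PORTS="22 25 80 110 143 443 465 587 993 995 7071"  # post's list plus ssh
SENSITIVE_PORTS="389 7071"  # assumption: LDAP and admin console get a source limit

# Print "port any|limited" for each INPUT ACCEPT rule that has a single --dport.
# Port ranges and "-m multiport --dports" are not handled.
opened_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
        port = ""; src = "any"
        for (i = 3; i < NF; i++) {
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-s" || $i == "--source") src = "limited"
        }
        if (port != "") print port, src
    }' "$1"
}

# Report expected ports with no rule, rules for unlisted ports, and sensitive
# ports reachable from any source.
audit_rules() {
    opened=$(opened_ports "$1")
    for port in $EXPECTED_PORTS; do
        printf '%s\n' "$opened" | grep -q "^$port " || echo "MISSING $port"
    done
    printf '%s\n' "$opened" | while read -r port src; do
        [ -n "$port" ] || continue
        case " $EXPECTED_PORTS " in *" $port "*) ;; *) echo "UNEXPECTED $port" ;; esac
        case " $SENSITIVE_PORTS " in
            *" $port "*) if [ "$src" = any ]; then echo "ANYSOURCE $port"; fi ;;
        esac
    done
    return 0
}

# Constructed sample: 465 mistyped as 456, LDAP (389) open to every source.
sample_rules() {
    echo '*filter'
    for p in 22 25 80 110 143 443 456 587 993 995 389; do
        echo "-A INPUT -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
    done
    echo '-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 7071 -j ACCEPT'
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

tmp=$(mktemp) && sample_rules > "$tmp" && audit_rules "$tmp"
rm -f "$tmp"
```

Pass /etc/sysconfig/iptables to audit_rules to check the live file instead of the sample.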

Epic Segfault: Zimbra 5.0.18’s slapd on Ubuntu 8.04 Server LTS

After dealing with kernel panics (from what I am hoping was merely OOMs) by moving my new Zimbra VM to a different box and giving it 4 cores and 4 gigs of RAM and 4 gigs of swap, I was about 80 accounts deep into my second Courier-IMAP Maildir Migration when it started throwing this error:

service.FAILURE (system failure: ZimbraLdapContext)

dmesg shows:

[ 1299.261973] slapd[10678]: segfault at 444d2d54 eip b778f154 esp b1587e28 error 4

Upon restarting Zimbra everything seems to be fine. Unfortunately, the one reference to this error I have found (http://wiki.zimbra.com/wiki/Uninstall_Instructions_for_Unix_and_Windows_Account_Management_in_Admin_UI) states:

Once this is done, you’re almost out of the woods, but this last step is very, very important. You MUST run slapindex to update the indexes in your Zimbra LDAP database, or you run the risk of having segfault/protection errors that crash the slapd process. So far, this has mostly been observed using Zimbra Network Edition running on Ubuntu 8.04 Server LTS. The exact command is ‘/opt/zimbra/openldap-2.3.43.10z/sbin/slapindex’. The command will probably throw you an error message about “loglevel”. Open the referenced slapd file and temporarily change the log-level to an actual number (49152 is what I usually set it to). Then revert that change after slapindex has run. Start Zimbra again via ‘zmcontrol start’ and watch the processes for about 30 minutes to make sure nothing is amiss. If you get slapd errors, run slapindex again, it’s usually the cause of the problem.

The article has very little to do with what I’m trying to accomplish, but given the versions of Ubuntu and Zimbra I think it’s a fair bet that either/and:

  • We’re having the same problem anyway
  • Running slapindex might solve my problem too

Unfortunately, the migration moves quite slowly so adding slapindex to the script is out of the question.

I’ll be giving ZCS 8 a shot on RHEL 6 tomorrow. Hooray. >.>

Made in Canada  •  There's a fox in the Gibson!  •  2010-12