Number of slides: 107
SCO Office Server 4.1 Administration Series: Troubleshooting
Today's Presenter: Sean Costello, Technical Services Manager, Bynari, Inc.
Abstract: SCO Office Server 4.1 Troubleshooting

This session covers topics of interest to beginning and experienced mail system administrators who wish to improve their troubleshooting skills and their understanding of the SCO Office Mail Server. The focus is on the core components supporting successful mail delivery, logging, configuration, migration and data-store repair. The WebClient and the Connector will be discussed briefly.
Agenda
- Architecture Overview (10 min)
- Logging (10 min)
- Core Components & Configuration (40 min)
- Migration (20 min)
- WebClient & Connector (10 min)
Architecture Overview
- Component Diagrams
- Start Up
- System & Component Logging
High Level Mail Flow (diagram; layout not preserved). Components shown: Postfix, Amavisd with SpamAssassin and ClamAV, Global Disclaimers, Cyrus with Sieve, Connector, Web Client.
Component Diagram (diagram not preserved)
Starting SCOoffice Server (diagram, two slides). The insightserver service (/etc/init.d/insightserver) runs the component rc scripts in this order: slapd, slurpd, saslauthd, clamd, amavisd (which invokes clamscan and spamassassin), postfix (whose master spawns qmgr, pickup, cleanup, trivial-rewrite, local, flush and smtpd), cyrus master (imapd, pop3d), apachectl (httpd), proftpd, and mon (mon.d and alert.d scripts).
Logging
- Syslogd
- Other Log Files
List of log files

SCO Office uses the following log files:
- /var/adm/syslog
- /opt/insight/logs/amavis.log
- /opt/insight/logs/freshclam.log
- /opt/insight/logs/access_log
- /opt/insight/logs/error_log
Logging configuration files

Where to specify component logging levels:
- /etc/syslog.conf
- /opt/insight/etc/postfix/master.cf
- /opt/insight/etc/postfix/main.cf
- /opt/insight/etc/amavisd.conf
- /opt/insight/etc/clamav.conf
- /opt/insight/etc/freshclam.conf
- /opt/insight/etc/apache/httpd.conf
- /opt/insight/etc/php.ini
Syslogd facility

Component               Syslogd facility
Cyrus IMAP and POP3     local6
Postfix                 mail
SASLAUTHD               auth
ProFTPD                 authpriv
Mon                     (coming soon)
slapd/slurpd            local4
Syslog events to monitor

Events to monitor in syslog:
- Monitor SMTPD connections:
  # egrep "[^s]connect from|client=" /var/adm/syslog
- Monitor bounced messages:
  # grep status=bounced /var/adm/syslog
- Monitor deferred messages:
  # grep status=deferred /var/adm/syslog
- Monitor Cyrus database errors:
  # grep DBERROR /var/adm/syslog
- Monitor SASLAUTHD authentication failures:
  # grep "auth failure" /var/adm/syslog
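The five checks above, wrapped into a small triage script. This is an added example, not part of the SCO deck: the syslog lines it scans are constructed to look like the Postfix, Cyrus and saslauthd entries the slides quote, and the queue-ID and user extraction is an assumption about the usual Postfix/saslauthd line layout. Setting LOGFILE=/var/adm/syslog runs the same checks against a live server without touching the sample file.

```shell
#!/bin/sh
# Added example (not from the SCO deck): the slide's syslog checks as functions.
# Sample log lines are constructed; the real log is never written to.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Feb 14 19:23:01 mail postfix/smtpd[1234]: connect from unknown[192.168.4.50]
Feb 14 19:23:02 mail postfix/smtpd[1234]: client=unknown[192.168.4.50]
Feb 14 19:23:03 mail postfix/smtpd[1234]: disconnect from unknown[192.168.4.50]
Feb 14 19:23:05 mail postfix/lmtp[27745]: 35170199D5: to=<jdoe@example.com>, relay=/opt/insight/var/imap/socket/lmtp, delay=0, status=bounced (host said: 550 Mailbox unknown)
Feb 14 19:23:09 mail postfix/smtp[27746]: 4A2B1C9: to=<bob@example.net>, relay=none, delay=31, status=deferred (connect to mx.example.net[10.0.0.9]: Connection timed out)
Feb 14 19:23:10 mail imap[5001]: DBERROR db4: PANIC: fatal region error detected; run recovery
Feb 14 19:23:12 mail saslauthd[6002]: do_auth         : auth failure: [user=jdoe] [service=imap] [realm=example.com] [mech=ldap]
Feb 14 19:23:20 mail postfix/smtp[27747]: 4A2B1D0: to=<ann@example.org>, relay=mx.example.org[10.0.0.8]:25, delay=2, status=sent (250 Ok)
EOF
LOGFILE="${LOGFILE:-$SAMPLE}"

# Number of lines matching an extended regex; prints 0 instead of failing.
count_matches() { grep -c -E "$1" "$LOGFILE" || true; }

# "[^s]connect from" deliberately excludes the "disconnect from" lines.
smtpd_connections() { count_matches '[^s]connect from|client='; }
bounced_messages()  { count_matches 'status=bounced'; }
deferred_messages() { count_matches 'status=deferred'; }
cyrus_dberrors()    { count_matches 'DBERROR'; }
sasl_failures()     { count_matches 'auth failure'; }

# Queue IDs with the given status (bounced or deferred), one per line, ready
# for a follow-up with postqueue -p or postsuper.
queue_ids_with_status() {
    grep "status=$1" "$LOGFILE" | sed -n 's/.*]: \([0-9A-F]*\): to=.*/\1/p'
}

# Distinct user names in saslauthd failures: one account repeating suggests a
# stale password, many accounts suggest a guessing run worth investigating.
failed_auth_users() {
    grep 'auth failure' "$LOGFILE" | sed -n 's/.*\[user=\([^]]*\)].*/\1/p' | sort -u
}

triage() {
    printf 'smtpd connections : %s\n' "$(smtpd_connections)"
    printf 'bounced           : %s\n' "$(bounced_messages)"
    printf 'deferred          : %s\n' "$(deferred_messages)"
    printf 'cyrus DBERROR     : %s\n' "$(cyrus_dberrors)"
    printf 'SASL auth failures: %s\n' "$(sasl_failures)"
}
triage
```

Run it as-is to see the counts for the constructed lines; `queue_ids_with_status deferred` then lists the IDs to look for in `postqueue -p` output.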
Server Components & Configuration: Apache, Cyrus, ProFTPD, Postfix, OpenLDAP
List of components

- Apache - HTTP(S): Web Administration Interface; Web Client Interface
- Postfix - SMTP(S): Primary MTA for the system; Site Content Filtering; Global Disclaimers
- Cyrus - IMAP(S) / POP3(S) / LMTP: POP3 or IMAP Agent; Sieve Rules
- OpenLDAP - LDAP(S): Central User Authentication; Structural Configuration Repository
- ProFTPD - FTP: Freebusy Publishing
Apache

version: Apache/1.3.29
port listener(s): HTTP 80, HTTPS 443
user/groups: apache
modules: ssl, php
shell util(s): openssl
crontab: Backup Scripts, Resource Manager
Apache Files & Directories

rc script: /opt/insight/etc/rc/apache
home directory: /opt/insight/htdocs/
configuration files:
  /opt/insight/etc/apache.conf
  /opt/insight/etc/apache/totalapache.conf
  /opt/insight/htdocs/(...)/.htaccess
Apache Log Files

Log files:
  /opt/insight/logs/error_log
  /opt/insight/logs/access_log
  /opt/insight/logs/ssl-error_log
  /opt/insight/logs/ssl_engine_log
  /opt/insight/logs/ssl_request_log

Logging configuration file: /opt/insight/etc/apache/totalapache.conf
  ErrorLog     logs/error_log
  LogLevel     warn
  CustomLog    logs/access_log combined env=!VLOG
  SSLLog       logs/ssl_engine_log
  SSLLogLevel  info
  ErrorLog     logs/ssl-error_log
  TransferLog  logs/ssl-access_log
  CustomLog    logs/ssl_request_log
Apache Configuration Files

The base configuration file apache.conf is generated by the Web Admin interface. Updates made to this file manually must also be reflected in the SCOconfig.xml file.
Apache Crontab

The Apache crontab is used for initiating:
- Backup scripts (LDAP, Cyrus, configuration files)
- Cleanup backup script
- Resource manager
Apache Crontab

Things You Should Know:
- The appropriate backup script must be modified if the default data storage locations are changed.
  FILELIST="$CONFIGDIRECTORY /opt/insight/var/spool/imap"
  /opt/insight/etc/imapd.conf: partition-default: /opt/insight/var/spool/imap
- The cleanup backups script is scheduled to run once monthly. Verify that the cleanup backups script is not disabled, and increase the frequency to avoid running out of disk space.
- The cleanup backups script removes archives older than 14 days. It must be manually edited to change the retention period.
  /opt/insight/htdocs/is4web/cron/server-cleanup_backup_files.sh: DAYS="14"
Apache Crontab

Things You Should Know:
- The resource manager binary initiates the responses to meeting requests sent to resource accounts and updates free/busy information for all users. This process is scheduled to run every 10 minutes.
  /opt/insight/bin/resourcemgr.sh
Apache Troubleshooting

If the web server will not start for no apparent reason:

1. Make sure that the pid file doesn't already exist.
  # ls -l /opt/insight/var/run/httpd.pid
  -rw------- 1 root sys 6 Feb 14 19:23 /opt/insight/var/run/httpd.pid
  If the file exists while the server is stopped, delete it...
  # rm /opt/insight/var/run/httpd.pid
Apache Troubleshooting (cont.)

If the web server will not start for no apparent reason:

2. Increase the LogLevel verbosity in the configuration file /opt/insight/etc/apache/totalapache.conf. Change the entry from...
  LogLevel warn
  ...to...
  LogLevel debug
  ...save and exit the file, then restart Apache...
  # /opt/insight/etc/rc/apache restart
Apache Troubleshooting (cont.)

If the web server will not start for no apparent reason:

3. Start the Apache process directly from the shell to capture console logging...
  # cd /opt/insight/etc/rc
  # ./apache stop
  # /opt/insight/sbin/apachectl start
  dynamic linker : /opt/insight/sbin/httpd : could not open libmhash.so.2
  /opt/insight/sbin/apachectl: 29125 Killed
  /opt/insight/sbin/apachectl start: httpd could not be started
  #_
Apache Troubleshooting (cont.)

If the web server will not start for no apparent reason:

3. (cont.) ...we find that the Apache server couldn't start because it couldn't locate a linked library. We could also have found this using ldd, like so...
  # cd /opt/insight/sbin
  # ldd ./httpd
  needs:
      libcurl.so.2 => /opt/insight/lib/libcurl.so.2
      libldap.so.2 => /opt/insight/lib/libldap.so.2
      /usr/lib/libgnuintl.so.4
  dynamic linker : ./httpd : could not open libmhash.so.2
Apache Troubleshooting (cont.)

If the web server will not start for no apparent reason:

3. (cont.) ...in this scenario we know that libmhash.so.2 resides in /opt/insight/lib/, so we have found a missing symbolic link. Fix it by creating a symlink to the library with the command...
  # ln -s /opt/insight/lib/libmhash.so.2 /opt/K/SCO/oms/4.1.0Ga/opt/insight/lib/libmhash.so.2
  # ldd ./httpd
  needs:
      libcurl.so.2 => /opt/insight/lib/libcurl.so.2
      libldap.so.2 => /opt/insight/lib/libldap.so.2
      /usr/lib/libgnuintl.so.4
      libmhash.so.2 => /opt/insight/lib/libmhash.so.2
  ...
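Two of the steps above lend themselves to a script: step 1 (is the pid file stale, or does it belong to a running httpd?) and step 3 (which shared libraries did the dynamic linker fail to resolve?). The following is an added example, not code from the SCO deck: the pid file it tests and the ldd output it parses are constructed for the demonstration, and the "=> not found" form is an assumption about ldd implementations other than SCO's.

```shell
#!/bin/sh
# Added example (not from the SCO deck): checks for the "httpd will not start"
# procedure. Paths and ldd output used in the demo are constructed.

# Usage: stale_pidfile /opt/insight/var/run/httpd.pid
# Exit 0 = file exists and its pid is dead (safe to rm), 1 = pid is alive
# (do not remove, httpd is running), 2 = no pid file or no pid inside it.
stale_pidfile() {
    pidfile=$1
    [ -r "$pidfile" ] || return 2
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] || return 2
    # kill -0 probes for existence without sending a signal; ps covers the
    # case where the pid exists but belongs to another user (EPERM).
    if kill -0 "$pid" 2>/dev/null || ps -p "$pid" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage: unresolved_libs < ldd-output   (prints one library name per line)
# Recognises the SCO "could not open X" message and the "X => not found" form.
unresolved_libs() {
    sed -n \
        -e 's/.*could not open \([^ ]*\).*/\1/p' \
        -e 's/^[[:space:]]*\([^ ]*\) => not found.*/\1/p'
}

# Demonstration on constructed data.
demo() {
    tmp=$(mktemp)
    sleep 0 &                 # a process that has exited by the time we look
    dead=$!; wait "$dead"
    echo "$dead" > "$tmp"
    stale_pidfile "$tmp" && echo "stale pid file, safe to rm: $tmp"
    echo $$ > "$tmp"
    stale_pidfile "$tmp" || echo "pid $$ is alive, leave the pid file alone"
    rm -f "$tmp"

    unresolved_libs <<'EOF'
needs:
    libcurl.so.2 => /opt/insight/lib/libcurl.so.2
    libldap.so.2 => /opt/insight/lib/libldap.so.2
dynamic linker : ./httpd : could not open libmhash.so.2
    libfoo.so.1 => not found
EOF
}
demo
```

On a live box the pair is `stale_pidfile /opt/insight/var/run/httpd.pid` before any `rm`, and `ldd /opt/insight/sbin/httpd | unresolved_libs` to get the list of libraries to locate or symlink.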
Apache Troubleshooting (cont.)

To troubleshoot resourcemgr issues, initiate it manually by running the shell command:
  # su - apache -c '/opt/insight/bin/resourcemgr.sh'
Apache Question: How can I force users to connect to the server via SSL?
Apache Question

Answer: Admins can force users to be redirected to https:// via .htaccess files. They can also restrict access to the admin portion of the server from the Internet using the same method.

  RewriteEngine On
  RewriteCond %{SERVER_PORT} !^443$
  RewriteRule ^login.php$ https://www.mydomain.com/login.php [R,L]

The condition matches requests that did not arrive on the SSL port, so a request already on https is served without another redirect.
Postfix

version: Postfix (2.0.20)
port listener(s): SMTP 25, SMTPS 465, 10025
user/groups: postfix, postdrop
content filter: Amavisd-new, Global Disclaimers
shell util(s): newaliases, postconf, postqueue, postmap, postsuper, post-install
Postfix Files & Directories

rc script: /opt/insight/etc/rc/postfix
home directory: /opt/insight/var/spool/postfix
configuration files:
  /opt/insight/etc/postfix/main.cf
  /opt/insight/etc/postfix/master.cf
  /opt/insight/etc/mail/aliases
  ...LDAP bind cfg files (4.2)
  /opt/insight/etc/postfix/ldap-domains.cf
  /opt/insight/etc/postfix/ldap-forward.cf
  /opt/insight/etc/postfix/ldap-recipient.cf
  /opt/insight/etc/postfix/ldap-sender.cf
  /opt/insight/etc/postfix/ldap-source.cf
  ...other customizable cfg files
  /opt/insight/etc/postfix/transport
  /opt/insight/etc/postfix/header_checks
Postfix Configuration Files

There are two primary Postfix configuration files. The first is master.cf. It is not generated by the Web Admin interface. The contents of this file are generally static, but it can be customized to the customer's needs. Each line describes how a mailer component program should be run. Below are the sections primarily used by Insight Server.
Postfix Configuration Files

The second file is main.cf. It is generated by the Web Admin interface. Manual updates to this file must also be made in the SCOconfig.xml file if they are to be retained permanently.

  # Generated by SCOoffice Mail Server 4.1.0, 07/21/05 13:42:48
  # Any changes to this file will be lost
  myhostname = giraffe.pdev.sco.com
  mydomain = pdev.sco.com
  myorigin = $mydomain
  mydestination = $myhostname, $mydomain
  mynetworks = 127.0.0.1, 192.168.0.22
  relay_domains = $mydestination
  local_recipient_maps = $alias_maps ldap:ldapsource
  alias_maps = hash:/opt/insight/etc/mail/aliases
  alias_database = hash:/opt/insight/etc/mail/aliases
  #transport_maps =
  mailbox_transport = lmtp:unix:/opt/insight/var/imap/socket/lmtp
  smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
Postfix Logging Configuration

log file: /usr/adm/syslog [postfix]
Logging configuration file: /opt/insight/etc/postfix/main.cf
  smtp_tls_loglevel = 0     *
  smtpd_tls_loglevel = 0    *
  syslog_facility = mail
  syslog_name = postfix
* Logs TLS (transport layer security) activity
Postfix Logging Configuration

Logging configuration file: /opt/insight/etc/postfix/master.cf
  #================================
  # service     type  private unpriv  chroot  wakeup  maxproc command + args
  ...
  #================================
  smtp            inet  n       -       n       -       -       smtpd -vv
  qmgr            fifo  n       -       n       300     1       qmgr -v
  lmtp            unix  -       -       n       -       -       lmtp -v
  smtp-amavis     unix  -       -       n       -       3       smtp -v
  127.0.0.1:10025 inet  n       -       n       -       -       smtpd
Reload Postfix after modifying this file with -v for debug output.
  # /opt/insight/sbin/postfix reload
Anatomy of Postfix: Mail Delivery (diagram). Processes shown: sendmail, postdrop, maildrop, pickup, smtpd, cleanup, trivial-rewrite, incoming, qmgr, active, local, smtp, pipe, bounce. Local submissions pass sendmail -> postdrop -> maildrop -> pickup -> cleanup; network submissions pass smtpd -> cleanup; cleanup (consulting trivial-rewrite) writes to incoming, qmgr moves messages to active and hands them to the local, smtp or pipe delivery agents, with bounce handling undeliverable mail.
Postfix Shell Utilities

- postconf: displays the currently running Postfix configuration parameters and their settings.
  # /opt/insight/sbin/postconf | grep mynetworks
- postqueue -p: displays the current contents of the Postfix queue.
  # /opt/insight/sbin/postqueue -p
- postqueue -f: flushes the current contents of the Postfix queue. Used to initiate an immediate delivery retry for the queued item(s).
  # /opt/insight/bin/postqueue -f
- newaliases: generates the system aliases file '/opt/insight/etc/mail/aliases.db' from the source file '/opt/insight/etc/mail/aliases'.
  # /opt/insight/bin/newaliases
Postfix Shell Utilities (cont.)

- postmap -fq: tests regexp: files with simulated strings as if looked up from main.cf at run time.
  # /opt/insight/sbin/postmap -fq myemail@example.net regexp:/opt/insight/postfix/mydestinations
- postmap: compiles text files into Berkeley DB binaries. The command below creates the file transport.db used for the Postfix transport entries specified in main.cf. This utility can also generate the aliases.db file that the newaliases command produces.
  # /opt/insight/sbin/postmap /opt/insight/etc/postfix/transport
Postfix Shell Utilities (cont.)

- postsuper -d: deletes the specified queue ID. postsuper is used to manipulate the queue contents: placing items on hold, releasing them, requeuing and purging.
  # /opt/insight/sbin/postsuper -d D67B9D8
- post-install: resets the queue directory structure and permissions. You must also fix the permissions on the main.cf file so that apache can write to it when the configuration is pushed through the Web Admin interface.
  # /opt/insight/etc/postfix/post-install set-permissions command_directory=/opt/insight/sbin
  # cd /opt/insight/etc/postfix
  # chmod 775 main.cf
  # chown root:apache main.cf
  # ls -l main.cf
  -rwxrwxr-x 1 root apache 2765 Feb 14 19:22 main.cf
Postfix Troubleshooting

The majority of SCO Office Server issues concern Postfix configuration or delivery. Troubleshooting this component goes in this order...

1. Does it start? If Postfix will not start properly, this is almost always due to a configuration entry in the /opt/insight/etc/postfix/main.cf file. To check for this condition, grep the log file for a fatal error entry; you will see something along the lines of...
  postfix/cleanup[26411]: fatal: open dictionary: need "type:name" form instead of: "test"
Any time you see fatal in the logs regarding Postfix, it's a sure sign that there is a problem with the Postfix configuration.
Postfix Troubleshooting (cont.)

2. Will it relay mail for clients via SMTP? Generally speaking, Postfix will often be capable of sending email via SMTP before it can deliver locally. This is because local delivery requires both SMTP and LMTP, while relaying outside the domain only requires SMTP. If it will not relay mail for clients, there are a number of possible reasons, discussed in the FAQ on this topic.
Postfix Troubleshooting (cont.)

3. Will it deliver mail locally? First determine whether Postfix is configured to accept mail for the domain you are sending to. The settings that determine this are 'mydestination', which lists the domains that are local to this server, and 'relay_domains', which lists domains this server will accept mail for (useful when using this server as an alternate MX destination in DNS). Postfix can be tested through a port 25 connection from an IP address not listed in $mynetworks, attempting to send an email to root@example.com with the following command sequence...
  # telnet 192.168.4.100 25
  EHLO sco.com
  MAIL FROM: test@sco.com
  RCPT TO: root@example.com
  // at this point you will receive either '554 <root@example.com>: Relay access denied' or '250 Ok', which means the server accepts mail for this domain.
  DATA
  This is a test message.
  .
  quit
Postfix Troubleshooting (cont.)

3. (cont.) After validating that the server will accept mail for this domain, we move on to the next step. There are two possible reasons for local delivery failure when the server accepts mail for the domain: either it can't bind to the LDAP server to validate the local_recipient_maps entry, or it knows it's a local address but can't deliver via lmtp:. The first is easy to spot in the logs...
  fatal: ldap:/opt/insight/etc/postfix/main.cf(0,100): table lookup problem
Cat the file contents to find out what the bind credentials should be, then test them as discussed in the OpenLDAP section using the ldapsearch utility.
Postfix Troubleshooting (cont.)

3. (cont.) The second is also easy to spot in the logs...
  postfix/lmtp[27745]: 35170199D5: to=<jdoe@example.com>, relay=/opt/insight/var/imap/socket/lmtp[/opt/insight/var/imap/socket/lmtp], delay=0, status=bounced (host /opt/insight/var/imap/socket/lmtp[/opt/insight/var/imap/socket/lmtp] said: 550 Mailbox unknown. Either there is no mailbox associated with this 550-name or you do not have authorization to see it. 550 5.1.1 User unknown (in reply to RCPT TO command))
This always relates to the defaultdomain entry in the /opt/insight/etc/imapd.conf file.
Postfix Question: My users can only send email internally via SMTP. When external addresses are specified they get "Relay access denied".
Postfix Question

Answer: This error results from Postfix's configuration, which restricts relaying to authenticated users or to connections coming from the ranges listed in the mynetworks parameter in the main.cf configuration file. The ranges supplied via mynetworks are generally the internal network number or the specific IP addresses of machines known to relay SMTP traffic. In all other circumstances, authenticated SMTP is required.

IC2: to specify SMTP authentication in Outlook, go to Tools > Accounts > View or change existing > select the POP3 account name > Change > More settings > Outgoing Server tab and check the box that says "My server requires SMTP authentication".

IC3: to specify SMTP authentication in Outlook, go to Tools > Accounts > View or change existing > select the Insight Connector IMAP account > Change > Advanced tab and check the box that says "SMTP server requires authentication". Customers concerned about sending the uid/password in the clear should also check the box titled "Use Transport Layer Security (TLS)".
Postfix Question

Answer (cont.):

Pix firewall: there is a known issue with the Cisco Pix Firewall's SMTP protocol-hardening feature. It allows SMTP delivery to Postfix but breaks Postfix's SMTP authentication. To disable it, use the following option in the Pix configuration...
  no fixup protocol smtp

Postfix: the configuration entry "mynetworks" is specified in the Web Admin interface at Configuration > Services > Postfix. The default setting for mynetworks is localhost and the box's own IP address, like so...
  # /opt/insight/sbin/postconf | grep mynetworks
  mynetworks = 127.0.0.1, 192.168.3.211
Postfix Question

Answer (cont.):

Networks in this configuration entry are comma-separated values. Whenever a four-octet number is specified by itself without a prefix length, it is assumed to be host specific. The following line is exactly equivalent to the one above...
  mynetworks = 127.0.0.1/32, 192.168.3.1/32
When no network portion of the value is supplied, /32 is implied. If we wanted to append a class C subnet for an internal network, it would look as follows...
  mynetworks = 127.0.0.1, 192.168.3.1, 172.16.8.0/24
This means that any source IP address in 172.16.8.1-255 is allowed to relay SMTP traffic through Postfix without authentication. Any number of bits for the network address may be specified (0-32).

CAUTION: The IP portion of the network number MUST be a valid network boundary for the number of bits specified. If it is not, Postfix may start but will not deliver mail, locally or otherwise.
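The CAUTION above is easy to check before a restart. The following is an added example, not code from the SCO deck: it parses a mynetworks value with the rules stated on the slide (comma-separated entries, /32 implied when no prefix is given, 0-32 bits allowed), rejects entries whose host bits are not all zero, and also answers the practical question behind the "Relay access denied" error: would a given client address be allowed to relay without authentication? The sample values are constructed; the function and helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the SCO deck): validate a Postfix mynetworks value
# and test whether a client address falls inside it. Sample values are constructed.

# Print a dotted-quad address as a 32-bit integer; fail on a malformed address.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Split "a.b.c.d[/bits]" into NET (integer) and BITS; /32 is implied.
parse_entry() {
    net=${1%%/*}
    BITS=${1#*/}
    [ "$BITS" = "$1" ] && BITS=32
    case $BITS in ''|*[!0-9]*) return 1;; esac
    [ "$BITS" -le 32 ] || return 1
    NET=$(ip_to_int "$net") || return 1
}

# Exit 0 when every entry is well formed and on a network boundary; otherwise
# print the offending entries and exit 1 (Postfix may start but will not deliver).
# Usage: check_mynetworks "$(/opt/insight/sbin/postconf mynetworks | sed 's/^[^=]*= *//')"
check_mynetworks() {
    rc=0
    old_ifs=$IFS; IFS=', '
    set -- $1
    IFS=$old_ifs
    for entry in "$@"; do
        [ -n "$entry" ] || continue
        if ! parse_entry "$entry"; then
            echo "malformed entry: $entry"; rc=1
        elif [ $(( NET & ((1 << (32 - BITS)) - 1) )) -ne 0 ]; then
            echo "not a network boundary: $entry"; rc=1
        fi
    done
    return $rc
}

# Exit 0 when the client address is inside any valid entry, i.e. Postfix would
# relay for it without SMTP authentication.
# Usage: relay_allowed 172.16.8.77 "127.0.0.1, 172.16.8.0/24"
relay_allowed() {
    client=$(ip_to_int "$1") || return 1
    old_ifs=$IFS; IFS=', '
    set -- $2
    IFS=$old_ifs
    for entry in "$@"; do
        parse_entry "$entry" || continue
        hostmask=$(( (1 << (32 - BITS)) - 1 ))
        [ $(( client & ~hostmask )) -eq $(( NET & ~hostmask )) ] && return 0
    done
    return 1
}

check_mynetworks "127.0.0.1, 192.168.3.1, 172.16.8.0/24" && echo "mynetworks OK"
check_mynetworks "127.0.0.1, 172.16.8.1/24" || echo "fix mynetworks before restarting Postfix"
relay_allowed 172.16.8.77 "127.0.0.1, 192.168.3.1, 172.16.8.0/24" && echo "172.16.8.77 may relay"
```

An entry such as 172.16.8.1/24 is the exact mistake the CAUTION warns about: the host part is not zero for a 24-bit prefix, and the checker reports it instead of leaving Postfix to fail silently at delivery time.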
Postfix Question: I have created a new domain. Postfix is rejecting mail to all users in the domain.
Postfix Question

Answer: The mydestination parameter in the main.cf file must list all domains hosted by the server.
Postfix Question: Postfix is rejecting mail for some users in a domain but not others.
Postfix Question

Answer: This is due to a pre-MP1/MP2 bug that set the LDAP attributes mailSenderAccess and mailRecipientAccess to the value OK when the 'Send only local mail' or 'Receive only local mail' restrictions were turned off for the user. These two attributes should only be present when the restrictions are turned on. The correct values for these attributes when the restriction is enabled are:
  mailSenderAccess = local_sender_only
  mailRecipientAccess = local_recipient_only
Occurrences of these attributes with the value OK need to be removed from LDAP.
Postfix Question

To fix:
1. Verify that the domain for the users is listed in the mydestination parameter in the main.cf file.
2. Use ldapsearch to identify the users with the incorrect attribute settings.
  # ldapsearch -x -D cn=admin -w admin o mailrecipientaccess
  # Scott Simmons, pdev.sco.com
  dn: cn=Scott Simmons, o=pdev.sco.com
  mailRecipientAccess: OK
3. Use the ldapmodify utility to remove instances of mailSenderAccess = OK and mailRecipientAccess = OK.
  # ldapmodify -x -D cn=admin -w admin
  dn: cn=Scott Simmons, o=pdev.sco.com
  changetype: modify
  delete: mailRecipientAccess
  <ctrl-d>
  modifying entry "cn=Scott Simmons, o=pdev.sco.com"
  <ctrl-d>
  #
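Typing one ldapmodify record per affected user does not scale, and deleting the attribute blindly would also strip a genuine local_sender_only / local_recipient_only restriction from users who are meant to have it. The following is an added example, not part of the SCO deck: it reads ldapsearch output and emits ldapmodify input only for attributes whose value is OK. The LDIF it works on is constructed sample data; the entry names are made up.

```shell
#!/bin/sh
# Added example (not from the SCO deck): generate the ldapmodify input that
# removes mailSenderAccess / mailRecipientAccess only where the value is the
# bogus "OK". The LDIF below is constructed sample ldapsearch output.
SAMPLE_LDIF=$(cat <<'EOF'
dn: cn=Scott Simmons, o=pdev.sco.com
cn: Scott Simmons
mail: ssimmons@pdev.sco.com
mailRecipientAccess: OK

dn: cn=Jane Doe, o=pdev.sco.com
cn: Jane Doe
mail: jdoe@pdev.sco.com
mailSenderAccess: local_sender_only

dn: cn=Bob Roe, o=pdev.sco.com
cn: Bob Roe
mailSenderAccess: OK
mailRecipientAccess: OK
EOF
)

# Usage: ok_access_fixes < ldapsearch-output
# One "changetype: modify" record per offending attribute. Attribute names are
# compared case-insensitively, as LDAP itself does. Entries whose value is a
# real restriction (local_*_only) produce nothing and are left alone.
ok_access_fixes() {
    awk '
        /^dn: / { dn = substr($0, 5) }
        tolower($1) == "mailsenderaccess:"    && $2 == "OK" { fix(dn, "mailSenderAccess") }
        tolower($1) == "mailrecipientaccess:" && $2 == "OK" { fix(dn, "mailRecipientAccess") }
        function fix(entry, attr) {
            printf "dn: %s\nchangetype: modify\ndelete: %s\n-\n\n", entry, attr
        }
    '
}

# Number of attributes that would be removed, for a before/after sanity check.
ok_access_count() { ok_access_fixes | grep -c '^delete: ' || true; }

# Review the output first, then pipe it into ldapmodify, e.g.
#   ldapsearch -x -D cn=admin -w <password> ... | ok_access_fixes | ldapmodify -x -D cn=admin -w <password>
printf '%s\n' "$SAMPLE_LDIF" | ok_access_fixes
```

For the constructed data this emits three records (one for Scott Simmons, two for Bob Roe) and nothing for Jane Doe, whose mailSenderAccess is a legitimate restriction.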
Postfix Question: Mail is getting stuck in the mail queue and in the maillog I see "Mail loops back to myself". What's wrong?
Postfix Question

Answer: When this happens, it means that when Postfix sees the email's destination address it doesn't consider the domain to be local. Check the mydestination entry in Configuration > Services > Postfix. The default appears as below...
  # /opt/insight/sbin/postconf | grep mydestination
  mydestination = $myhostname, $mydomain
By default the machine's hostname (FQDN) and domain are the Postfix variables that are considered local destinations. This is not a requirement, and additional domains can be appended to this list, separated by commas, as follows...
  mydestination = $myhostname, $mydomain, example.com, example.net
Restart Postfix with these settings and Postfix will consider the domains example.com and example.net local destinations.
Postfix Question: When users send to a single unknown recipient in a list of users, the server responds with "no transport available". I would rather the server send the email to the known recipients and only bounce the email to the unknown address. How do I configure Postfix to do this?
Postfix Question

Answer: If the address for a local destination domain is not found in the LDAP database or in the system aliases, the SMTP server issues a 550 error "Unknown local recipient" within the SMTP connection itself. There are times when you may wish to suppress this behaviour, such as when using luser_relay or in other delivery scenarios. In these cases you must update the Postfix configuration entry from...
  local_recipient_maps = $alias_maps ldap:/opt/insight/etc/postfix/ldap-source.cf
...to...
  local_recipient_maps =
After restarting Postfix, the server will bounce only the email destined to the unknown recipient and deliver the message to all other addresses. Note that with local_recipient_maps empty, Postfix accepts mail for every address in its local domains at SMTP time and generates the bounce afterwards, so mail with forged sender addresses will produce bounces to third parties.
Postfix Question: How do I configure Postfix to use a relayhost that requires authentication?
Postfix Question

Answer: Perform the following steps to configure Postfix to use authentication in its SMTP relayhost connection:
1. Update the existing Postfix entry...
  relayhost = mail.example.com
In /opt/insight/etc/postfix/main.cf, add the lines:
  smtp_sasl_auth_enable = yes
  smtp_sasl_password_maps = hash:/opt/insight/etc/postfix/sasl_passwd
  smtp_sasl_security_options = noplaintext, noanonymous
Postfix Question

Answer (cont.):
NOTE: The above entries must also be added to the configuration file /opt/insight/htdocs/is4web/xml/config.xml in Insight Server. This allows the entries to also be seen from the Web Admin interface.
2. Next, create the file /opt/insight/etc/postfix/sasl_passwd with the information you use to log in to your mail account at example.com:
  mail.example.com user:password
3. Then create the Postfix database by logging in as root and running:
  # /opt/insight/sbin/postmap /opt/insight/etc/postfix/sasl_passwd
4. Finally, restart Postfix...
  # /opt/insight/etc/rc/postfix restart
Recommended Reading: The Book of Postfix: State-of-the-Art Message Transport, by Ralf Hildebrandt and Patrick Koetter (paperback).
Cyrus

version: Cyrus IMAP4 v2.2.10
port listener(s): IMAP 143, POP3 110, IMAPS 993, POP3S 995, SASL 2003, Sieve 2000
user/groups: cyrus, mail
rules filter: Sieve
shell util(s): reconstruct, ctl_mboxlist, ctl_cyrusdb, db_recover, sieveshell, nc
Cyrus Files & Directories

rc script: /opt/insight/etc/rc/cyrus
home directory: /opt/insight/var/cyrus
default partition: /opt/insight/var/spool/imap
configuration files:
  /opt/insight/etc/cyrus.conf
  /opt/insight/etc/imapd.conf
  /opt/insight/etc/saslauthd.conf
log file: /usr/adm/syslog [imap, pop3, master]
Cyrus configuration files

The Cyrus server component actually consists of various processes, each performing a specific task. All of these tasks are controlled by the cyrus master. There is a specific process started for imap, pop3, saslauthd, sieve and lmtp. Each of these is a process spawned by the cyrus master process, and the startup parameters can be found in /opt/insight/etc/cyrus.conf. This configuration file for the most part remains static and is not generated by the Web Admin interface. The only parameter that may need to be tuned is the lmtpunix line, which on larger installations may need to be increased. Its 'maxchild=10' throttles the number of processes available for the local delivery of messages. If you increase 'local_destination_concurrency_limit' in the Postfix configuration, you must also increase the maxchild parameter so that processes are available to receive the increased number of local delivery attempts.
Cyrus configuration files

The primary configuration file for the Cyrus server is imapd.conf. This file is generated by the Web Admin interface, so any changes would also need to be applied to config.xml to make them permanent. The majority of imapd.conf entries remain static, except for three. Two of these entries are only changed upon initial installation, while the third reflects every domain that can log in to the IMAP server.

partition-default designates the root directory used for the file-system-level mail store of messages.

defaultdomain is, in the majority of cases, also the primary domain on the server. Occasionally, when Postfix is unable to send to LMTP, this setting is the root cause: Postfix logs an access denied while writing to the LMTP socket.

loginrealms lists every domain hosted on the server and is used by saslauthd to search domains in LDAP. If all users from a particular domain are unable to log in to the server, the configuration of this entry is always the culprit.
Cyrus shell util(s)

reconstruct
  # su - cyrus -c '/opt/insight/bin/reconstruct -rfx "user"'
- Used to manually reconstruct the Cyrus files that track folder contents. If reconstruct can find existing header and index files, it attempts to preserve any data in them that is not derivable from the message files themselves. The state reconstruct attempts to preserve includes the flag names, flag state and internal date. Reconstruct derives all other information from the message files.
NOTE: reconstruct does not update the quota files, so if reconstruct was run on a folder with a quota it is advisable to run the quota command with the -f option to update these files as well.
  # su - cyrus -c '/opt/insight/sbin/quota -f'

ctl_mboxlist
  # su cyrus -c "/opt/insight/bin/ctl_mboxlist -d" > /opt/insight/var/imap/mboxlist-backup.txt
- ctl_mboxlist is used to perform various administrative operations on the mailbox list database. This use of the command dumps the contents of the mailbox database to a flat file called mboxlist-backup.txt.
  # su cyrus -c "/opt/insight/bin/ctl_mboxlist -u < /opt/insight/var/imap/mboxlist-backup.txt"
- Imports the same flat file into the database, thus building the mailboxes.db file from scratch.
NOTE: The original mailboxes.db file should be removed between the two commands.
Cyrus shell util(s) (cont.)

ctl_cyrusdb
  # su cyrus -c "/opt/insight/bin/ctl_cyrusdb -r"    // repairs the Cyrus database
  # su cyrus -c "/opt/insight/bin/ctl_cyrusdb -c"    // checkpoints the transaction log for the Cyrus database
- This command is used to recover the Cyrus databases after an application or system failure. The -c option checkpoints and archives the databases: changes to the database which are part of committed transactions are written to disk, a hot backup of the databases is made, and inactive log files are removed.

db_recover
  # su cyrus -c "/opt/insight/bin/db_recover -v -h /opt/insight/var/imap/db"
- The db_recover utility must be run after an unexpected application, DB or system failure to restore the database to a consistent state. All committed transactions are guaranteed to appear after db_recover has run, and all uncommitted transactions will be completely undone.

sieveshell
  # /opt/insight/bin/sieveshell -a jdoe localhost
You will receive an error if you do not edit the sieveshell script and modify the following line...
  exec perl -x -S $0 ${1+"$@"} # -*-perl-*-
...to read...
  exec /opt/insight/bin/perl -x -S $0 ${1+"$@"} # -*-perl-*-
Cyrus shell util(s) (cont.)

nc
  # echo ". login admin <password>\n. list \"user/jdoe/*\" *\n. logout\n" | /opt/insight/bin/nc localh
  * OK mail2.example.com Cyrus IMAP4 v2.2.10 server ready
  . OK User logged in
  * LIST (\HasNoChildren) "/" "user/jdoe/Calendar"
  * LIST (\HasNoChildren) "/" "user/jdoe/Contacts"
  * LIST (\HasNoChildren) "/" "user/jdoe/Deleted Items"
  * LIST (\HasNoChildren) "/" "user/jdoe/Drafts"
  * LIST (\HasNoChildren) "/" "user/jdoe/Journal"
  * LIST (\HasNoChildren) "/" "user/jdoe/Junk E-mail"
  * LIST (\HasNoChildren) "/" "user/jdoe/Notes"
  * LIST (\HasNoChildren) "/" "user/jdoe/Outbox"
  * LIST (\HasNoChildren) "/" "user/jdoe/Sent Items"
  * LIST (\HasNoChildren) "/" "user/jdoe/Tasks"
  * LIST (\HasChildren) "/" "user/jdoe/test"
  . OK Completed (0.000 secs 13 calls)
  * BYE LOGOUT received
  . OK Completed
- The netcat utility is great for writing quick scripts of IMAP command sequences. This first command demonstrates how to retrieve the list of folders for the user jdoe. We can now take this output and create another IMAP command sequence, such as getacl for each of the folders found...
  # echo ". login admin <password>\n. list \"user/jdoe/*\" *\n. logout\n" | /opt/insight/bin/nc localhost 143 | grep "^* LIST" | awk -F '"' '{print ". getacl \"" $4 "\""}'
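The getacl follow-up above, written as reusable functions. This is an added example, not code from the SCO deck: the LIST output it parses is a constructed excerpt in the format Cyrus prints, and the function names are this example's own. Folder names are taken from the fourth double-quote-delimited field of each LIST line, which keeps names containing spaces ("Sent Items") intact, and the result is wrapped into a complete login/getacl/logout script that can be piped into nc exactly as on the slide.

```shell
#!/bin/sh
# Added example (not from the SCO deck): build an IMAP getacl script from
# LIST output. The LIST lines below are constructed sample output.
SAMPLE_LIST=$(cat <<'EOF'
* OK mail2.example.com Cyrus IMAP4 v2.2.10 server ready
. OK User logged in
* LIST (\HasNoChildren) "/" "user/jdoe/Calendar"
* LIST (\HasNoChildren) "/" "user/jdoe/Sent Items"
* LIST (\HasChildren) "/" "user/jdoe/test"
. OK Completed (0.000 secs 4 calls)
* BYE LOGOUT received
. OK Completed
EOF
)

# Usage: list_to_getacl < list-output
# Emits one '. getacl "folder"' line per '* LIST' line, ignoring the untagged
# greeting, the tagged OK responses and the BYE.
list_to_getacl() {
    grep '^\* LIST' | awk -F '"' '{ printf ". getacl \"%s\"\n", $4 }'
}

# Usage: build_acl_script admin '<password>' < list-output | nc localhost 143
# Wraps the getacl commands in a complete login/logout sequence.
build_acl_script() {
    printf '. login %s %s\n' "$1" "$2"
    list_to_getacl
    printf '. logout\n'
}

printf '%s\n' "$SAMPLE_LIST" | list_to_getacl
```

On a live server the first nc pipeline from the slide supplies the LIST output, e.g. `... | nc localhost 143 | build_acl_script admin '<password>' | nc localhost 143`. Note that, as with the slide's echo, a password passed on the command line is visible in `ps` output on a multi-user box.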
Cyrus Troubleshooting

With Cyrus there are generally three types of issue:
1. The user is unable to log in, which indicates an issue with saslauthd. Check the bind credentials in the saslauthd.conf file used for connecting to the LDAP database.
2. "I can't delete or rename this folder." First attempt to rename or delete the folder directly in IMAP using the .rename or .delete commands, which has the least impact on the server. If this doesn't work, see the FAQ on exporting the mailbox list to a text file so that such folders can be manually deleted from the database. You must then import the updated flat file, which removes any reference to the folder from the mailboxes.db file.
3. The user's folder list appears to have multiple sets of root folders, or displays folders that you can't select through the Web Admin interface. Under these circumstances the admin should reconstruct the user's folders. See the reconstruct shell command mentioned above.
Authentication (diagram): SASL authentication path

.../etc/saslauthd.conf (saslauthd -> slapd):
  ldap_servers: ldap://127.0.0.1/
  ldap_filter: login=%u
.../lib/sasl2/smtpd.conf (smtpd -> saslauthd):
  pwcheck_method: saslauthd
  mech_list: plain login
.../etc/imapd.conf (imapd/pop3d -> saslauthd):
  sasl_pwcheck_method: saslauthd
.../etc/cyrus.conf (cyrus master):
  imap ... cmd="imapd -p 2 ..."
  pop3 ... cmd="pop3d" ...
Cyrus Question: I know I have new messages in my Inbox but I can't see them when I log in via IMAP or POP3. In the log file I see an error that refers to a DBERROR. What's wrong? 74
Cyrus Question
Answer: These are usually caused when the database that contains the user information is in a file-locked state. If the error continues, perform a database recovery.
# /etc/init.d/insightserver stop
# ps -aux | grep slapd   (be sure all slapd processes are killed)
# /etc/init.d/insightserver recover
# /etc/init.d/insightserver start
It is also possible to see the errors with a specific user. In this case it may be a corrupted .seen file. To resolve the issue, locate the file and delete it. When Cyrus sees that the .seen file is missing it will automatically recreate it, alleviating the DBERROR condition. The name and location of the file depend on the user id. The format is:
/opt/insight/var/imap/user/[a-z]/{uid}.seen
Therefore, if we were looking for the user jdoe's .seen file, it would be in the following location...
/opt/insight/var/imap/user/j/jdoe.seen
75
Cyrus Question: How do I dump the folder list from the Cyrus IMAP database to a text file that I can edit and then use to repair or rebuild the Cyrus database? 76
Cyrus Question
Answer: To do this, run the following command from a shell...
# /opt/insight/etc/rc/cyrus dump
This will create a dump file in the cyrus user's home directory (/opt/insight/var/cyrus/) called mboxlist-{date}.txt.
*Before starting the procedure it would be a good idea to have a current backup of the mailstore.
You can now edit this file and remove the folder that is causing the problem. You will also want to rm -rf the specific folder structure causing the issue in the user's mailstore at the file system level.
77
Cyrus Question
Answer: (cont.) If the folder name was "d@ntdothis" in user jdoe's mailbox, the rm command would look like...
# rm -rf /opt/insight/var/spool/imap/j/user/jdoe/d@ntdothis
You can now use the updated file to rebuild the folder list and permissions for the Cyrus database from scratch using the following command sequence...
... move the "mailboxes.db" on the server...
# mv /opt/insight/var/imap/mailboxes.db /opt/insight/var/imap/mailboxes.db.old
# cd /opt/insight/var/imap
# rm -fr *.db db/* db.*
# su cyrus
# /opt/insight/bin/ctl_cyrusdb -r
# /opt/insight/bin/ctl_cyrusdb -c
# /opt/insight/bin/ctl_cyrusdb -r
# /opt/insight/bin/ctl_mboxlist -u < /path/to/cyrus/dump/mboxlist-xxxxx.txt
... now reconstruct the mail store...
# su - cyrus -c '/opt/insight/sbin/reconstruct -rfx "user"'
78
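Editing the mboxlist dump by hand is where this procedure goes wrong most often: a loose grep on "d@ntdothis" also removes "d@ntdothis2", and a forgotten sub-folder leaves a dangling entry. The following added example (not SCO's or Cyrus's code) prepares the dump before ctl_mboxlist -u and prints the on-disk path that the rm -rf step on the slide refers to, without deleting anything itself. It assumes what ctl_mboxlist -d writes in Cyrus 2.2: one mailbox per line with the internal name (user.jdoe.folder, "." as the hierarchy separator even when clients see "/") in the first tab-separated field; nothing else about the line format is relied upon. The dump and the spool layout (first letter of the user id as the hash directory, as in the slide's path) are constructed for the example.

```shell
#!/bin/sh
# Added example: prepare a ctl_mboxlist dump for removing one folder.
# Not SCO's or Cyrus's code. Assumption: the internal mailbox name is the
# first tab-separated field of each dump line (Cyrus 2.2 ctl_mboxlist -d).

SPOOL=/opt/insight/var/spool/imap
TAB=$(printf '\t')

# Constructed sample dump (mailbox, then "mbtype partition", then the ACL).
SAMPLE_DUMP=$(
    printf 'user.jdoe\t0 default jdoe\tlrswipkxtecda\n'
    printf 'user.jdoe.Sent Items\t0 default jdoe\tlrswipkxtecda\n'
    printf 'user.jdoe.d@ntdothis\t0 default jdoe\tlrswipkxtecda\n'
    printf 'user.jdoe.d@ntdothis.old\t0 default jdoe\tlrswipkxtecda\n'
    printf 'user.jdoe.d@ntdothis2\t0 default jdoe\tlrswipkxtecda\n'
    printf 'user.jsmith\t0 default jsmith\tlrswipkxtecda\n'
)

# mboxlist_affected NAME: the lines that belong to NAME or its sub-folders.
# Match the exact name, or the name followed by the "." separator, so that
# "d@ntdothis2" is left alone.
mboxlist_affected() {
    awk -F "$TAB" -v mb="$1" '$1 == mb || index($1, mb ".") == 1'
}

# mboxlist_without NAME: the dump with those lines removed, ready to be fed
# to ctl_mboxlist -u.
mboxlist_without() {
    awk -F "$TAB" -v mb="$1" '$1 == mb || index($1, mb ".") == 1 { next } { print }'
}

# spool_path NAME: the on-disk directory for an internal mailbox name, in the
# layout shown on the slide (hash directory = first letter of the user id,
# "." turned into "/"). Review it before any rm -rf; nothing here deletes.
spool_path() {
    rest=${1#user.}
    first=$(printf '%s' "$rest" | cut -c1)
    printf '%s/%s/user/%s\n' "$SPOOL" "$first" "$(printf '%s' "$rest" | tr '.' '/')"
}

# Stand-alone usage: show what would be dropped and where it lives on disk.
printf '%s\n' "$SAMPLE_DUMP" | mboxlist_affected 'user.jdoe.d@ntdothis'
spool_path 'user.jdoe.d@ntdothis'
```

Run mboxlist_affected first and check that only the intended folder and its children are listed, then write mboxlist_without's output to a new file for ctl_mboxlist -u; keep the original dump alongside the mailstore backup the slide asks for.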
OpenLDAP
version: OpenLDAP 2.1.29
port listener(s): 389
LDAPS: 636
user/groups: root
shell util(s): ldapsearch, ldapmodify, ldapadd, ldapdelete, ldapmodrdn, slapcat, slapindex, slapadd
79
OpenLDAP Files & Directories
rc script: /opt/insight/etc/rc/slapd
home directory: /opt/insight/var/openldap-data
configuration files: /opt/insight/etc/openldap/slapd.conf, /opt/insight/etc/openldap/slurpd.conf
log file: /usr/adm/syslog (slapd[], slurpd[])
80
OpenLDAP Container Structures
The LDAP schemas included in the default slapd configuration file are as follows:
include /opt/insight/etc/openldap/schema/core.schema
/opt/insight/etc/openldap/schema/cosine.schema
/opt/insight/etc/openldap/schema/inetorgperson.schema
/opt/insight/etc/openldap/schema/insight.schema
The LDAP schema used consists of domain containers (dc=), organizational units (o=), and nested groups (ou=) as container objects. These containers hold the individual records (cn=). Any objectclass included in the default schemas may be referenced by the records. One example of a general objectclass would be inetorgperson, as defined in the inetorgperson.schema file. The additional fields used to store various aspects of the records are documented in the FAQs regarding LDIF importing into OpenLDAP. The rootdn is always "cn=admin" and the object classes used by SCO Office Server records are insightPerson, insightResource, insightService or insightAlias. The default objects created upon installation are cn=admin, the service account, and the domain name of the server.
81
OpenLDAP Container Structure
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# admin
dn: cn=admin
cn: admin
objectClass: insightAdmin
login: admin
sn: admin
userPassword::
mail: admin@pdev.sco.com

# InsightServer
dn: cn=InsightServer
cn: InsightServer
insightServerVersion: 4.1.0
insightAllowUserAliasCreate: TRUE
objectClass: insightServerState: single

# pdev.sco.com
dn: o=pdev.sco.com
objectClass: insightDomain
objectClass: insightOrganization
dc: pdev.sco.com
insightAllowUserAliasCreate: YES
insightLocalDomain: OK
o: pdev.sco.com
description: pdev.sco.com
82
OpenLDAP shell util(s)
ldapsearch
# /opt/insight/bin/ldapsearch -x -h osr.bynari.net -D "cn=admin" -w admin -b 'o=bynari.net' dn | grep "^dn:"
dn: o=bynari.net
dn: cn=John Doe, o=bynari.net
- This utility opens a connection to an LDAP server, binds, and performs a search using the specified parameters. The filter should conform to the string representation for search filters as defined in RFC 2254. If not provided, the default filter, (objectClass=*), is used. If ldapsearch finds one or more entries, the attributes specified by attrs are returned. If * is listed, all user attributes are returned. If + is listed, all operational attributes are returned. If no attrs are listed, all user attributes are returned. If only 1.1 is listed, no attributes will be returned. In the example, ldapsearch searches only the organizational unit o=bynari.net and returns only the dn: entries.
ldapmodify
# /opt/insight/bin/ldapmodify -x -h osr.bynari.net -D "cn=admin" -w admin
dn: cn=John Doe, o=bynari.net
changetype: modify
mailForward: jdoe@example.net

modifying entry "cn=John Doe, o=bynari.net"
- Some of the changetypes supported by ldapmodify are add, modify, delete, and modrdn.
83
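Filtering ldapsearch output with grep "^dn:" as on the slide has a catch: ldapsearch folds lines longer than 76 columns and continues them on the next line with a leading space, so the tail of a long DN is silently lost, and DNs with non-ASCII characters come out base64-encoded (dn::). The added example below, which is not OpenLDAP's or SCO's code, unfolds the LDIF first and then lists every DN, marking base64 ones instead of decoding them. The LDIF is constructed in the shape of "ldapsearch ... dn" output.

```shell
#!/bin/sh
# Added example: extract every dn from LDIF, handling folded lines.
# Not OpenLDAP's or SCO's code; the LDIF below is constructed.

SAMPLE_LDIF='# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: dn
#

# bynari.net
dn: o=bynari.net

# John Doe, bynari.net
dn: cn=John Doe,o=bynari.net

# a DN long enough for ldapsearch to fold it
dn: cn=Very Long Display Name For Folding Test Purposes,ou=Engineering Depar
 tment,o=bynari.net

# a DN with non-ASCII characters, which LDIF emits base64-encoded (dn::)
dn:: Y249SsO8cmdlbiBEb2Usbz1ieW5hcmkubmV0
'

# ldif_dns: read LDIF on stdin, print one DN per entry. A line beginning
# with a single space continues the previous line and is joined first.
# Base64 DNs are printed as-is with a "(base64)" marker.
ldif_dns() {
    awk '
        function flush() {
            if (buf ~ /^dn:: /)     print substr(buf, 6) " (base64)"
            else if (buf ~ /^dn: /) print substr(buf, 5)
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }   # continuation line
        { flush(); buf = $0 }
        END { flush() }
    '
}

# ldif_entry_count: number of entries in the LDIF (one dn per entry).
ldif_entry_count() {
    ldif_dns | grep -c .
}

# Stand-alone usage.
printf '%s\n' "$SAMPLE_LDIF" | ldif_dns
```

Two habits go with these commands: pass the bind password with -W (prompt) rather than -w on the command line, since -w leaves it visible in the process list and shell history, and pipe slapcat or ldapsearch output through ldif_dns rather than grep when you need an accurate entry list.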
OpenLDAP shell util(s) cont.
slapindex
# /opt/insight/sbin/slapindex
- slapindex is used to regenerate slapd indices based upon the current contents of a database. It opens the given database, determined by the database number or suffix, and updates the indices for all values of all attributes of all entries.
slapcat
# slapcat > /tmp/bynari.ldif
- This utility is used to generate LDAP Directory Interchange Format (LDIF) output based upon the contents of a slapd database. It opens the given database, determined by the database number or suffix, and writes the corresponding LDIF to standard output or the specified file. The LDIF generated by this tool is suitable for use with slapadd. As the entries are in database order, not superior-first order, they cannot be loaded with ldapadd without being reordered.
slapadd
# cat /tmp/bynari.ldif | /opt/insight/sbin/slapadd -c
- This utility is used to add entries specified in LDAP Directory Interchange Format (LDIF) to a slapd(8) database. It opens the given database, determined by the database number or suffix, and adds entries corresponding to the provided LDIF to the database. The LDIF input is read from standard input or the specified file. As slapadd is designed to accept LDIF in database order, as produced by slapcat, it does not verify that superior entries exist before adding an entry, does not perform all user and system schema checks, and does not maintain operational attributes (such as createTimestamp and modifiersName).
84
OpenLDAP Question: My LDAP server won't start and none of my users can log in. How do I recover the LDAP database? 85
OpenLDAP Question
Answer: The following commands will recover the LDAP database...
# /etc/init.d/insightserver stop
# ps -ea | grep slapd
2854 ?        00:00 slapd
// if the process is still running, manually kill it.
# kill -9 2854
# /opt/insight/etc/rc/slapd recover
86
OpenLDAP Question: How do I start LDAP in debug mode? 87
OpenLDAP Question
Answer: To see debugging info logged to the console, perform the following in a shell...
# /opt/insight/etc/rc/slapd stop
# /opt/insight/libexec/slapd -d 1 -h "ldap://:389/ ldaps://:636/"
This can be very useful when tracking down erroneous configuration values customers change in the slapd.conf file.
88
OpenLDAP Question: I've forgotten the 'admin' password. Can I find out what it is? 89
OpenLDAP Question
Answer:
1. Change the password in the /opt/insight/etc/openldap/slapd.conf file
rootpw <admin password>
2. Restart slapd
# /opt/insight/etc/rc/slapd restart
90
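The rootpw directive accepts either a cleartext value, as written on the slide, or a {SCHEME}hash value generated with slappasswd (for example slappasswd -s <password> prints an {SSHA} string). Because rootpw is the directory's master credential, a cleartext value in slapd.conf is worth catching during a configuration review. The added example below, not OpenLDAP's or SCO's code, reads a slapd.conf on stdin and reports whether rootpw is hashed, cleartext, or absent; the configuration fragment is constructed.

```shell
#!/bin/sh
# Added example: audit the rootpw directive in slapd.conf.
# Not OpenLDAP's or SCO's code; the slapd.conf fragment is constructed.

SAMPLE_SLAPD_CONF='include /opt/insight/etc/openldap/schema/core.schema
database        bdb
suffix          "o=example.net"
rootdn          "cn=admin"
rootpw          secret
directory       /opt/insight/var/openldap-data
'

# check_rootpw: prints "hashed" when rootpw carries one of the password
# schemes slappasswd produces, "cleartext" for any other value, and "none"
# when the directive is missing. Directive names are case-insensitive in
# slapd.conf, and the value may be quoted.
check_rootpw() {
    awk '
        tolower($1) == "rootpw" {
            v = $2; gsub(/"/, "", v)
            if (v ~ /^[{](SSHA|SHA|SMD5|MD5|CRYPT)[}]/) print "hashed"
            else print "cleartext"
            found = 1; exit
        }
        END { if (!found) print "none" }'
}

# Stand-alone usage on the constructed fragment.
printf '%s\n' "$SAMPLE_SLAPD_CONF" | check_rootpw
```

After replacing a cleartext rootpw with the slappasswd output, restart slapd as step 2 on the slide says; also confirm that slapd.conf is readable only by the account slapd runs as, since the file also holds the slurpd replication credentials.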
Migration PST migration Exchange migration
Migration
Tools:
§ Simple tools with basic functionality for most tasks
§ GUI: Import PST file (uses readpst)
§ GUI: Exchange migration wizard (uses readpst)
§ Command line: migrate.php (uses readpst)
§ Outlook (File->Import/Export)
New Functionality in MP2a:
§ readpst can migrate mail, Calendar and Contacts folders
§ readpst can migrate the .seen flags
§ Organizations can be migrated from Exchange
92
Migration
Limitations:
§ Outlook 2003 PST files are not supported. Export the mail to an Outlook 2000 or XP format PST file.
§ The Exchange 5.5 native address format is X.500. It is also known as the Exchange legacy format. Migration of Exchange PST files may result in addresses that are not converted from X.500 to SMTP format. In such cases, 'Reply' or 'Reply All' will not be available for messages that contain X.500 format addresses.
§ Active Directory (AD) can be organized in hundreds of different ways. Because of this flexibility it is difficult to provide a tool that can properly migrate AD Organizations, Groups and Users in all cases. Many sites work properly and some will require manual intervention.
93
Migration
import-pst.sh shell script
[root@mail2 root]# /opt/insight/htdocs/is4web/bin/import-pst.sh
This utility imports PST files into SCO Office Server.
Would you like to search the directory [/root] for PST files to import? [y/n] n
Syntax: /opt/insight/htdocs/is4web/bin/import-pst.sh {full path to PST file} {password}
Note: If no PST file is specified, the user is prompted to search the current directory for PST files to import. The password attribute is only required if you would like to import the PST as the user. See documentation for additional details...
94
Migration
Exchange Server Account Migration: To find the LDAP suffix to be used for an Exchange 2000 Server, open a shell on the Insight Server, log in as root and run the following command...
# /opt/insight/bin/ldapsearch -x -h [ip address] -p 3268 | more
// this returns the following output...
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# md1email.testemail.com
dn: DC=md1email,DC=testemail,DC=com
...
Take the above dn: information and add CN=Users, to this line. This is the LDAP suffix entry to be used.
CN=Users,DC=md1email,DC=testemail,DC=com
95
Migration
Exchange Server Bind Credentials: The following command is used to further test the LDAP suffix and bind credentials to be used during an Exchange migration. From a shell prompt as root run the following command...
# /opt/insight/bin/ldapsearch -x -h [ip address] -p 3268 -D "administrator@md1email.testemail.com" -w password -b 'CN=Users,DC=md1email,DC=testemail,DC=com'
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# md1email.testemail.com
dn: DC=md1email,DC=testemail,DC=com
...
96
Migration
Exchange Server Bind Credentials: In the above line -D gives the account name and -w the password used for testing the bind credentials. -b gives the search base to be tested. The search base portion of this test is optional; if the command doesn't work, remove this option for further testing. If the command still doesn't work, try using the DN for the administrator account instead of the RDN. In this case the DN for this account would be:
CN=Administrator,CN=Users,DC=md1email,DC=testemail,DC=com
97
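The three slides above are one procedure: read the naming context from an anonymous search of the global catalog (port 3268), prepend CN=Users, to get the suffix, then bind with the administrator UPN and that suffix as the search base. The added example below, which is not SCO's code, does the suffix derivation from captured ldapsearch output and adds the check a practitioner wants before blaming the credentials: that the suffix actually sits under the domain named in the UPN. The ldapsearch output is constructed to match the slide.

```shell
#!/bin/sh
# Added example: derive and sanity-check the Exchange/AD LDAP suffix and
# bind identity from ldapsearch output. Not SCO's code; output constructed.

SAMPLE_AD_SEARCH='# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# md1email.testemail.com
dn: DC=md1email,DC=testemail,DC=com
objectClass: top
objectClass: domain
'

# ad_users_suffix: read ldapsearch output, take the first naming context
# (dn: DC=...) and prepend CN=Users, as the slide instructs.
ad_users_suffix() {
    awk '/^dn: DC=/ { print "CN=Users," substr($0, 5); exit }'
}

# upn_to_dc: turn the domain part of a UPN (administrator@md1email.testemail.com)
# into its DC components (DC=md1email,DC=testemail,DC=com).
upn_to_dc() {
    printf '%s\n' "${1#*@}" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i
        printf "\n"
    }'
}

# bind_suffix_matches UPN SUFFIX: "yes" if SUFFIX lies under the UPN domain
# (compared case-insensitively), "no" otherwise. A "no" explains a failing
# -D/-b test before any credential is suspected.
bind_suffix_matches() {
    dc=$(upn_to_dc "$1" | tr 'A-Z' 'a-z')
    sfx=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$sfx" in
        *"$dc") printf 'yes\n' ;;
        *)      printf 'no\n' ;;
    esac
}

# Stand-alone usage.
suffix=$(printf '%s\n' "$SAMPLE_AD_SEARCH" | ad_users_suffix)
printf '%s\n' "$suffix"
bind_suffix_matches administrator@md1email.testemail.com "$suffix"
```

When the check prints "no", the UPN belongs to a different domain than the naming context returned by the global catalog, and the bind test should be repeated with the full DN form shown on the slide (CN=Administrator,CN=Users,...) before the migration wizard is run.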
Migration
Configuring Postfix to co-exist with Exchange
Postfix Configuration Changes
myhostname = sco.example.net
mydomain = sco.example.net
relayhost = mail.example.net
mydestination = $myhostname, $mydomain
relay_domains = example.net
98
WebClient Things to know
WebClient
Folders display in Outlook but not in WebClient
§ Remove the /opt/insight/icc/data/<letter>/<login>/mailsettings file and restart the WebClient
The right-hand side of the toolbar (<< >>) does not display in the Calendar folder
§ Set screen resolution to 1024x768 minimum
§ Use normal font size (large may be too big)
§ Maximize the window
100
WebClient
My special folders (Calendar, Contacts etc.) display as if they are ordinary mail folders
§ The synchronization message which indicates the folder type has been removed.
§ Create the synchronization message as the file 1. and reconstruct the user's folder (script available from Support).
101
Connector 2.5 Duplicates
Connector 2.5
How to remove duplicates
§ Support script for type mail folders only
§ MAPILABS tool - cheap & excellent: http://www.mapilab.com/outlook/duplicate_remover/
Preventing Duplicates
§ Always create a new profile when moving the account to a new server. Never just change the server hostname in the account configuration.
§ Never open more than one PST file with active Connector mappings to the same account.
103
Professional Services Assistance What services can SCO PS provide?
Professional Services Assistance
§ MS Exchange migration assistance
§ Email virus protection
§ Spam filtering
§ Integration services (LDAP, Exchange)
§ Business continuity
§ WebClient customization
§ Mail appliance customization
§ Customized training
105
Professional Services
§ International: Phone 44 1707 22668, Email rsutton@sco.com
§ North America: Phone (831) 430-4510, Email yasmink@sco.com
§ On the web: www.sco.com/consulting
106
SCO Office Server 4.1 Troubleshooting Thank You