Adding a postfix template to Zabbix

I am switching over to Zabbix; it just works better than Zenoss for me. During the process I added in templates for postfix. Those are outlined here:

This wiki article and this forum post.

To summarize what is there:

# First install pflogsumm and logtail
apt-get install pflogsumm logtail

# Then add the following line to /etc/zabbix/zabbix_agentd.conf and restart the agent.
nano -w /etc/zabbix/zabbix_agentd.conf

UserParameter=postfix.mailq,mailq | grep -v "Mail queue is empty" | grep -c '^[0-9A-Z]'

# Then create the file
nano -w /usr/local/sbin/zabbix-postfix.sh


#!/bin/bash
# Summarise the mail log lines written since the last run with pflogsumm
# and push each counter to Zabbix as a trapper item via zabbix_sender.

MAILLOG=/var/log/mail.log
DAT1=/tmp/zabbix-postfix-offset.dat      # logtail offset file, persists between runs
DAT2=$(mktemp)                           # pflogsumm output for this run
PFLOGSUMM=/usr/sbin/pflogsumm
ZABBIX_CONF=/etc/zabbix/zabbix_agentd.conf
DEBUG=1

# zsend LABEL: derive the item key postfix[label] from the pflogsumm label
# (spaces and dashes become underscores, lower-cased, anything else dropped),
# take the number in front of the first matching line, and send it.
function zsend {
    key="postfix[$(echo "$1" | tr ' -' '_' | tr 'A-Z' 'a-z' | tr -cd 'a-z_')]"
    value=$(grep -m 1 "$1" "$DAT2" | awk '{print $1}')
    [ "${DEBUG}" -ne 0 ] && echo "Send key \"${key}\" with value \"${value}\"" >&2
    /usr/bin/zabbix_sender -c "$ZABBIX_CONF" -k "${key}" -o "${value}" 2>&1 >/dev/null
}

# Only the new log lines since the last offset are fed to pflogsumm.
/usr/sbin/logtail -f"$MAILLOG" -o"$DAT1" | "$PFLOGSUMM" -h 0 -u 0 --no_bounce_detail --no_deferral_detail --no_reject_detail --no_no_msg_size --no_smtpd_warnings > "$DAT2"

zsend received
zsend delivered
zsend forwarded
zsend deferred
zsend bounced
zsend rejected
zsend held
zsend discarded
zsend "reject warnings"
zsend "bytes received"
zsend "bytes delivered"
zsend senders
zsend recipients

rm "$DAT2"

# Then chmod the file.
chmod 700 /usr/local/sbin/zabbix-postfix.sh

# Then add a cron entry for it. The site says every 30 min; I run it every minute, as my servers are busier, to get more data into the system.
nano -w /etc/cron.d/zabbix_postfix

* * * * * root /usr/local/sbin/zabbix-postfix.sh

# Depending on your setup you might need to allow sudo access.
echo "zabbix ALL = NOPASSWD: $(which mailq)" >> /etc/sudoers

# Then import the attached file as a template (postfix_stat.xml).
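As an added example (not part of the original post), here is a more careful way to pull the counters out of pflogsumm's summary than the script's grep -m 1 "$1": the label is matched whole, so "received" cannot hit the "bytes received" line, and the k/m suffixes pflogsumm puts on byte totals are expanded to plain integers, which is what a numeric Zabbix item expects. The sample summary is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: read one "Grand Totals" counter
# from pflogsumm output the way zabbix-postfix.sh needs it. Unlike grep -m 1 "$1",
# the label is matched whole ("received" will not hit the "bytes received" line),
# and the k/m suffixes pflogsumm puts on byte totals are expanded to plain integers,
# which is what a numeric Zabbix item expects.

# Constructed sample of pflogsumm's summary section (not real server data).
PF_SAMPLE='Grand Totals
------------
messages

    123   received
    120   delivered
      3   deferred  (5  deferrals)
      1   bounced
      0   rejected (0%)
      0   reject warnings

   1234k  bytes received
   1200k  bytes delivered
     20   recipients'

# pf_key LABEL -> Zabbix item key, derived the same way the post's script does it.
pf_key() {
    printf 'postfix[%s]\n' "$(printf '%s' "$1" | tr ' -' '__' | tr 'A-Z' 'a-z' | tr -cd 'a-z_')"
}

# pf_value LABEL [FILE] -> integer value for LABEL; reads PF_SAMPLE when FILE is omitted.
pf_value() {
    if [ -n "$2" ]; then input=$(cat "$2"); else input=$PF_SAMPLE; fi
    printf '%s\n' "$input" | awk -v label="$1" '
        {
            # drop the leading count; lines without one (headings, blanks) are skipped
            rest = $0
            if (!sub(/^[ \t]*[0-9]+[kKmM]?[ \t]+/, "", rest)) next
            # the label must start the text and be followed by end of line, blank or "("
            if (index(rest, label) != 1) next
            tail = substr(rest, length(label) + 1, 1)
            if (tail != "" && tail !~ /[ \t(]/) next
            n = $1
            if (sub(/[kK]$/, "", n)) n = n * 1024
            else if (sub(/[mM]$/, "", n)) n = n * 1024 * 1024
            printf "%d\n", n
            exit
        }'
}
```

In the real script you would call pf_value "$1" "$DAT2" inside zsend in place of the grep/awk pair.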

Although this is a good start, this template has no triggers or graphs attached to it, so I will need to add those at some point.

Network Manager Disabled

After having issues with network-manager after my laptop shut down, I found a fix for the issue. To read the full blog post go here:

http://www.harshj.com/2010/06/02/network-manager-disabled/

Highlights:

# Remove wrongly persisting NM state file.
sudo rm /var/lib/NetworkManager/NetworkManager.state
# Restart network-manager service.
sudo service network-manager restart

Someone further down in the comments gave a cleaner, less brute-force way, but this one is pretty easy and works well.

Thanks
Robert

OpenLDAP 2.3 to 2.4 upgrade broke replication.

It looks like the old slurpd interface is gone from OpenLDAP 2.4. ( http://www.openldap.org/doc/admin24/replication.html )

After a little searching I found this. ( http://deandra.homeip.net/node/33 )

The text looks good. Her server looks to be on a Shaw cable modem. So I copied what was important for me below.

Set up the provider

Add the following lines to the provider’s slapd.conf:

rootdn "cn=admin,dc=example,dc=com"
moduleload syncprov
overlay syncprov

These lines load the syncprov module and activate the sync provider overlay. They also define a rootdn, which is needed for syncrepl to work.

syncprov-checkpoint 100 10

Checkpoints the contextCSN on the provider. In this example, if more than 100 operations or 10 minutes have elapsed since the last checkpoint, a new one is made. (contextCSN indicates the synchronization state of the context. Checkpoints are done to ensure that replication is not duplicated if a server restarts.)

syncprov-sessionlog 100

Determines the size of the session log, which keeps track of the replication. The session log, in this example, will not exceed 100 entries.

You’ll probably also want to set up an index for the attributes syncrepl uses, so synchronizations will go faster:

index objectclass,entryCSN,entryUUID eq

Set up the consumer

Add the following lines to your consumer's slapd.conf:

index objectclass,entryCSN,entryUUID eq

rootdn "cn=admin,dc=example,dc=com"

syncrepl rid=123
        provider=ldap://provider.example.com:389
        type=refreshAndPersist
        retry="60 10 300 +"
        searchbase="dc=example,dc=com"
        schemachecking=off
        bindmethod=simple
        binddn="cn=syncuser,dc=example,dc=com"
        credentials=secret

This defines this directory as a consumer replica.

rid denotes which replica this is. I couldn’t find this in the LDAP documentation, but rid probably must be unique among your replica set.

provider is the URI of the LDAP server you’re replicating from.

type determines the type of replica search you're performing. refreshOnly tells the consumer that you're going to pull updates at intervals (and must be accompanied by an interval line). refreshAndPersist tells the consumer to keep a persistent search open, so changes on the master are immediately replicated to the slaves.

retry tells the slave when to retry the master if the connection fails. The example above says, “retry every sixty seconds for ten tries, and then retry every 300 seconds indefinitely.”

searchbase determines the search base of the sync search. This would be used to replicate only a fragment of the master database.

schemachecking tells the consumer whether or not to enforce the schema when updating from the master. If turned off, the loaded schema definitions on the master and slaves don't have to match exactly.

bindmethod, binddn, and credentials determine the user the consumer will bind to the provider as. The consumer uses the rootdn when updating its own database. You can specify any user here you want, so long as that user has the necessary access privileges to read the portion of the database you’re trying to replicate. I used the rootdn for this, but that’s probably not a good idea.
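Once the consumer is configured, the quickest way to confirm replication actually resumed after the upgrade is to compare the provider's and consumer's contextCSN. The following is an added example (not from the original post or the OpenLDAP project); the ldapsearch invocation and the server URIs are assumptions, and csn_state works on any CSN strings.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenLDAP project: compare the
# provider's and consumer's contextCSN to see whether a syncrepl consumer has
# caught up. A CSN looks like
#   20100602120000.123456Z#000000#000#000000
# i.e. UTC time, microseconds, then change counters; the time part is what
# tells you whether the consumer is behind.

# csn_state PROVIDER_CSN CONSUMER_CSN -> in_sync | behind | ahead | unknown
csn_state() {
    # empty CSN: the consumer never synced, or the lookup failed
    if [ -z "$1" ] || [ -z "$2" ]; then echo unknown; return; fi
    pt=$(printf '%s' "$1" | cut -c1-14); pu=$(printf '%s' "$1" | cut -c16-21)
    ct=$(printf '%s' "$2" | cut -c1-14); cu=$(printf '%s' "$2" | cut -c16-21)
    if [ "$ct" -lt "$pt" ] || { [ "$ct" -eq "$pt" ] && [ "$cu" -lt "$pu" ]; }; then
        echo behind
    elif [ "$ct" -eq "$pt" ] && [ "$cu" -eq "$pu" ]; then
        echo in_sync
    else
        echo ahead      # consumer newer than provider: wrong provider URI, or clock skew
    fi
}

# fetch_csn LDAP_URI SUFFIX -> first contextCSN value of the suffix entry.
# Assumed invocation, not from the post: anonymous simple bind; add -D/-w (for
# example the syncuser DN) if your ACLs do not allow anonymous reads of the suffix
# entry. Multi-provider setups carry one contextCSN per serverID; this takes the first.
fetch_csn() {
    ldapsearch -LLL -x -H "$1" -s base -b "$2" contextCSN 2>/dev/null \
        | awk '/^contextCSN:/ { print $2; exit }'
}

# check_replication PROVIDER_URI CONSUMER_URI SUFFIX
# e.g. check_replication ldap://provider.example.com ldap://consumer.example.com dc=example,dc=com
check_replication() {
    p=$(fetch_csn "$1" "$3"); c=$(fetch_csn "$2" "$3")
    printf 'provider %s\nconsumer %s\nstate    %s\n' "${p:-none}" "${c:-none}" "$(csn_state "$p" "$c")"
}
```

A consumer that stays "behind" while the provider keeps changing, or reports "unknown", is the symptom of the broken replication this post is about.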

Setting up SSH Chroot Jail.

Setting up a chroot is a pain. Here are some links to things written on the topic.

http://olivier.sessink.nl/jailkit/howtos_sftp_scp_only.html

http://www.sublimation.org/scponly/wiki/index.php/Main_Page

http://www.sublimation.org/scponly/wiki/index.php/FAQ

http://www.sublimation.org/scponly/wiki/index.php/Install

Thanks
Robert

Setup an SSH SOCKS proxy!

To read the full article go over to Hak5 and read the whole thing:

http://www.hak5.org/episodes/episode-416

What you’ll need

* An SSH server to act as your proxy.
* An SSH client on the computer you’re using.

Start your SSH tunnel

The command to run on your Linux / Mac client in a terminal window is:

ssh -ND 9999 you@example.com

For Windows it's as simple as browsing to the directory you saved plink to and running:

plink.exe -N -D 9999 you@example.com

Of course, you're going to replace the you with your username on your SSH server and example.com with your server's domain name or IP address. What that command does is accept requests from your local machine on port 9999 and hand them off to your server at example.com for processing.

Set Firefox to use SOCKS proxy

PS: Remember that you’ll need to open your firewall a bit by cracking open port 9999 on your local machine and port 22 on your server for SSH.

Incoming Mail and PHP

We all know how to send email from PHP. Actually, it's quite easy: mail("to@me", "Hello", "Hello"); Handling mail the other way, sending email to PHP, is a much less well-known task. In this article, we will write and install a script that we can send an email to.

http://www.evolt.org/article/Incoming_Mail_and_PHP/18/27914/index.html


#!/usr/bin/php
<?php
// read the raw message from stdin (the MTA pipes it to this script)
$fd = fopen("php://stdin", "r");
$email = "";
while (!feof($fd)) {
    $email .= fread($fd, 1024);
}
fclose($fd);

// handle email
$lines = explode("\n", $email);

// empty vars
$from = "";
$subject = "";
$headers = "";
$message = "";
$splittingheaders = true;

for ($i = 0; $i < count($lines); $i++) {
    if ($splittingheaders) {
        // this is a header
        $headers .= $lines[$i] . "\n";

        // look out for special headers
        if (preg_match("/^Subject: (.*)/", $lines[$i], $matches)) {
            $subject = $matches[1];
        }
        if (preg_match("/^From: (.*)/", $lines[$i], $matches)) {
            $from = $matches[1];
        }
    } else {
        // not a header, but message
        $message .= $lines[$i] . "\n";
    }

    if (trim($lines[$i]) == "") {
        // empty line, header section has ended
        $splittingheaders = false;
    }
}

For my needs I needed to take an email generated from an automated system, change a few fields and resubmit the email. So I set up the email address email.phpfilter@example.com, and using postfix I accept the email and pipe it to the following PHP script.


#!/usr/bin/php
<?php
// read the raw message from stdin (postfix pipes it to this script)
$fd = fopen("php://stdin", "r");
$email = "";

while (!feof($fd)) {
    $email .= fread($fd, 1024);
}
fclose($fd);

// handle email
$lines = explode("\n", $email);

// $to is the final destination of the email
$to = "email@example.com";
// One of the fields I need to change is the Reply-To, because the generated system's
// reply address doesn't work for my needs.
$replyto = "Reply-To: email.gateway@example.com";

// empty vars
$subject = "Blank";
$headers = "";
$message = "";
$splittingheaders = true;

for ($i = 0; $i < count($lines); $i++) {
    if ($splittingheaders) {
        // look out for special headers
        if (!preg_match("/^To: (.*)/", $lines[$i], $matches)) { // If To, just drop it; we don't need that field.
            if (!preg_match("/^Subject: (.*)/", $lines[$i], $matches)) { // If Subject, again just drop it.
                // Anything other than To or Subject: store the header.
                // Note: the blank separator line that ends the header block is stored here too,
                // so $headers ends with an empty line; that is the likely source of the blank
                // line at the top of the resent message mentioned below.
                $headers .= $lines[$i] . "\n";
            } else {
                // We are ignoring the Subject, but this is a good place to insert my Reply-To address.
                $headers .= $replyto . "\n";
            }
        }
    } else {
        // not a header, but message
        // If a line inside the message starts with "Subject:" then grab that out and assign it to $subject.
        // Else just store the message line.
        if (preg_match("/^Subject: (.*)/", $lines[$i], $matches)) {
            $subject = $matches[1];
        } else {
            $message .= $lines[$i] . "\n";
        }
    }

    if (trim($lines[$i]) == "") {
        // empty line, header section has ended
        $splittingheaders = false;
    }
}
// Last step: email the redefined message.
mail($to, $subject, $message, $headers);

It works pretty well, with one exception: it inserts a blank line at the top of the message. At some point I might track that down, but it isn't an issue for my use.

Adding Bind9 recursion support in Debian.

I just upgraded from etch to lenny and recursion support was removed from the defaults. So I had to make a few changes to bring it back. Here is the change I needed to make.

Edit the options file:

sudo nano -w /etc/bind/named.conf.options

and after the lines

options {
        directory "/var/cache/bind";

add:

        recursion yes;
        allow-recursion { any; };
        allow-query { any; };      // this is needed to override the default
        allow-transfer { none; };  // transfers will be allowed per zone below.

***** Warning: this allows anyone that can talk to this box to use DNS through your box.

If you just want to set it up for localhost, read here:

http://fixunix.com/dns/51724-re-bind-9-allow-recursion-limited-localhost.html

If you want separate external and internal groups:

https://www.isc.org/node/391

Thanks
Robert