
ezmlm-idx + postfix quick and dirty howto

May 7th, 2008

Filed under: bsd — admin @ 9:31 pm

One of my servers died recently. When I installed it around 7 years ago, qmail was a very trendy alternative to the “bad and insecure” sendmail, FreeBSD’s default MTA. Now, a few years later, qmail is no longer so trendy and chicks don’t dig it as they used to… So while reinstalling the server I knew I had to choose something other than qmail. It’s not that I don’t like qmail anymore, but after spending some time with postfix, especially after integrating it with things like clamav, dspam and other extensions, I think it’s just easier to manage. So the real reason was that I wanted all the nice toys I had with my other postfix installations, and I wanted them quickly, without all the hacking around and patching of patches I would have to do with qmail.

Moving email accounts between qmail and postfix is not hard. Both support the Maildir format, so getting that part working was quick and painless. The only problem with moving this mail installation was what to do with my ezmlm based mailing lists. So this is how to make qmail and postfix live happily under one roof.

Install all required ports

I installed these ports (my local versions in brackets; note that this is a somewhat old installation now):

  • mail/qmail (1.03_6)
  • mail/qmail-contrib (0.1_1)
  • mail/ezmlm-idx (0.40_4)
  • mail/postfix (2.4.6,1)

Configure postfix

Add the qmail transport to master.cf:

qmail unix - n n - - pipe flags=R user=qmailq argv=/var/qmail/bin/sendmail ${recipient}

and in main.cf point transport_maps at a transport table written in PCRE (Perl regex) syntax:

transport_maps = pcre:/usr/local/etc/postfix/pcre_transport

Now add all your mailing lists to the pcre_transport file so they get delivered via the qmail transport. For the lists eztest@server.com and otherlist@server.com it would look like this:

/eztest(-[a-z]+)?@server.com/ qmail:
/otherlist(-[a-z]+)?@server.com/ qmail:
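To see what the two patterns above actually select, here is an added Python snippet (mine, not from the original post) that mirrors the lookup Postfix does on the full recipient address and puts the post's unanchored patterns beside an anchored, dot-escaped variant; the sample addresses are constructed.

```python
import re

# Constructed copy of the post's pcre_transport table (without the /.../
# delimiters): Postfix tries the lines in order, matches case-insensitively
# by default, and the first matching pattern decides the transport.
POST_TABLE = [
    (r"eztest(-[a-z]+)?@server.com", "qmail:"),
    (r"otherlist(-[a-z]+)?@server.com", "qmail:"),
]

# Tightened variant: anchored, with the dots escaped, so only the list
# address itself (plus its -subscribe style extensions) is piped to qmail.
TIGHT_TABLE = [
    (r"^eztest(-[a-z]+)?@server\.com$", "qmail:"),
    (r"^otherlist(-[a-z]+)?@server\.com$", "qmail:"),
]


def lookup(table, recipient):
    """Return the transport for a recipient, or None for Postfix's default.

    Mirrors a pcre: transport_maps lookup on the full recipient address;
    Python's re and PCRE agree on everything these patterns use.
    """
    for pattern, transport in table:
        if re.search(pattern, recipient, re.IGNORECASE):
            return transport
    return None


def route_all(table, recipients):
    """Map every recipient to its transport (None = default transport)."""
    return {r: lookup(table, r) for r in recipients}


# Constructed sample recipients: the list, its ezmlm command addresses,
# an ordinary user, and three look-alikes that the unanchored pattern
# cannot tell apart from the real list address.
SAMPLE = [
    "eztest@server.com",
    "eztest-subscribe@server.com",
    "EZTEST-Unsubscribe@Server.COM",
    "user@server.com",
    "notreallyeztest@server.com",
    "eztest@server.com.example",
    "eztest@serverXcom",
]

if __name__ == "__main__":
    for name, table in (("post", POST_TABLE), ("tight", TIGHT_TABLE)):
        for rcpt, transport in route_all(table, SAMPLE).items():
            print(f"{name:5} {rcpt:32} -> {transport or 'default transport'}")
```

The look-alike domains only matter for domains this Postfix accepts mail for, but the anchored form costs nothing and keeps the qmail pipe reserved for the lists.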

Set up qmail

Just do a standard port installation, but do not enable qmail as your default MTA; after all, you want that to be postfix, right?

After starting everything you can test it.

Create a new mailing list:

# ezmlm-make ~alias/eztest ~alias/.qmail-eztest eztest server.com
# chown -R alias ~alias/eztest

Add a test subscriber:

# ezmlm-sub ~alias/eztest user@example.com

And that’s it. :) Of course your list probably needs some changes in its configuration files (~alias/eztest/), but this is all well documented in ezmlm(5).

OpenBSD 4.3 on the Soekris net 5501

May 1st, 2008

Filed under: bsd — admin @ 10:51 am

OpenBSD 4.3 has just been released. I’ve just tested installing it on a net 5501. The installation procedure is exactly the same as for OpenBSD 4.2, described here. The only exception is that I couldn’t find pxeboot in the install43.iso file downloaded from ftp.openbsd.org (I’ll check whether it’s on the original CDs when they arrive). It’s not a problem, as the one from the previous release works fine.

Currently I can’t really find any improvements in 4.3 that would be especially useful on the net 5501, as was the case with 4.2 and the net 4501 (performance improvements to pf and many updates to sis(4)). However, one nice thing is the new snmp daemon in the base system. This could be quite useful when tracking usage statistics on routers with, for example, network weathermap.

Running OpenBSD 4.2 on the Soekris net 5501

April 28th, 2008

Filed under: bsd — admin @ 2:25 pm

Why OpenBSD?

A bit of explanation first. I did some test installations of FreeBSD 6.x on an older Soekris net 4801 box and found out, to my surprise, that it didn’t run as fast and stably as OpenBSD. Additionally, compared to OpenBSD, installing FreeBSD over PXE on the Soekris was a bit of a nightmare.

Instructions

Console connection

As Soekris boxes don’t come with VGA cards, the only way to access and configure them is through a console cable. I’m using a standard console cable connected to my FreeBSD box. The only non-standard thing is the default console speed, which on the Soekris is set to 19200. So to get it working under FreeBSD you need to run:

# cu -s 19200 -l /dev/cuad0

If you reboot your Soekris now you should see something like:

comBIOS ver. 1.33  20070103  Copyright (C) 2000-2007 Soekris Engineering.
net5501
0512 Mbyte Memory                        CPU Geode LX 500 Mhz
Pri Mas  CF CARD 2GB                     LBA Xlt 983-64-63  1982 Mbyte

Slot   Vend Dev  ClassRev Cmd  Stat CL LT HT  Base1    Base2   Int

-------------------------------------------------------------------
0:01:2 1022 2082 10100000 0006 0220 08 00 00 A0000000 00000000 10
0:06:0 1106 3053 02000096 0117 0210 08 40 00 0000E101 A0004000 11
0:07:0 1106 3053 02000096 0117 0210 08 40 00 0000E201 A0004100 05
0:08:0 1106 3053 02000096 0117 0210 08 40 00 0000E301 A0004200 09
0:09:0 1106 3053 02000096 0117 0210 08 40 00 0000E401 A0004300 12
0:20:0 1022 2090 06010003 0009 02A0 08 40 80 00006001 00006101
0:20:2 1022 209A 01018001 0005 02A0 08 00 00 00000000 00000000
0:21:0 1022 2094 0C031002 0006 0230 08 00 80 A0005000 00000000 15
0:21:1 1022 2095 0C032002 0006 0230 08 00 00 A0006000 00000000 15

1 Seconds to automatic boot.   Press Ctrl-P for entering Monitor.

Intel UNDI, PXE-2.0 (build 082)

Copyright (C) 1997,1998,1999  Intel Corporation

VIA Rhine III Management Adapter v2.43 (2005/12/15)

CLIENT MAC ADDR: 00 00 24 DE AD AA

And your system will start a PXE boot. At this point, note down your MAC address (in this case 00:00:24:DE:AD:AA), as you will need it in the next step.

DHCP

I’m using a ports based installation of isc-dhcp3-server running on FreeBSD.

To boot your Soekris box over PXE you need to set up a DHCP server that hands out the tftp server details. I’m doing it by creating a separate host entry for my Soekris:

host soekris {
    hardware ethernet 00:00:24:DE:AD:AA;
    option tftp-server-name "10.0.0.1";
    option root-path "10.0.0.1:/tftpboot";
    next-server 10.0.0.1;
    filename "pxeboot";
    option routers 10.0.0.1;
}

This tells the Soekris box to use the tftp server at 10.0.0.1 and to fetch and run the pxeboot file from it.

TFTP

I’m running a tftp server on my FreeBSD box at 10.0.0.1. To set it up, just make sure this line is enabled (uncommented) in your /etc/inetd.conf:

tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /tftpboot

Now enable inetd in your /etc/rc.conf and start it (/etc/rc.d/inetd start).

At this point your tftp server is ready; now it’s time to prepare the files needed to install OpenBSD. Mount your OpenBSD installation CD (or an ISO of it) and run the following on your TFTP server:

# cd /tftpboot
# mkdir 4.2 etc
# cp /mnt/cdrom/4.2/i386/bsd.rd /mnt/cdrom/4.2/i386/pxeboot .
# cp -Rv /mnt/cdrom/4.2/i386 4.2/

and finally create /tftpboot/etc/boot.conf with the following content:

set tty com0
stty com0 19200
set image /4.2/i386/bsd.rd

Installation

Now, after rebooting your Soekris, it should fetch the OpenBSD ramdisk kernel (bsd.rd) and start the installation process. Follow it as you normally would ( http://openbsd.org/faq/faq4.html ) with only these exceptions:

  • do not create a swap partition if you are using a CF card, unless you really know what you’re doing.
  • answer yes when asked “change the default console to com0”
  • answer 19200 when asked “Which one should com0 use?” about the speed of your com0 console

After installing all required packages and finishing the whole process you should have a working OpenBSD installation on your Soekris.

There is only one last thing to be done. By default the Soekris boots via PXE first and only then from its primary IDE drive (your CF card in this case). You can either comment out the soekris section in your DHCP configuration or change the default boot order in the Soekris BIOS. To do that, reboot the Soekris, hit ctrl+p to enter the Monitor and type:

set BootDrive=80 81 F0 FF

IPsec synchronization with OpenBSD

April 10th, 2008

Filed under: bsd — admin @ 12:03 am

The goal is to have two IPsec hubs, one master and one slave, where the slave can take over when the master goes down and it can do it without losing all established IPsec tunnels.

With OpenBSD it’s really straightforward, as all the features needed to do it are in the base system: carp, pfsync and sasyncd.

We start with two hosts: master with IP 192.168.1.1 and slave with 192.168.1.2.

First we set up carp so both servers share one IP address. This IP will be used as the endpoint for establishing all IPsec tunnels.

master# echo "inet 192.168.1.10 255.255.255.0 192.168.1.255 vhid 1 pass yoursecretpasswd" > /etc/hostname.carp0

and

slave# echo "inet 192.168.1.10 255.255.255.0 192.168.1.255 vhid 1 pass yoursecretpasswd advskew 100" > /etc/hostname.carp0

We also need pfsync, not only to synchronize pf states but also to synchronize SA replay counters. Ideally pf states should be synchronized over a dedicated interface and a crossover cable (in the case of 2 failover boxes).

master# echo "up syncdev rl0 syncpeer 172.16.31.2" > /etc/hostname.pfsync0
slave# echo "up syncdev rl0 syncpeer 172.16.31.1" > /etc/hostname.pfsync0

And now it’s time to set up sasyncd. In this simple configuration sasyncd only needs the peer address, the carp interface whose state it will follow (acting as the master sasyncd when the carp interface is in MASTER state and as a slave when it is in BACKUP state) and a shared key used to encrypt the SA updates.

Edit /etc/sasyncd.conf; on the master:

peer 172.16.31.2
interface carp0
sharedkey 0x078433394b762e8c526d5921768e633676a8733db242c7ddd49993c0dca5092a

Use openssl rand -hex 32 to generate your shared key.

and on the slave:

peer 172.16.31.1
interface carp0
sharedkey 0x078433394b762e8c526d5921768e633676a8733db242c7ddd49993c0dca5092a

Now on both servers enable sasyncd by adding sasyncd_flags="" to your /etc/rc.conf.local files.

At this point you can either reboot your servers to get everything started or run:

# sh /etc/netstart
# sasyncd

Test it on your slave box: after a second you should see exactly the same flows and SAD entries with ipsecctl -sa.

jabberd SASL problems

February 19th, 2008

Filed under: bsd — admin @ 10:24 pm

I had some problems with my jabber server. It was just a plain jabberd+mysql installation from ports. For some reason it didn’t want to authenticate with SASL using the digest-md5 mechanism. The only working option was plaintext without SASL, which wasn’t really perfect…

After searching google it turned out to be a problem with the GSASL library, which is the default SASL library used by jabberd.

It looks like jabberd also works with other SASL libraries, cyrus-sasl for example. Even though it’s marked as experimental, it seems to work better than the default GSASL library.

Here’s how to install jabberd with cyrus-sasl:

1. Install cyrus-sasl (/usr/ports/security/cyrus-sasl2)

2. Edit jabberd’s Makefile:

 --- Makefile.orig       2008-02-19 22:11:37.000000000 +0000
+++ Makefile    2008-02-19 22:11:39.000000000 +0000
@@ -15,7 +15,6 @@
 COMMENT=       Online presence and instant messaging server

 LIB_DEPENDS=   expat.6:${PORTSDIR}/textproc/expat2 \
-               gsasl.11:${PORTSDIR}/security/gsasl \
                idn.16:${PORTSDIR}/dns/libidn

 OPTIONS=       MYSQL "Support MySQL (storage/auth/reg)" on \
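Review bot: the LIB_DEPENDS change only drops the gsasl entry; nothing in this hunk adds a dependency on security/cyrus-sasl2, which the --enable-sasl=cyrus build in the next hunk needs at link time, so the port stops declaring the library it actually uses. Add a LIB_DEPENDS line for security/cyrus-sasl2 in place of the removed `gsasl.11:${PORTSDIR}/security/gsasl` one.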
@@ -37,7 +36,7 @@
 USE_LDCONFIG=  ${PREFIX}/lib/jabberd
 CONFIGURE_ARGS+=       --localstatedir=/var \
                --sysconfdir=${PREFIX}/etc/jabberd \
-               --enable-ssl --enable-mio=poll --enable-sasl=gsasl \
+               --enable-ssl --enable-mio=poll --enable-sasl=cyrus \
                --with-extra-include-path="${LOCALBASE}/include ${EIP}" \
                --with-extra-library-path="${LOCALBASE}/lib ${ELP}"
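Review bot: hard-wiring --enable-sasl=cyrus into CONFIGURE_ARGS changes the SASL backend for every build of the port; since the port already has an OPTIONS block (visible in the previous hunk), the cleaner change is to expose the backend as an option and append --enable-sasl=cyrus only when it is selected, so the default stays gsasl and the experimental backend is a deliberate choice.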

3. Run make patch, then edit work/jabberd-2.1.21/sx/sasl_cyrus.c:

--- sasl_cyrus.c.orig   2008-02-19 22:13:53.000000000 +0000
+++ sasl_cyrus.c        2008-02-19 22:14:05.000000000 +0000
@@ -20,7 +20,6 @@

 /* SASL authentication handler */

-#error Cyrus SASL implementation is not supported! It is included here only for the brave ones,\
 that do know what they are doing. You need to remove this line to compile it.

 #include "sx.h"
 #include "sasl.h"
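Review bot: removing only the first line of the #error directive leaves its continuation (`that do know what they are doing. You need to remove this line to compile it.`) in the file, because the removed line ends in a backslash that joined the two; left alone, that bare text is compiled as C and breaks the build. The hunk should remove both lines of the directive.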

4. Continue with make install.

vim key mappings for php/symfony

February 6th, 2008

Filed under: php — admin @ 2:25 pm

I’ve recently added these key mappings to my .vimrc file:

map <C-l> :!php -l %<CR>

This checks the PHP syntax (php -l, lint) of the currently edited file after hitting CTRL-l.

map <F9> :!php ./%<CR>

Press F9 to run your php script.

map <C-s> :!d=`pwd`; until [ -f symfony ] ; do if [ `pwd` = "/" ] ;
 \ then exit ; fi ; cd ../; done; symfony cc; cd $d<CR>

This may be useful when working with symfony projects. After making changes in your symfony project you have to clear the cache if you want to preview them in your browser. This maps CTRL-s to the “symfony cc” command; you can run it from any subdirectory of your symfony project.
