Wednesday, August 31, 2016

email - What value does SenderID provide over SPF and DKIM?

I understand that




  • SPF "binds" a message envelope to a set of permitted IP addresses.


  • SenderID (with the default pra option) "binds" the message header to a set of permitted IPs in addition to the SPF logic.


  • DKIM "binds" the From address header (and any additional headers the sender chooses), and the body, to a DNS domain name.





I'm using the word "bind" above instead of "authorized" because it makes more sense (to me).



Questions:




  1. If SPF already verifies a message's FROM in the envelope, why is there a need to check the headers?


  2. When would the need to verify the envelope (SPF) be different from verifying the headers (SenderID)?


  3. If I'm already verifying the headers with DKIM, why do I need SenderID?



  4. Most large companies I've checked don't disable SenderID with an explicit record. eBay is a notable example of one that does. What is the rationale for disabling SenderID "pra" processing of outbound messages?
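The three mechanisms authenticate three different identities, which is the heart of questions 1 and 2. The following added example (not part of the original post) works out, for one message delivered directly and the same message relayed through a mailing list, which domain SPF, SenderID's PRA selection (RFC 4407 order: Resent-Sender, Resent-From, Sender, From) and DKIM's d= tag would each check; the messages and domains are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the original post): the same mail as
# delivered directly by its author, and as relayed by a mailing list that
# rewrites the envelope and adds a Sender: header but keeps the DKIM signature.
DIRECT = """From: Alice <alice@corp.example>
To: bob@partner.example
DKIM-Signature: v=1; a=rsa-sha256; d=corp.example; s=sel; h=from:to:subject; bh=XXXX; b=YYYY
Subject: Q3 numbers

body
"""

VIA_LIST = """From: Alice <alice@corp.example>
Sender: users-bounces@lists.example
To: users@lists.example
DKIM-Signature: v=1; a=rsa-sha256; d=corp.example; s=sel; h=from:to:subject; bh=XXXX; b=YYYY
Subject: Q3 numbers

body
"""


def domain_of(addr):
    """Domain part of a mailbox, lower-cased; None when there is none."""
    _, mailbox = parseaddr(addr or "")
    return mailbox.rpartition("@")[2].lower() or None


def spf_identity(mail_from, helo):
    """SPF (RFC 7208) checks the envelope: the MAIL FROM domain, or the HELO
    name when MAIL FROM is empty, as it is for bounces."""
    return domain_of(mail_from) if mail_from else helo.lower()


def pra_identity(msg):
    """SenderID's Purported Responsible Address (RFC 4407): the first
    non-empty of Resent-Sender, Resent-From, Sender, From, in that order."""
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        value = msg.get(name)
        if value:
            return domain_of(value)
    return None


def dkim_identity(msg):
    """DKIM binds the signed headers and body to the d= domain of the signature,
    which need not match either the envelope or the From: domain."""
    sig = msg.get("DKIM-Signature") or ""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1).lower() if m else None


def identities(raw, mail_from, helo):
    """Which domain each mechanism would end up authenticating for one message."""
    msg = message_from_string(raw)
    return {
        "spf": spf_identity(mail_from, helo),
        "senderid_pra": pra_identity(msg),
        "dkim": dkim_identity(msg),
    }
```

Run `identities(VIA_LIST, "users-bounces@lists.example", "mx.lists.example")` to see SPF and PRA both land on the list's domain while DKIM still vouches for the author's domain; a plain forwarder that rewrites only the envelope leaves PRA on the author's domain, which is exactly where SPF and SenderID diverge.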


Hosting multiple domains in Exchange Server 2003

My company recently acquired another firm. I am thinking of bringing their mailboxes onto our email server (Exchange Server 2003).





  1. Can I host multiple domains on my Exchange server? Where can I find information on this?

  2. Can I do this without creating another Active Directory domain?



I would prefer to make them a regular user in my current domain (mycompany.com) but have email addresses as theircompany.com



Edit ~ Also, how do I handle reverse lookup? Since I'll be pointing their MX to my current server email.mycompany.com, when they send emails as user@theircompany.com, wouldn't it reverse to email.mycompany.com? Would this cause a problem for reverse lookup?

Tuesday, August 30, 2016

security - Scan POP3 mail accounts for suspicious activity

Is there a way to scan POP3 e-mails for certain domains / keywords assuming user/passwords are known? Our company would like the ability to know if suspicious e-mails are being sent, such as e-mails to/from employees of competitors (particularly if they contain attachments), or e-mails that contain certain internal terminology that should never be sent via e-mail.




All of the POP3 accounts are set to keep e-mails for at least a few days, and we know all users' passwords and usernames, so this doesn't need to be a proxy ... just something that can download and somehow filter/flag.
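One way to do the "download and flag" step the question describes, as an added example that is not from the original post: stdlib `poplib` fetches what is left on the server (RETR does not delete), and a scanner flags messages by correspondent domain, attachment presence and internal keywords. Host, credentials, the watched domains, the keywords and the sample message are all placeholders.

```python
import poplib
import re
from email import message_from_bytes
from email.policy import default
from email.utils import getaddresses


def addresses_in(msg):
    """Every mailbox in From/To/Cc/Bcc, lower-cased."""
    fields = [v for h in ("From", "To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(fields) if addr]


def scan_message(raw, watch_domains, keywords):
    """Reasons to flag one message (empty list means clean).
    watch_domains: correspondent domains of interest, e.g. competitors;
    keywords: internal terms that must not leave by e-mail."""
    msg = message_from_bytes(raw, policy=default)
    reasons = []
    hits = {a for a in addresses_in(msg) if a.rpartition("@")[2] in watch_domains}
    if hits:
        reasons.append("correspondent in watched domain: " + ", ".join(sorted(hits)))
        if any(part.get_filename() for part in msg.walk()):
            reasons.append("message carries an attachment")
    body = "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type() == "text/plain")
    text = str(msg["Subject"] or "") + "\n" + body
    for kw in keywords:
        if re.search(r"\b" + re.escape(kw) + r"\b", text, re.IGNORECASE):
            reasons.append(f"keyword {kw!r} present")
    return reasons


def scan_mailbox(host, user, password, watch_domains, keywords, use_ssl=True):
    """Download every message still on the POP3 server and scan it; RETR does
    not delete, so the users' own clients keep working. Returns {msg_no: reasons}."""
    conn = poplib.POP3_SSL(host) if use_ssl else poplib.POP3(host)
    flagged = {}
    try:
        conn.user(user)
        conn.pass_(password)
        count, _size = conn.stat()
        for number in range(1, count + 1):
            _resp, lines, _octets = conn.retr(number)
            reasons = scan_message(b"\r\n".join(lines), watch_domains, keywords)
            if reasons:
                flagged[number] = reasons
    finally:
        conn.quit()
    return flagged


# Constructed sample (not a real capture) for a stand-alone run.
SAMPLE = b"""From: Dave <dave@ourcompany.example>
To: Eve <eve@competitor.example>
Subject: Project Falcon roadmap
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached is the Falcon roadmap, please keep it internal.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="roadmap.pdf"

%PDF-1.4 (placeholder bytes)
--b1--
"""
```

`scan_message(SAMPLE, {"competitor.example"}, ["Project Falcon", "roadmap"])` returns four reasons; run `scan_mailbox("pop.example", "user", "password", ...)` against a real server to apply the same rules to a live mailbox.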

linux networking - Bonding 4 Gigabit ethernet and 2 Fiber SFP+




We received a DL380 with 4 Gigabit Ethernet (normal CAT6), and 2 Fiber SFP+ (HPE 10Gb SR SPF+).
I've successfully managed to bond the 4 Gigabit Ethernet together, and put in place some LACP on our Cisco equipment.



I can successfully bond the 4 Gigabit Ethernet together with the following



auto bond0
iface bond0 inet dhcp
bond-mode 4
bond-primary eno1
bond-slaves eno1 eno2 eno3 eno4

bond-miimon 100
bond-downdelay 400
bond-updelay 800


According to this post it's impossible to add one of the Fiber Channel ports to the bonding group?
Sadly, the solution provided is... 404



I'm curious if things have changed since then?
Can we bond 1Gb Ethernet with 10Gb SFP+ Fiber?


Answer




Sorry, when you say 'Fibre Channel' do you mean Fibre Channel or plain old Ethernet over fibre? Because... they're very different indeed. For a start, do your FC SFP+s actually say 10Gbps? As that's not a valid FC port speed - they go up in 'binary' (1, 2, 4, 8, 16, 32, etc.), not 'decimal' like Ethernet (1, 10, 100, 1000, 10000, 100000, etc.) - it'll be printed on the actual SFP+. Also, what make/model of 'Fibre Channel' adapter does it have?



Although technically you can do IP-over-FC (I know, I did it once, painful), nobody does; FC and Ethernet are very different protocols, and while some switches (Cisco Nexus for one) allow you to plug FC SFP/SFP+s into their unified ports to allow for downstream conversion to FCoE, at no time does the FC port 'talk' Ethernet.


Sunday, August 28, 2016

node.js - Nodejs Nginx error: (13: Permission denied) while connecting to upstream

I'm trying to run multiple Node.js applications behind an Nginx server running on CentOS 7. I noticed that when I run a Node.js app on some ports I get a 502 Bad Gateway error in the browser, so I checked the error logs:



[notice] 12806#0: signal process started
[crit] 12807#0: *13 connect() to 127.0.0.1:7777 failed (13: Permission denied) while connecting to upstream, client: **.**.99.58, server: myapp.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:7777/", host: "myapp.com"
[crit] 12807#0: *13 connect() to [::1]:7777 failed (13: Permission denied) while connecting to upstream, client: **.**.99.58, server: myapp.com, request: "GET / HTTP/1.1", upstream: "http://[::1]:7777/", host: "myapp.com"



When I change the app to listen on 8008, for example, everything works fine. I checked permissions and whether the process is running as root, and everything seems OK. I played with the timeouts as well but no result. Can anyone help?

Configuring private name servers and reverse DNS



I have a VPS setup to host five domains from a single IP address. After some help from a previous post here, my DNS for the main domain has this configuration:



; cPanel first:11.34.2.8 (update_time):1458686884 Cpanel::ZoneFile::VERSION:1.3 hostname:supernova.lamardesigngroup.com latest:11.54.0.20
; Zone file for lamardesigngroup.com
$TTL 14400

lamardesigngroup.com. 86400 IN SOA ns1.lamardesigngroup.com. rlamar4088.aol.com. (
2016032103 ;Serial Number
86400 ;refresh
7200 ;retry
3600000 ;expire
86400 ;minimum
)
lamardesigngroup.com. 86400 IN NS ns1.lamardesigngroup.com.
lamardesigngroup.com. 86400 IN NS ns2.lamardesigngroup.com.
lamardesigngroup.com. 14400 IN A 212.1.213.8

lamardesigngroup.com. 14400 IN MX 50 lamardesigngroup.com.
mail 14400 IN CNAME lamardesigngroup.com.
www 14400 IN CNAME lamardesigngroup.com.
supernova 14400 IN A 212.1.213.8
ns1 14400 IN A 212.1.213.8
ns2 14400 IN A 212.1.213.8


and here is how I set up my reverse DNS zone:




; cPanel first:11.54.0.21 (update_time):1459092416 Cpanel::ZoneFile::VERSION:1.3 hostname:supernova.lamardesigngroup.com latest:11.54.0.21
; Zone file for 213.1.212.in-addr.arpa
$TTL 14400
213.1.212.in-addr.arpa. 86400 IN SOA ns1.lamardesigngroup.com. bobl.lamardesigngroup.com. (
2016032407 ;Serial Number
3600 ;refresh
7200 ;retry
1209600 ;expire
86400 ;minimum
)

213.1.212.in-addr.arpa. 86400 IN NS ns1.lamardesigngroup.com.
213.1.212.in-addr.arpa. 86400 IN NS ns2.lamardesigngroup.com.
8 14400 IN PTR lamardesigngroup.com.


When running a DNS check on lamardesigngroup.com I get this error about my reverse DNS.




Reverse MX A records (PTR) ERROR: No reverse DNS (PTR) entries. The problem MX records are:
8.213.1.212.in-addr.arpa -> no reverse (PTR) detected





What changes do I need to make to get this setup properly? My hosting provider gives me a primary nameserver IP of 31.220.19.53, do I need to use that somewhere in here?


Answer



Normally, your IP address provider should configure the PTR record. Unless the PTR record has been delegated you won't be able to configure a PTR visible to external DNS checkers. If it is delegated, the address format will be different. You can check external DNS for your IP. It appears you do currently have a PTR record.



You need only one MX server for all the domains. The fully qualified domain name of the MX should be what is returned by the PTR record. I would suggest you use a name like smtp.lamardesigngroup.com. as your MX. It can have the same IP address as lamardesigngroup.com.



Using the same IP for ns1 and ns2 will eventually cause you issues. Do try to find someone to mirror your DNS. There are reliable free DNS mirrors.


domain name system - Mailgun mails bouncing, possible DNS records are wrong?



This has probably been asked and answered before, but I'm a bit lost because I don't know what's happening and therefore don't know what to look for. I would not only like a solution of course, but I would also like to understand what's happening. I have a technical background, but in software development. Servers, DNS records, etc. are a bit new to me (although I've managed).



I'm running a web application on shared hosting. I have access to a Plesk control panel (I believe 12.5). The domain name is registered at another company. And for sending mails, I'm using Mailgun (calling their API).



Now, some mails bounce (others don't), with messages like:





  • Sender address rejected: Domain not found

  • sorry, your domain does not exists.



When I use MXToolbox, an MX Lookup looks fine. But when I test the email server (with MXToolbox), I see the following messages:




  • Reverse DNS does not match SMTP Banner


  • Warning - Does not support TLS



I don't think the second is a problem (?), but the first one might be? When I do a check for SPF I see:




  • DNS Record not found



Should I fix this? (I've heard about SPF in mail contexts) This question seems to suggest I should add an SPF record, but I currently can't in Plesk 12.5.




On the other hand, Mailgun itself says everything is fine (apart from the records, but as I read it, they're not important for sending mails?):
Mailgun DNS



So what's going on here? And how can I fix it, or what should I know to dig deeper?



Update



The domain this is happening on is peergroups.be




An example of headers of a mail that was received:




Delivered-To: peter.morlion@gmail.com
Received: by 10.100.161.143 with SMTP id q15csp289063pjc;
Wed, 24 May 2017 04:10:04 -0700 (PDT)
X-Received: by 10.98.93.217 with SMTP id n86mr37944933pfj.113.1495624203335;
Wed, 24 May 2017 04:10:03 -0700 (PDT)
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of bounce+3c1c7e.55be3c-no-reply=peergroups.be@mg.peergroups.be designates 198.61.254.51 as permitted sender) smtp.mailfrom=bounce+3c1c7e.55be3c-no-reply=peergroups.be@mg.peergroups.be;

dkim=pass header.i=@mg.peergroups.be
Received-SPF: pass (google.com: domain of bounce+3c1c7e.55be3c-no-reply=peergroups.be@mg.peergroups.be designates 198.61.254.51 as permitted sender) client-ip=198.61.254.51;
Received: by 10.99.134.67 with POP3 id x64mf19905540pgd.0;
Wed, 24 May 2017 04:10:02 -0700 (PDT)
X-Gmail-Fetch-Info: no-reply@peergroups.be 4 peergroups.be 110 no-reply@peergroups.be
DomainKey-Status: good
Received: from so254-51.mailgun.net ([198.61.254.51]) by home with MailEnable ESMTP; Wed, 24 May 2017 06:15:04 -0400
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.peergroups.be; q=dns/txt; s=pic; t=1495620904; h=Content-Type: Mime-Version: Subject: From: To: Message-Id: Date: Sender; bh=60eeErLSy3DUfbYC4arXt0KAzdkuCC532GBme+wUcGk=; b=ky0zW94QsXQqkl8LFf+S0YI87ltc92JRKbl4sxN2HKe6ZJwsBBfIJMr5IQGg+LVBCxb0wt3b jcAVWRGFzHVXmIk/y5Ejphp1LwrkKKg62rocD6Jx4ZZFLsDiTMaXa3k108wnEhQuK4vbiEZP QUtpRzdcoaYC5AtFzoaQ9PYPU6g=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=mg.peergroups.be; s=pic; q=dns; h=Sender: Date: Message-Id: To: From: Subject: Mime-Version: Content-Type; b=O0C2WmpWCejy1cmQF1zc8spQo3zdEe7EV14Niynve2ilpUBguylHYU/muTCkD+n6saCKjK fvyjkBsvkxI6r2dA1myRBq8RQ9jZjgFxPjG6QgVSw9xObYz69QssRGrEAIZonOUMjoTzqrbd uDAM11KpxXB488y9NzH8LmzaXTAig=
Sender: no-reply=peergroups.be@mg.peergroups.be

Date: Wed, 24 May 2017 10:15:04 +0000
X-Mailgun-Sending-Ip: 198.61.254.51
X-Mailgun-Sid: WyIxMjkwYSIsICJuby1yZXBseUBwZWVyZ3JvdXBzLmJlIiwgIjU1YmUzYyJd
Received: by luna.mailgun.net with HTTP; Wed, 24 May 2017 10:15:03 +0000
Message-Id: <20170524101503.72580.5AE8265694D87481@mg.peergroups.be>
To: no-reply@peergroups.be
From: Peergroups
Subject: Some subject here
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="c9281a23246040cfb8a7081ab45d40f5"

Return-Path:


Answer



It seems I made a small mistake where I added the MX records for Mailgun using the peergroups.be domain, but Mailgun was using mg.peergroups.be. Adding MX records for mg.peergroups.be solved it. This also became apparent in the Mailgun dashboard, where the orange warning signs you see in the screenshot above became green checkmarks.
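Both the reverse-DNS question above (the "Reverse MX A records (PTR)" failure) and this Mailgun bounce come down to checks a receiving MTA makes on DNS, so the following added example (not from either post) implements both: forward/reverse agreement for an MX host, and the MX-or-A existence rule behind "Sender address rejected: Domain not found" applied to the envelope domain read from an Authentication-Results header. The live resolver is stdlib-only and therefore cannot query MX; the table-backed resolver and its records are constructed for the offline run.

```python
import re
import socket


def stdlib_resolver():
    """Live lookups with the stdlib only: A via gethostbyname, PTR via
    gethostbyaddr. The stdlib cannot query MX, so that lookup returns [] and
    the deliverability check falls through to the implicit-MX (A record) rule;
    swap in a real MX lookup (e.g. from a DNS library) for production use."""
    return {
        "a": lambda name: [socket.gethostbyname(name)],
        "ptr": lambda ip: [socket.gethostbyaddr(ip)[0]],
        "mx": lambda name: [],
    }


def table_resolver(a, ptr, mx):
    """Offline resolver over constructed tables; missing keys raise like NXDOMAIN."""
    def lookup(table):
        def query(key):
            if key not in table:
                raise OSError(f"no record for {key}")
            return table[key]
        return query
    return {"a": lookup(a), "ptr": lookup(ptr), "mx": lookup(mx)}


def mx_reverse_check(mx_host, resolver):
    """The 'Reverse MX A records (PTR)' test: each A of the MX host must have a
    PTR that names the MX host itself. Returns (ok, detail)."""
    mx_host = mx_host.rstrip(".").lower()
    try:
        ips = resolver["a"](mx_host)
    except OSError:
        return False, f"{mx_host}: no A record"
    for ip in ips:
        try:
            names = [n.rstrip(".").lower() for n in resolver["ptr"](ip)]
        except OSError:
            return False, f"{ip}: no PTR record"
        if mx_host not in names:
            return False, f"{ip}: PTR {names} does not name {mx_host}"
    return True, f"{mx_host}: forward and reverse agree on {ips}"


def sender_domain_accepted(domain, resolver):
    """An MTA answering 'Sender address rejected: Domain not found' requires the
    envelope-sender domain to have an MX record, or failing that an A record
    (the implicit-MX rule). Returns (ok, detail)."""
    domain = domain.rstrip(".").lower()
    try:
        if resolver["mx"](domain):
            return True, f"{domain}: has MX"
    except OSError:
        pass
    try:
        if resolver["a"](domain):
            return True, f"{domain}: no MX, implicit MX via A"
    except OSError:
        pass
    return False, f"{domain}: neither MX nor A, remote MTAs will reject MAIL FROM"


def envelope_domain(authentication_results):
    """Envelope-sender domain as recorded by the receiver (smtp.mailfrom=)."""
    m = re.search(r"smtp\.mailfrom=(?:[^;\s]*@)?([^;\s]+)", authentication_results)
    return m.group(1).lower() if m else None
```

Feeding the Authentication-Results line from the headers above to `envelope_domain` yields `mg.peergroups.be`, the domain that needed the MX records; `mx_reverse_check` with `stdlib_resolver()` reproduces the PTR test against live DNS.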


networking - KVM bridged network like in virtualbox



I have a server with 3 NICs running OpenSUSE 13.2 with KVM installed. I have installed Debian as a guest.



My network is 192.168.88.0/24, DHCP server is at 192.168.88.1. Now I want my guest to also get a 192.168.88.x IP-address from the DHCP server. This behaviour is possible with VirtualBox using "Bridged networking".




I found this page about networking in KVM: http://www.linux-kvm.org/page/Networking. User networking, private virtual bridge and public virtual bridge aren't what I want.



I instead used "Virtual network default: NAT". Now my VM is getting an IP, but 192.168.122.x.



How can I give the VM an IP in the same range as the host OS, without losing the IP of the host OS?



Thanks!


Answer



Some time ago I found out what I was doing wrong. I was creating the network bridge in YaST, the configuration tool for OpenSUSE. However, you should (of course..) create the network bridge in the virt-manager tool:







Inside this window I can configure everything I want. You can also configure the network interfaces themselves:





Saturday, August 27, 2016

storage - write hole: which RAID levels are affected?




In my journey to understanding the advantages of RAIDZ, I came across the concept of the write hole.



As this page explains, a write hole is the inconsistency you get among the disks of the array when the power is lost during a write. That page also explains that it affects both RAID-5/6 (if the power is lost after the data has been written, but before the parity has been calculated) and RAID-1 (data is written to one disk but not the others), and that it is an insidious problem that can only be detected during either a resync/scrub, or (disastrously) during the reconstruction of one of the disks... however, most of the other sources talk about it as if it only affected parity-based RAID levels.



From what I understand, I think this could be a problem for RAID-1 too, as reads from the disks containing the hole would return garbage, so... is it a problem for every RAID level or not? Is it implementation-dependent? Does it affect software RAID only, or also hardware controllers? (extra: how does mdadm fare in this regard?)


Answer



The write hole can affect every RAID level but RAID-0; both striped (RAID-4/5/6) and mirrored (RAID-1) configurations may be vulnerable, simply due to the fact that atomic writes are impossible in 2 or more disks.



I say "may" because the problem is implementation-dependent. Leaving aside next-gen filesystem solutions such as RAID-Z, classic software-RAID implementations have also found ways to tackle this: mdadm has relatively recently introduced a journal feature that uses dedicated cache disks to avoid it, and even if you choose not to use this feature, it also forces a resync after every unclean shutdown, thus catching and resolving the write hole as soon as it happens.




Thanks to the #zfs irc channel for the help!
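The answer's three claims (parity and mirrored levels are both exposed, a scrub detects the hole, a later rebuild does not) can be reproduced on a toy array; the following added example is not from the thread and models a single RAID-5 stripe and a two-way mirror with no cache, chunking or parity rotation, plus the resync-after-unclean-shutdown repair the answer attributes to mdadm.

```python
def xor(*blocks):
    """Byte-wise XOR of equal-length blocks (what RAID-5 parity is)."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


class Raid5Stripe:
    """One stripe of a 3-disk RAID-5: disks[0], disks[1] hold data, disks[2]
    parity. Toy model: no chunking, no parity rotation, no controller cache."""

    def __init__(self, size=8):
        self.disks = [bytes(size)] * 3
        self.dirty = False  # like the 'array not clean' flag mdadm keeps on disk

    def write(self, idx, data, power_fails_before_parity=False):
        """Read-modify-write of one data block. The data write and the parity
        write are separate I/Os, so power can be lost between them."""
        self.dirty = True
        old = self.disks[idx]
        self.disks[idx] = data
        if power_fails_before_parity:
            return  # on-disk parity still describes the OLD data: the write hole
        self.disks[2] = xor(self.disks[2], old, data)
        self.dirty = False

    def scrub(self):
        """Parity check over the stripe; False means an inconsistency exists."""
        return xor(self.disks[0], self.disks[1]) == self.disks[2]

    def reconstruct(self, failed):
        """What a rebuild returns for a lost disk: XOR of the surviving two."""
        return xor(*[d for i, d in enumerate(self.disks) if i != failed])

    def resync(self):
        """Forced resync after an unclean shutdown: recompute parity from the
        data disks so that later rebuilds are at least self-consistent."""
        self.disks[2] = xor(self.disks[0], self.disks[1])
        self.dirty = False


class Raid1Mirror:
    """Two-way mirror: the same block is written to each disk in turn."""

    def __init__(self, size=8):
        self.disks = [bytes(size)] * 2

    def write(self, data, power_fails_after_first=False):
        self.disks[0] = data
        if not power_fails_after_first:
            self.disks[1] = data

    def scrub(self):
        return self.disks[0] == self.disks[1]


def write_hole_demo():
    """RAID-5: interrupted write, then a scrub (detects it) and a rebuild of a
    different disk (returns garbage without complaint). RAID-1: interrupted
    write leaves two copies that disagree, so reads depend on which disk answers."""
    a, b = b"AAAAAAAA", b"BBBBBBBB"
    stripe = Raid5Stripe()
    stripe.write(0, a)
    stripe.write(1, b)
    stripe.write(0, b"aaaaaaaa", power_fails_before_parity=True)  # power loss here
    rebuilt_b = stripe.reconstruct(1)  # disk 1 dies later; rebuild from disk 0 + parity
    mirror = Raid1Mirror()
    mirror.write(b"MMMMMMMM")
    mirror.write(b"mmmmmmmm", power_fails_after_first=True)
    return {
        "raid5_scrub_detects": not stripe.scrub(),
        "raid5_rebuilt_b": rebuilt_b,  # b'bbbbbbbb', not the b'BBBBBBBB' that was stored
        "raid5_rebuild_silently_wrong": rebuilt_b != b,
        "raid1_copies_differ": not mirror.scrub(),
    }
```

Calling `resync()` on the interrupted stripe before the second disk fails makes the rebuild return the real data again, which is the point of mdadm forcing a resync after an unclean shutdown.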


apache 2.2 - How can I use SetEnvIf to set a variable based on the Http Host?



I'm trying to set a variable on Apache



ENV=DEV if the http host is the dev URL



or



ENV=PRD if the http host is the prd URL




and then use $_SERVER['ENV'] to create some logic branches



So far none of these have worked for me and we do have the setenvif module installed



SetEnvIfNoCase Referer
SetEnvIfNoCase Remote_Host


What's the right way to do this?



Answer



Taking a quick look at the documentation:




The SetEnvIf directive defines environment variables based on attributes of the request. The attribute specified in the first argument can be one of three things:



An HTTP request header field (see RFC2616 for more information about these); for example: Host, User-Agent, Referer, and Accept-Language. A regular expression may be used to specify a set of request headers.




So, it's certainly possible to make an environment variable conditional on the Host header. It looks like you're trying to use either the Referer or Remote_Host headers, neither of which is exactly what you want (although in theory Referer should contain the value of the Host header in most cases). Remote_Host would be the hostname of the client making the request, which is not at all what you want (and in most configurations would simply not be available, since it's typical to have DNS lookups turned off for performance reasons).




Try something like this:



SetEnvIf Host "www-dev\.example\.com" ENV=DEV
SetEnvIf Host "www-production\.example\.com" ENV=PRD



...and then use $_SERVER['ENV'] to create some logic branches





But note also that you can simply reference the value of the Host header directly in PHP without going through this chicanery; $_SERVER['HTTP_HOST'] will have exactly what you want.
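One caveat on the answer above that matters when ENV drives logic branches: the Host header is supplied by the client, SetEnvIf patterns are unanchored regular-expression searches, and with name-based virtual hosts a request whose Host matches no ServerName still lands on the default vhost, so a Host value that merely contains the dev hostname would set ENV=DEV on the production server. The following added example (not from the answer or from Apache) emulates SetEnvIf's matching so the two rules can be audited against constructed Host values beside an anchored variant.

```python
import re

# The two rules from the answer above, exactly as Apache would treat them:
# SetEnvIf patterns are unanchored regular-expression searches.
AS_ANSWERED = [
    (r"www-dev\.example\.com", "DEV"),
    (r"www-production\.example\.com", "PRD"),
]

# Anchored variant: whole-header match, tolerating the ':port' a client may
# append, so only the exact hostnames select an environment.
ANCHORED = [
    (r"^www-dev\.example\.com(:\d+)?$", "DEV"),
    (r"^www-production\.example\.com(:\d+)?$", "PRD"),
]


def setenvif_host(host_header, rules):
    """Emulate 'SetEnvIf Host <regex> ENV=<value>' for one request: rules run
    in order and each match (re)sets ENV, so the last match wins. The result is
    what PHP would find in $_SERVER['ENV'] (None: variable not set)."""
    env = None
    for pattern, value in rules:
        if re.search(pattern, host_header):
            env = value
    return env


def audit(rules, host_headers):
    """Map each candidate Host header to the ENV it would select; run this over
    the hostnames you expect AND over odd ones before trusting ENV for anything
    that changes behaviour (debug output, credentials, backend endpoints)."""
    return {host: setenvif_host(host, rules) for host in host_headers}


# Constructed Host header values: the two legitimate names, one with a port,
# and one longer name that merely contains the dev hostname as a substring.
CANDIDATES = [
    "www-dev.example.com",
    "www-production.example.com",
    "www-dev.example.com:8080",
    "www-dev.example.com.other.test",
]
```

`audit(AS_ANSWERED, CANDIDATES)` assigns DEV to the last candidate, `audit(ANCHORED, CANDIDATES)` does not; a setting that must not depend on request data is better placed as a plain `SetEnv ENV DEV` inside the dev `<VirtualHost>` block.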


ESXi 5.1 Storage vMotion



We have a 5.1 vCenter server, with several hosts, some on 5.0 and others on 5.1.



We are licensed in Standard edition.



Using the vCenter Web Client we can Storage vMotion VMs between the 5.1 hosts (with local storage).



However, using the vSphere Client (Desktop client), we can't do that, the option to 'Change both host and datastore' is grayed out with a note saying





The virtual machine must be powered off to change the VM's host and datastore.




Any ideas on what to check? Looks like a bug in the vSphere Client.



Versions:




  • vCenter 5.1.0, 1123961


  • hosts ESXi 5.1.0, 1065491

  • vSphere Client: 5.1.0 1064113


Answer



VMotion without shared storage in 5.1 can only be done from the vSphere Web Client.



There was no more development of the vSphere Client - especially for the new 5.1 features.



Refer to VMware blog here. It seems vSphere Client is being deprecated.




And refer to the 5.1 release notes:




vSphere Client. In vSphere 5.1, all new vSphere features are available only through the vSphere Web Client. The traditional vSphere Client will continue to operate, supporting the same feature set as vSphere 5.0, but not exposing any of the new features in vSphere 5.1.



Friday, August 26, 2016

Hyper-V & SSD Best Performance



I'm building a Hyper-V host using Windows Server 2012. It will be hosting 3 Hyper-V images.



I have a SSD and a larger standard HD. I cannot fit everything on the SSD.




Performance wise, will I be better off using the SSD for the host OS, or using it for the VHDs?


Answer



Put the host OS on a partition on the standard HD. Leave some space on the standard HD for VM overflow... even if you can fit all of the VMs on the SSD right now, you need to expect some growth.



Then put as many of the VMs as you can on the SSD. This may mean using multiple VHDs per VM, to separate the VM OS from the application hosted on that OS. If you have some applications that lend themselves to this, begin this process now, even if you can fit the whole VM on the SSD. It will make it easier to move later.


Wednesday, August 24, 2016

performance tuning - Apache HTTPD configuration for high load

Good day,



I want to be able to serve at least 7000 (preferably 10k) concurrent requests from my Apache Httpd. I have configured my httpd.conf with MPM worker with the following setup



ServerLimit          330
StartServers 25
ThreadsPerChild 25
MaxClients 7500



My Apache Httpd server does nothing except do a reverse proxy against a cluster of java app servers and some (disk) caching on some static items like HTML/CSS/JS.



While trying to pound my system using JMeter (with about 1k concurrent requests), in a couple of minutes, my server starts to crash but it shows no additional information.



My /etc/security/limits.conf is configured to



*                soft    nofile          10000
* hard nofile 30000
apache soft nproc 8192
apache hard nproc 12288

* soft stack 512
* hard stack 1024


Any ideas how I can reach 7k (or preferably 10k) concurrent requests?



[Mon Apr 09 21:47:42 2012] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Mon Apr 09 21:47:42 2012] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Mon Apr 09 21:47:42 2012] [alert] (11)Resource temporarily unavailable: setuid: unable to change to uid: 48
[Mon Apr 09 21:47:42 2012] [alert] (11)Resource temporarily unavailable: setuid: unable to change to uid: 48

[Mon Apr 09 21:47:42 2012] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Mon Apr 09 21:47:42 2012] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Mon Apr 09 21:47:42 2012] [alert] (11)Resource temporarily unavailable: setuid: unable to change to uid: 48
[Mon Apr 09 21:47:42 2012] [alert] (11)Resource temporarily unavailable: setuid: unable to change to uid: 48
[Mon Apr 09 21:47:42 2012] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Mon Apr 09 21:47:42 2012] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Mon Apr 09 21:47:42 2012] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Mon Apr 09 21:47:42 2012] [alert] (11)Resource temporarily unavailable: setuid: unable to change to uid: 48
[Mon Apr 09 21:47:42 2012] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Mon Apr 09 21:47:42 2012] [alert] (11)Resource temporarily unavailable: setuid: unable to change to uid: 48

[Mon Apr 09 21:47:42 2012] [alert] (11)Resource temporarily unavailable: setuid: unable to change to uid: 48
[Mon Apr 09 21:47:42 2012] [alert] Child 15139 returned a Fatal error... Apache is exiting!
[Mon Apr 09 21:47:42 2012] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Mon Apr 09 21:47:46 2012] [warn] child process 14004 still did not exit, sending a SIGTERM


EDIT (Additional Info):



This is me trying to see how many active httpd processes that I have while the test is running (each command is about 1second apart - i.e. me pressing the up key on my keyboard and then pressing enter)




[franz@webserver ~]$ ps -ef | grep httpd | wc -l
5
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
5
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
8
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
8
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
8

[franz@webserver ~]$ ps -ef | grep httpd | wc -l
9
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
9
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
9
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
9
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
9

[franz@webserver ~]$ ps -ef | grep httpd | wc -l
9
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
10
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
10
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
10
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
10

[franz@webserver ~]$ ps -ef | grep httpd | wc -l
10
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
11
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
11
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
13
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
13

[franz@webserver ~]$ ps -ef | grep httpd | wc -l
17
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
17
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
25
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
25
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
41

[franz@webserver ~]$ ps -ef | grep httpd | wc -l
41
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
39
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
39
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
39
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
39

[franz@webserver ~]$ ps -ef | grep httpd | wc -l
39
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
39
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
39
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
39
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
39

[franz@webserver ~]$ ps -ef | grep httpd | wc -l
39
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
39
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
37
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
37
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
36

[franz@webserver ~]$ ps -ef | grep httpd | wc -l
36
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
36
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
36
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
36
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
36

[franz@webserver ~]$ ps -ef | grep httpd | wc -l
36
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
36
[franz@webserver ~]$ ps -ef | grep httpd | wc -l
1
[franz@webserver ~]$ ps -ef | grep httpd | wc -l


Update:

If I add ThreadStackSize, it does not crash anymore:
ServerLimit 330
StartServers 25
ThreadsPerChild 25
MaxClients 7500
ThreadStackSize 512



Note: I had stack entries in my limits.conf before adding ThreadStackSize, but I guess that wasn't enough. I had to add both the stack entries in limits.conf and ThreadStackSize in Apache's httpd.conf.



However, it still cannot process 7500 concurrent requests. When I do a ps -ef | grep httpd | wc -l, the highest that I see is 42 only (and since one of that process is the grep command, that means it's about 41 apache httpd processes). But I've configured my apache to reach up to 330.




So to see if my apache configuration can really go beyond 40 processes, I tried modifying my StartServers into 50.



ServerLimit          330
StartServers 50
ThreadsPerChild 25
MaxClients 7500
ThreadStackSize 512



The result is the following:



[Wed Apr 11 03:33:40 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Apr 11 03:33:40 2012] [notice] Digest: generating secret for digest authentication ...
[Wed Apr 11 03:33:40 2012] [notice] Digest: done
[Wed Apr 11 03:33:40 2012] [warn] pid file /etc/httpd/run/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Wed Apr 11 03:33:40 2012] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Wed Apr 11 03:33:40 2012] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Wed Apr 11 03:33:40 2012] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Wed Apr 11 03:33:40 2012] [alert] (11)Resource temporarily unavailable: setuid: unable to change to uid: 48

[Wed Apr 11 03:33:40 2012] [alert] (11)Resource temporarily unavailable: setuid: unable to change to uid: 48
[Wed Apr 11 03:33:40 2012] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Wed Apr 11 03:33:40 2012] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Wed Apr 11 03:33:40 2012] [alert] (11)Resource temporarily unavailable: setuid: unable to change to uid: 48
[Wed Apr 11 03:33:40 2012] [alert] (11)Resource temporarily unavailable: setuid: unable to change to uid: 48
[Wed Apr 11 03:33:40 2012] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Wed Apr 11 03:33:40 2012] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Wed Apr 11 03:33:40 2012] [alert] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread
[Wed Apr 11 03:33:40 2012] [notice] Apache/2.2.15 (Unix) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.0-fips configured -- resuming normal operations
[Wed Apr 11 03:33:40 2012] [alert] Child 55663 returned a Fatal error... Apache is exiting!



So I guess the main problem is that I cannot spawn more than 40 processes.



Update2:
Since I cannot seem to be able to increase the number of processes, I tried increasing the number of threads. I can only go as far as 30 ThreadsPerChild (from the original ThreadsPerChild). After that, Apache is not able to start because it cannot create worker threads.



Does anybody out there have some ideas how to reach 10k concurrent requests with Apache HTTPd?



Why this is not a duplicate:

Pardon, I am not sure why this was marked as duplicate. If the answer to my question is in Can you help me with my capacity planning?, can you kindly highlight how & where? That question is generic in nature while mine is very specific and a more "show me how to specifically reach c10k with apache httpd or point out what's wrong with my setup".



Thanks,



Franz
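The two log messages in the post, apr_thread_create and setuid both failing with EAGAIN ("Resource temporarily unavailable"), are what Linux returns when the target user's RLIMIT_NPROC is reached, and on Linux that limit counts threads, not just processes. The following added example (not from the thread) does the arithmetic for the posted worker MPM settings against a per-user task limit and parses the limit a running child actually has from /proc/<pid>/limits; that a 1024-task limit is what caps this server at about 40 children is an assumption to verify, not something the thread establishes, and the /proc sample is constructed.

```python
import math


def worker_mpm_budget(server_limit, threads_per_child, max_clients):
    """How the worker MPM settings from the post combine."""
    thread_cap = server_limit * threads_per_child
    return {
        "thread_cap": thread_cap,                                # most threads the config allows
        "effective_max_clients": min(max_clients, thread_cap),   # httpd lowers MaxClients to this
        "children_for_max_clients": math.ceil(max_clients / threads_per_child),
    }


def nproc_ceiling(nproc_limit, threads_per_child):
    """Linux charges every thread to the owning user's RLIMIT_NPROC. Once the
    apache user's task count reaches it, pthread_create() in a child and the
    child's own setuid() to that user both fail with EAGAIN, which is exactly
    the 'Resource temporarily unavailable' pair in the error log above."""
    children = nproc_limit // threads_per_child
    return {"children": children, "threads": children * threads_per_child}


def max_processes_from_proc_limits(text):
    """Soft 'Max processes' from /proc/<httpd child pid>/limits: the limit the
    running daemon actually has, which can differ from limits.conf when httpd
    is started from init without a PAM session or when a limits.d file
    overrides the entry. None means unlimited."""
    for line in text.splitlines():
        if line.startswith("Max processes"):
            soft = line.split()[2]
            return None if soft == "unlimited" else int(soft)
    raise ValueError("no 'Max processes' line")


# Constructed sample of /proc/<pid>/limits (not taken from the post).
SAMPLE_LIMITS = """Limit                     Soft Limit           Hard Limit           Units
Max processes             1024                 12288                processes
Max open files            10000                30000                files
"""
```

With the posted values, `worker_mpm_budget(330, 25, 7500)` needs 300 children and allows 8250 threads, more than even the posted soft nproc of 8192 permits for the apache user; `nproc_ceiling(1024, 25)` gives 40 children, the neighbourhood the ps loop shows, so `cat /proc/$(pgrep -u apache -n httpd)/limits` is the first thing to read.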

Tuesday, August 23, 2016

xenserver - Overcommitting memory failing without reaching half of actual RAM



I am running CentOS 6.4 with kernel 2.6.32-358.6.2.el6.x86_64, which is actually running as a Xen VM with 2 GB of RAM.



On this i have set



cat /proc/sys/vm/overcommit_memory  
2


But when I try to start my Java application it shows:




java.io.IOException: Cannot run program "/bin/bash": java.io.IOException: error=12, Cannot allocate memory
Caused by: java.io.IOException: java.io.IOException: error=12, Cannot allocate memory


But actually this machine has 1.5 GB of free memory.



When I set



echo 0 > /proc/sys/vm/overcommit_memory



everything is working fine.



I thought overcommitting memory allowed me to use more virtual RAM (swap + real RAM), but why is it failing even with more free real RAM?


Answer



From this guide:




2 — The kernel fails requests for memory that add up to all of swap plus the percent of physical RAM specified in /proc/sys/vm/overcommit_ratio. This setting is best for those who desire less risk of memory overcommitment.





If you have less than 2 GB of swap, then the kernel will deny the request if overcommit_ratio is set too low. Having it set to "1" allows overcommitting and is good for performance.
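The quoted rule can be turned into numbers. The following added example (not from the thread) computes the CommitLimit that overcommit_memory=2 enforces from a constructed /proc/meminfo and shows why a JVM spawning /bin/bash fails with error=12 while MemFree is large: fork() must be able to commit a copy of the parent's private writable mappings (for a JVM, essentially its heap) even though the child will exec immediately, and modes 0 and 1 skip that CommitLimit check. The meminfo figures and the 800 MB parent size are illustrative assumptions.

```python
def parse_meminfo(text):
    """/proc/meminfo -> {field: kB}."""
    values = {}
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        parts = rest.split()
        if len(parts) == 2 and parts[1] == "kB":
            values[key.strip()] = int(parts[0])
    return values


def commit_limit_kb(meminfo, overcommit_ratio):
    """CommitLimit enforced by overcommit_memory=2 (the quoted rule):
    SwapTotal + MemTotal * overcommit_ratio / 100."""
    return meminfo["SwapTotal"] + meminfo["MemTotal"] * overcommit_ratio // 100


def fork_allowed(meminfo, overcommit_memory, overcommit_ratio, parent_private_kb):
    """Can a process whose private writable mappings total parent_private_kb
    (for a JVM: essentially its heap) fork() a child? In mode 2 the child's
    copy of those mappings must be committed up front, copy-on-write or not,
    even though the child will exec /bin/bash straight away. Modes 0 and 1 do
    not apply CommitLimit, which is why switching to 0 makes the error go away.
    Returns (allowed, details)."""
    if overcommit_memory != 2:
        return True, {"reason": "no strict accounting in mode %d" % overcommit_memory}
    limit = commit_limit_kb(meminfo, overcommit_ratio)
    headroom = limit - meminfo["Committed_AS"]
    return parent_private_kb <= headroom, {
        "CommitLimit_kB": limit,
        "Committed_AS_kB": meminfo["Committed_AS"],
        "headroom_kB": headroom,
        "MemFree_kB": meminfo["MemFree"],
    }


# Constructed /proc/meminfo excerpt for a 2 GB guest with no swap and plenty of
# free RAM (numbers are illustrative, not the asker's).
SAMPLE_MEMINFO = """MemTotal:        2048000 kB
MemFree:         1536000 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Committed_AS:     900000 kB
"""
```

With the default overcommit_ratio of 50 and no swap, CommitLimit is half of RAM and an 800 MB JVM cannot fork even with 1.5 GB free; the same call with overcommit_ratio=100 succeeds, which is the knob the answer points at.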


domain name system - DNS down in Anonymous attack



As I'm writing this our company website and the web-service we developed are down in the big GoDaddy outage resulting from an Anonymous attack (or so says Twitter).
We used GoDaddy as our registrar and we use it for DNS for some domains.



Tomorrow is a new day - what can we do to mitigate such outages?
Simply moving to, say, Route 53 for DNS might not be enough.
Is there any way to remove this single point of failure?



Answer



You can eliminate this single point of failure by using two DNS providers.
It might also be feasible to run your own DNS server on one of your servers.
GoDaddy allows you to do zone transfers from their servers (IIRC premium DNS is required for this).



Get a second DNS provider which allows you to run a slave server (or run it yourself).
Adjust NS/Nserver records so they point to both providers and you are done.
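Once the zone is served from two providers, two things are worth checking on a schedule: that the NS set really spans more than one operator, and that the secondary is still receiving zone transfers (its SOA serial matches the primary's). The following added example (not from the answer) does both; the SOA lookup is injected as a callable because the stdlib has no DNS query API, and the nameserver names and serials are constructed placeholders.

```python
def ns_operators(ns_hosts):
    """Group nameserver hostnames by the domain that operates them (simple
    last-two-labels heuristic; no public-suffix handling)."""
    groups = {}
    for ns in ns_hosts:
        labels = ns.rstrip(".").lower().split(".")
        groups.setdefault(".".join(labels[-2:]), []).append(ns)
    return groups


def check_ns_redundancy(ns_hosts, soa_serial_at):
    """Problems with a zone's NS set. soa_serial_at(ns_host) must return the
    zone's SOA serial as served by that nameserver (raising OSError when it does
    not answer); a table-backed version is below, a live one would sit on a
    DNS library. Flags one operator behind every NS (a single outage takes the
    whole zone down) and serial skew, i.e. a secondary that is no longer
    receiving zone transfers."""
    problems = []
    groups = ns_operators(ns_hosts)
    if len(groups) < 2:
        problems.append("single operator behind all NS records: " + ", ".join(groups))
    serials = {}
    for ns in ns_hosts:
        try:
            serials[ns] = soa_serial_at(ns)
        except OSError:
            problems.append(f"{ns}: does not answer for the zone")
    if len(set(serials.values())) > 1:
        problems.append(f"SOA serial skew across NS set: {serials}")
    return problems


def table_serials(table):
    """Constructed stand-in for a live SOA query: {ns_host: serial}."""
    def query(ns_host):
        if ns_host not in table:
            raise OSError(ns_host)
        return table[ns_host]
    return query


# Constructed NS sets (placeholder operators, not real providers).
ONE_PROVIDER = ["ns1.registrar-a.example", "ns2.registrar-a.example"]
TWO_PROVIDERS = ["ns1.registrar-a.example", "ns2.registrar-a.example",
                 "ns-x.provider-b.example"]
```

`check_ns_redundancy(ONE_PROVIDER, ...)` reports the single point of failure the question describes; a stale serial at the second provider is the silent failure mode of the slave setup the answer recommends.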


Monday, August 22, 2016

apache 2.2 - Setting up Mono/ASP.NET 4.0 on Apache2/Ubuntu: Virtual hosts?

I'm attempting to setup Mono/ASP.NET 4.0 on my Apache server (which is running on Ubuntu). Thus far, I've been following a few tutorials/scripts supplied here, and here.



As of now:




  • Apache 2.2 is installed (accessible via 'localhost')

  • Mono 2.10.5 is installed




However, I'm struggling to configure Apache correctly... apparently the Virtual Host setting isn't doing its job and invoking the mod_mono plugin, nor is it even pulling source from the proper directory. While the Virtual Host setting points to '\srv\www\localhost', it clearly is pulling content instead from 'var/www/', which I've found is the default DocumentRoot for virtual hosts.



I can confirm:




  • "/opt/mono-2.10/bin/mod-mono-server4" exists.

  • Virtual hosts file is being read, since undoing the comment in the main httpd.conf changed the root directory from 'htdocs' to 'var/www/'

  • The Mono installation is at least semi-capable of running ASP 4.0, as evidenced by running XSP, navigating to 0.0.0.0:8080/ and getting an ASP.NET style error page with "Mono ASP 4.0.x" at the bottom.




Can anyone point out how to fix these configurations and get Mono linked up with Apache?



Here are my configs and relevant information:



/usr/local/apache2/conf/httpd.conf:



#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.

# See for detailed information.
# In particular, see
#
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many

# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/foo_log".

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#

# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk. If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
#
ServerRoot "/usr/local/apache2"

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the

# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80

#
# Dynamic Shared Object (DSO) Support

#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#




#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.

#
User daemon
Group daemon




# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'

# server, which responds to any requests that aren't handled by a
# definition. These values also provide defaults for
# any containers you may define later in the file.
#
# All of these directives may appear inside containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#

# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#

ServerAdmin david@localhost

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify

# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#

ServerName localhost:80

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but

# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/usr/local/apache2/htdocs"

#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of

# features.
#

Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all


#

# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#


#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options

# for more information.
#
Options Indexes FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None


#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all



#

# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#

DirectoryIndex index.html


#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.

#

Order allow,deny
Deny from all
Satisfy All


#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a

# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.

#
LogLevel warn


#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common



# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio


#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a
# container, they will be logged here. Contrariwise, if you *do*

# define per- access logfiles, transactions will be
# logged therein and *not* in this file.
#
CustomLog "logs/access_log" common

#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
#CustomLog "logs/access_log" combined




#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar


#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a section to allow access to
# the filesystem path.


#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"





#
# ScriptSock: On threaded servers, designate the path to the UNIX
# socket used to communicate with the CGI daemon of mod_cgid.
#
#Scriptsock logs/cgisock



#
# "/usr/local/apache2/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#

AllowOverride None
Options None
Order allow,deny
Allow from all



#
# DefaultType: the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.

#
DefaultType text/plain


#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig conf/mime.types


#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z

#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

#
# AddHandler allows you to map certain file extensions to "handlers":

# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi

# For type maps (negotiated resources):
#AddHandler type-map var


#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml



#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile conf/magic

#
# Customizable error responses come in three flavors:

# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#

# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or 0 for unlimited
# Default setting is to accept 200 Ranges
#MaxRanges 0

#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall is used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted

# filesystems or if support for these functions is otherwise
# broken on your system.
#
#EnableMMAP off
#EnableSendfile off

# Supplemental configuration
#
# The configuration files in the conf/extra/ directory can be
# included to add extra features or to modify the default configuration of

# the server, or you may simply copy their contents here and change as
# necessary.

# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf

# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf

# Fancy directory listings

#Include conf/extra/httpd-autoindex.conf

# Language settings
#Include conf/extra/httpd-languages.conf

# User home directories
#Include conf/extra/httpd-userdir.conf

# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf


# Virtual hosts
Include conf/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf


# Various default settings
#Include conf/extra/httpd-default.conf

# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#


SSLRandomSeed startup builtin
SSLRandomSeed connect builtin



/usr/local/apache2/conf/extra/httpd-vhosts.conf:



#
# Virtual Hosts

#
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
#
# for further details before you try to setup virtual hosts.
#

# You may use the command line option '-S' to verify your virtual host
# configuration.

#
# Use name-based virtual hosting.
#
NameVirtualHost *:80

#
# VirtualHost example:

# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any block.
#


ServerName localhost
ServerAdmin david@localhost
DocumentRoot "/srv/www/localhost"


# MonoServerPath can be changed to specify which version of ASP.NET is hosted
# mod-mono-server1 = ASP.NET 1.1 / mod-mono-server2 = ASP.NET 2.0
# For SUSE Linux Enterprise Mono Extension, uncomment the line below:
# MonoServerPath localhost "/opt/novell/mono/bin/mod-mono-server2"
# For Mono on openSUSE, uncomment the line below instead:
MonoServerPath localhost "/opt/mono-2.10/bin/mod-mono-server4"

# To obtain line numbers in stack traces you need to do two things:
# 1) Enable Debug code generation in your page by using the Debug="true"
# page directive, or by setting in the

# application's Web.config
# 2) Uncomment the MonoDebug true directive below to enable mod_mono debugging
MonoDebug localhost true

# The MONO_IOMAP environment variable can be configured to provide platform abstraction
# for file access in Linux. Valid values for MONO_IOMAP are:
# case
# drive
# all
# Uncomment the line below to alter file access behavior for the configured application

MonoSetEnv localhost PATH=/opt/mono-2.10/bin:$PATH;LD_LIBRARY_PATH=/opt/mono-2.10/lib:$LD_LIBRARY_PATH;
#
# Additional environtment variables can be set for this server instance using
# the MonoSetEnv directive. MonoSetEnv takes a string of 'name=value' pairs
# separated by semicolons. For instance, to enable platform abstraction *and*
# use Mono's old regular expression interpreter (which is slower, but has a
# shorter setup time), uncomment the line below instead:
# MonoSetEnv localhost MONO_IOMAP=all;MONO_OLD_RX=1

MonoApplications localhost "/:/srv/www/localhost"


Allow from all
Order allow,deny
MonoSetServerAlias localhost
SetHandler mono
SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI "\.(?:gif|jpe?g|png)$" no-gzip dont-vary


AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript





ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/usr/local/apache2/docs/dummy-host.example.com"
ServerName dummy-host.example.com
ServerAlias www.dummy-host.example.com
ErrorLog "logs/dummy-host.example.com-error_log"
CustomLog "logs/dummy-host.example.com-access_log" common




ServerAdmin webmaster@dummy-host2.example.com
DocumentRoot "/usr/local/apache2/docs/dummy-host2.example.com"
ServerName dummy-host2.example.com
ErrorLog "logs/dummy-host2.example.com-error_log"
CustomLog "logs/dummy-host2.example.com-access_log" common




mono -V output:



root@david-ubuntu:~# mono -V
Mono JIT compiler version 2.6.7 (Debian 2.6.7-5ubuntu3)
Copyright (C) 2002-2010 Novell, Inc and Contributors. www.mono-project.com
TLS: __thread
GC: Included Boehm (with typed GC and Parallel Mark)
SIGSEGV: altstack
Notifications: epoll

Architecture: amd64
Disabled: none

SCCM deployment (XP) fails on random computers; can't seem to communicate with server



Let me start off by mentioning that I have no prior experience with SCCM, and that this is a proof of concept setup we are setting up in order to deploy our classroom environments more dynamically. The need arose to be able to change between OSes (XP and Win7, to begin with) and software (primarily Office 2003 and 2007 that are the problem children here).



We began at the start, by deploying the OS without any additional software. The task sequence in question only has the App-V client. No other advertisements are enabled on the collection.




The Windows 7 deployment seems to run without problems (so far). The sample size is not very big, but we have reason to believe so.



The Windows XP deployment, however, does not perform as expected, with seemingly random computers not having their SCCM client or domain recognized in the SCCM console. It appears communication between the client and the server is "blocked" or does not occur (in the right manner).



The first symptom, next to the information (domain and client) not showing up in SCCM, is that there are only 2 Actions in the Configuration Manager Properties in the control panel on the client. After some looking around, I noticed the BITS service was not started, whereas it was on the clients that function properly. Starting it did not seem to resolve the problem automatically (we're about 1 hour after starting it manually).



I then looked up the logs on the client, and found several errors, the most relevant ones I believe are these:




  1. CcmExec.log :




    OutgoingMessage(Queue='mp_[http]mp_policymanager', ID={3250AB2B-F5B8-4227-9AC9-8884F17AD703}): Will be discarded (expired). CcmExec 10/20/2010 11:28:42 AM 548 (0x0224)
    CForwarder_Base::Send failed (0x8000000a). CCMEXEC 10/20/2010 1:40:57 PM 356 (0x0164)


  2. ClientIDManagerStartup.log :



    RegTask: Failed to send registration request message. Error: 0x8000000a ClientIDManagerStartup 10/20/2010 2:44:57 PM 356 (0x0164)



    RegTask: Failed to send registration request. Error: 0x8000000a ClientIDManagerStartup 10/20/2010 2:44:57 PM 356 (0x0164)


  3. LocationServices.log :




    Failed to resolve 'SMS_SLP' to IP address from WINS LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)



    LSGetSLP : Failed to resolve SLP from WINS, is it published LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)



    LSGetManagementPointForSiteFromSLP : Unable to get the list of SLPs LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)



    Failed to retrieve Default Management Point from SLP LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)



    Failed to resolve 'NLB_001' to IP address from WINS LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)




    Failed to resolve 'MP_001' to IP address from WINS LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)



    Failed to retrieve default MP through WINS. LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)



    Failed to reset certificate request times. (0x80041002) LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)



    Failed to update security settings over AD with error 0x80004005.
    LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)




Update: Extra information

The setup is done on a single physical server running SCCM, SQL Server 2008 and App-V. It is fully AD-integrated and the AD schema is extended. Rights should not be an issue as most of the PCs deploy fine, there's just always a couple that don't. Someone asked if there was a WINS server; there's not. I'm not sure if this is a problem, wouldn't expect it to be... The "faulty" computer can ping and resolve the hostname of the SCCM server just fine.



Any help would be appreciated, we're kind of stuck atm.



I hope I provided enough information.
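As a triage aid for the log excerpts above, here is an added example (not part of the original post): a small parser for the client log line layout shown there (message, component, date, time, thread id, thread id in hex) that groups failures by HRESULT and separates the WINS lookups that failed from the other errors. `SAMPLE_LINES` is a constructed in-memory copy of the lines quoted in the question.

```python
"""Triage helper for Configuration Manager client logs.

Added example, not part of the original post. It parses the line layout
visible in the excerpts above and groups failures by HRESULT. SAMPLE_LINES
is a constructed in-memory copy of the lines quoted in the question.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# message, component, date, time, thread id, thread id again in hex
LINE_RE = re.compile(
    r"^(?P<msg>.*?)\s+(?P<component>\S+)\s+"
    r"(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<thread>\d+)\s+\(0x[0-9A-Fa-f]+\)$")
HRESULT_RE = re.compile(r"0x[0-9A-Fa-f]{8}")   # 8 hex digits, unlike the thread id
WINS_RE = re.compile(r"Failed to resolve '(?P<name>[^']+)' to IP address from WINS")

SAMPLE_LINES = [
    "OutgoingMessage(Queue='mp_[http]mp_policymanager', ID={3250AB2B-F5B8-4227-9AC9-8884F17AD703}): Will be discarded (expired). CcmExec 10/20/2010 11:28:42 AM 548 (0x0224)",
    "CForwarder_Base::Send failed (0x8000000a). CCMEXEC 10/20/2010 1:40:57 PM 356 (0x0164)",
    "RegTask: Failed to send registration request message. Error: 0x8000000a ClientIDManagerStartup 10/20/2010 2:44:57 PM 356 (0x0164)",
    "RegTask: Failed to send registration request. Error: 0x8000000a ClientIDManagerStartup 10/20/2010 2:44:57 PM 356 (0x0164)",
    "Failed to resolve 'SMS_SLP' to IP address from WINS LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)",
    "LSGetSLP : Failed to resolve SLP from WINS, is it published LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)",
    "LSGetManagementPointForSiteFromSLP : Unable to get the list of SLPs LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)",
    "Failed to retrieve Default Management Point from SLP LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)",
    "Failed to resolve 'NLB_001' to IP address from WINS LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)",
    "Failed to resolve 'MP_001' to IP address from WINS LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)",
    "Failed to retrieve default MP through WINS. LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)",
    "Failed to reset certificate request times. (0x80041002) LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)",
    "Failed to update security settings over AD with error 0x80004005. LocationServices 10/20/2010 11:34:56 AM 356 (0x0164)",
]


def parse_line(line):
    """Return a record dict, or None when the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["stamp"], "%m/%d/%Y %I:%M:%S %p")
    codes = HRESULT_RE.findall(rec["msg"])
    rec["hresult"] = codes[-1].lower() if codes else None
    return rec


def triage(lines):
    """Group failures by HRESULT and component, and list WINS lookups on their
    own so they can be judged separately (the site in the question has no WINS)."""
    records, unparsed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec:
            records.append(rec)
        else:
            unparsed.append(line)
    by_code = defaultdict(list)
    wins_lookups = []
    for rec in records:
        if rec["hresult"]:
            by_code[rec["hresult"]].append((rec["component"], rec["msg"]))
        w = WINS_RE.search(rec["msg"])
        if w:
            wins_lookups.append(w.group("name"))
    registration_failed = any(
        "registration request" in rec["msg"] and rec["hresult"] for rec in records)
    span = ((min(r["when"] for r in records), max(r["when"] for r in records))
            if records else None)
    return {"by_code": dict(by_code),
            "components": dict(Counter(r["component"] for r in records)),
            "wins_lookups": wins_lookups,
            "registration_failed": registration_failed,
            "span": span, "unparsed": unparsed}


if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    print("log span:", report["span"][0], "->", report["span"][1])
    for code, hits in sorted(report["by_code"].items()):
        print(code, "x%d" % len(hits), "from", sorted({c for c, _ in hits}))
    print("WINS lookups that failed:", report["wins_lookups"])
    print("client registration failed:", report["registration_failed"])
    print("unparsed lines:", len(report["unparsed"]))
```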


Answer



Seeing as the BITS service was never started on the failed computers, I decided to try a workaround where I manually start the service before deploying the SCCM client. However, I kept getting errors where some command-line tools did not seem to work, or I couldn't start the service in the current environment, being WinPE. I tried several types of scripts, both with net start and sc start. None worked...



So I attempted a simpler approach: setting the service to automatic via GPO. I expected this to work since apparently the client was being installed under WinPE, which required a reboot into WinXP before the client and SCCM itself "connect". Seems I was right, the service starts correctly, and so far all of our clients were discovered. So far so good...


Sunday, August 21, 2016

CentOS Adding Hard Disks




I currently have a server with 500GB storage (2 physical disks, raid 0) and it's already full. I've asked my provider for an upgrade of an additional 1TB storage (2 physical, raid 0). These are all hardware based raid.



Almost all files from /usr/local/nginx/html are videos and have consumed the first hard disk raid. Now I want to know: if I purchase this additional hard disk, would any file saved into the same directory automatically be saved onto the newly added hard disk?



Because what I'm doing is I'm hosting video files in that directory, and I want to continue saving to that particular directory only.


Answer



You'd be better served by backing up your data, and having your host re-provision (meaning re-install the OS) the server with (4) 1TB drives in RAID10 for fault-tolerance and speed. This usually doesn't add much to the bottom-line monthly price of the server but if your host doesn't have an inventory of 1TB drives, picking them up at current market prices of 250%+ of what they were just 6 months ago might be costly.



If that isn't an option and you're well aware of the real potential for data-loss with RAID0 in production, then what I would suggest is carving your new RAID0 into an LVM (the RAID0 unit will be one physical volume, 1 volume group, and 1 logical volume).




pv0 - Use the RAID0 device (md0 if software RAID, or probably sdX if hardware RAID)
vg0 - Use all of the space (the entire 1TB of the RAID device)
lv0 - Do not use all of the space in the volume group. Allocate maybe 500GB of 1TB and format it as an ext3 filesystem. Mount it to a temporary location (/mnt/temp for instance), and move your video file data to it. Then remount the device at the existing location of the video data:



mount /dev/mapper/vg0-lv0 /usr/local/nginx/html



Create the appropriate fstab entry (man fstab). Now having left extra space on vg0 you have the option to use that space elsewhere on the server should another directory fill the 500GB partition, or the ability to add more space to vg0 as needed.


Saturday, August 20, 2016

iis - HTTP Error 500.19 - Internal Server Error



I'm getting the following error when trying to run my asp.net website in a browser:




HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.


Module IIS Web Core



Notification Unknown



Handler Not yet determined




Error Code 0x8007000d



Config Error



Config File \?\C:\inetpub\vhosts\======\httpdocs\web.config



Requested URL http://======:80/index.aspx



Physical Path




Logon Method Not yet determined



Logon User Not yet determined



(==== to hide sensitive data)



Config Source



-1: 

0:


Why am I getting this error? Other sites on the same server are working fine.
Thanks!


Answer



It seems to be indicating that the configuration file has problems: does the file exist? Are its contents valid?


php apache unknown 500 error

I currently have an error with my apache/php installation on a CentOS system. I checked the log files in /var/log/httpd and in my logs directory as specified in my virtual host file, but they are not getting populated with errors. I've also set php to log errors, through the php.ini, to /var/log/httpd/, but the error file is not getting created. When I set display_errors = On in the php.ini, all I get is a blank screen.



This is a git-controlled project that runs perfectly off an Ubuntu server, so there is something missing from this server.



My question is: is there any way I can get more info on the error I am getting? I just need something I can trace back. I am using the CodeIgniter framework, so tracing through the code will take me days.



Thanks!

Apache SSL virtual hosts sharing same DocumentRoot

I have a web server with two domains pointing to the same document root. I have separate SSL certs for the two domains. I want (almost) everything that comes to the site(s) to run under SSL. Everything works, but the config I have seems overlong and repetitive, and I wondered whether I could simplify it.



I checked these answers:
Setting up SSL virtual hosts in Apache, Apache: Multiple Virtual Hosts w/ SSL Certificates?, https://www.howtoforge.com/hosting-multiple-ssl-web-sites-on-one-ip-address-with-apache-2.2-and-gnutls-debian-lenny
but although useful, they didn't seem to quite address this case.




I wondered if there's a way to break out the config into files that one can then include?



my ports.conf:



NameVirtualHost *:80
NameVirtualHost *:443
Listen 80



# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
Listen 443



Listen 443




sites-available/default:




ServerAdmin xx@yy.com
ServerName yy.com

DocumentRoot /var/www


Options FollowSymLinks
AllowOverride None


# everything to run under ssl
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Options -Indexes FollowSymLinks MultiViews

AllowOverride None
Order allow,deny
allow from all


ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny

Allow from all


ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/access.log combined


ProxyRequests Off


Order deny,allow
Allow from all


ProxyPass /geoserver http://localhost:8080/geoserver
ProxyPreserveHost On

ProxyStatus On




default-ssl:





ServerAdmin xx@yy.com

ServerName yy.com:443
DocumentRoot /var/www

Options FollowSymLinks
AllowOverride None


Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny

allow from all


ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all



ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

# SSL Engine Switch:

# Enable/Disable SSL for this virtual host.
SSLEngine on

SSLCertificateFile /etc/apache2/ssl/yy.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/yy.com.key

# Server Certificate Chain:
SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt

# Certificate Authority (CA):



SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


# SSL Protocol Adjustments:
BrowserMatch "MSIE [2-6]" \

nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown





The second site's ssl.conf:







ServerAdmin xx@zz.com
ServerName zz.com
ServerAlias www.zz.com
DocumentRoot /var/www

# SSL Engine Switch:

# Enable/Disable SSL for this virtual host.
SSLEngine on

SSLCertificateFile /etc/apache2/ssl/zz.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/zz.com.key

# Server Certificate Chain:
SSLCertificateChainFile /etc/apache2/ssl/zz.com/intermediate.crt

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/


AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all



SSLOptions +StdEnvVars



SSLOptions +StdEnvVars


BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown







Any help appreciated.



Mini

CentOS Apache + Tomcat SSL using mod_jk

I have Apache + Tomcat (using mod_jk) working correctly on a CentOS 6.3 machine. I am trying to set up SSL with Apache. When I browse to the site I get the following output:



Forbidden
You don't have permission to access / on this server.



Here are the relevant conf files:



/DIR/apache-tomcat-7.0.37/jk/mod_jk.conf:
This is linked symbolically to the /etc/httpd/conf.d directory



LoadModule jk_module /DIR/apache-tomcat-7.0.37/jk/mod_jk-1.2.31-httpd-2.2.x.so
JkWorkersFile /DIR/apache-tomcat-7.0.37/jk/workers.properties
JkMountFile /DIR/apache-tomcat-7.0.37/jk/uriworkermap.properties
JkShmFile /var/log/httpd/mod_jk.shm

JkLogFile /var/log/httpd/mod_jk.log
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkMount /* worker1
JkLogLevel info
# SSL Additions below:
JkExtractSSL On
JkHTTPSIndicator HTTPS
JkSessionIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT



/etc/httpd/conf/httpd.conf:
I only added 1 line at the very end of the file when trying to configure SSL.
I included the entire file just in case.



ServerTokens OS
ServerRoot "/etc/httpd"

PidFile run/httpd.pid



Timeout 60

KeepAlive Off

MaxKeepAliveRequests 100
KeepAliveTimeout 15




StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 4000





StartServers 4
MaxClients 300
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0


Listen 80



LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so

LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so

LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so

LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so

LoadModule substitute_module modules/mod_substitute.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so

LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule version_module modules/mod_version.so

Include conf.d/*.conf

User apache
Group apache



ServerAdmin root@localhost


UseCanonicalName Off
DocumentRoot "/var/www/html"


Options FollowSymLinks
AllowOverride None
Order allow,deny

Allow from all






Options Indexes FollowSymLinks



AllowOverride None

Order allow,deny
Allow from all







UserDir disabled



DirectoryIndex index.html index.html.var


AccessFileName .htaccess




Order allow,deny
Deny from all
Satisfy All



TypesConfig /etc/mime.types



DefaultType text/plain


MIMEMagicFile conf/magic

HostnameLookups Off

ErrorLog logs/error_log



LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog logs/access_log combined

ServerSignature On



Alias /icons/ "/var/www/icons/"


Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all





# Location of the WebDAV lock database.
DAVLockDB /var/lib/dav/lockdb

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"



AllowOverride None

Options None
Order allow,deny
Allow from all




IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable Charset=UTF-8

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip


AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv

AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl

AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

DefaultIcon /icons/unknown.gif
ReadmeName README.html

HeaderName HEADER.html

IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t


AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el

AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko

AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn

AddLanguage zh-TW .zh-tw

LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW

ForceLanguagePriority Prefer Fallback
AddDefaultCharset UTF-8



AddType application/x-compress .Z

AddType application/x-gzip .gz .tgz


# MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
AddHandler type-map var

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml


Alias /error/ "/var/www/error/"




AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var

Order allow,deny
Allow from all
LanguagePriority en es de fr
ForceLanguagePriority Prefer Fallback





BrowserMatch "Mozilla/2" nokeepalive

BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully

BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully


##################################################Added when trying to configure SSL:
SSLOptions +StdEnvVars +ExportCertData


/etc/httpd/conf.d/ssl.conf:




LoadModule ssl_module modules/mod_ssl.so

Listen 443

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

SSLMutex default




SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin






ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn


SSLEngine on



SSLProtocol all -SSLv2


SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key



SSLOptions +StdEnvVars



SSLOptions +StdEnvVars



SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0



CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



########################### Added here for SSL
Alias / "/DIR/apache-tomcat-7.0.37/webapps/ROOT/"

Options Indexes FollowSymLinks

AllowOverride All
Order deny,allow
Allow from all




#JkMount /alesia/servlet/* ajp13
#JkMount /alesia/*.jsp ajp13


JkMount /*.jsp worker1


AllowOverride None
Deny from all






I added the end of the file when trying to configure SSL. I modified the line in the guide I was following to be:




JkMount /*.jsp worker1




since my mod_jk.conf references worker1, but I'm not sure if this line is required.



When I browse to < server IP >/WEB-INF/ I get a list of the files in ROOT/WEB-INF, so it looks like it's pointing to the correct folder; I just don't have permission to view or execute the files?




I know that the self-signed cert is working since before any re-configuration it was serving the default docroot successfully.



Any leads are appreciated.
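Added example, not code from the original question: the pasted configuration points a bare Alias / at Tomcat's webapps/ROOT directory with Options Indexes, which is why /WEB-INF/ lists. Tomcat refuses to serve /WEB-INF/ and /META-INF/, but that protection only applies to requests Tomcat handles; files Apache serves from disk through an Alias are exposed like any other static content (web.xml, compiled classes, any properties files with credentials). The audit below parses a small Apache 2.2-style config for that pattern and for the other weak settings visible on this page (directory listing, AllowOverride All, SSLv3 left enabled, RC4/LOW/MEDIUM ciphers, ServerSignature On). SAMPLE_CONF is constructed from directives in the question; HARDENED_CONF is an assumed counterpart (everything forwarded with JkMount /* worker1, an explicit deny on WEB-INF and META-INF) written for the comparison. Paths, the worker name and the cipher string are assumptions.

```python
# Added example: audit an Apache 2.2-style httpd.conf for the exposure in the
# question. Not code from the original post; sample configs are constructed.
import re

SAMPLE_CONF = """
Alias / "/DIR/apache-tomcat-7.0.37/webapps/ROOT/"
<Directory "/DIR/apache-tomcat-7.0.37/webapps/ROOT/">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order deny,allow
    Allow from all
</Directory>
JkMount /*.jsp worker1
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
ServerSignature On
"""

HARDENED_CONF = """
# Assumed hardened variant: mod_jk forwards every request to Tomcat, so Apache
# serves nothing from the webapp tree, and WEB-INF/META-INF are denied anyway.
JkMount /* worker1
<LocationMatch "^/(WEB-INF|META-INF)/">
    Order allow,deny
    Deny from all
</LocationMatch>
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
ServerSignature Off
"""

_OPEN = re.compile(r'^<(\w+)\s*(.*?)>$')
_CLOSE = re.compile(r'^</(\w+)>$')
WEAK_CIPHERS = {'LOW', 'MEDIUM', 'RC4', 'RC4+RSA', 'EXP', 'EXPORT', 'NULL', 'aNULL', 'ADH'}


def parse(conf):
    """Yield (stack, directive, args) for each directive; stack is a tuple of
    (container, argument) pairs such as ('Directory', '/var/www/html')."""
    stack = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if _CLOSE.match(line):
            stack.pop()
            continue
        m = _OPEN.match(line)
        if m:
            stack.append((m.group(1), m.group(2).strip('"')))
            continue
        directive, _, args = line.partition(' ')
        yield tuple(stack), directive, args.strip()


def audit(conf):
    """Return a list of human-readable findings for `conf`."""
    findings = []
    webapp_alias = None
    webinf_denied = False
    for stack, directive, args in parse(conf):
        scope = stack[-1][1] if stack else ''
        if directive == 'Alias':
            url, _, target = args.partition(' ')
            target = target.strip('"')
            if url == '/' and '/webapps/' in target:
                webapp_alias = target
        elif directive == 'Options' and 'Indexes' in args.split() and '/webapps/' in scope:
            findings.append('directory listing (Options Indexes) enabled for %s' % scope)
        elif directive == 'AllowOverride' and args == 'All' and '/webapps/' in scope:
            findings.append('AllowOverride All lets a .htaccess in %s change server config' % scope)
        elif directive == 'Deny' and args == 'from all' and 'WEB-INF' in scope:
            webinf_denied = True
        elif directive == 'SSLProtocol':
            tokens = args.split()
            if 'all' in tokens and '-SSLv3' not in tokens:
                findings.append('SSLProtocol "%s" still allows SSLv3' % args)
        elif directive == 'SSLCipherSuite':
            weak = sorted(t for t in args.split(':') if t.lstrip('+') in WEAK_CIPHERS)
            if weak:
                findings.append('SSLCipherSuite admits weak ciphers: ' + ', '.join(weak))
        elif directive == 'ServerSignature' and args.lower() == 'on':
            findings.append('ServerSignature On advertises the server version on error pages')
    if webapp_alias and not webinf_denied:
        findings.append('Alias / -> %s serves the webapp tree from disk with no Deny covering '
                        'WEB-INF; Tomcat\'s own WEB-INF protection does not apply to files '
                        'Apache serves itself' % webapp_alias)
    return findings


if __name__ == '__main__':
    for name, conf in (('sample', SAMPLE_CONF), ('hardened', HARDENED_CONF)):
        print(name, audit(conf) or ['no findings'])
```

The parser only understands the container syntax used on this page (Directory, Location, LocationMatch, VirtualHost style blocks) and a single-line directive per line; it is a checker for the pattern discussed here, not a general httpd.conf validator.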

Friday, August 19, 2016

backup - Best failover strategy for e-mail servers on AWS to ensure high availability

We have our e-mail server hosted on AWS. Last week Amazon had a failure in their East Coast region which brought down our server along with many others.



We now want to implement a failover strategy so that if the mail server becomes unavailable again then we can simply switch to another mail server in a different zone and users can continue sending and receiving mail AS WELL AS still having access to their existing mail items.




Obviously having periodic back-ups of messages isn't a good-enough solution because there is a constant stream of incoming and outgoing emails being written to disk.



We are using a Windows 2008 Server and running Mailenable Enterprise. Configuration for MailEnable (eg. user accounts, passwords, etc.) are stored in an SQL Server Database on the Mail Server.



We are considering the following solution:




  • Mount S3 storage as a windows drive to store messages using a tool like tntdrive. Unlike EBS-storage (which is restricted to a single availability zone), S3 storage is available across availability zones which would make our storage available even if a single region fails.

  • We take daily snapshots of the mail server and copy this to S3.

  • In the case of the mail server failing we create a new instance of the mail server from our snapshot (this means that configuration changes such as password changes or new user account creation that happened since snapshot was taken will not be included, but we can accept that risk)


  • We mount the S3 storage containing the messages as a drive on the new server.

  • We switch the elastic ip for the mail server to the new server and we have a mail server that is available again!



Will this solution work? I am a bit worried about the latency and cost of S3 as compared to EBS (see http://jimliddle.sys-con.com/node/1103438/mobile). Is there a different approach we should be looking at? Would you recommend different Amazon tools to solve the problem?

reverse dns - Spamassassin - how to get a better score




I am testing a contact form, but I am getting a too high score for the emails sent from the contact/booking form.



Here is the header:



Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail01
X-Spam-Flag: YES
X-Spam-Level: **************************************************
X-Spam-Report:
* 0.2 CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or

* Generic rPTR
* 0.4 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
* 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
* domains are different
* 1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* 0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag

* 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
* 2.5 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
X-Spam-Status: Yes, score=1005.0 required=8.0 tests=CK_HELO_GENERIC,
DKIM_SIGNED,FREEMAIL_FORGED_REPLYTO,GTUBE,HEADER_FROM_DIFFERENT_DOMAINS,
HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,NO_DNS_FOR_FROM,
T_DKIM_INVALID autolearn=no autolearn_force=no version=3.4.0
Delivered-To: yyy@glmr.in
Received: by yyy.glmr.in (Postfix, from userid 994)
id 65C36C71; Fri, 24 Aug 2018 08:42:21 +0000 (UTC)
X-Sieve: Pigeonhole Sieve 0.4.2

X-Sieve-Redirected-From: yyy@tantramassageamsterdam.net
Delivered-To: yyy@tantramassageamsterdam.net
Received: from host49-253-177-94.static.arubacloud.com (sergioloporto.com [94.177.253.49])
by yyy.glmr.in (Postfix) with ESMTP id D6D09C63
for ; Fri, 24 Aug 2018 10:42:20 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=tantramassageamsterdam.net; s=default; t=1535100140;
bh=WSOTVXfvkyyb1gOOG6N6iGnxfvNm9xMtd9vuIZPexBE=;
h=To:Subject:Date:From:Reply-To;
b=f4EDlRfPzqqFBDdiR7FIRldS9u4Ru7nT1DwGSCkeThQ4zgzQ2pRfjwb7pSAE5RzPW

8MNnUgnwXcTPFXub/w88ouOTt9icozT3DGgyJ5SuzxNjYjH5qe8SRDaFuZc2Xzy/iG
SlpxFBuOYaqdtgqjJez5JHgVW4I8Q0RU2iGmMIos=
Received: by host49-253-177-94.static.arubacloud.com (Postfix, from userid 996)
id F1E89DE4; Fri, 24 Aug 2018 04:42:19 -0400 (EDT)
To: yyy@tantramassageamsterdam.net
Subject: [SPAM] New booking information
X-PHP-Originating-Script: 996:class-phpmailer.php
Date: Fri, 24 Aug 2018 08:42:19 +0000
From: Tantra Massage Amsterdam
Reply-To: test test

Message-ID: <4a51f7be34f3bd9dfda9eb17a94d4168@www.tantramassageamsterdam.net>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Prev-Subject: New booking information
X-Spam-Prev-Subject: [SPAM] New booking information
X-EsetId: 37303A29DFC05762617D64



I replaced some parts of the emails above with YYYY.
I sent a GTUBE test spam mail on purpose to get a high score in order to have details in the header.



I understand that FREEMAIL_FORGED_REPLYTO can't be fixed - because customers will have a free email address and the form puts it in "reply to".
Is there any way to fix that?



What about these? Can they be fixed?:



* 0.2 CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR
* 0.4 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records

* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
* 0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag


Both mail server and web server have set up rDNS! Thus I can't understand the rDNS x-spam-reports...



I would appreciate if you could:




  • better explain those points


  • tell me what to check

  • what/how to fix



Thanks in advance


Answer



Since you own the contact form, you can just whitelist the from-address in your local.cf, either with




whitelist_from yyy@tantramassageamsterdam.net





or better yet, with




whitelist_from_rcvd yyy@tantramassageamsterdam.net yyy.glmr.in




whitelist_from_rcvd also checks the Received-header, so that spammers can't just fake the From-address.




The checks you mentioned can all be overridden with custom scores, if that is what you meant:




score FREEMAIL_FORGED_REPLYTO 0 # will now give 0 points instead of the default.




The reason you get the different statuses is




  • FREEMAIL_FORGED_REPLYTO: Your sending address doesn't match the reply address, and Google is a free service. Free services mean more spammers, so that is why it's there. You could just put the reply address in the mail sent to yyy@tantramassageamsterdam.net so that they copy/click the reply address and write the answer there.


  • CK_HELO_GENERIC = Received: by host49-253-177-94.static.arubacloud.com; this is typically how reverse DNS is done for end users, not servers. Mail servers especially should have a proper PTR. This is typically set through some interface at your hosting provider.

  • NO_DNS_FOR_FROM DNS = since you have no PTR, I guess you also don't have an MX set up to point to your mail server. This is also typical for spam, since spammers don't use servers; they use other client computers.

  • DKIM_SIGNED = it is what it says on the tin: there is a DKIM signature.

  • HTML_MIME_NO_HTML_TAG = also what it says: there was only an HTML message in this mail, with no HTML tag to specify the mail.


scp - How do you manage ssh keys to add a second user?

I used this article to set up keys and a user to login to a Ubuntu server from a Windows box using Putty.



I would now like to add an additional ssh user that will login from a MacBook. I used ssh-keygen to generate the local keys but I fail in getting the keys copied up to the server. Here is my bash readout (changed in parts for obvious reasons)



MacBook-Pro:~ joe$ scp -2 -P 50022 -v ~/.ssh/id_rsa.pub newuser@111.222.333.444:
Executing: program /usr/bin/ssh host 111.222.333.444, user newuser, command scp -v -t .
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to 111.222.333.444 [111.222.333.444] port 50022.
debug1: Connection established.
debug1: identity file /Users/joe/.ssh/id_rsa type 1
debug1: identity file /Users/joe/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[111.222.333.444]:50000' is known and matches the RSA host key.
debug1: Found key in /Users/joe/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/joe/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/joe/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).

lost connection
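Added example, not code from the original question: whichever way the public key reaches the server, it ends up having to be merged into ~newuser/.ssh/authorized_keys, and sshd will silently ignore that file if the directory is not 0700, the file not 0600, or either is not owned by the user (StrictModes). The block below validates a public key line the way sshd does (the base64 blob's first length-prefixed string must equal the declared key type), then appends it idempotently with the right modes. DEMO_KEY is a constructed ssh-ed25519 blob with an all-zero key, not a real key; the home directory path is a temporary directory, an assumption made so the example runs offline.

```python
# Added example: validate an OpenSSH public key line and merge it into
# authorized_keys. Not code from the original post; DEMO_KEY is constructed.
import base64
import os
import stat
import struct
import tempfile


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack('>I', len(data)) + data


# Constructed demo key: correct wire layout for ssh-ed25519 with 32 zero bytes
# as the key material. It is not a real key and cannot authenticate anything.
DEMO_KEY = ('ssh-ed25519 '
            + base64.b64encode(_ssh_string(b'ssh-ed25519') + _ssh_string(bytes(32))).decode()
            + ' newuser@macbook')


def parse_pubkey_line(line: str):
    """Return (keytype, blob_b64, comment) for a well-formed public key line.

    Raises ValueError otherwise. Lines with a leading options field
    (e.g. command="...") are not handled here and are rejected.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError('expected "<type> <base64> [comment]"')
    keytype, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ''
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError('key blob is not valid base64') from exc
    if len(blob) < 4:
        raise ValueError('key blob too short')
    (n,) = struct.unpack('>I', blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError('blob encodes type %r, line declares %r' % (blob[4:4 + n], keytype))
    return keytype, blob_b64, comment


def is_valid_pubkey_line(line: str) -> bool:
    try:
        parse_pubkey_line(line)
        return True
    except ValueError:
        return False


def add_authorized_key(home: str, line: str) -> bool:
    """Merge `line` into home/.ssh/authorized_keys. Returns True if it was
    added, False if the same key blob was already present. The directory and
    file are chmod'ed explicitly because the umask would otherwise apply."""
    _, blob_b64, _ = parse_pubkey_line(line)
    ssh_dir = os.path.join(home, '.ssh')
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, 'authorized_keys')
    existing = set()
    if os.path.exists(path):
        with open(path) as fh:
            for entry in fh:
                if is_valid_pubkey_line(entry):  # skips comments and blank lines
                    existing.add(parse_pubkey_line(entry)[1])
    if blob_b64 in existing:
        return False
    with open(path, 'a') as fh:
        fh.write(line.strip() + '\n')
    os.chmod(path, 0o600)
    return True


def demo():
    """Merge DEMO_KEY twice into a throw-away home directory; returns
    (added_first_time, added_second_time, authorized_keys_mode)."""
    home = tempfile.mkdtemp()
    first = add_authorized_key(home, DEMO_KEY)
    second = add_authorized_key(home, DEMO_KEY)
    mode = stat.S_IMODE(os.stat(os.path.join(home, '.ssh', 'authorized_keys')).st_mode)
    return first, second, mode


if __name__ == '__main__':
    print(demo())
```

Ownership is not set here because the script is meant to be run as the target user (or the file chown'ed afterwards); a key file owned by root in a user's home is one of the more common reasons a freshly copied key still ends in "Permission denied (publickey)".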

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...