March 29, 2006

[Installations] General update

Several projects eating time in the last couple of weeks.

Cyclades console server

It died. I’ll be getting tech support on it to tell me what to do next. In the meantime, we have:

Caprica name server

This will be a replacement for Eirene, since it’s actually in the machine room and in the racks. Right now it’s been delegated the priv.earlham.edu subnet and runs a DHCP server for the private network. The idea here is that the private net /etc/hosts file was getting unwieldy and it’d be good to have that in DNS. Since the console server died, I decided to use the ethernet ports on the Sun ALOM as alternate consoles; having them speak DHCP was the easiest. The main trick there is that they require infinite lease times.

Timezone updates

As Indiana begins to observe DST, timezone info must be updated. All the Solaris boxes have patches for this (113225-03 for Solaris 9, 109809-03 for Solaris 8). This does the right thing for the Indiana time zone. On the FreeBSD systems, I’ve simply been setting the localtime to EST5EDT; the main problem we’ll see is in timestamps of files (off by an hour isn’t a huge concern for most of these systems).

Posted by Rowan Littell at 03:55 PM

March 14, 2006

[Firefighting] Solaris patches

I’m getting bitten by Solaris patches. In particular, several recent patches have decided to muck with /etc/rc3.d scripts in the postpatch script. I remove a number of these scripts at Jumpstart time so that the services they start won’t be started (things like automounter and volume management, which mostly serve to bite one in the hindquarters). Sun adding them back in messes with my systems. They have every right to modify the main file in /etc/init.d, but they should keep their hands off of my territory in /etc/rc?.d.

So I copied out the portion of my Jumpstart script that disables these, and I’ve made it a standalone script that can be run after any patches are applied. Just run it. Good maintenance, and swat those pesky Sun idjits.
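As an added example (not the author’s Jumpstart script or the standalone script mentioned above), here is how such a post-patch disabler can be written in POSIX sh. It takes the directory holding the rc?.d directories as its first argument so it can be pointed at a scratch tree, and it pairs the disabler with an audit function that fails if a patch has put one of the scripts back. The underscore-prefix convention and the service names (autofs, volmgt) are assumptions; the sequence numbers in the comments (S74autofs, S92volmgt) are the usual Solaris 8/9 ones but can differ by release, which is why matching is on the service name only.

```shell
#!/bin/sh
# Added example, not the author's script: re-disable Solaris rc scripts after
# patching. Solaris init runs only rc?.d entries whose names begin with S or K,
# so renaming S74autofs to _S74autofs (underscore prefix: a convention assumed
# here) disables it while keeping the file for reference. ROOT is the
# directory that holds the rc?.d directories (/etc on a real system); passing
# a scratch tree makes the functions testable. Matching is on the service
# name, since sequence numbers (S74autofs, S92volmgt on Solaris 8/9) vary.

# disable_rc_scripts ROOT NAME...: rename every enabled S-script whose name
# contains NAME. A patch that put S74autofs back leaves the old _S74autofs in
# place, so the move overwrites it: the patched copy is the current one.
# Prints the number of scripts renamed; progress messages go to stderr.
disable_rc_scripts() {
    root=$1; shift
    count=0
    for name in "$@"; do
        for f in "$root"/rc[0-6].d/S[0-9][0-9]*"$name"*; do
            [ -f "$f" ] || continue          # pattern matched nothing
            dir=$(dirname "$f"); base=$(basename "$f")
            mv -f "$f" "$dir/_$base" || continue
            echo "disabled $f" >&2
            count=$((count + 1))
        done
    done
    echo "$count"
}

# enabled_rc_scripts ROOT NAME...: list S-scripts that are still live for the
# given NAMEs. Returns 1 if any is found, so it can gate a post-patch checklist.
enabled_rc_scripts() {
    root=$1; shift
    found=0
    for name in "$@"; do
        for f in "$root"/rc[0-6].d/S[0-9][0-9]*"$name"*; do
            [ -f "$f" ] || continue
            echo "still enabled: $f"
            found=1
        done
    done
    return $found
}

# Usage: ./rcdisable.sh /etc autofs volmgt    (run after applying patches)
if [ $# -gt 1 ]; then
    root=$1; shift
    n=$(disable_rc_scripts "$root" "$@")
    echo "$n script(s) disabled"
    enabled_rc_scripts "$root" "$@" || exit 1
fi
```

Running the audit as the last step is the useful part: a patch run that re-enables a service is then a visible failure rather than a surprise at the next reboot.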

Posted by Rowan Littell at 03:51 PM

March 10, 2006

[Other] PacketShaper tuning

I tweaked the PacketShaper a little this afternoon, after numerous comments that incoming connections were taking a long time (particularly e-mail related ones, like IMAP, and from multiple people). I think the single biggest thing I did was to bump up the priority on the Default class for the main college address space from priority 1 to priority 3 (higher is better). I seem to recall an offhand comment on the list at some point that the first few packets of a flow are usually unclassified and thus put into Default. Increasing the priority of that lets them through faster and then lets them get classified faster, allowing them to take advantage of the policies and partitions for their particular traffic type that much sooner. IMAP feels a lot faster, both in Pine and Mail.app now.

Posted by Rowan Littell at 03:59 PM

[Installations] A lot of Cyrus work

This week has been mostly a continuation of Cyrus IMAP work. The system itself is ready for production use, but there are a number of helper scripts and utilities that need to be developed before we can start the migration.

  • Tuesday I discovered that / and /usr were both at 99% full, even before thinking about going production, and after agonizing about this, I decided that the best thing to do was to repartition and re-Jumpstart. To make it slightly easier on myself (although building Cyrus and friends really isn’t that hard, as my SSL troubles last week showed), I made Solaris packages out of most of the software: Cyrus SASL, Cyrus IMAP, Perdition (and vanessa libs), and some perl libs — Cyrus::IMAP, and Mail::IMAP. Sendmail is still an after-build, and there are a number of other perl libs that I’ve since added to support the migration, user management, and quota scripts.
  • Top of the list of things yet to do, of course, is the migration utility itself. I’ve got one almost completely ready — it temporarily resets the user’s password, copies all the subscribed folders from KE to SIPALA, gets the user’s quota from the self service quota system, sets the LDAP mailHost attribute to sipala, and then resets the password back to the original. Still to complete is the part that grabs the forward and vacation settings, if present. I’d also like to extend it to general sieve copying and some other Cyrus admin work, for future use in migrating users from one Cyrus box to another, but that’s future.
  • As implied, there’s a quota system tie-in. I’ve been working on an XML-RPC interface to the quota system, or at least a subset of it, to use on SIPALA rather than the direct PostgreSQL connection. I think the XML-RPC is more portable, and it means I don’t have to install PostgreSQL libraries on SIPALA. It also means we could use MySQL as the database for the quota system if we wanted to. The part of the XML-RPC server that supports the migration script is done, and some parts that support the cron update scripts are done, but there’s more work there. I also need to tool the web interface for the quota system to take you to the mail host that your mail is on, rather than assuming everyone’s on the same mail host.
  • Also, as implied, there’s a WebDB tie-in. WebDB is where forwarding and vacations are set, so it needs to be made aware of sieve. I’ve considered putting that info into LDAP and letting both KE and SIPALA generate the necessary stuff from there, but I think that’s actually not the best way. I think WebDB needs to be looking at the mailHost attribute itself and then either talking KE’s own peculiar language or sieve as appropriate.

Posted by Rowan Littell at 03:52 PM

March 02, 2006

[Installations] Pine and Perdition

Testing Pine with Perdition — I have my .pinerc stored on the IMAP server, and I simply replaced all the hostnames that point to KE (mailer.earlham.edu) with ones that point to mailproxy.earlham.edu (Perdition and Sendmail running on SIPALA).

It works flawlessly. I get my mail folders on KE, and I send mail through SIPALA.

Posted by Rowan Littell at 06:56 PM

[Installations] SIPALA Notes

Most of the work this week has gone into SIPALA and various pieces of the new mail system. At this point, just about everything is working. I think the main things to do are VxFS/VxVM installation for the message store and considering a milter for antivirus checking.

Further build notes:

  • OpenSSL 0.9.7 is required: Sendmail doesn’t do the right thing with signature generation (or something along those lines) under 0.9.6i. Since everything depends on OpenSSL, this required a rebuild of everything. Teaches me how to rebuild, in any case.
  • OpenLDAP (v2.3.19): built using Forte C
  • Cyrus SASL (v2.1.21): built using Forte C, and with CFLAGS=-DOPENSSL_DISABLE_OLD_DES_SUPPORT (otherwise we get conflicting encryption routines).
    • ./configure --enable-login --with-bdb-incdir=/usr/local/BerkeleyDB.4.2/include --with-bdb-libdir=/usr/local/BerkeleyDB.4.2/lib --with-ipctype=doors --with-openssl=/usr/local/ssl --with-ldap=/usr/local --enable-ldapdb CFLAGS=-DOPENSSL_DISABLE_OLD_DES_SUPPORT
  • Cyrus IMAP (v2.3.1): built using GCC (Forte C doesn’t work)
    • ./configure --with-cyrus-user=cyrus --with-cyrus-group=cyrus --with-bdb=/usr/local/BerkeleyDB.4.2 --with-ldap=/usr/local --with-openssl=/usr/local/ssl --without-snmp --disable-krb5afspts
    • Change “pod2man” to “/usr/perl5/5.6.1/bin/pod2man” in man/Makefile
    • Set SASL_LIB=-L/usr/local/lib -R/usr/local/lib -lsasl2 and SASL_INC=-I/usr/local/include in perl/Makefile and perl/sieve/Makefile after the make process bombs in the perl directory (the Makefiles haven’t been generated before that). Then remake. Perl objects will be built with Forte C; this derives from system perl being built with standard Sun tools, and it does, in fact, work properly.
  • Perdition (v1.17): built using GCC (and the vanessa libraries)
    • ./configure --disable-ldap-doc --with-ssl-includes=/usr/local/ssl/include --with-ssl-libraries=/usr/local/ssl/lib --with-ldap-includes=/usr/local/include --with-ldap-libraries=/usr/local/lib --disable-daemon-map
    • Daemon map needs to be disabled, since it uses the mkdtemp() routine, which is not present on Solaris 9.
  • Sendmail (v8.13.3): built using GCC
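The Cyrus IMAP steps above (configure, let make bomb in perl/, hand-edit the Makefiles, make again) are the kind of thing that gets forgotten on the next rebuild, so here is an added example, not the author’s build script, that turns the two hand edits into idempotent functions with a check that runs before the second make. The paths and values are the ones from the notes above; CC=gcc is assumed from “built using GCC”, and the Makefile shapes the functions edit are assumptions since the real generated files are not shown.

```shell
#!/bin/sh
# Added example, not the author's build script: the hand edits the Cyrus IMAP
# 2.3.1 build needed on Solaris 9 (full pod2man path in man/Makefile; SASL_LIB
# and SASL_INC in perl/Makefile and perl/sieve/Makefile) as idempotent
# functions, plus a driver that follows the order given in the post: configure,
# make until it bombs in perl/, fix the Makefiles that now exist, make again.
# Paths and values are the ones from the post; CC=gcc is assumed from
# "built using GCC".

POD2MAN=/usr/perl5/5.6.1/bin/pod2man
SASL_LIB='-L/usr/local/lib -R/usr/local/lib -lsasl2'
SASL_INC='-I/usr/local/include'

# set_make_var FILE VAR VALUE: rewrite "VAR = ..." in FILE, appending if absent.
set_make_var() {
    file=$1; var=$2; value=$3
    if grep -q "^$var[[:space:]]*=" "$file"; then
        sed "s|^$var[[:space:]]*=.*|$var = $value|" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$var" "$value" >> "$file"
    fi
}

# fix_pod2man MAKEFILE: replace a bare pod2man with $POD2MAN. The second
# pattern requires the preceding character not to be "/", so a file that has
# already been fixed is left alone on a second run.
fix_pod2man() {
    sed -e "s|^pod2man|$POD2MAN|" -e "s|\([^/]\)pod2man|\1$POD2MAN|g" "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# fix_perl_makefiles SRC: set SASL_LIB/SASL_INC in the perl Makefiles. They
# are generated only by the first make run, so before it this is a no-op.
# Prints the number of Makefiles edited.
fix_perl_makefiles() {
    n=0
    for mk in "$1/perl/Makefile" "$1/perl/sieve/Makefile"; do
        [ -f "$mk" ] || continue
        set_make_var "$mk" SASL_LIB "$SASL_LIB"
        set_make_var "$mk" SASL_INC "$SASL_INC"
        n=$((n + 1))
    done
    echo "$n"
}

# check_fixups SRC: succeed only if every edit is in place (run before the
# second make, so a forgotten step fails early instead of deep in the build).
check_fixups() {
    grep -q -e '^pod2man' -e '[^/]pod2man' "$1/man/Makefile" && return 1
    for mk in "$1/perl/Makefile" "$1/perl/sieve/Makefile"; do
        grep -q "^SASL_LIB = $SASL_LIB\$" "$mk" || return 1
        grep -q "^SASL_INC = $SASL_INC\$" "$mk" || return 1
    done
    return 0
}

# build_cyrus_imap SRC: the whole sequence (needs the real source tree).
build_cyrus_imap() {
    cd "$1" || return 1
    CC=gcc ./configure --with-cyrus-user=cyrus --with-cyrus-group=cyrus \
        --with-bdb=/usr/local/BerkeleyDB.4.2 --with-ldap=/usr/local \
        --with-openssl=/usr/local/ssl --without-snmp --disable-krb5afspts || return 1
    fix_pod2man man/Makefile
    make || true                     # expected to bomb in perl/ the first time
    fix_perl_makefiles . >/dev/null
    check_fixups . || return 1
    make
}

# Usage: ./build-cyrus.sh /path/to/cyrus-imapd-2.3.1
if [ $# -eq 1 ]; then
    build_cyrus_imap "$1"
fi
```

The functions write through a temporary file and move it into place, so an interrupted sed never leaves a half-written Makefile behind.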

Operational and configuration notes:

  • Sendmail requires that /usr/local/lib/sasl2 be symlinked to /usr/lib/sasl2. Setting the environment pointer in the .mc file makes no difference; Sendmail still looks in the latter for the SASL information.
  • /etc/nsswitch.conf: remove “nis” from the alias info, otherwise Sendmail tries to look up aliases in NIS, which won’t work.
  • The Sendmail .mc file needs to use `""' (double-quoted) notation for the LDAP specs, since they include commas; plain `' quoting doesn’t work for specs that include commas.
  • Sendmail .mc files need to be processed with GNU m4 (/usr/local/bin/m4). /usr/ccs/bin/m4 doesn’t properly set the config directory macro from the command line.
  • If I recall correctly, the only addition to the Sendmail cf directory is the ckuser_cyrus.m4 file in cf/feature.

Posted by Rowan Littell at 06:34 PM
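The four operational notes above are each a silent failure mode (SASL plugins not found, alias lookups hanging on NIS, an LDAP spec split at its commas, a config directory macro not set), so here is an added example, not part of the original post, of a preflight script that checks for all four before Sendmail is restarted. The first argument is a root prefix so the checks can run against a scratch tree; the demo tree, the sipala.mc contents and the LDAP spec in it are constructed for illustration, and the LDAP quoting check is a heuristic (a line mentioning ldap with a comma and no double quote), not an m4 parser.

```shell
#!/bin/sh
# Added example, not part of the original post: a preflight check for the
# Sendmail gotchas listed above, meant to run on SIPALA after a rebuild or
# patch. ROOT is a prefix so the checks can run against a scratch tree; the
# paths under it are the ones the post names. The demo tree and sipala.mc
# contents are constructed here for illustration.

# 1. Sendmail looks for SASL plugins in /usr/lib/sasl2 regardless of the .mc
#    file, so that path must be a symlink to /usr/local/lib/sasl2.
check_sasl_symlink() {
    link="$1/usr/lib/sasl2"
    [ -L "$link" ] || { echo "FAIL: $link is not a symlink" >&2; return 1; }
    target=$(ls -ld "$link" | sed 's/.* -> //')
    case "$target" in
        /usr/local/lib/sasl2) return 0 ;;
        *) echo "FAIL: $link -> $target, expected /usr/local/lib/sasl2" >&2; return 1 ;;
    esac
}

# 2. "nis" on the aliases line makes Sendmail try NIS alias lookups, which
#    do not work here; the aliases line must not list it.
check_nsswitch_aliases() {
    conf="$1/etc/nsswitch.conf"
    line=$(grep '^aliases:' "$conf" 2>/dev/null) ||
        { echo "FAIL: no aliases line in $conf" >&2; return 1; }
    for src in $(printf '%s\n' "$line" | sed 's/^aliases://'); do
        if [ "$src" = nis ]; then
            echo "FAIL: $conf: $line (remove nis)" >&2; return 1
        fi
    done
    return 0
}

# 3. m4 arguments containing commas (the LDAP specs) must use `""' quoting;
#    a plain `...' value with a comma is split into several arguments.
#    Heuristic: a line mentioning ldap that has a comma but no double quote.
check_ldap_quoting() {
    [ -f "$1" ] || { echo "FAIL: $1 missing" >&2; return 1; }
    bad=$(grep -i 'ldap' "$1" | grep ',' | grep -v '"' || true)
    [ -z "$bad" ] || { echo "FAIL: comma in unquoted LDAP spec, $1:"; echo "$bad"; return 1; } >&2
}

# 4. /usr/ccs/bin/m4 does not set the config-directory macro from the
#    command line; the .mc files must be processed with GNU m4.
check_gnu_m4() {
    "$1" --version 2>/dev/null | grep -q GNU ||
        { echo "FAIL: $1 is not GNU m4 (use /usr/local/bin/m4)" >&2; return 1; }
}

# run_checks ROOT MCFILE M4: run all four and print the number of failures.
run_checks() {
    fails=0
    check_sasl_symlink "$1"     || fails=$((fails + 1))
    check_nsswitch_aliases "$1" || fails=$((fails + 1))
    check_ldap_quoting "$2"     || fails=$((fails + 1))
    check_gnu_m4 "$3"           || fails=$((fails + 1))
    echo "$fails"
}

# make_demo_tree DIR: a constructed tree with the first three mistakes made.
make_demo_tree() {
    mkdir -p "$1/usr/lib/sasl2" "$1/usr/local/lib/sasl2" "$1/etc/mail"
    printf 'hosts: files dns\naliases: files nis\n' > "$1/etc/nsswitch.conf"
    cat > "$1/etc/mail/sipala.mc" <<'EOF'
divert(0)dnl
define(`confLDAP_DEFAULT_SPEC', `-h ldap.example.com -b dc=example,dc=com')dnl
FEATURE(`ckuser_cyrus')dnl
MAILER(`smtp')dnl
EOF
}

# fix_demo_tree DIR: apply the corrections the post describes.
fix_demo_tree() {
    rmdir "$1/usr/lib/sasl2" && ln -s /usr/local/lib/sasl2 "$1/usr/lib/sasl2"
    printf 'hosts: files dns\naliases: files\n' > "$1/etc/nsswitch.conf"
    cat > "$1/etc/mail/sipala.mc" <<'EOF'
divert(0)dnl
define(`confLDAP_DEFAULT_SPEC', `"-h ldap.example.com -b dc=example,dc=com"')dnl
FEATURE(`ckuser_cyrus')dnl
MAILER(`smtp')dnl
EOF
}

# Usage on the real host: ./mailcheck.sh / /etc/mail/sipala.mc /usr/local/bin/m4
if [ $# -eq 3 ]; then
    n=$(run_checks "$@")
    echo "$n check(s) failed"
    [ "$n" -eq 0 ]
fi
```

Each check prints what it found and why on stderr, so the script doubles as documentation of the four gotchas for whoever rebuilds the box next.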