Monday, August 23, 2010

Query recipients directly from Windows Active Directory



I/Intro
In the document http://conheotiensinh.blogspot.com/2010/08/config-iredmail-as-mail-gatewayanti.html I showed how to query recipients with a Perl script. After discussing it with Zhang Huangbin I promised him a follow-up, so today I will show how to query recipients in real time, directly from Windows Active Directory.


II/Config

Step 1: Create /etc/postfix/ldap_user.cf with the following content:

# 192.168.22.233 is the Active Directory server
server_host = 192.168.22.233
search_base = dc=test, dc=vn
version = 3
# %s is replaced with the recipient address
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = samaccountname
bind = yes
# account used to query recipients (Postfix does not accept comments after a value,
# so the notes are on their own lines)
bind_dn = test\admin
# password of that account
bind_pw = 123

Step 2: In /etc/postfix/main.cf change

relay_recipient_maps = hash:/etc/postfix/relay_recipients
To
relay_recipient_maps = ldap:/etc/postfix/ldap_user.cf

Step 3: restart Postfix

/etc/init.d/postfix restart
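The map file above contains the AD bind password in clear text, so it must not be readable by every local user, and the lookup should be tested with the same query Postfix runs during RCPT TO. The following script is an added example, not part of the original post: it writes the file from variables, restricts it to root and the Postfix group, and wraps the live lookup. The AD host, search base and bind account are the post's sample values; the output path and group name are parameters so it can be exercised outside a real gateway.

```shell
#!/bin/sh
# Added example, not from the original post: create the Postfix LDAP map file,
# keep the bind password readable only by root and the Postfix group, and
# verify the map with the same query smtpd runs for RCPT TO.

# write_ldap_map FILE AD_HOST SEARCH_BASE BIND_DN BIND_PW
# Runs in a subshell so the restrictive umask does not leak into the caller.
write_ldap_map() (
    umask 077
    cat > "$1" <<EOF
# Active Directory server queried for every RCPT TO
server_host = $2
search_base = $3
version = 3
# %s is replaced with the full recipient address
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = samaccountname
bind = yes
# read-only account used for the lookup; Postfix does not support trailing
# "# comments" after a value, so notes go on their own lines
bind_dn = $4
bind_pw = $5
EOF
)

# restrict_ldap_map FILE GROUP: root may edit, the Postfix group may read,
# nobody else sees the bind password. GROUP is "postfix" on iRedMail/CentOS.
restrict_ldap_map() {
    chmod 0640 "$1" || return 1
    chgrp "$2" "$1" 2>/dev/null ||
        echo "warning: group $2 not found, $1 stays readable by owner only" >&2
}

# map_is_private FILE: true when the file is neither world-readable nor
# writable by group or others (find -perm -NNN tests "all of these bits set").
map_is_private() {
    for bits in 004 002 020; do
        [ -n "$(find "$1" -perm -"$bits")" ] && return 1
    done
    return 0
}

# lookup_recipient FILE ADDRESS: exit 0 and print the sAMAccountName when the
# recipient exists in AD, non-zero when Postfix would reject it. This needs the
# Postfix LDAP client on the gateway, so it is a live check rather than a test.
lookup_recipient() {
    postmap -q "$2" "ldap:$1"
}

# Usage as root on the gateway:
#   write_ldap_map /etc/postfix/ldap_user.cf 192.168.22.233 "dc=test, dc=vn" 'test\admin' 123
#   restrict_ldap_map /etc/postfix/ldap_user.cf postfix
#   lookup_recipient /etc/postfix/ldap_user.cf u1@test.vn
```

A lookup that returns nothing for a known mailbox usually means the bind account cannot read the user objects or the search base is wrong; fix that before switching relay_recipient_maps, since an empty answer makes Postfix reject the recipient.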


Thanks to Zhang Huangbin for the suggestion and contribution.

Please let me know if you have questions.




Friday, August 20, 2010

Configure a Linux mail gateway in less than 5 minutes (anti-spam, mail anti-virus, greylisting)

I/Intro

In the previous document I introduced iRedMail as a full-featured Linux mail server (Postfix/Dovecot/Amavisd/ClamAV/SpamAssassin/RoundCube/iRedAdmin/postfixadmin). In this document I will show iRedMail as a mail gateway, because by default iRedMail already configures Amavisd, ClamAV, SpamAssassin and greylisting for anti-spam and mail anti-virus.

II/Install Iredmail

Install iRedMail as normal, but only choose phpMyAdmin (to manage greylisting more easily) and Awstats.

III/Remove some services not use

Because we set up iRedMail as a mail gateway, we do not use some of its services: dovecot and pysieved.

IV/Change some config

1/ Edit /etc/postfix/main.cf

mydestination =
local_recipient_maps =
local_transport = error:local mail delivery disabled

relay_recipient_maps = hash:/etc/postfix/relay_recipients

relay_domains = test.vn

transport_maps = hash:/etc/postfix/transport

Comment out all lines with mysql_* or ldap_*.

2/ Edit /etc/postfix/master.cf

Comment out the line:

#local unix - n n - - local

3/ Edit /etc/postfix/transport

# 192.168.22.233 is the IP of the backend mail server (Exchange etc.); the brackets
# turn off MX lookups, and the note is on its own line because postmap would
# otherwise treat it as part of the value
test.vn smtp:[192.168.22.233]

4/ Create /etc/postfix/relay_recipients

u1@test.vn OK
u2@test.vn OK
ug@test.vn OK
u3@test.vn OK
u4@test.vn OK

5/ Build the hash databases

postmap /etc/postfix/transport
postmap /etc/postfix/relay_recipients

V/ Populating relay_recipients from Active Directory


Note that this script requires Perl and Net::LDAP (install perl-ldap with yum). However, it does NOT have to run on your mail gateway.

Edit the script so that the values below are correct:
$VALID = "/etc/postfix/relay_recipients";
$dc1="dc1.test.vn";
$dc2="dc2.test.vn";
$hqbase="cn=Users,dc=test,dc=vn";
$user="cn=user,cn=Users,dc=test,dc=vn";
$passwd="password";

If you have any problem with the Perl script, please send mail to quan.hoa@conheotiensinh.co.cc and I will edit it for you.

VI/ Create a shell script to update relay_recipients from Active Directory automatically

Create the shell script /opt/ad.sh with the following content:

#!/bin/sh
# rebuild the hash table from Active Directory; reload Postfix only if both steps succeed
cd /etc/postfix && ./getadsmtp.pl && /usr/sbin/postmap relay_recipients && /usr/sbin/postfix reload

Run it from crontab on your own schedule.
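A cron job that rewrites relay_recipients in place has one failure mode worth guarding against: when the domain controller is unreachable the Perl script can leave an empty or truncated file, and once postmap has indexed it the gateway rejects every recipient of the relay domain until the next run. The script below is an added example, not the post's /opt/ad.sh: it validates the freshly generated table, refuses a table that lost more than half of its entries, and only then swaps it in atomically and reloads Postfix. It assumes $VALID in getadsmtp.pl was changed to the staging path /etc/postfix/relay_recipients.new (the post writes straight to relay_recipients).

```shell
#!/bin/sh
# Added example, not the post's /opt/ad.sh: rebuild relay_recipients from AD
# without ever installing an empty or malformed table.
# Assumption: $VALID in getadsmtp.pl points at /etc/postfix/relay_recipients.new.

# count_entries FILE: number of non-blank, non-comment lines
count_entries() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -c '[^[:space:]]' || true
}

# validate_relay_recipients FILE: true when the table has at least one entry
# and every entry has the "user@domain OK" form relay_recipient_maps expects
validate_relay_recipients() {
    [ "$(count_entries "$1")" -gt 0 ] || return 1
    if grep -v '^[[:space:]]*#' "$1" | grep '[^[:space:]]' |
         grep -Evq '^[[:alnum:]._+-]+@[[:alnum:].-]+[[:space:]]+OK[[:space:]]*$'; then
        return 1    # at least one line is not "address OK"
    fi
    return 0
}

# table_shrank_too_much OLD NEW: true when NEW has fewer than half of OLD's
# entries, which usually means a partial AD answer rather than real departures
table_shrank_too_much() {
    old=$(count_entries "$1")
    new=$(count_entries "$2")
    [ "$((new * 2))" -lt "$old" ]
}

# update_relay_recipients [POSTFIX_DIR]: the cron job body
update_relay_recipients() {
    pfdir=${1:-/etc/postfix}
    staging="$pfdir/relay_recipients.new"
    live="$pfdir/relay_recipients"
    cd "$pfdir" || return 1
    ./getadsmtp.pl || { echo "AD query failed, keeping current table" >&2; return 1; }
    validate_relay_recipients "$staging" ||
        { echo "new table empty or malformed, keeping current table" >&2; return 1; }
    if [ -f "$live" ] && table_shrank_too_much "$live" "$staging"; then
        echo "new table lost more than half of its entries, refusing to install it" >&2
        return 1
    fi
    # postmap writes relay_recipients.new.db; rename both so the swap is atomic
    /usr/sbin/postmap "$staging" || return 1
    mv -f "$staging.db" "$live.db" && mv -f "$staging" "$live" || return 1
    /usr/sbin/postfix reload
}
```

Because the job exits non-zero on every refused update, cron mails the reason to the administrator instead of silently leaving the old table in place; the "half" threshold is a starting point and should match how much the directory legitimately changes between runs.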

You can also use iRedMail for multiple domains (relay_recipients can be collected from multiple Active Directory servers).

Thanks

quan.hoa@conheotiensinh.co.cc



Friday, August 13, 2010

Configure a layer 7 load balancer cluster with SSL support using Heartbeat, Nginx and HAProxy

I/INTRO

In the document http://conheotiensinh.blogspot.com/2010/06/setting-up-high-availability-load.html I configured HAProxy to load balance HTTPS with stunnel (very easy to configure and deploy). But with stunnel you cannot see the source IP of the clients reaching HAProxy, and its performance does not match Nginx. So I will introduce one solution to this problem: Nginx as the SSL reverse proxy, Heartbeat for the cluster and HAProxy for load balancing.

Nginx [engine x] is an HTTP and reverse proxy server, as well as a mail proxy server, written by Igor Sysoev. It has been running for more than five years on many heavily loaded Russian sites including Rambler (RamblerMedia.com). According to Netcraft, nginx served or proxied 4.70% of the busiest sites in April 2010. Some success stories: FastMail.FM, Wordpress.com, sourceforge.net...


II/INSTALL

Step 1: configure the IP addresses as shown in the image


Step 2: install HAProxy from an RPM package (if you need the latest version, 1.4.8, please contact me at quan.hoa@conheotiensinh.co.cc and I will give it to you), or download HAProxy from http://rpm.pbone.net/


Step 3: install Nginx from an RPM package (if you need the latest version, 0.7.67, please contact me at quan.hoa@conheotiensinh.co.cc and I will give it to you), or download Nginx from http://rpm.pbone.net/

III/CONFIG

Step 1: configure HAProxy on both servers as shown in the image



Step 2: configure Nginx on both servers as shown in the image


Step 3: access the HAProxy status page at https://192.168.129.133/haproxy?stats



Step 4: stop server 1 and access the HAProxy status page again:
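The Nginx side of this setup is only shown as an image above, so here is an added example of the server block that does the work described in the intro: terminate HTTPS on the shared IP and forward plain HTTP to HAProxy while carrying the real client address in X-Forwarded-For, which stunnel could not do. This is my own example, not the post's configuration; 192.168.129.133 is the shared IP from the post, while the certificate paths are placeholders. The generator is a shell function so the result can be checked before it is installed.

```shell
#!/bin/sh
# Added example, not the post's Nginx config: HTTPS termination in front of
# HAProxy with the client address preserved in X-Forwarded-For.

# gen_nginx_ssl_proxy SHARED_IP HAPROXY_ADDR CERT KEY: print the server block
gen_nginx_ssl_proxy() {
    cat <<EOF
server {
    listen $1:443 ssl;
    ssl_certificate     $3;
    ssl_certificate_key $4;

    location / {
        proxy_pass http://$2;
        # HAProxy only sees Nginx's own address on the TCP connection; the
        # client address travels in X-Forwarded-For instead
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# config_forwards_client_ip FILE: true when the proxy passes the client address on
config_forwards_client_ip() {
    grep -Eq '^[[:space:]]*proxy_set_header[[:space:]]+X-Forwarded-For[[:space:]]+\$proxy_add_x_forwarded_for;' "$1"
}

# config_terminates_tls FILE: true when a listen directive carries the ssl flag
config_terminates_tls() {
    grep -Eq '^[[:space:]]*listen[[:space:]]+[^;]*[[:space:]]ssl;' "$1"
}

# Usage on each server (HAProxy listening on the shared IP, port 80, as in the
# earlier posts), then "nginx -t" before reloading:
#   gen_nginx_ssl_proxy 192.168.129.133 192.168.129.133:80 \
#       /etc/nginx/ssl/server.crt /etc/nginx/ssl/server.key > /etc/nginx/conf.d/ssl_proxy.conf
```

Two consequences for the HAProxy configuration behind it: every connection now arrives from Nginx, so "balance source" would hash all clients onto one backend and cookie-based persistence should be used instead; and with "option forwardfor" HAProxy appends its own view of the peer to X-Forwarded-For, so the backends and their logs must take the first address in that header as the client.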


If you have questions, please contact me at quan.hoa@conheotiensinh.co.cc

Thanks

quan.hoa@conheotiensinh.co.cc

Friday, August 6, 2010

LOAD BALANCING WITH MULTIPLE PPPoE INTERFACES IN PFSENSE 2.0


I/Intro

The current pfSense release is version 1.2.3, which supports only one PPPoE interface. With pfSense 2.0 (Beta 4) you can use multiple PPPoE interfaces, and version 2.0 also changes the outbound load balancing configuration. So I will show how to configure multiple PPPoE interfaces.


II/ Install pfSense as in the previous document

III/ Configure multiple PPPoE interfaces as shown in the images


Note: you can create a PPPoE server with pfSense to test this document.

IV/ Configure load balancing in pfSense

In the previous version (1.2.3) you configure it as in http://conheotiensinh.blogspot.com/2009/10/multi-wan-load-balancing-outbound-use.html, but in pfSense 2.0 the outbound load balancing configuration has changed.

Step 1: configure gateways (System -> Routing): create 2 gateways as shown in the images, with 192.168.127.128 and 192.168.128.129 as the IP addresses of the PPPoE servers (they are detected automatically when connecting via PPPoE)


Step 2: configure groups (System -> Routing): switch to the Groups tab and create a group as shown in the image


Step 3: view the status of the gateways and groups when both lines are connected


Step 4: disconnect one interface and view the status
Step 5: create the rule as shown in the image


Thanks

Conheotiensinh(quan.hoa@conheotiensinh.co.cc)

Tuesday, June 1, 2010

Setting Up A High-Availability Load Balancer HTTPS(With Failover and Session Support) With HAProxy/Keepalived/Stunnel



I/INTRO

In the document http://conheotiensinh.blogspot.com/2010/05/setting-up-high-availability-load_14.html I set up a load balancer for HTTP with HAProxy. But HAProxy does not support SSL (HTTPS) directly, so I will show how to configure HAProxy with SSL support using stunnel (as the HAProxy site says, Stunnel is needed to support SSL/HTTPS).

II/INSTALL



2/ Install Stunnel

You need to apply the HAProxy patch to the Stunnel package (I built an RPM package with the HAProxy patch applied; if you need it for an easier install, please contact me at quan.hoa@conheotiensinh.co.cc)

3/ Configure Keepalived as in the document:


4/ Configure HAProxy on both load balancers

Edit /etc/haproxy/haproxy.cfg

stats enable
stats auth test:123
listen domain_cluster_https 192.168.236.130:80
mode http
balance roundrobin
cookie SERVERID insert nocache
option forwardfor except 192.168.236.130
option httpchk HEAD /check.txt HTTP/1.0
server server1 192.168.127.131:80 cookie A check
server server2 192.168.127.132:80 cookie B check

5/ Configure Stunnel

Edit /etc/stunnel/stunnel.conf

; you need to install the certificate
cert = /etc/stunnel/monit.pem
;key = /etc/stunnel/mail.key

; Some security enhancements for UNIX systems - comment them out on Win32
;chroot = /var/run/stunnel/
setuid = root
setgid = root
; PID is created inside chroot jail
;pid = /stunnel.pid
pid = /etc/stunnel/stunnel.pid
;debug = 3
;output = /etc/stunnel/stunnel.log
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[https]
accept=192.168.236.130:443
connect=192.168.236.130:80


6/ Test: you can access the webmail at the URL:

https://192.168.236.130/mail




Check the HAProxy status with the URL: https://192.168.236.130/haproxy?stats
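The stunnel.conf above keeps the daemon running as root (setuid = root, setgid = root) with the chroot line commented out, although stunnel only needs root to bind port 443. As an added example, not the post's configuration, the script below generates the same HTTPS front end with stunnel dropping to an unprivileged account inside a chroot, and includes a check that flags a config which still keeps root. It assumes an account named stunnel and the directory /var/run/stunnel exist (placeholders for your packaging); the certificate path and addresses are the post's.

```shell
#!/bin/sh
# Added example, not the post's stunnel.conf: the same HTTPS front end for
# HAProxy, with stunnel running unprivileged in a chroot after binding :443.

# gen_stunnel_conf SHARED_IP PEM CHROOT_DIR RUN_AS: print the hardened config
gen_stunnel_conf() {
    cat <<EOF
; certificate and key in one PEM file, read before privileges are dropped
cert = $2
; root is only needed to bind :443; everything after that runs as $4
chroot = $3
setuid = $4
setgid = $4
; path is relative to the chroot directory
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[https]
accept = $1:443
connect = $1:80
EOF
}

# stunnel_runs_as_root FILE: true when the daemon keeps root after start-up,
# either because setuid is root/0 or because no setuid line is present at all
stunnel_runs_as_root() {
    if ! grep -Eq '^[[:space:]]*setuid[[:space:]]*=' "$1"; then
        return 0
    fi
    grep -Eq '^[[:space:]]*setuid[[:space:]]*=[[:space:]]*(root|0)[[:space:]]*$' "$1"
}

# stunnel_is_chrooted FILE: true when an active (uncommented) chroot line exists
stunnel_is_chrooted() {
    grep -Eq '^[[:space:]]*chroot[[:space:]]*=[[:space:]]*/' "$1"
}

# Usage on both load balancers (the chroot directory must be writable by the
# stunnel account so the pid file can be created inside it):
#   gen_stunnel_conf 192.168.236.130 /etc/stunnel/monit.pem /var/run/stunnel stunnel \
#       > /etc/stunnel/stunnel.conf
#   stunnel_runs_as_root /etc/stunnel/stunnel.conf && echo "still root" >&2
```

HAProxy in this design still sees every HTTPS client as 192.168.236.130, because stunnel opens the backend connection; the later post with Nginx in front addresses that by carrying the client address in X-Forwarded-For.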




Besides, you can use another solution for this problem:

Use Pound as the SSL reverse proxy and HAProxy as the load balancer.

Thanks

Friday, May 14, 2010

Setting Up A High-Availability Load Balancer(With Failover and Session Support) With HAProxy/Keepalived


I/INTRO
As you know, we have several solutions for a load balancer in Linux:

pfSense: http://conheotiensinh.blogspot.com/2009/09/load-balance-and-cluster-failover.html (only supports layer 4, so it cannot be deployed for systems that need a login session)

Pen is a very simple load balancer for TCP protocols. It supports source IP-based persistence for up to 2048 clients and IP-based ACLs. It uses select() and supports higher loads than Pound, but will not scale very well to thousands of simultaneous connections.

Pound can be seen as a complement to HAProxy. It supports SSL, and can direct traffic according to the requested URL. Its code is very small and will stay small for easy auditing. Its configuration file is very small too. However, it does not support persistence, and the performance associated with its multi-threaded model limits its usage to medium sites only.

Besides, we can use Linux Virtual Server (LVS) and Pure Load Balancer (PLB), but for a load balancer with layer 7 support HAProxy is, for me, the best choice. HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for web sites crawling under very high loads while needing persistence or layer 7 processing. Supporting tens of thousands of connections is clearly realistic with today's hardware. Its mode of operation makes its integration into existing architectures very easy and riskless, while still offering the possibility not to expose fragile web servers to the Net.

II/INSTALL


For this howto I set up four CentOS systems (minimal installation without GUI etc.) with the following configuration:

Load Balancer 1

IP: 192.168.236.128(eth0) and 192.168.127.128(eth1) Shared IP: 192.168.236.130

Load Balancer 2

IP: 192.168.236.129 (eth0) and 192.168.127.129 (eth1) Shared IP: 192.168.236.130

Web Server 1

IP: 192.168.127.130

Web Server 2


IP: 192.168.127.132

1/ Install HAProxy and Keepalived

You can install from source, but it is easier to install the RPM packages (if you need the latest RPM packages of HAProxy (version 1.4.5) and Keepalived (version 1.1.20), please contact me at quan.hoa@conheotiensinh.co.cc and I will give them to you).

2/ Edit /etc/haproxy/haproxy.cfg on both load balancer servers as follows:

global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon

defaults
mode http
log global
option dontlognull
option httpclose
option httplog
option forwardfor
option redispatch
timeout connect 10000 # default 10 second time out if a backend is not found
timeout client 300000
timeout server 300000
maxconn 60000
retries 3

listen webfarm 192.168.236.130:80
mode http
stats enable
stats auth test:123
#balance roundrobin
balance source
cookie JSESSIONID prefix
#balance source
#cookie SERVERID insert indirect
option httpclose
option forwardfor
option httpchk HEAD /check.txt HTTP/1.0
server web1 192.168.127.130:80 cookie A check
server web2 192.168.127.132:80 cookie B check

3/ Configure Keepalived

In this document I use Keepalived for HA (you can also use Heartbeat and VRRP for the cluster).

Edit /etc/keepalived/keepalived.conf on both load balancers (only change the priority: 101 on the master, 100 on the backup)


vrrp_script chk_haproxy { # Requires keepalived-1.1.13
script "killall -0 haproxy" # cheaper than pidof
interval 2 # check every 2 seconds
weight 2 # add 2 points of prio if OK
}

vrrp_instance VI_1 {
interface eth0
state MASTER
virtual_router_id 51
priority 101 # 101 on master, 100 on backup
virtual_ipaddress {
192.168.236.130
}
track_script {
chk_haproxy
}
}

4/ Edit /etc/sysctl.conf on both load balancers

# Allow HAProxy shared IP
net.ipv4.ip_nonlocal_bind = 1
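Since the same keepalived.conf is copied to both nodes with one number changed, it is easy to end up with two masters, two different router IDs, or a priority gap that defeats the chk_haproxy script. The check below is an added example, not part of the post: it reads both configs, verifies that interface, virtual_router_id and the shared IP match, that the master's priority is higher, and that the gap stays below the script weight (with weight 2, a master at 101 whose HAProxy has died scores 101 while the healthy backup scores 102 and takes over; a gap of 2 or more would block that). It also confirms the ip_nonlocal_bind sysctl from this step. The two sample configs it writes are constructed from the post's values.

```shell
#!/bin/sh
# Added example, not from the post: pre-flight consistency check for the
# master/backup keepalived pair, plus the sysctl HAProxy needs on the backup.

# kconf_get FILE KEY: value of a one-word setting ("priority 101 # note" -> 101)
kconf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# kconf_vip FILE: first address inside the virtual_ipaddress { } block
kconf_vip() {
    sed -n '/virtual_ipaddress[[:space:]]*{/,/}/p' "$1" |
        grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# check_keepalived_pair MASTER_CONF BACKUP_CONF: true when the pair is consistent;
# each problem found is printed on its own line
check_keepalived_pair() {
    ok=0
    for key in interface virtual_router_id; do
        if [ "$(kconf_get "$1" "$key")" != "$(kconf_get "$2" "$key")" ]; then
            echo "mismatch: $key differs between the two nodes"; ok=1
        fi
    done
    if [ "$(kconf_vip "$1")" != "$(kconf_vip "$2")" ]; then
        echo "mismatch: virtual IP differs between the two nodes"; ok=1
    fi
    pm=$(kconf_get "$1" priority)
    pb=$(kconf_get "$2" priority)
    w=$(kconf_get "$1" weight)
    if [ -z "$pm" ] || [ -z "$pb" ] || [ "$pm" -le "$pb" ]; then
        echo "priority: master ($pm) must be higher than backup ($pb)"; ok=1
    elif [ -n "$w" ] && [ "$((pm - pb))" -ge "$w" ]; then
        # healthy backup scores pb + w; a master whose haproxy died scores pm
        echo "priority gap $((pm - pb)) >= weight $w: backup cannot take over when the master's haproxy dies"; ok=1
    fi
    return $ok
}

# nonlocal_bind_enabled [SYSCTL_FILE]: HAProxy on the backup must be able to
# bind 192.168.236.130 while the master still holds the address
nonlocal_bind_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_nonlocal_bind}" 2>/dev/null)" = 1 ]
}

# write_sample_pair DIR: constructed master/backup configs with the post's values
# (the post changes only the priority between the two nodes)
write_sample_pair() {
    for node in master backup; do
        if [ "$node" = master ]; then prio=101; else prio=100; fi
        cat > "$1/$node.conf" <<EOF
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    weight 2
}
vrrp_instance VI_1 {
    interface eth0
    state MASTER
    virtual_router_id 51
    priority $prio # 101 on master, 100 on backup
    virtual_ipaddress {
        192.168.236.130
    }
    track_script {
        chk_haproxy
    }
}
EOF
    done
}

# Usage from LB1 with LB2's file copied over:
#   check_keepalived_pair /etc/keepalived/keepalived.conf lb2-keepalived.conf && nonlocal_bind_enabled
```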


5/ Test

I set up 2 RoundCube webmail servers to test this HAProxy setup.

a/ Log in to the webmail and check the log



b/ Stop LB1 and check the log on load balancer 2

c/ Check the HAProxy status with the URL: http://192.168.236.130/haproxy?stats


Thanks

Tuesday, April 6, 2010

Deploy iptables Cluster using Fwbuilder and Heartbeat

I/Intro

As we know, fwbuilder is a GUI firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco router extended access lists. Both professional network administrators and hobbyists managing firewalls with policies more complex than a simple web-based UI allows can simplify management tasks with the application. The program runs on Linux, FreeBSD, OpenBSD, Windows and Mac OS X and can manage both local and remote firewalls.

Firewall Builder is packaged with most Linux distributions. If the package is not available in the base distribution, it usually can be found in "extras". You need to install the package that has the supporting API library libfwbuilder and the package fwbuilder that contains the Firewall Builder GUI and policy compilers. You can use your favorite package management tool such as yum, apt-get or aptitude to find and install them. On FreeBSD and OpenBSD Firewall Builder is part of ports; you can find it in /usr/ports/security/fwbuilder. The new version comes with support for high availability firewall configurations, including heartbeat, vrrpd, keepalived and conntrackd on Linux, CARP and pfsync on OpenBSD, and PIX failover configuration. It can generate configuration scripts to manage IP addresses, VLAN, bridge and bonding interfaces on the firewall. Drop-in support for the OpenWRT firewall script is now available, as well as experimental integration with IPCOP firewall appliances. The GUI supports undo/redo of unlimited depth, was generally streamlined and has many other improvements. See http://www.fwbuilder.org/

II/Install

Step 1: configure the IP addresses of the 2 firewalls as shown in the image


Step 2: install heartbeat

yum -y install heartbeat

yum -y install heartbeat   # run a second time because the first run reported errors


Step 3: copy the default configuration files. It's necessary to do this on both systems.

cp /usr/share/doc/heartbeat-2.1.3/authkeys /etc/ha.d/authkeys

cp /usr/share/doc/heartbeat-2.1.3/ha.cf /etc/ha.d/ha.cf

cp /usr/share/doc/heartbeat-2.1.3/haresources /etc/ha.d/haresources


Step 4: Edit /etc/ha.d/authkeys. It's necessary to do this on both systems.

auth 3

3 md5 123

Step 5: edit /etc/ha.d/ha.cf. It's necessary to do this on both systems.

# line 52
keepalive 2

# line 60
deadtime 10

# lines 117 and 118
mcast eth0 225.0.0.1 694 1 0
mcast eth1 225.0.0.1 694 1 0

# add at the bottom
node fw1.test.vn
node fw2.test.vn

Step 6: edit /etc/ha.d/haresources


fw1.test.vn IPaddr::192.168.10.145/24/eth0/192.168.10.255

fw1.test.vn IPaddr::172.16.1.3/16/eth1/172.16.255.255

Step 7:

authkeys must have permissions 0600; the other files can have permissions 0644.

Step 8:

/etc/init.d/heartbeat start
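Steps 3 to 7 have to be repeated identically on both firewalls, and the shared secret in authkeys is what stops a third host on the heartbeat network from joining the cluster or injecting status messages. The script below is an added example, not from the post: it generates all three files from one set of values so fw1 and fw2 cannot drift apart, uses a random sha1 key in place of a short fixed one, and checks the result before heartbeat is started. Node names, addresses and timers are the post's; the output directory is a parameter so the files can be produced on an admin host and copied to /etc/ha.d on each node.

```shell
#!/bin/sh
# Added example, not from the post: generate and check the heartbeat files
# (authkeys, ha.cf, haresources) for both firewall nodes.

# gen_authkey: 20 random bytes as 40 hex characters from the kernel RNG
gen_authkey() {
    od -An -N20 -tx1 /dev/urandom | tr -d ' \n'
}

# write_ha_files DIR KEY NODE1 NODE2: authkeys (0600), ha.cf and haresources (0644).
# Runs in a subshell so the umask changes do not leak into the caller.
write_ha_files() (
    umask 077
    printf 'auth 1\n1 sha1 %s\n' "$2" > "$1/authkeys"
    umask 022
    cat > "$1/ha.cf" <<EOF
keepalive 2
deadtime 10
# heartbeat on both links so one failed cable is not mistaken for a dead node
mcast eth0 225.0.0.1 694 1 0
mcast eth1 225.0.0.1 694 1 0
node $3
node $4
EOF
    # $3 (fw1 in the post) is the preferred owner of both shared addresses
    cat > "$1/haresources" <<EOF
$3 IPaddr::192.168.10.145/24/eth0/192.168.10.255
$3 IPaddr::172.16.1.3/16/eth1/172.16.255.255
EOF
)

# ha_files_ok DIR: true when authkeys is owner-only and not trivially short,
# ha.cf names at least two nodes, and every node in haresources is declared in ha.cf
ha_files_ok() {
    [ -n "$(find "$1/authkeys" -perm 600)" ] || { echo "authkeys must be 0600"; return 1; }
    key=$(sed -n 's/^1 sha1 \(.*\)$/\1/p' "$1/authkeys")
    [ "${#key}" -ge 32 ] || { echo "authkey too short"; return 1; }
    [ "$(grep -c '^node ' "$1/ha.cf")" -ge 2 ] || { echo "ha.cf needs both nodes"; return 1; }
    for n in $(awk '{print $1}' "$1/haresources" | sort -u); do
        grep -q "^node $n\$" "$1/ha.cf" || { echo "haresources node $n not in ha.cf"; return 1; }
    done
    return 0
}

# Usage (the same KEY must go to both nodes, so generate it once):
#   KEY=$(gen_authkey)
#   write_ha_files /etc/ha.d "$KEY" fw1.test.vn fw2.test.vn
#   ha_files_ok /etc/ha.d && /etc/init.d/heartbeat start
```

The multicast heartbeat on 225.0.0.1:694 is the traffic that step 12 opens on UDP 694; because it is authenticated only by the shared key, the key is the one file that must never be copied with 0644 permissions.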

Step 9: Install fwbuilder

rpm -Uvh libfwbuilder*
rpm -Uvh fwbuilder*

Step 10:

Create the 2 firewalls in Fwbuilder as shown in the image

Step 11:


Step 12:

Open UDP port 694 and UDP port 3780 on both firewalls

Step 13:

Create the NAT and policy rules for the cluster (they are created the same way as for a stand-alone fwbuilder firewall)

Step 14: Test



Shut down fw1 and test again


Start fw1 and test again






Besides, you can use VRRP, CARP, etc. for the cluster.

If you need the configuration template files, please send mail to quan.hoa@conheotiensinh.co.cc and I will send them to you.


Thanks

http://conheotiensinh.blogspot.com/