Jimmy's weblog

12/21/2005

WRT54GS V4 and openwrt

Filed under: — jimmy @ 5:01 am

You might have read my posting about the WRT54G and openwrt. Today I tested a brand-new WRT54GS. It was shipped with firmware version 1.03. I don't know why Linksys starts again at 1.x version numbers, but it's definitely a Linux router. All series 4 should still be Linux. If you wonder why I say "still", check out this article. In short: series 5 will use VxWorks, but Linksys will ship a new device, called WRT54GL, which will be running Linux.
Unfortunately the ping hack didn't work, and neither did tftp (maybe I did something wrong, but I think it can't work without boot_wait). Someone on the IRC channel told me that the upload via the web interface worked for him... It worked for me too, but I don't know how dangerous it is.
OpenWrt RC4 now has a web interface, too. So after rebooting I took a look at the new interface... Great :-) I set boot_wait so that I can use tftp, which I then used to restore the original firmware. My browser (Opera) had some problems with the page reload and I thought that I had crashed the router. But after restarting Opera I saw the original web interface again :-)

12/12/2005

Postfix: Faking the From header (not From:)

Filed under: — jimmy @ 7:28 pm

I never send mail over my main server; I always send over my local gateway or sometimes from my notebook. This is usually no problem, but some mail servers and auto-responders reply to the address in the From header (the envelope sender, the "From " line without a colon, which also ends up in Return-Path: on delivery), and that address might be different from the one in the From: header. For better understanding: the From: header is usually set by the mail client, while the envelope From is set by the mail server that submits the message. Its default value is your username plus the hostname of the machine, so in my case it's jimmy@ultimate.g-tec.co.at. But I only receive mail for my domain g-tec.co.at, not for ultimate.g-tec.co.at, so bounces and auto-replies to that address are lost. Every mail server has a couple of ways to rewrite its addresses; in Postfix this case is handled by masquerading.

masquerade_domains = g-tec.co.at

This line (in /etc/postfix/main.cf) strips the host part off every address below g-tec.co.at that I use on my machines. So ultimate.g-tec.co.at becomes g-tec.co.at and the envelope From is now "jimmy@g-tec.co.at". Postfix applies this to the envelope sender and to sender and recipient headers, but not to envelope recipients, so mail addressed to the individual hosts still routes to them.
Works perfectly :-)
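The same masquerading written out as a complete main.cf fragment, as an added example (not the post's own configuration): the masquerade_classes line spells out Postfix's documented default, while masquerade_exceptions and the myorigin alternative are additions a practitioner usually wants next to it. The domain and user names are the post's.

```ini
# Added example, not the post's own config. Goes into /etc/postfix/main.cf.

# Strip host parts below this domain:
#   jimmy@ultimate.g-tec.co.at  ->  jimmy@g-tec.co.at
masquerade_domains = g-tec.co.at

# Which addresses get rewritten. This is Postfix's default, shown for
# clarity: envelope recipients are deliberately NOT in the list, so mail
# addressed to ultimate.g-tec.co.at still reaches that host.
masquerade_classes = envelope_sender, header_sender, header_recipient

# Leave root alone, so cron and bounce mail from root still shows which
# machine it came from (useful once several hosts masquerade as one domain).
masquerade_exceptions = root

# Alternative for mail generated on the box itself: have Postfix append the
# domain instead of the hostname in the first place, so nothing needs to be
# rewritten afterwards.
# myorigin = g-tec.co.at
```

masquerade_domains rewrites after the fact and therefore also catches mail that merely passes through this server; myorigin only affects mail submitted locally, which is often all that is needed on a gateway that sends but does not receive.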

12/6/2005

Postfix smarthost (simple way)

Filed under: — jimmy @ 2:08 am

Today I removed my last exim server, which was running on my private server. Since this was a simple step (it only has to send mail; receiving is done by my main mail server), I decided to test how to set up postfix as a smarthost and how to use a smarthost.

Part I: Configure postfix to use a smarthost
With Debian it's just reconfiguring the package (dpkg-reconfigure postfix and choose the "Satellite system" type). If you don't use Debian or want to do it by hand, it's basically adding one entry in /etc/postfix/main.cf:

relayhost = ultimate.g-tec.co.at

That's all :-) One detail worth knowing: written like this, Postfix first looks up MX records for ultimate.g-tec.co.at and only falls back to the A record; put the name in square brackets ([ultimate.g-tec.co.at]) if you want it to connect to exactly that host.

Part II: Configure postfix to be a smarthost for another mail server
As the title of this posting says, it's the simple way. So both servers are in the same LAN and our firewall makes sure that no attacker from outside can spoof our LAN IPs; this matters because everything below trusts the source address alone.
Again, it's one little change in /etc/postfix/main.cf: simply add the IP of the other server to "mynetworks"

mynetworks = 127.0.0.0/8 192.168.0.66

Done. This setup is enough if you only have servers in your LAN and you don't receive mail for them: the hub relays anything that arrives from 192.168.0.66 without asking for a password, which is why the list must contain only hosts you control. It is useful when you have a couple of servers and want to send all mail over one centralized mail server. If you want to send mail over a smarthost outside of your LAN, trusting IP addresses is no longer an option: the client has to authenticate (SMTP AUTH via SASL; the "Postfix and SASL" post below covers the server side) and the session has to be protected with TLS so the password is not sent in the clear.
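Both sides from Part I and Part II as main.cf fragments, plus the authenticated variant for a relay outside the LAN, as an added example that is not the post's own configuration. The hostnames and the 192.168.0.66 address are the post's; the sasl_passwd map path, the credentials in it and the smtp_sasl_* / smtp_tls_security_level parameters are assumptions (the TLS parameter exists from Postfix 2.3 on; the sarge-era postfix-tls used smtp_use_tls and smtp_enforce_tls instead).

```ini
# Added example, not the post's own config. Three separate main.cf fragments,
# one per machine role.

# --- (1) client in the LAN, Part I: hand all outbound mail to the hub ---
# Square brackets: connect to this host directly instead of looking up
# its MX records first.
relayhost = [ultimate.g-tec.co.at]

# --- (2) hub, Part II: trust the client by source address only ---
# Every address in mynetworks may relay without authenticating, so list
# only hosts you control; the firewall has to keep outsiders from
# spoofing or reaching these addresses.
mynetworks = 127.0.0.0/8 192.168.0.66

# --- (3) client outside the LAN: authenticate instead of trusting IPs ---
relayhost = [ultimate.g-tec.co.at]
smtp_sasl_auth_enable = yes
# Assumed path. The file holds one line, "[ultimate.g-tec.co.at] jimmy:real-secret",
# is chmod 600, and is compiled with: postmap /etc/postfix/sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# The default also contains "noplaintext", which would forbid PLAIN and LOGIN;
# the protection against cleartext comes from the TLS line below instead.
smtp_sasl_security_options = noanonymous
# Refuse to talk to the relay at all unless the session is TLS-protected,
# so the password never crosses the wire in the clear.
# (Postfix 2.3+; older releases: smtp_use_tls = yes and smtp_enforce_tls = yes)
smtp_tls_security_level = encrypt
```

Fragment (3) is the client counterpart of the SASL server setup in the "Postfix and SASL" post: the hub must offer STARTTLS and AUTH, and with permit_sasl_authenticated in its recipient restrictions it relays for this client without any entry in mynetworks.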

12/5/2005

Postfix and SASL (Debian)

Filed under: — jimmy @ 5:30 am

Today I wanted to configure one of my postfix boxes to use SASL. This time I decided to use saslauthd instead of pwcheck, as I had always done before.
Let’s start with the easy part… installing the packages (it’s a debian sarge server):

apt-get install postfix-tls sasl2-bin libsasl2 libsasl2-modules

Now edit /etc/default/saslauthd:

START=yes
MECHANISMS="pam"

saslauthd is not started automatically after package installation (we'll do that later)!
Next file to edit is /etc/postfix/sasl/smtpd.conf (you have to create it). Note that saslauthd can only verify plaintext passwords, so it makes sense to also restrict the offered mechanisms to plain and login in this file (mech_list); otherwise Postfix advertises CRAM-MD5 and DIGEST-MD5 as well, and those always fail with this setup:

pwcheck_method: saslauthd

Ok, let’s add some lines in /etc/postfix/main.cf to enable SASL:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination

On Debian, smtpd runs chrooted in /var/spool/postfix, so it can't reach the saslauthd socket in /var/run/saslauthd. This is the tricky part: move the socket directory into the chroot and turn the old path into a symlink to it:

rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
adduser postfix sasl

Now restart postfix and start saslauthd:

/etc/init.d/postfix restart
/etc/init.d/saslauthd start

Finally we test it using telnet. We need perl to generate the base64 string for AUTH PLAIN, which is authorization identity, NUL, authentication identity, NUL, password (the two identities are normally the same user):

perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
e.g.
perl -MMIME::Base64 -e 'print encode_base64("jimmy\0jimmy\0real-secret");'
amltbXkAamltbXkAcmVhbC1zZWNyZXQ=

Then use telnet:

jimmy@reptile:~$ telnet jimmy.co.at 25
Trying 80.237.145.96...
Connected to jimmy.co.at.
Escape character is '^]'.
220 kitana.jimmy.co.at ESMTP Mailserver
ehlo reptile.g-tec.co.at
250-kitana.jimmy.co.at
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
AUTH PLAIN amltbXkAamltbXkAcmVhbC1zZWNyZXQ=
235 Authentication successful

If it doesn't work, check your log files. If you get something like this: "warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied", then check the permissions on /var/spool/postfix/var/run/saslauthd. One more thing the telnet session above makes obvious: AUTH PLAIN is sent over an unencrypted port 25 connection, and base64 is encoding, not encryption, so anyone on the path can read the password. Since postfix-tls is installed anyway, set smtpd_tls_auth_only = yes so that AUTH is only offered after STARTTLS.
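The credential string from the test step above, generated with coreutils instead of perl and decoded again for inspection, as an added example that is not part of the original post. It goes beyond the post in also producing the two separate strings the LOGIN mechanism (advertised in the same EHLO reply) expects. It assumes a POSIX shell plus GNU/BSD base64 and tr; the user and password are the post's example values.

```shell
# Added example, not from the original post. Requires base64 and tr.
# AUTH PLAIN carries base64( authzid NUL authcid NUL password ).
# authzid = whom to act as, authcid = who is logging in; Postfix passes
# authcid to saslauthd, and the two are normally the same user.

auth_plain_token() {
    # $1 = username (used for both identities), $2 = password
    # printf '\0' emits a literal NUL byte; tr strips the newline base64 appends
    printf '%s\0%s\0%s' "$1" "$1" "$2" | base64 | tr -d '\n'
}

auth_plain_decode() {
    # $1 = token as it appears on the AUTH PLAIN line; NUL shown as ':'
    # so the three fields are visible in a terminal
    printf '%s' "$1" | base64 -d | tr '\000' ':'
}

auth_login_fields() {
    # AUTH LOGIN sends username and password as two separate base64 strings,
    # one per server prompt; print them on two lines, in that order
    printf '%s' "$1" | base64 | tr -d '\n'; echo
    printf '%s' "$2" | base64 | tr -d '\n'; echo
}

# Usage with the post's example credentials:
auth_plain_token jimmy real-secret; echo
# -> amltbXkAamltbXkAcmVhbC1zZWNyZXQ=   (matches the post's perl output)
auth_plain_decode amltbXkAamltbXkAcmVhbC1zZWNyZXQ=; echo
# -> jimmy:jimmy:real-secret
auth_login_fields jimmy real-secret
```

Decoding the token before pasting it into a session is a cheap way to catch the classic mistakes (a stray newline inside the string, swapped fields, or a shell that expanded the password); it also shows why base64 on port 25 is no protection at all.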