Networking – Page 15

Postfix with IPv6

September 3, 2010 by Igor Drobot Leave a Comment

In this how to I describe the basically configuration and administration of Postfix on Debian Lenny.
Current I’m using Postfix version 2.5.5
This tutorial should working with older and newer versions.

1 2	postconf -d \| grep "mail_version =" \| cut -d" " -f 3 2.5.5

You can find the postfix main configuration file under “/etc/postfix”
Let see what wee need to configure a working Internet Mail-Server

1	postfix ~ # vim /etc/postfix/main.cf

My example configuration:

myhostname = ipv6.postfix.idrobot.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = ipv6.postfix.idrobot.net, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtp_bind_address6 = 2a01:4f8:101:265::37
mailbox_command =
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
bounce_template_file = /etc/postfix/bounce.cf

If you want to relay your mails to another mail-server you can use the relayhost option:
Edit main.cf, and add this line:

1	relayhost = ipv6.mx.idrobot.net

Some administration commands:
Show running config:

1	postconf -n

Show the default postfix config instead of running one:

1	postconf -d

Show message content:

1	postcat -q 7FB942082

Delete all mail in queue:

1	postsuper -d ALL

Schedule immediate delivery:

1	postqueue -i 7FB942082

Flush the queue:

1	postqueue -f

Nokia N900 IPv6 Support

September 3, 2010 by Igor Drobot Leave a Comment

1. Launch the X-Terminal application
2. Type in the command: “sudo gainroot”
3. Type in “apt-get install kernel-power-flasher” to launch the request to install the IPv6-enabled kernel available at Extras-Testing repository
4. Accept ll confirmations
5. After finishing the download, the new kernel will be flashed automatically to your N900 device. Now turn of the device and then turn on the device to reboot.

Now you are able to use ipv6 module

To add very simple ipv6 address install “IPROUTE” to use “ip” command.

1	ip -6 a a 2001:470:1f0b:1514::100/64 dev wlan0

Hurricane-Electric IPv6 certification

August 16, 2010 by Igor Drobot 1 Comment

I think you have heard already of IPv4 address depletion. A new version of Internet addressing (New Internet protocol) system was prepared many years ago. But since everyone was using IPv4 address, the migration has not been implemented in a large scale. If we continue to use IPv4 address as on today, the entire range would be used up in less than one years. (Hurricane-Electric has a very nice counter.) Public IPv4 addresses are mainly used by Internet servers. Other PCs or Servers can use private IPv4 address which are not reachable from Internet. Although many methods like NAT (Network Address Translation) and CIDR (Classless Inter Domain Routing) were implemented to stretch the IPv4 address usage, it seems that it is reaching a level of saturation now.

It is sure that everyone must migrate to IPv6 address within a couple of months/ years. Some Internet registries are not so liberal in assigning free IPv4 address now. If you want to learn about IPv6 and make sure that you have skills to administer IPv6 address and servers, Hurricane Electric free IPv6 certification is a really great way to begin. You can register for this certification at: he.net. I will give you a brief overview of the tests in the following section.

Through this test set you will be able to:

-> Prove that you have IPv6 connectivity
-> Prove that you have a working IPv6 web server
-> Prove that you have a working IPv6 email address
-> Prove that you have working forward IPv6 DNS
-> Prove that you have working reverse IPv6 DNS for your mail server
-> Prove that you have name servers can respond to queries via IPv6
-> Prove your knowledge of IPv6 technologies through quick and easy testing

There are seven levels of certification available. The breakdown of each are given below:

Newb: Read the primer stuff, be able to answer some quick and easy questions.

Explorer: Verify that you can access ipv6.he.net over IPv6

Enthusiast: Verify that you have an IPv6 capable web server that we can connect to and fetch information from. This should be entered as a FQDN and not an IPv6 address, or you will have issues once you start working on the Guru level.

Administrator: Verify that you have a working IPv6 capable MTA by sending you an email only over IPv6.

Professional: Verify that your MTA has working reverse DNS (ex: dig mx $domain +short ; dig AAAA $mx +short ; dig -x $mx AAAA +short)

Guru: Verify that the authoritative NS for your domain have AAAA records, and respond to queries for the domain (ex: step 1 is dig ns $domain ; dig AAAA $ns | step 2 is dig AAAAA $domain @$nsAAAA)

Sage: Check to see if your domain’s authoritative NS have IPv6 glue with their listed TLD servers. Meaning the TLD server can directly answer for the host record (ex: dig +trace ns $domain to get the TLD server list then dig aaaa $ns @TLD +short for the glue).

After each test you will get a new certificate:

IPv6 Commands

August 14, 2010 by Igor Drobot 1 Comment

Some IPv6 commands for daily use

Print the route packets trace to IPv6 network host.

1	traceroute6 ipv6.idrobot.net

Lookup AAAA record.

1	dig AAAA ipv6.idrobot.net

IPv6 DIG PTR reccord.

1	dig -x 2001:470:1f0b:1604::254

Check redirector.name glue records by dig command.
As it is a .name domain first we should check root servers for .net by the following command:

1	dig NS name

You will get 10 root servers:

;; ANSWER SECTION:
name.                   10800   IN      NS      m6.nstld.com.
name.                   10800   IN      NS      d6.nstld.com.
name.                   10800   IN      NS      k6.nstld.com.
name.                   10800   IN      NS      f6.nstld.com.
name.                   10800   IN      NS      h6.nstld.com.
name.                   10800   IN      NS      g6.nstld.com.
name.                   10800   IN      NS      a6.nstld.com.
name.                   10800   IN      NS      j6.nstld.com.
name.                   10800   IN      NS      l6.nstld.com.
name.                   10800   IN      NS      c6.nstld.com.

You can choose any root server for next query , I will take g6.nstld.com

1	dig ns1.redirector.name @g6.nstld.com

As output I get:

;; ADDITIONAL SECTION:
ns1.redirector.name.    10800   IN      A       188.40.116.206
ns1.redirector.name.    10800   IN      AAAA    2001:470:1f0b:1604::3
ns2.redirector.name.    10800   IN      A       188.40.116.216

Exim Courier and SSL

August 8, 2010 by Igor Drobot Leave a Comment

Here I will be setting up SSL cert with Exim4 and Courier-MAP under Debian 5 or Lenny to secure the sending and retrieval of emails and username and password details to my server.
In this how to I’m using a free 30 days certificate from psw[dot]net.

Create you own SSL config in: “/etc/exim4/conf.d/main/ss_certificate” and put it in:

MAIN_TLS_ENABLE = true
tls_certificate = /etc/exim4/mx.domain.com.cert
tls_privatekey = /etc/exim4/mx.domain.com.key
tls_on_connect_ports = 465

Don’t forget to change the group of your certificate to: Debian-exim

1	chown root:Debian-exim /etc/exim4/mx.idrobot.net*

Exim standard config “/etc/exim4/conf.d/main/03_exim4-config_tlsoptions” has already some TLS options like:
tls_certificate and tls_privatekey. decomment it. Because we use our own config for it, see above.

Now we make exim listen on port 465, edit the following config:

1	vim /etc/default/exim4

Replace the standard:

1
2
3

#SMTPLISTENEROPTIONS=''
# to
SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'

After restart Eeim will be able to listen on port 25 and 465, and we are able to send mails over SSL ; PS. don’t forget your firewall ;)

1	iptables -A INPUT -i eth0 -p tcp --dport 465 -j ACCEPT

The next step is secure receive of mails with Courier IMAP-SSL Deamon

Now as second step to complete SSL-configuration open your imapd-ssl config

1	vim /etc/courier/imapd-ssl

and search for TLS_CERTFILE

1	TLS_CERTFILE=/etc/courier/mx.domain.com.pem

This mx.domain.com.pem certificate contains certificate and rsa private key:

1	cat mx.domain.com.crt mx.domain.com.key >> mx.domain.com.pem

1	/etc/init.d/courier-imap-ssl restart

Test your certificate by connecting to SSL-Port:

1	openssl s_client -connect localhost:993 -state -debug