Return to Sender

I have spent the past week or so -and not an inconsiderable amount of coin- trying to build a CentOS7 server that uses Postfix, Dovecot, Spamassassin, Amavis and Roundcube so that I can finally ditch the ever-more-privacy-intrusive mail services from the likes of Gmail and Outlook. It is a madness that comes over me once every year or so. The enormous, steaming pile of disparate software pieces that have to be bolted together just-so to get anything working at all has never really put me off trying… but my previous efforts, though functional, haven’t really been fully functional and never took security too seriously.

This time I got really close to doing it properly. Everything worked fine after just the seventh installation-from-scratch attempt, and six nice how-to articles ready to publish. 95% of the work had been sorted out on the first pass, I have to say -but the missing 5% was the very devil to get right. It was all to do with delivering Spam (because no spam detection algorithm is perfect), but into a junk mail folder rather than the main inbox. The tool to do that is called ‘dovecot-pigeonhole’ and the protocol involved is called ‘sieve’… and configuring sieve and dovecot in a way that actually works is a nightmare. But I did it. It worked. Spam moved all by itself to a place where I could save it if I wanted to or delete it if I didn’t.

And then I logged on with the wrong password… and Roundcube (the webmail interface) let me in regardless!

WTF?!

Turns out that by design and default, MySQL (and thus Dovecot and thus Roundcube) uses ‘CRYPT’ as its password encryption technology, which is based on DES, and (here’s the punchline) only uses the first 8 characters of your supplied password. So yes, I had mis-typed the 23rd character of my 26-character long password (it happens!)… but Roundcube had let me in anyway because the first 8 characters had been typed in an impeccably accurate manner.

Several things to say about this. The first one is that it’s bloody annoying! Second, it’s bloody stupid. And third, after an hour reading about how you can configure things to do SHA512-CRYPT (which doesn’t chop your passwords in thirds without telling you), I spent 45 minutes trying to implement it without success before giving up in utter frustration.
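The practical follow-up to the two paragraphs above is to find out which accounts are actually sitting on the truncating scheme before switching anything. Roundcube authenticates over IMAP against Dovecot, so the scheme Dovecot uses to verify the stored hash is what decides whether a mistyped 23rd character gets noticed. The audit script below is an added example written for this post; it is not code from the original, nor from Dovecot, Roundcube or MySQL. It assumes the Dovecot convention of a `{SCHEME}` prefix on each stored hash (which is what `doveadm pw` emits); an unprefixed value is classified from its modular-crypt `$id$` marker, and a bare 13-character string is treated as traditional DES crypt(3), which only ever looks at the first 8 characters of the password. The sample rows are constructed and are not real hashes.

```python
"""Audit stored mail-account passwords for schemes that silently truncate.

Added example for this post, not code from the original or from Dovecot,
Roundcube or MySQL. Assumes the Dovecot '{SCHEME}' prefix convention on
stored hashes; unprefixed values are classified from the '$id$' marker,
and a bare 13-character string is taken to be traditional DES crypt(3).
All sample rows below are constructed, not real hashes.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Longest password prefix each scheme actually verifies (None: no practical limit).
SCHEME_LIMITS = {
    "DES-CRYPT": 8,        # crypt(3) with a 2-character salt: first 8 chars only
    "MD5-CRYPT": None,
    "SHA256-CRYPT": None,
    "SHA512-CRYPT": None,
    "BLF-CRYPT": 72,       # bcrypt hashes at most 72 bytes
    "PLAIN": None,
}

_PREFIX = re.compile(r"^\{([A-Za-z0-9.\-]+)\}(.*)$", re.S)
_DES13 = re.compile(r"^[./0-9A-Za-z]{13}$")
_MODULAR = {
    "$1$": "MD5-CRYPT", "$5$": "SHA256-CRYPT", "$6$": "SHA512-CRYPT",
    "$2a$": "BLF-CRYPT", "$2b$": "BLF-CRYPT", "$2y$": "BLF-CRYPT",
}


def classify_hash(stored: str) -> str:
    """Name the password scheme behind one stored value, or 'UNKNOWN'."""
    body = stored
    m = _PREFIX.match(stored)
    if m:
        scheme, body = m.group(1).upper(), m.group(2)
        # Dovecot's {CRYPT} covers every crypt(3) variant; the body tells which.
        if scheme != "CRYPT":
            return scheme
    for marker, name in _MODULAR.items():
        if body.startswith(marker):
            return name
    if _DES13.match(body):
        return "DES-CRYPT"
    return "UNKNOWN"


@dataclass
class Finding:
    user: str
    scheme: str
    limit: Optional[int]   # characters actually verified, None if unlimited
    truncates: bool        # True when limit is shorter than the policy minimum


def audit(rows: Iterable[Tuple[str, str]], min_len: int = 12) -> List[Finding]:
    """Flag every account whose scheme verifies fewer than min_len characters.

    A scheme the classifier cannot name is reported as UNKNOWN with
    truncates=False, so it shows up for manual review rather than vanishing.
    """
    findings = []
    for user, stored in rows:
        scheme = classify_hash(stored)
        limit = SCHEME_LIMITS.get(scheme)
        findings.append(Finding(user, scheme, limit,
                                limit is not None and limit < min_len))
    return findings


# Constructed sample rows in the shape of a users-table dump: (user, password).
SAMPLE_ROWS = [
    ("alice@example.org", "{CRYPT}ab3Wn3ZTkSoLk"),                           # DES crypt, 13 chars
    ("bob@example.org",   "{SHA512-CRYPT}$6$rounds=5000$saltsalt$notarealhash"),
    ("carol@example.org", "$1$saltsalt$notarealhash"),                        # unprefixed MD5-crypt
    ("dave@example.org",  "{BLF-CRYPT}$2y$10$notarealhashnotarealhash"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ROWS):
        flag = "TRUNCATES" if f.truncates else "ok"
        print(f"{f.user:22} {f.scheme:14} limit={f.limit}  {flag}")
```

Point it at the output of a `SELECT user, password FROM ...` dump and every account flagged TRUNCATES needs a new password: there is no way to turn a DES hash into a SHA512-CRYPT one without the plaintext. New hashes come from `doveadm pw -s SHA512-CRYPT`, and setting `default_pass_scheme = SHA512-CRYPT` in dovecot-sql.conf.ext makes Dovecot treat any unprefixed rows the same way.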

I am now using outlook.com again!

Of the 98 hurdles between me and a working, secure, web-accessible, flexible, virus-blocking, spam-delivering email server, I had managed to leap, more or less gracefully, 97 of them. But truncating passwords is too much like plain stupidity, and the effort involved in limping over the 98th just too much bother.

I wonder if there is a non-postfix, non-dovecot means of doing a mail server… I have a spare server in Paris to make use of, after all…

CentOS 6.6

CentOS released the 6th update to their version 6 distro at the end of October, just two weeks on from Red Hat’s original release. Clearly, the new(ish) relationship between Red Hat and CentOS is paying dividends.

The usual round of framework and documentation updates now follows at chez Dizwell, of course. Wouldn’t want my Churchill articles to suggest that 6.5 is the latest version it works on, for example!

CentOS 7 arrives…

CentOS 7 has been released and is available for download from the usual places. I’ll be adapting (or trying to!) Salisbury and Asquith to work with it over the next few days and you can expect updates to those frameworks as I do.

I go for my cataract removal operation next Monday, however, so although I will be at home for a couple of days afterwards (and thus have plenty of time to do the deed), I might still be bumping into things and thus not at my most efficient. Asquith/Salisbury v.2 when I can, therefore, but no promises.

Linode, CentOS 6.x and Postfix, Dovecot

I have been busy playing with my new Linode virtual private server, and it’s been great fun! It’s also already managed to show me how much I don’t know :-)

Specifically, I wanted my new server to be able to act as an Email server. That means running Postfix and Dovecot on top of CentOS …which isn’t exactly difficult if you know what you’re doing, but can be tricky if you, like me, are a novice. There are lots of guides around the Internet: lots of them do Postfix and Dovecot on Debian or Ubuntu, which isn’t exactly right for CentOS users. Some of them actually use CentOS… but mostly version 5.x, which isn’t right for us 6.x users. Then, too, a lot of people seem to use MySQL as a repository of which email users exist and what passwords they have… which looked like overkill to me. So those configurations aren’t right either.

If you piece bits of all of them together, though, and throw in a splash of original guesswork, you might end up with something like my new ‘Setting up your own CentOS 6.x Email Server using Postfix and Dovecot, but without using MySQL’ article.

CentOS 6.4

Well done to the CentOS team who have, again, managed to build their new release (6.4) from Red Hat sources just two weeks or so after Red Hat published their new code. (RH6.4 was released February 21st; CentOS 6.4 was released last Saturday, 9th March. Impressive -and they beat Scientific Linux to the punch once more. Oracle Enterprise Linux 6.4 was out a week earlier still, of course, but I kind of expect Oracle Corporation to do that: they have significant resources to bring to bear on it, after all).

The release itself doesn’t have anything you might call significant in it, as the bump of merely the minor version number more-or-less tells you in advance.

Oracle 11.2.0.1 and 11.2.0.3 run on it fine, and a Kickstart file that does duty for auto-configuring a 6.3 server performs flawlessly for a 6.4 server, too.

CentOS 6.3 has been available on the mirrors for around a week -which means the CentOS devs have managed to push out two point releases of their re-compiled RHEL6.x just weeks after Red Hat themselves released the ‘real deal’ upstream. Given it took them something like nine months to replicate RHEL6.0 and many months to achieve a 6.1, their good form on the 6.2 and 6.3 tracks looks reassuring.

So much so that I’ve re-installed it as my primary desktop (though only as a dual boot with Windows, given that I’m forced to use Windows at work).

There is absolutely nothing about RHEL6.3/CentOS6.3 which is particularly exciting from my point of view. The big plusses are that it ships with LibreOffice by default, not OpenOffice; Firefox 10.x, not ye ancient 3.6; and Oracle 11.2 installs on it perfectly (a Gladstone update will follow shortly).

The big thumbs-downers are: Stellarium still doesn’t work properly on my rig when installed via yum: you still have to go the self-compile route. Twin monitors work by default, but the in-built config tool doesn’t let you choose which one is the main monitor (I like mine to be the right-hand one, which isn’t allowed). To get that sort of control, you still have to download NVidia’s proprietary drivers. And, perhaps more surprisingly, I couldn’t get Rhythmbox to play my FLAC files by default (the Movie Player application did, but not the default audio application… go figure!).

Other than those little niggles (all of which can be worked around), it’s a nice, stable, slightly boring, Gnome 2 (Thank God!) desktop that I like a lot.

Alas, poor Romulus

As time races towards the point where the last bits of my Sydney server room are moved to Seattle, this was one of the more poignant moments: the point where I shut down my OID (Oracle Internet Directory) server, which has been doing faithful names resolution duties for quite a while:

The load averages are nothing to write home about, but that box has been running uninterrupted for 2 years and 17 days. Until now.

Oh -and look. It is possible to use CentOS (4.x) in a production environment!

Network Configuration in minimal Linux installs

By default, the new Centos 6.0 distro performs a “minimal” install, as I mentioned last time. This is good because you end up with a very small footprint O/S (no Gnome, for example), leaving the server more resources to run the things you actually use servers for (like Oracle).

The downside, however, is that Red Hat Enterprise Linux 6 (and therefore all its clones, so this applies to Scientific Linux 6 too) defaults to managing your network connections with NetworkManager, which isn’t actually installed as part of a minimal install, and the ifcfg-eth0 file it does install is set to ONBOOT=no. The net result (no pun intended) is that your network doesn’t work when you first boot into your new, slimline O/S.

The fix is to run the command system-config-network-tui, which allows you to specify a fixed IP address manually. In Centos 6, however, even this tool is not installed as part of a minimal install (I guess they took the word ‘minimal’ literally), so you’ll end up having to edit by hand the /etc/sysconfig/network-scripts/ifcfg-eth0 file.

You’ll need to end up with something looking like this:

DEVICE=eth0
# the minimal install ships this as ONBOOT=no, so the interface never comes up
ONBOOT=yes
IPADDR=192.168.0.33
BOOTPROTO=none
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
DNS1=192.168.0.1
DNS2=192.168.0.2
USERCTL=yes

Obviously, you replace those specific IP addresses with whatever suits your local environment, and make sure the file also contains ONBOOT=yes: the minimal install ships ifcfg-eth0 with ONBOOT=no, which is why the interface never comes up. The USERCTL=yes line is optional: it lets non-root users bring the interface up and down, which is not something a server should permit, so leave it out (or set USERCTL=no) unless you have a specific reason. Once the file has the appropriate entries, either a reboot or a service network restart will make the new settings take effect.

In Scientific Linux 6, the system-config-network-tui tool exists, so you could use that… or you can achieve all these edits with the nano text editor. The Centos 6 minimal install is less forgiving, however, and you’ll have to use vi (because nano is not installed as part of its minimal install option).
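Since the whole procedure boils down to getting half a dozen lines exactly right in a file you are editing with vi, here is an added example (written for this post, not code from the original) that renders the file from parameters and checks the addressing is self-consistent before anything is written: the host address must not be the network or broadcast address, the gateway must sit inside the subnet, and the DNS entries must parse. It emits the keys shown above plus DEVICE=, ONBOOT=yes (the minimal install ships eth0 with ONBOOT=no) and NM_CONTROLLED=no, since NetworkManager is absent. The device name, addresses and output path are parameters; the values in the `__main__` block are constructed to match the post’s example and the file goes to a temporary directory, not /etc.

```python
"""Render and sanity-check a CentOS 6 ifcfg-ethX file for a static address.

Added example for this post, not code from the original. Assumes the
post's key set plus DEVICE=, ONBOOT=yes and NM_CONTROLLED=no; sample
values are constructed and the file is written to a temp directory.
"""
import ipaddress
from pathlib import Path
from typing import List, Sequence


def check_addressing(ip: str, netmask: str, gateway: str, dns: Sequence[str]) -> List[str]:
    """Return a list of problems with the static configuration (empty if sane)."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as e:
        return [f"bad address: {e}"]
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gateway} is not inside {net}")
    elif gw == iface.ip:
        problems.append("gateway must not be the host's own address")
    for server in dns:
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"bad DNS server address: {server}")
    return problems


def build_ifcfg(device: str, ip: str, netmask: str, gateway: str,
                dns: Sequence[str], user_control: bool = False) -> str:
    """Return the ifcfg file body; raise ValueError if the addressing is inconsistent."""
    problems = check_addressing(ip, netmask, gateway, dns)
    if problems:
        raise ValueError("; ".join(problems))
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    lines = [
        f"DEVICE={device}",
        "ONBOOT=yes",            # bring the interface up at boot (minimal install default: no)
        "NM_CONTROLLED=no",      # NetworkManager is not installed on a minimal install
        "BOOTPROTO=none",        # static addressing, no DHCP
        f"IPADDR={iface.ip}",
        f"NETMASK={iface.network.netmask}",
        f"GATEWAY={gateway}",
    ]
    lines += [f"DNS{i}={server}" for i, server in enumerate(dns, start=1)]
    # USERCTL=yes lets unprivileged users bring the link up and down; a server
    # has no business allowing that, so it defaults to no here.
    lines.append(f"USERCTL={'yes' if user_control else 'no'}")
    return "\n".join(lines) + "\n"


def write_ifcfg(path: str, **kwargs) -> Path:
    """Write the rendered file and return its path."""
    target = Path(path)
    target.write_text(build_ifcfg(**kwargs))
    return target


if __name__ == "__main__":
    import tempfile
    # Stand-in for /etc/sysconfig/network-scripts/ifcfg-eth0 (constructed values).
    out = Path(tempfile.mkdtemp()) / "ifcfg-eth0"
    write_ifcfg(str(out), device="eth0", ip="192.168.0.33", netmask="255.255.255.0",
                gateway="192.168.0.1", dns=["192.168.0.1", "192.168.0.2"])
    print(out.read_text())
```

Run it once against a temporary path, diff the output against what is already in /etc/sysconfig/network-scripts/ifcfg-eth0 (the minimal install’s copy also carries an HWADDR= line, which you can keep), and only then copy it into place and restart the network service.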

CentOS 6… finally

The first question about when CentOS 6 would be released, contained in this thread on the CentOS forums, was asked on December 2nd 2010. 42 pages and 8½ months later, there is finally an answer: it’s out now.

Of course, Red Hat themselves (and Oracle’s Enterprise Linux equivalent) have moved on in the meantime to version 6.1 -and Scientific Linux already have a matching 6.1 beta out, as I’ve mentioned before. Still, better late than never, I guess.

Personally, I think the CentOS devs have blown this, badly -and the tone of their commentary on the forums has been sniffy, at best: not exactly calculated to win friends and influence people, anyway. There have been ‘defections’ in droves to Scientific (count me amongst them), and I don’t see that being reversed any time soon.

There’s not a lot to say about the OS itself, of course (especially since we’ve been using its Scientific binary equivalents for months!), but I have to say I really dislike the fact that it defaults to doing a “minimal” install (not even a “minimal desktop”). It means you get this once the install has finished:

I realise you could argue this is actually a good thing: very Ubuntu Server-like, svelte and exactly what an enterprise-class Server ought to be doing. None of your fancy GUI stuff required etc. I’d certainly vote for (and my kickstart efforts have tried to create) a very much slimmed-down installation. Oracle users will, however, know that an X Server is pretty much a requirement (yup, I know it doesn’t have to be running on the actual Oracle server, but it’s simpler when it does), short of getting into response files and silent installs, so starting off this svelte is a bit of a problem!

Scientific Linux 6.0, by the way, defaults to a standard Desktop install -and, at this stage, I think that’s an easier way to go than CentOS’ choice. It’s also mildly interesting to note that Scientific Linux doesn’t have a “minimal install” option: they call it a “basic server” install instead. What’s more, that installs 514 packages, which is way more than the Centos 6 basic install does. Why supposedly binary-compatible distros vary like this, I can’t say, but I wish they wouldn’t!

There are other niggles with CentOS, too. The GUI installer has not had the Red Hat trademarks cleaned particularly well. Here’s what you see in Centos:

Notice the weird blank, blue bar stretching across the top of the screen? Compare that to Scientific’s installer:

They got the ‘de-branding’ right, CentOS didn’t… which seems a bit slack. I know it’s not a particularly important thing, but I suspect that when the little details like this are wrong, there are ‘polishing’ problems elsewhere. I could, of course, be wrong (probably).

Anyway, it’s things like this, together with the mammoth amount of time taken for the distro to get even this far, which mean I’m deeply suspicious of the quality of this particular release. (Yeah, I know I don’t pay for it, but my expectations are rational, if not reasonable).

Your mileage might vary, of course. And in the meantime, Gladstone has been updated to work on Centos 6.0.

Good News/Bad News

Good News: Scientific Linux 6.1 is out in (very stable) Beta. I get mine from mirror.aarnet.com.au.

Bad News: CentOS 6.0 **still** hasn’t been released.

Good News: Scientific Linux 6.1 has a network install boot ISO (as SL 6.0 did, but SL 5.6 didn’t)

Bad News: the Scientific Linux network install boot ISO is over 200MB in size -so you almost might as well install from the original CDs or DVDs! By way of comparison, the CentOS 5.6 netinstall boot ISO was only 10MB in size. Maybe not so important when $4 USB drives come in 2GB sizes and up, but annoying nonetheless. I notice Fedora 15’s net install ISO is similarly huge… progress, I guess!

Even Badder News: you can’t use the Centos 5.6 netinstall boot ISO to kick off a Scientific Linux 6.1 install. (At least, I’ve not managed it yet!)

Good News: Gladstone has been updated to work with the 6.1 version of Scientific Linux.