Firewall in Sarge

2004-10-14 Thread Adi Linden
In Debian/Sarge, where is the appropriate place for some iptables rules to
deny access to some local ports?

Adi


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Firewall in Sarge

2004-10-14 Thread Adi Linden
> On my system I put a firewall script in /etc/init.d and have it loaded on startup.
> But this is on a LAN.  You may want to do things differently for dial-up.

It's on a LAN. Sounds like everyone just rolls their own then, no standard
place to stick iptables rules.

Adi





cyrus-imap on Sarge

2004-10-15 Thread Adi Linden
I am trying to build cyrus-imap from sources on Sarge. For some reason the
./configure script complains that -ldb-4.2 does not contain a db_create
function. Why would that be? /usr/lib/libdb-4.2.so certainly exists.

If I build db-4.2 from source and use this to build cyrus-imap all is
well. At least cyrus-imap builds. But it does cause problems with other
Debian packages.

Adi





Re: cyrus-imap on Sarge

2004-10-15 Thread Adi Linden
> You probably need the libdb4.2-dev package installed.

Yes, that is installed.

Adi






Woody or Sarge

2004-10-04 Thread Adi Linden
I need to build some servers that are hopefully going to be in service for
a long time. Most distributions I have been looking at have short support
cycles, where in the very near future a significant upgrade/rebuild is
required rather than just security fixes. Another solution would be to go
with a commercial Enterprise Linux (RedHat or Suse) offering. However, the
annual cost of those is prohibitive in some circumstances.

The stable Debian releases appear to be around for a very long time, which
is exactly what I am looking for. But my question now is with Sarge on the
horizon, how long can I expect to see security fixes for Woody? One year,
two years, five years? What about Sarge?

Adi





Headless Installation

2004-10-04 Thread Adi Linden
Is it possible to install a Debian system headless (no keyboard or monitor 
attached at any time)? A couple of possibilities come to mind. 

  A 'kickstart' like install where a single CD installs a base system
  with all parameters such as partitioning, network, etc pre-defined.

  A boot image which is accessible via ssh or VNC over the network (I
  think Suse offers something like this).

I've googled for Debian specific solutions but haven't found anything. I 
have done the 'kickstart' way using RedHat before.

Adi






Re: Headless Installation

2004-10-04 Thread Adi Linden
> You -could- (I stress could here) use 'fai', but I suspect that you'd
> consider that overkill on your part. Indeed, I'd agree. What you'd really
> want to do is use 'debootstrap' on the headless server. There's plenty of
> documentation on how to do this.

To use 'debootstrap' I already need a working Unix/Linux system (reading 
). I am 
looking for something more along the line of a regular installation CD 
that is non-interactive but installs a bare Debian system automatically.

Adi





Re: Woody or Sarge

2004-10-04 Thread Adi Linden
> If you're satisfied with the existing feature set, are new features
> really anywhere near as important as security fixes?  Particularly
> when it comes to production servers?

New features aren't important at all. It is all about maintaining the 
current state of a server while keeping it secure on a hostile network. 
And with the least amount of effort, where security updates do not break 
anything...

> No kidding.  There's one person on the Portland Linux User's Group
> mailing list saying he's just had his up-to-date Red Hat server
> compromised as many times as the Windows server it's replacing.  That
> just has to be exasperating for him!

RedHat has been a frustrating experience. I put a lot of effort into 
building a few rpms for RedHat 7.1 that met some very specific needs. Also 
created a kickstart CD that loaded 'my' version of RedHat 7.1 onto 
headless servers without user intervention. When the CD popped out the box 
was accessible via ssh on the local network. So RedHat pumped out a bunch 
of releases in fairly quick succession. RedHat 8 was never fit for 
production use, IMHO. When RedHat 9 was released I was still deploying new 
servers using RedHat 7.2. Then updates for anything but RedHat Enterprise 
Linux quickly vanished. My BIG issue is the short lived support in terms 
of security updates. Having to reinstall a server after 18 months is 
totally unacceptable. 

> Not long after the next Stable happens, because it's not hard to
> upgrade in Debian.  18 months seems about average, IIRC.

This means that for longest possible support I should be looking at 
deploying Sarge, not Woody. How timely are security issues addressed in 
Sarge?

Adi





How to install MTA from source without breaking apt-get dependencies

2004-10-19 Thread Adi Linden
I am trying to get the postfix MTA to work with cyrus-imap on
Debian/Sarge. I think I may have to build postfix from source rather than
use the Debian package. However, if I try to remove the postfix Debian
package it also removes other things that I don't want to touch, such as
mysql-server. How can I tell apt-get that I have an MTA installed even
though there is no package for it?

Adi





Postfix lmtp seg fault

2004-10-19 Thread Adi Linden
I cannot get postfix to deliver mail via lmtp to cyrus-imap. Here are the
relevant configuration chunks I added:

cyrus.conf:
lmtpcyr   cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=1

master.cf:
lmtpcyr   unix  -   -   n   -   -   lmtp

main.cf:
mailbox_transport = lmtpcyr:unix:/var/run/cyrus/socket/lmtp

Both cyrus-imap and postfix have access to /var/run/cyrus/socket/lmtp. No
problem there.

In the end I turned on debugging for lmtp in master.cf and added a debug
command with gdb in main.cf. This is (a small part) of what I get:

-- snip --
Loaded symbols for /lib/libnss_files.so.2
0x40214718 in waitpid () from /lib/libc.so.6
(gdb) Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x4005c121 in match_hostaddr () from /usr/lib/libpostfix-util.so.1
(gdb) #0  0x4005c121 in match_hostaddr () from /usr/lib/libpostfix-util.so.1
#1  0x4005b78e in match_list_match () from /usr/lib/libpostfix-util.so.1
#2  0x4002c886 in debug_peer_check () from /usr/lib/libpostfix-global.so.1
#3  0x0804c7bf in ?? ()
#4  0x0805a515 in ?? ()
-- snip --

I have no clue as to what is happening. I guess compiling from source is
one option if I figure out how to convince apt-get to play nice without
MTA package...

Adi





Re: How to install MTA from source without breaking apt-get dependencies

2004-10-19 Thread Adi Linden
> I don't think you need to build postfix from source to use cyrus-imap
> (i suspect you need to look carefully at the sasl authentication), but
> if you insist, i suggest to use the debian sources and build a debian
> package. Anyway, to do what you ask, i think you need to look at the
> "equivs" package...

I posted a separate message with the details of my postfix troubles. I
have a workaround solution of using the cyrus deliver program. I
understand that all it does is accept piped input and talk to cyrus-imap
via lmtp.

I will work through the "equivs" package and go from there. I still 'don't
get' how Debian packages are built. I will have to look at that some time.

Thanks,
Adi





Creating new inbox Courier-IMAP

2004-10-21 Thread Adi Linden
I am evaluating courier-imap and maildir for a mail server. When the first
email is delivered to a local mail account, is the maildir structure
automatically created by postfix, maildrop, procmail, etc...?

Adi





Debian on Dell PowerEdge 750

2004-10-24 Thread Adi Linden
I am looking for some feedback on the Dell PowerEdge 750. These are some
pretty reasonably priced 1U servers, IMHO. I have used PE350 and PE650
with great success and 0% failure rates.

The basic Dell PowerEdge 750 comes with SATA (serial ATA) drive and no CD
or floppy. I am thinking about deploying a cluster of Dell PowerEdge 750
and using a USB CD-ROM to load software.

Has anyone any experience to share, using USB CD-ROM, using serial ATA or
anything specific to the Dell PowerEdge 750 and Debian Linux?

Thanks,
Adi

