Brandon's Blog » Gentoo

Gentoo ebuild for qmail with JMS1 combined patch

Brandon — Thu, 16 Apr 2009 05:07:00 +0000

In a previous post, I introduced a patch to add DKIM and DomainKeys support to Qmail with John Simpson’s combined patch. In this post I’ll introduce the ebuild I wrote (well, modified) to allow easily installing qmail-jms1 on a Gentoo system.

Though this ebuild makes installing qmail with John’s patch a little easier, it doesn’t make administering a qmail system child’s play. Before merging this ebuild, you should read through John’s website. You may also want to read about netqmail on Gentoo. While this ebuild has nothing to do with netqmail, it does borrow some the conventions presented in the Gentoo doc concerning starting, stopping and controlling qmail.

I didn’t include any of John’s run scripts or configuration files. Only the combined patch is applied to the base qmail image. I’ve also included some additional patches I’ve found useful. They are described in more detail on my qmail patches page. Most of my extra patches are controlled by use flags (dkim, ipv6) and not applied by default.

For the impatient, here is a direct link to the ebuild:
http://svn.bltweb.net/repos/public/gentoo_overlay/mail-mta/qmail-jms1/qmail-jms1-7.08-r1.ebuild

Install my portage overlay

The easiest way to use the qmail-jms1 ebuild is to use my Gentoo Portage Overlay. Please see the overlay page for instructions on how to set it up.

You will need the following ebuilds from my overlay:

virtual/qmail
mail-mta/qmail-jms1
sys-apps/ucspi-tcp
mail-filter/libdkim (only needed if using the dkim use flag)

Install Qmail

Once the overlay is set up, installing qmail-jms1 is easy.

Add the following to your /etc/portage/package.keywords file:

mail-mta/qmail-jms1
sys-apps/ucspi-tcp
mail-filter/libdkim
# You may also need these:
net-mail/dot-forward
sys-process/daemontools
sys-apps/ucspi-ssl
virtual/checkpassword
net-mail/checkpassword-pam

Now install qmail-jms1:

$ emerge -pv qmail-jms1
$ sudo emerge qmail-jms1

Configure Qmail

Yeah right… There is plenty of documentation elsewhere for this. Try John’s website.

Start Qmail

# ln -s /var/qmail/supervise/qmail-send /service/qmail-send
# ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd
# rc-update add svscan default
# /etc/init.d/svscan start

That’s all I have for now. Installing, configuring and administering qmail should not be taken lightly. This ebuild has made it easier for me to set up and maintain my servers, however you should only consider using it if you are already familiar with setting up a qmail server.

Feel free to leave any comments, suggestions or problems below!

Scan for Conficker with Nmap 4.85 beta5 Gentoo ebuild

Brandon — Tue, 31 Mar 2009 22:31:36 +0000

On Monday Dan Kaminsky, along with the Honeynet Project’s Tillmann Werner and Felix Lede announced they discovered the ability to detect if a machine is infected with the Conficker worm by scanning a network. See Dan’s post for more information. Shortly thereafter, version 4.85BETA5 of the nmap tool was released to allow remote scanning for the Conficker worm.

As April 1st is just a few hours away (I guess it’s already here in some parts of the world), I wanted to scan my network using the latest version of the nmap tool. As Gentoo doesn’t have an ebuild yet, I quickly created one and thought I’d share it.

This file contains everything you need:
Nmap 4.85BETA5 ebuild

Installing Nmap 4.85BETA5

$ cd ~
$ wget http://www.brandonturner.net/blog/wp-content/uploads/2009/03/nmap-485_beta5ebuild.tgz
$ sudo mkdir -p /usr/local/portage
$ cd /usr/local/portage
$ sudo tar -xzf ~/nmap-485_beta5ebuild.tgz
$ echo '=net-analyzer/nmap-4.85_beta5' | sudo tee -a /etc/portage/package.keywords
$ echo 'net-analyzer/nmap lua' | sudo tee -a /etc/portage/package.use
$ emerge -pv nmap
(If emerge doesn’t show that it will emerge nmap-4.85_beta5, ensure you have PORTDIR_OVERLAY="/usr/local/portage" in your /etc/make.conf file)
$ sudo emerge nmap

Scanning for Conficker

insecure.org has some instructions on how to scan for Conficker. Basically, here is what I did to scan a 192.168.1.0/24 network:

$ cd ~
$ nmap -sC --script=smb-check-vulns --script-args=safe=1 -p445 -d -PN -n -T4 --min-hostgroup 256 --min-parallelism 64 192.168.1.0/24 | tee conficker_scan.txt | grep -P 'Host \d|Conficker' | grep -B 1 'Conficker'

This stores the complete output of the nmap command in conficker_scan.txt, but displays a quick-and-dirty summary to stdout. Your milage may vary. Obviously you should edit the network address (in green above) for your network.

You should see something like:

Host 192.168.1.101 appears to be up ... good.
|  Conficker: Likely CLEAN
--
Host 192.168.1.102 appears to be up ... good.
|  Conficker: Likely CLEAN
--
Host 192.168.1.103 appears to be up ... good.
|  Conficker: Likely CLEAN
--
Host 192.168.1.104 appears to be up ... good.
|  Conficker: Likely INFECTED
--

Linux boxes usually return something like Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND.

Installing Gentoo 2008.0 amd64 on a Linode VPS

Brandon — Tue, 10 Feb 2009 05:21:17 +0000

Today I signed up for a Linode VPS. Linode appeared to have great reviews and very reasonable prices. I had originally looked at Host Virtual, primarily because they are planning to offer native ipv6 (something I’ve been wanting to play with) later this month. I ended up with Linode because they have a Dallas datacenter which makes my connections from Austin pretty fast.

One advantage that Host Virtual provided was a more recent Gentoo image. Linode only offers a Gentoo 2007.0 install, which it doesn’t even list as a current distribution. No worries, in this post I describe the steps I took to install a fresh Gentoo 2008.0 amd64 image on my new Linode!

Update: On April 4 2009, Linode released a Gentoo 2008.0 x86_64 image, which somewhat obsoletes this post. I haven’t tried it, but if your looking to try 64-bit Gentoo on a Linode, try that image instead of these instructions.

Before we get started, some of the things I wanted on my system:

x86_64 kernel running natively compiled 64-bit applications
ReiserFS filesystem instead of ext3
Basic LAMP server and no more

Note: Currently, Linode does not provide a 64-bit recovery option, so we’ll have to install a small 64-bit environment to use when setting up our new Gentoo environment. This can be done with only 300MB of disk space so it is best to leave it installed in case your Gentoo environment gets screwed up.

1. Create recovery configuration profile

From the Linode Manager Dashboard, click Deploy a Linux Distribution
Select an Unbuntu 8.10 64-bit (or similar 64-bit OS) with a 300MB disk drive. If you want swap space, you should configure that here.
Click Create Profile
Change the name of the profile to “Recovery Ubuntu 64bit”

2. Create the Gentoo disk image

From the Linode Manager Dashboard, click Create a new Disk Image
Give your disk a label (you can change this later) and size (most likely all the remaining disk space on your Linode)
Pick Unformatted / raw for the filesystem, we’ll format using ReiserFS later
Click Create Disk
Edit your Recovery Unbuntu 64bit profile: set /dev/xvdc to the disk image you just created.
Click Save Profile

3. Boot the recovery profile

From the Linode Manager Dashboard, boot your recovery profile
Log in with your favorite ssh client: root@ and the root password you set up in section 1
Install some tools required in later steps:
root@li # apt-get update
root@li # apt-get install reiserfsprogs wget

4. Set up Gentoo

This section roughly follows the Gentoo Quick Install Guide.

Create the ReiserFS filesystem:
root@li # mkreiserfs /dev/xvdc
Mount the filesystem:
root@li # mkdir -p /mnt/gentoo
root@li # mount /dev/xvdc /mnt/gentoo
root@li # cd /mnt/gentoo
Set up the stage:
root@li # wget http://gentoo.osuosl.org/releases/amd64/2008.0/stages/stage3-amd64-2008.0.tar.bz2
root@li # tar xjpf stage3*
root@li # rm stage3*
Install latest portage snapshot:
root@li # cd /mnt/gentoo/usr
root@li # wget http://gentoo.osuosl.org/snapshots/portage-latest.tar.bz2
root@li # tar xjf portage-lat*
root@li # rm portage-lat*
Chroot into the new Gentoo environment:
root@li # cd /
root@li # mount -t proc proc /mnt/gentoo/proc
root@li # mount -o bind /dev /mnt/gentoo/dev
root@li # cp -L /etc/resolv.conf /mnt/gentoo/etc/
root@li # chroot /mnt/gentoo /bin/bash
li50-172 / # env-update && source /etc/profile
Set your timezone:
li50-172 / # ls /usr/share/zoneinfo
(Using US/Central as an example)
li50-172 / # cp /usr/share/zoneinfo/US/Central /etc/localtime
li50-172 / # nano -w /etc/conf.d/clock
(Change value of TIMEZONE variable, e.g. TIMEZONE=”US/Central”)
li50-172 / # date
Mon Feb 9 14:41:50 CST 2009
Set host and domain name
li50-172 / # cd /etc
li50-172 etc # echo “127.0.0.1 mybox.at.myplace mybox localhost” > hosts
li50-172 etc # sed -i -e ‘s/HOSTNAME.*/HOSTNAME=”mybox”/’ conf.d/hostname
li50-172 etc # hostname mybox
li50-172 etc # hostname -f
mybox.at.myplace

Configure fstab mount points

li50-172 etc # nano -w fstab

Edit the fstab file similar to:

/dev/xvda     /       reiserfs     noatime,notail  0 1
/dev/xvdb     none    swap         sw              0 0

Edit /etc/inittab.
To ensure the lish console works if you ever need it, edit the terminals section of /etc/inittab to look like:

# TERMINALS
c1:12345:respawn:/sbin/agetty 38400 hvc0 linux
#c2:2345:respawn:/sbin/agetty 38400 tty2 linux
#c3:2345:respawn:/sbin/agetty 38400 tty3 linux
#c4:2345:respawn:/sbin/agetty 38400 tty4 linux
#c5:2345:respawn:/sbin/agetty 38400 tty5 linux
#c6:2345:respawn:/sbin/agetty 38400 tty6 linux

Configure networking and SSH:
li50-172 etc # rc-update add net.eth0 default
* net.eth0 added to runlevel default
li50-172 etc # rc-update add sshd default
* sshd added to runlevel default
li50-172 etc # passwd
New UNIX password: type_the_password
Retype new UNIX password: type_the_password_again
passwd: password updated successfully
Install system tools:
li50-172 etc # emerge logrotate syslog-ng vixie-cron reiserfsprogs dhcpcd
li50-172 etc # rc-update add syslog-ng default
* syslog-ng added to runlevel default
li50-172 etc # rc-update add vixie-cron default
* vixie-cron added to runlevel default
Prepare to reboot:
li50-172 etc # exit
root@li # umount /mnt/gentoo/proc /mnt/gentoo/dev/ /mnt/gentoo
root@li # exit

5. Set up Gentoo profile

From the Linode Manager, shutdown the recovery Linode.
Create a new profile by clicking Create a new Configuration Profile
Set the following options:
- Label: Gentoo 2008.0 amd64
- Kernel: a 64-bit kernel, e.g. 2.6.27.4-x86_64-linode3
- Drive: /dev/xvda: The disk image you set up in section 2 (not the small Ubuntu recovery disk)
- Drive: /dev/xvdb: Swap Image

6. Boot Gentoo and finish installation

From the Linode Manager, click the Boot button for your new Gentoo profile
Log in via ssh: root@
(You may have to delete the old ssh key out of your known_hosts file on your local machine)
Add a non-root user, install sudo and disable root logins via SSH:
mybox ~ # useradd -m -G wheel username
mybox ~ # passwd username
New UNIX password: type_the_password
Retype new UNIX password: type_the_password_again
passwd: password updated successfully
mybox ~ # nano -w /etc/ssh/sshd_config
(Add a line: PermitRootLogin: no)
mybox ~ # emerge sudo
mybox ~ # visudo
(Uncomment the line: “%wheel ALL=(ALL) ALL“, around line 24)
mybox ~ # /etc/init.d/sshd restart
Install a simple conservative firewall:
mybox ~ # emerge iptables
mybox ~ # iptables -A INPUT -p tcp -m tcp –dport 22 -j ACCEPT
mybox ~ # iptables -A INPUT -p icmp -m icmp –icmp-type 8 -j ACCEPT
mybox ~ # iptables -A INPUT -i lo -j ACCEPT
mybox ~ # iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
mybox ~ # iptables -P FORWARD DROP
mybox ~ # iptables -P INPUT DROP
mybox ~ # /etc/init.d/iptables save
mybox ~ # /etc/init.d/iptables start
mybox ~ # rc-update add iptables default
* iptables added to runlevel default
Select a Gentoo mirror and update make.conf:
mybox ~ # emerge mirrorselect
mybox ~ # mirrorselect -i -o >> /etc/make.conf
mybox ~ # mirrorselect -i -r -o >> /etc/make.conf
mybox ~ # nano -w /etc/make.conf

Edit the file to include the parts in bold:
```
# Typical Linode has 4 processors, make use of them when compiling
MAKEOPTS="-j5"

CHOST="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -pipe"
CXXFLAGS="${CFLAGS}"
```
At this point you should also run emerge -vpe world and decide what USE variables you want to include in your make.conf file.
Define locales:
mybox ~ # nano -w /etc/locale.gen
(Uncomment the first two en_US lines)
mybox ~ # locale-gen
Update portage and installed packages:
mybox ~ # emerge portage
mybox ~ # emerge -vpuD –newuse world
mybox ~ # emerge -vUD –newuse world
(Go grab some lunch, this is going to take a while.)
mybox ~ # emerge –oneshot libtool
mybox ~ # emerge gentoolkit
mybox ~ # revdep-rebuild

7. Reboot and enjoy

At this point I like to reboot the server to ensure that everything comes back up the way I expect it. This isn’t necessary however.

After reboot my server was using just under a GB of data (990264 bytes) and about 60MB of RAM. The server is now ready to install apache, mysql, etc. I’ll be looking at optimizing my memory usage in a later post.

Note: If you found this helpful and are interesting in signing up for Linode, feel free to use my referral code below. I’m only putting this out there if you’d like to use it – you can easily sign up for a Linode VPS without it!
http://www.linode.com/?r=edff465df97bb1e29468836d3700c79a2d24a17e