24 January 2009

Make some of your log files rotate and compress

logrotate is a very useful and powerful tool.

To have some of your log files rotated and compressed, create a new configuration file in the logrotate "include" directory (usually /etc/logrotate.d) and add the rotate/compress rule:

/var/log/XXX.log {
rotate 3
weekly
compress
size 1M
create 0640 myUser myGroup
}


In this example, the log will go through three weekly rotations before being removed. Rotation can also happen if the size exceeds 1MB.
Rotated files will be compressed.
The new empty file created after rotation will have mode "0640" and myUser:myGroup ownership.

18 January 2009

Replace courier-imap with dovecot for an email server under GNU/Linux

The courier-imap package, and its linked packages, have been replaced by dovecot from Fedora 8 (or earlier).
It is still possible to keep the mailbox part of your full and secured GNU/Linux email server on courier-imap by compiling its source code.

If you want to keep benefiting from up-to-date packages through yum, or if you want a more secure system, you should migrate to dovecot.

To begin, there is a tool for migrating "metadata" from courier-imap to dovecot.

This is how to configure dovecot by editing the /etc/dovecot.conf file, according to the configuration of the full and secured GNU/Linux email server:
- define clearly which protocols you want, to avoid wasting resources and opening potential security holes (see this post for the courier equivalent)
protocols = pop3 pop3s

- define the certificate and the key to use (they can be the same as the SMTP server's)
ssl_cert_file = /etc/postfix/smtpd.cert
ssl_key_file = /etc/postfix/smtpd.key

- define the mail location
mail_location = maildir:/home/vmail/%d/%n

- define the mail UID, GID and the privileged group:
mail_uid = 5000
mail_gid = 5000
mail_privileged_group = vmail

- comment out the imap or pop3 begin/end line according to your needs

- specify the pop3 UIDL format so that it is compatible with the existing courier metadata
pop3_uidl_format = %u-%v

- specify the mechanisms in the auth default section
mechanisms = plain login

- comment out all lines corresponding to auth you do not want (pam, for instance)

- specify the path of ONE specific file (which you will create) used to query the SQL database for password and user information in the same request (an optimization). The order is important: the "userdb prefetch" part must come before the "userdb sql" part
passdb sql {
args = /etc/dovecot-mysql.conf
}
userdb prefetch {
}
userdb sql {
args = /etc/dovecot-mysql.conf
}

- create a file with the SQL queries and connection information (/etc/dovecot-mysql.conf), replacing mail, admin and XXX with your corresponding database name, privileged user login and password (default_pass_scheme is very important and must be defined according to the function used when adding passwords to the database; in this case it corresponds to the ENCRYPT function):
## /etc/dovecot-mysql.conf contents ##
driver = mysql
default_pass_scheme = CRYPT
connect = host=localhost dbname=mail user=admin password=XXX

# Extended query that fetches the password and all user information at the same time.
password_query = SELECT password, '/home/vmail/%d/%n' as userdb_home, 'maildir:/home/vmail/%d/%n' as userdb_mail, 5000 AS userdb_uid, 5000 AS userdb_gid, concat('dirsize:storage=',quota) AS userdb_quota FROM users WHERE email = '%u'

# Used only for deliver (see LDA).
user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, concat('dirsize:storage=',quota) AS quota FROM users WHERE email ='%u'
## /etc/dovecot-mysql.conf contents ##

- (optional) activate debug information in case something goes wrong
mail_debug = yes
auth_debug = yes
auth_debug_passwords = yes

- restart the dovecot service
service dovecot restart

- try to connect to your imap/pop server with your favorite email client while checking the log file (default is /var/log/maillog)

- (optional) disable debug information once it is no longer needed (auth_debug_passwords in particular writes attempted passwords to the log)

Upgrade GNU/Linux Fedora from 8 to 9, then 10 (with yum)

Upgrading GNU/Linux Fedora from 8 to 9, then 10, poses no problem.
It is easier than previous upgrades, and there are fewer kinds of issues.

The principle is globally the same as when upgrading from Fedora core N to Fedora core N+1 (see this post), from Fedora core 6 to Fedora 7 then 8 (see this post), or from Fedora 7 to Fedora 8 (see this post).
In addition, the recommendations of the Fedora project have greatly evolved and now seem complete.

Upgrade from Fedora 8 to Fedora 9:
- do not forget to clean all the yum metadata with yum clean all,
- upgrade the Fedora release:
rpm -Uvh ftp://download.fedora.redhat.com/pub/fedora/linux/updates/9/i386.newkey/fedora-release-*.noarch.rpm
- upgrade your repositories if needed (N.B.: livna has now merged into RPM Fusion)
- remove and reinstall thunderbird to avoid a specific issue.

Upgrade from Fedora 9 to Fedora 10:
- do not forget to clean all the yum metadata with yum clean all,
- upgrade the Fedora release:
rpm -Uvh ftp://download.fedora.redhat.com/pub/fedora/linux/releases/10/Fedora/i386/os/Packages/fedora-release-*.noarch.rpm
- be careful if you have RAID: there is an important issue which may prevent the OS from booting properly

Ensure there are no dependency problems, as explained in this post.

Then, you should carry out a thorough merge of configuration files to get the up-to-date functionality while keeping your own specific configuration (globally the XXX.conf and XXX.conf.rpmnew files).

Have a quick look at installed packages providing services

Sometimes it is useful to have a quick look at installed packages providing services, to check whether unused packages can be cleaned up, or whether services which are not used, and are therefore wasting resources, can be disabled (temporarily or not).

To get information about installed packages providing services (excluding inet and xinet) which are NEVER started (and so may be removed):
for service in $( chkconfig --list | grep "1:" | grep -v ":on" | awk '{print $1}' ); do rpm -qi "$( rpm -qf "/etc/init.d/$service" )"; done | less

Important:
- some packages provide several services, so they can appear several times with this simple command
- before removing such a package, it is important to ensure it is not providing something you need (libraries, tools, various files ...)
- you may need something other than "on" depending on your OS language


To get information about installed packages providing services (excluding inet and xinet) which are started (and so are using resources):
for service in $( chkconfig --list |grep "5:on" |awk '{print $1}' ); do rpm -qi "$( rpm -qf /etc/init.d/$service )"; done |less

Important:
- some packages provide several services, so they can appear several times with this simple command
- you can perform this check for any runlevel by replacing "5" with another one
- you may need something other than "on" depending on your OS language
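
The two checks above, written as reusable filters (an added example, not code from the original post): each runlevel field is compared exactly, so a service such as anacron or crond is never hidden because its name contains "on", and owning packages are listed only once. The function names, the ON_WORD variable and the sample chkconfig output are constructed for illustration.

```shell
#!/bin/sh
# Added example. ON_WORD is a hypothetical knob for localized chkconfig output.

# Constructed sample of `chkconfig --list` output, so the filters run offline.
sample_chkconfig() {
    cat <<'EOF'
anacron         0:off   1:off   2:off   3:off   4:off   5:off   6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
dovecot         0:off   1:off   2:off   3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:on    4:off   5:off   6:off

xinetd based services:
        rsync:          off
EOF
}

# Services that are not "on" in any runlevel (candidates for removal).
never_on() {
    awk -v on="${ON_WORD:-on}" '
        $2 ~ /^0:/ {                      # skip blank and xinetd lines
            started = 0
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[2] == on) started = 1
            }
            if (!started) print $1
        }'
}

# Services that are "on" in the given runlevel (using resources).
on_in_runlevel() {
    awk -v lvl="$1" -v on="${ON_WORD:-on}" '
        $2 ~ /^0:/ {
            for (i = 2; i <= NF; i++)
                if ($i == (lvl ":" on)) print $1
        }'
}

# Map service names on stdin to their owning packages, each listed once.
owning_packages() {
    while read -r svc; do
        rpm -qf "/etc/init.d/$svc"
    done | sort -u
}

# On a real host: chkconfig --list | never_on | owning_packages
sample_chkconfig | never_on
```

On a host with a localized chkconfig, set ON_WORD to the word printed for enabled services before calling the filters.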