[Network Administration] : Postfix and LDAP recipients

Given that I’ve already put my addresses into the LDAP directory, I’m going to use that to pull my recipients for local delivery. There is information on the Postfix website, here and here.

Appropriate section of /etc/postfix/main.cf

# all main to the domain is slated for local delivery
mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost
# Set aliases to the postfix configuration directory
alias_maps = hash:${config_directory}/aliases
alias_database = hash:${config_directory}/aliases
# Local recipients are stored in ldap
# Alias maps also needs to be added here to accept mail for aliases locally
local_recipient_maps = ldap:${config_directory}/ldap-recipients.cf $alias_maps

The file ldap-recipients.cf file has the information to connect to the LDAP server.

server_host = <SERVER>
search_base = ou=users,dc=example,dc=com
version = 3
query_filter = mail=%s
result_attribute = uid
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = <CA certificate chain>

We require the verification of the LDAP certificate, so we need to specify the certificate chain.


[Network Administration] : Kerberized Postfix

I updated my mail server and connected this into the kerberized system that was put in place earlier. Previously I had my mail accounts defined in a MYSQL database, which worked alright, but was really more of a hassle since any password changes needed to be done both in the system, and in the mysql database which was used by postfix. Either I had a single password, and needed to update both databases if it was changed, or I had to let them diverge. I’ll need an authentication mechanism so that I can submit mail from the mail client (MUA) for delivery. This time, I connected postfix, which I use as my MTA, to the Kerberos server to do the authentication. Postfix supports SASL mechanisms for authentication and can use it for both GSSAPI and PLAIN authentication against the Kerberos system. The postfix website has a whole page describing use of SASL with Postfix. I used Cyrus SASL from Carnegie Mellon University to do the authentication.
Continue reading “[Network Administration] : Kerberized Postfix”

[AWS] Mail Relay

I got my AWS account up and running.

Getting set up

First, I got an AWS account on the site. It was pretty easy, and free to start. I don’t expect to have any issues in terms of compute time, so it should be really cheap.

I did use IAM to setup some other accounts so that I don’t need to use my AWS account every time I wanted to log in. There is a user guide here. Following that, I gave myself an admin account that I could then use to administer everything else. I’m planning on using it for some other items than just an MTA, so I wanted to separate them.

After getting my accounts setup, I needed to find a suitable AMI to run. What I eventually want is an Ubuntu image that I can load postfix onto. There is a Ubuntu community page to find a suitable image to run on the EC2 machines that you can search by release. There are a number of official releases that they provide for EC2 use. I’m using ami-1cf1db59, which is a 64-bit 12.04 LTS release

Now that I’ve picked out my AMI, I launched it into their farm. My account only supports VPC, so that’s where it’s going. I just used the web console for this. I selected a t1.micro machine. At the end, I got a key pair(.pem RSA private key) that I downloaded to my machine. I’ll need that in a little bit.

[Update]: You can also bring up a new AMI from the command line using a command like:

$EC2_HOME/bin/ec2-run-instances ami-acf9cde9 -g <SECURITY_GROUP> -k <KEY_PAIR>

[Update]: For t1.micro instances, you’ll have to pass it on the command line as the m1.small instance is the default:

$EC2_HOME/bin/ec2-run-instances ami-acf9cde9 --instance-type t1.micro -g <SECURITY_GROUP> -k <KEY_PAIR>

The key pair is the one that will be loaded that allows you to SSH into the instance. You will need to create one beforehand. You can do this with the ec2-add-keypair command. The security group describes the ports that are open. If you are using the default, you may need to open ports to communicate with it. You can use the command ec2-authorize, or ec2-modify-instance-attribute to change the security group after the fact. Note, if you use ec2-modify-instance-attribute to change the security group, you need to give it the ID, and not the name. You can get the ID from the ec2-describe-group command.

Getting the command line working

It took me a while to get the command line tools working. I installed the EC2 command line tools which I got from the Amazon website. It doesn’t have any real instructions. There are some on the web that you can find.

I had to add some information into my csh environment.

AWS stuff
# Tell it where java is
setenv JAVA_HOME /usr
# Optionally, set up paths for command line tools.
setenv AWS_HOME /usr/local/aws
setenv EC2_HOME $AWS_HOME/ec2

# Setup ec2 wide env
setenv EC2_URL https://ec2.us-west-1.amazonaws.com

# Load the access keys into the environment for EC2 command line tools.

Most of the stuff that I found on the web used EC2_PRIVATE_KEY and EC2_CERT, but according to the EC2 user guide, these are deprecated, and should no longer be used. The new options to use AWS_ACCESS_KEY and AWS_SECRET_KEY instead. Personally, I find this a little annoying as this means that my keys are in my environment instead of read from a file.

I did have to add the EC2_URL env variable so that I can connect with the us-west-1 server farm which I’m using. The default is the east coast one. I’m in California, so it’s the closest to me.

IP addresses

I got an elastic IP address from amazon. I can now assign this to my instance. This is a static IP address that is associated with my account. I can move this from instance to instance as I need. It’s kinda like a static IP address that I get from Amazon that I can use as I see it.

I got an EIP with the allocate address command
ec2-allocate-address -d vlc

I had to add the VPC option as the domain since that’s what I’m using.
I then associate this with the instance
ec2-associate-address -i <INSTANCE-ID> <IP_ADDRESS>

The address in the command above is what is returned from the allocate address command in the previous step. The instance ID can be determined either from the EC2 web console, or from the ec2-describe-instances command.

After this, I updated my DNS records for my domain to point at the EIP that I associated with my running instance.

Getting into the machine

I can now ssh into my machine.

The private key is what was generated when the instance was started. It should be a .pem file. In my case the user to log in was “ubuntu”, but it probably depends on the image that you’re using.

apt-get install postfix
configure as internet to smarthost