Apache2 (VHOST) + OpenSSL
by HidekiAI on Aug.02, 2009, under Technology Opinions
Just recently there was an update (I've no clue which one), and it bit both my x86 server and my x86_64 Gentoo dev-box. I was down for a few hours with this message in /var/log/apache2/error_log:
[Sun Aug 02 16:07:53 2009] [info] Init: Initialized OpenSSL library
[Sun Aug 02 16:07:53 2009] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]
I first disabled SSL_DEFAULT_VHOST so that I could at least get this blog up and running, and then began investigating on my dev-box (non-server) what needs to be looked at. For those who wish to do the same: on Gentoo, edit /etc/conf.d/apache2 and remove "-D SSL_DEFAULT_VHOST" from APACHE2_OPTS. You can keep "-D SSL", because mod_ssl itself is not the problem; the error is about the default SSL vhost being enabled without an SSLCertificateFile it can use. By the way, if you have a very long APACHE2_OPTS, you can build the variable up in stages like below and just comment out the stage you are trying to test:
## First, set up the default (without SSL vhost, but SSL enabled)
APACHE2_OPTS="-e debug -D DEFAULT_VHOST -D INFO -D MANUAL -D STATUS -D SUEXEC -D LANGUAGE -D PHP5 -D ERRORDOCS"
## Now start adding anything else (per-app basis)
#APACHE2_OPTS="$APACHE2_OPTS "
## Note: If you need MEM_CACHE, you have to enable CACHE
APACHE2_OPTS="$APACHE2_OPTS -D FTPD -D CACHE -D MEM_CACHE -D USERDIR -D DNSBL"
## Enable SSL vhost
## As of Apache 2.2.12 (built against OpenSSL 0.9.8f or newer), SNI (Server Name Indication) is supported for SSL vhosts
APACHE2_OPTS="$APACHE2_OPTS -D SSL -D SSL_DEFAULT_VHOST"
## NOTE: SSL and GNUTLS are _MUTUALLY_EXCLUSIVE_!!! It is either one or the other!
## -D GNUTLS seems to be broken, fails on symbol gnutls_mallor
#APACHE2_OPTS="$APACHE2_OPTS -D GNUTLS -D GNUTLS_DEFAULT_VHOST"
## SVN, you need a minimum of:
APACHE2_OPTS="$APACHE2_OPTS -D SVN -D SVN_AUTHZ -D DAV -D DAV_FS -D DAV_SVN"
## PAM, LDAP and auth
APACHE2_OPTS="$APACHE2_OPTS -D LDAP -D AUTH_LDAP -D AUTHNZ_LDAP -D AUTH_PAM -D VHOST_LDAP -D AUTH_OPENID -D AUTH_MYSQL"
# adding "-D SECURITY" causes blog posts to fail because mod_security catches some words it doesn't like and thinks I'm injecting
# you'll need to tweak /etc/apache2/modules.d/mod_security/* to allow pass-throughs
#APACHE2_OPTS="$APACHE2_OPTS -D SECURITY"
## Mailman
APACHE2_OPTS="$APACHE2_OPTS -D MAILMAN"
## Python
APACHE2_OPTS="$APACHE2_OPTS -D PYTHON"
This way, you can comment out (using "#") the lines specific to the modules you are debugging.
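Before re-enabling SSL_DEFAULT_VHOST it is worth checking what mod_ssl is going to complain about. The script below is an added example, not from the original post: it walks vhost files, and for every one that turns SSLEngine on it verifies that an SSLCertificateFile and an SSLCertificateKeyFile are both configured and readable, which is exactly the condition behind "Server should be SSL-aware but has no certificate configured". The two vhost files, the empty stand-in key pair and the paths under $DEMO are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the post's own config): reproduce the check mod_ssl does
# at startup. Sample vhost files and the $DEMO paths are constructed here.

# check_ssl_vhost FILE: exit 0 if the vhost is consistent, 1 if it would
# make mod_ssl refuse to start; the reason is printed to stdout.
check_ssl_vhost() {
    conf="$1"
    rc=0
    # A vhost only needs a certificate if it actually enables SSL
    # (directive names are case-insensitive; commented lines are skipped).
    if ! grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$conf"; then
        echo "$conf: SSLEngine not on, nothing to check"
        return 0
    fi
    for directive in SSLCertificateFile SSLCertificateKeyFile; do
        path=$(grep -Ei "^[[:space:]]*$directive[[:space:]]+" "$conf" \
               | head -n 1 | awk '{print $2}' | tr -d '"')
        if [ -z "$path" ]; then
            echo "$conf: SSLEngine on but no $directive [Hint: $directive]"
            rc=1
        elif [ ! -r "$path" ]; then
            echo "$conf: $directive -> $path is missing or unreadable"
            rc=1
        fi
    done
    return $rc
}

# --- constructed demo data ---------------------------------------------
DEMO=$(mktemp -d)
# Empty stand-ins for the key pair; on a real host these come from your CA
# or from "openssl req -x509 -newkey rsa:2048 ...".
touch "$DEMO/server.crt" "$DEMO/server.key"
chmod 600 "$DEMO/server.key"

# 1. A vhost like the one that produced the error: SSL on, no certificate.
cat > "$DEMO/broken_ssl_vhost.conf" <<EOF
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # SSLCertificateFile /etc/ssl/apache2/server.crt
</VirtualHost>
EOF

# 2. The same vhost with both directives present and pointing at files.
cat > "$DEMO/ok_ssl_vhost.conf" <<EOF
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    $DEMO/server.crt
    SSLCertificateKeyFile $DEMO/server.key
</VirtualHost>
EOF

# The same loop works on /etc/apache2/vhosts.d/*.conf on a real Gentoo box.
for f in "$DEMO"/*.conf; do
    if check_ssl_vhost "$f"; then echo "OK:   $f"; else echo "FAIL: $f"; fi
done
```

This only confirms the directives and files are there; it does not prove the certificate and key belong together, so run `apache2ctl -t` with the same -D defines the init script uses before restarting, and compare `openssl x509 -noout -modulus` against `openssl rsa -noout -modulus` if you have swapped files around.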
Android: First Encounter (AT&T/Cingular)
by HidekiAI on Jul.25, 2009, under Technology Opinions
I'm not much of a cell-phone user these days; back in the analog-phone days, just like when e-mail became very popular in the mid-90s, I was addicted to it.
The last time I bought a cell-phone, I specifically asked whether I could purchase a unit with no CCD/camera, because I did not see any use for it (I did find a use for it: although I ride a motorcycle now, I used to drive, and whenever I got cut off or reckless drivers pissed me off, I took their license plate with the camera; one of these days I am going to create a web-site called assholedrivers.com where I'd post their plates, and until they make a public apology to all drivers, it will stay up). I wanted a Sony/Ericsson phone because it had the capability to download Java. But that didn't go so well when I discovered how much I was getting charged for data usage by AT&T.
A colleague of mine (http://www.sjbaker.org/wiki – this person is a guru of graphics and everything else; he is incredibly wealthy in knowledge, and to me it is always a treat to talk to him – not only is he the original author of TuxKart and plib, but you must check out the Simple 3D Scanner link on his page!) gave me this link http://developer.android.com/guide/developing/device.html#dev-phone-1 after a few discussions about games on phones (including recent discussions we had on OpenGL ES 2.0 – by the way, currently Android is OpenGL ES 1.x).
After doing some research, I finally purchased it for these reasons:
- I loved the fact that it was Linux 2.6 at the heart of it
- The SDK and NDK by Google proved to me that this is serious (the NDK is the native developer's kit, which lets you access OpenGL ES and other low-level APIs directly)
- It has built-in WiFi, so I won't get charged by AT&T for data
- It’s unlocked
- This Stanford Video: http://www.youtube.com/watch?v=WUrMI9ZGxQ8
- This “it makes it look easier than it is” video: http://www.youtube.com/watch?v=I6ObTqIiYfE
Postfix + Dovecot – (Cyrus + Courier)
by HidekiAI on Jan.03, 2009, under Technology Opinions
When setting up Postfix's authentication, if you are doing a fresh install and/or do not have Cyrus-SASL working, my recommendation is to use Dovecot instead.
If on the other hand you've been persistent and have Cyrus/SASL working, leave it alone; you've probably got one of the few systems that are rare but functional, and you don't want to break and/or disturb what is not broken.
Setting up Courier (IMAP and POP3) authentication through MySQL was trivial for the PLAIN password scheme. The only hard part, I'd imagine, is writing your own authmysqlrc in your /etc/courier/authlib folder to query the username/password/uid/gid correctly. But if you know your way around SQL queries, sooner or later you'll get it right (if you need help, e-mail me and I'll help you out – if I don't respond, it's most likely because my SASL is broken and I cannot get authenticated to send out *grin* what an irony – just kidding).
It used to be that you would guard your mailbox from prying eyes because back then, e-mails were more authentic, sort of like when you receive a hand-written letter from somebody important. Today you receive e-mails for just about anything, to the point where they aren't so genuine anymore... Or there is so much spam in your INBOX that you'd rather just delete all the mail than read it. In any case, you want to protect your server so that at least you're not responsible for participating in that spam (make sure to test your server with an open-relay tester from outside), or at least so you can say you've done all you can to avoid issues.
In any case, the whole point of that story is that you want to make sure your outgoing mail is authenticated (password protected) as well as incoming. With Postfix + Courier you can make the assumption that if you logged on with POP3 and were authenticated, you are most likely the same person, and thus SMTP should not require any password during the same session (the POP-before-SMTP approach). Similarly, you can argue the same point for an IMAP session.
This is where SASL comes into play. Just because Carnegie Mellon University was the origin of the SASL RFC and they are the ones who maintain Cyrus, it doesn't mean it's the best. To me, Dovecot is better than Cyrus for one simple reason: Dovecot has documentation and wiki pages... A damned good wiki, I might add... It's so good that I've been able to get SASL-based authentication for Postfix working in less than a day!
With Dovecot, it is (currently) authenticating in the following order:
- PAM – I have PAM look up both LDAP and the password file, in that order of look-up priority.
- MySQL – this is so that other accounts that may be in LDAP but use PLAIN can be authenticated from the Postfix database, and/or users who do not have an LDAP account but have virtual mail accounts.
As mentioned, because I'm using PAM to authenticate, I don't need to have Dovecot integrate with LDAP. Whenever you can have PAM do the authentication, let it do so rather than adding another link. By the way, PAM can only do plaintext authentication (it needs the cleartext password to verify it, so only PLAIN/LOGIN mechanisms work), so do make sure you get SSL working and refuse plaintext logins on unencrypted connections.
Meaning: you have PAM linking to your LDAP server, for example for SSH and session login, you've got it functional, and you have a centralized location (a single point of authentication) for all your domain accounts. Now, if you enable LDAP for Dovecot as well, that's another configuration you'd have to debug (or alter if the server gets moved to another hostname).
Let PAM be your middle layer between all your services and LDAP (and shadow). The beauty of it (and it's common sense) is that once you get PAM working, the rest just fits in. If something goes wrong with your LDAP server, you only have to deal with PAM. The converse, of course, is that if PAM breaks, everything breaks. But I prefer to take that chance, because management of Linux services can be a nightmare compared to Microsoft services (if you've installed Active Directory and OpenLDAP, you'd know which is easier/quicker to set up and what I mean).
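The three points above (PAM first, then MySQL; PAM is plaintext-only; therefore TLS must be on and plaintext mechanisms refused off-TLS) can be checked mechanically. The script below is an added example, not the post's own configuration: it audits a Dovecot config for passdb order, disable_plaintext_auth and ssl, and runs over a weak and a hardened sample. The samples are constructed, written in Dovecot 2.x syntax (the 1.x syntax of the post's era differs), and the certificate paths and SQL config path in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Dovecot config for
#   1. passdb order: pam first (LDAP + shadow via PAM), then sql (virtual users);
#   2. disable_plaintext_auth = yes, since PAM can only verify a cleartext
#      password and that password must not cross the wire unencrypted;
#   3. ssl = required (or at least yes).
# Both sample configs and the $DEMO paths are constructed for this demo.

# passdb_order FILE: print the passdb drivers in the order Dovecot tries them.
passdb_order() {
    awk '
        /^[[:space:]]*passdb[[:space:]]*[{]/ { inside = 1; next }
        inside && /^[[:space:]]*}/ { inside = 0; next }
        inside && /^[[:space:]]*driver[[:space:]]*=/ {
            sub(/.*=[[:space:]]*/, ""); printf "%s ", $0
        }
    ' "$1" | sed 's/ $//'
}

# setting FILE KEY: print the top-level value of KEY, or "" if unset.
setting() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# audit_dovecot_auth FILE: exit 0 if all three points hold, 1 otherwise.
audit_dovecot_auth() {
    conf="$1"; rc=0
    order=$(passdb_order "$conf")
    case "$order" in
        "pam sql") ;;
        *) echo "$conf: passdb order is '$order', expected 'pam sql'"; rc=1 ;;
    esac
    if [ "$(setting "$conf" disable_plaintext_auth)" != "yes" ]; then
        echo "$conf: disable_plaintext_auth is not yes; PAM/PLAIN passwords may go out unencrypted"
        rc=1
    fi
    case "$(setting "$conf" ssl)" in
        required|yes) ;;
        *) echo "$conf: ssl is not enabled"; rc=1 ;;
    esac
    return $rc
}

# --- constructed demo configs -------------------------------------------
DEMO=$(mktemp -d)
# Weak: sql tried before pam, plaintext allowed in the clear, TLS off.
cat > "$DEMO/weak.conf" <<'EOF'
disable_plaintext_auth = no
ssl = no
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
passdb {
  driver = pam
}
EOF
# Hardened: the order and settings described in the post.
cat > "$DEMO/hardened.conf" <<'EOF'
disable_plaintext_auth = yes
ssl = required
ssl_cert = </etc/ssl/dovecot/server.pem
ssl_key  = </etc/ssl/dovecot/server.key
passdb {
  driver = pam
}
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
EOF

for f in "$DEMO"/*.conf; do
    if audit_dovecot_auth "$f"; then echo "OK:   $f"; else echo "WEAK: $f"; fi
done
```

Dovecot's own `doveconf -n` prints the effective merged configuration, so on a live host feed its output to audit_dovecot_auth rather than a single file; the same ordering point applies on the Postfix side, where smtpd_sasl_type = dovecot simply hands the AUTH exchange to this passdb chain.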
I've learned a lot from Cyrus, but I wish I hadn't been stubborn about it and had given in to Dovecot earlier. I wouldn't have been able to form my own opinion about how difficult it is to set up Cyrus (though if you Google for Cyrus, I'd imagine you'd find quite a few people complaining about it), but if you have found this blog and are in the midst of, or about to start, setting up SASL authentication for Postfix, try Dovecot first, because you should be spending your time on something more productive...