Redundant dns entries; permitting bind9 hostfile direct edits; etc.

shinji · July 2, 2010, 9:14pm

I have a few questions to go through. Hopefully someone might be able to help me on this. Before I start I’ll go ahead and detail what I’m using for hosting. I’m using a linode 1024 plan VPS server and I’m using VirtualMin GPL. I installed VirtualMin on a clean install with some security enhancements just in case there are any gotchas. Mostly basic ssh lockdown, root account being disabled, etc.

Anyways to the questions.

1.) There are dns host entries created for m.domain and localhost.domain. Is there any reason for this? I was able to remove the entries without any negative effects that I can see.
UPDATE: I found in the bind9 server options a spot to uncheck their creation.

2.) Is there any way to give virtual server owners direct access to the bind file? I understand there are risks involved in doing that but the only other users that would be editing them I trust but don’t want to give them full access to every domain in the process.

3.) I just noticed that fcgid isn’t working for php. When I run a phpinfo check it is showing as if mod_php is running the file. system('id) returned www-data as the user rather than the site owner. Is there any particular reason why?
UPDATE: I found out why. When mod_php5 is running the handler for fcgid doesn’t kick in. I disabled mod_php5 and it switched right back over. I’m trialing a different configuration so I’ll see how things pan out with a different method. Just so you know it involves mod_php5 and apache2-mpm-itk. I had it setup on my previous os configuration and it worked ok although I never got perl working… (leading to a new 5th question)

4.) saslauthd isn’t running on the server. On the domain it does indicate that sasl auth is enabled but the service isn’t running. When I start it manually I get the error " * To enable saslauthd, edit /etc/default/saslauthd and set START=yes" every time. I understand the manual edit (I can do that) but why isn’t it getting enabled via VirtualMin?
UPDATE: I manually enabled saslauthd but my original root issue (which is why I posted the question) still is at hand. The reason I asked about saslauthd is because smtp auth isn’t working for some reason.
UPDATE: smtp auth doesn’t work with either if saslauthd is manually running or now. Doesn’t make a different if sasl auth is enabled or not in virtualmin although I do see the postfix config change. Pop/imap auth works fine. Smtp auth failed with both plain and login methods.

5.) (added on update) How do I get perl to work everywhere in the domain? I see that it works in the cgi-bin but I don’t usually keep my scripts in that folder.
UPDATE: Got that working too finally after hitting my head on the desk alot… Comment out the ScriptAlias for cgi-bin then add “AddHandler cgi-script .cgi .pl” (no quotes) and it was magic. Kinda obviousl but I could of sworn I did that before and it wouldn’t work.

Eric · July 3, 2010, 4:53am

Howdy,

Before I start I’ll go ahead and detail what I’m using for hosting. I’m using a linode 1024 plan VPS server and I’m using VirtualMin GPL

Cool, Virtualmin should work great on that Linode!

Is there any way to give virtual server owners direct access to the bind file?

Sorry, I don’t know of a way to do that with Virtualmin. Using the GUI, the best you can do is offer them the ability to set DNS records using Services -> DNS Domain.

saslauthd isn’t running on the server. On the domain it does indicate that sasl auth is enabled but the service isn’t running.

You may want to verify that in /etc/postfix/master.cf, the smtps and submission sections are uncommented.

From the looks of it, it sounds like you were able to get everything else working. If you have any other questions, just yell!

-Eric

shinji · July 3, 2010, 7:13am

Thanks for your response Eric. I looked in master.cf but I only found smtps commented out. I uncommented the line and reloaded the config to no avail. I did however after plenty of research find out the issue. I should of mentioned that I was running Ubuntu 10.04 as that might of helped out although it isn’t specific to the issue.

Part 1 of the issue is that postfix runs chrooted.
Part 2 of the issue is a missing smtpd.conf file.
Part 3 of the issue is that the saslauthd defaults file is untouched.

Reference url: https://help.ubuntu.com/community/Postfix

Now then… here are my file contents.

/etc/default/saslauthd:

#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

I have manually set start to yes, added pwdir, params, and pidfile, as well as changed the options string. There was actually a postfix users comment in there as you can see above.

/etc/postfix/sasl/smtpd.conf:

pwcheck_method: saslauthd
mech_list: plain login

The file was missing completely so I created the file and added the content.

Finally you need to run the following command as root. If you are like me and disabled root + use sudo instead then prepend the command with sudo.

dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd

That’s it. Now I don’t know how tls will work out but it should be affected. At least that’s as far as I can tell. This does appear to be a bug in VirtualMin though and not getting it setup properly from the start.

P.S. - My log indicated that it was trying to access /etc/sasldb2 for some reason. Early on it indicated unable to access, later file not found, then last permission denied. Once the above is done I think it stopped bothering with the file and went to saslauthd instead. saslauthd is default configured to use pam and VirtualMin creates a passwd entry for each mail user so pam works fine.

shinji · July 4, 2010, 4:56am

I found a solution to the issue 100%. This will use dovecot to auth in postfix via sasl. This works great and probably where the real bug is at. This does not require a smtpd.conf or a running saslauthd service (saving a little ram here).

Source: https://help.ubuntu.com/community/PostfixDovecotSASL

Modify /etc/dovecot/dovecot.conf

Look for auth default { and a little bit further down you have mechanisms. By default it is just plain auth. Change that so it does both plain and login. It will look like the following.

  mechanisms = plain login

Find socket listen {
Uncomment that line
scroll down to client {
uncomment that then within that section add:

path = /var/run/postfix/private/auth
mode = 0660
user = postfix
group = postfix

now then uncomment the last 2 closing braces ( } )

it should end up looking like this:

  socket listen {
    #master {
      # Master socket provides access to userdb information. It's typically
      # used to give Dovecot's local delivery agent access to userdb so it
      # can find mailbox locations.
      #path = /var/run/dovecot/auth-master
      #mode = 0600
      # Default user/group is the one who started dovecot-auth (root)
      #user =
      #group =
    #}
    client {
      # The client socket is generally safe to export to everyone. Typical use
      # is to export it to your SMTP server so it can do SMTP AUTH lookups
      # using it.
      #path = /var/run/dovecot/auth-client
      path = /var/spool/postfix/private/auth
      #mode = 0660
      mode = 0660
      user = postfix
      group = postfix
    }
  }

Now then we need to edit /etc/postfix/main.cf so that it knows to auth against dovecot
drop this at the end of the file and you should be good to go.

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

Hmm… the source doc probably did a better job. If you don’t understand my changes then look at the source one…