Saturday, March 28, 2009

Restrict incoming and outgoing mail on #exim4 with #ldap

When I first had to set up an email server with Exim4, it took me some time to figure out how to restrict incoming and outgoing mail. The goal was that some accounts were allowed to send mail outside the domain, others could receive mail from the outside world, and most could do both.

This turned out to be very useful. I managed it with two lists containing all the names: allowed_out and allowed_in. The next step was to figure out how to set this up within the LDAP database. Setting up a list wasn't hard to manage. Finding out the router settings was a lot harder, but I finally worked it out.

First you'll have to make an LDAP entry containing all the users allowed to send mail outside your domain. The objectClass for now is inetOrgPerson; better would be something like posixGroup in combination with the memberUid attribute. (I'll change this later.)

dn: cn=allowed_out,dc=example,dc=com
cn: allowed_out
objectClass: inetOrgPerson
objectClass: top
o: EXAMPLE
sn: Allowed out
mail: cow@example.com
mail: horse@example.com

Now you'll have to make a router for your Exim4 config: /etc/exim4/conf.d/router/081_local-config_check_out (use whatever filename you like in that directory, but make sure it's one of the first routers checked).

check_outgoing:
driver = redirect
# don't check mail for local domains, only mail leaving the domain
domains = ! +local_domains
# the router matches if the sender doesn't match the ldap list allowed_out:
# the leading "! :" item lets bounces (empty sender) through, the ldapm lookup
# returns one address per line and sg turns the whitespace into colons,
# Exim's list separator
senders = ! : !{${sg {${lookup ldapm {ldap://127.0.0.1/cn=allowed_out,dc=example,dc=com?mail?sub?}}}{\\s+}{:}}}
# fail sending the mail
allow_fail
# giving the sender the next message
data = :fail: You are not allowed to send mail outside this domain. example.com

You can do the exact same thing for incoming mail.

dn: cn=allowed_in,dc=example,dc=com
cn: allowed_in
objectClass: inetOrgPerson
objectClass: top
o: EXAMPLE
sn: Allowed in
mail: cat@example.com
mail: horse@example.com

This time you'll have to put some lines in /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt, just above the line "acl_check_rcp":

# deny if the recipient address is not in the ldap list specified
deny
# but don't check this if the sending host is one of our own (relay) hosts
!hosts = +relay_from_hosts
# same trick as in the router: ldapm returns one address per line, sg makes a colon-separated list
recipients = !:! {${sg {${lookup ldapm {ldap://127.0.0.1/cn=allowed_in,dc=example,dc=com?mail?sub?}}}{\\s+}{:}}}
message = This email address isn't allowed to receive mail from outside its own domain. example.com

That's all. Now don't forget to update your Exim4 config and restart the service:

update-exim4.conf
/etc/init.d/exim4 restart
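To check what the two LDAP lists and the router/ACL pair above actually decide before touching a live server, here is a small policy model I wrote for this post (it is not part of the original article and not Exim code): it reads a constructed LDIF with the two entries, applies the same whitespace-to-colon conversion as the ${sg ...} expansion, and returns the verdict for a sender/recipient pair. LDIF, LOCAL_DOMAINS and the function names are my assumptions.

```python
import re

# Constructed LDIF standing in for the two directory entries in the post
# (sample data, not output from a real directory).
LDIF = """\
dn: cn=allowed_out,dc=example,dc=com
mail: cow@example.com
mail: horse@example.com

dn: cn=allowed_in,dc=example,dc=com
mail: cat@example.com
mail: horse@example.com
"""
LOCAL_DOMAINS = {"example.com"}  # stands in for Exim's +local_domains

def ldapm_lookup(ldif, cn):
    """'mail' values of one entry, newline-separated, as Exim's ldapm
    (multi-value) lookup hands them to ${sg ...}; '' if no such entry."""
    for entry in ldif.strip().split("\n\n"):
        lines = entry.splitlines()
        if lines[0] == f"dn: cn={cn},dc=example,dc=com":
            return "\n".join(l[len("mail: "):] for l in lines if l.startswith("mail: "))
    return ""

def exim_sg_list(values):
    """${sg {...}{\\s+}{:}}: whitespace runs become colons, Exim's list
    separator; the result is split into the individual list items."""
    return [i for i in re.sub(r"\s+", ":", values.strip()).split(":") if i]

def outgoing_verdict(sender, recipient):
    """check_outgoing router: only non-local recipient domains reach it, the
    '! :' item lets bounces (empty sender) pass, the negated LDAP list lets
    listed senders pass, and anything else is failed with the :fail: text."""
    if recipient.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
        return "local, router skipped"
    if sender == "":
        return "bounce, allowed"
    allowed = {a.lower() for a in exim_sg_list(ldapm_lookup(LDIF, "allowed_out"))}
    if sender.lower() in allowed:
        return "allowed"
    return ":fail: You are not allowed to send mail outside this domain. example.com"

def incoming_verdict(from_relay_host, recipient):
    """30_exim4-config_check_rcpt deny: hosts in +relay_from_hosts are exempt;
    any other host may only deliver to recipients listed in allowed_in."""
    if from_relay_host:
        return "accept"
    allowed = {a.lower() for a in exim_sg_list(ldapm_lookup(LDIF, "allowed_in"))}
    return "accept" if recipient.lower() in allowed else "deny"
```

Swap the constructed LDIF for the output of an ldapsearch against your own directory to see which of your accounts end up rejected by each rule.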



Thursday, March 19, 2009

Virtualisation: firewall and webserver on ESXi

In this article I'll explain how to put a firewall (IPCop), a webserver (Apache) and, if you like, a small PDC (Primary Domain Controller) on one server. We will use VMware ESXi for the virtualisation. It's free, but you will need to register.

Before you start downloading, you'll have to be sure your hardware is recognized by ESXi. Or you could just download it and test the ISO image, as I did.

I used an HP ProLiant DL120 G5. It is not mentioned in the hardware list as being compatible with ESXi, but I tried anyway and succeeded. There are some things you need to know, though.

- For any ESXi installation you'll need more than 1 GB of RAM (less just won't do, I found out the hard way); go for 4 GB.
- On the HP ProLiant you can't use SATA RAID (it actually is a software RAID and ESXi has no drivers for that RAID setup), so you'll have to disable it in the BIOS.
- You'll also have to put SATA in native mode.
- For this setup you'll need at least 2 NICs.

Installing ESXi is not more than downloading the ISO, burning it on a CD and then booting your server from that CD. Once it's installed, you will be able to do a minor config on the console.



You'll need to set a root password, the name, domain name, IP address (pick the right NIC; if you only connect one NIC with a cable, you can see which one you'll have to pick), subnet mask, gateway and DNS. When you're done, you should be able to browse to the server's IP address: http://ip-address-server. You might get a warning about a wrong certificate; just accept it. The site you'll see shows you a link for downloading the VMware Infrastructure Client. Go download and install this.



Once you're done, you can run the client and log in to your ESXi host. So, now your host has been set up and is ready to be configured. The first thing you should do is configure the network cards, because we will have some real NICs and some virtual ones.

Before we continue I should explain a bit about IPCOP, the firewall we will use.

IPCop Firewall is a Linux firewall distribution geared towards home and SOHO (Small Office/Home Office) users. The IPCop interface is very user-friendly and task-based. IPCop offers the critical functionality of an expensive network appliance using stock, or even obsolete, hardware and open source software. This is what you'll find on IPCop:

Luckily it doesn't need much of a computer to run: a 386 processor, 32 MB of RAM and a 300 MB hard disk. Very nice. If we want to put up a firewall we will need at least one network interface for the connection with the internet and one for the connection with our own network. Running a webserver will give you the need for a third, and here is the beauty of ESXi: we will use a virtual NIC.

So in short this is our setup (follow this link for more info on IPCop's NIC setup):

GREEN  + ORANGE   + RED     (IPCop interface setup)
VMNIC0 + VSWITCH2 + VMNIC1  (ESXi setup)

I'll explain a bit more about the virtual NICs and virtual switches you'll have to set up. In your client console, go to Configuration > Networking. You'll see that a virtual switch is already present and connected to a NIC. Click on Properties of this virtual switch, add a virtual NIC and call it GREEN. Next we'll have to add a new virtual switch and connect it to the other free real NIC. Call this one RED.



For our webserver we will use a virtual NIC and a virtual switch that will be connected to a virtual NIC (ORANGE) on our firewall, so we won't need a real NIC for it. When you're finished adding your NICs and switches, you can start adding virtual machines. Setting up a custom machine ("other 32-bit Linux system") with 256 MB RAM, 1 CPU and about 500 MB disk space will do fine. Add 3 virtual NICs (GREEN + ORANGE + RED) and you're ready to install IPCop. Download the IPCop ISO image; you don't have to burn a CD, you can attach an ISO with your client as a CD. Reboot your virtual machine (CTRL+ALT+Insert) when you're in console mode and follow IPCop's installation guide.

Now you can add a new virtual machine and install a webserver on it. You only have to add a new virtual NIC on the same switch as your IPCop's ORANGE virtual NIC. And if you want, you can even add another virtual machine as a PDC. Just add a new virtual NIC on the same switch as your IPCop's GREEN virtual NIC.



Thursday, March 12, 2009

CeBIT 2009: ASUS, secrets not on the Flyers

As you all know, Asus had a very big stand at CeBIT 2009. Lots of new stuff we already knew about, but now we had the chance to touch. And I really mean touch. Lots of Eee PC T91 and Eee PC T101H to try out. Very nice of ASUS.

And yes, a "new" concept: no keyboards, only 2 screens. Behold, the dual-screen notebook.

Also the Eee Keyboard, the Eee Top and the Eee Box B202, B204 and B206 were there to be touched, although the Eee Keyboard was kept behind big locks. Only on demand did it come out of its cave, and no touchy touchy.

I could post some more videos and pictures, but make Google your friend and you'll find plenty of those on the net. What I'm about to tell you is probably not that easy to find in other places.

The first day at CeBIT, I just tried to see as much as possible. The second day, I started to ask questions. So at the Asus stand, I went to an Asian-looking guy and started asking questions. At first that person didn't feel much like answering my questions. But he came along, and this is what I found out.

NO MORE LINUX on the new devices. I asked this question because I wanted to buy an Eee Box B206 (this should do HD), but no go for Linux. The Asus person even told me I wouldn't be able to put Linux on it. Why? Problems with the drivers for some components. He even told me (off the record) that it is not only the graphics chipset that distinguishes the B202 from its two brothers (B204 and B206), and the drivers were the main problem getting Linux on those devices. His advice: buy a B202 model. Is this true? Time will tell.

Now about the Eee Keyboard: no Linux on it for sure, but this thing is only a prototype. It might come out, it probably will come out, but they are still developing the gadget. And for now, it won't do anything (yet?).

And what about the dual-screen notebook? Should I still remind you: no Linux. Well, the dual-screen is not more than 2 screens put together. There is no computer in it. It's only a showcase. Not for real. They don't even know if it will ever come out.

So what should you remember from this: no more Linux for ASUS. Damn, one of the reasons I loved ASUS is gone now. But there are enough brave souls out there that will find their way to put Linux on all Asus devices.



Thursday, March 5, 2009

CeBIT Hannover 2009: the overview.

Before telling what I saw and how it was, let me give you some tips if you're planning to go yourself. Wear a tie, learn German and make some business cards. I do speak some German (enough to ask questions and understand the answers), I do have real business cards, but I didn't wear a tie (not our company policy), and that, my friends, kept people from sharing their precious information.

So what did I expect and what did I see? Hoping to see OLED, colour e-ink and lots of e-readers turned out to be an illusion. Found one e-reader though. Furthermore, I wanted to find out more about document management solutions, anti-virus solutions and infrastructure. Nothing new. Lots of scanning, but no new management solutions. Same story on anti-virus, but I did find the information I wanted on infrastructure and wireless technologies.

But there were other things that made the trip worth going. True 3D screens without the need for glasses; the Tobii eye tracking system, which lets you control a system with your eyes (and people, it really works); and ART+COM showing a real surface touch table, not some little children's surface table. We also found the Open Source section and the Asus and MSI stands.

If you ask me, you should visit halls 6, 9, 19, 20, 21 and 25, but for the resellers' part in hall 25 you'll need to disguise yourself as a reseller, or you're not getting in. I've seen things I didn't expect and expected things I haven't seen, but I'm happy I went, though I can't feel my legs any more. Man, Hannover Messe is one big site. I had forgotten all about that since I last went to EXPO2000.

I just want to thank some companies for their very helpful and good information: ART+COM, Asus, BenQ, CBL, Foxit, OpenOffice, SAXNET and Tobii, for answering all of my questions without searching for my tie. On Asus, I'll do some more later on.

