Next we need to create our virtual user list, edit the file /etc/postfix/virtual. Now by default you may find a bunch of help text in the file, you can ignore this and put you edits in there anyway, delete the content, or my favorite, move the file and create a fresh one:
mv /etc/postfix/virtual /etc/postfix/virtual.orig
touch /etc/postfix/virtual


Now we can add out entries to the file, let’s start with these:
jeff@example.com jeff
chris@example.com chris
ed@example.com ed
sales@example.com jeff
support@example.com chris
@example.com bob
In this example, the first three lines except mail for those users and deliver it directly to their local mailboxes. Lines 4 and 5 have a different address deliver mail to Jeff and Chris. And finally the last line is a “catch-all” address, this is usually very bad to have configured and WILL overwhelm the account it is pointed to, the catch-all will pick up any addresses not specified and will be a boon for spammers everywhere. But in this case we don’t really like Bob so he gets all the nasty mail.

Finally all we need to do is hash out the virtual file and restart Postfix:
postmap /etc/postfix/virtual
service postfix restart


1. Open remote GUI applications on my local desktop. What you say? You can do that? Yes you can, say open the network manager on your server to add an IP, or open the services manager to enable and start MySQL. You can do all of that through the comfort of your own desktop. Just connect via SSH with the -X command and run a GUI command.

ssh -X server1
firefox

This will open an instance of firefox on the remote server and bring the window onto your desktop. Simply close the window and your prompt returns to you. But be careful, if you run something that is resource intensive it will take up CPU cycles on the remote server and not your computer. Try it with configuration tools, in RedHat and CentOS system-config-network or system-config-services.

2. You can tunnel any protocol over SSH using -D port# option. So let’s say you are at one of those hacker conferences and you are on a shared wireless connection with everyone else and you need to check your email. Of course your running secure IMAP right? Well if you are still POPing your mail other people could sniff your traffic to see the XOXOXO’s your significant other has sent you. This is where SSH comes into play. Establish an SSH session to your server specifying the -D option and port 25 like so.

ssh server1 -D 110

Now as long as the IP for server1 is the same as the server configured in your POP client then traffic to the server will go over your SSH tunnel. Cool huh? You could do the same thing with webmail running on the standard web port 80. Or you could even setup Squid (part of Apache) and use it as a proxy for your web browser that is completely encrypted.

There is an easy way already built into SSH that allows you to connect to a known host without using a password, that is still secure and still encrypted. You can do this by using SSH keys. Basically on your workstation, you create a pair of keys for your user, a public and a private. The public key is for what it sounds like, it is the key that you can freely distribute to anyone, which can then be used to authenticate against your private key. The private key is, as you just guessed, is for private use and should never be given out to anyone. Now, you can create public keys from
private ones, but you cannot create private keys from public ones. So no one can recreate your personal private key and pretend to be you. There are other places you can use this key system, such as signing and encrypting email, but that is for another post.

So how do we set this up. Well first you need to create the key pair. On your workstation, logged in as your standard user (I am using the user Joe for example), run:

ssh-keygen -t dsa

It will ask you where to save the key, press Enter to accept the default. It will then ask for a passphrase, leave this empty and press Enter, press Enter again to confirm.
** Now, I know this is not absolutely the most secure way of doing this, but we are going for ease of use for right now. We can follow up with some more secure solutions in the future. Again this is more for managing your home network that would be secured by firewall and not publicly available, meaning if someone gained access to your workstation, nothing would prevent them from connecting to and mucking with your servers, you have been warned. **

Back to it, you are informed that two keys were created and saved as /home/joe/.ssh/id_dsa (private key) and /home/joe/.ssh/id_dsa.pub (public key). We now need to copy the public key to the server we want to connect to;

scp .ssh/id_dsa.pub joe@server:

Now ssh to the server and append the key to the end of the authorized keys directory.

cat id_dsa.pub >> .ssh/authorized_keys

And remove the original file.

rm -f id_dsa.pub

Finally make sure that the folders and files have the proper permissions.

chmod 700 .ssh
chmod 644 .ssh/authorized_keys

Exit from the ssh session and try to reconnect, you should connect without it asking for a login. Now, let’s say one of your workstations is a Windows box, you can import your private key into your connection manager. See your manager help files on how to do this. As far as Windows connection managers you have many choices, the most popular free one is PuTTY. I like to use SecureCRT by VanDyke, it’s a pay for product but it works extremely well and integrates into their other products such as SecureFX, which handles file transfers via ftp and ftp over ssh. Just google around and find one you like.

Stop back sometime as I will be covering some more SSH tricks.

Fast forward to today. I needed to move my XP machine to a different place in my house but I still wanted to be able to play my audio files from the same spot. I decided to dump BSD and install Fedora, since I mainly only work with Linux. Picked up an el-cheapo sound card, copied off the data to a portable drive, and reinstalled with Fedora Core 6. The install btw went flawless. I copied the data back, then setup Samba and NFS to share it on my network. Everything went so smoothly, I was pleasantly surprised, these new Linux releases have come along way. So I plugged in my speakers and launched the included player, browsed to my file store and nothing…… Apparently the player only supports Ogg format out of the box, FC does not support any proprietary filetypes. WTF.

So after calming down I started to search around. I came across a site rpm.livna.org that carried everything a Fedora user could ask for. From the site:

“rpm.livna.org is a community maintained add-on repository for Fedora Core that provides many useful packages that can not be distributed in Fedora Core or Fedora Extras for one reason or another, including multimedia applications such as xine and VideoLanClient, video drivers for ATI and Nvidia cards and firmware for common wireless cards.”

That basically says it all. So, first thing is first, let’s get yum configured to use them as an additional repository. For FC6 users:

rpm -ivh http://rpm.livna.org/livna-release-6.rpm

They also have releases for FC5 and FC4 users, for FC3, see their website for special instructions. So now you have a couple options as to what you want to run, whether it be MPlayer, GStreamer, Xine. Since i’m running KDE I chose to install Kplayer:

yum -y install kplayer

And off I went, playing my 33,000 songs. For those of you that are interested, rpm.livna.org also has the proprietary video drivers for both NVidia and ATI. You may also be interested in the products from Fluendo. They offer fully licensed (read legal) multimedia plug-ins for GStreamer. For a small fee you can be able to play and encode in Windows Media, MPEG2 and MPEG4. They will be adding support for even more codecs this year.

First let’s su - to root (you didn’t log in as root did you? You are a bad admin!), and run:

yum update

Now the server will connect to the internet, and check the repositories for updates. It will probably come back and ask if you wish to download the updates, I would say yes, as well as importing the GPG keys (for checking the validity of the packages). This is a Beta release and so I do not think you will run into many packages to be updated. Let’s have a quick look at our system shall we. Do a:

uname -r
2.6.18-1.2747.el5

That’s our kernel version, 2.6.18, not bad, the current kernel release is 2.6.20. But wait a sec, i’ve got 2 Xeon processors in this box, i’m supposed to have an SMP kernel, NOW WHAT?…….. Relax, with RedHat Enterprise 5, they decided to drop the standard kernel and make the SMP kernel the default, and now your only other kernel option is the HugeMem kernel. Don’t believe me? Take a look by running:

uname -v
#1 SMP Mon Dec 11 21:17:21 EST 2006

See, told you so . So now we have a blank slate to do whatever it is to the server. Stop back and see what I do to this box!

Fresh on the heels of the official RedHat release of Enterprise 5, I decided to start my test platform on the newest CentOS release, which is still the RH beta (not knocking the CentOS guys, I thank them deeply for what they do).

Download the iso’s and burn them, check.
Grab some free hardware, check.
Create hardware RAID, check.
Run the installer, err… wait, what? no drives?

Okay, ran into this issue before with an I20 based RAID cards and CentOS. I can’t grab the drivers from Adaptec, they are way too old and the installer would just bitch about them. I know they must be included with the distro, but are not loaded, or another driver is loaded by default for that chipset.

So, I ran the installer with the linux noprobe command. Now I can select the I20_block driver, but nothing else was recognized, gotta find that that PS2 keyboard, now were is it….. Okay got it,

I20_block driver, check.

Man it’s a real pain to setup custom partitions with just a keyboard in the GUI installer, next time I must remember to run in text mode, or at least see if I can load the USB drivers. So, pretty much nothing else hardware wise was found, hence the noprobe worked. Hopefully everything else will be discovered on the reboot.

It was, set the NIC parameters, set the firewall options to only allow SSH, configure SELinux to permissive (I am not running any services except for SSH at the moment, it’s okay). The Gnome interface is behaving a bit quirky and not opening certain system-config-x screens. Doesn’t matter, gonna be running from the command line anyway. Set inittab to boot to runlevel 3 and reboot.

As a side note. The install required 5 of the 6 cd’s!. To install the base, X w/ Gnome, Programming Tools, and the System Tools. And the CD that was skipped was number 4! I know this is not a CentOS issue but a RedHat one, and I know, I could do an NFS install and not have to swap CD’s, but I haven’t gotten to it yet. This has actually been talked about in the Fedora forums for a bit, FC is already 6 CD’s and the Extra’s alone come on a DVD. And I think there is talk of merging Extras into the main FC release. Oh, that should be fun.