The default MDA in OpenBSD is popa3d, but it's pretty limited, so some tips on installing and configuring the IMAP and POP3 portions of Courier and Cyrus are also below.
7.5.1 popa3d
This is OpenBSD's default POP3 MDA. You could read the popa3d manpage and then figure out a good command to put into /etc/rc.local to start it at boot time, but it's more easily initialized through inetd. Edit /etc/inetd.conf and uncomment this line:
#pop3 stream tcp nowait root /usr/sbin/popa3d popa3d
popa3d requires no configuration because it only fetches mail from local mailboxes, so you have to have a user account on the system with a non-null password. It's pretty simple, and should do perfectly for most servers that only need email for a small number of users. If you need IMAP, or if you need something a little more complex, you should probably use Courier-IMAP instead.
7.5.2 Courier-IMAP
Technically Courier is a complete MTA, but many people just use the MDA portion of it to deliver messages to local or virtual user accounts. In OpenBSD, only the MDA portion of Courier (Courier-IMAP) is available, and it's in /usr/ports/mail/courier-imap. Before you install it, make sure you check out the pkg directory and the Makefile to see what flavors are available. Specifically, you can build in support for LDAP, MySQL, PostgreSQL, and POP3.
At the end of the Courier-IMAP installation you'll be given a screenful of instructions. Basically they are:
1. Make a configuration directory:
   mkdir /etc/courier-imap
2. Copy over the default configuration files to it:
   cp /usr/local/share/examples/courier-imap/* /etc/courier-imap/
3. Put this line in /etc/rc.local to start Courier-IMAP at boot time:
   mkdir -p /var/run/courier-imap && /usr/local/libexec/authlib/authdaemond start
4. Edit your config files in /etc/courier-imap, then generate OpenSSL certificates with the mkimapdcert script.
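The steps above as one re-runnable shell function, added here as an example and not taken from the book or from Courier-IMAP: it creates the directory, copies only the default files that do not already exist (so an edited config is never clobbered), and appends the rc.local start line only if it is not already there. The ROOT argument is an assumed prefix so the function can be exercised against a scratch directory instead of /.

```shell
# Added example: Courier-IMAP post-install steps, safe to run more than once.
# ROOT is a hypothetical prefix: "" on a real system, a scratch dir for testing.
courier_postinstall() {
    root=$1
    conf="$root/etc/courier-imap"
    examples="$root/usr/local/share/examples/courier-imap"
    rclocal="$root/etc/rc.local"
    startline='mkdir -p /var/run/courier-imap && /usr/local/libexec/authlib/authdaemond start'

    # Step 1: the configuration directory (no-op if it already exists)
    mkdir -p "$conf" || return 1

    # Step 2: copy the shipped defaults, but never overwrite a file already edited
    for f in "$examples"/*; do
        [ -e "$f" ] || continue
        dest="$conf/$(basename "$f")"
        [ -e "$dest" ] || cp "$f" "$dest" || return 1
    done

    # Step 3: add the boot-time start line to rc.local exactly once
    touch "$rclocal" || return 1
    if ! grep -qF "$startline" "$rclocal"; then
        printf '%s\n' "$startline" >> "$rclocal"
    fi

    # Step 4 stays manual: edit the files in $conf, then run mkimapdcert
    # so imapd-ssl has a certificate before it is started.
    return 0
}

# How many times the start line is present in rc.local (1 means idempotent).
courier_startline_count() {
    grep -cF 'authdaemond start' "$1/etc/rc.local"
}
```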
7.5.3 Cyrus-IMAPd
There's a memory mapping incompatibility between Cyrus and OpenBSD, so if you use this MDA, you could have some performance problems under heavy loads. Courier-IMAP is a better choice for a full-featured MDA.
If you're committed to using Cyrus anyway, you can find it in /usr/ports/mail/cyrus-imapd. Make sure you check out the DESCR file in the pkg directory to see the warnings, recommendations, and the different flavors you can build.
7.6 OpenLDAP
OpenLDAP is not included with OpenBSD by default, but you can install the client libraries and tools through the /usr/ports/databases/openldap directory. If you want to run an OpenLDAP server on OpenBSD, you need the -server package, which is not compiled by default in Ports. You can either hack the Makefile or use the pkg_add command to install the openldap-client and openldap-server packages.
Once installed, you can find the system-wide client configuration file in /etc/openldap/ldap.conf, or you can create a user-specific client configuration in ~/.ldaprc (the file doesn't exist by default; you have to create it).
Configuring an OpenLDAP server is just as easy: the config file is /etc/openldap/slapd.conf, and there are some sample schemas in /etc/openldap/schema.
To start the slapd and slurpd daemons automatically at boot time, add these two lines to /etc/rc.local (they should go before any LDAP-dependent services if you're running any):
/usr/local/libexec/slapd
/usr/local/libexec/slurpd
Of course, there are a few switches that can be run with these daemons, so if you need to do more than just this basic configuration, see the slapd and slurpd manpages. There is also more to configuring OpenLDAP, but such configuration has nothing to do specifically with OpenBSD. There are, however, many LDAP-specific manpages in OpenBSD 4.0:
ldap
ldap.conf
slapd
slapd.conf
slapd.access
slapacl
slapadd
slapauth
slapcat
slapdn
slapindex
slaptest
slappasswd
slurpd
ldappasswd
ldapmodify
7.7 NFS
If you need to run an NFS server on OpenBSD, edit /etc/rc.conf and change the NO to a YES in these lines:
nfs_server=NO # see sysctl.conf for nfs client configuration
portmap=NO # Note: inetd(8) rpc services need portmap too
Then scroll down a bit and find this line:
nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver
These default options should be fine for most people. The -tu flags mean that both TCP and UDP clients will be served, and the -n 4 flag sets the concurrent connections to four, so up to four clients will be able to connect at once. Set this to a higher number if necessary, but if you do, edit the /etc/sysctl.conf file and uncomment this line and change the 4 to the same number you just set in rc.conf:
#vfs.nfs.iothreads=4 # number of nfsio kernel threads
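An added example (not from the book) of the check the paragraph above calls for: it reads the -n value out of nfsd_flags in rc.conf and compares it with the vfs.nfs.iothreads setting in sysctl.conf, treating a still-commented sysctl line as the default of 4. The two file paths are passed as arguments, an assumption made so the check can run against copies of the files.

```shell
# Added example: does the nfsd thread count in rc.conf match vfs.nfs.iothreads?

# Print the number following -n in nfsd_flags, whether it is written
# "-tun 4", "-t -u -n 8" or "-n8". Prints nothing if there is no -n.
nfsd_thread_count() {
    sed -n 's/^nfsd_flags="\(.*\)".*/\1/p' "$1" |
        sed -n 's/.*-[a-z]*n *\([0-9][0-9]*\).*/\1/p'
}

# Print the active (uncommented) vfs.nfs.iothreads value, or nothing.
nfs_iothreads() {
    sed -n 's/^vfs\.nfs\.iothreads=\([0-9][0-9]*\).*/\1/p' "$1"
}

# Exit 0 when the two agree, counting an absent value on either side as the
# default of 4; exit 1 when nfsd was cranked up but the sysctl was not.
nfs_threads_consistent() {
    rcconf=$1; sysctlconf=$2
    n=$(nfsd_thread_count "$rcconf"); n=${n:-4}
    io=$(nfs_iothreads "$sysctlconf"); io=${io:-4}
    [ "$n" = "$io" ]
}
```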
You'll also want to set your remote mount points in the /etc/exports file (see the exports manpage for details). There are two other NFS-related programs that you should know about: nfsstat, which monitors NFS statistics, and mount_nfs, which mounts NFS volumes.
7.8 NIS
First of all, you do know that OpenLDAP is a more secure, scalable, and in general more modern alternative to NIS, right? If possible, you should use OpenLDAP over NIS. If it's not possible, no big deal: OpenBSD has tools in the base system to handle NIS (or, more accurately, YP, which stands for either Yellow Pages or Yellow Pee, depending on whom you ask). YP is compatible with NIS, but not NIS+.
You can enable YP and set some options for it in /etc/rc.conf:
ypserv_flags= # E.g -1 for YP v1, -d for DNS etc
yppasswdd_flags=NO # "-d /etc/yp" if passwd files are in /etc/yp
Enabling the yppasswdd_flags means that you have to create an /etc/yp file. It's best to read the manpages for yp and ypinit to figure out what has to go into it. You also need to enable portmap in /etc/rc.conf by changing the NO to a YES in the following line:
portmap=NO # Note: inetd(8) rpc services need portmap too
Now go to the /var/yp directory and make sure that the Makefile.yp file is configured properly for your situation. Next you need to create an /etc/defaultdomain file and put this machine's domain name in it. Then type this command, substituting the master domain name you just put into the /etc/defaultdomain file for domainname:
ypinit -m domainname
You'll then be asked a series of questions. Answer them in accordance with your configuration. When the process is complete, YP will be initialized and should start automatically at boot time.
7.9 BIND
BIND version 9.3.2-P1 is part of the OpenBSD base system, so it's installed by default. You can find the generic configuration files in /var/named/etc (the only one that is used is named.conf, which is a clone of named-simple.conf), and your domain zone files go in /var/named/master and /var/named/slave. You might think that /var/named looks a little strange with its /etc and /dev directories and such; the reason for this silliness is that the name daemon runs in a chroot jail with /var/named as the root directory. So if BIND is compromised, the furthest an attacker can get is /var/named and all levels below it.
BIND is started through /etc/rc.conf, and the line you want to enable in specific is:
named_flags=NO # for normal use: ""
Change the NO to "".
7.10 CARP
CARP stands for Common Address Redundancy Protocol, and it's useful for failover protection for networked computers. Basically you create a CARP interface that routes traffic to a group of computers that all share the same IP address. Among those computers, there is one that handles all traffic by default. If that computer fails to properly announce its availability, CARP redirects its traffic to one or more machines. This means that you have to have at least two computers that are configured for the same services and/or contain identical data so that when the main machine fails or experiences too high a load, the backup machine can pick up where the main machine left off. CARP must therefore be configured on at least three machines: the gateway, the primary host, and the backup host. The primary host will advertise its availability at an interval that you specify; if the gateway and the backup host don't receive that advertisement within the allotted time, the backup host will take over until the primary host is available. If your primary host has multiple interfaces that connect to different networks, you can set up a CARP interface for all of them or some of them; it's up to you, but the primary host must match its backup hosts if you want all network traffic to be rerouted to the backup server (or servers).
In the above explanation, the "gateway" machine is just a nickname; it does not have to be your Internet gateway, but since CARP is so frequently used for firewall failover protection, it makes sense in that context. The "gateway" machine could just as easily be a workstation or nearly any kind of server that depends on a persistent network connection to another computer.
Note that CARP doesn't sync your data or settings between machines. If one interface or machine goes down, all CARP does is pass the network connection on to the next available CARP interface (which is presumably but not necessarily on another computer) in the group. For this reason, CARP is frequently paired with pfsync to transfer firewall state, or rsync to transfer data to a failover machine.
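As an added example, not from the book, here is what "the primary host must match its backup hosts" means in terms of the /etc/hostname.carp0 line on each machine: both share the address, vhid and password and differ only in advskew, which is what makes the primary win. The addresses, vhid and password are constructed sample values, and the helper functions are hypothetical.

```shell
# Added example: build the /etc/hostname.carp0 line for a primary and a backup
# host and verify that the two lines form one CARP group with the primary preferred.

# carp_line ADDRESS NETMASK BROADCAST VHID CARPDEV ADVSKEW PASS
# Every member of a group needs the same shared address, vhid and password.
# A member advertises every advbase + advskew/256 seconds (advbase defaults
# to 1), so the host with the lowest advskew advertises fastest and is master;
# a backup gets a higher advskew and only takes over when the advertisements stop.
carp_line() {
    printf 'inet %s %s %s vhid %s carpdev %s advskew %s pass %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# Pull one keyword's value (vhid, advskew, pass, carpdev) out of a line.
carp_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2 \([^ ]*\).*/\1/p"
}

# Exit 0 when PRIMARY and BACKUP describe the same group (shared address, vhid
# and password equal) and the backup's advskew is above the primary's.
carp_pair_ok() {
    p=$1; b=$2
    for key in vhid pass; do
        [ "$(carp_field "$p" "$key")" = "$(carp_field "$b" "$key")" ] || return 1
    done
    # the second word of the line is the shared address
    [ "$(echo "$p" | cut -d' ' -f2)" = "$(echo "$b" | cut -d' ' -f2)" ] || return 1
    ps=$(carp_field "$p" advskew); bs=$(carp_field "$b" advskew)
    [ "$bs" -gt "$ps" ]
}

# Constructed sample: /etc/hostname.carp0 on the two firewalls. Only advskew differs.
PRIMARY_LINE=$(carp_line 192.0.2.1 255.255.255.0 192.0.2.255 1 em0 0 example_pass)
BACKUP_LINE=$(carp_line 192.0.2.1 255.255.255.0 192.0.2.255 1 em0 100 example_pass)
```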