Questions and Answers
Amy Rich
Q I've just started a new job and
inherited a Solaris 8 machine running ipfilter. This machine
acts as the company's gateway to the Internet. I've used ipfilter
and Solaris 8 together before, so I'm not a complete novice here.
The log file is filled with lines claiming that there's a gethostbyaddr
mismatch, though, and I'm not sure what's causing the issue. It
seems to log this error for every host, not just one or two. And
I've verified several of them using dig. Both the A and PTR records
for these hosts match perfectly without any errors. Here are a couple
sample log entries separated by about 12 hours. I've deleted the
different hosts and IPs, since they don't seem to be significant.
Do you know what the issue might be?
Dec 1 00:13:29 gateway.my.domain ipmon[186]: \
[ID 484914 local0.notice] gethostbyaddr: HOST != IP
Dec 1 12:26:05 gateway.my.domain ipmon[186]: \
[ID 484914 local0.notice] gethostbyaddr: HOST != IP
A Since you don't provide
the hostnames and IPs, I can't independently verify that the A and
PTR records match. Since you said that this happens with all packets,
though, you're likely right that it's not the cause of the problem.
I've seen ipfilter act this way if it was compiled for a kernel
that's different from the one running.
Perhaps an OS patch was applied or the machine was upgraded since
the last time ipfilter was built? You might want to turn
down the logging level so that you're only seeing blocked packets,
or, better yet, upgrade/recompile ipfilter on the gateway
machine. If you don't have a compiler on the gateway machine, be
sure to build the software on a reasonably identical machine so
you don't run into the same kernel patch level or library issues.
Q Is there a GUI interface I could
use to configure sendmail instead of modifying the cf file directly?
A You should never modify the cf
file directly. Any modern version of sendmail should be using m4
to generate the cf file from an mc file. That said, Sendmail switch,
from sendmail.com, has a Web-based front end for doing common sendmail
configuration tasks. Various other Sendmail products also integrate
with the GUI front end if you're looking for add-on features.
Some people also opt to use Webmin:
http://www.webmin.com/
with the sendmail module:
http://www.webmin.com/download/modules/
However, this is not an integrated part of sendmail like the commercial
product is. On the other hand, if you're running an MTA other than
sendmail, Webmin might be your best bet for GUI configuration tasks.
Q I'm running FreeBSD 4.9 with Apache
2.0.45 from the ports collection. I installed Apache ages ago, and
it's been running fine ever since. Recently we had a power outage
in our data center and when the machine came back up, Apache wasn't
started. I was able to log in and start it from the script /usr/local/etc/rc.d/apache2.sh,
though. I looked through the log files and couldn't see anything
suspicious. I installed Apache on one of the clone test boxes and
rebooted it to see if I could reproduce the problem. Indeed, Apache
didn't start at boot time but would start when I ran the init script
by hand. I'm rather baffled here, so any pointers would be useful.
A I suspect your problem might
be that you haven't enabled apache2 in /etc/rc.conf. If your
/usr/local/etc/rc.d/apache2.sh looks like the following:
#!/bin/sh
# Pull in the rc.subr helper functions (checkyesno, load_rc_config, ...)
. /usr/local/etc/rc.subr
name="apache2"
rcvar=`set_rcvar`
command="/usr/local/sbin/httpd"
pidfile="/var/run/httpd.pid"
required_files=/usr/local/etc/apache2/httpd.conf
# Defaults used when /etc/rc.conf does not set these variables
[ -z "$apache2_enable" ] && apache2_enable="NO"
[ -z "$apache2ssl_enable" ] && apache2ssl_enable="NO"
[ -z "$apache2_flags" ] && apache2_flags=""
[ -z "$apache2limits_enable" ] && apache2limits_enable="NO"
[ -z "$apache2limits_args" ] && apache2limits_args="-e -U www"
load_rc_config $name
checkyesno apache2ssl_enable && apache2_flags="-DSSL $apache2_flags"
checkyesno apache2limits_enable && \
start_precmd="/usr/bin/limits ${apache2limits_args}"
sig_reload=SIGUSR1
run_rc_command "$1"
you should have added something like the following to /etc/rc.conf
when you installed apache2:
# APACHE2
# Set to "NO" by default. Set it to "YES" to enable apache2
apache2_enable="YES"
# Set to "NO" by default. Set it to "YES" to start apache with SSL
# (if <IfDefined SSL> exists in httpd.conf)
apache2ssl_enable="NO"
# Set to "NO" by default. Set it to yes to run limits $limits_args
# just before apache starts.
apache2limits_enable="NO"
# Set to "" by default. Extra flags passed to start command
apache2_flags=""
# Default to "-e -U www". Arguments of pre-start limits run.
apache2limits_args="-e -U www"
You might also want to verify that you're not experiencing temporary
DNS issues when the machine first boots. If you're using hostnames
to bind Apache, then those names must be resolvable when Apache starts.
That sort of problem should show up in error output, though.
If you're still having issues, you might try modifying your startup
script to turn on debugging and/or trace the execution of httpd.
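The check described in this answer can be run across every local rc.d script at once. The following is an added example, not code from the column or from the Apache port; it assumes each script sets name= as the apache2.sh script above does and is enabled by a <name>_enable variable, and it uses constructed sample files in a temporary directory.

```sh
#!/bin/sh
# Added example (not from the column): list rc.d scripts that will not
# start at boot because <name>_enable is not a "yes" value in rc.conf.

# Truth values accepted by rc.subr's checkyesno (case-insensitive).
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# rc_value CONF VAR: print VAR as set by CONF, or NO when it is unset.
rc_value() {
    case "$2" in   # accept only plain shell variable names before eval
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "NO"; return 0 ;;
    esac
    ( . "$1" >/dev/null 2>&1; eval "printf '%s\n' \"\${$2:-NO}\"" )
}

# disabled_services RCD_DIR CONF: print the name of each *.sh script in
# RCD_DIR whose <name>_enable is not enabled in CONF.
disabled_services() {
    for script in "$1"/*.sh; do
        [ -f "$script" ] || continue
        name=$(sed -n 's/^name="\{0,1\}\([A-Za-z0-9_]*\)"\{0,1\}[[:space:]]*$/\1/p' \
            "$script" | head -n 1)
        [ -n "$name" ] || continue
        is_yes "$(rc_value "$2" "${name}_enable")" || echo "$name"
    done
}

# Constructed sample: two scripts, only one enabled in rc.conf.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'name="apache2"\n' > "$dir/apache2.sh"
    printf 'name="othersvc"\n' > "$dir/othersvc.sh"
    printf 'othersvc_enable="YES"\n' > "$dir/rc.conf"
    disabled_services "$dir" "$dir/rc.conf"
    rm -rf "$dir"
}
demo
```

On a real host the call would be disabled_services /usr/local/etc/rc.d /etc/rc.conf; the configuration file is sourced in a subshell, the same way rc reads it.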
Q We're running sendmail 8.12.11
on our primary mail servers, and we're using a number of DNSBLs
to reject spam from various bad hosts. This is working fine, but
I want to customize the error message that people receive when we
bounce their mail. I've achieved the simple case of this, but I
want to expand it to be a multi-line response. Right now we have
the following example in our sendmail.mc file:
FEATURE(`dnsbl', `dnsbl.njabl.org', `"550 5.7.1 ACCESS DENIED \
to "$&{client_addr}" by dnsbl.najbl.org \
(see http://njabl.org/)"', `')dnl
I'd like to change it to something like the following so people stop
contacting us directly about their rejected email. As you can see,
I've added \n\n to indicate newlines:
FEATURE(`dnsbl', `dnsbl.njabl.org', `"550 5.7.1\n\nYour message
to our server has been rejected because your IP
address,\n\n$&{client_addr}, is listed in the database at
dnsbl.najbl.org. We here at\n\n(ISP NAME) do not have the
ability to remove you from this list.\n\nIf you feel that this
listing is in error, please visit\n\nhttp://njabl.org/ and
contact them directly.', `')dnl
The \n characters are not recognized as newlines, though, so
I was hoping you could point me at something that would work.
A Stock sendmail does not support
multi-line messages as part of a dnsbl feature line. You can use
a milter to obtain this behavior, or you can upgrade and try one
of the experimental patches to 8.13 that Joe Maimon posted to Usenet.
Documentation on the patch and how to recompile sendmail to use
it is available at:
http://www.jmaimon.com/sendmail/
The patches themselves can be found at:
http://www.jmaimon.com/sendmail/patches/
Q We're trying to come up
with a solution to do backups of one of our filesystems. I suggested
tar, but I'm not certain that will do the job adequately. Does
tar handle sparse files correctly? If not, is there something
that will, besides doing a full dump/restore? We only want to back
up partial data sets, not the entire filesystem.
A You don't mention which operating
system or version of tar you are using, and the answer is
heavily dependent on that information. If you are using a sparse
file-compatible tar, the option to preserve sparse files
is often -S. Generally, the information about the location
of holes in sparse files is something provided by the kernel. The
program star, available from:
http://freshmeat.net/projects/star/
will read this data when available, such as in earlier versions of
Solaris. From the star documentation:
* accurate sparse files star is able to reproduce holes in sparse
files accurately if the OS includes the needed support functions.
This is currently true for Solaris-2.3 to Solaris-2.5.1.
From star manpage:
On Solaris-2.3 ... Solaris-2.5.1 there is a special ioctl() called
_FIOAI that allows root to get the allocation info more efficiently.
Other operating systems lack support to get the real allocation
list and force star to scan the files to look for blocks that only
contain null characters. This may cause star to assume more holes
to be present than the number that the file really contains.
On some OSs, the cp and mv utilities will preserve
sparse files, but these may not fit your needs if you're trying
to bundle/compress your backups into a single file. Other possibilities
you might want to look at include pax and cpio.
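Whether a given tar actually preserves holes is easy to test before trusting it with backups. The following is an added example, not from the column or from the tar or star projects; it assumes GNU tar for the -S option and a filesystem that supports sparse files, and the file names are constructed.

```sh
#!/bin/sh
# Added example (not from the column): does a tar round trip keep a
# sparse file sparse? Assumes GNU tar for the -S option.

apparent_bytes() { wc -c < "$1" | tr -d ' '; }       # logical file length
allocated_kb()   { du -k "$1" | awk '{print $1}'; }  # space used on disk

# roundtrip TAR_OPTS: create a file that is one 16 MB hole followed by
# 8 bytes of data, archive and restore it with "tar TAR_OPTS", and print
# "<apparent bytes> <allocated KB>" for the restored copy.
roundtrip() {
    work=$(mktemp -d) || return 1
    mkdir "$work/src" "$work/dst"
    printf 'payload\n' |
        dd of="$work/src/sparse.img" bs=1 seek=16777216 2>/dev/null
    # $1 is left unquoted so an empty option string expands to nothing.
    tar -c $1 -f "$work/backup.tar" -C "$work/src" sparse.img &&
        tar -x $1 -f "$work/backup.tar" -C "$work/dst" &&
        echo "$(apparent_bytes "$work/dst/sparse.img")" \
             "$(allocated_kb "$work/dst/sparse.img")"
    rc=$?
    rm -rf "$work"
    return $rc
}

echo "tar -S : $(roundtrip -S)"
echo "tar    : $(roundtrip '')"
```

Both runs report the same apparent length; where sparse files are supported, the copy restored without -S occupies the full 16 MB on disk while the -S copy occupies only a few kilobytes.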
Q I've just inherited a SunFire
V880 with a 3310 array attached to it. The filesystem on the array
is out of space, so I need to increase its size. From the documentation,
I can't figure out whether the 3310 is a JBOD or a true hardware
RAID, though, or how many of them I can daisy chain together (if
any). Can you offer some insight on what configurations will work?
A The 3310 array is available in
a few different configurations, so you may have a JBOD or actual
hardware RAID depending on your box(es). The first configuration
is just a vanilla 3310 with 12 disk slots. This is a JBOD and must
be controlled by some sort of RAID software like Sun Volume manager
if you don't want to access each disk separately.
The second configuration is a true hardware RAID unit. You get
the same box, but it can have one or two RAID controllers installed.
The third configuration is a combination of the first two. You have
one 3310 with RAID controllers in it and one 3310 with none (effectively
a JBOD, but controlled by the RAID controllers in the first box).
You can add up to two expansion units for a total of 36 disks.
You can tell whether you have a JBOD or a RAID unit by using the
sccli command and querying the unit. The following is partial
output from a show configuration issued to a 3120 JBOD unit,
for example:
/usr/sbin/sccli
sccli> show configuration
* inquiry-data
Vendor: SUN
Product: StorEdge 3120 D
Revision: 1159
Peripheral Device Type: 0x3
Page 80 Serial Number: 0069D6
Device Type: Enclosure
* enclosure-status
Id  Chassis  Vendor  Product ID       Rev   Package  Status
--------------------------------------------------------------
 5  0069D6   SUN     StorEdge 3120 D  1159  1159     OK
Enclosure Component Status:
Type      Unit  Status  FRU P/N   FRU S/N  Add'l Data
--------------------------------------------------------------
Fan       0     OK      370-6193  651402   --
Fan       1     OK      370-6193  651333   --
PS        0     OK      370-6193  651402   --
PS        1     OK      370-6193  651333   --
Temp      0     OK      370-6195  0069D6   temp=25
Temp      1     OK      370-6195  0069D6   temp=25
Temp      2     OK      370-6193  651402   temp=26
Temp      3     OK      370-6195  0069D6   temp=25
Temp      4     OK      370-6195  0069D6   temp=25
Temp      5     OK      370-6195  0069D6   temp=25
Temp      6     OK      370-6193  651333   temp=23
DiskSlot  0     OK      370-6195  0069D6   addr=8,led=off
DiskSlot  1     OK      370-6195  0069D6   addr=9,led=off
DiskSlot  2     OK      370-6195  0069D6   addr=10,led=off
DiskSlot  3     OK      370-6195  0069D6   addr=11,led=off
Q I'm running sendmail
8.12.11 and I've separated my queue directory into multiple different
directories so that the queue containing supposed spam messages is
handled differently from those containing first run messages. I'm
trying to change the number of processes per queue so that the spam
queue has fewer processes and doesn't swamp the machine. Here's the
change I've made to my mc file so far:
define(`QUEUE_DIR', `/var/spool/mqueue/qd*')dnl
QUEUE_GROUP(`mqueue', `F=f, R=75, I=5m, P=/var/spool/mqueue/qd*')dnl
QUEUE_GROUP(`spam', `F=f, R=75, I=60m, P=/var/spool/mqueue/spam*')dnl
I'd like to limit the spam queue to 25 processes total without limiting
the rest of the queue directories at all, but I'm not sure how to
do that.
A From the 8.12.11 documentation
in doc/op/op.txt:
The maximum number of queue runners for an individual queue group
can be controlled via the Runners option. If set to 0, entries in
the queue will not be processed, which is useful to "quarantine"
queue files. The number of runners per queue group may also be set
with the option MaxRunnersPerQueue, which applies to queue groups
that have no individual limit. That is, the default value for Runners
is MaxRunnersPerQueue if set, otherwise 1.
Your mc file excerpt above shows that you've set both queue runners
at 75. If you want to change the spam queue to 25, change your lines
to:
QUEUE_GROUP(`spam', `F=f, R=25, I=240m, P=/var/spool/mqueue/spam*')dnl
You can't explicitly say that there should be no maximum number of
queue runners for a group. You can set the number sufficiently high
by changing the R= value or you can use the MaxRunnersPerQueue
option to set a default that will be applied to any queue group without
a specified R= value. The following example sets the default
value, which is then applied to mqueue, to 1000:
define(`confMAX_RUNNERS_PER_QUEUE', `1000')dnl
QUEUE_GROUP(`mqueue', `F=f, I=5m, P=/var/spool/mqueue/qd*')dnl
Amy Rich has more than a decade of Unix systems administration
experience in various types of environments. Her current roles include
that of Senior Systems Administrator for the University Systems Group
at Tufts University, Unix systems administration consultant, and author.
She can be reached at: qna@oceanwave.com.