My Hero!

Downloads

I offer no warranty other than "it works on my server" for anything listed here.

SA-user-admin
sa-useradmin-0.3.tar.gz

UPDATE: I've stopped development on sa-user-admin in favor of a new project that combines the features of sa-user-admin with simple end-user account management, such as changing their password, forwarding email or setting up an out-of-office/vacation auto responder. It is currently undergoing alpha testing (12/02), and I hope to have a public beta soon.

NOTE: The seekable patch is no longer needed for vpopmail as of 5.3.7, thanks to Bill Shupp!

Vpopmail seekable patch - this is a diff against the 5.1.4 development version. It has also been tested against 5.1.6 and 5.1.7, but it is unknown if it will work with other versions.
seekable-5.1.4.diff

Vpopmail 5.2 seekable patch - this is just mirrored from www.thesafebox.com. I'll make the same warning that Marcus does: WARNING: This is completely untested but it does compile. I will also say that it does work on my system. I've also included this patch in the tarball for sa-useradmin-0.3, so if you grab that, you don't need to grab this as well.
seekable-5.2.diff

This is a diff that I've submitted to Ken Jones to clean up some of the zone file and named.conf parsing in dnsadmin, and to store some of the options from named.conf in the mysql database as well. This is against the 0.4 release of dnsadmin, and I believe that Ken will be adding some things to it and making a 0.5 release sometime soon.
dlw-dnsadmin-0.4.diff

qmail

I've been doing a lot of work lately with qmail and vpopmail in an Enterprise setting. So far, I've built two qmail clusters as well as a number of qmail + vpopmail installations. Like most hard core geeks, I've come up with my own list of preferred patches to qmail. You can find my latest list, along with a combined diff of all of them, over on the CTS qmail webpage.

Hi there....welcome to my little part of the web. This is where I'm going to experiment with CSS, talk about some of my hobbies and put up some of the code I'm working on. I'm one of the owners of a website hosting company. I work on all things technical there, and I even sometimes get to play with neat toys doing it!

I'm going to try doing this page in all CSS, including layout. No font tags, no tables to structure the page. Just div tags wrapped around things to handle the positioning. Weee! It promises to be fun. I'm glad I've got "Cascading Style Sheets: The Definitive Guide" from O'Reilly on my shelf. I don't think I could survive in this business without my collection of titles from O'Reilly. If you're looking for a good book on a technical subject, and O'Reilly publishes one, stop looking and buy it :). Of course, if you're reading this and you're using NS 4.x, it doesn't look as good as in a more modern browser because of the way that NS 4.x parses style sheets. But I did get NS 4.x to do the basic positioning. Not the way I'd really like it to look, but it has the same basic structure and layout, it's just not as pretty. Bite me, NS4!!

For fun, I do historical reenactment. I belong to a group called The Society for Creative Anachronism (SCA). I was the Chief Information Architect for the SCA, responsible for the corporate web page, as well as developing a number of internet related projects. The first one to be completed was the On-line Marketplace, and it's doing great!

In my copious free time, I hack on various things to make my life as a system administrator easy. For starters, we use the Apache web server. For e-mail, we use qmail, which I think is a much better choice than sendmail. Then, to make things simple for virtual domains, we use vpopmail and qmailadmin. I've started to hack on dnsadmin (from the same guys that brought us vpopmail and qmailadmin!) for dns administration. And these days, you can't offer e-mail services without offering a web based mail reader, so sqwebmail to the rescue!

Lately, viruses have been getting a lot of press, so I'm currently doing an evaluation of RAV Antivirus, which actually does the scanning at the mail server level, before the message even gets into the user's mailbox. So far, I'm pretty impressed with it, and the pricing is reasonable. Worth checking out.

And what mail admin's life wouldn't be complete without a healthy dose of spam? Well, as the postmaster, I get a lot of spam. I've been looking for a solution for years. The various RBLs only stop so much. Well, in my surfing and reading of mailing lists, I found SpamAssassin, and I have to say, it rocks! SpamAssassin doesn't block spam per se (although I believe it can work with other tools to bounce mail under some circumstances), but it does look at the messages, applies a bunch of rules (details on the SpamAssassin webpage) and "scores" the e-mail. If the score reaches a configurable level, then it is tagged as potential spam. It supports white lists, so if e-mail from friends and family is coming up with a high score, you can tell SA not to check their mail. It also has a black list, so you can always tag something as spam. SA can also store user preferences in an SQL backend (like MySQL), which makes it very convenient for users to control their individual settings.

There is a PHP user admin interface available that is pretty good, but I didn't like my authentication options. I wanted to authenticate not only against the system user files (/etc/passwd and /etc/shadow), but against vpopmail's as well, so there wasn't a separate password required. So, SA-user-admin was born. I just finished up some modifications to it, as well as incorporating a user patch I was sent, so it now supports version 2.x of SpamAssassin. It should be considered beta code - but it works on my server :-D. There's a link to the tar file on the left, along with some other useful tidbits, like the seekable patch for vpopmail (needed if you want to use SA with vpopmail).

I just finished playing around with pop and imap over ssl, using courier-imap. Overall, I'd have to say it's pretty easy, especially if you have openssl installed. The only real gotcha is if you're using the self-signed pop and imap certificates that courier-imap generates, your Outlook Express users are going to get a warning about the certificate every time they start OE and check mail for the first time. The warning (at least in OE 6) looks like this. I believe OE5 and OE5.5 are similar.

[Image: Certificate Warning]

I've also just found out (01/20/2002) that this will also work with the TLS/SSL patch to qmail (either directly, via Bill Shupp's qmail-toaster patch, or via my mega-qmail patch). You can either symlink control/servercert.pem to the imap or pop certificate from courier-imap (if the hostname is the same) or generate a new certificate (if the hostname is different). The certificate needs to be owned by qmaild:qmail. This isn't a problem if you're running courier-imap and/or courier-pop3d as root. If you're running it as a different user, you may need to copy the certificate into control/, or see if you can run courier-imap/pop3d as qmaild:qmail. I haven't tested this with a copy of qmail that hasn't been patched with one of the outgoing-ip patches that are available. If you're not running one of these, you may get a hostname mismatch error from your MTA. Thanks to my buddy Josh for pointing me in the right direction and helping me debug the procedure!

The solution (at least for Outlook Express, Netscape 6.2.x and Mozilla) isn't that hard:

  1. Create a local Certificate Authority (CA)
  2. Create a certificate request for your pop and imap servers
  3. Have your CA (from step 1) sign the certificate(s) from step 2
  4. Create the pem file that courier-imap wants
  5. Have your users install your CA's root certificate in IE
  6. Tell your mail program to use ssl for your pop or imap connection

I do plan to investigate the steps required for Netscape Mail and Eudora, but if somebody has already done it, please email me, and I'll put them up!

You'll need the following packages installed to do this:

1. Create a local Certificate Authority

The commands listed here are extracted from The Open-source PKI Book. If you wish to know more about PKI in general, it is the definitive reference. For these steps, you'll need openssl installed. First, we need a workspace that should only be accessible by root. I used /root/CA, but any location will do. Next, generate an RSA key pair:

# openssl genrsa -des3 -out ca.key 2048

You'll see the following after executing this command:

Generating RSA private key, 2048 bit long modulus
.....+++
.........................+++
e is 65537 (0x10001)
Enter PEM pass phrase: enter a password here
Verifying password - Enter PEM pass phrase: re-enter your password here

This will create a 2048-bit RSA key, stored in ca.key. Now, you need to create a self-signed CA certificate:

# openssl req -new -x509 -days 3652 -key ca.key -out ca.crt

You'll see the following after executing this command:

Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase: enter your password for the key here
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Pennsylvania
Locality Name (eg, city) []:Horsham
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WebMasters, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:WebMasters, Inc.
Email Address []:certs@webmast.com

This will create a self-signed certificate called ca.crt valid for 10 years. The file names (ca.key and ca.crt) are important, as the sign.sh shell script that comes with mod_ssl looks for these specific file names. That's it, you now have a root certificate ready to be used to sign other certificates or to be installed in a browser!

2. Create a certificate request for your pop and imap servers

Ok, now that you've created a self-signed CA certificate, it's time to generate the certificate(s) for your pop and imap servers. The number of certificates you need depends on how many host names you are using. If you use the same host name for both (e.g., mail.example.com) then you only need a single certificate. Basically, you need a certificate for each unique host name. The instructions are the same for each. The only difference is the Common Name, and possibly the Organizational Unit Name. Let's get started!

# openssl genrsa -out pop3d.key 2048

This will create a 2048-bit RSA key that doesn't require you to enter a password when the pop3d-ssl or imapd-ssl server starts. The output from this command is very similar to when you created the key for the CA, except you won't be prompted for a password.

Now that you have a key, let's generate a Certificate Signing Request (CSR):

# openssl req -new -key pop3d.key -out pop3d.csr

Using configuration from /usr/lib/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Pennsylvania
Locality Name (eg, city) []:Horsham
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WebMasters, Inc.
Organizational Unit Name (eg, section) []:WMI pop-3 mail server
Common Name (eg, YOUR name) []:pop3.webmast.com
Email Address []:postmaster@webmast.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Sign the certificate(s) with your CA certificate

Ok, now that we've generated the pop3d.csr, let's sign it with our CA's key (adjust the path to sign.sh as needed):

# /usr/lib/ssl/mod_ssl/sign.sh pop3d.csr
CA signing: pop3d.csr -> pop3d.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'Pennsylvania'
localityName :PRINTABLE:'Horsham'
organizationName :PRINTABLE:'WebMasters, Inc.'
organizationalUnitName:PRINTABLE:'WMI pop-3 mail server'
commonName :PRINTABLE:'pop3.webmast.com'
emailAddress :IA5STRING:'postmaster@webmast.com'
Certificate is to be certified until Jan 19 21:42:14 2003 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: pop3d.crt <-> CA cert
pop3d.crt: OK

4. Create the pem file.

Now you need to create the pem file in the format that courier-imap wants. First, you'll need to edit the pop3d.crt created when you signed the csr. The sign.sh script includes a human-readable description of the certificate. We want to delete all those lines, and only have:

-----BEGIN CERTIFICATE-----
MIIDtzCCAp8CAQEwDQYJKoZIhvcNAQEEBQAwgY4xCzAJBgNVBAYTAlVTMRUwEwYD
VQQIEwxQZW5uc3lsdmFuaWExEDAOBgNVBAcTB0hvcnNoYW0xGTAXBgNVBAoTEFdl
.
.
.
BBL3CLqzb6ZMHSm+6eVr2RrsaePChPhb+/1PCgvJESqVEoR4RO5RHywiyg==
-----END CERTIFICATE-----

Ok, now combine the pop3d.key and pop3d.crt files into pop3d.pem:

# cat pop3d.key pop3d.crt > pop3d.pem

And now add the Diffie-Hellman parameter block that courier-imap wants:

# openssl gendh >> pop3d.pem
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
..........+.............++*++*++*++*++*++*

Copy the pop3d.pem file into the default certificate directory for courier-imap and make sure that it's not group or world read/write:

# cp pop3d.pem /usr/lib/courier-imap/share/
# chmod 0600 /usr/lib/courier-imap/share/pop3d.pem
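Steps 1 through 4 above as one non-interactive script, added here as an example and not code from the original page. It makes a few substitutions, all of them assumptions on my part rather than the page's procedure: the interactive DN prompts are replaced by `-subj`, mod_ssl's sign.sh by `openssl x509 -req` followed by the same `openssl verify` chain check that sign.sh finishes with, and `openssl gendh` by `openssl dhparam 2048`, because the 512-bit parameters gendh produced are too small to deploy today. The directory, host names and DN values are placeholders. `check_private` is the permission test for the 0600 requirement in this step, and `check_server` is the client-side check you can run after step 6 to confirm the daemon presents a certificate that chains to your CA under the right host name.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes a modern OpenSSL
# (req, x509, verify, dhparam and s_client subcommands). Directory, host name
# and DN values are placeholders; adjust them to your own site.

# Step 1: local CA. The CA key stays passphrase-protected, as on the page.
make_ca() {
    dir=$1
    openssl genrsa -aes256 -out "$dir/ca.key" 2048
    openssl req -new -x509 -sha256 -days 3652 -key "$dir/ca.key" \
        -subj "/C=US/ST=Pennsylvania/L=Horsham/O=Example CA/CN=Example Root CA" \
        -out "$dir/ca.crt"
}

# Step 2: unencrypted server key (so the daemon starts without a prompt)
# and a CSR. One pair per unique host name.
make_csr() {
    dir=$1; host=$2
    openssl genrsa -out "$dir/$host.key" 2048
    openssl req -new -sha256 -key "$dir/$host.key" \
        -subj "/C=US/ST=Pennsylvania/L=Horsham/O=Example/OU=mail/CN=$host" \
        -out "$dir/$host.csr"
}

# Step 3: sign with the CA, then verify the result against the CA cert
# (the same "CA verifying" check that sign.sh finishes with).
sign_csr() {
    dir=$1; host=$2
    openssl x509 -req -sha256 -days 365 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$host.crt"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt"
}

# Step 4a: keep only the PEM block of a certificate file, dropping the
# human-readable dump that sign.sh puts in front of it.
extract_cert() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Step 4b: key + certificate -> pem. The file is created under umask 077 so
# the private key is never group- or world-readable, not even briefly.
assemble_pem() {
    key=$1; crt=$2; out=$3
    ( umask 077; { cat "$key"; extract_cert "$crt"; } > "$out" )
    chmod 0600 "$out"
}

# Step 4c: append DH parameters. 2048 bits instead of the 512 that gendh
# produced; 512-bit DH can be broken with modest resources.
append_dh() {
    openssl dhparam 2048 >> "$1"
}

# Returns 0 only when the file is readable and writable by its owner alone,
# which is what step 4 requires of the pem file.
check_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# After step 6: confirm from a client machine that the server's certificate
# chains to the local CA and carries the expected host name.
check_server() {
    host=$1; port=$2; cafile=$3
    openssl s_client -connect "$host:$port" -CAfile "$cafile" \
        -verify_hostname "$host" -verify_return_error </dev/null >/dev/null
}

# Usage: ./mkpem.sh /root/CA pop3.example.com
if [ $# -eq 2 ]; then
    dir=$1; host=$2
    mkdir -p "$dir" && chmod 0700 "$dir"
    make_ca "$dir"
    make_csr "$dir" "$host"
    sign_csr "$dir" "$host"
    assemble_pem "$dir/$host.key" "$dir/$host.crt" "$dir/$host.pem"
    append_dh "$dir/$host.pem"
    check_private "$dir/$host.pem" && echo "$dir/$host.pem ready"
fi
```

The pem file is written inside a subshell with `umask 077` rather than created with default permissions and chmod'ed afterwards, so there is no window in which the private key is readable by other users on the box; the trailing `chmod 0600` only makes the intent explicit.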

5. Have your users install your CA's root certificate in IE

We're almost done now! The next two steps are IE/OE specific. Other browser and mail program combinations will be added as I have the time to install and test them. This has been tested on IE5.5 and IE6, but IE4 and IE5 should be similar. Move a copy of your ca.crt file to somewhere in your website's document root. Create a link to this file on a page in your website explaining the benefits of pop or imap over ssl to your users. When your user clicks on the link, your root certificate will be downloaded. When prompted to save or open the file, tell your users to open it. This should bring up the IE Certificate Information window. Click on 'Import Certificate'. This will then start the 'Certificate Manager Import Wizard'. Accept the defaults, and you will then be prompted for confirmation at the end that you want to add this certificate to the 'Root Store'. This is where we want it. If your CA certificate is not in IE's 'Root Store', OE will continue to give that warning every time you start it up. That's it, your root certificate is now installed in your users' MS certificate manager, which is used by both IE and OE.

6. Tell OE to use ssl for your pop or imap connection

Hey, you've made it to the final step! This one is pretty easy. In OE, click on Tools -> Accounts, select the account you will be using to get your mail with, click on Properties, then the Advanced tab. Check 'This server requires a secure connection (SSL)'. Close the properties window, and then the account list. That's it, you're now set up to use SSL for your pop or imap connection, and your users won't get that security warning at all!

Using your certificate with Netscape and Mozilla

Netscape 4.7.x is pretty much the same. Go to the link for the root certificate. The certificate import window will open. Click 'Next' three times, then check at least 'Accept this Certificate Authority for Certifying e-mail users', click 'Next' two more times, enter the name of your CA, then click 'Finish'. But, it's pretty much a moot point, because I wasn't able to get IMAP over SSL to work with NS 4.7.x Messenger, and it doesn't even look like it supports POP over SSL.

I just tested the certificate import in Netscape 6.2 and Mozilla 0.9.7 (BuildID: 2001122106), and it pretty much works the same as IE. Click on the link, and the following dialog box comes up:

[Image: Mozilla/Netscape 6 Certificate Import]

Just check at least 'Trust this CA to identify email users', and then click the 'Ok' button. For Netscape/Mozilla mail, go into the account settings, expand the account you want to use SSL with, click on 'Server Settings' and check 'Use secure connection (SSL)'. That's it!

ENJOY!

Dave