Monday, July 28, 2008

squid proxy server - mini howto

Squid proxy servers are a great way to control Internet browsing for your company. In a previous post I mentioned all the good reasons why you should get one; in this post I will try to show and explain where and how to do this.

You need to edit the main configuration file, located at /etc/squid/squid.conf. The following options in this file are the ones you will most likely need to set:

http_port 8080 - This is where you specify what port the proxy server must listen on. When you set the proxy address and port in Internet Explorer, this is the port number.

cache_mem 64 MB - This line specifies the amount of memory that squid can use for caching. There are many theories out there on how to calculate it, but a good understanding can be obtained from the following criteria ( from www.devshed.com ):

x = size of cache dir in KB (i.e. 6GB = ~6,000,000KB)
y = average object size (just use 13KB)
z = number of directories per first level directory
(((x / y) / 256) / 256) * 2 = # of directories
As an example, I use 6GB of each of my 13GB drives, so:
6,000,000 / 13 = 461538.5
461538.5 / 256 = 1802.9
1802.9 / 256 = 7
7 * 2 = 14
So my cache_dir line would look like this:
cache_dir 6000 14 256

cache_swap_low 80 - When you set your cache_dir to, let's say, 2048 MB or 2 GB, then this value is the low mark ( as a percentage of the cache size ) at which squid stops rotating or cleaning out the cache.

cache_swap_high 90 - Same as the explanation above, but this tells squid when to start freeing up old cache objects: it starts when usage reaches this percentage of the cache size and stops when it gets back down to the cache_swap_low percentage ( 80 percent ).

maximum_object_size 1024 KB - This tells squid not to cache any objects or files larger than 1 MB. The right value depends on how big the squid server is and how fast you want your cache to be, but also on the amount of disk space you have, because you might fill up the space before you know it !

minimum_object_size 0 KB - This specifies the minimum size a file or object must have to be cached; set this to 0 if you don't want to specify anything.

maximum_object_size_in_memory 64 KB - This specifies the largest object or file that is allowed to be kept in the cache_mem amount of memory. This is normally used for small, frequently accessed files; don't make it too high, as it will hog the memory pool.

cache_dir ufs /var/spool/squid 2048 256 256 - This is where you specify the directory and the amount of disk space squid may use for its cache on your server. cache_swap_high and cache_swap_low are percentages of this value, and tell squid when to rotate the cache when it hits the 90 and 80 percent marks.

cache_access_log /var/log/squid/access.log - This tells squid where to write the access details. You will run your reporting software on this file to see who browsed where on the Internet, the amount of bandwidth used, etc. You can use the script below to concatenate the log files each month, so you end up with a directory of monthly access.log archives:

#!/bin/bash
##############################################################################
# Copyright : LDS - www.lds.za.net
#
# Variables : ARCHIVE  - directory where the SQUID files are archived
#           : LOGDIREC - location of the live squid log directory
#           : SQUIDLOG - SQUID log file name
##############################################################################
ARCHIVE=/var/log/archive/squid
LOGDIREC=/var/log/squid
SQUIDLOG=access.log

# Copy the live log to the archive directory and empty it in place
# ( "squid -k rotate" is the cleaner way to make squid release the file )
rm -f $ARCHIVE/$SQUIDLOG
cp -dp $LOGDIREC/$SQUIDLOG $ARCHIVE/$SQUIDLOG
cp /dev/null $LOGDIREC/$SQUIDLOG
cd $ARCHIVE
# Unpack this month's archive ( if there is one ), append the new log and recompress;
# if that fails, keep the unpacked copy under a "failed-YYYYMMDD" name for inspection
[ -f ./`date +'%Y%m'`.gz ] && mv ./`date +'%Y%m'`.gz ./temp.gz && gunzip ./temp.gz
touch ./temp
(cat ./temp $SQUIDLOG | gzip > ./`date +'%Y%m'`.gz) && rm temp || mv temp failed-`date +'%Y%m%d'`
#
# END OF SCRIPT
##############

ftp_user squid@aosl.co.za - This specifies the default username to send to anonymous FTP sites.

auth_param basic program /usr/lib/squid/smb_auth -W CORE -U
The above line sends authentication requests to a Microsoft based authentication server ( normally a domain controller ), using the smb_auth helper.

auth_param basic children 8
auth_param basic realm AOSL Proxy Server
auth_param basic credentialsttl 2 hours

The above lines set options for the authentication module.

client_lifetime 1 hour - This option prevents open connections from hogging the squid process ( e.g. an Internet Explorer browser left open on a PC ).

half_closed_clients off - This works in conjunction with the above line to kill inactive connections.

shutdown_lifetime 3 seconds - This option speeds up the shutdown when you stop squid.

acl password proxy_auth REQUIRED - This option works with the authentication options you have set; it forces authentication when a request comes through.

The options below give you control over which internal IP's can do what, which sites are blocked, etc.

acl openip src "/etc/squid/openip.cfg"
acl badsites dstdomain "/etc/squid/badsites.cfg"
acl opensites dstdomain "/etc/squid/opensites.cfg"
acl restricted_sites dstdomain "/etc/squid/restricted_sites"
acl restricted_users proxy_auth "/etc/squid/restricted_users"
acl priv_sites dstdomain "/etc/squid/priv_sites"
acl priv_users proxy_auth "/etc/squid/priv_users"
acl BONYUSERS dst 160.254.119.0/24

The file names at the end ( which you should create ) explain what each file contains and what it will do for you.

The lines below "activate" the above ACLs. Squid evaluates http_access lines in order and the first match wins, so the order matters:

http_access allow BONYUSERS
http_access allow openip
http_access allow opensites
http_access allow restricted_users restricted_sites
http_access deny restricted_users
http_access allow priv_users priv_sites
http_access deny badsites
http_access allow password
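Once the ACLs above are in place, the access.log named by cache_access_log is what you report on. The script below is an added example (not from the original post) of such reporting: it summarises bandwidth per authenticated user and counts the TCP_DENIED entries that the http_access deny rules and the proxy_auth challenge produce. It runs over a few constructed log lines in squid's native log format; point the functions at /var/log/squid/access.log to run them for real.

```shell
#!/bin/sh
# Added example, not part of the original post: a small reporting script for the
# native-format access.log that the cache_access_log line above produces.
# Native log fields: time elapsed client action/status bytes method URL user hierarchy type
# (the "user" field holds the proxy_auth username, or "-" when the client did not authenticate).

# Constructed sample log lines (not real traffic): two authenticated users and one
# unauthenticated client that was denied twice (a blocked site and a 407 auth challenge).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
1217232000.123    250 192.168.0.15 TCP_MISS/200 15342 GET http://www.example.com/index.html jsmith DIRECT/93.184.216.34 text/html
1217232001.456     12 192.168.0.15 TCP_HIT/200 4021 GET http://www.example.com/logo.gif jsmith NONE/- image/gif
1217232002.789      5 192.168.0.22 TCP_DENIED/403 1843 GET http://blocked.example/ - NONE/- text/html
1217232003.001      3 192.168.0.22 TCP_DENIED/407 1534 GET http://www.example.org/ - NONE/- text/html
1217232004.321    900 192.168.0.31 TCP_MISS/200 204800 GET http://files.example.net/big.zip gbates DIRECT/198.51.100.7 application/zip
EOF

# Bytes sent to each user, largest first; "-" collects unauthenticated requests.
bytes_by_user() {
    awk '{ bytes[$8] += $5 } END { for (u in bytes) print u, bytes[u] }' "$1" | sort -k2 -nr
}

# Bytes sent to one named user ($2), 0 if the user never appears.
user_bytes() {
    awk -v u="$2" '$8 == u { b += $5 } END { print b + 0 }' "$1"
}

# Number of requests squid refused: TCP_DENIED covers both http_access deny hits (403)
# and the 407 challenges issued when "acl password proxy_auth REQUIRED" applies.
denied_count() {
    awk '$4 ~ /^TCP_DENIED/ { n++ } END { print n + 0 }' "$1"
}

# Denied requests per client address; a client racking up denials is worth a look.
denied_by_client() {
    awk '$4 ~ /^TCP_DENIED/ { n[$3]++ } END { for (c in n) print c, n[c] }' "$1" | sort -k2 -nr
}

echo "== bytes per user =="
bytes_by_user "$SAMPLE_LOG"
echo "== denied requests: $(denied_count "$SAMPLE_LOG") =="
denied_by_client "$SAMPLE_LOG"
```

The user field is only meaningful for requests that passed proxy_auth; requests that matched the openip or BONYUSERS ACLs before authentication show up as "-", so per-user totals should be read together with the per-client view.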

The rest of the configuration file is not really needed, but a short explanation for each config line is given inside the /etc/squid directory.

As stated earlier, please post a comment to get more help.

Friday, July 25, 2008

Sendmail support - sendmailreload script

I have made this simple script you can use for your mail server when you need to activate any changes you have made to any of the config files inside the /etc/mail directory. I know I have made a posting before with the script in it, but this one is a bit better, and this post is dedicated to it ;-)

Here is the script:

#!/bin/bash
# Rebuild every sendmail hash map under /etc/mail, then signal the running
# daemon to re-read its configuration instead of restarting it.
MAILDIR="/etc/mail"
cd $MAILDIR || exit 1
makemap hash $MAILDIR/virtusertable.db < $MAILDIR/virtusertable
makemap hash $MAILDIR/mailertable.db < $MAILDIR/mailertable
makemap hash $MAILDIR/access.db < $MAILDIR/access
makemap hash $MAILDIR/aliases.db < $MAILDIR/aliases
makemap hash $MAILDIR/domaintable.db < $MAILDIR/domaintable
newaliases > /dev/null 2> /dev/null
wait
# Send SIGHUP to the listening daemon ( the "accepting connections" process ),
# which makes sendmail re-read its configuration and maps
ps auxw | grep sendmail | grep accepting | awk '{print "kill -HUP "$2}' | sh
echo "Rebuild aliases run now - "`date` >> /var/log/maillog


The reason why it is better to use this script is that once you have a very busy mail server, with a huge amount of mail in the mail queue, you don't want to restart the sendmail service every time you make a change; rather run this script.

Sendmail support - aliases file

Sendmail uses this file to "alias" email to users, groups, script files or even list managers.
With a standard Linux installation, this file is for some reason located in the /etc directory and not in /etc/mail like the rest of the email configuration files.

I believe it is best to keep all the email configuration files in one directory, so I suggest you MOVE the /etc/aliases and /etc/aliases.db files into the /etc/mail directory. Once you have done this, you MUST edit the /etc/mail/sendmail.cf file and change the location where sendmail looks for the aliases file. So edit /etc/mail/sendmail.cf and look for the line:

" O AliasFile=/etc/aliases "

Change this line to read the following:

"O AliasFile=/etc/mail/aliases"

Write and quit the file, and again do a " service sendmail reload " or just run the sendmailreload script I posted previously.

Let's look at the contents and uses of the aliases file.

Option 1:

If you need to forward mail to more than one mailbox, for example sales, then you would use the aliases file. In the virtusertable file you state that sales@lds.za.net goes to user account lin001.

Then in the aliases file, you have the following line to forward the mail to 4 other users as well, even an external mail account; the following is the exact line:

lin001: user1, user2, user3, bill@gates.com
or
sales@lds.za.net: user1, user2, user3, bill@gates.com

Option 2:

If you need to forward mail for a specific user to himself and someone else, because he is on leave, then you would do the following:

jdoe@lds.za.net: \jdoe, user2

The \ in front of the username prevents the mail from looping back to that user. Since the virtusertable already relays the mail to that user, sending it to them again in the aliases file without the \ would create a mail loop.

Option 3:

You need to run a script file when someone sends an email to your server, almost like list managers do, but normally used to send someone a legal disclaimer or something similar. The following line in the aliases file must be used:

disclaimer@lds.za.net: /path/to/script/file

Option 4:

The MD is going overseas on a business trip, and wants his email forwarded somewhere else, or to the branch where he is going; do the following:

ltrovald@lds.za.net: ltrovald@usa.lds.za.net

This will forward all mail to another mail address as specified.

Option 5:

The MD wants his mail to be kept on the server AND sent to the other email address as well; then do the following:

ltrovald@lds.za.net: \ltrovald, ltrovald@usa.lds.za.net


Remember to write and quit the /etc/mail/aliases file, and run the following commands before reloading sendmail:

makemap hash /etc/mail/aliases.db < /etc/mail/aliases
service sendmail reload

That is it, please post comments if you need more help.

Thursday, July 24, 2008

Sendmail support - mailertable file

Sendmail uses this file to forward mail for a whole domain to another host on the Internet or inside your network. Let's say you have an internal Exchange server, and the Linux server acts as a gateway on the Internet: you can send all your email to the Linux server ( MX records ) and from there forward the mail internally to your Exchange server.

The mailertable file can also be used to send an entire domain to one local user by doing:

domainname.com local:username

The virtusertable file can do the same as the above, by adding a line in the virtusertable file like:

@domainname.com username

The syntax to use in the mailertable file to send a domain's email to another host is shown in the following example:

domainname.com smtp:[internalserver.domain.com]

That is it, again like always, send me your comments or questions so we can make this better for you !

Sendmail support - virtusertable file

Sendmail uses this file to do mail routing between all the domains on your mail server. How do you think sendmail copes with all the support@ or sales@ email addresses for all the domains? This file and the aliases file are used to group and relay the email addresses to the correct user on the mail server. There are 5 ways of distributing the mail in this file, which I will show examples for ;-)

Edit this file by typing : " vi /etc/mail/virtusertable "

Inside this file, you need to do the config as follows:

# BEGIN

webmaster@lds.za.net ldsuser1
smith@lds.za.net jsmith
gbates@lds.za.net ldsuser2

# Domain linuxhelp.za.net

webmaster@linuxhelp.za.net lin001
smith@linuxhelp.za.net lin002
gbates@linuxhelp.za.net lin003

# END

As you can see from this example file, we tried to show that you can have exactly the same email address or name for each domain name, and this shows you how you route it to the different users on the system. To create an email user on a Linux server, use the following command; we will use the username lin001 as an example:

useradd -d /home/lin001 -s /bin/false -c "Linuxhelp mail user" -g mail lin001

This creates a user without bash access, so it is a safe way of adding mail users. The -d option is the home directory location; this will NOT move the pop3 mailbox from /var/spool/mail to /home/lin001.

The -s option specifies the login shell; the reason we use /bin/false is to prevent a mail user with a simple password from getting bash access, which would lead to security problems.

The -c option adds a comment to the user's line in the /etc/passwd file to identify it. This works great for spotting any suspicious users that could have been created by a hacker.
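The comment and the /bin/false shell give you something to check against. The script below is an added example (not from the original post) of that check: it lists mail users whose shell was changed to something that allows a login, login-capable accounts that carry no comment at all, and any second UID 0 account. It runs over a constructed passwd file; point the functions at /etc/passwd for a real server. The assumption that ordinary accounts start at UID 500 is mine and is easy to adjust.

```shell
#!/bin/sh
# Added example, not part of the original post: checks over /etc/passwd that use
# the -c comment and -s /bin/false conventions described above to spot accounts
# that do not fit the pattern. It reads a constructed passwd file instead of the
# real one; pass /etc/passwd to the functions to run them for real.
# Assumption: ordinary accounts start at UID 500 (Red Hat style); adjust UID_MIN as needed.
UID_MIN=500

# Constructed sample: three mail users created as described (one later given a real
# shell), an unexplained login account, and a second UID 0 account.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
lin001:x:501:12:Linuxhelp mail user:/home/lin001:/bin/false
lin002:x:502:12:Linuxhelp mail user:/home/lin002:/bin/false
lin003:x:503:12:Linuxhelp mail user:/home/lin003:/bin/bash
svc:x:504:504::/home/svc:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF

# Accounts whose comment marks them as mail users but whose shell allows a login.
mail_users_with_shell() {
    awk -F: '$5 ~ /mail user/ && $7 !~ /(false|nologin)$/ { print $1 }' "$1"
}

# Login-capable accounts at or above UID_MIN with no comment at all: created by hand
# (or by someone else) rather than with the useradd line above.
uncommented_login_accounts() {
    awk -F: -v min="$UID_MIN" '$3 >= min && $5 == "" && $7 !~ /(false|nologin)$/ { print $1 }' "$1"
}

# Any account other than root with UID 0 is effectively a second root.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

echo "mail users with a login shell: $(mail_users_with_shell "$SAMPLE_PASSWD")"
echo "uncommented login accounts:    $(uncommented_login_accounts "$SAMPLE_PASSWD")"
echo "extra UID 0 accounts:          $(extra_uid0_accounts "$SAMPLE_PASSWD")"
```

Run from cron and compare the output against the previous run; a new line in any of the three lists is something to look into.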

Again, just reload sendmail after you have made the changes, or use the sendmailreload script I made.

Sendmail support - local-host-names file

This file is very simple, and does nothing else besides specifying which domain names are hosted on the server. Any domain name found in this file is expected to have entries in the virtusertable file as well. If you have only one domain on this server, then you will have your domain in this file and in the relay-domains file, and only users set up in the /etc/passwd file.

Simply edit the file and add your domain name by issuing the command:

" vi /etc/mail/local-host-names "

Inside this file, add only your domain names, like:

lds.za.net
google.com
linuxhelp.za.net

Write and save the file, and that is it. Add all the domain names you add here into the /etc/mail/relay-domains file as well. You will see that by default the relay-domains file does not exist, so just create it ;-)
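The two rules in this post, that every domain in local-host-names needs virtusertable entries and should also be listed in relay-domains, are easy to forget when a domain is added later. The script below is an added example (not from the original post) that checks both rules. It runs against constructed copies of the three files in a temporary directory; pass the real files under /etc/mail to check a live server.

```shell
#!/bin/sh
# Added example, not part of the original post: consistency check between
# local-host-names, virtusertable and relay-domains as described in this post.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample files: example.org has no virtusertable entries, and
# linuxhelp.za.net was never added to relay-domains.
cat > "$WORK/local-host-names" <<'EOF'
lds.za.net
linuxhelp.za.net
example.org
EOF

cat > "$WORK/virtusertable" <<'EOF'
# BEGIN
webmaster@lds.za.net ldsuser1
smith@lds.za.net jsmith
# Domain linuxhelp.za.net
webmaster@linuxhelp.za.net lin001
@linuxhelp.za.net lin002
# END
EOF

cat > "$WORK/relay-domains" <<'EOF'
lds.za.net
example.org
192.168.0
EOF

# Hosted domains ($1 = local-host-names) with no address in virtusertable ($2):
# mail for them would only reach plain /etc/passwd users.
hosted_domains_without_virtuser() {
    awk -v vut="$2" '
        FILENAME == vut { if ($1 !~ /^#/ && NF) { n = split($1, p, "@"); have[p[n]] = 1 }; next }
        $1 !~ /^#/ && NF && !($1 in have) { print $1 }' "$2" "$1"
}

# Hosted domains ($1) missing from relay-domains ($2), which this post says
# should list every hosted domain as well.
hosted_domains_not_relayed() {
    awk -v rd="$2" '
        FILENAME == rd { if ($1 !~ /^#/ && NF) relayed[$1] = 1; next }
        $1 !~ /^#/ && NF && !($1 in relayed) { print $1 }' "$2" "$1"
}

echo "domains with no virtusertable entries: $(hosted_domains_without_virtuser "$WORK/local-host-names" "$WORK/virtusertable")"
echo "domains missing from relay-domains:    $(hosted_domains_not_relayed "$WORK/local-host-names" "$WORK/relay-domains")"
```

Both functions skip comment and blank lines, and the first one treats a catch-all "@domain user" line as covering the domain, so a domain routed entirely to one user is not reported.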

That is all I can say about that file ;-)

Sendmail Support and Installation

My favorite SMTP mail program of all time is Sendmail. It was obviously the first Linux SMTP MTA I used, and I still use it. There are many more MTA's out there, but this one is mine ;-)


Ok, once you have installed a brand new Linux server, the standard sendmail installation is secure enough not to allow anyone or any other network besides the localhost to send any email. You will see when you do a " netstat -anop | grep LIST " that sendmail is listening on port 25 on 127.0.0.1. This is perfect, since in the old days people would forget that they had not secured their sendmail installations, and become a SPAM host for the Internet.


So the first step is to change the listen IP from 127.0.0.1 to either 0.0.0.0 or the IP of your server. To do this, you need to edit sendmail.cf and make the following changes:


" vi /etc/mail/sendmail.cf "

Inside this file, look for the line that looks like this:


"O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA"


Now, what you need to do is change the MTA to listen on 0.0.0.0 and not just the localhost IP 127.0.0.1, so change the line to:


"O DaemonPortOptions=Port=smtp,Addr=0.0.0.0, Name=MTA"


Once you have done this, create a file called " relay-domains " in the /etc/mail directory, and in this file put your domain name and the first 3 octets of your IP range, for example 192.168.0 , just that. Only list networks you trust: anything in this file is allowed to relay mail through your server.


Then you can issue the following command to activate your changes:


" service sendmail reload "


You will see that the MTA now listens on 0.0.0.0:25, and by adding your domain name and IP range to that relay-domains file you will be able to start using your mail server.


Below is a script I have written which you can use to activate new changes "on-the-fly" without having to restart sendmail. If you have a sendmail server in an ISP environment, you don't want to restart sendmail all the time; you will run into issues. See the script below:

#!/bin/bash
# Rebuild the sendmail hash maps, then tell the running daemon to re-read them
cd /etc/mail || exit 1
makemap hash virtusertable.db < virtusertable
makemap hash mailertable.db < mailertable
makemap hash access.db < access
newaliases > /dev/null 2> /dev/null
wait
# Send SIGHUP to the listening daemon ( the "accepting connections" process )
ps auxw | grep sendmail | grep accepting | awk '{print "kill -HUP "$2}' | sh
echo "Rebuild aliases run now - "`date` >> /var/log/maillog

Call this file "sendmailreload" or something, make it executable by typing " chmod 755 sendmailreload ", and place it under /usr/sbin.

I will add more pages for sendmail from here, each dedicated to one of the files sendmail uses, like local-host-names, mailertable etc.