1
1 SCO Office Server 4.1 Administration Series Troubleshooting
2
2 Today's Presenter Sean Costello Technical Services Manager Bynari, Inc.
3
3 Abstract SCO Office Server 4.1 Troubleshooting This session covers topics of interest to beginning and experienced mail system administrators wishing to improve their troubleshooting skills and understanding of the SCO Office Mail Server. Focus will be on core components supporting successful mail delivery, logging, configuration, migration and data-store repair. The WebClient and the Connector will be briefly discussed.
4
4 Agenda
Architecture Overview            10 min
Logging                          10 min
Core Components & Configuration  40 min
Migration                        20 min
WebClient & Connector            10 min
5
Architecture Overview Component Diagrams Start Up System & Component Logging
6
6 High Level Mail Flow
[Diagram labels: Postfix, Amavisd, Spamassassin, ClamAV, Global Disclaimers, Postfix, Cyrus Sieve, Cyrus, Connector, Web Client]
7
7 Component Diagram
8
8 Starting SCOoffice Server (1)
[Diagram: components with the step numbers shown on the slide]
1    P86insightserver
2    /etc/init.d/insightserver
3    saslauthd, slurpd, slapd, clamd, amavisd, postfix, cyrus, apache, proftpd, mon
4    slapd
5    slurpd
6    saslauthd
7    clamd
8    amavisd
9*   clamscan
10*  spamassassin
11   postfix
12*  qmgr, pickup, cleanup, trivial-rewrite, local, flush, smtpd
13   cyrus master
14   imapd
15   pop3d
16   apachectl
17   httpd
18   proftpd
19   mon
20*  mon.d scripts
21*  alert.d scripts
9
9 Starting SCOoffice Server (2)
[Diagram: same components and step numbers as on the previous slide]
10
Logging Syslogd Other Log Files
11
11 List of log files
SCO Office uses the following log files:
    /var/adm/syslog
    /opt/insight/logs/amavis.log
    /opt/insight/logs/freshclam.log
    /opt/insight/logs/access_log
    /opt/insight/logs/error_log
12
12 Logging configuration files
Where to specify component logging levels:
    /etc/syslog.conf
    /opt/insight/etc/postfix/master.cf
    /opt/insight/etc/postfix/main.cf
    /opt/insight/etc/amavisd.conf
    /opt/insight/etc/clamav.conf
    /opt/insight/etc/freshclam.conf
    /opt/insight/etc/apache/httpd.conf
    /opt/insight/etc/php.ini
13
13 Syslogd facility
Component             Syslogd Facility
Cyrus IMAP and POP3   local6
Postfix               mail
SASLAUTHD             auth
ProFTPD               authpriv
Mon                   (coming soon)
slapd/slurpd          local4
14
14 Syslog events to monitor
Events to monitor in syslog:
Monitor SMTPD connections:
    egrep "[^s]connect from|client=" /var/adm/syslog
Monitor bounced messages:
    grep status=bounced /var/adm/syslog
Monitor deferred messages:
    grep status=deferred /var/adm/syslog
Monitor Cyrus database errors:
    grep DBERROR /var/adm/syslog
Monitor SASLAUTHD authentication failures:
    grep "auth failure" /var/adm/syslog
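The greps above can be folded into one triage pass that also shows which accounts are collecting authentication failures. This is an added example, not part of the original presentation; the function names and the sample log lines are constructed, and the saslauthd line layout is assumed to be the usual "[user=...]" form.

```sh
#!/bin/sh
# Added example: one-pass triage of the syslog events listed on the slide.
# Sample log lines are constructed for illustration (documentation addresses).

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Feb 14 19:20:01 mail postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Feb 14 19:20:02 mail postfix/smtpd[2101]: 35170199D5: client=unknown[192.0.2.10]
Feb 14 19:20:02 mail postfix/smtpd[2101]: disconnect from unknown[192.0.2.10]
Feb 14 19:20:03 mail postfix/lmtp[2745]: 35170199D5: to=<nobody@example.com>, relay=none, delay=0, status=bounced (User unknown)
Feb 14 19:20:09 mail postfix/smtp[2750]: 4A1B2C3D4E: to=<a@example.net>, relay=none, delay=30, status=deferred (connect timed out)
Feb 14 19:21:10 mail saslauthd[311]: do_auth : auth failure: [user=jdoe] [service=imap] [realm=example.com] [mech=ldap] [reason=Unknown]
Feb 14 19:21:12 mail saslauthd[311]: do_auth : auth failure: [user=jdoe] [service=imap] [realm=example.com] [mech=ldap] [reason=Unknown]
Feb 14 19:21:15 mail saslauthd[311]: do_auth : auth failure: [user=asmith] [service=smtp] [realm=example.com] [mech=ldap] [reason=Unknown]
Feb 14 19:22:00 mail imapd[402]: DBERROR db4: PANIC: fatal region error detected; run recovery
EOF

# Count each event class in a single read of the log.
# "[^s]connect from" skips "disconnect from", as in the slide's egrep.
count_events() {
    awk '
        /[^s]connect from/ { c++ }
        /status=bounced/   { b++ }
        /status=deferred/  { d++ }
        /DBERROR/          { e++ }
        /auth failure/     { a++ }
        END {
            printf "connects=%d bounced=%d deferred=%d dberror=%d authfail=%d\n",
                   c, b, d, e, a
        }
    ' "$1"
}

# Print "<count> <user>" for every account with saslauthd failures,
# highest count first.
authfail_by_user() {
    sed -n 's/.*auth failure: \[user=\([^]]*\)].*/\1/p' "$1" |
        sort | uniq -c | awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# Print only the accounts with at least $2 failures (possible password guessing).
authfail_alert() {
    authfail_by_user "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Demo on the constructed sample; on the server pass /var/adm/syslog instead.
count_events "$SAMPLE_LOG"
authfail_by_user "$SAMPLE_LOG"
echo "accounts with 2 or more failures: $(authfail_alert "$SAMPLE_LOG" 2)"
```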
15
Server Components & Configuration
Apache, Postfix, Cyrus, OpenLDAP, ProFTPD
16
16 List of components
Apache - HTTP(S)
    Web Administration Interface
    Web Client Interface
Postfix - SMTP(S)
    Primary MTA for system
    Site Content Filtering
    Global Disclaimers
Cyrus - IMAP(S) / POP3(S) / LMTP
    POP3 or IMAP Agent
    Sieve Rules
OpenLDAP - LDAP(S)
    Central User Authentication
    Structural Configuration Repository
ProFTP - FTP
    Freebusy Publishing
17
17 Apache
version:           Apache/1.3.29 Server
port listener(s):  HTTP 80, HTTPS 443
user:              apache
groups:            apache
modules:           ssl, php
shell util(s):     Openssl
crontab:           Backup Scripts, Resource Manager
18
18 Apache Files & Directories
rc script:       /opt/insight/etc/rc/apache
home directory:  /opt/insight/htdocs/
configuration files:
    /opt/insight/etc/apache/apache.conf
    /opt/insight/etc/apache/totalapache.conf
    /opt/insight/htdocs/(...)/.htaccess
19
19 Apache Log Files
Log files:
    /opt/insight/logs/error_log
    /opt/insight/logs/access_log
    /opt/insight/logs/ssl-access_log
    /opt/insight/logs/ssl-error_log
    /opt/insight/logs/ssl_engine_log
    /opt/insight/logs/ssl_request_log
Logging configuration file: /opt/insight/etc/apache/totalapache.conf
    ErrorLog logs/error_log
    LogLevel warn
    CustomLog logs/access_log combined env=!VLOG
    SSLLog logs/ssl_engine_log
    SSLLogLevel info
    ErrorLog logs/ssl-error_log
    TransferLog logs/ssl-access_log
    CustomLog logs/ssl_request_log
20
20 Apache Configuration Files The base configuration file apache.conf is generated by the Web Admin interface. Updates made to this file manually must also be reflected in the SCOconfig.xml file.
21
21 Apache Crontab
The Apache crontab is used for initiating:
    Backup scripts (Ldap, Cyrus, configuration files)
    Cleanup backup script
    Resource manager
22
22 Apache Crontab
Things You Should Know:
The appropriate backup script must be modified in the event that the default data storage locations are changed.
    FILELIST="$CONFIGDIRECTORY /opt/insight/var/spool/imap"
    /opt/insight/etc/imapd.conf:
        partition-default: /opt/insight/var/spool/imap
The cleanup backups script is scheduled to run once monthly. Verify that the cleanup backups script is not disabled, and increase the frequency to avoid running out of disk space.
The cleanup backups script removes archives older than 14 days. It must be manually edited to change the retention period.
    /opt/insight/htdocs/is4web/cron/server-cleanup_backup_files.sh:
        DAYS="14"
23
23 Apache Crontab
Things You Should Know:
The resource manager binary initiates the responses to meeting requests sent to resource accounts and updates free/busy information for all users. This process is scheduled to run every 10 minutes.
    /opt/insight/bin/resourcemgr.sh
24
24 Apache Troubleshooting
If the web server will not start for no apparent reason:
1. Make sure that the pid file doesn't already exist.
    # ls -l /opt/insight/var/run/httpd.pid
    -rw------- 1 root sys 6 Feb 14 19:23 /opt/insight/var/run/httpd.pid
If the file exists while the server is stopped, then delete this file...
    # rm /opt/insight/var/run/httpd.pid
25
25 Apache Troubleshooting (cont.)
If the web server will not start for no apparent reason:
2. Increase the LogLevel verbosity by updating the configuration file /opt/insight/etc/apache/totalapache.conf. Change the entry from...
    LogLevel warn
... to...
    LogLevel debug
... save and exit the file, then restart apache...
    # /opt/insight/etc/rc/apache restart
26
26 Apache Troubleshooting (cont.)
If the web server will not start for no apparent reason:
3. Start the apache process directly from the shell to capture console logging...
    # cd /opt/insight/etc/rc
    # ./apache stop
    # /opt/insight/sbin/apachectl start
    dynamic linker : /opt/insight/sbin/httpd : could not open libmhash.so.2
    /opt/insight/sbin/apachectl: 29125 Killed
    /opt/insight/sbin/apachectl start: httpd could not be started
    #_
27
27 Apache Troubleshooting (cont.)
If the web server will not start for no apparent reason:
3. ... we find that the apache server couldn't start because it couldn't locate linked libraries. We could have also found this using ldd like so...
    # cd /opt/insight/sbin
    # ldd ./httpd
    ./httpd needs:
    libcurl.so.2 => /opt/insight/lib/libcurl.so.2
    libldap.so.2 => /opt/insight/lib/libldap.so.2
    /usr/lib/libgnuintl.so.4
    dynamic linker : ./httpd : could not open libmhash.so.2
28
28 Apache Troubleshooting (cont.)
If the web server will not start for no apparent reason:
3. ... in this scenario we know that libmhash.so.2 resides in /opt/insight/lib/, so we found a missing symbolic link. Fix by creating a symlink to the library with the command...
    # ln -s /opt/insight/lib/libmhash.so.2 /opt/K/SCO/oms/4.1.0Ga/opt/insight/lib/libmhash.so.2
    # ldd ./httpd
    ./httpd needs:
    libcurl.so.2 => /opt/insight/lib/libcurl.so.2
    libldap.so.2 => /opt/insight/lib/libldap.so.2
    /usr/lib/libgnuintl.so.4
    libmhash.so.2 => /opt/insight/lib/libmhash.so.2
29
29 Apache Troubleshooting (cont.)
To troubleshoot resourcemgr issues we can initiate it manually by running the shell command
    # su - apache -c '/opt/insight/bin/resourcemgr.sh'
30
30 Apache Question Question: How can I force users to connect to the server via SSL?
31
31 Apache Question
Answer: Admins can force users to be rerouted to https:// via .htaccess files. They can also restrict access to the admin portion of the server from the internet using this same method.
    RewriteEngine On
    # Redirect only when the request did not arrive on the HTTPS port (443)
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^login\.php$ https://www.mydomain.com/login.php [R,L]
32
32 Postfix
version:           Postfix (2.0.20)
port listener(s):  SMTP 25, SMTPS 465, 10025
user:              postfix
groups:            postfix, postdrop
content filter:    Amavisd-new, Global Disclaimers
shell util(s):     newaliases, postconf, postqueue, postmap, postsuper, post-install
33
33 Postfix Files & Directories
rc script:       /opt/insight/etc/rc/postfix
home directory:  /opt/insight/var/spool/postfix
configuration files:
    /opt/insight/etc/postfix/main.cf
    /opt/insight/etc/postfix/master.cf
    /opt/insight/etc/mail/aliases
... LDAP bind cfg files (4.2)
    /opt/insight/etc/postfix/ldap-domains.cf
    /opt/insight/etc/postfix/ldap-forward.cf
    /opt/insight/etc/postfix/ldap-recipient.cf
    /opt/insight/etc/postfix/ldap-sender.cf
    /opt/insight/etc/postfix/ldap-source.cf
... other customizable cfg files
    /opt/insight/etc/postfix/transport
    /opt/insight/etc/postfix/header_checks
34
34 Postfix Configuration Files
There are two primary Postfix configuration files. The first is master.cf. It is not generated by the Web Admin interface. The contents of this file are generally static, but it is customizable based on the customer's needs. Each line describes how a mailer component program should be run. Below are the sections primarily used by Insight Server.
35
35 Postfix Configuration Files
The second file is main.cf. It is generated by the Web Admin interface. Manual updates to this file must also be made in the SCOconfig.xml file if they are to be retained permanently.
    # Generated by SCOoffice Mail Server 4.1.0, 07/21/05 13:42:48
    # Any changes to this file will be lost
    myhostname = giraffe.pdev.sco.com
    mydomain = pdev.sco.com
    myorigin = $mydomain
    mydestination = $myhostname,$mydomain
    mynetworks = 127.0.0.1,192.168.0.22
    relay_domains = $mydestination
    local_recipient_maps = $alias_maps ldap:ldapsource
    alias_maps = hash:/opt/insight/etc/mail/aliases
    alias_database = hash:/opt/insight/etc/mail/aliases
    #transport_maps =
    mailbox_transport = lmtp:unix:/opt/insight/var/imap/socket/lmtp
    smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
36
36 Postfix Logging Configuration
log file: /usr/adm/syslog [postfix]
Logging configuration file: /opt/insight/etc/postfix/main.cf
    smtp_tls_loglevel = 0
    smtpd_tls_loglevel = 0
    syslog_facility = mail
    syslog_name = postfix
* Logs TLS (transport layer security) activity
37
37 Postfix Logging Configuration
Logging configuration file: /opt/insight/etc/postfix/master.cf
    #===============================================================
    # service        type  private unpriv chroot wakeup maxproc command + args
    # ...
    #===============================================================
    smtp             inet  n       -      n      -      -       smtpd -vv
    qmgr             fifo  n       -      n      300    1       qmgr -v
    lmtp             unix  -       -      n      -      -       lmtp -v
    smtp-amavis      unix  -       -      n      -      3       smtp -v
    127.0.0.1:10025  inet  n       -      n      -      -       smtpd
After adding -v to this file for debug output, reload Postfix.
    # /opt/insight/sbin/postfix reload
38
38 Anatomy of Postfix: Mail Delivery
[Diagram labels: sendmail, postdrop, pickup, smtpd, cleanup, trivial-rewrite, qmgr, local, smtp, pipe, active, incoming messages, incoming, maildrop, bounce]
39
39 Postfix Shell Utilities
newaliases
Generates the system aliases file '/opt/insight/etc/mail/aliases.db' from the source file '/opt/insight/etc/mail/aliases'.
    # /opt/insight/bin/newaliases
postconf
Displays the currently running Postfix configuration parameters and their settings.
    # /opt/insight/sbin/postconf | grep mynetworks
postqueue -p
Displays the current contents of the Postfix queue.
    # /opt/insight/sbin/postqueue -p
postqueue -f
Flushes the current contents of the Postfix queue. Used to initiate an immediate delivery retry for the items in the Postfix queue.
    # /opt/insight/bin/postqueue -f
40
40 Postfix Shell Utilities (cont.)
postmap
Used to compile text files into Berkeley DB binaries. The command below creates the file transport.db used for Postfix transport entries as specified in main.cf. This utility can also be used to generate the aliases.db file generated by the newaliases command.
    # /opt/insight/sbin/postmap /opt/insight/etc/postfix/transport
postmap -fq
This command is used to test regexp: files with simulated "strings" as if called from main.cf at runtime.
    # /opt/insight/sbin/postmap -fq myemail@example.net \
        regexp:/opt/insight/postfix/mydesintations
    myemail@example.net
postsuper -d
Deletes the message with the specified queue ID. postsuper is used to manipulate the Postfix queue contents: placing items on hold, releasing them from hold, requeueing, and purging.
    # /opt/insight/sbin/postsuper -d D67B9D8
41
41 Postfix Shell Utilities (cont.)
post-install
Used to reset the queue directory structure and permissions. You must also fix permissions on the main.cf file so that apache can write to it when the configuration is pushed through the web admin interface.
    # /opt/insight/etc/postfix/post-install set-permissions \
        command_directory=/opt/insight/sbin
    # cd /opt/insight/etc/postfix
    # chmod 775 main.cf
    # chown root:apache main.cf
    # ls -l main.cf
    -rwxrwxr-x 1 root apache 2765 Feb 14 19:22 main.cf
42
42 Postfix Troubleshooting
The majority of SCO Office Server issues concern Postfix configuration or delivery. Troubleshooting this component goes in this order...
1. Does it start?
If Postfix will not start properly, this is almost always due to a configuration entry in the /opt/insight/etc/postfix/main.cf file. To check for this condition, grep the log file for a fatal error entry; you will see something along the lines of...
    postfix/cleanup[26411]: fatal: open dictionary: need "type:name" form instead of: "test"
Any time you see fatal in the logs regarding Postfix, it's a sure sign that there is a problem with the configuration of Postfix.
43
43 Postfix Troubleshooting (cont.)
2. Will it relay mail for clients via SMTP?
Generally speaking, Postfix will often be capable of sending email via SMTP before it can send locally. This is because local delivery requires the use of both SMTP and LMTP, while relaying outside the domain only requires SMTP. If it will not relay mail for clients, there are a number of possible reasons discussed in the FAQ on this topic.
44
44 Postfix Troubleshooting (cont.)
3. Will it deliver mail locally?
First, determine whether Postfix is configured to accept mail for the domain you are sending mail to. The settings that determine this are 'mydestination', which specifies the domains that are local to this server, and 'relay_domains', which lists the domains that this server will accept mail for (this is useful when using this server as an alternate MX destination in DNS).
Testing Postfix can be accomplished through a port 25 connection from an IP address not listed in $mynetworks, attempting to send an email to root@example.com using the following command sequence...
    # telnet 192.168.4.100 25
    EHLO sco.com
    MAIL FROM:test@sco.com
    RCPT TO: root@example.com
// at this point you will either receive a '554 : Relay access denied' or a '250 Ok', which means it accepts mail for this domain on this server.
    DATA
    This is a test message.
    .
    quit
45
45 Postfix Troubleshooting (cont.)
3. (cont.) After validating that the server will accept mail for this domain, we move on to the next step in the process. There are two possible reasons for local delivery failure if the server is accepting mail for the domain: either it can't bind to the LDAP server to validate the local_recipient_maps entry, or it knows it's a local address but can't successfully deliver via lmtp:.
The first issue is easy to spot in the logs...
    fatal: ldap:/opt/insight/etc/postfix/main.cf(0,100): table lookup problem
Cat the file contents to find out what the bind credentials should be, then test these as discussed in the OpenLDAP section using the ldapsearch utility.
46
46 Postfix Troubleshooting (cont.)
3. (cont.) The second is also easy to spot in the logs...
    postfix/lmtp[27745]: 35170199D5: to=, relay=/opt/insight/var/imap/socket/lmtp[/opt/insight/var/imap/socket/lmtp], delay=0, status=bounced (host /opt/insight/var/imap/socket/lmtp[/opt/insight/var/imap/socket/lmtp] said: 550-Mailbox unknown. Either there is no mailbox associated with this 550-name or you do not have authorization to see it. 550 5.1.1 User unknown (in reply to RCPT TO command))
This always relates to the defaultdomain entry in the /opt/insight/etc/imapd.conf file.
47
47 Postfix Question
Question: My users can only send email internally via SMTP. When external addresses are specified they get "Relay access denied".
48
48 Postfix Question
Answer: This error is the result of Postfix's configuration to restrict delivery to authenticated users or to connections coming from ranges specified in the mynetworks parameter in the main.cf configuration file. Ranges supplied via the mynetworks entry are generally internal network numbers or the specific IP addresses of machines the server is known to relay SMTP traffic for. For all other circumstances authenticated SMTP is required.
IC2: to specify SMTP authentication in Outlook go to Tools > Accounts > View or change existing > select the POP3 account name > Change > More settings > Outgoing Server tab and check the box that says "Myserver requires SMTP authentication".
IC3: to specify SMTP authentication in Outlook go to Tools > Accounts > View or change existing > select the Insight Connector IMAP account > Change > Advanced Tab and check the box that says "SMTP server requires authentication". Customers concerned about sending uid/pwd in the clear should also click the checkbox titled "Use Transport Layer Security (TLS)".
49
49 Postfix Question
Answer: (cont.)
Pix firewall: there is a known issue with the Cisco Pix Firewall using a protocol hardening technique. This process allows SMTP delivery to Postfix but breaks the SMTP authentication ability of Postfix. To disable this, use the following option in the Pix configuration...
    no fixup protocol smtp
Postfix: the configuration entry called "mynetworks" is specified in the web admin interface at Configuration > Services > Postfix. The default setting for the mynetworks configuration entry is localhost and the box's own IP address, like so...
    # /opt/insight/sbin/postconf | grep mynetworks
    mynetworks = 127.0.0.1,192.168.3.211...
50
50 Postfix Question
Answer: (cont.)
Networks in this configuration entry are comma separated values. Whenever a four octet number is specified by itself without a network number, the assumption is that it is host specific. The following line is exactly the same as above...
    mynetworks = 127.0.0.1/32,192.168.3.1/32
When no network portion of the configuration value is supplied, then /32 is implied. If we wanted to append a class C subnet for an internal network it would look as follows...
    mynetworks = 127.0.0.1,192.168.3.1,172.16.8.0/24
This would mean that any source IP address on the 172.16.8.1-255 range would be allowed to relay SMTP traffic through Postfix without authentication. Any number of bits for the network address may be specified (0-32).
CAUTION: The IP portion of the network number MUST be a valid network boundary for the number of bits specified. If it is not, then Postfix may start but will not deliver mail locally or otherwise.
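The boundary rule in the CAUTION above can be checked before a value is written to main.cf. The following is an added example, not part of the original presentation: the function names are hypothetical, it covers only plain IPv4 entries (no IPv6, "!" exclusions or table lookups), and it assumes 64-bit shell arithmetic.

```sh
#!/bin/sh
# Added example: verify that each IPv4 entry of a mynetworks value sits on a
# valid network boundary for its prefix length (a bare address means /32).

# Dotted quad -> 32-bit integer on stdout; non-zero exit on malformed input.
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # Reject empty, leading-zero (octal in shell arithmetic) and long octets.
        case $octet in ''|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Check one entry such as 172.16.8.0/24; prints a verdict, returns 0 if valid.
check_entry() {
    addr=${1%%/*}
    case $1 in */*) bits=${1#*/} ;; *) bits=32 ;; esac
    case $bits in ''|*[!0-9]*|0?*|???*)
        echo "BAD $1 (prefix length must be 0-32)"; return 1 ;;
    esac
    [ "$bits" -le 32 ] || { echo "BAD $1 (prefix length must be 0-32)"; return 1; }
    n=$(ip_to_int "$addr") || { echo "BAD $1 (not an IPv4 address)"; return 1; }
    hostmask=$(( (1 << (32 - bits)) - 1 ))
    if [ $(( n & hostmask )) -ne 0 ]; then
        net=$(int_to_ip $(( n & ~hostmask & 4294967295 )))
        echo "BAD $1 (host bits set; the /$bits network is $net)"
        return 1
    fi
    echo "OK $1"
}

# Check a whole comma-separated value; returns non-zero if any entry is bad.
check_mynetworks() {
    rc=0
    set -f                       # no filename expansion while splitting
    old_ifs=$IFS; IFS=', '
    set -- $1
    IFS=$old_ifs
    set +f
    for entry in "$@"; do
        check_entry "$entry" || rc=1
    done
    return $rc
}

# Demo: the slide's example value plus one entry with host bits set.
check_mynetworks "127.0.0.1,192.168.3.1,172.16.8.0/24,172.16.8.1/24" ||
    echo "mynetworks needs fixing before it goes into main.cf"
```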
51
51 Postfix Question Question: I have created a new Domain. Postfix is rejecting mail to all users in the Domain.
52
52 Postfix Question
Answer: The mydestination parameter in the main.cf file must list all Domains hosted by the server.
53
53 Postfix Question Question: Postfix is rejecting mail for some users in a Domain but not others.
54
54 Postfix Question
Answer: This is due to a pre-MP1/MP2 bug that set the Ldap attributes mailSenderAccess and mailRecipientAccess to a value of OK when the 'Send only local mail' or 'Receive only local mail' restrictions were turned off for the user. These two attributes should only be present when these restrictions are turned on. The correct values for these attributes when the restriction is enabled are:
    mailSenderAccess = local_sender_only
    mailRecipientAccess = local_recipient_only
Occurrences of these attributes = OK need to be removed from Ldap.
55
55 Postfix Question
To Fix:
1. Verify the domain for the users is listed in the mydestination parameter in the main.cf file.
2. Use ldapsearch to identify the users with the incorrect attribute settings.
    # ldapsearch -x -D cn=admin -w admin o mailrecipientaccess
    # Scott Simmons, pdev.sco.com
    dn: cn=Scott Simmons,o=pdev.sco.com
    mailRecipientAccess: OK
3. Use the ldapmodify utility to remove instances of mailSenderAccess = OK and mailRecipientAccess = OK.
    # ldapmodify -x -D cn=admin -w admin
    dn: cn=Scott Simmons,o=pdev.sco.com
    changetype: modify
    delete: mailRecipientAccess
    modifying entry "cn=Scott simmons,o=pdev.sco.com"
    #
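When many users are affected, steps 2 and 3 can be chained: the sketch below turns saved ldapsearch output into ldapmodify input that deletes only the OK values and leaves legitimate local_sender_only / local_recipient_only restrictions in place. It is an added example, not part of the original presentation; the function name is hypothetical, the Jane Doe and John Roe entries are constructed, and folded or base64 ("dn::") LDIF is skipped rather than decoded.

```sh
#!/bin/sh
# Added example: build ldapmodify input that removes only the stray
# "OK" values of mailSenderAccess / mailRecipientAccess.

SAMPLE_LDIF=$(mktemp)
trap 'rm -f "$SAMPLE_LDIF"' EXIT
# Constructed ldapsearch output; the first entry is the one on the slide.
cat > "$SAMPLE_LDIF" <<'EOF'
# Scott Simmons, pdev.sco.com
dn: cn=Scott Simmons,o=pdev.sco.com
mailRecipientAccess: OK

# Jane Doe, pdev.sco.com
dn: cn=Jane Doe,o=pdev.sco.com
mailSenderAccess: OK
mailRecipientAccess: local_recipient_only

# John Roe, pdev.sco.com
dn: cn=John Roe,o=pdev.sco.com
mailSenderAccess: local_sender_only
EOF

# Read LDIF from file $1 and print one "changetype: modify" record per entry
# that carries an OK value. Naming the value in the delete means an entry
# that also holds a legitimate restriction keeps it.
ok_cleanup_ldif() {
    awk '
        function emit(   i) {
            if (dn != "" && nmods > 0) {
                print dn
                print "changetype: modify"
                for (i = 1; i <= nmods; i++) {
                    print "delete: " mods[i]
                    print mods[i] ": OK"
                    print "-"
                }
                print ""
            }
            dn = ""; nmods = 0
        }
        /^dn:: / { emit(); next }          # base64 DN: skip this entry
        /^dn: /  { emit(); dn = $0; next }
        /^$/     { emit(); next }          # blank line ends an entry
        NF == 2 && $2 == "OK" {
            a = tolower($1)                # attribute names are case-insensitive
            if (a == "mailsenderaccess:")    mods[++nmods] = "mailSenderAccess"
            if (a == "mailrecipientaccess:") mods[++nmods] = "mailRecipientAccess"
        }
        END { emit() }
    ' "$1"
}

# Demo: print the change records for review. Once reviewed, the saved output
# can be applied with ldapmodify -x -D <bind dn> -W -f <file>.
ok_cleanup_ldif "$SAMPLE_LDIF"
```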
56
56 Postfix Question Question: Mail is getting stuck in the mail queue and in the maillog I see "Mail loops back to myself". What's wrong?
57
57 Postfix Question
Answer: When this happens, it means that when Postfix sees the email's destination address it doesn't consider the domain to be local. Check the Configuration > Services > Postfix > mydestination entry. The default appears as below...
    # /opt/insight/sbin/postconf | grep mydestination
    mydestination = $myhostname,$mydomain
By default the machine's hostname (FQDN) and domain are Postfix variables that are considered to be local destinations. This is not a requirement, and additional domains can be appended to this list separated by a comma as follows...
    mydestination = $myhostname,$mydomain,example.com,example.net
Restart Postfix with these settings and Postfix will consider the domains example.com and example.net as local destinations.
58
58 Postfix Question Question: When users send to a single unknown recipient in a list of users the server responds with no transport available. I would rather the server send the email to the known recipients and only bounce the email to the unknown address. How do I configure Postfix to do this?
59
59 Postfix Question
Answer: If the address for a local destination domain is not found in the LDAP database or in the system aliases, the SMTP server initiates a 550 error "Unknown local recipient" in the actual SMTP connection. There are times when you may wish to suppress this behavior, such as the use of luser_relay or other delivery scenarios. In these cases you must update the Postfix configuration entry from...
    local_recipient_maps = $alias_maps ldap:/opt/insight/etc/postfix/ldap-source.cf
... to...
    local_recipient_maps =
After restarting Postfix, the server will bounce only the email destined to the unknown recipient and deliver the message to all other addresses.
60
60 Postfix Question Question: How do I configure Postfix to use a relayhost that requires authentication?
61
61 Postfix Question
Answer: Perform the following steps to configure Postfix to use authentication in its SMTP relayhost connection:
1. Update the existing Postfix entry...
    relayhost = mail.example.com
In /opt/insight/etc/postfix/main.cf, add the lines:
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/opt/insight/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noplaintext,noanonymous
62
62 Postfix Question
Answer: NOTE: The above entries must also be added to the configuration file /opt/insight/htdocs/is4web/xml/config.xml in Insight Server. This will allow the entries to also be seen from the Web Admin interface.
2. Next create the file /opt/insight/etc/postfix/sasl_passwd with the information you use to log in to your mail account for example.com:
    mail.example.com user:password
3. Then create the postfix database by logging in as root and running:
    # /opt/insight/sbin/postmap /opt/insight/etc/postfix/sasl_passwd
4. Finally restart Postfix...
    # /opt/insight/etc/rc/postfix restart
63
63 Recommended Reading The Book of Postfix: State-of-the-Art Message Transport by Ralf Hildebrandt, Patrick Koetter (Paperback)
64
64 Cyrus
version:           Cyrus IMAP4 v2.2.10
port listener(s):  IMAP 143, POP3 110, IMAPS 993, POP3S 995, SASL 2003, Sieve 2000
user:              cyrus
groups:            cyrus, mail
rules filter:      Sieve
shell util(s):     reconstruct, ctl_mboxlist, ctl_cyrusdb, db_recover, sieveshell, nc
65
65 Cyrus Files & Directories
rc script:          /opt/insight/etc/rc/cyrus
home directory:     /opt/insight/var/cyrus
default partition:  /opt/insight/var/spool/imap
configuration files:
    /opt/insight/etc/cyrus.conf
    /opt/insight/etc/imapd.conf
    /opt/insight/etc/saslauthd.conf
log file: /usr/adm/syslog (imap, pop3, master)
66
66 Cyrus configuration files
The Cyrus server component actually consists of various processes, each performing a specific task. All of these tasks are controlled by the cyrus master. There is a specific process started for imap, pop3, saslauthd, sieve, and lmtp. Each of these is spawned by the cyrus master process, and the startup parameters can be found in /opt/insight/etc/cyrus.conf as shown below. This configuration file for the most part remains static and is not generated by the Web Admin interface.
The only parameter that may need to be tuned is the lmtpunix line, which on larger installations may need to be increased. The 'maxchild=10' throttles the number of threads available for the local delivery of messages. If you increase the 'local_destination_concurrency_limit' in the Postfix configuration, you must also increase the maxchild parameter so that processes are available to receive the increased number of local delivery attempts.
67
67 Cyrus configuration files
The primary configuration file used to configure the Cyrus server is the imapd.conf file. This file is generated by the Web Admin interface, so any changes would also need to be applied to the config.xml to make them permanent. The majority of imapd.conf entries remain static except for three. Two of these entries are only changed upon initial installation, while the third reflects every domain available to log in to the imap server.
partition-default designates the root directory used for the file system level mail store of messages.
defaultdomain is, in the majority of cases, also the primary domain on the server. Occasionally when Postfix is unable to send to lmtp this setting can be the root cause. Postfix logs an access denied while writing to the lmtp socket.
loginrealms represents every domain hosted on the server and is used by saslauthd to search domains in LDAP. If all users from a particular domain are unable to log in to the server, then the configuration of this entry is always the culprit.
68
68 Cyrus shell util(s)
reconstruct
    # su - cyrus -c '/opt/insight/bin/reconstruct -rfx "user"'
- This is used to manually reconstruct the Cyrus files used for tracking folder contents. If reconstruct can find existing header and index files, it attempts to preserve any data in them that is not derivable from the message files themselves. The state reconstruct attempts to preserve includes the flag names, flag state, and internal date. Reconstruct derives all other information from the message files.
NOTE: reconstruct does not update the quota files, so if it was run on a folder with a quota it is advisable to run the quota command with the -f option to update these files as well.
    # su - cyrus -c '/opt/insight/sbin/quota -f'
ctl_mboxlist
    # su cyrus -c "/opt/insight/bin/ctl_mboxlist -d" > /opt/insight/var/imap/mboxlist-backup.txt
- ctl_mboxlist is used to perform various administrative operations on the mailbox list database. This use of the command dumps the contents of the mailbox database to a flat file called mboxlist-backup.txt.
    # su cyrus -c "/opt/insight/bin/ctl_mboxlist -u < /opt/insight/var/imap/mboxlist-backup.txt"
- Imports the same flat file into the database, thus building the mailboxes.db file from scratch.
NOTE: The original mailboxes.db file should be removed between the two commands.
69
69 Cyrus shell util(s) cont.
ctl_cyrusdb
    # su cyrus -c "/opt/insight/bin/ctl_cyrusdb -r"    // repairs the Cyrus database
    # su cyrus -c "/opt/insight/bin/ctl_cyrusdb -c"    // checkpoints the transaction log for the Cyrus database
- This command is used to recover the Cyrus databases after an application or system failure. The -c option checkpoints and archives the databases. Changes to the database which are part of committed transactions are written to disk. Also, a hot backup of the databases is made and inactive log files are removed.
db_recover
    # su cyrus -c "/opt/insight/bin/db_recover -v -h /opt/insight/var/imap/db"
- The db_recover utility must be run after an unexpected application, DB, or system failure to restore the database to a consistent state. All committed transactions are guaranteed to appear after db_recover has run, and all uncommitted transactions will be completely undone.
sieveshell
    # /opt/insight/bin/sieveshell -a jdoe localhost
You will receive an error if you do not edit the sieveshell script and modify the following line...
    exec perl -x -S $0 ${1+"$@"} # -*-perl-*-
... to read...
    exec /opt/insight/bin/perl -x -S $0 ${1+"$@"} # -*-perl-*-
70
70 Cyrus shell util(s) cont. Sieveshell (cont)
71
71 Cyrus shell util(s) cont.
nc
    # echo ". login admin admin\n. list \"user/jdoe/*\" *\n. logout\n" | /opt/insight/bin/nc localhost 143
    * OK mail2.example.com Cyrus IMAP4 v2.2.10 server ready
    . OK User logged in
    * LIST (\HasNoChildren) "/" "user/jdoe/Calendar"
    * LIST (\HasNoChildren) "/" "user/jdoe/Contacts"
    * LIST (\HasNoChildren) "/" "user/jdoe/Deleted Items"
    * LIST (\HasNoChildren) "/" "user/jdoe/Drafts"
    * LIST (\HasNoChildren) "/" "user/jdoe/Journal"
    * LIST (\HasNoChildren) "/" "user/jdoe/Junk E-mail"
    * LIST (\HasNoChildren) "/" "user/jdoe/Notes"
    * LIST (\HasNoChildren) "/" "user/jdoe/Outbox"
    * LIST (\HasNoChildren) "/" "user/jdoe/Sent Items"
    * LIST (\HasNoChildren) "/" "user/jdoe/Tasks"
    * LIST (\HasChildren) "/" "user/jdoe/test"
    . OK Completed (0.000 secs 13 calls)
    * BYE LOGOUT received
    . OK Completed
- The netcat utility is great for writing quick scripts for IMAP command sequences. This first command demonstrates how to retrieve a list of folders for the user jdoe. Now we can take this output and create another IMAP command sequence, such as getacl for each of the folders found...
    # echo ". login admin admin\n. list \"user/jdoe/*\" *\n. logout\n" | /opt/insight/bin/nc localhost 143 | grep "^* LIST" | awk -F '"' '{print ". getacl \""$4"\""}'
72
72 Cyrus Troubleshooting
With Cyrus there are generally three types of issues:
1. The user is unable to log in, which indicates an issue with saslauthd. Check the bind credentials in the saslauthd.conf file used for connecting to the LDAP database.
2. "I can't delete or rename this folder." First attempt to rename or delete the folder directly in IMAP using the ". rename" or ". delete" commands, which has the least impact on the server. If this doesn't work, see the FAQ for exporting the mailbox list to a text file so that these types of folders can be manually deleted from the database. You must then import the updated flat file, thus deleting any reference to the folder in the mailboxes.db file.
3. The user's folder list appears to have multiple sets of root folders or displays folders that you can't select through the web admin interface. Under these circumstances the admin should reconstruct the user's folders. See the reconstruct shell command mentioned above.
73
73 Authentication
[Diagram: SASL AUTHENTICATION; labels: smtpd, saslauthd, slapd, imapd/pop3d, cyrus master]
saslauthd: …/etc/saslauthd.conf
    ldap_servers: ldap://127.0.0.1/
    ldap_filter: login=%u
smtpd: …/lib/sasl2/smtpd.conf
    pwcheck_method: saslauthd
    mech_list: plain login
imapd/pop3d: …/etc/imapd.conf
    sasl_pwcheck_method: saslauthd
cyrus master: …/etc/cyrus.conf
    imap cmd="imapd -p 2 …
    pop3 cmd="pop3d" …
74
74 Cyrus Question Question: I know I have new messages in my Inbox but I can't see them when I log in via IMAP or POP3. In the log file I see an error that refers to a DBERROR. What's wrong?
75
75 Cyrus Question Answer: These are usually caused when the database that contains the user information is in a file lock state. If the error continues perform a database recovery.

# /etc/init.d/insightserver stop
# ps -aux |grep slapd (Be sure all slapd processes are killed)
# /etc/init.d/insightserver recover
# /etc/init.d/insightserver start

It is also possible to see the errors with a specific user. In this case this may be a corrupted .seen file. To resolve the issue locate the file and delete it. When Cyrus sees that the .seen file is missing it will automatically recreate it, alleviating the DBERROR condition. The name and location of the file is dependent on the user id. The format is:

/opt/insight/var/imap/user/[a-z]/{uid}.seen

Therefore if we were looking for the user jdoe's .seen file it would be in the following location...

/opt/insight/var/imap/user/j/jdoe.seen
76
76 Cyrus Question Question: How do I dump the folder list from the Cyrus IMAP database to a text file that I can edit and then use to repair or rebuild the Cyrus database?
77
77 Cyrus Question Answer: To do this run the following command from a shell...

# /opt/insight/etc/rc/cyrus dump

This will create a dump file in the cyrus user's home directory (/opt/insight/var/cyrus/) called mboxlist-{date}.txt.

*Before starting the procedure it would be a good idea to have a current backup of the mailstore.

You can now edit this file and remove the folder that is causing the problem. You will also want to rm -rf the specific folder structure causing the issue in the user's mailstore at the file system level.
78
78 Cyrus Question Answer: (cont.) If the folder name was "d@ntdothis" in user jdoe's mailbox the rm command would look like...

# rm -rf /opt/insight/var/spool/imap/j/user/jdoe/d\@ntdothis

You can now use the updated file to rebuild the folder list and permissions for the Cyrus database from scratch using the following command sequence...

...move the "mailboxes.db" on the server...

# mv /opt/insight/var/imap/mailboxes.db /opt/insight/var/imap/mailboxes.db.old
# cd /opt/insight/var/imap
# rm -fr *.db db/* db.*
# su cyrus
# /opt/insight/bin/ctl_cyrusdb -r
# /opt/insight/bin/ctl_cyrusdb -c
# /opt/insight/bin/ctl_cyrusdb -r
# /opt/insight/bin/ctl_mboxlist -u < /path/to/cyrus/dump/mboxlist-xxxxx.txt

...now reconstruct the mail store...

# su - cyrus -c '/opt/insight/sbin/reconstruct -rfx "user"'
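The dump-edit-reload procedure above relies on editing the dump by hand. As an added example (not part of the original presentation or the vendor's tooling), this shell function removes one folder and its sub-folders from a copy of the dump and refuses to prune a whole user; the tab-separated line layout, the "." level separator and the sample entries are assumptions and constructed data.

```shell
#!/bin/sh
# Added example: scripted edit of a Cyrus mboxlist dump.
# Assumption: one mailbox per line, mailbox name first, fields separated by
# TABs, hierarchy levels in the name separated by "." (override with arg 4).

# write_sample_dump FILE - constructed sample entries for trying the function
write_sample_dump() {
    printf '%s\tdefault\tjdoe\tlrswipcda\t\n' \
        'user.jdoe' \
        'user.jdoe.Calendar' \
        'user.jdoe.d@ntdothis' \
        'user.jdoe.d@ntdothis.sub' \
        'user.jdoe.d@ntdothis2' > "$1"
}

# prune_mboxlist DUMP MAILBOX OUT [SEP]
# Writes DUMP minus MAILBOX and its sub-folders to OUT and prints the number
# of entries removed. Returns 1 if nothing matched, 2 on bad input.
prune_mboxlist() {
    dump=$1 target=$2 out=$3 sep=${4:-.}
    [ -r "$dump" ] || { echo "cannot read $dump" >&2; return 2; }
    [ "$dump" != "$out" ] || { echo "OUT must differ from DUMP" >&2; return 2; }
    # Accept only user<sep><uid><sep><folder>: never a whole user or the root.
    case $target in
        user"$sep"?*"$sep"?*) ;;
        *) echo "refusing to prune '$target'" >&2; return 2 ;;
    esac
    : > "$out"
    removed=$(awk -F '\t' -v t="$target" -v s="$sep" -v out="$out" '
        # the entry itself, or a child whose name starts with "<target><sep>"
        $1 == t || index($1, t s) == 1 { n++; next }
        { print > out }
        END { print n + 0 }' "$dump")
    if [ "$removed" -eq 0 ]; then
        rm -f "$out"
        echo "no entry for '$target' in $dump" >&2
        return 1
    fi
    echo "$removed"
}
```

Compare OUT with the original dump using diff before passing it to ctl_mboxlist -u.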
79
79 OpenLDAP

version: OpenLDAP: 2.1.29
port listener(s): LDAP 389, LDAPS 636
user: root
groups:
shell util(s): ldapsearch, ldapmodify, ldapadd, ldapdelete, ldapmodrdn, slapcat, slapindex, slapadd
80
80 OpenLDAP Files & Directories

rc script: /opt/insight/etc/rc/slapd
home directory: /opt/insight/var/openldap-data
configuration files:
/opt/insight/etc/openldap/slapd.conf
/opt/insight/etc/openldap/slurpd.conf
log file: /usr/adm/syslog slapd[], slurpd[]
81
81 OpenLDAP Container Structures

The LDAP schemas included in the default slapd configuration file are as follows:

include /opt/insight/etc/openldap/schema/core.schema
include /opt/insight/etc/openldap/schema/cosine.schema
include /opt/insight/etc/openldap/schema/inetorgperson.schema
include /opt/insight/etc/openldap/schema/insight.schema

The LDAP schema used consists of domain containers (dc=), organizational units (o=), and nested groups (ou=) as container objects. These containers retain the individual records (cn=). Any objectclass included in the default schemas may be referenced by the records. One example of a general objectclass would be inetorgperson, as defined in the inetorgperson.schema file. The additional fields used to store various aspects of the records are documented in the FAQs regarding LDIF importing into OpenLDAP.

The rootdn is always “cn=admin” and the object classes used by SCO Office Server records are insightPerson, insightResource, insightService or insightAlias. The default objects created upon installation are the cn=admin, the service account, and the domain name of the server.
82
82 OpenLDAP Container Structure

# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# admin
dn: cn=admin
cn: admin
objectClass: insightAdmin
login: admin
sn: admin
userPassword::
mail: admin@pdev.sco.com

# InsightServer
dn: cn=InsightServer
cn: InsightServer
insightServerVersion: 4.1.0
insightAllowUserAliasCreate: TRUE
objectClass: insightServer
insightServerState: single

# pdev.sco.com
dn: o=pdev.sco.com
objectClass: insightDomain
objectClass: insightOrganization
dc: pdev.sco.com
insightAllowUserAliasCreate: YES
insightLocalDomain: OK
o: pdev.sco.com
description: pdev.sco.com
83
83 OpenLDAP shell util(s)

ldapsearch

# /opt/insight/bin/ldapsearch -x -h osr.bynari.net -D "cn=admin" -w admin -b 'o=bynari.net' dn | grep "^dn:"
dn: o=bynari.net
dn: cn=John Doe,o=bynari.net

- This utility opens a connection to an LDAP server, binds, and performs a search using specified parameters. The filter should conform to the string representation for search filters as defined in RFC 2254. If not provided, the default filter, (objectClass=*), is used. If ldapsearch finds one or more entries, the attributes specified by attrs are returned. If * is listed, all user attributes are returned. If + is listed, all operational attributes are returned. If no attrs are listed, all user attributes are returned. If only 1.1 is listed, no attributes will be returned. In the example, ldapsearch searches only the organizational unit o=bynari.net and only the dn: entries are returned.

ldapmodify

# /opt/insight/bin/ldapmodify -x -h osr.bynari.net -D "cn=admin" -w admin
dn: cn=John Doe,o=bynari.net
changetype: modify
mailForward: jdoe@example.net
modifying entry "cn=John Doe,o=bynari.net"

- Some of the changetype: values supported by ldapmodify are add, modify, delete, and modrdn.
84
84 OpenLDAP shell util(s) cont.

slapindex

# /opt/insight/sbin/slapindex

- Slapindex is used to regenerate slapd indices based upon the current contents of a database. It opens the given database determined by the database number or suffix and updates the indices for all values of all attributes of all entries.

slapcat

# slapcat > /tmp/bynari.ldif

- This utility is used to generate an LDAP Directory Interchange Format (LDIF) output based upon the contents of a slapd database. It opens the given database determined by the database number or suffix and writes the corresponding LDIF to standard output or the specified file. The LDIF generated by this tool is suitable for use with slapadd. As the entries are in database order, not superior first order, they cannot be loaded with ldapadd without being reordered.

slapadd

# cat /tmp/bynari.ldif |/opt/insight/sbin/slapadd -c

- This utility is used to add entries specified in LDAP Directory Interchange Format (LDIF) to a slapd(8) database. It opens the given database determined by the database number or suffix and adds entries corresponding to the provided LDIF to the database. The LDIF input is read from standard input or the specified file. As slapadd is designed to accept LDIF in database order, as produced by slapcat, it does not verify that superior entries exist before adding an entry, does not perform all user and system schema checks, and does not maintain operational attributes (such as createTimeStamp and modifiersName).
85
85 OpenLdap Question Question: My LDAP server won't start and none of my users can log in. How do I recover the LDAP database?
86
86 OpenLdap Question Answer: The following commands will recover the LDAP database...

# /etc/init.d/insightserver stop
# ps -ea |grep slapd
2854 ? 00:00:00 slapd
// if the process is still running manually kill it.
# kill -9 2854
# /opt/insight/etc/rc/slapd recover
87
87 OpenLdap Question Question: How do I start LDAP in debug mode?
88
88 OpenLdap Question Answer: To see debugging info logged to the console, perform the following in a shell...

# /opt/insight/etc/rc/slapd stop
# /opt/insight/libexec/slapd -d1 -h "ldap://:389/ ldaps://:636/"

This can be very useful when tracking down erroneous configuration values that customers change in the slapd.conf file.
89
89 OpenLdap Question Question: I’ve forgotten the ‘admin’ password. Can I find out what it is?
90
90 OpenLdap Question Answer:

1. Change the password in the /opt/insight/etc/openldap/slapd.conf file
rootpw

2. Restart slapd
# /opt/insight/etc/rc/slapd restart
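Because the reset above writes the admin secret into slapd.conf, it is worth checking afterwards how that secret is stored and who can read the file. The following audit is an added example, not part of the original presentation; the function names and the sample configuration are constructed, and it never prints the password value itself.

```shell
#!/bin/sh
# Added example: report how rootpw is stored in a slapd.conf.
# Prints "line N: cleartext" or "line N: hashed {SCHEME}" per directive.
# Returns 0 if every rootpw is hashed, 1 if any is cleartext or none is set,
# 2 if the file cannot be read.
audit_rootpw() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        /^rootpw[ \t]/ {                      # commented-out lines do not match
            v = $0
            sub(/^rootpw[ \t]+/, "", v)       # drop the keyword
            gsub(/^"|"[ \t]*$/, "", v)        # drop optional surrounding quotes
            found = 1
            close_at = index(v, "}")
            scheme = ""
            if (substr(v, 1, 1) == "{" && close_at > 2)
                scheme = toupper(substr(v, 1, close_at))
            # {CLEARTEXT} is a valid scheme prefix but protects nothing
            if (scheme == "" || scheme == "{CLEARTEXT}") {
                printf "line %d: cleartext\n", NR
                bad = 1
            } else {
                printf "line %d: hashed %s\n", NR, scheme
            }
        }
        END {
            if (!found) { print "no rootpw directive"; exit 1 }
            exit bad + 0
        }' "$conf"
}

# conf_world_readable FILE - true if "other" has read permission on FILE
conf_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# write_sample_conf FILE VALUE - constructed sample; rootpw lands on line 4
write_sample_conf() {
    printf '%s\n' '# constructed sample' 'rootdn "cn=admin"' \
        '#rootpw old-value' "rootpw $2" > "$1"
}
```

OpenLDAP's slappasswd utility generates a hashed value that can be placed after rootpw in place of a cleartext password.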
91
Migration PST migration Exchange migration
92
92 Migration

Migration Tools: Simple tools with basic functionality for most tasks
GUI: Import PST file (uses readpst)
GUI: Exchange migration wizard (uses readpst)
Command line: migrate.php (uses readpst)
Outlook (File->Import/Export)

New Functionality in MP2a:
Readpst can migrate mail, Calendar and Contacts folders
Readpst can migrate the .seen flags
Organizations can be migrated from Exchange
93
93 Migration Limitations:

Outlook 2003 PST files are not supported. Export the mail to an Outlook 2000 or XP format PST file.

The Exchange 5.5 native address format is X500. It is also known as the Exchange legacy format. Migration of Exchange PST files may result in addresses that are not converted from X500 to SMTP format. In such cases, ‘Reply’ or ‘Reply All’ will not be available for messages that contain X500 format addresses.

Active Directory (AD) can be organized in hundreds of different ways. Because of this flexibility it is difficult to provide a tool that can properly migrate AD Organizations, Groups and Users in all cases. Many sites work properly and some will require manual intervention.
94
94 Migration import-pst.sh shell script

[root@mail2 root]# /opt/insight/htdocs/is4web/bin/import-pst.sh
This utility imports PST files into SCO Office Server.
Would you like to search the directory [/root] for PST files to import? [y/n] n
Syntax: /opt/insight/htdocs/is4web/bin/import-pst.sh {full path to PST file} {password}
Note: If no PST file is specified user is prompted to search the current directory for PST files to import. The password attribute is only required if you would like to import the PST as the user. See documentation for additional details...
95
95 Migration Exchange Server Account Migration:

To find the LDAP Suffix to be used for an Exchange 2000 Server, open a shell on the Insight Server and login as root to run the following commands...

# /opt/insight/bin/ldapsearch -x -h [ip address] -p 3268|more

// this returns the following output...

# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# md1email.testemail.com
dn: DC=md1email,DC=testemail,DC=com

... take above dn: information and add CN=Users, to this line. This is the LDAP Suffix entry to be used.

CN=Users,DC=md1email,DC=testemail,DC=com
96
96 Migration Exchange Server Bind Credentials:

The following command is used to further test the LDAP Suffix and bind credentials to be used during an Exchange migration. From a shell prompt as root run the following command…

# /opt/insight/bin/ldapsearch -x -h [ip address] -p 3268 -D \
"administrator@md1email.testemail.com" -w password \
-o 'CN=Users,DC=md1email,DC=testemail,DC=com';

# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# md1email.testemail.com
dn: DC=md1email,DC=testemail,DC=com...
97
97 Migration Exchange Server Bind Credentials:

In the above line -D represents the account name and -w represents the password used for testing the bind credentials. The '-o' represents the base search string to be tested. The search base portion of this test is optional. If the command doesn't work, remove this option for further testing. If the command still doesn't work, try using the DN for the administrator account instead of the RDN. In this case the DN for this account would be:

CN=Administrator,CN=Users,DC=md1email,DC=testemail,DC=com
98
98 Migration Configuring Postfix to co-exist with Exchange

Postfix Configuration Changes

myhostname = sco.example.net
mydomain = sco.example.net
relayhost = mail.example.net
mydestination = $myhostname, $mydomain
relay_domains = example.net
99
WebClient Things to know
100
100 WebClient

Folders display in Outlook but not in WebClient
Remove the /opt/insight/icc/data/ / /mailsettings file and restart the WebClient

The right-hand side of the toolbar does not display in the Calendar folder
> Set screen resolution 1024x768 minimum
Use normal font size (large may be too big)
Maximize the window
101
101 WebClient

My special folders (Calendar, Contacts etc.) display as if they are ordinary mail folders
The synchronization message which indicates the folder type has been removed. Create the synchronization message as the file 1. and reconstruct the user's folder (script available from Support).
102
Connector 2.5 Duplicates
103
103 Connector 2.5

How to remove duplicates
Support script for type mail folders only
MAPILABS tool – cheap & excellent http://www.mapilab.com/outlook/duplicate_remover/

Preventing Duplicates
Always create a new profile when moving the account to a new server.
Never just change the server hostname in the account configuration.
Never open >1 PST file with active Connector mappings to the same account.
104
Professional Services Assistance What services can SCO PS provide?
105
105 Professional Services Assistance

MS Exchange migration assistance
Email virus protection
Spam filtering
Integration services (LDAP, Exchange)
Business continuity
WebClient customization
Mail appliance customization
Customized training
106
106 Professional Services North America Phone: (831)430-4510 Email: yasmink@sco.com International Phone: 44 1707 22668 Email: rsutton@sco.com On the web www.sco.com/consulting
107
Thank You SCO Office Server 4.1 Troubleshooting