Re: reverse name resolution

2004-11-23 Thread Vector
I'm sorry I thought the given config had 0/25 in it.
It has been a while since I was current on RFC2317 but I think it actually 
uses the netmask not the remaining bits that the network is on.

So in the case of a /25 if you have the lower 128 addresses like the 
gentleman who started the thread then it would look like:

0/25.37.247.200.in-addr.arpa
but if he had the upper 128 then it would be more like:
128/25.37.247.200.in-addr.arpa
vec
- Original Message - 
From: "Kilian Krause" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 23, 2004 5:18 PM
Subject: Re: reverse name resolution

well yes (though there was no notion of the /25 in the given config, so
how should i have known).. ;)
Assuming it's the inverse of the DNS it should be a
"7/0.37.247.200.in-addr.arpa" for a /25, right?
(as in 32-25=7)
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]


Re: reverse name resolution

2004-11-23 Thread Kilian Krause
Hi JB,

On Tuesday, 23.11.2004, at 14:39 -0700, JB wrote:
> You are on the right track.  Saying
> zone "0/25.36.247.200.in-addr.arpa"
> has nothing to do with the file/directory.
> The file property inside the section deals with that.
> This is proper RFC2317 reverse delegation but Nate is right in that your ISP 
> must be on the same page with you when they do the delegation.  A couple 
> years ago, I was working with an ISP in southern cal that was big enough to 
> hire a full time DNS administration staff and they were all incompetent.  I 
> had to teach them how to do this so don't be surprised if you have to do the 
> same.   Making it read like this:
> zone "36.247.200.in-addr.arpa" {...
> is a dirty hack and should not be done.  It also breaks reverse lookups for 
> the rest of the hosts in that class C for you.

well yes (though there was no notion of the /25 in the given config, so
how should i have known).. ;)

Assuming it's the inverse of the DNS it should be a
"7/0.37.247.200.in-addr.arpa" for a /25, right? 
(as in 32-25=7)

-- 
Best regards,
 Kilian




Re: reverse name resolution

2004-11-23 Thread JB
You are on the right track.  Saying
zone "0/25.36.247.200.in-addr.arpa"
has nothing to do with the file/directory.
The file property inside the section deals with that.
This is proper RFC2317 reverse delegation but Nate is right in that your ISP 
must be on the same page with you when they do the delegation.  A couple 
years ago, I was working with an ISP in southern cal that was big enough to 
hire a full time DNS administration staff and they were all incompetent.  I 
had to teach them how to do this so don't be surprised if you have to do the 
same.   Making it read like this:
zone "36.247.200.in-addr.arpa" {...
is a dirty hack and should not be done.  It also breaks reverse lookups for 
the rest of the hosts in that class C for you.

vec
- Original Message - 
From: "Nate Duehr" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 23, 2004 11:34 AM
Subject: Re: reverse name resolution


Kilian Krause wrote:
Hi Djalma,

my named.conf.local:
zone "0/25.36.247.200.in-addr.arpa" {
i'd try making this read:
zone "36.247.200.in-addr.arpa" {
for a start.. i.e. without the 0/25.

Yes, this would be problematic unless for some odd reason you had a 
directory named "0".
The other comments about having to have your upstream ISP delegate the 
reverses properly is important also - and they can't just do it and tell 
you "it's done".  They have to provide you their naming convention for the 
delegated zones so you can line yours up with theirs.

(I guess they *could* just tell you "it's done" and then you'd have to use 
dig to figure out exactly how they did it, which is fine also...)

Nate
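The RFC2317 naming discussed in Vector's and JB's messages above, as an added example that is not part of the original posts: it derives the child zone name for a sub-/24 block, the NS and CNAME records the provider has to place in its own /24 reverse zone, and shows that the name a resolver asks for is not inside the child zone on its own. The block and nameserver are taken from the original post; the function names are this example's own.

```python
"""RFC 2317 names for a sub-/24 reverse delegation (added example)."""
import ipaddress


def rfc2317_zone(cidr):
    """Child zone name in the '<first octet>/<prefix length>' style used in the thread."""
    net = ipaddress.ip_network(cidr, strict=True)  # ValueError if host bits are set
    if net.version != 4 or not 24 < net.prefixlen < 32:
        raise ValueError("expected an IPv4 prefix between /25 and /31")
    a, b, c, d = str(net.network_address).split(".")
    return f"{d}/{net.prefixlen}.{c}.{b}.{a}.in-addr.arpa"


def parent_records(cidr, nameservers):
    """Records the provider adds to its /24 reverse zone: NS for the child, CNAME per host."""
    net = ipaddress.ip_network(cidr, strict=True)
    zone = rfc2317_zone(cidr)
    label = zone.split(".", 1)[0]  # e.g. "0/25", relative to the parent zone
    records = [f"{label}\tIN NS\t{ns}" for ns in nameservers]
    for addr in net.hosts():
        last = str(addr).rsplit(".", 1)[1]
        records.append(f"{last}\tIN CNAME\t{last}.{zone}.")
    return records


def ptr_names(ip, cidr):
    """(name a resolver asks for, name that holds the PTR in the delegated zone)."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(cidr, strict=True):
        raise ValueError(f"{ip} is outside {cidr}")
    queried = addr.reverse_pointer
    last = queried.split(".", 1)[0]
    return queried, f"{last}.{rfc2317_zone(cidr)}"


def is_within(name, zone):
    """True if name equals zone or is a subdomain of it (compared label by label)."""
    n = name.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(n) >= len(z) and n[-len(z):] == z


if __name__ == "__main__":
    block = "200.247.36.0/25"  # the /25 from the original post
    zone = rfc2317_zone(block)
    queried, canonical = ptr_names("200.247.36.2", block)
    print("child zone      :", zone)
    print("resolver queries:", queried, "(inside child zone:", is_within(queried, zone), ")")
    print("PTR lives at    :", canonical, "(inside child zone:", is_within(canonical, zone), ")")
    for line in parent_records(block, ["helium.prodar.com.br."])[:4]:
        print(line)
```

The CNAME lines belong in the provider's zone, which is why the delegation naming has to be agreed with them before the child zone can answer.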


Re: LDAP Expert's help please

2004-11-23 Thread Alex Borges
1.- Be sure what service is what. I mean, if you're running imap, we are
talking about 10 different possible imap servers that are provided in
debian. So, make sure you know which of them you are running. Same goes
for smtp, ftp...etc.

2.- Each of those you can research separately to see where their
auth settings are taken care of. If you can assert that no funny ldap/ldap
auth stuff is happening in each config file, you can start looking at
PAM to see if everything is being authed there (a sure hit is that
there is a config file for each service in the pam.d config directory,
and the services are directed to auth against PAM -most, but not
necessarily all, are by default- ).

3.- LDAP is an easy thing. It ain't much really, just data ordered to
some schema. So, the sysadm is right if he says with the root password
you can check everything out.

4.- You can possibly get what's the diff between what ldap.conf is by
default, and what it looks like now. A big part of this thing is
what schema files are included in this file. That will tell you at least
what schemas your ldap server supports apart from the default. For
example, if you are using qmail as the smtp, there will probably be a
file with the specific qmail-ldap schema (careful about assumptions,
that's not true the other way around, nor is it analogous in every other
mta).



On Tue, 2004-11-23 at 12:13 -0700, Omar wrote:
> Hi Alex,
>   The problem is that reading the documentation assumes that you are starting
> from Scratch, and installing everything.  Which in turn means that you have the
> passwords and all the settings, but I am starting it backwards, everything is
> there, and I need to dig it up.  The previous admin said that with root password
> everything can be figured out.  Partially true, but it is time consuming.
>   How can I find out if the system is using PAM against LDAP, in the
> documentation it says using LDAP authentication nothing else.
>   As for the insurance I am up for the challenge, but it's ironic as I work for
> an ISP and I don't have the net at home, which would greatly help me :(
>   I have downloaded an LDAP browser, but had no luck connecting to the server. I
> used slapcat to get user info, but it doesn't mean much to me, since I can't
> figure out how to create a new user, using which schema and so on.  Life goes on
> :)  Thanks for the suggestion I am looking at the Safari bookshelf right now :)
>  Omar
> 
> On Tue Nov 23 11:30 , Alex Borges <[EMAIL PROTECTED]> sent:
> 
> >1) Relax. You're in the right place.
> >2) Worry. You need to learn ldap fast
> >3) Use GQ (ldap browser) to get an idea of what's in there
> >4) Get a safari account and get yourself a couple of good ldap books. 
> >5) Read the most relevant chapters for an intro to htf (how the fuck)
> >this ldap stuff works
> >5.bis) Many of the apps that are being ldap authenticated may support
> >ldap directly (can be a lame setup unless you know what you're doing), or
> >really everyone is authenticating against PAM, and then that's against LDAP
> >(better setup in many medium to small cases) which is plain POSIX over
> >ldap which point 5 will clear up best. I do hope you're in this latter
> >scenario.
> >6) Be sure to have medical insurance. Throwing you to the lions like
> >this can cause permanent health damage due to stress.
> >
> >
> >:)
> >
> >If everything fails. Send an RFP here. Many will gleefully charge some
> >money and fix your stuff straight up. 
> >
> >
> >
> >On Tue, 2004-11-23 at 10:49 -0700, Omar wrote:
> >> Hi all,
> >>   I need help with LDAP.  I just got two servers that use LDAP authentication for
> >> FTP, E-mail and other logins, problem is I only got the root user name and
> >> password.  I have no idea how to reverse engineer the logins and schema info and
> >> so on.. Any and all help is appreciated :)  Thanks in Advance, Omar
> >> 
> >> 
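One way to answer the "is this service using PAM against LDAP" question from the messages above, as an added example that is not part of the original posts: it walks a pam.d directory, follows Debian-style `@include` lines, and lists which services reach `pam_ldap`, plus which `nsswitch.conf` databases use `ldap`. The sample files and service names are constructed for the demonstration.

```python
"""Which PAM services reach pam_ldap, and which NSS databases use ldap (added example)."""
import os
import tempfile


def pam_modules(pam_dir, service, _seen=None):
    """Return [(type, module)] for one service file, following Debian-style '@include'."""
    seen = set() if _seen is None else _seen
    path = os.path.join(pam_dir, service)
    if service in seen or not os.path.isfile(path):
        return []  # include loop or missing file
    seen.add(service)
    found = []
    with open(path) as fh:
        for raw in fh:
            fields = raw.split("#", 1)[0].split()
            if len(fields) >= 2 and fields[0] == "@include":
                found += pam_modules(pam_dir, fields[1], seen)
            elif len(fields) >= 3:
                rest = fields[1:]
                # The control field may be bracketed: [success=1 default=ignore]
                if rest[0].startswith("["):
                    while len(rest) > 1 and not rest[0].endswith("]"):
                        rest = rest[1:]
                if len(rest) > 1:
                    found.append((fields[0].lstrip("-"), os.path.basename(rest[1])))
    return found


def ldap_services(pam_dir):
    """Map each file in pam.d to the PAM types (auth, account, ...) that call pam_ldap."""
    report = {}
    for service in sorted(os.listdir(pam_dir)):
        types = {t for t, mod in pam_modules(pam_dir, service) if mod.startswith("pam_ldap")}
        if types:
            report[service] = sorted(types)
    return report


def nss_ldap_databases(nsswitch_path):
    """Databases in nsswitch.conf (passwd, group, ...) that list 'ldap' as a source."""
    databases = []
    with open(nsswitch_path) as fh:
        for raw in fh:
            db, sep, sources = raw.split("#", 1)[0].partition(":")
            if sep and "ldap" in sources.split():
                databases.append(db.strip())
    return databases


# Constructed sample files; service names and contents are illustrative only.
SAMPLE = {
    "pam.d/common-auth": "auth sufficient pam_ldap.so\n"
                         "auth required pam_unix.so nullok_secure use_first_pass\n",
    "pam.d/common-account": "account [success=1 default=ignore] pam_unix.so\n"
                            "account required pam_ldap.so\n",
    "pam.d/imap": "# mail access\n@include common-auth\n@include common-account\n",
    "pam.d/proftpd": "auth required pam_listfile.so item=user sense=deny "
                     "file=/etc/ftpusers onerr=succeed\n@include common-auth\n",
    "pam.d/cron": "auth required pam_env.so\naccount required pam_unix.so\n",
    "nsswitch.conf": "passwd: files ldap\ngroup: files ldap\nshadow: files\nhosts: files dns\n",
}


def audit_sample():
    """Write SAMPLE to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "pam.d"))
        for rel, text in SAMPLE.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        return (ldap_services(os.path.join(root, "pam.d")),
                nss_ldap_databases(os.path.join(root, "nsswitch.conf")))


if __name__ == "__main__":
    services, databases = audit_sample()
    for name, types in services.items():
        print(f"{name}: pam_ldap in {', '.join(types)}")
    print("NSS databases using ldap:", ", ".join(databases))
```

A service missing from the report may still bind to LDAP directly through its own configuration file, the other setup the thread mentions, so its config needs reading separately.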



Re: reverse name resolution

2004-11-23 Thread Djalma Fadel Junior
On Tue, 23 Nov 2004 18:52:38 +0100
Kilian Krause <[EMAIL PROTECTED]> wrote:

> Hi Djalma,
> 
> > my named.conf.local:
> > zone "0/25.36.247.200.in-addr.arpa" {
> 
> i'd try making this read:
> zone "36.247.200.in-addr.arpa" {

you're right. Without 25/0 worked, but when I installed (some months ago), it 
was working by that way, that is the way I read in BIND tutorial.
the server was upgraded recently.

do you know if this was changed in later versions?

is there some problem to keep zone "36.247.200.in-addr.arpa" since I have set a 
/25 mask from my ISP? (from 0 to 127).

thank you all

-- 
Djalma Fadel Junior
Diretor Técnico
Ferasoft Corporation Ltda
+55 (19) 3542-3490
[EMAIL PROTECTED]



Re: reverse name resolution

2004-11-23 Thread Andrew Miehs
He can look at the problem later, at the moment
It seems that his name server isn't working correctly...
If he wants other people to see his reverse entries, he will
have to go talk to his provider
Andrew

On Tue, 23 Nov 2004 18:53:16 +0100
andrew <[EMAIL PROTECTED]> wrote:
Shouldnt this just be
zone "36.247.200.in-addr.apra"  
i tried, but doesn't work.
so I got the following error
Host 2.36.247.200.in-addr.arpa not found: 2(SERVFAIL)

what do you have in your /etc/resolv.conf?
dns server resolv.conf file:
search helium.prodar.com.br prodar.com.br
nameserver 127.0.0.1


On 23.11.2004, at 19:04, Jacob S wrote:

On Tue, 23 Nov 2004 15:02:40 -0200
Djalma Fadel Junior <[EMAIL PROTECTED]> wrote:
Hi there,
I'm using debian with bind 9 and it isn't reverse resolving.
bind version: ii  bind9  9.2.4-1
The problem is that I cannot resolve IPs.
# host 200.247.36.2
Host 2.36.247.200.in-addr.arpa not found: 3(NXDOMAIN)
# host helium.prodar.com.br
helium.prodar.com.br has address 200.247.36.2
Are you sure that reverse dns has been delegated to you? Even the T1
provider we use at work won't give us a reverse delegation these days.
You have to talk to them and get them to setup reverse dns to look like
you want it to - even though name to ip resolution works normally.
HTH,
Jacob


Re: LDAP Expert's help please

2004-11-23 Thread Alex Borges
1) Relax. You're in the right place.
2) Worry. You need to learn ldap fast
3) Use GQ (ldap browser) to get an idea of what's in there
4) Get a safari account and get yourself a couple of good ldap books. 
5) Read the most relevant chapters for an intro to htf (how the fuck)
this ldap stuff works
5.bis) Many of the apps that are being ldap authenticated may support
ldap directly (can be a lame setup unless you know what you're doing), or
really everyone is authenticating against PAM, and then that's against LDAP
(better setup in many medium to small cases) which is plain POSIX over
ldap which point 5 will clear up best. I do hope you're in this latter
scenario.
6) Be sure to have medical insurance. Throwing you to the lions like
this can cause permanent health damage due to stress.


:)

If everything fails. Send an RFP here. Many will gleefully charge some
money and fix your stuff straight up. 



On Tue, 2004-11-23 at 10:49 -0700, Omar wrote:
> Hi all,
>   I need help with LDAP.  I just got two servers that use LDAP authentication for
> FTP, E-mail and other logins, problem is I only got the root user name and
> password.  I have no idea how to reverse engineer the logins and schema info and
> so on.. Any and all help is appreciated :)  Thanks in Advance, Omar
> 
> 





Re: reverse name resolution

2004-11-23 Thread Nate Duehr
Kilian Krause wrote:
Hi Djalma,
 

my named.conf.local:
zone "0/25.36.247.200.in-addr.arpa" {
   

i'd try making this read:
zone "36.247.200.in-addr.arpa" {
for a start.. i.e. without the 0/25.
 

Yes, this would be problematic unless for some odd reason you had a 
directory named "0". 

The other comments about having to have your upstream ISP delegate the 
reverses properly is important also - and they can't just do it and tell 
you "it's done".  They have to provide you their naming convention for 
the delegated zones so you can line yours up with theirs.

(I guess they *could* just tell you "it's done" and then you'd have to 
use dig to figure out exactly how they did it, which is fine also...)

Nate


switching to dovecot from uw-imapd (was: Re: Runaway processes ?)

2004-11-23 Thread Nate Duehr
Craig Sanders wrote:
- uw-imap-ssl (starting from inetd)
   

replace with something sane.  dovecot or courier-imapd for example.
dovecot works with mbox and Maildir mail boxes, courier-imapd only with
Maildir.  you probably have mbox if you're running an old sendmail machine.
it's a trivial upgrade - "apt-get install dovecot".
btw, both dovecot and courier support both SSL encrypted and unencrypted
versions of the protocols.  dovecot does pop & imap in the one package, while
courier has separate packages: courier-imapd and courier-popd.
 

Just a side-note here, I attempted to switch an old but lightly used 
server from uw-imapd that was an old Potato machine that had been 
continually upgraded to Woody to dovecot via this method and it didn't 
work.  The reason appeared to be that way back when mail directories 
were in /home//~Mail vs. ~mail and other things, hacks were added 
to uw-imapd's pre-inst scripts to deal with all the changes as they came 
and went... dovecot's packages didn't seem to have this level of 
intelligence in their pre-inst scripts. 

I just mention it because I never had time to screw around with it on 
that box, I just reinstalled uw-imapd and forgot about it... it was more 
an exercise in getting all the boxes I admin on the same toolset, but in 
the case of that box, it just wasn't worth messing around with that day.

Nate


Re: reverse name resolution

2004-11-23 Thread Jacob S
On Tue, 23 Nov 2004 15:02:40 -0200
Djalma Fadel Junior <[EMAIL PROTECTED]> wrote:

> Hi there,
> 
> I'm using debian with bind 9 and it isn't reverse resolving.
> 
> bind version: ii  bind9  9.2.4-1
> 
> The problem is that I cannot resolve IPs.
> 
> # host 200.247.36.2
> Host 2.36.247.200.in-addr.arpa not found: 3(NXDOMAIN)
> 
> 
> # host helium.prodar.com.br
> helium.prodar.com.br has address 200.247.36.2

Are you sure that reverse dns has been delegated to you? Even the T1
provider we use at work won't give us a reverse delegation these days.
You have to talk to them and get them to setup reverse dns to look like
you want it to - even though name to ip resolution works normally.

HTH,
Jacob





Re: reverse name resolution

2004-11-23 Thread Philipp Kern
On Tue, 2004-11-23 at 18:02, Djalma Fadel Junior wrote:
> my named.conf.local:
> zone "0/25.36.247.200.in-addr.arpa" {
 25 (if this is a direct delegation -- your value otherwise)
> $TTL 3D
$ORIGIN 36.247.200.in-addr.arpa

You need your nameserver in your resolv.conf or a proper rDNS delegation
by your provider.

Regards,
Philipp Kern





Re: reverse name resolution

2004-11-23 Thread Kilian Krause
Hi Djalma,

> my named.conf.local:
> zone "0/25.36.247.200.in-addr.arpa" {

i'd try making this read:
zone "36.247.200.in-addr.arpa" {

for a start.. i.e. without the 0/25.

-- 
Best regards,
 Kilian




LDAP Expert's help please

2004-11-23 Thread Omar
Hi all,
  I need help with LDAP.  I just got two servers that use LDAP authentication for
FTP, E-mail and other logins, problem is I only got the root user name and
password.  I have no idea how to reverse engineer the logins and schema info and
so on.. Any and all help is appreciated :)  Thanks in Advance, Omar





reverse name resolution

2004-11-23 Thread Djalma Fadel Junior
Hi there,

I'm using debian with bind 9 and it isn't reverse resolving.

bind version: ii  bind9  9.2.4-1

The problem is that I cannot resolve IPs.

# host 200.247.36.2
Host 2.36.247.200.in-addr.arpa not found: 3(NXDOMAIN)


# host helium.prodar.com.br
helium.prodar.com.br has address 200.247.36.2


---
my named.conf.local:
zone "0/25.36.247.200.in-addr.arpa" {
type master;
file "/etc/bind/zones/200.247.36";
};
---
my 200.247.36 file:
$TTL 3D
@   IN SOA  helium.prodar.com.br. hostmaster.prodar.com.br (
200411193
604800
86400
2419200
604800 )

IN NS   helium.prodar.com.br.

1   IN PTR  hydrogenium.prodar.com.br.
2   IN PTR  helium.prodar.com.br.
---


can someone give me a light?

thanks in advance.

-- 
Djalma Fadel Junior
Diretor Técnico
Ferasoft Corporation Ltda
+55 (19) 3542-3490
[EMAIL PROTECTED]



Re: [HELP] courier-authdaemon frustration

2004-11-23 Thread Philipp Kern
On Tue, 2004-11-23 at 17:27, Bob Billson wrote:
> The customized query may be the way to go; although it seems to be a bad
> hack to solve the underlying problem, no? Am I missing something?

I used courier-webadmin to set the MySQL authdaemon as the way to go...

Then I have this set of queries:

MYSQL_SELECT_CLAUSE SELECT CONCAT(localpart, '@', domain), \
ENCRYPT(password), \
password, \
uid, \
gid, \
'/var/mail/vdomains/$(domain)/$(local_part)', \
'', \
quota, \
fullname, \
options \
FROM users \
WHERE localpart = '$(local_part)' \
AND domain = '$(domain)'

MYSQL_ENUMERATE_CLAUSE  SELECT CONCAT(localpart, '@', domain), \
uid, \
gid, \
'/var/mail/vdomains/$(domain)/$(local_part)', \
'' \
FROM users \
WHERE localpart = '$(local_part)' \
AND domain = '$(domain)'

MYSQL_CHPASS_CLAUSE UPDATE users \
SET password='$(newpass)' \
WHERE localpart='$(local_part)' \
AND domain='$(domain)'

Although I don't know of the latter that it really works. You get rid of
all the other fields except of MySQL session information.
You could replace things like ``uid'' and ``gid'' to the integer value
used on your system (I used DEFAULT values in the table instead) like
common in SQL. There's also the possibility to use
CONCAT('/var/mail/vdomains/', domain, '/', localpart)
instead of the hackish way I chose.

Regards,
Philipp Kern




Re: [HELP] courier-authdaemon frustration

2004-11-23 Thread Bob Billson
On Mon, Nov 22, 2004 at 10:10:19PM +0100, Philipp Kern wrote:
> > The authmysqlrc for courier is a real pain.. it took me about 10 tries to
> > get it right. When I started over for the last time, I took the following
> > in account;
> 
> It isn't. It *is* commented ok, and the easiest thing to do is to put in
> a customized MySQL query to suit your needs.

I agree authmysqlrc is mostly commented well. Although, it is somewhat
silent on where (or not) single/double quotes are needed. Unfortunately,
my experience, thus far, even following the comments is no guarantee of
success. This seems to be the sticking point with all Courier's config
files. The config file parser is very pedantic, which is fine to a point.
The error message "imaplogin: authdaemon: TEMPFAIL - no more modules will
be tried" is terribly unhelpful. Kind of like many Windows' error messages.
You know something is wrong, but where? :-/

The customized query may be the way to go; although it seems to be a bad
hack to solve the underlying problem, no? Am I missing something?

bob
-- 
  bob billson    email: [EMAIL PROTECTED]  ham: kc2wz   /)
                 [EMAIL PROTECTED] beekeeper -8|||}
  "Níl aon tinteán mar do thinteán féin." --Dorothy    Linux geek   \)





Re: [HELP] courier-authdaemon frustration

2004-11-23 Thread Bob Billson
On Mon, Nov 22, 2004 at 09:44:54PM +0100, Mark Lijftogt wrote:
> Well.. looking back at my reply it was a bit short, rude and not really
> helpful (and that can be seen as an understatement). Sorry for that.

Hi Mark... No prob. No offense taken. :-)

> The authmysqlrc for courier is a real pain.. it took me about 10 tries to
> get it right. When I started over for the last time, I took the following
> in account;

I have noticed the same thing. Looking on Google, it appears we aren't
alone. Even Courier's web site mentions authdaemon it is hit and miss with
some people. :-/ That's not right. I'm at more than 10 attempts myself.
If the debug info was more verbose, I could figure it out. I am seriously
considering filing a wish-list bug report against the Debian package when
I finally get this working. Things shouldn't be this difficult to configure.

> I checked the mysql account information (could it be a simple username and
> password error),

Done. It looks correct. The same username and password work correctly when
postfix+mysql delivers to the virtual mailbox. I have tried other virtual
mailboxes on the server besides the dummy 'foobar' one. Same result and in
every case postfix+mysql delivers the mail but imap login fails. I'm almost
to the point of hacking the source to see what's going on. But I shouldn't
have to. :-/

> made sure there were no (trailing) spaces in the authmysqlrc

Done. re-done and done again.

> (only tabs),

done and re-done. Tried only spaces, too, but that made no difference.

> usage of only single quotes (around  the GID_FIELD, UID_FIELD
> and HOME_FIELD)

Ahhh, okay partially done. Only around HOME_FIELD but not the other
two. Will change that.

> and that the GID_FIELD and UID_FIELD are the uid and gid of
> postfix.. and NOT mysql.

Okay, I'm a little confused here. According to Christoph Haas's tutorial
on workaround.org, he set up separate user:group for the virtual
mailboxes: vmail:vmail. In my current re-attempt, I followed Christoph's
instructions to the letter thinking previously I was doing something
wrong. The UID:GID for vmail is 5000:5000. These are what I used in
authmysqlrc GID_FIELD and UID_FIELD (but without single quotes).

On my server, postfix is UID:GID 101:103 and mysql is 103:105.
Are you suggesting that despite Christoph's instructions I should be
using 101 and 103 for UID_FIELD and GID_FIELD, respectively?

> That was apparently enough to get that part running.

Well, if I can get past this problem of logging into the Courier's
imap-ssl server, I think I will be in good shape!

Thanks for the advice!

bob
-- 
  bob billson    email: [EMAIL PROTECTED]  ham: kc2wz   /)
                 [EMAIL PROTECTED] beekeeper -8|||}
  "Níl aon tinteán mar do thinteán féin." --Dorothy    Linux geek   \)





Re: Runaway processes ?

2004-11-23 Thread Craig Sanders
On Tue, Nov 23, 2004 at 02:28:43PM +0200, Ulf Pensar wrote:
> We have an emailserver that we had to reboot the hard way a couple
> of times a week. Now it's a couple of times a day (perhaps because
> the number of users has been growing) 
> [...]
> the inetd generates root owned processes and
> it doesn't stop before inetd is being killed. Then we have to reboot
> the server to go on working.

if you really must run your imap server from inetd, then consider using xinetd
which allows limits on the number of simultaneous connections.  or get rid of
uw-imapd junk and replace it with something better (see below)

> I guess it is the webmail that is creating those imap-processes but
> I'm not sure (could be imaps-clients of course).
> 
> Have you seen anything like that and what could be done?
> 
> Facts:
> dell power edge 600 Sc, intel celeron 1,7 GHz, 2 GB ECC memory
> running:
> - woody (kernel compiled from debian package kernel-source-2.4.18)

fine so far.

fortunately, there's a lot you can do to help performance.

> - uw-imap-ssl (starting from inetd)

replace with something sane.  dovecot or courier-imapd for example.

dovecot works with mbox and Maildir mail boxes, courier-imapd only with
Maildir.  you probably have mbox if you're running an old sendmail machine.

it's a trivial upgrade - "apt-get install dovecot".

btw, both dovecot and courier support both SSL encrypted and unencrypted
versions of the protocols.  dovecot does pop & imap in the one package, while
courier has separate packages: courier-imapd and courier-popd.

> - sendmail (with milter and clam)

replace with postfix.  watch your mail transport related load vanish
instantly.

> - bind, dhcp, mysql, radiusd-cistron (latest woody packages)

it kind of makes sense to have radius on your mail server, IF you are
authenticating against /etc/passwd.

dhcp, and mysql could be moved to other machines.

bind probably can't be moved without a lot of pain, if you have domains
delegated to this IP address.  if you're just using it as a caching resolver,
then consider replacing it with something lighter - perhaps maradns or djbdns.


> - webmail (the latest stable imp/horde)
> - php-4.3.9
> - imapproxy, just for the webmail (the latest)

imp doesn't have to run on the mail server.

consider moving these to another machine, perhaps your web server.

or consider using a different webmail program.  imp is pretty heavy on
resources like memory.  courier-sqwebmail is fairly light and integrates well
with the other programs in the courier suite, courier-maildrop, courier-imap,
etc.  there are other lightweight ones around too, if you don't like sqwebmail.



other things you can do:

1. encourage people to delete mail from the server rather than leaving it on
there.  you can do this by implementing quotas.  start by setting a quota which
is several megabytes *above* the largest mailbox (i.e. the "unofficial,
temporary quota").  announce that you are setting a quota of what your eventual
target is (i.e. the "official quota").  gradually reduce the quota every week
until target is reached.  don't tell your users how much leeway they have at
any given moment because they will abuse that knowledge.  if they ask just tell
them the official quota and mention that some *unspecified* leeway is given for
a short *unspecified* time.

if you don't want to compile the kernel for quota support and install the quota
package, you can crudely simulate it for mailboxes with postfix's
'mailbox_size_limit' parameter.  this is per mailbox file.  imap users can get
around the quota by saving messages to different mailbox files.


alternatively, if you must allow users to have huge mailboxes, then:

2. switch to Maildir rather than mbox.

craig

-- 
craig sanders <[EMAIL PROTECTED]>   (part time cyborg)





Runaway processes ?

2004-11-23 Thread Ulf Pensar
Hi,
We have an emailserver that we had to reboot the hard way
a couple of times a week. Now it's a couple of times a day (perhaps because
the number of users has been growing).
From the logs we can't see anything, it
just stops logging. From a process-logging-script (runs 'ps axu' every minute)
there is nothing unusual either, except some old (several days)
root owned imap-processes that, as I understand it, shouldn't be there.
The load goes up very quickly (normally it is something between 1-4 with peaks
up to 10). From a nagios-server we can see that the load and the number of
processes are rising fast (up to 50, 70 and 100 and then there is nothing to do).
Twice I have been able to see what happens: the inetd generates root owned
processes and it doesn't stop before inetd is being killed. Then we have
to reboot the server to go on working.

I guess it is the webmail that is creating those imap-processes but
I'm not sure (could be imaps-clients of course).
Have you seen anything like that and what could be done?
Facts:
dell power edge 600 Sc, intel celeron 1,7 GHz, 2 GB ECC memory
running:
- woody (kernel compiled from debian package kernel-source-2.4.18)
- uw-imap-ssl (starting from inetd)
- webmail (the latest stable imp/horde)
- php-4.3.9
- sendmail (with milter and clam)
- bind, dhcp, mysql, radiusd-cistron (latest woody packages)
- imapproxy, just for the webmail (the latest)
-uffe
