Cover V12, I06

Questions and Answers

Amy Rich

In the previous issue, the CheckRcvd ruleset from the sendmail spam question had the following two lines:

R<?> $+ $| $+           $: $>LookUpDomain <$1> <?> <+ Connect> <$2>
R<?> <$+>               $: $>LookUpAddress <$1> <?> <+ Connect> <>
These should actually be:

R<?> $+ $| $+           $: $>LookUpDomain <$1> <?> <$2> <+ Connect>
R<?> <$+>               $: $>LookUpAddress <$1> <?> <> <+ Connect> 
Or if you're using sendmail 8.12 instead of 8.11:

R<?> $+ $| $+           $: $>D <$1> <?> <+ Connect> <$2>
R<?> <$+>               $: $>A <$1> <?> <+ Connect> <>
In the April issue there was a question about monitoring machine/room temperature. Two additional suggestions have come in from our readers. Bob Sigillito suggests a company called Sensatronics (http://senatronics.com/TempTrax/), and Craig Dupree additionally suggests buying do-it-yourself kits from QKits (http://www.qkits.com) for those people who are comfortable with soldering.

Q I'd like to add a disclaimer footer to every message that goes through our mail server. I'm sure that someone's managed to do this already, but I don't see anything in sendmail that seems workable.

A This problem is more difficult than it first seems because the mail server has to deal with more than just plain text messages. Tacking a footer onto the end of a MIME message puts the text outside the final boundary and will break the message. By itself, sendmail is not really a solution, but you can use libmilter and something like MIMEDefang to add your footer to MIME-structured messages.
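
The following Python is an added illustration, not code from the column or from MIMEDefang: it builds a constructed multipart/alternative message, shows that a footer concatenated onto the raw message ends up in the epilogue after the closing boundary (outside every body part), and then does what a milter-based filter has to do instead, walking the MIME tree and appending the footer inside each text part. The footer text, addresses and body strings are all constructed.

```python
# Added example (not code from the column or from MIMEDefang): a footer appended
# to a raw MIME message lands after the closing boundary, outside every body
# part; it has to be inserted into each text part instead.
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

FOOTER = "This message is subject to the company disclaimer."  # constructed text

def build_sample() -> str:
    """Constructed multipart/alternative message with a text and an HTML part."""
    msg = MIMEMultipart("alternative")
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Hi"
    msg.attach(MIMEText("Numbers are in the portal.", "plain"))
    msg.attach(MIMEText("<p>Numbers are in the portal.</p>", "html"))
    return msg.as_string()

def naive_append(raw: str, footer: str) -> str:
    """'Tack it on the end': plain concatenation on the raw message text."""
    return raw + "\n-- \n" + footer + "\n"

def add_footer(raw: str, footer: str) -> str:
    """Walk the MIME tree and append the footer inside each text/* leaf part."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "us-ascii"
        body = part.get_payload(decode=True).decode(charset)
        if part.get_content_subtype() == "html":
            body += "<p>" + footer + "</p>"   # footer is markup-free ASCII here
        else:
            body += "\n-- \n" + footer
        # The sample parts are 7bit ASCII; a non-ASCII footer would also need
        # the part's charset and transfer encoding revisited before re-sending.
        part.set_payload(body)
    return msg.as_string()

def parts_with_footer(raw: str) -> int:
    """Number of leaf parts whose decoded body carries the footer."""
    msg = message_from_string(raw)
    return sum(1 for p in msg.walk() if not p.is_multipart()
               and FOOTER in p.get_payload(decode=True).decode("utf-8", "replace"))

def footer_in_epilogue(raw: str) -> bool:
    """True when the footer ended up in the multipart epilogue, outside all parts."""
    return FOOTER in (message_from_string(raw).epilogue or "")
```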

Q Occasionally, our upstream link goes down and we see the following error messages on our internal DNS server running Bind 9.2.2:

hostname syslog: client 192.168.1.3#20391: no more recursive clients: quota reached
The client IP addresses differ, but they are usually other DNS, mail, or proxy servers. Can I alleviate this condition, or is it just something that will report errors until the link comes back up?

A The messages indicate that your name server has reached the maximum number of concurrent recursive queries. As you suspected, this is happening because your upstream link is down. Such error messages can also be indicative of a DoS attack against your name server.

You can increase the maximum number of concurrent recursive queries, but if your link is down for an extended period of time and your internal machines are doing a lot of queries, it's possible that you may just hit the ceiling again or run out of memory. Below is an excerpt from the BIND 9 Administrator Reference Manual, section 6.2.14.8. "Server Resource Limits", which is available as part of the source distribution in doc/arm/ or as a PDF from http://www.nominum.com/content/documents/bind9arm.pdf:
    recursive-clients

    The maximum number of simultaneous recursive lookups the server will perform on behalf of clients. The default is 1000. Because each recursing client uses a fair bit of memory, on the order of 20 kilobytes, the value of the recursive-clients option may have to be decreased on hosts with limited memory.
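
Since the same message can mean either a dead upstream link or a DoS against the name server, it helps to see who is generating the hits. The Python below is an added example, not from the column: it parses constructed syslog lines in the format quoted in the question, tallies quota messages per client, and separates the known internal servers (the set of expected clients is an assumption) from anything unexpected that deserves a closer look.

```python
# Added example (not from the column): tally BIND "no more recursive clients"
# lines per client so a link outage (a few known internal servers hitting the
# quota) can be told apart from a flood of unexpected sources.
import re
from collections import Counter

# Matches the BIND 9 quota message quoted in the question; the port after '#' is ignored.
QUOTA_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: no more recursive clients: quota reached"
)

# Constructed sample log lines in the same format as the line in the question.
SAMPLE_LOG = """\
hostname syslog: client 192.168.1.3#20391: no more recursive clients: quota reached
hostname syslog: client 192.168.1.3#20392: no more recursive clients: quota reached
hostname syslog: client 192.168.1.10#4211: no more recursive clients: quota reached
hostname syslog: lame server resolving 'example.com' (in 'example.com'?)
hostname syslog: client 192.168.1.3#20400: no more recursive clients: quota reached
"""

def quota_hits_by_client(log_text: str) -> Counter:
    """Count quota-reached messages per client IP; unrelated lines are skipped."""
    hits = Counter()
    for line in log_text.splitlines():
        m = QUOTA_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits

def summarize(hits: Counter, expected_clients: set) -> dict:
    """Split hits into known internal resolvers/relays and everything else."""
    known = sum(n for ip, n in hits.items() if ip in expected_clients)
    unknown = {ip: n for ip, n in hits.items() if ip not in expected_clients}
    return {"known_hits": known, "unknown_clients": unknown, "distinct": len(hits)}

if __name__ == "__main__":
    # Assumed set of internal servers that normally recurse through this name server.
    print(summarize(quota_hits_by_client(SAMPLE_LOG), {"192.168.1.3"}))
```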

Q I was installing a patch cluster (using the install_cluster script that came with the cluster) on a newly jumpstarted Solaris 8 02/02 machine when I got the following message:

    WARNING: The / filesystem has 852612 free blocks. The current installation requires 145 blocks, which includes a required 150 block buffer for open deleted files. 4294114829 more blocks are needed.

    WARNING: The / filesystem has 281493 free file nodes. The current installation requires 24 file nodes, which includes a required 25 file node buffer for temporary files. 4294685827 more file nodes are needed.

It looks like something got corrupted, because I can no longer add any of the other patches. Is there a way to recover without reinstalling my system?

A You don't give the date of the patch cluster you were installing, but earlier this year there was a cluster with a bad version of a patchadd patch, 110934-10, which caused this behavior. If you have a support contract, take a look at the following URL for the details:

http://sunsolve.sun.com/private-cgi/retrieve.pl?doc=salert%2F50401
Essentially, back out patch 110934-10 if you can, or remove/rename /var/sadm/pkg/<pkgabbrev>/install/space for all packages affected by that failed patch. Make sure to pick up a newer rev of the patchadd patch.

Q I've just installed NetBSD 1.6 onto an old SPARC I had sitting around. I received the following warning message:

"WARNING: clock gained 156 days --CHECK AND RESET THE DATE!"
I've heard about the NVRAM chips going bad on these old Suns, so I tried installing SunOS 4.1.4, too, to see if it was just NetBSD, or if something was wrong with my machine. I got the following warning:

"WARNING: preposterous time in file system - CHECK AND RESET THE DATE"
It looks like my hardware may be bad. How do I fix this?

A When the machine is going through POST, see whether your Ethernet address is set to all zeros. If it is, then most likely the battery backup for the NVRAM chip has died. If the Ethernet address looks normal, then my guess is that your hardware is fine and you're just seeing a spurious message from the kernel because you've booted off read-only media (like a CDROM or install tape). If this is the case, just check the date of the installed system to make sure it's accurate (and if not, reset it with the date command).

If you have a dead NVRAM chip, take a look at:

http://www.squirrel.com/squirrel/sun-nvram-hostid.faq.html
for instructions on replacing and reprogramming it.

Q I need to make an additional copy of an 8mm tape that I have in my possession, but I only have one tape drive attached to a Solaris 8 machine. I tried to copy the tape to disk, and then copy it back to a fresh tape using dd, but I got errors about not enough disk space. I have plenty of space and inodes on the filesystem I was trying to copy the tape to, and the new tape to which I'm copying is the exact same size. I even tried a couple different tapes, thinking I may have used a bad one. No luck. So, apparently I'm doing something wrong, or dd isn't the best choice for this job. Any suggestions?

A dd is definitely the right tool for the job here. The "not enough space" error message probably indicates that you used the wrong block size when trying to duplicate the data. If you've added a third-party tape drive, you might want to check whether a device block size was specified in /kernel/drv/st.conf. Your dd commands should look something like the following. (I'll assume that you might have multiple chunks of data on the tape, so you'll want to use the norewind device. I've picked an arbitrary block size of 10k.)

dd if=/dev/rmt/0n bs=10k of=chunk1
dd if=/dev/rmt/0n bs=10k of=chunk2
...
dd if=/dev/rmt/0n bs=10k of=chunkN
Put in the fresh tape, and load the data on:

dd if=chunk1 bs=10k of=/dev/rmt/0n
dd if=chunk2 bs=10k of=/dev/rmt/0n
...
dd if=chunkN bs=10k of=/dev/rmt/0n
Q Our company would like to modify the SMTP messages visible to external clients. Specifically, the following:

220 smtp.my.domain ESMTP Sendmail 8.12.9/8.12.9; Sat, 8 Apr 2003 11:26:55 -0500 (EST)
250-smtp.my.domain Hello machine.their.domain [192.168.1.1], pleased to meet you
250 2.0.0 h28GHWw0031589 Message accepted for delivery
Is there an easy way to do this?

A You can change the first message by setting SMTP_LOGIN_MSG in your mc file (rebuilding the cf file, of course). If you specify:

define(`confSMTP_LOGIN_MSG', `$j (NO UCE)')dnl
Your message will appear as:

220 smtp.my.domain ESMTP (NO UCE)
The latter two have no configuration settings as far as I know. You can make a couple simple changes to src/srvrsmtp.c and recompile your source code to achieve the desired results. You'll want to change the following code snippets to reflect whatever your message should say:

q = "pleased to meet you";
message ("250-%s Hello %s, %s", MyHostName, CurSmtpClient, q);
message("250 2.0.0 %s Message accepted for delivery", id);
There are actually two instances of the middle line that you'll want to change.

Q A mistyped rm command wiped out /dev on one of our test Solaris systems where we have no backups. Apparently, these test systems are not trivial to recreate. We're talking with the development team about backing up these machines in the future, but is there something we can do to recover in the meantime? We'd rather not install from scratch if we don't have to.

A If the machine is still up and running the OS, try rebuilding the /dev tree. On machines pre-Solaris 8, do:

drvconfig
disks
tapes
ports
devlinks
With Solaris 8 and later, do:

devfsadm
If the machine crashed or was already halted, boot off the CDROM and mount the root filesystem as /a. From there you can perform the same steps as above, only specify the alternate root:

drvconfig -r /a
disks -r /a
tapes -r /a
ports -r /a
devlinks -r /a
or

devfsadm -r /a
Q Our company has global offices that speak a variety of different languages, so I'm trying to get Apache's MultiViews option for language content negotiation to work on our internal Web servers. So far, I've had no success on getting one of the languages, Hungarian, to work correctly.

I have three versions of a file in English, German, and Hungarian, named file.en.html, file.de.html, and file.hu.html, respectively. I've specified the language and character set in each HTML file using meta tags:

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="hu" lang="hu">
  <head>
    <meta http-equiv="Content-Type" content="text/html;
       charset=iso-8859-2" />
    <meta http-equiv="Content-Language" content="hu" />
    <title>My Title</title>
  </head>

When I view http://www.my.domain/file with a client that specifies hu as the preferred language and iso-8859-2 as the preferred charset, file.hu.html is not returned. If the client does not specify English or German as a fallback, then I get the following 406 error:

Not Acceptable

An appropriate representation of the requested resource /file could not be found on this server.

Available variants:

  * file.de.html , type text/html, language de
  * file.en.html , type text/html, language en
I know that this is not a permissions problem or anything like that, because I can go directly to file.hu.html and view it just fine. So, why can't it see my Hungarian file?

A Apache's mod_negotiation doesn't look at the content of your files to determine the language or character set. You must configure the server to assign the .hu extension to the language hu by using the AddLanguage directive. You may also want to assign the charset by using the AddCharset directive.

AddLanguage hu .hu
AddCharset ISO-8859-2 .hu
Take a look at the mod_mime page for more information:

http://httpd.apache.org/docs/mod/mod_mime.html
Q I'm writing a Perl script using getopts to parse command-line flags. My code looks like this:

use Getopt::Std;
getopts('ab:c:d');
...
If I invoke the program thusly:

./myscript -z
it outputs this error:

Unknown option: z
How do I silence the default output of getopts and add my own message in its place?

A You can set a WARN handler in your script to override the default message:

#!/usr/bin/perl

$SIG{'__WARN__'} = sub {
  print "My error\n"
};

use Getopt::Std;
getopts('ab:c:d');
The WARN handler is actually assigned an expression, even though it looks like a subroutine declaration. This is why the semicolon is outside of the closing brace. The above statement could be generically written as:

$SIG{__WARN__} = expr;
Q I'm getting a "mail loops back to me" error now that I've upgraded sendmail from 8.11.6 to 8.12.8. The same sendmail.cf works fine under 8.11.6, but exhibits this problem on 8.12.8 when sending mail from a user local to the system to another user local to the system. Mail that's handled via SMTP works just fine. I verified that /etc/mail/local-host-names contains all of the names this machine uses, and I have FEATURE(use_cw_file) in my sendmail.mc file.

Here's an entry from my syslog:

Apr 12 15:13:17 myhost sendmail[2731]: h269e0w0031144: SYSERR(nobody): 
my.domain. config error: mail loops back to me (MX problem?)
Here are the permissions on the important files and directories:

-rw-r--r--   1 root   root     1452 Dec  7  2002 /etc/mail/aliases
-rw-r--r--   1 root   root    32768 Dec  7  2002 /etc/mail/aliases.db
-r--r--r--   1 root   root     5588 Mar 12 10:13 /etc/mail/helpfile
-r--r--r--   1 root   root       29 Jun 23  2002 /etc/mail/local-host-names
-rw-r--r--   1 root   root    58348 Apr 12 15:00 /etc/mail/sendmail.cf
-rw-r--r--   1 root   root    34946 Oct 31 11:54 /etc/mail/submit.cf
-r-sr-sr-x   1 root   smmsp  640970 Apr 12 14:40 /usr/sbin/sendmail
drwxrwx---   2 smmsp  smmsp    4096 Aug 29 15:38 /var/spool/clientmqueue
drwx------   2 root   mail     4096 Jan  2 08:00 /var/spool/mqueue
And the possibly pertinent bits from my sendmail.mc:

MASQUERADE_AS(`my.domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`allmasquerade')dnl
define(`ALIAS_FILE', `/etc/mail/aliases')
MAILER(local)dnl
MAILER(smtp)dnl
I'd think that I'd be seeing issues with external senders, too, so I'm not quite sure what the problem is.

A Generally you wouldn't install 8.12 /usr/sbin/sendmail as setuid root because of security concerns. Since you're talking about mail from local users to local users, and you don't have any problems with SMTP transactions, check your submit.mc and/or submit.cf. My best guess is that you've done something to the msp feature declaration:

FEATURE(`msp')dnl
or perhaps written as one of the following:

FEATURE(`msp', `[127.0.0.1]')dnl
FEATURE(`msp', `[IPv6:::1]')dnl
To make your sendmail installation non-suid, make sure you have the msp declaration in your submit.mc file (and rebuild the submit.cf file). Then remove the suid permissions from the sendmail binary:

chmod u-s /usr/sbin/sendmail
If, for some reason, you need sendmail to be setuid root, then delete /etc/mail/submit.cf and leave the permissions on /usr/sbin/sendmail alone. I would highly recommend making sendmail non-suid.

Amy Rich, president of the Boston-based Oceanwave Consulting, Inc. (http://www.oceanwave.com), has been a UNIX systems administrator for more than 10 years. She received a BSCS at Worcester Polytechnic Institute, and can be reached at: qna@oceanwave.com.