Codejunkie
Monologues of a mobile retro coder.
skeezix[at]codejedi.com
www.codejedi.com
<skeezix>Deep code is where we want to live; shallow code is where we make a living
This is another one of those posts only a few people will read, I know. I'm going to talk about 'sendmail' (a system for receiving and transmitting email on the Internet, for those who host domains. Normal people just use an email program to suck down mail, but the guys who host the email use sendmail or postfix or other tools) and Linksys. If you're still reading, cool - it's been a busy week of hacking around on our LAN and new machine to get things working, but I finally made The Big Switchover where I killed the old machine and started using the new one -- pretty successfully too, with only a few gotchas! making me swear like a sailor for a few minutes each :) The telnet BBS is still hosed and no idea why (and I bet no one notices ;), but otherwise things are up and snappy as heck. I even added a new photo gallery script since the old machine wasn't fast enough to load images. But for now I'll rant about the torture Linksys and Eric Allman put me through..
Linksys Firewall Hell
Historically I've used a BSD unix install as a router; at times I've used 'pico bsd' (booting from a cdrom, so if you get cracked you just reboot) but most of the time it's a full shell machine (minus compiler and other tools) that acted as router, firewall, mail server and remote shell. A busy little box that has served well for many long years, until she got grumpy and old. Now I'm using a shiny new Linksys firewall-router that apparently runs on the Linux kernel.. I'll have to fortify the hell out of it, like I did the previous setup. But anyway, I digress..
I'm actually fairly impressed with how far things've come -- the first Linksys router I tried years ago would lose 80% of the packets flying through and was a disaster to configure correctly (UI bugs etc), but this sucker came up nicely, configured as I expected and was essentially up and going in a few minutes (once I overcame my own stupidity a couple of times :) I pulled down mail, checked a few websites, ensured multiple machines NATted correctly, checked the snmp stuff out.. all good. Slick. The next day I come home and my poor wife is angry as heck at the setup, as virtually none of the websites she checked would function -- they'd just hang. Figures - all the sites I checked continued to work fine. Very weird..
A moment's guesswork revealed the hang-oddity to only show when the target website featured a login-screen (a secure https type website). Port 443 was open to outbound traffic, so what could prevent port 443 sites from working while port 80 (regular) sites worked fine? No content filtering or traffic shaping was configured, and I could telnet through to port 443 myself no problem...
Making a long story short, it was the MTU setting. Sure, I chatted up a few Linksys support folks in online chat (which was sort of cool), and they suggested setting the MTU in the router -- which would hang the sessions and prevent anything from working at all. (ie: Leaving MTU alone would work, so presumably it used a sensible default or picked up the correct value from our DSL ISP.) I didn't really get how MTU could be a factor since it's 'below' the TCP layer of communication and thus shouldn't impact userland applications I figure, but apparently it's quite important ;) So anyway, setting it to the standard 1492 or other values like 1400, 1500, etc wouldn't work. Curious, as everyone (including smart folks like sadrik, mindfryer, et al in IRC) sure thought it was MTU..
The really strange thing is when I configured a BSD box here to use mtu 1492 ("ifconfig fxp0 mtu 1492"), it suddenly was able to see the websites in question. Wicked. I set it back to its previous 1500 mtu for fun, and.. it could still see the websites. How odd! Turning to the other machines in the network, like a local Windows XP box... it too could see the websites now. All the LAN machines worked perfectly now. Without any configuration changes in the router or any of the machines, beyond setting an unrelated machine to the right mtu and back to the wrong one again.
Keith will remind me that obviously sunspots solved the problem. In order to keep the voodoo working on my behalf, I obviously configured the BSD box to 1492 and set up a ping to go through the router every few minutes. That ought to keep the mojo going my way... always fun to find a bug in a core infrastructure device.
Sendmail
People write books about sendmail. Big thick scary books about it. Apparently sysadmins' advice nowadays is to just use 'postfix' instead, another open source mailer application. But sendmail comes standard with the OS, and I've always had good luck with it -- it's just one of those apps that works, but god help you if you need to look into the config file for it. Sadly, I did have to..
The changes I had to make were simple. Sending mail direct from a machine is frowned upon by the likes of AOL, since spammers could sign up a machine and go nuts. So instead, you deliver your mail to your ISP's mailer, and they proceed to deliver it. Well and good. It's easy to forget the voodoo in sendmail to set this up, but thankfully the default config file included enough documentation to make it easy.. a config command called 'DS' with your ISP's domain and you're good. Whew. So now the box could send email without it bouncing..
But wait, nothing worked. "HUP" sendmail? No good. Hm... ah right, there's two sendmail processes, and you need to HUP both of them. Okay, good enough.
Make sure to set the 'default user and group' that sendmail uses, so that it can invoke the right applications and put files in the right places. The defaults work for normal uses, but if you're running an email-news gateway, mailing lists, or other goofy stuff.. you'll need to use the 'DefaultUser' command. I do like how some commands are English-like, where others are 'DS' -- whatever that is.
Lastly, so mail from multiple domains can come in, make sure you set up your 'local-host-names' file to list the domains. Set up a 'relay-domains' file to tell it the alternate names that can 'relay'. Lastly, set up a file detailing user name mappings so one user can be called something else - the 'virtusertable' file and also the /etc/aliases file (with a run of 'newaliases' afterwards of course.) Whew, tonnes of fiddly work that you forget about right after you do it.
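A quick consistency check over the files named above, as an added example that is not part of the original post: it confirms a DS smart host is set, that every virtusertable domain is also in local-host-names, and that newaliases has been run since aliases was last edited. The function names, hostnames, users and sample directory are constructed placeholders, and it assumes virtual domains are listed in local-host-names rather than in a separate VirtHost class.

```sh
#!/bin/sh
# Added example, not from the post. Hostnames, users and file contents are
# constructed placeholders; the directory layout mirrors /etc/mail.

# Print one line per problem found in mail config directory $1.
check_mail_dir() {
    dir=$1
    # Smart host: the cf file needs a "DS<host>" line (empty DS = direct delivery).
    grep -Eq '^DS[^[:space:]#]' "$dir/sendmail.cf" ||
        echo "sendmail.cf: no smart host set with DS"
    # virtusertable keys only match when their domain is accepted as local,
    # i.e. listed in local-host-names (assumes no separate VirtHost class).
    awk -v lhn="$dir/local-host-names" '
        BEGIN {
            while ((getline line < lhn) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") known[tolower(line)] = 1
            }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            n = split($1, part, "@"); dom = tolower(part[n])
            if (!(dom in known))
                print "virtusertable: " $1 " is in a domain missing from local-host-names"
        }' "$dir/virtusertable"
    # aliases edited after the last newaliases run: the .db is stale.
    if [ -n "$(find "$dir/aliases" -newer "$dir/aliases.db" 2>/dev/null)" ] ||
       [ ! -e "$dir/aliases.db" ]; then
        echo "aliases: newer than aliases.db, run newaliases"
    fi
}

# Build a constructed sample directory and print its path.
make_sample() {
    d=$(mktemp -d)
    printf 'DSsmtp.isp.example\nO DefaultUser=mailnull:mailnull\n' > "$d/sendmail.cf"
    printf 'home.example\nphotos.example\n' > "$d/local-host-names"
    printf 'bob@home.example\trobert\n@bbs.example\tsysop\n' > "$d/virtusertable"
    printf 'postmaster: root\nsysop: robert\n' > "$d/aliases"
    touch -t 202001010000 "$d/aliases.db"   # older than aliases on purpose
    echo "$d"
}

check_mail_dir "$(make_sample)"
```

On the sample it reports the @bbs.example mapping and the stale aliases.db; pointed at a copy of a real /etc/mail it gives a list of what to fix before sending HUP to sendmail.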
Why am I writing up any of this? Oh, sorry -- so I've got it written down somewhere for next time I need to add a user to the system, I know what to look for to edit. Sorry for wasting your time :)
[ Category: / technology / bsd ]