Installing the INN Server

previous Managing Mail and News Servers in Linux

This section describes how to configure InterNetNews (INN), a TCP/IP-based news server. First you have to install INN.

In Debian, Ubuntu, and Xandros, type dpkg -l inn* to see if inn is installed. In Fedora and SUSE, type rpm -q inn and see if the inn package is installed.

In Debian and Ubuntu, type apt-get install inn to install the INN server. In Fedora, log in as root, mount the DVD, and type cd /media/ cdrom/Fedora/RPMS followed by rpm -ivh inn*. In SUSE, click Software Management in the YaST Control Center’s Software category. Then use YaST’s search feature to look for inn, select the relevant packages from the search results, and install them. In Xandros, first run Xandros Networks, choose Edit»Set Application Sources, and click the Debian Unsupported Site link as a source. Then type apt-get install inn to install the INN server.

Configuring and Starting the INN Server

Much of the INN (InterNetNews) software is ready to go as soon as you install it. All you need to do is to brush up a bit on the various components of INN, edit the configuration files, and start innd — the INN server. The INN server is sometimes referred to as the news server.

If you want to run a news server that supports a selection of Internet newsgroups, you also have to arrange for a news feed — the source from which your news server gets the newsgroup articles. Typically, you can get a news feed from an ISP, but the ISP charges an additional monthly fee to cover the cost of resources required to provide the feed. (Your normal ISP charges cover reading news from the ISP’s server; you have to pay additional charges only if you want to run your own server and get a news feed.) You need the name of the upstream server that provides the news feed, and you have to provide that server with your server’s name and the newsgroups you want to receive.

By the way, you don’t need an external news feed if you’re running a news server to support local newsgroups that are available only within your organization’s network. How to set up local newsgroups is described in the “Setting Up Local Newsgroups” section of this chapter.

Depending on the newsgroups you want to receive and the number of days you want to retain articles, you have to set aside appropriate disk space to hold the articles. The newsgroups are stored in a directory hierarchy (based on the newsgroup names) in the /var/spool/news directory of your system. If you’re setting up a news server, you may want to devote a large disk partition to the /var/spool/news directory.

In your news server’s configuration files, enter the name of the server providing the news feed. At the same time, add to the configuration files the names of any downstream news servers (if any) that receive news feeds from your server. Then you can start the news server and wait for news to arrive. Monitor the log files to ensure that the news articles sort and store properly in the /var/spool/news directory on your system.

The following sections introduce you to INN setup, but you can find out more about INN from the Internet Systems Consortium (ISC), a nonprofit corporation dedicated to developing and maintaining open source Internet software, such as BIND (an implementation of Domain Name System), DHCP (Dynamic Host Configuration Protocol), and INN. Rich Salz originally wrote INN; ISC took over the development of INN in 1996. You can find out more about INN and can access other resources at ISC’s INN Web page at www. isc.org/sw/inn/.

InterNetNews components

INN includes several programs that deliver and manage newsgroups. It also includes a number of files that control how the INN programs work. The most important INN programs are the following:

• innd: Accepts connections from other feed sites, as well as from local newsreader clients, but it hands off local connections to the nnrpd. The news server. innd runs as a daemon (a background process that keeps itself running to provide a specific service) and listens on the NNTP port (TCP port 119).
• nnrpd: Handles requests from local newsreader clients. nnrpd is a special server invoked by innd.
• expire: Removes old articles based on the specifications in the text file /etc/news/expire.ctl.
• nntpsend: Invokes the innxmit program to send news articles to a remote site by using NNTP. The configuration file /etc/news/ nntpsend.ctl controls the nntpsend program.
• ctlinnd: Enables you to control the innd server interactively. The ctlinnd program can send messages to the control channel of the innd server.

The other vital components of INN are the control files. Most of these files are in the /etc/news directory of your Linux system, although a few are in the /var/lib/news directory. Between those two directories, you have more than 30 INN control files. Some important files include the following:

• /etc/news/inn.conf: Specifies configuration data for the innd server. (To view online help for this file, type man inn.conf.)
• /etc/news/newsfeeds: Specifies what articles to feed downstream to other news servers. (The file is complicated, but you can get help by typing man newsfeeds.)
• /etc/news/incoming.conf: Lists the names and addresses of hosts that provide news feeds to this server. (To view online help for this file, type man incoming.conf.)
• /etc/news/storage.conf: Specifies the storage methods to be used when storing news articles. (To view online help for this file, type man storage.conf.)
• /etc/news/expire.ctl: Controls expiration of articles, on a per newsgroup level, if desired. (To view online help for this file, type man expire.ctl.)
• /var/lib/news/active: Lists all active newsgroups, showing the oldest and newest article number for each, and each newsgroup’s posting status. (To view online help for this file, type man active.)
• /var/lib/news/newsgroups: Lists newsgroups and a brief description of each.
• /etc/news/readers.conf: Specifies hosts and users who are permitted to read news from this news server and post news to newsgroups. The default file allows only the localhost to read news; you have to edit it if you want to allow other hosts in your local area network to read news. (To view online help for this file, type man readers.conf.)

The next few sections describe how to set up some of the important control files.

The inn.conf file

The inn.conf file holds configuration data for all INN programs — which makes it the most important file. Each line of the file has the value of a parameter in the following format:

parameter: value

Depending on the parameter, the value is a string, a number, or true or false. As in many other configuration files, comment lines begin with a pound sign (#).

Most of the parameters in the default inn.conf file in the /etc/news directory do not require changes. You may want to edit one or more of the parameters shown in Table 2-2.

Table 2-2

The newsfeeds file

The newsfeeds file (found at /etc/news/newsfeeds) specifies how incoming news articles are redistributed to other servers and to INN processes. If you provide news feeds to other servers, you have to list these news feeds in this file. (You also must have an entry labeled ME, which serves a special purpose explained later in this section.)

The newsfeeds file contains a series of entries, one for each feed. Each feed entry has the following format:

site[/exclude,exclude . . . ]\
:pattern,pattern . . . [/distrib,distrib . . . ]\
:flag,flag . . . \
:param

Each entry has four fields separated by a colon (:). Usually, the entries span multiple lines, and a backslash (\) at the end of the line continues a line to the next. Here’s what the four fields mean:

• The first field, site, is the name of the feed. Each name must be unique, and for feeds to other news servers, the name is set to the hostname of the remote server. Following the name is an optional slash and an exclude list (/exclude,exclude . . . ) of names. If any of the names in this list appear in the Path line of an article, that article isn’t forwarded to the feed. You can use an exclude list if you don’t want to receive articles from a specific source.
• The second field is a comma-separated list of newsgroup patterns, such as *,@alt.binaries.warez.*,!control*,!local*, followed by an optional distribution list. The distribution list is a list of comma-separated keywords, with each keyword specifying a specific set of sites to which the articles are distributed. The newsgroup patterns essentially define a subscription list of sites that receive this news feed. An asterisk (*) matches all newsgroups. A pattern beginning with @ causes newsgroups matching that pattern to be dropped. A pattern that begins with an exclamation mark (!) means the matching newsgroups are not sent. The simple pattern-matching syntax used in INN configuration files is referred to as a wildmat pattern.
• The third field is a comma-separated list of flags — fields that determine the feed-entry type and set certain parameters for the entry. You see numerous flags; type man newsfeeds and read the man page for more information about the flags.
• The fourth field is for parameters whose values depend on the settings in the third field. Typically, this field contains names of files or external programs that the INN server uses. You can find more about this field from the newsfeeds man page.

Now that you know the layout of the /etc/news/newsfeeds file, you can study that file as an example. The default file contains many sample feed entries, but only two are commented out:

• ME is a special feed entry that’s always required. It serves two purposes. First, the newsgroup patterns listed in this entry are used as a prefix for all newsgroup patterns in all other entries. Second, the ME entry’s distribution list determines what distributions your server accepts from remote sites.
• The controlchan feed entry is used to set up INN so that an external program is used to handle control messages. (These messages are used to create new newsgroups and remove groups.) For example, the following controlchan entry specifies the external program /usr/ lib/news/bin/controlchan to handle all control messages, except cancel messages (meant for canceling an article):

  controlchan!\
  :!*,control,control.*,!control.cancel\
  :Tc,Wnsm:/usr/lib/news/bin/controlchan

In addition to these feed entries, you add entries for any actual sites to which your news server provides news feeds. Such entries have the format

feedme.domain.com\
:!junk,!control/!foo\
:Tm:innfeed!

where feedme.domain.com is the fully qualified domain name of the site to which your system sends news articles.

The incoming.conf file

The incoming.conf file describes which hosts are allowed to connect to your host to feed articles. For a single feed, you can add an entry like

peer mybuddy {
hostname: a-feed-site.domain.com
}

where mybuddy is a label for the peer and a-feed-site.domain.com identifies the site that feeds your site.

Keep in mind that simply adding a site’s name in the incoming.conf file does not cause that remote site to start feeding news to your site; it simply enables your server to accept news articles from the remote site. At the remote site, your buddy has to configure his or her server to send articles to your site.

The readers.conf file

The readers.conf file specifies the host names or IP addresses from which newsreader clients (such as Mozilla) can retrieve newsgroups from your server. For example, the following readers.conf file allows read access and post access (meaning you can submit articles) from localhost and from any host in the network 192.168.0.0:

auth “localhost” {
hosts: “localhost, 127.0.0.1, stdin”
default: “<localhost>”
}
access “localhost” {
users: “<localhost>”
newsgroups: “*”
access: RPA
}
auth “localnet” {
hosts: 192.168.0.0/24
default: “<localnet>”
}
access “localnet” {
users: “<localnet>”
newsgroups: “*”
access: RPA
}

InterNetNews startup

In addition to the configuration files, you also have to initiate cron jobs that perform periodic maintenance of the news server. In Fedora, these cron jobs are already set up. Therefore, you’re now ready to start the INN server — innd.

Before you start innd, you must run makehistory and makedbz to initialize and rebuild the INN history database. Type man makehistory and man makedbz to find out more about these commands. To create an initial history database, associated indexes, and set the ownerships and permissions of some files, type the following commands:

/usr/lib/news/bin/makehistory -b -f history -O -l 30000 -I
cd /var/lib/news
/usr/lib/news/bin/makedbz -s `wc -l < history` -f history
chown news.news *
chown news.news /var/spool/news/overview/group.index
chmod 664 /var/spool/news/overview/group.index

To start innd in Fedora, log in as root and type /etc/init.d/innd start. (Alternatively, you can type service innd start.) In Debian, SUSE, Ubuntu, and Xandros, type /etc/init.d/inn start. To ensure that innd starts at boot time, type chkconfig --level 35 innd on in Fedora and chkconfig --level 35 inn on in SUSE. In Debian and Xandros, type update-rc.d inn defaults.

If you make any changes to the INN configuration files, remember to restart the server by invoking the /etc/init.d script with restart as the argument.

Setting Up Local Newsgroups

If you want to use newsgroups as a way to share information within your company, you can set up a hierarchy of local newsgroups. Then you can use these newsgroups to create virtual communities within your company, where people with shared interests can informally discuss issues and exchange knowledge.

Defining a newsgroup hierarchy

The first task is to define a hierarchy of newsgroups, deciding what each newsgroup discusses. For example, if your company name is XYZ Corporation, here’s a partial hierarchy of newsgroups you might define:

• xyz.general: General items about XYZ Corporation

• xyz.weekly.news: Weekly news

• xyz.weekly.menu: The weekly cafeteria menu and any discussions about it

• xyz.forsale: A listing of items offered for sale by employees

• xyz.jobs: Job openings at XYZ Corporation

• xyz.wanted: Wanted (help, items to buy, and so on) postings by employees

• xyz.technical.hardware: Technical discussions about hardware

• xyz.technical.software: Technical discussions about software

Updating configuration files

Following are the steps you follow to update the configuration files for your local newsgroups and restart the news server:

1. Add descriptive entries for each newsgroup to the /var/lib/news/newsgroups file.

   Add to this file a line for each local newsgroup — type its name followed by a brief description. For example, here’s what you might add for the xyz.general newsgroup:

   xyz.general General items about XYZ Corporation

2. Edit the ME entry in the /etc/news/newsfeeds file and add the phrase ,!xyz.* to the comma-separated list of newsgroup patterns.

   This step ensures that your local newsgroups are not distributed outside your site.

3. Add a storage method to use for the local newsgroups.

   For example, you can add the following lines in /etc/news/storage. conf to define the storage method for the new xyz hierarchy of newsgroups (change xyz to whatever you name your local newsgroups):

   method tradspool {
   class: 1
   newsgroups: xyz.*
   }

4. To make these changes effective, restart the news server.

   Type service innd restart in Fedora or /etc/init.d/inn restart in Debian, SUSE, Ubuntu, and Xandros.)

Adding the newsgroups

The final step is to add the newsgroups. After you update the configuration files and run innd, adding a local newsgroup is easy. Log in as root and use ctlinnd to perform this task. For example, here’s how you add a newsgroup named xyz.general:

/usr/lib/news/bin/ctlinnd newsgroup xyz.general

That’s it! That command adds the xyz.general newsgroup to your site. If you use the traditional storage method, the innd server creates the directory /var/spool/news/articles/xyz/general the first time an article is posted and stores articles for that newsgroup in that directory.

After you create all the local newsgroups, users from your intranet can post news articles and read articles in the local newsgroups. If they have problems accessing the newsgroups, make sure that the /etc/news/readers. conf file contains the IP addresses or names of the hosts that have access to the innd server.

Testing your newsgroups

For example, add a newsgroup named local.news on an INN server running on your Linux system by using the instructions explained in the previous sections. Then start a newsreader and set up a new news account with the news server set to the INN server. Then access the local.news newsgroup. Try it! You’ll like it.

next Managing DNS in Linux

Managing Mail and News Servers in Linux

previous Linux Servers

Electronic mail (e-mail) is one of the popular services available on Internet hosts. E-mail software comes in two parts: a mail transport agent (MTA), which physically sends and receives mail messages, and a mail user agent (MUA), which reads messages and prepares new messages. This chapter describes the e-mail service and shows you how to configure the sendmail server on a Linux PC.

Internet newsgroups provide another convenient way, besides e-mail, to discuss various topics and share your knowledge with others. Linux comes with the software you need to read newsgroups and set up your own system as a news server. This chapter also describes how to configure and run the popular InterNetNews server and shows how to set up local newsgroups for your corporate intranet (or even your home network).

Installing the Mail Server

Depending on the choices you made during your Linux installation, you may have already installed the mail server software on your system. You can choose from several mail servers, such as exim, postfix, and sendmail — your sendmail is briefly covered in this chapter. If sendmail is not installed, you can easily install it.

In Debian, Ubuntu, and Xandros, type dpkg -l sendmail* to see if sendmail is installed. In Fedora and SUSE, type rpm -qa | grep sendmail to see if the sendmail package is installed.

In Debian and Ubuntu, type apt-get install sendmail to install the sendmail server. In Fedora, log in as root, and type rpm -ivh sendmail*. In SUSE, click Software Management in the YaST Control Center’s Software category. Then use YaST’s search facility to find the sendmail package and install it.

Using sendmail

To set up your system as a mail server, you must configure the sendmail mail transport agent properly. sendmail has the reputation of being a complex but complete mail-delivery system. Just one look at sendmail’s configuration file — /etc/mail/sendmail.cf in Fedora or /etc/sendmail. cf in SUSE — can convince you that sendmail is indeed complex. Luckily, you don’t have to be an expert on the sendmail configuration file. All you need is one of the predefined configuration files — such as the one installed on your system — to use sendmail.

Your system already has a working sendmail configuration file — /etc/ mail/sendmail.cf. The default file assumes you have an Internet connection and a name server. Provided that you have an Internet connection and that your system has an official domain name, you can send and receive e-mail from your Linux PC.

To ensure that mail delivery works correctly, your system’s name must match the system name that your ISP has assigned to you. Although you can give your system any hostname you want, other systems can successfully deliver mail to your system only if your system’s name is in the ISP’s name server.

A mail-delivery test

To try the sendmail mail transfer agent, you can use the mail command to compose and send a mail message to any user account on your Linux system. As a test, compose a message and send it to yourself. For example, here’s how to send a message using the mail command. (Input appears in boldface.)

mail edulaney
Subject: Testing e-mail
This is from my Linux system.
.

The mail command is a simple mail user agent. In the preceding example, the addressee (edulaney) is specified in the command line. The mail program prompts for a subject line. Following the subject, enter the message and end it with a line that contains only a period. You will be prompted for a Cc:, but leave that blank. After ending the message, the mail user agent passes the message to sendmail (the mail transport agent) for delivery to the specified address. sendmail delivers the mail message immediately. To verify the delivery of mail, type mail to run the mail command again and read the message.

If any of your mail server software is not properly installed, you should be prompted during this test to install any needed components and resolve the problem.

Thus, the initial sendmail configuration file is adequate for sending and receiving e-mail, at least within your Linux system. External mail delivery also works, provided that your Linux system has an Internet connection and a registered domain name.

If you have an ISP account that provides your Linux system with a dynamic IP address, you have to use a mail client such as Evolution or Mozilla Mail, which contacts your ISP’s mail server to deliver outbound e-mail.

The mail-delivery mechanism

On an Internet host, the sendmail mail transport agent delivers mail using the Simple Mail Transfer Protocol (SMTP). SMTP-based mail transport agents listen to TCP port 25 and use a small set of text commands to exchange information with other mail transport agents. SMTP commands are simple enough that you can use them manually from a terminal to send a mail message. The telnet command opens a TELNET session to port 25 (the port on which sendmail expects SMTP commands). The sendmail process on the Linux system immediately replies with an announcement.

You can type HELP to view a list of SMTP commands. To get help on a specific command, type HELP commandname. Type HELO localhost to initiate a session with the host. The sendmail process replies with a greeting. To send the mail message, start with the MAIL FROM: command, which specifies the sender of the message. Next, use the RCPT TO: command to specify the recipient of the message. If you want to send the message to several recipients, provide each recipient’s address with the RCPT TO: command.

To enter the mail message, use the DATA command. In response to the DATA command, sendmail displays an instruction that you have to end the message with a period on a line by itself. After doing this, the sendmail process displays a message indicating that the message is accepted for delivery. You can then quit the sendmail session with the QUIT command.

The sendmail configuration file

You don’t have to understand everything in the sendmail configuration file, sendmail.cf, but you need to know how that file is created. That way, you can make minor changes if necessary and regenerate the sendmail.cf file.

In SUSE, you can configure sendmail through the YaST Control Center — choose System➪Control Center (YaST) from the main menu. Click Network Services in the left side of the window, and then click Mail Transfer Agent in the right side of the window. YaST displays a window that you can use to configure sendmail. First you specify the general settings, then the settings for outgoing mail, and finally the settings for incoming mail. After you exit the mail configuration utility, YaST stores the mail settings in the files /etc/ sysconfig/sendmail and /etc/sysconfig/mail and then runs SuSE config to update the sendmail configuration file (/etc/sendmail.cf).

You can also generate the sendmail.cf file from a number of m4 macro files (text files in which each line eventually expands to multiple lines that mean something to some program). These macro files are organized into a number of subdirectories in the /usr/share/sendmail-cf directory in Fedora or the /usr/share/sendmail directory in SUSE. You can read the README file in that directory to find out more about the creation of sendmail configuration files.

The m4 macro processor

The m4 macro processor generates the sendmail.cf configuration file, which comes with the sendmail package in Linux. The main macro file, named sendmail.mc, generic_linux.mc, or linux.mc, is included with the sendmail package.

So what’s a macro? A macro is basically a symbolic name for code that handles some action, usually in a shorthand form that substitutes for a long string of characters. A macro processor such as m4 usually reads its input file and copies it to the output, processing the macros along the way. The processing of a macro generally involves performing some action and generating some output. Because a macro generates a lot more text in the output than merely the macro’s name, the processing of macros is referred to as

macro expansion.

The m4 macro processor is stream-based. That means it copies the input characters to the output while it’s busy expanding any macros. The m4 macro processor does not have any concept of lines, so it copies newline characters (that mark the end of a line) to the output. That’s why in most m4 macro files you see dnl, an m4 macro that stands for delete through newline. The dnl macro deletes all characters starting at the dnl up to and including the next newline character. The newline characters in the output don’t cause any harm; they merely create unnecessary blank lines. The sendmail macro package uses dnl to avoid such blank lines in the output configuration file. Because dnl basically means delete everything up to the end of the line, m4 macro files also use dnl as the prefix for comment lines.

To see a simple use of m4, consider the following m4 macro file, which defines two macros — hello and bye — and uses them in a form letter:

dnl ###################################################
dnl # File: ex.m4
dnl # A simple example of m4 macros
dnl ###################################################
define(`hello’, `Dear Sir/Madam’)dnl
define(`bye’,
`Sincerely,
Customer Service’)dnl
dnl Now type the letter and use the macros
hello,
This is to inform you that we received your recent inquiry.
We will respond to your question soon.
bye

Type this text (using your favorite text editor) and save it in a file named ex.m4. You can name a macro file anything you like, but using the .m4 extension for m4 macro files is customary.

Before you process the macro file by using m4, note the following key points about the example:

• Use the dnl macro to start all the comment lines, as in the first four lines in the example.
• End each macro definition with the dnl macro. Otherwise, when m4 processes the macro file, it produces a blank line for each macro definition.
• Use the built-in m4 command define to define a new macro. The macro name and the value are both enclosed between a pair of left and right single quotes (‘ . . . ’). Note that you cannot use the plain single quote to enclose the macro name and definition.

Now process the macro file ex.m4 by typing the following command:

m4 ex.m4

m4 processes the macros and displays the following output:

Dear Sir/Madam,
This is to inform you that we received your recent inquiry.
We will respond to your question soon.
Sincerely,
Customer Service
Sounds just like a typical customer service form letter, doesn’t it?

If you compare the output with the ex.m4 file, you see that m4 prints the form letter on standard output, expanding the macros hello and bye into their defined values. If you want to save the form letter in a file called letter, use the shell’s output redirection feature, like this:

m4 ex.m4 > letter

What if you want to use the word hello or bye in the letter without expanding them? You can do so by enclosing these words in a pair of single quotes (‘ . . . ’). You have to do so for other predefined m4 macros, such as define. To use define as a plain word, not as a macro to expand, type ‘define’.

The sendmail macro file

The simple example in the preceding section gives you an idea of how m4 macros are defined and used to create configuration files such as the sendmail.cf file. You find many complex macros stored in files in the /usr/share/sendmail-cf directory in Fedora or the /usr/share/ sendmail directory in SUSE. A top-level macro file (called sendmail.mc in Fedora and linux.mc in SUSE), described later in this section, brings in these macro files with the include macro (used to copy a file into the input stream).

To avoid repeatedly mentioning different file and directory names for different distributions such as Fedora and SUSE, I use the file and directory names for Fedora in the following discussions. The general discussions apply to sendmail in all Linux distributions, but you have to replace the file and directory names with those for your specific distribution.

By defining its own set of high-level macros in files located in the /usr/ share/sendmail-cf directory, sendmail essentially creates its own macro language. The sendmail macro files use the .mc extension. The primary sendmail macro file you configure is sendmail.mc, located in the / etc/mail directory.

Compared to the /etc/mail/sendmail.cf file, the /etc/mail/send mail.mc file is shorter and easier to work with. Here are some lines from the /etc/mail/sendmail.mc file that comes with Fedora:

divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # /etc/mail/make
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4’)dnl
VERSIONID(`setup for linux’)dnl
OSTYPE(`linux’)dnl
dnl #
dnl # Do not advertise sendmail version.
dnl #
dnl define(`confSMTP_LOGIN_MSG’, `$j Sendmail; $b’)dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL’, `9’)dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST’, `smtp.your.provider’)dn
. . . lines deleted . . .
dnl #
dnl MASQUERADE_AS(`mydomain.com’)dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl

If you make changes to the /etc/mail/sendmail.mc file, you must generate the /etc/mail/sendmail.cf file by running the sendmail.mc file through the m4 macro processor with the following command. (You have to log in as root.)

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

The comments also tell you that you need the sendmail-cf package to process this file.

From the previous section’s description of m4 macros, you can see that the sendmail.mc file uses define to create new macros. You can also see the liberal use of dnl to avoid inserting too many blank lines into the output.

The other uppercase words (such as OSTYPE, FEATURE, and MAILER) are sendmail macros. These are defined in the .m4 files located in the subdirectories of the /usr/share/sendmail-cf directory and are incorporated into the sendmail.mc file with the following include macro:

include(`usr/share/sendmail-cf/m4/cf.m4’)dnl

The /usr/share/sendmail-cf/m4/cf.m4 file, in turn, includes the cfhead.m4 file, which includes other m4 files, and so on. The net effect is as follows: As the m4 macro processor processes the sendmail.mc file, the macro processor incorporates many m4 files from various subdirectories of /usr/share/sendmail-cf.

Here are some key points to note about the /etc/mail/sendmail.mc file:

• VERSIONID(‘setup for linux’) macro inserts the version information enclosed in quotes into the output.
• OSTYPE(‘linux’) specifies Linux as the operating system. You have to specify this macro early to ensure proper configuration. Placing this macro right after the VERSIONID macro is customary.
• MAILER(smtp) describes the mailer. According to instructions in the /usr/share/sendmail-cf/README file, MAILER declarations are always placed at the end of the sendmail.mc file and MAILER(smtp) always precedes MAILER(procmail). The mailer smtp refers to the SMTP mailer.
• FEATURE macros request various special features. For example, FEATURE(`blacklist_recipients’) turns on the capability to block incoming mail for certain usernames, hosts, or addresses. The specification for what mail to allow or refuse is placed in the access database (stored in /etc/mail/access.db file). You also need the FEATURE(`access_db’) macro to turn on the access database.
• MASQUERADE_AS(`mydomain.com’) causes sendmail to label outgoing mail as having come from the host mydomain.com (replace my domain with your domain name). The idea is for a large organization to set up a single sendmail server that handles the mail for many subdomains and makes everything appear to come from a single domain. (For example, mail from many departments in a university appears to come from the university’s main domain name.)
• MASQUERADE_DOMAIN(subdomain.mydomain.com) instructs send mail to send mail from an address such as user@subdomain.my domain.com as having originated from the same username at the domain specified by the MASQUERADE_AS macro.

The sendmail macros such as FEATURE and MAILER are described in the /usr/share/sendmail-cf/README file. Consult that file to find out more about the sendmail macros before you make changes to the sendmail.mc file.

Syntax of the sendmail.cf file

The sendmail.cf file’s syntax is designed to be easy to parse by the send mail program because sendmail reads this file whenever it starts. Human readability was not a primary consideration when the file’s syntax was designed. Still, with a little explanation, you can understand the meaning of the control lines in sendmail.cf.

Each sendmail control line begins with a single-letter operator that defines the meaning of the rest of the line. A line that begins with a space or a tab is considered a continuation of the previous line. Blank lines and lines beginning with a pound sign (#) are comments.

Often, no space is between the single-letter operator and the arguments that follow the operator, which makes the lines even harder to understand. For example, sendmail.cf uses the concept of a class — essentially a collection of phrases. You can define a class named P and add the phrase REDIRECT to that class with the following control line:

CPREDIRECT

Because everything runs together, the command is hard to decipher. On the other hand, to define a class named Accept and set it to the values OK and RELAY, write the following:

C{Accept}OK RELAY

This command may be slightly easier to understand because the delimiters (such as the class name, Accept) are enclosed in curly braces.

Other, more recent control lines are even easier to understand. For example, the line

O HelpFile=/etc/mail/helpfile

defines the option HelpFile as the filename /etc/mail/helpfile. That file contains help information that sendmail uses when it receives a HELP command.

Table 2-1 summarizes the one-letter control operators used in sendmail. cf. Each entry also shows an example of that operator. This table helps you understand some of the lines in sendmail.cf.

Table 2-1	Control Operators Used in sendmail.cf
Operator	Description
C	Defines a class; a variable (think of it as a set) that can contain several values. For example, Cwlocalhost adds the name localhost to the class w.
D	Defines a macro, a name associated with a single value. For example, DnMAILER-DAEMON  defines the macro n as MAILER-DAEMON.
F	Defines a class that’s been read from a file. For example, Fw/etc/mail/local-host-names reads the names of hosts from the file /etc/mail/local-host-names and adds them to the class w.
H	Defines the format of header lines that sendmail inserts into a message. For example, H?P?Return-Path:  <$g> defines the Return-Path: field of the header.
K	Defines a map (a key-value pair database). For example, Karitharith defines the map named arith as the compiled-in map of the same name.
M	Specifies a mailer. The following lines define the procmail mailer: Mprocmail,P=/usr/bin/procmail,F=DFMSPh nu9,S=EnvFromSMTP/HdrFromSMTP,R=EnvToSMTP/ HdrFromSMTP,T=DNS/RFC822/X-Unix,A=procmail -Y  -m  $h  $f  $u.
O	Assigns a value to an option. For example, O  AliasFile=/etc/aliases defines the AliasFile option to /etc/ aliases, which is the name of the sendmail alias file.
P	Defines values for the precedence field. For example, Pjunk=-100 sets to -100 the precedence of messages marked with the header field Precedence:  junk.
R	Defines a rule. (A rule has a left side and a right side; if input the left side, the right side replaces it. This rule is called rewriting.) For example, the rewriting rule R$* ;  $1 strips trailing semicolons.
S	Labels a ruleset you can start defining with subsequent R control lines. For example, Scanonify=3 labels the next ruleset as canonify and ruleset 3.
T	Adds a username to the trusted class (class t). For example, Troot adds root to the class of trusted users.
V	Defines the major version number of the configuration file. For example, V10/Berkeley defines the version number as 10.

Other sendmail files

The /etc/mail directory contains other files that sendmail uses. These files are referenced in the sendmail configuration file, /etc/mail/sendmail.cf in Fedora and /etc/sendmail.cf in SUSE. For example, here’s how you can search for the /etc/mail string in the /etc/mail/sendmail.cf file in Fedora:

grep “\/etc\/mail” /etc/mail/sendmail.cf

Here’s what the grep command displays as a result of the search on a typical Fedora system:

Fw/etc/mail/local-host-names
FR-o /etc/mail/relay-domains
Kmailertable hash -o /etc/mail/mailertable.db
Kvirtuser hash -o /etc/mail/virtusertable.db
Kaccess hash -T<TMPF> -o /etc/mail/access.db
#O ErrorHeader=/etc/mail/error-header
O HelpFile=/etc/mail/helpfile
O UserDatabaseSpec=/etc/mail/userdb.db
#O ServiceSwitchFile=/etc/mail/service.switch
#O DefaultAuthInfo=/etc/mail/default-auth-info
Ft/etc/mail/trusted-users

You can ignore the lines that begin with a hash mark, or number sign (#) because sendmail treats those lines as comments. The other lines are sendmail control lines that refer to other files in the /etc/mail directory.

Here’s what some of these sendmail files are supposed to contain. (Note that not all of these files have to be present in your /etc/mail directory, and even when present, some files may be empty.)

• /etc/mail/access: Names or IP addresses or both of hosts allowed to send mail (useful in stopping spam — unwanted e-mail).
• /etc/mail/access.db: Access database generated from the /etc/mail/access file.
• /etc/mail/helpfile: Help information for SMTP commands.
• /etc/mail/local-host-names: Names by which this host is known.
• /etc/mail/mailertable: Mailer table used to override how mail is routed. (For example, the entry comcast.net smtp:smtp.comcast. net tells sendmail that mail addressed to comcast.net has to be sent to smtp.comcast.net.)
• /etc/mail/relay-domains: Hosts that permit relaying.
• /etc/mail/trusted-users: List of users allowed to send mail using other user’s names without a warning.
• /etc/mail/userdb.db: User database file containing information about each user’s login name and real name.
• /etc/mail/virtusertable: Database of users with virtual-domain addresses hosted on this system.

The /etc/mail directory sometimes contains other files — /etc/mail/ certs and the files with the .pem extension — that are meant for supporting Privacy Enhanced Mail (PEM) in sendmail by using the STARTTLS extension to SMTP. The STARTTLS extension uses TLS (more commonly known as SSL — Secure Sockets Layer) to authenticate the sender and encrypt mail. RFC 2487 describes STARTTLS. (This RFC is available online at http://ietf.org/rfc/rfc2487.txt.)

If you edit the /etc/mail/mailertable file, you have to type the following command before the changes take effect:

makemap hash /etc/mail/mailertable < /etc/mail/mailertable

Here is an easier way to make sure that you rebuild everything necessary after making any changes — just type the following commands while logged in as root:

cd /etc/mail
make
The first command changes the current directory to /etc/mail, and the second command runs the make command, which reads a file named Makefile in /etc/mail to perform the steps necessary to rebuild everything.
The .forward file

Users can redirect their own mail by placing a .forward file in their home directory. The .forward file is a plain-text file with a comma-separated list of mail addresses. Any mail sent to the user is instead forwarded to these addresses. If the .forward file contains a single address, all e-mail for that user is redirected to that single e-mail address. For example, suppose a .forward file containing the following line is placed in the home directory of a user named emily:

ashley
This line causes sendmail to automatically send all e-mail addressed to emily to the username ashley on the same system. User emily does not receive mail at all.

You can also forward mail to a username on another system by listing a complete e-mail address. For example, you can add a .forward file with the following line to send messages addressed to username wilbur to the mail address wilbur@somewhereelse.net:

wilbur@somewhereelse.net

To keep a copy of the message on the original system, in addition to forwarding to the preceding specified address, add the following line to the .forward file:

wilbur@somewhereelse.net, wilbur\

Simply append the username and end the line with a backslash (\). The backslash at the end of the line stops sendmail from repeatedly forwarding the message.

The sendmail alias file

In addition to the sendmail.cf file, sendmail also consults an alias file named /etc/aliases to convert a name into an address. The location of the alias file appears in the sendmail configuration file.

Each alias is typically a shorter name for an e-mail address. The system administrator uses the sendmail alias file to forward mail, to create a mailing list (a single alias that identifies several users), or to refer to a user by several different names. For example, here are some typical aliases:

brown: glbrown
all: jessica, isaac, alex, caleb, glbrown

After defining any new aliases in the /etc/aliases file, you must log in as root and make the new alias active by typing the following command:

sendmail –bi

next Installing the INN Server

Linux Servers

previous Performing Computer Security Audits

Managing Internet Services

The Internet is a world of clients and servers. Clients make requests to servers, and servers respond to the requests. For example, your Web browser is a client that downloads information from Web servers and displays it to you. Of course, the clients and servers are computer programs that run on a wide variety of computers. A Linux system is an ideal system to run different types of servers — from a Web server to a Windows file and print server. This chapter provides an overview of a typical Internet service and its client/server architecture, and discusses how to manage the servers in Linux. You can use the information in this chapter to manage any server running on your Linux system.

Understanding Internet Services

Internet services are network applications designed to deliver information from one system to another. By design, each Internet service is implemented in two parts — a server that provides information and one or more clients that request information.

Such a client/server architecture is the most common way to build distributed information systems. The clients and servers are computer programs that run on these computers and communicate through the network. The neat part is that you can run a client at your desktop computer and access information from a server running on a computer anywhere in the world (as long as it’s on the Internet).

The Web itself, e-mail, and FTP (File Transfer Protocol) are examples of Internet services that use the client/server model. For example, when you use the Web, you use the Web browser client to download and view Web pages from the Web server.

Client/server architecture requires clients to communicate with the servers. That’s where the Transmission Control Protocol/Internet Protocol — TCP/IP — comes in. TCP/IP provides a standard way for clients and servers to exchange packets of data. The next few sections explain how TCP/IP-based services communicate.

TCP/IP and sockets

Client/server applications such as the Web and FTP use TCP/IP for data transfers between client and server. These Internet applications typically use TCP/IP communications utilizing the Berkeley sockets interface (so named because the socket interface was introduced in Berkeley UNIX around 1982). The sockets interface is nothing physical — it’s simply some computer code that a computer programmer can use to create applications that can communicate with other applications on the Internet.

Even if you don’t write network applications using sockets, you may have to use or set up many network applications. Knowledge of sockets can help you understand how network-based applications work, which in turn helps you find and correct any problems with these applications.

Socket definition

Network applications use sockets to communicate over a TCP/IP network. A socket represents one end-point of a connection. Because a socket is bidirectional, data can be sent as well as received through it. A socket has three attributes:

• The network address (the IP address) of the system
• The port number, identifying the process (a process is a computer program running on a computer) that exchanges data through the socket
• The type of socket, identifying the protocol for data exchange

Essentially, the IP address identifies a computer (host) on the network; the port number identifies a process (server) on the node; and the socket type determines the manner in which data is exchanged — through a connectionoriented (stream) or connectionless (datagram) protocol.

Connection-oriented protocols

The socket type indicates the protocol being used to communicate through the socket. A connection-oriented protocol works like a normal phone conversation. When you want to talk to your friend, you have to dial your friend’s phone number and establish a connection before you can have a conversation. In the same way, connection-oriented data exchange requires both the sending and receiving processes to establish a connection before data exchange can begin.

In the TCP/IP protocol suite, TCP — Transmission Control Protocol — supports a connection-oriented data transfer between two processes running on two computers on the Internet. TCP provides reliable two-way data exchange between processes.

As the name TCP/IP suggests, TCP relies on IP — Internet Protocol — for delivery of packets. IP does not guarantee delivery of packets; nor does it deliver packets in any particular sequence. IP does, however, efficiently move packets from one network to another. TCP is responsible for arranging the packets in the proper sequence, detecting whether errors have occurred, and requesting retransmission of packets in case of an error.

TCP is useful for applications intended to exchange large amounts of data at a time. In addition, applications that need reliable data exchange use TCP. (For example, FTP uses TCP to transfer files.)

In the sockets model, a socket that uses TCP is referred to as a stream socket.

Connectionless protocols

A connectionless data-exchange protocol does not require the sender and receiver to explicitly establish a connection. It’s like shouting to your friend in a crowded room — you can’t be sure that your friend hears you.

In the TCP/IP protocol suite, the User Datagram Protocol (UDP) provides connectionless service for sending and receiving packets known as datagrams. Unlike TCP, UDP does not guarantee that datagrams ever reach their intended destinations. Nor does UDP ensure that datagrams are delivered in the order they’re sent.

UDP is used by applications that exchange small amounts of data at a time or by applications that don’t need the reliability and sequencing of data delivery. For example, SNMP (Simple Network Management Protocol) uses UDP to transfer data.

In the sockets model, a socket that uses UDP is referred to as a datagram socket.

Sockets and the client/server model

Two sockets are needed to complete a communication path. When two processes communicate, they use the client/server model to establish the connection. Figure 1-1 illustrates the concept. The server application listens on a specific port on the system — the server is completely identified by the IP address of the system where it runs and the port number where it listens for connections. The client initiates a connection from any available port and tries to connect to the server (identified by the IP address and port number).

When the connection is established, the client and the server can exchange data according to their own protocol.

Figure 1-1: Client and server processes use two sockets to communicate.

The sequence of events in socket-based data exchanges depends on whether the transfer is connection-oriented (TCP) or connectionless (UDP).

For a connection-oriented data transfer using sockets, the server listens on a specific port, waiting for clients to request connection. Data transfer begins only after a connection is established.

For connectionless data transfers, the server waits for a datagram to arrive at a specified port. The client does not wait to establish a connection; it simply sends a datagram to the server.

Regardless of whether it’s a server or a client, each application first creates a socket. Then it associates (binds) the socket with the local computer’s IP address and a port number. The IP address identifies the machine (where the application is running), and the port number identifies the application using the socket.

Servers typically listen to a well-known port number so that clients can connect to that port to access the server. For a client application, the process of binding a socket to the IP address and port is the same as that for a server, but the client can use 0 as the port number — the sockets library automatically uses an unused port number for the client.

For a connection-oriented stream socket, the communicating client and server applications have to establish a connection. The exact steps for establishing a connection depend on whether the application is a server or a client.

In the client/server model, the server has to be up and running before the client can run. After creating a socket and binding the socket to a port, the server application sets up a queue of connections, which determines how many clients can connect to the server. Typically, a server listens to anywhere from one to five connections. However, the size of the listen queue is one of the parameters you can adjust (especially for a Web server) to ensure that the server responds to as many clients as possible. After setting up the listen queue, the server waits for a connection from a client.

Establishing the connection from the client side is somewhat simpler. After creating a socket and binding the socket to an IP address, the client establishes a connection with the server. To make the connection, the client must know the host name or IP address of the server, as well as the port on which the server accepts connection. All Internet services have well-known standard port numbers.

After a client establishes a connection to a server via a connection-oriented stream socket, the client and server can exchange data by calling the appropriate sockets’ API functions. Like a conversation between two persons, the server and client alternately send and receive data — the meaning of the data depends on the message protocol that the server and clients use. Usually, a server is designed for a specific task; inherent in that design is a message protocol that the server and clients use to exchange necessary data. For example, the Web server and the Web browser (client) communicate using HTTP (HyperText Transfer Protocol).

Internet services and port numbers

The TCP/IP protocol suite is the lingua franca of the Internet because the Internet services speak TCP/IP. These services make the Internet tick by making possible the transfer of mail, news, and Web pages. Each Internet service has its own protocol that relies on TCP/IP for the actual transfer of the information. Each service also has one or more assigned port numbers that it uses to do whatever it’s designed to do. Here are some well-known Internet services and their associated protocols:

• DHCP (Dynamic Host Configuration Protocol): Dynamically configures TCP/IP network parameters on a computer. DHCP is used, primarily, to assign dynamic IP addresses and other networking information such as name server, default gateway, and domain names that are needed to configure TCP/IP networks. The DHCP server listens on port 67.
• FTP (File Transfer Protocol): Transfers files between computers on the Internet. FTP uses two ports: Data is transferred on port 20, and control information is exchanged on port 21.
• HTTP (HyperText Transfer Protocol): Sends documents from one system to another. HTTP is the underlying protocol of the Web. By default, the Web server and client communicate on port 80.
• SMTP (Simple Mail Transfer Protocol): Exchanges e-mail messages between systems. SMTP uses port 25 for information exchange.
• NNTP (Network News Transfer Protocol): Distributes news articles in a store-and-forward fashion across the Internet. NNTP uses port 119.
• SSH (Secure Shell): Enables secure remote login and other secure network services over an insecure network. SSH uses port 22.
• TELNET: Enables a user on one system to log into another system on the Internet. (The user must provide a valid user ID and password to log into the remote system.) TELNET uses port 23 by default, but the TELNET client can connect to any specified port.
• NFS (Network File System): Shares files among computers. NFS uses Sun’s Remote Procedure Call (RPC) facility, which exchanges information through port 111.
• NTP (Network Time Protocol): Synchronizes the system time on a client computer with that on a server with a more accurate clock. NTP uses port 123.
• SNMP (Simple Network Management Protocol): Manages all types of network devices on the Internet. Like FTP, SNMP uses two ports: 161 and 162.
• TFTP (Trivial File Transfer Protocol): Transfers files from one system to another. (It’s typically used by X terminals and diskless workstations to download boot files from another host on the network.) TFTP data transfer takes place on port 69.

Each service is provided by a server process — a computer program that runs on a system awaiting client requests that arrive at the well-known port associated with its service. Thus, the Web server expects client requests at port 80, the standard port for HTTP service.

The /etc/services text file on your Linux system stores the association between a service name and a port number (as well as a protocol). Here is a small subset of entries in the /etc/services file from a Linux system:

ftp-data 20/tcp
ftp 21/tcp
fsp 21/udp fspd
ssh 22/tcp # SSH Remote Login Protocol
ssh 22/udp
telnet 23/tcp
smtp 25/tcp mail
time 37/tcp timserver
time 37/udp timserver
rlp 39/udp resource # resource location
nameserver 42/tcp name # IEN 116
whois 43/tcp nicname
tacacs 49/tcp # Login Host Protocol (TACACS)

A quick look through the entries in the /etc/services file shows the breadth of networking services available under TCP/IP.

Port number 80 is designated for Web services. In other words, if you set up a Web server on your system, that server listens to port 80. By the way, IANA — the Internet Assigned Numbers Authority (www.iana.org) — is the organization responsible for coordinating the assignment of port numbers below 1,024.

Using the Internet Super Server

The client/server architecture of Internet services requires that the server be up and running before a client makes a request for service. It’s probably a bad idea to run all the servers all the time — doing so is impractical because each server process uses up system resources in the form of memory and processor time. Besides, you don’t really need all the services up and ready at all times. Instead, run a single server that listens to all the ports and then starts the appropriate server when a client request comes in. Such a server is known as the Internet super server because it starts various services on demand.

The two Internet super servers are inetd and xinetd. The inetd server is the older one and is still used in some Linux distributions such as Debian, Knoppix, Ubuntu, and Xandros. The xinetd server is a replacement for inetd, offering improved access control and logging. The name xinetd stands for extended inetd. Distributions such as Fedora and SUSE use xinetd.

Using inetd

In Linux distributions that use inetd, the system starts inetd when the system boots. The inetd server reads a configuration file named /etc/ inetd.conf at startup. This file tells inetd which ports to listen to and what server to start for each port. For example, the entry in the /etc/ inetd.conf file that starts the IMAP (Internet Message Access Protocol) on one server looks like this:

imaps stream tcp nowait root /usr/sbin/tcpd /usr/sbin/imapd

The first item on this line, imaps, tells inetd the name of the service. inetd uses this name to look up the port number from the /etc/services file. If you type grep imaps /etc/services, you find that the port number of the IMAP service is 993. This tells inetd to listen to port 993 for FTP service requests.

The rest of the fields on the IMAP entry have the following meanings:

• The second and third fields of the entry, stream and tcp, tell inetd that the FTP service uses a connection-oriented TCP socket to communicate with the client. For services that use the connectionless UDP sockets, these two fields are dgram and udp.
• The fourth field, nowait, tells inetd to start a new server for each request. If this field is wait, inetd waits until the server exits before starting the server again.
• The fifth field provides the user ID that inetd uses to run the server. In this case, the server runs the FTP server as root.
• The sixth field specifies the program to run for this service and the last field is the argument that inetd passes to the server program. In this case, the /usr/sbin/tcpd program is provided /usr/sbin/imapd as an argument.

The /usr/sbin/tcpd program is an access control facility, or a TCP wrapper, for Internet services. Because unnecessary Internet services are often the sources of security vulnerabilities, you may want to turn off any unneeded services or at least control access to the services. The tcpd program can start other services, such as FTP and TELNET, but before starting the service, tcpd consults the /etc/hosts.allow file to see if the host requesting service is allowed that service. If nothing is in /etc/hosts. allow about that host, tcpd checks the /etc/hosts.deny file to see if the service should be denied. If both files are empty, tcpd allows the host access to the requested service. You can place the line ALL:ALL in the /etc/hosts.deny file to deny all hosts access to any Internet services.

Browse through the /etc/inetd.conf file on your system to find out the kinds of services that inetd is set up to start. Nowadays, most inetd services are turned off, and many others, such as FTP, are started by standalone servers. In any case, if you should see any services that you want to turn off, simply place a hash mark (#) at the beginning of the lines that start these services. When you make such a change to the /etc/inetd.conf file, type /etc/init.d/inetd restart to restart the inetd server.

Using xinetd

Linux distributions that use xinetd start xinetd when the system boots. The xinetd server reads a configuration file named /etc/xinetd.con fat startup. This file tells xinetd which ports to listen to and what server to start for each port. The file can contain instructions that include other configuration files. In Linux, the /etc/xinetd.conf file looks like the following:

# Simple configuration file for xinetd
#
# Set some defaults and include /etc/xinetd.d/
defaults
{
instances = 30
log_type = FILE /var/log/xinetd.log
log_on_success = HOST EXIT DURATION
log_on_failure = HOST ATTEMPT
cps = 50 10
}
includedir /etc/xinetd.d
Comment lines begin with the hash mark (#). The defaults block of attributes, enclosed in curly braces ({ . . . }), specifies default values for some attributes. These default values apply to all other services in the configuration file. The instances attribute is set to 30, which means that no more than 30 servers can be simultaneously active for any service.

last line in the /etc/xinetd.conf file uses the includedir directive to include all files inside the /etc/xinetd.d directory, excluding files that begin with a period (.). The idea is that the /etc/xinetd.d directory contains all service-configuration files — one file for each type of service the xinetd server is expected to manage. Type ls /etc/xinetd.d to see the xinetd configuration files for your system. Each file in /etc/xinetd.d specifies attributes for one service that xinetd can start.

For example, SUSE Linux uses xinetd to start some services, including the vsftpd (Very Secure FTP daemon) server. (A daemon is a process that runs continuously and never dies.) Type cat /etc/xinetd.d/vsftpd to see the xinetd configuration for the vsftpd service. Here’s a typical listing of that file on a SUSE system:

# default: off
# description:
# The vsftpd FTP server serves FTP connections. It uses
# normal, unencrypted usernames and passwords for authentication.
# vsftpd is designed to be secure.
service ftp
{
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/sbin/vsftpd
}

The filename (in this case, vsftpd) can be anything; what matters is the service name that appears next to the service keyword in the file. In this case, the line service ftp tells xinetd the name of the service. xinetd uses this name to look up the port number from the /etc/services file.

The attributes in /etc/xinetd.d/vsftpd, enclosed in curly braces ({ . . . }), have the following meanings:

• The socket_type attribute is set to stream, which tells xinetd that the FTP service uses a connection-oriented TCP socket to communicate with the client. For services that use the connectionless UDP sockets, this attribute is set to dgram.
• The wait attribute is set to no, which tells xinetd to start a new server for each request. If this attribute is set to yes, xinetd waits until the server exits before starting the server again.
• The user attribute provides the user ID that xinetd uses to run the server. In this case, the server runs the TELNET server as root.
• The server attribute specifies the program to run for this service. In this case, xinetd runs the /usr/sbin/vsftpd program to provide the FTP service.

Browse through the files in the /etc/xinetd.d directory on your Linux system to find out the kinds of services xinetd is set up to start. If you want to turn off any service (many are already disabled), you can do so by editing the configuration file for that service and adding the following line inside the curly braces that enclose all attributes:

disable = yes

When you make such a change to the xinetd configuration files, you must restart the xinetd server by typing the following command:

/etc/init.d/xinetd restart

You can typically configure services to run under xinetd or as a standalone service. For example, SUSE starts the Very Secure FTP daemon (vsftpd) under the control of xinetd. Debian and Fedora, however, run vsftpd as a standalone server.

Running Standalone Servers

Starting servers through inetd or xinetd is a smart approach but not always efficient. A Web server controlled by inetd or xinetd, would be started often because every time a user clicks a link on a Web page, a request arrives for the Web service. For such high-demand services, starting the server in a standalone manner is best. In standalone mode, the server can run as a daemon. That means the server listens on the assigned port, and whenever a request arrives, the server handles it by making a copy of itself. In this way, the server keeps running as long as the machine is running — in theory, forever. A more efficient strategy, used for Web servers, is to run multiple copies of the server and let each copy handle some of the incoming requests.

You can easily configure your Linux system to start various standalone servers automatically, as shown in this section.
Starting and stopping servers manually

To start a service that’s not running, use the server command. For example, if the Web server (called httpd in Fedora) isn’t running, you can start it by issuing a special shell script with the following command:

/etc/init.d/httpd start

That command runs the /etc/init.d/httpd script with start as the argument. If the httpd server is already running and you want to stop it, run the same command with stop as the argument, like this:

/etc/init.d/httpd stop

To stop and start a server again, just use restart as the argument:

/etc/init.d/httpd restart

You can also check the status of any service by using status as the argument:

/etc/init.d/httpd status

In Debian, Ubuntu, and SUSE, where the Web server program is called apache2, type /etc/init.d/apache2 start to start the Web server. In Knoppix and Xandros, type /etc/init.d/apache start. Use that same command with arguments stop or restart to stop the Web server or restart it.

What are all the services that you can start and stop? Well, the answer is in the files in the /etc/init.d directory. To get a look at it, type the following command:

ls /etc/init.d

All the files you see listed in response to this command are the services installed on your Linux system — and you can start and stop them as needed. You typically find 65 to 70 services listed in the /etc/init.d directory.

Starting servers automatically at boot time

You can start, stop, and restart servers manually by using the scripts in the /etc/init.d directory, but you want some of the services to start as soon as you boot the Linux system. You can configure servers to start automatically at boot time by using a graphical server-configuration utility or a command.

The command for configuring services to start automatically depends on the distribution. In Debian, Knoppix, Ubuntu, and Xandros, use the updaterc.d command. In Fedora and SUSE, use the chkconfig command. Both commands are explained in the following sections.

Using the chkconfig command in Fedora and SUSE

The chkconfig program is a command-line utility in Fedora and SUSE for checking and updating the current setting of servers in Linux. Various combinations of servers are set up to start automatically at different run levels. Each run level represents a system configuration in which a selected set of processes runs. You’re usually concerned about run levels 3 and 5 because run level 3 is for text mode login and run level 5 is for logging in through a graphical interface.

The chkconfig command is simple to use. For example, suppose that you want to automatically start the named server at run levels 3 and 5. All you have to do is log in as root and type the following command at the shell prompt:

chkconfig --level 35 named on

To see the status of the named server, type the following command:

chkconfig --list named

You see a line of output similar to the following:

named 0:off 1:off 2:off 3:on 4:off 5:on 6:off

The output shows you the status of the named server at run levels 0 through 6. As you can see, named is set to run at run levels 3 and 5.

If you want to turn off named, you can do so with this command: chkconfig --level 35 named off

You can use chkconfig to see the status of all services, including the ones started through xinetd. For example, you can view the status of all services by typing the following command:

chkconfig --list | more

The output shows the status of each service for each of the run levels from 0 through 6. For each run level, the service is either on or off. At the very end of the listing, chkconfig displays a list of the services that xinetd controls. Each xinetd-based service is also marked on or off, depending on whether xinetd is configured to start the service.

Using the update-rc.d command in Debian, Knoppix, Ubuntu, and Xandros

In Debian, Knoppix, Ubuntu, and Xandros, you can use the update-rc.d command to set up services that should start when the system boots at specific boot levels. The easiest way to set up is to use the defaults option in a command of this form:

update-rc.d service defaults

where service is the name of the script file in the /etc/init.d directory that starts and stops the service, among other things.

you use the defaults option, update-rc.d sets up symbolic links — shortcuts, in other words — to start the service in run levels 2, 3, 4, and 5 and stop the service in run levels 0, 1, and 6. A sequence number controls the order in which each service is started. (Services with smaller sequence numbers start before those with larger sequence numbers, and the numbers typically range from 00 through 99.) If you do not specify a sequence number explicitly, update-rc.d uses a sequence number of 20 when you use the defaults option.

You can also start and stop a service at specific run levels as well as in a specific sequence. For example, to start a service at run levels 2 and 5 at a sequence number of 85 and stop it at run levels 0, 1, and 6 at a sequence of 90, use the following command:

update-rc.d service start 85 2 5 . stop 90 0 1 6 .

Remember that service must be the name of a script file in the /etc/ init.d directory.

If you need to stop a service from starting at system startup, type updaterc.d -f service remove in a terminal window, where service is the name of the script file in /etc/init.d that starts or stops that service.

Using a GUI service configuration utility

If you don’t like typing commands, you may be able to use a GUI tool to configure the services. Fedora and SUSE include such tools to manage the services.

In Fedora, choose System»System Settings»Service Manager from the KDE desktop and enter the root password when prompted. You can then turn on or off services from the Service Configuration window, as shown in Figure 1-2.

Figure 1-2: In Fedora, this is where you set services to start automatically at boot time.

The Service Configuration utility shows the names of services in a scrolling list. Each line in the list shows the name of a service with a check box in front of the name. A check mark in the box indicates that the service is selected to start at boot time for the current run level. When the dialog box first appears, many services are already selected.

You can scroll up and down the list and click the check box to select or deselect a service. If you click the check box, the check mark alternately turns on and off. Additionally, the utility also shows you whether the selected service is currently running.

After you select all the servers you want to start when the system boots, click the Apply button on the toolbar to save the changes.

By default, the service configuration utility configures the selected services for the current run level. That means if you’re selecting services from the graphical desktop, the system is in run level 5 and the services you configure are set to start at run level 5. If you want to set up the services for a different level, select that run level from the Edit Runlevel menu.

In SUSE, you can configure the services from YaST Control Center by opening the main menu and choosing System➪Control Center (YaST). Click System in the left window and then click System Services (Runlevel). YaST opens the System Services (Runlevel) window, as shown in Figure 1-3. To enable or disable services at specific run levels, click the Expert Mode button and edit the services in the new list that appears.

Figure 1-3: In SUSE, use this YaST window to specify services that start at boot time.

Table 1-1 shows a list of the services, along with a brief description of each one. The first column shows the name of the service, which is the same as the name of the program that has to run to provide the service. You may not see all these services listed when you run the GUI service configuration utility on your system because the exact list of services depends on what is installed on your Linux system.

Table 1-1	Some Common Services in Linux
Service Name	Description
Acpid	Listens to Advanced Configuration and Power Interface(ACPI) events from the kernel and notifies other programs when such events occur. ACPI events can occur when the kernel puts the computer into a low-power state (for example, standby mode) to save energy.
apache, apache2, or httpd	Runs the Apache World Wide Web (WWW) server.
Apmd	Monitors the Advanced Power Management (APM) BIOS and logs the status of electric power (AC or battery backup).
Atd	Runs commands scheduled by the at and cron commands.
Autofs	Automatically mounts file systems (for example, when you insert a CD-ROM in the CD-ROM drive).
cron or crond	Runs user-specified programs according to a periodic schedule set by the crontab command.
Gpm	Enables the use of the mouse in text mode screens.
Innd	The InterNetNews daemon — the Internet news server you can use to support local newsgroups on your system.
Isdn	Starts and stops ISDN (Integrated Services Digital Network) services — a digital communication service over regular phone lines (enable only if you have ISDN service).
Named	Translates host names into IP addresses. named is a server for the Domain Name System (DNS). You can run a copy on your system if you want.
network or networking	Enables you to activate or deactivate all network interfaces configured to start at system boot time.
nfs or nfsserver	Enables sharing of file systems specified in the /etc/ exports file using the Network File System (NFS) protocol.
Nfslock	Provides file-locking capability for file systems exported using the Network File System (NFS) protocol, so other systems (running NFS) can share files from your system.
Pcmcia	Provides support for PCMCIA devices.
Portmap	Works with any software that relies on Remote Procedure Calls (RPC). For example, NFS requires the portmap service.
samba, smb, or smbfs	Starts and stops the Samba smbd and nmbd services, which support LAN Manager services on a Linux system.
Sendmail	Moves mail messages from one machine to another. Start this service if you want to send mail from your Linux system. If you don’t plan to use your Linux system as a mail server, don’t start the sendmail server because it can slow down the booting process and consume unnecessary resources.
Snmpd	Manages networks. snmpd stands for Simple Network Management Protocol daemon.
Spamassassin	Runs spamd — the SpamAssassin mail filter program.
ssh or sshd	Runs the OpenSSH (Secure Shell) secure remote login facility.
syslog or syslogd	Logs various error and status messages in a log file (usually, the /var/log/messages file). This service is used by many other programs (including other services). Always run this service.
vsftpd	Transfers files using the File Transfer Protocol (FTP). vsftpd stands for Very Secure FTP daemon.
winbind	Starts and stops the Samba winbindd server, which provides a name-switch capability similar to that provided by the /etc/nsswitch.conf file.
xfs	Starts and stops the X font server.
xinetd	Starts other Internet services, such as TELNET and FTP, whenever they are needed. This server is the Internet super server, a replacement for the older inetd.
ypbind	Runs on Network Information System (NIS) clients and binds the clients to an NIS domain. You don’t have to start ypbind unless you’re using NIS.

next Managing Mail and News Servers in Linux