Saturday, November 24, 2007

Corporate IM gateway

Corporate Instant Messaging system.
Task: install a corporate Instant Messaging gateway with the ability to log all conversations, including transports to other IM networks (ICQ, MSN, AIM) and authentication of users against LDAP.
The choice between LCS (Live Communication Server, M$) and XMPP/Jabber was made instantly ;) .
All that remained was to choose which Jabber server to use.
The candidates considered:
chime (Java) http://www.codecobra.com/chime/
DJabberd (Perl) http://danga.com/djabberd/
ejabberd (Erlang) Home page and Community Site
jabberd14 (C) http://jabberd.org/
jabberd2 (C) http://jabberd2.xiaoka.com/
Openfire (Wildfire Server) (Java) http://www.igniterealtime.org/projects/openfire/
OpenIM (Java) http://www.open-im.net/
pretzel (Python) http://code.google.com/p/pretzel/
psyced (LPC) http://www.psyced.org/
Tigase (Java) http://www.tigase.org/
WPJabber (C) http://spik.wp.pl/jabber.html
xmppd.py (Python) http://xmpppy.sourceforge.net/

For comparison the following document has been taken: http://www.jabber.org/admin/jsc/

Based on that comparison, ejabberd was chosen, mainly for the following reasons:
1. Protocol standards compliance (XMPP Core, XMPP IM)
2. Fully distributable
3. The database can be replicated to many nodes
4. The default database, Mnesia, is suitable for small as well as big deployments
5. Code can be updated while ejabberd is running (a feature of Erlang)
6. Modules can be loaded and unloaded while ejabberd is running (a feature of Erlang)
7. Modular design
Installation
I installed ejabberd on FreeBSD 6.2; I don't think there will be large differences on a Linux system.
Installation was performed from ports using "portinstall".
Before starting the installation, download the following software:
diablo-jdk
tzupdater (JDK US DST Timezone Update Tool)
Execute the following:
cd /usr/ports/distfiles/
lynx 'http://www.FreeBSDFoundation.org/cgi-bin/download?download=diablo-caffe-freebsd6-i386-1.5.0_07-b01.tar.bz2'
(Read and follow the license agreement.)
Download tzupdater via your web browser from http://java.sun.com/javase/downloads/index.jsp
and copy tzupdater-x_x_x_x_x.zip to /usr/ports/distfiles/
Install ejabberd:
cd /usr/ports/
portinstall -p ejabberd-1.1.4
Don't enable ODBC support.
If all these components compiled and installed successfully, the following line should appear in /etc/rc.conf:

ejabberd_enable="YES"

DNS Records

The ejabberd server and clients can use DNS SRV records for hostname resolution. DNS SRV records delegate services, by port, to other hosts.
I describe the setup for BIND; if you use another DNS server, please check the following documentation: http://jabberd.jabberstudio.org/2/docs/section05.html#5_7
There are 3 SRV records that can be created for an ejabberd server installation:
_jabber._tcp.your_domain.com. 86400 IN SRV 5 0 5269 host.your_domain.com.
_xmpp-server._tcp.your_domain.com. 86400 IN SRV 5 0 5269 host.your_domain.com.
_xmpp-client._tcp.your_domain.com. 86400 IN SRV 5 0 5222 host.your_domain.com.

Replace "your_domain" with your domain name and "host" with the server's hostname, and don't forget the trailing "." after each domain name.

Let's configure ejabberd.
cp /usr/local/etc/ejabberd/ejabberd.cfg.example /usr/local/etc/ejabberd/ejabberd.cfg
cp /usr/local/etc/ejabberd/ejabberd.defaults.example /usr/local/etc/ejabberd/ejabberd.defaults
and edit the file:
vi /usr/local/etc/ejabberd/ejabberd.cfg
Add here the user who will have the administrator permission:
{acl, admin, {user, "alex"}}.
Change "localhost" to your server name:
% Host name:
{hosts, ["host.your_domain.com"]}.
Configure SSL support:
vi /usr/local/etc/ejabberd/ejabberd.cfg
% Listened ports:
{listen,
 [{5222, ejabberd_c2s, [{access, c2s},
                        {max_stanza_size, 65536},
                        starttls, {certfile, "/usr/local/etc/ejabberd/server.pem"},
                        {shaper, c2s_shaper}]},
  {5223, ejabberd_c2s, [{access, c2s},
                        {max_stanza_size, 65536},
                        tls, {certfile, "/usr/local/etc/ejabberd/server.pem"},
                        {shaper, c2s_shaper}]},
% Use STARTTLS+Dialback for S2S connections
{s2s_use_starttls, true}.
{s2s_certfile, "/usr/local/etc/ejabberd/server.pem"}.   % full path to the certificate file!!!
Now we will create the certificate:
cd /usr/local/etc/ejabberd/
openssl req -new -x509 -nodes -newkey rsa:1024 -days 3650 -keyout privkey.pem -out server.pem \
  -subj "/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN=host.your_domain.com/emailAddress=postmaster@your_domain.com"
cat privkey.pem >> server.pem
rm privkey.pem
After this, server.pem contains the private key as well as the certificate, so keep it readable only by the user ejabberd runs as.

...and start the server: /usr/local/etc/rc.d/ejabberd start
(To check it, try telnet localhost 5222, or 5223 for SSL.)

Now you have a working and reliable Jabber server.

LDAP

What about authentication? We need to authenticate users against an LDAP server and to use the LDAP directory as vCard storage.
Edit the file ejabberd.cfg:

vi /usr/local/etc/ejabberd/ejabberd.cfg
% Authentication method.
%{auth_method, internal}.           <--- !!! comment this line out !!!

% For LDAP authentication use these lines instead of the above one:
{auth_method, ldap}.
{ldap_servers, ["ldap.your_domain.com"]}.                  % List of LDAP servers
{ldap_uidattr, "uid"}.                                     % LDAP attribute that holds the user ID
{ldap_base, "ou=People,dc=your_domain,dc=com"}.            % Search base of the LDAP directory
{ldap_rootdn, "cn=jabber,ou=DSA,dc=your_domain,dc=com"}.   % LDAP manager (bind DN)
{ldap_password, "password"}.                               % Password of the LDAP manager

Now we want to use the users' LDAP info as their vCards. To do this, find and edit the following line in the section

% Used modules:

{mod_vcard_ldap, [{host, "ldap.your_domain.com"}]},
and then just restart ejabberd: /usr/local/etc/rc.d/ejabberd restart

Logging Messages

I used the "Bandersnatch" software for this purpose: http://funkypenguin.co.za/
Originally, this software works perfectly, but it has a little issue with different encodings.
I need to log different languages, such as French, Russian, Hebrew and Spanish, in my company.
So I made a little correction to the Perl script and the database structure of "Bandersnatch".
If someone is interested, please ask me by e-mail and I will send you the files in reply.

...unpack the "Bandersnatch" archive into a dedicated directory and make the bandersnatch Perl script executable:

chmod +x bandersnatch

Configure ejabberd:

Edit ejabberd.cfg and add this line to the 'modules' section:

{mod_service_log, [{loggers, ["bandlog.your_domain.com"]}]},

Add the following lines to the 'listen' section so that ejabberd listens for the Bandersnatch connection (bound to 127.0.0.1, so only a local process can connect):
% listen for Bandersnatch connections
{5526, ejabberd_service, [{ip, {127, 0, 0, 1}}, {access, all},
                          {hosts, ["bandlog.your_domain.com"],
                                  [{password, "password"}]}]}


Create the DB for the log system:
mysql -u root -pPassword bandlog < bandersnatch.sql   (I recommend using my bandersnatch.sql file)

Configure Bandersnatch:
edit config.xml
<server>
  <connectiontype>tcpip</connectiontype>
  <hostname>localhost</hostname>
  <port>5526</port>
  <secret>password</secret>
</server>
<component>
  <name>bandersnatch@bandlog.your_domain.com</name>
</component>
<mysql>
  <server>localhost</server>
  <dbname>bandlog</dbname>
  <username>bandlog</username>
  <password>bandlog</password>
</mysql>

Do not forget to add a new A record to DNS, for example:

bandlog A 192.168.1.1   (the Jabber server's IP)

Now restart your ejabberd server:
/usr/local/etc/rc.d/ejabberd restart
And run bandersnatch inside "screen":
/path/to/bandersnatch/bandersnatch config.xml
If you see output like this:
Bandersnatch: Connected to Jabber server (localhost) ...
Bandersnatch: Connected to MySQL database (bandlog@localhost) ...
you have successfully installed the system!


Transports
I strongly recommend reading these first:
http://wiki.blathersource.org/wiki/index.php/PyICQt
http://wiki.blathersource.org/wiki/index.php/PyAIMt
http://delx.cjb.net/pymsnt/docs/user.html
but if you have reached this point without a problem, you should not have any problems with the transport installation either.
I describe them together (ICQ, MSN, AIM). At the time of writing this article, the FreeBSD port jabber-yahoo-2.3.2_2 was marked IGNORE (broken);
please check the status of the Yahoo transport on the site http://yahoo-transport-2.jabberstudio.org/

So, let's install all needed software:
portinstall -p jabber-pyicq-transport-0.8a
portinstall -p jabber-pymsn-transport-0.11.2_2,1
portinstall -p jabber-pyaim-transport-0.8a


Add the following "A" records to DNS:
icq.your_domain.com
msn.your_domain.com
aim.your_domain.com

Edit the following rc scripts in /usr/local/etc/rc.d:
jabber-pyaim-transport
: ${jabber_pyaim_enable="YES"}
: ${jabber_pyaim_dir="/usr/local/lib/jabber/pyaim"}
: ${jabber_pyaim_piddir="/var/spool/ejabberd/pid"}
: ${jabber_pyaim_user="ejabberd"}

jabber-pyicq-transport
: ${jabber_pyicq_enable="YES"}
: ${jabber_pyicq_dir="/usr/local/lib/jabber/pyicq"}
: ${jabber_pyicq_piddir="/var/spool/ejabberd/pid"}
: ${jabber_pyicq_user="ejabberd"}

jabber-pymsn-transport
: ${jabber_pymsn_enable="YES"}
: ${jabber_pymsn_dir="/usr/local/lib/jabber/pymsn"}
: ${jabber_pymsn_piddir="/var/spool/ejabberd/pid"}
: ${jabber_pymsn_user="ejabberd"}

Do not forget to create the symlink and change the owner (the transports run as the ejabberd user set in the rc scripts above):
chown -R ejabberd /usr/local/lib/jabber/
chown -R ejabberd /var/spool/ejabberd/
ln -s /var/spool/ejabberd /var/spool/jabber

Now let's edit the ejabberd server config:
vi /usr/local/etc/ejabberd/ejabberd.cfg

in the section
% Listened ports:
add
% listen for PyICQt connections
{5347, ejabberd_service, [{access, all}, {host, "icq.your_domain.com",
                                          [{password, "preved"}]}]},

% listen for PyMSNt connections
{5348, ejabberd_service, [{host, "msn.your_domain.com",
                                 [{password, "password"}]}]},

% listen for PyAIMt connections
{5349, ejabberd_service, [{host, "aim.your_domain.com",
                                 [{password, "password"}]}]}

Edit the following transport configs:

jabber-pyicq.xml
<jid>icq.your_domain.com</jid>
<spooldir>/var/spool/ejabberd</spooldir>
<pid>/var/spool/ejabberd/pid/PyICQt.pid</pid>
<mainServer>127.0.0.1</mainServer>
<port>5347</port>
<secret>preved</secret>

jabber-pymsn.xml
<jid>msn.your_domain.com</jid>
<spooldir>/var/spool/ejabberd</spooldir>
<pid>/var/spool/ejabberd/pid/PyMSNt.pid</pid>
<mainServer>127.0.0.1</mainServer>
<port>5348</port>
<secret>password</secret>
<getAllAvatars/>

jabber-pyaim.xml
<jid>aim.your_domain.com</jid>
<spooldir>/var/spool/ejabberd</spooldir>
<pid>/var/spool/ejabberd/pid/PyAIMt.pid</pid>
<mainServer>127.0.0.1</mainServer>
<port>5349</port>
<secret>password</secret>


Last step: add the following lines to /etc/rc.conf:
jabber_pyicq_enable="YES"
jabber_pymsn_enable="YES"
jabber_pyaim_enable="YES"

Now restart Your eJabberd server:
/usr/local/etc/rc.d/ejabberd restart

and run all transports:
/usr/local/etc/rc.d/jabber-pyaim-transport start
/usr/local/etc/rc.d/jabber-pyicq-transport start
/usr/local/etc/rc.d/jabber-pymsn-transport start



P.S.
You can find more about Jabber client software here: http://en.wikipedia.org/wiki/List_of_Jabber_client_software
I recommend "Psi" and "Gajim".







Sunday, November 11, 2007

PostgreSQL checkpoints

PostgreSQL checkpoints.

In the documentation ( http://www.postgresql.org/docs/ ) the PostgreSQL checkpoint parameters are described as follows:
checkpoint_segments
Maximum distance between automatic WAL checkpoints, in log file segments (each segment is normally 16 megabytes). The default is three segments. This parameter can only be set in the postgresql.conf file or on the server command line.
checkpoint_timeout
Maximum time between automatic WAL checkpoints, in seconds. The default is five minutes (5min). This parameter can only be set in the postgresql.conf file or on the server command line.
checkpoint_warning
Write a message to the server log if checkpoints caused by the filling of checkpoint segment files happen closer together than this many seconds (which suggests that checkpoint_segments ought to be raised). The default is 30 seconds (30s). Zero disables the warning. This parameter can only be set in the postgresql.conf file or on the server command line.
Let me describe this in more detail:

When the transaction log runs out of free space, a checkpoint takes place. It orders the system to flush all not-yet-written data to disk, so that the log becomes available for use once again. A checkpoint also takes place not only on that occasion but after a certain period of time, typically 5 min. When there is heavy write activity on the database, the transaction log fills up too quickly, and this in turn leads to a substantial slowdown because of the resulting flushes to disk.

Determining the current checkpoint frequency:

Checkpoints should take place every couple of minutes. If they take place too frequently (for instance, every minute), system performance drops noticeably. To find out how often the system currently performs checkpoints, you can analyze the timestamps in the log. First, however, make sure that timestamps are written to the log. Check the following option in the file postgresql.conf:

log_timestamp = true

After that change the configuration file is re-read automatically, and you can observe records like the following in the PostgreSQL server log:
2007-02-11 21:17:32 LOG: recycled transaction log file 0000000000000000
2007-02-11 21:17:33 LOG: recycled transaction log file 0000000000000001
2007-02-11 21:17:33 LOG: recycled transaction log file 0000000000000002
Measure the period between two checkpoints; this lets you determine their frequency.
In the example above you can see that checkpoints were made every 40 seconds, which is too frequent and slows down the performance of the system as a whole. By the way, don't be surprised to find records with the same timestamp (see above): the same checkpoint frequently writes its name to the log several times.
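As an added example that is not part of the original post, here is a small shell/awk script that does the timestamp analysis described above. It assumes each log line starts with a "YYYY-MM-DD HH:MM:SS" timestamp (log_timestamp, or log_line_prefix = '%t' on newer servers) and, following the remark about repeated records, treats entries less than a few seconds apart as one checkpoint. The sample log lines are constructed, not real server output.

```shell
#!/bin/sh
# Added example, not from the original post: measure how often checkpoints
# happen from the "recycled transaction log file" entries. Assumes each log
# line starts with "YYYY-MM-DD HH:MM:SS"; entries less than GAP seconds apart
# are treated as one checkpoint, since one checkpoint may recycle several
# segments and so produce several log records.

# Constructed sample log (not real server output): three checkpoints,
# 40 seconds apart, each recycling a few segments within a second or two.
SAMPLE_LOG='2007-02-11 21:17:32 LOG: recycled transaction log file 0000000000000000
2007-02-11 21:17:33 LOG: recycled transaction log file 0000000000000001
2007-02-11 21:17:33 LOG: recycled transaction log file 0000000000000002
2007-02-11 21:18:12 LOG: recycled transaction log file 0000000000000003
2007-02-11 21:18:13 LOG: recycled transaction log file 0000000000000004
2007-02-11 21:18:52 LOG: recycled transaction log file 0000000000000005'

# Read log lines on stdin; print one line per checkpoint after the first with
# the number of seconds since the previous checkpoint started.
# $1: entries closer than this many seconds belong to one checkpoint (default 5)
checkpoint_intervals() {
    awk -v gap="${1:-5}" '
        /recycled transaction log file/ {
            split($2, t, ":")                      # $2 is HH:MM:SS
            s = t[1] * 3600 + t[2] * 60 + t[3]     # seconds since midnight
            if (started && s < last) s += 86400    # the log crossed midnight
            if (!started) { start = s; started = 1 }
            else if (s - last >= gap) {            # a new checkpoint begins here
                print s - start
                start = s
            }
            last = s
        }'
}

# Count intervals shorter than $1 seconds, e.g. 120 for the "every couple of
# minutes" target, or 30 to mirror the default checkpoint_warning.
count_frequent_checkpoints() {
    checkpoint_intervals | awk -v t="$1" '$1 < t { n++ } END { print n + 0 }'
}

# Usage:
#   printf '%s\n' "$SAMPLE_LOG" | checkpoint_intervals            # prints 40 and 40
#   printf '%s\n' "$SAMPLE_LOG" | count_frequent_checkpoints 120  # prints 2
```

Run it against the real log with something like `grep 'recycled transaction log file' postgresql.log | checkpoint_intervals`; a stream of values well under 120 is the signal that checkpoint_segments should be raised, as the next section describes.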

Reducing the checkpoint frequency

Reducing the checkpoint frequency increases the number of write-ahead log files created in data/pg_xlog. Each file is 16 MB in size, which as a result can considerably affect the free space on disk. The default setting minimizes the number of such files. To reduce the checkpoint frequency, change the following parameter:

checkpoint_segments = 3
Its initial value is 3.
Gradually increase this value until the interval between checkpoints reaches several minutes.
The next record you may observe in the log file can look like this:
LOG: XLogWrite: new log file created - consider increasing WAL_FILES

It means that the wal_files parameter in postgresql.conf needs to be increased.





Tuesday, November 6, 2007

Postfix and Cyrus TLS howto

Cyrus Postfix AUTH TLS
Here TLS comes into play. Before we put it to work we need a certificate. Either you get it from a Certificate Authority, whom you have to pay, or you create it yourself. I will not describe how to become a Certificate Authority; instead I will show you how to create a self-signed .pem certificate.

This howto is meant as a practical guide; it does not cover the theoretical background.

I would also recommend familiarizing yourself with the documentation at leisure:

http://www.postfix.org/TLS_README.html


+++++++++ CERTIFICATE ++++++++++++++

Now we have to generate the certificate files needed for TLS:
mkdir /var/imap
cd /var/imap

openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

Enter a password for smtpd.key.
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

Again, enter your password for smtpd.key.
Enter your Country Name (e.g., "CA").
Enter your State or Province Name.
Enter your City.
Enter your Organization Name (e.g., the name of your company).
Enter your Organizational Unit Name (e.g. "IT Department").
Enter the Fully Qualified Domain Name of the system (e.g. "mail.mydomain.com").
Enter your Email Address. (postmaster@mydomain.com)
The following information is optional:
Enter a challenge password.
Enter an optional company name.

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
Again, enter your password for smtpd.key.
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
Again, enter your password for smtpd.key.
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out ca-cert.pem -days 3650

Again, enter your password for smtpd.key.
Enter your Country Name (e.g., "DE").
Enter your State or Province Name.
Enter your City
Enter your Organization Name (e.g., the name of your company).
Enter your Organizational Unit Name (e.g. "IT Department").
Enter the Fully Qualified Domain Name of the system (e.g. "mail.mydomain.com").
Enter your Email Address. (postmaster@mydomain.com)



Make the certificate and key files accessible to Postfix and Cyrus:
chown -R cyrus:mail /var/imap/
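The openssl steps above, and the ejabberd certificate steps in the first post (where the private key is appended to server.pem), leave the same things to verify before the daemons are restarted: that the key really belongs to the certificate, that the CN is the host name clients will connect to, and that every file holding the private key is readable only by its owner. The following shell script is an added example and not part of either post; it assumes openssl is on the PATH, and the directory, host name and subject fields are placeholders.

```shell
#!/bin/sh
# Added example, not from either post: generate a self-signed key pair the way
# the posts do and then verify it before the daemons are restarted.
# Assumes openssl is on PATH; directory, host name and subject are placeholders.

# Generate an unencrypted RSA key and a self-signed certificate into $1 for
# host name $2, plus the combined cert+key file the ejabberd post uses.
make_selfsigned() {
    dir="$1"; host="$2"
    mkdir -p "$dir" || return 1
    # -nodes leaves the key unencrypted, which is what both posts end up with
    # (a daemon cannot type a passphrase at startup).
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -keyout "$dir/smtpd.key" -out "$dir/smtpd.crt" \
        -subj "/C=XX/O=Example/CN=$host" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/smtpd.key"
    # ejabberd variant: certificate followed by the private key in one PEM file
    cat "$dir/smtpd.crt" "$dir/smtpd.key" > "$dir/server.pem" || return 1
    chmod 600 "$dir/server.pem"
}

# Succeed only if certificate $1 was issued for private key $2: comparing the
# RSA moduli catches a key that was regenerated after the certificate.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed only if the subject CN of certificate $1 is exactly $2
# (handles both the old "/CN=x" and the newer "CN = x" subject formats).
cert_cn_is() {
    found_cn=$(openssl x509 -noout -subject -in "$1" 2>/dev/null |
               sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$found_cn" = "$2" ]
}

# Succeed only if file $1 has no group/other permission bits at all
# (ls -l is used because stat(1) differs between BSD and GNU).
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Run all checks on a directory produced by make_selfsigned; prints "ok"
# and returns 0 only when every check passes.
check_tls_material() {
    dir="$1"; host="$2"
    key_matches_cert "$dir/smtpd.crt" "$dir/smtpd.key" || { echo "key does not match certificate"; return 1; }
    cert_cn_is "$dir/smtpd.crt" "$host"               || { echo "certificate CN is not $host"; return 1; }
    key_is_private "$dir/smtpd.key"                   || { echo "smtpd.key is readable by others"; return 1; }
    key_is_private "$dir/server.pem"                  || { echo "server.pem (contains the key) is readable by others"; return 1; }
    # a self-signed certificate must verify against itself as the CA
    openssl verify -CAfile "$dir/smtpd.crt" "$dir/smtpd.crt" >/dev/null 2>&1 || { echo "certificate does not verify"; return 1; }
    echo ok
}

# Usage (placeholder path and host name):
#   make_selfsigned /tmp/tls-test mail.example.com && check_tls_material /tmp/tls-test mail.example.com
```

The same checks apply to the files the posts actually produce: point key_matches_cert at /var/imap/smtpd.crt and /var/imap/smtpd.key, or at ejabberd's server.pem for both arguments, since that file carries the key and the certificate together.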


+++++++++++++++++++++++++++++++++++++++

+++++++++++++ POSTFIX +++++++++++++++++

Let's enable SMTP AUTH and TLS in Postfix

Add to the file /etc/postfix/main.cf following lines:

smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_CApath = /var/imap
smtpd_tls_CAfile = /var/imap/ca-cert.pem
smtpd_tls_cert_file = /var/imap/smtpd.crt
smtpd_tls_key_file = /var/imap/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes


And uncomment in the file /etc/postfix/master.cf the following lines (the "-o" lines must stay indented, otherwise Postfix reads them as new service entries):

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

And restart the MTA: /etc/init.d/postfix restart

++++++++++++++++++++++++++++++++++++++++


+++++++++++ Cyrus ++++++++++++++++

For access to the IMAP server using secure authentication, add/uncomment the following lines:

/etc/imapd.conf

tls_cert_file: /var/imap/smtpd.crt
tls_key_file: /var/imap/smtpd.key
tls_ca_file: /var/imap/ca-cert.pem
tls_ca_path: /var/imap/

/etc/cyrus.conf

imaps cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
pop3s cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50

Then restart IMAP server /etc/init.d/cyrus2.2 restart




Friday, November 2, 2007

Filtering Image Spam With FuzzyOCR And SpamAssassin

Struggle against spam.... Episode three.


This article describes how to scan e-mails for image spam with FuzzyOCR. FuzzyOCR is a plugin for SpamAssassin aimed at unsolicited bulk mail containing images; using different methods, it analyzes the content and properties of images to distinguish between normal and spam mails. Installation is reviewed on Debian (Etch).

I assume that SpamAssassin (and the mail server) is already installed and working :) and that the symlink /etc/mail/spamassassin exists (otherwise: ln -s /etc/spamassassin /etc/mail/spamassassin).
To begin, we install the necessary dependencies:
aptitude install netpbm gifsicle libungif-bin gocr ocrad libstring-approx-perl libmldbm-sync-perl imagemagick tesseract-ocr libdbd-mysql-perl libdbi-perl libtie-cache-perl
Next we download, unpack and install the latest FuzzyOCR:
cd /usr/src/
wget http://users.own-hero.net/~decoder/fuzzyocr/fuzzyocr-3.5.1-devel.tar.gz
tar -zxvf fuzzyocr-3.5.1-devel.tar.gz
cd FuzzyOcr-3.5.1/

cp -r FuzzyOcr* /etc/spamassassin/   (including the directory FuzzyOcr/ !!!)

The source directory /usr/src/FuzzyOcr-3.5.1/ contains a samples/ directory with sample spam e-mails, which we need later for testing.
So, installation is finished; now we start to configure it. All configs are in /etc/spamassassin/
In the file /etc/mail/spamassassin/FuzzyOcr.cf
uncomment the following line:
focr_global_wordlist /etc/mail/spamassassin/FuzzyOcr.words

The file /etc/mail/spamassassin/FuzzyOcr.words
is the predefined word list that ships with FuzzyOCR. You can customize it or add to it according to your needs.
Replace these two lines
focr_bin_helper pnmnorm, pnminvert, pamthreshold, ppmtopgm, pamtopnm

focr_bin_helper tesseract
with the following:
focr_bin_helper pnmnorm, pnminvert, convert, ppmtopgm, tesseract

Finally we add or uncomment the next lines:
focr_path_bin /usr/local/netpbm/bin:/usr/local/bin:/usr/bin

focr_preprocessor_file /etc/mail/spamassassin/FuzzyOcr.preps
focr_scanset_file /etc/mail/spamassassin/FuzzyOcr.scansets
focr_enable_image_hashing 2
focr_digest_db /etc/mail/spamassassin/FuzzyOcr.hashdb
focr_db_hash /etc/mail/spamassassin/FuzzyOcr.db
focr_db_safe /etc/mail/spamassassin/FuzzyOcr.safe.db
The last 4 lines set up hashing instead of MySQL.
Now we can feed the sample spam mails to SpamAssassin to check that it is hooked up with FuzzyOCR:
/usr/bin/spamassassin --debug FuzzyOcr < /usr/src/FuzzyOcr-3.5.1/samples/ocr-gif.eml > /dev/null

As you see, FuzzyOCR is working.

Now restart SpamAssassin and watch closely (tail -f /var/log/mail.info) for errors from SpamAssassin or Perl modules.
........Your SpamAssassin is now able to recognize image spam!



Wednesday, October 31, 2007

Corporate Mail Server

Fast start with a mail server.

This article gives an example of setting up and tuning a mail system based on the Debian "Etch" operating system with the following set of applications:

  • Postfix (SMTP)

  • saslauthd

  • sasldb2

  • Cyrus IMAP

  • amavisd-new

  • SpamAssassin

  • ClamAV

First of all, to continue with the setup we need to prepare the environment.
Add to /etc/apt/sources.list an additional source for the latest version of ClamAV:
deb http://volatile.debian.org/debian-volatile etch/volatile main contrib
Then update the package list:
apt-get update
That completes the preparation. Let's install the packages needed for the mail server:
apt-get install postfix libsasl2 libsasl2-modules sasl2-bin cyrus-imapd-2.2 cyrus-pop3d-2.2 cyrus-admin-2.2

Let's configure the authentication daemon saslauthd to use the sasldb2 password database.
For this, edit the file /etc/default/saslauthd:
START=yes
MECHANISMS="sasldb"
and start the service: /etc/init.d/saslauthd start
Now let's check that it works correctly, but first we need to add at least one user:

mailserver:~# saslpasswd2 test
Password:
Again (for verification):
mailserver:~# sasldblistusers2
test@mailserver: userPassword
mailserver:~# testsaslauthd -u test -p test

If you received the message "0: OK "Success."", everything is all right.
If authentication failed, check the file
/var/log/auth.log
Now we need to move the saslauthd socket into the chrooted working directory of Postfix, /var/spool/postfix/. Do this by adding to /etc/fstab:
/var/run/saslauthd /var/spool/postfix/var/run/saslauthd none rw,bind 0 0
It is also necessary to create the directory where the saslauthd socket will be mounted, and to mount it:
mkdir -p /var/spool/postfix/var/run/saslauthd
mount /var/run/saslauthd
Now let's configure Postfix to use SASL authentication:
edit /etc/postfix/main.cf:
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_authenticated_header = yes
smtpd_sasl_application_name = smtpd

Now we forbid sending mail through our SMTP server without authentication.
For this purpose, create the file
/etc/postfix/sasl/smtpd.conf with the following contents:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Restart the Postfix server and check the following files closely for errors:

  1. /var/log/mail.err

  2. /var/log/mail.info

  3. /var/log/mail.warn

  4. /var/log/mail.log

So that saslauthd and Postfix can "be friends", execute the following:
adduser postfix sasl

Cyrus-imapd: Cyrus will receive mail from Postfix, sort it into folders and grant users access to it.

Let's edit a file /etc/imapd.conf

admins: cyrus
allowplaintext: yes
sasl_mech_list: PLAIN
sasl_pwcheck_method: saslauthd auxprop
sasl_auxprop_plugin: sasldb

Note that Cyrus, just like saslauthd, has to cooperate with Postfix, so they need to be made reachable to each other. We use the mechanism we already know (edit /etc/fstab):

/var/run/cyrus /var/spool/postfix/var/run/cyrus none rw,bind 0 0

Don't forget to create the directory for Cyrus and to mount both bind mounts:

mkdir -p /var/spool/postfix/var/run/saslauthd
mkdir -p /var/spool/postfix/var/run/cyrus
mount /var/spool/postfix/var/run/saslauthd
mount /var/spool/postfix/var/run/cyrus

Now let's allow Cyrus to take mail from Postfix by editing /etc/postfix/main.cf:
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
local_recipient_maps =

Let's add our mail server (Postfix) to the lmtp group:
addgroup lmtp
adduser postfix lmtp

and run the following:
dpkg-statoverride --remove /var/run/cyrus/socket
dpkg-statoverride --force --update --add cyrus lmtp 750 /var/run/cyrus/socket

Names and passwords are stored in a format different from the system's, so this option has to be specified. The option "local_recipient_maps =" added above means "accept mail for any recipient". We add the user cyrus to our user database:
saslpasswd2 -c cyrus

Enter the password and restart the services:
/etc/init.d/postfix restart
/etc/init.d/cyrus2.2 restart
/etc/init.d/saslauthd restart

By this point we can already receive and send mail, create and delete folders on the IMAP server, and set quotas and access rights on folders by means of the cyradm utility. Since all further setup steps will require sending and receiving mail for testing, here is a brief instruction on creating IMAP accounts (mailboxes). Replace USERNAME with the account name:

saslpasswd2 -c USERNAME
cyradm --user cyrus localhost
localhost> cm user.USERNAME
localhost> cm user.USERNAME.INBOX
localhost> cm user.USERNAME.Sent
localhost> cm user.USERNAME.Spam
localhost> cm user.USERNAME.Draft
localhost> cm user.USERNAME.Trash



"Be protected, sir." We need to protect ourselves from spam and viruses.

Let's start the installation:
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip unarj unrar bzip2
And make some changes to the amavisd configuration files:

Edit /etc/amavis/conf.d/50-user

use strict;
$forward_method = 'smtp:127.0.0.1:10025';
$notify_method = $forward_method;
$virus_quarantine_to = undef;   # no virus quarantine (bare undef; the string 'undef' would be taken as a mailbox name)
$sa_local_tests_only = 0;
@inet_acl = qw( 127.0.0.1 [::1] xxx.xxx.xxx.xxx );   # replace xxx.xxx.xxx.xxx with your own address
#------------ Do not modify anything below this line -------------
1; # insure a defined return

Edit /etc/amavis/conf.d/20-debian_defaults

use strict;
$QUARANTINEDIR = '/var/lib/amavis/virusmails';

$log_recip_templ = undef; # disable by-recipient level-0 log entries
$DO_SYSLOG = 1; # log via syslogd (preferred)
$syslog_ident = 'amavis'; # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug'; # switch to info to drop debug output, etc
$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1
$inet_socket_port = 10024; # default listenting socket
$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
##$sa_tag_level_deflt = -999;
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
##$sa_kill_level_deflt = 999;
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0; # only tests which do not require internet access?

# Quota limits to avoid bombs (like 42.zip)
$MAXLEVELS = 14;
$MAXFILES = 1500;
$MIN_EXPANSION_QUOTA = 100*1024; # bytes
$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes

### DM ####
$final_virus_destiny = D_REJECT; # (defaults to D_BOUNCE)
$final_banned_destiny = D_REJECT; # (defaults to D_BOUNCE)
$final_spam_destiny = D_PASS; # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS; # (defaults to D_PASS), D_BOUNCE suggested
$viruses_that_fake_sender_re = new_RE(
qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
qr'@mm|@MM', # mass mailing viruses as labeled by f-prot and uvscan
qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
[qr'^(EICAR|Joke\.|Junk\.)'i => 0],
[qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
[qr/.*/ => 1], # true by default (remove or comment-out if undesired)
);

$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
# Leave empty (undef) to add no header
$X_HEADER_LINE = "Debian $myproduct_name at $mydomain";

@viruses_that_fake_sender_maps = (new_RE(
[qr'\bEICAR\b'i => 0], # av test pattern name
[qr/.*/ => 1], # true for everything else
));
@keep_decoded_original_maps = (new_RE(
# qr'^MAIL$', # retain full original message for virus checking (can be slow)
qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data', # don't trust Archive::Zip
));

# for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample
$banned_filename_re = new_RE(
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components

# block certain double extensions anywhere in the base name
qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Windows Class ID CLSID, strict

qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,

# qr'^application/x-msmetafile$'i, # Windows Metafile MIME type
# qr'^\.wmf$', # Windows Metafile file(1) type

# qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types

# [ qr'^\.(Z|gz|bz2)$' => 0 ], # allow any in Unix-compressed
# [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within such archives

qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
# inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
# ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
# wmf|wsc|wsf|wsh)$'ix, # banned ext - long

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.

qr'^\.(exe-ms)$', # banned file(1) types
# qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm
# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
@score_sender_maps = ({ # a by-recipient hash lookup table,
# results from all matching recipient tables are summed
# ## per-recipient personal tables (NOTE: positive: black, negative: white)
# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}],
# 'user3@example.com' => [{'.ebay.com' => -3.0}],
# 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0,
# '.cleargreen.com' => -5.0}],
## site-wide opinions about senders (the '.' matches any recipient)

'.' => [ # the _first_ matching sender determines the score boost

new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
[qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
[qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
[qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
[qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
[qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
[qr'^(your_friend|greatoffers)@'i => 5.0],
[qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
),
# read_hash("/var/amavis/sender_scores_sitewide"),
{ # a hash-type lookup table (associative array)
'nobody@cert.org' => -3.0,
'cert-advisory@us-cert.gov' => -3.0,
'owner-alert@iss.net' => -3.0,
'slashdot@slashdot.org' => -3.0,
'securityfocus.com' => -3.0,
'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
'security-alerts@linuxsecurity.com' => -3.0,
'mailman-announce-admin@python.org' => -3.0,
'amavis-user-admin@lists.sourceforge.net'=> -3.0,
'amavis-user-bounces@lists.sourceforge.net' => -3.0,
'spamassassin.apache.org' => -3.0,
'notification-return@lists.sophos.com' => -3.0,
'owner-postfix-users@postfix.org' => -3.0,
'owner-postfix-announce@postfix.org' => -3.0,
'owner-sendmail-announce@lists.sendmail.org' => -3.0,
'sendmail-announce-request@lists.sendmail.org' => -3.0,
'donotreply@sendmail.org' => -3.0,
'ca+envelope@sendmail.org' => -3.0,
'noreply@freshmeat.net' => -3.0,
'owner-technews@postel.acm.org' => -3.0,
'ietf-123-owner@loki.ietf.org' => -3.0,
'cvs-commits-list-admin@gnome.org' => -3.0,
'rt-users-admin@lists.fsck.com' => -3.0,
'clp-request@comp.nus.edu.sg' => -3.0,
'surveys-errors@lists.nua.ie' => -3.0,
'emailnews@genomeweb.com' => -5.0,
'yahoo-dev-null@yahoo-inc.com' => -3.0,
'returns.groups.yahoo.com' => -3.0,
'clusternews@linuxnetworx.com' => -3.0,
lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

# soft-blacklisting (positive score)
'sender@example.net' => 3.0,
'.example.net' => 1.0,
},
], # end of site-wide tables
});
1; # insure a defined return

Add user clamav to group amavis:
adduser clamav amavis
Now we make Postfix hand mail to the antivirus for checking.
Add the following to the file /etc/postfix/master.cf (the -o lines must be indented, so that Postfix reads them as continuation lines of the service above):
smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
And add at the end of the file /etc/postfix/main.cf:
content_filter=smtp-amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

Restart Postfix and check that there are no errors in the log file:
/etc/init.d/postfix restart
tail /var/log/mail.log
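Added example (not from the original article): a small Python check of the master.cf services above. It parses the service lines with their indented -o overrides and confirms that the re-injection listener on 127.0.0.1:10025 has an empty content_filter (otherwise mail would loop back into amavis) and accepts mail from the loopback only. The excerpt is constructed from the lines above, not read from a live file.

```python
import re
from typing import Dict, List

# Constructed excerpt with the two services described above (not the live master.cf).
MASTER_CF = """\
smtp-amavis unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
"""

def parse_master_cf(text: str) -> Dict[str, Dict[str, str]]:
    """Map each service name to its '-o' overrides; continuation lines start with whitespace."""
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                         # "-o key=value" override
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)", line)
            if m and current is not None:
                services[current][m.group(1)] = m.group(2).strip()
        else:                                         # "name type private unpriv chroot wakeup maxproc command"
            current = line.split()[0]
            services[current] = {}
    return services

def reinjection_problems(services: Dict[str, Dict[str, str]], name: str = "127.0.0.1:10025") -> List[str]:
    """Findings for the post-filter listener that amavis hands mail back to."""
    opts = services.get(name)
    if opts is None:
        return [f"service {name} is not defined"]
    problems = []
    # Without an explicit empty content_filter the listener inherits main.cf's filter and mail loops.
    if opts.get("content_filter", "<inherited>") != "":
        problems.append("content_filter must be overridden to empty, otherwise mail re-enters amavis")
    if opts.get("mynetworks") != "127.0.0.0/8":
        problems.append("mynetworks should be 127.0.0.0/8 so only the local filter can re-inject")
    if opts.get("smtpd_recipient_restrictions") != "permit_mynetworks,reject":
        problems.append("smtpd_recipient_restrictions should be permit_mynetworks,reject")
    return problems
```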

Let's install a few more tools and configure SpamAssassin:
apt-get install razor pyzor dcc-client

Edit the file /etc/spamassassin/local.cf
(note the differences between versions 3.0 and 3.1; version 3.1 is covered here):

# rewrite_header Subject *****SPAM*****
# report_safe 1
# trusted_networks 10.0.1.
# lock_method flock
# dcc
use_dcc 1
#pyzor
use_pyzor 1
#razor
use_razor2 1
#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1

and uncomment the following lines in the file /etc/spamassassin/v310.pre:
loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::AntiVirus

Now SpamAssassin must be enabled so that it can be started:

Edit /etc/default/spamassassin :
ENABLED=1

And restart following services:

  • /etc/init.d/clamav-freshclam restart

  • /etc/init.d/clamav-daemon restart

  • /etc/init.d/spamassassin restart

  • /etc/init.d/amavis restart

  • /etc/init.d/postfix restart


The topic of setting up and maintaining a mail server under Linux can be developed endlessly :-)
but this article covers a fast and easy way to install and configure a corporate mail server with IMAP access and antispam/antivirus protection.

P.S.
All of the credentials are sent in cleartext, which means they can be sniffed on the wire.
... What about TLS?




Tuesday, October 30, 2007

DNSBL server for Postfix

Personal DNSBL(RBL) server for Postfix

This article describes an example of installing and configuring a local DNSBL (RBL) server
for subsequent use with Postfix. For simplicity, the DNSBL server, the BIND DNS server and Postfix are all deployed on one machine. The following software is used in this example: Debian Linux, rbldnsd, BIND, rblcheck and Postfix.

* Configuring rbldnsd
* Configuring of DNS-Server BIND
* Configuring Postfix
* Checking

1) Configuring rbldnsd

First of all, install rbldnsd:

# apt-get install rbldnsd rblcheck

Everything is very simple.
Next we need to download several DNSBL zones from the internet sites that maintain them. For this purpose we use "rsync", which is included in Debian Linux:

# rsync -tvPz rsync.dsbl.org::dsbl/rbldns-list.dsbl.org /var/db/rbldnsd/rbldns-list.dsbl.org
# rsync -tvPz rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-1.uceprotect.net /var/db/rbldnsd/dnsbl-1.uceprotect.net
# rsync -tvPz rsync.spamcannibal.org::zonefiles/bl.spamcannibal.org.in.ip4set.rbl /var/db/rbldnsd/bl.spamcannibal.org.in.ip4set.rbl

This is more than enough to begin with; in "useful links" you may find additional sites
that offer free access to their DNSBL lists.
Continue with configuring rbldnsd in the file /etc/default/rbldnsd:

RBLDNSD="dnsbl -r /var/db/rbldnsd -b 127.0.0.1/530 \
list.dsbl.org:ip4tset:rbldns-list.dsbl.org \
dnsbl-1.uceprotect.net:ip4tset:dnsbl-1.uceprotect.net \
rbl.spamcannibal.org:ip4set:bl.spamcannibal.org.in.ip4set.rbl \
"
Note that rbldnsd will use UDP port 530, so that UDP port 53 remains free for BIND.
Now let's launch rbldnsd and add it to the default run level:

# /etc/init.d/rbldnsd start

2) Setting up the DNS server BIND

Installing:
# apt-get install bind


Add the following to the file "/etc/bind/named.conf" (the zone names must be written without surrounding spaces):

zone "list.dsbl.org" IN {
    type forward;
    forward first;
    forwarders {
        127.0.0.1 port 530;
    };
};

zone "dnsbl-1.uceprotect.net" IN {
    type forward;
    forward first;
    forwarders {
        127.0.0.1 port 530;
    };
};

zone "rbl.spamcannibal.org" IN {
    type forward;
    forward first;
    forwarders {
        127.0.0.1 port 530;
    };
};

This way BIND forwards queries for the specified zones to our rbldnsd, which is listening on
UDP port 530. Let's start BIND and add it to the default run level:
# /etc/init.d/named start

Don't forget to edit "/etc/resolv.conf" so that the system resolves through our local BIND:

nameserver 127.0.0.1

3) Configuring Postfix

We assume that Postfix is already installed and basically configured. We edit only one section in the file "/etc/postfix/main.cf":

smtpd_sender_restrictions =
reject_rbl_client list.dsbl.org,
reject_rbl_client dnsbl-1.uceprotect.net,
reject_rbl_client rbl.spamcannibal.org

We add only the reject_rbl_client ... lines; we assume that you have already configured
all other restrictions and rejections.


Let's launch Postfix and add it to the default run level:

# /etc/init.d/postfix start

4) Checking

For checking, the rblcheck tool is very simple and convenient.

For instance, let's take an IP address from the DNSBL file of the DSBL zone:

# tail -n1 /var/db/rbldnsd/rbldns-list.dsbl.org
1.2.3.4

(the address is fake here) and let's check whether our rbldnsd server lists it as a spam source:

# rblcheck -s 127.0.0.1 1.2.3.4
1.2.3.4 RBL filtered by bl.dsbl.org

Yes, the answer is positive! If the IP address is missing from the DNSBL zone, the answer will be
"not RBL filtered by ...".

Very simple, easy and short. As you can see, there is nothing complicated about setting up and configuring your own dedicated DNSBL server for use with a group of mail servers, and not only that...
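As an added example (not part of the original post), here is a small Python model of what sections 1, 3 and 4 above rely on: it builds the reversed-octet query name a DNSBL lookup uses, parses a simplified rbldnsd ip4tset dataset, emulates the answer rbldnsd would give, and applies the first-match reject decision that reject_rbl_client makes. The zone is constructed (not real DSBL data) and the parser is an assumption about the format that covers only IP lines, '#' comments, '$' directives and ':' default-value lines.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed zone in rbldnsd "ip4tset" style: one IPv4 per line with optional text,
# a ':' line giving the default A value and TXT. Simplified model, not real DSBL data.
SAMPLE_ZONE = """\
# constructed example zone
:127.0.0.2:Listed by example zone
1.2.3.4
198.51.100.7 open relay test entry
"""

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed octets under the zone, e.g. 4.3.2.1.list.dsbl.org for 1.2.3.4."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def parse_ip4tset(text: str) -> Tuple[Dict[str, str], str]:
    """Parse the simplified ip4tset dataset into ({ip: txt}, default_a)."""
    entries: Dict[str, str] = {}
    default_a, default_txt = "127.0.0.2", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#$":           # comment or $SOA/$NS/$TTL directive
            continue
        if line.startswith(":"):                  # ":A:TXT" default-value line
            _, a_val, txt = (line.split(":", 2) + [""])[:3]
            default_a, default_txt = a_val or default_a, txt
            continue
        parts = line.split(None, 1)
        ip = str(ipaddress.IPv4Address(parts[0]))  # validates the address
        entries[ip] = parts[1] if len(parts) > 1 else default_txt
    return entries, default_a

def lookup(ip: str, zone: str, zone_text: str) -> Optional[Tuple[str, str, str]]:
    """Emulate rbldnsd's answer: (query_name, A, TXT) when listed, None for NXDOMAIN."""
    entries, default_a = parse_ip4tset(zone_text)
    ip = str(ipaddress.IPv4Address(ip))
    if ip not in entries:
        return None
    return dnsbl_query_name(ip, zone), default_a, entries[ip]

def postfix_rbl_decision(client_ip: str, zones: Dict[str, str]) -> str:
    """Mirror reject_rbl_client: the first zone that lists the client rejects it."""
    for zone, zone_text in zones.items():
        hit = lookup(client_ip, zone, zone_text)
        if hit is not None:
            return f"554 5.7.1 Client host [{client_ip}] blocked using {zone}; {hit[2]}"
    return "DUNNO"
```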



Friday, October 26, 2007

Samba and SSHFS


Sharing remote file system via Samba
This article reviews an example installation and configuration of FUSE (SSHFS) for sharing the file system of another server via Samba.

Initially I used Samba as a gateway to export NFS volumes of another server to Windows clients.
I use FreeBSD as the NFS server and another Linux box (Debian) to mount the remote NFS volume locally; this box also runs Samba3 and exports the local directory (on which the NFS volume is mounted) as a CIFS share.
My problem is that when using smbclient to access the CIFS share, I can get a directory listing, but after connecting I receive "Error in dskattr: code 0". When accessing from Windows clients, it takes a long time to display the directory contents, and then the Explorer window keeps hanging.
I found another solution instead of NFS. What if I connected to the FreeBSD machine via SSHFS and then shared the mounted directories via Samba on the Linux machine?
So, we are going to install SSHFS on the Linux box (Debian in my case):
apt-get install sshfs
If you need to mount the directory as a regular user, you must be added to the "fuse" group, which the package created:
adduser your-username fuse
Create the file /etc/fuse.conf:
touch /etc/fuse.conf
Put the following line in /etc/fuse.conf:
echo "user_allow_other" > /etc/fuse.conf
Now I try to mount the remote file system:
sshfs root@192.168.0.1:/remotefolder /data/localfolder
and receive the following failure:
fuse device not found, try 'modprobe fuse' first FATAL: Module fuse not found.
I found that the "fuse" kernel module needed to be built. To install fuse-source, add the following source to your APT sources.list:
deb http://ftp.de.debian.org/debian lenny main
apt-get update
apt-get install fuse-source
apt-get install dpatch ### dependency
apt-get install module-assistant ### dependency
apt-get install kernel-headers-`uname -r` ### dependency
apt-get install kernel-source-`uname -r` ### dependency
module-assistant build fuse #### build the module from source
m-a install fuse-source #### install the module
Before loading the fuse kernel module, create the device node manually:
mknod -m 666 /dev/fuse c 10 229
modprobe fuse #### load the fuse kernel module
At this point you can rerun the mount: sshfs root@192.168.0.1:/remotefolder /data/localfolder




Postfix - second instance

How to run a second Postfix instance

Adding a second Postfix instance
1. Add a new IP address to the server.
2. Copy /etc/postfix to /etc/postfix_new_instance:
cp -rp /etc/postfix /etc/postfix_new_instance
3. Create an additional spool directory /var/spool/postfix_new_instance
4. Edit the new config file (/etc/postfix_new_instance/main.cf):
a) add queue_directory = /var/spool/postfix_new_instance
b) add inet_interfaces = xxx.xxx.xxx.xxx (127.0.0.1 is not needed here)
mynetworks = xxx.xxx.xxx.xxx
c) myhostname = .... , mydomain = ..... , myorigin = $mydomain
d) mydestination = $myhostname, $mydomain
5. Edit the old config file (/etc/postfix/main.cf):
add inet_interfaces = 127.0.0.1, xxx.xxx.xxx.xxx and all other needed IPs
(don't forget 127.0.0.1!)
6. Let Postfix create the appropriate subdirectories and permissions:
postfix -c /etc/postfix_new_instance check
cp -rp /var/spool/postfix/etc /var/spool/postfix_new_instance
cp -rp /var/spool/postfix/usr /var/spool/postfix_new_instance
cp -rp /var/spool/postfix/lib /var/spool/postfix_new_instance
7. Create a startup script for the secondary instance:
cd /etc/init.d/
touch postfix_new_instance
and paste the following into the file:
#!/bin/sh
# Start or stop the second Postfix instance
PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/postfix
NAME=Postfix
case "$1" in
  start)
    echo -n "Starting mail transport agent: Postfix-priv"
    $DAEMON -c /etc/postfix_new_instance start 2>&1 |
      (grep -v 'starting the Postfix' 1>&2 || /bin/true)
    echo "."
    ;;
  stop)
    echo -n "Stopping mail transport agent: Postfix-out"
    $DAEMON -c /etc/postfix_new_instance stop 2>&1 |
      (grep -v 'stopping the Postfix' 1>&2 || /bin/true)
    echo "."
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: /etc/init.d/postfix_new_instance {start|stop|restart}"
    exit 1
    ;;
esac
exit 0
8. pwd -> /etc/init.d  OK!
9. update-rc.d postfix_new_instance defaults
Adding system startup for /etc/init.d/postfix_priv ...
/etc/rc0.d/K20postfix_new -> ../init.d/postfix_new
/etc/rc1.d/K20postfix_new -> ../init.d/postfix_new
/etc/rc6.d/K20postfix_new -> ../init.d/postfix_new
/etc/rc2.d/S20postfix_new -> ../init.d/postfix_new
/etc/rc3.d/S20postfix_new -> ../init.d/postfix_new
/etc/rc4.d/S20postfix_new -> ../init.d/postfix_new
/etc/rc5.d/S20postfix_new -> ../init.d/postfix_new
/etc/init.d/postfix restart
/etc/init.d/postfix_new_instance start
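Added example (not from the original how-to): a Python check that the two main.cf files from steps 4 and 5 can coexist on one host: distinct queue_directory values, non-overlapping inet_interfaces (and no "all" on either side), 127.0.0.1 still present on the original instance, and mynetworks set on the new one. The fragments and the 192.0.2.x addresses are constructed placeholders.

```python
import re
from typing import Dict, List, Set

# Constructed main.cf fragments for the two instances (addresses are placeholders).
OLD_MAIN_CF = """\
queue_directory = /var/spool/postfix
inet_interfaces = 127.0.0.1, 192.0.2.10
mydestination = $myhostname, $mydomain
"""
NEW_MAIN_CF = """\
queue_directory = /var/spool/postfix_new_instance
inet_interfaces = 192.0.2.11
mynetworks = 192.0.2.11
mydestination = $myhostname, $mydomain
"""

def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; comments and blanks are skipped (no continuation lines)."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params

def as_set(value: str) -> Set[str]:
    """Postfix list values are separated by commas and/or whitespace."""
    return {v for v in re.split(r"[,\s]+", value) if v}

def instance_conflicts(old: Dict[str, str], new: Dict[str, str]) -> List[str]:
    """Findings that would stop the second instance from coexisting with the first."""
    findings: List[str] = []
    if old.get("queue_directory", "/var/spool/postfix") == new.get("queue_directory"):
        findings.append("both instances share the same queue_directory")
    old_if = as_set(old.get("inet_interfaces", "all"))   # Postfix default is 'all'
    new_if = as_set(new.get("inet_interfaces", "all"))
    if "all" in old_if or "all" in new_if:
        findings.append("inet_interfaces = all on one instance binds every address, including the other's")
    elif old_if & new_if:
        findings.append(f"inet_interfaces overlap: {sorted(old_if & new_if)}")
    if "127.0.0.1" not in old_if and "all" not in old_if:
        findings.append("original instance no longer listens on 127.0.0.1 (local submission and filters break)")
    if "mynetworks" not in new:
        findings.append("new instance has no mynetworks setting")
    return findings
```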



Curriculum Vitae

Talented, results-driven Unix oriented System Administrator, with extensive background in
Systems and network Engineering, Design, Support, and Installation. Proven ability to design and implement large-scale network and system infrastructures at the national and global levels.
Adept at determining requirements, project scheduling, and technology planning.

QUALIFICATIONS

Install, configure and patch Linux (such as Debian, SuSE) and the FreeBSD operating system.
Build, install, and configure complex Open Source software.
Create and maintain scripts of various kinds. (Perl, PHP, Bash, Ksh).
Ability to code/troubleshoot low-complexity web-applications in PHP, Perl.
Develop web-based and console tools that assist other teams in configuring and maintaining services.
Manipulate data and log files to provide extensive statistical reporting.
Execute new system roll-outs, migrations and modifications.
VMWare, architecture/design and network experience. Install and configure GSX, ESX.
High skill level in hardware design, diagnosis, repair / upgrade, strong troubleshooting abilities
and electronic repair.
Network professional (CCNA level). Good knowledge of protocol stacks / OSI model
(TCP/IP, HTTP, STP, RSTP, RIP, OSPF, etc.)
Fast self-learner.