« Archives in July, 2010

Qnap TS419u port trunking with Cisco 4500

This powerful NAS (Linux core inside) has 2 NICs that you can use in various modes.
I've chosen to aggregate these 2 NICs to get load balancing and failover.
Through the web page go to System administration, then to Network; here tick the "Enable port trunking" option.
In the dropdown menu you have to choose "IEEE 802.3ad" and apply the settings.

Let's go to the Cisco switch (I have Cisco IOS, not CatOS).
I'm assuming the two NICs are connected to Gi1/1 and Gi1/2 (adapt to your setup).

interface GigabitEthernet1/1
 description to NAS
 switchport access vlan 10
 switchport mode access
 speed 1000
 duplex full
 channel-protocol lacp
 channel-group 64 mode active
end

interface GigabitEthernet1/2
 description to NAS
 switchport access vlan 10
 switchport mode access
 speed 1000
 duplex full
 channel-protocol lacp
 channel-group 64 mode active
end

interface Port-channel64
 description Connessione NAS
 switchport
 switchport access vlan 10
 switchport mode access
end

With this configuration on the switch, when you disconnect one NIC you will not lose the connection to the NAS, even if you are transferring data.

Fighting spam with Postfix+postgrey+clamav

After years of working with MailScanner installed, I've decided to try another way.

So, in our server room (after server consolidation) I had an IBM x226 configured with

  • 2x Intel Xeon 3GHz;
  • 6 GB RAM,
  • 4x 40GB SCSI
  • IBM Server Raid controller
  • 2X NetXtreme BCM5703 Gigabit Ethernet controller

I know this is too much for this job, but I don't know if it will be sufficient in the future.

I installed CentOS 5.5 final, purged and updated it, then installed postfix and postgrey; after enabling the rpmforge repo (only this time) I installed clamav-milter.

Next I configured postfix to act as a mail gateway for our internal mail server, and I enabled some controls on the sender. Have a look at my Postfix configuration:

smtpd_recipient_restrictions =  reject_invalid_hostname,
                                reject_non_fqdn_hostname,
                                reject_non_fqdn_sender,
                                reject_unauth_destination,
                                reject_unauth_pipelining,
                                check_sender_access hash:/etc/postfix/whitelist
                                reject_rbl_client zen.spamhaus.org,
                                reject_rbl_client dnsbl.njabl.org,
                                reject_unknown_recipient_domain,
                                reject_unverified_recipient

In "check_sender_access" I've whitelisted some senders that use blacklisted mail servers.
Now it's time to set up postgrey, so in the "smtpd_recipient_restrictions" section of main.cf add this line at the end of the section:

check_policy_service inet:127.0.0.1:10025
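
An added example, not part of the original post: a small Python check that parses the restriction list above (with the postgrey line appended) and reports any check_* lookup evaluated before reject_unauth_destination. When this list is the only place relay control is enforced, as here, an OK from a whitelist lookup placed before that restriction would let the mail through without the relay check. The function names and the RISKY_CF counter-example are constructed for illustration.

```python
import re

# Constructed input: this page's list with the postgrey line appended at the end.
PAGE_CF = """\
smtpd_recipient_restrictions =  reject_invalid_hostname,
                                reject_non_fqdn_hostname,
                                reject_non_fqdn_sender,
                                reject_unauth_destination,
                                reject_unauth_pipelining,
                                check_sender_access hash:/etc/postfix/whitelist
                                reject_rbl_client zen.spamhaus.org,
                                reject_rbl_client dnsbl.njabl.org,
                                reject_unknown_recipient_domain,
                                reject_unverified_recipient,
                                check_policy_service inet:127.0.0.1:10025
"""
# Constructed counter-example: whitelist lookup ahead of the relay check.
RISKY_CF = """\
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/whitelist,
    reject_unauth_destination
"""

def restrictions(main_cf, name="smtpd_recipient_restrictions"):
    """Return [(restriction, arg or None)]; assumes check_*/reject_rbl_*/reject_rhsbl_* take one arg."""
    logical = []
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                              # skip blank and comment lines
        if line[0] in " \t" and logical:          # leading whitespace continues a line
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    for entry in logical:
        key, _, value = entry.partition("=")
        if key.strip() == name:
            tokens = [t for t in re.split(r"[,\s]+", value) if t]  # commas and/or whitespace
            rules, i = [], 0
            while i < len(tokens):
                has_arg = tokens[i].startswith(("check_", "reject_rbl_", "reject_rhsbl_"))
                rules.append((tokens[i], tokens[i + 1] if has_arg and i + 1 < len(tokens) else None))
                i += 2 if has_arg else 1
            return rules
    return []

def lookups_before_relay_check(rules):
    """check_* entries evaluated before reject_unauth_destination (all of them if it is absent)."""
    names = [r for r, _ in rules]
    cut = names.index("reject_unauth_destination") if "reject_unauth_destination" in names else len(names)
    return [r for r in rules[:cut] if r[0].startswith("check_")]
```

For the list on this page the result is empty: both the whitelist lookup and the postgrey policy service come after reject_unauth_destination.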

In /etc/sysconfig/postgrey you have to set options. This is mine:

OPTIONS="--greylist-text=\"You are greylisted...try again later. \"
--inet=127.0.0.1:10025  --user=postfix --group=postfix"

You can also use a unix socket instead of a TCP socket; it's your choice.
Clamav-milter needs to be configured; its configuration file is /etc/clamav-milter.conf.
I've changed these parameters:

MilterSocket unix:/var/clamav/clmilter.socket
User clamav
AllowSupplementaryGroups yes
ClamdSocket unix:/var/run/clamav/clamd.sock
LogFile /var/log/clamav/clamav-milter.log
LogSyslog yes
LogFacility LOG_MAIL
LogInfected Basic

To instruct postfix to use clamav-milter, add these two lines in /etc/postfix/main.cf after "smtpd_recipient_restrictions" section:

smtpd_milters = unix:/var/clamav/clmilter.socket
non_smtpd_milters = unix:/var/clamav/clmilter.socket

With these settings we have no false positives, and we can catch 99 % of spam.