Enabling angular-js html5mode

- The first RewriteCond allows requests for files which already exist.
- The second RewriteCond allows requests for directories which already exist.
- The third RewriteCond makes sure not to redirect any of the data, html, css or js directories.
- The first RewriteRule says that if any of the RewriteConds matched, we do nothing else (i.e. return from this function).
- The second RewriteRule says that if we have not returned from the previous RewriteRule, we return index.html instead of what was requested (which makes html5mode work) ...

Awk Cheatsheet

Links: Awk tutorial

Pattern matching (grep)

    # Should return one line per file
    ls -a | awk '//'
    # Should print files starting with a dot
    ls -a | awk '/^\./'

Counting (wc)

    ls | awk '{i++} END {print i}' # Should return number of files

Delete all svn-files with an exclamation mark in svn status

    svn status | awk '/^!/{print $2}' | xargs svn delete --force

Find only the first match and print it

    echo data | awk "/$pattern/{print;exit}"

Ignore the first line

    echo data | awk 'NR>1'

Ignore duplicate lines

    echo data | awk '!seen[$0]++'

Insert a line after a pattern

    echo data | awk '/match/{print;print "Inserted line";next}1'

Insert a line before a pattern

    echo data | awk '/match/{print "Inserted line"}1'

Print second column

    # head -n 1 | cut -d ' ' -f2
    awk '{print $2; exit}'

March 24, 2016  |  🏷️Awk

Anti-spam with Spamassassin

Implementation:

- Log in on server as root
- Install spamassassin through aptitude
- In /etc/default/spamassassin: Set ENABLED=1
- Add/uncomment in /etc/spamassassin/local.cf:

    rewrite_header Subject *****SPAM*****
    report_safe 0

- In /etc/postfix/master.cf:

    smtp inet n - - - - smtpd
      -o content_filter=spamassassin
    spamassassin unix - n n - - pipe
      user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

- Restart services:

    service spamassassin start
    service postfix reload

Verification:

- Email sent to server with body XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X should have subject rewritten to *****SPAM***** $header ...

Autofs - Installing automounter with LDAP

Description: Set up autofs on machines client-1 and client-2, which both use LDAP (how to install is described in a previous note)

Implementation:

- Install package autofs5-ldap
- Create autofs.ldif with the following data:

    dn: cn=autofs,cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: autofs
    olcAttributeTypes: {0}( 1.3.6.1.1.1.1.25 NAME 'automountInformation' DESC 'Information used by the autofs automounter' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    olcObjectClasses: {0}( 1.3.6.1.1.1.1.13 NAME 'automount' DESC 'An entry in an automounter map' SUP top STRUCTURAL MUST ( cn $ automountInformation $ objectclass ) MAY description )
    olcObjectClasses: {1}( 1.3.6.1.4.1.2312.4.2.2 NAME 'automountMap' DESC 'An group of related automount objects' SUP top STRUCTURAL MUST ou )

- Add the ldif to ldap:

    ldapadd -Y EXTERNAL -D cn=admin,(..) -W -f autofs.ldif

- Create ldif with automount information and a test-user:

    dn: ou=auto.master,ou=automount,dc=d4,dc=sysinst,dc=ida,dc=liu,dc=se
    ou: auto.master
    objectClass: top
    objectClass: automountMap

    dn: cn=/home,ou=auto.master,ou=automount,dc=d4,dc=sysinst,dc=ida,dc=liu,dc=se
    cn: /home
    objectClass: top
    objectClass: automount
    automountInformation: ldap:ou=auto.home,ou=automount,dc=d4,dc=sysinst,dc=ida,dc=liu,dc=se --timeout=60 --ghost

    dn: ou=auto.home,ou=automount,dc=d4,dc=sysinst,dc=ida,dc=liu,dc=se
    ou: auto.home
    objectClass: top
    objectClass: automountMap

    dn: cn=ollehome1,ou=auto.home,ou=automount,dc=d4,dc=sysinst,dc=ida,dc=liu,dc=se
    cn: ollehome1
    objectClass: top
    objectClass: automount
    automountInformation: -fstype=nfs,nfsvers=3,rw,soft,intr,exec server.d4.sysinst.ida.liu.se:/export/home1/&

- Add ldif to ldap:

    ldapadd -D cn=admin,(..) -W -f autodata.ldif

- Edit/enable the following lines in /etc/default/autofs:

    LOGGING="verbose"
    LDAP_URI="ldap://server.d4.sysinst.ida.liu.se"
    SEARCH_BASE="ou=automount,dc=d4,dc=sysinst,dc=ida,dc=liu,dc=se"
    MAP_OBJECT_CLASS="automountMap"
    ENTRY_OBJECT_CLASS="automount"
    MAP_ATTRIBUTE="ou"
    ENTRY_ATTRIBUTE="cn"
    VALUE_ATTRIBUTE="automountInformation"

- Add automount to /etc/nsswitch.conf:

    automount: files ldap

- Restart autofs:

    service autofs restart

Verification:

- Should be able to log in on both hosts with ollehome1 ...

Courier - Installation

Description: Install courier on server

Implementation:

- Log in as root
- Install fam and courier-imap-ssl through aptitude
- Create directories for web-based administration? No
- In /etc/postfix/main.cf, add line:

    home_mailbox = Maildir/

- Restart service:

    service postfix restart

- You may need to run maildirmake Maildir when in homedir?

Verification:

- Should be able to log in as root on imap from outside of LAN
- Should be able to log in as root on imap with STARTTLS from outside of LAN

January 14, 2016  |  🏷️Postfix

DNS/Bind9 - Configuring SPF

Description: Configure your DNS server to include SPF records for your domain. The only acceptable source of e-mail from your domain is your server. The SPF record should reflect this.

Implementation:

- Add line to /etc/bind/db.d4.sysinst.ida.liu.se:

    @ IN TXT "v=spf1 mx -all"

- Restart service:

    service bind9 reload

Verification:

- dig d4.sysinst.ida.liu.se TXT should return the above line
- Sending an email from server.d4.sysinst.ida.liu.se to e.g. a gmail address should have a ‘Received-SPF: pass’ in the header.
- Sending an email from another client should have a ‘Received-SPF: fail’ in the header

January 14, 2016  |  🏷️Dns 🏷️Spf
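
Why the record in the SPF note above gives the pass and fail results listed under its Verification, as an added example that is not part of the original note: a minimal evaluator for the SPF subset `mx`, `a`, `ip4` and `all`. The DNS table is constructed, and 192.0.2.10 as the server's address is a placeholder assumption.

```python
import ipaddress

# Constructed DNS data for illustration; 192.0.2.10 is a documentation-range
# placeholder, not the real address of the server in the note.
DNS = {
    ("d4.sysinst.ida.liu.se", "TXT"): ["v=spf1 mx -all"],
    ("d4.sysinst.ida.liu.se", "MX"): ["server.d4.sysinst.ida.liu.se"],
    ("server.d4.sysinst.ida.liu.se", "A"): ["192.0.2.10"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table."""
    return DNS.get((name.rstrip(".").lower(), rtype), [])


def mx_addresses(domain):
    """Addresses of every MX host of `domain` (the match set of `mx`)."""
    return {ipaddress.ip_address(a)
            for host in lookup(domain, "MX")
            for a in lookup(host, "A")}


def check_spf(client_ip, domain):
    """Evaluate the SPF subset used here (RFC 7208): mx, a, ip4, all."""
    records = [t for t in lookup(domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # more than one SPF record is an error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            matched = True
        elif mech == "mx":
            matched = ip in mx_addresses(domain)
        elif mech == "a":
            matched = ip in {ipaddress.ip_address(a) for a in lookup(domain, "A")}
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            return "permerror"      # term outside this example's subset
        if matched:                 # first matching mechanism decides
            return QUALIFIERS[qualifier]
    return "neutral"                # nothing matched and no "all" term
```

Terms are evaluated left to right, so the server's address matches `mx` and passes before `-all` is reached, while any other client falls through to `-all` and fails.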

Greylisting email with postgrey

Description: Add greylisting to postfix through postgrey

Implementation:

- Log in to server as root
- Install postgrey through aptitude
- Append to /etc/postgrey/whitelist-clients:

    d4.sysinst.ida.liu.se

- Restart service:

    service postgrey reload

- Add to/edit in /etc/postfix/main.cf:

    smtpd_recipient_restrictions =
      permit_mynetworks
      reject_unauth_destination
      check_policy_service inet:127.0.0.1:10023

- Restart service:

    service postfix reload

Verification:

- Email from any local host should not be greylisted
- Email from unknown address should be greylisted

Installation main and satellite services

Description:

Criteria:

- Accept mail from any SMTP server in the world.
- Be able to send mail to any SMTP server in the world.
- Not accept mail for any other destinations than your domain.
- Meet the requirements of RFC 2821, section 4.5.1 concerning the postmaster address.
- Should rewrite local usernames to real names through LDAP lookups
- Forwarded email from satellite systems should have their FQDN rewritten to this server’s

Implementation (Main server):

- Log in on server as root
- Install postfix through aptitude
  - Select type Internet Site
  - Set System Mail Name to d4.sysinst.ida.liu.se
- In /etc/postfix/main.cf, add the following lines:

    mynetworks = 127.0.0.0/8 130.236.179.88/29 [::ffff:127.0.0.0]/104 [::1]/128
    masquerade_domains = $mydomain
    local_header_rewrite_clients = permit_mynetworks
    sender_canonical_maps = ldap:/etc/postfix/canonical_sender
    recipient_canonical_maps = ldap:/etc/postfix/canonical_recipent

- Create /etc/postfix/canonical_sender:

    search_base = ou=People,dc=d4,dc=sysinst,dc=ida,dc=liu,dc=se
    server_host = server.d4.sysinst.ida.liu.se
    bind = no
    version = 3
    domain = d4.sysinst.ida.liu.se
    query_filter = uid=%u
    result_attribute = mail

- Create /etc/postfix/canonical_recipent:

    search_base = ou=People,dc=d4,dc=sysinst,dc=ida,dc=liu,dc=se
    server_host = server.d4.sysinst.ida.liu.se
    bind = no
    version = 3
    domain = d4.sysinst.ida.liu.se
    query_filter = mail=%s
    result_attribute = uid

- Set MX record. Add line to /etc/bind/db.d4.sysinst.ida.liu.se:

    @ IN MX 10 server.d4.sysinst.ida.liu.se.

- Restart the services:

    service postfix restart
    service bind9 restart

Implementation (Satellite Systems/Clients):

- Install postfix through aptitude
  - Select type Satellite System
  - Set System Mail Name to d4.sysinst.ida.liu.se
  - Set SMTP Relay Host to server.d4.sysinst.ida.liu.se

Verification:

- Test that the server can receive email from generic server outside of LAN
- Test that the server can send email to generic server outside of LAN
- Test that the server does not accept email for other domains than d4.sysinst.ida.liu.se
- Test that all clients can send email to *@d4.sysinst.ida.liu.se and they should end up on server
- Test that all clients do not have smtp open to LAN/WAN

NFS Installation

Description: Install the NFS Kernel Server and allow mappings from the subnet 130.236.179.88/29

Implementation (Server-side):

- Log in as root
- Install package nfs-kernel-server
- Add the following line to /etc/hosts.allow:

    portmap: 130.236.179.88/255.255.255.248

- Add the following line to /etc/exports:

    /usr/local 130.236.179.88/29(ro,root_squash,subtree_check)

- Restart the services:

    service portmap restart
    service nfs-kernel-server restart

Implementation (Client-side):

- Log in as root
- Install package nfs-common
- Attempt a mount:

    mount -o ro,vers=3 -t nfs server.d4.sysinst.ida.liu.se:/usr/local /usr/local

- If it works, add the following line to /etc/fstab:

    server.d4.sysinst.ida.liu.se:/usr/local /usr/local nfs ro,vers=3 0 0

Verification:

- Create file /usr/local/bin/hello which echoes hello. Run hello on client, should echo hello.
- Make sure it’s not possible to mount from other host

Expect: Simulating ssh login

Clean

    #! /usr/bin/env expect
    # Usage: <script> host user passwd
    # Note: the password is passed as an argument, so it is visible in the process list.
    set host [lindex $argv 0];
    set user [lindex $argv 1];
    set passwd [lindex $argv 2];

    set timeout 5
    spawn ssh $user@$host
    expect {
        "yes/no" {
            # Accepts an unknown host key without verifying it
            send "yes\r"
            exp_continue
        }

        "password:" {
            send "$passwd\r"
            exp_continue
        }

        "$user@$host:~? " {
            exit 0
        }

        timeout {
            exit 2
        }
    }

    exit 1

Wrapped inside bash

    #! /usr/bin/env bash
    assert_ssh_login() {
        local host="${1}"
        local user="${2}"
        local passwd="${3}"
        # Declare separately: "local details=$(...)" would replace the exit
        # status of expect with the (always zero) status of "local".
        local details rc
        details="$(echo -e "\
            set timeout 5 \n\
            spawn ssh ${user}@${host} \n\
            expect { \n\
                \"yes/no\" { \n\
                    send \"yes\r\" \n\
                    exp_continue \n\
                } \n\
                \n\
                \"password:\" { \n\
                    send \"${passwd}\r\" \n\
                    exp_continue \n\
                } \n\
                \n\
                \"${user}@${host}:~? \" {\n\
                    exit 0 \n\
                } \n\
                \n\
                timeout { \n\
                    exit 2 \n\
                } \n\
            } \n\
            \n\
            exit 1 \n\
        " | expect)"
        rc="${?}"   # exit status of expect, saved before it is overwritten

        case "${rc}" in
            "0") echo "Can login as ${user} on ${host}" ;;
            "1") echo "${user} can not login on ${host}. Details: ${details}" ;;
            "2") echo "${user} can not login on ${host} (Timeout). Details: ${details}" ;;
            * ) echo "${user} can not login on ${host} (Error ${rc}): Details: ${details}" ;;
        esac
    }

October 20, 2015  |