Providing Campus Mail Services with a Linux Cluster
- Slides: 25
Providing Campus Mail Services with a Linux Cluster Giles Malet University of Waterloo gdmalet@uwaterloo. ca University of Waterloo OUCC 2004
Overview • • • What our department does Our mail problems Our proposed solutions What we have done so far Problems we’re aware of What to do next • 25 slides… but feel free to interrupt! University of Waterloo OUCC 2004 2
Introductions • Information Systems & Technology (IST) • Provide services & expertise to campus • Project members – Dawn Keenan - sendmail, MRTG – Giles Malet - project lead, software – Rob Schmidt - Clam. AV, J-chkmail – Jeff Voskamp - LDAP, systems stuff – plus assistance from others…. University of Waterloo OUCC 2004 3
Why do this? • • • More and more spam and viruses More demand on IST for solution Want to centralize the problem (xhier) Want something everyone can use Old system overwhelmed • See project charter University of Waterloo OUCC 2004 4
Services Desired • Robust user@uwaterloo. ca mail server • Virus scanning with immediate rejection • Refuse executables etc. by file extension • Spam identification so people can filter – Also DNS blacklists – People can opt out of (only) spam processing • LDAP needed internally – perhaps allow user lookups? University of Waterloo OUCC 2004 5
What we considered • Using Solaris and Red. Hat Linux already…. . • “Cluster” problem – needed scalability – – – Open. Mosix Open. Knoppix Linux Cluster Project Linux HA Red. Hat Enterprise • …and so on. – But what does “cluster” mean? Vague. University of Waterloo OUCC 2004 6
Decisions • Start simple, try more involved setup if load is too high • Keep detailed statistics so we know what’s changing (more later) • Ask for (some) input from campus • Do our own load balancing (else Cisco) • 4 cheap systems or 3 “good” systems? – Spread load, reduce impact of failure University of Waterloo OUCC 2004 7
Hardware Purchased • 4 Dell servers – 1 with mirrored SCSI disks, 3. 2 Ghz CPU – 3 with single IDE disk, 3. 0 Ghz CPU • 1 gig memory • 1 x 100 + 1 x 1000 Mbps ethernet • Rack-mounted, serial consoles (Annex, Cyclades) University of Waterloo OUCC 2004 8
Hardware Configuration University of Waterloo OUCC 2004 9
Hardware – ‘head’ server • Most powerful, most robust • Runs LDAP, My. SQL, web servers, incoming mail • Mirrored disk, NFS shared to slaves – all cluster data in one place (mail queues) • Only machine that is backed up • Firewall / load balancing University of Waterloo OUCC 2004 10
Hardware - slaves • 3 identical machines, run all services • Only software difference is IP configuration (fix with DHCP) • Increasing the number provides more CPU, less exposure to software failure • Local disk only stores O/S – logs copied up to cerberus overnight • Firewall: only incoming connection is ssh from maintenance server • No user accounts: ssh as root from head server University of Waterloo OUCC 2004 11
Software Details • Will try Open. Source first, spend money second. • Looked at AFS etc, went to NFS (simple) • Use things we know, plus some experimentation • Emphasis was to get this going quickly, will fine-tune it later. University of Waterloo OUCC 2004 12
Sendmail • We know sendmail, and it works • Wanted “stock” system – no more phlookup --- thus LDAP • Something flexible: “milter” interface allows addons; can direct TCP connections from campus sendmails back to cluster University of Waterloo OUCC 2004 13
Clam Anti-Virus • Open source • Auto-updating from remote server – allows submission of ‘fingerprints’ • 3 components (freshclam, milter, clamd) – Some stability problems with latter two – Too many threads: 375 * 8 megs = 3 gigs – Deeply nested messages are problematic University of Waterloo OUCC 2004 14
J-Checkmail • Disallow incoming mail based on contents (regex) and extension • Also a milter interface • Lots of ongoing development (integrate virus scanning etc. ) University of Waterloo OUCC 2004 15
Spam. Assassin • Only marks spam – up to you to filter • Configurable preferences – must be on host initiating scan, thus problems with MX’d machines • Use My. SQL internally • Not foolproof: lose mail on false positive University of Waterloo OUCC 2004 16
Open. LDAP • Sendmail understands LDAP • It is fast! (2 hours versus 5 mins) • Used only for mail address lookups, thus rebuild every few hours • “Hidden” users have minimal details • Starting to need LDAP for other systems, and ADS is tricky (Oracle Calendar) University of Waterloo OUCC 2004 17
IPTables firewall & routing • Route incoming connections to available hosts – DNAT (load balancing) • SNAT outgoing mail connections • Firewall the rest – reduce patching • nodewatch does auto-updating – runs on head server, talks multicast – simple polling of available servers – written in-house (C program + shell scripts) University of Waterloo OUCC 2004 18
Statistics • Important to know what “normal” is • Heavy use of MRTG and friends • See graphs: http: //mailservices. uwaterloo. ca • Who’s using it? connections. txt University of Waterloo OUCC 2004 19
Gotchas • 3 gigs is not enough virtual memory – 8 megs stack / thread • Set ulimits: memory, number of processes • Logging is main load on disk – separate from mail spools • System will get a lot of unwanted attention – Dictionary attacks on sendmail – rate limit – LDAP scans – limit to campus, limit number of results, CPU per request – Firewall heavily, and hide the slaves • How to test without losing mail? University of Waterloo OUCC 2004 20
More gotchas… • What if a slave machine dies? – others can handle the load • What if the head machine dies? – – Lose NFS, My. SQL, LDAP Could rebuild in a few hours from backups Backup MX gets to do the work Need a similar system somewhere, to share • Need better way to distribute configs • It helps if a single netmask covers all hosts • Duplicate scanning (next slide) University of Waterloo OUCC 2004 21
Duplicate scanning • Machines tux and ist MX’d to cluster – mail to user@ist goes: cluster -> ist -> cluster -> tux when. forward on ist to tux. • Also, mail to user@cluster gets forwarded to destination, which also scans. • Currently it’s not worth the effort to prevent this University of Waterloo OUCC 2004 22
Undeliverable postmaster mail • Sendmail aborts when postmaster mail is undeliverable, queues grow and grow • Mail containing virus from off-campus goes to user@machine-1 – tries to forward to user@machine-2 but is blocked, so – tries to bounce, but bogus From: header – tries to send to postmaster@machine-1, which is forwarded to machine-2…. University of Waterloo OUCC 2004 23
Where we’re going • 3 system cluster for development – try new ideas: RH cluster, others – new sendmail, scanners etc. • Disaster recovery – head or slave dies • Centralised LDAP server, but need to deal with MS Active Directory • Document all this, and how to use it – hand it over to Production Support University of Waterloo OUCC 2004 24
Winding down • Spam / virus problems are getting worse, so we’ll be busy for a while. • Contact us if you want more info, exchange ideas, give advice • Slides will be made available University of Waterloo OUCC 2004 25
- Linux virtual server cluster
- Linux os high performance
- Torvalds on where will into linux
- Give 5 personal characteristics required by a valet
- What types of housekeeping requests guests make
- Providing support services facilities and other amenities
- Kernel linux security module m1 support
- Uclinux
- Parallelism examples
- Priority mail vs priority mail express
- Google docshttps://mail.google.com/mail/u/0/#inbox
- Key issue 1: why do services cluster downtown?
- What activities are excluded from cbds
- Xinetd vs inetd
- Alfresco
- Buyers matrix
- Mail recovery services
- Uwaterloo mail services
- Unit 15:3 providing first aid for bleeding and wounds
- Partially ventilated single stack system
- Setting objectives and providing feedback
- Dylan wiliam feedback on learning
- Engineering controls examples
- Protective equipment in sports ppt
- Reinforcing effort and providing recognition examples
- Chapter 17:4 providing first aid for shock