Rolling Resource

Westhost limit the size of your mailbox to 20MB, which is a bit puny these days. However, the reason that they do this is that they keep all your mail in a single file, so every time you check your email, you have to read the whole file starting from the top. This places a large load on the server if you have a huge file.

You can override this by manually editing the file /etc/features. This file contains lines of the form
username:mail=20,ftp=-1,description=Account details
Just change the mail=20 as you see fit to specify the size of your mailbox in Megabytes (MB), so for 60MB you would have
username:mail=60,ftp=-1,description=Account details

NOTE: Westhost will automatically archive and delete mailboxes over 75MB as described below

Large Mailboxes

Introduction

Your mailbox on the server is a single text file containing all of your e-mail, using the industry standard “mbox” format. Anytime you log into the incoming mail server to check your e-mail the mail server needs to read this file so your e-mail client (e.g. Outlook, Eudora, Thunderbird) can determine whether or not there is any new e-mail to download.

As the size of your mailbox increases, it takes more and more time to read that file when you check your e-mail. Large mailboxes keep the server busy for extended periods of time, needlessly degrading server performance for everything else. This translates into sluggish websites, delayed e-mail, and general unresponsiveness.

Archiving Large Mailboxes

In order to keep server performance high, we perform scans every other month and archive mailboxes that are larger than 75 megabytes. Archived mailboxes are compressed using the GNU ‘gzip’ program and are only kept until the next scan (at which point old archives will be automatically removed). If you ever need to have your archived e-mail restored please contact support for assistance.

Clearing Out a Large Mailbox

To clear out a large mailbox you will need to delete old e-mail. The easiest way to see what e-mail is being stored on the server is by checking your e-mail by logging in at http://webmail.westserver.net. From here you will be able to selectively delete any e-mail you no longer wish to keep. Deleting an e-mail off of the server will not effect any copies of a message you have already downloaded to your computer through your e-mail client.

Preventing Large Mailboxes

The best way that you can prevent your mailbox from growing too large is to configure your e-mail client to automatically remove e-mail from the server as it is downloaded. Nearly every e-mail client does this by default for you, unless you have specifically configured it not to. If needed, you can consult the help files for your particular e-mail client to learn how to change this setting.

We also strongly suggest only using a catch-all e-mail address when absolutely necessary. Spammers will try to guess e-mail addresses using your domain name. When you have a catch-all e-mail address they will always be guessing correctly, thus greatly increasing the amount of e-mail delivered to your mailbox. If you need to receive e-mail by a variety of names (e.g. sales@example.com, info@example.com, etc.) we advise you either use e-mail aliases or to setup separate mailboxes for each address. You can make all of these changes by logging into your Control Panel (Site Manager) at http://www.yourdomain.com/manager/ (make sure to replace yourdomain.com with your actual domain name) and clicking on E-mail / FTP Management on the top horizontal navigational bar.

Some files have been signed by their author to prove that nobody else has tampered with them. This is particularly true of source code or appllications you have downloaded off the web.

For example the antivirus package clamav can be downloaded from Sourceforge. There will be two files for you to download clamav-x.x.x.tar.gz and clamav-x.x.x.tar.gz.sig. The first file is the source code in a compressed format and the second is the signature for the format. In order to verify the signature, you will need GnuPG or PGP installed on the computer you are going to download the file to. I have given details of how to compile GnuPG elsewhere in this blog.

In order to verify the signature, we use the command gpg --verify clamav-x.x.x.tar.gz.sig

[mylogin][~]$ gpg --verify clamav-x.x.x.tar.gz.sig
gpg: keyring `/home/mylogin/.gnupg/secring.gpg’ created
gpg: keyring `/home/mylogin/.gnupg/pubring.gpg’ created
gpg: Signature made Mon Mar 13 17:44:03 2006 MST using DSA key ID 985A444B
gpg: Can’t check signature: public key not found

The trouble is that we do not have yet the public key for the person who signed the file. We can get this from a public keyserver such as keyserver.pgp.com or pgp.mit.edu. You will need the key ID printed in the penultimate (last but one) line above. In this case 985A444B.

We should be able to use the command gpg --keyserver pgp.mit.edu --recv-keys 0x985A444B to retrieve the key automatically, but get the error
[mylogin][~]$ gpg --keyserver pgp.mit.edu --recv-keys 0x985A444B
gpg: requesting key 985A444B from hkp server pgp.mit.edu
/usr/mylocal/libexec/gnupg/gpgkeys_hkp: error while loading shared libraries: libcurl.so.3: cannot open shared object file: No such file or directory
gpg: no handler for keyserver scheme `hkp’
gpg: keyserver receive failed: keyserver error

So we downloaded the public key from pgp.mit.edu instead and saved it to the file clamav.key. NOTE: In order to lookup the public key, you will need to add ’0x’ (zero x) to the front of the key ID, so 985A444B becomes 0x985A444B. The public key can be a large file, so copy and paste it rather than trying to type it.
[mylogin][~]$ gpg --import clamav.key
gpg: key 985A444B: public key “Tomasz Kojm ” imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found

Once we have added the key to our public keyring, we can verify the signature [mylogin][~]$ gpg --verify clamav-0.90RC1.1.tar.gz.sig
gpg: Signature made Mon Oct 16 02:56:15 2006 MDT using DSA key ID 985A444B
gpg: Good signature from “Tomasz Kojm “
gpg: aka “Tomasz Kojm “
gpg: aka “Tomasz Kojm “
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0DCA 5A08 407D 5288 279D B434 5482 2DC8 985A 444B

Note that we still do not trust this key - we have just proven that the downloaded file has not been tampered with.

Most of the time this is a painless task. You just set up your email client and hit the Send/Receive button and away you go. But what happens when things go wrong? How do you troubleshoot the problem? Our Knight in shining armour is telnet. You can use this program to manually perform the sequence of commands as shown below.

telnet mail.xxx.com 25

A typical conversation goes something like this (your entry in bold)

Sending Email

telnet mail.mydomain.com 25
220 mydomain.com ESMTP Sendmail 8.11.6/8.11.6; Thu, 26 Oct 2006 11:18:07 -0600
HELO fromme.com
250 mydomain.com Hello [xxx.xxx.xxx.xxx], pleased to meet you
MAIL FROM: test@
250 2.1.0 test@ Sender ok
RCPT TO: validuser@mydomain.com
250 2.1.5 validuser@mydomain.com… Recipient ok
DATA
354 Enter mail, end with “.” on a line by itself
Date: Sun,17 Aug 1997 18:48:15 +0200
From: Me <forged@dummy.com>
To: “You@Yours.com” <You@Yours.com>
Subject: This is a test message

This is the message body
.
250 2.0.0 k9QHLHX00862 Message accepted for delivery
QUIT
221 2.0.0 mydomain.com closing connection

Connection to host lost.

If your server supports ESMTP, it is also possible to start the conversation with EHLO instead of HELO. ESMTP allows for delivery status notifications and multiple attachment encodings

220 mydomain.com ESMTP Sendmail 8.11.6/8.11.6; Thu, 26 Oct 2006 16:11:25 -0600
EHLO fromme.com
250-mydomain.com Hello [xxx.xxx.xxx.xxx], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250-AUTH PLAIN LOGIN
250 HELP

Receiving EMail

A typical POP3 (receiving) conversation is

telnet mail.mydomain.com 110
+OK AVG POP3 Proxy Server <9397.1161883939@mydomain.com> 7.1.400/7.1.408 [268.13.11/494]
USER validuser
+OK Password required for validuser
PASS xxxxxxxx
+OK validuser has 10 visible messages (0 hidden) in 1275592 octets.
STAT
+OK 10 1275592
LIST
+OK 10 visible messages (1275592 octets)
1 20018
2 19726
……..
9 18883
10 519
.
RETR 10
+OK 519 octets
Return-Path: <test>test@
Received: from fromme.com ([xxx.xxx.xxx.xxx])
by mydomain.com (8.11.6/8.11.6) with SMTP id k9QHLHX00862
for validuser@mydomain.com; Thu, 26 Oct 2006 11:21:48 -0600
Message-Id: <200610261721.k9QHLHX00862@mydomain.com>
X-Envelope-From: test@
X-Envelope-To: validuser@mydomain.com
X-Protocol: SMTP
Date: Sun,17 Aug 1997 18:48:15 +0200
From: Me <forged@dummy.com>
To: “You@yours.com” <You@Yours.com>
Subject: This is a test message
X-UIDL: O*5!!PS:”!7Jk”!~+=”!
X-Antivirus: AVG for E-mail 7.1.408 [268.13.11/494]
Mime-Version: 1.0
Content-Type: text/plain

This is the message body

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.408 / Virus Database: 268.13.11/494 - Release Date: 24/10/2006

.
QUIT
+OK Pop server at mydomain.com signing off.

Connection to host lost.

You can see how easy it is for spammers to send fake or phishing emails - the only genuine piece of information in this header is my IP Address, which I have blanked out [xxx.xxx.xxx.xxx]

Other Tests

The other thing to do is to go to http://www.dnsstuff.com and fill out the DNS Lookup for the MX records of your domain in the top right box

Step 1 - Download source

The first thing we need to do is download the source file from GnuPG.  I like to download the files directly to my server rather than downloading them to my PC and then uploading them to my server, so lets use a SSH session.  There are plenty of SSH Clients available, but PuTTY is available for free and does the job.  Instructions for configuring PuTTY for Westhost are available here.  Once you have logged in, create a directory to download your files to (for example, apps/dl) using the mkdir
[mylogin][~]$mkdir apps
[mylogin][~]$mkdir apps/dl

The files we need are only available via FTP from GnuPG.  If you clicked on the link to their site above, you will have found the latest version - at the time of writing this is 1.4.5.  Hover your mouse over the FTP link and you will find that the file we want to download is located at ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.5.tar.bz2, that is to say the file gnupg-1.4.5.tar.bz2 is located on the server called ftp.gnupg.org in the directory gcrypt/gnupg Follow the example below to download your own copy (user input is in bold).  It is good practice to download the signature file gnupg-1.4.5.tar.bz2.sig as well. 

If you prefer, you can download the gzipped file gnupg-1.4.5.tar.gz instead of gnupg-1.4.5.tar.bz.  You do not need both sets, although I download them in the example below.  GZip is just an older piece of software.  The command to extract the files would be gunzip instead of bunzip2

Step 2 - Checking the download

Now that we have the source files on our server, we need to check that they have not been tampered with.  The simplest way is to issue the command bunzip2 -t gnupg-1.4.5.tar.bz2

[mylogin][~/apps/dl]$ bunzip2 -tv gnupg-1.4.5.tar.bz2
gnupg-1.4.5.tar.bz2: ok

However, this only checks that the archive is not corrupt.  You really need to check the file’s digital signature, but we don’t have any means to do that yet.  We can verify the checksum but GnuPG only publish the SHA1 checksum for the code and we do not have sha1sum installed on our server.  However, I can reveal that the MD5sum is

811525965b4c0987e6418a7729a6444d gnupg-1.4.5.tar.bz2

If you save this text to the file gnupg-1.4.5.tar.bz2.md5, then enter md5sum -c gnupg-1.4.5.tar.bz2.md5 on the command line, you should get this response

[mylogin][~/apps/dl]$ md5sum -c gnupg-1.4.5.tar.bz2.md5
gnupg-1.4.5.tar.bz2: OK

If there was a problem with your download, you will get the following error message when testing the archive

bunzip2: gnupg-1.4.5.md5: data integrity (CRC) error in data

You can use the `bzip2recover’ program to attempt to recover
data from undamaged sections of corrupted files.

Step 3 - Other libraries

We need to download and install the libcurl, libiconv and gettext libraries before we can build GnuPG.  Also, since we do not have root access at Westhost, we need to tell all Linux packages to install to a different directory other than /usr/local.  We do this by specifying

./configure --prefix=/usr/mylocal
NOTE: Create the directory /usr/mylocal if it does not already exist

libiconv and gettext depend on each other, so we need to build libiconv then gettext and the rebuild libiconv.

Build libcurl

wget http://curl.haxx.se/download/curl-7.16.0.tar.bz2
wget http://curl.haxx.se/download/curl-7.16.0.tar.bz2.asc
bunzip2 -c curl-7.16.0.tar.bz2 | tar x
cd curl-7.16.0
./configure --prefix=/usr/mylocal
make
make install
cd ..


Build libiconv

wget http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.11.tar.gz
wget http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.11.tar.gz.sig
gunzip -c libiconv-1.11.tar.gz | tar x
cd libiconv-1.11
./configure --prefix=/usr/mylocal
make
make install
cd ..


Build gettext

ftp mirrors.usc.edu
 anonymous
 anon@
 cd pub/gnu/gettext
 mode image
 passive
 get gettext-0.16.tar.gz
 get gettext-0.16.tar.gz.sig
 quit
gunzip -c gettext-0.16.tar.gz |tar x
cd gettext-0.16
./configure --prefix=/usr/mylocal
make
make install


Rebuild libiconv

cd ../libiconv-1.11
make distclean
./configure --prefix=/usr/mylocal
make
make install
libtool --dry-run --finish /usr/mylocal/lib
libtool --finish /usr/mylocal/lib
cd ..


Step 4 - Creating the Executable

bunzip2 -c gnupg-1.4.5.tar.bz2 |tar x
cd gnupg-1.4.5
./configure --prefix=/usr/mylocal
make
make install


Once you have built GnuPG, you will need to create a few links as our directory is not in the PATH.

ln -s /usr/mylocal/bin/gpg /usr/local/bin/gpg

Alternatively, edit the PATH definition in /.bashrc to include /usr/mylocal/bin

You will also need to copy the configuration file
mkdir ~/.gnupg
cp -p /usr/mylocal/share/gnupg/options.skel ~/.gnupg/options

• Download source from xinetd The current version is 2.3.14, so the command to download it is wget http://xinetd.org/xinetd-2.3.14.tar.gz.
• Unzip the file using the command gunzip -c xinetd-2.3.14.tar.gz|tar x and change into the directory this creates (cd xinetd-2.3.14)
• Configure it using the command ./configure --prefix=/usr/mylocal >log.config 2>err.config
• Check err.config for any errors
• Build the source code using the command make >log.make 2>err.make
• Check err.make for errors
• Install the package using the command make install >log.install 2>err.install
• Check err.install for any errors
• Now create the configuration file for the services you want to run using the command pico /etc/xinetd.conf. It should look something like this example:
  PLAIN TEXT
  C:

  1. # Configuration file for xinetd
  2. #
  3.  
  4. defaults
  5. {
  6.         instances               = 25
  7.         log_type                = FILE /var/log/xinetd
  8.         log_on_success  = HOST PID
  9.         log_on_failure = HOST
  10. }
  11.  
  12. #service imapd
  13. #{
  14. #       socket_type             = stream
  15. #       wait                    = no
  16. #       user                    = vuser
  17. #       server                  = /usr/local/sbin/imapd
  18. #       log_on_failure += USERID
  19. #}
  20.  
  21. #service imaps
  22. #{
  23. #       socket_type             = stream
  24. #       wait                    = no
  25. #       user                    = vuser
  26. #       server                  = /usr/local/sbin/imapd
  27. #       log_on_failure += USERID
  28. #}
  29.  
  30. ## rsyncd can't run on 873/tcp because WestHost's own backup
  31. ## tools are running there.
  32. #service rsync-alt
  33. #{
  34. #       disable                 = no
  35. #       type                    = UNLISTED
  36. #       port                    = 8730
  37. #       socket_type             = stream
  38. #       wait                    = no
  39. #       user                    = vuser
  40. #       server                  = /usr/local/bin/rsync
  41. #       server_args             = --daemon
  42. #       log_on_failure += USERID
  43. #}

  Replace vuser with your user name

• Test your installation of xinetd by typing /usr/mylocal/sbin/xinetd -d. Fix any errors. If there are none, then terminate the daemon using Control-X
• Create the file /etc/rc.d/init.d/xinetd which will be used to start and stop the xinetd task using the command pico /etc/rc.d/init.d/xinetd
  PLAIN TEXT
  C:

  1. #!/bin/bash
  2. #
  3. # Startup script for the xinetd server
  4. #
  5. # chkconfig: - 86 14
  6. # description: xinetd
  7. # processname: xinetd
  8. # pidfile: /var/run/xinetd.pid
  9. # config: /etc/xinetd.conf
  10.  
  11. # Source function library.
  12. . /etc/rc.d/init.d/functions
  13.  
  14. xinetd=/usr/mylocal/sbin/xinetd
  15. prog=xinetd
  16. RETVAL=0
  17.  
  18. start() {
  19.         echo -n $"Starting $prog: "
  20.         pidfile=/var/run/xinetd.pid
  21.         pid=`cat $pidfile 2>/dev/null`
  22.         [ "$pid" ] && \
  23.                 [ "`find  /proc/${pid}/exe -printf '%l%U\n' 2>/dev/null |
  24. awk -F'/' '{print $NF}'`" != "xinetd`id -u`" ] && \
  25.                                 /bin/rm -f $pidfile
  26.         daemon $xinetd
  27.         RETVAL=$?
  28.         echo
  29.         [ $RETVAL = 0 ] && touch /var/lock/subsys/xinetd
  30.         return $RETVAL
  31. }
  32. stop() {
  33.         echo -n $"Stopping $prog: "
  34.         killproc $xinetd
  35.         RETVAL=$?
  36.         echo
  37.         if [ $RETVAL = 0 ] ; then
  38.                 rm -f /var/lock/subsys/xinetd /var/run/xinetd.pid
  39.                 pid=`pidof -o $$ -o $PPID -o %PPID -x ${xinetd} || pidof -o $$ -o $PPID -o %PPID -x ${prog}`
  40.                 if [ "$pid" ] ; then
  41.                         killproc $xinetd
  42.                         RETVAL=$?
  43.                 fi
  44.         fi
  45. }
  46. reload() {
  47.         echo -n $"Reloading $prog: "
  48.         killproc $xinetd -HUP
  49.         RETVAL=$?
  50.         echo
  51. }
  52.  
  53. # See how we were called.
  54. case "$1" in
  55.   start)
  56.         start
  57.         ;;
  58.   stop)
  59.         stop
  60.         ;;
  61.   status)
  62.         status $xinetd
  63.         RETVAL=$?
  64.         ;;
  65.   restart)
  66.         stop
  67.         start
  68.         ;;
  69.   condrestart)
  70.         if [ -f /var/run/xinetd.pid ] ; then
  71.                 stop
  72.                 start
  73.         fi
  74.         ;;
  75.   reload)
  76.         reload
  77.         ;;
  78.   *)
  79.         echo $"Usage: $prog
  80. {start|stop|restart|condrestart|reload|status}"
  81.         exit 1
  82. esac
  83.  
  84. exit $RETVAL

• Make this file executable by using chmod u+x /etc/rc.d/init.d/xinetd
• Create the links Snnxinetd and Knnxinetd in /etc/rc.d/rc2.d so that xinetd will start and stop whenever you restart and shutdown your VPS. Choose suitable unique numbers for nn. Packages are started and stopped in ascending order. I chose nn=100.
  • ln -s /etc/rc.d/init.d/xinetd /etc/rc.d/rc2.d/S100xinetd
  • ln -s /etc/rc.d/init.d/xinetd /etc/rc.d/rc2.d/K100xinetd