Build Exim from Source on Centos 7

Pre-requisites:

#yum install gcc

#yum install libdb libdb-devel

#yum install opendmarc libopendmarc libopendmarc-devel

#yum install libspf2 libspf2-devel

#yum install libX11 libX11-devel

#yum install libXt libXt-devel

#yum install libXaw libXaw-devel

#yum install openldap openldap-devel

Install iconv library –

1. Download cert-forensics-tools-release-el7 rpm:
https://forensics.cert.org/cert-forensics-tools-release-el7.rpm

2. Install cert-forensics-tools-release-el7 rpm:
# rpm -Uvh cert-forensics-tools-release*rpm

3. Install libiconv rpm package:
# yum --enablerepo=forensics install libiconv

Create exim user and group

Exim Build:

Download exim source code tar file (see exim.org) and unpack it. Switch to the main distribution directory. The install instructions are in the README file.

Edit the makefile as instructed to include the following functions –

LDAP lookup
PCRE
Content scan
DMARC
SPF
TLS
TLS and plaintext AUTH
ICONV

Then –

# make
# make install
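The notes above say to edit the makefile for the listed features. As an added example (not from the notes and not the Exim project's own code), the script below copies src/EDITME to Local/Makefile, as Exim's README describes, and switches those features on. The option names are those of src/EDITME as this writer knows them; several are release-specific (EXPERIMENTAL_DMARC became SUPPORT_DMARC, EXPERIMENTAL_SPF became SUPPORT_SPF, SUPPORT_TLS became USE_OPENSSL), so check them against the EDITME in the tarball you unpacked. It assumes the exim user created in the step above exists, and that pcre-devel and openssl-devel are installed: the prerequisite list above does not mention them, but Exim's PCRE support and OpenSSL TLS need them. PCRE itself needs no option on these releases; the build picks the library up automatically.

```bash
#!/bin/bash
# Added example: prepare Local/Makefile for an Exim source tree with the
# features from the notes enabled. Option names follow src/EDITME; some differ
# between releases (see comments), so verify them against your EDITME.
set -eu

# Set KEY=VALUE in a makefile: uncomment/replace an existing line, else append.
set_make_option() {  # $1 = makefile, $2 = key, $3 = value
    local file=$1 key=$2 value=$3
    if grep -Eq "^#? *${key}=" "$file"; then
        sed -i -E "s|^#? *${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Copy src/EDITME to Local/Makefile (as the README instructs) and enable the
# LDAP lookup, content scanning, DMARC, SPF, TLS, plaintext AUTH and iconv.
prepare_local_makefile() {  # $1 = Exim source directory
    local src=$1 mk="$1/Local/Makefile"
    mkdir -p "$src/Local"
    [ -f "$mk" ] || cp "$src/src/EDITME" "$mk"

    set_make_option "$mk" EXIM_USER exim             # user/group created earlier
    set_make_option "$mk" LOOKUP_LDAP yes
    set_make_option "$mk" LDAP_LIB_TYPE OPENLDAP2
    set_make_option "$mk" LOOKUP_LIBS "-lldap -llber"
    set_make_option "$mk" WITH_CONTENT_SCAN yes
    set_make_option "$mk" EXPERIMENTAL_DMARC yes     # SUPPORT_DMARC on Exim >= 4.94
    set_make_option "$mk" EXPERIMENTAL_SPF yes       # SUPPORT_SPF on Exim >= 4.93
    set_make_option "$mk" SUPPORT_TLS yes            # USE_OPENSSL=yes on Exim >= 4.92
    set_make_option "$mk" TLS_LIBS "-lssl -lcrypto"
    set_make_option "$mk" AUTH_PLAINTEXT yes
    set_make_option "$mk" HAVE_ICONV yes
}

# Print the effective value of an option (empty if unset or still commented out).
get_make_option() {  # $1 = makefile, $2 = key
    sed -n -E "s/^${2}=(.*)$/\1/p" "$1" | tail -n 1
}

# Usage: ./prepare-exim.sh /path/to/exim-4.xx && cd /path/to/exim-4.xx && make && make install
if [ -n "${1:-}" ]; then
    prepare_local_makefile "$1"
fi
```

Run it once against the unpacked distribution directory before `make`; the same function works for the upgrade step later on the page, where Local/Makefile is carried over from the previous tree, because existing settings are replaced rather than duplicated.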

Upgrade Exim:

Download the latest distribution from exim.org and unpack it as above. Switch to the main distribution directory and copy the Local/Makefile from the current source distribution into the Local directory. The ‘make install’ process should detect the presence of an existing configuration file (/usr/exim/configure) and should not overwrite it. You may want to take a copy of the configuration file before installing as a precaution.

Then –

# make
# make install

This will replace the old version with the new one. You will need to restart the daemon for it to take effect i.e.

# systemctl restart exim

Rsyslog and Log Analyzer

These are the steps I took to create a centralised location for system logs. In this scenario multiple servers (earth, venus, mars) send their system logs to a central server (sun, 192.168.1.1). I'm not going to cover the configuration of Apache or MySQL except where it applies to Log Analyzer. Most of the servers are running Red Hat / CentOS 5. In this setup I am using 192.168.0.0 as the subnet and topsecret as the password. Change as appropriate.

Central Server (sun):

On the central server (sun) which will be running Log Analyzer, these steps only need to be taken once. If you only want to add more servers sending their syslogs to sun skip this section:

yum install httpd php mysql php-mysql mysql-server wget rsyslog rsyslog-mysql

Create the rsyslog database structure in MySQL:

mysql -u root -p < /usr/share/doc/rsyslog-mysql-3.22.1/createDB.sql

Create the MySQL user:

mysql -u root -p mysql
mysql> GRANT ALL ON Syslog.* TO rsyslog@localhost IDENTIFIED BY 'topsecret';
mysql> flush privileges;
mysql> exit

Edit the rsyslog config file:

vi /etc/rsyslog.conf

Add the following at the top:

$AllowedSender UDP, 127.0.0.1, 192.168.0.0/16
$AllowedSender TCP, 127.0.0.1, 192.168.0.0/16

#UDP log
$ModLoad imudp
$UDPServerRun 514
#TCP log
$ModLoad imtcp
$InputTCPServerRun 514

$ModLoad ommysql
*.info :ommysql:127.0.0.1,Syslog,rsyslog,topsecret
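Two things worth checking around the block above: the ommysql line puts the database password in clear text into a file that is normally world-readable (rsyslog.conf ships as mode 0644), and $AllowedSender makes rsyslog drop messages from any host outside the listed ranges, so a client on the wrong subnet simply goes quiet. The script below is an added example (not from the notes) that writes the same legacy-syntax fragment from the values in the notes, tightens its permissions, and checks a list of client addresses against the allowed subnet; SUBNET and DB_PASS are assumed variable names, and topsecret is the notes' placeholder.

```bash
#!/bin/bash
# Added example: generate the central-server rsyslog fragment from the notes,
# keep the ommysql password out of a world-readable file, and check clients
# against the $AllowedSender subnet before rsyslog silently drops them.
set -eu

SUBNET="${SUBNET:-192.168.0.0/16}"   # subnet from the notes
DB_PASS="${DB_PASS:-topsecret}"      # the notes' placeholder; use a real secret

# Write the rsyslog v3 legacy-syntax fragment; \$ keeps the directives literal.
# The notes place these lines at the top of /etc/rsyslog.conf.
write_central_fragment() {  # $1 = output file
    cat > "$1" <<EOF
\$AllowedSender UDP, 127.0.0.1, $SUBNET
\$AllowedSender TCP, 127.0.0.1, $SUBNET

#UDP log
\$ModLoad imudp
\$UDPServerRun 514
#TCP log
\$ModLoad imtcp
\$InputTCPServerRun 514

\$ModLoad ommysql
*.info :ommysql:127.0.0.1,Syslog,rsyslog,$DB_PASS
EOF
    chmod 0600 "$1"   # the ommysql line carries the DB password in clear text
}

# Returns 0 when no ommysql (password) line sits in a file others can read.
check_secret_perms() {  # $1 = config file
    grep -q ':ommysql:' "$1" || return 0
    [ "$(stat -c %a "$1")" = 600 ]
}

# Dotted-quad IPv4 address to a 32-bit integer.
ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

# Returns 0 when IP $1 lies inside CIDR $2 (e.g. 192.168.1.1 192.168.0.0/16).
in_subnet() {
    local net=${2%/*} bits=${2#*/} mask
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Reports clients that $AllowedSender would reject; returns 1 if there are any.
check_clients() {  # $@ = client IPs (mars, venus, earth ...)
    local ip bad=0
    for ip in "$@"; do
        if ! in_subnet "$ip" "$SUBNET"; then
            echo "client $ip is outside $SUBNET: rsyslog will drop its messages" >&2
            bad=1
        fi
    done
    return $bad
}
```

Because the database password has to live in the config file with this ommysql setup, the permission check is the control that matters: any local user who can read rsyslog.conf can read every log row in MySQL with it. The subnet check is cheap to run whenever a new client is added, before wondering why its messages never arrive.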

Amend the rsyslog startup options:

vi /etc/sysconfig/rsyslog

Set the options as follows:

SYSLOGD_OPTIONS="-r -t154 -m 0"

Now disable the standard syslog and enable rsyslog:

chkconfig syslog off
service syslog stop
chkconfig rsyslog on
service rsyslog start

Install Log Analyzer:

cd /tmp
wget http://download.adiscon.com/loganalyzer/loganalyzer-3.0.7.tar.gz
tar xzf loganalyzer-3.0.7.tar.gz
mv loganalyzer-3.0.7/src /var/www/html/loganalyzer
mv loganalyzer-3.0.7/contrib/* /var/www/html/loganalyzer
cd /var/www/html/loganalyzer
chmod u+x configure.sh secure.sh
./configure.sh

Now browse the website e.g. http://sun/loganalyzer
Follow the installer adding your MySQL credentials when requested.

Amend the firewall on the central (sun) server to allow other servers:

vi /etc/sysconfig/iptables

Add:

-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 514 -j ACCEPT

Restart iptables:

service iptables restart

Remote Servers
Configure Other Servers (mars, venus, earth) to send their syslogs to the central server (sun):
Install rsyslog:

yum install rsyslog

Edit the config:

vi /etc/rsyslog.conf

Add:

*.info  @192.168.1.1:514

I add this on line number 2, below $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat.
Set rsyslog as the default syslogger:

/sbin/chkconfig syslog off
/sbin/chkconfig rsyslog on
service syslog stop
service rsyslog start

Using *.info could collect a lot of messages, so customise as necessary; for example, changing to *.crit will collect fewer messages of higher importance.
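A classic rsyslog selector of the form facility.severity matches that severity and everything more urgent, which is why *.crit forwards far less than *.info. The functions below are an added example (not from the notes) that make this concrete for any selector: they decide whether a given message priority (facility.severity, as written by logger or syslog(3)) would be sent, and list the severities a selector covers. The severity numbers are the standard syslog ladder; the function names are assumptions.

```bash
#!/bin/bash
# Added example: what the selector on the forwarding line actually sends.
# "*.crit" forwards emerg/alert/crit only; "*.info" forwards all but debug.
set -eu

# Syslog severity ladder (0 is most urgent); aliases as accepted by syslog(3).
severity_num() {
    case $1 in
        emerg|panic) echo 0 ;;  alert) echo 1 ;;  crit) echo 2 ;;  err|error) echo 3 ;;
        warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;;  debug) echo 7 ;;
        *) echo "unknown severity: $1" >&2; return 1 ;;
    esac
}

# Returns 0 if a message with priority $2 (facility.severity, e.g. kern.err)
# would be forwarded by selector $1 (e.g. "*.info" or "auth.crit").
selector_matches() {
    local sel_fac=${1%.*} sel_sev=${1#*.} msg_fac=${2%.*} msg_sev=${2#*.}
    [ "$sel_fac" = '*' ] || [ "$sel_fac" = "$msg_fac" ] || return 1
    [ "$(severity_num "$msg_sev")" -le "$(severity_num "$sel_sev")" ]
}

# Lists the severities a selector forwards, most urgent first.
forwarded_severities() {  # $1 = selector
    local s out=""
    for s in emerg alert crit err warning notice info debug; do
        selector_matches "$1" "user.$s" && out="$out${out:+ }$s"
    done
    echo "$out"
}

# Usage: forwarded_severities '*.crit'   ->  emerg alert crit
```

On a real client you can confirm the chosen selector end to end with logger -p user.crit "test" and watch for the line on sun; a message logged at user.info would be forwarded under *.info but not under *.crit.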

Red Hat CentOS Yum Repositories

This is my summary of Yum repositories for future reference. Yum (and apt on Debian systems) is an easy way to install software on Red Hat/CentOS systems and to keep those systems up-to-date. There are a variety of repositories with different software packages available which is why I like to use most of the following repositories. To install a new package with yum:

yum install packagename

To search for available packages

yum list php*

To update all packages on a system

yum update

For more info

man yum

Don't forget you can install the yum-priorities package, then add priority=1 or priority=5 (any number) to set a priority for the particular repo. I usually set the CentOS ones to 1, rpmforge to 5 and the others to about 10.
CentOS
The main yum repositories are installed by default and you will find them at: /etc/yum.repos.d
They will be named CentOS-Base.repo and CentOS-Media.repo
Enable the sections you want in these files and set priority=1 as we prefer the well tested versions of software.

RPMForge
RPMforge has a wider range of packages available than the standard Red Hat/CentOS repositories including: clam, phpmyadmin
Installation instructions are at: http://www.rpmrepo.org/RPMforge/Using
Following these instructions for CentOS 5 64-bit we would install with:

su -c 'rpm -Uvh http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm'

Check the rpmforge.repo file is now in /etc/yum.repos.d and add a priority=5 line if you want.

EPEL
I used the EPEL repository at one point to get a specific PHP version which had not been released (and tested) on the other repositories and also a fairly specific scientific program. Installation instructions are at: http://fedoraproject.org/wiki/EPEL/FAQ#howtouse
For example for CentOS x86:

su -c 'rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm'

REMI
I used the REMI repository at one point to get a specific PHP version which had not been released (and tested) on the other repositories. Installation instructions are at: http://dev.antoinesolutions.com/remi-repository
For example for CentOS x86:

su -c 'rpm -Uvh http://rpms.famillecollet.com/el5.i386/remi-release-5-6.el5.remi.noarch.rpm'

Atomic ART
The Atomic repository has some extra packages mainly focused at servers running Plesk but I found the packages for OpenVAS on there that were not available on other repositories.
Download the following shell script:

wget http://atomicorp.com/installers/atomic

Make it executable and then run it.

chmod +x atomic && ./atomic

Answer the questions and you will have the atomic.repo file in /etc/yum.repos.d

Summary
For all these repositories it is worth checking the /etc/yum.repos.d/*.repo files for the following options:

  1. Enable the Repository
    Change enabled=0 to enabled=1
  2. Set priority for the Repository
    Add priority=3 to the end of the section

Using extra package repositories makes life easier for being notified of updates and for installing new packages and updates; however, if a package is not available or you need extra configuration you can always compile the traditional way (./configure, make, make install).
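With several third-party repositories enabled, the two settings in the summary decide which repository wins for a given package, and an enabled repository with no priority= line gets yum-priorities' default of 99 (the lowest). The script below is an added example (not from the notes) that reads the .repo files, reports each section's enabled and priority values, flags enabled sections with no priority, and adds or replaces a priority in a named section. It parses the files with awk rather than asking yum, so it can be run on copies; the function names are assumptions and the sample .repo content in the usage is constructed.

```bash
#!/bin/bash
# Added example: audit /etc/yum.repos.d/*.repo for enabled= and priority=,
# and set a priority inside one [section]. Plain awk, no yum required.
set -eu

# Print "file section enabled priority" for every [section] in the given files.
# A missing enabled= counts as 1 (yum's default); a missing priority shows "-".
repo_settings() {  # $@ = .repo files
    awk '
        function emit() { if (sec != "") print fn, sec, en, pr }
        FNR == 1 { emit(); sec = ""; fn = FILENAME }
        /^\[.*\]$/ { emit(); sec = substr($0, 2, length($0) - 2); en = "1"; pr = "-"; next }
        /^enabled[ \t]*=/  { sub(/^enabled[ \t]*=[ \t]*/, "");  en = $0 }
        /^priority[ \t]*=/ { sub(/^priority[ \t]*=[ \t]*/, ""); pr = $0 }
        END { emit() }
    ' "$@"
}

# Reports enabled sections with no priority (yum-priorities treats them as 99).
# Returns 1 if any were found. Assumes file names without spaces.
enabled_without_priority() {  # $@ = .repo files
    local found=0 fn sec en pr
    while read -r fn sec en pr; do
        if [ "$en" = 1 ] && [ "$pr" = "-" ]; then
            echo "$fn [$sec] is enabled with no priority (defaults to 99)"
            found=1
        fi
    done < <(repo_settings "$@")
    return $found
}

# Add or replace priority=N inside [section] of one .repo file, in place.
set_repo_priority() {  # $1 = file, $2 = section, $3 = priority
    local tmp; tmp=$(mktemp)
    awk -v sec="$2" -v pr="$3" '
        /^\[.*\]$/ {
            if (insec && !seen) print "priority=" pr     # leaving the section unset
            insec = (substr($0, 2, length($0) - 2) == sec); seen = 0
        }
        insec && /^priority[ \t]*=/ { print "priority=" pr; seen = 1; next }
        { print }
        END { if (insec && !seen) print "priority=" pr }  # section was the last one
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Usage (constructed sample):
#   printf '%s\n' '[rpmforge]' 'name=RPMforge' 'enabled=1' > /tmp/rpmforge.repo
#   set_repo_priority /tmp/rpmforge.repo rpmforge 5
#   repo_settings /etc/yum.repos.d/*.repo
#   enabled_without_priority /etc/yum.repos.d/*.repo
```

Running enabled_without_priority over /etc/yum.repos.d after adding a new repository is a quick way to catch the case the summary warns about: a freshly installed rpmforge or epel release file is usually enabled=1 with no priority, which would let it override the base packages you meant to protect with priority=1.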

Refreshing ARP table entries

Taking an IP address down on one host:

/sbin/ifconfig eth0:1 down

Taking the IP address up on another host:

/sbin/ifconfig eth0:1 111.222.111.222 netmask 255.255.225.0 up

Use arping to update the ARP tables:

/sbin/arping -S 111.222.111.222 -B

So the switch should cache the new ARP entry, invalidating the existing one.
The arping utility appears to be part of the iputils package, which should already be installed, but if not:

yum install iputils

Centos Timezone

To set a timezone on CentOS some admins recommend a link such as

ln -s /usr/share/zoneinfo/Europe/London /etc/localtime

However, some processes write to the localtime file and it can become corrupted, so (counter-intuitively) it is better to copy the file into /etc. If the incorrect timezone persists, try removing /etc/localtime; the system should then revert to UTC (GMT). There also appears to be a process synchronising the UK timezone files, so if the London file gets corrupted so will the Belfast one. To repair, copy a file from another system, but use London: copying and using Belfast will get overwritten again by the corrupted London file.
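The two failure modes described above (a symlink that gets written through, and a copy that no longer matches its zoneinfo source) are easy to check for. The functions below are an added example (not from the notes) that classify /etc/localtime against the zone file it should match and replace it with a fresh copy, as the notes recommend. Paths are parameters so the same functions run against a scratch directory; the function names are assumptions.

```bash
#!/bin/bash
# Added example: detect a symlinked or corrupted localtime file and repair it
# by copying the zoneinfo file, the approach the notes recommend.
set -eu

# Print "symlink", "missing", "corrupt" or "ok" for a localtime file compared
# with its zoneinfo source; returns 0 only for "ok".
localtime_status() {  # $1 = localtime path, $2 = zoneinfo file
    if [ -L "$1" ]; then
        echo symlink; return 1        # the form the notes advise against
    elif [ ! -e "$1" ]; then
        echo missing; return 1        # system is effectively on UTC
    elif cmp -s "$1" "$2"; then
        echo ok; return 0
    else
        echo corrupt; return 1        # written to by some process, or wrong zone
    fi
}

# Replace localtime with a fresh copy (not a link) of the zoneinfo file.
repair_localtime() {  # $1 = localtime path, $2 = zoneinfo file
    rm -f "$1"
    cp "$2" "$1"
    chmod 0644 "$1"
}

# Usage on a real system (needs root):
#   localtime_status /etc/localtime /usr/share/zoneinfo/Europe/London \
#       || repair_localtime /etc/localtime /usr/share/zoneinfo/Europe/London
```

If the status is corrupt and the zoneinfo file itself is suspect (the London/Belfast case above), compare /usr/share/zoneinfo/Europe/London with the copy from a known-good system using cmp before trusting it as the source.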

certwatch

Certwatch checks for Apache certificates which are due to expire. By default on Red Hat / Centos there is a cron job in /etc/cron.daily which runs and sends its output to root. To configure it:

vi /etc/sysconfig/httpd

Add a line such as:

CERTWATCH_OPTS="--period 30 --address my.user@domain.tld"

It is also possible to switch it off with:

NOCERTWATCH=yes

Tar Backup/Restore Grub Boot Issues

We have two machines with identical hardware. The second machine is a backup to the first machine to be used if any issues arise with the primary machine/service.
So we created a tar backup of the primary machine using:

#!/bin/bash
/bin/nice /bin/tar czpf /www/archive/backup/system/system_full.tar.gz \
--same-owner \
--exclude=/proc/* --exclude=/media/* \
--exclude=/dev/* --exclude=/mnt/* --exclude=/sys/* --exclude=/tmp/* \
--exclude=/home/* --exclude=/var/backups/* --exclude=/var/lib/mysql/* \
--exclude=/var/www/* --exclude=/www/* / \
2>/var/log/system_backup_error.log

We could also consider excluding the /boot directory so as not to run into boot problems on the second machine.
When we extracted this tar file onto the second machine and rebooted we encountered two issues which would need to be resolved before the secondary backup machine could be used for the primary service:
1. GRUB did not boot, with the error message shown below
2. The network interfaces would not come up as the MAC addresses were obviously different

GRUB PROBLEM
The error message we received when booting was:

filesystem type unknown partition type 0x8e

Type 0x8e represents an LVM partition, but GRUB needs the 0x83 (Linux ext2) partition that holds /boot.
Examining the /boot/grub/menu.lst config file we can see that Grub was trying to boot the following:

title CentOS (2.6.18-128.2.1.el5)
        root (hd0,1)
        kernel /vmlinuz-2.6.18-128.2.1.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.18-128.2.1.el5.img

The problem was the “root (hd0,1)” line which should be “root (hd0,0)” on the secondary machine. On the first primary machine /dev/sda2 was mounted to /boot but on the secondary machine /dev/sda1 was mounted to /boot. So I am putting this issue down to slightly different partitioning during initial setup (even though we tried to get them completely mirrored I think there was some Sun FAT partitions left on the primary machine as /dev/sda1).

To resolve the issue temporarily from within Grub:

  • Go to the command line by typing ‘c’
  • Set the root device:
    root (hd0,0)
  • Boot
    boot

It is also possible to set the kernel and ramdisk as explained in this post:

  • Set the kernel
    kernel /vmlinuz[tab to find available kernels]
  • Set the ram disk
    initrd /initrd[tab to find available ram disks]
  • Boot
    boot

To resolve the boot issue permanently: 
After booting edit the menu.lst file:

vi /boot/grub/menu.lst

Replace root (hd0,1) with root (hd0,0)
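The mismatch above comes from GRUB legacy numbering: (hd0,1) is the second partition of the first disk, so /dev/sda2 on the primary became the wrong entry once /boot sat on /dev/sda1 on the secondary. The script below is an added example (not from the notes) that derives the expected root device from the partition mounted on /boot, compares it with every root line in menu.lst, and rewrites them, so the restore can be checked before the reboot that produced the 0x8e error. It assumes /dev/sdXN style device names (the page's case) and a GRUB legacy menu.lst; function names are assumptions, and the menu.lst in the test is the stanza from the notes.

```bash
#!/bin/bash
# Added example: check and fix the root (hdX,Y) lines in a restored menu.lst
# against the partition that actually holds /boot on this machine.
set -eu

# Map a Linux partition device to GRUB legacy notation: /dev/sdb3 -> (hd1,2).
grub_device() {  # $1 = /dev/sdXN
    local disk num
    disk=$(printf '%s' "$1" | sed -E 's|^/dev/sd([a-z])[0-9]+$|\1|')
    num=$(printf '%s' "$1" | sed -E 's|^/dev/sd[a-z]([0-9]+)$|\1|')
    [ "$disk" != "$1" ] && [ "$num" != "$1" ] || { echo "unsupported device $1" >&2; return 1; }
    # disk letters start at a (hd0); GRUB legacy counts partitions from 0, Linux from 1
    printf '(hd%d,%d)\n' "$(( $(printf '%d' "'$disk") - 97 ))" "$(( num - 1 ))"
}

# Print the distinct root devices referenced by menu.lst stanzas.
menulst_roots() {  # $1 = menu.lst
    sed -n -E 's/^[[:space:]]*root[[:space:]]+(\(hd[0-9]+,[0-9]+\)).*/\1/p' "$1" | sort -u
}

# Returns 0 if every root line in menu.lst points at the /boot partition $2.
check_menulst() {  # $1 = menu.lst, $2 = device mounted on /boot
    local want got bad=0
    want=$(grub_device "$2")
    for got in $(menulst_roots "$1"); do
        if [ "$got" != "$want" ]; then
            echo "menu.lst uses root $got but /boot is on $2 = $want" >&2
            bad=1
        fi
    done
    return $bad
}

# Rewrite every root line to the device that holds /boot (keeps a .bak copy).
fix_menulst() {  # $1 = menu.lst, $2 = device mounted on /boot
    local want; want=$(grub_device "$2")
    sed -i.bak -E "s/^([[:space:]]*root[[:space:]]+)\(hd[0-9]+,[0-9]+\)/\1${want}/" "$1"
}

# Usage on the restored machine, after mounting its /boot:
#   dev=$(df -P /boot | awk 'NR == 2 { print $1 }')
#   check_menulst /boot/grub/menu.lst "$dev" || fix_menulst /boot/grub/menu.lst "$dev"
```

This only covers the root line; the kernel and initrd paths in the stanza are relative to that partition and stay valid as long as the restore copied /boot intact, which is the other reason the notes consider excluding /boot from the tar in the first place.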

NETWORK INTERFACES
When the secondary machine booted, the interface configuration files in /etc/sysconfig/network-scripts contained the MAC addresses of the primary machine, which obviously did not exist on the secondary machine. Red Hat/CentOS thankfully backed up the existing config files with a .bak extension and created new ones with the correct MAC addresses. So to keep the secondary machine as a potential backup to the primary machine I will create two sets of network config files with the relevant IP addresses and MAC addresses.