Building - and maintaining home server greenblatt

Again, a new home server is being built, just like the previous home server gosper. This page tries to log the choices made and the special things done in order to make certain things work.

The server name is greenblatt. This is in line with the machine names theme at home. The name greenblatt was used before, but I decided to 'recycle' it since the previous greenblatt hardware was long gone. I decided to use a different name from gosper to avoid confusion during the installation (rebooting the wrong system). Services running on the server use cnames anyway (wwwproxy, www, imaps), so I should be able to deal with the new home server having a different name eventually. I'll have to update a number of my fvwmrc files to log in to the right server.

Functions

Lots of stuff. Fax is gone: I have received 20 faxes on the previous setup in 9 years, and I have sent 4. I think I don't really need a fax.

The main new function I'm considering is 'home telephone server'.

Linux distribution

Linux is a given; the distribution to choose is the question. After installing some things at work with Ubuntu I like this distribution: the packaging system from Debian with less of the free software activism. Because the hardware is quite new I'm going to give the 64-bit edition a try, and I'd also like to use the full 4G of memory. So: Ubuntu 8.04.1 Server LTS AMD64.

Hardware

New hardware: Existing hardware:

UPS

The system is connected to an APC Back-UPS CS 350 with a USB cable. At first apcupsd did not want to start, but browsing the 'Known USB issues with apcupsd' page showed that I needed to create /etc/udev/rules.d/50-apcupds.rules with:

KERNEL="hiddev*", NAME="usb/hiddev%n"
And now apcupsd works:
koos@greenblatt:~$ apcaccess
APC      : 001,043,1036
DATE     : Mon Jan 05 21:50:03 CET 2009
HOSTNAME : greenblatt
RELEASE  : 3.14.2
VERSION  : 3.14.2 (15 September 2007) debian
UPSNAME  : greenblatt
CABLE    : USB Cable
MODEL    : Back-UPS CS 350 
UPSMODE  : Stand Alone
It even logs the real incoming voltage, which the previous version of the software ignored. I use the built-in surge filter to guard the server against lightning on the ISDN line.

Power management

The mainboard and power supply were chosen to save some power, because this is the 'home server' and therefore switched on 24 hours per day. Successful choice: the UPS power usage has gone from 65-73 percent load to 42-45 percent.

The mainboard power is regulated using powernowd. All hard disks are set up to spin down when not in use, using hdparm -S 59 /dev/sda. The value 59 (hdparm counts this in units of 5 seconds, so 4 minutes and 55 seconds) is chosen because the hard disk temperature stats are collected every 5 minutes. One disk, a Western Digital WD3200AA, does not spin down on the timer at all. This was fixed by also setting the advanced power management level to 127 (the highest level that still permits spin-down), using hdparm -B 127 /dev/sda.

Fixing wake-on-lan

The network interface in the system is an Attansic Technology Corp. L1 Gigabit Ethernet Adapter. Wake-on-lan wasn't working for me until I asked google nicely and found Ubuntuforums: Wake on LAN works on WinXP, but not Gutsy. The driver from ftp://ftp.hogchain.net/pub/linux/attansic/kernel_driver/ does work and makes wake-on-lan wake the card.

Network routing

The plan is to again let the home adsl arrive on one (vlan tagged) port and connect the home wired and wireless networks to other (vlan tagged) ports, all on one physical gigabit port. The atl1.ko driver has no problem with vlan tagged packets.

IPv6

I get enough IPv6 space via a tunnel from my provider. Nowadays, with a recent kernel, I can even use stateful firewalling for IPv6 with Linux iptables (ip6tables), so all outgoing traffic and its replies are trusted and only selected incoming traffic is trusted. I use radvd to enable IPv6 autoconfiguration on the internal lans.

IPv4

I only get one IPv4 address, so network address translation has to happen for the internal machines. I use stateful firewalling (Linux iptables), which also gets me megabytes of logfiles of stupid attempts. Some protocols are firewalled outgoing because they should never go out, and seeing them leave would be a sign of something terribly wrong on the inside network.

DHCPd

Simply a migration of the configuration from the old server; no surprises here. Most systems get a fixed IPv4 address via DHCP (so they can still roam to other networks) and there are address pools on both the wired and the wireless vlan.

Arpwatch

After giving out the IPs, the next step is to check the usage. Arpwatch does this, noticing when an IP is used and noticing changes in the ethernet addresses used for it.
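To show what arpwatch actually keeps track of, here is a small added example (not code from the page or from arpwatch itself) that maintains the same kind of IP-to-MAC table and raises the same report types arpwatch uses: "new station", "changed ethernet address" and "flip flop". The observations are constructed; the interface name eth0.2 and the addresses are made up. A flip flop, where an IP keeps switching between two ethernet addresses, is the pattern worth alerting on: it is what a duplicate address or an ARP spoofing attempt on the lan looks like.

```python
"""Minimal arpwatch-style detector: which IP is used by which ethernet address.

Added example, not part of the original page or of arpwatch itself. The
event names follow arpwatch's report subjects; observations are constructed.
"""
from collections import namedtuple

# One ARP reply as a sniffer on the vlan interface would see it.
Observation = namedtuple("Observation", "timestamp ip mac iface")

# Constructed sample: a host changes MAC and then changes back, and a
# station nobody saw before shows up.
SAMPLE = [
    Observation("09:00:01", "192.168.1.10", "00:11:22:33:44:55", "eth0.2"),
    Observation("09:00:05", "192.168.1.11", "00:11:22:33:44:66", "eth0.2"),
    Observation("09:05:00", "192.168.1.10", "00:11:22:33:44:55", "eth0.2"),
    Observation("09:10:12", "192.168.1.10", "00:aa:bb:cc:dd:ee", "eth0.2"),
    Observation("09:11:00", "192.168.1.10", "00:11:22:33:44:55", "eth0.2"),
    Observation("09:12:00", "192.168.1.12", "00:11:22:33:44:77", "eth0.2"),
]


class ArpWatcher:
    """Keeps the IP -> MAC table that arpwatch stores in its arp.dat."""

    def __init__(self):
        self.table = {}     # ip -> current mac
        self.previous = {}  # ip -> the mac seen before the last change

    def observe(self, obs):
        """Feed one observation; return an event tuple, or None if nothing changed."""
        current = self.table.get(obs.ip)
        if current is None:
            self.table[obs.ip] = obs.mac
            return ("new station", obs.ip, obs.mac, None)
        if current == obs.mac:
            return None
        # The IP is now answered by another ethernet address. If that address
        # is the one we saw before the previous change, two hosts are fighting
        # over the IP: a duplicate address or an ARP spoofing attempt.
        kind = "flip flop" if self.previous.get(obs.ip) == obs.mac else "changed ethernet address"
        self.previous[obs.ip] = current
        self.table[obs.ip] = obs.mac
        return (kind, obs.ip, obs.mac, current)


def run(observations):
    """Return the list of events a batch of observations produces."""
    watcher = ArpWatcher()
    return [ev for ev in map(watcher.observe, observations) if ev is not None]


if __name__ == "__main__":
    for kind, ip, mac, old in run(SAMPLE):
        print(f"{kind:>24}: {ip} {mac}" + (f" (was {old})" if old else ""))
```

Run on the sample, this reports two new stations, then a changed ethernet address for 192.168.1.10, then a flip flop when the original address answers again, and finally the new station 192.168.1.12. The real arpwatch adds the timestamps and mails these reports; the table logic is the same.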

Mail server: Sendmail

I prefer sendmail as MTA. On Ubuntu, sendmail seems to work better out of the box than in my previous Debian experiences. One thing I noticed was that sendmail was quite insistent on naming itself greenblatt.koos.koffie.dot. This comes from the file /etc/mail/m4/dialup.m4, so the solution was to edit /etc/mail/sendmail.mc to comment out this include, like:
dnl # Dialup/LAN connection overrides
dnl #
dnl # include(`/etc/mail/m4/dialup.m4')dnl
After that, the config I actually want:
dnl # General defines
define(`confDOMAIN_NAME',`kzdoos.xs4all.nl')
MASQUERADE_AS(`kzdoos.xs4all.nl')
FEATURE(`limited_masquerade')
FEATURE(local_procmail)
makes it into the generated sendmail.cf. Lots of other names also point at this instance, all enumerated in /etc/mail/local-host-names.

Delivery agent is procmail with the default rule to save mail in $HOME/Newmail/ maildir style.

Mail virus scanning

Using clamav and clamav-milter, incoming mail gets scanned for viruses. I disabled notifications to postmaster and especially to the receiver by modifying /etc/default/clamav-milter to start with:
OPTIONS="--max-children=2 -ol -q"
I am a bit leery because of the combination of uucp (yes, old style!) and this: I could cause bounces with the virus attached, which can cause complaints (virus sender!), which can cause one of the infamous mails from abuse@xs4all.nl telling you your system is disconnected and maybe you should scan your windows systems (the lies! the slander!) for viruses. At least with nobodyreturn as part of my confPRIVACY_FLAGS the chances of bouncing body parts (hehe) should be small.

I want clamav from hardy-backports to get fewer warnings about it being outdated, but I'd rather not have other -backports packages on my system (for stability). This is possible with the apt pinning mechanism. I have /etc/apt/preferences with:

Package: *
Pin: release a=hardy-backports
Pin-Priority: 400

Package: clamav
Pin: release a=hardy-backports
Pin-Priority: 990

Package: clamav-base
Pin: release a=hardy-backports
Pin-Priority: 990

Package: clamav-daemon
Pin: release a=hardy-backports
Pin-Priority: 990

Package: clamav-freshclam
Pin: release a=hardy-backports
Pin-Priority: 990

Package: clamav-milter
Pin: release a=hardy-backports
Pin-Priority: 990
The shortcut Package: clamav* did not work.

Courier imaps

Courier imaps is set up with a copy of the certificates, so it knows it is named koos.idefix.net and uses a certificate signed by the idefix.net CA, which I added to all mutt and thunderbird setups that use this server. Config file /etc/courier/imapd-ssl has been set up with:
# MAILDIRPATH - directory name of the maildir directory.
#
MAILDIRPATH=Newmail

Mail notification at login

Interactive sessions like to know about their mail and have a valid $MAIL variable. This is done using pam_mail.so in /etc/pam.d/login and /etc/pam.d/ssh. Both now have:
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user 
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so dir=~/Newmail/
On login I now see:

You have new mail in folder /home/koos/Newmail/.

Web server: Apache

I use the apache2 package from Ubuntu together with libapache2-mod-php5. Configuration of the virtualhosts is all in /etc/apache2/sites-available, enabling (all) of them in /etc/apache2/sites-enabled. Sites include: And some internal only / private stuff.

Xinetd

Now trying xinetd for a change. Lots of configurable options. I enabled finger (for internal use).

Webproxy

I am using squid version 3.1.0.2 to have IPv6 support. I use the xs4all parent proxies, but I make sure I don't use them for IPv6 destinations. Relevant part of squid.conf:
acl ipv6space dst 2000::/3

cache_peer_access proxzilla1.xs4all.nl deny ipv6space
cache_peer_access proxzilla2.xs4all.nl deny ipv6space
cache_peer_access proxzilla3.xs4all.nl deny ipv6space
cache_peer_access proxzilla4.xs4all.nl deny ipv6space

DNS server

Using bind 9. I used the SIDN nameserver check and zonecheck to verify the zones. I found some things that worked but 'could be done better', so I fixed them. The zonecheck tool has some checks I don't agree with, and the nice thing is that it is possible to disable these tests in a modified profile.

I also automated SOA serial number generation. It has bitten me once or twice that I forgot to update a serial number, and both zonecheck tools prefer the YYYYMMDDnn format, so I now use a simple SOA update script I found at work and a Makefile around it. Just edit the zone files and a 'make reload' will first update the serials on the updated zonefiles and issue the reload afterwards.
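The serial update script from the page is not reproduced here, so as an added example (my code, not the author's script or Makefile) here is a minimal version of what such a script has to get right. It assumes the serial sits on its own line followed by a '; serial' comment, as in the constructed sample zone (example.net, not one of the real zones). The important detail is that secondaries only transfer a zone when the serial grows, so the new serial must always be larger than the old one, even if the old one is from the future or never followed the date convention.

```python
"""Bump the SOA serial of a BIND zone file in the YYYYMMDDnn style.

Added example, not the script from the page. It assumes the serial sits
on its own line followed by a '; serial' comment.
"""
import re
import sys
from datetime import date

# The serial line: optional indent, digits, then a "; serial" comment.
SERIAL_RE = re.compile(
    r"^(?P<pre>[ \t]*)(?P<serial>\d+)(?P<post>[ \t]*;[ \t]*[Ss]erial.*)$", re.M)

# Constructed sample zone (not one of the page's real zones).
SAMPLE_ZONE = """\
$TTL 86400
@   IN  SOA ns.example.net. hostmaster.example.net. (
            2009010501  ; serial
            3600        ; refresh
            900         ; retry
            604800      ; expire
            86400 )     ; minimum
    IN  NS  ns.example.net.
www IN  A   192.0.2.10
"""


def next_serial(current, today):
    """Return the next serial in YYYYMMDDnn form.

    Secondaries only transfer a zone when the serial grows (serial number
    arithmetic, RFC 1982), so the result must always exceed 'current'.
    A serial from an earlier day, or one that never followed the convention
    (like 1), restarts at today's date with counter 01. A serial already at
    or past today's prefix is simply incremented: after 2009010599 that gives
    2009010600, which borrows tomorrow's first slot but keeps the zone
    transferable instead of going backwards.
    """
    base = int(today.strftime("%Y%m%d")) * 100
    if current < base:
        return base + 1
    return current + 1


def bump_serial(zone_text, today):
    """Rewrite the serial in zone text; returns (new_text, new_serial)."""
    m = SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no '; serial' line found in zone")
    new = next_serial(int(m.group("serial")), today)
    replaced = f"{m.group('pre')}{new}{m.group('post')}"
    return zone_text[:m.start()] + replaced + zone_text[m.end():], new


def bump_file(path, today=None):
    """In-place update of one zone file, as the Makefile rule would run it."""
    today = today or date.today()
    with open(path) as fh:
        text, new = bump_serial(fh.read(), today)
    with open(path, "w") as fh:
        fh.write(text)
    return new


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for zone in sys.argv[1:]:
            print(f"{zone}: serial now {bump_file(zone)}")
    else:
        text, new = bump_serial(SAMPLE_ZONE, date(2009, 1, 5))
        print(text, end="")
        print(f"; new serial: {new}")
```

In a Makefile, the rule for a zone would call this on the zone file and then touch a stamp file, so only zones newer than their stamp get bumped before the rndc reload. Run without arguments it shows the sample zone going from 2009010501 to 2009010502.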

News

I use inn2 as newsserver, mainly because I know and like inn2, and I exchange a number of newsfeeds over IPv4 and IPv6 with other peers.

Little bug: /var/log/news/news.* isn't writable by syslogd. That makes for quite boring daily usenet report mails. I want to know every detail about the news flow!

Ubuntu bug 314107: /var/log/news/news.* not writable by syslogd

Timekeeping

With all the power saving, this seems to be the lousiest timekeeper ever:
Jan  5 09:31:44 greenblatt ntpd[32318]: time reset +2.278768 s
Jan  5 09:36:01 greenblatt ntpd[32318]: synchronized to 193.67.79.202, stratum 1
Jan  5 09:36:04 greenblatt ntpd[32318]: synchronized to 131.211.84.189, stratum 2
Jan  5 09:46:47 greenblatt ntpd[32318]: time reset +2.236329 s
Jan  5 09:52:58 greenblatt ntpd[32318]: synchronized to 80.127.4.179, stratum 1
Jan  5 09:53:19 greenblatt ntpd[32318]: synchronized to 193.79.237.14, stratum 1
Jan  5 09:53:42 greenblatt ntpd[32318]: synchronized to 131.211.84.189, stratum 2
Well, serious timekeeping is for the sundial project. But more people are experiencing this: [ubuntu] Asus M3A-H/HDMI System Clock drift. Setting tickadj 10025 seems to fix this. The definitive fix is a BIOS update, which I confirmed later.
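Why 10025 is the number that helps can be read from the two 'time reset' lines above. As an added example (my code, not from the page), the script below parses those lines (with the year assumed to be 2009), takes the second step divided by the time since the first step as a rough drift rate, and works out the kernel tick value that would cancel it. It assumes the nominal Linux tick of 10000 microseconds as seen by adjtimex(2) and set by tickadj, and ntpd's 500 ppm limit on how fast it will slew the clock before resorting to steps.

```python
"""Estimate clock drift from ntpd 'time reset' lines and the tick that cancels it.

Added example, not from the page. Assumes the nominal Linux kernel tick of
10000 us (adjtimex/tickadj) and ntpd's 500 ppm slew limit; the log lines
are the ones quoted on the page, year assumed 2009.
"""
import re
from datetime import datetime

NTP_LOG = """\
Jan  5 09:31:44 greenblatt ntpd[32318]: time reset +2.278768 s
Jan  5 09:36:01 greenblatt ntpd[32318]: synchronized to 193.67.79.202, stratum 1
Jan  5 09:36:04 greenblatt ntpd[32318]: synchronized to 131.211.84.189, stratum 2
Jan  5 09:46:47 greenblatt ntpd[32318]: time reset +2.236329 s
Jan  5 09:52:58 greenblatt ntpd[32318]: synchronized to 80.127.4.179, stratum 1
"""

RESET_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ ntpd\[\d+\]: "
    r"time reset (?P<step>[-+]\d+\.\d+) s$")

NTPD_MAX_SLEW_PPM = 500   # ntpd slews at most this fast; larger offsets get stepped
LINUX_TICK_US = 10000     # nominal kernel tick as seen by adjtimex(2) / tickadj


def parse_resets(log_text, year):
    """Return [(timestamp, step_seconds)] for every 'time reset' line."""
    resets = []
    for line in log_text.splitlines():
        m = RESET_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            resets.append((ts, float(m.group("step"))))
    return resets


def drift_ppm(resets):
    """Drift rate between consecutive steps, in parts per million.

    Right after a step the offset is close to zero, so the size of the next
    step is roughly the error accumulated over the interval between them.
    A positive step means the clock had fallen behind, i.e. it runs slow.
    """
    return [step / (t1 - t0).total_seconds() * 1e6
            for (t0, _), (t1, step) in zip(resets, resets[1:])]


def tick_for(ppm):
    """Kernel tick in microseconds that cancels a drift of 'ppm' (what tickadj sets)."""
    return round(LINUX_TICK_US * (1 + ppm / 1e6))


def needs_tickadj(rates):
    """True when the drift is beyond what ntpd can correct by slewing alone."""
    return any(abs(r) > NTPD_MAX_SLEW_PPM for r in rates)


if __name__ == "__main__":
    rates = drift_ppm(parse_resets(NTP_LOG, 2009))
    for r in rates:
        print(f"drift {r:+.0f} ppm -> tickadj {tick_for(r)}")
    print("beyond ntpd slew limit:", needs_tickadj(rates))
```

The two resets are 903 seconds apart and the second one is +2.24 s, so the clock loses about 2477 ppm, roughly five times more than ntpd is willing to slew, which is why it keeps stepping instead of disciplining the clock. A tick of 10000 × (1 + 0.002477) rounds to 10025, the value the forum thread arrived at; the BIOS update removes the underlying drift so the tick can go back to nominal.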

Home telephone exchange

Using Asterisk and an OpenVOX dual BRI card, the internal ISDN phones and the external ISDN phone line are connected. And we have our own voicemail, which uses IMAP as backend storage, which means we can both browse and listen to voicemail from everywhere.

History


Koos van den Hout e-mail: koos@kzdoos.xs4all.nl