Improve performance of Thunderbird 3 (IMAP).

When I did a new installation of Fedora 13 and configured Thunderbird 3.0.4 for IMAP, I found that the performance was just atrocious. It was downloading all the messages from all my folders.

The release notes for Thunderbird gave me a hint:

IMAP Folder Synchronization

Thunderbird will download IMAP messages by default in the background to allow for faster message loading and better offline operation. This feature can be enabled on an individual folder basis via Folder properties, or for all folders in an account via Account Settings / ‘Synchronize & Storage’.


I turned this “feature” off for my account. It is in “Account Settings” and then “Synchronization & Storage” for my IMAP account. From here, I unchecked “Keep messages for this account on this computer.” Also, I changed the “Disk Space” setting from “Synchronize all messages locally regardless of age” to “Synchronize the most recent 1 Weeks.” These two settings made a huge improvement to my performance. Yes, I lose offline access, but that does not matter to this desktop computer.

How to verify via command line.

The following is a good way to verify whether your squid configuration with NTLM authentication is properly set up to utilize Windows Active Directory group memberships:

# echo “username windowsgroup” | /usr/lib/squid/ -d
Debugging mode ON.
Got username windowsgroup from squid
User: –username
Group: –windowsgroup
SID: -S-1-5-21-915438365-207112795-1232828436-3341-
GID: -16777237-
Sending OK to squid

Howto Join An Active Directory Server using RHEL5.x/CentOS5.x and Samba 3.0.x

I used the following procedure to join a simple Windows 2003 Active Directory.

Ensure that your time is synced with the ADS machines via ntp.conf.

I used the following to sync time to my NTP server:
# cat /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery

restrict -6 ::1

fudge stratum 10

driftfile /var/lib/ntp/drift

keys /etc/ntp/keys

restrict mask nomodify notrap noquery

Ensure that your name resolution is configured properly. If needed, modify via /etc/sysconfig/network with the fully qualified name. Also, the /etc/resolv.conf should use the same DNS servers that handle the dynamic updates for the ADS domain.

For example:
# hostname

# cat /etc/resolv.conf
search domain.local

Configure kerberos:

For example:
# cat /etc/krb5.conf
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

kdc = pdc.domain.local:88
admin_server = pdc.domain.local:749
default_domain = domain.local

.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

Test kerberos:
kinit -V administrator@DOMAIN.LOCAL

You should get the following kind of output:
Authenticated to Kerberos v5

Configure samba:
# cat /etc/samba/smb.conf
workgroup = DOMAIN
preferred master = no
server string = Linux Test Machine
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 600-200000
idmap gid = 600-200000
;template primary group = “Domain Users”
template shell = /bin/bash

comment = Home Direcotries
valid users = %S
read only = No
browseable = No

comment = All Printers
path = /var/spool/cups
browseable = no
printable = yes
guest ok = yes

Use the testparm command to verify your samba configuration:
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section “[homes]”
Processing section “[printers]”
Loaded services file OK.
‘winbind separator = +’ might cause problems with group membership.
Press enter to see a dump of your service definitions

Join the domain:
net ads join -U administrator

You will be prompted for the administrator password. If successful a message will be displayed stating as such.
For example:
Using short domain name – DOMAIN

Joined ‘RHEL5’ to realm ‘domain’

From here you can execute several commands to test:

# net ads testjoin DOMAIN
Join is OK

Start up the samba related services:

# service smb start
# service winbind start

The following will list both local user IDs and ADS user IDs:
# wbinfo -u

The will list ADS group names:
# wbinfo -g

The following will verify ADS authentication (In this example, “password” is the administrator account password.):
# wbinfo -a administrator%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

Modify nsswitch.conf to support ADS authentication:
# cat /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus

This is very important. Make sure you are logged into a couple virtual terminals as root in case there is a problem. You can end up locking yourself out.

Make a backup copy of /etc/pam.d/system-auth-ac:
# cd /etc/pam.d
# cp -rp system-auth-ac system-auth-ac.orig

Edit the system-auth-ac file:
# cat /etc/pam.d/system-auth-ac
auth required
auth sufficient likeauth nullok
auth sufficient use_first_pass
auth required

account required
account sufficient uid < 100 quiet account sufficient use_first_pass account required password requisite retry=3 type= password sufficient nullok use_authtok md5 shadow password sufficient use_first_pass password required session required session required session required use_first

Nagios installation procedures used on CentOS5.

Ensure that you have the following installed:
httpd, gcc, glibc, glibc-common, gd, gd-devel

Create accounts and groups.
useradd -m nagios
passwd nagios
groupadd nagcmd
usermod -a -G nagcmd nagios
usermod -a -G nagcmd apache

Build nagios from the source.
cd /usr/local/src
Download nagios and nagios-plugins from to /usr/local/src.
tar -zxvf nagios-3.0.5.tar.gz
cd nagios-3.0.5
./configure –with-command-group=nagcmd
make all 2>&1 | tee MAKEALL.log
make install 2>&1 | tee MAKEINSTALL.log
make install-init 2>&1 | tee MAKEINSTALLINIT.log
make install-config 2>&1 | tee MAKEINSTALLCONFIG.log
make install-commandmode 2>&1 | tee MAKEINSTALLCOMMANDMODE.log
cd /usr/local/nagios/etc/objects/
cp -rp contacts.cfg contacts.cfg.orig
vi contacts.cfg
htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
cd /usr/local/src/nagios-3.0.5
make install-webconf 2>&1 | tee MAKEINSTALLWEBCONF.log
service httpd restart
cd ..
tar -zxvf nagios-plugins-1.4.13.tar.gz
cd nagios-plugins-1.4.13
./configure –with-nagios-user=nagios –with-nagios-group=nagios
make 2>&1 | tee MAKE.log
make install 2>&1 | tee MAKEINSTALL.log
chkconfig –add nagios
chkconfig nagios on

This is a great way to debug errors in your configuration files:
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

service nagios start

I created configuration files based the template.cfg provided in the distribution in the objects directory.
cd /usr/local/nagios/etc/objects/

You have to make changes to your nagios.cfg file based on any new configuration files you created above.
vi ../nagios.cfg

Check your configuration:
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

You have restart nagios whenever you make a change to the configuration files.
service nagios restart

Installed NSClient on a Windows 2003 server to monitor it in nagios.
Edit nsc.ini. The file is pretty well documented.

The following is how I installed nrpe on a linux system to allow nagios to monitor it.
Install nrpe to allow nagios access to system status
cd /usr/local/src
useradd nagios
passwd nagios
tar zxvf nagios-plugins-1.4.13.tar.gz
cd nagios-plugins-1.4.13
./configure 2>&1 | tee CONFIGURE.log
make 2>&1 | tee MAKE.log
make install 2>&1 | tee MAKEINSTALL.log
chown nagios.nagios /usr/local/nagios
chown -R nagios.nagios /usr/local/nagios/libexec/
cd ..
tar zxvf nrpe-2.12.tar.gz
cd nrpe-2.12
./configure 2>&1 | tee CONFIGURE.log
make all 2>&1 | tee MAKEALL.log
make install-plugin 2>&1 | tee MAKEPLUGIN.log
make install-daemon 2>&1 | tee MAKEDAEMON.log
make install-daemon-config 2>&1 | tee MAKEDAEMONCONFIG.log
make install-xinetd 2>&1 | tee MAKEXINETD.log
vi /etc/xinetd.d/nrpe

only_from =

vi /etc/services

nrpe 5666/tcp # NRPE

yum install xinetd
service xinetd start
netstat -at | grep nrpe

Verify nrpe is working:
/usr/local/nagios/libexec/check_nrpe -H localhost
/usr/local/nagios/libexec/check_nrpe -H localhost -c check_users
/usr/local/nagios/libexec/check_nrpe -H localhost -c check_load

Add customized commands to support the machine
vi /usr/local/nagios/etc/nrpe.cfg

# Customized for this machine
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
command[check_hda1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hda1
command[check_hda2]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hda2
command[check_hdd1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hdd1
command[check_hdd2]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hdd2
command[check_hdd5]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hdd5
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 150 -c 200
command[check_mailq_timeout]=/usr/local/nagios/libexec/check_mailq -M postfix -w 5 -c 15
command[check_mailq]=/usr/local/nagios/libexec/check_mailq -w 10 -c 20
command[check_procs_named]=/usr/local/nagios/libexec/check_procs -C named -t 3 -w 1:1

How to NAT a Linux virtual interface.

I was able to use the following iptables configuration to NAT from a linux virtual interface (eth1:1) to an email/web server on my LAN (192.168.0.x). virt_ip_addr is the IP address I assigned to eth1:1, and is the IP address of the server on my LAN. This works with both INPUT and FORWARD chains set to DROP.

This may not be the best solution, but it took quite a while to figure out how get something in place that works.

# nat PREROUTING Chain Rules

-A PREROUTING -d virt_ip_addr -p tcp –dport 25 -j DNAT –to
-A PREROUTING -d virt_ip_addr -p tcp –dport 80 -j DNAT –to

# nat POSTROUTING Chain Rules

-A POSTROUTING -o eth1 -j SNAT –to-source virt_ip_addr

# filter FORWARD Chain Rules

-A FORWARD -p tcp -i eth0 -o eth1 -s -m multiport –sports 25 -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 -d -m multiport –dports 25 -m state –state NEW -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 -d -m multiport –dports 25 -j ACCEPT

-A FORWARD -p tcp -i eth0 -o eth1 -s -m multiport –sports 80 -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 -d -m multiport –dports 80 -m state –state NEW -j ACCEPT
-A FORWARD -p tcp -i eth1 -o eth0 -d -m multiport –dports 80 -j ACCEPT

VMWare Fusion boot delay.

From the Virtual Machine Library, select the machine and hold down the control key. Right mouse click and select “Show in Finder.” Right mouse click the .vmwarevm file, and select “Show Package Contents.” From here, use TextEdit to add the following line to the .vmx file listed in the directory:

bios.bootDelay = “3000”

How to find a tab character in vi.

To display all the special characters or escape sequences:

: set list

To find the tab character (^I). Hold down control and hit vi.:


Now supporting mobile devices.

I installed the WordPress Mobile Edition plugin, so now the site can be easily read from a mobile device. It gets me to the information pretty quickly. It even supports search. Works fine from my phone, although I like the WordPress mobile application better to create new posts.

Test imap via telnet.

Here is how you can do a basic test of an IMAP server via telnet:

telnet IMAP Server Name 143
? LOGIN username password
? LIST “” “*”

This will log you in and list the accounts mail folders. Note: This is testing a basic unencrypted login to an IMAP server. Not the way you would want to implement in production, unless implement via localhost.

Apache – Redirect from http to https.

I used the following rewrite rules to redirect squirrelmail from http to https automatically. I added this to the end of the /etc/httpd/conf.d/squirrelmail.conf in RHEL5.x.

vi /etc/httpd/conf.d/squirrelmail.conf

RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]

Return top