Oct 02 2016

Microsoft Exchange Multiple Mail Relays

Published under Exchange

This works for Exchange 2003, 2007, 2010 and 2013. I haven't tested it on 2016, but it should work. Please let me know if you do.
 
You have an Exchange server (or cluster) that sends mail to the outside through a mail relay (also called a smarthost), usually in the DMZ. You now want to duplicate the infrastructure on a second site, siteB, in case something goes wrong on site A. That means one relay per site, each with its own Internet connection.
 
Routing incoming mail is only a matter of creating a DNS MX record for each mail relay and having each relay forward mail to the Exchange servers. External mail servers automatically fall back to the second relay if the first goes down.
 
Routing outgoing mail is a bit more complicated.
If you add a second mail relay as a smart host on the Exchange send connector, Exchange load-balances mail over the two relays whether they are up or not, and does not fail over. But there is a way.
 
Create DNS entries for the relays, each in its own subdomain:
SiteA: RelayA.siteA.mydomain.com
SiteB: RelayB.siteB.mydomain.com
These can be aliases pointing to the real hostnames.
 
Create 2 MX records for the siteA subdomain, giving the local relay the lowest preference number (highest priority):

siteA.mydomain.com.	3600	IN	MX	5  relayA.siteA.mydomain.com.
siteA.mydomain.com.	3600	IN	MX	10 relayB.siteB.mydomain.com.

Do the same for the siteB subdomain if there is also an Exchange server on that site.
 
All you then need to do is create a send connector whose smart host is siteA.mydomain.com. Before resolving that name as a plain host record, Exchange first attempts an MX lookup on it, even though this is not clearly stated in the Exchange EAC.
 

 
With this flexible solution, you have loads of possible setups. You could:
– Send traffic to the local relay and fail over to the remote site
– Load balance the traffic over the 2 sites and fail over if one goes down (same MX preference for both relays)
– Load balance the traffic over 2 local mail relays and fail over to a single remote relay (two MX records with the same low preference number for the local relays and a higher number for the remote one)
And so on.
Failover is fully automatic when a relay becomes unreachable, and relay hosts are added or removed through DNS alone. Simple, really.
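The MX-driven relay selection described above, as an added example that is not part of the original post: a POSIX shell script that takes MX records in the "preference host" format that `dig +short MX` prints, orders them by preference, treats equal preferences as one load-balanced group, and walks down the list until a relay answers. The MX data and the `DOWN_HOSTS` list are constructed for the demo; `probe_relay` is a stand-in for a real SMTP connectivity check.

```shell
#!/bin/sh
# Added example: how a smart host given as a domain name turns into an attempt
# order from its MX records (lowest preference first, equal preferences grouped),
# and how the next relay takes over when one is unreachable.

# Constructed MX data mirroring the records in the post (siteA, one relay per site).
MX_SITEA='5 relayA.siteA.mydomain.com.
10 relayB.siteB.mydomain.com.'

# Constructed variant: two local relays sharing the best preference, one remote fallback.
MX_SITEA_LB='5 relayA1.siteA.mydomain.com.
5 relayA2.siteA.mydomain.com.
10 relayB.siteB.mydomain.com.'

# Space-separated hosts the simulated probe treats as unreachable (constructed).
DOWN_HOSTS=''

# Simulated reachability probe. For a live check, replace the body with a real
# SMTP connect test such as: nc -z -w 3 "$1" 25
probe_relay() {
    case " $DOWN_HOSTS " in
        *" $1 "*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Read "preference host" lines on stdin, print them by ascending preference
# with the trailing dot stripped. Equal preferences stay adjacent.
mx_order() {
    sort -n -k1,1 | awk '{ sub(/\.$/, "", $2); print $1, $2 }'
}

# Print the first reachable relay in MX order; return 1 if none answers.
pick_relay() {
    for host in $(printf '%s\n' "$1" | mx_order | awk '{ print $2 }'); do
        if probe_relay "$host"; then
            printf '%s\n' "$host"
            return 0
        fi
    done
    return 1
}

# Print the relays sharing the best (lowest) preference: the set that gets
# load-balanced when the smart host resolves to several equal MX records.
best_group() {
    printf '%s\n' "$1" | mx_order | awk 'NR == 1 { best = $1 } $1 == best { print $2 }'
}

# Demo output when run directly.
echo "siteA, all relays up:     $(pick_relay "$MX_SITEA")"
DOWN_HOSTS='relayA.siteA.mydomain.com'
echo "siteA, local relay down:  $(pick_relay "$MX_SITEA" || echo '<none reachable>')"
DOWN_HOSTS=''
echo "siteA LB, balanced group: $(best_group "$MX_SITEA_LB" | tr '\n' ' ')"
```

To check a real zone, feed it the live records, for example `pick_relay "$(dig +short MX siteA.mydomain.com)"`, with `probe_relay` replaced by an actual port 25 connect test; the ordering logic is the same.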

Sep 24 2016

Reuse Exchange Certificate on Apache Web Server

Published under Security

While generating a Microsoft Exchange/IIS certificate, take the opportunity to add extra domain names so the same certificate can be reused on an Apache web server. This saves you a few bucks and some time, unless the CA already provides the certificate in formats for multiple platforms.
First off, copy the pfx file generated with Exchange to the Apache web server. The pfx file is a PKCS#12 bundle containing the certificate and its private key.
 
Extract the private key

openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes

Extract the certificate

openssl pkcs12 -in cert.pfx -nokeys -out cert.pem

Convert the key to plain RSA PEM format (this also drops the bag attributes that pkcs12 prepends)

openssl rsa -in key.pem -out cert.key

 
Move the certificate and private key to the appropriate directories (I'm on Red Hat Linux)

mv cert.pem /etc/pki/tls/certs/
mv cert.key /etc/pki/tls/private/
chmod 600 /etc/pki/tls/private/cert.key

Without the chmod, Apache fails with an error on restart.
 
If SELinux is enabled, run

restorecon -RvF /etc/pki

to restore the proper SELinux labels on the new files, or you will get the following error message:
[error] (13)Permission denied: Init: Can't open server certificate file /etc/pki/tls/certs/cert.pem
 
Declare the new certificate in the Apache virtual host configuration file:
SSLCertificateFile /etc/pki/tls/certs/cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/cert.key
 
And apply changes:

/etc/init.d/httpd reload

 
Now you have the same certificate on Exchange and on the web server.
Check with your certification authority beforehand: they may provide the certificate in multiple formats for different pieces of software, saving you the hassle of running these commands.
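The extraction steps above, gathered into one script as an added example (not from the original post). It differs from the bare commands in three ways worth having before the files reach Apache: the passphrase is read from the `PFX_PASS` environment variable instead of the command line, the output files are created with a 077 umask so the chmod step cannot be forgotten, and the key is checked against the certificate by comparing RSA moduli so a mismatched pair is caught before the reload. It assumes an RSA key, as in the post, and that `openssl` is on the path; `-clcerts` is my choice to extract only the server certificate.

```shell
#!/bin/sh
# Added example: extract key and certificate from a PKCS#12 bundle with safe
# permissions, then verify that the key belongs to the certificate.

# pfx_extract PFX OUTDIR
# Runs in a subshell so the umask change does not leak into the caller.
# The PFX passphrase is taken from $PFX_PASS, so it never appears in ps output.
pfx_extract() (
    pfx=$1; outdir=$2
    umask 077                        # files are created 0600: no chmod needed later
    mkdir -p "$outdir" || exit 1
    # private key, unencrypted (-nodes), PKCS#8 with bag attributes
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PFX_PASS \
        -out "$outdir/key.pem" || exit 1
    # server (end-entity) certificate only
    openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin env:PFX_PASS \
        -out "$outdir/cert.pem" || exit 1
    # plain RSA PEM for Apache, without the bag attribute headers
    openssl rsa -in "$outdir/key.pem" -out "$outdir/cert.key" 2>/dev/null || exit 1
    rm -f "$outdir/key.pem"          # intermediate copy no longer needed
)

# key_matches_cert KEYFILE CERTFILE
# Returns 0 when the RSA modulus of the key equals the one in the certificate.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_mode FILE: octal permission bits (GNU stat first, BSD stat as fallback)
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: PFX_PASS=... ./pfx_extract.sh cert.pfx /path/to/outdir
if [ "$#" -eq 2 ]; then
    pfx_extract "$1" "$2" || exit 1
    if key_matches_cert "$2/cert.key" "$2/cert.pem"; then
        echo "key and certificate match; cert.key mode $(key_mode "$2/cert.key")"
    else
        echo "key does NOT match certificate, refusing to install" >&2
        exit 1
    fi
fi
```

One caveat: OpenSSL 3 no longer enables the RC2-40 cipher that older Windows exports use for the certificate bag, so reading such a pfx may require adding `-legacy` to the `openssl pkcs12` commands.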


Aug 25 2016

List AS400 Profiles JOBQ

Published under AS400

I want to do a bit of cleanup because users' jobs are running in all sorts of queues. The JOBQ is defined in the JOBD (job description) assigned to each user profile. I can get the job descriptions easily with the WRKUSRPRF command, but getting all the job queues at once is trickier.
If you're familiar with PASE, it's easy to get the job done, and even to assign new JOBDs to profiles based on their current value.
 
Connect to the PASE environment, either by running 'CALL QP2TERM' or over SSH if that service is up and running.
Copy the following shell code into a file (let's call it listJobq.sh) in the IFS, in your home directory for instance, make it executable:
chmod +x listJobq.sh
and run it:
./listJobq.sh
 

#!/QOpenSys/usr/bin/ksh

IFS='
'
# Uncomment or run once and for all from a 5250 session
# Make sure the ADMIN library exists
#system "DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) OUTFILE(ADMIN/USERLIST)"

printf "%11s%11s%11s\n" "USRPRF" "JOBD" "JOBQ"

for i in $(db2 "select upuprf,upjbds from ADMIN.USERLIST" | \
      sed -e '1,3 d' -e '/^$/ d' | sed -e '$ d'); do
  unset IFS
  set -A user $i
  jobq=`system -i "DSPJOBD JOBD(${user[1]})" | awk '/^ Fi/ {print $NF;exit;}'`
  printf "%11s%11s%11s\n" "${user[0]}" "${user[1]}" "$jobq"
done

 
Here’s the output:

     USRPRF       JOBD       JOBQ
  ABERTRAND    DEFAULT     QBATCH
  GBOUBOURS    DEFAULT     QBATCH
    IBURNET         IT      QPGMR
   PBUISSON    DEFAULT     QBATCH
    PMARTIN    DEFAULT     QBATCH
        ...        ...        ...

 
The system may return a "db2: cannot execute" or "/usr/bin/db2: Permission denied" message. If so, create a symbolic link like this:
ln -s /QOpenSys/usr/bin/qsh /QOpenSys/usr/bin/db2
The reason lies in this explanation.
 
The downside is the slowness of the "system" command. The -i option speeds things up a bit, but it's still not quick enough. If you have installed the OPS (Open Source) package from IBM along with the matching PTF and bash, you can try this optimized version, which uses a bash associative array.
It stores the jobd/jobq pairs in the array as a cache, since a given JOBD always returns the same job queue. If many users share the same JOBD, it is very efficient (35 times quicker in my case).
 

#!/usr/bin/bash

IFS='
'
declare -A JOBQ

# Uncomment or run once and for all from a 5250 session
# Make sure the ADMIN library exists
#system "DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) OUTFILE(ADMIN/USERLIST)"

printf "%11s%11s%11s\n" "USRPRF" "JOBD" "JOBQ"

for i in $(db2 "select upuprf,upjbds from ADMIN.USERLIST" | \
      sed -e '1,3 d' -e '/^$/ d' | sed -e '$ d'); do
  unset IFS
  # Sets username and jobd in user[0] and user[1]
  user=($i)
  # Look the jobq up only once per jobd and cache it in the associative array
  # (quoted so an empty or missing entry cannot break the test)
  if [ -z "${JOBQ[${user[1]}]}" ]; then
    jobq=$(system -i "DSPJOBD JOBD(${user[1]})" | awk '/^ Fi/ {print $NF;exit;}')
    JOBQ[${user[1]}]=$jobq
  fi
  printf "%11s%11s%11s\n" "${user[0]}" "${user[1]}" "${JOBQ[${user[1]}]}"
done