Kinect Pricing vs Wii and Playstation Move
Kinect
– tracks up to 6 people, including 2 people for full-body motion analysis
– $150
Wii controller + Nunchuk
– tracks 2 hands
– $40+$20 = $60 ($120 for 2 people)
PlayStation Move + Navigation controller
– tracks 2 hands
– $50+$30 = $80 ($160 for 2 people)
IE9’s toolbar size versus other browsers
It seems with every new version of a web browser, the toolbar gets smaller and smaller. This makes a lot of sense since, as a user, you want as much space as possible for the websites you’re visiting.
In the latest version of Internet Explorer 9, the toolbar panel takes the most minimalist approach ever taken with IE. It actually beats Google Chrome in terms of least amount of space used:
This is partially achieved by combining the search and the address bar as Chrome has done when it was first released, and by leaving only the most essential navigation buttons.
The size difference becomes even more drastic when compared to Firefox 3, which, even when you remove the default bookmarks toolbar, is at least twice the size of IE9’s toolbar.
You can definitely tell that Microsoft is making every effort in making sure users don’t have any need for alternative browsers, and has learned a few lessons from its competitors while implementing its own innovations.
Address Shortening
Eye-controller for Mario
Oh, and it’s worth watching the video about how they made the daughterboard just for 0:45 in the video =).
15 facts about Wikipedia!
Precious the Bike
This is so snazzy and cool, I love it:
AT&T’s Tethering Costs Infinity Per Megabyte
I was recently sent this article:
http://www.crunchgear.com/2008/07/01/atts-text-messages-cost-1310-per-megabyte/
It basically talks about how text messaging fees have you paying $1,310 per megabyte of data. Which is true – texting fees were always ridiculous and somehow wireless carriers were able to capitalize on that.
Tethering is a little different. When you use tethering (a feature that was built into iPhone OS 3.0 over a year ago: http://gizmodo.com/5171796/iphone-30-os-guide-everything-you-need-to-know), your phone acts as an internet connection relay/access point for your laptop. You’re using your data plan on your laptop instead of your phone.
Naturally a person would use more data on their laptop than on their phone as it’s more convenient to watch online videos, write emails, etc. on a laptop. In the past a carrier would charge extra for tethering since data plans were unlimited but more data usage is a higher load on a network that a carrier has to maintain and pay for. However, with data caps on all of AT&T’s plans, using more data than your plan covers already results in heavy fees ($10 for every 1GB overage in the 2GB plan).
So charging an extra $20 a month just to be able to tether is just AT&T saying “we own your asses.”
An excerpt from an interview with Mark Collins, senior VP of data and voice products at AT&T:
GigaOM: What about the $20 tethering fee? It looks like a convenience charge.
Collins: That capability is enabling something you can’t do today. You can use one device and get multiple connections so it’s more useful to you. You’re going to use more data so the price is based on the value that will be delivered.
Enabling something AT&T disabled last year. Using data which already increases in cost depending on how much you use.
Simple analogy: Imagine Apple introduced a feature in their older iPhones (original, 3G) that allowed them to record videos using the camera and email them to your friends. AT&T disabled that feature on the grounds that you will probably end up using more data with it, since you will be emailing videos. However, they finally decided they are going to charge $20 per month for “enabling” it, and because “you’re going to use more data.”
Firewall (iptables) rules for Zimbra in CentOS
In my previous posts I have documented how to set up a RAID-5 CentOS system, test that RAID’s reliability, and install Zimbra on said system.
In this post I will go over strengthening the security for your system by editing the default port for SSH access and configuring iptables to only accept traffic on ports required by Zimbra, only from certain IP addresses.
1) To change your SSH server port, edit the following line in /etc/ssh/sshd_config
Port 22
You can change the number to whichever you prefer (I changed mine to 130). In many cases, this will cut down on outside brute force attacks by as much as 99%. Bear in mind that this only hides sshd from scanners that probe the default port; it does not harden SSH itself, so keep strong authentication in place.
However, one of Zimbra’s services uses the SSH port for access, so if you do change it, you have to also follow the procedure in step 2 to prevent Zimbra from giving you errors when you try to access some details in Administration Console.
2) From: http://www.zimbra.com/forums/administrators/11796-change-port-22-a.html
1. Check /etc/ssh/sshd_config and be sure it’s set to 130 (or the port you’re using)
2. stop/start/restart sshd
Code:
service sshd restart
3. su zimbra
4. Be sure zimbra’s ssh port is set to 130 (or the port you’re using), and change “server.domain.com” in the following code to your full hostname.
Code:
zmprov ms server.domain.com zimbraRemoteManagementPort 130
5. Generate new ssh keys
Code:
cd /opt/zimbra/bin/
./zmsshkeygen
6. Deploy the keys
Code:
./zmupdateauthkeys
To test this, you can check the admin console mail queues area/servers/certificates. If you don’t get any errors, then the port has been changed successfully.
3) Unfortunately, I was too lazy to figure out how iptables works, but you can read about it here:
http://wiki.centos.org/HowTos/Network/IPTables
So basically what I did was take an existing line for allowing access to a port in my iptables file (/etc/sysconfig/iptables):
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
Then, if you want to limit access to that port (the web server port in this case, which lets you access Zimbra’s web mail client) to a specific network, like my school network, you append -s and the network range like so:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -s 130.245.0.0/16 -j ACCEPT
and copy/paste it a whole bunch of times for each port you want to have open for incoming traffic. In nano you can do this by pressing ctrl+k and then ctrl+u a bunch of times, on any line you want to paste.
You can see which ports Zimbra uses here:
http://wiki.zimbra.com/wiki/Ports
It seems to work correctly with just the external access ports enabled in iptables. I’m guessing that’s because all the internal ports are open due to the following line in iptables:
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
I believe it means that all incoming traffic from the system itself (localhost) is accepted.
Don’t forget to add a rule for the reconfigured SSH port as well, if you happened to change it.
Also, if you want to be able to receive email from anywhere, make sure you don’t add the -s parameter to port 25.
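As an added example that is not part of the original post: a small shell script that generates the per-port, per-network ACCEPT lines described above, so you don’t have to paste the same rule once per port. It assumes the RH-Firewall-1-INPUT chain and the Zimbra port list from this post; the source networks in the last line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: generate the per-port ACCEPT lines
# for /etc/sysconfig/iptables instead of copy/pasting one rule per port.
# Assumes the RH-Firewall-1-INPUT chain and the port list from this post; the
# output goes above the final REJECT rule. Nothing here runs iptables itself.

# Port 25 must stay open to the world, or other mail servers cannot deliver to you.
OPEN_PORTS="25"
# Everything else is limited to trusted sources: web mail (80/443), POP3/IMAP
# plus their TLS variants (110/995, 143/993), the admin console (7071) and SSH.
RESTRICTED_PORTS="80 110 143 443 993 995 7071"
SSH_PORT=130   # the relocated SSH port from step 1; use 22 if you kept the default

PREFIX='-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp'

# Print one ACCEPT rule. $1 = port, $2 = optional source network or host.
rule() {
    if [ -n "$2" ]; then
        printf '%s --dport %s -s %s -j ACCEPT\n' "$PREFIX" "$1" "$2"
    else
        printf '%s --dport %s -j ACCEPT\n' "$PREFIX" "$1"
    fi
}

# Emit the whole rule set. Arguments: the allowed source networks/hosts.
zimbra_rules() {
    for p in $OPEN_PORTS; do
        rule "$p"
    done
    for src in "$@"; do
        for p in $SSH_PORT $RESTRICTED_PORTS; do
            rule "$p" "$src"
        done
    done
}

# Constructed example sources (a campus /16 and one home address); replace
# them with your own before pasting the output into /etc/sysconfig/iptables.
zimbra_rules 130.245.0.0/16 203.0.113.7
```

Each source you pass gets its own copy of the restricted-port rules, while port 25 is emitted exactly once with no -s, matching the advice above.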
Here’s how my iptables looks after I edited it for Zimbra and SSH access:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -s 130.245.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -s 130.245.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 130 -s 130.245.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -s 130.245.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -s 130.245.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -s 130.245.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -s 130.245.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -s 130.245.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -s 129.49.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -s 129.49.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 130 -s 129.49.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -s 129.49.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -s 129.49.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -s 129.49.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -s 129.49.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -s 129.49.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 130 -s 71.247.43.111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -s 71.247.43.111 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Install and Setup Zimbra in CentOS
Zimbra is a suite of tools for Unix/Linux/MacOS systems, which includes a secure mail server, web mail, anti-spam/anti-virus controls, a Web management interface, integrated calendaring, mobile device sync, and more. In many ways, Zimbra is the Unix equivalent to Microsoft Exchange.
In this post, I will be installing Zimbra onto a CentOS virtual machine I created in a previous post. The machine will need at least 1024 MB of memory to run the default Zimbra services. I was unable to make it run without errors with any less memory.
1) You will need to install some required packages to proceed with the setup and avoid errors further on:
- wget – download utility we will be using to download the latest version of Zimbra Open Source Edition.
- postfix – an open-source mail transfer agent (MTA) that routes and delivers electronic mail; installation of Zimbra will fail without this package, according to my professor
- ntp – a protocol designed to synchronize the clocks of computers over a network
You can install these packages with the following command:
yum install wget postfix ntp
2) Make sure your time and date are set correctly. You can check time/date by running ‘date’.
If you need to change them you use the same command followed by the current time and date in the format of MMDDhhmm. So for example, if it’s currently April 30 5:55pm, the command would be:
date 04301755
3) Another step that may be important, and that my professor always told the class to complete, is to disable SELinux due to the various errors it may cause considering its stringent security policies. (Disabling it removes a confinement layer; setting SELINUX=permissive instead logs what would have been denied without blocking anything, which is a useful middle ground.) To disable it, use your favorite editor (mine is nano!) and change the SELINUX value in /etc/sysconfig/selinux to the following:
SELINUX=disabled
Then reboot your system.
4) In addition, you may want to turn off your firewall temporarily while installing and setting up Zimbra. I will make a post later about how to configure your firewall so that Zimbra’s required ports are accessible but everything else is secured. To turn off the firewall in CentOS, run:
service iptables stop
5) To find the latest version of Zimbra OSE, visit the following link:
http://www.zimbra.com/downloads/os-downloads.html
I will be using the 32bit x86 version, Red Hat Enterprise Linux 5 (as instructed by my professor). Since I’m installing it on a remote machine, I’m going to use wget to download the software:
wget http://files2.zimbra.com/downloads/6.0.6_GA/zcs-6.0.6_GA_2324.RHEL5.20100406144520.tgz
6) Extract files from the downloaded archive:
tar -xf zcs-6.0.6_GA_2324.RHEL5.20100406144520.tgz
7) Run the install script with a platform-override argument (since we’re installing on CentOS and not Red Hat) and then follow the instructions by installing whatever external packages the setup tells you are required and selecting options that correspond to your configuration (I used the default option at practically every step):
cd zcs-6.0.6_GA_2324.RHEL5.20100406144520
./install.sh --platform-override
8) If you had any errors during installation, see step 9. Otherwise, if you’ve reached the configuration menu part of the installation, all you’re required to do is to set up the administrator password, as will be denoted by the many * symbols. There are other options you can tinker with if you have more complex needs, but the defaults worked fine for me.
* If you can’t see all the configuration options because the terminal scrolled down too far, you can usually scroll up with the shift+pageup key combination.
9) During installation, I had the following errors:
a)
ERROR: Installation can not proceed. Please fix your /etc/hosts file to contain:
127.0.0.1 localhost.localdomain localhost
Zimbra install grants mysql permissions only to localhost and localhost.localdomain users. But Fedora/RH installs leave lines such as these in /etc/hosts:
127.0.0.1 myhost.mydomain.com myhost localhost.localdomain localhost
This causes MySQL to reject users coming from 127.0.0.1 as users from myhost.mydomain.com. You can read more details at: http://bugs.mysql.com/bug.php?id=11822
This error is self-explanatory. Using an editor like vi or nano, edit /etc/hosts to match the error’s suggested fix. Here’s an example of my /etc/hosts file.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
130.245.127.62 rsheyd.oslab.cs.sunysb.edu rsheyd
b)
Checking for port conflicts
Port conflict detected: 25 (zimbra-mta)
Port conflicts detected! - Any key to continue
That means that some service is using a port Zimbra needs open for one of its services (in this case zimbra-mta). You can proceed with the installation despite the port conflict, but you will need to fix it later to avoid errors.
After you’ve finished Zimbra installation you can check what ports your system is currently using by running:
netstat -tulpn
In my case, postfix, which I installed earlier as per my professor’s instruction, was using port 25. According to him it’s needed for Zimbra to function correctly but should be turned off. I’m not exactly sure how that works, but in any case, to turn it off you have to use the following command.
service postfix stop
And to prevent it from starting the next time you reboot your system, run:
chkconfig postfix off
If you don’t clear up the port conflict, there will be MTA-related errors when you try sending emails in Zimbra.
As a side note, postfix is already included in Zimbra-MTA so you may not need to install it separately to begin with, but I haven’t tried installing Zimbra without it.
*Some people may have sendmail blocking port 25 instead. Apply the same steps to sendmail as I did to postfix.
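As an added example (not from the original post and not part of Zimbra’s installer), here are two pre-flight checks for the errors in step 9: one that validates the 127.0.0.1 line of /etc/hosts the way the installer expects, and one that parses `netstat -tulpn` output for anything already listening on a port Zimbra needs. The sample hosts file and netstat output are constructed; the port list is the one used in the firewall post.

```shell
#!/bin/sh
# Added example, not from the original post or from Zimbra's installer: two
# pre-flight checks for the step 9 errors, written against text so they can be
# exercised on constructed samples. Assumes the /etc/hosts layout of CentOS 5
# and the column layout of `netstat -tulpn` shown on this page.

# 9a) The installer wants the 127.0.0.1 line to read
# "127.0.0.1 localhost.localdomain localhost". If the FQDN comes first, MySQL
# sees 127.0.0.1 connections as coming from that name and rejects them.
# $1 = contents of /etc/hosts. Returns 1 and prints the problem if it is wrong.
check_hosts() {
    names=$(printf '%s\n' "$1" | awk '$1 == "127.0.0.1" { print $2, $3; exit }')
    if [ "$names" = "localhost.localdomain localhost" ]; then
        echo "hosts: ok"
        return 0
    fi
    echo "hosts: 127.0.0.1 line must start with 'localhost.localdomain localhost', got '$names'"
    return 1
}

# 9b) Ports Zimbra's services need (the external ports from the firewall post).
# Anything already LISTENing on one of them will show up as a port conflict.
ZIMBRA_PORTS="25 80 110 143 443 993 995 7071"

# $1 = output of `netstat -tulpn`. Prints "port pid/program" for each conflict.
port_conflicts() {
    printf '%s\n' "$1" | awk -v ports="$ZIMBRA_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)   # strip the address, keep the port
            if (port in want) print port, $7
        }'
}

# Constructed samples, not captured from a real machine.
HOSTS_BAD='127.0.0.1 myhost.mydomain.com myhost localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6'
HOSTS_GOOD='127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.0.2.10 mail.example.com mail'
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      2215/master
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1980/sshd
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2080/cupsd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               2102/ntpd'

check_hosts "$HOSTS_BAD" || true        # reports the FQDN-first line
check_hosts "$HOSTS_GOOD"
port_conflicts "$NETSTAT_SAMPLE"        # prints: 25 2215/master (postfix's master process)
```

On a real box you would feed the functions `"$(cat /etc/hosts)"` and `"$(netstat -tulpn)"`; a hit on port 25 from master is exactly the postfix conflict described above.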
10) Zimbra has pretty basic spam protection as soon as you install it. In addition, its spam protection improves as you receive mail and mark spam as junk mail, due to heuristics and spam-learning algorithms. Google it if you want to know more =).
However, emails with attachments that may carry viruses are NOT filtered out by default. In order to filter out attachment formats which may be malicious, you have to access the global settings in your administration console, which is accessed using the ‘admin’ account and the password you set during installation, at hostname:7071. In my case, that was: https://rsheyd.oslab.cs.sunysb.edu:7071/.
In Global Settings there should be an attachments tab, which lists all possible malicious attachment formats. I recommend selecting all of them and adding them to the blacklist since none of them are commonly attached files like PDFs, documents, photos, etc. Most are executable files used to infect a client’s computer with viruses.
In my next post I will talk about restricting access to Zimbra and your CentOS machine with iptables (firewall).
Helpful links:
http://library.linode.com/email/zimbra/install-zimbra-centos-5
http://www.zimbra.com/docs/ne/latest/single_server_install/
* Post any questions in my comments and I’ll try my best to answer them!