Category Archives: NetBSD

My view on the NetBSD operating system

Using S.M.A.R.T. under NetBSD

NetBSD has supported S.M.A.R.T. for a long time. But this functionality is well hidden. You can enable S.M.A.R.T. and check a single disk like this:

# atactl wd0 smart enable
SMART supported, SMART enabled
# atactl wd0 smart status
SMART supported, SMART enabled
 id value thresh crit collect reliability description                    raw
  1 200   51     yes online  positive    Raw read error rate            0
  3 151   21     yes online  positive    Spin-up time                   9441
  4 100    0     no  online  positive    Start/stop count               16
  5 200  140     yes online  positive    Reallocated sector count       0
  7 200    0     no  online  positive    Seek error rate                0
  9  89    0     no  online  positive    Power-on hours count           8477
 10 100    0     no  online  positive    Spin retry count               0
 11 100    0     no  online  positive    Calibration retry count        0
 12 100    0     no  online  positive    Device power cycle count       15
192 200    0     no  online  positive    Power-off retract count        4
193 134    0     no  online  positive    Load cycle count               199998
194 114    0     no  online  positive    Temperature                    38
196 200    0     no  online  positive    Reallocated event count        0
197 200    0     no  online  positive    Current pending sector         0
198 100    0     no  offline positive    Offline uncorrectable          0
199 200    0     no  online  positive    Ultra DMA CRC error count      0
200 100    0     no  offline positive    Write error rate               0

While this is very useful for manual checks it doesn’t provide automatic health reporting. And the recent abrupt failure of the backup hard disk in a friend’s machine reminded me of the importance of such monitoring. I therefore decided to implement an automated solution on top of NetBSD’s S.M.A.R.T. support.

The first step was to enable S.M.A.R.T. at system startup. I added the following lines to /etc/rc.local to make that happen:

echo "Turning on S.M.A.R.T.:"
for disk in $(sysctl -n hw.disknames | tr " " \\n | grep ^wd)
do
        echo -n "${disk}: "
        atactl $disk smart enable
done

Now I only needed something that checks the reported metrics every night. I therefore added the following snippet to /etc/daily.local:

found=
for disk in $(sysctl -n hw.disknames | tr " " \\n | grep ^wd)
do
        # Empty when the disk reports no such attribute; treated as 0 below.
        relocated=$(atactl $disk smart status |
          sed -n -e 's/.* Reallocated sector count[^0-9]*//p')
        if [ "${relocated:-0}" -gt 0 ]; then
                if [ -z "$found" ]; then
                        found=true
                        echo ""
                        echo "SMART checks:"
                fi
                echo "Disk $disk has $relocated relocated sectors."
        fi
done
unset disk found relocated

The above shell code reports any IDE and SATA hard disks with relocated sectors. If a hard disk reports a lot of relocated sectors or their number is growing quickly in a short time frame the disk will probably fail very soon.

Let’s hope that this way I will get an advance warning before the next major catastrophe.
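The nightly check above looks at a single attribute. As an added example (not code from the original post), the function below reads the same `atactl` status table and also reports any attribute whose normalised value has dropped to its threshold, plus non-zero pending and offline-uncorrectable sector counts. The function name `smart_findings`, the message wording and the altered sample rows are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a broader nightly SMART check.

# Constructed sample in the "atactl wd0 smart status" layout shown above;
# the rows for ids 5 and 197 are altered to simulate a degrading disk.
sample_status() {
cat <<'EOF'
SMART supported, SMART enabled
 id value thresh crit collect reliability description                    raw
  1 200   51     yes online  positive    Raw read error rate            0
  5 130  140     yes online  positive    Reallocated sector count       912
  9  89    0     no  online  positive    Power-on hours count           8477
197 200    0     no  online  positive    Current pending sector         3
198 100    0     no  offline positive    Offline uncorrectable          0
EOF
}

# smart_findings DISK: read one status table on stdin, print one line per
# finding, print nothing for a healthy disk.
smart_findings() {
    awk -v disk="$1" '
    $1 !~ /^[0-9]+$/ { next }   # skip the banner and the column header
    {
        id = $1 + 0; value = $2 + 0; thresh = $3 + 0; raw = $NF
        desc = $7
        for (i = 8; i < NF; i++) desc = desc " " $i
        # A normalised value at or below a non-zero threshold means the
        # drive itself considers the attribute failed.
        if (thresh > 0 && value <= thresh)
            printf "%s: %s at %d, threshold %d (critical: %s)\n", disk, desc, value, thresh, $4
        # Sector-health counters: any non-zero raw count is worth a look.
        if ((id == 5 || id == 197 || id == 198) && raw ~ /^[0-9]+$/ && raw + 0 > 0)
            printf "%s: %s has raw value %s\n", disk, desc, raw
    }'
}

# In /etc/daily.local, inside the same disk loop as the snippet above:
#   atactl $disk smart status | smart_findings $disk
sample_status | smart_findings wd0
```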

Automated attacks against Postfix

Yesterday evening I discovered thousands of lines like these in my server’s mail logfile:

Jun 12 08:58:37 colwyn postfix/smtpd[25605]: warning: unknown[212.154.6.176]: SASL CRAM-MD5 authentication failed: PDM3MjM3NzE1Mzk1NjU1MDEuMTMwNzg2NTUxNUBjb2x3eW4uemhhZHVtLm9yZy51az4=
Jun 12 08:58:44 colwyn postfix/smtpd[25605]: warning: unknown[212.154.6.176]: SASL CRAM-MD5 authentication failed: PDU0MDA0NDczMjgzNjU2NDAuMTMwNzg2NTUyMkBjb2x3eW4uemhhZHVtLm9yZy51az4=
[...]
Jun 12 23:00:15 colwyn postfix/smtpd[12864]: warning: unknown[212.154.6.176]: SASL CRAM-MD5 authentication failed: PDQ2NjM4MzI0NTAyNTQ2ODIuMTMwNzkxNjAxM0Bjb2x3eW4uemhhZHVtLm9yZy51az4=
Jun 12 23:00:26 colwyn postfix/smtpd[12864]: warning: unknown[212.154.6.176]: SASL CRAM-MD5 authentication failed: PDMxMTA4OTY1MjgzOTM0OTkuMTMwNzkxNjAyNEBjb2x3eW4uemhhZHVtLm9yZy51az4=

It looks like somebody has written a program which tries to exploit a security vulnerability in Postfix’s Cyrus SASL component.

Fortunately NetBSD isn’t affected as the bundled Postfix binaries don’t include Cyrus SASL support. But if you are using Postfix 2.8.2 or older from pkgsrc with the sasl option enabled you should update to Postfix 2.8.3 or newer as soon as possible.
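For triaging log lines like the ones above, here is an added example (not part of the original post) that counts SASL failures per client address and mechanism and decodes the string logged after a CRAM-MD5 failure. The decoded value has the form `<digits.digits@hostname>`, the shape of a CRAM-MD5 server challenge. The function names, the threshold and the sample log (documentation-range addresses, placeholder trailing strings apart from the first) are assumptions, and `base64 -d` is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the original post: triage of SASL failures in a
# Postfix mail log read from stdin.

# Constructed sample in the log format shown above. Client addresses are from
# the documentation ranges; the first trailing string is copied from the
# first log line in the post, the others are placeholders.
sample_log() {
cat <<'EOF'
Jun 12 08:58:37 mx postfix/smtpd[25605]: warning: unknown[192.0.2.10]: SASL CRAM-MD5 authentication failed: PDM3MjM3NzE1Mzk1NjU1MDEuMTMwNzg2NTUxNUBjb2x3eW4uemhhZHVtLm9yZy51az4=
Jun 12 08:58:44 mx postfix/smtpd[25605]: warning: unknown[192.0.2.10]: SASL CRAM-MD5 authentication failed: UExBQ0VIT0xERVI=
Jun 12 08:58:51 mx postfix/smtpd[25605]: warning: unknown[192.0.2.10]: SASL CRAM-MD5 authentication failed: UExBQ0VIT0xERVI=
Jun 12 08:59:02 mx postfix/smtpd[25611]: connect from mail.example.net[198.51.100.5]
Jun 12 08:59:09 mx postfix/smtpd[25605]: warning: unknown[192.0.2.10]: SASL CRAM-MD5 authentication failed: UExBQ0VIT0xERVI=
Jun 12 09:14:20 mx postfix/smtpd[25640]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
EOF
}

# Print "<ip> <mechanism>" for every failed SASL authentication.
sasl_failures() {
    sed -n 's|.* postfix/smtpd\[[0-9]*]: warning: [^[]*\[\([^]]*\)]: SASL \([^ ]*\) authentication failed.*|\1 \2|p'
}

# sasl_offenders MIN: print "<ip> <mechanism> <count>" for every pair with
# at least MIN failures.
sasl_offenders() {
    sasl_failures | sort | uniq -c |
        awk -v min="$1" '$1 + 0 >= min + 0 { print $2, $3, $1 }'
}

# Decode the string logged after the first CRAM-MD5 failure in the input.
sasl_first_challenge() {
    sed -n 's|.*SASL CRAM-MD5 authentication failed: \([A-Za-z0-9+/=]*\)$|\1|p' |
        head -n 1 | base64 -d
}

sample_log | sasl_offenders 3
```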

Postfix and Dovecot: a Perfect Combination

Over a year ago I replaced Sendmail with Postfix on my main mail server. The new mail setup has worked very well ever since. There was however still room for improvement:

  1. I still used UW IMAP as the IMAP and POP3 server. This software works fine in general but is neither particularly fast nor under active development anymore.
  2. As the Postfix binaries distributed with NetBSD don’t support SMTP Authentication out of the box, my end users had to use my home-grown mini SMTP server (listening on port 587) to send e-mails. This setup unfortunately made configuring e-mail client software more complicated and didn’t support STARTTLS for encrypting outgoing e-mail.

A week ago I decided to try out Dovecot. Dovecot is a secure IMAP and POP3 server for UNIX-like operating systems. In addition it can also serve as an authentication backend which adds support for SMTP Authentication to Postfix. After reading the excellent documentation in the Dovecot Wiki it took me only an hour to install Dovecot via pkgsrc, configure it and hook it up to Postfix. My system now supported SMTP Authentication and STARTTLS on both port 25 and 587.

Encouraged by this easy success I migrated the IMAP and POP3 services to Dovecot as well on the following day. I simply changed the Dovecot configuration as suggested in the migration instructions, turned off the old services, reloaded Dovecot and everything worked fine immediately.

My new setup still works reliably and fast after more than a week of service. The only compatibility problem was caused by a user who tried to use an uppercase account name. The old IMAP server had silently converted account names to lower case. Dovecot however needs to be explicitly configured to behave in this way.

Overall I can highly recommend the combination of Postfix and Dovecot. You get a fully-fledged e-mail solution with complete encryption support, a single user database and very good performance.