NFS, LDAP, Email

NFS: Network File System

NFS Basics

NFS versions

Released in 1989 and only used UDP. Had several issues include 32bit filesize limitations as well as performance & security issues. Should not be used today.
Released in 1995, has support for either UDP or TCP and improves performance, large file support and other various fixes on the protocol. Still in use today.
Released in 2000, only supports TCP and was a major overhaul of the protocol. Version 4.1 was released in 2010 to provide support for clustered deployments. Most servers should be using at least v3 or v4 today.

NFS v4 major improvements

NFS: Stateless vs. Stateful

Version 2 & 3
  • Stateless
  • Server cannot track which clients have a volume mounted
  • Uses a cookie
Version 4
  • Stateful
  • When the server fails, client assists in the recovery
  • Returning server waits for clients before permitting new operations and locks
  • Does not use the cookie system

NFS: Security

AUTH_NONE no authentication
AUTH_SYS UNIX-style user and group access control
RPCSEC_GSS a powerful flavor that ensures integrity and privacy in addition to authentication

Kerberos integration provides the additional layer of security in V4.

NFS: Server-side daemons

On CentOS 7 machines

NFS server and appropriate RPC services
Mandatory service that starts the appropriate RPC processes allowing NFS clients to lock files on the server
Accepts port reservations from local RPC services. Not used with NFSv4.
This process is used by an NFS server to process MOUNT requests from NFSv3 clients.

NFS: Server-side daemons

Allows explicit NFS versions and protocols the server advertises to be defined
Implements the Network Lock Manager (NLM) protocol, which allows NFSv3 clients to lock files on the server
Implements the Network Status Monitor (NSM) RPC protocol, which notifies NFS clients when an NFS server is restarted without being gracefully brought down.

NFS: Server-side daemons

Provides user quota information for remote users
Provides NFSv4 client and server upcalls, which map between on-the-wire NFSv4 names (strings in the form of user@domain) and local UIDs and GIDs

The /etc/exports Configuration file

Controls which file systems are exported to remote hosts and specifies options. It follows the following syntax rules:


export host(options)
# multiple hosts
export host1(options) host2(options) host3(options)
The directory being exported
The host or network to which the export is being shared
The options to be used for host

See man exports for more options

/etc/exports -- Hostname formats

Single Machine
A fully-qualified domain name (that can be resolved by the server), hostname (that can be resolved by the server), or an IP address.
Series of machines specified with wildcards
Use the * or ? character to specify a string match. Wildcards are not to be used with IP addresses. Does not include sub-domains of a wildcard.

/etc/exports -- Hostname formats

IP networks
Use a.b.c.d/z, where a.b.c.d is the network and z is the number of bits in the netmask (for example
Use the format @group-name, where group-name is the NIS netgroup name.

/etc/exports -- Default options

The exported file system is read-only.
The NFS server will not reply to requests before changes made by previous requests are written to disk. To enable asynchronous writes instead, specify the option async.
The NFS server will delay writing to the disk if it suspects another write request is imminent.
This prevents root users connected remotely (as opposed to locally) from having root privileges; instead, the NFS server will assign them the user ID nfsnobody.

/etc/exports -- Gotchas

These do not mean the same thing!

/data (rw)

Discovering NFS Exports

First, on any server that supports NFSv2 or NFSv3, use the showmount command:

$ showmount -e
Export list for

Second, on any server that supports NFSv4, mount / and look around:

$ mount /mnt/
$ cd /mnt
$ ls data

LDAP: Lightweight Directory Access Protocol


Database service that makes a few assumptions:

LDAP Use Cases

LDIF: LDAP Data Interchange Format

Simplified example which expresses /etc/passwd:

uid: john
cn: John Doe
userPassword: {crypt}$sa3tHJ3/KuYvI
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/john

LDAP Hierarchy

dn: uid=john,ou=People,dc=oregonstate,dc=edu

LDAP Packages

A package containing the libraries necessary to run the OpenLDAP server and client applications.
A package containing the command line utilities for viewing and modifying directories on an LDAP server.
A package containing both the services and utilities to configure and run an LDAP server. This includes the Standalone LDAP Daemon, slapd.
A package containing nslcd, a local LDAP name service that allows a user to perform local LDAP queries.

LDAP Server

# Install server package
$ yum install openldap-servers

# Start the service
$ systemctl slapd start

# Do a simple search
$ ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

LDAP Server utility applications

slapacl     slapauth    slapd       slapindex   slapschema
slapadd     slapcat     slapdn      slappasswd  slaptest
Output entire LDAP tree in LDIF output. Useful for simple backups.
Allows you to add entries from an LDIF file to an LDAP directory
Allows you to create an encrypted user password to be used with the ldapmodify utility, or in the slapd configuration file.

LDAP Client utility application

ldapadd      ldapdelete   ldapmodify   ldappasswd   ldapurl
ldapcompare  ldapexop     ldapmodrdn   ldapsearch   ldapwhoami
Allows you to modify entries in an LDAP directory, either from a file, or from standard input.
Allows you to search LDAP directory entries.
Allows you to add entries to an LDAP directory, either from a file, or from standard input. It is a symbolic link to ldapmodify -a.

Configuring a system to use LDAP

$ yum install openldap openldap-clients nss-pam-ldapd

# Using authconfig
$ authconfig --enableldap --enableldapauth \
  --ldapserver="" \
  --ldapbasedn="dc=example,dc=com" --update

Email Servers

Mail system components

Mail User Agent (MUA)
Allows users to read and compose email. (i.e. Thunderbird, Outlook, etc)
Mail Submission Agent (MSA)
Accepts outgoing mail from a MUA and submits it to the transport system.
Mail Transport Agent (MTA)
Routes messages among machines. (i.e. postfix, sendmail)
Local Delivery Agent (LDA)
Places the messages in a local store (i.e. procmail)
Access Agent (AA)
Connect the user agent to the message store (i.e. IMAP or POP)

Mail system components


Mail Submission Agents (MSA)

Mail Transport Agents (MTA)

A mail sender and receiver

  • Receiving email messages from remote mail servers
  • Understanding the recipients' addresses
  • Rewriting addresses to a form understood by the delivery agent
  • Forwarding the message to the next responsible mail server OR passing it to a local delivery agent

MTA's do the bulk of the work

Examples: postfix, email, sendmail

Local Delivery Agents (LDA)

Message Stores

Final resting place for an email message

Access Agents

IMAP (Internet Message Access Protocol)

  • Most popular
  • Best to use IMAPS
  • Delivers the mail one message at a time

POP (Post Office Protocol)

  • Assumes all email is downloaded from the server to the client
  • Typically configured to delete or archive on server after retrieval
  • Best to use POP3S

Anatomy of a Mail Message

Contains three parts:

The envelope
Determines where the message will be delivered, or where to be returned if it can't be delivered. Delivered-To and Return-Path headers.
The headers
Collection of property/value pairs. Contains a record of when and where the message went to get delivered.
The body of the message
Content to be sent to the recipient, usually plain text but can contain HTML and other content.

Reading Mail Headers

Received: from ( [])
  by (Postfix) with ESMTP id 7D6221C0FB2
  for <>; Mon,  1 Feb 2016 20:16:38 +0000 (UTC)

Troubleshooting Email

ash $ grep 7D6221C0FB2 /var/log/mail.log
Feb  1 20:16:38 postfix/smtpd[3857]: 7D6221C0FB2:[]
Feb  1 20:16:38 postfix/cleanup[1466]: 7D6221C0FB2:
Feb  1 20:16:38 postfix/qmgr[9680]: 7D6221C0FB2:
  from=<>, size=3442, nrcpt=1 (queue active)
Feb  1 20:16:38 postfix/qmgr[9680]: 7D6221C0FB2: removed
Feb  1 20:16:38 postfix/local[1420]: 7D6221C0FB2:
  to=<>, orig_to=<>, relay=local, delay=0.03,
  delays=0.01/0/0/0.02, dsn=2.0.0, status=sent (delivered to command: IFS=' ' &&
  exec /usr/bin/procmail -f- || exit 75)

SMTP Authentication

  1. Client says EHLO, announcing it speaks ESMTP
  2. The server responds and advertises its authentication mechanisms
  3. The clients says AUTH and names the specific mechanism that it wants to use
  4. The server accepts the data sent with AUTH or starts a challenge/response sequent with the client
  5. The server either accepts or denies the authentication attempt

Usually this is done over SSL or TLS

Functions of an email system

  1. To accept outgoing mail from MSAs or user agents
  2. To receive incoming mail from the outside world
  3. To filter mail for spam, viruses, and other malware
  4. To deliver mail to end-users’ mailboxes
  5. To allow users to access their mailboxes with IMAP or POP

Mail System Design

Split between internet-facing and internal servers


Mail aliases


mailer-daemon:  root

Spam filtering

Choosing an MTA

Simple to use and configure. Decent performance overall
Default MTA on Debian, also simple and easy to use.
Highly configurable, high performance but can be complicated to configure and maintain.
Just stay away from this one :)