Tuesday, 28 April 2015

SIP Protocol Messages

Requests


  • INVITE: Indicates that a user is being invited to join a session.
  • ACK: Confirms that the client has received a response to the INVITE message.
  • BYE: Terminates a call.
  • CANCEL: Cancels any pending searches.
  • OPTIONS: Queries for capabilities.
  • REGISTER: Registers the address listed in the header field with a SIP server.

Responses


1xx Informational Messages

  • 100 Trying: Indicates that a request has been initiated by the caller and the called party has not yet been located.
  • 180 Ringing: Indicates that the called party has been located and is being notified of the call.
  • 181 Call Is Being Forwarded: Indicates that the called party has rerouted the call to another destination.
  • 182 Queued: Indicates that the called party is currently not available and has put the call in a queue.
  • 183 Session in Progress


2xx Successful Responses

  • 200 OK: Indicates that the request has been successfully processed.


3xx Redirection Responses

  • 300 Multiple Choices: Indicates that the address resolved to more than one location.
  • 301 Moved Permanently: Indicates the user is no longer available at this location; an alternate location should be included in the header.
  • 302 Moved Temporarily: Indicates that the user is temporarily unavailable; an alternate location should be included in the header.
  • 305 Use Proxy: Indicates that the caller must use a proxy to contact the called party.
  • 380: The call is not successful, but alternate services are available.


4xx Request Failure Responses

  • 400 Bad Request: Indicates the request sent could not be understood.
  • 401 Unauthorized Request: Indicates the request requires authorization.
  • 402 Payment Required: Indicates payment is required to complete the call.
  • 403 Forbidden: Indicates the server has received the request but will not provide the service.
  • 404 Not Found: Indicates the server was not found.
  • 405 Method Not Allowed: Indicates that the request contains a list of methods that are not allowed.
  • 406 Not Acceptable: Indicates that the request cannot be processed by the client.
  • 407 Proxy Authentication Required: The client must first authenticate itself with a proxy.
  • 408 Request Timeout: The server could not produce a response before a given timeout.
  • 409 Conflict: Indicates a conflict with the current state of the resource.
  • 410 Gone: The resource is no longer available at the server and no forwarding address was found.
  • 411 Length Required: User refuses the request without a specified length.
  • 412 Request Entity Too Large: The server refuses to process the request because the URI is too long.
  • 415 Unsupported Media: Indicates the format of the body is not supported by the destination endpoint.
  • 420 Bad Extension: The server could not understand the protocol extension indicated in the Require header.
  • 480 Temporarily Unavailable: Indicates that the called party was contacted but was temporarily unavailable.
  • 481 Call Leg/Transaction Does Not Exist: Indicates that the server is ignoring the BYE or CANCEL request since there is no matching INVITE transaction.
  • 482 Loop Detected (also Request Merged): The server received a request which has itself in the path.
  • 483 Too Many Hops: The server received a request that required more hops than allowed.
  • 484 Incomplete Address: The server received a request with an incomplete address.
  • 485 Ambiguous: The server received a request in which the called address is ambiguous.
  • 486 Busy Here: The called party was contacted but the system was not able to receive any more calls.
  • 487 Request Terminated: The calling party cancelled the request before the dialog was established with a 200 OK.
  • 488 Not Acceptable Here
  • 489 Bad Event: See RFC 3265.
  • 491 Request Pending
  • 493 Undecipherable
  • 494 Security Agreement Required: See RFC 3329.


5xx Server Failure Responses

  • 500 Server Internal Error: The server encountered an unexpected error and could not process the request.
  • 501 Not Implemented: Server does not support the functions required to complete the request.
  • 502 Bad Gateway: Server received an invalid request upstream.
  • 503 Service Unavailable: Server has an overload or maintenance problem.
  • 504 Gateway Timeout: Server did not receive a timely response from another server.
  • 505 Version Not Supported: Server does not support the SIP protocol used in the request.


6xx Global Failure Responses

  • 600 Busy Everywhere: Called party is busy and cannot take the call at this time.
  • 603 Decline: Called party was contacted but does not want to take part in the call.
  • 604 Does Not Exist Anywhere: Called Party does not exist anywhere in the network.
  • 606 Not Acceptable: Called party has rejected some part of the call session description as unacceptable.
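The request and response vocabulary above is easiest to see in a parser. The following Python is an added example, not code from the original post: it splits a SIP message into start line, headers and body, classifies responses by the 1xx to 6xx classes listed above, pulls the realm out of a 401/407 challenge, and checks that two messages belong to the same transaction (same Call-ID, same CSeq number, same top Via branch), which is the matching a server performs before answering a stray BYE or CANCEL with 481. The INVITE and the 407 are constructed samples; the addresses, tags and nonce are made up.

```python
"""Minimal SIP message parser (added example; the messages are constructed)."""
import re

RESPONSE_CLASSES = {
    1: "Informational", 2: "Successful", 3: "Redirection",
    4: "Request Failure", 5: "Server Failure", 6: "Global Failure",
}
REQUEST_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}

# Constructed sample traffic: an INVITE and the 407 challenge a proxy
# returns when it wants credentials before forwarding the call.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "Alice" <sip:alice@example.com>;tag=1928301774\r\n'
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_407 = (
    "SIP/2.0 407 Proxy Authentication Required\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "Alice" <sip:alice@example.com>;tag=1928301774\r\n'
    "To: <sip:bob@example.com>;tag=8321234356\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    'Proxy-Authenticate: Digest realm="example.com", nonce="f84f1cec41e6cbe5", algorithm=MD5\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)


def _parse_challenge(value):
    """Turn 'Digest realm="x", nonce="y", algorithm=MD5' into a dict."""
    scheme, _, params = value.partition(" ")
    fields = {"scheme": scheme}
    for name, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        fields[name] = quoted or bare
    return fields


def parse_sip(raw):
    """Parse one SIP message (request or response) into a dict."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon separates the header name
        headers[name.strip().lower()] = value.strip()
    msg = {"headers": headers, "body": body}
    start = lines[0]
    if start.startswith("SIP/2.0 "):
        parts = start.split(" ", 2)
        code = int(parts[1])
        cseq = headers.get("cseq", "").split()
        msg.update({
            "type": "response",
            "code": code,
            "reason": parts[2] if len(parts) > 2 else "",
            "class": RESPONSE_CLASSES.get(code // 100, "Unknown"),
            "final": code >= 200,          # 1xx are provisional, everything else is final
            "cseq_method": cseq[-1] if cseq else "",   # which request this answers
        })
        for hdr in ("www-authenticate", "proxy-authenticate"):
            if hdr in headers:
                msg["auth_challenge"] = _parse_challenge(headers[hdr])
    else:
        method, uri, version = start.split(" ")
        msg.update({"type": "request", "method": method, "uri": uri,
                    "version": version, "known_method": method in REQUEST_METHODS})
    return msg


def _top_via_branch(msg):
    m = re.search(r"branch=([^;,\s]+)", msg["headers"].get("via", ""))
    return m.group(1) if m else None


def same_transaction(a, b):
    """Two messages share a transaction when Call-ID, CSeq number and the top
    Via branch agree. This is how a response is tied to its request and how a
    CANCEL is tied to the INVITE it cancels; a CANCEL that fails it gets 481."""
    ha, hb = a["headers"], b["headers"]
    return (ha.get("call-id") == hb.get("call-id")
            and ha.get("cseq", "").split()[:1] == hb.get("cseq", "").split()[:1]
            and _top_via_branch(a) == _top_via_branch(b))


if __name__ == "__main__":
    invite, challenge = parse_sip(SAMPLE_INVITE), parse_sip(SAMPLE_407)
    print(invite["method"], invite["uri"])
    print(challenge["code"], challenge["class"], challenge["auth_challenge"]["realm"])
    print("same transaction:", same_transaction(invite, challenge))
```

Running the block prints the request method and URI, then the 407's class and realm, then `same transaction: True`; a CANCEL with a different Call-ID fails `same_transaction`, which is exactly the case the 481 entry above describes.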

Wednesday, 1 April 2015

G.729 and G.723 Codec installation on Asterisk

Installation and configuration of the G.729 and G.723 codecs on Asterisk:
  1. Download the codec binary file from http://asterisk.hosting.lv/bin/codec_g729-ast14-gcc4-glibc-pentium4.so
  2. Copy it to the /usr/lib/asterisk/modules folder.
  3. Restart the Asterisk: /etc/init.d/asterisk restart

Estimating the Number of G.729 Channels Required

If you choose to purchase the G.729 license from Digium you will need to compute the number of G.729 channels required by your configuration. You can estimate the required value by using the following information:
  • a call between two SIP extensions usually requires two G.729 channels, unless the pass-thru mode is used (http://voip-info.org/wiki/view/Asterisk+G.729+pass-thru), in which case it doesn’t require any G.729 channel.
  • a call between a SIP extension and a Zaptel/DAHDI extension/trunk requires one G.729 channel.
  • a call to Voice Mail or another Asterisk service where IVR messages must be played requires one G.729 channel.

Thursday, 19 March 2015

SIP Trunking - IP Based authentication and Password based authentication

SIP trunking is the method of sending calls to an ITSP (Internet telephony service provider) using the SIP protocol.

For in-depth details, refer to RFC 3261.

There are two types of authentication:

1. IP-based authentication
2. Username- and password-based authentication


For IP-based authentication

You need to make the following changes in sip.conf:


[siptrunk]
type=friend
fromuser=X.X.X.X      ; your Asterisk server IP, which will send traffic to the service provider
host=X.X.X.X          ; service provider IP
canreinvite=no
qualify=no
dtmfmode=RFC2833
context=internal
disallow=all
allow=g729
allow=ulaw
allow=alaw
port=5060


Then add the outbound dial pattern to the [internal] context in extensions.conf:

[internal]
exten => _9X.,1,Dial(SIP/${EXTEN}@siptrunk)


For username- and password-based authentication

[siptrunk]
type=friend
username=
fromuser=X.X.X.X
host=X.X.X.X
canreinvite=no
secret=
qualify=no
dtmfmode=RFC2833
context=internal
disallow=all
allow=g729
allow=ulaw
allow=alaw
port=5060

Fill in the username and secret (password) for the trunk.
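Whichever of the two schemes you choose, the trunk definition is worth checking against a few well-known chan_sip pitfalls before it goes live. The Python below is an added example, not part of the original post: it parses sip.conf and extensions.conf (the `;` comment and `exten =>` syntax of Asterisk config files) and reports trunks defined as type=friend (the usual chan_sip hardening advice is type=peer for trunks, so inbound calls are matched by source IP rather than by the From user), trunks with no secret, and the toll-fraud exposure that arises when a trunk's inbound context is the same context that dials out through a trunk, as the context above does. The configurations, IP addresses and context names are constructed samples modelled on the post.

```python
"""Lint Asterisk chan_sip trunk definitions (added example; configs are constructed)."""
import re

# Constructed sip.conf modelled on the post's IP-authenticated trunk.
SAMPLE_SIP_CONF = """\
[general]
context=default
[siptrunk]
type=friend
fromuser=203.0.113.5      ; this Asterisk server
host=198.51.100.7         ; provider
canreinvite=no
qualify=no
dtmfmode=RFC2833
context=internal
disallow=all
allow=g729
allow=ulaw
allow=alaw
port=5060
"""
SAMPLE_EXTENSIONS = """\
[internal]
exten => _9X.,1,Dial(SIP/${EXTEN}@siptrunk)
"""
# Same trunk with a secret, type=peer and a dedicated inbound context
# that can only reach an internal extension.
HARDENED_SIP_CONF = (SAMPLE_SIP_CONF
                     .replace("type=friend", "type=peer\nsecret=CHANGE-ME")
                     .replace("context=internal", "context=from-trunk"))
HARDENED_EXTENSIONS = SAMPLE_EXTENSIONS + "[from-trunk]\nexten => _X.,1,Dial(SIP/100)\n"


def parse_asterisk_conf(text):
    """Parse an Asterisk .conf into {section: [(key, value), ...]}.
    Handles ';' comments, 'key=value' and 'exten => ...' lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        if value.startswith(">"):            # 'exten => pattern,priority,App(args)'
            value = value[1:]
        sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections


def dials_through_trunk(ext_sections, context, trunk_names):
    """True when the dialplan context can place calls out via one of the trunks."""
    for key, value in ext_sections.get(context, []):
        if key != "exten":
            continue
        app = value.split(",", 2)[-1]         # the Application(args) part
        for trunk in trunk_names:
            if re.search(r"Dial\(SIP/[^)]*@" + re.escape(trunk) + r"\b", app):
                return True
    return False


def audit(sip_conf_text, extensions_conf_text):
    """Return [(section, finding), ...] for every trunk-like section."""
    sip = parse_asterisk_conf(sip_conf_text)
    ext = parse_asterisk_conf(extensions_conf_text)
    trunks = [s for s in sip if s not in ("general", "authentication")]
    findings = []
    for name in trunks:
        opts = dict(sip[name])
        if opts.get("type") == "friend":
            findings.append((name, "type=friend: inbound calls match on the From user "
                                   "before the source IP; define a trunk as type=peer"))
        host = opts.get("host", "")
        if not opts.get("secret"):
            if host in ("", "dynamic"):
                findings.append((name, "no secret and host=dynamic: anything that knows "
                                       "the name can register or send calls as this peer"))
            else:
                findings.append((name, "no secret: source IP %s is the only identity for this "
                                       "trunk; restrict port %s to that address at the firewall "
                                       "as well" % (host, opts.get("port", "5060"))))
        ctx = opts.get("context")
        if ctx and dials_through_trunk(ext, ctx, trunks):
            findings.append((name, "toll-fraud exposure: inbound context '%s' can Dial() "
                                   "back out through a trunk" % ctx))
    return findings


if __name__ == "__main__":
    for section, finding in audit(SAMPLE_SIP_CONF, SAMPLE_EXTENSIONS):
        print("[%s] %s" % (section, finding))
    print("hardened:", audit(HARDENED_SIP_CONF, HARDENED_EXTENSIONS))
```

Run against the post-style configuration the audit reports all three findings; the hardened variant, which puts inbound calls into a context that can only ring an internal extension, reports none.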

Wednesday, 11 March 2015

Setup DKIM on Postfix with OpenDKIM

Introduction

DKIM is an authentication framework which stores public keys in DNS and digitally signs email on a per-domain basis. It was created by merging Yahoo's DomainKeys and Cisco's Identified Internet Mail specifications. It is defined in RFC 4871.

We will be using the OpenDKIM implementation on CentOS; OpenDKIM is a fork of dkim-milter.

Installation

yum install opendkim

Generate the Keys

opendkim-genkey -d <domain_name> -s <selector>
Replace <domain_name> with the domain name you will be signing mail for, and <selector> with a selector name; it can be anything (but just one word). The command will create two files:
  • <selector>.txt - contains the public key you publish via DNS
  • <selector>.private - the private key you use for signing your email
Create a sub-directory in /etc/opendkim/keys to store your key; I prefer to use the domain name as the sub-directory name.
# mv <selector>.private /etc/opendkim/keys/<domain_name>/<selector>.pem
# chmod 600 /etc/opendkim/keys/<domain_name>/<selector>.pem
# chown opendkim:opendkim /etc/opendkim/keys/<domain_name>/<selector>.pem

DNS Setup

You need to publish your public key via DNS; receiving servers use this key to verify your signed email. The contents of <selector>.txt is the record you need to add to your zone file; a sample is below (it uses default as the selector and example.com as the domain name):
default._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA
DCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDv
wn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+z
JVW+CKpUcI8BJD03iW2l1CwIDAQAB" ; ----- DKIM default for example.com

Configuration

Edit /etc/opendkim.conf: comment out "KeyFile /etc/opendkim/keys/default.private" and uncomment "#KeyTable /etc/opendkim/KeyTable".

Edit the file /etc/opendkim/KeyTable and add your domain using the following format:
<selector>._domainkey.<domain_name> <domain_name>:<selector>:/etc/opendkim/keys/<domain_name>/<selector>.pem
Add your server's IP addresses to /etc/opendkim/TrustedHosts.
More advanced configuration options can be set in the file /etc/opendkim.conf.

Configure Postfix

You need to add the following options to the Postfix main.cf file to enable it to use the milter:
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
Append the OpenDKIM options to the existing milters if you have other milters already configured.
Start OpenDKIM and restart Postfix:
# service opendkim start
# service postfix restart

Testing

Send an email to sa-test@sendmail.net or autorespond+dkim@dk.elandsys.com; you will receive a response stating whether your setup is working correctly. If you have a Gmail account you can send an email to that account and look at the message details, similar to the picture below; you should see signed-by “your domain” if your setup was done correctly.

(Image: DKIM-signed mail as shown in Gmail)
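To make the pieces of this post concrete, here is an added Python example (standard library only; not code from the original post or from the OpenDKIM project). It parses the tag=value syntax shared by the DNS TXT record and the DKIM-Signature header, sanity-checks a published key record (the sample record from the DNS Setup section, wrapped exactly as shown there, is embedded as input), generates the KeyTable line in the format above together with the SigningTable line OpenDKIM uses to map sender addresses to a key (SigningTable is not mentioned in the post; it is assumed from OpenDKIM's own configuration), and recomputes a message's body hash (the bh= tag) under simple and relaxed canonicalization. The DKIM-Signature header is a constructed one for a message with an empty body; checking the b= signature itself needs RSA and is left to OpenDKIM and the test addresses above.

```python
"""DKIM record and body-hash helpers (added example, standard library only)."""
import base64
import hashlib
import re

# The TXT record from the post, line-wrapped exactly as the zone file shows it.
SAMPLE_TXT_RECORD = (
    "v=DKIM1; r=postmaster; g=*; k=rsa;\n"
    "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA\n"
    "DCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDv\n"
    "wn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+z\n"
    "JVW+CKpUcI8BJD03iW2l1CwIDAQAB"
)
# Constructed DKIM-Signature value for a message with an empty body
# (b= is left empty: checking it needs RSA, which is outside this example).
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default; "
    "h=from:to:subject:date; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b="
)
KNOWN_RECORD_TAGS = {"v", "h", "k", "n", "p", "s", "t"}   # RFC 6376 section 3.6.1


def parse_tag_list(text):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2). Folding whitespace
    inside a value is dropped, which is why the wrapped p= still parses."""
    tags = {}
    for part in text.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dns_record_name(selector, domain):
    return "%s._domainkey.%s" % (selector, domain)


def check_public_key_record(txt):
    """Return 'error:' / 'note:' strings describing a published key record."""
    tags = parse_tag_list(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("error: v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("note: k=%s is not rsa; verifiers must support it" % tags["k"])
    if tags.get("p", "") == "":
        problems.append("error: empty p= means the key is revoked; mail will not verify")
    else:
        try:
            der = base64.b64decode(tags["p"], validate=True)
            if len(der) < 160:          # shorter than a 1024-bit SPKI: truncated record
                problems.append("error: p= decodes to only %d bytes" % len(der))
        except ValueError:
            problems.append("error: p= is not valid base64")
    for tag in sorted(set(tags) - KNOWN_RECORD_TAGS):
        problems.append("note: unknown or legacy tag %s= is ignored by verifiers" % tag)
    return problems


def opendkim_table_lines(domain, selector, keyfile):
    """KeyTable line in the post's format, plus the SigningTable ('refile'
    form) line that maps every sender at the domain to that key."""
    key_name = dns_record_name(selector, domain)
    return {"KeyTable": "%s %s:%s:%s" % (key_name, domain, selector, keyfile),
            "SigningTable": "*@%s %s" % (domain, key_name)}


def canonicalize_body(body, method="simple"):
    """RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")   # accept bare LF input
    lines = body.split(b"\r\n")
    if method == "relaxed":                    # collapse WSP runs, strip trailing WSP
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":          # ignore empty lines at the end
        lines.pop()
    if not lines:                              # empty body: CRLF (simple) or nothing (relaxed)
        return b"\r\n" if method == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, method="simple", algorithm="sha256"):
    digest = hashlib.new(algorithm, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode()


def check_body_hash(signature_value, body):
    """True when bh= matches the body under the signature's c= and a= tags
    (the optional l= body-length limit is not handled here)."""
    tags = parse_tag_list(signature_value)
    canon = tags.get("c", "simple/simple")
    body_method = canon.split("/")[1] if "/" in canon else "simple"
    algorithm = tags.get("a", "rsa-sha256").split("-")[-1]
    return body_hash(body, body_method, algorithm) == tags.get("bh")


if __name__ == "__main__":
    print(dns_record_name("default", "example.com"))
    print(check_public_key_record(SAMPLE_TXT_RECORD))
    print(opendkim_table_lines("example.com", "default", "/etc/opendkim/keys/example.com/default.pem"))
    print("body hash ok:", check_body_hash(SAMPLE_SIGNATURE, b""))
```

The record check only reports notes for the post's sample record (its r= and g= tags are not among the tags RFC 6376 defines and are ignored), while an empty p=, which is how a key is revoked, is reported as an error; a body hash mismatch is the first thing a receiver notices when a mail was altered in transit.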

Tuesday, 10 March 2015

PHP 5.3 on CentOS/RHEL 5.11 via Yum

To install, first you must install the yum repository information:

rpm -Uvh http://mirror.webtatic.com/yum/centos/5/latest.rpm
 
Now you can install php by doing:

yum --enablerepo=webtatic install php
 
Or update an existing installation of php, which will also update all of the other php modules installed:

yum --enablerepo=webtatic update php

Wednesday, 25 February 2015

PHP5 with IMAP and SSL support

Building your own PHP with IMAP support is not that hard, but I noticed a lot of people tend to have problems when they want SSL support in it.
You might run into something like this (for example, when reconfiguring PHP):
configure: error: utf8_mime2text() has new signature, but U8T_CANONICAL is missing. This should not happen. Check config.log for additional information.


This exact same problem came up for me on Fedora when trying to compile PHP 5.5.0.
The problem is related to the '--with-imap' configuration parameter.
In order to solve this problem I compiled my own version of imap from the latest source (currently imap-2007f), and to do that I had to install some prerequisites. On Fedora I did this:

yum install openssl openssl-devel pam-devel
wget ftp://ftp.cac.washington.edu/imap/imap-2007f.tar.gz
tar zxvf imap-2007f.tar.gz
 
Then I had to make a soft link so the compiler could find the libraries. In my case I did the following:

mkdir /usr/local/ssl
ln -s /usr/include /usr/local/ssl/include
 
and then compile:

cd imap-2007f
make lnp SSLTYPE=unix EXTRACFLAGS=-fPIC
 
Then I was able to compile PHP by adding the imap source path to the config param like so:

/path/to/php/src> ./configure ...other_params... '--with-imap=/path/to/imap-2007f' '--with-imap-ssl'
make
make install

Sunday, 1 February 2015

Installing ClamAV & SpamAssassin to CentOS 5 with Sendmail

These instructions install the open-source mail server software to CentOS 5 with Sendmail on a 64-bit CentOS 5.4 (or higher) Linux host.
1. Install the RPMForge repo to get access to more software packages for CentOS 5:
rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm

2. Use yum to install the necessary software packages from the RPMForge repo you just installed:
yum -y install spamass-milter clamav-milter
yum -y install perl-Mail-SPF
yum -y install sendmail-cf


Restart spamd after installing the new SPF package with
/etc/init.d/spamassassin restart

Install DKIM for Message Signing with
yum -y install perl-Mail-DKIM

Check DKIM use by sending yourself an email from GMail and saving that message (headers and all) to a local text file, processing that file with
spamassassin -D < /tmp/gmail-msg.txt 2>&1 |grep -i dk

Install GeoIP for regional/geographic message filtering
yum -y install geoip

Check that all of ClamAV is installed with
yum -y install clamav clamav-db clamav-milter clamd

Check then on the settings in /etc/sysconfig/clamav-milter & then set/check on the following in /etc/clamav-milter.conf

MilterSocket unix:/var/clamav/clmilter.socket
User clamav
AllowSupplementaryGroups yes
ClamdSocket unix:/var/run/clamav/clamd.sock
LogFile /var/log/clamav/clamav-milter.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes


Set/check the following in /etc/clamd.conf

LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User clamav
AllowSupplementaryGroups yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanMail yes
ScanArchive yes
ArchiveBlockEncrypted no


Install SPF capabilities with
yum -y install smf-spf

3. Start Configuring main software servers

3a. Sendmail for ClamAV & SpamAssassin
Load the following into /etc/mail/sendmail.mc, placed above any MAILER definition; I place it after the line “FEATURE(use_ct_file)dnl”:
dnl # LOCAL ADDITIONS before Mailers
dnl # clamav-milter - from README ... dnl
INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/clamav/clmilter.socket, F=,T=S:4m;R:4m;E:10m')dnl
dnl #
dnl # SPAMASSASSIN dnl
dnl **
dnl ** enable spamassassin-milter to scan for spam using spamassassin **
dnl **
INPUT_MAIL_FILTER(`spamassassin', `S=unix:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl
dnl # END LOCAL ADDITIONS
dnl #

You can test / check the newly installed & configured SpamAssassin with the command:
spamassassin -D < /usr/share/doc/spamassassin-3.2.5/sample-spam.txt 2>&1 |grep -i spf
Looking for lines like:
[1290] dbg: spf: using Mail::SPF for SPF checks
and
[1290] dbg: spf: def_spf_whitelist_from: already checked spf and didn’t get pass, skipping whitelist check
[1290] dbg: spf: whitelist_from_spf: already checked spf and didn’t get pass, skipping whitelist check

3b. Now rebuild the sendmail.cf from your updated sendmail.mc in /etc as root with
make

3c. Ensure all the dependent & requisite servers are running for Clam & SA with
chkconfig clamd on
chkconfig clamav-milter on
chkconfig spamass-milter on
chkconfig sendmail on
chkconfig dovecot on


3d. Then start everything in the same order as per their init.d files, with
service clamd start
service clamav-milter start
service spamass-milter start


3e. Then restart Sendmail with
service sendmail restart

3z. SPF config and enabling (optional; not working yet). Configure SMF-SPF support in /etc/mail/sendmail.mc and remake sendmail.cf with:
cd /etc/mail
cat >> sendmail.mc << 'END'
dnl **
dnl ** enable smf-spf (Sender Policy Framework) **
dnl **
define(`confMILTER_MACROS_HELO', confMILTER_MACROS_HELO`, {verify}')dnl
INPUT_MAIL_FILTER(`smf-spf', `S=unix:/var/run/smfs/smf-spf.sock, T=S:30s;R:1m')dnl
END
make


In /etc/mail as root run make to generate the new sendmail.cf & submit.cf Sendmail config files.
Start SPF and restart Sendmail with
/etc/init.d/smf-spf restart
/etc/init.d/sendmail restart
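One detail in the INPUT_MAIL_FILTER lines above deserves a second look: the F= field decides what Sendmail does when a milter is unreachable. Sendmail's cf/README documents that with F= empty (the clamav-milter and spamassassin lines) or absent (the smf-spf line) mail is passed through as if the filter were not present, so a crashed clamd means unscanned mail is accepted, while F=T tempfails the mail and F=R rejects it. The Python below is an added example, not from the original post: it extracts each milter's socket, timeouts and failure mode from sendmail.mc text (the post's three INPUT_MAIL_FILTER lines are embedded as the sample) and rewrites the same text so every milter fails closed.

```python
"""Report each milter's failure mode from sendmail.mc (added example; input is the post's lines)."""
import re

# The INPUT_MAIL_FILTER lines from this post, assembled as a constructed sample.
SAMPLE_MC = """\
INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/clamav/clmilter.socket, F=,T=S:4m;R:4m;E:10m')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=unix:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
INPUT_MAIL_FILTER(`smf-spf', `S=unix:/var/run/smfs/smf-spf.sock, T=S:30s;R:1m')dnl
"""

MILTER_RE = re.compile(r"INPUT_MAIL_FILTER\(`([^']+)'\s*,\s*`([^']*)'\)")
# F= flags per sendmail's cf/README; anything else leaves mail flowing unfiltered.
FAIL_MODES = {
    "R": "reject mail while the milter is unavailable (fail closed)",
    "T": "tempfail mail while the milter is unavailable (fail closed, sender retries)",
}
TIMEOUT_NAMES = {"C": "connect", "S": "send", "R": "read reply", "E": "end-of-message"}


def parse_milters(mc_text):
    """Return one dict per INPUT_MAIL_FILTER(...) definition in the text."""
    milters = []
    for name, options in MILTER_RE.findall(mc_text):
        fields = {}
        for item in options.split(","):          # S=..., F=..., T=... (T keeps its ';' list)
            key, sep, value = item.strip().partition("=")
            if sep:
                fields[key.strip()] = value.strip()
        flag = fields.get("F", "")
        if flag == "":
            mode = "accept mail as if the milter were absent (fail open)"
        else:
            mode = FAIL_MODES.get(flag, "unknown flag %r" % flag)
        timeouts = {}
        for pair in filter(None, fields.get("T", "").split(";")):
            letter, _, value = pair.partition(":")
            timeouts[TIMEOUT_NAMES.get(letter, letter)] = value
        milters.append({"name": name, "socket": fields.get("S", ""), "fail_flag": flag,
                        "on_failure": mode, "timeouts": timeouts})
    return milters


def failing_open(mc_text):
    """Names of milters whose outage lets mail through unfiltered."""
    return [m["name"] for m in parse_milters(mc_text) if m["fail_flag"] not in FAIL_MODES]


def set_failure_flag(mc_text, flag="T"):
    """Rewrite every INPUT_MAIL_FILTER so the milter fails closed with the given flag."""
    def fix(match):
        name, options = match.group(1), match.group(2)
        if re.search(r"\bF=", options):
            options = re.sub(r"\bF=[^,]*", "F=" + flag, options)
        else:
            options += ", F=" + flag
        return "INPUT_MAIL_FILTER(`%s', `%s')" % (name, options)
    return MILTER_RE.sub(fix, mc_text)


if __name__ == "__main__":
    for m in parse_milters(SAMPLE_MC):
        print("%-14s %-40s %s" % (m["name"], m["socket"], m["on_failure"]))
    print("fail open:", failing_open(SAMPLE_MC))
    print(set_failure_flag(SAMPLE_MC, "T"))
```

Whether T or R is the right choice depends on the milter: tempfailing while clamd restarts is usually acceptable, whereas an SPF milter that is still "not working yet" is a reason to leave it out of sendmail.mc entirely rather than to fail closed on it.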


4. Testing / Verifying Setup

4a. Check /var/log/maillog

4b. Test with a manual SMTP dialog, using the telnet command from another remote host on the Internet (i.e., NOT from the server itself) to port 25 on your Sendmail host.

Saturday, 24 January 2015

Apache: service httpd does not support chkconfig

As you know, when you have installed your Apache service on your CentOS/Red Hat server manually (make & make install rather than yum) and would like to run the service automatically, you should copy apachectl from the Apache bin folder to /etc/init.d/ and name it httpd.
Then you might want to set up chkconfig and face the error below:

service httpd does not support chkconfig

To fix this issue, you may simply add the following lines to your file at /etc/init.d/httpd:

#
# Startup script for the Apache Web Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve
# HTML files and CGI.
# processname: httpd
# pidfile: /usr/local/apache/logs/httpd.pid
# config: /usr/local/apache/conf/httpd.conf

Then you may run chkconfig again:

chkconfig --level 235 httpd on

And now restart your httpd service.

Thursday, 22 January 2015

Issues with firewall on HW Node - Impossible to use ip_nat and ipt_state modules

Information

Symptoms vary and may include:
  • Some iptables rules are not working
  • You see the following error when trying to create an iptables rule in the NAT table or when trying to use the STATE module:
    # iptables -t nat -L
    iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded.
    #
    

Cause

This problem usually occurs because connection tracking (the "conntracks" module) is disabled by default on your Parallels Virtuozzo Containers (PVC) hardware node (HW Node). This means iptables is not stateful in the default installation.
You can verify this by checking whether you get the same output as below:
~# grep conntrac /etc/modprobe.d/vz-parallels.conf
options nf_conntrack ip_conntrack_disable_ve0=1
When support for connection tracking is disabled, the NAT table is absent in the list of available tables:
~# cat /proc/net/ip_tables_names
mangle
filter
Therefore, it is impossible to use the nf_nat and xt_state modules on the HW Node.

Resolution

Note: the STATE module functionality of iptables may be replaced by adding explicit complementary rules to the INPUT and OUTPUT chains.
If you are not satisfied by that workaround, or if you need the NAT table functionality, continue reading.
Before you enable connection tracking support, we strongly recommend considering the following notes and warnings:
Warning 1: Enabling connection tracking uses a lot of resources.
Warning 2: With "conntracks" enabled, the HW Node may become completely unreachable from the network when you have a high network load. If a hosted container has malicious software running, a kernel panic can occur.
That is because the number of connection tracking slots is limited for a physical server. Enabling "conntracks" is especially dangerous for a PVC HW Node, because it allocates two tracking slots for each connection to a container: one for the external connection and another for connecting the HW Node with the container. So if a container opens too many connections, the HW Node will not be able to create any new connections.
This sort of situation might arise due to a DDoS attack against any container. The HW Node administrator would not be able to stop it by stopping a CT or adding iptables rules, because the administrator could not log in to the Node.

How to enable "conntracks":

  1. Check that all necessary modules are loaded on the Hardware Node:
    ~# lsmod | grep -E "state|nat"
    nf_nat_ftp              3489  0
    nf_conntrack_ftp       12927  1 nf_nat_ftp
    iptable_nat             6236  0
    nf_nat                 23178  3 vzrst,nf_nat_ftp,iptable_nat
    nf_conntrack_ipv4       9848  3 iptable_nat,nf_nat
    ip_tables              18021  3 iptable_nat,iptable_mangle,iptable_filter
    xt_state                1474  2
    nf_conntrack           80758  8 vzrst,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
    
  2. Add those modules to the iptables configuration on the Node:
    ~# egrep '^IPTABLES_MODULES' /etc/sysconfig/iptables-config
    IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length xt_length xt_hl xt_tcpmss xt_TCPMSS xt_multiport xt_limit xt_dscp nf_conntrack iptable_nat"
    IPTABLES_MODULES_UNLOAD="yes"
    
  3. Edit /etc/modprobe.d/vz-parallels.conf and set ip_conntrack_disable_ve0=0:
    ~# grep conntrac /etc/modprobe.d/vz-parallels.conf
    options nf_conntrack ip_conntrack_disable_ve0=0
    
  4. Make sure kernel messages are logged, so you can verify that iptables logging works:
    ~# egrep '^kern' /etc/rsyslog.conf
    kern.*                                                 /var/log/messages
    
  5. Restart iptables:
    ~]# service iptables restart
    iptables: Applying firewall rules:                         [  OK  ]
    iptables: Loading additional modules: ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length xt_length xt_hl xt_tcpmss xt_TCPMSS xt_multiport xt_limit xt_dscp ip_conntrack iptable_nat                                         [  OK  ]
    
    (Please note that unloading of kernel modules can fail if modules are in use by running containers.)
  6. Restart syslog:
    ~# service rsyslog restart
    Shutting down system logger:                               [  OK  ]
    Starting system logger:                                    [  OK  ]
    
  7. Add a test rule, e.g., one to track new SSH connections:
    ~# iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name ssh_attempt --rsource -j LOG --log-prefix "SSH connection attempt: "
    
  8. Avoid tracking any other TCP connections to save system resources:
    ~# iptables -t raw -I PREROUTING -p tcp ! --dport 22 -j NOTRACK
    
    Note: setting rules in the raw table might cause issues with CT #1 restart. Update PVA Agent to the latest version.
  9. Try to log in to the server via SSH while monitoring the log:
    Jan 11 02:29:19 pvclin47 kernel: [  106.459592] SSH connection attempt: IN=eth0 OUT= MAC=00:1c:42:ac:d1:c9:00:1e:67:07:55:95:08:00 SRC=192.168.55.3 DST=10.39.3.111 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=44446 DF PROTO=TCP SPT=51889 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Jan 11 02:29:19 pvclin47 kernel: [  106.459592] SSH connection attempt: IN=eth0 OUT= MAC=00:1c:42:ac:d1:c9:00:1e:67:07:55:95:08:00 SRC=192.168.55.3 DST=10.39.3.111 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=44446 DF PROTO=TCP SPT=51889 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
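Step 9 leaves you with kernel LOG lines in /var/log/messages; the value of the exercise is turning them into something you can act on. The Python below is an added example, not part of the original article: it parses the key=value fields of netfilter LOG output (the line captured above, repeated as it appears, plus constructed lines from a second source and an unrelated sshd line), keeps only new inbound TCP connections to the logged port (SYN without ACK), and counts attempts per source so a noisy address stands out. The threshold is an assumption to tune for your host.

```python
"""Summarise netfilter LOG lines for new SSH connections (added example)."""
import re
from collections import Counter

# First two lines are the one captured in the article (repeated as it appeared);
# the 198.51.100.23 lines and the sshd line are constructed.
SAMPLE_LOG = """\
Jan 11 02:29:19 pvclin47 kernel: [  106.459592] SSH connection attempt: IN=eth0 OUT= MAC=00:1c:42:ac:d1:c9:00:1e:67:07:55:95:08:00 SRC=192.168.55.3 DST=10.39.3.111 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=44446 DF PROTO=TCP SPT=51889 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 11 02:29:19 pvclin47 kernel: [  106.459592] SSH connection attempt: IN=eth0 OUT= MAC=00:1c:42:ac:d1:c9:00:1e:67:07:55:95:08:00 SRC=192.168.55.3 DST=10.39.3.111 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=44446 DF PROTO=TCP SPT=51889 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 11 02:31:02 pvclin47 kernel: [  209.113220] SSH connection attempt: IN=eth0 OUT= MAC=00:1c:42:ac:d1:c9:00:1e:67:07:55:95:08:00 SRC=198.51.100.23 DST=10.39.3.111 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=10001 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 11 02:31:03 pvclin47 kernel: [  210.001532] SSH connection attempt: IN=eth0 OUT= MAC=00:1c:42:ac:d1:c9:00:1e:67:07:55:95:08:00 SRC=198.51.100.23 DST=10.39.3.111 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=10002 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 11 02:31:04 pvclin47 kernel: [  211.240901] SSH connection attempt: IN=eth0 OUT= MAC=00:1c:42:ac:d1:c9:00:1e:67:07:55:95:08:00 SRC=198.51.100.23 DST=10.39.3.111 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=10003 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 11 02:31:05 pvclin47 sshd[2211]: Accepted publickey for admin from 192.168.55.3 port 51889 ssh2
"""

# sy slog prefix, optional printk timestamp, optional --log-prefix text, then IN=... fields
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: (?:\[\s*[\d.]+\] )?"
    r"(?:(?P<prefix>.*?): )?(?P<fields>IN=.*)$"
)


def parse_log_line(line):
    """Return a dict of the key=value fields plus a 'flags' set, or None for
    lines that are not netfilter LOG output."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    record = {"timestamp": m.group("stamp"), "host": m.group("host"),
              "prefix": m.group("prefix") or "", "flags": set()}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value            # IN=, OUT=, SRC=, DPT=, ...
        else:
            record["flags"].add(token)     # bare tokens: DF, SYN, ACK, ...
    return record


def is_new_tcp_connection(record, port):
    """A fresh connection attempt is a SYN without ACK to the given port."""
    return (record.get("PROTO") == "TCP" and record.get("DPT") == str(port)
            and "SYN" in record["flags"] and "ACK" not in record["flags"])


def new_connections_by_source(lines, port=22):
    counts = Counter()
    for line in lines:
        record = parse_log_line(line)
        if record and is_new_tcp_connection(record, port):
            counts[record["SRC"]] += 1
    return counts


def sources_over_threshold(lines, limit, port=22):
    """Sources with at least `limit` new connections, busiest first."""
    counts = new_connections_by_source(lines, port)
    return [src for src, n in counts.most_common() if n >= limit]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, n in new_connections_by_source(lines).most_common():
        print("%-16s %d new SSH connections" % (src, n))
    print("over threshold:", sources_over_threshold(lines, 3))
```

Fed the real /var/log/messages (for example `sources_over_threshold(open("/var/log/messages"), 20)`) the same functions give a per-source view that is easier to reason about than the raw LOG lines, and the port parameter lets the same code watch whatever the LOG rule in step 7 targets.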
    

FAQ

Q: What exactly does this option do?
A: This option controls the tracking of packets in the Node's environment. When it is disabled, packets are accepted, routed, etc., but the kernel does not store any information about the packet's connections, as it considers each packet to be a complete unit.
This option also has implications for NAT. NAT needs the following information: it must identify the first packet of a connection and decide which of the following packets belong to it, i.e., which packets should be treated as one "connection".

Additional information