https://wiki.archlinux.org/api.php?action=feedcontributions&user=Lukeshu&feedformat=atomArchWiki - User contributions [en]2024-03-19T01:36:26ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=DeveloperWiki:Systemd&diff=544534DeveloperWiki:Systemd2018-09-28T16:25:11Z<p>Lukeshu: /* ntp-units.d */ Remove; ntp-units.d support was removed in systemd 216 (2014-08-20)</p>
<hr />
<div>[[Category:DeveloperWiki]]<br />
This page is for planning.<br />
<br />
==Packaging notes==<br />
<br />
===Units===<br />
* Use the upstream unit files whenever they exist<br />
* Try not to do anything Arch-specific. This will maximize chances of not having to change behavior in the future once the unit files are provided by upstream. In particular avoid {{ic|EnvironmentFile&#61;}}, especially if it points to the Arch-specific {{ic|/etc/conf.d}}<br />
* Always separate initialization behavior from the actual daemon behavior. If necessary, use a separate unit for the initialization, blocked on a ConditionFoo from {{ic|systemd.unit(5)}}. An example of this is {{ic|sshd.service}} and {{ic|sshdgenkeys.service}}.<br />
<br />
Not using an {{ic|EnvironmentFile&#61;}} is OK if:<br />
* Either the daemon has its own configuration file where the same settings can be specified<br />
* The default service file "just works" in the most common case. Users who want to change the behavior should then override the default service file. If it is not possible to provide a sane default service file, it should be discussed on a case-by-case basis<br />
<br />
A few comments about service files, assuming current behavior should be roughly preserved, and fancy behavior avoided:<br />
* If your service requires the network to be configured before it starts, use {{ic|After&#61;network.target}}. Do '''not''' use {{ic|Wants&#61;network.target}} or {{ic|Requires&#61;network.target}}<br />
* Use {{ic|Type&#61;forking}}, unless you know it's not necessary<br />
** Many daemons use the exit of the first process to signal that they are ready, so to minimize problems, it is safest to use this mode<br />
** To make sure that systemd is able to figure out which process is the main process, tell the daemon to write a pidfile and point systemd to it using {{ic|PIDFile&#61;}}<br />
** If the daemon in question is dbus-activated, socket-activated, or specifically supports {{ic|Type&#61;notify}}, that's a different matter, but currently only the case for a minority of daemons<br />
* Arch's rc scripts do not support dependencies, but with systemd they should be added add where necessary<br />
** The most typical case is that {{ic|A}} requires the service {{ic|B}} to be running before {{ic|A}} is started. In that case add {{ic|Requires&#61;B}} and {{ic|After&#61;B}} to {{ic|A}}.<br />
** If the dependency is optional then add {{ic|Wants&#61;B}} and {{ic|After&#61;B}} instead<br />
** Dependencies are typically placed on services and not on targets<br />
If you want to get fancy, you should know what you are doing.<br />
<br />
====Example of a simple conversion====<br />
{|<br />
|- valign="top"<br />
| {{hc|rc script|#!/bin/bash<br />
<br />
. /etc/rc.conf<br />
. /etc/rc.d/functions<br />
<br />
case "$1" in<br />
start)<br />
stat_busy "Starting NIS Server"<br />
/usr/sbin/ypserv<br />
if [ $? -gt 0 ]; then<br />
stat_fail<br />
else<br />
add_daemon ypserv<br />
stat_done<br />
fi<br />
;;<br />
stop)<br />
stat_busy "Stopping NIS Server"<br />
killall -q /usr/sbin/ypserv<br />
if [ $? -gt 0 ]; then<br />
stat_fail<br />
else<br />
rm_daemon ypserv<br />
stat_done<br />
fi<br />
;;<br />
restart)<br />
$0 stop<br />
sleep 1<br />
$0 start<br />
;;<br />
*)<br />
echo "usage: $0 {start|stop|restart}"<br />
esac}}<br />
| {{hc|systemd service file|[Unit]<br />
Description&#61;NIS/YP (Network Information Service) Server<br />
Requires&#61;rpcbind.service<br />
After&#61;network.target rpcbind.service<br />
<br />
[Service]<br />
Type&#61;forking<br />
PIDFile&#61;/run/ypserv.pid<br />
ExecStart&#61;/usr/sbin/ypserv<br />
<br />
[Install]<br />
WantedBy&#61;multi-user.target}}<br />
|}<br />
<br />
{{Note|Keep in mind that values to keys such as ExecStart and ExecStop are '''not''' run within a shell, but only passed to {{ic|execv}}}}<br />
<br />
===tmpfiles.d===<br />
* Instead of creating necessary runtime directories and files when a service is started (as some rc scripts do), ship a {{ic|tmpfiles.d(5)}} config file in {{ic|/usr/lib/tmpfiles.d}}.<br />
* A pacman hook included in systemd will run {{ic|systemd-tmpfiles --create foo.conf}} upon install to ensure the necessary runtime files are created right away, not just on the next boot<br />
{{Tip|This feature can be used for a whole lot of other things, e.g. for writing to arbitrary files, even in /sys}}<br />
<br />
===modules-load.d===<br />
* Instead of loading necessary modules when a service is started (as some rc scripts do), ship a {{ic|modules-load.d(5)}} config file in {{ic|/usr/lib/modules-load.d}}.<br />
* Add {{ic|modprobe}} lines to {{ic|post_install}} (and {{ic|post_upgrade}} if needed) to ensure the necessary modules are loaded on install, not just on the next boot<br />
<br />
===sysctl.d===<br />
* IMO(dreisner): This should generally be avoided, as tying low level kernel behavior to a package might be considered evil.</div>Lukeshuhttps://wiki.archlinux.org/index.php?title=Postfix&diff=457494Postfix2016-11-22T19:09:37Z<p>Lukeshu: /* main.cf */ since mid-2015, the default settings have been safe against POODLE, remove relevant lines</p>
<hr />
<div>[[Category:Mail server]]<br />
[[ja:Postfix]]<br />
{{Related articles start}}<br />
{{Related|PostFix Howto With SASL}}<br />
{{Related|Amavis}}<br />
{{Related|Virtual user mail system}}<br />
{{Related|Courier MTA}}<br />
{{Related|Exim}}<br />
{{Related|OpenSMTPD}}<br />
{{Related|OpenDMARC}}<br />
{{Related|OpenDKIM}}<br />
{{Related|SOGo}}<br />
{{Related articles end}}<br />
From [http://www.postfix.org/ Postfix's site]:<br />
:Postfix attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.<br />
<br />
The goal of this article is to setup Postfix and explain what the basic configuration files do. There are instructions for setting up local system user-only delivery and a link to a guide for virtual user delivery. <br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|postfix}} package.<br />
<br />
== Configuration ==<br />
<br />
=== master.cf ===<br />
<br />
{{ic|/etc/postfix/master.cf}} is the master configuration file where you can specify what kinds of protocols you will serve. It is also the place where you can put your new pipes e.g. to check for Spam!<br />
<br />
It is recommended to enable secure SMTP as described in [[#Secure SMTP]].<br />
<br />
See [http://www.postfix.org/TLS_README.html this page] for more information about encrypting outgoing and incoming email.<br />
<br />
=== main.cf ===<br />
<br />
{{Style|Needs some cleanup}}<br />
<br />
{{ic|/etc/postfix/main.cf}} is the main configuration file where everything is configured. The settings below are recommended for virtual local-only delivery.<br />
<br />
*{{ic|myhostname}} should be set if your mail server has multiple domains, and you do not want the primary domain to be the mail host. You should have both a DNS A record and an MX record point to this hostname.<br />
:{{bc|1=myhostname = mail.nospam.net}}<br />
<br />
*{{ic|mydomain}} is usually the value of {{ic|myhostname}}, minus the first part. If your domain is wonky, then just set it manually.<br />
:{{bc|1=mydomain = nospam.net}}<br />
<br />
*{{ic|myorigin}} is where the email will be seen as being sent from. I usually set this to the value of {{ic|mydomain}}. For simple servers, this works fine. This is for mail originating from a local account. Since we are not doing local delivery (except sending), then this is not really as important as it normally would be. <br />
:{{bc|1=myorigin = $mydomain}}<br />
<br />
*{{ic|mydestination}} is the lookup for local users.<br />
:{{bc|1=mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain}}<br />
<br />
*{{ic|mynetworks}} and {{ic|mynetworks_style}} control relaying, and whom is allowed to. We do not want any relaying.<br />
:For our sakes, we will simply set {{ic|mynetwork_style}} to host, as we are trying to make a standalone Postfix host, that people will use webmail on. No relaying, no other MTA's. Just webmail.<br />
:{{bc|1=mynetworks_style = host}}<br />
<br />
*{{ic|relaydomains}} controls the destinations that Postfix will relay TO. The default value is empty. This should be fine for now.<br />
:{{bc|1=relay_domains = }}<br />
<br />
*{{ic|home_mailbox}} or {{ic|mail_spool_directory}} control how mail is delivered/stored for the users.<br />
:If set, {{ic|mail_spool_directory}} specifies an absolute path where mail gets delivered. By default Postfix stores mails in {{ic|/var/spool/mail}}. <br />
<br />
:{{bc|1=mail_spool_directory = /home/vmailer}}<br />
<br />
:Alternatively, if set, {{ic|home_mailbox}} specifies a mailbox relative to the user's home directory where mail gets delivered (eg: /home/vmailer).<br />
<br />
:Courier-IMAP requires "Maildir" format, so you '''must''' set it like the following example with trailing slash:<br />
:{{bc|1=home_mailbox = Maildir/}}<br />
<br />
{{Warning|If you plan on implementing SSL/TLS, please respond safely to [https://weakdh.org/sysadmin.html FREAK/Logjam] by adding the following to your configuration:<br />
{{bc|1=<br />
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA}}<br />
<br />
Then, generate a [https://www.openssl.org/docs/apps/dhparam.html dhparam file] by following [https://weakdh.org/sysadmin.html these instructions] and then adding the following to your configuration:<br />
{{bc|1=smtpd_tls_dh1024_param_file = ${config_directory}/dhparams.pem}}<br />
<br />
Since mid-2015, the default settings have been safe against [http://disablessl3.com/ POODLE].<br />
}}<br />
<br />
==== Default message and mailbox size limits ====<br />
<br />
Postfix imposes both message and mailbox size limits by default. The message_size_limit controls the maximum size in bytes of a message, including envelope information. (default 10240000) The mailbox_size_limit controls the maximum size of any local individual mailbox or maildir file. This limits the size of '''any''' file that is written to upon local delivery, '''including files written by external commands''' (i.e. procmail) that are executed by the local delivery agent. (default is 51200000, set to 0 for no limit) If bounced message notifications are generated, check the size of the local mailbox under {{ic|/var/spool/mail}} and use postconf to check these size limits:<br />
<br />
# postconf mailbox_size_limit<br />
mailbox_size_limit = 51200000<br />
# postconf message_size_limit<br />
message_size_limit = 10240000<br />
<br />
=== Aliases ===<br />
<br />
You can specify aliases (also known as forwarders) in {{ic|/etc/postfix/aliases}}.<br />
<br />
You need to map all mail addressed to ''root'' to another account since it is not a good idea to read mail as root. <br />
<br />
Uncomment the following line, and change {{ic|you}} to a real account.<br />
root: you<br />
<br />
Once you have finished editing {{ic|/etc/postfix/aliases}} you must run the postalias command:<br />
postalias /etc/postfix/aliases<br />
For later changes you can use:<br />
newaliases<br />
<br />
{{Tip|Alternatively you can create the file {{ic|~/.forward}}, e.g. {{ic|/root/.forward}} for root. Specify the user to whom root mail should be forwarded, e.g. ''user@localhost''.<br />
<br />
{{hc|/root/.forward|<br />
user@localhost<br />
}}<br />
<br />
}}<br />
<br />
=== Local mail ===<br />
<br />
To only deliver mail to local system users (that are in {{ic|/etc/passwd}}) update {{ic|/etc/postfix/main.cf}} to reflect the following configuration. Uncomment, change, or add the following lines:<br />
<br />
myhostname = localhost<br />
mydomain = localdomain<br />
mydestination = $myhostname, localhost.$mydomain, localhost<br />
inet_interfaces = $myhostname, localhost<br />
mynetworks_style = host<br />
default_transport = error: outside mail is not deliverable<br />
<br />
All other settings may remain unchanged. After setting up the above configuration file, you may wish to set up some [[#Aliases]] and then [[#Start Postfix]].<br />
<br />
=== Virtual mail ===<br />
Virtual mail is mail that does not map to a user account ({{ic|/etc/passwd}}).<br />
<br />
See [[Virtual user mail system]] for a comprehensive guide how to set it up.<br />
<br />
=== DNS records ===<br />
<br />
An MX record should point to the mail host. Usually this is done from configuration interface of your domain provider.<br />
<br />
A mail exchanger record (MX record) is a type of resource record in the Domain Name System that specifies a mail server responsible for accepting email messages on behalf of a recipient's domain. <br />
<br />
When an e-mail message is sent through the Internet, the sending mail transfer agent queries the Domain Name System for MX records of each recipient's domain name. This query returns a list of host names of mail exchange servers accepting incoming mail for that domain and their preferences. The sending agent then attempts to establish an SMTP connection to one of these servers, starting with the one with the smallest preference number, delivering the message to the first server with which a connection can be made. <br />
<br />
{{Note|Some mail servers will not deliver mail to you if your MX record points to a CNAME. For best results, always point an MX record to an A record definition. For more information, see e.g. [[Wikipedia:List of DNS record types|Wikipedia's List of DNS Record Types]].}}<br />
<br />
=== Check configuration ===<br />
<br />
Run the {{ic|postfix check}} command. It should output anything that you might have done wrong in a config file. <br />
<br />
To see all of your configs, type {{ic|postconf}}. To see how you differ from the defaults, try {{ic|postconf -n}}.<br />
<br />
== Start Postfix ==<br />
<br />
{{Note|You must run {{ic|newaliases}} at least once for postfix to run, even if you did not set up any [[#Aliases]].}}<br />
<br />
[[Start/enable]] the {{ic|postfix.service}}.<br />
<br />
== Testing ==<br />
<br />
{{Style|Needs some cleanup. There are probably more general ways to write this.}}<br />
<br />
Now lets see if Postfix is going to deliver mail for our test user.<br />
{{bc|<br />
nc servername 25<br />
helo testmail.org<br />
mail from:<test@testmail.org><br />
rcpt to:<cactus@virtualdomain.tld><br />
data<br />
This is a test email.<br />
.<br />
quit<br />
}}<br />
<br />
=== Error response ===<br />
<br />
451 4.3.0 <lisi@test.com>:Temporary lookup failure<br />
Maybe you have entered the wrong user/password for MySQL or the MySQL socket is not in the right place.<br />
<br />
This error will also occur if you neglect to run newaliases at least once before starting postfix. MySQL is not required for local only usage of postfix.<br />
<br />
550 5.1.1 <email@spam.me>: Recipient address rejected: User unknown in virtual mailbox table.<br />
Double check content of mysql_virtual_mailboxes.cf and check the main.cf for mydestination<br />
<br />
=== See that you have received a email ===<br />
<br />
Now type {{ic|$ find /home/vmailer}}.<br />
<br />
You should see something like the following:<br />
{{bc|<br />
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld<br />
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/tmp<br />
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/cur<br />
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/new<br />
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/new/1102974226.2704_0.bonk.testmail.org<br />
}}<br />
The key is the last entry. This is an actual email, if you see that, it is working.<br />
<br />
== Extra ==<br />
<br />
=== PostfixAdmin ===<br />
<br />
To use PostfixAdmin, you need a working Apache/MySQL/PHP setup as described in [[Apache HTTP Server]].<br />
<br />
For IMAP functionality, you will need to install {{Pkg|php-imap}} and uncomment imap.so in /etc/php/php.ini<br />
<br />
Next, [[install]] {{Pkg|postfixadmin}}.<br />
<br />
{{Style|in-code comments}}<br />
<br />
Edit the PostfixAdmin configuration file:<br />
<br />
{{hc|/etc/webapps/postfixadmin/config.inc.php|<nowiki><br />
$CONF['configured'] = true;<br />
// correspond to dovecot maildir path /home/vmail/%d/%u <br />
$CONF['domain_path'] = 'YES';<br />
$CONF['domain_in_mailbox'] = 'NO';<br />
$CONF['database_type'] = 'mysql';<br />
$CONF['database_host'] = 'localhost';<br />
$CONF['database_user'] = 'postfix_user';<br />
$CONF['database_password'] = 'hunter2';<br />
$CONF['database_name'] = 'postfix_db';<br />
<br />
// globally change all instances of ''change-this-to-your.domain.tld'' <br />
// to an appropriate value<br />
</nowiki>}}<br />
<br />
If installing dovecot and you changed the password scheme in dovecot (to SHA512-CRYPT for example), reflect that with postfix<br />
<br />
{{hc|/etc/webapps/postfixadmin/config.inc.php|<nowiki><br />
$CONF['encrypt'] = 'dovecot:SHA512-CRYPT';<br />
</nowiki>}}<br />
<br />
As of dovecot 2, dovecotpw has been deprecated. You will also want to ensure that your config reflects the new binary name.<br />
<br />
{{hc|/etc/webapps/postfixadmin/config.inc.php|<nowiki><br />
$CONF['dovecotpw'] = "/usr/sbin/doveadm pw";<br />
</nowiki>}}<br />
<br />
Create the Apache configuration file:<br />
{{hc|/etc/httpd/conf/extra/httpd-postfixadmin.conf|<nowiki><br />
Alias /postfixadmin "/usr/share/webapps/postfixAdmin"<br />
<Directory "/usr/share/webapps/postfixAdmin"><br />
DirectoryIndex index.html index.php<br />
AllowOverride All<br />
Options FollowSymlinks<br />
Require all granted<br />
</Directory><br />
</nowiki>}}<br />
<br />
To only allow localhost access to postfixadmin (for heightened security), add this to the previous <Directory> directive:<br />
Order Deny,Allow<br />
Deny from all<br />
Allow from 127.0.0.1<br />
<br />
Now, include httpd-postfixadmin.conf to {{ic|/etc/httpd/conf/httpd.conf}}:<br />
# PostfixAdmin configuration<br />
Include conf/extra/httpd-postfixadmin.conf<br />
<br />
{{Note|If you go to yourdomain/postfixadmin/setup.php and it says do not find config.inc.php, add {{ic|/etc/webapps/postfixadmin}} to the {{ic|open_basedir}} line in {{ic|/etc/php/php.ini}}.}}<br />
{{Note|If you get a blank page check the syntax of the file with {{ic|php -l /etc/webapps/postfixadmin/config.inc.php}}.}}<br />
<br />
=== Secure SMTP ===<br />
For more information, see [http://www.postfix.org/TLS_README.html Postfix TLS Support].<br />
==== STARTTLS over SMTP (port 587) ====<br />
<br />
To enable STARTTLS over SMTP (port 587, the proper way of securing SMTP), add the following lines to {{ic|main.cf}}<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_tls_security_level = may<br />
smtpd_tls_cert_file = '''/path/to/cert.pem'''<br />
smtpd_tls_key_file = '''/path/to/key.pem'''<br />
}}<br />
<br />
Also in {{ic|master.cf}} find and remove the comment from the following line to enable the service on that port:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
submission inet n - n - - smtpd<br />
}}<br />
<br />
If you need support for the deprecated SMTPS port 465, read the next section.<br />
<br />
==== SMTPS (port 465) ====<br />
<br />
The deprecated method of securing SMTP is using the '''wrapper mode''' which uses the system service '''smtps''' as a non-standard service and runs on port 465.<br />
<br />
To enable it uncomment the following lines in<br />
<br />
{{hc|/etc/postfix/master.cf|<nowiki><br />
smtps inet n - n - - smtpd<br />
-o smtpd_tls_wrappermode=yes<br />
-o smtpd_sasl_auth_enable=yes<br />
</nowiki>}}<br />
<br />
And verify that these lines are in {{ic|/etc/services}}:<br />
smtps 465/tcp # Secure SMTP<br />
smtps 465/udp # Secure SMTP<br />
<br />
If they are not there, go ahead and add them (replace the other listing for port 465). Otherwise Postfix will not start and you will get the following error:<br />
<br />
''postfix/master[5309]: fatal: 0.0.0.0:smtps: Servname not supported for ai_socktype''<br />
<br />
=== SpamAssassin ===<br />
<br />
Install the {{Pkg|spamassassin}} package.<br />
<br />
Go over {{ic|/etc/mail/spamassassin/local.cf}} and configure it to your needs.<br />
<br />
==== Spam Assassin rule update ====<br />
<br />
Update the SpamAssassin matching patterns and compile them:<br />
# sa-update<br />
# sa-compile<br />
<br />
You will want to run this periodically, the best way to do so is by setting up a [[Systemd/Timers]].<br />
<br />
Create the following service, which will run these commands:<br />
{{hc|1=/etc/systemd/system/spamassassin-update.service|2=<br />
[Unit]<br />
Description=spamassassin housekeeping stuff<br />
<br />
[Service]<br />
User=spamd<br />
Group=spamd<br />
Type=oneshot<br />
ExecStart=-/usr/bin/vendor_perl/sa-update --allowplugins #You can remove the allowplugins options if you do not want direct plugin updates from SA.<br />
ExecStart=-/usr/bin/vendor_perl/sa-compile<br />
# You can automatically train SA's bayes filter by uncommenting this line and specifying the path to a mailbox where you store email that is spam (for ex this could be yours or your users manually reported spam)<br />
#ExecStart=-/usr/bin/vendor_perl/sa-learn --spam <path to your spam><br />
}}<br />
<br />
Then create the timer, which will execute the previous service daily:<br />
{{hc|1=/etc/systemd/system/spamassassin-update.timer|2=<br />
[Unit]<br />
Description=spamassassin house keeping<br />
<br />
[Timer]<br />
OnCalendar=daily<br />
Persistent=true<br />
<br />
[Install]<br />
WantedBy=timers.target<br />
}}<br />
<br />
Finally, you'll need to modify your Spamassassin systemd service file so that it knows to restart itself to read the new rules. Copy the bundled service file to a custom service file:<br />
{{bc|1=<br />
# cp /usr/lib/systemd/system/spamassassin.service /etc/systemd/system<br />
}}<br />
<br />
And edit the newly created {{ic|/etc/systemd/system/spamassassin.service}} to include:<br />
{{bc|1=<br />
[Unit]<br />
PartOf=spamassassin-update.service<br />
}}<br />
<br />
This will ensure that Spamassassin's spamd is restarted just before the timer runs. This means the rules will be available the next day if your timer runs daily. This is so that there is no long service interruption while {{ic|sa.service}} runs as it takes a while to compile rules.<br />
<br />
Now you can [[start]] and [[enable]] {{ic|spamassassin-update.service}}.<br />
<br />
==== SpamAssassin stand-alone generic setup ====<br />
<br />
{{Note|If you want to combine SpamAssassin and Dovecot Mail Filtering, ignore the next two lines and continue further down instead.}}<br />
<br />
Edit {{ic|/etc/postfix/master.cf}} and add the content filter under smtp.<br />
{{bc|1=<br />
smtp inet n - n - - smtpd<br />
-o content_filter=spamassassin<br />
}}<br />
<br />
Also add the following service entry for SpamAssassin<br />
{{bc|1=<br />
spamassassin unix - n n - - pipe<br />
flags=R user=spamd argv=/usr/bin/vendor_perl/spamc -e /usr/bin/sendmail -oi -f ${sender} ${recipient}<br />
}}<br />
<br />
Now you can [[start]] {{ic|spamassassin.service}}.<br />
<br />
==== SpamAssassin combined with Dovecot LDA / Sieve (Mailfiltering) ====<br />
Set up LDA and the Sieve-Plugin as described in [[Dovecot#Sieve]]. But ignore the last line {{ic|mailbox_command... }}.<br />
<br />
Instead add a pipe in {{ic|/etc/postfix/master.cf}}:<br />
dovecot unix - n n - - pipe<br />
flags=DRhu user=vmail:vmail argv=/usr/bin/vendor_perl/spamc -u spamd -e /usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}<br />
<br />
And activate it in {{ic|/etc/postfix/main.cf}}:<br />
virtual_transport = dovecot<br />
<br />
==== SpamAssassin combined with Dovecot LMTP / Sieve ====<br />
Set up the LMTP and Sieve as described in [[Dovecot#Sieve]].<br />
<br />
Edit {{ic|/etc/dovecot/conf.d/90-plugins.conf}} and add:<br />
<br />
sieve_before = /etc/dovecot/sieve.before.d/<br />
sieve_extensions = +vnd.dovecot.filter<br />
sieve_plugins = sieve_extprograms<br />
sieve_filter_bin_dir = /etc/dovecot/sieve-filter<br />
sieve_filter_exec_timeout = 120s #this is often needed for the long running spamassassin scans, default is otherwise 10s<br />
<br />
Create the directory and put spamassassin in as a binary that can be ran by dovecot:<br />
<br />
# mkdir /etc/dovecot/sieve-filter<br />
# ln -s /usr/bin/vendor_perl/spamc /etc/dovecot/sieve-filter/spamc<br />
<br />
Create a new file, {{ic|/etc/dovecot/sieve.before.d/spamassassin.sieve}} which contains:<br />
<br />
require [ "vnd.dovecot.filter" ];<br />
filter "spamc" [ "-d", "127.0.0.1", "--no-safe-fallback" ];<br />
<br />
Compile the sieve rules {{ic|spamassassin.svbin}}:<br />
<br />
# cd /etc/dovecot/sieve.before.d<br />
# sievec spamassassin.sieve<br />
<br />
Finally, [[restart]] {{ic|dovecot.service}}.<br />
<br />
==== Call ClamAV from SpamAssassin ====<br />
<br />
Install and setup clamd as described in [[ClamAV]].<br />
<br />
Follow one of the above instructions to call SpamAssassin from within your mail system.<br />
<br />
[[Install]] the {{pkg|perl-cpanplus-dist-arch}} package. Then install the ClamAV perl library as follows:<br />
<br />
# /usr/bin/vendor_perl/cpanp -i File::Scan::ClamAV<br />
<br />
Add the 2 files from http://wiki.apache.org/spamassassin/ClamAVPlugin into {{ic|/etc/mail/spamassassin/}}.<br />
Edit {{ic|/etc/mail/spamassassin/clamav.pm}} and update {{ic|$CLAM_SOCK}} to point to your Clamd socket location (default is {{ic|/var/lib/clamav/clamd.sock}}).<br />
<br />
Finally, [[restart]] {{ic|spamassassin.service}}.<br />
<br />
=== Using Razor ===<br />
Make sure you have installed SpamAssassin first, then:<br />
<br />
[[Install]] the {{Pkg|razor}} package.<br />
<br />
Register with Razor.<br />
<br />
# mkdir /etc/mail/spamassassin/razor<br />
# chown spamd:spamd /etc/mail/spamassassin/razor<br />
# sudo -u spamd -s<br />
$ razor-admin -home=/etc/mail/spamassassin/razor -register<br />
$ razor-admin -home=/etc/mail/spamassassin/razor -create<br />
$ razor-admin -home=/etc/mail/spamassassin/razor -discover<br />
<br />
Tell SpamAssassin about Razor, add<br />
<br />
razor_config /etc/mail/spamassassin/razor/razor-agent.conf<br />
<br />
to {{ic|/etc/mail/spamassassin/local.cf}}.<br />
<br />
Tell Razor about itself, add<br />
<br />
razorhome = /etc/mail/spamassassin/razor/<br />
<br />
to {{ic|/etc/mail/spamassassin/razor/razor-agent.conf}}<br />
<br />
Finally, [[restart]] {{ic|spamassassin.service}}.<br />
<br />
===Hide the sender's IP and user agent in the Received header===<br />
This is a privacy concern mostly, if you use Thunderbird and send an email. The received header will contain your LAN and WAN IP and info about the email client you used.<br />
(Original source: [http://askubuntu.com/questions/78163/when-sending-email-with-postfix-how-can-i-hide-the-senders-ip-and-username-in AskUbuntu])<br />
What we want to do is remove the Received header from outgoing emails. This can be done by the following steps:<br />
<br />
Add this line to main.cf<br />
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks<br />
Create /etc/postfix/smtp_header_checks with this content:<br />
/^Received: .*/ IGNORE<br />
/^User-Agent: .*/ IGNORE<br />
Finally, restart postfix.service<br />
<br />
=== Postfix in a chroot jail ===<br />
Postfix is not put in a chroot jail by default. The Postfix documentation [http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup] provides details about how to accomplish such a jail. The steps are outlined below and are based on the chroot-setup script provided in the postfix source code.<br />
<br />
First, go into the {{ic|master.cf}} file in the directory {{ic|/etc/postfix}} and change all the chroot entries to 'yes' (y) except for the services {{ic|qmgr}}, {{ic|proxymap}}, {{ic|proxywrite}}, {{ic|local}}, and {{ic|virtual}}<br />
<br />
Second, create two functions that will help us later with copying files over into the chroot jail (see last step)<br />
CP="cp -p"<br />
<br />
cond_copy() {<br />
# find files as per pattern in $1<br />
# if any, copy to directory $2<br />
dir=`dirname "$1"`<br />
pat=`basename "$1"`<br />
lr=`find "$dir" -maxdepth 1 -name "$pat"`<br />
if test ! -d "$2" ; then exit 1 ; fi<br />
if test "x$lr" != "x" ; then $CP $1 "$2" ; fi<br />
}<br />
<br />
Next, make the new directories for the jail:<br />
set -e<br />
umask 022<br />
<br />
POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}<br />
cd ${POSTFIX_DIR}<br />
<br />
mkdir -p etc lib usr/lib/zoneinfo<br />
test -d /lib64 && mkdir -p lib64<br />
<br />
Find the localtime file<br />
lt=/etc/localtime<br />
if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi<br />
rm -f etc/localtime<br />
<br />
Copy localtime and some other system files into the chroot's etc<br />
$CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc<br />
$CP -f /etc/host.conf /etc/hosts /etc/passwd etc<br />
ln -s -f /etc/localtime usr/lib/zoneinfo<br />
<br />
Copy required libraries into the chroot using the previously created function {{ic|cond_copy}}<br />
cond_copy '/usr/lib/libnss_*.so*' lib<br />
cond_copy '/usr/lib/libresolv.so*' lib<br />
cond_copy '/usr/lib/libdb.so*' lib<br />
<br />
And don't forget to reload postfix.<br />
<br />
===Rule-based mail processing===<br />
With policy services one can easily finetune postfix' behaviour of mail delivery.<br />
{{Pkg|postfwd}} and <span class="plainlinks archwiki-template-pkg">[https://aur.archlinux.org/pkgbase/policyd policyd]</span><sup><small>AUR</small></sup> provide services to do so.<br />
This allows you to e.g. implement time-aware grey- and blacklisting of senders and receivers as well as [[SPF]] policy checking.<br />
<br />
Policy services are standalone services and connected to Postfix like this:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_recipient_restrictions =<br />
...<br />
check_policy_service unix:/run/policyd.sock<br />
check_policy_service inet:127.0.0.1:10040<br />
</nowiki>}}<br />
Placing policy services at the end of the queue reduces load, as only legitimate mails are processed. Be sure to place it before the first permit statement to catch all incoming messages.<br />
<br />
=== DANE (DNSSEC) ===<br />
==== Resource Record ====<br />
<br />
{{warning|This is not a trivial section. Be aware that you make sure you know what you are doing. You better read [https://dane.sys4.de/common_mistakes Common Mistakes] before.}}<br />
<br />
DANE supports several types of records, however not all of them are suitable in postfix.<br />
<br />
Certificate usage 0 is unsupported, 1 is mapped to 3 and 2 is optional, thus it is recommendet to publish a "3" record.<br />
More on [[DANE#Resource Record|Resource Records]].<br />
<br />
==== Configuration ====<br />
Opportunistic DANE is configured this way:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_use_tls = yes<br />
smtp_dns_support_level = dnssec<br />
smtp_tls_security_level = dane<br />
</nowiki>}}<br />
{{hc|/etc/postfix/master.cf|<nowiki><br />
dane unix - - n - - smtp<br />
-o smtp_dns_support_level=dnssec<br />
-o smtp_tls_security_level=dane<br />
</nowiki>}}<br />
<br />
To use per-domain policies, e.g. opportunistic DANE for example.org and mandatory DANE for example.com,<br />
use something like this:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
indexed = ${default_database_type}:${config_directory}/<br />
<br />
# Per-destination TLS policy<br />
#<br />
smtp_tls_policy_maps = ${indexed}tls_policy<br />
<br />
# default_transport = smtp, but some destinations are special:<br />
#<br />
transport_maps = ${indexed}transport<br />
</nowiki>}}<br />
<br />
{{hc|transport|<br />
example.com dane<br />
example.org dane<br />
}}<br />
<br />
{{hc|tls_policy|<br />
example.com dane-only<br />
}}<br />
<br />
{{Note|For global mandatory DANE, change {{ic|smtp_tls_security_level}} to {{ic|dane-only}}. Be aware that this makes postfix tempfail on all delivieres that do not use DANE at all!}}<br />
<br />
Full documentation is found [http://www.postfix.org/TLS_README.html#client_tls_dane here].<br />
<br />
== See also ==<br />
<br />
* [http://linox.be/index.php/2005/07/13/44/ Out of Office] for Squirrelmail<br />
* [https://help.ubuntu.com/community/Postfix Postfix Ubuntu documentation]<br />
* [http://sherlock.heroku.com/blog/2012/02/03/setting-up-postfix-to-use-gmail-as-an-smtp-relay-host-in-archlinux/ Use Gmail as an SMTP relay]</div>Lukeshuhttps://wiki.archlinux.org/index.php?title=Postfix&diff=457493Postfix2016-11-22T19:03:58Z<p>Lukeshu: /* main.cf */ Tix typos in FREAK/Logjam cipher exclude list. Shame on Archaurwiki for mis-instructing so many people</p>
<hr />
<div>[[Category:Mail server]]<br />
[[ja:Postfix]]<br />
{{Related articles start}}<br />
{{Related|PostFix Howto With SASL}}<br />
{{Related|Amavis}}<br />
{{Related|Virtual user mail system}}<br />
{{Related|Courier MTA}}<br />
{{Related|Exim}}<br />
{{Related|OpenSMTPD}}<br />
{{Related|OpenDMARC}}<br />
{{Related|OpenDKIM}}<br />
{{Related|SOGo}}<br />
{{Related articles end}}<br />
From [http://www.postfix.org/ Postfix's site]:<br />
:Postfix attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.<br />
<br />
The goal of this article is to setup Postfix and explain what the basic configuration files do. There are instructions for setting up local system user-only delivery and a link to a guide for virtual user delivery. <br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|postfix}} package.<br />
<br />
== Configuration ==<br />
<br />
=== master.cf ===<br />
<br />
{{ic|/etc/postfix/master.cf}} is the master configuration file where you can specify what kinds of protocols you will serve. It is also the place where you can put your new pipes e.g. to check for Spam!<br />
<br />
It is recommended to enable secure SMTP as described in [[#Secure SMTP]].<br />
<br />
See [http://www.postfix.org/TLS_README.html this page] for more information about encrypting outgoing and incoming email.<br />
<br />
=== main.cf ===<br />
<br />
{{Style|Needs some cleanup}}<br />
<br />
{{ic|/etc/postfix/main.cf}} is the main configuration file where everything is configured. The settings below are recommended for virtual local-only delivery.<br />
<br />
*{{ic|myhostname}} should be set if your mail server has multiple domains, and you do not want the primary domain to be the mail host. You should have both a DNS A record and an MX record point to this hostname.<br />
:{{bc|1=myhostname = mail.nospam.net}}<br />
<br />
*{{ic|mydomain}} is usually the value of {{ic|myhostname}}, minus the first part. If your domain is wonky, then just set it manually.<br />
:{{bc|1=mydomain = nospam.net}}<br />
<br />
*{{ic|myorigin}} is where the email will be seen as being sent from. I usually set this to the value of {{ic|mydomain}}. For simple servers, this works fine. This is for mail originating from a local account. Since we are not doing local delivery (except sending), then this is not really as important as it normally would be. <br />
:{{bc|1=myorigin = $mydomain}}<br />
<br />
*{{ic|mydestination}} is the lookup for local users.<br />
:{{bc|1=mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain}}<br />
<br />
*{{ic|mynetworks}} and {{ic|mynetworks_style}} control relaying, and whom is allowed to. We do not want any relaying.<br />
:For our sakes, we will simply set {{ic|mynetwork_style}} to host, as we are trying to make a standalone Postfix host, that people will use webmail on. No relaying, no other MTA's. Just webmail.<br />
:{{bc|1=mynetworks_style = host}}<br />
<br />
*{{ic|relaydomains}} controls the destinations that Postfix will relay TO. The default value is empty. This should be fine for now.<br />
:{{bc|1=relay_domains = }}<br />
<br />
*{{ic|home_mailbox}} or {{ic|mail_spool_directory}} control how mail is delivered/stored for the users.<br />
:If set, {{ic|mail_spool_directory}} specifies an absolute path where mail gets delivered. By default Postfix stores mails in {{ic|/var/spool/mail}}. <br />
<br />
:{{bc|1=mail_spool_directory = /home/vmailer}}<br />
<br />
:Alternatively, if set, {{ic|home_mailbox}} specifies a mailbox relative to the user's home directory where mail gets delivered (eg: /home/vmailer).<br />
<br />
:Courier-IMAP requires "Maildir" format, so you '''must''' set it like the following example with trailing slash:<br />
:{{bc|1=home_mailbox = Maildir/}}<br />
<br />
{{Warning|If you plan on implementing SSL/TLS, please respond safely to [http://disablessl3.com/ POODLE] and [https://weakdh.org/sysadmin.html FREAK/Logjam] by adding the following to your configuration:<br />
{{bc|1=<br />
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3<br />
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3<br />
smtpd_tls_protocols=!SSLv2,!SSLv3<br />
smtp_tls_protocols=!SSLv2,!SSLv3<br />
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA}}<br />
<br />
Then, generate a [https://www.openssl.org/docs/apps/dhparam.html dhparam file] by following [https://weakdh.org/sysadmin.html these instructions] and then adding the following to your configuration:<br />
{{bc|1=smtpd_tls_dh1024_param_file = ${config_directory}/dhparams.pem}}<br />
}}<br />
<br />
==== Default message and mailbox size limits ====<br />
<br />
Postfix imposes both message and mailbox size limits by default. The message_size_limit controls the maximum size in bytes of a message, including envelope information. (default 10240000) The mailbox_size_limit controls the maximum size of any local individual mailbox or maildir file. This limits the size of '''any''' file that is written to upon local delivery, '''including files written by external commands''' (i.e. procmail) that are executed by the local delivery agent. (default is 51200000, set to 0 for no limit) If bounced message notifications are generated, check the size of the local mailbox under {{ic|/var/spool/mail}} and use postconf to check these size limits:<br />
<br />
# postconf mailbox_size_limit<br />
mailbox_size_limit = 51200000<br />
# postconf message_size_limit<br />
message_size_limit = 10240000<br />
<br />
=== Aliases ===<br />
<br />
You can specify aliases (also known as forwarders) in {{ic|/etc/postfix/aliases}}.<br />
<br />
You need to map all mail addressed to ''root'' to another account since it is not a good idea to read mail as root. <br />
<br />
Uncomment the following line, and change {{ic|you}} to a real account.<br />
root: you<br />
<br />
Once you have finished editing {{ic|/etc/postfix/aliases}} you must run the postalias command:<br />
postalias /etc/postfix/aliases<br />
For later changes you can use:<br />
newaliases<br />
<br />
{{Tip|Alternatively you can create the file {{ic|~/.forward}}, e.g. {{ic|/root/.forward}} for root. Specify the user to whom root mail should be forwarded, e.g. ''user@localhost''.<br />
<br />
{{hc|/root/.forward|<br />
user@localhost<br />
}}<br />
<br />
}}<br />
<br />
=== Local mail ===<br />
<br />
To only deliver mail to local system users (that are in {{ic|/etc/passwd}}) update {{ic|/etc/postfix/main.cf}} to reflect the following configuration. Uncomment, change, or add the following lines:<br />
<br />
myhostname = localhost<br />
mydomain = localdomain<br />
mydestination = $myhostname, localhost.$mydomain, localhost<br />
inet_interfaces = $myhostname, localhost<br />
mynetworks_style = host<br />
default_transport = error: outside mail is not deliverable<br />
<br />
All other settings may remain unchanged. After setting up the above configuration file, you may wish to set up some [[#Aliases]] and then [[#Start Postfix]].<br />
<br />
=== Virtual mail ===<br />
Virtual mail is mail that does not map to a user account ({{ic|/etc/passwd}}).<br />
<br />
See [[Virtual user mail system]] for a comprehensive guide how to set it up.<br />
<br />
=== DNS records ===<br />
<br />
An MX record should point to the mail host. Usually this is done from configuration interface of your domain provider.<br />
<br />
A mail exchanger record (MX record) is a type of resource record in the Domain Name System that specifies a mail server responsible for accepting email messages on behalf of a recipient's domain. <br />
<br />
When an e-mail message is sent through the Internet, the sending mail transfer agent queries the Domain Name System for MX records of each recipient's domain name. This query returns a list of host names of mail exchange servers accepting incoming mail for that domain and their preferences. The sending agent then attempts to establish an SMTP connection to one of these servers, starting with the one with the smallest preference number, delivering the message to the first server with which a connection can be made. <br />
<br />
{{Note|Some mail servers will not deliver mail to you if your MX record points to a CNAME. For best results, always point an MX record to an A record definition. For more information, see e.g. [[Wikipedia:List of DNS record types|Wikipedia's List of DNS Record Types]].}}<br />
<br />
=== Check configuration ===<br />
<br />
Run the {{ic|postfix check}} command. It should output anything that you might have done wrong in a config file. <br />
<br />
To see all of your configs, type {{ic|postconf}}. To see how you differ from the defaults, try {{ic|postconf -n}}.<br />
<br />
== Start Postfix ==<br />
<br />
{{Note|You must run {{ic|newaliases}} at least once for postfix to run, even if you did not set up any [[#Aliases]].}}<br />
<br />
[[Start/enable]] the {{ic|postfix.service}}.<br />
<br />
== Testing ==<br />
<br />
{{Style|Needs some cleanup. There are probably more general ways to write this.}}<br />
<br />
Now lets see if Postfix is going to deliver mail for our test user.<br />
{{bc|<br />
nc servername 25<br />
helo testmail.org<br />
mail from:<test@testmail.org><br />
rcpt to:<cactus@virtualdomain.tld><br />
data<br />
This is a test email.<br />
.<br />
quit<br />
}}<br />
<br />
=== Error response ===<br />
<br />
451 4.3.0 <lisi@test.com>:Temporary lookup failure<br />
Maybe you have entered the wrong user/password for MySQL or the MySQL socket is not in the right place.<br />
<br />
This error will also occur if you neglect to run newaliases at least once before starting postfix. MySQL is not required for local only usage of postfix.<br />
<br />
550 5.1.1 <email@spam.me>: Recipient address rejected: User unknown in virtual mailbox table.<br />
Double check content of mysql_virtual_mailboxes.cf and check the main.cf for mydestination<br />
<br />
=== See that you have received a email ===<br />
<br />
Now type {{ic|$ find /home/vmailer}}.<br />
<br />
You should see something like the following:<br />
{{bc|<br />
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld<br />
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/tmp<br />
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/cur<br />
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/new<br />
/home/vmailer/virtualdomain.tld/cactus@virtualdomain.tld/new/1102974226.2704_0.bonk.testmail.org<br />
}}<br />
The key is the last entry. This is an actual email, if you see that, it is working.<br />
<br />
== Extra ==<br />
<br />
=== PostfixAdmin ===<br />
<br />
To use PostfixAdmin, you need a working Apache/MySQL/PHP setup as described in [[Apache HTTP Server]].<br />
<br />
For IMAP functionality, you will need to install {{Pkg|php-imap}} and uncomment imap.so in /etc/php/php.ini<br />
<br />
Next, [[install]] {{Pkg|postfixadmin}}.<br />
<br />
{{Style|in-code comments}}<br />
<br />
Edit the PostfixAdmin configuration file:<br />
<br />
{{hc|/etc/webapps/postfixadmin/config.inc.php|<nowiki><br />
$CONF['configured'] = true;<br />
// correspond to dovecot maildir path /home/vmail/%d/%u <br />
$CONF['domain_path'] = 'YES';<br />
$CONF['domain_in_mailbox'] = 'NO';<br />
$CONF['database_type'] = 'mysql';<br />
$CONF['database_host'] = 'localhost';<br />
$CONF['database_user'] = 'postfix_user';<br />
$CONF['database_password'] = 'hunter2';<br />
$CONF['database_name'] = 'postfix_db';<br />
<br />
// globally change all instances of ''change-this-to-your.domain.tld'' <br />
// to an appropriate value<br />
</nowiki>}}<br />
<br />
If installing dovecot and you changed the password scheme in dovecot (to SHA512-CRYPT for example), reflect that with postfix<br />
<br />
{{hc|/etc/webapps/postfixadmin/config.inc.php|<nowiki><br />
$CONF['encrypt'] = 'dovecot:SHA512-CRYPT';<br />
</nowiki>}}<br />
<br />
As of dovecot 2, dovecotpw has been deprecated. You will also want to ensure that your config reflects the new binary name.<br />
<br />
{{hc|/etc/webapps/postfixadmin/config.inc.php|<nowiki><br />
$CONF['dovecotpw'] = "/usr/sbin/doveadm pw";<br />
</nowiki>}}<br />
<br />
Create the Apache configuration file:<br />
{{hc|/etc/httpd/conf/extra/httpd-postfixadmin.conf|<nowiki><br />
Alias /postfixadmin "/usr/share/webapps/postfixAdmin"<br />
<Directory "/usr/share/webapps/postfixAdmin"><br />
DirectoryIndex index.html index.php<br />
AllowOverride All<br />
Options FollowSymlinks<br />
Require all granted<br />
</Directory><br />
</nowiki>}}<br />
<br />
To only allow localhost access to postfixadmin (for heightened security), add this to the previous <Directory> directive:<br />
Order Deny,Allow<br />
Deny from all<br />
Allow from 127.0.0.1<br />
<br />
Now, include httpd-postfixadmin.conf to {{ic|/etc/httpd/conf/httpd.conf}}:<br />
# PostfixAdmin configuration<br />
Include conf/extra/httpd-postfixadmin.conf<br />
<br />
{{Note|If you go to yourdomain/postfixadmin/setup.php and it says do not find config.inc.php, add {{ic|/etc/webapps/postfixadmin}} to the {{ic|open_basedir}} line in {{ic|/etc/php/php.ini}}.}}<br />
{{Note|If you get a blank page check the syntax of the file with {{ic|php -l /etc/webapps/postfixadmin/config.inc.php}}.}}<br />
<br />
=== Secure SMTP ===<br />
For more information, see [http://www.postfix.org/TLS_README.html Postfix TLS Support].<br />
==== STARTTLS over SMTP (port 587) ====<br />
<br />
To enable STARTTLS over SMTP (port 587, the proper way of securing SMTP), add the following lines to {{ic|main.cf}}<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_tls_security_level = may<br />
smtpd_tls_cert_file = '''/path/to/cert.pem'''<br />
smtpd_tls_key_file = '''/path/to/key.pem'''<br />
}}<br />
<br />
Also in {{ic|master.cf}} find and remove the comment from the following line to enable the service on that port:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
submission inet n - n - - smtpd<br />
}}<br />
<br />
If you need support for the deprecated SMTPS port 465, read the next section.<br />
<br />
==== SMTPS (port 465) ====<br />
<br />
The deprecated method of securing SMTP is using the '''wrapper mode''' which uses the system service '''smtps''' as a non-standard service and runs on port 465.<br />
<br />
To enable it uncomment the following lines in<br />
<br />
{{hc|/etc/postfix/master.cf|<nowiki><br />
smtps inet n - n - - smtpd<br />
-o smtpd_tls_wrappermode=yes<br />
-o smtpd_sasl_auth_enable=yes<br />
</nowiki>}}<br />
<br />
And verify that these lines are in {{ic|/etc/services}}:<br />
smtps 465/tcp # Secure SMTP<br />
smtps 465/udp # Secure SMTP<br />
<br />
If they are not there, go ahead and add them (replace the other listing for port 465). Otherwise Postfix will not start and you will get the following error:<br />
<br />
''postfix/master[5309]: fatal: 0.0.0.0:smtps: Servname not supported for ai_socktype''<br />
<br />
=== SpamAssassin ===<br />
<br />
Install the {{Pkg|spamassassin}} package.<br />
<br />
Go over {{ic|/etc/mail/spamassassin/local.cf}} and configure it to your needs.<br />
<br />
==== Spam Assassin rule update ====<br />
<br />
Update the SpamAssassin matching patterns and compile them:<br />
# sa-update<br />
# sa-compile<br />
<br />
You will want to run this periodically, the best way to do so is by setting up a [[Systemd/Timers]].<br />
<br />
Create the following service, which will run these commands:<br />
{{hc|1=/etc/systemd/system/spamassassin-update.service|2=<br />
[Unit]<br />
Description=spamassassin housekeeping stuff<br />
<br />
[Service]<br />
User=spamd<br />
Group=spamd<br />
Type=oneshot<br />
ExecStart=-/usr/bin/vendor_perl/sa-update --allowplugins #You can remove the allowplugins options if you do not want direct plugin updates from SA.<br />
ExecStart=-/usr/bin/vendor_perl/sa-compile<br />
# You can automatically train SA's bayes filter by uncommenting this line and specifying the path to a mailbox where you store email that is spam (for ex this could be yours or your users manually reported spam)<br />
#ExecStart=-/usr/bin/vendor_perl/sa-learn --spam <path to your spam><br />
}}<br />
<br />
Then create the timer, which will execute the previous service daily:<br />
{{hc|1=/etc/systemd/system/spamassassin-update.timer|2=<br />
[Unit]<br />
Description=spamassassin house keeping<br />
<br />
[Timer]<br />
OnCalendar=daily<br />
Persistent=true<br />
<br />
[Install]<br />
WantedBy=timers.target<br />
}}<br />
<br />
Finally, you'll need to modify your Spamassassin systemd service file so that it knows to restart itself to read the new rules. Copy the bundled service file to a custom service file:<br />
{{bc|1=<br />
# cp /usr/lib/systemd/system/spamassassin.service /etc/systemd/system<br />
}}<br />
<br />
And edit the newly created {{ic|/etc/systemd/system/spamassassin.service}} to include:<br />
{{bc|1=<br />
[Unit]<br />
PartOf=spamassassin-update.service<br />
}}<br />
<br />
This will ensure that Spamassassin's spamd is restarted just before the timer runs. This means the rules will be available the next day if your timer runs daily. This is so that there is no long service interruption while {{ic|sa.service}} runs as it takes a while to compile rules.<br />
<br />
Now you can [[start]] and [[enable]] {{ic|spamassassin-update.service}}.<br />
<br />
==== SpamAssassin stand-alone generic setup ====<br />
<br />
{{Note|If you want to combine SpamAssassin and Dovecot Mail Filtering, ignore the next two lines and continue further down instead.}}<br />
<br />
Edit {{ic|/etc/postfix/master.cf}} and add the content filter under smtp.<br />
{{bc|1=<br />
smtp inet n - n - - smtpd<br />
-o content_filter=spamassassin<br />
}}<br />
<br />
Also add the following service entry for SpamAssassin<br />
{{bc|1=<br />
spamassassin unix - n n - - pipe<br />
flags=R user=spamd argv=/usr/bin/vendor_perl/spamc -e /usr/bin/sendmail -oi -f ${sender} ${recipient}<br />
}}<br />
<br />
Now you can [[start]] {{ic|spamassassin.service}}.<br />
<br />
==== SpamAssassin combined with Dovecot LDA / Sieve (Mailfiltering) ====<br />
Set up LDA and the Sieve-Plugin as described in [[Dovecot#Sieve]]. But ignore the last line {{ic|mailbox_command... }}.<br />
<br />
Instead add a pipe in {{ic|/etc/postfix/master.cf}}:<br />
dovecot unix - n n - - pipe<br />
flags=DRhu user=vmail:vmail argv=/usr/bin/vendor_perl/spamc -u spamd -e /usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}<br />
<br />
And activate it in {{ic|/etc/postfix/main.cf}}:<br />
virtual_transport = dovecot<br />
<br />
==== SpamAssassin combined with Dovecot LMTP / Sieve ====<br />
Set up the LMTP and Sieve as described in [[Dovecot#Sieve]].<br />
<br />
Edit {{ic|/etc/dovecot/conf.d/90-plugins.conf}} and add:<br />
<br />
sieve_before = /etc/dovecot/sieve.before.d/<br />
sieve_extensions = +vnd.dovecot.filter<br />
sieve_plugins = sieve_extprograms<br />
sieve_filter_bin_dir = /etc/dovecot/sieve-filter<br />
sieve_filter_exec_timeout = 120s #this is often needed for the long running spamassassin scans, default is otherwise 10s<br />
<br />
Create the directory and put spamassassin in as a binary that can be ran by dovecot:<br />
<br />
# mkdir /etc/dovecot/sieve-filter<br />
# ln -s /usr/bin/vendor_perl/spamc /etc/dovecot/sieve-filter/spamc<br />
<br />
Create a new file, {{ic|/etc/dovecot/sieve.before.d/spamassassin.sieve}} which contains:<br />
<br />
require [ "vnd.dovecot.filter" ];<br />
filter "spamc" [ "-d", "127.0.0.1", "--no-safe-fallback" ];<br />
<br />
Compile the sieve rules {{ic|spamassassin.svbin}}:<br />
<br />
# cd /etc/dovecot/sieve.before.d<br />
# sievec spamassassin.sieve<br />
<br />
Finally, [[restart]] {{ic|dovecot.service}}.<br />
<br />
==== Call ClamAV from SpamAssassin ====<br />
<br />
Install and setup clamd as described in [[ClamAV]].<br />
<br />
Follow one of the above instructions to call SpamAssassin from within your mail system.<br />
<br />
[[Install]] the {{pkg|perl-cpanplus-dist-arch}} package. Then install the ClamAV perl library as follows:<br />
<br />
# /usr/bin/vendor_perl/cpanp -i File::Scan::ClamAV<br />
<br />
Add the 2 files from http://wiki.apache.org/spamassassin/ClamAVPlugin into {{ic|/etc/mail/spamassassin/}}.<br />
Edit {{ic|/etc/mail/spamassassin/clamav.pm}} and update {{ic|$CLAM_SOCK}} to point to your Clamd socket location (default is {{ic|/var/lib/clamav/clamd.sock}}).<br />
<br />
Finally, [[restart]] {{ic|spamassassin.service}}.<br />
<br />
=== Using Razor ===<br />
Make sure you have installed SpamAssassin first, then:<br />
<br />
[[Install]] the {{Pkg|razor}} package.<br />
<br />
Register with Razor.<br />
<br />
# mkdir /etc/mail/spamassassin/razor<br />
# chown spamd:spamd /etc/mail/spamassassin/razor<br />
# sudo -u spamd -s<br />
$ razor-admin -home=/etc/mail/spamassassin/razor -register<br />
$ razor-admin -home=/etc/mail/spamassassin/razor -create<br />
$ razor-admin -home=/etc/mail/spamassassin/razor -discover<br />
<br />
Tell SpamAssassin about Razor, add<br />
<br />
razor_config /etc/mail/spamassassin/razor/razor-agent.conf<br />
<br />
to {{ic|/etc/mail/spamassassin/local.cf}}.<br />
<br />
Tell Razor about itself, add<br />
<br />
razorhome = /etc/mail/spamassassin/razor/<br />
<br />
to {{ic|/etc/mail/spamassassin/razor/razor-agent.conf}}<br />
<br />
Finally, [[restart]] {{ic|spamassassin.service}}.<br />
<br />
===Hide the sender's IP and user agent in the Received header===<br />
This is a privacy concern mostly, if you use Thunderbird and send an email. The received header will contain your LAN and WAN IP and info about the email client you used.<br />
(Original source: [http://askubuntu.com/questions/78163/when-sending-email-with-postfix-how-can-i-hide-the-senders-ip-and-username-in AskUbuntu])<br />
What we want to do is remove the Received header from outgoing emails. This can be done by the following steps:<br />
<br />
Add this line to main.cf<br />
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks<br />
Create /etc/postfix/smtp_header_checks with this content:<br />
/^Received: .*/ IGNORE<br />
/^User-Agent: .*/ IGNORE<br />
Finally, restart postfix.service<br />
<br />
=== Postfix in a chroot jail ===<br />
Postfix is not put in a chroot jail by default. The Postfix documentation [http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup] provides details about how to accomplish such a jail. The steps are outlined below and are based on the chroot-setup script provided in the postfix source code.<br />
<br />
First, go into the {{ic|master.cf}} file in the directory {{ic|/etc/postfix}} and change all the chroot entries to 'yes' (y) except for the services {{ic|qmgr}}, {{ic|proxymap}}, {{ic|proxywrite}}, {{ic|local}}, and {{ic|virtual}}<br />
<br />
Second, create two functions that will help us later with copying files over into the chroot jail (see last step)<br />
CP="cp -p"<br />
<br />
cond_copy() {<br />
# find files as per pattern in $1<br />
# if any, copy to directory $2<br />
dir=`dirname "$1"`<br />
pat=`basename "$1"`<br />
lr=`find "$dir" -maxdepth 1 -name "$pat"`<br />
if test ! -d "$2" ; then exit 1 ; fi<br />
if test "x$lr" != "x" ; then $CP $1 "$2" ; fi<br />
}<br />
<br />
Next, make the new directories for the jail:<br />
set -e<br />
umask 022<br />
<br />
POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}<br />
cd ${POSTFIX_DIR}<br />
<br />
mkdir -p etc lib usr/lib/zoneinfo<br />
test -d /lib64 && mkdir -p lib64<br />
<br />
Find the localtime file<br />
lt=/etc/localtime<br />
if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi<br />
rm -f etc/localtime<br />
<br />
Copy localtime and some other system files into the chroot's etc<br />
$CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc<br />
$CP -f /etc/host.conf /etc/hosts /etc/passwd etc<br />
ln -s -f /etc/localtime usr/lib/zoneinfo<br />
<br />
Copy required libraries into the chroot using the previously created function {{ic|cond_copy}}<br />
cond_copy '/usr/lib/libnss_*.so*' lib<br />
cond_copy '/usr/lib/libresolv.so*' lib<br />
cond_copy '/usr/lib/libdb.so*' lib<br />
<br />
And don't forget to reload postfix.<br />
<br />
===Rule-based mail processing===<br />
With policy services one can easily finetune postfix' behaviour of mail delivery.<br />
{{Pkg|postfwd}} and <span class="plainlinks archwiki-template-pkg">[https://aur.archlinux.org/pkgbase/policyd policyd]</span><sup><small>AUR</small></sup> provide services to do so.<br />
This allows you to e.g. implement time-aware grey- and blacklisting of senders and receivers as well as [[SPF]] policy checking.<br />
<br />
Policy services are standalone services and connected to Postfix like this:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_recipient_restrictions =<br />
...<br />
check_policy_service unix:/run/policyd.sock<br />
check_policy_service inet:127.0.0.1:10040<br />
</nowiki>}}<br />
Placing policy services at the end of the queue reduces load, as only legitimate mails are processed. Be sure to place it before the first permit statement to catch all incoming messages.<br />
<br />
=== DANE (DNSSEC) ===<br />
==== Resource Record ====<br />
<br />
{{warning|This is not a trivial section. Be aware that you make sure you know what you are doing. You better read [https://dane.sys4.de/common_mistakes Common Mistakes] before.}}<br />
<br />
DANE supports several types of records, however not all of them are suitable in postfix.<br />
<br />
Certificate usage 0 is unsupported, 1 is mapped to 3 and 2 is optional, thus it is recommendet to publish a "3" record.<br />
More on [[DANE#Resource Record|Resource Records]].<br />
<br />
==== Configuration ====<br />
Opportunistic DANE is configured this way:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
smtpd_use_tls = yes<br />
smtp_dns_support_level = dnssec<br />
smtp_tls_security_level = dane<br />
</nowiki>}}<br />
{{hc|/etc/postfix/master.cf|<nowiki><br />
dane unix - - n - - smtp<br />
-o smtp_dns_support_level=dnssec<br />
-o smtp_tls_security_level=dane<br />
</nowiki>}}<br />
<br />
To use per-domain policies, e.g. opportunistic DANE for example.org and mandatory DANE for example.com,<br />
use something like this:<br />
{{hc|/etc/postfix/main.cf|<nowiki><br />
indexed = ${default_database_type}:${config_directory}/<br />
<br />
# Per-destination TLS policy<br />
#<br />
smtp_tls_policy_maps = ${indexed}tls_policy<br />
<br />
# default_transport = smtp, but some destinations are special:<br />
#<br />
transport_maps = ${indexed}transport<br />
</nowiki>}}<br />
<br />
{{hc|transport|<br />
example.com dane<br />
example.org dane<br />
}}<br />
<br />
{{hc|tls_policy|<br />
example.com dane-only<br />
}}<br />
<br />
{{Note|For global mandatory DANE, change {{ic|smtp_tls_security_level}} to {{ic|dane-only}}. Be aware that this makes postfix tempfail on all delivieres that do not use DANE at all!}}<br />
<br />
Full documentation is found [http://www.postfix.org/TLS_README.html#client_tls_dane here].<br />
<br />
== See also ==<br />
<br />
* [http://linox.be/index.php/2005/07/13/44/ Out of Office] for Squirrelmail<br />
* [https://help.ubuntu.com/community/Postfix Postfix Ubuntu documentation]<br />
* [http://sherlock.heroku.com/blog/2012/02/03/setting-up-postfix-to-use-gmail-as-an-smtp-relay-host-in-archlinux/ Use Gmail as an SMTP relay]</div>Lukeshuhttps://wiki.archlinux.org/index.php?title=NetworkManager&diff=235018NetworkManager2012-11-12T05:21:05Z<p>Lukeshu: 65kid is a liar, the rule still works if you have logind sessions working</p>
<hr />
<div>[[Category:Networking]]<br />
[[cs:NetworkManager]]<br />
[[de:Networkmanager]]<br />
[[es:NetworkManager]]<br />
[[fr:NetworkManager]]<br />
[[it:NetworkManager]]<br />
[[pt:NetworkManager]]<br />
[[ru:NetworkManager]]<br />
[[tr:NetworkManager]]<br />
[[zh-CN:NetworkManager]]<br />
{{Article summary start}}<br />
{{Article summary text|Covers installation and configuration of NetworkManager &ndash; a set of co-operative tools that make networking simple and straightforward.}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Networking overview}}}}<br />
{{Article summary end}}<br />
<br />
[http://projects.gnome.org/NetworkManager/ NetworkManager] is a program for providing detection and configuration for systems to automatically connect to network. NetworkManager's functionality can be useful for both wireless and wired networks. For wireless networks, NetworkManager prefers known wireless networks and has the ability to switch to the most reliable network. NetworkManager-aware applications can switch from online and offline mode. NetworkManager also prefers wired connections over wireless ones, has support for modem connections and certain types of VPN. NetworkManager was originally developed by Red Hat and now is hosted by the [[GNOME]] project.<br />
<br />
== Base install ==<br />
<br />
NetworkManager can be installed with the package {{Pkg|networkmanager}}, available in the [[official repositories]].<br />
<br />
=== VPN support ===<br />
<br />
Network Manager VPN support is based on a plug-in system. If you need VPN support via network manager you have to install one of the following packages in [[official repositories]]:<br />
<br />
networkmanager-openvpn<br />
networkmanager-pptp<br />
networkmanager-vpnc<br />
<br />
== Graphical front-ends ==<br />
<br />
To configure and have easy access to NetworkManager most people will want to install an applet. This GUI front-end usually resides in the system tray (or notification area) and allows network selection and configuration of NetworkManager. Various applets exist for different types of desktops.<br />
<br />
=== GNOME ===<br />
<br />
GNOME's {{Pkg|network-manager-applet}} (formerly gnome-network-manager) is lightweight enough and works across all environments.<br />
<br />
If you want to store authentication details (Wireless/DSL) and enable global connection settings, i.e "available to all users" install and configure [[GNOME Keyring]].<br />
<br />
=== KDE4 ===<br />
<br />
The KNetworkManager front-end has been made available since KDE 4.4 as a Plasma widget available in the official repositories:<br />
{{Pkg|kdeplasma-applets-networkmanagement}}.<br />
<br />
The GNOME counterpart works just as nicely, or even better (has more features and detects more hardware).<br />
<br />
{{Note|If you are changing from another network managing tool like [[Wicd]], do not forget to set the default 'Network Management Backend' in <br />
System Settings -> Hardware -> Information Sources}}<br />
<br />
If you have both the Plasma widget and {{ic|nm-applet}} installed and do not want to start {{ic|nm-applet}} when using KDE, add the following line to {{ic|/etc/xdg/autostart/nm-applet.desktop}}:<br />
NotShowIn=KDE<br />
<br />
=== KDE3 ===<br />
Though no longer supported, {{AUR|kdemod3-knetworkmanager}} can be found in the [[AUR]]. This is a modified version of KNetworkManager for the [[Trinity]] DE and requires NetworkManager 0.8.<br />
<br />
=== XFCE ===<br />
{{Pkg|network-manager-applet}} will work fine in XFCE, but in order to see notifications, ''including error messages'', {{ic|nm-applet}} needs an implementation of the Freedesktop desktop notifications specification (see the [http://www.galago-project.org/specs/notification/0.9/index.html Galapago Project]) to display them. To enable notifications install {{Pkg|xfce4-notifyd}}, a package that provides an implementation for the specification.<br />
<br />
Without such a notification daemon, {{ic|nm-applet}} outputs the following errors to stdout/stderr:<br />
<br />
(nm-applet:24209): libnotify-WARNING **: Failed to connect to proxy<br />
<br />
** (nm-applet:24209): WARNING **: get_all_cb: couldn't retrieve<br />
system settings properties: (25) Launch helper exited with unknown<br />
return code 1.<br />
<br />
** (nm-applet:24209): WARNING **: fetch_connections_done: error<br />
fetching connections: (25) Launch helper exited with unknown return<br />
code 1.<br />
<br />
** (nm-applet:24209): WARNING **: Failed to register as an agent:<br />
(25) Launch helper exited with unknown return code 1<br />
<br />
{{ic|nm-applet}} will still work fine, though, but without notifications.<br />
<br />
=== Openbox ===<br />
<br />
To function properly in Openbox, the GNOME applet requires the {{Pkg|xfce4-notifyd}} notification daemon for the same reason as in XFCE and the {{Pkg|gnome-icon-theme}} package to be able to display the applet in the systray.<br />
<br />
If you want to store authentication details (Wireless/DSL) install and configure [[gnome-keyring]].<br />
<br />
{{Note|If the ''networkmanager'' daemon is in {{ic|rc.conf}}, the following settings are obsolete or the applet will be started twice.}}<br />
<br />
To have Openbox's autostart start {{ic|nm-applet}} properly, you may need to delete the file {{ic|/etc/xdg/autostart/nm-applet.desktop}} (You may need to delete this file again after every update to {{Pkg|network-manager-applet}}).<br />
<br />
Then in {{ic|autostart}}, start {{ic|nm-applet}} with this line:<br />
<br />
(sleep 3 && /usr/bin/nm-applet --sm-disable) &<br />
<br />
If you experience errors connecting, make sure you have your [[D-Bus]] user session started.<br />
<br />
=== Other desktops and window managers ===<br />
<br />
In all other scenarios it is recommended to use the GNOME applet. You will also need to be sure that the {{Pkg|gnome-icon-theme}} package is installed to be able to display the applet.<br />
<br />
To store connection secrets install and configure [[gnome-keyring]].<br />
<br />
In order to run {{ic|nm-applet}} without a systray, you can use {{Pkg|trayer}} or {{Pkg|stalonetray}}. For example, you can add a script like this one in your path:<br />
{{hc|nmgui|<nowiki><br />
#!/bin/sh<br />
nm-applet > /dev/null 2>/dev/null &<br />
stalonetray > /dev/null 2>/dev/null<br />
killall nm-applet<br />
</nowiki>}}<br />
<br />
When you close the stalonetray window, it closes {{ic|nm-applet}} too, so no extra memory is used once you are done with network settings.<br />
<br />
=== Command line ===<br />
<br />
The {{Pkg|networkmanager}} package contains [http://manpages.ubuntu.com/manpages/maverick/man1/nmcli.1.html nmcli] since version 0.8.1.<br />
<br />
== Configuration ==<br />
<br />
NetworkManager will require some additional steps to be able run properly.<br />
<br />
Verify that your {{ic|/etc/hosts}} is correct before continuing. If you previously tried to connect before doing this step, NetworkManager may have altered it. An example hostname line in {{ic|/etc/hosts}}:<br />
<br />
{{bc|<br />
#<ip-address> <hostname.domain.org> <hostname> <br />
127.0.0.1 localhost.localdomain localhost dell-latitude<br />
}}<br />
<br />
=== Disable current network setup ===<br />
<br />
You will want to disable your current network setup to be able to properly test NetworkManager:<br />
# If using the Arch Linux network scripts, [[Daemon|stop]] the network daemon.<br />
# Bring down your NIC's (Network Interface Controllers, i.e. network cards). For example (using the {{Pkg|iproute2}} package):<br />
<br />
ip link set down eth0<br />
ip link set down wlan0<br />
<br />
# Edit {{ic|/etc/rc.conf}} where DHCP or a static IP address are defined by commenting them out:<br />
{{Note|Following settings are obsolete in the most recent rc.conf.}}<br />
{{bc|<nowiki><br />
#eth0="dhcp" <br />
#wlan0="dhcp" <br />
INTERFACES=(!eth0 !wlan0)<br />
</nowiki>}}<br />
<br />
# Finally, edit {{ic|/etc/rc.conf}} to '''remove''' the default ''network'' daemon or any other network management daemons you may be using.<br />
<br />
=== Enable NetworkManager ===<br />
<br />
How you enable NetworkManager depends on how your system is configured. New installations now use [[systemd]] by default. Many users have transitioned to systemd, which will become the default in the future.<br />
<br />
Once the NetworkManager daemon is started, it will automatically connect to any available "system connections" that have already been configured. Any "user connections" or unconfigured connections will need {{ic|nmcli}} or an applet to configure and connect.<br />
<br />
==== Enable NetworkManager under initscripts ====<br />
<br />
To enable NetworkManager at startup, edit the ''DAEMONS'' line in {{ic|/etc/rc.conf}} by '''adding''' the ''networkmanager'' daemon, after the dbus daemon:<br />
<br />
DAEMONS=( ...'''dbus networkmanager'''... )<br />
<br />
Be sure that the package {{Pkg|dbus}} is installed as NetworkManager will require it. To start other services (daemons) that require a network connection see the next section on how to set them up.<br />
<br />
You can start the NetworkManager daemon immediately with the following commands:<br />
<br />
{{bc|# rc.d start dbus}}<br />
{{bc|# rc.d start networkmanager}}<br />
<br />
==== Enable NetworkManager under systemd system ==== <br />
<br />
You can enable NetworkManager at startup with the following command:<br />
<br />
{{bc|# systemctl enable NetworkManager.service}}<br />
<br />
You can start the NetworkManager daemon immediately with the following command:<br />
<br />
{{bc|# systemctl start NetworkManager.service}}<br />
<br />
{{Note|If you have services which fail if they are started before the network is up, you have to use {{ic|NetworkManager-wait-online.service}} instead. This is however hardly ever necessary since most network daemons start up fine, even if the network has not been configured yet.}}<br />
<br />
=== Set up PolicyKit permissions ===<br />
<br />
See [[General Troubleshooting#Session permissions]] for setting up a working session.<br />
<br />
With a working session, you have several options for granting the necessary privileges to NetworkManager:<br />
<br />
''Option 1.'' Run a [[PolicyKit]] authentication agent when you log in, such as {{ic|/usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1}} (part of {{Pkg|polkit-gnome}}). You will be prompted for your password whenever you add or remove a network connection.<br />
<br />
''Option 2.'' Add yourself to the {{ic|wheel}} group. You will not have to enter your password, but your user account may be granted other permissions as well, such as the ability to use [[sudo]] without entering the root password.<br />
<br />
''Option 3.'' Add yourself to the {{ic|network}} group and create the following file:<br />
{{hc|/etc/polkit-1/localauthority/50-local.d/org.freedesktop.NetworkManager.pkla|<nowiki><br />
[nm-applet]<br />
Identity=unix-group:network<br />
Action=org.freedesktop.NetworkManager.*<br />
ResultAny=yes<br />
ResultInactive=no<br />
ResultActive=yes</nowiki>}}<br />
All users in the {{ic|network}} group will be able to add and remove networks without a password. This will not work under systemd if you do not have an active session with [[Systemd#Using_systemd-logind|systemd-logind]].<br />
<br />
=== Network services with NetworkManager dispatcher===<br />
<br />
There are quite a few network services that you will not want running until NetworkManager brings up an interface. Good examples are [[OpenNTPD]] and network filesystem mounts of various types (e.g. '''netfs'''). NetworkManager has the ability to start these services when you connect to a network and stop them when you disconnect.<br />
<br />
To use this feature, scripts can be added to the {{ic|/etc/NetworkManager/dispatcher.d}} directory. These scripts will need to have executable, user permissions. For security, it is good practice to make them owned by '''root:root''' and writable only by the owner.<br />
<br />
The scripts will be run in alphabetical order at connection time, and in reverse alphabetical order at disconnect time. They receive two arguments: the name of the interface (e.g. ''eth0'') and the status (''up'' or ''down''). To ensure what order they come up in, it is common to use numerical characters prior to the name of the script (e.g. {{ic|10_portmap}} or {{ic|30_netfs}} (which ensures that the portmapper is up before NFS mounts are attempted).<br />
<br />
{{Warning|For security reason. You should disable write access for group and other. For example use 755 mask.<br />
In other case it can refuse to execute script, with error message "nm-dispatcher.action: Script could not be executed: writable by group or other, or set-UID." in {{ic|/var/log/messages.log}} }}<br />
{{Warning|if you connect to foreign or public networks, be aware of what services you are starting and what servers you expect to be available for them to connect to. You could make a security hole by starting the wrong services while connected to a public network.}}<br />
<br />
==== Start OpenNTPD ====<br />
<br />
The following example starts the OpenNTPD daemon when an interface is brought up. Save the file as {{ic|/etc/NetworkManager/dispatcher.d/20_openntpd}} and make it executable.<br />
{{bc|<nowiki><br />
#!/bin/sh<br />
<br />
INTERFACE=$1 # The interface which is brought up or down<br />
STATUS=$2 # The new state of the interface<br />
<br />
case "$STATUS" in<br />
'up') # $INTERFACE is up<br />
exec rc.d start openntpd<br />
;;<br />
'down') # $INTERFACE is down<br />
# Check for active interface and down if no one active<br />
if [ ! `nm-tool|grep State|cut -f2 -d' '` = "connected" ]; then<br />
exec rc.d stop openntpd<br />
fi<br />
;;<br />
esac<br />
</nowiki>}}<br />
<br />
==== Mount remote folder with sshfs ====<br />
<br />
As the script is run in a very restrictive environment, you have to export {{ic|SSH_AUTH_SOCK}} in order to connect to your SSH agent. There are different ways to accomplish this, see [https://bbs.archlinux.org/viewtopic.php?pid=1042030#p1042030 this link] for more information. The example below works with [[gnome-keyring]], and will ask you for the password if not unlocked already. In case NetworkManager connects automatically on login, it is likely gnome-keyring has not yet started and the export will fail (hence the sleep). The {{ic|UUID}} to match can be found in {{ic|/etc/NetworkManager/system-connections/}}). <br />
<br />
#!/bin/bash<br />
USER=<your sshfs user><br />
if [ $CONNECTION_UUID == <connection UUID> ]; then<br />
case "$2" in<br />
<br />
up)<br />
#sleep 10<br />
export SSH_AUTH_SOCK=$(find /tmp/keyring-*/ -type s -user $USER -group users -name ssh)<br />
su $USER -c "/usr/bin/sshfs user@host:/remote/folder /local/folder/"<br />
;;<br />
<br />
down)<br />
fusermount -u /local/folder<br />
;;<br />
esac<br />
fi<br />
<br />
==== Use dispatcher to connect to a VPN after a network-connection is established ====<br />
<br />
In this example we want to connect automatically to a previously defined VPN connection after connecting to a specific WiFi network. First thing to do is to create the dispatcher script that defines what to do after we are connected to the network. <br />
<br />
:1. Create the dispatcher script:<br />
{{hc|/etc/NetworkManager/dispatcher.d/vpn-up|<nowiki><br />
VPN_NAME=<name of VPN connection defined in NetworkManager><br />
ESSID=<wifi network ESSID (not connection name)><br />
if [ "$2" = "up" -o "$2" = "vpn-down" ]; then # -o "$2" = "vpn-down" makes VPN reconnect after VPN connection interrupt<br />
if [ "$(iwgetid | grep ':"'$ESSID'"')" ]; then # check for ESSID match<br />
nmcli con up id "$VPN_NAME"; # parentheses needed for VPN connection names with spaces<br />
fi<br />
elif [ "$2" = "down" ]; then # disconnect VPN prior to disconnecting from the network<br />
if [ "$(iwgetid | grep ':"'$ESSID'"')" ]; then # check for ESSID match and that VPN is actually connected<br />
if [ $(nmcli con status id "$VPN_NAME" | grep -c activated) ]; then<br />
nmcli con down id "$VPN_NAME";<br />
fi<br />
fi<br />
fi<br />
</nowiki>}}<br />
Remember to make it executable with {{ic|chmod +x}} and to make the VPN connection available to all users. <br />
<br />
Trying to connect using this setup will fail and NetworkManager will complain about 'no valid VPN secrets', because of [http://projects.gnome.org/NetworkManager/developers/migrating-to-09/secrets-flags.html the way VPN secrets are stored] which brings us to step 2:<br />
<br />
:2. Edit your VPN connection configuration file to make NetworkManager store the secrets by itself rather than inside a keyring [https://bugzilla.redhat.com/show_bug.cgi?id=710552 that will be inaccessible for root]: open up {{ic|/etc/NetworkManager/system-connections/<name of your VPN connection>}} and change the {{ic|password-flags}} and {{ic|secret-flags}} form {{ic|1}} to {{ic|0}}.<br />
<br />
{{Note|It may now be necessary to re-open the NetworkManager connection editor and re-enter the VPN passwords/secrets.}}<br />
<br />
==== Use /etc/rc.conf to control services started by networkmanager ====<br />
<br />
Some Arch users may dislike having two places where the launching of daemons is configured. Using this method, network services started by NetworkManager are controlled from {{ic|rc.conf}} by the use of a {{ic|NET_DAEMONS}} array in the same fashion as the typical {{ic|DAEMONS}} array<br />
<br />
# Install {{AUR|networkmanager-dispatcher-net_daemons}} from the [[AUR]].<br />
# Ensure ''dbus'' and ''networkmanager'' are both in the {{ic|DAEMONS}} line in {{ic|rc.conf}}.<br />
# Add a {{ic|NET_DAEMONS}} line to rc.conf which includes all services you do not want started until after the network connection is established.<br />
<br />
Example {{ic|DAEMONS}} and {{ic|NET_DAEMONS}} in {{ic|rc.conf}} are shown below:<br />
<br />
{{bc|<nowiki><br />
# DAEMONS<br />
# -------<br />
#<br />
DAEMONS=(syslog-ng crond dbus networkmanager)<br />
NET_DAEMONS=(iptables nscd sshd samba avahi-daemon avahi-dnsconfd openntpd)<br />
</nowiki>}}<br />
<br />
=== Proxy settings ===<br />
<br />
NetworkManager does not directly handle proxy settings, but if you are using GNOME, you could use [http://marin.jb.free.fr/proxydriver/ proxydriver] wich handles proxy settings using NetworkManager's informations. You can find the package for {{AUR|proxydriver}} in the [[AUR]].<br />
<br />
In order for proxydriver to be able to change the proxy settings, you would need to execute this command, as part of the GNOME startup process (System -> Preferences -> Startup Applications):<br />
<br />
xhost +si:localuser:your_username<br />
<br />
See: [[Proxy settings]]<br />
<br />
== Testing ==<br />
<br />
NetworkManager applets are designed to load upon login so no further configuration should be necessary for most users. If you have already disabled your previous network settings and disconnected from your network, you can now test if NetworkManager will work. The first step is to [[Daemon|start]] the ''networkmanager'' daemon.<br />
<br />
Some applets will provide you with a {{ic|.desktop}} file so that the NetworkManager applet can be loaded through the application menu. If it does not, you are going to either have to discover the command to use or logout and login again to start the applet. Once the applet is started, it will likely begin polling network connections with for auto-configuration with a DHCP server.<br />
<br />
To start the GNOME applet in non-xdg-compliant window managers like [[Awesome]]:<br />
<br />
nm-applet --sm-disable &<br />
<br />
For static IPs you will have to configure NetworkManager to understand them. The process usually involves right-clicking the applet and selecting something like 'Edit Connections'.<br />
<br />
== Troubleshooting ==<br />
<br />
Some fixes to common problems.<br />
<br />
=== No traffic via PPTP tunnel ===<br />
<br />
PPTP connection logins successfully, you see ppp0 interface with correct VPN IP, but you cannot even ping remote IP. It is due to lack of MPPE (Microsoft Point-to-Point Encryption) support in stock Arch pppd. It is recommended to first try with the stock Arch {{Pkg|ppp}} as it may work as intended.<br />
<br />
To solve the problem it should be sufficient to install {{AUR|ppp-mppe}} from the [[AUR]].<br />
<br />
=== Network management disabled ===<br />
<br />
Sometimes when NetworkManager shuts down but the pid (state) file does not get removed and you will get a 'Network management disabled' message. If this happens, you'll have to remove it manually:<br />
<br />
# rm /var/lib/NetworkManager/NetworkManager.state<br />
<br />
If this happens upon reboot, you can add an action to your {{ic|/etc/rc.local}} to have it removed upon bootup:<br />
<br />
{{bc|<nowiki>nmpid=/var/lib/NetworkManager/NetworkManager.state<br />
[ -f $nmpid ] && rm $nmpid</nowiki>}}<br />
<br />
=== NetworkManager prevents DHCPCD from using resolv.conf.head and resolv.conf.tail ===<br />
<br />
Sometimes it is problematic to add static items to {{ic|resolv.conf}} when it is constantly rewritten by NetworkManager and {{ic|dhcpcd}}. A simple solution is using the following script:<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
# <br />
# /etc/NetworkManager/dispatcher.d/99-resolv.conf-head_and_tail<br />
# Include /etc/resolv.conf.head and /etc/resolv.conf.tail to /etc/resolv.conf<br />
#<br />
# scripts in the /etc/NetworkManager/dispatcher.d/ directory<br />
# are called alphabetically and are passed two parameters:<br />
# $1 is the interface name, and $2 is “up” or “down” as the<br />
# case may be.<br />
<br />
resolvconf='/etc/resolv.conf';<br />
cat "$resolvconf"{.head,,.tail} 2>/dev/null > "$resolvconf".tmp<br />
mv -f "$resolvconf".tmp "$resolvconf"<br />
</nowiki>}}<br />
<br />
=== Preserving changes to resolv.conf ===<br />
<br />
NetworkManager will attempt to write DNS information from DHCP into {{ic|/etc/resolv.conf}}, overwriting the existing contents. To prevent this, you can set the immutable bit on the file:<br />
# chattr +i /etc/resolv.conf<br />
<br />
To modify the file in the future, first remove the immutable bit:<br />
# chattr -i /etc/resolv.conf<br />
<br />
=== DHCP problems ===<br />
<br />
If you have problems with getting an IP via DHCP, try to add the following to your {{ic|/etc/dhclient.conf}}:<br />
interface "eth0" {<br />
send dhcp-client-identifier 01:aa:bb:cc:dd:ee:ff;<br />
}<br />
Where {{ic|aa:bb:cc:dd:ee:ff}} is the MAC address of this NIC. The MAC address can be found using the {{ic|ip link show eth0}} command from the {{Pkg|iproute2}} package.<br />
<br />
For some (incompliant) routers, you will not be able to connect properly unless you comment the line<br />
require dhcp_server_identifier<br />
in {{ic|/etc/dhcpcd.conf}} (note that this file is distinct from {{ic|dhcpd.conf}}). This should not cause issues unless you have multiple DHCP servers on your network (not typical); see [http://technet.microsoft.com/en-us/library/cc977442.aspx this page] for more information.<br />
<br />
=== Missing default route ===<br />
<br />
On at least one KDE4 system, no default route was created when establishing wireless connections with NetworkManager. Changing the route settings of the wireless connection to remove the default selection "Use only for resources on this connection" solved the issue.<br />
<br />
=== 3G modem not detected ===<br />
<br />
If NetworkManager (from v0.7.999) does not detect your 3G modem, but you still can connect using [[wvdial]], try installing <br />
{{Pkg|modemmanager}} and restart NetworkManager daemon with {{ic|rc.d restart networkmanager}}. It may also be necessary to replug or restart your modem. This utility provides support for hardware not in NetworkManager's default database.<br />
<br />
=== VPN problems in Networkmanager 0.7.999 ===<br />
<br />
If you get the error message "invalid secrets" when trying to connect to your VPN provider using the PPTP protocol, try installing the development versions from [[AUR]]: {{AUR|networkmanager-git}}, {{AUR|network-manager-applet-git}} and the PPTP plugin {{AUR|networkmanager-pptp-git}}.<br />
<br />
=== Switching off WLAN on laptops ===<br />
<br />
Sometimes NetworkManager will not work when you disable your WiFi adapter with a switch on your laptop and try to enable it again afterwards. This is often a problem with {{ic|rfkill}}. Install {{Pkg|rfkill}} from the [[official repositories]] and use <br />
<br />
$ watch -n1 rfkill list all<br />
<br />
to check if the driver notifies {{ic|rfkill}} about the wireless adapter's status.<br />
If one identifier stays blocked after you switch on the adapter you could try to manually unblock it with (where X is the number of the identifier provided by the above output):<br />
<br />
# rfkill event unblock X<br />
<br />
=== Static IP settings revert to DHCP ===<br />
<br />
Due to an unresolved bug, when changing default connections to static IP, {{ic|nm-applet}} may not properly store the configuration change, and will revert to automatic DHCP.<br />
<br />
To work around this issue you have to edit the default connection (e.g. "Auto eth0") in {{ic|nm-applet}}, change the connection name (e.g. "my eth0"), uncheck the "Available to all users" checkbox, change your static IP settings as desired, and click '''Apply'''. This will save a new connection with the given name.<br />
<br />
Next, you will want to make the default connection not connect automatically. To do so, run<br />
<br />
$ sudo nm-connection-editor # you must use sudo, not su<br />
<br />
In the connection editor, edit the default connection (eg "Auto eth0") and uncheck "Connect automatically". Click '''Apply''' and close the connection editor.<br />
<br />
=== Cannot edit connections as normal user ===<br />
<br />
See [[#Set_up_PolicyKit_permissions]].<br />
<br />
=== Forget hidden wireless network ===<br />
<br />
Since hidden network are not displayed in the selection list of the Wireless view, they cannot be forgotten (removed) with the GUI. You can delete one with the following command:<br />
<br />
# rm /etc/NetworkManager/system-connections/[SSID]<br />
$ sudo rm /etc/NetworkManager/system-connections/[SSID] # sudo equivalent<br />
<br />
This works for any other connection.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Checking if networking is up inside a cron job or script ===<br />
<br />
Some cron jobs require networking to be up to succeed. You may wish to avoid running these jobs when the network is down. To accomplish this, add an '''if''' test for networking that queries NetworkManager's {{ic|nm-tool}} and checks the state of networking. The test shown here succeeds if any interface is up, and fails if they are all down. This is convenient for laptops that might be hardwired, might be on wireless, or might be off the network. <br />
if [ `nm-tool|grep State|cut -f2 -d' '` == "connected" ]; then<br />
#Whatever you want to do if the network is online<br />
else<br />
#Whatever you want to do if the network is offline - note, this and the else above are optional<br />
fi<br />
<br />
This useful for a {{ic|cron.hourly}} script that runs {{ic|fpupdate}} for the F-Prot virus scanner signature update, as an example. Another way it might be useful, with a little modification, is to differentiate between networks using various parts of the output from {{ic|nm-tool}}; for example, since the active wireless network is denoted with an asterisk, you could grep for the network name and then grep for a literal asterisk.<br />
<br />
=== Automatically unlock keyring after login ===<br />
<br />
==== GNOME ====<br />
<br />
# Right click on the {{ic|nm-applet}} icon in your panel and select Edit Connections and open the Wireless tab<br />
# Select the connection you want to work with and click the Edit button<br />
# Check the boxes “Connect Automatically” and “Available to all users”<br />
Log out and log back in to complete.<br />
<br />
{{Note|The following method is dated and known not to work on at least one machine!}}<br />
* In {{ic|/etc/pam.d/gdm}} (or your corresponding daemon in {{ic|/etc/pam.d}}), add these lines at the end of the "auth" and "session" blocks if they do not exist already: <br />
auth optional pam_gnome_keyring.so<br />
session optional pam_gnome_keyring.so auto_start<br />
<br />
* In {{ic|/etc/pam.d/passwd}}, use this line for the 'password' block:<br />
password optional pam_gnome_keyring.so<br />
<br />
:Next time you log in, you should be asked if you want the password to be unlocked automatically on login.<br />
<br />
==== KDE ====<br />
{{Note|See http://live.gnome.org/GnomeKeyring/Pam for reference, and if you are using KDE with KDM, you can use {{AUR|pam-keyring-tool}} from the [[AUR]].}}<br />
<br />
Put a script like the following in {{ic|~/.kde4/Autostart}}:<br />
#!/bin/sh<br />
echo PASSWORD | /usr/bin/pam-keyring-tool --unlock --keyring=default -s<br />
Similar should work with Openbox, LXDE, etc.<br />
<br />
==== SLiM login manager ====<br />
<br />
*In {{ic|/etc/pam.d/slim}}, add these lines at the end of the "auth" and "session" blocks if they do not exist already: <br />
auth optional pam_gnome_keyring.so<br />
session optional pam_gnome_keyring.so auto_start<br />
<br />
*In {{ic|/etc/pam.d/passwd}}, use this line for the 'password' block:<br />
password optional pam_gnome_keyring.so<br />
<br />
*In {{ic|~/.xinitrc}}, add this at the very top, before launching your window manager and other applications:<br />
# test for an existing bus daemon, just to be safe<br />
if test -z "$DBUS_SESSION_BUS_ADDRESS" ; then<br />
# if not found, launch a new one<br />
eval `dbus-launch --sh-syntax --exit-with-session`<br />
echo "D-Bus per-session daemon address is: $DBUS_SESSION_BUS_ADDRESS"<br />
fi<br />
<br />
:Next time you log in, you should be asked if you want the password to be unlocked automatically on login.<br />
<br />
=== Ignore specific devices ===<br />
<br />
Sometimes it may be desired that NetworkManager ignores specific devices and does not try to configure addresses and routes for them.<br />
<br />
:1. You can quickly and easily ignore devices by MAC by using the following in {{ic|/etc/NetworkManager/NetworkManager.conf}} :<br />
[keyfile]<br />
unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4<br />
:After you have put this in, [[Daemon|restart]] NetworkManager, and you should be able to configure interfaces without NetworkManager altering what you have set.<br />
<br />
:2. If that is not appropriate, you could ignore by HAL.<br />
::* First you have to find out the Hal UDI (e.g. with {{ic|lshal}}):<br />
...<br />
info.product = 'Networking Interface' (string)<br />
info.subsystem = 'net' (string)<br />
info.udi = '/org/freedesktop/Hal/devices/net_00_1f_11_01_06_55' (string)<br />
linux.hotplug_type = 2 (0x2) (int)<br />
linux.subsystem = 'net' (string)<br />
...<br />
<br />
::* Add the udi to {{ic|/etc/NetworkManager/nm-system-settings.conf}}:<br />
[keyfile]<br />
unmanaged-devices=/org/freedesktop/Hal/devices/net_00_1f_11_01_06_55<br />
<br />
:Multiple devices can be specified, delimited by semicolons:<br />
<br />
[keyfile]<br />
unmanaged-devices=/org/freedesktop/Hal/devices/net_00_1f_11_01_06_55;/org/freedesktop/Hal/devices/net_00_2c_6d_e2_08_af<br />
<br />
:You do not need to restart NetworkManager for the changes to take effect.<br />
<br />
:3. Devices could also be ignored at boot time by using following script (change {{ic|NetworkManager.conf}} with {{ic|nm-system-settings.conf}} if using a version of NetworkManager smaller than 0.8.1):<br />
#!/bin/sh<br />
# author: tim noise <darknoise@drkns.net><br />
COUNT=0<br />
TARGET_FILE="/etc/NetworkManager/NetworkManager.conf"<br />
for i in `lshal | grep -A6 'Networking Interface' | awk -F "'" '/info.udi = / {print $2}'`; do<br />
if [ $COUNT = 0 ]; then<br />
COUNT=$COUNT+1;<br />
echo "unmanaged-devices=$i" >> $TARGET_FILE<br />
else<br />
echo -n ";$i" >> $TARGET_FILE<br />
fi<br />
done<br />
printf "\n" >> $TARGET_FILE<br />
<br />
:It can be changed to ignore WiFi devices, etc. being used on a non-persistant filesystem.<br />
<br />
=== Connect faster ===<br />
<br />
==== Disabling IPv6 ====<br />
<br />
Slow connection or reconnection to the network may be due to superfluous IPv6 queries in NetworkManager. If there is no IPv6 support on the local network, connecting to a network may take longer than normal while NetworkManager tries to establish an IPv6 connection that eventually times out. The solution is to disable IPv6 within NetworkManager which will make network connection faster. This has to be done once for every network you connect to.<br />
<br />
* Right-click on the network status icon.<br />
* Click on "Edit Connections".<br />
* Go to the "Wired" or "Wireless" tab, as appropriate.<br />
* Select the name of the network.<br />
* Click on "Edit".<br />
* Go to the "IPv6 Settings" tab.<br />
* In the "Method" dropdown, choose "Ignore/Disabled".<br />
* Click on "Save".<br />
<br />
==== Speed up DHCP by disabling ARP probing in DHCPCD ====<br />
<br />
{{ic|dhcpcd}} contains an implementation of a recommendation of the DHCP standard ([http://www.ietf.org/rfc/rfc2131.txt RFC2131] section 2.2) to check via ARP if the assigned IP address is really not taken. This seems mostly useless in home networks, so you can save about 5 seconds on every connect by adding the following line to {{ic|/etc/dhcpcd.conf}}:<br />
<br />
noarp<br />
<br />
This is equivalent to passing {{ic|--noarp}} to {{ic|dhcpcd}}, and disables the described ARP probing, speeding up connections to networks with DHCP.<br />
<br />
==== Use OpenDNS servers ====<br />
<br />
Create {{ic|/etc/resolv.conf.opendns}} with the nameservers:<br />
<br />
nameserver 208.67.222.222<br />
nameserver 208.67.220.220<br />
<br />
And have the dispatcher replace the discovered DHCP servers with the OpenDNS ones:<br />
<br />
{{hc|/etc/NetworkManager/dispatcher.d/dns-servers-opendns|<nowiki><br />
#!/bin/bash<br />
# Use OpenDNS servers over DHCP discovered servers<br />
<br />
cp -f /etc/resolv.conf.opendns /etc/resolv.conf</nowiki>}}<br />
<br />
Make the script executable:<br />
<br />
# chmod +x /etc/NetworkManager/dispatcher.d/dns-servers-opendns</div>Lukeshu