Running Microsoft Exchange from home.

Well thanks to my latest outage, I’ve gone back from having an Exchange server in the “cloud” (well really a server I rented), to a Virtual Server at home.

First my ‘plan’ is to get a VPS that I can run OpenVPN on.  From there I’m going to build a VM at home that will also run OpenVPN, and it will connect to the VPS.  I will then set up routing, so that the Exchange server can communicate with the VPS’s internal interface, and the VPS can communicate directly with the Exchange server.  I’ll then configure postfix to store & forward email to the Exchange server.  This way if the link drops, the VPS will just spool the mail.  Finally I’ll set up SpamAssassin to filter out the SPAM.

First you will need to have a tun0 interface in your VPS.  Almost everyone supports this these days so it shouldn’t be too hard… If you cannot get a tun0 interface, perhaps ppp0 with pptp..?

I followed these instructions on setting up OpenVPN on Debian 6.  Now granted, I’m using Debian 7, but the instructions are pretty much the same.  Basically you have to setup a CA (Certificate Authority), and then you generate a Server certificate, and a client certificate.  For my needs, I’m going to issue single certificates for everything(one) that connects into my VPN.  I also have a network at home that I want routed to the VPS, so this is included (192.168.0.0/24).

A simple server.conf looks like this:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
# the server's private key is also required; OpenVPN refuses to start without it
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 192.168.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

And the client configuration I’m using is this:

client
dev tun
proto udp
remote MYHOST MYPORT
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert hong-kong-home.crt
key hong-kong-home.key
ns-cert-type server
comp-lzo
verb 3

In the directory /etc/openvpn/ccd on the server, I have to ensure that I have a file called ‘homefw’ which is the common name of the client certificate.  It has to contain the following line to ensure that my home network is routed to the VPS.

iroute 192.168.0.0 255.255.255.0
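A subnet behind a client needs both a route line in server.conf and an iroute line in that client’s ccd file, and it is easy to get one without the other.  The following checker is an added example (not part of the original post); the server.conf and ccd contents are constructed copies of the ones above, and the file name homefw is taken from the post.

```python
import ipaddress

# Constructed copies of the post's server.conf and ccd/homefw (assumed contents).
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.0.0 255.255.255.0
"""
CCD_FILES = {
    "homefw": "iroute 192.168.0.0 255.255.255.0\n",
}


def _nets(text, keyword):
    """Collect 'keyword NETWORK NETMASK' lines as IPv4Network objects."""
    nets = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == keyword:
            nets.append(ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def check_routes(server_conf, ccd_files):
    """Return a list of problems with the route/iroute pairing.

    'route' puts the subnet into the kernel routing table, 'iroute' tells the
    OpenVPN process which client owns it.  A subnet with only one of the two
    gives the symptom described in the post: tunnel endpoints answer pings,
    the LAN behind the client does not.
    """
    problems = []
    pool = _nets(server_conf, "server")
    routes = _nets(server_conf, "route")
    iroutes = {}
    for cn, text in ccd_files.items():
        for net in _nets(text, "iroute"):
            iroutes.setdefault(net, []).append(cn)
    for net in routes:
        if net not in iroutes:
            problems.append(f"route {net} has no iroute in any ccd file")
        if any(net.overlaps(p) for p in pool):
            problems.append(f"route {net} overlaps the VPN address pool")
    for net, owners in iroutes.items():
        if net not in routes:
            problems.append(f"iroute {net} in ccd/{owners[0]} has no matching route")
        if len(owners) > 1:
            problems.append(f"iroute {net} claimed by several clients: {owners}")
    return problems
```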

Don’t forget to turn on IP forwarding on both the VPS and the local ‘tunnel router’.  For Linux based stuff you need to make sure that “/proc/sys/net/ipv4/ip_forward” is set to 1.  You can just do a simple “echo 1 > /proc/sys/net/ipv4/ip_forward” in “/etc/rc.local”, or go through your distribution’s networking documentation to make sure you set it up ‘correctly’.

In OpenBSD I just simply uncomment the following line from /etc/sysctl.conf

net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets

If you don’t have routing in place you’ll notice that you can only ping the tunnel interfaces, but not the IPs on the LAN.  While this may be fine for a p2p or client setup, it isn’t good enough if you want to route traffic.

I’m running VMware ESXi 5 at home, and thankfully it does support Windows NT 4.0 Server out of the box.  I set up a Domain Controller running DNS & WINS.  The VMware tools won’t work properly with some service pack (4 I think?) but I went all the way to 6, along with the rollup.  Until you load the service pack, the network adapter will *NOT* work.

I’m going with Exchange 5.5, so again I installed another NT 4.0 server, service packed it, and joined it to the domain controller.  Remember to install IIS, and the ASP update, as 5.5 OWA needs ASP.  Be sure to apply the latest service pack for Exchange, SP4 in the case of Exchange 5.5.

Now for routing I could go with dynamic routing, or static routing.  I chose static as I didn’t want to get too involved for this project, as I needed to get email flowing as quickly as possible.  From Windows NT, the persistent static route to the VPS end of the tunnel is:

route add 10.8.0.1 mask 255.255.255.255 192.168.0.49 -p

It is imperative, no matter what version of Exchange you run, that you turn off the open relay “feature”.  A great step by step guide is available here on msexchange.org.

With the basic routing in place you should be able to talk to the Exchange server’s SMTP engine.  You may want to set up either a local DNS and populate it with the VPS’s source address, or put in some host entries for it.

# telnet 192.168.0.55 25
Trying 192.168.0.55...
Connected to 192.168.0.55.
Escape character is '^]'.
220 exchange.superglobalmegacorp.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2653.13) ready
HELO
250 OK

Now it would be insane to place an Exchange server directly onto the internet.  Plus when the VPN link is down, it’d be nice to have the VPS store email and forward it when it can.  So for this task I installed postfix.

For me the big changes in main.cf were:

mydestination = nodedeploy.superglobalmegacorp.com, localhost.superglobalmegacorp.com, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.8.0.0/24 192.168.0.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
relay_domains = superglobalmegacorp.com work.com
transport_maps = hash:/etc/postfix/transport
virtual_alias_domains = virtuallyfun.com
virtual_alias_maps = hash:/etc/postfix/virtual

This will permit my exchange server to relay out my VPS, and tell postfix that it’s OK to accept email for the various domains I have.

My transport database is very simple.  For the email accounts I’m using two domains, so I simply instruct postfix to forward emails destined to these domains to the Exchange server.

superglobalmegacorp.com smtp:192.168.0.55
work.com smtp:192.168.0.55

And for domains I couldn’t be bothered to create mailboxes for, instead I have their email setup to forward to an existing box using a virtual domain in the ‘virtual’ file.

[email protected] [email protected]
[email protected] [email protected]

Now due to the nature of postfix you need to generate database hashes for it to work, so my script to kick this off is:

postmap hash:/etc/postfix/transport
postmap /etc/postfix/virtual
newaliases
postfix reload

Which isn’t too involved once you get the bits in the right place.
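Whether this main.cf leaves the VPS as an open relay depends on how mynetworks, mydestination, relay_domains and virtual_alias_domains interact with Postfix’s default recipient policy (permit_mynetworks, reject_unauth_destination).  The following is an added example, not code from the post: it models that policy over the settings and maps above so you can see which RCPT TO commands are accepted, relayed to Exchange, or refused.  The virtual map entry is a constructed placeholder, since the post’s addresses were obfuscated, and the relay_domains subdomain matching Postfix also does is left out.

```python
import ipaddress

# Constructed from the post's main.cf, transport and virtual files.
MAIN_CF = {
    "mydestination": ["nodedeploy.superglobalmegacorp.com",
                      "localhost.superglobalmegacorp.com", "localhost"],
    "mynetworks": ["127.0.0.0/8", "[::ffff:127.0.0.0]/104", "[::1]/128",
                   "10.8.0.0/24", "192.168.0.0/24"],
    "relay_domains": ["superglobalmegacorp.com", "work.com"],
    "virtual_alias_domains": ["virtuallyfun.com"],
}
TRANSPORT = {"superglobalmegacorp.com": "smtp:192.168.0.55",
             "work.com": "smtp:192.168.0.55"}
# Placeholder alias: the post's real addresses were obfuscated by extraction.
VIRTUAL = {"someone@virtuallyfun.com": "someone@superglobalmegacorp.com"}


def _in_mynetworks(client_ip):
    """permit_mynetworks: the Exchange server and the VPN pool may relay anywhere."""
    addr = ipaddress.ip_address(client_ip)
    for net in MAIN_CF["mynetworks"]:
        net = net.replace("[", "").replace("]", "")
        if addr in ipaddress.ip_network(net, strict=False):
            return True
    return False


def _authorized_destination(domain):
    """reject_unauth_destination: only domains this host owns or relays for."""
    return (domain in MAIN_CF["mydestination"]
            or domain in MAIN_CF["virtual_alias_domains"]
            or domain in MAIN_CF["relay_domains"])


def decide(client_ip, recipient):
    """Return (verdict, next_hop) for one RCPT TO from client_ip."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if _in_mynetworks(client_ip):
        # relayhost is empty, so anything not in the transport map goes out directly
        return ("relay", TRANSPORT.get(domain, "smtp:" + domain))
    if not _authorized_destination(domain):
        return ("reject", "554 Relay access denied")
    if domain in MAIN_CF["virtual_alias_domains"]:
        target = VIRTUAL.get(recipient.lower())
        if target is None:
            return ("reject", "550 User unknown in virtual alias table")
        return decide(client_ip, target)  # rewritten, then routed like any other mail
    if domain in MAIN_CF["mydestination"]:
        return ("accept", "local")
    return ("accept", TRANSPORT.get(domain, "relay:" + domain))
```

An external client trying to relay to a third-party domain is refused, while the same client sending to a relay domain is accepted and handed to the Exchange server at 192.168.0.55.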

Assuming you’ve got your MX records setup on the outside, with any luck you should start seeing some mail flow through.  If not telnet to port 25 and start talking to your mail server.

One problem I have is that superglobalmegacorp.com is an old domain, and it’s lapsed a few times to different idiots who not only added to the ridiculous spam lists I’m on, but also spammed from it as well.  So to deal with SPAM, I went ahead and installed spamassassin, as described in this page.

As mentioned there, adding the following to master.cf got it going (the third line is the continuation of the spamassassin entry):

smtp inet n - - - - smtpd -o content_filter=spamassassin -o syslog_name=postfix/submission
spamassassin unix - n n - - pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

And I did change the spamassassin local.cf:

use_razor2 1
use_dcc 1
use_pyzor 1

As I do get a lot of spam.

I don’t think most people will care, but this is more so for me keeping my notes straight.  So yeah, I run Exchange 5.5 at home (which I got on eBay for $25!) with Outlook 2003 on Windows XP x64.  It works well enough for me.

Web Rendering Proxy

(note this is a guest post from Tenox)

WRP is an HTTP proxy service that renders web pages into GIF images associated with a clickable imagemap of the original web links. It basically allows you to use historical and obsolete web browsers on the modern web.

See a gallery of today’s news sites. All links are clickable!

CNN via Internet Explorer 1.5
Reuters via IBM Web Explorer
BBC News via Mac Mosaic
Reddit via NextStep OmniWeb
Netscape 3.x visiting DNA Lounge
For more background information and screenshots you can see my previous post on the matter.

There are two versions. Cocoa-webkit for Mac OS X and QT-Webkit for Linux/BSD/etc. The script can be downloaded here.

Kali

My friend Mara’akate is working on locating all the versions of Kali, and its precursor iDoom/iFrag.  His collection is available here.

Briefly this software let you play Doom (and other Doom variants) with other people over the internet.

I’ll have to write something up about this later on, but before I head out this Friday evening I thought I should at least give him a quick shout out, and hope that anyone out there who has anything further to contribute will do so.

I wonder how hard it’d be to organize a Doom match in 2013…. probably just as hard as it was in 1993 if not more difficult.  Although the main issue today would be time, not finding a capable machine like it was back then.

From reading slashdot there was this fine article:

Why Didn’t the Internet Take Off In 1983?

Well I’d say it was a few simple reasons.  First, the internet in 1983 was a very limited ARPANET, which was a big deal for an institution to get onto, let alone an individual.

In the quick Slashdot post, they go on about the Viewtron service offered by AT&T.  And why did it not become such a major success, where the internet trumped everything?

It’s quite simple, nobody likes a walled garden.  You can bet that AT&T wouldn’t allow people to just spout off their opinion wherever on their network.  Even today there is a limit on what you can say on corporate networks, and on corporate systems.  The big thing about the internet is that anyone can not only register a domain, but easily get access to server software and become their own ‘site’ on the internet, independent of what large corporations may think, or wish.

The other thing to remember is the state of personal computing in 1983.  While personal eight bit computing was on the rise, there were no ‘open’ networking standards on which to build large scale networks.  Because everything had to be licensed, and people were expected to pay big money for those technologies, people (hackers!) ended up writing them on their own.  Even the mighty internet today is more so because of hackers, and not from major corporations.  And fill the gap they did, with what limited systems were available, with BBSes and FIDONET.

What about UNIX?

While UNIX was a popular OS and the hackers dream, in 1983, getting a PC to run UNIX was a BIG endeavor, as the hardware was super expensive, and licensing was very restrictive.  The big ‘player’ of course was Microsoft via SCO with Xenix. For example in 1983, an Apple Lisa was $9,999. And Xenix could easily set you back some $2000 for the OS alone.

Even by 1987 a decent Xenix machine could still set you back some $15,000! That would be $27,567.45 in 2010 dollars!  And that is just a ‘runtime’ machine, no STREAMS, TCP/IP, and NO COMPILER!

$14,559 for UNIX in 1987!


This of course brings me to the next point, about the lack of affordable 32bit general computing in 1983, and software.  Even at the university level the kind of machine that was going to be connected to the internet was a massive ‘mid’ range machine like the VAX 11/780 running BSD Unix.  Even back then BBN was trying to get its proprietary TCP/IP stack into a ‘base’ UNIX, which would further encumber the distribution of UNIX, while Bill Joy freed us all by providing BSD 4.2, and licensing it for free with only four clauses, to be redistributed and altered at will.  Which was fantastic, but the hardware requirements vs what anyone could buy off the shelf was... a massive gulf.  While a VAX with 8 MB of RAM, a 500MB disk, and an Ethernet adapter (which was again an open standard) would cost several hundred thousand dollars, the 68000 chip from Motorola was changing everything, and was democratizing network stations first with Apollo, then with SUN.

Heck even SUN was founded on trying to bring BSD 4.2 to the masses, and the SUN-1 didn’t even run BSD UNIX but rather a UniSoft port of UNIX v7. Even from the business plan, the expected price at retail was $7000.

Of course even as the hardware was getting “affordable”, where a workstation would cost as much as a mid level car, the software was *NOT* free.  This is where Richard Stallman stepped in with the FSF, and started to replace, piece by piece, all the software on SunOS with free & open equivalents.  It wasn’t until 1991 that there was enough GNU/Free software from that end to even start to bootstrap a free system (Linux).  Even the BSD people with their NET/2 release weren’t ready until 1991 as well.

In addition take a look at this computer from 1991:

It is comparable to the $14,500 IBM PS/2 model 80, but at $2,295 it is something that the average user could afford.  And even in 1991 there was the beginnings of free & Open UNIX via Linux & 386 BSD to run.

So as you can see, it was the rise of affordable 32bit computing, together with open software and open networking standards in both software and hardware, that made an open network prevalent.

As we move into the future the larger question to me is, are people going to accept the big networks trying to turn the clock backwards to these ‘gardens’ where you must obey your corporate owners, never speak ill of them, and live with all the censorship...  I still believe that what made the internet unique is that not only could you participate in a global network, but with little investment you could become part of it.  Just as someone like me, who had an issue with blogger being down for a protracted amount of time, was able to take my content and host it myself.  Something you cannot do in the walled garden of networks.

Trumpet Winsock 2.0b

So while browsing around k7tty, I came across this file, internet.zip, that pretty much has everything you need for a Windows 3.1 machine to get onto the internet using Trumpet Winsock.

I used a packet driver, along with Qemu’s built in ne2000 and it works pretty well!

While I never used Trumpet back in the day, setting it up for LAN access was pretty easy, and while Trumpet 1.0 loads on Windows 3.0 I never could find any applications that actually work with it.  Trumpet 2.0 seems more along the lines of the finalized Winsock 1.1 stacks, with plenty of applications that run with it and Windows 3.1.

Twinsock and early windows internet usage

A friend of mine let me know that there is a current drive by former users of Trumpet Winsock to actually send the author the $25 ($35 in adjusted money) that he had asked for the shareware program.  While I’ve seen Trumpet, it required a SLIP or PPP connection which I just didn’t have back in the 1993/1994 timeframe.  Sure there was SLiRP, but it was far more involved to compile on the Ultrix machine the university gave us access to, or the pay internet connection (sefl.satelnet.org!) that ran IRIX.  So I ran Troy Rollo’s Twinsock.

Besides being GPL’d twinsock proxied the socket access from your Windows 3.1 computer, and ran the requests on the Unix host you connected to. The best part is that they didn’t have to know that you even ran it. Twinsock transformed the internet from being a Unix shell account that kept many people away, into a graphical experience with windows applications executing on our desktop. Since it wasn’t a real TCP/IP stack, it effectively firewalled us, and seeing we were running Windows 3.1 that was a good thing.

So to make this experience more... realistic, I took the 386BSD 0.1 image from sourceforge, and made one tweak to how it runs.  I added the following to the Qemu execution:

-serial tcp:127.0.0.1:4445,server,nowait

Then I installed MS-DOS, Windows 3.1, a terminal program, and some TCP/IP programs to test into another Qemu virtual machine.  I then connected the two Qemu instances like a null modem, like this:

-serial tcp:127.0.0.1:4445

This way COM1 on both machines now talk together.  The only major downside I’ve seen is that if the client VM is killed, restarting it doesn’t get the serial connection working; both VMs have to be restarted from the command line.

The cool thing was I was able to use a DOS terminal program and zmodem to transfer the source to 386BSD to build.  Surprisingly this part went pretty smoothly on all the versions of Twinsock that I tested, but version 1.3 and higher were the versions that actually worked.

So with the executable built on the Unix machine, you launch the windows program, which included a minimal terminal program. And from there you can dial up, login to your Unix account, then launch the twinsock Unix component and the window minimizes and now you are ‘connected’.

Launching Twinsock
WinVN

One of the most popular programs & protocols of the “early” internet was NNTP or Net News.  Net News transitioned the world from BBSes and forum software.  The topics were incredibly diverse, and the system was distributed by nature.  And news traversed the internet in a semi-quick fashion, especially between the nodes that had T1 or faster access at the time.  Unlike downstream UUCP BBSes that may only take a small feed once a day, now with Twinsock you could get whatever groups and feeds you wanted, and as fast as your little modem could download it.

So for this fun experiment, I downloaded a suitably old version of WinVN, 0.92.1. The first thing I went looking around for was a public NNTP server. A great resource for locating various news servers that have certain groups is newzbot.

So with a suitable server in hand, I was able to connect up and check a news group. It was slow and clunky like it was in the old days, but it was neat in that client server feel to know that it was running on my desktop.

MS Telnet

Naturally it wouldn’t be the internet if you didn’t still telnet all over the world for MUDs, and even access to compilers, different systems, and school work.  I had a chore of a time finding a ‘good’ telnet client, so I ended up settling on the one that Microsoft had released with their own stack, ‘Wolverine’, as part of a TCP/IP protocol update for Windows for Workgroups.  This stack was also significant in that this was the first time a ‘full’ and ‘real’ TCP/IP stack had been released for free.  As mentioned above with Trumpet Winsock, and the rest, you had to buy the network stack.  This free stack was only meant for LAN access, though I’ve heard of people trying to hack PPP/SLIP stuff at the DOS level, but again it wouldn’t help me, since I couldn’t SLiRP.  But this was the foreshadowing of how the internet was going to finally take off, and the short thriving window of 3rd party TCP/IP stacks for Windows was about to slam shut with the next release of Windows.

Mosaic 0.7

And finally we come to the program that basically changed the way we do everything – Mosaic.  The first web browser only worked on NeXTSTEP, and I don’t think that Mosaic was the first PC browser, but at the time it certainly was the best.  I loaded up an old version to see if it could at least hit a site by IP address, and it worked.  Sadly downloading files causes the browser to crash.  Mosaic was rather touchy back in the day too.  Because Mosaic came from the Unix world of browsers it was a 32bit program, and needed large amounts of memory.  It also was a large exe too, around 2MB!  Which is far larger than Doom & the DOS extender!  So Mosaic was the first program I can recall that needed the magical Win32s add on.  I’ve mentioned Win32s before so I won’t go on and on, but like the TCP/IP from Microsoft, this also basically killed the DOS Extender market.

The first time I saw Mosaic, I was blown away; we left the world of terminals and archie/gopher/veronica for something you could use a mouse with, and enter in your own URL!  It was amazing, but at the same time I thought the internet was doomed to failure as you had to READ.  Oh how wrong I was to be shown later.  But in the time between Windows NT 3.1 and Windows 95, there was a lot of reading expected to be done.  Much like everyone at the time would reply with RTFM in the news groups for stupid questions, why there even was the “Big Dummies Guide to the Internet”, thankfully made available online, put on various shovelware CDs and saved thanks to cd.textfiles.com.

I couldn’t get mIRC to work.  I forget what other IRC programs would actually work with Twinsock.  But I didn’t spend that much time on IRC.

Oh well, that is how the internet stood in that pre Windows 95, pre wide scale PPP world.  It really was amazing how fast things changed.