Thursday, September 20, 2012

VMware vSphere Features

What is a thin provisioned disk?

When creating a virtual disk file, by default, VMware ESX uses a thick type of virtual disk. The thick disk pre-allocates all of the space specified during the creation of the disk. For example, if you create a 10 megabyte disk, all 10 megabytes are pre-allocated for that virtual disk.
In contrast, a thin virtual disk does not pre-allocate all of the space. Blocks in the VMDK file are not allocated and backed by physical storage until they are written during the normal course of business. A read to an unallocated block returns zeroes; it does not back the block with physical storage, which happens only when the block is written.
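To make that allocation behaviour concrete, here is an added Python example (not from the original post, and not VMware code) that models a thin disk with a sparse file on the local filesystem: the file gets its full logical size up front, reading an unwritten block returns zeroes without allocating anything, and only a write consumes physical storage. The 1 MiB block size and the file name are constructed for the demo; physical allocation is read from st_blocks, which is a POSIX field.

```python
import os
import tempfile

# Demo block size; a real thin VMDK has its own grain size. 1 MiB is a constructed value.
BLOCK = 1024 * 1024


def make_thin_disk(path, size_bytes):
    """Create the backing file with its full logical size but no physical blocks:
    the filesystem equivalent of a thin-provisioned virtual disk."""
    with open(path, "wb") as f:
        f.truncate(size_bytes)


def allocated_bytes(path):
    """Physical storage actually backing the file. st_blocks counts 512-byte units
    on POSIX systems; fall back to the logical size where the field is missing."""
    st = os.stat(path)
    return getattr(st, "st_blocks", st.st_size // 512) * 512


def read_block(path, block_no):
    """Read one block. An unallocated block comes back as zeroes and is NOT allocated
    by the read, so no stale data from the underlying storage is ever exposed."""
    with open(path, "rb") as f:
        f.seek(block_no * BLOCK)
        return f.read(BLOCK)


def write_block(path, block_no, data):
    """A write is what finally backs the block with physical storage."""
    with open(path, "r+b") as f:
        f.seek(block_no * BLOCK)
        f.write(data)


def demo_thin_disk(size_blocks=10):
    """Walk through create -> read an unwritten block -> write a block, and report
    the physical allocation after each step."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "thin-demo.vmdk")  # constructed file name
        make_thin_disk(path, size_blocks * BLOCK)
        before = allocated_bytes(path)
        unwritten = read_block(path, 7)
        after_read = allocated_bytes(path)
        write_block(path, 3, b"\xab" * BLOCK)
        after_write = allocated_bytes(path)
        return {
            "logical_bytes": size_blocks * BLOCK,
            "allocated_before": before,
            "read_is_zero": unwritten == bytes(BLOCK),
            "allocated_after_read": after_read,
            "allocated_after_write": after_write,
        }


if __name__ == "__main__":
    for key, value in demo_thin_disk().items():
        print(f"{key}: {value}")
```

On a filesystem that supports sparse files, allocated_before is far below logical_bytes and only allocated_after_write grows; the read of block 7 leaves the allocation unchanged, which is the property that keeps one tenant's deleted data from showing up in another tenant's fresh thin disk.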

Update Manager

Simplify VMware vSphere management by automating patches and updates. vSphere Update Manager makes it easy to manage tracking and patching of vSphere hosts.

  • Keep machines up to date and in compliance
  • Reduce risks of patching
  • Eliminate vSphere downtime related to host patching

vMotion

vSphere vMotion enables the live migration of running virtual machines from one physical server to another with zero downtime, continuous service availability and complete transaction integrity. vMotion is a key enabling technology for creating the dynamic, automated and self-optimizing datacenter.

Storage vMotion

Perform live migration of virtual machine disk files within and across storage arrays with vSphere Storage vMotion. Relocate virtual machine disk files while maintaining continuous service availability and complete transaction integrity.

Storage APIs

VMware vSphere provides an API and SDK environment to allow customers and independent software vendors (ISVs) to enhance and extend the functionality of vSphere in the following areas:
Replication


Replicates powered-on virtual machines over the network from one vSphere host to another without needing storage array-based native replication. vSphere Replication provides a number of unique advantages:

  • Reduce bandwidth needs
  • Eliminate storage lock-in
  • Build flexible disaster recovery configurations


Fault Tolerance  

vSphere Fault Tolerance (FT) provides continuous availability for applications in the event of server failures by creating a live shadow instance of a virtual machine that is in virtual lockstep with the primary instance. By allowing instantaneous failover between the two instances in the event of hardware failure, FT eliminates even the smallest chance of data loss or disruption.



  • Automatically trigger seamless stateful failover when the protected virtual machine fails to respond, for zero downtime, zero data loss continuous availability
  • Automatically trigger the creation of a new secondary virtual machine after failover, to ensure continuous protection of the application



Distributed Resource Scheduler (DRS), Distributed Power Management (DPM)


vSphere Distributed Resource Scheduler (DRS) continuously monitors utilization across vSphere servers and intelligently allocates available resources among virtual machines according to business needs.

vSphere Distributed Power Management (DPM) continuously optimizes power consumption in the datacenter. When virtual machines in a DRS cluster need fewer resources, such as during nights and weekends, DPM consolidates workloads onto fewer servers and powers off the rest to reduce power consumption. When virtual machine resource requirements increase, DPM brings powered-down hosts back online to ensure service levels are met.



Data Protection

Many backup products write their data to tape, which is great for long-term archiving but often difficult and time-consuming to restore. vSphere Data Protection (VDP) protects against data loss in your virtual environment by enabling fast backups to disk and, more importantly, fast and complete recovery.


vShield Zones - Secure vSphere Deployments


vShield Zones provides basic protection from network-based threats in virtual datacenters. The solution is included with most VMware vSphere packages and offers an application firewall with policies based on basic traffic information. vShield Zones is deployed per vSphere host.

  • Get visibility and control over network communications between virtual machines
  • Improve hardware resource utilization while implementing application security
  • Simplify compliance with comprehensive logging of all virtual machine network activity

vShield Endpoint


Leverage existing investments and manage antivirus and anti-malware policies for virtualized environments with the same management interfaces you use to secure physical environments. VMware vShield™ Endpoint strengthens security in VMware vSphere and VMware View environments while improving performance for endpoint protection by orders of magnitude, offloading antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners.


High Availability (HA)

VMware vSphere High Availability (HA) provides easy-to-use, cost-effective high availability for applications running in virtual machines. In the event of physical server failure, affected virtual machines are automatically restarted on other production servers with spare capacity. In the case of operating system failure, vSphere HA restarts the affected virtual machine on the same physical server.


vCPU and Entitlement

Below are some basic questions about vCPU entitlement that come to mind, with their respective answers.

I have 2 physical CPUs, each dual core.

Suppose I'll create 1 virtual machine with 1 vCPU and entitlement 40%.

Q1: How many virtual machines can I create with this entitlement?

Q2: Is this 40% a percentage of each CPU or each core?
Q3: What is the maximum entitlement which I can assign to any virtual machine? Can I assign, for example, 150% as entitlement for one virtual machine?
Q4: Must the number of vCPUs be less than or equal to the number of physical CPUs or physical cores?




Q1: Your question should be "how many virtual machines can I RUN...", because you can CREATE as many guests as you want.

Well: on your 4-core physical host, you can theoretically run 10 virtual machines simultaneously with 1 vCPU / 40% entitlement each. Total entitlement = 400%, which doesn't exceed the whole processing power of the host.

In fact it is not so simple, because you will start no more than 8 virtual machines in the configuration you have described.

Entitlement is a GUARANTEED % of the processing power of a core. GUARANTEED means that a guest will not be started if the entitlement can't be honored by the host. If 8 VMs, with 1 vCPU and a 40% entitlement each, are started on your 4-core host, you will get:

- core1: vm1 and vm2 with 40% entitlement each --> 80%. So the host can only guarantee 20% for running another VM on this core
- core2: vm3 and vm4 with 40% entitlement each --> 80%. So the host can only guarantee 20% for running another VM on this core
- core3: vm5 and vm6 with 40% entitlement each --> 80%. So the host can only guarantee 20% for running another VM on this core
- core4: vm7 and vm8 with 40% entitlement each --> 80%. So the host can only guarantee 20% for running another VM on this core

Q2: ... of each core mapped to each vCPU of the guest.

Q3: 100% is the maximum entitlement. On a 1 vCPU guest it means you can have 100% of one physical core, on a 2 vCPU guest it means you can have 100% of 2 physical cores, and so on...

Q4: A vCPU relies on a physical core. Simply forget CPUs on the host, and just think in terms of cores. So the number of vCPUs in a given guest must be less than or equal to the number of physical cores.


As a summary and a guideline, you must think of a vCPU in terms of a thread running at a time on a given physical core. Several vCPUs of a given virtual machine can't run on the same physical core.

vRAM Entitlement In vSphere



Here is a comparison of the previously announced and the currently unveiled vSphere 5 vRAM entitlements per vSphere edition:

vSphere Edition            Previous vRAM Entitlement   New vRAM Entitlement
vSphere Enterprise+        48 GB                       96 GB
vSphere Enterprise         32 GB                       64 GB
vSphere Standard           24 GB                       32 GB
vSphere Essentials+        24 GB                       32 GB
vSphere Essentials         24 GB                       32 GB
Free vSphere Hypervisor    8 GB                        32 GB[ii]
vSphere Desktop            Unlimited                   Unlimited

The release of VMware vSphere 5 comes with a new licensing model. This model is based on licensing “per CPU with vRAM entitlement limitation”. As I mentioned in my previous licensing post this is a difference with regards to the previous vSphere version. :
“Also I need to mention that VMware changed its licensing model from a “per CPU with core / physical memory” to a “per CPU with vRAM entitlement limitation”. No longer is the limitation on the amount of cores or physical RAM memory in a server, but the limitation is in the amount of virtual memory (vRAM) consumed by the hosted virtual machines.”
In this post I will try to explain the per CPU with vRAM licensing model by using the example below. I hope this will make things a lot easier to grasp. After all it’s about licensing, so it’s about money! And in the end you don’t want to end up in a situation that you’re unable to power-on new virtual machines.
[image: vRAM licensing example with two ESXi hosts]
In the example we have 2 ESXi hosts that each have 2 processors. The number of cores does not matter anymore when using vSphere 5. There is no longer a limitation on the number of cores or the amount of physical memory in a server. But as mentioned above, VMware has introduced a new limitation with regards to licensing: vRAM entitlement.
vRAM entitlement
vRAM entitlement comes with each “per CPU” license. The amount of vRAM depends on the vSphere edition that is being used.
* vSphere 5 Standard Edition gives you 24 GB vRAM
* vSphere 5 Enterprise Edition gives you 32 GB vRAM
* vSphere 5 Enterprise Plus Edition gives you 48 GB vRAM
So this means that for each CPU license that you buy, you’ll get a certain amount of vRAM entitled. In the example above there are 2 physical CPUs in each ESXi host, making a total of (2 x 2 = ) 4 physical CPUs you’ll need to license for VMware vSphere 5. In the example I’m using Enterprise licenses, which entitle me to 32 GB of vRAM per CPU license. This makes a grand total of 128 GB of vRAM which I can use.
The total vRAM is also known as a vRAM entitlement pool. This is the combined total of all the ESXi hosts managed by a vCenter instance or a set of linked vCenter instances. Every vRAM entitlement is aggregated into one pool which can be used by all virtual machines managed by vCenter.
vRAM usage
The usage of vRAM comes with the number of virtual machines that are powered on. Each time a virtual machine is powered on, licensing will check if enough vRAM is available in the vRAM pool. The amount of vRAM used by the virtual machine is then added to the total amount of vRAM used by all virtual machines combined.
The total amount of vRAM used must be equal to or lower than the total amount of vRAM in the vRAM pool. If this is not the case, the virtual machine will not be powered on and you’ll need to buy more licenses or upgrade to a higher vSphere Edition (if possible).
In the example above we have 18 virtual machines, all configured with different amounts of vRAM per virtual machine. The total amount of vRAM used by all virtual machines is 68 GB.
Summary
So looking at the example again. I’ve got 128 GB of vRAM in my vRAM pool. At this moment I’ve got 18 virtual machines that combined have a vRAM usage of 68 GB.
So to calculate the amount of vRAM I still have left I need to take total licensed vRAM minus the vRAM that is already used by the virtual machines :
Total licensed vRAM – Used vRAM = Available vRAM
In the end this comes down to 128 GB (Total licensed vRAM) – 68 GB (Used vRAM) = 60 GB of vRAM that is still available for new “to-be-powered-on” virtual machines.
I hope this gives a good impression of how the vRAM entitlement works in vSphere 5. For more information have a look at the VMware vSphere 5 Licensing, Pricing and Packaging Whitepaper.
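The pool calculation and the power-on check above, carried through as an added Python example (not from the original post, and not VMware's licensing code). The per-CPU entitlements are the three values listed above; the two hosts and the 18 running VMs adding up to 68 GB are constructed to mirror the example, and the pending VMs are constructed to show one refusal, one success and a second refusal once the pool is full.

```python
# Per-CPU vRAM entitlement in GB for the vSphere 5 editions named in the post.
VRAM_PER_CPU_GB = {"Standard": 24, "Enterprise": 32, "Enterprise Plus": 48}


def vram_pool_gb(hosts):
    """Size of the vRAM entitlement pool: one licence per physical CPU, aggregated
    over every host the vCenter instance manages. hosts = [(edition, cpu_count), ...]"""
    return sum(VRAM_PER_CPU_GB[edition] * cpus for edition, cpus in hosts)


def power_on(pool_gb, used_gb, vm_vram_gb):
    """The licensing check done at power-on time. Returns (allowed, new_used_gb)."""
    if used_gb + vm_vram_gb > pool_gb:
        return False, used_gb          # refused: buy more licences or upgrade the edition
    return True, used_gb + vm_vram_gb


def simulate_power_on(hosts, running_vms_gb, pending_vms_gb):
    """Start from the VMs already running, then try to power on each pending VM in turn."""
    pool = vram_pool_gb(hosts)
    used = sum(running_vms_gb)
    outcomes = []
    for vm_gb in pending_vms_gb:
        allowed, used = power_on(pool, used, vm_gb)
        outcomes.append((vm_gb, allowed))
    return {"pool_gb": pool, "used_gb": used, "available_gb": pool - used, "outcomes": outcomes}


# Constructed data mirroring the post: two hosts with two Enterprise-licensed CPUs each,
# and 18 running VMs whose configured memory adds up to 68 GB.
HOSTS = [("Enterprise", 2), ("Enterprise", 2)]
RUNNING_VMS_GB = [4] * 16 + [2] * 2


def example():
    # A 64 GB VM exceeds the 60 GB left, a 60 GB VM fits exactly, and then nothing else fits.
    return simulate_power_on(HOSTS, RUNNING_VMS_GB, pending_vms_gb=[64, 60, 1])


if __name__ == "__main__":
    print(example())
```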

System requirements for Citrix XenApp


Operating system

The required operating system is Windows 2003 Server. Client versions of Windows, such as Windows XP, cannot be used because Citrix XenApp requires Terminal Server, which is not available on client versions of Windows.
The recommended version of Windows Server 2003 is Enterprise Edition. You can also use Windows Server 2003 Standard Edition, but you might need to reduce the maximum heap size for the Java virtual machine that is used by the Message Broker Toolkit.

Software prerequisites

Citrix XenApp (previously known as Citrix Presentation Server 4.0 or 4.5) and its prerequisites must be installed on the Windows 2003 server.  

Hardware prerequisites

The server must have enough CPU, RAM, disk space, and network bandwidth for each concurrent user. Performance depends on the tasks that are being performed, and on the hardware, software and networking setup.  As a guide, the server should have a minimum of 1 GB of RAM per concurrent user and at least 4 GB of RAM in total. If the tasks require frequent disk access, it should help performance to have a separate physical disk for each user so that they do not slow each other down.



Note: Although a maximum of 75 users are authorized to use a XenApp Fundamentals server, the number who can use XenApp Fundamentals at the same time depends on the limitations of your server hardware (such as total memory, processor speed, disk space, and so on).

What is SMTP relay?

Many administrators misunderstand the concept of SMTP relay. Some over-cautious administrators block SMTP relay completely and others leave it open for any Internet user to misuse their servers. Problems exist in both extremes. Therefore, it is important to understand exactly what SMTP relay is and how to configure your SMTP server so that it does not leave you vulnerable to outside attacks and still allows legitimate users to send and receive emails. This article should clear up some of the confusion on this topic and show how to effectively turn off an open relay.


What is SMTP
Before we dive into SMTP relay, it is important to know how the SMTP protocol works. SMTP is an acronym for Simple Mail Transfer Protocol. Most Internet service providers nowadays use this protocol to send email. Email clients, also known as Mail User Agents (MUA), utilize this protocol and act as an SMTP client to distribute email messages to the recipients. When a MUA sends an email message, it connects to the configured SMTP server and communicates with it using the SMTP protocol.

Internet mail works pretty much like our postal mail. When you wish to send a letter or a package via snail mail, you put the letter inside an envelope, write the recipient's as well as your return address and drop it off at your local post office. The local post office figures out the final destination of the package and sends it to the appropriate post office in the recipient's town. One important factor to notice here is that if both sender and recipient are in the same town no other post office gets involved. 

Electronic mail works pretty much the same. SMTP servers act as local post offices. When a user wishes to send an email, he or she sends it to the SMTP server, which then forwards it to the recipient's SMTP server. Rather than street addresses and apartment numbers, electronic mail recipients are identified by unique email addresses. Every SMTP server is configured to handle one or more domain names. Analogous to snail mail, if both sender and recipient are in the same domain no other SMTP server gets involved. The following characteristics are common between snail mail and electronic mail.


Snail Mail vs. Electronic Mail

1. Snail mail: Every mail package is wrapped within an envelope that contains:
  • Sender's name and address.
  • Recipient's name and address.
  • Post office's stamp.
  • A timestamp when the package was received.
   Electronic mail: Every electronic mail is wrapped within an envelope as well, which contains:
  • Sender's name and email address.
  • List of recipients and their email addresses.
  • SMTP server's signature. There can be more than one SMTP server involved.
  • The date and time the email was received.
   Electronic mail can have more elements than mentioned above.

2. Snail mail: There is no guarantee that the sender's name and address will always be correct. It is very easy to forge the sender's identity.
   Electronic mail: Similarly, it is very easy to hide the sender's true identity in an electronic mail.

3. Snail mail: If the sender and receiver are in the same town, your local post office will not send the package to any other post office.
   Electronic mail: If the sender and receiver are handled by the same SMTP server, no other server will get involved.

4. Snail mail: Although the sender's identity cannot be trusted, you can still find out a few things about the package by looking at the envelope, such as the town the letter was mailed from and the time.
   Electronic mail: Similarly, the SMTP envelope (also known as the header) contains information such as the sender's IP address and the date/time stamp the mail was sent.

5. Snail mail: Every post office is assigned a postal code or zip code, which is used to identify its location. It is possible that one post office may handle multiple zip codes.
   Electronic mail: These postal/zip codes are known as domain names in SMTP speak. Every SMTP server is configured to handle one or more domains. The domain name is the text that appears after the @ sign in an email address.

    What is mail relay

    In case of snail mail, the local post office is a government agency and there are no restrictions on who can send a package. Consider a scenario where you live in town A and you want to send a package to town B. When one town's post office accepts packages from another town it is said to "Relay" your message. 

    Similarly, if you work for company A and want to send an email to someone in company B, you connect to your SMTP server which then relays your message to the SMTP server owned by company B. The notion that an SMTP server accepts an email that is destined for a different SMTP server is called relaying. 

    It would be impossible to send email if every SMTP server in the world stopped relaying.

    User authentication
    The electronic world is a bit different than the real world: you can do things faster, cheaper and distances do not matter. Imagine every time you wanted to send a snail mail you were asked to show your passport or any other document that proved your identity. This would add extra security at a cost of frustration and time. However, the frustration level associated with asking for a user's id and password in an electronic transaction is much lower than the burden of having to carry your passport. 

    Most SMTP servers ask for the user's credentials in terms of their id and password. The SMTP server will allow users to relay their message to a different server only if these credentials are correct. This authentication mechanism ensures that no one outside the organization can use the company's SMTP server to send message to a third party recipient.

    What is an open relay

    Your server is said to be an open relay if it accepts messages on behalf of other domains and does NOT require user authentication. In the case of an open relay, a person sitting in Singapore can send an email to California through your server, which could be in London. 

    Open relay servers are frequently misused by spammers sending unsolicited emails. Once a malicious user finds out about an open relay server on the Internet, he/she can send millions of messages all over the world, potentially bringing your network to its knees. 

    Several organizations have set up databases of IP addresses that list and track open relay servers. If you have an open relay server you run the risk of having your IP listed in one of these databases. As a result many SMTP servers may not accept emails from you.
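The relay rule the last three sections describe, written out as an added Python example (not from the original article and not any mail server's code): a recipient in one of the server's own domains is always accepted, a recipient elsewhere is relayed only for an authenticated client, and an "open relay" is simply the policy with that authentication check removed. The local domain, the client addresses and the reply texts are constructed for the example; is_open_relay runs the same foreign-to-foreign probe against the policy function that the online checkers run against a live server, but entirely offline.

```python
from dataclasses import dataclass

# Domains this server is configured to handle (constructed for the example).
LOCAL_DOMAINS = {"example.com"}


@dataclass
class Session:
    client_ip: str
    authenticated: bool   # True once the client has presented valid credentials


def domain_of(address):
    """The part after the @ sign, lower-cased; this is what identifies the destination server."""
    return address.rsplit("@", 1)[-1].lower()


def rcpt_decision(session, rcpt_to, open_relay=False):
    """Reply to RCPT TO under a sane relay policy. Mail FOR a local domain is always
    accepted (that is what lets other servers deliver to us); mail for a foreign
    domain is relayed only for authenticated users. open_relay=True models the
    misconfiguration the article warns about: anyone may relay anywhere."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return "250 OK"                                  # inbound delivery to our own users
    if session.authenticated or open_relay:
        return "250 OK"                                  # outbound relay on behalf of a user
    return "550 Delivery is not allowed to this address"


def is_open_relay(decide):
    """Self-audit of a policy: does it relay foreign-to-foreign mail for an anonymous client?
    The probe recipient uses a reserved .invalid domain, so nothing is ever actually sent."""
    anonymous = Session(client_ip="203.0.113.9", authenticated=False)
    reply = decide(anonymous, "recipient@elsewhere.invalid")
    return reply.startswith("2")


if __name__ == "__main__":
    print("default policy open relay?", is_open_relay(rcpt_decision))
    print("no-auth policy open relay?", is_open_relay(lambda s, r: rcpt_decision(s, r, open_relay=True)))
```

The design point is that the decision hinges on the recipient's domain and the session's authentication state, not on the sender address: MAIL FROM is trivially forged, which is exactly the weakness the table above describes.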

    How to check for open relay

    The easiest way to test for an open relay is using QuickTest at AboutMyX.com 

    Workstation 8 and bridged connection - don't work at all


    When I upgraded my VMware Workstation from 7.1 to 8, I can't use a bridged connection at all in any VM; I just don't have any internet connection then.
    I always need to use NAT. Even when I installed Windows 8, I still can't bridge it, only NAT is working.
    Before, on 7.1, everything was working fine. How can I solve it?


    The solution is:

    Choose "Restore Default" in the Virtual Network Editor. It removed all the VMnet adapters that were present from version 7.x and left me with only 3 VMnet adapters.

    Wednesday, September 19, 2012

    How can we check the current SharePoint installation type?


    Here are the steps:
    1. Launch regedit.exe
    2. For MOSS 2007, navigate to:
      HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\12.0\WSS
    3. For SharePoint 2010, navigate to:
      HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\WSS
    4. Check the ServerRole key
    Here are the valid values:
    • SINGLESERVER => Stand Alone
    • APPLICATION => Farm Complete
    • WFE => Web Front End

    Tuesday, September 18, 2012

    How to set 2:1 Compression Ratio


    Twice the native capacity of a media is usually given as the maximum possible amount of data that could be written to a tape. It should be noted that this figure is rarely achieved. This is due to the varied types of data that are found in most environments. Each data type has its own compression ratio, and, therefore, there is no standard achievable for the total compression ratio that results. For example, database data (see Note at the end of this document for exceptions), encrypted files, executables, and graphics files will generally achieve a small amount of compression (or none at all).  Regular text, log files, and data files will have a very high compression rate.
     
    If hardware data compression is used, then the compression is done by the tape drive. Backup Exec (tm) only sends an instruction to the tape drive to do compression. If data is not compressing (either because hardware compression on the tape drive is disabled or because the tape drive does not support it), software compression may be used. Software compression, however, consumes additional system resources, and the media can only be cataloged and restored from with the Backup Exec software. The Sgmon log will also show whether compression is on or off.

    Solution



    To enable hardware compression, follow the instructions given below:

    1. Right-click on a tape device

    2. Select Properties

    3. Select the Configuration tab (Figure 1)

    Figure 1

    The method is similar for Backup Exec 9.x and 10.x for Windows Servers (Figure 2).

    Figure 2

    If Enable compression appears greyed out, the tape drive may not support compression, or the drivers/firmware for the device may need to be updated. Contact the manufacturer of the device for more information.

    Note: Backup Exec offers the choice of either hardware or software compression. Software compression may be a viable alternative if poor results are achieved with the use of hardware compression. The use of hardware or software compression can be configured through the Advanced tab within the Backup Job Properties dialog box (Figure 3).

    Figure 3

    Figure 4 displays the Compression type option in Backup Exec 9.0 for Windows Servers.

    Figure 4


    The following can also affect hardware compression:

    1. The tape drive may be trying to compress data that is already compressed or encrypted. If the data cannot be compressed any further than it already is, the attempt may cause the data to expand. Run a test backup with no compression to compare how much data can be written to the tape media without compression. When using hardware compression, software compression should be turned off, and vice-versa.

    2. The system may not be able to keep up with the tape drive. If data is sent to the tape drive at a rate that is either slower or faster than the rate at which the tape drive can write the data to the tape, then the tape device must stop and wait for the computer. Each time the tape drive stops, it writes tracks of undefined data (gap tracks), repositioning the read/write heads for the time when more data becomes available. This causes the tape drive to stop and restart frequently, affecting tape capacity.

    3. The tape media may be ready for retirement. When tapes are written to for longer than what the manufacturer recommends, an excessive number of rewrites can occur, causing a reduction in performance and tape capacity. Use a new tape to test compression and confirm that the media is the correct type for the tape drive.

    4. The tape drive may need to be cleaned. A buildup of oxidation and debris on the tape heads can cause soft/hard write errors and eventually could cause damage to the tape media and tape drive. Clean the device as per the manufacturer's recommendation and replace the cleaning tape when necessary.

    If in doubt about whether the software or the environment is the cause of a reduced media capacity with hardware compression enabled, it is suggested that the services for Backup Exec be stopped in the control panel, and a backup should be performed with the native Windows NT Backup. In most cases, the results should be identical between the two applications.

    SMTP error messages


    421 Connection timeout

    If there is a timeout while hMailServer is waiting for a command from the SMTP client, this error message is sent to the client before hMailServer disconnects the client. The SMTP timeout in hMailServer is 10 minutes.

    421 Excessive amounts of data sent to server.

    This error is generated by hMailServer if a client sends a large chunk of data to hMailServer not containing a newline character (command terminator). A client should never do this, but incorrectly configured clients could cause this problem.

    451 Please try again later.

    This error message is issued if grey listing is enabled, and the sender, recipient and IP address triplet does not match an existing greylisting triplet.

    500 Line too long

    If an SMTP client sends an SMTP command which hMailServer considers to be too long, hMailServer issues this error. This error typically indicates a client defect or a hacking attempt.

    501 EHLO Invalid domain address.

    This error message is issued if the domain address given in the EHLO command does not have the correct syntax.

    501 HELO Invalid domain address.

    This error message is issued if the domain address given in the HELO command does not have the correct syntax.

    502 TURN disallowed

    If a SMTP client tries to use the TURN command hMailServer responds with this error code. hMailServer does not include support for the TURN verb.

    502 Unimplemented command

    If a SMTP client tries to use a command which hMailServer has no implementation for, this error message is sent to the client.

    502 Use HELO/EHLO first

    After a SMTP client has connected to a SMTP server, the first thing it should do is to identify itself using the HELO or EHLO command. If the client does not do this, hMailServer responds with this error message.

    502 VRFY disallowed

    If a SMTP client tries to use the command VRFY, hMailServer responds with this error code. hMailServer does not include support for the VRFY verb.

    503 Issue a reset if you want to start over

    When an email client delivers an email message to an email server, it starts off by telling the server the sender's address. After it has done this, a transaction is started which is not finished before the entire message has been delivered to the email server. If the client wishes to abort the transaction and send another message, it should issue the RSET command. If a client, in the middle of a transaction, tries to send a new email without first aborting the current transaction, hMailServer issues this error message. This indicates a bug in the SMTP client.

    503 Must have sender and recipient first.

    When an SMTP client is delivering an email to an SMTP server, it must specify both the sender and recipient before trying to submit the actual message content. If a client fails to tell hMailServer the sender's or recipient's address prior to trying to submit the message content, hMailServer will respond with this error. This indicates a bug in the SMTP client.

    503 Must have sender first.

    When a SMTP client is delivering an email to a SMTP server, it must specify both the sender and recipient before trying to submit the actual message content. The client must first tell the server the sender address and after that the recipient address. If the client tries to tell hMailServer the recipient address before the sender address, this error message is issued. This indicates a bug in the SMTP client.
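The ordering rules behind the 502 and 503 replies above (greet first, then MAIL FROM, then RCPT TO, then DATA, with RSET to start over) are a small state machine. Here it is as an added Python example, written from the descriptions on this page and not taken from hMailServer's code: each command either advances the session or gets the reply the corresponding entry describes. The 512-octet line limit, the MAIL FROM syntax text (with "user@domain" where the entry above shows the address), the ".invalid" addresses and the "354"/"221" replies are my choices; the message body after DATA is not modelled.

```python
import re

# RFC 5321 sizes command lines at 512 octets; used here as the "too long" threshold.
MAX_LINE = 512
MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<([^<>]*)>$", re.IGNORECASE)   # <> (empty) is a legal null sender
RCPT_TO_RE = re.compile(r"^RCPT TO:\s*<([^<>]+)>$", re.IGNORECASE)


class SmtpSession:
    """Server-side view of one connection: which commands are acceptable right now."""

    def __init__(self):
        self.greeted = False
        self.reset()

    def reset(self):
        """Abort the current transaction (RSET, or a fresh HELO/EHLO)."""
        self.sender = None
        self.recipients = []

    def handle(self, line):
        """Return the reply for one command line, updating the session state."""
        if len(line) > MAX_LINE:
            return "500 Line too long"
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            arg = line[5:].strip()
            if not arg or " " in arg:
                return f"501 {verb} Invalid domain address."
            self.greeted = True
            self.reset()
            return "250 OK"
        if not self.greeted:
            return "502 Use HELO/EHLO first"
        if verb == "RSET":
            self.reset()
            return "250 OK"
        if verb in ("VRFY", "TURN"):
            return f"502 {verb} disallowed"          # verbs deliberately not offered
        if verb == "MAIL":
            if self.sender is not None:
                return "503 Issue a reset if you want to start over"
            m = MAIL_FROM_RE.match(line)
            if not m:
                return "550 Invalid syntax. Syntax should be MAIL FROM:<user@domain>[crlf]"
            self.sender = m.group(1)
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Must have sender first."
            m = RCPT_TO_RE.match(line)
            if not m:
                return "550 A valid address is required"
            self.recipients.append(m.group(1))
            return "250 OK"
        if verb == "DATA":
            if self.sender is None or not self.recipients:
                return "503 Must have sender and recipient first."
            return "354 Start mail input"             # message body handling not modelled
        if verb == "QUIT":
            return "221 Bye"
        return "502 Unimplemented command"


def run_script(lines):
    """Feed a constructed client transcript through one session and return the replies."""
    session = SmtpSession()
    return [session.handle(line) for line in lines]


if __name__ == "__main__":
    # Constructed transcript from a misbehaving client: out-of-order commands, a second
    # MAIL FROM without RSET, bad syntax, a disallowed verb and an oversized line.
    for cmd, reply in zip(SCRIPT := [
        "MAIL FROM:<alice@client.invalid>", "EHLO client.invalid",
        "RCPT TO:<bob@example.com>", "DATA", "MAIL FROM:<alice@client.invalid>",
        "MAIL FROM:<carol@client.invalid>", "RSET", "MAIL FROM:alice@client.invalid",
        "MAIL FROM:<alice@client.invalid>", "RCPT TO:<bob@example.com>", "DATA",
        "VRFY root", "X" * 600,
    ], run_script(SCRIPT)):
        print(f"{cmd[:40]:<40} -> {reply}")
```

Note that every out-of-order command leaves the state untouched, so a client that misbehaves once can still recover with RSET; that is the behaviour the "Issue a reset" entry is pointing at.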

    504 Authentication mechanism not supported.

    This error message is issued if a client tries to authenticate using a method which is not supported by hMailServer.

    504 Authentication type not specified.

    This error message is issued by hMailServer if a client tries to authenticate without specifying authentication method. This error indicates a bug in the used SMTP client.

    530 SMTP authentication is required.

    You have enabled SMTP authentication for the IP range that the user is connecting from, but the user has not configured his client to use SMTP authentication. There are two ways to solve this problem. Either configure your email client to use SMTP authentication (this setting is normally found in the account settings in your email client), or disable SMTP authentication for the IP range. The first solution is recommended since it reduces the risk that anyone will send spam through your server.
    By default, hMailServer does not require SMTP authentication for connections coming from localhost / 127.0.0.1. For connections coming from other hosts, SMTP authentication is required for deliveries to external recipients. By default, hMailServer never requires SMTP authentication for deliveries to local accounts, since that would prevent other e-mail servers from delivering email to your installation. For information on how to enable SMTP authentication, check the HOWTO.
    If you are using a Cisco router, you may need to disable SMTP Fixup protocol. If this is enabled, the router will sometimes intercept SMTP traffic and replace data in it before it reaches hMailServer which will cause problems.

    535 Authentication failed. Restarting authentication process.

    If a SMTP client authenticates but the username or password is incorrect, or the account is disabled, hMailServer sends this error message to the client.

    550 A valid address is required

    hMailServer issues this error message if a SMTP client tries to specify a recipient address which is not valid (which has an incorrect syntax).

    550 Account is not active.

    If a SMTP client tries to send an email message to an account which is not enabled, this error message is given to the client.

    550 Alias is not active.

    If a SMTP client tries to send an email message to an alias which is not enabled, this error message is given to the client.

    550 Blocked by SPF

    If an email message is rejected during SPF checks, this error message is issued.

    550 Delivery is not allowed to this address

    This error means that the sender is trying to send an email to an address which he is not allowed to send to. This message is generated after hMailServer has checked the IP range settings. As an example, the default IP range configuration does not allow external users to send messages to other external users. This is to prevent people from using your server to send spam. So if an external user tries to send a message to another external user, he will get this message.

    550 Distribution list is not active.

    If an SMTP client tries to send an email message to a distribution list which is not enabled, this error message is given to the client.

    550 Domain has been disabled.

    If an SMTP client tries to send an email message to a domain which has been disabled, this error message is given to the client.

    550 Invalid syntax. Syntax should be MAIL FROM:<user@domain>[crlf]

    If a client issues a MAIL FROM command with an incorrect syntax, hMailServer issues this error message.

    550 Login credentials no longer valid. Please re-authenticate.

    During an SMTP session, an SMTP sender can send multiple email messages. Each time an SMTP client tries to deliver a new message to hMailServer, the client is re-authenticated to ensure that the username and password are still valid. This is needed since there is no limitation on how long an SMTP client may stay connected to hMailServer as long as it is sending messages. If hMailServer did not re-authenticate connected users, there would be no way to disconnect a user who was sending spam (without stopping the.

    550 Mail server configuration error. Too many recursive forwards.

    When an email client tells hMailServer who the email message is for, hMailServer tries to determine the "end recipient". The email address the client has given hMailServer may not be the end recipient. For example, if you have set up an alias, alias@example.com which points at account@example.com, and the email client tells hMailServer that the message is for alias@example.com, the end recipient is actually account@example.com.
    It is possible to configure hMailServer in an incorrect way in this area. For example, say you have an alias named alias@example.com pointing at alias2@example.com, and the alias alias2@example.com is pointing at alias@example.com. When hMailServer is trying to determine the end recipient for an email to alias@example.com, it will give up since there is none and report the above error message. The error will always be reported if hMailServer cannot determine the end recipient.
    The following causes are the most common ones:
    • A catch-all address has been specified for the recipient domain, but no account exists which matches the specified catch-all address.
    • The message is being sent to an alias which does not point at a valid account.
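The end-recipient resolution described above, written out as an added example (this is a model of the documented behaviour, not hMailServer's own code). The account, alias and catch-all tables are constructed sample data for two hypothetical local domains; the chain is followed with loop detection, and both "common causes" above (a catch-all naming a non-existent account, an alias pointing at nothing) end in the same 550 reply, while an address that matches nothing at all gets 550 Unknown user.

```python
"""Resolve the "end recipient" of a local address by following aliases and
catch-all rules, producing the 550 reply hMailServer gives when the chain
loops or ends nowhere.

Added example modelled on the behaviour described above; it is not
hMailServer's own code. The account, alias and catch-all tables are
constructed sample data for two hypothetical local domains.
"""

RECURSIVE_FORWARDS = "550 Mail server configuration error. Too many recursive forwards."
UNKNOWN_USER = "550 Unknown user"

LOCAL_DOMAINS = {"example.com", "example.org"}
ACCOUNTS = {"account@example.com", "user@example.org"}
ALIASES = {
    "alias@example.com": "account@example.com",    # healthy alias
    "loop-a@example.com": "loop-b@example.com",    # two aliases pointing at each other
    "loop-b@example.com": "loop-a@example.com",
    "dangling@example.com": "nobody@example.com",  # alias target is not an account
}
# Catch-all per domain. example.com's catch-all names an address that does
# not exist (the first "common cause" above); example.org has none.
CATCH_ALL = {"example.com": "missing@example.com"}


class DeliveryRejected(Exception):
    """Carries the SMTP reply line that would be sent to the client."""


def resolve_end_recipient(address: str, max_hops: int = 10) -> str:
    """Follow aliases/catch-all from `address` until an account is reached.

    Raises DeliveryRejected(RECURSIVE_FORWARDS) when the chain revisits an
    address, runs past max_hops, or a forward leads to nothing; raises
    DeliveryRejected(UNKNOWN_USER) when the original address matches
    nothing at all. Non-local addresses are returned unchanged (they would
    be relayed, not resolved locally).
    """
    address = address.lower()
    if address.rsplit("@", 1)[-1] not in LOCAL_DOMAINS:
        return address
    seen = set()
    current = address
    while True:
        if current in ACCOUNTS:
            return current
        if current in seen or len(seen) >= max_hops:
            raise DeliveryRejected(RECURSIVE_FORWARDS)
        seen.add(current)
        nxt = ALIASES.get(current)
        if nxt is None:
            nxt = CATCH_ALL.get(current.rsplit("@", 1)[-1])
        if nxt is None:
            # Nothing matched. For the address the client asked for this is
            # a plain unknown user; if we got here by following a forward,
            # the configuration itself is broken.
            raise DeliveryRejected(UNKNOWN_USER if current == address else RECURSIVE_FORWARDS)
        current = nxt.lower()


def rcpt_to_reply(address: str) -> str:
    """Reply line for RCPT TO:<address>; "250 OK" is a generic placeholder."""
    try:
        resolve_end_recipient(address)
        return "250 OK"
    except DeliveryRejected as exc:
        return str(exc)


if __name__ == "__main__":
    for addr in ("alias@example.com", "loop-a@example.com", "unknown@example.com",
                 "dangling@example.com", "nobody@example.org"):
        print(f"{addr:22} -> {rcpt_to_reply(addr)}")
```

The `seen` set is what turns an alias loop into a rejection instead of an endless walk; `max_hops` is a second guard for very long legitimate chains and is an arbitrary value in this model.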

    550 Not authorized.

    If a client tries to send an email message to a distribution list to which it does not have permission to send, this error message is issued.

    550 Recipient not in route list.

    If a client tries to send an email message where the recipient domain matches a route, but the recipient address is not in the list of valid addresses, this error message is given to the client.

    550 Sender address must be specified.

    If hMailServer is configured to reject empty sender addresses, and an SMTP client tries to use an empty sender address, this error is issued.

    550 Sender domain does not have any MX records.

    If an email message is rejected due to the MX check, this error message is issued.

    550 The address is not valid.

    hMailServer issues this error message if an SMTP client specifies a sender address which is not valid (one with incorrect syntax).

    550 The host name specified in HELO does not match IP address.

    This error message is a part of the spam protection mechanism in hMailServer. When a sending email server delivers an email message to hMailServer, one of the first things it needs to do is to identify itself. It does this by sending the command HELO <HOSTNAME> where <HOSTNAME> is replaced with its host name. The host name the sending server gives in the HELO command should resolve to the IP address of the same server.

    For example, if one of Hotmail's servers tries to deliver an email to your server, it will send a command similar to HELO mx1.hotmail.com. If the option Check host in the HELO command has been enabled in the spam protection settings in hMailServer, hMailServer will check that the host name Hotmail's server sent, mx1.hotmail.com, matches the IP address the connection is being made from. If the IP address does not match the host name, hMailServer considers the email message to be spam. If you have configured hMailServer to delete e-mail which is considered spam, hMailServer will report the above error message to the sender.

    If someone tries to send you an email and they get this error, take one of the following actions:
    • Notify the administrator of the server sending the email that they have not specified the correct host name in the HELO command.
    • Disable the "Check host in the HELO command" option in the spam protection settings using hMailServer Administrator or PHPWebAdmin. This option is disabled by default.
    • In the spam protection settings, select that hMailServer should deliver spam messages, but modify the message headers. Also select to modify the message subject. Then the email will be delivered, but the subject will be prepended with [SPAM].
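The HELO host check and the two ways the settings can act on a mismatch, as an added example (a model of the documented behaviour, not hMailServer's code). DNS is replaced by a constructed lookup table so the script runs offline; the injected `resolve` callable and the handling of bracketed address literals are assumptions of this model, not settings of the product.

```python
"""Model of the "Check host in the HELO command" test described above and
of the two ways the spam-protection settings can act on a mismatch
(reject with the 550 reply, or deliver with "[SPAM]" prepended to the
subject).

Added example, not hMailServer's code. DNS is replaced by a constructed
lookup table so the script runs offline; `resolve` is an injected callable
(an assumption of this model) so a real forward-DNS function can be passed
in instead.
"""
import ipaddress

HELO_MISMATCH = "550 The host name specified in HELO does not match IP address."

# Constructed sample forward-DNS data (documentation-range addresses).
SAMPLE_DNS = {
    "mx1.hotmail.com": ["203.0.113.10", "203.0.113.11"],
    "mail.example.net": ["198.51.100.5"],
}


def sample_resolve(host: str) -> list:
    """Stand-in for forward DNS; unknown names return no addresses."""
    return SAMPLE_DNS.get(host.lower(), [])


def helo_matches_peer(helo_host: str, peer_ip: str, resolve=sample_resolve) -> bool:
    """True when the HELO argument resolves to the address the client connected from.

    An address literal such as [198.51.100.5] passes when it equals the
    peer address (assumption: treats RFC 5321 address literals as valid).
    """
    peer = ipaddress.ip_address(peer_ip)
    helo_host = helo_host.strip()
    if helo_host.startswith("[") and helo_host.endswith("]"):
        try:
            return ipaddress.ip_address(helo_host[1:-1]) == peer
        except ValueError:
            return False
    return any(ipaddress.ip_address(a) == peer for a in resolve(helo_host))


def apply_helo_policy(helo_host, peer_ip, subject, delete_spam, resolve=sample_resolve):
    """Return (smtp_reply, delivered_subject) for one message.

    delete_spam=True models "delete e-mail which is considered spam": the
    550 line goes back to the sender and nothing is delivered (subject is
    None). delete_spam=False models "deliver but modify the subject".
    "250 OK" is a generic placeholder reply.
    """
    if helo_matches_peer(helo_host, peer_ip, resolve):
        return "250 OK", subject
    if delete_spam:
        return HELO_MISMATCH, None
    return "250 OK", "[SPAM] " + subject


if __name__ == "__main__":
    print(apply_helo_policy("mx1.hotmail.com", "203.0.113.10", "Hello", delete_spam=True))
    print(apply_helo_policy("mx1.hotmail.com", "192.0.2.1", "Hello", delete_spam=True))
    print(apply_helo_policy("mx1.hotmail.com", "192.0.2.1", "Hello", delete_spam=False))
```

To run the check against live DNS, pass a function that returns the forward addresses of a name (for example one built on socket.getaddrinfo) as `resolve`; the rest of the logic does not change.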

    550 Unknown user

    This error message is issued if the SMTP client tries to deliver an email to a domain hosted by hMailServer but the recipient account cannot be found and no catch-all address has been specified for the recipient domain.

    550 <Other error message>

    In DNS blacklist and SURBL configuration, it is possible to specify custom error messages to be used when an email message is being rejected.

    552 Message size exceeds fixed maximum message size. Size: x KB, Max size: y KB

    In hMailServer it's possible to specify a maximum message size in the SMTP settings and in the domain settings. If a message is sent which has a size which exceeds these limits, this error message is issued.

    554 Rejected

    If an hMailServer script running on the OnAcceptMessage event rejects a message without specifying an error message, this error is issued.

    554 Your message was received but it could not be saved. Please retry later.

    If the email message was received by hMailServer but could not be saved in the database, this error message is sent to the client. To resolve this issue, the hMailServer logs leading up to the error need to be analyzed. Normally an error message with more details will be logged when this error is reported to the client.

    554 Rejected - Message containing bare LF's.

    According to the SMTP specification, every line in an email message should be separated by the ASCII codes 13 and 10: carriage return (CR) and line feed (LF). Some spammers and incorrectly working software send messages which are not correctly formatted. Use this setting to reject these messages. Please note that legitimate email might have incorrectly formatted line endings if the sending software contains bugs.
    If you are a developer and run into this problem, confirm that each line of your email message (both header and body) ends with a carriage return and a line feed, and not just a line feed. How to do this depends on what programming language you are working with. In C++, C#, and PHP, add \r\n to the end of every line. In Visual Basic, add vbNewLine or vbCRLF.
    On Windows, the default line separator is CRLF. On Linux and UNIX, the default separator is only LF. However, when sending an email message from a Linux/UNIX system, CRLF must always be used. Some email servers under Linux (such as Postfix) automatically replace LF with CRLF. Hence, setting the line separator in the email to CRLF will cause it to be changed to CRCRLF.
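An added example (not hMailServer's code) covering both halves of the advice above: detecting the bare LF that triggers the 554 reply, and converting line endings to CRLF in a way that does not double the CR on lines that were already correct, which is the CRCRLF problem just described. The sample message is constructed, and "250 OK" stands in for whatever acceptance reply a server gives.

```python
"""Detect bare line feeds in a raw message and rewrite its line endings
to CRLF without ever producing CR CR LF, the two pitfalls discussed above.

Added example, not hMailServer's code; the sample message is constructed.
"""
import re

BARE_LF_REPLY = "554 Rejected - Message containing bare LF's."

_BARE_LF = re.compile(rb"(?<!\r)\n")        # LF not preceded by CR
_ANY_EOL = re.compile(rb"\r\n|\r|\n")       # CRLF tried first, then bare CR / LF


def has_bare_lf(raw: bytes) -> bool:
    """True if any LF in the message is not preceded by CR."""
    return _BARE_LF.search(raw) is not None


def data_reply(raw: bytes) -> str:
    """Reply at the end of DATA under the "reject bare LF" setting (modelled);
    "250 OK" is a generic placeholder for acceptance."""
    return BARE_LF_REPLY if has_bare_lf(raw) else "250 OK"


def naive_fix(raw: bytes) -> bytes:
    """The tempting one-liner: it doubles the CR on lines that were already
    CRLF, which is exactly the CRCRLF problem described above."""
    return raw.replace(b"\n", b"\r\n")


def normalize_crlf(raw: bytes) -> bytes:
    """Rewrite every line ending (CRLF, bare CR or bare LF) as CRLF.

    Because the pattern matches an existing CRLF as a unit, correct lines
    are left untouched and the function is idempotent.
    """
    return _ANY_EOL.sub(b"\r\n", raw)


# Constructed message with mixed line endings.
SAMPLE = (b"From: sender@example.com\n"
          b"To: recipient@example.com\r\n"
          b"Subject: line endings\n"
          b"\n"
          b"first line\n"
          b"second line\r\n")

if __name__ == "__main__":
    print(data_reply(SAMPLE))
    print(data_reply(normalize_crlf(SAMPLE)))
    print(b"\r\r\n" in naive_fix(SAMPLE), b"\r\r\n" in normalize_crlf(SAMPLE))
```

Run `normalize_crlf` on the outgoing bytes once, immediately before they go on the wire; because it is idempotent it is also safe in a pipeline where an upstream component may already have fixed some lines.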

    554 Rejected - No data saved.

    If hMailServer received an email message from an SMTP client but could not save the message file on disk, this error message is issued. The problem will occur if the data directory specified in hMailServer.ini is not writable by the hMailServer service.

    554 Rejected - <other error message>

    When an hMailServer script rejects a message in the OnAcceptMessage event, it can specify an error message to be sent to the client. If a script does this, hMailServer sends this error message to the client. <Other error message> is replaced with the error message given by the script.

    554 Tagged as Spam by SpamAssassin

    If an email message is rejected by SpamAssassin, this error message is issued.

    Error messages in bounce messages

    The mail server software tried to deliver e-mail to the local machine

    This error message typically indicates a server configuration error. hMailServer does a number of checks before message delivery to prevent infinite message looping. When an email is sent and the recipient cannot be found in the local installation, hMailServer will normally try to connect to the recipient's email server to deliver the email message.
    Before hMailServer connects to the recipient's email server, hMailServer checks that the IP it is going to connect to is not a local IP address. If the IP is a local IP address, this would mean that hMailServer would connect to itself, which would likely cause a message loop. In this case, hMailServer rejects the message delivery and returns an error message to the sender instead.
    The following causes are common for this problem:
    • A host name or IP address which points at the local computer has been entered as SMTP relayer. Go to the Delivery of e-mail section in the SMTP settings. Check the SMTP Relayer setting. If you have entered localhost, 127.0.0.1, your-own-domain-name.com, or something similar in this textbox, this is likely the cause of the problem. If this is the case, read more about this setting in the SMTP reference guide, and then correct it.
    • One of the MX records for the domain points at your server, but the domain has not been added to your installation.

    No mail servers exists for the address.

    When hMailServer delivers an email to an external recipient, it does a DNS query to determine where the email message should be delivered. If this DNS query fails, the above error message is reported. For example, the query may fail if the DNS server is unavailable or if the recipient domain does not exist. For further troubleshooting, check the hMailServer error log. The hMailServer error log will contain error codes from the DNS client in Windows.

    Error messages not generated by hMailServer

    550 Mailbox unavailable

    hMailServer never generates this error message. If hMailServer is trying to deliver an email message to another server, but the recipient account cannot be found on that server, the recipient's server may issue this error message.
    The error message indicates that you are sending the email to an incorrect address. If you are sure that the address is correct, it may be a problem in the recipient's DNS configuration.

    550 Sender verification failed

    When hMailServer delivers an email to another server, the receiving SMTP server may try to validate that the email sender really exists. If this verification fails, it may respond with the error message 'Sender verification failed'. In these cases, the email will be bounced back to the sender. This verification works the following way:
    1. hMailServer connects to the recipient's SMTP server.
    2. hMailServer tells the recipient's SMTP server that the email is from example@example.com.
    3. The recipient's SMTP server looks up an MX record for the domain example.com.
    4. The recipient's SMTP server connects to the host specified in the MX record, which is likely where your hMailServer server is running if the MX records are set up properly.
    5. After this, the recipient's SMTP server issues the commands HELO, MAIL FROM:<> and RCPT TO: (with the sender address from step 2).
    6. If hMailServer confirms that the recipient example@example.com exists, the recipient's SMTP server will allow the delivery initiated in step 2 above.
    There are a few things which can go wrong in these steps:
    • If the MX records for the domain example.com are not set up properly, the recipient's SMTP server may connect to an incorrect SMTP host and the sender address verification will fail.
    • If the account example@example.com does not exist, the sender verification will fail.
    • If you have disabled Allow empty sender address, the sender verification will fail, since the recipient's SMTP server tries to verify by using an empty sender address.
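The callback exchange from steps 1 to 6, simulated end to end as an added example (not hMailServer's code), with one scenario per failure cause listed above. Both mail servers are toy in-memory objects that answer only the MAIL FROM and RCPT TO commands the callback needs; the MX data, host names and the verifier's HELO name are constructed placeholders, and the reply strings for the two refusals are the hMailServer messages documented on this page.

```python
"""Simulation of the sender-verification callback described above, with
a scenario for each of the three failure causes listed.

Added example, not hMailServer's code. The two mail servers are toy
in-memory objects that answer only MAIL FROM and RCPT TO, and the MX data
is constructed; the verifier's HELO name is a made-up placeholder.
"""
from dataclasses import dataclass, field

EMPTY_SENDER_REFUSED = "550 Sender address must be specified."
UNKNOWN_USER = "550 Unknown user"


@dataclass
class ToyServer:
    """Minimal model of the sending side (where hMailServer would run)."""
    accounts: set = field(default_factory=set)
    allow_empty_sender: bool = True

    def mail_from(self, sender: str) -> str:
        if sender == "" and not self.allow_empty_sender:
            return EMPTY_SENDER_REFUSED
        return "250 OK"

    def rcpt_to(self, rcpt: str) -> str:
        return "250 OK" if rcpt.lower() in self.accounts else UNKNOWN_USER


def callback_verify(sender: str, mx_records: dict, hosts: dict):
    """Run the callback the receiving server performs for `sender`.

    mx_records maps domain -> MX host name, hosts maps host name -> ToyServer.
    Returns (accepted, transcript); the transcript lists each step taken.
    """
    transcript = []
    domain = sender.rsplit("@", 1)[-1]
    mx = mx_records.get(domain)
    if mx is None:
        transcript.append(f"no MX record for {domain}")
        return False, transcript
    transcript.append(f"connect to {mx}")
    server = hosts.get(mx)
    if server is None:
        transcript.append("connection refused: host is not a mail server")
        return False, transcript
    transcript.append("HELO verifier.invalid")          # placeholder name
    reply = server.mail_from("")
    transcript.append(f"MAIL FROM:<> -> {reply}")
    if not reply.startswith("250"):
        return False, transcript
    reply = server.rcpt_to(sender)
    transcript.append(f"RCPT TO:<{sender}> -> {reply}")
    return reply.startswith("250"), transcript


# Constructed sample environment: one normal server, one that refuses
# an empty sender address (the "Allow empty sender address" case above).
HOSTS = {
    "mail.example.com": ToyServer({"example@example.com"}),
    "strict.example.com": ToyServer({"example@example.com"}, allow_empty_sender=False),
}


def run_scenarios() -> dict:
    """Outcome of the callback in the healthy case and the three failure cases."""
    good_mx = {"example.com": "mail.example.com"}
    return {
        "ok": callback_verify("example@example.com", good_mx, HOSTS)[0],
        "wrong_mx": callback_verify("example@example.com", {"example.com": "www.example.com"}, HOSTS)[0],
        "no_such_account": callback_verify("nobody@example.com", good_mx, HOSTS)[0],
        "empty_sender_refused": callback_verify("example@example.com", {"example.com": "strict.example.com"}, HOSTS)[0],
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22} {'accepted' if ok else 'sender verification failed'}")
    for line in callback_verify("example@example.com", {"example.com": "strict.example.com"}, HOSTS)[1]:
        print("   ", line)
```

The transcript is the useful part when diagnosing a bounce: it shows which of the six steps the remote verifier got to, and therefore whether the fix is in DNS (MX), in the account list, or in the empty-sender setting.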

    Monday, September 17, 2012

    Using NSlookup.exe

    To use Nslookup.exe, please note the following:
    • The TCP/IP protocol must be installed on the computer running Nslookup.exe
    • At least one DNS server must be specified when you run the IPCONFIG /ALL command from a command prompt.
    • Nslookup will always devolve the name from the current context. If you fail to fully qualify a name query (that is, use a trailing dot), the query will be appended to the current context. For example, if the current DNS settings are att.com and a query is performed on www.microsoft.com, the first query will go out as www.microsoft.com.att.com because the query is unqualified. This behavior may be inconsistent with other vendors' versions of Nslookup, and this article is presented to clarify the behavior of Microsoft Windows NT Nslookup.exe.
    • If you have implemented the use of the search list in the Domain Suffix Search Order defined on the DNS tab of the Microsoft TCP/IP Properties page, devolution will not occur. The query will be appended to the domain suffixes specified in the list. To avoid using the search list, always use a Fully Qualified Domain Name (that is, add the trailing dot to the name).
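A small model of the qualification rules in the two notes above, added as an example (it is not Microsoft's code and does not call nslookup). It reproduces the stated facts: a trailing dot sends the name as given, a suffix search list appends each suffix with no devolution, and otherwise the name is appended to the current context and devolved. How far devolution proceeds and when the bare name is tried are assumptions of the model, marked in the code.

```python
"""Model of how Nslookup.exe qualifies an unqualified name, as described in
the notes above. Added example, not Microsoft's code.

Behaviour taken from the text: a name ending in a dot is sent as given; when
a Domain Suffix Search Order list is set, each suffix is appended and no
devolution occurs; otherwise the name is appended to the current context and
devolved. Assumptions of this model: devolution drops the leftmost label of
the context one at a time and stops when two labels remain, and the bare
name is tried last.
"""


def candidate_queries(name: str, context: str, search_list=None) -> list:
    """Return the query names, in order, that `name` turns into."""
    if name.endswith("."):
        return [name]                                   # FQDN: no suffixing at all
    if search_list:                                     # search list set: no devolution
        return [f"{name}.{suffix.rstrip('.')}." for suffix in search_list]
    labels = context.rstrip(".").split(".") if context else []
    queries = []
    while len(labels) >= 2:                             # assumption: stop at two labels
        queries.append(f"{name}.{'.'.join(labels)}.")
        labels = labels[1:]
    queries.append(name + ".")                          # assumption: bare name last
    return queries


if __name__ == "__main__":
    # The example from the text: context att.com, query for www.microsoft.com.
    for q in candidate_queries("www.microsoft.com", "att.com"):
        print(q)
    # With a search list the context is not devolved at all.
    for q in candidate_queries("www.microsoft.com", "att.com", ["att.com", "lab.att.com"]):
        print(q)
```

The practical point for troubleshooting is visible in the first result list: an unqualified query for an external name is first answered (or refused, or left to time out) by your own zone, so a stray record under your suffix, or a slow server for it, changes what nslookup reports. Adding the trailing dot removes that ambiguity.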

    Nslookup.exe can be run in two modes: interactive and noninteractive. Noninteractive mode is useful when only a single piece of data needs to be returned. The syntax for noninteractive mode is: 

       nslookup [-option] [hostname] [server]
        

    To start Nslookup.exe in interactive mode, simply type "nslookup" at the command prompt: 

       C:\> nslookup
       Default Server:  nameserver1.domain.com
       Address:  10.0.0.1
       >
        

    Typing "help" or "?" at the command prompt will generate a list of available commands. Anything typed at the command prompt that is not recognized as a valid command is assumed to be a host name and an attempt is made to resolve it using the default server. To interrupt interactive commands, press CTRL+C. To exit interactive mode and return to the command prompt, type exit at the command prompt. 

    The following is the help output and contains the complete list of options: 

    Commands:   (identifiers are shown in uppercase, [] means optional)
    
     NAME            - print info about the host/domain NAME using default 
                       server
     NAME1 NAME2     - as above, but use NAME2 as server
     help or ?       - print info on common commands
     set OPTION      - set an option
    
        all                 - print options, current server and host
        [no]debug           - print debugging information
        [no]d2              - print exhaustive debugging information
        [no]defname         - append domain name to each query
        [no]recurse         - ask for recursive answer to query
        [no]search          - use domain search list
        [no]vc              - always use a virtual circuit
        domain=NAME         - set default domain name to NAME
        srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1, N2, 
                              and so on
        root=NAME           - set root server to NAME
        retry=X             - set number of retries to X
        timeout=X           - set initial time-out interval to X seconds
        type=X              - set query type (for example, A, ANY, CNAME, MX, 
                              NS, PTR, SOA, SRV)
        querytype=X         - same as type
        class=X             - set query class (for example, IN (Internet), ANY)
        [no]msxfr           - use MS fast zone transfer
        ixfrver=X           - current version to use in IXFR transfer request
    
     server NAME     - set default server to NAME, using current default server
     lserver NAME    - set default server to NAME, using initial server
     finger [USER]   - finger the optional NAME at the current default host
     root            - set current default server to the root
     ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to 
                      FILE)
    
        -a          -  list canonical names and aliases
        -d          -  list all records
        -t TYPE     -  list records of the given type (for example, A, CNAME, 
                       MX, NS, PTR, and so on)
    
     view FILE       - sort an 'ls' output file and view it with pg
     exit            - exit the program
        

    A number of different options can be set in Nslookup.exe by running the set command at the command prompt. A complete listing of these options is obtained by typing set all. See above, under the set command for a printout of the available options. 


    Looking up Different Data Types

    To look up different data types within the domain name space, use the set type or set q[uerytype] command at the command prompt. For example, to query for the mail exchanger data, type the following: 
       C:\> nslookup
       Default Server:  ns1.domain.com
       Address:  10.0.0.1
    
       > set q=mx
       > mailhost
       Server:  ns1.domain.com
       Address:  10.0.0.1
    
       mailhost.domain.com     MX preference = 0, mail exchanger =
                               mailhost.domain.com
       mailhost.domain.com     internet address = 10.0.0.5
       >
        

    The first time a query is made for a remote name, the answer is authoritative, but subsequent queries are nonauthoritative. The first time a remote host is queried, the local DNS server contacts the DNS server that is authoritative for that domain. The local DNS server will then cache that information, so that subsequent queries are answered nonauthoritatively out of the local server's cache. 


    Querying Directly from Another Name Server

    To query another name server directly, use the server or lserver commands to switch to that name server. The lserver command uses the local server to get the address of the server to switch to, while the server command uses the current default server to get the address.

    Example: 
       C:\> nslookup
    
       Default Server:  nameserver1.domain.com
       Address:  10.0.0.1
    
       > server 10.0.0.2
    
       Default Server:  nameserver2.domain.com
       Address:  10.0.0.2
       >
        

    Using Nslookup.exe to Transfer Entire Zone

    Nslookup can be used to transfer an entire zone by using the ls command. This is useful to see all the hosts within a remote domain. The syntax for the ls command is: 

       ls [- a | d | t type] domain [> filename]
        

    Using ls with no arguments will return a list of all address and name server data. The -a switch will return alias and canonical names, -d will return all data, and -t will filter by type. 

    Example:

       >ls domain.com
       [nameserver1.domain.com]
        nameserver1.domain.com.    NS     server = ns1.domain.com
        nameserver2.domain.com                 NS     server = ns2.domain.com
        nameserver1                            A      10.0.0.1
        nameserver2                            A      10.0.0.2
    
       >
        

    Zone transfers can be blocked at the DNS server so that only authorized addresses or networks can perform this function. The following error will be returned if zone security has been set: 
    *** Can't list domain example.com.: Query refused

    For additional information, see the following article or articles in the Microsoft Knowledge Base:
    193837 Windows NT 4.0 DNS Server Default Zone Security Settings

    Troubleshooting Nslookup.exe

    Default Server Timed Out

    When starting the Nslookup.exe utility, the following errors may occur: 
    *** Can't find server name for address w.x.y.z: Timed out

    NOTE: w.x.y.z is the first DNS server listed in the DNS Service Search Order list.

    *** Can't find server name for address 127.0.0.1: Timed out

    The first error indicates that the DNS server cannot be reached or the service is not running on that computer. To correct this problem, either start the DNS service on that server or check for possible connectivity problems. 

    The second error indicates that no servers have been defined in the DNS Service Search Order list. To correct this problem, add the IP address of a valid DNS server to this list. 

    For additional information, see the following article or articles in the Microsoft Knowledge Base:
    172060 NSLOOKUP: Can't Find Server Name for Address 127.0.0.1

    Can't Find Server Name when Starting Nslookup.exe

    When starting the Nslookup.exe utility, the following error may occur: 

    *** Can't find server name for address w.x.y.z: Non-existent domain


    This error occurs when there is no PTR record for the name server's IP address. When Nslookup.exe starts, it does a reverse lookup to get the name of the default server. If no PTR data exists, this error message is returned. To correct this, make sure that a reverse lookup zone exists and contains PTR records for the name servers.

    For additional information, see the following article or articles in the Microsoft Knowledge Base:
    172953 How to Install and Configure Microsoft DNS Server

    Nslookup on Child Domain Fails

    When querying or doing a zone transfer on a child domain, Nslookup may return the following errors: 

    *** ns.domain.com can't find child.domain.com.: Non-existent domain
    *** Can't list domain child.domain.com.: Non-existent domain


    In DNS Manager, a new domain can be added under the primary zone, thus creating a child domain. Creating a child domain this way does not create a separate db file for the domain, thus querying that domain or running a zone transfer on it will produce the above errors. Running a zone transfer on the parent domain will list data for both the parent and child domains. To work around this problem, create a new primary zone on the DNS server for the child domain.