Subject: Re: How to use ctdlmigrate successfully?
Yes, the base and target system do need to be upgraded to the same version for this to work. I did upgrade the version on the Pi to the version running on IA before doing the migrate.
You shouldn't need to upgrade the whole system, though. Do you mean the Linux distro (i.e., apt-get update && apt-get dist-upgrade), or the hardware itself would need to be upgraded?
I'm pretty sure I didn't do a dist-upgrade on the Pi before I upgraded to the most recent version of Citadel. I did make a backup image of the Pi's SD card and tested it first, then did the Citadel Upgrade, then did the Citadel migrate.
Thank you, ParanoidDelusions, for your kind help. But I didn't get it done. I think my citadel source system needs an upgrade first. And that's not what I want to do because I would need to upgrade the whole system. Too much can go wrong. So I go the mail user agent way.
Fri Jan 08 2021 00:45:52 EST from ParanoidDelusions Subject: Re: How to use ctdlmigrate successfully?
Ask the guys here - I was in such full-blown panic mode I was driving them nuts with badly formed questions I'd answer myself a day later.
But... let me think about that. It was from non-like 9xx versions - I made an image of my SD and then upgraded it to the same version, first. It was on Raspbian to Debian. I did enable the root account on the Pi, and I feel like that was a major step forward. I used a combination of ctdlmigrate
https://www.citadel.org/how_do_i_move_citadel_to_another_host.html
Rsync failed with permissions issue. I looked at the commands that failed, ran them manually under root on the source machine, and most of them worked. The ones that failed were the /files folder - which it seems like Raspbian even locks root out of that folder. Later I took ownership of it and moved it over. It helped me figure out a lot of what was going on, and going wrong, on the Pi.
Again, there is a spinning / when you run this, I believe. It would just stall out on me. I finally got it to run once, and it spun the whole time.
That is what got me looking at syslog with -f and where I noticed the series of errors as it was importing. The time I saw it was not throwing errors, I can't tell you why.
But after that I was rebuilding and tweaking it and trying to import it from one like Debian machine to another - and I think then I was playing around with ./sendcommand "MIGR export" >exported.xml and I had that file in /
The instructions for that are at:
https://www.citadel.org/system_administration_manual.html
Under Importing/Exporting your Citadel database
Sorry - I really wish I could be more help. I'll have a look at my history and bookmarks and see if they give me any other insight what I did right. Again, if you read back a dozen or so pages, you'll see my online meltdown where I was describing what I was doing and what was happening. It could help, too.
I wish you could remember, too :-)
Did you migrate between the same version of citadel on RPi 3b+ and on i5 or at least between the same major numbers like 8xx or 9xx?
Was a password set for your admin-account on citadel of RPi 3b+?
Did you copy any files from RPi 3b+ to i5 except the export of the database on RPi 3b+?
Take a look at the attachments. I am using spamassassin and have the "Perform RBL checks upon connect instead of after RCPT" option checked (citadel smtp administration tab). My failregex checks for smtp auth errors and rbls.
Verify the paths work for you (e.g. path to citadel or your log files)
Let me know if it worked.
Michael
Glad I was able to help Michael,
Do you have a fail2ban filter file for citadel, something that would be under the 'filter.d'? I wasn't able to find a proper filter that would work for citadel with fail2ban.
If yes, could you please share it? (will save me time instead of building the filter file from scratch).
Thanks!
Works
syslog: mail citserver[1467]: citserver[1467]: user_ops: bad password specified for <> Service <SMTP-MTA> Port <port #> Remote <OP address / IP addrress>
mail.log: mail citserver[1467]: user_ops: bad password specified for <> Service <SMTP-MTA> Port <port #> Remote <OP address / IP addrress>
Thanks a bunch for taking another look at it. I implemented the change to citadel.service and will do some smtp auth testing later today. FYI - there is a failregex sample described in the Citadel Security room here on this bbs.
I may have found the solution to the problem I experienced in my previous answer/solution below: The '-d' parameter was originally supposed to cause Citserver to run as a daemon. But possibly with systemd it is not needed anymore, or not supported correctly since in fact it caused citserver to have two instances in memory. I removed the '-d' parameter so the line in /etc/systemd/system/citadel.service is now:
/usr/local/citadel/citserver -lmail -x6
and now I am able to see bad login attempts in /var/log/mail.log so fail2ban mail filter should be able to find it and activate blocking. The bad login attempt error line contains the text "user_ops: bad password specified for" as well as the IP number of the offending machine trying to log in, which can be used in the fail2ban filter. I haven't tested yet with fail2ban, but will do so shortly.
By the way, in case you need, the highest level of logging is X7 (the levels are 0-7, 0 being the minimum and 7 being the maximum)
I have a partial answer for you, but also extend your question so hope that someone else would be able to complete the answer - since I am also trying to use fail2ban with Citadel and it doesn't work as it should:
In previous versions of Citadel, there was an option to add command line parameters that will set the log level. I used to use:
/usr/local/citadel/citserver -lmail -d -x6
which means using the most verbose logging level and using /var/log/mail.log as the log file (although I think it is the default now, in the past it went only to syslog)
With systemd Citadel is running as a service, so I tried to make these changes to the /etc/systemd/system/citadel.service file, but after the change and restart I am not seeing any difference in the log level. I can verify (with 'ps x | grep citserver') that the command line parameters are sent to citserver, BUT I DO NOT see any difference in the log level at mail.log
Another problem - I can see that some of the Citadel logging data is saved at /var/log/mail.log and some of it is at /var/log/syslog - specifically the login authorization data (bad login attempts, which fail2ban needs to monitor).
That is a problem since fail2ban can only monitor a single log file per 'jail'. Of course I can try and bypass and create 2 fail2ban jails for Citadel but that complicates things quite a bit and it is not supposed to be that way.
Can anyone share further advice on that? Thank you!
Hi,
Happy new year!
I'm running Citadel 930 and Webcit 927, installed with easyinstall on my Odroid C2 (updating config.guess in libcitadel.tar and citadel-easyinstall.tar would be great).
I would like to change the log level for smtp events to let Fail2ban block IPs (i.e. telnet connects on port 25). What would I need to do to generate that information in either mail.log or syslog?
Regards.
Michael
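The failed-login line quoted in this thread can be checked against a candidate fail2ban failregex before it goes into a filter.d file. The following is an added example, not code from any poster or from the Citadel project: it assumes the log fields are filled in as in the template quoted above, uses a simplified stand-in for fail2ban's `<HOST>` expansion, and runs over constructed sample lines (the webcit line is taken from this thread).

```python
import ipaddress
import re
from collections import Counter

# Candidate failregex in fail2ban syntax, built from the log text quoted in the thread.
# The user name is client-supplied, so the pattern is anchored to the end of the
# line and takes the address only from the final Remote field.
FAILREGEX = (
    r"citserver\[\d+\]: user_ops: bad password specified for <[^>]*> "
    r"Service <[^>]*> Port <\d+> Remote <[^/>]* / <HOST>>\s*$"
)
# Assumption: simplified replacement for fail2ban's <HOST> (IP literals only).
HOST_GROUP = r"(?P<host>[0-9A-Fa-f:.]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

# Constructed sample lines: the first two use the doubled syslog prefix,
# the others the single mail.log prefix described in the thread.
SAMPLE_LOG = """\
Jan 17 14:02:11 mail citserver[1467]: citserver[1467]: user_ops: bad password specified for <admin> Service <SMTP-MTA> Port <25> Remote <host7.example.net / 203.0.113.7>
Jan 17 14:02:15 mail citserver[1467]: citserver[1467]: user_ops: bad password specified for <info> Service <SMTP-MTA> Port <25> Remote <host7.example.net / 203.0.113.7>
Jan 17 14:02:19 mail citserver[1467]: user_ops: bad password specified for <sales> Service <SMTP-MTA> Port <25> Remote <host7.example.net / 203.0.113.7>
Jan 17 14:03:40 mail citserver[1467]: user_ops: bad password specified for <bob> Service <SMTP-MTA> Port <25> Remote <198.51.100.23 / 198.51.100.23>
Jan 17 14:10:49 secure webcit[3500]: Attempting to bind to port 443...
Jan 17 14:11:02 mail citserver[1467]: user_ops: bad password specified for <admin> Service <SMTP-MTA> Port <25> Remote <2001:db8::5 / 2001:db8::5>
"""


def failed_logins(lines):
    """Yield the remote IP of every line the failregex accepts."""
    for line in lines:
        match = PATTERN.search(line)
        if not match:
            continue
        try:
            # Reject anything the loose host group matched that is not an IP.
            yield str(ipaddress.ip_address(match.group("host")))
        except ValueError:
            continue


def hosts_to_ban(lines, maxretry=3):
    """Return the IPs with at least `maxretry` failures, as a jail would ban."""
    counts = Counter(failed_logins(lines))
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG.splitlines()))
```

Once the pattern behaves on sample lines, the same failregex can be run against the real log with fail2ban's own `fail2ban-regex` tool.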
Hello
No email is sent and this error appears
requested action not taken mailbox unavailable or relaying denied
Possible solution to this error !?
Thanks
Thanks Michael,
I also noticed that warbaby posted a 'Quick and dirty fail2ban filter for Citadel' in the Citadel Security room:
http://uncensored.citadel.org/webcit/webcit/dotgoto?room=Citadel%20Security
My citadel server, which is being used only for email, has degraded to the point that it no longer runs. I can't log into the web interface. My devices can't fetch mail. It is running on an ubuntu server and was configured after easy install.
After it stopped working, I attempted to do an easy install from an updated package. When I ssh into the box I get the following messages:
citserver[3250]: db: cdb_fetch(9): BDB0075 DB_PAGE_NOTFOUND: Requested page not found
I was seeing these messages even before attempting to patch with the latest. Not sure what to do from here.
Hi,
I'm by no means an expert, but every problem I've had so far with Citadel has been a database one.
If it’s not happy with the data, the server won’t start. Do you have any backups of the data directory?
I type the address of 192.168.1.xxx of the raspberry pi to get the citadel login page...no login page appears?
How do i get the login page to come up?
On the Pi, open the browser, and try http://127.0.0.1
Did you leave it on the default port (80?)
If so, do you have Apache running and installed on the default port too?
Subject: trying to configure nntp on private citadel server
So as the subject says I'm trying to configure nntp access for my rooms on a private server how would I do this?
Hi, If you wish to bad mouth me well OK
I have or think I have installed CITADEL but cannot find out how to log in.
Could someone kindly direct me to relevant information please or better still tell me how to
Cheers
Syd
I will badmouth you for posting your support request in the LOBBY instead of in the CITADEL SUPPORT room.
But to answer your question: connect your web browser to the port specified for WebCit during the setup process. The default username is "admin" and the default password is "citadel".
Just a heads up... yesterday and today, when I try to send a message, the editor kind of refreshes - you know, you can see the frame resizing and the raw HTML in it, then it comes back up in the editor, not looking like the message was sent. I go and check Sent Messages, and the message is not there - but I've gotten responses on ones I thought didn't send, so my guess is that they are sending. I can't describe it more technically than this. It looks like the message didn't send, but I get a response, so it must have.
Yes i changed the citadel to 8080. apache2 comes up with 192.168.1.50 and also 127.0.01!!
How do i get past the apache2 to citadel....sorry really new to this!!!
Kevin
I probably thought of this so quickly because I'm not super good at this, myself.
Type in http://127.0.0.1:8080
or http://192.168.1.50:8080
Both should open at your Citadel screen.
Is there a way to send a systemwide page to all logged in users without restarting?
Also:
When trying to restart with page all users, I get:
didn't find Template [box_serverrestartpage] 21 21
So...
In order to change my default port for https from 4916 to 443...
Do I...
run /etc/webcit ./setup and change it there to 443
then change the redirects from lobby at /etc/systemd/system/webcit-https.service from p4916 to p443
I've done this on my test system, and after restarting citadel, rebooting the entire machine, it no longer redirects on connect from lobby to the welcome room.
I am connecting to https://127.0.0.1
Is there something I'm missing?
Warbaby was right - it does fix the broken SSL messages in my logs - and seems to speed up the response time of the Citadel - at least, when connecting to localhost.
Something is definitely wrong.
Jan 17 14:10:49 secure webcit[3500]: Attempting to bind to port 443...
Jan 17 14:10:49 secure webcit[3500]: Can't bind: Address already in use
Sun Jan 17 2021 15:52:48 EST from ParanoidDelusions
So...
In order to change my default port for https from 4916 to 443...
Do I...
run /etc/webcit ./setup and change it there to 443
then change the redirects from lobby at /etc/systemd/system/webcit-https.service from p4916 to p443
I've done this on my test system, and after restarting citadel, rebooting the entire machine, it no longer redirects on connect from lobby to the welcome room.
I am connecting to https://127.0.0.1
Is there something I'm missing?
Warbaby was right - it does fix the broken SSL messages in my logs - and seems to speed up the response time of the Citadel - at least, when connecting to localhost.
Subject: Change SSL Port in Webcit (Was:PD Forgot a subject again)
I'll post my ramblings on it somewhere else - but I got it sorted.
Sun Jan 17 2021 16:11:06 EST from ParanoidDelusions
Something is definitely wrong.
Jan 17 14:10:49 secure webcit[3500]: Attempting to bind to port 443...
Jan 17 14:10:49 secure webcit[3500]: Can't bind: Address already in use
WEBCIT/EASYINSTALL
root@mail:/etc# ag -i webcit
systemd/system/webcit-https.service
5:ExecStart=/usr/local/webcit/webcit -s -p2001 uds /usr/local/citadel
systemd/system/webcit-http.service
5:ExecStart=/usr/local/webcit/webcit -p8080 uds /usr/local/citadel
root@ellen:/etc#
OR, there are some older init scripts in /etc/init.d/webcit # if you have a package version..
You'll have to hack the files right there.. if it's in systemd, just cp or mv to some safe place, before you mess with them..
cp /etc/systemd/system/webcit-http.service ~/webcit-backup # etc.. or
cp webcit-http.service webcit-http.service.dist # something like that..
If you're using NGINX for Proxy pass, webcit is still running on a port somewhere, but NOT 80/443! .. just think your way through it..
use 'netstat -lnp' see what is running on which port..
ParanoidDelusions, remember if you want to do the Start Page, you have to add the URL to the startup line.. [I forget the exact syntax, but you should have it.. You had it setup in the past.]