Saturday, March 22, 2014

Set Up Postfix with Client Connect TLS Support

SSL (Secure Sockets Layer) and its descendant TLS (Transport Layer Security) are the most widely used protocols for encrypting data that is exchanged between a server and a client. These protocols often use X.509 certificates and asymmetric cryptography.
STARTTLS is another method of securing plain-text communication. It also encrypts the data with SSL or TLS, but upgrades the connection on the same port used by the plain-text protocol instead of using a separate port for SSL/TLS-encrypted communication. For example, IMAP over STARTTLS uses the same port as IMAP (143), while IMAPS (IMAP over SSL) uses a separate port, 993.

Certificates needed for TLS/SSL can be self-signed, signed by a free certification authority (e.g., CAcert) or signed by a commercial authority (e.g., VeriSign), and can be generated with utilities like OpenSSL. We are going to use a self-signed certificate in this tutorial.

Enable TLS Encryption for Postfix

A self-signed certificate can be created with the following command.
# openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/postfixcert.pem -keyout /etc/ssl/private/postfixkey.pem
The above command requests a new self-signed X.509 certificate that remains valid for 365 days. The optional -nodes parameter specifies that the private key should not be encrypted with a passphrase. The certificate is written to postfixcert.pem and the private key to postfixkey.pem.
All necessary values for the certificate can be given:
Country Name (2 letter code) [AU]:BD 
State or Province Name (full name) [Some-State]:Dhaka 
Locality Name (eg, city) []:Dhaka 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:Example.tst 
Common Name (e.g. server FQDN or YOUR name) []:mail.example.tst 
Email Address []:sarmed@example.tst 
Now that the certificate is ready, the necessary parameters are adjusted in the Postfix configuration file.
root@mail:~# vim /etc/postfix/main.cf
### STARTTLS is enabled ("may" = opportunistic: offered to every client, required of none) ###
smtpd_tls_security_level = may

smtpd_tls_received_header = yes
### only advertise SMTP AUTH after the session has been upgraded to TLS ###
smtpd_tls_auth_only = yes

### loglevel 3 should be used while troubleshooting ###
smtpd_tls_loglevel = 1

### path to certificate and key file
smtpd_tls_cert_file = /etc/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/ssl/private/postfixkey.pem
### obsolete since Postfix 2.3; smtpd_tls_security_level above takes precedence
smtpd_use_tls=yes
Restart postfix to enable TLS.
root@mail:~# service postfix restart
At this point, Postfix is ready to encrypt data to and from the server. Note that with smtpd_tls_security_level = may, TLS is opportunistic: it is offered to every client but not required, so a client that never issues STARTTLS still delivers in plain text. More details about Postfix TLS support can be found in the official Postfix TLS README.
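As an added example (not Postfix's own code and not part of the original post), the following script parses main.cf syntax and reports settings that leave the server weaker than the configuration above: STARTTLS off or only enabled through the obsolete smtpd_use_tls, AUTH permitted on unencrypted sessions, or no certificate and key configured. The two sample configurations at the bottom are constructed for the demonstration.

```python
"""Audit the STARTTLS settings in a Postfix main.cf.

Added example (not Postfix's own code): it parses main.cf syntax and
reports settings that leave the server weaker than the tutorial's
configuration. The sample configs at the bottom are constructed.
"""
import re

PARAM_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_main_cf(text):
    """Return {parameter: value} for 'key = value' lines.

    Postfix rules honoured here: '#' lines are comments, and a line
    that begins with whitespace continues the previous parameter.
    """
    params = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last_key is not None:
            params[last_key] = (params[last_key] + " " + raw.strip()).strip()
            continue
        match = PARAM_RE.match(raw)
        if match is None:
            continue
        last_key = match.group(1)
        params[last_key] = match.group(2)
    return params


def audit_smtpd_tls(params):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    level = params.get("smtpd_tls_security_level")
    if level is None:
        # Without smtpd_tls_security_level, Postfix falls back to the
        # obsolete smtpd_use_tls (default "no").
        if params.get("smtpd_use_tls", "no").lower() != "yes":
            findings.append("STARTTLS not enabled: set smtpd_tls_security_level = may")
        else:
            findings.append("smtpd_use_tls is obsolete; set smtpd_tls_security_level instead")
    elif level not in ("may", "encrypt"):
        findings.append(f"smtpd_tls_security_level = {level} leaves STARTTLS off")
    # With auth_only = yes, AUTH is only advertised inside a TLS session,
    # so a plaintext client never gets the chance to send a password.
    if params.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append("smtpd_tls_auth_only should be yes so passwords are never sent in clear")
    for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if not params.get(key):
            findings.append(f"{key} is not set")
    return findings


# Constructed sample: a main.cf that only half-enables TLS.
WEAK_MAIN_CF = """# constructed, not a real server
myhostname = mail.example.tst
smtpd_tls_security_level = none
smtpd_tls_auth_only = no
"""

# Constructed sample matching the settings used in the tutorial, with the
# certificate path written as a continuation line.
GOOD_MAIN_CF = """# constructed, not a real server
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_cert_file =
    /etc/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/ssl/private/postfixkey.pem
smtpd_use_tls=yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_MAIN_CF), ("good", GOOD_MAIN_CF)):
        print(name, audit_smtpd_tls(parse_main_cf(cfg)) or ["ok"])
```

On a real host the text would come from `postconf -n` or the file itself; the parser deliberately accepts the continuation-line form because that is how many hand-edited main.cf files are written, and a checker that missed it would report a false "not set".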

Enable SSL Encryption for Dovecot

Configuring Dovecot for encryption is similar to Postfix.
First of all, a self-signed certificate is created with openssl:
# openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/dovecotcert.pem -keyout /etc/ssl/private/dovecotkey.pem
The above command requests a new X.509 certificate which is valid for 365 days. -nodes is an optional parameter which specifies that the stored private key should not be encrypted. An output certificate file will be dovecotcert.pem, and an output key file will be dovecotkey.pem.
All necessary parameters need to be specified in the certificate:
Country Name (2 letter code) [AU]:BD
State or Province Name (full name) [Some-State]:Dhaka
Locality Name (eg, city) []:Dhaka
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:Example.tst
Common Name (e.g. server FQDN or YOUR name) []:mail.example.tst
Email Address []:sarmed@example.tst
Next, the paths to the certificate and key are added to the Dovecot configuration. The leading < tells Dovecot to read the value from the named file rather than use the path string itself.
root@mail:~# vim /etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/ssl/certs/dovecotcert.pem
ssl_key = </etc/ssl/private/dovecotkey.pem
Finally, Dovecot is restarted to enable SSL with the new certificate.
root@mail:~# service dovecot restart


Troubleshooting

First of all, make sure that all necessary ports are allowed in the firewall.
Second, try connecting to the mail server with telnet; you should be able to get through. Some examples are given below for reference.

Connect to IMAPS

$ telnet mail.example.tst 993
Trying mail.example.tst... 
Connected to mail.example.tst. 
Escape character is '^]'. 
exit 
exit 
Connection closed by foreign host. 

Connect to POP3S

$ telnet mail.example.tst 995
Trying mail.example.tst... 
Connected to mail.example.tst. 
Escape character is '^]'. 
exit 
exit 
Connection closed by foreign host. 

Connect to SMTP

$ telnet mail.example.tst 25
Trying mail.example.tst... 
Connected to mail.example.tst. 
Escape character is '^]'. 
220 mail.example.tst ESMTP Postfix (Ubuntu) 

### Command ###
ehlo mail.example.tst 
250-mail.example.tst 
250-PIPELINING 
250-SIZE 10240000 
250-VRFY 
250-ETRN 
250-STARTTLS 
250-ENHANCEDSTATUSCODES 
250-8BITMIME 
250 DSN
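As an added example (not part of the original post), this script parses the multi-line 250 reply Postfix returns to EHLO, as captured above with telnet, and checks the two things the configuration in this post is meant to guarantee on the plaintext port: STARTTLS is advertised, and AUTH is not offered before the session is encrypted (the effect of smtpd_tls_auth_only = yes). The first sample is the session shown above; the weak sample is constructed.

```python
"""Check what a mail server advertises on the plaintext SMTP port.

Added example (not part of the original post): it parses the multi-line
250 reply Postfix returns to EHLO, as captured above with telnet, and
checks that STARTTLS is offered and that AUTH is not offered before the
session is encrypted. The weak sample reply is constructed.
"""


def parse_ehlo_reply(text):
    """Return {KEYWORD: [parameters]} from an EHLO reply.

    RFC 5321 format: every line starts with the 3-digit code; '250-'
    marks a continuation line and '250 ' the final line. The first 250
    line carries the server's domain, not a capability, so it is skipped.
    Other lines (the 220 greeting, the echoed command) are ignored.
    """
    caps = {}
    first = True
    for line in text.splitlines():
        line = line.strip()
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        words = line[4:].split()
        if first:
            first = False
        elif words:
            caps[words[0].upper()] = words[1:]
        if line[3] == " ":
            break  # final line of the reply
    return caps


def check_plaintext_ehlo(caps):
    """Findings for a capability set seen on port 25 before STARTTLS."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS is not advertised; check smtpd_tls_security_level")
    if "AUTH" in caps:
        findings.append("AUTH advertised before STARTTLS; set smtpd_tls_auth_only = yes")
    return findings


# The session shown in the post above.
TUTORIAL_REPLY = """220 mail.example.tst ESMTP Postfix (Ubuntu)
ehlo mail.example.tst
250-mail.example.tst
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Constructed: a server with TLS switched off that still offers AUTH.
WEAK_REPLY = """220 mail.example.tst ESMTP Postfix
250-mail.example.tst
250-PIPELINING
250-AUTH PLAIN LOGIN
250 8BITMIME
"""

if __name__ == "__main__":
    for name, reply in (("tutorial", TUTORIAL_REPLY), ("weak", WEAK_REPLY)):
        print(name, check_plaintext_ehlo(parse_ehlo_reply(reply)) or ["ok"])
```

The same parser can be pointed at an EHLO reply captured after STARTTLS, where AUTH is expected to appear; the absence of AUTH before STARTTLS and its presence after it is exactly the behaviour smtpd_tls_auth_only = yes produces.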

Tuesday, March 18, 2014

VMware Virtual SAN (vSAN) is out now!

VMware announced the general availability of VMware Virtual SAN, a new and radically simple storage solution optimized for virtual environments. This was done during a VMware Virtual SAN online event, of which you can view the replay here. It includes a demonstration of the product, the experiences of beta customers, and performance and scalability details.
For those who don't know Virtual SAN: it is an object-based storage system and a platform for VM Storage Policies that aims to simplify virtual machine storage placement decisions for vSphere administrators. It pools the local storage of a number of ESXi hosts that are part of a cluster and creates a single distributed vsanDatastore. Virtual SAN is fully integrated with vSphere, so it can be used for VM placement, and of course supports all the core vSphere technologies like vMotion, DRS and vSphere HA.
[Figure: vSAN scale.png]

Scalability

VMware Virtual SAN scales up to 32 nodes in a cluster allowing for linear scalability of performance to 2 million IOPS on read-only workloads and 640,000 IOPS on mixed workloads. 
You will need at least 3 ESXi hosts to deploy Virtual SAN, and each host needs at least one hard disk and at least one SSD. There are a couple of best practices I found online:
  1. VMware recommends at least a 1:10 ratio of SSD to HDD. When your performance demands increase, you may need to raise this ratio to 2:10 or 3:10.
  2. VMware recommends as a best practice that all hosts in the VSAN cluster be configured similarly, if not identically, from a storage and compute perspective.
The choice of SSD is essential to Virtual SAN performance. VMware is providing an HCL which grades SSDs on performance.
Because you can vary the SSD vs HDD ratio you can simply scale a vSphere cluster with Virtual SAN for capacity or performance.
[Figure: Flexibly-Configure-for-Performance-and-Capacity.png]

Versions & licensing

Staying true to the value proposition of simplicity, VMware uses per-socket pricing with no limits on scalability, performance or capacity, which makes forecasting and budgeting significantly easier without constraining hardware component selection or node configuration.
VMware Virtual SAN is available in three editions/bundles.
[Figure: Virtual-SAN-5.5-Pricing-Packaging.png]
All editions feature the complete set of Virtual SAN capabilities – data persistency, read/write caching, storage policy based management, etc. – and include the vSphere Distributed Switch. This means that customers can take advantage of simplified network management of vSphere Distributed Switch for their Virtual SAN storage regardless of the underlying vSphere edition they use. Data services such as snapshots, clones, linked-clones and replication are available directly through vSphere, and are already available with every vSphere edition (Essentials Plus and above).
For customers seeking to complete their storage solution with backup and recovery capabilities, VMware is offering Virtual SAN with Data Protection. A promotional bundle available for a limited time, it brings together Virtual SAN with vSphere Data Protection Advanced, VMware’s simple, efficient, and robust backup product for vSphere environments.
[Figure: Virtual-SAN-Launch-Promotions.png]
The VMware Virtual SAN Design and Sizing Guide can be downloaded here.
If you want a testdrive with VMware Virtual SAN, you can visit the free Hands-on Lab (HOL) which enables you to play and explore all you want.
vSphere 5.5 Update 1 which includes Virtual SAN can be downloaded here.

Monday, March 3, 2014

Useful Commands for Troubleshooting - RHEL 6



  • Look at the boot time kernel messages:

# less /var/log/dmesg
 
  • Look at the latest kernel messages:

# dmesg|tail
 
  • Look for any entries in /var/log/messages pertaining to eth0 but exclude any entries containing DHCP:

# grep -i eth0 /var/log/messages*|grep -v DHCP
  • Look for the rsyslogd process in ps output:

# ps ax |grep rsyslogd
 
  • Look for the rsyslogd or init processes in ps output:

# ps ax | grep -E "rsyslogd|init"
 
  • Look at the first line in /etc/passwd:

# head -1 /etc/passwd
 
  • Look at the last two lines in /etc/passwd.

# tail -2 /etc/passwd
 
  • Show the output of a command, then show it again but remove the first line (header text) only:

# swapon -s
# swapon -s|tail -n +2
 
  • Get the output of df (-P selects the POSIX output format, so a long device name is not wrapped onto a second line), remove the header text, and print only the last column, which holds the mount points of the mounted filesystems:

# df -P | tail -n +2 |awk '{print $6}'
 
  • Run the lspci command with extra verbosity:

# lspci -vvv|less