11_network-services.po

msgid ""
msgstr ""
"Project-Id-Version: 0\n"
"POT-Creation-Date: 2015-11-17 12:22+0100\n"
"PO-Revision-Date: 2015-11-17 12:22+0100\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"Language: en-US \n"
"MIME-Version: 1.0\n"
"Content-Type: application/x-publican; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Generator: Publican v4.3.2\n"

msgid "Postfix"
msgstr ""

msgid "Apache"
msgstr ""

msgid "NFS"
msgstr ""

msgid "Samba"
msgstr ""

msgid "Squid"
msgstr ""

msgid "OpenLDAP"
msgstr ""

msgid "SIP"
msgstr ""

msgid "Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN"
msgstr ""

msgid "Network services are the programs that users interact with directly in their daily work. They are the tip of the information system iceberg, and this chapter focuses on them; the hidden parts they rely on are the infrastructure we already described."
msgstr ""

msgid "Many modern network services require encryption technology to operate reliably and securely, especially when used on the public Internet. X.509 Certificates (which may also be referred to as SSL Certificates or TLS Certificates) are frequently used for this purpose. A certificate for a specific domain can often be shared between more than one of the services discussed in this chapter."
msgstr ""

msgid "<primary>TLS</primary>"
msgstr ""

msgid "<primary>X.509</primary>"
msgstr ""

msgid "<primary>Certificates</primary>"
msgstr ""

msgid "Mail Server"
msgstr ""

msgid "The Falcot Corp administrators selected Postfix for the electronic mail server, due to its reliability and its ease of configuration. Indeed, its design enforces that each task is implemented in a process with the minimum set of required permissions, which is a great mitigation measure against security problems."
msgstr ""

msgid "<primary>email</primary><secondary>server</secondary>"
msgstr ""

msgid "<primary>mail server</primary>"
msgstr ""

msgid "<primary>Postfix</primary>"
msgstr ""

msgid "<emphasis>ALTERNATIVE</emphasis> The Exim4 server"
msgstr ""

msgid "<primary>Exim</primary>"
msgstr ""

msgid "Debian uses Exim4 as the default email server (which is why the initial installation includes Exim4). The configuration is provided by a separate package, <emphasis role=\"pkg\">exim4-config</emphasis>, and automatically customized based on the answers to a set of Debconf questions very similar to the questions asked by the <emphasis role=\"pkg\">postfix</emphasis> package."
msgstr ""

msgid "The configuration can be either in one single file (<filename>/etc/exim4/exim4.conf.template</filename>) or split across a number of configuration snippets stored under <filename>/etc/exim4/conf.d/</filename>. In both cases, the files are used by <command>update-exim4.conf</command> as templates to generate <filename>/var/lib/exim4/config.autogenerated</filename>. The latter is the file used by Exim4. Thanks to this mechanism, values obtained through Exim's debconf configuration — which are stored in <filename>/etc/exim4/update-exim4.conf.conf</filename> — can be injected in Exim's configuration file, even when the administrator or another package has altered the default Exim configuration."
msgstr ""

msgid "The Exim4 configuration file syntax has its peculiarities and its learning curve; however, once these peculiarities are understood, Exim4 is a very complete and powerful email server, as evidenced by the tens of pages of documentation. <ulink type=\"block\" url=\"http://www.exim.org/docs.html\" />"
msgstr ""

msgid "Installing Postfix"
msgstr ""

msgid "The <emphasis role=\"pkg\">postfix</emphasis> package includes the main SMTP daemon. Other packages (such as <emphasis role=\"pkg\">postfix-ldap</emphasis> and <emphasis role=\"pkg\">postfix-pgsql</emphasis>) add extra functionality to Postfix, including access to mapping databases. You should only install them if you know that you need them."
msgstr ""

msgid "<emphasis>BACK TO BASICS</emphasis> SMTP"
msgstr ""

msgid "<primary>SMTP</primary>"
msgstr ""

msgid "<primary>Simple Mail Transfer Protocol</primary>"
msgstr ""

msgid "<primary>server</primary><secondary>SMTP</secondary>"
msgstr ""

msgid "SMTP (<emphasis>Simple Mail Transfer Protocol</emphasis>) is the protocol used by mail servers to exchange and route emails."
msgstr ""

msgid "Several Debconf questions are asked during the installation of the package. The answers allow generating a first version of the <filename>/etc/postfix/main.cf</filename> configuration file."
msgstr ""

msgid "The first question deals with the type of setup. Only two of the proposed answers are relevant in case of an Internet-connected server, “Internet site” and “Internet with smarthost”. The former is appropriate for a server that receives incoming email and sends outgoing email directly to its recipients, and is therefore well-adapted to the Falcot Corp case. The latter is appropriate for a server receiving incoming email normally, but that sends outgoing email through an intermediate SMTP server — the “smarthost” — rather than directly to the recipient's server. This is mostly useful for individuals with a dynamic IP address, since many email servers reject messages coming straight from such an IP address. In this case, the smarthost will usually be the ISP's SMTP server, which is always configured to accept email coming from the ISP's customers and forward it appropriately. This setup (with a smarthost) is also relevant for servers that are not permanently connected to the internet, since it avoids having to manage a queue of undeliverable messages that need to be retried later."
msgstr ""

msgid "<emphasis>VOCABULARY</emphasis> ISP"
msgstr ""

msgid "<primary>ISP, Internet Service Provider</primary>"
msgstr ""

msgid "ISP is the acronym for “Internet Service Provider”. It covers an entity, often a commercial company, that provides Internet connections and the associated basic services (email, news and so on)."
msgstr ""

msgid "The second question deals with the full name of the machine, used to generate email addresses from a local user name; the full name of the machine ends up as the part after the at-sign (“@”). In the case of Falcot, the answer should be <literal>mail.falcot.com</literal>. This is the only question asked by default, but the configuration it leads to is not complete enough for the needs of Falcot, which is why the administrators run <command>dpkg-reconfigure postfix</command> so as to be able to customize more parameters."
msgstr ""

msgid "One of the extra questions asks for all the domain names related to this machine. The default list includes its full name as well as a few synonyms for <literal>localhost</literal>, but the main <literal>falcot.com</literal> domain needs to be added by hand. More generally, this question should usually be answered with all the domain names for which this machine should serve as an MX server; in other words, all the domain names for which the DNS says that this machine will accept email. This information ends up in the <literal>mydestination</literal> variable of the main Postfix configuration file — <filename>/etc/postfix/main.cf</filename>."
msgstr ""

msgid "<primary>server</primary><secondary>MX</secondary>"
msgstr ""

msgid "<primary>MX</primary><secondary>server</secondary>"
msgstr ""

msgid "Role of the DNS <emphasis>MX</emphasis> record while sending a mail"
msgstr ""

msgid "<emphasis>EXTRA</emphasis> Querying the MX records"
msgstr ""

msgid "When the DNS does not have an MX record for a domain, the email server will try sending the messages to the host itself, by using the matching A record (or AAAA in IPv6)."
msgstr ""

msgid "In some cases, the installation can also ask what networks should be allowed to send email via the machine. In its default configuration, Postfix only accepts emails coming from the machine itself; the local network will usually be added. The Falcot Corp administrators added <literal>192.168.0.0/16</literal> to the default answer. If the question is not asked, the relevant variable in the configuration file is <literal>mynetworks</literal>, as seen in the example below."
msgstr ""

msgid "Local email can also be delivered through <command>procmail</command>. This tool allows users to sort their incoming email according to rules stored in their <filename>~/.procmailrc</filename> file."
msgstr ""

msgid "<primary><command>procmail</command></primary>"
msgstr ""

msgid "<primary>email</primary><secondary>filtering</secondary>"
msgstr ""

msgid "<primary>filtering email</primary>"
msgstr ""

msgid "After this first step, the administrators got the following configuration file; it will be used as a starting point for adding some extra functionality in the next sections."
msgstr ""

msgid "Initial <filename>/etc/postfix/main.cf</filename> file"
msgstr ""

msgid ""
"\n"
"# See /usr/share/postfix/main.cf.dist for a commented, more complete version\n"
"\n"
"\n"
"# Debian specific:  Specifying a file name will cause the first\n"
"# line of that file to be used as the name.  The Debian default\n"
"# is /etc/mailname.\n"
"#myorigin = /etc/mailname\n"
"\n"
"smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)\n"
"biff = no\n"
"\n"
"# appending .domain is the MUA's job.\n"
"append_dot_mydomain = no\n"
"\n"
"# Uncomment the next line to generate \"delayed mail\" warnings\n"
"#delay_warning_time = 4h\n"
"\n"
"readme_directory = no\n"
"\n"
"# TLS parameters\n"
"smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem\n"
"smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key\n"
"smtpd_use_tls=yes\n"
"smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache\n"
"smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache\n"
"\n"
"# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for\n"
"# information on enabling SSL in the smtp client.\n"
"\n"
"smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination\n"
"myhostname = mail.falcot.com\n"
"alias_maps = hash:/etc/aliases\n"
"alias_database = hash:/etc/aliases\n"
"myorigin = /etc/mailname\n"
"mydestination = mail.falcot.com, falcot.com, localhost.localdomain, localhost\n"
"relayhost = \n"
"mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/16\n"
"mailbox_command = procmail -a \"$EXTENSION\"\n"
"mailbox_size_limit = 0\n"
"recipient_delimiter = +\n"
"inet_interfaces = all\n"
"inet_protocols = all"
msgstr ""

msgid "<emphasis>SECURITY</emphasis> <emphasis>Snake oil</emphasis> SSL certificates"
msgstr ""

msgid "The <emphasis>snake oil</emphasis> certificates, like the <emphasis>snake oil</emphasis> “medicine” sold by unscrupulous quacks in old times, have absolutely no value: you cannot rely on them to authenticate the server since they are automatically generated self-signed certificates. However they are useful to improve the privacy of the exchanges."
msgstr ""

msgid "In general they should only be used for testing purposes, and normal service must use real certificates; these can be generated with the procedure described in <xref linkend=\"sect.easy-rsa\" />."
msgstr ""

msgid "Configuring Virtual Domains"
msgstr ""

msgid "<primary>domain</primary><secondary>virtual</secondary>"
msgstr ""

msgid "<primary>virtual domain</primary>"
msgstr ""

msgid "The mail server can receive emails addressed to other domains besides the main domain; these are then known as virtual domains. In most cases where this happens, the emails are not ultimately destined to local users. Postfix provides two interesting features for handling virtual domains."
msgstr ""

msgid "<emphasis>CAUTION</emphasis> Virtual domains and canonical domains"
msgstr ""

msgid "None of the virtual domains must be referenced in the <literal>mydestination</literal> variable; this variable only contains the names of the “canonical” domains directly associated to the machine and its local users."
msgstr ""

msgid "Virtual Alias Domains"
msgstr ""

msgid "<primary>alias</primary><secondary>virtual alias domain</secondary>"
msgstr ""

msgid "<primary>virtual domain</primary><secondary>virtual alias domain</secondary>"
msgstr ""

msgid "A virtual alias domain only contains aliases, i.e. addresses that only forward emails to other addresses."
msgstr ""

msgid "Such a domain is enabled by adding its name to the <literal>virtual_alias_domains</literal> variable, and referencing an address mapping file in the <literal>virtual_alias_maps</literal> variable."
msgstr ""

msgid "Directives to add in the <filename>/etc/postfix/main.cf</filename> file"
msgstr ""

msgid ""
"\n"
"virtual_alias_domains = falcotsbrand.com\n"
"virtual_alias_maps = hash:/etc/postfix/virtual"
msgstr ""

msgid "The <filename>/etc/postfix/virtual</filename> file describes a mapping with a rather straightforward syntax: each line contains two fields separated by whitespace; the first field is the alias name, the second field is a list of email addresses where it redirects. The special <literal>@domain.com</literal> syntax covers all remaining aliases in a domain."
msgstr ""

msgid "Example <filename>/etc/postfix/virtual</filename> file"
msgstr ""

msgid ""
"\n"
"webmaster@falcotsbrand.com  jean@falcot.com\n"
"contact@falcotsbrand.com    laure@falcot.com, sophie@falcot.com\n"
"# The alias below is generic and covers all addresses within \n"
"# the falcotsbrand.com domain not otherwise covered by this file.\n"
"# These addresses forward email to the same user name in the\n"
"# falcot.com domain.\n"
"@falcotsbrand.com           @falcot.com"
msgstr ""

msgid "Virtual Mailbox Domains"
msgstr ""

msgid "<emphasis>CAUTION</emphasis> Combined virtual domain?"
msgstr ""

msgid "Postfix does not allow using the same domain in both <literal>virtual_alias_domains</literal> and <literal>virtual_mailbox_domains</literal>. However, every domain of <literal>virtual_mailbox_domains</literal> is implicitly included in <literal>virtual_alias_domains</literal>, which makes it possible to mix aliases and mailboxes within a virtual domain."
msgstr ""

msgid "<primary>mailbox, virtual domain</primary>"
msgstr ""

msgid "<primary>virtual domain</primary><secondary>virtual mailbox domain</secondary>"
msgstr ""

msgid "Messages addressed to a virtual mailbox domain are stored in mailboxes not assigned to a local system user."
msgstr ""

msgid "Enabling a virtual mailbox domain requires naming this domain in the <literal>virtual_mailbox_domains</literal> variable, and referencing a mailbox mapping file in <literal>virtual_mailbox_maps</literal>. The <literal>virtual_mailbox_base</literal> parameter contains the directory under which the mailboxes will be stored."
msgstr ""

msgid "The <literal>virtual_uid_maps</literal> parameter (respectively <literal>virtual_gid_maps</literal>) references the file containing the mapping between the email address and the system user (respectively group) that “owns” the corresponding mailbox. To get all mailboxes owned by the same owner/group, the <literal>static:5000</literal> syntax assigns a fixed UID/GID (of value 5000 here)."
msgstr ""

msgid ""
"\n"
"virtual_mailbox_domains = falcot.org\n"
"virtual_mailbox_maps = hash:/etc/postfix/vmailbox\n"
"virtual_mailbox_base = /var/mail/vhosts"
msgstr ""

msgid "Again, the syntax of the <filename>/etc/postfix/vmailbox</filename> file is quite straightforward: two fields separated with whitespace. The first field is an email address within one of the virtual domains, and the second field is the location of the associated mailbox (relative to the directory specified in <emphasis>virtual_mailbox_base</emphasis>). If the mailbox name ends with a slash (<literal>/</literal>), the emails will be stored in the <emphasis>maildir</emphasis> format; otherwise, the traditional <emphasis>mbox</emphasis> format will be used. The <emphasis>maildir</emphasis> format uses a whole directory to store a mailbox, each individual message being stored in a separate file. In the <emphasis>mbox</emphasis> format, on the other hand, the whole mailbox is stored in one file, and each line starting with “<literal>From </literal>” (<literal>From</literal> followed by a space) signals the start of a new message."
msgstr ""

msgid "The <filename>/etc/postfix/vmailbox</filename> file"
msgstr ""

msgid ""
"\n"
"# Jean's email is stored as maildir, with\n"
"# one file per email in a dedicated directory\n"
"jean@falcot.org falcot.org/jean/\n"
"# Sophie's email is stored in a traditional \"mbox\" file,\n"
"# with all mails concatenated into one single file\n"
"sophie@falcot.org falcot.org/sophie"
msgstr ""

msgid "Restrictions for Receiving and Sending"
msgstr ""

msgid "The growing number of unsolicited bulk emails (<emphasis>spam</emphasis>) requires being increasingly strict when deciding which emails a server should accept. This section presents some of the strategies included in Postfix."
msgstr ""

msgid "<emphasis>CULTURE</emphasis> The spam problem"
msgstr ""

msgid "<primary>spam</primary>"
msgstr ""

msgid "“Spam” is a generic term used to designate all the unsolicited commercial emails (also known as UCEs) that flood our electronic mailboxes; the unscrupulous individuals sending them are known as spammers. They care little about the nuisance they cause, since sending an email costs very little, and only a very small percentage of recipients need to be attracted by the offers for the spamming operation to make more money than it costs. The process is mostly automated, and any email address made public (for instance, on a web forum, or on the archives of a mailing list, or on a blog, and so on) will be discovered by the spammers' robots, and subjected to a never-ending stream of unsolicited messages."
msgstr ""

msgid "All system administrators try to face this nuisance with spam filters, but of course spammers keep adjusting to try to work around these filters. Some even rent networks of machines compromised by a worm from various crime syndicates. Recent statistics estimate that up to 95% of all emails circulating on the Internet are spam!"
msgstr ""

msgid "IP-Based Access Restrictions"
msgstr ""

msgid "The <literal>smtpd_client_restrictions</literal> directive controls which machines are allowed to communicate with the email server."
msgstr ""

msgid "Restrictions Based on Client Address"
msgstr ""

msgid ""
"\n"
"smtpd_client_restrictions = permit_mynetworks,\n"
"    warn_if_reject reject_unknown_client,\n"
"    check_client_access hash:/etc/postfix/access_clientip,\n"
"    reject_rbl_client sbl-xbl.spamhaus.org,\n"
"    reject_rbl_client list.dsbl.org"
msgstr ""

msgid "When a variable contains a list of rules, as in the example above, these rules are evaluated in order, from the first to the last. Each rule can accept the message, reject it, or leave the decision to a following rule. As a consequence, order matters, and simply switching two rules can lead to a widely different behavior."
msgstr ""

msgid "The <literal>permit_mynetworks</literal> directive, used as the first rule, accepts all emails coming from a machine in the local network (as defined by the <emphasis>mynetworks</emphasis> configuration variable)."
msgstr ""

msgid "The second directive would normally reject emails coming from machines without a completely valid DNS configuration. Such a valid configuration means that the IP address can be resolved to a name, and that this name, in turn, resolves to the IP address. This restriction is often too strict, since many email servers do not have a reverse DNS for their IP address. This explains why the Falcot administrators prepended the <literal>warn_if_reject</literal> modifier to the <literal>reject_unknown_client</literal> directive: this modifier turns the rejection into a simple warning recorded in the logs. The administrators can then keep an eye on the number of messages that would be rejected if the rule were actually enforced, and make an informed decision later if they wish to enable such enforcement."
msgstr ""

msgid "<emphasis>TIP</emphasis> <emphasis>access</emphasis> tables"
msgstr ""

msgid "The restriction criteria include administrator-modifiable tables listing combinations of senders, IP addresses, and allowed or forbidden hostnames. These tables can be created from an uncompressed copy of the <filename>/usr/share/doc/postfix-doc/examples/access.gz</filename> file. This model is self-documented in its comments, which means each table describes its own syntax."
msgstr ""

msgid "The <filename>/etc/postfix/access_clientip</filename> table lists IP addresses and networks; <filename>/etc/postfix/access_helo</filename> lists domain names; <filename>/etc/postfix/access_sender</filename> contains sender email addresses. All these files need to be turned into hash-tables (a format optimized for fast access) after each change, with the <command>postmap /etc/postfix/<replaceable>file</replaceable></command> command."
msgstr ""

msgid "The third directive allows the administrator to set up a blacklist and a whitelist of email servers, stored in the <filename>/etc/postfix/access_clientip</filename> file. Servers in the whitelist are considered as trusted, and the emails coming from there therefore do not go through the following filtering rules."
msgstr ""

msgid "The last two rules reject any message coming from a server listed in one of the indicated blacklists. RBL is an acronym for <emphasis>Remote Black List</emphasis>; there are several such lists, but they all list badly configured servers that spammers use to relay their emails, as well as unexpected mail relays such as machines infected with worms or viruses."
msgstr ""

msgid "<primary>RBL</primary>"
msgstr ""

msgid "<primary>Remote Black List</primary>"
msgstr ""

msgid "<emphasis>TIP</emphasis> White list and RBLs"
msgstr ""

msgid "Blacklists sometimes include a legitimate server that has been suffering an incident. In these situations, all emails coming from one of these servers would be rejected unless the server is listed in a whitelist defined by <filename>/etc/postfix/access_clientip</filename>."
msgstr ""

msgid "Prudence therefore recommends including in the whitelist all the trusted servers from which many emails are usually received."
msgstr ""

msgid "Checking the Validity of the <literal>EHLO</literal> or <literal>HELO</literal> Commands"
msgstr ""

msgid "Each SMTP exchange starts with a <literal>HELO</literal> (or <literal>EHLO</literal>) command, followed by the name of the sending email server; checking the validity of this name can be interesting."
msgstr ""

msgid "<primary><literal>HELO</literal></primary>"
msgstr ""

msgid "<primary><literal>EHLO</literal></primary>"
msgstr ""

msgid "Restrictions on the name announced in <literal>EHLO</literal>"
msgstr ""

msgid ""
"\n"
"smtpd_helo_restrictions = permit_mynetworks,\n"
"    reject_invalid_hostname,\n"
"    check_helo_access hash:/etc/postfix/access_helo,\n"
"    reject_non_fqdn_hostname,\n"
"    warn_if_reject reject_unknown_hostname"
msgstr ""

msgid "The first <literal>permit_mynetworks</literal> directive allows all machines on the local network to introduce themselves freely. This is important, because some email programs do not respect this part of the SMTP protocol adequately enough, and they can introduce themselves with nonsensical names."
msgstr ""

msgid "The <literal>reject_invalid_hostname</literal> rule rejects emails when the <literal>EHLO</literal> announce lists a syntactically incorrect hostname. The <literal>reject_non_fqdn_hostname</literal> rule rejects messages when the announced hostname is not a fully-qualified domain name (including a domain name as well as a host name). The <literal>reject_unknown_hostname</literal> rule rejects messages if the announced name does not exist in the DNS. Since this last rule unfortunately leads to too many rejections, the administrators turned its effect to a simple warning with the <literal>warn_if_reject</literal> modifier as a first step; they may decide to remove this modifier at a later stage, after auditing the results of this rule."
msgstr ""

msgid "Using <literal>permit_mynetworks</literal> as the first rule has an interesting side effect: the following rules only apply to hosts outside the local network. This allows blacklisting all hosts that announce themselves as part of the <literal>falcot.com</literal>, for instance by adding a <literal>falcot.com REJECT You are not in our network!</literal> line to the <filename>/etc/postfix/access_helo</filename> file."
msgstr ""

msgid "Accepting or Refusing Based on the Announced Sender"
msgstr ""

msgid "Every message has a sender, announced by the <literal>MAIL FROM</literal> command of the SMTP protocol; again, this information can be validated in several different ways."
msgstr ""

msgid "<primary><literal>MAIL FROM</literal></primary>"
msgstr ""

msgid "<primary>email</primary><secondary>filtering on the sender</secondary>"
msgstr ""

msgid "Sender checks"
msgstr ""

msgid ""
"\n"
"smtpd_sender_restrictions = \n"
"    check_sender_access hash:/etc/postfix/access_sender,\n"
"    reject_unknown_sender_domain, reject_unlisted_sender,\n"
"    reject_non_fqdn_sender"
msgstr ""

msgid "The <filename>/etc/postfix/access_sender</filename> table maps some special treatment to some senders. This usually means listing some senders into a white list or a black list."
msgstr ""

msgid "The <literal>reject_unknown_sender_domain</literal> rule requires a valid sender domain, since it is needed for a valid address. The <literal>reject_unlisted_sender</literal> rule rejects local senders if the address does not exist; this prevents emails from being sent from an invalid address in the <literal>falcot.com</literal> domain, and messages emanating from <literal>joe.bloggs@falcot.com</literal> are only accepted if such an address really exists."
msgstr ""

msgid "Finally, the <literal>reject_non_fqdn_sender</literal> rule rejects emails purporting to come from addresses without a fully-qualified domain name. In practice, this means rejecting emails coming from <literal>user@machine</literal>: the address must be announced as either <literal>user@machine.example.com</literal> or <literal>user@example.com</literal>."
msgstr ""

msgid "Accepting or Refusing Based on the Recipient"
msgstr ""

msgid "Each email has at least one recipient, announced with the <literal>RCPT TO</literal> command in the SMTP protocol. These addresses also warrant validation, even if that may be less relevant than the checks made on the sender address."
msgstr ""

msgid "<primary>RCPT TO</primary>"
msgstr ""

msgid "<primary>email</primary><secondary>filtering on the recipient</secondary>"
msgstr ""

msgid "Recipient checks"
msgstr ""

msgid ""
"\n"
"smtpd_recipient_restrictions = permit_mynetworks, \n"
"    reject_unauth_destination, reject_unlisted_recipient, \n"
"    reject_non_fqdn_recipient"
msgstr ""

msgid "<literal>reject_unauth_destination</literal> is the basic rule that requires outside messages to be addressed to us; messages sent to an address not served by this server are rejected. Without this rule, a server becomes an open relay that allows spammers to send unsolicited emails; this rule is therefore mandatory, and it will be best included near the beginning of the list, so that no other rules may authorize the message before its destination has been checked."
msgstr ""

msgid "The <literal>reject_unlisted_recipient</literal> rule rejects messages sent to non-existing local users, which makes sense. Finally, the <literal>reject_non_fqdn_recipient</literal> rule rejects non-fully-qualified addresses; this makes it impossible to send an email to <literal>jean</literal> or <literal>jean@machine</literal>, and requires using the full address instead, such as <literal>jean@machine.falcot.com</literal> or <literal>jean@falcot.com</literal>."
msgstr ""

msgid "Restrictions Associated with the <literal>DATA</literal> Command"
msgstr ""

msgid "The <literal>DATA</literal> command of SMTP is emitted before the contents of the message. It doesn't provide any information per se, apart from announcing what comes next. It can still be subjected to checks."
msgstr ""

msgid "<primary><literal>DATA</literal></primary>"
msgstr ""

msgid "<literal>DATA</literal> checks"
msgstr ""

msgid "\n"
"smtpd_data_restrictions = reject_unauth_pipelining"
msgstr ""

msgid "The <literal>reject_unauth_pipelining</literal> directives causes the message to be rejected if the sending party sends a command before the reply to the previous command has been sent. This guards against a common optimization used by spammer robots, since they usually don't care a fig about replies and only focus on sending as many emails as possible in as short a time as possible."
msgstr ""

msgid "Applying Restrictions"
msgstr ""

msgid "Although the above commands validate information at various stages of the SMTP exchange, Postfix only sends the actual rejection as a reply to the <literal>RCPT TO</literal> command."
msgstr ""

msgid "This means that even if the message is rejected due to an invalid <literal>EHLO</literal> command, Postfix knows the sender and the recipient when announcing the rejection. It can then log a more explicit message than it could if the transaction had been interrupted from the start. In addition, a number of SMTP clients do not expect failures on the early SMTP commands, and these clients will be less disturbed by this late rejection."
msgstr ""

msgid "A final advantage to this choice is that the rules can accumulate information during the various stages of the SMTP exchange; this allows defining more fine-grained permissions, such as rejecting a non-local connection if it announces itself with a local sender."
msgstr ""

msgid "Filtering Based on the Message Contents"
msgstr ""

msgid "The validation and restriction system would not be complete without a way to apply checks to the message contents. Postfix differentiates the checks applying to the email headers from those applying to the email body."
msgstr ""

msgid "Enabling content-based filters"
msgstr ""

msgid ""
"\n"
"header_checks = regexp:/etc/postfix/header_checks\n"
"body_checks = regexp:/etc/postfix/body_checks"
msgstr ""

msgid "<primary>email</primary><secondary>filtering on contents</secondary>"
msgstr ""

msgid "Both files contain a list of regular expressions (commonly known as <emphasis>regexps</emphasis> or <emphasis>regexes</emphasis>) and associated actions to be triggered when the email headers (or body) match the expression."
msgstr ""

msgid "<emphasis>QUICK LOOK</emphasis> Regexp tables"
msgstr ""

msgid "The <filename>/usr/share/doc/postfix-doc/examples/header_checks.gz</filename> file contains many explanatory comments and can be used as a starting point for creating the <filename>/etc/postfix/header_checks</filename> and <filename>/etc/postfix/body_checks</filename> files."
msgstr ""

msgid "Example <filename>/etc/postfix/header_checks</filename> file"
msgstr ""

msgid ""
"\n"
"/^X-Mailer: GOTO Sarbacane/ REJECT I fight spam (GOTO Sarbacane)\n"
"/^Subject: *Your email contains VIRUSES/ DISCARD virus notification"
msgstr ""

msgid "<emphasis>BACK TO BASICS</emphasis> Regular expression"
msgstr ""

msgid "The <emphasis>regular expression</emphasis> term (shortened to <emphasis>regexp</emphasis> or <emphasis>regex</emphasis>) references a generic notation for expressing a description of the contents and/or structure of a string of characters. Certain special characters allow defining alternatives (for instance, <literal>foo|bar</literal> matches either “foo” or “bar”), sets of allowed characters (for instance, <literal>[0-9]</literal> means any digit, and <literal>.</literal> — a dot — means any character), quantifications (<literal>s?</literal> matches either <literal>s</literal> or the empty string, in other words 0 or 1 occurrence of <literal>s</literal>; <literal>s+</literal> matches one or more consecutive <literal>s</literal> characters; and so on). Parentheses allow grouping search results."
msgstr ""

msgid "The precise syntax of these expressions varies across the tools using them, but the basic features are similar. <ulink type=\"block\" url=\"http://en.wikipedia.org/wiki/Regular_expression\" />"
msgstr ""

msgid "The first one checks the header mentioning the email software; if <literal>GOTO Sarbacane</literal> (a bulk email software) is found, the message is rejected. The second expression controls the message subject; if it mentions a virus notification, we can decide not to reject the message but to discard it immediately instead."
msgstr ""

msgid "Using these filters is a double-edged sword, because it is easy to make the rules too generic and to lose legitimate emails as a consequence. In these cases, not only the messages will be lost, but their senders will get unwanted (and annoying) error messages."
msgstr ""

msgid "Setting Up <foreignphrase>greylisting</foreignphrase>"
msgstr ""

msgid "<primary>greylisting</primary>"
msgstr ""

msgid "“Greylisting” is a filtering technique according to which a message is initially rejected with a temporary error code, and only accepted on a further try after some delay. This filtering is particularly efficient against spam sent by the many machines infected by worms and viruses, since this software rarely acts as a full SMTP agent (by checking the error code and retrying failed messages later), especially since many of the harvested addresses are really invalid and retrying would only mean losing time."
msgstr ""

msgid "Postfix doesn't provide greylisting natively, but there is a feature by which the decision to accept or reject a given message can be delegated to an external program. The <emphasis role=\"pkg\">postgrey</emphasis> package contains just such a program, designed to interface with this access policy delegation service."
msgstr ""

msgid "Once <emphasis role=\"pkg\">postgrey</emphasis> is installed, it runs as a daemon and listens on port 10023. Postfix can then be configured to use it, by adding the <literal>check_policy_service</literal> parameter as an extra restriction:"
msgstr ""

msgid ""
"\n"
"smtpd_recipient_restrictions = permit_mynetworks,\n"
"    [...]\n"
"    check_policy_service inet:127.0.0.1:10023"
msgstr ""

msgid "Each time Postfix reaches this rule in the ruleset, it will connect to the <command>postgrey</command> daemon and send it information concerning the relevant message. On its side, Postgrey considers the IP address/sender/recipient triplet and checks in its database whether that same triplet has been seen recently. If so, Postgrey replies that the message should be accepted; if not, the reply indicates that the message should be temporarily rejected, and the triplet gets recorded in the database."
msgstr ""

msgid "The main disadvantage of greylisting is that legitimate messages get delayed, which is not always acceptable. It also increases the burden on servers that send many legitimate emails."
msgstr ""

msgid "<emphasis>IN PRACTICE</emphasis> Shortcomings of greylisting"
msgstr ""

msgid "Theoretically, greylisting should only delay the first mail from a given sender to a given recipient, and the typical delay is in the order of minutes. Reality, however, can differ slightly. Some large ISPs use clusters of SMTP servers, and when a message is initially rejected, the server that retries the transmission may not be the same as the initial one. When that happens, the second server gets a temporary error message due to greylisting too, and so on; it may take several hours until transmission is attempted by a server that has already been involved, since SMTP servers usually increase the delay between retries at each failure."
msgstr ""

msgid "As a consequence, the incoming IP address may vary in time even for a single sender. But it goes further: even the sender address can change. For instance, many mailing-list servers encode extra information in the sender address so as to be able to handle error messages (known as <emphasis>bounces</emphasis>). Each new message sent to a mailing-list may then need to go through greylisting, which means it has to be stored (temporarily) on the sender's server. For very large mailing-lists (with tens of thousands of subscribers), this can soon become a problem."
msgstr ""

msgid "To mitigate these drawbacks, Postgrey manages a whitelist of such sites, and messages emanating from them are immediately accepted without going through greylisting. This list can easily be adapted to local needs, since it is stored in the <filename>/etc/postgrey/whitelist_clients</filename> file."
msgstr ""

msgid "<emphasis>GOING FURTHER</emphasis> Selective greylisting with <emphasis role=\"pkg\">milter-greylist</emphasis>"
msgstr ""

msgid "The drawbacks of greylisting can be mitigated by only using greylisting on the subset of clients that are already considered as probable sources of spam (because they are listed in a DNS blacklist). This is not possible with <emphasis role=\"pkg\">postgrey</emphasis> but <emphasis role=\"pkg\">milter-greylist</emphasis> can be used in such a way."
msgstr ""

msgid "In that scenario, since DNS blacklists never triggers a definitive rejection, it becomes reasonable to use aggressive blacklists, including those listing all dynamic IP addresses from ISP clients (such as <literal>pbl.spamhaus.org</literal> or <literal>dul.dnsbl.sorbs.net</literal>)."
msgstr ""

msgid "Since milter-greylist uses Sendmail's milter interface, the postfix side of its configuration is limited to “<literal>smtpd_milters = unix:/var/run/milter-greylist/milter-greylist.sock</literal>”. The <citerefentry><refentrytitle>greylist.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> manual page documents <filename>/etc/milter-greylist/greylist.conf</filename> and the numerous ways to configure milter-greylist. You will also have to edit <filename>/etc/default/milter-greylist</filename> to actually enable the service."
msgstr ""

msgid "Customizing Filters Based On the Recipient"
msgstr ""

msgid "<xref linkend=\"sect.restrictions-for-receiving-and-sending\" /> and <xref linkend=\"sect.setting-up-greylisting\" /> reviewed many of the possible restrictions. They all have their use in limiting the amount of received spam, but they also all have their drawbacks. It is therefore more and more common to customize the set of filters depending on the recipient. At Falcot Corp, greylisting is interesting for most users, but it hinders the work of some users who need low latency in their emails (such as the technical support service). Similarly, the commercial service sometimes has problems receiving emails from some Asian providers who may be listed in blacklists; this service asked for a non-filtered address so as to be able to correspond."
msgstr ""

msgid "Postfix provides such a customization of filters with a “restriction class” concept. The classes are declared in the <literal>smtpd_restriction_classes</literal> parameter, and defined the same way as <literal>smtpd_recipient_restrictions</literal>. The <literal>check_recipient_access</literal> directive then defines a table mapping a given recipient to the appropriate set of restrictions."
msgstr ""

msgid "Defining restriction classes in <filename>main.cf</filename>"
msgstr ""

msgid ""
"smtpd_restriction_classes = greylisting, aggressive, permissive\n"
"\n"
"greylisting = check_policy_service inet:127.0.0.1:10023\n"
"aggressive = reject_rbl_client sbl-xbl.spamhaus.org,\n"
"        check_policy_service inet:127.0.0.1:10023\n"
"permissive = permit\n"
"\n"
"smtpd_recipient_restrictions = permit_mynetworks,\n"
"        reject_unauth_destination,\n"
"        check_recipient_access hash:/etc/postfix/recipient_access"
msgstr ""

msgid "The <filename>/etc/postfix/recipient_access</filename> file"
msgstr ""

msgid ""
"\n"
"# Unfiltered addresses\n"
"postmaster@falcot.com  permissive\n"
"support@falcot.com     permissive\n"
"sales-asia@falcot.com  permissive\n"
"\n"
"# Aggressive filtering for some privileged users\n"
"joe@falcot.com         aggressive\n"
"\n"
"# Special rule for the mailing-list manager\n"
"sympa@falcot.com       reject_unverified_sender\n"
"\n"
"# Greylisting by default\n"
"falcot.com             greylisting"
msgstr ""

msgid "Integrating an Antivirus"
msgstr ""

msgid "<primary>antivirus</primary>"
msgstr ""

msgid "The many viruses circulating as attachments to emails make it important to set up an antivirus at the entry point of the company network, since despite an awareness campaign, some users will still open attachments from obviously shady messages."
msgstr ""

msgid "The Falcot administrators selected <command>clamav</command> for their free antivirus. The main package is <emphasis role=\"pkg\">clamav</emphasis>, but they also installed a few extra packages such as <emphasis role=\"pkg\">arj</emphasis>, <emphasis role=\"pkg\">unzoo</emphasis>, <emphasis role=\"pkg\">unrar</emphasis> and <emphasis role=\"pkg\">lha</emphasis>, since they are required for the antivirus to analyze attachments archived in one of these formats."
msgstr ""

msgid "<primary><command>clamav</command></primary>"
msgstr ""

msgid "<primary><command>clamav-milter</command></primary>"
msgstr ""

msgid "The task of interfacing between antivirus and the email server goes to <command>clamav-milter</command>. A <emphasis>milter</emphasis> (short for <emphasis>mail filter</emphasis>) is a filtering program specially designed to interface with email servers. A milter uses a standard application programming interface (API) that provides much better performance than filters external to the email servers. Milters were initially introduced by <emphasis>Sendmail</emphasis>, but <emphasis>Postfix</emphasis> soon followed suit."
msgstr ""

msgid "<emphasis>QUICK LOOK</emphasis> A milter for Spamassassin"
msgstr ""

msgid "<primary><emphasis role=\"pkg\">spamass-milter</emphasis></primary>"
msgstr ""

msgid "The <emphasis role=\"pkg\">spamass-milter</emphasis> package provides a milter based on <emphasis>SpamAssassin</emphasis>, the famous unsolicited email detector. It can be used to flag messages as probable spams (by adding an extra header) and/or to reject the messages altogether if their “spamminess” score goes beyond a given threshold."
msgstr ""

msgid "Once the <emphasis role=\"pkg\">clamav-milter</emphasis> package is installed, the milter should be reconfigured to run on a TCP port rather than on the default named socket. This can be achieved with <command>dpkg-reconfigure clamav-milter</command>. When prompted for the “Communication interface with Sendmail”, answer “<literal>inet:10002@127.0.0.1</literal>”."
msgstr ""

msgid "<emphasis>NOTE</emphasis> Real TCP port vs named socket"
msgstr ""

msgid "The reason why we use a real TCP port rather than the named socket is that the postfix daemons often run chrooted and do not have access to the directory hosting the named socket. You could also decide to keep using a named socket and pick a location within the chroot (<filename>/var/spool/postfix/</filename>)."
msgstr ""

msgid "The standard ClamAV configuration fits most situations, but some important parameters can still be customized with <command>dpkg-reconfigure clamav-base</command>."
msgstr ""

msgid "The last step involves telling Postfix to use the recently-configured filter. This is a simple matter of adding the following directive to <filename>/etc/postfix/main.cf</filename>:"
msgstr ""

msgid ""
"\n"
"# Virus check with clamav-milter\n"
"smtpd_milters = inet:[127.0.0.1]:10002"
msgstr ""

msgid "If the antivirus causes problems, this line can be commented out, and <command>service postfix reload</command> should be run so that this change is taken into account."
msgstr ""

msgid "<emphasis>IN PRACTICE</emphasis> Testing the antivirus"
msgstr ""

msgid "Once the antivirus is set up, its correct behavior should be tested. The simplest way to do that is to send a test email with an attachment containing the <filename>eicar.com</filename> (or <filename>eicar.com.zip</filename>) file, which can be downloaded online: <ulink type=\"block\" url=\"http://www.eicar.org/86-0-Intended-use.html\" />"
msgstr ""

msgid "This file is not a true virus, but a test file that all antivirus software on the market diagnose as a virus to allow checking installations."
msgstr ""

msgid "All messages handled by Postfix now go through the antivirus filter."
msgstr ""

msgid "Authenticated SMTP"
msgstr ""

msgid "Being able to send emails requires an SMTP server to be reachable; it also requires said SMTP server to send emails through it. For roaming users, this may need regularly changing the configuration of the SMTP client, since Falcot's SMTP server rejects messages coming from IP addresses apparently not belonging to the company. Two solutions exist: either the roaming user installs an SMTP server on their computer, or they still use the company server with some means of authenticating as an employee. The former solution is not recommended since the computer won't be permanently connected, and it won't be able to retry sending messages in case of problems; we will focus on the latter solution."
msgstr ""

msgid "SMTP authentication in Postfix relies on SASL (<emphasis>Simple Authentication and Security Layer</emphasis>). It requires installing the <emphasis role=\"pkg\">libsasl2-modules</emphasis> and <emphasis role=\"pkg\">sasl2-bin</emphasis> packages, then registering a password in the SASL database for each user that needs authenticating on the SMTP server. This is done with the <command>saslpasswd2</command> command, which takes several parameters. The <literal>-u</literal> option defines the authentication domain, which must match the <literal>smtpd_sasl_local_domain</literal> parameter in the Postfix configuration. The <literal>-c</literal> option allows creating a user, and <literal>-f</literal> allows specifying the file to use if the SASL database needs to be stored at a different location than the default (<filename>/etc/sasldb2</filename>)."
msgstr ""

msgid ""
"\n"
"<computeroutput># </computeroutput><userinput>saslpasswd2 -u `postconf -h myhostname` -f /var/spool/postfix/etc/sasldb2 -c jean</userinput>\n"
"<computeroutput>[... type jean's password twice ...]</computeroutput>"
msgstr ""

msgid "Note that the SASL database was created in Postfix's directory. In order to ensure consistency, we also turn <filename>/etc/sasldb2</filename> into a symbolic link pointing at the database used by Postfix, with the <command>ln -sf /var/spool/postfix/etc/sasldb2 /etc/sasldb2</command> command."
msgstr ""

msgid "Now we need to configure Postfix to use SASL. First the <literal>postfix</literal> user needs to be added to the <literal>sasl</literal> group, so that it can access the SASL account database. A few new parameters are also needed to enable SASL, and the <literal>smtpd_recipient_restrictions</literal> parameter needs to be configured to allow SASL-authenticated clients to send emails freely."
msgstr ""

msgid "Enabling SASL in <filename>/etc/postfix/main.cf</filename>"
msgstr ""

msgid ""
"\n"
"# Enable SASL authentication\n"
"smtpd_sasl_auth_enable = yes\n"
"# Define the SASL authentication domain to use\n"
"smtpd_sasl_local_domain = $myhostname\n"
"[...]\n"
"# Adding permit_sasl_authenticated before reject_unauth_destination\n"
"# allows relaying mail sent by SASL-authenticated users\n"
"smtpd_recipient_restrictions = permit_mynetworks,\n"
"    permit_sasl_authenticated,\n"
"    reject_unauth_destination,\n"
"[...]"
msgstr ""

msgid "<emphasis>EXTRA</emphasis> Authenticated SMTP client"
msgstr ""

msgid "Most email clients are able to authenticate to an SMTP server before sending outgoing messages, and using that feature is a simple matter of configuring the appropriate parameters. If the client in use does not provide that feature, the workaround is to use a local Postfix server and configure it to relay email via the remote SMTP server. In this case, the local Postfix itself will be the client that authenticates with SASL. Here are the required parameters:"
msgstr ""

msgid ""
"\n"
"smtp_sasl_auth_enable = yes\n"
"smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd\n"
"relay_host = [mail.falcot.com]"
msgstr ""

msgid "The <filename>/etc/postfix/sasl_passwd</filename> file needs to contain the username and password to use for authenticating on the <literal>mail.falcot.com</literal> server. Here is an example:"
msgstr ""

msgid "\n"
"[mail.falcot.com]   joe:LyinIsji"
msgstr ""

msgid "As for all Postfix maps, this file must be turned into <filename>/etc/postfix/sasl_passwd.db</filename> with the <command>postmap</command> command."
msgstr ""

msgid "Web Server (HTTP)"
msgstr ""

msgid "The Falcot Corp administrators decided to use the Apache HTTP server, included in Debian <emphasis role=\"distribution\">Jessie</emphasis> at version 2.4.10."
msgstr ""

msgid "<primary><command>apache</command></primary>"
msgstr ""

msgid "<primary>server</primary><secondary>web</secondary>"
msgstr ""

msgid "<primary>web server</primary>"
msgstr ""

msgid "<primary>server</primary><secondary>HTTP</secondary>"
msgstr ""

msgid "<primary>HTTP</primary><secondary>server</secondary>"
msgstr ""

msgid "<emphasis>ALTERNATIVE</emphasis> Other web servers"
msgstr ""

msgid "Apache is merely the most widely-known (and widely-used) web server, but there are others; they can offer better performance under certain workloads, but this has its counterpart in the smaller number of available features and modules. However, when the prospective web server is built to serve static files or to act as a proxy, the alternatives, such as <emphasis role=\"pkg\">nginx</emphasis> and <emphasis role=\"pkg\">lighttpd</emphasis>, are worth investigating."
msgstr ""

msgid "<primary><emphasis role=\"pkg\">nginx</emphasis></primary>"
msgstr ""

msgid "<primary><emphasis role=\"pkg\">lighttpd</emphasis></primary>"
msgstr ""

msgid "Installing Apache"
msgstr ""

msgid "Installing the <emphasis role=\"pkg\">apache2</emphasis> package is all that is needed. It contains all the modules, including the <emphasis>Multi-Processing Modules</emphasis> (MPMs) that affect how Apache handles parallel processing of many requests (those used to be provided in separate <emphasis role=\"pkg\">apache2-mpm-*</emphasis> packages). It will also pull <emphasis role=\"pkg\">apache2-utils</emphasis> containing the command line utilities that we will discover later."
msgstr ""

msgid "The MPM in use affects significantly the way Apache will handle concurrent requests. With the <emphasis>worker</emphasis> MPM, it uses <emphasis>threads</emphasis> (lightweight processes), whereas with the <emphasis>prefork</emphasis> MPM it uses a pool of processes created in advance. With the <emphasis>event</emphasis> MPM it also uses threads, but the inactive connections (notably those kept open by the HTTP <emphasis>keep-alive</emphasis> feature) are handed back to a dedicated management thread."
msgstr ""

msgid "The Falcot administrators also install <emphasis role=\"pkg\">libapache2-mod-php5</emphasis> so as to include the PHP support in Apache. This causes the default <emphasis>event</emphasis> MPM to be disabled, and <emphasis>prefork</emphasis> to be used instead, since PHP only works under that particular MPM."
msgstr ""

msgid "<emphasis>SECURITY</emphasis> Execution under the <literal>www-data</literal> user"
msgstr ""

msgid "<primary><literal>www-data</literal></primary>"
msgstr ""

msgid "<primary>suexec</primary>"
msgstr ""

msgid "By default, Apache handles incoming requests under the identity of the <literal>www-data</literal> user. This means that a security vulnerability in a CGI script executed by Apache (for a dynamic page) won't compromise the whole system, but only the files owned by this particular user."
msgstr ""

msgid "Using the <emphasis>suexec</emphasis> modules allows bypassing this rule so that some CGI scripts are executed under the identity of another user. This is configured with a <literal>SuexecUserGroup <replaceable>user</replaceable><replaceable>group</replaceable></literal> directive in the Apache configuration."
msgstr ""

msgid "<primary><emphasis role=\"pkg\">libapache2-mpm-itk</emphasis></primary>"
msgstr ""

msgid "Another possibility is to use a dedicated MPM, such as the one provided by <emphasis role=\"pkg\">libapache2-mpm-itk</emphasis>. This particular one has a slightly different behavior: it allows “isolating” virtual hosts (actually, sets of pages) so that they each run as a different user. A vulnerability in one website therefore cannot compromise files belonging to the owner of another website."
msgstr ""

msgid "<emphasis>QUICK LOOK</emphasis> List of modules"
msgstr ""

msgid "The full list of Apache standard modules can be found online. <ulink type=\"block\" url=\"http://httpd.apache.org/docs/2.4/mod/index.html\" />"
msgstr ""

msgid "Apache is a modular server, and many features are implemented by external modules that the main program loads during its initialization. The default configuration only enables the most common modules, but enabling new modules is a simple matter of running <command>a2enmod <replaceable>module</replaceable></command>; to disable a module, the command is <command>a2dismod <replaceable>module</replaceable></command>. These programs actually only create (or delete) symbolic links in <filename>/etc/apache2/mods-enabled/</filename>, pointing at the actual files (stored in <filename>/etc/apache2/mods-available/</filename>)."
msgstr ""

msgid "With its default configuration, the web server listens on port 80 (as configured in <filename>/etc/apache2/ports.conf</filename>), and serves pages from the <filename>/var/www/html/</filename> directory (as configured in <filename>/etc/apache2/sites-enabled/000-default.conf</filename>)."
msgstr ""

msgid "<emphasis>GOING FURTHER</emphasis> Adding support for SSL"
msgstr ""

msgid "<primary>HTTPS</primary>"
msgstr ""

msgid "<primary>HTTP</primary><secondary>secure</secondary>"
msgstr ""

msgid "Apache 2.4 includes the SSL module required for secure HTTP (HTTPS) out of the box. It just needs to be enabled with <command>a2enmod ssl</command>, then the required directives have to be added to the configuration files. A configuration example is provided in <filename>/etc/apache2/sites-available/default-ssl.conf</filename>. <ulink type=\"block\" url=\"http://httpd.apache.org/docs/2.4/mod/mod_ssl.html\" />"
msgstr ""

msgid "Some extra care must be taken if you want to favor SSL connections with <emphasis>Perfect Forward Secrecy</emphasis> (those connections use ephemeral session keys ensuring that a compromission of the server's secret key does not result in the compromission of old encrypted traffic that could have been stored while sniffing on the network). Have a look at Mozilla's recommandations in particular: <ulink type=\"block\" url=\"https://wiki.mozilla.org/Security/Server_Side_TLS#Apache\" />"
msgstr ""

msgid "<primary><emphasis>Perfect Forward Secrecy</emphasis></primary>"
msgstr ""

msgid "Configuring Virtual Hosts"
msgstr ""

msgid "A virtual host is an extra identity for the web server."
msgstr ""

msgid "<primary>virtual host</primary>"
msgstr ""

msgid "Apache considers two different kinds of virtual hosts: those that are based on the IP address (or the port), and those that rely on the domain name of the web server. The first method requires allocating a different IP address (or port) for each site, whereas the second one can work on a single IP address (and port), and the sites are differentiated by the hostname sent by the HTTP client (which only works in version 1.1 of the HTTP protocol — fortunately that version is old enough that all clients use it already)."
msgstr ""

msgid "The (increasing) scarcity of IPv4 addresses usually favors the second method; however, it is made more complex if the virtual hosts need to provide HTTPS too, since the SSL protocol hasn't always provided for name-based virtual hosting; the SNI extension (<emphasis>Server Name Indication</emphasis>) that allows such a combination is not handled by all browsers. When several HTTPS sites need to run on the same server, they will usually be differentiated either by running on a different port or on a different IP address (IPv6 can help there)."
msgstr ""

msgid "The default configuration for Apache 2 enables name-based virtual hosts. In addition, a default virtual host is defined in the <literal>/etc/apache2/sites-enabled/000-default.conf</literal> file; this virtual host will be used if no host matching the request sent by the client is found."
msgstr ""

msgid "<emphasis>CAUTION</emphasis> First virtual host"
msgstr ""

msgid "Requests concerning unknown virtual hosts will always be served by the first defined virtual host, which is why we defined <literal>www.falcot.com</literal> first here."
msgstr ""

msgid "<emphasis>QUICK LOOK</emphasis> Apache supports SNI"
msgstr ""

msgid "<primary>Server Name Indication</primary>"
msgstr ""

msgid "The Apache server supports an SSL protocol extension called <emphasis>Server Name Indication</emphasis> (SNI). This extension allows the browser to send the hostname of the web server during the establishment of the SSL connection, much earlier than the HTTP request itself, which was previously used to identify the requested virtual host among those hosted on the same server (with the same IP address and port). This allows Apache to select the most appropriate SSL certificate for the transaction to proceed."
msgstr ""

msgid "Before SNI, Apache would always use the certificate defined in the default virtual host. Clients trying to access another virtual host would then display warnings, since the certificate they received didn't match the website they were trying to access. Fortunately, most browsers now work with SNI; this includes Microsoft Internet Explorer starting with version 7.0 (starting on Vista), Mozilla Firefox starting with version 2.0, Apple Safari since version 3.2.1, and all versions of Google Chrome."
msgstr ""

msgid "The Apache package provided in Debian is built with support for SNI; no particular configuration is therefore needed."
msgstr ""

msgid "Care should also be taken to ensure that the configuration for the first virtual host (the one used by default) does enable TLSv1, since Apache uses the parameters of this first virtual host to establish secure connections, and they had better allow them!"
msgstr ""

msgid "Each extra virtual host is then described by a file stored in <filename>/etc/apache2/sites-available/</filename>. Setting up a website for the <literal>falcot.org</literal> domain is therefore a simple matter of creating the following file, then enabling the virtual host with <command>a2ensite www.falcot.org</command>."
msgstr ""

msgid "The <filename>/etc/apache2/sites-available/www.falcot.org.conf</filename> file"
msgstr ""

msgid ""
"\n"
"&lt;VirtualHost *:80&gt;\n"
"ServerName www.falcot.org\n"
"ServerAlias falcot.org\n"
"DocumentRoot /srv/www/www.falcot.org\n"
"&lt;/VirtualHost&gt;"
msgstr ""

msgid "The Apache server, as configured so far, uses the same log files for all virtual hosts (although this could be changed by adding <literal>CustomLog</literal> directives in the definitions of the virtual hosts). It therefore makes good sense to customize the format of this log file to have it include the name of the virtual host. This can be done by creating a <filename>/etc/apache2/conf-available/customlog.conf</filename> file that defines a new format for all log files (with the <literal>LogFormat</literal> directive) and by enabling it with <command>a2enconf customlog</command>. The <literal>CustomLog</literal> line must also be removed (or commented out) from the <filename>/etc/apache2/sites-available/000-default.conf</filename> file."
msgstr ""

msgid "The <filename>/etc/apache2/conf.d/customlog.conf</filename> file"
msgstr ""

msgid ""
"\n"
"# New log format including (virtual) host name\n"
"LogFormat \"%v %h %l %u %t \\\"%r\\\" %&gt;s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" vhost\n"
"\n"
"# Now let's use this \"vhost\" format by default\n"
"CustomLog /var/log/apache2/access.log vhost"
msgstr ""

msgid "Common Directives"
msgstr ""

msgid "This section briefly reviews some of the commonly-used Apache configuration directives."
msgstr ""

msgid "<primary>Apache directives</primary>"
msgstr ""

msgid "<primary>directives, Apache</primary>"
msgstr ""

msgid "The main configuration file usually includes several <literal>Directory</literal> blocks; they allow specifying different behaviors for the server depending on the location of the file being served. Such a block commonly includes <literal>Options</literal> and <literal>AllowOverride</literal> directives."
msgstr ""

msgid "<primary><literal>Options</literal>, Apache directive</primary>"
msgstr ""

msgid "<primary><literal>AllowOverride</literal>, Apache directive</primary>"
msgstr ""

msgid "Directory block"
msgstr ""

msgid ""
"\n"
"&lt;Directory /var/www&gt;\n"
"Options Includes FollowSymlinks\n"
"AllowOverride All\n"
"DirectoryIndex index.php index.html index.htm\n"
"&lt;/Directory&gt;"
msgstr ""

msgid "The <literal>DirectoryIndex</literal> directive contains a list of files to try when the client request matches a directory. The first existing file in the list is used and sent as a response."
msgstr ""

msgid "<primary><literal>DirectoryIndex</literal>, Apache directive</primary>"
msgstr ""

msgid "The <literal>Options</literal> directive is followed by a list of options to enable. The <literal>None</literal> value disables all options; correspondingly, <literal>All</literal> enables them all except <literal>MultiViews</literal>. Available options include:"
msgstr ""

msgid "<literal>ExecCGI</literal> indicates that CGI scripts can be executed. <indexterm><primary><literal>ExecCGI</literal>, Apache directive</primary></indexterm>"
msgstr ""

msgid "<literal>FollowSymlinks</literal> tells the server that symbolic links can be followed, and that the response should contain the contents of the target of such links. <indexterm><primary><literal>FollowSymlinks</literal>, Apache directive</primary></indexterm>"
msgstr ""

msgid "<literal>SymlinksIfOwnerMatch</literal> also tells the server to follow symbolic links, but only when the link and the its target have the same owner. <indexterm><primary><literal>SymlinksIfOwnerMatch</literal>, Apache directive</primary></indexterm>"
msgstr ""

msgid "<literal>Includes</literal> enables <emphasis>Server Side Includes</emphasis> (<emphasis>SSI</emphasis> for short). These are directives embedded in HTML pages and executed on the fly for each request. <indexterm><primary><literal>Includes</literal>, Apache directive</primary></indexterm>"
msgstr ""

msgid "<literal>Indexes</literal> tells the server to list the contents of a directory if the HTTP request sent by the client points at a directory without an index file (ie, when no files mentioned by the <literal>DirectoryIndex</literal> directive exists in this directory). <indexterm><primary><literal>Indexes</literal>, Apache directive</primary></indexterm>"
msgstr ""

msgid "<literal>MultiViews</literal> enables content negotiation; this can be used by the server to return a web page matching the preferred language as configured in the browser. <indexterm><primary><literal>MultiViews</literal>, Apache directive</primary></indexterm>"
msgstr ""

msgid "<emphasis>BACK TO BASICS</emphasis> <filename>.htaccess</filename> file"
msgstr ""

msgid "The <filename>.htaccess</filename> file contains Apache configuration directives enforced each time a request concerns an element of the directory where it is stored. The scope of these directives also recurses to all the subdirectories within."
msgstr ""

msgid "<primary><filename>.htaccess</filename></primary>"
msgstr ""

msgid "Most of the directives that can occur in a <literal>Directory</literal> block are also legal in a <filename>.htaccess</filename> file."
msgstr ""

msgid "The <literal>AllowOverride</literal> directive lists all the options that can be enabled or disabled by way of a <filename>.htaccess</filename> file. A common use of this option is to restrict <literal>ExecCGI</literal>, so that the administrator chooses which users are allowed to run programs under the web server's identity (the <literal>www-data</literal> user)."
msgstr ""

msgid "Requiring Authentication"
msgstr ""

msgid "<primary>web authentication</primary>"
msgstr ""

msgid "In some circumstances, access to part of a website needs to be restricted, so only legitimate users who provide a username and a password are granted access to the contents."
msgstr ""

msgid "<filename>.htaccess</filename> file requiring authentication"
msgstr ""

msgid ""
"\n"
"Require valid-user\n"
"AuthName \"Private directory\"\n"
"AuthType Basic\n"
"AuthUserFile /etc/apache2/authfiles/htpasswd-private"
msgstr ""

msgid "<emphasis>SECURITY</emphasis> No security"
msgstr ""

msgid "The authentication system used in the above example (<literal>Basic</literal>) has minimal security as the password is sent in clear text (it is only encoded as <emphasis>base64</emphasis>, which is a simple encoding rather than an encryption method). It should also be noted that the documents “protected” by this mechanism also go over the network in the clear. If security is important, the whole HTTP connection should be encrypted with SSL."
msgstr ""

msgid "The <filename>/etc/apache2/authfiles/htpasswd-private</filename> file contains a list of users and passwords; it is commonly manipulated with the <command>htpasswd</command> command. For example, the following command is used to add a user or change their password: <indexterm><primary><command>htpasswd</command></primary></indexterm>"
msgstr ""

msgid ""
"\n"
"<computeroutput># </computeroutput><userinput>htpasswd /etc/apache2/authfiles/htpasswd-private <replaceable>user</replaceable>\n"
"</userinput><computeroutput>New password:\n"
"Re-type new password:\n"
"Adding password for user <replaceable>user</replaceable>\n"
"</computeroutput>"
msgstr ""

msgid "Restricting Access"
msgstr ""

msgid "<primary>web access restriction</primary>"
msgstr ""

msgid "The <literal>Require</literal> directive controls access restrictions for a directory (and its subdirectories, recursively)."
msgstr ""

msgid "<primary><literal>Require</literal>, Apache directive</primary>"
msgstr ""

msgid "It can be used to restrict access based on many criteria; we will stop at describing access restriction based on the IP address of the client, but it can be made much more powerful than that, especially when several <literal>Require</literal> directives are combined within a <literal>RequireAll</literal> block."
msgstr ""

msgid "Only allow from the local network"
msgstr ""

msgid "Require ip 192.168.0.0/16"
msgstr ""

msgid "<emphasis>ALTERNATIVE</emphasis> Old syntax"
msgstr ""

msgid "The <literal>Require</literal> syntax is only available in Apache 2.4 (the version in <emphasis role=\"distribution\">Jessie</emphasis>). For users of <emphasis role=\"distribution\">Wheezy</emphasis>, the Apache 2.2 syntax is different, and we describe it here mainly for reference, although it can also be made available in Apache 2.4 using the <literal>mod_access_compat</literal> module."
msgstr ""

msgid "The <literal>Allow from</literal> and <literal>Deny from</literal> directives control access restrictions for a directory (and its subdirectories, recursively)."
msgstr ""

msgid "<primary><literal>Allow from</literal>, Apache directive</primary>"
msgstr ""

msgid "<primary><literal>Deny from</literal>, Apache directive</primary>"
msgstr ""

msgid "<primary><literal>Order</literal>, Apache directive</primary>"
msgstr ""

msgid "The <literal>Order</literal> directive tells the server of the order in which the <literal>Allow from</literal> and <literal>Deny from</literal> directives are applied; the last one that matches takes precedence. In concrete terms, <literal>Order deny,allow</literal> allows access if no <literal>Deny from</literal> applies, or if an <literal>Allow from</literal> directive does. Conversely, <literal>Order allow,deny</literal> rejects access if no <literal>Allow from</literal> directive matches (or if a <literal>Deny from</literal> directive applies)."
msgstr ""

msgid "The <literal>Allow from</literal> and <literal>Deny from</literal> directives can be followed by an IP address, a network (such as <literal>192.168.0.0/255.255.255.0</literal>, <literal>192.168.0.0/24</literal> or even <literal>192.168.0</literal>), a hostname or a domain name, or the <literal>all</literal> keyword, designating everyone."
msgstr ""

msgid "For instance, to reject connections by default but allow them from the local network, you could use this:"
msgstr ""

msgid ""
"\n"
"Order deny,allow\n"
"Allow from 192.168.0.0/16\n"
"Deny from all"
msgstr ""

msgid "Log Analyzers"
msgstr ""

msgid "A log analyzer is frequently installed on a web server; since the former provides the administrators with a precise idea of the usage patterns of the latter."
msgstr ""

msgid "The Falcot Corp administrators selected <emphasis>AWStats</emphasis> (<emphasis>Advanced Web Statistics</emphasis>) to analyze their Apache log files."
msgstr ""

msgid "<primary><emphasis>AWStats</emphasis></primary>"
msgstr ""

msgid "<primary>web logs analyzer</primary>"
msgstr ""

msgid "<primary>logs</primary><secondary>web logs analyzer</secondary>"
msgstr ""

msgid "<primary>analyzer of web logs</primary>"
msgstr ""

msgid "The first configuration step is the customization of the <filename>/etc/awstats/awstats.conf</filename> file. The Falcot administrators keep it unchanged apart from the following parameters:"
msgstr ""

msgid ""
"\n"
"LogFile=\"/var/log/apache2/access.log\"\n"
"LogFormat = \"%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot\"\n"
"SiteDomain=\"www.falcot.com\"\n"
"HostAliases=\"falcot.com REGEX[^.*\\.falcot\\.com$]\"\n"
"DNSLookup=1\n"
"LoadPlugin=\"tooltips\""
msgstr ""

msgid "All these parameters are documented by comments in the template file. In particular, the <varname>LogFile</varname> and <varname>LogFormat</varname> parameters describe the location and format of the log file and the information it contains; <varname>SiteDomain</varname> and <varname>HostAliases</varname> list the various names under which the main web site is known."
msgstr ""

msgid "For high traffic sites, <varname>DNSLookup</varname> should usually not be set to <literal>1</literal>; for smaller sites, such as the Falcot one described above, this setting allows getting more readable reports that include full machine names instead of raw IP addresses."
msgstr ""

msgid "<emphasis>SECURITY</emphasis> Access to statistics"
msgstr ""

msgid "AWStats makes its statistics available on the website with no restrictions by default, but restrictions can be set up so that only a few (probably internal) IP addresses can access them; the list of allowed IP addresses needs to be defined in the <varname>AllowAccessFromWebToFollowingIPAddresses</varname> parameter"
msgstr ""

msgid "AWStats will also be enabled for other virtual hosts; each virtual host needs its own configuration file, such as <filename>/etc/awstats/awstats.www.falcot.org.conf</filename>."
msgstr ""

msgid "AWStats configuration file for a virtual host"
msgstr ""

msgid ""
"\n"
"Include \"/etc/awstats/awstats.conf\"\n"
"SiteDomain=\"www.falcot.org\"\n"
"HostAliases=\"falcot.org\""
msgstr ""

msgid "AWStats uses many icons stored in the <filename>/usr/share/awstats/icon/</filename> directory. In order for these icons to be available on the web site, the Apache configuration needs to be adapted to include the following directive:"
msgstr ""

msgid "\n"
"Alias /awstats-icon/ /usr/share/awstats/icon/"
msgstr ""

msgid "After a few minutes (and once the script has been run a few times), the results are available online: <ulink type=\"block\" url=\"http://www.falcot.com/cgi-bin/awstats.pl\" /><ulink type=\"block\" url=\"http://www.falcot.org/cgi-bin/awstats.pl\" />"
msgstr ""

msgid "<emphasis>CAUTION</emphasis> Log file rotation"
msgstr ""

msgid "In order for the statistics to take all the logs into account, <emphasis>AWStats</emphasis> needs to be run right before the Apache log files are rotated. Looking at the <literal>prerotate</literal> directive of <filename>/etc/logrotate.d/apache2</filename> file, this can be solved by putting a symlink to <filename>/usr/share/awstats/tools/update.sh</filename> in <filename>/etc/logrotate.d/httpd-prerotate</filename>:"
msgstr ""

msgid ""
"<computeroutput>$ </computeroutput><userinput>cat /etc/logrotate.d/apache2\n"
"</userinput><computeroutput>/var/log/apache2/*.log {\n"
"  daily\n"
"  missingok\n"
"  rotate 14\n"
"  compress\n"
"  delaycompress\n"
"  notifempty\n"
"  create 644 root adm\n"
"  sharedscripts\n"
"  postrotate\n"
"    if /etc/init.d/apache2 status &gt; /dev/null ; then \\\n"
"      /etc/init.d/apache2 reload &gt; /dev/null; \\\n"
"    fi;\n"
"  endscript\n"
"  prerotate\n"
"    if [ -d /etc/logrotate.d/httpd-prerotate ]; then \\\n"
"      run-parts /etc/logrotate.d/httpd-prerotate; \\\n"
"    fi; \\\n"
"  endscript\n"
"}\n"
"$ </computeroutput><userinput>sudo mkdir -p /etc/logrotate.d/httpd-prerotate\n"
"</userinput><computeroutput>$ </computeroutput><userinput>sudo ln -sf /usr/share/awstats/tools/update.sh \\\n"
"  /etc/logrotate.d/httpd-prerotate/awstats\n"
"</userinput>"
msgstr ""

msgid "Note also that the log files created by <command>logrotate</command> need to be readable by everyone, especially AWStats. In the above example, this is ensured by the <literal>create 644 root adm</literal> line (instead of the default <literal>640</literal> permissions)."
msgstr ""

msgid "FTP File Server"
msgstr ""

msgid "<primary>FTP (<emphasis>File Transfer Protocol</emphasis>)</primary>"
msgstr ""

msgid "FTP (<emphasis>File Transfer Protocol</emphasis>) is one of the first protocols of the Internet (RFC 959 was issued in 1985!). It was used to distribute files before the Web was even born (the HTTP protocol was created in 1990, and formally defined in its 1.0 version by RFC 1945, issued in 1996)."
msgstr ""

msgid "This protocol allows both file uploads and file downloads; for this reason, it is still widely used to deploy updates to a website hosted by one's Internet service provider (or any other entity hosting websites). In these cases, secure access is enforced with a user identifier and password; on successful authentication, the FTP server grants read-write access to that user's home directory."
msgstr ""

msgid "Other FTP servers are mainly used to distribute files for public downloading; Debian packages are a good example. The contents of these servers is fetched from other, geographically remote, servers; it is then made available to less distant users. This means that client authentication is not required; as a consequence, this operating mode is known as “anonymous FTP”. To be perfectly correct, the clients do authenticate with the <literal>anonymous</literal> username; the password is often, by convention, the user's email address, but the server ignores it."
msgstr ""

msgid "Many FTP servers are available in Debian (<emphasis role=\"pkg\">ftpd</emphasis>, <emphasis role=\"pkg\">proftpd-basic</emphasis>, <emphasis role=\"pkg\">pyftpd</emphasis> and so on). The Falcot Corp administrators picked <emphasis role=\"pkg\">vsftpd</emphasis> because they only use the FTP server to distribute a few files (including a Debian package repository); since they don't need advanced features, they chose to focus on the security aspects."
msgstr ""

msgid "<primary><emphasis role=\"pkg\">vsftpd</emphasis></primary>"
msgstr ""

msgid "Installing the package creates an <literal>ftp</literal> system user. This account is always used for anonymous FTP connections, and its home directory (<filename>/srv/ftp/</filename>) is the root of the tree made available to users connecting to this service. The default configuration (in <filename>/etc/vsftpd.conf</filename>) requires some changes to cater to the simple need of making big files available for public downloads: anonymous access needs to be enabled (<literal>anonymous_enable=YES</literal>) and read-only access of local users needs to be disabled (<literal>local_enable=NO</literal>). The latter is particularly important since the FTP protocol doesn't use any form of encryption and the user password could be intercepted over the wire."
msgstr ""

msgid "NFS File Server"
msgstr ""

msgid "NFS (<emphasis>Network File System</emphasis>) is a protocol allowing remote access to a filesystem through the network. All Unix systems can work with this protocol; when Windows systems are involved, Samba must be used instead."
msgstr ""

msgid "<primary>NFS</primary>"
msgstr ""

msgid "<primary><emphasis>Network</emphasis></primary><secondary><emphasis>File System</emphasis></secondary>"
msgstr ""

msgid "<primary>filesystem</primary><secondary>network</secondary>"
msgstr ""

msgid "<primary>file</primary><secondary>server</secondary>"
msgstr ""

msgid "<primary>server</primary><secondary>file</secondary>"
msgstr ""

msgid "NFS is a very useful tool but, historically, it has suffered from many limitations, most of which have been addressed with version 4 of the protocol. The downside is that the latest version of NFS is harder to configure when you want to make use of basic security features such as authentication and encryption since it relies on Kerberos for those parts. And without those, the NFS protocol must be restricted to a trusted local network since data goes over the network unencrypted (a <emphasis>sniffer</emphasis> can intercept it) and access rights are granted based on the client's IP address (which can be spoofed)."
msgstr ""

msgid "<emphasis>DOCUMENTATION</emphasis> NFS HOWTO"
msgstr ""

msgid "Good documentation to deploy NFSv4 is rather scarce. Here are some pointers with content of varying quality but that should at least give some hints on what should be done. <ulink type=\"block\" url=\"https://help.ubuntu.com/community/NFSv4Howto\" /> <ulink type=\"block\" url=\"http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration\" />"
msgstr ""

msgid "Securing NFS"
msgstr ""

msgid "<primary>NFS</primary><secondary>security</secondary>"
msgstr ""

msgid "If you don't use the Kerberos-based security features, it is vital to ensure that only the machines allowed to use NFS can connect to the various required RPC servers, because the basic protocol trusts the data received from the network. The firewall must also block <emphasis>IP spoofing</emphasis> so as to prevent an outside machine from acting as an inside one, and access to the appropriate ports must be restricted to the machines meant to access the NFS shares."
msgstr ""

msgid "<emphasis>BACK TO BASICS</emphasis> RPC"
msgstr ""

msgid "RPC (<emphasis>Remote Procedure Call</emphasis>) is a Unix standard for remote services. NFS is one such service."
msgstr ""

msgid "<primary>RPC</primary>"
msgstr ""

msgid "<primary><emphasis>Remote Procedure Call</emphasis></primary>"
msgstr ""

msgid "RPC services register to a directory known as the <emphasis>portmapper</emphasis>. A client wishing to perform an NFS query first addresses the <emphasis>portmapper</emphasis> (on port 111, either TCP or UDP), and asks for the NFS server; the reply usually mentions port 2049 (the default for NFS). Not all RPC services necessarily use a fixed port."
msgstr ""

msgid "Older versions of the protocol required other RPC services which used dynamically assigned ports. Fortunately, with NFS version 4, only port 2049 (for NFS) and 111 (for the portmapper) are needed and they are thus easy to firewall."
msgstr ""

msgid "<primary><command>portmapper</command></primary>"
msgstr ""

msgid "NFS Server"
msgstr ""

msgid "The NFS server is part of the Linux kernel; in kernels provided by Debian it is built as a kernel module. If the NFS server is to be run automatically on boot, the <emphasis role=\"pkg\">nfs-kernel-server</emphasis> package should be installed; it contains the relevant start-up scripts."
msgstr ""

msgid "The NFS server configuration file, <filename>/etc/exports</filename>, lists the directories that are made available over the network (<emphasis>exported</emphasis>). For each NFS share, only the given list of machines is granted access. More fine-grained access control can be obtained with a few options. The syntax for this file is quite simple:"
msgstr ""

msgid "<primary><filename>exports</filename></primary>"
msgstr ""

msgid "<primary><filename>/etc/exports</filename></primary>"
msgstr ""

msgid "\n"
"/directory/to/share machine1(option1,option2,...) machine2(...) ..."
msgstr ""

msgid "Note that with NFSv4, all exported directories must be part of a single hierarchy and that the root directory of that hierarchy must be exported and identified with the option <literal>fsid=0</literal> or <literal>fsid=root</literal>."
msgstr ""

msgid "Each machine can be identified either by its DNS name or its IP address. Whole sets of machines can also be specified using either a syntax such as <literal>*.falcot.com</literal> or an IP address range such as <literal>192.168.0.0/255.255.255.0</literal> or <literal>192.168.0.0/24</literal>."
msgstr ""

msgid "Directories are made available as read-only by default (or with the <literal>ro</literal> option). The <literal>rw</literal> option allows read-write access. NFS clients typically connect from a port restricted to root (in other words, below 1024); this restriction can be lifted by the <literal>insecure</literal> option (the <literal>secure</literal> option is implicit, but it can be made explicit if needed for clarity)."
msgstr ""

msgid "<primary>NFS</primary><secondary>options</secondary>"
msgstr ""

msgid "By default, the server only answers an NFS query when the current disk operation is complete (<literal>sync</literal> option); this can be disabled with the <literal>async</literal> option. Asynchronous writes increase performance a bit, but they decrease reliability since there is a data loss risk in case of the server crashing between the acknowledgment of the write and the actual write on disk. Since the default value changed recently (as compared to the historical value of NFS), an explicit setting is recommended."
msgstr ""

msgid "In order to not give root access to the filesystem to any NFS client, all queries appearing to come from a root user are considered by the server as coming from the <literal>nobody</literal> user. This behavior corresponds to the <literal>root_squash</literal> option, and is enabled by default. The <literal>no_root_squash</literal> option, which disables this behavior, is risky and should only be used in controlled environments. The <literal>anonuid=<replaceable>uid</replaceable></literal> and <literal>anongid=<replaceable>gid</replaceable></literal> options allow specifying another fake user to be used instead of UID/GID 65534 (which corresponds to user <literal>nobody</literal> and group <literal>nogroup</literal>)."
msgstr ""

msgid "With NFSv4, you can add a <literal>sec</literal> option to indicate the security level that you want: <literal>sec=sys</literal> is the default with no special security features, <literal>sec=krb5</literal> enables authentication only, <literal>sec=krb5i</literal> adds integrity protection, and <literal>sec=krb5p</literal> is the most complete level which includes privacy protection (with data encryption). For this to work you need a working Kerberos setup (that service is not covered by this book)."
msgstr ""

msgid "Other options are available; they are documented in the <citerefentry><refentrytitle>exports</refentrytitle> <manvolnum>5</manvolnum></citerefentry> manual page."
msgstr ""

msgid "<emphasis>CAUTION</emphasis> First installation"
msgstr ""

msgid "The <filename>/etc/init.d/nfs-kernel-server</filename> boot script only starts the server if the <filename>/etc/exports</filename> lists one or more valid NFS shares. On initial configuration, once this file has been edited to contain valid entries, the NFS server must therefore be started with the following command:"
msgstr ""

msgid "\n"
"<computeroutput># </computeroutput><userinput>service nfs-kernel-server start</userinput>"
msgstr ""

msgid "NFS Client"
msgstr ""

msgid "<primary>client</primary><secondary>NFS</secondary>"
msgstr ""

msgid "<primary>NFS</primary><secondary>client</secondary>"
msgstr ""

msgid "As with other filesystems, integrating an NFS share into the system hierarchy requires mounting. Since this filesystem has its peculiarities, a few adjustments were required in the syntaxes of the <command>mount</command> command and the <filename>/etc/fstab</filename> file."
msgstr ""

msgid "Manually mounting with the <command>mount</command> command"
msgstr ""

msgid "\n"
"          <computeroutput># </computeroutput><userinput>mount -t nfs4 -o rw,nosuid arrakis.internal.falcot.com:/shared /srv/shared</userinput>"
msgstr ""

msgid "NFS entry in the <filename>/etc/fstab</filename> file"
msgstr ""

msgid "\n"
"arrakis.internal.falcot.com:/shared /srv/shared nfs4 rw,nosuid 0 0"
msgstr ""

msgid "The entry described above mounts, at system startup, the <filename>/shared/</filename> NFS directory from the <literal>arrakis</literal> server into the local <filename>/srv/shared/</filename> directory. Read-write access is requested (hence the <literal>rw</literal> parameter). The <literal>nosuid</literal> option is a protection measure that wipes any <literal>setuid</literal> or <literal>setgid</literal> bit from programs stored on the share. If the NFS share is only meant to store documents, another recommended option is <literal>noexec</literal>, which prevents executing programs stored on the share. Note that on the server, the <filename>shared</filename> directory is below the NFSv4 root export (for example <filename>/export/shared</filename>), it is not a top-level directory."
msgstr ""

msgid "The <citerefentry><refentrytitle>nfs</refentrytitle> <manvolnum>5</manvolnum></citerefentry> manual page describes all the options in some detail."
msgstr ""

msgid "Setting Up Windows Shares with Samba"
msgstr ""

msgid "Samba is a suite of tools handling the SMB protocol (also known as “CIFS”) on Linux. This protocol is used by Windows for network shares and shared printers."
msgstr ""

msgid "<primary>Windows share</primary>"
msgstr ""

msgid "<primary>Samba</primary>"
msgstr ""

msgid "<primary>SMB</primary>"
msgstr ""

msgid "<primary>CIFS</primary>"
msgstr ""

msgid "Samba can also act as an Windows domain controller. This is an outstanding tool for ensuring seamless integration of Linux servers and the office desktop machines still running Windows."
msgstr ""

msgid "Samba Server"
msgstr ""

msgid "The <emphasis role=\"pkg\">samba</emphasis> package contains the main two servers of Samba 4, <command>smbd</command> and <command>nmbd</command>."
msgstr ""

msgid "<primary><command>smbd</command></primary>"
msgstr ""

msgid "<primary><command>nmbd</command></primary>"
msgstr ""

msgid "<emphasis>DOCUMENTATION</emphasis> Going further"
msgstr ""

msgid "The Samba server is extremely configurable and versatile, and can address a great many different use cases matching very different requirements and network architectures. This book only focuses on the use case where Samba is used as a standalone server, but it can also be a NT4 Domain Controller or a full Active Directory Domain Controller, or a simple member of an existing domain (which could be a managed by a Windows server)."
msgstr ""

msgid "<primary>domain controller</primary>"
msgstr ""

msgid "<primary>Windows domain</primary>"
msgstr ""

msgid "The <emphasis role=\"pkg\">samba-doc</emphasis> package contains a wealth of commented example files in <filename>/usr/share/doc/samba-doc/examples/</filename>."
msgstr ""

msgid "<emphasis>TOOL</emphasis> Authenticating with a Windows Server"
msgstr ""

msgid "Winbind gives system administrators the option of using a Windows server as an authentication server. Winbind also integrates cleanly with PAM and NSS. This allows setting up Linux machines where all users of a Windows domain automatically get an account."
msgstr ""

msgid "<primary>Winbind</primary>"
msgstr ""

msgid "More information can be found in the <filename>/usr/share/doc/samba-doc/examples/pam_winbind/</filename> directory."
msgstr ""

msgid "Configuring with <command>debconf</command>"
msgstr ""

msgid "The package sets up a minimal configuration during the initial installation but you should really run <command>dpkg-reconfigure samba-common</command> to adapt it:"
msgstr ""

msgid "The first piece of required information is the name of the workgroup where the Samba server will belong (the answer is <literal>FALCOTNET</literal> in our case)."
msgstr ""

msgid "The package also proposes identifying the WINS server from the information provided by the DHCP daemon. The Falcot Corp administrators rejected this option, since they intend to use the Samba server itself as the WINS server."
msgstr ""

msgid "<primary>WINS</primary>"
msgstr ""

msgid "Configuring Manually"
msgstr ""

msgid "Changes to <filename>smb.conf</filename>"
msgstr ""

msgid "The requirements at Falcot require other options to be modified in the <filename>/etc/samba/smb.conf</filename> configuration file. The following excerpts summarize the changes that were effected in the <literal>[global]</literal> section."
msgstr ""

msgid ""
"\n"
"[global]\n"
"\n"
"## Browsing/Identification ###\n"
"\n"
"# Change this to the workgroup/NT-domain name your Samba server will part of\n"
"   workgroup = FALCOTNET\n"
"\n"
"# Windows Internet Name Serving Support Section:\n"
"# WINS Support - Tells the NMBD component of Samba to enable its WINS Server\n"
"   wins support = yes <co id=\"smb.conf.wins\"></co>\n"
"\n"
"[...]\n"
"\n"
"####### Authentication #######\n"
"\n"
"# Server role. Defines in which mode Samba will operate. Possible\n"
"# values are \"standalone server\", \"member server\", \"classic primary\n"
"# domain controller\", \"classic backup domain controller\", \"active\n"
"# directory domain controller\". \n"
"#\n"
"# Most people will want \"standalone sever\" or \"member server\".\n"
"# Running as \"active directory domain controller\" will require first\n"
"# running \"samba-tool domain provision\" to wipe databases and create a\n"
"# new domain.\n"
"   server role = standalone server\n"
"\n"
"# \"security = user\" is always a good idea. This will require a Unix account\n"
"# in this server for every user accessing the server.\n"
"   security = user <co id=\"smb.conf.security\"></co>\n"
"\n"
"[...]"
msgstr ""

msgid "Indicates that Samba should act as a Netbios name server (WINS) for the local network."
msgstr ""

msgid "This is the default value for this parameter; however, since it is central to the Samba configuration, filling it explicitly is recommended. Each user must authenticate before accessing any share."
msgstr ""

msgid "Adding Users"
msgstr ""

msgid "Each Samba user needs an account on the server; the Unix accounts must be created first, then the user needs to be registered in Samba's database. The Unix step is done quite normally (using <command>adduser</command> for instance)."
msgstr ""

msgid "Adding an existing user to the Samba database is a matter of running the <command>smbpasswd -a <replaceable>user</replaceable></command> command; this command asks for the password interactively."
msgstr ""

msgid "A user can be deleted with the <command>smbpasswd -x <replaceable>user</replaceable></command> command. A Samba account can also be temporarily disabled (with <command>smbpasswd -d <replaceable>user</replaceable></command>) and re-enabled later (with <command>smbpasswd -e <replaceable>user</replaceable></command>)."
msgstr ""

msgid "Samba Client"
msgstr ""

msgid "The client features in Samba allow a Linux machine to access Windows shares and shared printers. The required programs are available in the <emphasis role=\"pkg\">cifs-utils</emphasis> and <emphasis role=\"pkg\">smbclient</emphasis> packages."
msgstr ""

msgid "<primary><emphasis>smbclient</emphasis></primary>"
msgstr ""

msgid "<primary><emphasis>cifs-utils</emphasis></primary>"
msgstr ""

msgid "The <command>smbclient</command> Program"
msgstr ""

msgid "The <command>smbclient</command> program queries SMB servers. It accepts a <literal>-U <replaceable>user</replaceable></literal> option, for connecting to the server under a specific identity. <command>smbclient //<replaceable>server</replaceable>/<replaceable>share</replaceable></command> accesses the share in an interactive way similar to the command-line FTP client. <command>smbclient -L <replaceable>server</replaceable></command> lists all available (and visible) shares on a server."
msgstr ""

msgid "Mounting Windows Shares"
msgstr ""

msgid "The <command>mount</command> command allows mounting a Windows share into the Linux filesystem hierarchy (with the help of <command>mount.cifs</command> provided by <emphasis role=\"pkg\">cifs-utils</emphasis>)."
msgstr ""

msgid "<primary><command>mount.cifs</command></primary>"
msgstr ""

msgid "<primary>Windows share, mounting</primary>"
msgstr ""

msgid "Mounting a Windows share"
msgstr ""

msgid ""
"\n"
"mount -t cifs //arrakis/shared /shared \\\n"
"      -o credentials=/etc/smb-credentials"
msgstr ""

msgid "The <filename>/etc/smb-credentials</filename> file (which must not be readable by users) has the following format:"
msgstr ""

msgid ""
"\n"
"username = <replaceable>user</replaceable>\n"
"password = <replaceable>password</replaceable>"
msgstr ""

msgid "Other options can be specified on the command-line; their full list is available in the <citerefentry><refentrytitle>mount.cifs</refentrytitle> <manvolnum>1</manvolnum></citerefentry> manual page. Two options in particular can be interesting: <literal>uid</literal> and <literal>gid</literal> allow forcing the owner and group of files available on the mount, so as not to restrict access to root."
msgstr ""

msgid "A mount of a Windows share can also be configured in <filename>/etc/fstab</filename>:"
msgstr ""

msgid "\n"
"//<replaceable>server</replaceable>/shared /shared cifs credentials=/etc/smb-credentials"
msgstr ""

msgid "Unmounting a SMB/CIFS share is done with the standard <command>umount</command> command."
msgstr ""

msgid "Printing on a Shared Printer"
msgstr ""

msgid "CUPS is an elegant solution for printing from a Linux workstation to a printer shared by a Windows machine. When the <emphasis role=\"pkg\">smbclient</emphasis> is installed, CUPS allows installing Windows shared printers automatically."
msgstr ""

msgid "<primary>printing</primary><secondary>network</secondary>"
msgstr ""

msgid "Here are the required steps:"
msgstr ""

msgid "Enter the CUPS configuration interface: <literal>http://localhost:631/admin</literal>"
msgstr ""

msgid "Click on “Add Printer”."
msgstr ""

msgid "Choose the printer device, pick “Windows Printer via SAMBA”."
msgstr ""

msgid "Enter the connection URI for the network printer. It should look like the following:"
msgstr ""

msgid "<literal>smb://<replaceable>user</replaceable>:<replaceable>password</replaceable>@<replaceable>server</replaceable>/<replaceable>printer</replaceable></literal>."
msgstr ""

msgid "Enter the name that will uniquely identify this printer. Then enter the description and location of the printer. Those are the strings that will be shown to end users to help them identify the printers."
msgstr ""

msgid "Indicate the manufacturer/model of the printer, or directly provide a working printer description file (PPD)."
msgstr ""

msgid "Voilà, the printer is operational!"
msgstr ""

msgid "HTTP/FTP Proxy"
msgstr ""

msgid "An HTTP/FTP proxy acts as an intermediary for HTTP and/or FTP connections. Its role is twofold:"
msgstr ""

msgid "Caching: recently downloaded documents are copied locally, which avoids multiple downloads."
msgstr ""

msgid "Filtering server: if use of the proxy is mandated (and outgoing connections are blocked unless they go through the proxy), then the proxy can determine whether or not the request is to be granted."
msgstr ""

msgid "<primary>HTTP/FTP proxy</primary>"
msgstr ""

msgid "<primary>proxy cache</primary>"
msgstr ""

msgid "Falcot Corp selected Squid as their proxy server."
msgstr ""

msgid "<primary>Squid</primary>"
msgstr ""

msgid "Installing"
msgstr ""

msgid "The <emphasis role=\"pkg\">squid3</emphasis> Debian package only contains the modular (caching) proxy. Turning it into a filtering server requires installing the additional <emphasis role=\"pkg\">squidguard</emphasis> package. In addition, <emphasis role=\"pkg\">squid-cgi</emphasis> provides a querying and administration interface for a Squid proxy."
msgstr ""

msgid "Prior to installing, care should be taken to check that the system can identify its own complete name: the <command>hostname -f</command> must return a fully-qualified name (including a domain). If it does not, then the <filename>/etc/hosts</filename> file should be edited to contain the full name of the system (for instance, <literal>arrakis.falcot.com</literal>). The official computer name should be validated with the network administrator in order to avoid potential name conflicts."
msgstr ""

msgid "Configuring a Cache"
msgstr ""

msgid "Enabling the caching server feature is a simple matter of editing the <filename>/etc/squid3/squid.conf</filename> configuration file and allowing machines from the local network to run queries through the proxy. The following example shows the modifications made by the Falcot Corp administrators:"
msgstr ""

msgid "The <filename>/etc/squid3/squid.conf</filename> file (excerpts)"
msgstr ""

msgid ""
"\n"
"# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS\n"
"\n"
"# Example rule allowing access from your local networks. Adapt\n"
"# to list your (internal) IP networks from where browsing should\n"
"# be allowed\n"
"acl our_networks src 192.168.1.0/24 192.168.2.0/24\n"
"http_access allow our_networks\n"
"http_access allow localhost\n"
"# And finally deny all other access to this proxy\n"
"http_access deny all"
msgstr ""

msgid "Configuring a Filter"
msgstr ""

msgid "<command>squid</command> itself does not perform the filtering; this action is delegated to <command>squidGuard</command>. The former must then be configured to interact with the latter. This involves adding the following directive to the <filename>/etc/squid3/squid.conf</filename> file:"
msgstr ""

msgid "<primary><command>squidGuard</command></primary>"
msgstr ""

msgid "\n"
"url_rewrite_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf "
msgstr ""

msgid "The <filename>/usr/lib/cgi-bin/squidGuard.cgi</filename> CGI program also needs to be installed, using <filename>/usr/share/doc/squidguard/examples/squidGuard.cgi.gz</filename> as a starting point. Required modifications to this script are the <varname>$proxy</varname> and <varname>$proxymaster</varname> variables (the name of the proxy and the administrator's contact e-mail, respectively). The <varname>$image</varname> and <varname>$redirect</varname> variables should point to existing images representing the rejection of a query."
msgstr ""

msgid "The filter is enabled with the <command>service squid3 reload</command> command. However, since the <emphasis role=\"pkg\">squidguard</emphasis> package does no filtering by default, it is the administrator's task to define the policy. This can be done by creating the <filename>/etc/squid3/squidGuard.conf</filename> file (using <filename>/etc/squidguard/squidGuard.conf.default</filename> as template if required)."
msgstr ""

msgid "The working database must be regenerated with <command>update-squidguard</command> after each change of the <command>squidGuard</command> configuration file (or one of the lists of domains or URLs it mentions). The configuration file syntax is documented on the following website: <ulink type=\"block\" url=\"http://www.squidguard.org/Doc/configure.html\" />"
msgstr ""

msgid "<primary><command>update-squidguard</command></primary>"
msgstr ""

msgid "<emphasis>ALTERNATIVE</emphasis> DansGuardian"
msgstr ""

msgid "<primary><emphasis role=\"pkg\">dansguardian</emphasis></primary>"
msgstr ""

msgid "<primary>PICS</primary>"
msgstr ""

msgid "The <emphasis role=\"pkg\">dansguardian</emphasis> package is an alternative to <emphasis>squidguard</emphasis>. This software does not simply handle a blacklist of forbidden URLs, but it can take advantage of the PICS system (<emphasis>Platform for Internet Content Selection</emphasis>) to decide whether a page is acceptable by dynamic analysis of its contents."
msgstr ""

msgid "LDAP Directory"
msgstr ""

msgid "<primary>LDAP</primary>"
msgstr ""

msgid "<primary>OpenLDAP</primary>"
msgstr ""

msgid "<primary>directory, LDAP</primary>"
msgstr ""

msgid "OpenLDAP is an implementation of the LDAP protocol; in other words, it is a special-purpose database designed for storing directories. In the most common use case, using an LDAP server allows centralizing management of user accounts and the related permissions. Moreover, an LDAP database is easily replicated, which allows setting up multiple synchronized LDAP servers. When the network and the user base grows quickly, the load can then be balanced across several servers."
msgstr ""

msgid "LDAP data is structured and hierarchical. The structure is defined by “schemas” which describe the kind of objects that the database can store, with a list of all their possible attributes. The syntax used to refer to a particular object in the database is based on this structure, which explains its complexity."
msgstr ""

msgid "The <emphasis role=\"pkg\">slapd</emphasis> package contains the OpenLDAP server. The <emphasis role=\"pkg\">ldap-utils</emphasis> package includes command-line tools for interacting with LDAP servers."
msgstr ""

msgid "<primary><emphasis>slapd</emphasis></primary>"
msgstr ""

msgid "Installing <emphasis role=\"pkg\">slapd</emphasis> usually asks very few questions and the resulting database is unlikely to suit your needs. Fortunately a simple <command>dpkg-reconfigure slapd</command> will let you reconfigure the LDAP database with more details:"
msgstr ""

msgid "Omit OpenLDAP server configuration? No, of course, we want to configure this service."
msgstr ""

msgid "DNS domain name: “<literal>falcot.com</literal>”."
msgstr ""

msgid "Organization name: “Falcot Corp”."
msgstr ""

msgid "An administrative passwords needs to be typed in."
msgstr ""

msgid "Database backend to use: “MDB”."
msgstr ""

msgid "Do you want the database to be removed when <emphasis role=\"pkg\">slapd</emphasis> is purged? No. No point in risking losing the database in case of a mistake."
msgstr ""

msgid "Move old database? This question is only asked when the configuration is attempted while a database already exists. Only answer “yes” if you actually want to start again from a clean database, for instance if you run <command>dpkg-reconfigure slapd</command> right after the initial installation."
msgstr ""

msgid "Allow LDAPv2 protocol? No, there is no point in that. All the tools we are going to use understand the LDAPv3 protocol."
msgstr ""

msgid "<emphasis>BACK TO BASICS</emphasis> LDIF format"
msgstr ""

msgid "An LDIF file (<emphasis>LDAP Data Interchange Format</emphasis>) is a portable text file describing the contents of an LDAP database (or a portion thereof); this can then be used to inject the data into any other LDAP server."
msgstr ""

msgid "<primary>LDIF</primary>"
msgstr ""

msgid "A minimal database is now configured, as demonstrated by the following query:"
msgstr ""

msgid ""
"\n"
"<computeroutput>$ </computeroutput><userinput>ldapsearch -x -b dc=falcot,dc=com</userinput>\n"
"<computeroutput># extended LDIF\n"
"#\n"
"# LDAPv3\n"
"# base &lt;dc=falcot,dc=com&gt; with scope sub\n"
"# filter: (objectclass=*)\n"
"# requesting: ALL\n"
"#\n"
"\n"
"# falcot.com\n"
"dn: dc=falcot,dc=com\n"
"objectClass: top\n"
"objectClass: dcObject\n"
"objectClass: organization\n"
"o: Falcot Corp\n"
"dc: falcot\n"
"\n"
"# admin, falcot.com\n"
"dn: cn=admin,dc=falcot,dc=com\n"
"objectClass: simpleSecurityObject\n"
"objectClass: organizationalRole\n"
"cn: admin\n"
"description: LDAP administrator\n"
"\n"
"# search result\n"
"search: 2\n"
"result: 0 Success\n"
"\n"
"# numResponses: 3\n"
"# numEntries: 2\n"
"</computeroutput>"
msgstr ""

msgid "The query returned two objects: the organization itself, and the administrative user."
msgstr ""

msgid "Filling in the Directory"
msgstr ""

msgid "Since an empty database is not particularly useful, we are going to inject into it all the existing directories; this includes the users, groups, services and hosts databases."
msgstr ""

msgid "The <emphasis role=\"pkg\">migrationtools</emphasis> package provides a set of scripts dedicated to extract data from the standard Unix directories (<filename>/etc/passwd</filename>, <filename>/etc/group</filename>, <filename>/etc/services</filename>, <filename>/etc/hosts</filename> and so on), convert this data, and inject it into the LDAP database."
msgstr ""

msgid "<primary><emphasis role=\"pkg\">migrationtools</emphasis></primary>"
msgstr ""

msgid "Once the package is installed, the <filename>/etc/migrationtools/migrate_common.ph</filename> must be edited; the <varname>IGNORE_UID_BELOW</varname> and <varname>IGNORE_GID_BELOW</varname> options need to be enabled (uncommenting them is enough), and <varname>DEFAULT_MAIL_DOMAIN</varname>/<varname>DEFAULT_BASE</varname> need to be updated."
msgstr ""

msgid "The actual migration operation is handled by the <command>migrate_all_online.sh</command> command, as follows:"
msgstr ""

msgid ""
"\n"
"<computeroutput># </computeroutput><userinput>cd /usr/share/migrationtools</userinput>\n"
"<computeroutput># </computeroutput><userinput>LDAPADD=\"/usr/bin/ldapadd -c\" ETC_ALIASES=/dev/null ./migrate_all_online.sh</userinput>"
msgstr ""

msgid "The <command>migrate_all_online.sh</command> asks a few questions about the LDAP database into which the data is to be migrated. <xref linkend=\"tab-migrate-all\" xrefstyle=\"select: label nopage\" /> summarizes the answers given in the Falcot use-case."
msgstr ""

msgid "Answers to questions asked by the <command>migrate_all_online.sh</command> script"
msgstr ""

msgid "Question"
msgstr ""

msgid "Answer"
msgstr ""

msgid "X.500 naming context"
msgstr ""

msgid "<literal>dc=falcot,dc=com</literal>"
msgstr ""

msgid "LDAP server hostname"
msgstr ""

msgid "<literal>localhost</literal>"
msgstr ""

msgid "Manager DN"
msgstr ""

msgid "<literal>cn=admin,dc=falcot,dc=com</literal>"
msgstr ""

msgid "Bind credentials"
msgstr ""

msgid "the administrative password"
msgstr ""

msgid "Create DUAConfigProfile"
msgstr ""

msgid "no"
msgstr ""

msgid "We deliberately ignore migration of the <filename>/etc/aliases</filename> file, since the standard schema as provided by Debian does not include the structures that this script uses to describe email aliases. Should we want to integrate this data into the directory, the <filename>/etc/ldap/schema/misc.schema</filename> file should be added to the standard schema."
msgstr ""

msgid "<emphasis>TOOL</emphasis> Browsing an LDAP directory"
msgstr ""

msgid "The <command>jxplorer</command> command (in the package of the same name) is a graphical tool allowing to browse and edit an LDAP database. It is an interesting tool that provides an administrator with a good overview of the hierarchical structure of the LDAP data."
msgstr ""

msgid "<primary><command>jxplorer</command></primary>"
msgstr ""

msgid "Also note the use of the <literal>-c</literal> option to the <command>ldapadd</command> command; this option requests that processing doesn't stop in case of error. Using this option is required because converting the <filename>/etc/services</filename> often generates a few errors that can safely be ignored."
msgstr ""

msgid "Managing Accounts with LDAP"
msgstr ""

msgid "Now the LDAP database contains some useful information, the time has come to make use of this data. This section focuses on how to configure a Linux system so that the various system directories use the LDAP database."
msgstr ""

msgid "Configuring NSS"
msgstr ""

msgid "The NSS system (Name Service Switch, see sidebar <xref linkend=\"sidebar.intro-nss\" />) is a modular system designed to define or fetch information for system directories. Using LDAP as a source of data for NSS requires installing the <emphasis role=\"pkg\">libnss-ldap</emphasis> package. Its installation asks a few questions; the answers are summarized in <xref linkend=\"tab-libnss-ldap\" xrefstyle=\"select: label nopage\" />."
msgstr ""

msgid "<primary><emphasis>libnss-ldap</emphasis></primary>"
msgstr ""

msgid "Configuring the <emphasis role=\"pkg\">libnss-ldap</emphasis> package"
msgstr ""

msgid "LDAP server Uniform Resource Identifier"
msgstr ""

msgid "<literal>ldap://ldap.falcot.com</literal>"
msgstr ""

msgid "Distinguished name of the search base"
msgstr ""

msgid "LDAP version to use"
msgstr ""

msgid "<literal>3</literal>"
msgstr ""

msgid "Does the LDAP database require login?"
msgstr ""

msgid "Special LDAP privileges for root"
msgstr ""

msgid "yes"
msgstr ""

msgid "Make the configuration file readable/writeable by its owner only"
msgstr ""

msgid "LDAP account for root"
msgstr ""

msgid "LDAP root account password"
msgstr ""

msgid "The <filename>/etc/nsswitch.conf</filename> file then needs to be modified, so as to configure NSS to use the freshly-installed <command>ldap</command> module."
msgstr ""

msgid "The <filename>/etc/nsswitch.conf</filename> file"
msgstr ""

msgid ""
"\n"
"# /etc/nsswitch.conf\n"
"#\n"
"# Example configuration of GNU Name Service Switch functionality.\n"
"# If you have the `glibc-doc' and `info' packages installed, try:\n"
"# `info libc \"Name Service Switch\"' for information about this file.\n"
"\n"
"passwd: ldap compat\n"
"group: ldap compat\n"
"shadow: ldap compat\n"
"\n"
"hosts: files dns ldap\n"
"networks: ldap files\n"
"\n"
"protocols: ldap db files\n"
"services: ldap db files\n"
"ethers: ldap db files\n"
"rpc: ldap db files\n"
"\n"
"netgroup: ldap files"
msgstr ""

msgid "The <command>ldap</command> module is usually inserted before others, and it will therefore be queried first. The notable exception is the <literal>hosts</literal> service since contacting the LDAP server requires consulting DNS first (to resolve <literal>ldap.falcot.com</literal>). Without this exception, a hostname query would try to ask the LDAP server; this would trigger a name resolution for the LDAP server, and so on in an infinite loop."
msgstr ""

msgid "If the LDAP server should be considered authoritative (and the local files used by the <command>files</command> module disregarded), services can be configured with the following syntax:"
msgstr ""

msgid "<literal><replaceable>service</replaceable>: ldap [NOTFOUND=return] files</literal>."
msgstr ""

msgid "If the requested entry does not exist in the LDAP database, the query will return a “not existing” reply even if the resource does exist in one of the local files; these local files will only be used when the LDAP service is down."
msgstr ""

msgid "Configuring PAM"
msgstr ""

msgid "This section describes a PAM configuration (see sidebar <xref linkend=\"sidebar.intro-pam\" />) that will allow applications to perform the required authentications against the LDAP database."
msgstr ""

msgid "<emphasis>CAUTION</emphasis> Broken authentication"
msgstr ""

msgid "Changing the standard PAM configuration used by various programs is a sensitive operation. A mistake can lead to broken authentication, which could prevent logging in. Keeping a root shell open is therefore a good precaution. If configuration errors occur, they can be then fixed and the services restarted with minimal effort."
msgstr ""

msgid "The LDAP module for PAM is provided by the <emphasis role=\"pkg\">libpam-ldap</emphasis> package. Installing this package asks a few questions very similar to those in <emphasis role=\"pkg\">libnss-ldap</emphasis>; some configuration parameters (such as the URI for the LDAP server) are even actually shared with the <emphasis role=\"pkg\">libnss-ldap</emphasis> package. Answers are summarized in <xref linkend=\"tab-libpam-ldap\" xrefstyle=\"select: label nopage\" />."
msgstr ""

msgid "<primary><emphasis>libpam-ldap</emphasis></primary>"
msgstr ""

msgid "Configuration of <emphasis>libpam-ldap</emphasis>"
msgstr ""

msgid "Allow LDAP admin account to behave like local root?"
msgstr ""

msgid "Yes. This allows using the usual <command>passwd</command> command for changing passwords stored in the LDAP database."
msgstr ""

msgid "Does the LDAP database require logging in?"
msgstr ""

msgid "the LDAP database administrative password"
msgstr ""

msgid "Local encryption algorithm to use for passwords"
msgstr ""

msgid "crypt"
msgstr ""

msgid "Installing <emphasis role=\"pkg\">libpam-ldap</emphasis> automatically adapts the default PAM configuration defined in the <filename>/etc/pam.d/common-auth</filename>, <filename>/etc/pam.d/common-password</filename> and <filename>/etc/pam.d/common-account</filename> files. This mechanism uses the dedicated <command>pam-auth-update</command> tool (provided by the <emphasis role=\"pkg\">libpam-runtime</emphasis> package). This tool can also be run by the administrator should they wish to enable or disable PAM modules."
msgstr ""

msgid "<primary><filename>common-auth</filename></primary>"
msgstr ""

msgid "<primary><filename>/etc/pam.d/common-auth</filename></primary>"
msgstr ""

msgid "<primary><filename>common-password</filename></primary>"
msgstr ""

msgid "<primary><filename>/etc/pam.d/common-password</filename></primary>"
msgstr ""

msgid "<primary><filename>common-account</filename></primary>"
msgstr ""

msgid "<primary><filename>/etc/pam.d/common-account</filename></primary>"
msgstr ""

msgid "Securing LDAP Data Exchanges"
msgstr ""

msgid "<primary>LDAP</primary><secondary>secure</secondary>"
msgstr ""

msgid "By default, the LDAP protocol transits on the network as cleartext; this includes the (encrypted) passwords. Since the encrypted passwords can be extracted from the network, they can be vulnerable to dictionary-type attacks. This can be avoided by using an extra encryption layer; enabling this layer is the topic of this section."
msgstr ""

msgid "Configuring the Server"
msgstr ""

msgid "<primary><foreignphrase>OpenSSL</foreignphrase></primary><secondary>creating keys</secondary>"
msgstr ""

msgid "<primary>key pair</primary>"
msgstr ""

msgid "The first step is to create a key pair (comprising a public key and a private key) for the LDAP server. The Falcot administrators reuse <emphasis>easy-rsa</emphasis> to generate it (see <xref linkend=\"sect.easy-rsa\" />). Running <command>./build-key-server ldap.falcot.com</command> asks a few mundane questions (location, organization name and so on). The answer to the “common name” question <emphasis>must</emphasis> be the fully-qualified hostname for the LDAP server; in our case, <literal>ldap.falcot.com</literal>."
msgstr ""

msgid "This command creates a certificate in the <filename>keys/ldap.falcot.com.crt</filename> file; the corresponding private key is stored in <filename>keys/ldap.falcot.com.key</filename>."
msgstr ""

msgid "Now these keys have to be installed in their standard location, and we must make sure that the private file is readable by the LDAP server which runs under the <literal>openldap</literal> user identity:"
msgstr ""

msgid ""
"<computeroutput># </computeroutput><userinput>adduser openldap ssl-cert\n"
"</userinput><computeroutput>Adding user `openldap' to group `ssl-cert' ...\n"
"Adding user openldap to group ssl-cert\n"
"Done.\n"
"# </computeroutput><userinput>mv keys/ldap.falcot.com.key /etc/ssl/private/ldap.falcot.com.key\n"
"</userinput><computeroutput># </computeroutput><userinput>chown root:ssl-cert /etc/ssl/private/ldap.falcot.com.key\n"
"</userinput><computeroutput># </computeroutput><userinput>chmod 0640 /etc/ssl/private/ldap.falcot.com.key\n"
"</userinput><computeroutput># </computeroutput><userinput>mv newcert.pem /etc/ssl/certs/ldap.falcot.com.pem\n"
"</userinput>"
msgstr ""

msgid "The <command>slapd</command> daemon also needs to be told to use these keys for encryption. The LDAP server configuration is managed dynamically: the configuration can be updated with normal LDAP operations on the <literal>cn=config</literal> object hierarchy, and the server updates <filename>/etc/ldap/slapd.d</filename> in real time to make the configuration persistent. <command>ldapmodify</command> is thus the right tool to update the configuration:"
msgstr ""

msgid "Configuring <command>slapd</command> for encryption"
msgstr ""

msgid ""
"<computeroutput># </computeroutput><userinput>cat &gt;ssl.ldif &lt;&lt;END\n"
"dn: cn=config\n"
"changetype: modify\n"
"add: olcTLSCertificateFile\n"
"olcTLSCertificateFile: /etc/ssl/certs/ldap.falcot.com.pem\n"
"-\n"
"add: olcTLSCertificateKeyFile\n"
"olcTLSCertificateKeyFile: /etc/ssl/private/ldap.falcot.com.key\n"
"-\n"
"END\n"
"</userinput><computeroutput># </computeroutput><userinput>ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif\n"
"</userinput><computeroutput>SASL/EXTERNAL authentication started\n"
"SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\n"
"SASL SSF: 0\n"
"modifying entry \"cn=config\"\n"
"</computeroutput>"
msgstr ""

msgid "<emphasis>TOOL</emphasis> <command>ldapvi</command> to edit an LDAP directory"
msgstr ""

msgid "<primary><command>ldapvi</command></primary>"
msgstr ""

msgid "With <command>ldapvi</command>, you can display an LDIF output of any part of the LDAP directory, make some changes in the text editor, and let the tool do the corresponding LDAP operations for you."
msgstr ""

msgid "It is thus a convenient way to update the configuration of the LDAP server, simply by editing the <literal>cn=config</literal> hierarchy."
msgstr ""

msgid "<computeroutput># </computeroutput><userinput>ldapvi -Y EXTERNAL -h ldapi:/// -b cn=config\n"
"</userinput>"
msgstr ""

msgid "The last step for enabling encryption involves changing the <varname>SLAPD_SERVICES</varname> variable in the <filename>/etc/default/slapd</filename> file. We'll play it safe and disable unsecured LDAP altogether."
msgstr ""

msgid "The <filename>/etc/default/slapd</filename> file"
msgstr ""

msgid ""
"\n"
"# Default location of the slapd.conf file or slapd.d cn=config directory. If\n"
"# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to\n"
"# /etc/ldap/slapd.conf).\n"
"SLAPD_CONF=\n"
"\n"
"# System account to run the slapd server under. If empty the server\n"
"# will run as root.\n"
"SLAPD_USER=\"openldap\"\n"
"\n"
"# System group to run the slapd server under. If empty the server will\n"
"# run in the primary group of its user.\n"
"SLAPD_GROUP=\"openldap\"\n"
"\n"
"# Path to the pid file of the slapd server. If not set the init.d script\n"
"# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by\n"
"# default)\n"
"SLAPD_PIDFILE=\n"
"\n"
"# slapd normally serves ldap only on all TCP-ports 389. slapd can also\n"
"# service requests on TCP-port 636 (ldaps) and requests via unix\n"
"# sockets.\n"
"# Example usage:\n"
"# SLAPD_SERVICES=\"ldap://127.0.0.1:389/ ldaps:/// ldapi:///\"\n"
"SLAPD_SERVICES=\"ldaps:/// ldapi:///\"\n"
"\n"
"# If SLAPD_NO_START is set, the init script will not start or restart\n"
"# slapd (but stop will still work).  Uncomment this if you are\n"
"# starting slapd via some other means or if you don't want slapd normally\n"
"# started at boot.\n"
"#SLAPD_NO_START=1\n"
"\n"
"# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,\n"
"# the init script will not start or restart slapd (but stop will still\n"
"# work).  Use this for temporarily disabling startup of slapd (when doing\n"
"# maintenance, for example, or through a configuration management system)\n"
"# when you don't want to edit a configuration file.\n"
"SLAPD_SENTINEL_FILE=/etc/ldap/noslapd\n"
"\n"
"# For Kerberos authentication (via SASL), slapd by default uses the system\n"
"# keytab file (/etc/krb5.keytab).  To use a different keytab file,\n"
"# uncomment this line and change the path.\n"
"#export KRB5_KTNAME=/etc/krb5.keytab\n"
"\n"
"# Additional options to pass to slapd\n"
"SLAPD_OPTIONS=\"\""
msgstr ""

msgid "Configuring the Client"
msgstr ""

msgid "On the client side, the configuration for the <emphasis>libpam-ldap</emphasis> and <emphasis>libnss-ldap</emphasis> modules needs to be modified to use an <literal>ldaps://</literal> URI."
msgstr ""

msgid "LDAP clients also need to be able to authenticate the server. In a X.509 public key infrastructure, public certificates are signed by the key of a certificate authority (CA). With <emphasis>easy-rsa</emphasis>, the Falcot administrators have created their own CA and they now need to configure the system to trust the signatures of Falcot's CA. This can be done by putting the CA certificate in <filename>/usr/local/share/ca-certificates</filename> and running <command>update-ca-certificates</command>."
msgstr ""

msgid ""
"<computeroutput># </computeroutput><userinput>cp keys/ca.crt /usr/local/share/ca-certificates/falcot.crt\n"
"</userinput><computeroutput># </computeroutput><userinput>update-ca-certificates\n"
"</userinput><computeroutput>Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.\n"
"Running hooks in /etc/ca-certificates/update.d....\n"
"Adding debian:falcot.pem\n"
"done.\n"
"done.\n"
"</computeroutput>"
msgstr ""

msgid "Last but not least, the default LDAP URI and default base DN used by the various command line tools can be modified in <filename>/etc/ldap/ldap.conf</filename>. This will save quite some typing."
msgstr ""

msgid "The <filename>/etc/ldap/ldap.conf</filename> file"
msgstr ""

msgid ""
"#\n"
"# LDAP Defaults\n"
"#\n"
"\n"
"# See ldap.conf(5) for details\n"
"# This file should be world readable but not world writable.\n"
"\n"
"BASE   dc=falcot,dc=com\n"
"URI    ldaps://ldap.falcot.com\n"
"\n"
"#SIZELIMIT      12\n"
"#TIMELIMIT      15\n"
"#DEREF          never\n"
"\n"
"# TLS certificates (needed for GnuTLS)\n"
"TLS_CACERT      /etc/ssl/certs/ca-certificates.crt"
msgstr ""

msgid "Real-Time Communication Services"
msgstr ""

msgid "Real-Time Communication (RTC) services include voice, video/webcam, instant messaging (IM) and desktop sharing. This chapter gives a brief introduction to three of the services required to operate RTC, including a TURN server, SIP server and XMPP server. Comprehensive details of how to plan, install and manage these services are available in the Real-Time Communications Quick Start Guide which includes examples specific to Debian. <ulink type=\"block\" url=\"http://rtcquickstart.org\" />"
msgstr ""

msgid "<primary>VoIP</primary><secondary>server</secondary>"
msgstr ""

msgid "<primary>RTC</primary><secondary>server</secondary>"
msgstr ""

msgid "<primary>Instant Messaging</primary><secondary>server</secondary>"
msgstr ""

msgid "<primary>Chat</primary><secondary>server</secondary>"
msgstr ""

msgid "Both SIP and XMPP can provide the same functionality. SIP is slightly more well known for voice and video while XMPP is traditionally regarded as an IM protocol. In fact, they can both be used for any of these purposes. To maximize connectivity options, it is recommended to run both in parallel."
msgstr ""

msgid "<primary>SIP</primary>"
msgstr ""

msgid "<primary>XMPP</primary>"
msgstr ""

msgid "These services rely on X.509 certificates both for authentication and confidentiality purposes. See <xref linkend=\"sect.easy-rsa\" /> for details on how to create them. Alternatively the <emphasis>Real-Time Communications Quick Start Guide</emphasis> also has some useful explanations: <ulink type=\"block\" url=\"http://rtcquickstart.org/guide/multi/tls.html\" />"
msgstr ""

msgid "DNS settings for RTC services"
msgstr ""

msgid "RTC services require DNS SRV and NAPTR records. A sample configuration that can be placed in the zone file for <literal>falcot.com</literal>:"
msgstr ""

msgid "<primary>DNS</primary><secondary>SRV record</secondary>"
msgstr ""

msgid "<primary>DNS</primary><secondary>NAPTR record</secondary>"
msgstr ""

msgid ""
"\n"
"; the server where everything will run\n"
"server1            IN     A      198.51.100.19\n"
"server1            IN     AAAA   2001:DB8:1000:2000::19\n"
"\n"
"; IPv4 only for TURN for now, some clients are buggy with IPv6\n"
"turn-server        IN     A      198.51.100.19\n"
"\n"
"; IPv4 and IPv6 addresses for SIP\n"
"sip-proxy          IN     A      198.51.100.19\n"
"sip-proxy          IN     AAAA   2001:DB8:1000:2000::19\n"
"\n"
"; IPv4 and IPv6 addresses for XMPP\n"
"xmpp-gw            IN     A      198.51.100.19\n"
"xmpp-gw            IN     AAAA   2001:DB8:1000:2000::19\n"
"\n"
"; DNS SRV and NAPTR for STUN / TURN\n"
"_stun._udp  IN SRV    0 1 3467 turn-server.falcot.com.\n"
"_turn._udp  IN SRV    0 1 3467 turn-server.falcot.com.\n"
"@           IN NAPTR  10 0 \"s\" \"RELAY:turn.udp\" \"\" _turn._udp.falcot.com.\n"
"\n"
"; DNS SRV and NAPTR records for SIP\n"
"_sips._tcp  IN SRV    0 1 5061 sip-proxy.falcot.com.\n"
"@           IN NAPTR  10 0 \"s\" \"SIPS+D2T\" \"\" _sips._tcp.falcot.com.\n"
"\n"
"; DNS SRV records for XMPP Server and Client modes:\n"
"_xmpp-client._tcp  IN     SRV    5 0 5222 xmpp-gw.falcot.com.\n"
"_xmpp-server._tcp  IN     SRV    5 0 5269 xmpp-gw.falcot.com."
msgstr ""

msgid "TURN Server"
msgstr ""

msgid "TURN is a service that helps clients behind NAT routers and firewalls to discover the most efficient way to communicate with other clients and to relay the media streams if no direct media path can be found. It is highly recommended that the TURN server is installed before any of the other RTC services are offered to end users."
msgstr ""

msgid "<primary>TURN</primary><secondary>server</secondary>"
msgstr ""

msgid "TURN and the related ICE protocol are open standards. To benefit from these protocols, maximizing connectivity and minimizing user frustration, it is important to ensure that all client software supports ICE and TURN."
msgstr ""

msgid "<primary>ICE</primary>"
msgstr ""

msgid "For the ICE algorithm to work effectively, the server must have two public IPv4 addresses."
msgstr ""

msgid "Install the TURN server"
msgstr ""

msgid "Install the <emphasis role=\"pkg\">resiprocate-turn-server</emphasis> package."
msgstr ""

msgid "Edit the <filename>/etc/reTurn/reTurnServer.config</filename> configuration file. The most important thing to do is insert the IP addresses of the server."
msgstr ""

msgid ""
"\n"
"# your IP addresses go here:\n"
"TurnAddress = 198.51.100.19\n"
"TurnV6Address = 2001:DB8:1000:2000::19\n"
"AltStunAddress = 198.51.100.20\n"
"# your domain goes here, it must match the value used\n"
"# to hash your passwords if they are already hashed\n"
"# using the HA1 algorithm:\n"
"AuthenticationRealm = myrealm\n"
"\n"
"UserDatabaseFile = /etc/reTurn/users.txt\n"
"UserDatabaseHashedPasswords = true"
msgstr ""

msgid "Restart the service."
msgstr ""

msgid "Managing the TURN users"
msgstr ""

msgid "Use the htdigest utility to manage the TURN server user list."
msgstr ""

msgid "<computeroutput># </computeroutput><userinput>htdigest /etc/reTurn/users.txt myrealm joe</userinput>"
msgstr ""

msgid "Use the HUP signal to make the server reload the <filename>/etc/reTurn/users.txt</filename> file after changing it or enable the automatic reload feature in <filename>/etc/reTurn/reTurnServer.config</filename>."
msgstr ""

msgid "SIP Proxy Server"
msgstr ""

msgid "A SIP proxy server manages the incoming and outgoing SIP connections between other organizations, SIP trunking providers, SIP PBXes such as Asterisk, SIP phones, SIP-based softphones and WebRTC applications."
msgstr ""

msgid "<primary>SIP</primary><secondary>server</secondary>"
msgstr ""

msgid "<primary>SIP</primary><secondary>proxy</secondary>"
msgstr ""

msgid "<primary>SIP</primary><secondary>PBX</secondary>"
msgstr ""

msgid "<primary>SIP</primary><secondary>trunk</secondary>"
msgstr ""

msgid "It is strongly recommended to install and configure the SIP proxy before attempting a SIP PBX setup. The SIP proxy normalizes a lot of the traffic reaching the PBX and provides greater connectivity and resilience."
msgstr ""

msgid "Install the SIP proxy"
msgstr ""

msgid "Install the <emphasis role=\"pkg\">repro</emphasis> package. Using the package from <emphasis role=\"distribution\">jessie-backports</emphasis> is highly recommended, as it has the latest improvements for maximizing connectivity and resilience."
msgstr ""

msgid "<primary>repro</primary>"
msgstr ""

msgid "Edit the <filename>/etc/repro/repro.config</filename> configuration file. The most important thing to do is insert the IP addresses of the server. The example below demonstrates how to setup both regular SIP and WebSockets/WebRTC, using TLS, IPv4 and IPv6:"
msgstr ""

msgid ""
"\n"
"# Transport1 will be for SIP over TLS connections\n"
"# We use port 5061 here but if you have clients connecting from\n"
"# locations with firewalls you could change this to listen on port 443\n"
"Transport1Interface = 198.51.100.19:5061\n"
"Transport1Type = TLS\n"
"Transport1TlsDomain = falcot.com\n"
"Transport1TlsClientVerification = Optional\n"
"Transport1RecordRouteUri = sip:falcot.com;transport=TLS\n"
"Transport1TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem\n"
"Transport1TlsCertificate = /etc/ssl/public/falcot.com.pem\n"
"\n"
"# Transport2 is the IPv6 version of Transport1\n"
"Transport2Interface = 2001:DB8:1000:2000::19:5061\n"
"Transport2Type = TLS\n"
"Transport2TlsDomain = falcot.com\n"
"Transport2TlsClientVerification = Optional\n"
"Transport2RecordRouteUri = sip:falcot.com;transport=TLS\n"
"Transport2TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem\n"
"Transport2TlsCertificate = /etc/ssl/public/falcot.com.pem\n"
"\n"
"# Transport3 will be for SIP over WebSocket (WebRTC) connections\n"
"# We use port 8443 here but you could use 443 instead\n"
"Transport3Interface = 198.51.100.19:8443\n"
"Transport3Type = WSS\n"
"Transport3TlsDomain = falcot.com\n"
"# This would require the browser to send a certificate, but browsers\n"
"# don't currently appear to be able to, so leave it as None:\n"
"Transport3TlsClientVerification = None\n"
"Transport3RecordRouteUri = sip:falcot.com;transport=WSS\n"
"Transport3TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem\n"
"Transport3TlsCertificate = /etc/ssl/public/falcot.com.pem\n"
"\n"
"# Transport4 is the IPv6 version of Transport3\n"
"Transport4Interface = 2001:DB8:1000:2000::19:8443\n"
"Transport4Type = WSS\n"
"Transport4TlsDomain = falcot.com\n"
"Transport4TlsClientVerification = None\n"
"Transport4RecordRouteUri = sip:falcot.com;transport=WSS\n"
"Transport4TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem\n"
"Transport4TlsCertificate = /etc/ssl/public/falcot.com.pem\n"
"\n"
"# Transport5: this could be for TCP connections to an Asterisk server\n"
"# in your internal network.  Don't allow port 5060 through the external\n"
"# firewall.\n"
"Transport5Interface = 198.51.100.19:5060\n"
"Transport5Type = TCP\n"
"Transport5RecordRouteUri = sip:198.51.100.19:5060;transport=TCP\n"
"\n"
"HttpBindAddress = 198.51.100.19, 2001:DB8:1000:2000::19\n"
"HttpAdminUserFile = /etc/repro/users.txt\n"
"\n"
"RecordRouteUri = sip:falcot.com;transport=tls\n"
"ForceRecordRouting = true\n"
"EnumSuffixes = e164.arpa, sip5060.net, e164.org\n"
"DisableOutbound = false\n"
"EnableFlowTokens = true\n"
"EnableCertificateAuthenticator = True"
msgstr ""

msgid "Use the <command>htdigest</command> utility to manage the admin password for the web interface. The username must be <emphasis>admin</emphasis> and the realm name must match the value specified in <filename>repro.config</filename>."
msgstr ""

msgid "<computeroutput># </computeroutput><userinput>htdigest /etc/repro/users.txt repro admin</userinput>"
msgstr ""

msgid "Restart the service to use the new configuration."
msgstr ""

msgid "Managing the SIP proxy"
msgstr ""

msgid "Go to the web interface at <literal>http://sip-proxy.falcot.com:5080</literal> to complete the configuration by adding domains, local users and static routes."
msgstr ""

msgid "The first step is to add the local domain. The process must be restarted after adding or removing domains from the list."
msgstr ""

msgid "The proxy knows how to route calls between local users and full SIP address, the routing configuration is only necessary for overriding default behavior, for example, to recognize phone numbers, add a prefix and route them to a SIP provider."
msgstr ""

msgid "XMPP Server"
msgstr ""

msgid "An XMPP server manages connectivity between local XMPP users and XMPP users in other domains on the public Internet."
msgstr ""

msgid "<primary>XMPP</primary><secondary>server</secondary>"
msgstr ""

msgid "<emphasis>VOCABULARY</emphasis> XMPP or Jabber?"
msgstr ""

msgid "<primary>Jabber</primary>"
msgstr ""

msgid "XMPP is sometimes referred to as Jabber. In fact, Jabber is a trademark and XMPP is the official name of the standard."
msgstr ""

msgid "Prosody is a popular XMPP server that operates reliably on Debian servers."
msgstr ""

msgid "<primary>Prosody</primary>"
msgstr ""

msgid "Install the XMPP server"
msgstr ""

msgid "Install the <emphasis role=\"pkg\">prosody</emphasis> package. Using the package from <emphasis role=\"distribution\">jessie-backports</emphasis> is highly recommended, as it has the latest improvements for maximizing connectivity and resilience."
msgstr ""

msgid "Review the <filename>/etc/prosody/prosody.cfg.lua</filename> configuration file. The most important thing to do is insert JIDs of the users who are permitted to manage the server."
msgstr ""

msgid "\n"
"admins = { \"joe@falcot.com\" }"
msgstr ""

msgid "An individual configuration file is also needed for each domain. Copy the sample from <filename>/etc/prosody/conf.avail/example.com.cfg.lua</filename> and use it as a starting point. Here is <literal>falcot.com.cfg.lua</literal>:"
msgstr ""

msgid ""
"\n"
"VirtualHost \"falcot.com\"\n"
"        enabled = true\n"
"        ssl = {\n"
"                key = \"/etc/ssl/private/falcot.com-key.pem\";\n"
"                certificate = \"/etc/ssl/public/falcot.com.pem\";\n"
"                }"
msgstr ""

msgid "To enable the domain, there must be a symlink from <filename>/etc/prosody/conf.d/</filename>. Create it that way:"
msgstr ""

msgid "<computeroutput># </computeroutput><userinput>ln -s /etc/prosody/conf.avail/falcot.com.cfg.lua /etc/prosody/conf.d/</userinput>"
msgstr ""

msgid "Managing the XMPP server"
msgstr ""

msgid "Some management operations can be performed using the <literal>prosodyctl</literal> command line utility. For example, to add the administrator account specified in <filename>/etc/prosody/prosody.cfg.lua</filename>:"
msgstr ""

msgid "\n"
"# prosodyctl adduser joe@falcot.com"
msgstr ""

msgid "See the <ulink url=\"http://prosody.im/doc/configure\"> Prosody online documentation</ulink> for more details about how to customize the configuration."
msgstr ""

msgid "Running services on port 443"
msgstr ""

msgid "Some administrators prefer to run all of their RTC services on port 443. This helps users to connect from remote locations such as hotels and airports where other ports may be blocked or Internet traffic is routed through HTTP proxy servers."
msgstr ""

msgid "To use this strategy, each service (SIP, XMPP and TURN) needs a different IP address. All the services can still be on the same host as Linux supports multiple IP addresses on a single host. The port number, 443, must be specified in the configuration files for each process and also in the DNS SRV records."
msgstr ""

msgid "Adding WebRTC"
msgstr ""

msgid "Falcot wants to let customers make phone calls directly from the web site. The Falcot administrators also want to use WebRTC as part of their disaster recovery plan, so staff can use web browsers at home to log in to the company phone system and work normally in an emergency."
msgstr ""

msgid "<primary>WebRTC</primary>"
msgstr ""

msgid "<primary>SIP</primary><secondary>WebSockets</secondary>"
msgstr ""

msgid "<emphasis>IN PRACTICE</emphasis> Try WebRTC"
msgstr ""

msgid "<primary>WebRTC</primary><secondary>demonstration</secondary>"
msgstr ""

msgid "If you have not tried WebRTC before, there are various sites that give an online demonstration and test facilities. <ulink type=\"block\" url=\"http://www.sip5060.net/test-calls\" />"
msgstr ""

msgid "WebRTC is a rapidly evolving technology and it is essential to use packages from the <emphasis role=\"distribution\">jessie-backports</emphasis> or <emphasis role=\"distribution\">Testing</emphasis> distributions."
msgstr ""

msgid "JSCommunicator is a generic, unbranded WebRTC phone that does not require any server-side scripting such as PHP. It is built exclusively with HTML, CSS and JavaScript. It is the basis for many other WebRTC services and modules for more advanced web publishing frameworks. <ulink type=\"block\" url=\"http://jscommunicator.org\" />"
msgstr ""

msgid "<primary>JSCommunicator</primary>"
msgstr ""

msgid "The package <emphasis role=\"pkg\">jscommunicator-web-phone</emphasis> is the quickest way to install a WebRTC phone into a web site. It requires a SIP proxy with a WebSocket transport. The instructions in <xref linkend=\"sect.sip-server-install\" /> include the necessary details to enable the WebSocket transport in the <emphasis role=\"pkg\">repro</emphasis> SIP proxy."
msgstr ""

msgid "After installing <emphasis role=\"pkg\">jscommunicator-web-phone</emphasis>, there are various ways to use it. A simple strategy is to include or copy the configuration from <filename>/etc/jscommunicator-web-phone/apache.conf</filename> into an Apache virtual host configuration."
msgstr ""

msgid "Once the web-phone files are available in the web server, customize the <filename>/etc/jscommunicator-web-phone/config.js</filename> to point at the TURN server and SIP proxy. For example:"
msgstr ""

msgid ""
"\n"
"JSCommSettings = {\n"
"\n"
"  // Web server environment\n"
"  webserver: {\n"
"    url_prefix: null            // If set, prefix used to construct sound/ URLs\n"
"  },\n"
"\n"
"  // STUN/TURN media relays\n"
"  stun_servers: [],\n"
"  turn_servers: [\n"
"    { server:\"turn:turn-server.falcot.com?transport=udp\", username:\"joe\", password:\"j0Ep455d\" }\n"
"  ],\n"
"\n"
"  // WebSocket connection\n"
"  websocket: {\n"
"      // Notice we use the falcot.com domain certificate and port 8443\n"
"      // This matches the Transport3 and Transport4 example in\n"
"      // the falcot.com repro.config file\n"
"    servers: 'wss://falcot.com:8443',\n"
"    connection_recovery_min_interval: 2,\n"
"    connection_recovery_max_interval: 30\n"
"  },\n"
"\n"
"  ..."
msgstr ""

msgid "More advanced click-to-call web sites typically use server-side scripting to generate the <literal>config.js</literal> file dynamically. The <ulink url=\"http://drucall.org\">DruCall</ulink> source code demonstrates how to do this with PHP."
msgstr ""

msgid "<primary>DruCall</primary>"
msgstr ""

msgid "This chapter sampled only a fraction of the available server software; however, most of the common network services were described. Now it is time for an even more technical chapter: we'll go into deeper detail for some concepts, describe massive deployments and virtualization."
msgstr ""