So I wasn’t pleased to find my postfix-dovecot installation dying on upgrade from 11.04 to 11.10. I couldn’t sent outgoing mail or receive inbound.

Fortunately I wasn’t an “early upgrader”… both issues were easy to find and fix.

Fixing inbound mail

Messages sent to my address were being returned as undeliverable with the following error:

            < my-server.com #5.3.0 x-unix; /usr/lib/dovecot/deliver: invalid option -- 'n' Usage:    dovecot-lda [-c ] [-a 
] [-d ] [-p ]    [-f ] [-m ] [-e] [-k]>

This is fairly self-explanatory: In the new version of Dovecot, the “n” option is no longer used. If you receive this error, type the following commands:

sudo postconf -e "mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-mail-stack-delivery.conf -m \"\${EXTENSION}\""
sudo service postfix restart 

Done.

Fixing outbound mail

My errors were caused by the SASL authentication server, saslauthd. A bug report is here.

The problem can be fixed by rolling back saslauthd packages to a previous version, then “sticking” them so that they don’t get updated with regular system updates. Keep track of this so that you can remember to un-stick them when it comes time to upgrade.

First get the old packages. Replace “i386″ in the links below with “amd64″ if your server is 64-bit

mkdir ~/saslfixes
cd ~/saslfixes
wget http://archive.ubuntu.com/ubuntu/pool/main/c/cyrus-sasl2/libsasl2-2_2.1.23.dfsg1-5ubuntu3_i386.deb http://archive.ubuntu.com/ubuntu/pool/main/c/cyrus-sasl2/libsasl2-modules_2.1.23.dfsg1-5ubuntu3_i386.deb http://archive.ubuntu.com/ubuntu/pool/main/c/cyrus-sasl2/libsasl2-dev_2.1.23.dfsg1-5ubuntu3_i386.deb http://archive.ubuntu.com/ubuntu/pool/main/c/cyrus-sasl2/libsasl2-modules-sql_2.1.23.dfsg1-5ubuntu3_i386.deb http://archive.ubuntu.com/ubuntu/pool/main/c/cyrus-sasl2/sasl2-bin_2.1.23.dfsg1-5ubuntu3_i386.deb

Then remove the old packages and install the new ones:

sudo /etc/init.d/saslauthd stop
sudo dpkg -r libsasl2-dev
sudo dpkg -r libsasl2-modules-sql
sudo dpkg -r sasl2-bin
sudo dpkg -r --force-all libsasl2-2 libsasl2-2:i386
sudo dpkg -r --force-all libsasl2-modules
sudo dpkg -i --force-all *.deb

Then restart the servers:

sudo /etc/init.d/saslauthd restart
sudo /etc/init.d/postfix restart

And finally “stick” the packages so they aren’t updated:

Type these commands as root (sudo su - will get you a root shell)

echo libsasl2-dev hold | dpkg --set-selections
echo libsasl2-modules-sql hold | dpkg --set-selections
echo libsasl2-2 hold | dpkg --set-selections
echo libsasl2-modules hold | dpkg --set-selections
echo sasl2-bin hold | dpkg --set-selections

This is now much easier than it used to be. Last time I tried to set up a VPN on an Ubuntu server, I had trouble with reconnections and had to manually compile OpenSwan. These all seem to be fixed.

Instructions are already all over the internet, but there are a few extra steps for a default Ubuntu linode in order to get routing to work.

These instructions are tested with Ubuntu 11.04 (Natty), but should also work on 11.10. We will set up an OpenSwan IPSec server with l2tp encryption provided by xl2tpd.

1. Install everything:
   

   sudo apt-get install openswan ppp xl2tpd

2. When OpenSwan installs, answer “No” to the question about certificates… on mobile devices you will use a shared secret rather than a certificate.
3. Follow the rest of the directions in this post to set up the configuration files, up until it asks you to restart the three servers. Be sure to substitute the Ubuntu Server IP Address
   and your Gateway Internal IP with the Public IP and Default Gateway provided by Linode. These can be found on your Linode Manager under the “Remote Access” tab.

   When editing the /etc/xl2tpd/xl2tpd.conf file, you can choose any private subnet for “IP Range” and “local IP”. The “Local IP” will be assigned to the server, and clients will be assigned IPs from the “IP Range”. For example, I chose 192.168.0.2 – 192.168.0.20 for the range and 192.168.0.1 for the local IP.

   In addition, in the /etc/ppp/options.xl2tpd file, change the ms-dns line to point to your DNS name servers. You will probably want to use those provided by Linode too — you can add multiple ms-dns lines, one for each resolver.

4. Now edit your /etc/rc.local file, and add the following, before the exit 0; line. Change the 192.168.0.0/24 IP range to match the IP range you chose above in the xl2tpd.conf file.

   iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
   iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
   iptables -A FORWARD -j REJECT
   iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
   echo 1 > /proc/sys/net/ipv4/ip_forward
   for each in /proc/sys/net/ipv4/conf/*
   do
       echo 0 > $each/accept_redirects
       echo 0 > $each/send_redirects
   done
   /etc/init.d/ipsec restart

5. This sets up the necessary kernel routing options and firewall rules for traffic to be routed through to the Internet. The file will be executed at each boot.. but you can run it now without rebooting with sudo /etc/rc.local.
6. Now restart all the servers:
   

   sudo /etc/init.d/pppd-dns restart
   sudo /etc/init.d/xl2tpd restart
   sudo /etc/init.d/ipsec restart

7. Check that everything is working… you should get “OK” for everything other than “Opportunistic encryption” and RSA key:
   

   sudo ipsec verify
   

8. All done! You can follow the directions for iPhone setup at the bottom of the same post