How to get updates in very restricted environment

arsmage
Posts: 6
Joined: 14 Sep 2017 15:23

How to get updates in very restricted environment

Post by arsmage »

Hello,

I'm trying to set up a POC of EFA in a very restricted private environment. Consequently the EFA server I'm trying to build cannot resolve external DNS entries or reach any of the required update mirrors. I can request access to be allowed, but I must be very specific in my request. Right now, if I attempt to do the initial setup, I get a message back saying the following:

Starting unbound:
[ERROR] Unable to resolve efa-project.org.
Check your connectivity to the Internet and
ensure that DNS is functional.
Then try to run EFA-Init again.

I searched the forums but did not find anything that seems to fit my use case.

Thanks in advance.

TD
henk
Posts: 518
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: How to get updates in very restricted environment

Post by henk »

In a very restricted private environment
sounds like the DNC mail server :lol:
If you have no access to DNS, it makes no sense to run EFA
Based on the limited info, if you need to request access (by security?), I'm sure they will not allow access to the outside world in any way, and it's not only DNS you need to be able to receive/send mail.

You should be more specific in your question, but to be true, I don't think that will happen. ;)
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
arsmage
Posts: 6
Joined: 14 Sep 2017 15:23

Re: How to get updates in very restricted environment

Post by arsmage »

I have management and security buy in to do a POC but I have to work within the rules. We need to keep the scope as narrow as possible for the locations we allow through firewalls and/or available via our proxy service. The devil is in the details and right now I don't know what the specific external requirements are to even complete the installation.

The https://wiki.efa-project.org/doku.php?id=firewall_ports page lists ports needed but not destinations required for installation and updates.
henk
Posts: 518
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: How to get updates in very restricted environment

Post by henk »

As you found your way to EFA, compare it to your current spam fighting situation. You can configure EFA as paranoid as you want, and really don't need a POC; it works!

Anyway my two cents:
You could build a VM EFA machine at home and update everything once. Copy the VM, thus skipping additional repo problems one time.
( or build it in a less restricted environment and copy it)

But then what?

You still need DNS.
How do you want to receive mail from the outside world? Just for EFA as POC?
How do you want to send (valid) mail to the outside world? EFA is not a mail server.

As you already know the ports requirements, ask security to open them just for you. :pray:
Normally security will not bend the rules, and root access/bypassing the proxy service is bending the rules, a lot.

Long story short: the devil is not in the details, but in the big picture and sometimes in the mail.
arsmage
Posts: 6
Joined: 14 Sep 2017 15:23

Re: How to get updates in very restricted environment

Post by arsmage »

POC is somewhat of a misnomer; it will be a non-production instance to work out the requirements and familiarize staff with eFa.
Unfortunately I don't have an option to build the VM offsite due to restrictions on removable media.
The DNS issue will be addressed; we have a solution in place to get external DNS resolution.
There will be an SMTP relay server that will send the mail out to the world. Receive is not needed.
I still need to know what update mirror sites to have whitelisted. The scope has to be the minimum required to install and keep eFa updated. I can't open the ports to any/any.
henk
Posts: 518
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: How to get updates in very restricted environment

Post by henk »

Receive is not needed? Then what's the point? E.F.A. is best at fighting inbound spam.

Anyway.
The repos needed:

[root@sansspam ~]# yum repolist
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* EFA: dl3.efa-project.org
* base: mirrors.noction.com
* epel: epel.mirror.wearetriple.com
* extras: mirrors.supportex.net
* mariadb: ftp.nluug.nl
* remi-php72: remi.mirror.wearetriple.com
* remi-safe: remi.mirror.wearetriple.com
* updates: mirror.proserve.nl
repo id      repo name
EFA          EFA-Project
base         CentOS-6 - Base
epel         Extra Packages for Enterprise Linux 6 - x86_64
extras       CentOS-6 - Extras
mariadb      MariaDB
remi-php72   Remi's PHP 7.2 RPM repository for Enterprise Linux 6 - x86_64
remi-safe    Safe Remi's RPM repository for Enterprise Linux 6 - x86_64
updates      CentOS-6 - Updates

additional:

http://db.XX.clamav.net/ (where XX is your country code)
http://dl.efa-project.org/MailScanner/
https://www.pccc.com/downloads/SpamAssassin/contrib/

razor
dcc servers
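The repolist above shows why a destination allowlist built from one run is not reliable: yum picks the actual download mirror from a mirrorlist at run time, so the hosts under base, epel, extras and updates change between runs. This added script (not eFa project code) extracts every host named in baseurl= and mirrorlist= lines of yum .repo definitions and flags the mirrorlist-driven ones, which need to be pinned to a fixed baseurl= before the allowlist request is complete. The repo definitions and their paths are constructed for the example; mirrorlist.example.invalid is a placeholder, not a real mirrorlist host.

```sh
#!/bin/sh
# Constructed sample of /etc/yum.repos.d/*.repo content (hostnames taken
# from the repolist in this thread; paths and the mirrorlist host are made up).
SAMPLE_REPOS='[EFA]
name=EFA-Project
baseurl=http://dl3.efa-project.org/example/6/x86_64/
enabled=1

[base]
name=CentOS-6 - Base
mirrorlist=http://mirrorlist.example.invalid/?release=6&arch=x86_64&repo=os
gpgcheck=1

[epel]
name=Extra Packages for Enterprise Linux 6 - x86_64
baseurl=http://epel.mirror.wearetriple.com/example/6/x86_64/

[extras]
name=CentOS-6 - Extras
baseurl=http://mirrors.supportex.net/example/6/extras/x86_64/ http://dl3.efa-project.org/example/extras/'

# Read .repo text on stdin; print "host kind" per unique host, where kind is
# baseurl (fixed destination) or mirrorlist (yum chooses a mirror at run time).
repo_hosts() {
  awk -F= '
    /^[[:space:]]*(baseurl|mirrorlist)[[:space:]]*=/ {
      kind = $1; gsub(/[[:space:]]/, "", kind)
      val = $0; sub(/^[^=]*=[[:space:]]*/, "", val)
      n = split(val, urls, /[[:space:],]+/)      # several URLs on one line
      for (i = 1; i <= n; i++) {
        host = urls[i]
        sub(/^[A-Za-z]+:\/\//, "", host)         # drop the scheme
        sub(/[\/?:].*$/, "", host)               # drop path, query, port
        if (host != "") print host, kind
      }
    }' | LC_ALL=C sort -u
}

# Return 1 if any repo still relies on a mirrorlist: the host set is then
# not deterministic and the firewall request cannot be considered complete.
check_pinned() {
  repo_hosts | grep -q ' mirrorlist$' && return 1
  return 0
}

printf '%s\n' "$SAMPLE_REPOS" | repo_hosts
if printf '%s\n' "$SAMPLE_REPOS" | check_pinned; then
  echo "all repos pinned; host list above is the allowlist"
else
  echo "mirrorlist repos present; pin them to a baseurl before requesting access"
fi
```

Run it against the real files with `cat /etc/yum.repos.d/*.repo | repo_hosts`; the ClamAV, MailScanner, SpamAssassin, razor and DCC hosts listed above are fetched outside yum and must be added to the request by hand.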
arsmage
Posts: 6
Joined: 14 Sep 2017 15:23

Re: How to get updates in very restricted environment

Post by arsmage »

Thanks, that got me in the right direction.

As to the first question, I'm working on something that requires outbound emails be scanned. There may come a time in the future that inbound could need to be included, but it's out of scope for the foreseeable future.
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How to get updates in very restricted environment

Post by shawniverson »

How about a yum update proxy?

Then you'd just need to point to it. One DNS entry.