Thursday, April 18, 2024

Moving a GroupWise System

Through the life of a typical GroupWise system, it will likely move platforms at some point. No fancy migrations needed as all the database changes get done in place.

The reason could be anything from hardware replacement, to changing virtualization types, to hitting the limits of the OS in place at the time of the original installation. After all, you can only upgrade a box so much before issues with the OS appear. Even when you otherwise love that OS, a new install gains you many advantages that are blocked when you just upgrade in place. Any GroupWise system of any real age has likely been moved a few times, such as from NetWare to NetWare to OES to OES.

For this document, I will stick to the current (late SLES15 era) and most common GroupWise hosting OS, with pure SLES or OES (built on SLES). This assumes GroupWise is the only application on the system, so that the old box can be retired, and that you are running an incremental copy of some sort. Imaging the data, such as moving/copying a virtual drive, can be done as well. This applies to each and every server with a Domain and/or PostOffice on it. A GroupWise upgrade can be a part of this process if desired, but this assumes at least a GroupWise 2014 or greater source system.

This process allows you to build the new server in advance, and get the bulk of the files copied over in advance without downtime as those OFFILES are bulky, don't change much, and take a while (possibly many hours) for that initial copy. You are typically just looking at a couple of hours of downtime for the final move, under an hour if all goes smoothly.

Pre-migration is a good time to make sure your GroupWise maintenance is running properly. Also check its results, and make sure files that are not part of the GroupWise system are removed from the GroupWise folders.

Build the new system with a different IP from the old server and a separate logical drive for GroupWise, either as NSS or XFS. Both are excellent options, both needing specific settings made, ideally at creation. NSS needs Salvage turned off, XFS (or any DB safe Linux type) mount points need the noatime and nodiratime set for optimal performance.

  • Install GroupWise, but do NOT configure it!
  • Restart the server at least once before the final migration to really finish that install.
  • Copy the data with either rsync or dbcopy. rsync is native to any Linux and is worth knowing for all platforms. I find it is the faster and easier of the two. It copies every file that has ended up in the source (junk included) and doesn't get you restorable db files if the GW Agents are running, which is not a problem with such a migration. DBCopy requires a mount point to the new location to work, only does GroupWise files, is slower, and doesn't delete files. A script combining the two makes for a decent low budget backup. Example in the Community.
  • Both tools can be used incrementally, and whichever you choose should be: start with a primary full copy of both the Domain and PostOffice folders, making sure the size at the destination is about what you see on the source. Identify any notable differences, as there may be issues to take care of. You can/should do this in the days leading to the actual flip outage of a couple of hours. If the versions differ, it tends to be best to use the newest dbcopy if you are using it; otherwise the direction of copy doesn't matter much.
  • Easy comparison tools:
  • # du -h --max-depth=1 /GWdomain|GWpostoffice (the PO will take a while due to OFFILES)
  • or install and use ncdu from GWdomain|GWpostoffice folders

  • If your GroupWise system uses the same IP as the server it is on, this is where we will change that. A separate secondary IP for GroupWise makes these moves so much easier, is mandatory if you were to go to cluster services (where I learned this trick), and is how the containerized future of IT generally works.
  • On the new server, make sure the /etc/hosts file has the GroupWise agents as FQDN entries as needed for GroupWise since 18.4, and that they match what you have in the agents' settings.

  • On the new box, make sure the GroupWise agents ports are all open on the Firewall. Firewalls on servers are becoming less and less an option in the whole Zero Trust path of things.
  • Firewall ports references
  • on MTA system: 7100, 7180, 9710
  • on POA system: 1677, 8301, 7181, 7101, 7191, 9711
  • on GWIA system: usually an MTA set and 25, 9850
  • For the final migration, make sure the source server's agents are shut down, and preferably can't be turned back on
  • # rcgrpwise stop
  • # systemctl disable grpwise.service
  • perform the final sync
  • While that final sync is running, copy the following files to the new system.
  • /etc/opt/novell/groupwise/gwha.conf
  • /opt/novell/groupwise/agents/share/gwdva.dva
  • /opt/novell/groupwise/certificates/*
  • # scp /etc/opt/novell/groupwise/gwha.conf root@DestinationServer:/etc/opt/novell/groupwise/
  • # scp /opt/novell/groupwise/agents/share/gwdva.dva root@DestinationServer:/opt/novell/groupwise/agents/share/
  • # scp -r /opt/novell/groupwise/certificates/* root@DestinationServer:/opt/novell/groupwise/certificates/
  • Once the sync is complete, remove the secondary IP from the source server if already using such, or down that server.
  • Add the secondary IP to the new server
  • # systemctl status grpwise.service
  • It may not be enabled yet. Enable it and start it.
  • Test the system: can you send & receive email, and manage the system?
  • A reboot to make sure it all behaves is a good thing as well.
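
The size comparison from the copy step, as an added example (not part of the original post or of GroupWise's own tooling): it totals each first-level folder the way `du --max-depth=1` does and lists the ones that differ between source and destination. It assumes both trees are reachable as local paths, for instance with the new location mounted, and the 2% tolerance is an arbitrary choice.

```python
import os

def folder_totals(root):
    """Bytes and file count per first-level entry under root (like du --max-depth=1)."""
    totals = {}
    for entry in os.scandir(root):
        if entry.is_dir(follow_symlinks=False):
            size = count = 0
            for dirpath, _dirs, files in os.walk(entry.path):
                for name in files:
                    try:
                        size += os.lstat(os.path.join(dirpath, name)).st_size
                        count += 1
                    except OSError:
                        pass  # file vanished mid-walk (agents still running)
            totals[entry.name] = (size, count)
        else:
            totals[entry.name] = (entry.stat(follow_symlinks=False).st_size, 1)
    return totals

def compare_copy(src, dst, tolerance=0.02):
    """Return (name, finding) pairs for first-level entries that do not match.

    rsync copies junk along with the data and dbcopy never deletes, so an
    entry can be missing on either side as well as differ in size.
    """
    s, d = folder_totals(src), folder_totals(dst)
    findings = []
    for name in sorted(set(s) | set(d)):
        if name not in d:
            findings.append((name, "missing at destination"))
        elif name not in s:
            findings.append((name, "only at destination"))
        else:
            (ssize, scount), (dsize, dcount) = s[name], d[name]
            # Relative difference, guarded against empty folders.
            if abs(ssize - dsize) > tolerance * max(ssize, dsize, 1):
                findings.append(
                    (name, f"size {ssize} vs {dsize} bytes, files {scount} vs {dcount}")
                )
    return findings

if __name__ == "__main__":
    import sys
    # Usage: python compare_copy.py /path/to/source /path/to/destination
    for name, finding in compare_copy(sys.argv[1], sys.argv[2]):
        print(f"{name}: {finding}")
```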

If this feels overwhelming, and you are in Canada, please reach out to us, as we can help. For other feedback and comments, post a comment below. 

Tuesday, January 30, 2024

Is your email system ready to keep delivering email as the spam wars escalate?

Google's new restrictions on the email they will accept starting February 1st 2024 are just good practices we should be following.  But what are they really, and how can we make sure they are in place?

This applies to any sending email system, whether on your own servers, or hosted in the cloud such as with Microsoft or Google, to be successfully delivered. 

The pieces have all been here for a while as good optional settings, but now Google is just the first enforcing them:

  1. The IP address of the server(s) your mail comes from must have a reverse lookup.  PTR
  2. The server must have a functioning encryption running.  STARTTLS
  3. You must have published where your domain's mail is coming from.  SPF
  4. Your server has to sign the message (like a wax seal).  DKIM
  5. You have to publish your domain's alignment rules for #3 & #4, and where to send reports. DMARC
Note:
#3 & #4 are either/or for low volume senders, but both must be there for high volume senders.
#5 is mandatory for large volume senders.

It is a good idea to get all of them working, as inevitably, we will need to have this for all systems. #5 is the part that ties SPF and DKIM together to close the loopholes the spammers found in them.

How to check:

Much of this is checked in DNS, checking the header/source of an email from the system, and talking directly to your mail server from another "mail server".  

  • You can see if your system is good to go, or if you have problems by sending an email to a Gmail account you can log into. For each message in Gmail, you can check much of the status of a message that was sent to you, as to how the sending system was working or not at the new levels, at the time the message was sent.
  • In Gmail, open the message, then from the message's 'more' stacked dots, select "<> Show original".
  • This view will show any results for any SPF, DKIM, or DMARC settings that are in place. If one doesn't show, then that protection level doesn't yet exist for that internet domain or mail server (i.e. it needs to be added).
  • To check if it was encrypted, Ctrl-F (search) for TLS, and there should be at least one (such as TLS1_3 or TLS1_2) for the connection from the sending server to Gmail's first server in.
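
The same check done by script, as an added example that is not part of the original post: paste the text from "Show original" into it and it reports the SPF, DKIM and DMARC verdicts and any TLS version recorded in the Received lines. The sample message is constructed, and the function name and the `mx.google.com` default for the trusted server name are assumptions of this example.

```python
import re
from email import message_from_string

# Constructed sample (not a real message), laid out like Gmail's "Show original".
SAMPLE = """\
Delivered-To: bob@gmail.com
Received: from mail.example.com (mail.example.com. [203.0.113.10])
        by mx.google.com with ESMTPS id constructed-id-1
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 29 Jan 2024 10:00:00 -0800 (PST)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=sel1 header.b=AbCdEfGh;
       spf=pass (google.com: domain of alice@example.com designates 203.0.113.10 as permitted sender) smtp.mailfrom=alice@example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
From: alice@example.com
To: bob@gmail.com
Subject: test

hello
"""

def auth_report(raw, authserv_id="mx.google.com"):
    """Return spf/dkim/dmarc verdicts and the TLS versions seen in a raw message."""
    msg = message_from_string(raw)
    report = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^()]*\)", " ", value)  # drop (comments)
        parts = value.split(";")
        # Only trust the header written by the receiving server: a sender can
        # put any Authentication-Results line it likes into its own message.
        server = parts[0].split()
        if not server or server[0].lower() != authserv_id:
            continue
        for part in parts[1:]:
            m = re.match(r"\s*(spf|dkim|dmarc)\s*=\s*(\w+)", part, re.I)
            if not m:
                continue
            method, result = m.group(1).lower(), m.group(2).lower()
            # Several DKIM signatures can be reported; one pass is enough.
            if report[method] != "pass":
                report[method] = result
    tls = []
    for received in msg.get_all("Received", []):
        tls += re.findall(r"version=(TLS[\w.]+)", received)
    report["tls"] = tls  # empty list: no hop recorded an encrypted session
    return report

if __name__ == "__main__":
    print(auth_report(SAMPLE))
```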

Summary:

Google is just the first. Yahoo! and AOL have committed to doing the same thing very soon, and Microsoft won't be far behind (looks like they may just be letting the others take the heat for being more secure).

These are also all good things to check and filter at your inbound / receiving mail systems.

Offering:

Would you like someone from outside your organization to validate how ready your organization is for these upcoming changes? Konecny Consulting will do this checking for you for $99CDN + HST (payment via credit card). To engage with us please complete the contact form and we will get back to you. This offer is available to organizations within North America.

 


 

Thursday, January 18, 2024

Google making major changes to email acceptance requirements

Will your email be blocked by Google, or are you ready for the changes they are making? Google will be blocking emails from weakly configured systems as of February 1st, 2024. Make sure your system isn’t one of them that will be blocked.

Starting February 1st, Google will be imposing requirements on any emails being sent to a Gmail account.  They are asking for you to have some basic email system hygiene in place for your mail system.  If you are at all responsible for your own domain (the part after the @ symbol, such as username@gmail.com), then you must pay attention, whether you have an email server in your own data centre, or your email is hosted such as with 365 or Google.

Two other large email systems (Yahoo! and AOL) have already stated they are following in Google's footsteps, Microsoft is expected to follow before long.

These are Google's new requirements as of February 1st, 2024, and your email administrators need to make sure they are in place:

  • All your outbound email servers must now do TLS encryption. Without this, your email can be intercepted and read, or worse. There are still so many systems running without this, as it is not a default on most of the ones you set up yourself. Most hosted solutions do have this already, but it is not a bad thing to check.
  • For systems with a lower send rate, you need at least one of SPF and/or DKIM set up and working correctly.
  • For systems that sometimes send more than 5,000 messages a day to Google Mail servers (including their customer domains they are hosting), then you must have both SPF AND DKIM working correctly AND DMARC setup.

The most basic SPF and DMARC records you can set up for your domain are (in standard BIND notation):

@ TXT "v=spf1 a mx ~all"

_dmarc TXT "v=DMARC1; p=none; rua=mailto:{emailAddress2processReports}"

That SPF record is NOT guaranteed to work, as it must identify your email server(s). That DMARC record is very safe with an email address that does accept mail. Checking DKIM requires a proper analysis of those DMARC reports, though some spot checking can be done looking at the source header of received messages. 
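
A small record checker for the two TXT values above, as an added example that is not part of the original post. The function names and the wording of the findings are this example's own; it inspects the record text only and performs no DNS queries, so lookups hidden inside `include:` targets are not counted.

```python
import re

LOOKUP_TERMS = ("a", "mx", "include", "exists", "ptr", "redirect")  # each costs a DNS lookup

def check_spf(txt):
    """Summarise an SPF TXT value: qualifier on 'all', lookup count, issues."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"all": None, "lookups": 0, "issues": ["not an SPF record (must start with v=spf1)"]}
    all_q, lookups, bare, explicit, redirect = None, 0, False, False, False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        name = re.split(r"[:/=]", body, maxsplit=1)[0]
        lookups += name in LOOKUP_TERMS
        redirect = redirect or name == "redirect"
        if name in ("a", "mx") and ":" not in body:
            bare = True          # refers to the domain's own A / MX hosts
        elif ":" in body or name == "redirect":
            explicit = True      # names an address, network or other domain
        if name == "all":
            all_q = qualifier
    issues = []
    if all_q is None and not redirect:
        issues.append("no 'all' term: unlisted senders get a neutral result")
    if all_q == "+":
        issues.append("+all authorizes every server on the internet")
    if lookups > 10:
        issues.append("more than 10 DNS-lookup terms: evaluation ends in permerror")
    if bare and not explicit:
        issues.append("only this domain's own A/MX hosts are authorized; "
                      "confirm every sending server is among them")
    return {"all": all_q, "lookups": lookups, "issues": issues}

def check_dmarc(txt):
    """Summarise a DMARC TXT value: policy, report address, issues."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("not a DMARC record (must start with v=DMARC1)")
    policy = tags.get("p", "").lower() or None
    if policy not in ("none", "quarantine", "reject"):
        issues.append("p= must be none, quarantine or reject")
    elif policy == "none":
        issues.append("p=none asks receivers for reports only, not enforcement")
    rua = tags.get("rua", "")
    if not rua:
        issues.append("no rua= address, so no aggregate reports will arrive")
    elif "{" in rua or not all(u.strip().lower().startswith("mailto:") for u in rua.split(",")):
        issues.append("rua= is still a placeholder or is not a mailto: URI")
    return {"policy": policy, "rua": rua, "issues": issues}

if __name__ == "__main__":
    # The two records quoted in the post above.
    print(check_spf("v=spf1 a mx ~all"))
    print(check_dmarc("v=DMARC1; p=none; rua=mailto:{emailAddress2processReports}"))
```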

For more details of Google’s current requirements, including the other 'little' details, read their "Email sender guidelines." https://support.google.com/a/answer/81126

Expect Google and others to increase their requirements in the future, such as the number of messages per day trigger point to be reduced, as well as requiring DMARC enforcement (not just reporting).

Yes, this can seem overwhelming. If you would like some assistance checking to see if your email system is ready for this major change, we may be able to assist you. Please reach out to us and we can discuss this with you.

Tuesday, May 9, 2023

If you want a thing done, Get out of my way!

If you want me to do something, give me the goal and authority, then get out of my way.

Many people will sit and complain that something isn’t working correctly, but they won’t give someone else the authority to investigate the issue and get it resolved. They may talk about wanting someone to do that work, but don’t give the actual authority to do so and/or the desired outcome.

I have encountered individuals/clients that will complain that the system isn’t doing what they expected. The reason it’s not working is that no one has been given the responsibility of learning and taking on the system, and then setting up a process to maintain it.  This happens in all sizes of organizations, and it is something that I keep tripping over.

One of the issues I see, is that some managers don’t want someone else to understand a system that they don’t. Managers can’t know every system and all the different ins and outs that are required to make it work. Being a good manager means giving someone the authority to take on that specific program/system and get it working the best they can, and a process documented. In some (too many) cases, authority or task might be given in an unclear and undefined way, so that no one knows what really needs to be done. A simple email to the team/individuals involved is all that it takes to give that authority, e.g. ‘x’ is now doing “the thing”, articulate the goal, and please support and assist ‘x’ where needed/requested.

So yes, get out of my way is one way for that to happen. It can be difficult for a manager to do this, but if they want to be a good manager, they need to be able to do just that. Getting out of someone’s way can result in a process being developed that will work for everyone, and more people will understand the system.  It will end up resulting in a better overall system, as well as processes being developed and documented for your organization's use and support of the system.

Now, if you want me to do the task, simply give me a clear goal and the authority, then get out of my way.

 

Monday, April 10, 2023

Rebooting your computer

This is an email that we recently wrote for a client to help them communicate to their end users that rebooting their computers is important. Watch for another blog entry that will provide additional feedback that you, as IT, can use when you get questioned about this.

Subject: Why you need to reboot at least once or twice a month

Why reboots are required.

  • Many computer device patches require a restart of your system for them to be applied. Patches can be installed while you are working, but will not get applied until a reboot/restart of your computer has been done.
  • IT can also push out other necessary patches that don’t trigger a reboot, but still require a reboot to complete the patch being applied.

How often is a reboot required?

  • It is ideal that a reboot be done at least once or twice a month (reboot with patches when applicable) to ensure that your system is up-to-date with all the necessary patches. A system can be compromised if the patch has been installed but not applied.
  • Ideally, rebooting once a week would ensure you are keeping your system up to date.
  • IT could schedule reboots, but it is ideal that everyone manage their system themselves, as they know when the best time to reboot is. (Sleeping or hibernating your computer is not a reboot). If systems continue not to be rebooted, IT can schedule forced updates on these systems.

Why does my computer reboot itself?

  • Some operating system patches force a reboot, and they usually do it automatically overnight. By keeping your system patched and up to date, these forced reboots happen less frequently.

By rebooting our systems, we are not only keeping our systems up to date, we are also helping to ensure that the company data is kept safe.

Saturday, November 19, 2022

Let Sleeping Services Be

AKA, latest scam attempted on me, with most of the caller's fumbles of his script left out.

A call came in claiming to be my ISP (never used it for home internet, but the phone number had been with them at one point, so others may have a match claiming your ISP based on who your phone has been with), saying that they had a failure on their server and that 70% of services had stopped, and we need to fix them.

Caller: How many devices do you have using the internet?  

Me: (quickly count the list) I have 15 IPs active today as seen on WhoIsConnectedSniffer (software I have running on my computer most of the time), but some of them should never get to the internet.   

Caller:  Then I need you to get in front of your computer.

Me:  OK, since that is where you caught me, where did you think I had WhoIsConnectedSniffer running?  yes I am there.

Caller: confused sounding
(a bit of back and forth with this drone in a call centre, to get him back on track of the scam to see where it is going)

Caller:  Do you see the Windows key?  Hold it down and press R

Me:  Ah, you want the Run prompt, OK, I am there.

Caller:  type in msconfig   and then press the OK button

Me: (I know this first bit is safe, so I proceed) Oh, it looks a bit different since I last looked this way, I see the Tabs: General, Boot, Services, ...

Caller:  OK, need you to click on Services, now see how many are stopped. 

Me:  Yes, I see many of  them stopped and that is the normal amount I expect there.

Caller: Then we need to remote into your computer to fix these stopped services as part of the service you paid for.

Me: But those services aren't needed, in fact some of them really shouldn't be running most of the time, rather like one doesn't leave their car running in the garage when they aren't driving it.

Caller:  But you paid for this service, so we need to restart them for you.

Note: This goes on back and forth for nearly 5 minutes until a meeting reminder gets me to wrapping up.  I could have so dragged him along for ages if I had the free time.

Me:  I have several ways to prove you are a scammer. 

  • I'm not with the ISP you claim to be, though I have worked with them.
  • It is normal for Windows to have stopped services as many are used only occasionally and the system knows how to trigger them on when needed, or are only on when the applicable hardware is turned on, example: the Bluetooth support service is stopped because I don't currently have Bluetooth turned on.
  • Clearly, as someone who mainly works on Linux servers, I still know way more about Windows than you do. 

Caller:    Ahh..ahh....ahhh..........

The line goes dead.  He was clearly very new at this, or was just following the script in front of him. 

Summary:

If you ask a question and they immediately re-ask their question, it is almost certainly a scam. 

Stopped services on your computer are a normal thing, just like your microwave or shower are not running much of the time.  A server failure at your ISP is not going to impact the services on your computer, as, if necessary, a reboot of your system is all you should need.  Never let one of those callers remote into your system, as that is a disaster waiting to happen.  What exactly they will do varies, but it won't be in your interest.



Monday, November 7, 2022

Billing and working with clients

As a bookkeeper and an office manager, people have asked me some questions about managing getting paid by clients. I have put together my recommendation of both billing and receiving payments from clients. This may not work for everyone, but I have seen it work, and it means you aren’t working for free.

How often should I bill a client?

  • I recommend that if you are a consultant and working with clients, it is a good idea to bill them monthly. Billing at the end or the first of the month means it is easier to track when bills have been issued. If you have a standard flat rate for the clients, it is recommended to bill that at the beginning of the month. I also have a recommendation of either doing net 15 or net 30 days. I normally go with net 30 days for existing clients.

Client hasn’t paid the invoice, what do I do?

  • When the invoice is close to the 30 days since issuing it, I recommend sending a reminder email letting the client know that the invoice is still outstanding. The wording I normally use is “can you let me know the status of the invoice?” This gives the client the chance to look into it without you saying it’s due. If you don’t receive a reply, you start slowing down the response time for emails.
  • At 45 days, another email is sent, but this time you do mention that the invoice is overdue and would like to know when you can expect payment. This lets the client know that payment hasn’t been received and maybe there is an issue on their end or some communication with you is required. At this point, if you are not getting a reply to emails, a phone call is required to talk to the client about payment. If you don’t get any answers, this is when work really starts to slow down.
  • At 60 days from the billing date, this is when another email will be sent and requested payment. Also, letting the client know that work will need to be slowed down or discontinued until payment is received. If a client says, "I promise to pay the bill, trust me", be careful because this could be a sign of other issues. Try and set up a meeting with the client to discuss the situation.

Handling new clients

  • When you are approached by a new client, there are a couple of different ways to handle payment.
    • You can request a deposit via credit card for the work, as this ensures that you will receive some money for work being done.
    • You can let the client know that a bill will be sent immediately after the work has been completed, with net 15 days. This is the one time that billing monthly is not applied.

Can I do a credit check on a potential or existing client?

  • The simple answer to this question is yes. If you are going to be doing major work with a client that you have got out of the blue, it might be a good idea to do a credit check on them. Also, the biggest piece of advice I give is if you don’t get the first payment, and you just get a “trust me”, it’s time to do that credit check.
  • You can also do a credit check on an existing client if you are going to be doing major work with them.  Remember, you are the one that will be providing your services, and you need to make sure that you will be receiving payment for it as we have seen this happen in the past.

 

Summary

It is difficult when you don’t receive payments from clients, but if you make sure that you are fair with them, there should be open communication. When clients start not answering your emails or phone calls, it’s time to start looking at how you can let them know that work is going to have to be reduced until some payments are received. Remember, do not spend the money that is owed to you until it’s in your bank account. Using the money before it’s in your bank account can result in a big financial challenge for your own business.

Billing and working with clients can be a challenge, but if you establish a standard way of billing and communicating with a client, it does help a lot. Don’t be afraid to ask for advice from other small businesses because it helps to hear what other people do as well. Asking a client for payment can be a challenge, but it’s better than just sitting back and hoping, that one day you will receive payment for what they owe you.