Pins 1 and 6 on the RJ11 are not connected.

With the 5 pin header to your left and the MX T122541 IC to your right, the top pin is GND, moving down the next pin is not used, the next one down is RX, then TX, the bottom pin is VCC (+3.3 volts). The CPU sends booting information from this serial interface, connect it up to your PC and set the terminal software to 9600 baud, 8 bits, no parity and 1 stop bit (96008n1). The easiest way to connect this 3.3v serial port to a PC is by using one of the cheap converter boards found on eBay/Amazon/AliExpress, they can be bought for a few pounds, just search for “FT232RL PCB”.

The next chip to the right is labelled WINBOND W9812G6JH-6 and is a 16MB RAM chip. The next chip to the right is labelled TNETV1057ZDW and is a SoC made by Texas Instruments. This is the CPU that runs the firmware for the phone. I was unable to obtain a datasheet for this, however I did manage to get hold of a datasheet for a TNETV1056 which is very similar, I don’t know the exact differences between the two but if you’re interested in hacking the chip the datasheet shows it has a JTAG interface.

You can download the datasheet here.

At the time of writing I had just bought 100 of these phones as a ‘job lot’ off eBay, they cost me £4 each and I am happy to sell them at cost. If you’re interested get in touch, you can either collect from High Wycombe, Buckinghamshire or I will post them at cost. Every phone I sell will be powered up and factory reset beforehand, they are what I would describe as “Class B” in that they may have minor signs of use but are generally in good condition, here’s a photo of one of them…

Upgrading the firmware

To upgrade the firmware you need to plug the phone into a network and power it up. You need to download the firmware from Cisco (it’s freely available) unzip it and put the .bin file onto a webserver. You then need to point your web browser at the phone’s IP address (you can find this from the “Network” menu on the phone). Click the “Admin Login” and “Advanced” buttons in the top right. There will now appear a “Provisioning” menu – click this. About halfway down the page there is a field called “Upgrade Rule:” enter the URL of the firmware you placed on the webserver here then click the “Submit All Changes” button. The phone will now download the firmware and upgrade – this can take several minutes, so be patient!

NOTE: If your phone’s current firmware is below version 7.5.2 then you must upgrade to 7.5.2b before you can upgrade to anything higher.

To save time I have placed the firmware on a webserver you can access, the URLs are:

http://p.telgw.uk/spa/spa50x-30x-7-5-2b.bin

http://p.telgw.uk/spa/spa50x-30x-7-6-2g.bin

Version 7.6.2 being the latest available on the Cisco site at the time of writing. This firmware was dated 2020 and as the devices are EOL (End Of Life) I think it unlikely Cisco will be producing any later versions.

The kit is quite straightforward to build, the only tools you will need are: fine tipped soldering iron, solder and a pair of small wire cutters.

Unfortunately the kit, as it stands is not designed particularly well, especially if you want to use it with a 5v system, such as an Arduino. The main problems that need addressing are:

1) The module is designed to be powered from between 3.3v and 4.5v. The kit contains a series diode and suggests you power it from 5v. A forward biased diode will drop approximately 0.7v this powering the module at 4.3v. Using a diode in this manner is not ideal and the data sheet advises the best voltage for the M599E module is 3.9v

2) The power rail for the module has a single 100uF capacitor, the data sheet advises additional capacitors to eliminate rf noise.

3) The serial data receive pin cannot have more than 3.3v applied to it, without risking damage to the module, but the kit simply brings the rxd line straight out to the header pins. It needs some additional circuitry if we are to connect it to a 5v / TTL system.

4) The serial data transmit pin again is brought straight out to the header. The data sheet advises a series resister to protect the module.

See figure 2 for the circuit diagram of the kit before modifications.

See figure 3 for the circuit diagram after modifications.

To address the first problem, I added an LM317 voltage regulator to the PCB to provide a regulated supply rail. This has the advantage that you can supply the board with any voltage between 6.25v and 44v. The disadvantage is that you cannot power it from 5v which many people may prefer due to the prevalence of low cost 5v power supplies. The LM317 loses between 1.5 and 2.25 volts across it at room temperature, depending on the current being pulled through it (see figure 4 taken from the datasheet).

I investigated using a low dropout (LDO) regulator, the LM1086 is a pin-compatible replacement that has a maximum of 1.3volts dropout at full load (1.5Amps) and only 1.0volts dropout at 500mA, so it could be used at a push as the M590 module only pulls high currents when it is transmitting and then only in short pulses. If you replace the 100uF capacitor on the PCB with a 1,000uF capacitor you could use an LDO regulator and supply it from 5volts. I have tested this successfully, I used the LM317 because it is cheaper and I intended powering it from a 12volt battery. Incidentally, the LM317 does not require a heatsink due to the intermittent nature of the higher current drawn by the M590 module.

The second issue was addressed by adding a 100nF ceramic capacitor across the 100uF capacitor.

The third issue was addressed by adding a diode and a pull up resistor (D2 & R5) in the second circuit diagram (Figure 3). If you use a surface mount device for R5 it can soldered directly between pins 6 & 7 on the LM590 module. Pin 6 outputs 2.85 volts when the module is running.

The fourth issue is solved by adding a 220R series resistor, R6. The datasheet suggests 200R but 220R is a more commonly available value and works just as well.

The modules I modified were to be used for remote data logging. An Arduino Nano was used to collect the data and sent the data on demand via SMS. I wrote a sketch that waits for a received SMS message, it then sends the current data back via SMS. I wanted the M590 modules to boot up as soon as power was applied, so I soldered the BOOT pin directly to GND. In this configuration the module will boot up as soon as power is applied.

Modification Details

Start by carefully cutting the TX & RX tracks with a Stanley knife:

Then add D2 (BAT42) and R6 (220R).

Now you can add C4 (100pF):

The LM317 adjustable voltage regulator goes in next:

Now add R3 (1k0) & R3 (2k2), followed by C3 (100nF):

Finally add C2 (100nF) across C1 and R5:

Testing

From the photo’s you can see that I modified a PCB that I had already built. My advice would be to do the modifications BEFORE building the PCB. Once you’ve done the mods, check the voltage on VBAT (pins 2 & 3 of the M590E module), it should be 4.0 volts (or very nearly).

Now you can add your SIM card, I use GiffGaff (www.giffgaff.co.uk) as they are about the cheapest you can get here in the UK.

I tested the unit by connecting it to my iMac via a TTL to USB board, available from ebay for a couple of pounds. The units default to 115200 baud. Try sending “AT” followed by a carriage return, you should see “OK” returned if all is well.

Once I had tested it was working on my Mac, I hooked it up to an Arduino Nano using the SoftwareSerial library (built into the core since v1.0). I found, by trial and error, that a baud rate of 38400 is about right: too high and the software serial library starts to miss characters, too low a rate and the Arduino spends too long in interrupts and the main loop is affected.

References:

neoway-m590-hardware-design-manual-v1

Neoway_M590_AT_Command_Sets_V3.0

I had been remotely logging in via SSH and doing the following to turn the power off on port 1:

configure terminal
interface FastEthernet1/0/1
power inline never
exit
exit

Then after a few seconds:

configure terminal
interface FastEhernet1/0/1
no power inline never
exit
exit

This got to be a real nuisance so I looked for something that I could script, SNMP seemed the logical choice. The first step is to configure a R/W community string on the switch:

configure terminal
snmp-server community MyCommunityString rw
exit
write memory

After a bit of digging I found the appropriate OID by using snmpwalk (here we assume my switch is on IP address 1.2.3.4):

snmpwalk -v2c -On -c MyCommunityString 1.2.3.4 1.3.6.1.2.1.105.1.1.1.3.1

My 24 port switch returned the following:

.1.3.6.1.2.1.105.1.1.1.3.1.3 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.4 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.5 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.6 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.7 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.8 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.9 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.10 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.11 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.12 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.13 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.14 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.15 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.16 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.17 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.18 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.19 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.20 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.21 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.22 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.23 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.24 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.25 = INTEGER: 1
.1.3.6.1.2.1.105.1.1.1.3.1.26 = INTEGER: 1

The port number go from .3 to .26 corresponding to the 24 FastEthernet ports.

The integer values need to be 1 to enable POE and 2 to disable it.

So using snmpset we can turn the power on port 1 off:

snmpset -v2c -c MyCommunityString 1.2.3.4 1.3.6.1.2.1.105.1.1.1.3.1.7 i 2

and back on again:

snmpset -v2c -c MyCommunityString 1.2.3.4 1.3.6.1.2.1.105.1.1.1.3.1.7 i 1

That’s it! Simple really. Adding the commands to a script I will leave to the imagination of the reader…

The reason for this is that the o/s removes and re-creates the /run/asterisk directory on reboot. The solution is to place a “RuntimeDirectory=” entry in the systemd service script:

/usr/lib/systemd/system/asterisk.service

The “RuntimeDirectory=” needs a directory name relative to /run so you can’t do this:

RuntimeDirectory=/run/asterisk

nor this:

RuntimeDirectory=/var/run/asterisk

You need to do this:

RuntimeDirectory=asterisk

Here is my fully working script (/usr/lib/systemd/system/asterisk.service):

[Unit]
Description=Asterisk PBX and telephony daemon.
Wants=network.target
After=network.target

[Service]
Type=simple
User=asterisk
Group=asterisk
RuntimeDirectory=asterisk
Environment=HOME=/var/lib/asterisk
WorkingDirectory=/var/lib/asterisk

ExecStart=/usr/sbin/asterisk -f -C /etc/asterisk/asterisk.conf
ExecStop=/usr/sbin/asterisk -rx 'core stop now'
ExecReload=/usr/sbin/asterisk -rx 'core reload'

# safe_asterisk emulation
Restart=always
RestartSec=10

#Nice=0
#UMask=0002
LimitCORE=infinity
#LimitNOFILE=

# Prevent duplication of logs with color codes to /var/log/messages
#StandardOutput=null

PrivateTmp=true

[Install]
WantedBy=multi-user.target

How to setup a single master with one or more readonly slaves

First configure the master by editing the mysql configuration file, this could be /etc/my.cnf or on Centos 7 it is /etc/my.cnf.d/server.cnf

Find the [server] section and add the following lines:

bind-address = 12.34.56.78 # replace 12.34.56.78 with the IP of your server
log_bin
server_id = 1
log_basename = master1
datadir = /var/lib/mysql
binlog-ignore-db = mysql

The binlog-ignore-db line tells the master not to replicate the ‘mysql’ database, you can add additional entries to not replicate other databases if you wish, e.g.

binlog-ignore-db = information_schema
binlog-ignore-db = performance_schema

Adding the following additional entries allows you to tweak the performance of your server:

max_allowed_packet=64M
max_heap_table_size = 64M
tmp_table_size = 128M
join_buffer_size = 128M
innodb_buffer_pool_size = 256M
innodb_doublewrite = OFF
innodb_additional_mem_pool_size = 128M
innodb_flush_log_at_timeout = 4
innodb_read_io_threads = 48
innodb_write_io_threads = 32
max_connections = 128

Following any changes to the config files you will need to restart MySQL (or MariaDB if you use that instead), so you would do one of the following:

systemctl restart mysqld
systemctl restart mariadb

Now login to your local MySQL server, e.g.

mysql -u root -p

Once logged into the MySQL CLI add a user that the slaves will use to replicate:

GRANT REPLICATION SLAVE ON *.* TO 'replication'@'1.2.3.4' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;

Replace 1.2.3.4 with the IP of your slave server. You can run the above command multiple times, once for each slave server. Remember to change ‘password’ to an actual password, a good choice would be 12 (or more) characters consisting of a random mix of upper/lowercase letters, numbers and punctuation characters.

Now we’re ready to take a backup of the master, for this you will need to open a second session on your master server. In the first session, still logged into the MySQL CLI issue the following commands:

FLUSH TABLES WITH READ LOCK;
SHOW MASTER STATUS;

You should see something along these lines:

+--------------------+----------+--------------+------------------+
| File               | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+--------------------+----------+--------------+------------------+
| master1-bin.000001 |   456    |              | mysql            |
+--------------------+----------+--------------+------------------+
1 row in set (0.00 sec)

Leave this session in place whilst you move to the second session to backup the databases you want to replicate by using your preferred method, e.g.

mysqldump -u root -p --all-databases > dump.sql

Now you can go back to the first window and release the lock:

UNLOCK TABLES;
QUIT;

Now copy this backup to your slave server(s). I use scp for this, e.g.

scp dump.sql username@12.34.56.78:.

Now login to the slave server and import the dumped databases:

mysql -u root -p < dump.sql

Now configure MySQL (or mariadb) to be a slave by editing it’s configuration file, e.g. /etc/my.cnf.d/server.cnf and add the following to the [server] section:

server-id = 2
datadir = /var/lib/mysql
relay-log = /var/lib/mysql/mysql-relay-bin.log
log_bin = /var/lib/mysql/mysql-bin.log

As per the master server, following any changes to the config files you will need to restart MySQL (or MariaDB if you use that instead), so you would do one of the following:

systemctl restart mysqld
systemctl restart mariadb

The next step is to login to the MySQL CLI and tell it where to find the master along with the login details and the starting position in the log:

CHANGE MASTER TO MASTER_HOST='12.34.56.78',MASTER_USER='replication', MASTER_PASSWORD='password', MASTER_LOG_FILE='master1-bin.000001', MASTER_LOG_POS=456;

The last thing we need to do is start the slave process, and check it is running. Do this by issuing the following commands on the slave MySQL CLI:

START SLAVE;
SHOW SLAVE STATUS\G

You can repeat the slave part on each server you want to setup replication, just remember to give each slave a different server_id

Setup the file structure:

mkdir /root/ca
cd /root/ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

Create a config file /root/ca/openssl.cnf

# OpenSSL root CA configuration file.
# Copy to `/root/ca/openssl.cnf`.

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = /root/ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
private_key       = $dir/private/ca.key.pem
certificate       = $dir/certs/ca.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = GB
stateOrProvinceName_default     = Buckinghamshire
localityName_default            = High Wycombe
0.organizationName_default      = The Communication Gateway Ltd
organizationalUnitName_default  = Main Office
emailAddress_default            = postmaster@comgw.co.uk

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

Now we can generate the root key:

openssl genrsa -aes256 -out private/ca.key.pem 4096
chmod 400 private/ca.key.pem

Create the root certificate:

openssl req -config openssl.cnf \
      -key private/ca.key.pem \
      -new -x509 -days 7300 -sha256 -extensions v3_ca \
      -out certs/ca.cert.pem
chmod 444 certs/ca.cert.pem

Verify the root certificate:

openssl x509 -noout -text -in certs/ca.cert.pem

Create the intermediate certificate:

mkdir /root/ca/intermediate
cd /root/ca/intermediate
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

Add a crlnumber file to the intermediate CA directory tree. crlnumber is used to keep track of certificate revocation lists:

echo 1000 > /root/ca/intermediate/crlnumber

Copy the intermediate CA configuration file: /root/ca/intermediate/openssl.cnf from the main one we created above and alter the following settings:

[ CA_default ]
dir             = /root/ca/intermediate
private_key     = $dir/private/intermediate.key.pem
certificate     = $dir/certs/intermediate.cert.pem
crl             = $dir/crl/intermediate.crl.pem
policy          = policy_loose

Create the intermediate key:

cd /root/ca
openssl genrsa -aes256 \
      -out intermediate/private/intermediate.key.pem 4096
chmod 400 intermediate/private/intermediate.key.pem

Create the intermediate certificate:
Use the intermediate key to create a certificate signing request (CSR). The details should generally match the root CA. The Common Name, however, must be different.

cd /root/ca
openssl req -config intermediate/openssl.cnf -new -sha256 \
      -key intermediate/private/intermediate.key.pem \
      -out intermediate/csr/intermediate.csr.pem

To create an intermediate certificate, use the root CA with the v3_intermediate_ca extension to sign the intermediate CSR. The intermediate certificate should be valid for a shorter period than the root certificate.

cd /root/ca
openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
      -days 3650 -notext -md sha256 \
      -in intermediate/csr/intermediate.csr.pem \
      -out intermediate/certs/intermediate.cert.pem
chmod 444 intermediate/certs/intermediate.cert.pem

The index.txt file is where the OpenSSL ca tool stores the certificate database. Do not delete or edit this file by hand. It should now contain a line that refers to the intermediate certificate.

Verify the intermediate certificate:

openssl x509 -noout -text \
      -in intermediate/certs/intermediate.cert.pem

Verify the intermediate certificate against the root certificate. An OK indicates that the chain of trust is intact.

openssl verify -CAfile certs/ca.cert.pem \
      intermediate/certs/intermediate.cert.pem

Create the certificate chain file:

cat intermediate/certs/intermediate.cert.pem \
      certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem

NOTE: Our certificate chain file must include the root certificate because no client application knows about it yet. A better option, particularly if you’re administrating an intranet, is to install your root certificate on every client that needs to connect. In that case, the chain file need only contain your intermediate certificate.

We can now sign client and server certificates!

Create a key:

cd /root/ca
openssl genrsa -aes256 \
      -out intermediate/private/www.example.com.key.pem 2048
chmod 400 intermediate/private/www.example.com.key.pem

If you don’t want a prompt for a password each time the certificate is used leave out the -aes256 parameter.

Create a certificate Signing Request:

cd /root/ca
openssl req -config intermediate/openssl.cnf \
      -key intermediate/private/www.example.com.key.pem \
      -new -sha256 -out intermediate/csr/www.example.com.csr.pem

Sign the CSR:

cd /root/ca
openssl ca -config intermediate/openssl.cnf \
      -extensions server_cert -days 375 -notext -md sha256 \
      -in intermediate/csr/www.example.com.csr.pem \
      -out intermediate/certs/www.example.com.cert.pem
chmod 444 intermediate/certs/www.example.com.cert.pem

Verify the certificate:

openssl x509 -noout -text \
      -in intermediate/certs/www.example.com.cert.pem

Verify the chain of trust:

openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \
      intermediate/certs/www.example.com.cert.pem

Deploy the certificate:
ca-chain.cert.pem
www.example.com.key.pem
www.example.com.cert.pem

Reference:
https://jamielinux.com/docs/openssl-certificate-authority/introduction.html

1. Just in case, remove sendmail and install postfix:

yum remove sendmail
yum install postfix

Make sure it starts on reboot:

systemctl enable postfix

Install amavis and clamav and make sure it starts on reboot:

yum install amvisd-new clamav clamav-scanner-systemd
systemctl enable amavisd

Fix the issue with clamd not starting:

cd /usr/lib/systemd/system
cp clamd\@scan.service clamd\@amavisd.service

systemctl start clamd@amavisd
systemctl enable clamd@amavisd
systemctl restart amavisd

Install OpenDKIM:

yum install opendkim

Create keys and check:

opendkim-default-keygen
cd /etc/opendkim/keys/
ll

Edit the following files:
/etc/opendkim.conf (Main configuration file for opendkim)
/etc/opendkim/KeyTable (Defines the path of private key for the domain)
/etc/opendkim/SigningTable (Tells OpenDKIM how to apply the keys)
/etc/opendkim/TrustedHosts (Defines which hosts are allowed to use keys)

If you’re just verifying incoming mail you don’t actually need to edit any of the above files, the defaults are fine.

Start and enable on reboot:

systemctl start opendkim
systemctl enable opendkim

Next you need to add the following lines to your Postfix main.cf

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

and restart Postfix.

Now we can install OpenDMARC:

yum install opendmarc

Edit the file /etc/opendmarc.conf and uncomment the line
# AuthservID name
and set “name” to the hostname of your server.

Now enable it on reboot and fire it up:

systemctl enable opendmarc
systemctl start opendmarc

Now we need to hook it into Postfix, just add the port in main.cf as for opendkim above, i.e. the line in main.cf should now read:

smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893

This will pass incoming mail through OpenDKIM first, then OpenDMARC.

It’s a good idea to enable the PublicSuffixList in the opendmarc.conf file and create a weekly cronjob to keep the list up to date, so create the file /etc/cron.weekly/opendmarc

#!/bin/sh
#
#Get latest effective_tld_names for OpenDMARC
/usr/bin/wget --no-check-certificate -q -N -P /etc/opendmarc https://publicsuffix.org/list/effective_tld_names.dat

and restart Postfix.

Remove any existing packages:

yum remove maria*

Update:

yum update

Add the official repo for MariaDB by creating the file /etc/yum.repos.d/MariaDB.repo

[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

Now install MariaDB:

yum install -y MariaDB-server MariaDB-client MariaDB-compat galera socat jemalloc

Setup MariaDB:

systemctl start mariadb
mysql_secure_installation
systemctl stop mariadb

To generate the CA certificate:

openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

To generate the server certificate, remove passphrase, and sign it:

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial -1 -out server-cert.pem

(Optional) To generate the client certificate, remove passphrase, and sign it:

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

Edit the file: /etc/my.cnf.d/server.cnf

[sst]
encrypt=4
ssl-ca=/etc/pki/ca.pem
ssl-cert=/etc/pki/server-cert.pem
ssl-key=/etc/pki/server-key.pem

[galera]
wsrep_on=ON
wsrep_provider=/usr/lib64/galera/libgalera_smm.so
wsrep_cluster_address='gcomm://a.a.a.a,b.b.b.b,c.c.c.c'
wsrep_cluster_name='cluster.name'
wsrep_node_address='10.0.0.11'
wsrep_node_name='node1'
wsrep_sst_method=rsync
wsrep_sst_receive_address='x.x.x.x'
wsrep_provider_options='socket.ssl_key=/etc/pki/server-key.pem;socket.ssl_cert=/etc/pki/server-cert.pem;socket.ssl_ca=/etc/pki/ca.pem;evs.inactive_timeout=PT45S;evs.install_timeout=PT45S;evs.keepalive_period=PT3S;evs.max_install_timeouts=8;evs.send_window=512;evs.suspect_timeout=PT30S;evs.user_send_window=256;'
binlog_format=row
default_storage_engine=InnoDB
innodb_autoinc_lock_mode=2

In the file above the line “wsrep_sst_receive_address=’x.x.x.x'” is required if any of the nodes are behind a NAT router on private IP addresses, where x.x.x.x is the public IP address of the router. Without this SST donors will try to send snapshot data to the nodes private IP address which will invariably fail.

The “wsrep_provider_options” are tailored to for nodes that talk to each other over a WAN (i.e. the internet). If your nodes are all on the same LAN then you can leave this option out completely – it adjusts some timeout default values to better cope with varying connectivity quality across a WAN.

Start the primary node:

galera_new_cluster

Start the other nodes:

systemctl start mariadb

Login to any of the nodes and check status:

show status like 'wsrep%';

Put wiki into readonly mode by editing the LocalSettings.php file and adding the line:

$wgReadOnly = 'Wiki is currently undergoing maintenance, as a result it is in read only mode for a while';

Backup the SQL database, e.g. mysqldump -h host -u wiki -p wiki > wiki.sql

Backup the entire wiki folder:

mkdir backups/20170218
cp -rp http/* backups/20170218/.

Download latest version of MediaWiki from www.mediawiki.org/wiki/Download e.g.

wget https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.2.tar.gz

Unpack the file over the existing installation:

tar zxvf mediawiki-1.28.2.tar.gz -C http/w --strip-components=1

Now run the update:

cd http/w/maintenance
php update.php

Don’t forget to take it out of readonly mode by removing or commenting out the $wgReadOnly line in LocalSettings.php