INFO-VAX    Tue, 03 Jul 2007    Volume 2007 : Issue 360

Contents:
  "Working Knowledge of UNIX, VMS, OS/400, VM/CMS, and MVS."
  Backup problem
  Re: Backup problem
  Re: Backup problem
  COBOL programmer wanted in the UK Hertfordshire
  Re: creating firmware floppies on FreeBSD or VMS
  Re: creating firmware floppies on FreeBSD or VMS
  Re: expanding shadow size
  Re: expanding shadow size
  Re: expanding shadow size
  Re: expanding shadow size
  Re: expanding shadow size
  Re: expanding shadow size
  Installing 8.3 on DS10L
  RE: OpenVMS - When downtime is not an option
  Re: OpenVMS - When downtime is not an option
  SAMBA External Field Test Announcement
  Re: SAMBA External Field Test Announcement
  Re: SSH newbie question
  Re: SSH newbie question
  Re: SSH newbie question
  Re: TCPIP$GET_MX: getmxrr() failed
  Re: TCPIP$GET_MX: getmxrr() failed
  Re: TCPIP$GET_MX: getmxrr() failed
  Re: TCPIP$GET_MX: getmxrr() failed
  Re: TCPIP$GET_MX: getmxrr() failed
  Re: TCPIP$GET_MX: getmxrr() failed
  Re: TCPIP$GET_MX: getmxrr() failed
  Re: TCPIP$GET_MX: getmxrr() failed
  Re: TCPIP$GET_MX: getmxrr() failed
  Re: TCPIP$GET_MX: getmxrr() failed
  Re: TCPIP$GET_MX: getmxrr() failed
  Re: TCPIP$GET_MX: getmxrr() failed
  RE: Ten years ago...
  Updated TCO study has OpenVMS AGAIN over AIX, Slowaris
  Re: Updated TCO study has OpenVMS AGAIN over AIX, Slowaris
  Re: Updated TCO study has OpenVMS AGAIN over AIX, Slowaris
  Re: Updated TCO study has OpenVMS AGAIN over AIX, Slowaris
  Re: VMS security vulnerability (POP server)
  Re: VMS security vulnerability (POP server)
  Re: VMSclusters and data replication
  Re: VMSclusters and data replication
  RE: VMSclusters and data replication
  Re: VMSclusters and data replication
  Re: What is a CT-ADP80-AA?
  Re: What is a CT-ADP80-AA?
  Re: What is a CT-ADP80-AA?

----------------------------------------------------------------------

Date: Tue, 03 Jul 2007 07:52:23 -0800
From: "C.W.Holeman II"
Subject: "Working Knowledge of UNIX, VMS, OS/400, VM/CMS, and MVS."
Message-ID: <138koki5hsdpjb0@corp.supernews.com>

I came across this:

http://www.snee.com/bob/opsys.html

> "Working Knowledge of UNIX, VMS, OS/400, VM/CMS, and MVS."
> (I wanted to call it "Fake Your Way Through Minis and Mainframes," but
> McGraw-Hill wanted something that sounded more respectable.)
> Formerly a $49.50 hardcover from McGraw-Hill; now a set of Acrobat
> files free for you to download!

--
C.W.Holeman II | cwhii@Julian5Locals.com-5 http://JulianLocals.com/cwhii
To only a fraction of the human race does God give the privilege of
earning one's bread doing what one would have gladly pursued free, for
passion. I am very thankful. The Mythical Man-Month Epilogue/F.P.Brooks

------------------------------

Date: Tue, 03 Jul 2007 09:08:14 -0700
From: "Tom Linden"
Subject: Backup problem
Message-ID:

I was trying to backup a directory for commencing some modifications. Both
src and target are ODS-5 volumes and whether I set /PARSE-EXTENDED or not
the results are the same.

ODIN> back/ignore=interlock DISK$COMMON:[moin...] dsa11:[moin...]
%BACKUP-E-OPENOUT, error opening DSA11:[moin]moin-1^.5^.7-py2^.5.egg-info;1 as output
-RMS-E-CRE, ACP file create failed
-SYSTEM-W-BADFILEVER, bad file version number

Any idea what this all about?

--
PL/I for OpenVMS
www.kednos.com

------------------------------

Date: Tue, 03 Jul 2007 09:33:13 -0700
From: Volker Halle
Subject: Re: Backup problem
Message-ID: <1183480393.813726.81720@n60g2000hse.googlegroups.com>

Tom,

which version of OpenVMS and which BACKUP patch kit ?

I can successfully do this on OpenVMS Alpha V8.2 whether I set parse-
style extended or traditional:

$ back/log/ign=inter/sin *.* dsa64:
%BACKUP-S-CREDIR, created directory DSA64:[TEMP]
%BACKUP-S-CREATED, created DSA64:[TEMP]moin-1^.5^.7-py2^.5.egg-info;1

Volker.

------------------------------

Date: Tue, 03 Jul 2007 10:28:24 -0700
From: "Tom Linden"
Subject: Re: Backup problem
Message-ID:

On Tue, 03 Jul 2007 09:33:13 -0700, Volker Halle wrote:

> Tom,
>
> which version of OpenVMS and which BACKUP patch kit ?
>
> I can successfully do this on OpenVMS Alpha V8.2 whether I set parse-
> style extended or traditional:
>
> $ back/log/ign=inter/sin *.* dsa64:
> %BACKUP-S-CREDIR, created directory DSA64:[TEMP]
> %BACKUP-S-CREATED, created DSA64:[TEMP]moin-1^.5^.7-py2^.5.egg-info;1
>
>
> Volker.
>

I tried on both 8.2 and 8.3. This is the only patch since 8.3 was installed

DEC AXPVMS VMS83A_UPDATE V1.0 Patch Install Val 26-FEB-2007

--
PL/I for OpenVMS
www.kednos.com

------------------------------

Date: Tue, 3 Jul 2007 14:37:46 +0100
From: "bob"
Subject: COBOL programmer wanted in the UK Hertfordshire
Message-ID: <1183469879.15077.0@proxy01.news.clara.net>

------------------------------

Date: Tue, 3 Jul 2007 16:38:13 +0100
From: Anton Shterenlikht
Subject: Re: creating firmware floppies on FreeBSD or VMS
Message-ID: <20070703153812.GA62454@mech-aslap33.men.bris.ac.uk>

On Thu, Jun 28, 2007 at 12:27:58PM -0700, IanMiller wrote:
> I see The Hoff is not in favour of firmware upgrades by floppy
> http://64.223.189.234/node/385

thanks a lot, I burned a cd in the end, could not buy an official HP one,
nobody wanted to sell me one.

One related question: I've two ds10l, one of which has
DS-KGPSA-DA (2Gb fibre hba). On that box
the LFU updated the pga firmware as well. Does this mean that
there is some nvram on the fibre card that was updated?
Is the fibre firmware upgrade performed only if a fibre hba is detected?
If I want to add a fibre card to the other box, where I just upgraded the
firmware, do I have to rerun the upgrade for the fibre?

thanks
anton

--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 928 8233
Fax: +44 (0)117 929 4423

------------------------------

Date: Tue, 03 Jul 2007 08:53:37 -0700
From: "Tom Linden"
Subject: Re: creating firmware floppies on FreeBSD or VMS
Message-ID:

On Tue, 03 Jul 2007 08:38:13 -0700, Anton Shterenlikht wrote:

> On Thu, Jun 28, 2007 at 12:27:58PM -0700, IanMiller wrote:
>> I see The Hoff is not in favour of firmware upgrades by floppy
>> http://64.223.189.234/node/385
>
> thanks a lot, I burned a cd in the end, could not buy an official HP one,
> nobody wanted to sell me one.
>
> One related question: I've two ds10l, one of which has
> DS-KGPSA-DA (2Gb fibre hba). On that box
> the LFU updated the pga firmware as well. Does this mean that
> there is some nvram on the fibre card that was updated?

Yes

> Is the fibre firmware upgrade performed only if a fibre hba is detected?

Yes

> If I want to add a fibre card to the other box, where I just upgraded the
> firmware, do I have to rerun the upgrade for the fibre?

Yes, if that card hasn't been updated
Took a copy of last time I updated such a card, which you might find useful

>
> thanks
> anton
>

UPD> list

Device         Current Revision    Filename          Update Revision

nt             5.70                nt_fw             5.71
pga0           DS3.20X3            kgpsa_8k_fw       DS3.92A2
srm            5.7-8               srm_fw            6.8-9
                                   cipca_fw          A420
                                   dfxaa_fw          3.20
                                   fca_2354_fw       CS3.92A2
                                   fca_2384_fw       HS1.81A5
                                   fca_2684_fw       TS1.81A5
                                   kgpsa_7k_fw       SS3.20X7
                                   kzpdc_fw          3.40
                                   kzpsa_fw          A12

UPD> update

Confirm update on:
nt
pga0
srm
[Y/(N)]y

WARNING: updates may take several minutes to complete for each device.

DO NOT ABORT!

nt      Updating to 5.71... Verifying 5.71... PASSED.
pga0    Updating to DS3.92A2... Verifying DS3.92A2... PASSED.
srm     Updating to 6.8-9... Verifying 6.8-9... PASSED.

UPD> list

Device         Current Revision    Filename          Update Revision

nt             5.71                nt_fw             5.71
pga0           DS3.92A2            kgpsa_8k_fw       DS3.92A2
srm            6.8-9               srm_fw            6.8-9
                                   cipca_fw          A420
                                   dfxaa_fw          3.20
                                   fca_2354_fw       CS3.92A2
                                   fca_2384_fw       HS1.81A5
                                   fca_2684_fw       TS1.81A5
                                   kgpsa_7k_fw       SS3.20X7
                                   kzpdc_fw          3.40
                                   kzpsa_fw          A12

UPD>exit

Initializing....
*** keyboard not plugged in...
256 Meg of system memory
probing hose 0, PCI
probing PCI-to-ISA bridge, bus 1
bus 0, slot 9 -- ewa -- DE500-BA Network Controller
bus 0, slot 11 -- ewb -- DE500-BA Network Controller
bus 0, slot 13 -- dqa -- Acer Labs M1543C IDE
bus 0, slot 13 -- dqb -- Acer Labs M1543C IDE
bus 0, slot 17 -- pga -- KGPSA-C
initializing GCT/FRU at ff42000
ewa0: link up : Negotiated 100BaseTX: full duplex
ewb0: link up : Negotiated 100BaseTX: full duplex
pga0.0.0.17.0 - Nvram read failed.
open fibre pga0.0.0.17.0
Testing the System
Testing the Disks (read only)
Testing ew* devices.
System Temperature is 38 degrees C
AlphaServer DS10 466 MHz Console V6.8-9, Jul 30 2004 09:36:47
>>> wwidmgr -set adapter -item 9999 -topo fabric
bus 0, slot 17 -- pga -- KGPSA-C
>>> wwidmgr -show ada
pga0.0.0.17.0 Link is down.
item     adapter          WWN                   Cur. Topo   Next Topo
[ 0]     pga0.0.0.17.0    2000-0000-c921-f8c6   FABRIC      FABRIC
[9999] All of the above.

--
PL/I for OpenVMS
www.kednos.com

------------------------------

Date: Tue, 3 Jul 2007 08:41:31 +0200
From: "Klaus-D. Bohn"
Subject: Re: expanding shadow size
Message-ID: <4689ef96$0$27557$9b622d9e@news.freenet.de>

"Bob Gezelter" wrote in message
news:1183286512.476461.48610@n2g2000hse.googlegroups.com...
>
> David J Dachtera wrote:
> > Bob Gezelter wrote:
> > >
> > > On Jun 29, 8:55 pm, David J Dachtera
> > > wrote:
> > > > "Klaus-D. Bohn" wrote:
> > > >
> > > > > Hello all together,
> > > >
> > > > > I have an existing problem with a shadow disk. I would like to increase the
> > > > > shadow size without to dismount all the shadow members.
> > > > > [snip]
> > > > > What must i do to get the full volume size 17773524?
> > > >
> > > > As Hoff pointed out, can't be done without downtime.
> > > >
> > > > You'll need to negotiate a scheduled downtime with your customer. Be sure to
> > > > explain that this is necessary if they want to realize the desired benefit.
> > >
> > > David,
> > >
> > > A small note on the comment about downtime.
> > >
> > > If all that is needed is the SET VOLUME/LIMIT command, it is almost
> > > wrong to call it downtime. Planned properly (and executed with a
> > > command file) the downtime is limited to the availability of that
> > > volume for a matter of seconds. It will take longer to restart those
> > > applications that cannot quiesce and reacquire a file than it will
> > > take to do the actual change. It is, in my experience, far shorter
> > > than even a reboot (and if this is a data disk and not involved in the
> > > actual running of the cluster) will not be needed.
> > >
> > > It is true that even such a "blip" is a downtime, and needs to be
> > > handled appropriately, but there is a large difference between such a
> > > "blip" and a multi-hour downtime. Indeed, depending on what data is
> > > involved, it may not even meet the organization's definition of
> > > critical information, at least on the scale of a few minutes.
> > >
> > > Just my US$ 0.02 to ensure a clean record of the discussion.
> > >
> > Well, it's generally considered that "downtime" means the application is not
> > available to the users, regardless of the cause.
> >
> > Large applications - and their underlying software infrastructure (databases,
> > etc.) can, indeed, impose extensive periods of unavailability just to allow a
> > single volume to be DISMOUNTed, MOUNTed privately, prepared for DVE, then
> > DISMOUNTed and reMOUNTed back to the system so that the software layers can be
> > restarted in the proper order. In my case, at work, it's two(2) hours, minimum.
> >
> > The OP simply stated that his client is downtime averse in that they will not
> > allow the steps needed to permit this.
> >
> > Hence, my comment, as it was.
> >
> > --
> > David J Dachtera
> > dba DJE Systems
> > http://www.djesys.com/
> >
> > Unofficial OpenVMS Marketing Home Page
> > http://www.djesys.com/vms/market/
> >
> > Unofficial Affordable OpenVMS Home Page:
> > http://www.djesys.com/vms/soho/
> >
> > Unofficial OpenVMS-IA32 Home Page:
> > http://www.djesys.com/vms/ia32/
> >
> > Unofficial OpenVMS Hobbyist Support Page:
> > http://www.djesys.com/vms/support/
>
> David,
>
> Indeed. I have seen many systems where the minimum interruption is
> measured in hours. Then again, I have seen many environments, where
> that is not true. I have also seen many environments where the
> question is nuanced, in terms of which data is being spoken of.
>
> I posted the comment not to belittle the downtime issue but to
> emphasize the importance of treating it as a quantitative, not a
> qualitative question.
>
> When I am involved in design or modification of a system, I generally
> try to reduce the need for interruptions, and the impact of the
> inevitable disruptions that do occur, but I digress.
>
> Herr Bohn's original request does indeed refer to the fact that his
> client is downtime adverse, but I do not see any detailed background
> information upon which to judge the question of what degree of
> sensitivity this particular disk volume has. Thus my comment about the
> "blip" versus "downtime".
>
> IMHO, there is a significant difference between a blip on the order of
> seconds, done under the control of a script that once initiated,
> dismounts the volume, remounts the volume as private, does the needed
> SET VOLUME command, dismounts the volume, and remounts the volume to
> the cluster; and a multi-hour operation using BACKUP to save and
> restore the contents.
> Also note that since the MOUNTs are orderly
> (each following a controlled DISMOUNT rather than a crash), there will
> not be an extensive delay while rebuilding the data structures.
>
> Have I seen this situation in production environments that must
> otherwise maintain 24x7 availability: YES. An example is archives of
> online bills and statements. They frequently grow on an ongoing basis.
> However, they often do not grow on a minute to minute basis. It is
> often possible to prevent additions to the volume, interrupt access to
> the archive, and then re-allow access to the archive without ever
> having even interrupted the 24x7 parts of the application.
>
> In the end analysis, it is important to understand (and even more
> important to research in detail) each situation. I have seen far too
> many sites where the unverified presumption has been that if a volume
> is mounted at startup, it must be available continuously, forever.
>
> - Bob Gezelter, http://www.rlgsc.com
>

Sorry for the delay!

Now, i have the result (private mount with limit) on my test system:

$ sh dev dsa2

Device                  Device           Error    Volume         Free  Trans Mnt
 Name                   Status           Count     Label        Blocks Count Cnt
DSA2:                   Mounted              0  TEST           8337680     1   1
$5$DKD200:    (IDEFIX)  ShadowSetMember      0  (member of DSA2:)
$ set volume/size DSA2:
$ sh dev dsa2

Device                  Device           Error    Volume         Free  Trans Mnt
 Name                   Status           Count     Label        Blocks Count Cnt
DSA2:                   Mounted              0  TEST          17717856     1   1
$5$DKD200:    (IDEFIX)  ShadowSetMember      0  (member of DSA2:)
$

Buuuuuuuuuuuuut what is about the availability? That disk is a common disk
in a high availability cluster. We must do a cluster shutdown to expand the
volume size? What is that? At this point i can't understand OpenVMS (high
availability, scalability, flexibility, and so on). Sorry, that is very
crazy and not acceptable.

Klaus

------------------------------

Date: Tue, 3 Jul 2007 09:28:58 +0000 (UTC)
From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply)
Subject: Re: expanding shadow size
Message-ID:

In article <4689ef96$0$27557$9b622d9e@news.freenet.de>, "Klaus-D. Bohn"
writes:

> Buuuuuuuuuuuuut what is about the availability? That disk is a common disk
> in a high availability cluster. We must do a cluster shutdown to expand the
> volume size? What is that? At this point i can't understand OpenVMS (high
> availability, scalability, flexibility, and so on). Sorry, that is very
> crazy and not acceptable.

Think about it. You are changing something very low-level in the disk
structure. I think it is OK to accept some down-time for this,
especially since this is a relatively new feature of VMS. (If it was
available from day one, perhaps it could have been implemented without
down-time.)

Note: I have not yet done this. SET VOLUME/LIMIT requires the private
MOUNT. I don't think SET VOLUME/SIZE does (at least this is not
mentioned in HELP, whereas it is for /LIMIT). Assume this is correct.

Get a NEW DISK. Use SET VOLUME/SIZE and perhaps SET VOLUME/LIMIT to get
it to the size you want. (If I understand correctly, with a cluster
size of more than 8 the limit is set to the default of 1 TB, which is
also the maximum.) "Size you want" should be the CURRENT size of the
shadow set. Now, add this shadow set to the current shadow set (full
copy); if the current shadow set already has 3 members, drop 1 (just
dismount the physical disk; no shutdown or whatever needed) and add in
the new one with a full copy. Now, get another NEW DISK and set it to
the same size. When the shadow copy completes, drop the old disk from
the shadow set and add this new disk with a full copy. (For a
three-member shadow set, repeat the previous two steps.) Now, use SET
VOLUME/SIZE to go to the new size.

------------------------------

Date: Tue, 3 Jul 2007 09:32:08 +0000 (UTC)
From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply)
Subject: Re: expanding shadow size
Message-ID:

In article , helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove
CLOTHES to reply) writes:
> In article <4689ef96$0$27557$9b622d9e@news.freenet.de>, "Klaus-D. Bohn"
> writes:
>
> > Buuuuuuuuuuuuut what is about the availability? That disk is a common disk
> > in a high availability cluster. We must do a cluster shutdown to expand the
> > volume size? What is that? At this point i can't understand OpenVMS (high
> > availability, scalability, flexibility, and so on). Sorry, that is very
> > crazy and not acceptable.
>
> Think about it. You are changing something very low-level in the disk
> structure. I think it is OK to accept some down-time for this,
> especially since this is a relatively new feature of VMS. (If it was
> available from day one, perhaps it could have been implemented without
> down-time.)
>
> Note: I have not yet done this. SET VOLUME/LIMIT requires the private
> MOUNT. I don't think SET VOLUME/SIZE does (at least this is not
> mentioned in HELP, whereas it is for /LIMIT). Assume this is correct.

If this assumption is correct, then you can do what you want without
down-time to the cluster. You do need "down-time" for the disk, but if
it is a new disk, this doesn't matter.

------------------------------

Date: Tue, 03 Jul 2007 09:37:10 -0500
From: David J Dachtera
Subject: Re: expanding shadow size
Message-ID: <468A5F16.43936C88@spam.comcast.net>

"Klaus-D. Bohn" wrote:
> [snip]
> Sorry for the delay!
>
> Now, i have the result (private mount with limit) on my test system:
>
> $ sh dev dsa2
>
> Device                  Device           Error    Volume         Free  Trans Mnt
>  Name                   Status           Count     Label        Blocks Count Cnt
> DSA2:                   Mounted              0  TEST           8337680     1   1
> $5$DKD200:    (IDEFIX)  ShadowSetMember      0  (member of DSA2:)
> $ set volume/size DSA2:
> $ sh dev dsa2
>
> Device                  Device           Error    Volume         Free  Trans Mnt
>  Name                   Status           Count     Label        Blocks Count Cnt
> DSA2:                   Mounted              0  TEST          17717856     1   1
> $5$DKD200:    (IDEFIX)  ShadowSetMember      0  (member of DSA2:)
> $
>
> Buuuuuuuuuuuuut what is about the availability? That disk is a common disk
> in a high availability cluster. We must do a cluster shutdown to expand the
> volume size? What is that? At this point i can't understand OpenVMS (high
> availability, scalability, flexibility, and so on).

Well, understand a few things here:

1. The point is to get the volume into a condition where all the application
files are closed and the volume can be DISMOUNTed temporarily. So, it's not
strictly a VMS issue.

2. *ALL* the cluster members who have that volume MOUNTed know about its
CURRENT characteristics. No current o.s. is architected to allow such data to
"change on the fly" while a volume is MOUNTed. Don't believe me? See what it
takes to do DVE on UN*X, for example.

3. A "cluster shutdown" is not necessary - only the application(s) whose
file(s) are on that volume and are currently open. This includes, by the way,
INSTALLed images.

4. Properly prepared (during scheduled downtime or at volume INITIALIZE-ation
time), all volumes can be expanded (but not contracted!) in uptime, even
without HBVS. It's the preparation that needs to be done properly and in an
isolated, controlled environment.

> Sorry, that is very crazy and not acceptable.

Show me a current system that does what you want the way you want it to
happen.

Hope this helps.

--
David J Dachtera
dba DJE Systems
http://www.djesys.com/

Unofficial OpenVMS Marketing Home Page
http://www.djesys.com/vms/market/

Unofficial Affordable OpenVMS Home Page:
http://www.djesys.com/vms/soho/

Unofficial OpenVMS-IA32 Home Page:
http://www.djesys.com/vms/ia32/

Unofficial OpenVMS Hobbyist Support Page:
http://www.djesys.com/vms/support/

------------------------------

Date: Tue, 03 Jul 2007 09:58:58 -0700
From: Malcolm Dunnett
Subject: Re: expanding shadow size
Message-ID: <468A8052.5080903@spammers.are.scum>

Klaus-D. Bohn wrote:
> Buuuuuuuuuuuuut what is about the availability? That disk is a common disk
> in a high availability cluster. We must do a cluster shutdown to expand the
> volume size? What is that? At this point i can't understand OpenVMS (high
> availability, scalability, flexibility, and so on). Sorry, that is very
> crazy and not acceptable.
>

I suppose the short answer is that if you'd thought ahead and set the
volume expansion limit at the time the volume was created you wouldn't
have to shut anything down to expand the volume now.

I wonder why the INIT command doesn't by default set the volume
expansion limit to be the maximum allowable by the clustersize. Is there
a penalty in doing so (other than a few blocks in the bitmap?)

------------------------------

Date: Tue, 03 Jul 2007 10:17:01 -0700
From: AEF
Subject: Re: expanding shadow size
Message-ID: <1183483021.187178.143690@g4g2000hsf.googlegroups.com>

On Jul 3, 5:28 am, hel...@astro.multiCLOTHESvax.de (Phillip Helbig---
remove CLOTHES to reply) wrote:
> In article <4689ef96$0$27557$9b622...@news.freenet.de>, "Klaus-D. Bohn"
>
> writes:
> > Buuuuuuuuuuuuut what is about the availability? That disk is a common disk
> > in a high availability cluster. We must do a cluster shutdown to expand the
> > volume size? What is that? At this point i can't understand OpenVMS (high
> > availability, scalability, flexibility, and so on). Sorry, that is very
> > crazy and not acceptable.
>
> Think about it. You are changing something very low-level in the disk
> structure. I think it is OK to accept some down-time for this,
> especially since this is a relatively new feature of VMS. (If it was
> available from day one, perhaps it could have been implemented without
> down-time.)
>
> Note: I have not yet done this. SET VOLUME/LIMIT requires the private
> MOUNT. I don't think SET VOLUME/SIZE does (at least this is not
> mentioned in HELP, whereas it is for /LIMIT). Assume this is correct.
>
> Get a NEW DISK. Use SET VOLUME/SIZE and perhaps SET VOLUME/LIMIT to get
> it to the size you want. (If I understand correctly, with a cluster
> size of more than 8 the limit is set to the default of 1 TB, which is
> also the maximum.) "Size you want" should be the CURRENT size of the
> shadow set. Now, add this shadow set to the current shadow set (full
> copy); if the current shadow set already has 3 members, drop 1 (just

Maybe I'm missing something, but won't the full copy operation
overwrite everything on the NEW DISK, including the SET VOLUME/LIMIT
effects?

> dismount the physical disk; no shutdown or whatever needed) and add in
> the new one with a full copy. Now, get another NEW DISK and set it to
> the same size. When the shadow copy completes, drop the old disk from
> the shadow set and add this new disk with a full copy. (For a
> three-member shadow set, repeat the previous two steps.) Now, use SET
> VOLUME/SIZE to go to the new size.

AEF

------------------------------

Date: Tue, 03 Jul 2007 10:37:34 -0700
From: "Tom Linden"
Subject: Installing 8.3 on DS10L
Message-ID:

I am trying to install on a disk in an HSG80. When prompted for a device
I am given following options, but am missing the drive onto which I wish
to install

Enter device name for target disk: (? for choices) ?

Device                  Device           Error    Volume         Free  Trans Mnt
 Name                   Status           Count     Label        Blocks Count Cnt
DAD0:                   Online               0
DQA0:                   Offline              1
DQA1:                   Offline              1
DQB0:                   Mounted wrtlck       0  ALPHA083          7965    87   1
DQB1:                   Offline              1
DVA0:                   Online               0
$1$DGA1:      ()        Online               0
$1$DGA2:      ()        Online               0
$1$DGA3:      ()        Online               0
$1$DGA4:      ()        Online               0
$1$DGA5:      ()        Online               0
$1$DGA6:      ()        Online               0
$1$DGA7:      ()        Online               0
$1$DGA8:      ()        Online               0
$1$DGA9:      ()        Online               0
$1$DGA10:     ()        Online               0

This is not picking up $1$DGA11:
What do I need to do here?

Seen from the cluster I have

ODIN> sho dev dg

Device                  Device           Error    Volume         Free  Trans Mnt
 Name                   Status           Count     Label        Blocks Count Cnt
$1$DGA1:      (ODIN)    ShadowSetMember      0  (member of DSA1:)
$1$DGA2:      (ODIN)    ShadowSetMember      0  (member of DSA1:)
$1$DGA3:      (ODIN)    ShadowSetMember      0  (member of DSA2:)
$1$DGA4:      (ODIN)    ShadowSetMember      0  (member of DSA2:)
$1$DGA5:      (ODIN)    ShadowSetMember      0  (member of DSA11:)
$1$DGA6:      (ODIN)    ShadowSetMember      0  (member of DSA11:)
$1$DGA7:      (ODIN)    ShadowSetMember      0  (member of DSA0:)
$1$DGA8:      (ODIN)    ShadowSetMember      0  (member of DSA0:)
$1$DGA9:      (ODIN)    ShadowSetMember      0  (member of DSA12:)
$1$DGA10:     (ODIN)    ShadowSetMember      0  (member of DSA12:)
$1$DGA11:     (ODIN)    Online               0

where $1$DGA11 is a striped mirror set seen from the controller

HSG80-TOP>sho stripe
Name          Storageset                     Uses             Used by
------------------------------------------------------------------------------

DVGRPSM0      stripeset                      MIRR_0           D11
                                             MIRR_1

HSG80-TOP>sho mirror
Name          Storageset                     Uses             Used by
------------------------------------------------------------------------------

MIRR_0        mirrorset                      DISK50000        DVGRPSM0
                                             DISK60200

MIRR_1        mirrorset                      DISK30300        DVGRPSM0
                                             DISK40000

--
PL/I for OpenVMS
www.kednos.com

------------------------------

Date: Tue, 3 Jul 2007 08:50:08 -0400
From: "Main, Kerry"
Subject: RE: OpenVMS - When downtime is not an option
Message-ID:

> -----Original Message-----
> From: Bill Todd [mailto:billtodd@metrocast.net]
> Sent: July 2, 2007 8:25 PM
> To: Info-VAX@Mvb.Saic.Com
> Subject: Re: OpenVMS - When downtime is not an option
>
>
> david20@alpha2.mdx.ac.uk wrote:
> > In article dnViYMsHBaRrbnZ2dnUVZ_v6tnZ2d@metrocastcablevision.com>, Bill Todd writes:
> >> JF Mezei wrote:
> >>> Bill Todd wrote:
> >>>> Please explain exactly how a virus, trojan, or worm can infect a
> >>>> server via any legitimate use of email on that server.
> >>> Over the years, there have been plenty of patches issued to prevent such
> >>> things from happening on many of the unix SMTP servers. (think buffer
> >>> overflow with a TO FROM etc that are way too long and contain code).
> >> You're as welcome as Paul is to provide a *specific* example of such an
> >> exposure in a current Windows environment, JF. Otherwise, stop blowing
> >> the same kind of hot air that Kerry so often does: it's not responsive
> >> to the challenge that I posed (but then hot air never is, is it).
> >>
> >
> > Since in this instance we are talking SMTP servers the Microsoft equivalent is
> > Exchange.
> > The last such vulnerability was in May.
> > See http://www.microsoft.com/technet/security/bulletin/ms07-026.mspx
> >
> > in particular the MIME decoding vulnerability CVE-2007-0213
> >
> > Note. That particular patch also fixes a couple of denial of services
> > vulnerabilities in IMAP and the calendar service.
> > The calendar services works by sending emails with vCal or iCal properties
> > and that had a critical remotely exploitable vulnerability in May 2006
> > see http://www.microsoft.com/technet/security/bulletin/ms06-019.mspx
>
> I already discussed the above at length elsewhere, so won't replicate
> that content here.
>
> >
> > Of course this only affects you if your server is running Exchange.
>
> Exactly: they are *Exchange* bugs, not *Windows* bugs.
> My comment to JF certainly admits your response, but its intent was that
> neither email server operation nor end-user email use should be able to
> compromise the integrity of the server *OS* (because OS stability is what
> has been under discussion here).
>

[snip ..]

Ok, perhaps you could shed some light on the above.

If the design and/or architecture of the OS platform allows an
application bug to provide access to protected data and/or provides
elevated rights on the system, does it matter if it is an application or
kernel OS issue?

How does the end result (compromised system) differ from a kernel issue?

Do you think a hacker or worm or Trojan cares about if it is an
application or kernel issue?

Regards

Kerry Main
Senior Consultant
HP Services Canada
Voice: 613-592-4660
Fax: 613-591-4477
kerryDOTmainAThpDOTcom
(remove the DOT's and AT)

OpenVMS - the secure, multi-site OS that just works.

------------------------------

Date: 3 Jul 2007 12:42:00 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: OpenVMS - When downtime is not an option
Message-ID: <+gCKvqOu80+A@eisner.encompasserve.org>

In article , Bill Todd writes:
> Bob Koehler wrote:
> > ...
> > It's MS crap. I know their business model and there
>> is pressure to produce low quality products so they can sell you
>> a replacement next year.
>
> Not quite: it's pressure to push products out the door with all sorts
> of bells and whistles that will entice you to buy them *this* year (or
> at least this product cycle).

While that is true, I know from former Microsoft employees that
there is actually pressure to include bugs.

------------------------------

Date: Tue, 03 Jul 2007 04:00:52 -0700
From: Neil Rieck
Subject: SAMBA External Field Test Announcement
Message-ID: <1183460452.445771.19230@n2g2000hse.googlegroups.com>

I just received this email from HP:

Common Internet File System (CIFS) based on Samba External Field Test
Announcement

Dear valued HP OpenVMS Customers,

The CIFS Engineering group is pleased to announce the availability of
HP OpenVMS Common Internet File System (CIFS) based on Samba External
Field Test Version T1.0 in support of both the Alpha and Integrity
platforms. The field test may be run on HP OpenVMS V8.3 Alpha and/or
HP OpenVMS V8.3 Integrity.

Plans are to initiate our CIFS field test on Monday, July the 2nd and
have field test run through the end of August 2007. The production
release of CIFS is currently planned for submission to manufacturing
in "September of 2007".

As a field test site, you have the opportunity of utilizing our newest
technology before anyone else! In return, we would appreciate your
feedback about our product. Your feedback is very important to us.

Sites should test on non-production machines only. Use of field test
software on production machines is highly discouraged

The kits, along with documentation are available from the HP OpenVMS
Common Internet File System web site:

http://h71000.www7.hp.com/network/CIFS_for_Samba.html

Here you will find a hot link with a registration request. The process
is similar to one we employed to provide access to the evaluation down
loads. Follow the easy steps to access the software and documentation:

DOCUMENTATION and INSTALLATION:

Before accessing the field test site, please read the enclosed document
"Read Before Installing HP OpenVMS Common Internet File System (CIFS)
Version T1.0 release", which describes the contents and known
restrictions of the release and tells how to download and unzip the
field test kits. No temporary licensing is required for field testing.

NOTE:" READ BEFORE INSTALLING NOTE GOES HERE!"

Please install the kits as soon as you can. Please send an e-mail
message confirming your installation. Also tell me about any problems
you encounter with the web site.

If you have any problems with the software or documentation, please
submit a problem report to "openvms-cifs-field-test@hp.com".

Thank you for participating in the CIFS Version T1.0 field test. Please
contact me or the CIFS account with questions at any time during the
field test.

As always, we appreciate your support in these matters so that we may
provide you with the technologies that you need in support of your
business.

Sincerely,

Lawrence (Larry) Woodcome
OVMS Networks Business Mgr
Hewlett Packard Company
110 Spit Brook Rd, MS ZKO3/4-S23
Nashua, NH 03062-2698
Tel 603-884-5419
Fax 603-884-0763
lawrence.woodcome@hp.com

###

As stated in the email, you must be running OpenVMS-8.3

Neil Rieck
Kitchener/Waterloo/Cambridge,
Ontario, Canada.
http://www3.sympatico.ca/n.rieck/

------------------------------

Date: Tue, 03 Jul 2007 06:24:55 -0700
From: IanMiller
Subject: Re: SAMBA External Field Test Announcement
Message-ID: <1183469095.380854.199750@m36g2000hse.googlegroups.com>

http://www.openvms.org/stories.php?story=07/06/30/7754868

Been there, got that :-)

Note the points in the docs that it will run on V8.2 but performance is
not good due to lack of support in the CRTL on that version. I also
read a note about slow performance on OpenVMS Alpha V8.3

the kit includes sources and utilities to help transfer shares (not
users) from advanced server.

So give it a go on OpenVMS V8.3 (I64 preferred) and see.

------------------------------

Date: Tue, 3 Jul 2007 12:23:28 +0000 (UTC)
From: david20@alpha2.mdx.ac.uk
Subject: Re: SSH newbie question
Message-ID:

In article <46881632.8010501@comcast.net>, "Richard B.
Gilbert" writes: >JF Mezei wrote: >> Phillip Helbig---remove CLOTHES to reply wrote: >> >>> When you telnet into your router (presumably from outside your LAN), >>> everything echoed on your screen is potentially available. >> >> >> >> From the outside, one can only reach one machine (a vms box). The >> router is not reacheable from the outside, nor is the mac or any other >> machine from a telnet point of view. >> >> So telnet traffic is really just confined to within my lan to access >> rourters, switches, test the tcpip stack of another vms box etc etc. It >> is ridiculous to incur the additional overhead of ssh for such simple >> tasks. >> >> Now, if my systems were handling bank transactions and I had no many >> employees I couldn't know all of them, then I would consider blocking >> telnet since some folks might be listening onto the ethernet. (although >> with switches, this is getting harder to do). > >If you have the privileged password to a Cisco switch, monitoring the >traffic on a port on that switch can be done with relative ease. It's >not so easy for "Joe User" to monitor traffic on a switched ethernet >these days. > That hasn't been true since the release of dsniff see for instance http://www.infoworld.com/articles/op/xml/00/05/29/000529opswatch.html There are now many publicly available tools which include this functionality. David Webb Security team leader CCSS Middlesex University ------------------------------ Date: Tue, 03 Jul 2007 06:18:13 -0700 From: "Tom Linden" Subject: Re: SSH newbie question Message-ID: On Tue, 03 Jul 2007 05:23:28 -0700, wrote: > In article <46881632.8010501@comcast.net>, "Richard B. Gilbert" > writes: >> JF Mezei wrote: >>> Phillip Helbig---remove CLOTHES to reply wrote: >>> >>>> When you telnet into your router (presumably from outside your LAN), >>>> everything echoed on your screen is potentially available. >>> >>> >>> >>> From the outside, one can only reach one machine (a vms box). 
The >>> router is not reacheable from the outside, nor is the mac or any other >>> machine from a telnet point of view. >>> >>> So telnet traffic is really just confined to within my lan to access >>> rourters, switches, test the tcpip stack of another vms box etc etc. It >>> is ridiculous to incur the additional overhead of ssh for such simple >>> tasks. >>> >>> Now, if my systems were handling bank transactions and I had no many >>> employees I couldn't know all of them, then I would consider blocking >>> telnet since some folks might be listening onto the ethernet. (although >>> with switches, this is getting harder to do). >> >> If you have the privileged password to a Cisco switch, monitoring the >> traffic on a port on that switch can be done with relative ease. It's >> not so easy for "Joe User" to monitor traffic on a switched ethernet >> these days. >> > That hasn't been true since the release of dsniff see for instance > > http://www.infoworld.com/articles/op/xml/00/05/29/000529opswatch.html Have any of these tools been ported to VMS? > > There are now many publicly available tools which include this > functionality. > > > David Webb > Security team leader > CCSS > Middlesex University > -- PL/I for OpenVMS www.kednos.com ------------------------------ Date: Tue, 3 Jul 2007 15:05:35 +0000 (UTC) From: david20@alpha2.mdx.ac.uk Subject: Re: SSH newbie question Message-ID: In article , "Tom Linden" writes: >On Tue, 03 Jul 2007 05:23:28 -0700, wrote: > >> In article <46881632.8010501@comcast.net>, "Richard B. Gilbert" >> writes: >>> JF Mezei wrote: >>>> Phillip Helbig---remove CLOTHES to reply wrote: >>>> >>>>> When you telnet into your router (presumably from outside your LAN), >>>>> everything echoed on your screen is potentially available. >>>> >>>> >>>> >>>> From the outside, one can only reach one machine (a vms box). The >>>> router is not reacheable from the outside, nor is the mac or any other >>>> machine from a telnet point of view. 
>>>> >>>> So telnet traffic is really just confined to within my lan to access >>>> rourters, switches, test the tcpip stack of another vms box etc etc. It >>>> is ridiculous to incur the additional overhead of ssh for such simple >>>> tasks. >>>> >>>> Now, if my systems were handling bank transactions and I had no many >>>> employees I couldn't know all of them, then I would consider blocking >>>> telnet since some folks might be listening onto the ethernet. (although >>>> with switches, this is getting harder to do). >>> >>> If you have the privileged password to a Cisco switch, monitoring the >>> traffic on a port on that switch can be done with relative ease. It's >>> not so easy for "Joe User" to monitor traffic on a switched ethernet >>> these days. >>> >> That hasn't been true since the release of dsniff see for instance >> >> http://www.infoworld.com/articles/op/xml/00/05/29/000529opswatch.html >Have any of these tools been ported to VMS? Not that I'm aware of. David Webb Security team leader CCSS Middlesex University >> >> There are now many publicly available tools which include this >> functionality. >> >> >> David Webb >> Security team leader >> CCSS >> Middlesex University >> > > > >-- >PL/I for OpenVMS >www.kednos.com ------------------------------ Date: Tue, 3 Jul 2007 06:07:40 +0000 (UTC) From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) Subject: Re: TCPIP$GET_MX: getmxrr() failed Message-ID: In article <43b64$46893609$cef8887a$14076@TEKSAVVY.COM>, JF Mezei writes: > Phillip Helbig---remove CLOTHES to reply wrote: > >> > > Phillip Helbig---remove CLOTHES to reply wrote: > >> > > > getmxrr: name = 87.139.7.213]) > > > The question is, what does the error mean? And why the funny format > > Well, it is pretty obvious: SMTP cannot obtain the mx record (DNS) for > ip 87.139.7.213 Right. However, why the "])" at the end? Why does SMTP want to obtain the mx record for this IP? > Is it alwasy the same IP mentioned ? Yes. 
> Is it always present no matter what the sender is ? Yes. It is in TCPIP$SMTP_RECV_RUN.LOG which doesn't mention the sender; I would have to compare timestamps of these log files with entries in OPERATOR.LOG, but since the error is always present, the answer is "yes". > Is your mail routed to some forwarding SMTP server before getting to you > ? Would that IP belong to that forwarding SMTP server ? No, mail comes in directly. (If there is a problem at my end, then there are lower priority MX servers, but they are not neded now.) Again, this started happening sometime last week and I have never seen it before. ------------------------------ Date: Tue, 03 Jul 2007 10:41:46 +0200 From: "P. Sture" Subject: Re: TCPIP$GET_MX: getmxrr() failed Message-ID: In article , helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) wrote: > > > > getmxrr: name = 87.139.7.213]) > > > > > getmxrr: res_search() failed > > > > > TCPIP$GET_MX: getmxrr() failed > > > > > > Yes. My ISP is 1&1. Legally, my internet connection has nothing to do > with Deutsche Telekom, but behind the scenes the DSL connection from 1&1 > is a "resell" connection from Deutsche Telekom. > > The question is, what does the error mean? And why the funny format > with "])" at the end? Since everything appears to be working, what > effects does the error have? Has anyone else seen this? FWIW getmxrr is documented here: It looks as if garbage is being passed in the name field, but of course that doesn't give us the why. Note this bit in the source at the above URL: ---- case HOST_NOT_FOUND: #if BROKEN_RES_SEARCH case 0: /* Ultrix resolver retns failure w/ h_errno=0 */ #endif /* host doesn't exist in DNS; might be in /etc/hosts */ ---- Could it be picking up some garbage that has found its way into the TCPIP SET HOST entries? 
-- Paul Sture ------------------------------ Date: Tue, 3 Jul 2007 09:31:01 +0000 (UTC) From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) Subject: Re: TCPIP$GET_MX: getmxrr() failed Message-ID: In article , "P. Sture" writes: > In article , > helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to > reply) wrote: > > > > > > getmxrr: name = 87.139.7.213]) > > > > > > getmxrr: res_search() failed > > > > > > TCPIP$GET_MX: getmxrr() failed > > > > > > > > > Yes. My ISP is 1&1. Legally, my internet connection has nothing to do > > with Deutsche Telekom, but behind the scenes the DSL connection from 1&1 > > is a "resell" connection from Deutsche Telekom. > > > > The question is, what does the error mean? And why the funny format > > with "])" at the end? Since everything appears to be working, what > > effects does the error have? Has anyone else seen this? > > FWIW getmxrr is documented here: > > t=apps&rev=1.2> > > It looks as if garbage is being passed in the name field, but of course > that doesn't give us the why. > > Note this bit in the source at the above URL: > > ---- > case HOST_NOT_FOUND: > #if BROKEN_RES_SEARCH > case 0: /* Ultrix resolver retns failure w/ h_errno=0 */ > #endif > /* host doesn't exist in DNS; might be in /etc/hosts */ > ---- > > Could it be picking up some garbage that has found its way into the > TCPIP SET HOST entries? Again, this started happening last week. I hadn't changed anything for a while before that, in particular, I hadn't change anything in the local host database (which is small and looks fine). It's also been a while since the last changed to the TCPIP software. 
------------------------------ Date: Tue, 3 Jul 2007 09:48:00 +0000 (UTC) From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) Subject: Re: TCPIP$GET_MX: getmxrr() failed Message-ID: In article , helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) writes: > Again, this started happening last week. I hadn't changed anything for > a while before that, in particular, I hadn't change anything in the > local host database (which is small and looks fine). It's also been a > while since the last changed to the TCPIP software. Problem solved! It was a typo in SMTP.CONFIG (which I do update relatively often) in a bad-clients entry! I normally rely mainly on RBLs, but when I notice (I have the corresponding console next to my main graphics terminal) repeated rejections of a certain IP due to being in an RBL, I add the entry to the bad-clients list to cut down on noise. (I noticed the typo because I added 88.238.119.197 to the bad-clients list just now; today, there have been 100 connection attempts from it. I just added 122.167.178.184 as well after several repeated attempts.) This demonstrates one of the disadvantages of configuration files as opposed to SET/SHOW commands: syntax errors are not caught early enough. (In this case, the indication of a syntax error in the log file, instead of the error indicated, would have at least helped to solve the problem more quickly.) By the way, since 1-JUN-2007 there are 28245 RBL rejections mentioned in the operator log, but only 12 due to bad clients, at least 6 of the latter being from today. 
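A pre-flight check of the kind the message above wishes for, as an added example that is not part of the original post and not HP code. The `Field: value` layout, comma-separated lists, indented continuation lines, `!` comments and the optional `/prefix` are assumptions about SMTP.CONFIG; `classify` and `lint` are hypothetical names, and the sample file is constructed.

```python
import ipaddress
import re

# Assumption: only the Bad-Clients field (named in the thread) holds a list
# of client addresses that needs checking.
LIST_FIELDS = {"bad-clients"}
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)
# Digits, dots and stray punctuation only: an IP address that was mistyped.
NUMERIC_LOOKING = re.compile(r"^[0-9./\[\]()\s]+$")


def classify(token):
    """Return (kind, detail) for one list entry."""
    addr, _, prefix = token.partition("/")
    try:
        ipaddress.IPv4Address(addr)
    except ValueError:
        pass
    else:
        if not prefix:
            return "address", None
        if prefix.isdigit() and int(prefix) <= 32:
            return "network", None
        return "error", f"bad prefix length {prefix!r}"
    if NUMERIC_LOOKING.match(token):
        # Without this check the entry could be mistaken for a host name
        # and handed to the resolver.
        return "error", "looks like an IP address but is malformed"
    if HOSTNAME_RE.match(token):
        return "hostname", None
    return "error", "neither an IPv4 address nor a host name"


def lint(text):
    """Return a list of (line number, field, token, message) findings."""
    findings = []
    field = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue                      # blank line or comment (assumed "!")
        if line[0].isspace():
            value = line                  # continuation of the previous field
            if field is None:
                continue
        else:
            name, sep, value = line.partition(":")
            if not sep:
                findings.append((lineno, None, line, "missing ':' after field name"))
                field = None
                continue
            field = name.strip().lower()
        if field not in LIST_FIELDS:
            continue
        for token in (t.strip() for t in value.split(",")):
            if not token:
                continue                  # trailing comma before a continuation
            kind, detail = classify(token)
            if kind == "error":
                findings.append((lineno, field, token, detail))
    return findings


# Constructed sample, not a real configuration. The second entry reproduces
# the mangled name seen in the getmxrr log line quoted in the thread.
SAMPLE = """\
! constructed sample, not a real SMTP.CONFIG
SPAM-Action: OPCOM
Bad-Clients: 192.0.2.15, 87.139.7.213]), 198.51.100.0/24,
    203.0.113.9/33, 10.1.2, spammer.example.net
"""

if __name__ == "__main__":
    for lineno, field, token, message in lint(SAMPLE):
        print(f"line {lineno}: {field}: {token!r}: {message}")
```

Run before restarting the SMTP receiver, a check like this reports the bad entry by line number instead of leaving it to surface later as a resolver error.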
------------------------------ Date: Tue, 3 Jul 2007 09:53:08 +0000 (UTC) From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) Subject: Re: TCPIP$GET_MX: getmxrr() failed Message-ID: In article , helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) writes: > By the way, since 1-JUN-2007 there are 28245 RBL rejections mentioned in > the operator log, but only 12 due to bad clients, at least 6 of the > latter being from today. Up from 12 to 22 now. I'm assuming that it is more efficient in terms of resources to reject stuff at the bad-clients stage as opposed to the RBL stage. ------------------------------ Date: Tue, 3 Jul 2007 10:09:37 +0000 (UTC) From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) Subject: Re: TCPIP$GET_MX: getmxrr() failed Message-ID: Of course, since the problematic address is definitely due to the typographical error in SMTP.CONFIG, why is STMP doing an MX lookup on it? If the address is in the bad-clients list, then the connection should just be dropped. As far as I can tell, the translation is not reported in OPERATOR.LOG nor in the SMTP log files, so why bother with the lookup at all? True, the log files do occasionally say, e.g., Client IP address 85.103.243.252 unbacktranslatable (gethostbyaddr returned NULL) (I'm NOT using this as a rejection criterion at the moment.) However, if the address is in the bad-clients list, wouldn't it be better to just drop the connection then and there, without doing further processing? Especially considering the fact that addresses in the bad-clients list are probably there because of repeated attempts. Of course, it would be even better to reject stuff based on addresses much earlier on. This is possible, but the number of such addresses is limited. What is needed is something like the bad-clients list in SMTP.CONFIG, but for TCPIP or even TCP (i.e. including UDP). 
------------------------------ Date: Tue, 03 Jul 2007 13:12:40 +0200 From: "P. Sture" Subject: Re: TCPIP$GET_MX: getmxrr() failed Message-ID: In article , helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) wrote: > In article , helbig@astro.multiCLOTHESvax.de > (Phillip Helbig---remove CLOTHES to reply) writes: > > > Again, this started happening last week. I hadn't changed anything for > > a while before that, in particular, I hadn't change anything in the > > local host database (which is small and looks fine). It's also been a > > while since the last changed to the TCPIP software. > > Problem solved! It was a typo in SMTP.CONFIG (which I do update > relatively often) in a bad-clients entry! > Good. > I normally rely mainly on RBLs, but when I notice (I have the > corresponding console next to my main graphics terminal) repeated > rejections of a certain IP due to being in an RBL, I add the entry to > the bad-clients list to cut down on noise. (I noticed the typo because > I added 88.238.119.197 to the bad-clients list just now; today, there > have been 100 connection attempts from it. I just added 122.167.178.184 > as well after several repeated attempts.) > > This demonstrates one of the disadvantages of configuration files as > opposed to SET/SHOW commands: syntax errors are not caught early enough. > (In this case, the indication of a syntax error in the log file, instead > of the error indicated, would have at least helped to solve the problem > more quickly.) Syntax checkers for config files seem to be common in the unix world. I wonder if there's something suitable for the SMTP.CONFIG file. > By the way, since 1-JUN-2007 there are 28245 RBL rejections mentioned in > the operator log, but only 12 due to bad clients, at least 6 of the > latter being from today. I had 4 hours worth of RBL rejections for the same IP address yesterday. 
I have "SPAM-Action: OPCOM, ACCOUNTING" in my SMTP.CONFIG, but no RBL messages in operator.log (they were being broadcast to the console though). Does the ACCOUNTING specification mean that they don't go to operator.log? -- Paul Sture ------------------------------ Date: Tue, 03 Jul 2007 13:24:32 +0200 From: "P. Sture" Subject: Re: TCPIP$GET_MX: getmxrr() failed Message-ID: In article , helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) wrote: > Of course, since the problematic address is definitely due to the > typographical error in SMTP.CONFIG, why is STMP doing an MX lookup on > it? If the address is in the bad-clients list, then the connection > should just be dropped. As far as I can tell, the translation is not > reported in OPERATOR.LOG nor in the SMTP log files, so why bother with > the lookup at all? > > True, the log files do occasionally say, e.g., > > Client IP address 85.103.243.252 unbacktranslatable (gethostbyaddr returned > NULL) > > (I'm NOT using this as a rejection criterion at the moment.) However, > if the address is in the bad-clients list, wouldn't it be better to just > drop the connection then and there, without doing further processing? > Especially considering the fact that addresses in the bad-clients list > are probably there because of repeated attempts. > > Of course, it would be even better to reject stuff based on addresses > much earlier on. This is possible, but the number of such addresses is > limited. What is needed is something like the bad-clients list in > SMTP.CONFIG, but for TCPIP or even TCP (i.e. including UDP). My 4 hour attack yesterday was also doing a header enquiry on port 80. Both SMTP and HTTP at the rate of 2 per minute. I eventually did a TCPIP SET COMM/REJECT=NETWORKS=Ip-address whoops - that defaults to a network mask of 255.0.0.0, so I blocked the whole of 80.0.0.0. It stopped whatever was having a go in short order though :-) The IP concerned actually belongs to my ISP. 
If it happens again, and I'm around at the time, I could drop the RBL check just long enough to get more details and do a full report. With the information on hand though, I have little to report.

--
Paul Sture

------------------------------

Date: Tue, 3 Jul 2007 13:45:13 +0000 (UTC)
From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply)
Subject: Re: TCPIP$GET_MX: getmxrr() failed
Message-ID:

In article , "P. Sture" writes:

> I had 4 hours worth of RBL rejections for the same IP address yesterday.
> I have "SPAM-Action: OPCOM, ACCOUNTING" in my SMTP.CONFIG, but no RBL
> messages in operator.log (they were being broadcast to the console
> though).

Why not?

> Does the ACCOUNTING specification mean that they don't go to
> operator.log?

I have OPCOM but not ACCOUNTING. They go to the console AND to the log file.

Are you sure you looked in the OPERATOR.LOG for the node doing the SMTP receiving?

------------------------------

Date: Tue, 03 Jul 2007 10:40:51 -0400
From: JF Mezei
Subject: Re: TCPIP$GET_MX: getmxrr() failed
Message-ID: <291cf$468a6022$cef8887a$15227@TEKSAVVY.COM>

>> > > > getmxrr: name = 87.139.7.213])

I wouldn't worry too much about the ] since it could very well be part of the "printf" statement instead of being part of the IP value. (But could be either way).

Have you tried to enable the receiver tracing ?

$DEFINE/SYSTEM TCPIP$SMTP_RECV_TRACE 1

This *might* give you a better idea of the situation if the incoming call goes anywhere with the receiver before that error is issued.

Do you have a router that logs incoming calls ? If you can associate this error with the actual IP that is calling you, you might have a better idea.
------------------------------ Date: Tue, 3 Jul 2007 14:50:40 +0000 (UTC) From: david20@alpha2.mdx.ac.uk Subject: Re: TCPIP$GET_MX: getmxrr() failed Message-ID: In article , helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) writes: >In article <43b64$46893609$cef8887a$14076@TEKSAVVY.COM>, JF Mezei > writes: > >> Phillip Helbig---remove CLOTHES to reply wrote: >> >> > > Phillip Helbig---remove CLOTHES to reply wrote: >> >> > > > getmxrr: name = 87.139.7.213]) >> >> > The question is, what does the error mean? And why the funny format >> >> Well, it is pretty obvious: SMTP cannot obtain the mx record (DNS) for >> ip 87.139.7.213 > >Right. However, why the "])" at the end? Why does SMTP want to obtain >the mx record for this IP? > MX records are used when sending mail messages to identify which system to connect to. Could it be that someone is sending mail through your system to an address of the form user@[87.139.7.213] which is a perfectly valid email address using a domain-literal and that the DEC TCPIP SMTP software is mishandling this case and is trying to lookup a MX record for [87.139.7.213] instead of just trying to connect to the server at address 87.139.7.213 David Webb Security team leader CCSS Middlesex University >> Is it alwasy the same IP mentioned ? > >Yes. > >> Is it always present no matter what the sender is ? > >Yes. It is in TCPIP$SMTP_RECV_RUN.LOG which doesn't mention the sender; >I would have to compare timestamps of these log files with entries in >OPERATOR.LOG, but since the error is always present, the answer is >"yes". > >> Is your mail routed to some forwarding SMTP server before getting to you >> ? Would that IP belong to that forwarding SMTP server ? > >No, mail comes in directly. (If there is a problem at my end, then >there are lower priority MX servers, but they are not neded now.) > >Again, this started happening sometime last week and I have never seen >it before. 
> ------------------------------ Date: Tue, 03 Jul 2007 17:51:11 +0200 From: "P. Sture" Subject: Re: TCPIP$GET_MX: getmxrr() failed Message-ID: In article , helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) wrote: > In article , "P. > Sture" writes: > > > I had 4 hours worth of RBL rejections for the same IP address yesterday. > > I have "SPAM-Action: OPCOM, ACCOUNTING" in my SMTP.CONFIG, but no RBL > > messages in operator.log (they were being broadcast to the console > > though). > > Why not? I was hoping you could answer that. > > Does the ACCOUNTING specification mean that they don't go to > > operator.log? > > I have OPCOM but not ACCOUNTING. They go to the console AND to the log > file. > > Are you sure you looked in the OPERATOR.LOG for the node doing the SMTP > receiving? Yep. I am going to try with just "SPAM-Action: OPCOM" to see if that makes a difference. -- Paul Sture ------------------------------ Date: Tue, 03 Jul 2007 17:34:43 GMT From: Alfred Falk Subject: RE: Ten years ago... Message-ID: "Main, Kerry" wrote in news:FA60F2C4B72A584DBFC6091F6A2B8684024C08D0@tayexc19.americas.cpqcorp.n et: > Re: takeovers .. I still remember laughing when someone suggested to > me that Compaq might buy Digital. "Heck, we are worth $10B - who in > the world has that type of money?" I had similar thoughts, $10B Wow!. Then a week later I saw an item in the local paper about some Canadian energy company buying out another for $9B Cdn. Not quite as much but in the same league. These were companies you have never heard of (and I can't remember either). We think IT is big business. Peanuts compared to energy. 
-- ---------------------------------------------------------------- A L B E R T A Alfred Falk falk@arc.ab.ca R E S E A R C H Information Systems Dept (780)450-5185 C O U N C I L 250 Karl Clark Road Edmonton, Alberta, Canada http://www.arc.ab.ca/ T6N 1E4 http://outside.arc.ab.ca/staff/falk/ ------------------------------ Date: Tue, 03 Jul 2007 07:40:08 -0700 From: ultradwc@gmail.com Subject: Updated TCO study has OpenVMS AGAIN over AIX, Slowaris Message-ID: <1183473608.863453.139260@n2g2000hse.googlegroups.com> notice the virus/worm downtime ... zero for VMS, not so good for the others ... sorry Andrew, more proof to validate CERT counts ... http://h71028.www7.hp.com/ERC/downloads/TechWise_TCO2007.pdf ------------------------------ Date: Tue, 03 Jul 2007 10:53:11 -0400 From: JF Mezei Subject: Re: Updated TCO study has OpenVMS AGAIN over AIX, Slowaris Message-ID: <66c1b$468a6301$cef8887a$18188@TEKSAVVY.COM> ultradwc@gmail.com wrote: > notice the virus/worm downtime ... zero for VMS, not so good for > the others ... sorry Andrew, more proof to validate CERT counts ... Boob, if the currently vulnerability in POP doesn't make it to CERT, it means that CERT doesn't cover VMS viulnerabilities and hence, you cannot in good conscience claim VMS is more secure because it has no CERT listings. ------------------------------ Date: Tue, 03 Jul 2007 07:59:29 -0700 From: ultradwc@gmail.com Subject: Re: Updated TCO study has OpenVMS AGAIN over AIX, Slowaris Message-ID: <1183474769.136563.82710@k79g2000hse.googlegroups.com> On Jul 3, 10:53 am, JF Mezei wrote: > ultra...@gmail.com wrote: > > notice the virus/worm downtime ... zero for VMS, not so good for > > the others ... sorry Andrew, more proof to validate CERT counts ... > > Boob, if the currently vulnerability in POP doesn't make it to CERT, it > means that CERT doesn't cover VMS viulnerabilities and hence, you cannot > in good conscience claim VMS is more secure because it has no CERT listings. 
PMDF and TCPware POP have NO vulnerability ...

------------------------------

Date: Tue, 3 Jul 2007 15:46:36 +0000 (UTC)
From: david20@alpha2.mdx.ac.uk
Subject: Re: Updated TCO study has OpenVMS AGAIN over AIX, Slowaris
Message-ID:

In article <1183474769.136563.82710@k79g2000hse.googlegroups.com>, ultradwc@gmail.com writes:
>On Jul 3, 10:53 am, JF Mezei wrote:
>> ultra...@gmail.com wrote:
>> > notice the virus/worm downtime ... zero for VMS, not so good for
>> > the others ... sorry Andrew, more proof to validate CERT counts ...
>>
>> Boob, if the current vulnerability in POP doesn't make it to CERT, it
>> means that CERT doesn't cover VMS vulnerabilities and hence, you cannot
>> in good conscience claim VMS is more secure because it has no CERT listings.
>
>PMDF and TCPware POP have NO vulnerability ...
>

And even with DEC TCPIP services implementation of POP.

The logging of IP addresses can apparently be enabled by defining TCPIP$POP_LOG_LEVEL to THREAD

The ability to determine whether a username exists or not from the error message can be controlled by defining TCPIP$POP_SECURITY to SECURE

Hence, although one can argue that these should be the defaults and possibly a setting which records the IP address but less other information than THREAD should be provided, this part of the problem is down to incorrect configuration.

As to Intrusion protection can someone remind me which Unix implementations of POP servers provide this ?
David Webb Security team leader CCSS Middlesex University ------------------------------ Date: Tue, 3 Jul 2007 05:59:39 +0000 (UTC) From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) Subject: Re: VMS security vulnerability (POP server) Message-ID: Note that this was posted to the ovms-lists@openvms.org by Hoff: From: SMTP%"ovms-lists@openvms.org" 2-JUL-2007 21:50:28.68 To: "Patch and Security Alerts" Subj: [OVMS-Alert] TCP/IP Services POP3 Security Vulnerability Report in Wild From Stephen Hoffman, Hoffman Labs: JF Mezei has posted details of a security vulnerability in the OpenVMS TCP/IP Services POP3 implementation (current versions) into the comp.os.vms newsgroup, reportedly after contacting HP with the initial report of the vulnerability. Mr Mezei indicates a local OpenVMS Alpha system was targeted by a POP3 dictionary attack. Remote IP-based POP3-based dictionary attacks appear feasible against passwords using this vulnerability, and no breakin evasion processing is performed. I've posted a quick review of the newsgroup report and some suggestions at the HoffmanLabs site: http://64.223.189.234/node/395 The original report is available here: http://groups.google.com/group/comp.os.vms/msg/8a42e91fe1e9cd36 It is unclear if other components of TCP/IP Services are similarly afflicted. _______________________________________________ NOTICE: Patches/Kits may not be available for several hours. -KF _______________________________________________ You are subscribed to: alerts@openvms.org To subscribe: alerts-subscribe@openvms.org To unsubscribe: alerts-unsubscribe@openvms.org Send administrative queries to Please forward to friends and co-workers. OpenVMS.org lists are not affiliated with HP. OpenVMS is a trademark of HP. 
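The two server-side behaviours discussed in the messages above, identical replies whether or not a username exists and break-in evasion keyed on the source address, sketched as an added example that is not part of the original posts and is not the TCP/IP Services implementation. `PopAuthGate`, the thresholds, the reply strings and the account data are all hypothetical or constructed.

```python
import hashlib
import hmac
from collections import defaultdict, deque

MAX_FAILURES = 3       # assumed threshold, not a TCP/IP Services default
WINDOW_SECONDS = 300   # failures older than this no longer count
LOCKOUT_SECONDS = 600  # how long an offending source stays refused
GENERIC_FAIL = "-ERR authentication failed"


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class PopAuthGate:
    """AUTHORIZATION-state decisions for a POP3 listener (a model, not a server)."""

    def __init__(self, accounts, clock):
        self.accounts = accounts            # {username: (salt, pbkdf2 hash)}
        self.clock = clock                  # injectable time source
        self.failures = defaultdict(deque)  # source IP -> failure timestamps
        self.locked_until = {}              # source IP -> unlock time
        self.audit = []                     # (time, source IP, event)
        # Dummy credential so an unknown user costs the same hashing work.
        dummy_salt = b"\x00" * 16
        self._dummy = (dummy_salt, hash_password("", dummy_salt))

    def user(self, source, name):
        # Same reply for every name: USER gives no hint which accounts exist.
        return "+OK send PASS"

    def password(self, source, name, password):
        now = self.clock()
        if self.locked_until.get(source, 0) > now:
            # Evasion: while locked out, even the correct password is refused.
            self.audit.append((now, source, "refused-locked"))
            return GENERIC_FAIL
        salt, expected = self.accounts.get(name, self._dummy)
        matches = hmac.compare_digest(hash_password(password, salt), expected)
        if matches and name in self.accounts:
            self.failures.pop(source, None)
            self.audit.append((now, source, "login"))
            return "+OK maildrop ready"
        recent = self.failures[source]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                # forget failures outside the window
        self.audit.append((now, source, "failure"))
        if len(recent) >= MAX_FAILURES:
            self.locked_until[source] = now + LOCKOUT_SECONDS
            self.audit.append((now, source, "lockout"))
        return GENERIC_FAIL                 # never says which part was wrong


if __name__ == "__main__":
    # Constructed account and documentation-range source address.
    now = [1000.0]
    salt = b"constructed-salt"
    gate = PopAuthGate({"system": (salt, hash_password("correct horse", salt))},
                       lambda: now[0])
    print(gate.user("192.0.2.10", "canada"))
    for guess in ("chocolate", "vanilla", "mint", "correct horse"):
        print(gate.password("192.0.2.10", "system", guess))
    print(gate.audit)
```

The audit list always records the source address, which is the information the thread says is only logged when the log level is raised.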
------------------------------

Date: Tue, 3 Jul 2007 13:18:24 +0000 (UTC)
From: david20@alpha2.mdx.ac.uk
Subject: Re: VMS security vulnerability (POP server)
Message-ID:

In article , "Tom Linden" writes:
>On Sun, 01 Jul 2007 23:00:44 -0700, JF Mezei wrote:
>
>> Michael Moroney wrote:
>>> That is a nasty one, since much of what makes VMS resistant to such
>>> attacks is the ability to sense a breakin attempt and deny access from
>>> the breakin source even when it gets the password correct.
>>> Did the attempt seem to target VMS or was it a script kiddie hacking at
>>> a Windoze box or Unix box (accounts like administrator or root being
>>> tried)
>>
>>
>> Brute force. And VMS is even worse:
>>
>> $ telnet/port=110 chain
>> %TELNET-I-TRYING, Trying ... 10.0.0.11
>> %TELNET-I-SESSION, Session 01, host chain, port 110
>> +OK TCPIP POP server V5.6-9, OpenVMS V8.3 Alpha at chain.vaxination.ca, up sinc>
>> USER canada
>> -ERR No such user "canada"
>> USER system
>> +OK Password required for "system"
>> PASS chocolate
>> -ERR password supplied for "system" is incorrect.
>> %TELNET-S-REMCLOSED, Remote connection closed
>> -TELNET-I-SESSION, Session 01, host chain, port 110
>>
>>
>> So by checking whether the USER command returns an -ERR or +OK, you can
>> narrow down which usernames are valid, and then proceed to guess their
>> passwords by brute force.
>>
>What happens if you disable telnet and only allow ssh?
>

Telnet in this instance is just being used to setup a connection to the POP server port and then to pass the same commands that a pop client would send. Telnet is often used in this manner. The telnet connection could come from anywhere and the only way to stop telnet connections to the POP server port would basically be to stop anyone connecting to that port eg not to run the POP server.
David Webb
Security team leader
CCSS
Middlesex University

>
>--
>PL/I for OpenVMS
>www.kednos.com

------------------------------

Date: 3 Jul 2007 07:48:34 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: VMSclusters and data replication
Message-ID:

In article <1183399772.237201.114300@k29g2000hsd.googlegroups.com>, Bob Gezelter writes:
>
> However, long distance replication of a limited volume of data is a
> far different story. A detailed review of what must actually be
> synchronized (vs recovered in the event of a problem) must be done,
> with a full inventory.

Yes, I've done enough data transfers across the pond to agree with this approach. I've used DECnet Phase IV for this with no problem and I suggest DECnet over IP as the most promising solution.

Other possibilities include naked IP (if you don't mind fixing up file attributes); or DFS (DECnet File System?), a sort of NFS analog for DECnet.

------------------------------

Date: Tue, 03 Jul 2007 06:12:16 -0700
From: Bob Gezelter
Subject: Re: VMSclusters and data replication
Message-ID: <1183468336.339416.176380@m36g2000hse.googlegroups.com>

On Jul 3, 7:48 am, koeh...@eisner.nospam.encompasserve.org (Bob Koehler) wrote:
> In article <1183399772.237201.114...@k29g2000hsd.googlegroups.com>, Bob Gezelter writes:
>
> > However, long distance replication of a limited volume of data is a
> > far different story. A detailed review of what must actually be
> > synchronized (vs recovered in the event of a problem) must be done,
> > with a full inventory.
>
> Yes, I've done enough data transfers across the pond to agree with
> this approach. I've used DECnet Phase IV for this with no problem
> and I suggest DECnet over IP as the most promising solution.
>
> Other possibilities include naked IP (if you don't mind fixing up
> file attributes); or DFS (DECnet File System?), a sort of NFS
> analog for DECnet.

Bob,

Yes.
I should re-emphasize that while 9/11 is often cited as the reason for concern, many do not realize the extent of the lessons learned in the aftermath of the event. While OpenVMS clusters is an extremely useful technology, it is not magic nor is it the cure-all for all reasons.

Speaking as an IT professional, and not minimizing the loss of life in the Trade Center attack, the far more disruptive event was the destruction of the AT&T (if I recall correctly) switching center adjacent to the Trade Center, which was a junction point for many data connections to/from Manhattan. Many companies very far from Ground Zero were disrupted by this event for a very extended period of time.

My concern is that trans-oceanic clusters make use of a limited set of high speed circuits. In the event of a problem, bandwidth may be reduced on these circuits with little warning. If these are mission critical, then severe problems can result. Thus my suggestion to carefully evaluate (and possibly retain a consultant) the issues before going down this route.

Archiving logs remotely can survive with far less bandwidth than a cluster. If that accomplishes the need, it is a better choice.

Note that transcontinental clusters do not necessarily suffer the same problem, although verifying alternate communications paths is important.

- Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Tue, 3 Jul 2007 09:22:04 -0400
From: "Main, Kerry"
Subject: RE: VMSclusters and data replication
Message-ID:

> -----Original Message-----
> From: mb301@hotmail.com [mailto:mb301@hotmail.com]
> Sent: July 2, 2007 12:56 PM
> To: Info-VAX@Mvb.Saic.Com
> Subject: VMSclusters and data replication
>
> Using OpenVMS 7.3-2
>
> Looking for ways to replicate lots of data across from London To New
> York
> Would any sort of SAN software do the job?
> I guess having nodeA in NY and nodeB in London In a cluster just isn't
> going to work?
> What about host based raid or volume shadowing?
> Any ideas about the network pipe you can get?

Well, one option might be an active-active-passive (sync-sync-asynch) multiple site solution. This is emerging as a good solution for large enterprises which offers the benefits of local synch access between two sites 25-50 miles apart while at the same time providing the ability to go to a third site for critical business functions should some catastrophic event take out the two local sites.

For anyone looking at cross Atlantic data replication, I suspect the HW costs will not be the major concern as an hour or two of application unavailability in prime time would likely pay for it all.

In view of recent events, I suspect more and more companies will be looking at solutions like this. It certainly does come up a lot during the discussions I have around DC consolidation.

And as someone else mentioned, the bandwidth costs have dropped significantly across the pond. A number of providers beefed up cross ocean delivery capabilities significantly during the Internet dot com days - only to have the bottom drop out of that market. Get a number of quotes, but also take into consideration the providers' long term stability as well.

Challenges in this area are that you typically have to get a long term contract (2-3 years), so you need to do some sizing work before contracting anything.

In some of the DC consolidation engagements like this, I would typically recommend a local network simulator pilot project be implemented to test all of the various bandwidth, latency, error rates, fail over scenarios. Network simulators range from freeware to $30k+ appliances, so YMMV - likely something in between is what you would need.

Regards

Kerry Main
Senior Consultant
HP Services Canada
Voice: 613-592-4660
Fax: 613-591-4477
kerryDOTmainAThpDOTcom
(remove the DOT's and AT)

OpenVMS - the secure, multi-site OS that just works.

------------------------------

Date: 3 Jul 2007 12:45:56 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: VMSclusters and data replication
Message-ID:

In article <1183468336.339416.176380@m36g2000hse.googlegroups.com>, Bob Gezelter writes:
>
> My concern is that trans-oceanic clusters make use of a limited set of
> high speed circuits. In the event of a problem, bandwidth may be
> reduced on these circuits with little warning. If these are mission
> critical, then severe problems can result.

I didn't say anything about clusters and I would not use VMScluster in across-the-pond configurations.

------------------------------

Date: Tue, 03 Jul 2007 07:40:17 -0700
From: Galen
Subject: Re: What is a CT-ADP80-AA?
Message-ID: <1183473617.178664.135590@g4g2000hsf.googlegroups.com>

> > So it looks like it really could be a DS10L in an AS800 box. What does
> > ADP stand for here?

When I have a chance to shut one of these three systems down perhaps I can take a look at the motherboard. That would reveal all.

------------------------------

Date: Tue, 3 Jul 2007 07:53:26 -0700
From: DeanW
Subject: Re: What is a CT-ADP80-AA?
Message-ID: <3f119ada0707030753q18a8bcc4td9996ca74c2fbd25@mail.gmail.com>

On 7/2/07, Galen wrote:
> > > VMS V7.3 SHOW CPU calls it a DS10L but it is in a cabinet that's a lot
> > > like an AlphaServer 800. It has several internal disk drives and an
> > > external SCSI connection as well.
>
> Thanks, Dave. I'm not surprised to see you answer this.
>
> So it looks like it really could be a DS10L in an AS800 box. What does
> ADP stand for here?

ADP writes (amongst other things) a package for car dealers; it does everything from print out loan doc paperwork to run the service department and inventory.

But I'm surprised; they haven't used DEC stuff in ages. I'll ask a friend who works there if he might remember anything about those.

--
Dean Woodward =o&o dean.woodward@gmail.com

------------------------------

Date: Tue, 03 Jul 2007 08:06:04 -0700
From: Galen
Subject: Re: What is a CT-ADP80-AA?
Message-ID: <1183475164.478405.98310@k79g2000hse.googlegroups.com>

> ADP writes (amongst other things) a package for car dealers; it does
> everything from print out loan doc paperwork to run the service
> department and inventory.
>
> But I'm surprised; they haven't used DEC stuff in ages. I'll ask a
> friend who works there if he might remember anything about those.
>

These three servers have been running for several years in our lab, since before I began working here. We no doubt bought them used-- sorry, Dave T., it wasn't from Islandco. :-|

------------------------------

End of INFO-VAX 2007.360
************************