JTK – Notes and Ramblings
Things we have found …

8/7/2011

AsteriskNOW Web Voicemail

Filed under: General,Router/PC Config — taing @ 11:13 pm

After all, what’s the point of Asterisk voicemail if you don’t enable a web interface? Unfortunately the web interface is not packaged with AsteriskNOW.

We found some very useful instructions at http://www.voip-info.org/wiki/view/Asterisk+gui+vmail.cgi. The biggest problem with those instructions is the need to download and install the Asterisk source tree.

The instructions have you install apache and perl-suidperl with yum, plus the DBI module for Perl (we used webmin to install the Perl module).

Then we found a copy of vmail.cgi and copied it directly to /var/www/cgi-bin. Once we made it executable and followed the rest of the instructions regarding Perl modules, almost everything was ready to go.

You can grab a copy of what we used here: vmail.cgi

There is a broken image tag that can easily be resolved either by editing the .cgi file or by downloading the image from the Asterisk source tree and copying it to the proper place under /var/www.

The remaining step was to make sure the apache CGI job had write access to the /var/spool/asterisk/voicemail tree. I’m sure there is a more complex and more secure means, but simply adding the permissions og+rw to the tree made everything work.
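The og+rw shortcut above leaves every voicemail file and folder writable by any local account. Here is an added example (not from the original post or from the AsteriskNOW project) of the tighter alternative: hand the spool to the web server's group with the setgid bit so new messages inherit it, and keep "others" out entirely. It assumes GNU coreutils/findutils as shipped on CentOS and that the CGI runs as a member of the apache group (the group name is an assumption; pass whatever `id -gn` reports for the web server user).

```shell
#!/bin/sh
# Added helper, not part of AsteriskNOW. Grants one group (assumed: apache)
# read/write access to the voicemail spool instead of making it world-writable.
# Assumes GNU chmod/find/stat.

# grant_spool_access TREE GROUP
#   directories: owner rwx, group rwx, setgid so new files inherit GROUP, others none
#   files:       owner rw,  group rw, others none
grant_spool_access() {
    tree=$1
    group=$2
    [ -d "$tree" ] || { echo "no such directory: $tree" >&2; return 1; }
    chgrp -R "$group" "$tree" || return 1
    find "$tree" -type d -exec chmod 2770 {} + || return 1
    find "$tree" -type f -exec chmod 0660 {} + || return 1
}

# world_writable_count TREE
#   Number of entries under TREE that anyone on the box can write to.
#   Expected to be 0 after grant_spool_access.
world_writable_count() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Typical call on the real spool (run as root):
#   grant_spool_access /var/spool/asterisk/voicemail apache
#   world_writable_count /var/spool/asterisk/voicemail
```

Asterisk itself keeps writing as root, so it is unaffected; only the CGI's path into the tree changes.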

AsteriskNOW GUI via SSL

Filed under: General,Router/PC Config — taing @ 8:40 pm

You’ve already seen how to enable the Asterisk Manager interface and the GUI web server. What is needed now is SSL for the added layer of security.

The /etc/asterisk/manager.conf file contains some of the info and further hints were found scattered about on the web.

Hopefully you already have OpenSSL installed. If not, try yum install openssl.

First, the manager interface. Add this block to /etc/asterisk/manager.conf.

sslenable=yes                           ; set to YES to enable it
sslbindport=5039                        ; the port to bind to
sslbindaddr=192.168.0.100               ; address to bind to, default to bindaddr
sslcert=/etc/asterisk/cert.pem          ; path to the certificate.

You can build the sslcert with:

openssl req -new -x509 -days 365 -nodes -out /etc/asterisk/cert.pem -keyout /etc/asterisk/cert.pem

The parts above are actually pretty well documented online and add the SSL layer for the management interface. The real secret was to add a similar block to /etc/asterisk/http.conf.

sslenable=yes                           ; set to YES to enable it
sslbindport=8089                        ; the port to bind to
sslbindaddr=192.168.0.100               ; address to bind to, default to bindaddr
sslcert=/etc/asterisk/cert.pem          ; path to the certificate.

After adding this and running service asterisk restart, you should be able to browse to https://yourserver:8089.

The certificate we created above is self-signed, not issued by any certificate authority, and will need to be added to your browser as an exception.

AsteriskNOW GUI startup

Filed under: General,Router/PC Config — taing @ 5:34 pm

When setting up our AsteriskNOW 1.7 box there were a few things we thought we should note.

All of the config files for Asterisk are located at /etc/asterisk.

You may want to edit /etc/asterisk/manager.conf to adjust usernames and passwords. The default is user=admin, password=password.

In our case we wanted to edit /etc/asterisk/manager.conf and /etc/asterisk/http.conf so that the management and HTTP services bind only to the internal LAN interface, not the public interface.
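The two posts above (SSL for the manager and HTTP interfaces, and binding them to the LAN side) are all hand edits, so it is easy to miss one on a rebuilt box. This is an added check, not part of AsteriskNOW, that reads a manager.conf or http.conf and flags the three things those posts change: a bindaddr that is missing or 0.0.0.0 (every interface, including ppp0), sslenable not set to yes, and a manager user still carrying the stock secret=password. It assumes the Asterisk key=value syntax with ; comments and only POSIX sh, sed and awk.

```shell
#!/bin/sh
# Added audit helper, not part of Asterisk or AsteriskNOW.
# Reads one config file, prints one finding per line, returns 1 if any finding.

# conf_get FILE KEY -> value of the last uncommented KEY = ... line, trimmed;
# empty if the key is absent. Works for [general] keys like bindaddr/sslenable.
conf_get() {
    sed -e 's/;.*//' "$1" | awk -F= -v k="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == k { v = $2 }
        END { print v }'
}

# audit_asterisk_conf FILE
audit_asterisk_conf() {
    f=$1
    rc=0
    bind=$(conf_get "$f" bindaddr)
    case "$bind" in
        ""|0.0.0.0|"::")
            echo "$f: bindaddr is '$bind' (listens on every interface, not just the LAN)"
            rc=1 ;;
    esac
    if [ "$(conf_get "$f" sslenable)" != "yes" ]; then
        echo "$f: sslenable is not yes"
        rc=1
    fi
    # the stock install ships a user whose secret is literally "password"
    if sed -e 's/;.*//' "$f" | grep -E -q '^[[:space:]]*secret[[:space:]]*=[[:space:]]*password[[:space:]]*$'; then
        echo "$f: a manager user still has secret=password"
        rc=1
    fi
    return $rc
}

# Typical call on the real files:
#   audit_asterisk_conf /etc/asterisk/manager.conf
#   audit_asterisk_conf /etc/asterisk/http.conf
```

Run it after every edit of the two files; a clean run prints nothing and exits 0.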

CentOS gateway and dynamic DNS

Filed under: General,Router/PC Config — taing @ 3:27 pm

For the AsteriskNOW box we are using as our main Internet gateway we needed to support automatic updating via dyndns.org. The solution was ddclient, found on SourceForge.

After downloading the tgz file and unpacking it into a temp folder with tar -xzvf ddclient*, the included README file contains good instructions for installing.

You will need to edit the /etc/ddclient/ddclient.conf file. In our case, we configured using:

daemon=300			# check every 300 seconds
syslog=yes			# log update msgs to syslog
mail=root			# mail all msgs to root
mail-failure=root		# mail failed update msgs to root
pid=/var/run/ddclient.pid 	# record PID in file.
ssl=yes 			# use ssl-support. Works with ssl-library
# postscript=script 		# run script after updating. The new IP is added as argument.
#
use=if, if=ppp0
#
login=username 			# default login
password=password 		# default password
#mx=mx.for.your.host 		# default MX
#backupmx=yes|no 		# host is primary MX?
#wildcard=yes|no 		# add wildcard CNAME?
#
server=members.dyndns.org, \
protocol=dyndns2 \
somewhere.mine.nu

AsteriskNOW and mp3 voicemail

Filed under: General,Router/PC Config — taing @ 2:57 pm

AsteriskNOW is very easy to set up for voicemail to email. The problem is that the formats Asterisk likes for voicemail are not an ideal choice for today’s mobile devices. wav49 and gsm are not supported by many of the mobile devices that might receive the email, and wav is uncompressed and therefore huge and unwieldy for email. I found a nearly ideal solution at http://bernaerts.dyndns.org/linux/179-asterisk-voicemail-mp3.

I’ll repeat the core of the article here.

You will need to be sure you have lame and dos2unix installed on your system. For my AsteriskNOW distro dos2unix was already present and a yum install lame solved the rest.

The main script is copied to /usr/sbin/sendmailmp3. Be sure to make the script executable.

You will need to add/modify the mailcmd line in /etc/asterisk/voicemail.conf.

mailcmd=/usr/sbin/sendmailmp3

I found it necessary to also change the format line in /etc/asterisk/voicemail.conf.

format = wav|gsm|wav49

Asterisk will save the voicemail in all three formats, but the first one listed is the format emailed. By putting wav first you send the uncompressed wav file to the new script and make the re-encoding process simpler.

The main script:

#! /bin/sh
# save the current directory
CURDIR=`pwd`

# create a private temporary directory and cd to it
# (mktemp replaces the original's guessable /tmp/mailNN name, which another
# local user could create or symlink ahead of time)
TMPDIR=`mktemp -d /tmp/mail.XXXXXX` || exit 1
cd "$TMPDIR" || exit 1

# dump the stream to a temporary file
cat > stream.org

# get the boundary
BOUNDARY=`grep "boundary=" stream.org | cut -d'"' -f 2`

# cut the file into parts
# stream.part - header before the boundary
# stream.part1 - header after the boundary
# stream.part2 - body of the message
# stream.part3 - attachment in base64 (WAV file)
# stream.part4 - footer of the message
awk '/'"$BOUNDARY"'/{i++}{print > ("stream.part" i)}' stream.org

# cut the attachment into parts
# stream.part3.wav.head - header of attachment
# stream.part3.wav.base64 - wav file of attachment (encoded base64)
sed '7,$d' stream.part3 > stream.part3.wav.head
sed '1,6d' stream.part3 > stream.part3.wav.base64

# convert the base64 file to a wav file
dos2unix -o stream.part3.wav.base64
base64 -di stream.part3.wav.base64 > stream.part3.wav

# convert wav file to mp3 file
# -V 2 is a good compromise between quality and size for voice audio files
lame -V 2 stream.part3.wav stream.part3.mp3

# convert back mp3 to base64 file
base64 stream.part3.mp3 > stream.part3.mp3.base64

# generate the new mp3 attachment header
# change Type: audio/x-wav to Type: audio/mpeg
# change name="msg----.wav" to name="msg----.mp3" (dot escaped so only ".wav" matches)
sed 's/x-wav/mpeg/g' stream.part3.wav.head | sed 's/\.wav/.mp3/g' > stream.part3.mp3.head

# generate first part of mail body, converting it to LF only
mv stream.part stream.new
cat stream.part1 >> stream.new
cat stream.part2 >> stream.new
cat stream.part3.mp3.head >> stream.new
dos2unix -o stream.new

# append base64 mp3 to mail body, keeping CRLF
unix2dos -o stream.part3.mp3.base64
cat stream.part3.mp3.base64 >> stream.new

# append end of mail body, converting it to LF only
echo "" >> stream.tmp
echo "" >> stream.tmp
cat stream.part4 >> stream.tmp
dos2unix -o stream.tmp
cat stream.tmp >> stream.new

# send the mail thru sendmail
sendmail -t < stream.new

# go back to original directory
cd "$CURDIR"

# remove all temporary files and temporary directory
rm -Rf "$TMPDIR"
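The script above trusts the message layout completely: it takes the boundary from the first line anywhere in the stream that contains boundary=, assumes the attachment is always part 3, and assumes its headers are exactly six lines. Any mail that Asterisk formats a little differently (or any message that ends up at the mailcmd with a different shape) will be mangled and still sent. Here is an added example, not from the original post or the linked article, of the same split done with checks: the boundary comes only from the header block, parts are split on exact boundary lines, and the transcode step is only reached if a part really is audio/x-wav. It assumes POSIX sh, awk, sed and GNU base64; the function names are mine.

```shell
#!/bin/sh
# Added example helpers, not part of sendmailmp3 or Asterisk.
# Parts are written as OUTDIR/part0 (message headers), part1.. (each MIME part,
# starting with its boundary line), and a final part after the closing boundary.

# mime_boundary MSGFILE -> boundary parameter taken from the header block only
mime_boundary() {
    awk 'NF == 0 { exit }                      # headers end at the first blank line
         /[Bb]oundary=/ {
             s = $0
             sub(/.*[Bb]oundary=/, "", s)       # keep what follows boundary=
             gsub(/"/, "", s)                   # drop quotes
             sub(/[;[:space:]].*/, "", s)       # drop any trailing parameters
             print s; exit
         }' "$1" | tr -d '\r'
}

# mime_split MSGFILE OUTDIR -> split on exact "--boundary" / "--boundary--" lines
mime_split() {
    b=$(mime_boundary "$1") || return 1
    [ -n "$b" ] || { echo "no multipart boundary in header block" >&2; return 1; }
    awk -v b="$b" -v d="$2" '
        { line = $0; sub(/\r$/, "", line) }
        (line == ("--" b)) || (line == ("--" b "--")) { i++ }
        { print > (d "/part" (i + 0)) }' "$1"
}

# part_content_type PARTFILE -> lowercase media type from that part's headers
part_content_type() {
    awk 'NF == 0 { exit }
         tolower($1) == "content-type:" { t = $2; sub(/;.*/, "", t); print tolower(t); exit }' "$1" \
        | tr -d '\r'
}

# find_wav_part OUTDIR -> path of the first audio/x-wav part, or fail loudly
find_wav_part() {
    for p in "$1"/part[0-9]*; do
        case "$(part_content_type "$p")" in
            audio/x-wav|audio/wav) echo "$p"; return 0 ;;
        esac
    done
    echo "no audio/x-wav part found; refusing to transcode" >&2
    return 1
}

# decode_part PARTFILE OUTFILE -> decode the base64 body that follows the part headers
decode_part() {
    sed '1,/^[[:space:]]*$/d' "$1" | tr -d '\r' | base64 -d > "$2"
}

# Sketch of the full pipeline on a message saved to $msg (lame is not run here):
#   d=$(mktemp -d) && mime_split "$msg" "$d" && wav=$(find_wav_part "$d") \
#     && decode_part "$wav" "$d/in.wav" && lame -V 2 "$d/in.wav" "$d/out.mp3"
```

With find_wav_part failing closed, a message without a wav attachment is left for the caller to pass through untouched rather than being rewritten with an empty attachment.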

sendmail relay via my google account

Filed under: General,Router/PC Config — taing @ 2:41 pm

It was a real PITA to get sendmail to cooperate with sending via a secure SMTP relay. I found instructions on several websites that resulted in a 95% solution.

First you will need to install sendmail-cf. It is a separate package that is required to modify and recompile the sendmail config.

dnl# This is the default sendmail .mc file for Slackware. To generate
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`Linux Home Automation FC6 Gmail')dnl
OSTYPE(`linux')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`access_db', `hash -T /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl
dnl FEATURE(`always_add_domain')dnl
FEATURE(`redirect')dnl
EXPOSED_USER(`root')dnl
FEATURE(`authinfo',`hash /etc/mail/authinfo')dnl
LOCAL_DOMAIN(`yourlocaldomainhere.com')dnl
define(`SMART_HOST',`smtp.gmail.com')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')
define(`ESMTP_MAILER_ARGS', `TCP $h 587')
dnl#
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl#
define(`confCACERT_PATH', `/etc/pki/tls/certs')
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')
define(`confCLIENT_CERT', `/etc/pki/tls/certs/sendmail.pem')
define(`confCLIENT_KEY', `/etc/pki/tls/certs/sendmail.pem')
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
MASQUERADE_AS(`yourdomain.com') dnl
FEATURE(genericstable, `hash -o /etc/mail/genericstable') dnl
dnl GENERICS_DOMAIN_FILE(`/etc/mail/genericsdomain')dnl
dnl #
dnl # Leave these at the end, sendmail prefers these last (for the most part)
dnl #
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

Rebuild sendmail.cf with m4 sendmail.mc > sendmail.cf

You will need to create /etc/mail/authinfo.

AuthInfo:smtp.gmail.com "U:smmsp" "I:username" "P:mysecret" "M:PLAIN"
AuthInfo:smtp.gmail.com:587 "U:smmsp" "I:username" "P:mysecret" "M:PLAIN"

This is built into authinfo.db with makemap hash /etc/mail/authinfo < /etc/mail/authinfo

Be sure to chmod o-rx /etc/mail/authinfo.

You will also want to edit /etc/mail/local-host-names to include your hostname.

At this point you should be able to send mail outside the system using sendmail and the Gmail SMTP servers.
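Both /etc/mail/authinfo (and the authinfo.db built from it) and the ddclient.conf from the dynamic DNS post above hold an account password in clear text, and a plain redirect or editor usually creates such files mode 644. The chmod o-rx step is easy to forget on the .db or on a second box, so here is an added check, not from the post or from sendmail, that refuses to continue while any of those files is readable beyond its owner. It assumes GNU stat (CentOS) and that the daemons reading these files run as root, which is the case for the sendmail MTA and ddclient here; if your MTA runs unprivileged, give the file to that user rather than loosening the mode.

```shell
#!/bin/sh
# Added helper, not part of sendmail or ddclient: permission check for files
# that carry plaintext credentials. Assumes GNU stat.

# secret_file_ok FILE -> 0 if FILE exists and grants nothing to group or others
secret_file_ok() {
    [ -e "$1" ] || { echo "$1: missing" >&2; return 1; }
    mode=$(stat -c %a "$1") || return 1
    # the last two octal digits are the group and other bits; anything but 00 leaks the secret
    case "$mode" in
        *00) return 0 ;;
        *)   echo "$1: mode $mode is readable beyond the owner" >&2; return 1 ;;
    esac
}

# check_secret_files FILE... -> prints how many files failed; returns 0 only if none did
check_secret_files() {
    bad=0
    for f in "$@"; do
        secret_file_ok "$f" || bad=$((bad + 1))
    done
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Typical call on the real files (run as root):
#   check_secret_files /etc/mail/authinfo /etc/mail/authinfo.db /etc/ddclient/ddclient.conf
```

A sensible place for the call is just before makemap in whatever script rebuilds the maps, so a wrong mode stops the build instead of silently shipping.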

iptables and my gateways firewall

Filed under: General,Router/PC Config — taing @ 2:07 pm

Using the AsteriskNOW 1.7 distribution as the starting point for the gateway, we needed to get the right rules into iptables.

# Generated by iptables-save v1.3.5 on Sun Aug 7 00:35:02 2011
*mangle
:PREROUTING ACCEPT [527652:250920735]
:INPUT ACCEPT [83766:27202814]
:FORWARD ACCEPT [443523:223508833]
:OUTPUT ACCEPT [81940:39515916]
:POSTROUTING ACCEPT [525477:263026885]
COMMIT
# Completed on Sun Aug 7 00:35:02 2011
# Generated by iptables-save v1.3.5 on Sun Aug 7 00:35:02 2011
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -i ppp1 -j ACCEPT
-A INPUT -p tcp -m tcp -i ppp+ --dport 0:1023 -j DROP
-A INPUT -p udp -m udp -i ppp+ --dport 0:1023 -j DROP
-A INPUT -p tcp -m tcp -i ppp+ --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p icmp -m icmp -i ppp+ --icmp-type 8 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i ppp1 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.5.0/255.255.255.0 -i ppp0 --dport 1723 -j ACCEPT
-A FORWARD -p gre -s 192.168.5.0/255.255.255.0 -i ppp0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Sun Aug 7 00:35:02 2011
# Generated by iptables-save v1.3.5 on Sun Aug 7 00:35:02 2011
*nat
:PREROUTING ACCEPT [14513:1101990]
:POSTROUTING ACCEPT [18:2069]
:OUTPUT ACCEPT [2186:142852]
-A POSTROUTING -o ppp+ -j MASQUERADE
COMMIT
# Completed on Sun Aug 7 00:35:02 2011

Most of the actual creation was done via the webmin interface. The basics are:

  1. For FORWARD we DENY by default and only allow specific traffic.
  2. For INPUT we DENY by default and only allow certain traffic.
  3. For OUTPUT we ACCEPT by default and do nothing to change that.
  4. For the nat table we MASQUERADE ppp0.
  5. miniupnpd will be used.
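Points 1 and 2 above are the rules that matter most on a box that is also the Internet gateway, and both are easy to lose when the ruleset is regenerated through webmin. This added example (mine, not from the post or from iptables) lints an iptables-save dump: it reports an INPUT or FORWARD policy that is not DROP and any INPUT ACCEPT rule that is restricted neither by interface (-i) nor by connection state, since such a rule also applies to ppp0. Run against the dump above it flags exactly the two PPTP rules (tcp/1723 and gre), which is the intended exposure here but worth seeing listed. It assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added lint helper, not part of iptables. Reads an iptables-save dump on stdin and
# prints one finding per line; prints nothing when the filter table looks as intended.

ipt_lint() {
    awk '
        /^\*/             { table = substr($0, 2); next }   # *filter, *nat, *mangle
        /^COMMIT/         { table = ""; next }
        table != "filter" { next }                          # only the filter table matters here
        /^:(INPUT|FORWARD) / && $2 != "DROP" {
            print "POLICY " substr($1, 2) " is " $2 " (expected DROP)"; next
        }
        # an INPUT rule that accepts without -i and without --state is reachable from ppp0
        /^-A INPUT / && / -j ACCEPT/ && !/ -i / && !/--state/ {
            print "OPEN-INPUT " $0
        }'
}

# Typical call on the live ruleset:
#   iptables-save | ipt_lint
```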

miniupnpd and Centos

Filed under: General,Router/PC Config — taing @ 1:58 pm

Starting from the AsteriskNow 1.7 CD image we built a router/gateway. One of the more complicated parts was the install of miniupnpd to handle UPnP and NAT-PMP. The project homepage is miniupnp.free.fr. As of this writing the current stable version is 1.6.

The INSTALL instruction file included in the tgz distribution is a very good start. You will need to install iptables-devel. According to the miniupnp.tuxfamily.org forums you may need to do the following:

What you need to do is determine the exact version of iptables you have installed:

rpm -q iptables
rpm -q iptables-devel

Then download the source from netfilter.org, and copy the include/libiptc directory to your /usr/include/libiptc directory (create it if it’s not there).

The INSTALL notes will guide you through the little bit that needs to be configured for interfaces and ports.

The forum discussion mentioned above also includes a replacement /etc/init.d/miniupnpd script for Red Hat/CentOS. This allows for start, stop and status in the same manner as other services. You may need to copy the netfilter/iptables_display.sh script to the /etc/miniupnpd folder.

Use chkconfig --add miniupnpd to add it to startup.

#!/bin/sh
#
# "$Id: miniupnpd.init.d.rhel,v 1.00 2008/10/25 03:16:12 pmcgee Exp $"
#
#   Startup/Shutdown/Restart script for miniupnpd daemon (init.d)
#   on Red Hat Enterprise Linux
#
#   Linux chkconfig stuff:
#
#   chkconfig: 2345 90 30
#   description: startup/shutdown/reset script for miniupnpd \
#                on Red Hat Enterprise Linux
#
#   processname: miniupnpd
#   pidfile:  /var/run/miniupnpd.pid
#   configpath: /etc/miniupnpd/
#   configfile: miniupnpd.conf

# Source function library.
. /etc/init.d/functions

# Include user config file if available
if [ -f /etc/sysconfig/miniupnpd ]; then
        . /etc/sysconfig/miniupnpd
fi

# assign default values if nothing specific in /etc/sysconfig/miniupnpd
prog=${BINARY-"miniupnpd"}
binpath=${BINPATH-"/usr/sbin/"}
pidfile=$"${PIDPATH-"/var/run/"}$prog.pid"
configpath=${CONFIGPATH-"/etc/miniupnpd/"}
configfile=${CONFIGFILE-"miniupnpd.conf"}
iptinit=${IPTABLES_INIT-"iptables_init.sh"}
iptrm=${IPTABLES_REMOVE-"iptables_removeall.sh"}
iptshow=${IPTABLES_SHOW-"iptables_display.sh"}

ARGS=$"-f $configpath$configfile"
PROG=$"$binpath$prog"
IPT_INIT=$"$configpath$iptinit"
IPT_DELE=$"$configpath$iptrm"
IPT_SHOW=$"$configpath$iptshow"
RETVAL=0

start() {
        echo -n $"Starting miniupnpd ($PROG): "
        $IPT_INIT > /dev/null 2>&1
        $PROG $ARGS && success || failure
        RETVAL=$?
        echo
}

stop() {
        echo -n $"Stopping miniupnpd ($PROG): "
        if [ -n "`pidfileofproc $PROG`" ] ; then
                killproc $PROG
        else
                failure $"Stopping miniupnpd ($PROG)"
        fi
        RETVAL=$?
        $IPT_DELE > /dev/null 2>&1
        echo
}

mystatus() {
        status $PROG
        RETVAL=$?
        echo
        echo -n "Dumping IPTABLES Information: "
        if [ -f $IPT_SHOW ]; then
                echo
                $IPT_SHOW
        else
                failure $"IP Tables display script not found"
        fi
        echo
}

# Parse CLI arguments
case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        restart|reload|force-reload)
                stop
                sleep 2
                start
                ;;
        status)
                mystatus
                ;;
        *)
                echo $"Usage: $0 {start|stop|restart|status}"
                RETVAL=1
esac

exit $RETVAL

After install we tested using Transmission as the client. We also tested the resulting firewall against several online scanners with good results.
