System Administration

System Administration information

How to prevent emails from Noodle from being marked as spam.

If you are hosted by Vialect and are using mail.vialect.net in the SMTP settings, half of it is already taken care of:

  • If using SPF, add our mail server, then verify with:
    • Linux
      dig sub.domain.tld TXT +short | grep spf
    • Windows
      nslookup -type=TXT sub.domain.tld | findstr spf
  • If using the Google mail client, add a filter (to add a tag) for anything with your Noodle domain name in it.
  • If you are using an SPF record, please add include:mail.vialect.net
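
The grep above only shows that some SPF text exists. The following added example (not part of the Noodle documentation) checks that the record actually evaluates include:mail.vialect.net; the function name check_spf and the sample record are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `dig +short TXT` output for the SPF include this page
# asks for. The sample record at the bottom is constructed.
REQUIRED_INCLUDE="include:mail.vialect.net"

# check_spf: TXT answers on stdin, one per line.
# Returns 0 = ok, 1 = no SPF record, 2 = several SPF records,
#         3 = include missing or placed after the "all" mechanism.
check_spf() {
    # Join split TXT strings ("a" "b" -> ab), drop quotes, lowercase,
    # and keep only records that really start with the SPF version tag.
    records=$(sed -e 's/" "//g' -e 's/"//g' | tr 'A-Z' 'a-z' |
              grep -E '^v=spf1( |$)' || true)
    [ -n "$records" ] || { echo "no SPF record published"; return 1; }

    # More than one v=spf1 record is a permanent error for receivers.
    count=$(printf '%s\n' "$records" | grep -c .)
    [ "$count" -eq 1 ] || { echo "$count SPF records, must be exactly 1"; return 2; }

    # Walk the terms left to right: receivers stop evaluating at "all",
    # so an include listed after it never takes effect.
    while read -r term; do
        case "$term" in
            "$REQUIRED_INCLUDE"|"+$REQUIRED_INCLUDE")
                echo "ok: $REQUIRED_INCLUDE is evaluated"; return 0 ;;
            all|[+?~-]all)
                echo "$REQUIRED_INCLUDE missing before '$term'"; return 3 ;;
        esac
    done <<EOF
$(printf '%s\n' "$records" | tr -s ' ' '\n')
EOF
    echo "$REQUIRED_INCLUDE missing"; return 3
}

# Constructed sample; live use: dig sub.domain.tld TXT +short | check_spf
printf '%s\n' '"v=spf1 mx include:mail.vialect.net ~all"' | check_spf
```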

If hosting Noodle on your own server or using your own SMTP server, additionally:

  • Whitelist the Noodle server (Postfix, SpamAssassin, Exchange)
  • Use authentication in the Noodle setting
    • [user:pass@]domain.tld[:port][,protocol]

Another option is to use something like noreply@vialect.com in the "Send system emails from" system setting.

Restarting Noodle service

  • Microsoft
    • sc stop noodle
    • sc start noodle
  • Linux-like systems using sysvinit/Upstart
    • service noodle restart
  • Linux-like systems using systemd
    • systemctl restart noodle
  • Linux-like systems using launchd
    • launchctl unload /System/Library/LaunchDaemons/noodle.plist
    • launchctl load /System/Library/LaunchDaemons/noodle.plist
  • Linux-like systems using SMF
    • svcadm restart noodle

  1. Make sure the port you want to use is not already in use:
    • Linux-like systems
      • netstat -ln | grep ":80 "
    • Microsoft
      • netstat -na | findstr ":80"
  2. Edit the text file cfg/multiserver.conf in the Noodle Home directory changing the line "Connection.CM_0.Port = 80" to an available port.
  3. Remember to update the OS and network firewalls.
  4. Restart the Noodle service.
  5. Update the Noodle setting “System Tools > Settings > URL for Noodle”
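
Steps 1 and 2 can be combined so the config is only edited when the new port is free. This is an added example, not part of the Noodle documentation; the function names and the sample netstat listing are constructed, and the config key is the one quoted in step 2.

```shell
#!/bin/sh
# Added example: steps 1 and 2 of the port change as one guarded edit.
# Function names and the sample listing are constructed for illustration.

# port_is_listening PORT: reads `netstat -ln` output on stdin and succeeds
# only on an exact local-port match (80 does not match 8080 or 808).
port_is_listening() {
    awk -v p="$1" '$1 ~ /^tcp/ { n = split($4, a, ":")
                                 if (a[n] == p) found = 1 }
                   END { exit !found }'
}

# set_noodle_port CONF PORT: `netstat -ln` output on stdin.
# Returns 0 = updated, 1 = port busy, 2 = bad port, 3 = setting not found.
set_noodle_port() {
    conf=$1 port=$2
    # Digits only, so the value is safe to place in the sed expression.
    case "$port" in ''|*[!0-9]*) echo "invalid port" >&2; return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "invalid port" >&2; return 2; }
    if port_is_listening "$port"; then
        echo "port $port is already in use" >&2; return 1
    fi
    grep -q '^Connection\.CM_0\.Port *= *[0-9]' "$conf" ||
        { echo "Connection.CM_0.Port not found in $conf" >&2; return 3; }
    cp -p "$conf" "$conf.bak"    # keep the previous file for rollback
    sed "s/^\(Connection\.CM_0\.Port *= *\)[0-9][0-9]*/\1$port/" \
        "$conf.bak" > "$conf"
}

# Constructed listing in Linux `netstat -ln` format.
SAMPLE_NETSTAT='tcp   0  0 0.0.0.0:80    0.0.0.0:*  LISTEN
tcp6  0  0 :::8080       :::*       LISTEN'

# Demo on a throwaway copy; live use:
#   netstat -ln | set_noodle_port cfg/multiserver.conf 8081
demo_dir=$(mktemp -d)
printf 'Connection.CM_0.Port = 80\n' > "$demo_dir/multiserver.conf"
printf '%s\n' "$SAMPLE_NETSTAT" |
    set_noodle_port "$demo_dir/multiserver.conf" 8081
cat "$demo_dir/multiserver.conf"
rm -rf "$demo_dir"
```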

Microsoft Windows runs http.sys on port 80 by default. Disable http.sys by running these 2 commands:

  1. sc config http start= disabled
  2. net stop http /y

Or, if you want to use both, you can bind them to different IPs:

  1. http.sys IP (netsh http add iplisten ipaddress=192.168.0.101)
  2. Noodle IP (Connection.CM_0.BindAddress = 192.168.0.100)

LAN security options for the server:

  • Whole disk encryption (prevents bypassing security by reading the disk with another computer).
  • Dedicated server (reduces exploitable surface area).
  • Automated Linux updates
  • Firewall blocking all but ssh and the Noodle http[s] ports (reduces exploitable surface area).
  • ssh keys (prevents password guessing on ssh).

LAN security options on a network, listed from most to least secure:

  1. Network not (even indirectly) connected to the internet.
  2. Network of only auto-upgraded devices that is only indirectly connected to the internet:
    • Encrypted VPN or, better yet, an ssh tunnel (using it with keys will prevent MITM attacks from a spoofed wifi or an untrusted ISP or government).
    • Anonymity networks like Tor can be used, optionally with SSL or ssh (in practice this will prevent anyone, including governments, from knowing what server a user is talking to).
  3. Network only indirectly connected to the internet.
  4. Public network with a firewall or NAT port forwarding blocking all but one port.
  5. Public network.

List of most to least secure ways of connecting to the Noodle service:

  1. On a network not (even indirectly) connected to the internet.
  2. On a network only indirectly connected to the internet.
  3. On a public network with a firewall or NAT port forwarding blocking all but one port.
  4. On a public network.

Public network security options:

  • SSL (prevents password collection from public wifi).
  • Whitelist (prevents password guessing from known hostile networks).
  • "Session Security Level" to 4 (prevents session hijacking).
  • "Minimum password length" to 8 (makes password guessing harder).
  • Encrypted VPN or, better yet, an ssh tunnel (using it with keys will prevent MITM attacks from a spoofed wifi or an untrusted ISP or government).
  • Anonymity networks like Tor can be used, optionally with SSL or ssh (in practice this will prevent anyone, including governments, from knowing what server a user is talking to).

    • Instead of downgrading we encourage you to report issues and then upgrade to a fixed version.
    • A new unwanted feature can often be made optional by adding a setting to disable it.
    • To test customizations against a new version we recommend cloning the VM or DB to a test instance to try the upgrade out before applying it to the production version.
    • If only the last number of the version has changed, downgrade by replacing its lib directory with the old version.
    • If the second number in the version changes, reverting the database structure will require a custom jar.

Windows example of converting a Tomcat SSL certificate to Apache:

keytool -storepass 123456 -keystore noodle.jks -export -alias domain.tld -rfc -file server.crt
keytool -storepass 123456 -keystore noodle.jks -export -alias root -rfc -file server-ca.crt
keytool -importkeystore -srckeystore noodle.jks -srcalias domain.tld -srcstorepass 123456 -deststorepass 123456 -destkeystore apache.p12 -deststoretype PKCS12
openssl pkcs12 -in apache.p12 -nocerts -nodes > server.key
del apache.p12

The -nodes option writes server.key without a passphrase, so restrict read access to that file to the account that runs Apache.

Official keytool manual

Official openssl manual

Noodle SSO can be set up with IWA directly, or via SAML.

For non-managed users there is also an option to store the password in the web browser:

  1. Add a web shortcut to the user's startup
  2. Options:
    • Enable the "Noodle > System Tools > Settings > User Settings > Remember my login information" feature
      • http[s]://YOUR.DOMAIN.TLD[:PORT]/[IntraNet.po|Noodle.po]
      • This option will ask for a password if the user ever clicks logout.
      • A link can be downloaded from the profile page.

This page is for those who host on their own Windows server and are trying to diagnose the cause of a 404.

  1. If your browser on the server is displaying the page (http://127.0.0.1) properly, it's a networking problem:
    • check port forwarding, routing, firewalls, and DNS on the server, client, and every device in between.
  2. If your browser on the server is displaying the wrong page or anything other than a timeout, it's a service conflict (multiserver.log contains "Address already in use"):
    • Use a different port or stop and disable other services using port 80.
      • Windows - built in:
        • sc config http start= disabled
        • net stop http /y
      • Linux - list what is using the port:
        • netstat -lnp | grep ":80"
  3. If /logs/err.log says it can't find a class:
    • use 7z to check no jar files are corrupted.
  4. If there is no multiserver.log it's a .bat or Java problem:
    • run the intranet.bat one line at a time to isolate the problem.
    • reinstall Java and update intranet.bat to the new java.exe.
  5. If there is no java.exe in the task manager it's a config problem:
    • look in the log file for errors.
    • run a copy of intranet.bat without the loop or exit to find errors not in the log.