HOWTO – Setup ESVA 2.0

Andrew MacLachlan

This guide will help you to setup ESVA 2.0 to process and forward mail for your domains.

1. Introduction

1.1 Copyright

This document is © 2007 by Andrew MacLachlan. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license can be found in Appendix A.

1.2 Disclaimer

Use the information in this document at your own risk. I disavow any potential liability for the contents of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk.
All copyrights are owned by their owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.
Naming of particular products or brands should not be seen as endorsements.
You are strongly recommended to take a backup of your system before major installation and backups at regular intervals.

1.3 Credits

A big thank you to all the clever people that have contributed to the success of ESVA over the last 14 months since v 1.7 was released. As is the nature of online forums the population tends to be transient, however that doesn’t mean that the quality of advice, fixes and general discussion has suffered.
Because of the sheer amount of useful suggestions that have made their way into this release I can’t thank everyone personally, however special thanks has to go to the guys who made it all possible with the excellent software upon which ESVA is based on:
Julian Field – MailScanner
Steve Freegard – MailWatch for MailScanner
Also a mention to everyone on the MailScanner and Mailwatch mailing lists.
From the ESVA community I’d like to thank everyone, but special thanks to Dave Waldron who was instrumental in getting the momentum going again for the 2.0 release.
Any comments or suggestions should be posted to the official ESVA forum at: http://www.global-domination.org/forum/

2. Prerequisites

• VMware Server 1.0.2 (for Windows or Linux) or ESX v3.x or Citrix XenServer v5.0 or later.
• Minimum 12GB free disk space (40 GB for the XenServer version)
• Minimum 512 MB unreserved memory
• A basic grasp of VMware principles and terminology
• Internet DNS mx records configured for your domain(s) pointing toward ESVA (or the public interface of your firewall, with appropriate port forwarding configured)

3. Default Usernames and Passwords

 
 
Important: All passwords should be changed from the defaults before ESVA is exposed to untrusted networks (e.g. Internet)

4. Setup

4.1 VMware host Setup

Once you have downloaded, unzipped and registered ESVA with your VMware software, you should configure ESVA to start automatically at host start-up and to shut down gracefully at system shut down.

In VMware Server 1.x (For Windows) you will find these options by navigating through VM > Settings, then choosing the options tab.

Select Startup/Shutdown and configure the options as displayed below.
Once this is configured, click OK and power ESVA on.

4.2 Initial set-up

• Login as root
• Type esva-configure to enter the quick setup program and answer the questions. For clarification of
what some of the questions mean, and sample answers, please see the table below.

Prompt Description
Keyboard (GUI) The correct keyboard layout for your location
Timezone (menu) The correct Timezone for your location
Host set to UTC time? Is the VMware host set to use UTC time?
IP Address The IP Address you want your ESVA to use
Netmask The netmask in dotted format – e.g 255.255.255.0
Gateway Default gateway
Hostname The name of your ESVA – use a fully qualified name. e.g. mailgw.
yourdomain.com. This should be the same as the Internet DNS A
record.
Organisation Name A short name without spaces. E.g. your-domain
Organisation Long Name A longer name. Spaces are OK. E.g. Your Domain PLC
Organisation Mailserver The mailserver that ESVA forwards scanned (clean) mail to. This can be
either a name or an IP address.
Email address for system
messages
ESVA sends regular messages to keep you informed of any problems
and log summaries etc. This should be a real monitored mailbox.
Watermark Secret A random string of alpha-numeric characters. This should be consistent
across all ESVAs in your enterprise.
Maximum number of MailScanner
child processes
The default of 2 should be kept unless you have a very busy system
(more than 2000 messages/hour). Increasing this beyond 3 will require
additional memory to be assigned to your ESVA:
5 children: 600MB, 1 processor core
6-10 children: 1024MB memory, 2 processor cores.
What is your two-letter IANA
country code?
The two letter code assigned to your country. The full list can be found at
http://www.iana.org/domains/root/db/#
Regular user account A username that can login to ESVA remotely via SSH session. Defaults to
the username portion of the email address supplied for system messages.
Regular user password The password for the regular user account.
Root password Your new root password. Avoid using the @ symbol in the password as
webmin doesn’t like it.
Country Name The same IANA country code used earlier
State or province Your state or province name
Locality Name Your town or city
Organization Name Your organisation’s name
Organization Unit A dot (period) is usually appropriate here
Common Name The fully qualified name of your ESVA – as entered earlier
Email Address The same email address entered earlier for system messages to be sent
to.
After the last question is answered the changes are committed and your ESVA will reboot. As soon as the Virtual
Machine has rebooted it is ready to start processing mail.
If you make a mistake during the setup process, press ctrl-c to exit the setup program. You can then restart the
program.
Unlike previous versions of ESVA, esva-configure can be run many times without issue.
5.3 MailWatch set-up
Point your browser at http://the-ip-address-or-name-you-configured-esva-to-use
5.3.1 Securing the admin account
Sign in using username admin and the default password (listed in section 3)
Click on Tools/Links, then User Management
Edit the admin user
Change the password for admin, and for extra safety change the username as well.
Click update when done. You will need to login with the new details.
5.3.2 Creating Domain Administrator accounts
Domain Administrator accounts can manage the messages for a given email domain (e.g.
global-domination.org). This means that the Domain Administrator can create new user
accounts for that domain as well as manage spam, white/black lists and create reports for
all users in the domain.
Login to MailWatch as the admin account secured in section 5.3.1.
Click on Tools/Links, then User Management and finally click on New User.
Complete the form, supplying real names and email addresses (This is where MailWatch
decides which domain the user will be administrator of). Make sure that Domain
Administrator is the User Type.
Click on the Create button when the fields have been filled in correctly.
5.3.3 Creating User Accounts
User accounts have the ability to manage only their own spam, whitelists and blacklists.
Login to MailWatch as the admin account secured in section 5.3.1 or as the appropriate
Domain Administrator account created in 5.5.2.
Click on Tools/Links, then User Management and finally click on New User.
Complete the form, supplying real names and email addresses (This is how MailWatch
decides which messages belong to a particular user). Make sure that User is the User
Type.
Click on the Create button when the fields have been filled in correctly.
5.3.4 Whitelisting and Blacklisting within MailWatch
There are many types of circumstances where you would need to use Whitelisting and Blacklisting.
It is important to understand the precedence of how these are processed: If a message matches both the whitelist
and blacklist, the whitelist wins and the message will be delivered. Additionally, the options you see on the Lists
screen will vary depending on the type of logged-in user (User, Domain Admin, or System Admin)
To modify your whitelists and blacklists, use the “Lists” text link in the upper left portion of the MailWatch interface.
It’s best to illustrate how this works by examples.
Example 1: Always accept mail from bob@example.co.uk illustrated at various user privilege levels.
Notice that the To: fields are grey-ed out. This is the case if you are logged in as a normal user.
If you were logged in as a Domain Administrator, it would appear like so:
In this case, the Domain Administrator may choose to always whitelist bob@example.co.uk to everyone in his
domain by adding this to the whitelist.
Finally, you can whitelist bob@example.co.uk system-wide. Note that in many cases you wouldn’t see this, but
understanding that the use of the word “default” as the To: field allows this type of system-wide rule.
Example 2: Always reject mail from spammy@badhost.net, illustrated at various user privilege levels.
User view: Note again that the To: field cannot be modified by individual users. Mail from this address will be
blocked, but only blocked when sending to this user.
This is the same view, but a Domain Administrator can block mail from this user across the entire domain.
Similar to Example 1, this might not be of much actual use in practice, but the system will blocking an email
address systemwide by putting in a blacklist entry at the System Administrator user level.
Understanding MailWatch Lists when used with Filters.
Filters in MailWatch allow a MailWatch user to have access in MailWatch to mail messages that might be to an
additional alias which he controls. For example, user joe@company.com has an alias of info@company.com.
MailWatch needs to know this so that Joe can actually manipulate (release from quarantine) mail that was sent to
the info@ address. In MailWatch, the System Administrator can set up a “filter” for joe@company.com allowing
him to also see info@company.com.
It is important to understand that MailWatch, in the current version, does not automatically apply whitelist and
blacklist rules against addresses that you specify via a filter.
For example, joe@company.com has filter info@company.com. Joe’s business advertising advisor at
advert@example.co.uk. Because of the nature of what they’re sending back and forth, they decide it’s best to
whitelist each other to avoid false positives. So Joe@company.com has a whitelist entry of
advert@example.co.uk. However, a message was sent to info@company.com, and was subsequently caught as
spam because the joe@company.com whitelist did not apply. This is a known issue and there are some hacks in
the forums to work around this issue.
5.3.5 Greylist options
When you click on the Greylist menu, a sub-menu opens below the main menu bar:
A brief explanation of the terminology is included in the main screen (above).
All details displayed in the following lists can be sorted by clicking on the relevant column heading.
5.3.5.1 Greylisted
This screen lists all addresses that are awaiting verification. If an address isn’t validated within 24hours it will be
automatically removed from this list. It is worthwhile keeping an eye on this list to capture any addresses or
domains that are valid, yet don’t resend (this is common with website forum notifications – notably the VMware
VMTN forums). Addresses in this list can be manually whitelisted or deleted by clicking on the appropriate link.
It is possible to delete all entries before a specific time via the form at the bottom of the page.
5.3.5.2 AWL Addresses
Once an address has been validated, it is automatically whitelisted and appears in this list. Addresses in this list
can be deleted by clicking on the delete link to the right of each address.
At the bottom of the screen, there is a form to manually add individual addresses to the AWL. For the fields, follow
the example below. The Source field is for the source IP address in either class c notation (first 3 octets -
xxx.xxx.xxx – this will allow messages to be sent from any host within that class c address range) or class d
notation (full IP address – xxx.xxx.xxx.xxx)
You will probably notice that some of the automatically whitelisted addresses are class c and some are class d –
this is determined by SQLgrey and is a sign of how much it trusts an address – A class d is less trusted, and
probably comes from dynamic address space or doesn’t have a matching reverse lookup.
Please note that any spam that survives greylisting will be added to the AWL. In the screenshot below the bottom
address was a spam which was detected by and dealt with by MailScanner. If successful spam comes from a
particular host or domain regularly, consider adding them to the Grey Domains or Grey Addresses lists to force a
retry on every message sent, doubling the effort required for them to send to your domains.
5.3.5.3 AWL Domains
Once a domain has sent messages from multiple source addresses to multiple destination addresses, it will be
automatically whitelisted (and will appear in this list) – all senders from that domain will be trusted to send to all
recipients, as long as the source remains the same (class c or d).
As for the AWL Addresses list, any domain can be deleted manually and entries can be manually added as long
as you have the correct source address and class.
5.3.5.4 White Domains
The domain that is referred to here is the domain in the FQDN determined by reverse lookup, not the senders
domain name. For example, company yyy sends all their mail through their ISPs (zzz) smarthost. The mail from
address will be yyy.com, but the reverse lookup on the mail server sending the message is zzz.com.
If you decide to trust all hosts that resolve to zzz.com hostnames, you can manually add zzz.com to the white
domain list.
Of course any domain can be deleted as well.
5.3.5.5 White Addresses
This is similar to the White Domains list, however is for specific servers rather than entire domains.
5.3.5.6 Grey Domains
If you get a lot of spam from a particular domain or subdomain, you can force all hosts on that domain to be
permanently greylisted, meaning they won’t be automatically whitelisted.
5.3.5.7 Grey Addresses
The same as for Grey Domains, but for individual hosts.
6. Migration
Depending on how large your quarantine is, you might need to follow the procedure to extend your /var filesystem
documented at http://www.global-domination.org/pdf/howto-esva-bigquarantine.pdf first. If you followed that
procedure for the 1.x ESVA you will also need to extend your new 2.0 ESVA by following the same procedure if
you are using VMware Server 1.x. If you are using VMware Server 2.x, you can follow the procedure at
http://www.global-domination.org/forum/viewtopic.php?t=1041. If you are using ESX server, you can use
vmkfstools to extend the virtual disks then follow the procedure above.
Important
Before you start, backup your ESVAs by shutting them down and tarring or zipping them up (Don’t use a snapshot
if you need to extend the disk). This will be your rollback if it all goes wrong!
Please read this procedure in full before proceeding with any of the steps!
This procedure requires use of the command line interface.
All databases on the destination server will be over-written by the imported databases.
From ESVA 1.6
On the source ESVA (1.6)
Don’t use this procedure if you are migrating from version 1.7 or 2.0
1. Log in using an SSH client (putty or similar) as root
2. Enter the following commands:
service MailScanner stop
cd /var/spool/MailScanner
mkdir /var/tmp/export
tar –cvzf /var/tmp/export/quarantine.tgz ./quarantine/
cd /var/tmp/export
sa-learn -–backup>bayes.txt
mysqldump mailscanner>mailscanner.sql
cd /var/tmp
tar –cvzf export.tgz ./export/
3. Using WinSCP or similar, copy export.tgz to your desktop or somewhere else temporarily.
4. Shutdown the source ESVA (1.6)
On the destination ESVA (2.0)
1. Power on your configured ESVA 2.0
2. Log in using an SSH client (putty or similar) as the username created during the setup process, then
switch to the root account (type su -l and enter the root password when prompted)
3. Run the following command:
esva-import-1
4. Using WinSCP or similar, copy export.tgz to /var/tmp
5. Run the following command (this might take a long time, and will overwrite all the information already in
the mailwatch database on your new ESVA…):
esva-import-2
6. Your ESVA should now have all the MailScanner database information and quarantined messages from
your old ESVA, as well as your old Bayes database migrated to the mySQL database used in ESVA 2.0
7. You should now log out of the puTTY and WinSCP clients.
From ESVA 1.7 or 2.0
On the source ESVA
Run the following commands as root:
service MailScanner stop
cd /var/spool/MailScanner
mkdir /var/tmp/export
tar cvzf /var/tmp/export/quarantine.tgz ./quarantine/
cd /var/tmp/export
mysqldump mailscanner>mailscanner.sql
mysqldump FuzzyOcr>FuzzyOcr.sql
mysqldump sa_bayes>sa_bayes.sql
mysqldump sqlgrey>sqlgrey.sql
cd /var/tmp
tar cvzf export.tgz ./export/
Use winscp to copy /var/tmp/export.tgz off the source ESVA
Shut the source ESVA down
On the destination ESVA
Run the following commands as root:
esva-import-1
Copy export.tgz to /var/tmp/ on the destination ESVA and run the following commands:
cd /var/tmp
tar -xvzf export.tgz
rm -f export.tgz
cd export
mysql mailscanner<mailscanner.sql
mysql FuzzyOcr<FuzzyOcr.sql
mysql sa_bayes<sa_bayes.sql
mysql sqlgrey<sqlgrey.sql
cd /var/spool/MailScanner
tar -xvzf /var/tmp/export/quarantine.tgz
sed -i 's/#PermitRootLogin/PermitRootLogin/g' /etc/ssh/sshd_config
service sshd restart
service MailScanner start
8. Firewall Settings
• Regular tcp SMTP port (25) (bi-directional)
• Razor2 (tcp ports 2703 and 7 outbound)
• Pyzor (udp port 24441 outbound)
• DCC (udp port 6277 outbound)
• DNS (port 53 outbound)
• HTTP (TCP port 80 bi-directional)
• HTTPS (TCP port 443 inbound)
• Optionally, SSH (TCP port 22 Inbound)
If you are using an enterprise class firewall such as Cisco PIX or Checkpoint, you might find the following link
useful:
DCC: http://www.rhyolite.com/anti-spam/dcc/firewall.html
Appendix A - GNU Free Documentation License
GNU Free Documentation License
Version 1.2, November 2002
Copyright (C) 2000,2001,2002 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
0. PREAMBLE
The purpose of this License is to make a manual, textbook, or other
functional and useful document "free" in the sense of freedom: to
assure everyone the effective freedom to copy and redistribute it,
with or without modifying it, either commercially or noncommercially.
Secondarily, this License preserves for the author and publisher a way
to get credit for their work, while not being considered responsible
for modifications made by others.
This License is a kind of "copyleft", which means that derivative
works of the document must themselves be free in the same sense. It
complements the GNU General Public License, which is a copyleft
license designed for free software.
We have designed this License in order to use it for manuals for free
software, because free software needs free documentation: a free
program should come with manuals providing the same freedoms that the
software does. But this License is not limited to software manuals;
it can be used for any textual work, regardless of subject matter or
whether it is published as a printed book. We recommend this License
principally for works whose purpose is instruction or reference.
1. APPLICABILITY AND DEFINITIONS
This License applies to any manual or other work, in any medium, that
contains a notice placed by the copyright holder saying it can be
distributed under the terms of this License. Such a notice grants a
world-wide, royalty-free license, unlimited in duration, to use that
work under the conditions stated herein. The "Document", below,
refers to any such manual or work. Any member of the public is a
licensee, and is addressed as "you". You accept the license if you
copy, modify or distribute the work in a way requiring permission
under copyright law.
A "Modified Version" of the Document means any work containing the
Document or a portion of it, either copied verbatim, or with
modifications and/or translated into another language.
A "Secondary Section" is a named appendix or a front-matter section of
the Document that deals exclusively with the relationship of the
publishers or authors of the Document to the Document's overall subject
(or to related matters) and contains nothing that could fall directly
within that overall subject. (Thus, if the Document is in part a
textbook of mathematics, a Secondary Section may not explain any
mathematics.) The relationship could be a matter of historical
connection with the subject or with related matters, or of legal,
commercial, philosophical, ethical or political position regarding
them.
The "Invariant Sections" are certain Secondary Sections whose titles
are designated, as being those of Invariant Sections, in the notice
that says that the Document is released under this License. If a
section does not fit the above definition of Secondary then it is not
allowed to be designated as Invariant. The Document may contain zero
Invariant Sections. If the Document does not identify any Invariant
Sections then there are none.
The "Cover Texts" are certain short passages of text that are listed,
as Front-Cover Texts or Back-Cover Texts, in the notice that says that
the Document is released under this License. A Front-Cover Text may
be at most 5 words, and a Back-Cover Text may be at most 25 words.
A "Transparent" copy of the Document means a machine-readable copy,
represented in a format whose specification is available to the
general public, that is suitable for revising the document
straightforwardly with generic text editors or (for images composed of
pixels) generic paint programs or (for drawings) some widely available
drawing editor, and that is suitable for input to text formatters or
for automatic translation to a variety of formats suitable for input
to text formatters. A copy made in an otherwise Transparent file
format whose markup, or absence of markup, has been arranged to thwart
or discourage subsequent modification by readers is not Transparent.
An image format is not Transparent if used for any substantial amount
of text. A copy that is not "Transparent" is called "Opaque".
Examples of suitable formats for Transparent copies include plain
ASCII without markup, Texinfo input format, LaTeX input format, SGML
or XML using a publicly available DTD, and standard-conforming simple
HTML, PostScript or PDF designed for human modification. Examples of
transparent image formats include PNG, XCF and JPG. Opaque formats
include proprietary formats that can be read and edited only by
proprietary word processors, SGML or XML for which the DTD and/or
processing tools are not generally available, and the
machine-generated HTML, PostScript or PDF produced by some word
processors for output purposes only.
The "Title Page" means, for a printed book, the title page itself,
plus such following pages as are needed to hold, legibly, the material
this License requires to appear in the title page. For works in
formats which do not have any title page as such, "Title Page" means
the text near the most prominent appearance of the work's title,
preceding the beginning of the body of the text.
A section "Entitled XYZ" means a named subunit of the Document whose
title either is precisely XYZ or contains XYZ in parentheses following
text that translates XYZ in another language. (Here XYZ stands for a
specific section name mentioned below, such as "Acknowledgements",
"Dedications", "Endorsements", or "History".) To "Preserve the Title"
of such a section when you modify the Document means that it remains a
section "Entitled XYZ" according to this definition.
The Document may include Warranty Disclaimers next to the notice which
states that this License applies to the Document. These Warranty
Disclaimers are considered to be included by reference in this
License, but only as regards disclaiming warranties: any other
implication that these Warranty Disclaimers may have is void and has
no effect on the meaning of this License.
2. VERBATIM COPYING
You may copy and distribute the Document in any medium, either
commercially or noncommercially, provided that this License, the
copyright notices, and the license notice saying this License applies
to the Document are reproduced in all copies, and that you add no other
conditions whatsoever to those of this License. You may not use
technical measures to obstruct or control the reading or further
copying of the copies you make or distribute. However, you may accept
compensation in exchange for copies. If you distribute a large enough
number of copies you must also follow the conditions in section 3.
You may also lend copies, under the same conditions stated above, and
you may publicly display copies.
3. COPYING IN QUANTITY
If you publish printed copies (or copies in media that commonly have
printed covers) of the Document, numbering more than 100, and the
Document's license notice requires Cover Texts, you must enclose the
copies in covers that carry, clearly and legibly, all these Cover
Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on
the back cover. Both covers must also clearly and legibly identify
you as the publisher of these copies. The front cover must present
the full title with all words of the title equally prominent and
visible. You may add other material on the covers in addition.
Copying with changes limited to the covers, as long as they preserve
the title of the Document and satisfy these conditions, can be treated
as verbatim copying in other respects.
If the required texts for either cover are too voluminous to fit
legibly, you should put the first ones listed (as many as fit
reasonably) on the actual cover, and continue the rest onto adjacent
pages.
If you publish or distribute Opaque copies of the Document numbering
more than 100, you must either include a machine-readable Transparent
copy along with each Opaque copy, or state in or with each Opaque copy
a computer-network location from which the general network-using
public has access to download using public-standard network protocols
a complete Transparent copy of the Document, free of added material.
If you use the latter option, you must take reasonably prudent steps,
when you begin distribution of Opaque copies in quantity, to ensure
that this Transparent copy will remain thus accessible at the stated
location until at least one year after the last time you distribute an
Opaque copy (directly or through your agents or retailers) of that
edition to the public.
It is requested, but not required, that you contact the authors of the
Document well before redistributing any large number of copies, to give
them a chance to provide you with an updated version of the Document.
4. MODIFICATIONS
You may copy and distribute a Modified Version of the Document under
the conditions of sections 2 and 3 above, provided that you release
the Modified Version under precisely this License, with the Modified
Version filling the role of the Document, thus licensing distribution
and modification of the Modified Version to whoever possesses a copy
of it. In addition, you must do these things in the Modified Version:
A. Use in the Title Page (and on the covers, if any) a title distinct
from that of the Document, and from those of previous versions
(which should, if there were any, be listed in the History section
of the Document). You may use the same title as a previous version
if the original publisher of that version gives permission.
B. List on the Title Page, as authors, one or more persons or entities
responsible for authorship of the modifications in the Modified
Version, together with at least five of the principal authors of the
Document (all of its principal authors, if it has fewer than five),
unless they release you from this requirement.
C. State on the Title page the name of the publisher of the
Modified Version, as the publisher.
D. Preserve all the copyright notices of the Document.
E. Add an appropriate copyright notice for your modifications
adjacent to the other copyright notices.
F. Include, immediately after the copyright notices, a license notice
giving the public permission to use the Modified Version under the
terms of this License, in the form shown in the Addendum below.
G. Preserve in that license notice the full lists of Invariant Sections
and required Cover Texts given in the Document's license notice.
H. Include an unaltered copy of this License.
I. Preserve the section Entitled "History", Preserve its Title, and add
to it an item stating at least the title, year, new authors, and
publisher of the Modified Version as given on the Title Page. If
there is no section Entitled "History" in the Document, create one
stating the title, year, authors, and publisher of the Document as
given on its Title Page, then add an item describing the Modified
Version as stated in the previous sentence.
J. Preserve the network location, if any, given in the Document for
public access to a Transparent copy of the Document, and likewise
the network locations given in the Document for previous versions
it was based on. These may be placed in the "History" section.
You may omit a network location for a work that was published at
least four years before the Document itself, or if the original
publisher of the version it refers to gives permission.
K. For any section Entitled "Acknowledgements" or "Dedications",
Preserve the Title of the section, and preserve in the section all
the substance and tone of each of the contributor acknowledgements
and/or dedications given therein.
L. Preserve all the Invariant Sections of the Document,
unaltered in their text and in their titles. Section numbers
or the equivalent are not considered part of the section titles.
M. Delete any section Entitled "Endorsements". Such a section
may not be included in the Modified Version.
N. Do not retitle any existing section to be Entitled "Endorsements"
or to conflict in title with any Invariant Section.
O. Preserve any Warranty Disclaimers.
If the Modified Version includes new front-matter sections or
appendices that qualify as Secondary Sections and contain no material
copied from the Document, you may at your option designate some or all
of these sections as invariant. To do this, add their titles to the
list of Invariant Sections in the Modified Version's license notice.
These titles must be distinct from any other section titles.
You may add a section Entitled "Endorsements", provided it contains
nothing but endorsements of your Modified Version by various
parties--for example, statements of peer review or that the text has
been approved by an organization as the authoritative definition of a
standard.
You may add a passage of up to five words as a Front-Cover Text, and a
passage of up to 25 words as a Back-Cover Text, to the end of the list
of Cover Texts in the Modified Version. Only one passage of
Front-Cover Text and one of Back-Cover Text may be added by (or
through arrangements made by) any one entity. If the Document already
includes a cover text for the same cover, previously added by you or
by arrangement made by the same entity you are acting on behalf of,
you may not add another; but you may replace the old one, on explicit
permission from the previous publisher that added the old one.
The author(s) and publisher(s) of the Document do not by this License
give permission to use their names for publicity for or to assert or
imply endorsement of any Modified Version.
5. COMBINING DOCUMENTS
You may combine the Document with other documents released under this
License, under the terms defined in section 4 above for modified
versions, provided that you include in the combination all of the
Invariant Sections of all of the original documents, unmodified, and
list them all as Invariant Sections of your combined work in its
license notice, and that you preserve all their Warranty Disclaimers.
The combined work need only contain one copy of this License, and
multiple identical Invariant Sections may be replaced with a single
copy. If there are multiple Invariant Sections with the same name but
different contents, make the title of each such section unique by
adding at the end of it, in parentheses, the name of the original
author or publisher of that section if known, or else a unique number.
Make the same adjustment to the section titles in the list of
Invariant Sections in the license notice of the combined work.
In the combination, you must combine any sections Entitled "History"
in the various original documents, forming one section Entitled
"History"; likewise combine any sections Entitled "Acknowledgements",
and any sections Entitled "Dedications". You must delete all sections
Entitled "Endorsements".
6. COLLECTIONS OF DOCUMENTS
You may make a collection consisting of the Document and other documents
released under this License, and replace the individual copies of this
License in the various documents with a single copy that is included in
the collection, provided that you follow the rules of this License for
verbatim copying of each of the documents in all other respects.
You may extract a single document from such a collection, and distribute
it individually under this License, provided you insert a copy of this
License into the extracted document, and follow this License in all
other respects regarding verbatim copying of that document.
7. AGGREGATION WITH INDEPENDENT WORKS
A compilation of the Document or its derivatives with other separate
and independent documents or works, in or on a volume of a storage or
distribution medium, is called an "aggregate" if the copyright
resulting from the compilation is not used to limit the legal rights
of the compilation's users beyond what the individual works permit.
When the Document is included in an aggregate, this License does not
apply to the other works in the aggregate which are not themselves
derivative works of the Document.
If the Cover Text requirement of section 3 is applicable to these
copies of the Document, then if the Document is less than one half of
the entire aggregate, the Document's Cover Texts may be placed on
covers that bracket the Document within the aggregate, or the
electronic equivalent of covers if the Document is in electronic form.
Otherwise they must appear on printed covers that bracket the whole
aggregate.
8. TRANSLATION
Translation is considered a kind of modification, so you may
distribute translations of the Document under the terms of section 4.
Replacing Invariant Sections with translations requires special
permission from their copyright holders, but you may include
translations of some or all Invariant Sections in addition to the
original versions of these Invariant Sections. You may include a
translation of this License, and all the license notices in the
Document, and any Warranty Disclaimers, provided that you also include
the original English version of this License and the original versions
of those notices and disclaimers. In case of a disagreement between
the translation and the original version of this License or a notice
or disclaimer, the original version will prevail.
If a section in the Document is Entitled "Acknowledgements",
"Dedications", or "History", the requirement (section 4) to Preserve
its Title (section 1) will typically require changing the actual
title.
9. TERMINATION
You may not copy, modify, sublicense, or distribute the Document except
as expressly provided for under this License. Any other attempt to
copy, modify, sublicense or distribute the Document is void, and will
automatically terminate your rights under this License. However,
parties who have received copies, or rights, from you under this
License will not have their licenses terminated so long as such
parties remain in full compliance.
10. FUTURE REVISIONS OF THIS LICENSE
The Free Software Foundation may publish new, revised versions
of the GNU Free Documentation License from time to time. Such new
versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns. See
http://www.gnu.org/copyleft/.
Each version of the License is given a distinguishing version number.
If the Document specifies that a particular numbered version of this
License "or any later version" applies to it, you have the option of
following the terms and conditions either of that specified version or
of any later version that has been published (not as a draft) by the
Free Software Foundation. If the Document does not specify a version
number of this License, you may choose any version ever published (not
as a draft) by the Free Software Foundation.