Re: qmail or postfix? (was: RE: What is the best mailling list manager for qmail and Domain Tech. Control ?)

2004-02-20 Thread Thomas Lamy
Bjørnar Bjørgum Larsen wrote:

I am in the process of choosing between postfix and qmail for our
mail relays. I've not decided yet. However, I am surprised by the
fact that many people who prefer postfix, also enjoy posting
unqualified[0] statements[1][2][3] about qmail.
If anyone have properly grounded views, please share!


Qmail does _everything_ like DJB thinks is the right way:
- The FHS doesn't exist
- /sbin/init and inetd suck, because they're based on 30 year old design
- 

The biggest problem with qmail is its license, as it permits releasing 
a secure _and_ feature-rich binary distribution.  This may be no big 
reason for one or two people managing one or two servers, but in an ISP 
environment I (and many others) prefer to save time by using "apt-get 
install".

Another problem is: qmail (at least in standard configuration) is an I/O 
hog. At one client it was unable to saturate a T1 from a celeron 433 
machine with a cheap IDE drive. Postfix in standard configuration 
outperformed it by factor 5 (and maybe more, since the T1 was saturated 
then).

I was pretty confused about the number of config files. Yes, even 
Postfix has some, but there's not one config file for each subsystem. 
(That argument applies to Sam Varshavchik's software [Courier MTA/-IMAP] 
as well).

[...]

[1] Michael Loftis wrote (about qmail):

First is, unless they've made design changes, it's trivial to DoS.


Really? How would you DoS qmail? Could the same attack be used to DoS
postfix?
[2] Michael Loftis also wrote (about qmail):

Second, it doesn't scale so well, but unless you're talking upwards
of about 3-5k/msgs/hr you might not run into it.


Really? Quoting Bernstein quoting Bill Weinman
(cr.yp.to/qmail/users.html): "Our busiest list is about 250 messages
X 1800 subscribers (avg mail deliveries: 450,000 transactions per
day). Sendmail was barfing badly on this, and qmail seems to be doing
real well. The machine is a Pentium 90 running Linux 2.0.13 with 64Mb
of RAM. I have the spawn limit set at 100. I am *very* impressed."
How was the qmail that didn't scale well configured? On what
hardware?
See _my_ #2.  Qmail _may_ scale well, but it *doesn't* in standard 
configuration.  Did I mention that nobody with a clean mind runs 
critical and I/O intensive tasks on such hardware?

[3] Craig Sanders wrote:

ps: qmail is a bad idea.  postfix is better.
Your conclusion may be right, but the arguments are missing. Would
you please share?
I agree. Both statements.

Thomas

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]


Re: How do you manage Perl modules?

2004-02-07 Thread Thomas Lamy
Lucas Albers wrote:
I use mimedefang testing, spamassassin unstable, and kernel 2.4.23, on
my production external mx server.
Everything else is stable.
The only externally exposed service, sendmail, is stable.
I tried unstable sendmail, but TLS didn't work.
And I would not have timely updates.
(I was trying to resolve milter sock issues.)
Works great, using perl 5.8 instead of 5.6.1 is a much better choice for
mimedefang.
Use clamdscan instead of clamscan, I got the clamd from the clam site, in
deb format.
Clamdscan is approximately 200 times faster than running clamscan.
The Debian clamav packages were mostly unmaintained the last 5 months, 
but the maintainer changed now. There will be new packages this week.

Thomas




Re: Postfix-mysql-procmail

2004-01-11 Thread Thomas Lamy
Fraser Campbell wrote:
On January 10, 2004 09:17 am, Robert Hensel wrote:

I currently have a properly working postfix-mysql setup. This all works
fine, but I would like to implement an autoresponder/other stuff. The
problem is, that for example procmail doesn't seem to work with virtual
users. I have added "mailbox_command = /usr/bin/procmail ". But this
line is completely ignored :(
Maybe someone here can help me avoid writing ugly bash scripts to do the
job ;)

The virtual delivery agent doesn't support procmail, .forward files, etc.  I 
believe you have no choice but to do some scripting (it can be ugly if you 
insist ;-)

I'll assume that you're talking about an email setup similar to the one 
described at http://kirb.insanegenius.net/postfix.html ?

The only way that I can think of to do things like mail filtering, out of 
office, etc. is by having a virtual map entry that forwards the email to an 
alias as well as to the original user:

[EMAIL PROTECTED]   [EMAIL PROTECTED],fraser-filters
In the aliases file (which could be managed in mysql still) you would have the 
alias fraser-filters pipe to a command that does whatever magic you need.  
This might already be what you were thinking of?

I haven't tried this but it's the easiest way that I can think of supporting 
mail filtering, out of office and such.  You can also write postfix filters 
which might have advantages.

If you find anything please followup here as it's something I think a lot of 
people might be interested in.

Being through this, I'd like to add my 0.02 EUR.
I have a handful of servers set up with postfix, mysql, amavisd-new, 
spamassassin, and a home-brew administration interface in PHP.
I'm in the process of adding per-user support for:
- auto-replies (out of office, "your mail has been received" etc)
- auto-copy to another user
- auto-forward to another user (both for users on vacation)

I did the first version in PHP (as I already had a function that got me 
the final recipient mailbox), triggered by postfix's always_bcc 
parameter. This basically does the job, but at the cost of losing the 
"for: xxx" component in the Received: header, which I also need for 
another component (the maillog scanner).

To make a long story short, the technically correct way is to do this 
via content-filtering. I'm not through with this, so this is the 
untested picture I have in my head for this issue. I'll post an 
announcement here when I'm through this.

A configuration example (not tested; and note I also use amavisd-new):
main.cf:
# Filter mail through amavisd-new first
content_filter = smtp:[localhost]:10024
master.cf:
# (master.cf continues a line with leading whitespace, not a backslash)
localhost:10025  inet  n  -  -  -  -  smtpd
  -o content_filter=vacation
localhost:10026  inet  n  -  -  -  -  smtpd
  -o content_filter=
# pipe(8) needs unprivileged=n and chroot=n to switch to user=nobody
vacation  unix  -  n  n  -  -  pipe
  user=nobody argv=/usr/local/bin/my-vacation ${sender} ${recipient}
/usr/local/bin/my-vacation should handle all that vacation/forwarding 
stuff (_and_ should honor "Precedence: bulk" and "Precedence: list" 
headers properly!!!). If the mail should get to the original receiver, 
it is handed over to postfix via SMTP on port 10026. For best 
throughput, my-vacation should be an SMTP-based client/server (like 
amavisd-new is).

So the mail flow will be:
internet
   |
Postfix (smtp on port 25)
   |
amavisd-new (smtp port 10024)
   |
Postfix (smtp port 10025)
   |
my-vacation (pipe) ------------+----------------------+
   |                           |                      |
Postfix (smtp port 10026)   Postfix (smtp port 25)   Postfix (smtp port 25)
(to original receiver)      (cc or forward)          (response)
Thomas
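
The script the master.cf fragment in the post above calls, as an added example. This is not the author's PHP code and not part of the post; it fills in the my-vacation side of the chain described there. pipe(8) hands the message on stdin and the envelope sender and recipient as argv. The script decides whether an auto-reply is due (honouring Precedence: bulk/list as the post demands; the Auto-Submitted and List-* checks and the null-sender check are additions), submits the reply through port 25 with an empty envelope sender, and re-injects the original on port 10026. The per-user table is a constructed dict standing in for the author's MySQL table; the ports are the ones from the fragment.

```python
#!/usr/bin/env python3
"""my-vacation: added example of a Postfix pipe(8) vacation filter.
Assumptions (not from the post): VACATION dict instead of a MySQL table,
reinjection on localhost:10026, replies submitted via localhost:25."""
import email
import os
import smtplib
import sys
from email.message import EmailMessage, Message

REINJECT = ("localhost", 10026)   # listener with content_filter= (empty)
SUBMIT = ("localhost", 25)        # normal path for the generated reply

# Constructed sample table: recipient -> vacation text.
VACATION = {
    "alice@example.net": "I am out of the office and will read your mail later.",
}

# pipe(8) substitutes MAILER-DAEMON for the null sender (its null_sender
# default), so all of these mean "bounce or notification, do not answer".
NULL_SENDERS = ("", "<>", "mailer-daemon")


def parse(raw):
    """Parse a message from str or bytes (helper so callers need no email import)."""
    if isinstance(raw, bytes):
        return email.message_from_bytes(raw)
    return email.message_from_string(raw)


def is_auto_or_bulk(msg: Message, sender: str) -> bool:
    """True when an auto-reply would be wrong: bounces, list traffic and
    auto-generated mail.  Precedence bulk/list is what the post requires;
    Auto-Submitted (RFC 3834) and List-* headers are added checks."""
    if sender.strip().lower() in NULL_SENDERS:
        return True
    precedence = str(msg.get("Precedence", "")).strip().lower()
    if precedence in ("bulk", "list", "junk"):
        return True
    if str(msg.get("Auto-Submitted", "no")).strip().lower() != "no":
        return True
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return True
    return False


def should_autoreply(msg: Message, sender: str, recipient: str, table=VACATION) -> bool:
    """Reply only for configured recipients, never to themselves, never to automated mail."""
    recipient = recipient.strip().lower()
    if recipient not in table:
        return False
    if sender.strip().lower() == recipient:
        return False
    return not is_auto_or_bulk(msg, sender)


def build_reply(msg: Message, sender: str, recipient: str, table=VACATION) -> EmailMessage:
    reply = EmailMessage()
    reply["From"] = recipient
    reply["To"] = sender
    reply["Subject"] = "Auto: " + str(msg.get("Subject", ""))
    # Mark the reply itself so other responders (and this one) stay quiet.
    reply["Auto-Submitted"] = "auto-replied"
    reply["Precedence"] = "bulk"
    if msg.get("Message-ID"):
        reply["In-Reply-To"] = str(msg["Message-ID"])
    reply.set_content(table[recipient.strip().lower()])
    return reply


def main(argv):
    sender, recipient = argv[1], argv[2]
    raw = sys.stdin.buffer.read()
    msg = parse(raw)
    try:
        if should_autoreply(msg, sender, recipient):
            with smtplib.SMTP(*SUBMIT) as s:
                # empty envelope sender: a bouncing reply cannot start a loop
                s.send_message(build_reply(msg, sender, recipient),
                               from_addr="<>", to_addrs=[sender])
        with smtplib.SMTP(*REINJECT) as s:
            envelope = "<>" if sender.lower() == "mailer-daemon" else sender
            s.sendmail(envelope, [recipient], raw)
    except (OSError, smtplib.SMTPException) as exc:
        print(f"my-vacation: {exc}", file=sys.stderr)
        return os.EX_TEMPFAIL   # exit 75: Postfix defers instead of bouncing
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script runs as the pipe user (nobody in the fragment), so whatever replaces the dict must be readable by that user and nothing else of value should be. Returning EX_TEMPFAIL when port 10026 is unreachable matters: any other non-zero exit makes pipe(8) bounce the message instead of queueing it.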




Re: Mailscanner vs. amavis vs. other

2003-12-05 Thread Thomas Lamy
Fraser Campbell wrote:
Hi,
We've had some experience with amavis over the last few years and while it 
generally works it has a tendency to lose the occasional message or just 
continually requeue messages until their queue time expires and the message 
bounces.  We're using amavisd-postfix.

I know there are also other variants of amavis such as amavis-ng that we could 
try.  Has anyone compared amavis to mailscanner and come to a definite 
conclusion as to one being better.  I know better is very subjective but I'd 
still like to hear opinions.

I'd like to eventually hook spam trapping into the filter (I think amavis-ng 
does that) as well.

Thanks!
We're using amavisd-new (in an LVS cluster), with clamav. It works 
fairly well, integrates spamassassin, and is able to fetch per user/per 
domain prefs from an LDAP or SQL DB. But it's kind of a resource hog, as 
every process eats about 20-25 MB after running a while. But I've yet to 
stumble into a better solution.

Thomas





Re: Automated solutions for a small ISP

2003-10-15 Thread Thomas Lamy
Igor Wawrzyniak wrote:

I work for a small Internet provider. I'm getting tired of
entering the same information in many places (e.g., new client's
IP into DHCP, DNS and /etc/ethers). I'd like to have a system
which automates such tasks (OK, I've got a few scripts, but that's
not enough). I have a few ideas - could you comment them?
No problem...
Idea 1) Write a system which keeps the hosts information (and in
  future   - user information) in some kind of a database (file, MySQL
  or LDAP, probably I'll choose MySQL) and generates configuration
  files. Advantages: easy to implement. Disadvantages: limited use.
This is what I use. Only limited by programming skills (and time to 
code) ;-). We use two replicating mysql servers, some perl scripts 
(configuration agents for apache), and a web interface in PHP. This came 
with an extra bonus - as I store the customer's id in most tables, I 
built a customer self-service portal on top of what I had in only a few 
hours :-). We also use freeradius, postfix, courier-imap and mydns, 
which authenticate/read their data directly from mysql, so we only need 
to generate apache's config files. Apache virtual host accounting is 
done through a perl script parsing mod_watch's output, so there's no 
need to parse those n GB of access_log every night... Works like a 
charm, but is non-free (since my boss was paying me, eventually).


Idea 2) Install a full-blown ISP management system, probably based on
  LDAP - for example the one described here:
  http://www.tldp.org/linuxfocus/English/September2000/article173.shtml
  Advantages: it fully automates many mundane tasks, scales very
  well, has a web interface that can be used by not-so-technical
  personnel. Disadvantages: hard to implement, such a complicated
  system can screw up the system in more ways than I can imagine,
  security hole in this system could cause a total breakdown.
Or maybe there's another system I can use? Preferably something
modular, so that I can LDAPize some things (it doesn't really need
to be LDAP, but I feel it is the future) and keep good old
config files for other stuff? Maybe it'll be better to write
my own system (Idea 1), but with scalability in mind - that way
I will know what it does and it will minimize the risk of screwing
the system up?
Best regards

Seems I have done (2) in mysql, and I don't regret it. IMHO there's too 
much relational data in such a system to implement it with a LDAP 
backend. After all, mysql has replication, too.

Thomas
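
An added example of the "configuration agent" described in the reply above, written in Python rather than the author's Perl and not taken from that system: it renders Apache 1.3 name-based virtual host stanzas from rows of the kind a customer database would hold. The rows, column names, the docroot prefix /var/www/customers and the log directory are constructed assumptions. The point beyond templating is that every field was typed into a web interface by staff or by the customer self-service portal, so the agent validates before writing: a newline inside a field would otherwise become an extra Apache directive, and a ".." in a docroot would point a vhost outside the customer tree.

```python
"""Added example: generate Apache vhost stanzas from database rows, with
validation of the untrusted fields.  Paths and column names are assumptions."""
import re
from pathlib import PurePosixPath

DOCROOT_BASE = PurePosixPath("/var/www/customers")   # assumption
LOG_DIR = PurePosixPath("/var/log/apache/vhosts")     # assumption

# DNS labels (letters, digits, hyphen), at most 253 chars; fullmatch means a
# newline or a space anywhere in the field is rejected.
HOST_RE = re.compile(r"(?=.{1,253}\Z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
PATH_PART_RE = re.compile(r"[A-Za-z0-9._-]+")

# Constructed sample rows: one good, one with a header-injection attempt,
# one with a path-traversal docroot.
ROWS = [
    {"customer_id": 42, "servername": "www.example.net", "aliases": "example.net",
     "docroot": "/var/www/customers/42/htdocs"},
    {"customer_id": 43, "servername": "shop.example.org\nServerAlias evil.example",
     "aliases": "", "docroot": "/var/www/customers/43/htdocs"},
    {"customer_id": 44, "servername": "www.example.com", "aliases": "",
     "docroot": "/var/www/customers/44/../../../etc"},
]


class BadRow(ValueError):
    """A row that must not reach the config file; report it and skip it."""


def validate(row):
    """Return (customer_id, servername, aliases, docroot) or raise BadRow."""
    try:
        cust = int(row["customer_id"])
    except (KeyError, ValueError, TypeError):
        raise BadRow("customer_id is not an integer")
    host = str(row.get("servername", "")).strip().lower()
    if not HOST_RE.fullmatch(host):
        raise BadRow(f"bad ServerName {host!r}")
    aliases = []
    for alias in str(row.get("aliases", "")).split():
        alias = alias.lower()
        if not HOST_RE.fullmatch(alias):
            raise BadRow(f"bad ServerAlias {alias!r}")
        aliases.append(alias)
    docroot = PurePosixPath(str(row.get("docroot", "")))
    tail = docroot.parts[len(DOCROOT_BASE.parts):]
    if (not docroot.is_absolute() or DOCROOT_BASE not in docroot.parents
            or any(p == ".." or not PATH_PART_RE.fullmatch(p) for p in tail)):
        raise BadRow(f"docroot {str(docroot)!r} is not below {DOCROOT_BASE}")
    return cust, host, aliases, docroot


def render_vhost(row) -> str:
    cust, host, aliases, docroot = validate(row)
    logbase = LOG_DIR / f"{cust}-{host}"      # host is validated, so no '/' or newline
    lines = ["<VirtualHost *:80>", f"    ServerName {host}"]
    if aliases:
        lines.append("    ServerAlias " + " ".join(aliases))
    lines += [
        f"    DocumentRoot {docroot}",
        f"    ErrorLog {logbase}.error.log",
        f"    CustomLog {logbase}.access.log combined",
        "</VirtualHost>",
    ]
    return "\n".join(lines) + "\n"


def render_all(rows):
    """Render every valid row.  A duplicate ServerName is a data error here,
    not a silent 'first vhost wins' inside apache.  Returns (text, errors)."""
    seen, out, errors = {}, [], []
    for row in rows:
        try:
            cust, host, _, _ = validate(row)
        except BadRow as exc:
            errors.append((row.get("customer_id"), str(exc)))
            continue
        if host in seen:
            errors.append((cust, f"ServerName {host} already used by customer {seen[host]}"))
            continue
        seen[host] = cust
        out.append(render_vhost(row))
    return "".join(out), errors


if __name__ == "__main__":
    text, errors = render_all(ROWS)
    print(text)
    for cust, err in errors:
        print(f"skipped customer {cust}: {err}")
```

Write the output to a temporary file and run apachectl configtest against it before swapping it in; the validation above stops the fields from becoming directives, it does not guarantee the result is a loadable config.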



RE: splitting a subnet in an odd way

2003-09-28 Thread Thomas Lamy
Leonardo Boselli wrote:
> 
> You forget one thing: there are 10 other machines (addresses 3 to 13) 
> that need not be firewalled, and must be accessible from 
> ANY other host, either internally or externally, without passing the FW.
> The second group really is not a problem, since they are just virtual 
> addresses for a machine in the first group, which self-firewalls!
> However users in the third, internal group should access these 
> machines directly.
> About proxy-arping 230 machines: what commands would you suggest 
> for doing that? The way I used for a small group did havoc on some 
> network monitoring tools!
> 
I think the best solution would be a bridging firewall. No need for 230
proxy-arps, and (if correctly set up) nearly invisible to the outside world.

See
 for more info and links.


Thomas





RE: Where to get 'DCC' and 'pyzor' packages from?

2003-09-24 Thread Thomas Lamy
Dominik Schulz wrote:
> 
> Dear List,
> since Spam is becoming more and more unpleasant I'm currently looking
> deeper into configuring SpamAssassin better.
> When running spamd in Debug mode I realized that dcc (distributed
> checksum clearinghouse) und pyzor were not installed. So I've started
> looking for Debian packages ... and now I'm still looking.
> 
> Anyone knows of deb packages of one (or both) of these two programs?
> Shall I install them from source?
> Or shouldn't I use them at all?
> 
Pyzor is in testing and unstable, and we use it here with good results. I
didn't find dcc packaged for debian (not even on http://www.apt-get.org/),
though.

Thomas





RE: Apache clustering w/ load balancing and failover

2003-09-21 Thread Thomas Lamy
Mathieu Martin wrote:
> 
> Mario Lopez wrote:
> 
> >>Why not using 'roundrobin' ???
> >>
> >>Install a couple of Web-Servers, give each Server an IP and 
> >>then setup for each Server a A-Record on your DNS-Server 
> >>pointing to the same hostname.
> >>
> >>
> >
> >
> >The problem with round robin is that when one server fails 
> over it keeps sending them connections, I once saw a DNS 
> server implemented in Perl which worked in a round robin 
> fashion but making some kind of test to know if the server 
> was up and running correctly, I remember it was called 
> something like "lb-named"
> >
> >Mario.
> >
> Why not use (keepalived?) with round robin dns then? You get load 
> balancing, redundancy, and you don't need unnecessary additional 
> servers or kernel patches or whatever. Even with a lot of servers, it 
> should scale pretty well. Works too with servers in several 
> locations on different internet pipes, as long as there are at least two 
> servers on each pipe for redundancy.
> 
You're wrong. Round robin DNS isn't HA, isn't load balancing, it's just
request spreading. You can't control how many (DNS-)clients cache one of the
RR IPs, therefore you won't get even load on your RR'ed servers.
Plus you _have_ to use a tool like "lb-named" to keep your round robin DNS
from giving out the IP of a failed server.

It really comes down to using LVS+(keepalived|heartbeat|...) or pen.

Thomas





RE: Apache clustering w/ load balancing and failover

2003-09-20 Thread Thomas Lamy
Michelle Konzack wrote:
> 
> Am 2003-09-17 01:49:31, schrieb Shri Shrikumar:
> >Hi,
> >
> >I am looking to implement an Apache cluster with Load Balancing and
> >failover and after going through several options, the only 
> one that is
> >not too complex and does everything that I need seems to be pen
> 
> Why not using 'roundrobin' ???
> 
> Install a couple of Web-Servers, give each Server an IP and 
> then setup for each Server a A-Record on your DNS-Server 
> pointing to the same hostname.
> 
Because this is only "poor man's load balancing". You may get (more or
less) equal load on rr'ed servers, but you can't fix your DNS servers (and
every other one caching your results) to not give out the A record of a
failed server.

It really comes down to using LVS/keepalived or pen (I didn't even know it
existed before this discussion), or an expensive black-box solution (from F5,
Cisco, ).

Thomas





RE: Apache clustering w/ load balancing and failover

2003-09-17 Thread Thomas Lamy
Shri Shrikumar wrote:
> On Wed, 2003-09-17 at 18:46, Markus Oswald wrote:
> > On Wed, 2003-09-17 at 15:00, Shri Shrikumar wrote:
> > 
> > > Looking at the documentation for LVS, it mentions that it 
> needs two
> > > nodes, a primary node and a backup node which then feeds 
> into n real
> > > servers. 
> > 
> > Actually I never saw this mentioned in the documentation - I haven't
> > looked at it for quite some time now, though.
> > 
> > LVS definitely works with ONE machine which acts as the 
> loadbalancer.
> > You can use a second machine for failover if you need the 
> redundancy,
> > but as far as I know, LVS can't handle this by itself so 
> you would have
> > to use keepalived or heartbeat for that.
> Hi,
> 
> Thanks for the response. Let me just clarify. If I have two 
> boxes, I can
> configure both of them to be webservers and one of them to be the lvs
> node. I dont need a third machine to be a dedicated node. Is this
> correct ?
> 
Ascii art:

                   internet
                       |
        +---------------+   + - - - - - - - +
        |  LVS Director |   |   Director 2  |
        +---------------+   + - - - - - - - +
                |                   |
          ------+-----| SWITCH |----+------
            |              |              |
    +---------------+  +---------------+  + - - - - - - - +
    |   Webserver   |  |   Webserver   |  |   Webserver   |
    +---------------+  +---------------+  + - - - - - - - +

You need at least 1 LVS Director (balancer) and two servers to start.
The second LVS director and additional server are optional.

Thomas





RE: Apache clustering w/ load balancing and failover

2003-09-17 Thread Thomas Lamy
Shri Shrikumar wrote:
> 
> On Wed, 2003-09-17 at 08:50, Markus Oswald wrote:
> > Personally I would suggest LVS / keepalived - IMHO it's the 
> most robust
> > and powerful solution you can currently get. Definitely 
> worth a look...
> > 
> > It's not as hard to setup as you think - you need a little bit of
> > experience for planning your cluster setup, but the software 
> installation
> > and configuration is probably the easier part.
> > 
> > I installed/run multiple clusters, some with quite a lot of traffic
> > (well, that's what load-balancing is good for) some just 
> needed the HA
> > features. No serious problems with keepalived and no problems at all
> > with LVS.

Full ACK. Same here. Runs like a charm for > 2 years.

> 
> Looking at the documentation for LVS, it mentions that it needs two
> nodes, a primary node and a backup node which then feeds into n real
> servers. 
> 
> Does this mean that I will need two additional machines to be 
> able to do
> LVS or would I be able to double up a couple of the webservers as the
> nodes ?
> 
You need at least 2 servers, and one director (balancer). In this setup, the
director is a SPOF, so running with redundant directors makes sense.
Most of our customers started with one director, and upgraded to the second
within 3-4 months (when budget permitted or they had the first director
failure).

Thomas





RE: Sendmail or Qmail ? ..

2003-09-05 Thread Thomas Lamy
martin f krafft wrote:
> 
> also sprach Dale E Martin <[EMAIL PROTECTED]> 
> [2003.09.04.1447 +0200]:
> > Has it been covered before on this list?  I for one would be
> > interested in elaboration, if there is something technically
> > inferior about exim or postfix to qmail or sendmail?  Or
> > politically, I suppose, since much of people's dislike about qmail
> > has more to due with "political" than technical reasons.
> 
> random notes (these are facts and opinions, please don't flame me):
> 
> - sendmail and exim are both single setuid binaries. bad.
> - postfix is the most performant of all four.
> - qmail has an interesting but possibly confusing 
> configuration paradigm
> - postfix has the easiest configuration, IMHO.
> - qmail has a good integration with one of the fastest mailing list
>   servers, ezmlm.
> - exim is very extensible.
> - qmail does not come with anything but basic mail transfer stuff. if
>   you want things like tls or sasl, you have to patch.
> - qmail isn't available as a binary package for Debian.
> - qmail support includes being flamed by the author
> - postfix and exim support are available here, if only by me and
>   dman respectively (note that you have to mention my name in a post
>   if you want me to see it. i am writing my phd and am thus
>   filtering messages to not be flooded)
> - ralf hildebrandt uses postfix (he's the guru, next to wietse.
> 
> can't think of any more.
> 
Complete ACK. I'm also willing to give support, as I use
postfix+mysql+sasl at a couple of clients.

Thomas





RE: Servers with X.

2003-08-18 Thread Thomas Lamy
Jeff Waugh wrote:
> 
> On Tue, 2003-08-19 at 09:28, Rudi Starcevic wrote:
> > Is it bad practise to use X on your Debian ISP/Hosting machines ?
> > Here I have 4 boxes all without X. I've always been of the 
> impression
> > X on servers was not good.
> 
> It's not a terrible thing to do, unless you forget to 
> correctly firewall
> your machines. :-)
> 
> > [...]
> 
> You don't need to install an X server on the local machine to 
> use it. If
> you install the tcl app, and ssh to the box using X 
> forwarding (-X), you
> can display the program on your own local X server.
> 
> [ desktop ]   -->   [ firewall ]   -->   [ db-server ]
>  X server ssh  sshno X server
> 
> Fully encrypted, secure access to X software on your 
> db-server, without
> running (or even having) a full X server on the machine. :-)
> 
But you need at least xbase-clients (and its dependencies) on your client
machine for X authentication and stuff.

Besides this, I was under the impression that the default X config is _not_
to listen on public interfaces or TCP sockets (not sure on this one). At
least KDE's desktop is by default configured this way.

Thomas





RE: Apache + PHP4

2003-08-15 Thread Thomas Lamy
Depends on which php version and php4 modules you have installed. There was
an upload of a more recent php version + modules on Wednesday or Thursday,
so it has not made its way into testing yet...

The php4-imap module (4:4.1.2) is known to cause such problems; remove it if
you don't need it.

-- 
Thomas Lamy                 [EMAIL PROTECTED]
Software development        http://www.netwake.de/

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 15, 2003 3:10 PM
> To: [EMAIL PROTECTED]
> Subject: Apache + PHP4
> 
> 
> Dear,
> 
> I have a problem.
> I have installed apache and php4 with apt-get, but when I 
> don't comment out the line:
> LoadModule php4_module /usr/lib/apache/1.3/mod_php4.so
> apache doesn't start.
> Help me
> 
> Rafael Domingues Pires
> Ourinhos - Brasil
> 
> 
> 





RE: Count traffic

2003-08-14 Thread Thomas Lamy
Daniel Kradolfer wrote:
> 
> Hi,
> 
> I'm searching a solution to count in- and outgoing traffic for each
> virtual user (domain). Our boxes are running Apache, Proftpd 
> and qmail.
> Does anybody know some good working GPLed software/tool to do one of
> these tasks.
> 
> thanks
> 
> kradi
> 
We use mod_watch to gather accounting data for name-based virtual hosts.
Basically, you get a simple html table with SNMP-like "interface" counters
for each virtual host. They also provide a perl script to import this data
into mrtg, and I wrote a simple one to store the accounting data in our
homebrew mysql accounting database.

It's not perfect, since HTTP headers (neither received nor sent) are not
accounted, but still better than a script digging through each vhost's
access_log.


Thomas





RE: PHP 4.3?

2003-07-28 Thread Thomas Lamy
Tomàs Núñez Lirola wrote:
> 
> Can anyone tell me why Debian php is still at version 4.2.3 
> while official PHP 
> is at version 4.3.2 (4.3.3RC1)? Is there any reason not to 
> upgrade to 4.3.2?
> 
The maintainers seem to be busy re-debianizing the whole package, trying to
sort out all SSL and/or kerberos versioning related problems that
cause/caused various apache crashes, perhaps coming from different third
party libraries (like imap and snmp).

There even was a bug filed today re this, and I (and I bet others) am now
independently maintaining private php packages. I posted a link to my diffs
some weeks ago, but got no replies even though they got downloaded several times
_and_ had problems (at least with the imap stuff).

My offer for help got no reply from Adam Conrad (official maintainer), and
only a short "we're busy, be patient. no, we don't want/need help" from
Steve Langasek, who seems to be the unofficial co-maintainer these days.


I can say nothing but "compile your own", as 4.3.x IMHO adds some really
useful bits, while fixing loads of bugs. I'll post an updated URL to my
diffs as soon as I have this IMAP/Kerberos thing worked out (working on my
development machine, but not on another - strange).


Thomas





Re: BIND 8 or 9 version ?

2003-07-22 Thread Thomas Lamy
[EMAIL PROTECTED] wrote:
> 
> On Tue, Jul 22, 2003 at 05:06:39PM +0200, Stephane Bortzmeyer wrote:
> 
> > It is partly a matter of taste.
> 
> - v8 is faster
> - v8 is stable
> - v8 does not have "views" OTOH different views can't use the same
>   files. :( bad bad bad
> - v9 can be used with db/sql - but i would recommend powerdns for that
>   task
> 
> (powerdns is fastest authoritive dns server around and it works with
> mysql/oracle/mysql, BUT it lacks ACLs
> and you can't have per-zone settings - only general (notify,
> transfer,...)
> 
> there is another dns auth server project that ripe started, but i
> can't remember the name
> 
Or one may try mydns, an auth-only dns server running directly from a mysql
or pgsql backend. I use it for some 10.000 zones, and it's perfect.

> and djb is not compatible with working OSes. :)
> 
DJB is its own kind of a story. But don't be offensive - it's just that his
license makes it impossible for most distributions to include his software,
which in turn has its own odor.


Thomas





Re: Weird Reboots

2003-07-22 Thread Thomas Lamy
Russell Coker wrote:
> On Sun, 20 Jul 2003 03:40, Blu wrote:
> > On Sun, Jul 20, 2003 at 01:09:29AM -0500, Rod Rodolico wrote:
> > > I don't understand what is going on. My machine has rebooted 5 times
> > > between 10:00 and 18:00. I looked in syslog and the line contains 109 at
> > > signs (@).
> >
> > That could be somebody or something trying to use a buffer overflow
> > attack. That kind of attack often crashes the target machine and leaves
> 
> "less" tends to display zeros in a file as '@' characters.  A sudden reboot
> when a file is being written can often result in zeros at the end of the file
> when the meta-data has been updated before the file contents.
> 
> Most likely it's a symptom of minor FS corruption.
> 
I second that. Some (SuSE-specific?) versions of reiserfs did that pretty
often; it's a FAQ in the suse-security mailing list.
So I'd vote for bad memory or a dying cpu fan (which leads to freezes or
sudden reboots).

Thomas





Re: Traffic Accounting

2003-07-21 Thread Thomas Lamy
Volker Tanger wrote:
> 
> Greetings!
> 
> On 19 Jul 2003 23:35:08 +0300 kgb <[EMAIL PROTECTED]> wrote:
> 
> > Which is the best way for traffic accounting? I use ipac-ng but I don't
> > like it anymore because it puts my system under high load.
> 
> If you don't want to mess around with IPtables just to do traffic
> accounting, you could try
> 
>   http://wyae.de/software/trafan/
> 
> which works even from a third machine - just plug in and be happy. I do
> not have any experiences with high load scenarios, though.
> 
Don't use it. I've been through many open source and self-made IP accounting
tools, and using tcpdump is not what one would like. It gets really messy at
high throughput.
The greatest problem with ipac-ng is its resource consumption under high
loads.

I've been through all of this, and built my own package. It uses iptables,
because it's easy to set up and has relatively fast lookup times, a C
program to parse iptables output and write "database" files, and some small
shell/awk scripts to summarize the database. Data is stored inside a
directory tree, nearly no data is looked up/parsed from that, and it's laid
out so that it's easy to summarize on a monthly basis.

It works for me (on an E3) and at some customers' sites for at least 1.5
years, basically unchanged. System load maximizes at ~1.5 on a 1100 Athlon
w/ 3xIntel eepro and 3 slow IDE HDDs.

I'm planning to separate all those accounting chains by class-c though; this
should speed up both kernel lookup latency and iptables output.

I can make my scripts available, but (as it's not packaged in any way), only
on personal request.

Thomas


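As an added example (not the poster's package, which he only offered on request), here is the shape of the pipeline described in that post in POSIX sh and awk: a parser for `iptables -nvxL` output, a per-host, per-month directory-tree "database", and a monthly sum. The chain name ACCT_IN, the 192.0.2.x hosts and the counter values are constructed; no iptables is run.

```shell
#!/bin/sh
# Added example, not the poster's own scripts: the skeleton of the
# iptables-counter accounting pipeline the post describes. Read the counters
# of an accounting chain ("iptables -nvxL <chain>"), append the per-host byte
# counts to a "database" that is just a directory tree laid out by
# year/month, and sum one host's traffic for a month.
# Assumptions (not from the post): one accounting chain per direction with
# one plain address rule per host (no -j target, no extra match text); the
# counters are read with -x for exact values and zeroed with -Z right after
# each read, so every sample is a delta. iptables is not executed here; a
# constructed sample of its output is embedded so the script runs offline.

# Constructed sample of "iptables -nvxL ACCT_IN" output (not captured from a
# real system). Rules without a target print an empty target column, so the
# parser keys on the last two fields (source, destination) rather than on
# fixed column numbers.
SAMPLE_ACCT_IN='Chain ACCT_IN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   12345    9876543            all  --  eth0   *       0.0.0.0/0            192.0.2.10
     200      15000            all  --  eth0   *       0.0.0.0/0            192.0.2.11
'

# parse_counters DIR: read iptables -nvxL text on stdin, print "host bytes"
# per rule. Inbound chains are keyed on the destination, outbound on the
# source.
parse_counters() {
    awk -v dir="$1" '
        /^Chain / || /^ *pkts/ { next }      # chain banner and column header
        NF >= 8 && $2 ~ /^[0-9]+$/ {
            host = (dir == "in") ? $NF : $(NF - 1)
            printf "%s %s\n", host, $2
        }'
}

# record_sample DB DIR YYYY/MM STAMP: append "STAMP bytes" for every host
# read on stdin to DB/YYYY/MM/DIR/<host>. One file per host and month keeps
# the monthly summary a plain sum over one file.
record_sample() {
    db="$1"; dir="$2"; month="$3"; stamp="$4"
    mkdir -p "$db/$month/$dir"
    while read -r host bytes; do
        printf '%s %s\n' "$stamp" "$bytes" >> "$db/$month/$dir/$host"
    done
}

# month_total DB DIR YYYY/MM HOST: sum of all deltas recorded for HOST in
# that month and direction; 0 when nothing was recorded.
month_total() {
    f="$1/$3/$2/$4"
    [ -f "$f" ] || { echo 0; return 0; }
    awk '{ s += $2 } END { printf "%.0f\n", s }' "$f"
}

# Demo: two samples of the same (constructed) counters one hour apart.
demo() {
    db=$(mktemp -d)
    printf '%s' "$SAMPLE_ACCT_IN" | parse_counters in | record_sample "$db" in 2003/07 1058745600
    printf '%s' "$SAMPLE_ACCT_IN" | parse_counters in | record_sample "$db" in 2003/07 1058749200
    echo "192.0.2.10 in 2003/07: $(month_total "$db" in 2003/07 192.0.2.10) bytes"
    echo "192.0.2.11 in 2003/07: $(month_total "$db" in 2003/07 192.0.2.11) bytes"
    rm -rf "$db"
}
demo
```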



Re: Server hacked - next...?

2003-07-04 Thread Thomas Lamy
Shri Shrikumar:
> On Thu, 2003-07-03 at 22:30, Mario Lopez wrote:
> > In any case if you have a lkm rootkit, you're done, doesn't matter if
> > you upload static, dynamic or whatever, kernel root kits are hard to
> > find, not even lsmod, rmmod can help you because it is quite easy to
> > make a kernel module unloadable or even hidden, some of you may be
> > thinking that they are safe to those kind of attacks because they
> > have disabled kernel module support in their kernel, well they are
> > wrong :), there is code, and nice white papers explaining how to
> > insert kernel code through /proc/kmem, if I am not wrong Silvio
> > Cesare developed this technique two or three years ago, although it
> > hasn't been exploited too much you must be aware of its existence.
> 
> I don't have module support and I don't have /proc/kmem. Am I missing
> something ? Running 2.4.20.
> 
I'm sure he meant /dev/kmem




Re: Server hacked - next...?

2003-07-03 Thread Thomas Lamy
Mario Lopez wrote:
> 
> Hi!,
> 
> >First. We need some fresh & clean tools;
> >
> >kill, killall, ps, more, netstat, ls, dpkg, apt-tools, chattr, lsattr,
> >bash (or whatever shell you prefer).
> >
> >
> >Replace your shell with the clean one (the /etc/passwd -race).
Better, boot off a clean medium (I prefer KNOPPIX for that, as all needed
tools are there, and it runs completely from CD). Only _this_ way you can
make pretty sure that neither some nasty kernel module, nor some hacked
shared library is loaded while cleaning the compromised system.
When you have Knoppix up and running, the other posts apply (re-install base
debs, clean up /etc/{init.d,rc?d,passwd,shadow,modules(!)}, move away that
nasty root kit (via chkrootkit, which may be included on the knoppix cd, but
I'm not sure).
But - as others already stated - it's highly recommended to set up from
scratch. Boot from CD, take a full backup via rsync or scp or whatever you
prefer, set up a blank system, and restore the "user" parts thoroughly.


Thomas




Re: Woody Stable and Kernel 2.4.21

2003-07-03 Thread Thomas Lamy
Jason Lim wrote:
> 
> Hi Eduard,
> 
> > > Nowadays, many motherboards have built-in ethernet ports. The most
> > > common seem to be either the SiS chipset (SIS900) or Intel's one 
> > > (don't know what model number... but i think eepro or something?)
> > >
> > > Realtek is the most common PCI one... virtually all cheap PCI LAN
> > > cards have Realtek chipsets.
> >
> > All mentioned cards are supported by the bf2.4 kernel or will be
> > supported by the next generations of boot-floppies. What is your
> > problem? The broadcom things are not supported just because the stupid
> > drivers are not part of the normal vanilla kernel.

AFAIR Realtek support is compiled into bf24.


> 
> Never heard of "broadcom" on a motherboard... never used one... never seen
> one... so no complaints from me. I just hope the boot floppies in the next
> stable version will support these very common chipsets, because I remember
> when installing the current stable, it is a headache.
> 
Me too (tm). Never heard of/used broadcom. If space permits, I would also like
to see the e100 and 3c59x drivers compiled into bf24.
I'd rather have some kind of bootable ISO where one could manually load
modules from, instead of using an ext2 floppy. I got around that on some
weird system by creating a ramdisk, extracting drivers.tgz from the cd, and
loading the module manually, but that sux.
Anyway, the sarge installer isn't nearly as comfortable as woody's. I tried
it 2 times, because all my systems run sarge now. Haven't found any nice
how-to to build my own basedebs-iso (I'd like to build one with the woody
installer, but for installing a basic sarge)...


> > > Not THAT many.
> > >
> > > Actually, I like the way Redhat does it. IMHO Redhat has one of the best
> > > installation "procedures" going. With the 3ware card installed, it
> > > automatically loads up the 3w.o (i think that's what it's
> > > called?).
AFAIR the sarge installer has some nice hardware detection module. Didn't
try it on some weird/unusual/pro hardware though.
> >
> > bf2.4 loads the 3ware driver. Some exotic controllers are only supported
> > if you insert a module-preload disk with scsi drivers and load them
> > manually. There is no good way to fix it, we cannot include
> > every driver on _one_ floppy.

I had no problems installing woody on a 3ware 7400 controller-based system.


> Perhaps have "the one" floppy detect what is needed, and then direct the
> user to either download/insert the other relevant driver disk?

Who needs disks nowadays, anyway? Each and every system one may buy today
either has a CD-/DVD-ROM drive to boot from, or you can plug one in
temporarily for installation.

> 
> Bah, you guys know more about this stuff. I'm just a sysadmin that uses
> it... so not sure if it is even possible... or advantageous, to have a
> "detection" thing tell the user to download a certain driver to a disk.
> maybe the detection routines would be too long/big/complicated? I think
> there is a hardware detection project already?
> 
Try a recent copy of the sarge installer. Not nearly finished, but enough to
get the idea.


Thomas






Re: Server hacked - next...?

2003-06-29 Thread Thomas Lamy
Jason Lim:
> Hi Russell,
> 
> Well, SE Linux certainly seems like something that needs to be installed.
> Most annoying is that all the recent security updates were already done!
> 
> The user CGIs run as the user's UID... suexec.
Consider chrooting apache, and keep available binaries to a minimum.
> 
> 
> Re-installing from scratch would be a real pain... the server runs on a
> 3ware array, and has hundreds of users, all active :-/
IMHO there's only one safe way to go after being hacked: reinstall.
While you are re-installing (on another machine), limit the traffic to this
machine to port 80 only, and either do web site updates yourself and/or
refuse them totally until you have a replacement up and running.
> 
> Is there any way to verify the Integrity of the files somehow, and
> download/re-install any binaries that do not match the checksums or
> something? Does dpkg or some other Debian tool have this ability?
Dunno - rpm has the option of checking md5 sums, but the dpkg manpage isn't
promising in this regard.
> 
> If just a list of packages could be shown that do not match what is
> actually on the disk, those could be re-downloaded and re-installed, so at
> least the system can start working (right now, just typing "gcc" produces
> garbage on the screen, no doubt because some libraries have been
> replaced).
Check the packages that get installed in debootstrap (perhaps you could do
exactly that in a separate tree/partition), and download and install them
manually. This should get at least login, libc et al overwritten with proper
binaries. If you choose to run debootstrap on a separate partition (or
machine), you may have to write a little script to gather md5sums for the
fresh install, and compare to the hosed machine.
> 
> Is there any tool that could search the system for root suid scripts (so
> the hacker can login again and gain root easily)?

chkrootkit. Get it from http://www.chkrootkit.org/


Thomas 
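An added example (not Thomas's script) of the md5sum comparison suggested in this post, which also fits the "boot off Knoppix, then clean up" procedure from the 2003-07-03 post in this thread: it walks a clean reference tree and reports every file that differs from, or is missing on, the mounted suspect root. The directory names CLEAN and SUSPECT and the demo files are constructed.

```shell
#!/bin/sh
# Added example, not the poster's script: the "little script to gather
# md5sums for the fresh install and compare to the hosed machine" from the
# post, written so it runs offline. Assumptions (not from the post): the
# clean reference tree (a debootstrap on a spare partition, or any trusted
# install) is mounted under CLEAN, the suspect root is mounted read-only
# under SUSPECT from a clean boot medium such as a Knoppix CD, and find,
# sort and md5sum are the boot medium's binaries, never the suspect's.
# The clean tree is the reference list, so files that exist only on the
# suspect (a dropped rootkit, an extra setuid binary) are not listed here;
# that is what chkrootkit and a separate listing of the suspect are for.

# compare_trees CLEAN SUSPECT: walk every regular file of the clean tree and
# print one line per difference, sorted by path:
#   MODIFIED /path   content checksum differs on the suspect
#   MISSING  /path   present in the clean tree, absent on the suspect
# Silent when everything matches.
compare_trees() {
    clean="$1"; suspect="$2"
    ( cd "$clean" && find . -type f -print ) | LC_ALL=C sort | while IFS= read -r path; do
        rel=${path#./}
        if [ ! -f "$suspect/$rel" ]; then
            printf 'MISSING  /%s\n' "$rel"
        elif [ "$(md5sum < "$clean/$rel")" != "$(md5sum < "$suspect/$rel")" ]; then
            printf 'MODIFIED /%s\n' "$rel"
        fi
    done
}

# count_differences CLEAN SUSPECT: number of MISSING/MODIFIED lines, so a
# caller can branch on it ("0" means the suspect matched the reference).
count_differences() {
    compare_trees "$1" "$2" | awk 'END { print NR }'
}

# build_demo: create two small constructed trees in a temp dir and print its
# path. The "suspect" tree has one swapped binary and one deleted file.
build_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/bin" "$root/clean/sbin" "$root/suspect/bin"
    printf 'clean ps\n'    > "$root/clean/bin/ps"
    printf 'clean ps\n'    > "$root/suspect/bin/ps"    # untouched
    printf 'clean ls\n'    > "$root/clean/bin/ls"
    printf 'trojaned ls\n' > "$root/suspect/bin/ls"    # replaced
    printf 'clean init\n'  > "$root/clean/sbin/init"   # deleted on suspect
    echo "$root"
}

demo() {
    root=$(build_demo)
    echo "differences: $(count_differences "$root/clean" "$root/suspect")"
    compare_trees "$root/clean" "$root/suspect"
    rm -rf "$root"
}
demo
```

On a real box the call is `compare_trees /mnt/clean /mnt/suspect` with both paths mounted from the clean boot medium; any MODIFIED line under /bin, /sbin or /lib is a binary to overwrite from a fresh deb before trusting anything it prints.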





Re: Large Hard Disks and Debian

2003-06-25 Thread Thomas Lamy
Jason Lim wrote:
> 
> Well, since no one has said it yet, I'll chip in...
> 
> We've had great results by using 3ware cards. Their drivers are fully
> open source, and are available as part of the source kernel as well, so
> you don't have to wait for the right drivers to come out for a particular
> kernel release (very annoying when the kernel is way ahead of their
> binary driver releases)
> 
> I don't know about the price, but when we were considering all the various
> RAID cards, 3ware's price was approximately the same as those from
> Promise. If Promise's cards were significantly cheaper, our decision might
> have been different, but as is, the 3ware cards won out :-)
> 
> Sincerely,
> Jas
> 
> "Jesse Molina" wrote:
> 
> >
> > I honestly regret to say the same, but it's true.  Promise cards are
> > great under an MS Windows OS, but not GNU/Linux.  It's the driver issues.
> >
> >
> >
> > Thomas Kirk wrote:
> >
> > > On Tue, Jun 24, 2003 at 07:02:21PM +1000, Brad Lay wrote:
> > >
> > >
> > >>I'd stay well clear of promise if you want it to work under Debian.
> > >
> > >
> > > I would like to support that statement. I've had nothing but trouble
> > > with promise under debian :(
> > >
> >

Some of our clients use the Promise 20286R with success with Debian. But my
personal impression is: If you have the choice, go with 3ware. Their card
design is superb, 3ware cards are definitely the best IDE RAID controllers
when it comes to Linux support.

Just my 2c,
  Thomas

-- 
Thomas Lamy[EMAIL PROTECTED]





Re: PHP versioning and security information

2003-06-18 Thread Thomas Lamy


I wrote:
> 
> Fraser Campbell wrote:
> > 
> > Hi,
> > 
> > I have backported unstable's php 4.2.3 packages to woody and I've been using
> > them successfully for a few months.  I am rather concerned about security so
> > I sent the following message to the php-general mailing list.  So far I have
> > no response (granted less than a full day since I posted).  I'm wondering if
> > someone here might be able to help me with my questions ...
> > 
[...]
> 
> For personal and clients' needs, I debianized 4.3.2 (for the testing branch,
> for woody this will need some tweaking) lately and offered them to the
> official deb maintainer, with no answer for at least a week now. If anyone
> would like to get them, I'll make them available for download somewhere
> (only the diffs, not the complete debs).
> 
As requested, the diffs are available for download. Apply with "patch -p 1".
Some notes:
- I didn't get the domxml stuff working, so this extension is not really
built. I'll fix that soon.
- the "php4" binary from php4-cgi is in fact the CLI binary, which doesn't
output Content-type headers and friends
- the "php4.cgi" binary is the one for CGI usage.
- Both share the same config file, /etc/php4/cgi/php.ini
- I thoroughly tested the mysql and gd extensions, as most of the applications
I need 4.3.x for rely on these
- all tests from "make test" passed

The URL: http://www.netwake.de/php-4.3.2-debian_sarge-diff.gz

Have fun! Comments, suggestions and bug fixes are welcome ;-)





Re: PHP versioning and security information

2003-06-18 Thread Thomas Lamy
Fraser Campbell wrote:
> 
> Hi,
> 
> I have backported unstable's php 4.2.3 packages to woody and I've been using
> them successfully for a few months.  I am rather concerned about security so
> I sent the following message to the php-general mailing list.  So far I have
> no response (granted less than a full day since I posted).  I'm wondering if
> someone here might be able to help me with my questions ...
> 

> My questions are:
> 
> - is php 4.2.3 vulnerable to any known security issues?
Not easy to answer unless you study the changelog from newer versions.

> 
> - what is the meaning of php's versioning scheme?  I see from the
>   changelogs that features are added throughout the 4.x branches.  I am
>   used to schemes where 4.2.x would be feature frozen with just bug and
>   security fixes being applied.
Yes, this is the current PHP policy.
> 
> - is the 4.3.x branch the only one that is being maintained?
Yes.
> 
> I do not relish moving my servers from 4.2.3 to 4.3.? since I have
> encountered enough problems already with the move from 4.0.6 to 4.2.3. 
> Most of the problems were from sloppy coding that should never have worked
> but hey it did work with 4.0.6 and does not work with 4.2.3.  If the code
> were all mine I wouldn't be so concerned but I don't want to be telling
> clients every 6-12 months, that we're upgrading their php version and that
> things might break for them.
Yes, 4.0.6 was pretty stable, that's why so many ISPs (and SUN with their
Cobalts) only use this version.
4.1 introduced those "SuperGlobals" (_GET, _POST, _REQUEST, _FILES, _SERVER),
which became the default to use in 4.2 (which is triggered thru php.inc, so
BC is granted).
4.3 introduced some new nifty commands (like debug_backtrace or
get_file_contents), and they started bundling the GD library, which was a
real pain to add in past versions.
IMHO there shouldn't be any more beastly changes like those from 4.0 to 4.2.
From the php-internals ML I see that most core and extension developers _do_
care about BC whatever they do.
> 
> Is there an official policy as to how long a branch is supported?
Bug fixes are mostly applied to the current PHP4 branch. There were some
security issues with file uploads, that were also applied to the previous
branch, but these were exceptions.
> PHP 4.2.0 is just over a year old, php 4.2.3 about 6 months old ...
And 4.3.2 was out recently, which fixed a ton of bugs. The first RC for
4.3.3 will be out next week I guess, fixing serious problems on sparcs, but
the fixes came in too late (when 4.3.2RC3 was out) and were too heavy to get
into 4.3.2.


I'm not too happy with the php packages in debian, because 4.3.x is not even
in unstable (while I run most servers from testing, where 4.1.2 seems to be
current).

For personal and clients' needs, I debianized 4.3.2 (for the testing branch,
for woody this will need some tweaking) lately and offered them to the
official deb maintainer, with no answer for at least a week now. If anyone
would like to get them, I'll make them available for download somewhere
(only the diffs, not the complete debs).


Thomas





Re: XEON SMP KERNEL 2.4.20 tree

2003-06-11 Thread Thomas Lamy
Emile van Bergen wrote:
> 
> Hi,
> 
> On Wed, Jun 11, 2003 at 09:21:27AM -0400, Theodore Knab wrote:
> 
> > 
> > I have 3 dual processor IBM Netfinity Servers with the XEON P3 (1Mb Cache).
> > 
> > [...]
> > 
> > Does anyone know of any SMP problems with the 2.4.20 kernel ?
> > 
> > If not, who should I report this too and what information should I
> > provide them ?
> 
> Which compiler did you use? GCC 2.95.4 is known to create buggy SMP
> kernels, at least it did in my experience. If you used that one, you may
> want to try using 3.x.
> 
But note that when using gcc-3.2, you have to patch the kernel sources to
compile. There was a patch posted somewhere, but I just don't have the
Google link handy...

Thomas 




AW: {G} Problem Compiling Exim on woody

2003-06-11 Thread Thomas Lamy
Gregory Machin wrote:
> 
> I have compiled exim on this system before no problem, but now when I try
> to compile I get the following error.
> " If file include from exim.h:341,
>   from exim_dbmbuild.c:30:
> dbstuff.h:101: db.h: No such file or directory
> make[1]: *** [exim_dbmbuild.o] Error 1
> make[1] Levbing directory '/home/installs/exim-4.14/build-Linux-i386'
> make: *** [go] Error 2
> 
> Is there a list anywhere of all the libraries required for a full compile of
> exim? As I need to do the same on other versions of Linux, and don't
> want to have to experiment every time...
> 
> Many thanks
> Gregory Machin
> 
You need one of the libdb*-devel packages (don't know which in woody, in
sarge it's 4.1)




AW: loadbalancing

2003-06-10 Thread Thomas Lamy
Joost Veldkamp wrote:
> 
> Hi,
> 
> We're using old cisco Localdirectors for loadbalancing between
> webservers. These need to be replaced by something else, because they
> are EOL.
> Are there software packages that can do the same as the localdirector,
> with failover functionality?  
> I looked at ultramonkey.org, (it has woody packages;-) ) and i'm
> wondering if this is the best solution, or if there are other packages
> around that might be of more use.
> 
> Thanks,
> 
> Joost
> 
You can use Linux Virtual Server (http://www.linuxvirtualserver.org/). It
consists of a kernel patch and some user space tools. In conjunction with
keepalived (http://keepalived.sf.net/) you can build a stable high-availability
load balancing system. I built a few myself, and they're rock stable.


Thomas




Re: Antivirus license

2003-06-10 Thread Thomas Lamy
Tomàs Núñez Lirola wrote:
> 
> I have a doubt respecting amavis...
> I've read there are some antiviruses that run in daemon mode 
> (clamav-daemon,
> sophie) because if you want to check a lot of files every 2 
> or 3 seconds
> (like a mail server does), it takes a lot of resources to load virus
> definitions every time, so they load definitions once and 
> stay as a daemon.
> But I thought AMaViS implemented this. Am I certain? Does 
> AMaViS load virus
> definitions every time a mail is checked? I mean, is useless a daemon
> antivirus with amavis?
> 
It's a bit different. You're right in that clamav-daemon/sophie run as
daemons to reduce pattern load time and system load.

But it's also true that Perl scripts (like amavis) also take a while to load
(on my testing machine it takes even longer to load and initialize amavis
than h+b antivir), so amavis has also been daemonized (in the various
spin-offs, like amavisd, amavisd-snap, amavisd-new).

So with amavisd-new (which I prefer to run) you have an MTA connecting to
the amavis daemon, which connects to (e.g.) the clamav daemon. Everything sits
in memory and is ready to rumble upon incoming mail :-)

Thomas




Re: Antivirus license

2003-06-10 Thread Thomas Lamy
Brad Lay wrote:
> 
> On Tue, 10 Jun 2003, [iso-8859-1] Tomàs Núñez Lirola wrote:
> 
> > Hi
> > I want to put an antivirus on the mail server (BugBear 
> helped me to convince
> > my boss). Now is time for wondering about licenses.
> >
> > Kaspersky and F-Prot (two examples) have a product for a 
> mail server. If I use
> > their product for a personal use (wich license price is a 
> 5% of the mail
> > server license) with amavis, am I doing something illegal? 
> Does the license
> > permit its use with amavis?
> > I need to know it for sure... so can anyone help me?
> >
> > However, the open alternatives (clamav, openantivirus, etc) 
> are stable enough?
> > They get updated fast enough?
> 
> Openantivirus is outdated by clamav, and clamav is very 
> stable on all 3 of
> my servers, bugbear was picked up by quickly enough for me. Definetly
> worth using IMHO. works with amavis (all MTA's), exiscan (exim3), and
> MIMEDEfang (sendmail milter), in my setups. I'm very pleased.
> 
I second that. We use amavisd-new with clamav on all our externally visible
MX boxen. The software is rock stable, but clamav's database site is down
from time to time. This is fixed in mainstream (different download server);
eventually I'll put updated debs somewhere. I also filed a bug for that,
hoping the package maintainer will pick it up soon.


Thomas




Re: German KK-applications and domain transfers

2003-05-24 Thread Thomas Lamy
Cameron Moore wrote:
> 
> This is a little off-topic, but I figure someone here has to 
> know this.
> 
> A customer of mine is wanting to buy a domain from a German citizen.
> They tell me that the German told them to fill out a KK-application to
> get the domain transferred.  Can anyone tell me where to get more info
> on this KK-application (preferrably in English)?  My googling 
> has turned
> up nothing informative.
> 
> Also, does anyone know if this is really necessary?  Can we not just
> request the tranfer with our Registrar and let the registrars 
> take care
> of the authentication and validation?  Thanks

The procedure for .de domain transfers is:

- the wannabe domain holder (or his registrar) instructs a DENIC member
(list on http://www.denic.de/doc/DENIC/mitglieder.en.shtml) to start a KK
for the domain in question, including new admin, tech and zone contacts and
at least two (already set up) authoritative name servers
- the current DENIC member gets a notification for that, and has to agree or
disagree (KK ACK or KK NACK) within a few working days. It should only ACK if
it has a cancellation notice or clearance from its current customer (the
domain admin)
- if DENIC gets the ACK, the domain is updated


So these steps are necessary to transfer a .de domain:
(1) the current domain holder instructs the DENIC member which is currently
maintaining the domain that  will issue a KK
and that they should ACK that
(2) you (or your registrar) set up at least two authoritative name servers
for the domain
(3) you request the transfer with your registrar (which, if not a DENIC
member, in turn requests it from a DENIC member)
(4) the current maintaining DENIC member will ACK (if (1) was OK)
(5) you're done (within ~1 week if everything goes fine)


Thomas




Re: Using hash directories

2003-05-23 Thread Thomas Lamy
Emmanuel Lacour wrote:
> 
> Hi,
> 
> 
> I would like to understand why some softwares such as postfix or squid
> uses hash of directories like:
> 
> a/a/
> b/a/
> c/a/
> d/a/darmond
> e/a/
> f/a/
> 
> 
> for their spools.
> 
> I will set up a server for a lot of mail accounts (~2) with
> postfix+ldap+maildrop+courier-imap, so is it better to put 
> all Maildirs
> in /home/vmail/ directly or using hash directories? What are the
> benefits?
> 
Hi,

this is because many file systems out there get very slow when they have
some 1000 files in one directory. This is true for at least "older" file
systems, like ext2, minix, and probably ext3 too (because it's basically
ext2+journal).

I did some tests with ext2 and reiserfs for some project, and found it was
fastest to have only _one_ hash level (256 dirs) for ~5 files, as system
load went up dramatically when I introduced the second hash level. But
that's another story.

Thomas
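
The one-level layout described above, as an added example (shell, not from
the original post or from maildrop/courier): the cksum-based bucket function
and the /home/vmail base are this example's own assumptions. The point a
delivery setup needs on top of the hashing is that the mailbox name becomes a
path component, so it is checked before it is joined to the base directory:

```sh
#!/bin/sh
# Added example, not part of the original post: a one-level hashed Maildir
# layout (256 buckets under a base directory) plus the input check needed
# when the mailbox name comes from LDAP or user input and ends up as a
# path component. The cksum-based bucket and /home/vmail are assumptions.

# maildir_path BASE NAME: print BASE/<2-hex-digit bucket>/NAME/Maildir/ or
# return 1 without printing anything when NAME is unsafe. Rejected: empty
# names, names starting with "." (hidden dirs and "..", i.e. traversal out
# of BASE), anything containing "/" and any character outside the allowed set.
maildir_path() {
    mp_base=$1
    mp_user=$2
    case "$mp_user" in
        ''|.*|*/*|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    # bucket = CRC32 of the name modulo 256; cksum is POSIX and on every
    # Debian box, and only an even spread matters here, not strength
    mp_crc=$(printf '%s' "$mp_user" | cksum | cut -d' ' -f1)
    mp_bucket=$(printf '%02x' $(( mp_crc % 256 )))
    printf '%s/%s/%s/Maildir/\n' "$mp_base" "$mp_bucket" "$mp_user"
}

# maildir_buckets BASE: create the 256 bucket directories once, mode 0700,
# so delivery never has to mkdir above the mailbox level.
maildir_buckets() {
    for mb_bucket in $(awk 'BEGIN { for (i = 0; i < 256; i++) printf "%02x ", i }'); do
        mkdir -p -m 0700 "$1/$mb_bucket" || return 1
    done
}

# Stand-alone demo: two valid names and three that must be rejected
for name in darmond alice@example.net '../etc' .hidden 'a b'; do
    if mp=$(maildir_path /home/vmail "$name"); then
        echo "ok      $name -> $mp"
    else
        echo "REJECT  $name"
    fi
done
```

The allowed character set is deliberately narrow; if your user names carry
other characters, widen the bracket expression rather than dropping the check,
because the "../" and leading-dot cases are what keep a crafted LDAP entry
from pointing a delivery at a directory outside the spool.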




Re: can't compile courier-imap with authmysql *G*

2003-05-11 Thread Thomas Lamy
Gregory Machin wrote:
> 
> I can't compile with authmysql on debian 3 woody...
> 
> yes i do have all the require lib's for mysql got a full 
> server install
> and libmysqlclient10 installed.
> 
> I have tried the following as sergested by the faq and in 
> mailing list...
> 
> CPPFLAGS="-I/usr/local/ssl/include"
> LDFLAGS="-L/usr/local/ssl/lib"
> export CPPFLAGS
> export LDFLAGS
> 
> ./configure \
> --with-mysql-libs=/usr/local/mysql/lib/mysql \
> --with-mysql-includes=/usr/local/mysql/include/mysql \
> --with-authmysql \ --with-authmysql=yes ...
> 
> and i still get .
> configure: error: --with-authmysql specified but no mysqlclient.so
> configure: error: /bin/sh ' .configure' failed for authlib
You need libmysqlclient10-dev to compile packages using the MySQL client.
You also have to specify --with-mysql-{includes,libs} to point to
/usr/include/mysql and /usr/lib respectively.

I also think that there's no need to compile it yourself, since courier-imap
and authmysql are in stable (woody). If you really want to compile your own,
then get the debianized sources with build dependencies and satisfy them. In
most cases backporting to woody is easier than building from un-debianized
sources.

In general, I (and most Debian-using people I know of) prefer to (in this
order):
- use the maintainer debs (from woody or sarge)
- backport (or use) debs from sid
- build own debs (merge fresh mainstream sources and the debianized stuff
from the maintainer)
- use mainstream sources only

Most of us are in the ISP business or work for medium to large sized
companies, and IMHO in this position it's wise to benefit from a package
maintainer's work. If you need a software package with no deb maintainer, give
back to the community and actually _become_ the maintainer for that
package.

Just my 0.02 Euros.

  Thomas

> 
> Please help
> many thanks
> greg
> 




Re: Re making routes permanent

2003-05-01 Thread Thomas Lamy
Tarragon Allen wrote:
> >
> > e.g. something like this in /etc/network/interfaces:
> >
> > iface eth0 inet static
> >   address x.x.x.x
> >   netmask 255.255.255.0
> >   broadcast x.x.x.255
> >   up route add -net y.y.y.y gw z.z.z.z
> >   up route add -net a.a.a.a gw z.z.z.z
> 
> And you should really put corresponding "route del"s in there 
> too, otherwise 
> you could end up with duplicated routes and all sorts of 
> funniness if your IP 
> is changing a bit (not too likely, but better to be neat than sorry).
> 
This is not needed, since AFAIK routes through one interface are
automatically removed when the interface is reconfigured or goes down.

Thomas




Re: Network monitor

2003-05-01 Thread Thomas Lamy
Ghe Rivero wrote:
> 
> Hi! 
>   I would like to monitor a complex and heterogeneus 
> network, but i dont
> know what to use for it. It should be almost real time monitor and has
> any kind of alerts (sound, sms..) Any idea? Thx
> 
> Ghe  Rivero

I use NetSaint, and have heard of other tools like Big Brother or Big Sister.

NetSaint sends emails by default, and supports 2 different email addresses. I
set up one of them to point to an SMS gateway. It also supports sounds
(played from the web browser). Its successor, Nagios, is currently in
unstable, and supports databases (MySQL for sure, and I think PostgreSQL too).

Thomas




Re: Open File Limit

2003-05-01 Thread Thomas Lamy
Rus Foster wrote:
> 
> On Thu, 1 May 2003, Matthew Walkup wrote:
> 
> > However, every morning, I run a Perl script that processes 
> all of my apache
> > logs into webalizer.  I believe it is this script, that 
> cause me to get
> > several errors in the /var/log/daemon.log (The cron.daily is run at
> > 06:25:00):
> > May  1 06:32:40 a-web inetd[17351]: getpwnam: mail: No such user
> > May  1 06:32:42 a-web inetd[17354]: getpwnam: cyrus: No such user
> > <-- several logs removed, just named information -->
> > May  1 08:45:55 a-web inetd[13332]: execv /usr/sbin/exim: 
> Too many open
> > files in system
> > May  1 08:45:56 a-web inetd[13336]: execv /usr/sbin/exim: 
> Too many open
> > files in system
> 
> Try
> 
>  echo bignumber > /proc/sys/fs/file-max
> 
Or fix the file descriptor leaks in your Perl script. I have yet to see a web
server crawling on fd limits.


Thomas




AW: Exim 4 giving trouble compiling on woody HELP

2003-05-01 Thread Thomas Lamy
Gregory Machin wrote:
> 
> This is my make output .
> As far as i can the all the files that arequired on the 
> system are there.
> and the Makefile is set to point to the correct loactions.
> 
> [...]
>
> gcc -o exim  acl.o child.o crypt16.o daemon.o dbfn.o debug.o deliver.o
> directory.o dns.o drtables.o enq.o exim.o expand.o filter.o globals.o
> header.o host.o ip.o log.o lss.o match.o moan.o os.o parse.o 
> queue.o rda.o
> readconf.o receive.o retry.o rewrite.o route.o search.o smtp_in.o
> smtp_out.o spool_in.o spool_out.o store.o string.o tls.o 
> tod.o transport.o
> tree.o verify.o local_scan.o  version.o \
>   pcre/libpcre.a \
>   routers/routers.a transports/transports.a lookups/lookups.a \
>   auths/auths.a \
>   -lresolv -lnsl -lcrypt\
>-ldb -L/usr/lib -lmysqlclient -lpq  -lssl -lcrypto/
> /usr/bin/ld: cannot find -lpq

Your system is missing the package "postgresql-dev", I think. I'm not an
Exim guru, but as you're also linking against the MySQL libraries, maybe you
don't want PostgreSQL support and forgot to disable it somewhere?


Thomas




Re: making routes permanent

2003-04-28 Thread Thomas Lamy
[EMAIL PROTECTED] (get yourself a real name) wrote:
> 
> i currently have 2 route add -net statments in my inittab file..
> 
> Where is the corret place to save route setting.
> 
> I have a number of routes that need to be permanent and must survive a
> system resart.
> 
> Gregory Machin
> 
I learned that /etc/network/interfaces is the right place for it. Just add
statements like

up route add -net 192.168.0.0 netmask 255.255.0.0 gw 1.2.3.4

into the same interface block the gateway address is in (indented with
). All "up" commands are executed when the corresponding interface
comes up. There's also "pre-up", "down" and "post-down", which you don't need
here. man 5 interfaces is your friend.

Thomas




Re: Squid 2

2003-04-18 Thread Thomas Lamy
Andreas Krüger wrote:
> Hello people.
> 
> I have just installed Squid 2 on my debian box and started it.
> However, it seems to not work, when I enter the information in my
> browser for a proxy (gatekeeper.no-9.dk and 3125) then it just says
> it has not any access to the proxy.
>
> Could it be because I have not opened any ports in my firewall?
> I just cannot see why it will not cache any homepages.
>
> I would like, if some of you people could send me your squid 2 conf. 
>
You have to configure Squid's access lists first.

Look into /etc/squid.conf; there's a comment near "http_access deny any".


Thomas

PS: Don't use HTML on mailing lists...




AW: Raid 1 woes

2003-04-11 Thread Thomas Lamy
Craig wrote:
> 
> Hi guys
> 
> I am getting the following error message from cron
> 
> Does anyone know what steps I need to take to resync these 
> broken mirrors ?
> 
> And what the U stands for ?
> 
> [...]
> Personalities : [raid1]
> read_ahead 1024 sectors
> md2 : active raid1 ide/host0/bus0/target0/lun0/part4[0]
>   2704 blocks [2/1] [U_]
> 
> md1 : active raid1 ide/host0/bus0/target0/lun0/part3[0]
>   1951808 blocks [2/1] [U_]
> 
> md0 : active raid1 ide/host0/bus0/target0/lun0/part2[1]
> ide/host0/bus0/target1/lun0/part2[0](F)
>   979840 blocks [2/1] [_U]
> 
U means "up", so this output says your second disk has failed
(ide/host0/bus0/target1/lun0/part2[0](F)).

Repair should start automatically after the next reboot (if the disk works).
Otherwise get another disk, partition it the same as the first disk, reboot, and
the reconstruction should start.

Thomas
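
A cron check for the [U_]/(F) pattern discussed above, added here as an
example; it is not from the original post and not part of raidtools or mdadm.
It needs only POSIX sh and awk, and runs against a constructed /proc/mdstat
sample modelled on the output quoted above (md1 made healthy so the filter is
visible):

```sh
#!/bin/sh
# Added example, not part of the original post: a cron-friendly check that
# reads /proc/mdstat (or any file/stdin in that format) and reports arrays
# with a missing slot ("_" in the [U_] map) or a member flagged (F).
# The sample below is constructed from the layout shown in the thread.

# mdstat_degraded: read mdstat text on stdin, print one line per degraded
# array, and return 1 if any was found (so a cron/mail hook can key off it).
mdstat_degraded() {
    md_report=$(awk '
        # header line: "md0 : active raid1 dev[1] dev[0](F)"
        # remember the array name and collect members marked (F) = faulty
        /^md[0-9]+ : / {
            md_name = $1; md_failed = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /\(F\)$/) md_failed = md_failed " " $i
            next
        }
        # status line that follows: "... blocks [2/1] [_U]"
        # an underscore in the map is a slot with no working member
        md_name != "" && match($0, /\[[0-9]+\/[0-9]+\] \[[U_]+\]/) {
            md_status = substr($0, RSTART, RLENGTH)
            if (md_status ~ /_/)
                printf "%s DEGRADED %s%s\n", md_name, md_status, md_failed
            md_name = ""
        }')
    [ -n "$md_report" ] || return 0
    printf '%s\n' "$md_report"
    return 1
}

# Constructed sample: md1 has been made healthy so the filter is visible.
MDSTAT_SAMPLE=$(cat <<'EOF'
Personalities : [raid1]
read_ahead 1024 sectors
md2 : active raid1 ide/host0/bus0/target0/lun0/part4[0]
      2704 blocks [2/1] [U_]

md1 : active raid1 ide/host0/bus0/target0/lun0/part3[0] ide/host0/bus0/target1/lun0/part3[1]
      1951808 blocks [2/2] [UU]

md0 : active raid1 ide/host0/bus0/target0/lun0/part2[1] ide/host0/bus0/target1/lun0/part2[0](F)
      979840 blocks [2/1] [_U]
unused devices: <none>
EOF
)

# Stand-alone run against the sample. From cron on a real box:
#   report=$(mdstat_degraded < /proc/mdstat) || printf '%s\n' "$report" | mail -s "RAID degraded" root
printf '%s\n' "$MDSTAT_SAMPLE" | mdstat_degraded || echo "RAID needs attention"
```

It prints nothing and exits 0 while every array is complete, so the cron line
only mails when something is wrong. If an array does not resync on its own
once the disk is back, raidhotadd (raidtools) or mdadm --add puts the member
back; the check only tells you which array and member to look at.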




Re: which dns server to use ?

2003-04-09 Thread Thomas Lamy
Oliver Hitz wrote:
> 
> On 08 Apr 2003, Thomas Lamy wrote:
> > I recently switched to mydns (http://mydns.bboy.net/). As 
> all data is stored
> > in a mysql (or pgsql) backend, it's easy to edit 
> zones/resource records. And
> 
> While I see that it may be useful to have zone data in an sql
> backend, I don't like the idea of plugging a mission-critical
> service such as a dns server directly to an sql database. A dns
> server has to be as simple as possible, with as few dependencies as
> possible. Serving zone data directly from an sql database increases
> the complexity of your system and adds new points of failure, what
> is especially undesirable in the case of a dns server.
> 
You are right (in part); I had the same concerns, and not only with DNS.
Most of our services depend on MySQL right now: customer DB, webserver
config, mail users, DNS records, RADIUS DB.

I did take some counter-measures against SPOFs:
- three DB servers (2 in active-active replication, and a third running from
the last daily DB export)
- the MySQL connection procedure in mission-critical programs (mydns, SNMP
gatherer) is hacked to try both main servers in r/w mode, and then the third
one in r/o mode.

I'm also prepared to build a tertiary DNS based on whatever software, with
zone files generated from the database, if our current one doesn't prove to be
stable. But it has worked for months now w/o a problem.

Thomas




Re: which dns server to use ?

2003-04-08 Thread Thomas Lamy
Stephane Bortzmeyer wrote:
> 
> On Sat, Apr 05, 2003 at 06:30:48PM +0200,
>  Markus Welsch <[EMAIL PROTECTED]> wrote 
> 
> > Which dns server would you suggest ?
> 
> Why not PowerDNS http://www.powerdns.com/>, the only one which is
> fully extensible?
>  
> >  BIND ( http://www.isc.org/products/BIND/ )
> 
> Why not? The Apache of the DNS servers, feature-rich and very
> configurable.
BIND is more sendmail than apache (3-5 years ago): most used DNS server
software, bloated code (IMHO), and a remote exploit every now and then. Just
because most of the internet uses it, it may not be (isn't) the best software
around.
> 
> >  djbdns   ( http://cr.yp.to/djbdns.html )
> 
> The author stated very clearly several times that he will not
> implement the DNS but only the thngs he likes.
> 
> Also, while you should not choose a program on the basis of the
> author's personnality, I'm ready to make an exception for this one.

IMHO, DJB's software offers some interesting new ways to solve problems. But
it is based on a non-free license, paired with DJB steadily refusing
backwards compatibility (related to config files) for the programs he'd like
to replace.
I don't think DJB will change his mind in this life, so I choose _free_
software with open development.
> >  NSD  ( http://www.nlnetlabs.nl/nsd/ )
> 
> Very good program, quite recommended.
>  
> > Pretty much importance is performance and security. 
> 
> You will probably be happy with nsd.
> 
Can't comment on that.

I recently switched to mydns (http://mydns.bboy.net/). As all data is stored
in a MySQL (or PostgreSQL) backend, it's easy to edit zones/resource records. And
it fits perfectly into our web-based administration interface. It's small,
fast, and does its job. Took me 10 minutes to understand and install. I
also find the code very readable (one of the things I look at when it comes
to mission-critical software). Note that mydns is _not_ a caching server, but
there are other free packages that do this job.


Just my 0.02 Euros
  Thomas




Re: Postfix log analizer

2003-04-02 Thread Thomas Lamy
Andre Luis Lopes wrote:
> 
> Hi,
> 
>   Does someone know a good Postfix log analizer which could generate
> reports featuring the sender and recipient addressess for each message
> which went through Postfix ?
> 
> -- 
> André Luís Lopes
> [EMAIL PROTECTED]
> 
You should give pflogsumm a try.

-- 
Thomas Lamy[EMAIL PROTECTED]
Softwareentwicklunghttp://www.netwake.de/ 




Re: Free Radius Software

2003-03-25 Thread Thomas Lamy
Tomàs Núñez Lirola wrote:
> []
> mic:/etc/apt# apt-cache search radiusd-freeradius
> radiusd-freeradius - A high-performance and highly 
> configurable RADIUS server
> 
> 
> []
> tom:/etc/apt# apt-cache search radiusd-freeradius
> tom:/etc/apt# apt-get install radiusd-freeradius
> Reading Package Lists... Done
> Building Dependency Tree... Done
> E: Couldn't find package radiusd-freeradius
> tom:/etc/apt#
> 
> 
> Why, if the sources are the same, there is differences with 
> freeradius?
> Can't figure out!
> 
It seems like radiusd-freeradius has been dropped from unstable after you
installed it. Searching for radiusd on a sarge machine gives:

proxy:~# apt-cache search radiusd
radiusd-cistron - Radius server written by Cistron.
radiusd-livingston - Remote Authentication Dial-In User Service (RADIUS)
server
xtradius - Free radius server implementation.

No more freeradius... We use it, but compiled directly because I didn't want
to go unstable on production machines.

Apparently freeradius has been removed from the pool for having "grave" bugs
for longer than 3 months. There was some discussion on linux.debian.devel
which clarifies this issue; here is the Google link:

Unfortunately, nobody seems to have taken over package maintenance since.

Thomas




Re: Neighbour table overflow problem

2003-03-07 Thread Thomas Lamy
Jeff S Wheeler wrote:
> Dear list,
> 
> I have a linux 2.4 box running zebra and acting as a default 
> gateway for
> a number of machines.  I am concerned about "Neighbour table overflow"
> output in my dmesg.  From some articles I've read on usenet, this is
> related to the arp table becoming full.  Most of the posters solved
> their problems by configuring a previously unused loopback 
> interface, or
> realizing that they had a /8 configured on one IP interface 
> and a router
> on their subnet that was using proxy-arp to fulfill the arp requests.
> 
This was true with some Red Hat release (unconfigured loopback). But as you
realized, this is not your problem.
> When the network is busy I've seen as many as 230+ arp
> entries, but it never seems to break 256.  Is this an artificial limit
> on the number of entries that can be present in my arp table? 
No, it's just the default (guess: 254 ARP entries per NIC?). Had the same
problem: one (err, actually two; different story) machine acted as default
router for various /22 subnets on each of the 4 NICs. It was just massive
ARP requests, as we got our networks from a previously shut down ISP. I guess
even unfulfilled ARP requests take a slot in the kernel neighbour table.
>  If so, I
> would like to increase the limit by to 2048 or so and give myself some
> headroom.  I am concerned that might slow down packet 
> forwarding, but I can probably live with that.
After some googling, I found:
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

Up to now I found no drawbacks; "only" the kernel message is gone.

> 
> Has anyone on the list encountered similar problems?  If so, 
> is this the
> approach you took to solve them or did you do something else?
> 
> Thanks,
> 
> --
> Jeff S Wheeler <[EMAIL PROTECTED]>

Thomas
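
An added example (not from the original post) that sizes all three
neighbour-table thresholds together rather than raising gc_thresh3 alone, and
counts the unresolved entries suspected above. It assumes the Linux defaults
of 128/512/1024 for gc_thresh1/2/3 and the sysctl names under
net.ipv4.neigh.default; the "ip -4 neigh show" lines are a constructed sample:

```sh
#!/bin/sh
# Added example, not from the original post: size all three neighbour-table
# thresholds instead of bumping only gc_thresh3, and summarise "ip -4 neigh
# show" output to see how many slots unanswered ARP is holding. Assumes the
# Linux defaults gc_thresh1=128, gc_thresh2=512, gc_thresh3=1024 and the
# sysctl names under net.ipv4.neigh.default.

# neigh_sysctl_lines HARD: print sysctl.conf lines for a hard limit HARD,
# keeping the kernel's default 1:4:8 ratio. gc_thresh3 is the hard limit
# (the "Neighbour table overflow" point); above gc_thresh2 the collector
# drops entries older than 5 s; below gc_thresh1 it never runs. Raising
# only gc_thresh3 to 2048 leaves the soft limit at 512, so a router that
# really needs 1500 neighbours keeps churning its table.
neigh_sysctl_lines() {
    ns_hard=$1
    printf 'net.ipv4.neigh.default.gc_thresh1 = %d\n' $(( ns_hard / 8 ))
    printf 'net.ipv4.neigh.default.gc_thresh2 = %d\n' $(( ns_hard / 2 ))
    printf 'net.ipv4.neigh.default.gc_thresh3 = %d\n' "$ns_hard"
}

# neigh_summary: read "ip -4 neigh show" lines on stdin and print the total
# and how many are INCOMPLETE or FAILED (ARP never answered, slot still used).
neigh_summary() {
    awk '{ total++; if ($NF == "INCOMPLETE" || $NF == "FAILED") dead++ }
         END { printf "total=%d unresolved=%d\n", total, dead }'
}

# neigh_check TOTAL HARD: succeed while TOTAL is below 80% of HARD, fail
# otherwise; meant for a cron job that mails before the overflow happens.
neigh_check() {
    [ $(( $1 * 5 )) -lt $(( $2 * 4 )) ]
}

# Constructed sample in "ip -4 neigh show" format (RFC 5737 addresses)
NEIGH_SAMPLE='192.0.2.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.0.2.11 dev eth0 lladdr 00:11:22:33:44:56 STALE
192.0.2.12 dev eth1 FAILED
192.0.2.13 dev eth1 INCOMPLETE'

# Stand-alone demo; on a router: ip -4 neigh show | neigh_summary
neigh_sysctl_lines 2048
printf '%s\n' "$NEIGH_SAMPLE" | neigh_summary
neigh_check 230 256 || echo "table nearly full"
```

Append the three lines to /etc/sysctl.conf and run sysctl -p, or echo each
value into /proc/sys/net/ipv4/neigh/default/ for the running kernel; the
gc_thresh values live under neigh/default/ only, not in the per-interface
directories.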




Re: Tayloring Debian Installs

2003-03-06 Thread Thomas Lamy
Adrian 'Dagurashibanipal' von Bidder wrote:
> On Thu, 2003-03-06 at 17:54, Thomas Lamy wrote:
> [installing multiple servers]
> 
> For large scale/frequent installation happenings: fai
> Don't use it myself, but I hear it's really great when you've 
> set it all
> up.
> 
I also received some direct replies mentioning FAI
(http://www.informatik.uni-koeln.de/fai/), which, from the docs, sounds very
promising.

For saving / restoring the list of installed/selected packages the way to go
is:
> 
> What you're looking for: 'dpkg --get-selections > file' and 
> 'dpkg --set-selections < file && dselect'
> 

Thank you all.

  Thomas

PS. Google is fine, but only if you know what you're looking for :-)







Tayloring Debian Installs

2003-03-06 Thread Thomas Lamy
Hi,

some days ago I had the task of setting up 6 debian servers for our web
server farm. It was rather boring to do the base install, alter the apt.conf
and sources.list (we run a combo of testing/stable), de-select unwanted
default packages (you know the score...).

I'd like to streamline that task, as there are another 10 servers next month
that need the same procedure.

In SuSE, it was an easy task, as you could save the state of installed
packages on a running machine, and inject that at the base install stage, so
there were only custom packages (and configuration) left.

I thought it would be the easiest way to use tasksel for that, but I didn't
find a way to import external data (even hand-made) to define a new "task".

Another thought was to use some netinstall iso, and tweak it (alter the
basedebs.tar, sources.list) to my needs.

HD cloning is not really an option, as most times the source HDD won't match
the new ones, and I'd also like to use this procedure to convert the rest of
the SuSE machines here.

So, what are you using? 


Thomas




Re: Small Debian Installs

2003-03-06 Thread Thomas Lamy
Randy Kramer wrote:
> On Wednesday 05 March 2003 02:42 pm, Russell Coker wrote:
> > Just install a small Debian system.
> 
> That might be exactly what I want to do (for a different purpose).

Me too!

> 
> What's the smallest someone on the list has installed, and what's the 
> easiest way to go about doing it?
I needed a WLAN Router 3 weeks ago, and didn't want to start with a new
distro (I really like debian).
I did the standard install (basedebs only), and removed portmap, NFS, lpr,
gcc and the like, added only wireless tools and shorewall. That way I
brought it down to ~200 MB (which would fit on a 256 MB CF-Card), and I'm
sure it would be possible to even get under 100 MB (delete /usr/share/doc
etc).
> 
> I'd like to have a small Linux partition on a dos \ Windows disk to 
> include a bootloader (lilo) and some utilities for partitioning, 
> formatting, and making and restoring disk images.
The German c't magazine included a Knoppix-CD (which is debian-based) some
weeks ago, which basically is a complete "Run From CD" distro. Not small,
but really useful. Not a limited rescue disc, as most/all of the tools one
needs are included.
> 
> I started working with a Vector root / boot set and have made 
> progress, 
> but I have a lot to learn and many problems remain -- if there is an 
> easier way I'd like to try it.
Sorry, I never went that path. Sounds like an adventure, though :-)
> 
> Randy Kramer
> 
Thomas Lamy
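Tying the two threads together (the dpkg --get-selections / --set-selections answer to the "Tayloring" question, and the package stripping in the WLAN-router reply above), here is an added example that is not from either post: it takes a selections dump from a reference machine and flips the unwanted packages to "deinstall", so that --set-selections schedules their removal on every clone. The sample dump and the package list are constructed; apt-get dselect-upgrade is the non-interactive stand-in for the dselect step.

```shell
#!/bin/sh
# Added example (not from the posts): prune a `dpkg --get-selections` dump so
# that replaying it with `dpkg --set-selections` also removes the packages
# we never want on the cloned servers.

# Constructed sample of `dpkg --get-selections` output. Real output is
# tab-separated; awk's default field splitting handles both tabs and spaces.
SELECTIONS='base-files install
gcc install
lpr install
nfs-common install
portmap install
shorewall install
wireless-tools install'

# Packages that must not survive onto a clone (from the WLAN-router reply).
UNWANTED='portmap nfs-common lpr gcc'

# prune_selections: stdin = selections dump, stdout = same dump with every
# unwanted package that is marked "install" flipped to "deinstall".
prune_selections() {
    awk -v unwanted="$UNWANTED" '
        BEGIN { n = split(unwanted, u, " "); for (i = 1; i <= n; i++) drop[u[i]] = 1 }
        ($1 in drop) && $2 == "install" { print $1 "\tdeinstall"; next }
        { print }
    '
}

# count_state STATE: how many entries of a dump carry selection state STATE.
count_state() {
    awk -v s="$1" '$2 == s { n++ } END { print n + 0 }'
}

# On a real box:
#   dpkg --get-selections > selections.ref          (reference machine)
#   prune_selections < selections.ref > selections.clone
#   dpkg --set-selections < selections.clone && apt-get dselect-upgrade
printf '%s\n' "$SELECTIONS" | prune_selections
```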










Re: Mail server

2003-02-25 Thread Thomas Lamy
Russell Coker wrote:
> 
> On Mon, 24 Feb 2003 18:34, Colin Ellis wrote:
> > Email doesn't really need much processing, but does take 
> > surprisingly large amounts of disk space.
> 
> Obviously such things differ depending on exactly who is 
> using the service and what they are doing.
> 
> But my experience is that with modern disks a mail server 
> will run out of seek 
> performance before it runs out of space.
> 
> [...]
> 
> If a message delivery takes 10 disk writes (actually it 
> probably takes more 
> once you count writing to two files in the queue then writing 
> it to the spool 
> and deleting the queue files with lots of fsync() along the 
> way) then such a 
> machine can only deliver 13 messages per second.
> 
> I have been considering modifying the Qmail and maildrop code 
> to not use 
> fsync() etc to allow more users per server (yes I know about 
> the reliability 
> issues, but there are lots of more important things to worry about).

Well, qmail is an I/O hog. We have a (small) list-server at a customer which
was set up with qmail (w/ el-cheapo 20 GB IDE HDDs). Could only send at ~512
kbit. Then replaced qmail with postfix, now it saturates the customer's T1
without problems...

From my experience, you should use a hardware raid controller w/ (at least)
1 UPM SCSI disks, and postfix+courier imap. CPU power should be no
problem, it's seek I/O that matters.

Just my 0.02 Euros
   Thomas







AW: Bandwidth monitoring

2003-02-12 Thread Thomas Lamy
Fraser Campbell wrote:
> 
> Hi,
> 
> When installing servers in a colocated environment what do people
> suggest for monitoring bandwidth used by virtual hosts on that server?
> 
> Traffic will be http, https and smtp.  I'm hoping this can be
> accomplished without dedicating an IP to each host/domain (with the
> exception of https of course).
> 
> Thanks,
> 
> Fraser
> 
We use mod_watch (http://www.snert.com/Software/mod_watch/) for apache vhost
accounting. Works well, but loses some bytes and/or requests when
restarting apache. But much much better than parsing apache logs. Works with
any vhost (http or https) and provides an snmp-like table for accounting. As
with everything apache logs, it's not really accurate (the size of the
request itself is not logged), but that's ok.
For smtp traffic, most of the time it's not really necessary to monitor,
or, at least, not worth the effort. Although I'm thinking about having
syslog write mail.log to a pipe, and parse the logs in realtime to a
database...

Thomas
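The parsing half of the "mail.log to a pipe" idea above, as an added example that is not from the post: it sums outbound SMTP bytes per sender domain from Postfix qmgr lines (the size= field on the "from=<...>" line), which is the per-customer figure an ISP would push into the accounting database. The log lines, host name, queue ids and addresses are all constructed.

```shell
#!/bin/sh
# Added example (not from the post): per-sender-domain SMTP byte accounting
# from Postfix mail.log lines. Constructed sample log; nothing here is real.

MAILLOG='Mar 12 10:01:02 mx postfix/qmgr[1234]: 3F2A1C0F1: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Mar 12 10:01:03 mx postfix/smtp[1240]: 3F2A1C0F1: to=<bob@example.net>, relay=mail.example.net[192.0.2.25]:25, delay=1, status=sent (250 OK)
Mar 12 10:02:10 mx postfix/qmgr[1234]: 4A0B2D1E2: from=<alice@example.com>, size=3072, nrcpt=2 (queue active)
Mar 12 10:03:44 mx postfix/qmgr[1234]: 5B1C3E2F3: from=<carol@example.org>, size=512, nrcpt=1 (queue active)
Mar 12 10:04:00 mx postfix/qmgr[1234]: 6C2D4F3A4: from=<>, size=1024, nrcpt=1 (queue active)'

# smtp_bytes_by_domain: stdin = mail.log lines, stdout = "domain bytes" per
# sender domain, sorted. Only the qmgr "from=<...>, size=N" line is counted,
# once per queued message; null senders (bounces) are grouped as "<bounce>".
smtp_bytes_by_domain() {
    awk '
        /postfix\/qmgr\[/ && /from=</ && /size=/ {
            match($0, /from=<[^>]*>/)
            addr = substr($0, RSTART + 6, RLENGTH - 7)          # strip "from=<" and ">"
            dom = (split(addr, p, "@") == 2) ? p[2] : "<bounce>"
            match($0, /size=[0-9]+/)
            bytes[dom] += substr($0, RSTART + 5, RLENGTH - 5)   # strip "size="
        }
        END { for (d in bytes) print d, bytes[d] }
    ' | sort
}

# bytes_for DOMAIN: pull one domain's total out of the aggregated output.
bytes_for() {
    awk -v d="$1" '$1 == d { print $2 }'
}

# On a real box: smtp_bytes_by_domain < /var/log/mail.log (or a rotated copy).
printf '%s\n' "$MAILLOG" | smtp_bytes_by_domain
```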






Easy trouble ticket system?

2003-02-11 Thread Thomas Lamy
Hi,

can anybody recommend a simple (to set up and maintain) TTS for ISP use?
We want to
- auto-assign ticket ids to incoming support requests (by mail or web form)
- assign tickets to individuals or groups
- have a simple ticket report system (where customers can look up the state
of their ticket)


I looked into phpgroupware (didn't like it for many reasons) and
request-tracker (failed dependencies in stable/testing, and seems too
bloated).

I don't want to write one myself, but I will have to extend any solution to
interface with the existing homebrew customer database...


Any hints?

Thomas






Re: Multiple servers for 1 domain name?

2003-02-11 Thread Thomas Lamy
Eric Jennings wrote:
> On Monday, February 10, 2003, at 02:24 PM, Thomas Lamy wrote:
> 
> > Eric Jennings wrote:
> >>> On Mon, 2003-02-10 at 16:28, Jason Lim wrote:
> >>>> Hi All,
> >>>>
> >>>> I was wondering if you guys are aware of any solution 
> for multiple
> >>>> servers
> >>>> to server 1 domain name?
> >>>>
> >>
> >> If you start implementing the server farm architecture, 
> and have the
> >> problem of PHP sessions, SSL sessions, etc... Then you may want to
> >> invest in a hardware web switch, like an F5 or Foundry.  
> > One may also use LVS (http://linuxvirtualserver.org/) for 
> that. It's 
> > free,
> > and it runs like a charm. There is also connection 
> persistence, one may
> > choose between different weighting algo's, etc etc. And 
> with keepalived
> > (http://keepalived.sourceforge.net/) you may set up two LVS 
> directors 
> > in a
> > high available fashion, and have full control of how and 
> how often the
> > server's health is being checked (stoopid things like tcp 
> connect only, 
> > or
> > md5-hashes of different pages, or ...).
> >
> > We have taken this approach, and are very happy with it.
> >
> > []
> 
> Interesting to hear about this approach.  I tried to deploy 
> LVS around 
> three years ago, and it seemed like a huge unstable mess, and at that 
> time it made sense to go ahead and purchase the Foundry.  
> It's good to 
> hear that you have it running successfully in a production 
> environment.
One of our clients started with LVS around 2 years ago for his community
sites (serving ~500GB / month). I did a complete rebuild last year, with 2.4
kernels and LVS releases around 1.0. It's much more stable since 0.95 (?),
and the directors operate like a charm with 2.4's new SMP-able networking
code.
> 
> My question though, is how would you set up redundant LVS directors?  
> Could you offer a simple schematic?
This is keepalived implementing VRRP (Virtual Router Redundancy
Protocol, see <ftp://ftp.isi.edu/in-notes/rfc2338.txt>,
or, more readable,
<http://www.hanetworks.com/networks/nokia/vrrp/analysis_of_vrrpv2.htm>
).

[Note: I'll use both the terms "director" and "router", as this 
applies to both routers and LVS directors]

Basically, you have two (or more) machines running, and keepalived
(http://keepalived.sf.net/) assigns a virtual IP address to the
external interface of the current "master" server.
All of your Routers/Directors announce their availability to an IP
multicast address (224.0.0.18), along with their priority, and all
of the routers also listen to those announcements.
If the current "master" goes down, the remaining router with the
highest priority takes over the virtual IP address of the failed one
doing some ARP magic, and you're online (again).

There is also other software which mimics this ("fake", "mon",
"heartbeat", used in the redhat HA project named "piranha"), but
they're messy to set up, while VRRP is kinda standard.
I also set up an ipchains-based accounting gateway w/ failover (in lab only)
using VRRP one day, and the results were promising.


> 
> And how often does your rsync run to sync the web servers to 
> the master 
> server?  Seems with the amount of clients we have FTPing 
> things up and 
> down, that this would be a big problem if rsyncs were anything other 
> than immediate.  (A lot of our clients are web developers who do the 
> whole "upload-test-debug-repeat" development cycle with PHP, and if 
> they have to wait 5 minutes after each upload for the files 
> to rsync to 
> the web servers, then they're unhappy customers.  And you know what 
> they say about unhappy customers... :)
As this is for a customer's web site, we have scheduled updates two times a
day, which isn't really an option in your case. But you can monitor
/var/log/xferlog, and rsync only updated files. Or really try NFS.

> 
> Your thoughts?
> Eric
> 






Re: Multiple servers for 1 domain name?

2003-02-10 Thread Thomas Lamy
Eric Jennings wrote:
> > On Mon, 2003-02-10 at 16:28, Jason Lim wrote:
> >> Hi All,
> >>
> >> I was wondering if you guys are aware of any solution for multiple 
> >> servers
> >> to server 1 domain name?
> >>
> >> That is... like those big ISPs that have "user" webhosting.
> >>
> >> http://members.isp.com/joe/ (goes to server no. 5)
> >> http://members.isp.com/jane/ (goes to server no. 3)
> >> http://members.isp.com/someone/ (goes to server no. 2)
> > [...]
> >> Basically the reason for doing this is because the existing single 
> >> server
> >> is overloaded, and need to split the workload to 1 or 2 
> more servers.
> >
> > Some of the problem might be solved by moving the database to a
> > dedicated machine. If that doesn't spread the load enough, 
> doing a DNS
> > round-robin (having member.isp.com resolve to two different machines
> > with exactly the same setup) might solve the problem. The web
> > directories etc. (especially writeable areas for cgi programs) would
> > need to be shared, with NFS for example (which might create some 
> > locking
> > problems so you'd need to be careful...).
> >
> > Of course, this causes requests going to a random server - so PHPs
> > session tracking ability etc. will have problems. If you use such
> > things, investigating just upgrading the server first could already
> > bring relief (where is the performance problem exactly? Disk? CPU?
> > Memory?)
> 
> If you start implementing the server farm architecture, and have the 
> problem of PHP sessions, SSL sessions, etc... Then you may want to 
> invest in a hardware web switch, like an F5 or Foundry.  Yep, they're 
> expensive, but super fast and they will hold a particular user's 
> session to a single server for the duration of that session, 
> fixing the 
> problems of the PHP/SSL issues.
> 
> Also, they have the added feature of being able to check 
> heartbeat/pings of each server in the cluster.  A particular server 
> goes down, and the switch will automatically redirect 
> requests to other 
> servers, until that broken server comes back online.  DNS round robin 
> will continue to resolve to a broken server, thus making your uptime 
> availability = numgoodservers / totalservers.   Not a good thing if 
> you're running two servers, and one goes bad.  Instant 50% 
> availability.  Furthermore, you can assign weights to each server, so 
> if you have some old system that you still want to be in the cluster, 
> you can add them with a lower weight, and they'll get hit 
> less than the 
> brand new Dells you just bought (<- that one's for you 
> Russell Coker. :)
> 
One may also use LVS (http://linuxvirtualserver.org/) for that. It's free,
and it runs like a charm. There is also connection persistence, one may
choose between different weighting algos, etc etc. And with keepalived
(http://keepalived.sourceforge.net/) you may set up two LVS directors in a
highly available fashion, and have full control of how and how often the
server's health is being checked (stoopid things like tcp connect only, or
md5-hashes of different pages, or ...).

We have taken this approach, and are very happy with it.

We solved the problem of having only one MySQL server (SPoF) by adding a
second one, replicating from the main server, but the problem regarding
syncing file systems on the web servers is yet to be resolved. I dropped the
first idea of using one central file server with NFS - mostly because of NFS
itself, and because this would be another SPoF. Our tests with coda were
also stopped, because of (a) problems with lock-ups, and (b) the admin
involved with the tests leaving. For now we stick to one master server
(located on one of the LVS directors), regularly rsync'ing to the web
servers. 


Hope this helps (and saves $).

Thomas
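What the two LVS posts describe (VRRP between two directors, weighted balancing, connection persistence, and health checks ranging from a bare TCP connect to an MD5 digest of a page) as one keepalived.conf, added here as an example and not taken from the posts or from keepalived's own documentation. Interface, router id, addresses, weights, the health-check path and the digest are assumed placeholders; the second director runs the same file with state BACKUP and a lower priority.

```conf
global_defs {
    router_id lvs-director-1      # assumed name
}

# VRRP: every director announces itself to 224.0.0.18 once per advert_int
# seconds; the one with the highest priority owns the VIP and takes it over
# (ARP included) when the current master stops announcing. auth_type PASS is
# a plain-text shared secret, so keep VRRP (IP protocol 112) confined to the
# directors' own segment rather than relying on the password.
vrrp_instance VI_WEB {
    state MASTER                  # BACKUP on the second director
    interface eth0
    virtual_router_id 51
    priority 150                  # e.g. 100 on the second director
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass CHANGE-ME       # placeholder; identical on both directors
    }
    virtual_ipaddress {
        192.0.2.10/24 dev eth0    # the public VIP (documentation address)
    }
}

# LVS: traffic to the VIP is spread over the real servers; each real server
# has its own health check and weight.
virtual_server 192.0.2.10 80 {
    delay_loop 10                 # seconds between health-check rounds
    lb_algo wrr                   # weighted round robin
    lb_kind NAT
    persistence_timeout 600       # pin a client to one server (PHP/SSL sessions)
    protocol TCP

    real_server 10.0.0.11 80 {
        weight 3                  # the new box takes three shares
        HTTP_GET {                # content check: MD5 of the page must match
            url {
                path /healthcheck.html
                digest 00000000000000000000000000000000   # placeholder; compute with genhash
            }
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 2
        }
    }

    real_server 10.0.0.12 80 {
        weight 1                  # the old box takes one share
        TCP_CHECK {               # "tcp connect only" check
            connect_timeout 3
        }
    }
}
```

A server whose check fails is pulled from the pool until it passes again, which is the gap the DNS round-robin approach quoted above cannot close.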






Re: Evolution/Courier-IMAP acting strange

2002-12-29 Thread Thomas Lamy
Hi,

just a quick guess, but maybe Evolution tries to open too many parallel imap
connections. The courier default is max 4 connections per IP, you can change
this in /etc/courier/imapd (parameter name is MAXPERIP)

Thomas


-- 
Thomas Lamy             [EMAIL PROTECTED]
Software development    http://www.netwake.de/


> -Original Message-
> From: Pete Billson [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, 29 December 2002 20:59
> To: Justin Ryan
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Evolution/Courier-IMAP acting strange
> 
> 
> Justin,
>  1) The extraneous files should not affect things - I just 
> tried adding
> them to my ~/Maildir to confirm this and still everything works OK.
> 
>  2) There should be a ~/Maildir/courierimapuiddb file that lists the
> contents of your INBOX. Does this exist?
> 
>  3) There should also be a ~/Maildir/courierimapsubscribed file which
> listed your subscribed folders.
> 
>  4) All sub-mailboxes should also have the new,cur,tmp 
> directories (i.e.
> ~/Maildir/.debianlists/new) and they should have there own
> courierimapuiddb file.
> 
>  5) Logs show anything?
> 
> 
> Pete
> -- 
> http://www.elbnet.com
> ELB Internet Services, Inc.
> Web Design, Computer Consulting, Internet Hosting
> 
> 
> On Sun, 2002-12-29 at 14:18, Justin Ryan wrote:
> 
> > Once again, using maildir this shouldn't be an issue.  My 
> INBOX has the
> > least messages of all, compared to ~6 months of debian-* 
> lists, lugs,
> > etc..
> > 
> > I'm wondering if extraneous files in ~/Maildir could be a problem. 
> > There are msgid.lock and msgid.cache files from 
> procmail/formail keeping
> > track of duplicate messages - should these be moved to ~/.procmail ?
> 
> 
> 
> 






Re: SCSI or IDE

2002-11-27 Thread Thomas Lamy
Thomas Kirk [mailto:[EMAIL PROTECTED]] wrote:
> 
> Hep
> 
> On Mon, Nov 25, 2002 at 11:57:33AM +1300, Jones, Steven wrote:
> 
> > u can get hot swap ide 
> > 
> > promise do one (hot swap ide), dunno how good it is mind.
> 
> If you are thinking on this one ->
> http://www.promise.com/product/product_detail_eng.asp?productI
> d=90&familyId=6
> 
> Dont buy it! It as simple as that. 1 year ago i bought one of those
> bastards from promise and its slooow. Im running it as filer on a
> debian 3.0 system filesystem xfs and i havent been able to push it to
> a sustain throughput on more than 3MB/sec. This is with 8 
> 60GB IBM deskstar
> 7200rpm disks in raid5. 
> [...]
> Next time i have to buy ideraid ill try 3ware for sure.

I have one of those thingies running our local samba server, raid 5 w/ 3+1
80 Gig 7200 IBM HDDs. Works flawlessly and fast. hdparm shows the following
throughput:

 Timing buffer-cache reads:   128 MB in  0.87 seconds =147.13 MB/sec
 Timing buffered disk reads:  64 MB in  1.31 seconds = 48.85 MB/sec

This is on a dual PIII/500 w/ 256 MB.

Not the cheapest one, but it's actually worth it.

Thomas

