Re: Webmail application that doesn't abuse the IMAP server?
On Tue, 10 Jun 2003, Gary Mills wrote: > We do use that, and it probably does improve performance. It does have > a problem with idle browser connections that accumulate with time. > This also ties up a lot of `imapd' and `httpd' processes. It probably > needs a client timeout someplace. I haven't had time to investigate > further. I'm not sure how the httpd processes are being tied up, but "tied up" imapds that are otherwise idle don't cost you anything except some swap and a process table entry. They're basicly free. -Rob -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456 Research Systems Programmer * /usr/contributed Gatekeeper
Re: Cyrus on Red Hat Enterprise Linux
On Tue, 2003-06-10 at 20:35, Simon Brady wrote: > Hello world, > > We're planning to retire our Solaris mail server at the end of the year > and move Cyrus to Linux. I'd intended to move to RH7.3, which we use > widely and understand quite well, but Red Hat's support policies have > killed that idea. > > Is anyone currently running Cyrus on Red Hat Enterprise, either out of the > box or self-installed? If so, have you encountered any issues beyond those > to be expected on 7.x? Having built from source on Solaris I was looking > forward to using Simon Matter's RPMs, but I don't know how they'll > interact with the RH Network "all your server are belong to us" madness. RHAS 2.1 (and ES, the difference being, AFAICT, support) are basically just 7.2/7.3 systems (more the former, I think). So, if it works with 7.2, it should work with RHAS. 3rd party RPMs should be just fine; I have a few customers using up2date and they don't have any problems with the RPMs I've installed. My current strategy for my customers is to maintain them all at 7.3 until towards the end of the year, at which time I'm guessing RHAS 2.2 will be out, to which I will them move my customers. Wil -- Wil Cooley [EMAIL PROTECTED] Naked Ape Consultinghttp://nakedape.cc * * * * Linux, UNIX, Networking and Security Solutions * * * * * Tired of spam and viruses in your e-mail? Get the * * Naked Ape Mail Defender! http://nakedape.cc/r/maildefender * signature.asc Description: This is a digitally signed message part
Cyrus on Red Hat Enterprise Linux
Hello world, We're planning to retire our Solaris mail server at the end of the year and move Cyrus to Linux. I'd intended to move to RH7.3, which we use widely and understand quite well, but Red Hat's support policies have killed that idea. Is anyone currently running Cyrus on Red Hat Enterprise, either out of the box or self-installed? If so, have you encountered any issues beyond those to be expected on 7.x? Having built from source on Solaris I was looking forward to using Simon Matter's RPMs, but I don't know how they'll interact with the RH Network "all your server are belong to us" madness. [OT: Yes, I'm aware that there other other Linuces beyond RH, but we're committed to HP hardware which is only certified for RH and SuSE (one of my colleagues has been told by an HP engineer that they support Debian but I've yet to see anything official). We have zero SuSE experience in-house, so RH kind of have us by the danglies...] Thanks for any feedback, Simon -- Simon Brady mailto:[EMAIL PROTECTED] ITS Technical Services University of Otago, Dunedin, New Zealand
Re: Webmail application that doesn't abuse the IMAP server?
On Tue, Jun 10, 2003 at 09:27:13PM -0400, Ken Murchison wrote: > > Gary Mills wrote: > >Does anyone know of an e-mail web application that doesn't abuse the > >IMAP server by making short connections? Most of them simply connect > >and disconnect with each HTTP transaction. Is there one that behaves > >the same as an IMAP client, using one connection for the duration of > >the session. An IMAP proxy is not adequate because most of them only > >cache TCP connections and perhaps authentication. These are generally > >not the source of most of the transaction overhead. > > So what part of the connection to you perceive as the most expensive? > The selection of the mailbox? This might be cacheable, but that depends > on how the webmail client is written (ie, simply caching it might screw > up some of the client's logic). I haven't determined that. I suspect, though, that there are limits to what can be cached by a proxy. A better design might involve a persistent portion of the webmail application, that maintains some state across HTTP transactions. The communications between the two portions need not involve IMAP. > FWIW, Dave McMurtrie's imapproxy (http://www.imapproxy.org/) works quite > well with IMP/Cyrus, and is very well written. It doesn't cache the > selected mailbox, but it does keep an authenticated (and optionally > encrypted) connection open with the server. We do use that, and it probably does improve performance. It does have a problem with idle browser connections that accumulate with time. This also ties up a lot of `imapd' and `httpd' processes. It probably needs a client timeout someplace. I haven't had time to investigate further. -- -Gary Mills--Unix Support--U of M Academic Computing and Networking-
Re: Webmail application that doesn't abuse the IMAP server?
Gary Mills wrote: Does anyone know of an e-mail web application that doesn't abuse the IMAP server by making short connections? Most of them simply connect and disconnect with each HTTP transaction. Is there one that behaves the same as an IMAP client, using one connection for the duration of the session. An IMAP proxy is not adequate because most of them only cache TCP connections and perhaps authentication. These are generally not the source of most of the transaction overhead. So what part of the connection to you perceive as the most expensive? The selection of the mailbox? This might be cacheable, but that depends on how the webmail client is written (ie, simply caching it might screw up some of the client's logic). FWIW, Dave McMurtrie's imapproxy (http://www.imapproxy.org/) works quite well with IMP/Cyrus, and is very well written. It doesn't cache the selected mailbox, but it does keep an authenticated (and optionally encrypted) connection open with the server. -- Kenneth Murchison Oceana Matrix Ltd. Software Engineer 21 Princeton Place 716-662-8973 x26 Orchard Park, NY 14127 --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
Re: SQUAT: Unknown error 1 (Closing index)
Unfortunately, I don't have any more time to work on this, so I'm going to have to give up and stop using squat until it's fixed by someone else. It looks like something is making a SquatWordTable, but then not filling it in. Inside the write_trie_word_data function, it checks to see if t->first_valid_entry >= VECTOR_SIZE(offsets), and this is what actually makes it fail. I don't understand the code well enough to figure out where it might be forgetting to set t->first_valid_entry to something other than 256. Im assuming that (t->first_valid_entry >= VECTOR_SIZE(offsets)) should never be true, and the fact that it is indicates a bug in squatter. I could easily be wrong. Hope this is some help to someone... -Dylan > Dylan Martin wrote: > > >I've been trying to run down the problem I've been having with squatter, > >and it looks like quite a few people on the list are having the same > >problem. Here's what I've got so far, and I'll post more if/when I get > >it. > > > >It looks like in squat_build.c in write_trie_word_data, if len > 2 it > >calls write_trie_word_data on the SquatWordTable new_t. When it breaks, > >new_t has these values: new_t->first_valid_entry = 256 > >new_t->last_valid_entry = 0. When it doesn't break, first_valid_entry is > >less than or equal to last_valid entry. > > > >I don't really know what values mean what, so I can't really say what this > >means or even if it's significant. I'll see if I can find more. Let me > >know if this means anything to any of you. > > > >Thanks > >-Dylan > > > For me it fails at exactly the same place with the same error ! I > collected some of the messages for which squatter reproducable fails but > cannot say which unique liddle difference in them squatter does not > like. They are from different mailers in different charsets and > encodings. The only thing they seem to have in common is > Content-Transfer-Encoding: 8 Bit in at least one body part of a mime > message. Even messages I personally sent using squirrelmail could not be > processed by squatter without crashing! During tracing I had a closer > look on some I-do-not-remember-receiver-function in squatter.c in which > I tried to figure out if cyrus has problems in decoding the messages > and building the "to-index-strings" but that all looked reasonable. One > thing I did not quite understand was that somehow cyrus does not seem to > pay attention on the charset being used in the message to index. I think > there were messages which were explicitly (and correctly) defined in > charset iso-8859-15 (all messages for which squatter fails seem to have > this charset in use but for my system 99% of all messages are using > iso-8859-15 charset and so this may not be an issue) but during > index-canonicalization 8 bit characters got replaced by 'X' characters > and so the index would never contain words containing e.g. german > umlauts correctly (Maybe I am totally wrong here, of course!). > I tried setting reject8bit and stopped all mta-mail-conversions but > messages which cause squatter to crash still come in! The error I get > seems to be > > #define EPERM1 /* Operation not permitted */ > > --Christian > > >
Re: Webmail application that doesn't abuse the IMAP server?
Prayer does. You'll have to google it, though. I don't know much about it. Thanks, Dave -- Dave McMurtrie, Systems Programmer University of Pittsburgh Computing Services and Systems Development, Development Services -- UNIX and VMS Services 717P Cathedral of Learning (412)-624-6413 On Tue, 10 Jun 2003, Gary Mills wrote: > Does anyone know of an e-mail web application that doesn't abuse the > IMAP server by making short connections? Most of them simply connect > and disconnect with each HTTP transaction. Is there one that behaves > the same as an IMAP client, using one connection for the duration of > the session. An IMAP proxy is not adequate because most of them only > cache TCP connections and perhaps authentication. These are generally > not the source of most of the transaction overhead. > > -- > -Gary Mills--Unix Support--U of M Academic Computing and Networking- >
Re: SQUAT: Unknown error 1 (Closing index)
Dylan Martin wrote: I've been trying to run down the problem I've been having with squatter, and it looks like quite a few people on the list are having the same problem. Here's what I've got so far, and I'll post more if/when I get it. It looks like in squat_build.c in write_trie_word_data, if len > 2 it calls write_trie_word_data on the SquatWordTable new_t. When it breaks, new_t has these values: new_t->first_valid_entry = 256 new_t->last_valid_entry = 0. When it doesn't break, first_valid_entry is less than or equal to last_valid entry. I don't really know what values mean what, so I can't really say what this means or even if it's significant. I'll see if I can find more. Let me know if this means anything to any of you. Thanks -Dylan For me it fails at exactly the same place with the same error ! I collected some of the messages for which squatter reproducable fails but cannot say which unique liddle difference in them squatter does not like. They are from different mailers in different charsets and encodings. The only thing they seem to have in common is Content-Transfer-Encoding: 8 Bit in at least one body part of a mime message. Even messages I personally sent using squirrelmail could not be processed by squatter without crashing! During tracing I had a closer look on some I-do-not-remember-receiver-function in squatter.c in which I tried to figure out if cyrus has problems in decoding the messages and building the "to-index-strings" but that all looked reasonable. One thing I did not quite understand was that somehow cyrus does not seem to pay attention on the charset being used in the message to index. I think there were messages which were explicitly (and correctly) defined in charset iso-8859-15 (all messages for which squatter fails seem to have this charset in use but for my system 99% of all messages are using iso-8859-15 charset and so this may not be an issue) but during index-canonicalization 8 bit characters got replaced by 'X' characters and so the index would never contain words containing e.g. german umlauts correctly (Maybe I am totally wrong here, of course!). I tried setting reject8bit and stopped all mta-mail-conversions but messages which cause squatter to crash still come in! The error I get seems to be #define EPERM1 /* Operation not permitted */ --Christian
Webmail application that doesn't abuse the IMAP server?
Does anyone know of an e-mail web application that doesn't abuse the IMAP server by making short connections? Most of them simply connect and disconnect with each HTTP transaction. Is there one that behaves the same as an IMAP client, using one connection for the duration of the session. An IMAP proxy is not adequate because most of them only cache TCP connections and perhaps authentication. These are generally not the source of most of the transaction overhead. -- -Gary Mills--Unix Support--U of M Academic Computing and Networking-
RE: Tuning Suggestions
> > I come seeing suggestions for things I could check or > change in order > > to resolve this before it gets to being more of a problem > than it is. > > I figured I'd start with Cyrus and then move down to the OS level. > > One thing you might want to try is to use /dev/urandom > instead of /dev/random for SASL on your system (recent > versions have a --with-devrandom configure switch, otherwise > you need to edit config.h). > > Additionally, you may want to increase the number of > preforked processes, but this will only allow you to prevent > larger spikes of activity from affecting you adversely, it > won't help if the load is sustained at a higher level. Since it was simplest, I started with the preforking. I set it to an arbitrary number of 10. Here's the good news. It works. No more broken IMAP connections. I'll try that recompile as well as time allows but I thought I'd let everyone know that for today, that got it working smooth again. Thank you kindly for the suggestions John
SQUAT: Unknown error 1 (Closing index)
I've been trying to run down the problem I've been having with squatter, and it looks like quite a few people on the list are having the same problem. Here's what I've got so far, and I'll post more if/when I get it. It looks like in squat_build.c in write_trie_word_data, if len > 2 it calls write_trie_word_data on the SquatWordTable new_t. When it breaks, new_t has these values: new_t->first_valid_entry = 256 new_t->last_valid_entry = 0. When it doesn't break, first_valid_entry is less than or equal to last_valid entry. I don't really know what values mean what, so I can't really say what this means or even if it's significant. I'll see if I can find more. Let me know if this means anything to any of you. Thanks -Dylan
Re: Tuning Suggestions
I can't tell precicely from your report, but it may have something to do with a problem we've seen several times. In case of memory exhaustion, Cyrus can begin to behave badly. What happens is the master ends up with an incorrect number of available processes, such that it believes there are sufficient workers to handle the incoming connections, when in fact there are not. The easiest way to check this is to look at those times when you see failed connections, and look to see if you've had any memory bottlenecks shortly before then. If you see any problems with memory exhaustion, it's generally a good idea to restart the cyrus server. (If you're daring, you can attach to it with a debugger and manually modify the Services[] array, but that's a bit dicey...) Michael --On Tuesday, June 10, 2003 10:51:19 -0400 John Straiton <[EMAIL PROTECTED]> wrote: Funny that I haven't found much in the lines of tuning suggestions for Cyrus on googlegroups or in the info-cyrus archives but I think I may be in need of it. I'm using a 4.8-STABLE FreeBSD machine, Dual 600Mhz with 1.5GB of RAM and plenty of RAID5 space. We use Cyrus+Postfix+AMAVISd+SpamAssassin and are rather happy with the combination. Our postfix feeds 5K addresses into 4K cyrus mailboxes. Load on the machine usually rides between 0.5 and 1.0. top normally reports around 60%-70% idle levels. In normal operations, I'll see around 30-50 connections to the server at all times since most of our users use pop3. We also limit mailboxes to no more than 25MB other than employees. All employees use IMAP tho'. Our entire message store only contains 5.6GB of messages. The problem I'm having started about 2 days ago when our Nagios monitoring started reporting that connectivity to the server (pop3/imap) was failing. Then we'd get recovery notifications immediately after. Kinda like the server was only unable to handle itself for a brief moment and then would get back to business. I also personally noticed that I'd get notifications in Outlook that some of the 5 IMAP connections I keep to the server would time out periodically. I would assume since send/receives occur every 5 minutes that these are not idle timeouts. This has never been a problem before, but obviously with a company that's still growing, every day we have more users on the system than the day before. I fear that something on the machine or in cyrus' configuration is holding us back. I come seeing suggestions for things I could check or change in order to resolve this before it gets to being more of a problem than it is. I figured I'd start with Cyrus and then move down to the OS level. Thanks, John Straiton [EMAIL PROTECTED] Clickcom, Inc 704-365-9970x101
Re: Weird pop3d hang problem (fd blocked?!)
foobar wrote: See word *theoretically* , didn't urandom gather some data from network-interfaces too so it may be affected. Nobody knows when it takes data from device nr X. My point was simply before you decide to link random to urandom for the sake of Cyrus, you should consider the impact that will have on other applications that need random numbers. If others have access to your machine and you are generating private keys, they could exhaust all the entropy from /dev/random, read enough of /dev/urandom to determine the position in the sequence, and then know what random numbers your key generation code used. Granted, it is far-fetched and a lot of work, but when you are building a key that will be used for years and could compromise other keys if revealed, it pays to be safe. /dev/urandom appeared in solaris since version8 (patch). random's device-number is 8 while urandom's is 9. What about if there is config-option for this device? When you build SASL, just define -DDEV_RANDOM=/dev/urandom. -- John A. Tamplin Unix System Administrator Emory University, School of Public Health +1 404/727-9931
Re: cyrus-imapd-2.1.13 sieve curiosity
On Mon, Jun 09, 2003 at 12:07:34PM -0500, Amos Gouaux wrote: > > On Mon, 9 Jun 2003 12:50:16 -0400 (EDT), > > Rob Siemborski <[EMAIL PROTECTED]> (rs) writes: > > rs> I don't think so, I'm pretty sure its only caused by errors during > rs> sieve_script_parse, not during sieve_execute_script. > > I'm not sure yet, but I think I might have found the culprit. The > other day my boss was playing with uploading Sieve scripts using > Mulberry. Is there any documentation on how to do this? I get mixed up between the server scripts and the local ones... Cheers, Patrick
Re: Weird pop3d hang problem (fd blocked?!)
On Thu, 5 Jun 2003, John Alton Tamplin wrote: > And in particular you may not want to do this if you are generating RSA > private keys or equivalent on a machine that anyone else may have shell > access to. > Yes in theory, The /dev/random device is suitable for use when very high quality randomness is desired (e.g. for key generation), as it will only return a maximum of the number of bits of randomness (as estimated by the random number generator) contained in the entropy pool. The /dev/urandom device does not have this limit, and will return as many bytes as are requested. As more and more random bytes are requested without giving time for the entropy pool to recharge, this will result in lower quality random numbers. For many applications, however, this is acceptable. the returned values are theoretically vulnerable to aryptographic attack on the algorithms used by the driver. Knowledge of how to do this is not available in the current non-classified literature, but it is theoretically possible that such an attack may exist. If this is a concern in your application, use /dev/random instead. See word *theoretically* , didn't urandom gather some data from network-interfaces too so it may be affected. Nobody knows when it takes data from device nr X. /dev/urandom appeared in solaris since version8 (patch). random's device-number is 8 while urandom's is 9. What about if there is config-option for this device? Best regards, ++Titus | Veli Pirttila
Re: Tuning Suggestions
On Tue, 10 Jun 2003, John Straiton wrote: > I come seeing suggestions for things I could check or change in order to > resolve this before it gets to being more of a problem than it is. I > figured I'd start with Cyrus and then move down to the OS level. One thing you might want to try is to use /dev/urandom instead of /dev/random for SASL on your system (recent versions have a --with-devrandom configure switch, otherwise you need to edit config.h). Additionally, you may want to increase the number of preforked processes, but this will only allow you to prevent larger spikes of activity from affecting you adversely, it won't help if the load is sustained at a higher level. -Rob -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456 Research Systems Programmer * /usr/contributed Gatekeeper
Tuning Suggestions
Funny that I haven't found much in the lines of tuning suggestions for Cyrus on googlegroups or in the info-cyrus archives but I think I may be in need of it. I'm using a 4.8-STABLE FreeBSD machine, Dual 600Mhz with 1.5GB of RAM and plenty of RAID5 space. We use Cyrus+Postfix+AMAVISd+SpamAssassin and are rather happy with the combination. Our postfix feeds 5K addresses into 4K cyrus mailboxes. Load on the machine usually rides between 0.5 and 1.0. top normally reports around 60%-70% idle levels. In normal operations, I'll see around 30-50 connections to the server at all times since most of our users use pop3. We also limit mailboxes to no more than 25MB other than employees. All employees use IMAP tho'. Our entire message store only contains 5.6GB of messages. The problem I'm having started about 2 days ago when our Nagios monitoring started reporting that connectivity to the server (pop3/imap) was failing. Then we'd get recovery notifications immediately after. Kinda like the server was only unable to handle itself for a brief moment and then would get back to business. I also personally noticed that I'd get notifications in Outlook that some of the 5 IMAP connections I keep to the server would time out periodically. I would assume since send/receives occur every 5 minutes that these are not idle timeouts. This has never been a problem before, but obviously with a company that's still growing, every day we have more users on the system than the day before. I fear that something on the machine or in cyrus' configuration is holding us back. I come seeing suggestions for things I could check or change in order to resolve this before it gets to being more of a problem than it is. I figured I'd start with Cyrus and then move down to the OS level. Thanks, John Straiton [EMAIL PROTECTED] Clickcom, Inc 704-365-9970x101
cyradm can't make autentification by sasl
Hello all.
I have a Cyrus server with IMAP & sIMAP services. It work perfect. i cna
cinnect to server recieve and manage messages in my mail box.
But provlem I cant create/delete mailboxes because cyradm can't make
autorisation on server:
I found what it a problem with that sasl try read password from
/etc/sasldb2 but my server used autorisation from /etc/shadow
Anybody can help me with this problem?
*Thare is log I have next records after connection by cyradm:*
imapd[20589]: accepted connection
imapd[20589]: badlogin: localhost[127.0.0.1] OTP [SASL(-13): user
not found: no OTP secret in database]
Configuration:
*There is start script:*
echo -n $"Starting $prog: "
daemon /usr/local/sbin/saslauthd -a shadow
daemon /usr/cyrus/bin/${prog} &
RETVAL=$?
echo
touch /var/lock/subsys/cyrus
return $RETVAL
*Thereis imap.conf *
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus root
imap_admins: cyrus root
srvtab: /var/imap/srvtab
sievedir: /var/sieve
allowanonymouslogin: no
sasl_pwcheck_method: saslauthd
allowplaintext: yes
lmtp_allowplaintext: yes
sasl_minimum_layer: 0
sasl_auto_transition: no
timeout: 30
tls_cert_file: /var/imap/server.pem
tls_key_file: /var/imap/server.pem
tls_imap_cert_file: /var/imap/imap-server.pem
tls_imap_key_file: /var/imap/imap-server.pem
tls_pop3_cert_file: /var/imap/pop3-server.pem
tls_pop3_key_file: /var/imap/pop3-server.pem
tls_lmtp_cert_file: /var/imap/lmtp-server.pem
tls_lmtp_key_file: /var/imap/lmtp-server.pem
*There is cyrus.conf
*
SERVICES {
# add or remove based on preferences
imap cmd="imapd" listen="imap" prefork=0
imaps cmd="imapd -s" listen="imaps" prefork=0
# pop3 cmd="pop3d" listen="pop3" prefork=0
pop3s cmd="pop3d -s" listen="pop3s" prefork=0
# sievecmd="timsieved" listen="sieve" prefork=0
# at least one LMTP is required for delivery
# lmtp cmd="lmtpd -a" listen="[127.0.0.1]:lmtp" prefork=0
lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
# this is only necessary if using notifications
# notify cmd="notifyd" listen="/var/imap/socket/notify"
proto="udp" prefo
}
--
Sergey Merkuriev
Re: Murder and another IMAP server than cyrus-imapd
On Mon, 10 Jun 2003, [ISO-8859-1] Raphaƫl "SurcouF" Bordet wrote: > Can I using another IMAP server than cyrus-imapd with cyrus-murder > ? If not, how can I add a "IMAP proxy" for remote IMAP server to my > local IMAP server ? Only if the other imap server speaks MUPDATE properly. (Unless something surprising has happened, your answer is "no"). I'm not sure I understand your second question. You can try a generic IMAP proxy such as perdition. -Rob -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456 Research Systems Programmer * /usr/contributed Gatekeeper
Re: Some kind of bug in cyrus-imapd-2.2.0-alpha in vacation handling
This has already been fixed in CVS. Dmitry Novosjolov wrote: Dear List Members, I've found that every message which gets answered with vacation facility of sieve has a subject "subject". I do not think it's intended :) I also do not think that I'm the first discoverer of this. For your information: in the file source_code_root/sieve/bc_eval.c should be made some changes in order to have subjects adjusting more correctly. what I did is shown below: 989c989 < if (i->getheader(m, buf, &s) != SIEVE_OK || --- if (i->getheader(m, subject, &s) != SIEVE_OK || 1001d1000 < 1007a1007 1009c1009 < xstrdup(subject), message, --- xstrdup(buf), message, 1010a1011 I hope to find a healthy sieve in the next release of such a great thing as cyrus server :) Best regards, Novosjolov Dmitry. -- Kenneth Murchison Oceana Matrix Ltd. Software Engineer 21 Princeton Place 716-662-8973 x26 Orchard Park, NY 14127 --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
