Re: which dns server to use ?
On 08 Apr 2003, Thomas Lamy wrote:
> I recently switched to mydns (http://mydns.bboy.net/). As all data is stored
> in a mysql (or pgsql) backend, it's easy to edit zones/resource records. And

While I see that it may be useful to have zone data in an sql backend, I don't like the idea of plugging a mission-critical service such as a dns server directly to an sql database. A dns server has to be as simple as possible, with as few dependencies as possible.

Serving zone data directly from an sql database increases the complexity of your system and adds new points of failure, which is especially undesirable in the case of a dns server.

Just my 0.02 francs.

Cheers,
Oliver
Re: which dns server to use ?
On Tue, Apr 08, 2003 at 10:24:32PM +0200, Markus Welsch wrote:
> > I've been using djbdns for a few years now, and I'm not aware of any
> > interoperability/compatibility problems between it and BIND. I've been
> > perfectly happy with djbdns.
>
> Would you mind mentioning a bit about the extent of use like number of
> domains, etc and very interesting would also be the resource usage
> anything strange you have come across so far, etc ...

I use tinydns for a company that serves over one billion web hits per day (not visitors, hits, and no I'm not exaggerating). The authoritative nameservers serve between 100 and 300 queries/sec on each of five nameservers, for between 50 and 90 million queries answered per day.

I'd use tinydns first, then probably nsd, then something else before BIND (maybe powerDNS). I know BIND better than most people, I did a technical review for the "DNS & BIND Cookbook" at the request of Cricket Liu, and I still don't use it anywhere I'm not forced to.

--
Nate Campi http://www.campin.net
Re: using spamassassin in an isp environment ?
If you have external MX boxes that are not your main mail server, through dns you can point the domains you want filtered to the mx hosts, and the other non-filtered domains to the main mail server. I currently run a mail system somewhat like that and we use qmail with spamassassin combined with several dnsbl lists like the one spamcop offers (www.spamcop.net).

I would not use only spamassassin. Since it is public information, spammers use this to avoid getting caught by it. It works great for virus scanning, but it does not catch too much spam. I do have ours turned down, but you will have to do that if you are scanning mail for clients.

What do you mean 15GB mail traffic / server? Mine currently handles about 300k pieces of mail, and it's load balanced over two dual piii-733 dell power edges running debian. They run about 75% loaded all day, with a load of about 1.5. CPU speed is important, but don't forget about ram. The machines would not handle the load with 256 megs of ram (random crashing).

-Jason

Markus Welsch wrote:

hi all,

does any of you use latest version of spamassassin in your isp environment? i'm considering installing it as content-filter (Postfix 2.07 as MTA) on both mx servers ... the only thing that holds me back is how it responses to performance for 15 GB mail traffic / server.

how are your experiences with it? since it's written in perl it will be a huge performance decrease, right?

would it be possible to do filtering just for specified domains ?

greetings,
markus
Re: which dns server to use ?
> I've been using djbdns for a few years now, and I'm not aware of any
> interoperability/compatibility problems between it and BIND. I've been
> perfectly happy with djbdns.
>

Would you mind mentioning a bit about the extent of use like number of domains, etc and very interesting would also be the resource usage anything strange you have come across so far, etc ...
Re: which dns server to use ?
On Tue, Apr 08, 2003 at 07:36:33PM +0200, Markus Welsch wrote:
> Well BIND is more like the standard DNS server. djbdns looks nice but
> I'm wondering about its compatibility with BIND servers since the author
> is pretty much hostile to any other DNS servers.

I've been using djbdns for a few years now, and I'm not aware of any interoperability/compatibility problems between it and BIND. I've been perfectly happy with djbdns.

--
Art Sackett
http://www.artsackett.com/
PGP/GPG Public Key: [EMAIL PROTECTED] (autoresponder)
There are no winners in life, only survivors.
using spamassassin in an isp environment ?
hi all,

does any of you use latest version of spamassassin in your isp environment? i'm considering installing it as content-filter (Postfix 2.07 as MTA) on both mx servers ... the only thing that holds me back is how it responses to performance for 15 GB mail traffic / server.

how are your experiences with it? since it's written in perl it will be a huge performance decrease, right?

would it be possible to do filtering just for specified domains ?

greetings,
markus
Re: which dns server to use ?
Hi,

On Tue, Apr 08, 2003 at 12:14:50PM -0700, Splash Tekalal wrote:
> At 03:17 PM 4/8/2003 +0200, you wrote:
> >Hi,
> >
> >On Tue, Apr 08, 2003 at 01:36:56PM +0200, Stephane Bortzmeyer wrote:
> >
> >> > BIND ( http://www.isc.org/products/BIND/ )
> >>
> >> Why not? The Apache of the DNS servers, feature-rich and very
> >> configurable.
> >
> >Apache is more elegant. The only thing that can equal BIND in terms of
> >bloat, root exploits and general ugliness is perhaps sendmail.
>
> Now, maybe I'm just ignorant, but are there any root exploits on Bind9?
> (specifically 9.x, not anything older.. we know 8.x was unstable =P)

Well, maybe I'm just a bit cynical, but I don't think that any piece of software can evolve to gain a more inherently secure design.

Frankly, no amount of partial rewrites would make me trust BIND. Even if it would have been rewritten from scratch, I'd have some trouble believing that it took them till 2001, but that now, finally, the ISC understands that you shouldn't trust user input, that you should free your mallocs, and, most importantly, that you should check if a string fits before you copy it somewhere.

Some people think C makes these things hard, but I think that you can only have as much trouble as the ISC's been having with it if you have a fundamentally broken programming style.

All IMHO, of course.

Cheers,

Emile.

--
E-Advies - Emile van Bergen [EMAIL PROTECTED]
tel. +31 (0)70 3906153 http://www.e-advies.nl
Re: which dns server to use ?
8.x was/is a stable branch, but there were security issues. These are fixed, and reason to install BIND 8.x with care (like chrooting, see the Securing Debian Manual). There is quite a difference between unstable (is usually referred to as development status) and insecure.

Bind 9.x had some security issues though. See http://www.securityfocus.com/cgi-bin/sfonline/vulns.pl

But for Bind counts the same for all software: you've got to keep up to date with issues and fix/upgrade them when found. That software has never had any issues doesn't mean there won't be any in the future.

Well BIND is more like the standard DNS server. djbdns looks nice but I'm wondering about its compatibility with BIND servers since the author is pretty much hostile to any other DNS servers.

I'm considering switching to djbdns on a TEST system since the DNS servers HAVE to be reliable ...
Re: which dns server to use ?
Splash Tekalal wrote:

Apache is more elegant. The only thing that can equal BIND in terms of bloat, root exploits and general ugliness is perhaps sendmail.

Now, maybe I'm just ignorant, but are there any root exploits on Bind9? (specifically 9.x, not anything older.. we know 8.x was unstable =P)

-Splash

8.x was/is a stable branch, but there were security issues. These are fixed, and reason to install BIND 8.x with care (like chrooting, see the Securing Debian Manual). There is quite a difference between unstable (is usually referred to as development status) and insecure.

Bind 9.x had some security issues though. See http://www.securityfocus.com/cgi-bin/sfonline/vulns.pl

But for Bind counts the same for all software: you've got to keep up to date with issues and fix/upgrade them when found. That software has never had any issues doesn't mean there won't be any in the future.

Greetings,

Arend van Waart
Re: which dns server to use ?
At 03:17 PM 4/8/2003 +0200, you wrote:

Hi,

On Tue, Apr 08, 2003 at 01:36:56PM +0200, Stephane Bortzmeyer wrote:

> > BIND ( http://www.isc.org/products/BIND/ )
>
> Why not? The Apache of the DNS servers, feature-rich and very
> configurable.

Apache is more elegant. The only thing that can equal BIND in terms of bloat, root exploits and general ugliness is perhaps sendmail.

Now, maybe I'm just ignorant, but are there any root exploits on Bind9? (specifically 9.x, not anything older.. we know 8.x was unstable =P)

-Splash
Re: which dns server to use ?
Stephane Bortzmeyer wrote:
>
> On Sat, Apr 05, 2003 at 06:30:48PM +0200,
> Markus Welsch <[EMAIL PROTECTED]> wrote
>
> > Which dns server would you suggest ?
>
> Why not PowerDNS <http://www.powerdns.com/>, the only one which is
> fully extensible?
>
> > BIND ( http://www.isc.org/products/BIND/ )
>
> Why not? The Apache of the DNS servers, feature-rich and very
> configurable.

BIND is more sendmail than apache (3-5 years ago): most used DNS server software, bloated code (IMHO), and a remote exploit every now and then. Just because most of the internet uses it, it may (is) not the best software around.

> > djbdns ( http://cr.yp.to/djbdns.html )
>
> The author stated very clearly several times that he will not
> implement the DNS but only the things he likes.
>
> Also, while you should not choose a program on the basis of the
> author's personality, I'm ready to make an exception for this one.

IMHO, DJB's Software offers some interesting new ways to solve problems. But it is based on a non-free license, paired with DJB steadily refusing backwards compatibility (related to config files) for the programs he'd like to replace. I don't think DJB will change his mind in this life, so I choose _free_ software with open development.

> > NSD ( http://www.nlnetlabs.nl/nsd/ )
>
> Very good program, quite recommended.
>
> > Pretty much importance is performance and security.
>
> You will probably be happy with nsd.
>

Can't comment on that.

I recently switched to mydns (http://mydns.bboy.net/). As all data is stored in a mysql (or pgsql) backend, it's easy to edit zones/resource records. And it perfectly fits into our web-based administration interface. It's small, fast, and does its job. Took me 10 minutes to understand and install. I also find the code very readable (one of the things I look at when it comes to mission critical software).

Note that mydns is _not_ a caching server, but there are other free packages that do this job.

Just my 0.02 Euros

Thomas
Re: Courier-IMAP+Postfix+LDAP
On Tue, Apr 08, 2003 at 11:41:06AM +0200, Carlos L.M. wrote:
> Perfect !! Thank you very much for all.
>

I recently started a wiki page on this at;

http://wiki.debian.net/EmailConfiguration

In there is how to configure postfix+procmail for Maildir... after this courier-imap just works.

Please correct, extend, whatever.

--
Donovan Baarda http://minkirri.apana.org.au/~abo/
Re: which dns server to use ?
Hi,

On Tue, Apr 08, 2003 at 01:36:56PM +0200, Stephane Bortzmeyer wrote:

> > BIND ( http://www.isc.org/products/BIND/ )
>
> Why not? The Apache of the DNS servers, feature-rich and very
> configurable.

Apache is more elegant. The only thing that can equal BIND in terms of bloat, root exploits and general ugliness is perhaps sendmail.

Cheers,

Emile.

--
E-Advies - Emile van Bergen [EMAIL PROTECTED]
tel. +31 (0)70 3906153 http://www.e-advies.nl
Re: which dns server to use ?
On Sat, Apr 05, 2003 at 06:30:48PM +0200,
Markus Welsch <[EMAIL PROTECTED]> wrote
a message of 29 lines which said:

> Which dns server would you suggest ?

Why not PowerDNS <http://www.powerdns.com/>, the only one which is fully extensible?

> BIND ( http://www.isc.org/products/BIND/ )

Why not? The Apache of the DNS servers, feature-rich and very configurable.

> djbdns ( http://cr.yp.to/djbdns.html )

The author stated very clearly several times that he will not implement the DNS but only the things he likes.

Also, while you should not choose a program on the basis of the author's personality, I'm ready to make an exception for this one.

> NSD ( http://www.nlnetlabs.nl/nsd/ )

Very good program, quite recommended.

> Pretty much importance is performance and security.

You will probably be happy with nsd.
Re: [HELP] .htaccess problem.......thanks.
Hello Cato:

First , i must say "Thank you for ur help" :-)

You got me a very useful advices and you are right ! when i use command line search without (-D "uid=tester,dc=ezplay,dc=tv") its have NOT search any entry in my ldap.

result as follow:

ldapsearch -W -x -h localhost -b "dc=ezplay,dc=tv" '(&(objectclass=*)(uid=axa.cheng))'
Enter LDAP Password:
version: 2

#
# filter: (&(objectclass=*)(uid=axa.cheng))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
^ no more "numEntries" entry above..yy

Anyway, could u explain ur advice that "Try doing the command line search without the -D parameter. If you get no match, you may look at the access rights to your directory."

Sorry, i dont know which "access rights to your directory" that i need to check ? Apache RootDocument directory permission??? or .htaccess or slapd.conf or whatever???

BTW , i have tried use .htpasswd + .htaccess to restrict web WITHOUT ldap+.htaccess! IT IS WORKING! i CAN use legal account to pass through .htaccess authentication

● Non-ldap .htaccess as follow:

AuthType Basic
AuthName "NON LDAP testing"
AuthUserFile /var/www/admin/.htpasswd
order deny,allow
deny from all
allow from all
require valid-user

Do You want more configuration or information in my OpenLDAP server ??? Feel free to let me knows, i would provide it to u :-)

> Hello,
>
> your problem seems to be that when Apache is doing the LDAP search, it
> does not get any match, while when you are doing a command line search,
> you get one match.
>
> One difference between the searches is that you specify a user which is
> used to bind to the LDAP directory (-D "uid=tester,dc=ezplay,dc=tv"),
> while Apache doesn't bind as a specific user.
> Try doing the command line search without the -D parameter. If you get
> no match, you may look at the access rights to your directory.
>
> Regards,
>
> Cato Aune

--
Trust & Unique ...
axacheng <[EMAIL PROTECTED]>
Re: Courier-IMAP+Postfix+LDAP
Perfect !! Thank you very much for all.

--- Emmanuel Lacour <[EMAIL PROTECTED]> wrote:
> On Tue, Apr 08, 2003 at 09:42:55AM +0200, Carlos L.M. wrote:
> > Hi all,
> >
> > Next week, we have to install a new server with
> > Courier IMAP, Postfix and OpenLDAP for 200 users.
> >
> > Are there any site with documentation about this ??
> >
> I've found this :
> http://annapolislinux.org/docs/plc/postfix-courier-howto.txt
>
> > And another question: How can I migrate mailbox
> > accounts to Maildir boxes ???
> >
>
> http://perfectmaildir.home-dn.net
>
> And a little bit of shell scripting;-)
>
> --
> Emmanuel Lacour
> Easter-eggs
> 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
> Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
> mailto:[EMAIL PROTECTED] - http://www.easter-eggs.com
Re: Courier-IMAP+Postfix+LDAP
On Tue, Apr 08, 2003 at 09:42:55AM +0200, Carlos L.M. wrote:
> Hi all,
>
> Next week, we have to install a new server with
> Courier IMAP, Postfix and OpenLDAP for 200 users.
>
> Are there any site with documentation about this ??
>

I've found this :
http://annapolislinux.org/docs/plc/postfix-courier-howto.txt

> And another question: How can I migrate mailbox
> accounts to Maildir boxes ???
>

http://perfectmaildir.home-dn.net

And a little bit of shell scripting;-)

--
Emmanuel Lacour
Easter-eggs
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED] - http://www.easter-eggs.com
Re: [HELP] .htaccess problem.......thanks.
Hello,

your problem seems to be that when Apache is doing the LDAP search, it does not get any match, while when you are doing a command line search, you get one match.

One difference between the searches is that you specify a user which is used to bind to the LDAP directory (-D "uid=tester,dc=ezplay,dc=tv"), while Apache doesn't bind as a specific user. Try doing the command line search without the -D parameter. If you get no match, you may look at the access rights to your directory.

Regards,

Cato Aune

Tuesday 8 April 2003, 06:36, axacheng wrote:
> Very Thanks for all reply. :-)
>
> Now , i type correct username & password in box that the web browser
> pops up when i attempts to access resource in protected area .
>
> its still didn't work--
>
> its made me a pretty BAD mess of this problem ...Help ...
> help.i wanna die...
>
> ● My LDAP tree as follow :
>
> dc=ezplay,dc=tv
>
> |>uid=tester
> |
> |>uid=axa.cheng
> |
> |__ou=td
> |
> | |>uid=bigbrother
> | |>uid=bigcow
> |
> |__ou=md
> |
> |>uid=freesec
>
> ● However, when i execute "ldapsearch" command , the result as
> follow:
>
> ldapsearch -W -x -h localhost -b "dc=ezplay,dc=tv" -D
> "uid=tester,dc=ezplay,dc=tv" '(&(objectclass=*)(uid=tester))'
> version: 2
>
> #
> # filter: (&(objectclass=*)(uid=tester))
> # requesting: ALL
> # tester, ezplay, tv
> dn: uid=tester,dc=ezplay,dc=tv
> uid: tester
> cn: tester
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword::
> e2NyeXB0fSQxJDddf5VU0YU5SJEQvQjRd3kFVdkppNTFQsdsISzl5WS8=
> shadowLastChange: 12128
> shadowMax: 9
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 1008
> gidNumber: 100
> homeDirectory: /home/tester
> # search result
> search: 2
> result: 0 Success
> # numResponses: 2
> # numEntries: 1
> ^^
> i got a entry now... :-)
>
> ● My .htaccess as follow :
>
> AuthName "For Student to login"
> AuthLDAPUrl ldap://192.168.8.8/dc=ezplay,dc=tv?uid?
> AuthType Basic
>
> Order deny,allow
> Deny from all
> Allow from all
> require user tester
>
> ● in /var/log/apache/error.log as following :
>
> [Mon Apr 7 15:31:27 2003] [error] [client 192.168.10.254] Search
> must return exactly 1 entry; found 0 entries for search
> (&(objectclass=*)(uid=tester)): URI /admin [Mon Apr 7 15:31:28 2003]
> [error] [client 192.168.10.254] Search must return exactly 1 entry;
> found 0 entries for search (&(objectclass=*)(uid=tester)): URI /admin
>
> ● in /var/log/syslog :
>
> Apr 7 15:50:03 backup slapd[17788]: conn=3 op=4 SRCH
> base="dc=ezplay,dc=tv" scope=2
> filter="(&(objectClass=*)(uid=tester))" Apr 7 15:50:03 backup
> slapd[17788]: conn=3 op=4 SEARCH RESULT tag=101 err=0 text= Apr 7
> 15:50:05 backup slapd[17789]: conn=7 op=2 SRCH base="dc=ezplay,dc=tv"
> scope=2 filter="(&(objectClass=*)(uid=tester))" Apr 7 15:50:05
> backup slapd[17789]: conn=7 op=2 SEARCH RESULT tag=101 err=0 text=
>
> ==
> Hello List :
>
> i using .htaccess to restrict user to use web resource .
>
> However, i type correct username & password in box that the web
> browser pops up when i attempts to access resource in protected area.
>
> i got error message
>
> ● in /var/log/apache/error.log as following :
>
> [Mon Apr 7 15:31:27 2003] [error] [client 192.168.10.254] Search
> must return exactly 1 entry; found 0 entries for search
> (&(objectclass=*)(uid=tester)): URI /admin [Mon Apr 7 15:31:28 2003]
> [error] [client 192.168.10.254] Search must return exactly 1 entry;
> found 0 entries for search (&(objectclass=*)(uid=tester)): URI /admin
>
> ● in /var/log/syslog :
>
> Apr 7 15:50:03 backup slapd[17788]: conn=3 op=4 SRCH
> base="dc=ezplay,dc=tv" scope=2
> filter="(&(objectClass=*)(uid=tester))" Apr 7 15:50:03 backup
> slapd[17788]: conn=3 op=4 SEARCH RESULT tag=101 err=0 text= Apr 7
> 15:50:05 backup slapd[17789]: conn=7 op=2 SRCH base="dc=ezplay,dc=tv"
> scope=2 filter="(&(objectClass=*)(uid=tester))" Apr 7 15:50:05
> backup slapd[17789]: conn=7 op=2 SEARCH RESULT tag=101 err=0 text=
> Apr 7 15:50:07 backup slapd[17788]: conn=4 op=4 SRCH
> base="dc=ezplay,dc=tv" scope=2
> filter="(&(objectClass=*)(uid=tester))" Apr 7 15:50:07 backup
> slapd[17788]: conn=4 op=4 SEARCH RESULT tag=101 err=0 text= Apr 7
> 15:50:09 backup slapd[17789]: conn=5 op=5 SRCH base="dc=ezplay,dc=tv"
> scope=2 filter="(&(objectClass=*)(uid=tester))"
>
> ===
>
> ● My .htaccess as follow :
>
> AuthName "For Student to login"
> AuthLDAPUrl ldap://192.168.8.8/dc=ezplay,dc=tv?uid?
> AuthType Basic
>
> Order deny,allow
> Deny from all
> Allow from all
> require user test
>
> ● However, when i execute "ldapsearch" command , the result as
> follow:
>
> back
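
The check suggested in the reply above (the same search with and without -D) can be scripted over saved ldapsearch output. This is an added Python example, not code from the thread: the two captures are constructed from the output quoted in these messages, and the function and verdict names are made up for illustration.

```python
import re

# Constructed captures modelled on the two ldapsearch runs quoted in the thread.
ANON = """\
# filter: (&(objectclass=*)(uid=tester))
# requesting: ALL

# search result
search: 2
result: 0 Success

# numResponses: 1
"""
BOUND = """\
# filter: (&(objectclass=*)(uid=tester))
# requesting: ALL

# tester, ezplay, tv
dn: uid=tester,dc=ezplay,dc=tv
uid: tester
objectClass: account

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def parse_ldapsearch(text):
    """Extract the filter, the LDAP result code and the entry DNs."""
    out = {"filter": None, "result": None, "dns": []}
    for line in text.splitlines():
        if m := re.match(r"# filter: (.+)", line):
            out["filter"] = m.group(1).strip()
        elif m := re.match(r"result: (\d+)", line):
            out["result"] = int(m.group(1))
        elif m := re.match(r"dn::? (.+)", line):
            out["dns"].append(m.group(1).strip().lower())
    return out


def diagnose(anon_text, bound_text):
    """Return (verdict, dns_hidden_from_anonymous) for one filter run twice."""
    anon, bound = parse_ldapsearch(anon_text), parse_ldapsearch(bound_text)
    if anon["filter"] != bound["filter"]:
        return "filter-mismatch", []
    if anon["result"] != 0 or bound["result"] != 0:
        return "ldap-error", []
    hidden = sorted(set(bound["dns"]) - set(anon["dns"]))
    if len(anon["dns"]) == 1:
        return "anonymous-search-ok", hidden
    if len(anon["dns"]) > 1:
        return "filter-not-unique", hidden
    # Zero anonymous hits with "result: 0 Success": either nothing matches at
    # all, or the entry exists and is only visible after binding.
    return ("hidden-from-anonymous" if hidden else "no-such-entry"), hidden


if __name__ == "__main__":
    print(diagnose(ANON, BOUND))
```

A "hidden-from-anonymous" verdict corresponds to the "found 0 entries" line in the Apache error log: the anonymous search succeeds but sees nothing, which points at the directory's access rules rather than at the filter or the password.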
Courier-IMAP+Postfix+LDAP
Hi all,

Next week, we have to install a new server with Courier IMAP, Postfix and OpenLDAP for 200 users.

Are there any site with documentation about this ??

And another question: How can I migrate mailbox accounts to Maildir boxes ???

Thank you very much for your help and sorry for my bad english.