Re: Web-page based proxy service

2005-01-15 Thread Fraser Campbell
On Friday 14 January 2005 03:56, Peter Clark wrote:

> I would like to provide a proxy service that can be used only by
> accessing a web page. In other words, I don't want users to enter proxy
> details in their browser settings, but rather, if they want to go through a
> proxy, they can visit a webpage, enter a URL in a form, and the page (and
> all subsequent pages) will be funneled through the proxy to the user. I
> believe that anonymizer.com does something similar. But hopefully you get
> the idea.

What about using a transparent squid proxy?  Squid supports a tonne of 
authentication methods.

If you put squid as people's default gateway then you can transparently 
redirect all web requests through squid, if they hadn't authenticated then 
you could have an authentication box pop up or redirect them to an 
authentication webpage if you prefer.

Not sure of your topology so this may not be a suitable solution (I know it's 
not quite what you asked for).
-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux




Re: gpg to a pipe

2005-01-03 Thread Fraser Campbell
On Monday 03 January 2005 04:05, Antonin Karasek wrote:

> I make my backups by tar and encrypt it by gpg.

Are you doing this to protect the stored data or to protect the data in 
transit (ftp)?


> Is it possible to send the file directly from a pipe? More precisely -
> gpg will write its output to a pipe and ftp will read the data from the
> pipe.
>
> I tried to do that, but I wasn't able to force gpg to write the
> encrypted data to a pipe.

An alternative would be to do things using ssh, something like this:

  # <backup-key-id> is a placeholder for the recipient key on the backup host;
  # without --encrypt gpg would try to read the gzip stream as an OpenPGP message
  tar cSf - / | ssh backuphost gzip - \| \
    gpg --encrypt --recipient '<backup-key-id>' --output /backups/whatever.tar.gz.gpg

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: phpBB vulnerability exploited

2004-12-13 Thread Fraser Campbell
On Monday 13 December 2004 03:31, Marek Podmaka wrote:

>   Yes, I have been doing the same with /tmp, but some debian packages
>   won't install on noexec /tmp. But there are other directories on my
>   system which are world writable - for example /var/tmp and
>   /var/lock.

If you've configured apt to preconfigure packages (at least I think that's the 
case) then apt will extract some stuff to /tmp and execute it from there.

The solution I use is to temporarily remount partitions with necessary 
permissions during apt's run.  I do this automatically with the following 
commands in apt's config files:

  DPkg::Pre-Install-Pkgs {"mount -o remount,rw /boot";};
  DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";};
  DPkg::Pre-Install-Pkgs {"mount -o remount,rw /usr";};
  DPkg::Post-Invoke {"mount -o remount /boot";};
  DPkg::Post-Invoke {"mount -o remount /tmp";};
  DPkg::Post-Invoke {"mount -o remount /usr";};

I'd think you can get away with linking /var/tmp to /tmp but /var/lock might 
be tricky to get around.

>   Can entire /var be mounted noexec?

In my case I doubt it since much of postfix lives there.  It might be possible 
in certain cases though I'm not sure.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: phpBB vulnerability exploited

2004-12-12 Thread Fraser Campbell
On Sunday 12 December 2004 17:46, Marek Podmaka wrote:
>   I don't want to give hints on how to exploit this, but the attacker
>   did wget the .tgz file, unpacked it in /tmp and run the program.
>
>   So update all your phpBB installations ASAP (and of course all
>   installations of your customers).

On a somewhat related note ...

I have the habit of mounting /tmp with noexec,nosuid,nodev.  I also mount /usr 
and /boot ro.  These minor changes can prevent common automated attacks 
(probably the one you encountered) and don't cause any problems.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux



Re: Mail Delivery (failure jcoo...@planetz.com)

2004-10-24 Thread Fraser Campbell
On Saturday 23 October 2004 16:29, John Cooper wrote:

> Clearly I've touched a nerve with Mr. Coker!  The vitriolic nature of his
> response here, and the public posting of my private email address which I
> was trying to protect, is simply inane and immature.    Next time, Mr.

You are sending unsolicited emails in response to every single email that is 
sent to your old address.  You are wasting the resources of potentially 
thousands of people.

Spam does not justify spam.  I have come to this realization myself only 
recently (I am, unfortunately still, a TMDA user).  I can understand that 
many people see autoresponders as essential but due care should be taken to  
not respond to innocent third parties and mailing lists especially.

The fact that you sent your new email in the body as "johnc at planetz.com" 
instead of as a real email address is, I suspect, immaterial.  Spammers send 
to millions of invalid email addresses, they scan all webpages, list 
archives, etc. and look for anything that looks like a valid email 
address ... IMO x at y is just as easy to find and parse as [EMAIL PROTECTED]  
They will be finding you anyway.

The smarter way to let people know that your email address has changed is by 
rejecting the message.  You can reject the message (in postfix) by using the 
relocated table, that will reject the message giving the error "User has 
moved to johnc at planetz.com" (or whatever you'd like the message to say).  
In this way very few innocent third parties should be subjected to your spam.


> Coker, consider a private email, before publicly hanging someone.

When someone does something stupid there is value in making sure that everyone 
knows that it is stupid.  Knowledge is only advanced when it is shared.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux



Re: limiting port 25 to an IP

2004-10-23 Thread Fraser Campbell
On Saturday 23 October 2004 19:03, W.D.McKinney wrote:

> We need to limit port 25 on one MTA server to a single /28 pool of
> addresses. So I need to have the rule to accept the traffic from the /28
> and only through port 25.

Your questions have confused people ...

Some people thought that you meant "How do I make my MTA *listen* on only a 
single IP address?", this would be in contrast to most MTAs' default behaviour 
of listening on 0.0.0.0:25.

Other people have thought that you meant "How do I make my MTA accept 
connections *from* only one specific IP?".  I believe that was your intent 
though it was certainly unclear in the original posting.

> iptables -A INPUT -p tcp -s IP.YOU.WANT.TO.ACCEPT --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j REJECT

Assuming you're talking about accepting port 25 connections from a limited range 
of addresses then yes, you can use iptables and that would be the syntax.  
Someone else has suggested using shorewall for managing your firewalling 
policies, you may want to check that out, it is a great tool.

Why would you want to limit connections to just a /28?  If you just want to 
limit who can relay through your server iptables is a pretty heavy-handed way 
of achieving this, the better way IMO would be to add the /28 network to 
those allowed to relay, in postfix that would probably be accomplished with a 
config line like this:

mynetworks = 127.0.0.0/8, 192.168.0.0/28

Most MTAs have built in access controls that are flexible enough to 
accommodate changing rules.  Unless you never foresee changes to your network, 
learn the proper tool (your MTA) to implement rules; iptables rules are a 
yes/no proposition and you'll regret using them instead of learning how to use 
the MTA.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: help with BIND SRV

2004-10-08 Thread Fraser Campbell
On Friday 08 October 2004 15:01, Nate Duehr wrote:

> I was talking about sites that have "done it wrong" (my opinion, and
> probably yours too - it's just not right...) so to speak, and are
> forcing port 53 traffic to different places than it was intended to go
> originally.

So?  If DNS requests are all redirected to a valid DNS server how would that 
result in bogus TTLs?

> "Proxying" would be the best phrase I could call it.  Some commercial 
> active firewall implementations do something similar.

Perhaps you can point me at a DNS server that when queried for a 
non-authoritative answer does not lower TTL (within TTL period) on subsequent 
requests?

If the problem that you describe does exist then it must be very rare, or 
really old and broken software.  I still hear about people running their 
email system through mailgate on Windows 98 with dialup, at a certain point 
you just have to tell those people to get with the program.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: 'dialup-ranges?' Re: greylisting DNSBL hosts?

2004-10-08 Thread Fraser Campbell
On Friday 08 October 2004 18:09, Kilian Krause wrote:

> Nobody said this is the magic weapon everybody uses and nobody found
> yet, it was just me wondering if these two pieces can't be matched
> together for the final goal. (As I said above, I'm against massive DNSBL
> use on the hardcore scale, so why not try with greylisting?)
>
> So do you still reckon that DNSBL are too far out for using them as a
> greylisting success probability predictor?

It strikes me as an idea well worth trying.  I believe you mentioned exim, I 
haven't used exim in a long time so I can't help you there.

As an aside this would be very easy to implement in postfix (from 
testing/unstable only) using SMTP access policy delegation.  A very simple 
script can be plugged into postfix at the RCPT stage, perform the DUL check 
and greylist as appropriate.  I am working on an access policy delegation 
script right now and may just add checks similar to your suggestion.

Thanks
-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: help with BIND SRV

2004-10-08 Thread Fraser Campbell
On Thursday 07 October 2004 22:23, Nate Duehr wrote:

> - They don't understand that there might be multiple DNS servers between
> their top-level and the machine they're servicing (3X and 4X TTL)

Let's say that I have my local (desktop if you prefer) resolver (which I'll 
call A) pointed to a caching nameserver B.

Caching nameserver B forwards all of its DNS requests to their ISP's larger 
caching server C.

Caching server C makes queries to the appropriate authoritative server D.

So the DNS query goes:

  A->B->C->D

D replies to C with a record having TTL of 3600.  C forwards request to B, B 
gives answer to A ... TTL 3600.

In 1800 seconds the only server in the above loop that would serve a TTL of 
3600 is D (since it is authoritative).  B and C will both have decremented 
their TTL by 1800 seconds and will respond with a TTL of 1800 seconds.  A 
should have decremented the TTL in its resolver cache as well though some 
applications and/or operating systems are buggy in this regard.

I have never seen behaviour that you are suggesting can happen nor can I 
imagine any way in which it can happen.

We had a similar discussion not too long ago starting at 
http://www.mail-archive.com/debian-isp%40lists.debian.org/msg11986.html
... I never really followed up on that one, but I still believe you're 
wrong ;-)

BTW, forwarding (to an appropriate server) is an excellent way to speed up DNS 
resolution, I use it frequently.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: help with BIND SRV

2004-10-07 Thread Fraser Campbell
On Thursday 07 October 2004 13:20, August MacBeth wrote:

> cache. Surprisingly, Mac OSX (unix based) caches DNS as well, which
> bums me out.

That is surprising.  Are you saying that Mac OSX caches the DNS permanently 
and/or for longer than the TTL supplied by Bind?

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux
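The A->B->C->D chain from the earlier post in this thread, and the "caches past the TTL" behaviour the Mac OSX question is about, as an added Python simulation (not code from the thread). The zone name, address and 3600 second TTL are constructed sample data; each hop is asked directly at several times after a single lookup at t=0 fills every cache.

```python
"""Simulation of how TTLs decrement along a chain of caching resolvers.
Added example, not from the list thread: it models the A->B->C->D chain of
the post, where D is authoritative and B and C are caches, and the
'caches past the TTL' behaviour the thread calls buggy."""
from dataclasses import dataclass


@dataclass
class Record:
    value: str   # constructed sample data, e.g. an A record
    ttl: int     # seconds remaining as seen by the party receiving it


class Authoritative:
    """D in the post: always answers with the zone's full TTL."""

    def __init__(self, zone: dict):
        self.zone = zone

    def query(self, name: str, now: int) -> Record:
        rec = self.zone[name]
        return Record(rec.value, rec.ttl)


class CachingResolver:
    """B, C (and a well-behaved A): caches an answer until its absolute
    expiry time and hands out only the *remaining* TTL on each hit."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}  # name -> (Record, absolute expiry time)

    def query(self, name: str, now: int) -> Record:
        hit = self.cache.get(name)
        if hit is not None:
            rec, expires = hit
            if now < expires:
                return Record(rec.value, expires - now)   # decremented TTL
        rec = self.upstream.query(name, now)              # expired or missing
        self.cache[name] = (rec, now + rec.ttl)
        return Record(rec.value, rec.ttl)


class NonExpiringCache(CachingResolver):
    """The misbehaviour discussed in the thread: an application or OS cache
    that keeps serving an answer after its TTL has run out."""

    def query(self, name: str, now: int) -> Record:
        hit = self.cache.get(name)
        if hit is not None:
            return Record(hit[0].value, 0)   # stale answer, never refreshed
        return super().query(name, now)


NAME = "www.example.net"   # constructed zone data


def build_chain():
    d = Authoritative({NAME: Record("192.0.2.10", 3600)})
    c = CachingResolver(d)   # ISP's larger caching server
    b = CachingResolver(c)   # local caching nameserver
    a = CachingResolver(b)   # desktop resolver cache
    return (a, b, c, d)


def ttls_at(now: int, chain) -> dict:
    """TTL each hop reports for NAME when asked directly at time `now`."""
    return {label: srv.query(NAME, now).ttl for label, srv in zip("ABCD", chain)}


def simulate() -> dict:
    """One lookup at t=0 fills every cache; then ask each hop at later times."""
    chain = build_chain()
    chain[0].query(NAME, 0)
    return {t: ttls_at(t, chain) for t in (0, 1800, 3599, 3600)}


def stale_cache_demo() -> tuple:
    """Change the record at the source after both caches have it, then ask
    again after the TTL: a conformant cache refreshes, a non-expiring one
    keeps the old value."""
    d = Authoritative({NAME: Record("192.0.2.10", 3600)})
    good, bad = CachingResolver(d), NonExpiringCache(d)
    good.query(NAME, 0)
    bad.query(NAME, 0)
    d.zone[NAME] = Record("192.0.2.20", 3600)
    return (good.query(NAME, 7200).value, bad.query(NAME, 7200).value)


if __name__ == "__main__":
    for t, ttls in simulate().items():
        print(f"t={t:>5}s  " + "  ".join(f"{k}:{v}" for k, v in ttls.items()))
    print("after zone change:", stale_cache_demo())
```

At t=1800 only D still reports 3600 while A, B and C report 1800; at t=3600 every cache has expired and refetches, so the chain shows 3600 again. The non-expiring cache keeps returning the pre-change address indefinitely, which is the kind of behaviour a caching client would need to be checked for.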





Re: apache dns reverse check

2004-10-06 Thread Fraser Campbell
On Wednesday 06 October 2004 04:15, Daniele Becchi wrote:

> Is it possible to use the Deny directive in  to block IP
> addresses that don't have a PTR record?

It should be possible.  Read http://httpd.apache.org/docs/env.html it states:

Access to the server can be controlled based on the value of environment
variables using the allow from env= and deny from env= directives. In
combination with SetEnvIf, this allows for flexible control of access to
the server based on characteristics of the client. For example, you can
use these directives to deny access to a particular browser (User-Agent).

I've not tried it but it certainly sounds possible.

On the other hand, there's a reason that it's recommended to run apache 
without DNS resolution turned on, DNS can be _very_ slow!

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: Apache 1.3 mass virtual hosting recipe

2004-09-22 Thread Fraser Campbell
On September 22, 2004 07:44 am, Johann Botha wrote:

> >     
> >         php_admin_flag engine off
> >     
>
> hmm.. that's where I stopped investigating this option,
> I don't want to be editing config files.

Neither do I but in my case I anticipate 95% of the hosts being identical, if 
I have to setup a few sites with specific configs I can live with it.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux



Re: Apache 1.3 mass virtual hosting recipe

2004-09-22 Thread Fraser Campbell
On September 22, 2004 10:10 am, Raúl Alexis Betancort Santana wrote:

> I wonder how running a script inside a mod_rewrite rule is better than
> defining a new NameVirtualHost directive, moreover taking into account that

It's better (IMO) because I do not have to configure apache.  My admin 
interface is greatly simplified because apache configuration does not need to 
be done. I create a user who has a homedir in the appropriate location (or at 
least who has access to the appropriate created location) and setup is 
complete.

> that rewriting rule will run the script EVERY TIME a request reaches the
> server, I hope you don't have high volume traffic to that server or you
> will run into trouble.

The script runs continually, it is not started for every incoming request.  
Apache has a filehandle for the script's stdin and stdout, the overhead of 
running the script will be very minimal and the script will not introduce 
much delay.  Checking for a few directories is no different than many apache 
servers that check for .htaccess files all the way up to the root of the 
filesystem, it does so very quickly.

When server traffic gets too high I will simply add servers but I see no 
reason why this setup can't host hundreds of typical low-volume sites, I may 
be proved wrong of course ;-)

I would not use this for a very high traffic site, I wouldn't host a very high 
traffic site on a shared server period.

> I better follow this way ...
>
> httpd.conf (apache 1.3.X, apache 2.X does it automatically)
> ...
> Include /etc/apache/domains.d
> ...
>
> then simply create the .conf file from a template for example, and
> drop it inside /etc/apache/domains.d, a simple /etc/init.d/apache reload
> and that's all, no need to check on every request where I should get the
> files.

On previous servers I have used the template approach.  I don't like 
creating hundreds of nearly identical configs, to me identical means 
redundant.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux



Re: Apache 1.3 mass virtual hosting recipe

2004-09-22 Thread Fraser Campbell
On September 22, 2004 03:04 am, Johann Botha wrote:

> running a script from mod_rewrite was not reliable, sometimes it just did
> not work... restart apache and it worked again. maybe it was just the
> version I used.

Hmm, I don't like the sound of that.  Hopefully it was just the version you 
used.  Or a problem with the script talking to LDAP, since my script (at 
least for now) is self-contained I hope I don't run into issues.  If my 
solution proves problematic I will report back.

> 2) I wanted to enable / disable things like PHPengine for the virtual
>    host based on LDAP settings.

You could do it in the script, if file extension is .php then rewrite the 
request to a "cannot execute" message.  Alternatively (what I had planned to 
do) is just disable the engine in directories where I don't want it (that 
would be using config files), something like this is supposed to work:


php_admin_flag engine off


-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux



Re: Apache 1.3 mass virtual hosting recipe

2004-09-21 Thread Fraser Campbell
Hi,

I finally got around to trying out mod_rewrite and it looks like things will 
work exactly as I'd hoped.  I'm posting this recipe since I was unable to 
find a documented example of how to do it and I figured lots of people might 
be interested in doing it.  It does need some more testing but at this point 
I see no reason why it will not work.

The basic concept is to create a directory and have apache serve it 
automatically under the correct domain name (zero config apache). Let's say I 
want to have wehave.net and www.wehave.net hosted on my server.  I could 
create a VirtualHost with "ServerName wehave.net" and "ServerAlias 
www.wehave.net" or I could do this:

  RewriteEngine on
  RewriteLog /tmp/junk
  RewriteLogLevel 9
  RewriteMap  vhosts-map  prg:/usr/local/sbin/vhost-redirector.pl
  RewriteRule ^/(.*)$ ${vhosts-map:%{HTTP_HOST}}$1

My perl script looks like this:

  #!/usr/bin/perl -wT
  use strict;
  $| = 1;   # unbuffered: apache waits for exactly one reply line per lookup
  while (<>) {
    chomp;
    # HTTP_HOST is supplied by the client: only accept a plain hostname so
    # that nothing containing '/' or similar can influence the path
    # (this replaces the earlier FIXME about syntax checking the hostname).
    if (!/^[A-Za-z0-9.-]+$/) {
      print "/var/www/web/\n";
      next;
    }
    my @path = split(/\./, lc $_);   # hostnames are case-insensitive
    # drop leading labels until a matching docroot exists:
    # www.wehave.net -> wehave.net -> net -> (nothing left)
    while ( ! -d '/var/www/' . join('/', reverse(@path)) . '/web/' and @path){
      shift @path;
    }
    if (@path) {
      print '/var/www/' . join('/', reverse(@path)) . "/web/\n";
    } else {
      print "/var/www/web/\n";   # "Site not configured" default
    }
  }

The end result is that once dns points something at your server simply 
creating the appropriate directory hierarchy is enough to host a given 
website (and aliases).  Given the previous example (hosting wehave.net), I 
would create the directory /var/www/net/wehave/web and 
http://wehave.net/whatever would translate to the filesystem 
as /var/www/net/wehave/web/whatever ... requests for 
http://www.wehave.net/whatever would translate to the same file unless I 
wanted to serve something different for that in which case I would just need 
to create /var/www/net/wehave/www/web/whatever 

If I want www.wehave.ca to be the same as wehave.net then I just link ...
ln -s /var/www/net/wehave /var/www/ca/wehave

Any site pointed to your server which doesn't have an appropriate config would 
end up directed to the filesystem directory /var/www/web ... there could be a 
default page there stating "Site not configured".

One thing I haven't shown in my example is that you would have to either not 
rewrite shared paths (such as /icons/, /squirrelmail/, etc.) or you would 
have to hardcode those paths into the perl script.

The perl code starts when apache starts and stays resident so the extra 
overhead is minimal (I am guessing) i.e. you are not firing up a perl process 
for every single request.

Obviously under this scheme all hostnames get treated the same, you would have 
to override the defaults in some cases (SSL sites for example) but that can 
be done by adding normal rules in  or  containers.

On September 5, 2004 09:06 pm, Fraser Campbell wrote:
> Hi,
>
> I'm setting up a new server and would like to use mod_vhost_alias, or other
> mass virtual hosting method, if possible.  mod_vhost_alias is very simple
> to setup and works as advertised:
>
> LoadModule vhost_alias_module /usr/lib/apache/1.3/mod_vhost_alias.so
> UseCanonicalName Off
> VirtualDocumentRoot /var/www/%0/web
>
> Unfortunately, it is as simple as it is simple to setup ;-)  My question is
> in regards to ServerAlias.  "Normal" clients host their website at
> http://www.abcd.com/ but they (and I) also like it when http://abcd.com/
> works as well.  Is there any way (besides filesystem link) to make
> vhost_alias find the right DocumentRoot?
>
> Ideally I'd like a directory structure like this:
>
> /var/www/com/abcd/web/
> /var/www/com/abcd/subdomain/web/
>
> When serving http://www.abcd.com/ apache wouldn't
> find /var/www/com/abcd/www/web/ so it would fallback
> to /var/www/com/abcd/web/, if that were missing it would fallback
> to /var/www/com/web/ and then to /var/www/web/
>
> Perhaps something like the above is possible using mod_rewrite???  I'll
> keep plugging away for a while but if anyone knows the answer I'm all for
> shortcuts.
>
> Second question.  Supposing that the above can work somehow I'd like to use
> one common logfile for all virtualhosts, with the virtualhost's name
> prepended to each log line.  This is easy of course.  The catch of course
> is that I'd like to have consistent names for hosts, i.e. I don't want to
> be splitting off logfiles for www.abcd.com and abcd.com when those are
> actually the same site.
>
> Basically, I'd like apache logging to be smart enough to realize that it is
> actually serving abcd.com although the hostname in the request was
> www.abcd.com.
>
> --
> Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
> Georgetown, Ontario, Canada   Debian GNU/Linux
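The same hostname-to-DocumentRoot lookup as an added Python example, written in the shape of an Apache RewriteMap prg: program (one hostname in per line, one directory out per line). It is not the post's Perl script: the /var/www/<tld>/<domain>/web layout and the /var/www/web default are taken from the recipe above, while the hostname validation, port stripping and lowercasing are additions that address the "syntax checking on hostname" question, since HTTP_HOST is client-controlled and must not be allowed to contribute path components. The demo() helper builds a throw-away sample tree so the lookup can be exercised without touching /var/www.

```python
#!/usr/bin/env python3
"""Hostname -> DocumentRoot resolver in the style of an Apache RewriteMap
prg: script.  Added example; it assumes the /var/www/<tld>/<domain>/<sub>/web
layout from the list post and falls back label by label to /var/www/web/."""
import os
import re
import shutil
import sys
import tempfile

DOCROOT_BASE = "/var/www"   # assumed base directory (from the post)
DEFAULT_DOCROOT = "web"     # /var/www/web: the "Site not configured" page
# A plain DNS hostname: labels of letters, digits and '-', joined by dots.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$"
)


def normalise_host(raw: str):
    """Lowercase, strip an optional :port and a trailing dot, and refuse
    anything that is not a plain hostname (returns None in that case)."""
    host = raw.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():        # "wehave.net:8080" -> "wehave.net"
        host = name
    host = host.rstrip(".")
    if not HOSTNAME_RE.fullmatch(host):
        return None
    return host


def docroot_for(host: str, base: str = DOCROOT_BASE) -> str:
    """Walk from the full hostname towards the TLD until a */web/ directory
    exists: www.wehave.net -> wehave.net -> net -> default."""
    labels = host.split(".")                          # ['www', 'wehave', 'net']
    while labels:
        candidate = os.path.join(base, *reversed(labels), "web")
        if os.path.isdir(candidate):
            return candidate + os.sep
        labels.pop(0)                                 # drop the leftmost label
    return os.path.join(base, DEFAULT_DOCROOT) + os.sep


def resolve(raw_host: str, base: str = DOCROOT_BASE) -> str:
    """Full lookup for one Host header value; invalid hosts get the default."""
    host = normalise_host(raw_host)
    if host is None:
        return os.path.join(base, DEFAULT_DOCROOT) + os.sep
    return docroot_for(host, base)


def demo() -> dict:
    """Build a constructed sample tree in a temp dir, resolve a few hosts
    against it and return the results relative to the base directory."""
    base = tempfile.mkdtemp(prefix="vhosts-")
    os.makedirs(os.path.join(base, "net", "wehave", "web"))
    os.makedirs(os.path.join(base, "web"))
    hosts = ["wehave.net", "WWW.wehave.net:8080", "mail.wehave.net",
             "other.example", "../../etc", "wehave.net/../.."]
    results = {h: resolve(h, base)[len(base):] for h in hosts}
    shutil.rmtree(base)
    return results


def main():
    # Apache keeps this process alive and sends one lookup per line; the
    # reply must be flushed immediately or the request hangs.
    for line in sys.stdin:
        sys.stdout.write(resolve(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

With the sample tree, wehave.net, www.wehave.net (with or without a port) and mail.wehave.net all map to net/wehave/web/, an unconfigured domain maps to web/, and a Host value carrying slashes or dot-dot is rejected before it ever reaches a filesystem check.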





Apache 1.3 mod_vhost_alias, ServerAlias and logging

2004-09-05 Thread Fraser Campbell
Hi,

I'm setting up a new server and would like to use mod_vhost_alias, or other 
mass virtual hosting method, if possible.  mod_vhost_alias is very simple to 
setup and works as advertised:

LoadModule vhost_alias_module /usr/lib/apache/1.3/mod_vhost_alias.so
UseCanonicalName Off
VirtualDocumentRoot /var/www/%0/web

Unfortunately, it is as simple as it is simple to setup ;-)  My question is in 
regards to ServerAlias.  "Normal" clients host their website at 
http://www.abcd.com/ but they (and I) also like it when http://abcd.com/ 
works as well.  Is there any way (besides filesystem link) to make 
vhost_alias find the right DocumentRoot?

Ideally I'd like a directory structure like this:

/var/www/com/abcd/web/
/var/www/com/abcd/subdomain/web/

When serving http://www.abcd.com/ apache wouldn't 
find /var/www/com/abcd/www/web/ so it would fallback 
to /var/www/com/abcd/web/, if that were missing it would fallback 
to /var/www/com/web/ and then to /var/www/web/

Perhaps something like the above is possible using mod_rewrite???  I'll keep 
plugging away for a while but if anyone knows the answer I'm all for 
shortcuts.

Second question.  Supposing that the above can work somehow I'd like to use 
one common logfile for all virtualhosts, with the virtualhost's name 
prepended to each log line.  This is easy of course.  The catch of course is 
that I'd like to have consistent names for hosts, i.e. I don't want to be 
splitting off logfiles for www.abcd.com and abcd.com when those are actually 
the same site.

Basically, I'd like apache logging to be smart enough to realize that it is 
actually serving abcd.com although the hostname in the request was 
www.abcd.com.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: LDAP & postfix

2004-08-12 Thread Fraser Campbell
On August 12, 2004 11:38 am, Robert Waldner wrote:

> >Any chance you could show me the LDAP setup along with a dump (LDIF) of
> > how a few accounts are set up?
>
> Sure.
>
> main.cf:
>
> alias_maps = hash:/etc/aliases ldap:ldapsource
> ...

Excellent, thanks I'll give it a try.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: LDAP & postfix

2004-08-12 Thread Fraser Campbell
On August 12, 2004 07:23 am, Robert Waldner wrote:
> On Wed, 11 Aug 2004 20:18:02 EDT, Fraser Campbell writes:
> >Does anyone know of a step-by-step howto of setting up LDAP for use with
> >postfix?
>
> http://www.postfix.org/LDAP_README.html ?
> http://www.google.com/search?q=postfix+ldap+howto ?
> 
> > I have users in LDAP and now I want to define aliases & virtual
> >domains within LDAP.  I'd be happy to write the howto once I get the
> > basics down ...
>
> What MDA are you using? I've just set up postfix/OpenLDAP/courier
>  for a customer.

Exactly what I would like to use.  My problem is mainly with LDAP, I've set up 
postfix many times using mysql for account storage and using virtual users.  
This time around I want to store accounts in LDAP and use "real" accounts (as 
opposed to the postfix virtual delivery agent).

Any chance you could show me the LDAP setup along with a dump (LDIF) of how a 
few accounts are set up?

Thanks
-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





LDAP & postfix

2004-08-11 Thread Fraser Campbell
Hi,

Does anyone know of a step-by-step howto of setting up LDAP for use with 
postfix?  I have users in LDAP and now I want to define aliases & virtual 
domains within LDAP.  I'd be happy to write the howto once I get the basics 
down ...

Thanks
-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: ssh and root logins

2004-08-10 Thread Fraser Campbell
On August 10, 2004 08:30 am, Shannon R. wrote:

> i only have 1 important box yet i'm getting the same
> thing also.
>
> by the way, won't leaving only "console" in
> /etc/securetty disallow remote root logins? i did it
> and my box still accepts remote root logins. any ideas
> why?

Because ssh doesn't refer to that file.  You can probably make it check the 
file by adding something like "auth requisite pam_securetty.so" 
to /etc/pam.d/ssh (note that's completely untested so don't try it remotely 
of course).

If you do try it let us know how it works out.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: q re transferring mysql db from redhat to debian

2004-07-27 Thread Fraser Campbell
On July 27, 2004 03:58 am, Henrik Heil wrote:

> > the reason why i don't want to do the database transfer using data
> > generated by mysqldump is because i want all the auto-generated
> > record_ids to stay the same in the new system.
>
> The record_ids will stay the same with mysqldump.
> What makes you think they will not?

I have seen problems with this.  The existing auto-incremented fields were 
just fine but new ones were a little bit off.  In a normal mysqldb if you 
have a single record with id 1 and delete it then add another record the new 
record will get id 2 (not filling in the missing 1).  I've seen a case that 
after a mysqldump and restore the new records did not have that 
behaviour, "missing" ids were reused.  I'm sure that I did something wrong 
with the dump but in that case it was not important so I didn't research it 
further.
-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: recovery from reiser

2004-07-26 Thread Fraser Campbell
On July 26, 2004 05:36 pm, Marek L. Kozak wrote:

> Is there any possibility to recover erased data from reiserfs partition

There's some chance.  You'll almost certainly get data back but it may not be 
what you want and it will be difficult to determine if you've recovered what 
you wanted.

You can run "reiserfsck --rebuild-tree -S" on the partition.  Read the 
manpage, understand what it will do.  Backup the partition first so that if 
things go wrong you'll have a second chance.

This command will rebuild everything that it can find on the disk that looks 
like a file and put it in lost+found/#somenumber

The files won't have meaningful names but if you know what you're looking for 
a combination of file, grep, etc. can probably do it for you.

Good luck and make sure you have good backups from now on ;-)
-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: Outlook and Qmail

2004-07-23 Thread Fraser Campbell
Someone wrote:

>I am having a problem with one of my customers who is using Outlook 2000
>SP-3 to connect to our Qmail server.  When downloading messages from his
> POP account, Outlook will hang.  It is most likely a corrupted message,

The only concrete case I've tracked down was Outlook choking on emails with 
non-ascii characters in the headers ... I don't recall the exact characters 
or circumstance.  There was a patch to courier-imap/pop that solved the 
problem, not sure if that patch is integrated now or if it's in Debian's 
courier packages.  The same issue might apply to other pop daemons?

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: Which Spam Block List to use for a network?

2004-06-29 Thread Fraser Campbell
On June 26, 2004 05:27 pm, Leonardo Boselli wrote:

> Just a note. Since these are infected machines, a first test could just be to
> try to "call back" the other server, to see if it replies to port 25.

Being unable to connect to port 25 doesn't mean anything.  AFAIK there is no 
RFC or other standard saying that to send email with smtp you must accept 
email by smtp.

It is normal (or at least common) to verify that the sender's domain at least 
appears to accept mail but a given mail relay could be dedicated to outgoing 
mail and there's no reason that it must accept mail.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: DF bit - Dont Fragment

2004-06-21 Thread Fraser Campbell
On June 21, 2004 09:50 am, Andrew Miehs wrote:

> tried that... But that seemed just to disable PMTU Discovery, and not
> disable the 'DF' bit... (After the traffic between myself and the server
> via a CIPE tunnel stopped working when the packets got too large)
> - Or is there a bug in packet fragmentation in the linux kernel?

Hmmm, I did try it here and my outgoing packets lacked the DF bit as soon as I 
made that change.  Replies are up to the other side of the connection so they 
may or may not set DF as far as I can tell.

If large packets are being blocked then there is definitely a bug, whether 
it's in the Linux kernel (doubtful), cipe, your firewall (?) or in an 
upstream router is impossible for me to tell.

My bet would be that someone is blocking icmp messages (you, your firewall, 
your ISP?).  There's a really good explanation of PMTU at 
http://www.netheaven.com/pmtu.html that should explain all that for you.

As someone else suggested you can lower the MTU and probably get around the 
problem but it would be better to try and figure out which router is blocking 
your PMTU attempts ... play with the -M option to ping (at least in 
iputils-ping from testing).

Of course I've never used CIPE so I may be totally off base.
-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux
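The reply above hinges on what the DF bit does to an oversized packet at a router, and on what happens when the ICMP "fragmentation needed" message never makes it back. The following is an added example, not code from the list or from CIPE: it builds constructed IPv4 headers (documentation-range addresses, a made-up tunnel MTU of 1400) and models the four outcomes, including the black-hole case the message suspects.

```python
"""Toy model of the DF bit and Path MTU discovery.

Added example, not code from the mailing list or from CIPE; the packets and
link MTUs are constructed here. It shows what the DF bit in an IPv4 header
does to an oversized packet at a router, and why a filtered ICMP
"fragmentation needed" message turns PMTU discovery into a black hole.
"""
import struct

IP_DF = 0x4000  # "Don't Fragment" bit in the 16-bit flags/fragment-offset field
IP_MF = 0x2000  # "More Fragments" bit
FRAG_OFFSET_MASK = 0x1FFF


def build_ipv4_header(total_length, df, src="192.0.2.1", dst="198.51.100.7"):
    """Minimal 20-byte IPv4 header with the given total length and DF setting.

    Constructed sample: TTL 64, protocol 6 (TCP), checksum left as zero,
    documentation-range addresses.
    """
    ver_ihl = (4 << 4) | 5  # IPv4, 5 words of header
    flags_frag = IP_DF if df else 0
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s",
                       ver_ihl, 0, total_length, 0x1234, flags_frag,
                       64, 6, 0, src_b, dst_b)


def parse_fragmentation_fields(header):
    """Decode total length, DF, MF and fragment offset from an IPv4 header."""
    ver_ihl, _tos, total_length, _ident, flags_frag = struct.unpack_from("!BBHHH", header)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {
        "total_length": total_length,
        "df": bool(flags_frag & IP_DF),
        "mf": bool(flags_frag & IP_MF),
        "fragment_offset": flags_frag & FRAG_OFFSET_MASK,
    }


def router_decision(header, next_hop_mtu, icmp_reaches_sender=True):
    """What a router does when the packet is too big for the next hop."""
    fields = parse_fragmentation_fields(header)
    if fields["total_length"] <= next_hop_mtu:
        return "forwarded"
    if not fields["df"]:
        return "fragmented"          # the case once ip_no_pmtu_disc clears DF
    if icmp_reaches_sender:
        return "dropped, ICMP fragmentation-needed sent"   # sender lowers its path MTU
    return "dropped silently (PMTU black hole)"            # ICMP filtered somewhere


def pmtu_scenarios(tunnel_mtu=1400):
    """Run the four cases for a 1500-byte packet crossing a smaller tunnel MTU."""
    big_df = build_ipv4_header(1500, df=True)
    big_nodf = build_ipv4_header(1500, df=False)
    small = build_ipv4_header(1300, df=True)
    return {
        "small packet": router_decision(small, tunnel_mtu),
        "DF clear": router_decision(big_nodf, tunnel_mtu),
        "DF set, ICMP allowed": router_decision(big_df, tunnel_mtu),
        "DF set, ICMP blocked": router_decision(big_df, tunnel_mtu, icmp_reaches_sender=False),
    }


if __name__ == "__main__":
    for case, outcome in pmtu_scenarios().items():
        print(f"{case:22s} -> {outcome}")
```

The last case is the one that looks like "large packets stop working": the sender keeps DF set, the router drops the packet, and because the ICMP error is filtered the sender never learns to shrink the segment. Lowering the MTU by hand hides the symptom; finding the filter fixes it.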





Re: DF bit - Dont Fragment

2004-06-21 Thread Fraser Campbell
On June 21, 2004 07:36 am, Andrew Miehs wrote:

> I can't find it How do I turn off the 'Don't Fragment' bit? without
> using IP Tables/ Chains? Is there a proc setting? or do I need to
> re-compile the Kernel? and if so, where is the jumper?

You're probably looking for /proc/sys/net/ipv4/ip_no_pmtu_disc

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux






Re: how to relocate servers transparently

2004-06-20 Thread Fraser Campbell
On June 18, 2004 12:49 am, Nate Duehr wrote:

> No, this isn't right.  You must lower the TTL time at a bare minimum 2 *
> (Current TTL) ahead of time.  Why?  Because nameservers out in the real
> world will not even query your nameservers again until the TTL has
> expired, meaning that if you change it today, the FIRST time another
> nameserver that has already cached your records will ask for it again is
> after the *current* TTL expires.  Now take the case where one nameserver
> is a forwarder for another (rare, but there are environments where it's
> needed) and the one behind the forwarder could take up to 2 * TTL to
> come ask for new information.

Can you explain that a little further?  If my nameserver caches a record with 
TTL 86400, and someone asks for it again an hour later I hand them the record 
from my cache using TTL 82800 (not 86400).  This is certainly what bind does, 
if other caching nameservers do it differently then it's a bug IMHO.

I would be very surprised if it is different when DNS queries are being 
forwarded from one DNS server to another.  Or did you mean something else?

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux
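The disagreement above is about whether a cache behind a forwarder can hold a record longer than the original TTL. The following is an added example, not code from the list or from bind: a toy model with constructed zone data and clock values, in which each cache stores an absolute expiry and hands out the remaining TTL (the behaviour the message describes), with a switch to model a cache that re-issues the original TTL instead.

```python
"""Toy model of TTL handling in chained DNS caches.

Added example, not from the mailing list: the zone data, clock values and the
two-tier "forwarder" topology are constructed here to illustrate the point in
the message above, that a caching server hands out the remaining TTL of its
cached copy rather than the original TTL.
"""
from dataclasses import dataclass

AUTH_TTL = 86400  # one day, the TTL used in the thread's example
NAME = "www.example.test"


@dataclass
class CachedRecord:
    value: str
    original_ttl: int
    expires_at: int  # absolute clock value (seconds) at which the copy is stale

    def remaining(self, now):
        return max(0, self.expires_at - now)


class Authoritative:
    """Stand-in for the zone's authoritative server: always answers with the full TTL."""

    def __init__(self, zone, ttl=AUTH_TTL):
        self.zone = dict(zone)
        self.ttl = ttl
        self.queries = 0  # how often the caches had to come back to us

    def query(self, name, now):
        self.queries += 1
        return self.zone[name], self.ttl


class CachingResolver:
    """A caching server that decrements TTLs (bind's behaviour, as described above).

    decrement=False models a cache that re-issues the original TTL with every
    answer, the behaviour the message calls a bug.
    """

    def __init__(self, upstream, decrement=True):
        self.upstream = upstream
        self.decrement = decrement
        self.cache = {}

    def query(self, name, now):
        rec = self.cache.get(name)
        if rec is None or rec.remaining(now) == 0:
            value, ttl = self.upstream.query(name, now)
            rec = CachedRecord(value, ttl, now + ttl)
            self.cache[name] = rec
        return rec.value, (rec.remaining(now) if self.decrement else rec.original_ttl)


def chained_cache_demo(decrement=True):
    """Fill a forwarder's cache at t=0, then query it via a downstream cache at t=3600.

    Returns the TTLs each tier hands out and the clock value at which the
    downstream cache will finally discard the record.
    """
    auth = Authoritative({NAME: "192.0.2.10"})
    forwarder = CachingResolver(auth, decrement)
    downstream = CachingResolver(forwarder, decrement)  # forwards every miss to 'forwarder'

    _, forwarder_ttl = forwarder.query(NAME, now=0)       # cache miss, full TTL from auth
    _, downstream_ttl = downstream.query(NAME, now=3600)  # an hour later, via the forwarder
    return {
        "forwarder_ttl": forwarder_ttl,
        "downstream_ttl": downstream_ttl,
        "downstream_expiry": downstream.cache[NAME].expires_at,
        "auth_queries": auth.queries,
    }


if __name__ == "__main__":
    print("decrementing caches:", chained_cache_demo())
    print("non-decrementing caches:", chained_cache_demo(decrement=False))
```

With decrementing caches the downstream copy receives TTL 82800 and expires at exactly the same moment as the forwarder's copy, so the chain adds no lifetime. With the non-decrementing model the downstream copy is stamped with a fresh 86400 and outlives the authoritative TTL by however long the forwarder had already held the record.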





Re: how to relocate servers transparently

2004-06-14 Thread Fraser Campbell
On Monday 14 June 2004 09:57, Adrian 'Dagurashibanipal' von Bidder wrote:

> This may be obvious, but not to me... is there any difference compared
> to using iptables DNAT?

I believe that you'd have some problems if you used DNAT.  Think of what 
happens to a packet coming into your old colo and being NATed to the 
completely different set of IPs at your new colo ...

- packet from client arrives at oldcolo
- packet is DNATed to newcolo
- newcolo receives packet with source address client, destination address
  newcolo (self)
- newcolo responds to packet by looking in its routing table, it sees that
  it is responding to a non-local source address and so replies via its
  default route

Basically, the client would initiate communications with oldcolo but receive 
replies from the address of newcolo.  The simple way around this is to 
use a proxy as other people have suggested.

Personally I wouldn't bother with supporting things on the old address, set 
TTLs on the A records very low (let's say 10 minutes) at the point where you 
wish to switch the servers and just do it.  If DNS is done correctly then 
there should be very little downtime.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: Cyrus / Sieve

2004-06-11 Thread Fraser Campbell
On Wednesday 09 June 2004 09:45, Ulrich Scholler wrote:

> > One feature I'd like to add to my system is server based email filtering
> > for clients, this way whether they use webmail or something like Outlook
> > their filtering policies could still apply.  Are there email clients that
> > can directly manipulate sieve scripts?
>
> There are two web-based sieve clients I know of: websieve and
> smartsieve.  We use smartsieve at our site and it does the job nicely.
>
> AFAIK there are plugins for the major webmail systems;  squirrelmail and
> horde/imp have one for sure.

I also just noticed that OpenGroupware (http://www.opengroupware.org/) has 
support for sieve filtering and vacation scripts.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: Cyrus / Sieve

2004-06-08 Thread Fraser Campbell
On Tuesday 08 June 2004 12:19, Christian Storch wrote:

> If you use cyrus21 from debian with pam as authentication it's
> a fast and easy installation - thanks to Henrique de Moraes Holschuh!
> We're using a backport to stable without problems.
>
> For sorting email between your subfolders or managing spam by scores etc.
> SIEVE is unbeatable and independent of your client.
>
> But I don't know about a client to manipulate your personal script.
> I've written a short perl script for it. Use 'Cyrus::SIEVE::managesieve' in
> your script and be happy about immediate syntax checking after a
> 'sieve_put_file_withdest()'.

What do you feel are the major advantages of cyrus over other systems?  Is it 
just SIEVE support?

> PS: Can't imagine how it was possible to live without SIEVE. :)

Procmail, the syntax is hideous but it does the job ;-)

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Cyrus / Sieve

2004-06-08 Thread Fraser Campbell
Hi,

I'm looking for some information about the cyrus email system.  Is cyrus worth 
it?  Is it significantly more management overhead than a more typical 
user/imap system?

Currently I am using postfix/courier-imap/mysql to manage all email and I'm 
very happy with it, my customers can create their own email accounts and 
manage their own aliases.

However, I'd like to make a more polished "product" and I'm wondering if cyrus 
offers any significant advantages.  I've been hunting for a blow-by-blow 
comparison of cyrus versus "standard" mail implementations but haven't found 
much.

One feature I'd like to add to my system is server based email filtering for 
clients, this way whether they use webmail or something like Outlook their 
filtering policies could still apply.  Are there email clients that can 
directly manipulate sieve scripts?

Any pointers to documentation and feedback from experienced cyrus admins 
greatly appreciated!

Thanks
-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: Apache banner

2004-04-06 Thread Fraser Campbell
On Tuesday 06 April 2004 10:39, Robert Page wrote:

> I think to actually change it you need to edit the source but you can use
> the ServerSignature directive to switch it off.

I use these directives:

  ServerSignature On
  ServerTokens Prod

This way people know I'm running apache (which I don't mind) but they don't 
see the version or all of the different modules that I am running.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux
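A quick way to confirm that the two directives above do what you want is to look at what the Server header actually discloses. The following is an added example, not code from the list or from Apache: it takes constructed sample responses, pulls out the Server header and maps it back to the ServerTokens level that would produce it, using the output formats given in Apache's ServerTokens documentation (Prod: "Apache"; Major: "Apache/2"; Minor: "Apache/2.0"; Min: "Apache/2.0.41"; OS: "Apache/2.0.41 (Unix)"; Full: OS plus module strings). The version and module numbers in the samples are made up.

```python
"""Check what an HTTP Server header gives away.

Added example, not from the mailing list or from Apache: the sample responses
are constructed. It maps a Server header back to the Apache ServerTokens level
that would produce it (Prod, Major, Minor, Min, OS, Full) and lists the
version, OS and module details being disclosed.
"""
import re
from typing import Optional

# Constructed sample responses, one for each end of the ServerTokens range.
SAMPLE_RESPONSES = {
    "hardened": ("HTTP/1.1 200 OK\r\n"
                 "Server: Apache\r\n"
                 "Content-Type: text/html\r\n\r\n"),
    "verbose": ("HTTP/1.1 200 OK\r\n"
                "Server: Apache/1.3.29 (Debian GNU/Linux) PHP/4.3.4 mod_ssl/2.8.16 OpenSSL/0.9.7c\r\n"
                "Content-Type: text/html\r\n\r\n"),
}


def server_header(raw_response: str) -> Optional[str]:
    """Pull the Server header value out of a raw HTTP response, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def classify_banner(value: str) -> dict:
    """Break a Server header into what it discloses and the ServerTokens level it matches."""
    os_match = re.search(r"\(([^)]*)\)", value)          # "(Unix)", "(Debian GNU/Linux)"
    without_os = re.sub(r"\([^)]*\)", " ", value)        # keep GNU/Linux from looking like a module
    tokens = without_os.split()
    product, _, version = tokens[0].partition("/")
    modules = [t for t in tokens[1:] if "/" in t]        # e.g. PHP/4.3.4, mod_ssl/2.8.16
    if not version:
        level = "Prod"
    elif modules:
        level = "Full"
    elif os_match:
        level = "OS"
    else:
        level = {1: "Major", 2: "Minor"}.get(len(version.split(".")), "Min")
    return {
        "product": product,
        "version": version,
        "os": os_match.group(1) if os_match else "",
        "modules": modules,
        "level": level,
    }


def audit_response(raw_response: str) -> dict:
    """Classify the Server header and flag anything beyond the bare product name."""
    value = server_header(raw_response)
    if value is None:
        return {"level": "none", "discloses_more_than_product": False}
    info = classify_banner(value)
    info["discloses_more_than_product"] = info["level"] != "Prod"
    return info


if __name__ == "__main__":
    for label, raw in SAMPLE_RESPONSES.items():
        print(label, audit_response(raw))
```

Feed it the head of a real response (for example the output of a HEAD request saved to a file) and the "hardened" shape is what `ServerTokens Prod` should produce; anything classified OS or Full is still advertising the version and module list.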





Re: ldap

2004-03-24 Thread Fraser Campbell
On Wednesday 24 March 2004 12:48, mimo wrote:

> Most exploits and vulnerabilities are local -- they only apply to your
> machine if you have (other) local users. So it's more secure to have
> "virtual" users via nsswitch / pam /etc and some db (ldap, mysql
> preferably).
> There are more reasons - but this is the most compelling one I think.

Yes and no ...

- an ldap user account made available through /etc/pam.d/xxx files (or
  in /etc/nsswitch.conf) is a local user

- whether credentials are fetched and checked against ldap (or mysql) versus
  against /etc/passwd and /etc/shadow doesn't necessarily change anything.

For me the advantage of password database alternatives is that they can be 
distributed, managed and replicated more easily.

If you're talking about completely virtual accounts such as postfix and 
courier's ability to lookup users in mysql (likely ldap and others as well) 
then I would agree, but in this case no pam or nsswitch tricks are used.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: Fun with routes

2004-03-17 Thread Fraser Campbell
On Wednesday 17 March 2004 07:24, aCaB wrote:
> I was trying to figure out a cheap solution to increase upload speed for
> one of my customers (currently using ADSL).
>
> I soon realized that dedicated lines such as CDN, HDSL etc are too
> expensive in respect to common ADSL and come up with a brain-dead idea
> of bounding various ADSL lines together...
>
> Let's say I have ISP-A and ISP-B providing me 2 lines with static
> addresses IP-A and IP-B; both ISP's allows source address spoofing.
> For simplicity let's also say I will only accept incoming connections on
> IP-A, but, to increase upload speed, I want reply packets to come out
> both from ISP-A (with no modifications) AND ISP-B (with source address
> spoofing).
>
> I'm quite sure this can be done, but I'm not sure if iproute2 would do
> this.

I've set up lots of multiple connection gateways but outbound load balancing 
wasn't a concern (only inbound).  Still, I'm pretty sure that iproute2 is the 
correct tool and that this is pretty trivial to set up.

Forget ip spoofing, just set things up so that traffic alternates which 
connection it goes out.  Look at load balancing in the LARTC 
(http://lartc.org/howto/lartc.rpdb.multiple-links.html).  If you truly want 
double the bandwidth you won't get it but if you just want to share the load 
across multiple connections then this is the answer.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: anyone got a quad/tri port ethernet card for sale?!!

2004-02-29 Thread Fraser Campbell
On Saturday 28 February 2004 21:08, Chris Evans wrote:

> Do you know if these (D-link 570 or 580) are supported with the basic
> Debian stable??  If so, I'm off to place bids!

The 570 is definitely supported in stable.  It uses the tulip module and has 
worked for ages, IIRC it also can use the de4x5 module.

AFAIK the 580 needs a fairly new kernel or at least patches.  We only run it 
on Redhat boxes right now so perhaps I'm mistaken.  On the redhat boxes we 
had to build our own driver sundance-new to get things working.  The regular 
sundance modules in the newer kernels (at least from Redhat) seem to work fine 
with the 580.

We've had both 570s and 580s that turned out to be duds but as long as they 
work, they work well.  In your circumstances I'd definitely try and get the 
570 (I believe full model number is DFE-570TX).

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: Courier-imap Outlook problem - RE: Imap && imap-ssl && pop3-ssl

2004-02-15 Thread Fraser Campbell
On February 12, 2004 11:31 pm, Debian ISP wrote:

> One problem we keep having involves M$ Outlook clients. It seems that
> something breaks with the communication between the server and Outlook
> clients (or possibly corrupts the pst files created for each maildir).

I haven't heard of that but most clients I have won't let go of pop3.  When 
imap is used Outlook (and other mail clients) like to make quite a few 
connections to the server, it could be that some connections are getting 
refused.  I've run into this and it's not an obvious problem.

I usually increase MAXPERIP to 10, its default is 4.  The parameter is found 
in /etc/courier/imapd.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: Postfix doesn't reject empty senders

2004-01-28 Thread Fraser Campbell
On January 28, 2004 12:48 pm, Tomàs Núñez Lirola wrote:

> My smtp server (postfix) was receiving a lot of mails with empty senders
> ("mail from:<>"), and it sends them as if they were from
> "[EMAIL PROTECTED]". I want to change this behaviour, so I added to
> main.cf the line

Bounces are sent from the null sender; blocking such messages is usually a bad 
idea.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux





Re: routing help

2004-01-27 Thread Fraser Campbell
On Tuesday 27 January 2004 11:57, Demian Wandelow wrote:

> On Mon, Jan 26, 2004 at 12:59:03PM +0800, Jason Lim wrote:
> > I believe there is a way to force a refresh or such of the ARP cache. Not
> > sure how... but it can be done somehow. I'd be interested to learn the
> > method under Linux as well, so if you find out, share it with the group
>
>   ip route flush cache

No, that flushes the routing cache, not the arp cache.  With the ip command 
you'd flush the arp cache with "ip neigh flush all"; you can also cycle 
through all arp entries and delete them with "arp -d address".

Original poster's question (sorry lost original mail) ...

On Mon, 26 Jan 2004 14:02:21 +1100 Lauchlin wrote:

> If I simply do "ifconfig eth0:1 203.221.41.12 netmask 255.255.255.224
> broadcast 203.221.41.3" I can ping the IP address from the machine that is
> on the same switch (e.g. from 203.221.41.1) but I can not ping or trace to
> the ip aliased interface. I have searched around on google but can't seem to
> find what I am doing wrong!
 
Is the router at 203.220.47.153 aware of the 203.221.41.0/27 network?  If the 
router doesn't know about the local 203.221.41.0/27 network it will assume 
that the network is not local and try to reach it through the Internet.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux
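The question at the end of the reply, whether the router knows the /27 is local, comes down to addressing arithmetic. The following is an added example, not code from the list: it takes the address, netmask and broadcast from the quoted ifconfig line, the peer that could ping the alias, and the router address from the reply, and works out which of them share the network and what broadcast address that netmask actually implies.

```python
"""Sanity-check the addressing in the quoted routing question.

Added example, not from the mailing list. It uses the address, netmask and
broadcast from the quoted ifconfig line and the router address from the reply
to work out which hosts share the /27 and what the broadcast address for that
netmask actually is.
"""
import ipaddress

# Values quoted in the thread.
ALIAS_IP = "203.221.41.12"
NETMASK = "255.255.255.224"
QUOTED_BROADCAST = "203.221.41.3"
PEER_ON_SWITCH = "203.221.41.1"
ROUTER = "203.220.47.153"


def interface_network(address, netmask):
    """The network an address/netmask pair belongs to."""
    return ipaddress.ip_interface(f"{address}/{netmask}").network


def same_subnet(a, b, netmask):
    """True when both addresses fall in the same network under this netmask."""
    return interface_network(a, netmask) == interface_network(b, netmask)


def analyse(alias_ip=ALIAS_IP, netmask=NETMASK, quoted_broadcast=QUOTED_BROADCAST,
            peer=PEER_ON_SWITCH, router=ROUTER):
    net = interface_network(alias_ip, netmask)
    return {
        "network": str(net),
        "broadcast_for_netmask": str(net.broadcast_address),
        "quoted_broadcast_matches": ipaddress.ip_address(quoted_broadcast) == net.broadcast_address,
        "peer_is_local": same_subnet(alias_ip, peer, netmask),
        # If the router's own address is outside the /27 it needs an explicit
        # route (or an interface in that network) to treat the block as local.
        "router_address_in_network": ipaddress.ip_address(router) in net,
    }


if __name__ == "__main__":
    for key, val in analyse().items():
        print(f"{key:28s} {val}")
```

The peer on the same switch is inside 203.221.41.0/27, which is why it can reach the alias directly; the router's address is not, so without a route for that block its traffic goes out the default route exactly as the reply describes. The check also shows that 255.255.255.224 puts the broadcast at .31, not at the .3 in the quoted command.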





Re: upgrading to MySQL 4 on woody

2004-01-19 Thread Fraser Campbell
On Monday 19 January 2004 08:43, Andreas Vent-Schmidt wrote:

> is there any way to do an upgrade for a single Deb package which is
> NOT listed in the stable package list?
>
> I want to upgrade only MySQL to version 4.0.x (because of the fine
> transaction feature), but want not to change the apt source list in
> general (I want to keep the *stable* system).

Two ways that I can think of:

- find or build a package designed for woody (check http://www.backports.org/
  and http://www.apt-get.org/)
- set up sources.list with stable, testing and unstable sources.  Set up apt
  to prefer the stable distribution but selectively install what you want from
  testing or unstable (apt-get -t testing install mysql-server)

I prefer the first solution if it's available (and it is for mysql-server).

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux





Re: SSH Privat key and login as root without a passwort

2004-01-18 Thread Fraser Campbell
On January 18, 2004 10:45 am, ournewsletter wrote:

> put it in /root/.ssh/authorized_keys. I don't know if it works with the key
> produced by Putty, but with a "ssh-keygen"-generated public key it does. If
> you need more public keys to log in, simply name the key
> files /root/.ssh/authorized_keys2, /root/.ssh/authorized_keys3 ...

Putty keys do work with openssh but you must edit them first.  Putty keys 
look rather like the ascii export of a gpg key; you must edit them so that 
they look like this:

ssh-rsa 89yh23wrnhjfdg... #all one line

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux




Re: Still no success: two router one host

2004-01-15 Thread Fraser Campbell
On Thursday 15 January 2004 12:45, Leonardo Boselli wrote:

> I followed your suggestion but still no success ...
> any attempt to contact from outside g.f.e.246 fails.
> of course if i disconnect also eth0 i cannot access anything, unless i
> set an ad-hoc route on eth1.
> But i need to be accessible on both addresses.

Something is wrong with your routing rules (or perhaps firewall rules?).

> If i try to connect from outside without success i can see that my
> packet arrives but are not answered on either port.

Most obvious reasons why your machine wouldn't respond (that I can think of):

- firewall rules that are blocking them
- lack of a default route (and not necessarily the default route in the main
  routing table)

> I tried also to add the option from adv-iproute howto for load
> balancing, using ip route slist table main is shown correctly , but not
> honoured.

I have not experimented with load balancing but I don't believe that would 
interfere with the routing rules I gave you.

> I begin to fear that the kernel I have (a plain 2.22 from debian) is not
> ok ?

Look at the file showing how your kernel was compiled. I'm not running any 2.2 based 
kernels anymore and I'm not certain that Debian's 2.2 kernel included 
advanced routing support (though I'd be very surprised if they didn't).  Look 
for kernel options CONFIG_IP_ADVANCED_ROUTER=y and 
CONFIG_IP_MULTIPLE_TABLES=y ... you should be able to see those options in 
the /boot/config-2.2.X-whatever file included with your kernel.

> Where am i wrong ?

Not sure.  If you post your rules and routes I can probably help you out:

  ip rule list
  ip route list table 5   #  5 just as an example
  ip route list table 10  # 10 just as an example

Here are rules and routes from one such firewall that I manage (names and 
addresses changed to protect the innocent):

[EMAIL PROTECTED]:~$ ip rule list
0:      from all lookup local
100:    from all to 192.168.0.0/24 lookup main
100:    from all to 192.168.1.0/24 lookup main
100:    from all to 10.10.10.0/24 lookup main
100:    from all to 159.99.99.192/27 lookup main
100:    from all to 216.129.212.0/24 lookup main
200:    from 192.168.1.11 lookup wiznet
200:    from 192.168.1.20 lookup wiznet
200:    from 192.168.1.30 lookup wiznet
200:    from 192.168.1.194 lookup sprint
200:    from 192.168.1.197 lookup sprint
200:    from 192.168.1.199 lookup sprint
200:    from 10.10.10.165 lookup wiznet
300:    from 159.99.99.192/27 lookup sprint
300:    from 216.129.212.0/24 lookup wiznet
32766:  from all lookup main
32767:  from all lookup default

[EMAIL PROTECTED]:~$ ip route list table sprint
default via 159.99.99.193 dev eth3

[EMAIL PROTECTED]:~$ ip route list table wiznet
default via 216.129.212.1 dev eth3

Routing rules are traversed in order; the first matching rule results in a routing 
decision and no further rules are consulted.  Here is a description of the 
logic in these rules:

Rules 0, 32766 and 32767 are there by default and implement normal routing 
behaviour; I'll skip discussing those.

Rules with priority 100 make sure that all traffic destined for local 
addresses just looks up the main routing table (I like to call main the 
"normal" routing table).

Rules with priority 200 are to make sure that SNATed traffic is sent to the 
correct routing table.  This firewall runs shorewall; shorewall DNATs 
appropriate incoming traffic to various DMZ services, responses from these 
machines must be directed to the correct routing table or it will just exit 
on the default route (since SNAT happens POSTROUTING).  IIRC you're 
installing these rules on a host so rules like this shouldn't be necessary 
for you.

Rules with priority 300 ensure that all outgoing traffic not caught by a 
previous rule is sent to the correct routing table based on its source 
address.

In this case the routing tables are named sprint and wiznet for convenience 
(those are names of upstream ISPs).  If you wish to name your routing tables 
rather than refer to them by number, use /etc/iproute2/rt_tables.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux




Re: two router one host

2004-01-14 Thread Fraser Campbell
On Thursday 15 January 2004 12:40, Leonardo Boselli wrote:

> I have got a second connection.
> My server is in one class C subnet, say a.b.c.d with a default gateway
> a.b.c.1
> I have added a second connection eth1 g.f.e.246/30 (whose router, you
> can guess, is g.f.e.245) .
> Of course with this setup i can only access the router via the second NIC.
> If i add a second default route it always ends up using the second nic; it
> works for some addresses, but not for most: it looks like some hosts use the
> "other" route and the packets are not answered .

If a.b.c.1 is your default gateway and someone on the Internet connects to 
g.f.e.246 then there is a problem.  Your firewall will respond by sending the 
reply packets to its default route; this will not work well (or at all, 
depending on your ISP).

You need to use the iproute utility to create multiple routing tables and a 
few routing rules.  There are probably many ways to arrange your rules but 
here is the style that I stick to:

First create a routing table for each connection (5 and 10 are randomly chosen 
table numbers):

ip route add default via a.b.c.1 table 5
ip route add default via g.f.e.245 table 10

Next create some rules to ensure that local traffic stays local:

ip rule add to a.b.c.0/24 lookup main pri 100
ip rule add to g.f.e.246/30 lookup main pri 100

Now create some rules based on source address so that your outgoing packets 
get sent to the correct router:

ip rule add from a.b.c.0/24 lookup 5 pri 200
ip rule add from g.f.e.246/30 lookup 10 pri 200

Flush routing cache so that rules take immediate effect:

ip route flush cache

> I fear that it sends packets via eth1 with a.b.c.d address.

Yes it does.  If you find out the MAC address of your routers you can use 
tcpdump in conjunction with a filter (by MAC address) to confirm that.

> What is the setup i have to add to have it working correctly.
> Also is there a script to change default route from one NIC to the Other if
> the connection is broken ?

Depends on what you're doing but you probably won't need a script once ip 
routing is setup correctly.  Documents are at http://www.lartc.org/ IIRC.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux
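The rule traversal described in the "Still no success" reply (priority 100 keeps local destinations in main, 200 and 300 pick the upstream table by source address) and the two-table setup built in the reply above can be checked offline with this simulator. It is an added example, not code from the posts: it parses the text formats of `ip rule list` and `ip route list table X`; the listings it embeds are constructed after the thread's sprint/wiznet firewall, with the local and main tables filled in as assumptions. It also models the kernel's fall-through when the selected table has no matching route, which is how the "lack of a default route" failure shows up.

```python
"""Simulate the kernel's policy-routing decision from iproute2 listings.

Walks `ip rule list` entries in priority order and does a longest-prefix
lookup in the table the first matching rule names.  If that table holds
no route for the destination the kernel moves on to the next rule, which
is why a missing default route surfaces as an unreachable destination.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class Rule:
    priority: int
    src: Optional[Net]      # None means "from all"
    dst: Optional[Net]      # None means no "to" selector
    table: str


@dataclass
class Route:
    prefix: Net
    via: Optional[str]      # next-hop gateway; None for a directly connected net
    dev: Optional[str]


# Constructed sample listings, modelled on the firewall in the thread
# (sprint/wiznet are the two upstream tables; local and main are assumed).
RULE_LIST = """\
0:      from all lookup local
100:    from all to 192.168.1.0/24 lookup main
100:    from all to 159.99.99.192/27 lookup main
100:    from all to 216.129.212.0/24 lookup main
200:    from 192.168.1.11 lookup wiznet
200:    from 192.168.1.194 lookup sprint
300:    from 159.99.99.192/27 lookup sprint
300:    from 216.129.212.0/24 lookup wiznet
32766:  from all lookup main
32767:  from all lookup default
"""
ROUTE_LISTS = {
    "local": "local 192.168.1.1 dev lo\n",
    "main": "192.168.1.0/24 dev eth0\n159.99.99.192/27 dev eth3\n216.129.212.0/24 dev eth3\n",
    "sprint": "default via 159.99.99.193 dev eth3\n",
    "wiznet": "default via 216.129.212.1 dev eth3\n",
    "default": "",
}


def parse_rules(text: str) -> List[Rule]:
    """Parse `ip rule list` output; result is sorted lowest priority first."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+):\s+(.*)$", line)
        if not m:
            continue
        toks = m.group(2).split()
        src = dst = table = None
        for i, tok in enumerate(toks):
            if tok == "from" and toks[i + 1] != "all":
                src = Net(toks[i + 1], strict=False)   # bare address becomes /32
            elif tok == "to":
                dst = Net(toks[i + 1], strict=False)
            elif tok == "lookup":
                table = toks[i + 1]
        rules.append(Rule(int(m.group(1)), src, dst, table))
    return sorted(rules, key=lambda r: r.priority)


def parse_routes(text: str) -> List[Route]:
    """Parse `ip route list table X` output (default and prefix routes)."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0] in ("local", "broadcast", "unicast"):
            toks = toks[1:]                     # drop the route-type keyword
        prefix = Net("0.0.0.0/0") if toks[0] == "default" else Net(toks[0], strict=False)
        via = toks[toks.index("via") + 1] if "via" in toks else None
        dev = toks[toks.index("dev") + 1] if "dev" in toks else None
        routes.append(Route(prefix, via, dev))
    return routes


def lookup(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match within a single table."""
    hits = [r for r in routes if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


def route_packet(rules: List[Rule], tables: Dict[str, List[Route]], src: str,
                 dst: str) -> Optional[Tuple[int, str, Optional[str], Optional[str]]]:
    """Return (rule priority, table, gateway, device), or None if unreachable."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.src is not None and s not in rule.src:
            continue
        if rule.dst is not None and d not in rule.dst:
            continue
        hit = lookup(tables.get(rule.table, []), d)
        if hit is None:
            continue        # table has no matching route: try the next rule
        return (rule.priority, rule.table, hit.via, hit.dev)
    return None             # no table answered: "Network is unreachable"


RULES = parse_rules(RULE_LIST)
TABLES = {name: parse_routes(text) for name, text in ROUTE_LISTS.items()}

if __name__ == "__main__":
    for src, dst in [("159.99.99.200", "198.51.100.7"),   # own address on the sprint net
                     ("192.168.1.11", "198.51.100.7"),    # DMZ host whose replies get SNATed
                     ("10.0.0.5", "198.51.100.7")]:       # source no rule covers: no default
        print(src, "->", dst, ":", route_packet(RULES, TABLES, src, dst))
```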




Re: Postfix-mysql-procmail

2004-01-10 Thread Fraser Campbell
On January 10, 2004 09:17 am, Robert Hensel wrote:

> I currently have a properly working postfix-mysql setup. This all works
> fine, but I would like to implement an autoresponder/other stuff. The
> problem is, that for example procmail doesn't seem to work with virtual
> users. I have added "mailbox_command = /usr/bin/procmail ". But this
> line is completely ignored :(
>
> Maybe someone here can help me avoid writing ugly bash scripts to do the
> job ;)

The virtual delivery agent doesn't support procmail, .forward files, etc.  I 
believe you have no choice but to do some scripting (it can be ugly if you 
insist ;-)

I'll assume that you're talking about an email setup similar to the one 
described at http://kirb.insanegenius.net/postfix.html ?

The only way that I can think of to do things like mail filtering, out of 
office, etc. is by having a virtual map entry that forwards the email to an 
alias as well as to the original user:

[EMAIL PROTECTED]   [EMAIL PROTECTED],fraser-filters

In the aliases file (which could be managed in mysql still) you would have the 
alias fraser-filters pipe to a command that does whatever magic you need.  
This might already be what you were thinking of?

I haven't tried this but it's the easiest way that I can think of to support 
mail filtering, out of office and such.  You can also write postfix filters 
which might have advantages.

If you find anything please follow up here as it's something I think a lot of 
people might be interested in.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux




Re: Searching for a simple chroot-solution

2004-01-08 Thread Fraser Campbell
On January 8, 2004 10:00 am, Peter wrote:

> can anybody recommend a simple chroot solution? At the moment I am
> using http://jail.sourceforge.net/ that's not bad at all, but
> something that would integrate more into debian and possible to
> install with an "apt-get jail" or similar would be also nice.
>
> Is there a debianized standard solution?

It depends what you're using the chroot for.  Someone already mentioned 
debootstrap and that is a trivial method of building chroot filesystems, 
perhaps that is all you need.  Otherwise have you considered user mode Linux 
(http://user-mode-linux.sourceforge.net/).

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux




Mailscanner vs. amavis vs. other

2003-12-05 Thread Fraser Campbell
Hi,

We've had some experience with amavis over the last few years and while it 
generally works it has a tendency to lose the occasional message or just 
continually requeue messages until their queue time expires and the message 
bounces.  We're using amavisd-postfix.

I know there are also other variants of amavis such as amavis-ng that we could 
try.  Has anyone compared amavis to mailscanner and come to a definite 
conclusion as to one being better.  I know better is very subjective but I'd 
still like to hear opinions.

I'd like to eventually hook spam trapping into the filter (I think amavis-ng 
does that) as well.

Thanks!
-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux




Re: bind9 vs tinydns vs others

2003-12-03 Thread Fraser Campbell
On December 3, 2003 04:04 pm, David Zejda wrote:

> thanks for reply!
> i only guess, as well as your dns depends on some database (RDBMS or LDAP
> or something else), it increases the danger of attacks, especially DoS (db
> is down -> dns respectively). flat files can't be "down". wouldn't be
> better to generate flat files from the backend db to avoid such risks?
> have you ever had such problems?

I would agree with you, others may not.  It's trivial to generate appropriate 
zone files from a database so (assuming you want your zones in a database) 
I'd still go with generating the files periodically rather than having DNS 
constantly polling the db.


> > David Zejda wrote:
> > > what do you prefer for authoritative dns?
> > > experiences/stability...?
> > > i have no verbose bind knowledge yet.
> > >
> > > thanks
> > > David
> >
> > We are running mydns on our auth name servers, feeding them data from a
> > self made PHP-based web interface. Works like a charm. Only drawback is
> > it's only available in testing and unstable (but most of our servers run
> > testing and are rock stable)
> >
> > Thomas

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux




Re: bind9 vs tinydns vs others

2003-12-02 Thread Fraser Campbell
On December 2, 2003 10:46 am, David Zejda wrote:

> what do you prefer for authoritative dns?
> experiences/stability...?
> i have no verbose bind knowledge yet.

For an authoritative only server there is nsd.  It's only available in 
unstable but it should be easy enough to backport.  I've only used it on my 
home network so far but I do plan to eventually use it in my hosting 
business; I rather like the idea of diversity (bind being the de facto 
standard for dns, it is subject to many more attacks).

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux




Re: the best email solution

2003-10-13 Thread Fraser Campbell
On Monday 13 October 2003 05:53, David Zejda wrote:
> And one question more: What's the best storage system for user accounts?
> RDBMS? LDAP?

Best, I don't know.   I use RDBMS (mysql) and am very happy, many people 
prefer LDAP.

> Is there any way, how to manage user accounts for all services (webmail,
> pop3, smtp, imap) from one place?
>
> The site will serve about up to hundreds accounts.

I use the setup described at http://kirb.insanegenius.net/postfix.html

I have written a rudimentary web interface that allows management of aliases, 
email forwarding and accounts.  In the case of multiple domains each domain 
has an administrator (or more than one) who can manage email within their 
domain.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux





Re: proftpd exploit

2003-09-27 Thread Fraser Campbell
On Friday 26 September 2003 09:33, mimo wrote:

> I have just discovered this exploit report but couldn't find anything
> about other distros than Slackware
> http://proftpd.linux.co.uk/index.html
> Does any body know if the debian version is affected too?

You should always take a look at bug reports if you're worried about a 
security issue.  Here's the bug report on this for Debian:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212416

According to the bug report, woody is not vulnerable.  ISS says that versions 
1.2.7 through 1.2.9rc2 (and possibly versions prior to 1.2.7) are vulnerable.  
I suspect that someone somewhere has since tested earlier versions (woody runs 
a patched 1.2.4) and decided that those versions are not vulnerable.  It 
would be nice if the bug report noted on what evidence stable is not 
affected.

> All I could think of for the moment was disabling downloading via FTP
> globally. Any ideas?

Yes it sounds like denying either uploads or downloads would have saved you.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux





Re: splitting a subnet in an odd way

2003-09-26 Thread Fraser Campbell
On Wednesday 24 September 2003 10:47, Leonardo Boselli wrote:

> I have a /24 subnet.
> .1 is the gateway and almost all IP from 2 to 254 are occupied.
> I would like to split the host in three groups:
> 12 that can have full access, 12 through one firewall and the other 205
> through a second firewall.
> I cannot change the number of some machines, so the only option is
> that the first 12 and the two firewalls are .2 to .14
> the second group is .18 to .29 and the third would keep its present
> numbers between .36 and .254.

Why not have a single firewall?  If you want to have two firewalls make an HA 
cluster out of them.  If you are interested in physically separating the 
subnets then I would just put extra interfaces on the firewall (basically 
multiple DMZs).

- assume subnet is 1.1.1.0/24
- all machines behind firewall get 1.1.1.0/24 subnet 
- firewall gets 1.1.1.2/24 assigned to its external interface (side facing
  router)
- firewall does proxy arp for all IPs in the subnet on its external interface
- if you like, firewall does proxy arp for 1.1.1.1 on its internal interface
  and then machines shouldn't even have to change their gateway
- firewall rules are written as you require.  Even though the subnet
  1.1.1.0/28 doesn't really exist you can write your firewall rules in that
  way

The firewall will probably need an IP on its internal interface; you might be 
able to use the same IP on both inside and outside interfaces.  If you're 
using 1.1.1.1 as the gateway and proxy arping for it on the internal 
interface then I have a suspicion that no IP would be needed.

You can avoid doing any proxy arp if you setup the routing correctly on your 
router at 1.1.1.1.

If these computers are Internet hosts (webservers, mailservers, etc.) I prefer 
to stick with private IPs on the hosts and to use DNAT to forward traffic to 
the machines.  On another note, shorewall is an excellent framework for 
managing iptables rules, it will even manage proxy arp for you when you need 
to use that.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada   Debian GNU/Linux





Re: Dovecot

2003-09-11 Thread Fraser Campbell
On Wednesday 10 September 2003 19:32, Mark Devin wrote:

> Yes, I have been experimenting with dbmail.  I would say the pros and
> cons are as follows:
>
> Pros:
> 1. Uses mysql or postgresql backend for storing mail (both headers and
> bodies).

What is the advantage of the emails being stored within a database versus in 
Maildir or mbox format on the filesystem?

> 2. Ease of management for virtual user accounts.  Just need to add user
> details into the database to create a new account.  This negates any
> need to give users unix accounts on the system.

You can hook ldap or mysql into postfix (and no doubt most mailservers) to do 
this.  I use the postfix-mysql package in many places with great success.  


> 3. A separate application (dbmail-smtp) is used to take emails for
> configured domains and put them in the database.  This runs as a separate
> user and does not need root permissions since it does not write to the
> filesystem at all.  It simply connects to the database and so only needs
> permissions at the database level.

Most email servers these days do not deliver as root.  Whether you use 
procmail, maildrop, postfix, etc. generally the local delivery agent is 
non-privileged.


> 4. Similarly, the imap and pop3 servers that are part of dbmail also drop
> their privileges to simple users and don't need root level access past the
> initial binding to the 143/110 ports.

Common to most imap and pop servers.

Check the "Postfix+Courier-IMAP+MySQL for multiple domains HOWTO" at 
http://kirb.insanegenius.net/postfix.html ... everything you need to 
accomplish such a system is packaged up in Debian stable.  I've been using 
systems such as this for 6 months and haven't had any glitches yet, the 
systems are not high volume but they're steadily used.  With user accounts 
stored in a database whipping up an administrative interface for domains is 
quite trivial, I just don't see the advantages of going the extra step of 
putting the emails themselves into a database.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada   Debian GNU/Linux





Re: Software for WLAN Hotspot

2003-08-15 Thread Fraser Campbell
On August 15, 2003 03:46 pm, Kay-Michael Voit wrote:
> Yes, I know, I'm just too stupid, reading my message again you will
> notice, that I wanted to write MAC adress.
> IP is |$_SERVER[REMOTE_ADDR] but I don't think this is usefull here.
> Any solution how to determine the MAC automatically?|

If it's communicating with your firewall/webserver/whatever then your machine 
knows the MAC; you could use a system call like this:

arp $_SERVER[REMOTE_ADDR] | tail -1 | awk '{ print $3 }'

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux
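
The same lookup done defensively, as an added example that is not part of the original post: the one-liner above takes whatever is in column three, which for an unresolved entry is "(incomplete)" and for an unknown address is nothing at all. The function below reads the ARP table (the constructed `arp -n` output here, the live cache via `live_mac_for_ip`), returns the MAC only when the entry is fully resolved, and checks it against an allow list; the table contents and the allow list are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post: look the client's MAC up in the kernel ARP
# cache the way the one-liner above does, but reject "(incomplete)" entries
# and unknown addresses instead of handing a bad value to the hotspot logic.
# The ARP table and the allow list below are constructed; live_mac_for_ip
# reads the real cache.

# Constructed `arp -n` output (Linux net-tools layout; column 3 is HWaddress).
SAMPLE_ARP_TABLE='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.23             ether   00:11:22:33:44:55   C                     wlan0
192.168.1.77                     (incomplete)                              wlan0
192.168.1.1              ether   00:aa:bb:cc:dd:ee   C                     eth0'

# mac_for_ip IP  (ARP table on stdin): prints the MAC and returns 0, or prints
# nothing and returns 1 when the address is absent or not yet resolved.
# Comparing the whole first field avoids 192.168.1.2 matching 192.168.1.23.
mac_for_ip() {
    mac=$(awk -v ip="$1" '
        $1 == ip && $2 == "ether" && length($3) == 17 && $3 ~ /^[0-9a-fA-F:]+$/ {
            print $3; exit
        }')
    [ -n "$mac" ] || return 1
    printf '%s\n' "$mac"
}

# Same lookup against the live cache.  Only meaningful when the client is on
# the same broadcast domain; for a routed client you would see the last-hop
# router's MAC instead.
live_mac_for_ip() {
    arp -n | mac_for_ip "$1"
}

# Constructed allow list; on a real hotspot it would come from the user DB.
ALLOWED_MACS="00:11:22:33:44:55"

# mac_allowed MAC: case-insensitive membership test against the allow list.
mac_allowed() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    for m in $ALLOWED_MACS; do
        [ "$m" = "$want" ] && return 0
    done
    return 1
}
```

From PHP the equivalent of the original one-liner would pass `$_SERVER['REMOTE_ADDR']` through `escapeshellarg()` before handing it to the shell; the validation above is what stops an unresolved or missing entry from being treated as a real hardware address.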





Re: Frame Relay & tail -f hanging

2003-08-01 Thread Fraser Campbell
On August 1, 2003 04:30 am, Brian May wrote:

> If I ssh from the melbourne site directly to the auckland site and type
> in "tail -f /var/log/messages" the ssh connection hangs, and Ctrl+C,
> Ctrl+Q, and nothing else works. The only option I have is to kill the ssh
> connection with "\n~.\n". If I leave the connection, eventually it times
> out.

Is it safe to say that anything which generates significant traffic is causing 
the connection to freeze?  At the same time as the connection is frozen, you 
can ssh in, exactly as before, and all seems well?  I would expect that 
cat'ing /var/log/messages (or any file of significant size) will also freeze 
things up.  What about scp'ing or ftp'ing a file over the connection?

> Standard shorewall firewalls are used on both ends, but I really doubt
> this would be an issue. Firewalls can't filter packets based on the
> encrypted data transferred via a ssh connection...

My guesses:

- someone somewhere is dropping important icmp messages (types 3, 4, 11 or 12)
- someone somewhere is dropping fragmented packets.

In the case of icmp I would just duplicate the problem and run a tcpdump on 
either end (filtering specifically for icmp messages).  If you see an icmp 
message on either end that doesn't reach the other side that could very well 
be the problem.  Be 100% sure that your firewalls are allowing all ICMP (at 
least during debugging), the problem could still be outside of your immediate 
control though.

If you're seeing fragments going out over the network make sure that they're 
_all_ received at the other end.  With many cable and dsl connections (around 
here anyway) this is a common problem.  Make sure that it isn't your 
firewalls dropping fragments.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux
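
The "run a tcpdump on either end and see what doesn't make it across" step, as an added example that is not part of the original post: one function gives the capture filter for the four ICMP types named above, and another normalises two saved captures and lists the messages seen on one side but never on the other. The interface names and the two captures below are constructed; on a real link you would save `capture_icmp` output on each end while reproducing the hang.

```shell
#!/bin/sh
# Added example, not from the post: compare the ICMP error messages seen at the
# two ends of the link so that anything dropped in between stands out.  Run
# capture_icmp on each end while reproducing the hang, save both outputs,
# then feed the files to missing_icmp.  Interface names and the captures
# below are constructed.

# tcpdump filter for the ICMP types named above: 3 (unreachable, including
# "need to frag"), 4 (source quench), 11 (time exceeded), 12 (parameter problem).
capture_icmp() {
    tcpdump -n -l -i "$1" \
        'icmp[icmptype] == 3 or icmp[icmptype] == 4 or icmp[icmptype] == 11 or icmp[icmptype] == 12'
}

# Drop the timestamp and the trailing packet length so the same message captured
# at both ends compares equal, then deduplicate.
normalize_icmp() {
    sed -e 's/^[0-9:.]* IP //' -e 's/, length [0-9]*$//' | sort -u
}

# missing_icmp NEAR_FILE FAR_FILE: print messages present in NEAR but absent
# from FAR, i.e. seen leaving one side but never arriving at the other.
missing_icmp() {
    near=$(mktemp); far=$(mktemp)
    normalize_icmp < "$1" > "$near"
    normalize_icmp < "$2" > "$far"
    comm -23 "$near" "$far"
    rm -f "$near" "$far"
}

# Constructed captures: the near side sees "need to frag" twice, the far side
# never does, which points at something between them eating ICMP type 3.
NEAR_SAMPLE='10:21:03.123456 IP 10.0.0.1 > 10.0.1.5: ICMP 10.0.0.9 unreachable - need to frag (mtu 1400), length 36
10:21:03.223456 IP 10.0.0.1 > 10.0.1.5: ICMP 10.0.0.9 unreachable - need to frag (mtu 1400), length 36
10:21:09.000001 IP 10.0.0.1 > 10.0.1.5: ICMP time exceeded in-transit, length 36'
FAR_SAMPLE='10:21:09.000420 IP 10.0.0.1 > 10.0.1.5: ICMP time exceeded in-transit, length 36'

# demo_missing: run the comparison on the constructed captures.
demo_missing() {
    n=$(mktemp); f=$(mktemp)
    printf '%s\n' "$NEAR_SAMPLE" > "$n"
    printf '%s\n' "$FAR_SAMPLE" > "$f"
    missing_icmp "$n" "$f"
    rm -f "$n" "$f"
}
```

A "need to frag" message that leaves one end and never reaches the other is the classic path-MTU black hole the post is hinting at; before trusting the comparison, confirm that the shorewall rule sets on both ends accept those four ICMP types and do not drop fragments, otherwise your own firewall is the thing you are measuring.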





Re: Root-like filesystem permissions.

2003-07-31 Thread Fraser Campbell
On July 31, 2003 10:07 pm, Wade Richards wrote:

> There may be an operating system limit on the number of groups a
> single user can be a member of, but as long as you don't hit that
> limit (if it even exists), you should be OK.

32 groups in Linux.  You could always run an apache instance under a different 
user, per 32 groups.  The 32 group limit is a compile time option in the 
kernel but I believe other utilities need to be recompiled should you try to 
change it ... haven't tried myself.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux





Re: Courier IMAP/POP

2003-07-16 Thread Fraser Campbell
On July 16, 2003 05:52 am, Craig wrote:

> Can anyone tell me how to configure Courier to read mail from user
> maildirs
> in the path and format /var/spool/mail/[EMAIL PROTECTED] ?
>
> ie /var/spool/mail/[EMAIL PROTECTED]

Set the user's home to /var/spool/mail/[EMAIL PROTECTED]/ and have their mail 
stored in /var/spool/mail/[EMAIL PROTECTED]/Maildir/ ... that should just 
work.

I have set up a few systems recently where there are no real users on the 
machine, users are set up in mysql and postfix and courier both do lookups 
into mysql.  All mail is delivered via postfix's virtual delivery agent ... 
perhaps that's what you're looking for?  There's very good documentation on 
how to set it up at http://kirb.insanegenius.net/postfix.html

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux





International character sets and apache

2003-07-14 Thread Fraser Campbell
Hi,

I am currently struggling to understand internationalization issues.  Woody's 
apache by default seems to set this http header:

  Content-type: text/html; charset=iso-8859-1

I am needing to support some websites with polish now, which requires 
iso-8859-2.  If a meta tag is set within the html it seems to be ignored (the 
http header takes precedence).

Does anyone know of a good tutorial on handling these issues?  Since I've spent 
most of my life dealing only with English this is pretty new to me.  Can I 
just set the default charset to utf-8?

Thanks,
-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada   Debian GNU/Linux




Re: mysqld listening to the network interface

2003-07-08 Thread Fraser Campbell
On July 8, 2003 06:46 pm, David Wilk wrote:

> I have another mysql question for ya.  I remember setting up mysqld in
> slink and it was a breeze to get it listening on the network.

For many Debian packages FAQs such as this are answered in 
/usr/share/doc/packagename/README.Debian ... in your case it's mentioned in 
/usr/share/doc/mysql-server/README.Debian

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux





Re: gFTP problems?

2003-07-06 Thread Fraser Campbell
On July 5, 2003 09:07 pm, Martin Wheeler wrote:

> This is the information I wanted -- thanks for confirming my suspicions.
> (I'd actually checked my own firewall settings, and port 20 is open for
> ftp; I tried opening up another port to see if the remote would find it,
> but it didn't.  So I was at a bit of a loss as to which of us had a
> problem.)

Are you certain that you're allowing port 20?  In active-mode (i.e. not 
passive) the ftp server makes a connection to the client, the client does not 
establish the connection to port 20.

> Guess I now have to persuade the ISP to tell me which port they have open
> for ftp traffic -- presumably they've closed down port 20 to discourage the
> black-hats.

If it's working for other clients (Cute FTP?) then it should work for you.  
Are you using a Linux firewall?  In a Linux 2.2 firewall you should load the 
ip_masq_ftp module.  In a Linux 2.4 firewall you should use the 
ip_conntrack_ftp module.  Have you run a tcpdump on your Internet interface to 
ensure that the packets from source port 20 are indeed not reaching you?

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux





Re: Wrapping CGI and PHP Scripts

2003-07-03 Thread Fraser Campbell
On July 2, 2003 09:34 pm, Anand Atreya wrote:

> Any recommendations on how to do this with PHP - without needing the
> #!/usr/bin/php at the top and without using PHP Safe mode - which is a lame
> workaround...?

I haven't tried this but it appears that you can do what you're looking for 
with the combination of mod_fastcgi and suexec, see 
http://www.fastcgi.com/docs/faq.html#PHP

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux





trying to understand 8bit emails

2003-06-23 Thread Fraser Campbell
Hi,

I'm trying to understand 8bit emails.  Using mutt I send an email with a jpeg 
attached, for the jpeg I specify 8bit encoding.  I send the email off and 
although it's viewable on the other end and appears to be intact (i.e. I can 
view it) doing a diff between the emailed jpeg and the original shows that 
there are differences.

All servers along the way are postfix.  I've tried sending 8bit email with 
kmail as well and with kmail the files are different as well, so different 
that the emailed copy doesn't resemble the original in any way when viewed.

I always use base64 encoding personally (well, occasionally uuencoding); I am 
asking this because a customer of mine seems convinced of the need for 8bit 
encoding.  According to what I see in postfix docs and 
http://www.faqs.org/rfcs/rfc1652.html things should work.

Does anyone have some pointers on where things might be going wrong?  Is there 
an 8bit email FAQ somewhere (doesn't have to be postfix specific)?  Here is the 
smtp session, captured by sniffing on the remote server:

EHLO mail.customer.com
MAIL FROM:<[EMAIL PROTECTED]> SIZE=27501 BODY=8BITMIME
RCPT TO:<[EMAIL PROTECTED]>
DATA
Received: by mail.customer.com (Postfix, from userid 500)
id 49B193FF2; Mon, 23 Jun 2003 14:04:59 -0400 (EDT)
Date: Mon, 23 Jun 2003 14:04:59 -0400
From: Fraser Campbell <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: test
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="tThc/1wpZn/ma/RB"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5.1i


--tThc/1wpZn/ma/RB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

asdf

--tThc/1wpZn/ma/RB
Content-Type: image/jpeg
Content-Disposition: attachment; filename="self_service.jpg"
Content-Transfer-Encoding: 8bit

8bit garbage starts here ...

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada  Debian GNU/Linux
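
What "8bit" actually permits, as an added example that is not part of the original post: 8BITMIME (RFC 1652) only lifts the 7-bit restriction; the body still has to obey SMTP's line model as spelled out in RFC 2045 section 2.8, which is no NUL octets, lines of at most 998 octets, and CR only as part of CRLF. A JPEG violates all three, so MTAs that normalise line endings on the way through alter it, which is the diff you are seeing; base64 (or the later BINARYMIME extension) is what arbitrary bytes need. The checker below applies those three rules to a file; the sample inputs it builds are constructed.

```shell
#!/bin/sh
# Added example, not from the post: test whether a body may be sent with
# Content-Transfer-Encoding: 8bit.  8BITMIME (RFC 1652) lifts the 7-bit
# restriction but keeps SMTP's line model (RFC 2045 section 2.8): no NUL
# octets, lines of at most 998 octets, and CR only as part of CRLF.  A JPEG
# breaks all three, so MTAs that normalize line endings legitimately alter it;
# base64 (or the BINARYMIME extension) is what arbitrary bytes need.
# The sample inputs are constructed.

# eightbit_safe FILE: prints "ok" and returns 0, or prints the first violation
# found ("nul", "bare-cr" or "long-line") and returns 1.
eightbit_safe() {
    f="$1"
    # NUL octets are never allowed in an 8bit body.
    if [ "$(tr -d '\000' < "$f" | wc -c | tr -d ' ')" -ne "$(wc -c < "$f" | tr -d ' ')" ]; then
        echo "nul"; return 1
    fi
    # Local files use LF line ends, which the MTA turns into CRLF; a CR that is
    # not immediately before LF, or a line over 998 octets, will not survive.
    if ! LC_ALL=C awk '
        {
            line = $0
            sub(/\r$/, "", line)
            if (index(line, "\r") > 0) { print "bare-cr";   exit 1 }
            if (length(line) > 998)    { print "long-line"; exit 1 }
        }' "$f"; then
        return 1
    fi
    echo "ok"
}

# sample_file KIND: write a constructed sample to a temp file and print its path.
sample_file() {
    f=$(mktemp)
    case "$1" in
        latin1)   printf 'caf\303\251 na\303\257ve\n' > "$f" ;;        # UTF-8 text, 8bit-clean
        longline) awk 'BEGIN { for (i = 0; i < 1200; i++) printf "a"; printf "\n" }' > "$f" ;;
        jpeg)     printf '\377\330\377\340\000\020JFIF' > "$f" ;;      # JPEG SOI + JFIF header
        bare-cr)  printf 'one\rtwo\n' > "$f" ;;
    esac
    printf '%s\n' "$f"
}

# verdict_for KIND: the eightbit_safe verdict for a named constructed sample.
verdict_for() {
    f=$(sample_file "$1")
    v=$(eightbit_safe "$f") || true
    rm -f "$f"
    printf '%s\n' "$v"
}
```

The JPEG sample fails on the very first NUL in its JFIF header, ten bytes in, which is why even a "viewable" copy arrives with differences: the encoding is not a transport failure but a format that was never meant to carry line-free binary data.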





PHP versioning and security information

2003-06-18 Thread Fraser Campbell
Hi,

I have backported unstable's php 4.2.3 packages to woody and I've been using 
them successfully for a few months.  I am rather concerned about security so 
I sent the following message to the php-general mailing list.  So far I have 
no response (granted less than a full day since I posted).  I'm wondering if 
someone here might be able to help me with my questions ...

I'm trying to figure out if the version of php that I am running is secure
against all known exploits and I am finding that task very difficult.  I
haven't been able to find a security page on either http://www.php.net/ or
http://www.zend.com/

My questions are:

- is php 4.2.3 vulnerable to any known security issues?

- what is the meaning of php's versioning scheme?  I see from the
  changelogs that features are added throughout the 4.x branches.  I am used
  to schemes where 4.2.x would be feature frozen with just bug and security
  fixes being applied.

- is the 4.3.x branch the only one that is being maintained?

I do not relish moving my servers from 4.2.3 to 4.3.? since I have
encountered enough problems already with the move from 4.0.6 to 4.2.3. 
Most of the problems were from sloppy coding that should never have worked
but hey it did work with 4.0.6 and does not work with 4.2.3.  If the code
were all mine I wouldn't be so concerned but I don't want to be telling
clients every 6-12 months, that we're upgrading their php version and that
things might break for them.

Is there an official policy as to how long a branch is supported?  PHP
4.2.0 is just over a year old, php 4.2.3 about 6 months old ...

Thanks,
-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux





How to not trigger auto-responders?

2003-06-13 Thread Fraser Campbell
Hi,

Autoresponders that I have set up before were based on procmail, they used the 
FROM_DAEMON check to not send responses to lists plus as a safety measure 
they'd only send one email to each sender per day.

I host a club's website that has about 5,000 members, there are mailings to 
members done through the site and unfortunately the members love 
autoresponders.   The site actually sends emails one-by-one to people and 
there are no headers to indicate that the email is essentially from a mailing 
list.

I am thinking of adding a "Precedence: list" or "Precedence: bulk" header to 
the emails in the hope that at least some of these autoresponders have some 
smarts.  I know I can just send from an address that is aliased to /dev/null 
but I'd really like the emails to continue being sent from functional email 
addresses so that bounces and replies can be handled properly.

Looking at the headers from the autoresponders, some identify themselves, many 
do not.  I found "Internet Mail Service", Microsoft Exchange, OSM Client, and 
SMTP 32 vX.

How have you guys gotten around the autoresponder problem in the past?  Is 
there hope?

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux
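
The receiving-side half of the problem, as an added example that is not part of the original post: the procmail-style gate described at the top of the message, written as POSIX shell functions. It refuses to answer mail carrying Precedence: bulk/list/junk (the header the post proposes adding), list headers, or the Auto-Submitted header from RFC 3834 (which postdates this thread), applies a cut-down version of procmail's FROM_DAEMON sender test, and then allows one reply per sender per day the way the earlier autoresponders did. The sample messages and the state directory layout are constructed.

```shell
#!/bin/sh
# Added example, not from the post: the receiving-side half of the problem, a
# procmail-style gate that decides whether an incoming message may be answered
# automatically.  It honours Precedence: bulk/list/junk, list headers, the
# Auto-Submitted header of RFC 3834 (which postdates this thread), a cut-down
# version of procmail's FROM_DAEMON sender test, and then allows one reply per
# sender per day.  The sample messages and state directory are constructed.

# header_has HEADERS REGEX: case-insensitive match against the header block.
header_has() {
    printf '%s\n' "$1" | grep -iqE "$2"
}

# should_autorespond < MESSAGE: returns 0 if a reply is allowed, 1 otherwise.
should_autorespond() {
    hdr=$(sed '/^$/q')                       # headers end at the first blank line
    if header_has "$hdr" '^Precedence:[[:space:]]*(bulk|list|junk)'; then return 1; fi
    if header_has "$hdr" '^(List-Id|List-Unsubscribe|List-Post|Mailing-List|X-Mailing-List):'; then return 1; fi
    # Auto-Submitted: any value other than "no" marks generated mail.
    if printf '%s\n' "$hdr" | grep -iE '^Auto-Submitted:' \
            | grep -iqvE ':[[:space:]]*no[[:space:]]*$'; then return 1; fi
    # Bounces and daemon senders (simplified FROM_DAEMON).
    if header_has "$hdr" '^(From|Sender|Return-Path):.*(mailer-daemon|postmaster|no-?reply|daemon|listserv|majordomo|bounce)'; then return 1; fi
    if header_has "$hdr" '^Return-Path:[[:space:]]*<>'; then return 1; fi
    return 0
}

# sender_of < MESSAGE: the address from the first From: header.
sender_of() {
    sed '/^$/q' | grep -i '^From:' | head -n 1 \
        | sed -e 's/^[Ff][Rr][Oo][Mm]:[[:space:]]*//' -e 's/.*<\([^>]*\)>.*/\1/'
}

# allow_once_per_day SENDER STATEDIR: returns 0 and records the sender the first
# time it is seen today, 1 afterwards.  TODAY can override the date for tests.
allow_once_per_day() {
    sender=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    stamp="$2/${TODAY:-$(date +%Y-%m-%d)}"
    mkdir -p "$2" && touch "$stamp"
    if grep -qxF "$sender" "$stamp"; then return 1; fi
    printf '%s\n' "$sender" >> "$stamp"
}

# autoreply_allowed STATEDIR < MESSAGE: header gate plus the daily limit.
autoreply_allowed() {
    msg=$(cat)
    printf '%s\n' "$msg" | should_autorespond || return 1
    from=$(printf '%s\n' "$msg" | sender_of)
    [ -n "$from" ] || return 1
    allow_once_per_day "$from" "$1"
}

# Constructed messages.
MSG_HUMAN='From: Alice <alice@example.org>
To: club@example.net
Subject: membership question

When is the next meeting?'
MSG_BULK='From: club@example.net
To: member@example.org
Subject: May newsletter
Precedence: bulk

Dear member, ...'
MSG_AUTO='From: Bob <bob@example.org>
To: club@example.net
Subject: Out of office
Auto-Submitted: auto-replied

I am away until Monday.'
MSG_BOUNCE='From: MAILER-DAEMON@mail.example.net
To: club@example.net
Subject: Undelivered Mail Returned to Sender

This is the mail system at host mail.example.net.'
```

Sending "Precedence: bulk" from the club's site only helps with responders that implement a check like the first one above; the per-sender-per-day file is the safety net that stops two naive responders from mail-bombing each other when the header is ignored.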





Re: OT: good open source (or other) MUAs that work under Windoze

2003-06-02 Thread Fraser Campbell
On June 1, 2003 07:49 am, Chris Evans wrote:

> It's suddenly occurred to me that I may be wrong to assume that there
> are no good open source MUAs that run under windoze, and I thought
> that this might be a good place to ask the people most likely to have
> had to try them or deal with the problems that they and other MUAs
> cause, so here I am asking a little OT but hoping people will point me
> to things I can try.

As far as OSS goes, have you considered mozilla mail?  Although it's integrated 
with the mozilla browser, there's a move afoot to change that (see 
http://www.mozilla.org/projects/thunderbird/).

Another client that I know of is Mulberry (not OSS), see 
http://www.cyrusoft.com/mulberry/ ... both of these clients have the 
advantage of working on many operating systems.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux






Re: Selecting source ip

2003-05-31 Thread Fraser Campbell
On May 30, 2003 05:40 pm, Marc Haber wrote:

> <[EMAIL PROTECTED]> wrote:
> >As someone else already pointed not possible.  You can accomplish this on
> > an app-by-app basis, examples:
> >
> >- telnet and ssh option -b
>
> Which telnet package in Debian stable does have -b?

You might have problems finding one (I did), obviously I remember the -b from 
darker days ;-)

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Brampton, Ontario, Canada Debian GNU/Linux






Re: Selecting source ip

2003-05-29 Thread Fraser Campbell
On May 28, 2003 05:02 pm, Stefan Neufeind wrote:

> when I request a file from a linux box using lynx the source ip of my
> request is the ip of eth0. But how can I change the source ip to
> other ips which are also bound to eth0 (via eth0:0 etc.)? Do I need
> to change the default gate from eth0 to eth0:0 for example? Isn't
> there a way to just change the source ip for all programs I will
> execute in my current environment / bash without affecting other
> programs / tasks?

As someone else already pointed out, it's not possible.  You can accomplish this 
on an app-by-app basis, examples:

- telnet and ssh option -b
- ping option -I
- wget option --bind-address

I don't know what you need this for but if you can use wget instead of lynx 
you might be all set ... I don't see a similar option for wget.

Alternatively, you could run a proxy (squid for example) and bind the proxy to 
the specific IP of your choice.  If you request webpages through that proxy I 
would expect it to use the chosen source IP in its requests.  Most command 
line web clients will honour the http_proxy environment variable.

If you're concerned about more than just web clients you might be able to 
achieve the desired effect with advanced routing (see iproute package).

Hope that helps, if not let us know more about what you're trying to achieve.
-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Brampton, Ontario, Canada Debian GNU/Linux




