Re: Courier-IMAPs / POP3s login question

2004-12-29 Thread martin f krafft
also sprach Jens Zahner <[EMAIL PROTECTED]> [2004.12.29.1121 +0100]:
> Any hints?

Beyond the documentation and the comments in the files in
/etc/courier, you mean?

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!


signature.asc
Description: Digital signature


Re: Mailman Broken

2004-12-29 Thread martin f krafft
also sprach Wouter Verhelst <[EMAIL PROTECTED]> [2004.12.29.0936 +0100]:
> Actually, this looks like a bug in the package to me. You'll want to use
> 'reportbug'.

sed -i -e '1aset -x' /var/lib/dpkg/info/mailman.postinst
apt-get -f install

and include the output of that command in the bug report.



Re: phpBB vulnerability exploited

2004-12-14 Thread martin f krafft
also sprach Jerome Vandenabeele <[EMAIL PROTECTED]> [2004.12.14.1200 +0100]:
> Maybe you could make 2 partitions: /var mounted noexec and
> /var/spool/postfix mounted exec

I hope you are running a 2.6 kernel if you rely on the exec flag.
Sorry for barking into this thread, which I have not followed. When
I see PHP, I say no.

Aren't postinst files also executed from within /var?



Re: bandwidth accounting

2004-12-13 Thread martin f krafft
also sprach Simon Buchanan <[EMAIL PROTECTED]> [2004.12.13.2110 +0100]:
> Hi There, I'm wondering if someone can point me in the right
> direction. We are wanting to account bandwidth usage per IP in our
> rack. Is this possible, if so, any good ideas?

read the archives.
check out ipac.



Re: a couple of postfix questions

2004-12-08 Thread martin f krafft
also sprach Craig Sanders <[EMAIL PROTECTED]> [2004.12.08.0425 +0100]:
> yes, but it's generally better to pick a good horse rather than
> a three-legged, half-blind bad-tempered mule that is well past
> retirement age.

rofl!



Re: a couple of postfix questions

2004-12-07 Thread martin f krafft
also sprach Stephen Gran <[EMAIL PROTECTED]> [2004.12.07.2157 +0100]:
> The things that are vitally important are the ability to reject at smtp
> time for invalid localparts

http://www.postfix.org/LOCAL_RECIPIENT_README.html

> and for viruses - I believe that postfix (at least in recent
> versions) can do this, but I am just not sure.  I do not want to
> have to rely on something like amavis + a separate listener to do
> content scanning,

postfix is an MTA not a content scanner. you will need to use
something like amavisd, but you *can* make postfix refuse a message
if the content scanner refuses it. i don't, so i don't have it
handy.

> I guess what I am asking for is people's experiences migrating
> existing (especially sendmail) systems to postfix, and how easy it
> is to tie other things into it, especially at smtp time.

there is nothing you would want from an MTA which postfix cannot do.

it all depends on your requirements.



Re: [ot] Re: Courier traffic accounting

2004-11-20 Thread martin f krafft
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2004.11.20.1803 +0100]:
> Actually... as far as a lot of users are capable of thinking,
> that's exactly what SMTP should stand for: "I attach this file and
> send it, could it be simpler?".  And you know something?  I can
> see their point.

Yes. I do too.

> Which I suppose is a good reason why we should work towards ASMTP,
> a 8-bit clean, mandatory endpoint authenticated SMTP (as in no
> backscatter, something using mandatory header signing).
> Beautiful! (it's just a dream, there is no such thing.  Which is
> fine right now, as chances are someone would have made it using
> XML).

I vote for WebDAV instead.



[ot] Re: Courier traffic accounting

2004-11-20 Thread martin f krafft
also sprach Teófilo Ruiz Suárez <[EMAIL PROTECTED]> [2004.11.20.1733 +0100]:
> > Nov 20 16:55:22 quebrantahuesos pop3d-ssl: LOGOUT, user=teo,
> > ip=[:::217.125.62.238], top=0, retr=478181
> > 
> > The "retr" field is in KBytes.
> 
> As madduck said in his mail, these are bytes :)

Otherwise I'd have to shoot all the people in your addressbook, teo.
478181 kilobytes in a POP3 session... teach those folks that SMTP is
not the simple mass transfer protocol.


Re: Courier traffic accounting

2004-11-20 Thread martin f krafft
also sprach Philipp Kern <[EMAIL PROTECTED]> [2004.11.20.1648 +0100]:
> are there any ways of traffic accounting related to Courier POP3d and
> IMAPd? We need this on a per-domain basis. The accounting for
> incoming/outgoing mail is easy, as our mailserver of choice -- Exim v4
> -- logs the message size. When looking through Courier's logs I didn't
> notice something similar on the close of the connection.


gaia pop3d-ssl: LOGOUT, user=x, ip=[:::130.60.75.xxx],
  top=0, retr=4253, time=0

imapd-ssl: LOGOUT, user=x, ip=[:::130.60.75.xxx],
  headers=4241, body=290514, time=1216, starttls=1

These are bytes. Be aware that this sort of accounting does not
include the respective protocol, or additional TCP, or IP traffic.

I usually calculate 112% up to 100Mb and then 108% when more than
100Mb has been transferred. With traffic >1Gb, it becomes
negligible.


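As an added example (not code from the thread), here is a small Python script that parses the Courier LOGOUT records quoted above, sums the payload bytes per domain, and applies the 112%/108% rule of thumb from the post. The sample log lines, user names and addresses are constructed; reading the post's "Mb" as MiB and "negligible" as no surcharge beyond 1 GiB are my assumptions.

```python
import re

# Constructed sample of Courier pop3d/imapd (and -ssl) syslog records. User
# names and addresses are made up; the record layout follows the post above.
SAMPLE_LOG = """\
Nov 20 16:55:22 gaia pop3d-ssl: LOGOUT, user=alice@example.org, ip=[::ffff:192.0.2.10], top=0, retr=4253, time=0
Nov 20 16:57:01 gaia imapd-ssl: LOGOUT, user=alice@example.org, ip=[::ffff:192.0.2.10], headers=4241, body=290514, time=1216, starttls=1
Nov 20 17:02:45 gaia pop3d: LOGOUT, user=bob@example.net, ip=[::ffff:198.51.100.7], top=120, retr=1000, time=3
Nov 20 17:03:10 gaia imapd: LOGIN, user=carol@example.org, ip=[::ffff:203.0.113.5], protocol=IMAP
Nov 20 17:05:00 gaia imapd: LOGOUT, user=carol@example.org, ip=[::ffff:203.0.113.5], headers=100, body=200, time=5, starttls=0
Nov 20 17:06:00 gaia pop3d: LOGOUT, user=x, ip=[::ffff:192.0.2.99], top=0, retr=50, time=0
"""

# Only LOGOUT records carry the transfer counters; LOGIN and other lines are skipped.
LOGOUT_RE = re.compile(r"(?P<service>pop3d|imapd)(?:-ssl)?: LOGOUT, (?P<fields>.*)")

# Which LOGOUT counters carry mailbox payload for each service (values are bytes).
PAYLOAD_FIELDS = {"pop3d": ("top", "retr"), "imapd": ("headers", "body")}

MB = 1024 ** 2
GB = 1024 ** 3


def parse_logout(line):
    """Return {'service', 'user', 'bytes'} for a Courier LOGOUT line, else None."""
    m = LOGOUT_RE.search(line)
    if m is None:
        return None
    fields = {}
    for item in m.group("fields").split(", "):
        key, _, value = item.partition("=")
        fields[key.strip()] = value.strip()
    service = m.group("service")
    # Missing counters (older versions, aborted sessions) count as zero.
    payload = sum(int(fields.get(name, 0)) for name in PAYLOAD_FIELDS[service])
    return {"service": service, "user": fields.get("user", ""), "bytes": payload}


def domain_of(user):
    """Per-domain accounting: 'alice@example.org' -> 'example.org'; bare users -> 'local'."""
    return user.partition("@")[2] or "local"


def bytes_per_domain(lines):
    """Sum payload bytes of all LOGOUT records, keyed by the user's domain."""
    totals = {}
    for line in lines:
        rec = parse_logout(line)
        if rec is None:
            continue
        dom = domain_of(rec["user"])
        totals[dom] = totals.get(dom, 0) + rec["bytes"]
    return totals


def with_overhead(payload_bytes):
    """Estimate wire bytes (protocol chatter, TCP/IP headers) from payload bytes
    using the post's rule of thumb: +12% up to 100 MiB, +8% up to 1 GiB, and no
    surcharge beyond that (my reading of 'negligible')."""
    if payload_bytes <= 100 * MB:
        factor = 1.12
    elif payload_bytes <= GB:
        factor = 1.08
    else:
        factor = 1.0
    return round(payload_bytes * factor)


def estimate_wire_bytes(lines):
    """Per-domain traffic estimate including the overhead surcharge."""
    return {dom: with_overhead(b) for dom, b in bytes_per_domain(lines).items()}


if __name__ == "__main__":
    for dom, wire in sorted(estimate_wire_bytes(SAMPLE_LOG.splitlines()).items()):
        print("%-15s %10d bytes (incl. overhead)" % (dom, wire))
```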

Re: on-line DNS administration

2004-11-15 Thread martin f krafft
also sprach Antonin Karasek <[EMAIL PROTECTED]> [2004.11.15.1619 +0100]:
> And one more question - Has anybody heard about open-source (GPL)
> web-based administration for bind9?

webmin-bind should work



Re: SV: automatically logging out users

2004-11-15 Thread martin f krafft
also sprach Christofer Algotsson <[EMAIL PROTECTED]> [2004.11.15.1151 +0100]:
> Idled might be a solution.
> 
> http://www.darkwing.com/idled/

Well, this seems rather dead upstream. I'll ping.



automatically logging out users

2004-11-15 Thread martin f krafft
Is there a way to automatically log out users after a certain idle
period? I would need this automatic logout on a per-service basis,
thus e.g. logging out KDE and tty users while keeping SSH users
logged in.

Does PAM provide for this? Are there other means?



Re: Looking for a network sniffer that collects a used-ports list to help preparing a portfilter firewall script

2004-11-13 Thread martin f krafft
First, read out aloud the first line of my signature, then read the
Debian list policy, then verify the Mail-Followup-To header of my
posts, and then do not CC anyone again unless requested.

also sprach Christian Hammers <[EMAIL PROTECTED]> [2004.11.13.1228 +0100]:
> fetches data on Port 12345 but it would be easier if I would catch
> that information and could ask him about this port. So it's just
> meant as a help.

With a properly configured firewall, you'll catch this information
too. Do you think that your super-customer will have a clue what
ports are used by what? Then you end up opening one port too many
and the trojan horse is in.

But you do as you want/need. I would impose such things on my
customers since they purchase managed security with our services.
They purchase security because they themselves are incapable. Thus,
I would not open up an alley for them to err.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!


signature.asc
Description: Digital signature


Re: Looking for a network sniffer that collects a used-ports list to help preparing a portfilter firewall script

2004-11-12 Thread martin f krafft
also sprach Christian Hammers <[EMAIL PROTECTED]> [2004.11.12.1538 +0100]:
> I remember a network sniffer that could be run e.g. over a week to
> collect a list of all used tcp/udp ports which could then be used
> as a base for creating a firewall script for hosts.

What an extraordinarily bad idea. You should know what you allow.
Everything else should be blocked.

You can use LOG and scan the kern.log file and selectively add stuff
later.


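As an added example (not code from the thread), a Python script for the "use LOG and scan kern.log" step: it parses the records that a logging default-deny iptables policy writes, tallies the dropped (protocol, destination) pairs with their source addresses, and lists the ones not on an explicit allow list so the admin can decide service by service what to open. The kern.log lines, the interface name, the addresses and the allow list are constructed.

```python
import re

# A default-deny policy that logs before dropping, e.g.
#   iptables -A INPUT -j LOG --log-prefix "DROP-IN: "
#   iptables -A INPUT -j DROP
# writes records like these to kern.log. Constructed sample data using
# documentation address ranges; the last line is unrelated kernel noise.
SAMPLE_KERN_LOG = """\
Nov 12 15:38:01 gw kernel: DROP-IN: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 15:38:05 gw kernel: DROP-IN: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:03:08:00 SRC=192.0.2.11 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 15:39:10 gw kernel: DROP-IN: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.10 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=4323 PROTO=UDP SPT=123 DPT=123 LEN=56
Nov 12 15:40:00 gw kernel: DROP-IN: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:04:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=4324 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov 12 15:41:00 gw kernel: eth0: link is up
"""

# Services we consciously decided to offer (constructed); everything else stays blocked
# until someone looks at it. Keys are (PROTO, destination port or ICMP type/code).
ALLOWED = {("TCP", "22")}

# Matches the netfilter LOG layout, with or without a "[ seconds ]" kernel
# timestamp and with an arbitrary --log-prefix in front of IN=.
LOG_RE = re.compile(
    r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>[^=]*?)IN=(?P<ifin>\S*) OUT=(?P<ifout>\S*) (?P<rest>.*)$"
)


def parse_drop(line):
    """Return the interesting fields of one LOG record, or None for other kernel lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    kv = {}
    for tok in m.group("rest").split():
        key, sep, value = tok.partition("=")
        if sep:
            kv.setdefault(key, value)  # keep the first ID= (IP header), not ICMP's
    proto = kv.get("PROTO", "?")
    if proto == "ICMP":
        # ICMP has no port; identify it by type/code instead.
        target = "type%s/code%s" % (kv.get("TYPE", "?"), kv.get("CODE", "?"))
    else:
        target = kv.get("DPT", "?")
    return {"iface": m.group("ifin"), "src": kv.get("SRC", "?"),
            "dst": kv.get("DST", "?"), "proto": proto, "target": target}


def summarize_dropped(lines):
    """Tally dropped packets per (proto, target) with the sources and destinations seen."""
    summary = {}
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["target"])
        entry = summary.setdefault(key, {"hits": 0, "sources": set(), "dsts": set()})
        entry["hits"] += 1
        entry["sources"].add(rec["src"])
        entry["dsts"].add(rec["dst"])
    return summary


def review(summary, allowed):
    """Dropped services that are not on the allow list, most-hit first, for a human to judge."""
    rows = [(key, entry) for key, entry in summary.items() if key not in allowed]
    rows.sort(key=lambda row: (-row[1]["hits"], row[0]))
    return rows


if __name__ == "__main__":
    summary = summarize_dropped(SAMPLE_KERN_LOG.splitlines())
    for (proto, target), entry in review(summary, ALLOWED):
        print("%-4s %-16s hits=%d sources=%s" % (
            proto, target, entry["hits"], ",".join(sorted(entry["sources"]))))
```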

Re: exim or postfix

2004-11-12 Thread martin f krafft
also sprach John Goerzen <[EMAIL PROTECTED]> [2004.11.12.0612 +0100]:
> And I get many legitimate e-mails with a bad HELO.  In fact,
> I would argue that your rule here is wrong.  If I send you an
> e-mail from my laptop, it is not going to send you an address of
> a server that can receive mail (or has a DNS entry) in HELO, but
> everything else will be valid, and I argue that this is OK.

If you send me mail from your laptop without going via a proper
relay, I will reject it too. Use your ISP mail relays! If they suck,
switch ISPs. If that's not possible, pool with others and run
a proper MTA. Or convince me (or others here) that you need a proper
relay, and we'll give you SASL access. Or get a gmx.net account.

Mail was not supposed to be sent from leaf nodes.



Re: What stripe size for mail server?

2004-11-11 Thread martin f krafft
also sprach Adrian 'Dagurashibanipal' von Bidder <[EMAIL PROTECTED]> [2004.11.11.0842 +0100]:
> To optimize random small reads, it's best if a read can be satisfied by 
> touching only one disk, so large stripe sizes should be better - with your 
> avg file size, 8k or 16k stripes should be fine; even 4k probably wouldn't 
> hurt much.

We are using the default, 64k on a server with 140 users and about
80 mails/second, with a mail store of 27 Gb, with an AMD K6 1.2 GHz,
1 Gb RAM, and three Maxtor Ultra9 7200 PATA disks. No problems.



Re: exim or postfix

2004-11-10 Thread martin f krafft
also sprach Craig Sanders <[EMAIL PROTECTED]> [2004.11.10.1014 +0100]:
> > I agree. But exim can do it. And even though this is the LDA
> > part of it, postfix also includes an LDA, which is just not up
> > to speed.
> 
> and postfix can do it too.

No, it cannot, unless you use spamassassin as the LDA, which is
deprecated. Exim can use multiple sequential filters as part of the
LDA (which are all run as the user).

> postfix doesn't do it the same way as exim because postfix is not
> a single monolithic process. 

Stop harping on that and respond to my points, if at all. Even
a modular architecture can support filters as part of the LDA;
Postfix does not.

> > ... not manageable...
> 
> of course not.   but a) it works, and b) it doesn't have to be
> "manageable", .forward files are not a system-wide setting, they
> are a per user thing.

So you suggest .forward files for a machine hosting about 1700
Windows users?

> if you want it to run for every user without each user having to
> do custom configuration, then use procmail as the LDA and create
> a rule in /etc/procmailrc.  problem solved.

If you object to exim because of its monolithic setuid nature, how
can you possibly advocate procmail?

Sure, it's run as the user. But it's a bloody performance hog. Try
that with 1700 users and about 130 to 200 mails per minute, and
you'll find that it does not work.

> if you don't care about using per-user settings in SA, then just
> use a content filter and you'll get SA checking on ALL mail, not
> just on locally-delivered mail.  again, problem solved.  IMO, this
> is the best way to do it.

If you do SA on a system-wide basis, the auto-whitelisting feature
is a problem, and Bayesian filtering is basically useless.

> but if the question you are asking is "i want postfix to work
> exactly the same as exim", then you'll never get an answer.

I did not say so.

> *ALL* mail is both incoming AND outgoing.

Which (sensible) MTA does not do it this way?

> > I am challenging you. 
> 
> challenging me to do what?

To consider that, in fact, postfix is not the best for all
situations.

> repeat after me: an MTA is not an LDA.  use the right tool for the
> job.

I believe I said before that I completely agree. This is not the
issue being discussed.

> > I cheated. It's in there and marked 'impossible'. Exim can do
> > it.
> 
> i doubt if it's impossible. 

You are making a fool of yourself.

> in short, the answer is "that's not a useful question".  routing
> based on solely the From: address is inherently broken.

Did I say that the From address was the only feature to base routing
on?

Also you (and Wietse) are failing to see the value for
store-and-forward relays.

Anyway, this is pointless. You just read my last post on the issue.



Re: exim or postfix

2004-11-10 Thread martin f krafft
also sprach Craig Sanders <[EMAIL PROTECTED]> [2004.11.10.0901 +0100]:
> > Anyway, if you are so confident about postfix, then maybe you
> > can teach me how to set up spamassassin to run under the local
> > user's identity,
> 
> procmail, maildrop or whatever local delivery agent you use can
> run spamassassin.  that's part of an LDA's job.

I agree. But exim can do it. And even though this is the LDA part of
it, postfix also includes an LDA, which is just not up to speed.

> even on the simplest level, a .forward file which pipes to SA is
> executed under the UID of the user.

... not manageable...

> before you say "but i want the MTA to do it", that's just you
> thinking in terms of a monolithic MTA like exim.

I am challenging you. My postfix does not do said things, and I sure
well know why.

> > and how to route messages based on the sending address (for SPF
> > reasons).
> 
> no idea, never needed to do it.  try the postfix-users archives.

I cheated. It's in there and marked 'impossible'. Exim can do it.

> if it's not straight-forward, i'll bet you could do it with
> a policy server.

A policy server has no decision on route destination.

Anyway, I can't believe I am arguing against the product that
I embrace the most.



Re: exim or postfix

2004-11-09 Thread martin f krafft
also sprach Craig Sanders <[EMAIL PROTECTED]> [2004.11.10.0010 +0100]:
> > There have been some very simple things that I've needed to find
> > solutions to with postfix in the past which I ended up having to
> > do with procmail that I can now deal with in ~ 3 lines in the exim
> > config.
> 
> my guess is that you just know exim better than postfix, so things that an
> experienced postfix user would find easy aren't as easy for you as just using
> exim.
> 
> all of the things you listed as benefits of exim, my first thought was "but
> postfix does that (and it does it better :)".

You are not seriously arguing this, right? The exim routers are far
beyond what postfix can do. IMHO, they are far beyond the job of an
MTA, so it's more a plus for exim than a minus for postfix.

Anyway, if you are so confident about postfix, then maybe you can
teach me how to set up spamassassin to run under the local user's
identity, and how to route messages based on the sending address
(for SPF reasons).

> ps: i've used pretty nearly all of the free software MTAs (and
> some not-so-free, like qmail) over the last 15 years.

So have i, but i miss in your list a mention of exim. I have also
never used exim because I had settled on postfix through much the
same path (I also checked out zmailer in between) as you and was
thoroughly happy, before Phil Hazel published the first usable exim
(3.0, in the middle of 1999 IIRC). Thus, I try to avoid
categorically arguing that postfix is better. I like postfix and do
not feel like starting from scratch with another MTA, otherwise
I might well inspect exim more closely.

In any case, I think among the strongest points for postfix are
Wietse Venema, Wietse Venema, Wietse Venema, and Ralf Hildebrandt
(as well as many other folks on postfix-users). If you look at
Wietse's code, you'll see that it'll be hard to suggest improvements
to the logic. From cursory looks at exim, I could not come to the
same conclusion; /usr/sbin/exim was setuid root last I checked.



Re: Write permission on remote machine

2004-11-09 Thread martin f krafft
also sprach Bill Flanagan <[EMAIL PROTECTED]> [2004.11.09.2111 +0100]:
> Any pointers on things to look at?

The Linspire support community
The KDE mailing lists
The Samba mailing lists
A Linux reference
*Maybe* debian-user

--> but not here.

> Does putting a name and p/w into local client authentication
> conflict with a remote directory having no p/w requirement?

Yes, SMB is weird like that.



Re: Value of backup MX

2004-11-09 Thread martin f krafft
also sprach Dale E. Martin <[EMAIL PROTECTED]> [2004.11.09.1954 +0100]:
> This got me to thinking, it would be neat if one could _easily_
> replicate RBLs on their own local DNS server.

rbldns (djbdns) is (a) non-free, and (b) really nice and easy to use
for this purpose.

> Then you could easily point primary and secondary at your local
> RBL and manage it just in your DNS config... I've seen some
> references to transferring RBLs via rsync, but updates via DNS
> zone transfers would be more slick as then it would be automatic.
> Do any of the major RBLs allow for such a thing?

only upon request, and you won't qualify. aside, if possible,
please use rsync, which can be automated too. zone transfers are
just too cumbersome, unless you use IXFR, which is not widely
supported.

@Yoe: you probably disagree. This is just my experience.



Re: Value of backup MX

2004-11-09 Thread martin f krafft
also sprach Dale E. Martin <[EMAIL PROTECTED]> [2004.11.09.1652 +0100]:
> With this approach you can't bounce RBLed messages at SMTP connect
> time though, right?  (I realize that RBLs are semi-controversial,
> especially at the ISP level.)

right. i use spamassassin for RBLs



Re: Value of backup MX

2004-11-09 Thread martin f krafft
also sprach John Goerzen <[EMAIL PROTECTED]> [2004.11.09.1514 +0100]:
> It seems to make a lot of sense to me, but it seems too that
> I must be missing something.

if the backup MX is configured exactly like the primary, then it
makes sense. but it's all too easy to get out of sync.

i usually have my backup MX accept everything and then don't treat
them specially on the primary. thus, policy is still enforced on the
primary, but there is a proper backup path *under my control* should
the primary be unreachable for whatever reason.



Re: postfix sasl auth problem

2004-11-08 Thread martin f krafft
also sprach sin <[EMAIL PROTECTED]> [2004.11.08.0958 +0100]:
> telnet machine.domain.tld 25

use netcat.

or swaks in this case.

> 250-AUTH LOGIN PLAIN

yeah! clear-text passwords!

> smtpd_client_restrictions = permit_sasl_authenticated, 
> permit_mynetworks, reject_rbl_client sbl-xbl.spamhaus.org, 
> reject_unauth_destination

s/_client_/_recipient_/



Re: apt-cacher transition from apache to apache2

2004-11-08 Thread martin f krafft
also sprach Alexandros Papadopoulos <[EMAIL PROTECTED]> [2004.11.08.0929 +0100]:
> There's this already:
> helios:/etc/apache2/conf.d# ls -l apt*
> lrwxrwxrwx  1 root root 27 Nov  8 08:51 apt-cacher -> 
> /etc/apt-cacher/apache.conf
> 
> Does that mean it's included?

Yes.

> So it seems the cgi is called, but then something (?) goes wrong...

I can't help you further. I never got apt-cacher to work.



Re: apt-cacher transition from apache to apache2

2004-11-07 Thread martin f krafft
also sprach Alexandros Papadopoulos <[EMAIL PROTECTED]> [2004.11.08.0734 +0100]:
> changing /etc/apt-cacher/apt-cacher.conf and then
> reloading/restarting apache2 does not honor the changes.

Well, you should not need to restart apache2 since apt-cacher is
a CGI. Apparently, apache2 loads it permanently though, which is
news to me.

Does it work at all?

> I think it has something to do with the
> /etc/apt-cacher/apache.conf snippet which I need to install
> somewhere, but I have no idea where.

Leave it right there and 'include' it from the vhost definition.



Re: exim or postfix

2004-11-07 Thread martin f krafft
also sprach Teófilo Ruiz Suárez <[EMAIL PROTECTED]> [2004.11.07.1529 +0100]:
> Do you have an URL with more info about that policy framework?

Not handy. Please write to , he's the author.



Re: Limiting User Commands

2004-11-07 Thread martin f krafft
also sprach Steve Kemp <[EMAIL PROTECTED]> [2004.11.07.1514 +0100]:
>   If you're operating a shared system and want to keep separate
>  web users isolated from each other using rbash, chroots or
>  similar should be sufficient.

Neither rbash nor chroots are security measures. They are hurdles at
most, but can be easily circumvented. Use virtual machines instead
of chroots, and process and filesystem ACLs instead of rbash.



Re: exim or postfix

2004-11-07 Thread martin f krafft
also sprach Brett Parker <[EMAIL PROTECTED]> [2004.11.07.1440 +0100]:
> Then, I've always preferred exim, I like having control at my
> finger tips, and things to do what I expect :)

Ha! Flamebait! Consider yourself whacked. I won't even respond to
this. :)

/me embraces /etc/postfix/main.cf

> Just out of interest, were your tests exim3 or exim4 vs postfix.

exim3; sorry, I should have mentioned that.

> FWICT there's been a lot of work gone in to exim4, and it does
> seem to be faster than exim3, I haven't done a straight speed
> comparison between postfix and exim4, though.

I have not either for exim4. I would be interested though. I am very
happy with postfix, but I do at times eye over to the router config
of exim. You are right, I cannot get rid of procmail at the moment,
which is definitely a pain. However, I've been using postfix for
like 7 years now and I really don't want to start to learn to swim
again in icy waters.



Re: NFS-mounting crontabs

2004-11-07 Thread martin f krafft
also sprach Mark Ferlatte <[EMAIL PROTECTED]> [2004.11.07.1012 +0100]:
> Okay.  I guess my next question is: why do you want your user
> crontabs NFS mounted from your clients?

The cluster nodes are frequently reinstalled, so the crontabs need
to be installed automatically.

> This actually closes a security hole; if you are NFS mounting your
> crons, then all I have to do is spoof your client's NFS mount (or
> response) to get cron to run any command I want as any user on
> that system.

Hey, it's NFS. It's inherently insecure. Until I switch it all to
IPsec, the cluster is open to everyone with physical access.

> > One idea I had last night is a crontab wrapper, along with
> > a root_squash NFS export. A cron job copies the files from there to
> > /var/spool/cron/crontabs as you describe. But when the user calls
> > crontab, what happens is that the file is first explicitly copied
> > from the NFS mount, then crontab(1) is invoked, and upon exit, the
> > user crontab is saved back to the NFS. I think this would work fine,
> > don't you think?
> 
> Sure, if you want to go that way, a wrapper around crontab is fine.

That, in addition to an @reboot cron job to initialise
/var/spool/cron/crontabs from the NFS-mounted /var/local/crontabs,
did the trick.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: exim or postfix

2004-11-07 Thread martin f krafft
also sprach Mark Ferlatte <[EMAIL PROTECTED]> [2004.11.07.1013 +0100]:
> Don't know about most; I use Postfix.  I don't think exim is a bad choice,
> though; I just liked Postfix better, and it performs well enough to meet my
> needs.

Well said.

also sprach Brett Parker <[EMAIL PROTECTED]> [2004.11.07.1226 +0100]:
> exim4 and postfix, depending on the machine, and who originally set it
> up. New machines are getting exim4 because it is far more flexible and
> powerful than postfix (in my experience).

Well, my last tests have shown postfix to be more performant by
about a factor of 1.6. In addition, there is the single setuid
binary thing about exim.

You are right that exim has a lot more features than postfix.
However, are they needed? To me, exim tries to be more than an MTA,
which is why I surely prefer postfix.

I can't wait until I have time to try/use/improve Md's policy
framework.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: DoS on my OnlineStore (PHP)

2004-11-06 Thread martin f krafft
also sprach Michelle Konzack <[EMAIL PROTECTED]> [2004.11.06.1339 +0100]:
> Can anyone give me some hints how to prevent abusing my PHP Scripts ?

You could use something that can handle high load instead.

Alternatively, put a reverse proxy in front of them, using a cache
expiration policy of several seconds. We did that with
tokyolectures.org, which got 25+ hits/minute at peak times.

> Oh yes,  spider my pages all 2-4 seconds too...

Ban them with robots.txt

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: NFS-mounting crontabs

2004-11-06 Thread martin f krafft
also sprach Michelle Konzack <[EMAIL PROTECTED]> [2004.11.06.1313 +0100]:
> > This is definitely one idea. However, then my users cannot use
> > crontab(1) anymore, thus there will be no syntax checks, and
> 
> You must educate them... :-)

You are funny. I work at a university where people are worse users
than elsewhere.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: NFS-mounting crontabs

2004-11-06 Thread martin f krafft
also sprach Mark Ferlatte <[EMAIL PROTECTED]> [2004.11.06.0123 +0100]:
> > I am trying to set up persistent crontabs in a FAI cluster by using
> > NFS to export /var/spool/cron/crontabs to the clients, thus
> > effectively storing the crontabs on the server. I further would like
> > to use root_squash.
>  
> Do you really want your user's crontabs to run on every host in your cluster?

They are mounted from master:/srv/var/spool/crontabs/${HOSTNAME}, so
they are per host.

> > The question now is: how do I make this work? I do not want to
> > set no_root_squash because laptops could be used to mount the
> > crontabs export and modify away, subverting the user accounts.
>  
> What about a script that looks in each users homedir for .crontab,
> and runs crontab -u $USER ~$USER/.crontab every, say hour or so?
> Put that script in your client /etc/cron.hourly, and push it.

This is definitely one idea. However, then my users cannot use
crontab(1) anymore, thus there will be no syntax checks, and
finally, this raises the issue of how to run a system-wide cron job
for all users. Where do I get the user list from? Everything with
a UID between 1000 and 1 ?

One idea I had last night is a crontab wrapper, along with
a root_squash NFS export. A cron job copies the files from there to
/var/spool/cron/crontabs as you describe. But when the user calls
crontab, what happens is that the file is first explicitly copied
from the NFS mount, then crontab(1) is invoked, and upon exit, the
user crontab is saved back to the NFS. I think this would work fine,
don't you think?

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!


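
For the wrapper and @reboot job sketched in this message (and reported as working in the 2004-11-07 follow-up earlier on the page), here is an added shell example; it is not code from the thread. It assumes the root_squash export is mounted at /var/local/crontabs (the path named in the follow-up) with one file per user, that the real crontab(1) is Vixie cron at /usr/bin/crontab, which honours -u only for root, and that /usr/local/bin precedes /usr/bin in users' PATH so the wrapper shadows the real binary. Both paths are overridable, which is what makes the script testable without NFS.

```shell
#!/bin/sh
# Added example: crontab wrapper plus @reboot initialiser for NFS-stored
# crontabs. Not code from the thread. Assumed: root_squash export mounted at
# $CRONTAB_NFS, one file per user; real crontab(1) at $CRONTAB_BIN (Vixie
# cron, which honours -u only for root). Both may be overridden.
CRONTAB_NFS=${CRONTAB_NFS:-/var/local/crontabs}
CRONTAB_BIN=${CRONTAB_BIN:-/usr/bin/crontab}

# Run crontab on behalf of a user. -u is added only when acting for somebody
# else (the @reboot job does, the per-user wrapper does not).
run_crontab() {
    u=$1; shift
    if [ "$u" = "$(id -un)" ]; then
        "$CRONTAB_BIN" "$@"
    else
        "$CRONTAB_BIN" -u "$u" "$@"
    fi
}

# Install the user's NFS copy into the local spool; crontab(1) does the
# syntax check that a plain cron.hourly copy would have skipped.
sync_crontab_in() {
    [ -f "$CRONTAB_NFS/$1" ] || return 0
    run_crontab "$1" "$CRONTAB_NFS/$1"
}

# Write the spool entry back to NFS. Runs as the user, so root_squash is no
# obstacle; a removed crontab removes the NFS copy too. The dot-prefixed temp
# file keeps a half-written copy from being picked up by the @reboot job.
sync_crontab_out() {
    tmp="$CRONTAB_NFS/.$1.tmp.$$"
    if run_crontab "$1" -l >"$tmp" 2>/dev/null; then
        mv -f "$tmp" "$CRONTAB_NFS/$1"
    else
        rm -f "$tmp" "$CRONTAB_NFS/$1"
    fi
}

# Body of /usr/local/bin/crontab: pull, run the real crontab, push.
crontab_wrapper() {
    me=$(id -un)
    sync_crontab_in "$me"
    run_crontab "$me" "$@"
    rc=$?
    sync_crontab_out "$me"
    return $rc
}

# The @reboot job, run as root: repopulate /var/spool/cron/crontabs after a
# reinstall wiped it. With root_squash this reads the export as nobody, so
# the per-user files there must be readable by nobody.
init_crontabs_from_nfs() {
    for f in "$CRONTAB_NFS"/*; do
        [ -f "$f" ] || continue
        u=${f##*/}
        run_crontab "$u" "$f" || echo "crontab for $u rejected" >&2
    done
}

# When installed as a script named crontab (not sourced), act as the wrapper.
case $0 in */crontab|crontab) crontab_wrapper "$@" ;; esac
```

The wrapper keeps the calling user's identity, so the NFS write happens as that user and root_squash never gets in the way; only the @reboot job runs as root, which is why the files on the export have to be readable by nobody (the ACL the original post mentions). The trade-off Mark Ferlatte raised stands: whoever can serve or spoof that export chooses what cron runs, as every user, on every node that mounts it.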


NFS-mounting crontabs

2004-11-05 Thread martin f krafft
Hi all,

I am trying to set up persistent crontabs in a FAI cluster by using
NFS to export /var/spool/cron/crontabs to the clients, thus
effectively storing the crontabs on the server. I further would like
to use root_squash.

Using ACLs on the server, I managed to give nobody read access, so
now cron kinda starts up, but then reports

  WRONG INODE INFO

I think it's related to the fact that the ACL mask makes the
permissions appear as 640, which cron does not tolerate.

The question now is: how do I make this work? I do not want to set
no_root_squash because laptops could be used to mount the crontabs
export and modify away, subverting the user accounts.

The solution would be for cron to setuid to the user of each
crontab file to read it, rather than making use of the root rights.
However, I doubt that this functionality will be included in
upstream cron, so it's not worth pursuing.

Are there cron alternatives that can handle this? Or maybe even cron
alternatives optimised for cluster use?

Thanks,

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: saslauthd

2004-11-05 Thread martin f krafft
also sprach W.Andrew Loe III <[EMAIL PROTECTED]> [2004.11.05.1034 +0100]:
> I am trying to get PLAIN authentication over TLS to work with postfix. 
> I am having a problem with getting saslauthd (checking against system 
> users) to run. /etc/init.d/saslauthd exists, but it doesn't do anything 

make sure START=yes is set in /etc/default/saslauthd.

sh -x helps... :)

albatross:/etc/postfix# cat /etc/default/saslauthd
START=yes
MECHANISMS="pam"
PARAMS="-O /etc/saslauthd.conf -m /var/spool/postfix/var/run/saslauthd"

The last one makes sure to put the multiplexer into the postfix
chroot. You have to create the appropriate directories:

albatross:/etc/postfix# ls -la /var/spool/postfix/var/run/saslauthd
total 64
drwxr-xr-x 2 root root 53 2004-10-20 15:52 ./
drwxr-xr-x 3 root root 22 2004-07-10 12:37 ../
srwxrwxrwx 1 root root  0 2004-10-20 15:52 mux=
-rw------- 1 root root  0 2004-10-20 15:52 mux.accept
-rw------- 1 root root  4 2004-10-20 15:52 saslauthd.pid

Then start saslauthd and see if the three files are created.

> properly use sasl2 not sasl, but it seems that it never finds my 
> smtpd.conf, so it doesn't know to use saslauthd to check if the user 
> authenticates - leaving me out in the cold :(

albatross:/etc/postfix# cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login

Finally, here are the relevant parts from postfix:

main.cf:

  smtpd_use_tls = yes
  smtpd_enforce_tls = no
  smtpd_tls_wrappermode = no

  smtpd_sasl_auth_enable = no
  smtpd_sasl_local_domain = smtprelay.madduck.net
  smtpd_sasl_security_options = noanonymous, noplaintext
  broken_sasl_auth_clients = no

master.cf:

  smtps   inet  n - - - - smtpd
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_security_options=noanonymous

This will make SASL work only if you connect to port 465, which is
the standard SMTP-SSL/TLS port. Thus, use SSL/TLS on connect, not
STARTTLS.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!


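
As an added check that is not part of the post: a shell function that reads /etc/default/saslauthd and smtpd.conf and reports the three things that most often break the chroot wiring described above. The paths are parameters defaulting to the ones in the post; the wording of the findings and the remark about auxprop are mine. It assumes Debian's /etc/default/saslauthd layout with PARAMS on a single double-quoted line.

```shell
#!/bin/sh
# Added check, not part of the post: verify the saslauthd/postfix chroot
# wiring. Paths are parameters defaulting to the post's; assumes Debian's
# /etc/default/saslauthd with PARAMS on one double-quoted line.
# Prints one line per finding and returns 1 if there was any.
check_saslauthd_chroot() {
    defaults=${1:-/etc/default/saslauthd}
    chroot=${2:-/var/spool/postfix}
    smtpdconf=${3:-/etc/postfix/sasl/smtpd.conf}
    ok=0

    # The init script silently does nothing unless START=yes.
    if ! grep -q '^START=yes' "$defaults"; then
        echo "START=yes missing in $defaults"; ok=1
    fi

    # The directory given with -m must be inside the postfix chroot, or the
    # chrooted smtpd has no path to the mux socket at all.
    params=$(sed -n 's/^PARAMS="\(.*\)"$/\1/p' "$defaults")
    muxdir=$(printf '%s\n' "$params" | sed -n 's/.*-m \([^ ]*\).*/\1/p')
    case $muxdir in
        "$chroot"/*) ;;
        "") echo "no -m <dir> in PARAMS, so the mux lands outside the chroot"; ok=1 ;;
        *)  echo "mux dir $muxdir is outside $chroot"; ok=1 ;;
    esac

    # Once saslauthd runs, $muxdir/mux must exist and be a socket; the post's
    # ls output shows it next to mux.accept and saslauthd.pid.
    if [ -n "$muxdir" ] && [ ! -S "$muxdir/mux" ]; then
        echo "$muxdir/mux is not a socket (saslauthd not started, or wrong -m)"; ok=1
    fi

    # Without "pwcheck_method: saslauthd", libsasl falls back to auxprop
    # (sasldb) and never talks to saslauthd, whatever postfix says.
    if ! grep -q '^pwcheck_method:[[:space:]]*saslauthd' "$smtpdconf" 2>/dev/null; then
        echo "pwcheck_method: saslauthd not set in $smtpdconf"; ok=1
    fi
    return $ok
}
```

The check is deliberately offline and only inspects files; once the socket exists, testsaslauthd -u user -p pass -f /var/spool/postfix/var/run/saslauthd/mux is the live counterpart. Note the split in the post's postfix settings: main.cf keeps noplaintext, so port 25 never offers PLAIN or LOGIN, and only the smtps service, which is already inside TLS, relaxes that to noanonymous. That split is what keeps the password off the wire in the clear.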


Re: network monitoring

2004-10-31 Thread martin f krafft
also sprach Andrew Miehs <[EMAIL PROTECTED]> [2004.10.31.0907 +0100]:
> On the one hand, you are happy to install via nfs, but on the
> other hand, you want monitoring done via 'ssh'?

Well, I agree that NFS is somewhat of a kludge. However, I want SSH
to contact the servers to execute commands, to prevent someone else
from just executing them without authenticating.

> If you really need this much security, you should probably look at
> implementing ALL your connections via IPSEC - and possibly look at
> storing your ssl keys on a floppy, or usb stick as someone else
> suggested.

Hey, IPsec is a good idea. I will be looking into that. Does anyone
have stats on NFS over IPsec? These are 2 GHz machines...

> Nagios mainly uses SNMP to pull its data - authenticated but not
> encrypted. Big Sister - Have heard its similar to big brother
> - simple to set up (compared to nagios) and for your small network
> should be more than adequate. Big Brother (and probably big
> sister) have client software that runs on each machine that sends
> the status info back to the display server.

Yeah, but I want a pull approach, not a push approach!

> To be honest, I don't know what sort of data you have running on
> these boxes, 

Nothing special.

> but I would create a relatively secure gateway, and have my
> cluster behind this.

Done.

> This way you could possibly reduce your internal security
> requirements, and not need encryption everywhere. Just make sure
> you back up your data regularly

The problem is people plugging laptops in on the cluster side.

> All logins via the gateway - squid access to the internet from the
> cluster network.

I think I am going to make IPsec mandatory. That's the best way
probably to shield the local network.

Thanks for the pointer. I did not think about it myself. Doh!

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: distributing SSH keys in a cluster environment

2004-10-30 Thread martin f krafft
also sprach Blair Strang <[EMAIL PROTECTED]> [2004.10.30.0237 +0200]:
> Based on a cursory look at how FAI works, if you're worried about
> a 'laptop attack' -- i.e, an untrusted person with access to your
> network media -- I think there are more problems than just SSH
> keys.

Well, you are too right, unfortunately. I am beginning to believe
FAI really needs to be extended to allow for the use of security
tokens on the clients (whatever that may be), and switch to getting
the configuration space via WebDAV or the like. CVS is already
supported, but CVS also adds an extra level of indirection, which
may cause problems.

The way to do it would be to use a token, such as a USB stick, or
a manually keyed passphrase, which then allows (encrypted) access to
the master server, from which the configuration space is obtained.

After all, at the moment, /etc/fai is exported via NFS, and
/etc/fai/class/DEFAULT.var contains the root password to be used on
all the nodes. Uh oh.

> [Unless I've misunderstood the threat model you're positing here]

No, you have not. I was about to invest too much time into this key
business though, when in fact, I was forcefully ignoring the fact
that the whole thing is as insecure as .

I wonder if it's possible to make a secure cluster environment with
automatic installations. I guess I will have to go for the /scratch
idea...

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: network monitoring

2004-10-30 Thread martin f krafft
also sprach Markus Oswald <[EMAIL PROTECTED]> [2004.10.30.1508 +0200]:
> Just use the source and compile it yourself - it doesn't have many
> dependencies (works like a charm with woody) and has a quite good
> configuration-sample.

No way. :)

PS: Please read the first sentence of my signature. It's list
policy...

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: network monitoring

2004-10-30 Thread martin f krafft
also sprach martin f krafft <[EMAIL PROTECTED]> [2004.10.30.1454 +0200]:
> > Have you already looked at Nagios? (http://www.nagios.org)
> 
> No. I will.

Argh. Even with nagios-text, it wants to pull in Samba and MySQL
stuff. I don't want either of these installed.

Plus, it has just been orphaned... :/

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: network monitoring

2004-10-30 Thread martin f krafft
also sprach Markus Oswald <[EMAIL PROTECTED]> [2004.10.30.1442 +0200]:
> How big is your cluster and what do you want to monitor?

40 nodes, and I basically need availability and ssh.

> Have you already looked at Nagios? (http://www.nagios.org)

No. I will.

> You'll have to write a few configuration files for all the
> services and each client you want to monitor, but if all nodes in
> the cluster are similar, it wont be too much work...

Mh, I *hate* writing configuration files under time pressure... :)

Thanks,

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




network monitoring

2004-10-30 Thread martin f krafft
I would like to monitor all the nodes of a cluster, but I am rather
pressed for time so that I cannot investigate all the options.

I tried spong, but it's pretty bad especially because it requires
changes to the client to specify which tests to run. Ideally,
a network monitoring system should consist of a client (running on
the master), and servers on all nodes, which can then do as the
client instructs. Obviously, this should be within limits, and
strongly authenticated. Maybe SSH would work for this.

So my question is: which network monitoring system would you
recommend, given my requirements?

Thanks,

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: dropping vs rejecting for non exixtent services

2004-10-30 Thread martin f krafft
also sprach Russell Coker <[EMAIL PROTECTED]> [2004.10.30.1106 +0200]:
> If you block with tcp-reset then not only will the person
> connecting get a fast response, but someone who port scans you
> won't know which ports don't have anything listening on them and
> which ports are blocked by iptables.

While it can be considered "kind" to let people know which ports are
inaccessible, I always treat access to ports that I did not open for
the public as an offence. Thus, I do not feel obliged to let the
offender know that s/he is accessing an inaccessible port.

As an added benefit, DROP obscures who is dropping. It could be the
host or a firewall before it. Now that I think of it, however,
a firewall would spoof the sending IP when rejecting with tcp-reset,
right?

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: nscd: Was Re: long delays with LDAP nss/pam

2004-10-30 Thread martin f krafft
also sprach Donovan Baarda <[EMAIL PROTECTED]> [2004.10.30.0447 +0200]:
> I prefer to run a caching dns server on one machine, and nscd on
> all the clients. In my case I'm using libnss-ldap on the clients
> so I kinda need to run it anyway.

I thought so too, but with proper indexing on the server, you hardly
notice the difference with or without now. I took it out again.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: distributing SSH keys in a cluster environment

2004-10-29 Thread martin f krafft
also sprach Craig Sanders <[EMAIL PROTECTED]> [2004.10.30.0340 +0200]:
> of course, you can be a bit looser with with keys if you're
> confident that physical access to the machines AND to the network
> segment they are on is properly restricted, AND you have firewall
> or other access rules to prevent external machines from fetching
> the key files. 

the switches are under the tables. :/

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: distributing SSH keys in a cluster environment

2004-10-29 Thread martin f krafft
also sprach Mark Ferlatte <[EMAIL PROTECTED]> [2004.10.30.0059 +0200]:
> Very little.  I would use cfengine to push your ssh keys from your
> cfengine host right after FAI.

FWIW, there is no cfengine host (yet). I am still somewhat taken
aback by its complexity. Just reinstalling the machines with FAI
seems simpler and cleaner.

> You could, I suppose allow the nodes to FAI, and generate new
> keys, and have the master scp their correct keys out (ignoring the
> temporary key) and kick sshd.

Well, this is what I was thinking too. Use an unprivileged account
on the master to drop a sentinel, which makes the master distribute
the keys via SSH. That would work, except now the attacker simply
has to disable a machine and take over its IP, drop said sentinel,
and wait for the master to push the SSH keys.

> However, I think this is your best shot for an unattended
> installation where you care about the host keys.

Yeah, possibly you are right.

*This* would be the perfect use for a TPM in the nodes.

> FYI: I use systemimager which is rsync based, so I just end up
> putting the same ssh key on every sim node in the cluster.  Since
> I don't care if node42 is spoofing node21 or or not, this works
> well for me.

We used systemimager for years and it drove us crazy as new hardware
was added and multiple people made changes, causing the images to
get out of sync, and multiple images to be created without people
knowing what they were. Yes, it's a policy issue, really... Now we
have an NFS/LDAP solution managed by FAI, which looks very promising
and flexible.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: additional dns search spaces

2004-10-29 Thread martin f krafft
also sprach Mark Ferlatte <[EMAIL PROTECTED]> [2004.10.30.0050 +0200]:
> DHCP doesn't let you specify the DNS search path.  You'll need to
> do it some other way, should you desire this functionality.

I found -- to my surprise -- that it's possible to have multiple
search lines in /etc/resolv.conf. Thus, problem solved since now
I can just add the additional search line to
/etc/resolvconf/resolv.conf.d/tail

Now I wonder why dhclient-script transforms the domain-name to
a search line instead of setting the domain in /etc/resolv.conf, but
I guess there is a reason too...

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: distributing SSH keys in a cluster environment

2004-10-29 Thread martin f krafft
also sprach Craig Sanders <[EMAIL PROTECTED]> [2004.10.30.0015 +0200]:
> 3. when a machine is being built or rebuilt, install the correct
> ssh keys in /etc/ssh.  they can be fetched via password-protected
> http or https or ftp or even tftp, then decrypted and untarred.
> since they're encrypted you don't have to be completely paranoid
> about them - normal security precautions are adequate. 

Well, the decryption requires a password, so the installation is not
unattended anymore. Since we have a number of headless number
crunchers in the cluster, this is essential.

I am beginning to believe that I am looking for a solution where none
exists...

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: nscd: Was Re: long delays with LDAP nss/pam

2004-10-29 Thread martin f krafft
also sprach Wouter Verhelst <[EMAIL PROTECTED]> [2004.10.29.1508 +0200]:
> It assumes that all DNS servers use the same configuration format,
> or that all DNS servers in a given zone run the same software,
> which simply is an incorrect assumption.

It has suited me just fine. I am thankful that djbdns provides me
with a strong basis upon which I can converge. axfrdns additionally
offers zone transfers to AXFR servers, and scripts exist to convert
AXFR transfers to djbdns format.

If you've ever seen the djbdns config file format, you aren't going
back. Or are you going to argue that BIND zone files are intuitive,
not error-prone, and easy to manage?

> Using BIND9, nsupdate, and domain keys, you have an IXFR
> implementation that is complete, secure (at least as secure as
> BIND itself and the key you're using), and that works:

My last status was that the encryption used was not much better than
MIME64. I may well be wrong.

> Yes, obviously this requires you to do some configuration first.
> So what?

Well, I have better things to do.

No, I don't want a flame war, so please don't reply. You use BIND,
I used djbdns, makes two happy people.

In any case, please don't advocate to run BIND to everyone. Too much
can go wrong.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: distributing SSH keys in a cluster environment

2004-10-29 Thread martin f krafft
also sprach Mark Bucciarelli <[EMAIL PROTECTED]> [2004.10.29.1920 +0200]:
> what about some kind of cheap usb storage for each machine?

Then I could just take the USB stick, put it onto my laptop, and
subvert the NFS home directories.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: distributing SSH keys in a cluster environment

2004-10-29 Thread martin f krafft
also sprach Arnt Karlsen <[EMAIL PROTECTED]> [2004.10.29.2054 +0200]:
> ..have each node scp those keys and whatever else you want from 
> the boot server, say from each node's /etc/rc.local.  _Combine_ some
> node hardware based ID schemes, say nics mac addresses, cpuid, etc.

How do you suggest to combine a hardware based ID scheme with SSH?
Also, which hardware ID should be used, so that it's not forgeable?

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




distributing SSH keys in a cluster environment

2004-10-29 Thread Martin F Krafft
Dear wizards,

[I assume cluster stuff to be better here than -user. Please tell me
if you think otherwise]

We have just converted our 40 node cluster to FAI and now it's
running shiny sarge at the press of the on button. Thanks to Thomas
Lange for a really incredible solution (FAI), and Mark Burgess for
cfengine2!

As far as I can tell, there remains one problem: we use SSH
hostbased authentication between the nodes, and while I finally got
that to work, every machine gets a new host key on every
reinstallation, requiring the global database to be updated. Of
course, ssh-keyscan makes that easy, but people *will* forget to
call it, and I refuse to automate the process because there is
almost no intrusion detection going on, so that it would be trivial
to get access to the cluster with a laptop. As it stands,
I kept the attack vector small with respect to the data stored on
the cluster, physical security is good, and the whole thing is
behind a fascist firewall anyway.

So what can I do about these SSH keys?

The nodes have a /scratch partition, which is local, but it's
/scratch and thus already by name not suited for permanent storage
of something like the SSH keys.

I could put the keys on NFS, but then they float around the network
for everyone to sniff.

I was thinking of using SSH during the installation to get the right
key from the server, but in order for that to work in the unattended
fashion we require, I must somehow get an SSH privkey to the nodes,
and the same problem reappears in blue.

Using HTTPS, WebDAV, or any other of the securable problems reduces
the challenge to IP/Mac-based authentication, which is easy to
subvert.

So these are the four possible ways I can think of, and not a single
one is satisfactory.

What would you do? What have you done in a similar situation?

-- 
Martin F. Krafft               Artificial Intelligence Laboratory
Ph.D. Student                  Department of Information Technology
Email: [EMAIL PROTECTED]       University of Zurich
Tel: +41.(0)44.63-54323        Andreasstrasse 15, Office 2.18
http://ailab.ch/people/krafft  CH-8050 Zurich, Switzerland
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Spamtraps: [EMAIL PROTECTED] [EMAIL PROTECTED]
 
"the vast majority of our imports come from outside the country."  
  - george w. bush 


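
As an added example that is not from the thread: the objection above to automating ssh-keyscan is that a blind update would accept whatever key a spoofed node presents. What can be automated without that problem is the comparison: scan, diff against the recorded keys, append only hosts never seen before, and stop on any key that changed. Assumed here: plain "host keytype key" lines as ssh-keyscan prints them in both files (hashed or @cert-authority known_hosts entries are not handled), a node list file for ssh-keyscan -f, and the global /etc/ssh/ssh_known_hosts that hostbased authentication consults.

```shell
#!/bin/sh
# Added example, not from the thread. Compare freshly scanned host keys with
# the recorded ones; only hosts never seen before are added, a changed key
# stops the run. Assumed: "host keytype key" lines as ssh-keyscan prints them
# in both files; hashed or @cert-authority entries are not handled.
KEYTYPES=${KEYTYPES:-rsa}

# Print "NEW|CHANGED|SAME host keytype" for each entry in $2, judged against $1.
diff_hostkeys() {
    awk '
        # First file: remember the key per host+type. Entries may carry
        # several comma-separated names; the first is what ssh-keyscan prints.
        FNR == NR { split($1, h, ","); seen[h[1] " " $2] = $3; next }
        /^#/ || NF < 3 { next }           # ssh-keyscan comment lines
        {
            id = $1 " " $2
            if (!(id in seen))       print "NEW " id
            else if (seen[id] != $3) print "CHANGED " id
            else                     print "SAME " id
        }' "$1" "$2"
}

# The only step that touches the network: node list in $1, scan result to $2.
# The real known_hosts file is never written here.
scan_nodes() {
    ssh-keyscan -t "$KEYTYPES" -f "$1" > "$2" 2>/dev/null
}

# Append NEW hosts from scan $2 to known_hosts $1. Any CHANGED host aborts
# with status 1 and is printed on stderr for a human: a reinstalled node and
# a laptop squatting on its IP address look identical at this point.
update_known_hosts() {
    changed=$(diff_hostkeys "$1" "$2" | grep '^CHANGED' || true)
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed" >&2
        return 1
    fi
    diff_hostkeys "$1" "$2" |
        awk 'FNR == NR { if ($1 == "NEW") want[$2 " " $3] = 1; next }
             ($1 " " $2) in want' - "$2" >> "$1"
}
```

Every FAI reinstall will show up as CHANGED and stop the run, which is the intended behaviour: the script cannot tell a reinstall from an impostor, so that decision stays with a person (who can compare the fingerprint on the console), while the routine case of a brand-new node is handled unattended.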


Re: nscd: Was Re: long delays with LDAP nss/pam

2004-10-29 Thread martin f krafft
also sprach Wouter Verhelst <[EMAIL PROTECTED]> [2004.10.29.1112 +0200]:
> How is djbdns good? In that it doesn't correctly implement the
> RFCs on some crucial parts of the DNS protocol?
> 
> (hint: search for 'AXFR' or 'IXFR', and see what mr. Bernstein has
> to say about that. No, rsync is /not/ a suitable protocol to
> synchronise DNS configuration!)

Neither AXFR nor IXFR are crucial, and instead of your proof by
assertion, would you care to tell me why rsync is not suitable? It
works far better here. Anyway, with the confidence that boldly jumps
out of your post, I am sure you know about axfrdns, which is part of
djbdns. That provides AXFR but not IXFR. I have yet to see an
implementation of IXFR that works. If you now say BIND, I am just
going to laugh at you.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




Re: additional dns search spaces

2004-10-29 Thread martin f krafft
also sprach Wouter Verhelst <[EMAIL PROTECTED]> [2004.10.29.1126 +0200]:
> Most DHCP clients allow you to override configuration sent by the DHCP
> server. I am using this on my home LAN server in /etc/dhclient.conf:
> 
> supersede domain-name "grep.be debian.org";
> prepend domain-name-servers 127.0.0.1;

Would you please read what I wrote? This does not work simply
because that's the domain name, and the domain name is a single
item. I specifically noted that prepend or supersede are not
options. Thin clients will not properly work when their $(hostname
--fqdn) outputs "node10.cluster.ailab.ch ailab.ch ifi.unizh.ch" as
that is not a FQDN.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!




additional dns search spaces

2004-10-29 Thread martin f krafft
In /etc/resolv.conf, the search parameter can take multiple values.
However, when using DHCP, this field is populated by 'option
domain-name', which lists the domain name only, and must not do
anything else, or headless clients won't work anymore. The same
happens with changing domain-name in /etc/dhcp3/dhclient.conf.

My question is how to add additional domain names to search when
using dhcp in the smartest possible way.

We are using resolvconf if it matters.

Thanks,


Re: nscd: Was Re: long delays with LDAP nss/pam

2004-10-28 Thread martin f krafft
also sprach Darrel O'Pry <[EMAIL PROTECTED]> [2004.10.29.0133 +0200]:
> I've even been able to offload dns management for my colo clients
> through VegaDNS. 

Unfortunately, it's PHP and thus not an option for anyone with a tad
bit of a security concern.


Re: CBQ

2004-10-28 Thread martin f krafft
also sprach Alexandre <[EMAIL PROTECTED]> [2004.10.25.1553 +0200]:
> Como posso configurar o CBQ no Debian?

This list is in English.

The best resource for CBQ and others is http://lartc.org/. It's the
same across all Linux distributions. Debian does not have any
special provisions for traffic shaping.


Re: nscd: Was Re: long delays with LDAP nss/pam

2004-10-28 Thread martin f krafft
also sprach Russell Coker <[EMAIL PROTECTED]> [2004.10.28.1520 +0200]:
> Run named on localhost.

What extraordinarily bad advice, IMHO. BIND is too much of a piece
of crap.

I really suggest djbdns. I know, it's nonfree. But it's damn good.


ACLs and NFS

2004-10-28 Thread martin f krafft
I noticed -- with pleasure -- that the Debian NFS kernel server
enforces ACLs, but I guess this is a feature to be expected from
providing filesystem access at the kernel level.

What I miss, however, is the ability for NFS clients to view and
manipulate the ACLs. I tried the patches over at
http://acl.bestbits.at, but they do not apply to recent kernels.

Do any of you support ACLs over NFS? How?

Thanks,


Re: long delays with LDAP nss/pam

2004-10-27 Thread martin f krafft
also sprach Theodore Knab <[EMAIL PROTECTED]> [2004.10.27.2100 +0200]:
> Be careful with indexing and slapindex.

Thanks for the heads-up!

I will make sure that slapindex gets enough intelligence so that it
will refuse to index a running database.


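A slapindex wrapper as an added example (not code from the thread and not part of OpenLDAP's own tooling): it implements the stop, slapindex, restart cycle recommended in the thread together with the check described above, refusing to reindex while slapd is still running, by testing the pid recorded in slapd's pidfile. The paths /var/run/slapd/slapd.pid, /usr/sbin/slapindex and /etc/init.d/slapd are assumed Debian defaults and can be overridden through the environment.

```sh
#!/bin/sh
# Added example: a slapindex wrapper that refuses to touch a live database.
# The thread warns against running slapindex while slapd still has the
# database open, so the wrapper checks slapd's pidfile before doing anything.
# All paths below are assumed Debian-style defaults, overridable via env.

SLAPD_PIDFILE="${SLAPD_PIDFILE:-/var/run/slapd/slapd.pid}"
SLAPINDEX="${SLAPINDEX:-/usr/sbin/slapindex}"
SLAPD_INIT="${SLAPD_INIT:-/etc/init.d/slapd}"

# slapd_running PIDFILE
#   Returns 0 if PIDFILE names a process that is still alive, 1 otherwise.
#   A missing, empty or stale pidfile (process already gone) counts as
#   "not running", so a crashed slapd does not block reindexing forever.
slapd_running() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(sed -n '1s/^[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$pidfile")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# safe_slapindex PIDFILE [slapindex arguments...]
#   Runs slapindex only when slapd is down; returns 2 if it refused.
safe_slapindex() {
    pidfile="$1"
    shift
    if slapd_running "$pidfile"; then
        echo "slapindex refused: slapd is still running (pidfile $pidfile)" >&2
        return 2
    fi
    "$SLAPINDEX" "$@"
}

# reindex_cycle [slapindex arguments...]
#   The procedure from the thread: stop the directory, reindex, restart.
#   slapd is restarted even when slapindex fails or refuses, so the
#   directory is never left down by a failed reindex.
reindex_cycle() {
    "$SLAPD_INIT" stop || return 1
    safe_slapindex "$SLAPD_PIDFILE" "$@" && status=0 || status=$?
    "$SLAPD_INIT" start || return 1
    return $status
}
```
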
Re: long delays with LDAP nss/pam

2004-10-27 Thread martin f krafft
also sprach charlie derr <[EMAIL PROTECTED]> [2004.10.27.1519 +0200]:
> index default eq
[...]
> index objectClass eq
^^
that's the default anyway.

Thanks for your tips. It's starting to make sense.

> and (depending on your version of openldap) don't forget to stop the 
> directory, run slapindex and then restart after any changes you may make 
> to your index options

Oh, I did not know about slapindex. I will try this when I return to
the cluster tomorrow.


Re: nscd: Was Re: long delays with LDAP nss/pam

2004-10-27 Thread martin f krafft
also sprach Donovan Baarda <[EMAIL PROTECTED]> [2004.10.27.1007 +0200]:
> Is there any reason why nscd should not be installed on a system?

It's often a pain to use if you make frequent changes? It's got
a weird caching policy that I can't seem to control the way
I interpret it?


Re: long delays with LDAP nss/pam

2004-10-27 Thread martin f krafft
also sprach Donovan Baarda <[EMAIL PROTECTED]> [2004.10.27.0955 +0200]:
> nscd stopped running? 

No, I think I verified that in all cases.

> Either that or your LDAP Indexes need tweaking.

Does anyone have a good set I could use as a basis? I am completely
new to LDAP...


long delays with LDAP nss/pam

2004-10-27 Thread martin f krafft
We run a big cluster, managed by FAI, using LDAP and NFS to provide
users with homogeneous environments across all nodes. All machines
run sarge, and slapd is tunnelled via SSL for security purposes.
Read-only access to the passwd/group directory is anonymous. All
nodes are running nscd.

While this worked beautifully last week, I returned this week to
find everything taking ages. ls /home takes about 3 seconds before
listing the directories (libnss apparently takes so long to map
uid->login), even when there are only 10 directories at the moment
(the cluster is still in beta). Furthermore, logging in takes
between 2 and 10 seconds.

If I tune in to the slapd debug output, I can see it working big
time and accessing millions of keys. This was not the case last
week, or slapd was about 100 times faster then. The only change
I can remember was adding a new group and placing a bunch of people
in there. This should not have the aforementioned effect really.

Has anyone experienced the above before? What could be the reason?
How can I fix this?

Would this post have been better over at -user?

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!


Re: Debian file server to WinXP clients

2004-10-26 Thread martin f krafft
also sprach Chris G. <[EMAIL PROTECTED]> [2004.10.27.0226 +0200]:
> Tried the windows server but had major fragmentation problems and
> a hard time keeping up with the problem.  Switched to linux but
> Samba's performance seems to be sub par. (Maybe 5-10 meg/sec
> transfer rate)

That's a configuration problem. Samba is not fast enough to saturate
a 1000Mbps link, but more than 10meg/sec is doable.

> I know a lot of this may depend on the file system and hardware
> being used but what networked file systems have returned good
> throughput on multi OS networks?

There is only CIFS (Samba) if you use WinXP. NFS does not work
reliably.


Re: ACL inheritance, group supervisors, rwX access

2004-10-26 Thread martin f krafft
also sprach Marc Schiffbauer <[EMAIL PROTECTED]> [2004.10.27.0037 +0200]:
> That would indeed be a nice feature. How can I drop users' CAPs on
> login?

Are there such things as user capabilities without SELinux or
GrSecurity or RSBAC?


Re: yahoo problems please help

2004-10-26 Thread martin f krafft
also sprach [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2004.10.26.2230 +0200]:
> why  doi freeze up  when on yahoo messenger and voice chat

because they suck?

try another software.
and please use another list.


Re: ACL inheritance, group supervisors, rwX access

2004-10-26 Thread martin f krafft
also sprach Marc Schiffbauer <[EMAIL PROTECTED]> [2004.10.26.2233 +0200]:
> Uups. Mea culpa. But I think this will not make it better in your
> case. If someone creates a file he can do whatever he wants with
> that file including removing your supervisor from the file's ACL.

The merit is arguable, but I think it would be a good feature to be
able to prevent a user from changing ACLs/permission bits on files.
Like a capability I could drop with PAM on login...

> > Ha! And I'll use CIFS instead of NTFS in a Linux-only cluster. Yeah
> > right.
> 
> sorry for trying to help...

I appreciate it. My comment was, of course, in no way personal.


Re: ACL inheritance, group supervisors, rwX access

2004-10-26 Thread martin f krafft
also sprach Marc Schiffbauer <[EMAIL PROTECTED]> [2004.10.26.1944 +0200]:
> AFAIK what you want to do is not possible because Samba does not
> support NT ACLs yet. With NT ACLs you could say "Students are not
> allowed to change ACLs" and you were done.

Uh, there is no samba. This is all Linux and NFS.

> IIRC samba4 will support NT ACLs. Then this will not be a problem
> anymore...

Ha! And I'll use CIFS instead of NTFS in a Linux-only cluster. Yeah
right.


Re: fetchmail errors ..

2004-10-26 Thread martin f krafft
also sprach johon Doe <[EMAIL PROTECTED]> [2004.10.26.1614 +0200]:
> Hi, I have some problems with fetchmail. I fetch mail
> from different mail servers and everything seems to work
> well; here is a piece of fetchmail's log:

This is hardly a question for debian-isp. Please go to debian-user
in the future!

> fetchmail: SMTP> MAIL FROM:<[EMAIL PROTECTED]>
> SIZE=49281
> fetchmail: SMTP< 250 Ok
> fetchmail: SMTP> RCPT TO:<[EMAIL PROTECTED]>
> fetchmail: SMTP< 250 Ok
> fetchmail: SMTP> DATA
> fetchmail: SMTP< 354 End data with .
> #*fetchmail: SMTP>. (EOM)
> fetchmail: SMTP< 250 Ok: queued as 7490AC80
> flushed
> fetchmail: POP3> DELE 1
> fetchmail: POP3<
> fetchmail: POP3> QUIT
> fetchmail: POP3< --=_NextPart_000_54183524
> fetchmail: client/server protocol error while fetching
> from mail1.isp.it

MDaemon (the mail server) is thoroughly broken. Get a better one.

This is not a fetchmail problem but one related to MDaemon. If you
can, somehow delete the messages on the server.

> Anyway, how can I solve this?

Go to a different provider. Or use IMAP?

> P.S. If I download the mails with sylpheed, everything goes well.

So sylpheed is more tolerant of MDaemon's errors.


ACL inheritance, group supervisors, rwX access

2004-10-26 Thread martin f krafft
If you are good with POSIX ACLs, I would appreciate it if you could
take a look at

  http://people.debian.org/%7Eterpstra/message/20041026.105727.f688af8f.en.html

Post your comments here, if you wish, I shall funnel the solution
and important points over to the other list... (unless you tell me
not to).


Re: Can we build a proper email cluster? (was: Re: Why is debian.org email so unreliable?)

2004-10-17 Thread martin f krafft
also sprach martin f krafft <[EMAIL PROTECTED]> [2004.10.17.1626 +0200]:
> I volunteer to join the postmaster team and help out.

Though my experience is really 98% postfix, 1.5% qmail, 0.4%
MDaemon, and 0.1% Exchange. So absolutely no exim in there. I've had
my fair share with single setuid binaries. :)


Re: Can we build a proper email cluster? (was: Re: Why is debian.org email so unreliable?)

2004-10-17 Thread martin f krafft
also sprach Russell Coker <[EMAIL PROTECTED]> [2004.10.17.1622 +0200]:
> Are you going to be involved in doing the work?

I volunteer to join the postmaster team and help out.


Re: Advice for an IP accounting program

2004-10-15 Thread martin f krafft
also sprach Alex Borges <[EMAIL PROTECTED]> [2004.10.15.1742 +0200]:
> The best I've seen was not in Debian when I checked. It's an ipacc
> but patched to lazily report to a MySQL database. This way the
> measurement doesn't take a lot of resources in a really demanding
> environment.

Yeah, except for the resources eaten by MySQL, which has no place in
a "really demanding environment", IMHO. Not wanting to start
a religious war... it is my opinion when I suggest using a proper
database server instead.


Re: Advice for an IP accounting program

2004-10-15 Thread martin f krafft
also sprach Francesco P. Lovergine <[EMAIL PROTECTED]> [2004.10.15.1702 +0200]:
> The main purpose is to periodically identify boxes on an internal private
> network which cause very high traffic, due to worms, viruses and so on.
> A per-IP simple report a la mrtg could be nice.

apt-cache search ip accounting


Re: Can we build a proper email cluster? (was: Re: Why is debian.org email so unreliable?)

2004-10-15 Thread martin f krafft
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2004.10.15.1512 +0200]:
> And it better be live, or it gets way easier for it to fall
> out-of-sync with what was done to the primary machine.

That's a policy issue.


Re: Can we build a proper email cluster? (was: Re: Why is debian.org email so unreliable?)

2004-10-15 Thread martin f krafft
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2004.10.15.1455 +0200]:
> In other words, your point is not that two MX are not more
> "resilient to failure", but rather that the work of administrating
> them is not worth the gain in resilience?

This is frequently a problem people do not (like to) see.


Re: Can we build a proper email cluster? (was: Re: Why is debian.org email so unreliable?)

2004-10-15 Thread martin f krafft
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2004.10.15.1448 +0200]:
> Just to make it clear, I am advocating two *good* machines.

ENOSUCHTHING wrt it not failing.

> > Which is another good reason for not having such redundant
> > servers.
> 
> Now, that is a bit too far.  The correct answer is to monitor the
> damn things.  And any sort of monitoring that would not catch
> a problem is not good enough.  A good enough reactive (as opposed
> to predictive) monitoring for email is rather easy to do (just
> send one directly to the MX, and freak if it does not send it back
> to you in a given time window).  

While I understand Russell's concerns, I think that we should have
a second machine to be able to swap in. If the primary ever goes
down, then the secondary must be able to take over, or else we will
have problems with the project. We cannot assume that the MX admin
will be able to fix the problem ASAP.

About backup MX... well, we can put them elsewhere. I run a couple of
reliable MXs and could also serve as backup for Debian.


Re: Can we build a proper email cluster? (was: Re: Why is debian.org email so unreliable?)

2004-10-14 Thread martin f krafft
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2004.10.12.2329 +0200]:
> We have a lot of resources, why can't we invest some of them into
> a small three or four machine cluster to handle all debian email
> (MLs included), and tune the entire thing from the ground up just
> for that? And use it *only* for that?

I agree. And I would offer my time to assist. I do have quite some
experience with mail administration.

> and tune it for spool work (IMHO a properly tuned ext3 would be
> best, as XFS has data integrity issues on crashes even if it is
> faster (and maybe the not-even-data=ordered XFS way of life IS the
> reason it is so fast). I don't know about ReiserFS 3, and ReiserFS
> 4 is too new to trust IMHO).

This does not belong here, but you misunderstand XFS. It does not
have data integrity issues on crashes; all other JFS's do. XFS takes
a somewhat rigorous approach, but it makes perfect sense. When there
is a crash, journaling filesystems primarily ensure the consistency
of the meta data. XFS does so perfectly. The problems you raise
relate to the infamous zeroing of files, I assume. Well, no
performant filesystem can ensure the consistency of the file
content, and rather than trying heuristically to reconnect sectors
with inodes after a crash, XFS zeroes all the data over which it is
unsure. I think this is important, or else you may one day find
/etc/passwd connected to the /etc/login.defs inode.

I say performant filesystems in the above because I do not see
ext3/journal as a performant filesystem. Nevertheless, it is a very
mature filesystem (already!) and works well for a mail spool, though
I suggest synchronous writes (chattr +S). That said, I find any
filesystem that requires a recheck of its metadata every X mounts to
be fundamentally flawed -- did the authors assume it would
accumulate inconsistencies, or what is the real reason here?

That said, I am using XFS effectively, successfully, and happily on
all the mail spools I administer. For critical servers, I mount it
with 'wsync', which effectively makes sure that I never lose mail,
but which also brings about a 250% performance impact (based on some
rudimentary tests, and assuming the worst case). I can
suggest XFS confidently.

> The third is to not use LDAP for lookups, but rather cache them
> all in a local, exteremly fast DB (I hope we are already doing
> that!).  That alone could get us a big speed increase on address
> resolution and rewriting, depending on how the MTA is configured.

The way we do it here is to use a local LDAP server which syncs
with the external one. Using an external LDAP is definitely a no-go
because of the SSL and TCP overheads.

I have had much success with using PostgreSQL, both for direct use
and to dump postfix Berkeley DB files from its data at regular
intervals when the user data does not change every couple of
minutes. Berkeley DB is definitely the fastest, IME.

> Others in here are surely even better experienced than me in this
> area, and I am told exim can be *extremely* fast for mail HUBs.
> Why can't we work to have an email infrastructure that can do 40
> messages/s sustained?

postfix does this here on a Dual Itanium 2GHz with 2 Gb of RAM and
an XFS filesystem, 2.6.8.1 and Debian sarge. The mail spool is on
a software RAID 1, the machine also does Amavis/F-prot mail scanning
and it rarely ever breaks a sweat. At peaks, we measure about 40
mails/second.


Re: Can we build a proper email cluster? (was: Re: Why is debian.org email so unreliable?)

2004-10-14 Thread martin f krafft
also sprach Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [2004.10.14.1525 +0200]:
> Or we can do it in two, with capacity to spare AND no downtime.

I would definitely vote for two systems, but for high-availability,
not load-sharing. Unless we use a NAS or similar in the backend with
Maildirs to avoid locking problems. Then again, that's definitely
overkill...


Re: Networking Between eth0 & eth1

2004-10-14 Thread martin f krafft
also sprach Johnno <[EMAIL PROTECTED]> [2004.10.14.1034 +0200]:
> how do I get my local network to access the internet on eth0??

RTFM:

http://www.tldp.org/HOWTO/Ethernet-HOWTO.html
http://www.tldp.org/HOWTO/Home-Network-mini-HOWTO.html
http://www.tldp.org/HOWTO/Linux-Modem-Sharing/index.html
http://www.tldp.org/HOWTO/NET3-4-HOWTO.html
http://www.tldp.org/HOWTO/Networking-Overview-HOWTO.html


this thread moved (was: Can we build a proper email cluster?)

2004-10-13 Thread martin f krafft
Note: this thread was moved from debian-private to here. As soon as
I have the okay from all previous posters, I will make the other
posts available...


Re: Spamassassin only scanning mails for local users

2004-10-05 Thread martin f krafft
also sprach Marcel Hicking <[EMAIL PROTECTED]> [2004.10.05.1123 +0200]:
> What does "better" mean? Faster? More flexible? Easier to
> use/extend? Just curious.

Having talked to Sven Mueller about this, he said that "one reason
why I prefer spampd over amavisd-new is the better header tagging
spampd provides. Amavisd-new is still used, but only for virus
scanning."

I am not sure what he means, nor have I tried spampd. However, if
you do, I am sure many here would be interested to hear your
impressions.


Re: Spamassassin only scanning mails for local users

2004-10-05 Thread martin f krafft
also sprach Ben Vinger <[EMAIL PROTECTED]> [2004.10.05.1018 +0200]:
> How can I get a Postfix/Spamassassin server to also scan mails
> that it is relaying (transporting) to other mail servers?  At the
> moment it is only scanning mails for local users.

use amavisd-new or spampd. The latter seems to be better than
amavisd-new.


Re: Sendmail or Qmail ? ..

2003-09-07 Thread martin f krafft
also sprach Thomas Lamy <[EMAIL PROTECTED]> [2003.09.05.1414 +0200]:
> Complete ACK. I'm also willing to give support, as I use
> postfix+mysql+sasl at a couple of clients.

did you ever get sasl to work with mozilla clients in any but the
non-plaintext forms? i'd really appreciate help here!


Re: Sendmail or Qmail ? ..

2003-09-07 Thread martin f krafft
also sprach Nathan Eric Norman <[EMAIL PROTECTED]> [2003.09.05.2025 +0200]:
> News flash: the FHS specifies how distributions should (or should not)
> lay out filesystems.  The FHS does not prohibit end users from
> creating new root-level directories.

executables alongside configuration files in /var is just wrong. the
user does not have a choice.
that's the last thing i'll say about this.


Re: Sendmail or Qmail ? ..

2003-09-05 Thread martin f krafft
also sprach martin f krafft <[EMAIL PROTECTED]> [2003.09.05.0740 +0200]:
> This is illegal. And in any case, it's not official.

Correction, this is not illegal, but only if you install a package
that violates the FHS[1] big time. I don't see the merits in qmail
to account for this compromise.

  1. http://www.pathname.com/fhs


Re: Sendmail or Qmail ? ..

2003-09-04 Thread martin f krafft
also sprach W.D. McKinney <[EMAIL PROTECTED]> [2003.09.05.0448 +0200]:
> > - qmail isn't available as a binary package for Debian
> 
> Wrong. See http://smarden.org/pape/Debian/

This is illegal. And in any case, it's not official.

> > - qmail support includes being flamed by the author
> 
> Wrong. Ask a question and find out. Many helpful people who don't
> flame, but as they are highly experienced folks they expect one to
> think through the issue and post the needed info to reply with
> help.

I don't want to get into this, so I won't comment.


Re: Sendmail or Qmail ? ..

2003-09-04 Thread martin f krafft
also sprach Dale E Martin <[EMAIL PROTECTED]> [2003.09.05.0207 +0200]:
> I'd add:
> - exim has the most extensive and useful documentation
> 
> (But I'd love to be proven wrong!)

possible, although i do find the stuff on postfix.org adequate.
maybe not for MTA newbies but for people with experience it's all
you need.

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!


pgp0.pgp
Description: PGP signature


Re: Sendmail or Qmail ? ..

2003-09-04 Thread martin f krafft
also sprach Dale E Martin <[EMAIL PROTECTED]> [2003.09.04.1447 +0200]:
> Has it been covered before on this list?  I for one would be
> interested in elaboration, if there is something technically
> inferior about exim or postfix to qmail or sendmail?  Or
> politically, I suppose, since much of people's dislike about qmail
> has more to due with "political" than technical reasons.

random notes (these are facts and opinions, please don't flame me):

- sendmail and exim are both single setuid binaries. bad.
- postfix is the most performant of all four.
- qmail has an interesting but possibly confusing configuration paradigm
- postfix has the easiest configuration, IMHO.
- qmail has a good integration with one of the fastest mailing list
  servers, ezmlm.
- exim is very extensible.
- qmail does not come with anything but basic mail transfer stuff. if
  you want things like tls or sasl, you have to patch.
- qmail isn't available as a binary package for Debian.
- qmail support includes being flamed by the author
- postfix and exim support are available here, if only by me and
  dman respectively (note that you have to mention my name in a post
  if you want me to see it. i am writing my phd and am thus
  filtering messages to not be flooded)
- ralf hildebrandt uses postfix (he's the guru, next to wietse).

can't think of any more.

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!


pgp0.pgp
Description: PGP signature
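The list above flags sendmail and exim for being single setuid binaries. An added check, not code from the post or its author, that lets an admin see which setuid executables actually sit on a box and who owns them; the directories you pass (e.g. /usr/sbin /usr/lib on Debian) are assumptions, the functions work on any tree:

```shell
#!/bin/sh
# Added example, not from the list post: audit directory trees for
# setuid executables, the property the post objects to in sendmail/exim.
# Directory arguments are assumptions; on Debian you would typically
# pass /usr/sbin /usr/bin /usr/lib.

# Print every regular file under the given trees that has the setuid bit
# (-perm -4000), one per line, sorted. -xdev keeps find on one filesystem.
setuid_binaries() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Number of setuid files under the given trees (printed without padding).
count_setuid() {
    setuid_binaries "$@" | wc -l | tr -d ' '
}

# One line per setuid file: mode, owner, path. The owner matters because a
# setuid-root binary runs with full privilege for every local user who can
# invoke it, so each entry should be justified (an MTA's local-delivery
# agent often is; a rarely used helper usually is not).
report_setuid() {
    setuid_binaries "$@" | while IFS= read -r f; do
        ls -ld "$f" | awk -v p="$f" '{ print $1, $3, p }'
    done
}

# Stand-alone use: sh setuid_audit.sh /usr/sbin /usr/lib
if [ $# -gt 0 ]; then
    report_setuid "$@"
fi
```

Running it over the MTA's install directories before and after an upgrade shows whether the privilege footprint changed; a setuid bit that appears unexpectedly is worth a look in the package's changelog.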


Re: Courier MTA

2003-03-24 Thread martin f krafft
also sprach Andrew Miehs <[EMAIL PROTECTED]> [2003.03.24.1626 +0100]:
> Have had a look at this, but cyrus supports sasl2 and postfix sasl1.

so backport postfix from testing.

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Keyserver problems? http://keyserver.kjsl.com/~jharris/keyserver.html
Get my key here: http://madduck.net/me/gpg/publickey


pgpPj5abXuOzk.pgp
Description: PGP signature


Re: Courier MTA

2003-03-23 Thread martin f krafft
also sprach Andrew Miehs <[EMAIL PROTECTED]> [2003.03.23.2147 +0100]:
> Can I use it as a replacement for postfix, or am I better off sticking
> to postfix?

why would you want to replace postfix? it's an excellent MTA, and it
interacts with the other courier servers without any problems.

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Keyserver problems? http://keyserver.kjsl.com/~jharris/keyserver.html
Get my key here: http://madduck.net/me/gpg/publickey


pgpy9Jq7ITSaF.pgp
Description: PGP signature


Re: what is postNuke for?

2003-03-18 Thread martin f krafft
also sprach J.C. Diosdado <[EMAIL PROTECTED]> [2003.03.18.2256 +0100]:
> I have to develop a web site with web services like forums, ftp
> services, mail services, etc. Something like the web site
> http://groups.msn.com/
>  
> Is postNuke my tool to develop this?

i doubt it, but i am not sure.

> Where can I find information about its possibilities and
> functionalities? Is there any other option in Linux?

www.postnuke.org

other options would include Zope (this would be my choice) and
ezpublish.

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Keyserver problems? http://keyserver.kjsl.com/~jharris/keyserver.html
Get my key here: http://madduck.net/me/gpg/publickey


pgpx2x5CH0thf.pgp
Description: PGP signature


Re: easy lilo question

2003-03-16 Thread martin f krafft
also sprach Marco Kammerer <[EMAIL PROTECTED]> [2003.03.16.0231 +0100]:
> how can i get lilo again to work?

you need to configure your SCSI adapter's BIOS to claim 0x80 for
its first disk. This has nothing to do with lilo.

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Keyserver problems? http://keyserver.kjsl.com/~jharris/keyserver.html
Get my key here: http://people.debian.org/~madduck/gpg/330c4a75.asc


pgpqACELIY9Fe.pgp
Description: PGP signature


Re: DNS server

2003-03-14 Thread martin f krafft
also sprach Eduard Ballester <[EMAIL PROTECTED]> [2003.03.14.1717 +0100]:
> BIND 9.2.x  of course,

ugh.

> * DNS Security
> DNSSEC (signed zones)
> TSIG (signed DNS requests)

TSIG: there may well be patches to djbdns. However, for internal
clients, IPsec is really the way to go.

> One server process can provide multiple "views" of the DNS
> namespace, e.g. an "inside" view to certain clients, and an
> "outside" view to others.

djbdns can do that.

nevertheless, this is not a feature but a hack. if you need two DNS
servers for internal and external hosts, run them separately. there
is no reason to make them share a process!

> You can configure it in a chroot jail
>   http://www.linuxsecurity.com/docs/LDP/Chroot-BIND-HOWTO.html

http://www.bpfh.net/simes/computing/chroot-break.html

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Keyserver problems? http://keyserver.kjsl.com/~jharris/keyserver.html
Get my key here: http://people.debian.org/~madduck/gpg/330c4a75.asc


pgp6mfV5cZZgN.pgp
Description: PGP signature


Re: DNS server

2003-03-14 Thread martin f krafft
also sprach martin f krafft <[EMAIL PROTECTED]> [2003.03.14.1805 +0100]:
> > o support for DNSSec
> 
> i am sure there are patches out there.

wait, djbdns doesn't need DNSSEC at all. it doesn't suffer from
AXFR/IXFR problems like BIND.

seriously, djbdns is nice. you should try it.

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Keyserver problems? http://keyserver.kjsl.com/~jharris/keyserver.html
Get my key here: http://people.debian.org/~madduck/gpg/330c4a75.asc


pgpe34mvb21vh.pgp
Description: PGP signature

