Re: Per-user receive rate controls
Michael Fair wrote: If you do it any later then the initial attempt to send mail into the users inbox you have not gained anything as the mail has already gone through the pipeline. This is exactly right in a sense... but it's OK to _catch_ it later in the pipeline, and then as soon as some 'probable abuse' threshold is hit, add the user name to the check_client_access table. This can then be used to restrict RCPT TO. ... you will want to hack the Postfix daemon to check/update a counter and timestamp associated to the email address each time it receives the SMTP RCPT TO command. This integration would actually be really useful for stopping delivery for over quota users as well. Well, since I posted my plea for help, I've had a few beers with our webmaster and we've come up with a compromise which is lower resource usage but stops the worst of the abuse. Basically, the plan is to run a cron job (or daemon that sleeps for a few minutes after each loop) that checks for which accounts have been updated since last run (a quick hack is to look at the last update time of the directories in the imap message folder, although I'm sure others can suggest better ways), and do an IMAP STATUS on each to check for new messages, storing the result in a table and checking the delta against the last run to see whether the number of new messages is over a reasonble-use-threshold. We'd run this with a low 'nice' priority to ensure that it doesn't get lost if a mound of spam is arriving. Otherwise, I would either pass it off as anomolous hardly worth the resources and engineering efforts to defend against, and then wait to see if this practice actually became a larger nuisance than a one time event. Michael--many thanks for the thoughtful response. Interesting to hear that this behaviour is anomolous in your experience--we've only recently started publicising our system after 2 years beta testing with a hand-selected group, so we don't really know what level of abuse to expect now that we're out in the big wide world. I'm going to at least put in place the basic response outlined above--even if it is not really necessary; our users were subjected to a few hours of very patchy response from our server, so the least I can do is to show that they shouldn't have to put up with this again... For good measure, now that his account has been blocked I would send him an email threatening with abuse of resources and a more stringent quota as a result and request a response informing me of the correction within 72 hours. Check the logs every so often to see if the end user logs in to receive the warning and if not, nuke the account. Since the case tends to be that once you are on the spam list, you aren't getting off of it, there will most likely be nothing the end user can do about it and therefore have their account nuked for abuse anyway. Yeah, I've already sent him a message to his alternate account, but I didn't directly threaten him but rather offered help in case he's just been an unlucky target (I don't want to offend someone and just end up on the end of a DOS attack). But now that I've built a little Perl script to scan the received email headers I see that they were sent to over 500 yahoogroups mailing lists, with names like '[EMAIL PROTECTED]' and '[EMAIL PROTECTED]'... It makes me wonder if this guy was actually maintaining these lists as a way to get cheap mass mailings, and subscribed himself through his account on my system as a way of checking that they were all running smoothly. I've sent this list to abuse@yahoogroups which hopefully they'll find handy... Heh--our TC has a clause saying that damages for SPAM are assumed to be $5 per message, so we could make a good profit from this ;-) I think I've got better things to do than to get involved in this nasty business though...
pop3d auth
Pretty strange -- I have tuned pam_mysql to be case insensitive for usernames. If I telnet to imap port and do . login UsEr password it logs me in. If I do the same with pop3 (user UsEr pass password) according to log it says user UsEr logged in, however the response is -- ERR Invalid login ? Nick
Re: Cyrus IMAPD + OpenLDAP + PAM
I think this is the good old sasl problem. DROP PAM. Goto cyrus-utils.sf.net/faq and read the bit on death by 11 Tarjei Robinson Maureira Castillo wrote: Hi all, I know this has been posted before, but I still can't get this to work, I get the following error when trying to use cyradm: [root@ws01 RPMS]# cyradm -u rmaureira localhost Please enter your password: IMAP Password: at /usr/lib/perl5/site_perl/5.6.0/i386-linux/Cyrus/IMAP/Admin.pm line 78 cyradm: cannot authenticate to server with as rmaureira /dev/console shows: Oct 2 13:50:54 ws01 master[21339]: about to exec /usr/cyrus/bin/imapd Oct 2 13:50:54 ws01 service-/usr/cyrus/bin/imapd[21339]: executed Oct 2 13:50:54 ws01 imapd[21339]: accepted connection Oct 2 13:50:56 ws01 imapd[21339]: badlogin: localhost.localdomain[127.0.0.1] PLAIN no mechanism available Oct 2 13:51:00 ws01 slapd[18073]: daemon: conn=4 fd=7 connection from IP=127.0.0.1:35444 (IP=0.0.0.0:389) accepted. Oct 2 13:51:00 ws01 slapd[18073]: conn=4 op=0 BIND dn= method=128 Oct 2 13:51:00 ws01 slapd[18073]: conn=4 op=0 RESULT tag=97 err=0 text= Oct 2 13:51:00 ws01 slapd[18073]: conn=4 op=1 SRCH base=dc=dominio,dc=com scope=2 filter=(uid=rmaureira) Oct 2 13:51:00 ws01 slapd[18073]: conn=4 op=1 SEARCH RESULT tag=101 err=0 text= Oct 2 13:51:00 ws01 slapd[18073]: conn=4 op=2 BIND dn=CN=RMAUREIRA,DC=DOMINIO,DC=COM method=128 Oct 2 13:51:00 ws01 slapd[18073]: conn=4 op=2 RESULT tag=97 err=0 text= Oct 2 13:51:00 ws01 slapd[18073]: conn=4 op=3 BIND dn= method=128 Oct 2 13:51:00 ws01 slapd[18073]: conn=4 op=3 RESULT tag=97 err=0 text= Oct 2 13:51:00 ws01 slapd[18073]: conn=4 op=4 UNBIND Oct 2 13:51:00 ws01 slapd[18073]: conn=-1 fd=7 closed Oct 2 13:51:00 ws01 master[21307]: process 21339 exited, signaled to death by 11 As you can see, my ldap server has the information for rmaureira. Any clues? Here is my configuration: Installed packages (all from the standard RH7.1 distro): openssl-devel-0.9.6-3 openssl-0.9.6-3 openldap-2.0.7-14 openldap-servers-2.0.7-14 openldap-clients-2.0.7-14 openldap-devel-2.0.7-14 cyrus-sasl-devel-1.5.24-17 cyrus-imapd-2.0.9-3 cyrus-sasl-1.5.24-17 my /etc/imapd.conf -- configdirectory: /var/imap partition-default: /var/spool/imap admins: rmaureira allowanonymouslogin: no sasl_pwcheck_method: pam -- my /usr/lib/sasl/Cyrus.conf -- pwcheck_method:pam -- my /etc/pam.d/imap -- #%PAM-1.0 authsufficient /lib/security/pam_ldap.so account sufficient /lib/security/pam_ldap.so passwordrequired/lib/security/pam_ldap.so debug session required/lib/security/pam_deny.so -- Best Regards -- Robinson Maureira Castillo Asesor DAI INACAP
Re: pop3d auth
Pretty strange -- I have tuned pam_mysql to be case insensitive for usernames. If I telnet to imap port and do . login UsEr password it logs me in. If I do the same with pop3 (user UsEr pass password) according to log it says user UsEr logged in, however the response is -- ERR Invalid login Just to check--are you sure that pop3 is working OK when you test matching case?
Re: Per-user receive rate controls
Ralf Hildebrandt wrote: On Wed, Oct 03, 2001 at 01:15:23PM +1000, Jeremy Howard wrote: What I'd like to do is avoid this happening in the future. I've manually added this address with REJECT to check_client_access for now. Now what I'd You mean check_recipient_access? Yes I do--sorry. Something like pop-before-smtp.pl will do the trick: It will tail the maillog and then you can build an in memory database (a queue) that stores recipients, number of mails they recieved and timestamps. Nice--I'll do this, at least until I get around to hooking into the delivery process directly. However my logging is currently set in syslog to be only 'notice' or above. If I change it back to * I get much more logging than I want. Is it possible to just log the lines that say: postfix/smtp[10332]: CDA86E382: to=[EMAIL PROTECTED], relay=domain.com[0.0.0.0], delay=5, status=sent (250 TAA10932 Message accepted for delivery) This would be just enough to know how many messages were being sent out. I know how to add _more_ logging with -v, and change the _overall_ logging amount with syslog.conf, but I haven't found any info on finer-grain log control...
cyradm error
Hi friends, I am running cyrus-imapd-2.0.16 along with postfix under Red Hat Linux 7.1. Who can help to decide this problem me ? # cyradm -u cyrus localhost Can't locate Cyrus/IMAP/Shell.pm in @INC (@INC contains: /usr/lib/perl5/5.6.0/i386-linux /usr/lib/perl5/5.6.0 /usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl .). BEGIN failed--compilation aborted. Anderson Ferreira Analista de Suporte APPI Informática LTDA. Av. Atáufo de Paiva nº 135/1410 Leblon - Rio de janeiro Tel - 55 21 2529-5600 Fax - 55 21 2511-0785
New server
Good morning folks! I want to draw on your collective experience on cyrus servers hardware. I currently have a Sun Ultra 10 with a 400Mhz processor and half gig of ram. An average of 150+ concurrent users is pegging my CPU at high 90's between kernel use and user. If I break it down it is the heavy IMAP traffic. So I need to spec out a new ideal server. I am thinking 2 processor and a full gig of ram. However I want to plan on 400+ concurrency just to have some elbow room. This is a school so we get a a lot of surprise email traffic. Any suggestions? I really appreciate you taking the time to help me with this! -Kiarna
Re: cyradm error
Anderson: The problem you reports is one of the many (I do not remember exactly which of them) integration problems that are fixed by the building process of the RPM packages mantained by the people of Red Hat. Additionally I'm maintaing an indepentend set of rpm packages of Cyrus for Red Hat Linux = 6.2. Perhaps you can opt for try installing one of these rpms or at least try to mimic the building process of one of these packages (and changing the switches you pass to ./configure if you wish to adapt it to your environment) The source rpm package of Red Hat contains Cyrus version 2.0.9 and you can find it in the Powertools CD of Red Hat 7.1 or in the Powertools section of Rawhide (the WIP to RHL 7.1). BTW It's strange they have not updated it for serveral months now. The source rpm for the package set I maintain can be downloadeed from: http://rmrpms.tripod.com/cyrus-imapd/ And are of version 2.0.16 (relase of the packages is 1 and release 2 with several bugfixes is due in a couple of days). Good luck! Anderson [EMAIL PROTECTED] wrote: Hi friends, I am running cyrus-imapd-2.0.16 along with postfix under Red Hat Linux 7.1. Who can help to decide this problem me ? # cyradm -u cyrus localhost Can't locate Cyrus/IMAP/Shell.pm in @INC (@INC contains: /usr/lib/perl5/5.6.0/i386-linux /usr/lib/perl5/5.6.0 /usr/lib/perl5/site_perl/5.6.0/i386-linux /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl .). BEGIN failed--compilation aborted. Anderson Ferreira Analista de Suporte APPI Informática LTDA. Av. Atáufo de Paiva nº 135/1410 Leblon - Rio de janeiro Tel - 55 21 2529-5600 Fax - 55 21 2511-0785 Get free e-mail and a permanent address at http://www.amexmail.com/?A=1
Re: sieve parse error, expecting `$'
Frank Richter wrote: Hi, using 2.0.16 I see sporadic Sieve errors: Oct 2 07:20:56 pat lmtpd[21021]: sieve parse error for rink: line 3: address '[EMAIL PROTECTED]': parse error, expecting `$' The Sieve filter is very simple: - # PHP-Sieve 1.1: forward redirect [EMAIL PROTECTED]; - The result of this error: Mail is deliverd to users INBOX, not redirected. Other deliveries for this user work (are redirected). Any ideas? Where to debug? No. Sounds like the lexer is freaking out, because a '$' should never be expected in an address as far as I can remember (its been a while since I read RFC[2]822 and wrote the grammar). Do you always see this problem with the same address? Does this script always fail? What happens if you check the syntax of the script by running it through sieve/test? Ken -- Kenneth Murchison Oceana Matrix Ltd. Software Engineer 21 Princeton Place 716-662-8973 x26 Orchard Park, NY 14127 --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
Re: Per-user receive rate controls
Ralf Hildebrandt wrote: Something like pop-before-smtp.pl will do the trick: It will tail the maillog and then you can build an in memory database (a queue) that stores recipients, number of mails they recieved and timestamps. Nice--I'll do this, at least until I get around to hooking into the delivery process directly. However my logging is currently set in syslog to be only 'notice' or above. If I change it back to * I get much more logging than I want. Is it possible to just log the lines that say: postfix/smtp[10332]: CDA86E382: to=[EMAIL PROTECTED], relay=domain.com[0.0.0.0], delay=5, status=sent (250 TAA10932 Message accepted for delivery) This would be just enough to know how many messages were being sent out. I know how to add _more_ logging with -v, and change the _overall_ logging amount with syslog.conf, but I haven't found any info on finer-grain log control... I don't know how pop-before-smtp.pl is implemented, but if you can get it to read from a named pipe you can set up a separate channel from syslog to the perl script. Create a named pipe in some appropriate location such as /var/local for the perl script to read from, mkfifo /var/local/lmtpmon Then add an entry to the syslog.conf file to send mail.info messages to the pipe separate from the entry currently sending mail.notice to maillog mail.=info|/var/local/lmtpmon Now your perl script will get the info messages it needs to work without cluttering your maillog file. Cheers Chris
Cyrus MySQL
it's posible to compile Cyrus-IMAP in FreeBSD and with MySql support, not Berkeley DB 3.x? Thank's
Re: New server
It's much more important that you understand what is causing such a high load on your system right now. We support over 5000 concurrent connections on two 450 MHz UltraSpace-II processors and 2 gigs of memory, and run at peak times at around a 3 load average. It's also important to think about I/O channels. You also didn't mention what version of Cyrus you're running. Larry From: Kiarna Boyd [EMAIL PROTECTED] Date: Wed, 3 Oct 2001 08:27:31 -0400 Organization: GSD Good morning folks! I want to draw on your collective experience on cyrus servers hardware. I currently have a Sun Ultra 10 with a 400Mhz processor and half gig of ram. An average of 150+ concurrent users is pegging my CPU at high 90's between kernel use and user. If I break it down it is the heavy IMAP traffic. So I need to spec out a new ideal server. I am thinking 2 processor and a full gig of ram. However I want to plan on 400+ concurrency just to have some elbow room. This is a school so we get a a lot of surprise email traffic. Any suggestions? I really appreciate you taking the time to help me with this! -Kiarna
Re: Move existing users (imail) to new cyrus box?
On Tue, Oct 02, 2001 at 11:01:46AM -0400, djinn wrote: Obviously, three things need to happen: 1) saslpasswd username/password saslpasswd has some support for being called from other programs. So that shouldn't be too bad. You might want to write a little setuid script to protect the database from getting entries whose username/passwords can not be verified with the old username/password. That way, if there is a weakness in one of your CGI scripts, someone can't take over your customer's accounts and start spamming or doing other nasty things. It shouldnt require setuid root, just some user who has access to write to the back end database for saslpasswd. 2) cyradm cm user.username 3) transfer of mail/mailboxes from old server to new According to the imail web page, it supports imap. There are a bunch of imap access libraries for perl. Mail::IMAPClient has an example program copy_folder.pl which will copy imap mailboxes between servers, including creating the mailbox. It could probably be modified pretty quickly to do what you want. -- Andrew EasonSystem Administrator[EMAIL PROTECTED]
perl script for adding users
Anyone have a sample perl script for adding new users for cyrus? Thanks. -- Vincent Stoessel [EMAIL PROTECTED] Java Linux Apache Mysql Php (JLAMP) Engineer (301) 362-1750 Mobile (410) 419-8588
Re: Per-user receive rate controls
Chris Audley wrote: Create a named pipe in some appropriate location such as /var/local for the perl script to read from, mkfifo /var/local/lmtpmon Then add an entry to the syslog.conf file to send mail.info messages to the pipe separate from the entry currently sending mail.notice to maillog mail.=info|/var/local/lmtpmon Now your perl script will get the info messages it needs to work without cluttering your maillog file. Brilliant Chris--I knew in theory that you could put a pipe into syslog, but I'd never thought to try it... This is a fantastic solution!
Re: Eudora and ssl/tls and cyrus
Sorry about the late response, but I just got some time to look into this. Your fix allows Eudora to negotiate TLSv1, but does NOT fix the STARTTLS problem. I still can not get Eudora to do STARTTLS with an unmodified Cyrus. If you look closely at the log of your connection, you connected to an imaps daemon, meaning that you're doing what Eudora calls an Alternate Port connection (SSL wrapped IMAP on port 993). So, we're back to square one -- Eudora is still broken. Ken Nick Simicich wrote: I just successfully got Eudora to negotiate TLS with Cyrus. This applies to Eudora 5.1. A log extract which shows that I was able to connect in TLS is below --- you will have to trust me that I did it from Eudora. The way to accomplish this is to stop Eudora, and using an editor like emacs or notepad, edit the eudora.ini file. In the [Settings] part of the file, find a entry labeled SSLReceiveVersion If it is there, change the value specified to 0. If it is not there, add a line reading SSLReceiveVersion=0 Then start Eudora again. This parameter defaults to 6, which allows SSL Version 3 only. A setting of 0 allows any of the settings it will speak. 7 forces TLS 1.0, other settings force various other combinations. But 0 makes Eudora permissive and allows it to speak what the other end wants to speak, thus allowing it to use TLS version 1.0. Why Eudora decided to make this parameter default to 6, I have no idea. I believe that this will allow Eudora 5.1 to talk to an unmodified Cyrus. The FAQ should probably be changed to mention this parameter -- and maybe when people contact Eudora it should be to ask that the parameter be changed. Sep 27 22:37:40 parrot master[30495]: about to exec /usr/cyrus/bin/imapd Sep 27 22:37:40 parrot service-imaps[30495]: executed Sep 27 22:37:40 parrot imapd[30495]: accepted connection Sep 27 22:37:44 parrot imapd[30495]: starttls: TLSv1 with cipher DES-CBC3-SHA (1 68/168 bits) no authentication Sep 27 22:37:45 parrot imapd[30495]: login: glock.squawk.com[208.176.124.157] ni ck CRAM-MD5+TLS User logged in Sep 27 22:37:45 parrot imapd[30495]: seen_db: user nick opened /var/imap/user/n/ nick.seen Sep 27 22:37:45 parrot imapd[30495]: open: user nick opened INBOX -- We often hear of war described as if it were some kind of impersonal affliction, such as the Black Plague or famine.The fact is that war is not just something that happens, it is something that people make happen, and they make it happen for reasons. As Clausewitz said, war is the continuation of politics by other means. Exactly. War is neither a hurricane nor a flood. It is, on the contrary, the cutting edge of ideology. -- Jeff Cooper Nick Simicich - [EMAIL PROTECTED] - http://scifi.squawk.com/njs.html -- Kenneth Murchison Oceana Matrix Ltd. Software Engineer 21 Princeton Place 716-662-8973 x26 Orchard Park, NY 14127 --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp
Re: Per-user receive rate controls
Thus spake Chris Audley ([EMAIL PROTECTED]): I don't know how pop-before-smtp.pl is implemented, but if you can get it to read from a named pipe you can set up a separate channel from syslog to the perl script. I've had good luck with smtp-poplock -- the only issue, and it took me a while to figure out, was that when syslog restarted weekly (after log rotation), the auth daemon would die since the fifo was cut. Now I just tail imapd.log directly. -- | Justin R. Miller / [EMAIL PROTECTED] / 0xC9C40C31 | Of all the things I've lost, I miss my pants the most. -- PGP signature
RE: New server
At 02:25 PM 10/3/2001 -0400, Kiarna Boyd wrote: Wow. Yes you are right if that is a base performance. I have 2.0.16 currently for cyrus. Sendmail 8.22. Is there specific tuning I need to do? Are there FAQ's available? I was running sendmail on a P-100 which primarily served as a mailing list host. I was sending out about 140,000 pieces of mail a week, and it was slamming the poor P-100. My average queue delay was about 1 hour 40 minutes for mail delivered without bounceback. I am now running postfix, still on the same hardware, my average delay in queue is under 10 minutes and instead of the delivery process being cpu bound, postfix takes less than 10% of the cpu and mail runs i/o bound. Postfix was essentially a drop-in replacement for sendmail, I think I had to change one place where I was invoking sendmail because I used an odd option that postfix's sendmail compatibility interface did not support. On a different system, I have postfix and cyrus well integrated. I am not nearly at your load levels on that system, so I can't provide any guidance. But if I were running 42% of my CPU for mail delivery, I would look to postfix or another mail system as a way of saving most of that. My mail queue is high and I have about 20 imap seesions at peak. Nfs auto mounts to user home dirs. Mailboxes are local to the server though. I show 7 sendmail processes each at around 6 %. Thanks for your help! -- War is an ugly thing, but it is not the ugliest of things. The decayed and degraded state of moral and patriotic feeling which thinks that nothing is worth war is much worse. A man who has nothing for which he is willing to fight, nothing he cares about more than his own personal safety, is a miserable creature who has no chance of being free, unless made so by the exertions of better men than himself. -- John Stuart Mill Nick Simicich - [EMAIL PROTECTED]
Re: Eudora and ssl/tls and cyrus
At 05:02 PM 10/3/2001 -0400, Ken Murchison wrote: Sorry about the late response, but I just got some time to look into this. Your fix allows Eudora to negotiate TLSv1, but does NOT fix the STARTTLS problem. I still can not get Eudora to do STARTTLS with an unmodified Cyrus. Well, I just ran a bunch of tests, and I'm pretty sure I know what confused me. If you simply change the connection method, it uses the old connection method, until and unless you change the server name. Once you do that, it will try and reconnect, but it is pretty badly hosed. During testing, I got my client into a state where it would not make any TLS connection. I tried a bunch of stuff. Finally, in desperation, I sent a message to my tls protected smtp server, and then I was able to do at least an alternate port connection. But if you have made a connection, even i you turn off alternate port, it still uses the alternate port. I think that was why I was confused. If you look closely at the log of your connection, you connected to an imaps daemon, meaning that you're doing what Eudora calls an Alternate Port connection (SSL wrapped IMAP on port 993). Because it says service-imaps? Yep, that is what was happening,even though I set it to required, starttls. I assumed it had flipped back to the primary port. I should have run ethereal on the network connection. So, we're back to square one -- Eudora is still broken. Yep. The only way it works is on the alternate port, which, I guess, is better than nothing. Ken Nick Simicich wrote: I just successfully got Eudora to negotiate TLS with Cyrus. This applies to Eudora 5.1. A log extract which shows that I was able to connect in TLS is below --- you will have to trust me that I did it from Eudora. The way to accomplish this is to stop Eudora, and using an editor like emacs or notepad, edit the eudora.ini file. In the [Settings] part of the file, find a entry labeled SSLReceiveVersion If it is there, change the value specified to 0. If it is not there, add a line reading SSLReceiveVersion=0 Then start Eudora again. This parameter defaults to 6, which allows SSL Version 3 only. A setting of 0 allows any of the settings it will speak. 7 forces TLS 1.0, other settings force various other combinations. But 0 makes Eudora permissive and allows it to speak what the other end wants to speak, thus allowing it to use TLS version 1.0. Why Eudora decided to make this parameter default to 6, I have no idea. I believe that this will allow Eudora 5.1 to talk to an unmodified Cyrus. The FAQ should probably be changed to mention this parameter -- and maybe when people contact Eudora it should be to ask that the parameter be changed. Sep 27 22:37:40 parrot master[30495]: about to exec /usr/cyrus/bin/imapd Sep 27 22:37:40 parrot service-imaps[30495]: executed Sep 27 22:37:40 parrot imapd[30495]: accepted connection Sep 27 22:37:44 parrot imapd[30495]: starttls: TLSv1 with cipher DES-CBC3-SHA (1 68/168 bits) no authentication Sep 27 22:37:45 parrot imapd[30495]: login: glock.squawk.com[208.176.124.157] ni ck CRAM-MD5+TLS User logged in Sep 27 22:37:45 parrot imapd[30495]: seen_db: user nick opened /var/imap/user/n/ nick.seen Sep 27 22:37:45 parrot imapd[30495]: open: user nick opened INBOX -- We often hear of war described as if it were some kind of impersonal affliction, such as the Black Plague or famine.The fact is that war is not just something that happens, it is something that people make happen, and they make it happen for reasons. As Clausewitz said, war is the continuation of politics by other means. Exactly. War is neither a hurricane nor a flood. It is, on the contrary, the cutting edge of ideology. -- Jeff Cooper Nick Simicich - [EMAIL PROTECTED] - http://scifi.squawk.com/njs.html -- Kenneth Murchison Oceana Matrix Ltd. Software Engineer 21 Princeton Place 716-662-8973 x26 Orchard Park, NY 14127 --PGP Public Key--http://www.oceana.com/~ken/ksm.pgp -- War is an ugly thing, but it is not the ugliest of things. The decayed and degraded state of moral and patriotic feeling which thinks that nothing is worth war is much worse. A man who has nothing for which he is willing to fight, nothing he cares about more than his own personal safety, is a miserable creature who has no chance of being free, unless made so by the exertions of better men than himself. -- John Stuart Mill Nick Simicich - [EMAIL PROTECTED]