Older blog entries for mchirico (starting at number 53)

Postfix 2nd Instance for Sender-based Routing: Multiple Gmail and Comcast Accounts

Sender-based routing makes the routing decision for outgoing email on the envelope sender address rather than the recipient. This makes it possible for each Gmail and/or Comcast account to have its own relay host and its own authentication credentials. In summary, your home Postfix system can support Gmail and Comcast accounts for all of your family and friends. This tutorial walks you through an example using Gmail and Comcast, but the setup is similar for any ISP-specific email account.

14 Aug 2005 (updated 14 Aug 2005 at 16:55 UTC) »
2 Linux Boxes - One Monitor

I have 2 Linux boxes. One runs Fedora 4 [closet.squeezel.com] and the other Fedora 3 [squeezel.squeezel.com]. The monitor is physically attached to FC3.

It's convenient to run both, yes both, GNOME and KDE on the same monitor, on the same X display. The menu bar for FC3 is at the top, and the one for FC4 is at the bottom of the screen. Here's how I set this up. This setup is run from [squeezel.squeezel.com], the computer with FC3, in a gnome-terminal:

        $ ssh -Y closet.squeezel.com

By default FC3 and FC4 are configured for X11 forwarding. The ``-Y'' option requests trusted X11 forwarding: programs on the remote host get the same access to your local X server as local programs, which includes reading keystrokes and grabbing the screen, so only use it with a machine you control. ``-X'' (untrusted forwarding) restricts remote clients through the X SECURITY extension, but many applications, and window managers in particular, do not work under it, so a full desktop session like the one below needs ``-Y''. After running the command above, I'm connected to closet.squeezel.com. Next, I just load the KDE session.

        $ startkde

    Or, if you want GNOME instead:

        $ gnome-session

You may see a few errors about sound cards from the commands above. On my configuration, I had to set up the monitor for the correct resolution, but that was pretty straightforward. Also, you'll want to put the menu bar for each computer on a different part of the screen. That was it. You can do this through firewalls as well - reference ``Breaking Firewalls with OpenSSH''.

Ctrl-Alt-F12 (What if you wanted FC4 on vt12?)

Well, of course you can have your cake and eat it too. Even with the above configuration, it's possible to run a complete session on vt12. Above, I chose startkde for the second session, but sometimes I like the gnome-session on a complete terminal, so I put that (the gnome-session) on virtual terminal 12.

The following commands are executed in an xterm on the computer with the physical monitor, which is squeezel.squeezel.com. Do it in an xterm so you can lock the display should you walk away from it.

     $ xinit -- :1 vt12

Note above that's ``xinit [space] -- [space] :1 [space] vt12''. If you want to add even more virtual terminals, execute the command above with :2 and the desired vt[number]; the display number and the virtual terminal must both be unused. Now, the screen gets a little funky, but you want to type in the following command: ``ssh -Y [remote server]''. This is the command I use.

     $ ssh -Y closet.squeezel.com

 After it logs in:

      $ gnome-session

The above will take a few seconds to load. Now you just switch to the correct virtual terminal. In my case it was as follows:

    Switch to the new virtual terminal:
       Ctrl-Alt-F12
    To get back:
       Ctrl-Alt-F7

If I've missed anything, I'll update it in Linux Tips (TIP 195 - Trusted X11 Forwarding).

I do this with computers across the Internet as well. If you're doing the same you may want to reference (TIP 13 - Securing sshd), which shows you how to limit ssh access to certain accounts only. Also, block with iptables the IP address ranges of locations you will never connect from.

Why do this?

The biggest advantage of this setup - you save money. No expensive KVM switches, no additional monitors. Save your money for faster hardware. The boxes can mount NFS over OpenVPN so that files are accessible from both computers.

Want more ideas?

If you comb through the more than 100 pages of Linux Tips, you'll see tips for setting up OpenVPN, NFS, securing ssh and a lot of other stuff...free of course.

Hope this helps...

Mike Chirico

Postfix - IMAP (sasldb)

My home computers use Postfix/Fetchmail for sending and getting email from Comcast and Gmail (Reference: Gmail on Linux Box).

I recently added IMAP to this configuration. This greatly improves things, since I can easily preserve my mail on the server when reading/storing it from a laptop. One thing: I hate using the Linux account passwords for email. It can be a problem if SSL isn't set up correctly on the client: the Linux account passwords would then go across the Internet unencrypted. So, IMAP is configured to use sasldb for authentication, not PAM. That way, if my kids screw the client up, the Linux passwords are separate and safe.

Mutt works well with IMAP(S) by storing certificates. If you have multiple servers, you can easily configure your .muttrc file to authenticate and grab mail automatically.

I've informally documented the setup in "Linux Tips" (TIP 188 and TIP 190), which includes necessary entries in "/etc/imapd.conf", creating users with saslpasswd2, changes to "/etc/postfix/main.cf" and "/etc/postfix/master.cf", and needed RPMS to install with Fedora Core.

I hope this helps.

oprofile - a system-wide profiler

This is a powerful tool with a lot of options. It comes installed with the Fedora distributions, but to take full advantage of it, and attribute samples to kernel code, the kernel should be recompiled from source so that the uncompressed kernel image (vmlinux, matching the running kernel) can be passed with the ``--vmlinux'' option.

This article ``Performance Monitoring on Linux'' walks you through the necessary steps for compiling the source kernel on Fedora installs. Also included is a quick look at iozone, and smartmontools.

The article isn't finished. cfengine has interesting system monitoring features as well (cfenvd components), but that article is taking its time.

Advanced Programming in the UNIX Environment: Second Edition

I picked up a copy of ``Advanced Programming in the UNIX Environment: Second Edition'', by W. Richard Stevens, Stephen A. Rago. Pub Date: June 17, 2005, 960 pages. Stevens passed on in 1999 - boating accident I think. Rago is carrying on the tradition.

cfengine

This package will intelligently push and pull updates to multiple servers, with built-in locking to prevent system overloading. In addition, there are Tripwire-like features (md5 checksums of files stored in a Berkeley DB database) for file integrity monitoring.

That's not all. There is an intrusion detection component, well, let's call it "sophisticated environment monitoring", where deviations from "normal" behavior can be detected, with flexibility to customize what counts as abnormal...

Some of the articles written about cfengine seem to gloss over the full functionality. I saw one popular article mention rsync, which isn't needed. cfengine performs its own file transfers over its own protocol ... look for traffic on TCP port 5308. Setting up keys and admit rights can be a bit tricky, especially since error messages can be misleading. Anyway, I'm making cfengine my next article. It could be 40+ pages.

tcpdump

A document that goes beyond methodically listing tcpdump options, and engages the reader with short programs using raw sockets (for sending, with flag manipulation) and libpcap (for receiving), may be worth writing. Perhaps it may be worth reading if it is given a bit of a security spin, since I got a lot of comments on the Breaking Firewalls with OpenSSH and PuTTY article.

Personally, I think tcpdump is indispensable for system administration.

Fedora Core 4

So far I like it. BIND 9 is set up securely, or specifically more securely than on FC3. I did have compiler errors with cyrus-sasl-2.1.21.tar.gz; but, for setting up Postfix to interact with Gmail, the installed package works fine, unlike on FC3.

Writing

Wietse listed my Postfix Tutorial under the Howtos and FAQs, so I feel good about making a small contribution. Reviews have been positive.

openvpn

I've been very impressed with OpenVPN. The documentation is well written; however, I still think there's room for an article. Specifically, I was thinking of creating a tutorial that would complement the Live Linux CD, but with OpenVPN installed and NFS in conjunction with UnionFS. Perhaps add instructions on compiling GCC? Nothing yet; I'm still in the meticulous testing phase.

Linux Device Drivers, 3rd Editon

This book is extremely good, and it's released under a Creative Commons license. For $65 you can get a Delcom USB device. I've done a simple one here, which may help if you're thinking of doing a 2.6 kernel module for it and need help getting started.

SourceForge

I noticed SourceForge is using Fedora Core 2 for their servers. Interesting, it seems the Red Hat 9.0 and 8.0 users may be gravitating to the Fedora releases. Originally, from companies that I surveyed, there was the issue of on-going support. However, from my personal experience, I prefer working with the 2.6 kernel. I don't want to keep a server running an old version of the OS and dated applications for years. With SourceForge going with Fedora Core 2, it may throw some weight behind this decision as well. True, there is Debian. But, I prefer grub over lilo especially when configuring for software raid. Again true, you can get all of this under Debian, I'm starting to see Fedora pull ahead - just my observation.

Articles

The MySQL Tips is averaging 40 downloads per hour. I think the SQLite Tutorial and Gmail article are more interesting. The Live Linux CD gets a lot of reads from the UK. And Breaking Firewalls generated the most hate mail - seems System Administrators are shutting down port 22 because of this article. I would encourage them to reread and re-think the article before taking such actions. In reality, I think it's just a few people complaining loudly.

Today's Tip

Instead of using ``ps auxf | grep 'someprocess''', try the following. For example, suppose you start working with openvpn and you want to see if it's running. The ``-C'' option selects processes by exact command name, so the grep command itself never shows up in the output, and a differently named process whose arguments merely contain the string is not mistaken for the daemon.

        $ ps -fC openvpn
        UID        PID  PPID  C STIME TTY          TIME CMD
        nobody   27092     1  0 09:45 ?        00:00:00 openvpn server.conf

I think the above method is cleaner.

4 May 2005 (updated 4 May 2005 at 19:54 UTC) »
Google Gmail on Home Linux Box using Postfix and Fetchmail

Yes, you can relay all your outgoing mail through Google Gmail from your home system, if you have a Gmail account. Plus, you can have the mail in that account fetched and delivered locally.

Postfix has to be configured with TLS and SASL. The following listing will probably make sense if you're familiar with Postfix. If you've never used Postfix, then you might want to read the complete tutorial ``Google Gmail on Home Linux Box using Postfix and Fetchmail''.

 /etc/postfix/main.cf
      transport_maps = hash:/etc/postfix/transport
      smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
      smtp_generic_maps = hash:/etc/postfix/generic

 /etc/postfix/transport
      # Contents of /etc/postfix/transport
      #
      # This sends mail to Gmail
      gmail.com             smtp:[smtp.gmail.com]
      #
      # Except mail going to the tape and closet server
      tape.squeezel.com     relay:[tape.squeezel.com]
      closet.squeezel.com   relay:[closet.squeezel.com]

 /etc/postfix/generic
      # Note hostname is squeezel.squeezel.com
      chirico@squeezel.squeezel.com   mchirico@gmail.com

 /etc/postfix/sasl_passwd
      # Contents of sasl_passwd
      #
      # The password is in clear text: keep this file, and the .db that
      # postmap builds from it, owned by root with mode 600.
      [smtp.gmail.com]   mchirico@gmail.com:pa33w0r8
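The following is an added example, not the configuration from the tutorial: it shows how Postfix 2.3 and later do the sender-based routing described in the first entry on this page within a single instance, building on the Gmail relay listing just shown (earlier releases lacked these two parameters, which is why that entry used a second instance). sender_dependent_relayhost_maps picks the relay per envelope sender, and smtp_sender_dependent_authentication makes the sasl_passwd lookup use the sender address as well, so each Gmail or Comcast account authenticates with its own credentials rather than all users sharing one password. The extra accounts, the Comcast host and port, the submission port, and the CA bundle path are assumptions.

```conf
# --- /etc/postfix/main.cf (additions) ---
# Added example; Postfix 2.3 or later.  Addresses, hosts, ports and the CA
# bundle path are assumptions for illustration.
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
# "encrypt" only insists on TLS; "verify" or "secure" also checks the
# relay's certificate against the CA bundle.
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

# Choose the relay by envelope sender, and look the SASL credentials up
# by sender too.  The second setting also disables SMTP connection
# caching, so mail from different senders never shares a session.
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sender_dependent_authentication = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# --- /etc/postfix/sender_relay ---
# Senders not listed here keep using relayhost / transport_maps as before.
mchirico@gmail.com      [smtp.gmail.com]:587
kid@gmail.com           [smtp.gmail.com]:587
spouse@comcast.net      [smtp.comcast.net]:587

# --- /etc/postfix/sasl_passwd ---
# Key is the sender address; a relay-host key such as [smtp.gmail.com]:587
# would be the fallback for senders without their own entry.  Clear-text
# credentials: chown root, chmod 600, then postmap hash:/etc/postfix/sasl_passwd
mchirico@gmail.com      mchirico@gmail.com:pa33w0r8
kid@gmail.com           kid@gmail.com:kidspassword
spouse@comcast.net      spouse@comcast.net:comcastpassword
```

After editing, run ``postmap hash:/etc/postfix/sender_relay hash:/etc/postfix/sasl_passwd'' and ``postfix reload''. Note the precedence: a transport_maps entry still wins over sender_dependent_relayhost_maps for its recipients, so the recipient-based gmail.com line in the transport listing above would have to go, leaving only the relay: entries for the tape and closet servers.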

Fetchmail

I would strongly recommend using Fetchmail with the ``sslcertck'' option, after you verify and copy the certificates. Without it, fetchmail of this vintage only warns when the server certificate fails to verify and then sends the password anyway, so anyone who can interpose on the connection gets your Gmail credentials. Note also that the password sits in clear text in .fetchmailrc, and fetchmail refuses to read the file if it is readable by group or others (mode 0710 or stricter is required). See the tutorial for a complete step-by-step approach on how to do this.

    #
    # Sample /home/chirico/.fetchmailrc file for Gmail
    #
    # Check mail every 90 seconds
    set daemon 90
    set syslog
    set postmaster chirico
    #set bouncemail
    #
    # The Google Gmail user is mchirico, but on this computer it is chirico.
    # To keep mail on the server as well, add "keep" at the end of the user
    # line, as in this commented-out version:
    # user 'mchirico@gmail.com' with pass "pa33w0r8" is 'chirico' here options ssl sslcertck sslcertpath '/home/chirico/certs/.certs' keep
    #
    poll pop.gmail.com with proto POP3 and options no dns
         user 'mchirico@gmail.com' with pass "pa33w0r8" is 'chirico' here options ssl sslcertck sslcertpath '/home/chirico/certs/.certs'
         smtphost localhost
    # You would use this to bypass Postfix and hand mail straight to procmail
    # mda '/usr/bin/procmail -d %T'


Regards,

Mike Chirico

8 Apr 2005 (updated 8 Apr 2005 at 02:07 UTC) »
Microsoft DNS cache poisoning

I noticed a lot of Internet Explorer users complaining about annoying pop-ups. And when they run ad-aware, it looks like lots of spyware. Also, I hear an inordinate number of complaints regarding ISP service yesterday and today...check the DNS, especially Comcast users.

Maybe you've noticed a slow email day?

I think this cache poisoning is going to get worse. But, I've been wrong before.

References

Microsoft has posted an update on this.

The following is the DNS CACHE POISONING DETAILED ANALYSIS REPORT Version 2, which gives a history and some good details.

30 Mar 2005 (updated 31 Mar 2005 at 00:39 UTC) »
C++ Tip

I picked up a copy of ``C++ Common Knowledge: Essential Intermediate Programming'' by Stephen C. Dewhurst, 2005. I like his example (Item 6: Array Formal Arguments), dealing with array formal arguments. In fact, there are no array formal arguments: an array passed to a function decays to a pointer to its first element. What does this mean? It's not possible to find the size of an array that was passed to a function with ``sizeof(array)/sizeof(array[0])'', because sizeof(array) then gives the size of the pointer, not of the array. Yes, in the scope where you declared the array, that expression works; but once it has decayed to a pointer, which happens when you pass it to a function, you cannot use this method, and a callee that guesses the length instead is a classic source of buffer overflows. Don't take my word for it. Try it.

Dewhurst gives an interesting way around this - I've added initialization of the array as well.

#include <iostream>
#include <string>
using namespace std;

// A reference-to-array parameter does not decay, so the compiler deduces the
// array length n from the argument's declared type.  The function fills the
// array with init_val and returns that length.
template <typename T, int n, typename T2>
int give_size_init(T (&array)[n], T2 init_val)
{
    for (int i = 0; i < n; i++)
        array[i] = init_val;
    return n;
}

int main(void)
{
    int a[13];
    string s[15];
    string s_init;
    // prints 13, 15 and 15
    cout << "Size of array is " << give_size_init(a, 5) << endl;
    cout << "Size of array is " << give_size_init(s, "ta da") << endl;
    s_init = "more";
    cout << "Size of array is " << give_size_init(s, s_init) << endl;
    return 0;
}

OpenSSH and PuTTY

This article, which details connecting beyond a firewall, was updated. In addition, I rarely see people using the config file (~/.ssh/config) with OpenSSH, which is peculiar, since it's convenient and powerful. Also, the RemoteForward option, for presenting remote websites through multiple firewalls, is my favorite option.
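An added example of that config file, not the article's own: it keeps trusted X11 forwarding off by default, turns it on only for the one host that runs the remote desktop session from the two-boxes entry earlier on this page, and adds a RemoteForward entry of the kind described here. The gateway host name, user name and ports are assumptions.

```conf
# ~/.ssh/config  (added example, not from the article; hosts and ports assumed)

# Trusted X11 forwarding hands the remote host your whole display, so leave it
# off everywhere by default.  Check /etc/ssh/ssh_config too: some distributions
# ship "ForwardX11Trusted yes", which silently turns plain -X into -Y.
Host *
    ForwardX11 no
    ForwardX11Trusted no

# The one box that runs a full desktop session on the local display.  A plain
# "ssh closet" now behaves like "ssh -Y closet.squeezel.com".
Host closet closet.squeezel.com
    HostName closet.squeezel.com
    User chirico
    ForwardX11 yes
    ForwardX11Trusted yes

# Present a web server on this home box to a machine beyond a firewall.  The
# listener binds to the remote host's loopback unless its sshd has GatewayPorts
# enabled, so only someone logged in on gw.example.com reaches it, as
# http://localhost:8080/ there.
Host gw
    HostName gw.example.com
    User chirico
    RemoteForward 8080 localhost:80
    ExitOnForwardFailure yes
```

With this file in place, ``ssh -X closet'' still behaves as ``-Y'' for that one host because ForwardX11Trusted is set there; for any other host, ``-X'' stays untrusted and ``-Y'' has to be typed deliberately.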
