Sunday 11 November 2007

Using Procmail to Notify Senders of a Change of Address

Here is a procmail recipe that auto-responds to email sent to an address that is about to be removed. It is deliberately simple; the only extra logic is there to avoid mail loops and to avoid auto-responding to mail daemons. It can go at the end of your .procmailrc file (in your home directory).

Basically, the lines starting with * are the conditions. Read together they say: do not match FROM_DAEMON, do not match FROM_MAILER, do not match our own X-Loop header, and only take messages addressed To: (including CC:) the address being retired. The line starting with | is the action: run formail to build a reply, add our X-Loop header to it, then append a file (or two, in this case) as the message body.

The one thing to point out is that if you want to set up this reply for many email addresses at once, just put a | between them. The To: pattern is a regex, so you can use fancier matching criteria if you want.

:0
# bounce messages addressed to the retired address(es); the two
# example.com addresses below are placeholders, replace them with yours
* !^FROM_DAEMON
* !^FROM_MAILER
* !^X-Loop: email-dsn
* ^TO_(old\.address@example\.com|other\.old@example\.com)
| (formail -rt -A"Precedence: junk (autoreply)" \
     -A"X-Loop: email-dsn" ; \
   cat $HOME/.procmail/change-of-address.txt $HOME/.signature) | $SENDMAIL -t

Monday 30 July 2007

Processing Arguments in BASH

There are many ways to skin a cat, but in a bash script this is probably the "most right" way to process command line arguments:


while getopts vf: opt ; do
    case "$opt" in
        v) echo "verbose set" ;;
        f) echo "f: $OPTARG" ;;
        \?) echo "Error: unknown flag" >&2 ;;
    esac
done

# drop the processed options so that only the regular arguments remain
shift `expr $OPTIND - 1`

Basically, you run "getopts" giving it a "parameter string" and a variable name. The parameter string is a list of letters you want to pull arguments from and each one that takes an argument itself is followed by a colon (:).

Loop through the arguments as above, and then use "shift" and the "OPTIND" to shift off all the arguments that were processed, leaving only the "regular" arguments, e.g. take out all the "-v" and such but leave the list of file names.
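As an added example (not code from the original post), here is the same loop wrapped in a reusable function that also handles the two things getopts can report besides a valid option, a missing option argument and an unknown flag, and then hands back only the regular arguments; VERBOSE, FILE and REST are names chosen here for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: the getopts loop as a
# function, with both error cases handled and the option processing kept
# separate from the positional arguments that remain afterwards.

# parse_args [-v] [-f FILE] [args...]
# Sets VERBOSE (0/1), FILE and REST (the positional arguments, space joined).
# Returns 0 on success, 1 on an unknown flag or a missing option argument.
parse_args() {
    # OPTIND must be reset to 1 when getopts is used inside a function,
    # otherwise a second call would resume where the first one stopped.
    OPTIND=1
    VERBOSE=0
    FILE=""
    REST=""
    # The leading ':' selects "silent" mode: getopts reports problems through
    # the option variable instead of printing its own message, so the script
    # decides what to do about them. 'f:' means -f takes an argument.
    while getopts ":vf:" opt; do
        case "$opt" in
            v) VERBOSE=1 ;;
            f) FILE="$OPTARG" ;;
            :) echo "Error: -$OPTARG requires an argument" >&2; return 1 ;;
            \?) echo "Error: unknown flag -$OPTARG" >&2; return 1 ;;
        esac
    done
    # Drop every option (and option argument) that getopts consumed; what is
    # left in "$@" are the regular arguments, e.g. the list of file names.
    shift $((OPTIND - 1))
    REST="$*"
    return 0
}

# When run directly: parse the script's own arguments and report the result.
if parse_args "$@"; then
    [ "$VERBOSE" -eq 1 ] && echo "verbose set"
    [ -n "$FILE" ] && echo "f: $FILE"
    echo "remaining: $REST"
else
    echo "usage: $0 [-v] [-f file] [args...]" >&2
fi
```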

Props: SHELLdorado

Tuesday 24 July 2007

Configuring Postfix to Relay to a Server with SMTP AUTH

If your system has a mail server installed but is not the real mail server for your site, it is preferable to have it relay through a host that is. In this example, we configure Postfix to relay to a host that requires SMTP AUTH and TLS.

Make these changes to your Postfix configuration, either by editing /etc/postfix/ or using "postconf -e":
relayhost = []
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes

Note that smtp_use_tls = yes only enables opportunistic TLS: Postfix encrypts when the relay announces STARTTLS and otherwise sends in the clear, credentials included, so for a relay that is known to support TLS it is worth making it mandatory (smtp_tls_security_level = encrypt, or smtp_enforce_tls = yes on older releases).

The given password map file will need to be created. Each line consists of the relay host exactly as written in "relayhost" above, a space, then username:password.

The name of the mail server must match your "relayhost" above, and the username and password are the credentials of a user permitted to relay mail. You can use your own credentials, or create an account on the server specifically for mail relaying.

Once you have created the password map file, run:
postmap /etc/postfix/sasl_passwd

This should create a corresponding "sasl_passwd.db" file. Since both these files contain the above password in plaintext, you should protect them as much as possible:
chmod 600 /etc/postfix/sasl_passwd
chmod 640 /etc/postfix/sasl_passwd.db
chgrp mail /etc/postfix/sasl_passwd.db

Once you have edited your Postfix configuration and created the password map, restart or reload Postfix ("postfix reload") and you're done!

Optionally, you can enable SSMTP (on port 465) in addition to TLS on the standard SMTP port (25), which is useful for users connecting from sites that block outbound SMTP. It's trivial: un-comment these lines in master.cf and run "postfix reload" again:

smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Props to the following resources:

Friday 13 July 2007

Connect to Nibble Jabber with iChat on a Mac

Connecting to Nibble Jabber with iChat on a Mac requires OS X 10.4 or above and it is super easy to setup. The screenshots below are for OS X 10.4 (Tiger). Note: If you are already using iChat for other types of instant messaging, scroll down to the end to see how to enable Jabber.

When iChat is first run, it will come up and tell you how great it is:
iChat First Run

Then it will ask you for your name, just check that it is correct, and your .Mac account info which is optional:
iChat Basic Settings

Then you can enable a Jabber account. Just check the box as shown, and provide your Jabber ID:
iChat Jabber Account

Basically you're done at this point. You will get a couple screens asking you about enabling Bonjour (optional) and configuring your web-camera (if you have one), and then you're done:
iChat Done

When iChat connects, you will probably get this warning about security, choose "continue":
iChat Security Warning

And then you will be logged in and you should see your buddy list:
iChat Buddy List

On the other hand, if you are already using iChat, you just need to go in to "Preferences" to enable Jabber. Open the "Preferences" for iChat, and go to the "Accounts" tab as shown:
iChat Account Settings

Now just choose "Jabber" from the drop-down box and provide your Jabber ID:
iChat New Jabber Account

That's it! You should get the security warning and buddy list as shown above.

Monday 9 July 2007

The ReadyNAS Does Everything

Infrant, a subsidiary of NetGear, makes this NAS (a file-server in a box) called the "ReadyNAS NV+". If you need a network file server and are willing to look at ~$1,000 price range, this is the way to go, hands down.

Just let this Jesuit tell you how great it is:

No, really, he's serious. It does *everything*. One-touch external drive backup, expandable by attaching a USB drive, or many through a USB hub... It will fold your laundry and walk the dog!

Not to be a product whore or anything, but I want me one of these!

Sunday 8 July 2007

Connect to Nibble Jabber with Pidgin

To connect to Nibble Jabber with Pidgin, just add a new "XMPP" account. Give your Nibble login name as the "Screen name", and "" as the "Domain". That's it! Just click "Save".

For example, in Windows, it looks like this:
Pidgin in Windows

Wednesday 20 June 2007

Livejournal Chatting

According to this post, Livejournal is in the process of setting up an integrated instant messaging service for their users. And unlike MySpaceIM, it is properly integrated with the service such that if you have Livejournal friends, they will automatically be available for chatting, and Livejournal will use the standard instant messaging protocol/network (XMPP/Jabber) so that you can chat to users on other services including Google Talk and Nibble Jabber.

With one small step, there are now 12 million more Jabber people in the world :D

Monday 18 June 2007

Sometimes, You Just Have to Reboot

Well, Sunday I was messing around with the systems at home. Installing updates, kicking the NFS server for fun, only to find that when I logged in to my workstation, KDE wouldn't start. I got a solid blue background and a cursor that I could move around, but nothing was happening. Nothing suspicious in top, ps, or even .xsession-errors per se. I just could not figure it out for the life of me.

So I started thinking, well, maybe it is just me. Some config file for KDE got corrupted and it is holding the whole thing up. So I started poking around, but couldn't see anything obvious. So I trashed some configs I figured might be the problem; still no change, so I restored them. Then I figured I should test whether it was a config thing, so I stomped the whole config directory in .kde. Still no change. I was still convinced at that point that it was just me and in particular something with KDE, so I stomped my whole .kde folder. Still no change.

I had to admit I had assumed I knew what was wrong when clearly, I was just making an ass of u and me... Mostly just me.

So then I tested whether other user accounts were affected. Sure enough, other accounts were affected. Precisely, the network accounts, but not the local accounts. Something was wrong with NFS.

I poked at siona a bunch and rebooted the workstation a bunch, but still no change. Every time, friday would reboot and I could authenticate, but then nothing would happen on login. Well, not quite nothing. It was just so slow that login/logout took something like a half hour.

Finally admitting I could not fix the problem by hand, I installed the latest kernel on siona (the only good reason for rebooting a GNU/Linux box other than adding new hardware), and rebooted. "Lo and behold", as Professor Tang used to say.

That was it. Kicking the portmapper, restarting the NFS services, re-exporting the shares, nothing I tried made a difference. Rebooting was just the easiest and most effective solution.

But it did cost siona 116 days of uptime for which we are all very sad :( Not a record, but still a good run. We'll miss you, 116 days uptime.

Monday 11 June 2007

Backup to an Encrypted Disk

For external backup, I got a nice encrypted disk setup. Well, I don't know about "nice", but it works and it's easy enough for me to use. Basically, I took an old 80GB IDE drive, bought a cheap ($15 cdn) external drive enclosure, setup a LUKS/dm-crypt partition on it, an ext filesystem on that, and away we go!

The drive enclosure is basically just a tin shell you stuff the drive into, with two plugs (one for power, one for USB), a switch, and an LED. That's it. Once the drive is in there, flip it on, then hook it up to the computer. This order turns out to be very important: on my workstation, if I connected it to the computer first and then flipped it on, Linux would spew some cryptic error in dmesg and then ignore the drive. I had to have the drive on and ready before plugging it into the computer. Quirks aside, I basically have an 80GB USB drive. Very nice.

So for setting up drive encryption, I roughly followed this. By roughly followed, I mean that I didn't recompile my kernel (how very 1999), I just loaded the aes and dm-crypt modules, and in the last step I used the correct syntax for closing the device (cryptsetup luksClose <name>, not luksClose /dev/mapper/<name>).

Basically, setting up the drive encryption was easy:
  1. Wipe the drive (with random data),

  2. create a partition,

  3. run cryptsetup luksSetup on the partition to create the encrypted volume,

  4. initialize the encrypted volume with cryptsetup luksOpen,

  5. create the file system,

  6. mount the file system and enjoy!

Well, okay, it's hardly like boiling water, but once it is setup, it is slightly easier. Before mounting the drive, you just run cryptsetup luksOpen and after unmounting the drive, it is cryptsetup luksClose.
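The six setup steps and the open/close pair above, written out as one reviewable script; this is an added example, not the author's own commands. Every command that touches the disk goes through a small wrapper that only prints it unless DRY_RUN=0, and the device /dev/sdb, the mapper name "backup" and the mount point /mnt/backup are illustrative assumptions (the actual cryptsetup subcommand for step 3 is luksFormat).

```shell
#!/bin/sh
# Added example, not code from the original post: the six setup steps and the
# day-to-day open/close pair as functions. Every command that touches the disk
# goes through run(), which only prints the command unless DRY_RUN=0, so the
# whole sequence can be reviewed before it is executed as root. The device
# /dev/sdb, the mapper name "backup" and the mount point /mnt/backup are
# illustrative assumptions.

DRY_RUN="${DRY_RUN:-1}"

# run CMD ARGS...: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Never wipe or format a device that is currently mounted (the prefix match
# also catches a mounted partition on that device). Skipped if /proc/mounts
# is absent.
refuse_if_mounted() {
    if [ -r /proc/mounts ] && grep -q "^$1" /proc/mounts; then
        echo "refusing: $1 (or a partition on it) is mounted" >&2
        return 1
    fi
    return 0
}

# setup_encrypted_disk DISK NAME: steps 1 to 5 of the post.
setup_encrypted_disk() {
    disk="$1"; part="${disk}1"; name="$2"
    refuse_if_mounted "$disk" || return 1
    # No kernel rebuild needed: load the cipher and the dm-crypt target as modules.
    run modprobe aes
    run modprobe dm-crypt
    # 1. Fill the disk with random data, so old contents and the extent of the
    #    encrypted volume are indistinguishable from ciphertext.
    run dd if=/dev/urandom of="$disk" bs=1M
    # 2. One primary partition spanning the disk.
    run parted -s "$disk" mklabel msdos mkpart primary 0% 100%
    # 3. Create the LUKS header and master key (the subcommand is luksFormat,
    #    which the post refers to as luksSetup); it prompts for the passphrase.
    run cryptsetup luksFormat "$part"
    # 4. Unlock it; the plaintext view appears as /dev/mapper/NAME.
    run cryptsetup luksOpen "$part" "$name"
    # 5. The filesystem goes on the mapper device, never on the raw partition.
    run mkfs.ext3 "/dev/mapper/$name"
}

# open_backup PART NAME MOUNTPOINT: step 6, and the start of every backup run.
open_backup() {
    run cryptsetup luksOpen "$1" "$2"
    run mount "/dev/mapper/$2" "$3"
}

# close_backup NAME MOUNTPOINT: unmount, then lock the volume again.
close_backup() {
    run umount "$2"
    # luksClose takes the mapper NAME, not the /dev/mapper/NAME path.
    run cryptsetup luksClose "$1"
}

# Executed directly, this prints the full procedure as a dry run.
setup_encrypted_disk /dev/sdb backup || echo "setup skipped" >&2
open_backup /dev/sdb1 backup /mnt/backup
close_backup backup /mnt/backup
```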

So the last question is: How slow is it? Well, not to put too fine a finger on it, but it's fucking slow. The initial rsync to local un-encrypted disk as mentioned in my earlier post takes about an hour. The rsync to the encrypted disk? Well, I don't know exactly, but it was over eight hours and less than fourteen hours. So it appears roughly an order of magnitude slower. Fortunately, that's not bad since I'm only going to be doing it once a month or so. An hour is okay, but man, I wouldn't want to be doing it on a larger volume.

But there you have it. Encrypted external backups for $15.

Tuesday 5 June 2007

Here's a First: It Works!

It feels like the first time in a while that, having left town for more than a week, nothing seems to have failed with siona. Mail servers all happy, no known network outages, no disks filling up. Seems a little creepy for it to be so quiet after two weeks with zero maintenance... I had better install some updates and break some stuff just to get back in the swing of things.

Thursday 3 May 2007

Local backups

The motto of a good sys admin is backup often, backup automatically, and make sure you can recover from a disaster. In general, my practices have been sorely lacking. No copies, no RAID, no external backup other than a couple of random backups and dumping the databases (from MySQL) and the directory (from OpenLDAP).

I finally just went with one of the many rsync backup scripts/utilities: rsnapshot. There is an article about it on It's simple, supports remote backups using rsync over SSH, and gives you nice rotated backups. Easy, effective, automated. What more do you want?

So now the one thing I have still to do is do an external backup. The current backup is ~17GB. As much as I'd like to burn about two dozen CDs (or even 5 DVDs) with a spanned tarball, that sounds like a pain in the ass. I guess that means an external drive which I take off-site. Ah well, a problem to solve another day.

Tuesday 1 May 2007

APT repository by SSH

So while on the site today I noticed an article about Restricting access to your private Debian repository where amongst other gems, they mention that you can use "ssh://" URIs in your sources.list file. Pretty nice, yes?

Well on top of that, mixed in with the comments, someone points out there's a helper utility called ssh-copy-id which copies your SSH public key(s) to a specified machine. It takes care of appending your key to the existing authorized_keys file and fixing file permissions on .ssh and the authorized_keys file.

As Borat says: "Verry nasse!"

Monday 23 April 2007

Feisty Fawns and ATI drivers

I successfully updated Friday, my computer at home, to Feisty Fawn! Hooray! It was only a little bit of a pain. The GUI updater thing seized up during the upgrade. Sucks, but I just did "apt-get dist-upgrade" from the terminal a couple of times and all was well. As an added bonus, Feisty now boots way faster. At some point, probably since Dapper, Friday would hang waiting to connect to the directory server on siona. It would go through a half dozen exponential timeouts before it would proceed, so overall that added 5 minutes to the boot time. Anyhow, with Feisty, Friday just boots right up!

Now on Santana, my workstation at work, apache was totally messed. I ended up having to blow away apache and all the modules before the update would proceed. I don't know what happened there. Some crazy dependency hell.

Now in other news, I've been having problems with the proprietary ATI drivers (the fglrx drivers) on my office workstation for a long time. Every time I logged out, the system froze. Argh! But I worked around that by only logging out once a week ;) Anyhow, it turns out the Gentoo people know it's a problem and even have a solution. Well, more of a workaround. Apparently the problem stems from a memory leak or some such. Bad. So I'm going to try their work-around and if it doesn't work *shrug* I'll go to the F/OSS ATI driver. I haven't been playing much UT2004 at work recently, which was the only reason I bothered with the fglrx driver in the first place.

Tuesday 17 April 2007

Now running: Openfire

The Jive Software XMPP server has gone through a name change from Wildfire to Openfire. Gosh, I remember back in the day when it used to be called "Jive Messenger", those were the days. You had to pack your Jabber messages on your back in the hot sun with no water... Oh nevermind, the Jive XMPP server has always been a treat. The icon of "ease of use" with a good enough balance of functionality for many installations.

So anyhow, the upgrade from Wildfire 3.2.4 to Openfire 3.3.0 went great. It's up and running and seems to be in great shape!

Wednesday 11 April 2007

What time is it?

I just stumbled across this interesting page here: It lists all the calendar quirks we have scheduled for the foreseeable future. It's pretty cool :D This page covers everything from relatively minor bugs, like VBScript returning the wrong week number once every 28 years, to the supposedly catastrophic, including the disastrous Y2K bug and the end of 32-bit UNIX time in 2038. Some are just quirks of computing, like the Y2K bug, some are basic calendar ones, like the non-non-leap-year in 2000, and others are political/calendar changes like the change in DST in the US (and regions that adopted the change to stay in step with the US).

By the way, the end is nigh! On May 19th, the MS-DOS CLOCK$ day count hits 10000. Whatever that means. Oh, and June 7th works out to be the same as 1999-99-99... If that causes a bug, then someone has written some bad-bad-bad software :P

Tuesday 3 April 2007

More routers = more confusion

Apparently, this whole two routers thing is a little messed up. In summary: I have an older (i.e. better) Linksys WRT54G running DDWRT as my gateway and primary LAN router, and a second Linksys WRT54G, newer and shitter, running the Linksys firmware and serving the WLAN. Basically, it ran as two subnets with only the DDWRT router doing any NAT.

Everything *seemed* fine. The traffic from the WLAN passed to the wired LAN, then through the NAT to the Internet, then back. However, we started noticing a problem where a WLAN machine had trouble accessing services on Siona when the connection had to pass WLAN -> LAN -> NAT -> Siona -> NAT -> LAN -> WLAN ... Not exactly the world's simplest setup, but it *should* work since LAN -> NAT -> Siona -> NAT -> LAN always works... It was just being flaky. Nine times out of ten, the connection would just disappear. Other Internet connections were fine, and addressing Siona by her non-routable IP was working fine.

So after much poking and testing to identify *where* these connections were disappearing, I found they weren't disappearing at all. I guess the WLAN router just needed to be reset or some such. Stupid Linksys... Ah well, what can you do, right?

When all else fails and you're using shitty firmware (or operating system), reboot!

Wednesday 28 March 2007

Mindmapping Like Cthulhu

I have finally started using a mind-mapping tool, Kdissert, and I have to say, it's pretty cool. Mindmapping tools are great for organizing many related ideas so you can map out what's what.

The other thing is that mind-maps can look kinda snazzy. In Kdissert, by default, it draws straight lines from one idea to another. However, you can make it draw splines instead and then the ideas look like they're being grappled by tentacles, it's really cool. Here's a mindmap I'm working on, apparently, my mind looks like the coming of Cthulhu:


Friday 23 March 2007

More routers = more power

As per my earlier posts, my existing wireless router has been having problems. After "playing" with the transmit power settings using DDWRT, I managed to blow my wireless. Connectivity was intermittent no matter what I did, with or without encryption running on top. In summary, the wireless was dead.

So then came the question of replacing the router. Well, since Linksys, in their grace and wisdom, has been selling the same router (the WRT54G) for at least the two years I've had this one, while stripping down the hardware to be cheaper and crappier every year, my options were either to find another router to replace the current one that would be beefy enough for my needs, or to buy the cheapest wireless AP possible and run it on the LAN in addition to my current router.

After some hemming and hawing, I decided to go with the cheapest and easiest option. So I bought one of the "new and improved" Linksys WRT54Gs. Well it turns out that since Linksys has been able to cut costs, they've decided to pass those savings directly to the shareholders. I paid the same f&^$%ing price for the stripped down version of my old router. But, at the cost of 70$ plus a sore ass, I now have a working wireless router.

Since I just wanted an additional WLAN alongside the existing LAN, the setup was actually really easy and is working really well. On my existing router, I configured a static route pointing to the new router. I set up the new router with a static external IP address, set up the internal network on a new subnet, and changed it from "gateway" mode to "router" mode, which disables NAT. So now I have two networks at home, for the wired LAN and external gateway, and for the WLAN. Worked like a charm!

The last issue was, of course, wireless security. I have to say that the WiFi group and people implementing WiFi stuff still need to uncork their collective asses. On the router, I've got the option of WEP, WPA, and WPA2. For WPA, there's "personal" and "enterprise". Now, given this is a router setup, the terms "personal" and "enterprise" tell me nothing either technically (when they should be saying "pre-shared key" or "RADIUS/802.1x" instead) or as a non-technical user. Nevertheless, this was a moot point because on the client side, after fighting with Ubuntu, I couldn't get it to connect to the WLAN with WPA encryption (pre-shared key) and I just didn't have the energy to troubleshoot. So I ended up going with WEP (the "wireless sort-of-encryption protocol") which was, if not secure, at least feasible to set up. Sadly, I think most of the local WLANs are encrypted (either WEP or WPA), so we're no more and no less a target. Ugh, stupid WEP.

On the other hand, since all the systems on our LAN/WLAN are firewalled and updated and basically good for taking care of themselves, I may yet go back to running wide-open. The only people likely to piggy-back are our neighbours and they're a pretty harmless lot.

Thursday 22 February 2007

Ooo! Email on the Web!

After having to cleanup the Squirrelmail config for work, I found that Squirrelmail is nowhere near as stupid as it might seem. You just can't use the default config.

So anyhow, I have installed squirrelmail on Siona here:

It's up, it's SSL, and so far it seems to be running sort of okay. It's a little weird about folders with sub-folders, but otherwise it's working well. Check it out!


Friday 16 February 2007

Fragging root sucks

Siona, the server, for no apparent external reason started freaking out about errors on the root partition. The drive is a Western Digital which seems to lend credence to the decline in quality of WD drives... Anyhow, syslog reported that the filesystem hit a couple of IO errors. For better or worse, it looks like the damage was contained to a single partition but there was some data loss. The files in /etc/apt were all corrupted.

Argh! Why? Siona is a headless server, so repairing the root partition meant digging out a DB15-type monitor cable, stealing a keyboard and mouse from Friday, and booting Knoppix. Fortunately, the file system repair went well. It looks like some sectors went bad, so reiserfsck was able to rebuild the filesystem (less the corrupted files, of course). A pain in the ass, but no worse than that.

Now if only there was a way to repair a root filesystem remotely...

And in other news, I've become pretty convinced that I've burned out the wireless in my router :P Sucks cause I liked that router! It's just been having a rough life... Well, if Linksys didn't make such shitty firmware, then I wouldn't have needed to replace it with third-party firmware. Jerks. DDWRT is *way* nicer than the Linksys firmware; they should just ship with that.

So for the wireless: it is a pain not having wireless, so I think I'm going to get a second router and then set up a static route on the current router so that the wireless can be on a separate subnet. That way a) clients don't have to get NAT'ed twice going to the Internet and b) I can keep my current router with its current firmware and configuration.

We shall see how that goes.

Thursday 8 February 2007

Restoring from Backup

A while ago I started backing up the LDAP directory on siona, just a simple cron job to slapcat the directory really. But I hadn't tested restoring from backup. Well, unlike the usual game-plan of "wait for disaster and then beg God's forgiveness for your sins and pray that restoring from backup works", I actually tested the restore! Woo!

A while ago, I had installed a base Debian/Sarge system on chevette. At the time, all I did was take an image, then shut chevette down again. I have no idea how long ago that was... At any rate, fired chevette up the other day, ran the (many) updates, and then tried to manually replicate the directory service from siona by restoring from backup. I'm pleased to say, it worked great! I even found a config error on siona in the process so I'm definitely happy!

So basically, where I'm at is I have got the directory up on chevette. Since I have been having problems upgrading the mail sub-system on siona (e.g. Postfix and peripherally Dovecot), I'm going to try to replicate the mail setup from siona on chevette and see if I can get it working with the new Postfix (and everything else). And *then* if it works on chevette, I'll try it all again on siona, and that way if it goes haywire on siona, I'll at least know I can wipe siona and restore the config and data from backup.

We'll see how it goes...

Wednesday 24 January 2007

OpenId and Comments

I've finally taken the step forward and set up comments on my blog. I require a login to post comments to mitigate spam, but rather than create a whole crappy registration system, I have "OpenID enabled" my blog.

Being an OpenID consumer is pretty easy. Especially since there's this facility called "simple registration" such that the OpenID server can provide a lot of common registration fields. The one I use, for example, is "nickname". Rather then lots of form input from the user, I just request the data from the OpenID server and use that instead. Very nice.

All-in-all, building a comment system in to my blog was pretty easy. They're not syndicated, but I'm okay with that. It's just enough to allow some discussion.

Monday 15 January 2007

New Year and New Identity

I've finally taken the plunge and setup an OpenID. After humming and hawing for a while, I came across this blog where the author explains how to setup your personal site (blog or whatever) to be a proxy for an OpenID. Well, I knew about this in the past, it was really some of the other stuff on his site that convinced me to create an OpenID.

First of all, it is important to understand what this "identity" does and doesn't do. It's a bit, well, it's a bit of an existential problem. "Who" am I? And "who" are you? If you give me your name and I give you mine, what do we know about each other? Not much. As it turns out, that's basically what you get with an OpenID. A name, nothing more, nothing less.

As it turns out, following the above blog is a good illustration for how an OpenID works and what it does, so:

  1. Go to and register for an OpenID,

  2. Configure your homepage as a proxy for that OpenID,

  3. Go to a site that supports OpenID, like LiveJournal, and post a comment.

Okay, in "step 1", you create your identity. This is like getting your Social Insurance Number or passport. It's your official identity. It's like having your name and number on a little plastic card only in this case, the "number" is actually a URL for your OpenID. Mine is Just like a SIN number, it's kind of a pain to remember, but after using it enough times, you'll remember it ;)

Now "step 2" isn't really necessary. However, just like in real life, my "official" name isn't really the name I like to use everyday. My SIN card says "Joseph Dominic" but I prefer "Dominic Joseph", so I setup a proxy for regular everyday use. Following the instructions in the blog (which involves adding two lines to my blog), I have setup my preferred name ( to be equivalent to my "official" name.

Now in "step 3", I actually use this identity, which really shows how this all works. I go to LiveJournal and when I post a comment, it asks me "who are you?" Rather than debate "who" or even "what" I am, I just give my preferred name ( My name doesn't *really* mean anything, it's just something that's going to show up in my comment so anyone that actually knows me will say "hey, Dominic left this message, I know that guy!" Now LiveJournal is a bit of a stickler. It requires my official identity, so what the site does is it goes to my identity page, the one, and tries to get my identity verified. What it finds is that my given identity is not my real identity, and so LiveJournal gets redirected to my real OpenID, Once it gets there, doesn't just hand over my information; it requires me to a) log in, and b) authorize LiveJournal to access my identity. So if I'm happy with handing my SIN over to LiveJournal, I log in and confirm that LiveJournal should be able to get my "official" identity.

And that's it. An OpenID is just a name and some sort of verifiable "official" number.

There are many things that an OpenID does not do. It does not create an account for every site. Like for LiveJournal, you don't get a blog just by having an OpenID, because you need more than an identity for that, like some web space and such. It doesn't stop spammers; they can register any number of OpenIDs they want to spam you. It doesn't make you anonymous on the web, and neither does it reveal any more information than you give.

However, even for these "flaws", having an identity helps address the problems. You may not get a blog on LiveJournal, but you can comment on LiveJournal without a blog. It also can make registering for LiveJournal easier. It may not prevent spammers, but if you could keep an OpenID address book, then you would have a better idea of whose messages were legit and whose were spam. And even though your "identity" doesn't hide itself, it's just a URL. It doesn't say who you are.

I hope that eventually, OpenIDs will replace all the crappy centralized identities, .Net passport, we're talking about you here, and eventually have wide adoption on the web. It's useful enough that I will use one, but I think it should, and could, become ubiquitous someday.

And that's all I have to say about OpenID.
