After having to clean up the Squirrelmail config for work, I found that Squirrelmail is nowhere near as stupid as it might seem. You just can't use the default config.
So anyhow, I have installed squirrelmail on Siona here:
https://webmail.nibble.bz
It's up, it's SSL, and so far seems to be running sort of okay. It's a little weird about the folders with sub-folders but otherwise, it's working good. Check it out!
Ciao
Thursday, 22 February 2007
Friday, 16 February 2007
Fragging root sucks
Siona, the server, for no apparent external reason started freaking out about errors on the root partition. The drive is a Western Digital which seems to lend credence to the decline in quality of WD drives... Anyhow, syslog reported that the filesystem hit a couple of IO errors. For better or worse, it looks like the damage was contained to a single partition but there was some data loss. The files in /etc/apt were all corrupted.
Argh! Why? Siona is a headless server so repairing the root partition means digging out a db15-type monitor cable and stealing a keyboard and mouse from Friday, and booting to Knoppix. Fortunately, the file system repair went well. It looks like some sectors went bad so reiserfsck was able to rebuild the filesystem (less the corrupted files, of course). A pain in the ass, but no worse than that.
Now if only there was a way to repair a root filesystem remotely...
And in other news, I've become pretty convinced that I've burned out the wireless in my router :P Sucks cause I liked that router! It's just been having a rough life... Well, if Linksys didn't make such shitty firmware, then I wouldn't have needed to replace it with third-party firmware. Jerks. DD-WRT is *way* nicer than the Linksys firmware, they should just ship with that.
So for the wireless, it is a pain not having wireless so I think I'm going to get a second router and then set up a static route on the current router so that the wireless can be on a separate subnet so a) clients don't have to get NAT'ed twice going to the Internet and b) I can keep my current router with its current firmware and configuration.
We shall see how that goes.
Thursday, 8 February 2007
Restoring from Backup
A while ago I started backing up the LDAP directory on siona, just a simple cron job to slapcat the directory really. But I hadn't tested restoring from backup. Well, unlike the usual game-plan of "wait for disaster and then beg God's forgiveness for your sins and pray that restoring from backup works", I actually tested the restore! Woo!
A while ago, I had installed a base Debian/Sarge system on chevette. At the time, all I did was take an image, then shut chevette down again. I have no idea how long ago that was... At any rate, fired chevette up the other day, ran the (many) updates, and then tried to manually replicate the directory service from siona by restoring from backup. I'm pleased to say, it worked great! I even found a config error on siona in the process so I'm definitely happy!
So basically, where I'm at is I have got the directory up on chevette. Since I have been having problems upgrading the mail sub-system on siona (e.g. Postfix and peripherally Dovecot), I'm going to try to replicate the mail setup from siona on chevette and see if I can get it working with the new Postfix (and everything else). And *then* if it works on chevette, I'll try it all again on siona and that way if it goes haywire on siona, I'll at least know I can wipe siona and restore the config and data from backup.
We'll see how it goes...
Wednesday, 24 January 2007
OpenId and Comments
I've finally taken the step forward and set up comments on my blog. I require a login to post comments to mitigate spam, but rather than create a whole crappy registration system, I have "OpenID enabled" my blog.
Being an OpenID consumer is pretty easy. Especially since there's this facility called "simple registration" such that the OpenID server can provide a lot of common registration fields. The one I use, for example, is "nickname". Rather than lots of form input from the user, I just request the data from the OpenID server and use that instead. Very nice.
All-in-all, building a comment system into my blog was pretty easy. They're not syndicated, but I'm okay with that. It's just enough to allow some discussion.
Monday, 15 January 2007
New Year and New Identity
I've finally taken the plunge and set up an OpenID. After humming and hawing for a while, I came across this blog where the author explains how to set up your personal site (blog or whatever) to be a proxy for an OpenID. Well, I knew about this in the past, it was really some of the other stuff on his site that convinced me to create an OpenID.
First of all, it is important to understand what this "identity" does and doesn't do. It's a bit, well, it's a bit of an existential problem. "Who" am I? And "who" are you? If you give me your name and I give you mine, what do we know about each other? Not much. As it turns out, that's basically what you get with an OpenID. A name, nothing more, nothing less.
As it turns out, following the above blog is a good illustration for how an OpenID works and what it does, so:
1. Go to http://myopenid.com and register for an OpenID,
2. Configure your homepage as a proxy for that OpenID,
3. Go to a site that supports OpenID, like LiveJournal, and post a comment.
Okay, in "step 1", you create your identity. This is like getting your Social Insurance Number or passport. It's your official identity. It's like having your name and number on a little plastic card only in this case, the "number" is actually a URL for your OpenID. Mine is http://dlepiane.myopenid.com. Just like a SIN number, it's kind of a pain to remember, but after using it enough times, you'll remember it ;)
Now "step 2" isn't really necessary. However, just like in real life, my "official" name isn't really the name I like to use every day. My SIN card says "Joseph Dominic" but I prefer "Dominic Joseph", so I set up a proxy for regular everyday use. Following the instructions in the blog (which involves adding two lines to my blog), I have set up my preferred name (http://dl.nibble.bz/~archangel) to be equivalent to my "official" name.
Now in "step 3", I actually use this identity which really shows how this all works. I go to LiveJournal and when I post a comment, it asks me "who are you?" Rather than debate "who" or even "what" am I, I just give my preferred name (http://dl.nibble.bz/~archangel). My name doesn't *really* mean anything, it's just something that's going to show up in my comment so anyone that actually knows me will say "hey, Dominic left this message, I know that guy!" Now LiveJournal is a bit of a stickler. It requires my official identity so what the site does is it goes to my identity page, the http://dl.nibble.bz/~archangel one, and tries to get my identity verified. What it finds is that my given identity is not my real identity and so LiveJournal gets redirected to my real OpenID, http://dlepiane.myopenid.com. Once it gets there, MyOpenID.com doesn't just hand over my information, it requires me to a) log in, and b) authorize LiveJournal to access my identity. So if I'm happy with handing my SIN over to LiveJournal, I log in and confirm that LiveJournal should be able to get my "official" identity.
And that's it. An OpenID is just a name and some sort of verifiable "official" number.
There are many things that an OpenID does not do. It does not create an account for every site. Like for LiveJournal, you don't get a blog just by having an OpenID because you need more than an identity for that, like some web space and such. It doesn't stop spammers, they can register any number of OpenIDs they want to spam you. It doesn't make you anonymous on the web, neither does it reveal any more information than you give.
However, for even these "flaws", having an identity helps address the problems. You may not get a blog on LiveJournal, but you can comment on LiveJournal without a blog. It also can make registering for LiveJournal easier. It may not prevent spammers, but if you could keep an OpenID address book, then you would have a better idea of whose messages were legit, and whose were spam. And even though your "identity" doesn't hide itself, it's just a URL. It doesn't say who you are.
I hope that eventually, OpenIDs will replace all the crappy centralized identities, .Net passport, we're talking about you here, and eventually have wide adoption on the web. It's useful enough that I will use one, but I think it should, and could, become ubiquitous someday.
And that's all I have to say about OpenID.
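Added example (not from the original post or the blog it links to): a sketch of the discovery step a consuming site performs on the "proxy" page from step 2, using the OpenID 1.x `openid.server` and `openid.delegate` link relations. The two URLs from the post are reused; the provider endpoint `https://provider.example/server` and both sample pages are constructed placeholders. Only links inside `<head>` are honoured, so markup that ends up in the page body cannot redirect the identity.

```python
from html.parser import HTMLParser


class HeadLinkParser(HTMLParser):
    """Collect <link rel=... href=...> values, but only while inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False  # <body> ends the head even if </head> is missing
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            href = (attr.get("href") or "").strip()
            for rel in (attr.get("rel") or "").lower().split():
                if href:
                    self.links.setdefault(rel, href)  # first declaration wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(claimed_id, html):
    """Return what the consumer stores (claimed_id) and what it asks the
    provider to verify (provider_identity, i.e. the delegate if one is set)."""
    parser = HeadLinkParser()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link in <head> of " + claimed_id)
    return {
        "claimed_id": claimed_id,
        "server": server,
        "provider_identity": parser.links.get("openid.delegate", claimed_id),
    }


# Constructed sample: the "two lines" added to the blog's <head>.
BLOG_PAGE = """<html><head><title>blog</title>
<link rel="openid.server" href="https://provider.example/server">
<link rel="openid.delegate" href="http://dlepiane.myopenid.com">
</head><body><p>posts</p></body></html>"""

# Constructed sample: the same link tags appearing only in body content.
BODY_ONLY_PAGE = """<html><head><title>blog</title></head><body>
<div class="comment"><link rel="openid.server" href="https://other.example/s">
<link rel="openid.delegate" href="https://other.example/id"></div>
</body></html>"""

if __name__ == "__main__":
    print(discover("http://dl.nibble.bz/~archangel", BLOG_PAGE))
```

The consuming site keys the comment to `claimed_id`, so the delegate can later be pointed at a different provider without changing the name other sites know; it also means anyone who can edit that page's `<head>` controls the identity.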
Monday, 25 December 2006
I Dream of Debian
Last night I had several odd dreams. In my last dream, I dreamt I was working in some sort of office with my desk facing a coworker. We were sitting there and a colleague came in and started talking to my coworker something about installed packages. My coworker started typing away to figure something out when the colleague tossed in his two bits saying:
"Why don't you just rpm -qa"
This infuriated me! I jumped up and shouted:
"There's not fucking RPM in Debian, you son of a bitch!"
So the colleague ducked his head and bolted from the room and my coworker sat there flabbergasted. I sat down rubbing my jaw because I had yelled so loud I had strained it. And then I woke up.
So I guess this is just a subconscious warning: Don't make RedHat jokes about Debian systems. I get very upset, apparently.
Saturday, 23 December 2006
Postfix Cleanup
The number of users and domains being hosted on Siona has been growing for quite a while. We're now up to 29 users and 13 domains. Being an order of magnitude beyond the single-user/single-domain setup means there are some complications even though the server configuration is pretty basic.
For example, it is getting important to ensure that domains only deliver mail for a subset of the users. For a while, the domains were all just being appended to the "mydestination" attribute in the Postfix configuration which meant that a) any changes required a mail server restart and b) there was no way to separate which users were in which domains.
A while ago, new domains were being added to the "virtual_alias_domains" hash file. This is really the way to go since modifying the list of domains and modifying the valid relay recipients was easy and allowed control over who was in which domains. The process is still manual, 13 domains is not that much to manage, but it is much easier.
So the latest cleanup issue in the configuration was to move all the extra domains out of the "mydestination" attribute and into the "virtual_alias_domains" hash file where they belong. Well, it was interesting. I had to check through the logs to see which users were actually receiving mail in which domains. Not too tricky at least.
It is really unfortunate that some of the old names, like "uro.mine.nu" and "dulcea.nibble.bz" still have to be maintained. It would be nice to retire those old domains. But the cost of keeping them is way less significant than the energy required to ensure that everyone has current email addresses for all the users.
So other than moving all logical domains to virtual domains, the other change was that I changed the server to no longer relay mail on the basis of "mynetworks". The SASL authenticated SMTP is working great so there's no need to just white-list the LAN. It's cool :D I'm excited because this is the way SMTP should be! Servers only accepting mail if they are either going to deliver the mail or if the connecting user or host is authenticated! Every SMTP server should be set up like this! There are fewer and fewer excuses to accept mail from an un-authenticated connection and more and more reason to validate all mail all the time.
All-in-all, the cleaned up Postfix config is a much better setup for my current and future needs. It's good :)
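Added example (not the author's configuration): a small audit that compares a constructed "before" `main.cf`, with hosted domains in `mydestination` and relaying allowed by `permit_mynetworks`, against a constructed "after" that uses `virtual_alias_domains` and SASL-only relaying as the post describes. The file contents, the `hash:/etc/postfix/virtual` path and the finding names are assumptions, and domains are listed inline here so the check runs offline.

```python
import re

# Constructed main.cf fragments (not the author's real files).
BEFORE = """\
# every hosted domain appended to the local class
mydestination = $myhostname, localhost,
    uro.mine.nu, dulcea.nibble.bz
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
"""
AFTER = """\
mydestination = $myhostname, localhost
virtual_alias_domains = uro.mine.nu, dulcea.nibble.bz
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
    reject_unauth_destination
"""


def parse_main_cf(text):
    """Parse 'name = value' lines, '#' comment lines, and continuation
    lines (a line starting with whitespace continues the previous one)."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()
        elif "=" in raw:
            name, value = raw.split("=", 1)
            current = name.strip()
            params[current] = value.strip()
    return params


def items(value):
    """Split a comma- and/or whitespace-separated main.cf list."""
    return [v for v in re.split(r"[,\s]+", value) if v]


def audit(text, hosted_domains):
    """Return finding names; hosted_domains are the domains that should be
    virtual rather than local. Table references (hash:...) are not opened."""
    p = parse_main_cf(text)
    findings = []
    local = set(items(p.get("mydestination", "")))
    virtual = set(items(p.get("virtual_alias_domains", "")))
    for d in sorted(local & set(hosted_domains)):
        findings.append("hosted-domain-in-mydestination:" + d)
    for d in sorted(local & virtual):
        findings.append("domain-in-both-classes:" + d)
    relay = (items(p.get("smtpd_relay_restrictions", ""))
             + items(p.get("smtpd_recipient_restrictions", "")))
    if not relay:
        findings.append("relay-restrictions-left-at-default")
        return findings
    if "permit_mynetworks" in relay:
        findings.append("relay-by-network-address")
    if ("permit_sasl_authenticated" in relay
            and p.get("smtpd_sasl_auth_enable", "no") != "yes"):
        findings.append("sasl-permitted-but-not-enabled")
    if "reject_unauth_destination" not in relay:
        findings.append("open-relay-risk")
    return findings


if __name__ == "__main__":
    hosted = {"uro.mine.nu", "dulcea.nibble.bz"}
    print(audit(BEFORE, hosted), audit(AFTER, hosted))
```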