What’s so great about Tarsnap? Here’s three things:

• Snapshot backups. Every backup you create with tarsnap is a standalone ’snapshot’ of your data, totally independent of all other snapshots.
• Backup deduplication. So your backup includes a 300mb log file that gets a few megs of data written to it every day. Tarsnap recognises this, and for each new snapshot only the changed data has to be uploaded and stored.
• Crazy Ass Security. While mild-mannered Colin Percival works on Tarsnap during the day, by night he’s the FreeBSD Security Officer. He’s been there since 2005, so must be doing something right. Plus, check out this page. How can something with that many mentions of AES, SHA and RSA be insecure?! :-)

This post isn’t a HOWTO on setting up Tarsnap, there’s a comprehensive tutorial on the subject already. This post is just to document how I use Tarsnap, on both Linux and Windows.

Linux

My Linux servers perform a simple daily backup of everything in certain folders. Technically, I could simply backup “/” and exclude the directories I don’t want, but smaller archives are faster to restore from, and there’s no monetary penalty for having more snapshots. This is my script:

#!/bin/bash
for dir in $(cat /root/tarsnap-dirs) ; do
        nice tarsnap -c -f $(hostname -s)-$(date -u +%Y%m%d-%H%M%S)-$(echo $dir | tr -d '/') --one-file-system -C / $dir
done
 
# Delete backups more than n days old
# n=10
# tarsnap --list-archives | sort | cut -d- -f1-2 | uniq | tail -n +$n > /tmp/temp.$$
# tarsnap --list-archives | fgrep -f /tmp/temp.$$ | while read archive ; do
#     echo Deleting $archive
#     tarsnap -d -f $archive
# done
# rm /tmp/temp.$$
 
tarsnap --print-stats

(This script runs from crontab, so the output gets mailed to me daily. The email is sent to the address specified as the MAILTO variable in /etc/crontab.)

My .tarsnaprc looks like this:

keyfile /root/tarsnap-key-abraxo.key
cachedir /root/tarsnap-cache/
exclude /root/tarsnap-cache/
humanize-numbers

Each day, a backup of each folder listed in the file ‘tarsnap-dirs’ is created, with names like: ‘bluebottle-20091209-200001-homeaj’. There’s commented out support for deleting old archives too, but my monthly costs are so low I keep everything.

Windows

My Windows setup is basically identical, but since there’s no native Windows (or msys) support for Tarsnap, you have to make do with Cygwin. Explaining how to install Cygwin is far beyond the scope of this document, but it’s pretty simple. Apart from the standard Tarsnap dependancies, you will probably also want to install ’ssmtp’, which will let you email Tarsnap’s output to yourself like Unix cron does.

(You can generate ssmtp’s config file by running ’ssmtp-config’.)

Again, my script:

#!/bin/bash
 
log=/tmp/tarsnap.log.$$
 
cat <$log
From: Alex Jurkiewicz 
Subject: tarsnap run $(hostname)-$(date +%Y%m%d)
To: Alex Jurkiewicz 
 
EOF
 
tarsnap -c -f $(hostname)-$(date +%Y%m%d-%H%M%S)-homeaj -C /home/ aj >>$log 2>&1
tarsnap -c -f $(hostname)-$(date +%Y%m%d-%H%M%S)-CUsersAlex -C /cygdrive/c/Users/ Alex >>$log 2>&1
tarsnap --print-stats >>$log 2>&1
 
cat $log | /usr/sbin/ssmtp.exe alex@bluebottle.net.au
rm $log

Because I want to exclude a lot of directories on Windows, I put these in my ~/.tarsnaprc file:

exclude Desktop/
exclude AppData/Local/Temp/

And so on. So there you have it. Simple, painless backups with my favourite new toy, Tarsnap.

Device         "Default Device"

If you add this line to your default screen configuration in /etc/X11/xorg.conf, nvidia-settings should be happy again.

Gripe: didn’t anyone pick this up during testing?

The Problem

The push for this came from a need to improve the testing environments our developers have been using. The old testing environments were VMs, more or less handmade at some point in the distant past to provide a rough approximation of our live environment. Since that time the developers had mostly looked after them themselves, tweaking, fixing and forking the VMs as they saw fit. New developers would copy an existing developer’s VM, and branch off from there.

This system was bad. There were problems ranging from minor version differences all the way up to entirely missing subsystems, not to mention the total lack of documentation. Every developer changed their VM slightly differently, so troubleshooting problems was as much exploration and discovery as debugging. Worse, the slowly growing number of environments made keeping them in sync (or something approximating that) with the live environment increasingly difficult. Something had to be done.

The Solution

What I’ve ended up going with is a very basic system that builds on as much of our previous infrastructure as possible. The key component is our ‘live environment image’, an OS image that we base all our live servers off. The new development environments are also based off this image, and the solution consists of a set of scripts that automate the conversion of the live environment image into a development environment. So that’s the high-level concept, how do the nitty gritty details work?

The system is made up of two separate installs of FreeBSD on one disk. The first install is a 5gb disk slice, containing a minimal install of FreeBSD. This is the Reimaging OS. The second install is on another slice taking up the rest of the disk and is the actual Development Environment.

The Reimaging OS

This copy of FreeBSD isn’t just a fresh install. There are a few changes, the most important are the installation of bash and these two lines added to the machine’s /etc/rc.local file, which start the magic:

scp -i /root/key reimageuser@fileserver:dev-environment-reimage.sh /tmp/
/usr/local/bin/bash /tmp/dev-environment-reimage.sh

And what does this script do? Well, in short:

1. Format the partitions making up the Development Environment.
2. Restore the base ‘live environment image’ into the Development Environment.
3. Modify the fresh Development Environment to actually be suitable for use as a Development Environment, rather than a live server.
4. Change the default boot slice to the second slice, and reboot the machine.

So now the machine reboots, and when the bootloader starts up, it loads…

The Development Environment

Remember step three above? The hand-wavey “turn the live environment into a dev. environment” step? Well, you can’t fully complete that step from the Reimaging OS. There are some things you just don’t know. What hostname should you set for the machine? What email address should all outgoing mail be redirected to? It turns out that the first time a dev. environment boots, the developer has to answer some questions. After developers reimage their machine, the final step is to run a script on first login: dev-environment-rechristen.sh. This script goes through and makes all the changes to the system that require user input, plus a few workplace specific changes.

Of course, the developer also needs to be able to kick off a reimage of their environment at some point in the future. How do they do that? Another script sets the default boot OS to the Reimaging OS and reboots the machine. Developer goes away for a coffee and comes back to a fresh machine.

The Scripts

So that’s how it works, how about some sample code? Please note that these are edited versions of the scripts I run with anything even vaguely revealing about our configuration/infrastructure stripped out. They’re a starting point for you, but you still need to do a fair amount of work to get these scripts working for you.

• reimage-setup.txt. This is a short script I wrote to help quickly deploy the Reimaging OS to new machines. Put it on a thumbdrive with a FreeBSD dump(8) image, then boot off a FreBSD install CD, and select Fixit -> Live CD Filesystem. Mount the USB key at /mnt (something like mount /dev/da0s1 /mnt) and then run the script like so: /mnt/reimage-setup.sh /dev/ad0 (where /dev/ad0 is the drive you want to use for the dev. environment. The script (or something like it) has worked well for me across a number of heterogeneous systems, but, of course, YMMV. For the record, the rest of these scripts are written in bash, so make sure that’s available in your OSes.
• reimage-do.txt. This script is the basic skeleton of our dev-environment-reimage.sh script. It shares many of the assumptions the previous script makes: what the partitions are, where they are located and so on. I’ve excised the more site-specific customisation, but it’s ready to go otherwise.
• reimage-begin.txt. This script completes the trio. It’s what you run from within the development environment to kick off the reimaging process. Nice and simple, and again shares all the assumptions the previous two scripts made.
• Bonus: a starting point for your reimage-rechristen.sh script. A couple of functions that ours does. Most of the rest of our script does site-specific work, like checking some files out of an SVN repository, changing the hostname in a few config files, and so on.

if (!-e $request_filename) { rewrite ^/blog /blog/index.php?q=$1 last; }

This is Bad. Try this:

if (!-e $request_filename) { rewrite ^/blog /blog/index.php last; }

What’s the difference? Well, the latter form doesn’t set a GET variable. Why is that better? wp-super-cache, should you choose to use it, refuses to create supercache files when the GET URL has variables in it. If you turn on the debug log, you see errors like these stream past:

Supercache caching disabled. Non empty GET request.
Supercache disabled: GET or feed detected or disabled by config.

You can find a full example of the required Super Cache config here.
 
 
Update:
For nginx >0.6.36 you can use the try_files directive instead:

location /blog { try_files $uri $uri/blog.index.php; }

There’s a full example with this new method in this mailing list post.

• Install new Nvidia drivers from the Nvidia website. The included ones are too ancient to be much good, and don’t support Aero or other fancy stuff.
• Touchpad driver doesn’t support scroll zones or middle click emulation. Install the touchpad driver for the Latitude E6400 (this one in particular). This driver has somewhat weird default settings. I dropped sensitivity a few notches and reduced the scroll detection threshold to minimum.

So we know what a feedback loop is and how to use it to identify customers complaining about our mails. The next step is to automate removal of these people.

It turns out many (most?) feedback loop emails you get from ISPs follow the same format. The message is made up of three sections:

• The first section is a generic message from the feedback loop provider, “this is an email abuse report, yadda yadda yadda”.
• The second section is basically useless. It contains some information from the abuse report, but is usually heavily censored.
• The third section is a copy of the original email you sent. Some information is redacted, like the recipient, and the sender address.

To process this we need two pieces of information:

• Which ISP our feedback loop email comes from.
• Who we sent the original email to.

This is relatively easy with Python, which includes the email library module and will do most of the heavy lifting for you.

The ’standard’ feedback loop format is ARF, and is used by (at least) AOL, Comcast and Yahoo. To process an email in this format:

import email
message = email.message_from_string(foo)
 
messagefrom = message['From'] # This is how you pull headers out.
                              # Note the keys are not case sensitive
 
messagebody = message.get_payload() # This returns three sections, as described above
 
originalmessage = messagebody[2].get_payload()[0] # This returns the original message.
                                       # We need to explicitly get the single payload.
 
originalmessagesender = originalmessage['Return-Path'] # Ta-da! The original sender.

You can then process originalmessagesender as required to retrieve your UID. Once you have that, send a request through to the appropriate interface and you’re done.

Bonus Notes

• Some providers also strip the return path from the original message. We solved this by hand setting the message-id header on all outgoing mail. If you also do that, make sure you set each message-id to a unique value. We use the same string as our sender address, but change the generic ‘@noreply.ourcompany.com’ domain to the real machine involved in sending and also include the output of time.time(), which gives us useful troubleshooting info too.
• The original plan was to process feedback loop messages as they come in by spawning a script for every returned mail. This turned out to be a bad idea because abuse messages seem to come in bursts, making it possible we’d accidentally DOS our own mailserver with tens of python scripts. Now every feedback email will be delivered to a Maildir. We iterate over every message in the Maildir with Python’s mailbox module (which returns an email object as above for each message).
• If your feedback loop is in another format, it’s pretty easy to work out the structure by playing with a sample message in the Python interpreter (IDLE).

‘You Looked So Good’. Off the acoustic bonus disc of ‘The Moon Looked On‘.

[See post to listen to audio]
 
 
 
 
 
 
 

Neko Case

‘The Next Time You Say “Forever”‘. Off ‘Middle Cyclone‘.

[See post to listen to audio]
 
 
 
 
 
 
 

Florence & The Machine

‘You Got The Love’. The B-Side off the ‘Dog Days‘ single.

[See post to listen to audio]

The company I currently work for sends out periodic mailouts to paying customers of our site. We comply with the CAN-SPAM act and give people a simple way to unsubscribe from our mailings, but some people still mark them as spam. This is a problem, because when people do this from the webmail interface of some ISPs, it records this, and if there are enough spam markings, starts refusing all connections from our mail servers until they process our removal request.

Many of the larger US ISPs allow you to sign up for an email ‘feedback loop’ where they notify you whenever they detect a ’spam’ mail coming from your nominated IPs. We decided to try and use these feedback loops to automatically unsubscribe people from our mailing lists when they mark us as spam. There are two advantages:

• We have a lower chance of getting unilaterally blocked by some ISPs,
• People who don’t want our messages won’t get them.

All we need to do is pass the feedback loop messages to a script, extract the recipient address and send an unsubscribe request to the relevant part of our website. Sounds simple, right? I should be able to write something up using Python and procmail in an hour. Unfortunately life is a little more complex.

The first stumbling block is that most (all?) feedback loops remove some information from their notification emails. Of the two I’ve played with so far (AOL & Comcast), both remove the destination address. They don’t do it sloppily either: every reference to the destination address is replaced with <redacted>. How can you tell who the message was sent to? In our case, we decided to modify our mailouts. Now, the envelope sender address we use in our mailouts includes a UID we can use to identify the sender. Previously our ‘Return-Path’ header looked like this:

Return-Path: <blah@ourdomain.com>

Now it looks like:

Return-Path: <blah+UID@ourdomain.com>

So now the feedback loop emails we get are useful! Next post I’ll describe the simple procedure of parsing feedback loop emails with Python. If you want to skip ahead, here’s a hint.

Part 2 here.

…when it feels like a paid beta. Demigod – a DotA clone – was released yesterday. This game is one of many games that is only fun when played against other people. There are bots, but they basically suck. So the multiplayer functionality of this game is critical: if it doesn’t work properly, there are serious problems. Guess what Demigod’s multiplayer support is like so far:

Yes, the multiplayer is completely broken. So broken that one of the game developers has said on the support forums that there’s less than a 50% chance for games with more than two people from even starting properly, let alone playing smoothly.

So what’s the problem? The game went through multiple months of private beta testing, how could it be this bad? Two words: “UDP p2p”. Seemingly introduced in an attempt to combat the evils of lag, so far it appears to be an expensive exercise in not letting people play the game at all, laggy or not. Demigod requires a UDP connection to every other player in your game. If one of these connections doesn’t work, the game doesn’t start. For anyone.

The big problem seems to be how the game handles NAT, or other situations where incoming UDP connections are blocked. How do you handle NAT traversal? Should you try STUN or some other punchthrough technique? Should you try and use UPnP to negotiate this? What happens if the game has two (or more) people who just can’t accept incoming connections? Do you proxy their communication through other players? What about personal firewalls? What about firewalls elsewhere on the network?

The whitepaper written about the backend multiplayer tech suggests NAT traversal is implemented, but so far in game it appears to fail more often than it succeeds, when it really should be succeeding well over 99% of the time for a task like this.

Demigod is a promising game, and I’d really like to play it against other humans. So far though, it’s been an expensive reminder that you should read reviews of games before you buy them.

.htoprc – for htop

.screenrc – for GNU Screen

.config/terminator/config – for Terminator terminal

.vimrc – for Vim

.ssh/config – for ssh/sshd

Permanent link here. I use this .zshrc regularly on both Linux and FreeBSD machines, some quite old, so it’s reasonably compatible. Includes an interesting prompt that changes the colour of the depending on the hostname (thanks, nameless coworker).

Note that this zshrc writes quite a few files and overwrites existing ones in some cases. Caveat emptor.

ajlaptop:~> sudo apt-get install smbfs
[...]
ajlaptop:~> sudo mount -t cifs '\\AJ\Music' /mnt/home-music -o username=alex
ajlaptop:~>

Into fstab:

\\AJ\Music    /mnt/home-music    smbfs    credentials=/home/aj/.smbpasswd-home-aj,noauto,uid=aj,gid=aj,ro    0    0

See Also:

mount.smbfs(8)

The solution is a little strange: enable compatibility mode and set it to NT4 mode. The installer should get to the main wizard screen now, and then fail because it thinks your OS is too old. Now, disable compatibility mode, and re-run the installer. Voila!

You can work around this weirdness with a kludge. When you’re in the wizard, pick another random preset (I used Vodafone). Then, after the wizard is complete, manually fix the settings. All I had to do was change the profile name & APN (to exetel1). Voila!

Enjoy your cheap 3g :)

• Application volume sliders
• Volume slider in top menu (double click it)
• alsamixer

While I was running up a collapsing tower my brother walked past and asked me “what movie is that?”.

The graphics are nice, the game flows well, and the quicktime events are happily unimportant. It feels very much like a game that ticks all the boxes of what a modern game should have — and I don’t mean that in a bad way. It’s genuinely fun to play, and I actually found myself caring about the main characters by the end of the game.

The ending is inspired.

A few years ago this would have been mostly impossible but I now use Konsole on all my machines! There are a few solutions for using a better terminal emulator on Windows. In order of usability:

• Use Konsole in a VMWare Workstation VM and enable Unity – Unity is like Parallels for Mac, except it’s on Windows. You boot up your Windows / Linux VM and enable it, and the windows in the VM become native windows on the host. The emulation isn’t perfect, but alt-tab and copy/paste work which are the important two. Drag & Drop between the two OSes works well in VMware too. The biggest problem is that it’s relatively slow compared to other solutions and dragging windows around makes it obvious there is trickery going on.
• Use Konsole in VirtualBox and enable Seamless Mode – Like VMWare Workstation, but it doesn’t work as well and costs less (ie, free). Copy/paste is a little flaky (don’t try to do anything but plain text), alt-tab isn’t unified. On the plus side, the emulation feels a lot snappier than VMWare.
• Use Konsole in andLinux – Definitely the fastest solution, alt-tab works properly and copy/paste is pretty good too. The only issue is that andLinux communicates between the host & client OS via a special loopback NIC it installs, and this played havoc with my Windows Vista laptop. With the device enabled Windows would ignore other NICs installed (like a ethernet or wifi connection) and refuse to talk to the internet. Dis/Enabling the andLinux NIC and rebooting the guest would get it working eventually, but it was a lot of work. I suspect with more work a simple solution could be found, but I gave up.
• Use Konsole in KDE for Windows – fgsfds, try this only if you have a lot of patience and willingness to hack stuff. I couldn’t get everything installed sucessfully, much less working. Once it’s setup properly I’m sure it will win, though.

Unfortunately, it’s not in the repository of many distros anymore (at least not Debian and Ubuntu). You can still install it by hand reasonably easily. These instructions apply to Debian, but are pretty generic and should work with a little tweaking on any distro.

1. Install the required tools: gcc, libpam0g-dev, libdb-dev (likely any 4.x version would work)
2. Download the .tar.gz from the official project.
3. Extract: tar xzf pam_abl-0.2.3.tar.gz
4. Compile: cd pam_abl; make
5. Install: sudo make install
6. Create the configuration file in /etc/security/pam_abl.conf. I use something like the below. You can read more about the available options in the doc/ folder of the .tar.gz:

host_db=/var/lib/abl/hosts.db
host_purge=1d
host_rule=*:10/1h,30/1d

7. Add pam_abl to SSH’d PAM stack. Edit /etc/pam.d/sshd and add this line right before real authentication begins (usually the reference to pam_unix). See the documentation for more info again:

auth	required	pam_abl.so config=/etc/security/pam_abl.conf

8. Enjoy your SSH bruteforce protected server!

A few other tips:

• You should manually run pam_abl –purge every day or so, it doesn’t seem to purge automatically all the time.
• You can add pam_abl to the PAM stack of other applications if you want, it works the same way.
• You can see the contents of the pam_abl database with the program pam_abl. A useful trick to see all currently blocked hosts: pam_abl | grep –before-context=1 “*”
• If the database gets too large pam_abl will stop working properly. Make sure you set a sane purge rule.
• Remember you don’t need to be very aggressive to catch 99.9% of bruteforce attempts.

Me: Hi, I’d like to get a static IP on my account.

Vodafone: Hmm, why do you need this?

Me: Ermm… stuff.

Vodafone: I’ll just put you on hold…

[30 seconds pass]

Vodafone: Hi, OK it’s done. Enjoy!

Yes, it really is that easy :). Since that time, I’ve had a static IP, and my signal quality has improved in both places I regularly use the modem (home & work). Before at home I was lucky to hit 100kbytes/sec download (usually 50kbytes/sec or so), now I am consistently above 200kbytes/sec.

My old 1310 had an Intel Wifi-N chip, but this new one has some sort of super obscure Broadcom chip that Ubuntu doesn’t recognise out of the box. Because using ndiswrapper is almost always as much benefit as cost, I decided to skip Linux on this machine.

I’m running Vista (because it has better notebook features / integration) Business (because unlike Home, you get an RDP server, and it has less crap than Ultimate) 32-bit (because the laptop will never have more than 3gb of RAM).

Drivers are all on the Dell website, and all worked fine apart from these caveats:

• The synaptic touchpad drivers are useless! It doesn’t even have the option to emulate a middle click, let alone enable a scroll zone. Grab the touchpad drivers for the Latitude D820 and you get better functionality. Thanks to this thread for discovering the solution for me.
• Although the wifi card is a Broadcom chip, Dell refer to it as a ‘Dell Wireless 1505 Draft 802.11n’ card. The driver is similarly named. On Vista, the driver installed the very useful Dell Wifi Utility, which is accessible from the Network & Sharing Center (bottom left). It doesn’t try to take over the normal wireless connection functions from Windows either, which is nice.
• The fingerprint reader software does exactly what I want (fingerprint logon, stores prints for all my fingers, can be used as an app launcher once you are logged on). It also does a lot of stuff I don’t want (saved passwords in IE, encrypted file storage), but it’s possible to mostly hide it. The dell website distributes the drivers in a standalone pack without the utility, maybe one day I will look at bypassing the app for at least Windows logon.

Other random notes:

• Scores 4.1 on the Windows Experience Index. I can attest that the system is as responsive as my desktop – at least for the moment. I’ve left Superfetch enabled and in a few weeks will compare performance with and without.
• The Vostro’s sound output levels are low. Just low enough to be slightly annoying when I want to listen to very loud music. The inbuilt speaker is also a joke, you have to use headphones.
• Winamp obeys the media keys up the top if you tell it to, but pressing the volume button freezes explorer.exe for me… I have to investigate this whole area more.
• 6-cell battery life = just under 3hrs of battery life with normal use (wifi, screen fully bright, music playing, surfing the net).

Overall, I’m happy with the laptop. Will post more if I think of more.

• Random crashes have continued, still haven’t managed to pin down why or how. Almost all of my hardware is on the Windows HCL, the two which aren’t are the Intel ICH8 chipset (which Windows found a driver for anyway), and my Nvidia 8800GT (which I’ve installed the Vista64 driver). It seems to crash less after being up for a while. Since the crashing is hard resets, it’s almost certainly driver / hardware related, but I’m pretty stumped.
• Hyper-V is pretty sucky. Performance is below even VMWare for any OS but Server 2008, and it seemed to make my system less stable too. Server 2008 Performance is very good though. There are promised improvements coming for Vista Business, but they aren’t here yet.
• Using 6gb of RAM instead of 3gb has made no difference to the feel of the system. Or maybe it has, and Server 2008 is just significantly slower than XP32.
• The server manager tool is nifty, especially the performance viewer:

I’m undecided as to whether to keep Server 2008, move to Vista Business x64, or back to XP32. They all seem roughly equally acceptable right now.

• On my motherboard (Asus P5B-E (Intel ICH8 chipset)), Windows took a number of attempts to reinstall. Very aggravating! I finally installed it by plugging my boot into an ICH8 socket (as opposed to one controlled by the non ICH8 chip) and setting the ICH8 SATA drive mode to ‘RAID’ in the motherboard. IDE didn’t work and AHCI didn’t either.
• DEP is the devil. I had random crashes until I changed it from opt-out to opt-in. The setting is in the same place as on WinXP.
• This site has lots of useful info on setting up Server 2008 to be a little more usable.
• NVidia Vista64 drivers work fine.
• Opt in to the customer experience program. It has so far direct linked me to the latest ICH8 drivers, I’m hopeful it will prove more useful than the WinXP version.
• My machine still hardlocks instead of shutting down, but it happens after windows has done all its housekeeping and only seems to hurt my pride.

First, dump the SourceForge repository to your local machine:

mkdir PROJECTNAME
cd PROJECTNAME
#Add –progress and -v for more detail during transfer
rsync -az PROJECTNAME.svn.sourceforge.net::svn/PROJECTNAME/ .

Create the new repository:

svnadmin create /path/to/new/repo

Now you need to convert the SF.net data into a SVN dump file:

svnadmin dump . > ~/PROJECTNAME.dump

Then load the dump file into the new repo:

svnadmin load /path/to/new/repo < ~/PROJECTNAME.dump

You can combine those last two steps into one too:

svnadmin dump . | svnadmin load /path/to/new/repo

Received: from [192.168.0.200] (203-59-192-211.dyn.iinet.net.au [203.59.192.211])

	by mx.bluebottle.net.au (Postfix) with ESMTPSA id E3345C34170

	for <user@domain.com>; Wed, 25 Jun 2008 22:45:41 +0800 (WST)

This caused problems with a few misconfigured SpamAssassin installs, which did RBL checks against every IP in the Received chain(!) and marked the message as being in the PBL or whatever. To work around this, I did the following:

/etc/postfix/main.cf:

header_checks = regexp:/etc/postfix/header_checks

/etc/postfix/header_checks:

/^Received:.*by\ mx.bluebottle.net.au\ \(Postfix\)\ with\ ESMTPSA/              IGNORE

This won’t fire on incoming mail, because the ‘A’ in ESMTPSA stands for ‘Authenticated’, that is, the client used SMTP-AUTH to login before sending the mail.

This action totally drops the header, which has a number of consequences you should be aware of:

• bounce processing can be disrupted
• you lose any in-message records of the source of mail

If you don’t mind the above problems, this is a nice method. If you want a more robust solution you can change the IGNORE action to a REPLACE, and write up a dummy ‘Received’ header entry.

Instead of running dkimproxy.out with lots of commandline arguments I’d have to re-setup after a reboot, I used a configuration file. The only catch is that I couldn’t figure out how to add –daemonize in there, so the command is:

sudo dkimproxy.out –conf_file=/usr/local/dkimproxy/etc/dkimproxy_out.conf –daemonize

Important details:

$ cat dkimproxy_out.conf

# specify what address/port DKIMproxy should listen on

listen    127.0.0.1:10027

# specify what address/port DKIMproxy forwards mail to

relay     127.0.0.1:10028

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)

domain    bluebottle.net.au

# specify what signatures to add

signature dkim(c=relaxed)

signature domainkeys(c=nofws)

# specify location of the private key

keyfile   /usr/local/dkimproxy/keys/private.key

# specify the selector (i.e. the name of the key record put in DNS)

selector  selector1

# user & group permissions

user    dkim

group   dkim

$ grep dkim /etc/passwd

dkim:x:1012:1012:DKIM,,,:/home/dkim:/bin/bash

$ grep dkim /etc/group

dkim:x:1012:

$ grep “relevant bits” /etc/postfix/master.cf

smtp      inet  n       -       -       -       -       smtpd

submission inet n       -       -       -       -       smtpd

-o smtpd_tls_security_level=encrypt

-o smtpd_etrn_restrictions=reject

-o content_filter=dksign:[127.0.0.1]:10027

-o receive_override_options=no_address_mappings

-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

smtps     inet  n       -       -       -       -       smtpd

-o smtpd_etrn_restrictions=reject

-o content_filter=dksign:[127.0.0.1]:10027

-o receive_override_options=no_address_mappings

-o smtpd_tls_wrappermode=yes

-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

127.0.0.1:10028 inet  n  -      n       -       10      smtpd

-o content_filter=

-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

-o smtpd_helo_restrictions=

-o smtpd_client_restrictions=

-o smtpd_sender_restrictions=

-o smtpd_recipient_restrictions=permit_mynetworks,reject

-o mynetworks=127.0.0.0/8

-o smtpd_authorized_xforward_hosts=127.0.0.0/8

The app does a lot more than just wvdial, you can In Theory send/receive SMSes, as well as follow your quota usage. I say ‘In Theory’, because the former doesn’t seem to work for me, and the latter is just painfully slow to draw and update when dragged around the screen. Other problems:

• Moving the USB Device between ports while the laptop is on (yay USB hotswap!) fails 100% of the time for me,
• Using the device when it wasn’t plugged in at boot time is sketchy,
• Tends to think you’re plugging in a new device every time you use it.
• Randomly borks far more than wvdial ever did (which was never), not too much if you don’t poke it while it’s working though.

None of those problems really matter for me, and since it can minimise to the tray I’ve happily migrated across. Far more newbie friendly too.

Into lighttpd.conf:

$HTTP["host"] == “bluebottle.net.au” {
[...]
url.rewrite-once = ( “^/blog/(200./.*)” => “/blog/index.php?$1″ )
}

Into Wordpress admin -> settings -> permalinks -> custom structure:

/%year%/%postname%

If you don’t speak regex, here’s what you should know:

• Guaranteed to break 1st January 2010 or your money back.
• Don’t make any files / folders under ‘blog’ called ‘200x’, where x is any single character. (You shouldn’t make any folders under there anyway, because that makes upgrading painful.)

My new Vostro 1500 cost about the same, and has similar specs. Main differences:

• T8100 CPU. Slower, just.
• Geforce 8600M 256mb GPU. Significantly better, but still won’t play Crysis.
• 15.1″ 1680×1050 screen. A little brighter, but the far better resolution has only been awesome so far.
• 9-cell battery. This lasts for a lot longer, despite the bigger screen. About 3.5hrs while doing stuff. Even more if I play with the power settings.

The keyboard is a lot better. Same size as my old Inspiron 1501. The only bad part is the the Home/End/PgUp/Down keys are full size keys added as an extra column on the far right, instead of half sized buttons along the top. Unusual placement, and the bottom two are hard to push anyway. Related: the arrow keys are full sized, but there’s no spare space around them, which is also confusing.

Has Bluetooth, no fingerprint reader. Everything worked out of the box with Ubuntu 8.04.

Because I got a 9-cell battery you get a beefier power brick, which probably helps charging. BTW, the charger plug for all three of my Dell laptops is the same, they bricks are 100% interchangeable.

Socket layout on the laptop is saner than the 1310, but still not as nice as the 1501. Power cable is near the middle of the back, the ethernet is on the right side towards the back. Headphones are on the right, CDROM is on the right front. Only the ethernet port is annoying.

Either the CD Drive randomly ejects, or I am accidentally pushing the button a lot. The latter is probably what I’m doing, although the eject button on the drive is small. Will probably get used to this.

Overall: Smaller laptops have their place, but that place is not on my desk! My new near-desktop replacement was a wise choice.

• Intel Core2 T8300 2.4Ghz. The new ‘Penryn’ series of core2 chips. Single interesting new feature is SSE4.
• 3gb RAM.
• 250gb Hard Drive. My other option was a 160gb with ‘free fall sensor’, which reduces the chance the drive will die if you drop it. Nothing important / not backed up is going on this laptop, so I’m happier with more space.
• TrueLife screen. Sucks outside, which is where I use this on the weekend. It’s usable outside, but only if you can angle the screen so it’s reflecting something dark. Significantly better than non-truelife when used inside.
• 6-cell battery. The standard size is 4-cell. Ubuntu estimates the lifetime of my 6-cell at 2hrs, while idle.
• 8400GS Video Card. It plays Tux Racer, I’m happy. When I get around to it, it will also play Civilization IV for me and other games from that era or before.
• 15-day money back guarantee. What really convinced me to buy this laptop. If I find it’s too small for me, I can swap it after a week and get a 14 or 15” instead. w00t.
• All the other standard stuff that comes with every laptop.

The chassis is solid, not flimsy like some smaller laptops. It strongly reminds me of an IBM ThinkPad, which is not a bad thing at all — hopefully some of the indestructibility has been carried over.

Various interesting things I noticed:

• Front top corners are hard edges. This means you can’t rest the side of your palms on the edge of the laptop. You won’t notice this while typing (I don’t, and I have big hands), but it’s just a weird design choice.
• Slot load optical drive rather than a tray.
• Really nice fan on the side. This fan is smaller than the one in my old 15” Inspiron I’m replacing, but it pushes out a lot more air. While the fan is running the machine is not exactly quiet, but it’s not an annoying sound. There’s another fan on the bottom for the video card, it didn’t spin up unless I was doing something 3d.
• Capacitance touch media buttons up the top, including one to eject the CD. Capacitance touch is cool and all, but they are (obviously) hypersensitive. While stretching out my fingers I mushed them more than a few times, doing weird things to my media playback and/or CD.
• Power plug is on the right hand side, Ethernet port on the rear left, headphones on the left side front. Are they trying to make me have to keep every side clear?! I much prefer the layout of my (admittedly bigger) Inspiron, which seemed saner in general.
• My Vostro came with Windows XP Home. On the Dell website, you can’t go lower than XP Professional, but when I called up they were more than happy to downgrade to Home.

I’ve installed Ubuntu 8.04 x64 and tested everything I can. Everything I tested works perfectly, unless noted below:

• Fingerprint Reader not tested
• Memory card reader didn’t read an ancient MMC card I have lying around. Works fine with SD.
• Microphone port not tested
• VGA out not tested

Raw hardware data from the machine after the jump.

$ cat /proc/cpuinfo
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 23
model name	: Intel(R) Core(TM)2 Duo CPU     T8300  @ 2.40GHz
stepping	: 6
cpu MHz		: 800.000
cache size	: 3072 KB
physical id	: 0
siblings	: 2
core id		: 0
cpu cores	: 2
fpu		: yes
fpu_exception	: yes
cpuid level	: 10
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm ida
bogomips	: 4792.40
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:
$ lspci
00:00.0 Host bridge: Intel Corporation Mobile PM965/GM965/GL960 Memory Controller Hub (rev 0c)
00:01.0 PCI bridge: Intel Corporation Mobile PM965/GM965/GL960 PCI Express Root Port (rev 0c)
00:1a.0 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #4 (rev 03)
00:1a.1 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #5 (rev 03)
00:1a.7 USB Controller: Intel Corporation 82801H (ICH8 Family) USB2 EHCI Controller #2 (rev 03)
00:1b.0 Audio device: Intel Corporation 82801H (ICH8 Family) HD Audio Controller (rev 03)
00:1c.0 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 1 (rev 03)
00:1c.1 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 2 (rev 03)
00:1c.3 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 4 (rev 03)
00:1c.4 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 5 (rev 03)
00:1d.0 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #1 (rev 03)
00:1d.1 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #2 (rev 03)
00:1d.2 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #3 (rev 03)
00:1d.7 USB Controller: Intel Corporation 82801H (ICH8 Family) USB2 EHCI Controller #1 (rev 03)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev f3)
00:1f.0 ISA bridge: Intel Corporation 82801HEM (ICH8M) LPC Interface Controller (rev 03)
00:1f.1 IDE interface: Intel Corporation 82801HBM/HEM (ICH8M/ICH8M-E) IDE Controller (rev 03)
00:1f.2 SATA controller: Intel Corporation 82801HBM/HEM (ICH8M/ICH8M-E) SATA AHCI Controller (rev 03)
00:1f.3 SMBus: Intel Corporation 82801H (ICH8 Family) SMBus Controller (rev 03)
01:00.0 VGA compatible controller: nVidia Corporation GeForce 8400M GS (rev a1)
06:00.0 Network controller: Intel Corporation PRO/Wireless 4965 AG or AGN Network Connection (rev 61)
07:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller (rev ff)
08:05.0 FireWire (IEEE 1394): O2 Micro, Inc. Firewire (IEEE 1394) (rev 02)
08:05.2 SD Host controller: O2 Micro, Inc. Integrated MMC/SD Controller (rev 02)
08:05.3 Mass storage controller: O2 Micro, Inc. Integrated MS/xD Controller (rev 01)
$ lsusb
Bus 007 Device 001: ID 0000:0000
Bus 006 Device 004: ID 0c45:63e0 Microdia
Bus 006 Device 001: ID 0000:0000
Bus 005 Device 001: ID 0000:0000
Bus 004 Device 001: ID 0000:0000
Bus 003 Device 001: ID 0000:0000
Bus 002 Device 001: ID 0000:0000
Bus 001 Device 003: ID 413c:8140 Dell Computer Corp.
Bus 001 Device 002: ID 0483:2016 SGS Thomson Microelectronics Fingerprint Reader
Bus 001 Device 001: ID 0000:0000

I have a vodafone mobile broadband. My modem is a external USB dongle: Huawei E220. It was detected automagically by Ubuntu 8.04 (x86) when I plugged it in. I use wvdial to connect, with this configuration:

aj@aj-laptop:~$ cat /etc/wvdial.conf
[Dialer Defaults]
New PPPD = yes
[Dialer vf]
Phone = *99***1#
Username = vodafone
Password = vodafone
Stupid Mode = 1
Dial Command = ATDT
Modem = /dev/ttyUSB0
Baud = 460800
Init2 = ATZ
Init3 = ATE0V1&D2&C1S0=0+IFC=2,2
ISDN = 0
Modem Type = Analog Modem
Init5 =AT+CGDCONT=1,"IP","vfinternet.au";

To connect to the net:

• Postfix 2.3
• Dovecot 1.0
• MailScanner 4.68.8

On CentOS 5.

Postfix is setup with all domains as virtual domains, delivering to Maildirs in an arbitrary location. Virtual alias maps is implemented as hash db.

Dovecot makes the maildirs availble via IMAP. Authentications details are stored in a flat file.

MailScanner is configured to scan all incoming mail with SpamAssassin and ClamAV. It delivers all mail with modified headers only (no untraceable bouncing or subject mangling).

SMTP-AUTH is enabled with Postfix deferring to Dovecot.

Basic SMTP sender checks are done in postfix (including RBLs).

TLS is enabled for all systems.

Postfix

main.cf settings to remember:

• header_checks = regexp:/etc/postfix/header_checks -- to stick everything incoming into the Hold queue for MailScanner. Remove if not using MailScanner.

• inet_interfaces = localhost, mx.bluebottle.net.au

• smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org – RBLs as desired

• smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname — don’t use reject_unknown_helo_hostname, breaks too many real servers

• smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

• smtpd_sasl_auth_enable = yes

• smtpd_sasl_path = private/auth – the same path as in dovecot conf

• smtpd_sasl_type = dovecot

• smtpd_tls_cert_file = /etc/pki/postfix/certs/postfix.pem

• smtpd_tls_key_file = /etc/pki/postfix/private/postfix.pem

• smtpd_tls_security_level = may

openssl req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365
chown root:root $CERTFILE $KEYFILE
chmod 0600 $CERTFILE $KEYFILE

OPENSSLCONFIG:
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=AU
ST=Western Australia
L=Perth
O=bluebottle.net.au
OU=SMTP server
CN=mx.bluebottle.net.au
emailAddress=postmaster@bluebottle.net.au
[ cert_type ]
nsCertType = server

CERTFILE:
/etc/pki/postfix/certs/postfix.pem

KEYFILE:
/etc/pki/postfix/private/postfix.pem

• virtual_mailbox_domains = bluebottle.net.au
• virtual_alias_maps = hash:/etc/postfix/virtmap
• virtual_mailbox_maps = hash:/etc/postfix/virtdeliver
• virtual_mailbox_base = /home/vmail
• virtual_uid_maps = static:5000 – whatever the vmail UID is
• virtual_gid_maps = static:5000

/etc/postfix/virtmap:
# Contains all the addresses this server accepts
# And their mappings to final address
# Don’t forget postmap /etc/postfix/virtmap
alex@bluebottle.net.au        alex@bluebottle.net.au
root@bluebottle.net.au        root@bluebottle.net.au
abuse@bluebottle.net.au        root@bluebottle.net.au

/etc/postfix/virtdeliver:
# Contains mappings from accepted addresses to
# local mailbox location
alex@bluebottle.net.au                  bluebottle.net.au/alex/
root@bluebottle.net.au                  rootemails/

Dovecot

Generate SSL certificate. vi `locate dovecot-openssl.cnf` to edit details. Then exec `locate dovecot-1.0/examples/mkcert.sh`.

• mail_location: maildir:/home/vmail/%d/%n

• auth default { mechanisms = plain login cram-md5 — cram-md5 is aka hmac-md5 in non-current versions of Dovecot. This lets you logon with the password hash, eg ‘Secure Authentication’ in Thunderbird and a few other clients
• … passdb passwd-file { args = /home/vmail/passwd }

• … userdb static { args = uid=vmail gid=vmail /home/vmail/%d/%n/ }

• … socket listen { client { path = /var/spool/postfix/private/auth ; mode = 0660 ; user = postfix ; group = postfix } }

/home/vmail/passwd:
# Contains username and password for all user accounts
# Take note how username interacts with mail_location
# Generate password hash with dovecotpw
alex@bluebottle.net.au:{HMAC-MD5}999999a9bc23ca3b828faf15f9efb17152f71d9d0e5bc473194a05cebe34eaf
rootemails:{HMAC-MD5}999999a5e380b6b4ff3c1805c6d8661456dd2565c6d9fe63e5fe72c78cc4941

MailScanner

• Install via RH RPM from http://mailscanner.info/downloads.html

• Setup according to http://mailscanner.info/postfix.html

• Install the “ClamAV and SpamAssassin easy installation package” from downloads page above

Requires much tweaking to make it not modify the message apart from adding headers:

• Scan Messages = %rules-dir%/scan.messages.rules – you want to exclude your own domain(s) so nothing coming from your domain is listed as spam (especially for users sending via SMTP-AUTH from a dynamic IP range, which will set off various RBLs)

• Dangerous Content Scanning = no

• Mail Header = X-%org-name%-MailScanner-VirusCheck: – the default never made much sense to me

• #Information Header = X-%org-name%-MailScanner-Information: – useless

• Clean Header Value = Clean ; Infected Header Value = Infected ; Disinfected Header Value = Disinfected

• Always Include SpamAssassin Report = no

• Multiple Headers = add

• Sign Clean Messages = no

• Mark Infected Messages = no

• Mark Unscanned Messages = no

• Notify Senders = no – really not a good idea
  

• Scanned Modify Subject = no ; Virus Modify Subject = no — etc etc

• Add Watermark = yes ; Watermark Secret = %org-name%-Secret-111111 – set this section as appropriate

• Max SpamAssassin Size = 200k trackback

• Spam Actions = deliver header “X-Spam-Status: Yes”

• High Scoring Spam Actions = deliver header “X-Spam-Status: Yes”

• Non Spam Actions = deliver header “X-Spam-Status: No”

• MCP Checks = no

/etc/MailScanner/rules/scan.messages.rules:
# We want to scan everything by default, but ignore mail that is sent from our SMTP-AUTH users.
#They’ll probably be in a dynamic IP range which is in various RBLs like the PBL.
From:           bluebottle.net.au       no
FromOrTo:       default                 yes

Other Notes:

• postfix reload (may require a stop; start for some settings)

• service dovecot restart

• service MailScanner restart (also restarts postfix)