New Chronophage Mail Settings
by Nick on Nov.11, 2011, under Administration, E-Mail, Software, UNIX 101
So, I changed mail, splitting mail.chronophage.net into a 3 host mail cluster, and a shell server.
Unfortunately, I have shell users who were using mail.chronophage.net as their moniker for pop/imap. This also broke their ability to log in to the antispam area and change their spam settings. I have fixed both of these issues.
Dovecot has a passwd-file facility, which uses passwd-formatted files to do authentication. I simply added such a file to my mail cluster, with the shell username and {CRYPT} hashes (out of master.passwd), and added a proxy=y statement and a host=(shell server’s IP).
So now, when they log in, it’ll authenticate them, and then pass the authentication over to the shell server’s POP3 or IMAP server. Since they authenticate locally first, SASL works for sending mail.
This gives them one point for external clients, and still lets them log in via the shell server, or use procmail (via a .forward) if they so choose.
Unfortunately, this means that I have to manually keep passwords in sync in two places. But my users don’t change their passwords often, and there aren’t too many of them.
So, for posterity:
mail.chronophage.net (POP3, IMAP, SMTP)
https://mail.chronophage.net (webmail via roundcube)
https://mail.chronophage.net/squirrelmail (webmail via squirrelmail)
https://mail.chronophage.net/antispam (for antispam services)
gaia.chronophage.net (shell server)
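The passwd-file described above can be regenerated from master.passwd instead of being edited by hand. This is an added example, not the author's script: the backend IP, the user list and the sample hashes are constructed placeholders, and it assumes the FreeBSD ten-field master.passwd layout.

```python
import os

BACKEND_HOST = "192.0.2.10"  # placeholder for the shell server's IP (assumption)

# Constructed sample, FreeBSD layout (the hashes are not real):
# name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD = """\
root:$6$constructedsalt$rootHASHrootHASH:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$6$constructedsalt$aliceHASHaliceHASH:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*LOCKED*$6$constructedsalt$bobHASHbobHASH:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol::1003:1003::0:0:Carol:/home/carol:/bin/sh
"""

def dovecot_proxy_entries(master_passwd_text, allowed_users, backend_host):
    """Return (lines, skipped) for the allowed users that have a usable hash."""
    lines, skipped = [], {}
    for raw in master_passwd_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 10:
            skipped[fields[0]] = "malformed line"
            continue
        name, pw_hash = fields[0], fields[1]
        if name not in allowed_users:
            continue  # export only explicitly listed shell users, never root/system
        if not pw_hash:
            skipped[name] = "empty password field"
        elif pw_hash.startswith(("*", "!")):
            skipped[name] = "locked or password-less account"
        else:
            # Dovecot layout: user:password:uid:gid:gecos:home:shell:extra_fields
            lines.append(f"{name}:{{CRYPT}}{pw_hash}::::::proxy=y host={backend_host}")
    return lines, skipped

def write_private(path, lines):
    """Write the file owner-readable only, since it carries password hashes."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a pre-existing file
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")

if __name__ == "__main__":
    out, why = dovecot_proxy_entries(SAMPLE_MASTER_PASSWD, {"alice", "bob", "carol"}, BACKEND_HOST)
    print("\n".join(out))
    print("skipped:", why)
```

Locked and empty-password accounts are reported rather than exported, so a locked shell account does not keep a working mail login on the cluster.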
Clusterin’ clusterin’ Yeah!
by Nick on Oct.21, 2011, under Administration, Cloud, E-Mail, News, Software, Virtualization
So I did a little bit of load testing on my new web cluster.
Not bad for not having a real load balancer…
Cloudy With a Chance of Productivity…
by Nick on Oct.11, 2011, under Administration, Cloud, E-Mail, Hardware, News, Software, UNIX 101, Virtualization
I’ve been waiting, and working.
I’ve been waiting for my work to release its new product. I’ve been waiting, politely, for my boss to blog about it. I’ve been waiting to show off this new product.
I’ve been working on provisioning, and working with customers on beta testing the new product. I’ve been working on templates, and auto install media, to make everyone’s life easier. I’ve been working on documentation for customers.
I’ve been waiting for, and working on, a VMware vCloud Director based product known as vmForge VDC.
This is cool stuff!
IPv6
by Nick on Mar.30, 2011, under Administration, E-Mail, Hardware, Security, Software, UNIX 101, Virtualization
So…
It’s been awhile.
Recently, I’ve decided to make sure that all of my servers were IPv6 addressable. This was made infinitely easier by working at a forward thinking ISP. So a quick email to our network admin and bam! IPv6 routed to my vlan!
Now, what to do with it?
RHEL
by Nick on Jan.18, 2011, under Administration, E-Mail, Software, UNIX 101
(..sigh) There’s a lot I like about RedHat. I like the fact that they’re worth more than a billion dollars as an OpenSource company. I like how they’ve been in the Linux game for a long time, and keep finding new ways to innovate and expand. I like how they have a competitive, yet accessible application stack, that runs on a wide variety of hardware. Their partner program, and resources are outstanding, especially when compared to other software vendors. I like a lot about RedHat. I just don’t like their operating system.
Let’s Try This.
by Nick on Feb.26, 2010, under Administration, E-Mail, News, UNIX 101
So, some of my users are avid World of Warcraft players. They’ve been complaining that they keep getting phishing schemes in their email accounts. Since Bayesian Filtering isn’t catching on, I think it’s time for custom SpamAssassin rules.
Greylisting…Again
by Nick on Dec.02, 2009, under E-Mail, News, Security, Software
Certain…Parties… Have intoned I am goofy for implementing a weird “mail bouncy thing” that is sometimes frustrating and is a silly anti-spam technique. Well, that would be Greylisting, and while it’s weird, it also drops a lot of spam getting through.
Postfix MySQL and You!
by Nick on Oct.30, 2009, under Administration, E-Mail, News
Postfix is surprisingly flexible. When I initially set it up two years ago, I set it up to reference a database, but I had a flaw in my logic. Basically, Postfix had no idea if a domain was marked active or inactive in the database. All it knew was whether a domain was in the database or not. Postfix has a default query that looks for key information. However, you can supersede it in your config files. So I simply commented out the old variables that it passed to the default query, and wrote a new one:
user = DB_USER
password = supersecretpassword
hosts = 127.0.0.1
dbname = DB_NAME
table = domain
#select_field = domain <-- old version, commented out
#where_field = domain <-- old version, commented out
#New Query:
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = false and active = true
Yes, I have backupmx enabled, even though that’s a titanically bad idea, and I would never use it. Why is it a bad idea to function as a Backup MX server? Because spammers don’t play by the RFCs and often send spam to lower weighted MX records in an attempt to bypass spam protection.
But I never know what people may ask for in the future.
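The difference between the old field-based lookup and the new query, shown against a constructed table. This is an added example, not the author's setup: SQLite stands in for MySQL, the rows are made up, and Postfix's '%s' key is replaced by a bound parameter.

```python
import sqlite3

# Constructed rows: (domain, active, backupmx)
SAMPLE_DOMAINS = [
    ("live.example", 1, 0),
    ("suspended.example", 0, 0),  # still in the table, but marked inactive
    ("relayed.example", 1, 1),    # flagged as backup MX
]

# What table/select_field/where_field expand to: presence in the table is enough.
OLD_QUERY = "SELECT domain FROM domain WHERE domain = ?"
# The query from the post: the row must also be active and not a backup MX.
NEW_QUERY = ("SELECT domain FROM domain WHERE domain = ? "
             "AND backupmx = false AND active = true")

def build_db(rows):
    """Create an in-memory stand-in for the 'domain' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE domain "
               "(domain TEXT PRIMARY KEY, active BOOLEAN, backupmx BOOLEAN)")
    db.executemany("INSERT INTO domain VALUES (?, ?, ?)", rows)
    return db

def accepted(db, query, names):
    """Names for which the lookup returns a row, i.e. Postfix treats them as hosted."""
    return [n for n in names if db.execute(query, (n,)).fetchone()]

def compare(rows=SAMPLE_DOMAINS):
    """Run both lookups over every sample domain plus one that is not in the table."""
    db = build_db(rows)
    names = [r[0] for r in rows] + ["unknown.example"]
    return accepted(db, OLD_QUERY, names), accepted(db, NEW_QUERY, names)

if __name__ == "__main__":
    old, new = compare()
    print("old lookup accepts:", old)
    print("new query accepts: ", new)
```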
Ok, “ClueBringer” has some problems but it’s neat.
by Nick on Aug.10, 2009, under E-Mail, News
Spam is fun. Watching spammers in action is even more fun. Via a friend, I have a very old domain for which I handle mail. Since only one address is legitimate, it’s easy to use a wild card alias to catch and analyze spam. I implemented some Policies via Policyd2, aka “ClueBringer” (linux kids are cute, aren’t they?) Basically, I added a 20/hour recipient quota, and a 5/hour /24 based sender quota, hoping to bounce a few messages. It never happens. The bot network that sends these messages implements a simple, but effective interpolation scheme where the same address NEVER receives mail from the same IP address, and it always jumps /24s after 2 messages. It’s fascinating to watch.
SpamAssassin
by Nick on Jun.24, 2009, under E-Mail, News
Spam is the bane of all email servers and services. As I wrote in my email entry, I use Maia, which is a frontend to Amavis, which is a daemon that ties various anti-spam and anti-virus programs together. When I originally set things up, I followed a guide on NEOHAPSIS. That guide was written in Russian, but had English examples. Basically, you set up Amavis, have Postfix route mail to it (it acts as an ESMTP server) and Amavis takes care of the rest. My anti-virus program is ClamAV. It works, it’s fairly painless, and simple. My anti-spam choice, SpamAssassin, was not quite as easy.
SpamAssassin is basically a Perl script, maintained by the Apache group, that incorporates various config scripts to filter out spam. There are several modules that you can incorporate, including DKIM checking, URI scanning, and RBL incorporation. You can customize your scoring of each component, making it very flexible. The default modules include SA-Blacklist, a massive blacklist that should not be used. Ever. Disable it, otherwise you will monopolize the CPU on your server. Maia integrates with SpamAssassin very well, allowing for quarantining, with digests and reminders, statistics on each rule for customization, and end user blacklisting/whitelisting, setting up honeypots, among other options. It’s very useful, effective, and not prone to false positives.

