Chronophage.net Blog

Tag: Software

Postfix MySQL and You!

by Nick on Oct.30, 2009, under Administration, E-Mail, News

Postfix is surprisingly flexible. When I initially set it up two years ago, I set it up to reference a database, but I had a flaw in my logic. Basically, Postfix had no idea if a domain was marked active or inactive in the database. All it knew was whether a domain was in the database or not. Postfix has a default query that looks for key information. However, you can supersede it in your config files. So I simply commented out the old variables that it passed to the default query, and wrote a new one:

user = DB_USER
password = supersecretpassword
hosts = 127.0.0.1
dbname = DB_NAME
table = domain
#select_field = domain <-- old version, commented out
#where_field = domain <-- old version, commented out
#New Query:
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = false and active = true

Yes, I have backupmx enabled, even though that’s a titanically bad idea, and I would never use it. Why is it a bad idea to function as a Backup MX server? Because spammers don’t play by the RFCs and often send spam to lower weighted MX records in an attempt to bypass spam protection.

But I never know what people may ask for in the future. ;)
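
The effect of swapping the default lookup for the query above, as an added example that is not part of the original post. SQLite stands in for MySQL, the table schema and the three rows are constructed, and the legacy query is the form Postfix builds from select_field, table and where_field.

```python
import sqlite3

# Form Postfix builds from the old select_field / table / where_field settings.
LEGACY_QUERY = "SELECT domain FROM domain WHERE domain='%s'"
# Replacement query from the post.
ACTIVE_QUERY = ("SELECT domain FROM domain WHERE domain='%s' "
                "and backupmx = false and active = true")

# Constructed sample rows: (domain, backupmx, active).
SAMPLE_ROWS = [
    ("live.example", 0, 1),
    ("disabled.example", 0, 0),
    ("backup.example", 1, 1),
]
PROBES = ["live.example", "disabled.example", "backup.example", "unknown.example"]


def make_db():
    """In-memory stand-in for the MySQL table; schema is an assumption."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE domain (domain TEXT PRIMARY KEY, "
               "backupmx INTEGER NOT NULL, active INTEGER NOT NULL)")
    db.executemany("INSERT INTO domain VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def lookup(db, query, key):
    """Mimic a Postfix map lookup: any returned row means the key is in the map."""
    # Postfix SQL-quotes the key before expanding %s; a bound parameter plays
    # that role here. false/true are rewritten to 0/1 for SQLite.
    sql = (query.replace("'%s'", "?")
                .replace("false", "0").replace("true", "1"))
    row = db.execute(sql, (key,)).fetchone()
    return row[0] if row else None


def accepted(db, query):
    """Domains from PROBES that the map would report as present."""
    return [name for name in PROBES if lookup(db, query, name) is not None]


if __name__ == "__main__":
    db = make_db()
    print("legacy query     :", accepted(db, LEGACY_QUERY))
    print("active-only query:", accepted(db, ACTIVE_QUERY))
```

With the legacy form, the disabled and backup-MX rows still count as hosted domains; only the replacement query drops them.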


Oops…

by Nick on Sep.24, 2009, under Administration, News, Software

This is a live and learn moment. When I did my last update, I had a lot of old libraries hanging around. I thought that portupgrade would recompile all of my ports, but it didn’t. Most had been recompiled in the interim as I had been upgrading, but Apache, well, Apache upgrades are hardly for the weak. So, when I deleted a bunch of crud lying around, I broke SUEXEC. SUEXEC is what allows scripts to be executed under my various users’ home directories. Well, a recompile and reinstall, and things are working much much faster. Always fix your architecture, kids.


Curiosity

by Nick on Aug.21, 2009, under News, Security

People are so curious nowadays… Today I’ve received one NMAP ping from Colorado State (I’m guessing since I recently downloaded NMAP) and one “Version” query from ISC.org. Or at least, I think I have. Oh well, no harm done.


PubSub

by Nick on Aug.12, 2009, under News, Twitter

Ok, so I’ve been working on PubSub, and getting it to work with Openfire. A herculean task. Turns out a couple properties were the key.

First this is an invaluable resource for getting things to work with Openfire. There’s not a lot of documentation for the project, and frankly, the community seems a little shy on sharing basic solutions.

The properties I added were:
xmpp.pubsub.create.anyone
xmpp.pubsub.multiple-subscriptions
xmpp.pubsub.root.creator
xmpp.pubsub.sysadmin.jid

Now I can use the Jabber Feed plugin for WordPress! Hopefully it works ;)


Changed from Jabberd 2 to Openfire.

by Nick on Aug.10, 2009, under News, Twitter

Jabberd 2.0, unfortunately, was a beast to configure, and a beast to keep running. It was, for lack of a better word, fragile. And, most unforgivably, IM+ could not authenticate to it properly. So I started investigating Jabber server alternatives. I originally wanted to try Ejabberd, but the long list of dependencies ultimately forced me to move on. OpenFire’s install, while not exactly daunting, flirted with my tolerance for jumping through hoops. Sun licenses + FreeBSD ports + annoying, multiple download, Google searches. (I’m looking at you, TimeZone Update tool.)

In any case, once I installed OpenFire, everything fell into place. Concepts that I was trying to execute in jabberd were mere clicks and toggles in OpenFire: Transports, Multi-user Conferencing, Broadcasting (courtesy of a plugin). The only thing I was missing from Jabberd was multi-domain support. Oh well. Maybe one day OpenFire will support it. If not, and if I’ll need it, I’ll find something else.

One problem that did cause me to think that I chose the wrong product was the seemingly random way it routed messages when you have more than one session open. Generally, the last login got the message, but not always. I use jabber for NAGIOS notifications, and my iPhone and Desktop machines seemed to fight over the message routing.

After a bit of searching, I found the system property route.all-resources, set it to true and whammo! Everything worked!

Now to figure out PubSub…


Ok, “ClueBringer” has some problems but it’s neat.

by Nick on Aug.10, 2009, under E-Mail, News

Spam is fun. Watching spammers in action is even more fun. Via a friend, I have a very old domain for which I handle mail. Since only one address is legitimate, it’s easy to use a wild card alias to catch and analyze spam. I implemented some Policies via Policyd2, aka “ClueBringer” (linux kids are cute, aren’t they?). Basically, I added a 20/hour recipient quota, and a 5/hour /24 based sender quota, hoping to bounce a few messages. It never happens. The bot network that sends these messages implements a simple, but effective interpolation scheme where the same address NEVER receives mail from the same ip address, and it always jumps /24s after 2 messages. It’s fascinating to watch.


DNS and you!

by Nick on Jul.31, 2009, under News, Security

Say what you want about Kaminsky. I mean, the man is crazy. However, being on call when your employer, a regional ISP, reboots both the primary and secondary DNS servers, makes you appreciate how important DNS is in the grand scheme of internet things. Granted, his attack is fairly novel, but yeah… I’m glad ISC makes updating BIND nice and easy.


DNSSEC

by Nick on Jul.09, 2009, under News, Twitter

So, I discovered that .org is signed. Unfortunately, I discovered this the hard way. I think there’s a DNSSEC bug in the version of BIND that I’m running. So time to update world on Calypso. Wee!

*UPDATE*

I upgraded to BIND 9.6.0 and all appears to be well.
I followed these instructions: http://closedsrc.org/_static/dn-articles/bind9.html
and overwrote the base install. I like to live dangerously…after testing it on one or two test machines. ;)


Jabberd2

by Nick on Jun.16, 2009, under News, Twitter

Jabber is…touchy. There is no margin for error.

It makes sense, as jabber seems to be a consortium of various modules that communicate via streams. It is, in a sense, a true UNIX application; each module does one thing, and passes the data on. However, since it’s such a multifaceted app, it handles errors in a very simple way: One error tears down the whole system.

I set up Jabberd2 with three goals:

1) Database Backend.

2) Multi-domain support.

3) Conferencing.

Goal 1 was rather easy; just follow the config file. Goal 2 was considerably more challenging; XML is not a friendly format to the unfamiliar eye, and I had a few typos. Goal 3 was the most challenging, as getting yet another module working increased the failure chance exponentially.

I have not gotten Jabberd to log properly. It just seems to ignore whatever log method I set up. So, while troubleshooting, I had to manually run the daemon (as the jabber user, hurray sudo -u) and try to decipher the cryptic XML messages as they scrolled rapidly by. I think I have it sorted out, aside from logging.

I wish I had seen http://www.jms1.net/jabberd2/ when I first started. That guide has proven invaluable.


Chronophage E-mail Settings

by Nick on May.18, 2009, under E-Mail, News

I host mail for a few friends and family. I use Postfix as my MTA with Dovecot as my SASL/LDA/POP/IMAP server. Users are authenticated via MySQL and PAM, so I can have local and virtual accounts. To manage things, I use PostfixAdmin, with a few tweaks to accommodate my virtual users’ file structure. Logins are either the full email address (virtual accounts) or the username.

I use a combination of SQLGrey and ClamAV and Maia (SpamAssassin frontend) for my anti-spam/anti-virus protection. SquirrelMail and RoundCube are both available for webmail. Mutt and Alpine are installed on the server as well.

The Settings are as follows:

Main Settings:

The POP3/IMAP4 and SMTP server is mail.chronophage.net

SMTP Authentication is ON

Ports are: 110/993* 143/995* and 25/587/465* for SMTP.

After switching LDA and SASL over to Dovecot, I have magnanimously set up Sieve scripting for my valuable users. And it works for both virtual and shell accounts.
Shell accounts can use either Squirrelmail, or upload Sieve scripts via the Sieve Thunderbird plugin or place them in your .sieve folder.
Virtual accounts will either have to use Squirrelmail or a program that can speak Sieve (standard port, 2000)
Sieve scripts DO count against your quota, so be careful Virtual Users.
This is LDA level filtering, so I can’t see what it’s doing via my logs, so watch your filters!

There are a lot of Sieve scripts out there, have fun!

Procmail and Maildrop are installed on the system, and can be used for shell users via a .forward file.

Webmail:

http://mail.chronophage.net for SquirrelMail

http://mail.chronophage.net/rc for RoundCube

Postfix Admin

http://mail.chronophage.net/admin redirects to https://calypso.chronophage.net/mailadmin

Shell users should be able to log in with their email address but passwords don’t sync with local passwords.

Send me an email to change passwords.
