Welcome to TiddlyWiki created by Jeremy Ruston, Copyright © 2007 UnaMesa Association
(Referenced [[here|http://www.maiamailguard.com/maia/wiki/AutoDelete]])
This refinement of Sebastian's method takes advantage of features in MySQL 4.x and later to encapsulate the deletions in a transaction so that data integrity is maintained even while new mail items are being received.
Start by creating the index on maia_mail.score as before:
{{{
CREATE INDEX maia_mail_idx_score ON maia_mail (score);
}}}
Next, create the view but use a temporary table to store it so that we can safely delete from the actual maia_mail table (since it's referenced in the view itself):
{{{
CREATE ALGORITHM = TEMPTABLE VIEW maia.HighScore AS
SELECT maia_mail.id AS id
FROM maia_mail
WHERE maia_mail.score >= 20;
}}}
Now copy the following SQL code to a file (e.g. maia-autodelete.sql):
{{{
START TRANSACTION WITH CONSISTENT SNAPSHOT;
DELETE FROM maia_mail_recipients
WHERE mail_id IN (SELECT * FROM maia.HighScore);
DELETE FROM maia_sa_rules_triggered
WHERE mail_id IN (SELECT * FROM maia.HighScore);
DELETE FROM maia_viruses_detected
WHERE mail_id IN (SELECT * FROM maia.HighScore);
DELETE FROM maia_banned_attachments_found
WHERE mail_id IN (SELECT * FROM maia.HighScore);
DELETE FROM maia_mail
WHERE id IN (SELECT * FROM maia.HighScore);
COMMIT;
}}}
To execute the script, just feed it to MySQL:
{{{
mysql -u root -p maia < maia-autodelete.sql
}}}
Robert's original post can be found [[here|http://www.renaissoft.com/pipermail/maia-users/2007-July/010211.html]].
''Current Postmaster stuff''
Sendmail pulled down and built - DHW $HOME
customized majordomo
majordomo aliases are in a separate file
most lists are closed
blw is configured so that members of blw or baylisa can post
milter-regex
perl script in ~dhw looks at /var/log/syslog and summarizes things
Dahon TS061 Pictures
[img[http://www.cryptomonkeys.org/~louisk/images/dahon1.jpg]]
[img[http://www.cryptomonkeys.org/~louisk/images/dahon2.jpg]]
[img[http://www.cryptomonkeys.org/~louisk/images/dahon3.jpg]]
[img[http://www.cryptomonkeys.org/~louisk/images/dahon4.jpg]]
[img[http://www.cryptomonkeys.org/~louisk/images/dahon5.jpg]]
[[Cisco|http://www.cisco.com]] Catalyst [[5505]] switch
[[Cisco|http://www.cisco.com]] [[3560G]] switch
[[Cisco|http://www.cisco.com]] [[3550|Cisco_3550]] switch
[[Cisco|http://www.cisco.com]] [[3640]] router
[[Cisco|http://www.cisco.com]] [[3620]] router
[[Cisco|http://www.cisco.com]] [[2610]] router
[[Cisco|http://www.cisco.com]] VPN (vpnc) [[password|http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode]] [[decryption|Cisco-Decrypt]]
[[Cisco|http://www.cisco.com]] [[Virtualized ASA|Virtualized_Cisco_ASA]]
<html><pre>/* Decoder for password encoding of Cisco VPN client.
Copyright (C) 2005 Maurice Massar
Thanks to HAL-9000@evilscientists.de for decoding and posting the algorithm!
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/*
Requires libgcrypt version 1.1.90 or newer
Compile with:
gcc -Wall -o cisco-decrypt cisco-decrypt.c $(libgcrypt-config --libs --cflags)
Usage:
./cisco-decrypt DEADBEEF...012345678 424242...7261
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memcpy, memcmp (missing in the original listing) */
#include <gcrypt.h>
#include <errno.h>
int hex2bin_c(unsigned int c)
{
if ((c >= '0')&&(c <= '9'))
return c - '0';
if ((c >= 'A')&&(c <= 'F'))
return c - 'A' + 10;
if ((c >= 'a')&&(c <= 'f'))
return c - 'a' + 10;
return -1;
}
int hex2bin(const char *str, char **bin, int *len)
{
char *p;
int i, l;
if (!bin)
return EINVAL;
for (i = 0; str[i] != '\0'; i++)
if (hex2bin_c(str[i]) == -1)
return EINVAL;
l = i;
if ((l & 1) != 0)
return EINVAL;
l /= 2;
p = malloc(l);
if (p == NULL)
return ENOMEM;
for (i = 0; i < l; i++)
p[i] = hex2bin_c(str[i*2]) << 4 | hex2bin_c(str[i*2+1]);
*bin = p;
if (len)
*len = l;
return 0;
}
/* Input layout: 20 bytes h1 (its first 8 bytes are the 3DES IV and the
   key is derived from it below), 20 bytes h4 (SHA-1 of the ciphertext),
   then the ciphertext itself. */
int c_decrypt(char *ct, int len, char **resp, int *reslenp)
{
const char *h1 = ct;
const char *h4 = ct + 20;
const char *enc = ct + 40;
char ht[20], h2[20], h3[20], key[24];
const char *iv = h1;
char *res;
gcry_cipher_hd_t ctx;
int reslen;
if (len < 48)
return -1; /* too short to hold h1, h4 and one 3DES block */
len -= 40;
memcpy(ht, h1, 20);
ht[19]++;
gcry_md_hash_buffer(GCRY_MD_SHA1, h2, ht, 20);
ht[19] += 2;
gcry_md_hash_buffer(GCRY_MD_SHA1, h3, ht, 20);
memcpy(key, h2, 20);
memcpy(key+20, h3, 4);
/* who cares about parity anyway? */
gcry_md_hash_buffer(GCRY_MD_SHA1, ht, enc, len);
if (memcmp(h4, ht, 20) != 0)
return -1;
res = malloc(len);
if (res == NULL)
return -1;
gcry_cipher_open(&ctx, GCRY_CIPHER_3DES, GCRY_CIPHER_MODE_CBC, 0);
gcry_cipher_setkey(ctx, key, 24);
gcry_cipher_setiv(ctx, iv, 8);
gcry_cipher_decrypt(ctx, (unsigned char *)res, len, (unsigned char *)enc, len);
gcry_cipher_close(ctx);
/* strip the trailing padding; the pad byte must be 1..8 and fit in the buffer */
int pad = (unsigned char)res[len-1];
if (pad < 1 || pad > 8 || pad > len) {
free(res);
return -1;
}
reslen = len - pad;
res[reslen] = '\0';
if (resp)
*resp = res;
if (reslenp)
*reslenp = reslen;
return 0;
}
int main(int argc, char *argv[])
{
int i, len, ret = 0;
char *bin, *pw;
gcry_check_version(NULL);
for (i = 1; i < argc; i++) {
ret = hex2bin(argv[i], &bin, &len);
if (ret != 0) {
perror("decoding input");
continue;
}
ret = c_decrypt(bin, len, &pw, NULL);
free(bin);
if (ret != 0) {
perror("decrypting input");
continue;
}
printf("%s\n", pw);
free(pw);
}
exit(ret != 0);
}
</pre></html>
If you're already using clamav, I would highly recommend the add-on signatures from Sanesecurity, which are targeted at phish and scam mail. I have found these signatures to be safe and very effective. Adding these signatures adds virtually no extra time to clamd scanning.
You will need a script run from cron to get updates a couple times a day; there are some very good user-contributed scripts available on the Sanesecurity web site.
http://www.sanesecurity.com/clamav/usage.htm
MSRBL also has some add-on signatures for clamav. These appear to also be safe, but mostly ineffective here - I suspect most of the spam they would stop is already rejected here by smtpd restrictions. Others have reported better results, so YMMV.
http://www.msrbl.com/msrbl-spam
http://www.msrbl.com/msrbl-images
If you're interested in using SpamAssassin, running it under the control of amavisd-new as a post-queue content_filter is a good choice. Note that SpamAssassin adds quite a bit of overhead in terms of CPU, RAM, and time.
There are a number of milters that use SpamAssassin that should work with postfix. However, doing that kind of resource-intensive content inspection pre-queue will severely limit the number of smtpd processes that can be safely run. If you go this route, you will likely need to add more MX boxes to spread the load out.
[[Security Planning|SecurityPlanning]]
[[FreeBSD|FreeBSD]]
[[Solaris|SolarisConsulting]]
[[Sendmail]]
[[Linksys]]
[[Bouncing|mailBounce]] mail
[[DNS|DNSTest]] testing (random ports)
[[Maia Mailguard|MaiaMailGuard]]
''Enable debugging (lots!)''
* cd ~Library/Preferences
* open com.pgp.engine.plist
* Change log level to 1005, enable debug menu item
* Save/Quit
''Restart Desktop''
''Encrypting with 128bit on the commandline''
{{{pgpwde --secure --cipher aes128 --disk 0 --user "user name" -p 'password'}}}
0. Recompile/reinstall Dovecot with 'managesieve' option enabled:
# cd /usr/ports/mail/dovecot
# make config
(Enable same options as pho-postfix directions and also managesieve)
# make all install clean
1. Install dovecot-sieve:
# cd /usr/ports/mail/dovecot-sieve
# make all install clean
2. Edit /usr/local/etc/dovecot.conf and add these lines:
{{{
protocol lda {
..
mail_plugins = sieve
..
}
plugin {
..
# The location of the user's active script:
sieve = /usr/local/virtual/%d/%n/.dovecot.sieve
# If the user has no personal active script (i.e. if the file
# indicated in sieve= does not exist), use this one:
sieve_global_path = /usr/local/etc/sieve/default.sieve
# The include extension fetches the :personal scripts from this
# directory. When ManageSieve is used, this is also where scripts
# are uploaded.
sieve_dir = /usr/local/virtual/%d/%n/sieve
# The include extension fetches the :global scripts from this
# directory.
sieve_global_dir = /usr/local/etc/sieve/global
..
}
}}}
3. Set up global directory and scripts (empty for now):
# mkdir -p /usr/local/etc/sieve/global
# touch /usr/local/etc/sieve/global/default.sieve
# sievec /usr/local/etc/sieve/global
4. Set up my script.
# cd /usr/local/virtual/domain.tld/username
Edit ".dovecot.sieve" to add a test case:
{{{
require ["body", "fileinto", "regex"];
# test case
if header :comparator "i;ascii-casemap" :contains "Subject" "test" {
fileinto "test";
}
}}}
(From this point on, these are the steps given in this post:
http://lists.purplehat.org/pipermail/pho-postfix/2008-December/000394.html)
5. Add vmail user:
# pw groupadd vmail
# pw useradd vmail -c VMail\ User -d /usr/local/virtual -s \
/usr/sbin/nologin
6. Change all references to UID/GID '125' to vmail's UID/GID in main.cf, dovecot.conf and dovecot-ssl.conf.
Note that this does *not* include two references to postfix under auth default:
{{{
auth default {
socket listen {
..
client {
# The client socket is generally safe to export to everyone. Typical use
# is to export it to your SMTP server so it can do SMTP AUTH lookups
# using it.
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}
}}}
Postfix would not accept mail when I changed 'postfix' to vmail's UID/GID so I've left these alone.
7. Edit master.cf to use the vmail user in dovecot's deliver line:
{{{
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver \
-f ${sender} -d ${recipient}
}}}
8. Stop dovecot and postfix:
/usr/local/etc/rc.d/dovecot stop
/usr/local/etc/rc.d/postfix stop
9. Recursively change ownership for all virtual mail stuff to vmail's UID/GID:
# chown -R vmail:vmail /usr/local/virtual
10. In /usr/local/etc/postfix/main.cf, change virtual_transport to "dovecot":
virtual_transport = dovecot
11. In /usr/local/etc/dovecot.conf, uncomment master under "socket listen":
{{{
socket listen {
master {
# Master socket provides access to userdb information. It's typically
# used to give Dovecot's local delivery agent access to userdb so it
# can find mailbox locations.
path = /var/run/dovecot/auth-master
mode = 0600
# Default user/group is the one who started dovecot-auth (root)
user = <vmail UID>
group = <vmail GID>
}
client {
..
}
}
}}}
12. Remove global permissions on dovecot's deliver LDA:
# chmod o-rx /usr/local/libexec/dovecot/deliver
13. Restart dovecot and postfix:
# /usr/local/etc/rc.d/dovecot start
# /usr/local/etc/rc.d/postfix start
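A post-install check for steps 9, 11 and 12 above, added here as an example and not part of the pho-postfix post. It only inspects ownership and permissions and changes nothing; the paths and the vmail user are the ones used on this page, and the permission strings are read via `ls -l` so the same script works on FreeBSD and Linux.

```shell
#!/bin/sh
# Constructed check for the vmail/deliver hardening steps above (example code).
# Paths default to the ones on this page; override via the environment.

VMAIL_HOME="${VMAIL_HOME:-/usr/local/virtual}"
DELIVER="${DELIVER:-/usr/local/libexec/dovecot/deliver}"
AUTH_CLIENT="${AUTH_CLIENT:-/var/spool/postfix/private/auth}"
AUTH_MASTER="${AUTH_MASTER:-/var/run/dovecot/auth-master}"
VMAIL_USER="${VMAIL_USER:-vmail}"
VMAIL_GROUP="${VMAIL_GROUP:-vmail}"

# Nine-character symbolic mode (rwxr-x--- style) of a path, taken from ls -l
# because stat(1) flags differ between FreeBSD and Linux.
perm_string() {
    ls -ld "$1" 2>/dev/null | cut -c2-10
}

# Step 12 wants "chmod o-rx" on deliver: succeed only if "other" has neither
# read nor execute.
no_other_rx() {
    bits=$(perm_string "$1")
    [ -n "$bits" ] || return 1
    case "$bits" in
        ??????r??) return 1 ;;        # other can read
        ????????[xt]) return 1 ;;     # other can execute
        *) return 0 ;;
    esac
}

# Exact mode check for the auth sockets: client 0660 (rw-rw----),
# master 0600 (rw-------), as in the dovecot.conf fragments above.
perm_is() {
    [ "$(perm_string "$1")" = "$2" ]
}

# Step 9: number of entries below a directory NOT owned by user:group
# (0 is what we want). find accepts numeric ids as well as names.
count_not_owned() {
    [ -d "$1" ] || { echo missing; return 1; }
    find "$1" \( ! -user "$2" -o ! -group "$3" \) 2>/dev/null | wc -l | tr -d ' '
}

report() {
    rc=0
    if no_other_rx "$DELIVER"; then echo "ok   deliver not reachable by others: $DELIVER"
    else echo "FAIL deliver still readable/executable by others: $DELIVER"; rc=1; fi
    if perm_is "$AUTH_CLIENT" rw-rw----; then echo "ok   auth client socket is 0660"
    else echo "FAIL auth client socket is not 0660: $AUTH_CLIENT"; rc=1; fi
    if perm_is "$AUTH_MASTER" rw-------; then echo "ok   auth master socket is 0600"
    else echo "FAIL auth master socket is not 0600: $AUTH_MASTER"; rc=1; fi
    n=$(count_not_owned "$VMAIL_HOME" "$VMAIL_USER" "$VMAIL_GROUP")
    if [ "$n" = 0 ]; then echo "ok   everything under $VMAIL_HOME is $VMAIL_USER:$VMAIL_GROUP"
    else echo "FAIL $n entries under $VMAIL_HOME are not $VMAIL_USER:$VMAIL_GROUP"; rc=1; fi
    return $rc
}

# Run the report only when invoked as "check", so the functions can be sourced.
case "${1:-}" in
    check) report ;;
esac
```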
[img[http://www.freebsd.org/layout/images/beastie.png]]
Howto install [[FreeBSD|http://www.freebsd.org]]
Howto install [[FreeBSD|http://www.freebsd.org]] [[Sparc64|FreeBSD_Sparc64]]
Howto setup [[ZFS]]
Howto setup [[gmirror]]
Howto setup [[GELI]]
Linux [[PGP]] on [[FreeBSD|http://www.freebsd.org]]
[[VLAN/Link Aggregation|VlanLagg]]
[[iSCSI|FreeBSD_iSCSI]]
[[DHCP|isc-dhcpd]]
[[DePenguinator|http://www.daemonology.net/blog/2008-01-29-depenguinator-2.0.html]]
[[Net-SNMP|fbsd_netsnmp]]
[[Upgrade|FreeBSDupgradeNotes]]
[[SVN Mirroring]]
Right now, this is just a couple of notes on things that weren't straight forward in the installer. More info can be found [[here|http://www.freebsdwiki.net/index.php/Sparc_-_Installing_FreeBSD]]
After the install, you need to setup openboot to boot the correct disk:label:
OK> setenv boot-device disk1:a
OK> setenv auto-boot? true
Suppose you want to use a remote iSCSI device, but you don't exactly trust either the storage or the network in between. Of course, there's a way around it :)
The setup presented here is very simple and will behave like this:
[iSCSI server] -- encrypted data on the server and over the wire -- [iSCSI client]
Note: all these instructions are valid for FreeBSD 7.0 - previous versions are probably missing some parts.
Setting up an iSCSI target
You can skip this section if you already have an iSCSI target (a "target" is where the data is stored, i.e. the "server" node of iSCSI).
1. Install the iscsi-target port.
2. Edit /usr/local/etc/iscsi/targets file and add lines similar to the following:
# NAME DEVICE START LENGTH
extent0 /dev/da2 0 5GB
# NAME ACCESS STORAGE NETMASK
target0 rw extent0 10.0.0.0/24
These lines should be self-explanatory. If you need more help, see targets(5) or NetBSD's iscsi-target HOWTO.
3. Enable iscsi-target in /etc/rc.conf by adding the following line to it:
iscsi_target_enable="YES"
4. Start the server by running /usr/local/etc/rc.d/iscsi_target start. You should see something like the following output on the console:
Starting iscsi_target.
Reading configuration from `/usr/local/etc/iscsi/targets'
target0:rw:10.0.0.0/24
extent0:/dev/da2:0:5368709120
DISK: 1 logical unit (10485760 blocks, 512 bytes/block), type iscsi fs
DISK: LUN 0: 5120 MB disk storage for "target0"
TARGET: TargetName is iqn.1994-04.org.netbsd.iscsi-target
Setting up the iSCSI initiator
The "initiator" is the client part in iSCSI, and it connects to the server. The following steps should be done on the client system.
1. Edit /etc/iscsi.conf and add the following lines:
target0 { # nickname
targetaddress = 10.0.0.102
targetname = iqn.1994-04.org.netbsd.iscsi-target:target0
}
2. Load the iscsi_initiator kernel module with:
# kldload iscsi_initiator
Also, add the following line to /boot/loader.conf to load the module on boot:
iscsi_initiator_load="YES"
3. Start the iSCSI session by running:
# iscontrol -n target0
Several lines should be output to the console, which should look like the following:
iscontrol[8516]: running
iscontrol[8516]: (pass3:iscsi0:0:0:0): tagged openings now 0
iscontrol[8516]: cam_open_btl: no passthrough device found at 1:0:1
iscontrol[8516]: cam_open_btl: no passthrough device found at 1:0:2
iscontrol[8516]: cam_open_btl: no passthrough device found at 1:0:3
iscontrol: supervise starting main loop
More importantly, the kernel log (which you can see with tail /var/log/messages) should now contain something similar to this output:
Jan 4 23:17:08 client kernel: da0 at iscsi0 bus 0 target 0 lun 0
Jan 4 23:17:08 client kernel: da0: Fixed Direct Access SCSI-3 device
This means the device da0 has been created - this is the local representation of the remote iSCSI drive.
4. Set up GEOM_ELI on the new device:
# geli init /dev/da0
The utility will ask you for a passphrase which will be used to encrypt the data. GEOM_ELI (as the encryption layer is known) has many more options, but the defaults are good enough. It will use AES encryption with sane defaults.
5. Load the GEOM_ELI kernel module:
# kldload geom_eli.ko
Also, add the following to /boot/loader.conf to load the module at boot time:
geom_eli_load="YES"
6. Attach the encrypted device:
# geli attach /dev/da0
Lines similar to the following should appear in the kernel log:
Jan 4 23:33:28 client kernel: GEOM_ELI: Device da0.eli created.
Jan 4 23:33:28 client kernel: GEOM_ELI: Encryption: AES-CBC 128
Jan 4 23:33:28 client kernel: GEOM_ELI: Crypto: software
The device da0.eli has been created - this is the end-point device that can be used by file systems and for other purposes (swap, etc.).
7. Make the file system and mount it!
# newfs -U -L mydata /dev/da0.eli
A successful run of newfs looks something like this:
/dev/da0.eli: 5120.0MB (10485756 sectors) block size 16384, fragment size 2048
using 28 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
with soft updates
super-block backups (for fsck -b #) at:
160, 376512, 752864, 1129216, 1505568, 1881920, 2258272, 2634624, 3010976, 3387328,
3763680, 4140032, 4516384, 4892736, 5269088, 5645440, 6021792, 6398144,
6774496, 7150848, 7527200, 7903552, 8279904, 8656256, 9032608, 9408960, 9785312,
10161664
Since we used a volume label for the file system, observe the following message in the kernel log:
Jan 4 23:38:17 client kernel: GEOM_LABEL: Label for provider da0.eli is ufs/mydata.
Now you can mount the file system:
# mount /dev/ufs/mydata /mydata
And that's it!
There are two points that can't be readily automated right now: the iscontrol step which starts the iSCSI initiator, and the geli requiring a password. The former can be approximated by creating a small shell script that does the step and putting it in /usr/local/etc/rc.d but the second cannot be, since the whole point of having an encrypted storage is that it isn't accessible by unwanted people.
The way this setup works is that the unencrypted data is used by the file system (as it should be - you wouldn't be able to use it otherwise) via the da0.eli device. This data is encrypted and the encrypted data is written to the da0 device. This is the iSCSI client device and the data is transferred to the server in its encrypted form. The server and the network never see unencrypted data.
Due to GEOM's modularity, other components could be added to the data processing graph, such as journaling (gjournal), caching (gcache), etc. in which case the end-point device name will "grow" suffixes, such as da0.eli.journal. Even RAID levels can be added, though it makes little sense to do it on the client (it's perfectly fine on the server).
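The "small shell script" suggested above for the iscontrol step, added here as an example that is not part of the original howto. It starts the session, waits for the SCSI device node to appear, works out how far up the stack (raw device, attached .eli provider, mounted file system) things already are so no step is repeated, and then stops: geli attach stays an interactive step, since storing the passphrase would defeat the point. Names are the ones used above (target0, /dev/da0, ufs/mydata, /mydata); iscontrol is only invoked when the script is run with "start".

```shell
#!/bin/sh
# Constructed helper for the iSCSI+GELI setup above (example code, not from
# the howto). Run as "sh iscsi-geli.sh start"; everything else is a no-op.

NICK="${NICK:-target0}"                  # nickname from /etc/iscsi.conf
DEV="${DEV:-/dev/da0}"                   # device the initiator creates
LABEL_DEV="${LABEL_DEV:-/dev/ufs/mydata}" # label given to newfs -L
MNT="${MNT:-/mydata}"
ISCONTROL="${ISCONTROL:-iscontrol}"
TIMEOUT="${TIMEOUT:-30}"                 # seconds to wait for the LUN

# Poll once per second until $1 exists or $2 seconds have passed.
# Returns 0 when the node appeared, 1 on timeout.
wait_for_device() {
    _dev="$1"; _limit="${2:-30}"; _waited=0
    while [ ! -e "$_dev" ]; do
        [ "$_waited" -lt "$_limit" ] || return 1
        sleep 1
        _waited=$((_waited + 1))
    done
    return 0
}

# Provider name that geli attach creates for a device (da0 -> da0.eli).
eli_dev() {
    printf '%s.eli\n' "$1"
}

# Where the stack currently is, so the script never repeats a step:
#   absent   - no iSCSI device node at all
#   raw      - $1 present, GELI not attached
#   attached - $1.eli present, nothing mounted on $2
#   mounted  - a file system is mounted on $2
stack_state() {
    _dev="$1"; _mnt="$2"
    if [ -e "$(eli_dev "$_dev")" ]; then
        if mount 2>/dev/null | grep -q " on $_mnt "; then echo mounted; else echo attached; fi
    elif [ -e "$_dev" ]; then
        echo raw
    else
        echo absent
    fi
}

start() {
    case "$(stack_state "$DEV" "$MNT")" in
        mounted)  echo "already mounted on $MNT"; return 0 ;;
        attached) echo "$(eli_dev "$DEV") present; run: mount $LABEL_DEV $MNT"; return 0 ;;
        raw)      echo "$DEV present; run: geli attach $DEV && mount $LABEL_DEV $MNT"; return 0 ;;
    esac
    "$ISCONTROL" -n "$NICK" || { echo "iscontrol -n $NICK failed" >&2; return 1; }
    if ! wait_for_device "$DEV" "$TIMEOUT"; then
        echo "$DEV did not appear within ${TIMEOUT}s; check /var/log/messages" >&2
        return 1
    fi
    # The passphrase is deliberately not handled here: attach interactively.
    echo "$DEV attached; now run: geli attach $DEV && mount $LABEL_DEV $MNT"
}

case "${1:-}" in
    start) start ;;
esac
```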
''7.0R -> 7.2R''
''System:''
''Ports:''
maia - disable spf query (and uninstall)
php5 - pkg_delete -f php5-pcre-5.2.6; pkgdb -F; portupgrade -o archivers/php5-zip archivers/pecl-zip; portupgrade -o devel/php5-json devel/pecl-json; portupgrade -o security/php5-hash security/pecl-hash; portupgrade -ap
''Parts''
1x [[FreeNAS 0.7|http://www.freenas.org/index.php?option=com_versions&Itemid=51]]
1x [[CoolerMaster CM690|http://www.coolermaster-usa.com/product.php?category_id=19&product_id=2710]]
1x [[Antec Trio 550W|http://www.antec.com/usa/productDetails.php?lan=us&id=23550]]
1x [[EliteGroup PT890T-A|http://www.ecs.com.tw/ECSWebSite/Products/ProductsDetail.aspx?CategoryID=1&TypeID=32&DetailID=692&DetailName=Feature&MenuID=1&LanID=0]]
1x [[E2180 Core2Duo|http://search.pricewatch.com/cpu/core_2_duo_e2180-0.htm]]
2x [[2GB RAM|http://search.pricewatch.com/system_memory/ddr2-667_pc2-5300_2gb-0.htm]]
1x Intel Pro1000 (Ebay)
1x 3Ware 8port IDE RAID (Ebay)
7x [[Seagate 750G IDE|http://search.pricewatch.com/hard_removable_drives/refurb_750gb-0.htm]]
1x 2G USB flash
2x [[120mm Thermaltake Smart Case Fan II|http://www.thermaltakeusa.com/Product.aspx?C=1164&ID=1726]]
''Tuning''
-> Network|Interfaces|LAN
-> Advanced Configuration -> MTU 9000
-> System|Advanced
->Tuning
-> Enable tuning of some kernel variables
-> System|Advanced|sysctl.conf
{{{
hw.ata.to = 15
# ATA disk timeout vis-a-vis power-saving
kern.coredump = 0
# Disable core dump
kern.ipc.maxsockbuf = 16777216
# System tuning - Original -> 2097152
kern.ipc.nmbclusters = 32768
# System tuning
kern.ipc.somaxconn = 8192
# System tuning
kern.maxfiles = 65536
# System tuning
kern.maxfilesperproc = 32768
# System tuning
net.inet.tcp.delayed_ack = 0
# System tuning
net.inet.tcp.inflight.enable = 0
# System tuning
net.inet.tcp.path_mtu_discovery = 0
# System tuning
net.inet.tcp.recvbuf_auto = 1
# http://acs.lbl.gov/TCP-tuning/FreeBSD.html
net.inet.tcp.recvbuf_inc = 524288
# http://fasterdata.es.net/TCP-tuning/FreeBSD.html
net.inet.tcp.recvbuf_max = 16777216
# http://acs.lbl.gov/TCP-tuning/FreeBSD.html
net.inet.tcp.recvspace = 65536
# System tuning
net.inet.tcp.rfc1323 = 1
# http://acs.lbl.gov/TCP-tuning/FreeBSD.html
net.inet.tcp.sendbuf_auto = 1
# http://acs.lbl.gov/TCP-tuning/FreeBSD.html
net.inet.tcp.sendbuf_inc = 16384
# http://fasterdata.es.net/TCP-tuning/FreeBSD.html
net.inet.tcp.sendbuf_max = 16777216
# http://acs.lbl.gov/TCP-tuning/FreeBSD.html
net.inet.tcp.sendspace = 65536
# System tuning
net.inet.udp.maxdgram = 57344
# System tuning
net.inet.udp.recvspace = 65536
# System tuning
net.local.stream.recvspace = 65536
# System tuning
net.local.stream.sendspace = 65536
# System tuning
net.inet.tcp.hostcache.expire = 1
# http://fasterdata.es.net/TCP-tuning/FreeBSD.html
}}}
[[Intel 945GCLF2|http://www.ctlcorp.com/v4/p-743-intel-945gclf2-motherboard.aspx]]
[[Promise SATA Card|http://cgi.ebay.com/Promise-SATA300-TX2PLUS-2-1-SATA-PATA-PCI-Adapter_W0QQitemZ190337193652QQcmdZViewItemQQptZLH_DefaultDomain_0?hash=item2c50fb16b4&_trksid=p3286.c0.m14#ht_500wt_1182]]
[[2G Memory|http://www.pricewatch.com/browse/system_memory/ddr2-667_pc2-5300_2gb]]
[[1.5T Drives|http://www.newegg.com/Product/Product.aspx?Item=N82E16822152175]]
[[HTPC Cases|http://www.newegg.com/Product/ProductList.aspx?Submit=ENE&SubCategory=690&N=2010090690]]
Only other thing you might need is a couple more SATA cables. Got CPU/Motherboard, Memory, Disks, Case, SATA controller (providing extra 2 ports).
[img[http://tedwise.com/wp-content/uploads/2009/02/picture-4.png]]
|Element | Shell Command | Font | Location | Size | Update Period (sec) |
|The day | date +%A | Helvetica, Regular, 27point with drop shadow | 10x, 727y | 200w x 40h | 60 |
|The month | date +%B | Helvetica, Regular, 36point with drop shadow | 10x, 750y | 200w x 50h | 60 |
|The day of the month | date +%d | Helvetica, Regular, 64point with drop shadow | 210x, 720y | 100w x 80h | 60 |
|The time | date "+%I:%M" | Helvetica, Bold, 72point with drop shadow | 20x, 780y |200w x 80h | 10 |
|am/pm | date +%p | Helvetica, Regular, 48point with drop shadow | 210x, 785y | 100w x 70h | 10 |
|The temperature | <bin>/weather.rb -t | Helvetica, Bold, 18point | 20x, 855y | 70w x 25h | 300 |
|The weather | <bin>/weather.rb -d | fmt -w 40 | Helvetica, Regular, 10point | 90x, 855y | 210w x 38h | 300 |
|When the weather was updated | <bin>/weather.rb -w | Helvetica, Regular, 8point | 35x, 878y | 64w x 25h | 300 |
//{{{
#!/usr/bin/ruby
require 'rss/2.0'
require 'open-uri'
require 'optparse'
require 'fileutils'

CACHE   = '/tmp/weather.rb.tmp'      # cached copy of the RSS feed
LOCK    = '/tmp/weather.rb.tmp.lck'  # held while the feed is being fetched
MAX_AGE = 1800                       # refetch after 30 minutes

summary = false
forecast = false
temperature = false
today = false
weatherdate = false
opts = OptionParser.new
opts.on("-s") { summary = true }      # one-line summary of current conditions
opts.on("-f") { forecast = true }     # forecast for the coming days
opts.on("-t") { temperature = true }  # current temperature only
opts.on("-d") { today = true }        # today's forecast text
opts.on("-w") { weatherdate = true }  # when the feed was published
opts.parse!

# Check if another process is downloading the weather and wait for it, but give
# up after 30 seconds so a stale lock (e.g. from a killed process) can't block forever
waited = 0
while File.file?(LOCK) && waited < 300
  sleep(0.1)
  waited += 1
end

# Download the weather if the cache is missing or out of date
if !File.file?(CACHE) || ((Time.now - File.mtime(CACHE)) > MAX_AGE)
  FileUtils.touch(LOCK)
  begin
    `curl --silent -m 30 "http://rss.wunderground.com/auto/rss_full/<your-state>/<your-city>.xml?units=english" > #{CACHE}`
    # An empty file means the fetch failed; drop it so the next run retries
    FileUtils.rm(CACHE) if File.file?(CACHE) && File.size(CACHE) == 0
  ensure
    FileUtils.rm(LOCK)
  end
end

# Nothing to show if the download failed
exit 1 unless File.file?(CACHE)

# Parse out the weather results
File.open(CACHE) do |f|
  result = RSS::Parser.parse(f.read, false)  # false: don't validate the feed
  result.items.each_with_index do |item, i|
    puts item.title.gsub(/ - .*/, '') if summary && i == 0
    puts "#{item.description.strip}\n\n" if forecast && i > 0
    puts item.title.gsub(/Current Conditions : /, '').gsub(/,.*/, '') if temperature && i == 0
    puts item.description.gsub(/Today - /, '').gsub(/Tonight - /, '').gsub(/This Afternoon - /, '').gsub(/[\r\n\t]/, '') if today && i == 1
    # Convert the 24-hour publication time to 12-hour with AM/PM
    hour = item.pubDate.hour
    ampm = hour < 12 ? "AM" : "PM"
    hour = 12 if hour == 0
    hour -= 12 if hour > 12
    puts "#{item.pubDate.mon}/#{item.pubDate.day} #{hour}:#{'%02d' % item.pubDate.min} #{ampm}" if weatherdate && i == 0
  end
end
//}}}
''Using growl for commandline status output''
growlnotify -s -m <output of the curl/perl command>
''Goal'': Ability to play music, and watch movies, DVDs, or TV shows all from one interface, with one remote (to rule them all)
''Hardware''
{{indent{[[Mac Mini|http://store.apple.com/us/browse/home/shop_mac/family/mac_mini?mco=MTE3MDM]]}}}
{{indent{{{indent{1GB RAM}}}}}}
{{indent{{{indent{80GB Disk}}}}}}
{{indent{{{indent{DVI -> Component for SD TV}}}}}}
{{indent{{{indent{1Gbit link connects mini and [[NAS|FreeNAS]]}}}}}}
{{indent{[[Logitech 720 Remote|http://www.logitech.com/index.cfm/remotes/universal_remotes/]]}}}
{{indent{[[Apple BT keyboard|http://store.apple.com/us/product/MB167LL/A?fnode=MTY1NDA1Mg&mco=MjE0Njk2Mg]]}}}
''Software''
{{indent{[[Plex|http://www.plexapp.com]]: Used to read files from my [[NAS|FreeNAS]]}}}
{{indent{[[FrontRow Plugins|http://www.holeintheceiling.com/blog/front-row-plugins/]]: Launching Plex from FrontRow}}}
{{indent{[[iTunes|http://www.apple.com/itunes]]: Easy creation and management of playlists}}}
''Result'': Better than I had hoped for. FrontRow lets me have easy access to DVDs, and Plex lets me stream all sorts of things, from files on the FreeNAS to Netflix.
IOPS per disk x No. of disks x Segment size = MB/sec
Blackberry and Leopard
[[Blackberry I have|http://www.pocketmac.net/products/devices/blackberry_8830.html]]
[[Pocket Mac|http://www.discoverblackberry.com/discover/mac_solutions.jsp]]
------------------------
''Getting Time Machine to work on an Unsupported NAS''
Some of us may own Network Attached Storage (NAS) devices, and/or may feel that an Apple Time Capsule is too expensive, and hence would rather buy a separate router, NAS and Hard Disk Drives. This guide will help you to enable Time Machine on any NAS, allowing you to have the functionality of a Time Capsule, with hardware of your own choosing.
1. Prepare your NAS. Make sure it is fully functioning. This mini-guide assumes you already have one that is functioning well, and you know how to manage it.
2. It would be preferable to assign your NAS a Static IP address. Check your router and NAS documentation for guidelines on how to do this.
3. In OS X, open up Terminal and enter the following command to enable Time Machine to work with your NAS: defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1
4. Log out of OS X and Log in again. You do not need to reboot your machine.
5. Time Machine saves backups in a very specific format, and we will use a sparsebundle to get this done. The sparsebundle name consists of your Computername_MACaddress.sparsebundle.
6. Find the MAC address of the machine’s internal Ethernet port with ifconfig en0 | grep ether | sed s/://g | sed s/ether// in Terminal. This will return one line of output, which is the MAC address for the Ethernet port, which will be a string of 14 hexadecimal characters (letters and numbers, for example, 001ec4b8f9b3).
Even if the network backups will be done using a different port (e.g. AirPort: usually en1), the system will use the MAC address of en0 as part of the system identifier.
7. Make a new “sparsebundle” on a local disk (NOT the Time Machine disk!). This sparsebundle is a virtual filesystem image which we’ll copy to the NAS, and Time Machine will then access it remotely (that way Time Machine’s not limited by the filesystem features of whatever NAS it’s using: all the funky stuff happens within the sparsebundle). By default sparsebundles can keep growing until they fill up the NAS, but in this scenario we keep other things on the NAS as well as backups, and we’re going to limit the sparsebundle size to 70 GB. Enter the following command in Terminal:
{{{
sudo hdiutil create -size 70g -type SPARSEBUNDLE -nospotlight -volname "Backup of My Mac" -fs "Case-sensitive Journaled HFS+" -verbose ./Computername_MACaddress
}}}
This will create a 70GB sparse-bundle as a case-sensitive, journaled HFS+ without spotlight indexing. Substitute the placeholder values (the volume name and Computername_MACaddress) with your own; Computername_MACaddress may be in the form of “DansComputer_001ec4b8f9b3”.
8. Log into your NAS and create a user Account (Eg, “TimeMachine”). You may want to assign disk space quotas for this user if you need to.
9. On your NAS, create a shared folder (Eg, “TimeMachine”). Add the user account you created in step 8 above, and grant that user Read+Write privileges.
10. In Finder, select Go>Connect to Server. For the server address, type smb://TimeMachine@ip-address-of-nas/TimeMachine. Click Connect and when prompted, enter the password and save in your keychain.
11. Now copy your locally created sparsebundle into the TimeMachine share. If you did not change the folder when you entered command prompt, you may find this sparsebundle in your Home folder (/Users/yourusername).
12. On your NAS, check to see that the file is copied under the correct user account.
13. Open up Time Machine, select your “TimeMachine”-folder as the desired destination, and the backup will start.
14. Tip: For the first backup it is recommended to connect via LAN, as you will be able to get a throughput of 10-30MB/sec.
15. If your NAS allows for it, you may now hide your TimeMachine folder so they do not show up over the network share list.
------------------------
''AddressBook iSyncing''
''Step 1''
Open up Terminal.app, but if you aren’t comfortable with the terminal you might want to follow this tip instead. Once you have Terminal open, navigate to ~/Library/Preferences/. We will need to edit the com.apple.iPod.plist file located here. First make a backup of this file, then take a look at its contents. If the file is a binary file you will need to execute the following command:
plutil -convert xml1 com.apple.iPod.plist
Now you should be able to edit the file with your favorite text editor (TextWrangler, vim, etc). Change whatever number is below ‘Family ID’ to 10001 as shown below.
[img[http://www.zaphu.com/v1/wp-content/uploads/2008/05/plist-file.png]]
Save your changes and run the following command to convert the file back to a binary:
plutil -convert binary1 com.apple.iPod.plist
Note: You may want to duplicate the iPod entry to prevent this from being disabled by future iPod syncs. To do so copy everything contained within the <dict> and </dict> below,
<key>000B27111236C6CB</key>
<dict>
…
</dict>
and paste just below the original entry. Then simply change the <key> number slightly to prevent overwriting.
''Step 2''
Open Address Book and go to the Preferences-General pane and check the box to enable Synchronize with Gmail. You’ll be prompted to enter your Gmail account information (see below).
If you don’t have any iSync devices such as mobile phones or PDAs then you will also need to enable Yahoo syncing for this to work, see this guide for more information.
[img[http://www.zaphu.com/v1/wp-content/uploads/2008/05/gmail-sync-prefs.png]]
''Step 3''
Now open iSync.app and go to the Preferences panel. Check the box to show status in the menu bar (see below). Quit iSync.app.
[img[http://www.zaphu.com/v1/wp-content/uploads/2007/11/isync1.png]]
''Step 4''
Make sure iSync.app is not running and go to the iSync menu bar icon and select ‘Sync Now’. You will be prompted to replace or merge with your Google Gmail Address Book.
Sometimes getting “Sync Now” to show up can be tricky, my only suggestion right now is to reboot and try again.
[img[http://www.zaphu.com/v1/wp-content/uploads/2008/04/sync-menubar.png]]
Repeat
Simply repeat steps 1-4 on any other Macs where you want your address book to be available.
To change the Google sync client type, open a terminal window and type (one line)
{{{
sudo defaults write /System/Library/PrivateFrameworks/GoogleContactSync.framework/Resources/ClientDescription Type 'server'
}}}
Then type the following one line command to restore the permissions on the plist file:
{{{
sudo chmod 644 /System/Library/PrivateFrameworks/GoogleContactSync.framework/Resources/ClientDescription.plist
}}}
------------------------
''Stop auto-switching in Spaces''
Problem: Spaces is great and all, but it forces me to sort by applications instead of tasks. For example, if I select {application} from the Dock, then it automatically switches me to the virtual desktop space in which I first started {application}. However, what I really wanted was to start another instance of {application} running in my current virtual desktop space. Assigning {application} to all desktops in the Spaces preferences isn't the solution, because then Spaces just drags around all {application} windows onto all desktop spaces.
Solution: Issue the following command in a Terminal or xterm (X11) window:
{{{
defaults write com.apple.dock workspaces-auto-swoosh -bool NO
}}}
Restart the Dock using the following command:
{{{
killall Dock
}}}
Spaces will now allow you to start multiple instances of an application in separate desktop spaces. Note that this setting can result in confusing behavior if you have used the Spaces preferences to assign a specific application to a specific desktop space (although assigning applications to all desktop spaces appears to be fine). Repeat with “NO” replaced by “YES” to restore the default behavior. The file modified by defaults in this case is ~/Library/Preferences/com.apple.Dock.plist.
OS Version Compatibility: Leopard (10.5.2+) only.
[[WRT54G]]
[[WRT54GC]]
[[WAP55AG]]
[[Auto-Deleting|AutoDelete]] entries that score >= X
Backing up [[Apple Mail|http://www.mothsoftware.com/ma_1.html]]
Backups are important. As Joni Mitchell reminds us, “Don’t it always seem to go / that you don’t know what you’ve got ’til it’s gone”.
Details about what to backup in Mail are provided in a [[tech note from Apple|http://docs.info.apple.com/article.html?artnum=151500]]. A complete backup set of Mail includes the following:
1. All the files located in ~/Library/Mail.
2. The “Mail Downloads” folder located in ~/Library
3. The “com.apple.mail.plist” file located in ~/Library/Preferences.
4. The “AddressBook” folder located in ~/Library/Application Support
(“~” is a symbol for your user or home directory. “~/Library” is the Library folder in your home directory.)
There are at least five ways to do the backup:
1. You could simply copy those files onto a blank CD-Rom mounted on your Desktop and burn them off once a week.
2. You could incorporate those files in a daily or weekly backup using [[Dantz Retrospect|http://www.versiontracker.com/dyn/moreinfo/macosx/13108]], [[RsyncX|http://www.versiontracker.com/dyn/moreinfo/macosx/16814]], [[Synk|http://www.versiontracker.com/dyn/moreinfo/macosx/7842]], [[Deja Vu|http://www.versiontracker.com/dyn/moreinfo/macosx/16206]] or one of the many other backup apps. This is what I do. I use [[Deja Vu|http://www.versiontracker.com/dyn/moreinfo/macosx/16206]], because it is clean, flexible and easy and the developer is a nice guy. I back up email and documents daily and the Home directory once a week onto an external drive. With [[Deja Vu|http://www.versiontracker.com/dyn/moreinfo/macosx/16206]] scheduling, it’s a “set and forget” kind of thing.
3. If you have a .Mac account you could use the new [[Backup 3 software|http://www.apple.com/support/downloads/backup.html]] from Apple. It is very pretty, but seems rather slow on my PowerBook, although I’m trying it out for the first time today.
4. [[Mail Archiver X|http://www.mothsoftware.com/ma_1.html]] is a dedicated Mail backup app. It offers to backup your mail, and also to clean it for archiving. It can strip out HTML and other useless things, so that you only save the important parts of your correspondence. It also offers a browser to search and manipulate your mail archives.
* Currently, the release version of the software doesn’t support the new message format in Mail 2.0. I emailed the developers about this and they replied:
** The beta 2 of version 1.3 adds compatibility for Mail in 10.4…. Please be aware that a new and improved interface will be available in the next version of [[Mail Archiver X|http://www.mothsoftware.com/ma_1.html]]. If all goes well, a new beta can be ready within the next two weeks.
* It costs USD 34.95. Wait and see would be my advice.
5. You could use one of the archiving apps like [[MailSteward|http://www.hawkwings.net/2005/10/13/mailsteward-powerful-archiving-and-searching/]] or [[FastMailBase|http://www.hawkwings.net/2005/10/14/fastmailbase-more-archiving-for-apple-mail/]] which offer features above and beyond merely backing up your email. They won’t back up your preferences or your Address Book though.
[[Reconnoiter]]
[[Dovecot]]
<html>
<pre>
MySQL Replication Notes
Converting from MyISAM -> INNODB
NOTE: FULL TEXT SEARCH is not available with INNODB; a table that carries a FULLTEXT index makes the reload fail outright rather than silently losing the index
* dump the database, if reloading after, use --add-drop-table
* sed -e 's/MyISAM/INNODB/g' dump.sql > new-dump.sql
* echo 'SET AUTOCOMMIT = 0;' > foo.sql && cat new-dump.sql >> foo.sql && echo 'COMMIT;' >> foo.sql && mv foo.sql new-dump.sql
o This has the side effect of treating the entire db load as a single transaction, which will be much faster
Master1
* grant replication slave on *.* to 'replication'@'%' identified by 'slave';
* change master to master_host='<master2 IP>', master_port=3306, master_user='replication', master_password='slave';
* slave start;
query_cache_type=1
query_cache_size=100M
set-variable = max_allowed_packet=50M
server-id=1
log_bin = /var/run/mysqld/mysql-bin.log
auto_increment_increment = 2
auto_increment_offset = 1
Master2
* grant replication slave on *.* to 'replication'@'%' identified by 'slave';
* change master to master_host='<master1 IP>', master_port=3306, master_user='replication', master_password='slave';
* slave start;
query_cache_type=1
query_cache_size=100M
set-variable = max_allowed_packet=50M
server-id=2
log_bin = /var/run/mysqld/mysql-bin.log
auto_increment_increment = 2
auto_increment_offset = 2
Import the data
* mysql -u root <database name> < dump.sql
Troubleshooting
To find out whether replication is/is not working and what has caused to stop it, you can take a look at the logs. On Debian, for example, MySQL logs to /var/log/syslog:
grep mysql /var/log/syslog
server1:/home/admin# grep mysql /var/log/syslog
May 29 09:56:08 http2 mysqld[1380]: 080529 9:56:08 [ERROR] Slave: Error 'Table 'mydb.taggregate_temp_1212047760' doesn't exist' on query. Default database: 'mydb'. Query: 'UPDATE thread AS thread,taggregate_temp_1212047760 AS aggregate
May 29 09:56:08 http2 mysqld[1380]: ^ISET thread.views = thread.views + aggregate.views
May 29 09:56:08 http2 mysqld[1380]: ^IWHERE thread.threadid = aggregate.threadid', Error_code: 1146
May 29 09:56:08 http2 mysqld[1380]: 080529 9:56:08 [ERROR] Error running query, slave SQL thread aborted. Fix the problem, and restart the slave SQL thread with "SLAVE START". We stopped at log 'mysql-bin.001079' position 203015142
server1:/home/admin#
You can see what query caused the error, and at what log position the replication stopped.
To verify that the replication is really not working, log in to MySQL:
mysql -u root -p
On the MySQL shell, run:
mysql> SHOW SLAVE STATUS \G
If one of Slave_IO_Running or Slave_SQL_Running is set to No, then the replication is broken:
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 1.2.3.4
Master_User: slave_user
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin.001079
Read_Master_Log_Pos: 269214454
Relay_Log_File: slave-relay.000130
Relay_Log_Pos: 100125935
Relay_Master_Log_File: mysql-bin.001079
Slave_IO_Running: Yes
Slave_SQL_Running: No
Replicate_Do_DB: mydb
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 1146
Last_Error: Error 'Table 'mydb.taggregate_temp_1212047760' doesn't exist' on query. Default database: 'mydb'.
Query: 'UPDATE thread AS thread,taggregate_temp_1212047760 AS aggregate
SET thread.views = thread.views + aggregate.views
WHERE thread.threadid = aggregate.threadid'
Skip_Counter: 0
Exec_Master_Log_Pos: 203015142
Relay_Log_Space: 166325247
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: NULL
1 row in set (0.00 sec)
mysql>
Repairing The Replication
Just to be sure, we stop the slave:
mysql> STOP SLAVE;
Fixing the problem is actually quite easy. We tell the slave to simply skip the invalid SQL query:
mysql> SET GLOBAL SQL_SLAVE_SKIP_COUNTER = 1;
This tells the slave to skip one query (which is the invalid one that caused the replication to stop). If you'd like to skip two queries, you'd use SET GLOBAL SQL_SLAVE_SKIP_COUNTER = 2; instead and so on.
That's it already. Now we can start the slave again...
mysql> START SLAVE;
... and check if replication is working again:
mysql> SHOW SLAVE STATUS \G
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 1.2.3.4
Master_User: slave_user
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin.001079
Read_Master_Log_Pos: 447560366
Relay_Log_File: slave-relay.000130
Relay_Log_Pos: 225644062
Relay_Master_Log_File: mysql-bin.001079
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB: mydb
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 447560366
Relay_Log_Space: 225644062
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: 0
1 row in set (0.00 sec)
mysql>
As you see, both Slave_IO_Running and Slave_SQL_Running are set to Yes now.
Now leave the MySQL shell...
mysql> quit;
... and check the log again:
grep mysql /var/log/syslog
server1:/home/admin# grep mysql /var/log/syslog
May 29 09:56:08 http2 mysqld[1380]: 080529 9:56:08 [ERROR] Slave: Error 'Table 'mydb.taggregate_temp_1212047760' doesn't exist' on query. Default database: 'mydb'. Query: 'UPDATE thread AS thread,taggregate_temp_1212047760 AS aggregate
May 29 09:56:08 http2 mysqld[1380]: ^ISET thread.views = thread.views + aggregate.views
May 29 09:56:08 http2 mysqld[1380]: ^IWHERE thread.threadid = aggregate.threadid', Error_code: 1146
May 29 09:56:08 http2 mysqld[1380]: 080529 9:56:08 [ERROR] Error running query, slave SQL thread aborted. Fix the problem, and restart the slave SQL thread with "SLAVE START". We stopped at log 'mysql-bin.001079' position 203015142
May 29 11:42:13 http2 mysqld[1380]: 080529 11:42:13 [Note] Slave SQL thread initialized, starting replication in log 'mysql-bin.001079' at position 203015142, relay log '/var/lib/mysql/slave-relay.000130' position: 100125935
server1:/home/admin#
The last line says that replication has started again, and if you see no errors after that line, everything is ok.
</pre>
</html>
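The troubleshooting steps above come down to two flags in SHOW SLAVE STATUS and a binlog position in syslog. The following is an added example, not part of the original notes, that turns them into a check that can run from cron on a replica: it parses the output of SHOW SLAVE STATUS \G, reports why replication is broken or lagging, and pulls the stop position out of the syslog error line. The sample outputs are constructed for this example from the values shown in the notes and are indented the way the mysql client prints them (the copy in the notes lost its alignment); the defaults-file path and the MAX_LAG threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): replication health check built
# on the same two flags the notes look at.  Sample data below is constructed.

# Print "name=value" for the fields we care about.  The mysql client right-aligns
# field names, so a field line is indented and its name ends in ':'; continuation
# lines of multi-line values (Last_Error) start at column 0 and are skipped.
slave_status_fields() {
    awk '
        /^[ \t]+[A-Za-z_]+:/ {
            name = $1; sub(/:$/, "", name)
            value = $0; sub(/^[ \t]+[A-Za-z_]+:[ \t]*/, "", value)
            if (name == "Slave_IO_Running" || name == "Slave_SQL_Running" ||
                name == "Last_Errno" || name == "Seconds_Behind_Master")
                printf "%s=%s\n", name, value
        }'
}

# $1 is the text of `SHOW SLAVE STATUS \G`.  Returns 0 and prints "replication ok"
# when both threads run and the lag is numeric and at most MAX_LAG seconds;
# otherwise prints the reason and returns 1.
replication_healthy() {
    io=""; sql=""; errno=""; lag=""
    # a heredoc, not a pipe, keeps the loop in this shell so the assignments survive
    while IFS='=' read -r name value; do
        case $name in
            Slave_IO_Running)      io=$value ;;
            Slave_SQL_Running)     sql=$value ;;
            Last_Errno)            errno=$value ;;
            Seconds_Behind_Master) lag=$value ;;
        esac
    done <<EOF
$(printf '%s\n' "$1" | slave_status_fields)
EOF
    if [ "$io" != "Yes" ] || [ "$sql" != "Yes" ]; then
        echo "replication broken: Slave_IO_Running=$io Slave_SQL_Running=$sql Last_Errno=$errno"
        return 1
    fi
    case $lag in
        ''|*[!0-9]*) echo "replication stalled: Seconds_Behind_Master=$lag"; return 1 ;;
    esac
    if [ "$lag" -gt "${MAX_LAG:-300}" ]; then
        echo "replica lagging: ${lag}s behind master"; return 1
    fi
    echo "replication ok (lag ${lag}s)"
}

# Extract "<binlog file> <position>" from the "[ERROR] ... We stopped at log 'X'
# position N" syslog line on stdin, to compare with Exec_Master_Log_Pos.
stopped_at() {
    sed -n "s/.*We stopped at log '\([^']*\)' position \([0-9]*\).*/\1 \2/p"
}

# Live use: credentials come from ~/.my.cnf (assumed), so no password appears
# on the command line or in the process list.
check_live_replica() {
    replication_healthy "$(mysql --defaults-extra-file="$HOME/.my.cnf" -e 'SHOW SLAVE STATUS \G')"
}

# Constructed samples: the broken and repaired states from the notes, abbreviated.
SAMPLE_BROKEN=$(cat <<'EOF'
*************************** 1. row ***************************
             Slave_IO_State: Waiting for master to send event
                Master_Host: 1.2.3.4
           Slave_IO_Running: Yes
          Slave_SQL_Running: No
                 Last_Errno: 1146
                 Last_Error: Error 'Table 'mydb.taggregate_temp_1212047760' doesn't exist' on query. Default database: 'mydb'.
Query: 'UPDATE thread AS thread,taggregate_temp_1212047760 AS aggregate
SET thread.views = thread.views + aggregate.views
WHERE thread.threadid = aggregate.threadid'
        Exec_Master_Log_Pos: 203015142
      Seconds_Behind_Master: NULL
1 row in set (0.00 sec)
EOF
)
SAMPLE_HEALTHY=$(cat <<'EOF'
*************************** 1. row ***************************
             Slave_IO_State: Waiting for master to send event
           Slave_IO_Running: Yes
          Slave_SQL_Running: Yes
                 Last_Errno: 0
                 Last_Error:
      Seconds_Behind_Master: 0
1 row in set (0.00 sec)
EOF
)
SAMPLE_SYSLOG="May 29 09:56:08 http2 mysqld[1380]: 080529 9:56:08 [ERROR] Error running query, slave SQL thread aborted. Fix the problem, and restart the slave SQL thread with \"SLAVE START\". We stopped at log 'mysql-bin.001079' position 203015142"
```

Two things the check does not tell you: after SET GLOBAL SQL_SLAVE_SKIP_COUNTER the threads run again, but the skipped statement is gone for good, so the two copies of the database can differ from that point on; and the GRANT in the notes accepts the replication user from any host ('%'), which is cheap to tighten to the peer's address.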
''Sept. 28, 1998'' Programming 1 - [[Java|http://java.sun.com]] - I had a Mac. Class required [[Java 1.0.2|http://java.sun.com/products/archive/]], Apple offered Java 1.0.1. *sigh* I had the option of doing my labs in the CS Lab on Windows, or telnet to the Sun E10k and learn how to use [[Emacs|http://www.gnu.org/software/emacs/]] and UNIX shell. Of course I had to choose the more difficult option. I opted to learn UNIX. Over the course of the next 3mo, I researched every option I could find on how I could do [[Java|http://java.sun.com]] programming on a Mac. I only found 1 solution. Run Linux (at the time, [[MkLinux|http://www.mklinux.org/]]). This would let me have a modern [[JDK (1.0.2)|http://java.sun.com/products/archive/]] so I wouldn't have to suffer the horror of Windows or telnet to [[Solaris|http://www.sun.com/software/solaris/index.jsp]]. The only catch to this was that [[MkLinux|http://www.mklinux.org/]] wouldn't run on the Performa 5200 that I had gotten for school (not more than 4mo. old).
''Dec. 25, 1998'' I managed to talk Mom into getting the pair of PowerMac 8600 units that were on clearance at the University Book store (where I worked and got an additional discount). These were the 200MHz PPC 604e with an AV I/O board. One was for her (to replace the SE30 she'd had for 5-6yrs), the second was to replace my Performa 5200.
''Jan. 1999'' I picked up a Hitachi 21" display to go with my shiny new PowerMac 8600. I started experimenting with [[MkLinux|http://www.mklinux.org/]]. It was a pretty big learning curve for somebody used to Mac OS 6-8. The (compressed) [[Linux|http://www.linux.org]] [[kernel (2.1.x)|http://www.kernel.org/pub/linux/kernel/v2.1/]] was stored in the System Folder on the Mac side, and a control panel allowed you to pick which OS during the boot. After about 20 installs of [[MkLinux|http://www.mklinux.org/]] I finally got all the settings correct and successfully booted [[Linux|http://www.linux.org]] to a command-line login. This got me able to do my [[java|http://java.sun.com]] homework in my dorm room. You'd think I'd reached my goal, I could relax and enjoy it. After a little while, [[MkLinux|http://www.mklinux.org/]] was replaced by [[LinuxPPC|http://penguinppc.org/]]. I spent the next 4 years discovering new features/capabilities in Linux and generally trying to learn everything I could about how it worked, how to break it, and how to fix it.
''Spring of 2001'' I started volunteering in the Research Lab at school. There I was reintroduced to [[Solaris|http://www.sun.com/software/solaris/index.jsp]] and Sun hardware. I didn't fool around with it too much, but there were some Ultra 5 boxes that weren't being used, installed Solaris 8 a few times, did a little playing around.
''Summer of 2001'' I was introduced to [[FreeBSD|http://www.freebsd.org]]. On the surface it seemed a lot like Linux, but under the hood, it was totally different. I played with it a bit, but had trouble finding documentation, and it wasn't long before I reverted back to the Linux I knew how to work.
''Fall of 2001'' I took over the management of the Research Lab.
''Summer of 2002'' I got a second introduction to [[FreeBSD|http://www.freebsd.org]]. By this time I had tried every major [[Linux|http://www.linux.org]] distribution (RedHat, Slackware, Mandrake, Debian, Gentoo) and was tired of either the community behind the distribution, or the distribution itself. I had investigated [[Solaris|http://www.sun.com/software/solaris/index.jsp]], and I was running my own server (Sun E4500) as a production web/mail/etc. server. I had tried [[IRIX|http://www.sgi.com/products/software/irix/]] on SGI Indy (as well as [[Linux|http://www.linux.org]] on Indy). [[IRIX|http://www.sgi.com/products/software/irix/]] turned out to be a PITA, mostly due to licensing of dev tools, and lack of community for 3rd party pkgs. [[Solaris|http://www.sun.com/software/solaris/index.jsp]] was OK as a server, but for a desktop it was wanting. Things I thought were basic, [[Solaris|http://www.sun.com/software/solaris/index.jsp]] didn't offer them, such as wireless. It took a little bit, but [[FreeBSD|http://www.freebsd.org]] [[4.8|http://ftp.freebsd.org/pub/FreeBSD/ISO-IMAGES-i386/]] supported my Thinkpad x30, including the 802.11b.
''2002-2003 School year'' - This year I took a parallel programming class and learned how to use [[lam MPI|http://www.lam-mpi.org/]]. The instructor was teaching us how to have multiple instances running on a single computer. This seemed silly to me. I also knew that we had 22 ancient workstations sitting in a closet. A friend and I decided we would put together a Beowulf cluster so we could do real parallel programming. It sounds silly, but the combined compute power of the cluster was about the same as a "modern" laptop or desktop. It would however, more properly model parallel execution of code, and that was the real goal.
''Summer of 2003'' I spent doing my Capstone project. The project comprised changing the networking of the lab from being behind the campus firewalls to out in front of them. It required configuration of a PIX (don't ever use these as routers, they are horrible routers) to segment the network into a DMZ and a private network. The DMZ would contain a myriad of servers to provide web, DNS, CVS, and mail services for the lab, while the private network contained all the workstations. There was also a parallel compute cluster (generation 2) comprised of (not kidding here) a master node (Sun SPARC center 1000 with StorageArray 1010 acting as NFS storage) and 22 slave nodes (Sun Ultra 2). The creation of the compute cluster was one of the more interesting projects I got to do. I learned how to do automated installations with [[Sun's JumpStart|http://www.sun.com/bigadmin/content/jet/]]. Once I got that under control, I added [[cfengine|http://www.cfengine.org]] to the mix. This took longer to get a handle on, and then a while to get all my configurations defined. Once all this was setup, I was able to do the OS install and production deployment for each node in 15min. I could also do all the installs in parallel. Adding new nodes to the cluster was about a 20min process. Very cool.
''2003-2004'' Senior year.
[[Snow Leopard|http://www.apple.com/osx]] [[Notes|SnowLeopardNotes]]
Leopard [[Notes|LeopardNotes]]
Tiger [[Notes|TigerNotes]]
[[GeekTool]]
[[Growl]]
[[Mail.app]]
[[TFTP Setup|TFTPsetup]]
[img[http://www.pgp.com/images/navtop_logo.jpg]]
Install:
* emulators/linux_base-fc4
* textproc/linux-libxml2
* create ~/.pgp or it will complain about "permission denied" in obscure ways
* you can use existing gnupg keys, just copy them to the .pgp directory and change the extension to skr
* may want to add /compat/linux/usr/bin to your PATH so you don't have to keep typing it in
[[Debugging Desktop|DebuggingPGPDesktop]]
[[FreeBSD]]
[[OSX]]
[[Xen]]
[[Storage]]
[[Cisco]]
[[HTPC]]
[[FreeNAS]]
[[FreeNAS_Vinnie]]
[[Photography]]
[[Bicycles]]
[[Wishlist]]
[[PGP]]
[[Nerdly Inspiration|Nerdly_Inspiration]]
[[TiddlyWiki]]
[[BayLISA]]
* graphics/ufraw - The Unidentified Flying Raw ([[UFRaw|http://ufraw.sourceforge.net]]) is a utility to read and manipulate raw images from digital cameras. It can be used on its own or as a Gimp plug-in. It reads raw images using Dave Coffin's raw conversion utility - ~DCRaw. ~UFRaw supports basic color management using Little CMS, allowing the user to apply color profiles. For Nikon users ~UFRaw has the advantage that it can read the camera's tone curves. Even if you don't own a Nikon, you can still apply a Nikon curve to your images.
* graphics/dcraw
| Item + Review | Sale |
|Canon [[EOS-1Ds Mark III|http://www.dpreview.com/reviews/specs/Canon/canon_eos1dsmkiii.asp]]|[[ShopCartUSA|http://www.shopcartusa.com/P_Canon_EOS_1Ds_Mark_III_2011B002/]]|
|Canon [[EF 24-70mm f/2.8L USM|http://www.usa.canon.com/consumer/controller?act=ModelInfoAct&fcategoryid=149&modelid=8503]] | [[ShopCartUSA|http://www.shopcartusa.com/P_Canon_Zoom_Wide_Angle-Telephoto_EF_24-70mm_f_2.8L_USM_Autofocus_8014A002/View_Overview/]]|
|Canon [[EF 70-200mm f/2.8L IS USM|http://www.usa.canon.com/consumer/controller?act=ModelInfoAct&fcategoryid=150&modelid=7469]] | [[ShopCartUSA|http://www.shopcartusa.com/P_Canon_Zoom_Telephoto_EF_70-200mm_f_2.8L_IS_(Image_Stabilizer)_7042A002/View_Overview/]]|
|[[Lowepro CompuRover AW Camera Backpack|http://products.lowepro.com/product/CompuRover-AW,1923,16.htm]] | |
|[[Epson Stylus Photo R2400|http://www.epson.com/cgi-bin/Store/consumer/consDetail.jsp?BV_UseBVCookie=yes&oid=53540920]] | [[Pricewatch|http://castle.pricewatch.com/s/search.asp?s=Epson+Stylus+Photo+R2400]]|
| Gorillapod Flexible Tripod | [[Amazon|http://www.amazon.com/Joby-GP3-01EN-Gorillapod-SLR-Zoom-Flexible/dp/B000KFRSG4/ref=pd_bbs_sr_2?ie=UTF8&s=electronics&qid=1206580697&sr=8-2]]|
| Canon LA-DC58H Conversion Lens Adapter G9 | [[Amazon|http://www.amazon.com/Canon-Conversion-Adapter-Digital-Cameras/dp/B000JILHDC/ref=pd_bbs_sr_4?ie=UTF8&s=electronics&qid=1206760197&sr=8-4]]|
| Canon TC-DC58C Tele Converter Lens G9 | [[Amazon|http://www.amazon.com/Canon-TC-DC58C-Converter-Digital-Cameras/dp/B000JILHF0/ref=pd_bbs_sr_7?ie=UTF8&s=electronics&qid=1206760197&sr=8-7]]|
| Canon WC-DC58B Wide Converter Lens G9 | [[Amazon|http://www.amazon.com/Canon-WC-DC58B-Converter-Digital-Cameras/dp/B000JILHFU/ref=pd_bbs_sr_9?ie=UTF8&s=electronics&qid=1206760197&sr=8-9]]|
autoconf
./configure LDFLAGS=-L/usr/local/lib CPPFLAGS=-I/usr/local/include
change src/Makefile.in stratcond.conf -> stratcon.conf
mkdir /usr/local/java/lib
edit crontab to have correct location of psql
<html>
<pre>
Secure Shell (ssh and Its Friends)
By default ssh on the Mac is not set up to accept incoming connections. So from the Mac you could use scp to copying files in or out, but you couldn't sit at a remote machine and connect to the Mac. So, to get ssh started, issue this command:
sudo /sbin/service ssh start
You should just have to issue that command once and it will then be running the next time you reboot or whatever.
Alternatively, Aaron Whiteman clued me in to the "proper" way to start ssh. Open "System Preferences", choose "Sharing", and select "Remote Login". Done!
Aaron also writes:
Look into "SSH Agent" (http://www.phil.uu.nl/~xges/ssh/), which puts your ssh keys in the keychain, doing the same as what ssh-agent/ssh-add do on a unix box. It also has the added benefits of being able to set env variables before you are completely logged in, so Terminal.app and any other MacOS application have them as needed.
General instructions for generating keys (and getting this going on a generic box) can be found here.
For the Mac, first generate these keys (and put the "pub" part on the machines you want to get to). Then start SSH Agent and click the "Add Identity..." button. You want to add the id_dsa file. Enter your password to unlock the keys and then you should be done! No more need to enter passwords for your ssh-related connections (well, until you log-out and log-in again or shut down SSH Agent).
If you use SSH Agent, be sure to go to its Preferences and check the "Make Agent Global" box.
I also have found it very useful (especially in the context of using a cluster), to be able to get authentication working from the command line. That requires that you issue various commands that, among other things, set some environmental variables. Since I don't know how to set environmental variables of the parent process via a shell script, instead I wrote a script which will echo the commands I need to run. I then copy those commands and paste them back onto the command line. Here is the shell script (commands are shamelessly stolen from http://mah.everybody.org/docs/ssh):
#!/bin/bash -norc
echo This is not a true script! Copy the following commands onto the
echo "command line (and you will be prompted for your password)."
echo
cat - <<EOF
==========================================================================
SSHAGENT=/usr/bin/ssh-agent
SSHAGENTARGS="-s"
if [ -z "\$SSH_AUTH_SOCK" -a -x "\$SSHAGENT" ]; then
eval \`\$SSHAGENT \$SSHAGENTARGS\`
trap "kill \$SSH_AGENT_PID" 0
fi
ssh-add ~/.ssh/id_dsa
==========================================================================
EOF
exit
########################################################################
# This gives the commands to fire up ssh-agent from the command line.
#
# You can copy the follow commands into the command line manually.
# That's the only way I know to have the environmental variables
# properly set.
#
# These commands were shamelessly stolen from:
# http://mah.everybody.org/docs/ssh
########################################################################
SSHAGENT=/usr/bin/ssh-agent
SSHAGENTARGS="-s"
if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then
eval `$SSHAGENT $SSHAGENTARGS`
trap "kill $SSH_AGENT_PID" 0
fi
ssh-add ~/.ssh/id_dsa
Note that this shell script also includes a copy of the commands at the bottom of the file. To get the command to be written properly using cat, a few characters had to be quoted (using the backslash character). The version at the end of the file has these "quotes" removed and hence can be cut from the file verbatim and pasted to the command line. Nevertheless, the echoed commands which appear on the screen after running the script should be ready to cut-and-paste too (since they will then lack the quotes).
Terry Jones pointed out that there is a way to work-around the problem of setting environmental variables in the parent process. Instead of using a shell script, use a shell function. To quote Terry:
So instead of a file called mycommand
#!/bin/sh
export MYVAR=fred
create a file called ~/.bash-functions with
mycommand (){
export MYVAR=fred
}
and then from your shell (from your .bash_profile most likely),
you just
. ~/.bash-functions
(or source ~/.bash-functions if you insist).
That seems like a much cleaner way to do things.
Finally, there is a chance you may have to add the following to /etc/ssh_config to get things working:
Host *
PubkeyAuthentication yes
</pre>
</html>
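Terry's shell-function approach, as an added example that is not part of the original page: the functions below are meant to be sourced from .bash_profile, so the agent's variables land in the login shell itself. What they add to the one-liners above is reuse of an agent that is already running (through a small cache file) and a strict import of the agent's output instead of a blind eval of it. The path of ssh-agent, the cache file name and the sample agent output in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: ssh-agent handling as shell
# functions to be sourced, not run as a child script.  Assumptions: ssh-agent
# is at $SSHAGENT and prints the "VAR=value; export VAR;" lines of `ssh-agent -s`;
# $AGENT_ENV caches those lines between logins.

SSHAGENT=${SSHAGENT:-/usr/bin/ssh-agent}
AGENT_ENV=${AGENT_ENV:-$HOME/.ssh/agent.env}

# Import ssh-agent's "VAR=value; export VAR;" lines (passed as $1) into the
# *current* shell.  Only the two agent variables are accepted and the pid must
# be numeric, so the cache file is never eval'ed blindly.  The heredoc, rather
# than a pipe, keeps the while loop in this shell: a pipe would run it in a
# subshell and the exports would vanish, exactly as a script's do.
import_agent_env() {
    while IFS= read -r line; do
        case $line in
            "SSH_AUTH_SOCK="*"; export SSH_AUTH_SOCK;")
                SSH_AUTH_SOCK=${line#SSH_AUTH_SOCK=}
                SSH_AUTH_SOCK=${SSH_AUTH_SOCK%%;*}
                export SSH_AUTH_SOCK ;;
            "SSH_AGENT_PID="*"; export SSH_AGENT_PID;")
                pid=${line#SSH_AGENT_PID=}
                pid=${pid%%;*}
                case $pid in
                    ''|*[!0-9]*) ;;                     # not a pid, ignore the line
                    *) SSH_AGENT_PID=$pid; export SSH_AGENT_PID ;;
                esac ;;
            *) ;;                                       # "echo Agent pid N;" and anything else
        esac
    done <<EOF
$1
EOF
}

# True when the agent variables point at a live agent socket.
agent_alive() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Reuse an agent from the environment, then one recorded in the cache file,
# and start a new one only when neither works.  Call it from the interactive
# shell or a sourced file, never from a child script.
ensure_ssh_agent() {
    agent_alive && return 0
    if [ -r "$AGENT_ENV" ]; then
        import_agent_env "$(cat "$AGENT_ENV")"
        agent_alive && return 0
    fi
    [ -x "$SSHAGENT" ] || return 1
    # the cache names the socket and pid, so keep it readable by the owner only
    (umask 077; "$SSHAGENT" -s > "$AGENT_ENV") || return 1
    import_agent_env "$(cat "$AGENT_ENV")"
    agent_alive
}

# Usage, from ~/.bash_profile (file name assumed):
#   . ~/.ssh/agent-functions.sh
#   ensure_ssh_agent && ssh-add ~/.ssh/id_dsa
```

The sample agent output `SSH_AUTH_SOCK=/tmp/ssh-example/agent.4241; export SSH_AUTH_SOCK;` followed by `SSH_AGENT_PID=4242; export SSH_AGENT_PID;` is what `import_agent_env` expects; anything else on a line is ignored rather than executed.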
* Crontab entries
{{{
30 01 * * * root echo "svnsync started at `date`" >>/var/log/svnsync.log && /usr/local/bin/svnsync sync --non-interactive file:///svn/freebsd/src/base >>/var/log/svnsync.log; echo "svnsync ended at `date` exit status $?" >>/var/log/svnsync.log
30 03 * * * root echo "svnsync started at `date`" >>/var/log/svnsync.log && /usr/local/bin/svnsync sync --non-interactive file:///svn/freebsd/src/base >>/var/log/svnsync.log; echo "svnsync ended at `date` exit status $?" >>/var/log/svnsync.log
1 1 * * 0-5 root /usr/local/etc/cvs-repo-freebsd -p > /dev/null
1 4 * * 0-5 root /usr/local/etc/cvs-repo-freebsd -p > /dev/null
1 1 * * 6 root /usr/local/etc/cvs-repo-freebsd -p -s > /dev/null
1 4 * * 6 root /usr/local/etc/cvs-repo-freebsd -p -s > /dev/null
}}}
* csup(1) mirroring script
{{{
#!/bin/sh -
#
# Script to re-sync a CVS repository. Based on a script that Julian
# Elischer had last modified before I got my grubby hands on it and
# twisted it beyond recognition.
# -- David Wolfskill
# Further twisted - Louis Kowolowski
#
PATH=/bin:/usr/bin:/sbin:/usr/sbin
#
# Refresh the cvs tree.
#
test_mode=""
do_ports=""
do_strictrcs=""
while getopts "pst" COMMAND_LINE_ARGUMENT ; do
case "${COMMAND_LINE_ARGUMENT}" in
p)
do_ports="yes"
;;
s)
do_strictrcs="yes"
;;
t)
test_mode="yes"
;;
esac
done
CVSROOT=/cvs;export CVSROOT
FBSDROOT=${CVSROOT}/freebsd
#LOG=/var/tmp/cvsup.log
LOG=/var/tmp/csup.log
#H_LOG=/var/log/cvsup-history.log
H_LOG=/var/log/csup-history.log
CMD_PFX=""
HALTFILE=/usr/local/etc/cvsup/cvsupd.HALT
if [ "${test_mode}" = "yes" ]; then
echo "Test mode; logging to /dev/tty instead of ${LOG} and ${H_LOG}..."
LOG=/dev/tty
H_LOG=/dev/tty
CMD_PFX="echo Would issue"
fi
umask 002
SUPFILE=/tmp/$$.supfile
RELEASE="release=cvs"
HOSTBASE="hostbase=/cvs"
BASE="base=/cvs/freebsd"
PREFIX="prefix=/cvs/freebsd"
#OPTIONS="delete old use-rel-suffix"
OPTIONS="delete use-rel-suffix"
if [ "${do_strictrcs}" = "yes" ]; then
OPTIONS="${OPTIONS} strictrcs"
fi
: > ${LOG}
${CMD_PFX} touch ${HALTFILE}
echo "new CVSup requests disabled at `date`" >>${LOG}
cvsupd="stopped"
# Start from an empty SERVER so a value inherited from the environment is never used
SERVER=""
if [ -d ${FBSDROOT} ]; then
# Pick the nearest US mirror, but only use it if it answers ping
s=`/usr/local/bin/fastest_cvsup -Q -c us`
if [ -n "${s}" ] && ping -q -c 3 ${s} >/dev/null ; then
SERVER=${s}
fi
if [ -z "${SERVER}" ]; then
# No reachable mirror: skip the sync (the original "continue" here was outside
# any loop, so csup ran with an empty host); cvsupd is re-enabled below
echo "Unable to reach CVSup server ${s}" >>${LOG}
else
echo "CVSup begin from ${SERVER} at `date`" >>${H_LOG}
HOST="host=${SERVER}"
#ARGS="${RELEASE} ${HOST} ${HOSTBASE} ${BASE} ${PREFIX} ${OPTIONS}"
ARGS="${RELEASE} ${HOST} ${BASE} ${PREFIX} ${OPTIONS}"
cat >${SUPFILE} <<DONE
cvsroot-all ${ARGS}
src-all ${ARGS}
ports-all ${ARGS}
doc-all ${ARGS}
DONE
if [ "${test_mode}" = "yes" ]; then
echo "Supfile is:"
cat ${SUPFILE} >/dev/tty
fi
if ${CMD_PFX} /usr/bin/csup -1 -g -L1 ${SUPFILE} >>$LOG 2>&1; then
echo "CVSup ended from ${SERVER} at `date`" >>${H_LOG}
echo "CVSup ended from ${SERVER} at `date`" >>${LOG}
chgrp -R wheel ${FBSDROOT} >>$LOG 2>&1
chmod -R g+rw ${FBSDROOT} >>$LOG 2>&1
${CMD_PFX} /bin/rm -f ${HALTFILE}
echo "new CVSup requests enabled at `date`" >> ${LOG}
cvsupd="started"
${CMD_PFX} cd /usr/doc && ${CMD_PFX} cvs -Rr update -d -P >>$LOG 2>&1
if [ "${do_ports}" = "yes" ]; then
${CMD_PFX} cd /usr/ports && ${CMD_PFX} cvs -Rr update -d -P >>$LOG 2>&1
echo "/usr/ports update ended at `date`" >>${LOG}
else
echo "/usr/ports update skipped at `date`" >>${LOG}
fi
else
# csup failed: record it in the history log; cvsupd is re-enabled below
echo "CVSup FAILED from ${SERVER} at `date`" >>${H_LOG}
fi
fi
fi
if [ "${cvsupd}" = "stopped" ]; then
${CMD_PFX} /bin/rm -f ${HALTFILE}
echo "new CVSup requests enabled at `date`" >> ${LOG}
fi
rm ${SUPFILE}
}}}
Authenticated sending (sendmail.mc):
<html>
<pre>
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl # Drop the "p" if you want to allow non-encrypted login
dnl # (e.g. for testing your configuration)
dnl #
dnl # (confAUTH_OPTIONS: "A" adds AUTH= to MAIL FROM only after a successful
dnl #  authentication; "p" refuses PLAIN/LOGIN unless a security layer such as
dnl #  STARTTLS is active)
define(`confAUTH_OPTIONS', `A p')dnl
</pre>
</html>
REGEXP (Perl patterns used by the sendmail syslog summarizer; each is anchored at the 14-character sendmail queue ID, so the syslog prefix must already have been removed from the line)
qr/^
([^\n]{14}) : [ ]
from = ([^\n]+?) , [ ]
size = (\d+?) , [ ]
class = (-? \d+?) , [ ]
nrcpts = (\d+?) , [ ]
(?: msgid = ([^\n]+?) , [ ])?
(?: bodytype = ([^\n]+?) , [ ])?
(?: proto = ([^\n]+?) , [ ])?
(?: daemon = ([^\n]+?) , [ ])?
relay = ([^\n]+)
/x;
qr/^
([^\n]{14}) : [ ]
rejecting [ ]
commands [ ]
from [ ]
([^\n]+?) [ ]
due [ ]
to [ ]
pre-greeting [ ]
traffic
/x;
qr/^
([^\n]{14}) : [ ]
(<[^\n]+?>)
\. \. \. [ ]
User [ ]
unknown
/x;
qr/^
([^\n]{14}) : [ ]
([^\n]+) [ ]
did [ ]
not [ ]
issue
/x;
qr/^
([^\n]{14}) : [ ]
lost [ ]
input [ ]
channel [ ]
from [ ]
([^\n]+) [ ]
to [ ]
MTA [ ]
after [ ]
data
/x;
qr/^
([^\n]{14}) : [ ]
lost [ ]
input [ ]
channel [ ]
from [ ]
([^\n]+) [ ]
to [ ]
MTA [ ]
after [ ]
rcpt
/x;
qr/^
WorkList [ ]
for [ ]
([^\n]+?) [ ]
maxed [ ]
out [ ]
at [ ]
(\d+)
/x;
qr/^
([^\n]{14}) : [ ]
timeout [ ]
waiting [ ]
for [ ]
input [ ]
from [ ]
([^\n]+?) [ ]
during [ ]
server [ ]
cmd [ ]
read
/x;
qr/^
([^\n]{14}) : [ ]
collect : [ ]
premature [ ]
EOM : [ ]
unexpected [ ]
close
/x;
qr/^
([^\n]{14}) : [ ]
ruleset = ([^\n]+?) , [ ]
arg1 = ([^\n]+?) , [ ]
relay = ([^\n]+?) , [ ]
reject = (\d+?) [ ]
([\d \.]+?) [ ]
Domain
[^\n]+
resolve
/x;
qr/^
([^\n]{14}) : [ ]
ruleset = ([^\n]+?) , [ ]
arg1 = ([^\n]+?) , [ ]
relay = ([^\n]+?) , [ ]
reject = (\d+?) [ ]
([\d \.]+?) [ ]
([^\n]+?)
\. \. \. [ ]
Domain
[^\n]+
exist
/x;
qr/^
([^\n]{14}) : [ ]
collect : [ ]
premature [ ]
EOM : [ ]
Connection [ ]
reset [ ]
by [ ]
([^\n]+)
/x;
qr/^
STARTTLS = ([^\n]+?) , [ ]
relay = ([^\n]+?) , [ ]
version = ([^\n]+?) , [ ]
verify = ([^\n]+?) , [ ]
cipher = ([^\n]+?) , [ ]
bits = ([\d \|]+)
/x;
qr/^
runqueue : [ ]
Flushing [ ]
queue [ ]
from [ ]
([^\n]+?) [ ]
\(
pri [ ]
(\d+) , [ ]
LA [ ]
(\d+) , [ ]
(\d+) [ ]
of [ ]
(\d+)
/x;
qr/^
([^\n]{14}) : [ ]
to = ([^\n]+?) , [ ]
delay = ([^\n]+?) , [ ]
(?: xdelay = ([^\n]+?) , [ ])?
mailer = ([^\n]+?) , [ ]
pri = (\d+?) , [ ]
(?: relay = ([^\n]+?) , [ ])?
(?: dsn = ([^\n]+?) , [ ])?
stat = ([^\n]+)
/x;
qr/^
ruleset = (.+?) , [ ]
arg1 = (.+?) , [ ]
arg2 = (.+?) , [ ]
(?: relay = (.+?) , [ ])?
reject = (\d+?) [ ]
([\d \.]+?) [ ]
Rejected: [ ]
([\d \.]+?) [ ]
listed [ ]
at [ ]
(.+)
/x;
qr/^
(.{14}) : [ ]
Milter : [ ]
to = (.+?) , [ ]
reject = (\d+?) [ ]
([\d \.]+?) [ ]
server [ ]
\[
(.+?)
\] [ ]
for [ ]
(.+?) [ ]
rejected [ ]
address [ ]
saying : [ ]
(.+)
/x;
qr/^
(.{14}) : [ ]
Milter : [ ]
from = (.+?) , [ ]
reject = (\d+?) [ ]
([\d \.]+?) [ ]
invalid [ ]
domain [ ]
name
/x;
qr/^
(.{14}) : [ ]
SYSERR \( root \) : [ ]
collect : [ ]
I \/ O [ ]
error [ ]
on [ ]
connection [ ]
from [ ]
(.+?) , [ ]
from = (.+?)
/x;
qr/^
(.{14}) : [ ]
collect : [ ]
unexpected [ ]
close [ ]
on [ ]
connection [ ]
from [ ]
(.+?) , [ ]
sender = (.+)
/x;
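Added example, not the ~dhw summarizer itself: four of the qr/.../x patterns above (the from= line, the to= line, the pre-greeting rejection and the "Domain ... does not resolve" rejection) transcribed unchanged into Python's re.VERBOSE and run over constructed syslog lines. The syslog prefix regex, the sample lines and the 192.0.2.0/24 and 198.51.100.0/24 addresses are assumptions made for the demonstration; the per-relay tally shows why the pre-greeting pattern is worth keeping, since a client that talks before the banner is almost always a bot.

```python
"""Apply this page's sendmail syslog patterns to log lines and summarize them."""
import re
from collections import Counter

# Assumed syslog prefix ("Nov  3 01:02:03 mx sendmail[4242]: "); the page's
# patterns begin at the 14-character sendmail queue ID that follows it.
SYSLOG_PREFIX = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+(?:sendmail|sm-mta)\[\d+\]:\s+"
)

# Message-received line: from=, size=, class=, nrcpts=, ... relay=
FROM_LINE = re.compile(r"""^
    ([^\n]{14}) : [ ]
    from = ([^\n]+?) , [ ]
    size = (\d+?) , [ ]
    class = (-? \d+?) , [ ]
    nrcpts = (\d+?) , [ ]
    (?: msgid = ([^\n]+?) , [ ])?
    (?: bodytype = ([^\n]+?) , [ ])?
    (?: proto = ([^\n]+?) , [ ])?
    (?: daemon = ([^\n]+?) , [ ])?
    relay = ([^\n]+)
""", re.VERBOSE)

# Delivery-attempt line: to=, delay=, ... stat=
TO_LINE = re.compile(r"""^
    ([^\n]{14}) : [ ]
    to = ([^\n]+?) , [ ]
    delay = ([^\n]+?) , [ ]
    (?: xdelay = ([^\n]+?) , [ ])?
    mailer = ([^\n]+?) , [ ]
    pri = (\d+?) , [ ]
    (?: relay = ([^\n]+?) , [ ])?
    (?: dsn = ([^\n]+?) , [ ])?
    stat = ([^\n]+)
""", re.VERBOSE)

# Client sent commands before the greeting (greet_pause): a strong bot signal
PRE_GREETING = re.compile(r"""^
    ([^\n]{14}) : [ ]
    rejecting [ ] commands [ ] from [ ] ([^\n]+?) [ ]
    due [ ] to [ ] pre-greeting [ ] traffic
""", re.VERBOSE)

# check_mail rejected the sender because its domain did not resolve
REJECT_NORESOLVE = re.compile(r"""^
    ([^\n]{14}) : [ ]
    ruleset = ([^\n]+?) , [ ]
    arg1 = ([^\n]+?) , [ ]
    relay = ([^\n]+?) , [ ]
    reject = (\d+?) [ ]
    ([\d \.]+?) [ ]
    Domain [^\n]+ resolve
""", re.VERBOSE)

PATTERNS = [
    ("from", FROM_LINE),
    ("to", TO_LINE),
    ("pre_greeting", PRE_GREETING),
    ("reject_noresolve", REJECT_NORESOLVE),
]

# Constructed sample (not a real log); addresses are from the RFC 5737 test ranges.
SAMPLE_LOG = [
    "Nov  3 01:02:03 mx sendmail[4242]: nA3K0abc012345: from=<alice@example.com>, size=1234, class=0, nrcpts=1, msgid=<1@example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.0.2.10]",
    "Nov  3 01:02:04 mx sendmail[4243]: nA3K0abc012345: to=<bob@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31234, relay=mx.example.org. [198.51.100.5], dsn=2.0.0, stat=Sent (OK)",
    "Nov  3 01:02:09 mx sendmail[4250]: nA3K29xy012350: rejecting commands from bot.example.net [192.0.2.50] due to pre-greeting traffic",
    "Nov  3 01:02:15 mx sendmail[4251]: nA3K2Fzz012351: ruleset=check_mail, arg1=<bogus@nonexistent.invalid>, relay=spammer.invalid [192.0.2.99], reject=451 4.1.8 Domain of sender address bogus@nonexistent.invalid does not resolve",
    "Nov  3 01:02:40 mx sendmail[4260]: nA3K2eAB012360: rejecting commands from bot.example.net [192.0.2.50] due to pre-greeting traffic",
    "Nov  3 01:02:41 mx sendmail[4243]: nA3K0abc012345: done; delay=00:00:02, ntries=1",
]


def classify(line):
    """Return (kind, groups) for one syslog line, or (None, None) if nothing matches."""
    body = SYSLOG_PREFIX.sub("", line, count=1)
    for kind, pattern in PATTERNS:
        m = pattern.match(body)
        if m:
            return kind, m.groups()
    return None, None


def summarize(lines):
    """Count line kinds and tally which relays were rejected, as a summarizer would."""
    counts = Counter()
    rejected_relays = Counter()
    for line in lines:
        kind, groups = classify(line)
        if kind is None:
            counts["unparsed"] += 1
            continue
        counts[kind] += 1
        if kind == "pre_greeting":
            rejected_relays[groups[1]] += 1      # the host after "from"
        elif kind == "reject_noresolve":
            rejected_relays[groups[3]] += 1      # the relay= field
    return counts, rejected_relays


if __name__ == "__main__":
    counts, relays = summarize(SAMPLE_LOG)
    for kind, n in sorted(counts.items()):
        print(f"{kind:18s} {n}")
    for relay, n in relays.most_common():
        print(f"rejected {n}x: {relay}")
```

The patterns have no trailing anchor, so newer sendmail releases that append "after N seconds" to the pre-greeting line still match; lines none of the patterns know about are counted as unparsed rather than dropped, which is the number to watch when sendmail is upgraded and its log format shifts.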
[[VerboseBooting]]
Set printing options that aren't in the gui [[here|http://localhost:631/admin/]]
<html>
<pre>
# If using DB_File, then I would suggest setting 'bayes_learn_to_journal 1' in
# spam.assassin.prefs.conf, as from experience it will reduce the lock
# contention and speed up batch processing considerably.
bayes_learn_to_journal 1
</pre>
</html>
cbl.abuseat.org is a feed into xbl.spamhaus.org. If you dig around on abuseat's site, they have a policy prohibiting direct use of the CBL by sites large enough that they would need a data feed to use the XBL.
The other feed into the XBL is the open-proxy list from NJABL, which has no such restriction.
bl.spamcop.net works pretty well, but does have some significant FPs now that it lists backscatter sources (in the SpamAssassin 3.2 mass-checks, the hits on spamcop were 87.1% spam, and therefore 12.9% nonspam).
mail-abuse.org isn't free, and hasn't been for years. It's now part of Trend Micro's "Email Reputation Services", a for-pay service.
In general you might want to look at the STATISTICS file that comes with SA and see what the SpamAssassin mass-checks came up with. A "perfect" spam rule will have an S/O of 1.0 (100% of matches being spam, 0% nonspam), so look for RBL tests (RCVD_IN_*) with S/O values above 0.95 (95% spam, 5% nonspam). Also look for ones that match a decent amount of mail, because a perfectly accurate list with a really low hit-rate isn't helpful. I'd look for at least 5% in the spam% column.
http://svn.apache.org/repos/asf/spamassassin/branches/3.2/rules/STATISTICS-set3.txt
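Added example (not a SpamAssassin tool): a parser for the column layout of STATISTICS-set3.txt that applies the selection rule above (RCVD_IN_* rules with S/O above 0.95 and at least 5% in the spam% column) and cross-checks each listed S/O against spam% / (spam% + ham%), the definition assumed here for how the mass-check tooling derives it. The sample table is constructed for the demonstration with invented numbers; it is not the 3.2 mass-check output.

```python
"""Pick RBL rules out of a SpamAssassin STATISTICS file by S/O and spam hit-rate."""
from dataclasses import dataclass

# Constructed sample in the layout of STATISTICS-set3.txt
# (OVERALL%  SPAM%  HAM%  S/O  RANK  SCORE  NAME). The numbers are invented
# for this demonstration; they are not the 3.2 mass-check results.
SAMPLE_STATISTICS = """\
OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME
  61404    33135    28269    0.540   0.00    0.00  (all messages)
100.000  53.9622  46.0378    0.540   0.00    0.00  (all messages as %)
 46.343  85.3870   0.5806    0.993   0.98    3.50  RCVD_IN_XBL
 22.110  40.1200   0.0300    0.999   0.95    2.20  RCVD_IN_PBL
 24.500  39.0000   7.5000    0.839   0.60    1.50  RCVD_IN_BL_SPAMCOP_NET
  0.120   0.2200   0.0010    0.995   0.40    1.00  RCVD_IN_TINY_LIST
  2.000   0.5000   3.7000    0.119   0.20   -1.00  RCVD_IN_DNSWL_MED
"""


@dataclass
class RuleStats:
    name: str
    overall_pct: float
    spam_pct: float
    ham_pct: float
    so: float
    rank: float
    score: float

    def so_recomputed(self):
        """S/O as assumed here: spam% / (spam% + ham%)."""
        total = self.spam_pct + self.ham_pct
        return self.spam_pct / total if total else 0.0


def parse_statistics(text):
    """Parse the whitespace-separated table; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        try:
            nums = [float(f) for f in fields[:6]]
        except ValueError:
            continue  # header line (OVERALL% ...)
        rows.append(RuleStats(" ".join(fields[6:]), *nums))
    return rows


def select_rbls(text, min_so=0.95, min_spam_pct=5.0):
    """RCVD_IN_* rules with S/O >= min_so and spam% >= min_spam_pct, highest hit-rate first."""
    picked = [r for r in parse_statistics(text)
              if r.name.startswith("RCVD_IN_")
              and r.so >= min_so and r.spam_pct >= min_spam_pct]
    return sorted(picked, key=lambda r: r.spam_pct, reverse=True)


def so_mismatches(text, tolerance=0.002):
    """Rules whose listed S/O disagrees with the recomputed value (a truncated or edited file)."""
    return [r.name for r in parse_statistics(text)
            if abs(r.so - r.so_recomputed()) > tolerance]


if __name__ == "__main__":
    for r in select_rbls(SAMPLE_STATISTICS):
        print(f"{r.name:28s} S/O={r.so:.3f} spam%={r.spam_pct:6.2f} ham%={r.ham_pct:.4f}")
    print("S/O mismatches:", so_mismatches(SAMPLE_STATISTICS))
```

On the sample, the spamcop entry is dropped on the S/O criterion and the tiny list on the hit-rate criterion, which is exactly the two-sided filter the text describes; lowering min_so to 0.8 lets spamcop back in.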
This Perl module allows SpamAssassin to make use of the results of DSpam. This is my first hack at it and it is working very well in my production environment. All comments/concerns are certainly welcome.
DSpam Perl Module: [[dspam.pm]]
DSpam Config File: [[dspam.cf]]
When using dspam in conjunction with SpamAssassin and amavisd-new, amavisd-new automatically has dspam calculate the probability of a message being HAM/SPAM and then inserts headers. If you have SA installed, the dspam information goes to waste. That is, unless you take advantage of this plugin. Using dspam's results, this module adds a tag/token to the message that SA picks up and, based on the score you assign it in the ruleset configuration file, it adds/subtracts that score.
To use this module, put the perl module in /usr/share/perl5/Mail/SpamAssassin/Plugin/ (or wherever your SA Plugin dir is). Put the config file (dspam.cf) with the rest of the SpamAssassin config files (usually located in /etc/spamassassin). First, edit the local.cf file and add the following line anywhere in the file:
include dspam.cf
Next, edit the init.pre file and add the following line anywhere near the other loadplugin lines (Note: this should be the Perl @INC path to the location where you put your dspam.pm plugin):
loadplugin Mail::SpamAssassin::Plugin::dspam
Then edit the dspam.cf and put your desired values for each of the hits. Start low to see how the response is and watch your logs closely.
I have also found it handy to create META rules so that where SA reads a message as BAYES_99 and dspam reads it as DSPAM_SPAM_99, they add a substantial number of points. The same goes for the reverse: if SA reads a message as BAYES_00 and dspam reads the same message as DSPAM_HAM_99, then subtract a substantial number of points.
Links:
This SpamAssassin plugin is listed on the SpamAssassin Wiki Custom Plugins page.
SpamAssassin extra rules/scripts
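Added example (not from the plugin's own dspam.cf): SpamAssassin meta rules for the two agreement cases described above. DSPAM_SPAM_99 and DSPAM_HAM_99 are the rule names from the text; the DSPAM_BAYES_AGREE_* names and the scores are starting values chosen here, to be tuned against your own logs. They go in local.cf or any file that local.cf includes.

```text
# Reward agreement between SpamAssassin's Bayes and dspam in both directions.
# Start with modest scores and raise them only after watching the logs.
meta     DSPAM_BAYES_AGREE_SPAM   (BAYES_99 && DSPAM_SPAM_99)
describe DSPAM_BAYES_AGREE_SPAM   Bayes and dspam both >= 99% sure the message is spam
score    DSPAM_BAYES_AGREE_SPAM   3.0

meta     DSPAM_BAYES_AGREE_HAM    (BAYES_00 && DSPAM_HAM_99)
describe DSPAM_BAYES_AGREE_HAM    Bayes and dspam both >= 99% sure the message is ham
score    DSPAM_BAYES_AGREE_HAM    -3.0
```

Run spamassassin --lint after adding them; a typo in either dspam rule name makes the meta silently never fire rather than erroring at scan time.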
http://www.sanesecurity.com/clamav/usage.htm
http://taint.org/2007/08/15/004348a.html
711227
default from ATL for L1000 and L1800
[[Tiddly Formatting|Tiddly_Formatting]]
<html>
<iframe height="100%" width="100%" src="http://tiddlywiki.org/wiki/TiddlyWiki_Markup"></iframe>
</html>
If you, like me, come from a strong UNIX background, then I think you’ll really enjoy the following tip. By default, the OS X boot sequence is hidden from the user. This doesn’t sit well with me and so I’ve sought out a way to make it show me exactly what was going on (instead of simply showing the small Apple logo and the rotating circle).
You can do one of two things. If you occasionally want to see the bootup sequence, then simply hold down cmd-V after you’ve hit the power button (until you see text on the screen). If you’d like to enable this verbose output each time your machine boots, then execute the following command from a terminal:
sudo nvram boot-args="-v"
I used this on CentOS 5.2 under VMware.
In the CentOS 5.2 installation I chose development tools and unticked everything else (except some editors).
For the disk configuration I deleted the suggested LVM/PVM (very important) and made my own hda2 and hda3 partitions (hda1 is boot, 100MB; hda2 is swap of 512MB; hda3 is the rest of the 8GB image I chose in VMware).
Then, after the install and boot, I downloaded the 2.6.26.5 kernel (latest) into /usr/src/kernels/ and extracted it with tar xvfj linux-2.6.26.6.bz2.
I then got the bigphysarea patch from here:
http://www.feise.com/~jfeise/Downloads/zr36120/bigphysarea-2.6.26.diff
and put it into the extracted linux directory (linux-2.6.26.5).
Then I ran patch -p1 < bigphysarea-2.6.26.diff.
After that I did
cp /boot/config-2.6.18-92.el5 /usr/src/kernels/linux-2.6.26.5/.config
make menuconfig
Here I ticked "Support for big physical area reservation" and unticked all unneeded stuff like Linux video, sound, bluetooth, wireless etc.
I also unticked building a relocatable kernel and 64-bit support
(a relocatable kernel cannot be built for some reason, and 64-bit support is incompatible with the bigphysarea patch; and if you miss my instructions about LVM, the kernel won't recognize it - no LVM support).
I then saved the config and did
make all
make install
make modules_install
Then with "nano /boot/grub/grub.conf" I edited the file and added one entry above the other boot entries:
title Cisco_ASA (8.02)
root (hd0,0)
kernel /vmlinuz_asa root=/dev/hda3 rw console=tty0 console=ttyS0,9600n8 auto nousb ide1=noprobe bigphysarea=16384 hda=980,16,32
initrd /asa802-k8
Then I did:
mkdir /asa
cd /asa
and downloaded and extracted the ASA image from here:
http://rs7l34.rapidshare.com/files/39992741/dl/802.zip
by doing wget http://rs7l34.rapidshare.com/files/39992741/dl/802.zip
unzip 802.zip
hexdump -C asa802-k8.bin > asa802-k8.hd
grep "1f 8b 08 00 1d" asa802-k8.hd
ls -la asa802-k8.bin
tail -c 13334352 asa802-k8.bin > asa802-k8.gz
gzip -d asa802-k8.gz
mkdir /asa_mount
cd /asa_mount
cpio -i --make-directories < ../asa/asa802-k8
In the /asa_mount directory I got all the files extracted.
Then I copied the file asa802-k8 to /boot (where CentOS holds the boot files, like the kernel) with
cp /asa/asa802-k8
cp /asa_mount/vmlinuz /boot
That's all for the Linux side.
Now I downloaded vmwaregateway.exe and started it with:
vmwaregateway.exe -t
Then I connected to it with PuTTY: localhost, port 567.
In the VMware configuration for serial ports I put:
* Use named pipe
\\.\pipe\vmwaredebug
This end is client
Other end is application
* Yield CPU...
Then I started CentOS and under grub chose the first configuration
Cisco_ASA (8.02)
I got only "Uncompressing kernel..."
But in the PuTTY window I got all the output.
That's all.
cloned_interfaces="lagg0 vlan0 vlan1"
ifconfig_em0="up"
ifconfig_em1="up"
ifconfig_lagg0="laggproto failover laggport em0 laggport em1 up"
ifconfig_vlan0="vlan 2 vlandev lagg0 up"
ifconfig_vlan1="vlan 3 vlandev lagg0 up"
ifconfig_vlan0_alias0="inet 192.160.132.20/24"
ifconfig_vlan0_alias1="inet 192.160.132.22/24"
ifconfig_vlan0_alias2="inet 192.160.132.23/24"
ifconfig_vlan0_alias3="inet 192.160.132.24/24"
ifconfig_vlan0_alias4="inet 192.160.132.25/24"
ifconfig_vlan0_alias5="inet 192.160.132.26/24"
ifconfig_vlan0_alias6="inet 192.160.132.27/24"
ifconfig_vlan0_alias7="inet 192.160.132.28/24"
ifconfig_vlan0_alias8="inet 192.160.132.29/24"
ifconfig_vlan0_alias9="inet 192.160.132.30/24"
ifconfig_vlan0_alias10="inet 192.160.132.31/24"
ifconfig_vlan0_alias11="inet 192.160.132.32/24"
ifconfig_vlan0_alias12="inet 192.160.132.33/24"
ifconfig_vlan0_alias13="inet 192.160.132.34/24"
ifconfig_vlan1_alias0="inet 192.168.1.41/24"
ifconfig_vlan1_alias1="inet 172.16.0.20/24"
Default IP 192.168.1.246, doesn't give any indication that it's on the network, not accessible for several minutes (5-10)
Default login "" password "admin"
Default IP 192.168.1.1
Default login "" password "admin"
Default IP 192.168.1.1
Default login "" password "admin"
''Tools''
[[Screwdriver set|http://www.skhandtool.com/Default.aspx?fusemode=10&pid=73518]]
''Misc''
[[Laser Toy|http://www.thinkgeek.com/gadgets/lights/cae2/]]
''Shirts''
[[Identity Shirt|http://t-shirts.cafepress.com/item/group-identity-white-tshirt/150824441]]
[[Here's looking at Euclid Shirt|http://t-shirts.cafepress.com/item/euclid-white-tshirt/63205782]]
[[Story Problem Shirt|http://t-shirts.cafepress.com/item/062804-dark-tshirt/230323639]]
[[I used u Shirt|http://t-shirts.cafepress.com/item/usubsitution-integration-mens-dark-tshirt/122732462]]
[[2 Pi r squared Shirt|http://t-shirts.cafepress.com/item/two-pie-are-squared-fitted-tshirt/27502426]]
[[Get Real Shirt|http://t-shirts.cafepress.com/item/white-tshirt/163959009]]
''Computer''
''Phone''
[[B & O EarSet2|http://www.bang-olufsen.com/page.asp?id=183]]
''Guns''
[[Extended Slide Release|http://www.topglock.com/item/3797_Glock_Parts_GLOCK_EXT_SLD_REL_ALL_9_4.aspx]]
''Movies/TV''
''Music''
[[Loreena McKennitt - An Ancient Muse|http://www.amazon.com/Ancient-Muse-Loreena-McKennitt/dp/B000J3EEBY/ref=sr_1_1?ie=UTF8&s=music&qid=1257180934&sr=8-1]]
[[Dubai Chill Lounge 1|http://www.amazon.com/Dubai-Chill-Lounge/dp/B001W35LSU/ref=sr_1_2?ie=UTF8&s=dmusic&qid=1256011020&sr=8-2]]
[[Dubai Chill Lounge 2|http://www.amazon.com/Dubai-Chill-Lounge-Vol-2/dp/B000BV5SH8/ref=sr_1_1?ie=UTF8&s=music&qid=1256011020&sr=8-1]]
[[Dubai Chill Lounge 3|http://www.amazon.com/Dubai-Chill-Lounge-Vol-3/dp/B000GUJZXM/ref=sr_1_3?ie=UTF8&s=music&qid=1256011020&sr=8-3]]
[[Asskickers|http://cdbaby.com/cd/asskickers]]
[[Macao Cafe: Balearic Lounge Collection, Vol. 1|http://tinyurl.com/685xzh]]
[[Macao Cafe: Balearic Lounge Collection, Vol. 2|http://tinyurl.com/6qf35v]]
[[Macao Cafe: Balearic Lounge Collection, Vol. 4|http://tinyurl.com/64glmh]]
[[Macao Cafe: Balearic Lounge Collection, Vol. 3|http://tinyurl.com/567usa]]
[[Café del Mar, Vol. 1|http://tinyurl.com/565b7k]]
[[Café del Mar, Vol. 2|http://www.amazon.com/Café-del-Mar-Ibiza-Vol/dp/B0000074XB/ref=sr_1_1?ie=UTF8&s=music&qid=1255899471&sr=8-1]]
[[Café del Mar, Vol. 3|http://tinyurl.com/6aa97c]]
[[Café del Mar, Vol. 4|http://www.amazon.com/Cafe-Del-Mar-%28Series%29/e/B000AQ3W3Q/ref=ntt_mus_gen_pel]]
[[Café del Mar, Vol. 5|http://tinyurl.com/6gbvuo]]
[[Café del Mar, Vol. 6|http://tinyurl.com/6dbj4y]]
[[Café del Mar, Vol. 7|http://tinyurl.com/5gd5zt]]
[[Café del Mar, Vol. 8|http://tinyurl.com/5khv2b]]
[[Café del Mar, Vol. 9|http://tinyurl.com/65jqty]]
[[Café del Mar, Vol. 10|http://tinyurl.com/6ez8y7]]
[[Café del Mar, Vol. 11|http://www.amazon.com/Cafe-Del-Mar-Volumen-Once/dp/B00026WSUW/ref=sr_1_1?ie=UTF8&s=music&qid=1255899529&sr=8-1]]
[[Café del Mar, Vol. 12|http://www.amazon.com/Café-del-Mar-Volumen-Doce/dp/B0009JM3WA/ref=sr_1_1?ie=UTF8&s=music&qid=1255899562&sr=8-1]]
[[Café del Mar, Vol. 13|http://tinyurl.com/6c69ba]]
[[Café del Mar, Vol. 14|http://tinyurl.com/5n89tc]]
[[Café del Mar, Vol. 15|http://tinyurl.com/5b9fug]]
[[Buddha Bar 1|http://www.amazon.com/Buddha-Bar-Claude-Challe/dp/B00009XBYK/ref=sr_1_1?ie=UTF8&s=music&qid=1255899585&sr=8-1]]
[[Buddha Bar 2|http://www.amazon.com/Buddha-Bar-Vol-II-Claude-Challe/dp/B00004TRET/ref=sr_1_4?ie=UTF8&s=music&qid=1255899585&sr=8-4]]
[[Buddha Bar 3|http://tinyurl.com/6n527j]]
[[Buddha Bar 4|http://tinyurl.com/65ay35]]
[[Buddha Bar 5|http://tinyurl.com/5k5t2y]]
[[Buddha Bar 6|http://tinyurl.com/67o9xg]]
[[Buddha Bar 7|http://tinyurl.com/679mzw]]
[[Buddha Bar 8|http://tinyurl.com/55fq65]]
[[Buddha Bar 9|http://tinyurl.com/62mdzy]]
[[Buddha Bar 10|http://tinyurl.com/5rggux]]
[[Buddha Bar|http://tinyurl.com/5mnpb8]]
[[Buddha Bar Vol. II|http://tinyurl.com/6lkx69]]
[[Buddha Bar Vol. III|http://tinyurl.com/6xrah2]]
[[Ultra.Dance 05|http://tinyurl.com/dz7a4w]]
[[Ultra.Chilled 04|http://tinyurl.com/bjjzls]]
[[Ultra.Chilled 05|http://tinyurl.com/cks789]]
[[Ultra.Trance 05|http://tinyurl.com/bbvtr7]]
[[Ultra.Trance 07|http://tinyurl.com/bcdg8o]]
[[Ultra.Trance 08|http://tinyurl.com/bcdg8o]]
<html>
<!--
Acoustic Soul
Beneath The Surface
Surrender: The Unexpected
KMFDM: Angst
KMFDM: UAIOE
KMFDM: What Do You Know Deutschland?
KMFDM: Don't Blow Your Top
KMFDM: Naive/Hell To Go
Grace: If I Could Fly
Paul Oakenfold: Bust A Groove
Journeys By DJ: Paul Oakenfold
Global Underground: Oslo
A Voyage Into Trance (Deluxe)
Paul Oakenfold: Perfecto Collection 2
Perfecto Presents... Paul Oakenfold: Great Wall
Resident: 2 Years Of Paul Oakenfold At Cream
Starry Eyed Surprise (Enhanced)
Paul Oakenfold: Travelling
Paul Oakenfold: Ny (V.7)
Perfecto Chills Vol. 1
Southern Sun (Enhanced)
Andrea Bocilli: Sueno
-->
</html>
''Books''
''Legos''
(links are for reference of what set looks like)
''Idea Books''
[[Idea Book 226|http://www.bricklink.com/catalogItem.asp?B=226]]
[[Idea Book 250|http://www.bricklink.com/catalogItemPic.asp?B=250]]
[[Idea Book 260|http://www.bricklink.com/catalogItemPic.asp?B=260]]
[[Idea Book 6000|http://www.bricklink.com/catalogItem.asp?B=6000]]
[[Idea Book 697|http://www.bricklink.com/catalogItem.asp?B=697]]
[[Idea Book 7777|http://www.bricklink.com/catalogItem.asp?B=7777]]
[[Idea Book 8888|http://www.bricklink.com/catalogItem.asp?B=8888]]
[[Idea Book 8889|http://www.bricklink.com/catalogItem.asp?B=8889]]
[[Idea Book 8890|http://www.bricklink.com/catalogItem.asp?B=8890]]
[[Idea Book 8891|http://www.bricklink.com/catalogItem.asp?B=8891]]
[[Idea Book B506|http://www.bricklink.com/catalogItem.asp?B=B506]]
''Expert Builder''
[[Tractor Set #952|http://www.bricklink.com/catalogItem.asp?S=952-1]]
[[Motorcycle #8857|http://www.bricklink.com/catalogItem.asp?S=8857-2]]
[[Go-Cart #948|http://www.bricklink.com/catalogItem.asp?S=948-1]]
[[Engine #8858|http://www.bricklink.com/catalogItem.asp?S=8858-2]]
[[Auto Chassis #8860|http://www.bricklink.com/catalogItem.asp?S=8860-1]]
[[Power Truck #8848|http://www.bricklink.com/catalogItem.asp?S=8848-1]]
[[Bulldozer #951|http://www.bricklink.com/catalogItem.asp?S=951-1]]
[[Auto Car Chassis #853 |http://www.bricklink.com/catalogItem.asp?S=853-1]]
[[Auto Car Chassis #8860 |http://www.bricklink.com/catalogItem.asp?S=8860-1]]
[[Backhoe #8862|http://www.bricklink.com/catalogItem.asp?S=8862-1]]
[[Airtech Claw Rig #8868|http://www.bricklink.com/catalogItem.asp?S=8868-1]]
[[Whirlwind Rescue #8856|http://www.bricklink.com/catalogItem.asp?S=8856-1]]
[[Universal Building Set #8034|http://www.bricklink.com/catalogItem.asp?S=8034-1]]
[[Mobile Crane #8421|http://www.bricklink.com/catalogItem.asp?S=8421-1]]
[[Pneumatic Backhoe #8455|http://www.bricklink.com/catalogItem.asp?S=8455-1]]
[[Pneumatic Forklift #8843|http://www.bricklink.com/catalogItem.asp?S=8843-1]]
''Space''
Galaxy Explorer #928 http://www.bricklink.com/catalogItem.asp?S=928-1
Space Cruiser #487 http://www.bricklink.com/catalogItem.asp?S=487-1
Space Command Center #926 http://www.bricklink.com/catalogItem.asp?S=926-1
Transport Ship #924 http://www.bricklink.com/catalogItem.asp?S=924-1
Alpha-1 RocketBase #483 http://www.bricklink.com/catalogItem.asp?S=483-1
Space Set #1593 http://www.bricklink.com/catalogItem.asp?S=1593-1
Mobile Tracking Station #452 http://www.bricklink.com/catalogItem.asp?S=452-1
One Man Space Ship #918 http://www.bricklink.com/catalogItem.asp?S=918-1
Space Station #6970 http://www.bricklink.com/catalogItem.asp?S=6970-1
''Universal Sets''
Universal Motorized Building Set #744 http://www.bricklink.com/catalogItem.asp?S=744-1
Universal Building Set #733 http://www.bricklink.com/catalogItem.asp?S=733-1
''Brick Arms''
Black Bandit http://brickarms.com/Toys/Minifigs/Bandit_Black.aspx
Gray Bandit http://brickarms.com/Toys/Minifigs/Bandit_Gray.aspx
White Bandit http://brickarms.com/Toys/Minifigs/Bandit_White.aspx
K9 Kop http://brickarms.com/Toys/Minifigs/K9_Kop.aspx
WW2 US Marine Sargent http://brickarms.com/Toys/Minifigs/WW2_US_Marine_Sargent.aspx
WW2 US Sargent http://brickarms.com/Toys/Minifigs/WW2_US_Sargent.aspx
Spy Bond http://brickarms.com/Toys/Minifigs/SpyBond.aspx
Colonial Marine http://brickarms.com/Toys/Minifigs/ColonialMarine.aspx
WW2 German SS Major http://brickarms.com/Toys/Minifigs/WW2_German_SS_Major.aspx
WW2 German Colonel http://brickarms.com/Toys/Minifigs/WW2_German_Colonel.aspx
WW2 German Soldier Grenadier http://brickarms.com/Toys/Minifigs/WW2_German_Soldier_Grenadier.aspx
WW2 German Soldier Gunner http://brickarms.com/Toys/Minifigs/WW2_German_Soldier_Gunner.aspx
WW2 German Soldier PanzerGren http://brickarms.com/Toys/Minifigs/WW2_German_Soldier_PanzerGren.aspx
Arsenal Pack http://brickarms.com/Toys/Weapons_Packs/Arsenal_Pack.aspx
[[Consulting]]
[[Hosting]]
[[CV|http://www.cryptomonkeys.org/~louisk/cv/]]
[[Security|SecurityNotes]]
Before starting the OS install
* Setup raid groups as such:
** 2 disks in RAID1 for OS install
** all remaining disks setup in RAID10 for VMs
* Be sure to install the x86_64 (64 bit) version of Centos, it will allow both 64 and 32-bit VMs to run at the same time.
OS Install / Disk layout
* sda is the RAID1 disks.
** sda1 is 100MB, mounted at /boot, formatted as ext2 or ext3. Also make sure it is set as a primary partition in the options.
** sda2 is the same size as the RAM installed on the machine, formatted as swap and primary partition
** sda3 is the remaining space, mounted at /, formatted as ext3 and primary partition
* sdb is the RAID10 disks.
** DO NOT FORMAT OR OTHERWISE USE THIS DISK AT THIS TIME
OS Install / Installation options
* Be sure to check the "Virtualization" option during the install process.
Post Install / Prepping LVM
* Run "yum update" to update all packages
** This process can take quite some time.
* To prep sdb for LVM, run pvcreate /dev/sdb
** The output should report success
* Create the volume group: vgcreate <short name of machine> /dev/sdb
** e.g. vgcreate xenpod02 /dev/sdb on xenpod02.pgp.com
* Create a logical volume for the VM: lvcreate -L<size in GB>G -n <name of VM> <machine name from above>
** e.g. lvcreate -L50G -n tinderwin8c xenpod02
* The path for accessing the LV is: /dev/<machine name>/<VM name>
** e.g. /dev/xenpod02/tinderwin8c
* For xen configuration files, you can also use the following path: /dev/mapper/<machine name>-<VM name>
** e.g. /dev/mapper/xenpod02-tinderwin8c
Post Install / OS Install
* Visit http://wiki.centos.org/HowTos/Xen/InstallingCentOSDomU for some ideas
pvcreate /dev/foo
vgcreate volName /dev/foo
Yum repo for new(er) Xen (3.3.x): http://www.gitco.de/repo/
http://jailtime.org/download:centos:v5.2 for images
Recommended reading:
[[FreeBSD|http://www.freebsd.org]]'s [[ZFS|http://wikipedia.org/wiki/ZFS]] [[wiki|http://wiki.freebsd.org/ZFS]]
[[Sun|http://www.sun.com]]'s [[OpenSolaris|http://www.opensolaris.org/os/]] [[ZFS|http://www.opensolaris.org/os/community/zfs/]]
How to install FreeBSD 7.0 under ZFS
ZFS is an exciting new file system developed by Sun and recently ported to FreeBSD. Many people are excited by the possibilities of ZFS (including us) as it promises to simplify a great many things. It offers:
* increased reliability through checksums, multiple copies of data and self-healing RAID
* elimination of that dreaded “oh, if only I’d made the /var partition larger” feeling. Partitions can now be resized at any time and in fact can each be allocated up to the full size of the storage media.
* built-in compression (encryption is not available in the FreeBSD 7.0 port; native ZFS encryption arrived years later)
* built-in NFS file sharing
* clean, easy to use toolset for creating storage pools, volumes and much more
* snapshots and rollbacks for backups
Read more about some of the powerful commands here
Installing ZFS on FreeBSD
Since it is early days for ZFS on BSD, the installer doesn’t yet support ZFS natively. So there are a few tricks to getting it up and running. Also, you cannot boot directly from a ZFS partition since adding that functionality to the boot loader in FreeBSD is a huge undertaking.
Step One: installing FreeBSD
* Boot up on the FreeBSD Current 7.0 CD
* Choose Country and Locale
* Go Custom install
* Partition fdisk with Auto option (one slice, whole disk)
* Disklabel with options
A: 512Mb UFS2 /
B: swap
D: rest of disk
To create D you’ll need to enter any mount point you want and then use the M option to clear it. This ensures that it will not mount or be created as a file system.
* Distribution choose Minimal install
* Media Select CD/DVD
System will install to the small 512Mb UFS root partition you created.
Step Two: creating the ZFS pool
* Once installation is complete, remove CD and reboot into our new FreeBSD system.
* Boot into FreeBSD partition and select “4” for single user mode.
* Hit ENTER to accept /bin/sh shell.
# mount -w /
Now create a Disk pool using the D label we prepared during the install. In this example we have a SATA disk at ad4.
# zpool create tank /dev/ad4s1d
First, stop ZFS from creating default mountpoints for the datasets:
# zfs set mountpoint=none tank
Create the datasets:
# zfs create tank/root
# zfs create tank/usr
# zfs create tank/var
# zfs create tank/tmp
Now set the mountpoints of the datasets (under /tank for now, since the UFS root is still in use):
# zfs set mountpoint=/tank tank/root
# zfs set mountpoint=/tank/usr tank/usr
# zfs set mountpoint=/tank/var tank/var
# zfs set mountpoint=/tank/tmp tank/tmp
Have a look at what we have done:
# df -h
# zfs list
Beautiful, isn't it? :)
Edit /etc/rc.conf and enable ZFS
# echo 'zfs_enable="YES"' >> /etc/rc.conf
Now copy the UFS bootable slice to the ZFS mountpoint. This gives us a workable FreeBSD installation under ZFS.
# find -x / | cpio -pmd /tank
(you can ignore any errors here if you get them)
Step Three: solving the ZFS boot problem
The problem which remains is that FreeBSD will not be able to boot directly into ZFS since the bootloader doesn’t know anything about ZFS. So a little trick is that we put the kernel onto /boot which lives on the UFS partition. This gets the system running to the point where ZFS can be mounted and the rest of the boot proceeds.
Remove the /tank/boot just copied over from the UFS system:
# rm -rf /tank/boot
Now make the directory in which our UFS partition will be mounted. This will be useful later on when we want to update the contents of that slice from a running system. We also need to make sure that when the ZFS is booting up it can see the UFS bootdir.
# mkdir /tank/bootdir
# cd /tank
# ln -s bootdir/boot boot
Now we tell the loader on the UFS slice to load and boot from the contents of the ZFS volume:
# echo 'zfs_load="YES"' >> /boot/loader.conf
# echo 'vfs.root.mountfrom="zfs:tank/root"' >> /boot/loader.conf
Edit /tank/etc/fstab so our UFS slice is mounted in the right location for when ZFS boots.
/dev/ad4s1a /bootdir ufs rw 1 1
When we reboot in a minute, we want the ZFS tank to mount in /var /usr /tmp and/ and not within the /tank location it is now. So set the true mountpoints:
# zfs set mountpoint=/tmp tank/tmp
# zfs set mountpoint=/usr tank/usr
# zfs set mountpoint=/var tank/var
Set the root dataset's mountpoint to 'legacy' so ZFS won't try to mount it automatically; the kernel mounts it itself via vfs.root.mountfrom:
# cd /
# zfs set mountpoint=legacy tank/root
All Done!
Reboot and login as root. df -h and zfs list and you will see everything.
# df -h
{{{
Filesystem     Size    Used   Avail Capacity  Mounted on
tank/root      282G    454M    281G     0%    /
devfs          1.0K    1.0K      0B   100%    /dev
/dev/ad4s1a    496M    317M    139M    69%    /bootdir
tank/tmp       281G    1.1M    281G     0%    /tmp
tank/usr       287G    5.7G    281G     2%    /usr
tank/var       281G     76M    281G     0%    /var
}}}
# zfs list
{{{
NAME         USED  AVAIL  REFER  MOUNTPOINT
tank        6.27G   281G   454M  none
tank/root   16.2M  51.3G  16.2M  legacy
tank/tmp    1.10M   281G  1.10M  /tmp
tank/usr    5.75G   281G  5.75G  /usr
tank/var    75.5M   281G  75.5M  /var
}}}
All is done. :) Basic install completed. At this point you might want to install a more complete version of FreeBSD, install the ports system or anything else you normally do.
Creating a Mirror
That was pretty exciting.
Now let’s say that we have some important data on that drive and we are pretty keen not to lose it. So, let’s add another drive as a mirror under ZFS. In some ways this is even superior to a hardware RAID setup since ZFS is able to monitor the checksums on the disk and automatically detect which of the two drives has corrupted a block of data, transparently using the other and repairing if necessary.
* Install the HDD and boot up on the system.
* Login as root
* Run sysinstall
* Enter Custom Install
* Partition fdisk with Auto option (one slice, whole disk) and press 'w' to write changes
* Label with options
A: 512Mb /
B: swap
D: rest of disk empty (for zfs later)
and once again press 'w' to save changes and answer 'YES' to the question it asks about applying now. You'll need to make this identical to the labels on the first drive.
* Exit sysinstall.
Check out what we have:
# zpool status
Add the 2nd drive to our mirror (our second drive comes up as ad6)
# zpool attach tank ad4s1d ad6s1d
# zpool status
and it will now show the two HDD’s in a mirror
{{{
  pool: tank
 state: ONLINE
 scrub: none requested
config:

	NAME        STATE   READ WRITE CKSUM
	tank        ONLINE     0     0     0
	  mirror    ONLINE     0     0     0
	    ad4s1d  ONLINE     0     0     0
	    ad6s1d  ONLINE     0     0     0

errors: No known data errors
}}}
Now we have a mirror, but if we lose the first drive we will need the contents of the UFS slice copied to the second drive in order to reboot.
# newfs /dev/ad6s1a
# mkdir /mnt/bootdir
# mount /dev/ad6s1a /mnt/bootdir
# find -x /bootdir | cpio -pmd /mnt
This gives us another ready to use system on the 2nd HDD in case we have a failure on the 1st HDD with all the necessary zfs tools to move forward.
/boot/loader.conf tweaks
As you know, ZFS within FreeBSD 7.0 is an experimental system and there are still some bugs to iron out. Under heavy disk access the kernel can panic with "kmem_suballoc"; you can avoid this by placing the following in /boot/loader.conf:
vm.kmem_size_max="512M"
vm.kmem_size="512M"
vfs.zfs.zil_disable=1
The kmem size is up to you, but if you make it too large you will get a kernel panic on boot. Note that vfs.zfs.zil_disable=1 trades integrity for speed: the ZIL is what makes fsync(2) and O_SYNC writes durable, so with it disabled a crash or power loss can silently lose the last few seconds of writes that applications (databases, mail queues) were already told had reached disk. Leave the ZIL enabled unless you can tolerate that.
Disaster recovery
(Maybe necessary if you have just completed the tweaks above and rebooted)
With the way we have set up our system, if ZFS fails to boot or function for whatever reason we can still boot off the original minimal install at any time. To do this:
* Boot up
* Choose #6 (Escape to Loader Prompt) at the boot menu.
* Suppress the mounting of the ZFS volumes and disable the zfs module:
# unset vfs.root.mountfrom
# disable-module zfs
* Unset the kmem sizes:
# unset vm.kmem_size
# unset vm.kmem_size_max
* Single user mode and boot
# set boot_single
# boot
* Login
and edit /boot/loader.conf as necessary.
# df -h
# zpool list
You will notice that it has not picked up the ZFS drives or the pool. Never fear, we can import it!
# zpool import -d /boot/zfs
This loads the zpool data so the libraries can find the information they need; now we import our pool under an alternate root:
# zpool import -f -R /tank tank
And check that it has worked:
# df -h
# zpool list
Useful Commands
Create a mirrored pool with a given mountpoint (the pool name comes first, then the vdev specification)
# zpool create -m /usr/local/www <pool name> mirror ad4s1g ad6s1g
Show available pools/datasets
# zfs list
Show status of the disks/pool (there is no "zfs status"; it is a zpool subcommand)
# zpool status
Change the mount point of a dataset
# zfs set mountpoint=/<mountpoint> <pool>/<dataset>
Data limiting
# zfs set quota=10g testpool/testfs/dir1
(caps the space the dataset may use)
# zfs set reservation=20g testpool/testfs/dir2
(guarantees the dataset that much space out of the pool)
''Unloading a kernel and choosing another one'' (at the boot loader prompt)
{{{
# unload
# boot /boot/kernel.old/kernel
}}}
''Upgrading'' (such as 7.x -> 8.x)
* Follow the steps in /usr/src/UPDATING
* buildworld/kernel
* reboot into single user mode
* mount -o rw tank/root /
* mount -t zfs tank/usr /usr
* mount -t zfs tank/var /var
* cd /usr/src
* mergemaster -U -u 0022 -p
* rm -fr /usr/include.old && date && mv /usr/include{,.old} && date
* make NO_FSCHG=yes installworld
* make delete-old
* mergemaster -U -u 0022 -i
* reboot
--------------------------------
''Replacing a failed drive'' (ZFS; give the new device as a second argument if it is not the same device node)
{{{
# zpool replace tank <disk>
# zpool status
}}}
Ok...
the scripts are at:
http://dist.k1.com.br/scripts/baselist_amd64
http://dist.k1.com.br/scripts/baselist_i386
http://dist.k1.com.br/scripts/makebootdisk
http://dist.k1.com.br/scripts/zfsetup
install these scripts on /root
makebootdisk:
formats the disk (or usb stick, at da0, da1...), makes a bsdlabel on it
and, using the baselist file, copies the running system files onto the
USB
it will work on FreeBSD versions greater than 7.0
this way the usb is bootable, has a filesystem on it,
the same root password...
you can fix the files /etc/rc.conf, /boot/loader.conf in the usb filesystem in order for it to boot from your kernel.
remember to check for an "a" partition on your usb stick
the script needs to have access to install bash (pkg_add -r bash) so it
needs internet or a package repository with bash in it.
Once booted from your usb stick, you can do the same procedure to
transport the running system to another disk
if you intend to make a zfs running filesystem on the target disk (hd)
make the disklabel (bsdlabel) this way
a: 1gb 16 unused
b: 4gb * swap
d: * * unused
that is:
a partition 1gb at offset 16
b swap partition 4gb after partition A
d: the rest of the disk (this will hold the zpool).
the makebootdisk will install a running system on A (about 300mb...)
ZFSETUP
is a script that, when boot from the hd created with makebootdisk
moves the running system (booted from "a" partition) to the zfspool
created, in the "d" partition mentioned above..
it edits the loader.conf in order to boot on zfs.. in order to boot from
After that, you are running on ZFS...
Make sure net-snmp is compiled with --enable-mfd-rewrites so that the 64-bit interface counters (ifHCInOctets/ifHCOutOctets in ifXTable) are exposed.
(Without them the 32-bit counters wrap within a 5-minute polling interval at about 114 Mbit/s, which is why network graphs top out around ~120Mbit.)
''Setup''
------------------------
''Replacing a failed disk'' (gmirror; the mirror is named without the mirror/ prefix, and the new component is the raw disk device, e.g. ad6)
{{{
# gmirror forget gm0
# gmirror insert gm0 <newDisk>
}}}
------------------------
{{{
lease-file-name "/var/db/dhcpd.leases";
ddns-update-style none;
authoritative;
option agent.circuit-id 2;
default-lease-time 3100;    # 51 minutes.
max-lease-time 604800;      # 1 week

subnet 10.10.10.0 netmask 255.255.255.0 {
    option routers 10.10.10.1;
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.10.10.255;
    # The latest input from layer-9 required us to shift the dynamic
    # range from the top half of the subnet down to the bottom half.
    # This pool clause will elicit NAKs for the old leases while the
    # clients migrate. Remember to remove this once they've all booted
    # once or expired.
    pool {
        range 10.10.10.12 10.10.10.127;
    }
    # Log the relay agent information (option 82) the switch inserted.
    # The substring()/suffix() offsets below assume circuit-id is
    # 00 04 VLAN(2) module(1) port(1) and remote-id is 00 06 MAC(6).
    if exists agent.circuit-id {
        log(info, concat("Lease for ", binary-to-ascii(10, 8, ".", leased-address),
            " is connected to interface ",
            binary-to-ascii(10, 8, "/", suffix(option agent.circuit-id, 2)),
            " (add 1 to port number!), VLAN ",
            binary-to-ascii(10, 16, "", substring(option agent.circuit-id, 2, 2)),
            " on switch ",
            binary-to-ascii(16, 8, ":", substring(option agent.remote-id, 2, 6))));
        log(info, concat("Lease for ", binary-to-ascii(10, 8, ".", leased-address),
            " raw option-82 info is CID: ",
            binary-to-ascii(10, 8, ".", option agent.circuit-id),
            " AID: ", binary-to-ascii(16, 8, ".", option agent.remote-id)));
    }
}
}}}
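To make the substring()/suffix()/binary-to-ascii() calls in the log statements above concrete, here is an added example (not code from the original page and not part of ISC dhcpd) that parses a raw option 82 (RFC 3046) payload into its circuit-id and remote-id sub-options and builds the same log line. It assumes the layout the config's offsets imply, circuit-id = 00 04 VLAN(2) module(1) port(1) and remote-id = 00 06 MAC(6); the option-82 bytes are constructed. Two practical points it shows: every length byte is bounds-checked, because option 82 is only as trustworthy as the switch that inserted it (which should be dropping client-supplied option 82 on untrusted ports), and the port number really is off by one relative to the interface name.

```python
"""Decode a DHCP option 82 payload the way the dhcpd.conf log() statements do.

Added example; not from the page or from ISC dhcpd. The sub-option layout is
an assumption (the common "Cisco style" one the config's offsets imply) and
SAMPLE_OPTION82 is constructed.
"""

SUBOPT_CIRCUIT_ID = 1   # what dhcpd exposes as option agent.circuit-id
SUBOPT_REMOTE_ID = 2    # what dhcpd exposes as option agent.remote-id

# Constructed sample: relay on VLAN 100 saw the client on module 1, port 11
# (the switch counts ports from 0, hence "add 1 to port number!").
SAMPLE_OPTION82 = bytes([
    SUBOPT_CIRCUIT_ID, 6, 0x00, 0x04, 0x00, 0x64, 0x01, 0x0b,
    SUBOPT_REMOTE_ID, 8, 0x00, 0x06, 0x00, 0x1b, 0x54, 0xaa, 0xbb, 0xcc,
])


def parse_option82(payload: bytes) -> dict:
    """Split the option-82 value into its sub-options: {code: value_bytes}.

    Every length byte is checked against what is actually present; a relay is
    supposed to insert this field, but the server must not index past the
    buffer on the strength of that assumption.
    """
    subopts = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} claims {length} bytes, {len(value)} present")
        subopts[code] = value
        i += 2 + length
    return subopts


def parse_option82_or_none(payload: bytes):
    """Same, but report a malformed payload as None instead of raising."""
    try:
        return parse_option82(payload)
    except ValueError:
        return None


def binary_to_ascii(base: int, width: int, sep: str, data: bytes) -> str:
    """Mirror of dhcp-eval's binary-to-ascii(base, width, separator, data):
    split data into width-bit big-endian words and print each in base."""
    size = width // 8
    if size == 0 or len(data) % size:
        raise ValueError("data length is not a multiple of the field width")
    fmt = "{:d}" if base == 10 else "{:0%dx}" % (2 * size)
    words = (int.from_bytes(data[j:j + size], "big") for j in range(0, len(data), size))
    return sep.join(fmt.format(w) for w in words)


def decode_circuit(circuit_id: bytes, remote_id: bytes) -> dict:
    """Pull VLAN, module/port and switch MAC out of the assumed layout."""
    if len(circuit_id) != 6 or circuit_id[:2] != b"\x00\x04":
        raise ValueError("circuit-id is not 00 04 VLAN(2) module(1) port(1)")
    if len(remote_id) != 8 or remote_id[:2] != b"\x00\x06":
        raise ValueError("remote-id is not 00 06 MAC(6)")
    return {
        # substring(option agent.circuit-id, 2, 2) as one 16-bit decimal
        "vlan": int(binary_to_ascii(10, 16, "", circuit_id[2:4])),
        # suffix(option agent.circuit-id, 2) as "module/port"
        "module_port": binary_to_ascii(10, 8, "/", circuit_id[4:]),
        # substring(option agent.remote-id, 2, 6) as a colon-separated MAC
        "switch_mac": binary_to_ascii(16, 8, ":", remote_id[2:8]),
    }


def log_line(leased_address: str, option82: bytes) -> str:
    """The first log() statement from the dhcpd.conf, rendered in Python."""
    subopts = parse_option82(option82)
    info = decode_circuit(subopts[SUBOPT_CIRCUIT_ID], subopts[SUBOPT_REMOTE_ID])
    return (f"Lease for {leased_address} is connected to interface "
            f"{info['module_port']} (add 1 to port number!), "
            f"VLAN {info['vlan']} on switch {info['switch_mac']}")


if __name__ == "__main__":
    print(log_line("10.10.10.42", SAMPLE_OPTION82))
```

Running it prints the same line the dhcpd log statement produces for that lease: interface 1/11 (so the client is on port 12), VLAN 100, switch 00:1b:54:aa:bb:cc. A circuit-id whose length byte overruns the payload is rejected rather than silently truncated.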
Eric Anderson wrote:
> Dan Ross wrote:
>
>> Eric,
>> Thanks I have tried using that in my conf file but the original
>> author didn't seem to know where he got his stuff for data entries. I
>> am struggling to even understand his logging entry in the conf file.
>> How does one submit a mail to the isc-org. dhcp server mailing
>> list. I have the entry in my conf file but no entries are added to
>> my log file even though the server spews out an address. Any ideas?
>
>
> Can you post your config file? (minus any extra junk we don't need)
>
> Eric
>
>
>
>> Eric Anderson wrote:
>>
>>> Dan Ross wrote:
>>>
>>>> Hello;
>>>> I am trying to configure my freebsd ISC dhcp server to support and
>>>> log option 82 requests. Can anybody direct me to a how to page or
>>>> even maybe render some assistance if they have done this before?
>>>
>>>
>>>
>>>
>>> I don't know all the details, but maybe these snippets and links can
>>> help you:
>>>
>>> agent.circuit-id is also known as option 82
>>>
>>> http://www.archivum.info/dhcp-server%40isc.org/2005-02/msg00026.html
>>> http://www.archivum.info/dhcp-server%40isc.org/2005-06/msg00142.html
>>>
>>> man dhcp-options
>>> man dhcp-eval
>>>
>>> http://www.faqs.org/rfcs/rfc3046.html
>>>
>>> dhcpd.conf hints:
>>> Top of dhcpd.conf (you may have to do this, you may not):
>>> option agent.circuit-id code 82 = string; # is it a string?
>>>
>>> That's all I could conjure up..
>>>
>>> Eric
>>>
<html>
<pre>
bounce_queue_lifetime = 2d
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 30
default_process_limit = 500
disable_vrfy_command = yes
html_directory = no
in_flow_delay = 0s
initial_destination_concurrency = 1000
local_recipient_maps =
mail_owner = postfix
mailbox_size_limit = 102400000
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 300s
maximal_queue_lifetime = 5d
message_size_limit = 52428800
minimal_backoff_time = 100s
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 168.61.15.0/24, 127.0.0.0/8
newaliases_path = /usr/local/bin/newaliases
qmgr_message_recipient_limit = 100000
queue_directory = /var/spool/postfix
rbl_reply_maps = hash:$config_directory/rbl_reply
readme_directory = no
relay_domains = /usr/local/etc/postfix/relay
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_destination_concurrency_limit = 100
smtp_helo_timeout = 30s
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:/tmp/postfix_smtpcache
smtp_use_tls = yes
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 10
smtpd_client_restrictions = check_client_access hash:/usr/local/etc/postfix/access_client, permit
smtpd_error_sleep_time = 0
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_recipient_limit = 100000
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination,
check_recipient_access hash:/usr/local/etc/postfix/pre_rbl_trialdisabledlist,
check_client_access hash:/usr/local/etc/postfix/pre_rbl_whitelist,
check_policy_service unix:private/policy,
reject_rbl_client ST8STXEZCKZJGT8L6242848WKFQBAZH.r.mail-abuse.com,
check_recipient_access hash:/usr/local/etc/postfix/pre_rbl_skipqillist,
reject_rbl_client ST8STXEZCKZJGT8L6242848WKFQBAZH.q.mail-abuse.com,
reject_unknown_sender_domain,
warn_if_reject reject_unknown_hostname,
warn_if_reject reject_non_fqdn_hostname,
warn_if_reject reject_unauth_pipelining,
warn_if_reject reject_unknown_recipient_domain,
warn_if_reject reject_non_fqdn_recipient,
warn_if_reject reject_unknown_client,
warn_if_reject reject_invalid_hostname,
warn_if_reject reject_non_fqdn_sender,
permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
# empty value drops the noanonymous default, so the ANONYMOUS mechanism is allowed if the SASL backend offers it
smtpd_sasl_security_options =
smtpd_soft_error_limit = 5
smtpd_timeout = 30s
smtpd_tls_CAfile = /usr/local/etc/postfix/cert/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/etc/postfix/cert/in.sjc.mx.trendmicro.com-cert.pem
smtpd_tls_key_file = /usr/local/etc/postfix/cert/in.sjc.mx.trendmicro.com-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:/tmp/postfix_smtpdcache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/random
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
parent_domain_matches_subdomains =
debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
# Cyrus-imapd
mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
</pre>
<pre>
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
disable_vrfy_command = yes
html_directory = no
local_destination_concurrency_limit = 5
local_destination_recipient_limit = 300
mail_owner = postfix
mailbox_size_limit = 102400000
mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 192.160.132.0/24, 127.0.0.0/8
parent_domain_matches_subdomains =
debug_peer_list,
fast_flush_domains,
mynetworks,
permit_mx_backup_networks,
qmqpd_authorized_clients,
smtpd_access_maps
readme_directory = no
smtp_destination_concurrency_limit = 100
smtp_helo_timeout = 30s
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 10
smtpd_error_sleep_time = 0
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_recipient_limit = 100000
smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_destination,
warn_if_reject reject_unknown_sender_domain,
warn_if_reject reject_unknown_hostname,
warn_if_reject reject_non_fqdn_hostname,
warn_if_reject reject_unauth_pipelining,
warn_if_reject reject_unknown_recipient_domain,
warn_if_reject reject_non_fqdn_recipient,
warn_if_reject reject_unknown_client,
warn_if_reject reject_invalid_hostname,
warn_if_reject reject_non_fqdn_sender
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
# empty value drops the noanonymous default, so the ANONYMOUS mechanism is allowed if the SASL backend offers it
smtpd_sasl_security_options =
smtpd_soft_error_limit = 5
smtpd_timeout = 30s
smtpd_tls_CAfile = /usr/local/etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/etc/postfix/ssl/txt.com.signed.cert.pem
smtpd_tls_key_file = /usr/local/etc/postfix/ssl/txt.com.key.pem
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/random
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/valias
virtual_mailbox_domains = hash:/usr/local/etc/postfix/vdomains
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmailbox
virtual_transport = lmtp:unix:/var/imap/socket/lmtp
</pre>
</html>
As you have not posted your whole configuration ('postconf -n' output) that cannot be answered with certainty. It depends on whether you have set smtpd_delay_reject=no or if you are using the default behavior of postponing the evaluation of helo, client, and sender restrictions until the recipient phase. Many people don't bother splitting up the pre-data restrictions between smtpd_helo_restrictions, smtpd_client_restrictions, smtpd_sender_restrictions, and smtpd_recipient_restrictions, because of that useful default behavior.
You may run into enough trouble with reject_non_fqdn_helo_hostname (the modern name for reject_non_fqdn_hostname) due to a lot of sloppiness in the configuration of mail servers that handle wanted mail. If you deal with a lot of small to medium sized businesses outside of the IT industry, maintaining a whitelist against that rule can become a daily chore.
An alternative is check_helo_access with a regexp or pcre map. The map might look something like the one below (mine, partly sanitized) and catch most of the bad actors and the careless admins but put the exceptions right next to the rules:
| REGEX | Response |
| /^localhost\./ | REJECT you are not me |
| /^\[*192\.168\.254\.12/ | REJECT you are not me |
| /^\[*66\.73\.230\.190/ | REJECT you are not on my network |
| /^\[*66\.73\.230\.18[4-9]/ | REJECT you are not on my network |
| /^\[*127\.0\.0\./ | REJECT you are not me |
| /^hostname\.in\.my\.mx\.records$/ | REJECT you are not me |
| /^my\.internal\.true\.hostname$/ | REJECT you are not me |
| /^virtual\.domain\.i\.service$/ | REJECT you are not me |
| /^scconsult.com$/ | REJECT you are not me |
| /^some\.fools\.exchange\.local/ | DUNNO |
| /\.local$/ | REJECT You are not local to me |
| /\.localdomain$/ | REJECT You are not local to me |
| /^-/ | REJECT Stop being so negative |
| /^nonfqdnthatilike$/ | DUNNO |
| /^[^.]*$/ | REJECT Care to qualify that claim? |
| /user.veloxzone.com.br$/ | REJECT Veloxzone user space not welcome here. |
| /^mail.com$/ | REJECT Suresh says that no one is mail.com |
Note that this depends on permit_mynetworks and/or permit_sasl_authenticated to protect truly local and/or authenticated clients. The 'DUNNO' lines are the exceptions. The rest of the rules catch the observed behaviors of some spammers in using HELO arguments that claim one or another sort of local identity, start with a '-', or have no periods (i.e. non-FQDN hostnames). The last 2 catch the tangle of botnets using a Brazilian ISP and a once-common habit of bots using 'mail.com' in HELO.
The advantage to this approach is that it lets you do the fairly simple thing that reject_non_fqdn_helo_hostname does, whitelist against it directly, and add in other things that are useful in looking at HELO names.
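The table only behaves as described because of two Postfix evaluation rules: a pcre: map is searched top to bottom and the first matching pattern wins (so the DUNNO exceptions must sit above the broad rules they carve out of), and a DUNNO result ends the map lookup without a decision, leaving the remaining restrictions to run. The following added example (not part of the quoted reply above and not Postfix code) models that evaluation in Python against a subset of the table, with permit_mynetworks/permit_sasl_authenticated placed ahead of check_helo_access as the reply requires; the HELO names fed to it are constructed.

```python
"""Model of how Postfix smtpd evaluates a pcre: check_helo_access table.

Added example; not from the quoted reply and not Postfix source. HELO_RULES
is a subset of the table above, in table order. Postfix pcre tables are
unanchored unless the pattern anchors itself and case-insensitive by default.
"""
import re

HELO_RULES = [
    (r"^localhost\.", "REJECT you are not me"),
    (r"^\[*127\.0\.0\.", "REJECT you are not me"),
    (r"^hostname\.in\.my\.mx\.records$", "REJECT you are not me"),
    (r"^some\.fools\.exchange\.local", "DUNNO"),   # exception, listed before the .local rule
    (r"\.local$", "REJECT You are not local to me"),
    (r"^-", "REJECT Stop being so negative"),
    (r"^nonfqdnthatilike$", "DUNNO"),              # whitelisted non-FQDN, before the catch-all
    (r"^[^.]*$", "REJECT Care to qualify that claim?"),
    (r"^mail.com$", "REJECT Suresh says that no one is mail.com"),
]
_COMPILED = [(re.compile(pattern, re.IGNORECASE), action) for pattern, action in HELO_RULES]


def check_helo_access(helo: str):
    """First matching action in table order, or None when nothing matches."""
    for rx, action in _COMPILED:
        if rx.search(helo):
            return action
    return None


def smtpd_decision(helo: str, in_mynetworks: bool = False, sasl_authenticated: bool = False) -> str:
    """Model the restriction list
         permit_mynetworks, permit_sasl_authenticated,
         check_helo_access pcre:/path/to/helo_checks, permit
    The permit_* entries run first, which is why the table can reject
    'localhost.' and our own hostnames without locking out our own clients.
    """
    if in_mynetworks or sasl_authenticated:
        return "OK"
    action = check_helo_access(helo)
    if action is None or action == "DUNNO":
        return "OK"   # the table made no decision; the trailing permit applies
    return action


if __name__ == "__main__":
    for name in ["mx.example.org", "localhost.", "[127.0.0.1]", "FOO.LOCAL",
                 "some.fools.exchange.local", "mailserver", "nonfqdnthatilike", "mail.com"]:
        print(f"{name:28} -> {smtpd_decision(name)}")
```

Moving the `some.fools.exchange.local` line below the `\.local$` rule, or the `nonfqdnthatilike` line below `^[^.]*$`, makes those hosts get rejected: that ordering, not the DUNNO keyword by itself, is what makes them exceptions.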
<html>
<pre>
ST8STXEZCKZJGT8L6242848WKFQBAZH.r.mail-abuse.com 550 Service unavailable; $rbl_class [$rbl_what] blocked using Trend Micro RBL+. Please see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=$rbl_what${rbl_reason?; $rbl_reason}
</pre>
<pre>
ST8STXEZCKZJGT8L6242848WKFQBAZH.q.mail-abuse.com 450 Service temporarily unavailable; $rbl_class [$rbl_what] blocked using Trend Micro Network Anti-Spam Service. Please see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=$rbl_what${rbl_reason?; $rbl_reason}
</pre>
</html>