14 Jan 2007

Well it has been a few days since I got the email for the new release of Apache and I was going to write about it sooner. But as happens often I got sidetracked and didn’t think of it until error reports came in via email and comments that there was something wrong with my compilation instructions.

It looks like we need an extra flag to compile properly, namely the “--with-included-apr” option, which forces the build to use the APR bundled with Apache instead of one from another package. The installation page has been updated accordingly!

There are more changes and bug fixes besides this one; you can read all about them in the Changes file on the Apache download page. I can’t link to it directly as it is dynamically altered to link to a mirror in your neighborhood.

12 Jan 2007

My network provider had some major problems today, I was out for most of the morning. It looks like some hardware at one of the central network failed and all customers were affected. The helpdesk phone had a taped message that they were replacing hardware from their vendor. I guess one of the central routers failed?

I guess the new owner of the network isn’t keeping up with maintenance. I hope it wasn’t too much of a problem to you…

7 Jan 2007

I’ve just upgraded this blog to run the latest release of WordPress. It was announced a few days ago and I finally had some time to kill today to run the upgrade. It was rather painless as usual. If you run WordPress on your system please upgrade as well, as there are some important security fixes in this release. Besides that, other updates in 2.0.6 include:

  • HTML quicktags now work in Safari browsers
  • Comments are filtered to prevent them from messing up your blog layout
  • Compatibility with PHP/FastCGI setups
  • New anti-XSS function called attribute_escape(), and a new filter called “query” which allows you to filter any SQL at runtime

There was however a small bug which affected users who use feedburner, the bug got solved and here’s how to do it yourself. It will be included in the 2.0.7 release which as it looks like, will be released soon. 2.1 is scheduled to be released pretty soon as well. The first beta is already available.

1 Jan 2007

Sam Varshavchik has spent the last days of 2006 cleaning up unreleased patches and fixes so that he can start 2007 with a clean slate. The changes aren’t critical and even he says that if everything is working for you, you don’t need to update.

The items that are of interest to us are the changes to IMAP, Authlib and maildrop. This updates them to the following versions: Courier-IMAP 4.1.2, Courier-Authlib 0.59 and Maildrop 2.0.3.

IMAP changes:

  • Fixed 64-bit issue with quota indication
  • Try to log bandwidth usage before getting killed by a signal
  • Fixed many compiler warnings
  • maildirmake: Clarify some error messages
  • Fixed some typos in man pages
  • message files created by the IMAP server will use the umask setting

Auth changes:

  • Fixed many compiler warnings
  • Try again if the LDAP server apparently closes the socket due to inactivity
  • Fix LDAP account enumeration
  • Fix up an error message
  • Added -f option to makeuserdb
  • Ported to openldap 2.3.27
  • Cleaned up RPM spec file
  • Ported code to gcc 4.1.1
  • courier-authlib should now be buildable by Solaris’s linker

maildrop changes:

  • Updated autoconf/automake/libtool build toolchain
  • Fixed several compiler warnings
  • Cleanup. Consolidate multiple quoted-printable implementations into one
  • Fixed an obscure bug in quoted-printable encoding

Don’t forget to run this command after you have installed the authlib binaries:

chmod o+x /usr/local/var/spool/authdaemon

Otherwise you’ll get the error: SASL authentication failure: cannot connect to Courier authdaemond: Permission denied.

23 Dec 2006

I wanted to wish you all a Merry Christmas, and a happy 2007.

I’ll try to make 2007 as good as 2006 was with new features and help you in running a stable mail and web-server for your customers, friends or family.

To get into the Christmas spirit it really helps to have some snow but here in the Netherlands that isn’t going to happen this year. So I’ve downloaded this little gem to give me some snow even if it is artificial. If you don’t have snow this year yourself you might like this program running on your Mac as well ;-)

21 Dec 2006

I, like most people, am sloppy in my backup procedures. Every now and then I created a tar archive of the important stuff and burned it to a DVD for safekeeping. But the time in between those backups was usually more than six months. I was looking for a cheap solution that would solve all my problems. Buying extra external hard disks came to mind but as it is now they would mostly be used to store more movies.

Until I found out earlier this week about the solution Alex King (of WordPress fame) came up with for his backups. The Amazon Simple Storage Service or Amazon S3 for short. It’s like a very cheap online disk using the same highly scalable, reliable, fast, inexpensive data storage infrastructure that Amazon uses to run its own global network of web sites. So it looks like it will be there for some time. It’s cheap as well, $0.15 per GB/month and $0.20 per GB of traffic. Someone else has done the math for us and it looks like it is cheaper than buying external disks. At least it will be more reliable. The only downside is the speed at which I can upload or download information.

The only thing I didn’t like about Alex’s setup was the use of JungleDisk. While doing some googling I found other solutions that could help me accomplish a simple off-site backup solution. I really liked the s3sync.rb solution as it resembles the rsync command which I know how to use. The only problem was that it used the language Ruby which was a big unknown to me. I’ve heard and read about Ruby on Rails for some time now but never had the urge to try it out. But I was willing to give it a go.

I’ve got it all working and documented now so you can use this service as well. Currently I’m backing up like never before. The first time I ran the backup it took forever, but after that first time only the new or altered files would be uploaded, saving a lot of time and bandwidth. I’m currently backing up all my websites and the virtual maildirs on my server on a daily basis. This is about 200 MB of information which will cost me about $0.02 a month to store plus say $0.15 for data transfer fees. Which means that I will have a full secure online backup which I can access from anywhere all the time for say $0.25 a month!

Next up I’m going to write some scripts to upload my iPhoto stuff as well.

20 Dec 2006

It’s time again for a security update. This time it’s a pure client patch and not really server related. It fixes a security hole in QuickTime. I’ve installed it on my servers and didn’t run into any issues as I expected because of the affected components. Read more about the update here.

17 Dec 2006

Sorry for not posting this long but I’ve been doing too many things at once without finishing one single thing or getting somewhere with all the time put in it. I should really learn to focus a bit more. All these features of the new programs and requests I get are just too tempting not to touch. But back to the business at hand:

Wietse has got a new patch level release out for our beloved Postfix mailserver. Mostly bugfixes, some of them don’t bother us like problems with Red Hat or FreeBSD but the others might. So I’ve compiled and checked it and I’m running it on my test servers and production servers without a problem. Just follow the install documentation and you’ll be alright.

Some of the bugfixes are:

  • Message headers longer than 65535 broke the Milter protocol. To
    make matters worse the cleanup server could then dereference a
    null pointer. When Milter support is enabled, the length of each
    message header is now limited to 60000.
  • Several fixes to improve worst-case behavior of the (new) queue
    manager with multi-recipient mail. The queue manager now reads
    new recipients earlier from the queue file, instead of becoming
    starved while waiting for the slowest in-memory recipients to
    complete; and it now reads recipients in smaller chunks to avoid
    spending too much time not talking to delivery agents.
  • With remote SMTP server tarpit delays larger than the Postfix
    SMTP client’s smtp_rset_timeout (default: 20s), the client would
    get out of sync with the server while reusing a connection. The
    symptoms were “recipient rejected .. in reply to DATA”.

29 Nov 2006

The software update icon was jumping in my dock again after a longer time than expected. This time I was a bit more careful after the unexpected Postfix issues with the last update. The updates are mostly security related and I think you need to apply this asap. I didn’t notice any problems after the reboot and everything is working. Read more about the update here.

29 Nov 2006

I’ve been reading up on the topic of greylisting and the techniques behind it and found out that it doesn’t quite work if you have a backup MX mailserver that does not have the same policy as your primary server. That is the situation I’m in and I think most of you as well.

If you have greylisting implemented on your primary server, any email arriving will be checked against a stored list of previously encountered mail servers and mail addresses. If the combination is not known, the sending mail server will be asked to try again later. Most spammers will leave it at that. Once you have received a certain number of mails from the same mail server and mail address, that combination will be whitelisted and always accepted directly.

The problem with backup MX servers is that they will be whitelisted and you need to accept all mail from that server because it will keep trying (as it is intended to do)! If you don’t have control over the backup MX server and they don’t have a greylisting policy like you have or don’t do spam filtering, you have a backdoor that is wide open for spammers.
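The effect of a mismatched backup MX can be seen in a small simulation. This is an added sketch, not code from this site or from any greylisting package; the class names, the 300 second delay, the retry interval and all addresses are constructed, and the whitelist-after-x-mails step is left out to keep the core case visible.

```python
MIN_DELAY = 300  # constructed value: seconds before a retry from a new pair is accepted


class Greylist:
    """Defer the first attempt from an unknown (server, sender) pair."""

    def __init__(self):
        self.first_seen = {}  # (client_ip, sender) -> time of first attempt

    def check(self, client_ip, sender, now):
        first = self.first_seen.setdefault((client_ip, sender), now)
        return "accept" if now - first >= MIN_DELAY else "defer"


class BackupMX:
    """Secondary MX that queues mail and retries the primary, as a real MTA does."""

    def __init__(self, ip, primary, policy=None):
        self.ip, self.primary, self.policy = ip, primary, policy

    def receive(self, client_ip, sender, now, retry_every=600, max_tries=5):
        # A backup with its own greylist defers unknown senders like the primary.
        if self.policy is not None and self.policy.check(client_ip, sender, now) == "defer":
            return "deferred at backup"
        # Otherwise it accepts, and the primary only ever sees the backup's IP.
        for attempt in range(max_tries):
            t = now + attempt * retry_every
            if self.primary.check(self.ip, sender, t) == "accept":
                return "delivered to primary"
        return "bounced"


SPAM_IP, SPAM_FROM = "203.0.113.7", "bulk@spam.example"  # constructed sample sender


def direct_attempt():
    """A sender that never retries connects straight to the primary."""
    return Greylist().check(SPAM_IP, SPAM_FROM, now=0)


def via_backup(backup_has_greylist):
    """The same single attempt, aimed at the backup MX instead."""
    policy = Greylist() if backup_has_greylist else None
    backup = BackupMX("192.0.2.53", Greylist(), policy)
    return backup.receive(SPAM_IP, SPAM_FROM, now=0)


if __name__ == "__main__":
    print("direct to primary:      ", direct_attempt())
    print("via open backup MX:     ", via_backup(False))
    print("via greylisting backup: ", via_backup(True))
```

The single non-retrying attempt is deferred when it hits the primary, but the same message is delivered once the backup MX retries on its behalf; only a backup that applies the same policy stops it at the edge.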

Read more on the subject in this whitepaper which describes it all in more detail.

Before we can use/implement greylisting we need to turn off our current backup MX and find someone else who will use the same policies and will want to be our backup MX, or just live without a backup mail server…

I would like to know your thoughts on this. What can I/we do to work this out?
