User mode linux...
Hi. Has anyone tried User Mode Linux to do virtual hosting? Is UML secure enough for this? The web page says that virtual hosting is possible, but he doesn't know of anyone who's doing this... Thanks in advance. -- Jator -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: BIND 8 or 9 version ?
On Tue, Jul 22, 2003 at 05:06:39PM +0200, Stephane Bortzmeyer wrote:
> It is partly a matter of taste.
- v8 is faster
- v8 is stable
- v8 does not have "views"
OTOH different views can't use the same files. :( bad bad bad
- v9 can be used with db/sql - but i would recommend powerdns for that task (powerdns is fastest authoritative dns server around and it works with mysql/oracle/mysql, BUT it lacks ACLs and you can't have per-zone settings - only general (notify, transfer,...)
there is another dns auth server project that ripe started, but i can't remember the name
and djb is not compatible with working OSes. :)
Re: BIND 8 or 9 version ?
On Wed, Jul 23, 2003 at 09:06:51AM +0200, Stephane Bortzmeyer wrote:
> > (powerdns is fastest authoritative dns server around
> You must be kidding, on every benchmark we performed,
it was faster than bind on those tests that i made, but i don't use it because it lacks some "bind features". oh and it needs an external resolver.
> That's nsd and it is no longer a project.
URL?
Server Motherboards with multiple PCI buses
I am putting together a couple of servers that will become PCI bus bottlenecked. I haven't found very many motherboards that have multiple PCI buses. The Intel L44GX+ has taken the AGP port (PCI 66) and used it for PCI slots instead, but has some bug report against this second PCI where the machine locks, but otherwise sounds good. Does anyone know of some good ix86 multiple PCI bus motherboard that you have running Debian on ( even if a custom kernel was required (like for SMP))? J.Currey
Re: Server Motherboards with multiple PCI buses
On Fri, Apr 14, 2000 at 01:18:55PM +0200, Russell Coker wrote:
> On Wed, 12 Apr 2000, J. Currey wrote:
> >I am putting together a couple of servers that will become PCI
> >bus bottlenecked.
> >I haven't found very many motherboards that have multiple PCI buses.
> >The Intel L44GX+ has taken the AGP port (PCI 66) and used it for
> >PCI slots instead, but has some bug report against this second PCI
> >where the machine locks, but otherwise sounds good.
> >Does anyone know of some good ix86 multiple PCI bus motherboard that
> >you have running Debian on ( even if a custom kernel was required
> > (like for SMP))?
>
> I am curious, what are you doing that will cause a PCI bus bottleneck? I
> hope you don't mind me asking.
>
Well supporting gigabit Ethernet for one, and 4 100Mb sub networks and logging. PCI bandwidth is about 132 MB/sec (32bit at 33MHz), and with 100MB/sec? taken by the gigabit Ethernet, it doesn't leave much room for disk writes, much less the other networks. In practicality it will rarely see that much, but it must be capable of it (and I have a one shot budget to accommodate a few years growth).
A common example of a PCI bottleneck is multiple SCSI controllers with striped drives. It would make sense for gigabyte Ethernet cards and high speed SCSI controllers to use the AGP slot (since AGP is really PCI @ 66MHZ with a funny connector <- flame target). There are SCSI raid adapters that are using PCI 66MHZ.
Make sense? Oh well :).
J.Currey
Re: network printing
On Wed, May 24, 2000 at 10:55:43AM -0500, Wayne Sitton wrote:
> I don't remember seeing if this posted the first time, so forgive me if it
> did.
> I need to set up a debian box to print to a Windows NT shared printer.
> The NT server is a PDC . The printer is an HP 5000. If anyone could help, I
> could use it.
>
> Waynes
>
The easiest way is
# apt-get install printtool
It is a Redhat product, so I don't know about its security, like having the password for print server in clear text somewhere.
~# apt-cache depends printtool
printtool
  Depends: file
  Recommends: tkstep8.0 tk8.3 tk8.2 tk8.0-ja tk8.0
  Recommends: gs gs-aladdin
  Recommends: enscrip
Try it without samba, samba-common, smbclient first, and then add them if it doesn't work. You can use any of the hp laser jet filters and have it work, and if your HP 5000 supports postscript, it will spare some processor time on your machine.
J.Currey
ACN
Hello, Thank you very much for your interest for a position within ACN Europe. We will assess your application ASAP. For more information about our company we refer to our website www.acneuro.com . Kind regards/ met vriendelijke groeten, Jolie den Boer Recruiter ACN Europe B.V. +31 (0)20 355 6915
Re: remote management
Hi
I'm running a BIND 8.2.2.- patch 5 and occasionally I get this message from system (Debian):
Out of memory!
Callback called exit at /usr/bin/mrtg line 73.
BEGIN failed--compilation aborted at /usr/bin/mrtg line 73.
which is followed by crashing of BIND. In the same time the kernel is reporting:
Dec 15 22:04:56 sun kernel: VM: killing process who.pl
Dec 15 22:06:23 sun kernel: VM: killing process apache-ssl
Dec 15 22:06:27 sun kernel: VM: killing process sendmail
Dec 15 22:06:27 sun kernel: VM: killing process apache-ssl
Dec 15 22:06:28 sun kernel: VM: killing process named
Dec 15 22:07:51 sun kernel: VM: killing process apache-ssl
Dec 15 22:09:06 sun kernel: VM: killing process apache-ssl
Dec 15 22:09:10 sun kernel: VM: killing process apache-ssl
But Apache and sendmail remain untouched. Is it possible that it's all about a bug (e.g. zxfr bug) which affects this version of BIND or it's just weakest of all this so it goes down?
radius mysql no log activity
Dear Radius users,
I am having a difficult time setting up freeradius (v0.4) on a Debian Testing system to work with SQL. Using the test program, radtest, I get no notification whatsoever that it is making a connection to the server. However, when I disable the SQL module and just use the 'users' file, I get authentication messages. I have attached several of my configuration files. If more are needed, I would be happy to provide them.
When configured for SQL use, here is the output of 'radiusd -X':
intrepid:~# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: //etc/raddb/clients.conf
Config: including file: //etc/raddb/snmp.conf
Config: including file: //etc/raddb/sql.conf
main: prefix = "/"
main: localstatedir = "//var"
main: logdir = "/var/log/radiusd-freeradius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/radiusd-freeradius/radacct"
main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading clients
read_config_files: reading realms
read_config_files: reading naslist
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "//var/run/radiusd/radiusd.pid"
main: bind_address = 127.0.0.1 IP address [127.0.0.1]
main: user = "root"
main: group = "root"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: proxy_requests = no
main: debug_level = 0
read_config_files: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded System
unix: cache = no
unix: passwd = "/etc/passwd"
unix: shadow = "(null)"
unix: group = "/etc/group"
unix: radwtmp = "/var/log/radiusd-freeradius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded SQL
sql: driver = "rlm_sql_mysql"
sql: server = "localhost"
sql: port = ""
sql: login = "radius"
sql: password = "**"
sql: radius_db = "radius"
sql: acct_table = "radacct"
sql: acct_table2 = "radacct"
sql: authcheck_table = "radcheck"
sql: authreply_table = "radreply"
sql: groupcheck_table = "radgroupcheck"
sql: groupreply_table = "radgroupreply"
sql: usergroup_table = "usergroup"
sql: nas_table = "nas"
sql: dict_table = "dictionary"
sql: sqltrace = off
sql: sqltracefile = "/var/log/radiusd-freeradius/sqltrace.sql"
sql: deletestalesessions = yes
sql: num_sql_socks = 32
sql: sql_user_name = "%{User-Name}"
sql: authorize_check_query = "SELECT id,UserName,Attribute,Value FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
sql: authorize_reply_query = "SELECT id,UserName,Attribute,Value FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
sql: authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"
sql: authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id"
sql: authenticate_query = "SELECT Value,Attribute FROM radcheck WHERE UserName = '%{User-Name}' AND ( Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC"
sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = %{Acct-Delay-Time} WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
sql: accounting_update_query = "UPDATE radacct SET FramedIPAddress = '%{Framed-IP-Address}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}'"
sql: accounting_start_query = "INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId
Colorado Tape Backup Problems
Hello, I have an old Colorado Tape backup – floppy controller – that I've been trying to get working for some time now. I have searched on the net for possible solutions but have been unsuccessful in finding information. I have installed Debian’s ftape software and played with it, but alas, I am unsuccessful. Does anyone have suggestions on this matter? I appreciate any ideas or suggestions.
Sincerely, Daniel J. Rychlik
" Money does not make the world go round , Gravity does ."
Look and See script
Hello, I have a mud game that runs on a Debian system running the 2.2 kernel. Occasionally the mud game crashes and stops accepting connections. I have to manually log in to restart the game. I am wondering if there is a way (which I am sure there is) to automatically restart the mud after it crashes. Is there a way to write a script that monitors the behavior of the pid or some other kind of process that it runs from to check for either yes it's running or no it's not? I have honestly looked at trying to find an answer for myself and my problem, but I need to be pointed in the right direction. Any information would be helpful.
Sincerely, Daniel J. Rychlik
" Money does not make the world go round , Gravity does ."
Re: [Question] Harddisk Error!!!
On Monday 15 April 2002 12:02 am, axacheng wrote:
> Hello List :
>
> i have some problem as following :
>
> fileserver:/# e2fsck -v -y /dev/hda
> bash: /sbin/e2fsck: Input/output error
>
> then,i check /var/log/mesagg
>
> fileserver:/# tail -10 /var/log/messages
> Apr 15 03:09:37 fileserver kernel: ide0: reset: success
> Apr 15 03:09:37 fileserver kernel: hda: set_geometry_intr: status=0x61 {
> DriveReady DeviceFault Error } Apr 15 03:09:37 fileserver kernel: hda:
> set_geometry_intr: error=0x04 { DriveStatusError } Apr 15 03:09:37
> fileserver kernel: end_request: I/O error, dev 03:03 (hda), sector 37492776
> Apr 15 03:09:37 fileserver kernel: hda: recal_intr: status=0x61 {
> DriveReady DeviceFault Error } Apr 15 03:09:37 fileserver kernel: hda:
> recal_intr: error=0x04 { DriveStatusError } Apr 15 03:09:37 fileserver
> kernel: ide0: reset: success
> Apr 15 03:09:37 fileserver kernel: hda: set_geometry_intr: status=0x61 {
> DriveReady DeviceFault Error } Apr 15 03:09:37 fileserver kernel: hda:
> set_geometry_intr: error=0x04 { DriveStatusError } Apr 15 03:09:37
> fileserver kernel: ide0: reset: success
>
> it seems, my harddisk crash?or my kernel problem?
>
> anybody knows how to solve this problem?? @_@
I am by no means an expert about HD's, but I just had an IBM TravelStar 48GB laptop HD bite the dust with errors identical to these. Bad blocks growing rapidly. In fact I am just now getting everything back up on the replacement from Dell, but because of many many errors in /usr when transferring from the bad HD to the replacement, I am going to wipe it and reinstall. I don't know what your hardware is, and I don't know about generic utils, but I used Dell's 32bit Diagnostic util in order to get them to replace the drive under warranty.
Good luck,
--
J. Patrick Lanigan
Debian Linux - 2.4.18 on vagabond
00:17:46 up 7:58, 1 users, load average: 1.13, 1.16, 1.10
RE: Some Help with the mail side of things
Agreed,.. /bin/false works nicely.
Sincerely, Daniel J. Rychlik
" Money does not make the world go round , Gravity does ."
-----Original Message-----
From: Glenn Hocking [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 05, 2002 7:54 PM
To: Johnno; [EMAIL PROTECTED]
Subject: Re: Some Help with the mail side of things
Try setting their shell to /bin/false. This should allow pop3 access but disable ftp/telnet/ssh logins.
Best regards
Glenn Hocking
Publish Media Pty Ltd
http://www.sitegeneral.com
Johnno wrote:
>Hello All,
>
>I am running Postfix 1.1.3 and ipop3d.
>
>What I am wanting to do instead of going a adduser etc.. to add a user
>mailbox it have it like a virtual system where I can add a user in and when
>they pop in their account pick up mail.. at the moment I have to use the
>adduser command to make it work so they have a mailbox on the system...
>
>I have mapped various email addresses to that account and it works fine...
>
>The problem I find is that if I use the adduser they can also ssh or ftp
>into their accounts.. this is not what I want to happen...
>
>how do I get around (apart from running other mail server) hosting domains
>and they want the same name..
>
>ie.. [EMAIL PROTECTED] and [EMAIL PROTECTED] these are 2 different people...
>
>I am thinking of maybe a database system..
>
>Many Thanks,
> Johnno
Free PGP sigs~
Hello, Are there any free pgp servers out there? That brings up another question: Is there a Debian package that I could install and run my own PGP?
Sincerely, Daniel J. Rychlik
" Money does not make the world go round , Gravity does ."
Apache and Front Page extensions
Hello, Is there a Debian package for frontpage extensions for apache?
Sincerely, Daniel J. Rychlik
" Money does not make the world go round , Gravity does ."
Re: DNS servers
Craig Sanders writes:
> nobody with more than a handful of domains is going to throw everything
> away and convert to a new nameserver program

Five of the top ten domain-hosting companies on the Internet---including Namezero, the largest---have switched to djbdns (tinydns) to publish their domains.

> that they know nothing about...and haven't been able to test
> adequately because it can't (won't!) read their hundreds or
> thousands of existing zone files.

djbdns can simply transfer the zones from BIND. The upgrade instructions explain this in detail:

   http://cr.yp.to/djbdns/run-cache-bind-1.html
   http://cr.yp.to/djbdns/run-server-bind.html

You say that you want ``native support'' for BIND's configuration files and zone files, not just a zone importer. Could you please explain what advantage this ``native support'' would have? If the BIND file formats are so wonderful, why does the BIND company keep changing them?

I have a comparison table at http://cr.yp.to/djbdns/blurb/easeofuse.html showing that all sorts of operations are easier with djbdns than with BIND. Have you actually tried using the djbdns configuration mechanism? What specific operations did you find easier with BIND?

> plain-text config files like everyone/everything else rather than
> magic filenames inside a hard-coded directory tree

Let's try a concrete example. With djbdns, to authorize clients with IP address 10.*, you touch /service/dnscache/root/ip/10. With BIND, you edit named.conf and add something to the allow-query line.

The obvious point is that djbdns makes the configuration change easier for people than BIND does.

The more subtle, and more important, point is that djbdns makes the configuration change much easier for _programs_ than BIND does. If someone wants to write a tool providing another configuration UI, he'll have a much easier time with djbdns than with BIND, because the file formats are much simpler. Everyone benefits.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
Re: DNS servers
Craig Sanders writes:
[ http://cr.yp.to/djbdns/blurb/easeofuse.html ]
> almost every bind solution ends with "Look for errors in your system's
> logs." but not one of the djbdns solutions does the same

What you fail to realize is that djbdns puts the errors on your screen, in response to the command you just typed, right before the next prompt. That's why the extra step of looking at logs is unnecessary for djbdns.

[ zone files ]
> i have scripts and procedures in place to manage them.

Ah. Did it ever occur to you to mention this site-specific issue before you made broad comments about the usability of djbdns? Did it ever occur to you to ask for scripts that do the same thing with djbdns? What do your scripts actually do?

> i can't see why it's so difficult to provide native support for
> bind zonefiles.

Because those files are in an unstable, horribly complicated format. Crude parsing is easy, but reliable parsing is extremely difficult.

> 3. bind zonefiles are human readable. tinydns-data zonefiles are not.

Let's try a simple example. I find

   =bear.heaven.af.mil:1.2.3.6
   @heaven.af.mil:1.2.3.4

much easier to read than

   bear.heaven.af.mil. 86400 IN A 1.2.3.6
   6.3.2.1.in-addr.arpa. 86400 IN PTR bear.heaven.af.mil
   heaven.af.mil. 86400 IN MX mx.heaven.af.mil
   mx.heaven.af.mil. 86400 IN A 1.2.3.4

and much less error-prone. Don't you?

> > Let's try a concrete example. With djbdns, to authorize clients with
> > IP address 10.*, you touch /service/dnscache/root/ip/10. With BIND,
> > you edit named.conf and add something to the allow-query line.
> yes. a good example of something that you believe is easier but isn't.

You ask how to add notes: vi ip/10. You ask how to comment out entries: mkdir ipbak; mv ip/10 ipbak. And so on.

But the more important point, again, is that the clean file format in djbdns allows easy development of tools providing other user interfaces. For example, a trivial script can combine the ip directory entries into a file that looks like

   10 # local network
   #192.168 # not using this any more

for you to edit, after which it revises the directory accordingly. It can support address ranges, or some fancy GUI, or automatic interaction with other tools.

You assert that the djbdns configuration isn't ``any easier'' for programs to parse than the BIND configuration. That's ludicrous.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
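[Added example, not part of the original message and not djbdns code: one way to write the editable-file round trip the message describes for the dnscache ip directory. It assumes notes are kept as the file contents and disabled entries live in a sibling ipbak directory, as in the "vi ip/10" and "mv ip/10 ipbak" commands above; the function names and the demo directory are hypothetical.]

```python
import os
import re
import tempfile

_PREFIX = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}$")


def valid_prefix(prefix):
    """True for 1 to 4 dotted decimal octets, each 0..255 ('10', '192.168')."""
    return bool(_PREFIX.match(prefix)) and all(
        int(octet) <= 255 for octet in prefix.split("."))


def _read_dir(path):
    """Map file name -> note (the file contents on one line) for a directory."""
    notes = {}
    if os.path.isdir(path):
        for name in sorted(os.listdir(path)):
            with open(os.path.join(path, name)) as fh:
                notes[name] = " ".join(fh.read().split())
    return notes


def export(root):
    """Render root/ip and root/ipbak as the editable text from the message."""
    lines = []
    for sub, mark in (("ip", ""), ("ipbak", "#")):
        for prefix, note in _read_dir(os.path.join(root, sub)).items():
            lines.append(mark + prefix + (" # " + note if note else ""))
    return "\n".join(lines) + "\n"


def parse(text):
    """Return {prefix: (enabled, note)}; raise ValueError on a bad prefix."""
    wanted = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")      # leading '#' = commented out
        prefix, _, note = line.lstrip("#").partition("#")
        prefix, note = prefix.strip(), note.strip()
        if not valid_prefix(prefix):
            raise ValueError(f"line {lineno}: bad address prefix {prefix!r}")
        wanted[prefix] = (enabled, note)
    return wanted


def apply(root, text):
    """Make the directories match the edited text; return the changes made.

    The whole text is validated first, so a typo leaves the access list as
    it was instead of half-applied.
    """
    wanted = parse(text)
    changes = []
    for sub, flag in (("ip", True), ("ipbak", False)):
        directory = os.path.join(root, sub)
        os.makedirs(directory, exist_ok=True)
        for name in sorted(os.listdir(directory)):
            if wanted.get(name, (None,))[0] is not flag:
                os.remove(os.path.join(directory, name))
                changes.append(f"-{sub}/{name}")
    for prefix, (enabled, note) in wanted.items():
        sub = "ip" if enabled else "ipbak"
        path = os.path.join(root, sub, prefix)
        if not os.path.exists(path):
            changes.append(f"+{sub}/{prefix}")
        with open(path, "w") as fh:
            fh.write(note + "\n" if note else "")
    return changes


def make_demo_root():
    """Build a constructed sample tree holding the two entries from the message."""
    root = tempfile.mkdtemp(prefix="dnscache-root-")
    for sub, name, note in (("ip", "10", "local network"),
                            ("ipbak", "192.168", "not using this any more")):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, name), "w") as fh:
            fh.write(note + "\n")
    return root


if __name__ == "__main__":
    demo = make_demo_root()
    print(export(demo), end="")
    print(apply(demo, export(demo) + "172.16 # lab network\n"))
    print(export(demo), end="")
```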
Re: DNS servers
The ``DNS and BIND'' book repeatedly tells people to check their logs. Page 313 (3rd edition): ``Unless you [happen to see erroneous output or] scan your syslog file assiduously, you might never notice the syntax error!'' Page 80: ``Check the syslog file for error messages.''

So I put ``Look for errors in your system's logs'' into my BIND table. Craig Sanders goes ballistic: he says this is ``self-serving propaganda peppered with prejudicial language that attempts to make trivial operations seem difficult or prone to error.''

Even if I didn't have previous experience with Sanders, I'd find it difficult to take his comments seriously after that.

Meanwhile, Sanders says that the BIND zone-file syntax

   bear.heaven.af.mil. 86400 IN A 1.2.3.6
   6.3.2.1.in-addr.arpa. 86400 IN PTR bear.heaven.af.mil

is ``human readable'' while the tinydns data syntax

   =bear.heaven.af.mil:1.2.3.6

is ``not human readable.'' Even worse, when he first says this, he doesn't give any examples---he makes it sound as if the tinydns format is some insanely complicated format that can't be edited by hand.

When I give an example, Sanders goes ballistic again: ``You assume that your way is so much better than any other way that you refuse to see alternate viewpoints...if you were right that would be tolerable, but in inherently subjective matters like this one you're not right.''

This outburst comes from someone who baldly claimed that the tinydns data syntax is ``not human readable.'' Wow.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
Re: DNS servers
We're discussing the example

   cd /service/tinydns/root
   ./add-host lion.x.mil 1.2.3.4
   make

from http://cr.yp.to/djbdns/blurb/easeofuse.html.

These commands will automatically stop and display a message if there are any syntax errors, disk-write errors, etc. (Of course, there won't be any syntax errors added by add-host, but maybe you edited the data manually.)

The ``DNS and BIND'' book says that you have to check syslog because otherwise ``you might never notice'' syntax errors. That's true for BIND, but it's not true for djbdns. The extra step of checking logs is unnecessary for djbdns.

Sanders claims that I'm telling people to ignore the possibility of errors introduced by editing. That claim is completely incorrect. I'm saying---and, in fact, the same web page mentions a little later---that these errors are automatically put on your screen in response to your commands. (Exactly as you would expect from normal UNIX commands.)

Other helpful djbdns features illustrated by the same example:

   * you can simply run a program instead of manually editing files;
   * you don't have to repeat the host information in PTR format;
   * the add-host program automatically stops if the name or IP address was used before (if you want repetitions, use add-alias);
   * the update is saved to disk (atomically!) just in case there's a power outage;
   * you don't have to worry about serial numbers;
   * you don't have to worry about trailing dots.

A bunch of little improvements like this add up to a quite noticeable overall improvement in ease of use: time saved, errors avoided, confidence gained. (By the way, when Sanders claims that ease of use is inherently subjective, he's ignoring decades of UI research.)

A more subtle point illustrated by this example is how easy the tinydns data format is for programs to parse. The add-{host,alias,mx,ns,childns} scripts, and the tinydns-edit program that they use, are small and straightforward.

Sanders claims that the tinydns configuration syntax isn't ``any easier for programs'' than the BIND configuration syntax. That's ludicrous. Where's the equivalent of add-host for BIND zone files? To do the job right, you'd have to parse named.conf in enough detail to reliably locate the relevant forward and reverse zone files, then parse those files in enough detail to check for prior use of the name and address, update serial numbers, and so on. Yes, BIND can do all this parsing, but BIND is a huge piece of code!

Nate Campi pointed out a few of the complications of the BIND zone-file syntax that are avoided by the tinydns syntax. Sanders responds that ``programs should do the extra work.'' Gee: I thought he was claiming a moment ago that there wasn't any extra work.

Talking to Sanders is like talking to Microsoft users who don't understand why so few UNIX programs read Microsoft's document formats. Some of those users scream that the UNIX people aren't paying attention and don't care about compatibility. When programmers try to explain that the limited software choice is caused by the unnecessary complexity of the file format, the users respond that it's the programmer's job to deal with that complexity. What's really sad is that they continue blithely creating files in overly complicated formats.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago

P.S. I wonder whether Sanders is bothered by the ``magic'' filenames in the cron file hierarchy, and the terminfo file hierarchy, and the init system, and many other UNIX configuration mechanisms. Is it so hard to grasp the concept that the filesystem is a database?
Re: DNS servers
Sanders writes:
> the alleged documentation for tinydns-data is atrocious too, it's ALL
> done by example, no syntax definition, no overview.

In fact, http://cr.yp.to/djbdns/tinydns-data.html contains the syntax definition, a bunch of examples, and a link to a tutorial page.

[ the tinydns data syntax is ``bizarre and broken'' because ]
> the PTR record is automagically created when you create the A record

In fact, you're perfectly free to create just an A record (+fqdn:ip), just a PTR record (^blah.arpa:fqdn), just an MX record (@fqdn::mx), just an NS record (&fqdn::ns), just an SOA record (Z...), etc. You can play with TTLs, serial numbers, and so on, in as much detail as with BIND.

Or you can work with slightly higher-level concepts such as hosts (=fqdn:ip, creating A+PTR), mail exchangers (@fqdn:ip, creating MX+A), and name servers (.fqdn:ip, creating SOA+NS+A)---concepts that BIND doesn't support because they can involve more than one zone.

> get this, it really takes the cake, either or both of the A & PTR
> records are completely ignored unless there are appropriately
> corresponding NS records somewhere in the file.

In fact, the text you're talking about---``Remember to specify name servers for some suffix of fqdn; otherwise tinydns will not respond to queries about fqdn''---refers to a basic part of the DNS architecture. The equivalent BIND rule is that every record needs to be in a zone.

> you can't find the A records for a given hostname just by searching
> for the "=" lines, you also have to parse every other line in case an
> A record is automagically defined elsewhere, e.g. in "&" or "." or "@"
> lines.

If you want a program to work with A records rather than higher-level concepts, you can use tinydns-get to do a particular address lookup, or you can use the following script to print out every address and name:

#!/bin/sh
# Print "ip name" for every address defined in the tinydns data file.
sed 's/[ ]*$//' /service/tinydns/root/data | awk -F: '
  # For @ . and & lines the third field x names the server:
  # x itself if it contains a dot, otherwise x.<type>.<fqdn>.
  function printx(type) {
    if (!match($3,/\./)) $3 = $3 "." type "." substr($1,2)
    sub(/^\./,"",$3)
    print $2,$3
  }
  /^@/ { if ($2) printx("mx") }
  /^[\.&]/ { if ($2) printx("ns") }
  # = and + lines carry the address of the fqdn itself.
  /^[=+]/ { if ($2) print $2,substr($1,2) }
'

This is another example of how easy it is to parse the tinydns configuration syntax. Can you show me a script for BIND that reliably does the same thing? Parse named.conf to figure out the active zone files; parse the zone files; don't forget to deal with $ORIGIN and $INCLUDE and $GENERATE ...

Of course, the above script can easily be modified to change a selected IP address, or to start your editor on the appropriate line in the data file, or to adjust TTLs, etc.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
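[Added example, not part of the original message and not djbdns code: the line types named above expanded into the individual records they stand for, with malformed lines reported by line number. It handles only the `=`, `+`, `^`, `@`, `.` and `&` forms with the fields shown in this thread; TTLs are left out, the SOA entry carries only the primary server name, and the sample data below the first two lines is constructed.]

```python
import ipaddress


def _server_name(x, kind, fqdn):
    """Target of an MX or NS line: x itself if it contains a dot,
    otherwise x.<kind>.<fqdn> (an empty x gives <kind>.<fqdn>)."""
    if "." in x:
        return x
    return f"{x}.{kind}.{fqdn}".lstrip(".")


def expand_line(line):
    """Return the (name, type, value) records one data line stands for."""
    line = line.rstrip()
    if not line or line.startswith("#"):
        return []
    kind, fields = line[0], line[1:].split(":")
    fields += [""] * (3 - len(fields))      # pad the optional fields
    fqdn, ip, x = fields[0], fields[1], fields[2]
    if not fqdn:
        raise ValueError("missing fqdn")
    if kind == "^":                          # ^fqdn:p -> PTR only
        return [(fqdn, "PTR", ip)]
    if kind not in "=+@.&":
        raise ValueError(f"line type {kind!r} is not handled in this example")
    if ip:
        ipaddress.IPv4Address(ip)            # ValueError on a malformed address
    records = []
    if kind in "=+":
        if not ip:                           # this example rejects an empty ip
            raise ValueError(f"{kind}{fqdn} needs an IP address")
        records.append((fqdn, "A", ip))
        if kind == "=":                      # host: A plus the matching PTR
            reverse = ipaddress.IPv4Address(ip).reverse_pointer
            records.append((reverse, "PTR", fqdn))
    else:
        tag = "mx" if kind == "@" else "ns"
        target = _server_name(x, tag, fqdn)
        if kind == ".":                      # name server line also implies SOA
            records.append((fqdn, "SOA", target))
        records.append((fqdn, "MX" if kind == "@" else "NS", target))
        if ip:                               # @fqdn::mx style lines add no A
            records.append((target, "A", ip))
    return records


def expand(data):
    """Expand a whole data file; return (records, errors)."""
    records, errors = [], []
    for lineno, line in enumerate(data.splitlines(), 1):
        try:
            records.extend(expand_line(line))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return records, errors


def a_records(data):
    """Every (name, ip) pair, whichever line type defined it."""
    return [(name, value) for name, rtype, value in expand(data)[0]
            if rtype == "A"]


# Constructed sample: the first two data lines are the ones quoted in the
# thread, the rest are made up, and the last one is deliberately malformed.
SAMPLE = """\
# sample data
=bear.heaven.af.mil:1.2.3.6
@heaven.af.mil:1.2.3.4
.heaven.af.mil:1.2.3.5:a
&sub.heaven.af.mil::ns1.example.net
+www.heaven.af.mil:1.2.3.999
"""

if __name__ == "__main__":
    recs, errs = expand(SAMPLE)
    for name, rtype, value in recs:
        print(f"{name:28} {rtype:4} {value}")
    for err in errs:
        print("error:", err)
```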
Re: e-commerce
On Sun, 23 Jul 2000, Dariush Pietrzak wrote:
> > > a good solution to implement a virtual store?
> consider minivend
And then find a better alternative. Unless you have more free time than sense stay *away* from minivend. Far, far, away. It is quirky.
--
J-Mag Guthrie         /"\  Brokersys
                      \ /
281-580-3358 (voice)   X   Now offering DSL in Houston.
281-586-0628 (fax)    / \  http://www.brokersys.com
Re: e-commerce
On Mon, 24 Jul 2000 [EMAIL PROTECTED] wrote:
> On Mon, Jul 24, 2000 at 11:08:21AM -0500, J-Mag Guthrie wrote:
> > On Sun, 23 Jul 2000, Dariush Pietrzak wrote:
> > > > > > > > > a good solution to implement a virtual store?
> > > consider minivend
> >
> > And then find a better alternative. Unless you have more free time than
> > sense stay *away* from minivend. Far, far, away. It is quirky.
> >
> > --
> > J-Mag Guthrie         /"\  Brokersys
> >                       \ /
> > 281-580-3358 (voice)   X   Now offering DSL in Houston.
> > 281-586-0628 (fax)    / \  http://www.brokersys.com
>
> Can you share with us why? I'll agree Minivend is not for the
> faint of heart and not for people that only need an order blank
> for half a dozen items. I've steered a lot of people away from
> it that lack system abilities and/or have poor infrastructures.
>
> However, Minivend is very powerful. Ultimately, you can do
> pretty much anything with it. Better might be what, OpenMarket?
> If part of your business as an ISP is online commerce, minivend
> is a good option; if you are a merchant running a single store,
> it might be overkill. IMCO minivend is better suited to ISP
> than individual.
If you are only ever going to set up one site, minivend isn't a good solution. Also, it works much better if the site isn't run by committee. If you're looking for something to specialize in, minivend is a good choice. But for a quick one-off virtual store, you can find solutions that cost tens of dollars/month. Unless you have zero money and lots of time, you're better off investing a little money in an easier solution.
I'm not denying that minivend is powerful. And it's macho to be able to make minivend work. Because of its power (and complexity) it would take you less time to do any remotely simple site from scratch.
Further affiant sayeth not.
--
J-Mag Guthrie         /"\  Brokersys
                      \ /
281-580-3358 (voice)   X   Now offering DSL in Houston.
281-586-0628 (fax)    / \  http://www.brokersys.com
Re: Dual port serial card required
On Tue, 22 Aug 2000, Andy Gardner wrote:
> In the past I've helped out a Net Cafe in a small town in Mexico get
> their dial-up going, so the local people don't get fleeced by the
> telco's.
Why the .nz e-mail addy? Isn't it a little far from .mx?
--
J-Mag Guthrie         /"\  Brokersys
WWTD?                 \ /
281-580-3358 (voice)   X   Now offering DSL in Houston.
281-586-0628 (fax)    / \  http://www.brokersys.com
Re: ISP Billing Software
On Mon, 11 Sep 2000, Eric Jennings wrote: > We use a product called Optigold (www.digitalpoint.com). I'm a big > fan of open source software, but as far as functionality and support > goes, you cannot go wrong with this software. A new release is > posted every two weeks, and I believe that a new feature or bug fix > has been added just about every week since its inception several > years ago. If you want a new feature, you post it to the mailing > list, and Shawn Hogan (the author of the software) will respond usu. > immediately, and never later than 24 hours. Rarely does he say no to > features, unless it compromises the functionality of the system. I'm concerned because of my unfamiliarity with Windows. How much Windows do I need to know to make this puppy work? (I really do *not* know Windows). -- J-Mag Guthrie/"\ "Even Microsoft's product managers privately Brokersys\ / concede that this new version, with its 281-580-3358 (voice) Xwarm-and-fuzzy nickname of Windows Me, 281-586-0628 (fax) / \ is not for everyone." -- Dwight Silverman
Re: ISP Billing Software
On Tue, 12 Sep 2000, John Gonzalez/netMDC admin wrote: > On Tue, 12 Sep 2000, J-Mag Guthrie wrote: > > | I'm concerned because of my unfamiliarity with Windows. How much Windows > | do I need to know to make this puppy work? (I really do *not* know > | Windows). > > It should be trivial for you to learn. Let me put it this way, you've > talked to (l)users of an ISP for tech support before, no? If so, you know > how many COMPLETE IDIOTS there are out there using this type of stuff. If > they can do it, surely you can do it. LOL! You have a point... -- J-Mag Guthrie/"\ "Even Microsoft's product managers privately Brokersys\ / concede that this new version, with its 281-580-3358 (voice) Xwarm-and-fuzzy nickname of Windows Me, 281-586-0628 (fax) / \ is not for everyone." -- Dwight Silverman
Free PGP sigs~
Hello, Are there any free pgp servers out there? That brings up another question: is there a debian package that I could install and run my own PGP? Sincerely, Daniel J. Rychlik " Money does not make the world go round , Gravity does ."
Apache and Front Page extensions
Hello, Is there a debian package for frontpage extensions for apache? Sincerely, Daniel J. Rychlik " Money does not make the world go round , Gravity does ."
RE: Logrotate weekly prerotate everyday?
At least yours runs. I finally gave up and wrote a perl script to rotate mine. ugh

Sincerely, Daniel J. Rychlik " Money does not make the world go round , Gravity does ."

-Original Message-
From: Ward Willats [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 03, 2002 11:14 AM
To: debian-isp@lists.debian.org
Subject: Logrotate weekly prerotate everyday?

Hello Folks:

I call a local script from...

/etc/logrotate.d/apache

...in Debian 3.0 to run Analog reports. It is supposed to run once a week, but it runs every day:

/var/log/apache/*.log {
    weekly
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    create 640 root adm
    sharedscripts
    postrotate
        /etc/init.d/apache reload > /dev/null
    endscript
    # -- added by ward 28Jul02
    prerotate
        /etc/run_weekly_analog_reports.sh
    endscript
    # -- end ward
}

My tiny mind thinks a "prerotate" block should only be executed "weekly" once it has been decided to perform a rotation. Not every time cron/logrotate peeks into this "apache" file. What am I missing?

(I have fixed the problem by checking the day of the week in my local reporting script, but I'd still like to understand my disconnect with Perfect Understanding of the One True Way(tm).)

Thanks, -- Ward
Kuvert Application Problem
Hello, I have recently installed the kuvert application from debian. I'm running Debian testing on a 2.4 kernel. When I run the kuvert application from command line, I get this error - Sh: /tmp/kuvert.0.26244/subprocess: No such file or directory Cant clean /tmp/kuvert.0.26244: cant opedir/tmpkuver.0.26244: No such file or directory. Any Ideas? Sincerely, Daniel J. Rychlik " Money does not make the world go round , Gravity does ."
Re: lilo on /dev/hdb to work as /dev/hda
On Tue, 6 Aug 2002, Jeremy C. Reed wrote: > Again, it seems like the bios= option is not relevant, because it really > will be /dev/hda. This is a shot in the dark, but could you use the bios option to install lilo onto that drive. Then use a boot disk to boot off of it. Once it's up, you could then change the bios option back to 0x80, and rerun lilo, and should be all set. I think I did something similar once, and it worked for me. -- Kevin
Email Virus Scanner
Gentlemen, I am wanting to setup a good virus scanner for exim. I tried out mailscanner, but it bombs with an error. I tried to fix the error, but I got frustrated. I would like to use mailscanner or even the sanitizer. Do you guys have any suggestions or even a preference over one or the other? Sincerely, Daniel J. Rychlik " Money does not make the world go round , Gravity does ."
Mail relay attempts
H=mail.sopovico.pt (eircom.net) [194.38.132.105]
2002-08-26 19:36:16 refused relay (host) to <[EMAIL PROTECTED]> from <[EMAIL PROTECTED]> H=mail.sopovico.pt (eircom.net) [194.38.132.105]
2002-08-26 19:36:16 refused relay (host) to <[EMAIL PROTECTED]> from <[EMAIL PROTECTED]> H=mail.sopovico.pt (eircom.net) [194.38.132.105]
2002-08-26 19:36:16 refused relay (host) to <[EMAIL PROTECTED]> from <[EMAIL PROTECTED]> H=mail.sopovico.pt (eircom.net) [194.38.132.105]
2002-08-26 19:36:16 refused relay (host) to <[EMAIL PROTECTED]> from <[EMAIL PROTECTED]> H=mail.sopovico.pt (eircom.net) [194.38.132.105]
2002-08-26 19:36:16 refused relay (host) to <[EMAIL PROTECTED]> from <[EMAIL PROTECTED]> H=mail.sopovico.pt (eircom.net) [194.38.132.105]
2002-08-26 19:36:16 refused relay (host) to <[EMAIL PROTECTED]> from <[EMAIL PROTECTED]> H=mail.sopovico.pt (eircom.net) [194.38.132.105]
2002-08-26 19:36:24 refused relay (host) to <[EMAIL PROTECTED]> from <[EMAIL PROTECTED]> H=mail.sopovico.pt (eircom.net) [194.38.132.105]
2002-08-26 19:36:25 refused relay (host) to <[EMAIL PROTECTED]> from <[EMAIL PROTECTED]> H=mail.sopovico.pt (eircom.net) [194.38.132.105]

Sincerely, Daniel J. Rychlik " Money does not make the world go round , Gravity does ."
Re: DNS servers
Craig Sanders writes:
> nobody with more than a handful of domains is going to throw everything
> away and convert to a new nameserver program

Five of the top ten domain-hosting companies on the Internet---including Namezero, the largest---have switched to djbdns (tinydns) to publish their domains.

> that they know nothing about...and haven't been able to test
> adequately because it can't (won't!) read their hundreds or
> thousands of existing zone files.

djbdns can simply transfer the zones from BIND. The upgrade instructions explain this in detail:

   http://cr.yp.to/djbdns/run-cache-bind-1.html
   http://cr.yp.to/djbdns/run-server-bind.html

You say that you want ``native support'' for BIND's configuration files and zone files, not just a zone importer. Could you please explain what advantage this ``native support'' would have? If the BIND file formats are so wonderful, why does the BIND company keep changing them?

I have a comparison table at http://cr.yp.to/djbdns/blurb/easeofuse.html showing that all sorts of operations are easier with djbdns than with BIND. Have you actually tried using the djbdns configuration mechanism? What specific operations did you find easier with BIND?

> plain-text config files like everyone/everything else rather than
> magic filenames inside a hard-coded directory tree

Let's try a concrete example. With djbdns, to authorize clients with IP address 10.*, you touch /service/dnscache/root/ip/10. With BIND, you edit named.conf and add something to the allow-query line.

The obvious point is that djbdns makes the configuration change easier for people than BIND does. The more subtle, and more important, point is that djbdns makes the configuration change much easier for _programs_ than BIND does. If someone wants to write a tool providing another configuration UI, he'll have a much easier time with djbdns than with BIND, because the file formats are much simpler. Everyone benefits.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
Re: DNS servers
Craig Sanders writes:
[ http://cr.yp.to/djbdns/blurb/easeofuse.html ]
> almost every bind solution ends with "Look for errors in your system's
> logs." but not one of the djbdns solutions does the same

What you fail to realize is that djbdns puts the errors on your screen, in response to the command you just typed, right before the next prompt. That's why the extra step of looking at logs is unnecessary for djbdns.

[ zone files ]
> i have scripts and procedures in place to manage them.

Ah. Did it ever occur to you to mention this site-specific issue before you made broad comments about the usability of djbdns? Did it ever occur to you to ask for scripts that do the same thing with djbdns? What do your scripts actually do?

> i can't see why it's so difficult to provide native support for
> bind zonefiles.

Because those files are in an unstable, horribly complicated format. Crude parsing is easy, but reliable parsing is extremely difficult.

> 3. bind zonefiles are human readable. tinydns-data zonefiles are not.

Let's try a simple example. I find

   =bear.heaven.af.mil:1.2.3.6
   @heaven.af.mil:1.2.3.4

much easier to read than

   bear.heaven.af.mil. 86400 IN A 1.2.3.6
   6.3.2.1.in-addr.arpa. 86400 IN PTR bear.heaven.af.mil
   heaven.af.mil. 86400 IN MX mx.heaven.af.mil
   mx.heaven.af.mil. 86400 IN A 1.2.3.4

and much less error-prone. Don't you?

> > Let's try a concrete example. With djbdns, to authorize clients with
> > IP address 10.*, you touch /service/dnscache/root/ip/10. With BIND,
> > you edit named.conf and add something to the allow-query line.
> yes. a good example of something that you believe is easier but isn't.

You ask how to add notes: vi ip/10. You ask how to comment out entries: mkdir ipbak; mv ip/10 ipbak. And so on.

But the more important point, again, is that the clean file format in djbdns allows easy development of tools providing other user interfaces. For example, a trivial script can combine the ip directory entries into a file that looks like

   10 # local network
   #192.168 # not using this any more

for you to edit, after which it revises the directory accordingly. It can support address ranges, or some fancy GUI, or automatic interaction with other tools.

You assert that the djbdns configuration isn't ``any easier'' for programs to parse than the BIND configuration. That's ludicrous.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
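[Added example, not part of the original message and not djbdns code: one way to write the listing tool described in the two messages above, for the ip and ipbak directories they mention. The function names are hypothetical, and client_allowed only models an octet-prefix lookup by file existence; entry names are validated so that an edited listing cannot name paths outside the directories.]

```python
import os
import re

# An access entry is one to four dotted decimal octets: "10", "192.168", "1.2.3.4".
_ENTRY = re.compile(r"\d{1,3}(\.\d{1,3}){0,3}")


def valid_entry(name):
    """Reject anything that is not an octet prefix (also blocks '../' in edited files)."""
    return bool(_ENTRY.fullmatch(name)) and all(int(o) <= 255 for o in name.split("."))


def export_acl(ip_dir, bak_dir):
    """Render live (ip_dir) and parked (bak_dir) entries as one editable listing."""
    lines = []
    for directory, marker in ((ip_dir, ""), (bak_dir, "#")):
        if not os.path.isdir(directory):
            continue
        for name in sorted(filter(valid_entry, os.listdir(directory))):
            with open(os.path.join(directory, name)) as fh:
                note = " ".join(fh.read().split())  # the file body holds the note
            lines.append(marker + name + (" # " + note if note else ""))
    return "".join(line + "\n" for line in lines)


def parse_acl(text):
    """Map entry -> (enabled, note); raises ValueError before anything is changed."""
    wanted = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        entry, _, note = line.lstrip("#").partition("#")
        entry, note = entry.strip(), note.strip()
        if not valid_entry(entry):
            if enabled:
                raise ValueError("not an address prefix: %r" % entry)
            continue  # a commented line that is not an entry is a free comment
        wanted[entry] = (enabled, note)
    return wanted


def apply_acl(text, ip_dir, bak_dir):
    """Revise both directories so that they match the edited listing."""
    wanted = parse_acl(text)  # validate everything first
    os.makedirs(ip_dir, exist_ok=True)
    os.makedirs(bak_dir, exist_ok=True)
    for directory in (ip_dir, bak_dir):  # drop entries deleted from the listing
        for name in os.listdir(directory):
            if valid_entry(name) and name not in wanted:
                os.unlink(os.path.join(directory, name))
    for name, (enabled, note) in wanted.items():
        live, parked = (ip_dir, bak_dir) if enabled else (bak_dir, ip_dir)
        stale = os.path.join(parked, name)
        if os.path.exists(stale):
            os.unlink(stale)
        with open(os.path.join(live, name), "w") as fh:
            fh.write(note + "\n" if note else "")


def client_allowed(ip, ip_dir):
    """Model of the lookup: a.b.c.d, then a.b.c, a.b, a; allowed if any file exists."""
    if not valid_entry(ip) or ip.count(".") != 3:
        return False
    parts = ip.split(".")
    while parts:
        if os.path.exists(os.path.join(ip_dir, ".".join(parts))):
            return True
        parts.pop()
    return False
```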
Re: DNS servers
The ``DNS and BIND'' book repeatedly tells people to check their logs. Page 313 (3rd edition): ``Unless you [happen to see erroneous output or] scan your syslog file assiduously, you might never notice the syntax error!'' Page 80: ``Check the syslog file for error messages.''

So I put ``Look for errors in your system's logs'' into my BIND table. Craig Sanders goes ballistic: he says this is ``self-serving propaganda peppered with prejudicial language that attempts to make trivial operations seem difficult or prone to error.''

Even if I didn't have previous experience with Sanders, I'd find it difficult to take his comments seriously after that.

Meanwhile, Sanders says that the BIND zone-file syntax

   bear.heaven.af.mil. 86400 IN A 1.2.3.6
   6.3.2.1.in-addr.arpa. 86400 IN PTR bear.heaven.af.mil

is ``human readable'' while the tinydns data syntax

   =bear.heaven.af.mil:1.2.3.6

is ``not human readable.'' Even worse, when he first says this, he doesn't give any examples---he makes it sound as if the tinydns format is some insanely complicated format that can't be edited by hand.

When I give an example, Sanders goes ballistic again: ``You assume that your way is so much better than any other way that you refuse to see alternate viewpoints... if you were right that would be tolerable, but in inherently subjective matters like this one you're not right.''

This outburst comes from someone who baldly claimed that the tinydns data syntax is ``not human readable.'' Wow.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
Vacation ---- auto-reply
The vacation program which I use on our Campus Email server does not do this. Too bad more don't use it.

From the 'vacation' man page:

   No message will be sent unless login (or an alias supplied using the -a option) is part of either the ``To:'' or ``Cc:'' headers of the mail. No messages from ``???-REQUEST'', ``Postmaster'', ``UUCP'', ``MAILER'', or ``MAILER-DAEMON'' will be replied to (where these strings are case insensitive) nor is a notification sent if a ``Precedence: bulk'', ``Precedence: list'' or ``Precedence: junk'' line is included in the mail headers.

   The people who have sent you messages are maintained as a db(3) database in the file .vacation.db in your home directory.

I have the vacation program working for our Campus Mailserver.

>I'm sorry about all the trouble with the auto-reply that everyone is
>getting, I am disabling this users account now. Again I apologise for
>the hassle.

-- *Theodore Knab *Washington College *Maryland, USA * ---
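[Added example, not part of the original message and not the vacation program's source: the suppression rules quoted from the man page above, written as a single check and run over constructed messages. The login "jdoe", the example.org/example.edu addresses and the function names are assumptions; the From: header stands in for the envelope sender, and the .vacation.db file is modelled as an in-memory set with no reply interval.]

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

JUNK_LOCAL_PARTS = {"postmaster", "uucp", "mailer", "mailer-daemon"}
JUNK_PRECEDENCE = {"bulk", "list", "junk"}


def should_reply(raw, login, aliases=(), replied_to=None):
    """Return (send_reply, reason) for one raw RFC 822 message."""
    replied_to = set() if replied_to is None else replied_to
    msg = message_from_string(raw)

    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender:
        return False, "no sender address"
    local = sender.split("@", 1)[0]
    # Rule: never answer role or robot senders (case insensitive).
    if local in JUNK_LOCAL_PARTS or local.endswith("-request"):
        return False, "automated sender"

    # Rule: never answer bulk, list or junk mail.
    precedence = msg.get("Precedence", "").strip().lower()
    if precedence in JUNK_PRECEDENCE:
        return False, "precedence " + precedence

    # Rule: the login (or an alias) must appear in To: or Cc:.
    mine = {login.lower()} | {a.lower() for a in aliases}
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if not any(addr.split("@", 1)[0].lower() in mine for _, addr in recipients):
        return False, "not addressed to user"

    # Rule: remember who has already been answered.
    if sender in replied_to:
        return False, "already replied"
    replied_to.add(sender)
    return True, "reply"


def sample(sender, to, extra_headers=""):
    """Build a constructed test message."""
    return "From: %s\nTo: %s\n%sSubject: test\n\nbody\n" % (sender, to, extra_headers)


def run_samples():
    """Evaluate constructed messages in order, sharing one reply database."""
    db = set()
    cases = [
        sample("alice@example.org", "debian-isp@lists.debian.org", "Precedence: bulk\n"),
        sample("alice@example.org", "debian-isp@lists.debian.org"),
        sample("alice@example.org", "jdoe@example.edu"),
        sample("alice@example.org", "jdoe@example.edu"),
        sample("MAILER-DAEMON@example.org", "jdoe@example.edu"),
        sample("debian-isp-REQUEST@lists.debian.org", "jdoe@example.edu"),
    ]
    return [should_reply(raw, "jdoe", replied_to=db) for raw in cases]


if __name__ == "__main__":
    for decision in run_samples():
        print(decision)
```

A list post is rejected twice over: by its Precedence header when the list software sets one, and otherwise because the user's login is not in To: or Cc:.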
[support@backup.hmdc.harvard.edu: [hmdc.harvard.edu #4073] FYI: mon]
Some of you might find this one interesting. In a world where IT security sometimes means keeping services out of sight, both Harvard and MIT advertise everything they have up and running. If I was a cracker running a DOS, I could use this information to monitor the machines I knocked off the network. Additionally, this list has all of the servers that both MIT and Harvard monitor in their data center.

The monitoring program being used is called mon. I use it and was digging for info on the cgi interface that displays server info.

So, I thought I would warn them with this message:

-

FYI: A google search on mon brings up your cgi interface for mon.

http://www.google.com/search?q=mon+dns&hl=en&lr=&ie=UTF-8&oe=UTF-8&start=10&sa=N
[see second page link line six]

Your mon program is accessible by the world. With a current world wide population of 6.3 billion you are inviting an attack.

http://www.populationmedia.org/

Please lock down access to the following host:
http://mon.hmdc.harvard.edu/mon.cgi?command=query_opstatus_full

Here is the reply:

- Forwarded message from Matthew Cox via RT <[EMAIL PROTECTED]> -

X-RT-Loop-Prevention: hmdc.harvard.edu
Subject: [hmdc.harvard.edu #4073] FYI: mon
Managed-BY: Request Tracker 2.0.13 (http://www.fsck.com/projects/rt/)
From: Matthew Cox via RT <[EMAIL PROTECTED]>
RT-Ticket: hmdc.harvard.edu #4073
Reply-To: [EMAIL PROTECTED]
RT-Originator: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

> Your mon program is accessible by the world.

We do intend for it to be publicly available. It allows us to give in depth status to our various patrons.

> With a current world wide population of 6.3 billion you are inviting
> an attack.

There is no information on that page that couldn't be garnered with a quick NMAP scan.

Thank you for your concern.

Matt

-- Matthew P. Cox Senior Systems Administrator / Systems Programmer Harvard-MIT Data Center

- End forwarded message -

Ted Knab Chester, Maryland
Re: Woody with Intel S875WP1-E board?
What kernel is Red Hat Linux 8.0 using? Seeing you are simply trying to get a board to work, this is more of a kernel issue than a distribution issue. If you were using something evil like Cold Fusion, it might be a distribution issue. Of course, all distribution issues can be worked around with symbolic links and the proper libraries.

If the Linux kernel supports the hardware, it really does not matter which Linux distro you use.

>Anyone ever tried the Intel S875/S845 main-boards
>with Woody? They come with one (two for the 845)
>Intel PRO100+ and one Intel PRO1000 XT interface (for the
>875) onboard which I find pretty tempting.
>According to Intel they are "Red Hat* Linux 8.0"
>compatible... The 875 chipset is a 82547EI, the 845's a 82550PM.
>http://www.intel.com/design/servers/s875wp1-e/
>http://www.intel.com/design/servers/buildingblocks/s845wd1-

--- *Theodore Knab *Washington College *Maryland, USA --- perl -ne'chomp;$a.=pack"h*",$_;END{print"\n$a\n\n"}'<
Re: a new network and a newbie admin
>Hello, I have just been nominated in charge for the network inside the student block
>I live in.
>My problem is the server that I will have to order, as the network is not made yet.

Good for you. Please wrap lines at 80 characters in the future.

>What would you recommend as proxy software?

Try this, there are many:

   apt-cache search proxy

I think squid is the most popular piece of proxy software, I am not sure why.

>I want to give access only to PCs that are registered in a way.
>How should I do that? DHCP + arp for IPs and permit only registered addresses (IP -MAC pair is registered) ?

Maybe radius, or you could setup 2 networks on your switch: one non-routable [firewalled net], one [routable net]. Some server in between would have to give permission and act as a gatekeeper.

>My questions are : what should I do to ensure that each computer in the lan will
>communicate
>at a very good transfer rate with other lan PCs and have a good
>transfer rate for browsing the internet?

What is a good transfer rate? What are you doing to prevent your transfer rate from becoming bad only when it is in use?

> The network will have about 130 computers (will not function all at the same time)
>that will be connected as in the following figure:
>[ASCII diagram, layout lost in extraction: S linked to the ISP, with groups of PCs (p) hanging below it]
>each p is a pc, the S is the server

Have you thought of bandwidth management? You might have to use bandwidth management if you want consistent good transfer rates.

You are creating a lot of work for yourself. You might want to break the problem down to phases so you don't get overwhelmed.

1. Phase 1 - Get every thing up and working [with no users]
   a. dhcp server
   b. router/firewall
   c. everything connected
2. Phase 2 - Drop in a Proxy Server maybe squid [still w/ no users]
   add proxy to firewall or drop in separate machine between firewall and internal net
3. Phase 3 - Drop in a bandwidth shaper and test.
   I do this with a bridge using FreeBSD. I am not sure you can do this with Linux. You should be able to add bw shaping to your router/firewall.
4. Phase 4 - Setup a system for tracking network connections
   radius like server
   I am not sure how to do this. I haven't done it yet.
   apt-cache search radius

-- --- *Theodore Knab *Washington College *Maryland, USA --- perl -ne'chomp;$a.=pack"h*",$_;END{print"\n$a\n\n"}'<
Re: bind9 vs tinydns vs others
Bind 9 is a total revamp of Bind 8. Bind8 had a bunch of security holes in it, so tinyDNS and the others came about. Bind9 was a rewrite from scratch with security as a goal. Bind9 is good for all types of general DNS stuff. Tiny-DNS is probably good for some applications, however you are going to find more documentation on Bind than anything else. http://www.nominum.com/getOpenSourceResource.php?id=6 On 02/12/03 16:46 +0100, David Zejda wrote: > what do you prefer for authoritative dns? > experiences/stability...? > i have no verbose bind knowledge yet. > > thanks > David -- --- *Theodore Knab *Washington College *Systems Engineer/ Systems Security Officer *Maryland, USA --- The nameless root " " @washcoll.edu
dsl Verizon.com
I have DSL with verizon.com. It uses a Westel Wirespeed external modem connected to a network card through ethernet. Does anyone know how to configure this on debian? Christopher J. Noyes
Help with Router
I had originally had Debian setup to use pppoe to connect to verizon.net using DSL and it worked. I just setup a small home network using a Linksys DSL/Cable Router; on Windows it works fine, both computers connect, shares work, both can use the internet. I need to know how to configure Debian to connect to the router. As I understand it, what I need to do is disable pppoe, set it up to connect via Ethernet, configure it to do a dhcp lookup to the router for the ip address, though for this machine it should be 196.192.1.100 according to Linksys's documentation, as it is the first machine and in Windows it uses this ip address. Second question: how do you set up to connect to Windows Shares? I guess this is Samba. I have a laptop that is off and on the network that I would like to be able to connect to. Christopher J. Noyes
Re: Any Experience With DSPAM?
On Thu, Jul 22, 2004 at 07:02:22PM -0400, ITC-Hosting wrote: > Hello all, > > With the current discussion of greylisting and SPAM, wondering if anyone > here has implemented or tested DSPAM? Great success, here. I allow training by way of forwarding messages (with SMTP AUTH, of course), as well as IMAP folders which are scanned every hour (allowing bulk training). I began with Spamassassin, moved to Spambayes, and am utterly amazed at how accurate and self-maintaining DSPAM is proving to be. I have yet to look into the default user/group stuff, but it looks very promising. Currently DSPAM is used by about 100 clients, with a very diverse range of mail traffic. I am still working on trimming the database down a bit (it is almost 1 GB in MySQL), but it has only been running for about a month now--I read it will decrease in size as time moves on. -- Adam Henry <[EMAIL PROTECTED]> Marinar Communications phn:[440.354.1458] fax:[440.639.1987] gpg:[0x3A4553E3]
Re: Limiting User Commands
On Sunday, 07 November 2004 18:14, [EMAIL PROTECTED] wrote: > You just need to add group(access) to that system accounts that you > want or that you think that they'll break in unexpected places... > Don't you think? Why not do this the other way around--it should be much simpler, and only affects users you specifically touch: e.g. add users you don't want to run /usr/bin/prog1 to the group "noexecprog1", set the permissions of /usr/bin/prog1 to 705 and make the owner:group root:noexecprog1. Now anyone in the group noexecprog1 can't read or execute the program, but anyone else can. -- Wesley J. Landaker <[EMAIL PROTECTED]> OpenPGP FP: 4135 2A3B 4726 ACC5 9094 0097 F0A9 8A4C 4CD6 E3D2
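[Added example, not part of the original message: a model of the standard Unix permission check, showing how mode 705 with owner:group root:noexecprog1 gives the result described above. The first matching class (owner, then group, then other) decides and later classes are never consulted. The account names, uid/gid numbers and function names are constructed for illustration; the model goes slightly beyond the message by covering read access and root, and it ignores ACLs.]

```python
def allowed(mode, file_uid, file_gid, uid, gids, want):
    """Classic Unix check for one access type: want is 'r', 'w' or 'x'.

    gids must hold the process's primary and supplementary groups.
    """
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == 0:
        # root bypasses read/write checks; execute needs some x bit set
        return want != "x" or bool(mode & 0o111)
    if uid == file_uid:
        triplet = (mode >> 6) & 7   # owner class decides
    elif file_gid in gids:
        triplet = (mode >> 3) & 7   # group class decides, "other" is never reached
    else:
        triplet = mode & 7          # everyone else
    return bool(triplet & bit)


# Constructed accounts: name -> (uid, set of gids). gid 5000 plays "noexecprog1".
NOEXEC_GID = 5000
ACCOUNTS = {
    "root": (0, {0}),
    "alice": (1000, {1000}),               # ordinary user
    "bob": (1001, {1001, NOEXEC_GID}),     # user placed in the deny group
}


def audit(mode, file_uid, file_gid, accounts=ACCOUNTS):
    """Who may execute a file with this mode and ownership?"""
    return {
        name: allowed(mode, file_uid, file_gid, uid, gids, "x")
        for name, (uid, gids) in accounts.items()
    }


if __name__ == "__main__":
    # /usr/bin/prog1 as root:noexecprog1 with mode 705, then with the usual 755
    print("705:", audit(0o705, 0, NOEXEC_GID))
    print("755:", audit(0o755, 0, NOEXEC_GID))
```

Group membership is read when a session starts, so a user added to the group is only restricted in sessions started afterwards.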
customer portal solutions
I'm searching for boxed solutions that would allow webpage users the ability to maintain their own content beneath a main parent webpage. I intend it to be in the same spirit of myYahoo--users can log in and choose what content they wish displayed from a list of predefined sources or bookmarklets. An off-the-shelf boxed solution isn't a requirement, but it would be nice to launch such a site as soon as possible. The open source project that sticks out the most is Plone, but I am still determining if it will fit my goal. A thread on this list back in 2002 with the subject, "Software for www portal management", offered a nice list of project names. However, I thought it might be time for an updated list, and to gather other user/admin ideas. Would anyone mind sharing their experiences with such a project? --hank
Re: Bind zonefile checker
Hey, Paul. There sure is. I use Linuxconf to help setup my bind. Linuxconf is the same configuration tool used for RedHat. Just use "apt-get linuxconf" to install it. After it is installed, just use "dnsconf" to setup bind. "linuxconf" is the main Linux conf screen, which can help configure your Linux system. As a former Redhat user, I am liking this utility. It does make some configurations (such as sendmail and wuftp) less frightening for me. ** Derek J Witt ** * Email: mailto:[EMAIL PROTECTED] * * Home Page: http://www.flinthills.com/~djw/ * *** "...and on the eighth day, God met Bill Gates." - Unknown ** On Wed, 23 Feb 2000, Paul van Empelen wrote: > Hi All, > > Can anyone in this list recommend a good syntax checker for > zonefiles? Or even better: A management tool for BIND? > > Preferrably in Perl or Shell... > > Thanks for the answers, > > Paul.
Re: Limiting User Commands
On Sunday, 07 November 2004 18:14, [EMAIL PROTECTED] wrote: > You just need to add group(access) to that system accounts that you > want or that you think that they'll break in unexpected places... > Don't you think? Why not do this the other way around; it's much simpler: e.g. add users you don't want to run /usr/bin/prog1 to the group "noexecprog1", set the permissions of /usr/bin/prog1 to 705 and make the owner:group root:noexecprog1. Now anyone in group noexecprog1 can read/execute /usr/bin/prog1, but anyone else can. Only affects users you specifically touch. -- Wesley J. Landaker <[EMAIL PROTECTED]> OpenPGP FP: 4135 2A3B 4726 ACC5 9094 0097 F0A9 8A4C 4CD6 E3D2
Re: e-commerce
On Sun, 23 Jul 2000, Dariush Pietrzak wrote: > > > a good solution to implement a virtual store? > consider minivend And then find a better alternative. Unless you have more free time than sense stay *away* from minivend. Far, far, away. It is quirky. -- J-Mag Guthrie/"\ Brokersys \ / 281-580-3358 (voice) X Now offering DSL in Houston. 281-586-0628 (fax) / \ http://www.brokersys.com
Re: e-commerce
On Mon, 24 Jul 2000 [EMAIL PROTECTED] wrote: > On Mon, Jul 24, 2000 at 11:08:21AM -0500, J-Mag Guthrie wrote: > > On Sun, 23 Jul 2000, Dariush Pietrzak wrote: > > > > > > > > > a good solution to implement a virtual store? > > > consider minivend > > > > And then find a better alternative. Unless you have more free time than > > sense stay *away* from minivend. Far, far, away. It is quirky. > > > > -- > > J-Mag Guthrie/"\ Brokersys > > \ / > > 281-580-3358 (voice) X Now offering DSL in Houston. > > 281-586-0628 (fax) / \ http://www.brokersys.com > > Can you share with us why? I'll agree Minivend is not for the > faint of heart and not for people that only need an order blank > for half a dozen items. I've steered a lot of people away from > it that lack system abilities and/or have poor infrastructures. > > However, Minivend is very powerful. Ultimately, you can do > pretty much anything with it. Better might be what, OpenMarket? > If part of your business as an ISP is online commerce, minivend > is a good option; if you are a merchant running a single store, > it might be overkill. IMCO minivend is better suited to ISP > than individual. If you are only ever going to set up one site, minivend isn't a good solution. Also, it works much better if the site isn't run by committee. If you're looking for something to specialize in, minivend is a good choice. But for a quick one-off virtual store, you can find solutions that cost tens of dollars/month. Unless you have zero money and lots of time, you're better off investing a little money in an easier solution. I'm not denying that minivend is powerful. And it's macho to be able to make minivend work. Because of its power (and complexity) it would take you less time to do any remotely simple site from scratch. Further affiant sayeth not. -- J-Mag Guthrie/"\ Brokersys \ / 281-580-3358 (voice) X Now offering DSL in Houston. 
281-586-0628 (fax) / \ http://www.brokersys.com -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Dual port serial card required
On Tue, 22 Aug 2000, Andy Gardner wrote: > In the past I've helped out a Net Cafe in a small town in Mexico get > their dial-up going, so the local people don't get fleeced by the > telco's. Why the .nz e-mail addy? Isn't it a little far from .mx? -- J-Mag Guthrie/"\ Brokersys WWTD? \ / 281-580-3358 (voice) X Now offering DSL in Houston. 281-586-0628 (fax) / \ http://www.brokersys.com -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: ISP Billing Software
On Mon, 11 Sep 2000, Eric Jennings wrote: > We use a product called Optigold (www.digitalpoint.com). I'm a big > fan of open source software, but as far as functionality and support > goes, you cannot go wrong with this software. A new release is > posted every two weeks, and I believe that a new feature or bug fix > has been added just about every week since its inception several > years ago. If you want a new feature, you post it to the mailing > list, and Shawn Hogan (the author of the software) will respond usu. > immediately, and never later than 24 hours. Rarely does he say no to > features, unless it compromises the functionality of the system. I'm concerned because of my unfamiliarity with Windows. How much Windows do I need to know to make this puppy work? (I really do *not* know Windows). -- J-Mag Guthrie/"\ "Even Microsoft's product managers privately Brokersys\ / concede that this new version, with its 281-580-3358 (voice) Xwarm-and-fuzzy nickname of Windows Me, 281-586-0628 (fax) / \ is not for everyone." -- Dwight Silverman -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: ISP Billing Software
On Tue, 12 Sep 2000, John Gonzalez/netMDC admin wrote:

> On Tue, 12 Sep 2000, J-Mag Guthrie wrote:
>
> | I'm concerned because of my unfamiliarity with Windows. How much Windows
> | do I need to know to make this puppy work? (I really do *not* know
> | Windows).
>
> It should be trivial for you to learn. Let me put it this way, you've
> talked to (l)users of an ISP for tech support before, no? If so, you know
> how many COMPLETE IDIOTS there are out there using this type of stuff. If
> they can do it, surely you can do it.

LOL! You have a point...

--
J-Mag Guthrie        /"\  "Even Microsoft's product managers privately
Brokersys            \ /   concede that this new version, with its
281-580-3358 (voice)  X    warm-and-fuzzy nickname of Windows Me,
281-586-0628 (fax)   / \   is not for everyone." -- Dwight Silverman
Re: nat
On Fri, 6 Oct 2000, Kevin wrote:

>
> I was wondering if anyone can tell me what sort of problems I would have
> if I assigned internal ips to our customers and used ipmasq.
> Basically I don't want to do this, but I need some sort of firepower
> to persuade my boss that he doesn't want it either. Any
> info/link/short coming of age stories would be greatly appreciated.

ICQ absolutely hates it. This was all I needed to convince one client.

--
J-Mag Guthrie        /"\  "Even Microsoft's product managers privately
Brokersys            \ /   concede that this new version, with its
281-580-3358 (voice)  X    warm-and-fuzzy nickname of Windows Me,
281-586-0628 (fax)   / \   is not for everyone." -- Dwight Silverman
Re: Diskless terminals...
On Thu, 9 Nov 2000, Averne wrote:

> How to configure diskless PC with BOOT ROM to start Debian from
> network? Please send me config files of working configurations.

No, please send to the list. I have a friend who's working on a diskless workstation application.

--
J-Mag Guthrie        /"\  "Even Microsoft's product managers privately
Brokersys            \ /   concede that this new version, with its
281-580-3358 (voice)  X    warm-and-fuzzy nickname of Windows Me,
281-586-0628 (fax)   / \   is not for everyone." -- Dwight Silverman
Re: IDE DAT Drive?
On Thu, 23 Nov 2000, Robert Davies wrote:

> > From: "Russell Coker" <[EMAIL PROTECTED]>
> > To: "Peter Billson" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > Sent: Wednesday, November 22, 2000 3:03 PM
> > Subject: Re: IDE DAT Drive?
> >
> > > On 2000-11-22 11:44, Peter Billson wrote:
> > >Can anyone offer any info about IDE DAT Backup tape drives for use under
> > >Debian? The How-tos all talk about floppy drives and I am not sure if
> > >some/all/none of these drives are supported.
> >
> > DAT isn't what I would choose to use for backups. DAT isn't known for
> > long-term reliability.
> Tape still has lowest cost per gigabyte. Earlier this year the
> Onstream IDE drives with 30GB capacity were the most cost effective,
> and having used ADR-50's from Onstream, they appear to be much more
> robust than DAT or DDT technology. Time will tell, the mechanisms
> are simpler so there should be a lower MTBF. The IDE versions are
> supported by the kernel since 2.2.16, patches were available before
> then, and tend to be faster and more robust than DAT technology which
> is based on consumer audio recording. Consumer grade components are
> cheap, but tend to fail.

So, what software would one use to drive this? It sounds like the hardware is about right (we're using QIC-80's right now). A real solution involves good software as well as good media.

--
J-Mag Guthrie        /"\  "Even Microsoft's product managers privately
Brokersys            \ /   concede that this new version, with its
281-580-3358 (voice)  X    warm-and-fuzzy nickname of Windows Me,
281-586-0628 (fax)   / \   is not for everyone." -- Dwight Silverman
Re: PGP ???
On Wed, 29 Nov 2000, Debian Ghost wrote:

> Can anyone explain how PGP protects email in transit? Or what PGP actually
> is good for? I've never used PGP, but I always see the PGP key and wonder
> why there is a PGP key if the email can be read at any rate...

The description of "digital signature" is very appropriate. It doesn't hide the contents of the e-mail, but what it does do is give a means for the recipient to ensure that the e-mail is from the person it purports to be from and was not altered in transit by a third party.

--
J-Mag Guthrie        /"\  "Even Microsoft's product managers privately
Brokersys            \ /   concede that this new version, with its
281-580-3358 (voice)  X    warm-and-fuzzy nickname of Windows Me,
281-586-0628 (fax)   / \   is not for everyone." -- Dwight Silverman
Virtual Domains & LDAP
Hey guys,

I'm fairly new to the LDAP game. I've read the list archives a bit, and found a lot of good info. One thing that is still eluding me is the directory structure itself.

I am trying to set up LDAP as my backend for several services: SMTP (Postfix), IMAP/POP (Cyrus + pw_check patch), FTP (ProFTPd + mod_ldap), and HTTP (Apache + PHP + LDAP + mod_auth_ldap). I obviously would like to host more than one domain. (I know this could be accomplished with ISPMan, but I'm trying to learn how to use the technology itself).

What would be the best structure for this? I was thinking something like:

o = my_organization
  -- domain1
  -- domain2
  -- domainN
  -- Admins
     -- LDAP Admin
  -- Users

I figured lumping all the users together would make it easier for searches, since there would only be one base. However, I was also thinking of something like this:

o = my_organization
  -- domain1
     -- Users
  -- domain2
     -- Users
  -- domainN
     -- Users
  -- Admins
     -- LDAP Admin

With this system, I figured each domain could be within its own namespace, and I like this approach better, due to the more natural organization of things. However, being split up like that, I would think searches would be agonizingly slow.

Anyone out there do something similar? Please share any insight (structures, sample LDIF, config files, etc.)

Thanks a lot.

--
Kevin
Re[2]: CGI Errors
Hey Marcel,

print "Content-Type: text/html\n\n";

is the one you want.

--
Kevin
Re[4]: Virtual Domains & LDAP
Hey Russell,

Wednesday, June 13, 2001, 8:21:36 AM, you wrote:

RC> Firstly I've replied to this with the list CC'd as I think that other
RC> people are likely to benefit from the answers and it seems that there is
RC> nothing secret being discussed. I hope you don't mind.

No problem. I was just trying to cut down on the list traffic.

RC> The OpenLDAP server uses some sort of hash, it uses the GNU DBM library or
RC> equivalent libraries for indexing each attribute separately.

Nifty.

RC> Other LDAP servers may do things differently, but most LDAP servers have
RC> taken code from the University of Michigan LDAP server (which is what
RC> OpenLDAP was based on).

That's okay. I really only care about how OpenLDAP works ;)

RC> @ sign has no inherent problems, but some software might not like it.

This does work with ProFTPd. I tried it out. I have still yet to try it out with either Cyrus IMAPd or Postfix.

RC> Proftpd will do a search of "attribute=$1" where $1 is what the user enters
RC> at the Name: prompt. Then it will read the userPassword attribute of that
RC> entry or bind as that DN depending on how it's configured.

I see this now. Is one method better than the other? The ProFTPd docs say that by binding as the user, different encryption methods could be supported (not a big deal since I just use SSHA per RFC 2307). But is this manner more secure than binding as the LDAP manager to get the userPassword attribute?

>> RC> Searching for "uid=user_company.com" with a search base of
>> RC> "ou=company.com, o=my_org" requires searching through two indexes which
>> RC> isn't as fast. But if the uid attribute has a unique value (which it
>> RC> will have if it is the user-name concatenated with the company name) then
>> RC> you can just search by the attribute value.
>>
>> Ok. This is where I lose you, unless you meant uid=user. And then to

RC> No. I mean making the UID include the company. So within the
RC> "company.com" domain we have an account named "user". This is the only
RC> way to do it with proftpd!

Ok. Sorry for my density. Usually the simplest of things are the hardest for me to understand :-P So what is the account named: "user" or "user_company.com"? And what are these two search indexes? What performance loss would I suffer by setting my search base to just "o=my_org" rather than "ou=company.com, o=my_org"?

>> search within the base of "ou=company.com, o=my_org". Because with the
>> uid=user_company.com, I'm still searching on a single attribute. I
>> would think if anything, it would be quicker, because I would already
>> be searching within the correct ou. If you could elaborate a little
>> more, I would be most gracious. Likewise, I don't have a great
>> understanding of how index eq and index pres, and what have you works.
>> I realize it's pretty LDAP distrib specific, but I don't see much
>> documentation for OpenLDAP in this regards.
>>
>> Btw, sorry you got the cross-post. I've scoured the archives for
>> debian-isp. Has the debian schema files been produced yet? I was
>> looking at using the allowedService attribute you drafted up quickly,
>> to give users access to different services (duh?).

RC> I've produced a few drafts but so far no-one has responded to my requests
RC> for comments on them. So we are all waiting for some input from people
RC> who know about LDAP and schema...

Any chance you could post them here if you haven't done so already? If so, I'll just go search the posts.

>> Also, do you use proftpd by chance? I would like to do virt hosting,

RC> Yes. One of my clients recently paid for enhancements to Proftpd for
RC> better support of this.

I realize you won't be able to share this work, but what sort of enhancements? And how do you manage uids and gids?

>> but I don't feel like killing the IP pool :-P I suppose a
>> user_company.com system would work, but that'd be unnatural to users,

RC> Why? I've worked for two ISPs doing bulk commercial hosting with that
RC> scheme and no problems...

I would just think that people would like to remove the trailing _company.com, and just have user names, with the namespace inferred. I know you don't use the '@' in an email address like system I proposed, but which would you see being better? With my method, the user only has to use his email address and password for auth, which I think would be nice, but I don't know if that would become too ambiguous with "mail" attributes.

>> whereas an email address like naming scheme wouldn't be too bad. But

RC> Not sure if an @ sign will be accepted by proftpd. Never tried it.

It worked for me, in case anyone else was wondering.

>> realistically, should I just follow in the steps of ISPMan, and allow
>> ftp access to one user per domain?

RC> No, that sucks.

That's what I was thinking :-P

Thanks a lot for all the info.

--
Kevin
Re[6]: Virtual Domains & LDAP
Hey Russell,

Wednesday, June 13, 2001, 12:24:42 PM, you wrote:

RC> OK, let us know how it goes.

Will do.

RC> The REAL difference is that if the ProFTPd server can read the userPassword
RC> attribute then anyone who can get access to that configuration for the
RC> server has access to all the passwords. This can be considered a security
RC> problem.

Well, even if you have the user himself bind, you would need an entry with sufficient enough permissions to access any other entry. Are you proposing adding another entry, like a lesser LDAP Admin, that simply doesn't have access to the userPassword attribute of other entries?

RC> If the ProFTPd server binds to the directory then it needs no special
RC> LDAP access, however it has to send the password to the server and this
RC> may be intercepted (I believe that the way it's setup in the standard
RC> Debian packages has it all in clear-text always). This can also be
RC> considered a security problem. :(

Well, wouldn't the password have to be sent over in clear text anyway? That's the nature of FTP without an SSL tunnel. The FTP -> LDAP connection is on a localhost anyway. I wonder if you could configure it to use SSL LDAP. Probably :)

RC> It should not make any noticeable difference where you put your search
RC> base. However I have not done any performance testing. It may make a
RC> small difference but certainly won't make a large difference.

I would imagine this would make a difference with a search scope of one level or something though :-P

RC> I suggest giving the user the DN of "uid=user_company.com,
RC> ou=company.com, o=my_org" and the uid attribute will have the value of
RC> "user_company.com".

Ok. Glad we're on the same page ;)

RC> I'll send my latest work here again soon.

Great. I can't wait.

RC> The work is supposed to have gone into Debian and be shared to save having
RC> the work of independently maintaining it. It appears not to have gone into
RC> Debian yet though.

RC> It is to use LDAP settings to specify which IP addresses are permissible
RC> as source addresses per user. So if you know the IP address of a user
RC> you can prevent access from other IP addresses.

That could be useful ;)

RC> Email address should be fine.

Great. Like I said, I'll have to see how Cyrus IMAP and Postfix like it :-p

RC> But just specifying the user name and having the domain inferred is a bad
RC> idea as you can't have two users with the same account name in different
RC> domains. [EMAIL PROTECTED] has to be different from [EMAIL PROTECTED]!

Well, I was figuring all look ups would have to search for uid=user and domain=company.com. But two searches would probably be slower anyway.

Thanks again for the help/info.

--
Kevin
Re[8]: Virtual Domains & LDAP
Hey Russell,

Wednesday, June 13, 2001, 4:05:22 PM, you wrote:

>> Well, even if you have the user himself bind, you would need an entry
>> with sufficient enough permissions to access any other entry. Are you
>> proposing adding another entry, like a lesser LDAP Admin, that simply
>> doesn't have access to the userPassword attribute of other entries?

RC> I am not sure what you are saying here.

Well, if I understood you correctly, you said that having the LDAP manager retrieve the userPassword attribute, rather than having the user bind himself, was a security issue because if someone were to recover the proftpd.conf file, they would have the password of the LDAP manager. But even if the user binds himself, won't the LDAP manager need to be specified in LDAPDNInfo?

RC> I believe that the usual procedure is to allow a user to have "write"
RC> access to their own userPassword attribute and to have anonymous have
RC> "auth" access. "auth" means that anyone who has the password can bind as
RC> any entry. If the user supplies a password that allows binding to the
RC> entry indicated by their user-name then they are authenticated.

RC> The server MAY need privs to search the directory to find the DN, but
RC> even that may not be necessary depending on the application.

Ok. Maybe I'm incorrect in my previous assertion of needing LDAPDNInfo.

RC> Consider the case of users having the DN
RC> "uid=USER@COMPANY,ou=COMPANY,o=ISP" where "ISP" is the name of the ISP,
RC> "COMPANY" is "wpi.edu", "coker.com.au", "debian.org" or whatever the
RC> domain name is, and "USER" is the user name. If I logged on as
RC> [EMAIL PROTECTED] then the server could know that it should try
RC> binding as "[EMAIL PROTECTED],ou=coker.com.au,o=isp" and therefore
RC> the server wouldn't even need search access!

How would it know the "ou=coker.com, o=isp"? Is that info filled in after the uid is found and the dn retrieved?

>> RC> If the ProFTPd server binds to the directory then it needs no special
>> RC> LDAP access, however it has to send the password to the server and this
>> RC> may be intercepted (I believe that the way it's setup in the standard
>> RC> Debian packages has it all in clear-text always). This can also be
>> RC> considered a security problem. :(
>>
>> Well, wouldn't the password have to be sent over in clear text anyway?
>> That's the nature of FTP without an SSL tunnel. The FTP -> LDAP
>> connection is on a localhost anyway. I wonder if you could configure
>> it to use SSL LDAP. Probably

RC> Proftpd has code to allow SSL LDAP, but it is not enabled in the Debian
RC> package because of license issues. You should be able to change a single
RC> line in a header file and recompile to get it.

What sort of license issues? The whole strong encryption exportation thing?

RC> As for FTP SSL, this can be done, there are already ftpd-ssl and ftp-ssl
RC> packages in Debian. I don't think that proftpd supports that (yet).

I don't think so either, but couldn't proftpd be sent over stunnel or something?

>> RC> It should not make any noticeable difference where you put your search
>> RC> base. However I have not done any performance testing. It may make a
>> RC> small difference but certainly won't make a large difference.
>>
>> I would imagine this would make a difference with a search scope of one
>> level or something though :-P

RC> Last time I looked at the OpenLDAP setup in detail regarding this issue
RC> (which was some time ago) it seemed to have a database of objects to
RC> sub-objects which would make one-level searches quite fast. I have
RC> checked now on my 2.0.11 OpenLDAP installation and it's not there. I had
RC> not intentionally turned that off so I'm not sure what's happened.

Hmm . . .

>> RC> The work is supposed to have gone into Debian and be shared to save having
>> RC> the work of independently maintaining it. It appears not to have gone into
>> RC> Debian yet though.

RC> Incidentally I recommend writing a policy document specifying the above
RC> whenever you do a Linux installation at a corporate site. It's easy to
RC> get staff or consultants to produce custom versions of Debian packages,
RC> but having the skills to keep updating them with every version is beyond
RC> most corporate sites. Things such as minor security enhancements to a
RC> FTP server offer no significant competitive advantage and are best
RC> published so that new versions can just be installed by APT.

Agreed. But would the more proper avenue be to submit security enhancements to the proper software maintainer (in this case, the proftpd team), and see if they'll implement it?

>> RC> But just specifying the user name and having the domain inferred is a bad
>> RC> idea as you can't have two users with the same account name in different
>> RC> domains. [EMAIL PROTECTED] has to be different from [EMAIL PROTECTED]!
>>
>> Well, I was figuring all look ups would have to search for uid=us
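Added example, not code from the thread or from ProFTPd: the two lookups discussed in this exchange, shown side by side. `bind_dn_for` derives the bind DN from an e-mail-style login using the "uid=USER@COMPANY,ou=COMPANY,o=ISP" layout quoted above, so no search access is needed, and `search_filter_for` builds the "attribute=$1" search for the search-then-bind case; both escape the user-supplied text. The hosted-domain list, the `o=isp` suffix and all function names are assumptions made for the illustration.

```python
# Illustration only: stdlib Python, no LDAP connection is made.
# HOSTED_DOMAINS and BASE_SUFFIX are constructed sample values.
HOSTED_DOMAINS = {"company.com", "example.org"}
BASE_SUFFIX = "o=isp"


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    for ch in value:
        if ch in '"+,;<>\\=':
            out.append("\\" + ch)      # structural characters of a DN
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    if out and out[0] in (" ", "#"):   # leading space or '#'
        out[0] = "\\" + out[0]
    if out and out[-1] == " ":         # trailing space
        out[-1] = "\\ "
    return "".join(out)


def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
             "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def split_login(login):
    """Split 'user@domain'; only domains this server hosts are accepted."""
    local, sep, domain = login.rpartition("@")
    domain = domain.lower()
    if not sep or not local or domain not in HOSTED_DOMAINS:
        raise ValueError("unknown or malformed login")
    return local, domain


def is_hosted_login(login):
    """True when the login names a mailbox in a hosted domain."""
    try:
        split_login(login)
        return True
    except ValueError:
        return False


def bind_dn_for(login):
    """DN to bind as, derived from the login alone (no directory search)."""
    local, domain = split_login(login)
    uid = local + "@" + domain
    return "uid=%s,ou=%s,%s" % (escape_dn_value(uid),
                                escape_dn_value(domain), BASE_SUFFIX)


def search_filter_for(login, attribute="uid"):
    """Filter for the search-then-bind variant ("attribute=$1")."""
    return "(%s=%s)" % (attribute, escape_filter_value(login))


if __name__ == "__main__":
    # Constructed sample logins, including ones carrying DN/filter syntax.
    for sample in ("russell@company.com", "a,ou=Admins@company.com"):
        print(sample, "->", bind_dn_for(sample))
    print(search_filter_for("x)(uid=*"))
    print(is_hosted_login("user@elsewhere.test"))
```

With the derived DN the FTP server's configuration holds no privileged directory credential at all; the escaping keeps a login containing commas, equals signs or parentheses from changing which entry is bound or searched.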
disk partition schemes
Hey guys (and gals),

I'm redoing a machine of mine. Was a Mandrake system, but now it's going to be a debian one ;) Basically, I have 20 gigs of space to tinker with (well, there's really 40 there, but I run a hardware RAID 10). I also have half a gig of SDRAM (sure this would matter with swap space). Now, I have no problem running fdisk or anything, but I wanted to get a feel for what people are doing for various types of systems.

This system would be used mostly for web-hosting, so I was figuring a large /home partition. Likewise only one or two kernels max, so I figured a small /boot. And finally, and this is really where I'm looking for help, it will be used as an IMAP/SMTP machine. So, should I create a separate /var partition? I'm hesitant because I don't want to a) not create a large enough partition, or b) create too large of one and waste space. Do the performance gains outweigh this? (I'm not terribly worried about the redundancy with the RAID 10 and all).

I'd really be interested in what you guys think. TIA.

--
Thanks,
Kevin
Re: off site assistance
Hey Allen,

Wednesday, June 20, 2001, 8:27:53 AM, you wrote:

AA> I need at least 640x480 but would like 1024x768 resolution and 30fps.
AA> 4 or 5 fps would do really for this application.
AA> remember this has to be usable for only one screen but that screen gets
AA> connected to many systems during its lifetime.

VNC might do what you need.

--
Kevin
SASL + MD5
Hey guys,

Ok. This is driving me nuts. I created a new deb for the latest Postfix snapshot, with SASL support. No matter how hard I try (download non-us source, fooled around with debian/rules file, etc. etc.), I cannot get CRAM-MD5 or DIGEST-MD5 to show up in the list of available methods when I telnet and issue an EHLO.

Anyone have this working? And please share if you do :)

--
Kevin
Re: Sendmail (Was: your mail)
On Fri, 22 Jun 2001, Craig wrote:

> Ahoy there maties
>
> Was wondering if there is a set of sendmail config files similar to RedHats
> sendmail-cf.rpm in Debian, which I can use with m4 to generate my config
> files.

Yes they are part of the sendmail package. They reside in:

/usr/share/sendmail

Once you have it installed, sendmailconfig is useful, as well as make when in /etc/mail.

HTH

Yours
Tony.

/*
 * "The significant problems we face cannot be solved at the
 * same level of thinking we were at when we created them."
 * --Albert Einstein
 */
Re[2]: disk partition schemes
Hey Russell,

Friday, June 22, 2001, 9:17:12 AM, you wrote:

RC> On Friday 15 June 2001 16:13, Kevin J. Menard, Jr. wrote:
>> This system would be used mostly for web-hosting, so I was figuring
>> a large /home partition. Likewise only one or two kernels max, so I
>> figured a small /boot. And finally, and this is really where I'm

RC> Why do you need a separate partition for /boot? Why not just have it in
RC> the root fs?

Dunno. Figured for disk failure or something.

RC> Problems with booting from partitions >2G were solved ages ago, your root
RC> file system should fit into 8G (although even that limit doesn't apply if
RC> your BIOS is new enough).

Yeap, I don't have this limitation.

>> looking for help, it will be used as an IMAP/SMTP machine. So, should
>> I create a separate /var partition? I'm hesitant because I don't want
>> to a) not create a large enough partition, or b) create too large of

RC> I suggest having your email stored on the same file system as /home.
RC> Then you have all of your customer data on the same file system for easy
RC> backup. Also it saves juggling space.

Would a symlink from /var to /home/var be sufficient?

>> one and waste space. Do the performance gains outweigh this? (I'm not
>> terribly worried about the redundancy with the RAID 10 and all).

RC> What performance gains are you referring to?

Any that might occur from having separate partitions.

So, if you recommend /boot be with / and /var with /home, why not just have / and everything in there? Is this reliable enough? Today's hard drives have come a long way, and with a RAID 10, would I be safe in doing this? Or should I just have a couple gig / and the rest for /home?

Thanks.

--
Kevin
Re[4]: disk partition schemes
Hey Russell,

Friday, June 22, 2001, 11:07:37 AM, you wrote:

RC> What exactly will that save you from? If the root FS gets messed up then
RC> having a separate /boot won't gain you much...

I was thinking the other way around actually. If /boot were to get messed up, it wouldn't affect /.

RC> I suggest creating /home/mail and linking /var/spool/mail to it. However
RC> if you want decent performance for email you want to use Maildir. By
RC> default maildir storage goes into user's home directories which solves
RC> this issue.

Well, I'll be using Cyrus IMAPd. Doesn't use Maildir, but does create separate folders per user. Thus, the spool is really not going to hold data much. However long it takes to rip data off incoming (using postfix) and send it out, or however long to hand it off to lmtpd and let cyrus deliver it.

RC> If you have two partitions on the same physical media (in this case a
RC> RAID-10) then expect to lose performance. If you make it all one large
RC> partition then the file system drivers can optimise things more.

Oh. Guess I didn't quite understand how disk I/O functioned. I figured something like /var, which will have a lot of synchronous writes, would get better performance outside of / or /home.

RC> I recommend having a separate /home to limit the things that can go
RC> wrong. I recommend leaving /var on the root file system unless you need
RC> a lot of space in /var.

Just from a performance point of view or for other reasons?

RC> Also consider a separate file system for
RC> /var/tmp and make /tmp a sym-link to /var/tmp/tmp .

Once again . . . just for stability? security?

>> drives have come a long way, and with a RAID 10, would I be safe in
>> doing this? Or should I just have a couple gig / and the rest for
>> /home?

RC> RAID has no relevance to the issue of partitioning in this sense.

Well, my point here was, with the RAID 10, I already have a pretty good amount of reliability, as if one drive fails, the system can still function. And with disks that are pretty reliable to begin with, I wasn't sure if the combination of all these would merit just one large / fs.

Thanks again.

--
Kevin
Re[6]: disk partition schemes
Hey Russell,

Friday, June 22, 2001, 7:22:41 PM, you wrote:

>> I was thinking the other way around actually. If /boot were to get
>> messed up, it wouldn't affect /.

I guess I'm off here. By getting messed up, I mean more by say a sudden jolt in the power supply (of course, I do have a line conditioning UPS) and mess up the partition table or something.

RC> OK. So you want Cyrus storage on the file system used for user data.

That's the idea. Let's see if I can get it to work :-P

RC> IFF you have separate physical hardware for the different file systems
RC> that will be true. However you only have one physical device (the RAID
RC> device) so this will not be a benefit.

Ahh, ok. Thanks for correcting me here.

RC> Having /home and /tmp on separate devices to / gives some security
RC> benefits by limiting the ability to produce hard links. Hard linking
RC> /etc/passwd or /etc/shadow to a name under /tmp or the user's home
RC> directory has been step 1 of a number of security attacks...

I didn't realize hard links couldn't cross partition boundaries. I tend to just use symlinks anyway.

RC> Having /tmp and /home on separate devices to the root FS limits the
RC> ability of hostile users to perform such attacks.

So I see.

>> RC> Also consider a separate file system for
>> RC> /var/tmp and make /tmp a sym-link to /var/tmp/tmp .
>>
>> Once again . . . just for stability? security?

RC> Security as described above and stability regarding issues of lack of
RC> space and/or Inodes.

Ok.

RC> How will one partition or two partitions affect reliability? Disk
RC> failures tend to be boolean things, if a disk starts dying then all data
RC> seems to rapidly disappear from it. So if you don't have RAID then
RC> having separate partitions is unlikely to save you.

Once again, I guess I was thinking messed up partition tables or something. Perhaps my logic was flawed.

--
Kevin
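Added example, not part of the thread: an audit of the partitioning point made above, that a hard link can only be created within one file system. It reports which sensitive files share a device with user-writable directories, how many names each file already has, and whether the kernel's `fs.protected_hardlinks` restriction (a mitigation on newer Linux kernels) is on. The path lists and function names are assumptions chosen for the illustration.

```python
import os

# Assumed defaults for the illustration; adjust to the host being audited.
SENSITIVE_FILES = ["/etc/passwd", "/etc/shadow"]
WRITABLE_DIRS = ["/tmp", "/var/tmp", "/home"]


def same_filesystem(path_a, path_b):
    """True when both paths live on the same device, i.e. link(2) between
    them would not fail with EXDEV."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev


def hardlink_exposure(sensitive_files, writable_dirs):
    """Return (file, directory, link_count) for every pair on one device.

    A link count above 1 means the file already has another name
    somewhere on that file system and deserves a closer look.
    """
    findings = []
    for path in sensitive_files:
        try:
            file_stat = os.stat(path)
        except OSError:
            continue                  # file absent on this host
        for directory in writable_dirs:
            try:
                dir_stat = os.stat(directory)
            except OSError:
                continue              # directory absent on this host
            if file_stat.st_dev == dir_stat.st_dev:
                findings.append((path, directory, file_stat.st_nlink))
    return findings


def protected_hardlinks():
    """State of the fs.protected_hardlinks sysctl: True, False, or None
    when the kernel does not expose it."""
    try:
        with open("/proc/sys/fs/protected_hardlinks") as handle:
            return handle.read().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    for path, directory, links in hardlink_exposure(SENSITIVE_FILES,
                                                    WRITABLE_DIRS):
        note = " (already has extra links)" if links > 1 else ""
        print("%s shares a file system with %s%s" % (path, directory, note))
    print("fs.protected_hardlinks enabled:", protected_hardlinks())
```

An empty report means the layout already matches the advice in the message: /tmp and /home sit on devices separate from the root file system.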
Re: Virtual Domains Email: How do you do it?
Hey Haim,

Thursday, June 28, 2001, 4:24:06 PM, you wrote:

HD> Hi all,

HD> I need to do email hosting for a large number of domains. My solution
HD> consists in Postfix for the MTA, Cyrus for the LDA and IMP for the MUA.
HD> Emails have to be accessible by POP as well.

HD> After some research, I came to the conclusion that each individual needed
HD> to have an account under Cyrus as a local user. Let me explain. Let's say I
HD> host email for [EMAIL PROTECTED] The string "[EMAIL PROTECTED]" is not a
HD> valid Cyrus username (mailbox in fact but you see my point). A translation
HD> needs to take place.

If you apply Dave Fuchs' patch to make a '.' a valid character (but making '/' an invalid one), then that becomes a valid Cyrus username. Search the Cyrus IMAP mailing list archives for it. He sent it out for 2.0.14 some time last week when I requested it (but I don't have it on me here) :)

--
Kevin
Re[2]: Virtual Domains Email: How do you do it?
Hey Haim,

Thursday, June 28, 2001, 4:42:46 PM, you wrote:

HD> Kevin,

>> If you apply Dave Fuchs' patch to make a '.' a valid character (but making '/'
>> an invalid one), then that becomes a valid Cyrus username. Search the Cyrus
>> IMAP mailing list archives for it. He sent it out for 2.0.14 some time last
>> week when I requested it (but I don't have it on me here) :)

HD> So using that patch makes the "." part of a valid username. What do I do
HD> about the '@' in the email address?

AFAIK, the '@' is already a valid character in the Cyrus mailbox namespace.

"Taken from an email to the cyrus list:

cyrus-imapd-2.0.12 - imap/mboxname.c - line #187:

I believe this is what you're looking for...

#define GOODCHARS " +,-.0123456789:=@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz~"

-David Fuchs"

Technically, the '.' is already a legal character in mailbox names, but it does something funky (I don't recall quite what it is/was), but the patch curbs that behaviour.

HD> Thanks a lot (especially for answering so fast)

Np. I've been doing a lot of research into this lately. You caught me at a good time ;)

Btw, I have to agree with the LDAP recommendation.

--
Kevin
Re[2]: Virtual Domains Email: How do you do it?
Hey Haim,

Thursday, June 28, 2001, 5:16:05 PM, you wrote:

>> HD> So using that patch makes the "." part of a valid username. What do I do
>> HD> about the '@' in the email address?
>>
>> AFAIK, the '@' is already a valid character in the Cyrus mailbox namespace.

HD> Great!
HD> Now I have another question :-)) How do I manage to tell Postfix to treat
HD> "[EMAIL PROTECTED]" as a local username?
HD> What I mean by that is that right now I have translation done at the
HD> virtual table level under Postfix. [EMAIL PROTECTED] becomes something else
HD> (john~example.com let's say). I want to tell Postfix to accept all mails for
HD> [EMAIL PROTECTED] and "relay" them to Cyrus. Since Cyrus will have a
HD> [EMAIL PROTECTED], everything should be good.

I haven't done this all out myself yet, but I have an itching feeling that postfix is gonna strip everything off after the '@', '@' inclusive. I could be wrong though, it may just pass it over the lmtp socket, though I doubt it. So, you'll more than likely still need some sort of transport map. That could all be held in LDAP though, if you were willing to set it up, so the administration of the maps would be quite trivial. Like I said, I haven't done this much yet though.

HD> Please tell me if I am confusing you. I really wonder how I can achieve the
HD> result I want.

Nope, it's exactly what I wanted too :-P

>> Btw, I have to agree with the LDAP recommendation.

HD> P.S. : I agree 100%. I have no experience with LDAP and right now I really
HD> don't have the time. It will come, just not yet.

Too bad. It'd be a very nice addition :)

-- Kevin
postfix + sasl + pam
Hey guys,

Anyone here have all this working together? I apt-get'ed the source for postfix and altered the debian/rules file to add SASL support for SMTP auth. The build went fine, but it apparently always tries to use the sasldb, even though I set up my /usr/lib/sasl/smtpd.conf file to use PAM as the pwcheck_method. Anyone know what gives?

Thanks.

-- Kevin
Re[2]: postfix + sasl + pam
Hey Haim,

Friday, June 29, 2001, 1:13:42 PM, you wrote:

HD> Kevin,
HD> AFAIK, you can use PAM directly from Postfix without having to go through
HD> SASL. The book from R. Blum fails to mention it.
HD> Haim.

Umm . . . how? And still, that doesn't fix this odd behaviour :-/

Btw, I don't have the Blum book, after the not-so-good reviews it got from people on the postfix-users list.

-- Kevin
Debian: PAM LDAP + OpenLDAP 2.x solution
Hey guys,

Sorry for the massive post here, but I asked very similar questions on all these lists. I finally got my problem fixed, and figured I would share my results with each of the lists, in case anyone else asks.

You're all probably gonna laugh when you hear what I did to fix the problem:

"# apt-get source libpam-ldap; cd libpam-ldap-VERSION; debian/rules binary".

Yeap, I recompiled just about everything (postfix, cyrus-sasl, etc. etc.), but I never thought to recompile pam-ldap. My best guess is that the .deb was built from openldap 1.x files.

Thanks to all that helped. I still have a couple kinks to work out, but I'll take those problems to the appropriate lists. Hope this info can help someone in the future.

-- Kevin
Re[2]: help with site+database
Hey Craig,

Thursday, July 19, 2001, 6:55:34 AM, you wrote:

CS> if i was running a news spool or a large Maildir/ spool, i think i'd
CS> stick with reiserfs but this is my workstation, where i have lots of
CS> large files (incl. huge mbox files) so i think i'll be switching to XFS.

But don't you want synchronous writes for your mail spool? I was under the impression that journaling filesystems don't support this (yet?).

-- Kevin
Re: asp visual basic on linux
Hey Matt,

Thursday, July 19, 2001, 4:48:13 PM, you wrote:

MF> Hello,
MF> I have some asp software that is written in visual basic. All I have is
MF> linux machines for servers and I do not want to get a windows machine just to
MF> run this ASP application. Is there a way where I could get this to work on a
MF> apache and debian linux?
MF> I have seen Apache::ASP, but I believe that is just for ASP applications
MF> written in perl.
MF> Ideas suggestions?
MF> Thanks,
MF> Matt

If you got some money to spend, there's chiliASP: http://www.chilisoft.com/chiliasp/linux.asp

-- Kevin
Re: asp visual basic on linux
Hey Matt,

Thursday, July 19, 2001, 4:48:13 PM, you wrote:

MF> Hello,
MF> I have some asp software that is written in visual basic. All I have is
MF> linux machines for servers and I do not want to get a windows machine just to
MF> run this ASP application. Is there a way where I could get this to work on a
MF> apache and debian linux?
MF> I have seen Apache::ASP, but I believe that is just for ASP applications
MF> written in perl.
MF> Ideas suggestions?
MF> Thanks,
MF> Matt

Oh yeah, there's an asp2php script out there somewhere. Check out freshmeat. Don't know how well that works though, never used it before.

-- Kevin
Postfix + Cyrus IMAPd + LDAP
Hey guys,

I've emailed the postfix-users list with this, and really haven't gotten any replies, so I'm hoping someone here might be able to help. I see there's a lot of people good with this kinda stuff (Craig, Russ, and so on) :)

I'm using the Cyrus-IMAPd 2.0.15-HIERSEP release. Reason I mention this is because with this release, it is possible to use a '.' as a valid part of a user name. So, I log into cyradm as an admin from /etc/imapd.conf and "localhost> cm [EMAIL PROTECTED]" (Note, I have no affiliation with WPI other than attending the school. The email admins there are big sendmail buffs. Just doing this as an illustration) and the mailbox "[EMAIL PROTECTED]" is created (in reality, it's "kmenard@wpi^edu", in order to preserve on-disk structure).

Now, I want to set up postfix to query my OpenLDAP 2.0.11 server, and get all the info it needs. I'm using the misc.schema file that comes with openldap, which I believe is based off of http://www.watersprings.org/pub/id/draft-lachman-laser-ldap-mail-routing-02.txt. Most of the postfix docs with ldap, including the LDAP_README, use the "maildrop" and "mailacceptinggeneralid" attributes. I use the "mailLocalAddress" and "mailRoutingAddress" attributes.

So, now my question is, how do I receive mail and then forward it to the mailbox by the same name? I was thinking have a mailLocalAddress: wpi.edu (to notify postfix of the virtual domain) and a mailLocalAddress: [EMAIL PROTECTED] (to notify it of the email address), and then a mailRoutingAddress: [EMAIL PROTECTED]@localhost. Alas, I am running into some difficulties. Is this even possible? Or do I need to change my nomenclature from cyrus mailboxes such as [EMAIL PROTECTED] to something like kmenard.wpi.edu. I've been recommended to do the latter, but I prefer the former, and want to know if it's possible.

As usual, thanks for the help in advance.

PS -- Following recent discussion, would it be recommended to use a ReiserFS for an entire server? In this case, following my thread on partition schemes, a / and a /home partition. Thanks again.

-- Kevin
Re[2]: Postfix + Cyrus IMAPd + LDAP
Hey Haim,

Friday, July 20, 2001, 3:20:27 PM, you wrote:

HD> Hey Kevin,
HD> I have been working on the same exact thing for the past 2 months. The only
HD> thing is I do not use LDAP.
HD> I thought about doing the same exact thing, creating mailboxes named like
HD> the email address. I ran into the same problems. I personally use the
HD> following schema:
HD> [EMAIL PROTECTED] -> username~domain-com

I've opted to do username.domain.com using the HIERSEP distribution.

HD> In the postfix virtual table I put
HD> domain.com: anything
HD> [EMAIL PROTECTED]: username~domain-com
HD> And it works like that. I would love to do it differently (go explain the
HD> users that they have to put a "~" instead of an "@" and you'll see how much
HD> fun this is). If you find a way to do, please let us know. Some kind of
HD> howto would be great!

I think I'll be writing a HOWTO for what I've done in the near future. And I agree, customers aren't happy :-P Problem is right now, that the Cyrus LMTPd splits on '@' for SASL/Kerberos realms or something. Devdas Bhagat is working on a virtual domain patch for Cyrus IMAPd, and hopefully this issue will be addressed.

HD> Haim.

-- Kevin
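The username~domain-com mapping quoted in the message above, combined with the GOODCHARS set quoted earlier in the thread, as an added example that is not part of any poster's message. The function names, the sample addresses and the rule that rejects '.', '~' and spaces in the local part are assumptions; output lines use the whitespace-separated "address mailbox" form of Postfix virtual(5). It also flags a property of the scheme worth checking before use: a-b.com and a.b.com map to the same mailbox suffix.

```shell
#!/bin/sh
# Added example (not from the thread): map addresses to the user~domain-com
# mailbox scheme and print Postfix virtual(5) "address mailbox" lines.
LC_ALL=C; export LC_ALL

# tr(1) spelling of the GOODCHARS set quoted from imap/mboxname.c;
# the trailing '-' is a literal hyphen.
GOODCHARS_SET=' +,.0-9:=@A-Z_a-z~-'

# mailbox_for ADDRESS: print the mailbox name, or return 1 when the
# address cannot be mapped safely.
mailbox_for() {
  addr=$1
  local_part=${addr%@*}
  domain=${addr##*@}
  # The address must split cleanly into local part and domain.
  [ "$local_part@$domain" = "$addr" ] || return 1
  # Assumption: '.' is special in stock Cyrus names, '~' is this scheme's
  # separator, and spaces would break the map file, so all are refused.
  case $local_part in ''|*@*|*.*|*~*|*' '*) return 1 ;; esac
  case $domain in ''|.*|*.|*[!A-Za-z0-9.-]*) return 1 ;; esac
  mbox="$local_part~$(printf '%s' "$domain" | tr . -)"
  # Anything left after deleting the allowed characters is illegal.
  leftover=$(printf '%s' "$mbox" | tr -d "$GOODCHARS_SET")
  [ -z "$leftover" ] || return 1
  printf '%s\n' "$mbox"
}

# virtual_table: read addresses on stdin, print map lines on stdout.
# Rejected addresses and mailbox collisions are reported on stderr;
# the exit status is 1 when two addresses map to the same mailbox.
virtual_table() {
  while IFS= read -r addr; do
    mbox=$(mailbox_for "$addr") || { echo "rejected: $addr" >&2; continue; }
    printf '%s %s\n' "$addr" "$mbox"
  done | awk '
    seen[$2] != "" && seen[$2] != $1 {
      printf "collision: %s and %s -> %s\n", seen[$2], $1, $2 > "/dev/stderr"
      bad = 1
      next
    }
    { seen[$2] = $1; print }
    END { exit bad }'
}

# Constructed sample input.
sample_addresses() {
  cat <<'EOF'
john@example.com
jane@a-b.com
jane@a.b.com
bad/name@example.com
j.doe@example.com
EOF
}

sample_addresses | virtual_table || true
```

Two different addresses landing on one mailbox means one customer's mail is delivered to another, so a non-zero exit from virtual_table should stop the map from being installed.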
LDAP + quotas
Hey guys,

Well, I think this was talked about a little before in the past, but I can't get the archive search to work. So, if it was, sorry for asking again. If not, I'd like to see some nice responses :)

I'm trying to build a complete web hosting solution. All accounts are stored in LDAP. I just set up NSS LDAP today figuring I might need that (apt-get install libnss-ldap didn't give me the problems most people building by source were having ;)). All mailboxes are created in cyrus imapd 2.0.15-HIERSEP, with lookups done through SASL through LDAP. Now, I know cyrus-imapd has a system for mailbox quotas, but I want a system-wide policy.

What I ideally want to be able to do is assign each virtual host a group, and set that quota of that group to whatever their max allowed disk space is (for instance, 50 MB), and then have their web folder and all user mailboxes in that group be restricted to that 50 MB limit.

Anyone know if this is possible? And if so, how to do it?

Also, any way to get ls to output the full username? I think it truncates at 8 characters by default, which is sort of a pain, since all my uids are of the form user.domain.com. I mean, it's not that bad, because the users are restricted to their web folder, so only seeing the first 8 characters is usually good enough, but ideally, the other way would be best. Or perhaps I have to roll my own with perl or something?

Thanks.

-- Kevin
Re[2]: Virtual Hosting
Hey Simon,

Thursday, July 26, 2001, 6:10:11 PM, you wrote:

>> > You can't do name based virtual hosting with ftp, as the protocol
>> > doesn't use domain names.
>> >
>> > You will need to do IP based virtual hosting and use IP aliasing.
>>
>> How hard would it be to implement a thing in say ProFTPd for example,
>> that took "[EMAIL PROTECTED]" as the actual username, rather than just
>> "user" ?
>>
>> Would that be possible?

SA> Not with the current c0de base. Possible to do with code changes though.

Works fine for me with 1.2.2r3, as I reported once before maybe a month or two ago on a thread about OpenLDAP with Russ.

-- Kevin
Re[2]: LDAP + quotas
Hey Russell,

Friday, July 27, 2001, 10:17:42 AM, you wrote:

RC> On Wed, 25 Jul 2001 17:44, Kevin J. Menard, Jr. wrote:
>> What I ideally want to be able to do is assign each virtual host a
>> group, and set that quota of that group to whatever their max allowed
>> disk space is (for instance, 50 MB), and then have their web folder and
>> all user mailboxes in that group be restricted to that 50 MB limit.
>>
>> Anyone know if this is possible? And if so, how to do it?

RC> I suggest using two unix groups, one for web and the other for mail.

Any particular reason why? :) I only suggested one group because I wanted the 50MB restriction imposed for mail + web combined. And if I do two groups in LDAP, am I gonna notice any slow downs worth noting? (I don't assume I would, but this would start to complicate a simple posixAccount posixGroup system).

RC> Then store the quota in some suitable LDAP attribute (NB the standard
RC> schemas don't have a suitable attribute).

Recommend anyone in particular? RoomNumber might work :-P Or do you have some sort of schema you use on your own? I ended up using your services schema within my own OID since there isn't an official debian one yet :-P

RC> Then write a cron job which calls the following LDAP query:
RC> ldapsearch -x "(&(modifyTimestamp>>=20010531105821Z)(objectClass=posixAccount))" uidNumber
RC> gidNumber quota | grep -v ^# | grep -v ^dn:
RC> and then sets up quota entries from the "quota" attribute. The
RC> modifyTimestamp attribute value should have the time of the last time the
RC> cron job ran.

RC> Eventually I think I'll develop a debian package of scripts for doing this
RC> type of stuff, so if you write such a cron job then make sure you send me a
RC> copy. ;)

Sure can do. How often do you figure such a cron job should run? I mean, my quota values really don't change often. Actually, once they're set, that's usually about it. So, a cron job of once a day could maybe suffice, but if I'm creating a new virtual domain, and it doesn't have quotas til the end of the day, that might not be cool :-/

RC> I've got user names much longer than 8 characters without any problems.
RC> After 31 characters the names can't be represented in utmp properly (which
RC> can cause some minor hassles for login accounts and will stuff up Portslave
RC> among other programs). But there's no problems for other things.

RC> I've done tests with user-names around 60 characters long in LDAP and my
RC> (admittedly basic) tests worked fine.

Hmm . . . and they appear in ls fine? Maybe the period I'm using in the uid as user.domain.com is being interpreted as a group or something?

Thanks for the reply. This system could work. But I think the real solution would be to devise a way to have system quotas read directly from LDAP. Oh well. C'est la vie.

-- Kevin
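A sketch of the cron job discussed in the message above, added here as an example and not code from either poster. It assumes the non-standard "quota" attribute holds a size in KiB, that quotas are applied per user with setquota from the Linux quota tools, and that the function names and the sample LDIF are constructed; it prints the commands instead of running them, and it treats directory values as untrusted input because the job runs as root.

```shell
#!/bin/sh
# Added example (not from the thread): turn the filtered ldapsearch output
# into setquota commands. Dry run: commands are printed, never executed.

# ldap_filter STAMP: build the search filter from a 14-digit UTC timestamp
# (YYYYMMDDhhmmss, e.g. from `date -u +%Y%m%d%H%M%S` at the previous run).
# Anything else is refused so a damaged state file cannot alter the filter.
ldap_filter() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -eq 14 ] || return 1
  printf '(&(modifyTimestamp>=%sZ)(objectClass=posixAccount))\n' "$1"
}

# quota_commands FILESYSTEM: read LDIF entries (blank-line separated) on
# stdin and print one setquota line per entry whose uidNumber and quota
# are both plain decimal numbers. Soft and hard block limits are set to
# the same value; inode limits are left at 0 (unlimited).
quota_commands() {
  awk -v fs="$1" '
    function emit() {
      if (uid ~ /^[0-9]+$/ && quota ~ /^[0-9]+$/)
        printf "setquota -u %s %s %s 0 0 %s\n", uid, quota, quota, fs
      else if (uid != "" || quota != "")
        printf "skipped: uid=[%s] quota=[%s]\n", uid, quota > "/dev/stderr"
      uid = ""; quota = ""
    }
    /^$/           { emit(); next }
    /^uidNumber: / { uid = substr($0, 12) }
    /^quota: /     { quota = substr($0, 8) }
    END            { emit() }
  '
}

# Constructed sample of the query output after the two grep -v filters.
sample_ldif() {
  cat <<'EOF'
uidNumber: 1001
gidNumber: 2001
quota: 51200

uidNumber: 1002
gidNumber: 2001
quota: 51200;true

uidNumber: 1003
gidNumber: 2002

uidNumber: 1004
gidNumber: 2002
quota: 102400
EOF
}

ldap_filter 20010531105821
sample_ldif | quota_commands /home
```

Entries 1002 and 1003 are skipped: one carries a value that is not a plain number, the other has no quota attribute at all.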
Re[2]: Cyrus-imapd install problems
Hey Haim,

Wednesday, August 01, 2001, 2:40:16 PM, you wrote:

HD> http://dudle.linuxroot.org
HD> Please give me some feedback.

I wouldn't put the cyrus user into the mail group. Postfix doesn't like to share. You should create a separate cyrus group.

And Cyrus Imapd 2.0.16 is out now. No biggie, but might want to update your links.

-- Kevin
Re: Clustering mail servers - Cyrus or Courier ?
Hey Przemyslaw,

Sunday, August 05, 2001, 10:10:13 AM, you wrote:

PW> However, AFAIK it can be done only with Cyrus with its IMAP Aggregator, or
PW> with qmail-ldap + Courier-IMAP...

Perdition (http://www.ca.us.vergenet.net/linux/perdition/) should allow you to do the same thing as Cyrus murder, on other mail systems.

-- Kevin
Re[2]: Clustering mail servers - Cyrus or Courier ?
Hey Jeff,

Monday, August 06, 2001, 6:32:47 AM, you wrote:

>> However, AFAIK it can be done only with Cyrus with its IMAP Aggregator, or
>> with qmail-ldap + Courier-IMAP...

JW> You ought to check out Scalemail, which is being developed expressly for
JW> this purpose. It is a combination of Courier POP/IMAP and postfix. Very
JW> powerful combo.
JW> - Jeff

Are there any plans to offer a version with Cyrus IMAPd? There's a fair number of us that like this better than Courier, so I think it would be a nice suggestion :)

Btw, anyone know if the Cyrus IMAPd maintainer plans on maintaining the package anymore? It is seriously out of date, and he hasn't responded to a bug report filed about it being such.

-- Kevin
Re[2]: Clustering mail servers - Cyrus or Courier ?
Hey Przemyslaw,

Monday, August 06, 2001, 11:59:53 AM, you wrote:

PW> Hmmm, I can see it's in early stage of development.
PW> Does postfix support ldap natively ?

Yeap (not sure going how far back though). And you can set up SASL to do SMTP AUTH via LDAP with postfix as well.

-- Kevin
Re: Host my own box as my own ISP?
Hey etalent,

Tuesday, August 14, 2001, 4:05:48 PM, you wrote:

e> How do I set up/configure Windows 2000 Advanced server as ISP host on
e> my own box, which is a Compaq 7495 with Windows 2000 Advanced server.
e> My 'net connection is Bellsouth USB DSL. -Thanks

I would first read some documents on microsoft.com and do some google searches. Then I'd probably go ask the appropriate mailing lists.

-- Kevin
Re[2]: Apache/PHP
Hey Jeff,

Thursday, August 16, 2001, 10:05:35 AM, you wrote:

JW> Backport to potato, and have a platform you can rely on. Running sid on a
JW> production server is system administration crack smoking at its finest.

I find using woody to be pretty good.

-- Kevin
Re[2]: change NIC after install
Hey Peter,

Thursday, August 16, 2001, 3:39:01 PM, you wrote:

PB> Andrew Kaplan wrote:
>>
>> How would I change my NIC from a 3COM to say a Kingstone (Tulip) card after
>> the box was running with the 3com card.

PB> Re-compile your kernel with support for the new NIC card and reboot.

Don't forget to run lilo again. You'll shoot yourself in the foot that way :-P

-- Kevin
Re: Apache
On Fri, 5 Oct 2001, Craig wrote:

> Ehelo
>
> Is there a module or package that lets apache run
> asp files ?

Of a sort, people have already told you about asp2php BUT you can also use:

* ActiveScripting for Apache
* Apache::ASP

Have a look at: http://httpd.apache.org/related_projects.html

Also a quick google search turned up: http://www.chilisoft.com/ Which is purchasable.

Yours Tony.

/*
 * "The significant problems we face cannot be solved at the
 * same level of thinking we were at when we created them."
 * --Albert Einstein
 */
Re: apt-get
On Thu, 18 Oct 2001, Craig wrote:

> Hi again fellas
>
> Is there a way to upgrade only one package using apt-get ?

If you only want to upgrade one package:

# apt-get update
# apt-get install fubar

That will install the newest version of fubar and any required libraries.

Yours Tony.

/*
 * "The significant problems we face cannot be solved at the
 * same level of thinking we were at when we created them."
 * --Albert Einstein
 */
Re: mta confusion
On Thu, 18 Oct 2001, David Bishop wrote:

> Currently:
> Using sendmail with webmin and the webmin control module
> Using webmail based off of the webmin control module for sendmail
> Each user has a real account on the box for uploading files/whatnot
> Normal spam-free setup (non-promisc according to mail-abuse.org)
> Forwards for local ip addresses, non-authenticating
>
> Needs:
> Be able to differentiate between [EMAIL PROTECTED] and [EMAIL PROTECTED]

Add:

FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl

to /etc/mail/sendmail.mc

Then you can edit /etc/mail/virtusertable like:

[EMAIL PROTECTED]    bob@localhost
[EMAIL PROTECTED]    alice@localhost
@foobar.com         catchall_foobar@localhost
[EMAIL PROTECTED]    tarzan@localhost
[EMAIL PROTECTED]    jane@localhost
@barfoo.com         catchall_barfoo@localhost

This allows you to have complete namespaces for each domain. The only issue is that your underlying database (/etc/passwd) cannot have duplicates. I.e. if both foobar.com and barfoo.com want an account named cooldude, they can't have it. They _can_ have an email address of cooldude@

There are other options for mass virtual hosting but they all use databases as the auth backend.

> Not have to keep a separate email database from the system /etc/passwd.

You can use /etc/passwd for the accounts database but you will need to keep a separate database of email address mappings.

> Still have an integrated webmail client that doesn't use imap, just direct
> manipulation of the mbox file.

... Why not imap? I know it is slow but it gives you a world of flexibility. I recommend TWIG as a webmail service. It is fully customizable and supports virtual hosts. So foobar's webmail can look different to barfoo's. It also will NOT break POP access to the same mail box so it can read mail however and whenever you like. Because the webserver talks to the imapd you don't even need to make it network contactable, just by localhost. (Unless the mail and webservers are different machines)

> Have a webmin module so the owner can "manage" the mta.

Pass ... I would imagine that the sendmail webmin module can do what you need, BUT I've never used it so I can't say for sure.

Yours Tony.

/*
 * "The significant problems we face cannot be solved at the
 * same level of thinking we were at when we created them."
 * --Albert Einstein
 */
Re: A few questions
On Thu, 18 Oct 2001, [EMAIL PROTECTED] wrote:

> I know that it is possible to set up virtual hosting by giving one box multiple IP
> addresses. Is it possible to make www.domain1.com and www.domain2.com resolve to the
> same IP but have some way of going to the right page on the server?

Use Apache's virtual hosting features: http://httpd.apache.org/docs/vhosts/index.html

> I was going to try qmail, but from what I have read on the qmail site (but I
> probably interpreted it incorrectly), it is an SMTP server only. Is there some addon
> to allow it to act as a POP3 server as well?

No, just install a pop3 server as well. There are many; ipopd and cucipop come to mind.

Yours Tony.

/*
 * "The significant problems we face cannot be solved at the
 * same level of thinking we were at when we created them."
 * --Albert Einstein
 */
Re[2]: virtual hosting methods
Hey Martin,

Saturday, November 24, 2001, 5:30:41 PM, you wrote:

MpP> Actually there is a very nice and nifty feature in apache 1.3.19+ (or was
MpP> it 20+) that allows an include filename to be a directory, which will
MpP> include all directories and subdirs of the named directory, and load all
MpP> files in those dirs as config files. With some maintenance scripts it
MpP> allows very easy maintenance of virtual hosts (configuration...)
MpP> and grouping of configuration.

I'll have to look into this. This sounds very interesting.

MpP> For simple masshosting I still suggest mod_vhost.

Which brings me back to my original question. For simple masshosting, I would agree. But what about a system where some vhosts have CGI or SSI access for example, and some don't. Would the former setup be better, or the latter?

-- Kevin
virtual hosting methods
Hey guys,

What are people doing for virtual hosting? I'm trying to figure what would be best for me.

Would running a vhost module be a good way of doing things? My only problem with this is I'd have to parse the single log file for each host. Not a huge deal, but I'd like to have them separated without my intervention. And I'd have to throw config lines for each vhost into the .htpasswd file, but even that would be acceptable.

I've recently read about people just doing stuff with mod_rewrite (I think). I really don't know much about this.

And I was thinking just have a separate vhost.conf file and modifying that, then restarting apache with graceful.

Any info would be great. Thanks.

-- Kevin