Hush-a-bye (#2)

– Don't tell me, is this your little baby? (at unmeasurable decibels)

(%@#$!@! No, he's a stunt double, we left our baby at home)

And, in general, we never talk to -or make faces at- babies while their parents are trying to put them to sleep.

(#1)

micro_proxy

Our router master kept nagging me about these IPv6 tunnels* that we’ve set up and haven’t really (test-)driven. Which is quite expected, since we have not yet standardized on our IPv6 addressing scheme. However, he was right: we should create some traffic. So, instead of handing out address space that we might reclaim later, we decided (as a one-hour exercise) to IPv6-enable our web proxy server.

Which we did fairly easily: just modprobe ipv6 and configure the network interface. We pinged and tracerouted some IPv6 addresses, verified connectivity and edited /etc/network/interfaces (it is a Debian machine) accordingly (amazingly easy, BTW; just man interfaces).

Since we did not really want to mess with the current proxy software, we decided to run another proxy on the same machine. Our preferred choice was micro_proxy:

“micro_proxy is a very small Unix-based HTTP/HTTPS proxy. It runs from inetd, which means its performance is poor. But for low-traffic sites, it’s quite adequate. It implements all the basic features of an HTTP/HTTPS proxy, including IPv6 forwarding, in only 320 lines of code.”

The best thing about Jef Poskanzer’s code is that it is elegant and totally readable. That means that when it does not do exactly what you want, you are only minutes away from the solution. In this case, micro_proxy, when given a URL, by default tries an IPv4 address first and, if none exists, falls back to IPv6. We needed the exact opposite (try IPv6 first; if that fails, try IPv4), and with only 320 lines of code, locating the 17 lines that needed rearranging proved an easy task.

So if you are one of our users, set your web proxy option to proxy.tee.gr (port number 8086+) and try the Cool IPv6 stuff from sixxs.net.


[*] – You can set up an IPv6 tunnel by using Hurricane Electric’s excellent tunnelbroker. A very helpful tutorial can be found at the OpenBSD Journal: IPv6 Test Lab (Part 1 and Part 2).

[+] – Our router master insisted on port number 8088 whereas I find port number 8086 more appropriate. I won.

1988 – 1998 – 2007

1988: The Under-21 national team plays in the final of the European Championship and loses to Cantona's France. I admit that from that team I remembered Karasavvidis (who can forget his 5 goals against the Netherlands) and Savvidis, Sofianopoulos and Molakidis, because Olympiacos signed them. Kathimerini rightly reminds us, though, that the biggest name that team produced was Alexandris.

1998: The Under-21 national team plays in the final of the European Championship and loses to Spain. I remember that team well. I had (naively) asked Karagounis at an airport:

G. Which national team are you, guys?
K. The football Under-21s.
G. Are you coming from a friendly or an official match?
K. From a friendly.
G. And?
K. We lost.
G. Oh, never mind, it was a friendly.
K. What are you talking about, man! We lost!

2007: That “What are you talking about, man! We lost!” -for a friendly match- is my EUR 0.02 for the boys who lost to Spain.

8th annual System Administrator Appreciation Day


“Friday, July 27th, 2007, is the 8th annual System Administrator Appreciation Day. On this special international day, give your System Administrator something that shows that you truly appreciate their hard work and dedication.

Let’s face it, System Administrators get no respect 364 days a year. This is the day that all fellow System Administrators across the globe, will be showered with expensive sports cars and large piles of cash in appreciation of their diligent work. But seriously, we are asking for a nice token gift and some public acknowledgement. It’s the least you could do.”

[via]

re: Every bit of help is welcome

The blog Ανακύκλωση_τώρα_ asks for our help:

“This post is a request: anyone interested in helping with this blog, please leave a comment here so that I can add them and they can post articles.”

Anyone who thinks they have content to contribute to this effort should get in touch with its coordinator.

My EUR 0.02.

(In-Reply-To:)

milter-dnsbl

Sendmail administrators using FEATURE(dnsbl) may have noticed that the check_rcpt ruleset is executed only after all connected milters have run their corresponding xxfi_*() routines.

Wouldn’t it be better if a milter (in fact, the first in order) could block a connection based on a list of DNSBLs?

That is why I wrote my first milter, milter-dnsbl (download). milter-dnsbl has no configuration file; on startup it takes a number of arguments that let you specify a number of DNSBLs, plus whitelists published via DNS or based on the domain name of the connecting host. It requires a running lwresd(8), which it uses as a caching server. Read the manpage that comes with the source code distribution.

milter-dnsbl is distributed with an OpenBSD-style license and has been tested on an Ubuntu 6.06 i386 server.

Tricks

Assuming that the mail servers involved in relaying an email message are synchronized with NTP, when the message was actually sent can be seen clearly from the Received: headers.

Clarification: so, by changing the clock on our computer so that the message appears to have been sent at a time other than when we really sent it (the Date: header), we achieve nothing.

graymilter with DNS based whitelists support – part 3

In part 2 we saw a simple way of whitelisting domain names in Jef Poskanzer’s graymilter. However, this is a solution that does not scale well enough for busy mail systems. Adding or removing a domain from the whitelist means recompiling graymilter, which is not the most convenient thing, especially if one needs to do it (over and over) on multiple mail servers.

Wouldn’t it be easier if you could update only one file and have the information distributed to all mail servers? One way of doing this is by using rbldnsd:

“rbldnsd is a small and fast DNS daemon which is especially made to serve DNSBL zones. This daemon was inspired by Dan J. Bernstein’s rbldns program found in the djbdns package.”

Normally people use rbldnsd for publishing blacklists, but this should not stop you. After all you only need to publish a list. Whether it is a blacklist or a whitelist depends on how the program that consults it decides upon the information it gets. I start rbldnsd as follows:

/usr/sbin/rbldnsd -p /var/run/rbldnsd.pid -r/var/lib/rbldns -b1.2.3.4 \
    whitelist.tee.gr:combined:whitelist.tee.gr.txt

And assuming that I want to enlist the domains example.com, example.net and example.org, whitelist.tee.gr.txt looks like this:

; It is declared as a combined zonefile when rbldnsd starts
$DATASET dnset: @
.example.com
.example.net
.example.org

The next step is to patch graymilter so that it consults a nameserver. While we are at it, why not use lwresd?

“[lwresd] provides resolution services to local clients using a combination of a lightweight resolver library and a resolver daemon process running on the local host. These communicate using a simple UDP-based protocol, the “lightweight resolver protocol” that is distinct from and simpler than the full DNS protocol.

To use the lightweight resolver interface, the system must run the resolver daemon lwresd or a local name server configured with a lwres statement.

The lwresd daemon is essentially a caching-only name server that responds to requests using the lightweight resolver protocol rather than the DNS protocol. Because it needs to run on each host, it is designed to require no or minimal configuration. Unless configured otherwise, it uses the name servers listed on nameserver lines in /etc/resolv.conf as forwarders, but is also capable of doing the resolution autonomously if none are specified.”

Now using the lwres(3) interface we can write a query function that consults the domain name whitelist that we serve via rbldnsd:

#ifndef _TEE_CHECKS_C_
#define _TEE_CHECKS_C_ 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <sys/socket.h>
#include <lwres/lwres.h>
#include <lwres/netdb.h>
/*
 * Ask lwresd whether "<host><whitelist>" exists, e.g.
 * "mx.example.com" + ".whitelist.tee.gr".  Returns 0 when the host is
 * whitelisted (an A record came back) and 1 when it is not
 * (HOST_NOT_FOUND).  Note that a resolver error, or a failed malloc(),
 * also returns 0, i.e. the check fails open.
 */
static int
tee_check_domain(char *host, char *whitelist)
{
        char *name;
        int l, herr;
        struct hostent *he;
        l = strlen(host) + strlen(whitelist) + 1;
        name = (char *)malloc(l);
        if (name == NULL) {
                syslog(LOG_INFO, "tee_check_domain(): malloc() error: aborting");
                return(0);
        }
        /* snprintf() bounds the write and NUL-terminates, so no memset() is needed */
        snprintf(name, l, "%s%s", host, whitelist);
        /* syslog(LOG_INFO, "tee_check_domain(): %s", name); */
        he = lwres_getipnodebyname(name, AF_INET, 0, &herr);
        if (he == NULL) {
                free(name);
                if (herr == HOST_NOT_FOUND) {
                        return(1);      /* not in the whitelist */
                } else {
                        return(0);      /* TRY_AGAIN, NO_RECOVERY, ...: fail open */
                }
        }
        lwres_freehostent(he);
        free(name);
        return(0);                      /* listed: caller accepts */
}
#endif /* _TEE_CHECKS_C_ */

and again, after line 680 of graymilter.c (assuming graymilter-1.26), add:

if (tee_check_domain(connhost, ".whitelist.tee.gr") == 0) {
  syslog(LOG_INFO, "accepting host %s from whitelist", connhost);
  return SMFIS_ACCEPT;
}

After running ./configure, add -llwres to the linker flags in the generated Makefile.

So there, now rbldnsd distributes your domain name whitelist and you have local caching at every mail server with the help of lwresd.
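An added example, not code from this page nor from milter-dnsbl or graymilter, that puts the two DNS lookups described here (the per-connection DNSBL check of the milter-dnsbl post and the rbldnsd-served domain whitelist of this part) into one decision routine. The zone names, the verdict names and the in-memory lookup table are constructed for the example, and the resolver is passed in as a callback so that the policy runs without lwresd.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
enum verdict { V_ACCEPT, V_REJECT, V_CONTINUE, V_TEMPFAIL };
typedef int (*lookup_fn)(const char *qname); /* 1 listed, 0 NXDOMAIN, -1 error */
/* "192.0.2.1" + "dnsbl.example" -> "1.2.0.192.dnsbl.example"; -1 if not IPv4. */
int dnsbl_qname(const char *ip, const char *zone, char *out, size_t outlen)
{
    struct in_addr a; int n;
    const unsigned char *o = (const unsigned char *)&a; /* network byte order */
    if (inet_pton(AF_INET, ip, &a) != 1)
        return -1;
    n = snprintf(out, outlen, "%u.%u.%u.%u.%s", o[3], o[2], o[1], o[0], zone);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
/* The DNS whitelist (host name + zone, as an rbldnsd dnset publishes it) is asked
 * first and wins; then each DNSBL in turn, first hit rejects.  A resolver error
 * becomes V_TEMPFAIL instead of a silent accept. */
enum verdict dnsbl_verdict(const char *host, const char *ip, const char *wl_zone,
                           const char *const *dnsbls, size_t n, lookup_fn lookup)
{
    char q[512]; size_t i; int r;
    if (host && wl_zone && snprintf(q, sizeof q, "%s%s", host, wl_zone) < (int)sizeof q
        && lookup(q) == 1)
        return V_ACCEPT;
    for (i = 0; i < n; i++) {
        if (dnsbl_qname(ip, dnsbls[i], q, sizeof q) != 0)
            return V_CONTINUE;   /* not IPv4 (e.g. an IPv6 peer): nothing to ask */
        if ((r = lookup(q)) == 1)
            return V_REJECT;
        if (r < 0)
            return V_TEMPFAIL;
    }
    return V_CONTINUE;           /* unknown host: let graylisting etc. decide */
}
/* Constructed in-memory "DNS" standing in for lwresd: the names that exist. */
static const char *const sample_records[] = {
    "mx.example.net.whitelist.tee.gr",   /* .example.net is in the dnset */
    "1.2.0.192.dnsbl-a.example" };       /* 192.0.2.1 is listed on dnsbl-a */
int sample_lookup(const char *qname)
{
    size_t i;
    if (strstr(qname, ".dnsbl-timeout.") != NULL)
        return -1;                       /* simulated DNSBL that times out */
    for (i = 0; i < sizeof sample_records / sizeof *sample_records; i++)
        if (strcmp(qname, sample_records[i]) == 0)
            return 1;
    return 0;
}
```

In a real milter the callback would wrap lwres_getipnodebyname() as tee_check_domain() above does, and V_TEMPFAIL would map to SMFIS_TEMPFAIL.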

(part 2) (final)