Ted Leung on the air: Open Source, Java, Python, and ...
If you are using shorewall as your firewall, be sure to update the contents of your rfc1918 file periodically, as networks get reassigned by IANA. I had a very out of date version, which was making my website inaccessible to people on various networks.
Fortunately shorewall includes a Python script for generating the appropriate parts of the file.
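The failure mode described above, a bogon list that still drops address space that has since been allocated, is easy to check for mechanically. The following is an added example, not Shorewall's bundled generator script: it parses an rfc1918-style file, reports drop entries that collide with allocated prefixes, and emits a corrected file. It assumes the two-column SUBNET/TARGET layout with RETURN meaning "exempt, stop checking"; the file contents and the allocated-prefix list are constructed sample data, where a real run would take the list from the current IANA address space registry.

```python
"""Check a Shorewall rfc1918-style bogon file against allocated address
space and emit a corrected file.

Added example (not Shorewall's own script). Assumed file layout: two
columns, SUBNET and TARGET, where TARGET is RETURN (exempt), DROP or
logdrop; '#' starts a comment. All sample data below is constructed.
"""
import ipaddress

# Constructed sample of an out-of-date file: the last three entries block
# space that, in this example, has since been assigned.
STALE_FILE = """\
# SUBNET            TARGET
10.0.0.0/8          logdrop
172.16.0.0/12       logdrop
192.168.0.0/16      logdrop
69.0.0.0/8          logdrop
70.0.0.0/7          logdrop
82.0.0.0/8          logdrop
"""

# Constructed: prefixes assumed to be allocated now. A real run would feed
# this from the current IANA IPv4 address space registry.
ALLOCATED = ["69.0.0.0/8", "70.0.0.0/8", "82.0.0.0/8"]

DROP_TARGETS = {"drop", "logdrop"}


def parse(text):
    """Return [(network, target)] in file order, skipping comments/blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        subnet, target = line.split()[:2]
        entries.append((ipaddress.ip_network(subnet, strict=False), target))
    return entries


def stale_entries(entries, allocated):
    """Drop entries that would block legitimately allocated space.

    Returns [(network, target, [allocated prefixes it collides with])].
    RFC 1918 private ranges are never reported: dropping them is intended.
    """
    alloc = [ipaddress.ip_network(a) for a in allocated]
    stale = []
    for net, target in entries:
        if target.lower() not in DROP_TARGETS or net.is_private:
            continue
        hits = [a for a in alloc if a.overlaps(net)]
        if hits:
            stale.append((net, target, hits))
    return stale


def corrected(entries, allocated):
    """Rebuild the file: an entry fully covered by an allocation is removed;
    an entry that only partly collides keeps its drop line but gets a RETURN
    line for the allocated part in front of it (RETURN exempts the match)."""
    alloc = [ipaddress.ip_network(a) for a in allocated]
    out = ["# SUBNET            TARGET"]
    for net, target in entries:
        if target.lower() not in DROP_TARGETS or net.is_private:
            out.append(f"{str(net):<20}{target}")
            continue
        if any(net.subnet_of(a) for a in alloc):
            continue  # the whole entry is now legitimate space
        for a in alloc:
            if a != net and a.subnet_of(net):
                out.append(f"{str(a):<20}RETURN")
        out.append(f"{str(net):<20}{target}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = parse(STALE_FILE)
    for net, target, hits in stale_entries(found, ALLOCATED):
        print(f"stale: {net} {target} collides with {', '.join(map(str, hits))}")
    print(corrected(found, ALLOCATED))
```

Private ranges are exempt from the stale check on purpose: 10/8, 172.16/12 and 192.168/16 should never be reachable from the Internet regardless of what IANA allocates, so those lines are the one part of the file that does not go stale.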
While I'm not having problems with downloading Debian packages (I have a cron job that downloads updated packages daily), I think that additional uses for bittorrent are a good thing. apt-torrent is a proxy for apt that uses bittorrent as the transport.
lvm2 package and follow the directions in the LVM-HOWTO. It turned out to be much less painful than I anticipated.
/etc/init.d. postgrey doesn't supply a script, so I've made mine available. I'm not an init.d wizard, so if you improve the script please let me know. [ update: postgrey is now a package in Debian unstable ] To date our anti-spam measures consist of postfix, postgrey, amavisd-new, clamav, and spamassassin on the server, and a Bayesian filter in the clients. The arms race goes on.
nameif as the solution for my kernel 2.6 interface swapping woes. It turns out that nameif isn't able to swap interfaces easily. In order to make it work you need to give your eth1 a bogus name, swap that interface's MAC to eth0 and then swap the other MAC to eth1. Thanks (as usual) to Google and the debian-users list for the fix. Note that you cannot do this from an /etc/mactab, so you need to change /etc/init.d/networking (on Debian) and include the calls to nameif directly. You have to modify /etc/init.d/networking anyway because it doesn't check for an /etc/mactab and try to run nameif, and that's probably just as well. At least I'm happily running 2.6 now.
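The reason the swap needs a bogus name is that nameif renames a device by MAC and a name cannot be assigned while another device still holds it, so the two-step swap has to go through a third name. The script below is an added example, not the post's own /etc/init.d/networking edit: it builds the rename sequence in the only order that never assigns a name still in use, prints it, and runs it only when asked. The MAC addresses and the temporary name swap0 are assumptions; the `nameif NAME MAC` form is the real nameif usage, and nameif requires the interfaces to be down.

```python
"""Swap the names of two interfaces by MAC with nameif, going through a
temporary name so that no name is ever assigned while still in use.

Added example; not from the post or from Debian's networking script.
Sample MACs and the temporary name are assumptions. nameif needs root and
both interfaces down; by default this script only prints the plan.
"""
import re
import subprocess
import sys

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def plan_swap(mac_a, mac_b, name_a="eth0", name_b="eth1", tmp="swap0"):
    """Return the nameif commands that give mac_a the name name_b and mac_b
    the name name_a. Before the swap mac_a is name_a and mac_b is name_b."""
    for m in (mac_a, mac_b):
        if not MAC_RE.match(m.lower()):
            raise ValueError(f"bad MAC address: {m}")
    if len({name_a, name_b, tmp}) != 3:
        raise ValueError("names must be distinct")
    return [
        ["nameif", tmp, mac_b],     # 1. park device B under the bogus name
        ["nameif", name_b, mac_a],  # 2. device A takes the name just freed
        ["nameif", name_a, mac_b],  # 3. device B takes name_a, now free too
    ]


def run_plan(plan, dry_run=True):
    """Print each command and, unless dry_run, execute it; stop at the first
    failure. Returns the number of commands executed."""
    done = 0
    for cmd in plan:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
        done += 1
    return done


if __name__ == "__main__":
    # constructed MACs; pass --apply to actually call nameif
    plan = plan_swap("00:11:22:33:44:55", "66:77:88:99:aa:bb")
    run_plan(plan, dry_run="--apply" not in sys.argv)
```

On current kernels the same three renames can be done with `ip link set dev OLD name NEW`, which has replaced nameif in most distributions, but the ordering constraint is the same.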
- Disallow connections to port 25 from inside the firewall. This is long overdue since lots of e-mail worms like to install their own SMTP server. The only way you're going out via SMTP is via our SMTP server.
- Enable SMTP AUTH via SASL. Only authorized users should be able to use our SMTP server. This turned out to be a major headache since postfix on Debian runs chrooted, and was having trouble talking to saslauthd's socket. I ultimately gave up on using saslauthd and hacked around it using the sasldb method of checking passwords. But even that took me way too long to figure out. It would be nice if the Debian maintainers for postfix or SASL would include some documentation on how to do SASL based SMTP auth inside the postfix chroot environment (using SASL2).
- Enable TLS support for postfix. I've grabbed the postfix-tls deb and installed it. Next I need to generate the certificates. The problem is that I already have certificates for Apache and UW-IMAP (although I'm probably going to junk that in favor of Dovecot). I also want the SMTP TLS to require a client certificate (yes, I'm paranoid). So I pretty much need to set up my own CA to issue client and server certificates. What I'm not clear about is whether I need a server cert for each service (www, imaps, smtp) that I plan to offer -- I only have a single IP address. There's also the small matter of which of the many different HOWTOs or documents to follow to generate the certificates properly. Last time I used the makecert.sh that comes with Debian's modssl.
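The SASL and TLS items above come down to a handful of main.cf parameters, and it is easy to end up with AUTH enabled but still offered in the clear, or with the relay restrictions in an order that never lets authenticated users through. The following added example, not from the post, parses Postfix's `name = value` layout (including indented continuation lines) and audits it for those settings. The parameter names are real Postfix parameters; the two sample configurations are constructed, with a weak one beside a hardened one. `smtpd_use_tls` is the older switch from the postfix-tls era; newer Postfix uses `smtpd_tls_security_level`, and the checker accepts either.

```python
"""Audit a Postfix main.cf for SMTP AUTH over TLS and client-certificate
settings. Added example, not from the post; sample configs are constructed."""
import re

# Constructed: AUTH off, no TLS, authenticated users never permitted to relay
WEAK_CF = """\
myhostname = mail.example.invalid
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""

# Constructed: AUTH only over TLS, relay for authenticated users, private CA
# with mandatory client certificates (paths are assumptions)
HARDENED_CF = """\
myhostname = mail.example.invalid
# SASL: authenticate users before relaying, and only over TLS
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
# TLS with our own CA; clients must present a certificate it signed
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/certs/smtp.example.invalid.crt
smtpd_tls_key_file = /etc/postfix/certs/smtp.example.invalid.key
smtpd_tls_CAfile = /etc/postfix/certs/ca.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = yes
"""


def parse_main_cf(text):
    """main.cf: 'name = value'; a line starting with whitespace continues the
    previous value. Comments and blank lines are skipped."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def _as_list(value):
    return [v for v in re.split(r"[,\s]+", value) if v]


def audit(params):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    def get(key):
        return params.get(key, "").lower()

    if get("smtpd_sasl_auth_enable") != "yes":
        findings.append("SMTP AUTH disabled (smtpd_sasl_auth_enable != yes)")
    if "noanonymous" not in get("smtpd_sasl_security_options"):
        findings.append("anonymous SASL mechanisms not disabled")
    if get("smtpd_tls_auth_only") != "yes":
        findings.append("AUTH offered on unencrypted connections")

    restr = _as_list(get("smtpd_recipient_restrictions"))
    if "permit_sasl_authenticated" not in restr:
        findings.append("authenticated users are not permitted to relay")
    elif ("reject_unauth_destination" in restr
          and restr.index("permit_sasl_authenticated")
          > restr.index("reject_unauth_destination")):
        findings.append("permit_sasl_authenticated comes after "
                        "reject_unauth_destination, so it never applies")

    tls_on = (get("smtpd_use_tls") == "yes"
              or get("smtpd_tls_security_level") in ("may", "encrypt"))
    if not tls_on:
        findings.append("TLS not enabled for smtpd")
    for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if not get(key):
            findings.append(f"{key} not set")
    if get("smtpd_tls_req_ccert") == "yes":
        if get("smtpd_tls_ask_ccert") != "yes" or not get("smtpd_tls_CAfile"):
            findings.append("client certs required but not requested, "
                            "or no CA file to verify them against")
    else:
        findings.append("client certificates not required "
                        "(smtpd_tls_req_ccert != yes)")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CF), ("hardened", HARDENED_CF)):
        print(f"{label}: {audit(parse_main_cf(text)) or 'ok'}")
```

The checker reads only main.cf. It does not look at the SASL mechanism file under /etc/postfix/sasl/ or at whether the password database is reachable from inside the chroot, which is where the trouble described above came from; those still need to be verified by hand, for instance by attempting an AUTH against the server from a client.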