July 29, 2004

Belkin UPS review...

It's 98% finished, pending a reply back from their support folks. Watch for it in the next few days.

Posted by Jim at 10:21 PM | TrackBack

Bug with blogrolling fixed

I never posted about this, but for ages I've had a problem sending automatic pings to blogrolling.com when new entries are posted here. After several weeks of searching for clues off and on (apparently no form of support is available for that service anymore since it was taken over by another company, I never received any answers to the various email addresses I sent help requests to), the answer finally presented itself...

Since early July, I've been getting errors as follows:


Ping 'http://rpc.blogrolling.com/pinger' failed: HTTP error: 301 Moved Permanently

Pulling up that link manually brought up a page telling me I didn't use their service correctly, which was expected since that link wasn't meant to be used directly from a browser, but it had worked fine before that point, and there was no indication what might be wrong.

Searching the web for information on blogrolling and the 301 error found little, but finally this week I stumbled across the answer. It turns out that I needed a trailing slash at the end of the link for it to work, apparently with the automated pings, not having that was a big no-no after some change to their system, again possibly as a result of their service being taken over by another company and the back end system changed. Since putting the slash in, pings now seem to be happening, so my blog will again be appearing on the blogrolling system for those of you who use that service.

Posted by Jim at 12:18 AM | TrackBack

July 28, 2004

gld upgraded to 1.3

Gld, the greylisting system I use here, seems to have received an update while I was away. Seems the prior version crashed on my system while I was out, it was down about 24 hours before I noticed and brought it back online, so I went in search of an update once I was back.

No problems so far, but it's still a pain to compile on the Mac, and getting it going still involved some editing of the make file to get it working. I still hate the command line, but it's a necessary evil at times...

Posted by Jim at 11:38 PM | TrackBack

Office Series 750VA Review

A few weeks back, the folks at Belkin were nice enough to send over one of their new Office Series 750VA Uninterruptible Power Supplies for me to review. After having had a chance to spend some time with the unit, I'm finally ready to publish my notes.

I should add here that both Tripp-Lite and APC were contacted regarding doing a comparison of their equivalent units (despite Tripp-Lite not having a Mac version of their UPS software), but neither company chose to participate.

As most of you are probably aware, power failures can be a major headache to computer users, resulting in anything from losing unsaved documents, to corrupted files, to damaged hardware. Case in point, while I was out on vacation in July, a power glitch at the office fried the hard drive in my main desktop system, not only damaging my drive, but causing an automated backup I have scheduled to copy over the corrupted data, essentially losing everything permanently. Obviously not what I wanted to come back from vacation to.

Back at home, the same storm that tore through the area apparently dropped power while I was gone, I was greeted with flashing alarm clocks and my VCRs blinking 12:00 at me. But my web/mail server didn't miss a beat, and more importantly, my cable modem was still up and running, thanks to the Belkin UPS.

My cable modem seems to be especially picky when power drops for brief moments then comes back, my CPU will restart all by itself, but the cable modem, even though it has power, will stubbornly sit there with all lights off until unplugged for a full 10 seconds before power is restored. To say the least, a major pain.

To the rescue comes the Belkin Office Series 750VA, rated at a battery capacity of 750 volt-amps, and able to power a 400 watt load, this little unit now protects my web server, cable modem, and router from power failures. In fact, as I write this, the system is on battery power with the AC cord dangling off the edge of my desk.

My G4 for the site is an older model (rated at 200 watts), and does draw less power than the later G4 models, and certainly less than the G5 systems. With the router and cable modem I figure I'm pulling no more than 250 watts max, this puts about a 16% load on the UPS while in operation. Obviously if a user were to run their display through the UPS, this would cause a much larger drain on the available power, depending on the display type, but for my use, this isn't really needed.

Belkin offers several different models in the Office Series, with varying battery capacities, and some additional features like broadband protection (to keep spikes from your cable connection away from your router). For some folks, just having a few extra moments to do a proper shut down can be a lifesaver, for others, being able to keep a system up for an hour or more without power may be critical.

For my particular setup, I was able to run without power for 30 minutes, and had only run the battery down to about 50%, so I should be able to get close to an hour's use out of this particular model during a power failure.

As you can see from the picture of the unit here and on Belkin's web site, it's a very stylish design, not the ugly brick of UPSs from years past. It would look just fine sitting on top of your desk, or alongside your computer. There are six outlets on top, four are battery backed, the other two are surge protected only.

The USB cable included with the unit plugs directly into one of your Mac or PC's available USB ports (or through a hub, but if it's powered, be sure to put that on the UPS too!), and communicates with a software package called Bulldog.

Bulldog is pretty slick, there's a bar meter showing the current battery and loading level, and two other analog meters showing a number of other indicators selected via a pull-down menu, including battery, input, and output voltage, input or output frequency, and battery and output loading.

The software allows the scheduling of short and long UPS tests, as well as scheduled shutdowns and restarts. The software can automatically shut down your system after a power failure, or can even wait until the battery has run down and given a battery low warning, giving you every last bit of power remaining and still shutting your system down properly. The software will even let you set the UPS itself to power off after your CPU has shut down, to keep the battery from draining further.

For anyone that's ever lost a piece of electronic equipment to an electrical storm, you'll be happy to hear that a $75,000 connected equipment warranty is included.

The battery in the unit is replaceable, and the Bulldog software can even be set to give a battery replacement notification for some date in the future. Unfortunately, no information on the battery or with the unit indicates when the battery should be replaced, and Belkin's web site does not currently give any information on how a replacement battery for the Office Series of UPSs can be ordered.

The UPS itself retails for $109.99, but a quick search around the net found prices all the way down to $66.14.

As I was beginning this review, some questions arose that I submitted to Belkin's Tech Support staff, specifically the battery life/replacement date, availability of replacement batteries, and an updated version of the Bulldog software that might be more compatible with MacOS 10.3.4. After receiving their automated reply, nothing further was heard. More than two weeks later, a followup email was sent, which also went unanswered. My recommendation here is to call and reach a live person, as their email support is definitely lacking.

A 10.3 compatible version of Bulldog was found online, but it was problematic, with intermittent connectivity to the UPS, failure to show available gauges, and other problems I believe caused by their low level routines that monitor UPS activity. As the monitoring software is definitely not a requirement, I didn't weigh this terribly heavily.

All in all, I would highly recommend this unit, and Belkin's other models in the Office Series, for any user needing reliable short term power and peace of mind.

Posted by Jim at 12:22 AM | TrackBack

July 27, 2004

I'm back!

I'm back from vacation, and am working on catching up on a few thousand mails and browsing almost two weeks' worth of web sites that have backlogged while I was away. Being away from my high-speed internet connection was almost enough to put me into a coma...

Posted by Jim at 1:52 AM | TrackBack

July 16, 2004

Hitting the road...

I'm heading out on vacation for a bit over a week, so new updates will be a bit slow, but I'll probably pop in a time or two if I find something interesting to share.

The server is running on the Belkin UPS, so there should be no interruptions in service, weather permitting. ;)

Posted by Jim at 2:43 AM | TrackBack

July 15, 2004

More Postfix setup notes

Well, I learn a little more about Postfix every day, and most recently it was to pay attention to the order you run your restrictions in... I had an odd problem that wasn't getting fixed like I intended, and had to run to the experts on the Postfix mailing list for help, and was set straight in short order. Read along for notes and my latest config...

One of these days, I need to put together a full tutorial on setting up Postfix and then just keep that updated, but for now, here's where I'm at.

First, the proper order of restrictions. If you get this wrong, you'll make mistakes and never know why things aren't working right. I was under the impression that the HELO restrictions happened first (since HELO happens first in SMTP), but that isn't how Postfix handles things. So, here's the actual order for restrictions:

smtpd_client_restrictions
smtpd_helo_restrictions
smtpd_sender_restrictions
smtpd_recipient_restrictions


Did you score 100%? Good for you if you did. ;) My problem was that I was trying to filter a spammer that was proclaiming himself to be sending mail from a mail server with my own DNS name. As if! The blocks I put in place weren't working (it was hitting my other spam filters first and getting bounced), so that's where I started digging.

It turns out that Postfix Enabler, which I run to help manage Postfix on my Mac, set up its own smtpd_client_restrictions with the rbl filters and some other things, and in my other settings I didn't set up my own list of restrictions for that block figuring that PE had it under control, and thinking my HELO restrictions would happen first. So, once I was straightened out on that, I decided to rework my set of restrictions to make things flow a bit better.
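The ordering problem described above, as an added example (a simplified Python model written for this page, not Postfix code and not the author's configuration). The three check functions are stand-ins for the real restrictions of the same name, and the IP addresses, the whitelist entry and the layout names are constructed sample data.

```python
"""Simplified model of how Postfix walks its smtpd_*_restrictions lists."""

# Postfix evaluates the lists in this fixed order, whatever order they
# appear in inside main.cf.
STAGE_ORDER = ("client", "helo", "sender", "recipient")

# Constructed sample data standing in for DNSBL lookups and hash: tables.
RBL_LISTED = {"192.0.2.10", "198.51.100.7"}
HELO_ACCESS = {"wrightthisway.com": "REJECT"}   # nobody else may HELO as us
CLIENT_ACCESS = {"198.51.100.7": "OK"}          # whitelisted despite RBL listing


def reject_rbl_client(session):
    return "REJECT" if session["client"] in RBL_LISTED else None


def check_helo_access(session):
    return HELO_ACCESS.get(session["helo"])


def check_client_access(session):
    return CLIENT_ACCESS.get(session["client"])


CHECKS = {f.__name__: f for f in
          (reject_rbl_client, check_helo_access, check_client_access)}


def evaluate(layout, session):
    """Return (verdict, stage, restriction) for one SMTP session."""
    for stage in STAGE_ORDER:
        for name in layout.get(stage, []):
            result = CHECKS[name](session)
            if result == "REJECT":
                return ("REJECT", stage, name)  # a reject in any list is final
            if result == "OK":
                break                           # OK ends the current list only
        # Running off the end of a list counts as a permit for that list.
    return ("ACCEPT", None, None)


# Layout A: RBL checks sit in the client list, so they run before HELO checks.
LAYOUT_A = {"client": ["reject_rbl_client"],
            "helo": ["check_helo_access"]}
# Layout B: RBL checks moved to the recipient list, whitelist repeated there.
LAYOUT_B = {"helo": ["check_helo_access", "check_client_access"],
            "recipient": ["check_client_access", "reject_rbl_client"]}
# Layout C: like B, but the whitelist is only consulted in the HELO list.
LAYOUT_C = {"helo": ["check_helo_access", "check_client_access"],
            "recipient": ["reject_rbl_client"]}

FORGER = {"client": "192.0.2.10", "helo": "wrightthisway.com"}
FRIEND = {"client": "198.51.100.7", "helo": "mail.example.net"}

if __name__ == "__main__":
    for label, layout in (("A", LAYOUT_A), ("B", LAYOUT_B), ("C", LAYOUT_C)):
        print(label, "forger:", evaluate(layout, FORGER))
        print(label, "friend:", evaluate(layout, FRIEND))
```

Layout C shows the other consequence of per-list evaluation: an OK from an access table in the HELO list does not exempt the client from a reject in a later list.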

One thing that I will eventually go in and change is the access restrictions, and create separate lists for recipient, client, and sender restrictions. Postfix Enabler manages the one list called 'access' and rebuilds it every time I update (using the postmap command in the background, I'm assuming), and for now I'd rather not have to do that manually, but if my lists grow much more I may need to separate them to avoid filter errors.

So, here's my current config, with a few notes:


###Start PostfixEnabler###
alias_maps=hash:/etc/postfix/aliases
alias_database=hash:/etc/postfix/aliases
smtpd_sender_restrictions=hash:/etc/postfix/access
inet_interfaces=all
mynetworks_style=subnet
message_size_limit=10240000
mydomain=wrightthisway.com
myhostname=wrightthisway.com
smtpd_recipient_restrictions=permit_mynetworks,check_recipient_access hash:/etc/postfix/filtered_domains
unknown_local_recipient_reject_code=550
###End PostfixEnabler###

As indicated, this is what Postfix Enabler puts in on its own, most of those settings I'm not overwriting, but the restrictions definitely get changed. Also, I removed all the rbl listings from Postfix Enabler, so it now no longer creates its own client restrictions setting.


###Start Custom Config###
disable_vrfy_command = yes
default_process_limit = 10
smtpd_error_sleep_time = 30

strict_rfc821_envelopes = yes
smtpd_helo_required = yes

Same as what I've had before here, being strict with the protocols, setting some values to better manage bad servers, etc.


smtpd_helo_restrictions=
    check_recipient_maps,
    check_helo_access hash:/etc/postfix/helo_access,
    check_client_access hash:/etc/postfix/access,
    check_sender_access hash:/etc/postfix/access,
    reject_unknown_hostname,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unknown_client,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,

Now, here we have some real changes. I had copied my previous settings for client restrictions (that Postfix Enabler created for me) and brought those into the helo restriction block, and placed these after the checks I wanted in there first.

Specifically, the check_recipient_maps will make sure that the recipient actually has an account on my server, the check_helo_access is what I wrote about here, then the client and sender access filters kick in so that I can specifically allow certain email addresses or server names to pass through without going through further filters (for users on misbehaving servers that their admins won't fix, or some mail lists that happen to show up on a spammer listing, etc.), then my usual checking to make sure that the server I'm talking with checks out and is well configured.


smtpd_recipient_restrictions =
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/access,
    check_client_access hash:/etc/postfix/access,
    check_sender_access hash:/etc/postfix/access,
    check_policy_service inet:127.0.0.1:2525,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.ahbl.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client relays.visi.com,
    reject_rhsbl_client blackhole.securitysage.com,
    reject_rhsbl_sender blackhole.securitysage.com,
    reject_rhsbl_client rhsbl.ahbl.org,
    reject_rhsbl_sender rhsbl.ahbl.org,
    reject_rhsbl_client rhsbl.sorbs.net,
    reject_rhsbl_sender rhsbl.sorbs.net,
    reject_rhsbl_client block.rhs.mailpolice.com,
    reject_rhsbl_sender block.rhs.mailpolice.com,
    reject_rhsbl_client dynamic.rhs.mailpolice.com,
    reject_rhsbl_sender dynamic.rhs.mailpolice.com,
    reject_rhsbl_client bogusmx.rfc-ignorant.org,
    reject_rhsbl_sender bogusmx.rfc-ignorant.org,
    reject_rhsbl_client dsn.rfc-ignorant.org,
    reject_rhsbl_sender dsn.rfc-ignorant.org

smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit

Here we can actually check the recipient access list, and I also check client and sender again for good measure, but I think perhaps that's not needed again here. Next is a check using the Gld Greylisting software, this will force a server to try a second time to deliver the message, which most spammers won't, then once the mail comes in again, we run it through the various block lists. If it passes those, it should be pretty clean.


header_checks = regexp:/etc/postfix/maps/header_checks
mime_header_checks = regexp:/etc/postfix/maps/mime_header_checks
body_checks = regexp:/etc/postfix/maps/body_checks

unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 450

default_rbl_reply=$rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason} - see http://$rbl_domain for additional info. If this was actually a legitimate email to a real user, please forward this message to postmaster@wrightthisway.com for assistance.

###End Custom Config###

Here we stop the pipelining that some spammers use to flood a server, then do the header/body checks I've covered previously, set some reject codes (I'm now doing a 450 instead of a 550 on bad hostnames, this has helped some mails come through from larger ISPs that might have one bad server out of several, often redeliveries will come through from a different box and make it in, so the 450 gives them another chance), and lastly a custom rbl_reply, with some added text to help legitimate users reach me in the case of a problem. Spammers won't ever read these even if they do get the bounce.

And to guarantee that my postmaster account gets all mail sent to it, I've added that account to my access list, so when the recipient checks run, this will pass those mails right on through without filtering.

So, that's this month's round of changes, we'll see how far this gets me. ;)

Posted by Jim at 1:40 AM | TrackBack

July 11, 2004

Blocking forged HELO in Postfix

I came across this article on Blocking spammers with Postfix HELO controls after finding a log entry for a (rejected) spam that appeared to be getting sent from my own mail server. My own server never sends email (all that routes through my ISP), so this is all instant spam.

In the case of the mail that appeared on my system, a different spam filter caught it before it was even delivered, but I figured having one more hurdle for mail to pass wouldn't hurt, so this seemed a good one to try out.

I followed the steps in the article to set this up here, pay special attention to the 'Making it so' section about half way through. When this file is created or changed, you need to do a 'postmap helo_access' in the terminal for the changes to take place. If you don't, not only won't your changes take place, but postfix will log a warning during each server connection telling you that the source file is newer than its database.

Posted by Jim at 11:55 PM | TrackBack

July 8, 2004

New Belkin UPS

I received a Belkin Office Series 750VA UPS today to review, I'll be putting it through its paces over the next week or so, and will have a full report once that's wrapped up.

Posted by Jim at 8:19 PM | TrackBack

July 7, 2004

Anomy's overzealous filtering

I'd completely forgotten that Postfix Enabler also installed a little utility called Anomy for helping to filter email. I'd forgotten until I had to troubleshoot a problem that was affecting some mail my wife was receiving and it brought up a problem I'd forgotten about...

Anomy has the ability to 'defang' parts of HTML code embedded in messages, usually this will keep rogue code from executing on your machine, but in this case was affecting how mail messages were being displayed.

I'd first noticed this when I was forwarding a certain email back to myself, the quoted section had several zeros on there that I couldn't figure where they came from. Eventually I discovered that this was some oddity in the HTML formatting, so I just turned that off in Mail (OS X's mail application) and forgot about it.

Today, my wife received a mail with several numbers at the start from someone who's mailed her before, and she never saw anything like that. After scratching my head then looking at the raw source of the message, things finally started clicking.

I need to dig into this a bit further, but I'm thinking with all the other spam filtering I'm doing, I should be safe to just disable this feature in Anomy, it's a quick fix, just change the following in the anomy.conf file:

feat_html = 1

change to:

feat_html = 0

That should do it! I'll investigate more and see what else I can find out about this problem. I figured it was easier to deactivate this one setting than to try removing Anomy itself.

Posted by Jim at 12:05 AM | TrackBack

July 3, 2004

Greylisting working well

The Gld greylisting utility I'm running with Postfix is working pretty well, and it's already saving me some headaches. I'm still getting other headaches from postmasters that don't quite understand how their mail servers should be configured and some ISPs that just don't care, but that's a different issue. One great thing about greylisting is that it can help BIG if your mail server happens to get hit with a dictionary attack, because of greylisting, all attempts, even to valid email accounts, will get a temporary bounce, and this is usually enough that the spammer won't bother running through their list again.
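The greylisting behaviour described here, and the check_policy_service line in the July 15 config, as an added example (Python written for this page, not Gld's code). It parses a Postfix policy-delegation request and decides per (client, sender, recipient) triplet; MIN_DELAY, the Greylist class, the in-memory table and all addresses are assumptions or constructed sample data.

```python
"""Greylisting decision for a Postfix check_policy_service request."""

MIN_DELAY = 60  # assumed: seconds a new triplet must wait before a retry passes

# Constructed sample request in the policy delegation format:
# name=value lines, terminated by an empty line.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=offers@example.org\n"
    "recipient=user@example.com\n"
    "\n"
)


def parse_request(text):
    """Return the request attributes as a dict, stopping at the blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class Greylist:
    """In-memory triplet table; a real greylister keeps this in a database."""

    def __init__(self, min_delay=MIN_DELAY):
        self.min_delay = min_delay
        self.first_seen = {}  # triplet -> time of the first delivery attempt

    def decide(self, attrs, now):
        triplet = (attrs.get("client_address", ""),
                   attrs.get("sender", "").lower(),
                   attrs.get("recipient", "").lower())
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.min_delay:
            # Temporary failure: a real mail server queues and retries later.
            return "action=defer_if_permit Greylisted, try again later\n\n"
        # "dunno" hands the decision to the restrictions that follow,
        # which in the config above are the RBL checks.
        return "action=dunno\n\n"


def dictionary_attack(greylist, client, guesses, now):
    """One pass over guessed recipients with no retry; return the replies."""
    replies = []
    for rcpt in guesses:
        attrs = {"client_address": client, "sender": "x@example.org",
                 "recipient": rcpt}
        replies.append(greylist.decide(attrs, now).split()[0])
    return replies


if __name__ == "__main__":
    gl = Greylist()
    req = parse_request(SAMPLE_REQUEST)
    print(gl.decide(req, now=0).strip())     # first attempt: deferred
    print(gl.decide(req, now=30).strip())    # retry too soon: still deferred
    print(gl.decide(req, now=300).strip())   # proper retry: passed on
    print(dictionary_attack(gl, "203.0.113.9",
                            ["a@example.com", "b@example.com"], now=0))
```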

I'm going to be looking into cutting back on some of the filtering I'm doing now that greylisting is working, I'll post my updated Postfix config in a week or so with some new notes.

Posted by Jim at 12:29 AM | TrackBack

July 2, 2004

Site tweaks part 2

Well, it turns out the calendar WAS generating ok for all pages, sort of. I was expecting it to keep track of ALL entries, but instead it was smart enough to keep track of the calendar for the particular category selected, which is why it didn't look right. Also, since I was checking this right after midnight and a new month had started, there weren't a whole lot of entries to put on the calendar at that time, so all is well there.

And it looks like the calendar can't link to a whole day's worth of blog entries as I'm archiving individual entries instead of a day's worth at a time. So, it's doing exactly what it was designed to do, and I think trying to do it differently at this point would be way more trouble than it's worth. Maybe MovableType 3.0 might do things a bit differently, will have to wait and see.

Posted by Jim at 12:28 AM | TrackBack

July 1, 2004

Video adapter working

I brought home one of the gViews I had at work, along with two other ATI video cards, an AGP Rage 128 Pro, and a PCI Rage 128 card. I was surprised when I opened my G4 and discovered I had a Rage 128 Pro in there already, I could have sworn it was an nVidia card...

The two 128 Pro cards were slightly different, one had a fan, the other didn't, and were otherwise identical except for a color difference between the DVI connectors (w/fan, black, w/o fan, white). Turns out that both cards worked with the gView adapter.

I never did try out the older PCI Rage 128 card, but I suspect it also would work fine. I was really starting to believe there was some OS X issue going on that was eluding me, but obviously that's not the case.

But some questions remain, such as why the adapter didn't work on the G4's I had at the office with nVidia cards, and why my home brew adapter wasn't working.

On that last point, I think it comes down to not having the right parts, I believe the diodes I was trying to use were too large, looking at their specs I believe the voltage drop across them was sufficient so that the signal that was being measured wasn't being passed, and therefore read as an open circuit. I'll attempt to find some smaller ones next time I get to the parts store and will try to revisit that.

More details as I get them. ;)

Posted by Jim at 9:02 PM | TrackBack

More VGA adapter woes

Well, the mystery deepens. Using a known good diode on my home brew VGA adapter didn't help the matter at all. However, I managed to identify the spare VGA adapters I had at the office when I found an unopened one, and it was the Griffin gView (discontinued). But, that adapter didn't work either!

In every case, OS X reported no display attached, and gave resolution choices of 1024x768 and 832x624 only. I tried multiple gView adapters, various settings, two different G4's. No luck at all, unless I'd actually connect a display to the adapter and reboot, then it would work. Obviously OS X is detecting displays differently from how OS 9 did, I've emailed Griffin support in the hope of getting some answers to this one. Stay tuned...

Posted by Jim at 6:17 PM | TrackBack

Site tweaks

If anyone was online late Wednesday evening/Thursday morning and noticed some strangeness with how the pages looked, that was my fault. I was tweaking a few things and was making changes on the fly on the live web pages. Generally a bad idea, but I didn't think what I wanted to change would take much time. Oops.

So, now I get to go into a rant about the Movable Type templates I'm using here... ;)

The one big change I wanted for now was to change my 'Categories' menu so that the archive pages brought up only contained the summaries of my blog entries, and not the full text. Easy fix, and that's in there now. Should make finding articles in various categories a bit easier.

Next thing I wanted to change was my 'Recent Entries' menu, specifically the 'More' menu item at the bottom. What I wanted was for this item to take you back to the category listing for the entries in that menu, or the full archive if you weren't browsing a specific category. Because of how I built the menu, this wasn't an easy change, and the fix would have meant keeping several versions of my menu built for Monthly, Category, or Individual Archive use, and that was more trouble than I wanted, so I'll need to think on that a bit.

I did change the full archive listing to use a table, and show the dates for the articles. Should help somewhat to make it a bit more usable.

For those of you familiar with Movable Type, I'm sure you've noticed I've stuck pretty much with the default templates, but with a few tweaks here and there. One thing I've done which I've written about before is to make my right hand column present on all pages for a nice, uniform look. Well, that part is good, but it turns out that the Calendar doesn't generate properly on all the pages. It's going to take me a while to sort that bit out too.

Lastly, and a related item, when clicking on a calendar date, only one article for that date is brought up, rather than bringing up a page showing all articles. I 'thought' I had that working originally, but it looks like it isn't working now.

It's all the same issue as the 'More' menu item, and has to do with how the archive pages are built from what I can tell. So that means a lot of poring over the MovableType docs, which is something I'll need to do another day. ;)

Posted by Jim at 2:29 AM | TrackBack