Re: [DNG] networking thinking

2021-12-02 Thread Rod Rodolico via Dng
We use OPNSense for almost everything that does not require untrained
users to manage things. For the latter, we use IPFire.

OPNSense works for small offices that just want VPN, up to our NOC where
we have two routers (active/failover), DMZ and multiple backend LANs.
But, it does require some networking knowledge (though not as much as
"roll your own"). Don't know what part of the world you're in, but we
use Protectli (https://protectli.com/) hardware from the US. Pricey, but
I've not had a hardware failure in the 5+ years I've been using their
stuff. They have an option for Coreboot, a video port and a serial port,
so I feel I'm covered.

OPNSense also sells hardware specific to the appliance.

We also purchase used enterprise grade network switches (mainly HP) and
have had good results with them since we can monitor and configure at
will. The smaller clients are running little 16 port, 15 year old
switches, and at the NOC we're using two 96 port switches in an HA
configuration. As mentioned, the webUI on the switches doesn't work most
of the time, but I'm mainly a CLI type of tech anyway, so it doesn't
bother me.

Reply to questions:

1. Less hardware is better from a maintenance point of view. OPNSense
has an excellent firewall, so I do not have a separate firewall device.
My reason is pure laziness; I go to one interface I'm comfortable with
and configure there. Most of my firewalling is just allowing traffic
from one VLAN to another anyway, which is more of a routing thing.

2. No good training on networking that I know of except going back to
school.

If you decide to go with OPNSense, they have some decent documentation,
and the pfSense site has more. Feel free to visit my notes site at
http://kb.unixservertech.com for some recipes on OPNSense, but be warned
these are my personal notes and I'm not a good writer. I mainly stick
things out there so I don't have to remember them next time, but
occasionally, the OPNSense people will do an upgrade that negates all or
part of my notes.

Rod

On 11/29/21 3:38 PM, Adrian Zaugg wrote:
> Hi TIA
> 
> In the message of Sunday, 28 November 2021 14:20:14 CET it says:
> 
>> 1. is my splitting the network system into the three parts a good idea or
>> should I truncate parts 1 and 2 into the router? If you would please give
>> reasons - - - please?
> Fewer devices, less to set up and maintain and less to break: I would go with 1
> Firewall and 1 Switch.
> 
> Get a box with an SFP Port for your firewall and install OPNSense on it. Stick
> your fiber directly in your firewall, if your provider lets you choose and does
> not insist on some plastic box. If he does, then try to use it in bridge mode.
> Upon request, the providers over here tell what one has to do, when using a
> media converter (e.g. VLAN tag or PPPoE).
> 
> OPNSense and pfSense are excellent firewall distributions and IPv6 is well
> integrated with both of them. They are almost identical, coming the same way.
> OPNSense is more community oriented whereas pfSense drifted away to be more
> commercial now, but its documentation is better.
> 
> PCEngines is stable, bullet-proof hardware, it's industrial grade, lasts for
> ever and has a coreboot BIOS. There soon will be a version with an SFP port
> available. You won't get Gigabit speed through an APU with OPNSense (around
> 800Mbit/s), get something with a CPU on par with an Intel N4100, if you want to
> be ready for gigabit speed.
> 
> There are many nice boxes around without SFP ports (like the ones from AsRock
> industrial e.g.) but don't use Zotac nano ci329 with pfSense, it doesn't run
> stable (Linux in contrast runs like a charm on these).
> 
> Zyxel Switches are basically OK, but you don't get security updates after some
> years, the interface doesn't work on all browsers and they have weird bugs
> (e.g. prios in RSTP together with LAGGs). You're better off with a MikroTik
> using SwOS. The MikroTiks boot amazingly fast, SwOS is easy to configure and
> they are rather cheap. You get a Desktop Switch with 2x 10GbE and 8x 1 GbE for
> <$100. If you want to play around with your Zyxel to install whatever on it,
> that's fine, but I wouldn't invest my time on that ─ better get your lab
> running.
> 
> Opinions on the topic will differ, you'll get tons of advice in any
> direction. To a certain extent it's about your personal liking. Mine you
> probably just read above...
> 
> Regards, Adrian.
> 
> Regards, Adrian.
> 
> 
> 
> ___
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
> 

-- 
Rod Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465 US
https://dailydata.net
214.827.2170 ext 100


Re: [DNG] Wanting to set up an email system

2021-12-02 Thread Steve Litt
o1bigtenor via Dng said on Thu, 2 Dec 2021 17:05:59 -0600

>On Tue, Nov 30, 2021 at 3:26 AM Adrian Zaugg
> wrote:
>
>> In the message of Monday, 29 November 2021 23:08:33 CET, Adrian Zaugg wrote:
>> > Be prepared for a long, long journey setting up an email
>> > system with SMTP/ IMAP/Webmail using all the goodies SPF/SRS,
>> > BATV, DKIM, DNSSEC, TLS certs, DANE, virus scanning, anti-spam
>> > Measures (possibly greylisting, classification, RBLs, dnswl, ...),
>> > virtual domain handling, user auth from a directory, automatic
>> > MUA configuration, backup of the mailstorage, and so forth.
>> ...sieve and vacation might also be nice and a solution for an
>> addressbook, both integrated into the webmail
>>
>
>
>Hm - - - - interesting ideas.
>A couple votes for dovecot, lots of roll your own using selected from
>the plethora of
>options - - - but - - - - - .
>
>I had thought that when I asked about an email system that there might
>be words
>re: dovecot  (which I did see - - thanks) but what about iRedMail,
>Citadel,  Cyrus
>- - - - - or are those considered groupware only?
>
>I think I'm getting more confused rather than less!!

It's not a simple subject, especially if you want a true smtp server in
the mix.

I don't run an smtp server, because most email clients have a built-in
smtp on-ramp, and even if they don't, you could use a dedicated
smtp on-ramp like nullmailer. If this paragraph is confusing, ignore
it; it's not really important.

The philosophy behind my suggestion is "do one thing and do it well".
In most setups, the email client does tons of things: Grabs your
email from your ISP's IMAP or POP3 server, lets you read mail, lets you
write mail, stores your mail, folderizes your mail, lets you move mail
between folders and organize your email, and filter your email. This is
wonderful until it isn't. I found that out the hard way, in 2012, when
Kmail became the crapitudinous Kmail2, and I became a refugee. Because
Kmail had encompassed so much of my email activity in one place, it was
almost irreplaceable. I think people on this list could relate, using a
metaphor about a certain "we do it all for you" PID1.

So in my setup, fetchmail grabs the email from my ISP, and hands it off
to procmail, who filters the email and places each email in the proper
folder of my Daily Driver Desktop's (DDD's) Dovecot IMAP server's
maildir. My procmail IMAP serves out emails to whatever email client
looks into it. I normally use Claws-mail, but can use Thunderbird or
pretty much any other completely IMAP aware email client.

Claws-Mail is pretty much just a window into my DDD's Dovecot IMAP
server, plus it can let me write emails, and via a built in
smtp-onramp, it can let me send them. It also provides a very nice
environment to add, move and delete emails and folders.

For various reasons I hope to move from Claws-mail to something else:
Perhaps Mutt, perhaps Alpine. Mutt would be the ultimate do one thing
and do it yourself because it doesn't have an smtp on-ramp but instead
relies on qmail, postfix, sendmail and the like. And Mutt doesn't have
its own editor, but instead puts you into your favorite editor. I don't
think I can use Mutt to rearrange emails and folders, so I'll need to
use IMAP commands for that; perhaps even write my own gui app to do
that.

Mutt is very hard to learn and very undiscoverable, but that's not why
I haven't made the switch yet. Mutt doesn't seem to be able to discover
all the folders in my DDD's IMAP server. Once I get past that, I'll
probably switch to Mutt.

So that's it. My setup is based on the "do one thing and do it well"
philosophy, and is more email client agnostic than most other setups,
so I'll never again get trapped by an email client going bad.

SteveT

Steve Litt 
Spring 2021 featured book: Troubleshooting Techniques of the Successful
Technologist http://www.troubleshooters.com/techniques


Re: [DNG] Wanting to set up an email system

2021-12-02 Thread Rod Rodolico via Dng
We also use ispconfig (https://www.ispconfig.org/ispconfig/). There is a
free version and a supported version, though it is all open source. We
use this on multiple client sites and our hosting service. Highly
recommended under most circumstances, though we do have some special
purpose machines where we "roll our own."

Rod

On 12/2/21 5:16 PM, Curtis Maurand via Dng wrote:
> I run ispconfig.  It uses postfix/dovecot/bind or powerdns.  I host several
> websites and email domains on beowulf.
> 
> follow the perfect server debian instructions.
> 
> Sent from my iPhone
> 
>> On Dec 2, 2021, at 6:06 PM, o1bigtenor via Dng  wrote:
>>
>> 
>>
>>
>> On Tue, Nov 30, 2021 at 3:26 AM Adrian Zaugg wrote:
>>
>> In the message of Monday, 29 November 2021 23:08:33 CET, Adrian Zaugg wrote:
>> > Be prepared for a long, long journey setting up an email system with
>> > SMTP/ IMAP/Webmail using all the goodies SPF/SRS, BATV, DKIM, DNSSEC, TLS
>> > certs, DANE, virus scanning, anti-spam Measures (possibly greylisting,
>> > classification, RBLs, dnswl, ...), virtual domain handling, user auth from
>> > a directory, automatic MUA configuration, backup of the mailstorage, and so forth.
>> ...sieve and vacation might also be nice and a solution for an addressbook,
>> both integrated into the webmail
>>
>>
>>
>> Hm - - - - interesting ideas. 
>> A couple votes for dovecot, lots of roll your own using selected from
>> the plethora of 
>> options - - - but - - - - - . 
>>
>> I had thought that when I asked about an email system that there might
>> be words 
>> re: dovecot  (which I did see - - thanks) but what about iRedMail,
>> Citadel,  Cyrus 
>> - - - - - or are those considered groupware only?
>>
>> I think I'm getting more confused rather than less!!
>>
>> TIA
>>
>> Regards
> 

-- 
Rod Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465 US
https://dailydata.net
214.827.2170 ext 100


Re: [DNG] Wanting to set up an email system

2021-12-02 Thread Curtis Maurand via Dng
I run ispconfig.  It uses postfix/dovecot/bind or powerdns.  I host several 
websites and email domains on beowulf.

follow the perfect server debian instructions.

Sent from my iPhone

> On Dec 2, 2021, at 6:06 PM, o1bigtenor via Dng  wrote:
> 
> 
> 
> 
>> On Tue, Nov 30, 2021 at 3:26 AM Adrian Zaugg  
>> wrote:
>> In the message of Monday, 29 November 2021 23:08:33 CET, Adrian Zaugg wrote:
>> > Be prepared for a long, long journey setting up an email system with
>> > SMTP/ IMAP/Webmail using all the goodies SPF/SRS, BATV, DKIM, DNSSEC, TLS
>> > certs, DANE, virus scanning, anti-spam Measures (possibly greylisting,
>> > classification, RBLs, dnswl, ...), virtual domain handling, user auth from
>> > a directory, automatic MUA configuration, backup of the mailstorage, and so forth.
>> ...sieve and vacation might also be nice and a solution for an addressbook, 
>> both integrated into the webmail
> 
> 
> Hm - - - - interesting ideas. 
> A couple votes for dovecot, lots of roll your own using selected from the 
> plethora of 
> options - - - but - - - - - . 
> 
> I had thought that when I asked about an email system that there might be 
> words 
> re: dovecot  (which I did see - - thanks) but what about iRedMail, Citadel,  
> Cyrus 
> - - - - - or are those considered groupware only?
> 
> I think I'm getting more confused rather than less!!
> 
> TIA
> 
> Regards


Re: [DNG] Wanting to set up an email system

2021-12-02 Thread o1bigtenor via Dng
On Tue, Nov 30, 2021 at 3:26 AM Adrian Zaugg 
wrote:

> In the message of Monday, 29 November 2021 23:08:33 CET, Adrian Zaugg wrote:
> > Be prepared for a long, long journey setting up an email system with
> > SMTP/ IMAP/Webmail using all the goodies SPF/SRS, BATV, DKIM, DNSSEC, TLS
> > certs, DANE, virus scanning, anti-spam Measures (possibly greylisting,
> > classification, RBLs, dnswl, ...), virtual domain handling, user auth from
> > a directory, automatic MUA configuration, backup of the mailstorage, and so forth.
> ...sieve and vacation might also be nice and a solution for an
> addressbook, both integrated into the webmail
>


Hm - - - - interesting ideas.
A couple votes for dovecot, lots of roll your own using selected from the
plethora of
options - - - but - - - - - .

I had thought that when I asked about an email system that there might be
words
re: dovecot  (which I did see - - thanks) but what about iRedMail,
Citadel,  Cyrus
- - - - - or are those considered groupware only?

I think I'm getting more confused rather than less!!

TIA

Regards


Re: [DNG] lpr print pdf file landscape orientation

2021-12-02 Thread Marjorie Roome via Dng
Hi Haines,

On Sun, 2021-11-28 at 15:12 -0500, Haines Brown wrote:
> I have bsd-lpr. I can print a text file with landscape orientation 
> with  $ lpr -o landscape file.txt
> 
> My problem is that I cannot print pdf files in landscape 
> orientation. $ lpr -o landscape file.pdf does nothing.
> 
> I don't want to make landscape the default CUPS orientation.
> 
> Atril rotates the display of the PDF, but not the content of the 
> file in relation to the page when printed. 
> 
> The qpdfview utility also can rotate the display of text but 
> when printed the effect is simply move  text up on the page.
> 
> I don't see how poppler-utils can be of help.
> 
> How does one print a PDF with landscape orientattion? 
> 
Isn't the page orientation used encoded in the pdf?

To change it, other than by shrinking the page down so it fits on the
paper in landscape orientation I think you would need to use a pdf
editor to reflow the content.

If you have a document or image that you are converting to a pdf then
if you format the document or image landscape then the exported pdf
will also be landscape.

-- 
Marjorie



[DNG] (SOLVED. I Think) Re: exim paniclog /var/log/exim4/paniclog has non-zero size

2021-12-02 Thread Marc Shapiro via Dng

On 12/2/21 00:38, Pontus Goffe via Dng wrote:
> On 2021-12-02 at 09:16, Marc Shapiro via Dng wrote:
>> No luck.  I rebooted and got the paniclog error during the boot.
>> After booting, I stopped exim4, deleted the paniclog, and restarted
>> exim4.  It created a paniclog containing the following:
>
> Had you also executed
>
> exim4 -qff -v
>
> I think you would immediately have had your paniclog back; you have
> undelivered messages that fail when exim tries to deliver.
>
>> 2021-12-02 00:06:49 1momA3-00054k-DE == m...@quixote.home
>> R=local_user T=mail_spool defer (-1): Tainted '/var/mail/marc' (file
>> or directory name for mail_spool transport) not permitted
>>
>> How do I convince exim4 that /var/spool/marc is an acceptable file
>> name for mail_spool transport?
>
> Exim no longer allows a sender to decide the name of a path component,
> in this case 'marc'. Your config needs to agree on 'marc' being
> allowed. This is done using a lookup locally.
> From what I understand there was / is a discussion about a setting to
> just warn about this tainted data but allow it, but I could not make
> it work.
> I think you already have a lookup in the default config that checks
> /etc/aliases which would allow 'marc' in your path if you just add a line
>
> marc: marc
>
> to it. I can't promise, because I also use another lookup to be able to
> send mail.
>
> Anyhow, after a successful lookup, the config variable ${local_part}
> can be replaced by the new variable ${local_part_data} which will
> receive its value in the lookup you need to have.
> Your config files under /etc/exim4/conf.d must not contain
> ${local_part} anymore.
>
> I have no idea what will happen if you try to reinstall exim to get a
> new default config.
>
> //PG


I THINK it's working now.

I found the line in /etc/exim4/exim4.conf.template 'file = 
/var/mail/$local_part' that needs to be changed to 'file = 
/var/mail/$local_part_data'.  (The line is 72% of the way through a 79K 
file.)  Then I needed to run 'update-exim4.conf -v'.

After that, it looks like all of my undelivered files have been 
delivered and the paniclog has not returned.
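An added example, not from Marc's or Pontus's messages: a small shell audit for the tainted-data problem this thread ran into. Since Exim 4.94, values that arrive with a message (here the local part of the recipient address) are tracked as tainted and are refused in file and directory names, which is exactly the "Tainted '/var/mail/marc' ... not permitted" defer above; $local_part_data holds the copy a router has verified (on Debian's local_user router, check_local_user populates it). The function names and the sample configuration in the test are my own constructions, shaped like the mail_spool transport in the Debian template; after editing the real template, run update-exim4.conf and then exim4 -qff -v, as the thread does, to retry the deferred deliveries.

```shell
#!/bin/sh
# Added example (not from the thread): audit an Exim 4.94+ configuration for
# path options that still expand the tainted $local_part, and rewrite them to
# the untainted $local_part_data. Function names are mine, not Exim's.

# Print "LINE: text" for every `file =` / `directory =` option that expands
# $local_part or ${local_part} into a path. The untainted *_data forms are
# stripped first so they cannot produce a false hit. Other options (for
# example debug_print) are ignored: tainted data is fine in a log string.
find_tainted_paths() {
  awk '
    /^[[:space:]]*(file|directory)[[:space:]]*=/ {
      rest = $0
      gsub(/\$[{]?local_part_data[}]?/, "", rest)
      if (index(rest, "$local_part") > 0 || index(rest, "${local_part}") > 0)
        printf "%d: %s\n", NR, $0
    }
  ' "$1"
}

# Write a corrected copy of the configuration to stdout. Only file= and
# directory= options are touched; $local_part_data is left alone because the
# trailing "_" is excluded from the match.
fix_tainted_paths() {
  sed -E -e '/^[[:space:]]*(file|directory)[[:space:]]*=/ {
    s/\$[{]local_part[}]/${local_part_data}/g
    s/\$local_part([^_[:alnum:]]|$)/$local_part_data\1/g
  }' "$1"
}

# Usage: sh exim_taint_audit.sh /etc/exim4/exim4.conf.template
# Review the hits, apply fix_tainted_paths to a copy, then run
# update-exim4.conf followed by `exim4 -qff -v` (as in the thread).
if [ $# -eq 1 ]; then
  find_tainted_paths "$1"
fi
```

The audit is deliberately narrow: it reports only the two appendfile path options, because those are what Exim's taint check rejects, and it rewrites nothing unless you direct the corrected output to a file yourself.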


Re: [DNG] exim paniclog /var/log/exim4/paniclog has non-zero size

2021-12-02 Thread Pontus Goffe via Dng

On 2021-12-02 at 09:16, Marc Shapiro via Dng wrote:
> No luck.  I rebooted and got the paniclog error during the boot. After
> booting, I stopped exim4, deleted the paniclog, and restarted exim4.
> It created a paniclog containing the following:

Had you also executed

exim4 -qff -v

I think you would immediately have had your paniclog back; you have 
undelivered messages that fail when exim tries to deliver.

> 2021-12-02 00:06:49 1momA3-00054k-DE == m...@quixote.home R=local_user
> T=mail_spool defer (-1): Tainted '/var/mail/marc' (file or directory
> name for mail_spool transport) not permitted
>
> How do I convince exim4 that /var/spool/marc is an acceptable file
> name for mail_spool transport?

Exim no longer allows a sender to decide the name of a path component, in 
this case 'marc'. Your config needs to agree on 'marc' being allowed. 
This is done using a lookup locally.
From what I understand there was / is a discussion about a setting to 
just warn about this tainted data but allow it, but I could not make it 
work.
I think you already have a lookup in the default config that checks 
/etc/aliases which would allow 'marc' in your path if you just add a line

marc: marc

to it. I can't promise, because I also use another lookup to be able to 
send mail.

Anyhow, after a successful lookup, the config variable ${local_part} can 
be replaced by the new variable ${local_part_data} which will receive 
its value in the lookup you need to have.
Your config files under /etc/exim4/conf.d must not contain ${local_part} 
anymore.

I have no idea what will happen if you try to reinstall exim to get a 
new default config.

//PG



Re: [DNG] exim paniclog /var/log/exim4/paniclog has non-zero size

2021-12-02 Thread Marc Shapiro via Dng


On 12/1/21 23:56, Marc Shapiro wrote:
> On 12/1/21 10:10, Ludovic Bellière via Dng wrote:
>> If you do not need your mail system to talk to the world, then you should
>> replace exim with something that is a lot simpler to use and configure. I would
>> suggest msmtp (https://marlam.de/msmtp/) as its configuration is a lot
>> simpler for the neophyte. If you want to keep exim4, I would then suggest nuking
>> the existing configuration and starting from scratch with `dpkg-reconfigure
>> exim4-config'. Extended information should be available at
>> https://wiki.debian.org/Exim
>>
>> Exim4 being software designed to handle large amounts of email, it may be out
>> of scope for your personal usage. While, as I said, msmtp is a lot more
>> accessible through its minimalist approach: you only need a file with a dozen
>> lines for it to function properly.
>>
>> While I do use it, I wouldn't be able to help you with exim4, the software is
>> way too large and complex for my own understanding. I mainly rely on
>> dpkg-reconfigure and hope nothing breaks. And while msmtp is easier to
>> understand, changing software can itself be a source of immeasurable pain. So,
>> if in doubt, you should probably rely on dpkg-reconfigure.
>>
>> Cheers,
>>     Ludovic
>>
>> On Wed, 01 Dec 2021, Marc Shapiro via Dng wrote:
>>> This is very likely the problem, as I now have version 4.94.2-7
>>> installed.  I know virtually nothing, however, about how MTAs do
>>> their work.  Where and how do I make these config changes? I use
>>> Thunderbird for mail coming from outside the local network. Exim is
>>> only used for local transport (such as e-mail from cron jobs).
>>>
>>> Marc
>
> I looked into some of the other options and I do not recall why I
> decided against them.  It may have been when I thought that I was
> going to use the MTA for more than just local mail.
>
> In any case, I have run `dpkg-reconfigure exim4-config' using the
> defaults from when I set it up originally.  I am hoping that doing so
> with the new exim4 installed will correct the configuration issues.
>
> When I ran `dpkg-reconfigure exim4-config' I got the error about the
> paniclog being non-zero size, but I expected that.  I truncated the
> paniclog and ran `dpkg-reconfigure exim4-config' again, this time with
> no errors.
>
> I have sent myself an e-mail from 'root' but have not received it.  I
> will probably try shutting down the system and rebooting, to see if
> that gets things back in order after the reconfig.


No luck.  I rebooted and got the paniclog error during the boot. After 
booting, I stopped exim4, deleted the paniclog, and restarted exim4.  It 
created a paniclog containing the following:



2021-12-02 00:06:48 1mmEkA-9l-Jr == m...@quixote.home R=local_user 
T=mail_spool defer (-1): Tainted '/var/mail/marc' (file or directory 
name for mail_spool transport) not permitted
2021-12-02 00:06:48 1msgsb-0002NH-Cv == m...@quixote.home R=local_user 
T=mail_spool defer (-1): Tainted '/var/mail/marc' (file or directory 
name for mail_spool transport) not permitted
2021-12-02 00:06:49 1mrJnB-00026m-53 == m...@quixote.home R=local_user 
T=mail_spool defer (-1): Tainted '/var/mail/marc' (file or directory 
name for mail_spool transport) not permitted
2021-12-02 00:06:49 1msCJK-0007YK-Pi == m...@quixote.home R=local_user 
T=mail_spool defer (-1): Tainted '/var/mail/marc' (file or directory 
name for mail_spool transport) not permitted
2021-12-02 00:06:49 1momA3-00054k-DE == m...@quixote.home R=local_user 
T=mail_spool defer (-1): Tainted '/var/mail/marc' (file or directory 
name for mail_spool transport) not permitted



How do I convince exim4 that /var/spool/marc is an acceptable file name 
for mail_spool transport?



Marc
