GIS Careers Newsletter : April 14, 2007

2007-04-15 Thread GISCafe Newsletter
TechJobsCafe.com
GIS Focus
GIS and Related Fields

Saturday
April 14, 2007
From: TechJobsCafe




Featured GIS Job Opportunities

  * Data Acquisition Coordinator -- GeoDigital International LLC -- Lompoc, CA
  * Database Administrator/ St. Louis -- GeoDecisions -- St Louis, MO
  * Project Delivery Manager - Software -- MapFrame Corporation -- Dallas, TX
  * Information Technology Engineer I (GIS) -- City of Mesa -- Mesa, AZ
  * Senior Consultant  Product Specialist -- PowerBuilders, Inc. -- New York or DC, NY
  * Project Manager East Coast -- Geographic Technologies Group, Inc -- Goldsboro, NC
  * GIS Consultant -- City of Houston -- Houston, TX
  * Senior Database Administrator -- James W. Sewall -- Old Town, ME
  * GeoSpatial Consultant -- eSpatial Inc -- Herndon, VA
  * Utility GIS Consultant -- Wind Lake Solutions -- Mukwonago, WI
  * Senior Applications Specialist -- Trimble -- Westminster, CO
  * SR. ENTERPRISE TECHNOLOGY ANALYST -- Sacramento Municipal Utility District (SMUD) -- Sacramento, CA
  * Manager, GIS CAD Services -- JEA -- Jacksonville, FL
  * GIS Specialist -- TGS-Nopec Inc. -- Houston, TX
  * SURVEY TECHNICIAN -- GeoDigital International LLC -- Lompoc, CA
  * Application Developer -- GeoDecisions -- Camp Hill, PA
  * GIS Analyst (entry level) -- GeoDecisions -- Camp Hill, PA
  * Sales Engineer -- PowerBuilders, Inc. -- Washington, DC
  * Web Developer -- GeoDecisions -- Camp Hill, PA
  * FIELD DATA PROCESSOR -- GeoDigital International LLC -- Lompoc, CA

Recruit From a Targeted Audience

Who do you want to hire today?



Using GISCafe and TechJobsCafe is the most powerful way to get your GIS
job positions filled at an extremely low price. Here is why:

  1. Each of your jobs posted on TechJobsCafe also appears on GISCafe
homepage. Visited by more than 125,000 GIS professionals every month,
GISCafe is the #1 GIS web portal in the world.

  2. Each of your job postings is also sent to the 40,000 subscribers of
our daily newsletter. This is an audience that may never visit any of
the major job boards such as Monster, but we will bring your job
opening to this passive job-seeking audience.

  3. We have thousands of resumes from GIS professionals accessible to
you if you sign up for a three-month membership.

  4. This extremely targeted approach costs much less than your postings
on Monster or Dice and is much more effective in finding you the
right candidate.

  Contact us today! or fill out a short registration form and we will
  contact you.

Attention Job Seekers!

Only Enter Your Resume Once. Save time when you're applying for more than
one job position by posting your resume on TechJobsCafe.

After you enter your resume information it is automatically available
each time you apply for a job. You also have complete editorial control
of your resume information, and your resume is searched by companies who
are looking for your skills and talent.

Visit our Job Seeker section now to get a personalized account.

Career Guide

The TechJobsCafe Career Guide has been reorganized and new links have
been added. Check it out and gain an 

Re: Binary kernel and base update

2007-04-15 Thread Maurice Janssen
On Friday, April 13, 2007 at 17:21:14 -0400, Daniel Ouellet wrote:
Maurice Janssen wrote:
On Friday, April 13, 2007 at 15:16:41 -0400, Daniel Ouellet wrote:
If there was a real concrete effort, not just the usual vapor ware, I 
would/could offer hosting in Equinix peering point, for downloading 
binaries,

That's in the US?  Is that OK with regard to export restrictions?

Hmmm... You got a point there. I always forget about the backward 
mentality of some leaders (hmmm, wonder if the term applies really) in 
this place where they think everyone else is behind in technology, etc.

But download of files is available from many Universities in the US as 
well. Are they blocking the download for US only?

I guess most of the time, it isn't checked.  But that doesn't mean that
we shouldn't do it by the book.

So, I can't do it then, can I, not even build the binaries either?

As far as I understand it, both code and binaries are not allowed to be
exported.  But IANAL, I'd be happy to hear that I've got it all wrong.

Perhaps you could put some information and links on the
openbsdsupport.org website.  That would be a start.  The actual files
can be hosted somewhere else.

In the meantime, I tried to set things up for building stable releases.
- i386 and sparc64 do it in about a day on my rather old and slow
  hardware.
- sparc and vax are still crunching.
- I've had some problems with alpha and hppa.  But as these are probably
  not the most popular platforms, I guess this is not critical for now.
  I hope to fix this soon.

So I guess we need a place with good connectivity to host the files.
It's less than 200 MB per architecture, but I have no idea how much
traffic it'll generate.

Maurice



Re: Binary kernel and base update

2007-04-15 Thread Maurice Janssen
On Saturday, April 14, 2007 at 07:43:06 +0200, Marc Balmer wrote:
My company has to provide -stable base system and especially packages on 
at least i386 for its customers.  We have a fan-out box to which 
customer systems connect (the PKG_PATH points to it).  This works really 
nice and we can distribute security updates like e.g. ClamAV within 
minutes to all machines we take care of.

Up to here, I was hoping you were going to offer hosting facilities.

If there is interest in this, we could make it available as a (paid, but 
reasonably priced) service.  Contact me off-list if interested.

But apparently that's not the case.  I don't see how this is of any help
to this initiative.

Maurice



Re: Mail Server (seeking recommendations)

2007-04-15 Thread Bryan Vyhmeister

On Apr 13, 2007, at 8:49 PM, Sam Fourman Jr. wrote:


Does your Mail setup use a PostgreSQL backend?


No. I just used plain text files. This was a small test install to  
evaluate for my main mail server install. I haven't used any database  
back-end at this point.



I am wanting to know because I am looking for an OpenBSD, postfix,
dovecot, and PostgreSQL article on the internet.


That would be nice. If I get around to it, I may just try this and  
write up an article. I'm busy with moving my office right now so it  
may be wishful thinking.


Bryan



Re: Mail Server (seeking recommendations)

2007-04-15 Thread Bryan Vyhmeister

On Apr 13, 2007, at 8:46 PM, Vijay Sankar wrote:


OpenBSD's sendmail, dovecot, and hastymail is a great solution, in my
opinion, for large or small networks. It allows you to support a
variety of clients very easily and with excellent security. Like Bryan
Vyhmeister mentioned, postfix also is a good option instead of
sendmail. I prefer sendmail because it is part of the OS distribution.


Is there any reasonably easy way to get SMTP AUTH functioning with  
sendmail and dovecot?


Bryan



Re: Mail Server (seeking recommendations)

2007-04-15 Thread Jacob Yocom-Piatt
Bryan Vyhmeister wrote:
 On Apr 13, 2007, at 8:46 PM, Vijay Sankar wrote:

 OpenBSD's sendmail, dovecot, and hastymail is a great solution, in my
 opinion, for large or small networks. It allows you to support a
 variety of clients very easily and with excellent security. Like Bryan
 Vyhmeister mentioned, postfix also is a good option instead of
 sendmail. I prefer sendmail because it is part of the OS distribution.

 Is there any reasonably easy way to get SMTP AUTH functioning with
 sendmail and dovecot?


i asked about this a few weeks back and i think the answer is no. this
means you have to maintain 2 pw DBs, one for dovecot, one for
cyrus-SASL. i would like to be wrong here since it would make life
easier for me.

cheers,
jake

 Bryan



Re: Mail Server (seeking recommendations)

2007-04-15 Thread Bryan Vyhmeister

On Apr 15, 2007, at 2:03 AM, Jacob Yocom-Piatt wrote:


Bryan Vyhmeister wrote:

Is there any reasonably easy way to get SMTP AUTH functioning with
sendmail and dovecot?


i asked about this a few weeks back and i think the answer is no. this
means you have to maintain 2 pw DBs, one for dovecot, one for
cyrus-SASL. i would like to be wrong here since it would make life
easier for me.


That was the primary reason for using postfix with dovecot. Years  
back, I tried to get both sendmail and postfix working with SMTP AUTH  
and Cyrus as I recall. It was a mess. The super-easy integration of  
postfix and dovecot for SMTP AUTH is a welcome change.


Bryan



Re: Binary kernel and base update

2007-04-15 Thread Bryan Vyhmeister
I just skimmed this whole thread and I am wondering about a couple of  
things. It appears that all of you are talking about basically  
following the instructions for release(8) and just providing the  
generated files for people. Is that correct?


If the above is true, I can also assist with building release(8) for  
i386, mac68k, macppc, sparc64, and zaurus. I could also get sparc up  
and running as well. I am in the U.S. but I could provide hosting  
fairly easily.


The original poster seemed to be asking more about an incremental  
update system. Maybe that's the wrong term but something along the  
lines of the name-your-favorite-linux-distribution setup. An example  
might be yum in CentOS (and others) or apt-get in Debian. This seems  
like a much more complicated option. While possible, it would take a  
lot of work. Any thoughts on this part?


One way of doing this would be to provide a tarball that contains all  
of the affected files or binaries relevant to the particular fix or  
possibly one large tarball with every fix for -stable up to that  
point. This could be installed with tar or even a nice little shell  
script. What about this?


Bryan



Re: 4.1 !

2007-04-15 Thread Renaud Allard

Wijnand Wiersma wrote:

Or even more important: how is the song?

Wijnand




Excellent. Arabic style :) About magic caves and words :)



Re: Mail Server (seeking recommendations)

2007-04-15 Thread Martin Hedenfalk

On 4/15/07, Bryan Vyhmeister [EMAIL PROTECTED] wrote:

On Apr 13, 2007, at 8:46 PM, Vijay Sankar wrote:

 OpenBSD's sendmail, dovecot, and hastymail is a great solution, in my
 opinion, for large or small networks. It allows you to support a
 variety of clients very easily and with excellent security. Like Bryan
 Vyhmeister mentioned, postfix also is a good option instead of
 sendmail. I prefer sendmail because it is part of the OS distribution.

Is there any reasonably easy way to get SMTP AUTH functioning with
sendmail and dovecot?


I'm using sendmail, dovecot and a PostgreSQL database with passwords.
I got SMTP AUTH working nicely, using saslauthd with rimap
authentication via localhost. This way I only need one password
database.

   -martin



Re: Mail Server (seeking recommendations)

2007-04-15 Thread Joachim Schipper
On Sun, Apr 15, 2007 at 02:14:56AM -0700, Bryan Vyhmeister wrote:
 On Apr 15, 2007, at 2:03 AM, Jacob Yocom-Piatt wrote:
 
 Bryan Vyhmeister wrote:
 Is there any reasonably easy way to get SMTP AUTH functioning with
 sendmail and dovecot?
 
 i asked about this a few weeks back and i think the answer is no. this
 means you have to maintain 2 pw DBs, one for dovecot, one for
 cyrus-SASL. i would like to be wrong here since it would make life
 easier for me.
 
 That was the primary reason for using postfix with dovecot. Years  
 back, I tried to get both sendmail and postfix working with SMTP AUTH  
 and Cyrus as I recall. It was a mess. The super-easy integration of  
 postfix and dovecot for SMTP AUTH is a welcome change.

I think the main trick is in writing scripts that generate all databases
from a single main file. This is fairly easy using perl, awk, 

Of course, this becomes a hundred times more difficult the moment user
administration is not done centrally.

Joachim

-- 
TFMotD: vaccess (9) - check access permissions based on vnode parameters



Re: Binary kernel and base update

2007-04-15 Thread Marc Balmer

Bryan Vyhmeister wrote:

I just skimmed this whole thread and I am wondering about a couple of 
things. It appears that all of you are talking about basically following 
the instructions for release(8) and just providing the generated files 
for people. Is that correct?


That is not enough.  You have to make sure your packages are up-to-date 
as well.  So you are also into bulk package building.  If you want to do 
this right, it is a lot of work; that's why we don't do it in the project 
and that's probably also the reason why we ask money for it ;)  You need 
machinery and a lot of time...




Re: Binary kernel and base update

2007-04-15 Thread Stuart Henderson
On 2007/04/15 02:37, Bryan Vyhmeister wrote:
 The original poster seemed to be asking more about an incremental  
 update system. Maybe that's the wrong term but something along the  
 lines of the name-your-favorite-linux-distribution setup. An example  
 might be yum in CentOS (and others) or apt-get in Debian. This seems  
 like a much more complicated option. While possible, it would take a  
 lot of work. Any thoughts on this part?

That follows from the base OS being a bunch of unrelated packages
as done in most Linux distributions.

 One way of doing this would be to provide a tarball that contains all  
 of the affected files or binaries relevant to the particular fix or  
 possibly one large tarball with every fix for -stable up to that  
 point. This could be installed with tar or even a nice little shell  
 script. What about this?

I run -current on most systems, but I would imagine that many people
who made the more conservative decision to run -stable rather than
-current would probably prefer not to trust third-party binaries
either.



Re: Binary kernel and base update

2007-04-15 Thread Bryan Vyhmeister

On Apr 15, 2007, at 3:05 AM, Marc Balmer wrote:


Bryan Vyhmeister wrote:

I just skimmed this whole thread and I am wondering about a couple  
of things. It appears that all of you are talking about basically  
following the instructions for release(8) and just providing the  
generated files for people. Is that correct?


That is not enough.  You have to make sure your packages are
up-to-date as well.  So you are also into bulk package building.  If you
want to do this right, it is a lot of work; that's why we don't do it in
the project and that's probably also the reason why we ask money
for it ;)  You need machinery and a lot of time...


That's true. It would take lots of time. Packages are not updated  
that frequently as I recall though for -stable. It would take a lot  
of time to check on this regularly though.


Bryan



Re: Binary kernel and base update

2007-04-15 Thread Bryan Vyhmeister

On Apr 15, 2007, at 3:09 AM, Stuart Henderson wrote:


On 2007/04/15 02:37, Bryan Vyhmeister wrote:

The original poster seemed to be asking more about an incremental
update system. Maybe that's the wrong term but something along the
lines of the name-your-favorite-linux-distribution setup. An example
might be yum in CentOS (and others) or apt-get in Debian. This seems
like a much more complicated option. While possible, it would take a
lot of work. Any thoughts on this part?


That follows from the base OS being a bunch of unrelated packages
as done in most Linux distributions.


That's very true and that is one big reason why I like OpenBSD so much.


One way of doing this would be to provide a tarball that contains all
of the affected files or binaries relevant to the particular fix or
possibly one large tarball with every fix for -stable up to that
point. This could be installed with tar or even a nice little shell
script. What about this?


I run -current on most systems, but I would imagine that many people
who made the more conservative decision to run -stable rather than
-current would probably prefer not to trust third-party binaries
either.


(As an aside, how often do you update your -current systems and do  
you run -current on production servers?)


I realize that this is always the issue when you are dealing with
non-official binaries. In a production environment, I do build my own  
releases and all to use internally but I also recognize that this can  
be a pain for some people. Certain architectures like mac68k take  
next to forever to finish a release. The last time I tried with 3.9,  
it took a week and then failed with something. As soon as 4.1 has  
some security errata, I am going to attempt the build again on  
mac68k. It isn't worth it with 4.0 now that 4.1 is right around the  
corner. Of course this brings up the point that in a production  
setting, you really would have no good reason to be using mac68k  
machines. Other more powerful architectures can be patched pretty  
easily.


I guess the ideal really would be for someone to put the work into  
developing a good way to distribute an update tarball like I referred  
to above and then this work could be integrated into the base system  
or something. Whoever put the work into this could I suppose do the  
work of creating the tarballs but these official updates could be  
distributed through the usual mirrors and such. That would be nice  
but reality sets in. I may just start fiddling around with this  
concept when I have a little more time.


Bryan
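
An added example, not from any poster in this thread: one shape the "nice little shell script" proposed above could take, covering only the integrity of the download. The manifest format, the function names and the use of SHA-256 are assumptions; a matching checksum shows the tarball is the one the builder published, not that the builder is trustworthy, which is the concern raised in the quoted reply.

```shell
#!/bin/sh
# Verify-then-extract for an update tarball. The manifest (assumed format:
# "<sha256 hex>  <file name>" per line) must come from a channel the admin
# already trusts; the tarball itself may come from any mirror.

# Print the SHA-256 of a file as bare hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1      # GNU coreutils
    else
        sha256 -q "$1"                      # OpenBSD sha256(1)
    fi
}

# Read member names on stdin; succeed only if none is absolute or has a
# ".." component. Names only: link targets are not inspected.
names_are_safe() {
    while IFS= read -r name || [ -n "$name" ]; do
        case $name in
            /*|..|../*|*/..|*/../*) return 1 ;;
        esac
    done
    return 0
}

# apply_update TARBALL MANIFEST DESTDIR
# Returns 0 applied, 1 not listed, 2 checksum mismatch,
# 3 unreadable archive or unsafe member, 4 extraction failed.
apply_update() {
    tarball=$1 manifest=$2 dest=$3
    name=${tarball##*/}

    # Look the file up by name; an unlisted file is never touched.
    want=$(awk -v n="$name" '$2 == n { print $1; exit }' "$manifest")
    if [ -z "$want" ]; then
        echo "refused: $name is not listed in the manifest"
        return 1
    fi

    got=$(sha256_of "$tarball")
    if [ "$got" != "$want" ]; then
        echo "refused: checksum mismatch for $name"
        return 2
    fi

    # Only now is the archive parsed at all.
    if ! members=$(tar -tzf "$tarball" 2>/dev/null); then
        echo "refused: cannot list $name"
        return 3
    fi
    if ! printf '%s\n' "$members" | names_are_safe; then
        echo "refused: unsafe member path in $name"
        return 3
    fi

    if tar -xzf "$tarball" -C "$dest"; then
        echo "applied: $name"
    else
        echo "failed: extraction error for $name"
        return 4
    fi
}

# Command-line use: script TARBALL MANIFEST DESTDIR
if [ $# -eq 3 ]; then
    apply_update "$@"
fi
```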



host to host ipsec link

2007-04-15 Thread Markus Wernig
Hello all

I am trying a  - what I think is - simple ipsec setup. The point is to
ipsec-encrypt all traffic between a pair of firewalls (gateA and gateB,
both OBSD 4.0), in order to send pfsync traffic over the encrypted link.
Although having read through ipsec, ipsec.conf, isakmpd and friend's
manpages, I get stuck on the same point. Obviously I'm missing some
important point.

gateA:/etc/ipsec.conf:
ike esp from 10.111.1.1 to 10.111.1.2

gateB:/etc/ipsec.conf:
ike esp from 10.111.1.2 to 10.111.1.1

private and public key created by rc on initial boot in
/etc/isakmpd/private on both machines.
copied
gateA's /etc/isakmpd/private/local.pub to
gateB:/etc/isakmpd/pubkeys/ipv4/10.111.1.1
and
gateB's /etc/isakmpd/private/local.pub to
gateA:/etc/isakmpd/pubkeys/ipv4/10.111.1.2

/etc/rc.conf.local:
ipsec=YES
isakmpd_flags="-K -f /var/run/isakmpd.fifo"


I thought that with this, automatic keying would setup a tunnel between
10.111.1.1 and 10.111.1.2 on system start. But nothing of the like
happens, not even a single IKE package is exchanged between the two
hosts. Consequently, when pinging from 10.111.1.1 to 10.111.1.2 or vice
versa, the packets go over the wire in the clear.

I'm sorry, but I just can't see what I'm missing. Would anybody have a
pointer for a lost soul?

thx /markus



Re: SSH/SFTP question

2007-04-15 Thread jared r r spiegel
On Sat, Apr 14, 2007 at 05:32:38PM -0400, Frank Bax wrote:

 Based on what your vendor says; it looks like the file originally contains 
 only LF and not CRLF; so enabling ASCII transfer should convert LF to 
 CRLF.  If your transfer software doesn't have this option find another that 
 does. 

  or just convert the files yourself after you get them

-- 

  jared



Re: host to host ipsec link

2007-04-15 Thread Renaud Allard
Markus Wernig wrote:
 Hello all
 
 I am trying a  - what I think is - simple ipsec setup. The point is to
 ipsec-encrypt all traffic between a pair of firewalls (gateA and gateB,
 both OBSD 4.0), in order to send pfsync traffic over the encrypted link.
 Although having read through ipsec, ipsec.conf, isakmpd and friend's
 manpages, I get stuck on the same point. Obviously I'm missing some
 important point.
 
 gateA:/etc/ipsec.conf:
 ike esp from 10.111.1.1 to 10.111.1.2
 
 gateB:/etc/ipsec.conf:
 ike esp from 10.111.1.2 to 10.111.1.1
 
 private and public key created by rc on initial boot in
 /etc/isakmpd/private on both machines.
 copied
 gateA's /etc/isakmpd/private/local.pub to
 gateB:/etc/isakmpd/pubkeys/ipv4/10.111.1.1
 and
 gateB's /etc/isakmpd/private/local.pub to
 gateA:/etc/isakmpd/pubkeys/ipv4/10.111.1.2
 
 /etc/rc.conf.local:
 ipsec=YES
 isakmpd_flags="-K -f /var/run/isakmpd.fifo"
 
 
 I thought that with this, automatic keying would setup a tunnel between
 10.111.1.1 and 10.111.1.2 on system start. But nothing of the like
 happens, not even a single IKE package is exchanged between the two
 hosts. Consequently, when pinging from 10.111.1.1 to 10.111.1.2 or vice
 versa, the packets go over the wire in the clear.
 
 I'm sorry, but I just can't see what I'm missing. Would anybody have a
 pointer for a lost soul?
 
 thx /markus
 
 

It seems you just forgot to load your rules.
Just add ipsecctl -f /etc/ipsec.conf in the rc.local of both your
firewalls and everything should just work fine.



Re: host to host ipsec link

2007-04-15 Thread Markus Wernig
Renaud Allard wrote:

 It seems you just forgot to load your rules.
 Just add ipsecctl -f /etc/ipsec.conf in the rc.local of both your
 firewalls and everything should just work fine.


Hi

I've tried to load the rules by hand with ipsecctl -f /etc/ipsec.conf
- to no avail. On the other hand I seemed to understand that with
ipsec=YES in /etc/rc.conf.local this was done automatically.

I've tried it nevertheless, unfortunately no joy ;-)

thx /markus



Re: host to host ipsec link

2007-04-15 Thread Renaud Allard
Markus Wernig wrote:
 Renaud Allard wrote:
 
 It seems you just forgot to load your rules.
 Just add ipsecctl -f /etc/ipsec.conf in the rc.local of both your
 firewalls and everything should just work fine.
 
 
 Hi
 
 I've tried to load the rules by hand with ipsecctl -f /etc/ipsec.conf
 - to no avail. On the other hand I seemed to understand that with
 ipsec=YES in /etc/rc.conf.local this was done automatically.
 
 I've tried it nevertheless, unfortunately no joy ;-)
 

Did you verify that isakmpd is running?



Re: host to host ipsec link

2007-04-15 Thread viq

On 15/04/07, Markus Wernig [EMAIL PROTECTED] wrote:

Renaud Allard wrote:

 It seems you just forgot to load your rules.
 Just add ipsecctl -f /etc/ipsec.conf in the rc.local of both your
 firewalls and everything should just work fine.


Hi

I've tried to load the rules by hand with ipsecctl -f /etc/ipsec.conf
- to no avail. On the other hand I seemed to understand that with
ipsec=YES in /etc/rc.conf.local this was done automatically.

I've tried it nevertheless, unfortunately no joy ;-)

thx /markus


You also need to start isakmpd with -K flag, that can be done with
rc.conf.local too.

--
viq



Re: host to host ipsec link

2007-04-15 Thread Markus Wernig
Renaud Allard wrote:

 Did you verify that isakmpd is running?

Yes. It runs as follows:

11967 ??  Is  0:00.05 isakmpd: monitor [priv] (isakmpd)
18753 ??  I   0:01.40 isakmpd -S -K -f /var/run/isakmpd.fifo



Re: host to host ipsec link

2007-04-15 Thread Renaud Allard
Markus Wernig wrote:
 Renaud Allard wrote:
 
 It seems you just forgot to load your rules.
 Just add ipsecctl -f /etc/ipsec.conf in the rc.local of both your
 firewalls and everything should just work fine.
 
 
 Hi
 
 I've tried to load the rules by hand with ipsecctl -f /etc/ipsec.conf
 - to no avail. On the other hand I seemed to understand that with
 ipsec=YES in /etc/rc.conf.local this was done automatically.
 
 I've tried it nevertheless, unfortunately no joy ;-)
 
 thx /markus
 
 

Maybe also try on both firewalls:

cd /etc/isakmpd && ln -s private/local.pub .

Then restart isakmpd and reload the rules.



Re: host to host ipsec link

2007-04-15 Thread Markus Wernig
Renaud Allard wrote:

 Maybe also try on both firewalls:
 
 cd /etc/isakmpd && ln -s private/local.pub .
 
 Then restart isakmpd and reload the rules.
 

Hi

Tried that as well ... still no go.
I have disabled pf for setting the enc up. I suppose, that doesn't
matter, does it?

krgds /markus



Re: host to host ipsec link

2007-04-15 Thread Renaud Allard
Markus Wernig wrote:
 Renaud Allard wrote:
 
 Did you verify that isakmpd is running?
 
 Yes. It runs as follows:
 
 11967 ??  Is  0:00.05 isakmpd: monitor [priv] (isakmpd)
 18753 ??  I   0:01.40 isakmpd -S -K -f /var/run/isakmpd.fifo
 
 
-S is used for redundant setups. Did you try without that flag?



Re: host to host ipsec link

2007-04-15 Thread Renaud Allard
Markus Wernig wrote:
 Renaud Allard wrote:
 
 Maybe also try on both firewalls:

 cd /etc/isakmpd && ln -s private/local.pub .

 Then restart isakmpd and reload the rules.

 
 Hi
 
 Tried that as well ... still no go.
 I have disabled pf for setting the enc up. I suppose, that doesn't
 matter, does it?
 

If your pf config blocks esp, ah or udp 500, you will have problems
establishing the communication.



sk or em

2007-04-15 Thread Chris C.
Hi,

I'm in the need to replace my two 100mbit fxp nic's in my firewall with a 
1000mbit one. The hardware is kinda old. (PIII)
I'm looking for an inexpensive but not bad (so I think no realtek chips) nic.
Have looked at sk and bge, but couldn't find any bge nics at my local vendors. 
So... which driver to go? sk? em?
I really think this has been discussed before so if someone could just give me 
some keywords to search for in the archives I'd be lucky.

Thanks
Chris



Re: host to host ipsec link

2007-04-15 Thread Jacob Yocom-Piatt
Markus Wernig wrote:
 Renaud Allard wrote:

   
 It seems you just forgot to load your rules.
 Just add ipsecctl -f /etc/ipsec.conf in the rc.local of both your
 firewalls and everything should just work fine.
 


 Hi

 I've tried to load the rules by hand with ipsecctl -f /etc/ipsec.conf
 - to no avail. On the other hand I seemed to understand that with
 ipsec=YES in /etc/rc.conf.local this was done automatically.

 I've tried it nevertheless, unfortunately no joy ;-)

 thx /markus

   

for god's sake (it likes it warm and served by sexy japanese women),
please use google:

http://www.securityfocus.com/infocus/1859

turn off pf on both machines and follow the instructions with the minor
modifications to /etc/ipsec.conf that are req'd for your setup. use
isakmpd's debugging switches to see what is going on if it doesn't work.
isakmpd -dDA=10 gives mostly useful output, start there and read the
isakmpd manpage.



Re: host to host ipsec link

2007-04-15 Thread Markus Wernig
Hello!

Renaud Allard wrote:
 Markus Wernig wrote:
 Renaud Allard wrote:

 Did you verify that isakmpd is running?
 Yes. It runs as follows:

 11967 ??  Is  0:00.05 isakmpd: monitor [priv] (isakmpd)
 18753 ??  I   0:01.40 isakmpd -S -K -f /var/run/isakmpd.fifo


 -S is used for redundant setups. Did you try without that flag?

In fact, this resolves the problem! Thanks a lot.

Yet, it brings me to the next problem that I didn't set the -S flag, but
/etc/rc does so automatically because of sasyncd, which will be used on
those boxes in a further step. (The far goal being two firewall clusters
encrypting traffic between the networks behind them, and encrypting
traffic between the two members respectively.)

krgds /markus



OpenBSD/alpha Status

2007-04-15 Thread Bryan Vyhmeister
I could have posted this on the alpha list but I thought I might get  
a better answer here since that list has very little traffic.
OpenBSD/cats is no longer around and is OpenBSD/alpha on its way out as well?  
I am not intending to cause any rumors or anything but I do have the  
opportunity to pick up some alpha machines but I am not going to if  
the platform is on its way out. I had a couple of cats machines that  
are doing nothing and I don't want to have alphas in the same boat.  
Thanks for the info.


Bryan



Recommendation for a UPS

2007-04-15 Thread Jean-Daniel Beaubien

Hi everyone,

I have to replace a UPS and I was wondering if anyone could make a
recommendation (Last time I purchased one was 4 years ago, so I'm a
bit out of the loop by now).

Here is what I will be working with:

- Fresh install of 4.1 (as soon as my copy gets here)
- I will probably be using nut to shutdown the server.

I'm trying to find something that won't require too much
configs/poking around.  I'm not looking for something fancy either, I
just need enough juice to shutdown the server properly when the
electricity goes out.

Thank you for your time,

-Jd



Re: host to host ipsec link

2007-04-15 Thread Hans-Joerg Hoexer
On Sun, Apr 15, 2007 at 05:26:11PM +0200, Markus Wernig wrote:
 
 /etc/rc.conf.local:
 ipsec=YES
 isakmpd_flags="-K -f /var/run/isakmpd.fifo"

why the -f ...?  isakmpd takes care of the fifo itself.  You only need
-K, nothing else.
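
The flag findings from this thread, turned into a check that can be run over `ps` output (an added example, not code from any poster or from OpenBSD). The function name, the finding labels and the list of argument-taking option letters, taken from the isakmpd(8) synopsis, are assumptions; the sample lines are the ones posted above.

```shell
#!/bin/sh
# Audit an isakmpd command line for the flag problems found in this thread.
# Input: one line of ps output, or just the command.
# Output: one finding per line. Return status: 0 = nothing to report,
# 1 = at least one finding, 2 = the line is not an isakmpd daemon invocation.
audit_isakmpd_args() {
    set -f                  # the ps line contains "??" and "[priv]": no globbing
    set -- $1
    set +f

    # Skip the pid/tty/state/time columns up to the program name.
    while [ $# -gt 0 ]; do
        case $1 in
            isakmpd|*/isakmpd) break ;;
        esac
        shift
    done
    [ $# -gt 0 ] || return 2
    shift

    has_K=0 has_S=0 has_f=0 findings=0
    while [ $# -gt 0 ]; do
        word=$1; shift
        case $word in
            -?*) cluster=${word#-} ;;
            *)   continue ;;
        esac
        # Walk a getopt-style cluster such as "-dDA=10" one letter at a time.
        while [ -n "$cluster" ]; do
            rest=${cluster#?}
            flag=${cluster%"$rest"}
            cluster=$rest
            case $flag in
                K) has_K=1 ;;
                S) has_S=1 ;;
                c|D|f|i|l|N|p|R)
                    # Assumed list of options that take an argument: the
                    # argument is the rest of the cluster or the next word.
                    if [ "$flag" = f ]; then has_f=1; fi
                    if [ -z "$cluster" ] && [ $# -gt 0 ]; then shift; fi
                    cluster=
                    ;;
            esac
        done
    done

    if [ "$has_S" -eq 1 ]; then
        echo "passive: -S is for sasyncd(8) setups; isakmpd waits for sasyncd before negotiating"
        findings=1
    fi
    if [ "$has_K" -eq 0 ]; then
        echo "policy: -K is missing; it is needed when ipsecctl(8) loads the rules from ipsec.conf"
        findings=1
    fi
    if [ "$has_f" -eq 1 ]; then
        echo "fifo: -f is unnecessary; isakmpd takes care of its FIFO itself"
        findings=1
    fi
    return "$findings"
}

# The two ps lines posted in the thread, then the flags recommended at its end.
for line in \
    '11967 ??  Is  0:00.05 isakmpd: monitor [priv] (isakmpd)' \
    '18753 ??  I   0:01.40 isakmpd -S -K -f /var/run/isakmpd.fifo' \
    'isakmpd -K'
do
    echo "== $line"
    audit_isakmpd_args "$line" || true
done
```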



Re: Recommendation for a UPS

2007-04-15 Thread Jason Beaudoin

- Fresh install of 4.1 (as soon as my copy gets here)
- I will probably be using nut to shutdown the server.

I'm trying to find something that won't require too much
configs/poking around.  I'm not looking for something fancy either, I
just need enough juice to shutdown the server properly when the
electricity goes out.


What are your power requirements? Just a single server? How big of a
system are we talking about? ...mainframe, onyx, or a single opteron?


Regards,
~Jason



Re: OpenBSD/alpha Status

2007-04-15 Thread Joachim Schipper
On Sun, Apr 15, 2007 at 11:40:48AM -0700, Bryan Vyhmeister wrote:
 I could have posted this on the alpha list but I thought I might get  
 a better answer here since that list has very little traffic. OpenBSD/ 
 cats is no longer around and is OpenBSD/alpha on its way out as well?  
 I am not intending to cause any rumors or anything but I do have the  
 opportunity to pick up some alpha machines but I am not going to if  
 the platform is on its way out. I had a couple of cats machines that  
 are doing nothing and I don't want to have alphas in the same boat.  
 Thanks for the info.

While I am not a developer and not privy to Theo's thoughts, I did
notice quite a bit of work on the alpha (some developer mentioned the
switch to gcc 3).

On the other hand, there seems to be a 'the alpha bug' around. I don't
think it's solved yet, and it's been around for a long time. Apparently,
it causes random crashes.

Joachim

-- 
PotD: security/libtasn1 - Abstract Syntax Notation One structure parser
library



Re: Recommendation for a UPS

2007-04-15 Thread Jean-Daniel Beaubien

What are your power requirements? Just a single server? How big of a
system are we talking about? ...mainframe, onyx, or a single opteron?


Regards,
~Jason



My power requirements are very small.  The server is running an Athlon
xp 2000+ with 2 HDDs in raid 1 (no screen).  And that's the only thing
that will be attached to the UPS.

Regards,

-Jd



Sending mail from rc.local

2007-04-15 Thread Ivo van der Sangen
I am trying to send mail from rc.local to inform users about reboots. I
wrote a script /root/reboot_notification containing the following:

#!/bin/sh
for user in `/bin/cat /root/reboot_notification_users`; do
    echo "$SERVER has rebooted at `/bin/date`" | /usr/bin/mail -s "$server reboot" "$user"
done

Where $server is replaced by the hostname of the server.

I added the following entry to rc.local:

if [ -x /root/reboot_notification ]; then
    echo -n ' notifying users about reboot'; /root/reboot_notification
fi

I made /root/reboot_notification to be world-executable, although I
don't think that's necessary.

It works like a charm if I execute the script from a user-shell.

The problem is that it doesn't work from rc.local and I can't figure out
why. I tried to add /usr/bin/touch /tmp/test to rc.local and that
also didn't work which made me suspect that only programs from /bin and
/sbin are allowed to be run. At the same time a Sparc-user informed me it
works perfectly for him.

I am running OpenBSD 4.0 stable on i386.

Could this have something to do with sendmail having a warmup-time? I
tried adding a sleep 30 before the line rc.local and that didn't help.

Does anybody have an idea what I am overlooking?

Ivo van der Sangen



Re: Mail Server (seeking recommendations)

2007-04-15 Thread Adam
Bryan Vyhmeister [EMAIL PROTECTED] wrote:

 On Apr 13, 2007, at 8:46 PM, Vijay Sankar wrote:
 
  OpenBSD's sendmail, dovecot, and hastymail is a great solution, in my
  opinion, for large or small networks. It allows you to support a
  variety of clients very easily and with excellent security. Like Bryan
  Vyhmeister mentioned, postfix also is a good option instead of
  sendmail. I prefer sendmail because it is part of the OS distribution.
 
 Is there any reasonably easy way to get SMTP AUTH functioning with  
 sendmail and dovecot?

Yes, just put WANT_SMTPAUTH=yes in your /etc/mk.conf, install the
cyrus-sasl package and recompile sendmail.  Then see the configuration
options listed here http://www.sendmail.org/~ca/email/auth.html

Adam



Re: Sending mail from rc.local

2007-04-15 Thread Mike Erdely
On Sun, Apr 15, 2007 at 10:00:38PM +0200, Ivo van der Sangen wrote:
 I am trying to send mail from rc.local to inform users about reboots. I
 wrote a script /root/reboot_notification containing the following:
 
 #!/bin/sh
 for user in `/bin/cat /root/reboot_notification_users`; do
     echo "$SERVER has rebooted at `/bin/date`" | /usr/bin/mail -s "$server reboot" "$user"
 done

I do something somewhat similar.  Look for @reboot in crontab(5).

-ME



Re: sk or em

2007-04-15 Thread Stuart Henderson
On 2007/04/15 20:27, Chris C. wrote:
 I'm in the need to replace my two 100mbit fxp nic's in my firewall with a 
 1000mbit one. The hardware is kinda old. (PIII)
 I'm looking for an inexpensive but not bad (so I think no realtek chips) nic.
 Have looked at sk and bge, but couldn't find any bge nics at my local 
 vendors. 
 So... which driver to go? sk? em?

Modern Realtek re(4) are not really a problem, they do IPv4 TCP
checksum offload, HW vlan tagging, and are a better design than the
rl(4). They only handle jumbo frames up to 7.5k, but if jumbo
support was a big issue you'd probably have mentioned it already
(and even 2k would cover many of the reasons you'd want jumbos).

I'd still go for the sk(4) if they were the same price - this is
fairly possible, unlike em(4) which will almost certainly cost more
than re(4) - but don't worry about it, pretty much anything you
pick up is likely to work fine.



Re: Mail Server (seeking recommendations)

2007-04-15 Thread Bryan Vyhmeister

On Apr 15, 2007, at 2:53 AM, Martin Hedenfalk wrote:


On 4/15/07, Bryan Vyhmeister [EMAIL PROTECTED] wrote:

Is there any reasonably easy way to get SMTP AUTH functioning with
sendmail and dovecot?


I'm using sendmail, dovecot and a PostgreSQL database with passwords.
I got SMTP AUTH working nicely, using saslauthd with rimap
authentication via localhost. This way I only need one password
database.


I'll have to look into that.

Bryan



Re: Mail Server (seeking recommendations)

2007-04-15 Thread Bryan Vyhmeister

On Apr 15, 2007, at 1:09 PM, Adam wrote:


Bryan Vyhmeister [EMAIL PROTECTED] wrote:

Is there any reasonably easy way to get SMTP AUTH functioning with
sendmail and dovecot?


Yes, just put WANT_SMTPAUTH=yes in your /etc/mk.conf, install the
cyrus-sasl package and recompile sendmail.  Then see the configuration
options listed here http://www.sendmail.org/~ca/email/auth.html


Thanks. I'll look into that. I was not aware that this option existed.

Bryan



Re: Mail Server (seeking recommendations)

2007-04-15 Thread Bryan Vyhmeister

On Apr 15, 2007, at 3:03 AM, Joachim Schipper wrote:


On Sun, Apr 15, 2007 at 02:14:56AM -0700, Bryan Vyhmeister wrote:

That was the primary reason for using postfix with dovecot. Years
back, I tried to get both sendmail and postfix working with SMTP AUTH
and Cyrus as I recall. It was a mess. The super-easy integration of
postfix and dovecot for SMTP AUTH is a welcome change.


I think the main trick is in writing scripts that generate all databases
from a single main file. This is fairly easy using perl, awk,

Of course, this becomes a hundred times more difficult the moment user
administration is not done centrally.


This is exactly why I have hesitated to move to a system based on  
postfix and dovecot for my main ISP mail server. I would still like  
to do it that way but it definitely brings up some other issues with  
easy user administration. My staff needs to be able to add accounts  
easily and unfortunately, the command line is not that easy for them.  
If I did all of the user administration all the time it would be a  
non-issue but that is not practical.


Bryan



Re: OpenBSD/alpha Status

2007-04-15 Thread Bryan Vyhmeister

On Apr 15, 2007, at 12:27 PM, Joachim Schipper wrote:


On Sun, Apr 15, 2007 at 11:40:48AM -0700, Bryan Vyhmeister wrote:

I could have posted this on the alpha list but I thought I might get
a better answer here since that list has very little traffic. OpenBSD/
cats is no longer around and is OpenBSD/alpha on its way out as well?
I am not intending to cause any rumors or anything but I do have the
opportunity to pick up some alpha machines but I am not going to if
the platform is on its way out. I had a couple of cats machines that
are doing nothing and I don't want to have alphas in the same boat.
Thanks for the info.


While I am not a developer and not privy to Theo's thoughts, I did
notice quite a bit of work on the alpha (some developer mentioned the
switch to gcc 3).


That is a good sign. Another reason to keep it around is that alpha  
machines were commercially produced which the cats machines were just  
evaluation boards. Big difference. I had a very hard time finding the  
two cats boards I came up with. Alpha systems are much easier to come  
by and are a much more powerful architecture.



On the other hand, there seems to be a 'the alpha bug' around. I don't
think it's solved yet, and it's been around for a long time. Apparently,
it causes random crashes.


I was not aware of this bug. That is unfortunate. Hopefully this  
might be resolved at some point.


Bryan



Re: Mail Server (seeking recommendations)

2007-04-15 Thread Joachim Schipper
On Sun, Apr 15, 2007 at 02:06:56PM -0700, Bryan Vyhmeister wrote:
 On Apr 15, 2007, at 3:03 AM, Joachim Schipper wrote:
 
 On Sun, Apr 15, 2007 at 02:14:56AM -0700, Bryan Vyhmeister wrote:
 That was the primary reason for using postfix with dovecot. Years
 back, I tried to get both sendmail and postfix working with SMTP AUTH
 and Cyrus as I recall. It was a mess. The super-easy integration of
 postfix and dovecot for SMTP AUTH is a welcome change.
 
 I think the main trick is in writing scripts that generate all  
 databases
 from a single main file. This is fairly easy using perl, awk, 
 
 Of course, this becomes a hundred times more difficult the moment user
 administration is not done centrally.
 
 This is exactly why I have hesitated to move to a system based on  
 postfix and dovecot for my main ISP mail server. I would still like  
 to do it that way but it definitely brings up some other issues with  
 easy user administration. My staff needs to be able to add accounts  
 easily and unfortunately, the command line is not that easy for them.  
 If I did all of the user administration all the time it would be a  
 non-issue but that is not practical.

I'd suggest either writing quite a few scripts or looking at saslauthd,
then. The latter was already mentioned, and seems to be widely used.

Joachim

-- 
TFMotD: resolv.conf, resolv.conf.tail (5) - resolver configuration files
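
The "generate all databases from a single main file" approach discussed in this thread, as an added example that is not code from any of the posters. The master-file layout, the output file names and the function name generate_maps are assumptions; the sample hashes in any test data are constructed.

```shell
#!/bin/sh
# Added example: build the Dovecot and Postfix lookup files from one master list.
# Assumed master format, one account per line:  login:domain:password_hash:state
# File names, the layout and generate_maps are assumptions, not from the thread.

# generate_maps MASTER OUTDIR
#   OUTDIR/dovecot.passwd   login@domain:hash               (Dovecot passwd-file)
#   OUTDIR/vmailbox         login@domain<TAB>domain/login/  (Postfix mailbox map)
# Any invalid line aborts the run and leaves the live files as they were.
generate_maps() {
    master=$1
    outdir=$2
    old_umask=$(umask)
    umask 077                                   # hashes are never world-readable
    stage=$(mktemp -d "$outdir/.stage.XXXXXX") || { umask "$old_umask"; return 1; }
    rc=1
    if awk -F: -v pw="$stage/dovecot.passwd" -v vm="$stage/vmailbox" '
        /^[ \t]*$/ || /^[ \t]*#/ { next }
        NF != 4 {
            print "line " NR ": expected 4 fields" > "/dev/stderr"; exit 1
        }
        # login and domain end up in a mailbox path, so keep them strict
        $1 !~ /^[a-z0-9][a-z0-9._-]*$/ {
            print "line " NR ": bad login" > "/dev/stderr"; exit 1
        }
        $2 !~ /^[a-z0-9][a-z0-9.-]*$/ || $2 ~ /\.\./ {
            print "line " NR ": bad domain" > "/dev/stderr"; exit 1
        }
        # a {SCHEME} prefix followed by crypt or base64 characters only
        $3 !~ "^[{][A-Z0-9-]+[}][A-Za-z0-9./$+=]+$" {
            print "line " NR ": bad password hash" > "/dev/stderr"; exit 1
        }
        $4 != "active" && $4 != "disabled" {
            print "line " NR ": bad state" > "/dev/stderr"; exit 1
        }
        seen[$1 "@" $2]++ {
            print "line " NR ": duplicate address" > "/dev/stderr"; exit 1
        }
        $4 == "active" {
            printf "%s@%s:%s\n", $1, $2, $3 > pw
            printf "%s@%s\t%s/%s/\n", $1, $2, $2, $1 > vm
        }
    ' "$master"; then
        : >> "$stage/dovecot.passwd"            # exist even with no active users
        : >> "$stage/vmailbox"
        chmod 644 "$stage/vmailbox"             # no secrets in this one
        # rename within one directory: readers see the old file or the new one
        mv "$stage/dovecot.passwd" "$outdir/dovecot.passwd" &&
            mv "$stage/vmailbox" "$outdir/vmailbox" && rc=0
    fi
    rm -rf "$stage"
    umask "$old_umask"
    return $rc
}
```

Staff then edit only the master file; after a successful run, postmap is run on the vmailbox file so Postfix picks up the change.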



Re: OpenBSD/alpha Status

2007-04-15 Thread Joachim Schipper
On Sun, Apr 15, 2007 at 02:30:02PM -0700, Bryan Vyhmeister wrote:
 On Apr 15, 2007, at 12:27 PM, Joachim Schipper wrote:
 
 On Sun, Apr 15, 2007 at 11:40:48AM -0700, Bryan Vyhmeister wrote:
 I could have posted this on the alpha list but I thought I might get
 a better answer here since that list has very little traffic.  
 OpenBSD/
 cats is no longer around and is OpenBSD/alpha on its way out as well?
 I am not intending to cause any rumors or anything but I do have the
 opportunity to pick up some alpha machines but I am not going to if
 the platform is on its way out. I had a couple of cats machines that
 are doing nothing and I don't want to have alphas in the same boat.
 Thanks for the info.
 
 While I am not a developer and not privy to Theo's thoughts, I did
 notice quite a bit of work on the alpha (some developer mentioned the
 switch to gcc 3).
 
 That is a good sign. Another reason to keep it around is that alpha  
 machines were commercially produced which the cats machines were just  
 evaluation boards. Big difference. I had a very hard time finding the  
 two cats boards I came up with. Alpha systems are much easier to come  
 by and are a much more powerful architecture.

Yes, I think that was one of the reasons to can the cats architecture:
it had pretty much done what it was intended to do, provide a
springboard for zaurus and lately landisk, and there just aren't many
machines around.

 On the other hand, there seems to be a 'the alpha bug' around. I don't
 think it's solved yet, and it's been around for a long time.  
 Apparently,
 it causes random crashes.
 
 I was not aware of this bug. That is unfortunate. Hopefully this  
 might be resolved at some point.

I do hope so; but I might be wrong there. I've never owned an Alpha, and
don't think it's very likely I'll acquire one in the nearish future, so
I haven't followed too closely.

Joachim

-- 
TFMotD: hunt (6) - a multi-player multi-terminal game



Re: Mail Server (seeking recommendations)

2007-04-15 Thread 666a
Here is my recommendation.  You only have to install and maintain 
patches on one piece of software other than OpenBSD.  The software 
is OpenVPN with OpenBSD's sendmail and popa3d.

Why popa3d? User can use any mail client he chooses and you don't 
have to worry about your email server running out of space.



Re: Mail Server (seeking recommendations)

2007-04-15 Thread Stuart Henderson
On 2007/04/15 14:06, Bryan Vyhmeister wrote:
 This is exactly why I have hesitated to move to a system based on  
 postfix and dovecot for my main ISP mail server.

This pair are pretty easy. Postfix (also more recent Exim versions) can
look at Dovecot for smtp-auth; Dovecot's auth setup is quite simple and
flexible.

 My staff needs to be able to add accounts easily and unfortunately,
 the command line is not that easy for them.  

BSD auth, ldap, sql, text files - take your pick... There's also
dovecot-sieve if you need server-side filtering.

One thing to note if you use milters, Postfix milter support is not
based on libmilter; building milter apps on a box with Sendmail 8.14
installed will result in breakage when run against Postfix until
Postfix milter support is updated unless you take extra care.



Re: OpenBSD/alpha Status

2007-04-15 Thread Siegbert Marschall
Hi,

 On the other hand, there seems to be a 'the alpha bug' around. I don't
 think it's solved yet, and it's been around for a long time.
 Apparently,
 it causes random crashes.

only on some machines.


 I was not aware of this bug. That is unfortunate. Hopefully this
 might be resolved at some point.

 I do hope so; but I might be wrong there. I've never owned an Alpha, and
 don't think it's very likely I'll acquire one in the nearish future, so
 I haven't followed too closely.

Should be still there, didn't follow it too closely but didn't get any
info about it being resolved. If somebody would've found it there'd likely
been a post to the alpha list since this mystery is around for years.

Have two machines down in the basement which have it and one which doesn't,
travels with swapping the CPU-Boards as far as I could test it. But being
honest I didn't turn them on in months and couldn't go into detail since
too much other work had to be done.

Just shooting in the blue it seemed to be something with MP and LLC, maybe
putting CPUs with not working SMP Elements into SP machines and sometimes
it wrecks the cache. Found only one guy though which had some knowledge
about the Hardware there and he gave up on it after he got a faster CPU
module which didn't show the LLC errors anymore. since SMP is slowly
moving ahead, maybe something shows up... ;)

-sm



Re: OpenBSD/alpha Status

2007-04-15 Thread Bryan Vyhmeister

On Apr 15, 2007, at 3:08 PM, Siegbert Marschall wrote:


Hi,

On the other hand, there seems to be a 'the alpha bug' around. I don't
think it's solved yet, and it's been around for a long time.
Apparently,
it causes random crashes.


only on some machines.


Any idea if it surfaces on dual processor CS20 machines? I have the  
opportunity to pick up three dual 833 Mhz CS20 machines.


Bryan



Re: OpenBSD/alpha Status

2007-04-15 Thread Bryan Vyhmeister

On Apr 15, 2007, at 2:50 PM, Joachim Schipper wrote:


On Sun, Apr 15, 2007 at 02:30:02PM -0700, Bryan Vyhmeister wrote:

That is a good sign. Another reason to keep it around is that alpha
machines were commercially produced which the cats machines were just
evaluation boards. Big difference. I had a very hard time finding the
two cats boards I came up with. Alpha systems are much easier to come
by and are a much more powerful architecture.


Yes, I think that was one of the reasons to can the cats architecture:
it had pretty much done what it was intended to do, provide a
springboard for zaurus and lately landisk, and there just aren't many
machines around.


I think you meant armish rather than landisk but the point is well  
taken. The cats boards were difficult to deal with.


On the other hand, there seems to be a 'the alpha bug' around. I don't
think it's solved yet, and it's been around for a long time.
Apparently,
it causes random crashes.


I was not aware of this bug. That is unfortunate. Hopefully this
might be resolved at some point.


I do hope so; but I might be wrong there. I've never owned an Alpha, and
don't think it's very likely I'll acquire one in the nearish future, so
I haven't followed too closely.


I have two alpha machines right now and I haven't touched either one  
in a while. One is a PC164LX machine as I recall and I have no idea  
if it would work or not. I should try it. The other is an AlphaServer  
4100 which I picked up and never pulled out of the crate. After I  
bought it, I realized that the power consumption was going to be  
ridiculous and so I have never used it. I think it might even be 230v  
which made it even harder to deal with. I am not going to give that  
crazy thing its own circuit with the ridiculous California power rates.


Bryan



Re: OpenBSD/alpha Status

2007-04-15 Thread Henning Brauer
* Bryan Vyhmeister [EMAIL PROTECTED] [2007-04-16 00:32]:
 On Apr 15, 2007, at 3:08 PM, Siegbert Marschall wrote:
 
 Hi,
 
 On the other hand, there seems to be a 'the alpha bug' around. I  
 don't
 think it's solved yet, and it's been around for a long time.
 Apparently,
 it causes random crashes.
 
 only on some machines.
 
 Any idea if it surfaces on dual processor CS20 machines? I have the  
 opportunity to pick up three dual 833 Mhz CS20 machines.

all alphas, but it seems to happen more often on miatas than on cs20s. 
my cs20 is pretty stable. the cs20 is probably the nicest alpha we 
support.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: host to host ipsec link

2007-04-15 Thread Mathieu Sauve-Frankel
On Sun, Apr 15, 2007 at 08:32:00PM +0200, Markus Wernig wrote:
 Hello!
 
 Renaud Allard wrote:
  Markus Wernig wrote:
  Renaud Allard wrote:
 
  Did you verify that isakmpd is running?
  Yes. It runs as follows:
 
  11967 ??  Is  0:00.05 isakmpd: monitor [priv] (isakmpd)
  18753 ??  I   0:01.40 isakmpd -S -K -f /var/run/isakmpd.fifo
 
 
  -S is used for redundant setups. Did you try without that flag?
 
 In fact, this resolves the problem! Thanks a lot.
 
 Yet, it brings me to the next problem that I didn't set the -S flag, but
 /etc/rc does so automatically because of sasyncd, which will be used on
 those boxes in a further step. (The far goal being two firewall clusters
 encrypting traffic between the networks behind them, and encrypting
 traffic between the two members respectively.)

Currently the order in which isakmpd, ipsecctl and sasyncd need to be
invoked in order for everything to work is pretty rigid. 

# isakmpd -KS   
# ipsecctl -f /etc/ipsec.conf
# sasyncd 

First start isakmpd with -KS, this brings up isakmpd in passive mode, 
isakmpd won't initiate any IKE traffic until an sasyncd process sets
isakmpd to active mode through the fifo, you can do this by hand by
issuing M active into the fifo with echo. Don't forget to load your rules 
before you issue this command. 

If you are not going to use sasyncd, don't use -S.

-- 
Mathieu Sauve-Frankel



Re: Sending mail from rc.local

2007-04-15 Thread Mathieu Sauve-Frankel
 if [ -x /root/reboot_notification ]; then

You probably want to use -f here, not -x. man test.

-- 
Mathieu Sauve-Frankel



Re: Mail Server (seeking recommendations)

2007-04-15 Thread John .

On 14/04/07, Steven Presser [EMAIL PROTECTED] wrote:

Hello,
I'm working for a small company which has settled on OpenBSD as its
server software (because the security is excellent).  We have settled on
what software to use for everything but the mail server.  I'd like to
request recommendations from the knowledgeable people of this
list.  The priorities for the mail server are:
1. Security
2. Usability (for the end user - not everyone is technically skilled,
although the setup can be done for anyone who needs help)
3. Ease of setup
4. Scaleability
Obviously the first is by far the most important.  The other three
are more perks than anything else.

Thank you,
Steve




I use exim (mail server) qpopper (pop3) and openwebmail (web-only
users) and spamassassin and the spamd in pf. Adding mail routing for
domains and particular users is a breeze in exim. Documentation is
*extensive*.

If it's good enough for ISPs then it's good enough for me.
--
John



Re: OpenBSD/alpha Status

2007-04-15 Thread Chris Cappuccio
Don't lament,

1. There is a potential fix for the alpha bug coming up
2. The cats boards are junk, you didn't want them anyways,

As reported by miod@

Make it clear that it was the hardware which turned out to be unreliable,
not the software (and after having a cats board catch fire here, I dare you
to prove me wrong... how can a I-need-no-watts-really board catch fire?)

Bryan Vyhmeister [EMAIL PROTECTED] wrote:
 I could have posted this on the alpha list but I thought I might get  
 a better answer here since that list has very little traffic. OpenBSD/ 
 cats is no longer around and is OpenBSD/alpha on its way out as well?  
 I am not intending to cause any rumors or anything but I do have the  
 opportunity to pick up some alpha machines but I am not going to if  
 the platform is on its way out. I had a couple of cats machines that  
 are doing nothing and I don't want to have alphas in the same boat.  
 Thanks for the info.
 
 Bryan

-- 
It's beneficial to your health to try and believe a few impossible things
before breakfast. -- Lewis Carroll



Re: verifying ntp via GPS configuration?

2007-04-15 Thread Chris Cappuccio
James Hartley [EMAIL PROTECTED] wrote:
 
 Do you have any other ideas?  Thanks.

Some receivers I've tried work at 9600 instead of 4800...



Re: Mail Server (seeking recommendations)

2007-04-15 Thread Shane Harbour
I'm running Postfix/Dovecot with PostgreSQL (for authorization and mail 
routing) all from the ports.  I've got it setup so that in the near 
future I can do virtual hosting of my wife's domains.  It's pretty 
simple to setup and there are examples at postfix.org and dovecot.org.  
It would be easy enough to write a script (pick your language) or setup 
a GUI application/web page to administer user accounts.


Shane

Stuart Henderson wrote:

On 2007/04/15 14:06, Bryan Vyhmeister wrote:
  
This is exactly why I have hesitated to move to a system based on  
postfix and dovecot for my main ISP mail server.



This pair are pretty easy. Postfix (also more recent Exim versions) can
look at Dovecot for smtp-auth; Dovecot's auth setup is quite simple and
flexible.

  

My staff needs to be able to add accounts easily and unfortunately,
the command line is not that easy for them.  



BSD auth, ldap, sql, text files - take your pick... There's also
dovecot-sieve if you need server-side filtering.

One thing to note if you use milters, Postfix milter support is not
based on libmilter; building milter apps on a box with Sendmail 8.14
installed will result in breakage when run against Postfix until
Postfix milter support is updated unless you take extra care.




Re: Sending mail from rc.local

2007-04-15 Thread Ivo van der Sangen
On Mon, Apr 16, 2007 at 01:40:01AM +0300, Keith Richardson wrote:
 The fact that touch is not working suggests rc.local is not even being
 called

I tested it again. Touch looks to be working now, although I noticed
that I had to fork mysqld_safe. Apparently the script stopped when I
didn't.

I have verified that /etc/rc.local is being called, since outcommenting
the lines starting the daemons I usually run made sure they didn't.

 what is the output during boot time?

I have no display connected. I operate the server through OpenSSH.

Also I have placed an else statement for the executable bit test. The
test succeeds so the script should be called from rc.local.

Ivo van der Sangen
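
A hardened form of the reboot notifier from this thread, as an added example that is not the poster's script. It quotes the subject and body, filters the recipient file, and is meant to be started in the background or from the `@reboot` crontab(5) entry mentioned earlier; the MAILER and RECIPIENTS variables and both function names are assumptions.

```shell
#!/bin/sh
# Added example: reboot notifier for /etc/rc.local or a crontab(5) "@reboot" entry.
# MAILER, RECIPIENTS and both function names are assumptions for illustration.

MAILER=${MAILER:-/usr/bin/mail}                       # absolute path, as in the thread
RECIPIENTS=${RECIPIENTS:-/root/reboot_notification_users}

# Print one usable recipient per line. Blank lines and comments are skipped,
# and so is anything mail(1) could read as an option or that contains shell
# metacharacters, because this runs as root at boot.
list_recipients() {
    [ -r "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*)               continue ;;
            -*)                    continue ;;
            *[!A-Za-z0-9._@+-]*)   continue ;;
        esac
        printf '%s\n' "$line"
    done < "$1"
}

# Send one message per recipient; subject and body are passed as single,
# quoted arguments so the word "reboot" is never taken for an address.
notify_reboot() {
    host=$(uname -n)
    stamp=$(date)
    list_recipients "$RECIPIENTS" | while IFS= read -r user; do
        printf '%s has rebooted at %s\n' "$host" "$stamp" |
            "$MAILER" -s "$host reboot" "$user"
    done
}

# rc.local runs top to bottom, so a command that stays in the foreground
# holds up every line after it. Start the notifier in the background:
#     /root/reboot_notification run &
# or from root's crontab:
#     @reboot /root/reboot_notification run
if [ "${1:-}" = run ]; then
    notify_reboot
fi
```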



Re: CARP access outside a subnet

2007-04-15 Thread david l goodrich
I'm sorry to bring this up again, since it didn't get any responses the
first time.

But I haven't had any luck on my own, and was hoping someone might have an
idea.


On 4/9/07, david l goodrich [EMAIL PROTECTED] wrote:

 I have two hosts in a CARP group.

 on router-meus-cd1, i have the following network configuration:

 router-meus-cd1# ifconfig xennet1
 xennet1: flags=8963<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
 capabilities=2800<TCP4CSUM_Tx,UDP4CSUM_Tx>
 enabled=0
 address: 00:16:3e:71:ef:6f
 inet 10.10.10.2 netmask 0xff00 broadcast 10.10.10.255
 inet6 fe80::216:3eff:fe71:ef6f%xennet1 prefixlen 64 scopeid 0x4
 router-meus-cd1# ifconfig carp216
 carp216: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 carp: MASTER carpdev xennet1 vhid 216 advbase 1 advskew 0
 address: 00:00:5e:00:01:d8
 inet 216.51.247.30 netmask 0xfff8 broadcast 216.51.247.31
 router-meus-cd1#

 on router-meus-cn1, i have a similar configuration:

 router-meus-cn1# ifconfig xennet1
 xennet1: flags=8963<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
 capabilities=2800<TCP4CSUM_Tx,UDP4CSUM_Tx>
 enabled=0
 address: 00:16:3e:04:d3:e0
 inet 10.10.10.1 netmask 0xff00 broadcast 10.10.10.255
 inet6 fe80::216:3eff:fe04:d3e0%xennet1 prefixlen 64 scopeid 0x4
 router-meus-cn1# ifconfig carp216
 carp216: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 carp: BACKUP carpdev xennet1 vhid 216 advbase 1 advskew 0216.51.247.30

 address: 00:00:5e:00:01:d8
 inet 216.51.247.30 netmask 0xfff8 broadcast 216.51.247.31
 router-meus-cn1#


 The default route, nameservers, etc are all set correctly.

 CARP works great on the 216.51.247.24/29 subnet, from any machine on that
 subnet I can ping 216.51.247.30.

 When I get outside the subnet, I can't ping the address or ssh to it.

 Does anyone have some insight into why this is happening?

 Thanks
   --david



Re: Mail Server (seeking recommendations)

2007-04-15 Thread Joel Wiramu Pauling
On 16/04/07, Shane Harbour [EMAIL PROTECTED] wrote:

 I'm running Postfix/Dovecot with PostgreSQL (for authorization and mail
 routing) all from the ports.  I've got it setup so that in the near
 future I can do virtual hosting of my wife's domains.  It's pretty
 simple to setup and there are examples at postfix.org and dovecot.org.
 It would be easy enough to write a script (pick your language) or setup
 a GUI application/web page to administer user accounts.



My personal preference is exim4 and courier-imapd. I have come to love exim
as an MTA because of its flexibility, and getting it working with the anti
malware toolchain is simple. Everything said above is true for courier as
for dovecot... my main gripe with dovecot is the poor developer support and
documentation. Courier is by no means brilliant but I find it is easier to
use than dovecot.

my $0.02c



Re: using spamd to block outbound spam

2007-04-15 Thread Lars Hansson

Paolo Supino wrote:
  I appreciate your straight and forward replies :-) but the world isn't 
black and white and sometime you have to create work arounds to overcome 
other people's crap (well most of the time).


No, in this case it is black and white. There is NO WAY to reliably fix 
this problem other than fixing the broken app or implementing the 
measures Bob Beck suggested.


---
Lars Hansson



Re: OpenBSD/alpha Status

2007-04-15 Thread Bryan Vyhmeister

On Apr 15, 2007, at 3:48 PM, Henning Brauer wrote:


all alphas, but it seems to happen more often on miatas than on cs20s.
my cs20 is pretty stable. the cs20 is probably the nicest alpha we
support.


The CS20 does seem to be a pretty nice machine. I noticed that there  
is one obvious CS20 in the newrack.jpg picture. Is power consumption  
pretty high on these?


Bryan