My website has for a while used CloudFlare as its front end. It’s a rather nice setup and means my real server gets less of a hammering, which is a good thing. A few months ago they enabled a feature called Universal SSL, which I have also added to my site. Around the same time my SSL check scripts started failing for the website: apparently the certificate had expired many, many days ago. Something wasn’t right.
I found an interesting side-effect of the Juniper firewalls when you introduce IPv6. In hindsight it appears perfectly reasonable but if you are not aware of it in the first place you may have a much more permissive firewall than you thought. My setup is such that my internet address changes every time I connect to an ISP. I have services “behind” the Juniper that I want to expose onto the Internet, in this case a mailserver.
After reading François’ article about running your own XMPP server, I thought I’d give it a go myself. A comment from Steven suggested that prosody would be a better and simpler alternative so I went with that.
It is actually really simple, with about 5 lines to add to the config as well as firewall changes. The only trick is that if you have a chained SSL certificate like mine you need to cat the server certificate and the CA certificate together into one file, otherwise you get SSL errors.
So I’m up and going with an XMPP contact that is the same as my email address: csmall at the domain enc.com.au.
It just doesn’t have anyone as contacts yet; I’ll be adding the DNS records for it shortly.
Has anyone got a way for postfix to use a transport map such that it sends email to the given MX host for some specified domains then default to a smarthost for the remainder?
The logic would be:
IF domain IN (‘example.net’, ‘foo.bar’, etc.) THEN deliver to that domain’s own MX host ELSE send to smarthost.isp.net
I can use a transport map to send mail for specific domains to specific hosts, e.g. @domain.com goes to the otherisp.net mailserver, but not to just use domain.com’s own MX hosts.
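One way to express that rule in Postfix’s transport(5) table, as an added example that is not from the post (the host and domain names are the placeholders used above; the `.domain` lines are assumed to be wanted for subdomains):

```text
# /etc/postfix/main.cf
# Default for everything: hand mail to the ISP smarthost. The [] skip the MX lookup
# for the smarthost itself and connect to that host name directly.
relayhost = [smarthost.isp.net]
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport   (rebuild with: postmap /etc/postfix/transport; postfix reload)
# "smtp:" with an empty nexthop means: use the smtp transport and reset the nexthop to
# the recipient domain, so for these domains Postfix looks up their MX records instead
# of using relayhost. Domains not listed here fall through to relayhost as before.
example.net     smtp:
.example.net    smtp:
foo.bar         smtp:
.foo.bar        smtp:
```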
A day or two ago I tried sending an email to a friend who happens to use the Road Runner ISP for his mail service. Now this ISP doesn’t like dynamic IP addresses (using the increasingly inaccurately named Dial Up List) so I have to punt the email through my ISP’s mailserver first. Now that server is telling me this:
The reason for the problem: 4.3.2 – Not accepting messages at this time 554-‘5.7.1 – ERROR: Mail refused – <220.127.116.11> – See http://sendersupport.senderscore.net’
So their ISP mailserver is refusing connections from my ISP’s mailserver for some reason, probably on some spam list. There’s a URL to look up the problem, so going there gives you three things:
- A redirection to https://sendersupport.senderscore.net/
- A badly configured webserver that serves the above URL using a certificate for www.senderscore.net
- A page that says “It works”
Either Road Runner or Senderscore, preferably both, need to get a clue. Oh and going to https://www.senderscore.net/ gives connection refused. A bit of digging around shows the correct URL is https://senderscore.org/
Now I just realized that my SSL certificate for https://enc.com.au/ expired on the weekend so I know these things can happen, but I’m one person (who was away for a while), why can’t companies get their act together?
I have been putting a lot of testing into JFFNMS lately. I have been very lucky to have had someone with the time and patience to try out various sub versions and give me access to their results.
The end result of all this testing is a much, much less buggy JFFNMS. There had been a stack of problems with caching results, for example, where the status would not be updated or, even worse, the status of one device affected another.
The poller parent scheduler had a problem too: it would almost always sit on the first child, starving the others of work, which slowed things down. The scheduler is now a lot fairer across the children, giving a speed-up; I’ve heard of speed-ups of 15x from this one change alone.
I also had a curious bug where, if a device was set to not gather state, it still did so and created events but not alerts. This meant your event table was spammed with down interface alerts even for interfaces you know are down and have turned state checking off for. 0.9.3 now does it the right way.
The first RC is now uploaded and can be found at https://sourceforge.net/projects/jffnms/files/jffnms%20RC/ to try out.
I’m a little worried that the pollers now run too fast and could overwhelm the usually crummy control stack found in network devices for parsing SNMP. I’m interested to hear how people find it.
JFFNMS version 0.9.2 was released today both as an upstream tar.gz file and a new Debian package. This version fixes some bugs including making sure it works with PHP5.4.
The biggest change in PHP 5.4 is that you can no longer pass by reference at call time. Previously you could call a function like myfunc(&$blah); which passed a reference to $blah rather than a copy of it. Now the function definition has to declare which parameters it takes by reference (function myfunc(&$blah)) rather than the caller deciding each time.
Painless they say, automatic they say. That is how the NetworkManager manual page describes the daemon. I’d like to say annoying and intrusive, and I know there are a lot of people out there who feel the same. The program is used to set up network connections and provides a system tray thingy for Gnome, and for simple set-ups it’s great.
Sure, I got NetworkManager running on my laptop and we’re all friends over there. It just works: it just works for my local network, wireless network, and even 3G and VPNs work just like they should. This is the environment it was designed for and it shows.
What about on the server where I log in using gdm? We’ve had nothing but a world of pain there. It used to be bad enough when it fiddled with /etc/resolv.conf, meaning DNS stopped working every time I logged out. Every “stop playing around with my settings and leave me alone” option fails to do just that. It got so bad I had to use chattr to make the file immutable; so if you are tearing your hair out, then chattr +i /etc/resolv.conf is your friend.
The latest version of NetworkManager takes this insanity to a new level. Not content with messing around with my resolver files, it now reconfigures my statically assigned IP address to a dynamic one AND removes it when I log out. No doubt if I let it, it would muck around with the resolver files too. Again, by default on a laptop this is fine. The problem is that the ‘would you leave me alone’ options fail to work, or mean stupid things happen, like Pidgin not thinking there is a network and so never logging in.
So I resorted to reading more about this intrusive program to see whether there was a way of stopping it doing what it was doing. The directory /etc/NetworkManager/system-connections looked promising, as these are connections available at boot time and across all users. But then there is the funky file format and, wow, nothing saying which keys you need, or which ones, if missing, make the whole thing fail.
What’s not obvious is that if you edit your network connections and then select ‘available to all users’, your settings go into that system-connections directory, and that for the moment appears to be working. It means I have my network settings configured in two places, which means all sorts of fun if I change them and forget about the other.
This isn’t an ideal situation: NetworkManager should start to behave properly, read the ifupdown configuration and use it, and not muck around with settings if it is told not to. There are options that imply they do this, but they don’t work. Despite the title, I don’t think peace has broken out between me and NetworkManager, but rather an uneasy truce; I’m sure that program is just sitting there thinking of what other settings it could play with when my back is turned.
We’re in that in-between place where there is plenty of IPv4 out there, but sometimes you either need or want to get to IPv6 addresses. With the IPv4 address allocations from ARIN now empty, there is going to be an increased need for NAT, either between the address families or within one of them. This is a quick overview of the different sorts of systems that do this address translation.
The best way to describe this is port forwarding across the address families. You can have an IPv4 port on your local device that, when you connect to it, forwards the connection via IPv6 to a remote device, perhaps on a different port. You can also do it the other way, so connecting to a local IPv6 port will connect to a remote IPv4 port. Of course “remote” could be another port on the same computer.
You could replace squid with any other sort of proxy server that can work as a reverse proxy and understands IPv6. The deployments I’ve heard of use this arrangement: IPv4-only webservers front-ended by one or more dual-stack IPv4/IPv6 squid (or other) reverse proxy servers. It is a really simple way of getting your webserver onto IPv6 if you cannot do it in the webserver itself. The usual advantages and disadvantages of using a reverse proxy apply here. The better long-term solution is to have the servers just run IPv6 natively, but this is a reasonable stop-gap.
That’s a brief overview of the various packages out there that can help with address translation, either to get your servers understanding IPv6 or to get a client to an IPv6 server. Ideally these are only temporary measures, but given how some programs are written (the latest I’ve seen has a weird hard-coded 4-byte-offset tree table with a 256-entry list inside – good luck fixing that!) they may be “temporary” for some time.
This program implements NAT64, which is a 1:1 address translation. It can work both ways, so IPv6 clients can connect to IPv4 servers and vice versa. You would normally use this for your own hosts rather than for connecting to the Internet, as you need to specify prefixes. It works like the old-style static NAT ranges in IPv4, where 18.104.22.168-100 would map to 22.214.171.124-100.
Now this package is a little back-to-front compared to the others, in that it takes an existing IPv4-only application and makes it able to connect, at least at the socket level, to an IPv6 server. It works by preloading a library which overrides the socket functions like socket() and connect() so that it can attempt to find IPv6 servers.
This is a small DNS proxy which can be used to translate IPv4 A records to IPv6 AAAA records. You often use it with translation technologies like Tayga.
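The address arithmetic behind the two tools just described (a prefix-based NAT64 translator and a DNS proxy that synthesizes AAAA records from A records), as an added example that is not from the post or from either project. The 64:ff9b::/96 well-known prefix, the static_range_map helper and all addresses are assumptions for illustration.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix, assumed here for illustration; a real deployment of the
# tools above would more likely carve its own /96 out of its IPv6 allocation.
WELL_KNOWN_PREFIX = "64:ff9b::/96"

def _prefix96(prefix):
    """The translator prefix must be a /96 so an IPv4 address fits exactly in the low 32 bits."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError(f"{net} is not a /96 prefix")
    return net

def v4_to_v6(v4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in the prefix: the address an IPv6-only client is told to use."""
    net = _prefix96(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(v4)))

def v6_to_v4(v6, prefix=WELL_KNOWN_PREFIX):
    """The translator's reverse step on packets from the IPv6 side; anything outside the prefix
    is not ours to translate and is rejected rather than silently mapped."""
    net = _prefix96(prefix)
    addr = ipaddress.IPv6Address(v6)
    if addr not in net:
        raise ValueError(f"{addr} is outside translator prefix {net}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)

def dns64_answer(aaaa_records, a_records, prefix=WELL_KNOWN_PREFIX):
    """The DNS proxy's rule: a name that already has real AAAA records gets those back untouched;
    only a name with none has AAAA records synthesized from its A records."""
    if aaaa_records:
        return [str(ipaddress.IPv6Address(r)) for r in aaaa_records]
    return [str(v4_to_v6(r, prefix)) for r in a_records]

def static_range_map(v4_first, v6_first, count):
    """The 'X.1-100 maps to Y.1-100' style of 1:1 static mapping from the post, as a lookup
    table: host i of the IPv4 range pairs with host i of the IPv6 range. Assumed helper for
    the concept, not Tayga's own configuration syntax."""
    v4, v6 = ipaddress.IPv4Address(v4_first), ipaddress.IPv6Address(v6_first)
    return {str(v4 + i): str(v6 + i) for i in range(count)}
```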
I found a strange problem recently. Using Gallery I could always upload new pictures, but someone else using Vista could not upload any pictures. It didn’t matter whether she used IE or Firefox: every single upload made Gallery come up with error #2038 (IO). I could say that anyone who uses Vista deserves everything they get, but that would be a little churlish (if true).
A few searches showed that this is basically Gallery saying “something bad happened with your upload”. No, really? You mean it’s not supposed to be a big red box and no uploaded file? It’s not the world’s most useful error message.
What got me onto the right path was a message on the Gallery forums, though it was the other way around there. Gallery uses a Flash uploader, and it is the same Flash plugin whether you use Firefox or IE. It seems it doesn’t like “strange” SSL certificates, such as chained certificates like that site uses (and my site too). No doubt there is some work-around or setting to fix it, but being Vista it’s probably buried in 20 menu items under some obscure reference.
Setting up the gallery under a non-ssl site fixed it. Perhaps more correctly it was a work-around.