Server migration
We have finally migrated to our new server! This hardware replacement was long overdue. The old one (a dual Intel PIII-700 with 1Gb of memory) started to show some hardware and performance problems. Everything should be fast and smooth again.
Because of this migration this weblog and my pet project TheMirror have been offline for about a day.
On the old server we used ispworks to manage virtual hosts, but the project hasn't had an update since December 2003. We now use ispconfig to manage Apache virtual hosts, FTP accounts, email accounts, MySQL databases, DNS, bandwidth limits, quotas, you name it. It features a nice self-service panel on which users can reset their password and configure some basic SpamAssassin settings. So far I'm very satisfied.
I would like to express my gratitude towards Thijs, Johannes and Jacob for preparing and doing the actual migration. Unfortunately I didn’t have much spare time to help out. Thanks guys!
I would also like to thank our end users for the generous donations which made it possible to actually buy the new hardware.
Stop spam attacks with Postfix in a high-volume environment
Lately I've been doing some tweaking of the incoming mail servers at a customer site. They have about 500,000 active mailboxes and have been flooded with spambots over the last few weeks. It probably has something to do with the Storm worm. Such an attack puts a heavy strain on the infrastructure, and some measures were needed to make sure the whole thing didn't fall apart.
On my own mail server I simply use postgrey to greylist unknown sources, but in such an environment any delay in mail delivery is unacceptable. Besides, I doubt postgrey scales well to such a high-volume environment.
These are the measures I took to slow down spambots and make sure the mail servers can still accept mail from legitimate senders, even when under a spam attack.
Use rate limiting on your inbound connections.
Allow only 10 connections per minute from the same client (the connecting IP), with a maximum of 10 open connections.
This slows down spammers that are not blacklisted in any of the RBLs you configured and are running a dictionary attack, guessing valid email addresses in order to spam them.
You will have to enable the anvil service in your master.cf and add the following settings to your main.cf:
anvil_rate_time_unit = 60s
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 10
There might be some parties you receive a lot of mail from and don't want to throttle. For example, this particular customer uses the nlwhitelist to make sure Dutch ISPs are never throttled:
smtpd_client_event_limit_exceptions = hash:/etc/postfix/whitelist, $mynetworks
Increase available resources
Disconnect inactive SMTP sessions after 30 seconds (instead of the default of 300 seconds). Some spambots open a lot of connections and just sit there, using up your resources. Legitimate connections are then refused once the maximum number of connections is reached.
(You can also consider increasing the maximum number of connections Postfix will accept.)
smtpd_timeout = 30s
This should result in better availability of your SMTP service and stop at least some spambots before they even reach your RBL checks or your spam filter.
You'll soon notice this kind of line in your Postfix log files:
Sep 5 13:14:45 **** postfix/smtpd[27510]: [ID 947731 mail.warning] warning: Connection rate limit exceeded: 217 from *.sdsl.bell.ca[69.159.*.*] for service smtp
217 blocked connections in one minute from just one IP. Not bad!
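To see which clients are actually tripping the anvil limits on a busy server, it helps to aggregate these warnings instead of eyeballing the log. The script below is an added example, not code from the original post: it parses the "Connection rate limit exceeded" warning format quoted above and totals the reported connections per client, which is also a quick way to spot a legitimate relay that might belong in smtpd_client_event_limit_exceptions. The log lines other than the quoted one are constructed for the example (example.net/example.org and the 192.0.2.x / 198.51.100.x addresses are documentation placeholders).

```python
"""Summarise Postfix anvil rate-limit warnings per client.

Added example, not code from the original post. It parses the
"Connection rate limit exceeded" warning that smtpd logs once
smtpd_client_connection_rate_limit is hit, and totals the reported
connections per client so you can see which sources are hammering the
server (and spot a legitimate relay that may belong in
smtpd_client_event_limit_exceptions instead).
"""
import re
from collections import defaultdict

# Matches the warning format quoted in the post:
#   warning: Connection rate limit exceeded: 217 from host[addr] for service smtp
RATE_LIMIT_RE = re.compile(
    r"warning: Connection rate limit exceeded: (?P<count>\d+) "
    r"from (?P<host>\S+)\[(?P<addr>[^\]]+)\] for service (?P<service>\S+)"
)

# Constructed sample log for this example. The first line is the one
# quoted in the post; the rest are made up (example.net/example.org and
# the 192.0.2.x / 198.51.100.x addresses are documentation placeholders).
SAMPLE_LOG = """\
Sep 5 13:14:45 **** postfix/smtpd[27510]: [ID 947731 mail.warning] warning: Connection rate limit exceeded: 217 from *.sdsl.bell.ca[69.159.*.*] for service smtp
Sep 5 13:15:45 **** postfix/smtpd[27510]: [ID 947731 mail.warning] warning: Connection rate limit exceeded: 180 from *.sdsl.bell.ca[69.159.*.*] for service smtp
Sep 5 13:15:46 **** postfix/smtpd[27511]: [ID 947731 mail.warning] warning: Connection rate limit exceeded: 12 from bot.example.net[192.0.2.10] for service smtp
Sep 5 13:16:01 **** postfix/smtpd[27513]: connect from mail.example.org[198.51.100.5]
"""


def parse_rate_limit_warnings(log_text):
    """Yield (host, addr, count) for every rate-limit warning in the log."""
    for line in log_text.splitlines():
        m = RATE_LIMIT_RE.search(line)
        if m:
            yield m.group("host"), m.group("addr"), int(m.group("count"))


def summarise(log_text, threshold=50):
    """Per client, count warnings and sum the reported connections.

    Returns {"host[addr]": {"warnings": n, "connections": total}} for
    clients whose connection total reaches `threshold`; smaller offenders
    are dropped so the report stays readable on a busy server.
    """
    totals = defaultdict(lambda: {"warnings": 0, "connections": 0})
    for host, addr, count in parse_rate_limit_warnings(log_text):
        client = f"{host}[{addr}]"
        totals[client]["warnings"] += 1
        totals[client]["connections"] += count
    return {c: t for c, t in totals.items() if t["connections"] >= threshold}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for client, t in sorted(report.items(), key=lambda kv: -kv[1]["connections"]):
        print(f"{t['connections']:6d} connections in {t['warnings']} warning(s) from {client}")
```

Lower the threshold to see every client that hit the limit; the default of 50 keeps the one-off hits out of the report. Because the warning carries the client hostname and address exactly as anvil saw them, the keys line up with what you would put in the exception hash table.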
Fixing a degraded Linux software RAID-1 mirror
A quick HOWTO on fixing a degraded Linux software RAID-1 mirror, mostly a reminder for myself in case I run into this problem again.
First replace the faulty disk with a new drive of at least the same size.
Copy the MBR of the active disk (sda) to the new disk (sdb):
# dd if=/dev/sda of=/dev/sdb bs=512 count=1
Copy the partition table of the active disk to the new disk:
# sfdisk -d /dev/sda | sed s/sda/sdb/g > /tmp/ptable
# sfdisk /dev/sdb < /tmp/ptable
Inform MD about the new partitions:
# for MD in /dev/md?
> do
> NEWPART=$(mdadm --detail $MD | awk '/active sync/{ print $7}' | sed s/sda/sdb/)
> mdadm -a $MD $NEWPART
> done
(Disclaimer: Do not just blindly copy and paste these lines. Your setup might be different and you could break stuff if you don’t use mdadm wisely.)
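As an added example that is not part of the original post, here is a dry-run version of the loop above with the checks the disclaimer hints at: it skips arrays that are not degraded, refuses to guess when more than one member survives, derives the partition number instead of doing a blind sda-to-sdb text substitution, and only prints the mdadm commands instead of running them. The mdadm --detail output it parses is constructed for the example and trimmed to the fields used; in real use you would fill the dictionary from the command's output.

```python
"""Dry-run planner for re-adding a replaced disk to degraded md arrays.

Added example, not code from the original post. It does what the post's
shell loop does (find the surviving member of each array and derive the
matching partition on the new disk) but adds the checks the post's
disclaimer hints at: it skips arrays that are not degraded, refuses to
guess when more than one member survives, derives the partition number
instead of doing a blind sda->sdb text substitution, and only prints the
mdadm commands rather than running them.
"""
import re

# Constructed `mdadm --detail` output for two arrays, trimmed to the
# fields used here. md0 has lost its second member; md1 is healthy.
SAMPLE_DETAIL = {
    "/dev/md0": """\
/dev/md0:
     Raid Level : raid1
   Raid Devices : 2
  Total Devices : 1
          State : clean, degraded
 Active Devices : 1

    Number   Major   Minor   RaidDevice State
       0       8        1        0      active sync   /dev/sda1
       1       0        0        1      removed
""",
    "/dev/md1": """\
/dev/md1:
     Raid Level : raid1
   Raid Devices : 2
  Total Devices : 2
          State : clean
 Active Devices : 2

    Number   Major   Minor   RaidDevice State
       0       8        2        0      active sync   /dev/sda2
       1       8       18        1      active sync   /dev/sdb2
""",
}

# Same field the post's awk picks out: the device path after "active sync".
MEMBER_RE = re.compile(r"active sync\s+(?P<dev>/dev/\S+)$", re.MULTILINE)
STATE_RE = re.compile(r"^\s*State\s*:\s*(?P<state>.+)$", re.MULTILINE)


def active_members(detail):
    """Return the member devices listed as 'active sync' in an mdadm --detail dump."""
    return [m.group("dev") for m in MEMBER_RE.finditer(detail)]


def is_degraded(detail):
    """True when the array's State line says 'degraded'."""
    m = STATE_RE.search(detail)
    return bool(m) and "degraded" in m.group("state")


def plan_readd(details, old_disk="sda", new_disk="sdb"):
    """Return [(array, new_partition)] for every degraded array.

    `details` maps array device -> its `mdadm --detail` text. Raises
    ValueError instead of guessing when an array does not look like the
    single-disk-lost case the post describes.
    """
    part_re = re.compile(rf"^/dev/{re.escape(old_disk)}(?P<n>\d+)$")
    plan = []
    for array, detail in details.items():
        if not is_degraded(detail):
            continue  # healthy array: leave it alone
        members = active_members(detail)
        if len(members) != 1:
            raise ValueError(f"{array}: expected one surviving member, found {members}")
        m = part_re.match(members[0])
        if not m:
            raise ValueError(f"{array}: survivor {members[0]} is not a partition of /dev/{old_disk}")
        plan.append((array, f"/dev/{new_disk}{m.group('n')}"))
    return plan


def mdadm_commands(plan):
    """Render the plan as the commands you would then run by hand."""
    return [f"mdadm -a {array} {part}" for array, part in plan]


if __name__ == "__main__":
    for cmd in mdadm_commands(plan_readd(SAMPLE_DETAIL)):
        print(cmd)
```

Run it before touching the arrays and compare the printed commands with what you expect; the point of the ValueError paths is that a setup which differs from the simple two-disk mirror (a spare, a survivor on a different disk) stops the script instead of producing a wrong mdadm -a.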
I noticed this particular system wasn't able to boot from the second disk. It seems the GRUB bootloader isn't very RAID-aware and didn't install the bootloader onto the second disk. So I installed good ol' LILO instead, which seems to handle such a setup better. I added the following lines to /etc/lilo.conf:
boot=/dev/md0
root=/dev/md1
raid-extra-boot=/dev/sda,/dev/sdb
If you run the lilo command it writes the bootloader to both disks, so you should be able to boot from either, even if one disk fails.
Drivel
Because the WordPress web interface is a bit too slow for me, I'm giving Drivel a test drive. It allows me to post to my weblog straight from my GNOME desktop.
In the past I've used gnome-blog, but I had some issues with it (which I can't remember). So far Drivel seems more mature.
A free Exchange alternative?
Slowly but steadily all the missing pieces are emerging in the free software world. A project really worth mentioning is OpenChange. They're working on a free implementation (libmapi) of MAPI, the protocol used by Outlook to communicate with Exchange servers. An Evolution plugin is already in the works (of which a technology preview will soon be released), as well as a couple of client tools to convert Exchange mail/contacts/calendars to mbox/vCard/iCal format. Their roadmap also mentions the development of an OpenChange server. Who knows, this might replace Outlook+Exchange one day!
(I know Evolution already has an Exchange connector, but it is basically a hack around the Exchange web interface rather than a real MAPI implementation.)
New job!
Woo... It's been over 3 months since my last post, so I guess it's time for a little update.
A couple of weeks ago I signed a contract at Competa, where I'll be doing UNIX, Linux and open source related projects in a system engineer's role for various customers. I'm very excited and can't wait to get started (2nd of April)! My main motivation for the job switch is that I need a new challenge. Simply said, when I do the same job for too long I get bored.
For the last 3.5 years I've worked for DTO. I've learned a lot there, for which I'm very grateful, but now it's time for me to move on.
On another note: I will be attending FOSDEM in Brussels next Friday and Saturday. Like to meet? Contact me!
Featured application: GnuCash 2
GnuCash is the de facto accounting software for Linux desktops. A couple of months ago a GTK2 version of the application was announced. Yesterday I decided to give it a test drive.

My first challenge was to import transactions from my bank (Rabobank). Unfortunately they don't provide exports in QIF or OFX format, so it's not possible to import transactions into GnuCash directly. Fortunately I found a converter tool: MGC. I was pleased to see that they offer a Linux version, but it works horribly. I decided to go the Wine route and use the Windows version instead.
A really nice feature of GnuCash 2 is its ability to do Bayesian matching between transactions, which means you only have to select the account for one transaction and it automatically sets the right account for other, similar transactions as well. That saved me a lot of time when importing a couple of hundred transactions going back to June 2005. On a side note: the Bayesian matching only works on OFX files, not on QIF. A developer of the project told me the QIF importer still uses the old importer code, so OFX is currently the preferred format.
A nice Squirrelmail alternative: RoundCube
I've been running a mail server for about 8 years now, and up until now there was really only one worthy open source webmail client available: Squirrelmail. Although it's fast and stable, it's showing its age.
I was very pleased to hear about a new AJAX-y, web 2.0, *insert more buzzwords here* enabled webmail client called RoundCube (thanks qball!). It requires PHP and a database (currently MySQL, PostgreSQL and SQLite are supported) for user preferences. The project is still in its infancy, but it looks very promising.
Woohoo! I have an iPod now, too!
I visited the LinuxWorld conference 2 weeks ago and stopped by the Sun/StorEdge stand (among others). I talked to one of the account managers for a while, was quite impressed by the Sun X4500 storage server (24TB of storage in a 5U rack server!), and finally signed up for a contest.
And guess what: on Wednesday an account manager from Sun called me and told me I had won a 4GB iPod nano! He came to my office on Friday to deliver it. I'm really amazed by the slim size and weight of the thing. It's really a nice piece of technology (I had never seen such a device up close). Unfortunately I quickly became aware that applications like Rhythmbox don't have iPod write support. Well, you can enable it at compile time, but it's still experimental. I don't like the fact that you can't just drop MP3s on the thing and have it pick them up. And of course iPods don't play Ogg either, which is the format most of my collection is encoded in.
So I decided to put Rockbox on it, which is open source firmware for a lot of popular portable music players, including the iPod. And I love it! It's very customizable, too. Now I can just upload music anywhere on the device and Rockbox automatically picks it up, indexes the ID3 tags and plays it (gapless playback!). It works very well in combination with Rhythmbox, too.
I, for one, am a happy rockpod user.
Mediacenter
Because I wanted to watch movies from my couch without burning DVDs all the time, I decided to put together a simple media center a couple of weeks ago. I had an old P2-400 lying around, put in a network card that supports PXE boot (3c509c), an old Nvidia card with TV out and a SoundBlaster Live with digital out, and removed the noisy parts (hard disk, CD player). I installed GeeXbox on my server and set up my DHCP server to boot GeeXbox on the media center over PXE. The PC is connected to my TV with a SCART to S-Video cable. The SoundBlaster's digital output is connected to my home cinema set, so AC3 surround sound works too.
I didn't expect much from GeeXbox, but I have to say I was quite impressed! I set it up in no time and it boots in about 10 seconds. It pulls files from my server over NFS, but you can also use Windows file shares or UPnP NAS devices. Basically it's just MPlayer on the framebuffer, with a highly customizable menu. It plays music from SHOUTcast and just about any media file you throw at it. Even though it isn't a very fast CPU, it can handle most DivX and Xvid files. I haven't tried DVDs, but I guess that's too much for this old box to handle.
Of course with this setup I can't record TV shows and such, but I don't really need that anyway. Maybe one day I'll put one of those DVB-C digital decoder cards in my server, but because the technology is still quite expensive I'm going to wait a while for it to become a bit cheaper. I'm not going to invest in an analog TV card setup anymore.