Archive for category Linux

Server move

If you can see this post, the new server is now running properly! :)

The new server is running Lenny, and is actually running on identical hardware (but with more RAM). The move to Lenny was a clean install, and resulted in some minor pain:

While migrating user mail there were some changes in UID/GID – easily fixed with ‘chown’ – although I initially didn’t change the group ownership, meaning that the IMAP server wasn’t happy. A quick ‘chgrp’ fixed that one, but I really should have used ‘chown user.group’.

The previous server ran djbdns, mainly for the claimed ease of updating compared to BIND v8 (which I have used in a “production” system), so my first instinct was to do the same. This was not a good move – the official Lenny package meant that I couldn’t just transfer the files, and my attempt at migration was not successful. Quickest fix was to go to BIND v9 – which I actually prefer in some ways (the assumption that djbdns was easier to admin was wrong TBH).

SPF Finally implemented

Finally got round to implementing SPF (Sender Policy Framework for the uninitiated) on the mail server. This should hopefully cut down on the recent bursts of “backscatter” from spam. I am also planning on adding SPF records for the main Demon account, as that was badly hit with backscatter from MyDoom.A way back, and may well suffer again!

For information on SPF, check out this site.

Adding SPF checks to SpamAssassin was absolutely trivial – install the Mail::SPF::Query Perl module! In the case of this server it was just a quick apt-get away (gotta love Debian).

Just as a quick note: I have seen many sites claiming that SPF doesn’t work as it should to prevent spam. In response to those claims, I would suggest that people actually check what it does claim. It merely helps prevent “spoofing”, nothing else, and if used correctly, does work (in my case, spoofed messages have a raised SA score, and are more likely to go into the spam-bucket). End result is no lost mail, and as I know which hosts send mail for the domain, less backscatter (if others use SPF sanely!)

Exim alias lookups

After much pulling of hair, gnashing of teeth, searching on Google, etc…
I have finally got the /etc/aliases file under control :)
As some background, all mail historically went to the one mailbox, and was separated out by the client, and all was good with the world. Then I set up a proper mail server, with more than one mailbox, and everything got silly. Due to the huge range of local usernames we have used (mainly to track who is selling the data), the aliases file was getting beyond what I think of as reasonable.
It finally hit me that we were separating the mail using regexp, and the first 2 or 3 characters were enough to identify the intended destination. Armed with this (bloody obvious) insight, I started looking at getting exim to parse regexps in /etc/aliases. First port of call was to switch from lsearch to wildlsearch, which was great, until I noticed everything was falling through to the catchall mailbox! Rolled the changes back (that’s what notes are for, after all), and left it on a back-burner for a while.
Suddenly (at about 23:00!) I recalled seeing something about “real_local” (yes, I can be somewhat dense at times). Five minutes later, I have it working exactly as planned :)
Of course, that five minutes should have happened in the first place, but at least I got there!

For the record, the settings are:

/etc/exim4/conf.d/router/400_exim4-config_system_aliases:
    data = ${lookup{$local_part}lsearch{/etc/aliases}}
becomes
    data = ${lookup{$local_part}wildlsearch{/etc/aliases}}

/etc/aliases:
    ^user.*: real-user
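
A simplified model of how a wildlsearch lookup resolves a local part against /etc/aliases, added here as an illustration and not taken from the original post or from Exim's source. The alias entries and mailbox names are constructed; Python's re module stands in for Exim's PCRE, and string expansion of keys, quoted keys and continuation lines are left out.

```python
import re

# Constructed sample in /etc/aliases syntax (not the author's real file).
SAMPLE_ALIASES = """\
# literal key, matched exactly
postmaster: root
^shop.*: real-alice
^sh.*: real-bob
*-list: real-carol
"""

def parse_aliases(text):
    """Return (key, data) pairs in file order; continuation lines are not handled."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^\s:]+)\s*:?\s*(.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def key_matches(key, local_part):
    """Apply the three wildlsearch key forms, case-insensitively."""
    lp = local_part.lower()
    if key.startswith("^"):                      # regular expression key
        return re.search(key, local_part, re.IGNORECASE) is not None
    if key.startswith("*"):                      # "ends with" key
        return lp.endswith(key[1:].lower())
    return lp == key.lower()                     # literal key

def lookup(entries, local_part):
    """Linear search: the first matching key wins; None means no alias matched."""
    for key, data in entries:
        if key_matches(key, local_part):
            return data
    return None

def all_matches(entries, local_part):
    """Every key that would match, to expose entries shadowed by an earlier one."""
    return [key for key, _ in entries if key_matches(key, local_part)]

if __name__ == "__main__":
    entries = parse_aliases(SAMPLE_ALIASES)
    for lp in ["shop-acme", "shoes", "Announce-List", "postmaster", "nobody"]:
        print(lp, "->", lookup(entries, lp), all_matches(entries, lp))
```

Because the first match wins, a broad pattern placed above a narrower one silently takes its mail; on the server itself, `exim4 -bt` followed by a test address shows the route Exim actually chooses.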

New server

Finally got round to setting up the new server for my home network (also hosting this site) after far too many hand-crafted changes to the original E-Smith SME Server that was in use.

Settled on a proper distro this time (Debian), and planned it carefully to allow smooth migration from one server to the other. For the record, the list of installed debs is available here.

There’s probably a lot of stuff that could be removed, but it’ll do for now.