Expat-IT Tech Bits

    This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

    Wed, 29 Oct 2008


    /xHW/wirelessCards: Linux-Compatible Wireless Cards

    The cards are identified with the output of the "lspcmcia -v" command, with further comments below.

    Socket 0 Device 0:	[orinoco_cs]		(bus ID: 0.0)
    	Configuration:	state: on
    	Product Name:   Lucent Technologies WaveLAN/IEEE Version 01.01 
    	Identification:	manf_id: 0x0156	card_id: 0x0002
    			function: 6 (network)
    			prod_id(1): "Lucent Technologies" (0x23eb9949)
    			prod_id(2): "WaveLAN/IEEE" (0xc562e72a)
    			prod_id(3): "Version 01.01" (0xd27deb1a)
    

    This Lucent card is one of the famous "Orinoco Gold" cards, though there seem to be so many versions that I am quite unsure what that "Orinoco Gold" label really means. I have so far been unable to find a power rating for this card. It uses the orinoco_cs driver.

    Socket 0 Device 0:	[atmel_cs]		(bus ID: 0.0)
    	Configuration:	state: on
    	Product Name:   Belkin 11Mbps-Wireless-Notebook-Network-Adapter 
    	Identification:	manf_id: 0x01bf	card_id: 0x3302
    			function: 6 (network)
    			prod_id(1): "Belkin" (0x3805a391)
    			prod_id(2): "11Mbps-Wireless-Notebook-Network-Adapter" (0x04d6f391)
    

    This Belkin F5D6020 Ver.2 card is a bit of an oddball, requiring firmware. (Note that the Ver.1 card is a completely different Prism-based card that uses the orinoco driver.) Debian users must install the atmel-firmware package to get it working. Good card, but not particularly powerful.

    Socket 0 Device 0:	[orinoco_cs]		(bus ID: 0.0)
    	Configuration:	state: on
    	Product Name:   INTERSIL HFA384x/IEEE Version 01.02 
    	Identification:	manf_id: 0x0156	card_id: 0x0002
    			function: 6 (network)
    			prod_id(1): "INTERSIL" (0x74c5e40d)
    			prod_id(2): "HFA384x/IEEE" (0xdb472a18)
    			prod_id(3): "Version 01.02" (0x4b74baa0)
    

    This nondescript card *does not* seem to work properly, and I do not think it is a Linux problem, though I am not absolutely sure. It will roam alright, but causes an error if you try to send it a WEP password. So it is useless on a WEP-protected network.

    Socket 0 Device 0:	[orinoco_cs]		(bus ID: 0.0)
    	Configuration:	state: on
    	Product Name:   NTT-ME 11Mbps Wireless LAN PC Card   
    	Identification:	manf_id: 0x0156	card_id: 0x0002
    			function: 6 (network)
    			prod_id(1): "NTT-ME" (0xcf5acb06)
    			prod_id(2): "11Mbps Wireless LAN PC Card" (0xd74e4c54)
    			prod_id(3): " " (0x3b6e20c8)
    

    This is another nondescript card, but it works fine and is definitely a high-power card. It will work with the orinoco_cs driver, but if you blacklist orinoco_cs the hostap_cs driver will load instead. Under hostap, if you set the card mode to "Master", you have yourself a home-made wireless access point. (Just make sure the rest of your network setup is correct to support this[1], i.e. static IP, routing to the internet, DHCP if desired....)

    [1] http://blog.langex.net/index.cgi/Admin/LAN/build-your-own-router.html

    posted at: 02:11 | path: /xHW/wirelessCards

    Sun, 26 Oct 2008


    /Admin/backups/rdiff-backup: Using rdiff-backup for Secure Unattended Backups

    rdiff-backup[1] is basically a wrapper around rsync and ssh that by default mirrors a specified directory on the two machines, as well as providing incremental backups for files that have been modified.

    Say I have a server and I just want to back up some directory (/etc) on that server to a directory on my desktop machine (/backup):

    rdiff-backup root@server.com::/etc /backup/etc

    Note that rdiff-backup must be installed on both machines, and that in this case, "root" is required on the server because some files in /etc will certainly only be readable by root.

    Backups that are not automated tend to not happen reliably, so we must run this periodically in cron. However, in running the above command, there was a prompt for the root password on server.com, which will not work with cron.

    We need to set up password-less authentication from desktop to server.com. Set this up using this guide: http://blog.langex.net/index.cgi/Admin/SSH-SSL/passwordless-ssh-authentication.html

    Now add rdiff to crontab by executing "crontab -e" in a terminal, and adding the following line:

    16 16 * * * rdiff-backup root@server.com::/etc /backup/etc && rdiff-backup --remove-older-than 6M /backup/etc

    which will execute the backup from your desktop every day at 4:16pm, and then delete backups older than six months.
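The passwordless key used by this cron job logs in as root on server.com, so it is worth checking how that key is restricted on the server side. As an added example (not part of the original post), the script below audits an authorized_keys file; its constructed sample includes a key pinned to rdiff-backup's read-only server mode. The `--server --restrict-read-only` options are those of the classic rdiff-backup 1.x command line; the function names, key material, hosts and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit root's authorized_keys on
# the server being backed up. The cron job's passwordless key should be
# pinned to a read-only rdiff-backup server, not grant a root shell.

# Classify each key line of the file given as $1:
#   N:ok     forced command is rdiff-backup in read-only server mode
#   N:other  some other forced command (review by hand)
#   N:open   no forced command, i.e. the key gives a full login
audit_authorized_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        /command="rdiff-backup --server --restrict-read-only \/[^"]*"/ {
            print NR ":ok"; next
        }
        /command="/ { print NR ":other"; next }
        { print NR ":open" }
    ' "$1"
}

# Succeeds (status 0) when at least one key still grants an unrestricted
# login, so it can gate an alert from cron.
has_open_keys() {
    audit_authorized_keys "$1" | grep -q ':open$'
}

# Constructed sample file; the key material is a placeholder, not a real key.
# Line 3 is the hardened form for the backup key: forced command limited to
# reading /etc, source address pinned, no pty and no forwarding.
write_sample_keys() {
    cat > "$1" <<'EOF'
# admin laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY admin@laptop
command="rdiff-backup --server --restrict-read-only /etc",from="192.0.2.10",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY backup@desktop
command="/usr/local/bin/report.sh",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY cron@monitor
EOF
}
```
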

    See this excellent summary for more information[2]. Honestly, if I had started using rdiff-backup rather than backuppc first, I might never have gotten around to trying backuppc.

    [1] http://rdiff-backup.nongnu.org/
    [2] http://debaday.debian.net/2008/10/26/rdiff-backup-easy-incremental-backups-from-the-command-line/

    posted at: 05:36 | path: /Admin/backups/rdiff-backup

    Sat, 25 Oct 2008


    /Admin/backups/SpiderOak: Offsite backup killer app: https://spideroak.com/

    Spider Oak's good qualities as an offsite backup service are too numerous to list (please do have a look around their website to catch anything I might have missed):

    The security aspects of this service are what really set them apart. They have set it up so no one at their company has any way of accessing user files, which are stored encrypted on their servers. You can read the technical details on their site, but the only one on the whole planet who has all the necessary information to decrypt your files, is you. A corollary of that is that if you lose your password, there is no recourse. You lose your files on their server. They cannot "reset" your password.

    There is only one hole in the design of their security, and that is that they have not Open Sourced the backup client you run on your own computer, so we must trust them when they say that our passwords are never sent back to the server, and that there are no other back doors. (Just like any other closed commercial application, for that matter.... But until an Open Source competitor appears, Spider Oak effectively has no competition.) They have been around for a while, and they have some quite significant endorsements on their website, so I am inclined to believe them and entrust them with my own personal files. This is the first service I have found, ever, that I can say that for.

    I have been running their Linux client for several days now, and it is both highly polished and very stable. And, for server administrators and cron users, the client can be run headless from the command line.

    posted at: 08:57 | path: /Admin/backups/SpiderOak

    Fri, 24 Oct 2008


    /xHW/Thinkpad_x24: Debian Linux on Thinkpad x24 (Piii 1.1 GHz)

    Type: 2662-CBC

    # lspci
    00:00.0 Host bridge: Intel Corporation 82830 830 Chipset Host Bridge (rev 04)
    00:01.0 PCI bridge: Intel Corporation 82830 830 Chipset AGP Bridge (rev 04)
    00:1d.0 USB Controller: Intel Corporation 82801CA/CAM USB Controller #1 (rev 02)
    00:1d.1 USB Controller: Intel Corporation 82801CA/CAM USB Controller #2 (rev 02)
    00:1d.2 USB Controller: Intel Corporation 82801CA/CAM USB Controller #3 (rev 02)
    00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev 42)
    00:1f.0 ISA bridge: Intel Corporation 82801CAM ISA Bridge (LPC) (rev 02)
    00:1f.1 IDE interface: Intel Corporation 82801CAM IDE U100 Controller (rev 02)
    00:1f.3 SMBus: Intel Corporation 82801CA/CAM SMBus Controller (rev 02)
    00:1f.5 Multimedia audio controller: Intel Corporation 82801CA/CAM AC'97 Audio Controller (rev 02)
    01:00.0 VGA compatible controller: ATI Technologies Inc Radeon Mobility M6 LY
    02:03.0 CardBus bridge: Ricoh Co Ltd RL5c476 II (rev a8)
    02:03.1 CardBus bridge: Ricoh Co Ltd RL5c476 II (rev a8)
    02:03.2 FireWire (IEEE 1394): Ricoh Co Ltd R5C552 IEEE 1394 Controller
    02:05.0 Communication controller: Agere Systems WinModem 56k (rev 01)
    02:08.0 Ethernet controller: Intel Corporation 82801CAM (ICH3) PRO/100 VE (LOM) Ethernet Controller (rev 42)
    

    This is a late Pentium III / almost Pentium IV example of the X-series: 12-inch bright LCD, great keyboard, extremely light and portable, with a floppy / CD-ROM equipped docking station (which also works on my x20 Thinkpad).

    Installing Debian Linux on this machine is a slam dunk, everything (that I have tried -- not the WinModem, for example) works fine out-of-the-box. At 1.1 GHz, at least as of late 2008, with 640 Meg of memory, it is also my fastest and my main machine. For normal desktop activities this vintage (Pentium III 1.1 GHz) is more than enough for a Linux user. (Heavy coders will probably want more and faster....)

    posted at: 11:25 | path: /xHW/Thinkpad_x24


    /xHW/Thinkpad_600e: Ubuntu Linux on Thinkpad 600e (Pii 366 MHz)

    Type: 2645-CBH

    00:00.0 Host bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX Host bridge (rev 03)
    00:01.0 PCI bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX AGP bridge (rev 03)
    00:02.0 CardBus bridge: Texas Instruments PCI1251A
    00:02.1 CardBus bridge: Texas Instruments PCI1251A
    00:06.0 Multimedia audio controller: Cirrus Logic CS 4610/11 [CrystalClear SoundFusion Audio Accelerator] (rev 01)
    00:07.0 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ISA (rev 02)
    00:07.1 IDE interface: Intel Corporation 82371AB/EB/MB PIIX4 IDE (rev 01)
    00:07.2 USB Controller: Intel Corporation 82371AB/EB/MB PIIX4 USB (rev 01)
    00:07.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 02)
    01:00.0 VGA compatible controller: Neomagic Corporation NM2200 [MagicGraph 256AV] (rev 20)
    

    This was very much a high-end machine in its day, but now is I think quite slow for all but the most modest desktop requirements. However, it has two PCMCIA card slots, which makes it a good candidate for a home router / server.

    Also, it has a very similar sound card to my a21m Thinkpad[1], and has suffered the same fate: the sound card does not work because the driver has been removed from the Linux kernel because of firmware issues. Bummer. Playing music is something this machine should do quite well. Buy a USB sound card[2].

    PCMCIA Networking Problems

    Back when it was doing server duty with a Debian install, I used to roll my own kernel with this machine because the stock Debian kernel images never seemed to be able to get both of my PCMCIA cards working (usually just one network would come up -- one of this Thinkpad's functions was as a router for my home network, so this is not enough).

    Then I noticed that there are some ugly looking messages in the syslog on the subject of ACPI, despite passing "noacpi" to the kernel. I then added "acpi=off" to the kernel options, and lo and behold, both cards came up with Debian's linux-image-2.6.20-1-686.

    The full options line in my /boot/grub/menu.lst was:

    # kopt=root=/dev/hda1 ro acpi=off noacpi apm=on

    I am not sure if "apm=on" is actually doing anything, but almost all of the ACPI junk has disappeared from the log, and my PCMCIA network cards worked with this hack. For the record, I am using one PCMCIA network card and one cardbus card.

    [1] http://blog.langex.net/index.cgi/HW/Thinkpad_a21m/installation-report.html
    [2] http://blog.langex.net/index.cgi/HW/USB_audio/USB-audio-solves-Linux-sound-problems.html

    posted at: 11:23 | path: /xHW/Thinkpad_600e


    /xHW/Thinkpad_a21m: Debian Linux on Thinkpad a21m (Piii 800 MHz)

    Type 2628-PRU

    $ lspci
    00:00.0 Host bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX Host bridge (rev 03)
    00:01.0 PCI bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX AGP bridge (rev 03)
    00:02.0 CardBus bridge: Texas Instruments PCI1450 (rev 03)
    00:02.1 CardBus bridge: Texas Instruments PCI1450 (rev 03)
    00:03.0 Ethernet controller: Intel Corporation 82557/8/9/0/1 Ethernet Pro 100 (rev 09)
    00:03.1 Serial controller: Xircom Mini-PCI V.90 56k Modem
    00:05.0 Multimedia audio controller: Cirrus Logic CS 4614/22/24/30 [CrystalClear SoundFusion Audio Accelerator] (rev 01)
    00:07.0 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ISA (rev 02)
    00:07.1 IDE interface: Intel Corporation 82371AB/EB/MB PIIX4 IDE (rev 01)
    00:07.2 USB Controller: Intel Corporation 82371AB/EB/MB PIIX4 USB (rev 01)
    00:07.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 03)
    01:00.0 VGA compatible controller: ATI Technologies Inc Rage Mobility P/M AGP 2x (rev 64)
    02:00.0 USB Controller: NEC Corporation USB (rev 43)
    02:00.1 USB Controller: NEC Corporation USB (rev 43)
    02:00.2 USB Controller: NEC Corporation USB 2.0 (rev 04)
    

    This is a big, heavy 14-inch LCD machine with everything, including floppy, removable CD drive, and two PCMCIA card slots. Your basic desktop replacement. As a Pentium III 800 MHz running Linux, this machine is just at the threshold of "just fast enough" for your normal user. I have noticed that slower machines, say around 500 MHz, tend to be noticeably sluggish, and are clearly unable to play some kinds of video.

    The a21m currently has a serious issue[1]: the sound card used to work, but undistributable firmware is required to use the Cirrus Logic sound card, so apparently the snd-cs46xx module has been ripped out of the kernel until further notice. Solution: use a USB sound card.

    [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462035

    posted at: 03:57 | path: /xHW/Thinkpad_a21m


    /xHW/USB_audio: USB Audio Solves Linux Sound Problems

    If you are having audio problems on a Linux system, your first step is to ensure that the userid you are logged in as is a member of the "audio" group. I have been using Linux for years, and if it has been a while since my last install, this one still causes me several minutes (or more) of head-scratching every install.

    There are several issues that make sound on Linux desktops a source of pain and frustration:

    "USB Sound" to the rescue!!!

    USB sound tends to be relatively simple and robust. I have tried four devices so far (two headsets, a pair of USB speakers, and a "USB sound card") and all of them have worked. For the three devices with microphone capabilities, that also worked. Mixers show one slider / mute button each for input and output -- dummy proof!!

    A USB sound device, when plugged into a system with a functioning onboard sound card, behaves like a second sound card, and does so consistently on whatever computer you plug it into, freeing you from dependence on your internal sound card. It shows up explicitly in Skype Options as a second sound card, input/output levels are easily adjusted in your mixer, and the three models I have tried:

    1. Kyocera 250 USB headset
    2. Ovann (C-Media) USB80 USB Headphone Set
    3. cheap no-name USB sound card with a regular headset and mic plugged-in

    all work well with Skype, though sound quality from #3's mic is a bit poor (probably fixable with a higher quality mic....)

    Using a USB sound device with other Linux multimedia applications tends to be a bit more complicated, since such apps (Skype excepted) do not usually provide a sound card selector in the GUI. Here are some examples of how to send sound output to a second (USB) sound card for several applications:

    Simplest of all, disable the built-in sound card by blacklisting the driver module, as I did with my Thinkpad x20. Then when you plug in a USB sound device it automatically becomes the first and default sound card, which all apps will then play sound to by default. (Note: I looked for a more elegant way in Debian, but found none. Please clue me in if you know a better way. I have heard that Ubuntu automatically does the right thing by making a new USB card the default. In the case of the X20, the built-in speakers really suck anyway.)

    Where I live in Beijing a low-end USB sound card (looks like a USB memory stick / thumb drive except that it has headset and mic jacks in the end) can be had for as little as 25 RMB / US$4. I have a beautiful pair of tiny, mega-sound USB speakers (with no external power supply!! power comes from the USB bus!!) that I paid 140 RMB for, as I recall.

    posted at: 03:53 | path: /xHW/USB_audio


    /xHW/Thinkpad_i1300: Debian Linux on a Thinkpad i1300/1310 (Piii 500 MHz)

    Type: 1171-310

    $ lspci
    00:00.0 Host bridge: Intel Corporation 82440MX Host Bridge (rev 01)
    00:00.1 Multimedia audio controller: Intel Corporation 82440MX AC'97 Audio Controller
    00:00.2 Modem: Intel Corporation 82440MX AC'97 Modem Controller
    00:02.0 VGA compatible controller: Silicon Motion, Inc. SM712 LynxEM+ (rev a0)
    00:03.0 CardBus bridge: O2 Micro, Inc. OZ6812 CardBus Controller (rev 05)
    00:07.0 ISA bridge: Intel Corporation 82440MX ISA Bridge (rev 01)
    00:07.1 IDE interface: Intel Corporation 82440MX EIDE Controller
    00:07.2 USB Controller: Intel Corporation 82440MX USB Universal Host Controller
    00:07.3 Bridge: Intel Corporation 82440MX Power Management Controller
    

    This machine has a wonderful keyboard and a CD-ROM drive, but has a rather low-end 12-inch 800x600 LCD, and a minimal number of ports (basically one of everything). It is also on the heavy side for a 12-inch, as it really has a 14-inch form factor.

    The winmodem was, of course, not tested. Everything else works except X, which stopped working over a year ago. I issued Debian[1] and Xorg[2] bug reports, so far to no avail. Starting X results in a blank screen and a locked up keyboard (Ctl-Alt-F1, Ctl-Alt-Backspace seem to have no effect). I can still log in through the network in this state.

    With no functioning Xorg, no builtin network card, one USB port, and one PCMCIA card slot, this machine is somewhat limited and is not useful for much other than being a simple server.

    [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=428711
    [2] https://bugs.freedesktop.org/show_bug.cgi?id=11845

    posted at: 02:43 | path: /xHW/Thinkpad_i1300

    Wed, 22 Oct 2008


    /Admin/dynamicDNS: Dynamic DNS Behind a Router in China

    My current situation (if I wish to continue saving a few bucks by sharing a broadband line) forces me to operate a server through my landlord's router. All I did on the router was set the DMZ[1] of the router to the IP of my server, so that any network traffic that is not specifically routed elsewhere by the router gets sent to my server.

    Having found no way of extracting the public IP from the router, I am left with one option: dynamic DNS services that permit (do not penalize) regular polling. The highest profile service of this type is dyndns.com[2]; however, I have found that their service does not respond to clients in China. In fact, the only viable option I have found so far is 88ip.cn[3], which as you can see is a 100% Chinese site. So far it works very well for me though.

    First click on 注册 and register an account on the site. Once logged in (the 登录 button) click on the 管理 button to access the "domains" area. There you get to select a sub-domain of 88ip.net, i.e. "anything.88ip.net", then click on 确定. After that, selected domains should appear in the 地名 list. And that is about all you have to know about the website.

    Setting up the client side on your server is a little more complicated, and definitely not well documented, at least for Linux users. They have a number of clients on offer for download[4]. They offer three different Linux downloads, none of them a Debian .deb, and one of them even wanted to install a binary!! (A big no-no, especially in China.....) I will document what I believe to be the best client setup below, so you do not have to mess with their messy installers. First create the following /etc/ddns/xml/upddns.xml file (depending on your browser, you may have to "view source" to see the following file):

    <?xml version="1.0"?>
    <ELinkPacket>
      <MsgType>ActiveTestReq</MsgType>
      <Version>1.0</Version>
      <UserName>your88ipUsername</UserName>
      <UserPwd>your88ipPassword</UserPwd>
    </ELinkPacket>

    Username and password above should be the same as used to login to their website. Now create a small script /etc/ddns/sh/upddns.sh to ping 88ip.cn's server:

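    #!/bin/sh
    # POST the XML file (it contains the account username and password) to 88ip's server over plain http
    /usr/bin/curl -v -d "$(cat /etc/ddns/xml/upddns.xml)" \
    http://link.dipserver.com/elink/elink.dll/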

    Note the reference above to /etc/ddns/xml/upddns.xml. Note that if you run this script from the command line, there is output, but there is no output if it is run in cron. I do not really understand this difference at the moment. And finally, create a cron job ("crontab -e") to run the script every five minutes:

    0-59/5 * * * * /etc/ddns/sh/upddns.sh

    88ip.cn's scripts actually were set to make this cron run every two minutes, but I think that is a bit excessive for my purposes. There is no output from this cron, so you will only see an e-mail if there is an error.

    Now if you point your browser to your "anything.88ip.cn" URL, it should be directed to a web server running on your server. Since 88ip.cn's interface does not specify a URL, we can assume that all URLs in a given 88ip.cn account will be pointed to the same IP address.

    [1] http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)
    [2] http://www.dyndns.com/
    [3] http://www.88ip.cn/
    [4] http://www.88ip.cn/Download/

    posted at: 04:17 | path: /Admin/dynamicDNS

    Tue, 21 Oct 2008


    /Admin/dynamicDNS: Dynamic DNS Basics

    You already have a broadband internet account at home, you have some unused hardware lying around, you know how to set up and configure a server, so why not save a few bucks and run your server at home?:

    So if you are not intending on using an e-mail server on your server at home, and whatever service(s) you were planning on providing (website?) can absorb a little downtime from power and ISP outages, it is a go. Especially if you want to run some very particular software that is not commonly available from cheap hosting services, leaving you with the relatively more expensive option of renting your own server.

    Dynamic DNS is really very simple. Computers understand numeric IP[4] ("Internet Protocol") addresses of the form 111.222.333.444. Humans understand alphanumeric internet addresses of the form www.myname.com. When you type www.myname.com into your web browser (or any other network application) www.myname.com must be pointing at the correct 111.222.333.444 for it to work. That is all DNS ("Domain Name Service") really is. "Dynamic DNS" just refers to the situation where the numeric IP address changes frequently, and the slightly specialized methods used to keep www.myname.com and 111.222.333.444 in sync when this is the case.

    In your home, you will be faced with two general options:

    Why would you want the added complication of the second option? Because somewhere on your network you must run a piece of software that will update www.myname.com with the new 111.222.333.444 whenever the latter changes. That piece of information is a property of the network interface that is directly connected to the internet, located on your router. If you are using a commercial off-the-shelf router, that information can be hard or impossible to extract from it. Some routers are pre-configured to talk to certain Dynamic DNS providers, and maybe some of them actually work in this role. I have so far not been so lucky as to find one that does. If the router is your own machine, whose hardware and software you have complete control of, everything tends to be a bit easier.

    That said, if you are sharing an internet connection, you might not have a choice in the router department.....

    Just to be clear, while probably achieving the opposite, the usual way to tell your Dynamic DNS service that you have a new numeric IP address is to send it a very simple message using http, and that message AUTOMATICALLY must contain your current public IP address (your new numeric address). The Dynamic DNS service then just strips this new IP out of the message. The complication is, most Dynamic DNS services do not want you to waste their resources by sending them this http message every two minutes. Most will freeze your account if you do. They want to hear from you only when the address really has changed, which is why the Dynamic DNS software client running on your network must know when your IP address changes, so that it then will know it is time to tickle the Dynamic DNS service provider.
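One way to implement the "only tell the provider when the address really has changed" logic described above, as an added example that is not part of the original post. The state-file path, the function names and the update hook are assumptions of this sketch, and how the current public address is obtained is left to the caller.

```shell
#!/bin/sh
# Added example (not from the original post): only notify the Dynamic DNS
# provider when the public IP differs from the one recorded last time.
# STATE_FILE and the update hook are assumptions made for this sketch.

STATE_FILE="${STATE_FILE:-/var/lib/ddns/last_ip}"

# Accept only a dotted-quad IPv4 address with every octet in 0..255, so a
# router error page or an empty reply never gets recorded or sent upstream.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Decide what to do with the address the client just observed ($1).
# Any remaining arguments are the command that notifies the provider; the
# address is appended to it. Prints one of:
#   update   address changed, provider notified, new address recorded
#   skip     address unchanged, provider left alone
#   invalid  $1 is not an IPv4 address
#   failed   notification or state write failed; retried on the next run
ddns_check() {
    new_ip=$1; shift
    if ! is_ipv4 "$new_ip"; then
        echo invalid; return 2
    fi
    last_ip=
    if [ -r "$STATE_FILE" ]; then
        last_ip=$(cat "$STATE_FILE")
    fi
    if [ "$new_ip" = "$last_ip" ]; then
        echo skip; return 0
    fi
    # Notify first and record the address only on success, so a failed
    # update is not mistaken for a completed one.
    if [ "$#" -gt 0 ]; then
        "$@" "$new_ip" >/dev/null 2>&1 || { echo failed; return 1; }
    fi
    (
        umask 077
        mkdir -p "$(dirname "$STATE_FILE")" &&
        printf '%s\n' "$new_ip" > "$STATE_FILE.tmp" &&
        mv "$STATE_FILE.tmp" "$STATE_FILE"
    ) || { echo failed; return 1; }
    echo update
}
```
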

    [1] http://en.wikipedia.org/wiki/Dynamic_ip
    [2] http://en.wikipedia.org/wiki/Dynamic_DNS
    [3] http://blog.langex.net/index.cgi/Admin/LAN/build-your-own-router.html
    [4] http://en.wikipedia.org/wiki/Ip_address

    posted at: 07:30 | path: /Admin/dynamicDNS

    Mon, 20 Oct 2008


    /xLife/China/Beijing/OpenSource: Gnome Asia Summit[1] in Beijing

    I just attended what I think was my first Open Source conference. Hard to believe I have been an open source zealot for so long and this is my first conference.... As it happens, maybe because of the Beijing Olympics, maybe because the Open Source community is experiencing massive growth in China, this is just the first of several such events in Beijing over the next few months.

    I have to say a conference like this is a fun, informative, and highly motivating experience. It really does leave one with a strong desire to find a project and start coding, like yesterday. It probably also helps that the event was super-well-organized, and most of the presenters were quite interesting.

    One of the things I learned this past weekend is that the Open Source community and the commercial world are in a highly symbiotic relationship. Fully 40%(!!) of the work done on Open Source projects is done by paid employees of companies that operate in the Open Source space. Which of course explains why there are so many eager sponsors[2] for this kind of conference: they want to recruit more free labor for their projects by helping to build a vibrant Open Source community around them. It would seem like a truly win-win situation, and perhaps explains why many companies are moving towards the Open Source model. (Of course, Sun Microsystems[3] is the poster child for this trend....)

    The sponsors flew in a number of executives and senior engineers from around the world to talk to us. The event was free, the facility first class, lunch was good and also free, and there were some quite lavish prizes raffled-off at the end of every day (starting with a laptop....) I felt quite pampered.

    Another really interesting tidbit I picked up was the vast increase in Firefox usage in the past couple of years. If I recall the graph clearly, Firefox users went from single digit millions to over 100 million during that period. Obviously most of those are Windows users.

    And I switched my window environment from KDE to Gnome[5]. Gnome really seems to be becoming the standard, so I really think I should get better acquainted with it.

    Here are some pictures from the event[4].

    [1] http://www.gnome.asia/
    [2] http://www.gnome.asia/en/sponsor/
    [3] http://www.sun.com/
    [4] http://flickr.com/search/?w=all&q=gnomeasia&m=text
    [5] http://www.gnome.org/

    posted at: 01:39 | path: /xLife/China/Beijing/OpenSource

    Thu, 16 Oct 2008


    /Admin/virtualization/virtualBox: An Educational Software Update

    Yesterday a new version of virtualbox-ose (the "ose" stands for "Open Source Edition", BTW....) came down the pipe.

    First thing I noticed during installation was a message that said, to paraphrase, "snapshots are version specific and old snapshots will be discarded after this update". So much for my idea of keeping a version of my original Windows XP install lying around indefinitely so as to be able to restore a pristine install whenever I wanted. That is really most unfortunate for Micro$oft users. Maybe one of the other virtualization packages does snapshots better....

    Then I tried to run the thing to verify the update and got a

    "VirtualBox kernel modules and the version of VirtualBox application are not matching"

    error. The error message went on to suggest running this command to build the kernel modules manually:

    module-assistant auto-install virtualbox-ose

    Unfortunately this build failed VERY quickly, without a visible error message. I had already issued a bug report[1] where you can see my exchange with the Debian Developer, who set me straight very quickly: I must explicitly download the VirtualBox source, even though the module-assistant man page[2] says that it takes care of that. The auto-install section literally says "get the package source".

    So the manual VirtualBox module build process is:

    apt-get update
    apt-get upgrade
    apt-get install virtualbox-ose-source
    m-a a-i virtualbox-ose

    Still loving VirtualBox.... And what Micro$oft retail user has ever established communication with a Micro$oft engineer and resolved a problem within a few hours?

    [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502375
    [2] http://manpages.debian.net/cgi-bin/man.cgi?query=module-assistant

    posted at: 10:10 | path: /Admin/virtualization/virtualBox | permanent link to this entry

    Wed, 15 Oct 2008


    /xLife/China: Chiropractic in China: It's Called Tui Na

    I managed to mess up my lower back recently, resulting in severe, debilitating pain for several days. If I were living in N.America, and being averse to knives and drugs, I would turn first to a chiropractor. In China (and, as far as I can tell, all of Asia) chiropractors are a very rare breed. A friend of mine suggested that I should try Traditional Chinese Medicine (TCM - 中医).

    Personally, my first thought was that acupuncture (针灸) might be helpful....

    A lot of Chinese hospitals, naturally enough, seem to have TCM departments, and I knew of one for sure here in Beijing, a place that I have had a couple of very good, and very cheap experiences with before: Haidian Hospital (海淀医院)[1].

    I asked for acupuncture. The doctor said no, the best thing would be Tuina (推拿), which might be most generally described as Traditional Chinese Acupressure Massage. (The progenitor of Japanese Shiatsu, which is probably more familiar to most Westerners....)

    I would have to agree, in the end, because Tuina includes spine manipulation techniques that are very similar (and similarly effective) to those used by chiropractors. He massaged the area for about fifteen minutes, then put me on my side, and pressed back on my upper shoulder while pressing forward and down on my upper knee so as to put some torque on the whole spine. Then he dropped his weight into my knee to give the lumbar area a sudden surge of extra torque, and my vertebrae snapped back into place with the customary satisfying crack. Three treatments on three successive days and I was almost back to normal.

    I thought 100 RMB per treatment was a bit expensive for the local standard of living, but I might have been paying a bit of "white man's" premium. And at about US$1 ~ 6-7 RMB, it is still much cheaper than a comparable amount of attention from a chiro in N.America.

    I saw them adjusting other people's necks, but have not yet had that experience from a Tuina doctor myself, so I cannot comment. Cervical adjustments, in my experience of chiropractic, require more finesse and a much lighter touch than is necessary for lumbar adjustments. Whether that skill is common here, I do not yet know. But I will not hesitate to go get some Tuina for any future spine issues while I am living in China.

    [1] http://www.hdhospital.com/EN/

    posted at: 10:03 | path: /xLife/China | permanent link to this entry

    Sun, 12 Oct 2008


    /Admin/virtualization/virtualBox: "Guest Additions" Allow Virtual Machine Inter-Communication

    Start your virtual machine (in my case, Windows XP). Then on the Virtual Box menu bar of the resulting running machine's window, select "Devices --> Install Guest Additions".

    This will download an ISO (apparently from Sun Microsystems), mount it, and install the "Guest Additions" via a couple of prompts. Reboot, and suddenly your mouse pointer can pass between the virtual machine windows and the Linux windows, without any intervening key strokes. Copy'n'Paste between Windows XP and Linux applications now also works transparently.

    In the Virtual Box menu, now select "Machine --> Seamless Mode". On Linux, I run KDE. After the above selection, the Windows XP control bar stacked itself on top of my KDE control bar at the bottom of my screen. Any Windows applications opened thereafter efficiently filled the *entire* remaining screen.

    Happy, Happy!

    posted at: 01:01 | path: /Admin/virtualization/virtualBox | permanent link to this entry

    Wed, 08 Oct 2008


    /xLife/China: Links: Information About China

    http://www.cnd.org/CR/
    Virtual Museum of the Chinese Cultural Revolution

    posted at: 23:40 | path: /xLife/China | permanent link to this entry


    /xLife/China: China sites: In Chinese, but of interest to foreigners....

    This is a list of Chinese language web-sites that might be of interest to non-Chinese who can read a little Chinese. (Please install Chinese fonts if you are not seeing Chinese characters below.) I personally use MDBG Chinese-English dictionary to speed up the process.

    Downloading: Why Buy Pirated DVDs When You Can Download Them?

    http://www.verycd.com/
    This site supports users of the popular eMule / aMule / Kazaa / eDonkey etc. peer-to-peer download clients that use the donkey and Kademlia networks. If you pass your mouse over the menu items on the left, you will see from the English names of the underlying URLs what they are for. "电影" will take you to the movies section, for instance. Most of the site is in Chinese, but English names are displayed for English movies, and very few movies are dubbed, ie. the original sound track is very much the rule. When you find something you want to download, paste the download link into your xMule client and away you go.

    House hunting: find a place to live:

    http://shenghuo.google.cn/shenghuo/
    This site currently defaults to real estate listings in Beijing, and you get there by clicking on "生活" in http://www.google.cn/. Then click on "城市" to go to other cities, or click on the Chinese characters for the Beijing District where you want to live. ("租房" is "for rent", "买房" is "for sale".)

    Local E-mail Services:

    Low bandwidth is a problem in most of Asia, and is made worse in China by the Great Firewall. Using overseas webmail can be very, very slow, as are downloads. Both can be speeded up by using a local service, which may very well have a server right in your large city. These are the ones I have had the best experience with:
    http://mail.163.com/
    http://mail.126.com/
    Registration is really quite straight-forward, plus, like most Chinese providers, they provide free POP and SMTP.

    posted at: 23:35 | path: /xLife/China | permanent link to this entry


    /Linux/misc: Linux Desktop Memory Requirements Still Very Light

    For the vast majority of Linux software, 256 Meg of RAM is quite sufficient, and memory is not a bottleneck.

    However, I find myself using at least three pieces of software that are outrageous memory hogs, and in fact having any two of them running at the same time causes swapping and brings my 256 Meg machine to its knees. Unfortunately, all three are essential applications, so I just spent a few dollars to upgrade to 640 Meg (which so far seems to be enough to 100% avoid noticeable swapping).

    The three offenders are:

    1. Firefox[1]: Due to its good multimedia support and many useful plugins, Firefox is the current de facto standard browser in the Linux world. I keep trying to move to other browsers, but I always end up coming back to Firefox.
    2. Miro[2]: the best internet television / download client / video library I can find. I look forward to seeing 2.0, and hope it will be less of a resource hog.
    3. Trader Workstation[3]: Interactive Brokers proprietary Java trading app. I am just thankful they are providing a good multi-platform piece of software, and do not plan on giving them a hard time because it just happens to be a bloated and memory-hungry Java app. I wish all banks and brokerages were so friendly towards non-Micro$oft users.

    [1] http://www.mozilla.com/en-US/firefox/
    [2] http://www.getmiro.com/
    [3] http://www.interactivebrokers.com/en/p.php?f=tws&ib_entity=llc

    posted at: 10:53 | path: /Linux/misc | permanent link to this entry


    /Admin/virtualization/virtualBox: Setting up a VirtualBox Virtual Server is Ridiculously Easy

    (...at least to get Windows XP installed inside Debian Linux...)

    For those who don't know, virtualization software allows one to run two or more operating systems (or multiple instances of the same operating system) on the same computer simultaneously, and in a desktop context be able to switch back and forth between them with a click of a key or mouse. (Note that this is *not* emulation, all OSes are running natively!)

    Why would one want to do this? Debian Linux is my chosen operating system, but sometimes I do need access to Micro$oft software. Or, one might have one's Desktop on one operating system, and be doing some kind of development on a completely different operating system. Etc. And of course, people who run big server farms have more uses for this kind of thing than I can even imagine (and I won't bother to list the ones I know about....)

    I finally have enough memory to try out virtualization for myself. There are a number of options on Debian[5]: VMware[1], Xen[2], VirtualBox[3], OpenVZ[4], etc.... A cursory look around did not find any compelling reasons to pick one over another, though there was some talk of VirtualBox being fast and easy to install. At this point, I can vouch for the "easy to install" part:

    1. Install management software and kernel modules:
      apt-get install virtualbox-ose virtualbox-ose-modules-2.6.26-1-686
    2. Add the user(s) that you will be running VirtualBox under to the "vboxusers" group.
    3. In the KDE menu, click on System --> VirtualBox OSE.
    4. In the resulting window, click on the "New" icon, and follow the instructions to create a new virtual machine (I just accepted defaults).
    5. At this point, I clicked on the new machine's hardware list in the right pane to make sure that the CD-ROM, the sound card, and the network were "turned on" (the network may already have been in that state).
    6. Insert the Windows XP installation CD in CD-ROM drive.
    7. In the VirtualBox window, click the "Start" icon to boot the (at this point still empty) virtual machine, which causes a black terminal window to pop up.
    8. Watch the Windows XP installer boot from the CD-ROM in this window, and respond to prompts until installation is finished.
    9. Thereafter, whenever you want to use Windows, bring up System --> VirtualBox OSE, select your Windows virtual machine from the list on the left, then click the "Start" icon, and Windows will appear in the resulting window. And it's not "just like the real thing", it *is* the real thing, though there might be some funkiness with hardware access, as the virtual machine (Windows XP) must go through the host OS (Debian Linux) to interact with hardware.

    Installation was basically a slam-dunk process of accepting defaults. At this point I have no communication between the Linux and Windows OSes running on my desktop, and Windows does not use my whole screen. I will figure that out when I feel the need.

    VirtualBox (I think all virtualization software can do this....) provides the capability of taking a snapshot of your virtual machine at any point, and then at a later date reverting to exactly this snapshot if you so desire.

    This process was all so easy, that it brings up quite a subversive thought....

    Micro$oft operating systems are quite renowned for their susceptibility to bit rot and not fully repairable infections by viruses and malware, resulting in increasingly flaky behavior, sluggishness, and increasing frequency of crashes. Which means that your typical Windows user finds it necessary to re-install a Micro$oft operating system quite regularly to restore full function. Without an elaborate and extensive backup system, re-installing any OS from scratch is a long process.....

    Your typical Linux OS will run for years without bit rot, basically until the hard drive wears out....

    So how about this bit rot solution, for someone who wants / needs to continue using Micro$oft Windows as their primary operating system: do a basic install of Linux *first*, just enough to run your favorite virtualization solution. Install Windows in a virtual machine. Hell, install two each of Windows XP and Vista, if you want. All you need is a nice big hard-disk. And run all four of them at the same time, if you have enough memory.... Install all the software you think you will need in each Micro$oft virtual machine, before you do anything that risks virus / malware infection. TAKE A SNAPSHOT OF EACH WINDOWS VIRTUAL MACHINE.

    Now use Windows just like before, until it becomes buggy and sluggish and unusable. Back up your data. RESTORE THE SNAPSHOT OF YOUR ORIGINAL CLEAN INSTALL (very fast - and which should include the base OS *and* most of the software you use). Restore your data. Repeat many times if necessary.

    [1] http://www.vmware.com/
    [2] http://www.xen.org/
    [3] http://www.virtualbox.org/
    [4] http://wiki.openvz.org/Main_Page
    [5] http://wiki.debian.org/SystemVirtualization

    posted at: 10:51 | path: /Admin/virtualization/virtualBox | permanent link to this entry

    Sun, 05 Oct 2008


    /SW/graphics: Problem: How to Edit / Fax / Print a Web Page

    First I used Firefox to print the web page to a postscript file "file.ps". If I just wanted to fax the web site, at this point "ps2pdf file.ps" would generate a "file.pdf" which I could upload to my fax website no problem (ps2pdf comes from the "gs-common" package of the Ghostscript[1] software suite).

    However, I want to edit this file first.

    I used the "convert" utility from the ImageMagick[2] graphics suite (the "imagemagick" package in the Debian distribution) to "convert file.ps file.jpg". Edit file.jpg with gimp[3]. Then "convert file.jpg file.pdf". Fax or print file.pdf.

    [1] http://www.ghostscript.com/awki/Ghostscript
    [2] http://www.imagemagick.org/script/index.php
    [3] http://www.gimp.org/

    posted at: 06:08 | path: /SW/graphics | permanent link to this entry

    Sat, 04 Oct 2008


    /Admin/backups/misc: Backing up a MySQL Database[1]

    Simply making a copy of the files in /var/lib/mysql/ while the database is running is not guaranteed to work, as MySQL *might* complain about corruption and refuse to start with such "hot" copies. Of course, if you can afford to stop MySQL while you are taking a snapshot of /var/lib/mysql/, then it should work fine.... The simplest way to grab a copy of a running database is with 'mysqldump'. I use the following, run from cron a couple of times a week:

    mysqldump --user=**** --password=**** name-of-database | bzip2 > /var/www/name-of-database/db-backup/name-of-database-backup-`date +%Y-%m-%d`.sql.bz2

    backuppc, running on another machine, makes daily backups of the whole /var/www/ directory. If the security of the contents of the database is a concern, do not put the dump in /var/www/.

    To delete files that are older than 20 days on a Linux system, add this to your cron:

    find /var/www/name-of-database/db-backup/name-of-database-backup* -mtime +20 -exec rm {} \;
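
    A variant of the two cron commands above for the case where the contents of the database are sensitive, as an added example (not the author's script): the dump is written outside /var/www with owner-only permissions, and the credentials come from an option file rather than the command line. The directory /var/backups/mysql, the option file /root/.my-backup.cnf and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the author's script). BACKUP_DIR, CRED_FILE and the
# function names are assumptions.

BACKUP_DIR="${BACKUP_DIR:-/var/backups/mysql}"   # assumed: outside /var/www
CRED_FILE="${CRED_FILE:-/root/.my-backup.cnf}"   # assumed option file with a [client] section
KEEP_DAYS="${KEEP_DAYS:-20}"

# True only if the file exists and gives no permission to group or other.
is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# File name for one database and one date, same pattern as the cron job above.
dump_path() {
    printf '%s/%s-backup-%s.sql.bz2\n' "$BACKUP_DIR" "$1" "$2"
}

# Dump one database; a failed dump never leaves a file that looks like a backup.
backup_db() {
    db=$1
    if ! is_private "$CRED_FILE"; then
        echo "refusing to run: $CRED_FILE is missing or readable by others" >&2
        return 1
    fi
    umask 077                                   # new files are owner-only
    mkdir -p "$BACKUP_DIR" || return 1
    out=$(dump_path "$db" "$(date +%Y-%m-%d)")
    sql="${out%.bz2}"                           # uncompressed intermediate file
    # --defaults-extra-file must be the first option; it keeps the password
    # off the command line, where any local user could read it with ps.
    if mysqldump --defaults-extra-file="$CRED_FILE" "$db" > "$sql" \
        && bzip2 -f "$sql"; then
        return 0
    fi
    rm -f "$sql" "$out"
    echo "dump of $db failed" >&2
    return 1
}

# Delete dumps of one database that are older than KEEP_DAYS days.
purge_old() {
    find "$BACKUP_DIR" -type f -name "$1-backup-*.sql.bz2" \
        -mtime +"$KEEP_DAYS" -exec rm -f {} \;
}

# Run from cron as: backup-mysql.sh name-of-database
# Old dumps are purged only after a new one has been written successfully.
if [ "$#" -gt 0 ]; then
    backup_db "$1" && purge_old "$1"
fi
```

    Calling a script from the crontab line also avoids a cron pitfall: an unescaped % in a crontab command is treated as a newline, which breaks an inline `date +%Y-%m-%d`.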

    [1] http://dev.mysql.com/doc/refman/4.1/en/backup.html

    posted at: 09:46 | path: /Admin/backups/misc | permanent link to this entry


    /Admin/backups/backuppc: Prepping an Offsite Backup

    Backuppc has a builtin method (called "archiving") for generating a set of files from the backup archive that are CD/DVD burn-ready. I do something different.

    In the Backuppc GUI, to extract a directory from the backup archive in the form of a tar file, click on "Browse backups", select a directory, then click on "Restore selected files". On the next page select "Download tar archive". Do this for each directory you want to move offsite, naming the saved gtar files appropriately.

    Rename one of the files to "backup.gtar", then merge each of the other archives into backup.gtar with the command:

    tar -Af backup.gtar www.gtar

    If you then do a

    tar -tvf backup.gtar | less

    you will see that all of your directories from the original tar files are now in the same compressed gtar file.

    Now encrypt the file (you will be prompted for a password):

    gpg -c backup.gtar

    To decrypt at a later date:

    gpg backup.gtar.gpg

    and then extract the contents of the resulting backup.gtar with

    tar -xvf backup.gtar

    posted at: 05:59 | path: /Admin/backups/backuppc | permanent link to this entry


    /Admin/backups/backuppc: rsyncd on the client to be backed up

    Note that unlike rsync over ssh, transfers using rsyncd are not encrypted, so rsyncd use is recommended only within a secure local network.

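    On the machine to be backed up, install rsync and open the rsync port (873) in your firewall.

    Create a /etc/rsyncd.secrets file with the following content:

    yourUserid:yourPassword

    Because the configuration below sets "strict modes = yes", rsyncd will refuse to use this file if it is readable by other users, so make it readable by root only.

    Edit /etc/default/rsync to contain the following:

    RSYNC_ENABLE=true
    RSYNC_NICE='10'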

    (A higher value of RSYNC_NICE reduces the priority of rsync activities if this machine is being used for other things, which is highly probable.)

    Create an /etc/rsyncd.conf file with the following content:

        pid file=/var/run/rsyncd.pid
        transfer logging = no
        timeout = 600
        refuse options = checksum dry-run
        dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
        use chroot = yes
        lock file = /var/lock/rsyncd
        read only = yes
        list = yes
    
        [etc]
    
            comment = /etc directory
            path = /etc
            uid = root
            gid = root
            auth users = yourUserid
            secrets file = /etc/rsyncd.secrets
            strict modes = yes
            ignore errors = no
            ignore nonreadable = yes
    
        [home]
    
            comment = /home directory
            path = /home
            uid = root
            gid = root
            auth users = yourUserid
            secrets file = /etc/rsyncd.secrets
            strict modes = yes
            ignore errors = no
            ignore nonreadable = yes
    

    posted at: 05:53 | path: /Admin/backups/backuppc | permanent link to this entry


    /Admin/email/postfix: Receiving Mail for Multiple Domains

    Since I have customized my postfix setup somewhat at this point, I am no longer sure what default behavior is. But in my current state, just adding domains to the mydestination line in /etc/postfix/main.cf was not sufficient. I kept getting the following error for any mail received for my just added domains:

    mail for ckintl.biz loops back to myself

    The solution lies in my /etc/postfix/transport file (see Multi Relay). Domains for which I am handling e-mail must be directed to "local", ie:

        langex.net              local
        ckintl.biz              local
        doesharleysuck.com      local

    otherwise the final

    * smtp

    line forces incoming e-mail for these domains to be sent out of the machine via smtp, where DNS just resolves back to the very same machine. Thus the "mail loops back to myself" wording of the error message.

    Don't forget to add all local domain userids that don't already exist as an account on your mail server, and that you would like to receive mail for, to /etc/aliases. Then run

    newaliases
    /etc/init.d/postfix reload

    posted at: 04:44 | path: /Admin/email/postfix | permanent link to this entry


    /Admin/email/postfix: Relay Your E-mail Through Multiple Servers with Postfix

    Why would you want to do this? As mentioned in Simple Relay, if you have a lot of e-mail going out and you are trying to relay all of it through one poor free relay server, that relay server is probably going to reach a threshold at which it labels you a "spammer" and starts deferring or even bouncing your e-mails. So what I do is use my own server to send e-mails directly to their destination as much as possible. And for those domains that reject my direct connections (theoretically because my server is running on a dynamic ip) I relay through another server. Preferably I have several such "other" relay servers so as to spread the load around and not have to deal with bounced e-mail.

    Postfix is not really designed to do this, so what I will present here is a limited solution that will work under specific circumstances.

    Basically the problem is that any free SMTP server I have been able to find insists on authentication (logging in with a valid userid and password) and further insists that the envelope address of the e-mail you are sending must agree with the userid you are logging in with. For instance, if you have a sina.com account with userid=mysinaname and password=mysinapassword, if the envelope address is anything but mysinaname@sina.com, the sina SMTP server will reject the e-mail. Note that the "envelope address" is not necessarily the same as the "From:" address in the e-mail's header, although they are usually the same.

    If you are sending e-mail with an e-mail client, the client will of course take care of all of this. But if you are sending e-mail through your own local e-mail server, and then onwards to its destination (optionally through another relay server) things get a little more complicated as there may be e-mails being queued to the server from multiple sources, and Postfix appears to have no way of associating a given envelope address with a given destination address/domain.

    Postfix is capable of routing e-mails to different relay servers based upon their destination address. But it is left up to any software queuing e-mail to Postfix for external delivery to take care of making sure that the envelope address is correct for the relay server that Postfix will later relay to. That is what makes this a limited solution.

    Set Up Postfix

    The solution lies in /etc/postfix/transport. Here is mine:

        langex.net               local
    
        gmail.com               smtp:smtp.sohu.com
        hotmail.com             smtp:smtp.sohu.com
    
        sina.com                smtp:smtp.sina.com
        boltblue.com            smtp:smtp.sina.com
        msn.com                 smtp:smtp.sina.com
        onlineworkshop.net      smtp:smtp.sina.com
    
        *                       smtp
    

    Mail destined for langex.net never leaves my server and is delivered locally. gmail.com and hotmail.com are both relayed via SMTP through smtp.sohu.com. sina.com, msn.com, etc. are relayed via SMTP through smtp.sina.com. Everything else ("*") goes out via SMTP directly to the destination domain (no relay).

    Ensure that /etc/postfix/sasl_passwd contains userid:password for both smtp.sohu.com and smtp.sina.com, then run the following commands:

        postmap /etc/postfix/sasl_passwd
        postmap /etc/postfix/transport
        /etc/init.d/postfix restart
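
    A pre-flight check for the two files above, as an added example (not part of the original setup): it resolves a destination domain against the transport table the way the paragraph describes and lists every relay host that has no line in sasl_passwd. The function names are assumptions, the transport sample is the table shown above, and the sasl_passwd sample is constructed with placeholder credentials. Only exact domain entries and the "*" default are handled.

```shell
#!/bin/sh
# Added example; function names and the sample credentials are assumptions.

# Print the next hop for a destination domain: exact match first, then "*".
relay_for() {   # usage: relay_for TRANSPORT_FILE DOMAIN
    awk -v d="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        tolower($1) == tolower(d) { hit = $2 }
        $1 == "*"                 { dflt = $2 }
        END {
            if (hit != "") print hit
            else if (dflt != "") print dflt
            else exit 1
        }
    ' "$1"
}

# List the relay hosts named in "smtp:host" entries, exactly as written,
# because Postfix looks up the password by that same next-hop string.
relay_hosts() {   # usage: relay_hosts TRANSPORT_FILE
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $2 ~ /^smtp:./ { print tolower(substr($2, 6)) }
    ' "$1" | sort -u
}

# Print every relay host that has no "host userid:password" line.
missing_credentials() {   # usage: missing_credentials TRANSPORT_FILE SASL_PASSWD_FILE
    relay_hosts "$1" | while read -r host; do
        awk -v h="$host" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }
            tolower($1) == h && $2 ~ /^[^:]+:.+/ { found = 1 }
            END { exit !found }
        ' "$2" || echo "$host"
    done
}

# Write the sample files into a directory.
write_sample() {   # usage: write_sample DIR
    cat > "$1/transport" <<'EOF'
langex.net               local

gmail.com               smtp:smtp.sohu.com
hotmail.com             smtp:smtp.sohu.com

sina.com                smtp:smtp.sina.com
boltblue.com            smtp:smtp.sina.com
msn.com                 smtp:smtp.sina.com
onlineworkshop.net      smtp:smtp.sina.com

*                       smtp
EOF
    cat > "$1/sasl_passwd" <<'EOF'
# constructed placeholder credentials; smtp.sina.com is deliberately absent
smtp.sohu.com exampleuser:examplepassword
EOF
}

# Demo on the sample files.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
echo "gmail.com   -> $(relay_for "$demo_dir/transport" gmail.com)"
echo "example.org -> $(relay_for "$demo_dir/transport" example.org)"
echo "relays without credentials: $(missing_credentials "$demo_dir/transport" "$demo_dir/sasl_passwd")"
rm -rf "$demo_dir"
```

    On a live server, `postmap -q gmail.com hash:/etc/postfix/transport` asks Postfix itself for the same exact-match lookup once the map has been built.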
    

    Set Up PHP

    My main source of e-mail on this server is a PHP-driven website. In this website I have the following function:

            function emailWrap($thisEmailAddress, $thisSubject, $thisMessage, $thisReplyTo)
            {
    
              $toDomain = stristr( $thisEmailAddress, "@" ); // extract domain from e-mail address
              $toDomain = strtolower ( $toDomain ); // make all alphabetic characters lower case
    
              switch($toDomain)
              {
                default:
                  $headMe = 'webmaster@langex.net';
                break;
    
                case "@gmail.com":
                  $headMe = 'bjlangex@sohu.com';
                break;
    
                case "@hotmail.com":
                  $headMe = 'bjlangex@sohu.com';
                break;
    
                case "@sina.com":
                  $headMe = 'langexnet@sina.com';
                break;
    
                case "@boltblue.com":
                  $headMe = 'langexnet@sina.com';
                break;
    
                case "@msn.com":
                  $headMe = 'langexnet@sina.com';
                break;
    
                case "@onlineworkshop.net":
                  $headMe = 'langexnet@sina.com';
                break;
              }
    
              // Strip CR/LF so a caller-supplied Reply-To cannot inject extra headers
              $thisReplyTo = str_replace(array("\r", "\n"), '', $thisReplyTo);

              $headFrom = "From: Language Exchange Webmaster <" . $headMe . ">";
              $headReplyTo = "Reply-To: " . $thisReplyTo;
              $headContent = "Content-Type: text/plain; charset=GB2312";
              $addheader = $headFrom . "\n" . $headReplyTo . "\n" . $headContent;

              $addParam = "-f " . $headMe; // the PHP magic for setting the envelope address
              mail($thisEmailAddress, $thisSubject, $thisMessage, $addheader, $addParam);
            }
    

    There are two main things to take note of in this function:

    1. The contents of the switch must be kept in alignment with /etc/postfix/transport
    2. $addParam = "-f " . $headMe; is the statement that specifies/sets the envelope address within PHP.

    Re. item 2, I chased my tail for a long time before figuring out that the "additional parameter" to the PHP mail()[1] function was the Linux server way to do this. There is one particularly misleading PHP function called ini_set()[2] which DOES NOT WORK on Linux, and is apparently meant for Windows servers.

    In Summary

    For those e-mail destination domains (hopefully the vast majority) that do not give your server any grief, everything works just like a default Postfix server, ie. Postfix connects directly to the destination SMTP server and delivers the e-mail.

    For those domains that regularly give you delivery problems for whatever reason, if you can find a relay server that it will accept mail from, then use that relay server.

    But remember: any application on your server that queues an e-mail to Postfix for one of these problem destination domains, where you have not correctly configured the application to set the envelope address to correspond to the relay server, will result in bounced e-mail. This is a seriously non-trivial problem if you have other people using the server and/or e-mail being sent from multiple different sources. If you can limit the number of applications sending external e-mail to one, this method works really quite well.

    [1] http://www.php.net/mail
    [2] http://www.php.net/ini_set

    posted at: 04:38 | path: /Admin/email/postfix | permanent link to this entry


    /Admin/email/postfix: Simple E-mail Server Relay

    The obvious first thing to try is an unauthenticated relay through your ISP's e-mail server: since I am a paying ADSL customer within their network, hopefully authentication will not be necessary. My ISP is China Netcom (中国网通 - “Wang Tong”). From China Netcom's e-mail web page I deduce that one of their servers is smtp.bbn.cn. If I add

    relayhost = smtp.bbn.cn
    to /etc/postfix/main.cf, my e-mails bounce with the error “530 Authentication required”, ie. for this SMTP server I need to set up a China Netcom/网通 e-mail account and use authenticated relaying.

    I then set up a bbn.cn account on http://mail.bbn.com.cn/. Note that if you are not using a China Netcom/网通 internet connection, you will get the following error message when you attempt to register: “提示:请您使用北京网通宽带接入才能购买此产品”. Also note that if you cannot read Chinese then the translation function of www.xuezhongwen.net/chindict/chindict.php is your friend.

    I then tested my new bbn.cn account's SMTP with my regular e-mail client, and it seemed to work fine. I then configured my postfix server to relay ALL e-mails through my bbn.cn account:

    First edit /etc/postfix/sasl_passwd to contain:

    smtp.bbn.cn username:password

    Restrict access to this password file:

    chown root:root /etc/postfix/sasl_passwd && chmod 600 /etc/postfix/sasl_passwd

    Create a database version of the file (sasl_passwd.db) for postfix:

    postmap hash:/etc/postfix/sasl_passwd

    Now edit /etc/postfix/main.cf to add the following lines:

    relayhost = smtp.bbn.cn
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_type = cyrus
    smtp_sasl_security_options = noanonymous

    and restart postfix:

    /etc/init.d/postfix restart

    You can then verify that your server's outgoing e-mails are passing through smtp.bbn.cn by examining the header of a sent e-mail. In /var/log/mail.log you should also see something like:

    postfix/smtp[7052]: 34CEA238D8: to=user@email.com, relay=smtp.bbn.cn[202.106.46.89]:25, delay=1388, delays=1382/0.11/5.6/0.14, dsn=2.0.0, status=sent (250 ok: Message 135909587 accepted)

    Sadly, there seems to be a problem with smtp.bbn.cn, as some of my e-mail disappeared without a trace or a bounce. Bad server. Stay away from smtp.bbn.cn.

    But the process is very easy to replicate. Next I registered for a sohu.com e-mail account at mail.sohu.com and substituted:

    relayhost = smtp.sohu.com

    in /etc/postfix/main.cf. (And don't forget the correct userid/password for your sohu.com account in /etc/postfix/sasl_passwd...)

    smtp.sohu.com seems to be reliable in the sense that they do not lose my e-mail, but if there is a lot of outgoing mail in a short period, they start refusing service and finally bounce everything for a period of time until things quiet down. In other words, a simple relay through sohu will probably work for personal e-mail, but if you have other people using your server this will probably not be the final solution.

    I am running now on a somewhat more complicated configuration: a multiple relay.

    posted at: 04:21 | path: /Admin/email/postfix | permanent link to this entry


    /Admin/email/postfix: Filtering E-mail Content

    This is remarkably simple in Postfix.

    Create two files, /etc/postfix/header_checks and /etc/postfix/body_checks, with content like the following:

    /Anatrim/ REJECT
    /Viagra/ REJECT

    Then add the following lines to /etc/postfix/main.cf:

    body_checks = regexp:/etc/postfix/body_checks
    header_checks = regexp:/etc/postfix/header_checks

    and as usual restart postfix:

    /etc/init.d/postfix restart

    "header_checks" will reject any e-mail which contains any of the specified strings in the header, and "body_checks" will reject any e-mail which contains any of the specified strings in the body. Note that the header of an e-mail is generally much smaller than the body, so there is much less overhead with header checking. Also, these checks are case insensitive.

    There is the added bonus that the offending e-mails will be rejected by your e-mail server in a way that might very well leave a spammer with the impression that they are sending to an invalid e-mail address.

    An excellent resource: http://www.securityfocus.com/infocus/1598

    posted at: 04:10 | path: /Admin/email/postfix | permanent link to this entry


    /Admin/email/postfix: Blocking SPAM

    For the simple case of blocking/bouncing a particular e-mail address, create a file /etc/postfix/spammer containing something like the following:

    spammer@domain.com REJECT
    spammer2@spamcentral.net 554 Die Spammer, die!

    Note that a full list of possible return codes can be seen in RFC-821[1].

    Then run

    postmap spammer

    to generate a db file for postfix. Add the following line to /etc/postfix/main.cf:

    smtpd_sender_restrictions = reject_non_fqdn_sender, check_sender_access hash:/etc/postfix/spammer, permit

    Note that "reject_non_fqdn_sender" will bounce any e-mail coming from an address that does not have a fully-qualified domain name.

    Restart postfix:

    /etc/init.d/postfix restart

    That simple.
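    How the smtpd_sender_restrictions line above decides, as an added example that is not part of the original post: a simplified Python model that evaluates the three restrictions left to right and stops at the first decisive result. The function names are hypothetical, the table is a constructed copy of the one on this page, and 504 and 554 are the Postfix default reply codes for a non-FQDN sender and for an access-table REJECT.

```python
# Constructed copy of the page's /etc/postfix/spammer table.
ACCESS = """\
spammer@domain.com REJECT
spammer2@spamcentral.net 554 Die Spammer, die!
"""

def parse_access(text):
    """Map each lower-cased lookup key to its action string."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            key, action = line.split(None, 1)
            table[key.lower()] = action.strip()
    return table

def lookup_keys(sender):
    """Keys tried for a sender: full address, domain and parents, then localpart@."""
    local, _, domain = sender.lower().rpartition("@")
    labels = domain.split(".")
    parents = [".".join(labels[i:]) for i in range(len(labels))]
    return [sender.lower()] + parents + [local + "@"]

def evaluate(sender, table):
    """Apply reject_non_fqdn_sender, check_sender_access, permit, left to right."""
    domain = sender.rpartition("@")[2] if "@" in sender else ""
    if sender and "." not in domain:            # the null sender <> is exempt
        return ("reject_non_fqdn_sender", "504")
    for key in lookup_keys(sender):
        action = table.get(key)
        if action == "REJECT":
            return ("check_sender_access", "554")   # default reject code
        if action and action[:3].isdigit():
            return ("check_sender_access", action)  # custom code and text
    return ("permit", "OK")

if __name__ == "__main__":
    table = parse_access(ACCESS)
    # Constructed envelope senders.
    for s in ("Spammer@Domain.com", "spammer2@spamcentral.net",
              "other@domain.com", "root@localhost", ""):
        print(repr(s), evaluate(s, table))
```

    Note that other@domain.com is permitted: an entry for a full address blocks only that address, and blocking every sender at the domain needs a separate domain.com key. On a live server a single lookup can be checked with postmap -q spammer@domain.com hash:/etc/postfix/spammer.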

    Some useful resources: http://www.securityfocus.com/infocus/1593
    http://www.postfix.org/SMTPD_ACCESS_README.html
    http://www.yolinux.com/TUTORIALS/LinuxTutorialMailMTA.html
    http://www.akadia.com/services/postfix_uce.html

    [1] http://www.ietf.org/rfc/rfc0821.txt

    posted at: 04:04 | path: /Admin/email/postfix | permanent link to this entry

    Fri, 03 Oct 2008


    /SW/website/blog: On The Value of Blogging

    Blogging as a pop culture phenomenon came about just in the last couple of years. But for those of us involved in high-tech, this has been going on for many years, even decades. Who remembers "News Groups"? I certainly do, and probably made my first post to a news group around about 1996, just about the same time e-mail was becoming a common tool in big corporations.

    It is probably no big surprise, but the high-tech community were among the first to discover the vast potential of various electronic networking technologies (e-mail, news groups, web-pages....) for the sharing of information.

    As someone who has run Linux on all of his computers since at least 2002, and dabbled for several years before that, I have been heavily using and contributing to the Open Source software community for quite some time now. One of the things one quickly notices about the community is its geographic distribution. In getting one recent bug[1] fixed, for example, I (just at the moment, in Vietnam) worked with two other people, one in Sweden and one in the UK.

    Virtually all communication is electronic in this community. Software documentation is sometimes good, sometimes not so good.... But whether trying to do a fresh install & configure, or sort out a bug in something newly upgraded, one *quickly* learns to be grateful to all the people who have made their notes and answers and ideas available in a public place so that search engines can find them. Forum and e-mail list archives are treasure troves, but the very best stuff is the notes / tutorials / how-to's that the authors are kind enough to publish. There is so much information out there that I very rarely have to ask for help on an e-mail list (Open Source "customer support").

    So I have gotten quite used to how my friends and collaborators in Open Source, and now myself, live a rather "public" life, running web-sites and blogs, and making copious contributions to forums and e-mail lists (search google for "debian ckoeni@gmail" and you will get 200+ hits of my own contributions since I started using ckoeni@gmail for list e-mails). It's actually a way of giving back to the community, after so often being helped by others doing the same thing.

    As one can see from the dates, this particular blog is fairly new. I used to keep my notes in a typo3 Content Management System, but adding / editing was not nearly as convenient as my current setup[2], and something had to be "important" or I needed to feel like I had "free time" before content was added.

    My current setup using the pyBlosxom[3] blog engine with mirrored copies on my website and my desktop removes almost all the overhead from editing blog content, so I find myself creating content / notes on the fly, as I work. This makes my notes more complete and accurate, and I am finding it also seems to organize my work flow and make me more organized. I also still have access to all my notes even when not internet-connected.

    The discipline of writing a document about my work, as I work, seems to spill over into injecting more discipline and structure into my work. Perhaps it slows me down a bit, but I think the quality of the result is better. And I do not get stressed out trying to remember everything, because it's all written down....

    [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497016
    [2] http://blog.langex.net/index.cgi/SW/blog/
    [3] http://pyblosxom.sourceforge.net/

    posted at: 01:14 | path: /SW/website/blog | permanent link to this entry

    Wed, 01 Oct 2008


    /xLife/Vietnam: Direct Train Between Hanoi and Beijing

    I had no idea this was possible until a travel agent educated me, but I just bought a Hanoi to Beijing train ticket right here in Hanoi. I thought it was impossible to buy Chinese train tickets outside of China, but I was quite wrong. This option has the excellent bonus feature of not getting stuck in Nanning for days trying to buy the onward train ticket after riding the bus from Hanoi to Nanning.

    The Hanoi to Nanning leg is quite a PITA. It leaves from Hanoi at 1830, and then there is a bed-time delaying train change at the border just before midnight (this is also where you clear Vietnamese immigration). This would not be so bad, but then the train quickly stops at a Chinese immigration station, where Chinese immigration take an hour+ to clear the whole train. Final bed-time: 0130. Then we arrived in Nanning around 0600, and were promptly kicked off the train for two hours while they added the cars from our little train to the much bigger train headed for Beijing. I would recommend trying to get some sleep on the Vietnamese train. The damned thing bounces and jolts around too much to read comfortably anyway.

    Total cost for the trip (soft sleeper accommodations) was US$150, less than half the best airfare I was being quoted. And I think my cost was augmented by a US$20-30 travel agent fee. Next time I will go directly to the train station to buy the ticket.

    posted at: 04:35 | path: /xLife/Vietnam | permanent link to this entry


    /SW/research: Zotero is Your Personal E-Library / E-Bibliography

    Have you ever wished someone would make your web browser "bookmarks" a useful place to store information? Someone has.....

    The most efficient thing to do is view the excellent intro video on their website:
    http://www.zotero.org/

    Zotero is a Firefox plugin, which is both its best feature (right at your fingertips while browsing) and worst feature (I dislike the constraint of one application depending too much on another.... Firefox is not the only web browser in the world, after all.)

    Basically it allows the collation and organization of a collection of notes, copies of web pages, external documents, pdfs, annotations and high-lighting, all into one place, that in this case is a box in the lower right hand corner of your Firefox browser window called "zotero". As someone who does a lot of research, I can say Zotero looks very powerful to me. It is not "just" a plugin, it is a big complex application that has been packaged as a "plugin".

    I cannot find anything else even close to it in functionality within Debian Linux' huge software library. "referencer" has promise, but seems primitive in comparison. Unless it is buggy (don't know yet) I expect to make heavy use of Zotero.

    posted at: 04:07 | path: /SW/research | permanent link to this entry