Postfix outgoing/outbound SMTP authentication for smtp.hispeed.ch/cablecom.ch

It took quite some packet sniffing and debugging to find out the correct settings and encodings.

Here are the settings for postfix outbound/outgoing/upstream SMTP AUTH, smtp.hispeed.ch/cablecom.ch and Gentoo:

To /etc/postfix/main.cf, add:

smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain
smtp_use_tls = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd_outgoing_smtp
smtp_sasl_security_options = noanonymous

For debugging purposes, you might want to temporarily set “smtp_use_tls = no” in order to disable transport layer security encryption. Setting “smtp_sasl_mechanism_filter = plain” is not mandatory but might be helpful if AUTH LOGIN doesn’t seem to work for some reason.

Then create a file /etc/postfix/sasl_passwd_outgoing_smtp (or whatever name you chose) consisting of the following line:

smtp.hispeed.ch login:password

where “login” is your hispeed e-mail address (e.g. name@hispeed.ch) and “password” the password for your e-mail account at hispeed.ch. Don’t even try to use the credentials they sent you by snail mail. These are only valid to set up an initial e-mail account at hispeed.ch.

Now create a postfix-readable hash database of this text file by executing:

# postmap hash:/etc/postfix/sasl_passwd_outgoing_smtp

reload postfix:

# /etc/init.d/postfix reload

That’s it :) You can now check whether SMTP authentication works by sending a test message to a local and to a remote recipient while monitoring /var/log/messages or /var/log/mail.info (‘tail -f /var/log/messages’ etc.). If necessary, you can temporarily increase the log level of postfix by starting postfix with the “-v” option (adjust /etc/init.d/postfix accordingly). For general debugging of SMTP problems, telnet comes in handy.

Use perl to encode your login and password as base64:

$ perl -MMIME::Base64 -e 'print encode_base64("name\@hispeed.ch\0name\@hispeed.ch\0password");'
bmFtZUBoaXNwZWVkLmNoAG5hbWVAaGlzcGVlZC5jaABwYXNzd29yZA==

You could also use ‘mimencode’ (or ‘mmencode’ etc.) instead, but using perl is recommended as feeding the special characters (nul) to mimencode is pretty error-prone. The above encoded string is suitable for AUTH PLAIN. Note that you need to specify your credentials as “login\0login\0password” and mask any perl special characters like “@”, “$” etc. with backslashes. \0 denotes the ASCII nul character (0x00). For AUTH LOGIN, separate the login and password, i.e. do

$ perl -MMIME::Base64 -e 'print encode_base64("name\@hispeed.ch");'
bmFtZUBoaXNwZWVkLmNo
$ perl -MMIME::Base64 -e 'print encode_base64("password");'
cGFzc3dvcmQ=

If AUTH PLAIN works, your telnet session should look similar to this one:

$ telnet smtp.hispeed.ch 25
Trying 62.2.95.12...
Connected to smtp.hispeed.ch.
Escape character is '^]'.
220 smtp.hispeed.ch ESMTP Sendmail 8.12.6/8.12.6/tornado-1.0; Thu, 2 Jun 2005 18:25:33 +0200
EHLO smtp.hispeed.ch
250-smtp.hispeed.ch Hello cut.dclient.hispeed.ch [cut], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 10485760
250-DSN
250-AUTH PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
AUTH PLAIN bmFtZUBoaXNwZWVkLmNoAG5hbWVAaGlzcGVlZC5jaABwYXNzd29yZA==
235 2.0.0 OK Authenticated
QUIT
221 2.0.0 smtp.hispeed.ch closing connection
Connection closed by foreign host.

For AUTH LOGIN, the login and password are base64-encoded and submitted separately, as shown above.
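The encoding the perl one-liners above perform, and the capability check that belongs in front of it, as an added Python example that is not part of the original post. `sasl_plain_encode`, `sasl_plain_decode`, `auth_login_encode`, `parse_ehlo` and `safe_to_send_plain_auth` are names chosen here; the EHLO reply is a constructed copy of the telnet session above with the client name cut, and the credentials are the post's sample values.

```python
"""Added example (not from the original post): build and inspect the
base64 blobs that AUTH PLAIN and AUTH LOGIN expect, and read the EHLO
capability list to check that STARTTLS is on offer before any credentials
are sent. Sample values are constructed and match the post's
"name@hispeed.ch" / "password" illustration."""
import base64

NUL = b"\x00"


def sasl_plain_encode(authzid: str, authcid: str, passwd: str) -> str:
    """AUTH PLAIN payload: base64(authzid NUL authcid NUL passwd).

    The post uses the login for both the authorization identity (authzid)
    and the authentication identity (authcid); authzid may also be empty."""
    for part in (authzid, authcid, passwd):
        if "\x00" in part:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    raw = NUL.join(p.encode("utf-8") for p in (authzid, authcid, passwd))
    return base64.b64encode(raw).decode("ascii")


def sasl_plain_decode(blob: str) -> tuple:
    """Inverse of sasl_plain_encode, e.g. for reading a captured AUTH PLAIN line.
    Rejects blobs that do not contain exactly three NUL-separated fields."""
    raw = base64.b64decode(blob, validate=True)
    parts = raw.split(NUL)
    if len(parts) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(parts)}")
    return tuple(p.decode("utf-8") for p in parts)


def auth_login_encode(login: str, passwd: str) -> tuple:
    """AUTH LOGIN sends the login and the password as two separate base64
    strings, each in reply to a 334 prompt from the server."""
    return (base64.b64encode(login.encode("utf-8")).decode("ascii"),
            base64.b64encode(passwd.encode("utf-8")).decode("ascii"))


def parse_ehlo(response: str) -> dict:
    """Turn the multi-line 250 EHLO reply into {KEYWORD: [params]}.
    The first 250 line is the greeting and carries no capability."""
    caps = {}
    lines = response.strip().splitlines()
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        body = line[4:].split()          # drop "250-" or "250 "
        if body:
            caps[body[0].upper()] = body[1:]
    return caps


def safe_to_send_plain_auth(caps: dict, tls_active: bool) -> bool:
    """PLAIN and LOGIN are only base64, not encryption: send them only once
    STARTTLS has been negotiated, and only if the server lists them."""
    mechs = caps.get("AUTH", [])
    return tls_active and ("PLAIN" in mechs or "LOGIN" in mechs)


# Constructed EHLO reply, copied from the session in the post with the client cut.
EHLO_REPLY = """250-smtp.hispeed.ch Hello [cut], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 10485760
250-DSN
250-AUTH PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
"""

if __name__ == "__main__":
    blob = sasl_plain_encode("name@hispeed.ch", "name@hispeed.ch", "password")
    print("AUTH PLAIN", blob)
    print("decoded:", sasl_plain_decode(blob))
    print("AUTH LOGIN", auth_login_encode("name@hispeed.ch", "password"))
    caps = parse_ehlo(EHLO_REPLY)
    print("STARTTLS offered:", "STARTTLS" in caps)
    print("ok to AUTH on a cleartext connection:", safe_to_send_plain_auth(caps, False))
```

PLAIN and LOGIN only base64-encode the credentials, they do not protect them, which is why the `smtp_use_tls = yes` line in main.cf matters and why running with it set to `no` for debugging shows the password to anyone on the path; `safe_to_send_plain_auth` is that rule in code. `sasl_plain_decode` is the half a defender needs when an AUTH PLAIN line turns up in a capture or mail log: it splits the blob back into authzid, authcid and password and refuses blobs without exactly three fields.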

Gentoo: libsdl gone mad? Nope.

If you’ve emerge sync’ed today and the output of an ’emerge -puD world’ on your CLI-only box looks similar to mine..

o2 media-libs # emerge -pu lib-compat

These are the packages that I would merge, in order:

Calculating dependencies …done!
[ebuild N ] media-libs/audiofile-0.2.6-r1
[ebuild N ] media-sound/alsa-headers-1.0.8
[ebuild N ] media-libs/alsa-lib-1.0.8
[ebuild N ] x11-base/xorg-x11-6.8.2-r1
[ebuild N ] sys-apps/utempter-0.5.5.5-r1
[ebuild N ] x11-terms/xterm-200-r1
[ebuild N ] media-libs/lcms-1.13-r1
[ebuild N ] media-libs/libmng-1.0.4
[ebuild N ] x11-libs/qt-3.3.4-r3
[ebuild N ] kde-base/kde-env-3-r3
[ebuild N ] kde-base/arts-1.3.2-r1
[ebuild N ] media-libs/libsdl-1.2.8-r1
[ebuild N ] sys-libs/lib-compat-1.4

..you might want to adjust your USE flag settings to anticipate the recent soft dependency changes in libsdl. Add “-arts” (KDE sound server, not needed on a headless server) to your USE flags in /etc/make.conf and the output will look like

o2 media-libs # emerge -puD lib-compat

These are the packages that I would merge, in order:

Calculating dependencies …done!
[ebuild N ] media-libs/audiofile-0.2.6-r1
[ebuild N ] media-sound/alsa-headers-1.0.8
[ebuild N ] media-libs/alsa-lib-1.0.8
[ebuild N ] media-libs/libsdl-1.2.8-r1
[ebuild N ] sys-libs/lib-compat-1.4

Much better, isn’t it? ;) Of course, if you don’t like alsa, you can opt it out too.

Bug tracking tools

Installed Bugzilla and Trac and a couple of other dev tools to complete the first development and runtime environment infrastructure of our[1] upcoming startup company (which will revolutionize quite some things in the blogosphere, if successful :)

If you take a close look at common OSS dev tools, it’s astonishing how limited most of them are. They usually follow a conservative, traditional “me too” approach to accomplish their tasks – despite foreseeable drawbacks. I’d like to see more inventive and courageous approaches that lead to unconventional, but finally superior software instead of having a variety of very similar tools which are limited by design. It’s worth taking the time to think deeply about different (and also radically new :) approaches before digging into coding matters.

[1] So far, Ben’s and mine (interested to join? Contact us!)

Swiss Gentoo derivative – Pentoo LiveCD

There’s a new Gentoo derivative:


“Pentoo” is an acronym for “PENetration on genTOO”. It is based on kernel version 2.6.10, uses the Gnome desktop environment, and aims to provide a complete platform for intrusion detection, penetration-testing and security assessment. The content of the LiveCD can be updated, allowing for up-to-date fingerprint and vulnerability databases, for tools that require regular updates like the Nessus plugins, or scanner fingerprint files, metasploit etc. Users can optionally store data on USB sticks for non-volatile storage support. Pentoo’s author, Michael Zanetta, emphasizes that “it has to be considered beta as I have not much time to test it carefully,” so feedback and comments are very welcome, at bugs@pentoo.ch. A roadmap for the project is available, too.

(Source: Gentoo Weekly Newsletter: April 25th, 2005)

read only access to a webdav share using apache2 mod_dav

did you know you can configure mod_dav to allow read-only access to your webdav share (apart from the usual read-write access)? all you need to do is set “Options Indexes”, point your browser to the webdav url and enter your credentials. basically, i have the following mod_dav configuration[1]:

BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "Microsoft-WebDAV-MiniRedir/5.1.2600" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS" redirect-carefully

LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
DavLockDB /var/lib/dav/lockdb

DavMinTimeout 600
<Directory /path/to/the/dav>
    Options Indexes
    Dav On
    AuthType Basic
    AuthName "Please enter your webshare credentials"
    AuthUserFile /path/to/the/passwordfile
    Require user johndoe
</Directory>

i had to remove <Limit> restrictions as basic auth didn’t work with it for some reason. configuring a share that can be accessed read-write using both samba/smb/cifs and webdav is a bit more tricky and depends on which linux distribution you use. in a nutshell, you need to fiddle with directory permissions (especially the “sgid – set group id” bit) and figure out which setting works best (and most securely) for you.

note that for security reasons, you should only allow encrypted http access (https using tls/ssl) to your share (see the Redirect directive, for example).
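An added configuration example, not the post's own, that keeps the share above but enforces the two points just made in the server itself: cleartext requests are refused outright instead of relying on a redirect, and read-only users are separated from read-write users by HTTP method. /path/to/the/dav, the password file and the user names "reader" and "johndoe" are placeholders. The post dropped its <Limit> sections because Basic auth misbehaved with them in that setup; the method split below is the layout the Apache mod_dav documentation uses for exactly this purpose, and it is worth retrying, because `Options Indexes` only changes what a browser GET shows, while every account the Require line admits can still PUT and DELETE unless the methods are limited.

```apache
# Added example, not the configuration from the post. Apache 2.0/2.2
# directive set, matching the post; needs mod_dav, mod_dav_fs, Basic auth
# and mod_ssl. Paths and user names are placeholders.

LoadModule dav_module    modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so

# Lock database: writable by the httpd user only, and outside the
# DocumentRoot so it can never be served.
DavLockDB     /var/lib/dav/lockdb
DavMinTimeout 600

<Directory /path/to/the/dav>
    Dav On
    Options Indexes
    AuthType Basic
    AuthName "Please enter your webshare credentials"
    AuthUserFile /path/to/the/passwordfile

    # Basic auth only base64-encodes the password. Refuse the share
    # entirely unless the request arrived over TLS (mod_ssl).
    SSLRequireSSL

    # Read-only WebDAV methods: any account in the password file.
    <Limit GET HEAD OPTIONS PROPFIND>
        Require valid-user
    </Limit>

    # Everything else (PUT, DELETE, MKCOL, COPY, MOVE, PROPPATCH, LOCK,
    # UNLOCK): only the account that is allowed to write.
    <LimitExcept GET HEAD OPTIONS PROPFIND>
        Require user johndoe
    </LimitExcept>
</Directory>
```

With this layout a user such as "reader" in the password file can browse and download but gets a 403 on any writing method, and a plain http:// request fails before credentials are ever requested.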

[1] in gentoo, edit /etc/apache2/conf/modules.d/45_mod_dav.conf

(thanks to flo for the tip)

nload – network bandwidth monitor for the console

nload, a decent network bandwidth monitor for the linux console (you can thus use it to quickly monitor the available bandwidth on your remote linux server):

www.roland-riegel.de – nload: monitor network traffic and bandwidth usage

# emerge nload (surprise, surprise ;)

usage (for example):

# nload -i 2000 -o 400

(where 2000 is the [i]ncoming/downstream and 400 the [o]utgoing/upstream bandwidth of my server in kbit/s)

(note that it doesn’t brew coffee, though ;)

(kudos to Crypto from #gentoo for the hint)

monotone: a BitKeeper replacement?

As Linus Torvalds mentioned it as the most viable BitKeeper replacement, monotone: distributed version control is on my watchlist now (and it should be on yours too, eventually ;).

I’ve been using subversion/svn for a while now (BTW if you use it, choose FSFS for storage type and DAV for connectivity). It’s pretty okay (way better than CVS, at least) as long as you’re working online and the only one accessing the repository ;) For distributed development (such as with the Linux kernel) it’s less suitable though. Particularly merging conflicting revisions kind of “sucks”. Monotone promises to bring improvements in this field (monotone FAQ):

How do you merge versions?

The merging system is based on a pair of 3-way merges: one set-oriented one at the changeset level to resolve differences in tree layout, and one line-oriented one at the file level, to resolve differences in concurrent edits to the same file. If either of these fail, they are passed off to a user-provided hook function, which invokes emacs ediff mode by default (but can be overridden).

It is important to note that a 3-way merge is not the same as simply “applying patches” in one order or another: we locate the least common ancestor of the merged children in our ancestry graph, calculate the edits on the left and right edges, adjust the right edge’s edit coordinates based on the left edge’s edits, and only then do we concatenate the left and right edges (ignoring identical changes, and rejecting conflicting ones).

Why not use more “sophisticated” merge algorithms, as in Codeville, Darcs, or Arch?

A few reasons:

  • We don’t see how Codeville’s algorithm achieves anything beyond
    what we currently do, though we’ll happily listen to explanations.
  • Darcs algorithm is based on patch commuting, which requires a
    fundamentally different representation of versions than ours.
  • Arch’s merges are based on applying patches in various orders.
    While better suited to cherry-picking, only one of them (star-merge)
    seems to provide a 3-way merge; the other two are strictly weaker.
  • In general, we’re afraid of hitting patents. We don’t know exactly what’s
    patented in this field, but so far the 3-way merge has served well.

If you find a better, free merge operator, please let us know!

Hopefully, there will be more choice regarding monotone’s frontends and IDE integration soon.
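A worked version of the line-level 3-way merge the FAQ describes, as an added example that is not monotone's code: `merge3` takes the least common ancestor as `base` and the two descendants as `left` and `right`, applies one-sided edits as they are, takes identical edits only once, and refuses to guess at conflicting ones, marking them instead. The function names and sample inputs are constructed here, and difflib's matching blocks stand in for monotone's own diff.

```python
"""Added example, not monotone's code: a line-oriented 3-way merge of the
kind the FAQ describes. `base` plays the least common ancestor, `left` and
`right` the two descendants. All inputs below are constructed."""
from difflib import SequenceMatcher


def _match_map(base, other):
    """Map index in base -> index in other for lines difflib pairs as unchanged."""
    mapping = {}
    matcher = SequenceMatcher(None, base, other, autojunk=False)
    for i, j, n in matcher.get_matching_blocks():
        for k in range(n):
            mapping[i + k] = j + k
    return mapping


def merge3(base, left, right, left_name="left", right_name="right"):
    """Return (merged_lines, conflict_count)."""
    ma, mb = _match_map(base, left), _match_map(base, right)
    out, conflicts = [], 0
    i = a = b = 0                       # cursors into base, left, right
    n = len(base)
    while i < n or a < len(left) or b < len(right):
        # Advance j to the next base line kept unchanged by BOTH sides: the
        # next stable anchor. Everything before it on the three sides forms a
        # chunk that at least one side edited (or inserted lines into).
        j = i
        while j < n and not (j in ma and j in mb):
            j += 1
        end_a = ma[j] if j < n else len(left)
        end_b = mb[j] if j < n else len(right)
        o_chunk, a_chunk, b_chunk = base[i:j], left[a:end_a], right[b:end_b]
        if o_chunk or a_chunk or b_chunk:
            if a_chunk == o_chunk:          # only right changed here
                out.extend(b_chunk)
            elif b_chunk == o_chunk:        # only left changed here
                out.extend(a_chunk)
            elif a_chunk == b_chunk:        # both made the same change
                out.extend(a_chunk)
            else:                           # real conflict: keep both, flag it
                conflicts += 1
                out.append(f"<<<<<<< {left_name}")
                out.extend(a_chunk)
                out.append("=======")
                out.extend(b_chunk)
                out.append(f">>>>>>> {right_name}")
        if j < n:                           # emit the stable anchor line
            out.append(base[j])
            i, a, b = j + 1, end_a + 1, end_b + 1
        else:
            i, a, b = n, len(left), len(right)
    return out, conflicts


if __name__ == "__main__":
    # Constructed sample: left edits line 2, right appends a line. Neither
    # side's change depends on the other, so the merge is clean.
    base = ["a", "b", "c"]
    left = ["a", "B", "c"]
    right = ["a", "b", "c", "d"]
    merged, n_conf = merge3(base, left, right)
    print("\n".join(merged), "| conflicts:", n_conf)
    # Constructed sample: both sides rewrote the same line differently.
    merged, n_conf = merge3(["x"], ["y"], ["z"])
    print("\n".join(merged), "| conflicts:", n_conf)
```

The FAQ's point that this is not "applying patches in one order or another" shows up directly: `merge3(base, left, right)` and `merge3(base, right, left)` produce the same lines for a clean merge, because each chunk is resolved against the common ancestor rather than against whichever side happened to be applied first.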

BitKeeper would be the VCS of choice for me. Unfortunately, it will be closed source software exclusively soon. Due to BK’s high price tag, a commercial license (or leasing) of BK is not an option at the moment.

BTW. Surprisingly, there’s a whole bunch of other interesting VCS projects (most of which I didn’t know).

UPDATES:
1. monotone is available in Gentoo’s Portage tree, ready to be installed (IOW stable) :)
2. svk looks interesting too (particularly if you use svn already). Gentoo ebuilds for svk are masked currently.

exec-shield again

as ingo has restarted publishing plain exec-shield patches, i decided to apply his patch again. exec-shield-nx-2.6.11-A8 works nicely with kernel 2.6.11.6. there’s just a minor reject for the makefile:

– EXTRAVERSION =
+ EXTRAVERSION = -exec-shield

either patch the patch or change EXTRAVERSION from “.6” to “.6-exec-shield” manually.

nice document about exec-shield (among others): New Security Enhancements in Red Hat Enterprise Linux v.3, update 3 (PDF). another nice document: Security Enhancements in Red Hat Enterprise Linux (beside SELinux) (PDF). it also features a cool shell script – which is protected by copyright laws (and strict pdf drm settings) unfortunately.

NOTE TO SELF: check for compatibility with vms (jvm, mono). might break a couple of things.

Distributed computation – OpenMosix – Migshm

Need to take a look at Migshm – A MAASK group DSM patch for openMosix (Gentoo patches). Might be useful for transparently distributing Mono/Java apps to leverage the computing power of many nodes in a LAN. Note that only Java apps running on JVMs using green threads are distributable with default OpenMosix. Mono apps aren’t distributable at all as the VM only uses native threads so far (I was told; not verified so far).

I should also re-enable distcc in order to better leverage available computing power.

lim[t=0->inf](The Joel Test(t)) = 12 ?

An old “acquaintance”: The Joel Test: 12 Steps to Better Code

Just stumbled on it again. I don’t agree with all of the points[1], but it can’t hurt to check them in everyday life from time to time.

[1] 9 wrongly neglects budget restrictions, 11 wrongly discriminates people with a deep understanding of CS/IT but little practice in language XY, 12 a) not everybody has a bunch of people at hand for usability testing b) people tend to treat things as “well usable” if it feels or looks familiar even if they’re actually accustomed to very bad habits in regard to usability.