niels / Software /

Comparing web hosting packages

Comparing web hosting packages is harder than it seems. When searching for the best deal there is a huge list of companies claiming to offer all the features you could ever want and more bandwidth than you need.

Unfortunately, most of these offers are useless. The small print usually contains one or more vague clauses allowing the web hosting company to shut down your website as it pleases. Typical reasons are that your website is ‘interfering with the performance of other customer websites’ or that you have been found to use ‘a’ script that is on their list of ‘insecure programs’.

Some things can’t even be found in the small print. I personally use Servage. They offer 510GB of traffic per month. Last night, however, I saw a rumor confirmed that they don’t give you 510GB per month per se. Instead they give you 510GB/30 = 17GB per day. Now I know a few high-traffic websites and none of them have a traffic pattern that is the same every day of the week. This means it’s practically impossible to benefit from the full 510GB. You won’t even get close.

My problem is not that these limitations exist. Considering the low prices I actually expect some to be there. My problem, however, is that I have to spend hours reading terms & conditions, disclaimers and rumors on forums to figure out which company has the limitations that least impact my needs.


niels / Hardware /

Windows Mobile 5.0 on HX4700

After many delays HP finally released a Windows Mobile 5.0 upgrade for the HX4700. Normally I wouldn’t care about the Windows upgrades, but unfortunately Linux does not support the built-in WiFi of the HX4700 yet.

Running the upgrade from VMWare caused too many problems with the USB passthrough. It got to 50% once out of 20 tries. I ended up using a Windows machine. The upgrade isn’t too exciting, but the improvements are useful enough to spend the $40.

Keeping an eye on the Linux WiFi progress though. OPIE and GPE ran great on my previous IPAQ so I’ll surely switch when WiFi is available. More info at www.handhelds.org.

EDIT:
If you use synce (or synce-kde) you will have to add the new USB IDs to ipaq.c in your kernel source tree:

{ USB_DEVICE(0x03F0, 0x0301) }, /* HP USB Sync */

EDIT 2:
I hear a lot of complaints about the speed of the HX4700 after the update. Hint: turn off automatic error reporting.


niels / Hardware / #voip

Addpac 200 with Asterisk

After telling you how to turn a Pilmo Voicefinder into an Addpac 200 I noticed some people are looking for an actual configuration example. Some fragments might not be needed in your setup.

The Addpac 200 configuration:

version 8.12
!
hostname AP200
!
no ip-share enable
ip-share interface net-side ether0.0
ip-share interface local-side ether1.0
!
interface ether0.0
 ip address 192.168.1.3 255.255.255.0
 description eth0
!
interface ether1.0
 no ip address
 ip dhcp-group 0
!
snmp community 192.168.1.8 public ro
snmp name AP200A
!
no arp reset
!
route 0.0.0.0 0.0.0.0 192.168.1.1
!
dnshost  domain peen.net
dnshost  nameserver 192.168.1.2
!
service snmpd
!
user add niels somepassword admin
!
! VoIP configuration.
!
! Voice service voip configuration.
!
voice service voip
 fax protocol t38 redundancy 0
 fax rate 9600
 h323 call start fast
 announcement language english
 busyout monitor gatekeeper
 busyout monitor voip-interface
!
! Voice port configuration.
!
voice-port 0/0
 ! FXS
 input gain -3
 output gain -3
 caller-id enable
 caller-id type etsi-dtmf-prior-ring
!
! Pots peer configuration.
!
dial-peer voice 0 pots
 destination-pattern 1000
 port 0/0
 user-password asteriskpassword
!
! Voip peer configuration.
!
dial-peer voice 1000 voip
 destination-pattern T
 session target sip-server
 session protocol sip
 answer-address 1000
 codec g711ulaw
 dtmf-relay rtp-2833
 no vad
!
! Gateway configuration.
!
gateway
 h323-id voip.192.168.1.3
 public-ip 192.168.1.3
!
! SIP UA configuration.
!
sip-ua
 sip-server 192.168.1.35
 timeout treg
 try 10
!
! MGCP configuration.
!
mgcp
 epid-type
 codec  g711ula
!
! Tones
!
voip-interface ether0.0

The Asterisk part (sip.conf):

[1000]
type=friend
secret=asteriskpassword
host=dynamic
dtmfmode=rfc2833
username=1000
canreinvite=no
disallow=all
allow=ulaw
qualify=yes
context=default
callerid=Addpac handset <1000>

niels / Code / #php

Geo DNS

There are many databases and pieces of code out there that allow you to detect which country (or even city) a visitor to your website is from. Most of this code is intended to allow you to adjust the content of your website. Very useful. Really!

There are instances however where adjusting content is not enough. Sometimes you will want to redirect users to a server that is local to them. This could be because you have lag-sensitive traffic like VoIP or game servers. It could also be that you generate a lot of traffic and local traffic is simply cheaper than transit. Or maybe you have multiple entry points for VPN and email traffic into your corporate network. Whatever it is, the only way to do this transparently is to make sure your DNS hands out the right IP address to your users. Doing this based on ip-country databases is not ideal but it should get you a long way.

I looked around a bit for a way to do this. There are a few special DNS servers for this purpose. There are also some patches for Bind. I’m not a fan of either special servers or patches though; they often imply maintenance.

So I wrote a little command-line script called geobind.php to convert the database provided by Webnet77 to Bind ACLs. (Requires the PHP4 CLI version to be installed; make sure to edit the variables at the beginning of the script.)

Once you have these ACLs you can use Bind’s view functionality to serve different versions of your zone file to different parts of the world. Each zone file would of course point to IP addresses that are local to that specific part of the world.

Imagine you have 3 zone files: one for Europe, one for the Americas and one for the rest of the world. You simply edit named.conf.local to include the ACLs for Europe and the Americas. E.g.:

include "/etc/bind/named.conf.options";
include "/etc/bind/acl-europe_east.inc";
include "/etc/bind/acl-europe_sout.inc";
include "/etc/bind/acl-europe_west.inc";
include "/etc/bind/acl-europe_nort.inc";
include "/etc/bind/acl-america_cari.inc";
include "/etc/bind/acl-america_cent.inc";
include "/etc/bind/acl-america_nort.inc";
include "/etc/bind/acl-america_sout.inc";

Next you create separate views: one for Europe, one for the Americas and one for everyone else. Bind uses the first view whose match-clients list matches the client, so the catch-all view goes last.

view "europe" {
    match-clients {
        europe_east;
        europe_nort;
        europe_sout;
        europe_west;
    };
    zone "peen.net" {
        type master;
        file "/etc/bind/europe/db.peen.net";
    };
};

view "americas" {
    match-clients {
        america_cari;
        america_nort;
        america_sout;
        america_cent;
    };
    zone "peen.net" {
        type master;
        file "/etc/bind/americas/db.peen.net";
    };
};

view "others" {
    match-clients { any; };
    zone "peen.net" {
        type master;
        file "/etc/bind/others/db.peen.net";
    };
};

Reload Bind and see what happens! 🙂

peen:~# rndc reload
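
geobind.php itself is not reproduced in this post. The following added example (Python, not the author's script) shows the conversion step described above: turning ip-to-country ranges into Bind acl statements made of CIDR blocks. It assumes a CSV layout with the range start and end as 32-bit integers in columns 1 and 2 and the two-letter country code in column 5; the country-to-ACL mapping and the sample rows are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Hypothetical country -> ACL mapping; only the ACL names come from the page.
REGION_OF = {"NL": "europe_west", "DE": "europe_west", "US": "america_nort"}

def _row(first, last, country):
    """Build one constructed CSV row; ranges are stored as 32-bit integers."""
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in (first, last))
    return f'"{lo}","{hi}","registry","0","{country}","",""\n'

# Constructed sample (documentation address ranges, assumed column layout).
SAMPLE_CSV = "# comment line\n" + "".join([
    _row("198.51.100.0", "198.51.100.127", "NL"),
    _row("198.51.100.128", "198.51.100.255", "DE"),
    _row("203.0.113.0", "203.0.113.191", "US"),    # not a single CIDR block
    _row("192.0.2.0", "192.0.2.255", "AU"),        # unmapped country
])

def build_acls(csv_text, region_of=REGION_OF):
    """Return {acl_name: [collapsed IPv4 networks]} for the mapped countries."""
    nets = defaultdict(list)
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 5 or row[0].lstrip().startswith("#"):
            continue
        acl = region_of.get(row[4].upper())
        if acl is None:
            continue  # left to the catch-all view
        try:
            first, last = (ipaddress.IPv4Address(int(v)) for v in row[:2])
            nets[acl].extend(ipaddress.summarize_address_range(first, last))
        except ValueError:
            continue  # header row, bad integer, or reversed range
    return {acl: list(ipaddress.collapse_addresses(n)) for acl, n in nets.items()}

def render_acl(name, networks):
    """Format one Bind acl statement, one network per line."""
    body = "".join(f"    {net};\n" for net in networks)
    return f'acl "{name}" {{\n{body}}};\n'

if __name__ == "__main__":
    for name, networks in sorted(build_acls(SAMPLE_CSV).items()):
        print(render_acl(name, networks))
```

Adjacent ranges that belong to the same ACL are merged, which keeps the generated acl files short and the match-clients lookup cheap.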

niels / Software / #voip

Asterisk 1.2.4 with Sarge

Of course this had to happen: I finish my 1.2.4 packages and the Asterisk team releases 1.2.5. Oh well, the Debian VoIP team will probably follow soon enough and so will I.

When upgrading, make sure you choose the correct version of asterisk: asterisk-classic or asterisk-bristuff. Also, H323 support is removed and chan_capi is included by default now. The zaptel drivers (incl. hfc) have been pre-built for some common kernel versions. If you don’t like waiting, skip asterisk-doc, it’s a 13MB monster.

deb http://debian.peen.net asterisk/


niels / Software / #email

Postfix with Cyrus, Clamav and Spamassassin

This is a quick howto on how to get it all running. Most of the software used is a lot more powerful than this howto suggests. Once you have it all up and running make sure to spend some time checking out the full potential of your setup.

Get all the packages:

Include

deb http://ftp2.de.debian.org/debian-volatile sarge/volatile main

in your /etc/apt/sources.list to make sure you get updates on the clamav engine (and not just the virus data as provided by freshclam).

apt-get install postfix clamav clamav-base clamav-daemon clamav-freshclam amavisd-new spamassassin spamc razor pyzor cyrus21-admin cyrus21-common cyrus21-imapd cyrus21-pop3d

The amavis package recommends a lot of tools like unzip, unrar, etc. It’s best to install all of them; using dselect might be helpful here.

Clamav

Clamav will run fine without changing any settings. To make sure Clamav plays nicely with Amavis add the clamav user to the amavis group in /etc/group:

postfix:x:104:
postdrop:x:105:
mysql:x:106:
clamav:x:107:
amavis:x:108:clamav

You can do this by typing:

adduser clamav amavis

Spamassassin

Switch user to amavis:

peen:~# su - amavis

Then run the commands required to enable Razor to be used by Spamassassin:

amavis@peen:~$ razor-admin -create
amavis@peen:~$ razor-admin -register
Register successful. Identity stored in /var/lib/amavis/.razor/identity-ruu0K-KHfE

Also enable Pyzor:

amavis@peen:~$ pyzor discover
downloading servers from http://pyzor.sourceforge.net/cgi-bin/inform-servers-0-3-x

Create/edit /etc/spamassassin/local.cf.
Mine is very simple:

report_safe 0
skip_rbl_checks 1

I turn off rbl checks in spamassassin as I will have postfix do this instead; see below. No other changes are required.

By default spamassassin is disabled on Debian. Make sure to edit /etc/default/spamassassin and start it:

peen:~# /etc/init.d/spamassassin start
Starting SpamAssassin Mail Filter Daemon: spamd.

Amavis

/etc/amavis/amavisd.conf requires a few configuration changes. Please find the settings quoted below and adjust them to match your setup.

…
$mydomain = 'peen.net';
…
$forward_method = 'smtp:127.0.0.1:10025';
$notify_method = $forward_method;
…
@local_domains_acl = ( ".$mydomain", ".localhost" );
…
$inet_socket_port = 10024;
…

Also make sure you turn on spamassassin support by removing this line:

@bypass_spam_checks_acl = qw( . );

The rest of the defaults are fine. Now restart amavis:

peen:~# /etc/init.d/amavis restart
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.

And do a tail on your syslog to make sure it detects Clamav and Spamassassin:

peen:~# tail -4 /var/log/syslog
Dec 1 11:42:38 peen amavis[15613]: Using internal av scanner code for (primary) Clam Antivirus-clamd
Dec 1 11:42:38 peen amavis[15613]: Found secondary av scanner Clam Antivirus - clamscan at /usr/bin/clamscan
Dec 1 11:42:38 peen amavis[15613]: SpamControl: initializing Mail::SpamAssassin
Dec 1 11:42:39 peen amavis[15613]: SpamControl: done

Cyrus

The default Cyrus configuration will work for us. We do however need to set sasl passwords and create mailboxes:

peen:~# saslpasswd2 cyrus
Password:
Again (for verification):
peen:~# saslpasswd2 niels
Password:
Again (for verification):

The cyrus user is used for administering Cyrus. The niels user is, well, me. Now create the mailbox for niels:

peen:~# su - cyrus
cyrus@peen:~$ cyradm localhost
IMAP Password:
localhost.localdomain> cm user.niels
localhost.localdomain> exit

Postfix

Finally we’ll need Postfix to actually get this thing going. We need to add quite a bit to /etc/postfix/master.cf to make sure Postfix can communicate with Amavis:

…
smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200

127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000

Then we edit /etc/postfix/main.cf to accept email for our domain, do rbl checks, send email to Amavis and deliver it to Cyrus:

smtpd_banner = peen.net ESMTP
biff = no

append_dot_mydomain = no

myhostname = xxx-xxx-xxx-xxx.solcon.nl
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = peen.net, localhost.localdomain, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8, 192.168.2.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
content_filter = smtp-amavis:[127.0.0.1]:10024

smtpd_helo_required = yes
disable_vrfy_command = yes

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit

smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit

Now restart postfix and you’re ready to receive email!

peen:~# /etc/init.d/postfix restart
Stopping mail transport agent: Postfix.
Starting mail transport agent: Postfix.
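
The 127.0.0.1:10025 listener in master.cf takes mail back from Amavis without passing it through the content filter again, which is why its overrides restrict it to loopback clients. The following added example (not part of the original howto) parses master.cf and reports when that listener lacks those overrides; the function names and both sample configurations are constructed for illustration.

```python
import ipaddress

def parse_master_cf(text):
    """Map service name -> type, command and -o overrides."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()  # continuation of previous entry
        else:
            logical.append(line.strip())
    services = {}
    for fields in (entry.split() for entry in logical):
        if len(fields) < 8:
            continue
        opts = dict(val.split("=", 1) for flag, val in zip(fields[8:], fields[9:])
                    if flag == "-o" and "=" in val)
        services[fields[0]] = {"type": fields[1], "command": fields[7], "overrides": opts}
    return services

def audit_reinjection(text, port="10025"):
    """Return findings for the smtpd listener that takes mail back from the filter."""
    findings = []
    for name, svc in parse_master_cf(text).items():
        host, _, svc_port = name.rpartition(":")
        if (svc["type"], svc["command"], svc_port) != ("inet", "smtpd", port):
            continue
        opts = svc["overrides"]
        try:
            loopback = ipaddress.ip_address(host.strip("[]")).is_loopback
        except ValueError:  # no address (all interfaces) or a hostname
            loopback = False
        checks = {"listener not bound to loopback": loopback,
                  "content_filter not cleared": opts.get("content_filter") == "",
                  "mynetworks not limited to 127.0.0.0/8": opts.get("mynetworks") == "127.0.0.0/8",
                  "recipient restrictions do not end in reject":
                      opts.get("smtpd_recipient_restrictions", "").endswith("reject")}
        findings += [msg for msg, ok in checks.items() if not ok]
    return findings

# Constructed samples: the page's listener (abridged) and a weakened variant.
AS_ON_PAGE = ("127.0.0.1:10025 inet n - n - - smtpd\n"
              "    -o content_filter= -o mynetworks=127.0.0.0/8\n"
              "    -o smtpd_recipient_restrictions=permit_mynetworks,reject\n")
WEAKENED = "10025 inet n - n - - smtpd\n"

if __name__ == "__main__":
    print(audit_reinjection(AS_ON_PAGE), audit_reinjection(WEAKENED))
```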

niels / Software / #email

Plesk with Clamav

Written while using Debian 3.1 (sarge) and Plesk 7.5.

Clamav

Install the Debian packages clamav, clamav-daemon and clamav-freshclam.

plesk:~# apt-get install clamav clamav-daemon clamav-freshclam

Download and extract the qsheff and ripmime tarballs.

plesk:~# cd /usr/local/src/
plesk:/usr/local/src# wget http://www.enderunix.org/qsheff/qsheff-1.0-r3.tar.gz
plesk:/usr/local/src# wget http://www.pldaniels.com/ripmime/ripmime-1.4.0.5.tar.gz
plesk:/usr/local/src# tar zxvf qsheff-1.0-r3.tar.gz
plesk:/usr/local/src# tar zxvf ripmime-1.4.0.5.tar.gz

Building and installing ripmime is straightforward:

plesk:/usr/local/src# cd ripmime-1.4.0.5
plesk:/usr/local/src/ripmime-1.4.0.5# make

plesk:/usr/local/src/ripmime-1.4.0.5# make install

Ripmime will now be installed in /usr/local/bin; an appropriate place, and right where qsheff expects it.

Now build and install qsheff:

plesk:/usr/local/src# cd qsheff-1.0-r3
plesk:/usr/local/src/qsheff-1.0-r3# ./configure
plesk:/usr/local/src/qsheff-1.0-r3# make
plesk:/usr/local/src/qsheff-1.0-r3# /etc/init.d/qmail stop
plesk:/usr/local/src/qsheff-1.0-r3# make install

Now, before starting qmail, we have to fix the clamav path in the qsheff config file. Open /usr/local/etc/qsheff/qsheff.conf and change

VIRUS_PROG = "/usr/local/bin/clamdscan --quiet"

to

VIRUS_PROG = "/usr/bin/clamdscan --quiet"

You will probably want to change

enable_blackhole = 0;

to

enable_blackhole = 1;

as well.

Continue the installation:

plesk:/usr/local/src/qsheff-1.0-r3# /usr/local/etc/qsheff/install-wrapper.sh
plesk:/usr/local/src/qsheff-1.0-r3# /etc/init.d/qmail start

And everything should be working!

Spamassassin

If you, like me, want to use the Debian provided spamassassin instead of the Plesk one, there are a few extra steps.

First make sure you remove the Plesk spamassassin using Plesk.

Then install the Debian version:

plesk:~# apt-get install spamassassin spamc pyzor razor dcc-client

Initialize pyzor and razor:

plesk:~# pyzor discover
plesk:~# razor-admin --create
plesk:~# razor-admin --register

If registering razor fails, simply try it again.

Enable pyzor, razor and the dcc-client in /etc/spamassassin/local.cf:

pyzor_path /usr/bin/pyzor
pyzor_max 2
add_header all Pyzor _PYZOR_
score PYZOR_CHECK 5.00
use_pyzor 1
use_razor2 1
add_header all DCC _DCCB_: _DCCR_
dcc_path /usr/bin/dccproc
use_dcc 1

And restart spamassassin:

/etc/init.d/spamassassin restart

To enable things in our qsheff installation above you will have to replace /var/qmail/bin/qmail-queue with a little shell script:

plesk:~# cd /var/qmail/bin/
plesk:/var/qmail/bin# rm qmail-queue
plesk:/var/qmail/bin# vi qmail-queue

Insert the following code:

#!/bin/sh

/usr/bin/spamc | /var/qmail/bin/qmail-qsheff

Save the file, make it executable and restart qmail:

plesk:/var/qmail/bin# chmod +x qmail-queue
plesk:/var/qmail/bin# /etc/init.d/qmail restart

Notes
If /var/log/qsheff.log contains errors like

ERR, error=QUEUE, hint=chdir_workdir,open_mesg

you’ve probably set the clamav path wrong.


niels / Software / #voip

Bristuff 0.3.0-PRE-1d

As bristuff still seems to be the most popular way to use HFC Cologne based ISDN cards I’ve patched Asterisk with the latest bristuff patches from Junghanns. Updated packages for Debian Sarge can be found at their usual location:

Add the following line to your /etc/apt/sources.list:

deb http://debian.peen.net asterisk/