Howto cheat sheet: Debian Lenny mail server: Postfix-SSL Courier-SSL SASL TLS MD5-CRAM VirtualAliases Procmail ClamAV Spamassassin
I have had to deal with mail servers every now and then. Unfortunately I was often somewhat confused, because, depending on the setup, a great many different components have to talk to each other. That is why I am writing down my cheat sheet for a mail server on an Internet host with a FQDN here. It was tried out on Debian Lenny.
All connections to the outside are encrypted or have their passwords obscured with CRAM-MD5 hashes. Incoming mail is checked for spam and viruses, and users can read their mail over IMAP.
In the picture above, daemons are yellow, databases grey and secured connections green.
What do the individual components do?
- Postfix receives mail that clients want to send and forwards it to the right server on the Internet. Postfix also receives mail from the Internet for users with mailboxes on the server.
- VirtualAliases (part of Postfix) is a database with which Postfix maps received mail to the individual mail users.
- Saslauthd authenticates users who want to send mail via Postfix over SMTP. It checks username and password using CRAM-MD5 hashes.
- Sasldb is the database from which saslauthd can look up usernames and passwords.
- Courier-IMAP makes the mail in a user's Maildir available to that user's mail client.
- Courier-Authdaemon authenticates users who read mail via Courier-IMAP. It checks username and password using CRAM-MD5 hashes.
- Userdb (part of Courier) is the database from which Courier-Authdaemon can look up usernames and passwords.
- Procmail is a filter that every incoming mail has to pass through. Procmail hands the mail to the spam filter and the virus scanner and then delivers it to the user.
- Clamassassin is a small tool that acts as the interface between Procmail and ClamAV. It just passes the mail on to ClamAV.
- Spamassassin (spamd) is the spam checker. It gives every mail a score that says how likely it is that the checked mail is SPAM.
- Maildir mailbox: this is where the mail of the system's users lives. It is an ordinary directory in the file system. IMAP clients fetch the mail from here.
Preparation
Install all required packages
apt-get update && apt-get upgrade
apt-get install postfix postfix-doc libsasl2-2 sasl2-bin libsasl2-modules courier-imap-ssl procmail spamassassin clamav clamassassin
Courier configuration questions
- Directories for web administration? No
Postfix configuration questions
- Internet site
- Mail name: the FQDN of the server that is resolvable via DNS (e.g. meinedomain.de)
Continue the Postfix configuration
dpkg-reconfigure postfix
Further Postfix configuration questions
- Internet site
- Who should receive mail for root: leave empty, this comes later.
- Other destinations for which this machine is the final destination: all domains that can receive mail with Postfix and that have a DNS entry pointing at the server's IP (e.g. meinedomain.de, meinanderedomain.de, meinedrittedomain.de)
Postfix
Config file for Postfix
# /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = /usr/share/doc/postfix
# Enable TLS
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = meinedomain.de
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = meinedomain.de, meineanderedomain.de, meinedrittedomain.de, localhost, 127.0.0.1
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
inet_protocols = ipv4
# Authentication via SASL
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
# Only let users that are in the SASL DB send mail, and allow only MD5 (non-plaintext) mechanisms.
# Note the "smtpd_" prefix: this is our SMTP server; "smtp_" parameters configure the client side.
smtpd_sasl_security_options = noanonymous, noplaintext
# Only localhost (mynetworks) and users logged in via SASL may send mail
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_local_domain =
# Only accept authentication over a TLS-encrypted connection
smtpd_tls_auth_only = yes
# Enable TLS
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
# Self-generated key and certificate
smtpd_tls_key_file = /etc/postfix/cert/smtpd.key
smtpd_tls_cert_file = /etc/postfix/cert/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem
# Set to 0 later, good for debugging
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# Deliver mail into Maildirs
home_mailbox = Maildir/
# File name of the virtual alias map that maps e-mail addresses to local mailboxes
virtual_alias_maps = hash:/etc/postfix/virtual
# Mail is not put directly into the mailboxes but handed to Procmail
mailbox_command = procmail -a "$EXTENSION"
SASL
SASL provides an authentication mechanism for various daemons. In this setup, the users who are allowed to send mail through our Postfix are stored in a SASL database (that is, the username and password that have to be entered in the e-mail client as the credentials for the SMTP server).
Create the config file for SASL
# /etc/postfix/smtpd.conf
pwcheck_method: authdaemond
mech_list: CRAM-MD5
Unfortunately Postfix cannot yet use saslauthd to verify credentials, because Postfix runs in a chroot environment and does not yet have access to saslauthd.
# /etc/default/saslauthd
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
# With -m we put saslauthd's socket into a directory that Postfix can reach from inside its chroot.
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Afterwards the location of the PID file has to be changed in the "start-instance" block of /etc/init.d/saslauthd, again so that Postfix can read the PID file.
# /etc/init.d/saslauthd
.
.
PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"
.
.
TLS
Unauthenticated senders can no longer send mail through the Postfix SMTP server, but the mail itself still travels in cleartext through the LAN and the Internet. TLS encryption was already enabled above in the Postfix config file main.cf. What is still missing are the key and the certificate.
mkdir /etc/postfix/cert
cd /etc/postfix/cert
openssl genrsa -des3 -rand /etc/hosts -out ./smtpd.key 1024
chmod 600 ./smtpd.key
openssl req -new -key ./smtpd.key -out ./smtpd.csr
openssl x509 -req -days 99999 -in ./smtpd.csr -signkey ./smtpd.key -out ./smtpd.crt
openssl rsa -in ./smtpd.key -out ./smtpd.key.tmp
mv -f ./smtpd.key.tmp ./smtpd.key
chmod 600 ./smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout ./cakey.pem -out ./cacert.pem -days 99999
Create the SASL DB
Mail is now encrypted in transit, but the usernames and passwords for sending mail through the SMTP server still cross the Internet in cleartext. These can at least be obscured with the CRAM-MD5 method, which has already been enabled in /etc/postfix/smtpd.conf. The only thing still missing is the SASL database itself. It is created simply by giving a future mail user a username and a password.
# Use a local mail user as the username; this creates the SASL DB with a first user
saslpasswd2 username
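As an added example (not part of the original post), the CRAM-MD5 exchange that the mail client and Postfix perform after AUTH CRAM-MD5, with both sides in Python; the user name, password and host name are constructed. It shows why the password never crosses the wire, why a fresh challenge defeats replay, and why the server-side store (sasldb here, userdb for Courier) has to hold the secret in recoverable form.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample secret store (not from the page): what saslpasswd2 / userdb hold
# for a user. CRAM-MD5 can only be verified if the server keeps the password (or an
# equivalent) in recoverable form, which is why sasldb and userdb must be protected.
SECRETS = {"daniel": "korrektes-passwort"}  # hypothetical user and password


def make_challenge(hostname):
    """Server side: a fresh, unpredictable challenge of the form <nonce@host>."""
    return "<{}@{}>".format(secrets.token_hex(16), hostname).encode()


def client_response(username, password, challenge):
    """Client side (RFC 2195): 'username SP hex(HMAC-MD5(key=password, msg=challenge))'.
    The password itself never appears in the response."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return "{} {}".format(username, digest).encode()


def server_verify(response, challenge, secrets_db=SECRETS):
    """Server side: recompute the digest from the stored secret, compare in constant time."""
    try:
        username, digest = response.decode().split(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return False
    secret = secrets_db.get(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def smtp_auth_exchange(username, password, challenge=None):
    """What crosses the wire after the client sends 'AUTH CRAM-MD5' to Postfix:
    the server's 334 line (base64 challenge) and the client's base64 response.
    Returns (server_line, client_line, accepted)."""
    challenge = challenge or make_challenge("meinedomain.de")
    server_line = b"334 " + base64.b64encode(challenge)
    client_line = base64.b64encode(client_response(username, password, challenge))
    accepted = server_verify(base64.b64decode(client_line), challenge)
    return server_line, client_line, accepted


if __name__ == "__main__":
    srv, cli, ok = smtp_auth_exchange("daniel", "korrektes-passwort")
    print("S:", srv.decode())
    print("C:", cli.decode())
    print("235 Authentication successful" if ok else "535 Authentication failed")
```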
Postfix is done. It can receive and send mail. Connections to clients and to other mail servers are encrypted.
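A check of the resulting policy, added here and not from the original post: it compares what Postfix advertises before and after STARTTLS with what main.cf and smtpd.conf above are meant to enforce. The EHLO feature lists are constructed; probe() runs the same evaluation against a live server.

```python
import smtplib
import ssl

# Constructed EHLO feature lists (not captured from a real server) modelled on what
# the main.cf above should produce: STARTTLS but no AUTH in the clear, and after
# STARTTLS only CRAM-MD5 (smtpd_tls_auth_only, noplaintext, mech_list: CRAM-MD5).
EHLO_BEFORE_TLS = ["PIPELINING", "SIZE 10240000", "VRFY", "ETRN", "STARTTLS",
                   "ENHANCEDSTATUSCODES", "8BITMIME", "DSN"]
EHLO_AFTER_TLS = ["PIPELINING", "SIZE 10240000", "VRFY", "ETRN", "AUTH CRAM-MD5",
                  "ENHANCEDSTATUSCODES", "8BITMIME", "DSN"]

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def auth_mechs(features):
    """Return the set of SASL mechanisms advertised in an EHLO feature list."""
    mechs = set()
    for feature in features:
        keyword, _, params = feature.strip().partition(" ")
        if keyword.upper() == "AUTH":
            mechs.update(params.upper().split())
    return mechs


def evaluate_ehlo(before_tls, after_tls):
    """Compare the features seen before and after STARTTLS against the policy
    configured in main.cf and smtpd.conf. Returns a list of findings; empty is good."""
    findings = []
    if not any(f.strip().upper() == "STARTTLS" for f in before_tls):
        findings.append("STARTTLS not offered: check smtpd_use_tls and the cert/key paths")
    if auth_mechs(before_tls):
        findings.append("AUTH offered on the unencrypted connection: smtpd_tls_auth_only is not in effect")
    mechs = auth_mechs(after_tls)
    if not mechs:
        findings.append("no AUTH after STARTTLS: check smtpd_sasl_auth_enable and /etc/postfix/smtpd.conf")
    plaintext = sorted(mechs & PLAINTEXT_MECHS)
    if plaintext:
        findings.append("plaintext mechanisms offered (%s): noplaintext is not in effect" % ", ".join(plaintext))
    if mechs and "CRAM-MD5" not in mechs:
        findings.append("CRAM-MD5 not offered: check mech_list in smtpd.conf")
    return findings


def features_of(conn):
    """smtplib keeps EHLO features as a dict {lowercase keyword: params}."""
    return [k.upper() + (" " + v if v else "") for k, v in conn.esmtp_features.items()]


def probe(host, port=25):
    """Live check against your own server: EHLO, STARTTLS, EHLO again, evaluate.
    The certificate on this page is self-signed, so verification is disabled here on
    purpose; we only inspect what the server advertises."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=15) as conn:
        conn.ehlo()
        before = features_of(conn)
        after = []
        if conn.has_extn("starttls"):
            conn.starttls(context=ctx)
            conn.ehlo()
            after = features_of(conn)
    return evaluate_ehlo(before, after)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for line in probe(target) or ["OK: advertised features match the configured policy"]:
        print(line)
```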
Courier
Courier's config files
# /etc/courier/authdaemonrc
# Use the UserDB for authentication
authmodulelist="authuserdb"
authmodulelistorig="authuserdb authpam authpgsql authldap authmysql authcustom authpipe"
daemons=5
authdaemonvar=/var/run/courier/authdaemon
# Good for debugging
DEBUG_LOGIN=2
DEFAULTOPTIONS=""
LOGGEROPTS=""
#/etc/courier/authmodulelist
# courierauthdaemon uses CRAM-MD5
authcram
# /etc/courier/imapd
ADDRESS=0
PORT=143
MAXDAEMONS=40
MAXPERIP=20
PIDFILE=/var/run/courier/imapd.pid
TCPDOPTS="-nodnslookup -noidentlookup"
LOGGEROPTS="-name=imapd"
# AUTH=CRAM-MD5 is added here
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 IDLE"
IMAP_KEYWORDS=1
IMAP_ACL=1
IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
IMAP_PROXY=0
IMAP_PROXY_FOREIGN=0
IMAP_IDLE_TIMEOUT=60
IMAP_MAILBOX_SANITY_CHECK=1
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN"
IMAP_DISABLETHREADSORT=0
IMAP_CHECK_ALL_FOLDERS=0
IMAP_OBSOLETE_CLIENT=0
IMAP_UMASK=022
IMAP_ULIMITD=65536
IMAP_USELOCKS=1
IMAP_SHAREDINDEXFILE=/etc/courier/shared/index
IMAP_ENHANCEDIDLE=0
IMAP_TRASHFOLDERNAME=Trash
IMAP_EMPTYTRASH=Trash:7
IMAP_MOVE_EXPUNGE_TO_TRASH=0
SENDMAIL=/usr/sbin/sendmail
HEADERFROM=X-IMAP-Sender
IMAPDSTART=YES
MAILDIRPATH=Maildir
# /etc/courier/imapd-ssl
SSLPORT=993
SSLADDRESS=externe.ip.des.servers
SSLPIDFILE=/var/run/courier/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl"
IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
COURIERTLS=/usr/bin/couriertls
TLS_KX_LIST=ALL
TLS_COMPRESSION=ALL
TLS_CERTS=X509
TLS_CERTFILE=/etc/courier/imapd.pem
TLS_TRUSTCERTS=/etc/ssl/certs
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/lib/courier/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir
# AUTH=CRAM-MD5 is added here as well
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 IDLE"
Spamassassin
Spamassassin has to be enabled
# /etc/default/spamassassin
ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"
CRON=0
Procmail
After Postfix has received mail from the Internet for a local user, it hands it to procmail. Procmail in turn hands the mail to Spamassassin to check it for spam and to clamassassin, which passes it on to the virus scanner clamav.
# An example .procmailrc for the home directories of the mail users
PATH=$HOME/bin:/usr/bin:/bin:/usr/local/bin:.
MAILDIR=$HOME/Maildir/
DEFAULT=$HOME/Maildir/new
LOGFILE=$HOME/procmail.log

# SPAMASSASSIN
:0fw: /var/run/spam.lock
* < 256000
| spamc -f -u $LOGNAME

# Discard all SPAM with a score of 10-99 right away
:0:
* ^X-Spam-Status: Yes, score=[1-9][0-9]\.
/dev/null

# Discard all SPAM with a score > 3 right away
#:0:
#* ^X-Spam-Status: Yes, score=[4-9]\.
#/dev/null

:0fw
| /usr/bin/clamassassin

# Rewrite the Subject line if a virus was found
:0fw
* ^X-Virus-Status: Yes
| sed '1,/^$/s@^Subject:@Subject: /VIRUS!/@'

:0:
* ^X-Virus-Status: Yes
/dev/null

# Move SA SPAM mails to the Spam folder
:0:
* ^X-Spam-Status: Yes
$MAILDIR/.Spam/new

# All mail that made it this far without injuries automatically lands in the user's inbox. "You've got mail!"
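The routing decisions of the .procmailrc above, replayed in Python over constructed sample headers as an added example (not code from the original post); it also shows one edge case of the score=[1-9][0-9]\. recipe, which only covers two-digit scores.

```python
import re

# Constructed sample messages (headers only) as they look after spamc and clamassassin
# have added X-Spam-Status / X-Virus-Status; not real mail.
SAMPLES = {
    "clean":     "From: a@example.org\nSubject: hi\nX-Spam-Status: No, score=0.3 required=5.0\nX-Virus-Status: No\n",
    "spam_low":  "From: b@example.org\nSubject: buy\nX-Spam-Status: Yes, score=7.5 required=5.0\nX-Virus-Status: No\n",
    "spam_high": "From: c@example.org\nSubject: buy\nX-Spam-Status: Yes, score=12.1 required=5.0\nX-Virus-Status: No\n",
    "spam_100":  "From: d@example.org\nSubject: buy\nX-Spam-Status: Yes, score=100.0 required=5.0\nX-Virus-Status: No\n",
    "virus":     "From: e@example.org\nSubject: doc\nX-Spam-Status: No, score=1.0 required=5.0\nX-Virus-Status: Yes\n",
}

# The delivering recipes of the .procmailrc above, in order (condition, destination).
# The spamc, clamassassin and sed recipes carry the 'f' flag: they filter the message
# and pass it on, so they do not decide where it ends up. procmail matches conditions
# against the header block, '^' is per line and matching is case-insensitive.
RECIPES = [
    (r"^X-Spam-Status: Yes, score=[1-9][0-9]\.", "/dev/null"),
    (r"^X-Virus-Status: Yes", "/dev/null"),
    (r"^X-Spam-Status: Yes", "$MAILDIR/.Spam/new"),
]
DEFAULT = "$HOME/Maildir/new"


def route(message):
    """Destination of a message under the .procmailrc above: first delivering recipe wins."""
    headers = message.split("\n\n", 1)[0]
    for pattern, destination in RECIPES:
        if re.search(pattern, headers, re.MULTILINE | re.IGNORECASE):
            return destination
    return DEFAULT


def spam_score(message):
    """The numeric score SpamAssassin wrote into X-Spam-Status, or None."""
    match = re.search(r"^X-Spam-Status: \w+, score=(-?[0-9.]+)", message, re.MULTILINE | re.IGNORECASE)
    return float(match.group(1)) if match else None


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print("%-10s score=%-6s -> %s" % (name, spam_score(msg), route(msg)))
```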
Phew! The mail system is done! All that is missing are the users, their Maildirs and the configuration of the virtual aliases, which defines which e-mail addresses end up in which local mailboxes. The following script creates the UNIX system user, and the same user once more for Postfix in the SASL DB and for Courier in the Courier userdb.
Script for creating new users
#!/bin/bash
# Adds a new user to the mail system
clear
echo "Neuer User fuer das Mailsystem"
echo "Username eingeben: "
read newuser
echo $newuser >> /root/scripts/mail/mail_users.dat
# Adding the Unix user
adduser --ingroup users --quiet --shell /bin/false $newuser
echo
echo "Linux User wurde angelegt....."
echo
# Adding the Courier mailboxes
maildirmake /home/$newuser/Maildir
maildirmake -f Spam /home/$newuser/Maildir
maildirmake -f Virus /home/$newuser/Maildir
maildirmake -f LerneSpam /home/$newuser/Maildir
maildirmake -f LerneKeinSpam /home/$newuser/Maildir
maildirmake -f MeineOrdner /home/$newuser/Maildir
maildirmake -f Sent /home/$newuser/Maildir
maildirmake -f Trash /home/$newuser/Maildir
chown -R $newuser.users /home/$newuser/Maildir
echo
echo "IMAP Mailverzeichnisse wurden angelegt...."
echo
# Setting the SASL password for Postfix SMTP auth
echo
echo
echo "Passwort für SMTP-Auth angeben (Mails verschicken mit dem Client)"
saslpasswd2 $newuser
echo
echo
echo "Passwort für Courier angeben (Zugangspasswort für den IMAPSERVER)"
# Numeric UID of the new user (id -u avoids matching other users by substring in /etc/passwd)
NEWUID=$(id -u $newuser)
userdb $newuser set home=/home/$newuser uid=$NEWUID gid=100
userdbpw -hmac-md5 | userdb $newuser set imap-hmac-md5pw home=/home/$newuser
makeuserdb
/etc/init.d/courier-authdaemon restart
/etc/init.d/saslauthd restart
echo "OK. User angelegt"
echo "Weisen Sie dem neuen User bitte noch E-Mail-Adressen zu!"
echo
echo
echo "Datei /etc/postfix/virtual editieren."
echo "Danach einmalig ausführen: postmap /etc/postfix/virtual"
echo "Danach einmalig ausführen: /etc/init.d/postfix reload"
Script for deleting users
#!/bin/bash
echo "Diesen User loeschen:"
read DELUSER
# The spam-learning script takes its list of mail users from mail_users.dat, so remove the user there too
grep -v "^$DELUSER$" /root/scripts/mail/mail_users.dat > /root/scripts/mail/mail_users.dat.tmp
mv /root/scripts/mail/mail_users.dat.tmp /root/scripts/mail/mail_users.dat
deluser --remove-home $DELUSER
saslpasswd2 -d $DELUSER
userdb $DELUSER del
makeuserdb
/etc/init.d/courier-authdaemon restart
/etc/init.d/saslauthd restart
Script for manual spam learning
#!/bin/bash
for user in $(cat /root/scripts/mail/mail_users.dat); do
    SADIR=/home/$user/.spamassassin
    NOSPAM=/home/$user/Maildir/.LerneKeinSpam/cur/
    # Whitelist the sender address of every mail the user filed as "not spam"
    for l in $(ls $NOSPAM); do
        PRINT=`cat $NOSPAM/$l | grep -e "^From:" | grep -o "[[:alnum:]\.\+\-\_]*@[[:alnum:]\.\-]*" | sort -u`
        echo "whitelist_from $PRINT" >> $SADIR/user_prefs
    done
    # Let SA learn
    /usr/bin/sa-learn -D --spam /home/$user/Maildir/.LerneSpam/cur
    /usr/bin/sa-learn -D --ham /home/$user/Maildir/.LerneKeinSpam/cur
    # Move the learned mail back to the inbox, drop the learned spam
    mv /home/$user/Maildir/.LerneKeinSpam/cur/* /home/$user/Maildir/cur/
    rm /home/$user/Maildir/.LerneSpam/cur/*
done
exit
Virtual aliases
Our Postfix does not yet know which e-mail addresses belong to which local mailboxes. That mapping is made in the file /etc/postfix/virtual. On the left are e-mail addresses or local senders such as "root"; on the right is the username of the IMAP mailbox or a destination e-mail address for forwarding.
# /etc/postfix/virtual
root daniel
daniel@meinedomain.de daniel
daniel@meineanderedomain.de daniel
fritz@meinedomain.de fritz
alle@meinedomain.de daniel,fritz
weiterleitung@meinedomain.de daniel@gmail.com
Afterwards Postfix has to re-initialise the virtual aliases. This is necessary after every change to the file.
postmap /etc/postfix/virtual
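An added consistency check (not part of the original post) for the alias map against mail_users.dat, which the user scripts above maintain, and against mydestination from main.cf. The file contents are constructed copies of the examples on this page, plus one alias for a user that does not exist.

```python
import re

# Constructed copies of the files this page maintains (not real system files):
# /etc/postfix/virtual as shown above plus one extra line for "hans", and
# mail_users.dat as appended to by the user-creation script further up.
VIRTUAL = """\
# /etc/postfix/virtual
root daniel
daniel@meinedomain.de daniel
daniel@meineanderedomain.de daniel
fritz@meinedomain.de fritz
alle@meinedomain.de daniel,fritz
weiterleitung@meinedomain.de daniel@gmail.com
hans@meinedomain.de hans
"""
MAIL_USERS = "daniel\nfritz\n"
# mydestination from the main.cf above (constructed to match it)
MYDESTINATION = {"meinedomain.de", "meineanderedomain.de", "meinedrittedomain.de",
                 "localhost", "127.0.0.1"}


def parse_virtual(text):
    """Return [(lhs, [targets])] for each non-comment line of a virtual alias map.
    Postfix separates multiple right-hand-side addresses with commas and/or whitespace."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        targets = re.split(r"[,\s]+", parts[1].strip()) if len(parts) == 2 else []
        entries.append((parts[0], [t for t in targets if t]))
    return entries


def check_virtual(virtual_text, mail_users_text, mydestination):
    """Cross-check the alias map against the mail users and the accepted domains.
    Returns {'errors': [...], 'forwards': [(lhs, external_target), ...]}."""
    users = set(mail_users_text.split())
    domains = {d.lower() for d in mydestination}
    errors, forwards, seen = [], [], set()
    for lhs, targets in parse_virtual(virtual_text):
        if lhs in seen:
            errors.append("%s: listed more than once" % lhs)
        seen.add(lhs)
        if not targets:
            errors.append("%s: no right-hand side" % lhs)
        if "@" in lhs and lhs.rsplit("@", 1)[1].lower() not in domains:
            errors.append("%s: domain not in mydestination (or virtual_alias_domains), Postfix will not accept mail for it" % lhs)
        for target in targets:
            if "@" in target:
                forwards.append((lhs, target))  # mail leaves this host
            elif target not in users:
                errors.append("%s -> %s: no such user in mail_users.dat" % (lhs, target))
    return {"errors": errors, "forwards": forwards}


def mydestination_from_main_cf(text):
    """Minimal parser for the 'mydestination = a, b, c' line of main.cf (no $variables)."""
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "mydestination":
            return {d for d in re.split(r"[,\s]+", value.strip()) if d}
    return set()


if __name__ == "__main__":
    with open("/etc/postfix/virtual") as f, \
         open("/root/scripts/mail/mail_users.dat") as g, \
         open("/etc/postfix/main.cf") as h:
        report = check_virtual(f.read(), g.read(), mydestination_from_main_cf(h.read()))
    for err in report["errors"]:
        print("ERROR:", err)
    for lhs, target in report["forwards"]:
        print("INFO: %s forwards off-host to %s" % (lhs, target))
```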
Now everything is really done. All services still have to be (re)started.
/etc/init.d/postfix restart
/etc/init.d/courier-imap restart
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-authdaemon restart
/etc/init.d/saslauthd restart
/etc/init.d/spamassassin restart
/etc/init.d/clamav restart
Something is bound not to work! /var/log/mail.log is quite good for debugging. In many config files the log level can be raised to get more information.
Transport maps
To route mail on to another SMTP server you need transport maps. They are created in the file /etc/postfix/transport:
#/etc/postfix/transport
# Left: local destination
# Right: SMTP server the mail is forwarded to
daniel-ritter.de smtp:12.13.14.15
daniel-ritter.de smtp:anderer.host.de
# Additionally all subdomains
.daniel-ritter.de smtp:anderer.host.de
#/etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport
# Activating changes to the transport maps
postmap /etc/postfix/transport
/etc/init.d/postfix reload
Letting users change their Courier password themselves
#!/bin/bash
echo "Courier Passwort ändern"
echo
echo
echo "Benutzername: "
read U
echo "Altes Passwort: "
read -s A    # -s: do not echo the password on the terminal
echo "Neues Passwort: "
read -s N
if echo "$N" | grep -q '^[0-9]'; then
    echo "Entschuldigung. Passwörter dürfen nicht mit einer Zahl beginnen."
    exit
fi
echo -e "$U\0$A\0$N\0" | /opt/courierpasswd --verbose --stderr --stdin --changepw
Keep it simple – Very basic iptables
Iptables can be pretty confusing. So, to have a base to build on, I put together a very simple script. By default no ports are reachable from outside; desired ports have to be opened explicitly. Connections initiated from inside work, and so do connections to the opened ports. Can it be simplified even further?
#!/bin/bash
# delete all existing rules
iptables -F
# deny incoming connections by default
iptables -P INPUT DROP
# allow outgoing connections by default
iptables -P OUTPUT ACCEPT
# do not route
iptables -P FORWARD DROP
# localhost may do anything
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# allow incoming connections for SSH and HTTP
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -p tcp --dport 80
# allow incoming packets that belong to existing connections
# (so that things continue after a client's connection request)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Screencast Ubuntu 10.04 "Lucid Lynx" Beta 1
A short screencast about the new Lucid beta. I take a look at the desktop and some new features.
My Ubuntu 9.10 Karmic Koala annoyances and how I fixed them
Let's face the truth. Desktop Linux has made incredible progress in the last few years. It still gives you all the freedom, happiness and elegance it inherited from its UNIX foundation, and it tries hard to compete with the Windows plug-and-play mentality.
The standard user shouldn't need to do complicated things on the console. Basic things should just work. Ubuntu in particular did great; they really improved many GUI aspects of the GNOME desktop. Most modern machines run and work just "out of the box" with a fresh Ubuntu install. BUT there are still these little annoyances and things that don't work as expected. I will collect my personal annoyances with Ubuntu 9.10 "Karmic Koala" in this post and add solutions if I find them.
Annoyance #1
Logs are spammed with messages about CPU temperature
This one is an ugly one. It started for me with Karmic. /var/log/kern.log and /var/log/syslog got spammed with millions of messages from the kernel stating things like:
CPU0: Temperature above threshold, cpu clock throttled (total events = 208[ 8973.550089] CPU0: Temperature/speed normal
CPU0: Temperat cpu clock throttled (total events = 2080190)
This was a real problem, because about 100 messages per second were written to the logs, making them hard to read for other purposes. Syslog archiving them pushed my CPU to 100% and they filled up my root partition very quickly. This behaviour seems to originate from a kernel bug that should be fixed anytime soon. There is an Ubuntu bug report on the problem already: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/453444. There is no real fix for it, as this is a kernel bug, but there is a workaround that fixed the odd behaviour of my system. I just disabled the logging of lines that contain the bogus information:
- Create a file /etc/rsyslog.d/10-temperature.conf
- Paste the following code into it:
:msg,contains,"Temperature/speed normal" ~
:msg,contains,"Temperature above threshold" ~
- Save it
- Run sudo restart rsyslog to make the new rule active.
Annoyance #2
CPU Frequency Scaling Monitor didn't remember my password
There is a very useful little applet for the Gnome panel that allows you to change the speed of your CPU while working. As I am using a notebook most of the time, this thingy came in quite handy for me. Because changing the CPU policy requires root privileges, you had to enter your password once with old Ubuntu versions. After that you were able to check a checkbox and Ubuntu remembered your policy. Things changed in Karmic. With the new policykit2 environment, there was no possibility anymore to remember the password. I had to reenter it every time I wanted to change my CPU policy. I found out that I could set the permission right in the config files for policykit2:
- Create a file /var/lib/polkit-1/localauthority/50-local.d/gnome-cpufreq.pkla
- Paste the following code into it (be sure to replace YOURUSERNAME with your username):
[Allow users to set the CPU frequency]
Identity=unix-group:YOURUSERNAME
Action=org.gnome.cpufreqselector
ResultAny=no
ResultInactive=no
ResultActive=yes
- Save it
- There is no password needed anymore for changing CPU policies
Annoyance #3
Streamtuner couldn't load the Shoutcast streamlist anymore
This started with Intrepid or so. Shoutcast changed the hostname of its streamlist servers. The old hostname seems to be hardcoded into Streamtuner, so it couldn't get the streamlist anymore. This was inconvenient for me, because I got used to tuning into my favourite internet radio stations (like Lemixx Paris France) with Streamtuner. There seems to be no effort to fix this in the Ubuntu package, as the bug is now several months old already. I fixed it by adding the right IP to /etc/hosts.
- Open up /etc/hosts with a text editor
- Add the following line to it:
205.188.234.120 www.shoutcast.com
- Save it
- Streamtuner can access Shoutcast streams again
Annoyance #4
USB Startup Disk Creator is unable to create a USB Startup Disk
Ubuntu brings its own tool to clone itself onto a USB flash drive. You basically get a fully working Ubuntu installation on your flash drive. A very useful thingy to carry around if you want to connect to the internet from untrusted machines or if you want to fix a broken-down computer. So far so good, but it didn't work. When you start the USB Startup Disk Creator from Ubuntu's menu, the tool starts but is unable to format or write to partitions on your flash drive. The solution is surprisingly simple: it needs to be run as root to make it work:
- Open up a terminal
- Enter the following command:
sudo usb-creator-gtk
- Create and enjoy your flash drive
Annoyance #5
Couldn't click on any web link in Pokerstars with wine
Poker is one of my hobbies, and the guys from Pokerstars did a great job on making it a good experience on Linux with wine too. There are a few downsides though. When clicking on links in the Pokerstars software, no web browser opened up in Gnome. You need to edit the registry to fix that.
- Run wine regedit to open the registry editor
- Navigate to HKEY_CLASSES_ROOT\http\shell\open\command
- Add a "%1" after -nohome in that registry key
- Links work now in Pokerstars
Annoyance #6
Couldn't make Pokerstars tables fullscreen with wine
Another Pokerstars problem. Scaling tables didn't work well. There was no way to make a table fullscreen. There is a way to fix that, implemented especially for wine users by Pokerstars.
- Open up the file user.ini in your Pokerstars directory ($HOME/.wine/Program....)
- Add a line with f5redrawtable=1 to the file
- Save it
- Tables are redrawn now after resizing them when you press F5
Annoyance #7
Skype didn't show video on my Logitech Quickcam Chat
Skype detected my cam as /dev/video0 but was unable to grab pictures from it. The video window just stayed plain old black.
I started Skype with LD_PRELOAD=/usr/lib/libv4l/v4l1compat.so skype to fix it.
To be continued...
6 Useful Things You Can Do With SSH
SSH must be my favourite piece of software ever. It's free, it gives you freedom, it's simple to use yet powerful in the things it can do. It helps you to encrypt and secure your communication. It can do this in a universal way and for nearly every use case. In this post, I want to show you 6 things you can do with SSH without too much hassle. SSH can do more than just serve as an encrypted remote session. Try the following examples for yourself and explore the power of the Secure Shell.
Thingy #1 - A secure remote shell

OK, this is the most obvious thing you can do with SSH and I bet most of you have already done it: connect to a remote machine via an SSH-secured connection and type on its console to administer it.
This is very simple:
ssh user@box_B
This will connect you to Box B as user "user". After having entered your password, you will be able to use Box B's console.
Sometimes you don't want to connect to the remote machine for an interactive session, because you just want to run a single command on the remote machine. In that case you can just do a
ssh user@box_B command
This will connect to Box B as "user", run "command", show you "command"'s output and disconnect.
Thingy #2 - Copy files between your boxes

Great, we can administer a remote machine with SSH, but we can also move data between machines in an encrypted and secure way. It basically works like the standard "cp" command, but it has got a different name: "scp"
scp /home/me/a_file.txt user@box_B:/home/me/
This will copy the local file "/home/me/a_file.txt" on our Box A to "/home/me/a_file.txt" on Box B.
It will work vice versa as well:
scp user@box_B:/home/me/b_file.txt /home/me
This would get the file "/home/me/b_file.txt" and put it into our home dir on box A.
Because "scp" works like "cp", wildcards are allowed as well:
scp /var/log/* user@box_B:/home/me/logsbackup
This would copy all of the log files from our Box A to "/home/me/logsbackup" on Box B.
Thingy #3 - Mount a remote directory into your local file system

Sometimes it's not enough to simply copy one or more files from one machine to another. Mounting a remote directory into your local filesystem becomes super useful when you want to work on the remote files with local programs. A good example for this would be working on a remote website. You can simply mount the web directory from the remote server into your local filesystem and use all your fancy HTML editors and image programs on the remote files as if they were on your local hard drive. That's where "sshfs" comes in handy. The tool isn't installed by default in most distributions, but you should be able to find it in your repository. On Debian-based systems just install it with:
apt-get install sshfs
After having installed sshfs you can start using it:
mkdir /mnt/b_data
sshfs user@box_B:/b_data /mnt/b_data
This mounts the directory "/b_data" from box B into "/mnt/b_data" on your local file system. Now you can work on your remote files with local tools. When you are done, you can unmount the directory with:
fusermount -u /mnt/b_data
If the unmount fails, check if you have still open files in the directory or if you are still in that directory in some shell or Nautilus/Konqueror window.
Thingy #4 - Surf the Web uncensored and anonymously from "critical" locations

Corporate policies, fascist governments, internet cafés and other "unfriendly" rules, institutions and places can give you a hard time when you want to access the web in a secure and private way. Firewalls and proxies may block your favourite sites, log the sites you have visited, perform man-in-the-middle attacks or can just give you a bad feeling. SSH is the solution for these problems. It offers you the possibility to use it as a web proxy. You simply connect to your good old trusted box B and surf through the encrypted connection.
(Local Browser <-> Local SSH Proxy <-> SSH <-> Box B <-> Website)
Now nobody on your unfriendly local LAN can block or spy on your surfing session.
Sounds good? Great! It's even simple to set up. SSH offers the "-D" option to provide a SOCKS proxy on the local machine:
ssh -D 1234 user@box_B
You'll have a proxy listening on localhost port 1234. Now you just have to set up your web browser to use the "SOCKS proxy" on localhost port 1234 and all your surfing will go through Box B. You can check if it worked by visiting a website that shows your IP. http://www.whatismyip.com is a site that would work. If that site shows Box B's IP address instead of your local one, you set up everything correctly. A portable web browser on your USB pen drive like Portable Firefox would make things even more cozy.
Thingy #5 - Encrypt the data traffic of your favourite local application or access services in LANs you couldn't reach otherwise with SSH tunnels

OK, we encrypted remote admin sessions, copied files securely and even surfed the web in a private way. But SSH can do more. You can encrypt the traffic of every application that uses the TCP protocol with SSH tunnels. Like with our SOCKS proxy, we can tunnel other data through ssh, for example the traffic of our e-mail client. Let's say you want to pick up your e-mail while being in a "critical" environment. Bad corporations / governments / script kiddies could read your email and, even worse, could sniff your e-mail password. SSH helps. The syntax for tunnels in SSH might puzzle your brain at first sight, but it's not too hard:
ssh -L local_port:target_host:target_port user@box_B
for example
ssh -L 10000:pop3.mailprovider.com:110 user@box_B
OK, let's see what happened here. We told ssh to create a tunnel with a local (-L) endpoint at port "10000". Everything that is put into our local endpoint goes first, encrypted, to our Box B and after that to "pop3.mailprovider.com" on port 110 (which is POP3). You relay all data that goes into your local endpoint in an encrypted way via Box B to your e-mail provider. In this example you would set the POP account in your e-mail client to "localhost" port "10000". It doesn't have to be e-mail. Any other application that uses a protocol utilizing TCP works as well. For example IRC, FTP, HTTP, IMAP, you name it...
In case you are running your own server service on Box B, "target host" can of course be Box B itself:
ssh -L 10000:127.0.0.1:110 user@box_B
Target host in this example is "127.0.0.1" because it's the target from Box B's point of view. "127.0.0.1" seen from Box B sure is Box B itself.
Tunneling can be useful to secure your services or to connect to services inside Box B's network. Let's say Box B is in an intranet that has an interesting webserver on IP "192.168.0.77" and you are unable to access that server from the outside. You just tunnel your way to Box B and let Box B forward you to the webserver:
ssh -L 10000:192.168.0.77:80 user@box_B
Now typing "http://127.0.0.1:10000" into your local web browser will show you the homepage of the intranet's webserver.
Thingy #6 - A tunnel the other way around

OK, this could have been part of "Thingy #5", but to make things clearer I made an extra point for it. If you understood #5 this should be no problem for you. Here, you open up a "remote" endpoint on Box B. Everything that goes in there is relayed encrypted to Box A (the one you are using at the moment) and after that to the target host.
ssh -R remote_port:target_host:target_port user@box_B
for example
ssh -R 10000:pop3.mailprovider.com:110 user@box_B
An e-mail client would set "box_B" and port "10000" as the POP3 server. BOX B would relay the traffic to BOX A through SSH. BOX A would relay the traffic to "pop3.mailprovider.com" port "110".
Useful commandline options for SSH
-C "Compress"
The "-C" option in SSH compresses all traffic before sending it to the remote host (note the capital letter: lower-case "-c" selects the cipher instead). This increases the speed greatly with uncompressed data types. It's very useful for copying large text files over SSH or for surfing the web with the "-D" option. In general "-C" never hurts, it just puts a little more pressure onto your CPU.
ssh -C -D 1234 user@box_B
-g "Grant Access"
The "-g" option allows other hosts to connect to your local tunnel endpoints. If you don't use "-g" in combination with a tunnel, only your own localhost (Box A in the examples) may use the tunnel. Note that "-L" takes the tunnel specification as its argument, so "-g" goes before it:
ssh -g -L 10000:127.0.0.1:110 user@box_B
-p "Port"
The "-p" option is needed if the SSH server you want to connect to doesn't run on the default port "22".
ssh -p 22000 user@box_b
-v "Verbose"
Add this option if you want to dive deeper into SSH. You will see a lot of technical information while connecting to a remote host.
Further reading
I tried to keep this article as simple as possible to make it usable. There is a lot more to know about SSH. If you are looking for a more comprehensive read I suggest you check out these docs:
Linux cost counter for UMTS connections
I wrote a small script to count the traffic of UMTS/GPRS connections and to calculate the resulting cost. I need it because I plan to surf with an ALDI Talk prepaid card soon, since the prices of my regular contract are too high. (ALDI: 0,24€ per megabyte / E-PLUS-BASE 6,14€ !!!!!)
It is best appended to the end of your dial-up script, so that it starts counting right after the connection is established.
No guarantees whatsoever.... I don't know whether it is buggy or not, so use at your own risk.
With BASE this could get very expensive for me, so be careful!
#!/bin/bash
# trafficcount - shows traffic data for the current connection and
# calculates the cost of the connection
# CONFIG:
# network interface of the connection
INTERFACE=eth0
# cost per 1 MB of traffic
PREIS_PRO_MB=0.24
# update interval in seconds
UPDATEINTERVAL=5
############################################
# converts bytes to MB (two decimal places, via bc)
calc_mb()
{
BYTES=$1
MEGABYTES=`echo "scale=2; $BYTES / 1048576" | bc`
#echo "*** $MEGABYTES ***"
}
# reads the traffic counters from ifconfig (net-tools output format)
get_data()
{
# expected line: RX bytes:3435333852 (3.1 GiB) TX bytes:1233166424 (1.1 GiB)
TRAFFICCUT=`ifconfig $INTERFACE | grep "RX bytes"`
# cut out the received bytes (after the first colon)
TMP=`echo $TRAFFICCUT | cut -d: -f2`
IN=`echo $TMP | cut -d" " -f1`
# cut out the sent bytes (after the second colon)
TMP=`echo $TRAFFICCUT | cut -d: -f3`
OUT=`echo $TMP | cut -d" " -f1`
# compute the total
TOTAL=`echo "$IN + $OUT" | bc`
}
S_TOTAL=0
S_IN=0
S_OUT=0
# remember the counters at session start
get_data
START_TOTAL=$TOTAL
START_IN=$IN
START_OUT=$OUT
#echo $START_TOTAL
#echo $START_IN
#echo $START_OUT
clear
while [ 1 ]
do
get_data
# determine the traffic transferred during this session
S_TOTAL=`echo "$TOTAL - $START_TOTAL" | bc`
#echo "*** S_TOTAL: $S_TOTAL ***"
S_IN=`echo "$IN - $START_IN" | bc`
S_OUT=`echo "$OUT - $START_OUT" | bc`
# convert to MB
calc_mb $TOTAL; TOTAL=$MEGABYTES
calc_mb $IN; IN=$MEGABYTES
calc_mb $OUT; OUT=$MEGABYTES
calc_mb $S_OUT; S_OUT=$MEGABYTES
calc_mb $S_IN; S_IN=$MEGABYTES
calc_mb $S_TOTAL; S_TOTAL=$MEGABYTES
# calculate the cost
KOSTEN=`echo "scale=2; $S_TOTAL * $PREIS_PRO_MB " | bc`
#echo "*** $KOSTEN - $S_TOTAL - $PREIS_PRO_MB***"
# print the session data
#echo $TRAFFICCUT
#echo
echo "GESAMT an $INTERFACE: In: $IN MB | Out: $OUT MB | Total: $TOTAL MB "
echo "SITZUNG an $INTERFACE: In: $S_IN MB | Out: $S_OUT MB | Total: $S_TOTAL MB "
echo "KOSTEN: Euro $KOSTEN"
sleep $UPDATEINTERVAL
clear
done
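The script above parses ifconfig output and shells out to bc for every reading. As an added example (not the original script), here is the same session accounting done against the kernel's own byte counters in /sys/class/net and with integer cents, which also handles the 32-bit counter wrap some drivers still have; the 24 cents per MiB tariff is the ALDI price quoted above, everything else is assumed.

```shell
#!/bin/sh
# Added example, not the original script: read byte counters from
# /sys/class/net instead of parsing ifconfig output (whose format changed in
# newer net-tools) and compute the session cost in whole cents without bc.
PRICE_CENTS_PER_MB=24   # ALDI tariff quoted above: 0,24 EUR per MiB

# Print "rx_bytes tx_bytes" for an interface; return 1 if it does not exist.
read_counters() {
    _dir="/sys/class/net/$1/statistics"
    [ -r "$_dir/rx_bytes" ] && [ -r "$_dir/tx_bytes" ] || return 1
    echo "$(cat "$_dir/rx_bytes") $(cat "$_dir/tx_bytes")"
}

# Bytes transferred since a start reading. Some drivers only keep 32-bit
# counters, so a reading lower than the start is treated as one wrap-around.
delta_bytes() {
    if [ "$2" -lt "$1" ]; then
        echo $(( $2 + 4294967296 - $1 ))
    else
        echo $(( $2 - $1 ))
    fi
}

# Whole cents for a byte count (fractions of a cent are truncated).
cost_cents() {
    echo $(( $1 * PRICE_CENTS_PER_MB / 1048576 ))
}

# Session cost given start rx, start tx, current rx, current tx.
session_cost_cents() {
    cost_cents $(( $(delta_bytes "$1" "$3") + $(delta_bytes "$2" "$4") ))
}

# "1234" -> "12,34 EUR"
fmt_euro() {
    printf '%d,%02d EUR\n' $(( $1 / 100 )) $(( $1 % 100 ))
}

# Live monitor: sh trafficcost.sh --watch eth0 (polls every 5 seconds).
if [ "${1:-}" = "--watch" ]; then
    IFACE=${2:-eth0}
    START=$(read_counters "$IFACE") || { echo "no such interface: $IFACE" >&2; exit 1; }
    while NOW=$(read_counters "$IFACE"); do
        set -- $START $NOW   # $1 $2 = start rx/tx, $3 $4 = current rx/tx
        echo "session: $(( $(delta_bytes "$1" "$3") + $(delta_bytes "$2" "$4") )) bytes, cost $(fmt_euro "$(session_cost_cents "$1" "$2" "$3" "$4")")"
        sleep 5
    done
fi
```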
Making your server box talk like in those old movies
This is a silly geek thing but you might like it. Why not let your penguin-server talk to you when it needs updates or other interesting things happen?
Code and config in these examples are tested on a debian box.
What we need:
- Software for speech synthesis
espeak is good for this purpose. It is quite configurable and the voice quality is OK.
apt-get install espeak
- Software that can trigger events when certain log entries appear
swatch is our friend here. It reads logs in real time and triggers a command if a specific pattern is found.
In our case it will just trigger espeak to say something.
apt-get install swatch
Now that we have our tools, let's make a sample talker...
We want our box to report when new (non-spam) mail has arrived.
I'm using spamassassin to filter my mail.
Every time a good message reaches my inbox I get a line similar to
Jul 26 16:34:04 star spamd[13365]: spamd: clean message (-2.4/0.5) for mailbox:1001 in 1.9 seconds, 7128 bytes.
in /var/log/mail.log.
So create a config file for swatch to look out for lines like that:
File: /etc/swatch/ham
watchfor /clean message/
exec "espeak new_mail &"
The only thing left to do now is to start the swatch daemon
/usr/bin/swatch --daemon --config-file=/etc/swatch/ham --tail-file=/var/log/mail.log
I think you got the point. The possibilities are endless. Everything that is logged can be spoken.
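The swatch rule above fires on any line containing "clean message". As an added example (not part of the original post), the same detection as a shell function that only accepts real spamd result lines and also pulls out the score, so the rule can be tested on a few constructed log lines before it is pointed at the live /var/log/mail.log; the "identified spam" line and the extra postfix line in the sample are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: classify spamd result lines
# and count clean messages, the event the swatch rule above reacts to.

# Classify one log line. Prints "clean <score>", "spam <score>" or "other";
# returns 0 only for spamd result lines.
classify_spamd_line() {
    case $1 in
        *"spamd: clean message ("*)   _kind=clean ;;
        *"spamd: identified spam ("*) _kind=spam ;;
        *) echo other; return 1 ;;
    esac
    # The score is the first number in the parentheses, e.g. "(-2.4/0.5)".
    _score=$(printf '%s\n' "$1" | sed -n 's/.*(\(-\{0,1\}[0-9.]*\)\/[0-9.]*).*/\1/p')
    echo "$_kind $_score"
}

# Count clean (ham) messages in a log file.
count_clean() {
    _n=0
    while IFS= read -r _line; do
        _r=$(classify_spamd_line "$_line") || _r=other
        case $_r in
            clean*) _n=$(( _n + 1 )) ;;
        esac
    done < "$1"
    echo "$_n"
}

# Constructed sample log in the spamd format shown above (not a real log).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul 26 16:34:04 star spamd[13365]: spamd: clean message (-2.4/0.5) for mailbox:1001 in 1.9 seconds, 7128 bytes.
Jul 26 16:35:10 star spamd[13365]: spamd: identified spam (12.3/0.5) for mailbox:1001 in 2.0 seconds, 9012 bytes.
Jul 26 16:35:11 star postfix/smtpd[2222]: connect from unknown[192.0.2.10]
Jul 26 16:36:02 star spamd[13365]: spamd: clean message (0.1/0.5) for mailbox:1002 in 1.1 seconds, 5120 bytes.
EOF

echo "clean messages in sample: $(count_clean "$SAMPLE_LOG")"
```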
But there are other interesting possibilities. Let's say you want your box to report newly available updates to you.
This little script can do it when run from a repeating cron-job:
#!/bin/bash
# refresh the package lists (needs root)
apt-get update
# the summary line looks like: "3 upgraded, 0 newly installed, 0 to remove and 1 not upgraded."
UPDATELINE=`apt-get --simulate upgrade | grep remove`
EINS=`echo $UPDATELINE | cut -d " " -f 1`    # upgraded
ZWEI=`echo $UPDATELINE | cut -d " " -f 3`    # newly installed
DREI=`echo $UPDATELINE | cut -d " " -f 6`    # to remove
VIER=`echo $UPDATELINE | cut -d " " -f 10`   # not upgraded
((UPDATES=EINS+ZWEI+DREI+VIER))
if [ $UPDATES -gt 0 ]; then
espeak "REPORT: i need $UPDATES updates! please install as soon as possible"
fi
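The script above picks the counts out of the apt-get summary line by word position, which breaks silently as soon as the wording shifts. As an added example (not the original script), here is the same count done by keyword, rejecting anything that is not the summary line and keeping held-back packages apart from the ones that will actually be installed; the sample line is constructed.

```shell
#!/bin/sh
# Added example, not the original script: parse the apt-get summary line by
# its keywords rather than fixed word positions.

# Input: "N upgraded, M newly installed, K to remove and J not upgraded."
# Output: "<pending changes> <held back>"; returns 1 for any other line.
parse_apt_summary() {
    _up=$(printf '%s\n' "$1"   | sed -n 's/^\([0-9][0-9]*\) upgraded.*/\1/p')
    _new=$(printf '%s\n' "$1"  | sed -n 's/.*[ ,]\([0-9][0-9]*\) newly installed.*/\1/p')
    _rm=$(printf '%s\n' "$1"   | sed -n 's/.*[ ,]\([0-9][0-9]*\) to remove.*/\1/p')
    _held=$(printf '%s\n' "$1" | sed -n 's/.* \([0-9][0-9]*\) not upgraded.*/\1/p')
    # A missing field means this is not the summary line: report nothing.
    [ -n "$_up" ] && [ -n "$_new" ] && [ -n "$_rm" ] && [ -n "$_held" ] || return 1
    echo "$(( _up + _new + _rm )) $_held"
}

# Build the spoken report; prints nothing when there is nothing to do.
update_report() {
    _parsed=$(parse_apt_summary "$1") || return 1
    set -- $_parsed   # $1 = pending changes, $2 = held back
    if [ "$1" -gt 0 ]; then
        printf 'REPORT: I need %s updates, %s held back. Please install soon.\n' "$1" "$2"
    fi
}

# Constructed sample summary line (what "apt-get --simulate upgrade" prints).
SAMPLE_LINE="3 upgraded, 1 newly installed, 0 to remove and 2 not upgraded."
echo "sample: $(update_report "$SAMPLE_LINE")"

# Live use from cron (as root), uncomment:
# apt-get update >/dev/null
# update_report "$(apt-get --simulate upgrade | grep ' to remove ')" | espeak
```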
Now you have got all the tools to make your server an absolutely annoying babbling box.
Enjoy.