RedirectMatch 301 ^/technotes/users/edit.* /technotes/articles/69

Get Python

Boost Build

• Get the boost source from http://sourceforge.net/projects/boost/files/
• Also, get the Windows bjam .exe, currently rev'd at: http://sourceforge.net/projects/boost/files/boost-jam/boost-jam-3.1.17-1-ntx86.zip/download
• Make your dev dirs. I use cygwin, you can easily translate to the Windows command shell. Unless you have tar, though, make sure you download the zip distro of boost. Also, I use the cygpath of "http://morison.biz/" instead of "http://morison.biz/cygdrive", i.e., I run mount -s --change-cygdrive-prefix /

  cd "http://morison.biz/c/Documents and Settings/Rod/My Documents"
  mkdir -p Devel/local
  cd Devel/local
  mkdir bin lib src tmp
  cd src
  tar jxf ~/Downloads/boost_1_39_0.tar.bz2 
  cd ../bin
  unzip ~/Downloads/boost-jam-3.1.17-1-ntx86.zip 
  mv boost-jam-3.1.17-1-ntx86/bjam.exe  .
  chmod +x bjam.exe
  rm -rf boost-jam-3.1.17-1-ntx86/

• Add the Devel/local/bin path to your Windows path variable (Control Panel->System, Advanced Tab, Environment Variables Button):
  
  
• Start a Visual C++ command shell, i.e., menu to something like:
  
  

  Setting environment for using Microsoft Visual Studio 2008 x86 tools.
  C:/Users/rod/KlickFu/Devel/local/src/boost_1_39_0>bjam --build-dir=../../tmp/boost --prefix=../.. --toolset=msvc --threading=multi --runtime-link=static  link=static debug release install

  Actually, I'm currently building with...

  C:Develboost_1_43_0>bjam --build-dir=../tmp --prefix=../boost --build-type=complete runtime-link=static --without-graph --without-graph_parallel --without-mpi --without-wave msvc install

To use Wondershaper, you'll have to use a Linux computer as your router. Afaik, most basic broadband routers don't provide traffic limiting features. Setting up a Linux router for your broadband is not a good first-time Linux project. For more info, perhaps look at http://en.wikipedia.org/wiki/List_of_router_or_firewall_distributions or http://www.stanford.edu/~fenn/linux/ . It's not terribly difficult to do with a standard Ubuntu Server distro, which is what I use.

sudo apt-get install wondershaper

Postscript: For those interested, a good bit of research has been done on this problem, particularly under the name of FastTCP. http://fastsoft.com is commercial spinoff of that project and has some pertinent white papers on the subject.

openssl x509 -in morison.org.crt -out morison.org.der -outform DER
openssl x509 -in morison.org.der -inform DER -out morison.org.pem -outform PEM
sudo cp ./morison.org.pem /etc/ssl/certs/
sudo /etc/init.d/cyrus2.2 restart
sudo /etc/init.d/postfix restart

$ sudo apt-get install dkms
$ sudo sh /cdrom/VBoxLinuxAdditions-x86.run #look for the amd64 if that's your linux guest install
$ sudo reboot

• Install on Ubuntu 8.10

$ sudo apt-get install postgresql-8.3 postgresql-server-dev-8.3
$ sudo vi /etc/postgresql/8.3/main/postgresql.conf 
# uncomment the listen_addresses = 'localhost' line
# optional: change localhost to machine hostaddr if you want outside access
$ sudo /etc/init.d/postgresql-8.3 restart

• Give the "root" db user a password, create a new dbuser and a database with access privs for that new dbuser. Also, give the new dbuser perms to create more databases.

$ sudo -u postgres psql template1
template1=# ALTER USER postgres WITH UNENCRYPTED PASSWORD 'P8ss';
ALTER ROLE
template1=# CREATE USER user1 CREATEDB;
CREATE ROLE
template1=# ALTER USER user1 WITH UNENCRYPTED PASSWORD 'P9ss';
ALTER ROLE
template1=# CREATE DATABASE db1 WITH OWNER user1;
CREATE DATABASE
template1=# q

• To suck a sqldump into that database

$ zcat /PathToDbDump/DbDump.sql.gz | psql -h localhost -U postgres -d user1

• Logging in as non-postgres user (this bit baffled me originally, until I decoded the postgres init settings): /etc/postgresql/8.3/main/pg_hba.conf has security settings that say, "If connected via unix socket then require the db username match the process owner name." By default psql uses the unix socket. That's fine for the "root" db user (postgres), but not how you want access other dbs. However, for network socket connections pg_hba.conf is set to use only password check against it's user table. Yay. So access through the socket, which is the general case in production systems anyway, as the db is on a dedicated machine.
• Log in as the user1 and create a db.

psql --username user1 --password -h localhost template1
CREATE DATABASE db2 WITH OWNER user1;

• if you don't put a db name on the psql command line, it will assume the db name is the same as the user
• postgres provides an easily scripted command, createdb, that does most of what the CREATE DATABASE command does.
• read the postgres docs for encrypted passwords, recommended for production

cd c:\Python26
copy python.exe python-backup.exe
copy pythonw.exe pythonw-backup.exe
mt -inputresource:python.exe;#1 -manifest \PathToWxPySrc\src\winxp.vc9.manifest  -outputresource:python.exe;#1
mt -inputresource:pythonw.exe;#1 -manifest \PathToWxPySrc\src\winxp.vc9.manifest  -outputresource:pythonw.exe;#1

References

Tips & Tricks

sudo apt-get install mailutils
mail rod@moleculemedia.net -s test
Cc: rod@morison.org
test
^D

sudo bash
cd /var/spool/cyrus/sieve
ls domain
mkdir domain
cp -a [a-z] domain/
chown cyrus:mail domain
chmod o-rwx domain

IP & DNS Setup

Checklist

1. A static IP, from your access or hosting provider
2. An 'A' record pointing to a name to your static ip, using a name something like "mailserver.example.domain". In this guide we'll use example.domain as a placeholder for your own domain.
3. An MX record for example.domain which points at mailserver.example.domain
4. CNAME or A records for mail.example.domain, smtp.example.domain and webmail.example.domain. If you use CNAME's, point them at mailserver.example.domain, if A use your static IP.

Next Step: Ubuntu Install

1. Install the Goods

   sudo apt-get install amavisd-new spamassassin clamav-daemon
   sudo apt-get install pyzor razor python-policyd-spf
   sudo apt-get install arj cabextract cpio lha nomarch pax rar unrar unzip unzoo zip zoo

2. Add clamav to amavis group

   sudo adduser clamav amavis

3. Enable SpamAssassin -

   sudo vi /etc/default/spamassassin

   and change line 8 to ENABLED=1
4. Tell Amavis to Virus & Spam Check

   sudo vi /etc/amavis/conf.d/15-content_filter_mode

   and uncomment the virus & spam check lines as shown:

   @bypass_virus_checks_maps = (
      %bypass_virus_checks, @bypass_virus_checks_acl, $bypass_virus_checks_re);

   ...

   @bypass_spam_checks_maps = (
      %bypass_spam_checks, @bypass_spam_checks_acl, $bypass_spam_checks_re);

5. Set Local Policy Prefs

   sudo vi /etc/amavis/conf.d/50-user

   My policy is to tag, but pass all spam. Viruses are not delivered, but the postmaster is notified and the email is quarantined, such that it can be recovered if need be. You may want to study the Amavis docs and customize here.
   
   Change example.domain to yours. My 50-user reads

   use strict;
   
   #
   # Place your configuration directives here.  They will override those in
   # earlier files.
   #
   # See /usr/share/doc/amavisd-new/ for documentation and examples of
   # the directives you can use in this file
   #
   
   $log_level = 0;
   
   @local_domains_maps =
      ( [ ".$mydomain", 'example.domain' ] ); 
   
   $sa_spam_subject_tag = '*SPAM* ';
   $sa_tag_level_deflt  = -999;  # add spam info headers if at, or above that level
   $sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
   $sa_kill_level_deflt = 999; # triggers spam evasive actions
   $sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
   
   $virus_admin = "postmaster@$mydomain"; # due to D_DISCARD default
   $spam_admin = "postmaster@$mydomain";
   $dsn_bcc = "maildebug@$mydomain";
   
   $mailfrom_notify_admin     = "virusalert@$mydomain";
   $mailfrom_notify_recip     = "virusalert@$mydomain";
   $mailfrom_notify_spamadmin = "spamalert@$mydomain";
   
   $final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
   $final_banned_destiny     = D_REJECT;   # D_REJECT when front-end MTA
   $final_spam_destiny       = D_PASS;
   $final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
   
   #------------ Do not modify anything below this line -------------
   1;  # ensure a defined return

6. Integrate Amavisd into Postfix

   sudo vi /etc/postfix/main.cf

   Add the following to the bottom of /etc/postfix/main.cf

   # Amavis ClamAV+SpamAssassin
   content_filter = smtp-amavis:[127.0.0.1]:10024
   
   # Postfix behavior/content controls
   #body_checks = regexp:/etc/postfix/body_checks
   #header_checks = regexp:/etc/postfix/header_checks
   smtpd_helo_required = yes
   disable_vrfy_command = yes
   smtpd_delay_reject = yes
   smtpd_helo_required = yes
   smtpd_error_sleep_time = 15s
   smtpd_soft_error_limit = 10
   smtpd_hard_error_limit = 20

7. /etc/postfix/master.cf

   sudo vi /etc/postfix/master.cf

   Add the two "-o" lines shown under the line beginning with "pickup", to read:

   pickup    fifo  n       -       -       60      1       pickup
            -o content_filter=
            -o receive_override_options=no_header_body_checks

   Then add the following to the bottom of /etc/postfix/master.cf

   smtp-amavis     unix    -       -       -       -       2       smtp
           -o smtp_data_done_timeout=1200
           -o smtp_send_xforward_command=yes
           -o disable_dns_lookups=yes
           -o max_use=20
   
   127.0.0.1:10025 inet    n       -       -       -       -       smtpd
           -o content_filter=
           -o local_recipient_maps=
           -o relay_recipient_maps=
           -o smtpd_restriction_classes=
           -o smtpd_delay_reject=no
           -o smtpd_client_restrictions=permit_mynetworks,reject
           -o smtpd_helo_restrictions=
           -o smtpd_sender_restrictions=
           -o smtpd_recipient_restrictions=permit_mynetworks,reject
           -o smtpd_data_restrictions=reject_unauth_pipelining
           -o smtpd_end_of_data_restrictions=
           -o mynetworks=127.0.0.0/8
           -o smtpd_error_sleep_time=0
           -o smtpd_soft_error_limit=1001
           -o smtpd_hard_error_limit=1000
           -o smtpd_client_connection_count_limit=0
           -o smtpd_client_connection_rate_limit=0
           -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

8. SPF in Postfix - SPF is already a part of SpamAssassin's scoring scheme. We can further utilize SPF in Postfix to reflect sites that disapprove certain usage and reject those messages outright. I recommend a read through of materials on the SPF site and relevant discussion lists.
   
   You can omit this step if you choose.

   sudo vi /etc/postfix/main.cf

   Add a comma to the end of the last line of the smtpd_recipient_restrictions settings and on a new line add

   check_policy_service unix:private/policyd-spf

   followed by

   policyd-spf_time_limit = 3600

   This section of your main.cf should look something like

   smtpd_recipient_restrictions =
           permit_sasl_authenticated,
           permit_mynetworks,
           reject_unauth_destination,
           reject_invalid_hostname,
           reject_non_fqdn_hostname,
           reject_non_fqdn_sender,
           reject_non_fqdn_recipient,
           reject_unknown_sender_domain,
           reject_unknown_recipient_domain,
           reject_unauth_pipelining
           reject_rbl_client bl.spamcop.net,
           reject_rbl_client sbl-xbl.spamhaus.org,
           reject_rbl_client list.dsbl.org,
           check_policy_service unix:private/policyd-spf
   policyd-spf_time_limit = 3600

   In master.cf:

   sudo vi /etc/postfix/master.cf

   At the bottom, add

   policyd-spf  unix  -       n       n       -       0 spawn
           user=nobody argv=/usr/bin/python /usr/bin/policyd-spf

9. Start/Restart All Concerned

   sudo /etc/init.d/postfix restart
   sudo /etc/init.d/amavis restart
   sudo /etc/init.d/clamav-daemon restart
   sudo /etc/init.d/spamassassin start

10. Test and Check - Try another mail send and watch the log.

    tail -f /var/log/mail.log

    Look for the logfile line

    Sep 29 13:50:25 mailserver amavis[8449]: (08449-01) Passed CLEAN, LOCAL [192.168.66.194] [192.168.66.194] <test@mailserver.morison.org> -> <test@mailserver.morison.org>, Message-ID: <48E13F6D.1010202@mailserver.morison.org>, mail_id: 8HLb1RzoY+ZW, Hits: -1.44, size: 564, queued_as: EC77724624, 3852 ms

    for anti-spam action. Try it with a spam file (I'm sure you can find one.) You'll see

    Sep 29 13:52:55 mailserver amavis[8454]: (08454-01) Passed SPAMMY, LOCAL [192.168.66.194] [192.168.66.194] <test@mailserver.morison.org> -> <test@mailserver.morison.org>, Message-ID: <48E13FFB.7000908@mailserver.morison.org>, mail_id: moC25mDhimPK, Hits: 8.824, size: 649, queued_as: 4B5E624624, 12174 ms

    and look at the mail headers in your mail client:

    X-Virus-Scanned: Debian amavisd-new at mailserver.morison.org
    X-Spam-Flag: YES
    X-Spam-Score: 8.824
    X-Spam-Level: ****
    X-Spam-Status: Yes, score=8.824 tagged_above=-999 required=5
    	tests=[ALL_TRUSTED=-1.44, AWL=-10.264, DIGEST_MULTIPLE=0.001,
    	PYZOR_CHECK=2.834, RAZOR2_CF_RANGE_51_100=0.5,
    	RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5,
    	RAZOR2_CHECK=0.5, URIBL_AB_SURBL=1.613, URIBL_JP_SURBL=2.857,
    	URIBL_OB_SURBL=2.132, URIBL_SBL=2.468, URIBL_SC_SURBL=2.523,
    	URIBL_WS_SURBL=2.1]

    Finally, try sending a test virus from (the virus is dead, of course, but it triggers a ClamAV find):
    
    http://www.eicar.org/download/eicar.com http://www.eicar.org/download/eicar_com.zip http://www.eicar.org/download/eicarcom2.zip
    
    Look for

    Sep 29 14:07:56 mailserver amavis[8449]: (08449-02) Blocked INFECTED (Eicar-Test-Signature), LOCAL [192.168.66.194] [192.168.66.194] <test@mailserver.morison.org> -> <test@mailserver.morison.org>, quarantine: J/virus-JfYri+IcyuAB, Message-ID: <48E1438B.5060502@mailserver.morison.org>, mail_id: JfYri+IcyuAB, Hits: -, size: 1062, 934 ms

    and check your postmaster email.

Epilogue