Long Weekends

Summer’s upon us again. The kids just got out of school on Wednesday, which reminded me that my last post was to say that the kids were just starting back and I haven’t said a word since then. Anyway, we have them signed up for pretty much every summer sport offered and Gabby’s getting ready to start piano lessons, so they’ll be keeping pretty busy.

Jen and I have been mulching the flower gardens, to the tune of about one pickup load of mulch per weekend. We’ve put down about 4 tons now, and I think we’re finally getting to the end of it. Which is good. Because at this point, if I never move another handful of the stuff, that’ll be fine by me.

Up In The Morning And Out To School

Well, it’s officially school time again. Gabby and Ari started back yesterday, and Jake went this morning for the first time.

Gabby seemed really happy. She got in line with her friends and immediately jumped back into the swing of things.

When we took Ari into the Montessori preschool, she ran off to play with the other kids as if she’d been there all along. When I picked her up in the afternoon, she told me that she’d learned how to read (so I suppose that they’ll cover math today, and maybe start on biology next Monday).

Jake looked a little unsure this morning, but he was mostly smiling as he lined up and walked to class. I just wish I’d remembered to bring his bookbag and a camera. These are the things that happen when I’m the one who gets the kids ready for school. At least they were fed, dressed and clean.

Tilden Days

Last weekend, we took the kids to Tilden’s “Prairie Days” festival, a celebration that raises money for various local organizations.

Events included:

  • Whiplash, the dog-riding monkey. We arrived about ten minutes too late to see him, which was unfortunate because he was the main thing the kids were looking forward to.
  • An officially-sanctioned cow chip throwing contest. I didn’t know there was an official governing body for such things, but there is. Winners were eligible to compete in the World Championship Cow Chip Throw.
  • The First Annual Drag Your Nag Contest. Men carried their wives or girlfriends through an obstacle course, and the winning team earned the woman’s weight (in pounds) in dollars. Jen and I had registered, but when we discovered that:

    1. All the other men looked like firefighters or bullriders and were in much better shape than me,
    2. Almost everyone else was in their early 20s, and
    3. The obstacle course included a mud pit and we weren’t wearing old clothes,

    we (I) chickened out and watched from the sidelines.

We had a great time, though, and gorged ourselves on watermelon. Congratulations on another great year, Tilden!

Running Before Walking

The kids started swimming lessons yesterday. They all had a great time and left smiling. As I was putting Jake to bed, I asked him about his day:

Me: What was your favorite part of swimming lessons?
Jake: Jumping off the diving board.
Me: Really?
Jake: Yeah. It was a little scary, though.
Me: Well, sometimes the most fun things are a little scary.
Jake: Yeah. (pause) I wish I’d done a back flip.

If God Meant For Man To Roll

It seemed like such a simple idea at the time: I’d buy a cheap bike and ride to work whenever possible. I’d get fresh air, exercise, and a tan, and most importantly I’d save money on gas (because I’m a cheapskate and hate paying $3.00 per gallon regardless of whether I can afford it).

So, I went to Happy Fun Land – what we call Wal-Mart when we want to antagonize the kids – and picked up their $80 generic mountain bike. In short, that lasted for a grand total of two (2) round trips to work before a broken chain ended my patience with its mechanical problems.

Wal-Mart kindly allowed me to exchange that lame horse for a slightly more expensive and much nicer Schwinn. I rode it to work exactly once before getting a flat tire.

It’s the little things, really. Chains are easy to fix and cheap to replace, and flat tires aren’t a big deal, but as of today I’ve spend about $50 per ride and I still don’t currently have a working bike. Maybe some of us are just meant to drive.

How To Make A Survival Kit

On my birthday in 2005, I read a Slashdot article discussing what things you might want to take with you if you had to evacuate your home. This was only a few months after Hurricane Katrina leveled southern Louisiana and Mississippi, so quite a few people had given this a lot of recent thought.

The article started off talking about which personal documents you should take copies of (driver licenses, marriage certificates, passports, etc.) – in other words, an electronic survival kit. However, the topic soon veered off into the kinds of things you need to physically stay alive. That made me realize that I’ve never made any such preparations, short of putting some bottled water in our tornado shelter. Below is a summary of the recommendations I came across.

Note: This isn’t meant as a list of things you’ll need to form your own private society out in the desert. I have absolutely zero interest in “survivalism”; I just want to have the stuff needed to keep me and my family alive until the National Guard arrives.

Second note: I primarily wrote this for me and my family. It’s biased towards scenarios that I might have to cope with, but completely ignores things that I could never hope to deal with anyway (such as being lost at sea).


How To Carry It

There are two schools of thought here:

  1. Pack everything inside a small metal pan that you can use for cooking, carrying water, etc.
    • Pros: no wasted space or weight
    • Cons: small metal pans can get crushed or soaked
  2. Put everything “fragile” inside a hardened case, like an OtterBox
    • Pros: your gear stays dry and intact
    • Cons: the box isn’t probably very intrinsically useful

Your application affects your choice very heavily. If you plain to carry mainly camping gear that’s pretty durable, the first option is probably your best choice. If you expect to carry many fragile items, such as an electronic survival kit or other small electronics, then the second is likely better. I personally use an OtterBox.

The List

Note, some of this is blatantly, word-for-word plagiarized from the above sources. My goal is to condense their ideas into one handy list, and there are only so many ways to say “strike anywhere matches”.

  • Instructions
  • Tools
    • Good, metal knife
    • Small multi-tool (for the scissors, screwdrivers, etc.)
    • Compass
    • Thermometer
    • Magnifying glass – possibly a Fresnel lens
    • Flashlight with batteries, preferably with a blinker
  • Metal dining utensils (that can be sanitized before and after use)
  • Fire starters – at least one of:
    • Strike anywhere matches in a waterproof safe
    • Firestarting piston
    • Disposable lighter
    • Magnesium/flintbar
  • Water
    • Personal water filter
    • Water purifying straw
    • Water purification tablets
  • Several sheets of paper and a pencil
  • A bottle of alcohol. Distilled, drinkable grain alcohol is best.
  • Medicine / Health
    • Anti-diarrheals
    • Aspirin
    • Antihistimines – to counter allergic reactions
    • Any other drugs you personally need to stay alive
    • Scalpel blades
    • Sunscreen
    • Suture kit
  • Homemade soda can stove
  • 5 pounds of gorp (“good old raisins and peanuts”)
  • Emergency blanket
  • Ziploc Baggies
  • Camelback water reservoir recently filled with known good water
  • 100 feet of parachute cord
  • Wool cloth. Two shirtweight peices 45″X 72″. One heavier weight 60″X108″. These are your clothes, your hammock, your chair, your carryall, etc. Do not substitute cotton!
  • Three yards of 36″ wide cotton could come in handy as well. This is your hat, your belt, your shoulder bag, your sling, etc.
  • Clothing
    • Two pair of wool socks
    • Waterproof, windproof shell or parka. Yes, even if you’re in a tropical zone.
    • Work gloves for digging through post-disaster rubble
    • A warm hat
  • A pennywhistle or any other tiny musical instrument. If you can turn a disaster into a party, your odds of survival will go up.
  • Signalling
    • Referee’s whistle
    • Mirror
    • Mini LED flashlight
  • Money – your eventual goal is to get back to civilization
  • Repairs
    • Mini roll of duct tape
    • Sewing needle and thread
    • Safety pins
  • 9’x7′ painting tarp (to make a tent) or a few trashbags
  • Slingshot kit – can be used to kill small game or fish

Our Bird Is Dead

Gabby was in the preschool at Christ Lutheran School, and her classroom had a caged parakeet. One day Gabby told me that their bird was dead. Since she was only three years old at the time, I didn’t think she knew what that meant, so I asked her about it:

Me: What do you mean, dead?
Gabby: I mean, the bird died.
Me: But what do you mean when you say that it died?
Gabby: It began to stink, so my teacher had to put it in a box and bury it.

Oh. I guess she knew what she was talking about after all.

The Piano’s Broken

We got a used piano a few months ago. After we cleaned it and put it where we wanted it, I played a few short songs (poorly). Throughout the rest of the day, we’d occasionally hear one of the kids hitting a few keys and laughing.

Several hours later, Jake came up to me with some bad news:

Jake: Daddy, I think the piano’s broken.
Me, alarmed: Why? What happened?
Jake, upset: I pressed all the keys, but it didn’t make the right music come out.

Filtering Spam With Postfix

If you are responsible for maintaining an internet-connected mail-server, then you have, no doubt, come to hate spam and the waste of resources which comes with it. When I first decided to lock down my own mail-server, I found many resources that helped in dealing with these unwanted messages. Each of them contained a trick or two, however very few of them were presented in the context of running a real server, and none of them demonstrated an entire filtering framework. In the end I created my own set of rules from the bits and pieces I found, and months of experimentation and fine-tuning resulted in the system detailed in this article.

This article will show you how to configure a Postfix mail-server in order to reject the wide majority of unwanted incoming “junk email”, whether they contain unsolicited commercial email (UCE), viruses, or worms. Although my examples are specific to Postfix, the concepts are generic and can be applied to any system that can be configured at this level of detail.

For a real world example, I’ll use my server’s configuration details:

My server’s configuration details
Hostname Kanga.honeypot.net
Public address
Postfix configuration path /usr/local/etc/postfix


This configuration was written with two primary rules in mind:

  1. Safety is important above all else. That is, I would much rather incorrectly allow an unwanted message through my system than reject a legitimate message.
  2. The system had to scale well. A perfect system that uses all of my server’s processing power at moderate workloads is not useful.

To these ends, several checks – that may have reduced the number of “false negatives” (messages that should have been rejected but were not) at the cost of increasing the number of “false positives” (legitimate messages that were incorrectly rejected) – were avoided. The more resource-intensive tests were moved toward the end of the configuration. This way, the quick checks at the beginning eliminated the majority of UCE so that the longer tests had a relatively small amount of traffic to examine.

HELO restrictions

When a client system connects to a mail-server, it’s required to identity itself using the SMTP HELO command. Many viruses and spammers skip this step altogether, either by sending impossibly invalid information, or lying and saying that they are one of your own trusted systems – in the hopes that they will be granted undeserved access. The first step in the filtering pipeline, then, is to reject connections from clients that are severely mis-configured or that are deliberately attempting to circumvent your security. Given their simplicity, these tests are far more effective than might be imagined, and they were implemented in my main.cf file with this settings block:

1  smtpd_delay_reject = yes
2  smtpd_helo_required = yes
3  smtpd_helo_restrictions =
4     permit_mynetworks,
5     check_helo_access hash:/usr/local/etc/postfix/helo_access,
6     reject_non_fqdn_hostname,
7     reject_invalid_hostname,
8     permit

Line 1 is a fix for certain broken (but popular) clients, and is required in able to use HELO filtering at all. The second line rejects mail from any system that fails to identify itself. Line 4 tells Postfix to accept connections from any machines on my local network. The next line references an external hash table that contains a set of black- and whitelisted entries; mine looks like this:

woozle.honeypot.net     OK
honeypot.net            REJECT You are not me. Shoo!         REJECT You are not me. Shoo!

The first line in the table explicitly allows connections from my laptop so that I can send mail when connected through an external network. At this point Postfix has already been told to accept connections from all of my local machines and my short list of remote machines, so any other computer in the world that identifies itself as one of my systems is lying. Since I’m not particularly interested in mail from deceptive systems, those connections were flatly rejected.

Lines 6 through 8 complete this stage by rejecting connections from hosts that identify themselves in blatantly incorrect ways, such as “MAILSERVER” and “HOST@192.168!aol.com”.

Some administrators also use the rejectunknownhostname option to ignore servers whose hostnames can’t be resolved, but in my experience this causes too many false positives from legitimate systems with transient DNS problems or other harmless issues.

You can test the effect of these rules, without activating them on a live system, by using the warnifreject option to cause Postfix to send debugging information to your maillog without actually processing them. For example, line 6 could be replaced with:


This way the results can be observed without the risk of inadvertently getting false positives.

Sender restrictions

The next step is to reject invalid senders with these options:

9  smtpd_sender_restrictions =
10    permit_sasl_authenticated,
11    permit_mynetworks,
12    reject_non_fqdn_sender,
13    reject_unknown_sender_domain,
14    permit

Lines 10 and 11 allow clients that have authenticated with a username and password or Kerberos ticket, or who are hosts on my local network, to continue onward. Lines 12 and 13 work similarly lines 6 and 7 in the “HELO restrictions” section; if the sender’s email address is malformed or provably nonexistent, then there’s no reason to accept mail from them. The next line allows every other message to move on to the next phase of filtering.

Recipient restrictions and expensive tests

By this time, it’s clear that the client machine isn’t completely mis-configured and that the sender stands a reasonable chance of being legitimate. The final step is to see that the client has permission to send to the given recipient and to apply the remaining “expensive” tests to the small number of messages that have made it this far. Here’s how I do it:

15 smtpd_recipient_restrictions =
16   reject_unauth_pipelining,
17   reject_non_fqdn_recipient,
18   reject_unknown_recipient_domain,
19   permit_mynetworks,
20   permit_sasl_authenticated,
21   reject_unauth_destination,
22   check_sender_access hash:/usr/local/etc/postfix/sender_access,
23   check_recipient_access hash:/usr/local/etc/postfix/recipient_access,
24   check_helo_access hash:/usr/local/etc/postfix/secondary_mx_access,
25   reject_rbl_client relays.ordb.org,
26   reject_rbl_client list.dsbl.org,
27   reject_rbl_client sbl-xbl.spamhaus.org,
28   check_policy_service unix:private/spfpolicy
29   check_policy_service inet:
30   permit

Many spammers send a series of commands without waiting for authorization, in order to deliver their messages as quickly as possible. Line 16 rejects messages from those attempting to do this.

Options like lines 17 and 18 are probably becoming familiar now, and they work in this case by rejecting mail targeted at domains that don’t exist (or can’t exist). Just as in the “Sender restrictions” section, lines 19 and 20 allow local or authenticated users to proceed – which here means that their messages will not go through any more checks. Line 21 is critically important because it tells Postfix not to accept messages with recipients at domains not hosted locally or that we serve as a backup mail server for; without this line, the server would be an open relay!

The next line defines an access file named senderaccess that can be used as a black- or whitelist. I use this to list my consulting clients’ mail-servers so that none of the remaining tests can inadvertently drop important requests from them. I added line 23, which creates a similar blacklist called recipientaccess for recipient addresses, as an emergency response to a “joe job”. Once in 2003, a spammer forged an email address from my domain onto several million UCE messages and I was getting deluged with bounce messages to “michelle@honeypot.net”. I was able to reject these by adding an entry like:

michelle@honeypot.net REJECT This is a forged account.

Although the event was annoying, this allowed my server to continue normal operation until the storm had passed.

Line 24 is the last of the “inexpensive” checks. It compares the name that the remote system sent earlier via the HELO command to the list of my secondary mail servers and permits mail filtered through those systems to be delivered without further testing. This is the weak link in my filtering system, because if a spammer were clever enough to claim that they were one of my backup servers then my mail server would cheerfully deliver any message sent to it. In practice, though, I’ve never seen a spammer that crafty and this line could be removed without side effects should the need arise.

Lines 25 through 27 are somewhat more controversial than most of my techniques, in that they consult external DNS blackhole lists in order to selectively reject messages based on the IP address of the sender. Each of these lists have been chosen because of their good reputation and very conservative policies toward adding new entries, but you should evaluate each list for yourself before using their databases to drop messages.

SPF and greylisting

Lines 28 and 29 add Sender Policy Framework (SPF) and greylisting filtering respectively. SPF works by attempting to look up a DNS record, that domains can publish, which gives the list of addresses allowed to send email for that domain. For example, webtv.net’s SPF record is currently “v=spf1 ip4: -all”, which means that a message claiming to be from joeuser@webtv.net sent from the IP address is forged and can be safely rejected.

Greylists are pure gold when it comes to rejecting junk email. Whenever a client attempts to send mail to a particular recipient, the greylist server will attempt to find that client’s address and the recipient’s address in its database. If there is no such entry then one will be created, and Postfix will use a standard SMTP error message to tell the client that the recipient’s mailbox is temporarily unavailable and to try again later. It will then continue to reject similar attempts until the timestamp is of a certain age (mine is set to five minutes). The theory behind this is that almost no special-purpose spam sending software will actually attempt to re-send the message, but almost every legitimate mail server in existence will gladly comply and send the queued message a short time later. This simple addition cut my incoming junk email load by over 99% at the small cost of having to wait an extra five minutes to receive email for the first time from a new contact. It has worked flawlessly with the many mailing lists that my clients and I subscribe to and has not caused any collateral problems that I am aware of. If you take nothing else from this article, let it be that greylisting is a Good Thing and your customers will love you for using it.

I use the smtpd-policy.pl script that ships with Postfix to handle SPF, and Postgrey as an add-on greylisting policy server. They’re defined in my master.cf file as:

spfpolicy  unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/perl /usr/local/libexec/postfix/smtpd-policy.pl
greypolicy  unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/perl /usr/local/libexec/postfix/greylist.pl

Content filtering

The messages remaining at this point are very likely to be legitimate, although all that Postfix has actually done so far is enforce SMTP rules and reject known spammers. Their final hurdle on the way from their senders to my users’ mailboxes is to pass through a spam filter and an antivirus program. The easiest way to do this with Postfix is to install AMaViS, SpamAssasin, and ClamAV and then configure Postfix to send messages to AMaViS (which acts as a wrapper around the other two) before delivering them, and line 31 does exactly that:

31 content_filter = smtp-amavis:

SpamAssassin is fantastic at identifying spam correctly. Its “hit rate” while used in this system will be much lower than if it were receiving an unfiltered stream, as most of the easy targets have already been removed. I recommend setting AMaViS to reject only the messages with the highest spam scores; I arbitrarily picked a score of 10.0 on my systems. Then, tag the rest with headers that your users can use to sort mail into junk folders.

ClamAV has proven itself to be an effective and trustworthy antivirus filter, and I now discard any message that it identifies as having a viral payload.

Unfortunately, the configuration of these systems is more complicated than I could hope to cover in this article, as it depends heavily on the setup of the rest of your email system. The good news is that literally less than 1% of junk email makes it this far into my system, and I’ve actually gone for several days without realizing that SpamAssassin or ClamAV hadn’t been restarted after an upgrade. Still, these extra filters are very good at catching those last few messages that make it through the cracks.

Other possibilities

If you want more aggressive filtering and can accept the increased risk of false positives, consider some of the other less-conservative blackhole lists such as the ones run by SPEWS or the various lists of blocks of dynamic IP addresses. You may also consider using the rejectunknownhostname option mentioned in the “HELO restrictions” section, but you can expect a small, measurable increase in false positives.

The ruleset described above should be sufficient on its own to eliminate the vast majority of junk email, so your time would probably be better spent implementing and adjusting it before testing other measures.


None of the techniques I use are particularly difficult to implement, but I faced quite a challenge in assembling them into a coherent system from the scraps I found laying about in various web pages and mailing lists.

The most important thing I learned from the process was that it’s easy to experiment with Postfix, and it can be customized to your level of comfort. When used in my configuration, the most effective filters are:

  • Greylisting
  • DNS blackhole lists
  • HELO enforcement

Greylisting has proven to be an excellent filter and I’ve deployed it successfully on several networks with nothing but positive feedback from their owners. Even the basic HELO filtering, though, can visibly decrease spam loads and should be completely safe. It can be difficult to find a good compromise between safety and effectiveness, but I believe I’ve found a solid combination that should work in almost any situation. Don’t be afraid to test these ideas on your own and make them a part of your own anti-spam system!

Notes and resources

Postfix Configuration – UCE Controls
SPF: Sender Policy Framework
Greylisting.org – a great weapon against spammers
Postgrey – Postfix Greylisting Policy Server
AMaViS – A Mail Virus Scanner
The Apache SpamAssassin Project
Clam AntiVirus

Copyright information

This article is made available under the “Attribution-Sharealike” Creative Commons License 2.5 available from http://creativecommons.org/licenses/by-sa/2.5/.

Reprint information

This article was originally published in Free Software Magazine. I’m reposting it here for backup purposes.