Becoming Unrooted
So, I forgot my root password. For non-technical types, that’s pretty much the key to the kingdom when you need to get full access to a computer, or install new software, or to make backups, or to fix something in an emergency. I use this little program called “sudo” all the time that lets you do most of the same things except with your own password. I guess it’d been so long since I’d actually needed that root password that it just slipped my mind. Still, I felt pretty dumb and resigned myself to coming up with a new one and resetting it on all the computers I use.
So, this morning something came up where I really needed that password, and without thinking I picked up a keyboard and mashed it out. It worked. “Oh joy,” I thought. “I’ll just do it again and pay attention to what I’m typing.” Except that try as I might, I just can’t type that password if I’m consciously thinking about it.
This has not improved my outlook on an upcoming birthday in the slightest.
baby.lisp
In our household, a baby just ain’t a baby without an appropriately geeky birth announcement. And since Nick is mostly functional — I mean, he can’t exactly type yet — this one is in Lisp. Share and enjoy!
; This program forks(). That should be plenty for a few years' entertainment
; Copyright (C) 2007 Kirk & Jennifer Strauser
; This program is free software: you can redistribute it and/or modify
; it under the terms of the GNU General Public License as published by
; the Free Software Foundation, either version 3 of the License, or
; (at your option) any later version.
; However, the output of this particular instance shall remain
; exclusively licensed to the authors for a period of up to eighteen
; years.
; $Id: baby.lisp 4 2007-09-05 23:18:12Z kirk $
(require :sb-posix)

(defvar *birthtime* (encode-universal-time 0 20 1 1 9 2007))
(defvar *age* (- (get-universal-time) *birthtime*))

(defun hello ()
  (format t "Hello, world! My name is Nicholas Arthur Strauser and this is ~
             my ~:r day!~%" (ceiling (/ *age* 86400))))

(defun labor ()
  (cond
    ((zerop (sb-posix:fork)) (format t "Ouch!~%"))
    (t (hello))))

(defun wait ()
  (cond
    ((< *age* 0)
     (sleep (- *age*))
     (setf *age* 0)
     (labor))
    (t (hello))))

(wait)
Vapor Rises
Dan Feather, aka “Vapor”, died today after he lost control of his motorcycle. Dan was remarkable for his quiet decency. There were many reasons to like him, but above all else, he was a good man.
Goodbye, friend. You leave behind many people who held you in high regard.
Rest well.
Down To The Uptown
As our anniversary dinner tradition, Jen and I drive to Stanton to eat at the Uptown Brewery. Each year, we ask ourselves if we really want to go all the way down there. Each year, we decide that we’ll have a nice meal and that it’s not that far anyway. Each year, we wonder why we don’t go there more often. I don’t want to disparage any of the wonderful local places, but it really is true: the best restaurant in Norfolk is in Stanton.
The building itself is interesting and the service is always top-notch, but it’s the food that brings us back. We started with the seafood-stuffed mushrooms and moved to amazingly good tomato bisque and cream of chicken noodle soup. The entrees, though, were exceptional. Jen loved the seafood crepes, which were very similar to the stuffed mushrooms but so large that she could only eat one of the two. I ordered the steak Johannesburg, which is a thick cut of angus beef covered with chopped lobster in Madeira cream sauce, and remembered why it’s my usual.
I’m not a food critic, which you can pretty easily tell by my previous attempts at describing meals, nor have I read many restaurant reviews. I don’t know all the words I should use to tell you why you absolutely must take the trip to Stanton to see for yourself. Just trust me on this one, OK? Go. You’ll be glad you did.
Negotiations With Western Digital
We bought a Western Digital external hard drive for Jen’s computer while we were in Omaha. I hooked it up when we got home and it was dead on arrival. I called for an RMA (“return material authorization” — basically permission to return it to the manufacturer) and got the replacement a few days later. Unfortunately, they didn’t include a pre-paid shipping label to return the defective part, and the customer service guy wasn’t too keen on giving me one. I wasn’t asking for anything unreasonable or that they could justifiably deny, and here’s how I got one anyway:
CS guy: It’s not our policy to give out shipping labels. It’s the customer’s responsibility to pay for shipping.
Me: It’s not this customer’s policy to pay for shipping products that were dead on arrival.
CS guy: I see your point, but that’s not something we normally do.
Me: OK, but I’d sure appreciate it. I mean, I did you a favor by calling you instead of returning this to the store. I didn’t know I’d have to pay for it.
CS guy: Well, we don’t do a very good job of telling you that on our website. I can ask my supervisor, but I don’t think he’ll do it.
Me: I’ll hold.
[5 minutes go by]
CS guy: Sir, this isn’t something we do, but since these are special circumstances, we’ll do it just this one time. You’ll get it within a week.
Me: Thanks! Oh, and can you extend my deadline for returning the broken one by a few days since I don’t have the shipping label yet?
CS guy: (sighs) Yeah, OK. You can have an extra 10 days.
Note two important things: first, I was polite; second, I was assertive. Failure on either of those would have wrecked the whole deal.
Electronic Survival Kit
So, you’ve made a survival kit to keep you alive until the good guys come to rescue you. Well, now you’re starting life over in a new place. These are some of the things you might want to bring along.
References
How To Carry It
Electronically
Our primary goal is to make our data as easy to access as possible. This is critically important when you don’t know what kind of machine you may have to use to access your data. You might have a beautiful Mac or Unix workstation at home, but if you were at home and could use your computer, then the rest of this would be pointless. Regardless of what you normally use, expect to be using a Windows box to access it.
First, I highly recommend that you combine your files into a single Zip file. That’s because it’s much easier to manage one file than 100.
Second, and this is critically important, use an encryption program to put a password on the zip file! You’re going to be putting a lot of sensitive information in there, so don’t leave it out for any twit to find if you misplace your copy. I highly, highly recommend GNU Privacy Guard, or GPG. A package of it for Windows is available from http://www.gpg4win.org. Under no circumstances should you trust the lame “encryption” (bah!) that comes with some storage media like USB keychain drives, or such as is built into WinZip. I mean it! Use a stand-alone encryption program.
Don’t forget to put a copy of the installer on your backup media so that you’ll be able to unlock your data when you need it!
Third — and this is very important — create the zip file on your computer’s hard drive, then encrypt it, and finally move the encrypted file onto your backup media. You should never copy the unencrypted data onto that media! Even if you delete it afterward, it may be possible to recover the information.
By the same token, don’t decrypt the zipfile onto your backup media. Copy it onto the hard drive of the computer you’re using to access it, then decrypt it and unzip it from there. Of course, if you’re using a very public computer such as a rental at an Internet cafe, then that may actually be the worse option. Trust your own judgment, and let rampant paranoia be your guide.
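The three steps above, plus a check that nothing unencrypted ended up on the media, as an added Python example (not part of the original post). It assumes `gpg` is on the PATH; the function names, the installer filename and the sample file headers are constructed for illustration, and the audit is a heuristic that only inspects each file's leading bytes.

```python
"""Added example (not from the original post): stage an encrypted survival-kit
archive and audit the backup media. Names and paths are illustrative."""
import shutil
import subprocess
import tempfile
from pathlib import Path

ARMOR = b"-----BEGIN PGP MESSAGE-----"
ENCRYPTED_TAGS = {1, 3}  # OpenPGP tags: 1 = public-key ESK, 3 = symmetric-key ESK


def openpgp_tag(first_octet):
    """Return the packet tag encoded in an OpenPGP header octet, or None."""
    if not first_octet & 0x80:        # bit 7 is set in every packet header
        return None
    if first_octet & 0x40:            # new-format header: tag in bits 5-0
        return first_octet & 0x3F
    return (first_octet >> 2) & 0x0F  # old-format header: tag in bits 5-2


def looks_encrypted(head):
    """Heuristic: does this file start like an OpenPGP encrypted message?"""
    if head.startswith(ARMOR):
        return True
    return bool(head) and openpgp_tag(head[0]) in ENCRYPTED_TAGS


def audit_media(media_dir, allowed_plain=()):
    """Return names of files on the media that are neither encrypted nor allowed."""
    offenders = []
    for path in sorted(Path(media_dir).rglob("*")):
        if not path.is_file() or path.name in allowed_plain:
            continue
        with path.open("rb") as fh:
            if not looks_encrypted(fh.read(len(ARMOR))):
                offenders.append(path.name)
    return offenders


def build_and_stage(source_dir, media_dir, allowed_plain=()):
    """Zip and encrypt on the local disk; copy only the .gpg file to the media."""
    with tempfile.TemporaryDirectory() as work:  # local scratch space, not the media
        archive = shutil.make_archive(str(Path(work) / "survival-kit"), "zip", source_dir)
        encrypted = archive + ".gpg"
        # gpg prompts for the passphrase itself; nothing secret is passed on argv.
        subprocess.run(["gpg", "--symmetric", "--cipher-algo", "AES256",
                        "--output", encrypted, archive], check=True)
        shutil.copy2(encrypted, media_dir)
    return audit_media(media_dir, allowed_plain)


def demo():
    """Audit a constructed 'media' folder that holds stray plaintext files."""
    installer = "gpg-installer.exe"  # placeholder name for the unencrypted installer
    with tempfile.TemporaryDirectory() as media:
        samples = {  # constructed file headers, not real data
            "survival-kit.zip.gpg": b"\x8c\x0d\x04\x09\x03\x02" + b"\x00" * 16,
            "armored.asc": ARMOR + b"\n\n...",
            installer: b"MZ\x90\x00",
            "survival-kit.zip": b"PK\x03\x04" + b"\x00" * 16,
            "notes.txt": b"Bank contact numbers",
        }
        for name, data in samples.items():
            (Path(media) / name).write_bytes(data)
        return audit_media(media, allowed_plain=(installer,))


if __name__ == "__main__":
    print(demo())
```

Deleting the temporary working folder does not wipe the plaintext zip from the local disk, so run this on a machine you trust with the unencrypted originals.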
Physically
A floppy ain’t gonna cut it. Your encrypted zipfile will probably be much larger than will fit on a floppy disk, unless your life is so simple that this is just an academic exercise. Your four main options, in the order I’d recommend them, are:
- USB “keychain” drive
- Pros: they’re durable and can be reused thousands of times. They’re also much smaller than a CD-R.
- Cons: fewer computers have USB slots than CD-ROM drives, although that’s changing as old machines are replaced — almost all new computers have them.
- CD-R
- Pros: blank CD-Rs are cheap, most people have a CD burner (so you probably already have the equipment to make one), and almost every computer has a CD-ROM device to read it. Also, CD-Rs can hold a relatively huge amount of data for pennies.
- Cons: every time you update your data, you have to throw away the old copy or risk packing away the wrong one. CD-Rs are relatively fragile; one fat scratch and your data is lost.
- DVD-R
- Same pros and cons as CD-R, except they hold much more data but are not as widely available as USB slots.
- Free webmail account (Yahoo! Mail, Gmail, Hotmail, etc.)
- Pros: access your data from any computer with Internet access. No physical media to lose or destroy.
- Cons: it can take a long time to store or retrieve your data. Not every computer has Internet access. Your files may be larger than your webmail account can hold. If your webmail company is also destroyed in the disaster, you’re out of luck.
Remember, don’t forget to store a copy of the encryption program you’re using along with the encrypted data itself! Although you can always download another copy off the Internet, that may be inconvenient (especially if you don’t remember what it’s called because you just watched your house burn down and you’re under extreme duress).
Also, nothing says you can’t use more than one option. Just don’t forget to update all of them whenever you add more information.
Whichever you choose, it’s not a bad idea to store any physical media with your regular survival kit. If disaster strikes, you’re more likely to remember to grab your knife and matches than a CD-R or keychain drive.
The List
Store small amounts of information in a text file using an editor like Notepad (on Windows). Do not store it in a Word document! Believe it or not, many computers don’t have an office suite installed on them, and you’d be seriously limiting your access options at a time when you can least afford it.
When scanning documents, set the resolution to at least 125DPI (200 is preferable); greyscale (instead of color) is fine and will use less space. Use at least 300 for photos. Don’t just blindly turn your scanner to its highest setting, though, or you’ll never get all of your documents to fit onto your media.
- Employment
- Current resume
- Examples of your work
- High school and/or college diplomas
- Letters of recommendation
- References
- Financial
- Bank/investment accounts
- Credit card numbers and expiration dates
- Loan accounts
- Insurance policy numbers
- Contact numbers for all of the companies above!
- Identification
- Baptism/dedication certificates
- Birth certificates
- Driver’s license
- Family photos (also important for morale!)
- Fingerprints
- Marriage certificate
- Passport
- Tax returns
- Voice recordings
- Medical
- Dental records
- Disease records
- Immunization records
- X-rays
- Property
- Deeds and titles
- Wills
- Contact information for lots of friends and relatives, preferably spread over a large geographical area so that they’re not all affected by the same disaster you’re fleeing
Summary
That list is pretty long and odds are you’ll never need it. However, if you do, won’t you wish you’d taken the time to get all this information together? Once you’ve managed to gather it, maintenance should be a snap — just make a new zip archive, encrypt it, and replace your old copy with the new one.
Just remember the basics:
- Pick one or two of the most durable media that can hold all of your information.
- Don’t trust the built-in Zip encryption.
- Don’t trust the built-in USB keychain drive encryption.
- Don’t ever put your unencrypted data onto your backup media unless you have to.
- Include an (unencrypted) copy of your encryption program’s installer, or a standalone version that can be run directly from your storage media.
- Also include a copy of WinZip or another file extraction utility. Older versions of Windows don’t have that functionality built in.
- Keep current!
If you do happen to be affected by a local disaster, this information could be incredibly useful. Think about how impressed an interviewer would be to find out that you brought your resume and work samples with you. Imagine how glad the police would be to get a high-quality picture of missing family members. You buy insurance for your house and cars, right? Think of this as cheap insurance for your way of life.
Fresh Sushi Better
Jen and I took Jake and Ari to Omaha. I had joked with Jake that I was going to make him eat sushi, and to my surprise he loved the idea. There was a restaurant downtown within walking distance of our day’s destination and I thought we’d leave Norfolk early and have an early lunch. On our way in, though, we were running a little late. As we passed Yet Another Strip Mall, I saw a big “SUSHI” sign and asked Jen if she wanted to see if it was busy rather than getting all the way downtown and finding out we didn’t have time to eat. She agreed and we pulled in.
What a surprise.
We ended up at Hiro Japanese Cuisine (on W. Maple, near Borders), and I state without exaggeration that it had the best sushi I’ve ever eaten. My nigiri plate was superb. Jake’s California roll was far better than I knew one could be. Jen’s tempura was fresh, crisp, and varied. Ari’s teriyaki chicken was tender and delicious. The salad dressing was so good that I was only halfway joking about tipping my bowl up and drinking it. There’s really not much more I can say; it was awe-inspiring.
The decor was elegantly cool, and I felt stylish simply for being there. Even the bathrooms were beautiful.
Our waiter was exceptionally good. He was funny but not annoying, and helpful without being condescending. For example, Jen poked her chopsticks into her rice bowl and left them there. Our waiter came by and whispered to her, and she blushed and started laughing: that’s apparently a symbol of death. However, he told her this discreetly and politely, rather than making fun of us ignorant folk behind our backs (or at least hiding it well if he did). The service easily ranked among the best we’ve had.
If you like sushi or other Japanese fare, you must try Hiro Japanese Cuisine. We will definitely be eating there whenever we visit Omaha from now on.
Mowing With Max
I have a nice Craftsman lawn mower. I like my lawn mower. I have no desire to get another lawn mower. And yet, I got another lawn mower. Jen bought a cordless string trimmer from someone she knows and they offered to throw in their mower for free, so, why not? We took it home.
I began mowing the lawn this weekend, and at one point I stopped to adjust the deck height on one side. When I tried to restart the engine, the pull cord snapped. Well, I couldn’t very well leave the lawn half-mowed, so I figured I’d try the “new” one. It started, which gave it an immediate advantage over the other.
After about two laps around the yard and listening to every single moving part squeak, rattle, or tick, and given the number of knobs and levers on the thing, I named it Max, as in “Mad Max”. If the bad guy from “The Road Warrior” had a wife, and she made him mow the lawn, he would have built something like this.
I guessed that it had to be either the cheapest, junkiest mower I’d ever seen, or the nicest I’d ever been around, for two reasons:
- It was monstrously heavy. It was self-propelled for the same reason as a Cadillac Escalade: if it wasn’t, it would be pretty useless.
- It had no safety equipment whatsoever. I don’t know how many times I got nailed by flying debris that shot out from the back of it.
And yet, it ran and did a pretty nice job. With any luck I’ll be able to fix the regular mower and use it next weekend, but if not, it’s nice knowing that the other hunk of snarling, deadly iron is available.
Pre Packaged Sushi Not Bad
I was buying groceries and saw a new display of pre-packaged plastic boxes of sushi. In the middle of Nebraska. Supermarket sushi. The idea kind of horrified me, but eventually my curiosity got the best of me and I had to try some. I settled on the spicy surimi roll and threw it in the cart. As I was checking out, I asked the cashier if anyone else ever bought these, or if I was the guinea pig. “Oh yeah,” she said. “We sell lots of it!”
Later that afternoon, Jake was asking for a snack so I recruited him to help me try it. The package came with little packets of soy sauce and wasabi, and the sushi itself looked pretty good. Steeling my nerves, I tried it.
The first bite wasn’t bad.
Jake was digging in, and I took a second, less-timid bite. No, not bad at all.
By the time we’d finished, Jake was loving it and I was pretty happy I’d taken the chance.
It certainly wasn’t Haruno, but it was actually pretty decent and something I’d gladly buy again. It was made by Fuji Food Products, Inc., and had a blue-and-gold “Fujisan” logo on the dark red-orange tape strip.
Decent sushi in Norfolk, from a grocery store cooler of all places. Who’d have thought?
Long Weekends
Summer’s upon us again. The kids just got out of school on Wednesday, which reminded me that my last post was to say that the kids were just starting back and I haven’t said a word since then. Anyway, we have them signed up for pretty much every summer sport offered and Gabby’s getting ready to start piano lessons, so they’ll be keeping pretty busy.
Jen and I have been mulching the flower gardens, to the tune of about one pickup load of mulch per weekend. We’ve put down about 4 tons now, and I think we’re finally getting to the end of it. Which is good. Because at this point, if I never move another handful of the stuff, that’ll be fine by me.
Up In The Morning And Out To School
Well, it’s officially school time again. Gabby and Ari started back yesterday, and Jake went this morning for the first time.
Gabby seemed really happy. She got in line with her friends and immediately jumped back into the swing of things.
When we took Ari into the Montessori preschool, she ran off to play with the other kids as if she’d been there all along. When I picked her up in the afternoon, she told me that she’d learned how to read (so I suppose that they’ll cover math today, and maybe start on biology next Monday).
Jake looked a little unsure this morning, but he was mostly smiling as he lined up and walked to class. I just wish I’d remembered to bring his bookbag and a camera. These are the things that happen when I’m the one who gets the kids ready for school. At least they were fed, dressed and clean.
Tilden Days
Last weekend, we took the kids to Tilden’s “Prairie Days” festival, a celebration that raises money for various local organizations.
Events included:
- Whiplash, the dog-riding monkey. We arrived about ten minutes too late to see him, which was unfortunate because he was the main thing the kids were looking forward to.
- An officially-sanctioned cow chip throwing contest. I didn’t know there was an official governing body for such things, but there is. Winners were eligible to compete in the World Championship Cow Chip Throw.
- The First Annual Drag Your Nag Contest. Men carried their wives or girlfriends through an obstacle course, and the winning team earned the woman’s weight (in pounds) in dollars. Jen and I had registered, but when we discovered that:
  - All the other men looked like firefighters or bullriders and were in much better shape than me,
  - Almost everyone else was in their early 20s, and
  - The obstacle course included a mud pit and we weren’t wearing old clothes,

  we (I) chickened out and watched from the sidelines.
We had a great time, though, and gorged ourselves on watermelon. Congratulations on another great year, Tilden!
Running Before Walking
The kids started swimming lessons yesterday. They all had a great time and left smiling. As I was putting Jake to bed, I asked him about his day:
Me: What was your favorite part of swimming lessons?
Jake: Jumping off the diving board.
Me: Really?
Jake: Yeah. It was a little scary, though.
Me: Well, sometimes the most fun things are a little scary.
Jake: Yeah. (pause) I wish I’d done a back flip.
If God Meant For Man To Roll
It seemed like such a simple idea at the time: I’d buy a cheap bike and ride to work whenever possible. I’d get fresh air, exercise, and a tan, and most importantly I’d save money on gas (because I’m a cheapskate and hate paying $3.00 per gallon regardless of whether I can afford it).
So, I went to Happy Fun Land — what we call Wal-Mart when we want to antagonize the kids — and picked up their $80 generic mountain bike. In short, that lasted for a grand total of two (2) round trips to work before a broken chain ended my patience with its mechanical problems.
Wal-Mart kindly allowed me to exchange that lame horse for a slightly more expensive and much nicer Schwinn. I rode it to work exactly once before getting a flat tire.
It’s the little things, really. Chains are easy to fix and cheap to replace, and flat tires aren’t a big deal, but as of today I’ve spent about $50 per ride and I still don’t currently have a working bike. Maybe some of us are just meant to drive.
How To Make A Survival Kit
On my birthday in 2005, I read a Slashdot article discussing what things you might want to take with you if you had to evacuate your home. This was only a few months after Hurricane Katrina leveled southern Louisiana and Mississippi, so quite a few people had given this a lot of recent thought.
The article started off talking about which personal documents you should take copies of (driver licenses, marriage certificates, passports, etc.) — in other words, an electronic survival kit. However, the topic soon veered off into the kinds of things you need to physically stay alive. That made me realize that I’ve never made any such preparations, short of putting some bottled water in our tornado shelter. Below is a summary of the recommendations I came across.
Note: This isn’t meant as a list of things you’ll need to form your own private society out in the desert. I have absolutely zero interest in “survivalism”; I just want to have the stuff needed to keep me and my family alive until the National Guard arrives.
Second note: I primarily wrote this for me and my family. It’s biased towards scenarios that I might have to cope with, but completely ignores things that I could never hope to deal with anyway (such as being lost at sea).
References
How To Carry It
There are two schools of thought here:
- Pack everything inside a small metal pan that you can use for cooking, carrying water, etc.
- Pros: no wasted space or weight
- Cons: small metal pans can get crushed or soaked
- Put everything “fragile” inside a hardened case, like an OtterBox
- Pros: your gear stays dry and intact
- Cons: the box probably isn’t very intrinsically useful
Your application affects your choice very heavily. If you plan to carry mainly camping gear that’s pretty durable, the first option is probably your best choice. If you expect to carry many fragile items, such as an electronic survival kit or other small electronics, then the second is likely better. I personally use an OtterBox.
The List
Note, some of this is blatantly, word-for-word plagiarized from the above sources. My goal is to condense their ideas into one handy list, and there are only so many ways to say “strike anywhere matches”.
- Instructions
  - Short checklist of things you’d never remember to do on your own
  - The US Army Survival Manual. Print it small and use a magnifying glass if you need to.
- Tools
  - Good, metal knife
  - Small multi-tool (for the scissors, screwdrivers, etc.)
  - Compass
  - Thermometer
  - Magnifying glass — possibly a Fresnel lens
  - Flashlight with batteries, preferably with a blinker
- Metal dining utensils (that can be sanitized before and after use)
- Fire starters — at least one of:
  - Strike anywhere matches in a waterproof safe
  - Firestarting piston
  - Disposable lighter
  - Magnesium/flintbar
- Water
  - Personal water filter
  - Water purifying straw
  - Water purification tablets
- Several sheets of paper and a pencil
- A bottle of alcohol. Distilled, drinkable grain alcohol is best.
- Medicine / Health
  - Anti-diarrheals
  - Aspirin
  - Antihistamines — to counter allergic reactions
  - Any other drugs you personally need to stay alive
  - Scalpel blades
  - Sunscreen
  - Suture kit
- Homemade soda can stove
- 5 pounds of gorp (“good old raisins and peanuts”)
- Emergency blanket
- Ziploc Baggies
- CamelBak water reservoir recently filled with known good water
- 100 feet of parachute cord
- Wool cloth. Two shirtweight pieces 45" x 72". One heavier weight 60" x 108". These are your clothes, your hammock, your chair, your carryall, etc. Do not substitute cotton!
- Three yards of 36" wide cotton could come in handy as well. This is your hat, your belt, your shoulder bag, your sling, etc.
- Clothing
  - Two pair of wool socks
  - Waterproof, windproof shell or parka. Yes, even if you’re in a tropical zone.
  - Work gloves for digging through post-disaster rubble
  - A warm hat
- A pennywhistle or any other tiny musical instrument. If you can turn a disaster into a party, your odds of survival will go up.
- Signalling
  - Referee’s whistle
  - Mirror
  - Mini LED flashlight
- Money — your eventual goal is to get back to civilization
- Repairs
  - Mini roll of duct tape
  - Sewing needle and thread
  - Safety pins
- 9’x7’ painting tarp (to make a tent) or a few trashbags
- Slingshot kit — can be used to kill small game or fish
The Piano's Broken
We got a used piano a few months ago. After we cleaned it and put it where we wanted it, I played a few short songs (poorly). Throughout the rest of the day, we’d occasionally hear one of the kids hitting a few keys and laughing.
Several hours later, Jake came up to me with some bad news:
Jake: Daddy, I think the piano’s broken.
Me, alarmed: Why? What happened?
Jake, upset: I pressed all the keys, but it didn’t make the right music come out.
Our Bird Is Dead
Gabby was in the preschool at Christ Lutheran School, and her classroom had a caged parakeet. One day Gabby told me that their bird was dead. Since she was only three years old at the time, I didn’t think she knew what that meant, so I asked her about it:
Me: What do you mean, dead?
Gabby: I mean, the bird died.
Me: But what do you mean when you say that it died?
Gabby: It began to stink, so my teacher had to put it in a box and bury it.
Oh. I guess she knew what she was talking about after all.
They Were How Big?
Well, today was the big day — Jake and Ari had their tonsils removed. The doctor said Jake’s were nearly as large as golf balls, so the poor little guy had to have been miserable.
The operations went off without a hitch, and they’re both recovering nicely (if irritably) at home.
Filtering Spam With Postfix
If you are responsible for maintaining an internet-connected mail-server, then you have, no doubt, come to hate spam and the waste of resources which comes with it. When I first decided to lock down my own mail-server, I found many resources that helped in dealing with these unwanted messages. Each of them contained a trick or two; however, very few of them were presented in the context of running a real server, and none of them demonstrated an entire filtering framework. In the end I created my own set of rules from the bits and pieces I found, and months of experimentation and fine-tuning resulted in the system detailed in this article.
This article will show you how to configure a Postfix mail-server in order to reject the vast majority of unwanted incoming “junk email”, whether it contains unsolicited commercial email (UCE), viruses, or worms. Although my examples are specific to Postfix, the concepts are generic and can be applied to any system that can be configured at this level of detail.
For a real world example, I’ll use my server’s configuration details:
Hostname | kanga.honeypot.net |
Public address | 208.162.254.122 |
Postfix configuration path | /usr/local/etc/postfix |
Goals
This configuration was written with two primary rules in mind:
- Safety is important above all else. That is, I would much rather incorrectly allow an unwanted message through my system than reject a legitimate message.
- The system had to scale well. A perfect system that uses all of my server’s processing power at moderate workloads is not useful.
To these ends, several checks — that may have reduced the number of “false negatives” (messages that should have been rejected but were not) at the cost of increasing the number of “false positives” (legitimate messages that were incorrectly rejected) — were avoided. The more resource-intensive tests were moved toward the end of the configuration. This way, the quick checks at the beginning eliminated the majority of UCE so that the longer tests had a relatively small amount of traffic to examine.
HELO restrictions
When a client system connects to a mail-server, it’s required to identify itself using the SMTP HELO command. Many viruses and spammers skip this step altogether, either by sending impossibly invalid information, or lying and saying that they are one of your own trusted systems — in the hopes that they will be granted undeserved access. The first step in the filtering pipeline, then, is to reject connections from clients that are severely mis-configured or that are deliberately attempting to circumvent your security. Given their simplicity, these tests are far more effective than might be imagined, and they were implemented in my main.cf file with this settings block:
1 smtpd_delay_reject = yes
2 smtpd_helo_required = yes
3 smtpd_helo_restrictions =
4     permit_mynetworks,
5     check_helo_access hash:/usr/local/etc/postfix/helo_access,
6     reject_non_fqdn_hostname,
7     reject_invalid_hostname,
8     permit
Line 1 is a fix for certain broken (but popular) clients, and is required in order to use HELO filtering at all. The second line rejects mail from any system that fails to identify itself. Line 4 tells Postfix to accept connections from any machines on my local network. The next line references an external hash table that contains a set of black- and whitelisted entries; mine looks like this:
woozle.honeypot.net OK
honeypot.net REJECT You are not me. Shoo!
208.162.254.122 REJECT You are not me. Shoo!
The first line in the table explicitly allows connections from my laptop so that I can send mail when connected through an external network. At this point Postfix has already been told to accept connections from all of my local machines and my short list of remote machines, so any other computer in the world that identifies itself as one of my systems is lying. Since I’m not particularly interested in mail from deceptive systems, those connections were flatly rejected.
Lines 6 through 8 complete this stage by rejecting connections from hosts that identify themselves in blatantly incorrect ways, such as “MAILSERVER” and “HOST@192.168!aol.com”.
Some administrators also use the reject_unknown_hostname option to ignore servers whose hostnames can’t be resolved, but in my experience this causes too many false positives from legitimate systems with transient DNS problems or other harmless issues.
You can test the effect of these rules, without activating them on a live system, by using the warn_if_reject option, which causes Postfix to log what a rule would have rejected to your maillog without actually rejecting it. For example, line 6 could be replaced with:
warn_if_reject,
reject_non_fqdn_hostname,
This way the results can be observed without the risk of inadvertently getting false positives.
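An added example, not from the original article and not Postfix's own code: a simplified Python model of the HELO restriction list above, showing first-match evaluation and what warn_if_reject changes. The `MYNETWORKS` value and the client addresses are constructed, the hostname syntax checks are approximations, and the table lookup assumes Postfix's default parent-domain matching, under which the `honeypot.net` entry also covers its subdomains.

```python
"""Added example: simplified model of the smtpd_helo_restrictions list above.
Not Postfix code. MYNETWORKS and the client addresses are constructed."""
import ipaddress
import re

MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]  # assumed
HELO_ACCESS = {  # the article's helo_access table (reject text omitted)
    "woozle.honeypot.net": "OK",
    "honeypot.net": "REJECT",
    "208.162.254.122": "REJECT",
}
LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?")


def is_address_literal(helo):
    if not (helo.startswith("[") and helo.endswith("]")):
        return False
    try:
        ipaddress.ip_address(helo[1:-1])
        return True
    except ValueError:
        return False


def permit_mynetworks(client_ip, helo):
    ip = ipaddress.ip_address(client_ip)
    return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def check_helo_access(client_ip, helo):
    # Exact name first, then parent domains, so "mail.honeypot.net"
    # falls through to the "honeypot.net" entry.
    labels = helo.lower().split(".")
    for i in range(len(labels)):
        action = HELO_ACCESS.get(".".join(labels[i:]))
        if action:
            return action
    return "DUNNO"


def reject_non_fqdn_hostname(client_ip, helo):
    return "DUNNO" if "." in helo or is_address_literal(helo) else "REJECT"


def reject_invalid_hostname(client_ip, helo):
    if is_address_literal(helo):
        return "DUNNO"
    ok = all(LABEL.fullmatch(label) for label in helo.rstrip(".").split("."))
    return "DUNNO" if ok else "REJECT"


# (name, check, warn_only) in the order of lines 4-7; line 8 is the final permit.
HELO_RESTRICTIONS = [
    ("permit_mynetworks", permit_mynetworks, False),
    ("check_helo_access", check_helo_access, False),
    ("reject_non_fqdn_hostname", reject_non_fqdn_hostname, False),
    ("reject_invalid_hostname", reject_invalid_hostname, False),
]


def evaluate(client_ip, helo, restrictions=HELO_RESTRICTIONS):
    """Return (action, deciding_rule, warnings) for one client and HELO name."""
    warnings = []
    if helo is None:  # smtpd_helo_required = yes
        return "REJECT", "smtpd_helo_required", warnings
    for name, check, warn_only in restrictions:
        result = check(client_ip, helo)
        if result == "REJECT" and warn_only:  # warn_if_reject: log, keep going
            warnings.append(f"warn_if_reject: {name} would reject {helo!r}")
            continue
        if result != "DUNNO":  # first OK or REJECT ends this list
            return result, name, warnings
    return "OK", "permit", warnings


def with_warn_if_reject(rule_name):
    """Copy of the list with one rule demoted to warn-only, as in the article."""
    return [(n, c, w or n == rule_name) for n, c, w in HELO_RESTRICTIONS]


SAMPLES = [  # constructed clients: (client_ip, helo)
    ("192.0.2.10", "desktop"),               # local machine, sloppy HELO
    ("203.0.113.5", "woozle.honeypot.net"),  # whitelisted laptop, outside network
    ("203.0.113.9", "honeypot.net"),         # outsider claiming to be the server
    ("203.0.113.9", "MAILSERVER"),
    ("203.0.113.9", "HOST@192.168!aol.com"),
    ("203.0.113.9", "mx.example.org"),
]

if __name__ == "__main__":
    for ip, helo in SAMPLES:
        print(ip, helo, evaluate(ip, helo)[:2])
```

An OK result here only ends the HELO stage; in Postfix the sender and recipient restriction lists still apply to that client afterwards.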
Sender restrictions
The next step is to reject invalid senders with these options:
9 smtpd_sender_restrictions =
10     permit_sasl_authenticated,
11     permit_mynetworks,
12     reject_non_fqdn_sender,
13     reject_unknown_sender_domain,
14     permit
Lines 10 and 11 allow clients that have authenticated with a username and password or Kerberos ticket, or who are hosts on my local network, to continue onward. Lines 12 and 13 work similarly to lines 6 and 7 in the “HELO restrictions” section; if the sender’s email address is malformed or provably nonexistent, then there’s no reason to accept mail from them. The next line allows every other message to move on to the next phase of filtering.
Recipient restrictions and expensive tests
By this time, it’s clear that the client machine isn’t completely mis-configured and that the sender stands a reasonable chance of being legitimate. The final step is to see that the client has permission to send to the given recipient and to apply the remaining “expensive” tests to the small number of messages that have made it this far. Here’s how I do it:
15 smtpd_recipient_restrictions =
16 reject_unauth_pipelining,
17 reject_non_fqdn_recipient,
18 reject_unknown_recipient_domain,
19 permit_mynetworks,
20 permit_sasl_authenticated,
21 reject_unauth_destination,
22 check_sender_access hash:/usr/local/etc/postfix/sender_access,
23 check_recipient_access hash:/usr/local/etc/postfix/recipient_access,
24 check_helo_access hash:/usr/local/etc/postfix/secondary_mx_access,
25 reject_rbl_client relays.ordb.org,
26 reject_rbl_client list.dsbl.org,
27 reject_rbl_client sbl-xbl.spamhaus.org,
28 check_policy_service unix:private/spfpolicy
29 check_policy_service inet:127.0.0.1:10023
30 permit
Many spammers send a series of commands without waiting for authorization, in order to deliver their messages as quickly as possible. Line 16 rejects messages from those attempting to do this.
Options like lines 17 and 18 are probably becoming familiar now, and they work in this case by rejecting mail targeted at domains that don’t exist (or can’t exist). Just as in the “Sender restrictions” section, lines 19 and 20 allow local or authenticated users to proceed — which here means that their messages will not go through any more checks. Line 21 is critically important because it tells Postfix not to accept messages with recipients at domains not hosted locally or that we serve as a backup mail server for; without this line, the server would be an open relay!
The next line defines an access file named sender_access that can be used as a black- or whitelist. I use this to list my consulting clients’ mail-servers so that none of the remaining tests can inadvertently drop important requests from them. I added line 23, which creates a similar blacklist called recipient_access for recipient addresses, as an emergency response to a “joe job”. Once in 2003, a spammer forged an email address from my domain onto several million UCE messages and I was getting deluged with bounce messages to “michelle@honeypot.net”. I was able to reject these by adding an entry like:
michelle@honeypot.net REJECT This is a forged account.
Although the event was annoying, this allowed my server to continue normal operation until the storm had passed.
Line 24 is the last of the “inexpensive” checks. It compares the name that the remote system sent earlier via the HELO command to the list of my secondary mail servers and permits mail filtered through those systems to be delivered without further testing. This is the weak link in my filtering system, because if a spammer were clever enough to claim that they were one of my backup servers then my mail server would cheerfully deliver any message sent to it. In practice, though, I’ve never seen a spammer that crafty and this line could be removed without side effects should the need arise.
Lines 25 through 27 are somewhat more controversial than most of my techniques, in that they consult external DNS blackhole lists in order to selectively reject messages based on the IP address of the sender. Each of these lists has been chosen because of its good reputation and very conservative policies toward adding new entries, but you should evaluate each list for yourself before using their databases to drop messages.
SPF and greylisting
Lines 28 and 29 add Sender Policy Framework (SPF) and greylisting filtering respectively. SPF works by looking up a DNS record, which a domain can publish, that lists the addresses allowed to send email for that domain. For example, webtv.net’s SPF record is currently “v=spf1 ip4:209.240.192.0/19 -all”, which means that a message claiming to be from joeuser@webtv.net sent from the IP address 64.4.32.7 is forged and can be safely rejected.
Greylists are pure gold when it comes to rejecting junk email. Whenever a client attempts to send mail to a particular recipient, the greylist server will attempt to find that client’s address and the recipient’s address in its database. If there is no such entry then one will be created, and Postfix will use a standard SMTP error message to tell the client that the recipient’s mailbox is temporarily unavailable and to try again later. It will then continue to reject similar attempts until the timestamp is of a certain age (mine is set to five minutes). The theory behind this is that almost no special-purpose spam sending software will actually attempt to re-send the message, but almost every legitimate mail server in existence will gladly comply and send the queued message a short time later. This simple addition cut my incoming junk email load by over 99% at the small cost of having to wait an extra five minutes to receive email for the first time from a new contact. It has worked flawlessly with the many mailing lists that my clients and I subscribe to and has not caused any collateral problems that I am aware of. If you take nothing else from this article, let it be that greylisting is a Good Thing and your customers will love you for using it.
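The greylisting decision described above, as an added Python example rather than Postgrey's or greylist.pl's code. It assumes the request arrives in Postfix's policy delegation format (name=value lines ended by a blank line), keys entries on client address and recipient as the paragraph describes, and keeps the database in an in-memory dictionary; the class and function names are hypothetical.

```python
import time

GREYLIST_DELAY = 300  # seconds: the five-minute delay the article uses

# Constructed sample request in Postfix policy delegation format.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.25\n"
    "sender=someone@example.org\n"
    "recipient=Kirk@Example.net\n"
    "\n"
)


def parse_policy_request(text):
    """Return the name=value attributes of one request (a blank line ends it)."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class Greylist:
    """Hypothetical in-memory greylist keyed on (client address, recipient)."""

    def __init__(self, delay=GREYLIST_DELAY, clock=time.time):
        self.delay = delay
        self.clock = clock  # injectable so the delay can be tested offline
        self.first_seen = {}  # key -> time of the first delivery attempt

    def decide(self, attrs):
        key = (attrs.get("client_address", ""), attrs.get("recipient", "").lower())
        now = self.clock()
        first = self.first_seen.setdefault(key, now)  # create entry if new
        if now - first < self.delay:
            # Temporary failure: a real mail server queues and retries.
            return "action=defer_if_permit Greylisted, try again later\n\n"
        return "action=dunno\n\n"  # old enough: later restrictions decide


if __name__ == "__main__":
    greylist = Greylist()
    print(greylist.decide(parse_policy_request(SAMPLE_REQUEST)), end="")
```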
I use the smtpd-policy.pl script that ships with Postfix to handle SPF, and Postgrey as an add-on greylisting policy server. They’re defined in my master.cf file as:
spfpolicy unix - n n - - spawn
  user=nobody argv=/usr/bin/perl /usr/local/libexec/postfix/smtpd-policy.pl
greypolicy unix - n n - - spawn
  user=nobody argv=/usr/bin/perl /usr/local/libexec/postfix/greylist.pl
Content filtering
The messages remaining at this point are very likely to be legitimate, although all that Postfix has actually done so far is enforce SMTP rules and reject known spammers. Their final hurdle on the way from their senders to my users’ mailboxes is to pass through a spam filter and an antivirus program. The easiest way to do this with Postfix is to install AMaViS, SpamAssassin, and ClamAV and then configure Postfix to send messages to AMaViS (which acts as a wrapper around the other two) before delivering them, and line 31 does exactly that:
31 content_filter = smtp-amavis:127.0.0.1:10024
SpamAssassin is fantastic at identifying spam correctly. Its “hit rate” while used in this system will be much lower than if it were receiving an unfiltered stream, as most of the easy targets have already been removed. I recommend setting AMaViS to reject only the messages with the highest spam scores; I arbitrarily picked a score of 10.0 on my systems. Then, tag the rest with headers that your users can use to sort mail into junk folders.
ClamAV has proven itself to be an effective and trustworthy antivirus filter, and I now discard any message that it identifies as having a viral payload.
Unfortunately, the configuration of these systems is more complicated than I could hope to cover in this article, as it depends heavily on the setup of the rest of your email system. The good news is that literally less than 1% of junk email makes it this far into my system, and I’ve actually gone for several days without realizing that SpamAssassin or ClamAV hadn’t been restarted after an upgrade. Still, these extra filters are very good at catching those last few messages that make it through the cracks.
Other possibilities
If you want more aggressive filtering and can accept the increased risk of false positives, consider some of the other less-conservative blackhole lists such as the ones run by SPEWS or the various lists of blocks of dynamic IP addresses. You may also consider using the reject_unknown_hostname option mentioned in the “HELO restrictions” section, but you can expect a small, measurable increase in false positives.
The ruleset described above should be sufficient on its own to eliminate the vast majority of junk email, so your time would probably be better spent implementing and adjusting it before testing other measures.
Conclusion
None of the techniques I use are particularly difficult to implement, but I faced quite a challenge in assembling them into a coherent system from the scraps I found lying about in various web pages and mailing lists.
The most important thing I learned from the process was that it’s easy to experiment with Postfix, and it can be customized to your level of comfort. When used in my configuration, the most effective filters are:
- Greylisting
- DNS blackhole lists
- HELO enforcement
Greylisting has proven to be an excellent filter and I’ve deployed it successfully on several networks with nothing but positive feedback from their owners. Even the basic HELO filtering, though, can visibly decrease spam loads and should be completely safe. It can be difficult to find a good compromise between safety and effectiveness, but I believe I’ve found a solid combination that should work in almost any situation. Don’t be afraid to test these ideas on your own and make them a part of your own anti-spam system!
Notes and resources
- Postfix Configuration — UCE Controls
- SPF: Sender Policy Framework
- Greylisting.org — a great weapon against spammers
- Postgrey — Postfix Greylisting Policy Server
- AMaViS — A Mail Virus Scanner
- The Apache SpamAssassin Project
- Clam AntiVirus
Copyright information
This article is made available under the “Attribution-Sharealike” Creative Commons License 2.5 available from http://creativecommons.org/licenses/by-sa/2.5/.
Reprint information
This article was originally published in Free Software Magazine. I’m reposting it here for backup purposes.