Showing posts with label howto. Show all posts

Saturday, March 28, 2009

Restrict incoming and outgoing mail on #exim4 with #ldap

When I first had to set up an email server with Exim4, it took me some time to figure out how to restrict incoming and outgoing mail, so that some accounts were allowed to send mail outside the domain, others could receive mail from the outside world, and most could do both.

This turned out to be very useful. I did it with two lists of addresses, allowed_out and allowed_in. The next step was to keep those lists in the LDAP database. Setting up the lists wasn't hard; finding the right router settings was a lot harder, but I got there in the end.

First you'll have to make an LDAP entry containing all the users allowed to send mail outside your domain. For now the objectClass is inetOrgPerson with one mail value per allowed address; a cleaner model would be something like posixGroup in combination with the memberUid attribute. (I'll change this later.)

dn: cn=allowed_out,dc=example,dc=com
cn: allowed_out
objectClass: inetOrgPerson
objectClass: top
o: EXAMPLE
sn: Allowed out
mail: cow@example.com
mail: horse@example.com

Now you'll have to make a router for your Exim4 config, for instance /etc/exim4/conf.d/router/081_local-config_check_out (any filename you like in that directory, but keep the number low: update-exim4.conf concatenates the files in name order, and this router has to come before Debian's dnslookup router, which would otherwise send the message on its way).

check_outgoing:
  driver = redirect
  # don't check mail for our own domains
  domains = ! +local_domains
  # skip bounces: an empty list item matches the empty sender, and "!" negates it
  senders = ! :
  # fire only when the envelope sender is not in the LDAP list allowed_out.
  # ldapm separates the values of one attribute with commas (and entries with
  # newlines); sg turns that into an Exim colon list and match_address tests the
  # sender against it. A lookup that does not succeed gives an empty list, so an
  # LDAP outage blocks everybody rather than nobody.
  condition = ${if match_address{$sender_address}{${sg {${lookup ldapm {ldap://127.0.0.1/cn=allowed_out,dc=example,dc=com?mail?sub?}}}{[\\s,]+}{:}}}{no}{yes}}
  # let the :fail: in data reject the message
  allow_fail
  # and give the sender this message
  data = :fail: You are not allowed to send mail outside this domain. example.com

You can do the exact same thing for incoming mail.

dn: cn=allowed_in,dc=example,dc=com
cn: allowed_in
objectClass: inetOrgPerson
objectClass: top
o: EXAMPLE
sn: Allowed in
mail: cat@example.com
mail: horse@example.com

This time you'll have to add a statement to the acl_check_rcpt ACL in /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt. It has to sit inside that ACL (below the acl_check_rcpt: line) and before the accept statements for local recipients, because ACL statements are tried in order and the first accept ends the check.

# deny mail from outside for addresses that are not in the LDAP list allowed_in
deny
  # skip the check for our own hosts; add "!authenticated = *" as well if your
  # users submit mail with SMTP AUTH from addresses outside relay_from_hosts
  !hosts = +relay_from_hosts
  # ldapm separates values with commas (and entries with newlines); sg turns that
  # into a colon list, and the "!" makes the condition true when the recipient is
  # NOT on it (a lookup that does not succeed gives an empty list: nobody matches)
  !recipients = ${sg {${lookup ldapm {ldap://127.0.0.1/cn=allowed_in,dc=example,dc=com?mail?sub?}}}{[\\s,]+}{:}}
  message = This address is not allowed to receive mail from outside its own domain. example.com

That's all; now don't forget to update your Exim4 config and restart the service. Then test both checks before relying on them: exim4 -bt with -f set to a sender that is not on allowed_out should report an outside address as undeliverable with the message above, while a listed sender routes normally. Bear in mind that both checks look at envelope addresses, which anyone submitting mail can choose freely, so the outgoing restriction only means something for users who reach Exim through authenticated submission or from hosts you control.

update-exim4.conf
/etc/init.d/exim4 restart
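Here is the same logic as a small Python model, added here as an example; it is not Exim code and not part of the original post. It reads the two LDAP entries from a constructed LDIF string in place of a directory, rebuilds the colon list the way the sg expansion does, and applies the router and ACL decisions, including the bounce, relay-host and LDAP-down cases. The relay_from_hosts value is an assumption.

```python
"""Offline model of the two Exim checks above: the check_outgoing router and the
deny statement in acl_check_rcpt.

Added example, not Exim code and not part of the original post. The LDIF below
is a constructed stand-in for the two LDAP entries, and RELAY_FROM_HOSTS is an
assumed value for Debian's +relay_from_hosts list.
"""
import ipaddress
import re

LDIF = """\
dn: cn=allowed_out,dc=example,dc=com
cn: allowed_out
mail: cow@example.com
mail: horse@example.com

dn: cn=allowed_in,dc=example,dc=com
cn: allowed_in
mail: cat@example.com
mail: horse@example.com
"""

LOCAL_DOMAINS = {"example.com"}                      # Debian's +local_domains
RELAY_FROM_HOSTS = ["127.0.0.1", "192.168.1.0/24"]  # assumed +relay_from_hosts


def ldif_mail_values(ldif, cn):
    """The mail values of the entry with this cn: what the ldapm ?mail? lookup returns.
    An entry that does not exist gives [] (the Exim lookup fails, the list is empty)."""
    for block in ldif.strip().split("\n\n"):
        attrs = [tuple(line.split(": ", 1)) for line in block.splitlines() if ": " in line]
        if ("cn", cn) in attrs:
            return [value for key, value in attrs if key == "mail"]
    return []


def exim_list(values):
    """The colon list that ${sg{...}{[\\s,]+}{:}} builds from ldapm's output
    (ldapm joins the values of one attribute with commas, entries with newlines)."""
    ldapm_output = ",".join(values)
    return ":".join(item for item in re.split(r"[\s,]+", ldapm_output) if item)


def in_address_list(address, colon_list):
    """Exim address-list match for complete addresses (case-insensitive)."""
    return address.lower() in {item.lower() for item in colon_list.split(":") if item}


def host_in(client_ip, host_list):
    """Exim host-list match for IP addresses and CIDR ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(item, strict=False) for item in host_list)


def outgoing_allowed(sender, recipient, allowed_out):
    """check_outgoing: may this envelope sender send to this recipient?"""
    if recipient.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
        return True                       # domains = ! +local_domains: router not used
    if sender == "":
        return True                       # senders = ! : bounces are never blocked
    return in_address_list(sender, allowed_out)   # condition = ${if match_address...}


def incoming_allowed(recipient, client_ip, allowed_in, authenticated=False):
    """The deny statement: may this recipient get mail from this client host?"""
    if host_in(client_ip, RELAY_FROM_HOSTS) or authenticated:
        return True                       # !hosts = +relay_from_hosts (/ !authenticated = *)
    return in_address_list(recipient, allowed_in)  # !recipients = <list> denies the rest
```

The last assertion in the checks below is the one worth keeping in mind: an empty list (LDAP unreachable, entry missing) lets nobody through, which is the safe direction, but it also means an LDAP outage stops outgoing mail until someone looks at the logs.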



Thursday, March 19, 2009

Virtualisation: firewall and webserver on ESXi

In this article I'll explain how to put a firewall (IPCop), a webserver (Apache) and, if you like, a small PDC (Primary Domain Controller) on one server. We will use VMware ESXi for the virtualisation. It's free, but you will need to register.

Before you start downloading, make sure your hardware is recognised by ESXi. Or you could just download it and test the ISO image, as I did.

I used an HP ProLiant DL120 G5. It is not mentioned in the hardware list as being compatible with ESXi, but I tried anyway and succeeded. There are some things you need to know though:

- any ESXi installation needs more than 1 GB of RAM (less just won't do, as I found out the hard way); go for 4 GB
- on the HP ProLiant you can't use SATA RAID (it is actually a software RAID and ESXi has no drivers for it), so you'll have to disable it in the BIOS
- you'll also have to put SATA in native mode
- for this setup you'll need at least 2 NICs

Installing ESXi is no more than downloading the ISO, burning it to a CD and booting your server from that CD. Once it is installed you can do a minimal configuration on the console.



You'll need to set a root password, the host name, domain name, IP address (pick the right NIC: if you connect only one NIC with a cable, you can see which one to pick), subnet mask, gateway and DNS. When you're done, you should be able to browse to the server's IP address: http://ip-address-server. Your browser will warn about the certificate, because ESXi generates a self-signed one at installation; that is expected, but note its fingerprint when you accept it, so that a changed certificate later on (which could mean someone is sitting between you and the host) gets noticed instead of clicked away. The page you'll see has a link for downloading the VMware Infrastructure Client. Download and install it.



Once that's done, you can run the client and log in to your ESXi host. Your host is now set up and ready to be configured. The first thing to do is configure the network cards, because we will have some real NICs and some virtual ones.

Before we continue I should explain a bit about IPCop, the firewall we will use.

IPCop Firewall is a Linux firewall distribution geared towards home and SOHO (Small Office/Home Office) users. The IPCop interface is very user-friendly and task-based. IPCop offers the critical functionality of an expensive network appliance using stock, or even obsolete, hardware and open-source software. This is what you'll find in IPCop:

Luckily it doesn't need much of a computer to run: a 386 processor, 32 MB of RAM and 300 MB of disk. Very nice. For a firewall we need at least one network interface for the connection with the internet and one for the connection with our own network. Running a webserver means we want a third one, IPCop's ORANGE (DMZ) interface, so that a compromised webserver cannot reach the internal network directly. And here is the beauty of ESXi: for that third one we will use a virtual NIC.

So, in short, this is our setup (follow this link for more info on IPCop's NIC setup):

GREEN + ORANGE + RED (IPCop interface setup)
VMNIC0 + VSWITCH2 + VMNIC1 (ESXi setup)

I'll explain a bit more about the virtual NICs and virtual switches you'll have to set up. In your client console, go to Configuration > Networking. You'll see that a virtual switch is already present and connected to a NIC. Open the properties of this virtual switch, add a virtual NIC and call it GREEN. Next, add a new virtual switch, connect it to the other free real NIC and call this one RED.

For our webserver we will use a virtual NIC and a virtual switch that is connected to a virtual NIC (ORANGE) on our firewall, so we won't need a real NIC for it. When you're finished adding your NICs and switches, you can start adding virtual machines. A custom machine of type "other 32-bit Linux system" with 256 MB of RAM, 1 CPU and about 500 MB of disk space will do fine. Add 3 virtual NICs (GREEN + ORANGE + RED) and you're ready to install IPCop. Download the IPCop ISO image; you don't have to burn a CD, you can attach the ISO as a CD with your client. Reboot your virtual machine (CTRL+ALT+Insert when you're in console mode) and follow IPCop's installation guide.

Now you can add a new virtual machine and install a webserver on it. You only have to add a new virtual NIC on the same switch as your IPCop's ORANGE virtual NIC. And if you want, you can even add another virtual machine as a PDC; just add a new virtual NIC on the same switch as your IPCop's GREEN virtual NIC. Keep the two apart: anything on the ORANGE switch sits in the DMZ and is reachable from the internet under IPCop's ORANGE rules, while the GREEN switch is your trusted side, so don't put a machine on both.



Thursday, December 18, 2008

Mounting a cellphone through bluetooth on the EeePC

Before you start following this blog entry, make sure Bluetooth is working and your computer is all set for pairing your device. This time I will explain how you can mount your cellphone and browse it as if it were an internal disk. But before we start, you must know that browsing over Bluetooth isn't the fastest way. Make sure your file browser only shows lists and doesn't show icons; this might speed things up. Or you could use a non-graphical file browser like Midnight Commander, or, if you want a GUI without the icons, you could try Krusader.

Time to do some mounting. We need several packages to be able to mount a cellphone. We will be using the OBEX file system, so you'll have to make sure your phone is capable of OBEX. It's not that hard to find out whether your phone can handle OBEX or not:

sdptool search --bdaddr AA:BB:CC:DD:EE:FF 0x1002

Replace the MAC address with the one of your phone. You will see a lot of services. You'll have to find the channel number of the "OBEX File Transfer" service (the Channel: line under RFCOMM in that record).

Now check whether you have fuse-utils, libopenobex1 and obexfs installed. On the EeePC with Xandros you'll have to download the obex packages, because they are not in the repositories, and install them manually. dpkg -i does no signature checking of its own, so fetch them from a Debian mirror you trust:
wget http://ftp.nl.debian.org/debian/pool/main/libo/libopenobex/libopenobex1_1.3-3_i386.deb
wget http://ftp.nl.debian.org/debian/pool/main/o/obexfs/obexfs_0.10-3+b2_i386.deb

sudo dpkg -i libopenobex1_1.3-3_i386.deb
sudo dpkg -i obexfs_0.10-3+b2_i386.deb

Let's mount the phone for the first time. We will have to pair the EeePC and the phone, and for that we need the passkey-agent. Replace the PIN with the one you have put in the givepin script, and fill in the MAC address and the channel number (the x in -Bx). The phone will ask you for a PIN.

mkdir /home/user/phone
./passkey-agent --default 1234 &
obexfs -b AA:BB:CC:DD:EE:FF -Bx /home/user/phone
ls /home/user/phone
fusermount -u /home/user/phone

Remember, Bluetooth is slow, so give it time while browsing the device. The next time you mount, you won't need to run the passkey-agent again (pairing has been done). Trying to put this into /etc/fstab doesn't work. There is some bug in obexfs that makes unmounting as a user keep failing, but you could make a script that checks whether the phone has been mounted or not and then does the opposite.
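The toggle script suggested above, as an added Python example that is not part of the original post: it parses the RFCOMM channel of the "OBEX File Transfer" record out of sdptool's output, checks /proc/mounts to see whether the mount point is in use, and runs either obexfs or fusermount -u. The sdptool output and the /proc/mounts lines inside the block are constructed samples; pairing is assumed to have been done already.

```python
"""Toggle-mount a phone over OBEX: mount it if it is not mounted, unmount it if it is.

Added example, not part of the original post. SAMPLE_SDP_OUTPUT and
SAMPLE_MOUNTS are constructed samples of what sdptool and /proc/mounts print,
used so the parsing can be checked without a phone nearby.
"""
import re
import subprocess
import sys

OBEX_FTP_UUID = "0x1106"  # service class of "OBEX File Transfer" in sdptool output

# Constructed sample: a phone offering Object Push (channel 9) and File Transfer (channel 7)
SAMPLE_SDP_OUTPUT = """\
Searching for 0x1002 on AA:BB:CC:DD:EE:FF ...
Service Name: OBEX Object Push
Service RecHandle: 0x10003
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)

Service Name: OBEX File Transfer
Service RecHandle: 0x10004
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 7
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX File Transfer" (0x1106)
    Version: 0x0100
"""

# Constructed sample of /proc/mounts; a space in a path shows up as the octal escape \040
SAMPLE_MOUNTS = """\
/dev/sda1 / ext2 rw 0 0
obexfs /home/user/phone fuse.obexfs rw,nosuid,nodev,user=user 0 0
obexfs /home/user/my\\040phone fuse.obexfs rw,nosuid,nodev,user=user 0 0
"""


def obex_ftp_channel(sdp_output):
    """RFCOMM channel of the OBEX File Transfer record, or None if the phone has none.

    sdptool prints one record per block, blocks separated by a blank line; the
    Channel: line follows the "RFCOMM" protocol entry inside the record.
    """
    for record in sdp_output.split("\n\n"):
        lines = [line.strip() for line in record.splitlines()]
        if not any(f"({OBEX_FTP_UUID})" in line for line in lines):
            continue
        for i, line in enumerate(lines):
            if line.startswith('"RFCOMM"') and i + 1 < len(lines) and lines[i + 1].startswith("Channel:"):
                return int(lines[i + 1].split(":", 1)[1])
    return None


def is_mounted(mountpoint, mounts_text):
    """True if mountpoint is the second field of a /proc/mounts line (octal escapes decoded)."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        path = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[1])
        if path == mountpoint:
            return True
    return False


def toggle_argv(bdaddr, channel, mountpoint, mounts_text):
    """The command to run next: obexfs when not mounted, fusermount -u when it is."""
    if is_mounted(mountpoint, mounts_text):
        return ["fusermount", "-u", mountpoint]
    return ["obexfs", "-b", bdaddr, "-B", str(channel), mountpoint]


def main(bdaddr, mountpoint):
    """Mount or unmount, whichever is the opposite of the current state."""
    with open("/proc/mounts") as f:
        mounts = f.read()
    channel = None
    if not is_mounted(mountpoint, mounts):
        sdp = subprocess.check_output(["sdptool", "search", "--bdaddr", bdaddr, "0x1002"], text=True)
        channel = obex_ftp_channel(sdp)
        if channel is None:
            sys.exit(f"{bdaddr}: no OBEX File Transfer service found")
    argv = toggle_argv(bdaddr, channel, mountpoint, mounts)
    print(" ".join(argv))
    return subprocess.call(argv)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

Run it as `python3 phonemount.py AA:BB:CC:DD:EE:FF /home/user/phone` (the file name is an assumption); running it twice mounts and then unmounts. Looking the channel up each time, instead of hard-coding the x from -Bx, means a phone that renumbers its services after a firmware update keeps working.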



Wednesday, December 17, 2008

Connecting bluetooth mouse, keyboard and other hid devices.

It isn't that hard to get a mouse, a keyboard and even some cellphones working as input devices over Bluetooth. These are all HID devices and work out of the box. As for your cellphone, you have to make sure it supports HID. You can check this easily, but make sure you use your phone's MAC address:

sdptool search --bdaddr AA:BB:CC:DD:EE:FF 0x1002

Before we can actually use HID, we have to make sure it has been turned on. So edit the file /etc/default/bluetooth and enable the HID daemon:
HIDD_ENABLED=1

Now you will have to restart Bluetooth:
/etc/init.d/bluetooth restart

Let's pair our device with our computer. This time we don't need the passkey, because HID devices don't use pairing, or the key has been set to "0000". If you do encounter problems, use the passkey-agent. Change the MAC address:
sudo hidd --connect AA:BB:CC:DD:EE:FF

That's all folks, and your device will even work after a reboot. Just switch it on and press a button to make the connection. If you need the passkey-agent, use the following commands. Don't forget to replace the PIN with the one you have put in givepin, and again change the MAC address:
./passkey-agent --default 1234 &
sudo hidd --connect AA:BB:CC:DD:EE:FF



Friday, December 12, 2008

Pairing bleutooth devices with the EeePC

In my last post I told you how to get BlueZ working. Having done that, we now want to connect devices like a mouse, a keyboard and even a cellphone. Make sure Bluetooth is working by using hcitool scan (you should see other devices, if they are discoverable).

So let's start with pairing devices and making them known to your computer. First, let's get the address of the device we will be pairing. Press the connect button on your keyboard, mouse or other device.

sudo hcitool scan

You should see the address and name of all the devices that are in discovery mode. You'll have to remember them. The tricky part about Bluetooth is the pairing between devices. The thing is, there is no pairing helper in Xandros on the EeePC, and that makes it almost impossible to pair. But there is a solution: someone compiled the passkey-agent for Xandros on the EeePC.

wget https://dl.getdropbox.com/u/19226/passkey-agent
chmod +x passkey-agent

You can put this application in whatever directory you like; just don't remove it. Be aware of what you are doing here, though: this is a binary from a personal file-sharing link, with no source and no checksum to compare against, that you will be running alongside commands executed with sudo. If you can, build passkey-agent from the BlueZ source yourself instead. Next we will need a small script that echoes the PIN. Don't forget to replace the PIN with one of your own.

#!/bin/sh
echo "PIN:1234"

Put the code above in a script called givepin and make it executable. Since the script holds the PIN in clear text, also take the read permission away from everybody but root (chmod 700 will do; hcid runs as root).

vim /etc/bluetooth/givepin
chmod +x /etc/bluetooth/givepin

We need to change some entries in /etc/bluetooth/hcid.conf (the configuration of the Bluetooth Host Controller Interface daemon). I'll paste my whole file here; the settings that matter are security, pairing and pin_helper in the options section and auth enable in the device section.
#
# HCI daemon configuration file.
#

# HCId options
options {
	# Automatically initialize new devices
	autoinit yes;

	# Security Manager mode
	#   none - Security manager disabled
	#   auto - Use local PIN for incoming connections
	#   user - Always ask user for a PIN
	#
	security auto;

	# Pairing mode
	#   none  - Pairing disabled
	#   multi - Allow pairing with already paired devices
	#   once  - Pair once and deny successive attempts
	pairing multi;

	# Default PIN code for incoming connections
	pin_helper /etc/bluetooth/givepin;
	# passkey "1234";
}

# Default settings for HCI devices
device {
	# Local device name
	#   %d - device id
	#   %h - host name
	name "%h-%d";

	# Local device class
	class 0x3e0100;

	# Default packet type
	#pkt_type DH1,DM1,HV1;

	# Inquiry and Page scan
	iscan enable; pscan enable;

	# Default link mode
	#   none   - no specific policy
	#   accept - always accept incoming connections
	#   master - become master on incoming connections,
	#            deny role switch on outgoing connections
	lm accept;
	discovto 0;

	# Default link policy
	#   none    - no specific policy
	#   rswitch - allow role switch
	#   hold    - allow hold mode
	#   sniff   - allow sniff mode
	#   park    - allow park mode
	lp rswitch,hold,sniff,park;

	auth enable;
}

Now you only have to restart the Bluetooth service and you can start pairing your devices. Two caveats with the file above: security auto together with pin_helper means hcid answers every incoming pairing request with the PIN from givepin without asking you, so change 1234 to something else; and discovto 0 with iscan enable keeps the EeePC permanently discoverable, which you will want to switch off once your own devices are paired.

/etc/init.d/dbus restart
/etc/init.d/bluetooth restart

So how do you pair? Well, the only way is by starting a service over Bluetooth. I will explain this in the next blog entries: how to connect a mouse, keyboard or other HID device, how to mount your phone, and how to set up a network with your phone (so you can use the phone to connect to the internet).



Monday, October 27, 2008

XMLTV no longer welcome in Belgium

It might look like a strange title, but I'll explain and you'll understand. Media center software like MythTV uses a script for grabbing its program guide. Most use XMLTV. In Belgium it uses the tv_grab_be script, which is made to use the site www.teveblad.be.

Until a few weeks ago there was no problem at all. But then suddenly it stopped grabbing the info. I quickly found out that teveblad had blocked the user agent xmltv. But there was a workaround: make teveblad believe the user agent isn't xmltv but IE.

This worked for a week or two. But then it stopped working again. I don't know why, but I started looking for another solution. Teveblad had added a little notice to the listings:

The usage of software to extract data from this website for personal use or for display on other websites (screen scraping) is prohibited

Now the developer of tv_grab_be has removed the teveblad part because of XMLTV's general policy, which only allows a grabber when the site allows that sort of screen scraping. So no more XMLTV in the Flemish part of Belgium.

So I really had to find another solution, because the EPG is an important part of MythTV. mc2xml seems to have that solution. This program does the trick. Downloading only takes about 15 seconds. Man, it really is fast.

All you need to do is run the program with your zip code; then you are asked which listings you want (I took the Telenet analogue cable listings). When you use mythfilldatabase, it even fills in the right frequencies. How nice is that.

This very noon I will change my cron jobs and start using mc2xml.

PS: yes, I'm now using the Microsoft Media Center service to keep my Linux MythTV going. Let's hope they don't start blocking.



Friday, April 25, 2008

Changing file names

I had about 700 pictures, which I used in 3 different documents. Just importing them would crash the computer, so I had to make them smaller. This can be done with a script (which you have to download) in The GIMP. Works very well.

The document is a reference for the original pictures, but in the document they don't appear in the same order as the pictures are numbered. So I had to rename the original pictures in the same order as the smaller ones appear in the document.

Renaming 700 pictures by hand would take a lot of time. I didn't find a batch script fast enough, but Google still gave me the solution: Windows XP can change multiple file names at once. The great thing is, it can auto-number too.

How do you get this done? Well, in Explorer you select a group of files. You change the file name of the first one, and all the others will get the same name with an increasing number.

What is the catch? Well, the numbers are between brackets. So you will have something like this:

image.jpg
image (1).jpg
image (2).jpg
...

If you want the first file to have a 1, then just put (1) in the name: IMG (1).jpg. Don't forget the space before the brackets. This way you can even start the numbering at any number you like:

IMG (151).jpg
IMG (152).jpg
...
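The same numbering done from a script, as an added example that is not part of the original post (it is not Explorer's feature, just a Python version of it): it builds "PREFIX (n).ext" names from any starting number, orders existing numbered names naturally so that IMG (2).jpg comes before IMG (10).jpg, and renames in two passes so that no existing file is ever overwritten. The file pattern and the prefix are assumptions.

```python
"""Numbered renaming in the Explorer style, from a script.

Added example, not part of the original post. rename_numbered() works on a real
directory; numbered_names() and natural_key() are the pure parts and can be
checked on constructed name lists.
"""
import os
import re


def numbered_names(filenames, prefix, start=1):
    """Pair each name, in the given order, with 'PREFIX (n).ext', n counting up from start."""
    plan = []
    for offset, name in enumerate(filenames):
        ext = os.path.splitext(name)[1]
        plan.append((name, f"{prefix} ({start + offset}){ext}"))
    return plan


def natural_key(name):
    """Sort key that orders 'IMG (2).jpg' before 'IMG (10).jpg' (digits compared as numbers)."""
    return [int(part) if part.isdigit() else part.lower() for part in re.split(r"(\d+)", name)]


def rename_numbered(directory, prefix, start=1, pattern=r".*\.jpe?g$"):
    """Rename every file matching pattern in directory; returns the (old, new) pairs applied.

    Refuses to run if a target name belongs to a file that is not itself being
    renamed, and goes through temporary names so that a target equal to another
    file's current name (re-numbering an already numbered set) is safe.
    """
    names = sorted((n for n in os.listdir(directory) if re.match(pattern, n, re.I)),
                   key=natural_key)
    plan = numbered_names(names, prefix, start)
    clash = [new for _, new in plan
             if new not in names and os.path.exists(os.path.join(directory, new))]
    if clash:
        raise FileExistsError(f"would overwrite files not part of the set: {clash}")
    # pass 1: move everything aside
    temp = {}
    for i, (old, _) in enumerate(plan):
        aside = os.path.join(directory, f".rename-tmp-{i}")
        os.rename(os.path.join(directory, old), aside)
        temp[old] = aside
    # pass 2: give each file its final name
    for old, new in plan:
        os.rename(temp[old], os.path.join(directory, new))
    return plan
```

Called as `rename_numbered("/path/to/pictures", "IMG", 151)` it produces IMG (151).jpg, IMG (152).jpg and so on in natural order of the current names; pass a different pattern to pick other file types.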



Wednesday, February 6, 2008

Trying to set the locale to Dutch on an Eee PC



As you can see, some things are in Dutch now, but most stay in English. What I did was:

Open a terminal: CTRL+ALT+T

sudo dpkg-reconfigure locales

I picked nl_BE.UTF-8 and made it the default.

This changes some things, but not all. This is because the programs only have French and English locale packages. When you check http://update.eeepc.asus.com/p701/ and dig into, say, nl, you will find the packages are empty. So no Dutch locale packages yet.



Second impression

The Eee PC has been mine for one day. I used it for Pidgin (IM), Firefox (browsing) and Amarok (music). At this moment I don't feel the need to change the OS. Xandros does what it has to do for those applications.

But, as I ordered a French Eee PC, I did feel the need to change the language. I made it English. Dutch isn't included, so that's not an option, but hey, English is fine by me.

Press CTRL+ALT+T wherever you want, so it opens a console. In the console you type:

/opt/xandros/bin/locale_dialog

This will open a dialog where you can make your choice. After that you probably have to reboot.

There is an excellent wiki where you can find everything about the Eee PC, even how to install Ubuntu and Eeebuntu. Go check it out: http://wiki.eeeuser.com/

As you can see, there is a small tag on one of the screws on the back panel



No mini-PCIe included, but you can upgrade the memory. Notice the sticker on the memory ;-)



Have fun.



Friday, January 25, 2008

Webshare with webdav

Some time ago a guy asked me for my howto on WebDAV. Because blicbox.be was offline, I posted a link to my Google Docs: http://docs.google.com/Doc?id=dc8xcg7f_20gqff5z

This time it is the howto as far as I had finished it. Yes, it is in Dutch; maybe someday it will be in English.

Have fun. By the way, the old blicbox site is back online, until the new one is stable.



Friday, December 14, 2007

Debian etch on FLASH (USB sticks or CF) HOWTO FINAL

The howto is finished. There may still be some cosmetic mistakes in it, but it is ready for use. You can find it here: De installatie van Debian Etch op FLASH geheugen (Installing Debian Etch on FLASH memory). Have fun with your USB-stick Debians and your CF Debians.

The next howto will be the MythTV one, since interest in it has apparently grown a lot. The plan is to finish it during the Christmas holidays and also to start on a number of tutorials about it.



Thursday, December 6, 2007

Debian etch on FLASH (USB sticks or CF) HOWTO part II

I am halfway through the howto (link in the previous post). It is not usable in any way yet, but I am making good progress. If all goes well, I will be done with it in 1 to 2 days.

I still have to find out how you set the local time in Debian, so that I can include it in the howto. But this is only a small thing, and I will probably afterwards in the howto



Debian etch on FLASH (USB sticks or CF) HOWTO

While waiting for the new site, where the howtos will be approached in a completely different way, I have started writing this howto on our current site.

For those waiting impatiently (I wonder how many), here is the link to the howto: De installatie van Debian Etch op FLASH geheugen (Installing Debian Etch on FLASH memory)

I am doing my best to have it finished as soon as possible. For the people still waiting for the WebDAV howto: it is already usable, but not yet finished. You will find it with the other howtos on blicbox.

Apparently there are also a number of people who would like me to keep working on the MythTV howto (while I always thought it was already quite usable). They will have to wait a bit, until after Christmas.



Wednesday, November 28, 2007

Debian on Flash part FINAL

Good news, again. The system now runs from a 4 GB compact flash card, 2 GB of which is for Debian and 2 GB for storage. The GNOME desktop is installed and I am typing this blog post from that system.

When I tried to install gnome-desktop on the previous installation, it went wrong, for the simple reason that the PC does not have enough memory. Debian on FLASH runs from RAM, and you can only download as many MB as you have working memory.

A fresh installation, in which I installed everything right away before putting the image on the FLASH, solved this problem.

Mission accomplished, now just the howto ;-)



Tuesday, November 13, 2007

Blogspot added

It worked: my blog has been added, and I also switched off that "powered by" right away. Now I can blog smoothly again.

For those following the Debian on FLASH-DISK story: I have been working on it, but I was stuck for a whole day on something as silly as the keyboard. I just could not get it set to Belgian, and after a very long search it turned out that I had "forgotten" to install the kbd package. STUPID STUPID STUPID, but in the meantime I had tried a whole lot of other things, and now I actually have to redo the whole installation, to end up with a clean Debian installation this time.

I am not writing the Debian on FLASH-DISK howto on blicbox but in Google Docs. This is with the new site in mind, but more about that later. If the howto is finished and the new site is still not ready, I will certainly post it on the existing site.

