Roy's Blog

A Hacker's musings on Code | Tech | Life

In my continuing efforts to entirely self host, fighting spam is hard. I originally configured SpamAssassin on my mail server quite a few years ago, and to be fair it has done its job. But recently, more spam has been creeping through and my ever growing stack of addons (such as policyd-spf, OpenDKIM, OpenDMARC and others) to SA was eating quite a lot of memory on my poor server.

So I shopped around and found Rspamd. For my needs it sounded wonderful - no more need for MySQL (it's a hard dependency of OpenDMARC) as I much prefer PostgreSQL. SPF, DKIM and DMARC all integrated. Written in C and Lua which is a massive improvement over Perl and Python. Also sports a shiny Web UI to monitor the server and do basic config. Speaking of config, it's still not entirely easy, but it's much easier than configuring the stack I used to have! I did have to patch the build so that it works with OpenSSL-1.1 which is now in pkgsrc. All in all, I anticipated a nice memory reduction once I had it all configured. So far it's using about 200Mb less memory, but it's early days. How much better or worse than SA it is at actual spam filtering remains to be seen, but I have high hopes.

While here, I also replaced procmail with PigeonHole. I didn't really need to do this, but I thought "As I'm here.....". Actually the end result is much nicer as I now only have one Spam folder instead of another two Spam folders for training ham and spam. I just need to hook this final part into how I manage spam on my mlmmj email lists.


OK, it's not really in the news, but today I got a message of appreciation for what openresolv does.

Thanks for openresolv. If only the whole world used it... 

Rome wasn't built in a day. But it's getting there - openresolv can be found in NetBSD and FreeBSD base systems. It's available in most other OS's package repositories to at least depend upon.

Thanks


[ERROR] Can't open and lock privilege tables: Got error 9 from storage engine

Nice error. Googling for it doesn't reveal much on how to fix it. The good news is that I only use MySQL for Phabricator and PostgreSQL for everything else. The bad news is that my Phabricator instance is no longer working. The worse news is that I get the same error when trying to use backups, so there must be something else in play here.

Ideas on how to resolve this are welcome!


I'm desperately trying to retire a server I have. Its sole remaining task is to share the attached printer on the network via Samba. It uses CUPS as the backend. Trying to print a test page gives No such file or directory. That's nice, but it should at least say what the file or directory it cannot find actually is.

Trying to connect to the printer from a Windows machine (I can see the printer fine in the server share) gives an error that it cannot connect, but nothing appears in the Samba or CUPS logs.

This is 2017, surely we have better diagnostics to solve these issues!


So dhcpcd has supported a shared IP address for a long time. It did this by removing the address from the non-preferred interface and then adding it to the preferred interface.
Easy!

But this came with some issues:

  • There is a window where the IP address doesn't exist, and the kernel may wipe out the subnet route at that point also.
  • DHCP renews didn't come through to the right interface.
  • Some kernels didn't like the address moving interfaces.

Still, to the best of my knowledge, no other product has this feature and for the most part, it did work well allowing almost seamless switching of wired -> wireless and back again with both using the same IP address. But that wasn't good enough - I was challenged to do better!

So I took up the bat and cooked up this changeset to change the behaviour to this:

  • Each applicable interface will have the shared IP address.
  • Whenever the address is added, the most preferred address will be ARP announced.

And lo - IT WORKS!!! The changeover when plugging/removing the wired interface is 100% seamless for me. ssh, ping, etc get zero interruption. Of course, YMMV ;)
But there are some costs:

  • Thanks to ARP, only the primary interface will receive DHCP unicast messages for other interfaces.
    As such we need to re-direct them to the correct interface by examining xid and chaddr.
    This means we have to relax the BPF filters to allow more through.
  • Kernels supporting RFC5227 will double ARP announce the address.
  • NetBSD-8 kernels needed some love to get it to work and there's still an issue with it not working when an address is deleted from the interface.

Only the last bullet is really important, which is mainly why the changeset hasn't hit the master branch yet. But that should be fixed soon. The other points can be fixed as and when.
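
The redirect described in the first bullet above, sketched as an added example (this is not dhcpcd's code): a reply received on the primary interface is matched to its owning interface by the xid and chaddr fields of the fixed BOOTP header. The `ifstate` struct, `dhcp_route_reply`, `demo_route` and the sample xid and MAC values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed BOOTP header layout (RFC 2131 section 2). */
enum { OFF_OP = 0, OFF_HLEN = 2, OFF_XID = 4, OFF_CHADDR = 28,
       CHADDR_LEN = 16, BOOTP_MIN = 236, BOOTREPLY = 2 };

/* Hypothetical per-interface state (not dhcpcd's own structures): the xid of
 * the outstanding request and the hardware address sent as chaddr. */
struct ifstate { uint32_t xid; uint8_t hwlen; uint8_t hwaddr[CHADDR_LEN]; };

/* Constructed sample: index 0 = wired, index 1 = wireless, sharing one IP. */
static const struct ifstate sample_ifs[] = {
    { 0x1a2b3c4dU, 6, { 0x02, 0, 0, 0, 0, 0x01 } },
    { 0x5e6f7081U, 6, { 0x02, 0, 0, 0, 0, 0x02 } },
};

/* Return the interface that owns this reply, or NULL to drop it. Both xid and
 * chaddr must match, since the relaxed BPF filter lets more traffic through. */
const struct ifstate *dhcp_route_reply(const uint8_t *p, size_t len,
                                       const struct ifstate *ifs, size_t n)
{
    if (len < BOOTP_MIN || p[OFF_OP] != BOOTREPLY ||
        p[OFF_HLEN] == 0 || p[OFF_HLEN] > CHADDR_LEN)
        return NULL;    /* truncated, not a reply, or bogus on-wire hlen */
    uint32_t xid = (uint32_t)p[OFF_XID] << 24 | (uint32_t)p[OFF_XID + 1] << 16 |
                   (uint32_t)p[OFF_XID + 2] << 8 | p[OFF_XID + 3];
    for (size_t i = 0; i < n; i++)
        if (ifs[i].xid == xid && ifs[i].hwlen == p[OFF_HLEN] &&
            memcmp(ifs[i].hwaddr, p + OFF_CHADDR, p[OFF_HLEN]) == 0)
            return &ifs[i];
    return NULL;
}

/* Build a constructed BOOTREPLY; return the index it routes to, or -1. */
int demo_route(uint32_t xid, uint8_t mac_last, size_t len)
{
    uint8_t pkt[BOOTP_MIN] = { 0 };
    pkt[OFF_OP] = BOOTREPLY;
    pkt[OFF_HLEN] = 6;
    for (int i = 0; i < 4; i++)
        pkt[OFF_XID + i] = (uint8_t)(xid >> (24 - 8 * i));
    pkt[OFF_CHADDR] = 0x02;
    pkt[OFF_CHADDR + 5] = mac_last;
    const struct ifstate *m = dhcp_route_reply(pkt, len, sample_ifs, 2);
    return m ? (int)(m - sample_ifs) : -1;
}

int main(void) { return demo_route(0x5e6f7081U, 0x02, BOOTP_MIN) == 1 ? 0 : 1; }
```

A reply carrying one interface's xid but another's chaddr is dropped rather than delivered to either, which keeps the wider filter from turning into cross-interface state confusion.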
