Archive for the ‘Blog’ Category

Thunderbird MIME mixup

May 19th, 2009

Today I decided it was time to introduce my iPhone to the campus wireless network, instead of using the slow GPRS network of my carrier. I'm still a happy user of the first-generation iPhone, so I'm stuck with GPRS, and that's why I like Wi-Fi.

So I downloaded the ready-made VU-iphone.mobileconfig file to my workstation and fired up my favourite MUA, which happens to be Mozilla Thunderbird, to mail the configuration as an attachment, just as the online manual described. But as soon as I opened the mail app on the phone, the message looked like normal text and there was no attachment to open. I decided to use Mutt as an alternative and repeated the steps described above. This time the attachment showed up as it should, so I was able to import the wireless configuration and finish the wireless setup.

Now I'm happily connected over wireless, but still curious why the attachment sent by Thunderbird did not show up correctly in the mobile mail app. So I compared both mail clients' MIME behaviour, and it appears that Thunderbird is not behaving correctly according to RFC 2183. As you can see, it uses the Content-Disposition type 'inline' instead of the correct 'attachment' type.

I have stripped the irrelevant header and body information from both messages.

Thunderbird:

User-Agent: Thunderbird 2.0.0.21 (X11/20090320)
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="------------070008030904000701030203"

This is a multi-part message in MIME format.
--------------070008030904000701030203
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

--------------070008030904000701030203
Content-Type: text/xml;
 name="VU-iphone.mobileconfig"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="VU-iphone.mobileconfig"

Mutt:

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="WIyZ46R2i8wDzkSu"
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)

--WIyZ46R2i8wDzkSu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

--WIyZ46R2i8wDzkSu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="VU-iphone.mobileconfig"

This looks like a bug.
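To make the difference testable, here is an added example in Python's standard email library; it is not from the original post and not Thunderbird or Mutt code. It walks a message and reports each part's Content-Disposition type, rewrites a named inline part to attachment (the repair you would apply in a sending-side filter when the MUA cannot be changed), and composes a message the way Mutt did, with the profile as a real attachment. The sample message is constructed after the stripped Thunderbird headers above; the addresses and the application/x-apple-aspen-config type chosen for the profile part are this example's own assumptions.

```python
import email.policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample modelled on the stripped Thunderbird headers above:
# the profile is its own MIME part but carries "Content-Disposition: inline".
INLINE_SAMPLE = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Wireless profile attached.
--BOUNDARY
Content-Type: text/xml; name="VU-iphone.mobileconfig"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="VU-iphone.mobileconfig"

<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict/></plist>
--BOUNDARY--
"""


def part_dispositions(raw):
    """Return (filename, disposition type) for every leaf part of a raw message.

    The disposition type is what a receiving client keys on when deciding
    whether to render a part in the body or offer it as a file."""
    msg = BytesParser(policy=email.policy.default).parsebytes(raw)
    found = []
    for part in msg.walk():
        if part.is_multipart():  # containers carry no payload of their own
            continue
        found.append((part.get_filename(), part.get_content_disposition()))
    return found


def force_attachment(raw):
    """Rewrite every named part that is marked inline so it is marked attachment."""
    msg = BytesParser(policy=email.policy.default).parsebytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename and part.get_content_disposition() == "inline":
            del part["Content-Disposition"]
            part["Content-Disposition"] = "attachment"
            # set_param quotes the filename properly instead of string-pasting it
            part.set_param("filename", filename, header="Content-Disposition")
    return msg.as_bytes()


def build_profile_mail(profile, filename):
    """Compose the message the Mutt way: the profile as a real attachment.

    EmailMessage.add_attachment() emits Content-Disposition: attachment and
    quotes the filename. Addresses are placeholders (assumption)."""
    msg = EmailMessage()
    msg["From"] = "me@example.org"
    msg["To"] = "me@example.org"
    msg["Subject"] = "Wireless profile"
    msg.set_content("Wireless profile attached.")
    # application/x-apple-aspen-config is the type chosen here for a .mobileconfig
    msg.add_attachment(profile, maintype="application",
                       subtype="x-apple-aspen-config", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print("as sent by Thunderbird:", part_dispositions(INLINE_SAMPLE))
    print("after rewrite:         ", part_dispositions(force_attachment(INLINE_SAMPLE)))
    print("composed the Mutt way: ", part_dispositions(
        build_profile_mail(b"<plist/>", "VU-iphone.mobileconfig")))
```

Run it against a saved .eml from each client (`part_dispositions(open("msg.eml", "rb").read())`) to confirm which disposition type the client actually emitted before blaming the receiving side.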


877W wireless config

May 13th, 2009

As mentioned earlier, here is the wireless configuration of the Cisco 877W router, now that I have it working the way I like. In this setup the commonly used IRB bridge option is not used; the wireless VLAN is routed on a Dot11Radio0 subinterface and NATed out through Dialer0 instead. This configuration will also work on the 857W model.

!
dot11 ssid <your ssid>
   vlan 2
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0 <your password>
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool wireless
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server <dns server> <dns server>
!        
interface Dot11Radio0
 no ip address
 !
 encryption vlan 2 mode ciphers tkip
 !
 ssid <your ssid>
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel least-congested 2412 2442 2462
 station-role root
 no cdp enable
!        
interface Dot11Radio0.1
 description WLAN vlan2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!        
interface Vlan2
 no ip address
!

On the (outside) Dialer0 interface I had to add the following line to enable NAT:

ip nat outside

Finally, you need the following ip nat and access-list lines; list 103 selects the WLAN subnet for translation:

ip nat inside source list 103 interface Dialer0 overload
access-list 103 remark Traffic allowed to enter the router from the WLAN
access-list 103 permit 192.168.2.0 0.0.0.255
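One thing to change before relying on this: the SSID above negotiates WPA (version 1) with TKIP, the RC4-based cipher WPA introduced as a stop-gap for WEP-era hardware; both have been superseded by WPA2 with AES-CCMP. The two lines that differ are shown below as an added edit, not part of the original post; everything else in the configuration stays as it is (check that the radio and every client you care about support WPA2 before switching):

```text
! before (as posted): WPA version 1 with the TKIP cipher
dot11 ssid <your ssid>
   authentication key-management wpa
!
interface Dot11Radio0
 encryption vlan 2 mode ciphers tkip
!
! after: WPA2 with AES-CCMP on the same VLAN
dot11 ssid <your ssid>
   authentication key-management wpa version 2
!
interface Dot11Radio0
 encryption vlan 2 mode ciphers aes-ccm
!
```

After the change, `show dot11 associations` still lists the client; `show dot11 associations all-client` additionally shows the negotiated key management and cipher, which is the quick way to confirm that the station really came up with WPA2/AES rather than falling back.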

You can use the show dot11 and debug dot11 commands to troubleshoot. For example, the following output displays an associated device:

router#show dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID [<your ssid>] :

MAC Address    IP address      Device        Name            Parent         State    
xxxx.xxxx.xxxx 192.168.2.2     unknown       -               self           Assoc    

router#

Enjoy being wireless!


Limit Wordpress archives

May 8th, 2009

Since switching to a new theme I needed to rearrange the way the sidebar looks. The list of archives was just too long (20 months, I think, is the default) to be aesthetically correct. So I looked for a limit setting in the admin interface of WordPress, but could not find a way to change it; I probably overlooked it. Browsing through the PHP scripts I found the file responsible for the way the archives section behaves.

I use WordPress version 2.5.1 from the Debian lenny repository.

Edit the following file:

wordpress/wp-includes# vi general-template.php

And look for the following function:

# cat -n general-template.php
<…>
   356  function wp_get_archives($args = '') {
   357          global $wpdb, $wp_locale;
   358
   359          $defaults = array(
   360                  'type' => 'monthly', 'limit' => '10',
   361                  'format' => 'html', 'before' => '',
   362                  'after' => '', 'show_post_count' => false
   363          );
   364
<…>
#

Change the options you wish; I lowered the limit to 10 months. Keep in mind that a file under wp-includes is replaced by the next package upgrade, so the edit has to be redone each time. wp_get_archives() also takes these same options as its argument, so a theme's sidebar template can pass its own limit without touching core files.


New ISP, new router

May 4th, 2009

Recently I had to choose another ISP for my home internet connection, and because my previous modem was a bit limited in its capabilities I decided it was time to invest in a Cisco 877W Integrated Services Router.
The main reason for choosing the 877W is that I used to work with Cisco appliances, so I'm familiar with IOS and like the CLI for managing the device.

After unpacking the device I connected the serial console cable that comes with the 877W to my laptop and turned it on. The first step was to make the internal LAN work. My new internet connection comes with 8 public IP addresses, so I had to renumber my internal LAN from private to public space. With the LAN part done I could set up the WAN interface, which took quite some time to get right.

While exploring the device it turned out that the preinstalled IOS image was a really old one from 2006, so I loaded a more recent image: better safe than sorry.

With the following provider parameters I created a configuration that works well for the SurfSnel ADSL product of InterNLnet:

Provider: InterNLnet (SurfSnel ADSL)
Protocol: PPPoA routed (RFC 2364)
Encapsulation: VC MUX
VPI/VCI: 0/35
Authentication: PAP

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!        
dot11 syslog
no ip source-route
ip cef
!
!
ip inspect name firewall appfw firewall
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall esmtp max-data 52428800
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall skinny
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name yourdomain.com
ip name-server 217.149.196.6
ip name-server 217.149.192.6
!
appfw policy-name firewall
  application http
    strict-http action allow alarm
    content-type-verification unknown-type match-req-rsp action allow alarm
    port-misuse tunneling action allow alarm
!
!
archive
 log config
  hidekeys
!
!
interface ATM0
 description Physical ADSL (ATM) Interface
 no ip address
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl enable-training-log
!
interface ATM0.1 point-to-point
 description ATM subinterface enables PPP over ATM
 no ip proxy-arp
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 station-role root
!
interface Vlan1
 ip address 145.99.xxx.xxx 255.255.255.248
 ip access-group 102 in
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip inspect firewall in
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 no cdp enable
 ppp pap sent-username <username>@dsl.inter.nl.net password 0 <password>
 ppp ipcp dns request
 ppp ipcp route default
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 permit tcp any any established
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 remark DNS In and Out
access-list 101 permit udp any eq domain any eq domain
access-list 101 permit udp any eq domain any gt 1023
access-list 101 remark DHCP client requests
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 remark NTP client requests
access-list 101 permit udp host 192.87.106.2 eq ntp any eq ntp
access-list 101 permit udp host 192.87.36.4 eq ntp any eq ntp
access-list 101 permit udp host 192.87.110.2 eq ntp any eq ntp
access-list 101 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17179591
ntp source Vlan1
ntp server 192.87.36.4
ntp server 192.87.106.2 prefer
ntp server 192.87.110.2
end

The above configuration will most likely also work on the 857W! As you will probably notice, the wireless interface has not been configured yet; more on that later.

Two points worth tightening before this config faces the Internet: the vty lines accept telnet as well as ssh (transport input telnet ssh), so a login over telnet sends the credentials in clear text, and no service password-encryption together with password 0 leaves the PAP password readable to anyone who can view the running config or a backup of it. Restricting transport input to ssh and enabling service password-encryption are cheap fixes; the latter only obscures the password (type 7 encoding is reversible), so still treat configuration backups as secrets.


Setup Firefly to serve iTunes

May 4th, 2009

This guide will help you set up Firefly Media Server to serve iTunes. This server-based program, previously known as "mt-daapd", shares your media collection with iTunes. DAAP stands for Digital Audio Access Protocol and was developed by Apple to share media across a local network.

I have done the installation on Debian Lenny, but Firefly (still called mt-daapd in the Debian repository!) is even available on Windows. To publish the Firefly shared library on the network I have used Avahi, a free implementation of Zeroconf including mDNS/DNS-SD.

1. Install the needed packages including dependencies

# apt-get install mt-daapd avahi-daemon

2. Setup Avahi by creating /etc/avahi/services/mt-daapd.service

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_daap._tcp</type>
<port>3689</port>
<txt-record>txtvers=1</txt-record>
<txt-record>iTSh Version=131073</txt-record>
<txt-record>Version=196610</txt-record>
</service>
</service-group>

3. Restart the Avahi daemon

# /etc/init.d/avahi-daemon restart

4. Edit /etc/mt-daapd.conf. The following variables were the important ones for me. Note that admin_pw protects the web admin interface on port 3689, which is reachable from every host that can reach the DAAP share, so set it to a real password rather than the value shown here:

# $Id: mt-daapd.conf.templ 1660 2007-09-12 13:08:04Z rpedde $
#
# This is the mt-daapd config file.

<…>

#
# admin_pw (required)
#
# This is the password to the administrative pages
#

admin_pw = mt-daapd

<…>

#
# mp3_dir (required)
#
# Location of the mp3 files to share.  Note that because the
# files are stored in the database by inode, these must be
# in the same physical filesystem.
#

mp3_dir = /path/to/music

#
# servername (required)
#
# This is both the name of the server as advertised
# via rendezvous, and the name of the database
# exported via DAAP.  Also know as "What shows up in iTunes".
#

servername = Firefly %v on %h

<…>

5. Restart mt-daapd

# /etc/init.d/mt-daapd restart

The first time you start mt-daapd it will do a full scan to update the mt-daapd database. Watch the /var/log/daemon.log file to see when it’s ready.

May  4 09:54:25 sinners mt-daapd[16843]: Firefly Version svn-1696: Starting with debuglevel 2
May  4 09:54:25 sinners mt-daapd[16843]: Plugin loaded: daap/svn-1696
May  4 09:54:25 sinners mt-daapd[16843]: Plugin loaded: ssc-ffmpeg/svn-1696
May  4 09:54:25 sinners mt-daapd[16843]: Plugin loaded: rsp/svn-1696
May  4 09:54:25 sinners mt-daapd[16843]: Starting rendezvous daemon
May  4 09:54:25 sinners mt-daapd[16843]: Client running
May  4 09:54:25 sinners mt-daapd[16843]: Starting signal handler
May  4 09:54:25 sinners mt-daapd[16845]: Initializing database
May  4 09:54:25 sinners mt-daapd[16845]: Full reload…
May  4 09:54:25 sinners mt-daapd[16845]: Starting mp3 scan
May  4 09:54:27 sinners mt-daapd[16845]: Starting playlist scan
May  4 09:54:27 sinners mt-daapd[16845]: Updating playlists
May  4 09:54:27 sinners mt-daapd[16845]: Scanned 10 songs in 1 seconds
May  4 09:54:27 sinners mt-daapd[16845]: Starting web server from /usr/share/mt-daapd/admin-root on port 3689
May  4 09:54:27 sinners mt-daapd[16845]: Registering rendezvous names
May  4 09:54:27 sinners mt-daapd[16845]: Serving 10 songs.  Startup complete in 2 seconds

Now you should be able to connect to the mt-daapd admin web interface at http://yourservername:3689.

6. You’re done!
Fire up iTunes and you’ll see the just created Firefly library become available under Shared. You can also use this service with Rhythmbox Music Player, XMMS with the DAAP plugin, or any other DAAP compatible music player.
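Once the server is up, a DAAP client first fetches /server-info from port 3689 and gets back a DMAP reply: a nested tag-length-value encoding (4-byte content code, 4-byte big-endian length, value). The Version and iTSh Version numbers in the Avahi record above use the same version encoding, major in the high 16 bits and minor in the low 16 (196610 is 0x00030002, DAAP 3.2). The following is an added example in Python, not Firefly's own code: a small DMAP encoder and parser exercised on a constructed server-info reply. The grouping of content codes by wire type and the sample values (status 200, the server name from the log lines above) are this example's assumptions. The parser checks every declared length against what is actually left in the buffer, which is the check you want in any client before it consumes replies from a share it does not control.

```python
import struct

# DMAP content codes that appear in a DAAP /server-info reply, grouped by wire
# type. The codes are the standard DAAP ones; the grouping is this example's own.
CONTAINERS = {b"msrv"}
STRINGS = {b"minm"}
UINT32 = {b"mstt"}
UINT8 = {b"mslr", b"msau"}
VERSIONS = {b"mpro", b"apro"}


def dmap_version(value):
    """Decode a 32-bit version: major in the high 16 bits, minor in the low 16.
    The Avahi TXT record above uses the same encoding (Version=196610 is 3.2)."""
    return "%d.%d" % (value >> 16, value & 0xFFFF)


def dmap_item(code, body):
    """Encode one item: 4-byte content code, 4-byte big-endian length, value."""
    return code + struct.pack(">I", len(body)) + body


def _fixed(code, body, size):
    """Reject fixed-width values whose declared length does not match."""
    if len(body) != size:
        raise ValueError("%r must be %d bytes, got %d" % (code, size, len(body)))
    return body


def parse_dmap(buf):
    """Parse a DMAP buffer into [(code, value), ...], recursing into containers.

    Every declared length is checked against what is actually left, so a
    truncated or deliberately oversized length raises instead of silently
    reading short or past the end."""
    items, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated item header at offset %d" % pos)
        code = buf[pos:pos + 4]
        (length,) = struct.unpack(">I", buf[pos + 4:pos + 8])
        body = buf[pos + 8:pos + 8 + length]
        if len(body) != length:
            raise ValueError("%r declares %d bytes, only %d left" % (code, length, len(body)))
        if code in CONTAINERS:
            value = parse_dmap(body)
        elif code in STRINGS:
            value = body.decode("utf-8")
        elif code in UINT32:
            (value,) = struct.unpack(">I", _fixed(code, body, 4))
        elif code in UINT8:
            value = _fixed(code, body, 1)[0]
        elif code in VERSIONS:
            value = dmap_version(struct.unpack(">I", _fixed(code, body, 4))[0])
        else:
            value = body  # unknown code: keep the raw bytes rather than guess a type
        items.append((code.decode("ascii", "replace"), value))
        pos += 8 + length
    return items


def server_info_reply(name):
    """Constructed /server-info reply of the shape a DAAP server returns:
    status 200, DMAP 2.0, DAAP 3.0, the advertised server name, no login required."""
    return dmap_item(b"msrv",
                     dmap_item(b"mstt", struct.pack(">I", 200))
                     + dmap_item(b"mpro", struct.pack(">HH", 2, 0))
                     + dmap_item(b"apro", struct.pack(">HH", 3, 0))
                     + dmap_item(b"minm", name.encode("utf-8"))
                     + dmap_item(b"mslr", b"\x00"))


if __name__ == "__main__":
    print(parse_dmap(server_info_reply("Firefly svn-1696 on sinners")))
```

To look at a live server, fetch `http://yourservername:3689/server-info` with urllib and hand the response body to parse_dmap(); the minm value should match the servername you configured in step 4.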


Ipurge

April 26th, 2009

No, it's not another Apple app; it's a handy tool that comes with the Cyrus mail server package to delete mail from IMAP mailboxes. I have set up two entries to get rid of unnecessary messages in the Spam and Trash folders of all users.
The following rules have been added to the EVENTS list in /etc/cyrus.conf.


# purge trash messages older than 2 weeks
purgetrash      cmd="/usr/sbin/ipurge -X -d 14 -f user.*.Trash" at=0600
# purge spam messages older than 4 weeks (each EVENTS entry needs its own name)
purgespam       cmd="/usr/sbin/ipurge -X -d 28 -f user.*.Spam" at=0630

It took me some time to figure out the correct matching pattern, and at first I was a little bit scared to use the -f option. The man page for ipurge says "-f Force deletion of mail in all mailboxes." But you'll need it; without it, it won't work.

I like this way of cleaning up!


Secured by CAcert

April 8th, 2009

In order to secure this personal website I have recently joined the CAcert community. This community-driven certificate authority issues free public key certificates. After signing up I created two server certificates, one for the web server and the other for secure mail and LDAP services.
So if you are using any web or mail related service on the vleeuwen.net domain I would recommend importing the CAcert root certificate. See the CAcert site for more information. Bear in mind that an imported root is trusted for every certificate it issues, not just for this domain, so verify its fingerprint against the one CAcert publishes before importing it.

Hopefully one day Mozilla will make the right decision and include the CAcert root keys in their products.


iXhash does a good job

February 26th, 2009

Some weeks ago I installed the iXhash SpamAssassin plugin and the spam tagging became noticeably better; just look at the spam stats page.
What it does is compute MD5 checksums of parts of an email's body and compare them, via DNS lookups, against the checksums of known spam.

Installation is very easy; just follow the online documentation. The default scores for the four zones are on the safe side, so after monitoring the results for a week I raised the scores to 1.5 for all zones.

Below you can see the result of a debug run to check that iXhash is working correctly. At the end of the test mail you'll find a short explanation of how it works.

# spamassassin -D IXHASH < iXhash.eml
[4346] dbg: IXHASH: Using iXhash plugin 1.5.5
[4346] dbg: IXHASH: IxHash querying ctyme.ixhash.net
[4346] dbg: IXHASH: Computed hash-value cbdc00eaaf002aad4448b75f47a9784f via method 1, using perl exclusively
[4346] dbg: IXHASH: Now checking cbdc00eaaf002aad4448b75f47a9784f.ctyme.ixhash.net
[4346] dbg: IXHASH: Computed hash-value 464d43b6999bdbdf6071b8b1d3f9a525 via method 2, using perl exclusively
[4346] dbg: IXHASH: Now checking 464d43b6999bdbdf6071b8b1d3f9a525.ctyme.ixhash.net
[4346] dbg: IXHASH: Computed hash-value b02ad35492c64f721e97e9a2f63b700c via method 3
[4346] dbg: IXHASH: Now checking b02ad35492c64f721e97e9a2f63b700c.ctyme.ixhash.net
[4346] dbg: IXHASH: IxHash querying hosteurope.ixhash.net
[4346] dbg: IXHASH: Hash value for method #1 found in metadata, re-using that one
[4346] dbg: IXHASH: Now checking cbdc00eaaf002aad4448b75f47a9784f.hosteurope.ixhash.net
[4346] dbg: IXHASH: Hash value for method #2 found in metadata, re-using that one
[4346] dbg: IXHASH: Now checking 464d43b6999bdbdf6071b8b1d3f9a525.hosteurope.ixhash.net
[4346] dbg: IXHASH: Hash value for method #3 found in metadata, re-using that one
[4346] dbg: IXHASH: Now checking b02ad35492c64f721e97e9a2f63b700c.hosteurope.ixhash.net
[4346] dbg: IXHASH: IxHash querying generic.ixhash.net
[4346] dbg: IXHASH: Hash value for method #1 found in metadata, re-using that one
[4346] dbg: IXHASH: Now checking cbdc00eaaf002aad4448b75f47a9784f.generic.ixhash.net
[4346] dbg: IXHASH: Received reply from generic.ixhash.net:127.0.0.2
[4346] dbg: IXHASH: IxHash querying ix.dnsbl.manitu.net
[4346] dbg: IXHASH: Hash value for method #1 found in metadata, re-using that one
[4346] dbg: IXHASH: Now checking cbdc00eaaf002aad4448b75f47a9784f.ix.dnsbl.manitu.net
[4346] dbg: IXHASH: Hash value for method #2 found in metadata, re-using that one
[4346] dbg: IXHASH: Now checking 464d43b6999bdbdf6071b8b1d3f9a525.ix.dnsbl.manitu.net
[4346] dbg: IXHASH: Hash value for method #3 found in metadata, re-using that one
[4346] dbg: IXHASH: Now checking b02ad35492c64f721e97e9a2f63b700c.ix.dnsbl.manitu.net
X-Spam-Virus: No
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on vleeuwen.net
X-Spam-Level: **
X-Spam-Status: No, score=2.0 required=5.0 tests=BAYES_50,GENERIC_IXHASH,
        MISSING_DATE,NO_RECEIVED,NO_RELAYS autolearn=no version=3.2.5
From: "iXhash plugin test mail" <spamtrap@ixhash.net>
Message-ID: <mEsSaGeId@sOmEwHeRe.CoM>
To: admin@testsite.com
Subject: iXhash plugin test mail

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
</HEAD>
<body>
  <font face="Verdana">This is an e-mail designed to test the iXhash plugin’s functionality.<br>
  <br>
  If you run this mail through SpamAssassin (using 'spamassassin -D IXHASH < iXhash.eml', you should see the plugin score with the list 'generic.ixhash.net'.<br>
  This is because the hashes this mail generates ( cbdc00eaaf002aad4448b75f47a9784f and 464d43b6999bdbdf6071b8b1d3f9a525 ) are permanently listed on that list.<br>
  Apart from that this mail is of no use.<br>
  <br>

</body>
</html>

#

Just checking this with a manual DNS lookup:

$ host cbdc00eaaf002aad4448b75f47a9784f.generic.ixhash.net
cbdc00eaaf002aad4448b75f47a9784f.generic.ixhash.net has address 127.0.0.2
$

What a surprise: it turns out to be a valid A record. iXhash will then tag the email with the score you set for 'GENERIC_IXHASH'.
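The lookup in the debug output above is a plain DNSBL query: resolve <md5>.<zone>, and an answer inside 127.0.0.0/8 means "listed". The following is an added example in Python, not the iXhash plugin's own code, that performs that check for the three hashes the plugin computed for the test mail (copied from the debug output; the body normalisation that produces them is not reproduced here) and scores one rule per zone at the 1.5 used above. The resolver is injectable, and the constructed answers for the offline run include a public address to show why replies outside 127.0.0.0/8 must be ignored: a resolver that rewrites NXDOMAIN into a search-page address would otherwise list every mail.

```python
import ipaddress
import socket

# The four zones from the debug run above and the per-zone rule score the post
# settled on. Zones and score come from the post; this mapping is the example's own.
ZONE_SCORES = {
    "generic.ixhash.net": 1.5,
    "ctyme.ixhash.net": 1.5,
    "hosteurope.ixhash.net": 1.5,
    "ix.dnsbl.manitu.net": 1.5,
}

# Hashes the plugin computed for the test mail (methods 1-3), copied from the debug output.
TEST_MAIL_HASHES = (
    "cbdc00eaaf002aad4448b75f47a9784f",
    "464d43b6999bdbdf6071b8b1d3f9a525",
    "b02ad35492c64f721e97e9a2f63b700c",
)

DNSBL_RANGE = ipaddress.ip_network("127.0.0.0/8")


def resolve_a(name):
    """Live resolver: the A record for name, or None when it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(answer):
    """Only an answer inside 127.0.0.0/8 is a listing. Anything else is noise:
    a wildcard, a captive resolver, or an NXDOMAIN-to-search-page redirect."""
    if answer is None:
        return False
    try:
        return ipaddress.ip_address(answer) in DNSBL_RANGE
    except ValueError:
        return False


def ixhash_lookup(hashes, zone_scores=ZONE_SCORES, resolve=resolve_a):
    """Query <hash>.<zone> for every pair; return (total score, [(zone, hash, answer)]).

    A zone contributes at most once, matching one SpamAssassin rule per zone
    (GENERIC_IXHASH in the X-Spam-Status header above)."""
    total, hits = 0.0, []
    for zone, score in zone_scores.items():
        for digest in hashes:
            answer = resolve("%s.%s" % (digest, zone))
            if is_listed(answer):
                hits.append((zone, digest, answer))
                total += score
                break
    return total, hits


# Constructed answers for an offline run: the first hash is listed in
# generic.ixhash.net (as in the debug output); ctyme is made to return a
# public address, which must not count.
FAKE_DNS = {
    "cbdc00eaaf002aad4448b75f47a9784f.generic.ixhash.net": "127.0.0.2",
    "464d43b6999bdbdf6071b8b1d3f9a525.ctyme.ixhash.net": "203.0.113.10",
}


def fake_resolve(name):
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    print("offline:", ixhash_lookup(TEST_MAIL_HASHES, resolve=fake_resolve))
    print("live:   ", ixhash_lookup(TEST_MAIL_HASHES))
```

The live call reproduces the `host` lookup above for all zones at once; if it ever starts reporting hits on every mail, check the raw answers first, because the most likely cause is a resolver that no longer returns NXDOMAIN.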
