header_checks and Spamassassin headers in Postfix 2.6

images.duckduckgo.comI’ve had this mail server of mine for some time. I was an early adopter of Gmail back then, but as years went on and it became obvious that messages were data-mined by Gmail, I eventually started running my own Postfix server. Not just for me, but for family and eventually other people. Now, the thing is that some folks insist on having their emails forwarded to another service, like Gmail, Yahoo, etc. I can understand that. The problem is that if such mailbox receives a lot of spam messages, those messages get forwarded to Gmail and Yahoo as well, and as a result, my mail server can get bad reputation because of that – I can’t just explain to the other side that those spams are only forwarded.

I’m using Spamassassin to mark spam, but all it can do is to mark the messages for users’ MUAs, it can’t do anything else, like drop or reject unsolicited bulk email so that it doesn’t get forwarded. I’ve used Amavis somewhere in the past and it could have solved the problem, but here it felt as too large a gun for the task. All I wanted is to prevent the most obvious spam with high score points from being forwarded. So I created a file with a regular expression to catch all messages marked as Spamassassin with help of X-Spam-Level header.

and uncommented this line in:

The above mentioned HOLD action will put the messages into the hold queue for further inspection. Other option is to REJECT the messages (more here external_link).

To my dismay, it just didn’t work when I gave it a try with help of Gtube. What I didn’t realize was that header_checks happen while message is being received. Spamassassin, however, works as a milter that adds extra headers later, so it couldn’t work. There is a Postfix feature designed to solve this problem – milter_header_checks – which does the same thing, except it takes headers added by milters into account, too. The only tiny drawback was that this feature was added to Postfix 2.7 and my Centos 6 had Postfix 2.6 running. There was a patch on Postfix page which backported milter_header_checks into version 2.6, but I just didn’t have enough courage to go for it. Instead I used the workaround discussed here external_link (many thanks). The trick is to create another service in master.cf and use it as a content filter for the main smtp service. That way, the Spamassassin headers get applied and on the second run, they get noticed by header_checks.

I also had to add permit_mynetworks in recipient restrictions, but that was probably relevant just to my particular setup.

After the postfix reload, the spam messages with score higher than defined in /etc/postfix/header_checks finally got caught and stopped.

Posted in Operating systems Tagged with: , ,

Apache and umask 002

downloadI ran into a problem with Apache on Centos 6. For some time, I was the only person who had access to this particular machine so permissions were not a problem. However, now that somebody else is taking care of the website hosted there, they had troubles editing files that were uploaded via website and owned by apache. So I added the user to the apache group and put this line:

into file:

That way, any file created by apache user was by default writable by the apache group so the given user would be able to work with those files. When I tried it out, however, it didn’t work, the user was not able to modify those files, to my frustration. Now, I was left with two options, either pull my hair off, or modify the httpd init script, neither of them much to my liking. Eventually, I found out that the solution was pretty easy – the PHP upload script was explicitly setting the permissions to 644 so members of apache group were not able to modify the file. When I modified the application and its chmod command, everything worked like a charm.

Posted in Operating systems, Web-related Tagged with: , ,

“Lazy” Synolocker

A funny thing happened to me the other day. Someone brought me a 4-bay Synology NAS which had been hit by ransomware called Synolocker. The usual scenario – the NAS was exposed to the internet, maybe not updated as regularly as it should have been, and eventually targeted by ransomware. The bright side was that the owner kept an offline copy of the data that was stored on the NAS, so no big harm done. I was only asked to restore the NAS to the original settings to get rid of the nasty piece of software and make the NAS usable again.

RAID 5

RAID 5

synolocker

The funny fact was that once I restored the operating system (thus removing the infected system) and was about to go and blank the encrypted volumes, I was surprised to find out that the data was still there, perfectly intact. This particular piece of ransomware was so “lazy” that it didn’t even bother to actually encrypt the data. It simply demanded ransom and waited for anyone who would panic enough to go and pay up.

Posted in Hardware, Operating systems Tagged with: ,

Blackthorne

Yet another game from the 90’s that I wanted to tick off as done. Here are a few screenshots:

Posted in Games Tagged with: ,

Centos 7 – bridge for KVM

nicubunu-RPG-map-symbols-stone-bridge-100pxI got a machine on which I wanted to try Centos 7 and KVM virtualization. As usual, I had to search for how to do a network bridge as it’s been quite long since I did it last time (on Centos 6). So these are the basic steps. First, dont’t forget to install bridge-utils while installing the KVM-related packages:

Now, this was the default config file for the network interface:

I had to change it to point to a bridge interface called bridge0.

And this is where the new network configuration goes. It’s probably worth mentioning that it’s been changed from DHPC to a static IP address:

and also that the GATEWAY has been moved to /etc/sysconfig/network.

After

you should be able to connect KVM VMs directly to the LAN.

Posted in Operating systems Tagged with: , , ,

Systemd problem

At home, I’ve been using rolling release of Debian for my desktop for quite some time. The good thing about it is that years go by and you need not worry about the end of life of this or that particular release. Sometimes, things can go awry, of course, but that happens quite rarely and running apt-get dist-upgrade usually takes care of the problem. Yesterday, however, I ran into a funny error message:

I have to admit that as far as the current flamewars regarding systemd are concerned, I don’t feel my insight is deep enough to allow me to contribute to those discussions one way or the other, but in the light of the current spiteful debate, it was a really funny error message 🙂

screenshot-systemd

Posted in General thoughts, Operating systems Tagged with: ,

Hardware repairs

kids helped a lot

kids helped a lot

I’ve been tinkering with my computers ever since the days of ZX Spectrum, more or less. In the last eight years or so, however, people would come to me with their broken laptops and computers every now and then. It didn’t happen too often to become a nuisance; instead, it was a welcome distraction from my regular daily tasks (with the exception, maybe, of the time when I had seven laptops at my office at once 🙂 ).

Read more ›

Posted in General thoughts, Hardware Tagged with:

Gettext translations

120px-Official_gnu.svgGettext is a great way to localize and internationalize (simply put, to translate) your (web)applications. It’s especially useful when you’re building a multi-language application because you can separate the code from the translation process effectively.

  1. all strings that need to get translated have to be wrapped in _() function in the source code files:

  2. cd to the project directory and run in bash (this will go through all the php files in the current working directory):

  3. to search for all php files in the project directory recursively, try this:

    If you need to omit a particular directory, use inverted grep like this:

  4. The above mentioned commands will output a file named projectname.po, which can be translated using Poedit or Pootle. Poedit will generate binary file projectname.mo on save.
  5. To use this binary file, create another directory in your project folder (I’m using cz_CS locale identifier)

    and copy the .mo file there.

  6. In your application, use the following:

This will load the .mo file with translated strings and replace all the _() wrapped strings in there.

Posted in Programming, Web-related Tagged with: , ,

Lands of Lore (again)

Some time ago, I started playing Lands of Lore. Then I took a short break (for about five years 🙂 ) and now I happened to stumble across the saved games so I decided to go on again this Xmas. Here come a few screenshots from the final stages of the game:

Posted in Games Tagged with: , ,

Skype in Docker

small_hAlthough jabber is my preferred IM protocol, sometimes I have to communicate with people who, for some reason, only use Skype. On Debian, that can be quite a problem, supposing you are not particularly keen on weed infestation of your system. One way to get Skype was to start a virtual machine with another operating system. That is a rather resource hungry solution for one application only, however. Last week I found a satisfactory solution – run Skype in a docker container. It was a double win as I finally discovered something to use docker for 🙂

The container keeps Skype away from my base operating system and at the same time it all takes less resources than a full VM. The fork of the original repo is here:
https://github.com/vex21/docker-skype

Funny things happen, though. Today, Microsoft announced they were going public with the web interface. Naturally, that is the best option they could provide.

Posted in General thoughts, Operating systems Tagged with: ,

About

My name is Vratislav Hutsky. I work as a Senior Quality Engineer at Red Hat. Before that, I was a freelance sysadmin and web developer for quite a few years.