Description: SMTP command-line test tool
 swaks (Swiss Army Knife SMTP) is a command-line tool written in Perl
 for testing SMTP setups; it supports STARTTLS and SMTP AUTH (PLAIN,
 LOGIN, CRAM-MD5, SPA, and DIGEST-MD5). swaks allows to stop the SMTP
 dialog at any stage, e.g to check RCPT TO: without actually sending a
 mail.
 .
 If you are spending too much time iterating “telnet foo.example 25”
 swaks is for you.

A very important tool which makes debugging e-mail a breeze. A must for every mail admin.

Dear Lazyweb, in late 2001, I bought a shiny new computer to replace my VHS VCR and to finally help me in getting my last 200 hours worth of music form analog audio tapes into the digital domain. I have to admit that I have failed to do this. While the TV ambitions were originally spoiled with the rotten Windows TV software that came with the Hauppauge PVR PCI card, audio with windows used to work rather decently. Until I decided to ditch Windows and to use Linux. Which looks like a mistake. Not even the audio stuff works any more. I have bought a new TV card and a new sound card, but all I currently get (with the old sound card, btw) are audio recordings that sound way too fast. I would like to use my DAT deck as a A/D-converter and to feed the resulting 44.1 kHz 16 bit stereo data stream to the computer via optical S/PDIF. I couldn’t get the emu10k card I bought to listen to its optical entry, so I swapped it back to the cm8738-based Nightingale Pro 6. Since toying around with the IEC switches in command-line ALSA mixer, I can hear what’s being put in on optical S/PDIF correctly playing on the PCs analog output. However, when I use arecord -Dhw:0,2 -f cd foo.wav to actually record from the optical S/PIDIF input, the Result sounds way too fast. Otoh, both aplay and file(1) say that this is a 44.1 kHz 16 bit stereo WAV file. Up to now, neither Usenet nor the ALSA mailing list have been helpful in debugging this. Oh dear lazyweb, who can help? In the current situation, I am really really tempted to shell out money - either for a new Windows license, or for a Mac. What should I do?

"Guidelines for the Secure Operation of the Internet" (RFC1281)

Read it and weep.

Techblogging: DoSing spammers

I've done this in the past, by having a CGI rabbit-hole in a semi-hidden link near the start of the page which just generated 1000s of invalid email addresses. For bonus points, use addresses with MX servers which will never be online again, or maybe with a MX that tarpits and rejects all mail eventually. Get enough points and the spammer will either stop scanning your site or waste a lot of time on you.

Google scanned by spammers [Techblogging]

I don't use pingomatic, but a few of my pages are ranked high enough to attract spammers every time I update them. I think blog spammers probably are using subscription tools to find the most active/most syndicated sites to spam. Can we redesign the tools to defeat them?

BBC News Technology UK Edition: Ads help Google profits triple

But hey, why should Google care about spammers when their externalisation to date is making Google rich?

Techblogging: Web 2.0 security issues incoming

I dislike Web 2.0 so far because it is often inaccessible - this suggests it's often insecure too.

Software Patents Petition

Need more brains... come on, sign the petition, even if it has a bit of hyperbole/invective and a typo or two. Last I heard, it's behind adopting Spandau Ballet's Gold as national anthem, for crying out loud!

The Irascible Professor-commentary of the day 06-07-06. Calculator dependence.

Parents, don't let your children grow up to be calculator junkies!

Zugschlusbeobachtungen: Which kind of software suspend?

I think I heard Matthew Garrett give an interview somewhere (LUG Radio?) which summarised the suspend situation as something like "it works well except when it doesn't." My computer usually software-suspends, but sometimes it crashes and sometimes is often enough to deter me from suspending it often. I really ought to debug it, but it's not a priority yet.

'Cheap and tacky' wedding email that went global - 19 Nov 2006 - National

"The marquee company's CEO, Klaus Jorgensen, said he had sacked the employee responsible - who turned out to be his wife"

NoDaddy.Com - Exposing the Many Reasons Not to Trust GoDaddy with Your Domain Names

"They didn't give me a chance to dispute or resolve the problem -- just a voicemail saying my domain was scheduled for suspension , followed up by a Domain Suspension Notice exactly 52 seconds later. Note that neither of these included a phone number for the abuse department or a reason for the shutdown."

The 'Ow' starts now / freedom bits / greve / Fellows / The Fellowship - Fellowship of FSFE

FSFE's Georg Greve won't be upgrading to Vista, which I saw called "Windows Fista" on the BBC's site - disgruntled journo, over-aggressive MS PR or typo?

BBC NEWS Have Your Say Will you be getting Microsoft Vista?

Nearly 2000 comments, most "No" AFAIS

Microsoft files for patent on "modular operating system"

Microsoft patents Linux?

Hacking gadflies: Marechal, A dystopian future''

Another comment on the MS patent.

BBC NEWS Technology Triple threat targets Word users

While I'm boggling at Microsoft, I hope all their customers saw this little Christmas present from 20 December.

BBC News Technology UK Edition: Sony CD compensation agreed

No Christmas for Sony, remember? They pay out a year or so late.

BBC Trust - On-demand Services' consultation

A remarkable consultation that includes a question "How important is it that the proposed seven-day catch-up service over the internet is available to consumers who are not using Microsoft software?", but the questionnaire doesn't work in all browsers. Do you think this biases the responses? Yes, yes or yes?

Digg - Pressure the BBC to embrace open standards, not just Microsoft technology!

Digg is the new slashdot. Just add hot grits.

BBC News Technology UK Edition: Vista has speech recognition hole

"for the flaw to be exploited the speech recognition feature would need to be activated and configured and both microphone and speakers would have to be switched on." Well, my speakers are embedded in the screen, my microphone doesn't have an on/off switch and I leave it switched on in the mixer so that I can answer the softphone quickly... I doubt I'm the only one who doesn't switch the mic off after every use. Are Microsoft living in the real world any more?

For nearly two years, I have been pondering about a good and failure-resilient DNS setup to implement for my own domains. In the last days, I have set the first prototype into use. No, I haven’t dared to touch zugschlus.de, my most important domain, yet. This is planned for the weekend. So, if you experience difficulties in accessing any of my Internet services, please inform me and allow me to fix the issue. However, zugschl.us, marc-haber.de and a number of less important test domains have already been moved to the new, svn-driven Scheme and delegation has been changed to the new DNS servers, dns1.nosuid.net, dns2.notwork.de and dns3.mxonly.de. q.bofh.de, my old main DNS server, continues to run as a slave for a transition period, and it continues to feed the slave servers run by various commercial and non-commercial entities that have kindly been serving the zones in the last years. The new servers are all run by myself. dns1 and dns2 are dedicated servers (“real” machines that both have other duties as well) located at two different ISPs/hosters located in different parts of Germany, while dns3 is a vServer located in the US (which only does DNS due to its rather severely limited amount of memory). The three domains the servers are located in are in two different top level domains, are registered through two different registrars and are not used for anything besides DNS (and providing the host name for ivanova.notwork.de, one of the DNS servers and the machine hosting this blog). The two .de-Domains mxonly.de and notwork.de are MX only domains, which means that they are not delegated outside of the .de zone but their resource records are directly written to the .de TLD zone. This reduces the chance of the domains becoming unavailable due to failures in the delegated servers (because there are none), and we depend on .de being available anyway. A downside of MX only domains is that the number of registrars that support them through their automatisms is rather limited. The .net zone is served by the registrar’s name servers since .de is the only TLD I know of that has reasonable prices and offers MX only domains. One can argument that the .net zone is a weak point here, but I suspect that I’m reasonably safe with the MX only .de domains that the .net domain is only a paranoid safety catch anyway.

I recently had an issue where a remote host would frequently run out of memory after a number of processes had been invoked from remote. I looked in the wrong direction first, but finally found out that each process invocation leaves two sshd processes hanging around, which are eventually exhausting the memory on the box. Next step was finding out what happened for the sshd processes not to properly terminate. Eventually, I remembered that the incoming ssh connections were not invoked directly, but via a third host with “proxycommand ssh other-host socket %h %p”. Looking on other-host quickly showed a number of socket processes being around, and killing them made the sshds on the low-memory host vanish as well. Short-term remedy was therefore to set ClientAliveInterval in the low-memory host’s sshd configuration. I then searched for reasons why ClientAliveInterval is not set by default at least in Debian’s sshd configuration. I didn’t find a reason and proceeded to file a wishlist bug request againnst openesh-server for this option to be set by default. Before filing this bug, I routinely visited the BTS, just to find out that the bug was already filed. By me. One year and 285 days ago. And that the openssh maintainer(s) didn’t even bother to reply to it yet. Guys, this is a textbook example how to discourage people from filing Bugs against your packages. Please, give them at least the appreciation of a short ACK if you don’t get around to fixing the bugs in reasonably short time. Having a bug rot away uncommented and unfixed in the BTS for two years is simpy not acceptable. Yes, that goes even for a wishlist bug.

Dec 29 11:23:51 scyw00225 kernel: Critical temperature reached (4822 C), shutting down.

Right after your system has shut down while booting up in the early morning.

Dear Lazyweb, dear Santa Claus, One thing I wish for exim is a patch for Exim Bugzilla Issue #66, which will incidentally fix Debian Bug #244724, which has become a recurring issue in various complex ISP configuration schemes. A patch solving this would add an option to an SMTP transport which allows the transport to set the authentication credentials instead of the authenticator. The transport still knows the host name given to it and can look up the right authentication credentials, while the authenticator only knows the IP address that we are connected to and thus needs to rely on reverse DNS information to look up the credentials. Which leads to numerous kinds of confusion regarding CNAMEs and broken reverse DNS on the ISP side. So, please dear Santa, give me a patch for that. It shouldn’t be too hard to do.

Yesterday, Philip Hazel released exim 4.64. I have just uploaded the packages to Debian experimental. If you want to try the lastest and finest exim, please check out the packages. Unfortunately, the release is too late for etch. Debian etch will release with exim 4.63. I mean, unless the release team decides to bend their rules very badly, which I really do not assume.

If I continue leaving channels at this rate, I’ll have an empty IRC client by christmas. I somehow still consider this a bug, since IRC is the anchor for most of my social contacts. But I surely won’t be missing #debian, and #debian is not going to miss me.

Andreas, I am not a nice guy. I am only lazy. If the change to exim4 (it now displays a debconf note to everybody who tries do dpkg-reconfigure exim4, -base or a daemon package telling them to dpkg-reconfigure exim4-config) saves #debian from answering the question “how do I reconfigure exim4, dpkg-reconfigure exim4 does nothing!” twice a day, it is a good change. I basically agree with you that people who not read the minimum basics of documentation are a nuisance, but they’re unfortunately real. You need to hurl the docs into their faces. And even then they’re going to ignore them and google for answers instead. And on google, they’re going to find wrong or outdated docs.

I somehow thought I usually was nice and helpful, however upon reading Marc's e-mail about trying to make exim4 a little bit more foolproof, I realized I was not. My gut reaction to the problem (people failing to check the docs at all) was a simple "So what? Either they'll learn the minimal basics. (Docs on Debian are in /usr/share/doc and reading them can be helpful.) or Debian is not for them. I sure won't be jumping through hoops for them." Lesson learned: I am just an elitist <insert favorite 4-letter word>.

... have a mandatory policy about how Planet pictures have to look like? Or officially allow some individual touch? And, btw, it is horrendously impolite to rant about people on IRC while the people ranted about are present. Sheesh!

While evaluating Gallery, I noticed that my test web server generates wrong links inside the web application. After getting some help on the Gallery Forum, I was told that this was because my setup was miscreating REQUEST_URI to contain the entire URI, consisting of scheme, host name and path, while Gallery expects that variable to be only the path portion of the URI. Since REQUEST_URI is fine when I ask the web server running the application directly from the host in question, while accessing it from my local machine through an ssh tunnel (since the application web server is not going to be publicly visible on the Internet) yields the full URI in REQUEST_URI Unfortunately, neither is the PHP Documentation especially verbose (it just says that REQUEST_URI is “The URI which was given in order to access this page; for instance, ‘/index.html’.”) nor is the apache documentation formally defining REQUEST_URI (the closest to a definition being the documentation for mod_setenvif, which says that REQUEST_URI is “generally the portion of the URL following the scheme and host portion without the query string”). Did I miss a more formal documentation of apache/PHP’s behavior? Pointers appreciated. While I was writing this blog entry, which was a lot more angry in its first version, the Gallery guys finally acknowledged that apache and PHP are not sufficiently specifying REQUEST_URI and that I have delivered a valid example where there is a host part in REQUEST_URI. They’re going to work around this. Good news, thanks!

---

The promised fix is in gallery2 svn, I have applied the patch to my local version, and the application is fine now. Thanks!

If you are putting an URL containing brackets in the section title of an .ini-like formatted file, you’d better use percent notation for the brackets in the URL. Sorry for yesterday’s Planet flood. I hope it will be less painful this time.

Since leaving planet.debian.org, I have moved my blog to my own s9y installation on my own server, and am thus able to debug s9y and to make modifications to my installation.I am therefore returning to Planet, and hope that my blog won’t cause any dupes any more.

Well, after reconfiguring my blog on Debian Planet, a few old articles have shown up again. Most probably the Planet had forgotten about having seen these articles before I left Planet weeks ago.It isn’t so bad, since most of the articles are still current - adduser is still beingn worked on, exim4 needs GnuTLS knowhow desperately, and clamav-data packages are still being built automatically for volatile.

After over two years without a release, and after having release candidates in experimental since October, aide 0.11 was released a few days ago, and I have just uploaded 0.11-1 to unstable. This time, I even haven’t forgotten to use the -v option to svn-buildpackage to have the changelog entries for the package versions uploaded to experimental in the unstable upload notice as well.aide is the Advanced Intrusion Detection Environment, a program which compares the real state of the file system with a database which holds various file attributes such as inode data and/or cryptographic checksums. In 2005, the Debian maintainer of aide, Mike Markley, has accepted me as a co-maintainer, and since I have done the biggest part of the work in the last months, I have adopted the package as responsible maintainer in January 2006. Mike is still listed in Uploaders and can commit to our alioth svn, though.

Disclaimer: I am not comfortable with technical documents in my native language, German. I generally find German translations of technical stuff clumsy, overly complicated and badly worded. I might have a “special” feeling for the language, but some output of translators is just too bad to tolerate.For example, I constantly keep stumbling over the german translation of the Debian security team FAQ, which I consider horrendously badly done. Especially the use of the german word “Gutachten”, which basically means “opinion” in the legal sense (as the document produced by an expert called by a court of law) to translate “advisory” is a very very bad choice. My toes curl when I read the german version.In April 2005, I suggested to the German translation team to review the translation of the security team FAQ. I might not have chosen the right wording for that request, but besides a lot of flamage and “the translation is just fine”, I received the usual “send a patch”. Which I did in April 2005.No answer. In October 2005, I asked again, and received answer from the translator that my patch was just too intrusive. Well, a bad translation was rewritten, and the bad translation is still being used.Consequences for me? I’m not going to bother any more about German translations. English is just fine, and when somebody needs a German translation, I’m going to translate the stuff myself. Pointing people to the official German translations is just too embarrassing. A pity.

To support my experiments with OpenVPN, I have been trying to evaluate different CA software packages in Debian. With devastating results.I tried

• pyca
• tinyca
• easy-rsa (from the openvpn package)

pycaPros

• command line

Cons

• Unmaintained upstream
• Quite underdocumented - the maintainer doesn’t think so and closed #355177.
• Didn’t work when I tried it

tinycapros

• seems easily useable

cons

• has a GUI and is thus not suitable for very old boxes as CA host
• version in unstable gets in endless loop after CA certification
• version in testing crashes without error message if default values for CA are changed
• version in testing succeeds in creating CA and then displays a GUI that doesn’t accept any mouse clicks

easy-rsapros

• easily useable
• Only CA tried that actually worked in creating certificates for first OpenVPN installation

cons

• not properly packages - only in examples directory of OpenVPN package
• creates CA without password!

openca

• not packaged for Debian (see #141748)

openxpki

• split from openca in October 2005
• Has not yet released any code

conclusionAll software sucks. Does Debian have CA software that is actually useable?

After months of complete silence, ICQ spam has started again. Unfortunately, it is not even possible to put these people on ignore since kopete does seem to have lost its ignore option. Or, at least, I cannot find it any more in the menus. At least, kopete doesn’t show a message from a new contact before one has decided whether to add or not to add the new contact. A very good idea. Not.I decided to query #kopete on freenode where the Ignore button has gone to. But, I didn’t get any information. They said “your kopete, 0.11.1, is old. Please update to 0.12, this is the supported version.”WTF? I am using Debian unstable, with has the latest released KDE, and kopete 0.11.1 is part of current kdenetwork. And the developers refuse support for a package which has been built a mere six weeks ago? Have these people lost their grasp with reality? This sooooo ridiculous.Is there any other useable ICQ client that integrates well with KDE?