***: schmir has quit IRC (Remote host closed the connection)
schmir has joined #arpnetworks
LT has joined #arpnetworks
schmir has quit IRC (Remote host closed the connection)
schmir has joined #arpnetworks
nuke` has quit IRC (Ping timeout: 240 seconds)
Zahran has joined #arpnetworks
nuke` has joined #arpnetworks
ziyourenxiang has joined #arpnetworks
hiro_dSn_ has joined #arpnetworks
hiro_dSn has quit IRC (Ping timeout: 248 seconds)
Ehtyar has joined #arpnetworks
nerdd has joined #arpnetworks
Zahran has quit IRC ()
nerdd_ has quit IRC (Ping timeout: 276 seconds)
__Ehtyar has quit IRC (Remote host closed the connection)
nerdd_ has joined #arpnetworks
nerdd has quit IRC (Ping timeout: 252 seconds)
cmeiklejohn has quit IRC (Quit: leaving)
nerdd has joined #arpnetworks
nerdd_ has quit IRC (Ping timeout: 264 seconds)
nerdd has quit IRC (Ping timeout: 252 seconds)
nerdd has joined #arpnetworks
nerdd_ has joined #arpnetworks
nerdd has quit IRC (Ping timeout: 260 seconds)
LT has quit IRC (Quit: Leaving)
ziyourenxiang has quit IRC (Quit: ziyourenxiang)
schmir has quit IRC (Remote host closed the connection)
epid_ has left
lll_ has quit IRC (Quit: leaving)
lll_ has joined #arpnetworks
lll_ has quit IRC (Client Quit)
lll_ has joined #arpnetworks
lll_ has quit IRC (Client Quit)
lll_ has joined #arpnetworks
lll_ has quit IRC (Client Quit)
Lucas__ has joined #arpnetworks
Lucas__ has quit IRC (Client Quit)
lcw has joined #arpnetworks
lcw has quit IRC (Client Quit)
LucasWilcox has joined #arpnetworks
LucasWilcox has quit IRC (Client Quit)
LucasWilcox has joined #arpnetworks
LucasWilcox has quit IRC (Client Quit)
LucasWilcox has joined #arpnetworks
cedwards: I'm really getting the urge to move away from BIND.
jdoe: why?
re: jail, presumably rsync should be enough?
awyeah: from bind to what?
up_the_irons: cedwards: nsd is your best bet
***: schmir has joined #arpnetworks
schmir has quit IRC (Ping timeout: 265 seconds)
schmir has joined #arpnetworks
schmir has quit IRC (Ping timeout: 265 seconds)
AndrewBC has quit IRC (Quit: Bye!)
AndrewBC has joined #arpnetworks
visinin has joined #arpnetworks
heavysixer has quit IRC (Quit: BAMPF!)
visinin has quit IRC (Quit: leaving)
cedwards: up_the_irons: does nsd handle zone files the same way BIND does?
bob^^: i've had powerdns recommended
up_the_irons: cedwards: yes, same format (it's an RFC somewhere)
cedwards: I learned on BIND, so it makes sense to me, but I had a discussion with a tiny fan the other day and he pointed out some things I never considered..
bob^^: (particular for our recursives)
same with me cedwards - i think most people who learn dns properly start on bind
cedwards: for one, maintaining forward and reverse in separate files. doesn't make sense when the information is technically already in one file
bob^^: my biggest issue with bind is the stupid /24 stuff for reversing
i know you can do it differently but it's a pain in the ass
we got a new /16 last year, i generated individual /24 reverse files for it :/
plus i prefer separate forward/reverse files
you may want different data in each
cedwards: forward and reverse should usually match, but I suppose there are exceptions.
bob^^: indeed
they don't *have* to match
up_the_irons: cedwards: i just can't stand making certain records in tinydns. try srv records. you need a generator
or txt records, or spf
basically anything here: http://www.anders.com/projects/sysadmin/djbdnsRecordBuilder
it's f'in ridiculous
cedwards: that's.. strange.
bob^^: ugh, djb
-: bob^^ isn't a fan
up_the_irons: cedwards: here's an actual SRV record for an example domain:
:_sip._tcp.example.com:33:000012000144023304003pbx007example003com000:86400
that's what you actually put in your zone file for tinydns
THAT'S F'IN RIDICULOUS
bob^^: messed up :/
up_the_irons: therefore, no tinydns for me
bob^^: at the moment i still use bind purely because i'm familiar with it and i know it's stable
for some reason i trust it
plus of course, having read DNS and BIND cover to cover several times, it just fits ;/
up_the_irons: yeah i read the 2nd edition cover to cover
bob^^: 4th here :)
just got 5th in work, doesn't seem to be much different - just more on DNSSec, as you'd expect i guess
excellent book though
cedwards: As I understand it, nsd/unbound is to bind as postfix is to sendmail?
up_the_irons: cedwards: i've heard that analogy before, yes
cedwards: how is spamd working for you?
I've got really good filtering just via postfix at this point, but I do like the idea of tying it into the firewall.
up_the_irons: cedwards: i haven't got to the spamd part yet; postfix and dovecot are done and golden. I also made a lot of postfix tweaks wrt spam and so far, it has worked out well on 2 test accounts that get nothing but spam
after i migrate some real users, then i want to play with spamd
cedwards: some say my smtpd_*_restrictions are too tight, but I've not had problems and I get zero spam.
up_the_irons: cedwards: nice
care to share?
cedwards: I implemented it at work and I've actually had users jokingly complain about the lack of spam.
up_the_irons: LOL
cedwards: http://pastebin.com/sCkXCYN7
I like filtering at every step of the SMTP handshake/communication. I filter a bunch just at HELO
also use postgrey, zen.spamhaus.org and spf policy.
up_the_irons: cedwards: nice, this looks similar to mine, but i don't have postgrey or spf policy stuff going yet
cedwards: i _highly_ recommend postgrey
up_the_irons: cedwards: with spamd, postgrey-like functionality is already provided
cedwards: I was just reading about spamd and that's what it sounded like..
up_the_irons: yeah
cedwards: up_the_irons: how difficult is it to mount a different image on one of my hosts?
up_the_irons: I'm interested in trying something else on my second box.
up_the_irons: cedwards: define "mount a different image"
cedwards: up_the_irons: mount/attach a different .iso to the drive so I could reinstall something different over VNC.
up_the_irons: cedwards: if it is within the same "class" (Linux vs. FreeBSD vs. OpenBSD), it is easy. If you want to switch class, then I need to also change VM parameters.
cedwards: I was just thinking of switching one of my boxes from FreeBSD to a Linux distro (yet undecided).
up_the_irons: roger
Nat_UB: cedwards: Resist the urge, fight the temptations :)
cedwards: Nat_UB: I know I should. Sometimes I just get restless.
Nat_UB: Hehehehehe....enjoy
***: ziyourenxiang has joined #arpnetworks
cedwards: hmm. trying to install spamd in a jail. how do I allow the additional mount in fstab?
***: LucasWilcox has quit IRC (Ping timeout: 248 seconds)
LucasWilcox has joined #arpnetworks
cedwards: n/m
***: ziyourenxiang has quit IRC (Ping timeout: 240 seconds)
cedwards has quit IRC (Ping timeout: 240 seconds)
ziyourenxiang has joined #arpnetworks
jdoe: up_the_irons: don't do it. Just say no to greylisting!
up_the_irons: jdoe: heh, why
jdoe: delay, dropped mail from smtp farms.
up_the_irons: i figure you could white list those
jdoe: you can, but you have to know about them first.
and I like my email relatively maintenance free, personally.
his smtp*_*_restrictions are too tight too.
he'll lose mail if he ever has a dns failure
among other things.
up_the_irons: mail is always maintenance
the script presented here: http://home.xnet.com/~ansible/openbsd_spamd_conf.html
makes a pretty good whitelist based off spf records
jdoe: usually not "scouring mail logs looking for rejected mail that shouldn't be" maintenance
using spf is probably fine as long as the other side actually publishes them
from what I hear gmail requires more maintenance than just that.
and facebook is a PITA
as are some airlines, I think a couple are listed in that list, I've seen it before.
ymmv, but still. I'd rather pass spam in than accidentally lose a legit mail
up_the_irons: given i've had to scour quarantined messages for possible false positives, it's all just maintenance in the end
just depends where you're looking
jdoe: I don't. I think I sent you my config, I reject on spamhaus/spamcop or on an obscene spamd score at session time.
everything else gets passed through (but tagged in headers) regardless of score. Users can sort as they please.
the greylisting thing is just personal preference. My only two legit beefs with his config are rfc-ignorant and the dns tests.
up_the_irons: jdoe: oh yeah, you sent me stuff, but i think you forgot to attach the actual config; sorry i didn't have time to reply yet
jdoe: ... seriously?
that's embarrassing.
haha.
up_the_irons: i forget attachments all the time...
;)
jdoe: yeah. I had something setup to try to prevent that though, scanning email for things that implied there might be one.
... guess that was on the old system :(
up_the_irons: the dns checks (like no reverse dns entry) tend to block a lot of spam though, i kinda like that one
jdoe: well, sent again, with the attachment this time :P
up_the_irons: tnx!
jdoe: I think I actually do use dns checks, just ... not so many.
up_the_irons: i c
jdoe: you could also try something I did a while ago. Basically I wrote a postfix policy server that I could call from the *_restrictions blocks
it would check against a massive list of rbls and if it found any hits I could then greylist that host.
up_the_irons: ah
jdoe: it had some p0f integration, but presumably you could do that with pf already if you really wanted.
-: jdoe is/was a bit of an email nerd.
up_the_irons: cool
jdoe: if you're using postfix you may want to give http://www.postfix.org/postscreen.8.html a look too. It's... let's call it "volatile" right now, but it looks like it'll be a nice new toy.
although personally what I want is some way to glue rbls and (openbsd's) spamd together.
... I'll shut up about mail now ;)
***: heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
ziyourenxiang has quit IRC (Quit: ziyourenxiang)
homosaur has quit IRC (Quit: pocketful of goat cheese, ready to party)
Elem[e]nt has quit IRC (Read error: No route to host)
homosaur has joined #arpnetworks
homosaur: what would you guys suggest for lightweight ftp? i only need to use it myself and maybe for users, no public access required
***: homosaur has quit IRC (Quit: pocketful of goat cheese, ready to party)
Ehtyar has quit IRC (Remote host closed the connection)
Ehtyar has joined #arpnetworks