[01:16] *** schmir has joined #arpnetworks
[01:22] *** schmir has quit IRC (Remote host closed the connection)
[01:25] *** schmir has joined #arpnetworks
[01:26] *** LT has joined #arpnetworks
[02:47] *** schmir has quit IRC (Remote host closed the connection)
[02:47] *** schmir has joined #arpnetworks
[03:34] *** nuke` has quit IRC (Ping timeout: 240 seconds)
[03:48] *** Zahran has joined #arpnetworks
[03:51] *** nuke` has joined #arpnetworks
[04:03] *** ziyourenxiang has joined #arpnetworks
[04:58] *** hiro_dSn_ has joined #arpnetworks
[05:01] *** hiro_dSn has quit IRC (Ping timeout: 248 seconds)
[07:18] *** Ehtyar has joined #arpnetworks
[07:30] *** nerdd has joined #arpnetworks
[07:31] *** Zahran has quit IRC ()
[07:32] *** nerdd_ has quit IRC (Ping timeout: 276 seconds)
[07:36] *** __Ehtyar has quit IRC (Remote host closed the connection)
[07:51] *** nerdd_ has joined #arpnetworks
[07:52] *** nerdd has quit IRC (Ping timeout: 252 seconds)
[07:53] *** cmeiklejohn has quit IRC (Quit: leaving)
[07:57] *** nerdd has joined #arpnetworks
[07:58] *** nerdd_ has quit IRC (Ping timeout: 264 seconds)
[08:02] *** nerdd has quit IRC (Ping timeout: 252 seconds)
[08:03] *** nerdd has joined #arpnetworks
[08:24] *** nerdd_ has joined #arpnetworks
[08:25] *** nerdd has quit IRC (Ping timeout: 260 seconds)
[08:28] *** LT has quit IRC (Quit: Leaving)
[09:03] *** ziyourenxiang has quit IRC (Quit: ziyourenxiang)
[09:05] *** schmir has quit IRC (Remote host closed the connection)
[09:06] *** epid_ has left 
[09:13] *** lll_ has quit IRC (Quit: leaving)
[09:14] *** lll_ has joined #arpnetworks
[09:14] *** lll_ has quit IRC (Client Quit)
[09:15] *** lll_ has joined #arpnetworks
[09:16] *** lll_ has quit IRC (Client Quit)
[09:17] *** lll_ has joined #arpnetworks
[09:17] *** lll_ has quit IRC (Client Quit)
[09:18] *** Lucas__ has joined #arpnetworks
[09:18] *** Lucas__ has quit IRC (Client Quit)
[09:18] *** lcw has joined #arpnetworks
[09:19] *** lcw has quit IRC (Client Quit)
[09:19] *** LucasWilcox has joined #arpnetworks
[09:22] *** LucasWilcox has quit IRC (Client Quit)
[09:23] *** LucasWilcox has joined #arpnetworks
[09:23] *** LucasWilcox has quit IRC (Client Quit)
[09:24] *** LucasWilcox has joined #arpnetworks
[09:42] <cedwards> I'm really getting the urge to move away from BIND.
[09:52] <jdoe> why?
[09:52] <jdoe> re: jail, presumably rsync should be enough?
[11:24] <awyeah> from bind to what?
[11:25] <up_the_irons> cedwards: nsd is your best bet
[12:51] *** schmir has joined #arpnetworks
[12:55] *** schmir has quit IRC (Ping timeout: 265 seconds)
[14:06] *** schmir has joined #arpnetworks
[14:15] *** schmir has quit IRC (Ping timeout: 265 seconds)
[14:24] *** AndrewBC has quit IRC (Quit: Bye!)
[14:37] *** AndrewBC has joined #arpnetworks
[14:53] *** visinin has joined #arpnetworks
[15:05] *** heavysixer has quit IRC (Quit: BAMPF!)
[15:54] *** visinin has quit IRC (Quit: leaving)
[16:55] <cedwards> up_the_irons: does nsd handle zone files the same way BIND does?
[16:55] <bob^^> i've had powerdns recommended
[16:55] <up_the_irons> cedwards: yes, same format (it's an RFC somewhere)
[16:56] <cedwards> I learned on BIND, so it makes sense to me, but I had a discussion with a tiny fan the other day and he pointed out some things I never considered..
[16:56] <bob^^> (particular for our recursives)
[16:56] <bob^^> same with me cedwards - i think most people who learn dns properly start on bind
[16:56] <cedwards> for one, maintaining forward and reverse in seperate files. doesn't make sense when the information is technically already in one file
[16:57] <bob^^> my biggest issue with bind is the stupid /24 stuff for reversing
[16:57] <bob^^> i know you can do it differently but it's a pain in the ass
[16:57] <bob^^> we got a new /16 last year, i generated individual /24 reverse files for it :/
[16:58] <bob^^> plus i prefer seperate forward/reverse files
[16:58] <bob^^> you may want different data in each
[16:58] <cedwards> forward and reverse should usually match, but I suppose there are exceptions.
[16:59] <bob^^> indeed
[16:59] <bob^^> they don't *have* to match
[16:59] <up_the_irons> cedwards: i just can't stand making certain records in tinydns.  try srv records.  you need a generator
[17:00] <up_the_irons> or txt records, or spf
[17:00] <up_the_irons> basically anything here: http://www.anders.com/projects/sysadmin/djbdnsRecordBuilder
[17:00] <up_the_irons> it's f'in ridiculous
[17:00] <cedwards> that's.. strange.
[17:01] <bob^^> ugh, djb
[17:01] * bob^^ isn't a fan
[17:01] <up_the_irons> cedwards: here's an actual SRV record for an example domain:
[17:01] <up_the_irons> :_sip._tcp.example.com:33:\000\012\000\144\023\304\003pbx\007example\003com\000:86400
[17:01] <up_the_irons> that's what you actually put in your zone file for tinydns
[17:01] <up_the_irons> THAT'S F'IN RIDICULOUS
[17:01] <bob^^> messed up :/
[17:02] <up_the_irons> therefore, no tinydns for me
[17:02] <bob^^> at the moment i still use bind purely because i'm familiar with it and i know it's stable
[17:02] <bob^^> for some reason i trust it
[17:02] <bob^^> plus of course, having read DNS and BIND cover to cover several times, it just fits ;/
[17:03] <up_the_irons> yeah i read the 2nd edition cover to cover
[17:03] <bob^^> 4th here :)
[17:03] <bob^^> just got 5th in work, doesn't seem to be much different - just more on DNSSec, as you'd expect i guess
[17:03] <bob^^> excellent book though
[17:04] <cedwards> As I understand it, nsd/unbound is to bind as postfix is to sendmail?
[17:04] <up_the_irons> cedwards: i've heard that analogy before, yes
[17:10] <cedwards> how is spamd working for you?
[17:28] <cedwards> I've got really good filtering just via postfix at this point, but I do like the idea of tying it into the firewall.
[17:32] <up_the_irons> cedwards: i haven't got to the spamd part yet; postfix and dovecot are done and golden.  I also made a lot of postfix tweaks wrt spam and so far, it has worked out well on 2 test accounts that get nothing but spam
[17:32] <up_the_irons> after i migrate some real users, then i want to play with spamd
[17:34] <cedwards> some say my smtpd_*_restrictions are too tight, but I've not had problems and I get zero spam.
[17:34] <up_the_irons> cedwards: nice
[17:34] <up_the_irons> care to share?
[17:34] <cedwards> I implemented it at work and I've actually had users jokingly complain about the lack of spam.
[17:34] <up_the_irons> LOL
[17:35] <cedwards> http://pastebin.com/sCkXCYN7
[17:36] <cedwards> I like filtering at every step of the SMTP handshake/communication. I filter a bunch just at HELO
[17:36] <cedwards> also use postgrey, zen.spamhaus.org and spf policy.
[17:37] <up_the_irons> cedwards: nice, this looks similar to mine, but i don't have postgrey or spf policy stuff going yet
[17:37] <cedwards> i _highly_ recommend postgrey
[17:38] <up_the_irons> cedwards: with spamd, postgrey-like functionality is already provided
[17:39] <cedwards> I was just reading about spamd and that's what it sounded like..
[17:39] <up_the_irons> yeah
[17:42] <cedwards> up_the_irons: how difficult is it to mount a different image on one of my hosts?
[17:42] <cedwards> up_the_irons: I'm interested in trying something else on my second box.
[17:42] <up_the_irons> cedwards: define "mount a different image"
[17:44] <cedwards> up_the_irons: mount/attach a different .iso to the drive so I could reinstall something different over VNC.
[17:45] <up_the_irons> cedwards: if it is within the same "class" (Linux vs. FreeBSD vs. OpenBSD), it is easy.  If you want to switch class, then I need to also change VM parameters.
[17:47] <cedwards> I was just thinking of switching one of my boxes from FreeBSD to a Linux distro (yet undecided).
[17:48] <up_the_irons> roger
[17:52] <Nat_UB> cedwards: Resist the urge, fight the temptations   :)
[17:52] <cedwards> Nat_UB: I know I should. Sometimes I just get restless.
[17:54] <Nat_UB> Hehehehehe....enjoy
[18:05] *** ziyourenxiang has joined #arpnetworks
[18:06] <cedwards> hmm. trying to install spamd in a jail. how do I allow the additional mount in fstab?
[18:14] *** LucasWilcox has quit IRC (Ping timeout: 248 seconds)
[18:14] *** LucasWilcox has joined #arpnetworks
[18:23] <cedwards> n/m
[18:37] *** ziyourenxiang has quit IRC (Ping timeout: 240 seconds)
[18:40] *** cedwards has quit IRC (Ping timeout: 240 seconds)
[18:40] *** ziyourenxiang has joined #arpnetworks
[18:52] <jdoe> up_the_irons: don't do it. Just say no to greylisting!
[18:52] <up_the_irons> jdoe: heh, why
[18:52] <jdoe> delay, dropped mail from smtp farms.
[18:53] <up_the_irons> i figure you could white list those
[18:53] <jdoe> you can, but you have to know about them first.
[18:53] <jdoe> and I like my email relatively maintenance free, personally.
[18:53] <jdoe> his smtp*_*_restrictions are too tight too.
[18:53] <jdoe> he'll lose mail if he ever has a dns failure
[18:53] <jdoe> among other things.
[18:54] <up_the_irons> mail is always maintenance
[18:55] <up_the_irons> the script presented here: http://home.xnet.com/~ansible/openbsd_spamd_conf.html
[18:55] <up_the_irons> makes a pretty good whitelist based off spf records
[18:56] <jdoe> usually not "scouring mail logs looking for rejected mail that shouldn't be" maintenance
[18:56] <jdoe> using spf is probably fine as long as the other side actually publishes the,
[18:56] <jdoe> them
[18:56] <jdoe> from what I hear gmail requires more maintenance than just that.
[18:56] <jdoe> and facebook is a PITA
[18:56] <jdoe> as are some airlines, I think a couple are listed in that list, I've seen it before.
[18:57] <jdoe> ymmv, but still. I'd rather pass spam in than accidentally lose a legit mail
[18:57] <up_the_irons> given i've had to scour quarantined messages for possible false positives, it's all just maintenance in the end
[18:57] <up_the_irons> just depends where you're looking
[18:58] <jdoe> I don't. I think I sent you my config, I reject on spamhaus/spamcop or on an obscene spamd score at session time.
[18:58] <jdoe> everything else gets passed through (but tagged in headers) regardless of score. Users can sort as they please.
[18:59] <jdoe> the greylisting thing is just personal preference. My only two legit beefs with his config are rfc-ignorant and the dns tests.
[18:59] <up_the_irons> jdoe: oh yeah, you sent me stuff, but i think you forgot to attach the actual config; sorry i didn't have time to reply yet
[19:00] <jdoe> ... seriously?
[19:00] <jdoe> that's embarrassing.
[19:00] <jdoe> haha.
[19:00] <up_the_irons> i forget attachments all the time...
[19:00] <up_the_irons> ;)
[19:01] <jdoe> yeah. I had something setup to try to prevent that though, scanning email for things that implied there might be one.
[19:01] <jdoe> ... guess that was on the old system :(
[19:02] <up_the_irons> the dns checks (like no reverse dns entry) tend to block a lot of spam though, i kinda like that one
[19:04] <jdoe> well, sent again, with the attachment this time :P
[19:04] <up_the_irons> tnx!
[19:04] <jdoe> I think I actually do use dns checks, just ... not so many.
[19:05] <up_the_irons> i c
[19:09] <jdoe> you could also try something I did a while ago. Basically I wrote a postfix policy server that I could call from the *_restrictions blocks
[19:09] <jdoe> it would check against a massive list of rbls and if it found any hits I could then greylist that host.
[19:09] <up_the_irons> ah
[19:09] <jdoe> it had some p0f integration, but presumably you could do that with pf already if you really wanted.
[19:09] * jdoe is/was a bit of an email nerd.
[19:11] <up_the_irons> cool
[19:16] <jdoe> if you're using postfix you may want to give http://www.postfix.org/postscreen.8.html a look too. It's... let's call it "volatile" right now, but it looks like it'll be a nice new toy.
[19:17] <jdoe> although personally what I want is some way to glue rbls and (openbsd's) spamd together.
[19:17] <jdoe> ... I'll shut up about mail now ;)
[21:09] *** heavysixer has joined #arpnetworks
[21:09] *** ChanServ sets mode: +o heavysixer
[21:47] *** ziyourenxiang has quit IRC (Quit: ziyourenxiang)
[23:05] *** homosaur has quit IRC (Quit: pocketful of goat cheese, ready to party)
[23:07] *** Elem[e]nt has quit IRC (Read error: No route to host)
[23:26] *** homosaur has joined #arpnetworks
[23:27] <homosaur> what would you guys suggest for lightweight ftp? i only need to use it myself and maybe for users, no public access required
[23:41] *** homosaur has quit IRC (Quit: pocketful of goat cheese, ready to party)
[23:54] *** Ehtyar has quit IRC (Remote host closed the connection)
[23:54] *** Ehtyar has joined #arpnetworks