I'm really getting the urge to move away from BIND.
why?
re: jail, presumably rsync should be enough?
from bind to what?
cedwards: nsd is your best bet
up_the_irons: does nsd handle zone files the same way BIND does?
i've had powerdns recommended
cedwards: yes, same format (it's an RFC somewhere)
I learned on BIND, so it makes sense to me, but I had a discussion with a tiny fan the other day and he pointed out some things I never considered.. (particularly for our recursives)
same with me cedwards - i think most people who learn dns properly start on bind
for one, maintaining forward and reverse in separate files. doesn't make sense when the information is technically already in one file
my biggest issue with bind is the stupid /24 stuff for reversing
i know you can do it differently but it's a pain in the ass
we got a new /16 last year, i generated individual /24 reverse files for it :/
plus i prefer separate forward/reverse files
you may want different data in each
forward and reverse should usually match, but I suppose there are exceptions.
indeed they don't *have* to match
cedwards: i just can't stand making certain records in tinydns. try srv records. you need a generator
or txt records, or spf
basically anything here: http://www.anders.com/projects/sysadmin/djbdnsRecordBuilder
it's f'in ridiculous
that's.. strange.
ugh, djb
cedwards: here's an actual SRV record for an example domain: :_sip._tcp.example.com:33:\000\012\000\144\023\304\003pbx\007example\003com\000:86400
that's what you actually put in your zone file for tinydns
THAT'S F'IN RIDICULOUS
messed up :/
therefore, no tinydns for me at the moment
i still use bind purely because i'm familiar with it and i know it's stable
for some reason i trust it
plus of course, having read DNS and BIND cover to cover several times, it just fits ;/
yeah i read the 2nd edition cover to cover
4th here :)
just got 5th in work, doesn't seem to be much different - just more on DNSSec, as you'd expect i guess
excellent book though
As I understand it, nsd/unbound is to bind as postfix is to sendmail?
cedwards: i've heard that analogy before, yes
how is spamd working for you? I've got really good filtering just via postfix at this point, but I do like the idea of tying it into the firewall.
cedwards: i haven't got to the spamd part yet; postfix and dovecot are done and golden. I also made a lot of postfix tweaks wrt spam and so far, it has worked out well on 2 test accounts that get nothing but spam
after i migrate some real users, then i want to play with spamd
some say my smtpd_*_restrictions are too tight, but I've not had problems and I get zero spam.
cedwards: nice
care to share?
I implemented it at work and I've actually had users jokingly complain about the lack of spam.
LOL
http://pastebin.com/sCkXCYN7
I like filtering at every step of the SMTP handshake/communication. I filter a bunch just at HELO
also use postgrey, zen.spamhaus.org and spf policy.
cedwards: nice, this looks similar to mine, but i don't have postgrey or spf policy stuff going yet
i _highly_ recommend postgrey
cedwards: with spamd, postgrey-like functionality is already provided
I was just reading about spamd and that's what it sounded like..
yeah
up_the_irons: how difficult is it to mount a different image on one of my hosts?
up_the_irons: I'm interested in trying something else on my second box.
cedwards: define "mount a different image"
up_the_irons: mount/attach a different .iso to the drive so I could reinstall something different over VNC.
cedwards: if it is within the same "class" (Linux vs. FreeBSD vs. OpenBSD), it is easy. If you want to switch class, then I need to also change VM parameters.
I was just thinking of switching one of my boxes from FreeBSD to a Linux distro (yet undecided).
roger
cedwards: Resist the urge, fight the temptations :)
Nat_UB: I know I should. Sometimes I just get restless.
Hehehehehe....enjoy
hmm. trying to install spamd in a jail. how do I allow the additional mount in fstab?
n/m
up_the_irons: don't do it. Just say no to greylisting!
jdoe: heh, why
delay, dropped mail from smtp farms.
i figure you could white list those you can, but you have to know about them first.
and I like my email relatively maintenance free, personally.
his smtp*_*_restrictions are too tight too. he'll lose mail if he ever has a dns failure among other things.
mail is always maintenance
the script presented here: http://home.xnet.com/~ansible/openbsd_spamd_conf.html makes a pretty good whitelist based off spf records
usually not "scouring mail logs looking for rejected mail that shouldn't be" maintenance
using spf is probably fine as long as the other side actually publishes the, them
from what I hear gmail requires more maintenance than just that. and facebook is a PITA as are some airlines, I think a couple are listed in that list, I've seen it before.
ymmv, but still. I'd rather pass spam in than accidentally lose a legit mail
given i've had to scour quarantined messages for possible false positives, it's all just maintenance in the end
just depends where you're looking
I don't. I think I sent you my config, I reject on spamhaus/spamcop or on an obscene spamd score at session time. everything else gets passed through (but tagged in headers) regardless of score.
Users can sort as they please.
the greylisting thing is just personal preference. My only two legit beefs with his config are rfc-ignorant and the dns tests.
jdoe: oh yeah, you sent me stuff, but i think you forgot to attach the actual config; sorry i didn't have time to reply yet
... seriously? that's embarrassing.
haha. i forget attachments all the time... ;)
yeah. I had something setup to try to prevent that though, scanning email for things that implied there might be one. ... guess that was on the old system :(
the dns checks (like no reverse dns entry) tend to block a lot of spam though, i kinda like that one
well, sent again, with the attachment this time :P
tnx!
I think I actually do use dns checks, just ... not so many.
i c
you could also try something I did a while ago. Basically I wrote a postfix policy server that I could call from the *_restrictions blocks
it would check against a massive list of rbls and if it found any hits I could then greylist that host.
ah
it had some p0f integration, but presumably you could do that with pf already if you really wanted.
cool
if you're using postfix you may want to give http://www.postfix.org/postscreen.8.html a look too. It's... let's call it "volatile" right now, but it looks like it'll be a nice new toy.
although personally what I want is some way to glue rbls and (openbsd's) spamd together.
... I'll shut up about mail now ;)
what would you guys suggest for lightweight ftp? i only need to use it myself and maybe for users, no public access required