After fidling around with some settings and trying some workarounds from various web resources I decided to uninstall BitDefender. Now I am looking for a good replacement. Any recommendations for a Windows 7 antivirus program?

java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

A google searched showed some pages where errors like these were discussed (like here). It seems like there is a bug in openjdk-6-jdk 6b11-9.1+lenny2. The symbolic link /usr/lib/jvm/java-6-openjdk/jre/lib/security/cacerts is directing to the file /etc/ssl/certs/java/cacerts which is missing. It should be included in the package ca-certificates-java but that package is unavailable under Debian lenny.

I hope this bug is fixed in a future openjdk version, meanwhile I copied the file from one of my Ubuntu servers.

Jungledisk uses fuse to mount the web service storage and it seems that I am not able to load the fuse module on my virtual server. I installed fuse-utils via aptitude but every time I tried to run jungledisk I got the error message:

fusermount: failed to open /dev/fuse: Permission denied

If I try to load the fuse module by running modprobe fuse I get the error

FATAL: Could not load /lib/modules/2.6.9-023stab048.6-enterprise/modules.dep: No such file or directory

Seems like the kernel on my server was compiled by Hosteurope without being able to load modules. I am doing a manual backup now and will have a look into that in some days again.

UPDATE: I sent an email to the support of Hosteurope and their short answer was: It is not possible to use FUSE on their systems

Backing up the application was easy by following BoyGenius’ how to. To hardest part was to find the folder using Vista’s search – I ended up firing up find in cygwin.

Having securely stored all my precious applications I am now going to update my Bold to OS version 4.6.0.216 just found on blackberryforums. Wish me luck on that one!

When I read this about a week ago I reacted immediately and updated my system with:

aptitude update
aptitude dist-upgrade

The OpenSSL wiki page describes what has to be done for the various installed packages that use OpenSSL certificates. The tool dowkd.pl allows you to check if there are vulnerable keys on your system.

I use PuTTY a lot in combination with keys created by PuTTYgen – these keys stored on my various systems are of course not affected by this problem.

SMTP error from remote mail server after MAIL FROM:<anyone@anywhere.com>
SIZE=16282613:
host example.net [87.230.24.156]: 552 5.3.4 Message size exceeds fixed limit

I was a bit confused because I did not set any limit. After checking the postfix manual and running the following commands

postconf -d (showing the default settings)
postconf -n (showing explicitly configured settings)

I found out that the default maximum message size is configured like

message_size_limit = 10240000

which means about 10MB. I ran the following commands to adjust the limit:

postconf -e "message_size_limit = 102400000"

Now I am able to receive mails with a maximum size of about 100 megs. Additionally I change the maximum mailbox size with the following command:

postconf -e "mailbox_size_limit = 512000000"
postconf -e "virtual_mailbox_limit = 512000000"

The whole process was simpler than I thought it would be. I just had to add the following line to my Location in the apache virtual host that points to my repository:

AuthzSVNAccessFile /path/to/access/file

Then I created the file I pointed out with the directive. There I added entries like

[main:/]
tom = rw

[other:/]
tom = rw
frank = rw

With this entries I defined which users have access to the two repositories main and other. It is as easy as this. The modules configured per default for svn in Debian etch already have loaded the authz_svn module. For more details see the svn documentation.

The second reason is that I do not want to delete or archive my mails to often and I want to have access to them anywhere at any time. Therefor I need an IMAP server with a lot of storage. Most free mail services provide this nowadays but did not five years ago. I thought about using GMAIL lately but I am not completely happy with storing all my mails on Google servers.

First I used an old PC that ran in my home office day and night. My home internet connection always had a high enough upload bandwidth to allow that. The mail server was no dedicated mail server for my domain. I used fetchmail to receive my emails from multiple POP3 servers.

About six months ago I configured a VPS machine to act as the dedicated mail server for my domains. I host multiple mail accounts for my family and friends on it. This post explains what I did to configure my perfect personal mail server.

Basic mail server setup

The whole system is based on Debian etch base network installation. The first packages I installed were

apt-get install postfix mutt

I use postfíx as my mail transfer agent. It provides a huge set of features and is a lot easier to configure than other systems. After installing postfix the configuration dialog asked what kind of system I have. I answered “Internet site” because I wanted to configure a dedicated mail server for my domain.

mutt is a simple mail reader which I use to read and send mails for testing when connected over ssh. After the installation of postfix it should be possible to send mails localy between user accounts (tom, root, …) and to an official mail address with mutt. See the mutt manual on how to control mutt.

Spam filter

I found this nice article on how to install and configure spamassassin with postfix on debian. Based on this how to I installed the following packages:

apt-get install spamassassin spamc pyzor razor

With the command line

spamassassin --lint -D

it is possible to check if spamassassin works and what checks are enabled.

I added a user for spamassassin with the following statements:

groupadd -g 5001 spamd
useradd -u 5001 -g spamd -s /sbin/nologin -d /var/lib/spamassassin spamd
mkdir /var/lib/spamassassin
chown spamd:spamd /var/lib/spamassassin

In the file /etc/default/spamassassin I made the following changes:

SAHOME="/var/lib/spamassassin/"
ENABLED=1
OPTIONS="--create-prefs --max-children 2 --username spamd --helper-home-dir ${SAHOME} -s ${SAHOME}spamd.log"

This enables spamassassin on startup of the server, configures its home directory and defines the maximum number of processes it is allowed to use.

Inside the file /etc/postfix/master.cf I added the following line to tell postfix to filter received mails through spamassassin:

smtp inet n - - - 2 smtpd
-o content_filter=spamassassin

spamassassin unix - n n - - pipe
user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

After this point every incoming mail is checked by spamassassin. I wanted to drop every mail with a spam rating higher than ten points so I added the following line in /etc/postfix/main.cf

header_checks = regexp:/etc/postfix/header_checks

and created the file /etc/postfix/header_checks with this content:

/^X-Spam-level: \*\*\*\*\*\*\*\*\*.*$/ DISCARD

So far I had my new server where my old PC at home already was. One of the biggest advantages of having my own dedicated mail server for my domain compared to a home server with fetchmail is that it is possible to use greylisting. This means every time a new mail server wants to send a mail to my domain it is rejected on the first try. If the server tries again after five minutes the mail is accepted. Most spam senders do not try again which reduces spam significant (by about 90 percent!).

All I had to do to get greylisting was to install the correct Debian package

apt-get install postgrey

and add the following lines to /etc/postfix/main.cf:

smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_destination,
check_policy_service inet:127.0.0.1:60000

IMAP, POP and Webmail

Now that mails are received, filtered and stored by the server I had to make them accessible. My choice for this is dovecot for IMAP and POP in combination with squirrelmail for webmail. Of course there are Debian packages which I installed with

apt-get install dovecot-imapd dovecot-pop3d squirrelmail

This also installs apache2 as web server with PHP support because squirrelmail is a PHP web application. Inside /etc/dovecot/dovecot.conf I added the protocols IMAP, IMAPS and POP3S:

protocols = imap imaps pop3s

I only use IMAPS for security reasons but squirrelmail connects over IMAP internally. Now it was possible to run dovecot by executing

/etc/init.d/dovecot start

To enable squirrelmail I added the example configuration inside of /etc/squirrelmail/apache.conf to my apache2 virtual host and reloaded the apache2 configuration. Now I was able to log into my webmail.

Virtual mail users

Since I want to allow all the members of my family to use my mail server without having to add a user account on my Linux system I chose to create virtual mail users. Therefor I first created a real system user under which the mails of all virtual users will be handled.

adduser vmail

I made sure that he the user is not able to login (shell /bin/false) and has a strong password. Then I added the following lines to /etc/postfix/main.cf:

virtual_transport = virtual
virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
virtual_alias_maps = hash:/etc/postfix/valias

The ID 1001 in this configuration is the user and group ID of the vmail user I just created. Then I created the files configured above. The vhosts file holds the domains for which the mail server should handle incoming mails just like:

domain1.com
domain2.com

The vmaps file tells the system in which subdirectory of the vmail base directory (in my case /var/mail/vmail) the mails of the virtual users should be stored:

tom@domain1.com tom@domain1.com/
tom@domain2.com tom@domain2.com/
jim@domain2.com jim@domain2.com/

I had to create these directories and make vmail the owner of them. Later this configuration will be ignored because I used maildrop for filtering my mails (see below).

After creating the file I had to call postmap vhosts to generate to map that postfix uses to access it.

In the valias file it is possible to define mail alias which allows to create multiple email addresses that should be stored in the same mailbox like the following:

postmaster@domain1.com tom@domain1.com
postmaster@domain2.com tom@domain2.com
thomas@domain2.com tom@domain2.com

Like before I had to use postmap to create the map file for this file after every change. A reload of the configuration by calling /etc/init.d/postfix reload makes postfix aware of the changes and it is able to handle incoming mails for the virtual users.

To tell dovecot how to handle virtual users I had to make the following changes to /etc/dovecot/dovecot.conf:

mail_location = maildir:/var/mail/vmail/%u

auth default {  mechanisms = plain digest-md5  passdb passwd-file {

   # Path for passwd-file

   args = /etc/dovecot/passwd

  }

userdb passwd-file {

    # Path for passwd-file

    args = /etc/dovecot/users

  }

}

In the two configured files I added the entries required for the authorization of the virtual users. The file /etc/dovecot/users looks like

tom@domain1.com::1001:1001::/var/mail/vmail/tom@domain1.com/:/bin/false::
tom@domain2.com::1001:1001::/var/mail/vmail/tom@domain2.com/:/bin/false::
jim@domain2.com::1001:1001::/var/mail/vmail/jim@domain2.com/:/bin/false::

Here 1001 again is the ID of the user vmail. By using the dovecot password tool I created the entries for /etc/dovecot/passwd:

dovecotpw -u tom

The generated password hash has to be copied into the file /etc/dovecot/passwd:

tom@domain1.com:5tA1zgMfhrE4U
tom@domain2.com:BUJC6K1tPPNxc
jim@domain2.com:YpdhuPLRTRuqg

After reloading the configuration of dovecot it was able to authenticate the virtual users and to find their mail directory.

Maildrop

Because I want to sort my incoming mails into different IMAP folders automatically on the server I decided to use maildrop. I installed the Debian maildrop package by calling

apt-get install maildrop

I added the following two lines to /etc/postfix/main.cf

maildrop_destination_recipient_limit = 1
virtual_transport = maildrop

and removed the line

virtual_transport = virtual

to tell postfix to delivery mail through maildrop. Additionally I had to include the following in the master.cf

maildrop  unix  -       n       n       -       -       pipe

flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${recipient}

When a mail is delivery maildrop looks into the home directory of the user for a file named .mailfilter so I created this file in /home/vmail with the following content:

DEFAULT="/var/mail/vmail/$1/"

exception {
  include "$HOME/mailfilters/$1"
}
to $DEFAULT

This configuration tells maildrop to look into the folder mailfilters for special configurations for a virtual users or to put the mail to its default directory. In the directory /home/vmail/mailfilters I created the files for the virtual mail users like tom@domain1.com:

if (/^X-Spam-Flag:.*YES/)
{
  exception {
    to "$DEFAULT/.spam/"
  }
}

if (/^Subject.*LogWatch/ || /^Subject.*Cron/ )
{
  exception {
    to "$DEFAULT/.logwatch/"
  }
}

Now every mail that is tagged by spamassassin with the X-Spam-Flag header is placed into the IMAP folder called spam and mails with a subject containing “LogWatch” are placed in the folder logwatch.

SASL

Sending mail through the server that is configured as the MX for a domain reduces the chance that it is mistaken for spam a lot. To allow me to not only receive email with my mailserver but to send my email through it I configured SASL for secure access and to block all other invalid users.

The packages are installed by the following command line:

apt-get install postfix libsasl2 sasl2-bin libsasl2-modules libdb3-util

The following lines needed to be added to /etc/postfix/main.cf:

smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
check_policy_service inet:127.0.0.1:60000
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous

Then I created the file /etc/postfix/sasl/smtpd.conf containing the following two lines:

pwcheck_method: saslauthd
mech_list: plain login

and I created a directory for the SASL daemon:

mkdir -p /var/spool/postfix/var/run/saslauthd

This directory is defined in /etc/defaults/saslauthd with

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Finished

This is the complete setup of my mail system. If you got any questions or hints to improve it please let me know it in your comments.

On last tip: It is helpful to test your system while going through the steps above. Therefor I used a testmail written into a file that looks like the this:

HELO test.local
MAIL FROM:test@local
RCPT TO:tom
DATA
Subject: testsubject
From: test@local
To: tom

Hello,
This is a Test
Goodbye
.
QUIT

By saving this text into a file, named testmail for example, it is possible to do a quick test of your mail system by executing

cat testmail | telnet localhost 25

which makes postfix receive the mail, send it through the configured chain and stores it in the appropriate user accounts inbox.

For further information see the following list of sites. These are the sources I used to create my how to:

http://www.howtoforge.com/linux_postfix_virtual_hosting
http://blogbound.com/etch-postfix-spamassassin-vps
http://postfix.wiki.xs4all.nl/index.php?title=Combine_With_Maildrop_Howto
http://www.howtoforge.com/perfect_setup_debian_etch_p5

To adapt the system to your needs you have to use two tools:

1. The group policy editor. To open it run gpedit.msc from the command line.

2. The Registry editor which may be started by executing regedit from the command line. If you get the message that you are not allowed to change registry keys you first have to use the Group Policy editor to set the value of "Prevent access to registry editing tools" under User Configuration -> Administrative Templates -> System to Disabled.

Most of the following changes can be done by using the Group Policy editor or the registry editor, choose your preferred method.

• No “Run…” entry in your start menu – I do not ask myself why this should be disabled but all you have to do is to open the registry and go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. There change the value of NoRun to 0. In the group policy editor you have to set "Remove Run menu from Start Menu" under User Configuration -> Administrative Templates -> Start Menu and Taskbar to Disabled.

• One of my favorite keyboard shortcut is Windows-Key + E to launch the Windows Explorer. I found out that it not work if the Control Panel is not shown in the Start Menu. To enable the shortcut go to User Configuration -> Administrative Templates -> Control Panel in the Group Policy editor and disable “Prohibit access to the Control Panel”

• To allow you to configure the Internet Explorer if you need it for testing web applications you can enable the Internet Options dialog under User Configuration -> Administrative Templates -> Windwos Components -> Internet Explorer -> Internet Control Panel

I am currently using MiniSafe Desktop which I purchased two years ago for 29 USD from Handango. I am satisfied with it but I will give KeePass a try because it looks like it has all the features of MiniSafe Desktop but comes for free. I had to reactivate it every time I switched my BlackBerry (which was three times in two years) and it took three days every time to get a new key.