7 December 2009 - 19:51
ProFTPD with mod_dnsbl as gentoo ebuild

Recently we realized that proftpd lacks several modules that are available but not included in the standard distribution. Therefore, we created an ebuild. As time was short today, we only included mod_dnsbl. In the near future, we will add more modules.

The ebuild is available on our SVN repository: http://dev.informations-compagnie.de/svn/gentoo/net-ftp/proftpd/proftpd-1.3.2b-r1.ebuild. Please have a look at our repository intro page for instructions on how to use the additional overlay.


12 February 2009 - 19:25
SFTP only and SSH only OpenSSH system with gentoo

Although there are many ways to work around the lack of security in ye olde FTP, there is a quite handy solution: use OpenSSH via SCP/SFTP to handle the file transfers.

There are many solutions which all try to restrict the access of some users. That's not what we are trying to do. In the end, we will have two running OpenSSH instances: one for ssh and the other for sftp/scp.

With Gentoo, this is quite easy to do, but this howto should be usable for other distros as well.

Here are the steps:

1. Get OpenSSH. (This should already have been done at install time.)

emerge openssh

2. Copy some files, make links

cp -R /etc/ssh /etc/ssh2
cp /etc/conf.d/sshd /etc/conf.d/sshd2
ln -s /etc/init.d/sshd /etc/init.d/sshd2
ln -s /usr/sbin/sshd /usr/sbin/sshd2

3a. SSH server

Now edit /etc/ssh/sshd_config and remove the «Subsystem sftp» line, so this instance offers no SFTP at all. Then decide how to keep the two instances apart: bind them to different IP addresses on the same port, to the same address on different ports, or both. :-) Either way, the options for this are:

Port <portnumber>
ListenAddress <ip-address>

3b. SFTP server

Now edit /etc/ssh2/sshd_config, keeping the Port and ListenAddress settings of the SSH server in mind so the two instances do not collide.

Subsystem       sftp    internal-sftp

# These lines must appear at the *end* of sshd_config
ChrootDirectory %h
ForceCommand internal-sftp

This forces every successful login to start the internal sftp server and chroots the session to the user's home directory.

Edit /etc/conf.d/sshd2

# /etc/conf.d/sshd: config file for /etc/init.d/sshd
# Where is your sshd_config file stored?
SSHD_CONFDIR="/etc/ssh2"

# Any random options you want to pass to sshd.
# See the sshd(8) manpage for more info.
SSHD_OPTS=""

# Pid file to use (needs to be absolute path).
SSHD_PIDFILE="/var/run/sshd2.pid"

# Path to the sshd binary (needs to be absolute path).
SSHD_BINARY="/usr/sbin/sshd2"

4. Add SFTP to the runlevels

rc-update add sshd2 default

5. Check permissions

Make sure that every directory on the path to each user's home directory is mode 0755 and owned by root:root; otherwise sshd refuses the chroot and the user won't be able to log in. Let's say your home directory is /home/users/domains/e/example.com/t/testuser. Then each element of that path must be 0755 root:root. As a consequence, the user cannot create or remove files directly in the home root itself. Create an incoming-files directory to get around this.
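As a check for this step, here is an added shell helper (not part of the original post) that walks every component of a user's home path and reports any element that is not owned by root or is group/other writable, which is what sshd requires before it chroots. The OWNER_UID and STOP_DIR arguments are my additions so the walk can be tried on a scratch directory tree by an unprivileged user; in production you pass only the home path.

```shell
#!/bin/sh
# Added example: verify the ChrootDirectory requirements from step 5, i.e.
# that every directory on the way to an SFTP user's home is owned by root
# (uid 0) and writable by nobody else (0755 root:root). Assumes a stat that
# understands -c (GNU coreutils or busybox, as on Gentoo).
#
# check_chroot_path HOME [OWNER_UID] [STOP_DIR]
#   OWNER_UID defaults to 0 (root). STOP_DIR defaults to / and is the first
#   ancestor that is no longer checked; both exist only for testing.
# Returns 0 if the whole path is acceptable, 1 if any element fails the
# owner or mode check, 2 if an element does not exist.
check_chroot_path() {
    dir=$1
    want_uid=${2:-0}
    stop=${3:-/}
    rc=0
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ]; do
        if ! uid=$(stat -c %u "$dir" 2>/dev/null); then
            echo "MISSING: $dir"
            return 2
        fi
        sym=$(stat -c %A "$dir")        # e.g. drwxr-xr-x
        if [ "$uid" != "$want_uid" ]; then
            echo "BAD owner uid=$uid (want uid $want_uid): $dir"
            rc=1
        fi
        # character 6 is the group write bit, character 9 the other write bit
        case $sym in
            ?????w*|????????w*)
                echo "BAD mode $sym (group/other writable): $dir"
                rc=1 ;;
        esac
        dir=$(dirname "$dir")
    done
    [ "$rc" -eq 0 ] && echo "OK: chroot path is acceptable"
    return $rc
}
```

Once the permissions are right, `sshd -t -f /etc/ssh2/sshd_config` checks the second instance's configuration before you restart it.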

6. EXTRA: DenyHosts just for SFTP

emerge denyhosts

Edit /etc/denyhosts.conf and adapt the options to your needs. There is just one thing you must change:

BLOCK_SERVICE  = sshd2

If you choose to run denyhosts as a daemon, I suggest adding it to the default runlevel as well. And, of course, start it.

rc-update add denyhosts default
/etc/init.d/denyhosts start

That's all, folks! :-)


15 January 2009 - 16:10
rebuilding Cyrus indexes

You might know the situation: something happened, and afterwards Cyrus logs error messages telling you that its databases have crashed. Your inbox is then shown as empty, although the filesystem still contains the correct files.

What happened?

Every Cyrus folder contains three files, «cyrus.cache», «cyrus.header» and «cyrus.index». They tell the mail client how many mails the folder contains and which flags are set on each mail; they are your per-folder message database. And that is exactly why Cyrus is so much faster than any other MDA: when a mail client connects, the server only looks into these databases to serve the necessary information, and a message is loaded only when you actually read it.
So if these databases get corrupted, you won't see anything but emptiness, although you might have several million messages physically stored in the folder.

Here are some example error messages:

Jan 12 15:02:32 host cyrus/imap[23319]: DBERROR: dbenv->open '/var/imap/db' failed: Permission denied
Jan 12 15:02:32 host cyrus/imap[23319]: DBERROR: init() on berkeley
Jan 12 15:02:32 host cyrus/imap[23319]: DBERROR: reading /var/imap/db/skipstamp, assuming the worst: Permission denied
Jan 12 15:02:32 host cyrus/imap[23319]: executed
Jan 12 15:02:32 host cyrus/imap[23319]: IOERROR: opening /var/imap/mailboxes.db: Permission denied
Jan 12 15:02:32 host cyrus/imap[23319]: DBERROR: opening /var/imap/mailboxes.db: cyrusdb error
Jan 12 15:02:32 host cyrus/imap[23319]: Fatal error: can't read mailboxes file
Jan 12 16:00:21 host cyrus/imaps[31010]: DBERROR db4: PANIC: fatal region error detected; run recovery
Jan 12 16:00:21 host cyrus/imaps[31010]: DBERROR: critical database situation
Jan 12 16:04:32 host cyrus/lmtpunix[31504]: DBERROR: opening /var/imap/deliver.db: Permission denied
Jan 12 16:04:32 host cyrus/lmtpunix[31504]: DBERROR: opening /var/imap/deliver.db: cyrusdb error
Jan 12 16:04:32 host cyrus/lmtpunix[31504]: FATAL: lmtpd: unable to init duplicate delivery database

Yes, this is exactly my problem! What's next?

We created a little script that runs through every user's mailbox and rebuilds the databases. The only problem is that after a successful rebuild every message is marked as unread. But that's a rather small problem, we think. :o)

Where can I get it from? I'm in a hurry!

We know you are. But before you download, please have a look at the readme, or at least at the file itself, to make sure the settings are correct. And don't forget to make a backup. We make no guarantees.

Download

Gentoo users can use our siczb portage overlay. Please have a look at this article to learn how to access the overlay.


9 January 2009 - 13:40
Request Tracker 3.8.2 on gentoo

We finally managed to release a package for the (currently) most recent version of Best Practical's Request Tracker (rt). We added it to our layman / portage overlay. See the following article for information on how to add it to your portage tree.

Additional Notes:

  • Several packages are masked at the moment. We do not know what they will do to your system.
  • The additional dev-perl/Encode is an rt dependency which will probably override some files originally owned by perl itself.
  • The USE flag "fastcgi" seems to be mandatory. In other words, rt won't compile if you don't set this flag.
  • As you might have realized by now, the whole thing is still under development, so please be very careful with your system. We make no guarantees.


9 January 2009 - 13:31
our own gentoo portage overlay

Gentoo has been, is and will be the distribution of our choice. But as with every love, nothing is perfect, and neither is Gentoo. We missed recent packages for Best Practical's Request Tracker, so we created our own layman overlay. That's something we had been thinking about for a long time, and now there was a good occasion to play around. Okay, here's what you should do in order to use the overlay:

  • edit your local layman overlay file (e.g. /usr/portage/local/layman/cache_65bd38402ac8431067b54904bd2ed2d1.xml)
  • add the following before the </layman> line:

<overlay
contact="direktion@informations-compagnie.de"
name="siczb"
src="http://dev.informations-compagnie.de/svn/gentoo"
status="unofficial"
type="svn">
<link>http://dev.informations-compagnie.de/svn/gentoo</link>
<description>
Additional packages by saechsische Informations-Compagnie zu Berlin
</description>
</overlay>

  • run a simple layman -a siczb to add our repo to your portage tree

As usual, we make no guarantees. So don't blame us if your box suddenly starts burning.


31 March 2008 - 9:12
gentoo and kde4

As the package information says, KDE4 is still masked. Those who cannot wait (like us) face a long and bumpy road. To ease things a little, we hacked together a small shell helper. Like this:

while [ "$(emerge kde-base/kde-meta:kde-4 -vp | grep -c "masked by:")" != "0" ]; do
    _THING=$(emerge kde-base/kde-meta:kde-4 -vp | grep -m1 "masked by:" | awk '{print $2}')
    echo "$_THING"
    echo "=$_THING" >> /etc/portage/package.keywords
    echo "=$_THING" >> /etc/portage/package.unmask
done

To be continued...

Somewhere, the compile process hangs on a package of kde-base-meta. We're giving kde4 up for the moment, as it disturbs the whole system. (Actually it forced us to remove qt3, which kde3 needs, for the kfilepicker for instance.) Seems like we really should wait for a stable gentoo version. Doh!


10 January 2008 - 12:51
ATI SB600 and gentoo

I managed to build a working kernel for ATI's SB600 chipset under gentoo 2007.0 hardened. I tried to use =sys-kernel/gentoo-sources-2.6.23-r3 but the bloody thing wouldn't boot. So I emerged =sys-kernel/vanilla-sources-2.6.24_rc7 and everything worked just fine.

Here I read that there are two problems with this chipset, one hardware-relevant (thank you, ATI) and a kernel-bug. The latter one has been fixed in 2.6.22-rc2. Nevertheless, =sys-kernel/gentoo-sources-2.6.23-r3 seemed not to work.

I attached my config.gz. Below, you'll find what lspci found.

00:00.0 Host bridge: ATI Technologies Inc Unknown device 7910
00:01.0 PCI bridge: ATI Technologies Inc Unknown device 7912
00:07.0 PCI bridge: ATI Technologies Inc Unknown device 7917
00:12.0 SATA controller: ATI Technologies Inc SB600 Non-Raid-5 SATA
00:13.0 USB Controller: ATI Technologies Inc SB600 USB (OHCI0)
00:13.1 USB Controller: ATI Technologies Inc SB600 USB (OHCI1)
00:13.2 USB Controller: ATI Technologies Inc SB600 USB (OHCI2)
00:13.3 USB Controller: ATI Technologies Inc SB600 USB (OHCI3)
00:13.4 USB Controller: ATI Technologies Inc SB600 USB (OHCI4)
00:13.5 USB Controller: ATI Technologies Inc SB600 USB Controller (EHCI)
00:14.0 SMBus: ATI Technologies Inc SB600 SMBus (rev 14)
00:14.1 IDE interface: ATI Technologies Inc SB600 IDE
00:14.3 ISA bridge: ATI Technologies Inc SB600 PCI to LPC Bridge
00:14.4 PCI bridge: ATI Technologies Inc SB600 PCI to PCI Bridge
00:18.0 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] HyperTransport Technology Configuration
00:18.1 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Address Map
00:18.2 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] DRAM Controller
00:18.3 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Miscellaneous Control
01:05.0 VGA compatible controller: ATI Technologies Inc Radeon X1200 Series
01:05.2 Audio device: ATI Technologies Inc Radeon X1200 Series Audio Controller
02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller (rev 01)
