After a long hiatus, I’ve updated courierpasswd, my checkpassword-like utility with hooks into the Courier authentication library. Courierpasswd now logs the IP address of hosts when they attempt to authenticate. My motivation for adding this feature was to track remote hosts trying to authenticate against my SMTP server. This version also adds sha256 as a valid CRAM type since sha256 is supported by the Courier authentication library. You can find more details in the Changlog file. Follow this link to download the tarball.
This is just a minor update. I’ve upgraded OpenVPN to version 2.3.3 and started using the verify-x509-name configuration directive on my Windows and Mac clients. Find the updated document here.
Major update of my DNS & DHCP Setup document. Not only am I using current versions of BIND and ISC DHCP, but I’m doing a couple of new things with DNS. I’ve set up classless in-addr.arpa delegation for part of my network and I have a local RBL zone that my mail server uses to reject certain incoming SMTP connections. I’ve got a more thorough explanation of how dynamic DNS updates are working on my network, too. Follow this link to find the new document.
If anyone would like to translate this version of the document into Spanish, drop me a line on the Comment page.
I’ve added an addition to The Arda Network, a shiny new pfSense based firewall that I’ve plugged in between my ISP’s modem and my wireless router. I’ve updated my network overview document to reflect this change. The firewall should give me a lot more visibility into what is moving in and out of my network. I look forward to exploring what it can do. Find the updated doc here.
After a very long hiatus, a new setup document appears on The Arda Network. This one describes how I set up OpenVPN to provide a secure connection to my home network when I’m on the road. It describes not only the VPN server, but my Windows and Mac clients as well. Follow this link to find it.
My network overview page is severely out of date so I’ve written a new one that reflects the current state of The Arda Network. You can find it here. The old network overview page is still available here. My existing Setup docs will continue to point to the old overview. Any new setup docs will point to the new page. Hopefully having posted the new network overview page will inspire me to write some new Setup docs.
In my qmail config, I use rblsmtpd with two RBLs to filter incoming SMTP connections. One is the Zen RBL from Spamhaus. The second is a local RBL that blocks all SMTP connections from a particular country. Admittedly, blocking all SMTP traffic from an entire country isn’t very practical for anyone hosting email service for a community of users. One of the advantages of running my own email server, however, is that I don’t have to ask anybody’s permission to block whatever I want.
But I don’t want this post to be about the advisability of blocking email from entire countries. I want to talk about making my email server as efficient as possible.
When I first started using RBLs with qmail, I was only using the Zen RBL. Only later did I start using the country based blocklist. Not surprisingly, Zen appeared first in qmail’s call to rblsmtpd. Here is a snippet from my qmail-smtpd startup script that invokes rblsmtpd.
/usr/local/bin/rblsmtpd -b -r zen.spamhaus.org -r country.blocklist
The ordering of the blocklists is important because Zen is a remote blocklist while the country-based RBL is served by my DNS server on my local network. Queries to my local RBL list will be much quicker than queries to Zen and so it benefits me if I can filter out as many incoming SMTP connections as possible using the RBL with the quickest response time. It also benefits Spamhaus and the internet in general if I can eliminate unnecessary network traffic and remote DNS queries.
Here is the same snippet after I changed the order of the RBLs.
/usr/local/bin/rblsmtpd -b -r country.blocklist -r zen.spamhaus.org
To illustrate my point, here is a week’s worth of statistics showing incoming SMTP connections blocked by rblsmtpd before I changed the order of my blocklists.
And here is another week’s worth of statistics after I made the change.
As you can see, the proportion of connections rejected by each blocklist has completely reversed showing that most of the connections caught by Zen were coming out of the country covered by the country-based RBL. The numbers were taken from my qmail logs for the same days of the month exactly one month apart. In case anyone is wondering, the daily number of connections rejected by rblsmtpd was increasing even before I reversed the order of the RBLs.
Using dig to query the two blocklists, I found that queries to the country-based RBL returned results in 0 to 2 milliseconds. Queries to the Zen RBL, on the other hand, took anywhere between 30 and 120 milliseconds. That represents over an order of magnitude difference in processing time.
Still, the difference isn’t all that significant for my system given how few SMTP connections it has to process on any given day. But part of running my own email and DNS servers is finding ways to make them run as efficiently as possible and properly ordering my RBLs is a big step towards that goal. On the other hand, anyone running even a moderately busy email server would benefit substantially by calling their locally served RBLs first when using a program like rblsmtpd.
As you might have noticed, I’ve finally brought The Arda Network website into the 21st century. I figured it was time to toss my old static html pages and start using a modern content management system. Why did I choose WordPress? Because I found it to have the shallowest learning curve of the CMSs I looked at and I want to focus on the content of my site rather than the building of the site itself. Having said that, I do expect I’ll be exploring how I can customize WordPress in order to fancy up Arda here and there.
So far, you’ll just find the same old content from the old site. The Arda Network hasn’t been idle, however, and I plan to post new HowTo docs as I find time to write them.
Henry Izurieta has been kind enough to translate my DNS & DHCP document into Spanish. Find the doc here.
I’ve started using SpamAssassin’s Razor2 plugin and so I’ve added the steps I used to configure Vipul’s Razor on my server. You will find the updated doc here.