Training SpamAssassin's Bayes filter with Proxmox Mail Gateway


One of the problems with Bayes filters is that you need to train them on both ham and spam. As Proxmox Mail Gateway only uses the Bayes filter for messages that pass originally, there is no way to force it to learn spam - leaving a hole in how to train it.

Here are the steps for adding that feedback loop for sa-learn.

1) On the PMG Server, create the following script as /root/bin/remote-commands, then chmod +x /root/bin/remote-commands to make it executable:

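#!/bin/sh
# Forced-command wrapper: sshd places the command the client asked for in
# SSH_ORIGINAL_COMMAND; only the two exact verbs below are honoured.
case "$SSH_ORIGINAL_COMMAND" in
        report)
                # Message arrives on stdin; learn it as spam.
                sa-learn --spam
                ;;
        revoke)
                # Message arrives on stdin; learn it as ham.
                sa-learn --ham
                ;;
        *)
                echo "Invalid command?"
                # Fail so the caller does not treat the message as learned.
                exit 1
                ;;
esac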

2) Create an SSH Key, put the private part on the end mail server, then add the public part to /root/.ssh/authorized_keys and force it to use the restricted command:

command="/root/bin/remote-commands" ssh-rsa AAAA....rest-of-key... root@mail

You can further restrict this key to a set of IP addresses by using the from= option as documented.

3) On the mail server, add the following script to /root/bin/spam-reporter. This assumes a number of things. The mail directories on the target system are listed as /mail/username in Maildir format. The end user IMAP mail directory will be "Spam". You can change these as required for your install. This handles multiple message formats that Dovecot uses - plain, gz or bz2 compressed. It could also be expanded if needed.

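#!/bin/bash
MAILFILTER="<ip of PMG install>"

# Private temp file from mktemp rather than a predictable /tmp name; removed on exit.
TMPMAIL=$(mktemp) || exit 1
trap 'rm -f "$TMPMAIL"' EXIT

for i in /mail/*/.Spam/cur/* /mail/*/.Spam/new/*; do
        if [ -f "$i" ]; then
                # Ask file(1) how Dovecot stored this message.
                STATUS=$(file -b "$i")
                if [[ $STATUS == *"gzip"* ]]; then
                        gunzip -d -c "$i" > "$TMPMAIL"
                elif [[ $STATUS == *"bzip2"* ]]; then
                        bzip2 -d -c "$i" > "$TMPMAIL"
                elif [[ $STATUS == *"SMTP mail"* ]]; then
                        cp "$i" "$TMPMAIL"
                else
                        # Unrecognised format: leave the message in place and move on.
                        echo "Skipping $i: $STATUS"
                        continue
                fi

                # Send the message to the forced command on PMG as "report".
                ssh "root@$MAILFILTER" report < "$TMPMAIL"
                if [ $? != 0 ]; then
                        echo "Error running sa-learn. Aborting."
                        exit 1
                fi
                rm -f "$i"
        fi
done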

4) If you're going to use systemd timer units, create /etc/systemd/system/spam-reporter.service with the following:

[Unit]
Description=This service automatically reports spam.

[Service]
Type=oneshot
ExecStart=/root/bin/spam-reporter

Then the timer unit as /etc/systemd/system/spam-reporter.timer:

[Unit]
Description=This is the timer to check for spam and report it.

[Timer]
OnCalendar=*:0/5
Persistent=true

[Install]
WantedBy=timers.target

Then enable the timer with systemctl daemon-reload && systemctl enable spam-reporter.timer --now.

That's it! Now if your users throw mail in the Spam IMAP folder, it'll get fed back into PMG's Bayes filter as spam.
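
An added example, not part of the original post: a small audit for the authorized_keys entry from step 2. It checks that the key is pinned to /root/bin/remote-commands and reports whether from= and OpenSSH's restrict option (which turns off forwarding and PTY allocation, and is not used in the post) are present. The sample lines and key material are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: audit authorized_keys lines
# for the key that drives the sa-learn feedback loop.
WRAPPER=/root/bin/remote-commands   # forced command from step 1

# Print the options field (text before the key type); empty if none.
key_options() {
    printf '%s\n' "$1" |
        sed -n -E 's/^(.*[^ ]) +(ssh-rsa|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+) +AAAA.*$/\1/p'
}

# Print "ok", or "missing:" followed by each absent restriction.
audit_key_line() {
    opts=",$(key_options "$1"),"
    missing=""
    # The key must be pinned to the exact wrapper path, not just any command=.
    case "$opts" in *",command=\"$WRAPPER\","*) ;; *) missing="$missing command=" ;; esac
    # from= limits which source addresses may use the key.
    case "$opts" in *",from=\""*) ;; *) missing="$missing from=" ;; esac
    # restrict is an assumption of this example (OpenSSH option, not in the post).
    case "$opts" in *",restrict,"*) ;; *) missing="$missing restrict" ;; esac
    if [ -z "$missing" ]; then echo "ok"; else echo "missing:$missing"; fi
}

# Constructed sample entries (key material is a placeholder, not a real key).
PAGE_LINE='command="/root/bin/remote-commands" ssh-rsa AAAAconstructed root@mail'
HARDENED='restrict,from="192.0.2.10",command="/root/bin/remote-commands" ssh-rsa AAAAconstructed root@mail'
BARE='ssh-rsa AAAAconstructed root@mail'

for line in "$PAGE_LINE" "$HARDENED" "$BARE"; do
    printf '%s -> %s\n' "$(audit_key_line "$line")" "$line"
done
```

Run it against each line of /root/.ssh/authorized_keys on the PMG server; a key with no command= option gives whoever holds the private half a full root shell.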

New Guide - Changing fans in a CyberPower UPS


Just a quick update. I recently wrote a guide on how to replace dead fans in a CyberPower UPS. They use high speed (4000RPM+) fans in the factory, which you just can't easily get.

This guide shows you how to fool the UPS into thinking it has a high speed fan and still operate.

Be careful though, this is messing with mains voltage and reducing airflow - you might burn your house down.

Grandstream phones, APD-80 and 85638-01 cables


A number of months ago, I deployed a new SIP network using Grandstream GXP-1782 phones. For some of the folks that are always on the phone, we got a couple of Plantronics DECT headsets - which are specifically listed on the compatible headset list published by Grandstream.

The headset plugged into an APD-80 adapter cable. The Plantronics documentation states that a "85638-01 adapter" cable is required - although this is listed as an adapter to extend the APD-80 cable. When you look at the length of the APD-80 cable, this seems nuts - however the 85638-01 cable holds a secret.

Without the special 85638-01 cable, pickup and hangup of the phone was very unreliable. Lots of sites have this documented as a straight through cable - but it is not. The pins on this are actually reversed - i.e.:

End One    End Two
1          4
2          3
3          2
4          1

See example photo:

/images/85638-01/cable.jpg

Using this cable, you should find that the hangup and pickup functions work correctly without spending $15 per cable.

Credits to Michael Schneider for discovering this

Migration from Wordpress to Nikola


A new year, a new blog engine.

While Wordpress is quite useful, it's a heavy, hunking bit of software for those who just post occasionally and don't really need any dynamic content at all. This is where Nikola comes into play.

Nikola takes posts in reST, Jupyter Notebook, YAML, TOML, Markdown or HTML and runs them through the theming engine to get plain, static HTML.

The benefit of this is almost zero load on your web server - as there is no dynamic data to process. Especially good for cheap VPS packages from the many online providers.

So far, I'm impressed!

New page - converting PWM hubs to voltage controlled


New guide up - right here.

My Xen server's main board didn't have a second PWM controlled fan header to use with a PWM fan hub for the 3 case fans. It's a 4RU case - which has server grade 140mm fans that can draw up to 0.9A each and get up to around 3600 RPM.

So here's how I used an ATTiny85 to generate a PWM signal from the variable 'Speed Control' voltage on pin 2 of the SYS_FAN header.

Enabling BBR Congestion-Based Congestion Control on kernel-xen


With the release of kernel-xen version 4.9.40, I have enabled CONFIG_TCP_CONG_BBR. This adds support for using BBR to improve the throughput from your servers (mostly web servers) to your clients.

If you run my kernel-xen package on your Xen guests, you can also take advantage of this new feature.

To enable, ensure you are running kernel-xen version 4.9.40 or above, then create a file called /etc/sysctl.d/enable-bbr.conf containing:

net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

You can activate this by typing: $ sysctl -p /etc/sysctl.d/enable-bbr.conf

The changes will automatically apply at the next system boot.

To read more about BBR and why it makes such a difference, head on over to acmqueue for a far more in-depth analysis than I could provide.

Turnbull handballs encryption problem to tech companies


In a speech in London overnight, Turnbull said companies should not be able to build end-to-end encryption tools that meant nobody - including courts and law enforcement - could access the content of communications.

If you're in the tech industry, and you know your local Liberal party member, point them to this and tell them to go fuck themselves. Regards, The Internet.

If you don't know who your local member is, search here: http://www.aph.gov.au/Senators_and_Members/Members