Training SpamAssassin's Bayes filter with Proxmox Mail Gateway

One of the problems with bayes filters is that you need to train them on both ham and spam. As Proxmox Mail Gateway only uses the Bayes filter for messages that pass originally, there is no way to force it to learn spam - leaving a hole in how to train.

Here are the steps for adding that feedback loop for sa-learn.

1) On the PMG Server, create the following script as /root/bin/remote-commands, then chmod +x /root/bin/remote-commands to make it executable:

                sa-learn --spam
                sa-learn --ham
                echo "Invalid command?"

2) Create an SSH Key, put the private part on the end mail server, then add the public part to /root/.ssh/authorized_keys and force it to use the restricted command:

command="/root/bin/remote-commands" ssh-rsa root@mail

You can further restrict this to a set of IP addresses by using the from= command as documented.

3) On the mail server, add the following script to /root/bin/spam-reporter. This assumes a number of things. The mail directories on the target system are listed as /mail/username in Maildir format. The end user IMAP mail directory will be "Spam". You can change these as required for your install. This handles multiple message formats that Dovecot uses - plain, gz or bz2 compressed. It could also be expanded if needed.

MAILFILTER=<ip of PMG install>

for i in /mail/*/.Spam/cur/* /mail/*/.Spam/new/*; do
        if [ -f "$i" ]; then
                STATUS=`file "$i"`
                if [[ $STATUS == *"gzip"* ]]; then
                        gunzip -d -c "$i" > /tmp/tempmail.$$
                if [[ $STATUS == *"bzip2"* ]]; then
                        bzip2 -d -c "$i" > /tmp/tempmail.$$
                if [[ $STATUS == *"SMTP mail"* ]]; then
                        cp "$i" /tmp/tempmail.$$

                cat /tmp/tempmail.$$ | ssh root@$MAILFILTER report
                if [ $? != 0 ]; then
                        echo "Error running sa-learn. Aborting."
                        exit 1
                rm -f "$i"
                rm -f /tmp/tempmail.$$

4) If you're going to use SystemD's timer specs, create /etc/systemd/system/spam-reporter.service with the following:

Description=This service automatically reports spam.


Then the timer unit as /etc/systemd/system/spam-reporter.timer:

Description=This is the timer to check for spam and report it.



Then enable the timer with systemctl daemon-reload && systemctl enable spam-reporter.timer --now.

That's it! Now if your users throw mail in the Spam IMAP folder, it'll get fed back into PMG's bayes filter as spam.

New Guide - Changing fans in a CyberPower UPS

Just a quick update. I recently wrote a guide on how to replace dead fans in a CyberPower UPS. They use high speed (4000RPM+) fans in the factory, which you just can't easily get.

This guide shows you how to fool the UPS into thinking it has a high speed fan and still operate.

Be careful though, this is messing with mains voltage and reducing airflow - you might burn your house down.

Grandstream phones, APD-80 and 85638-01 cables

A number of months ago, I deployed a new SIP network using Grandstream GXP-1782 phones. For some of the folks that are always on the phone, we got a couple of Plantronics DECT headsets - which are specificially listed on the compatible headset list published by Grandstream.

The headset plugged into a APD-80 adapter cable. The Plantronics documentation states that a "85638-01 adapter" cable is required - although this is listed as an adapter to extend the APD-80 cable. When you look at the length of the APD-80 cable, this seems nuts - however the 85638-01 cable holds a secret.

Without the special 85638-01 cable, pickup and hangup of the phone was very unreliable. Lots of sites have this documented as a straight through cable - but it is not. The pins on this are actually reversed - ie:

End One

End Two









See example photo:


Using this cable, you should find that the hangup and pickup functions work correctly without spending $15 per cable.

Credits to Michael Schneider for discovering this

Migration from Wordpress to Nikola

A new year, a new blog engine.

While Wordpress is quite useful, its a heavy, hunking bit of software for those who just post occasionally and don't really need any dynamic content at all. This is where Nikola comes into play.

Nikola takes posts in reST, Jupyter Notebook, YAML, TOML, Markdown or HTML and runs them through the theming engine to get plain, static HTML.

The benefit of this is almost zero load on your web server - as there is no dynamic data to process. Especially good for cheap VPS packages from the many online providers.

So far, I'm impressed!

New page - converting PWM hubs to voltage controlled

New guide up - right here.

My Xen servers main board didn't have a second PWM controlled fan header to use with a PWM fan hub for the 3 case fans. Its a 4RU case - which has server grade 140mm fans that can draw up to 0.9A each and get up to around 3600 RPM.

So here's how I used an ATTiny85 to generate a PWM signal from the variable 'Speed Control' voltage on pin 2 of the SYS_FAN header.

Enabling BBR Congestion-Based Congestion Control on kernel-xen

With the release of kernel-xen version 4.9.40, I have enabled CONFIG_TCP_CONG_BBR. This adds support for using BBR to improve the throughput from your servers (mostly web servers) to your clients.

If you run my kernel-xen package on your Xen guests, you can also take advantage of this new feature.

To enable, ensure you are running kernel-xen version 4.9.40 or above, then create a file called /etc/sysctl.d/enable-bbr.conf containing:


You can activate this by typing: $ sysctl -p

The changes will automatically apply at the next system boot.

To read more about BBR and why it makes such a difference, head on over to acmqueue for a far more in-depth analysis than I could provide.

Turnbull handballs encryption problem to tech companies

In a speech in London overnight, Turnbull said companies should not be able to build end-to-end encryption tools that meant nobody - including courts and law enforcement - could access the content of communications.

If you're in the tech industry, and you know your local Liberal party member, point them to this and tell them to go fuck themselves. Regards, The Internet.

If you don't know who your local member is, search here: