Random notes from installing postfixadmin 2.3 deb

Server: Debian Lenny

Installed .deb from here

# wget http://sourceforge.net/projects/postfixadmin/files/postfixadmin/postfixadmin_2.3_all.deb/download
# dpkg -i postfixadmin_2.3_all.deb
... dpkg moans about missing dependencies
Selecting previously deselected package postfixadmin.(Reading database ... 38632 files and directories currently installed.)Unpacking postfixadmin (from postfixadmin_2.3_all.deb) ...dpkg: dependency problems prevent configuration of postfixadmin: postfixadmin depends on dbconfig-common; however:  Package dbconfig-common is not installed. postfixadmin depends on wwwconfig-common; however:  Package wwwconfig-common is not installed. postfixadmin depends on php5-imap; however:  Package php5-imap is not installed.dpkg: error processing postfixadmin (--install): dependency problems - leaving unconfiguredErrors were encountered while processing: postfixadmin
# apt-get -f install
(dependencies now get installed...)

…. Goes into the Postfixadmin .deb installer thing.

  • Tell it to use Apache2 (in my case) as the webserver,
  • Give it the ‘root’ user’s database password (if MySQL).
  • Tell it to generate a password for the postfixadmin user…
  • Tell it to use the package maintainers version of /etc/postfixadmin/config.inc.php (well I did).

I think something went wrong for me – as I needed to do this afterwards; perhaps you’ll have better luck.

# mv /etc/postfixadmin/config.inc.php.ucf-dist /etc/postfixadmin/config.inc.php

Next, goto http://yourserver/postfixadmin/setup.php – you should see lots of text saying how it’s updating the database to version xyz, xyz+1 etc.

Choose a password to protect the setup.php page; press submit, and you’ll be presented with a ‘hash’ – copy and paste this into the config.inc.php file – so you get something like this on line 32 :

$CONF[‘setup_password’] = ‘my long hash thingy goes in here’;

Next, create a super admin account, using the setup.php page – remembering to type in the setup password you used to create the hash above.

That’s it.

(Well, now you need to configure Postfix and/or courier and/or dovecot etc etc)

You might want to read my other article which covers this…

Twitter Weekly Updates for 2010-02-21

  • pondering a long run tomorrow – http://favoriterun.com/302054 – 19.3 miles. Hope the weather's ok. #
  • UK Drivers – when on the motorway, if there is adequate space on your left, pull over and let those behind through. #fsckingBMWidiotontheM6 #
  • All stop. M42….. #
  • Only 8 hours in the car today. 'should' have been closer to 4 hours. #couldhavecycledtherequicker #
  • Uh oh. Snow! Cold fluffy snow. We can't go over it, we can't go under it. We've got to go through it. #
  • I've noticed that when I turn the car off, the traffic starts to move again. Git driving past in the field. *jealous*. 2 miles in 2 hours 🙁 #
  • Hmm slow slow slow #
  • Engine off. Handbrake on. Stupid m1. #
  • Spice valley, bromsgrove – nice food, shame about the lack of baby / toddler facilities. One of the better local curry houses at least. #
  • Silly cron, you really shouldn't run cron.d files which are chmod'ed 000. Oh well one mystery solved at least. #debian #bug #lenny #
  • .@Bendihossan nah. I'm cheap, dirty and run an interpreted language like php. Nat evolution not intelligent design ftw 🙂 I'd silently fail in reply to Bendihossan #
  • Soon I shall be 11111. Go me! (overflow error next year, or hardware upgrade?) #
  • It's cold. Specks of snow falling. But I Think it's not going to be a White birthday tomorrow … Boo #
  • "…. then bake mysterious things" #cake #ftw #
  • Garage: "We can't work on your car until it's been valeted", they did drill a hole in the boot (bye water) and give it two new tires… #
  • Guess I'd better give this sleep thing another try. In other news, the car interior might dry up after tomorrow (yey!) #
  • spent the morning debugging Python, stupid variable casting requirement…. #

Twitter Weekly Updates for 2010-02-14

  • Hmm tesco sell semi invisible diesel too. Needle didn't move after refuel, stopped to put more in and then it caught up. Stupid car. #
  • Random diesel prices : independent 111.9p/l, sainsburys 113.9p/l, tesco 115.9p/l. Tescos were the only one open at 7am on Sunday. :-/ #
  • Hmm weather advisory for heavy snow on my birthday (17th). Convienant. #birthdaysledgingwouldbenice #
  • I'm wondering how I managed to hurt my ankle while asleep. It feels like it's almost sprained. Hop-along-David today :-/ #
  • Distinctly unimpressed brain – I shouldn't wake up at 1am thinking it's 5am and I've slept well. Now to try the sleep thing again….. #
  • Dentists enjoy making you wait. Do they overbook Deliberately? #
  • Today I did a total of 124 pushups thanks to the Hundred Pushups iPhone app. (Week 4, Day 2, Level 3) #100Pushups #
  • RT @glynmoody rupertg Chip and Pin bank card security cracked – http://bit.ly/9cVqqk #
  • I'm in awe of my competitors … http://www.birdandcocreative.co.uk/php-shorthand-if-and-else-assignments/ #php #fail #
  • Facebook chat over xmpp was easy to do. Thanks fb. #
  • Today I did a total of 152 situps thanks to the 200 Situps iPhone app. (Week 3, Day 2, Level 3) #200Situps #
  • RT @JohnPinner @europython EuroPython 2010 Registration & Talk Submissions open at http://europython.eu – Extra Early Bird rate for one week #
  • Well day 11316 has gone ok… Not long till day 11323. But what do I want? #
  • Today I did a total of 120 pushups thanks to the Hundred Pushups iPhone app. (Week 4, Day 1, Level 3) #100Pushups #
  • http://petitions.number10.gov.uk/Infant-formula/ #
  • A rabbit with a pancake hat…. http://www.myconfinedspace.com/2010/02/09/rabbit-with-a-pancake-on-its-head/ #
  • Time to find a star bucks with free wifi or something to tide me over to #phpwm At least I can drink tonight 🙂 #
  • Bus hat ftw. http://twitpic.com/12777q #
  • Meet or Die http://bit.ly/dbOocr clearly the authors were not against meetings or anything… 😉 #
  • RT @birminghampost rail delays between Birmingham and London http://tinyurl.com/y8s7dhf <- Is it just me that gets screwed by trains ? #
  • Today I did a total of 120 situps thanks to the 200 Situps iPhone app. (Week 3, Day 1, Level 3) #200Situps #
  • Trying to never eat 'lamb' curry dishes again …. mutton dressed as lamb. Spices of catshill – I'm looking at you.. Distinctly unimpressed #
  • Got the 3d glasses… Avatar had better be good #
  • 42 is the meaning of life…. and the number of pressups shall be 42. #100pressups #
  • Last night we swapped bed sides (perhaps just to f-ck with @rowangoodwin). I slept poorly. Who'd have thought which side mattered? #
  • Another week. Another brick in the wall. Two leads on php contractor front (neither agency related) *yey* #

Starbucks – Free wifi should not cost £5

Today, I went to London to visit a prospect customer – who we’ve done work for before – oddly the people I spoke to had no knowledge of the work we did (they paid for it all about 18-24 months ago… but nevermind), and it doesn’t appear to have been deployed either (“We heard someone talking about this X months ago; but thought it was just a suggestion / didn’t think work had been done”) … so I’ve probably thrown a spanner into their idea of migrating from ExponentCMS to something else (E.g. Drupal).

Anyway, I got back to Birmingham at about 17:00ish, at which point there wasn’t a lot of point in me sitting on the bus for an hour or more, only to arrive in Bromsgrove, and then drive back to Birmingham to do the phpwm meeting tonight…

So, while walking up New Street, I spot Starbucks with it’s “Free WIFI” advert in the window. Cool. Drink + Wifi = Win. Or not. I had to spend £5 to buy a ‘starbucks reward card’ – then use my iPhone to find out how to register (which wifi ssid etc) – and the starbucks.co.uk site didn’t make it obvious to find either.

So, suffice to say, now I am connected – and all traffic is being tunnelled out via

ssh -D 9999 david@my.server

<expletive begins-with=’f’ ends-with=’wits’/>

Twitter Weekly Updates for 2010-02-07

  • Wondering where to run to tomorrow. #
  • Rowan now has a facebook account to go with his Twitter @rowangoodwin and blog … (rowangoodwin.co.uk, Facebook.com/rowan.Goodwin) #
  • Haha msnbot it appears you are enjoying indexing a customers server a bit much. Have you heard of being 'nice' ? #
  • Today I did a total of 132 pushups thanks to the Hundred Pushups iPhone app. (Week 4, Day 3, Level 3) #100Pushups #
  • Rowan is still asleep. Lie in ftw. #
  • RT @loudmouthman What Woman will not tell you about pregancy is great breakfast reading http://bit.ly/caqaJL #
  • RT @jzy: @codinghorror you should try "Outside" sometimes. http://bit.ly/dsbcos – looks like a great game…. Cost? Hardware/platform? #
  • If only this developer knew database design. Adding (a) new table(s) for an additional dataset is just WRONG! #uneducated #heathen #
  • Today I did a total of 119 pushups thanks to the Hundred Pushups iPhone app. (Week 4, Day 2, Level 3) #100Pushups #
  • More sleep plz? Kthxzzzz #
  • Hmm aroundme's augmented reality looks cool; @moobert might kill me if i ask him to do it on the food hygiene iPhone app we're planning tho #
  • Don't you just hate it when you save data to a backend, only for it to silently vanish. (Apc + zend_cache. Perhaps apc needs more memory?) #
  • I am now 200 grams heavier. #chocolate #
  • Why do I need to FAX docs to apple to develop on the iPhone. FFS. What's wrong with email ? #fail #not1980sanylonger #
  • Today I did a total of 121 situps thanks to the 200 Situps iPhone app. (Week 2, Day 3, Level 3) #200Situps #
  • Interviewing possible php contractor this morning. I hope he's good – i've got work stacking up. #
  • *ding dong* "Time to wake up chuggers!" #
  • .RT @metofficeWMids ADVISORY of Heavy Snow for West Midlands valid from 0349 – 2359 Wed 03 Feb http://bit.ly/bBNkz0 #
  • RT @scottmac: Announcing HipHop for PHP – http://developers.facebook.com/news.php?blog=1&story=358 #
  • RT @grifferz Impregnation via the proximal gastrointestinal tract in a patient with an aplastic distal vagina: http://is.gd/7wvbe (via @jwz) #
  • Today I did a total of 102 pushups thanks to the Hundred Pushups iPhone app. (Week 4, Day 1, Level 3) #100Pushups #
  • Sleep little toddler. Sleep. #
  • Cold cold. Brrr. Snow melted tho 🙁 #
  • Well that was a crash course into learning mailscanner with exim on rhel. What next dear customers ? #
  • Hmm 144 bus turns up an hour and a half late. Chances of getting to Birmingham before 1030 – near zero. #
  • Bromsgrove looks a bit clogged up this morning. Stupid snow. Wondering if I'm going to make
    the train now. #
  • Today I did a total of 108 situps thanks to the 200 Situps iPhone app. (Week 2, Day 2, Level 3) #200Situps #

Still looking for a PHP contractor….

At work I’m still looking for a short term PHP contractor. Perhaps I’m being unrealistic in my expectations/requirements (rate/location/duration/skills etc), but nevertheless…. As I’ve not found anyone via normal channels (twitter/phpwm user group etc) I thought I’d turn to a random recruitment agency (who I’d spoken to a week or so ago).

Yesterday I interviewed one guy – who’d been a programmer for a number of years (10+) – using Visual Foxpro (whatever that is) – presumably it’s a dead language, as he wants to move across into PHP. He has very basic PHP experience (yet claims 2 years on his CV), figured out how to do FizzBuzz and Recursion without too much help – but didn’t know anything about object orientation, separation of concerns (specifically MVC), security (obvious SQL injection) or unit testing and failed to make any comment on what is almost the worst code I could find to present to him. This isn’t necessarily a problem – I would normally be happy to train someone – however, not when I’m paying him £25/hour and I’d be lucky if he was productive within a week. (Hint: students are better than this when they’ve only been in University for two years).

Today, I therefore continued hunting, with mixed success. I had three more CVs – all asking for more money, and one looked quite good – but had a requirement he worked remotely after the first few days (well he does live in Telford). Another, who is local, I’m interviewing tomorrow. Wanting to do some homework on him, I had a look at a couple of websites mentioned in his doctored CV  – the first is clearly .Net from the error message it throws when you pass a > into it’s search box – so either they replaced his PHP site quickly or his CV is misleading. The second has a PHP error on it – and is only (effectively) a themed wordpress site which looks like it’s slowly rotting. From these I found out his address (hint: whois $flamingodomain) and an invalid email address/domain (which archive.org seems to not do much with). Typing in his name into Google / LinkedIn, Facebook etc produces no obvious matches. So I know hardly anything about him, and for all intent he may as well not exist. Great sales job there.

From talking to the recruiters it seems it’s difficult to find decent PHP programmers – and anyone who may be decent will almost certainly not be programming PHP as their primary language (i.e. they’ll be doing web development in Java/.Net, and know PHP quite well). This seems a shame, but really only confirms what I already knew from interacting with others in the community. I’ve known for ages that I’ve effectively taken a large pay cut by running my own company, and doing PHP. It sucks that this continues to be the case. Clearly I’m a martyr or something.

So, if you happen to be a contractor looking for work, please make an effort. I’m not overly impressed so far, and may just end up stalling customers for another week/month instead.

(Oddly I wrote this post, posted it, and it vanished. What are you up to wordpress? Why do you want me to retype things in twice?)

Can you write a web app, like Ebay, for me?

Today I had a phone call which went along the lines of ….

Prospect: Do you develop web applications?
Me: Yes… <cue sales pitch>
Prospect: I’ve got a great idea, it’s like eBay…. I need a programmer….
Me: <thinking: oh not another….>
Prospect: I think it’s about 2 developer months worth of work….
Me: Well, we’d need to see your requirements spec to determine that.
Prospect: Would you be willing to do the work for free in return for a stake in the resultant venture? How much would it cost?
Me: Well, I’ve not seen any sort of requirements specification; I’ve no idea what’s involved….. Just how long is a piece of string?

I don’t quite understand why people think they’ll be able to create an eBay/Amazon/Google/whatever killer/competitor with minimal funding, a couple of months development and also persuade me to do the work for free on the outside chance they’re successful (that’s like a <5% chance). I might consider reducing the price of the development in return for a share in any resultant company – but I’m sure as not going to commit to anything before I’ve seen any sort of business plan.

Perhaps tomorrow I’ll get someone wanting a site “like Facebook” costing a few thousand pounds… ‘cos we do PHP just like them… and it can’t be hard can it?

Rate limiting http traffic (mod_evasive and iptables)

A customer has a relatively busy web site, which contains lots of juicy information (business names, addresses, email address, phone numbers etc etc). Currently there is nothing in place to stop people spidering it – unless someone explicitly looks at the log files and does something.

Blocking annoying people who spider the site is easy enough –

iptables -I INPUT -s 80.x.x.x -j REJECT

However, I’d obviously rather automate this if possible – and ideally without having to change the PHP code (as each request would need perform some sort of DB lookup it’s part of a spidering attempt)

So, my first idea was to manipulate an existing rule I have to limit SSH connection attempts, giving something like :

iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 40 -j LOG --log-prefix "http spidering?" --log-ip-options --log-tcp-options --log-tcp-sequence --log-level 4

Annoyingly however, even though these are the first rules in the iptables output – and they should therefore work, they don’t – i.e. I’m not seeing anything being logged, when doing e.g. the following on a remote server :

while [ true ] ; do
wget -q -O - http://server.xyz/index.php

So, I’m still trying to avoid making changes to the code base – although doing so would produce the best user experience (namely we could display a captcha or something and if someone really can browse that quickly they’d not encounter any problems).

And as I’ve just found mod_evasive which claims to provide DoS and DDoS protection. Thankfully Jason Litka has packaged it – so I have no problems from an installation point of view 🙂 (yum install mod_evasive)

Installation on Debian doesn’t result in a config file – but it’s not difficult to create (see /usr/share/doc/mod_evasive). However, it’s not a shiney, sunny ending – mod_evasive appears to be “tripped” by people requesting images – and in my case the client has about 10-20 images per page; so it’s difficult to differentiate between a normal user loading a page or someone running httrack on the website and only requesting the “php page”. If only mod_evasive took a regexp to ignore/match… and I can’t seem to find anyway of fixing this.

So application logic it is :-/ Perhaps caching in APC may be the way forward ….

Twitter Weekly Updates for 2010-01-31

  • RT @glynmoody Facebook rewrites PHP runtime – http://bit.ly/ahwWiq to be released as open source #facebook #php #
  • Poop. Spoke too soon. Snow tap being turned off. F'ing weather god. Curse you. #
  • Decent snow. 4/10 perhaps. B61 #uksnow … Just keep up for an hour or two and perhaps i can sledge/snow fight. #
  • Looks like we had a token amount of snow last night. Looks cold too :-/ 14 miles here I run. Still, cybrosis ppdcast episode to listen to:) #
  • Our car has depreciated £1000 for every year (7) we've owned it. Perhaps it'll soon put on value when as it turns into a mobile pool? #
  • Today I did a total of 105 pushups thanks to the Hundred Pushups iPhone app. (Week 3, Day 3, Level 3) #100Pushups #
  • RT @stuherbert PHP 5.3 adoption: some numbers and talking points http://bit.ly/djJRos (please RT) #
  • Dogs have a very inefficient protocol for communication. Guessing lots of packet loss as they've been retransmitting for ages now. Woof woof #
  • The last apple in the shop should be avoided; keys are always in the last pocket you check. #lessonoftheday #
  • Today I did a total of 97 situps thanks to the 200 Situps iPhone app. (Week 2, Day 1, Level 3) #200Situps #
  • Twitterific appears to have won. Goodbye tweetdeck. #
  • Nice Run – roads (a38 etc) were almost empty, shame I'd have to get up at 5am to experience it more often :-/ #
  • 100 pushup thing is now hard; couldn't do last rep without two stops :-/ #100pushups weak puny arms get bigger! #
  • Today I did a total of 100 pushups thanks to the Hundred Pushups iPhone app. (Week 3, Day 2, Level 3) #100Pushups #
  • Today I did a total of 92 situps thanks to the 200 Situps iPhone app. (Week 1, Day 3, Level 3) #200Situps #
  • is giving tweetdeck a whirl… as a change from twitterific #
  • Shocked to receive apple MacBook he ordered online yesterday afternoon this morning. Win! #
  • Today I did a total of 80 pushups thanks to the Hundred Pushups iPhone app. (Week 3, Day 1, Level 3) #100Pushups #
  • Worringly I seem to like coffee (with chocolate biscuits) I wish there was no junk food in this house. I'd best help 'dispose' of it….. #
  • Today I did a total of 88 situps thanks to the 200 Situps iPhone app. (Week 1, Day 2, Level 3) #200Situps #

Verified by Visa …. what rubbish

On Wednesday I was trying to buy train tickets for an upcoming trip to London.

So, I book the tickets, and get to point of being asked for my card details … tap tap tap … kapow … Up comes the Verified by Visa payment screen (in a stupid iframe [how do I know this isn’t a phishing site?]). Well, it displays my ‘username’ correctly – a terrificly hard to guess one of MRDAVIDGOODWIN… I enter my details and it keeps decling them. Hmm.. Fine… perhaps I’ve incorrectly stored the password – “oooh look – reset password…” *click* – “You want me to enter my date of birth… is that the ONLY security check you’re going to do? WTF??? ”

Grr.. Why do they bother….

See also http://www.lightbluetouchpaper.org/2010/01/26/how-online-card-security-fails/