Saturday, June 11, 2011

Time machine and crontab

Time Machine backups in OS X are nice, especially since you can restore your full system from them. What is not so nice is that they run all the time and transfer a huge amount of files, so you don't want them to run very often.

Recognize the problem? Add it to crontab instead! Just edit your crontab (crontab -e) and add something like this:

25 3-7 * * * /System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper &

This means that backupd-helper will run at 25 minutes past every hour from 03 to 07 (3-7 AM) every day. backupd-helper is the same thing that runs if you press "Back Up Now" in the Time Machine preferences.

Oh, in the Time Machine prefs, set it to NOT run (since the point is to run it from crontab). And no, backups will not be taken if your computer is asleep (since cron would be asleep as well).



Thursday, April 28, 2011

Use a specific proxy connection with Chrome Web Browser in OSX

I travel a little bit now and then, so I use a few different wireless or fixed networks that I'm a guest at. I tend to use Firefox a lot, and I have set FF to always browse via my proxy server at home (tinyproxy). The handy thing with FF is that the proxy setting is only for FF, and that is a feature I've been missing in Chrome, which I tend to use more often these days.

In OSX there is a setting to use a proxy in System Preferences, but that setting will be applied to all programs (except FF in my case), which is not what I want. So today I googled whether there were any new add-ons for Chrome that could do that, and lo and behold, here is the solution (but not from an add-on...)

Type the following in a Terminal.app (or iTerm2, which is awesome)

open -a /Applications/Google\ Chrome.app --args --proxy-server=proxy.home.over.vpn:8888
I saved that string as an alias in .bashrc for reuse.

Taken from http://hints.macworld.com/article.php?story=20100213001826236

Wednesday, March 16, 2011

Exim4, dovecot with sqlite authentication

As I am moving away from courier to dovecot I also wanted to move away from the old courierauth DB and use something newer and slicker: sqlite3. Having all my SMTP and IMAP users in sqlite3 is nice, since they don't need to have an actual system user.

Creating the sqlite3 db is easy, just "sqlite3 /etc/dovecot/authdb.sqlite". I used the SQL query from the dovecot page:


CREATE TABLE users (
userid VARCHAR(128) NOT NULL,
domain VARCHAR(128) NOT NULL,
password VARCHAR(64) NOT NULL,
home VARCHAR(255) NOT NULL,
uid INTEGER NOT NULL,
gid INTEGER NOT NULL
);

The next step was to edit the /etc/dovecot/dovecot.conf and /etc/dovecot/dovecot-sql.conf. I just created the entries in the sqlite db manually (my courierdb is small)

insert into users values ('jolt', 'mekk.com','oldcryptedpw', '/home/courier/jolt','104','105');

where all of the values are directly from the /etc/courier/userdb.

Now the fun part: get exim4 to play well with sqlite. (I leave out the Exim dovecot config, since I used the exact same one as for courier, i.e. it's the same path. Read the Dovecot-courier migration document for config details.)

In exim I commented out my existing login: and plain: sections and replaced it with this:

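# PLAIN sends authzid, authcid and password in one response: $1, $2, $3.
# quote_sqlite doubles single quotes so the user name cannot break out of the SQL string.
plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = "${if and { \
    {!eq{$2}{}} \
    {!eq{$3}{}} \
    {crypteq{$3}{${lookup sqlite{/etc/dovecot/authdb.sqlite \
      SELECT password FROM users WHERE ( domain = '${quote_sqlite:${domain:$2}}' \
      AND userid = '${quote_sqlite:${local_part:$2}}' ) \
      OR userid = '${quote_sqlite:$2}' }{$value}fail}} }} {yes}{no}}"
  server_set_id = $2

# LOGIN prompts for user name and password separately: $1 is the user, $2 the password.
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if and { \
    {!eq{$1}{}} \
    {!eq{$2}{}} \
    {crypteq{$2}{${lookup sqlite{/etc/dovecot/authdb.sqlite \
      SELECT password FROM users WHERE ( domain = '${quote_sqlite:${domain:$1}}' \
      AND userid = '${quote_sqlite:${local_part:$1}}' ) \
      OR userid = '${quote_sqlite:$1}' }{$value}fail}} }} {yes}{no}}"
  server_set_id = $1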

The above lines are just a modified version of the MySQL authentication example at the Exim wiki.

Now I tried exim4, and after changing the select clause a bit it actually worked!
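How the two mechanisms fill Exim's numbered variables, as an added example that is not part of the original post: PLAIN delivers three fields ($1 to $3) and LOGIN only two ($1 and $2), so the two server_condition strings have to index them differently. The user name and password are constructed sample values, and the function names are made up for this illustration.

```python
import base64

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def exim_vars_plain(response: str) -> dict:
    """AUTH PLAIN (RFC 4616): one response, authzid NUL authcid NUL password."""
    fields = base64.b64decode(response, validate=True).split(b"\x00")
    if len(fields) != 3:
        raise ValueError("PLAIN response needs exactly two NUL separators")
    authzid, authcid, password = (f.decode("utf-8") for f in fields)
    # Exim's plaintext driver numbers the fields in the order received.
    return {"$1": authzid, "$2": authcid, "$3": password}

def exim_vars_login(responses: list) -> dict:
    """AUTH LOGIN: one base64 response per prompt in server_prompts."""
    if len(responses) != 2:
        raise ValueError("LOGIN expects a user name and a password response")
    user, password = (base64.b64decode(r, validate=True).decode("utf-8")
                      for r in responses)
    return {"$1": user, "$2": password, "$3": ""}

def credentials(mechanism: str, variables: dict) -> tuple:
    """Pick (user, password) the way server_condition must for each mechanism."""
    user_var, pw_var = {"PLAIN": ("$2", "$3"), "LOGIN": ("$1", "$2")}[mechanism]
    user, password = variables[user_var], variables[pw_var]
    if not user or not password:  # mirrors the !eq{...}{} checks
        raise ValueError("empty user name or password")
    return user, password

# Constructed sample credentials, not real ones.
SAMPLE_PLAIN = b64(b"\x00jolt@mekk.com\x00example-password")
SAMPLE_LOGIN = [b64(b"jolt@mekk.com"), b64(b"example-password")]

if __name__ == "__main__":
    print("PLAIN:", credentials("PLAIN", exim_vars_plain(SAMPLE_PLAIN)))
    print("LOGIN:", credentials("LOGIN", exim_vars_login(SAMPLE_LOGIN)))
```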

Now back to dovecot. Dovecot needs to be configured (in /etc/dovecot/dovecot.conf) to use both passdb sql and fetch userdb info at the same time (enable userdb prefetch). I missed that myself, of course, so be warned:


# SQL database
passdb sql {
# Path for SQL configuration file
args = /etc/dovecot/dovecot-sql.conf
}

userdb prefetch {
}


And don't forget to disable PAM (just comment it out, and don't forget the closing }).


Then I needed to change the default crypt method to CRYPT (that's what my courierdb used, remember?). Here is the /etc/dovecot/dovecot-sql.conf config file for your reading pleasure:


# Database driver: mysql, pgsql, sqlite
driver = sqlite
connect = /etc/dovecot/authdb.sqlite


# Default password scheme.
#
# List of supported schemes is in
# http://wiki.dovecot.org/Authentication/PasswordSchemes
#
#default_pass_scheme = PLAIN-MD5
default_pass_scheme = CRYPT

# and enable the last line for user and pw prefetch:
password_query = SELECT userid as user, password, home as userdb_home, uid as userdb_uid, gid as userdb_gid FROM users WHERE userid = '%u'
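A small audit of which hash formats the users table actually holds, added here as an example (not from the original post or from Dovecot): with default_pass_scheme = CRYPT the migrated Courier entries are checked through the system crypt(), so old DES or MD5 hashes keep working unnoticed. The table layout is the one created above; the rows and hashes are constructed placeholders.

```python
import re
import sqlite3

# crypt(3) hash formats by shape; names follow Dovecot's scheme list.
SCHEMES = [
    (re.compile(r"^\$6\$"), "SHA512-CRYPT", "ok"),
    (re.compile(r"^\$5\$"), "SHA256-CRYPT", "ok"),
    (re.compile(r"^\$1\$"), "MD5-CRYPT", "weak"),
    # Traditional DES crypt: 13 characters, only the first 8 password bytes count.
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "DES-CRYPT", "weak"),
]

def classify(pw_hash):
    for pattern, scheme, verdict in SCHEMES:
        if pattern.search(pw_hash):
            return scheme, verdict
    return "UNKNOWN", "review"  # plaintext, truncated or foreign format

def audit(conn):
    """Return (userid, domain, scheme, verdict) for every row in users."""
    rows = conn.execute(
        "SELECT userid, domain, password FROM users ORDER BY userid")
    return [(u, d) + classify(p) for u, d, p in rows]

def build_sample_db():
    """In-memory copy of the page's schema with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE users (
        userid VARCHAR(128) NOT NULL, domain VARCHAR(128) NOT NULL,
        password VARCHAR(64) NOT NULL, home VARCHAR(255) NOT NULL,
        uid INTEGER NOT NULL, gid INTEGER NOT NULL)""")
    # Placeholder hashes: right shape, not derived from any real password.
    # SQLite does not enforce VARCHAR(64), so the longer $6$ value is stored whole.
    samples = [
        ("jolt", "abCdEfGhIjKlM"),
        ("alice", "$6$saltsalt$" + "A" * 86),
        ("bob", "$1$saltsalt$" + "A" * 22),
        ("carol", "not-a-hash"),
    ]
    conn.executemany(
        "INSERT INTO users VALUES (?, 'mekk.com', ?, ?, 104, 105)",
        [(u, p, "/home/courier/" + u) for u, p in samples])
    return conn

if __name__ == "__main__":
    for row in audit(build_sample_db()):
        print(*row)
```

To run it against the real file, pass `sqlite3.connect("/etc/dovecot/authdb.sqlite")` to `audit()` instead of the sample database.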




I think that's pretty much it, so good luck!

Saturday, October 23, 2010

Printing with Konica Minolta PP1300W in OSX Snow Leopard (over Time Capsule)

I was supposed to do this years ago, and I actually tried to, but I never got the gutenprinting stuff to work with the built in CUPS of OSX. However, today was the day I thought I might just do it!

Turns out it was quite easy (after I tried all the different combinations that is...)

  1. Go to Linuxprinting and download the min12xxw dmg (min12xxw-0.0.92-ub.dmg).
  2. Download the Ghostscript stuff from the same page (gplgs-8.71.dmg)
  3. Run the installer for min12xxw
  4. Run the Ghostscript installer
  5. Add your printer (it will auto-select the Foomatic/min12xx driver)
  6. Save and print!

Monday, October 4, 2010

Automatically upgrade Debian with security updates

So, one of the boring tasks of being a sysadmin is to do updates. Well, it's not really boring, just a boring task of doing it if you have more than 10 systems or so.

Since I'm lazy and not really a sysadmin full-time, I'm cheating by using the unattended-upgrades package. Here is how you do it:

  1. Install unattended-upgrades
  2. Add the following to /etc/apt/apt.conf
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Unattended-Upgrade "1";
  3. See if you need to modify
    /etc/apt/apt.conf.d/50unattended-upgrades
    (I didn't)
  4. Watch your logs for any errors during updates (I use logcheck for this)
  5. Read the additional info at https://wiki.ubuntu.com/AutomaticUpdates for more details about this feature if you want to.


Saturday, July 10, 2010

iPhone 3G iOS4 improved speed

After installing iOS4 the phone became extremely sluggish, so I thought "why not google around when I'm at home with this shitty cold".

So, first you need to jailbreak your phone (i.e. redsn0w or equivalent).
Then install OpenSSH, adv-cmds, Erica Utilities, vim and bash from Cydia or Rock (I prefer Rock to Cydia any day).

Now: start by changing the password of the root and mobile users to something not guessable.

--

First tip:

The first one I found was to enable some swap memory by uploading a plist that enables the dynamic pager:

Download com.apple.dynamic_pager.plist, scp it to the iphone and place it in /System/Library/LaunchDaemons/ and reboot.

If you are lazy the iMemory Enhancer is available from Cydia (but I like to know which file they are actually touching).

--

The second one is to disable some of the daemons that take care of background tasks.

Login via SSH and perform this:

launchctl unload -w /System/Library/LaunchDaemons/com.apple.syslogd.plist

and continue with these (if they exist)

com.apple.CrashHousekeeping.plist
com.apple.DumpBasebandCrash.plist
com.apple.DumpPanic.plist
com.apple.ReportCrash.DirectoryService.plist
com.apple.ReportCrash.Jetsam.plist
com.apple.ReportCrash.SafetyNet.plist
com.apple.ReportCrash.SimulateCrash.plist
com.apple.ReportCrash.plist
com.apple.powerlog.plist
com.apple.racoon.plist (this is used by VPN subsystem, so don't remove if you use that)
com.apple.scrod.plist (used for voice, which the 3G doesn't support)
com.apple.tcpdump.server.plist
com.apple.apsd.tcpdump.en0.plist (thought to be used by push notification logging)
com.apple.apsd.tcpdump.pdp_ip0.plist ( -"- )
com.apple.wifiFirmwareLoader.plist (thought to be used for the new OTA (over-the-air) updates)

Oh, and you can do the same with sshd if you want to:
launchctl unload -w /Library/LaunchDaemons/com.openssh.sshd.plist
You can then start SSH when you want by using SBSettings

Now let's deactivate locationd at startup, but let it start up on request:

cd /System/Library/LaunchDaemons

plutil -convert xml1 com.apple.locationd.plist
vim com.apple.locationd.plist
------------------

search for RunAtLoad

change true ----> false

----------------
plutil -convert binary1 com.apple.locationd.plist
reboot

Do this at your own risk.

Found the info at modmyui

--

The iPhone 3G has shadows enabled by default for icons and the dock, which uses some power. Removing some of the PNGs supposedly helps the graphics libraries, giving you more memory and power. So, remove/move these files from /System/Library/CoreServices/SpringBoard.app:

WallpaperIconShadow*.png
WallpaperIconDockShadow?.png

--

Also, on another note, people have seen some improvements by removing additional languages from applications. Not sure if it really matters or not, your mileage will vary:

http://a-common-hades.blogspot.com/2010/02/final-script-for-deleting-iphone.html

Wednesday, June 23, 2010

Startssl certificate (free) + exim + courier (Debian/Lenny)

So, my GoDaddy SSL cert finally expired. I wanted a new cert, but I wasn't up for paying $29/year/domain for something I only have a few users on, and I still wanted a verified CA (no more adding exceptions). Looking around I found the great startssl.com, a CA that exists in most of today's browsers and email clients, and best of all, their certs are free for non-business users!

The host I run is a Debian Lenny machine with exim4 and courier as MTA/IMAP server. So, here we go:

1) Sign up for a cert at StartSSL and follow the instructions (you will eventually end up with a client cert you need to install in your browser)
2) Login, verify your email / domain, go into the certificate wizard and create a "Web Server SSL/TLS Certificate"
3) Create a new private key (2048 keylength is default, stick with it). Remember the password, you will need it later.
4) Save the private key as server.crypted.key. Create a passphrase-less version with
openssl rsa -in server.crypted.key -out server.key
or just use the toolbox and paste the cert and your key.
5) Select one of the validated domains to create a server cert, enter a subdomain such as mail.domain.com, or whatever. My cert was for the domain.com level, and that name will also be included in the mail.domain.com cert.
6) The cert is eventually created, so save it as server.crt
7) Go to the toolbox and download the Server Certificate Bundle with CRLs (PEM encoded) as ca-bundle.pem.
8) Copy ca-bundle.pem to /etc/ssl/certs

I have saved my files to /etc/ssl/startssl/. With this as the base, the real work begins:
Create a dhparam file
1) openssl dhparam -out dhparam.pem 1024
2) openssl gendh >> dhparam.pem

For Exim4:
1) Edit /etc/exim4/exim4.conf. Add/edit these fields:

tls_advertise_hosts = *
tls_certificate = /etc/ssl/startssl/server.crt
tls_verify_certificates = /etc/ssl/certs/ca-bundle.pem
tls_privatekey = /etc/ssl/startssl/0x2a.key
tls_dhparam = /etc/ssl/startssl/dhparam.pem
tls_on_connect_ports = 465
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
daemon_smtp_ports = 25 : 465 : 587 : 10025

2) You're done! Restart exim4 and be a happy camper.

For Courier
1) cat server.key server.crt > server.pem
2) cat server.pem dhparam.pem > /etc/courier/imapd.pem
3) Edit /etc/courier/imapd-ssl. Add/edit the following:

TLS_CERTFILE=/etc/courier/imapd.pem
TLS_TRUSTCERTS=/etc/ssl/certs

4) Restart courier-ssl

That's how I got it to work. Good luck!