ameir dot net

Sorry for the inconvenience, and welcome back .

There is large interest in OpenDNS, and I happen to be a fan of it myself.  Sadly, Fon routers, when connected directly to a modem and using DHCP, use the ISP's DNS servers and don't allow you to override those settings.  Fortunately, there is a loophole in older Fon firmware that allows you to enable a BusyBox shell (so you can connect to it via SSH).  This is actually a security hole and shouldn't be a good thing at all, but hey, I'm kind of glad it exists.  Anyways, let's get started.

Enable SSH access to your Fon router by following these instructions.  Be sure to enable permanent SSH access, as it'll be very useful later.  When your Fonera updates to newer firmware that doesn't allow code injections, SSH will still be enabled.  Be sure to leave your network cable unplugged until after you enable SSH permanently or you might form some gray hairs.

Now, in a shell, let's create a startup script that overrides the ISP's DNS settings after the network is initialized.  Type the following:

vi /etc/init.d/S45opendns

Now, in the vi window, paste this (press i to insert text):

echo "nameserver 208.67.222.222" > /etc/resolv.conf
echo "nameserver 208.67.220.220" >> /etc/resolv.conf

This will "blank" /etc/resolv.conf and load it with the OpenDNS settings.  Save and exit vi (press the esc key then type :x).

Now, to make the file executable type:

chmod +x /etc/init.d/S45opendns

You're all done!  OpenDNS settings will be persistent across reboots.  You can activate the settings now without having to reboot by simply running your new script:

/etc/init.d/S45opendns

If DHCP renewals cause your new nameserver settings to be overwritten to the ISP's, you can create a cron job that runs every few minutes (you can pick a time based on your ISP's DHCP lease time):

Type crontab -e in the terminal window.  When vi opens, insert the following line at the end:

15 * * * * /etc/init.d/S45opendns

This will run your new script every 15 minutes, so there will never be more than a 15-minute period where you will not be using OpenDNS.

That should be all you need to get you going. If you're using more advanced features of OpenDNS, you can use DNS-O-Matic on your Fon to keep OpenDNS informed of IP changes. Comment below with your experiences.

When downloading via IE, the software they want you to install is called "ADSTechnology" and "FireBit" when using Firefox. I have actually installed ADSTechnology before and it seemed harmless, but the malware warnings from my AV were discouraging enough that I removed it. Also, the software doesn't appear to have any impact on downloading at all.

Now to the good stuff: how to bypass the plugin. I'll give the Firefox case since it subsumes the IE case (plus Firefox is better anyways ).

1. Install the User Agent Switcher addon for Firefox and restart the browser
2. Go to Tools -> User Agent Switcher -> Internet Explorer 7 (Windows Vista)
3. Browse to the file in BitRoad.net that you want to download. You'll be shown a small box mentioning ADSTechnology.
4. Right-click and view the page source
5. Ctrl+F in the source code window and search for "check_install"
You'll see something that looks like this:

onsubmit="check_install('http://b7.bitroad.net/download5/3f0605518729_k0adf32ybm046/filename.ext')">

6. Copy the URL in the single quotes and enter it in the address bar. The download should now begin.

Domains are
added via a web interface, and a sample zone file (from a template that
you can configure) is created. From there, you can use their web
interface to add records, or just dive into the zone editor. The zone
editor is recommended for those who have a bit of experience with DNS
servers as errors can be easily made, but that method is extremely
efficient. For example, if you want to create dozens of CNAMES that
point to www.domain.tld, copying and pasting one line multiple times is
much easier than going to through the web interface dozens of times.


Also, since the zone editor is essentially a plain-text editor that
offers you full control, you can easily import and export zone files
from/to different locations. Afraid.org allows you to export your zone
file, so moving to DollarDNS just involves a simple copy-and-paste.
You can also use your own text editor or a script to generate your zone
file and paste it into DollarDNS when finished.

No minimum TTL maximum hostname limit appears to be mentioned
anywhere, so I doubt that there are any. You seemingly have infinite control over your zone.

I
currently use them for slave DNS and after a NOTIFY, DollarDNS requests
a transfer within a second or so. Compare that to any other service.

DollarDNS
offers two DNS servers, although only ns1.dollardns.net appears to be
authoritative (ns2.dollardns.net refuses queries immediately). Still,
assuming you have other DNS servers authoritative for your domain, that
isn't a major issue.

Dynamic DNS is also supported via a client
that they provide, although I have not tested it. Based on the quality
of the service overall, I expect the dynamic portion to work flawlessly
as well.

I recommend this service overall due to its feature set, quality, reliability, and the admin's modesty (the admin created a page comparing DollarDNS to others, and he admits on the homepage that domain registrations through his service aren't the cheapest around).

If you know of a free host that amazes you, leave a comment. I'd like to hear about it.

OpenVPN is an excellent product with seemingly infinite configuration options. After setting everything up to your tastes, though, you may find that your end users are a bit too "simple" to install OpenVPN and your custom config files successfully. I find that many users (well, where I work at least) are uncomfortable browsing to and placing files in C:\Program Files\OpenVPN. You can easily get around this by creating a self-extracting executable with a default output path of C:\Program Files\OpenVPN (use IZArc to make nice free SXEs). Although that gets the job done, the end user would still need to install OpenVPN, the run the SXE. Why not cut down the number of steps in half (or by one :p ), while at the same time adding your company's touch to the OpenVPN installer?

Recent documentation on this is not very widespread, but luckily still of good use. The main source of documentation on this can be found here, and is supplied by the creator of OpenVPN GUI. The documentation can be followed, but unfortunately the packages provided are a bit outdated. To get up-to-date (and to become Vista-compatible), we first download a copy of the current release candidate (2.1 RC4 at the time of writing). I actually had to get the Windows installer since I didn't want to bother compiling from source. Next, I downloaded the 2.1 beta 7 package from the OpenVPN GUI site. I installed the Windows installer by accepting all defaults, then extracted the install source (anywhere should work). Next, to get things up-to-date I replaced openvpn.exe and openvpn-gui.exe in the openvpn\bin folder of the extracted archive with that from my Windows installation (C:\Program Files\OpenVPN\bin).

To get our installer to work with Vista, we need to replace the blacklisted 0801 TAP driver with the newer 0901 TAP driver. This is not documented anywhere I could find, but doing this turned out to be easy and effective. Simply make replacements as we did above, but instead copy the contents of C:\Program Files\OpenVPN\driver to the openvpn\tap-win32\i386 folder of the extracted archive. You can safely remove the older 0801 files. To make this work, we now have to edit the openvpn-gui.nsi script in the extracted archive. In any text editor (Notepad++ worked great for me and offered syntax highlighting), open up openvpn-gui.nsi, look for !define TAP "tap0801", and replace that with !define TAP "tap0901". Your archive is now Vista-compatible.

There are many other changes that can be made in the Nullsoft installer script such as including your company name, custom icons, and most importantly your OpenVPN client config. You can look through the script to understand how it works and modify it accordingly. To include your custom config/cert files, browse in your text editor to Section "OpenVPN GUI" SecGUI. You will see a comment indicating where your custom config files go. To include multiple files in the install, simply add more File entries, like so:

This will include client.ovpn, ca.crt, dh2048.pem, etc. to your custom installer, and will place them in the config folder upon installation.

To compile your masterpiece into an executable, you need to download and install The Nullsoft Scriptable Install System. Although a newer edition may work, I went with the original documentation's recommendation and installed the older v2.05. You can get this here. Once installed, you can simply right-click on the openvpn-gui.nsi script you modified and click on "Compile NSIS Script". A log of the compilation will show and an opportunity to test the installer will show if everything went well. You will also have an installable .exe waiting for you in the current directory waiting to be distributed to your clients.

If you ran into errors, look through the logs to try to identify what's going on. Otherwise, you can simply just make some changes to the archive I already hacked up:
http://www.ameir.net/blog/uploads/openvpn_install_source-2.1rc4-gui-1.0.3.zip

If you're just interested in creating a custom OpenVPN installer for Windows and don't particularly care to dabble in Nullsoft install scripts or are just lazy, download the archive above and make whatever changes you may need. The hacks described above are implemented in this package.

NOTES:

In Vista, if you're using routing (tun mode), the end user must run OpenVPN by running as an administrator. This is because the routing table must be modified to tell your computer how to get to your company network. Otherwise, the client may appear to be connected (he/she actually is), but attempts to access the company network will fail, as packets are instead trying to go through the default route (usually your ISP). Using tap mode eliminates this requirement as clients are given IPs in the company's subnet range, therefore eliminating the need to do routing.

If using certificate authentication, then each of your users will need unique files in their config directory. I don't know of a way to automate this, unless you generate the client certificates on the fly and have a program initiate a compile of openvpn-gui.nsi with the new certificates included. In my install of OpenVPN, users are authenticated via Active Directory, so we don't have to distribute any user-specific files.  You may very well just have to use self-extracting archives or train your users how to work with zip files!

For many people, using an external mail server for outbound mail is more than critical. There are many reasons for this, some of which are:

• bypassing dynamic IP blacklists by using a non-blacklisted mail server
• sending mail from an alternative mail server on an alternative SMTP port (useful if your ISP blocks port 25, and the external server supports alternative ports)
• hardcoding an SMTP server into a web-based application (like a forum or CMS) when a mail server is otherwise unavailable

Relaying allows you to send email through an external mail server, but the email looks as if it's coming from your own domain. For example, I can send an email from anything@ameir.net to anythingelse@gmail.com via an intermediate host without the Gmail user knowing about the intermediary (unless he/she looks at the headers). This doesn't sound like a big deal at all, but if you lie under one of the bulleted conditions above, then you may find it hard to communicate with the rest of the web. Most mail servers only allow you to send mail from the email address you own from them (e.g. sending mail through AOL's mail servers requires you to send the mail FROM your address).

Because I was on a dynamic IP and because Comcast mysteriously blocked port 25, I found that I needed a way to have emails from my server get to me. My backups were no longer being sent via email, my blog wasn't notifying me of any actions, and I figured it would be cool to finally send an email without a DNSBL rejecting me solely because of my IP address.

Luckily, here are some solutions:

ulmb.com (ports 25, 587)

This service actually provides you with a webhosting account of 5GB. I tried using them as a webhost once, but gave up after I ran into some restrictions. Still, they support email and relaying (although relaying isn't advertised), which is of great use. They do not pester you about DNS pointing to them or anything of the sort either.

mail.ikojomail.com (ports 25, 26)

This is an email service that offers a 5GB quota with IMAP, POP, and all the bells and whistles. Unfortunately, its webmail interface needs a little working on (it doesn't synchronize with the actual IMAP data), but as a pure IMAP email service it works very well. As an SMTP relay it works even better.

UPDATE: This domain recently expired, leaving the service inoperable. If you can find the IP for the domain when it was up, you might be in luck.

mail.inboxnow.com (ports 25, 26)

This service is the same as Ikojomail, but with a different name. The webmail interface works just like Ikojomail's (not well). For IMAP and SMTP, the service is fast and works great.

mail.icmail.net (ports 25, 587)

This service has been around for a couple of years and is pretty reliable. They offer POP/IMAP/SMTP, and their SMTP servers allow you to send from another sender. The only thing I don't like about it is that it complains sometimes when you send emails shortly after each other/have multiple connections to the SMTP server.

smtp.webalta.com (port 25)

This is a web search company from Russia that offers email accounts. The signup and webmail interfaces are in Russian, but you can get by based on the icons and the locations of the text fields if you don't know Russian (I sure don't). The service is pretty fast, and, as you expected, allows you to send emails from another sender. Seems pretty reliable.

mail.kakle.com (ports 25, 465)

This service provides 5GB webmail with full IMAP/POP capabilities. It's actually a pretty good service (when it works), and uses Squirrelmail as the webmail frontend. Message filters are done by Squirrelmail so it's not entirely server side (because you have to login and load Squirrelmail for filtering to occur). Sometimes incoming email has problems (it either works great or not at all), but as an outgoing SMTP server it works superbly. Note that port 465 is typically SMTP over SSL, but Kakle uses it as standard SMTP.

If you own a mail server but do not know how to set up relaying, there is nothing to worry about. There is documentation online for everything.

Below I show how I setup mail relaying on my Postfix server (I'll use Inboxnow for this; change the hostname to whatever server you wish to try). Before you begin, make sure you have the postfix-tls package installed. On a Debian-based distro like Ubuntu, you can install it simply with:

Now here comes the good stuff. You must paste the following commands as root for relaying to work (copy and paste the below into a plain-text editor such as Notepad or Gedit, modify the relevant info, and paste into a terminal as root):

You can see from above that I disabled TLS. This is generally not a good idea if TLS is available, but I encountered issues with Inboxnow's SSL certificate because it was self-signed. I disabled TLS in the meantime, and will keep my eyes peeled for a workaround. If you find any ways to get TLS working with a self-signed certificate, please let me know in the comments below. You should now be able to send emails via the relay. As a quick test, you can send yourself a test email and look at the headers to see the trajectory the email took. If you have mutt installed, you can easily do this by typing (as any user):

My site has disappeared from Google's listings, and I initially blamed the cause on my site going down for a long period of time a while back. After finally getting back online, I decided to start using Google Sitemaps. After trying to add my site, though, I ran into a problem; Google claimed my site was inaccessible! I could browse the site fine so I figured it was a temporary problem on Google's end. After trying multiple times over a course of a month or so, I decided to investigate. What I found was a bit surprising: freedns.afraid.org (my dynamic DNS provider) blocks all requests from Google! I couldn't believe it!

A bit pissed, I emailed Joshua Anderson (the maintainer of FreeDNS) about it. He asked for my domain name and stated that Google can now access my site. He didn't respond to the portion of my email asking why Google is blocked in the first place.

Well, Google is now able to download my sitemap, but I will have to wait a LOOONG time before I show up in Google again. It took me a while the first time, and I'm basically starting again as if I'm reborn.

I also enlisted in a secondary DNS service, EditDNS.net, just in case there are some other surprises in afraid.org's services. Hopefully if any queries to afraid.org's servers fail, EditDNS will come through successfully.

Isn't blocking Google such a bad idea? I wonder what the reasoning behind it is. I don't see freedns.afraid.org having any trouble getting listed by Google.

UPDATE: FreeDNS has updated their FAQ to address the Google issue. Here's an excerpt:

There are now services that can take over as your voicemail service. When you miss someone's call, the caller is redirected to your new voicemail service instead of your service provider's.

For a while, I was using Privatephone.com. PrivatePhone gives you your own local phone number that is intended for use as a personal number that you give out for spam-style offers online, or to people you meet randomly that ask for your number while you really don't want to give it out. I found a useful link at Howard Forums that details how to enable call forwarding on T-Mobile (my provider) phones, and I went ahead and gave it a shot. Months later, I was satisfied with my decision.

With PrivatePhone, I was able to check my voicemails through my phone like before, through email, or through a web-based email-like interface. I had .wav of each voicemail emailed to me, so I was notified immediately by Thunderbird as soon as an email arrived. In addition, PrivatePhone sent me a text message telling me a voicemail was left, with the caller's number. The text message only showed the caller's number (along with a short PrivatePhone message), even if the caller was in my PrivatePhone addressbook.

I then stumbled upon YouMail. YouMail did everything PrivatePhone failed to do. It not only is a third-party voicemail service, but it also has excellent features such as custom voicemail greetings for each caller, text messages with the caller's number, name (if the caller is not in your contact list, it shows the caller ID name), and length of the voicemail. In addition, the emailed copies of the voicemails were sent in .mp3 as opposed to the .wav of PrivatePhone; I had bad luck with VLC and .wav files for some reason. The only drawbacks to YouMail are that you don't get your own private number (everyone uses the same voicemail number; your voicemail is handled based on the number that forwards the call to them), and that you can't currently set caller groups. It would be nice to have friends, family, work, etc., be greeted with different voicemail messages, but not have to individually set the message for each individual caller. Still, this service to me far exceeds what PrivatePhone could offer me, and I am still using it today.

If you have multiple phones or need a number you can comfortably give out to near-strangers, you might want to try GrandCentral. If a caller dials your GrandCentral number, GrandCentral can have multiple phones ring at the same time. Think of this as phone redundancy when you have service problems with your phone(s). GrandCentral used to offer ringback tones (where callers are greeted by music or whatever you decide to upload), but since being bought by Google, that feature has disappeared (for copyright reasons I'm sure). Still, there is a library of ringback tones you can choose, but none of them are anything special. I suggest you give this a shot, I'm sure you'll like it

UPDATE: YouMail has recently made tons of changes to the site, and it appears to be getting better every week.  I strongly advise you check it out.  Whenever I think of a possible improvement, I end up seeing it implemented shortly after.  I'm quite impressed with the service.  Let me know what you think about it in the comments.

UPDATE:  Privatephone.com will be ending their service on December 31, 2007.  FreeDigits was the closest replacement I could find to Privatephone, but they now no longer offer dedicated phone numbers; they instead make you use a "short code" which is the same as an extension.  My guess is that they didn't want to pay for more phone numbers.  If you're still interested in that service, they offer it through a sister site, ringtonumber.com.

I recently ran into a problem with my server setup where I would have incredibly long and random moments of downtime. The downtime wasn't the server's fault, but moreso due issues at the colocation site (i.e. my friend's house ). During this time period, of course, I was unable to send, receive, or retrieve any emails. Because I'm so dependent on email, and because the downtime was becoming excessive, I had to find some way to get around this. After doing some searching, I came up with these possibilities:

1. backup MX service that tries to deliver your mail to your main mail server periodically; once your server is back up, the mail will be delivered to your usual inbox. If you only expect minor downtimes this solution is a good safeguard to ensure that you'll never lose any emails, but for those of you with shaky configurations (or if you have a long-term project to complete that requires downtime), this may be inideal because your emails will not be accessible until your mail server is back up and running.
2. backup MX service that forwards all of your email to another address; you will be able to read these emails immediately (even while your mail server is down), but the messages will not appear in your mail server's inbox once it comes back up. This is nice for those who need immediate access to their emails, and cannot afford to wait until the server is back up (knowing that in many cases bringing the server back up is a time-consuming task). You unfortunately cannot access your existing email with this method, but then again, you can't do so with any method so long as the server's down. You also have to be aware that your mail server is down so you'll know to check your other email address. Hopefully an error message from your mail client is enough.
3. outsourced email; an external provider completely handles all aspects of your domain's email; your MX records will point to the provider's servers, as will your email client. All spam control, filtering, mail rules, etc., will be handled at the host's end. Your mail server is essentially unnecessary with this solution. You certainly have much less control over your emails and cannot perform low-level tasks such as messing with your mboxes/Maildir, but you do have the relief of not worrying about your mail server's status.

You can see that each of these methods have their pros and cons, and I cannot tell you which method works best for your situation. I can, though, explain my situation and explain what works best for me.

My situation: I have excessive, spontaneous, and oftentimes lengthy downtimes due to various reasons (ISP issues, people tampering with my server >:-[ , etc.). Because I'm in school and often expect important emails, I have to make sure that I can access incoming emails at any time.

My solution: I first started off using a backup MX service that forwarded all of my emails to my Gmail account. This was useful since I already had a copy of all of my emails forwarded there (I had procmail send a copy to two other email accounts for archiving/backup purposes, while keeping a copy on my mail server). This method worked and worked well. Because I had my previous emails already in my Gmail account, all new emails arrived smoothly and I couldn't tell (from a Gmail perspective) that my mail server ever went down without looking at the message headers to see what mail server accepted and forwarded the email. I recommend this solution for those who archive their emails like I did by forwarding copies to other accounts, and for those who are comfortable with that backup email address. Gmail is able to respond with another From: address, so your replies will look like they're coming from you@yourdomain.com.

I eventually ditched this method just because I am in love with IMAP and missed the convenience of it. I never looked back at POP after using IMAP, which makes me want to yell at Google for only supporting POP. Anyways, my solution turned out to be one that allows for me to use IMAP, and still have access to all my emails when my server is down. I never thought I'd do it, but I did; I outsourced!  I ended up pointing my MX records over to AOL's servers (yes, I never thought I'd go with them either) and from then on checked my emails through Thundbird.  AOL offers IMAP(S), POP(S), and SMTP, so they really do have the basics for me.  They don't have many basic features such as mail rules or mail forwarding (which I'm praying for), but luckily I never was reliant on these.  There are many other providers that offer domain email hosting for free, but usually only the paid accounts are given POP/IMAP access, which is why I outsourced in the first place.

If you know anything about me, you know that I don't like paying for anything.  I've therefore compiled a list of free backup MX services and domain email hosts.

Secondary MX - tries to deliver to main mail server

• rollernet.us
• editdns.net

Secondary MX - forwards to another email address

• zoneedit.net
• ulmb.com
• most webhosting accounts

• AOL
• Google Apps
• Bluetie
• Gawab

A good filehost is important for use in many different applications.  It can help you to share large files with friends and colleagues, and can really be useful in more life-saving applications, such as backups.  I use these services to accomplish both, although I do admit I rely on them heavily in parallel with my backup scripts; I get a nightly backup of each of my MySQL databases to multiple email accounts, as well as to FTP.  I know it's super-redundant to happen this way, but I learned my lesson from the past.  Plus, this level of redundancy is pretty nice.  Here is a list of some of the file hosts that I use, and will update the table later with more details.