ameir dot net - Tech Corner

Yahoo! Mail IMAP Proxy

nospam@example.com (Ameir Abdeldayem) — Mon, 01 Mar 2010 22:21:22 -0600

There are a few Yahoo! Mail IMAP proxies out there (YPOPS!, FreePOPs), but to be honest, I haven't had much luck with either of them. Additionally, switching webmail interfaces to Asia or Classic or whatever can be a bit of a hassle.

Yahoo! supports IMAP on some mobile devices, and now also allows it for anyone using the Zimbra mail client. Unfortunately, I'm not too fond of that client and much prefer my Thunderbird; too bad it isn't natively supported.

Luckily, Yahoo's IMAP implementation isn't too far off from what other clients recognize; it simply requires a "ID ("GUID" "1")" to be issued before logging in. No clients do that (except for these hacked up versions of Thunderbird), so my workaround was to create a simple IMAP proxy.

This proxy simply takes the commands sent to it by your mail client, passes them on to Yahoo, and relays them back to your client. It all the while looks for your client to issue a "login" command so that it can inject the "id" command to unlock IMAP access.

This program is written in C and has been tested on Linux and Windows (via Cygwin). Read the release notes in the source for more information. I haven't written in C for a while, and I know that this program can be improved. If anyone does so, I'd like to hear from you.

Connection settings:
Username: yahoo_username@yahoo.com
Hostname: localhost
Port: 3490
SSL: off

Download latest source

Download Windows Cygwin version

View Google Code Homepage

Installing Windows XP over a Network using PXE

nospam@example.com (Ameir Abdeldayem) — Wed, 10 Feb 2010 23:28:04 -0600

I just spent countless hours trying to revive an old laptop with seemingly no hope left in it. Its CD-ROM drive is bad, it doesn't support booting from USB, and it has no floppy drive. After backing up the hard drive using a USB caddy, I tried countless ways of loading up bootdisks over PXE using MEMDISK and PXELINUX. I got very close several times, but unfortunately both FreeDOS and MS-DOS failed me. The closest I got was by partitioning the hard disk such that I had a 1GB FAT partition at the end with the XP installation files copied to it. Running winnt32.exe from DOS brought me a lot of hope, but also a lot of pain, namely the error "Setup is out of memory and cannot continue." I hacked away and the config.sys file and kept editing various bootdisks, but no luck in the end. I tried dozens of things, but I'll skip that all and get to the good stuff: how I got it working.

Continue reading "Installing Windows XP over a Network using PXE"

Cheapest SSL Certificates

nospam@example.com (Ameir Abdeldayem) — Wed, 12 Aug 2009 02:02:33 -0500

Interested in securing your website? There are several types of certificates out there at wildly varying prices, but they all provide exactly the same function--encryption. In most cases, you're no more secure with a $300 certificate than a $10 one; the difference lies in the verification the certificate company performs to confirm your identity. In short, if you're not a bank or think your users won't trust you using a cheapo certificate, then you'll be fine with a cheapo.

Below the cheapest SSL certificates I found online and have personally used:

~~AlphaSSL from Dynadot ($41.50/5 years)~~

Positive SSL from CheapSSLs.com ($24/3 years)

RapidSSL from CheapSSLs.com ($27/3 years)

RapidSSL from Servertastic ($50/5 years)

Registerfly ($9.99/year)

As you can see, you get discounts if you pay for multiple years in advance. If you plan on keeping the domain for a while, it shouldn't hurt--just be sure to keep the certificate and key in case you decide to switch servers over time.

If you know of any other deals, let me know!

Creating a customized OpenVPN installer - Round 2

nospam@example.com (Ameir Abdeldayem) — Thu, 23 Jul 2009 14:54:50 -0500

In a previous article, I outlined the steps I took to "roll" my own customized OpenVPN installer, and it worked like a charm back then. OpenVPN has gone through several revisions since, and getting things running (especially on different architectures) with the new versions just doesn't work so well. Luckily, there's another way to approach this problem and have OpenVPN installed as it was intended (i.e. the correct TAP driver will be detected and the shortcuts where they belong). This method is more of a workaround, but definitely works. Note that with this method you can't rename OpenVPN to "MyVPN" or whatever like the previous method.

This method employs the use of an SFX that installs the vanilla OpenVPN installer as downloaded from their site, then automatically installs the keys afterwards. You have the option of making the install entirely silent as well--it's all up to you.

Prerequisites:

7-ZIP SFX Maker (version 2.0 at the time of writing)

7-Zip (or another 7-Zip-capable archiver such as IZArc)

OpenVPN (version 2.1_rc19 at the time of writing)

Your OpenVPN keys

Steps:

First, package your OpenVPN keys with 7-Zip. If you want multiple OpenVPN connections configured on the same machine, it's a good idea to have each connection's keys in a subfolder. Ensure that each connection has a .ovpn or .conf file with a unique name.

Next, open up 7-ZIP SFX Maker and add your archived keys by clicking on the "+" symbol. Now, go to the "General" tab. Under "Extract to specified folder", enter %ProgramFiles%\OpenVPN\config. You can right-click for some preset environment variables if you want to change the path.

You can change other options if you'd like. I have "Beginning extraction of keys..." in the "Begin prompt" field of the Text tab. From here, you're ready to click "Make SFX".

Now, create another 7-Zip archive with your new SFX and the OpenVPN installer. Add this archive to 7-ZIP SFX Maker. In "General" enter %tmp% or another writable directory in the "Extract to specified folder" field. I have "Allow user to change extraction path" checked as well--this all depends on your environment and needs. Under the Text tab, I have it filled as follows:

Under the Shortcuts tab, I created a shortcut to OpenVPN GUI in Startup so that it starts on login.

Now, (and this is important), go to the Execute tab. We will tell the SFX maker to run the OpenVPN installer then run the SFX for the keys. Be sure to list them in that order. Note that I have a /S in the first entry because I want OpenVPN to install silently. Sadly, not everyone at my company knows how to install software, and I'm satisfied with the setup defaults anyway.

You're now ready to "Make SFX"! Your new installer will be placed in the folder your files were in.

You might want to play around with settings until the installer suits your tastes.

Redirect HTTP traffic to HTTPS with IIS

nospam@example.com (Ameir Abdeldayem) — Sun, 22 Mar 2009 01:46:32 -0500

There are many situations where you'd want a site to be accessible only securely, and there are several resources online on how to accomplish this. Unfortunately, I couldn't find a perfect solution for me. Influenced by this info and following the steps outlined here (under In Windows Server 2003 (IIS 6.0)), I came up with the following:

CODE:

<%
   If Request.ServerVariables("SERVER_PORT")=80 Then
      Dim strSecureURL

  strSecureURL = Replace(Request.QueryString,"http","https")  ' entire old URL, but w/https
  strSecureURL = Replace(strSecureURL,"403;","") ' remove "403;" from beginning
  strSecureURL = Replace(strSecureURL,":80","") ' remove port # that's appended to server name
  Response.Redirect strSecureURL
    End If
%>

It works well for my purposes, but of course, your mileage may vary.

More resources:

1. http://support.microsoft.com/kb/239875
2. http://support.microsoft.com/kb/839357
3. http://blog.opsan.com/archive/2005/04/17/395.aspx

Using OpenDNS on Your Fon Router

nospam@example.com (Ameir Abdeldayem) — Tue, 12 Aug 2008 01:03:19 -0500

There is large interest in OpenDNS, and I happen to be a fan of it myself. Sadly, Fon routers, when connected directly to a modem and using DHCP, use the ISP's DNS servers and don't allow you to override those settings. Fortunately, there is a loophole in older Fon firmware that allows you to enable a BusyBox shell (so you can connect to it via SSH). This is actually a security hole and shouldn't be a good thing at all, but hey, I'm kind of glad it exists. Anyways, let's get started.

Enable SSH access to your Fon router by following these instructions. Be sure to enable permanent SSH access, as it'll be very useful later. When your Fonera updates to newer firmware that doesn't allow code injections, SSH will still be enabled. Be sure to leave your network cable unplugged until after you enable SSH permanently or you might form some gray hairs.

Now, in a shell, let's create a startup script that overrides the ISP's DNS settings after the network is initialized. Type the following:

vi /etc/init.d/S45opendns

Now, in the vi window, paste this (press i to insert text):

echo "nameserver 208.67.222.222" > /etc/resolv.conf
echo "nameserver 208.67.220.220" >> /etc/resolv.conf

This will "blank" /etc/resolv.conf and load it with the OpenDNS settings. Save and exit vi (press the esc key then type :x).

Now, to make the file executable type:

chmod +x /etc/init.d/S45opendns

You're all done! OpenDNS settings will be persistent across reboots. You can activate the settings now without having to reboot by simply running your new script:

/etc/init.d/S45opendns

If DHCP renewals cause your new nameserver settings to be overwritten to the ISP's, you can create a cron job that runs every few minutes (you can pick a time based on your ISP's DHCP lease time):

Type crontab -e in the terminal window. When vi opens, insert the following line at the end:

15 * * * * /etc/init.d/S45opendns

This will run your new script every 15 minutes, so there will never be more than a 15-minute period where you will not be using OpenDNS.

That should be all you need to get you going. If you're using more advanced features of OpenDNS, you can use DNS-O-Matic on your Fon to keep OpenDNS informed of IP changes. Comment below with your experiences.

Taking control of your DNS

nospam@example.com (Ameir Abdeldayem) — Sat, 15 Mar 2008 17:11:39 -0500

Many webmasters, especially those who run their own servers, rely on
free DNS providers extensively to help ensure site uptime. There are
many out there, with widely varying numbers of pros and cons. For
example, afraid.org seems to provide a great number of configuration
options and features, but adding mass records can still be daunting.
This is true with just about all other free DNS services, as they
typically allow you to add one record at a time. I accidentally
stumbled upon a free host that didn't sound free at all, DollarDNS,
that offers more than I ever expected in a free DNS host. They offer
the typical set of features that most DNS hosts offer, but with one
very important feature: full control of your zone files.

Domains are
added via a web interface, and a sample zone file (from a template that
you can configure) is created. From there, you can use their web
interface to add records, or just dive into the zone editor. The zone
editor is recommended for those who have a bit of experience with DNS
servers as errors can be easily made, but that method is extremely
efficient. For example, if you want to create dozens of CNAMES that
point to www.domain.tld, copying and pasting one line multiple times is
much easier than going to through the web interface dozens of times.

Also, since the zone editor is essentially a plain-text editor that
offers you full control, you can easily import and export zone files
from/to different locations. Afraid.org allows you to export your zone
file, so moving to DollarDNS just involves a simple copy-and-paste.
You can also use your own text editor or a script to generate your zone
file and paste it into DollarDNS when finished.

No minimum TTL maximum hostname limit appears to be mentioned
anywhere, so I doubt that there are any. You seemingly have infinite control over your zone.

I
currently use them for slave DNS and after a NOTIFY, DollarDNS requests
a transfer within a second or so. Compare that to any other service.

DollarDNS
offers two DNS servers, although only ns1.dollardns.net appears to be
authoritative (ns2.dollardns.net refuses queries immediately). Still,
assuming you have other DNS servers authoritative for your domain, that
isn't a major issue.

Dynamic DNS is also supported via a client
that they provide, although I have not tested it. Based on the quality
of the service overall, I expect the dynamic portion to work flawlessly
as well.

I recommend this service overall due to its feature set, quality, reliability, and the admin's modesty (the admin created a page comparing DollarDNS to others, and he admits on the homepage that domain registrations through his service aren't the cheapest around).

If you know of a free host that amazes you, leave a comment. I'd like to hear about it.

Creating a customized OpenVPN installer

nospam@example.com (Ameir Abdeldayem) — Sat, 19 Jan 2008 20:42:15 -0600

Note: See "Creating a customized OpenVPN installer - Round 2" for another approach to a custom OpenVPN installer.

OpenVPN is an excellent product with seemingly infinite configuration options. After setting everything up to your tastes, though, you may find that your end users are a bit too "simple" to install OpenVPN and your custom config files successfully. I find that many users (well, where I work at least) are uncomfortable browsing to and placing files in C:\Program Files\OpenVPN. You can easily get around this by creating a self-extracting executable with a default output path of C:\Program Files\OpenVPN (use IZArc to make nice free SXEs). Although that gets the job done, the end user would still need to install OpenVPN, the run the SXE. Why not cut down the number of steps in half (or by one :p ), while at the same time adding your company's touch to the OpenVPN installer?

Recent documentation on this is not very widespread, but luckily still of good use. The main source of documentation on this can be found here, and is supplied by the creator of OpenVPN GUI. The documentation can be followed, but unfortunately the packages provided are a bit outdated. To get up-to-date (and to become Vista-compatible), we first download a copy of the current release candidate (2.1 RC4 at the time of writing). I actually had to get the Windows installer since I didn't want to bother compiling from source. Next, I downloaded the 2.1 beta 7 package from the OpenVPN GUI site. I installed the Windows installer by accepting all defaults, then extracted the install source (anywhere should work). Next, to get things up-to-date I replaced openvpn.exe and openvpn-gui.exe in the openvpn\bin folder of the extracted archive with that from my Windows installation (C:\Program Files\OpenVPN\bin).

To get our installer to work with Vista, we need to replace the blacklisted 0801 TAP driver with the newer 0901 TAP driver. This is not documented anywhere I could find, but doing this turned out to be easy and effective. Simply make replacements as we did above, but instead copy the contents of C:\Program Files\OpenVPN\driver to the openvpn\tap-win32\i386 folder of the extracted archive. You can safely remove the older 0801 files. To make this work, we now have to edit the openvpn-gui.nsi script in the extracted archive. In any text editor (Notepad++ worked great for me and offered syntax highlighting), open up openvpn-gui.nsi, look for !define TAP "tap0801", and replace that with !define TAP "tap0901". Your archive is now Vista-compatible.

There are many other changes that can be made in the Nullsoft installer script such as including your company name, custom icons, and most importantly your OpenVPN client config. You can look through the script to understand how it works and modify it accordingly. To include your custom config/cert files, browse in your text editor to Section "OpenVPN GUI" SecGUI. You will see a comment indicating where your custom config files go. To include multiple files in the install, simply add more File entries, like so:

CODE:

  # Include your custom config file(s) here.
  SetOutPath "$INSTDIR\config"
  File "${HOME}\config\client.ovpn"
  File "${HOME}\config\ca.crt"
  File "${HOME}\config\dh2048.pem"
  File "${HOME}\config\client.crt"
  File "${HOME}\config\client.key"

This will include client.ovpn, ca.crt, dh2048.pem, etc. to your custom installer, and will place them in the config folder upon installation.

To compile your masterpiece into an executable, you need to download and install The Nullsoft Scriptable Install System. Although a newer edition may work, I went with the original documentation's recommendation and installed the older v2.05. You can get this here. Once installed, you can simply right-click on the openvpn-gui.nsi script you modified and click on "Compile NSIS Script". A log of the compilation will show and an opportunity to test the installer will show if everything went well. You will also have an installable .exe waiting for you in the current directory waiting to be distributed to your clients.

If you ran into errors, look through the logs to try to identify what's going on. Otherwise, you can simply just make some changes to the archive I already hacked up:
http://www.ameir.net/blog/uploads/openvpn_install_source-2.1rc4-gui-1.0.3.zip

If you're just interested in creating a custom OpenVPN installer for Windows and don't particularly care to dabble in Nullsoft install scripts or are just lazy, download the archive above and make whatever changes you may need. The hacks described above are implemented in this package.

NOTES:

In Vista, if you're using routing (tun mode), the end user must run OpenVPN by running as an administrator. This is because the routing table must be modified to tell your computer how to get to your company network. Otherwise, the client may appear to be connected (he/she actually is), but attempts to access the company network will fail, as packets are instead trying to go through the default route (usually your ISP). Using tap mode eliminates this requirement as clients are given IPs in the company's subnet range, therefore eliminating the need to do routing.

If using certificate authentication, then each of your users will need unique files in their config directory. I don't know of a way to automate this, unless you generate the client certificates on the fly and have a program initiate a compile of openvpn-gui.nsi with the new certificates included. In my install of OpenVPN, users are authenticated via Active Directory, so we don't have to distribute any user-specific files. You may very well just have to use self-extracting archives or train your users how to work with zip files!

Free mail relay servers

nospam@example.com (Ameir Abdeldayem) — Thu, 13 Sep 2007 18:09:02 -0500

For many people, using an external mail server for outbound mail is more than critical. There are many reasons for this, some of which are:

bypassing dynamic IP blacklists by using a non-blacklisted mail server
sending mail from an alternative mail server on an alternative SMTP port (useful if your ISP blocks port 25, and the external server supports alternative ports)
hardcoding an SMTP server into a web-based application (like a forum or CMS) when a mail server is otherwise unavailable

Relaying allows you to send email through an external mail server, but the email looks as if it's coming from your own domain. For example, I can send an email from anything@ameir.net to anythingelse@gmail.com via an intermediate host without the Gmail user knowing about the intermediary (unless he/she looks at the headers). This doesn't sound like a big deal at all, but if you lie under one of the bulleted conditions above, then you may find it hard to communicate with the rest of the web. Most mail servers only allow you to send mail from the email address you own from them (e.g. sending mail through AOL's mail servers requires you to send the mail FROM your address).

Because I was on a dynamic IP and because Comcast mysteriously blocked port 25, I found that I needed a way to have emails from my server get to me. My backups were no longer being sent via email, my blog wasn't notifying me of any actions, and I figured it would be cool to finally send an email without a DNSBL rejecting me solely because of my IP address.

Luckily, here are some solutions:

Hotmail (ports 25, 587)

Now offers free POP3 and SMTP access. Reliable service, as it's from a big and trusted name. Read below for info:

http://arstechnica.com/microsoft/news/2009/03/rollout-for-hotmail-pop3-worldwide-support-complete.ars

Gawab (ports 25, 587)

Offers POP3/IMAP/SMTP, with relaying possible through their SMTP servers. Quite reliable, and I use it on a daily basis.

ulmb.com (ports 25, 587)

This service actually provides you with a webhosting account of 5GB. I tried using them as a webhost once, but gave up after I ran into some restrictions. Still, they support email and relaying (although relaying isn't advertised), which is of great use. They do not pester you about DNS pointing to them or anything of the sort either.

~~mail.ikojomail.com (ports 25, 26)~~

This is an email service that offers a 5GB quota with IMAP, POP, and all the bells and whistles. Unfortunately, its webmail interface needs a little working on (it doesn't synchronize with the actual IMAP data), but as a pure IMAP email service it works very well. As an SMTP relay it works even better.

UPDATE: This domain recently expired, leaving the service inoperable. If you can find the IP for the domain when it was up, you might be in luck.

mail.inboxnow.com (ports 25, 26)

This service is the same as Ikojomail, but with a different name. The webmail interface works just like Ikojomail's (not well). For IMAP and SMTP, the service is fast and works great.

mail.icmail.net (ports 25, 587)

This service has been around for a couple of years and is pretty reliable. They offer POP/IMAP/SMTP, and their SMTP servers allow you to send from another sender. The only thing I don't like about it is that it complains sometimes when you send emails shortly after each other/have multiple connections to the SMTP server.

smtp.webalta.com (port 25)

This is a web search company from Russia that offers email accounts. The signup and webmail interfaces are in Russian, but you can get by based on the icons and the locations of the text fields if you don't know Russian (I sure don't). The service is pretty fast, and, as you expected, allows you to send emails from another sender. Seems pretty reliable.

mail.kakle.com (ports 25, 465)

This service provides 5GB webmail with full IMAP/POP capabilities. It's actually a pretty good service (when it works), and uses Squirrelmail as the webmail frontend. Message filters are done by Squirrelmail so it's not entirely server side (because you have to login and load Squirrelmail for filtering to occur). Sometimes incoming email has problems (it either works great or not at all), but as an outgoing SMTP server it works superbly. Note that port 465 is typically SMTP over SSL, but Kakle uses it as standard SMTP.

If you own a mail server but do not know how to set up relaying, there is nothing to worry about. There is documentation online for everything.

Continue reading "Free mail relay servers"

Backup Email Solutions

nospam@example.com (Ameir Abdeldayem) — Fri, 03 Aug 2007 18:05:30 -0500

I recently ran into a problem with my server setup where I would have incredibly long and random moments of downtime. The downtime wasn't the server's fault, but moreso due issues at the colocation site (i.e. my friend's house ). During this time period, of course, I was unable to send, receive, or retrieve any emails. Because I'm so dependent on email, and because the downtime was becoming excessive, I had to find some way to get around this. After doing some searching, I came up with these possibilities:

backup MX service that tries to deliver your mail to your main mail server periodically; once your server is back up, the mail will be delivered to your usual inbox. If you only expect minor downtimes this solution is a good safeguard to ensure that you'll never lose any emails, but for those of you with shaky configurations (or if you have a long-term project to complete that requires downtime), this may be inideal because your emails will not be accessible until your mail server is back up and running.
backup MX service that forwards all of your email to another address; you will be able to read these emails immediately (even while your mail server is down), but the messages will not appear in your mail server's inbox once it comes back up. This is nice for those who need immediate access to their emails, and cannot afford to wait until the server is back up (knowing that in many cases bringing the server back up is a time-consuming task). You unfortunately cannot access your existing email with this method, but then again, you can't do so with any method so long as the server's down. You also have to be aware that your mail server is down so you'll know to check your other email address. Hopefully an error message from your mail client is enough.
outsourced email; an external provider completely handles all aspects of your domain's email; your MX records will point to the provider's servers, as will your email client. All spam control, filtering, mail rules, etc., will be handled at the host's end. Your mail server is essentially unnecessary with this solution. You certainly have much less control over your emails and cannot perform low-level tasks such as messing with your mboxes/Maildir, but you do have the relief of not worrying about your mail server's status.

You can see that each of these methods have their pros and cons, and I cannot tell you which method works best for your situation. I can, though, explain my situation and explain what works best for me.

My situation: I have excessive, spontaneous, and oftentimes lengthy downtimes due to various reasons (ISP issues, people tampering with my server >:-[ , etc.). Because I'm in school and often expect important emails, I have to make sure that I can access incoming emails at any time.

My solution: I first started off using a backup MX service that forwarded all of my emails to my Gmail account. This was useful since I already had a copy of all of my emails forwarded there (I had procmail send a copy to two other email accounts for archiving/backup purposes, while keeping a copy on my mail server). This method worked and worked well. Because I had my previous emails already in my Gmail account, all new emails arrived smoothly and I couldn't tell (from a Gmail perspective) that my mail server ever went down without looking at the message headers to see what mail server accepted and forwarded the email. I recommend this solution for those who archive their emails like I did by forwarding copies to other accounts, and for those who are comfortable with that backup email address. Gmail is able to respond with another From: address, so your replies will look like they're coming from you@yourdomain.com.

I eventually ditched this method just because I am in love with IMAP and missed the convenience of it. I never looked back at POP after using IMAP, which makes me want to yell at Google for only supporting POP. Anyways, my solution turned out to be one that allows for me to use IMAP, and still have access to all my emails when my server is down. I never thought I'd do it, but I did; I outsourced! I ended up pointing my MX records over to AOL's servers (yes, I never thought I'd go with them either) and from then on checked my emails through Thundbird. AOL offers IMAP(S), POP(S), and SMTP, so they really do have the basics for me. They don't have many basic features such as mail rules or mail forwarding (which I'm praying for), but luckily I never was reliant on these. There are many other providers that offer domain email hosting for free, but usually only the paid accounts are given POP/IMAP access, which is why I outsourced in the first place.

If you know anything about me, you know that I don't like paying for anything. I've therefore compiled a list of free backup MX services and domain email hosts.

Secondary MX - tries to deliver to main mail server

rollernet.us
editdns.net

Secondary MX - forwards to another email address

zoneedit.net
ulmb.com
most webhosting accounts

Domain email hosting

AOL
Google Apps
Bluetie
Gawab