Tag Archives: tech

Blocking the VML Internet Explorer exploit

Folks, add this to your Postfix servers ASAP.  Microsoft’s unpatched VML vulnerability will probably be exploited via email within the next couple of days:

/etc/postfix/main.cf:
  body_checks =
   pcre:/etc/postfix/body_checks.regexp

/etc/postfix/body_checks.regexp:
  /<v:rect/       REPLACE <safety: MS VML tag removed>
  /<v:fill/       REPLACE <safety: MS VML tag removed>
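An added example (not part of the original post) that simulates how Postfix applies the two body_checks rules above, so the rule can be checked before it goes live: pcre tables match case-insensitively by default, and REPLACE substitutes the whole body line, not just the matched text. The sample mail lines are constructed here.

```python
import base64
import re

# Added example (not from the original post): simulate the Postfix body_checks
# rules above. Postfix pcre tables are case-insensitive by default, and the
# REPLACE action replaces the entire body line with the given text.
VML_RULES = [
    (re.compile(r"<v:rect", re.IGNORECASE), "<safety: MS VML tag removed>"),
    (re.compile(r"<v:fill", re.IGNORECASE), "<safety: MS VML tag removed>"),
]


def apply_body_checks(body_lines):
    """Return the body as Postfix would deliver it: each line matching a rule
    is replaced whole by that rule's replacement text; other lines pass."""
    out = []
    for line in body_lines:
        for pattern, replacement in VML_RULES:
            if pattern.search(line):
                out.append(replacement)
                break
        else:
            out.append(line)
    return out


def vml_tags_remaining(body_lines):
    """Count lines that still carry a VML tag after filtering (expected 0 for
    plain 7bit/8bit text/html parts)."""
    return sum(1 for l in body_lines if re.search(r"<v:(rect|fill)", l, re.I))


# Constructed sample: an HTML part with mixed-case tags, plus the same markup
# as a base64 line. body_checks inspects raw lines and does not decode base64,
# so encoded parts need a MIME-decoding content filter in addition to this rule.
SAMPLE_HTML = [
    "<html><body>",
    "<V:RECT style='width:10pt'>",
    "<v:fill src=\"x\"/>",
    "</body></html>",
]
SAMPLE_B64 = base64.b64encode("\n".join(SAMPLE_HTML).encode()).decode().splitlines()
```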

References:
http://internetweek.cmp.com/193004562?cid=rssfeed_pl_inw
http://www.microsoft.com/technet/security/advisory/925568.mspx
http://secunia.com/advisories/21989/

The exploit:
http://www.securityfocus.com/archive/1/446505

This blog is mine

The 57 posts that I have written on my blog to date (now 58) have for the most part been composed just minutes after I got some random idea in my head that I wanted to share.  As such, the posts have been as random as the times that I write them.  For the most part, the content has been technical or Webmail.us related, with a few non-technical posts about getting married, tailgating or whatever else.  Here is a monthly breakdown:

                      N D J F M A M J J A S  TOTAL
technical/Webmail.us: 4 7 7 4 3 2 3 2 5 5 2   44
non-technical/random: 2 2 0 1 1 1 2 1 0 1 2   13

On Monday I asked my readers, What should I post about next?  My goal was to find out if you want to have any influence over the content that I write or if I should continue to do as I have since November 2005 and post whatever is in my head at the moment I get the urge to write.  Only one person responded.  My friend Ryan Reed asked “How does Google Earth do all that new crazy 3D stuff?”.

I’ll conclude from this brief sociology experiment that you deeply enjoy what I write and don’t want to mess with a good thing :).  However, feel free to comment from time to time and tell me if a post sucked/rocked.

Reed:
Google purchases 3D building datasets for major US cities from a company called Sanborn.  Google also acquired @Last Software, who had been independently creating 3D data for Google Earth.  And the satellite images and original Google Earth technology were developed by a company called Keyhole, which Google acquired in 2004.  Google takes all of this data, aggregates it, analyzes it and serves it, using their massively distributed storage system called BigTable.  BigTable is built on top of Google File System.  GoogleFS enables them to store seemingly limitless amounts of data and BigTable enables them to make use of that data in any way that their software engineers think might be interesting.  Somebody over there in Mountain View thought it would be cool to create a 3D interface into our planet, and behold Google Earth.

Enterprise version of Netvibes, please

+1 for an enterprise version of Netvibes.

We need an intranet-style start page to tie all of our internal business data together.

Quoting Nik Cubrilovic:

> The most ideal solution we could think of was having something like
> Netvibes, but an enterprise edition that allowed you to setup groups,
> views, permissions, secure connections, auth integration etc. etc

Unfortunately even if Netvibes does build it, I have a suspicion that most businesses will be using a custom start page powered by Google in a few years.  Google is attempting to address this much needed space with their yet to be announced Personalized Start Page for your Domain.  Nik says it doesn’t have what his company needs, but I bet by this time next year it will.  Google’s best products are ones that their own employees use every day, and their employees have been using this sort of intranet-style start page for years.  It is nicknamed MOMA.

I want my MOMA!

Firefox 2.0 beta 2

...was released about an hour ago.  Beta 1 was nice because it added inline spell check and things generally felt a little faster.  However, it crashed frequently.  Hopefully beta 2 won't crash so often.  They updated the skin between beta 1 and beta 2 as well:

http://www.mozilla.org/projects/bonecho/releases/2.0b2.html

Running it now as I compose this post and it already caught a typo.

This feature is hot:

Client-side session and persistent storage:  New support for storing structured data on the client side, to enable better handling of online transactions and improved performance when dealing with large amounts of data, such as documents and mailboxes. This is based on the WHATWG specification for client-side session and persistent storage.

Load balancing DNS with keepalived

Keepalived currently only supports load balancing TCP traffic.  However, DNS runs over UDP, so how can you load balance DNS traffic using keepalived?  I had mentioned in my Load Balancing vs Failover post that I’d give you a trick to accomplish this, so here it is…

Keepalived is essentially a wrapper around Linux Virtual Server (LVS), which is built into most modern kernels.  LVS supports load balancing of both TCP and UDP traffic.  (Keepalived also includes VRRP and Healthchecks, but that’s off-topic.)  Lucky for us, DNS servers happen to listen for TCP connections in addition to UDP.  They do this in order to handle queries that are larger than the old RFC limit of 512 bytes.

The simple trick I use in order to load balance DNS traffic is to configure keepalived to load balance TCP port 53 just like you would load balance any other TCP port, such as http or smtp.  Then use keepalived’s notify_up / notify_down script calling feature to manually configure LVS for load balancing the corresponding UDP port.

For example:

virtual_server 123.456.78.9 53 {
  delay_loop 6
  lb_algo wrr
  lb_kind DR
  persistence_timeout 0
  protocol TCP
  ha_suspend
  real_server 10.0.0.1 53 {
    weight 1
    notify_down "/sbin/ipvsadm -d -u 123.456.78.9:53 -r 10.0.0.1:53"
    notify_up   "/sbin/ipvsadm -a -u 123.456.78.9:53 -r 10.0.0.1:53 -g -w 1"
    TCP_CHECK {
      connect_timeout 6
    }
  }
  real_server 10.0.0.2 53 {
    weight 1
    notify_down "/sbin/ipvsadm -d -u 123.456.78.9:53 -r 10.0.0.2:53"
    notify_up   "/sbin/ipvsadm -a -u 123.456.78.9:53 -r 10.0.0.2:53 -g -w 1"
    TCP_CHECK {
      connect_timeout 6
    }
  }
  real_server 10.0.0.3 53 {
    weight 1
    notify_down "/sbin/ipvsadm -d -u 123.456.78.9:53 -r 10.0.0.3:53"
    notify_up   "/sbin/ipvsadm -a -u 123.456.78.9:53 -r 10.0.0.3:53 -g -w 1"
    TCP_CHECK {
      connect_timeout 6
    }
  }
}

Using the above configuration, whenever healthchecks finds that TCP port 53 is not responding on one of the real servers, it removes the TCP port from the pool of available servers, and then notify_down immediately calls ipvsadm to take the corresponding UDP port out of its pool of available servers as well.  So keepalived (LVS) stops routing traffic for both TCP and UDP to the dead server whenever the TCP port fails.

Likewise, when healthchecks finds that TCP port 53 is back up, notify_up calls ipvsadm to add it back into the pool of available servers.

There is one additional thing that you must do in order to make this all work.  Keepalived does not call notify_up at startup, so you must also add the ipvsadm command to the keepalived init script, so that the UDP ports get brought up when keepalived launches.
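An added example (not from the original post) of the init-script addition described above, using the VIP and real servers from the configuration shown earlier. Note that the notify_up command uses ipvsadm -a, which only succeeds if the UDP virtual service already exists, so the startup script must first create that service with ipvsadm -A. The ipvsadm path and the IPVSADM override for dry runs are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): bring up the UDP side of the
# DNS pool when keepalived starts, since keepalived does not call notify_up
# at startup. Mirrors the TCP virtual_server: wrr scheduling, direct routing.
VIP="123.456.78.9"                      # placeholder VIP from the post's config
DNS_PORT=53
REAL_SERVERS="10.0.0.1 10.0.0.2 10.0.0.3"
IPVSADM="${IPVSADM:-/sbin/ipvsadm}"     # assumption; set IPVSADM=<stand-in> to dry-run

# Print the ipvsadm argument lists, one per line.
# -A creates the UDP virtual service (notify_up's "-a" needs it to exist);
# -a adds each real server in direct-routing mode (-g) with weight 1.
udp_pool_commands() {
    echo "-A -u $VIP:$DNS_PORT -s wrr"
    for rs in $REAL_SERVERS; do
        echo "-a -u $VIP:$DNS_PORT -r $rs:$DNS_PORT -g -w 1"
    done
}

# Apply the commands. A failure (e.g. entry already present after a restart)
# is reported but does not abort the rest of the pool setup.
udp_pool_up() {
    udp_pool_commands | while read -r args; do
        # word splitting of $args is intended
        "$IPVSADM" $args || echo "warning: ipvsadm $args failed" >&2
    done
}

udp_pool_up
```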