All posts by Pistolfly

Software Engineer in Tokyo, Japan

Setting the maximum send / receive size of Postfix

/etc/postfix/main.cf

message_size_limit = 20480000

The default when message_size_limit is not specified is 10240000 (10MB).

For the complete parameter list of main.cf, see the postconf(5) man page.

$ man 5 postconf
message_size_limit (default: 10240000)
       The maximal size in bytes of a message, including envelope information.

Caution

Be careful when changing message_size_limit.
message_size_limit must not be larger than mailbox_size_limit.
If message_size_limit is larger than mailbox_size_limit, you can't receive any messages.

The default of mailbox_size_limit is 51200000 (50MB).
Zero means no limit.

mailbox_size_limit = 0
mailbox_size_limit (default: 51200000)
       The  maximal  size  of any local(8) individual mailbox or maildir file, or zero (no limit).  In fact, this limits the size of any
       file that is written to upon local delivery, including files written by external commands  that  are  executed  by  the  local(8)
       delivery agent.

       This limit must not be smaller than the message size limit.
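As an added example (not code from the original post), here is a POSIX sh check that applies the rule above to a main.cf-style file: it reads the two parameters, substitutes the postconf(5) defaults quoted above when a parameter is not set, treats mailbox_size_limit = 0 as "no limit", and fails when message_size_limit exceeds a non-zero mailbox_size_limit. The sample configuration files are constructed inline.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a Postfix
# main.cf does not set message_size_limit above mailbox_size_limit.
# Defaults are the postconf(5) defaults quoted in the post.

# Print the effective numeric value of a parameter from a main.cf-style
# file ($1), falling back to the given default ($3) when $2 is not set.
# Postfix uses the last definition, so the last match wins here too.
postfix_param() {
    value=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$1" | tail -n 1)
    if [ -z "$value" ]; then
        echo "$3"
    else
        echo "$value"
    fi
}

# Return 0 when the limits are consistent, 1 when message_size_limit
# exceeds a non-zero mailbox_size_limit (local delivery would then fail).
check_postfix_limits() {
    cf="$1"
    msg=$(postfix_param "$cf" message_size_limit 10240000)
    box=$(postfix_param "$cf" mailbox_size_limit 51200000)
    if [ "$box" -ne 0 ] && [ "$msg" -gt "$box" ]; then
        echo "$cf: message_size_limit ($msg) exceeds mailbox_size_limit ($box)" >&2
        return 1
    fi
    echo "$cf: message_size_limit=$msg mailbox_size_limit=$box: OK"
    return 0
}

# Constructed sample files for demonstration (not real configurations).
tmp=$(mktemp -d)
printf 'message_size_limit = 20480000\n' > "$tmp/ok.cf"
printf 'message_size_limit = 60000000\n' > "$tmp/bad.cf"
printf 'message_size_limit = 60000000\nmailbox_size_limit = 0\n' > "$tmp/unlimited.cf"

check_postfix_limits "$tmp/ok.cf"
check_postfix_limits "$tmp/bad.cf" || echo "bad.cf rejected as expected"
check_postfix_limits "$tmp/unlimited.cf"
rm -rf "$tmp"
```

On a live system the same comparison can be made against `postconf message_size_limit mailbox_size_limit`, which already resolves defaults; the file-based version above is only so the example runs without Postfix installed.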

map (collect) method on an array of ActiveRecord objects

Let's assume there is a model `Member` and the table `members` has a column `name`.

class Member < ActiveRecord::Base
end

You can use the map (or collect) method as shown below.

members = Member.find(:all)
member_names = members.map(&:name)

This is thanks to the definition of Symbol#to_proc in ActiveSupport as shown below.

class Symbol
  def to_proc
    Proc.new { |obj, *args| obj.send(self, *args) }
  end
end

The code that uses the map method above is equivalent to the code below.

members = Member.find(:all)
member_names = members.map { |member| member.name }

Allowing ftp with iptables

When you allow FTP with iptables, accepting port 21 as shown below is not enough for the LIST command to work, because the directory listing is sent over a separate data connection.

# iptables -A INPUT -p tcp --dport 21 -j ACCEPT

You need to load two modules, ip_conntrack_ftp and ip_nat_ftp.
Edit /etc/sysconfig/iptables-config and add the following line, and they will be loaded automatically.

IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"

Then restart iptables.

# service iptables restart

Make sure the modules are loaded.

# lsmod
Module                  Size  Used by
nf_nat_ftp              7361  0 
nf_conntrack_ftp       13761  1 nf_nat_ftp
...(omitted)

Source: iptablesでftpを通す ("Allowing FTP through iptables")

Set up public key authentication with SSH

1. Generate a keypair using ssh-keygen

$ ssh-keygen -t rsa

You will be prompted for a filename under which to save the keypair. Press Enter to accept the default filename.
Then enter the passphrase twice.
The keypair files below are generated in ~/.ssh.

  • id_rsa
  • id_rsa.pub

2. Add public key to the remote SSH server

Copy the public key file generated in step 1 to the user's home directory on the remote server using scp or ftp.

$ scp ~/.ssh/id_rsa.pub user@host:

On the remote server, append the public key to ~/.ssh/authorized_keys using the cat command and redirection.

$ cat id_rsa.pub >> ~/.ssh/authorized_keys

Modify the permissions of the ~/.ssh directory and ~/.ssh/authorized_keys so that only their owner can read or write them.

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
  • Pay attention to the permissions of the user's home directory on the client side.
    If write permission is set for anyone other than the owner, it's a problem.
    For example, when the file mode of /home/hoge is 777 and you attempt to connect with SSH, you will get the error below.

    Permission denied (publickey,gssapi-with-mic).

    In this case the log file on the server side (/var/log/secure) says

    Authentication refused: bad ownership or modes for directory /home/hoge

    You should set the home directory's permissions to 700, 711, or 755.

3. Attempt to log in with public key authentication

$ ssh -l user host

You will be prompted for a passphrase; enter the passphrase you specified when running ssh-keygen.
Note that the passphrase is NOT the user's password.

4. Client side

Copy the private key file (id_rsa) to ~/.ssh on the client side.

  • Pay attention to the permissions of the private key file.
    Below is the error shown on Mac OS X.

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions 0640 for '/Users/xxx/.ssh/id_rsa' are too open.
    It is recommended that your private key files are NOT accessible by others.
    This private key will be ignored.
    bad permissions: ignore key: /Users/xxx/.ssh/id_rsa
    Permission denied (publickey,gssapi-with-mic).

    Set the permissions of id_rsa to 600 and it will work.

  • If you use cwRsync, copy the private key file (id_rsa) into the .ssh directory under the HOME environment variable (the same directory in which known_hosts is created).

    For example:

    If HOME is /home/pistolfly and the cygwin directory is C:\cygwin, use C:\cygwin\home\.ssh.
    (You can also specify the path to the private key file with the -i option in rsync's -e or --rsh option.)

5. Disable password authentication

Edit /etc/ssh/sshd_config (server side)

Modify

PasswordAuthentication yes

to

PasswordAuthentication no

Disable root login.

PermitRootLogin no

Reload sshd as root. Don't log out of the root session yet; keep it open until you have confirmed from a new session that public key login works.

$ /etc/init.d/sshd reload
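As an added example (not code from the original post), here is a POSIX sh audit that covers the whole procedure above: it checks the modes that the two quoted error messages complain about (sshd's "bad ownership or modes" check on the home directory and ~/.ssh, and the client's "UNPROTECTED PRIVATE KEY FILE" check on id_rsa) and then the two sshd_config settings from step 5. The expected modes are the ones the post gives; the demo home directory, key files and sshd_config are constructed inline, and the helper names (mode_of, audit_ssh_dir, sshd_setting, check_sshd_config) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the ~/.ssh layout and
# sshd_config settings described in the post. Expected modes: home directory
# 700, 711 or 755; ~/.ssh 700; authorized_keys and id_rsa 600.
# Assumes GNU stat; a BSD/macOS stat fallback is included.

# Print the permission bits of a path in octal, e.g. 755.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Audit one home directory. Prints each problem found and returns the
# number of problems, so 0 means the layout is clean.
audit_ssh_dir() {
    home="$1"
    problems=0
    case "$(mode_of "$home")" in
        700|711|755) ;;
        *)  echo "$home: mode $(mode_of "$home"), want 700, 711 or 755"
            problems=$((problems + 1)) ;;
    esac
    if [ "$(mode_of "$home/.ssh")" != 700 ]; then
        echo "$home/.ssh: mode $(mode_of "$home/.ssh"), want 700"
        problems=$((problems + 1))
    fi
    for f in authorized_keys id_rsa; do
        if [ -e "$home/.ssh/$f" ] && [ "$(mode_of "$home/.ssh/$f")" != 600 ]; then
            echo "$home/.ssh/$f: mode $(mode_of "$home/.ssh/$f"), want 600"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Print the first value set for a keyword ($2) in an sshd_config file ($1).
# sshd uses the first occurrence of a keyword; commented lines are ignored
# and Match blocks are not handled in this example.
sshd_setting() {
    grep -i -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{ print tolower($2) }'
}

# Return the number of step-5 settings that are not in effect (0 = both set).
check_sshd_config() {
    problems=0
    for kw in PasswordAuthentication PermitRootLogin; do
        if [ "$(sshd_setting "$1" "$kw")" != no ]; then
            echo "$kw is not set to no in $1"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed demo: a home directory with the modes from the post's error
# messages (home 777, id_rsa 0640), then the same tree after fixing them.
demo=$(mktemp -d)
mkdir -p "$demo/hoge/.ssh"
touch "$demo/hoge/.ssh/authorized_keys" "$demo/hoge/.ssh/id_rsa"
chmod 777 "$demo/hoge"
chmod 700 "$demo/hoge/.ssh"
chmod 600 "$demo/hoge/.ssh/authorized_keys"
chmod 640 "$demo/hoge/.ssh/id_rsa"
audit_ssh_dir "$demo/hoge" || echo "-> $? problem(s) found"
chmod 755 "$demo/hoge"
chmod 600 "$demo/hoge/.ssh/id_rsa"
audit_ssh_dir "$demo/hoge" && echo "-> clean"
printf 'PasswordAuthentication no\nPermitRootLogin no\n' > "$demo/sshd_config"
check_sshd_config "$demo/sshd_config" && echo "-> sshd_config OK"
rm -rf "$demo"
```

Run `audit_ssh_dir /home/user` on the server before reloading sshd in step 5, and `check_sshd_config /etc/ssh/sshd_config` afterwards while the root session from step 5 is still open; a non-zero return from either is the cue to fix modes or settings before closing that session.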