My Web App Isn’t a Spammer

At work we build and host web based applications. As part of that, our applications generate email. We don’t get too fancy with sending email, we just shoot it out using Windows Internet Information Services (IIS) SMTP service. Traditionally we never really configured it, we just turned it loose.

As the world becomes more and more spam conscious, we spend more time suggesting to our clients that they might have to keep an eye on their spam folders just in case our emails aren’t showing up. Heck, sometimes emails sent to ourselves, as part of testing, don’t show up either. That’s not really an ideal approach and I finally sat down late last week to fix things up a bit.

[Image: Show Original in Google Mail]

First I had our server send me an email to my Google Apps account and checked out the “original” version of the mail – this is a nice feature of Google Mail that a lot of folks haven’t noticed, but it comes in handy for stuff like this:

Two of the lines in the header tell a grim story:

Received-SPF: softfail (google.com: best guess record for domain of transitioning noreply@mycompany.com does not designate 5.79.185.165 as permitted sender) client-ip=5.79.185.165;

Authentication-Results: mx.google.com; spf=softfail (google.com: best guess record for domain of transitioning noreply@mycompany.com does not designate 5.79.185.165 as permitted sender) smtp.mail=noreply@mycompany.com

Clearly I have things to fix.

Sender Policy Framework

First I tackled SPF – for some reason I had no SPF DNS records defined. SPF stands for Sender Policy Framework and you can read all about it over at Wikipedia. The short version is that it is a way for administrators to define which servers are allowed to send email for their domains. Mail servers then look for these SPF records to help determine if mail received is spam or legit.

I found a great SPF Wizard over at openspf.org and used it to determine what my record should look like. We’re a Google Apps customer so I had to make sure I included their servers as well as our assorted app servers. I specified some by IP, some by domain name, included the Google entry and got a record that looks roughly like this:

v=spf1 ip4:5.79.185.165 a a:demo.mycompany.com include:aspmx.googlemail.com ~all

I then popped over to my registrar and added that as a DNS TXT record. Actually, I did it twice. Once for just the domain name and one for the wildcarded subdomains. Gotta cover my bases for the next step.
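To make concrete what a receiving mail server does with that record, here is an added example (not from the post) that evaluates a client IP against the SPF record above. DNS answers are stubbed out with a constructed dictionary (the Google include record and the A addresses are made up) so it runs offline, and it only handles the mechanisms that appear in that record.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. A real evaluator
# queries TXT and A records; these answers are hard-coded and made up.
FAKE_DNS = {
    "TXT": {
        "mycompany.com": "v=spf1 ip4:5.79.185.165 a a:demo.mycompany.com "
                         "include:aspmx.googlemail.com ~all",
        # Constructed, not Google's real record.
        "aspmx.googlemail.com": "v=spf1 ip4:74.125.0.0/16 -all",
    },
    "A": {
        "mycompany.com": ["203.0.113.10"],       # constructed (TEST-NET-3)
        "demo.mycompany.com": ["203.0.113.20"],  # constructed
    },
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str, depth: int = 0) -> str:
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'
    for client_ip sending mail as domain."""
    if depth > 10:              # RFC 7208 limits include recursion
        return "permerror"
    record = FAKE_DNS["TXT"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"           # no record: receivers fall back to guessing
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"         # mechanisms default to "+" (pass on match)
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":     # a bare address is treated as a /32
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":       # "a" alone means the sending domain itself
            matched = client_ip in FAKE_DNS["A"].get(arg or domain, [])
        elif mech == "include": # only a "pass" from the included domain counts
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"            # fell off the end without matching anything
```

Swapping the trailing `~all` for `-all` turns the softfail for unknown senders into a hard fail, which is the usual next step once you are confident the record lists every legitimate sender.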

Reverse DNS and IIS

OK, next I tackled Reverse DNS. I wanted to make sure that the application mail server identified itself by a name that would match what other mail servers get when they look up its IP address. There are two pieces to this one: first my SMTP server, and second the actual reverse DNS configuration.

By default, IIS SMTP server gives out its internal FQDN (fully qualified domain name) – in other words, something like webserver.ad.companyname.com. For me, this is never the same as the external DNS name – for instance, application.companyname.com. Fixing this in IIS SMTP had stumped me for the longest time… but it turns out it is pretty easy to fix.

If you want to see what yours is doing just telnet to port 25 of the mail server and check the greeting. Top of the banner will be the machine name. You can hit enter a few times and then HELO and have a conversation or just type “quit” to be done.

To change the name, go into IIS Manager, right-click on the SMTP node and click properties. Go to the Delivery tab and click “Advanced…” at the bottom. As mentioned, by default the FQDN field is the machine’s internal name. I initially tried setting a value in the “Masquerade domain” field but that didn’t seem to change anything (I guess I should research that…). I took a deep breath and just changed the FQDN field to the server’s external name. Fortunately, all heck did not break out and mail continued to get processed. A quick telnet test showed the right address.

Next I contacted our co-location provider and asked them to set up the reverse DNS for my server’s IP. 10 minutes later the server name, the IP, and the reverse DNS all matched. Fun!
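The three-way match described here (the name in the SMTP greeting, the PTR record for the IP, and the A record for that name) can be checked mechanically. This is an added example, not code from the post; the greetings are constructed from the IIS banner format, the IP is the one from the post, and the host names and the stubbed DNS answers are assumptions standing in for real lookups.

```python
import re

# Constructed DNS answers so the example runs offline. In practice these
# come from a PTR query on the IP and an A query on the resulting name.
FAKE_PTR = {"5.79.185.165": "application.mycompany.com"}
FAKE_A = {
    "application.mycompany.com": ["5.79.185.165"],
    "webserver.ad.mycompany.com": ["10.0.0.5"],  # internal name, private address
}

# Constructed greetings: what "telnet server 25" showed before and after the
# FQDN field was changed in IIS Manager.
BEFORE_GREETING = "220 webserver.ad.mycompany.com Microsoft ESMTP MAIL Service ready"
AFTER_GREETING = "220 application.mycompany.com Microsoft ESMTP MAIL Service ready"


def banner_hostname(greeting: str) -> str:
    """Pull the host name out of the SMTP 220 greeting line."""
    m = re.match(r"220[ -](\S+)", greeting.strip())
    if not m:
        raise ValueError("not a 220 greeting: %r" % greeting)
    return m.group(1).lower()


def check_fcrdns(ip: str, greeting: str) -> dict:
    """Report whether the announced name, the PTR for ip, and the A record
    for the PTR name all agree (forward-confirmed reverse DNS)."""
    name = banner_hostname(greeting)
    ptr = FAKE_PTR.get(ip, "").lower()
    results = {
        # The server announces the same name reverse DNS gives for its IP.
        "banner_matches_ptr": name == ptr,
        # The PTR name resolves forward to the IP it came from.
        "ptr_resolves_back": ip in FAKE_A.get(ptr, []),
        # The announced name resolves to the connecting IP at all.
        "banner_resolves_to_ip": ip in FAKE_A.get(name, []),
    }
    results["ok"] = all(results.values())
    return results
```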

Results?

Sent another test email to myself and the headers look a lot better now (compare to the ones above):

Received-SPF: pass (google.com: domain of noreply@mycompany.com designates 5.79.185.165 as permitted sender) client-ip=5.79.185.165;

Authentication-Results: mx.google.com; spf=pass (google.com: domain of noreply@mycompany.com designates 5.79.185.165 as permitted sender) smtp.mail=noreply@mycompany.com

Neat, huh? This isn’t a cure-all, but I think just these few changes will make a big difference in our mail getting through.

For testing, I found the reports at allaboutspam.com were incredibly helpful. I just set up a quick ASP page to send test mails from my application server to their test service and they’d bounce it back with a nice report link. Slick.

Quick Tip: WordPress on 1and1.com

I recently finished up a custom WordPress project for a client hosted at 1and1.com. Now, 1&1 is a pretty major hosting company, but this is the first time I’ve ever deployed WordPress there so I wasn’t quite sure what to expect.

Initially, everything seemed just fine — until the first WP minor upgrade was released. The automatic upgrade failed. A quick web search taught me that you need to add a line to the .htaccess file for the auto upgrades to work:

AddType x-mapp-php5 .php

This is how you tell 1&1 to use PHP5 instead of the default PHP4.

Note: If you haven’t ever set pretty permalinks you may not have a .htaccess file. Just create one with that one line and upload it to the main WP directory.

This tip is easily found with a quick web search. However, I’ve noticed that a lot of people aren’t sure where to add the line so let’s touch on that briefly.

When WordPress edits your .htaccess file it puts all of its changes between the # BEGIN WordPress and # END WordPress lines.  You can safely infer that anything you put between those two lines is not guaranteed to be there forever. For instance, if you change your permalinks that section will get re-written. In other words, don’t make changes between those two lines!

If you put your changes above the # BEGIN line then they’ll live through WP changes. Just that simple. Here’s mine for example:

AddType x-mapp-php5 .php
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Done Digging Digsby

[Image: Digsby logo]

Over a year and a half ago I announced that I was “digging Digsby” the multi-protocol instant messaging application. What wasn’t to love? It handled most instant messaging networks, Twitter, Facebook (added later) notifications and chat, along with some pretty solid email notification features as well. Oh, and all your settings are managed separately so that a new installation is ready to go almost instantly. (Dunno about you, but I always forget my various IM network passwords…)

Now, it hasn’t all been roses. For one thing, Digsby does a lot, but it also uses a lot of memory. That’s not so great on my netbook and older machines with limited resources.

Secondly, they like to send direct messages urging you to vote for them in various contests and polls. OK, that’s marketing, I get it – this thing is free after all, but it gets annoying over time.

Speaking of free? While the installer is no longer littered with as many crap-ware apps to dodge, there have been some rough edges on that journey.

Finally, this week, I received an email (I guess I opted in at some point…) pushing me towards a “Tweet for Money” scheme that the Digsby guys must’ve partnered with.

Final straw. “Make money on twitter schemes” are a major pet peeve for me.

Maybe Digsby should offer a pay option?

Replacing Digsby

After looking around, I haven’t really found anything that could do everything that Digsby does in one package. Trillian’s Astra might get close, but I really didn’t like how it handled Twitter and Facebook. So, back to a collection of utilities.

[Image: Pidgin avatar]

Instant Messaging – Back to Pidgin. Actually, running the PortableApps version from my Dropbox account. That way my config is ready to go from all my machines – and the logs are centralized. One spot to update too.

Social Networking – I’m using TweetDeck for twitter and facebook. When I had last looked at it (last year sometime?) I didn’t like it at all. Now it pretty much blows me away.

Mail notification – At the moment I’m relying on the Firefox add-on Gmail Manager. While Firefox isn’t necessarily the default browser on all of my machines, it is almost guaranteed to be running.

TweetDeck and Gmail Manager both can be configured to do nice little popup notifications in the bottom left of the screen. I’m a fan of that.

What are other folks using for this stuff? Any good “all-in-one” apps that I’ve missed?

Recycling an Old Server with Openfiler

[Image: Openfiler]

A month or so ago I retired my old VMware Server hardware when I brought the new ESXi server online. Since then it had been sitting in the rack, dark and dusty. A shameful thing to do with over a terabyte of storage, right? Sure, the server specs aren’t cutting edge (dual hyper-threaded 3.0 Xeons) but it certainly isn’t garbage either.

This week I took the plunge and installed Openfiler on that server to make it easier to use all that idle storage.

Openfiler converts an industry standard x86/64 architecture system into a full-fledged NAS/SAN appliance or IP storage gateway and provides storage administrators with a powerful tool to cope with burgeoning storage needs.

The base is rPath Linux, a “vanilla distribution,” and if you’ve ever installed Linux you will be right at home with this installer. That being said, be sure to follow the guidance in the Installation How-Tos. There are some wrinkles to be aware of… Like, be sure to set up your partitions manually, as automatic partitioning won’t work.

Everything is managed via a web interface. It is slick and well-polished, and the options are easy to find. I like it and it definitely beats the tar out of wandering through text files to get everything configured (I’m sure that’s an option if you’re into masochism though! There is a console and login access).

Once I had it installed I decided that I wanted to integrate Openfiler with my existing Active Directory network for the users and permissions management. This could be a bit more intuitive… and I should point out that while the product is free, there’s little doubt that one goal of the Openfiler folks is to sell support. This may explain why there aren’t tons of docs on the site. ;-)

[Image: Openfiler AD integration]

All cynicism aside, most tasks are easy to puzzle out – but not AD integration! My first attempt didn’t work at all. Fortunately, I found an article at EduGeek.net that was immensely helpful, “Openfiler 2.3 Integration with Active Directory.” Without it I’d probably still be stumbling around. With it, I was up and going within 10 minutes.

There are tons of options that I haven’t even glanced at. iSCSI, CIFS, NFS, rsync, NIC bonding, snapshots, etc. etc. Check out the tour for more information.

If you have an old server lying around, Openfiler seems like a great way to bring some storage online.

VMware Player is more than a Player

I’ve mentioned VMware Player here a lot in the past and always with the caveat that while it is great to run virtual machines, it can’t create them (without hacks). After all, the name is “Player” right?

That all changed when version 3 of Player was released last month.

Here’s a section of the Player “home” screen. Can you spot the crazy new feature?

VMware Player has a Create option

Top option there is Create!

Not only does it offer a create option, it even has a wizard called “Easy Install” that can dramatically streamline the create process. For instance, in this image I’m starting a new install and pointed it at my Windows Server 2008 iso:

Easy Install option

When I click “Next” it definitely gets easy:

The Easy Install options

Fill in a few fields, click “Next” and tell VMware Player where to put the machine files. Turn it loose and you don’t touch it again until the machine is ready for a logon.

Cool stuff.

This is great for “parity” with the competition (like VirtualBox) but I can’t deny that I’m a little miffed. I just bought VMware Workstation mainly to streamline the creation process… According to the FAQ, there’s not much extra in Workstation that I currently need:

Do I need another VMware product to use VMware Player?
No. VMware Player enables you to create and run virtual machines. However, if you need to leverage powerful developer-centric features such as Teams, multiple Snapshots and Clones, or Virtual Rights Management features for end-point security, you will need to upgrade to VMware Workstation.

Ah well. Live and learn, right?

But wait, there’s more!

A closer look at the release notes shows something interesting for the Windows 7 users:

Windows XP Mode Compatible — Import a Windows XP Mode virtual machine using VMware Player 3.0 and run the virtual machine without being prompted to enter a Windows XP license key. VMware Player enables the Windows XP Mode virtual machine to take advantage of more than one processor, render high-end graphics, integrate seamlessly with Unity, and transfer files easily with drag and drop, and shared folders. VMware Player also has the ability to run concurrently with Windows XP Mode.

Yeah, remember when I tried to convert a free Virtual PC image to VMware? It was virtually ugly. Perhaps VMware users now have an easy way to use the free, Microsoft-provided Internet Explorer App Compat images without having to install yet another virtual machine environment?

Fascinating. I may have to give that a shot soon.