sddlzz's Blog In WordPress

Google Search Tips

sddlzz — Sat, 24 Dec 2005 16:16:09 +0000

After reading a thread on Digital Point, I realized that a lot of people still don��t know about all the Google Operator commands. This list will help you control your Google search. There are a few more commands out there, but these are the ones I find most useful�� feel free to add your own in the comments.

link:www.yoursite.com – This command will show you all of the backlinks to your site. Handy tool for finding out who is linking to you.

related:www.yoursite.com – This command will show you a list of pages that Google thinks are related to your site in some way.

site:www.yoursite.com – Searches only those pages from the site you list.

allinurl: – If you start a query with [allinurl:], Google will restrict the results to those with all of the query words in the url. For instance, [allinurl: google search] will return only documents that have both ��google�� and ��search�� in the url.

define: – The query [define:] will provide a definition of the words you enter after it, gathered from various online sources. The definition will be for the entire phrase entered (i.e., it will include all the words in the exact order you typed them).

inurl: – If you include [inurl:] in your query, Google will restrict the results to documents containing that word in the url. For instance, [inurl:google search] will return documents that mention the word ��google�� in their url, and mention the word ��search�� anywhere in the document (url or no). Note there can be no space between the ��inurl:�� and the following word.

allintitle: – If you start a query with [allintitle:], Google will restrict the results to those with all of the query words in the title. For instance, [allintitle: google search] will return only documents that have both ��google�� and ��search�� in the title.

intitle: – If you include [intitle:] in your query, Google will restrict the results to documents containing that word in the title. For instance, [intitle:google search] will return documents that mention the word ��google�� in their title, and mention the word ��search�� anywhere in the document (title or no). Note there can be no space between the ��intitle:�� and the following word.

cache: – If you include other words in the query, Google will highlight those words within the cached document. For instance, [cache:www.subnixus.com web] will show the cached content with the word ��web�� highlighted.

info: – The query [info:] will present some information that Google has about that web page. For instance, [info:www.google.com] will show information about the Google homepage. Note there can be no space between the ��info:�� and the web page url.

spell: – Does a spell check of any given word.

stocks: – If you begin a query with the [stocks:] operator, Google will treat the rest of the query terms as stock ticker symbols, and will link to a page showing stock information for those symbols. For instance, [stocks: intc yhoo] will show information about Intel and Yahoo. (Note you must type the ticker symbols, not the company name.)

filetype: – Does a search for a specific file type, or, if you put a minus sign (-) in front of it, it won��t list any results with that filetype.

daterange: – Is supported in Julian date format only. 2452384 is an example of a Julian date.

maps: – Is a shortcut to do a google maps search.

phone: – Searches for anything that looks like a phone number.

allinlinks: – Searches only within links, not text or title.

allintext: – searches only within text of pages, but not in the links or page title.
dsfdsfasd

DHCP + DNS (bind) == DDNS

sddlzz — Sat, 24 Dec 2005 16:10:58 +0000

DHCP + DNS (bind) == DDNS

摘�?
Linux�?务器实现办公室内网IP动�?分�?�?�的机器�??访问。(2004-06-21 22:11:13)

By lanf, 出处：http://bbs.chinaunix.net/forum/viewtopic.php?t=344701

作者：q1208c

我们在办公室的时候，有时会去访问别的机器，如果是在windows下，我们多数时候会用机器�??去访问，因为netbios/wins会帮我们�?�把机器�?? 转�?IP的。下�?�给大家介�?一�?用动�?DNS�?�解�?机器�??的办法。�?过，�?是用的w2k的DDNS，而是用的Linux.

准备：一�?�（或两�?�）Linux�?务器，用�?��?�DHCP server和DNS server。也�?�以把它�?��?两�?��?务器。

安装：�?务器的安装过程，请�?�考其它文档，记�?把 dhcp 和 bind, bind-utils 装上就行了。

�?置：

一�?DHCP的�?置：

�?置DHCP server 时很简�?�，�?�以�?�考 /usr/share/doc/dhcp-x.xx/dhcpd.conf.sample�?��?�。也�?�以先把这个文件cp 到 /etc/dhcpd.conf，然�?�根�?�自己的需�?�?�适当修改。下�?�贴出我的一个/etc/dhcpd.conf，供大家�?�考：

ddns-update-style interim;
ignore client-updates;

key DHCP_UPDATER {
algorithm HMAC-MD5;
secret qhB++OR5yWo8BTXwk/m4ng;
};

zone bj.pnx. {
primary 127.0.0.1;
key DHCP_UPDATER;
}

zone 251.168.192.in-addr.arpa. {
primary 127.0.0.1;
key DHCP_UPDATER;
}

subnet 192.168.251.0 netmask 255.255.255.0 {
range 192.168.251.100 192.168.251.200;
# — default gateway
option routers 192.168.251.254;
option subnet-mask 255.255.255.0;

# option nis-domain “domain.org�?;
option domain-name “bj.pnx�?;
option domain-name-servers 192.168.251.63,192.168.251.254;

# option time-offset 28800; # PRC Standard Time
# option ntp-servers 192.168.251.220;
# option netbios-name-servers 192.168.1.1;

# range dynamic-bootp 192.168.0.128 192.168.0.255;
default-lease-time 21600;
max-lease-time 43200;

}

几个�?注�?的地方：
1. ‘ddns-update-style’
这个就是动�?DNS的更新方�?，有几个选项，我用的是interim，�?�以用 man dhcpd.conf找到�?�外的几个选项。

2. ‘ignore client-updates’
这个选项是�?�?许客户机更新DNS记录。当然，也�?�能�?许，但会有一点问题。

3. ‘key DHCP_UPDATER’
这个是更新DNS的KEY，是必须的。其中algorithm �?�的是生�?key的算法，key的生�?是用 ‘dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER’。

4. ‘zone’
�?更新的zone，如果是本机就是DNS server，primay 就写127.0.0.1，�?是其它机器是DNS server, 就写那�?�机器的IP。

别的都是一般DNS该有的了，�?注�?的是一定�?有 range 那一行，�?然就分�?了IP啦。

�?好以�?�，�?�以�?�动一下试试， service dhcpd start，如果没问题，把dhcpd改�?开机就�?�动，chkconfig –level 2345 dhcpd on。

二�?bind(named)的�?置。

关于bind(named)�?置的文章有很多了。这里�?�把与普通�?置�?�?�的地方写出�?�。
下�?�给我的named.conf供大家�?�考：

// generated by named-bootconf.pl

options {
directory “/var/named�?;
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// forwarders { 192.168.1.254; };
// query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

key DHCP_UPDATER {
algorithm HMAC-MD5;
secret qhB++OR5yWo8BTXwk/m4ng;
};

zone “.�? IN {
type hint;
file “named.ca�?;
};

zone “localhost�? IN {
type master;
file “localhost.zone�?;
allow-update { none; };
};

zone “0.0.127.in-addr.arpa�? IN {
type master;
file “named.local�?;
allow-update { none; };
};

zone “1.168.192.in-addr.arpa�? IN {
type master;
file “1.168.192.zone�?;
allow-update { key DHCP_UPDATER; };
};

zone “test.com�? IN {
type master;
file “test.com�?;
allow-update { key DHCP_UPDATER; };
};
include “/etc/rndc.key�?;

其中多了的是

key DHCP_UPDATER {
algorithm HMAC-MD5;
secret qhB++OR5yWo8BTXwk/m4ng;
};

这就是更新dns�?用的key，必须和dhcpd.conf里的一样。

还有就是�?个 zone 都�?�以用 key �?�update了。

这样就行了。然�?��?�动一下试试�?�。

你就�?�以ping 机器�??�?�找你�?�事的机器了。

本人�?�在windows客户机上试验过，Linux好象会有一点问题。哪�?有兴趣，共�?�研究一下。给Linux分�?的IP都　是没有主机�??的。因为我的客户机都是windows的，Linux的我都用�?��?IP。
hongfengyue 的补充
当客户端是linux时，需�?在linux客户端编辑一个文件/etc/dhclient.confDNS�?能更新，�?信你�?�以看看/var/lib/dhcp/的文件的内容，客户端分�?的IP没有Hostname的记录。
我的/etc/dhclient.conf内容如下：

send fqdn.fqdn "hostname";send fqdn.encoded on;send fqdn.server-update off;

但是我在Redhat8&9中还是�?行，�?�有在/etc/rc.d/rc.local中加入下�?�的命令：
/sbin/dhclient
注�?必须在/sbin存在这个�?�执行的文件。我知�?�在redhat中是存在的。

activate tun device in linux

sddlzz — Sat, 24 Dec 2005 16:08:25 +0000

Even if you enabled the TUN/TAP module in the kernel you have to:

- mkdir /dev/net- mknod /dev/net/tun c 10 200  (Linux kernel 2.4.x)

This is documented in install.html at the homepage.

greetings

christoph

Kai Dittmann schrieb:

Am Do, den 15.04.2004 schrieb Mike Dickson um 19:45:

Also, forgot to mention that the tun stuff is compiled directly intothe kernel:

CONFIG_NET_IPIP=y

< *> IP: tunneling

sddlzz — Sat, 24 Dec 2005 16:06:27 +0000

在flash中定义一个�?��?，例如theurl， 按钮上写 on (release) { _root.getURL(theurl); }  在html页�?�中，用flashVars�?�数�?�以给flash里�?�的�?��?赋值：

Running qmail under Gentoo Linux

sddlzz — Sat, 24 Dec 2005 16:04:56 +0000

Running qmail under Gentoo Linuxby Kris Kelley

NOTE: This guide was written for use with qmail ebuild 1.03-r13. The currentstable qmail ebuild is 1.03-r15. Several other ebuilds mentioned in thisdocumentation also have been updated since the last revision. Unfortunately,I do not expect to update this guide again any time soon, if ever. I nolonger work as an email system administrator, I no longer have qmail running onany of my systems, and my time away from work is now devoted to other projects.The good news is that the Gentoo website now has Gentoo-specific documentationabout qmail and its related software packages. I now recommend using theofficial documentation, as well as the Gentoo forums and the qmail mailinglist.

This guide will remain available at its original URL(http://www.skunkworx.org/guides/QmailOnGentoo.txt), for reference. Also, foranybody who might wish to adapt and/or update this guide, I am making itavailable under the Creative Commons Attribution-ShareAlike 2.0 license;details are available at the license website(http://creativecommons.org/licenses/by-sa/2.0/).

I would like to thank everyone who provided constructive criticism and words ofencouragement while I was actively maintaining this guide. I still believeqmail is the best email server program out there, for any platform, and I hopethe qmail and Gentoo communities continue to thrive.

Introduction

This document gives instructions on how to install, configure, and run qmail ona system running Gentoo Linux. I originally wrote this after I could not findany qmail documentation specific to Gentoo, despite Gentoo offering packages(or "ebuilds", to use Gentoo's terminology) for qmail and related software.

You are probably not reading this if you are not familiar with Gentoo Linux,but just in case, Gentoo is a relatively new distribution that aims at strikinga compromise between the convenience and compatibility of a linux installationbased on ready-made software packages, and the power and configurability of alinux installation built from source. For more details, visit Gentoo's website(http://www.gentoo.org). Gentoo's promise of being able to tailor softwareexactly to a system's specifications, while at the same time having a packagemanager easily keep track of it all, is what attracted me to this distribution,to say nothing of the recommendations I received from friends and coworkers.

You are probably also not reading this if you have not heard of qmail, but tobe thorough, Daniel J. Bernstein's qmail is an email server software package,providing the same general functionality of packages like Sendmail or ssmtp.qmail is undebatably the most secure email server software available forUnix-compatible operating systems, and I would argue that it is the most secureemail server software period. qmail also provides plenty of configurability,enough to suit the needs of almost any email-related task. The fact that qmailhas not had an official release since 1997, and yet continues to grow inpopularity without a single security alert, is testimony of its quality. qmailis not for the faint of heart, however. Even with a versatile package managerlike Gentoo's Portage, qmail requires some manual intervention, not to mentionfirm knowledge of what you are doing, to run optimally.

Things to Know before Starting

These instructions were written using Gentoo Linux 1.4, installed followingthe distributors' instructions, and the qmail ebuild provided by Gentoothrough its package manager, Portage. As of this writing, the recommendedGentoo ebuild for qmail is 1.03-r13. There may be instructions here that arespecific to these versions; in particular, earlier versions of the qmailebuild are significantly different from 1.03-r13, and I do not recommendtrying to use this guide with them. Also, Gentoo and Portage are highlycustomizable, and experienced Gentoo users who have heavily tweaked theirsystems may find these instructions completely off base.

The qmail ebuild is modeled on the process prescribed by "Life with qmail"(LWQ, http://www.lifewithqmail.org), written by Dave Sill. LWQ is *required*reading; the instructions given here mostly highlight the differences betweenLWQ and the qmail ebuild, as well as the manual steps needed to completeqmail's installation and configuration.

Gentoo's qmail ebuild includes several patches to the original source code.These patches fix minor, non-critical bugs, and also provide additionalfeatures not present in the author's distribution of qmail 1.03, such as theability to encrypt SMTP sessions with SSL, and the ability to authenticatesessions with passwords unique to each user on your system.

(NOTE: The current version of LWQ makes use of a package called netqmail.netqmail 1.05 is a patched version of qmail 1.03. Bugs and incompatibilitiesfixed by netqmail 1.05 are also fixed by Gentoo's 1.03-r13 ebuild for qmail,and therefore LWQ is still an essential source of information, even for Gentoousers.)

IMPORTANT: qmail, as well as any software package written in the Cprogramming language, relies on a package called glibc to provide the basicC function libraries. As of this writing, Gentoo's recommended glibc ebuildis version 2.3.2-r9. Because of an old coding method that is no longersupported by the authors of glibc, all qmail ebuilds older than 1.03-r10 (aswell as the unpatched source code for qmail 1.03) ARE NOT COMPATIBLE with anyebuilds based on glibc 2.3.2! To ensure smooth installation, make sure youare using the latest unmasked ebuilds of qmail and all software packagesqmail depends on (including daemontools, ucspi-tcp, checkpassword,cmd5checkpw, dot-forward, and queue-fix; more information about these packagesis provided below.)

Part One - Configuring Gentoo to Allow qmail's Installation

Before you can install qmail, you may need to configure Gentoo to allow youto do so. This requires knowing a few things about Gentoo and Portage.

One of Portage's features is the ability to keep track of "virtual" packages.Virtual packages are not specific software packages, but are definitionsthat can be matched by any Gentoo ebuild claiming to do so. When you install(or "merge") an ebuild that matches the definition of a virtual package,Portage considers that virtual package present on your system.

Gentoo keeps a list of default ebuilds it will use to satisfy virtual packageneeds. An ebuild from this list is merged whenever the associated virtualpackage is requested and a matching ebuild is not already present. Many ofthese ebuilds are added to the system during Gentoo's initial set-up.

Much of Gentoo's behavior is governed by a set of configuration filescollectively known as a "profile." Included in a profile is the default listfor satisfying virtual package requirements. Regardless of what profile youuse, you can look at the associated files in /etc/make.profile. Editingthese files is not a good idea, unless you are planning on building your ownprofiles for distribution.

Besides the default list supplied by a profile, Gentoo also keeps a list ofvirtual packages actually present on your system, and the ebuilds thatrepresent those virtual packages. Gentoo keeps this list in the file/var/cache/edb/virtuals. Whenever you merge an ebuild that satisfies therequirements for a virtual package, that virtual package's entry is createdor updated in /var/cache/edb/virtuals.

Gentoo ebuilds can be designed to block their own installation if they wouldconflict with other software already present on the system. These blocks canbe based on virtual packages as well as specific ebuilds.

Gentoo controls the presence of an email server (or, more accurately, a "mailtransfer agent") with the virtual package "virtual/mta". Gentoo's qmail ebuildis a virtual/mta package, but of course it is not the only one. If youfollowed all instructions for installing Gentoo, ssmtp will be present on yoursystem, and will be listed in /var/cache/edb/virtuals. Because most systemsreally only need one mail transfer agent, the ebuilds for ssmtp, qmail, andother MTAs will block installation if a virtual/mta package is already present.

So, if ssmtp or some other virtual/mta package is already installed on yoursystem, you will need to allow qmail to be installed on your system. There aretwo good ways of doing this:

1. Uninstall the virtual/mta package currently on your system. Anyconfiguration you may have performed to run the current MTA on yoursystem, such as having it start automatically during system boot, willneed to be undone prior to removal.

2. Edit the qmail ebuild script to remove the virtual/mta block. Forversion 1.03-r13, the ebuild script is usually kept at/usr/portage/net-mail/qmail-1.03-r13.ebuild. The edit involves findingthe two lines that look like this:

RDEPEND="!virtual/mtavirtual/glibc

and replacing them with this one line:

RDEPEND="virtual/glibc

#2 is the recommended choice, as other components of your system may complainabout the sudden lack of a virtual/mta package. It is safe to keep yourcurrent MTA while installing and configuring qmail, as long as you do not tryto run both MTAs at the same time.

Once you have removed any currently installed virtual/mta packages, or havemodified the qmail ebuild script, you will be ready to install qmail.

IMPORTANT: Before you can emerge qmail and related ebuilds, you must alsohave the right system users and groups on your system. You will need usersnamed "alias", "qmaild", "qmaill", "qmailq", "qmailr", and "qmails", and groupsnamed "nofiles" and "qmail". Also, the alias user's home directory must be setto /var/qmail/alias. Normally this is all taken care of during Gentoo'sinstallation, specifically, when the baselayout package is emerged. If youhave since edited your users and groups files, removing entries you believedwere unnecessary, make sure you have the right users and groups beforeproceeding!

Part Two - Installing and Configuring qmail and Related Software

Thanks to Portage and the "emerge" command, all of the software required forrunning qmail is installed with a single command. However, keep in mind thatthe authors of Gentoo recommend you always run emerge with the "pretend" flagprior to installing any new packages, so that you know for certain what isabout to be installed on your system.

# emerge -p qmail

These are the packages that I would merge...

(NOTE: The 1.03-r13 qmail ebuild uses one USE flag, "ssl". You must set thisUSE flag, either in /etc/make.conf or in your shell's USE environmentvariable, if you want to install qmail with encrypted SMTP support. Moreinformation about encrypted SMTP is in appendix B.5)

Depending on what you already have available, you will see a number ofebuilds that Portage would merge along with qmail. Most likely you will see"ucspi-tcp", "daemontools", "dot-forward", "checkpassword", "cmd5checkpw", and"queue-fix" in this list. Except for "cmd5checkpw" and "queue-fix", these areadditional tools written by Bernstein, designed to provide a stable, easilyconfigurable environment for qmail. "ucspi-tcp" and "daemontools" inparticular are required packages for a qmail installation that conforms to LWQ,and Gentoo's default configuration appropriately defines qmail as dependent onthese packages.

(NOTE: "cmd5checkpw" is used to offer authenticated SMTP; see appendix B.3 formore information. "queue-fix" is used to initially create the qmail queue,that is, the folders qmail uses to temporarily store email that is beingprocessed; it can also be used to repair or recreate the queue when needed.)

Once you are satisfied in knowing what is going to be added to your system,run emerge again without the "pretend" flag.

# emerge qmail

When this command finishes, the system will be almost ready. Portage not onlyinstalls qmail and all related software, but also performs a number ofnecessary system configurations, and installs several scripts documented in LWQ.

Gentoo's qmail ebuild includes an option that allows for some additionalautomatic configuration. In fact, this extra configuration will be enough forqmail to run securely and effectively on many systems. However, while Irecommend taking advantage of this option to prevent any security checkpointsfrom being accidentally overlooked, this feature should not be considered asubstitute for following the rest of this guide, especially if qmail is to beused in a production environment. To perform the additional automaticconfiguration, run this command:

# ebuild /var/db/pkg/net-mail/qmail-1.03-r13/qmail-1.03-r13.ebuild config

If run, the above command will look up the machine's fully qualified domainname, and set up qmail to treat as local any email bound for this namespecifically. For example, if the fully qualified domain name ismachine.example.com, qmail will process for local delivery any email bound foraddresses ending in "@machine.example.com" (but not "@example.com"). qmailwill also be set up to allow SMTP (mail transport) connections from anywhere.For local connections, all email will be accepted, and any email notdestined for local delivery will be directed (or "relayed") to the appropriatedestination. For all other connections, only email destined for local deliverywill be accepted. These configurations may not be exactly what you want, socontinue reading to learn how to configure qmail to suit your needs.

(NOTE: Running the above ebuild command will also generate a self-signed SSLcertificate for use with encrypted SMTP. See appendix B.5 for moreinformation. If you plan on making use of encrypted SMTP, first edit/var/qmail/control/servercert.cnf, particularly the values in the "req_dn"section, before running the above ebuild command. This will ensure your newSSL certificate contains the correct information for your system. Rememberthat qmail needs to be emerged with the "ssl" USE flag for encrypted SMTP towork.)

From this point, follow LWQ starting with section 2.7. Refer to theinstructions below for Gentoo-specific notes related to each section.

2.7. daemontools has already been installed by Portage by this point,however, the daemontools ebuild does not change /etc/inittab. Instead,the ebuild provides an rc script for svscan in /etc/init.d. To ensurethat svscan will start during system boot, use Gentoo's rc-update commandto link the svscan rc script within the appropriate runlevel directoryor directories. If you plan on running qmail from the default runlevel,enter this command:

rc-update add svscan default

Note that starting svscan from an rc script does not protect it fromunexpected termination. If you would like to take advantage of init'sability to recreate processes that have died, do *not* use Gentoo's rcscript for svscan. Instead, edit /etc/inittab, adding this line:

SV:12345:respawn:/usr/bin/svscanboot

Note that the ebuild uses a different directory for daemontools'executables than the author's original package.

2.8.1. The qmail ebuild supplies a /var/qmail/rc script and a/var/qmail/control/defaultdelivery control file similar to the onesgiven in LWQ. In the Gentoo ebuild versions, comments are allowed in/var/qmail/control/defaultdelivery; any line starting with "#" will beignored.

The ebuild configures qmail to use maildirs, however, note that the name ofeach user's maildir directory is slightly different than that given in LWQ(".maildir/" instead of "Maildir/").

2.8.2.1. The qmail ebuild does not provide the /var/qmail/bin/qmailctlscript. Instead, a script named qmail-control is created and placed in/var/qmail/bin. qmail-control allows for qmail's services to be stoppedand started, and for the locals and virtualdomains control files (seebelow) to be reread. qmailctl offers the same functionality and more,providing an easy, convenient alternative to remembering several differentcommands. So, while creating /var/qmail/bin/qmailctl as documented in thissection of LWQ is not necessary, it is highly recommended.

The comments for Red Hat Linux's chkconfig tool are not needed. PATHdoes not have to include /usr/local/bin or /usr/local/sbin; thesedirectories are empty on a typical Gentoo system.

2.8.2.2. Gentoo's qmail ebuild creates all the necessary supervisescripts that are documented in this section of LWQ.

/var/qmail/supervise/qmail-send/log/run and/var/qmail/supervise/qmail-smtpd/log/run, as created by the qmail ebuild,are slightly different than those given by LWQ. The difference enables themultilog program to rotate the log files of qmail-send and qmail-smtpd whenthey reach approximately 2.5MB in size, instead of the default 100kB.

(NOTE: See http://cr.yp.to/daemontools/multilog.html for more informationabout how multilog maintains log files.)

/var/qmail/supervise/qmail-smtpd/run as provided by the ebuild is verydifferent from the one presented in LWQ. Generally speaking, version1.03-r13 of the qmail ebuild was designed so that qmail's functionalitycould be changed entirely with configuration files, removing the need formanipulating any qmail-related scripts or programs. In particular,the Gentoo version of /var/qmail/supervise/qmail-smtpd/run relies on theGentoo-specific control files /var/qmail/control/conf-common and/var/qmail/control/conf-smtpd for configuring qmail's SMTP service.Editing these files is not essential for basic qmail and SMTPfunctionality, and is also not recommended for those installing qmail forthe first time. Once you are comfortable with how qmail operates, andwould like to take advantage of features like authenticated SMTP or spamblacklisting, you can edit these configuration files to suit your needs.See appendix B for more information about editing the/var/qmail/control/conf-common and /var/qmail/control/conf-smtpdconfiguration files.

Creating the concurrencyincoming control file is optional. You can usethis file for setting the maximum number of concurrent connections allowed,or instead edit the appropriate section of /var/qmail/control/conf-common.If neither action is taken, qmail will limit the number of possibleconcurrent incoming SMTP connections to 40.

All log files under /var/log already exist by this point, as does the/service directory. You will need to create the symbolic links within the/service directory. Note that qmail will *not* start automatically afterthese links are created, *unless* svscan is running (see the notes above forLWQ section 2.7).

2.8.2.3. This section is not necessary if you used the optional "emerge"command for extra automatic configuration, described above. Otherwise,perform the steps in this section as given. Note that this sectionexpects you to have created the /var/qmail/bin/qmailctl script given in LWQsection 2.8.2.1.

2.8.3. If you haven't done so already, now is a good time to remove anyother virtual/mta packages from your system. For example, you can run thesecommands to remove ssmtp:

emerge -C mailbaseemerge -C ssmtp

Note that you should first undo any configuration you may have performed torun another email server on your system, such as having it startautomatically during system boot.

If qmail services began running while another virtual/mta package was stillbeing utilized, stop qmail as documented in this step. You can use theqmail-control script to do so if you decided not to create qmailctl.

The "sendmail" symbolic links will already exist by this point.

2.8.4. The qmail ebuild creates all of the .qmail files under/var/qmail/alias mentioned in this section. The .qmail files are empty,which means any email bound for the affected addresses will be directed touser alias's maildir. If this is not the behavior you want, follow LWQ'sinstructions for editing these files.

2.8.5. Again, svscan should be running before you try to start (orrestart) qmail using qmailctl (or qmail-control). See the notes for LWQsection 2.7 above.

2.9. Perform these steps as given to test your new installation.

Now follow the instructions given in LWQ section 3 to fully configure qmail toyour liking. If you performed the optional configuration discussed above, anumber of control files documented in LWQ section 3.1 will already exist bythis point:

/var/qmail/control/me/var/qmail/control/defaultdomain/var/qmail/control/plusdomain/var/qmail/control/locals/var/qmail/control/rcpthosts

Each of these files will contain a single line, the fully qualified domainname of the machine.

Gentoo's installation of qmail allows for several extra control files inaddition to those documented in LWQ section 3.1 They are described below:

Control Default Used by Descriptionbadmailto (none) qmail-smtpd blacklisted To addressesbadrcptto (none) qmail-smtpd blacklisted To addressesconf-common as given various configuration common to allof qmail's network servicesconf-pop3d as given qmail-pop3d configuration specific toqmail's POP3 serviceconf-qmqpd as given qmail-qmqpd configuration specific toqmail's QMQP serviceconf-qmtpd as given qmail-qmtpd configuration specific toqmail's QMTP serviceconf-smtpd as given qmail-smtpd configuration specific toqmail's SMTP servicemorebadrcptto (none) qmail-smtpd more blacklisted To addresses

Also, regular expressions can be used in badmailfrom and badmailto.

(NOTE: Yes, badmailto and badrcptto provide essentially the samefunctionality. That's what happens when a lot of different patches are used tomake a program as functional and configurable as possible.)

(NOTE: QMTP, the Quick Mail Transfer Protocol, is an alternative to SMTP,designed by qmail's author. QMTP is not compatible with SMTP, nor is it widelyused across the Internet. If you wish to read more about QMTP, have a look atLWQ section 5.11, and also Daniel Bernstien's documentation for QMTP(http://cr.yp.to/proto/qmtp.txt). More information about QMTP will be in afuture revision of this guide.)

(NOTE: QMQP, the Quick Mail Queueing Protocol, was designed by qmail's authorto allow multiple servers running qmail to pool their messages into a singlequeue on a centralized server. The outlying servers run a special configurationof qmail called "mini-qmail" and use QMQP to send their messages to the centralserver. Bernstien has documentation for mini-qmail(http://cr.yp.to/qmail/mini.html) and QMQP (http://cr.yp.to/proto/qmqp.html).More information about these features will be in a future revision of thisguide.)

(NOTE: The optional configuration discussed above will also create files"clientcert.pem", "rsa512.pem", and "servercert.pem" in /var/qmail/control.These files are your self-signed SSL certificate and are necessary forencrypted SMTP; more information about them is provided in appendix B.5. Theycan be safely ignored if you do not plan on using encrypted SMTP, or if youdid not emerge qmail with the "ssl" USE flag enabled.)

Part Three - After qmail Is Up and Running

Some tips for smooth operation and extended functionality.

* By default, Portage's "config file protection" extends to qmail'sconfiguration directory, /var/qmail/control. This feature prevents qmail'sconfiguration from being blindly overwritten by any future upgrades orremovals. Run "emerge -h config" for more information.

* Assuming you kept the default delivery instructions provided by Gentoo(/var/qmail/control/defaultdelivery), each user on your system will needa maildir named ".maildir" in his or her home directory. See LWQ section4.1.3 for more information.

* Refer any users on your system to LWQ section 4 for information on how toexert control over their incoming email.

* LWQ section 5.2.1 provides information on how to install and configurethe POP3 server that comes with qmail. If you decide to use this POP3server (qmail-pop3d), read through the steps given in LWQ section 5.2.1.2.If the standard checkpassword program meets your needs, then steps 1through 6 will already have been performed by the Gentoo qmail ebuild bythis point. The supervise scripts set up by the ebuild for POP3service are different from those given in LWQ, and the differences aresimilar to those described above for qmail-smtpd./var/qmail/supervise/qmail-pop3d/run is designed to read configuration from/var/qmail/control/conf-common and /var/qmail/control/conf-pop3d.Modifying these configuration files is not necessary for standard POP3functionality, and not recommended for those running POP3 service for thefirst time. Once you are familiar with how qmail's POP3 service operates,you can change these files to take advantage of features like alternativepassword checking programs, and POP-before-SMTP authentication. Appendix Bprovides more information about how to edit the configuration files, if youdecide to do so.

When you are ready to offer POP3 service, run the following command to allowsvscan to automatically start and supervise the qmail-pop3d process:

ln -s /var/qmail/supervise/qmail-pop3d /service

(NOTE: Gentoo used to provide a separate ebuild called qmail-pop3d thatwould install the necessary scripts for running qmail's POP3 server. Thecurrent qmail ebuild provides the same functionality, therefore theqmail-pop3d ebuild is no longer necessary.)

If you created the /var/qmail/bin/qmailctl script discussed in LWQ section2.8.2.1, follow steps 7 through 12 to add features related to qmail-pop3d.If you decided to keep the /var/qmail/bin/qmail-control script instead, itis already capable of starting and stopping qmail-pop3d.

If svscan is currently running, POP3 service should now be available.

* Portage merges the dot-forward ebuild along with qmail. dot-forwardallows people to create delivery instructions using Sendmail's format.Custom delivery instructions for Sendmail are usually kept in files named".forward", hence this package's name. See LWQ appendix B.1 for moreinformation.

Conclusion - Any Questions?

Your qmail server should now be ready for action. However, you may stillhave some questions or concerns.

If you are using Gentoo without many customizations, and you have a concernabout qmail's installation as performed by Portage, contact the maintainersof Gentoo, as they wish to be notified of any problems with their ebuilds.Their policy is to investigate the problem, and then notify the originalsoftware authors themselves if they determine the cause lies there. VisitGentoo's bug page (http://bugs.gentoo.org) for more information.

If you have successfully installed qmail, but now you have a question aboutits performance and/or your configuration, the qmail mailing list is theplace to ask experienced qmail users for information. However, please keepin mind these are people giving of their free time, and they are very tiredof reading the same questions over and over. I cannot emphasize this enough:READ THE DOCUMENTATION and, if appropriate, CHECK YOUR LOGS before asking aquestion on the list. LWQ, the qmail man pages, the web pages maintained byqmail's author at http://cr.yp.to, and especially the qmail mailing listarchives (http://www.ornl.gov/cts/archives/mailing-lists/qmail/) are allexcellent sources of information, and many list veterans consider all ofthese to be required reading. Should you decide a question to the list isnecessary, list veteran Charles Cazabon has written "12 Steps to qmail ListBliss"(http://www.qcc.ca/~charlesc/writings/12-steps-to-qmail-list-bliss.html),detailing what every list veteran would like to see happen when somebody hasa question about qmail.

If you have a question or comment about this guide in particular, feel freeto email me at skunkworx@kingwoodcable.com.

Appendix A - The qmail Program Chain

This section briefly describes how the various qmail programs are set up, andhow they interact with one another to provide qmail's services. Understandingthese interactions is essential if you plan on modifying your qmailinstallation to take advantage of additional features, such as those describedin appendix B. This section does not go into much detail, and is also somewhatspecific to the way qmail is installed and configured on Gentoo systems. For abetter and more general understanding of why and how these programs interactthe way they do, you are encouraged to read the referenced documentation.

The svscan init script (/etc/init.d/svscan) is used to start all of qmail'sservices. First, an svscan (http://cr.yp.to/daemontools/svscan.html) processis created. For every symbolic link created within the /service directory,svscan then creates and monitors two supervise(http://cr.yp.to/daemontools/supervise.html) processes. The second superviseprocess creates and monitors a multilog(http://cr.yp.to/daemontools/multilog.html) process, which will feed the outputof the first supervise process into a log file. The first supervise process'sactivity depends on the service.

For qmail-send, supervise executes and monitors the /var/qmail/rc script. Bydefault, this script in turn executes qmail-start, which in turn creates allthe processes in charge of processing qmail's message queue. These processesinclude qmail-send, qmail-clean, qmail-lspawn, and qmail-rspawn. Man pages areavailable for these four programs, and for qmail-start.

For qmail-smtpd, supervise creates and monitors a softlimit(http://cr.yp.to/daemontools/softlimit.html) process, designed to limit theuse of system resources and prevent runaway processes. softlimit in turncreates a tcpserver (http://cr.yp.to/ucspi-tcp/tcpserver.html) process,configured to listen for SMTP connections. For every SMTP connectionreceived, tcpserver creates a qmail-smtpd process to handle that connection.A man page is available for qmail-smtpd.

For qmail-pop3d, supervise creates and monitors a softlimit process, which inturn creates a tcpserver process configured to listen for POP3 connections.For every POP3 connection received, tcpserver creates a qmail-popup process tohandle that connection. qmail-popup displays to the connecting client a POP3greeting, then prompts for a login name and password. qmail-popup thenexecutes a password checking program to verify the login name and password.If the login name and password are valid, the password checking program willthen create a qmail-pop3d process to further handle that connection;otherwise, the password checking program will exit, causing the connection tobe dropped. Man pages are available for qmail-popup and qmail-pop3d.

(NOTE: If you followed the instructions for adding svscanboot to /etc/inittab,svscanboot (http://cr.yp.to/daemontools/svscanboot.html) will be executedduring system boot, which in turn will create the svscan process.)

Appendix B.1 - qmail Network Service Configuration

This section explains the environment variables that can be defined in/var/qmail/control/conf-common, /var/qmail/control/conf-smtpd, and/var/qmail/control/conf-pop3d. The values of these variables are in turn usedby /var/qmail/supervise/qmail-smtpd/run and/var/qmail/supervise/qmail-pop3d/run.

This section assumes an understanding of how the various programs interact toprovide qmail's services; see appendix A for an overview.

The configuration files provide default definitions for most of thesevariables. The defaults will be enough for many qmail users' needs.Appendices B.2 through B.5 provide examples of how the configuration files canbe changed to enable certain features in qmail. I *strongly* recommend leavingthese files alone until you are confident about what you are doing.

/var/qmail/control/conf-common provides definitions that affect all of qmail'snetwork services. /var/qmail/control/conf-smtpd and/var/qmail/control/conf-pop3d provide definitions that will affect only SMTPand POP3 services, respectively. Except where noted, these environmentvariables can be defined in conf-common or in a specific network service'sconfiguration file. A definition in a specific network service's configurationfile will override any definition of that variable in conf-common, unless theprevious definition is incorporated into the new definition.

* MAXCONN

The maximum number of concurrent connections that tcpserver will allow.If unset, tcpserver will use its internal default of 40. Normally, thisvalue is read from /var/qmail/control/concurrencyincoming.

* NOFILESGID

The GID of the system group that will run the tcpserver processes in chargeof providing qmail-related network services.

* QMAIL_CONTROLDIR

The directory for qmail's control files. This will almost always be/var/qmail/control. This variable is also defined in an /etc/env.dconfiguration file, so defining it again is really not necessary.

* QMAIL_POP3_CHECKPASSWORD

Specific to POP3. This variable defines the program that will be executedto verify a POP3 login's name and password. It is assumed that thisprogram provides the standard checkpassword interface, described athttp://cr.yp.to/checkpwd/interface.html, and further assumed that thisprogram can execute qmail-pop3d when a login name and password have beensuccessfully verified.

* QMAIL_POP3_POP3HOST

Specific to POP3. This variable defines the name of the machine thatqmail's POP3 service will identify as its host. By default, this is readfrom /var/qmail/control/me.

* QMAIL_POP3_POSTAUTH

Specific to POP3. Normally, the password checking program defined byQMAIL_POP3_CHECKPASSWORD will execute qmail-pop3d when a login name andpassword have been successfully verified. If this variable is defined, thepassword checking program will instead execute the program or string ofprograms given by this variable. It is assumed that qmail-pop3d and itscommand-line arguments can be passed as the final command-line arguments ofthis program chain.

* QMAIL_POP3_PREAUTH

Specific to POP3. After accepting a POP3 connection, tcpserver willnormally execute qmail-popup to provide the initial POP3 greeting andpassword prompt to the connecting client. If this variable is defined,tcpserver will instead execute the program or string of programs given bythis variable. It is assumed that qmail-popup and its command-linearguments can be passed as the final command-line arguments of this programchain.

* QMAIL_SMTP_POST

Specific to SMTP. This variable provides command-line arguments to executeqmail-smtpd with.

* QMAIL_SMTP_PRE

Specific to SMTP. After accepting an SMTP connection, tcpserver willnormally execute qmail-smtpd to provide SMTP service to the connectingclient. If this variable is defined, tcpserver will instead execute theprogram or string of programs given by this variable. It is assumed thatthat qmail-smtpd and its command-line arguments can be passed as the finalcommand-line arguments to this program chain.

* QMAIL_TCPSERVER_PRE

Normally, softlimit will execute tcpserver. If this variable is defined,softlimit will instead execute the program or string of programs given bythis variable. It is assumed that tcpserver and its command-line argumentscan be passed as the final command-line arguments to this program chain.

* QMAILDUID

The UID of the system user that will run the tcpserver processes in chargeof providing qmail-related network services.

* SOFTLIMIT_OPTS

Command-line arguments to execute softlimit with. Seehttp://cr.yp.to/daemontools/softlimit.html for more information about theoptions available.

* TCPSERVER_HOST

The IP address tcpserver will listen for connections on.

* TCPSERVER_OPTS

Command-line arguments to execute tcpserver with, in addition to-x, -c, -u and -g. See http://cr.yp.to/ucspi-tcp/tcpserver.html for moreinformation about the options available.

* TCPSERVER_PORT

The specific port of the IP address defined by TCPSERVER_HOST thattcpserver will listen for connections on. This can be defined in theconfiguration file specific to each network service, however, conf-commonas installed by the qmail ebuild will set the value of this variable equalto that of the SERVICE environment variable. SERVICE is defined by eachnetwork service's supervise script, "smtp" for SMTP, "pop3" for POP3, andso on. For this to work, these services need to be defined with portnumbers in /etc/services.

* QMAILQUEUE

Normally, qmail pipes all messages through a program called "qmail-queue."qmail-queue's task is to place each message into qmail's message queue,where later it will be picked up by qmail-send for further processing anddelivery. This environment variable, which by default is not set, allowsanother program to take the place of qmail-queue, providing the opportunityfor additional processing on each message before it is placed in the queue.See http://www.qmail.org/qqrbl for one example of a replacement qmail-queueprogram. Note: You better know what you are doing if you wish to takeadvantage of this feature. If you do not replace qmail-queue with aprogram that provides at least the same functionality, you will break yourqmail installation!

Appendix B.2 - Authenticated SMTP

Gentoo's installation of qmail allows SMTP sessions to be authenticated withthe ESMTP AUTH command. This permits you to restrict relaying priveleges topeople who have correct user names and passwords, instead of people who connectfrom certain IP addresses (the two methods can also be used together). TheESMTP AUTH command was designed to support different methods of passwordverification, and this implementation provides the three most popular methods:PLAIN, LOGIN, and CRAM-MD5. This makes qmail's authentication featurecompatible with most email clients currently available.

To enable authenticated SMTP, the QMAIL_SMTP_POST environment variable inthe conf-smtpd control file needs to be defined with three arguments. The manpage for qmail-smtpd explains what these arguments should be: a hostname, apassword checking program, and an additional subprogram. The hostname shouldbe the fully qualified domain name of your email server; it is used to generateCRAM-MD5 "challenges." The password checking program must conform to thecheckpassword standard defined at http://cr.yp.to/checkpwd/interface.html, withone additional requirement: If the password checking program is to supportCRAM-MD5, the program must be able to handle both unencrypted passwords andMD5-encrypted challenges and responses. The subprogram is executed by thepassword checking program if password verification was successful; usually setto /bin/true, the subprogram must return "true" when exiting.

(NOTE: checkpassword and other compatible programs are also used by qmail toauthenticate POP3 sessions, as explained earlier in this guide. Whenauthenticating POP3 sessions, the subprogram argument is necessary because,after verifying a user's name and password, the password checking program isexpected to execute qmail-pop3d. In the case of authenticated SMTP, thesubprogram really doesn't serve any purpose, which is why /bin/true isnormally used.)

The default conf-smtpd control file has configuration that, when uncommented,will enable authenticated SMTP, using cmd5checkpw as the passwordchecking program. cmd5checkpw keeps a list of allowed user names andpasswords in /etc/poppasswd; see the cmd5checkpw man page for more details.If cmd5checkpw suits your needs, uncomment the four environment variabledefinitions in the "SMTP-AUTH" section of conf-smtpd. Be sure to set up/etc/poppasswd as instructed by the cmd5checkpw man page for authentication towork properly.

Other password checking programs can be used. For example, checkpassword uses/etc/passwd and/or /etc/shadow, enabling system users to use authenticatedSMTP. To use checkpassword, edit conf-smtpd, uncommenting the four environmentvariable definitions mentioned in the above paragraph. Then, change the linedefining QMAIL_SMTP_CHECKPASSWORD to look like this:

QMAIL_SMTP_CHECKPASSWORD="/bin/checkpassword"

Remember to restart qmail afterward.

One advantage of using checkpassword over cmd5checkpw is that passwords do nothave to be stored in an unencrypted format on the server. This iscounterbalanced by the disadvantage of checkpassword not supporting CRAM-MD5;consequently, LOGIN or PLAIN must be used, which means passwords have to besent unencrypted across the network.

(NOTE: You may need to change the permissions of checkpassword for it to workproperly in this case. The program must be setuid root, otherwiseauthentication will fail. Run "chmod 6755 /bin/checkpassword" to givecheckpassword the proper permissions. Keep in mind that setting programs to besetuid root is generally a bad idea, and you may wish to look into otherpassword checking programs instead.)

(NOTE: If you plan on providing POP3 and/or IMAP service, you may want to usethe same authentication data across all email services. If you plan onproviding POP3 service using qmail's POP3 server, you can use the samepassword checking program for both POP3 and authenticated SMTP. Have a lookat the conf-pop3d control file, and make sure the QMAIL_POP3_CHECKPASSWORDenvironment variable is set to your liking.)

For more information about authenticated SMTP and how it works, Erwin Hoffmanhas written a tutorial, available at http://www.fehcom.de/qmail/smtpauth.html.

Appendix B.3 - Outbound Authenticated SMTP

qmail can also be instructed to use authenticated SMTP when relaying email toother servers. This is useful when you plan on routing all your email throughanother email server, such as the one provided by your Internet serviceprovider, and that server requires authentication.

If you have qmail configured to deliver all email to another server, then youshould have a single line in the smtproutes control file that looks similar tothis:

:mail.your-isp.com

To enable outbound authenticated SMTP, modify that line to include a usernameand password, both of which should be encoded in base64:

:mail.your-isp.com

This feature was patched into qmail. The patch's original author, JaySoffian, has documentation athttp://www.soffian.org/downloads/qmail/qmail-remote-auth-patch-doc.txt, whichincludes some Perl commands to help with base64 encodings. There are alsoweb-based base64 encoders available.

For the security-conscious, keep in mind that base64 encoding is not the sameas encrypting, and anybody who can see your smtproutes control file can learnyour passwords. Also, this feature uses LOGIN for authentication, which meansthe remote server must support LOGIN, and which also means your passwords willbe sent unencrypted across the network.

Appendix B.4 - POP-before-SMTP

An alternative to authenticated SMTP is POP-before-SMTP. When aPOP-before-SMTP system is in place, any user that first checks his or herincoming email with POP3 is then permitted, for a period of time, to relayoutgoing email through the server. POP-before-SMTP implementations accomplishthis by remembering POP3 clients' IP addresses, and looking for each SMTPclient's IP address in that list, granting relay permission if the address islisted. The list is periodically cleaned of old IP addresses, ensuring relaypermission is not granted for longer than necessary. While not as secure asauthenticated SMTP, POP-before-SMTP is a good solution that supports all emailclients, including those that cannot use authenticated SMTP.

POP-before-SMTP requires additional software, specifically, a program that willactually maintain the list of IP addresses permitted to relay. Portage offersrelay-ctrl, written by Bruce Guenter, for this purpose. Emerge this packagewith the following commands:

# emerge -p relay-ctrl

These are the packages that I would merge...

# emerge relay-ctrl

After emerge finishes, edit the conf-smtpd and conf-pop3d control files. Thedefault installation already includes the necessary configuration in each ofthese files, commented out. In conf-smtpd, uncomment the first two environmentvariable definitions in the section that begins with, "If you are interested inproviding POP or IMAP before SMTP..." In conf-pop3d, uncomment the twoenvironment variable defitions in the section for POP3 before SMTP. Aftersaving the changes, remember to restart qmail. POP-before-SMTP should nowwork.

(NOTE: This appendix assumes you are providing POP3 service, and that you areusing qmail-pop3d to do so. With relay-ctrl, it is possible to use adifferent POP3 server and still provide POP-before-SMTP. It is even possibleto provide "IMAP-before-SMTP" instead, using Courier IMAP. These examples arebeyond the scope of this guide, however, there is documentation for relay-ctrlat http://untroubled.org/relay-ctrl/ and for Courier IMAP athttp://www.inter7.com/courierimap.html, as well as notes about enablingIMAP-before-SMTP in the default installation of conf-smtpd.)

Appendix B.5 - Encrypted SMTP

Ordinarily, SMTP communications are "in the clear," with no encryption. Thismeans anybody who can eavesdrop on your network activity can monitor youremail traffic, snooping messages, sender and recipient addresses, and perhapseven SMTP authentication user names and passwords. Consequently, an extentionto the SMTP protocol was drafted, providing email servers with the ability toencrypt SMTP sessions by using the ESMTP STARTTLS command. Gentoo's qmailebuild allows encryption to be used on both incoming and outgoing SMTPconnections.

To enable encrypted SMTP, first make sure that you emerged qmail with the"ssl" USE flag enabled. Next, you must have an SSL server certificate inplace. If you ran the ebuild command for extra automatic configuration,described in Part Two above, then a self-signed certificate is already inplace. If you did not run the ebuild command, you can generate aself-signed certificate by first editing /var/qmail/control/servercert.cnf,filling in information specific to your server, and then running/var/qmail/bin/mkservercert. When the certificate generation processfinishes (using either command), three new files will appear in/var/qmail/control: servercert.pem, the server's new self-signed certificate,used for incoming SMTP connections; clientcert.pem, which can be a separatecertificate used for outgoing SMTP connections, but which by default is thesame as servercert.pem; and rsa512.pem, the private code-key used to decryptincoming SMTP traffic. Restart qmail after creating your certificate.

At this point, any client that supports the ESMTP STARTTLS command will beable to request an encrypted SMTP session; also, the server will automaticallyrequest an encrypted SMTP session when connecting to any remote host thatboasts ESMTP STARTTLS support. The server is ready to go. Furtherconfiguration is possible, providing, among other features, the ability torefuse outgoing email to remote hosts that do not support encryption, and theability to accept email from ecrypting clients that otherwise would have beenrejected. For more information, visit the web page for Frederik Vermeulen'soriginal patch for qmail (http://inoa.net/qmail-tls/).

Note that self-signed certificates may be rejected by some servers as insecureor untrustworthy. You may want to have a certificate signed by a mutuallytrusted Certificate Authority instead.

(NOTE: The process of getting an SSL certificate issued by a CertificateAuthority is really beyond the scope of this guide, however, I plan to havemore information in a future revision.)

Also, be aware that encrypting your server's SMTP traffic does not guaranteethat your email is safe from prying eyes. Email messages are sometimesrelayed through multiple servers, one or more of which may not supportencryption. Also, email that has made it to its final destination is usuallystored unencrypted, making it possible for other users or administrators onthat server to read it. For more complete email security, you may want toconsider using an email client that supports encrypting each email messagebefore it is sent. Of course, this will require that the recipient be able todecrypt the message. Further information would be beyond the scope of thisguide, but you can visit the web pages of email clients that support messageencryption, such as Mutt (http://www.mutt.org/), and the web pages ofgeneral-use encryption software, such as GnuPG (http://www.gnupg.org/).

Appendix C - Patches

Warning: Lots of technical jargon ahead. This section describes the patchesthat are applied to the qmail 1.03 source code by the qmail 1.03-r13 ebuild. Ishould mention that many qmail veterans consider some of these patches to beunnecessary for general use, suggesting that one should use as pristine a copyof qmail as possible, applying only those patches that are known to be needed.If you are handy at writing and modifying ebuild scripts, you may want toconsider editing qmail's ebuild script to remove patches that do not apply toyou. Of course, qmail has been found to run just fine with these patches, andthey do provide features many find useful, and fix bugs many find annoying orinconvenient. Buyer beware, however: The author of qmail makes no guaranteesabout its security beyond his original code. Buyer beware again: Removingpatches may result in unexpected behavior if the configuration files and scriptsare not modified appropriately.

* qregex-starttls-2way-auth (http://www.arda.homeunix.net/store/qmail/)

This patch combines several patches into one, providing several extentionsto qmail's functionality.

This patch provides the extra configuration file/var/qmail/control/badmailto, and enables the use of regular expressions tobe used in /var/qmail/control/badmailto and /var/qmail/control/badmailfrom.For more information, visit the original patch's web page(http://www.unixpimps.org/software/qregex/).

This patch also provides the ESMTP AUTH command, enabling qmail to requireauthorization before accepting messages for processing. For moreinformation, visit the original patch's web page(http://members.elysium.pl/brush/qmail-smtpd-auth/). See appendix B.2 fordetails on how to make use of this feature.

This patch also gives qmail the ability to use the ESMTP AUTH command whenconnecting to other SMTP servers. See appendix B.3 for more details onoutbound authenticated SMTP.

Finally, this patch enables TLS/SSL support for encrypted SMTP sessions.See appendix B.5 for details on how to make use of this feature.

Patch written by Andrew St. Jean, based on the work of "unixpimps.org,"Krzysztof Dabrowski, "Mrs. Brisby," Frederik Vermeulen, and Neal Groothuis.

* smtp-auth-close3

According to the qmail 1.03-r13 ebuild, this patch "fixes a problem whenutilizing morercpthosts" together with ESMTP AUTH.

* qmailqueue (http://www.qmail.org/qmailqueue-patch)

This patch provides qmail with the ability to replace qmail-queue withother programs. See appendix B.1 for more details. Patch written by BruceGuenter.

* big-todo (http://qmail.null.dk/big-todo.103.patch)

qmail was designed to be able to handle large numbers of email messageswithout a significant slow-down. One way it accomplishes this is bysplitting its queue into several different directories. Many of thesedirectories are in turn split into subdirectories, ensuring that no singlefolder becomes unnecessarily large.

When a message is first accepted by qmail for processing, it is placed inthe "todo" directory. Normally, this directory is not split intosubdirectories like certain queue directories are. This means that if alarge number of messages enters the system before qmail has a chance toprocess them all, the todo directory could become quite large, introducing alag into the system. This patch enables the todo directory to be split intosubdirectories, helping to prevent a sudden influx of email from being aproblem. Patch written by Russel Nelson, with some modification by BruceGuenter.

* qmail-1.03-qmtpc (http://www.qmail.org/qmail-1.03-qmtpc.patch)

This patch allows qmail to send email to other servers using QMTP insteadof SMTP. More information about QMTP will be in a future revision of thisguide. Patch written by Russel Nelson.

* qmail-103 (http://www.ckdhr.com/ckd/qmail-103.patch)

Unpatched qmail will have trouble sending email to domains whose DNSservers send oversized answers to DNS queries. This patch resolves thisissue. Patch written by Christopher K. Davis.

* qmail-local-tabs

Unpatched qmail, when handling .qmail files whose first lines are nothing buttabs, has the potential to access an array out of range, an error morecommonly known as a memory or buffer overflow. This bug is generallyconsidered to be minor, because qmail by this point is running as the ownerof the .qmail file and will never run as root, and also because qmail'sdocumentation states that a .qmail file should not start with an empty line.Nonetheless, this is a bug, and this patch fixes it.

* qmail-link-sync (http://www.jedi.claranet.fr/qmail-link-sync.patch)

qmail assumes that certain file commands are synchronous, that is, thecommands will not report a successful finish until the file has actuallybeen written to disk (as opposed to residing in a cache to be writtenlater). While this assumption is true for some Unix-compatible operatingsystems and the file systems they use, it is not true for many flavors oflinux and its file systems. The consequence is that a disruption of service,such as a power outage, could result in email being lost. This patchworks around this issue by forcing file synchronization to take place afterthese commands. Patch written by Frank Denis.

* big-concurrency

Unpatched qmail has an inherent maximum concurrency limit of 255. In otherwords, the highest number of concurrent local deliveries and concurrentremote deliveries that can take place is 255 each. This patch allows thoselimits to be as high as 65,000, though the qmail 1.03-r13 ebuild sets a newmaximum limit of 500 for each. Patch written by Johannes Erdfelt.

* qmail-0.0.0.0

0.0.0.0 is considered to be a self-referencing IP address, similar to127.0.0.1 (though the semantics of each are not quite the same).Unpatched qmail does not treat 0.0.0.0 as a local IP address; this patchresolves that issue. Patch written by Scott Gifford.

* errno

This patch fixes the code compatibility issue that prevents qmail 1.03 fromcompiling or running properly against versions of glibc 2.3.2 and newer.

* sendmail-flagf (http://david.acz.org/software/sendmail-flagf.patch)

qmail's sendmail wrapper does not support the "-f" option that the realsendmail does. This patch provides that feature. Patch written by DavidPhillips.

* qmail-maildir++ (http://www.shupp.org/patches/qmail-maildir++.patch)

Sam Varshavshik, the author of Courier and Courier IMAP, authored anextention to the maildir format called maildir++. Among other things,maildir++ provides for multiple email subdirectories, and quota support.This patch enables qmail to make use of maildir++, allowing greatercompatibility between qmail and packages supporting maildir++, such asCourier IMAP and vpopmail. Patch written by Bill Shupp.

* maildir-quota-fix

This patch fixes a typo in the above patch.

* qmail-date-localtime(ftp://ftp.nlc.net.au/pub/unix/mail/qmail/qmail-date-localtime.patch)

Whenever qmail needs to generate a timestamp, such as when adding a "Date:"header to an email message, it uses Greenwich Mean Time (GMT) timestamps.Most email clients know how to convert GMT into the local time zone, butsome do not. This patch enables qmail to generate timestamps in the localtimezone instead.

* qmail-limit-bounce-size(http://www.qmail.org/www.jedi.claranet.fr/qmail-bounce.patch)

Normally, qmail will include a copy of the entire original message forthe original sender when generating a bounce message. This patch allowsfor a new control file, "bouncemaxbytes", that states the maximum size abounce message can be. Any bounce message that would go over this limitwill be truncated.

* qmail-smtpd-esmtp-size-gentoo

This patch provides support for the ESMTP SIZE command, allowing qmail toreject messages deemed too large before they are sent, instead of after.

* qmail-smtpd-relay-reject.gentoo

Some email servers allow their users to relay messages to non-localaddresses by creating a new email address that appears to be local. Toillustrate, an email server local to example.com could be instructed todeliver a message to user@anotherexample.com by sending it a messageaddressed to user%anotherexample.com@example.com. qmail by default doesNOT support this trick, as it can be easily abused by spammers who areaware of it. However, according to some programs that test the integrity ofemail servers, qmail APPEARS to support this trick, because it does notreject up front any email messages addressed to local domains; instead, itlater bounces any messages that are not destined for valid addresses, such asthose with "%" or other extraneous characters. Because these broken testingprograms do not check to see if their messages were actually delivered, manyqmail servers have unfortunately been incorrectly blacklisted. This patchworks around this issue by enabling qmail to reject up front any recipientaddresses that use "%" and other such characters.

* qmail-gentoo-1.03-r12-badrcptto-morebadrcptto-accdias.diff

This patch provides for two new control files, "badrcptto" and"morebadrcptto". They work similarly to badmailfrom, rejecting up frontany messages bound for addresses that appear in either of these files.Patch originally written by Ward Vandewege, later modified.

* qmail-popupnofd2close (http://www.dataloss.nl/software/patches/)

This patch allows checkpassword and similar programs to log error messagesto stderr. Patch written by peter(at)dataloss.nl.

* qmail-1.03-reread-concurrency.2 (http://js.hu/package/qmail/)

This patch enables qmail to reread control files concurrencylocal andconcurrencyremote when the qmail-send process receives a HUP signal.Normally qmail has to be restarted for these files to be reread. Patchwritten by Julian Severn-nek.

* 08-capa.diff (http://www.mcmilk.de/qmail/dl/djb-qmail/patches/)

This patch provides the POP3 CAPA command, allowing POP3 clients to get alist of all POP3 commands provided by qmail-pop3d. Patch written by TinoReichardt.

Appendix D - Additional Software

This is a collection of additional software packages, many of which areavailable through Portage, that are useful for managing qmail and extendingits functionality.

* Courier IMAP (http://www.inter7.com/vpopmail) (ebuild available)

An IMAP server that supports the maildir format, and therefore integratesvery well with qmail.

* qlogtools (http://untroubled.org/qlogtools) (ebuild available)

A set of programs designed to analyze qmail's logs for monitoring andstatistics gathering.

* qmail-scanner (http://qmail-scanner.sourceforge.net/) (ebuild available)

A multi-purpose email scanner specifically designed to work with qmail,useful for combatting viruses, spam, and even unwanted file attachments.qmail-scanner can be configured with its own set of rules, and can also workwith other popular email tools such as SpamAssassin(http://spamassassin.org, ebuild available), F-Prot (http://www.f-prot.com,ebuild available), and many commercial virus scanners available for linux.

* qmailanalog (http://cr.yp.to/qmailanalog.html) (ebuild available)

Another set of tools for analyzing qmail's logs, written by the author ofqmail.

* vpopmail (http://www.inter7.com/vpopmail) (ebuild available)

A collection of programs designed to make the creation and management ofvirtual users and multiple email domains relatively fast and painless.

Acknowledgements

Thanks to Dave Sill for excellent qmail documentation in the form of "Lifewith qmail" and 'The qmail Handbook'.

Thanks to Charles Cazabon for invaluable help through the qmail mailing list.

Thanks to Daniel J. Bernstein for qmail itself.

Thanks to the authors and contributors of Gentoo for creating an excellentlinux distribution.

Guide Revision History

3/20/03 - First release.

3/21/03 - Corrected the statement about Gentoo's scripts not providing alimit on the number of simultaneous incoming SMTP connections. There isalways a limit, even if it is not explicitly set. Thanks to Dave Sill forpointing out this typo.

4/17/03 - Added a note about the incompatibility between qmail 1.03 and glibc2.3.2, and also fixed some grammatical and formatting mistakes. glibc 2.3.1must be used to compile qmail and related packages.

5/13/03 - Added comments about the qmail ebuild's option for extra automaticconfiguration, and cleaned up some wording here and there.

5/15/03 - Added comments about the qmail-sumo and qmail-pop3d ebuilds. Thanksto Tridib Biswas for pointing these out to me.

7/20/03 - Updated the guide to reflect recent releases of qmail and relatedebuilds for Gentoo.

11/30/03 - Rewrote several sections in part one to more accurately explainPortage's system of virtual packages and package blocking; added appendices,which will be further fleshed out in the next update; cleaned up some wordinghere and there. This update is incomplete, pending a new version of the guideto be based on qmail ebuild 1.03-r13.

12/29/03 - Updated the guide to reflect qmail ebuild 1.03-r13. Reorganizedthe appendices. This update is also incomplete, as many sections in theappendices still need to be written.

12/30/03 - Corrected a statement concerning the Gentoo ebuild's initialconfiguration of qmail. By default, qmail will accept SMTP connections fromanywhere, not just from local IP addresses.

2/8/04 - Removed information about the qmail-sumo ebuild, which is no longerin Portage. Updated information about "Life with qmail," which is now basedon netqmail 1.05. Updated information about glibc; the latest stable ebuildis now 2.3.2-r9. Added a note about making sure the correct system users andgroups are in place before emerging qmail. Added information about theqmail-control script installed by the qmail ebuild. Reorganized the appendicesagain, and wrote sections concerning authenticated SMTP, outbound authenticatedSMTP, POP-before-SMTP, and additional qmail-related software. The section onencrypted SMTP still needs to be written. Cleaned up wording and formattingin various places.

2/20/04 - Wrote the section on encrypted SMTP. Cleaned up wording in variousplaces.

2/22/04 - Fixed a typo in the section for encrypted SMTP. "servercert.pem"was mentioned where "servercert.cnf" should have been named.

6/5/05 - Added the note that I am no longer actively maintaining this guide.

sddlzz — Sat, 24 Dec 2005 15:29:27 +0000

3Com SuperStack3 Switch4200系列交�?�机中文电�?手抄本

作者：�?祥文章�?��?：Internet 点击数：226 更新时间：2005-4-7

版本信�?�

Version 1.00

2004-05-31

Version 1.01

2004-06-01 版本说明：

1．修改了VLAN设置中注�?事项三的错误说法

2．增加了STP/RSTP中交�?�机Priority�?�端�?�cost的设置说明

3．增加了Security中有关端�?�安全的内容

�?文档说明】

1. 本文档为�?费文档，请勿用作商业用途。

2. 虽然作者�?图�?��?错误的�?�生，但由于水平�?��?�解能力的影�?，文档中还是�?�能存在错误。如果�?�现文档中的错误，请�?�邮件通知作者，作者的邮箱地�?�为: Aaron_Zhao@Huawei-3Com.com

先在此�?��?�现问题并通知作者的�?��?表示严�?感谢，希望大家多交�?。

3. 欢迎大家将此文档�?�外�?��?，�?��?时请勿对文档内容进行修改。

4. 对于使用本文档中的内容，对交�?�机进行�?置时�?�能引起的故障�?�错误，作者本人�?负任何责任。

5. 以上说明�?�款�?具有强制性，目的是为了大家得到更好帮助信�?�。对于�?�?�守以上�?�款的人，作者�?日将鄙视之一至两次或更多。。。

[�?�考信�?�]

1．3Com交�?�机软件�?�文档页�?�

http://www.3com.com/products/en_US/downloadsindex.jsp?home1=supportdownload

2．3Com Knowledgebase主页

http://3kb.3com.com

3．�?�为3Com热线电�? 800-810-0504

4．3Com技术支�?电�? 800-810-3033

SS3 4200交�?�机介�?

SS3 4200系列交�?�机是3Com生产的一款�?�管�?�的二层交�?�机，该系列交�?�机目�?包括三个型�?�，分别是4226T(3C17300)�?4250T(3C17302)�?�4228G(3C17304)。其中：

l 4226T 包括24个10Base-T/100Base-Tx自适应�?�，2个10Base-T/100Base-Tx/1000Base-T自适应�?�

l 4250T 包括48个10Base-T/100Base-Tx自适应�?�，2个10Base-T/100Base-Tx/1000Base-T自适应�?�

l 4228G 包括24个10Base-T/100Base-Tx自适应�?�，2个10Base-T/100Base-Tx/1000Base-T自适应�?�，2个GBIC �?�。GBIC�?��?�以选�?3Com的GBIC模�?�，包括1000Base-SX(3CGBIC91)�?1000Base-LX(3CGBIC92)�? 1000Base-T(3CGBIC93)�?�1000Base-LH70(3CGBIC97) GBIC

4200系列交�?�机的端�?�都是固定的，没有扩展槽�?，�?能增加模�?�。�?�有4228G交�?�机有2个GBIC�?�，�?�以�?�3Com的GBIC�?�兆模�?�。

作为一款二层交�?�机，4200的定�?是边缘接入�?�桌�?�交�?�机。相对�?�样定�?的4400系列交�?�机�?�讲，4200系列的交�?�机价格比较低，相对功能也比4400系列�?少，因此适用于追求端�?�密度，但对边缘交�?�机功能�?求一般的用户环境。

从功能和性能上讲，4200具有以下特点：

l �?�堆�?�。详细情况�?��?�章节介�?

l 除通过Console�?�进行管�?�外，还�?�以�?置管�?�地�?�，远程通过Telnet方�?�?�Web方�?�?�进行管�?�。但是，强烈建议用户�?�代�?�商�?�?使用Web方�?(因为显得太�?专业了)。支�?基于SNMP的网管

l 基本的二层交�?�功能，其性能为：4226T交�?�容�?8.8Gbps，包转�?�率6.6MPPS；4228G交�?�容�?12.8Gbps，包转�?�率9.5MPPS；4226T交�?�容�?13.6Gbps，包转�?�率10.1MPPS

l 所有端�?�支�?自�??商Auto-Negotiation�?�MDI/MDIX自适应

l 支�?VLAN�?STP�?Multicast Filter�?BroadcastControl等功能，详细�?置情况，�?��?�章节具体介�?

SS3 4200交�?�机典型�?置

�?管�?�方�?】

4200交�?�机支�?通过Console�?�(串�?�)管�?��?�?置管�?�IP�?�用Telnet/Web方�?管�?�，以�?�通过标准的SNMP网管系统进行管�?�。

建议用户尽�?使用命令行方�?(CLI-Command Line Interface)对交�?�机进行�?置管�?�，包括Console�?��?�Telnet方�?。对于Web方�?�?�网管系统，用�?�观察监控交�?�机的�?行情况�?�以，用�?�作为�?置的手段，�?建议使用。

一�?Console�?�管�?�方�?

通过Console�?�对交�?�机进行管�?�是最基本的一�?方�?，也是最�?�一�?管�?�方�?，当其他管�?�方�?都�?能进入交�?�机时，用Console线连到交�?�机的管�?�端�?�试一试。如果通过Console�?�都�?能进入交�?�机，那说明交�?�机问题比较严�?，有�?�能需�?进行硬件返修。

Console �?�，也�?�以�?�管�?��?�，在4200交�?�机的机箱�?��?�，是一个9针的串�?�。一般通过专用的Console线与计算机的串�?�(COM1或COM2)相连，在计算机上用超级终端(HyperTerminal)作为工具，�?��?�实现对交�?�机的管�?�。超级终端的串�?�速率设置为：端�?�速率9600/数�?��?8/�?�止�?1/奇�?�校验无/�?控无。连接计算机与交�?�机的控制线�?��?�空Modem线(Null Modem)，其线�?如下所示。

二�?通过设置管�?�IP方�?�?�管�?�

给4200交�?�机设置一个管�?�IP�?�，就�?�以通过网络进行远程管�?�。管�?�的方�?包括Telnet和Web方�?。

设置4200管�?�IP的命令如下所示。

Select menu option: pro ip basic

Enter configuration method (auto,manual,none)[auto]: manual

Enter IP address [0.0.0.0 ]: 10.10.10.3

Enter subnet mask [0.0.0.0 ]: 255.255.255.0

Enter gateway IP address [0.0.0.0 ]: 10.10.10.1

IP address: 10.10.10.3

Subnet mask: 255.255.255.0

Gateway IP address: 10.10.10.1

Select menu option:

[说明]

1．黑体字为输入的命令�?��?�数

2． 4200的管�?�地�?�有手工方�?(manual)�?�自动方�?两�?。如果是设置�?自动方�?，则用户的网络中需�?有一个DHCP Server，4200开机�?�会自动去申请一个IP地�?�。这�?自动方�?�?建议用户使用，建议用户手工设定管�?�地�?�。上�?�例�?中是用manual方�?手工设置一个管�?�IP，地�?�为10.10.10.3/24，其默认网关为10.10.10.1

3． 4200的管�?�地�?�是设在VLAN 1上的，这点�?能改�?�。所以连到4200交�?�机VLAN 1上的计算机�?�直接对4200进行管�?�。属于4200其他VLAN的计算机需�?通过三层路由�?能访问4200的管�?�IP，�?�使该计算机直接连接到4200上

4． 4200是二层交�?�机，管�?�IP的设置方�?与3Com三层交�?�机设置VLAN Interface的方�?完全相�?�，但一定�?注�?，4200上的管�?�IP�?�能用作网管，�?是作三层转�?�的。

三�?4200交�?�机网管的设置

4200 交�?�机设置管�?�IP�?�，还�?�以通过网管系统进行管�?�，如3Com的�?费网管软件3Com Network Supervisor。一般情况下用4200默认的�?置就�?�以，根�?�情况也�?�以进行修改。主�?的包括设置网管软件对交�?�机进行读/写的Community 字串，以�?�交�?�机�?�网管软件�?��?Trap的目的地�?�，如下所示。

Select menu option: sys man snmp comm

Enter new community for user ‘admin’ [private]: write001

Enter new community for user ‘manager’ [manager]: write000

Enter new community for user ‘monitor’ [public]: read001

Select menu option:

[说明]

以上设置将网管系统读的Community字串设为read001，将改�?置和修改系统�?�数的Community字串设为write001�?�write000

Select menu option: sys man snmp trap create

Enter the trap community string [monitor]:

Enter the trap destination address: 10.10.10.8

Select menu option:

[说明]

以上设置使交�?�机将monitor的trap信�?��?�到地�?�为10.10.10.8的网管系统或其他�?�接收trap的系统。

�?�以设置多个目的地�?�

�?4200系统信�?�】

Select menu option: sys summ

3Com SuperStack 3

System Name : Office Test

Location : Huawei-3Com, BeiJing

Contact : Aaron Zhao

Time Since Reset : 1 Hrs 9 Mins 16 Seconds

Operational Version : 02.03p14

Hardware Version : 01.01.00

Boot Version : 1.00

MAC Address : 00-0a-04-64-38-80

Product Number : 3C17302

Serial Number : 7Y3V1D7643880

Select menu option:

[说明]

由以上命令�?�以得到该4200交�?�机的系统信�?�，按�?�?程度，说明如下：

1．版本信�?�，包括Operation版本，Hardware版本�?�Boot版本。我们�?的是Operation版本信�?�，3Com在网站上�?�布的版本�?我们�?�?�级的版本也都是Operation版本。其他两个版本信�?��?�?常用到。

2．系统�?行时间-Time Since Reset，从这里�?�以看到系统到目�?已�?�?行了多常时间。

3．产�?�?列�?�-Serial Number，这个�?列�?�是唯一的，�?�?�4200设备都�?相�?�。用户在3Com网站上注册该产�?时需�?输入这个�?列�?�，产�?有硬件故障需�?更�?�时也�?�?�3Com�??供这个�?列�?�。该�?列�?�在机箱底�?�的标签处也�?�以查到。

系统信�?�中的System Name�?Location�?�Contact�?�以由用户自行设置，命令如下：

Select menu option: system management name

Select menu option: system management location

Select menu option: system management contact

�?�?�项功能】

下�?�列出的是一些大家�?常用到的�?�项功能。

4200交�?�机的默认用户�??是 admin，密�?没有

Password:

Menu options: ————–3Com SuperStack 3 Switch 4200—————

bridge – Administer bridge-wide parameters

gettingStarted – Basic device configuration

logout – Logout of the Command Line Interface

physicalInterface – Administer physical interfaces

protocol – Administer protocols

security – Administer security

system – Administer system-level functions

trafficManagement – Administer traffic management

Type ? for help

—————————————– (1)—————————

Select menu option:

将�?置清空为出厂值

Select menu option: system control init

WARNING: This command initializes the system to factory defaults

(excluding Management IP configuration) and causes a reset.

Do you wish to continue (yes,no)[no]: y

[说明]

1．管�?�IP�?会清空�?出厂值，需�?到设置管�?�IP的�?��?�下�?�独设置

2． �?置清空�?�，机器会�?�?�动

3． 3Com交�?�机的�?置�?需�?save�?write等命令进行�?存，设置�?�系统自动�?存，�?新开机�?��?置�?会丢失

4．建议拿到一�?�交�?�机�?�，开始�?置�?，先将其�?置清空为出厂值

密�?丢失

Password:

*** Password Recovery Mode ***

The administrative password will be cleared if a hard reset operation is

carried out on the device within 30 seconds.

If a hard reset operation is not carried out during this period, the device

will return to the CLI login prompt

countdown = 30 29 28 27 26

*** Password Recovery Mode ***

Enter the new password for the admin user:

Re-enter the new password:

The Password Recovery feature is enabled.

Enter new value (enable,disable)[enable]:

Menu options: ————–3Com SuperStack 3 Switch 4200—————

bridge – Administer bridge-wide parameters

gettingStarted – Basic device configuration

logout – Logout of the Command Line Interface

physicalInterface – Administer physical interfaces

protocol – Administer protocols

security – Administer security

system – Administer system-level functions

trafficManagement – Administer traffic management

Type ? for help

—————————————– (1) —————————

Select menu option:

[说明]

1．在登录�??示时输入用户�??recover，密�?也是recover

2．在系统�??示的时间内(30秒)，对交�?�机断电，�?加电

3．系统�?新�?�动�?�，会�??示你输入新的admin用户的密�?

4．系统还会�??示是�?�将此密�?�?��?的功能开�?�还是关闭，默认是开�?�状�?

修改登录密�?

Select menu option: sys mana password

Old password:

Enter new password:

Retype password:

The command line interface password has been successfully changed.

Select menu option:

�?基本的二层交�?�功能】

4200的基本数�?�交�?�功能�?需�?�?�任何设置。这一部分对我们有用的信�?�是MAC地�?��?端�?�对照表，通过以下命令�?�以看到。

Select menu option: bri add summ

This operation may take a number of seconds

Select bridge ports (AL1-AL4,unit:port…,all,?): all

Location Address VLAN ID Permanent

—————————————————————–

Unit 1 Port 3 00-10-4b-a0-91-64 1 No

Unit 1 Port 11 00-09-6b-7a-6a-c6 1 No

Unit 1 Port 13 00-10-4b-a0-91-64 2 No

Select menu option:

[说明]

由上�?��?�以看到�?�个端�?�所连设备的MAC地�?�，以�?�相关的VLAN信�?�。如果一个端�?�下�?�连的是交�?�机或者集线器，那么这个端�?�上会对应多个MAC地�?�。

上�?�例�?中最�?�一项是Permanent，所列的地�?�都是No，说明这几个地�?�都是交�?�机学习而�?�的，当这个端�?�所连机器断开�?�，这个地�?�项在一段时间�?�会自动从表中清除。

�?�以手工把�?个机器(实际是该机器的网�?�)的MAC地�?�加到表中，如下所示：

Select menu option: bri address add

This operation may take a number of seconds

Select bridge port (AL1-AL4,unit:port,?): 1:8

Enter address: 00-10-4b-a0-91-64

Enter VLAN ID (1-2)[1]: 1

Select menu option: bri address summ

This operation may take a number of seconds

Select bridge ports (AL1-AL4,unit:port…,all,?): all

Location Address VLAN ID Permanent

—————————————————————–

Unit 1 Port 8 00-10-4b-a0-91-64 1 Yes

Unit 1 Port 11 00-09-6b-7a-6a-c6 1 No

Select menu option:

[说明]

以上例�?把MAC地�?�00-10-4b-a0-91-64加到Unit 1的端�?�8上，所属的VLAN是1。此时，MAC地�?�为00-10-4b-a0-91-64的计算机�?�有连到Unit 1的端�?�8上�?能通，连到其他端�?��?能通。

注�?：

1. 其他MAC地�?�的计算机连接到端�?�8上，通信完全正常。

2. �?�以将多个MAC地�?�手工写到�?�一个端�?�上。

如下所示：

Select menu option (bridge/addressDatabase): summ

This operation may take a number of seconds

Select bridge ports (AL1-AL4,unit:port…,all,?): all

Location Address VLAN ID Permanent

—————————————————————–

Unit 1 Port 8 00-09-6b-7a-6a-c6 1 No

Unit 1 Port 8 00-10-4b-a0-91-24 1 Yes

Unit 1 Port 8 00-10-4b-a0-91-64 1 Yes

Select menu option (bridge/addressDatabase):

�?VLAN功能】

除了基本的数�?�交�?�功能，VLAN是我们在�?置交�?�机中碰到最多的了。下�?�举两个例�?�?�说明如何�?置。

案例1：

在一�?�4200交�?�机�?创建3个VLAN，分别为工程师�?财务�?人事部门使用，默认VLAN1�?动，作为管�?�VLAN，�?置如下：

[创建VLAN]

Select menu option: bri vlan create

Select VLAN ID (2-4094)[2]: 2

Enter VLAN Name [VLAN 2]: engineer

Select menu option: bri vlan create 3 finance

Select menu option: bri vlan create 4 hr

Select menu option: bri vlan summ all

VLAN ID Name

——————————————

1 Default VLAN

2 engineer

3 finance

4 hr

Select menu option:

[�?��?�个VLAN里加端�?�]

elect menu option: bri vlan modi add

Select VLAN ID (1-4)[1]: 2

Select bridge ports (AL1-AL4,unit:port…,?): 1:1-1:9

Enter tag type (untagged,tagged): un

Select menu option: bri vlan modi add 3 1:10-1:19 un

Select menu option: bri vlan modi add 4 1:20-1:29 un

Select menu option:

�?过以上�?置，端�?�1到9划到VLAN2里，端�?�10到19划到VLAN3里，端�?�20到29划分到VLAN3中，其他端�?��?留在VLAN1中。

在�?�一VLAN内的计算机�?�以互相通信，�?�?�VLAN之间�?能通信。

案例2：

继续案例1。案例1中的4200放在公�?�的2楼，继续�?�工程师�?财务�?�人事部门�??供接入端�?�。现在在3楼�?�添加了一�?�4200，但三楼有工程师�?�财务部门，没有人事部门，而且多了市场部门。两�?�交�?�机通过�?�兆端�?�50(4250T交�?�机)互�?�。�?求2楼和3楼的工程师部门和财务部内部能互通，部门之间还是�?�?�?通(没有三层设备，相通也没门儿)。

[2楼4200添加如下�?置]

Select menu option: bri vlan modi remove 1 1:50

WARNING: Ports 1:50 are no longer members of any VLANs.

；将50端�?�从VLAN1中除去，因为此时50端�?�是untag端�?�。

Select menu option: bri vlan modi add 1 1:50 tag

；将50端�?��?新加入VLAN1(管�?�VLAN)，打上tag。

Select menu option: bri vlan modi add 2 1:50 tag

；将50端�?�加入VLAN2(工程师VLAN)，打上tag。

Select menu option: bri vlan modi add 3 1:50 tag

；将50端�?�加入VLAN3(财务VLAN)，打上tag。

[3楼4200�?置]

创建VLAN

Select menu option: bri vlan create 2 engineer

Select menu option: bri vlan create 3 finance

Select menu option: bri vlan create 5 marketing

�?��?�个VLAN中加端�?�

Select menu option: bri vlan modi add 5 1:1-1:9 un

Select menu option: bri vlan modi add 2 1:10-1:19 un

Select menu option: bri vlan modi add 3 1:20-1:29 un

将端�?�50划到VLAN1，2，3中

Select menu option: bri vlan modi remove 1 1:50

Select menu option: bri vlan modi add 1 1:50 tag

Select menu option: bri vlan modi add 2 1:50 tag

Select menu option: bri vlan modi add 3 1:50 tag

�?过以上�?置，两�?�4200通过端�?�50，�?�以使VLAN1(管�?�VLAN)�?VLAN2(工程师VLAN)�?�VLAN3(财务VLAN)内部�?�以互通，工程师部门和财务部门的计算机�?�使�?在一个一层楼，也能互相通信。为了方便管�?�，让管�?�VLAN，�?�VLAN1也能够互通。�?�?�VLAN之间还是�?�?�?通。

严�?�??醒：3Com交�?�机VLAN�?置中有关端�?�打Tag(以�?�?�802.1Q)的三原则

1．交�?�机上的�?个端�?��?属于多个VLAN，则该端�?�一定�?打tag

2．交�?�机的�?个端�?�打了tag，与它相连的对端的交�?�机端�?� (或网�?�)也�?打tag

3． �?个端�?��?�以在一个VLAN中是untag方�?(收�?��?带802.1Q的数�?�包)，在其他多个VLAN中是tag方�?(收�?�带802.1Q的数�?�包)。这时如果两端设置�?当，会使�?�?�VLAN互通，因此需注�?。

[注：有关VLAN，猫腻的东西还是挺多的，如4200支�?的是Open VLAN方�?，那�?大哥闲�?�没事干，�?�以�?�磨�?�磨]

�?端�?�设置】

对4200交�?�机端�?�的设置包括将端�?�block，解除block，改�?�端�?�的工作状�?等。命令在Select menu option (physicalInterface/ethernet): �?�?��?�下。下�?�举例列出一些�?�能用到的设置

将端�?�1到10阻塞，block�?�，端�?�的状�?�?�会在绿/黄之间交互闪�?

Select menu option (physicalInterface/ethernet): portstate

This operation may take a number of seconds

Select Ethernet ports (unit:port…,?): 1:1-1:10

Enter new value (enable,disable)[enable]: dis

改�?�端�?�2到5的自�??商方�?

Select menu option (physicalInterface/ethernet): portmode

This operation may take a number of seconds

Select Ethernet ports (unit:port…,?): 1:2-1:5

Enter auto-negotiation mode (enable,disable)[disable]: en

Enter fallback port mode (10half,10full,100half,100full)[10half]: 10full

[说明]

端�?�默认情况下auto-negotiation方�?是enable的。Fallback port mode是指当端�?�自�??商方�?失败时，最�?�到那个工作速率

如果�?指定端�?�的工作速率�?�全�?�工模�?，需�?将auto-negotiation关闭，�?设置速率�?��?�工模�?

smartAutosense的设置

Select menu option (physicalInterface/ethernet): smartau

Enter new value (enable,disable)[enable]: en

Select menu option (physicalInterface/ethernet):

[说明]

smartAutosense是一个对交�?�机的设置，�?能指定具体端�?�进行设置。

当smartAutosense 设置为enable时，对于在auto-negotiation状�?的端�?�，交�?�机会根�?�该端�?�统计的错误包数�?�调整端�?�速率。例如，端�?�5的auto- negotiation为enable，当�?工作方�?为100full，如果该端�?�在�?一时间段内收到的错误包数超过了一定数�?，则交�?�机自动将该端�?�的工作模�?�?�下�?。

�?堆�?�】

4200交�?�机在v2.0版本以�?�，支�?堆�?�功能。堆�?�以�?�的交�?�机�?�以作为一个整体�?�管�?�，如下图所示：

注�?点如下：

1. 4200的堆�?��?需�?�?�外�?置模�?�(你想�?也没地方�?�啊)。�?�需�?用超5类的网线将交�?�机的UP�?DOWN端�?�如上图所示连接起�?��?�完�?，�?需�?在交�?�机里作任何�?置。

2. 一个堆�?�最多�?�能有4�?�交�?�机，交�?�机型�?��?�以�?�?�，但强烈建议其软件版本一致。最好在堆�?��?对其软件版本进行检查，并将没�?�设备的�?置清空到出厂值�?��?堆�?�。

3. UP�?DOWN端�?�在�?堆�?�时，�?�以作为普通的10/100/1000Base-T端�?��?�用。在堆�?�时，必须是UP-DOWN相连，�?能UP-UP或 DOWN-DOWN相连。也�?�?许将最上�?�交�?�机的UP�?�与最下�?�交�?�机的DOWN端�?�相连，�?��?�?许形�?环。

4. �?�?�在很多地方�??到过Unit，Unit就是指在一个堆�?�中的计算机。如果1�?�计算机没有堆�?�，则它�?�是Unit 1。如果1个堆�?�中有3�?�计算机，则应该分别是Unit 1�?2�?3。具体的Unit�?�在交�?�机�?�?��?�上有指示�?�显示。

5. 当登录到交�?�机上对交�?�机进行�?置时，�?次你输入命令�?，都有一行虚线的指示行。该行括�?�中的数字�?�是你所�?置的交�?�机在堆�?�中的Unit�?�。如下�?�就在�?置Unit 2。

—————————————– (2)—————————

Select menu option:

6. 在�?�一个堆�?�里，如果你�?从一个Unit转到�?�一个Unit，在以下�?��?�中选择�?��?�(本例�?中�?�有一�?�设备，所以�?�有一个选择)：

—————————————– (1)—————————

Select menu option: sys unit select

Select unit (1):

7. 当你进行设置时，�?置会在整个堆�?�内生效，如创建的VLAN。在�?�VLAN里加端�?�时，也�?�以通过指定�?�?�的Unit�?�将�?�?�Unit上的端�?�划到�?�一个VLAN中。

�?生�?树-Spanning Tree Protocol】

4200支�?生�?树STP和快速生�?树RSTP�??议。RSTP是STP的改进版本，并且�?�下兼容，�?�如下情况，当4200交�?�机上�?�动RSTP，当端�?�检测到该端�?�所连设备�?�支�?STP时，该端�?�会自动�?到支�?STP。

STP/RSTP常用的设置有如下一些：

Select menu option: bri spann stpver

Enter Spanning Tree version – 0=STP, or 2=RSTP (0,2)[2]: 2

Select menu option:

[说明]

�?�以设置修改4200支�?RSTP还是STP，默认是RSTP。

Select menu option: bri spann stpstate

Enter new value (enable,disable)[enable]: dis

Select menu option:

[说明]

将RSTP/STP功能激活或者关闭，对整个交�?�机有效。交�?�机默认时有效。

Select menu option: bri spann stppri

Select stp priority (?)[32768]: ?

One of the following items may be selected at this prompt:

0,4096,8192,12288,16384,20480,24576,28672,32768,36864,40960,45056,49152,53248,57

344,61440

Select stp priority (?)[32768]: 8192

[说明]

设置交�?�机在选择生�?树根时的优先值，该值越�?表示优先值越高。如果所有交�?�机的优先值一样，生�?树会选择MAC�?的交�?�机作为生�?树的根(优先值+MAC)。

Select menu option: bri port stpfa

This operation may take a number of seconds

Select bridge ports (AL1-AL4,unit:port…,?): 1:9

Enter new value (enable,disable)[enable]: dis

Select menu option:

[说明]

以上命令�?�以对交�?�机�?个端�?�的StpFastStart进行设置。这个�?�数�?�有当STP/RSTP功能�?�动时�?起作用。

Select menu option: bri port stpcost

This operation may take a number of seconds

Select bridge ports (AL1-AL4,unit:port…,?): 1:3

Enter new value (1-200000000,auto)[19]: 10

Select menu option:

[说明]

对端�?�的cost值进行设置，这样�?�以手工改�?�端�?�在STP/RSTP选择中的优先顺�?。Cost值越低，被选中作为forwarding端�?�的优先级越高。

如上�?�例�?中所示，将端�?�3的cost值设为10，其他端�?�的默认值19�?�?�。则当端�?�3�?�加STP/RSTP选择forwarding端�?�时，会别优先选中为forwarding，其他�?�加选择的端�?�为block状�?。

�?端�?�安全PortSecurity】

�?�?�在基本的二层交�?�功能中介�?过，�?�以把�?�?�设备的MAC地�?�手工写到4200的�?个端�?�上，这样，这个设备�?�能连到该端�?�，如果连到其他端�?�，则�?通。

用户在使用中�?常有与其相�??的应用，�?��?个端�?��?��?许�?一�?�或几�?�设备接入，而�?�?许其他设备接入，这时候�?�以利用4200交�?�机的PortSecurity功能。

Select menu option: secu net acc

Menu options: ————–3Com SuperStack 3 Switch 4200—————

portSecurity – Configure port security

Type \”quit\” to return to the previous menu or ? for help

—————————————– (1)—————————

Select menu option (security/network/access): ports

Select user ports (unit:port…,?): 1:3

Enter mode of operation (?)[noSecurity]: ?

One of the following items may be selected at this prompt:

noSecurity,continuallyLearn,autoLearn

Enter mode of operation (?)[noSecurity]: autol

Enter the number of authorized addresses (0-79)[1]: 5

Enter Disconnect Unauthorized Device mode (?)[noAction]: ?

One of the following items may be selected at this prompt:

noAction,permanentlyDisable,temporaryDisable

Enter Disconnect Unauthorized Device mode (?)[noAction]: noac

Select menu option (security/network/access):

[说明]

上�?�例�?中，端�?�3设置为autolearn方�?，�?许的地�?�个数为5个(该端�?�所学到的�?5个地�?�)，对于5个以�?�的MAC地�?�，设备�?�使连到端�?�3上，也�?能通信。

下�?�是一些简�?�的�?�数说明，mode of operation有3个�?�数，noSecurity，continuallyLearn�?�autoLearn。如果针对一个端�?�设置，选择autoLearn。

DUD-Disconnect Unauthorized Device模�?有三个，noAction，permanentlyDisable，temporaryDisable。如果选择�?�两个，当端�?�上所学到的MAC地�?�超过�?许的个数时，该端�?�会自动down掉；如果选择noAction，端�?��?会闭塞，但�?��?�连上�?�的设备�?能通信，这是大部分情况下我们希望的。

�?组播过虑-Multicast Filter】

4200支�?组播过虑功能。�?�以通过设置IGMP的Snooping和Querying�?�实现。其命令行方�?如下：

Select menu option: bri multi igmp

Menu options: ————–3Com SuperStack 3 Switch 4200—————

queryMode – Enable/disable IGMP querying

snoopMode – Enable/disable IGMP Multicast learning

Type \”quit\” to return to the previous menu or ? for help

—————————————– (1)—————————

Select menu option (bridge/multicastFilter/igmp): query

Enter new value (enable,disable)[disable]: en

Select menu option (bridge/multicastFilter/igmp): snoopmo

Enter new value (enable,disable)[enable]: en

[说明]

当snoopmode为disable时，交�?�机会把组播数�?�包当作广播�?�处�?�，�?��?�所有端�?�转�?�。此时网络环境中如果有组播应用，一定会通，但浪费带宽，丧失了组播的优势。

当snoopmode为enable时，4200交�?�机会对组播数�?�进行过虑，端�?�所连设备�?接�?�组播数�?�，就�?�该端�?�转�?�，�?�则，就�?�?�该端�?�转�?�。

注�?当snoopmode为enable时，本网段中必须有一�?�设备的querymode设置为enable，这样，�?能知�?�网络中那些计算机�?接�?�组播。

�?软件�?�级】

4200的软件�?�以在3Com的英文网站�?费获得，但需�?用户先注册，并将4200产�?进行注册，当然，产�?�?�?�?�注册一�?��?��?�。

建议用TFTP方�?对4200交�?�机进行�?�级，�?�级时，4200作为Client端，存有4200软件的计算机作为TFTP的Server 端。TFTP的软件在3Com的网站上�?�以�?费下载，在�?机的光盘中也有。

�?�级过程在�?个版本的ReleaseNote中有详细介�?，一般在文档的最�?�。

Select menu option: sys con

Menu options: ————–3Com SuperStack 3 Switch 4200—————

initialize – Reset to factory defaults

reboot – Perform system reboot

softwareUpgrade – Perform agent software upgrade

Type \”quit\” to return to the previous menu or ? for help

—————————————– (1)—————————

Select menu option (system/control): soft

TFTP Server Address [0.0.0.0]:10.10.10.8

File Name []:s4202_03.bin

[说明]

以上10.10.10.8是与4200所连的TFTP Server的地�?�。

S4202_03.bin 是从3Com网站上下载的4200的软件，应该�?存在TFTP Server的默认目录下。从3Com网站上下载的是.exe文件，�?行�?�释放出�?�级软件�?�该软件版本的ReleaseNotes，�?求用户在�?�级�?一定�?读一�??ReleaseNotes。

Squid

sddlzz — Sat, 24 Dec 2005 15:26:40 +0000

使用Squid�?�代�?��?务器

http://www.sina.com.cn 2001/10/31 17:03 赛迪网-中国计算机报

文/�?��?

说到代�?��?务器，我们最先想到的�?�能是一些专门的代�?��?务器网站，�?些情况下，通过它们能加快访问互�?�网的速度。其实，在需�?访问外部的局域网中，我们自己就能设置代�?�，把访问次数较多的网页�?存在缓存中，从而“�??高�?网络速度。更�?�?的是，我们能通过代�?��?务器，达到控制访问�?��?的目的。在Windows中，有很多这样的软件，如：WinGate�?SyGate等，�?过，本文�?讨论的，是能给你充分自由的Linux下的Squid。

Linux下的代�?��?务器软件也�?是�?�有Squid，�?过在大部分Linux版本中都带有它。

走进“代�?��?

首先，我们�?�了解一下代�?��?务器的工作原�?�。代�?��?务器其实就是基于TCP/IP的一�?软件，它在TCP的�?个端�?�上进行监�?�，例如：4444，其他客户机(就是想通过代�?�上网的那些Windows系统)�?置好应用软件，如：IE。其中需�?填上代�?��?务器的端�?�，�?��?例中的4444，这样代�?��?务器�?知�?�你�?访问的地�?�。如果你是�?�法用户的�?，它就�?�得你想�?的网页，然�?��?通过4444这个端�?�传递给你，上网时你�?会感觉到代�?��?务器的存在。

而代�?��?务器的真正�?义在于：一�?由于它是先将网页下载到本地使用，因此访问频率越高的站点速度就会越快；二�?如果你没有访问�?个站点的�?��?而它有，你就能通过它访问到该站点；三�?它�?�以控制你的访问。

当今，通过窄带�?�入Internet的�??怕�?然�?�大多数，代�?��?务器的�??速作用也就�??分明显了。

熟悉Linux的朋�?��?�能知�?�，在Linux下有Ipchains�?�以�?�路由器，一样�?�以控制访问�?��?，但Ipchains的缺点是�?支�? DNS解�?，如果你想通过它控制客户机的访问，就必须一一指定目的地的IP，如果有�?把Ipchains用在访问Internet上，那他一定是疯了，因为Internet上的IP地�?��?但多得�?天上的星星，而且和星星一样�?时都在�?�化。Squid就�?�?�，它�?�以指定哪些域�?�缀�?能访问，如：.tw�?. net等，这样就把域�??对IP的映射交给ISP去�?�了。

�?置举例

在这个例�?中，我们使用的是一�?�普通�?牌机�?�代�?��?务器，内装两�?�网�?�，第一�?�eth0接的是本�?��?的局域网，第二�?�eth1接的是一�?�简�?�的Internet共享器，�?作系统是RedHat Linux 6.1，Ipchains和Squid都是系统自带的。

�?大多数Linux软件一样，Squid是通过�?置文件工作的，它的默认�?置文件是/etc/squid/squid.conf，原始文件长达数�??页，给出了详细的�?置说明，其中真正用得上的，�?�能�?�是很�?的一部分。看看下�?�这个�?置文件，其实很多选项都是一目了然的：

http_port 4444

#代�?��?务器监�?�的端�?�

cache_dir /var/cache/squid 100 16 32

#缓存目录大�?(兆) 第一级�?目录个数第二级�?目录个数

cache_access_log /var/log/squid/access.log

cache_log /var/log/squid/cache.log

acl all src 0.0.0.0/0.0.0.0

acl head src 192.168.0.2/255.255.255. 255 192.168.0.3/255.255.255.255

acl normal src 192.168.0.21-192.168. 0.99/255.255.255.255

acl denysite dstdomain tw net

acl denyip dst 61.136.135.04/255.255. 255.255

acl dnsport port 53

http_access allow head

http_access deny denysite

http_access deny denyip

http_access allow normal

http_access deny dnsport

实例分�?

上�?�的内容，就是一个基本Squid所需�?的全部�?置，是�?是很简�?�？�?

从上�?�我们�?�以看到，代�?��?务器使用4444这个端�?�进行监�?�，缓存目录为100MB，IP地�?�为192.168.0.2和 192.168.0.3的用户�?�访问所有站点，而IP地�?�为192.168.0.21～99的用户�?能访问�?�缀为tw和net的站点，也�?能访问IP地�?�为61.136.135.04的站点(如果dst 61.136.135.04/255.255.255.255�?��?dst 61.136.135.04/255.255.255.0，指的是61.136.135.0这个网络)。

很明显，Squid使用acl�?�定义用户组，并使用http_access�?�控制用户组的�?��?。acl�?��?��?�以是src(�?地�?�)�?dst(目标地�?�)�?proto(�??议)�?port(端�?�)�? srcdomain(�?域)�?dstdomain(目标域)等，Squid的控制功能�??分强大，你甚至�?�以用acl aclname time指定用户组生效的时间，�?过�?注�?，用http_access设置�?�?�用户组的�?��?时，Squid是按从上到下的顺�?执行的，如果你想关闭一个组访问�?些站点的�?��?，就必须把deny的相应�?��?放在这个组的�?�?�。

�?�外，Squid文档中特别指出，如果没有相应的access设置，那么默认的�?��?与最�?�一行相�??，在上例中，一个IP为192.168.0.5的客户未被定义�?�能访问外部网络，因此，在最�?�一行设置http_access deny all是很有必�?的。

设置完�?�?�，就�?�以直接�?行Squid�?��?�动它，如果�?置文件有误，Squid会给出相应的�??示。然�?��?使用Ipchains设置包的转�?�规则，如�?��?许客户机使用POP3(110)�?SMTP(25)�?DNS(53)这几个端�?�收�?�信件，�?览网页�?�能使用代�?�，这样网络就安全得多了。

Ten Rules For Web Startups

sddlzz — Sat, 24 Dec 2005 15:26:20 +0000

Ten Rules for Web Startups

#1: Be Narrow
Focus on the smallest possible problem you could solve that would
potentially be useful. Most companies start out trying to do too many
things, which makes life difficult and turns you into a me-too.
Focusing on a small niche has so many advantages: With much less work,
you can be the best at what you do. Small things, like a microscopic
world, almost always turn out to be bigger than you think when you zoom
in. You can much more easily position and market yourself when more
focused. And when it comes to partnering, or being acquired,
there’s less chance for conflict. This is all so logical and,
yet, there’s a resistance to focusing. I think it comes from a
fear of being trivial. Just remember: If you get to be #1 in your
category, but your category is too small, then you can broaden your
scope—and you can do so with leverage.

#2: Be Different
Ideas are in the air. There are lots of people thinking about—and
probably working on—the same thing you are. And one of them is
Google. Deal with it. How? First of all, realize that no sufficiently
interesting space will be limited to one player. In a sense,
competition actually is good—especially to legitimize new
markets. Second, see #1—the specialist will almost always kick
the generalist’s ass. Third, consider doing something
that’s not so cutting edge. Many highly successful
companies—the aforementioned big G being one—have thrived
by taking on areas that everyone thought were done and redoing them
right. Also? Get a good, non-generic name. Easier said than done,
granted. But the most common mistake in naming is trying to be too
descriptive, which leads to lots of hard-to-distinguish names. How many
blogging companies have “blog�? in their name, RSS companies
“feed,�? or podcasting companies “pod�? or
“cast�?? Rarely are they the ones that stand out.

#3: Be Casual
We’re moving into what I call the era of the “Casual Web�? (and casual content creation).
This is much bigger than the hobbyist web or the professional web. Why?
Because people have lives. And now, people with lives also have
broadband. If you want to hit the really big home runs, create services
that fit in with—and, indeed, help—people’s everyday
lives without requiring lots of commitment or identity change. Flickr
enables personal publishing among millions of folks who would never
consider themselves personal publishers—they’re just
sharing pictures with friends and family, a casual activity. Casual games are huge. Skype enables casual conversations.

#4: Be Picky
Another perennial business rule, and it applies to everything you do:
features, employees, investors, partners, press opportunities. Startups
are often too eager to accept people or ideas into their world. You can
almost always afford to wait if something doesn’t feel just
right, and false negatives are usually better than false positives. One
of Google’s biggest strengths—and sources of frustration
for outsiders—was their willingness to say no to opportunities,
easy money, potential employees, and deals.

#5: Be User-Centric
User experience is everything. It always has been, but it’s still
undervalued and under-invested in. If you don’t know
user-centered design, study it. Hire people who know it. Obsess over
it. Live and breathe it. Get your whole company on board. Better to
iterate a hundred times to get the right feature right than to add a
hundred more. The point of Ajax is that it can make a site more
responsive, not that it’s sexy. Tags can make things easier to
find and classify, but maybe not in your application. The point of an
API is so developers can add value for users, not to impress the geeks.
Don’t get sidetracked by technologies or the blog-worthiness of
your next feature. Always focus on the user and all will be well.

#6: Be Self-Centered
Great products almost always come from someone scratching their own
itch. Create something you want to exist in the world. Be a user of
your own product. Hire people who are users of your product. Make it
better based on your own desires. (But don’t trick yourself into
thinking you are your user, when it comes to usability.) Another aspect
of this is to not get seduced into doing deals with big companies at
the expense or your users or at the expense of making your product
better. When you’re small and they’re big, it’s hard
to say no, but see #4.

#7: Be Greedy
It’s always good to have options. One of the best ways to do that
is to have income. While it’s true that traffic is now again
actually worth something, the
give-everything-away-and-make-it-up-on-volume strategy stamps an
expiration date on your company’s ass. In other words, design
something to charge for into your product and start taking money within
6 months (and do it with PayPal). Done right, charging money can
actually accelerate growth, not impede it, because then you have
something to fuel marketing costs with. More importantly, having money
coming in the door puts you in a much more powerful position when it
comes to your next round of funding or acquisition talks. In fact,
consider whether you need to have a free version at all. The TypePad
approach—taking the high-end position in the market—makes
for a great business model in the right market. Less support. Less
scalability concerns. Less abuse. And much higher margins.

#8: Be Tiny
It’s standard web startup wisdom by now that with the substantially lower costs to starting something on the web, the difficulty of IPOs,
and the willingness of the big guys to shell out for small teams doing
innovative stuff, the most likely end game if you’re successful
is acquisition. Acquisitions are much easier if they’re small.
And small acquisitions are possible if valuations are kept low from the
get go. And keeping valuations low is possible because it doesn’t
cost much to start something anymore (especially if you keep the scope
narrow). Besides the obvious techniques, one way to do this is to use
turnkey services to lower your overhead—Administaff, ServerBeach, web apps, maybe even Elance.

#9: Be Agile
You know that old saw about a plane flying from California to Hawaii
being off course 99% of the time—but constantly correcting? The
same is true of successful startups—except they may start out
heading toward Alaska. Many dot-com bubble companies that died could
have eventually been successful had they been able to adjust and change
their plans instead of running as fast as they could until they burned
out, based on their initial assumptions. Pyra was started to build a
project-management app, not Blogger. Flickr’s company was
building a game. Ebay was going to sell auction software. Initial
assumptions are almost always wrong. That’s why the waterfall
approach to building software is obsolete in favor agile techniques. The same philosophy should be applied to building a company.

#10: Be Balanced
What is a startup without bleary-eyed, junk-food-fueled,
balls-to-the-wall days and sleepless, caffeine-fueled,
relationship-stressing nights? Answer?: A lot more enjoyable place to
work. Yes, high levels of commitment are crucial. And yes, crunch times
come and sometimes require an inordinate, painful, apologies-to-the-SO
amount of work. But it can’t be all the time. Nature requires
balance for health—as do the bodies and minds who work for you
and, without which, your company will be worthless. There is no better
way to maintain balance and lower your stress that I’ve found
than David Allen’s GTD process. Learn it. Live it. Make it a part of your company, and you’ll have a secret weapon.

#11 (bonus!): Be Wary
Overgeneralized lists of business “rules�? are not to be taken too literally. There are exceptions to everything.

apt命令

sddlzz — Sat, 24 Dec 2005 15:25:05 +0000

apt-get update
从 /etc/apt/source.list 中�?的更新软件包列表, 当�?的内容改�?�或�?能确定时,�?行

apt-cache search search-string
查找�??述如 search-string 的软件包

apt-cache policy package-name
显示软件包的版本和优先级

apt-cache show package-name
显示文件的�??述信�?�

apt-cache showpkg package-name
显示软件包的�?赖关系

apt-get install package-name
从�?安装软件包�?�其所有�?赖包

apt-get upgrade
将当�?安装的软件包更新到最新

apt-get dist-upgrade
如 apt-get upgrade, 但是自动解决冲�?

apt-get remove package-names
删除软件包, �?�其所有�?赖它的包

apt-cache depends package-names
列出指定包的所有�?赖包

apt-cache rdepends package-names
列出�?赖于给定包的所有软件包

apt-file upgrade
从�?更新内容列表, 详�? apt-get upgrade

apt-file search file-name
查找包�?�文件的软件包

apt-file search package-name
列出软件包的内容

auto-apt
如果需�?�?�以自动安装软件包, �?�以替代 apt-file, 需�?安装 auto-apt.

aptitude
APT 的控制�?�接�?�, 需�?安装 aptitude

synaptic
APT的GUI接�?�, 需�?安装synaptic

Mysql优化

sddlzz — Sat, 24 Dec 2005 15:24:02 +0000

(1)�?back_log：
�?求 MySQL 能有的连接数�?。当主�?MySQL线程在一个很短时间内得到�?�常多的连接请求，这就起作用，然�?�主线程花些时间(尽管很短)检查连接并且�?�动一个新线程。
back_log值指出在MySQL暂时�?�止回答新请求之�?的短时间内多少个请求�?�以被存在堆栈中。�?�有如果期望在一个短时间内有很多连接，你需�?增加
它，�?��?��?说，这值对到�?�的TCP/IP连接的侦�?�队列的大�?。你的�?作系统在这个队列大�?上有它自己的�?制。
试图设定back_log高于你的�?作系统的�?制将是无效的。
当你观察你的主机进程列表，�?�现大�? 264084 | unauthenticated user | xxx.xxx.xxx.xxx |
NULL | Connect | NULL | login | NULL 的待连接进程时，就�?加大 back_log
的值了。默认数值是50，我把它改为500。

(2)�?interactive_timeout：
�?务器在关闭它�?在一个交互连接上等待行动的秒数。一个交互的客户被定义为对 mysql_real_connect()使用 CLIENT_INTERACTIVE 选项的客户。默认数值是28800，我把它改为7200。

(3)�?key_buffer_size：
索引�?�是缓冲的并且被所有的线程共享。key_buffer_size是用于索引�?�的缓冲区大�?，增加它�?�得到更好处�?�的索引(对所有读和多�?写)，到你
能负担得起那样多。如果你使它太大，系统将开始�?�页并且真的�?�慢了。默认数值是8388600(8M)，我的MySQL主机有2GB内存，所以我把它改为
402649088(400MB)。

(4)�?max_connections：
�?许的�?�时客户的数�?。增加该值增加 mysqld �?求的文件�??述符的数�?。这个数字应该增加，�?�则，你将�?常看到 Too many connections 错误。默认数值是100，我把它改为1024 。

(5)�?record_buffer：
�?个进行一个顺�?扫�??的线程为其扫�??的�?张表分�?这个大�?的一个缓冲区。如果你�?�很多顺�?扫�??，你�?�能想�?增加该值。默认数值是131072(128K)，我把它改为16773120 (16M)

(6)�?sort_buffer：
�?个需�?进行排�?的线程分�?该大�?的一个缓冲区。增加这值加速ORDER BY或GROUP BY�?作。默认数值是2097144(2M)，我把它改为 16777208 (16M)。

(7)�?table_cache：
为所有线程打开表的数�?。增加该值能增加mysqld�?求的文件�??述符的数�?。MySQL对�?个唯一打开的表需�?2个文件�??述符。默认数值是64，我把它改为512。

(8)�?thread_cache_size：
�?�以�?用的�?存在中的线程的数�?。如果有，新的线程从缓存中�?�得，当断开连接的时候如果有空间，客户的线置在缓存中。如果有很多新的线程，为了�??高性能�?�
以这个�?��?值。通过比较 Connections 和 Threads_created 状�?的�?��?，�?�以看到这个�?��?的作用。我把它设置为 80。

(10)�?wait_timeout：
�?务器在关闭它之�?在一个连接上等待行动的秒数。默认数值是28800，我把它改为7200。

注：�?�数的调整�?�以通过修改 /etc/my.cnf 文件并�?�?� MySQL 实现。这是一个比较谨慎的工作，上�?�的结果也仅仅是我的一些看法，你�?�以根�?�你自己主机的硬件情况（特别是内存大�?）进一步修改。