I just made a product for customers, a anti spam gateway with postfix and Mailscanner (for scanning spam). The mail comes in through postfix, Mailscanner scans it, when it is clean, it is delivered to a remote mailserver (for example Microsoft Exchange).

The delivering of the mail to the exchange is going ok. I made a transport file (/etc/postfix/transport).

Transport file:
domain.com smtp:[xx.xx.xx.xx]
domain2.com smtp:[xx.xx.xx.xx]

This all works ok. But now my question:

Is it possible, that when postfix notice a timeout on the remote mailserver, to deliver the mail into a pop3 mailbox, on the same server? (such as courier?).

I found some examples of configurations, but the all refer to put the mail right into the pop3 mailbox, and not checking wether the remote mailserver is offline or not.

Hope you guys can help me.

Tags: Debian, 4.0, Postfix + Mailscanner
Zones: Linux, Linux Networking, Email Servers
Author: shssystems, Premium Service Member
Advanced on this subject.
Request Attention
Time Zone: Central European Time (GMT+01:00)
Translate:

**** Answer:

Rank: Master
You will have more problem that what you are trying to solve. But in any event see below.

You would need to use a script that would either monitor the postfix logs and act when connections to the destination can not be made. You can have a script connect to the destination to check whether it is accepting connections.

The action of the script would be to re-write the transport file when changing states of the remote server have been detected. This will handle any new emails received, not sure how you would change the previously received emails.

If the same client has multiple domains, you would likely need to “activate” the local/virtual email handling for domains.

——————————————————————————–

How to setup an E-Mail Relay Host with Sendmail ?

In a high security internet environment it may be necessary to put all user mailboxes behind the corporate firewall into the HSZ (High Security Zone). The mailbox server cannot be directly accessed from the internet, a mail relay host in the DMZ (Demilitarized Zone) is needed. This mail relay host provides the following tasks:

All incoming SMTP-Mail will be processed by the relay host. Mail to internal recipients will be forwarded to the mailbox host.

Mail from the internet to other internet recipients will not be forwarded, except for certain clearly defined domains.

Mail from all hosts in the HSZ or DMZ will be sent to the relay host, which will deliver the email directly to the recipients in the internet using MX-records from the DNS Server.

——————————————————————————–

In this example, we show the configuration for the well known MTA (Message Transfer Agent) sendmail
on RedHat Linux 7.0.

DNS Configuration on DNS-Server

The relay host, the mailbox host and all hosts in DMZ must be inserted in the DNS for the domain ARKUM.CH. Besides this, it’s very important to insert the Firewall (NAT Address) in the DNS, or Sendmail will complain about relay problems. As a rule of thumb, all Hosts or IP-Adresses which will use the Relay-Host must be inserted in Sendmail’s DNS or you may encounter relaying problems. The configuration files for DNS can be found in /var/named for RedHat Linux.

;———————————————————
; arkum-ch.zone — Name-to-Address Mapping
;———————————————————
;
; Start Of Authority marker, indicates that this server is
; the master for the following addresses.
;
@ IN SOA rabbit.arkum.ch. postmaster.arkum.ch. (
2000091001 ; Serial (YYYYMMDDnn)
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after one week
86400 ; Minimum Time to Live of 1 day
)
;
; ——————————————–
; Descriptions of Name Servers for this domain
; ——————————————–
;
IN NS rabbit.arkum.ch.
IN NS opal.arkum.ch.
;
; Descriptions of Primary and Secondary Mail Servers
; (This tells sendmail where to send mail that is addressed to
; someone@arkum.ch, namely too rabbit.arkum.ch first, then
; to the secondary mail handler opal.arkum.ch)
;
IN MX 10 ux-mail1.arkum.ch.
;
; ——————————————–
; Arkum’s Hosts
; ——————————————–
;
localhost IN A 127.0.0.1
;
rabbit IN A 193.247.121.196
IN MX 10 ux-mail1.arkum.ch.
dns IN CNAME rabbit.arkum.ch.
IN TXT “DNS Server”
;
ux-mail1 IN A 193.247.121.205
smtp IN CNAME ux-mail1.arkum.ch.
mail IN CNAME ux-mail1.arkum.ch.
IN TXT “Mail Relay Host”
;
paragon IN A 192.168.138.20
IN MX 10 paragon.arkum.ch.
IN TXT “Mailbox Server”

Please note, that the MX record for the mailbox host paragon points to itself.

DNS Configuration on Relay Host

The sendmail MTA on the relay host needs access to the DNS Server. This must be setup in the file /etc/resolv.conf

search arkum.com arkum.ch
nameserver 193.247.121.196

Firewall Configuration

Port 25 (SMTP) must be opened between the Relay Host on the DMZ and the Mailbox Host in the HSZ. Ask your firewall administrator to accomplish this task.

Enable Relaying for all hosts in ARKUM.CH

Relaying (transmission of messages from a site outside your domain to another site outside your domain) is denied by default. Note that this changed in sendmail 8.9; previous versions allowed relaying by default. Relaying is a feature (not a bug) to prevent E-Mail spamming. You have to configure relaying or you will get the error message: 550 Requested action not taken: relaying denied.

Configure Relaying

Using /etc/mail/relay-domains

You need to add the fully-qualified host name and/or IP address of each client to class R, the set of relay-allowed domains. For version for 8.9.X, it is typically /etc/mail/relay-domains Note: if your DNS is problematic, you should list the IP address (e.g., 1.2.3.4); in general, however, this should not be necessary. Here is the content of the file relay-domains:

akadia.com
akadia.ch
arkum.ch

Using /etc/mail/access

An “access” database can be created to accept or reject mail from selected domains. For example, you may choose to reject all mail originating from known spammers. To enable such a database, use the file /etc/mail/access. Remember, since /etc/mail/access is a database, after creating the text file as described below, you must use makemap to create the database map.

For example:

makemap hash /etc/mail/access < /etc/mail/access

The table itself uses e-mail addresses, domain names, and network numbers as keys.
For example:

spammer@aol.com REJECT
cyberspammer.com REJECT
192.168.212 REJECT

would refuse mail from spammer@aol.com, any user from cyberspammer.com
(or any host within the cyberspammer.com domain), and any host on the
192.168.212.* network.

The value part of the map can contain:

OK Accept mail even if other rules in the running ruleset would reject it, for example, if the domain name is unresolvable
RELAY Accept mail addressed to the indicated domain or received from the indicated domain for relaying
through your SMTP server. RELAY also serves as an implicit OK for the other checks
REJECT Reject the sender or recipient with a general purpose message
DISCARD Discard the message completely using the $#discard mailer. This only works for sender addresses (i.e., it indicates that you should discard anything received from the indicated domain).
Error Text Any text where ### is an RFC 821 compliant error code and “any text” is a message to return for the command.

For example:

cyberspammer.com 550 We don’t accept mail from spammers
okay.cyberspammer.com OK
sendmail.org OK
128.32 RELAY

Would accept mail from okay.cyberspammer.com, but would reject mail from all other hosts at cyberspammer.com with the indicated message.It would allow accept mail from any hosts in the sendmail.org domain, and allow relaying for the 128.32.*.* network.

We use the following entries in /etc/mail/access, so all hosts within the domain ARKUM.CH or within the HSZ 192.168.138.x can use the Relay Host without “550 Requested action not taken: relaying denied.”

localhost RELAY
127.0.0.1 RELAY
arkum.com RELAY
arkum.ch RELAY
192.168.138 RELAY

Compile the entries with:

makemap hash /etc/mail/access < /etc/mail/access

More information can be found in the README.cf file of sendmail.

How to deliver local mails if DNS- and Mail-Server is the same machine ?

If your DNS-Server and E-Mail Relay Host is the same machine you may encounter the following error message:

554 MX list for akadia.ch points back to rabbit.akadia.ch
554 … Local configuration error

The Mail Exchanger (MX Records) in the DNS configuration is just an ordered list of destinations that tells mailers where to send messages if they want to reach a given domain. The preference value tells them how desirable it is to use that destination. That’s the basic idea behind MX records and mail exchangers, but there are a few more wrinkles you should know about. Here is the output of a typical MX entry in the DNS configuration for ARKUM.CH

What happens if a mailer finds itself at the highest preference, and has to discard the whole MX list as shown below ?

IN MX 10 rabbit.arkum.ch.
IN MX 20 opal.arkum.ch.

Some mailers attempt delivery directly to the destination host’s IP address, as a last-ditch effort. In most mailers however , it’s an error. It may indicate that DNS thinks the mailer should be processing (not just forwarding) mail for the destination, but the mailer hasn’t been configured to know that. Or it may indicate that the administrator has ordered the MX records incorrectly by using the wrong preference values. Then it will bounce the mail with the familiar error

Many versions of sendmail use class w or file class w as the list of local destinations. The sendmail configuration on RedHat Linux offers the file /etc/sendmail.cw. Enter the local domains in this file and the local delivery together with MX records will work.

arkum.ch
arkum.com

Note again, that this task must not be done, if the DNS Server and Mail Server are two different machines.

Enable local Mail Forwarding from the DMZ to the HSZ

Local Mail must be forwarded from the Relay Host on the DMZ to the Mailbox Host on the HSZ. Sendmail offers this feature using the Macros DR and DM in /etc/sendmail.cf. Enter the Mailbox Host for both Macros, besides this the domain name ARKUM.CH must be masqueraded with the macro DM.

Here are the necessary entries in /etc/sendmail.cf

# Who I send unqualified names to (null means deliver locally)
DRparagon.arkum.ch

# Who gets all local email traffic
# ($R has precedence for unqualified names)
DHparagon.arkum.ch

# Class M: domains that should be converted to $M
CMarkum.com

# Who I masquerade as (null for no masquerading) (see also $=M)
DMarkum.ch

Test the Configuration

Stop and Start Sendmail Daemon

/etc/rc.d/init.d/sendmail stop
/etc/rc.d/init.d/sendmail start

Test the internet delivery

Create a testfile to_internet for internet delivery with the following content:

To: martin.zahn@plenaxx.ch
From: martin.zahn@arkum.ch
Subject: Ein Test

Dies ist ein Header Test
(empty line)

Test the internet delivery

cat to_internet | /usr/lib/sendmail -bm -t -v

martin.zahn@plenaxx.ch. Connecting to nt-mail1.plenaxx.ch. esmtp…
220 nt-portal2.plenaxx.ch ESMTP Service (Lotus Domino Release 5.0.2c
(Intl)) ready at Sat, 4 Nov 2000 10:25:28 +0100
>>> EHLO rabbit.akadia.com
250-nt-portal2.plenaxx.ch Hello rabbit.akadia.com ([193.247.121.196]), pleased to
meet you
250-HELP
250-SIZE
250 PIPELINING
>>> MAIL From: SIZE=100
250 root@rabbit.akadia.com… Sender OK
>>> RCPT To:
250 martin.zahn@plenaxx.ch… Recipient OK
>>> DATA
354 Enter message, end with “.” on a line by itself
>>> .
250 Message accepted for delivery
martin.zahn@plenaxx.ch… Sent (Message accepted for delivery)
Closing connection to nt-mail1.plenaxx.ch.
>>> QUIT
221 nt-portal2.plenaxx.ch SMTP Service closing transmission channel

If you get an output similar to the above, your internet delivery is working perfectly !

Test the Mail Forwarding

Create a testfile to_arkum for local delivery with the following content:

To: martin.zahn@arkum.ch
From: root@plenaxx.ch
Subject: Ein Test

Dies ist ein Header Test
(empty line)

Test the local delivery

cat to_internet | /usr/lib/sendmail -bm -t -v

martin.zahn@arkum.ch… Connecting to paragon.arkum.ch. via relay…
220 SMTP service ready
>>> EHLO ux-mail1.arkum.ch
250-Requested mail action okay, completed
250-8BITMIME
250-SIZE
250-ETRN
250 HELP
>>> MAIL From: SIZE=93
250 Requested mail action okay, completed
>>> RCPT To:
250 Requested mail action okay, completed
>>> DATA
354 Start mail input; end with .
>>> .
250 Requested mail action okay, completed
martin.zahn@arkum.ch… Sent (Requested mail action okay, completed)
Closing connection to paragon.arkum.ch.
>>> QUIT
221 SMTP server closing transmission channel

If you get an output similar to the above, your local delivery is working perfectly !

Debug the Configuration

If you encounter troubles with the sendmail configuration, here are some tests to find out what happens.

Show Delivery Agent (Mailer)

$ /usr/lib/sendmail -d0.12 -bt as $>)
define(? as $?)
define(| as $|)
define(. as $.)
define([ as $[)
define(] as $])
define(( as $()
define() as $))
define(& as $&)
define(0 as $0)
define(1 as $1)
define(2 as $2)
define(3 as $3)
define(4 as $4)
define(5 as $5)
define(6 as $6)
define(7 as $7)
define(8 as $8)
define(9 as $9)
define(n as MAILER-DAEMON)
define(v as 8.9.3)
define(w as ux-mail1.arkum.ch)
define(j as ux-mail1.arkum.ch)
define(m as arkum.ch)
define(k as ux-mail1.arkum.ch)
define(b as Sat, 4 Nov 2000 13:44:49 +0100)
define(opMode as t)
redefine(w as ux-mail1)
define(S as )
define(R as paragon.arkum.ch)
define(H as paragon.arkum.ch)
define(M as arkum.ch)
redefine(n as MAILER-DAEMON)
define(Z as 8.9.3)
define(deliveryMode as b)
define(_ as root@localhost)
redefine(deliveryMode as i)

Show Sendmail Queue

$ /usr/lib/sendmail -bp

Mail Queue (2 requests)
–Q-ID– –Size– —–Q-Time—– ————Sender/Recipient————
RAA01002 27 Fri Nov 3 17:13 root
(martin.zahn@plenaxx.ch… reply: read error from nt-mail1.pl)
martin.zahn@plenaxx.ch
RAA01088 27 Fri Nov 3 17:18 root
(Deferred: Connection reset by nt-mail1.plenaxx.ch.)
martin.zahn@plenaxx.ch

Test the MX-Record readed by Sendmail from DNS

$ /usr/lib/sendmail -bt

> /mx arkum.ch
getmxrr(arkum.ch) returns 1 value(s):
ux-mail1.arkum.ch.
> /mx plenaxx.ch
getmxrr(plenaxx.ch) returns 1 value(s):
nt-mail1.plenaxx.ch.
> /mx glue.ch
getmxrr(glue.ch) returns 2 value(s):
ns.glue.ch.
chsun.eunet.ch.

If you have still troubles consult our sendmail guide or visit http://www.sendmail.org

What is it?
E-MailRelay is a simple store-and-forward message transfer agent and proxy server. It runs on Unix-like operating systems (including Linux), and on Windows.

When used as proxy server the E-MailRelay program (emailrelay) runs in the background and accepts e-mail from local e-mail client programs (KMail, Outlook etc.) or from the outside world, using the SMTP protocol. As soon as an e-mail message is received it is forwarded on to the next SMTP server for onward delivery. This becomes more useful when you add in your own message processing: as each message is received it can be passed one of your programs for editing, filtering, encrypting etc.

When used as a store-and-forward transfer agent E-MailRelay runs in two modes: the storage daemon part, and the forwarding agent. The storage daemon waits for incoming mail and stores anything it receives in a spool directory. As a forwarding agent E-MailRelay pulls messages out of the spool directory and passes them on to a remote server — perhaps your ISP mail server.

E-MailRelay can also run as a POP3 server so that e-mail client programs can read the spooled messages.

What it’s not
E-MailRelay is not a routing MTA. It forwards e-mail to a pre-configured SMTP server, regardless of any message addressing or DNS redirects.

E-MailRelay is not a delivery agent. Some programs like fetchmail send locally-addressed e-mail to the local SMTP server in order to deliver them to local system mailboxes. E-MailRelay will not normally do this.

Why use it?
E-MailRelay is a simple tool that does SMTP. For simple tasks it is likely to be easier to understand and configure than a more general purpose MTA.

E-MailRelay is designed to be policy-free, so that you can implement your own policies for message retries, bounces, local mailbox delivery, spam filtering etc. through external scripts.

It has no dependencies on third-party libraries or run-time environments so it is easy to build and install, and the single-threaded, event-driven design with non-blocking i/o may provide better performance and resource usage than some of the alternatives.

Typical applications of E-MailRelay include:

spam filtering and virus checking incoming mail
adding digital signatures or legal disclaimers to outgoing mail
doing store-and-forward for outgoing mail across a dial-up Internet connection
adding authentication where the existing infrastructure does not support it
simple SMTP proxying on a firewall host or DMZ
SMTP to POP gateway
Running E-MailRelay
To use E-MailRelay in store-and-forward mode use the –as-server switch to start the storage daemon in the background, and then trigger delivery of spooled messages by running with the –as-client switch and the address of the target host.

For example, to start a storage daemon listening on port 10025 use a command like this:

emailrelay –as-server –port 10025 –spool-dir /tmp
And then to forward the spooled mail to smarthost run something like this:

emailrelay –as-client smarthost:smtp –spool-dir /tmp
To get behaviour more like a proxy you can add the –poll switch so that messages are forwarded continuously rather than on-demand. This example starts a store-and-forward server that forwards spooled-up e-mail every hour:

emailrelay –as-server –poll 3600 –forward-to smarthost:smtp
For a proxy server that forwards each message as it is being received, without any delay, you can use the –as-proxy mode:

emailrelay –as-proxy smarthost:smtp
If you want to edit or filter e-mail as it passes through the proxy then specify your pre-processor program with the –filter switch, something like this:

emailrelay –as-proxy smarthost:smtp –filter /usr/local/bin/addsig
To run E-MailRelay as a POP server without SMTP use –pop and –no-smtp:

emailrelay –pop –no-smtp –log –close-stderr
The emailrelay-submit utility can be used to put messages straight into the spool directory so that the POP clients can fetch them.

Note that by default E-MailRelay will always reject connections from remote machines. To allow connections from anywhere use the –remote-clients switch, but please consider the implications if your machine is connected to the internet.

For more information on the command-line options refer to the reference guide or run:

emailrelay –help –verboseConfiguration
The emailrelay program itself is mostly configured through command-line switches (such as –port and –forward-to), so there is no single definitive configuration file.

However, in most installations on Unix-like system the E-MailRelay server will be started up by the boot-time script called emailrelay in the /etc/init.d directory, and this script uses the configuration file /etc/emailrelay.conf to define the server command-line. Each entry in the configuration file corresponds to an E-MailRelay command-line switch, so you can edit this file to add and remove server switches. Refer to the reference guide for a complete list of configuration switches.

On Windows the installation program creates a startup batch file called emailrelay-start.bat that contains all the server command-line switches and you can edit this file to tailor the server configuration. You can also set up your own shortcuts to the E-MailRelay executable and add and remove command-line switches using the shortcut properties tab.

If you are using authentication then you will have to create the text files containing your authentication secrets (passwords and password hashes). The –server-auth, –client-auth and –pop-auth command-line switches are used to point to these files.

There is also a graphical configuration program called emailrelay-gui that may be available to help with configuring the system. This is intended to be used once at installation time (and it is the basis of the self-extracting installer on Windows) but it may also be used to do some simple reconfiguration of an alreay-installed system.

Logging
If the –log switch is used then E-MailRelay program issues warnings and error messages to the syslog system using the LOG_MAIL facility. Under Windows it writes to the Application event log.

The syslog system is configured through the /etc/syslog.conf file (try man syslog.conf), and in most cases you will find that LOG_MAIL warnings and errors are directed to an appropriate log file (perhaps /var/log/messages).

For more verbose logging add the –verbose switch. If this becomes difficult to read via the system log (especially on Windows) then try logging to the standard error stream and redirect that to a file. Bear in mind that you will need have to replace –as-server with –log and –as-proxy with –immediate –forward-to since the –as-server and –as-proxy switches implicitly close the standard error stream soon after startup.

emailrelay –log –verbose > emailrelay.log 2>&1Troubleshooting
A useful technique for troubleshooting SMTP problems is to telnet into the remote server and drive the SMTP protocol manually. Telnet can be told to connect to the remote SMTP port by putting the port number (25) on the command line after the remote hostname, for example: telnet smtp.myisp.net 25.

Once connected you should get a startup banner from the server, which may tell you what server software you have connected to. From there you should type something like EHLO myhost.mydomain. The response to the EHLO command should contain a list of SMTP extensions which the server software supports. If this includes the AUTH extension then the set of supported authentication mechanisms (such as LOGIN, CRAM-MD5 etc.) will be listed on the same line.

After the EHLO response you should type MAIL FROM:, retaining the angle brackets but substituting your own address. If this is accepted then enter a RCPT TO: command to say where the e-mail is going. (Again, retain the angle brackets but substitute an appropriate address.)

After one or more RCPT TO commands you should enter the DATA command, followed by the message content. The message content should include an RFC822 header, followed by a blank line, followed by the message text. For testing purposes you might get away without having any header/body structure at all, but to do things properly you should have at least a To: line, a From: line and a Subject: line in the header.

At the end of the message text type a . on a line of its own. At that point the message should get dispatched, and eventually end up in your in-box in the usual way (assuming you put your own address in the RCPT TO command).

The following is an example SMTP dialogue, with >> and <> telnet smtp.myisp.net 25
<< Trying 12.34.56.78…
<< Connected to smtp.myisp.net.
<< Escape character is ‘^]’.
<> EHLO myhost.myisp.net
<< 250-mail12.myisp.net Hello modem-185.myisp.net [12.34.56.78]
<< 250-SIZE 104857600
<< 250-PIPELINING
<> MAIL FROM:
<< 250 is syntactically correct
>> RCPT TO:
<< 250 verified
>> DATA
<> To: me@myhost.myisp.net
>> From: me@myhost.myisp.net
>> Subject: test
>>
>> Test message.
>> .
<> QUIT
<< 221 mail12.myisp.net closing connection
<< Connection closed by foreign host.
If you get some sort of access denied errors when talking to a server which does not support the AUTH extension, then your ISP may be using POP-before-SMTP authentication. In this scheme you are required to conduct an authenticated POP or IMAP dialogue before you try to use SMTP. The POP/IMAP dialogue is done separately from the SMTP connection, but bear in mind that there might be a time limit so that your SMTP connection has to be made soon after the POP/IMAP authentication. You should be able to use an e-mail client program, or something like fetchmail to do the POP/IMAP authentication.

If you can send mail messages sucessfully using telnet, then you should look at the E-MailRelay –verbose log output and compare what you do interactively with what the program does.

Preventing open mail relay
If you are running E-MailRelay as a server with a permanent connection to the Internet it is important to prevent open mail relay because this can be exploited by spammers. By default open mail relaying is not possible because E-MailRelay does not accept IP connections from remote clients. However, if you use the –remote-clients switch then you need to be more careful.

If the only required access to the E-MailRelay server is from a local network and not from the Internet then you can use the –interface switch to listen for incoming connections only on the local network interface. You should also use a firewall in this scenario.

Another option is to require all clients to authenticate by using the –server-auth switch. If you then need local clients, such as your own e-mail client program, to connect without authentication then you must put those trusted IP addresses in the secrets file with an authentication mechanism of NONE. Refer to the reference guide for more information.

Taking it one stage further, you may want to allow connections from the Internet without authentication but only allow them to send mail to local users. In other words you want to allow anyone to deliver e-mail to your system but not allow them to spam someone else. You can do this by requiring authentication with the –server-auth switch, then exempt everyone from mandatory authentication with NONE server *.*.*.* x line in the secrets file, and finally have an address verifier script (–verifier) which rejects remote recipient addresses if the client has not authenticated. Again, refer to the reference guide for further details.

Running as a POP server
E-MailRelay can run as a POP server so that e-mail client programs can retrieve messages from the spool directory directly (although it is not a good idea to run E-MailRelay as a POP server if also forwarding messages by SMTP).

To allow POP access to spooled messages use a command-line something like this:

emailrelay –as-server –pop –pop-auth /etc/emailrelay.auth
You will need to create the authentication secrets file (/etc/emailrelay.auth in this example) containing usernames and passwords. A simple example would look like this:

APOP server user1 password1
APOP server user2 password2
If you need to serve up messages to more than one POP client consider using the –pop-by-name option with a –filter script that moves messages into the appropriate sub-directory. The emailrelay-filter-copy program is designed to be used in this way: when a message is received over SMTP it copies it into all available sub-directories for collection by multiple POP clients.

Refer to the reference guide for more information.

Triggering delivery over dial-up
If you are using E-MailRelay to store and forward e-mail over a dial-up link to the Internet, then you will need to set things up so that the dialler tells E-MailRelay when to start forwarding.

In most Unix-like systems a ppp daemon calls the script /etc/ppp/ip-up when it has successfully established a dial-up link to your ISP. This script will probably set up IP routes, update the DNS configuration, initialise a firewall, run fetchmail and sendmail, etc. It may also call out to another script, ip-up.local which is available for you to put stuff into without having to edit ip-up itself.

The simplest approach for editing ip-up is to look for a sendmail -q line. If you find sendmail -q then it should be sufficient to replace it with this:

emailrelay –as-client :smtp
where you substitute your ISP’s SMTP server address for .

Or if your ip-up calls out to ip-up.local then create a two-line /etc/ppp/ip-up.local script like this:

#!/bin/sh
exec /usr/local/sbin/emailrelay –as-client :smtp
If you create ip-up.local yourself remember to make it executable.

Notification of failed e-mails
If e-mail messages cannot be forwarded by the E-MailRelay system then the envelope files in the spool directory are given a .bad suffix. The reason for the failure will be recorded in the envelope file itself.

You should check for .bad envelope files in the E-MailRelay spool directory from time to time.

If you want failed e-mails to be retried a few times you can run the emailrelay-resubmit.sh script periodically, perhaps from cron. This script simply removes the .bad suffix from files in the spool directory, as long as they have not been retried too many times already.

If you are using E-MailRelay to forward outgoing e-mails then you can also get failed e-mails to bounce back to your in-tray by running the emailrelay-notify.sh script periodically as root, although this does require procmail to act as a delivery agent.

Polling and timeouts
In normal proxy mode, using –immediate or –as-proxy, the E-MailRelay server will try forward each message as soon as it is received and only then will it acknowledge receipt of the message back to the submitting client. This has the advantage that any problems with the forwarding process can be reported back to the submitting client; any failures should be reported your e-mail client program and the failed messages should stay in its outbox.

However, some e-mail client programs are not always prepared to wait long enough for the message to be forwarded and this can result in problems with timeouts. A good fix for this is to use the –poll mechanism as a replacement for –immediate/–as-proxy. In this way the submitting e-mail client program does not have to wait for the E-MailRelay server to forward each message and so it should not time out. If you have timeout problems try replacing –immediate with –poll 0 so that forwarding is done as soon as the client has finished submitting messages.

Usage patterns
The simplest ways of using E-MailRelay for SMTP are as a proxy or as a store-and-forward MTA, but many other configurations are possible. For example, multiple E-MailRelay servers can run in parallel sharing the same spool directory, or they can be chained in series to that e-mail messages get transferred from one to the next.

Remember that messages can be introduced directly into the E-MailRelay spool directory using the emailrelay-submit utility, and they can be moved out again at any time, as long as the envelope file is not locked (ie. with a special filename extension). Your –filter program can edit messages in any way you want, and it can even remove the current message from the spool directory.

When using E-MailRelay as a POP server the –pop-by-name feature can be used to serve up different spooled messages according to the username that the client authenticated with: each user’s messages are taken from their own sub-directory of the main spool directory. If messages are coming in over SMTP then you could install an SMTP –filter script to move each new message into the relevant sub-directory based on the message addressing.

For more ideas check out the –client-filter and –poll switches, and don’t overlook the administration and control interface (–admin) which you can use to receive notification of message arrival or force message forwarding at any time.

SpamAssassin
The E-MailRelay server can use SpamAssassin to mark or reject potential spam.

To get E-MailRelay to reject spam outright you can just use spamassassin -e as your E-MailRelay –filter program:

emailrelay –as-server –filter “/usr/bin/spamassassin –exit-code”
Or on Windows:

emailrelay –as-server –filter “c:/Program\ Files/perl/site/bin/spamassassin.bat –exit-code”
To get spam messages identified by SpamAssassin but still pass through the E-MailRelay system you will have to have a small –filter script to collect the output from the spamassassin program and write it back into the E-MailRelay content file.

Your –filter shell script could look something like this:

#!/bin/sh
spamassassin “$1″ > “$1.tmp”
mv “$1.tmp” “$1″
exit 0
Or an equivalent batch script on Windows:

c:\Program Files\perl\site\bin\spamassassin.bat %1 > %1.tmp
ren %1.tmp %1
exit 0
You may need to set the –filter-timeout switch to control how long E-MailRelay waits for the spam analysis to complete.

You could also consider doing spam filtering off-line, completely independent of any SMTP activity, by having two E-MailRelay processes chained together working off two spool directories:

emailrelay –as-server –spool-dir /tmp/spool-in –poll 1 –forward-to localhost:10025
emailrelay –as-server –spool-dir /tmp/spool-out –port 10025 –filter /tmp/myspamfilter
Here the first E-MailRelay server accepts incoming mail straight into its spool directory and it uses a –poll timer to independently forward spooled messages to the second server running on port 10025. The second server runs the spam filter as each message is received.

There is also an experimental mechanism where E-MailRelay can talk direcly to the SpamassAssin spamd network deamon using a special form of the –filter switch:

emailrelay –as-server –filter spam:localhost:783
This might be useful if spam filtering is creating a bottleneck in the E-MailRelay server.

Google mail
To send mail via Google mail’s SMTP gateway you will need to create a client secrets file containing your account details and enable TLS support in E-MailRelay by using the –client-tls switch.

The secrets file should contain one line of text something like this:

login client myname@gmail.com mypassword
Reference this file using –client-auth on the E-MailRelay command-line and also add in the –client-tls switch:

emailrelay –as-proxy smtp.gmail.com:587 –client-tls –client-auth /etc/emailrelay.auth …

Copyright (C) 2001-2008 Graeme Walker . All rights reserved.

Overview

1. Build bare-bones Linux server
a. Custom Configurations
b. Partitions
c. Firewall Option
d. Package Selection
e. LANG variable

2. Install Postfix Message Transfer Agent (MTA)
a. Disable sendmail
b. Install Postfix
c. Configure Postfix
d. Test Postfix
e. Configure for mail forwarding
f. Test again

3. Install Mailscanner
a. Install MailScanner Package
b. Initial MailScanner Configuration

4. Install Spamassassin
a. Install SpamAssassin
b. Configure SpamAssassin

5. Install ClamAV
a. Install ClamAV
b. Configure ClamAV
c. Test ClamAV
Step I – Build Bare-Bones Linux Server
I’ve used some of the fairly recent versions of RedHat Linux. Versions 8, 9 or Fedora should work fine. I choose the custom build using the GUI installer.

a. Custom User Configurations
Select the generic selections for keyboard, language and timezone.

b. Partitions
You should partition the server with at least this layout: / /usr /varThis will protect your server from runaway log files.

c. Firewall Configuration
I chose to select the “no firewall” option. I consider this device to be a traffic management device and not a security device. Upstream security should be handeld by an actual firewall. Of course, many may disagree with this and choose to load IPTables. Just make sure you have the right chains configured to allow traffic to flow properly.

d. Package Selection
When you get to the package selections, DE-SELECT EVERYTHING. Go back and choose only the following items:

Editors -> you’ll need this to vi files
Development Tools -> you’ll need this to compile software

Once the machine builds itself, it will reboot.

e. Fix LANG Variable
Once it reboots, we need to edit the LANG variable. RedHat’s LANG variable setting of LANG=”en_US.UTF-8″ can cause compilation errors in some perl code used by MailScanner and SpamAssassin.

In Red Hat Linux you must edit the file /etc/sysconfig/i18n to change the lines:
LANG=”en_US.UTF-8″ SUPPORTED=”en_US.UTF-8:en_US:en” To: LANG=”en_US” SUPPORTED=”en_US.UTF-8:en_US:en”You then need to re-set and export the LANG variable: [root@titan sysconfig]# LANG=’en_US’ [root@titan sysconfig]# export LANGStep II – Install Postfix
I chose to use postifx instead of sendmail for my MTA. I like postfix because its configuration is very understandable. Also, I believe it is a bit more lightweight than sendmail.

a. Disable existing Sendmail services
Before you install postfix, you need to disable the existing sendmail items running on your Linux box. Service sendmail stop chkconfig sendmail offb. Install Postfix
Download postfix 2.1.5 from www.postfix.org and install as per this postfix document. Make sure you add the required records in passwd, group and aliases files. Postfix and Mailscanner will not work without them!

Accept all of the default settings when you “make install”

c. Configure Postfix
Postifx has two files which control most of its functionality. These are main.cf and master.cf.

Specific main.cf edits: myhostname = titan.corp.com mydomain = corp.com myorgin = $mydomain inet_interfaces = all mydestination = $myhostname, localhost.$mydomain $mydomain mynetwork_style = hostNote: some of these items need to be changed, while some only need to be uncommented.

d. Test Postfix Build
It is very importiant to test postfix now to make sure everything works.

Send an email to this mail server. You can telnet on port 25 to this box and manually send an email.

e. Configure Postfix to forward email
Since we do not want this device to be the final destination for our mail, we need to configure Postfix to forward all mail for our domain to our SMTP mail server. We need to make sure that only mail for our domain is forwarded, and mail for other domains is dropped (do not become a open mail relay – very bad!)

Edit this item in main.cf relay_domains = lab.netThis tells Postfix which domains it should relay mail. All mail destined for this doamin (and only this domain) will be forwarded to its remote SMTP server. You can put multiple domains here, just seperate them with a comma or whitespace.

Add line to end of main.cf transport_maps = hash:/etc/postfix/transportThis tells Postfix what method to use to resolve the destination address for relayed mail:

Add line to end of “/etc/postfix/transport” lab.net smtp:[192.168.2.225]This command specifically maps the domain “lab.net” to the IP address 192.168.2.225 and tells Postfix to use SMTP as the transport. All mail destined for lab.net which is relayed thru this Spam Gateway will be forwarded via SMTP to 192.168.2.225.

Then run command: postmap /etc/postfix/transportThis command builds the hash table/file which Posfix will use to forward mail. If you don’t do this, it wont work.

Finally add this line to main.cf append_at_myorigin = noThese lines will make sure your Spam Gateway does not add any of its own header domain info to the mail as it passes thru.

f. Test Again
Stop and start postfix to make sure all changes take. postfix stop postfix startI know this is redundent, but you really should test your system again before installing MailScanner. Make sure that mail gets passed thru the system wihtout problem. If you do encounter a problem, it will be alot easier to fix it now than after you’ve installed MailScanner, SpamAssassin and ClamAV.
Step III – Install MailScanner

a. Install MailScanner
MailScanner installation is very easy to install. Just download the package from http://mailscanner.info. I use the version for RedHat/Mandrake.

Place the tar file in you directory of choice then run: tar zxvf MailScanner-.tar.gzRun the install script: ./install.shUse chkconfig to make sure MailScanner is set for the proper run levels. chkconfig –list | grep MailScannerYou should see: MailScanner 0:off 1:off 2:on 3:on 4:on 5:on 6:offAlso, you’ll need to disable postfix via chkconfig. MailScanner starts postfix itself. chkconfig postfix offb. Configure MailScanner Settings

Updates to postfix’s main.cf by adding this line: header_checks = regexp:/etc/postfix/header_checks In the file /etc/postfix/header_checks add this line: /^Received:/ HOLDHere are the edits to Mailscanner – place / update in /etc/MailScanner/MailScanner.conf Run As User = postfix Run As Group = postfix Incoming Queue Dir = /var/spool/postfix/hold Outgoing Queue Dir = /var/spool/postfix/incoming MTA = postfixHere’s some file permissions changes you’ll need to make: chown postfix.postfix /var/spool/MailScanner/incoming chown postfix.postfix /var/spool/MailScanner/quarantineIts a good idea to test the server now. Send a message to the remote server and see if it goes thru. It should, and then you can move to installing SpamAssassin.
Step IV – SpamAssassin
a. Install SpamAssassin
SpamAssassin is also very easy to install, however, you need to make sure you have the proper PERL modules installed. They are: Digest::SHA1 HTML::ParserOptional Modules: MIME::Base64 DB_File Net::DNS Mail::SPF::Query Time::HiResYou can install SpamAssassin with: perl -MCPAN -e ‘install Mail::SpamAssassinThen install Net::DNSb. Configure SpamAssassin
You don’t need to edit any of the SpamAssassin conf files because all of the configuration is done thru MailScanner.

In /etc/MailScanner/MailScanner.conf we will make these changes:
Change this line: Use SpamAssassin = noto: Use SpamAssassin = yesUpdate the SpamAssassin User State Dir setting: SpamAssassin User State Dir = /var/spool/MailScanner/spamassassinand then run commands: mkdir /var/spool/MailScanner/spamassassin chown postfix.postfix /var/spool/MailScanner/spamassassinRestart MailScanner to make changes stick. service MailScanner restartStep V – ClamAV
a. Install ClamAV
Before you install ClamAV, you need to add the clamav user and group. You can do this as follows: groupadd clamav useradd -g clamav -s /bin/false -c “Clam AntiVirus” clamavOnce this is done, you can build the software.
Open up the package: tar xvzf clamav-0.80.tar.gzGeneric build proceedure: ./configure makeI encountered a problem with my RedHat Fedora Core 3 build which was fixed by using this command “ln -s /usr/lib/libidn.so.11.4.6 /usr/lib/libidn.so”. See this web page for details: “http://kb.atmail.com/view_article.php?num=132&title=libidn.so:%20No%20such%20file%20or%20directory” make installNow you need to load the perl modules for the ClamAV perl -MCPAN -e shell install Parse::RecDescent install Inline install Mail::ClamAV b. Configure ClamAV and MailScanner Settings
In /usr/local/etc/clamd.conf make the following edits:

Add ‘#’ in front of the word ‘Example’

Do the same in /usr/local/etc/freshclam.conf

Now you need to update ClamAV’s virus signature files [root@titus]# freshclam ClamAV update process started at Sat Jan 29 19:43:51 2005 main.cvd is up to date (version: 29, sigs: 29086, f-level: 3, builder: tomek) daily.cvd is up to date (version: 691, sigs: 804, f-level: 4, builder: ccordes)Update MailScanner’s configuration file to use ClamAV ‘Virus Scanners = clamav’In MailScanner.conf, check the setting of ‘Monitors for ClamAV Updates’ to ensure it matches the location of your ClamAV virus database files. This should be “/usr/local/share/clamav/*.cvd”.

Be attuned to the state of your network and systems
Malicious software, such as bots and spyware, often goes unnoticed for far too long. Well-crafted malware can avoid being detected by antivirus software and intrusion detection systems. The first line of defense against such a formidable foe is to become familiar with the normal state of your IT infrastructure, and monitor it to detect anomalies.

Establishing and maintaining IT infrastructure awareness means committing to the following steps:

Centrally manage logs from systems and network devices across the enterprise to detect anomalous events. Even an operational incident, such as a surge in CPU load on a server, could have security implications; the increased load could be attributed to malware on that system. Logs can be aggregated without commercial tools via Syslog, which runs natively on Unix and has been ported to Windows. Without a central monitoring point, your perspective on the infrastructure will be severely obstructed.

Deploy intrusion detection sensors at key points on the network. Host-based sensors on key servers also help. However, maintaining host intrusion detection systems (IDS) tends to be more burdensome than managing network IDS. Even though a traditional IDS may not block infections, it will offer additional visibility into the environment. Snort is widely considered the king of free network IDS tools. For a free multi-platform host IDS, take a look at OSSEC.

Monitor outbound network traffic to detect infected systems that seek instructions or leak data to their masters. You can tune a network IDS sensor to scrutinize outbound traffic, or employ traditional network monitoring tools for this purpose. (I have had a lot of luck with free Argus Open Project software.) The quicker a compromise is detected, the faster it can be contained. To learn more about detecting unauthorized activities in outbound traffic, see the book Extrusion Detection by Richard Bejtlich.

Detect unauthorized changes to the state of your systems. Although some malware resides purely in memory of the infected system, many infections leave footprints on the file system or registry. Some host IDS can detect such changes to the system’s integrity. Free tools dedicated to accomplishing this include AIDE, cfengine, and the open source version of Tripwire.
Trap malware with honeypots
Honepots combine the best aspects of detective and preventative technologies in the fight against malware. Honeypots are systems specifically deployed to be compromised. While the development of commercial honeypots seems to have lost steam, there is a plethora of innovative and freely available honeypot technologies. When carefully deployed, they can strengthen an enterprise’s defensive posture in several ways:

Slow down an intruder’s progress by having him waste time breaking into a system that offers no value to the attacker. For instance, the freeLaBrea tool stalls port scans and worm propagation activities by creatively responding to an attacker’s network connections.

Decrease the rate of false positives, which often plagues network IDS. Since a honeypot, by definition, should not participate in production activities, almost any connection to it is an indication of malice. A free toolHoneyd emulates servers, devices, and even networks to increase the span of such monitoring without requiring multiple physical systems.

Capture malware samples for analysis. Since malware is a part of most modern intrusions, capturing it before it finds its way to a production system assists in incident response. One of the free tools that can assist in this task is Nepenthes, which can capture malicious software propagating over the network. With copies of malicious samples at hand, they can be analyzed to understand their capabilities. (Coincidentally, I teach a SANS Institute course about this.)

Understand the intruder’s intentions by observing his interactions with the compromised environment. This can be accomplished by deploying a series of honeypots to fool the intruder, whether a human or a program, about the authenticity of the targeted system. The bootable Honeywall disk, distributed for free by the Honeynet Project, can help enable this, and includes excellent monitoring tools.

Determine whether your users visited malicious websites by employing a client-side honeypot that crawls and examines Web pages. Drive-by downloads, which exploit vulnerabilities through the Web browser, are a common infection technique. Consistently blocking this threat vector may be hard, but you can still detect the incident quickly. If your organization has a mechanism, such as a proxy server, that records visited URLs, you can use the free Caffeine Monkey tool from SecureWorks to automatically examine those sites for Web exploits.
The most challenging aspect of using honeypots is deploying them in a manner that prevents an intruder from using them as a launching pad for attacks. If your organization chooses to experiment with honeypots, be sure to implement the safeguards outlined in each tool’s documentation. For an overview of honeypots and deployment scenarios, see the book Virtual Honeypots by Niels Provos and Thorsten Holz.

Protect the endpoint from malware threats
Alas, despite information security’s best efforts, malicious software may bypass network defenses and reach a system you’re trying to protect. Personal computers are particularly vulnerable, because PCs are often used in unpredictable ways and places. Here are the techniques that can help lock down laptops and desktops:

Employ antimalware tools with behavior-blocking capabilities.Traditional signature-based antivirus techniques are no longer sufficient. Modern security suites from the familiar antivirus vendors can observe local executables for behavior that characterizes malicious software, such as attempting to monitor keystrokes or writing to certain registry locations. This helps detect malware that evades signature detection and block its actions. However, before enabling such tools across the enterprise, be sure to confirm they do not interfere with regular business activities.

Look out for rootkits. Though far from being a novelty, only recently have rootkits found their way into “mainstream” malware. Rootkits’ stealthy capabilities make it particularly difficult to detect an infection. Fortunately, antimalware products are becoming better about detecting rootkit-concealed malware. They do so mostly by identifying inconsistencies in the way different OS components describe the system’s state. Free stand-alone rootkit scanners include GMER, Microsoft RootkitRevealer, andSophos Anti-Rootkit.

Protect browsing activities to anticipate drive-by downloads and other browser exploitation techniques. Hardening the browser may involve creating a protective sandbox around it with a tool such as Sandboxie (it’s free). It also helps to run the browser with fewer privileges; that’s where Vista’s built-in User Account Control (UAC) and free tools such asDropMyRights can help. Don’t forget to disable unnecessary browser features and components; you can exercise fine-grained control over Internet Explorer with the help of Windows Group Policy.

Keep up with security patches. Information security pros are getting better at keeping up with security updates for Microsoft products, but knowing when and how to patch third-party software, such as Acrobat Reader and Java Runtime, is more challenging. Free tools that detect missing patches for third-party software include F-Secure Health Checkand Secunia Software Inspector.

Lock down the workstation. Last, but not least, is the need to harden the core OS on the endpoint. This involves disabling unnecessary OS components; Group Policy is very helpful for this. It can be used to restrict which applications may run via its Software Restriction Policy feature. A free stand-alone tool that can limit which executables may run is Trust-No-Exe from Beyond Logic.
A comprehensive security program is a must
As your organization considers its antimalware strategy, remember that there is no quick fix to this growing threat. Effective approaches incorporate detective and preventative controls that create multiple defensive layers. There are products, both commercial offerings and free tools, to help you along the way. These tools are only as effective as the overall security program that they are a part of.

About the author:
Lenny Zeltser is the New York security consulting leader at Savvis Inc. He is also a senior faculty member at SANS Institute, where he teaches a course on reverse-engineering malware.

© 2004-2006 Radiant Morning

uses madCodeHook © 1999-2005 Mathias Rauen

Table of contents
Introduction
Installing and uninstalling
User interface
Usage precautions
Final notes
License

Introduction
Naomi 3.0 is an advanced internet filtering program, easy to use and totally free, intended for families and parents in particular.

Naomi 3.0 is able to constantly monitor all internet connections, protecting children from inappropriate online material (such as obscene or violent contents; pornography and erotism in the form of images or texts; sites that popularize drugs; gambling games; terrorism; hate propaganda; occultism; sects; blasphemy, etc.)

The filter does not rely on a mere list of banned sites; instead, it examines all data that are transmitted or received from the internet using applications like web browsers, chat programs, newsreaders, file sharing tools, and more.

The filtering technology employed in Naomi 3.0 features:

Heuristic analysis capable of recognizing new sites automatically.
Semantic analysis of web pages contents and analysis of their addresses and links.
Recognizes the major languages.
Recognizes ICRA labelling system.
Monitoring is not limited to web sites, but covers the whole local internet traffic.
Works with any software application, and does not alter their settings.
Password-protected (the password is chosen by the user during the installation).
User interface is extremely easy to use.
Does not require configuration.
Can be used on slow connections (it does not perform any download in background and does not need to contact sites, proxies, databases, etc.)

Installing and uninstalling
Installation of Naomi 3.0 only requires a few seconds. You just need to launch its installation (setup) file. Then, you will be promped to choose a password, to prevent unauthorized access to the program. This password is essential for accessing the program’s interface, and also for deactivating or uninstalling it. You are advised to choose a password that is difficult to guess (e.g. you can use letters and numbers) and to remember it or keep it in a safe place.

The program is now ready and it immediately starts its monitoring activity. Whenever a potential access to inappropriate sites or material is detected, the application in use is terminated. If, for example, a pornographic website is accessed – on purpose or not -, the web browser is immediately closed, both to prevent further exploration and to avoid the user from seeing any partially downloaded material (e.g. photos, banners, etc.)

User interface
To access the user interface, you just need to click twice (left mouse button) on the flower-shaped icon near the Windows clock:

You will be asked to enter the password that you have chosen during the installation.

Once you have entered the exact password, you’ll see the user interface. The following buttons are available:

Hide: hides again the interface and keeps monitoring the internet connections.
Stop: temporarily stops filtering; the buttons name changes to “Start”. Pressing it again restarts filtering.
Uninstall: stops filtering and uninstalls definitively the filter.
Help: shows this manual.
Web site: to visit the official web site from where you can download updates and new versions (you must be connected to the internet to use it).

Usage precautions
In some cases, it is possible that the filter detects “false positives”, that is, it could result in blocking of legitimate sites. This may happen in the following cases:

Search engines: many porn sites use common keywords so they can get listed in the results of different searches and entice users to visit them.
Spamming (unsolicited advertising) received via chat programs like icq or mirc, and on forums, newsgroup, etc. (often they are obscene messages inviting the user to visit a certain site or to join a chat room for adults).
Advertisement of inappropriate material (for example, porn banners) on “regular” web sites.
If you find that a kids-safe site is erroneously blocked, or that an inappropriate site is not filtered, or if the program does not work for you, please contact me. Your report shall be taken into account for the next versions and updates of the filter.

Final notes
Using a software filter allows parents to exert less vigilance or internet surfing, but no program can be considered a substitutive of the parent’s action of education and control. Don’t forget that, unless internet access is limited to a few selected sites, it is not possible to block the 100% of inappropriate contents: programs, in fact, do not “understand”; they just make choices based on criteria that can prove to be more or less valid according to the different cases.

I dedicate this program to a dear friend’s baby girl; her name, naturally, is Naomi

http://www.naomifilter.org

Dave, I have just installed a new DVD burner in my computer (a Pioneer DVD-RW DVR-105 internal drive) and am trying to figure out what kind of blank disks I should be using. There are apparently five different blank DVD formats. Do I want DVD-R? DVD-RW? or ??

A:

Well, there are really only two “families” of DVD at the moment (unless you want to count the red laser vs. blue laser stuff that’s starting to come on to the market at the high end), and one “outcast”. You’ve got the “minus” (“-”) formats (DVD-R, DVD-RW) and the “plus” (“+”) formats (DVD+R, DVD+RW), then there’s the older DVD-RAM format that’s harder to find these days. All of these are for data, of course — all but the newest DVD video players will choke on those, in the same way early CD players choked on CD-R discs.

A DVD-R is a write-once format: once you’ve burned the data onto that DVD platter, the disk is forever frozen with that information. Add the “W” to that, and you’ll find that DVD-RW can be erased or rewritten up to a thousand times. Seems kinda weird, but if you can do so, DVD-RW obviously has significant advantages over DVD-R. DVD-RAM was even more flexible, however, since it let you erase and rewrite sections of an existing DVD, something that you cannot do with DVD-RW.

Moving to the plus side is where things get a bit confusing, because DVD+RW came before DVD+R. The plus formats have the same data storage capacity as the minus formats (4.7GB), but DVD+RW offers faster writing, better internal linking (a technical obscurity you don’t have to worry about), and support for drag-and-drop desktop files, which makes it easy to compose the contents of a disk. DVD+R is a write-once format intended to be more compatible with more DVD players, though at this point it seems to be about even with DVD-R, which remains the most compatible computer-burned DVD format.

In your case, since your drive is a DVD-RW, you’re effectively limited to DVD-R and DVD-RW format discs. Stay away from any of the “plus” formats, as those won’t work with your drive (and being newer, they cost more anyway). As to whether you want to use DVD-R or DVD-RW, that depends on what you want to use them for. DVD-R is a write-once format, just like CD-R, and you can’t erase the data once it’s written. DVD-RW is rewritable, so you can use it somewhat like a 4.7GB floppy disc, for all intents and purposes. In general, I suggest that you use DVD-R for archival purposes — stuff that isn’t going to change, and DVD-RW for more fluid data. DVD-RW discs are more expensive than DVD-R discs, so that may also influence your decision.

How do you confirm what format your drive works with? One way, if you’re on a Mac, is to use the System Profiler application. You’ll find this useful utility in Applications -> Utilities. Launch it, then click on the “ATA” item on the list. If you have an internal DVD burner, you’ll see something like what I get: “PIONEER DVD-RW DVD-106D”. If it’s an external DVD drive, you might find it in SCSI, USB or FireWire, depending on how you hook it up.

As far as your second question, your data-burning application definitely has to be aware of the DVD format you want to use (i.e. DVD-R or DVD-RW in your case). For Windows, you can use GEAR for burning CDs, but you’d need to upgrade to GEAR Professional Edition to be able to burn both CDs and DVDs. Toast Titanium does burn DVD-R and DVD-RW so you should be set in that department.

Content Aggregation by: ParagonHost, LLC

Web Hosting and Design Services: http://www.ParagonHost.com

Email Spam Prevention: http://www.TheSpamBusters.com

Web Content Filtering: http://www.ScanDefense.com

openPR) – The remote control and presentation software TeamViewer offers a fast and simple solution for desktop-sharing on the Internet. After running the small software package and entering an automatically generated session id an immediate connection to another desktop anywhere on the Internet is established, without any installation or firewall modifications.

Starting with version 2.0 a completely reworked communication protocol offers connections that are up to 4 times faster than comparable products. The new Multi-Channel-Routing Protocol, which was developed by TeamViewer GmbH, automatically detects the optimized connection path between two partners and can in many cases directly connect two computers even if both are located behind a firewall or NAT router.

TeamViewer now has more than 500 000 installations in over 50 countries of the world and is one of the big players in remote control. The solution is available in eight languages. Pricing starts from 298.- Euros, usage fields range from remote support to the presentations of any kinds of products and solutions.

Further information and a free trial version is available from the developer website www.teamviewer.com

TeamViewer GmbH
Stuttgarter Str. 159
D-73066 Uhingen

Press contact:
Tel. 07161 606920, press@teamviewer.com

The German TeamViewer GmbH was founded in 2005 and is fully focused on development and distribution of high-end solutions for remote support. A fast start and high growth rates have led to more than 500.000 installations in more than 50 countries all over the world.

Updated March 5, 2007
Congress has changed the dates for Daylight Saving Time (DST) in the United States starting in 2007. Canada has adopted similar DST dates. These changes could cause clocks and Microsoft Outlook calendar appointments on Windows Mobile-powered devices to display incorrect times for March 11 – April 1, 2007 and October 28 – November 4, 2007 and again in subsequent years. You can find more information about the exact dates and potential impact in the Changes in DST section.

To make sure your appointments on your Windows Mobile devices are accurate, you’ll need to update your device. If you regularly synchronize your device with your PC, you’ll need to update Microsoft Windows and Microsoft Outlook as well.

We have three tools that will help your make these updates:

2007 Time Zone Update for Microsoft Windows Operating Systems
Outlook Time Zone Update Tool
Daylight Saving Time 2007 Update Tool for Windows Mobile

Note: All users in the United States, Canada and Mexico should immediately install these updates. Users in other countries should install these updates if they travel to the United States, Canada and/or Mexico or if they make calendar appointments that include attendees that are based in the United States, Canada and/or Mexico.

On this page:

Overview of Changes in Daylight Saving Time
Steps to update your device
Installation tips
Frequently Asked Questions

IMPORTANT

Please be sure to follow all steps below completely and in order. And be sure to complete ALL steps.

Follow only one set of instructions below, depending on if you synchronize your device to a PC:
If you connect your device directly to a PC with a USB cable or cradle, follow the instructions for Windows Mobile users who connect to a PC to synchronize.
If do not synchronize your device or phone with your PC or you only synchronize your phone or device wirelessly with a Microsoft Exchange Server or, other e-mail and calendar systems, follow the instructions for Windows Mobile users who do not connect to their PC.

For Windows Mobile users who connect to a PC

First make sure your PC is up-to-date.
(see http://www.microsoft.com/dst2007 for more details)
NOTE: Make sure you update all PCs that you may connect to your Windows Mobile device.

For Windows XP SP2 and Windows Server 2003, the update has already been deployed using Automatic Updates and should be installed if you have Automatic Updates enabled. If you want to verify that it is installed, you can visit Windows Update and make sure all High Priority items are installed.
For Windows 2000 or earlier versions of Windows XP, see the 2007 time zone update for Microsoft Windows operating systems to the clock on your PC.
First make sure to update your PC by installing the 2007 time zone update for Microsoft Windows operating systems; which can be found here. This will update the clock on your PC.
If you use Microsoft Outlook to synchronize your calendar, download and run the Outlook Time Zone Update Tool which can be found here. If you do not use Microsoft Outlook, proceed to step 4.
Check to make sure you have the latest version of ActiveSync, which is ActiveSync 4.5.
Next, connect your Windows Mobile device to your PC, then download and run the Daylight Saving Time 2007 Update Tool for Windows Mobile which can be found here.

For Windows Mobile users who do not connect to their PC

For users that do not connect to PCs, there is an update file (CAB) available to make this update. (Note: there are a number of ways to install a CAB file and below outlines a popular method). Also, Microsoft Exchange users should contact your system administrator to make sure your Exchange Server has been updated as well.

Using the Microsoft Internet Explorer Mobile browser on your device, go to http://www.microsoft.com/windowsmobile/ and download the Daylight Saving Time 2007 Update your Windows Mobile device. This file will install the update directly on the device. On your device, navigate to the file you downloaded, and then click on it to install the update. If you are unable to download the link proceed to step 2.

If you are unable to access the link in step 1 on your device, open Windows Internet Explorer on your PC and click here to start the download process. After downloading the file, attach it to an e-mail and send it to an account you can access on your device. On your device, open the e-mail and save the attached file; on some devices, you may need to synchronize your e-mail a second time to download the attached file. Then navigate to the file on your device and click on it to install the update.

NOTE: After you install this update, your device will automatically restart to ensure that the update is complete.

Installation tips

Rapid succession of steps is important
Run the Outlook Time Zone Update Tool on your PC as soon as possible after the DST update is applied to all of your PCs. If meetings between March 11, 2007 and April 1, 2007 are scheduled after the DST files are installed but before the tool is run, meetings will erroneously be moved one hour earlier. To correct such calendar items, organizers should manually update such meetings to ensure they are scheduled accurately for themselves and all invitees.

All connected devices must be updated
Even if you correctly update your PC with the DST 2007 update, when you view your calendar from a non-updated mobile device running Windows Mobile, your meetings during the extended DST period will be shifted by one hour. Meetings created on your non-updated device will need to be updated on your PC by running the Outlook Time Zone Update Tool again.

If some users have not updated their Outlook, it will affect other users
The Outlook Time Zone Update Tool only updates meetings for which the user is the organizer, and then automatically sends updates for those meetings to attendees. Meetings that you are invited to but did not organize will not be updated until the organizer updates the meeting and prompts you to change to the correct time. Additionally, meetings created by a delegate on your behalf from an non-updated PC will need to be updated on your PC by running the Outlook Time Zone Update Tool again.

What you can do to ease the transition
All Windows Mobile powered device users affected by the time change should give extra attention to meetings and appointments scheduled between March 11 and April 1, 2007, and between October 28 and November 4, 2007. View any appointments that fall into these date ranges as suspect until you communicate with all meeting invitees to make sure that the item shows up correctly on everyone’s calendar.

Include the time of the meeting in the e-mail request so that invitees can double check the correct meeting time. Example: “Project brainstorming – 11:00 a.m. Central Time.”
When in doubt, verify the correct time with the organizer.
Prior to applying the DST files, print out your weekly calendars for the affected time periods so that you can keep track of which meetings were scheduled before and after you run the tool.

Changes in Daylight Saving Time
Daylight Saving Time (DST) will now start three weeks earlier (2:00 a.m. on the second Sunday in March) and will end one week later (2:00 a.m. on the first Sunday in November).

Change in Daylight Saving Time:
Previously started With the new law, will start Previously ended With the new law, will end
First Sunday in April Second Sunday in March Last Sunday in October First Sunday in November
Would have been: April 1, 2007 Will now be: March 11, 2007 Would have been: October 28, 2007 Will now be: November 4, 2007

Changes in DST will cause the following problems for Windows Mobile powered devices in the U.S. and Canada unless the updated detailed above are applied:

Impact between March 11, 2007
and April 1, 2007 Impact between October 28, 2007
and November 4, 2007
The device clock does not automatically update to DST and is one hour later than actual time.
Calendar items display one hour later than they actually occur.
The device clock does not automatically update to standard time and is one hour earlier than actual time.
Calendar items display one hour earlier than they actually occur.

Updating your device
Your device stores the pre-2007 DST dates in a table in its memory. Installing an update to the stored DST dates will prevent the problems described above. A separate update will fix Outlook calendar issues that might occur for appointments scheduled during the new DST-affected time periods listed above.

Frequently Asked Questions

Q. The update fails on my device
A. This error is rare, and can be fixed by restarting your device. Restarting usually means turning off your device and turning it back on (also sometimes called soft reset). Please refer to your devices user manual for accurate instructions on how to turn the device off and then on again.

Q. I get an error message that says “Error processing timezone, please manually set the timezone”
A. This error is rare, and can be fixed by restarting your device. Restarting usually means turning off your device and turning it back on. Please refer to your devices user manual for accurate instructions on how to turn the device off and then on again.

Q. I get an error message about an unsigned file
A. The installer will only work with devices that contain the Mobile2Market certificate. This certificate is installed on almost every Windows Mobile device ever released, this error is not expected on US devices. If your device rejects the update and shows you a security error, it does not have the required certificate. In this case you will have to wait for your mobile operator to issue this update signed with their own certificate. You should contact your Mobile Operator immediately.

Q. How do I know if I need to update my device?
A. You should update your Windows Mobilepowered Pocket PC or smartphone if it uses any of the following operating systems:

Windows Mobile 2003
Windows Mobile 2003 Second Edition; or
Windows Mobile 5.0
To see the operating system on a smartphone, click Start > Settings > More > About. On a Pocket PC, tap Start > Settings > System tab > About.

Q. What if my device locks up during the installation?
A. This may occur in 2003 devices, and you should restarting the device. Restarting usually means turning off your device and turning it back on. Please refer to your devices user manual for accurate instructions on how to turn the device off and then on again.

Q. How can I determine how my device synchronizes with Outlook?
A. If you are not sure which set of instructions to follow, open Microsoft ActiveSync on your device. The ActiveSync screen will display either Exchange Server and/or Windows PC, along with the last date of synchronization.
If the most recent synchronization is with Windows PC, follow the instructions “For Windows Mobile users who connect to a PC to synchronize.”
If the most recent synchronization is with Exchange Server, follow the instructions “For Windows Mobile users who connect their device to Microsoft Exchange Server.”

Q. How do I know if my device is a Pocket PC or a smartphone?
A. Pocket PCs have touch-sensitive screens and use a stylus to select among options. Smartphones do not have touch-sensitive screens and use hardware buttons to select among options. See the help page on how to tell for more information.

Q. Where can I find additional information?
A. Information about updating the DST tables stored in the device is available at http://support.microsoft.com/kb/923953. Information about calendar issues that might occur for appointments that fall into the new DST affected time periods is available at http://support.microsoft.com/kb/931667/en-us.

Q. How are people in Mexico affected?
A. Mexico time zones have changed and customers also need to install the specific Windows Mobile updates.

Q. How are people in countries outside of the United States affected?
A. All users in the United States, Canada and Mexico should immediately install this update. Users in other countries should install this update if they travel to the United States, Canada and/or Mexico or if they make calendar appointments that include attendees that are based in the United States, Canada and/or Mexico.

Q. Are users of the Microsoft Windows Vista operating system affected?
A. No. Updated time zone definitions are included in Windows Vista.

Q. Does Microsoft’s recently released Windows Mobile 6 platform require this update?
A. No. It does not require an update.

Aggregation by: ParagonHost, LLC http://www.ParagonHost.com

“World Class Internet Services”

Many experienced investors have attempted to apply the same procedures they have successfully used in large capital company investing to a small cap company investing with poor results.

To be a successful small cap investor you must:

Carefully study the capital structure of the company. Look very closely for “toxic” (excessively dilutive) financings;
Carefully review the company’s business model;
Carefully study management of the company and their background;
Check out the company’s auditor;
Invest early at low valuations and only invest money you can commit for a minimum of three years while the company implements its business plan and growth strategy;
Decide on the amount of money you feel comfortable investing in micro-capital companies and divide it amongst eight to fifteen positions;
Watch for excessive amounts of money or stock being issued for promotional purposes;
Avoid companies in a pre-revenue stage and look for companies that have demonstrated rapid revenue growth;

Determine the company’s quarterly burn rate and compare that number to the company’s cash available to cover this burn rate;

Look for investments in companies that have a proprietary technology in a large market;
If the business model doesn’t make sense or if you smell trouble, move on to other opportunities;

Watch the fully diluted shares outstanding very closely and be on the lookout for large increases in shares outstanding.

Before making an investment in any small cap company, be sure to comb through the financial statements to be sure there are not any potentially excessively dilutive financial instruments.

Toxic financial vehicles come in many different forms, but they all contain the same tricks. The trick is that the owner of the financial instrument (that is typically in the form of a convertible note, convertible preferred or equity line of credit) has the option to convert the financial instrument into common stock based on a formula instead of a fixed price that places a floor on the maximum dilution.

A good clean financing may take the form of a convertible note with terms to covert the face value of the note into common stock at a predefined price. For example a $1,000,000 convertible note with rights to convert the note into common stock at $1.00 per share has a maximum dilution of 1,000,000 shares. Under these terms the shareholders know in advance how many shares will be added to the capital structure and the owner of the convertible note benefits when the price of the underlying common stock appreciates. This puts the note holder and the rest of the shareholders on the same side of the fence.

A bad or “toxic” financing takes the form of a financial instrument that is convertible into common stock at a specific discount to the bid price or average bid price over a specified time period. The wording may be different, but the results are almost always the same. The owner of the note converts his financial instrument at a lower price than the stock is trading in the open market. For example, a $1,000,000 convertible note may be converted into common stock at 80% of the prior days closing price. This formula can have and usual does have dire results. A $1,000,000 note converts into 1,000,000 shares at $1.00, 2,000,000 shares at $.50, 4,000,000 shares at $.25 or 10,000,000 at $0.10. While it is bad enough that shareholders cannot predict the ultimate dilution, what’s worse is that the owners of these “toxic” notes are not usually very concerned about the shareholders and they do everything in their power to drive the stock lower so they will receive the greatest amount of shares upon conversion. Stay away from any company plagued with a “toxic” financing.

Source: http://www.stocktemple.com/research_tool_1

Aggregation: ParagonHost, LLC http://www.paragonhost.com

” World Class Internet Services”