Zabbix Postfix (and Postgrey) templates

Today’s Zabbix templates are for Postfix and Postgrey (but separated in case you don’t use both).

Since I run a moderate volume set of email servers, I could probably have Zabbix request the data and parse the logs all the time, but why not do it in a way that could scale better? (yes, I know I have 3 greps that could be replaced by a single awk call, I just noticed it and will improve it in the future).

I took as base a few other examples and improved a bit upon them resulting in the following:

  1. A cron job selects the last entries of /var/log/maillog since the previous run (uses logtail from package logcheck in EPEL)
  2. Then pflogsumm is run on it as well as other queries gathering info not collected by pflogsumm (in my case, postgrey activity, rbl blocks, size of mail queue)
  3. Then zabbix_send is used to send the data to the monitoring server

The cron job gets the delta t you want to parse the logs, in my case it’s -1 as I’m going it per minute and that’s an argument to find … -mmin and you’d place it like this:

* * * * * /usr/local/bin/ -1

This setup will very likely require some adaptation to your particular environment, but I hope it’s useful to you.

Then you can make a screen combining the graphics from both templates as the following example:

Zabbix Keepalived template

I’m cleaning up some templates I’ve done for Zabbix and publishing them over here. The first one is Keepalived as a load balancer.

This template…

  • requires no scripts placed on the server
  • creates an application, Keepalived
  • collects from the agent:
    • if it is a master
    • if it is an IPv4 router
    • the number of keepalived processes
  • reports on
    • state changes (from master to backup or the reverse) as WARNING
    • backup server that’s neither a router or has keepalived routing as HIGH (your redundancy is impacted)
    • master server that’s neither a router nor has keepalived routing as DISASTER (your service will be impacted if there’s an availability issue in one real server as nothing else will automatically let IPVS know of a different table)

I still haven’t found a good way to report on the cluster other than creating triggers on hosts, though. Any ideas?

Up next is Postfix and, hopefully, IPVS Instance (not sure it can be done without scripts or writing an agent plugin, though. I haven’t done it yet).

Stallman’s great talk on surveillance

When did the great Richard Stallman start using slides?

Well, I don’t mind, they’re cute and funny!


“Should we have more surveillance than the USSR?” is a highly recommendable talk!

I’ll update this post later with more photos.

Batman v Superman is awesome, don’t let critics ruin movie for comic book fans

Last night I went to watch Batman V Superman and it’s a very good comic book movie. It’s not Lawrence of Arabia, or by any means a contender for Best Movie Oscar Award or anything like it, but it’s an excellent depiction of a good comic book movie.

I’m putting a view “more” link by force because the rest has spoilers. Just trust me: if you like good dark comic book stories, specially those featuring Batman and Superman and those that don’t try to fit a single story in one go, you’ll like the movie. I did. A lot (not that I don’t have some gripes with it, but it’s a god damn good action movie adapting comic book characters).

Remember: there be spoilers. Read at your own discretion.

Continue reading “Batman v Superman is awesome, don’t let critics ruin movie for comic book fans”

Contratos deixam de poder ser celebrados por telefone

Contratos deixam de poder ser celebrados por telefone – PÚBLICO


Muito abuso têm feito com isto. Já por duas vezes rebati (felizmente com sucesso) a EDP e a NOS (então Zon) que vinham alegando que eu por telefone tinha negociado redução do serviço.

Com a NOS tiveram o azar de eu ter contrato em papel na mão, assinado 3 meses antes da alegada redução para quase nada.

Então dizem que meros 3 meses depois de eu assinar um contrato para aumentar significativamente o serviço fui por telefone reduzir para menos do que tinha quando subscrevi serviço na TVCabo? Ora provem lá isso, que eu tenho aqui o contrato…

“Ai tem o contrato? Aguarde um momento por favor”


Já a EDP tentou alegar que o débito directo não estava autorizado e se eu autorizava novo mandato que mandavam novo contrato para assinar (provavelmente perdendo algum dos descontos).

Ao telefone tive literalmente de lhes gritar para que me enviassem provas do débito recusado, porque não voltava ao banco alegando problemas sem prova, e rejeitando qualquer responsabilidade por falhas, e ai deles que me cortassem a electricidade…

Como se recusaram a enviar, lá voltaram a tentar e deu. Que generosos!

Por isso telefone é muito giro e tal, mas tenham sempre o papel na mão…


Ooo… sorry for shouting. I hope I haven’t hurt your ears, specially if you enjoy that mantra about lazy Portuguese. Actually… the most people I hear it from are right-wing nuts parroting The Message their idols injected in their puny minds.

Here it goes, from OECD and restricted to the EU countries so it’s easier to understand:hours-worked-eu-2013One thousand, eight hundred and fifty two hours per year on average.

(Yes, I didn’t notice the graphic included other countries, I thought the EU filter reduced, and it did, the list of countries but it didn’t remove explicitly selected countries, I’ll fix that later)

Aha, your neo-liberal devil whispers in your ear… in average… now we got him!

Well, the definition of work for this graphic is:

Average annual hours worked is defined as the total number of hours actually worked per year divided by the average number of people in employment per year. Actual hours worked include regular work hours of full-time, part-time and part-year workers, paid and unpaid overtime, hours worked in additional jobs, and exclude time not worked because of public holidays, annual paid leave, own illness, injury and temporary disability, maternity leave, parental leave, schooling or training, slack work for technical or economic reasons, strike or labour dispute, bad weather, compensation leave and other reasons. The data cover employees and self-employed workers.

So this actually means that should you only consider full time jobs it would be an even higher value… and it’s not counting with “too many holidays”, or strikes, or whatever.

Reality calls, people…

(via Jan Wildeboer)

#ilovefs – I 💕 Free Software


Hey, it’s that time of the year when some megafuck dudes drop the strongest advertisement campaigns for selling chocolates, perfumes and flowers to your sweetheart!

But never fear! As usual in the world of Free Software, we like to turn things around 180º to turn around the evil powers into good powers and give a much better meaning to things.

As the GNU GPL and the copyleft movement have used copyright’s powers to bestow upon us the wonders of software freedom, let’s now turn this horrid day into a day of celebration of our love for Free Software.

Thank you all Free Software developers out there! I love your work and hope to be able to stand on your giant shoulders.

Love ya! 🙂


Today would have been a good day to stay in bed a little bit more. 😪

pam_ipahbac (and why not pam_hbac)

ipahbacThose implementing FreeIPA (possibly in the enterprise ready version called Red Hat Identity Management) in a hybrid environment (meaning… not just recent GNU/Linux operating systems but particularly including AIX and Solaris) may have noticed the lack of support of an essential component in AIX and Solaris: Host Based Access Control (HBAC).

Without HBAC support, when you join a server to a real every single enabled user will be able to login into that server, which just might not be what you want, specially in more “”””enterprise“””” (please do notice the several quotes) environments with different servers having different access roles (developers can go into development servers but not into application life-cycle, operations people not having to logon to developement servers, system administration teams, security officers, etc…).

Some applications sort of implement HBAC by letting you restrict the users that can log into them, but that is definitely not elegant as it defeats the purpose of HBAC: a centralized place where one can define such access rules.

Being a PAM module it needed to have a few features:

  1. KISS: it doesn’t have to do much more than get the rules, give success on the first match or just deny for any other reason
  2. be secure: be not fancy, worry not about UNICODE, do not worry about supporting the kitchen sink, etc. This means:
    1. most AIX and Solaris environments do not have special characters like ç or ó or µ, and actually user logins are short in length, so a design strategy was to make this module extremely restrictive about the character set it allows, UNICODE is awesome but it’s also a sea of unexpected security issues;
    2. do not over-engineer in libraries and sub-files, just implement the PAM groups it needs, do a simple ldap query, navigate through the results, reply to PAM with allowed or denied
    3. I definitely do not mean to imply pam_hbac is not secure, only that it’s a critical focus on pam_ipahbac

If in the future such fancy use cases that need these things come up, then it can be re-evaluated. It’s not set in stone. Just not the focus. Priorities and such.

And this is why pam_ipahbac was born rather than working with pam_hbac.

I believe jhrozek’s module to be much more advanced, but I also believe in the above principles, and the primary focus of this module is to work in AIX and Solaris so those plagued with those systems can at least use the awesome Free Software that FreeIPA is.

Also, because it’s fun to father some code.

Happy hacking!