desgrange.net

XP Day France 2009

This year XP Day France takes place on 25 and 26 May 2009 at the chalet de La Porte Jaune (in Paris, as always).

XP Day is the annual conference on agile methods, not to be missed if you are in Paris. It is an opportunity to meet interesting people with long experience of introducing and practising eXtreme Programming and other agile methods in various companies, people who are constantly looking to improve the way they work.

There are sessions for every taste and for everyone: developers, project managers, customers, beginners, seasoned agilists…

A few sessions are given by former colleagues from whom I learned a lot:

  • Offshoring with integrity. An experience report on a project (one I worked on, as it happens) with part of the team in France and part in India. Presented by Pascal and Sandrine (who is on this year's XP Day France organising team).
  • XP 2.0: improving continuous improvement with Lean. For some time now Régis has been working actively on understanding Lean concepts. In this session, Régis and Antoine will present various elements that can fill some gaps in eXtreme Programming. Régis and Antoine's talks are always very interesting and enjoyable; both are genuinely talented speakers (I don't fall asleep during their talks, and I'm quite good at that ;-)).
  • Hedonistic development. I had the chance to talk, very briefly, with Dominic about this topic and I hope I'll be able to attend his talk. Dominic approaches eXtreme Programming from its philosophical side, which is essential to mastering the method and unfortunately often forgotten when putting it into practice.
  • Pairing 2.0. A session given by Charpi and Sylvain, two pair programming experts. I really enjoyed pairing with them; I know this is a topic they genuinely care about because they have seen the power this practice (which can be quite hard to put in place) brings when it runs at full speed. I think their experience report will be very interesting for anyone with questions about pairing.

Of course my former colleagues are not the only ones giving good talks; there are plenty of others, have a look at the XP Day programme. As usual there are lots of interesting sessions… at the same time. You will have to make choices.

OpenBSD 4.5

Six months after my post on OpenBSD 4.4, here is the one on OpenBSD 4.5.

OpenBSD 4.5 was released today, adding more hardware support (my D-Link DWA-110 works straight away, no need to recompile the kernel anymore), a few new features and lots of software updates.

So I updated my fit-PC to this new OpenBSD; as usual it was quite easy, with few questions (and they have good default values). The whole upgrade took me 20 minutes (15 of them copying files from the CD-ROM; mine is slow).

Theme and Song

This release's theme is inspired by Tron:

PuffTron

The accompanying song is called "Games":

Lyrics and song files are available (as usual, there is an MP3 file for losers and an OGG Vorbis file for good people (anyway, only good people use OpenBSD ;-))).

Torchwood

I tried to find out where the secret entrance to the Hub is, but I failed to locate it.

Mail Story 3: SPF + Greylisting

In this third post about configuring your own mail server on Debian (first post, second post), I'm going to talk a bit about spam and show you two ways of reducing it.

There are a lot of ways of fighting spam, with various degrees of effectiveness, simplicity, respect for standards, etc.

For instance, there are some stupid systems like SpamCop, based on user submissions. If a user reports that he received spam from a given IP, then the IP is temporarily marked as a spam sender and will be blocked by mail servers using the SpamCop blacklist. So when your email address is hosted by an ISP used by a lot of people, of course some emails get reported as junk, and your ISP is blacklisted. Several mails I sent were blocked by SpamCop. Junk emails are a pain, but being blocked is far worse. So please, don't use systems that generate too many false positives.

Greylisting

Greylisting consists of sending a temporary error when an email is received, storing information about this email (server IP, sender, recipient) and waiting for a second attempt after a given amount of time. If the email is received again, it's allowed through.

Spam senders usually send emails to a huge list of addresses, so when they receive an error they just try the next email address. This is very simple and effective against that kind of spam. The bad news is that emails are often delayed (the sending server may try again 5, 10, 30… minutes later). By definition emails are not instantaneous, but they are usually quite fast, so delivery can be a bit slower with this solution.

SPF

SPF stands for Sender Policy Framework. It's a way to check whether the sender is allowed to send mail for a domain. For instance, a domain owner can publish in its DNS a TXT record listing the IPs allowed to send emails from that domain.

I strongly suggest that you add this record if you have a mail server. For example, if you dig my domain name for TXT records you will get:

$ dig desgrange.net TXT

; <<>> DiG 9.5.0-P2 <<>> desgrange.net TXT
(…)
;; ANSWER SECTION:
desgrange.net.     600 IN  TXT "v=spf1 a mx ~all"
(…)

The value v=spf1 a mx ~all means that the IPs of the domain's A and MX records are allowed to send emails and that all other IPs should not.
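As an added example (not the post's code, nor any real SPF library), here is a small evaluator for records of this shape; the DNS data is constructed, and mechanism support is limited to a, mx, ip4 and all, which is what this record uses:

```python
"""Minimal SPF evaluator for records like the one above ("v=spf1 a mx ~all").

Added example, not part of the original post and not a real SPF library: it
handles only the a, mx, ip4 and all mechanisms with their qualifiers, and
resolves names against a constructed in-memory DNS table so it runs offline.
"""
import ipaddress

# Constructed DNS data standing in for a real zone (addresses from RFC 5737).
FAKE_DNS = {
    ("desgrange.net", "TXT"): ["v=spf1 a mx ~all"],
    ("desgrange.net", "A"): ["192.0.2.10"],
    ("desgrange.net", "MX"): ["mail.desgrange.net"],
    ("mail.desgrange.net", "A"): ["192.0.2.25"],
}

# Qualifier prefix of the first matching mechanism -> SPF result.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "Softfail", "?": "Neutral"}


def lookup(name, rtype, dns):
    return dns.get((name.lower(), rtype), [])


def mechanism_matches(mech, domain, client_ip, dns):
    """True if the mechanism (qualifier already stripped) matches client_ip."""
    name, _, arg = mech.partition(":")
    name, target = name.lower(), (arg or domain)
    if name == "all":
        return True
    if name == "ip4":
        # An IPv6 client is never inside an IPv4 network, so this is False then.
        return client_ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return str(client_ip) in lookup(target, "A", dns)
    if name == "mx":
        return any(str(client_ip) in lookup(mx, "A", dns)
                   for mx in lookup(target, "MX", dns))
    raise ValueError("mechanism not supported by this example: %s" % name)


def check_spf(client_ip, domain, dns=FAKE_DNS):
    """SPF result for a client IP claiming to send mail for `domain`."""
    client_ip = ipaddress.ip_address(client_ip)
    records = [r for r in lookup(domain, "TXT", dns)
               if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "None"        # no policy published: nothing to enforce
    if len(records) > 1:
        return "Permerror"   # several SPF records is a configuration error
    for term in records[0].split()[1:]:
        qualifier = "+"      # a mechanism without prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        try:
            if mechanism_matches(term, domain, client_ip, dns):
                return QUALIFIERS[qualifier]
        except ValueError:
            return "Permerror"  # unparseable or unsupported term
    return "Neutral"  # no mechanism matched and there was no "all" term
```

With the record above, a mail from the A or MX address gets Pass and any other address gets Softfail, which is exactly the case the tumgreyspf note further down is about.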

tumgreyspf

To add greylisting and SPF to postfix, I decided to install tumgreyspf. As the name suggests, it does both greylisting and SPF.

Installation:

$ sudo apt-get install tumgreyspf

Tell postfix how to start tumgreyspf by adding to /etc/postfix/master.cf:

(…)
tumgreyspf unix -       n       n       -       -       spawn
  user=tumgreyspf argv=/usr/bin/tumgreyspf

Tell postfix when to ask tumgreyspf to perform a check: set smtpd_sender_restrictions in /etc/postfix/main.cf to something like this:

(…)
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/tumgreyspf
(…)

Now restart postfix (a reload should be enough):

$ sudo /etc/init.d/postfix restart

Misc

After some tests, I found that tumgreyspf does not reject emails when SPF returns softfail, only on fail and permerror.

If you configure your DNS like I did, which seems to be a quite common configuration, you may want to consider softfail a reason to reject an email.

To change that, change line 122 of /usr/bin/tumgreyspf to the following (it's written in Python, don't change the indentation):

if spfResult == 'Fail' or spfResult == 'Permerror' or spfResult == 'Softfail':
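The greylisting section above and this softfail change are easiest to reason about with the decision logic in front of you. The following is an added example, not tumgreyspf's own code: it re-implements the two decisions the post describes (defer the first time a client/sender/recipient triplet is seen, reject on the SPF result) with the softfail toggle made explicit; the request text, delays and addresses are constructed values.

```python
"""Decision logic of a greylisting + SPF policy service for postfix.

Added example, not tumgreyspf's code. Requests use postfix's policy
delegation protocol (name=value lines ended by an empty line, reply
"action=..."); the SPF result is passed in already computed, the way
tumgreyspf receives it from its SPF library. All timings are constructed.
"""
import time

GREYLIST_DELAY = 300           # a retry earlier than this is still deferred
GREYLIST_EXPIRE = 30 * 86400   # a triplet older than this is treated as new
DEFER = "DEFER_IF_PERMIT Greylisted, please try again later"


def parse_policy_request(raw):
    """Parse one postfix policy request (terminated by an empty line)."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed policy line: %r" % line)
        attrs[key] = value
    return attrs


class PolicyServer:
    def __init__(self, reject_softfail=False, now=time.time):
        self.reject_softfail = reject_softfail   # the "line 122" behaviour
        self.now = now                           # injectable clock for tests
        self.greylist = {}  # (client_ip, sender, recipient) -> first seen

    def spf_action(self, spf_result):
        fatal = {"Fail", "Permerror"}            # tumgreyspf's default set
        if self.reject_softfail:
            fatal.add("Softfail")                # the change discussed above
        if spf_result in fatal:
            return "REJECT SPF check failed: %s" % spf_result
        return None

    def greylist_action(self, client_ip, sender, recipient):
        triplet = (client_ip, sender.lower(), recipient.lower())
        now = self.now()
        first_seen = self.greylist.get(triplet)
        if first_seen is None or now - first_seen > GREYLIST_EXPIRE:
            self.greylist[triplet] = now   # never seen (or stale): defer
            return DEFER
        if now - first_seen < GREYLIST_DELAY:
            return DEFER                   # legitimate MTAs wait; spam bots don't
        return None                        # retry after the delay: let it in

    def decide(self, raw_request, spf_result):
        """Return the postfix access action for one request."""
        req = parse_policy_request(raw_request)
        action = self.spf_action(spf_result)
        if action is None:
            action = self.greylist_action(req["client_address"],
                                          req["sender"], req["recipient"])
        return action or "DUNNO"   # DUNNO: let the next restriction decide

    def respond(self, raw_request, spf_result):
        """Wire format of the reply postfix expects from a policy service."""
        return "action=%s\n\n" % self.decide(raw_request, spf_result)
```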

Mail Stories posts

Mail Story 2: RoundCube

In the previous "Mail Story" post, I explained how to quickly install a mail server on Debian.

Sometimes I want to check my emails but I don't have my own computer with me, only access to another computer connected to the internet. So I need a webmail. For that purpose I use RoundCube, an AJAX webmail written in PHP that uses IMAP to retrieve emails and SMTP to send them.

Roundcube

Installation

In Debian, RoundCube doesn't seem to be a very popular package, or maybe the Debian people think the project is still too young. In fact, there is no RoundCube package for the current stable release of Debian. In "testing" there is RoundCube 0.1.1, and 0.2~stable in "unstable". The current official release is 0.2.1.

So let's install the "unstable" package (which is quite stable as far as I know ;-)).

First you need to add the unstable repositories to APT if that's not done already. Edit /etc/apt/sources.list and add the following lines (replace ftp.fr.debian.org with your closest mirror):

deb http://ftp.fr.debian.org/debian/ unstable main contrib non-free
deb-src http://ftp.fr.debian.org/debian/ unstable main contrib non-free

Then tell APT to keep using stable packages by default (currently the stable release is called lenny, so set the value according to your system): edit /etc/apt/apt.conf.d/70debconf and add:

(…)
APT::Default-Release "lenny";

It's time to retrieve the list of unstable packages:

$ sudo apt-get update

Install RoundCube (RoundCube needs a database; it works with MySQL, PostgreSQL and SQLite, select the one you prefer, here I'm going to use SQLite):

$ sudo apt-get install roundcube
-> Configure database for roundcube with dbconfig-common? Yes
-> Database type to be used by roundcube: sqlite

Configuration

RoundCube should be accessible at http://mailserver.example.com/roundcube/. If it isn't, you may need to uncomment the two Alias directives at the beginning of /etc/roundcube/apache.conf (don't forget to reload the apache configuration before checking whether it works).

Now edit /etc/roundcube/main.inc.php. Each parameter has a quite explicit comment; read them. Things you may want to change:

# (…)
$rcmail_config['enable_caching'] = FALSE;
$rcmail_config['default_host'] = 'ssl://localhost:993';
$rcmail_config['default_port'] = 993;
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_port'] = 587;
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';
$rcmail_config['create_default_folders'] = TRUE;
# (…)

You should now be able to log in, read and send emails.

Misc

Among the parameters I changed, create_default_folders is set to TRUE. This is in order to always have the default IMAP folders present (INBOX, Drafts, Sent, Junk and Trash). By default they are all protected, so they can't be removed.

But there is no real convention on those folder names. For instance, Apple Mail uses different directory names by default. But you can tell Apple Mail to use the ones you want. First you need to select the directory (Mailbox in Apple Mail):

Mail.app

And then associate it with the right meaning:

Mail.app

For other IMAP clients, see their respective documentation. For instance, here is how to change the trash folder in Thunderbird.

If you have an iPhone, you only need to synchronize it again, as the iPhone uses the Mail.app configuration (don't forget to check Mail Accounts in Info/Advanced/Replace information on this iPhone: in iTunes before synchronizing).

Note: since I wrote this post, Debian's RoundCube unstable package has been updated to version 0.2.1, but the testing package is still version 0.1.1.


Mail Story 1: Debian + Postfix (SMTP) + Courier (IMAP) + SSL

Here is a quick tutorial to build your own mail server using Debian GNU/Linux.

Disclaimer

Configuring your own mail server can be fun, but remember that there are a lot of bad guys on the internet. I'm no expert on mail server configuration; don't forget that you must not relay mail to domains you don't own from people you haven't authenticated, in order to avoid becoming a spam relay. Of course, keep your software (operating system, mail server, etc.) up to date to keep your computer safe from being cracked.

Goal

I have a domain name (desgrange.net as you can see) and I would like to use it for my mail. It's not that I don't trust service providers, but I would like to be in charge of the mail server configuration (so I can tune it as I want).

For instance, I want to be able to send mails using SMTP over SSL and retrieve emails using IMAP over SSL.

For those tasks I chose:

  • Debian as operating system (tested on Debian 5.0 and Debian testing)
  • Postfix (2.5.5) as SMTP server
  • Courier-imap (4.4.0) as IMAP server

In this tutorial I assume that I'm installing a mail server for the domain example.com on a computer named mailserver. The allowed users are the standard unix users created on the mail server.

DNS

First make sure that your DNS has an MX record pointing to your mail server. Check with your domain name provider for that part. I'm using OVH so I did it on their website (which sucks a bit for that).

Postfix

Postfix is a well known SMTP server. Like a lot of mail servers, it has several hundred parameters, but all of them have good default values, so we just need to change a few to get it working the way we want. Let's start with the postfix installation:

$ sudo apt-get install postfix
-> General type of mail configuration: internet with smarthost
-> System mail name: example.com
-> SMTP relay host: <blank>

Now we need to install the authentication system, saslauthd.

$ sudo apt-get install sasl2-bin libsasl2-modules

As the installation process tells you, to enable saslauthd edit /etc/default/saslauthd and set START=yes.

To tell postfix to use saslauthd, create a file /etc/postfix/sasl/smtpd.conf containing:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

As postfix runs chrooted, to allow it to talk to saslauthd we need to move some files (or change the directory specified in OPTIONS in /etc/default/saslauthd):

$ sudo mkdir -p /var/spool/postfix/var/run/
$ sudo mv /var/run/saslauthd /var/spool/postfix/var/run/
$ sudo ln -s /var/spool/postfix/var/run/saslauthd/ /var/run/saslauthd
$ sudo adduser postfix sasl

Postfix is configured to run on the standard port 25 so other mail servers can deliver mail to you. This postfix process can't be SSL-only because other mail servers may not support it. So we need to start another postfix process running over SSL, which we use when we want to send an email. To allow this process to start, just uncomment the submission lines in /etc/postfix/master.cf.

Check that /etc/mailname contains your domain name. It's used by postfix for some parameters (this seems to be Debian specific).

Most of the postfix configuration is done in /etc/postfix/main.cf; you can edit this file directly or use the following commands:

1 $ sudo postconf -e 'smtpd_tls_security_level = may'
2 $ sudo postconf -e 'smtpd_tls_mandatory_ciphers = high'
3 $ sudo postconf -e 'smtpd_tls_mandatory_exclude_ciphers = aNULL'
4 $ sudo postconf -e 'smtpd_tls_mandatory_protocols = TLSv1'
5 $ sudo postconf -e 'mydestination = $myhostname localhost.$mydomain localhost $mydomain'
6 $ sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination'
7 $ sudo postconf -e 'relay_domains ='
8 $ sudo postconf -e 'home_mailbox = Maildir/'
9 $ sudo postconf -e 'mailbox_command ='
  • Line 1 tells postfix to use TLS on the standard SMTP port (25) if the remote server supports it.
  • Line 2 restricts TLS ciphers to "HIGH" ciphers only.
  • Line 3 excludes aNULL ciphers (no encryption).
  • Line 4 tells the postfix over SSL process to use TLSv1 as its protocol.
  • Line 5 lists the domain names for which the server will accept mail.
  • Line 6 tells postfix to accept mail only from authenticated users or to domains postfix is in charge of.
  • Line 7: postfix must not relay mail to other domains.
  • Lines 8 and 9 are for Courier, which uses a specific type of mailbox (Maildir).

You can have a look at the postfix configuration parameters documentation.

Courier-IMAP

Courier is a full mail server, but here I'm only going to use Courier's IMAP server component. Installation:

$ sudo apt-get install courier-imap-ssl
-> Create directories for web-based administration?: no

By default both the IMAP and IMAP over SSL processes are started, but I don't want the first one. To disable the plain IMAP process, set IMAPDSTART to NO in /etc/courier/imapd.

Some parameters have to be changed for the IMAP over SSL process; edit /etc/courier/imapd-ssl and set the following values:

# (…)
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL=SSL23
TLS_STARTTLS_PROTOCOL=SSL23
TLS_CIPHER_LIST=HIGH
# (…)

For TLS_PROTOCOL and TLS_STARTTLS_PROTOCOL I use SSL23 because I'm using Apple Mail and it does not handle TLS very well. If you use a mail client that supports TLS, replace SSL23 with TLS1.

Finishing the installation

First we need to restart everything:

$ sudo /etc/init.d/saslauthd restart
$ sudo /etc/init.d/postfix restart
$ sudo /etc/init.d/courier-authdaemon restart
$ sudo /etc/init.d/courier-imap restart
$ sudo /etc/init.d/courier-imap-ssl restart

If you type sudo netstat -lntp you should see something like this:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      12718/master
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      12718/master
tcp6       0      0 :::993                  :::*                    LISTEN      12440/couriertcpd

There are two postfix entries (master on ports 25 and 587 (SSL)) and one for courier on port 993.
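A check a practitioner will want after the restarts is that only these ports are listening, in particular that plain IMAP on 143 is gone since IMAPDSTART was set to NO. The following is an added example, not part of the original post: it parses netstat output in the format shown above (the first sample is the post's output, the second is constructed) and compares it with the expected listeners.

```python
"""Sanity check of the listening ports after the restarts above.

Added example, not part of the original post: parses `netstat -lntp` output
and compares it with what this setup should expose (postfix master on 25 and
587, couriertcpd on 993) and must not expose (143, plain IMAP, disabled with
IMAPDSTART=NO). NETSTAT_OK is the post's output; NETSTAT_BAD is constructed.
"""
import re

EXPECTED = {25: "master", 587: "master", 993: "couriertcpd"}
FORBIDDEN = {143}   # plain IMAP was disabled on purpose

# proto recv-q send-q local-address foreign-address state pid/program
LISTEN_RE = re.compile(
    r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")


def parse_netstat(output):
    """Map each listening port to its program name; header lines are skipped."""
    listeners = {}
    for line in output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            # rsplit handles both "0.0.0.0:25" and the IPv6 form ":::993"
            port = int(m.group(2).rsplit(":", 1)[1])
            listeners[port] = m.group(4)
    return listeners


def audit_listeners(output, expected=EXPECTED, forbidden=FORBIDDEN):
    """Return a list of problems; an empty list means the setup matches."""
    listeners = parse_netstat(output)
    problems = []
    for port, program in expected.items():
        if port not in listeners:
            problems.append("port %d is not listening (expected %s)" % (port, program))
        elif listeners[port] != program:
            problems.append("port %d served by %s, expected %s"
                            % (port, listeners[port], program))
    for port in sorted(forbidden & set(listeners)):
        problems.append("port %d must not be listening (%s)" % (port, listeners[port]))
    for port in sorted(set(listeners) - set(expected) - forbidden):
        problems.append("unexpected listener %s on port %d" % (listeners[port], port))
    return problems


# Output shown in the post after a successful setup.
NETSTAT_OK = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      12718/master
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      12718/master
tcp6       0      0 :::993                  :::*                    LISTEN      12440/couriertcpd
"""

# Constructed output for a box where IMAPDSTART was left at YES.
NETSTAT_BAD = NETSTAT_OK + (
    "tcp6       0      0 :::143                  :::*                    "
    "LISTEN      12439/couriertcpd\n")
```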

Create your mailbox. You may want to initialize your own mailbox directory on the server:

$ maildirmake ~/Maildir

Certificates

I didn't say anything about SSL certificates: you need certificates for all your SSL connections. Here some default ones are created, but when you connect with your mail client it may complain about the certificate not being trustworthy.

It may prevent you from reading/sending mail (for instance I had to tell Apple Mail to trust the certificate in order to be able to send emails).

Troubleshooting

While configuring my mail server I ran into several problems, mainly due to Apple Mail, TLS and certificates. So, if you have any trouble, don't forget to have a look at the log files in /var/log/, and use netstat and ps to be sure that your servers are running and listening on the right ports.

You may even try to manually connect to the IMAP server with a command like this one:

$ openssl s_client -tls1 -connect mailserver:993 -state -debug

Have a look at the IMAP commands to check whether it works.

Some of the errors I had:

  • SASL authentication failure: cannot connect to saslauthd server: No such file or directory because I hadn't moved the saslauthd files to /var/spool/postfix/var/run.
  • imapd-ssl: Unexpected SSL connection shutdown because Apple Mail was not trusting the certificate.
  • imapd-ssl: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number because Apple Mail does not support SSL3/TLS1 on IMAP.

Update (2010-05-09):

My father's mail client was displaying the following error message:

Filesystem notification initialization error -- contact your mail administrator (check for configuration errors with the FAM/Gamin library)

A quick solution is to replace FAM with Gamin:

$ sudo apt-get install gamin

And restart courier.

Update (2012-05-31)

For a month the IMAP connection had been freezing after some time. The solution? According to this post and this one: replace gamin with FAM ;-).

$ sudo apt-get install fam libfam0

Links

Some useful resources:


Jamendo, graduated thanks

There are currently debates in France about the HADOPI (or "Création et Internet") bill. Among other things, this bill contains a graduated response against the naughty internet users who have illegally downloaded copyrighted content (music, films…).

This graduated response starts with a warning email, then a registered letter, and if the user carries on, suspension of his internet subscription.

On the other hand there are good people, artists, who make their work freely downloadable (under Creative Commons style licences). Jamendo is a download platform where this kind of work can be found.

To take the opposite stance to the HADOPI law and show that there are not only cash-strapped record labels but also people who know how to create new distribution and remuneration models, Jamendo is launching the Remerciement Gradué (graduated thanks).

You receive a thank-you email if you download an album from Jamendo, a letter and an "accomplice kit" if you download a lot, and finally a month of your internet subscription if you manage to convince a public place to play free music instead of what it played before.

Personally, I've been registered on Jamendo since late 2007; I download albums from it from time to time and I must admit I have come across some really interesting artists.

Stop IE6

As you know, the web is based on standards; those standards give us the ability to access all the data on the web whatever our browser and/or operating system.

But Microsoft didn't care much about web standards when they were building their own web browser, Internet Explorer. IE had more than 90 % market share for a long time, but nowadays it's less than 70 %, because of new browsers (more secure, faster, more standards compliant, etc.).

So Microsoft updated its web browser with IE 7, which is a bit more standards compliant but still far behind other browsers like Chrome, Konqueror, Firefox, Opera or Safari.

Unfortunately, lots of web sites were developed to be usable with IE 6 (which still has nearly 18 % market share), and IE 6 is so buggy that it's a real pain to have a good website that is also usable with IE 6.

Web standards give us the power to create wonderful websites and web applications, but we usually can't because we have to take IE 6 users into account.

The content of my blog should not attract IE users ;-) but here are the usage figures:

  • Firefox: 52 %
  • IE: 21 % (IE 6: 45 %, IE 7: 50 %)
  • Safari: 10 %

Somebody had the great idea to start a campaign against IE 6 (I hope that, if the goal is met, he is going to create a new campaign for IE 7, which is not a lot better):

Survey

The goal is obviously to wipe out IE 6 by telling people still using IE 6 (or older!) to switch to a newer browser (you can add a little script to your website warning IE 6 users that they should update their browser).

EDF-style service

After a quick visit to EDF's residential customers website, I noticed various problems, including a bug that prevents me from creating an account.

In order to help improve their service, I decided to report this information to the people in charge of the site's development. In hindsight I think that was a bad idea.

First of all, contacting them. Impossible to contact anyone through the website (via a form or an email address). I tried sending an email to the webmaster and www mailboxes as specified in RFC 2142, but of course those email addresses don't exist.

In short, no way to contact them online. So I decided to phone customer service. The phone service of course starts with a voice menu asking me to press various keys before I can talk to a human. I always recommend reading the article Seven steps to remarkable customer service, especially the beginning of part 3 (about phone calls).

The person I got told me she couldn't do much; as it was late nobody from the technical team was left to help, so she asked me to call back the next day. So I called back the next day, and the person I got gave me the number of the website hotline (so they do have one; are they too shy to display it on the site?). I called the hotline and reached what seemed to be a different department from the hotline, who just told me that as a residential customer I shouldn't be calling that number and gave me another number instead. I tried the new number and got an answering machine telling me the number was no longer valid and that I should call yet another number instead. That last number I already had: it's the one for talking to a home improvement advisor. So it's of no use to me whatsoever.

So I called customer service again; they told me the previous number wasn't the right one and this time gave me the right number. I called, it rang, it kept ringing, it went on ringing… after two minutes of ringing I hung up.

In short, all this to say that the site www.edf-bleuciel.fr uses an overly restrictive regular expression to validate email addresses (and in my opinion the email address shouldn't be validated at that point anyway), that they have an SSL certificate that is no longer/not valid on monagence.edf.fr, and that they should have webmaster and www email addresses.

By comparison, I reported a bug on the LCL website that prevented Safari (and therefore iPhone) users from logging in to see their account; the problem was fixed shortly afterwards (and I didn't have to struggle to report it, there is a form on their site for that).

In agile methods, to develop software that meets users' expectations, you need feedback from them. So it seems obvious to me that giving feedback should be made easy. Going by my experience, that's not at all how it works at EDF. Given how hard it is to reach them, I get the impression they don't want to hear about their product, that it's a burden for them, that they're already kind enough to provide a website, and if we're not happy we can go to the competition. Oh no, I forgot, EDF has a bit of a monopoly; competition barely exists. Maybe that's why they don't care what their customers think; they are captive anyway.

Fun