<ARCHIVE> Wilmer's stuff

Dear /dev/null, II

nospam@example.com (Wilmer van der Gaast) — Sun, 04 Oct 2020 23:02:00 +0000

tl;dr: 302 → Pelican (URL not yet known)

It's time to simplify my web presence. This massive ball of 4yo PHP with an unknown number of security risks should go, given how "much" I've been posting over the years. (Heh is anyone even reading this? I'll never know because I've already CSS-disabled the comments form. :-D)

I do like the idea of Pelican for static blogging, for dumping some content with more depth than Twitter every now and then. Sadly I couldn't figure out how to have it import my S9Y posts, so let's instead resort to recursive wget. Added benefit: Preserves all URLs, no dead links \o/ Just in case some of this may actually still be useful some day.

... if high quality blogs and RSS readers were still a thing, that would be nice though. Maybe one day I'll go expore..

PS: On the topic of quality: The "Preview" button in S9Y appears to be the Publish button or something, and I ended up with 7 drafts of this post published in random order. O_o Also, the delete button isn't actually working.

Puppet 4 on Debian 9 Stretch with nginx (with Puppet 3 agents if needed)

nospam@example.com (Wilmer van der Gaast) — Sat, 09 Sep 2017 19:19:00 +0000

As part of upgrading my machines from Jessie to Stretch, I finally had to pick up Puppet 4. My hosts running testing were trying to do so for a while already, but since Puppet requires the master to be newer than the agents, I've always just had a pinning rule in place to stick all machines to Puppet 3.x.

It's been quite the operation and I'm not done yet, but let me write down some of my findings for others to maybe use. As always, there are many different ways to achieve this goal, there are existing docs, but they're all outdated in one way or another. (As surely this one will be in a year.)

During the upgrade, one of the first issues I ran into was that Puppet 3 agents are simply not compatible with Puppet 4 masters. When you try to have them connect, you'll get a poorly formatted error message that looks more or less like:

Warning: Find /production/node/.... resulted in 404 with the message: {"message":"Not Found: Error: Invalid URL - Puppet expects requests that conform to the /puppet and /puppet-ca APIs.\n\nNote that Puppet 3 agents aren't compatible with this version; if you're running Puppet 3, you must either upgrade your agents to match the server or point them to a server running Puppet 3.\n\nMaster Info:\n  Puppet version: 4.8.2\n  Supported /puppet API versions: v3\n  Supported /puppet-ca API versions: v1","issue_kind":"HANDLER_NOT_FOUND"}

As helpfully pointed out by someone on this ticket, this is actually just a generic 404 message that kind of assumes you're the wrong Puppet version talking to this master. Now the Debian NEWS file tells you that for Puppet 3 agents to work, you need to switch from the old stand-alone webrick master to Puppet master running under Passenger (kinda Ruby's equivalent of Python's WSGI?) One important note here is: You won't find this information in official Puppet docs, because this compatibility is actually a Debian-specific patch!

(And another fun note: Puppet Master inside Passenger, too, is deprecated in v5, which kind of summarises my whole experience with Puppet TBH.)

Anyway, for getting Puppet+passenger to work, there's the puppet-master-passenger package. Which I didn't want to use though, because I've worked reasonably hard about a year ago to migrate away from Apache.

Screw backward compatibility, just give me Puppet+nginx+Passenger!

So, how to do this the, seemingly to me, right way? I've looked at using the Passenger packets from Debian, but there seems to be no nginx module. I tried out the existing passenger package which offered to recompile nginx for me, at which point I most definitely lost interest. :-/ But Phusion's official repository has a proper libnginx-mod-http-passenger package! I'm not a big fan of third-party repos, but when I only need it on my master and not on the entire fleet, I'll survive.

Here's most of my work, described in Puppet DSL (mind you, not directly reusable for others). tl;dr on it: Adds the repo, pinned to be used only for packages with "passenger" somewhere in the name, installs the packages from it that I need, plus nginx (that one from Debian proper) with only the Puppet master service enabled using a snippet like this.

Only thing left to do is the file used as Passenger glue, and this is where the existing written instructions fall short, and where the Debian package wins: The default file is pretty bare whereas the Debian one contains a few tricks to rewrite Puppet 3 agent requests into something your Puppet 4 master will understand!

So what I did: I've fetched the puppet-master-passenger package, but instead of installing it (which pulls in Apache, etc.), I've taken out only the /usr/share/puppet/rack/puppet-master portion, and put that into /etc/puppet/rack. (This is where apt install -d and dpkg --extract come in handy.)

One last thing here that is mentioned but not explained in other docs, yet very important: Ensure config.ru is owned by GID+UID puppet. As it turns out, that's the only thing instructing the Passenger framework what user to run the scripts as. I suppose implicit setuid behaviour like this is what the Ruby on Rails crowd considers elegant... :-)

Anyway, that's all I needed to do to get the Puppet 3 agents to talk to the new master again. However, there are other known incompatibilities, expect syntax errors or unwanted changes if you're not careful! Besides what's listed on that page, I ran into the issue of File objects that used to get created owned as root by default, now inherit the numeric UID+GID from the Puppet master. This was easily fixed with the following snippet in the site manifest (which is also where I learned one can get global defaults for object types this way!):

# Sets the default for Puppet 3 agents. Should be safe to remove when
# they're gone.
# https://docs.puppet.com/puppet/3.8/deprecated_resource.html#default-copying-of-source-permissions
File {
        source_permissions => ignore,
}

That's pretty much it, I think. Many thanks to Apollon Oikonomopoulos in this thread for reminding me to use the right config.ru file. To those who dislike third party repositories, Georg Faerber's response on using uwsgi may also be interesting!

Dear /dev/null,

nospam@example.com (Wilmer van der Gaast) — Mon, 11 Jan 2016 00:44:00 +0000

That's what weblogs are these days, it seems. :-( And I've just lost way too much time getting this quality PHP software to run on my new webserver.

All it is for me at this point is a place to post random small projects I've worked on. Something fun (ADS-B-related) will hopefully appear soon...

selphy.go - Linux client for Canon Selphy CP-900 photo printer

nospam@example.com (Wilmer van der Gaast) — Sat, 21 Sep 2013 23:13:34 +0000

Last month I ran into a Canon Selphy CP-900 photo printer. It's a pretty neat device, prints pictures with pretty good quality. It even worked out of the box in Linux, but only via USB, and by it pretending to be an ordinary printer. This can have pretty ugly results.

The CP-900, as the first one in the Selphy series, can also take print jobs over WiFi. The nice thing is, other than it being wireless, that the WiFi protocol is just a pretty simple JPEG file transfer mechanism. Just giving the printer a JPEG and have it figure out layout/crop/etc seems to give somewhat nicer results. But of course, only Windows/OSX/smartphone clients are available. Fortunately, after some staring at wireshark, I managed to create a new client for it.

For extra fun, it's written in Go. My first time using the language, and I quite like it. It means the tool is very easy to build, and there are no special dependencies at all, as the Go base libraries already have everything I need.

To try it:

bzr branch http://wilmer.gaa.st/selphy/

And yes, I'm still using bzr. Deal with it. :-)

T-4 days...

nospam@example.com (Wilmer van der Gaast) — Sun, 22 Apr 2012 09:16:09 +0000

Counting down and thinking "next week this time ..." for a while already. Predictably, I've only been able to do a fraction of all the things I wanted to do in the previous post. Me spraining my ankle and ending up on crutches a few weeks ago definitely didn't help with that. :>

The one-way flight will be on Thursday, giving us a whole Friday + a weekend before work starts. Hoping to get stuff like opening a UK bank account done quickly, so I can then figure out the cheapest way to transfer money there; I'll miss the perks of living in a Euro country...

Do you hear that, Doug? I'm coming to London!

nospam@example.com (Wilmer van der Gaast) — Sun, 04 Mar 2012 21:34:23 +0000

Yes, London. You know: fish, chips, cup 'o tea, bad food, worse weather, Mary fucking Poppins... LONDON. Or as I said it on Twitter last week already, I'll be subtracting 309 from my international dialing code.

My team is moving to London over the next months, and I'm moving with it. It's been five years already since I landed here in Ireland by now, longer than I ever expected when I arrived. Living in the UK instead of in Ireland will be a nice change. It's still off the European continent, but with directs flights to home for both of us we'll feel like we're much closer. And I expect there are more advantages that will offset living in what is also a heavily congested city.

I'll still be doing the same work, just in a different location for various practical reasons. The move will happen somewhere halfway the next quarter, so we're slowly starting preparations. Besides packing and cancelling utilities/services/etc, that also means experiencing Ireland as a tourist. After living here for five years, I've still not seen the Giant's Causeway, the Cliffs of Moher and some other stuff ... so should give that a shot now!

I might be posting here a little bit more over the next while. :-)

uhat, using your joystick's hat switch in Linux flight simulators

nospam@example.com (Wilmer van der Gaast) — Sat, 03 Mar 2012 13:23:00 +0000

So I have this fun hobby for a while already, flying.. I have around 50 hours logged by now in the US + Ireland, which means I can more or less land safely now, on my own. In fact I had my first solo in October last year which was an absolutely amazing experience. But sometimes weather just doesn't work with me here in Ireland (either too windy or too cloudy) and instead I go "flying" with X-Plane on my machine at home.

Now X-Plane is a pretty neat simulator, and as long as you use it with a real yoke/stick and not keyboard/mouse, it seems like a useful way to practice. But there's one way in which a flight simulation projected on a single screen, no matter its size, just doesn't beat sitting in a cockpit: the inability to look around in any direction by, you know, just turning your head. Instead, joysticks often have this hat switch on the top to look around. Unfortunately in Linux, the joystick driver gets told that the hat switch is a mini-joystick that the user can move up/down, left/right. Instead of just representing it as four separate buttons (which is what they really are anyway, hardware-wise). X-Plane and apparently other flight simulators can't use this, they need buttons.

This week I wrote uhat to solve this problem. It'll listen to joystick events and if you move the hat switch axes, it will generate button events on a separate virtual joystick device. There's a similar tool called jhat, which generates keyboard events instead, but I never really liked the idea of my joystick pretending to be a keyboard and hoped there were a better way to do this. A week ago I found my answer in uinput. It's poorly documented, but fortunately very simple to figure out. It looks like uinput is just a fairly 1:1 translation of the input subsystem kernel interface into a character device.

It works like a charm for me, with the udev rule I don't even have to think about it, udev will just start it for me when I plug in my joystick. Hugely enjoying X-Plane 10 again. :-D

Debian, dmcrypt and SSD TRIMming

nospam@example.com (Wilmer van der Gaast) — Mon, 27 Feb 2012 22:44:36 +0000

Spent an hour or so this morning wondering how to get my Debian initramfs to activate my LUKS-encrypted partition with --allow-discards. I know it's less secure, but as long as wrenches are still cheap I'm fine with sub-standard security if it means my hardware will perform better for longer. :-)

The trick is to add a flag "discard" to your crypttab, like this:

CODE:

wilmer@peer:~$ cat /etc/crypttab
sda2_crypt /dev/sda2 none luks,discard

And then of course rebuild your initramfs (update-initramfs -u) and reboot, etc.

You do need cryptsetup 1.4 or higher for this to work. I had to manually install that package (only twenty or so days old) from sid on my testing laptop.

Bank statement scraper for Bank of Ireland

nospam@example.com (Wilmer van der Gaast) — Mon, 01 Aug 2011 15:14:35 +0000

Like many people, I was also losing track of my finance. Having bank accounts in use in both NL and IE probably didn't help. :-) As any proper FOSS geek, I learned to like the monster called GnuCash. (Psst! Guys! It's pretty amazing that a product more than ten years old still doesn't let you do operations (like delete) on multiple entries at once, dont you think?)

And there's this thing about Irish Banks. They have bigger issues to worry about than how well their Internet banking service works. What keeps you away from looking at my bank account? You (hopefully) not knowing my six-digit user ID, date of birth (top secret information! Have I mentioned that my birthday is next Saturday? ;-P) and another six-digit number, this time my PIN number. No one-time passwords, no challenge-response system, nothing else.

My only hope is that this lets you transfer money only to accounts to which I've transferred money before. IOW all you can do is give my landlady a little present. Pfew!

Also, going back to the original topic, there's no way to export info from their web interface. So I wrote one myself. One advantage of a pretty simple website is that I could easily write a scraper for it. Run it with the right arguments, and it'll spit out a CSV bank statement, ready to be fed to your favourite accounting software.

What else have I been doing? Been working on Giggity. Android development's fun. I spent the weekend scraping the Dance Valley timetable page, Google, Last.FM, Wikipedia and more to automatically generate a Giggity schedule file for it. Love it! :-)

On Pandaboard SD card performance

nospam@example.com (Wilmer van der Gaast) — Mon, 13 Jun 2011 21:03:53 +0000

I have the Pandaboard running as my home server for a while now. Until last weekend, I was using a Microdrive as its root filesystem. Sadly, the drive seems to be broken. :-( That means I finally had a chance to try bootstrapping a server very quickly using Puppet. This worked fairly well, which means the time investment is paying off already.

Since all the storage I had at home was the 32GB SD card I bought for this thing anyway, I decided to give it another chance. At some point I was reminded already that alignment really matters with these things. Some Bonnie++ runs do seem to confirm this. I removed the second partition on the SD, and recreated it on a 4MB barrier. (The trick to do this is to use the "u" command in fdisk to switch units to sector instead of cylinders, and make sure the start sector is a multiple of 8192.)

To be honest, I did run most of these benchmarks with the SD card reader/writer in my desktop machine. Only the last test was done on my Pandaboard, but as you can see the results are very similar.

Version 1.96		Sequential Output						Sequential Input				Random Seeks			Sequential Create						Random Create
	Size	Per Char		Block		Rewrite		Per Char		Block				Num Files	Create		Read		Delete		Create		Read		Delete
		K/sec	% CPU	K/sec	% CPU	K/sec	% CPU	K/sec	% CPU	K/sec	% CPU	/sec	% CPU		/sec	% CPU	/sec	% CPU	/sec	% CPU	/sec	% CPU	/sec	% CPU	/sec	% CPU
ext3-noalign	4G	189	41	3514	1	4878	1	2646	98	21147	2	20.9	0	16	463	0	+++++	+++	2832	3	3214	4	+++++	+++	3221	4
	Latency	6643ms		28833ms		19841ms		6668us		483ms		47888ms		Latency	1335us		655us		933us		531us		85us		60814us
ext3	4G	437	93	3727	1	5631	1	2725	99	21484	2	21.5	0	16	938	1	+++++	+++	4303	5	3743	6	+++++	+++	4304	5
	Latency	412ms		32024ms		5622ms		6422us		469ms		52114ms		Latency	1574us		760us		713us		1644us		13us		585us
logfs	4G	1149	75	13670	5	3530	4	1067	81	5920	7	6.5	3	16	2033	9	+++++	+++	4731	22	1755	8	+++++	+++	1516	11
	Latency	10944us		1810ms		4562ms		29505us		54279us		2401ms		Latency	568ms		9300us		7881us		2783ms		1483us		570ms
nilfs2	4G	797	95	7118	2	5186	1	2711	98	24112	2	617.3	29	16	2102	36	+++++	+++	+++++	+++	4592	71	+++++	+++	10886	56
	Latency	20454us		2767ms		2788ms		25974us		21810us		3432ms		Latency	4928ms		1288us		1020us		1339us		358us		294us
ext4	4G	443	91	18315	2	9299	2	2602	99	25041	2	22.4	0	16	3567	8	+++++	+++	4369	7	3792	7	+++++	+++	4393	6
	Latency	32264us		920ms		926ms		12851us		14137us		5042ms		Latency	530us		1451us		1316us		393us		401us		771us
ext4-panda	1496M	106	96	16838	8	8865	7	663	99	22243	12	30.1	1	16	3479	26	+++++	+++	4035	23	8760	65	+++++	+++	10388	63
	Latency	78219us		3925ms		961ms		13732us		104ms		1251ms		Latency	1190us		1801us		1892us		762us		61us		671us

Click here for a table not f*cked up by my blog software.

Although the throughput numbers for ext3 are pretty similar for non-aligned and aligned access, look at the latency numbers. Unfortunately I haven't got a clue how Bonnie++ calculates these and can't find very good documentation on it. Throughput may be average and latency worst-case? Either way, as you can see a misaligned partition can cause some slowdowns.

What surprised me more is that a switch to ext4fs sped up things a lot more, up to the point that the performance is perfectly reasonable! I'm running with this SD as my root filesystem now and everything just works. (While before a simple apt-get install run could take several minutes.)

While I was at it, I also tried out logfs and nilfs2, which are officially optimised for flash media. However, AFAIK they're more meant for raw NAND storage, not for block devices with all the NAND logic abstracted away (like anything you buy in stores these days). Not worth it for these SDs.

Obviously this test is far from scientific. Only in the case of ext4-panda have I run the test five times to then pick a decent result (there were some outliers in all areas). All other tests were done on a freshly formatted filesystem, which I'm sure also doesn't make the result that reliable.

Just my 2 cents! But my Pandaboard's definitely happier now. Here's hoping that wear leveling works well..

If you're interested, here is a more thorough overview of SD card performance. The LWN article about flash storage it links to is interesting too. The Flash card I used here is a 32GB class 10 Transcend card.

Splitting PDFs with pyPdf

nospam@example.com (Wilmer van der Gaast) — Fri, 03 Jun 2011 22:04:02 +0000

A simple task, yet I couldn't find a quick cmdline to do it with, apart from pdftk, 15MB of Java rubbish.

Instead, here only 10 or so lines of Python. It was so fast I wasn't sure if it worked until I saw the results were there. Usage: split [prefix] [infiles...]. Multiple infiles possible. First argument is the filename prefix to use for all created files.

CODE:

import pyPdf
import sys

n = 0
for f in sys.argv[2:]:
f = pyPdf.PdfFileReader(open(f))
for p in f.pages:
of = pyPdf.PdfFileWriter()
of.addPage(p)
of.write(open("%s-%03d.pdf" % (sys.argv[1], n), "w"))
n += 1

Don't pay attention to Serendipity screwing up the code layout. We all know it's rubbish, I just can't be arsed to migrate to something better. :-/

dnsrev

nospam@example.com (Wilmer van der Gaast) — Tue, 24 May 2011 00:09:14 +0000

As a bit of a cloud "sceptic" I still like to waste too much time maintaining my own network/IT infrastructure. :> I'm definitely trying to avoid the more tedious stuff though. I started using Puppet a while ago which definitely helps.

Last week I was looking for a way to automatically populate DNS reverse lookup zones. The only thing I could find was mkrdns which is unmaintained for almost ten years and doesn't seem to support IPv6. So I decided to write my own thing, dnsrev.

It's pretty simple, written in Python with help from some modules. It can read any number of zonefiles and update any number of reverse zonefiles. There's no need for any kind of 1:1 mapping between them, so it can deal with multiple netblocks in one zonefile, etc. I hope it'll be useful to someone. Comments, suggestions and patches are welcome.

Shiny happy hardware

nospam@example.com (Wilmer van der Gaast) — Sat, 23 Apr 2011 13:05:00 +0000

For years I'm using Winterms as simple home "servers". It was a fun project to work on and some people were even nice enough to send me some examples of more powerful (relatively, we're talking about ~300MHz here at most) hardware. Two of them are still working as nameservers/printservers and one of them even hosted the Winterm hacking website for a while.

But they're getting old, slow, and pretty painful to upgrade. Time to move on I'm afraid. So before my last trip to the US, I ordered two shiny pieces of hardware: A Pandaboard and an Nvidia Tegra developer board. Due to circumstances, I didn't really expect both (or even either) of them to arrive - Nvidia seemed to send the board only to people who have projects they find interesting/important (stuff like the Motorola Xoom probably), and the Pandaboards never seem to be in stock.

Yet, here I am with both of them, wondering which one to actually use. :-)

Left: Pandaboard, right: Tegra2 250 Harmony board

I guess I'll just write down my findings here so far. I'll probably end up using both, one as a server and the other one to run stuff like xbmc on my TV.

Both boards seem quite similar, spec-wise. Two 1GHz ARM cores, 1G of RAM, USB, sound, networking (including WiFi and Bluetooth), HDMI output, and an SD card slot. The Pandaboard has an internal antenna, no clue about the range.

Although both boards' USB ports apparently aren't really meant for powering 2.5" USB HDDs, it seems to work quite well anyway. Which is good, because SD cards as root filesystems seems like a bad idea. Did you know that (according to bonnie++) a desktop hard disk from 2007 outperforms SD cards (at least in the Pandaboard and Tegra) not just on sequential reads, but also on seeks? So yeah, I may be using USB HDDs instead, which sadly means more power usage. :-( Especially in the Pandaboard SD performance is too bad to be usable.

One big advantage of the Pandaboard seems to be the community. A pretty busy (and generally helpful) IRC channel, lots of info online on Wikis. The Pandaboard iss "just another OMAP architecture" so lots of stuff that worked for BeagleBoard should work on the Panda with some customizations. Canonical/Ubuntu also support the thing officially.

Here comes the biggest contrast with the Tegra. Nvidia seems to be too busy with Android, the result is that there's little support for doing other stuff with the board. The only thing you get for now is L4T (Linux 4 Tegra), which is an Ubuntu Jaunty (yes, 9.04, that's two years ago by now..) image you can run on it. There are efforts on getting Lucid to run, don't know where those are ATM. But one complication there is some binary-only drivers/helpers (like nvrm_daemon, which I guess manages the memory shared between OS and video/etc), which means troubles getting X to work after an upgrade. Ouch.

The Panda also certainly wins in the bootloader department, as it just loads uboot stuff from a FAT partition on the SD card (tricky part here is that if you do anything wrong with the partitioning and formatting of this SD card, the boot process will just fail silently). For flashing the Tegra you need a proprietary fastboot flasher binary. Possibly, once booted, I can just write my kernels to NAND myself from inside the OS, but I haven't yet tried this.

So yes, with this all in mind, it's a delight to run a normal (and not outdated) Debian/Ubuntu install on a Pandaboard. Video is also supposed to work flawlessly almost out of the box on Ubuntu. However, I seem to be unlucky/doing it wrong since the framerate is not impressive, and playback seems buggy. (While the little video playback I've done on the Tegra was pretty good, super smooth, and with only 10% of CPU usage!)

For my original goal, running a simple home server, I feel that both boards are suitable - I'd just run Debian inside a chroot on the Tegra so the helper daemons (and maybe some video stuff) can run outside it. But before I get this video stuff to work, I have some work to do. And hopefully, if I wait for long enough, some other patient souls out there will also fix some of these problems...

Xen horror, just upgraded my box to Squeeze

nospam@example.com (Wilmer van der Gaast) — Sun, 13 Feb 2011 23:49:48 +0000

Of course I could just not upgrade, but I'd have to do it sooner or later anyway..

It looks like Xen, now that it's owned by Citrix, also suffers from the XML manager syndrome. At least the extremely annoying clock bug was fixed, which means I get >4ms precision in timing again.

Just dumping this here in my blog since more people seem to have this problem and aren't getting very helpful answers so far. Or maybe I just didn't try the right Google queries..

This:

hypnotoad:/tmp# xm suspend bijtje
Error: Domain is not managed by Xend lifecycle support.
Usage: xm suspend <DomainName>
Suspend a Xend managed domain

means you're not using the shiny new (whatever the purpose is) lifecycle tool that keeps track of domain configs and other stuff in /var/lib/xend/domains/$UUID/. You can use "xm new" to set this up, except this is broken on Debian:

hypnotoad:/tmp# xm new
Unexpected error: <type 'exceptions.ImportError'>
...
ImportError: No module named xmlproc

This, my dear reader, means that Debian's shipping Xen utils that depend on a Python XML module that was actually removed from Debian since it's not maintained by upstream anymore.

So I was just trying to figure out how to make this all go, and then I realised:

hypnotoad:/tmp# xm save bijtje bijtje.sav
hypnotoad:/tmp# xm restore bijtje.sav

Oh look! I can still do it. I just have to tell Xen where to save the statefile.

So in short:

Xen is also suffering from XML-itus
Debian drops packages that other packages still depend on
Use "xml save", not "xml suspend"

Burn all spammers!

nospam@example.com (Wilmer van der Gaast) — Sun, 08 Aug 2010 14:31:06 +0000

I have a habit of always having a tail -f /var/log/mail.log running on my mailserver somewhere. It's noisy, but has been useful in the past. Over the last weeks/months, I noticed open relay probes are getting incredibly popular (again), but also extremely aggressive. They're frequent, done by hundreds of botnet drones all the time.

Obviously my Postfix is configured properly, so this is mostly a waste of (fairly scarce, on a DSL box several km away from the exchange) bandwidth and annoying noise in the logs. But getting rid of it is harder than I hoped. :-(

This is what I have now: iptables -I FORWARD -p tcp --sport 25 -s 192.168.0.0/16 -m string --algo kmp --string '554 5.7.1 <' -j REJECT --reject-with tcp-reset

This works as-in it kills the connection as soon as my mailserver sends a "554 5.7.1 Relaying denied" response. The REJECT goes to the mailserver, but together with the tcp-reset this also kills the TCP connection on both sides fairly quickly. However, the little fuckers are also using pipelining, so I still get a screen full of logspam for pretty much every attempt. Although this is mostly cosmetic, I'd love to get rid of that crap..

What I really wonder is, WTF are they even doing this? Are open relays really still that common? Don't they have their botnets already? I guess the open relays are nice multipliers and are also more willing to deal with stuff like graylisting...

[edit]Looks like "554 5.7.1" is not just about "relaying denied", so possibly not such a great idea. Don't try this at home!