SE Linux Play Machine

Free root access on a SE Linux machine!

To access my Debian play machine ssh to zp7zwyd5t3aju57m.onion as root, the password is “SELINUX”.
I give no-one permission to distribute this password. If you want to share information on this machine you must give the URL to this web site. In some jurisdictions it would be considered a crime to distribute the password without my permission (IE without giving the URL to this web page).

Note that such machines require a lot of skill if you are to run them successfully. If you have to ask whether you should run one then the answer is “no”.

The aim of this is to demonstrate that all necessary security can be provided by SE Linux without any Unix permissions (however it is still recommended that you use Unix permissions as well for real servers). Also it gives you a chance to login to a SE machine and see what it’s like.

When you login to a SE Linux play machine make sure that you use the -x option to disable X11 forwarding or set ForwardX11 no in your /etc/ssh/ssh_config file before you login. Also make sure that you use the -a option to disable ssh agent forwarding or set ForwardAgent no in your /etc/ssh/ssh_config file before you login.

If you don’t correctly disable these settings then logging in to the play machine will put you at risk of being attacked through your SSH client.
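
A check for the two client settings described above, as an added example that is not part of the original page. It reads the output of ssh -G (which prints the effective OpenSSH client configuration for a host) and fails unless both ForwardX11 and ForwardAgent are off. The function names and the sample configuration dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the effective OpenSSH client settings for a host
# before connecting to a machine you do not trust.

# check_forwarding reads `ssh -G <host>` output on stdin.
# Exit status 0: X11 and agent forwarding are both off.
# Exit status 1: at least one is on, or a setting is missing (fail closed).
check_forwarding() {
    awk '
        $1 == "forwardx11"   { x11 = $2 }
        $1 == "forwardagent" { agent = $2 }
        END {
            bad = 0
            # ForwardAgent may also hold a socket path or a variable name,
            # so anything other than a literal "no" counts as enabled.
            if (x11 != "no") {
                print "UNSAFE forwardx11=" (x11 == "" ? "unset" : x11)
                bad = 1
            }
            if (agent != "no") {
                print "UNSAFE forwardagent=" (agent == "" ? "unset" : agent)
                bad = 1
            }
            if (!bad) print "OK forwarding disabled"
            exit bad
        }'
}

# Constructed samples in the format printed by `ssh -G`
# (one lowercase keyword and its value per line).
sample_safe() {
    printf '%s\n' 'user root' 'hostname play.example' \
        'forwardagent no' 'forwardx11 no' 'forwardx11trusted no'
}
sample_risky() {
    printf '%s\n' 'user root' 'hostname play.example' \
        'forwardagent yes' 'forwardx11 no'
}

# audit_host HOST: check the real client configuration for HOST.
# If ssh itself fails, the empty output is reported as unsafe.
audit_host() {
    ssh -G "$1" | check_forwarding
}

# Demo on the constructed samples; for real use call: audit_host <host>
sample_safe  | check_forwarding || true
sample_risky | check_forwarding || true
```

Run audit_host against the host name exactly as you will type it to ssh, so that any matching Host block in ~/.ssh/config or /etc/ssh/ssh_config is taken into account.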

There is an IRC channel for discussing this, it is #selinux on


  • Editing thanks.txt_append_only with vi won’t work, use cat or echo to append data to the file. The following commands will work:
    echo something >> thanks.txt_append_only_dont_edit_with_vi
    cat >> thanks.txt_append_only_dont_edit_with_vi
  • There is no harm in letting you see dmesg output for such a machine, security by obscurity isn’t much good anyway. For a serious server you would probably deny dmesg access, but this is a play machine. One of the purposes of the machine is to teach people about SE Linux, and you can learn a lot from the dmesg output.
  • This is not a simulated machine or honeypot. It’s a real Lenovo ThinkCenter desktop PC running Debian/Jessie (pre-release) SE Linux in a Xen DomU. You really have UID==0. The Xen configuration is a default Debian install with a standard Debian kernel. SE Linux does its own permission checks in addition to the Unix permission checks. If you don’t believe me you are free to write assembler programs to call getuid() etc. But it would be a lot easier for you to just install a recent version of Debian or Fedora, see how it works, and read the source if you wish.
  • I will provide instructions on installing such machines soon.
  • To administer a SE Linux machine you need to have sysadm_r (the SE Linux administrative role) and UID==0 (the regular Unix admin account). So there needs to be a UID==0 account. As in regular Linux the UID==0 account does not need to be named “root”. In the case of this machine the root account has UID 0, but it has few privs in SE Linux.
  • The default policy in Fedora is known as the targeted policy, it has no restrictions on user login sessions (so can never be used for such a machine). The policy I use for this machine is known as the strict policy. The default configuration of the strict policy does not support running in such a manner and requires some changes.
  • This machine is intentionally more permissive than some other play machines. I let you see the policy files so you can learn how to configure a machine in this way.
  • Regarding core-dumping bash to read the history. That’s nice work, but you could have just used cat, grep, or any of your favourite tools on /root/.bash_history with much less effort.
  • Some people have asked for ping, telnet, etc access. I would like to provide such access (and have provided it in the past). I removed ping access because some people were using ping with large packet sizes to attack machines with small network connections. I removed telnet access because people were running scripts to try and discover (and attack) hosts with broken telnetd’s. As for whether the machine is usable without such access, for its intended purpose (demonstrating what SE Linux can do) it is quite useful. As a general shell server it’s not very useful because you share your account with lots of people who may rm your files or kill your processes.
  • Some types of files and directories may not be stat’d by unprivileged users (this includes shadow_t for /etc/shadow). Such files and directories show up in flashing red in the output of “ls -l” because ls can’t even determine whether it’s a file or a directory.

Worthless Questions at Lectures

I’ve previously blogged about the productive length of questions at lectures [1]. But it seems to me that worthless questions can be recognised before the person asking even gets properly started. Here is a list of ways of recognising them:

  1. Appeal to authority. If someone tells you about their job or other qualifications before asking a question then the question is almost certain to be useless. If a question is good then it can be asked by someone with no special qualifications who has 20 seconds to ask.
  2. An introduction that shows that it’s not a question. Anything starting with a statement like “I just want to say” isn’t a question and has no place in a conference lecture hall. After a lecture the speaker will usually hang around and talk to delegates, anyone can make comments then or send email later. In this case it’s not just that statements are inappropriate for “question time” it’s that people who think that they are so important that their statement is more important than genuine questions probably aren’t going to have anything useful to say.
  3. A second question. Anyone who has more than one question wants a conversation – they can do that privately after question time. Again it’s people with an over-inflated opinion of their own importance who do this.
  4. A statement of “fact” that they want the speaker to address. Questions should mostly concern facts referenced by the speaker. “Facts” that are cited by the audience are often the sort of thing that can be easily disproved by Snopes or Wikipedia – but not in the amount of time available during a lecture. While it is possible to ask useful questions regarding facts that weren’t presented in the lecture my observation is that most such questions are worthless and the “facts” are false.

I think that for a serious lecture the MC should cut off such questions when they start. Once enough has been said to make it obvious that the question falls into one of the above categories I believe that the correct thing to do is to say “that’s probably a good thing to discuss after the lecture”, and then move on to the next question.

Please note that the above list isn’t comprehensive. Let me know if you have suggestions for any I missed.

ASD Self-Diagnosis Tests

Here are some online psychological tests that can be used as part of an Autism Spectrum Disorder (ASD) self-diagnosis.

Simon Baron-Cohen is well known for his research into Autism, some of it is quite controversial (particularly the “Extreme Male Brain” theory which is widely rejected in the Autism community). There are some interesting tests based on his work though, has some online tests for Systemising Quotient, Empathy Quotient, Autism Spectrum Quotient, and the Mind in the Eyes test [1]. has an online Aspie Quiz that allows you to create an account and track your results over time [2].

There is an online Alexithymia test, note that the site has no other useful content other than the test [3]. It would be useful if someone would create a better site about Alexithymia. I’d be happy to provide hosting for a forum if someone would do the moderation.

Some Suggestions for Parents of Aspies

I’ve had a couple of parents ask me for advice about children with Asperger Syndrome (AS), in one case a child who was formally diagnosed and in another case a child who is suspected of being an Aspie but who hasn’t been assessed. I don’t claim to be an expert on these things, but based on my own experiences growing up and what I’ve read from others I can at least provide some pointers for further research.

One thing to note is that it’s worth seeking advice from people who are on the Autism Spectrum as well as Neuro-Typical (NT) people in regard to these issues. You should also keep in mind the fact that the experiences of people on the Spectrum vary a lot, in this post I try to represent some people on the Autism Spectrum who are quite different from me to give a broad overview of the issue. But you should read what others write too. There will be some kids on the Spectrum who are in some ways quite different to what I describe, there’s lots of ways to not be average.

Should Your Child be Assessed?

A common issue is whether a child should be assessed for an Autism Spectrum Disorder (ASD).

For a young child there is no reason not to have them assessed. It is expensive but any time a parent thinks that their child is an Aspie they are probably correct (most parents seem to live in denial if at all possible). In most first-world countries a diagnosis of an Autism Spectrum Disorder in a child will result in a moderate amount of government funding so the expense will be repaid. The staff of any medical center can usually provide advice on where to look for information about government funding.

Some parents refuse to have their children assessed because they “don’t want their child to be labelled”. If the child in question attends school the other children will notice that they are different and label them, so this really isn’t an issue.

For a child who is old enough to make their own decisions it’s a really good idea to consult the child first. Doing a covert assessment and then springing the result on them can be taken really badly. There is an Aspie tendency to not appreciate surprises, and “that person you spoke to was a psychologist who diagnosed you with AS” is the type of surprise that can be taken badly. Of course the down-side to giving your child a choice is that they may not choose what you want – it’s something you have to deal with.

Note that the child doesn’t need to be old enough to make decisions that are necessarily good before they need to be consulted. While an 11yo may make grossly ill-informed decisions they will make decisions that they care about and remember it for a long time if you ignore their wishes. Even if you aren’t going to give your child a choice you should at least inform them in general terms of what is happening if they are old enough to understand.

I’ve seen suggestions that informing a child who was diagnosed when very young should be handled in the same way as informing a child that they were adopted. Tell them when they are very young and fill in more details as they get older.

When a child is diagnosed they should be informed. It’s best to inform them of the diagnosis as soon as possible, obviously young children won’t understand it properly but they should have the amount of information that they can handle. I’ve seen this compared to informing adopted children, if you tell them when they are very young and provide more details as they grow up they will never have a shocking realisation. If a child isn’t informed then they will just wonder why the other kids are always mean to them for no apparent reason.

Benefits of Assessment

When a child has been formally diagnosed there may be government funding available to the school (sometimes to the extent of hiring an extra teacher) and the school can arrange a formal support plan. If the management of the school are not willing to arrange such a support plan (which is often a legal requirement – but they may not want to obey the law) then it’s best to find another school.

An assessment for a child should include a document of the details of their case. Any school that has a decent special needs program will need a copy of that to know exactly the issues that they are dealing with, if they just want to know the diagnosis as a one word summary then they aren’t running their special needs program properly. But for an adult a one-word diagnosis is acceptable as adults will generally already know what issues they face.

In some countries the parents of an Aspie child can apply for social security payments.

If the child happens to need to see a psychologist for reasons that aren’t directly related to an ASD then they need to be diagnosed first. The strategies that psychologists use with NTs tend not to work well with Aspies. As the issues related to an ASD can give an increased risk of depression and other psychological problems this is something that’s worth keeping in mind.

Finally it’s good if parents and children can understand each other, and getting everyone diagnosed is an important part of that.

Can it be Cured?

ASDs are the result of differences in brain development and can’t be cured as such. People who are on the Spectrum learn strategies for coping and the environment can be configured to make things easier for them. Trying to cure something that is incurable is not a good strategy, at best it will take resources away from more useful things. There are many reports of parents spending tens of thousands of dollars on quack treatments that do no good.

There has been a lot of medical research into the issue of whether ASDs are caused by vaccines, it all shows that there is no link to vaccination. Anyone who claims otherwise is a liar or a quack and should not be believed.

Chelation doesn’t do any good for anyone unless they are suffering from heavy metal poisoning, the symptoms of which are nothing like an ASD. Any organisation that has anything to do with chelation should be avoided as they will just hurt children.

There are ways of alleviating some of the symptoms, some of the supposed cures (such as certain diets) merely avoid triggers and allow children to emulate NTs more effectively. If you find a diet that makes things better don’t think that you have cured anything.

Emulating an NT

Pretending to be like other people is a useful skill. Children need to be taught how to act like other people when in public places, but they should be allowed (even encouraged) to act in a way that is normal for them when at home. Trying to emulate someone who is Neuro-Typical (an NT) all the time is exhausting and results in a decreased ability to do most of the things that one might want to do.

Don’t try to force Aspie kids to socialise excessively, it’s not going to be fun for them and it’s not going to do any good. Team sports such as cricket and football are probably a bad idea. Golf and other individual sports are better options.

Is it bad to be on the Spectrum?

So far I haven’t found a single report of someone who unconditionally claimed that an ASD made their life suck, although many people report that they have big problems from some of the sensory issues.

It seems that an ASD only makes someone unhappy if they are mistreated by other people because of it.

Sensory Issues

One common factor with AS is Sensory Processing Disorder (SPD), the site [1] has a lot of good information on it.

In most cases these are issues of degree, some things which irritate Neuro-Typical people (NTs) a little bit can irritate an Aspie a lot. But some are severe and require totally avoiding certain things, one example I’ve heard of is Aspies who can’t stand the feel of woolen clothing.

Discovering these things can be difficult as no-one really knows what other people experience. For example I don’t know how much my experience of strong sunlight differs from that of other people, but the fact that I like to stay inside on sunny days while most people don’t suggests that my experience is significantly different from that of others.

When an adult is diagnosed with AS they can usually determine what their sensory issues are by just thinking about what they have been avoiding for decades. Given enough time you can work out what things irritate you and avoid them (sometimes subconsciously). For a child you want a fast result.

For younger children there are companies that specialise in soft clothes which can deal with clothing comfort issues.

Noise cancelling headphones [2] are good for some sound related issues, over-ear headphones are good for people who don’t like things touching their ears and nowadays headphones are better than ear-muffs due to the recent development of wireless headphones and headphones with built-in MP3 players so they don’t seem so unusual. High fidelity ear-plugs [3] and custom made musicians earplugs [4] are two options for anyone who doesn’t have a problem with things being stuck in their ears.

Sunglasses (or prescription glasses with “transition” lenses that go dark in sunlight) can be used to deal with light sensitivity. There is also Scotopic Sensitivity Syndrome (SSS) also known as Irlen Syndrome and Visual Stress Syndrome in which certain colors cause problems and glasses with colored lenses alleviate the problem. Dealing with SSS can alleviate other problems that might seem to be unrelated (such as difficulty in recognising faces).

It’s probably best to try a range of measures and continue with the ones that seem to give a good result. The strategies that are used to determine minor food allergies can be used for minor sensory issues in terms of eliminating a lot of possible things and then reintroducing things one at a time to see what gives a bad result.

One thing to keep in mind is that minor sensory issues don’t cause an immediate obvious problem. They can over the course of hours cause someone to be more likely to become angry or unhappy than usual so some strategic planning is required to avoid problems. Adults can manage these things for themselves, young children need to be managed by their parents.

Selective Mutism

Selective Mutism is the condition of being unable to speak in certain situations. Some forms of it are reasonably common among people on the Autism Spectrum. Mild forms may not be apparent as people tend to avoid situations that trigger such problems.

Face Blindness

There seems to be a correlation between Face Blindness (Prosopagnosia) and ASDs. Face blind children can’t be sent to a regular school, the typical experience for such children is to have the other children take turns hitting them.


Many Aspies have issues with food, one common issue is with food that is messy, for example dishes such as Paella are very unappealing to me. Japanese food is always very appealing to me, I like the way that the different items are separated and the consideration that is given to aesthetic appeal of the food. Also the Bento style of presentation where every type of food has its own compartment is appealing. If you serve food that is visually unappealing to an Aspie child then you will have trouble convincing them to eat it and you may convince them to avoid all variations of the food item in question – so make sure that healthy food looks good!

Food that tasted good today will probably taste good tomorrow, and every day for the next year. There’s no real reason not to eat the same food every day (as long as you get the necessary vitamins and proteins). There is a tendency among Aspies to not vary their diet much. So if an Aspie child is in the habit of eating relatively healthy food you really don’t want to break that habit, EG if the habitual meal is peanut butter sandwiches then offering a peanut butter and honey sandwich would be a really bad idea.

Finally sensory differences can have a significant impact on what food is edible, if an Aspie doesn’t like eating Broccoli it might be because they just don’t like it or it might be that Broccoli is so horrible that thinking about it makes them nauseous. In the latter case it would be bad to force them to eat it. There are lots of web sites with information on the nutrition content of various foods, so finding acceptable foods that provide all essential amino acids and vitamins shouldn’t be difficult.

Note that minor food allergies can cause stress without showing any obvious symptoms. So a test for food allergies is a really good idea. Food allergies don’t cause Autism, but avoiding bad foods can make it easier to emulate an NT.


Lisa wrote a long article about stimming that is worth reading if you want to learn a lot [5].

But in summary stimming is performing some repetitive action (such as chewing a pen, spinning a coin, or twirling hair) to help manage stress or excessive excitement. Bouncing and spinning are well known stims even though most stimming is less noticeable. Redirecting stimming to actions that are more socially acceptable is OK, but note that it can be extremely difficult or even impossible for someone else to suggest a suitable replacement stim – which is a problem when dealing with kids who are too young to work it out for themselves.

Trying to prevent an Aspie kid from stimming is a really bad idea, that will just result in them being more stressed and therefore more difficulties for everyone else. It’s a good idea to encourage children to stim when they appear to need it or when they have been under stress. Note that things that are fun can be stressful, so don’t assume that allowing a child to do something they enjoy will be a good way of relaxing.

Touching People

It seems that most children have issues with being touched by adults, I’ve heard a few comedians make jokes about being forced to kiss aunties at Christmas and the jokes seem to resonate with the majority of the audience who aren’t on the Autism Spectrum. Aspie kids have more issues with this than NT kids, not only is being touched unwelcome but there are problems with perfume and make-up that can rub off. One of my mother’s friends used to wear plenty of make-up and perfume, I can still remember the happy day when I was tall enough that she couldn’t kiss me unless I bent down – so I stood up straight and avoided getting any make-up and perfume on my cheek.

I suggest advising relatives not to initiate any physical contact with Aspie kids, or if they do initiate it make it optional (EG ask “would you like to shake hands”). It must really suck for Aspie girls having almost 100% of their adult relatives wanting to hug or kiss them – 50% was bad enough in my experience.


Pet cats seem to be quite popular among people on the Spectrum, you can pat a cat when you feel like it and just leave it alone when you don’t want the interaction. Other pets can also work well too.

A recent trend is towards prescribing Assistance Dogs for kids on the Spectrum, Assistance Dogs International [9] has a lot of general information about such working dogs. It’s illegal in Australia to deny entrance to an Assistance Dog but a lot of companies still have written regulations and staff training procedures that specify limited uses for such animals (such as specifically only allowing guide dogs for the blind). They will change such policies if asked.

Home Schooling

Reports of ASD kids being happy at school are few and far between. The vast majority of reports are bad. The special schools for ASD kids that have military-style discipline sound really bad.

Seriously consider home schooling.


Some degree of alexithymia is usually associated with AS. Because of this asking questions like “how do you feel?” will generally get a bad result. In some cases you can substitute questions for a better result, such as asking “do you want to do that again?” instead of “did you enjoy that?”.

It seems that parents are generally advised to tell their children that they love them, that may be good advice regarding an NT child. For an Aspie child that can be a really creepy experience, don’t do it. If you want to show your child how much you love them then make them a jam sandwich!

You will often see references to Aspies lacking Empathy, but they don’t lack Sympathy – I’ve linked to the Wikipedia definitions of the two words. Basically in this context “empathy” means using non-verbal signals to determine someone’s emotional state while “sympathy” means caring about what other people feel. It’s widely regarded that Aspies can be taught to recognise other people’s emotions, but a common experience is to be good (or even significantly better than average) at recognising the emotions of people but be unable to process the data.

Many people on the Spectrum report Affective Flattening (sometimes referred to as “Blank Affect”). This means giving minimal signs of their emotional state. So don’t assume that someone really is calm when they appear to be.


SPD can cause people to act in ways that don’t conform to the most strict gender norms. The most obvious examples are boys who have long hair because short hair feels bad and girls who have really short hair because long hair feels bad. There are lots of other examples such as boys who have a great aversion to dirt and girls who can’t wear cosmetics.

The gender norms are so strict that anyone who generally acts differently to other people is likely to do something that can be interpreted as being outside the range of accepted behavior for their gender.

If your child doesn’t conform well to gender norms you should consider whether it’s a sensory issue and also whether it’s an issue of just failing to emulate an NT well enough. You should also consider whether your ideas of gender norms are reasonable.

Of course there are Transgender and Genderqueer Aspies. If you suspect that your child really doesn’t fit the gender norms then it’s best not to question them about it, alexithymia makes any such conversations unpleasant and creepy.


It seems to be a common belief that parents should talk to their children about sex etc. I think that most Aspie kids would find that extremely creepy. The best thing to do is to just provide them with some books covering the relevant topics. Everything that they might need to know about sex is in a book somewhere.

It’s widely regarded that about 1/3 of the people on the Autism Spectrum are Asexual. Also it seems reasonably common for people on the Spectrum to be psychologically ready for a relationship at a later age than NTs. So if your child doesn’t have a straight relationship when you think they should then don’t assume that they are gay or bisexual and don’t try to force them to have a relationship on your schedule.

Alexithymia makes applying labels more difficult. So don’t focus on whether your child’s close friend is actually a girlfriend or boyfriend and whether that makes them straight, gay, or bisexual. Focus on whether they are with someone who makes them happy and inspires them to do good things.

Because Aspies tend to be literal a statement like “it’s OK to be gay” may be interpreted as “it’s not OK to be anything other than straight or gay”. So it’s best to be aware of the other possibilities, the LGBT Wikipedia page is a good place to start learning about such things.

Executive Function

It seems that ASDs are almost always associated with some degree of executive function disorder. Among other things this makes it difficult to plan things, get things done on time, and avoid playing computer games for an entire day. A written schedule with numbered points can help with this.

Aspies can be diagnosed with ADD or ADHD because of this which among other things can be used to preclude a later AS diagnosis (due to AS only applying to people who have not been diagnosed with anything else). Ritalin has been reported to help some Aspies, and caffeine works for me.

Aspies Need Space

Socialising requires more effort for people on the Spectrum, it’s draining and it’s not something that can be done all the time. You should expect that a typical school day will push an Aspie kid to their limit. When they get home they often won’t want to talk to their parents or anyone else, they will want to read a book, watch TV, or play computer games. Plan to allow them a certain amount of time to unwind after something like school. After school some young Aspie kids want to tell their parents about all the things they thought about during the school day, so there is quite a range of ways of unwinding after socially stressful events – but some way of relaxing and recovering is necessary.

There are reports of Aspies who really hated family holidays. Having their routine broken and being forced to spend a lot more time with their family than usual can be stressful. For a child in their late teenage years it’s a good option to allow them to stay home alone while the rest of the family goes on holiday. A week or two of minimal involvement with other people can be really relaxing and help them prepare for the next semester of school. Aspie kids tend not to have wild parties while their parents are away. :-#

Should the Parents be Assessed?

In most cases ASDs are genetic and inherited from a parent (there is research suggesting that in some cases it’s due to a de novo mutation but they comprise a small minority). Also it seems very rare to have asymptomatic carriers of ASD genes. So it’s best to assume until proven otherwise that at least one parent of an Aspie child is an Aspie.

An Aspie who gets diagnosed is probably going to do a much better job of parenting than one who is in denial, so I believe that geeky parents of Aspie kids really should get assessed.

I put this suggestion at the end because I know that some people will stop reading here.


Lisa wrote an informative post “Ten Things Everyone Should Know About Autism” that is worth reading [6].

Forums such as Aspies For Freedom [7] are good sources of information.

I have an Amazon astore with links to some books related to ASDs [8].

I appreciate suggestions for this document, but please note that I don’t want to write a book. I aim to provide a list of suggestions that allows parents to do a Google search or ask on forums for more information. If you have a suggestion for a significant addition to this then please write it up in a blog post and send me the URL.


Memlockd is a daemon that locks files into memory. Then if a machine starts paging heavily the chance of being able to login successfully is significantly increased. The default configuration will lock all the files needed for login to a Debian GNU/Linux system via the console or via ssh.

Free Books

Here are some free books that I have downloaded and read:

Computer Power Use

This table shows the power consumption of some of the computers I own. I use a domestic electricity meter that was certified for use in billing customers to measure this. Any inaccuracies in the measurement will correspond to inaccuracies in electricity bills of people who use such computers.

Before anyone asks, I am not interested in contributions of data, I believe that doing tests with a different meter or in a different country with a different supply voltage will diminish the accuracy of the results. Also I will provide minimal analysis on this page (the numbers should allow you to perform your own analysis).

Before I started such tests I had significant problems cooling my house in summer. Based on the results of these tests I made changes such as replacing the Compaq 1GHz Athlon machine with an IBM 1GHz P3 machine for a small server I run, which saved 49W of power. 49W of power, which mostly ends up as heat, makes a significant difference in a small server room when running 24*7!

All the machines below apart from the SMP machine are workstation class machines, they don’t have ECC RAM and their PSUs are designed for small load. The SMP machine has a PSU designed for a desktop machine (I couldn’t easily obtain any other type). If it had a PSU designed for server use it would draw more power.

Unless otherwise noted all machines were idling while running Linux (idling while running DOS uses significantly more power).

The summary of this table is, P3 is a great CPU for power to computer power ratio, the P4 isn’t too good, and the Athlon sucks badly – don’t run an Athlon server if you have heat problems!

Thinkpad T20 500MHz P3 512M 30G IDE 10.7W
Cobalt Qube AMD K6-450MHz, 128M RAM, 10G IDE 20W
Thinkpad T41p 1.7GHz idle at 600MHz, screen on and battery charged 23W
Compaq SFF 800MHz P3 512M 10G IDE spun-down 28W
Compaq SFF 800MHz P3 512M 10G IDE 35W
Compaq 800MHz P3 128M 10G IDE 38W
IBM 1GHz P3 256M 30G IDE, idling 38W
HP Pavilion 513A Celeron 1.8GHz, 384M RAM, 40G IDE 45W
HP Pavilion 513A Celeron 1.8GHz, 768M RAM, 2*80G IDE + 46G IDE 58W
Compaq 1.1GHz Celeron 512M 40G IDE idling 46W
HP/Compaq Celeron 2.4GHz, 512M RAM, no hard disk 43W
HP/Compaq Celeron 2.4GHz, 512M RAM, 300G IDE 50W
NEC Pentium-E2160 1.8GHz, 1G RAM (1 DIMM), 160G S-ATA 52W
Packard-Bell (NEC) Celeron-D 2.93GHz, 512M RAM, 2*20G IDE 75W
Compaq 1.5GHz P4 256M 20G IDE, idling 78W
Compaq 1.5GHz P4 256M 20G IDE, installing 85W
SMP 2*P3 1GHz, 1GB RAM, 2*U160 SCSI 18G disks idle 81W
SMP 2*P3 1GHz, 1GB RAM, 2*U160 SCSI 18G disks disk busy 99W
SMP 2*P3 1GHz, 1GB RAM, 2*U160 SCSI 18G disks CPU busy 130W
SMP 2*P3 1GHz, 1GB RAM, 2*U160 SCSI 18G disks CPU and disk busy 136W
Compaq 1GHz Athlon 256M 20G IDE idling 87W
NEC Pentium-D (920) 2.8GHz, 1G RAM, 160G S-ATA 98W
White-box Athlon XP 1700+, 768M RAM, 2*80G IDE + 46G IDE 110W

Here is the Computer Related Power Use page [1] (for switches, filters, and other things).


This is a program I wrote to benchmark SMTP servers. I started work on this because I need to know which mail server will give the best performance with more than 1,000,000 users. I have decided to release it under the GPL because there is no benefit in keeping the source secret, and the world needs to know which mail servers perform well and which don’t!

At the OSDC conference in 2006 I presented a paper on mail relay performance based on the new BHM program that is now part of Postal.

I have a Postal category on my main blog that I use for a variety of news related to Postal. This post (which will be updated periodically) will be the main reference page for the software. Please use the comments section for bug reports and feature requests.

It works by taking a list of email addresses to use as FROM and TO addresses. I originally used a template to generate the list of users because if each email address takes 30 bytes of storage then 3,000,000 accounts would take 90M of RAM which would be more than the memory in the test machine I was using at the time. Since that time the RAM size in commodity machines has increased far faster than the size of ISP mail servers so I removed the template feature (which seemed to confuse many people).

When sending the mail the subject and body will be random data. A header field X-Postal will be used so that procmail can easily filter out such email just in case you accidentally put your own email address as one of the test addresses. ;)

I have now added two new programs to the suite, postal-list, and rabid. Postal-list will list all the possible expansions for an account name (used for creating a list of accounts to create on your test server). Rabid is the mad Biff, it is a POP benchmark.

Postal now adds an MD5 checksum in the header X-PostalHash to all messages it sends (the checksum is over the Subject, Date, Message-ID, From, and To headers and the message body including the “\r\n” that ends each line of text in the SMTP protocol). Rabid now checks the MD5 checksum and displays error messages when it doesn’t match.
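The following is an added example, not code from Postal or Rabid, of a receiver-side check of the kind described above. The page does not give the exact bytes Postal hashes, so the layout used here (the five header values in the listed order, each followed by CRLF, then the body with CRLF line endings, as a hex digest) is an assumption, and all function names and the sample message are made up for illustration.

```python
import hashlib

HASHED = ("Subject", "Date", "Message-ID", "From", "To")  # headers named in the text

def split_message(raw: bytes):
    """Split raw message bytes into a header dict and the body (unfolded headers only)."""
    raw = raw.replace(b"\r\n", b"\n")
    head, _, body = raw.partition(b"\n\n")
    headers = {}
    for line in head.split(b"\n"):
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip()
    return headers, body

def postal_style_hash(headers, body: bytes) -> str:
    """MD5 over the five header values, then the body with every line ending as CRLF.
    Assumed layout for illustration; the page does not give Postal's exact bytes."""
    md5 = hashlib.md5()
    for name in HASHED:
        md5.update(headers[name.lower()] + b"\r\n")
    md5.update(body.replace(b"\n", b"\r\n"))
    return md5.hexdigest()

def verify(raw: bytes) -> bool:
    """Recompute the hash of a received message and compare it with X-PostalHash."""
    headers, body = split_message(raw)
    claimed = headers.get("x-postalhash", b"").decode()
    return claimed == postal_style_hash(headers, body)

def make_message(body: bytes) -> bytes:
    """Constructed sample message carrying its own X-PostalHash header."""
    h = {"subject": b"test 1", "date": b"Mon, 01 Jan 2024 00:00:00 +0000",
         "message-id": b"<1@sender.example>", "from": b"a@example.com", "to": b"b@example.com"}
    lines = [k.encode() + b": " + v for k, v in h.items()]
    lines.append(b"X-PostalHash: " + postal_style_hash(h, body).encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body.replace(b"\n", b"\r\n")
```

Because only five headers and the body are covered, a Received header added by a relay does not change the result, while a changed body byte or a truncated message does. The header carries no key, so it detects corruption in transit, not modification by a party that can also rewrite X-PostalHash.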

I have added rate limiting support in Rabid and Postal. This means that you can specify that these programs send a specific number of messages and perform a specific number of POP connections per minute respectively. This should make it easy to determine the amount of system resources that are used by a particular volume of traffic. Also if you want to run performance analysis software to determine what the bottlenecks are on your mail server then you could set Postal and Rabid to only use half the maximum speed (so the CPU and disk usage of the analysis software won’t impact on the mail server).

I will not release a 1.0 version until the following features are implemented:

  • Matching email sent by Postal and mail received by BHM and Rabid to ensure that each message is delivered correctly (no repeats and no corruption)
  • IMAP support in Rabid that works
  • Support for simulating large numbers of source addresses in Postal. This needs to support at least 2^24 addresses so it is entirely impractical to have so many IP addresses permanently assigned to the test machine.
  • Support for simulating slow servers in Postal and BHM (probably reducing TCP window size and delaying read() calls)
  • Making BHM simulate the more common anti-spam measures that are in use to determine the impact that they have on list servers
  • Determining a solution to the problem of benchmarking DNS servers. This may mean just including documentation on how to simulate the use patterns of a mail server using someone else’s DNS benchmark, but may mean writing my own DNS benchmark.

Here are links to download the source:

  • postal-0.72.tgz – made LMTP work and accept TAB as a field delimiter.
  • postal-0.71.tgz – rewrote the md5 checking code and fixed lots of little bugs.
  • postal-0.70.tgz – tidied up the man pages and made it build without SSL support.
  • postal-0.69.tgz – fixed some compile warnings, and really made it compile with GCC 4.3
  • postal-0.68.tgz – fixed some compile warnings, made it compile with GCC 4.3, and I think I made it compile correctly with OpenSolaris.
  • postal-0.67.tgz – changed the license to GPL 3
  • postal-0.66.tgz – made GNUTLS work in BHM and added MessageId to Postal.
  • postal-0.65.tgz – significant improvement, many new features and many bugs fixed!
  • postal-0.62.tgz – Slightly improved the installation documents and made it build with GCC 3.2.
  • postal-0.61.tgz – version 0.61. Fixed the bug with optind that stopped it working on BSD systems, and a few other minor bugs.
  • postal-0.60.tgz – version 0.60. Fixed the POP deletion bug, made it compile with GCC 3.0, and added logging of all network IO to disk.
  • postal-0.59.tgz – version 0.59.
  • postal-0.58.tgz – version 0.58. Added some new autoconf stuff, RPM build support, and the first steps to OS/2 and Win32 portability.
  • postal-0.57.tgz – version 0.57. Fixed lots of trivial bugs and some BSD portability issues.
  • postal-0.56.tgz – version 0.56. Added Solaris package manager support. Made it compile without SSL. Added heaps of autoconf stuff.
  • postal-0.55.tgz – version 0.55. Made Rabid work with POP servers that support the CAPA command. Fixed some compile problems on Solaris.
  • postal-0.54.tgz – version 0.54. Added a ./configure option to turn off name expansion (for systems with buggy regex). Fixed a locking bug that allowed Rabid to access the same account through two threads.
  • postal-0.53.tgz – version 0.53. Don’t use NIS domain name etc for SMTP protocol.
  • postal-0.52.tgz – version 0.52. Better portability with autoconf.
  • postal-0.51.tgz – version 0.51. Supports compiling without SSL and some hacky Solaris support.
  • postal-0.50.tgz – version 0.50. Adds SSL support to Postal (Rabid comes next).

How to Debug POP

POP (Post Office Protocol) is the most used protocol for receiving mail from a server to a MUA (Mail User Agent) for reading. It is specified in RFC1939.

But the way it works (in most cases) is quite simple and doesn’t require reading the RFC. Connect to port 110 (the standard port for POP3) and a basic session transcript is as follows (data sent by the client is prefixed with C: and data sent by the server is prefixed with S:):
C:user ABC
S:+OK USER ABC set, mate
C:pass asecret
S:+OK Mailbox locked and ready
S:+OK scan listing follows
S:1 2989

When the server successfully completes an operation it will precede its response with “+OK”; when it fails it will precede its response with “-ERR”. The data after the OK or ERR statement is for humans not machines, so in most cases your MUA will discard it. Therefore connecting to the service manually is required to properly debug problems. The unfortunate thing is that often on big mail servers it takes time for the sys-admin to do such tests. If the user can do it for them and give a bug report saying “your POP server said -ERR user unknown” then things will get fixed a lot faster than if the report is “the POP server didn’t work”.

One thing that is quite important is the initial greeting string. On any system of moderate size you will have multiple back-end servers and the greeting will tell you which server you are connecting to. If POP sometimes works and sometimes fails then your ISP might have one server failing, so making a note of this greeting string in a transcript of a failed session can really help in tracking down problems.

When the list of messages is displayed, the first column is message numbers (starting at one and going up sequentially) and the second column is message sizes. If you have a POP session timing out and you have an extremely large message then that might be the cause.
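As an added example (not part of the original article), the script below turns a saved session transcript into the facts a bug report needs: the greeting, any -ERR replies with the command that caused them, and the message sizes from the listing. The transcripts, the example.net host names, the function name and the 10,000,000 byte threshold are constructed for illustration. The PASS line is redacted because the password crosses the wire in clear text.

```python
# Constructed transcript (not from a real server) in the C:/S: notation used above,
# with the greeting, the LIST command and the "." terminator written out.
GOOD = """\
S:+OK POP3 ready <backend-03.example.net>
C:user ABC
S:+OK USER ABC set, mate
C:pass asecret
S:+OK Mailbox locked and ready
C:list
S:+OK scan listing follows
S:1 2989
S:2 48211034
S:.
"""
# Constructed failing session that reached a different back-end server.
BAD = "S:+OK POP3 ready <backend-07.example.net>\nC:user ABC\nS:-ERR user unknown\n"

def analyse(transcript, big=10_000_000):
    """Summarise a POP3 transcript for a bug report (big = size threshold, assumed)."""
    rep = {"greeting": None, "errors": [], "messages": [], "large": [], "safe": []}
    cmd, in_listing = [], False
    for raw in transcript.splitlines():
        side, _, text = raw.partition(":")
        if side not in ("C", "S"):
            continue                              # ignore unprefixed lines
        if side == "C":
            cmd = text.split()
            if cmd and cmd[0].upper() == "PASS":  # keep the password out of reports
                text = "pass <redacted>"
        elif in_listing:
            parts = text.split()
            if text == ".":                       # RFC 1939: lone "." ends the listing
                in_listing = False
            elif len(parts) == 2 and parts[0].isdigit() and parts[1].isdigit():
                num, size = int(parts[0]), int(parts[1])
                rep["messages"].append((num, size))
                if size >= big:
                    rep["large"].append(num)
        elif rep["greeting"] is None:
            rep["greeting"] = text                # first server line names the back-end
        elif text.startswith("-ERR"):
            rep["errors"].append((cmd[0].upper() if cmd else "", text))
        elif text.startswith("+OK") and [c.upper() for c in cmd] == ["LIST"]:
            in_listing = True                     # LIST without an argument is multi-line
        rep["safe"].append(f"{side}:{text}")
    return rep

print(analyse(GOOD)["large"], analyse(BAD)["errors"])
```

The `safe` list is the transcript to paste into the report, with the greeting intact and the password replaced.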

A commonly used program for testing POP (and other Internet services) is telnet. So to start the above process you would type telnet 110.

There are methods of hashing POP passwords (which make things a little more complex), but they often aren’t used – and in any case don’t encrypt the data. So it’s common to run POP servers with SSL, and the standard port for this is 995. This makes testing a little more complicated (but actually no more difficult).

To make an SSL connection you can use the program stunnel. It is included in many (most?) distributions of Linux, and Windows binaries are apparently at this link (NB I’ve never tested the Windows binaries as I don’t use Windows).

The command stunnel -c -r will connect you to your mail server via SSL and you can then type in the POP commands as normal.

If your POP server supports the STLS command (which allows negotiation of TLS/SSL on port 110) then you can use the command stunnel -n pop3 -c -r

To use gnutls, you can use the command “gnutls-cli -p 995” or to work with STLS on port 110 you use the command “gnutls-cli -s -p 110” and press ^D after entering the STLS command.