postfix: send via smarthost

To be able to send emails from a linux server via a smarthost just add this to your /etc/postfix/

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps =
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
relayhost =

I use this on my home-server/NAS behind a DSL line to get the root-messages (refer

General MacOS

Show FileVault status

Show FileVault encryption status:

#apfs volumes (look/grep for "Encryption Progress")
diskutil apfs list

diskutil cs list

General MacOS

MacOS Java 13 installation

Using homebrew finding and installing the right java runtime is an easy task:

brew cask install java

Yes, sometimes I still need java on my desktop, like for designing load tests using JMeter.

DevOps General

Ansible Galaxy dependency usage

Short note on ansible/ansible galaxy:

  • ansible-galaxy takes care of install the roles. Regardless if defined via a requirements.yaml or defined via the “dependencies:” section in the meta/main.yaml of a role.
  • ansible-playbook/ansible-pull doesn’t care about installation of roles, it just wants the defined dependencies (same meta/main.yaml) to be present. Here is the role_path important.

Knowing this it allows you to fulfill many usage- and development patterns. Like developing company wide reusable ansible roles with multiple teams (DevOps).


Shared roles using gitlab repositories

Define the role dependencies in the corresponding section of the role’s meta/main.yml.

  - src:
    scm: git
    version: master
    name: nginx

  - src:
    scm: git
    version: master
    name: postfix


The installation of roles (and their dependencies) and running the playbook becomes a simple two-liner:

# install roles and their dependencies
ansible-galaxy install "git+,master" --force

# apply the playbook (using the defined and installed dependencies)
ansible-playbook -i localhost, /root/.ansible/roles/product/product/playbook.yml
General MacOS

MacOS Catalina and Fujitsu ScanSnap S300

The quite old, but still perfectly working ADF scanner ScanSnap S300 is not supported anymore by Fujitsu. With MacOS Mojave the scanner worked very well using the ScanSnap S1300i driver. But not so with Catalina – the new ScanSnap Home software checks the connected Device IDs.

Only solution: Fujitsu wants me to buy a new Scanner although the current one is still working fine (hardware wise)…

I could not find a simple solution. Yes, there are some solutions live VueScan or ExactScan, but for me they feel too expensive.

In the end I’m using now my existing Parallels Windows 10 virtual machine to scan. On that platform the ScanSnap Manager Software is still supported – also in a 64bit version (why not on Mac Fujitsu?). You can use the newer Version from the S1500 (Download)!

Finally I am able to scan again. Without spending valuable resources into a new scanner (just because of a missing switch in a software).

General MacOS

MacOS keychain with AWS CodeCommit

Using temporary credentials (access-tokens) with AWS CodeCommit and git clients can be hard with MacOS. The Keychain saves those credentials and after ~15min you must renew them (remove them manually from the keychain). And if you have also to work with repositories other than AWS (like GitHub, GitLab) its even worse. But since recent git versions (>2.9) it is possible to reset the credential helper by Git-Host!

Using the git credential-helper for CodeCommit repositories only:

[credential ""]
  helper=!aws codecommit --profile developer-cloudformation credential-helper $@
        UseHttpPath = true

It’s important to add that “helper=” line. Regularly the global git config contains a “helper=osxkeychain” line and those helper-directives are additive – but the “helper=” line breaks/resets that inheritance.


Cloud storage cost calculation (backup/restore)

Related to my offsite-backup with restic project I recently wanted to choose an cloud-provider as backup target. But that seems not an easy decision. Besides the costs for storage and traffic things getting complicated when it comes to restore: Pricing differs here from $10 to $1300 for a single restore of 500GB!

Although I use mainly AWS for my business projects I consider to use google cloud storage for my private backup. Main reason for me is that the restore options for AWS S3 Glacier are not easy to predict and the costs could be very different.


Cloud backup with restic

Yes, I’ve tried multiple approaches in the past to get an offsite-backup up and running. I’ve used rsync first and then obnam and duplicity with encryption. Both successful with remote ssh-hosts.

But times are changing and I wanted to use a cloud-storage provider now instead of a dedicated remote host for my backups – so I started with duplicity/duply to get AWS S3 access running – that worked quite good.

But for some reason I discovered restic on github and gave it a try (maybe because of this introduction)

Things I like:

  • growing user base on GitHub
  • its encrypted (very interesting read on this)
  • uses deduplication
  • usage is straightforward, no hard to read config-files with dozens of options
  • no full-/incremental backups, every backup is a “snapshot”
  • they’re promise to not change the repository format in the future
  • access to cloud providers (tested AWS S3 and Google Cloud Storage) went very easy
  • its using a local cache to speed up (but is not sticked to that)
  • you could move the backups to different locations using standard tools and they’re still usable
  • local backups (like on USB-drives) could be achieved the same way: every destination is considered as “remote” and is encrypted

Documentation is good, so I won’t share usage details here. But I’ve started backups to Google Cloud Storage last week and it feels great…


postfix: redirect mails for root

Short note: redirect local root mails (cron, mdadm, …) to an external address:

# install postfix
apt-get install postfix

# add alias for root
echo "root:" >> /etc/aliases

# reload aliases for postfix

Vigor 130 Webinterface / PPPOE passthrough with Sophos UTM

The Vigor 130 works very well as VDSL (Vectoring) modem in connection with a Sophos UTM. Therefore the modem is configured in PPPOE pass-through mode – this way all connection related details like credentials are configured by the Sophos UTM.

Because the vigor 130 has only one Ethernet interface I always had to re-plug some network cables just to watch the DSL status via the webinterface of the “modem”.

Here are some hints on how to connect to the modem interface (using just basic routing).

In my case my LAN subnet is

Place the modem into an additional Subnet

here:, ip of the modem:

create a static route

the vigor allows not to change the default route, but that is also not neccessary if you have only one LAN subnet.

Add an additional address to the Sophos WAN interace

In my setup the WAN interface is used as PPPOE interface for the modem, but its easy to add the modem subnet on top of it:

Thats it!

you should now be able to connect to your modem webinterface from your LAN via