Google apps catchall not catching yahoo recovery email

A very good friend of mine uses one of my domains for his password recovery email address - in case something happens to the mainstream account. For such purposes, I keep a special domain on a grandfathered “google apps” plan - with no real users, just one administrator and a catchall set to never mark anything as spam and forward everything to a special email.

Recently, my friend forgot his yahoo password and for whatever reason, the mail with the recovery link was *NOT* reaching him, despite the catchall!! It was not in spam, not in the trash, nowhere after the google app - apparently it was just silently discarded by google. Separate tests using another (non yahoo) domain to send a similar email to the recovery address *DID* work, suggesting that the spare domain setup and the catchall did work, and that the problem was somewhere else.

In the end, I had to create a special user with this given email on this domain so that my friend could log in and receive the recovery link from yahoo.

That’s extra weird - maybe some recently-added Google security feature to avoid account thievery by a catchall. But this raises the question - is there that much interest in a “premium” account in 2014???

Automatically creating reverse DNS PTR from an IPv6 zone file

If you are like me, you don’t want to create the PTR by hand. I saw several articles online, but nothing remotely good ( is recreating Net::IP)

So I created a Perl script where you just update the domain name and the IPv6 prefix:


#!/usr/bin/perl
# Copyright (c) Guylhem, 2014
use Data::Dumper;
use warnings;
use strict;
use Net::IP;

# Your domain, with a leading dot (it is appended to "ns1" and to each host name)
my $domain = "";
my $prefix = "2001:470:8:1000";
my $subnet = "/64";
# Secondary name servers, without the trailing dot
my @slaves = ("", "", "", "");

unless ( scalar @ARGV == 1 ) {
    die "Usage:\n\t$0 named-zone.txt\n";
}

my $zone_file = $ARGV[0];
# Three-argument open: the file name is never interpreted as a mode or a pipe
open( my $zone_fd, "<", $zone_file ) or die( "Can't read zone file " . $zone_file . " !\n" );

my @records;
while (my $line = <$zone_fd>) {
    chomp $line;
    if ($line =~ /AAAA/) {
     if ($line =~ /\Q$prefix\E/) {
      # The first field of the record is the owner name
      (my $name = $line) =~ s/(\s+|\t+).*//;
      # Keep only the host label, the domain is appended below
      (my $host = $name) =~ s/\..*//;
      my $fqdn = $host . $domain;
      (my $aaaa = $line) =~ s/.*\Q$prefix\E/$prefix/;
      my $ip = Net::IP->new($aaaa) or die (Net::IP::Error());
      my $raaa = $ip->reverse_ip();
      my @new = ($fqdn . ".", $raaa);
      push (@records, \@new);
     } #fi
    } #fi
} #while
close ($zone_fd);

my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime();
$year += 1900;
# localtime() counts months from 0
my $month = sprintf("%02d", $mon + 1);
my $day = sprintf("%02d", $mday);
# Seconds since midnight; divided by 86400 this is the fraction of the day elapsed
my $stamp = 3600*$hour + 60*$min;
# Alternative: add warning about not running that at midnight
if ($stamp == 86400) { $stamp=86399 };
# We keep 2 digits of the ratio: the SOA serial is an unsigned 32-bit integer,
# so YYYYMMDD can only be followed by 2 more digits
my $relstamp = sprintf("%02d", 100*($stamp/(24*3600)));

my $prefixip = Net::IP->new($prefix . "::" . $subnet) or die (Net::IP::Error());
my $rprefix = $prefixip->reverse_ip();

print $rprefix . "\t86400\tIN\tSOA\tns1$domain. hostmaster$domain. (\n";
print "\t\t\t\t" . $year . $month . $day . $relstamp . "\t;serial\n";
print "\t\t\t\t10800\t;systematic refresh 3h
\t\t\t\t1800\t;retry on refresh fail 30 min
\t\t\t\t604800\t;expire on secondary 1 week
\t\t\t\t86400 )\t;minimum TTL 1 day\n";
print "$rprefix\t86400\tIN\tNS\tns1$domain.\n";
foreach my $slave (@slaves) {
     print "$rprefix\t86400\tIN\tNS\t$slave.\n";
}
foreach my $record (@records) {
     print $record->[1] . "\t86400\tIN\tPTR\t" . $record->[0] . "\n";
}

To run that automatically when there is a change, add to your crontab:


DATE=$(date -u +"%Y-%m-%d-%H_%M_%S")
/etc/named/ /etc/named/ | uniq > /etc/named/
# Compare only the PTR lines, so that a new serial alone does not trigger a reload
grep PTR /etc/named/db.2001_470_8_1000 > /tmp/$DATE-db.2001_470_8_1000
grep PTR /etc/named/ > /tmp/$
if ! cmp /tmp/$DATE-db.2001_470_8_1000 /tmp/$ >/dev/null 2>&1
then
  mv /etc/named/ /etc/named/db.2001_470_8_1000
  /usr/sbin/rndc reload
else
  rm /etc/named/
fi
rm /tmp/$
rm /tmp/$DATE-db.2001_470_8_1000
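
A check that can run on a generated reverse zone before rndc reload, as an added example in Python (not part of the original script): it recomputes the expected PTR set from the forward zone and reports missing or stale PTRs, plus a date-based serial that no longer fits the 32-bit SOA field. The example.net names, the ::99 entry and the function names are constructed for illustration.

```python
import ipaddress

UINT32_MAX = 2**32 - 1  # the SOA serial is an unsigned 32-bit field (RFC 1035)

def reverse_name(addr):
    """Nibble-reversed ip6.arpa owner name, with the trailing dot."""
    return ipaddress.ip_address(str(addr)).reverse_pointer + "."

def expected_ptrs(forward_zone, network, domain):
    """Map reverse owner name -> set of FQDNs for each AAAA inside `network`."""
    net, ptrs = ipaddress.ip_network(network), {}
    for line in forward_zone.splitlines():
        fields = line.split(";")[0].split()
        if "AAAA" not in fields[1:-1]:
            continue
        addr = ipaddress.ip_address(fields[fields.index("AAAA", 1) + 1])
        if addr in net:
            ptrs.setdefault(reverse_name(addr), set()).add(f"{fields[0]}.{domain}.")
    return ptrs

def audit_reverse_zone(reverse_zone, forward_zone, network, domain):
    """Return the problems found in a generated reverse zone (empty list = OK)."""
    problems, have = [], {}
    for line in reverse_zone.splitlines():
        data, _, comment = line.partition(";")
        fields = data.split()
        if fields and comment.strip() == "serial" and int(fields[0]) > UINT32_MAX:
            problems.append(f"serial {fields[0]} does not fit in 32 bits")
        elif len(fields) == 5 and fields[3] == "PTR":
            have.setdefault(fields[0], set()).add(fields[4])
    want = expected_ptrs(forward_zone, network, domain)
    for owner in sorted(want.keys() | have.keys()):
        missing = want.get(owner, set()) - have.get(owner, set())
        stale = have.get(owner, set()) - want.get(owner, set())
        problems += [f"missing PTR {owner} -> {t}" for t in sorted(missing)]
        problems += [f"stale PTR {owner} -> {t}" for t in sorted(stale)]
    return problems

# Constructed sample data: example.net and the host names are placeholders.
FORWARD = """www   IN AAAA 2001:470:8:1000::10
mail  IN AAAA 2001:470:8:1000::25
vpn   IN AAAA 2001:470:9:1::1   ; outside the /64, gets no PTR here
"""
REVERSE = (
    "\t\t\t\t20140711500\t;serial\n"  # YYYYMMDD followed by 3 digits
    + reverse_name("2001:470:8:1000::10") + "\t86400\tIN\tPTR\twww.example.net.\n"
    + reverse_name("2001:470:8:1000::99") + "\t86400\tIN\tPTR\told.example.net.\n"
)

if __name__ == "__main__":
    for problem in audit_reverse_zone(REVERSE, FORWARD, "2001:470:8:1000::/64", "example.net"):
        print(problem)
```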

OSX removing IPv6 addresses from openvpn

Recently, I tried to set up to do VPN, and found one interesting bug : the interface is configured with IPv4 and IPv6 addresses, but a few seconds later OSX removes the IPv6 addresses!

Apparently, this is a long-known bug, with the first references being in 2004 (10 years ago!!) on the copy of in :

“There is another agent, however, that drives Unix admins into fits. The Kernel Event Monitor (KEM) waits for kernel events that tell it that an interface has gone down. When this happens it informs configd which interface has gone down. Configd then re-reads its config from the preference.plist file and sends out the new settings to the configuration agents which make sure the interfaces are configured the way they should be. This then triggers the IPMA which redoes the routing table according to the new information.

And that is what trips up the admins. They use their traditional methods of configuring an interface and use ifconfig to make it so. This works great. Until, for whatever reason, the KEM tells Configd things have changed. Configd then reverts everything back to whatever is held in the preference.plist file. This cheeses Unix admins off.”

Indeed, that’s a problem - especially since there’s nothing in preference.plist to fix.

There is no known workaround either (cf suggestion to use “ipconfig set tapN AUTOMATIC-V6” that does not work)

While I was still investigating, I was suggested the following by Viscosity support :

I’d recommend turning off Viscosity’s “Accept IPv6 Router Advertisements” option if it is on (under Preferences->Advanced). If this option is on it’s probable Mac OS X is trying to configure IPv6 on the tap adapter itself and overriding any OpenVPN settings. Mac OS X/configd will not attempt to do automatic IPv6 configuration on a layer-3 (TUN) adapter.

Another thing to try is to turn off DNS support for the connection (under the Networking tab when editing the connection). Obviously  in most cases this is less than ideal, but if it solves the issue it may help identify where the problem lies.

I’d also recommend adding a small “route-delay” to the connection, as occasionally OpenVPN may attempt to configure a TAP interface before it is ready. You can do this by adding the command “route-delay 10” (without quotes) under the Advanced tab for your connection.

Finally, as a work-around, you can try enabling IPv6 router advertisements on the router of your remote VPN network and allow the TAP interface to auto-configure itself rather than have OpenVPN manually attempt to do so.

Of course, nothing of that works, the 2nd was already turned off, and the 3rd only delays the routes.

The first doesn’t do anything, because the problem is due to the interface itself.

If you run ifconfig when tap0 appears, you will see the correct IPv6 addresses, which are then removed by configd and its minions.

The statement “Mac OS X/configd will not attempt to do automatic IPv6 configuration on a layer-3 (TUN) adapter” is wrong.

I could ascertain that when I tried tun mode : apparently the interface type is set differently in the tun driver, which causes arp_client_init to fail and configd to stop trying to remove the ipv6 address. In syslog:

2014-07-11 3:30:05.240 PM configd[18]: arp_client_init(tun0): unsupported network type
2014-07-11 3:30:05.240 PM configd[18]: MANUAL tun0: arp_client_init failed
2014-07-11 3:30:05.244 PM configd[18]: IPConfiguration: failed to start link-local service on tun0, invalid operation

Look at line 100 :

this->family_name = TAP_FAMILY_NAME;
this->type = IFT_ETHER;

Now look at line 55:

this->family_name = TUN_FAMILY_NAME;
this->family = IFNET_FAMILY_TUN;
this->type = IFT_OTHER;

It’s not that OSX won’t attempt to do automatic IPv6 configuration on a layer-3 (TUN) adapter - it will try, but fail, and therefore give up.

The real fix would be to pass the tap address to OSX configuration layer to prevent it from removing it, which is almost impossible, since in “networksetup” command line tool the tap0 interface is not considered as “hardware” - and therefore the information can’t be stored.

There might be a possibility with “scutil”, if the tap0 entry can be populated when tap0 is up and before configd decides to remove things, but it would require passing some commands with the right timing, which can only be done by inspecting viscosity source code, which I don’t have.

Tunnelblick had the exact same problem ( and had to resort to tricks, so I also used a dirty trick : an AppleScript that runs when the interface is up, reads the correct IP and route from the syslog and restores them.

-- add to /etc/sudoers:
-- yourusername ALL=(ALL) NOPASSWD: /sbin/ifconfig
-- yourusername ALL=(ALL) NOPASSWD: /sbin/route
-- rebuild the ifconfig command that openvpn logged (lines containing its pid)
set ifconfig to do shell script "grep `pgrep openvpn` /var/log/system.log | grep ifconfig | grep inet6 | sed -e 's|.*/sbin|/sbin|g' -e 's/^/sudo /g'"
-- rebuild the /56 route from the route line that openvpn logged
set route to do shell script "grep `pgrep openvpn` /var/log/system.log | grep route | grep /56 | sed -e 's/.*(/route add -inet6 /g' -e 's/->.*)//g' -e 's/dev/-interface/g' -e 's/^/sudo /g'"
-- run both commands
do shell script ifconfig
do shell script route
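
A stricter take on the same workaround, as an added example in Python (not the author's script): instead of handing sed-rewritten log text to sudo through a shell, it only accepts lines tagged with the OpenVPN process, validates the interface name and the IPv6 values, and returns argument lists. The log line shapes and the openvpn[PID] tag are assumptions inferred from the sed expressions and the syslog excerpt in the post; the sample lines and function name are constructed.

```python
import ipaddress
import re

# Assumed OpenVPN log shapes, inferred from the sed expressions in the post.
IFCONFIG_RE = re.compile(r"/sbin/ifconfig (tap\d+) inet6 (\S+)$")
ROUTE_RE = re.compile(r"add_route_ipv6\((\S+) -> \S+ metric -?\d+\) dev (tap\d+)$")

def restore_commands(log_lines, pid):
    """Turn OpenVPN log lines into argv lists; lines that do not validate are dropped."""
    tag = f" openvpn[{pid}]: "  # match the process tag, not the bare pid number
    commands = []
    for line in log_lines:
        _, found, message = line.rstrip("\n").partition(tag)
        if not found:
            continue
        try:
            m = IFCONFIG_RE.search(message)
            if m:
                addr = ipaddress.IPv6Interface(m.group(2))
                commands.append(["/sbin/ifconfig", m.group(1), "inet6", str(addr)])
                continue
            m = ROUTE_RE.search(message)
            if m:
                net = ipaddress.IPv6Network(m.group(1))
                commands.append(["/sbin/route", "add", "-inet6", str(net),
                                 "-interface", m.group(2)])
        except ValueError:
            continue  # address or prefix did not parse
    return commands

# Constructed sample lines in the syslog layout quoted in the post.
SAMPLE_LOG = [
    "2014-07-11 3:30:01.100 PM openvpn[4242]: /sbin/ifconfig tap0 inet6 2001:db8:0:1::2/64",
    "2014-07-11 3:30:01.200 PM openvpn[4242]: add_route_ipv6(2001:db8:100::/56 -> 2001:db8:0:1::1 metric -1) dev tap0",
    "2014-07-11 3:30:02.000 PM otherd[77]: 4242 /sbin/ifconfig tap0 inet6 2001:db8::1/64",
    "2014-07-11 3:30:03.000 PM openvpn[4242]: /sbin/ifconfig tap0 inet6 2001:db8::1/64 extra-argument",
    "2014-07-11 3:30:04.000 PM openvpn[4242]: /sbin/ifconfig tap0 inet6 not-an-address",
]

if __name__ == "__main__":
    for argv in restore_commands(SAMPLE_LOG, 4242):
        # To apply: subprocess.run(["sudo", "-n", *argv], check=True), no shell involved
        print(argv)
```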


Viscosity, please run some scutil command as soon as tap0 comes up.

IPv6 tunnel on OSX while travelling

I need IPv6. I have it at home - not when I travel.

Let’s look at several different options, depending on how “cooperative” the ISP you are using is:

A) Tunnelbroker, from

If you can be pinged on the IPv4 address and are behind a router that passes on protocol-41, then configure this IPV4 in your tunnelbroker account and do:

sysctl -w net.inet6.ip6.forwarding=1
route -n add -inet6 default TUNNELSERVERIPV6ADDRESS
ifconfig en0 inet6 LOCALIPV6ADDRESS prefixlen 64

For example, with:
Tunnel info from HE:
Server IPv4 Address:
Server IPv6 Address: 2001:470:1f08:f23a::1/64
Client IPv6 Address: 2001:470:1f08:f23a::2/64

Local IPv4 router address:
Local IPv6 /48 network assigned by HE: 2001:470:f23f::/48

Then do:
ifconfig gif0 tunnel
ifconfig gif0 inet6 2001:470:1f08:f23a::2 2001:470:1f08:f23a::1 prefixlen 128
route -n add -inet6 default 2001:470:1f08:f23a::1
ifconfig en0 inet6 2001:470:f23f::3e07:54ff:fe10:b870 prefixlen 64

If you want to pass IPv6 information to other systems, use rtadvd.

If you want to update the dynamic IPv4, use wget or curl with

If your IPv4 changes, i.e. if you are assigned a dynamic IPv4 by your ISP instead of a static one, just create a simple script and do as before:

# Instead of using your username as $USER, get the userid on top of the page
NEW_IP=`curl -s ""`
# curl https://$USER:$$HETUNNEL&myip=$NEW_IP
# -k disables TLS certificate verification; remove it if the server certificate validates
curl -k -s "$NEW_IP&pass=$HEPASS&apikey=$HEUSER&tid=$HETUNNEL"

The password can be a tunnel specific password set in the advanced tab.

B) If you can’t use tunnelbroker, because you can’t be pinged, or if proto 41 is filtered

Some ISPs filter ICMP ping. The Apple Time Capsule is famous for only allowing ICMP ping on its public IP if “Enable default host” in NAT is an existing IP address that does respond to ping.

If you’re in that situation, or if proto 41 is filtered, you are out of luck. There are other things, like teredo, but chances are they will also be blocked - and they’re not that good to begin with!

Your best bet may be to use freenet6 or aiccu/ Creating a login on is too complicated and too long, so I suggest you use freenet6 instead - your login will be working within minutes, and if you don’t want to spend a minute doing that, there’s also an anonymous mode (!!)

NB: In case of “Operation not permitted”, during your ping6 tests check the firewall :
sudo ip6fw show
65535 0 0 allow ipv6 from any to any

Compiling nginx with ipv6 support

If you try to recompile nginx, even if you say --with-ipv6, it might fail to add IPv6 code.

Even worse - nginx -V will report the --with-ipv6 compilation flag, while if you check the build process you will see : “AF_INET6 not found”

It happened to me when I tried to compile with -Werror, which treated warnings as errors even during the ./configure!

Solution : CFLAGS="-O2" ./configure …

Installing Mathematica to the raspberry pi with GPG package check

Installing Mathematica to the raspberry pi gives GPG errors

root@raspberry:~# cat /etc/apt/sources.list
# Wolfram Research, Inc. APT Repository (for WolframEngine)
deb stable non-free

So when you run:

apt-get update ; apt-get upgrade

You get the following problem:

W: GPG error: stable Release: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 574FA74E5CBB4222

The solution is to run:

apt-key adv --keyserver --recv-keys 574FA74E5CBB4222

Before you install Mathematica with:

sudo apt-get install wolfram-engine mathematica-fonts


Running qemu with tap0 and nat under OSX 10.9 Mavericks

Running qemu with full network access for the virtual host under OSX can be a problem - especially under Mavericks

For example see

The proper way to do it is :

1) Install qemu from rudix on

2) Get TunnelBlick 3.4beta26 from

3) Install the tap and tun kext contained in tunnelblick beta by mounting the dmg then:

cd /Volumes/Tunnelblick/

cp -r tap* tun* /Library/Extensions

4) (make sure to remove the old modules as explained on : not just kextunload but rm -fr them, a reboot might be necessary if the latter doesn’t work)

5) As root, configure the proper tap link and up/down scripts :

ln -sf /dev/tap0 /dev/tap

# The quoted 'EOF' keeps backticks and quotes literal: they are written to the
# file as-is instead of being expanded while the file is created
cat > /etc/qemu-ifup <<'EOF'
#!/bin/bash
sysctl -w net.inet.ip.forwarding=1
sysctl -w
sysctl -w net.inet.ip.fw.enable=1
ifconfig bridge0 create
ifconfig bridge0 addm en0 addm tap0
ifconfig bridge0 up
natd -interface en0
ipfw add divert natd ip from any to any via en0
EOF
chmod +x /etc/qemu-ifup

cat > /etc/qemu-ifdown <<'EOF'
#!/bin/bash
#ipfw del 00100
# delete the divert rule by looking up its rule number
ipfw del `ipfw list | grep "ip from any to any via en0" | sed -e 's/ .*//g'`
killall -9 natd
sysctl -w net.inet.ip.forwarding=0
sysctl -w
sysctl -w net.inet.ip.fw.enable=1
ifconfig bridge0 deletem en0 deletem tap0
ifconfig bridge0 down
ifconfig bridge0 destroy
EOF
# qemu only runs the down script if it is executable
chmod +x /etc/qemu-ifdown

6) start qemu, for example with a raspberry image (after commenting out the first line of /etc/ld.preload.conf):

qemu-system-arm -kernel kernel-qemu -cpu arm1176 -m 256 -M versatilepb -no-reboot -serial stdio -append "root=/dev/sda2 panic=1 rootfstype=ext4 rw" -hda /dev/disk2 -net nic -net tap,ifname=tap0

7) set up the proper ip on OSX :

ifconfig tap0

8) finally, set up the default route in the host vm:

ifconfig eth0

route add default gw

The above requires that en0 is your outgoing interface (ex: my wifi card on a macbook air)  - obviously you can adapt that to other scenarios.

Compiling libsureelec examples on OSX

install rudix’s autoconf, automake and libtool, then after running the (configure, make etc) type:

cd examples

gcc -Wall -I../ -o sureelec_test2 sureelec_test2.c ../.libs/libsureelec.dylib -lreadline

EFI boot on a MacPro 3.1

Apparently it is possible to boot Windows 7 and Windows 8 in pure EFI ( ) even if Windows 8 makes it even easier ( )

All I want is a motion-interpolation video player, such as SVP ( - and there is none under OSX.

If I can’t get good performance with a VM, maybe I’ll add a dual boot !

Changing the color of icons from OSX Terminal

And the answer is :

sudo xattr -wx com.apple.FinderInfo 0000000000000000000C00000000000000000000000000000000000000000000 the-file-you-want-to-turn-red

red: C
orange: F
yellow: B
green: 5
blue: 9
violet: 7
grey: 3

To clear the label again, either use 0 as a value or run sudo xattr -d com.apple.FinderInfo /Applications/Utilities.

As mentioned on

Caution: This will wipe out any other FinderInfo value there might be set for the target file/directory already. For the Utilities folder this shouldn’t be an issue but it might for others.