
The life (or lack thereof) of the RSC techies…

Greylisting and Cloud-based mail

October 17th, 2011 by Jon Agland

If you’re running Greylisting on your external mail gateways, and you implement one of the Cloud-based e-mail services for another domain or sub-domain, then mail from the Cloud will experience a delay in reaching those on the internal mail system.

There are a number of Greylisting solutions out there. This particular solution is based on using (or should I say working around!) Alun Jones’ Greylisting module – for details see http://users.aber.ac.uk/auj/spam/. Typically I’ve implemented this on Exim mail servers, with a few colleges.

The obvious choice would be to configure all the IP addresses of the Cloud-based mail system to either bypass Greylisting or add them into the Greylisting IPwhitelist table. However, with the way the Cloud-based mail services work, it’s likely that there are a large number of IP addresses, and that they could change a lot.

With this in mind, it’s a good idea to implement something called SPF or Sender Policy Framework (bit much to explain SPF here – read http://openspf.org ) for the Cloud-based mail system. Microsoft seem to recommend it, using an include statement to refer to the SPF record for outlook.com, when implementing Live@Edu. Not sure if Google Mail do?

With this in place, the actual workaround is quite simple.

Firstly, you need to make sure Exim has SPF support (exim -bV should confirm). If it doesn’t, then you need to add it. For the Gentoo distribution, you need to add the ‘spf’ USE flag (either globally in /etc/make.conf or for the package in /etc/portage/package.use). If compiling Exim from source, you need EXPERIMENTAL_SPF=yes in your Local/Makefile.

Secondly, you need the following snippet before the Greylisting call in your Exim configure file (or in Gentoo exim.conf):

accept sender_domains = xyz.domain1.ac.uk
spf = pass

Other than a restart of Exim and some testing, that’s it. (exim -bh is of course useful if you don’t want to actually generate some e-mail!)

Don’t give away all your vCPU’s!
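Why the ACL pairs sender_domains with spf = pass: the envelope sender domain on its own is whatever the connecting host claims, so the bypass must also require that the connecting IP is authorised by the domain's SPF record. The sketch below is an added example, not part of the original post or of Exim; it evaluates a small subset of SPF (ip4, include, all) against constructed TXT records, and the provider name spf.cloudmail.example and the address ranges are placeholders.

```python
import ipaddress

# Constructed TXT records standing in for DNS; not real published SPF data.
# xyz.domain1.ac.uk is the example sender domain from the post; the provider
# name and the address ranges (documentation ranges) are placeholders.
TXT_RECORDS = {
    "xyz.domain1.ac.uk": "v=spf1 include:spf.cloudmail.example -all",
    "spf.cloudmail.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.64/26 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # simplification of the RFC 7208 limit on DNS-querying terms


def check_host(client_ip, domain, records=TXT_RECORDS, depth=0):
    """Evaluate the ip4, include and all mechanisms for client_ip."""
    if depth > MAX_DEPTH:
        return "permerror"
    terms = records.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    address = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        if term == "all":
            return result
        if term.startswith("ip4:"):
            if address in ipaddress.ip_network(term[4:], strict=False):
                return result
        elif term.startswith("include:"):
            inner = check_host(client_ip, term[8:], records, depth + 1)
            if inner == "pass":
                return result  # include matches only on an inner pass
            if inner in ("none", "permerror"):
                return "permerror"
            # inner fail/softfail/neutral: no match, keep evaluating
        else:
            return "permerror"  # mechanism outside this sketch's subset
    return "neutral"


def acl_decision(sender_domain, client_ip,
                 bypass_domains=frozenset({"xyz.domain1.ac.uk"})):
    """Mirror the ACL: skip greylisting only if the domain is listed AND SPF passes."""
    if sender_domain in bypass_domains and \
            check_host(client_ip, sender_domain) == "pass":
        return "accept"
    return "greylist"


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.200", "203.0.113.9"):
        print(ip, check_host(ip, "xyz.domain1.ac.uk"),
              acl_decision("xyz.domain1.ac.uk", ip))
```

A host outside the provider's ranges that claims the listed sender domain gets an SPF fail and therefore falls through to greylisting as normal.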

February 11th, 2011 by Jon Agland

Even after 3+ years of working with VMware ESX/ESXi it still manages to catch me out….

Recently had a pair of ESXi servers each running a single Virtual Machine. The one Virtual Machine was actually just a clone of the other, and for plenty of reasons we would expect the load of these Linux VM’s to be similar. However, the ESXi servers varied ever so slightly. The one server (Box A) had 2 x Dual Core processors, the other (Box B) had just 1 x Dual Core processor; otherwise we would expect similar loads between the two servers. The VM had been allocated two vCPU’s. Box A was very happy, and seemed to be running like a dream. Box B was not happy: processes were generally hanging, monitoring scripts were failing and overall server performance was poor (run queue was in the 20s). It even got to the extent of me checking the workloads concerned!

It wasn’t until an informal chat with a colleague that it was pointed out that the maximum time-slice for the VM’s under ESXi is just 30ms, and that this could be causing me issues. It didn’t take me long to realise that actually on Box B the Linux VM’s were trying to slice between the two processors, as well as Box B trying to run the ESXi Hypervisor. So finally I did the two minute task of powering down the VM on Box B and giving it just one vCPU; suffice to say a day or so later, everything is now stable.

[Image: boxb-vm-cpu]

[Image: boxb-vm-runqueue]

Killing two birds with one stone, I also realised that my very lightly loaded Home ESXi server (Yes I’m a geek!), which runs about 3 Linux VM’s, had been behaving poorly for months and that I hadn’t really had time to investigate. It turns out that a very old ML110 G3 (which has a HyperThreading CPU, rather than a Dual Core) had a similar issue. Once I’d allocated all my VM’s just 1 vCPU, things are now all working well. No more do I have to listen to the fan speed up when I copy some files to/from it!!!

I guess I’ve been very lucky that our production servers (just about everything in rsc-wales.ac.uk), despite most being allocated two vCPU’s, are sat on boxes with sufficient real processors.

So the moral is definitely don’t give away all your CPU’s to the VM. As an initial rule of thumb, I’d suggest giving away no more than 50% of them to any one VM.

My final thought is with this business of my fans running up to full speed and the processor working extra hard, I guess we must now be saving a little bit of power?  I guess this kind of issue isn’t specific to VMware?

SAN and Virtualisation on a budget of zero?

May 28th, 2010 by Jon Agland

For quite a while now we’ve been using VMware Virtual Infrastructure with the bells and whistles of Vmotion and HA on a Fibre Channel SAN. In my eyes it’s all been very good in that it gives us a resilient cluster to run our VM’s and therefore services on. Unfortunately, it’s not necessarily cheap, not least because of ongoing licensing costs, hardware maintenance costs and the inevitable upgrades. In an ideal world we all want the shiny shiny new solution, but if you’re on a budget of zero, then I’m going to tell you how you can use older servers to create a SAN and Virtualisation solution. It is based on how I’ve used such a solution myself on a number of older servers for running development and testing machines.

The Virtualisation Solution

Well firstly, it’s quite a while since I mentioned a limited version of VMware ESXi being freely available. This is still available even with the latest vSphere 4.0 Hypervisor software – which I’m happily running on a small number of servers. It’s a little bit more fussy than ESXi 3.5 was; for instance you must now have 2Gb+ of RAM, and it no longer supports 10/100 NICs. Realistically, you would want something fairly modern anyway. Ideally you want a new server with Quad Core’s and HyperThreading, at least 16Gb RAM, and ideally something supported by VMware. If not then check out the WhiteBox HCL.

If you’re going to re-use an existing server, then you ideally need to be using something with either Dual or Quad Core processors, rather than just HyperThreading alone. 2GB of RAM is the absolute minimum for ESXi 4.0 to run, but you want nearer 8Gb to actually get any good use out of it. You will also need at least one copy of ESXi (either 3.5 or 4.0) with the Free license.

If you’re only going to have one server, then make sure it has a RAID subsystem that is supported by VMware, and you then simply store the Virtual Machines on it. You will have to accept the risk that you have a lot of eggs in this single server. Make sure you do reliable backups of each server’s OS (as you would normally for any physical server).

If you’re going to have more than one server, then consider having two servers to run VMware and some kind of SAN or NAS, as you don’t want to have to rely on the local storage of each of those Virtualisation servers; using the shared storage instead will allow you to manually share the VM’s across the servers. Remember you can put the VMware ESXi Hypervisor onto a USB stick and boot the server from that, if it supports it.

So what about a SAN or NAS Solution?

Well you want something that works over a LAN, so iSCSI or NFS are your options. In an ideal world you want something that is fully supported by VMware, but again it’s not always possible to afford this. You can look at the higher end of the SOHO grade NAS devices that can do RAID and either iSCSI or NFS.

However, if you have a server that has a fair amount of storage or that you can load up with storage cheaply (think of re-using the storage from your Virtualisation servers above), then you can use that as a Shared SAN/NAS solution. I highly recommend OpenFiler for the job of a SAN/NAS server box. It’s actually a Linux distribution (based on rPath Linux), but please don’t let that put you off! It has a very good web interface, and it’s very rare that you need to get into the Linux command line. RAID generally isn’t an issue with OpenFiler: either use the built-in RAID on the server (if it’s supported by Linux) or, if you don’t have RAID, you can use Software RAID under Linux, which can be configured in the OpenFiler installer and in the web interface.

See here for how to set it up using iSCSI to present storage to VMware ESXi, you can also use NFS instead of iSCSI to present storage to VMware.  It’s swings and roundabouts as to which is best;

An iSCSI setup presents the disks (aka a LUN) to VMware; it allows you to format using VMFS (VMware’s File System), and with VMware ESXi / vSphere you can then use features like thin provisioning. However, there’s no way of seeing the files outside of VMware ESXi, which can make backup and recovery more challenging.

If you use NFS then you can see the files outside of VMware. I’m guessing here, but with LVM Snapshots, you could probably create some scripts within VMware to mount a read-only Snapshot and take backups of your VM’s files from underneath. So they won’t be crash consistent, but you’d have something to work from….

Some considerations

(which are probably relevant for any SAN and Virtualisation deployment)

  • VMware supports VLAN Trunks/tagging of traffic into VLAN’s; make use of it, and use your additional server NIC’s either to increase bandwidth or to improve resilience, rather than dedicating a separate NIC to each VLAN.
  • Use a separate private VLAN for iSCSI/NFS traffic to your SAN/NAS
  • Ensure that all connections are at 1Gb/s +
  • Ideally use a pair of network switches for resilience (or separate cards on a chassis based switch)
  • Try to use dual power supplies, ensure they are on separate power strips, UPS’s
  • Backups – ensure you backup the machines fully.  You could also routinely power down the VM’s and Export them as an OVF Template

Finally

Well hopefully, if you used this as a guide you might have enough info to setup a small scale solution of some description, even just for development and testing as I’ve done or even a solution to start you on the road to virtualisation.  Even if you use it for what Sales people call ‘the low hanging fruit’!

If you want a comparison of some systems that I’ve used for various solutions using VMware ESXi 3.5 and 4.0 then here goes..

Permanent development and testing solution

2 x Dell PowerEdge 1850, P4 Xeon 2.8Ghz, 6Gb RAM (originally had 1-2Gb when I first started running ESXi on them), 2 x 72Gb Disks (no RAID – “eek!”). One server running vSphere 4.0, other running ESXi 3.5. Each will run about 8 VM’s.

1 x Dell PowerEdge 750, P4 2.4Ghz HT, 1.5GB RAM, 2 x 160Gb (Software RAID), Running OpenFiler (32-bit)

Single Server Solution

1 x HP ML110, P4 3.0Ghz HT, 5GB RAM, 2x 500Gb S-ATA HDD, Adaptec RAID controller.  Will also run about 6 VM’s.

RSC Wales External Penetration Testing Service

February 1st, 2010 by Jon Agland

RSC Wales are now able to offer scheduled external penetration testing service to our supported learning providers.

The external penetration testing service can be used to provide a detailed report of your Internet facing systems and services. This report is generated by scanning the external IP addresses and hostnames used by the organisation; the scans are scheduled to occur once a month.

For each system identified, a list of any issues with Internet facing services running on the system is produced. Information is then provided in relation to any known security issues, with information on how to further investigate or to resolve these issues. Where an organisation requires further support, RSC Wales are then able to provide further guidance and advice.

How to register

To register for this service, you will need to provide us with the following information via e-mail to pentest@rsc-wales.ac.uk

1. A list of target IP addresses and hostnames

2. An e-mail address (or addresses) to send the report to.

3. A name for the scan

Further details

The penetration testing service is provided using the Open Source scanner – OpenVAS, and as such we are restricted by the rate at which the OpenVAS software is developed. If you find these reports useful then please consider contributing to the OpenVAS project.

The reports provided will give you an external view of your network in relation to other hosts on the Internet. The scan performed can be affected by security devices such as Firewalls, especially those performing deep packet analysis or rate limiting. If in doubt about a particular system we would recommend using a copy of OpenVAS or the commercial version of Nessus against the system from within the same logical network. You should cross reference that report against any Firewall rules and/or the results of an external port scan.

As the scan commences you will receive an e-mail advising you that the scan has started. This is so that you can be more vigilant of system problems whilst the scan is running. In some cases the scans can (or can appear to) perform a Denial of Service attempt as they test a particular service for a vulnerability, or as the scan places strain on devices performing network security such as Firewalls, Routers with Access-lists or packet inspecting devices. In our testing these issues are rare.

Finally RSC Wales accept no responsibility for any issues caused by the scan, or for the validity or integrity of the report. The service is only provided to raise awareness of the security of Internet facing systems.

Cacti Realtime Plugin

December 4th, 2009 by Jon Agland

I’m a big fan of Cacti – the monitoring tool, although I’ve a small number of the plants too! One of its limitations is that it works on a 1 or 5 minute poller interval, so you get very rounded figures and no sign of the short bursts of traffic, CPU or anything else you happen to be monitoring.

As my colleague Hefin has pointed out here, you can use a tool called “SNMP Traffic Grapher”. However, it’s not something you can use from anywhere; you would in most cases need to be at your desk and on a trusted machine that has SNMP access to the devices concerned. One of the good things about Cacti is that you can (if you want to) use it from anywhere!

So I am pleased to have discovered that there is now a solution for Cacti. It’s called the Realtime Plugin and you need to have something called the Plugin Architecture (PA) installed first. You probably have PA already if you have the Threshold, Monitor or Weathermap plugins installed.

It can be a bit of a bind having to install PA and the plugins, but I’m hoping this will get easier in the future, as according to the Cacti Roadmap PA will be included in the next point release. If you are using the latest CactiEZ you already have everything I’ve mentioned installed!

Back to the Realtime Plugin – Once it’s installed here’s what it looks like;

[Image: Cacti RealTime Graph]

It’s available by using the line graph icon by the side of your Cacti graphs

CactiEZ, Plugin Architecture and the Realtime Plugin can be downloaded from CactiUsers.org

Cacti is available from cacti.net

If not then you can download all of this from CactiUsers.org

Shibboleth – some deployment considerations

November 2nd, 2009 by Jon Agland

This is an update to the advice given at the ITSYSMAN meeting in October.

A few considerations if you’re deploying a Shibboleth entity (Identity or Service Provider) within the next few months.

Forget about Shibboleth 1.3

It goes end of life in June 2010, so concentrate your efforts on Shibboleth 2.0. Those with existing Shib 1.3 installs need to start looking at upgrading their installation.

SSL Certificates for Shibboleth

Important Update – as a result of an announcement from JANET (see this comment), you could apply for a JANET SCS Cert between now and 11th December 2009, and it will still be valid for its full term. However, the following advice is valid should you ever need to change your certificate, and the advice regarding self-signed certificates still stands.

Due to the changes in the JANET SCS, it could be worth hanging back on “go live” with your Shibboleth install until you can get the new certificates (probably from January 2010).

You could go live with an existing JANET SCS cert, but you will need to change it before 6th April 2010 (when all the existing JANET SCS certificates expire). The complexity of the change will depend on whether you just use the certificate for the webserver (Tomcat, Apache or IIS) – which should be fairly simple. But if you use the certificate with Shibboleth itself then this could cause some unavailability of your Shibboleth IdP, whilst the federation metadata is updated and then whilst the service providers obtain that update.

That leads me onto the next piece of advice, which was recommended to those of us on the JANET Shibboleth courses in Llandrindod Wells, by the trainer Rhys Smith from Cardiff University. For your Shibboleth configuration you should use self-signed certificates which should be signed for an extended period (e.g. 10 years).

My advice on self-signed certificates is to make some very careful notes of the process (and the passphrase), and to ensure that the certificates are fully backed up – including backing up the private key file BEFORE signing the certificate request.

You should continue to use the JANET SCS or similar certificates on the webservers concerned (unless you want your users to get some error messages!).

Second Life Voice Chat and Cisco Extended ACL’s

October 21st, 2009 by Jon Agland

A few weeks ago we couldn’t get Second Life Voice Chat working via some ACL’s on a Cisco router.

All the documentation on the web suggests that the only way to do this is to use reflexive ACL’s.  However, as we are using some quite lengthy extended ACL’s , then it wasn’t going to be easy to change those to reflexive  ACL’s.

So why would you need to use these Reflexive ACLs? – well it’s all to do with state or connection tracking, with extended ACL’s you can do TCP state or connection tracking using a rule that accommodates for any return traffic in relation to a connection.  Something like this one..

access-list 110 permit tcp any any established

Unfortunately extended ACL’s don’t allow you to do this for UDP, and as Second Life Voice Chat uses the SIP protocol then it’s difficult without this. The server seems to be hosted by a provider called Vivox, who also provide similar services for some online games like Eve Online; this was useful as documentation seemed to be better than for Second Life. Finally I managed to find the IP Ranges used for Vivox on this page.

The IP ranges are;

  • 64.34.14.0/24
  • 70.42.62.0/24
  • 74.201.98.0/23
  • 64.127.112.104/29
  • 64.127.123.192/26
  • 64.147.162.0/26
  • 64.147.180.128/27

The next step for me was to isolate a PC, on an isolated segment of network, that we knew could run Second Life Voice Chat fine with no ACL’s in place (or with Reflexive ACL’s in place), and then to monitor the traffic using something like Wireshark or tcpdump.  Logging dropped packets on the Cisco router was also very useful,  finally after a lot of testing I came up with some working Access-list rules.

The solution is not particularly elegant, and is a compromise between security and usability. The access-list rules assume that you have already granted (whether locally or via other rules) the necessary access for machines to connect to the Internet (e.g. HTTP, HTTPS, NTP and DNS) and that the access-list has a TCP established line and ends with a default deny line.

Inbound

access-list 101 permit udp 64.34.14.0 0.0.0.255 eq 3478 any range 1024 65535
access-list 101 permit udp 70.42.62.0 0.0.0.255 eq 3478 any range 1024 65535
access-list 101 permit udp 74.201.98.0 0.0.1.255 eq 3478 any range 1024 65535
access-list 101 permit udp 64.127.112.104 0.0.0.7 eq 3478 any range 1024 65535
access-list 101 permit udp 64.127.123.192 0.0.0.63 eq 3478 any range 1024 65535
access-list 101 permit udp 64.127.162.0 0.0.0.63 eq 3478 any range 1024 65535
access-list 101 permit udp 64.147.180.128 0.0.0.31 eq 3478 any range 1024 65535
access-list 101 permit udp 64.34.14.0 0.0.0.255 eq 5062 any range 1024 65535
access-list 101 permit udp 70.42.62.0 0.0.0.255 eq 5062 any range 1024 65535
access-list 101 permit udp 74.201.98.0 0.0.1.255 eq 5062 any range 1024 65535
access-list 101 permit udp 64.127.112.104 0.0.0.7 eq 5062 any range 1024 65535
access-list 101 permit udp 64.127.123.192 0.0.0.63 eq 5062 any range 1024 65535
access-list 101 permit udp 64.127.162.0 0.0.0.63 eq 5062 any range 1024 65535
access-list 101 permit udp 64.147.180.128 0.0.0.31 eq 5062 any range 1024 65535
access-list 101 permit udp 64.34.14.0 0.0.0.255 range 12000 16000 any range 1024 65535
access-list 101 permit udp 70.42.62.0 0.0.0.255 range 12000 16000 any range 1024 65535
access-list 101 permit udp 74.201.98.0 0.0.1.255 range 12000 16000 any range 1024 65535
access-list 101 permit udp 64.127.112.104 0.0.0.7 range 12000 16000 any range 1024 65535
access-list 101 permit udp 64.127.123.192 0.0.0.63 range 12000 16000 any range 1024 65535
access-list 101 permit udp 64.127.162.0 0.0.0.63 range 12000 16000 any range 1024 65535
access-list 101 permit udp 64.147.180.128 0.0.0.31 range 12000 16000 any range 1024 65535
access-list 101 permit udp any eq 12035 any

Outbound

access-list 110 permit udp any any eq 5060
access-list 110 permit udp any any eq 5062
access-list 110 permit udp any any eq 3478
access-list 110 permit udp any any range 12000 16000
access-list 110 permit tcp any any eq 21002
access-list 110 permit tcp any any eq 12043
access-list 110 permit tcp any any eq 12035
access-list 110 permit tcp any any eq 12036
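Hand-typed wildcard masks are easy to get wrong, so it is worth checking the ACL sources against the intended CIDR list mechanically. The script below is an added example, not part of the original post; it parses the source-port-3478 group of the inbound ACL above and compares it with the listed ranges. It reports that the listed 64.147.162.0/26 has no matching rule and that the ACL's 64.127.162.0 0.0.0.63 is not in the list, so one of the two is a typo and should be confirmed against Vivox's published ranges.

```python
import ipaddress
import re

# Ranges exactly as listed in the post.
LISTED_RANGES = [
    "64.34.14.0/24", "70.42.62.0/24", "74.201.98.0/23", "64.127.112.104/29",
    "64.127.123.192/26", "64.147.162.0/26", "64.147.180.128/27",
]

# Inbound rules for source port 3478, copied from the post. The 5062 and
# 12000-16000 groups repeat the same seven source networks.
INBOUND_ACL = """\
access-list 101 permit udp 64.34.14.0 0.0.0.255 eq 3478 any range 1024 65535
access-list 101 permit udp 70.42.62.0 0.0.0.255 eq 3478 any range 1024 65535
access-list 101 permit udp 74.201.98.0 0.0.1.255 eq 3478 any range 1024 65535
access-list 101 permit udp 64.127.112.104 0.0.0.7 eq 3478 any range 1024 65535
access-list 101 permit udp 64.127.123.192 0.0.0.63 eq 3478 any range 1024 65535
access-list 101 permit udp 64.127.162.0 0.0.0.63 eq 3478 any range 1024 65535
access-list 101 permit udp 64.147.180.128 0.0.0.31 eq 3478 any range 1024 65535
"""

# Matches rules whose source is "<address> <wildcard>"; rules with "any" as
# the source are skipped.
ACL_LINE = re.compile(
    r"access-list \d+ permit udp (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) ")


def acl_sources(acl_text):
    """Return the set of source networks named in the ACL text."""
    sources = set()
    for line in acl_text.splitlines():
        match = ACL_LINE.match(line.strip())
        if match:
            address, wildcard = match.groups()
            # ipaddress treats a mask starting with a zero octet as a host
            # (wildcard) mask, and raises ValueError if host bits are set.
            sources.add(ipaddress.ip_network(f"{address}/{wildcard}"))
    return sources


def audit(listed, acl_text):
    """Return (listed but not in ACL, in ACL but not listed) as CIDR strings."""
    wanted = {ipaddress.ip_network(cidr) for cidr in listed}
    present = acl_sources(acl_text)
    return (sorted(str(n) for n in wanted - present),
            sorted(str(n) for n in present - wanted))


def acl_line(cidr, source_ports, acl_id=101):
    """Render one inbound rule in the post's format from a CIDR range."""
    net = ipaddress.ip_network(cidr)
    return (f"access-list {acl_id} permit udp {net.network_address} "
            f"{net.hostmask} {source_ports} any range 1024 65535")


if __name__ == "__main__":
    missing, unexpected = audit(LISTED_RANGES, INBOUND_ACL)
    print("listed but not permitted:", missing)
    print("permitted but not listed:", unexpected)
    print(acl_line("74.201.98.0/23", "eq 3478"))
```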

MySQL Binary Logs

June 19th, 2009 by Jon Agland

This seems to have caught me out a few times recently… The binary logs MySQL generates can be huge, particularly with databases that constantly change, and the default configuration (in Gentoo at least) fails to rotate or expire these logs.

In Gentoo they are stored in /var/lib/mysql, with names like mysqld-bin.000001. In a few instances they have grown to several Gigabytes, which on systems where disk space is at a premium (or where disks have been made deliberately small in Virtual Machines) has caused some systems to unexpectedly run out of disk space.

MySQL Binary Logs are needed for things like replication between MySQL servers (which I suspect many people don’t use) and for the repair of databases. So realistically the most you should need is a few days of these logs, so enough to maybe use your latest backup and use the binary logs to process the transactions that have occurred since then?

The answer to the problem is to put a sensible line like “expire_logs_days = 7” in the [mysqld] section of your MySQL my.cnf file (it’s /etc/mysql/my.cnf in Gentoo).

If the MySQL Binary Logs have consumed all the disk space and you can’t get MySQL restarted, then you can pick some of the older (lower numbered) mysqld-bin.* files out and then restart MySQL.

Update: recently had this issue again – you may need to update mysqld-bin.index (delete the lines referring to the files you’ve deleted) before MySQL will restart successfully.
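The index clean-up described in the update can be scripted so that only entries whose files are really gone get removed, with a backup of the index kept. This is an added example, not part of the original post; it assumes the index holds one log path per line, relative to the data directory, and demo() runs it against constructed files in a temporary directory.

```python
import os
import shutil
import tempfile


def prune_binlog_index(datadir, index_name="mysqld-bin.index"):
    """Drop index entries whose binary log file no longer exists.

    Run only while MySQL is stopped. Returns (kept, dropped) entry lists.
    """
    index_path = os.path.join(datadir, index_name)
    with open(index_path) as handle:
        entries = [line.strip() for line in handle if line.strip()]

    kept, dropped = [], []
    for entry in entries:
        path = entry if os.path.isabs(entry) else os.path.join(datadir, entry)
        (kept if os.path.exists(path) else dropped).append(entry)

    if dropped:
        # Keep the old index, then swap in the new one atomically.
        shutil.copy2(index_path, index_path + ".bak")
        tmp_path = index_path + ".tmp"
        with open(tmp_path, "w") as handle:
            handle.writelines(entry + "\n" for entry in kept)
        shutil.copymode(index_path, tmp_path)
        os.replace(tmp_path, index_path)
    return kept, dropped


def demo():
    """Constructed scenario: logs 000001 and 000002 were deleted by hand."""
    with tempfile.TemporaryDirectory() as datadir:
        for number in (3, 4):
            name = "mysqld-bin.%06d" % number
            open(os.path.join(datadir, name), "wb").close()
        index_path = os.path.join(datadir, "mysqld-bin.index")
        with open(index_path, "w") as handle:
            for number in (1, 2, 3, 4):
                handle.write("./mysqld-bin.%06d\n" % number)

        kept, dropped = prune_binlog_index(datadir)
        with open(index_path) as handle:
            new_index = handle.read()
        backup_exists = os.path.exists(index_path + ".bak")
    return kept, dropped, new_index, backup_exists


if __name__ == "__main__":
    print(demo())
```

The rewritten index is owned by whoever runs the script, so run it as the mysql user or restore ownership before starting MySQL.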

Setting up a Shibboleth IdP on Gentoo Linux

April 20th, 2009 by Jon Agland

At the end of March, I along with a number of techies, attended the Netskills Federation Access Management Training course at Aberystwyth University. Having had a go at setting up Shibboleth in the past against the testshib.org federation and being a bit of a Linux geek.. I wasn’t going to take long to get there, so I thought I would very quickly share my experiences.. I’m not going to go through any of the red tape stuff …… so to get to this stage you will need to have registered with the federation, registered an IdP and obtained the relevant SSL certificate.

With my red tape cut… I followed these and these instructions very loosely, and set about installing the required packages on Gentoo Linux. These required packages were apache and tomcat, so I needed some reasonably sane global USE flags in /etc/make.conf …

USE="tokenizer curl zip bzip2 gd ldap mysql apache2 php xml xpat xpat2 -X -kde -gnome"

There are a few unrequired flags on my “idp” Virtual machine, but this is because I used a template that I usually deploy for Apache/MySQL/PHP applications, so it wasn’t quite as clean as I would like. You definitely need the ldap flag and the “-” ones; some of the rest can probably go.

I also had some less sane options for APACHE2_MODULES again in /etc/make.conf

APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias"

Looking at this, you definitely need the alias, proxy related, rewrite, and include, but I’m sure that a large number of the others could go.  I also had a package USE flag in /etc/portage/package.use

www-servers/tomcat examples

So that your /jsp-examples/ test works…

So at this point you can probably run the command

emerge tomcat apache

I also needed to modify /etc/conf.d/apache2 so that ldap support was turned on, the important line being APACHE2_OPTS

APACHE2_OPTS="-D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -D PROXY -D LDAP -D AUTHNZ_LDAP"

After that it was just a case of getting Shibboleth installed from its tarball; I chose to install it into /opt/shibboleth-idp

I then had to copy the  .jar files from /opt/shibboleth-idp/endorsed into /var/lib/tomcat/common/endorsed, and then that was more or less a working shib just the actual configuration to go…

I won’t give the idp.xml as this guide on the UK Federation site is more than sufficient.

I have however attached some of my other config files (they had all sensitive info search and replaced)

resolver.xml – which is the bit that does all the hard work mapping eduPerson Attributes to your directory. I took the bit for eduPersonAffiliation almost directly from a posting by Michael White (University of Stirling) to the JISC-SHIBBOLETH JISCmail list. You can probably find this info here or by using the JISCmail Archives. I also managed to gain a copy of Swansea University’s resolver.xml file from Alex, who looks after the University’s Shibboleth IdP’s, which was very useful to compare against and get me started.

When I was checking some of the LDAP related syntax, I stumbled across this Sample Guide to Configuration Files by Chris Simpson at Swansea College, which I found very useful.

arp.site.xml – this is the Attribute Release Policy. This one is really insecure as it releases loads of info to everyone, but it will be useful for testing and creating your own more secure policy. Sorry to the RSC team whose details will be released to the resource if they ever choose “JISC RSC Wales” from a UK Federation page…

shib-apache.conf – this is basically all the lines I needed to add to Apache to act as a proxy, so that we can gain access to tomcat via /shibboleth-idp and so that users are authenticated against Active Directory via LDAP.

Now time keeping, if you install on VMware then remember to install the VMware tools and make sure that they are working/running, and that the Physical Host is synchronised with a time server.  If installing on a physical box remember to install NTP!  If you notice that everything seems to work, and you then get “Session Error” double check the time is correct on the IdP server.

That’s it for now; if you’re deploying Shibboleth then let me know how you’re getting on…. In the meantime I’ll try and get some sensible instructions written up, and maybe even a Virtual Appliance..!

Next big step will be to get Shibboleth Service Provider working with Moodle.

Synchronised File Storage with iFolder

April 6th, 2009 by Jon Agland

A few months ago I spent a little bit of time setting up iFolder, primarily to deal with the team’s requirements for backed up File Storage – many of the RSC Wales team are laptop users. With many solutions there is the struggle of remembering to upload files and remembering which computer you saved that particular file on. The beauty of iFolder is that its client synchronises your files with your iFolder server, and therefore all your other computers.

So once I had installed the client on my work PC (Linux), Laptop (Vista) and Home PC (XP), I could simply save my files in one of my designated “iFolders” and it would auto synchronise them. You also don’t need to have all folders synchronised on all PC’s, and you can still upload and download files via the web interface provided, e.g. if you’re using someone else’s computer.

iFolder is a Novell product (part of Open Enterprise Server 2.0) but is also available as Open Source from http://www.ifolder.com.  We’ve been running  iFolder 3.6 for about 6 months, but it was difficult to find the very latest packages for, and there were some issues with using the client on Windows Vista.  With iFolder 3.6 having been released some 12 months before, and a general lack of activity on the iFolder site, I was rather concerned that if I wanted to upgrade I would need to move to OES2.0 and potentially pay for the privilege (I say potentially because Swansea University are covered under a Novell site license).

The excellent news is that Novell have recently announced that iFolder 3.7 has been released as OpenSource and is now available at http://www.ifolder.com (which has been redesigned).  I shall definitely be trying this one out and probably upgrading our system to 3.7 as a result, so watch this space…
