E-Mail Certificate updated

We have a new SSL/TLS certificate as of 12 August 2019.  Some users are having problems accessing the mail server, so here is a reminder of the settings needed:

The server both for sending and for receiving mail is mail.oa5.com. This is constant regardless of your own domain, and is a change from our old policy of asking you to connect to a name within your own namespace, i.e. smtp.example.com or imaps.example.com.

Your username is your complete email address, e.g. user@example.com.

You have been sent a password which was created with your email account. As you are connecting over a secure encrypted link, you can use plain or password authentication.

The incoming port to read mail is 993, which uses the secure IMAP (IMAPS) protocol.

The submission port for sending mail is 465, which again uses a secure connection. If your settings have a check box for SSL/TLS you need to check it when configuring both sending and receiving mail.

A reminder — if you create an archive folder on the server, the space used is still part of your quota; if you need to move messages to make space then it has to be somewhere other than on the server.

Checking your settings on an iPhone / iPad

iPhone screenshot

Settings > Passwords & Accounts > Select account

Screenshot 2

Top half of account screen
Scroll down and touch the hostname on the SMTP line.


Screenshot 3

Touch the primary server line.


Screenshot 4

Check the port settings, then touch top left twice (Cancel, Account).

You are now back at the main account screen; touch Advanced at the bottom of the screen.

Screenshot 5

There is an error in these settings — the Deleted Mailbox should be Trash. Update this.

The bottom half of the screen should be like this:

After fixing Deleted Mail box

The Trash Mailbox has a separate quota to allow you to delete mail even when your mailbox is full.

We’re leaving Hertfordshire

After 34 years in East Herts, 28 of them in Much Hadham, we’re moving on 6/7th June 2016 to Milnathort on the outskirts of Kinross. Our new address will be:

The Old Church
22/24 Church Street
KY13 9XH

The servers are remaining in the hosting centre for now.

Trading connectivity and convention for address space

Copyright © 2005 Andrew Macpherson. Redistribution permitted under the GNU Creative Commons Licence.

Maximising address space by shunning one’s neighbours

Andrew Macpherson

Today’s SOHO ADSL customer typically buys a small block of 8 fixed IP addresses which, after deduction of two broadcast values and a gateway address, leaves 5 usable addresses for their equipment.

None of these three deducted addresses should be accessible from the Internet at large, unless the gateway address is used on both the LAN and WAN interfaces (unusual). Additionally, hosting centre customers will sometimes find themselves with blocks that cannot simply be joined by shifting their netmask by one bit, implying a duplication of the overhead.

This article will explore ways of losing the overhead, and discuss the consequences.

Address allocation to network customers

Address space is given to end customers in two models, which can be characterised as hub vs firewall, or N vs N+1. In the hub case the N addresses will be just that — N addresses within a larger address space, quite possibly assigned completely at random. The random assignment is particularly true of some cable operators.

With the firewall or N+1 model the address assignment matches conventional routed subnets: the N addresses are contiguous, while the 1 is the Red interface of the firewall, and will definitely be assigned on the hub model.

Switch / Hub customers

Where each host plugs directly into a larger network, each must act as its own firewall. The broadcast address will be that for the whole subnetwork, and no address space is wasted. The interface hub will simply forward most packets to the service provider’s LAN, though local inter-host packets may stay within the hub or switch. Many service providers use this model; it is the only model for single-address USB broadband modems, and it is in common use for multi-address cable modems.

Routed Customers

RFC 1219 (q.v.), “On the assignment of subnet numbers”, is unfortunately much neglected by hosting centres and those assigning static blocks on the N+1 model to ADSL/leased line customers. This scheme would allocate starting addresses for allocation chunks thus:

00000000
10000000
01000000
11000000
00100000
10100000
01100000
11100000
. . .
11111000

in a form of reverse binary counting, where the leftmost bit of the final octet is the least significant bit and the rightmost the most significant. It maximises the space that an assigned block can be expanded to fill for as long as possible while the bigger block is being split up.

If the simple guidelines in this standard were followed for the starting addresses of the assigned blocks, then it would be easy to accommodate any rapid initial growth of customers’ address-space requirements with an easy netmask change. Of course, once the space is fully allocated the problems are as bad as if the procedure had never been followed.

So what usually happens? The technician delegating address space simply starts at the bottom of their allocated space and hands it out in their normal n-address chunks, typically 8 addresses for broadband, and 16 or 32 for hosting centres. We will consider an 8 address block for most of the rest of this article:

Network
Gateway
Host 1
Host 2
Host 3
Host 4
Host 5
Broadcast address

This block has an associated netmask of, when we do a bitwise NOT of the netmask and bitwise OR that with the network address, we get the broadcast address. The total effect is that 3 addresses, 38% of the address space you are paying for, are lost to overhead and unusable for your machines.
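The reverse-binary allocation order described under “Routed Customers” and the overhead arithmetic for a small block, as an added worked example (not code from the paper). It bit-reverses a counter to produce the RFC 1219 starting offsets, compares how much room a customer keeps to grow under that order versus bottom-up allocation, and computes the three-address overhead of a conventional block. The addresses 192.0.2.8/29 and 192.0.2.0/27 are constructed from the documentation range and are not from the paper.

```python
"""Added example (not from the paper): RFC 1219 'reverse binary' allocation
order for /29 chunks inside a /24, the growth room each customer keeps under
that order versus bottom-up allocation, and the overhead of a small block.
All addresses are constructed from the 192.0.2.0/24 documentation range."""
import ipaddress


def reverse_binary_starts(count: int = 32, bits: int = 8) -> list[int]:
    """Starting offsets of the first `count` chunks in RFC 1219 order.
    Count upward in ordinary binary, but read the octet with its leftmost
    bit as the least significant bit, i.e. bit-reverse the counter:
    0, 128, 64, 192, 32, 160, 96, 224, 16, ... and finally 11111000 = 248."""
    return [int(f"{n:0{bits}b}"[::-1], 2) for n in range(count)]


def sequential_starts(count: int = 32, chunk: int = 8) -> list[int]:
    """What usually happens: hand chunks out from the bottom upward."""
    return [n * chunk for n in range(count)]


def growth_room(allocated: list[int], mine: int, chunk: int = 8, space: int = 256) -> int:
    """Largest aligned power-of-two block (in addresses) that the chunk at
    offset `mine` could grow into by changing its netmask, without colliding
    with any other allocated chunk. `allocated` holds chunk start offsets."""
    others = [a for a in allocated if a != mine]
    size = chunk
    while size * 2 <= space:
        bigger = size * 2
        base = mine - (mine % bigger)          # aligned start of the candidate block
        if any(base <= a < base + bigger for a in others):
            break                               # a neighbour already sits inside it
        size = bigger
    return size


def block_overhead(cidr: str) -> tuple[int, float]:
    """Usable host addresses in a block after deducting the network ('zeros')
    address, the broadcast ('ones') address and one gateway, plus the fraction
    of the paid-for block that this overhead represents."""
    net = ipaddress.ip_network(cidr)
    usable = net.num_addresses - 3
    return usable, 3 / net.num_addresses


if __name__ == "__main__":
    rfc = reverse_binary_starts()
    seq = sequential_starts()
    print("RFC 1219 order:", rfc[:8], "...", rfc[-1])
    for start in rfc[:8]:
        print(f"  RFC 1219 chunk at .{start:<3} can grow to {growth_room(rfc[:8], start)} addresses")
    for start in seq[:8]:
        print(f"  bottom-up chunk at .{start:<3} can grow to {growth_room(seq[:8], start)} addresses")
    for cidr in ("192.0.2.8/29", "192.0.2.0/27"):
        usable, frac = block_overhead(cidr)
        print(f"{cidr}: {usable} usable, {frac:.1%} overhead")
```

With eight customers on a /24, every RFC 1219 chunk can still grow to 32 addresses by a netmask change, while bottom-up chunks are boxed in at 8; once all 32 chunks are handed out the room is 8 either way, which is the “once the space is allocated” caveat above. The overhead figures are the 3 in 8 (38%) of the article’s example and the under-10% of a 32-address block.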

So what about this overhead?

Let’s start with something that may surprise you. All these “overhead” addresses are just host addresses as far as most of the internet is concerned. They have no special meaning — nothing tells the internet that these are broadcast addresses, gateways or sub-networks.

That’s right — if we can remove their special local meaning these addresses can be used for more hosts — just like you thought you would be able to!

Yes, but don’t we need broadcast addresses?

Yes we need a broadcast address locally, but there is no legitimate reason for all the Internet at large to be able to talk to it. Also the first address in the block, sometimes known as the “zeros” broadcast is not actually used except inside routing tables to identify the sub-network. It may or may not be usable depending on what equipment your ISP is using to talk to you — but outside your ISP it is definitely just another host address.

Ok but what about my firewall?

Well you have to be able to address it, but the world out there does not need to be able to talk to the inside address of your firewall — you’ve already exposed the WAN port for them to attack. That’s enough! If you move that address outside the visible range you have space for another server.

Ok I want to have more addresses, what do I do?

Poor artists copy, great artists steal. — Salvador Dali

Steal some extra address space for internal use. The stolen space is something you can only look at in private (like stolen art), and you will not be able to access the systems which legitimately have those addresses, so if the WAN-side gateway falls into the range you are going to steal, forget it; likewise other WAN-side services. In general, though, you will only be cutting off your neighbours. In Britain those neighbours might well be at the other end of the country because of the way traffic is tunnelled by BT to your ISP. The odds are you would never want to talk to their servers anyway.

To steal addresses you need to shift your netmask until there is address space both before and after the routable block you have been assigned. In our example our block starts at, and the netmask is If we shift the netmask by one bit to then the address block will start at but still finish at, so we need to move the netmask by 2 bits to Now we are declaring our internal network to comprise 32 addresses to, though we still only have the original 8 routable addresses.

There have been some side effects though — the zeros broadcast address has become the unroutable and the ones broadcast — again outside the routable block, freeing 2 addresses for you to put hosts on.

And don’t forget that you can get an extra address by moving your firewall’s internal gateway address out of the routable block as well — in our example might be a good address, as it is a “broadcast address” when allocated by your ISP

None of the addresses we’ve subverted will be used by anyone with a conventional configuration; they’re all broadcast or network addresses. If you’re really concerned you can put explicit routes into your kernel for the other hosts in the blocks you’ve taken over as local.

Finally, if you have a managed hub, this again is something that you should keep outside the publicly visible address space; but if you have remote-control power switches, remember that the switch that controls your firewall has to have an accessible address outside the firewalled block.

Configuring iptables on a Linux Firewall/Router

We need to confine the forwarded traffic to the address range that we have been allocated, and prevent any of our usurped address space from leaking. I’ll assume that you have other filtering to do in your iptables FORWARD chain, but all you need is:

iptables -I FORWARD -p all -i $Red -o $Green -d ! -j DROP

iptables -I FORWARD -p all -i $Green -o $Red -s ! -j DROP

where Red and Green are the obvious network interfaces.
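The netmask-shifting calculation from “Ok I want to have more addresses, what do I do?” and the two FORWARD rules above, carried through as an added worked example (not the paper’s own code). It widens the internal netmask one bit at a time until the block’s zeros and ones addresses are both strictly inside the internal network, lists the addresses freed and the “broadcast address” candidates for the firewall’s inside address, counts the neighbours cut off (the .255 edge condition discussed later shows up as a large count), and emits the iptables rules for the block. The routable block 192.0.2.8/29 is constructed from the documentation range, and the interface names eth0 (Red) and eth1 (Green) are assumptions.

```python
"""Added example (not from the paper): the netmask-shifting calculation and
the two iptables FORWARD rules, generated from a routable block.
The routable block 192.0.2.8/29 is constructed from the documentation range;
the interface names eth0 (Red/WAN) and eth1 (Green/LAN) are assumptions."""
import ipaddress

IPv4Network = ipaddress.IPv4Network


def extend_netmask(routable: str) -> IPv4Network:
    """Shorten the prefix one bit at a time until both the 'zeros' (network)
    and 'ones' (broadcast) addresses of the routable block fall strictly
    inside the enlarged internal network, so that both become ordinary host
    addresses. For a /29 at offset 8 this takes two bits (/29 -> /27)."""
    block = ipaddress.ip_network(routable)
    internal = block
    while (internal.network_address == block.network_address
           or internal.broadcast_address == block.broadcast_address):
        if internal.prefixlen == 0:
            raise ValueError(f"{routable} cannot be enclosed")
        internal = internal.supernet(prefixlen_diff=1)
    return internal


def freed_addresses(routable: str) -> list[str]:
    """The two addresses in the routable block that stop being special."""
    block = ipaddress.ip_network(routable)
    return [str(block.network_address), str(block.broadcast_address)]


def gateway_candidates(routable: str) -> list[str]:
    """Addresses inside the internal network but outside the routable block
    that are the network or broadcast address of a neighbour's conventionally
    allocated chunk of the same size; nobody with a conventional configuration
    uses them as hosts, so they suit the firewall's inside (Green) address."""
    block = ipaddress.ip_network(routable)
    internal = extend_netmask(routable)
    found = []
    for chunk in internal.subnets(new_prefix=block.prefixlen):
        if chunk == block:
            continue
        found += [str(chunk.network_address), str(chunk.broadcast_address)]
    return found


def neighbours_cut_off(routable: str) -> int:
    """How many other people's addresses become unreachable; for a block
    ending in .255 this grows to two Class C networks' worth."""
    block = ipaddress.ip_network(routable)
    return extend_netmask(routable).num_addresses - block.num_addresses


def iptables_rules(routable: str, red: str = "eth0", green: str = "eth1") -> list[str]:
    """The two FORWARD rules: drop anything arriving from the WAN that is not
    for our routable block, and drop anything leaving that does not carry a
    source address from it, so the stolen space never leaks."""
    block = ipaddress.ip_network(routable)
    return [
        f"iptables -I FORWARD -i {red} -o {green} ! -d {block} -j DROP",
        f"iptables -I FORWARD -i {green} -o {red} ! -s {block} -j DROP",
    ]


if __name__ == "__main__":
    for routable in ("192.0.2.8/29", "192.0.2.248/29"):
        internal = extend_netmask(routable)
        print(f"{routable}: internal net {internal} ({internal.num_addresses} addresses), "
              f"freed {freed_addresses(routable)}, "
              f"gateway candidates {gateway_candidates(routable)[:4]} ..., "
              f"{neighbours_cut_off(routable)} neighbour addresses cut off")
    print("\n".join(iptables_rules("192.0.2.8/29")))
```

For 192.0.2.8/29 the internal network becomes 192.0.2.0/27: .8 and .15 turn into host addresses, .0/.7/.16/.23/.24/.31 are the neighbours’ zeros and ones addresses that suit the inside gateway, and 24 neighbouring addresses are cut off. For a block ending in .255 the same loop has to reach a /23 and cuts off 504 addresses, which is the edge condition where the gain of one host is not worth it. The rules use the current `! -d` / `! -s` negation syntax rather than the older `-d !` form shown above.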

Is it worth the bother?

Well let’s keep things in proportion… When one is dealing with very small address blocks (4, 8, 16 addresses) the overhead of 3 lost addresses is high. By the time the address block is 32 wide, the loss is under 10% and may be considered acceptable.

There are “edge conditions” where you might think twice — for instance if your block had ended with a 255 you might consider taking an internal netmask of — two Class C networks’ worth of address space cuts off too many neighbours to be reasonable for the gain of 1 host address.

Where the technique is particularly useful is where one wishes to join 2 small blocks of public address space that are adjacent but not immediately suitable for a simple bit shift in netmask. Here, instead of for instance 2 lots of 5 usable addresses, one can gain 6 further addresses. For example, if the initial address block we had, 8--15, were added to with the block 16--24, we could use the same extended subnet as in the example above, and might want to set the gateway to or

Finally — a disturbing thought — ISPs could use this method to give their customers blocks of four addresses, and thus almost double their address space utilisation; but for the ISP it’s easier to use hub allocation and make it difficult for the customer to install firewalls than to man a help desk to explain what’s in this paper.


This paper was first presented at the UKUUG 2005 Spring Convention