January 2016 - luv-main

more about server migration
by Russell Coker 25 Feb '16

25 Feb '16

As mentioned in a previous message (which many people on the list probably didn't get) I've just moved the LUV server to a VM in Germany courtesy of Paul Menzel who pays the rent on the physical hardware. We had a few problems along the way with DNS records not updating when I wanted them to and with the wrong IP address being used for outbound mail - which caused some servers to correctly reject mail on the basis of bad SPF. DNS is now correct and has been correct for long enough that I expect most systems won't have old addresses cached any more (Google DNS has had the new values for a while). Andrew has started the process of gaining control over the DNS (which is registered in the names of people who haven't been committee members for a long time). We need to get that done before VPAC turns things off. My current plan is to use 2 servers that I run for LUV DNS secondaries. I've been a LUV member for 20 years and both the servers in question have been running for that long (one of them hasn't even changed it's IP address). I think that will give some assurance that things will keep working. As an aside if anyone knows how to contact the people running russell.linux.org.au and the creativecontingencies.com DNS servers about changing the entries for LUV then please let me know off-list. When running at VPAC the watchdog table in the Drupal database took up 20G of disk space and as it was in the ibdata1 file there was no good option for freeing the space even after deleting most rows. As part of the migration to the new server I dumped all MySQL databases and imported them. That solved the disk space problem and as I now have MySQL configured for a file per InnoDB table I will always be able to OPTIMIZE TABLE if I have that happen again. echo "delete from watchdog where timestamp < unix_timestamp() - 604800;" | mysql luv_drupal The above command is in a cron job to delete the old entries from the watchdog table. It would be good if we could fix the Drupal problem that's causing those entries (but I don't know how to do it or have time to learn). It would also be good if we could configure Drupal to not store millions of rows in that table (it's supposed to automatically delete old rows but doesn't). Assistance from Drupal experts is welcome. One thing I want to do is to convert the server to BTRFS. BTRFS snapshots is the best way of backing things up. Going forward I want to have much better backups of the server. The fact that I can't visit the server room any more makes them much more important as does the fact that data is crossing jurisdictions. I will resend this message tomorrow to make sure everyone gets it. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

2 1

SSL configuration
by Russell Coker 04 Feb '16

04 Feb '16

https://www.decadent.org.uk/ben/blog/securing-wwwdecadentorguk.html I read the above blog post. https://www.ssllabs.com/ssltest/ I tested the LUV web site with the above URL and got A-. https://blog.qualys.com/ssllabs/2013/08/05/configuring-apache-nginx-and- openssl-for-forward-secrecy I followed the advice at the above URL and got B! https://blog.qualys.com/ssllabs/2013/03/19/rc4-in-tls-is-broken-now-what From the comments on the above blog post it seems that the only way to have PFS and not be vulnerable to other issues is to require TLS 1.2. The browser that is built in to Android (which is going to be a long-term issue as some people will use it until their phone breaks) only supports TLS 1.2 in Android 5.0 and above. The Samsung Galaxy Note 2 is currently not supported for Android 5.0 while the Galaxy Note 3 is. The Note 2 is still quite a decent phone. https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_brows… The above page has TLS/SSL support of various browsers. If we require TLS 1.2 we exclude: The default Android browser before Android 5.0. Admittedly that browser always sucked badly and probably has lots of other security issues. Chrome versions before 30 didn't support it. But version 30 was released in 2013 and Google does a good job of forcing upgrades. A Debian/Wheezy system I run is now displaying warnings from the google-chrome package saying that Wheezy is too old and won't be supported for long! Firefox before version 27 didn't support it (the Wikipedia page is unclear about versions 27-31). 27 was released in 2014. Debian/Wheezy has version 38, Debian/Squeeze has Iceweasel 3.5.16 which doesn't support it. Would it be reasonable to assume that anyone who's still using Squeeze is using it for a server? IE version 11 supports it and runs on Windows 7+ (all supported versions of Windows). IE 10 doesn't support it and runs on Windows 7 and Windows 8. Are the free upgrades from Windows 7 to Windows 10 going to solve this problem? Windows mobile doesn't have enough users to care about. Opera supports it from version 17. This is noteworthy because Opera used to be good for devices running older versions of Android that aren't supported by Chrome. Safari supported it from iOS version 5, I think that's a solved problem there. Is breaking support for Debian/Squeeze, the built in Android browser on Android <5.0, and Windows 7 and 8 systems that haven't upgraded IE as a web browsing platform a reasonable trade-off for implementing the best SSL security features? For the LUV server as a stand-alone issue the answer would be no as the only really secret data there is accessed via ssh. For a general web infrastructure issue it seems that the answer might be yes. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

11 22

firmware malware: DVD; ?motherboard?
by Douglas Ray 03 Feb '16

03 Feb '16

We have a PC with firmware malware on - at least - both DVDs. I don't know if it's worth recovering the system, but I definitely want to find diagnostics for identifying infections and vectors on the rest of the LAN. Booting a DVD live-image of ubuntu, invocations of firefox are intercepted and come up as "JON recovery system" or some such. The attack vector may have been the old XP system on the harddrive, but equally it may have been one of the ubuntu images. It is a medion PC, article number 10002328, and there are firmware updates at the manufacturer. I'm unsure how to securely install, given that the DVDs are compromised, and I have no way to verify the cardreader or motherboard BIOS or harddrive. (I could map/update the bootsector of the harddrive, but I haven't checked what may be available to work with the firmware.) Would putting the infected DVD drives on another system, sans media, risk infecting the new system? Conversely, let's say I swap in a new DVD drive and boot a putatively clean DVD - if the BIOS is corrupted do I risk just re-infecting the new DVD drive? Merry Christmas to all Douglas Ray

6 8

Thunderbolt
by Russell Coker 31 Jan '16

31 Jan '16

https://en.wikipedia.org/wiki/Thunderbolt_(interface) Apple's Thunderbolt uses the same connectors as MiniDisplayPort and USB-C. Is that going to matter to us? Are there going to be situations in which things can physically connect but not be able to talk to each other? -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

2 1

Lets Encrypt
by Russell Coker 30 Jan '16

30 Jan '16

I've just installed a new free SSL from letsencrypt. We have paid for a SSL key but seem to have lost the private key. http://etbe.coker.com.au/2016/01/27/using-letsencrypt/ Above is a blog post I wrote about Lets Encrypt. Now I have configured the luv server to redirect all web traffic to https (let me know if that breaks anything) and to use a valid key for SMTP TLS. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

5 9

Postfix Virtual Users Transport
by Fraser McGlinn 28 Jan '16

28 Jan '16

Hi Guys, I’ve got a domain where i’ve the main hosting for the domain somewhere else (not controlled by me) and then the some users hosted locally. What i’m having issues with is getting the mail from my server to send upstream if it can’t find a user locally. What i’ve got so far: alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases append_dot_mydomain = no biff = no config_directory = /etc/postfix inet_interfaces = all mailbox_size_limit = 0 message_size_limit = 256000000 milter_connect_macros = j {daemon_name} v {if_name} _ milter_default_action = accept mydestination = frodo.iama.geek.nz <http://frodo.iama.geek.nz/>, localhost myhostname = frodo.iama.geek.nz <http://frodo.iama.geek.nz/> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 myorigin = /etc/mailname non_smtpd_milters = $smtpd_milters readme_directory = no recipient_delimiter = + relayhost = smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) smtpd_milters = unix:/spamass/spamass.sock unix:/clamav/clamav-milter.ctl smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unverified_recipient smtpd_sasl_auth_enable = yes smtpd_sasl_path = private/auth smtpd_sasl_type = dovecot smtpd_tls_cert_file = /etc/ssl/self-sign-star.iama.geek.nz.crt smtpd_tls_key_file = /etc/ssl/self-sign-star.iama.geek.nz.key smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_use_tls = yes tls_random_source = dev:/dev/urandom transport_maps = proxy:mysql:/etc/postfix/mysql-virtual-transport-maps.cf virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf virtual_transport = lmtp:unix:private/dovecot-lmtp With the following in my virtual transport table +----+--------------------+------------------------------------+ | id | source | destination | +----+--------------------+------------------------------------+ | 1 | example.com | smtp:[aspmx.l.google.com <http://aspmx.l.google.com/>] | | 2 | .example.com | smtp:[aspmx.l.google.com <http://aspmx.l.google.com/>] | | 3 | fraser(a)example.com | lmtp:unix:private/dovecot-lmtp | +----+--------------------+------------------------------------+ What I get when i try and email an email on the upstream server is Recipient address rejected: User unknown in virtual mailbox table Does anyone have any ideas on how to resolve this? It doesn’t seem to matter if I have virtual_transport set or not and do it all manually. Cheers, Fraser

2 1

How do I process a large xml file?
by h 27 Jan '16

27 Jan '16

Hi, I am a hobbyist. I have written a style sheet (xslt) which I want to use to process an xml file. I have run some tests, using xsltproc, on a sample xml and it all works well. The xml file I am wanting to process is 650 GB in size. When I run the xsltproc command the response is "Killed". I had hoped that xsltproc would step through the xml file, creating output as it goes. This does not seem to be the case. I am running Mageia x64. I have added a 1T disk to the system and set it as a swap partition. Does anyone know of an xml parser that will work with "limited" memory? - or a method by which I can apply the style sheet. I have experience with C, and if all else fails will write a C program to do what I want the style sheet to do, but I would rather get the style sheet working. Any advice appreciated. Hugh

3 2

special beginners meeting
by Russell Coker 27 Jan '16

27 Jan '16

I've publicised the meeting on Saturday to LCA delegates, so we may get a larger attendance than usual. Also I've suggested meeting for dinner after the meeting, it's not something we usually do but will probably be of interest to people who have visited Australia for LCA. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

2 1

Outlook.com "Smart screen" - SMTP traffic does not arrive.
by Piers Rowan 26 Jan '16

26 Jan '16

Has anyone had success in getting an new IP past the Smart screen content filter? MS support keep sending me canned responses. No messages arrive in the @outlook.com account Here is a manual try: -sh-4.2$ telnet mx1.hotmail.com 25 Trying 65.55.92.168... Connected to mx1.hotmail.com. Escape character is '^]'. 220 SNT004-MC3F13.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.microsoft.com/en-us/anti-spam.mspx. Mon, 25 Jan 2016 20:29:51 -0800 HELO bne.recruitonline.com.au 250 SNT004-MC3F13.hotmail.com (3.21.0.230) Hello [103.16.128.141] MAIL FROM: piers(a)r.id.au 250 piers@r.id.au....Sender OK RCPT TO: piers(a)outlook.com 250 piers(a)outlook.com DATA 354 Start mail input; end with <CRLF>.<CRLF> Testing . 250 <SNT004-MC3F13p7mvjk000d0d99(a)SNT004-MC3F13.hotmail.com> Queued mail for delivery QUIT 221 SNT004-MC3F13.hotmail.com Service closing transmission channel Connection closed by foreign host. And here is a log snippet: Jan 26 15:25:55 bne postfix/smtpd[15845]: 6F53D18344: client=localhost[::1] Jan 26 15:25:55 bne postfix/cleanup[15848]: 6F53D18344: message-id=<20160126042555.6F53D18344(a)bne.recruitonline.com.au> Jan 26 15:25:55 bne postfix/qmgr[15722]: 6F53D18344: from=<support(a)recruitonline.com.au>, size=6837, nrcpt=1 (queue active) Jan 26 15:25:55 bne postfix/smtpd[15845]: disconnect from localhost[::1] Jan 26 15:25:57 bne postfix/smtp[15849]: 6F53D18344: to=<piers(a)outlook.com>, relay=mx3.hotmail.com[207.46.8.167]:25, delay=1.9, delays=0.04/0.01/0.49/1.3, dsn=2.0.0, status=sent (250<20160126042555.6F53D18344(a)bne.recruitonline.com.au> Queued mail for delivery) Jan 26 15:25:57 bne postfix/qmgr[15722]: 6F53D18344: removed I can't see anything in the MTA queue. Thanks for your help Cheers Piers

1 0

DNSSec configuration
by Jason White 25 Jan '16

25 Jan '16

Hello Luv members, I've recently added DNSSec signatures to my domain (jasonjgw.net) and supplied the key to my DNS registrar, gandi.net. Unfortunately, my ISP's name servers, which perform DNSSec validation, now return a SERVFAIL (indicating a validation failure) when I look up the domain. Google's public servers succeed, however, as DNSSec Analyzer appears to do: http://dnssec-debugger.verisignlabs.com/ The primary DNS server is running Bind 9 and I essentially followed the instructions here: https://nocko.se/2012/03/21/dnssec-quickly-and-correctly/ Is there anything that seems amiss? I have friends who are contemplating following in my footsteps with their own domains, thus anything we work out here should be helpful to them also.

4 6