As mentioned in a previous message (which many people on the list probably
didn't get) I've just moved the LUV server to a VM in Germany courtesy of Paul
Menzel who pays the rent on the physical hardware.
We had a few problems along the way with DNS records not updating when I
wanted them to and with the wrong IP address being used for outbound mail -
which caused some servers to correctly reject mail on the basis of bad SPF.
DNS is now correct and has been correct for long enough that I expect most
systems won't have old addresses cached any more (Google DNS has had the new
values for a while).
Andrew has started the process of gaining control over the DNS (which is
registered in the names of people who haven't been committee members for a
long time). We need to get that done before VPAC turns things off. My current
plan is to use 2 servers that I run for LUV DNS secondaries. I've been a LUV
member for 20 years and both the servers in question have been running for
that long (one of them hasn't even changed its IP address). I think that
will give some assurance that things will keep working.
As an aside if anyone knows how to contact the people running
russell.linux.org.au and the creativecontingencies.com DNS servers about
changing the entries for LUV then please let me know off-list.
When running at VPAC the watchdog table in the Drupal database took up 20G of
disk space and as it was in the ibdata1 file there was no good option for
freeing the space even after deleting most rows. As part of the migration to
the new server I dumped all MySQL databases and imported them. That solved
the disk space problem and as I now have MySQL configured for a file per InnoDB
table I will always be able to OPTIMIZE TABLE if I have that happen again.
echo "delete from watchdog where timestamp < unix_timestamp() - 604800;" | mysql luv_drupal
The above command is in a cron job to delete the old entries from the watchdog
table. It would be good if we could fix the Drupal problem that's causing
those entries (but I don't know how to do it or have time to learn). It would
also be good if we could configure Drupal to not store millions of rows in that
table (it's supposed to automatically delete old rows but doesn't).
Assistance from Drupal experts is welcome.
One thing I want to do is to convert the server to BTRFS. BTRFS snapshots are
the best way of backing things up. Going forward I want to have much better
backups of the server. The fact that I can't visit the server room any more
makes them much more important as does the fact that data is crossing
jurisdictions.
I will resend this message tomorrow to make sure everyone gets it.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
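The SPF rejections described above happen when the address a host actually sends from is not one the domain's SPF record lists. The check below is an added example (not code from the original message or from LUV's setup): a minimal offline evaluator for the literal ip4:/ip6:/all terms of an SPF record, so the new server's outbound address can be compared against the published record before the cutover. It does not resolve include:, a: or mx: terms (those need DNS) and reports "needs-dns" if it reaches one before a match; the record and IP addresses in the tests are constructed, not LUV's.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Mechanisms that require DNS lookups. This offline checker stops when it reaches
# one before finding a match rather than guessing at the result.
DNS_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}


def spf_result(record: str, sending_ip: str) -> str:
    """Evaluate the literal ip4:/ip6:/all terms of an SPF record against one IP.

    Returns the SPF result ("pass", "fail", "softfail", "neutral"), or
    "needs-dns" if a DNS-dependent term is reached before any match.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    addr = ipaddress.ip_address(sending_ip)

    for term in terms[1:]:
        qualifier = "+"                       # RFC 7208: default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":", 1)[0]:      # modifier (exp=, redirect=), not a mechanism
            if term.lower().startswith("redirect="):
                return "needs-dns"
            continue
        name, _, arg = term.partition(":")    # partition keeps IPv6 colons in arg
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)   # "ip4:203.0.113.10" -> /32
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
            continue
        if name.split("/")[0] in DNS_MECHANISMS:
            return "needs-dns"
        raise ValueError("unknown SPF term: %r" % term)
    return "neutral"                          # no match and no "all": neutral


def check_hosts(record: str, candidate_ips) -> dict:
    """Verdict for each address a migrated server might send from (pre-cutover check)."""
    return {ip: spf_result(record, ip) for ip in candidate_ips}


if __name__ == "__main__":
    # Constructed record: only the old server's address is authorised.
    OLD_RECORD = "v=spf1 ip4:203.0.113.10 ip6:2001:db8::10 -all"
    for ip, verdict in check_hosts(OLD_RECORD, ["203.0.113.10", "198.51.100.5"]).items():
        print(ip, verdict)
```

A "fail" for the new address with a "-all" record is exactly what a strict receiver turns into a rejection; the record has to be updated (and the old TTL has to expire at remote resolvers) before mail is routed out of the new host.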
https://www.decadent.org.uk/ben/blog/securing-wwwdecadentorguk.html
I read the above blog post.
https://www.ssllabs.com/ssltest/
I tested the LUV web site with the above URL and got A-.
https://blog.qualys.com/ssllabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
I followed the advice at the above URL and got B!
https://blog.qualys.com/ssllabs/2013/03/19/rc4-in-tls-is-broken-now-what
From the comments on the above blog post it seems that the only way to have
PFS and not be vulnerable to other issues is to require TLS 1.2.
The browser that is built in to Android (which is going to be a long-term
issue as some people will use it until their phone breaks) only supports TLS
1.2 in Android 5.0 and above. The Samsung Galaxy Note 2 is currently not
supported for Android 5.0 while the Galaxy Note 3 is. The Note 2 is still
quite a decent phone.
https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_brows…
The above page has TLS/SSL support of various browsers. If we require TLS 1.2
we exclude:
The default Android browser before Android 5.0. Admittedly that browser
always sucked badly and probably has lots of other security issues.
Chrome versions before 30 didn't support it. But version 30 was released in
2013 and Google does a good job of forcing upgrades. A Debian/Wheezy system I
run is now displaying warnings from the google-chrome package saying that
Wheezy is too old and won't be supported for long!
Firefox before version 27 didn't support it (the Wikipedia page is unclear
about versions 27-31). 27 was released in 2014. Debian/Wheezy has version
38, Debian/Squeeze has Iceweasel 3.5.16 which doesn't support it. Would it be
reasonable to assume that anyone who's still using Squeeze is using it for a
server?
IE version 11 supports it and runs on Windows 7+ (all supported versions of
Windows). IE 10 doesn't support it and runs on Windows 7 and Windows 8. Are
the free upgrades from Windows 7 to Windows 10 going to solve this problem?
Windows mobile doesn't have enough users to care about.
Opera supports it from version 17. This is noteworthy because Opera used to
be good for devices running older versions of Android that aren't supported by
Chrome.
Safari supported it from iOS version 5, I think that's a solved problem there.
Is breaking support for Debian/Squeeze, the built in Android browser on
Android <5.0, and Windows 7 and 8 systems that haven't upgraded IE as a web
browsing platform a reasonable trade-off for implementing the best SSL security
features?
For the LUV server as a stand-alone issue the answer would be no as the only
really secret data there is accessed via ssh. For a general web
infrastructure issue it seems that the answer might be yes.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
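The two properties being traded off above, a TLS 1.2 floor and forward secrecy, can be checked in code rather than only by re-running the SSL Labs scan. The following is an added example, not part of the original message and not LUV's server configuration: it builds two server-side contexts with Python's standard ssl module, one hardened the way the Qualys post recommends and one permitting a static-RSA suite, and audits each one. The cipher strings are illustrative choices; whether a given suite is available depends on the OpenSSL build underneath.

```python
import ssl


def hardened_server_context() -> ssl.SSLContext:
    """TLS 1.2 as the floor and only (EC)DHE key exchange, with RC4 and MD5 excluded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4")
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """Library default floor plus one static-RSA suite (no forward secrecy) for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256")
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Report whether a context enforces a TLS 1.2 floor and forward-secret suites only."""
    non_pfs = []
    for cipher in ctx.get_ciphers():
        # Static RSA key exchange is reported as kea "kx-rsa"; the human-readable
        # description carries the same fact as "Kx=RSA". TLS 1.3 suites report
        # "kx-any" and are always ephemeral.
        if cipher.get("kea") == "kx-rsa" or " Kx=RSA " in cipher.get("description", ""):
            non_pfs.append(cipher["name"])
    return {
        "tls12_floor": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "pfs_only": not non_pfs,
        "non_pfs": non_pfs,
    }


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("legacy", legacy_server_context())):
        print(label, audit(ctx))
```

The same two questions are what the scan answers for a live site; running the audit on the context an application actually uses catches a regression (a distro default that re-enables static RSA, say) without waiting for the next external scan.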
We have a PC with firmware malware on - at least - both DVDs.
I don't know if it's worth recovering the system, but I definitely
want to find diagnostics for identifying infections and vectors
on the rest of the LAN.
Booting a DVD live-image of ubuntu, invocations of
firefox are intercepted and come up as "JON recovery system"
or some such. The attack vector may have been the old XP
system on the harddrive, but equally it may have been one
of the ubuntu images.
It is a medion PC, article number 10002328, and there are
firmware updates at the manufacturer.
I'm unsure how to securely install, given that the DVDs are
compromised, and I have no way to verify the cardreader or
motherboard BIOS or harddrive. (I could map/update
the bootsector of the harddrive, but I haven't checked
what may be available to work with the firmware.)
Would putting the infected DVD drives on another system,
sans media, risk infecting the new system?
Conversely, let's say I swap in a new DVD drive and boot a
putatively clean DVD - if the BIOS is corrupted do I risk just
re-infecting the new DVD drive?
Merry Christmas to all
Douglas Ray
I've just installed a new free SSL from letsencrypt. We have paid for an SSL
key but seem to have lost the private key.
http://etbe.coker.com.au/2016/01/27/using-letsencrypt/
Above is a blog post I wrote about Lets Encrypt.
Now I have configured the luv server to redirect all web traffic to https (let me
know if that breaks anything) and to use a valid key for SMTP TLS.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
Hi Guys,
I've got a domain where I've got the main hosting for the domain somewhere else (not controlled by me) and then some users hosted locally.
What I'm having issues with is getting the mail from my server to send upstream if it can't find a user locally.
What I've got so far:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 256000000
milter_connect_macros = j {daemon_name} v {if_name} _
milter_default_action = accept
mydestination = frodo.iama.geek.nz, localhost
myhostname = frodo.iama.geek.nz
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = $smtpd_milters
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_milters = unix:/spamass/spamass.sock unix:/clamav/clamav-milter.ctl
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unverified_recipient
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/self-sign-star.iama.geek.nz.crt
smtpd_tls_key_file = /etc/ssl/self-sign-star.iama.geek.nz.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual-transport-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
With the following in my virtual transport table
+----+----------------------+--------------------------------+
| id | source               | destination                    |
+----+----------------------+--------------------------------+
|  1 | example.com          | smtp:[aspmx.l.google.com]      |
|  2 | .example.com         | smtp:[aspmx.l.google.com]      |
|  3 | fraser(a)example.com | lmtp:unix:private/dovecot-lmtp |
+----+----------------------+--------------------------------+
What I get when I try to email an address on the upstream server is: Recipient address rejected: User unknown in virtual mailbox table
Does anyone have any ideas on how to resolve this? It doesn't seem to matter if I have virtual_transport set or not and do it all manually.
Cheers,
Fraser
Hi,
I am a hobbyist.
I have written a style sheet (xslt) which I want to use to process an
xml file. I have run some tests, using xsltproc, on a sample xml and it
all works well.
The xml file I am wanting to process is 650 GB in size.
When I run the xsltproc command the response is "Killed".
I had hoped that xsltproc would step through the xml file, creating
output as it goes. This does not seem to be the case.
I am running Mageia x64. I have added a 1T disk to the system and set
it as a swap partition.
Does anyone know of an xml parser that will work with "limited" memory?
- or a method by which I can apply the style sheet.
I have experience with C, and if all else fails will write a C program
to do what I want the style sheet to do, but I would rather get the
style sheet working.
Any advice appreciated.
Hugh
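"Killed" with no other message is the kernel's OOM killer; xsltproc (libxml2) parses the whole input into an in-memory tree before the stylesheet runs, so adding swap only changes how long the machine thrashes before the same outcome. The usual way out is to parse incrementally and transform one record at a time, freeing each record once its output is written. The code below is an added example, not Hugh's stylesheet or anything from the original message: it streams a document with the standard library's xml.etree.ElementTree.iterparse, assumes the records of interest are direct children of the root element (the element name "record" and the sample document are constructed for the test), and writes output as it goes so memory stays flat regardless of file size.

```python
import io
import xml.etree.ElementTree as ET

# Constructed sample input; the real file would be opened in binary mode instead.
SAMPLE_XML = b"""<?xml version="1.0"?>
<export>
  <record id="1"><name>alpha</name><size>10</size></record>
  <record id="2"><name>beta</name><size>20</size></record>
  <record id="3"><name>gamma</name><size>30</size></record>
</export>"""


def transform(source, dest, record_tag, render):
    """Stream <record_tag> elements from `source`, write render(record) to `dest`.

    Each record is converted to a dict of its attributes and child texts, handed
    to `render`, then cleared and detached from the root so the parsed tree never
    holds more than the record currently being processed.
    """
    count = 0
    root = None
    for event, elem in ET.iterparse(source, events=("start", "end")):
        if event == "start":
            if root is None:
                root = elem           # first start event is the document root
            continue
        if elem.tag != record_tag:
            continue                  # "end" of a child element or of the root
        record = dict(elem.attrib)
        for child in elem:
            record[child.tag] = (child.text or "").strip()
        dest.write(render(record) + "\n")
        count += 1
        elem.clear()                  # drop the record's children and text
        root.remove(elem)             # and the (now empty) record itself
    return {"records": count, "retained_children": len(root) if root is not None else 0}


def run_sample():
    """Stream the constructed sample into tab-separated lines; returns (stats, lines)."""
    out = io.StringIO()
    stats = transform(
        io.BytesIO(SAMPLE_XML), out, "record",
        lambda r: "%s\t%s\t%s" % (r["id"], r["name"], r["size"]),
    )
    return stats, out.getvalue().splitlines()


if __name__ == "__main__":
    stats, lines = run_sample()
    print("\n".join(lines))
    print(stats)
```

"retained_children" being 0 after the run is the property that matters for a 650 GB input: nothing from earlier records survives in the tree. If the per-record logic genuinely needs XSLT rather than Python, the same loop can hand each detached record to an XSLT processor (lxml's XSLT class accepts an element) and write its result, which keeps the stylesheet but still bounds memory to one record.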
I've publicised the meeting on Saturday to LCA delegates, so we may get a
larger attendance than usual. Also I've suggested meeting for dinner after
the meeting, it's not something we usually do but will probably be of interest
to people who have visited Australia for LCA.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
Has anyone had success in getting a new IP past the SmartScreen
content filter?
MS support keep sending me canned responses.
No messages arrive in the @outlook.com account
Here is a manual try:
-sh-4.2$ telnet mx1.hotmail.com 25
Trying 65.55.92.168...
Connected to mx1.hotmail.com.
Escape character is '^]'.
220 SNT004-MC3F13.hotmail.com Sending unsolicited commercial or bulk
e-mail to Microsoft's computer network is prohibited. Other restrictions
are found at http://privacy.microsoft.com/en-us/anti-spam.mspx. Mon, 25
Jan 2016 20:29:51 -0800
HELO bne.recruitonline.com.au
250 SNT004-MC3F13.hotmail.com (3.21.0.230) Hello [103.16.128.141]
MAIL FROM: piers(a)r.id.au
250 piers@r.id.au....Sender OK
RCPT TO: piers(a)outlook.com
250 piers(a)outlook.com
DATA
354 Start mail input; end with <CRLF>.<CRLF>
Testing
.
250 <SNT004-MC3F13p7mvjk000d0d99(a)SNT004-MC3F13.hotmail.com> Queued mail
for delivery
QUIT
221 SNT004-MC3F13.hotmail.com Service closing transmission channel
Connection closed by foreign host.
And here is a log snippet:
Jan 26 15:25:55 bne postfix/smtpd[15845]: 6F53D18344: client=localhost[::1]
Jan 26 15:25:55 bne postfix/cleanup[15848]: 6F53D18344: message-id=<20160126042555.6F53D18344(a)bne.recruitonline.com.au>
Jan 26 15:25:55 bne postfix/qmgr[15722]: 6F53D18344: from=<support(a)recruitonline.com.au>, size=6837, nrcpt=1 (queue active)
Jan 26 15:25:55 bne postfix/smtpd[15845]: disconnect from localhost[::1]
Jan 26 15:25:57 bne postfix/smtp[15849]: 6F53D18344: to=<piers(a)outlook.com>, relay=mx3.hotmail.com[207.46.8.167]:25, delay=1.9, delays=0.04/0.01/0.49/1.3, dsn=2.0.0, status=sent (250<20160126042555.6F53D18344(a)bne.recruitonline.com.au> Queued mail for delivery)
Jan 26 15:25:57 bne postfix/qmgr[15722]: 6F53D18344: removed
I can't see anything in the MTA queue.
Thanks for your help
Cheers
Piers
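The log and the manual session above both show the remote MX answering 250 and Postfix logging status=sent with dsn=2.0.0, which is why the queue is empty: from the sender's side the message was delivered. Anything the receiving side does after accepting (quarantine, silent discard) leaves no trace in the sender's logs. The parser below is an added example, not part of Piers's message: it pulls the queue id, recipient, relay host and address, DSN and status out of Postfix smtp delivery lines, using the two lines quoted above from the post plus one constructed bounce line for contrast, and classifies what the log can and cannot tell you.

```python
import re

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
# status=... is always the last field; the reason in parentheses may contain commas.
STATUS_RE = re.compile(r", status=(?P<status>\w+)(?: \((?P<reason>.*)\))?$")
RELAY_RE = re.compile(r"^(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?$")

# First two lines are from the post (addresses as obfuscated in the archive);
# the third is constructed to show a rejection.
SENT_LINE = ("Jan 26 15:25:57 bne postfix/smtp[15849]: 6F53D18344: to=<piers(a)outlook.com>, "
             "relay=mx3.hotmail.com[207.46.8.167]:25, delay=1.9, delays=0.04/0.01/0.49/1.3, "
             "dsn=2.0.0, status=sent (250<20160126042555.6F53D18344(a)bne.recruitonline.com.au> "
             "Queued mail for delivery)")
QMGR_LINE = ("Jan 26 15:25:55 bne postfix/qmgr[15722]: 6F53D18344: "
             "from=<support(a)recruitonline.com.au>, size=6837, nrcpt=1 (queue active)")
BOUNCE_LINE = ("Jan 26 15:30:01 bne postfix/smtp[15902]: 1A2B3C4D5E: to=<user(a)example.net>, "
               "relay=mx.example.net[192.0.2.10]:25, delay=0.8, delays=0.02/0.01/0.4/0.37, "
               "dsn=5.7.1, status=bounced (host mx.example.net[192.0.2.10] said: 550 5.7.1 "
               "SPF check failed (in reply to end of DATA command))")


def parse_delivery(line):
    """Return a dict for a Postfix delivery-attempt line, or None for other Postfix lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    s = STATUS_RE.search(m["rest"])
    if not s:
        return None                     # qmgr/cleanup/smtpd lines carry no status=
    rec = {"queue_id": m["qid"], "program": m["prog"],
           "status": s["status"], "reason": s["reason"] or ""}
    for field in m["rest"][: s.start()].split(", "):
        key, _, value = field.partition("=")
        rec[key] = value
    rec["to"] = rec.get("to", "").strip("<>")
    r = RELAY_RE.match(rec.get("relay", ""))
    rec["relay_host"], rec["relay_ip"] = (r["host"], r["ip"]) if r else (rec.get("relay"), None)
    return rec


def classify(rec):
    """What the sender's log proves about the message's fate."""
    if rec is None:
        return "not a delivery attempt"
    if rec["status"] == "sent" and rec.get("dsn", "").startswith("2."):
        return "accepted by %s; filtering after acceptance is invisible here" % rec["relay_host"]
    if rec["status"] == "bounced":
        return "rejected by %s: %s" % (rec["relay_host"], rec["reason"])
    if rec["status"] == "deferred":
        return "temporary failure, still queued: %s" % rec["reason"]
    return rec["status"]


if __name__ == "__main__":
    for line in (SENT_LINE, QMGR_LINE, BOUNCE_LINE):
        print(classify(parse_delivery(line)))
```

When every line for a recipient classifies as "accepted" and the mail still never appears, the evidence has to come from the receiver's side (their postmaster tools and the message headers of one that did arrive), not from the MTA queue.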
Hello Luv members,
I've recently added DNSSEC signatures to my domain (jasonjgw.net), and
supplied the key to my DNS registrar, gandi.net.
Unfortunately, my ISP's name servers, which perform DNSSEC validation, now
return a SERVFAIL (indicating a validation failure) when I look up the domain.
Google's public servers succeed, however, as DNSSEC Analyzer appears to do:
http://dnssec-debugger.verisignlabs.com/
The primary DNS server is running Bind 9 and I essentially followed the
instructions here:
https://nocko.se/2012/03/21/dnssec-quickly-and-correctly/
Is there anything that seems amiss?
I have friends who are contemplating following in my footsteps with their own
domains, thus anything we work out here should be helpful to them also.