Getting Postfix and Dovecot working

posted 06:11PM Oct 10, 2017 by Craig Stewart

In my last blog post I set up apache and certbot and got the ssl certificates I needed for my new mail server. So this blog was going to be about postfix, but as I found a handy guide online I followed some of it to get what I wanted. That is to say I followed those steps that made sense, skipped the ones that conflicted with my requirements, and altered the ones that didn't apply because of changes I had made. This gave me a reasonable set up, on two servers, that could each act independently, but lacked the mailbox sync to allow me to use them as a single mail infrastructure. To be fair the only things that really needed changing in any great detail where the dovecot userdb settings to allow doveadm to enumerate the users and get the correct settings, most of the remaining settings changes were trivial (SSL cert locations for example). I also skipped all of the optional extras (like roundcube and phpmyadmin). After this I had to configure dovecot mailbox sync as per their guide, and tweak the SSL settings to harden them, and now I have new mail servers. It took longer than I would like, and I have less to say than I have for the previous steps. But all is now working. I have however decided to look into DKIM and DMARC settings, as I have already configured SPF and there is a nice guide to follow linked from the comments on the guide I followed to get postfix installed and working.

Tags: email project sysadmin

Comments [0]

Apache Config SSL and certbot

posted 08:48PM Sep 28, 2017 by Craig Stewart

So after my last blog post I decided that this one should be less rushed, and more practised and tested, which turns out to be a good thing. After my last blog post the hosted servers I have didn't work over IPv6, this is due to the hosting firm's use of SLAAC to configure the external IPv6 address and routing, and my use of iptables to block all traffic that wasn't otherwise allowed. Now I allowed icmp echo requests on IPv4 but those commands raised an error run I transposed them to IPv6 so I left them out. This led to SLAAC, which requires ICMP to work over IPv6 to not work. That has been rectified now. So onto apache, and SSL certs. Now one of the requirements I had for these servers was the ability to swap between them via DNS, and as I do not know how to configure postfix to use multiple SSL certs based upon the domain that is being connected too I decided the easiest way to do that would be to get a cert with a cname to that shared domain for each server. Using http authentication with lets encrypt you put a file on disk and they request that file from the domain they are validating. This would be a problem for the server that is not currently being pointed at for the shared domain.

[Read More]

Tags: email oops project sysadmin

Comments [0]

IPTables config

posted 09:49PM Sep 24, 2017 by Craig Stewart

So in my last blog post I promised that I would talk about iptables, and basically I have been a little lax in getting started with configuring the IPTables rules on the new servers I have set up. Now I mentioned that IPTables is quite powerful, and it can be if configured to be so, but I am using it as a basic firewall, so that should I accidental configure a service to listen on an external port it shan't be able too. On top of this I am going to set the rules up such that the three default chains drop packets that don't match any rules, meaning I am using them as first match allows the flow firewall, with a default drop.

[Read More]

Tags: email project sysadmin

Comments [0]

A new project, emails

posted 11:03PM Sep 18, 2017 by Craig Stewart

So, when I started this blog I wanted to make it a record of my learning of new skills, particularly around electronics. That hasn't happened, and now that I have a new project to start it isn't about to start, this project is very much within my skill set (or at least it should be). A little background, I have been running my website, and email server, on my home connection for years, I got an internet connection with a company that was a good ISP for those who were a little more knowledgeable of networking and computers when I moved into my house. Back then I was a novice, but with an ISP a little more forgiving of allowing more advanced use of an internet connection I could host a website, and emails, without paying any extra money for a proper hosting solution. This has lead to me being the only person on my street that has a wireless internet connection during a power outage, but that is not really the point. Since then there has been a great deal of consolidation in the UK ISP market, and my ISP, PlusNet, was bought, some time ago, by BT. Until recently this wasn't really an issue, nothing much changed, BT kept PlusNet at arms length, but for some reason, now, PlusNet have chosen to add the block of IP addresses that the static IP for my connection is in to Spamhaus' Policy Block List. This marks my internet connection as not suitable for email hosting. So my new project is to move my emails into a proper hosting solution.

[Read More]

Tags: email project sysadmin

Comments [0]

Lets talk about Social Justice Warriors

posted 10:56PM Aug 08, 2017 by Craig Stewart

So lets start off by saying I am a white, heterosexual, middle class, male. I have seen lots of comments on the internet about Social Justice Warriors (SJWs for short), and I gather that, based upon what I have seen, I should be worried for my very existence, as these SJWs are apparently out to rid the world of my kind, that is to say white middle class cis gendered (yes I know that "cis gendered" is a label for non trans gendered people, and some see it as an insult, but I am what I am, and I have no better label to use) heterosexual able bodied men. But I have very few examples I can point to of any of these SJWs that really concern me, or indeed that I disagree with in any significant way.

Before we go any further I should probably explain what triggered this particular rant. Recently a person at Google has been sacked for breach of Google's internal policies, a situation that has come to light because the breach was an article they authored about how diversity polices may be harmful, and then circulated within Google, and which promptly leaked. Now I have seen a version of this article, and I shall discuss my thoughts on it later, but what worries me now is the "debate" about the actions taken by Google, and I have already seen some very negative comments. There appear to be two basic sides to this debate, those who say the article was damaging, and wrong, and so Google did the right thing, and those that say Google has damaged itself by shutting down dissenting internal opinions (something the article points out is a risk of Google's current internal culture) and has also trampled this person's free speech rights. My concern is that these are the voices that are going to be screaming about SJWs in the not to distant future. So I thought I'd have a rant about the stupidity of this position from the viewpoint of a SJWs typical "victim".

[Read More]

Tags: comment controversial equality opinion rant

Comments [0]

The death of a smartphone, and the liberation it brings.

posted 10:16PM May 22, 2017 by Craig Stewart

I knew I relied heavily on the access that I get by carrying around a smart phone, I read my emails, send and receive text messages, look things up on the internet, etc. It is a very useful tool, but I didn't realise how much of an impact it has on my life until it died. So I immediately ordered a replacement, but that took two whole days to arrive. The fix for my old phone was outside my ability level, and I couldn't find anyone who could fix it in a hurry, so I elected to spend two days without it, or any other phone. And it has been two of the least stressful days I have had in a very long time. Disconnected from the world, I didn't need to worry about things I could do nothing about, or keep abreast of the latest goings on on twitter. I almost regret getting a new phone, the old one is off for repair, and will be back in two to four weeks. I can hardly imagine spending that much time without a smartphone. Before the old one broke it was because I thought I would become overly stressed, and fail to cope, but having spent two days with only having the internet when tethered to a desk I can't imagine how relaxed I may get without a smartphone. Maybe in future I shall turn the phone off for periods of time. Maybe too much connectivity is a bad thing?

Tags: breaking comment oops opinion

Comments [0]

So I decided to join a professional body.

posted 09:55PM May 10, 2017 by Craig Stewart

I have for a long time thought that the IT industry has an issue with how people within it present themselves to the rest of the world. Everyone wants to be an "Engineer", indeed my current job title is "DevOps Engineer" (a title I am not particularly enamoured with, but that is a matter for another time). We all know that Engineers create clever solutions to otherwise very difficult problems. The issue I have with this is that in many other fields where you find Engineers there are rules, and regulations, and bodies that decide who gets to call themselves "Engineer" and what standards those people must meet. In most of these other fields there are highly defined Engineering Standards against which we can measure the ability and performance of these Engineers. In IT this is not enforced, now I have been very lucky to work with some incredibly talented and intelligent individuals, and I do not wish to deride their contributions in anyway, but without the standards to measure ourselves against, using the term "Engineer" just cheapens it. Unfortunately I have no idea what the standards should be in IT, and I have no idea what the underlying problem with the way many working in IT think that I feel is not proper Engineering, after all I am no more an "Engineer" than anyone else in IT using that title, and claiming otherwise would be a lie. And so I have joined BCS in order that maybe I can get more exposure to the rest of IT and perhaps learn more about what the standards I feel are missing should be.

I shall probably write more on this in the future, but for now here's to hoping that membership of a professional body is going to be a positive step towards understanding my industry, and how I can make it better.

Tags: bcs opinion reflection sysadmin thinking

Comments [0]

Should have seen it coming!

posted 07:04PM Mar 13, 2017 by Craig Stewart

So the SSL certificate that I used to secure my website (and other things) is no longer trusted by Chrome (as of version 57), and so I have been forced to upgrade to a Lets Encrypt SSL certificate. It's almost as if I could have predicted this state of affairs in advance. At least I can now rest assured that my SSL certs will be easy to keep up to date (I have set up what I believe to be the required automated steps to do just that, time will tell).

Tags: fail ssl sysadmin

Comments [0]

3 years on

posted 07:35PM Mar 12, 2017 by Craig Stewart

So I started this blog just about 3 years ago now, and despite my intent to use it to encourage me to do something with electronics, and to show case my progress, I have done nothing much since I bought a Raspberry Pi and got it running. Indeed it is still sat in a box waiting for me to motivate myself to get back at it. I have used this blog to rant about politics far more than I have done any electronics. It doesn't help that I have hardly been out on my bike once since I started this blog, so the project I intended to build I have had no need for. So based upon my initial intentions I must count this blog as an abject failure. However, as I pointed out at the time I started this blog I have attempted to do so before, and those prior attempts always ended empty, and pathetic, killed off due to a lack of content. I have at least managed to create content sporadically for this blog. The difference this time around? I am no longer trying to post stuff that I think other people will find interesting, so I am no longer holding back when I just want a rant, or to post about an "oh shit" moment. Granted I don't have the broadest readership in the world, but that doesn't really matter, I have an outlet, and if people read it, and find it interesting, great, if not then at least I still said what I wanted to. So this time around I'm not going to delete this blog, just yet, I'll give it another few years, and see how it goes. Who knows, maybe I'll start cycling regularly again and actually do something about that cycle computer (probably not though).

Tags: comment embarrassing reflection stuff

Comments [0]

God Damn it Plus net

posted 07:46PM Feb 20, 2017 by Craig Stewart

So recently I changed my mail server over to postfix, this not that long after I ranted about e-mail security with plusnet. It turns out this has led to an interesting problem. So SSL settings were set pretty strictly on the smtps port, so only strong TLSv1.2 ciphers were available. On the smtp port I was a little more permissive, as long as it was TLSv1.2 it would accept even very weak ciphers (well a weak cipher is better than no cipher at all, and I was accepting mail that didn't use the starttls command) and everything was good. Accept that it turns out emails coming from Plusnet's mail servers was failing, they would connect, try to starttls, not like any of the ciphers and fail, breaking the connection. Once they tried again they didn't remember that starttls didn't work so they tried again. Until the mail timed out, and was bounced. So I've had to make the setting even more permissive, as getting emails from people I know on plusnet (like my Father for example) is sort of important.

Tags: email fail not-good-enough rant security sysadmin

Comments [0]