Dovecot and Sieve
Posted by kd35a | Filed under server
This will be a short post on how to get Postfix, Dovecot and Sieve working together. I will assume you have already set up Postfix and Dovecot; if not, use a guide like this one, from Linode. This guide is written for Ubuntu 10.04 LTS Server, but should be useful on other distributions as well.
Next, make sure that all mail Postfix receives is delivered through Dovecot. Look in /etc/postfix/main.cf and check that mailbox_command is set properly:
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-dovecot-postfix.conf -n -m "${EXTENSION}"
Next we want to make sure that Dovecot uses Sieve. Open /etc/dovecot/conf.d/01-dovecot-postfix.conf and check that the following is in the file; otherwise append it to the end:
plugin {
sieve=~/.dovecot.sieve
sieve_dir=~/sieve
}
Now go to your home directory and create a folder called 'sieve'. Then create a file '.dovecot.sieve' in your home folder; this file holds your scripts. For example, I like to sort all notification mail I get from Facebook into a special folder:
require "fileinto";
# ":is" compares the From address exactly against each entry in the list
if address :is "From" ["update+m5_m5___@facebookmail.com", "notification+m5_m5___@facebookmail.com"]
{
    fileinto "Facebook";
}
It should be noted that I’m not completely sure about the sieve-folder. From http://wiki.dovecot.org/LDA/Sieve#Include_scripts it looks like you should put your scripts in that folder, and then link them from .dovecot.sieve. This is probably nice to do when you have a lot of scripts for sorting your mail. But I’m going to continue using .dovecot.sieve for my scripts, and if it gets nasty I will have to sort it out later.
Tags: dovecot, mail, postfix, sieve
FTPES with vsftpd
Posted by kd35a | Filed under server
I'm going to travel soon, and wanted a way to safely back up my pictures during my travels to my server with RAID 1 disks. And of course this needs to be secured with SSL ;)
$ sudo apt-get install vsftpd
Now we want our certificates and keys organized a bit differently than with lighttpd:
server_name.crt - the certificate for your server
server_name.key - the private key belonging to the certificate above
startssl_or_other_ca.pem - this file should contain all the certificates in the chain from your CA; in the case of StartSSL that is two: the root CA certificate and the class 1 intermediate (signing) certificate
Now edit your /etc/vsftpd.conf to look something like this (this works for me with StartSSL at least):
[...]
anonymous_enable=NO
[...]
ssl_enable=YES
rsa_cert_file=/etc/ssl/vsftpd/server_name.crt
rsa_private_key_file=/etc/ssl/vsftpd/server_name.key
ca_certs_file=/etc/ssl/vsftpd/startssl_or_other_ca.pem
ssl_ciphers=ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
force_local_data_ssl=YES
force_local_logins_ssl=YES
The line "ssl_ciphers=ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM" uses the cipher string from StartSSL's page on Apache configuration.
Note that the ca_certs_file option only works in version 2.0.6 and up. I don't know how this is done in earlier versions of vsftpd.
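As an added example (not code from the original post), the following script audits a vsftpd.conf of the shape shown above: it parses the key=value format, confirms that the settings which actually enforce TLS for local users are present, and flags tokens in the ssl_ciphers string that admit cipher families a reviewer would no longer accept (RC4 is prohibited by RFC 7465; MEDIUM re-admits legacy ciphers). The weak-token list is the reviewer's own policy assumption, not something vsftpd checks, and the sample configuration is constructed inline from the post's settings.

```python
"""Audit a vsftpd.conf for the FTPES settings discussed in the post.

Added example, not from the original post. Parses vsftpd's key=value
format and reports missing or weakened TLS enforcement settings, plus
weak cipher families still admitted by ssl_ciphers.
"""

# Constructed sample input: the settings shown in the post.
SAMPLE_CONF = """\
# comment line
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
rsa_cert_file=/etc/ssl/vsftpd/server_name.crt
rsa_private_key_file=/etc/ssl/vsftpd/server_name.key
ca_certs_file=/etc/ssl/vsftpd/startssl_or_other_ca.pem
ssl_ciphers=ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
force_local_data_ssl=YES
force_local_logins_ssl=YES
"""

# Settings that must hold for FTPES to be enforced for local users.
REQUIRED = {
    "anonymous_enable": "NO",
    "ssl_enable": "YES",
    "force_local_data_ssl": "YES",
    "force_local_logins_ssl": "YES",
}

# Cipher-string families flagged by this audit (reviewer's policy assumption):
# RC4 is prohibited by RFC 7465; MEDIUM/LOW/EXPORT/ADH/aNULL/eNULL are legacy
# or unauthenticated families.
WEAK_TOKENS = ("RC4", "MEDIUM", "LOW", "EXPORT", "ADH", "aNULL", "eNULL")


def parse_vsftpd_conf(text):
    """Return a dict of option -> value; a later definition overrides an earlier one."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank, comment, or a line vsftpd itself would reject
        key, _, value = line.partition("=")
        options[key.strip()] = value.strip()
    return options


def weak_cipher_tokens(cipher_string):
    """Return the tokens of an OpenSSL cipher string that enable a weak family.

    Tokens prefixed with '!' remove a family permanently and are not reported.
    A token such as 'RC4+RSA' is an intersection of families; any weak part
    counts, because it still admits RC4 suites.
    """
    found = []
    for token in cipher_string.split(":"):
        if token.startswith("!"):
            continue
        for part in token.lstrip("+-").split("+"):
            if part in WEAK_TOKENS:
                found.append(token)
                break
    return found


def audit(text):
    """Return a list of findings for the given vsftpd.conf text (empty = clean)."""
    opts = parse_vsftpd_conf(text)
    findings = []
    for key, expected in REQUIRED.items():
        actual = opts.get(key)
        if actual is None:
            findings.append(f"{key} is not set (expected {expected})")
        elif actual.upper() != expected:
            findings.append(f"{key}={actual} (expected {expected})")
    for key in ("rsa_cert_file", "rsa_private_key_file"):
        if key not in opts:
            findings.append(f"{key} is not set; TLS cannot be enabled without it")
    for token in weak_cipher_tokens(opts.get("ssl_ciphers", "")):
        findings.append(f"ssl_ciphers enables weak token {token}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
```

Run against the post's settings, the enforcement options all pass and the only findings are the two cipher-string tokens (RC4+RSA and +MEDIUM); on a real host, point the script at /etc/vsftpd.conf instead of SAMPLE_CONF.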
Tags: ftp, ftpes, ftps, ssl, ubuntu, vsftpd
New server
Posted by kd35a | Filed under Uncategorized
So, my new server is up and running :) It's an old node from HPC2N which found its way to me via some nice people (thanks Sikevux and MMN-o from Umeå Hackerspace!).
Until now I have used Apache as my web server. But after reading about lighttpd, and some friends telling me to try it out, I have now done some initial configuration.
First up: the SSL certificate. To create an SSL key and generate a Certificate Signing Request (CSR), run the following in a terminal.
$ openssl req -new -newkey rsa:4096 -keyout ssl.key -out ssl.csr
This creates a 4096-bit RSA key (ssl.key) and a CSR (ssl.csr).
After this we want it signed by a certificate authority, and my choice is StartSSL. They sign class 1 certificates for free. After you have created an account, go to the control panel, click "Validations Wizard", choose "Domain Name Validation" and follow their instructions. Then go to "Certificates Wizard" in the control panel and choose "Web Server SSL/TLS Certificate".
Now click "Skip", because you already have a key! Paste the contents of the file ssl.csr into the field and follow the instructions. After this you just have to wait for StartSSL to accept (or decline) your CSR.
Now you hopefully have a signed certificate (saved in a file called ssl.crt) and your key; the only thing left is StartSSL's intermediate certificates: this one, and this one. Lighttpd doesn't like those files to be separated, so we combine them into one file each:
$ cat ca.pem sub.class1.server.ca.pem > startssl.pem
$ cat ssl.key ssl.crt > ssl.pem
Because I will host a lot of virtual hosts on this machine, I created a file /etc/lighttpd/vhosts.conf, which I include in the main configuration file by adding:
# Here are all the virtual hosts specified
include "vhosts.conf"
to the end of /etc/lighttpd/lighttpd.conf (Ubuntu 10.04 LTS).
/etc/lighttpd/vhosts.conf looks like this:
$HTTP["host"] =~ "example.com$" {
    server.document-root = "/var/www"
}

$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
    ssl.ca-file = "[path to certs folder]/startssl.pem"
    ssl.pemfile = "[path to certs folder]/ssl.pem"
    server.document-root = "/var/www"

    $HTTP["host"] =~ "example.com$" {
        server.document-root = "/var/www"
    }

    # $HTTP["host"] =~ "example2.com$" {
    #     server.document-root = "/var/vhosts/example2.com"
    #     ssl.ca-file = "[path to certs folder]/startssl.pem"
    #     ssl.pemfile = "[path to certs folder]/ssl2.pem"
    # }
}
At the end I included an example of what to do when adding more vhosts that need different certificates. Note that serving multiple domains with their own SSL certificates from a single IP address relies on SNI, which does not always work.
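As an added example (not code from the original post), the script below runs structural sanity checks on the two bundles assembled above before lighttpd is pointed at them: ssl.pemfile should contain exactly one private key plus the server certificate, ssl.ca-file should contain certificates only, and the file holding the private key should not be readable by other users. It only inspects PEM markers and file modes; verifying that the key actually matches the certificate needs openssl or a crypto library and is not attempted here. The sample bundles are constructed with placeholder bodies.

```python
"""Structural checks for lighttpd's ssl.pemfile and ssl.ca-file bundles.

Added example, not from the original post. Checks PEM block types and
order, and that the key-bearing file is private to its owner. It does
not validate the key or certificate contents.
"""
import os
import re
import stat
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)

# Constructed placeholders standing in for the real ssl.key / ssl.crt / CA files.
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"


def pem_labels(text):
    """Return the label of every PEM block in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_server_pem(text):
    """Findings for ssl.pemfile (the 'cat ssl.key ssl.crt' bundle)."""
    labels = pem_labels(text)
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    certs = [label for label in labels if label == "CERTIFICATE"]
    findings = []
    if len(keys) != 1:
        findings.append(f"expected exactly 1 private key, found {len(keys)}")
    if not certs:
        findings.append("no certificate block found")
    if len(labels) != len(keys) + len(certs):
        findings.append("unexpected block types: " + ", ".join(labels))
    return findings


def check_chain_pem(text):
    """Findings for ssl.ca-file (the 'cat ca.pem sub.class1.server.ca.pem' bundle)."""
    labels = pem_labels(text)
    if not labels:
        return ["no PEM blocks found"]
    return [f"non-certificate block in chain file: {label}"
            for label in labels if label != "CERTIFICATE"]


def check_key_file_mode(path):
    """Finding if a file containing a private key is accessible by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} is accessible by group/others (mode {oct(mode)})"]
    return []


def check_bundles(server_pem_path, chain_pem_path):
    """Run all checks on the two files and return the combined findings."""
    with open(server_pem_path) as f:
        findings = check_server_pem(f.read())
    with open(chain_pem_path) as f:
        findings += check_chain_pem(f.read())
    findings += check_key_file_mode(server_pem_path)
    return findings


def demo():
    """Write the constructed bundles to a temp dir and check them; returns findings."""
    with tempfile.TemporaryDirectory() as d:
        server = os.path.join(d, "ssl.pem")
        chain = os.path.join(d, "startssl.pem")
        with open(server, "w") as f:
            f.write(FAKE_KEY + FAKE_CERT)
        os.chmod(server, 0o600)  # the key-bearing bundle must be owner-only
        with open(chain, "w") as f:
            f.write(FAKE_CERT + FAKE_CERT)  # root CA followed by the intermediate
        return check_bundles(server, chain)


if __name__ == "__main__":
    print(demo() or "bundles look sane")
```

On a real host, call check_bundles() with the paths from ssl.pemfile and ssl.ca-file; an empty list means the bundles have the expected shape.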
Sanitize a hacked Joomla-site
Posted by kd35a | Filed under Uncategorized
A friend and I did some work sanitizing a hacked Joomla site today, for the second time. This time we went a little deeper, and have hopefully found the hackers' entry point and fixed it. Read more here.
Tags: hacked, joomla, sanitize
Dell E6410
Posted by kd35a | Filed under Uncategorized
I have recently (ok, a while ago, but I've been slow with updating this page) bought a new laptop, replacing the MacBook. I went for the Dell E6410 with a Core i7, 8GB RAM and an nVidia NVS 3100M graphics card. Of course Windows 7 went out the door fairly quickly, and in went Ubuntu 10.10 x86_64.
Unfortunately not everything worked out of the box (though Ubuntu did a lot better than Windows, where not even the CD drive worked out of the box…), so here I will try to collect some tips:
First off: graphics
When first booting Ubuntu, you will get a blank screen. This is caused by a conflict between the nVidia graphics card and the Intel i915 graphics built into the Core i7. When booting the Ubuntu CD, choose the language you wish to use, then press F6 to get the advanced settings. Tick the option "nomodeset" and continue the install as normal.
After the installation has finished, hold down Shift while booting and the Grub menu will come up. Select the default entry, press "e", replace "quiet splash" with "nomodeset" and continue booting.
Once booted, install the proprietary drivers for the nVidia card and edit "/etc/default/grub" so that it contains 'GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nouveau.modeset=0 acpi_sleep=nonvs"'. Now run "sudo update-grub", and everything should work as you want.
SD-card reader
The next problem is the SD card reader. Add the file linked here to "/etc/modprobe.d/":
$ sudo wget https://launchpadlibrarian.net/53259856/latitude-e6510-cardreader.conf -O /etc/modprobe.d/latitude-e6510-cardreader.conf
And now run:
$ sudo rmmod sdhci_pci
$ sudo rmmod sdhci
$ sudo modprobe sdhci_pci
If anything is unclear, or you think I forgot something important, feel free to leave a comment :)
Tags: dell, e6410, Maverick Meerkat, ubuntu, ubuntu 10.10
Mail hacked
Posted by kd35a | Filed under Uncategorized
Well, that day came for me too… :(
Tonight I sent this mail to some of my contacts:
I bought some items from a commercial site, because of the unique channel of purchases, product prices unexpected, I think you can go to see: [crap site that isn't worth a link] , high-quality products can also attract you.
Today's lesson? More security levels for passwords. I already have several security levels, but apparently I trusted some site/server a bit too much that I shouldn't have trusted.
Time to find more levels, while my teflon memory still has to be able to remember them… Tonight I'll be pondering different ways to organize my passwords while keeping several security levels (alpha, alphanumeric+symbols, etc.).
Tags: password
WiFi on the Ben NanoNote
Posted by kd35a | Filed under Uncategorized
I’m writing this in English so that I can reach more people.
Just the other day I got my hands on a Ben NanoNote. It's a really fantastic little machine with a MIPS processor, 32MB RAM and 2GB flash. It runs a modified OpenWrt (Linux) out of the box. The problem is that it has no integrated WiFi, but you can solve that by inserting an SDIO WiFi card, in my case a SPECTEC SDW-823.
On the project's wiki they try to guide you through getting everything to work, but in my opinion it isn't very well written. So here I guide you through my process:
1. Download this file: http://downloads.qi-hardware.com/software/ks7010-firmware-20100217.tar.bz2, and unpack it. You will find two files, ks7010sd.rom and ks79xx.cfg; put those in /lib/firmware on the NanoNote.
2. When I first put the WiFi card in my NanoNote, the kernel flooded my terminals with messages like this:
[ 9262.380000] jz4740-mmc jz4740-mmc.0: Sparse irq: 80
[ 9262.390000] /home/xiangfu/PanGu/openwrt-xburst/build_dir/linux-xburst_qi_lb60/ks7010/ks7010_sdio.c:ks_sdio_interrupt[573]
[ 9262.400000] jz4740-mmc jz4740-mmc.0: Sparse irq: 80
[ 9262.410000] /home/xiangfu/PanGu/openwrt-xburst/build_dir/linux-xburst_qi_lb60/ks7010/ks7010_sdio.c:ks_sdio_interrupt[639]
[ 9262.420000] /home/xiangfu/PanGu/openwrt-xburst/build_dir/linux-xburst_qi_lb60/ks7010/ks7010_sdio.c:ks_sdio_interrupt[639]
[ 9262.430000] /home/xiangfu/PanGu/openwrt-xburst/build_dir/linux-xburst_qi_lb60/ks7010/ks7010_sdio.c:ks_sdio_interrupt[647]
[ 9262.440000] /home/xiangfu/PanGu/openwrt-xburst/build_dir/linux-xburst_qi_lb60/ks7010/ks7010_sdio.c:ks_sdio_interrupt[651]
I didn't get any good answers on the meaning of those (if you know better, please add a comment), but I found this. So, open /etc/config/system in your favorite text editor and add an extra line with "option conloglevel 4", which keeps debug-level kernel messages off the console. Mine looks like this:
config system
    option hostname BenNanoNote
    option timezone UTC
    option conloglevel 4
3. Next we want to add a network to wpa_supplicant. Edit /etc/wpa_supplicant/wpa_supplicant.conf as you like. Mine looks like this:
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="my-ap"
    bssid=xx:xx:xx:xx:xx:xx
    scan_ssid=1
    key_mgmt=WPA-PSK
    proto=WPA2
    psk="my-password"
}
4. Shut down your NanoNote with halt, insert your WiFi module, and start it up again. Now when you type iwconfig you should get something like:
lo        no wireless extensions.
usb0      no wireless extensions.
eth0      IEEE 802.11b/g  ESSID:"default"
          Mode:Managed  Frequency:2.457 GHz  Access Point: Not-Associated
          Bit Rate:11 Mb/s
          RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=0/100  Signal level=0 dBm  Noise level=0 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
5. Execute wpa_supplicant -Dwext -ieth0 -c /etc/wpa_supplicant/wpa_supplicant.conf. If you don't get any errors, you can go on. Otherwise, try to read out what's wrong: add a -d argument for debugging output, -dd for even more. If the earlier steps succeeded, it's probably your wpa_supplicant.conf that's wrong.
6. Now you just need an IP address: udhcpc eth0. By this time you should be up and running :) Try for example ping -c 4 www.google.com to check that the connection works as intended.
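The wpa_supplicant.conf in step 3 stores the passphrase in clear text (psk="my-password"). As an added example, not code from the original post, the script below derives the 256-bit pre-shared key that wpa_supplicant actually uses from the passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 iterations, per IEEE 802.11i; the same value wpa_passphrase(8) prints) and rewrites each network block to use the 64-hex-digit psk= form instead. That keeps the memorable passphrase out of the file; the hex key still grants network access, so the file's permissions matter just as much. The sample config is constructed in the shape of the one above, using the standard's published test vector (SSID "IEEE", passphrase "password").

```python
"""Replace quoted WPA passphrases in wpa_supplicant.conf with derived hex PSKs.

Added example, not from the original post. The derivation is the 802.11i
PSK mapping: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
"""
import hashlib
import re

# Constructed sample in the shape of the post's config; "IEEE"/"password"
# is the test vector from the standard, not a real network.
SAMPLE_CONF = """\
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="IEEE"
    scan_ssid=1
    key_mgmt=WPA-PSK
    proto=WPA2
    psk="password"
}
"""

NETWORK_BLOCK = re.compile(r"network=\{[^}]*\}")
SSID_LINE = re.compile(r'^[ \t]*ssid="([^"]*)"', re.M)
PSK_LINE = re.compile(r'^([ \t]*)psk="([^"]*)"', re.M)


def wpa_psk_hex(passphrase, ssid):
    """Return the 64-hex-digit PSK for passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)
    return key.hex()


def hash_psks_in_conf(text):
    """Return the config with every quoted psk="..." replaced by its hex PSK.

    Each network={...} block is handled on its own, because the PSK is bound
    to that block's SSID. Blocks without an ssid line or without a quoted
    psk are returned unchanged, so an already-hashed psk is never touched.
    """
    def rewrite(match):
        block = match.group(0)
        ssid = SSID_LINE.search(block)
        psk = PSK_LINE.search(block)
        if not ssid or not psk:
            return block
        indent, passphrase = psk.groups()
        hex_line = f"{indent}psk={wpa_psk_hex(passphrase, ssid.group(1))}"
        return block[:psk.start()] + hex_line + block[psk.end():]

    return NETWORK_BLOCK.sub(rewrite, text)


if __name__ == "__main__":
    print(hash_psks_in_conf(SAMPLE_CONF))
```

Running the rewrite a second time is a no-op, since only quoted passphrases are matched; to convert a real file, read it, pass the text through hash_psks_in_conf(), and write the result back with the same owner-only permissions.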
Tags: NanoNote, SDW-823, spectec, WiFi, wpa_supplicant
Encrypt
Posted by kd35a | Filed under Uncategorized
So, a new disk has been acquired for the server, and of course it is going to be encrypted. (Hi Pirate Pontén! *waves*)
And so far it has gone more smoothly than I thought it would. Download a .tar.gz file from TrueCrypt's website, unpack it and run the binary, and then it was just a matter of starting to create an encrypted partition :)
Start and stop Firefox
Posted by kd35a | Filed under Uncategorized
Firefox may be good, but it uses quite a bit of resources. This results in my MacBook sometimes having to spin up the fans, not much fun when you're trying to sleep :p (turn off the computer, what's that?) The solution so far has been fairly crude: ps ax | grep "Firefox" and then kill -STOP PID, where PID is Firefox's process ID, and then the same with the argument -CONT to start it again. After a while you get tired of typing all that, and solve it with a script:
#!/bin/bash
# Suspend (stop) or resume (start) every running Firefox process.
# Usage: firefox-ctl.sh start|stop
# "$1" is quoted so the script fails cleanly instead of with a syntax error
# when called without an argument.
if [ "$1" == "start" ]
then
    ps ax | grep "Firefox" | grep -v "grep" | awk '{ print $1 }' | xargs kill -CONT
elif [ "$1" == "stop" ]
then
    ps ax | grep "Firefox" | grep -v "grep" | awk '{ print $1 }' | xargs kill -STOP
else
    echo "usage: $0 start|stop" >&2
    exit 1
fi
Black Tuesday
Posted by kd35a | Filed under Uncategorized
(Via Infallsvinkel)
This is an open, shared blog post: copy it and publish it on your blog.
Tags: fra, svalan har lyft