Most university networks block port 25. Of course to prevent spamming. Makes sense, as most mail servers listen on port 25. Of course they also block me in using my mail-server. Stupid! That's why my mail server now also listens on port 8025, which gets through. So I can contact my own mail server.

It's as simple as adding the following line to Postfix's master.cf:

8025 inet n - n - - smtpd

And of course change the setting in your mail client :)

In the past I used vnc to connect to a Windows computer remotely. Now I tried rdesktop, which implementes the client side of the native RDP protocol. It's fast as hell, compared to vnc. Simply enable it under Windows, assign a password to your user account and then connect:

rdesktop -z -P -E -f -p password -u username -k de ip_or_hostname

Bsdtalk 119 rambles about experiments with IPv6. There is also an associated homepage An IPv6 Test Lab which contains useful information. It also considers Windows Vista, which is quite uncommon for a bsdtalk :). Running IPv6 is also a very valuable source of information about IPv6.

Pkgsrc is the package management system (or ports system how it's called in FreeBSD) which was originally developed for NetBSD, but is also available for a lot of other systems (Solaris, Windows, Linux etc.). It is also the main package system for DragonFlyBSD.

Pkgjam is a "spin-off" from Pkgsrc with lots of new good ideas, using a database (SQLite) for storing the dependencies and using hard-links between all dependencies, so that each package is self-contained. You can simply remove a package without affecting any other package. I hope someday this will become the standard, as it'd make administration so much easier and less error-prone.

Seit Sonntag läuft bei mir Ubutu Linux auf meinem “alten” Laptop. In dieser kurzen Zeit ist er jedoch schon bestimmt 5 mal abgestürzt. Einfach so! Unter FreeBSD kannte ich das eigentlich nur, wenn ich irgendein USB Device eingestöpselt habe und nicht einfach so. Die Gnome Oberfläche gefällt mir sehr gut (die gibts ja auch unter FreeBSD :). Das Paketemanagement (von Debian) find ich recht umständlich, weil z.B. sehr oft noch eine alte Version von Ruby (1.8.2 – die war glaub ziemlich buggy!) zu finden ist. Das ist unter FreeBSD meiner Meinung nach besser, weil nicht alles in tausend kleine Pakete gestückelt wird, und ich mich einfach besser auskenn :). Unter X kann ich keine Auflösung oberhalb von 1024×768 einstellen, unter FreeBSD ging das! WPA2 hab ich auch hier nicht zum Laufen gebracht. Es mag jedoch an unserem Router liegen! Gut finde ich, dass es alles als Binärpaket gibt, da sollte FreeBSD noch etwas ändern. Hier gibt es auch Binärpakete, allerdings nicht in dem Umfang. Die Wireless-Konfiguration unter Gnome hat nicht geklappt. Das KNetwork Tool unter KDE scheint hier viel besser zu sein. Linux hat natürlich seine Vorteile, z.B. ist es einfach einen Plugin für Flash zu installieren. So einfach ist das unter FreeBSD nicht. Systemupdates gehen mit PC-BSD genauso einfach wie mit Ubutu. Etwas besser ist wohl die Unterstützung von Plugin-Devices in Ubutu. Auch der Hibernate Mode hat mir recht gut gefallen. Jedoch, wenn dann der Rechner mehrere Male abstürzt bringt das nichts, ausserdem dauert das Laden relativ lange. Schon jetzt bin ich mir sicher: Bald werd ich kein Ubuntu mehr haben :)

By Jeremy C. Reed, a guy well known to at least NetBSD and DragonFly people. Here. Looks good! Buy it!

Hakin9 is all about security.

In my /var/log/auth.log file, I regularily see hundrends of lines like this:

Aug  1 15:03:20 core sshd[18272]: Invalid user test from 85.42.62.82

Some script-kiddies try to get into. Of course they cannot as we’ve choosen very good passwords or use PKI, but anyway it’s annoying. So I decided to block those IPs. The best way would be to do this inside of sshd. So I looked at the sourcecode, but quickly realized that it’s not easily possible to achive. No, the sourcecode is very easy to read, that’s not the problem. But it doesn’t work easily because there is one process listening for connections which then spawns off a child process for each connection. So there is no common information available about which IPs to block. But wait: I’ve had an idea how it could work! Upon authentification failure, the child terminates itself and returns a special AUTH_FAILED exitcode. The parent registers a SIGCHLD signalhandler and can this way block the IP. Now lets fetch my FreeBSD laptop and implement it!

Now I realized that it isn’t easily possible this way. Because sshd loops and asks the user for a password even if that user does not exist in the system.

But I’ve now wrote a little Ruby script that is called from swatch (a system logging daemon). It locks you out if you supply three times a wrong password or a wrong username.

Around a year ago, I accidentally killed sshd on our remote co-location machine. Bad! Very bad! Okay, a reboot fixed it, but even that costs money (and it destroys the uptime record :). That this can never ever happen again, I have currently monit running. I use it solely for this purpose. Monit can do much more than just this. As I thought, it might be a bit oversized for my purpose, I tried to find a simpler solution. What I came up with at first was the following script:

. /etc/rc.subr
while true
do
  if [ "0" = `netstat -a -f inet -p tcp | tail -n +3 | tr -s ' ' | 
              cut -d ' ' -f 4 | grep ssh | wc -l | tr -d ' '`]
  then
    echo "sshd down -> try to start" 
    /etc/rc.d/sshd forcestart
  fi
  sleep 30
done

Yeah, I wrote it by myself, but don’t ask me what is going on :). This script would check every 30 seconds whether there’s a daemon listening on the ssh port and if not, it would restart the sshd daemon. Keep in mind that this is FreeBSD-specific! But then, I found a much simpler solution:

# run it from cron every minute or so
/etc/rc.d/sshd status || /etc/rc.d/sshd start

Much simpler, ehh?

Dank Knoppicillin ist nun der Rechner meiner Schwester wieder virenfrei. War infiziert mit Beagel, und das gleich 11 mal :). Jetzt nicht mehr… hoffentlich.

• ... login as root on a remote server after 3 o’clock in the morning…

• ... to then play around with kldload (load kernel module), especially if you accidentially load the ipfw (firewall) kernel module, whose default setting is deny any access :)

Once you did this, your only chance of gaining remote access to your server again is to request a reboot of your machine. This is what happended to me. But: No Risk no Fun :)

For the purpose of maintaining changes to configuration files on our server, I wrote some time ago a little shell script called scm. Today I added some new features, mainly support for rsync to make space usage more efficient (optionally it uses pax so it works out-of-the-box on a FreeBSD system), but also a log subcommand and some fixes.

Download and try it: scm. Rename it to ’/usr/local/bin/scm’. Then let’s start:

scm help
scm init /tmp/repos
scm add some-file
scm add some-other-file
scm status
scm diff
scm commit
scm log

Note that due to recording which packages are currently installed on a FreeBSD system, scm will fail on other systems. You can avoid this by simply overwriting function scm_custom_action.

Um zwei Verzeichnisse auf Unterschiede hin zu überprüfen gibt es unter FreeBSD das wunderbare Programm mtree. Man wendet es wie folgt an, um Verzeichnis dir1 mit dir2 zu vergleichen:

mtree -c -k cksum -p dir1 | mtree -k cksum -p dir2

Der erste Befehl generiert eine Spezifikation von dir1 unter Hilfe von Prüfsummen pro File. Diese Spezifikation wird dann mit dem zweiten Befehl verglichen.

How to copy the files of a hard-disk from one computer to another, across a network, without loosing file attributes? That’s kind of easy using pax and ssh (pax is probably only available on BSD. cpio on others will do fine, too):

cd directory/to/copy
pax -w -x sv4crc . |
  ssh root@remotehost "cd directory/to/copy/into && pax -r -p e"

You should use "root", to maintain correct ownership of files. Use format sv4crc, as most other formats are limited to a path-length of 255.

To double-check that all files were transfered correctly, make use of mtree:

cd directory/to/copy
mtree -c -k md5digest -p . |
  ssh root@remotehost "cd directory/to/copy/into && mtree -k md5digest -p ."

If there’s no output, everything is OKAY!

Edit your prefs.js file located somewhere inside the .thunderbird directory, and add or modify the following two lines:

user_pref("network.protocol-handler.app.http", "/usr/local/bin/konqueror");
user_pref("network.protocol-handler.app.ftp", "/usr/local/bin/konqueror");

I got my external USB-connected 300 GB Seagate harddisk today. The first thing I tried was to install FreeBSD 6.0 Beta-1 on it. I quickly recognized that my BIOS would not recognize the USB-connected harddisk to boot from. After some research I found this workaround:

1. Boot from FreeBSD 6.0 CD-ROM.
2. Escape to the boot loader and type set boot_askname.
3. At the "mountroot>" prompt type ufs:da0s1a

And voila, it boots from the root partition of the first slice of da0. Note that the kernel will be loaded from the CD-ROM and not from the USB harddisk.

1. Create public/private key-pair (replace "mneumann" with your name):

   ssh-keygen -t dsa -b 2048 -f .ssh/mneumann

2. Append the contents of your local .ssh/mneumann.pub file to the .ssh/authorized_keys file on your server.
3. Now back on your local machine, start ssh-agent. Using bourne-shell (sh, bash):

   eval `ssh-agent -s`

   Or for csh:

   eval `ssh-agent -c`

4. Add your key to be handled by the ssh-agent (you have to type in the password you gave during step 1):

   ssh-add $HOME/.ssh/dneumann

5. Ready! You should now be able to login without specifying a password.

Pretty easy (on FreeBSD):

cdparanoia -B -- "1-"
burncd -f /dev/acd0 audio *.wav fixate

Today I wrote RuBackup, my own backup program, of course in Ruby. I am now using it instead of Flexbackup, which is a very decent backup program written in Perl that I used before.

It creates CPIO archives (new portable format, w/o CRC), and compresses them on the fly if desired. Note that it’s all pure Ruby, so that you don’t have to install the cpio program.

You can download the sources here. Make sure that you get both files cpio.rb and rubackup.rb. Of course it comes without any warranties. USE AT YOUR OWN RISK!

Below is a short example how to use RuBackup:

require 'rubackup'
require 'enumerator'
require 'find'

BACKUP_DIR = '/backup/%s'

Collection.new('projects', BACKUP_DIR) {
  Find.to_enum(:find, '/data/projects').to_a
}.backup_monthly

Collection.new('maildirs-home', BACKUP_DIR) {
  files = []
  Dir.glob('/data/home/*/Maildir') do |md|
    Find.find(md) {|path|
      if File.directory?(path) && %w(.Spam .Trash).include?(File.basename(path))
        Find.prune # skip those directories
      else
        files << path
      end
    }
  end
  files
}.backup_monthly

Collection.new('rcs', BACKUP_DIR) {
  Dir['/**/RCS'].select {|path| File.directory?(path)}.
  collect {|path| Find.to_enum(:find, path).to_a}.flatten
}.backup_weekly

Collection.new('etc', BACKUP_DIR) {
  Find.to_enum(:find, '/etc').to_a +
  Find.to_enum(:find, '/usr/local/etc').to_a
}.backup_weekly

Call this script daily (via crontab or /etc/periodic/daily) to create daily incremental backups. When backup_monthly is specified, it will create a full backup every first day of the month, or in the case of backup_weekly, every first day of the week.

Note that I’m using Find.find most of the time in the example above instead of Dir.glob, as the latter does not include dotfiles by default.

Why another backup program?

I wrote RuBackup, as I wanted to be able to perform an arbitrary number of incremental backups. This wasn’t possible with flexbackup or at least I didn’t knew how. Furthermore, I wanted to be able to specify exactly which files to backup and which not. For this purpose, Ruby is very powerful.

Today, I ported Algae, a programming language for numerical analysis, and submitted it to the FreeBSD ports collection.

As it was my first FreeBSD port (I submitted several NetBSD ports in the past), it took me about two hours to make it perfect. But the next time it will require no more than 15 minutes, as it’s really simple, once you’ve got the idea.

Now you can install it by simply typing:

portinstall algae

Or if you haven’t installed portinstall (BTW it’s written in Ruby):

cd /usr/ports/math/algae
make && make install && make clean

Here’s the problem report:

www.freebsd.org/cgi/query-pr.cgi?pr=ports/52397

This article describes the steps neccessary to setup Postfix acting as SMTP client, using SASL authentification and SSL/TLS encryption.

Nowadays, most modern mail clients like Evolution or Mozilla-Mail include a full-featured SMTP client to send email to a central mail-relay (usually your providers’ one). And they usually support SASL authentification and encryption over SSL/TLS, as your provider will (hopefully) not accept mail for relay by everyone. But other email clients still exist - the famous mutt for example - that do not come with a SMTP client at all.

Installation

Build Postfix with Cyrus-SASLv2 and SSL/TLS support.

Configuration

Edit /usr/local/etc/postfix/main.cf where you add the following lines:

relayhost = mailhost
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps=static:username:password
smtp_use_tls = yes

sender_canonical_maps=hash:/usr/local/etc/postfix/sender_canonical

Replace mailhost with your provider’s mail server, username and password with your own mail account settings.

Further create the sender_canonical file with following content:

@your.localhost.domain your-real-address

On my system that looks this way:

@michael.neumann.all mneumann@ntecs.de

This will rewrite the envelope address from mneumann@michael.neumann.all (that’s my local address) to mneumann@ntecs.de (that’s my remote address). You still need to build the hash database:

postmap /usr/local/etc/postfix/sender_canonical

Finally, make sure the main.cf file is not world readable (chmod 640), as it contains your password!

Notes

If you are your own provider (I am), and you’re using Postfix as your mail-relay, make sure that the permit_sasl_authentificated directive comes before any of the reject_xxx directives. This makes live easier with mail programs that produce mails with missing headers.

Written by Michael Neumann (mneumann@ntecs.de).

Acknowledgements: This howto relies heavily on Kirby Menzel and Lucas Peet’s great Postfix+Courier-IMAP+MySQL for multiple domains HOWTO (kirb.insanegenius.net/postfix.html). In the underlying howto, I list the steps I’ve used for my own setup. It has an additional section about SMTP authentification using Cyrus SASL (and Mysql) and some more information not found in the above howto.

Required Software

• (FreeBSD 4.8)
• Postfix
• Courier-IMAP
• MySQL
• OpenSSL (SSL/TLS)
• Cyrus SASL v2

Installing Mysql Database

cd /usr/ports/databases/mysql40-server
make install BUILD_OPTIMIZED=yes
make clean

A group mysql and user mysql has been added automatically, as well as a startup script /usr/local/etc/rc.d/mysql-server.sh.

After starting the mysqld server, modify the password with:

/usr/local/bin/mysqladmin -u root password 'new-password'

When calling mysqladmin later, pass the -p option, which will ask you for the current password, otherwise the access will be denied.

TIP: use security/apg, the automated password generator, to create a password.

Installing postfix

cd /usr/ports/mail/postfix
make
  (choose "Cyrus SASLv2", "SSL and TLS" and "MySQL map lookups" as options,
   then in SASLv2 menu, choose "MySQL password Authentification")
make install
make clean

Note that this will additionally install the Mysql-323 client libraries (if you’ve installed MySQL 4.x).

Modify /etc/mail/mailer.conf to use Postfix, or let the install program do that for you (make install will ask you).

For automatic startup when system starts, disable sendmail in /etc/rc.conf:

sendmail_enable="NONE"

Then make the following symbolic link:

cd /usr/local/etc/rc.d
ln -s /usr/local/sbin/postfix postfix.sh

Important: The MySQL server should be started before postfix (rename mysql-server.sh into 100.mysql-server.sh or something alike; number go before characters).

Then create /etc/periodic.conf with following content:

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

This will disable some Sendmail-specific daily maintenance routines.

Check /etc/mail/aliases, then run newaliases, otherwise Postfix will not be able to deliver mail locally (unless you setup virtual domains etc.) Local mail will be usually delivered to /var/mail.

You can disable sending email locally (using sendmail) by setting the following option in main.cf.

mydestination =

But make sure you know what you are doing!

Setting up the Mysql tables

mysql -p -u root

create database maildb;

CREATE TABLE transport (
  domain varchar(128) NOT NULL,
  transport varchar(128) NOT NULL,
  UNIQUE KEY domain (domain)
) TYPE=MyISAM;

CREATE TABLE users (
    id varchar(128) NOT NULL,
    address varchar(128) NOT NULL,
    clear varchar(128) NOT NULL,
    crypt varchar(128) NOT NULL,
    name varchar(128) NOT NULL default '',
    uid smallint(5) unsigned NOT NULL default 5000,
    gid smallint(5) unsigned NOT NULL default 5000,
    home varchar(128) NOT NULL,
    domain varchar(128) NOT NULL,
    maildir varchar(255) NOT NULL,
    quota integer unsigned NOT NULL,
    imapok tinyint(3) unsigned NOT NULL default '1',
    PRIMARY KEY  (id),
    UNIQUE KEY id (id),
    UNIQUE KEY address (address),
    KEY id_2 (id),
    KEY address_2 (address)
  ) TYPE=MyISAM;

CREATE TABLE virtual (
    address varchar(255) NOT NULL,
    goto varchar(255) NOT NULL,
    UNIQUE KEY address (address)
) TYPE=MyISAM;

GRANT SELECT
ON maildb.*
TO maildb_user@localhost
IDENTIFIED BY '****chose a password here****'
;

The user maildb_user will be used by both Postfix and Courier.

Modify Postfix’s main.cf

Add these lines:

transport_maps=mysql:/usr/local/etc/postfix/mysql_transport.cf
virtual_mailbox_maps=mysql:/usr/local/etc/postfix/mysql_virtual_mbox.cf
virtual_uid_maps=mysql:/usr/local/etc/postfix/mysql_uids.cf
virtual_gid_maps=mysql:/usr/local/etc/postfix/mysql_gids.cf
virtual_mailbox_base=/var/spool/postfix/virtual/
virtual_maps=mysql:/usr/local/etc/postfix/mysql_virtual.cf
# 100 MB
virtual_mailbox_limit=102400000
virtual_minimum_uid=100

…and create the mysql_XXX.cf files:

# mysql_transport.cf
user=maildb_user
password=******
dbname=maildb
table=transport
select_field=transport
where_field=domain
hosts=localhost

# mysql_virtual_mbox.cf
user=maildb_user
password=*****
dbname=maildb
table=users
select_field=maildir
where_field=address
hosts=localhost

# mysql_uids.cf
user=maildb_user
password=*****
dbname=maildb
table=users
select_field=uid
where_field=address
hosts=localhost

# mysql_gids.cf
user=maildb_user
password=*****
dbname=maildb
table=users
select_field=gid
where_field=address
hosts=localhost

# mysql_virtual.cf
user=maildb_user
password=******
dbname=maildb
table=virtual
select_field=goto
where_field=address
hosts=localhost

Important: Don’t forget that the mysql_xxx.cf files should not be world readable (mode 400) and chown postfix:postfix them, due to the fact that they contain a mysql password, and the password allows to get the users password out of the table! Whenever you modify these files, make sure it is readable by postfix:postfix (e.g. if you check the file out of a RCS repository, beeing the root user, the file will be owned by root and not by postfix, so that the postfix daemon cannot read the file anymore!)

Also add $transport_maps to mydestination.

Finally Steps

Create /var/spool/postfix/virtual/ and chown it to user/group postfix. For each user, create a mailbox directory and chown it to them.

Filling Data into the Mysql tables

For creating the crytped password, use Mysql’s encrypt function.

A simple example (one domain, one user, multiple aliases):

mysql> select * from transport;
+----------+-----------+
| domain   | transport |
+----------+-----------+
| ntecs.de | virtual:  |
  +----------+-----------+
1 row in set (0.01 sec)

mysql> select * from users;
+---------+------------------+-------+---------------+-----------------+------+------+...
| id      | address          | clear | crypt         | name            | uid  | gid  |
+---------+------------------+-------+---------------+-----------------+------+------+...
| michael | michael@ntecs.de | abc   | 9GZRP/ADKguPk | Michael Neumann | 5000 | 5000 |
+---------+------------------+-------+---------------+-----------------+------+------+...
...+----------------------------+----------+-------------------+-----------+--------+
   | home                       | domain   | maildir           | quota     | imapok |
...+----------------------------+----------+-------------------+-----------+--------+
   | /var/spool/postfix/virtual | ntecs.de | ntecs.de/michael/ | 102400000 |      1 |
...+----------------------------+----------+-------------------+-----------+--------+

1 row in set (0.00 sec)

mysql> select * from virtual;
+-------------------+------------------+
| address           | goto             |
+-------------------+------------------+
| mneumann@ntecs.de | michael@ntecs.de |
| @ntecs.de         | michael@ntecs.de |
+-------------------+------------------+
2 rows in set (0.00 sec)

TODO: It might be a good idea to rename table users to mailbox, virtual to aliases and perhaps transport to domain.

NOTE: Each email that should be deliverable, must have an entry in the virtual table, even if it points to itself (e.g. mneumann@ntecs.de => mneumann@ntecs.de).

For more information about Postfix and Mysql read /usr/local/share/doc/postfix/MYSQL_README.

Courier Imap

cd /usr/ports/mail/courier-imap
make WITHOUT_PAM=yes WITH_MYSQL=yes
make install

After installation, we first create a certificate for imapd-ssl. First edit /usr/local/etc/courier-imap/imapd.cnf (copy from imapd.cnf.dist):

RANDFILE = /usr/local/share/courier-imap/imapd.rand

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=DE
L=Frankfurt
O=Courier Mail Server
OU=Automatically-generated IMAP SSL key
CN=localhost
emailAddress=postmaster@ntecs.de

[ cert_type ]
nsCertType = server

Edit the [ req_dn ] section as you like.

Then, create the certificate with:

/usr/local/share/courier-imap/mkimapdcert

Now we’ll copy the example configuration files to their real name:

cd /usr/local/etc/courier-imap
mv authdaemonrc.dist authdaemonrc
mv authmysqlrc.dist authmysqlrc
mv imapd.dist imapd
mv imapd-ssl.dist imapd-ssl

Edit authdaemonrc and remove all but "authmysql" from authmodulelist.

Edit authmysqlrc:

MYSQL_SERVER            localhost
MYSQL_USERNAME          maildb_user
MYSQL_PASSWORD          *****
MYSQL_SOCKET            /tmp/mysql.sock
MYSQL_DATABASE          maildb
MYSQL_USER_TABLE        users
MYSQL_CRYPT_PWFIELD     crypt
MYSQL_UID_FIELD         uid
MYSQL_GID_FIELD         gid
MYSQL_LOGIN_FIELD       id
MYSQL_HOME_FIELD        home
MYSQL_NAME_FIELD        name
MYSQL_MAILDIR_FIELD     maildir
MYSQL_QUOTA_FIELD       quota
MYSQL_WHERE_CLAUSE      imapok=1

Edit imapd:

nothing to edit for now

In imapd-ssl there are two important options:

IMAPDSSLSTART=NO     (enables imapd over SSL)
IMAPDSTARTTLS=YES    (imap via TLS: TLS is application level encryption)

Both should be set to these values by default, so no editing is needed here.

Setting IMAPDSSLSTART=YES and IMAPDSTARTTLS=NO would work too, but TLS is newer, so we’ll use it here, and I believe it transmits unsensitive data in clear text (the connection establishing part, until password and data is transfered, then switchs to encryption). Again I think, TLS is easier to cope with in terms of logging etc.

Do some cleanup:

cd /usr/local/etc/rc.d
rm courier-imap-imapd.sh.sample    (we don't need this)
rm courier-imap-pop3d.sh.sample    (we don't need this either)
ln -s /usr/local/libexec/courier-imap/imapd-ssl.rc courier-imap-imapd-ssl.sh

And start the daemon (or reboot):

sh /usr/local/etc/rc.d/courier-imap-imapd-ssl.sh start

Postfix SMTP Setup

By default, everyone from everywhere (untrusted client) is allowed to send your postfix server mail he is responsible for (mydestination paramter, or relay_domains), whereas relaying to other hosts is not allowed.

Only allow relaying on the host itself by setting:

mynetworks_style = host

Remove saslauthd.sh from /usr/local/etc/rc.d as we don’t need it:

cd /usr/local/etc/rc.d
rm saslauthd.sh

In /usr/local/lib/sasl2 create file smtpd.conf:

# smtpd.conf
pwcheck_method:auxprop
mech_list: plain login

mysql_user: maildb_user
mysql_passwd: *******
mysql_hostnames: localhost
mysql_database: maildb
mysql_statement: select clear from users where id = '%u'
# mysql_verbose: 1

After everything works as expected, we can turn "mysql_verbose" off (comment it out).

Make this file chmod 400, as it contains the mysql database password.

Note that for SASL authentification we need the clear-text password (column clear), whereas for IMAP autentification the crypted-password (column crypt) is required. This is a bit strange.

Again, modify postfix’s main.cf configuration file (in /usr/local/etc/postfix):

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unknown_sender_domain,
  reject_unauth_pipelining,
  reject_unknown_recipient_domain,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_non_fqdn_hostname,
  check_relay_domains

Enable TLS/SSL

We need a certificate first. But as we still have one for the Courier-IMAP server, we’ll reuse that. We should give it 400 permissions first:

cd /usr/local/share/courier-imap
chmod 400 imapd.pem

Then again, we edit Postfix’s main.cf configuration file, where we add the following:

smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /usr/local/share/courier-imap/imapd.pem
smtpd_tls_cert_file = /usr/local/share/courier-imap/imapd.pem
smtpd_tls_CAfile = /usr/local/share/courier-imap/imapd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# allow authentification (e.g. PLAIN/LOGIN) only in TLS mode
smtpd_tls_auth_only = yes

The last directive (smtpd_tls_auth_only) is very important, as it only allows authentification to be performed when TLS is established. This protects the client, to accidentially send their passwords in clear text.

Todo’s

• run Postfix in chroot’ed environment.
• run Courier-Imap as non-root user
• change /tmp/mysql.sock to /var/mysql/mysql.sock
• use mail/messagewall to protect even more against spam

Some days ago, I wanted to copy all my files from an FTP server to a local directory. I looked for a program that would do this job and finally found ftpcopy (FreeBSD port ftp/ftpcopy).

www.ohse.de/uwe/ftpcopy.html

The commands below did the job (substitute user, password, hostname etc. appropriatly):

mkdir local-dir
ftpcopy -n -u user -p password hostname / local-dir

The slash (/) specifies in this case the remote directory. Option -n tells ftpcopy to not delete the files from the FTP server after they have been copied.

If you want to let others access your RubLog as /blog and not as /blog/index.cgi, put following directive into your Apache configuration file:

ScriptAlias /blog "/home/mneumann/cm/my_rublog/index.cgi"

When using virtual hosting, make sure the following directive is inside your <VirtualHost>:

AddHandler cgi-script .cgi

Replace /home/mneumann/cm/my_rublog/index.cgi with the path to your RubLog CGI script.

Reverse proxying passes HTTP requests arriving at webserver A to another webserver B. The user does not take notice of this step.

Say you want to redirect every path below /proxy on your main webserver to another webserver listening at localhost:8080. All you have to do is to modify your httpd.conf file by adding the following lines:

LoadModule proxy_module libexec/apache2/mod_proxy.so
LoadModule proxy_http_module libexec/apache2/mod_proxy_http.so

<Location /proxy>
        ProxyPass http://localhost:8080
</Location>

Finally restart the main webserver (apachectl restart).

All (important) configuration files should be RCS versioned. To put a file under version control, create a RCS directory in the same directory as the file. Then use ci and co as described below:

ci file

check file into repository and remove it.

co file

checkout file (file will be readonly, so you cannot modify it).

co -l file

checkout file and lock it (you need to lock the file prior to modifying it).

ci -u file

equal to ci file && co file.

ci -l file

equal to ci file && co -l file.

So, to modify a file already under version control, call co -l file. This will check it out in locked mode. After modifying it, use ci -u file to commit your changes and put a copy into the current directory, so that it can be read by daemons or processes.

With a file not yet under version control, proceed as follows:

1. If there’s not yet a RCS directory (in the same directory as the file), create one.
2. Put the (unmodified) file under version control by issuing ci -l file.
3. Modify it.
4. Commit your changes and check the file out, in non-locked mode: ci -u file.

It is extremely dangerous to play with firewall, as it might happen, that you are not able to access your computer anymore, if for example the wrong rule at the wrong place has a syntax error, or your ruleset is simply wrong. The first time I wrote an IPFilter configuration file, I really locked myself out (all except SSH still worked, but that was enough to press the reset button).

So here is a tip to prevent locking yourself out:

At first edit /etc/rc.conf and disable the firewall by setting firewall_enable="NO" (do not forget to reverse this step later).

Next, open up two ssh sessions and become root user. Now, before you change your rules, type at the other terminal:

sleep 100 && reboot

Then apply the firewall rules (ipfw flush && ipfw /etc/ipfw.rules). If you’ve not locked yourself out, you can simply abort the "software watchdog timer" by typing Ctrl-C, whereas in the case you’ve locked yourself out, the computer will reboot after 100 seconds and as we’ve disabled the firewall in rc.conf, after reboot it will be open up for you again.

Security Announchements

Subscribe to FreeBSD-security-notifications@FreeBSD.org

Make System Files Unchangable

Make kernel and /bin unchangeable:

chflags schg /kernel
chflags -R schg /bin
chflags -R schg /modules

To undo use noschg instead schg.

Even root cannot delete / modify them (when in securelevel >= 2). So be careful to not make your rc.conf files unchangable, unless you exactly know what you do.

To display file flags use ls -lo.

Securelevels

Level -1:

no restrictions

Level 1:

• Cannot load / unload kernel modules
• Disabled /dev/mem etc.
• no access to raw devices
• no X windows

Level 2:

Same as level 1 plus the following:

• cannot write diretly to mounted / unmounted filesystems
• cannot alter system time by more than 1 second

Level 3

Same as level 2 plus the following:

• cannot modify ipfw rules.

Conclusion

As long as you’re not modifying your firewall rules very often, run Securelevel 3, otherwise go with Securelevel 2. On my private co-location server, I’m running Securelevel 2, as I need to modify firewall rules from time to time (e.g. enable another port for a user).