DevHeads.net

Postings by Tom Browder

Are passwords with embedded spaces allowed using htdbm?

I can get htdbm to accept a cleartext password with spaces when using the
mode where I enter the password at the command line, e.g.,

htdbm -cB dbmfilename user

and the password is validated ok using

htdbm -vB dbmfilename user

but I can’t get it to work using the batch mode:

htdbm -cbB dbmfilename user passwordwithspaces

I have tried using single quotes around the password as well as backslashes
before the space without success.

I would love to be able to programmatically use passwords with spaces if
anyone can show me how to do it.

Thanks.

Best regards,

-Tom

New debian server: install postfix from src or package?

I’m in the process of setting up a new server and want postfix.

My question is: should I install from source or use the debian packages?

I have installed from source before, but I would like to ease my maintenance
burden as much as I can, but without sacrificing security.

Thanks.

Best regards,

-Tom

What user should be specified for the opendkim -u UID option?

The docs mention not to use root or postfix for the "-u UID" option. Then
what user should it be? Is a new user to be created for that purpose?
Should that same user own the /var/db/dkim directory and files?

Thanks.

-Tom

mail archiving with bcc to a local user account: any security issues?

I tried to follow the instructions in several links detailing how to use
the always bcc method to archive mail sent through my mail server. However,
I couldn't get the no-home user with a /var Maildir directory to work.

I did get it to work by using a local user as bcc and all the mail goes to
that account fine (the name I picked isn't ideal so I plan to change it
soon).

My question is: is that any less secure than the no-home methods?

Thanks.

-Tom

rejecting mail for unknown recipients

It's not clear to me about mail from the internet to non-local
addresses being automatically rejected unless they are explicitly
listed in the aliases file.

I think the docs mean that I don't have to worry about rejecting mail
from the internet sending to unknown user names.

using libmilter for header injection

I need to add some headers in mail to satisfy gmail and it looks like using
libmilter may be the way to go unless someone suggests otherwise.

I don't see any specific mailing lists for libmilter assistance. Is it fair
to ask here or go elsewhere? If elsewhere, where, then?

Thanks.

-To

mitigating gmail spam traps: how does one add the required headers?

Gmail has a list of steps recommended to minimize spam identification,
particularly mail sent as bulk mail (as from mailing lists).

One of the recommendations is to use DKIM and that is clearly explained on
the postfix website.

The other steps are fairly straightforward, also, but how does one add the
various headers they recommend? I assume it's via a filter, but which one
and how is it done?

Thanks.

-Tom

RHS item separators in alias and virtual lists: comma or space okay?

It's clear that list items in main.cf can be comma or space separated. Is
that also true for alias and virtual lists?

Thanks.

-Tom

Can send but not receive

My remote postfix installation can send but not receive, and I'm sure
I have a bad setting somewhere. When sending to the remote server,
from my personal gmail account I finally get a response from gmail as
shown in the attached file.

I can put my main.cf, master.cf in a github gist if there is any
interest. My mail logs are not interesting at all, at least to me,
but I am happy to put one or more of them on github, too.

Thanks.

-Tom

Fresh start for a postfix setup: how best to do a clean "start over" without a new installation?

I am fooling around with various configuration settings for my postfix
installation and would like to be able to clean out all existing mail and
the existing configuration.

Is there any single command to do that? Or do I have to manually delete
stuff.

I want the system to (1) start with empty queues and (2) no knowledge of
the previous configuration.

Is there any danger to the start-over method regarding external mail
servers which may have been senders of mail that wasn't initially received for
some reason?

Is there any danger to the existing system if I do a start-over?

Many thanks.

-Tom

Recommendations on an spf record?

I'm reading about some conflicting opinions of the spf record (via a
TXT record) and wonder if there is a consensus view among the postfix
developers.

Thanks.

-Tom

Should I be root or postfix user to execute postfix commands?

In spite of its old age, I use the "Postfix" book by Kyle Dent for ease of
basic reference. I am now stepping through configuration and I can't find
whether the postfix commands should be executed as root or the postfix user.

I think it should be as root, but would appreciate an expert opinion.

Thanks.

-Tom

Postfix with no SASL: build problems

In another thread we discussed having TLS but no SASL.

I have tried the latest experimental Postfix and have dropped back to
using v3.2.2.

I am using this configuration:

make makefiles CCARGS="-DUSE_TLS -DNO_IP_CYRUS_SASL_AUTH"

I am using the Debian 8 (wheezy) openssl which is 1.0.1t.

During the build I get lines like this:

[src/smtpd]
gcc -I.

SASL vs. TLS

For secure comm between my null client to my smtp server, do I need SASL if
I use TLS for authentication also?

Thanks.

-Tom

DNS records, mail servers, and domains

I have been soliciting help from this list for some time now in the process
of planning my new single-server, multi-domain web and mail server, with
domains 'domain1.tld1' through 'domainN.tldN'.

I have been experimenting with Let's Encrypt clients with mixed success,
and, as of this morning, think I have all the bugs worked out for all my
domains.

2.4.27 installed, no config change, but web site down!

I installed 2.4.27, along with the latest openssl. No config was changed,
but my server isn't serving.

I show no errors in the error log.

I will try to go back to previous versions to see if I can recover, but
wonder if anyone can guess what has happened.

Thanks.

-Tom

Mailing list manager recommendation?

I need a mailing list manager (MLM) and plan to eventually use GNU Mailman
3 (MM3). Until its installation process is easier, I would like to use an
interim MLM that is easiest to install.

Automatic session expiration with auth_form

Is there any way to cause an auth_form session to expire automatically?

Thanks.

Best regards,

-Tom

Error trying to use 'mod_auth_form' and 'mod_dbd' with sqlite3

I am so close but getting the following error:

[dbd:error] [pid 14137:tid 140512755222272] (20014)Internal error:
AH00632: failed to prepare SQL statements: near "authn_query": syntax
error
[dbd:error] [pid 14137:tid 140512755222272] (20014)Internal error:
AH00633: failed to initialise
[authn_dbd:error] [pid 14137:tid 140512755222272] [client
76.3.0.179:43269] AH01653: Failed to acquire database connection to
look up user 'Browder', referer:
https://canterburycircle.us/login.html

The chunk of my http.conf that I believe may be the problem is here
It's an include file in the main httpd.conf f

apache run status: how to tell as non-root user (on *nix)?

I need to programmatically determine whether httpd is running or not,
whether I'm root or not. The only reliable way I have found is to use the
system command 'ps -C httpd' and grep the results.

Is there a better way?

Thanks.

Best regards,

-Tom

Use of mod_expires and mod_cache: how does one control cache time for specific file extensions?

I want to have *.shtml files parsed more frequently than other files.
Using "mod_expires" seems easy enough but it uses file mime types and
I can't find any mime type for "text/shtml" only.

So I guess my only option is to use "mod_cache" which is not very
straight-forward to use, but it, too, doesn't seem to be able to use
files by extension.

Is there any way to satisfy my need?

Thanks.

Best regards,

-Tom

Executing a cgi program before providing access to a requested html page

I would like my server to update a database every time a new user
accesses a specific page. Currently I do that by embedding a call to
a cgi script via an SSI execution line in each file I want to log
access to. That method doesn't seem to work reliably and I think it
may be due to caching of the html file.

What I'm trying to do is this:

1. Client accesses my page "spec-page.html"
2a. Server uses CGI vars to update a database
2b.

Want friendly error message for failed attempt to access a restricted directory

I am running Apache 2.4.18 and have one site (https://usafa-1965.org)
that requires a client certificate to access a restricted directory
("Classmates Only").

Webmin with Postfix: recommended or not.

I am considering using Webmin on my servers and see that it has a Postfix
module. Does anyone have any experience with it or have an opinion to offer
ref its ability to manage Postfix?

Thanks.

Best regards,

-Tom

Allow comments after an entry in conf and map files

I would love to be able to use comments on the same line as conf and map
file entries. That has probably been requested before, but is it a
definite WILL NOT?

Best regards,

-Tom

Postfix 3.1 and TLS Cert Files

I have a server with several vhosts. I am working on providing mail
services to each with TLS. I have server CA certs and unlocked keys
for each individual vhost.

Is the right way to handle that to put ALL the cert and associated
files in the "smtpd_tls_CApath" directory and run "c_rehash" on that
directory? Or should I keep the three different types of files
concatenated into three files, one of each type?

Thanks.

Best regards,

-Tom

Static code checker research worth investigating (Communications of the ACM, 03/2016, Vol. 59, No. 03, p. 99)

Interesting article in latest issue of subject titled:

"A Differential Approach to Undefined Behavior Detection"

which may describe procedures not used in other static analysis programs.

Article references the authors' website here:

http://css.csail.mit.edu/stack

which contains more info links and a link to the software on github here:

https://github.com/xiw/stack

Best regards,

-Tom

Is it possible to use two different client cert sets?

I have a working system of client certs (which were signed using
SHA1) allowing access to a private area on a website. As we all know, soon
such certs will be a thing of the past since SHA2 will be required.

I have started generating the certs with SHA2, but want to know if I can
use both systems on the same site while I get my users to transition to
their new certs.

Thanks a heap!

Best regards,

-Tom

How to use a local postfix server for outgoing mail only

I want to use my local host as a mail server for outgoing mail only. For
example, send mail to my gmail address with no intervening smtp server
except that on my local host.

How can that be done?

Thanks.

Best regards,

-Tom

Status of mod_psgi?

Does anyone here use mod_psgi? I hear it discussed a bit in the Perl
community in the context of Catalyst, Dancer2, etc., but the repo on
github doesn't look active.

I have just sent a message to the repo owner ( ... at cpan dot org), but I
wanted to check here also.

Thanks.

Best regards,

-Tom