DKIM: DomainKeys identified mail
Tuesday, March 9. 2010
In a last effort to save e-mail from being obsoleted, some guys at Yahoo thought of the DomainKeys system to prevent message spoofing. SMTP servers that are DomainKeys-aware can check the contents of the message to find out whether it was really sent by the person mentioned in the From: mail header.
To be honest, I'm more of a fan of SPF. It's an incredibly simple protocol and I really can't think of any reason it shouldn't be used by any mail server. (Interestingly, the Yahoo mail servers don't use it, probably to boost acceptance of DomainKeys.) Let's explain SPF first, since it is so much easier.

In a nutshell: SPF uses DNS records to identify which IPs are allowed to send mail for a domain. So a server receiving mail from somebody@example.com would fetch the SPF record of example.com and check whether the IP of the connected SMTP client is actually allowed to send mail originating from the example.com domain. That's it, it's that easy. Since I'm hosting my own mail server, my domain's SPF record just mentions my mail server's IP (actually, it doesn't mention the IP directly, but refers to its DNS A record). A server receiving an e-mail that was allegedly sent by me will just have to check whether the SMTP client is in fact my own mail server and, if it isn't, reject the mail.

DomainKeys is a little more advanced. Instead of checking the IP, it checks the contents of the message. It's as if the mail server signs the message on your behalf. Using DKIM, each outgoing message is signed with the server's private key, and DKIM signatures present in an incoming message are checked against the originating server's public key. That public key, by the way, is distributed using a DNS record, similar to the way SPF records are distributed.

Here are the steps I did to get DKIM working on my server. First, create an RSA key pair:

openssl genrsa -out private.key 1024

Now you'll have to add the public key to your domain(s)' DNS entry. Do this by adding a TXT record for selector._domainkeys.yourdomain.com, where selector can be anything, but make sure to mention the same selector in the config file.

Next, install dkim-filter and edit the Domain, KeyFile and Selector settings in /etc/dkim-filter.conf.
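The SPF check just described, as an added worked example (my own Python, not code from the original post): a minimal evaluator that fetches a domain's v=spf1 record from a constructed zone table standing in for DNS and tests the connecting SMTP client's IP against the record's mechanisms, including the "a" mechanism that points at the domain's own A record instead of naming an IP. All zone data, domains and addresses are constructed for the example; a real verifier would also count DNS-querying terms against the lookup limit and handle the redirect= modifier, which this example skips.

```python
import ipaddress
import re

# Constructed zone data standing in for live DNS lookups (documentation
# address ranges only; none of these are anybody's real records).
ZONE = {
    "example.com": {
        "A": ["192.0.2.10"],
        "MX": ["mail.example.com"],
        "TXT": ["v=spf1 a mx ip4:198.51.100.0/24 include:_spf.partner.example -all"],
    },
    "mail.example.com": {"A": ["192.0.2.25"]},
    "_spf.partner.example": {"TXT": ["v=spf1 ip4:203.0.113.5 ~all"]},
    # The pattern from the post: the record names no IP at all, it just
    # refers to the domain's own A record.
    "example.net": {"A": ["192.0.2.40"], "TXT": ["v=spf1 a -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # assumed recursion bound for include:, stands in for the DNS lookup limit


def lookup(name, rtype):
    """Stand-in resolver: records of type rtype for name (empty list if none)."""
    return ZONE.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """The domain's SPF TXT record, or None when it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def _target_and_prefix(rest, domain):
    """'[:host][/prefix]' -> (host or the current domain, prefix or None)."""
    if rest.startswith(":"):
        rest = rest[1:]
    host, _, prefix = rest.partition("/")
    return (host or domain), (prefix or None)


def _host_matches(client, host, prefix):
    """True if any A record of host covers client (widened to /prefix if given)."""
    for addr in lookup(host, "A"):
        net = ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False)
        if client in net:
            return True
    return False


def check_host(ip, domain, depth=0):
    """Evaluate the client IP against domain's SPF record.

    Returns pass / fail / softfail / neutral / none / permerror, the result
    names a real SPF verifier reports. Mechanisms handled: all, ip4, ip6,
    a, mx, include. Modifiers such as redirect= and exp= are skipped.
    """
    if depth > MAX_DEPTH:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:  # modifier, not a mechanism
            continue
        m = re.match(r"^([A-Za-z0-9]+)(.*)$", term)
        if not m:
            return "permerror"
        mech, rest = m.group(1).lower(), m.group(2)
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = client in ipaddress.ip_network(rest.partition(":")[2], strict=False)
        elif mech == "a":
            host, prefix = _target_and_prefix(rest, domain)
            matched = _host_matches(client, host, prefix)
        elif mech == "mx":
            host, prefix = _target_and_prefix(rest, domain)
            matched = any(_host_matches(client, mx, prefix) for mx in lookup(host, "MX"))
        elif mech == "include":
            host, _ = _target_and_prefix(rest, domain)
            matched = check_host(ip, host, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.25", "198.51.100.77", "203.0.113.5", "203.0.113.9"):
        print(ip, check_host(ip, "example.com"))
```

The result a receiving server acts on is the qualifier of the first matching mechanism, so the order of terms in the record matters: the "-all" at the end is what turns an unknown client into a hard fail, while the partner domain's "~all" only produces a softfail.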
In /etc/dkim-filter.conf, set:

Domain = comma-separated list of domains for which to sign the mail
KeyFile = path to the private key created above
Selector = the domain name prefix used in the TXT record

The package itself is installed with:

sudo apt-get install dkim-filter

Add the following to /etc/postfix/main.conf:

# DKIM

and restart postfix. To test whether it's working as it should, send yourself a mail and inspect the headers. Or, you could for example send a mail to a Gmail account: Gmail will show that the mail is "signed-by" your server.

Site moved!
Saturday, February 27. 2010
I've moved this blog from directnic.com to my own VPS. This blog is using Serendipity, which consists of a bunch of files for the webserver and a MySQL database. (During the move I noticed that the new version supports an SQLite backend, which would have made this whole process a lot easier.)
What I did:
- Dump the MySQL database using mysqldump.
- In the MySQL client: create a new database using CREATE DATABASE xxx, select it using use xxx and execute the exported SQL script using source dumpfile.
- Configure an Apache virtual server for the lunesu.com domain. Note to self: must check "Include all addresses" in Webmin's Networking and Addresses Apache configuration tab. Apply the new Apache configuration.
- Add lunesu.com to my local hosts file, to be able to test the new site without having to change the DNS settings.
- Oops: ncftp did not get serendipity_config_local.inc.php because it was readable by user httpd only! The only way I was able to copy this file was by uploading a dummy PHP script with the following contents:

<?php
header('Content-Type: text/plain');
readfile("serendipity_config_local.inc.php");

- Point the installation at its new path in the database:

UPDATE serendipityConfig SET value="/var/bla/path" WHERE name="serendipityPath";

- I also had to change some folder permissions: chmod 1777 . archives upload plugins templates_c
- The Serendipity Weather sidebar plugin failed to work. I read that it needs the PEAR Services_Weather module for PHP, so I installed that using sudo apt-get install php-services-weather. Unfortunately, that completely borked my site. I was able to track this down to a function in Serendipity called get_plugin_title. Apparently, even with that module installed, the weather plugin still wouldn't work. Fix: disable the weather plugin.

aolcdn.com is being blocked...
Wednesday, January 27. 2010
...and it fucks up most of the sites I visit daily.
Apparently AOL offers the open-source Dojo framework on its Content Delivery Network and many sites make use of it. Come on, AOL, change your IP or something (it's not the DNS, since I'm already using Google's).

Installing Ubuntu packages from a newer repository
Friday, January 22. 2010
As I've explained earlier, I have my incoming and sent mail in a single IMAP folder. To make this folder more readable I use a Thunderbird mail filter to add a "Sent" tag to the outgoing mail. This also causes the sent mail to be colored differently from the received mail.
Unfortunately, the tags don't stick. They should be saved into the mail using the X-Keywords header, but for some reason they aren't. I've read somewhere that this is a known problem with Dovecot 1.0.10, which is the version that comes with my server's Ubuntu 8.04 LTS. The LTS stands for Long Term Support, but unfortunately this bug is not considered important enough to release a new package for. Normally there's a good chance that the -backports repositories contain these kinds of updates, but in this case hardy-backports did not have a newer version of Dovecot.

So how do you install a newer version of a package in a way that doesn't mess your system up too much? The nice guys at the Beijing Linux User Group pointed out that I can download the .deb file from a newer repository and then install it using sudo dpkg -i. This works fine, but dpkg, as opposed to apt, does not automatically install dependencies. Fortunately for me I only had to manually update SQLite (the same way) and the new Dovecot (from Intrepid) was good to go! After installing a package, it is advised to run sudo apt-get -f update in order to resolve any pending dependency issues.

Another solution that was suggested to me was to add the Intrepid repositories to /etc/apt/sources.list, but this is pretty scary, since it can cause a whole bunch of unpredictable updates. Some of this can be managed using apt pinning, by specifying which repository can be used for which package, but it's still a lot more complex than the manual installation of 3 deb files.

Writing portable code is pretty hard...
Monday, January 11. 2010
I've decided to make a small Wake-On-Lan program that I can register as a scheduled task in order to wake up my NAS. This task must be executed every minute or else the NAS will shut down again, so to minimize system resources I decided to write this thingy in plain old C, without using any functions that would need the CRT.
As if that wasn't bad enough, I tried to make it portable: buildable using different compilers on different platforms. Here's the result:

// Portable Wake-On-Lan by Lionello Lunesu, placed in the public domain
#ifdef _WIN32
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <winsock2.h>
#ifdef _MSC_VER
#pragma comment(lib, "ws2_32.lib")
#endif
#else
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   // htons
#include <unistd.h>      // close
#include <errno.h>
typedef unsigned char BYTE;
typedef char TCHAR;
typedef int BOOL;
typedef int SOCKET;
#endif
//#include <stdio.h>

#define MACLEN (6)
#define PACKLEN (17*MACLEN)  // 6 sync bytes followed by 16 copies of the MAC

// Value of a hex digit; the caller has already checked it with ValidHex()
int H2I(TCHAR m) {
    return m <= '9' ? m - '0' : (m | 32) - 'a' + 10;
}

BOOL ValidHex(TCHAR t) {
    return (t >= '0' && t <= '9') || (t >= 'a' && t <= 'f') || (t >= 'A' && t <= 'F');
}

#ifdef _WIN32
int WINAPI WinMain(
    HINSTANCE hInstance,
    HINSTANCE hPrevInstance,
    LPSTR lpCmdLine,
    int nCmdShow
)
{
    WSADATA wsaData;
#else
int main(int argc, char* argv[])
{
    const char* lpCmdLine = (argc == 2 ? argv[1] : NULL);
#endif
    struct sockaddr_in addr;
    int t = 0, i;
    SOCKET sock;
    TCHAR nibble1, nibble2;
    BOOL BroadCast = 1;
    char pack[PACKLEN];

    if (lpCmdLine == NULL) {
        //printf("Usage: wol <MAC>\n");
        return -3;
    }
#ifdef _WIN32
    // Initialize Winsock
    i = WSAStartup(MAKEWORD(2,2), &wsaData);
    if (i != 0) {
        //printf("WSAStartup failed: %d\n", i);
        return i;
    }
#endif
    // Synchronization stream: FFFFFFFFFFFF
    while (t < MACLEN)
        pack[t++] = 0xFF;
    // First copy of the MAC, parsed from the command line; separators
    // (anything that isn't a hex digit) are skipped
    for (i=0; t < MACLEN+MACLEN; ++i) {
        nibble1 = lpCmdLine[i];
        if (nibble1 == 0)
            return -1;   // input ended before 6 bytes were read
        if (!ValidHex(nibble1))
            continue;
        nibble2 = lpCmdLine[++i];
        if (!ValidHex(nibble2))
            return -2;   // a hex digit must be followed by another hex digit
        pack[t++] = (H2I(nibble1) << 4) | H2I(nibble2);
    }
    // Repeat the MAC 15 more times
    for (;t < PACKLEN; ++t)
        pack[t] = pack[t - MACLEN];

    sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
#ifdef _WIN32
    if (sock == INVALID_SOCKET) {
        i = WSAGetLastError();
    }
#else
    if (sock < 0) {
        i = errno;
    }
#endif
    else {
        i = setsockopt(sock, SOL_SOCKET, SO_BROADCAST, (const char*)&BroadCast, sizeof(BroadCast));
        addr.sin_family = AF_INET;
        addr.sin_addr.s_addr = 0xFFFFFFFF;   // limited broadcast, 255.255.255.255
        addr.sin_port = htons(9);            // "discard" port, in network byte order
        t = sendto(sock, pack, PACKLEN, 0, (struct sockaddr*)&addr, sizeof(addr));
#ifdef _WIN32
        if (t != PACKLEN)
            i = WSAGetLastError();
        closesocket(sock);
#else
        if (t != PACKLEN)
            i = errno;
        close(sock);
#endif
    }
#ifdef _WIN32
    WSACleanup();
#endif
    return i;
}
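The receiving side of the packet built above, as an added example (my own Python, not part of the original post): it builds the same 102-byte payload from a MAC string, validates a datagram as a well-formed magic packet, and flags magic packets in a small constructed capture, which is what a network monitor would do to spot wake-ups on a segment. The optional 4- or 6-byte SecureOn password trailer is an extension some NICs accept and is an assumption of this example; the sample datagrams, addresses and MACs are constructed.

```python
import string

MACLEN = 6
SYNC = b"\xff" * MACLEN   # the FF FF FF FF FF FF synchronization stream
PACKLEN = 17 * MACLEN     # sync + 16 copies of the MAC, as in the C program


def parse_mac(text):
    """Turn '00:11:22:33:44:55', '00-11-22-33-44-55' or '001122334455' into 6 bytes.

    Like the C program, anything that is not a hex digit is skipped as a separator,
    but exactly 12 hex digits must remain."""
    digits = "".join(c for c in text if c in string.hexdigits)
    if len(digits) != 2 * MACLEN:
        raise ValueError("expected exactly 12 hex digits in the MAC address")
    return bytes.fromhex(digits)


def build_magic_packet(mac_text, password=b""):
    """Build the UDP payload the C program sends, plus an optional SecureOn password
    (assumed extension: 4 or 6 trailing bytes)."""
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 0, 4 or 6 bytes")
    return SYNC + parse_mac(mac_text) * 16 + password


def parse_magic_packet(payload):
    """Return (mac, password) if payload is a well-formed magic packet, else None.

    mac is the colon-separated lowercase string; password is b'' when absent."""
    if payload[:MACLEN] != SYNC:
        return None
    if len(payload) - PACKLEN not in (0, 4, 6):
        return None
    mac = payload[MACLEN:2 * MACLEN]
    if payload[MACLEN:PACKLEN] != mac * 16:
        return None  # the 16 copies disagree, so this is not a magic packet
    return ":".join(f"{b:02x}" for b in mac), payload[PACKLEN:]


def detect_wol(datagrams, usual_ports=(7, 9)):
    """Scan (src_ip, dst_ip, dst_port, payload) records for magic packets.

    Returns one dict per hit, the shape an IDS-style rule or a log enricher
    would emit; a hit on an unusual port is worth a second look."""
    hits = []
    for src, dst, port, payload in datagrams:
        parsed = parse_magic_packet(payload)
        if parsed is None:
            continue
        mac, password = parsed
        hits.append({
            "src": src, "dst": dst, "port": port, "mac": mac,
            "secureon": bool(password),
            "usual_port": port in usual_ports,
        })
    return hits


# Constructed capture: three wake-ups (one with a SecureOn trailer, one on an
# odd port) and one unrelated datagram that merely starts with other bytes.
SAMPLE = [
    ("192.168.1.20", "255.255.255.255", 9, build_magic_packet("00:11:22:33:44:55")),
    ("192.168.1.20", "192.168.1.255", 7, build_magic_packet("aa-bb-cc-dd-ee-ff", b"\x01\x02\x03\x04")),
    ("192.168.1.30", "192.168.1.1", 53, b"\x12\x34\x01\x00\x00\x01"),
    ("192.168.1.40", "255.255.255.255", 4000, build_magic_packet("00:11:22:33:44:55")),
]

if __name__ == "__main__":
    for hit in detect_wol(SAMPLE):
        print(hit)
```

For the same MAC, build_magic_packet produces byte for byte what the C program above sends to port 9. Because the packet carries no authentication beyond the optional SecureOn bytes, anyone on the broadcast domain can wake the NAS, which is why spotting these datagrams on a monitored segment is useful.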
I've built the program above using GCC on Ubuntu, and MSVC and DMC on Windows. Actually, on Windows this application still needs the CRT, since WinMain isn't exactly the entry point called by the OS: the OS calls an entry point without any arguments and then the CRT extracts the HINSTANCE, command line etc. using the Windows API. So to get the above code free of all CRT use I'd have to use GetCommandLineA and skip the first argument, taking double quotes into account. Easy to do, for sure, but I'm lazy and the program does not load the MSVCRT DLL, which is what I basically wanted.

UPDATE: I have since added a native Windows service wrapper to my WakeOnLan program. Let me tell you: parsing command line parameters without the CRT is not funny! My WOL service's private working set is now around 132KB. Not sure what else I can do to minimize that. (IIRC, there are some EXE headers that can be tuned, like stack size and such. Haven't tried that yet.)

It has begun...
Tuesday, January 5. 2010
For some reason none of my domains' DNS names resolve to IP addresses anymore. I wonder if it has something to do with China's new policy, see China Imposes New Internet Controls.
It basically boils down to this: domain names will not be resolved to IP addresses unless you register your domain (even your foreign domain) with the Chinese authorities. Now I'm no expert in population control and have to admire the Chinese government for their expertise on the subject, but I don't think that the power of the young generation of Chinese should be underestimated. I mean, even when my former colleagues followed a link to a blocked website they would get mad. Now imagine if suddenly the World of Warcraft servers were inaccessible. For the moment, let's hope this is a temporary glitch in my ISP's DNS service.

UPDATE: Screw that, even google.com cannot be resolved. I've just entered the IPs of some US DNS servers in my router configuration. This Chinese DNS service is crap anyway.

UPDATE2: I'm now using 8.8.8.8, Google Public DNS.

Developing under Linux with Eclipse
Sunday, December 13. 2009
I've installed Ubuntu 9.10 on my laptop (next to Windows 7) and actually, it's a pretty usable platform. I don't think there are many things that I do under Windows 7 that I cannot do under Ubuntu.
My favorite app for Windows, by far, is Visual Studio. A good, open-source alternative to Visual Studio is Eclipse. I've used Eclipse before under Windows, mostly for writing some hobby stuff in the D programming language, because the Descent plug-in turns Eclipse into an amazing IDE for programming in D.

To avoid messing with tgz files (I never know where to unpack those) I used Synaptic to install Eclipse. Because of this, my Eclipse was pretty lean and did not have the libraries needed by either Descent or the Android SDK. This was further aggravated by a problem in the installation package, which forgot to add the usual Eclipse update URL to the update sites list. Normally a 3rd party plug-in will automatically fetch all needed libraries from the Eclipse servers, but without any URLs the installations were failing. This was fixed by adding one update site manually: in the Help menu, select Install new software, click Add, and enter the following URL:

http://download.eclipse.org/releases/galileo

There seems to be another bug in Eclipse 3.5 Galileo: sometimes the Install New Software dialog remains empty. But it's not really empty: the checkboxes and the tree collapse/expand buttons are there and work if you click on them, you just can't see them. As always with Linux, I'll get it working eventually, but it just takes a lot of time fixing these quirks.

Postfix + sender_bcc_maps = WIN
Friday, November 20. 2009
I've been using IMAP for my email for years now. I like it, because it allows me to access my mail from any device, anywhere on the globe. But what's been bothering me for all those years is that, when using IMAP, you have to transfer your email twice if you want to keep a copy in the Sent folder. When you think of it, this makes perfect sense: first you send the email using SMTP. SMTP doesn't care about your "sent items" IMAP folder, so to put a copy of the sent message in that folder, you have to transfer it again using IMAP.
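The server-side fix this entry arrives at, Postfix's sender_bcc_maps, boils down to a table lookup keyed by the envelope sender. As an added example (my own Python, not code from the original post), here is a small emulation of such a table in hash: source format together with the lookup order Postfix documents for address-indexed tables: the full address with and then without a +extension, the bare local part when the sender's domain is local, and finally @domain. The map contents, the set of local domains and all addresses are constructed for the example.

```python
# Constructed sender_bcc map in Postfix "hash:" source format (not the author's file).
MAP_SOURCE = """\
# sender                  bcc destination
lionel@example.com        lionel@example.com
support                   ticket-archive@example.com
@example.com              archive@example.com
"""

# Domains Postfix would treat as local ($myorigin / $mydestination); assumed here.
LOCAL_DOMAINS = {"example.com"}


def parse_hash_table(text):
    """Parse the text form of a Postfix hash: table.

    Each non-blank, non-comment line is "key<whitespace>value"; a line that
    starts with whitespace continues the previous entry. Keys are lower-cased,
    matching the case folding Postfix applies to hash: lookups by default.
    The first occurrence of a duplicate key wins, as postmap warns about."""
    table, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last_key is not None:
            table[last_key] += " " + raw.strip()
            continue
        parts = raw.strip().split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed table line: {raw!r}")
        key, value = parts[0].lower(), parts[1].strip()
        table.setdefault(key, value)
        last_key = key
    return table


def lookup_keys(sender, local_domains):
    """Keys tried, in order, for one envelope sender address."""
    if "@" not in sender:
        raise ValueError("envelope sender must be a full address")
    local, _, domain = sender.lower().rpartition("@")
    base = local.split("+", 1)[0]          # local part without its +extension
    keys = [f"{local}@{domain}"]
    if base != local:
        keys.append(f"{base}@{domain}")
    if domain in local_domains:            # bare local part only for local domains
        keys.append(local)
        if base != local:
            keys.append(base)
    keys.append(f"@{domain}")
    return keys


def sender_bcc(table, sender, local_domains=LOCAL_DOMAINS):
    """The BCC address Postfix would add for this sender, or None when no key matches."""
    for key in lookup_keys(sender, local_domains):
        if key in table:
            return table[key]
    return None


TABLE = parse_hash_table(MAP_SOURCE)

if __name__ == "__main__":
    for sender in ("lionel@example.com", "Lionel+blog@Example.COM", "support@example.com",
                   "support@other.example", "bob@example.com"):
        print(f"{sender:28} -> {sender_bcc(TABLE, sender)}")
```

The first entry is the 1:1 "X -> X" mapping the entry describes: mail from lionel@example.com gets a BCC back to the same mailbox. The @example.com catch-all shows why the lookup order matters, since a more specific key always wins over it. In real use the text file still has to be compiled with postmap, and a BCC that bounces is returned to the sender.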
So far I have not been able to find a solution to this conundrum. But then somewhere I saw Postfix's sender_bcc_maps configuration parameter. Using a sender-bcc-map, Postfix can send a BCC to any user, depending on the sender of the message. Basically, if you use a simple 1:1 map like X->X, then any message sent by user X will immediately be delivered to user X's local mailbox as well, and all this happens server side, so the client does not have to transfer the email twice!

To create a sender-bcc-map, first create a new file in the usual Postfix hash format: one mapping per line, where each mapping consists of the sender address followed by the destination address, separated by whitespace. As usual, after editing the map file, run postmap mapfile to create the associated .db file.

You may have noticed that with a sender-bcc-map the email being sent will end up in the sender's inbox. This is actually not a bad thing! Because the message ends up in the inbox, I can finally use Thunderbird's "threaded view"! My inbox looks a lot like a newsgroup now, and I must say I really enjoy it. It's certainly much easier to find a discussion when the original messages and the replies are interleaved. (Yes, like on Gmail, stop it already.) Whether you like it or not: this is definitely a case of killing two birds with one stone.

Home Premium, but still crippled.
Friday, November 20. 2009
Bought this nice 1TB Buffalo NAS and Windows 7 keeps nagging me to set up a backup schedule so I thought: cool, backup to the NAS! No:
You can only save your backups on a network location on Windows 7 Professional, Windows 7 Ultimate, and Windows 7 Enterprise.

Crap. Is this really a "professional" feature? I mean, every family has a HomeGroup/Workgroup by now; networks are hardly a Professional feature anymore. What this means is that there's no way I can get Windows 7 to make backups without intervention, since the only backup destinations supported in Home Premium are ones that require me to insert/connect something, i.e. CDs and USB keys.

My site's no longer blocked!
Tuesday, November 17. 2009
But only because the server got a new IP. Let's see how long it takes for the new IP to get blocked.
Adding network storage to Windows 7 Libraries
Sunday, November 8. 2009
One of the things I like about Windows 7 is the Libraries. These are pseudo-folders that create a view of a collection of folders to make them appear as one. By default there are 4 libraries: Documents, Music, Pictures and Video. Each of the default libraries combines the user's folder with the respective public folder, so the Music Library contains the files from your private music folder "My Music" and the "Public Music" folder.
Of course, it only seems logical that you'd want to add remote folders to those libraries as well. This is allowed for external USB drives, but Windows 7 won't let you add network shares to the libraries! The help file suggests you mark the network share as "Make available offline" and then add the offline folder to the library, but this would basically copy all remote data to your local PC. That can't be right.

There's a hack though. On NTFS you can make softlinks that point to files and folders, either local or remote. After creating a softlink to the remote folder (or share), the softlink can be added to the library. Example:

C:\>mklink /d Remote \\Remote\share

This will create a softlink in the C: root, pointing to the share "share" on the PC called "Remote". The /D creates a symbolic link to a folder. After creation, you can add the folder, or any subfolder, to the libraries.

Disable HomeGroup in Windows 7
Saturday, November 7. 2009
I'm the only Windows 7 machine in my workgroup, so the HomeGroup entry in Explorer's tree view pane is pushing the far more useful Computer and Network entries down. But simply disabling the two HomeGroup services takes care of it!
International Domain Names are here!
Saturday, November 7. 2009
...but apparently the simple HTML encoding tag is still a big problem:
Windows 7, but not yet...
Thursday, October 22. 2009

UPDATE: it finished downloading in ~8,5 hours.

UPDATE2: installing (upgrade) took ~5 hours. Normally I prefer to do a clean install, but I really didn't feel like spending the upcoming weekend hunting for the latest versions and reinstalling all my software. I've heard good things about the Windows 7 upgrade option so I thought I'd test that first. I can always choose to reinstall later. Indeed, so far so good, since I'm writing this using Windows 7, but my first problem: quick launch is gone! I added it as a toolbar in the task bar, but now it shows up on the right, instead of the left.
Competition entry by David Cummins powered by Serendipity v1.0 |