SMTP and HTTPS with DANE

Some days ago I dealt with DNSSEC and DANE in conjunction with SMTP and HTTPS. It is pretty easy to configure BIND with DNSSEC. Add these lines to your zone configuration:

auto-dnssec maintain;
inline-signing yes;
key-directory "/etc/bind/keys";

Generate the zone-signing key and the key-signing key in /etc/bind/keys:

dnssec-keygen -a RSASHA256 -r /dev/random -b 2048 -3 -fk example.com
dnssec-keygen -a RSASHA256 -r /dev/random -b 2048 -3 example.com

Now your hoster needs to publish the DS record in the parent zone to get a fully functional DNSSEC chain of trust. The easiest way to retrieve the required information is dig:

dig @your_name.server dnskey example.com | dnssec-dsfromkey -f - example.com

DANE is as simple as DNSSEC. You only need to publish the certificate hash in your DNS. Assuming your web server and mail server already work with encryption, you can retrieve the hash with ldns-dane:

ldns-dane create example.com 443
# or, for the mail server:
ldns-dane create mx01.example.com 25

With a self-signed cert you can even use openssl (the SHA-256 of the DER-encoded certificate is the data of a "3 0 1" TLSA record):

openssl x509 -in your_cert.crt -outform DER | openssl sha256

Lastly you need to publish the TLSA record built from that output:

nsupdate -l
> ttl 3600
> update add _25._tcp.mx01.example.com. IN TLSA 3 0 1 <sha256-hash-from-the-output-above>
> update add _443._tcp.mail.example.com. IN TLSA 3 0 1 <sha256-hash-from-the-output-above>
> send
> quit

Be careful: always use nsupdate, since you told BIND to maintain the DNSSEC-signed zone itself! Manual changes in the zone files will no longer be picked up.
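The commands above show the hash for one certificate with one selector. The following script is an added example, not code from the original post: it builds the data part of a DANE-EE TLSA record (usage 3, matching type 1 = SHA-256) for both selectors, 0 for the full DER certificate as the openssl pipe above does and 1 for the SubjectPublicKeyInfo only, and checks a certificate against a published record the way a DANE-aware client would. It generates a throwaway self-signed certificate for mx01.example.com so it runs offline; the host name, port and TTL are assumptions taken from the post's records.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the "3 <selector> 1 <hash>"
# data of a DANE-EE TLSA record for both selectors and checks a certificate
# against a published record.
#   usage 3         = DANE-EE: trust exactly this end-entity certificate/key
#   selector 0 / 1  = hash the full DER certificate / only its SubjectPublicKeyInfo
#   matching type 1 = SHA-256
# A selector-1 record stays valid across renewals that reuse the key.
# Assumes an openssl binary with the x509, pkey, req and dgst subcommands.
set -eu

# Hex SHA-256 of the selected part of a PEM certificate.
# $1 = PEM certificate file, $2 = selector (0 or 1)
tlsa_digest() {
    case "$2" in 0|1) ;; *) echo "unsupported selector: $2" >&2; return 1 ;; esac
    if [ "$2" = 0 ]; then
        openssl x509 -in "$1" -outform DER
    else
        openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER
    fi | openssl dgst -sha256 | sed 's/^.*= //' | tr 'A-F' 'a-f'
}

# Print the full TLSA record: $1 = host, $2 = port, $3 = PEM file, $4 = selector
tlsa_record() {
    printf '_%s._tcp.%s. 3600 IN TLSA 3 %s 1 %s\n' \
        "$2" "$1" "${4:-0}" "$(tlsa_digest "$3" "${4:-0}")"
}

# Check a certificate against a published record "<usage> <sel> <mtype> <hex>".
# Returns 0 on match, 1 on mismatch, 2 for record types this example ignores.
tlsa_check() {
    pem=$1; usage=$2; sel=$3; mtype=$4; hex=$5
    [ "$usage" = 3 ] && [ "$mtype" = 1 ] || { echo "only usage 3 / type 1 handled" >&2; return 2; }
    [ "$(tlsa_digest "$pem" "$sel")" = "$(printf '%s' "$hex" | tr 'A-F' 'a-f')" ]
}

# Constructed throwaway key and self-signed certificate (not a real host's).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=mx01.example.com -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
# A renewed certificate for the same key, as a reissue would produce.
openssl req -x509 -key "$WORK/key.pem" -subj /CN=mx01.example.com -days 2 \
    -out "$WORK/cert2.pem" 2>/dev/null

echo "records for the current certificate:"
tlsa_record mx01.example.com 25 "$WORK/cert.pem" 0
tlsa_record mx01.example.com 25 "$WORK/cert.pem" 1
echo "after renewal with the same key:"
for sel in 0 1; do
    if tlsa_check "$WORK/cert2.pem" 3 "$sel" 1 "$(tlsa_digest "$WORK/cert.pem" "$sel")"; then
        echo "selector $sel record still matches"
    else
        echo "selector $sel record no longer matches; republish it before switching certificates"
    fi
done
```

Run it as is to see both records and the renewal behaviour; the selector-0 record breaks on every reissue while the selector-1 record survives as long as the key is reused, which is why many operators prefer "3 1 1". Whichever selector you publish, the new record must be in DNS (and old TTLs expired) before the server starts presenting the new certificate.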


2015-10-20 10:36:02

Z-Push with Dovecot and nginx

Today I tried to activate push mail for my private mail server. And what should I say... It works like a charm.

Prerequisites:

  • Dovecot IMAP
  • NGINX configured with SSL

To activate it, get the latest version of Z-Push and unpack it to /usr/share/z-push. Now you need to make some configuration changes:

At a minimum, change the backend provider in /usr/share/z-push/config.php:

define('BACKEND_PROVIDER', 'BackendIMAP');

If your IMAP server uses SSL, change the configuration in /usr/share/z-push/backend/imap/config.php:

define('IMAP_PORT', 993);
// '/novalidate-cert' makes PHP's imap_open skip certificate validation;
// drop it if the IMAP server presents a certificate the system trusts
define('IMAP_OPTIONS', '/ssl/novalidate-cert');

Last but not least you have to point https://server.tld/Microsoft-Server-ActiveSync to your Z-Push installation. If you already configured NGINX with SSL you can add a new location to your config:

location /Microsoft-Server-ActiveSync {
    alias /usr/share/z-push/index.php;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    access_log /var/log/nginx/as.log;
    error_log /var/log/nginx/as_error.log;
}

You can test your configuration by opening https://server.tld/Microsoft-Server-ActiveSync in your browser. If you are prompted to authenticate with your username and password, everything works fine.

Now you have configured the server side of your push mail setup. To gain the full functionality on your mobile device, you need to reconfigure your mail client. Choose Exchange as your mail provider. Fill in your username, password and server. Choose "accept all certificates" and use your new push mail account.


2015-02-04 09:39:40

SFTP chroot

To put some users in a chroot for SFTP you need to adjust a few settings in your sshd_config:

Subsystem       sftp    internal-sftp

Match Group sftponly
    ForceCommand internal-sftp -l VERBOSE
    ChrootDirectory /srv/sftp
    X11Forwarding no
    AllowTcpForwarding no

After that you can add a user for SFTP and give them a home directory under your chroot. Use / as the home directory so that the user lands in the right directory (the root of the chroot) after SFTP login:

# useradd -G sftponly -d / -s /usr/sbin/nologin <username>
# mkdir -p /srv/sftp/<username>
# chown <username> /srv/sftp/<username>


2014-05-14 09:05:46

Outlook Web App with Chrome on Linux

Today I noticed that Outlook Web App (OWA) does not work properly with Google Chrome on Linux. OWA switches to the light version automatically without any chance to unselect the checkbox.

A simple trick is to change your browser's user agent to anything OWA supports, e.g. Firefox 3.6, which is in fact supported on all platforms. Now you should have the full functionality of OWA in Chrome on Linux.


2014-04-02 13:55:44

SSLē

Yesterday I found a free SSL issuer which is supported by all major browsers (see here). So I decided to switch my website to SSL only. If you encounter any problems, please leave a message.


2014-03-12 10:08:24

SSL

Perhaps some of you have noticed that my web server has been SSL enabled for quite a while. The root CA is from CAcert.org. You can download it here.


2014-01-31 11:11:17

TMan-1.01

Found a bug which prevents TMan from starting up if you have configured a bike. If you have trouble starting the new version, reinstall this app.


2014-01-24 09:03:45

TMan-1.0

This is my first release of my new Android app. It is a training manager for the Trainingsverwaltung on Rennrad-News.de, a German bicycle forum. With this app you can upload the routes you have ridden. Currently it only supports uploading and analysing your routes; the API doesn't give me anything to modify or download the existing units. It is only in German, because the training manager on RRN is German too.

If I get enough donations (at least $25), I will publish this app to Google Play. But for now you have to use this insecure version from my homepage.

I hope you enjoy it.

Download


2014-01-22 20:42:15

Copy flash videos to disk the second encounter

Since Google is discontinuing support for NPAPI in April 2014, I experimented with the new pepperflash. My old script for saving flash videos to disk doesn't work anymore with this plugin. So I looked around a bit in /proc and found out that there is still a chance to get our videos back:

#!/bin/sh
# PID of the pepperflash process that still holds deleted (cached) video files open
FPID=`lsof | grep Pepper | grep deleted | awk '{print $2}' | sort -u`
DATE=`date +%y%m%d`
HOME=/your/home/dir
USER=yourUser
GROUP=yourPrimaryGroup
VDIR="$HOME/video"

# Create a fresh target directory for this run: v-YYMMDD, then v-YYMMDD-1, -2, ...
rc=1
count=1

while [ $rc -eq 1 ]
do
        mkdir "$VDIR/v-$DATE"
        rc=$?
        if [ $rc -eq 1 ]
        then
                mkdir "$VDIR/v-$DATE-$count"
                rc=$?
                count=$((count + 1))
        fi
done

# The directory just created is the newest entry in $VDIR
CDIR="$VDIR/`ls -tr $VDIR | tail -1`"
chown $USER:$GROUP "$CDIR"

# Copy every deleted-but-open file of the plugin out through /proc/<pid>/fd
for FD in `ls -l /proc/$FPID/fd/ | grep deleted | awk '{print $9}'`
do
        cat /proc/$FPID/fd/$FD > "$CDIR/$FD.flv"
        chown $USER:$GROUP "$CDIR/$FD.flv"
done


The disadvantage is that you need root access. It looks like the file descriptors can only be accessed by root. I'm using sudo to execute this script. Works like a charm for me.
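The trick the script relies on is not specific to the Flash plugin: on Linux an unlinked file stays readable through /proc/<pid>/fd/<n> for as long as some process keeps it open, which is also why incident responders look there for deleted logs, payloads or config files. The script below is an added example, not code from the original post: it lists the deleted-but-open files of any process with their original names and copies one out, demonstrated on a constructed file held open by a sleep process that stands in for the plugin. It needs Linux /proc; reading another user's descriptor table needs the same uid or root, which is the sudo the post mentions.

```shell
#!/bin/sh
# Added example, not code from the original post: recover deleted-but-open files
# of any process through /proc/<pid>/fd. Needs Linux /proc and coreutils readlink.
set -u

# Print "<fd> <original path>" for every deleted-but-still-open regular file
# of process $1. The fd symlink target reads "/path/name (deleted)"; sockets,
# pipes and anon inodes have no leading slash and are skipped.
list_deleted_open() {
    for link in /proc/"$1"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case "$target" in
            /*' (deleted)') printf '%s %s\n' "${link##*/}" "${target% (deleted)}" ;;
        esac
    done
}

# Copy descriptor $2 of process $1 to file $3. Opening the /proc link creates a
# fresh open file description, so the copy starts at offset 0 no matter how
# far the owning process has already read.
recover_fd() {
    cat /proc/"$1"/fd/"$2" > "$3"
}

# Constructed demonstration: a sleep process stands in for the browser plugin.
# It inherits an open descriptor on a file that is then deleted; the content
# is recovered through /proc and printed on stdout.
demo_recover() {
    work=$(mktemp -d)
    printf 'constructed video bytes\n' > "$work/clip.flv"
    exec 3< "$work/clip.flv"        # open it in this shell ...
    sleep 60 &                      # ... so the child inherits fd 3 at fork time
    holder=$!
    exec 3<&-                       # this shell lets go; only the child holds it now
    rm "$work/clip.flv"             # unlinked from the directory, data still on disk
    entry=$(list_deleted_open "$holder")    # e.g. "3 /tmp/tmp.XXXX/clip.flv"
    recover_fd "$holder" "${entry%% *}" "$work/recovered.flv"
    kill "$holder"
    wait "$holder" 2>/dev/null || true
    cat "$work/recovered.flv"
    rm -rf "$work"
}

demo_recover
```

For a real process replace the sleep with its PID (for example the lsof result the post's script computes) and run list_deleted_open first; the original path it prints is usually enough to decide which descriptors are worth copying before the process exits and the data is gone for good.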


2014-01-19 13:38:22

Windows 7 Backup 0x80070002

Today I encountered a problem with Windows 7 Backup & Recovery. I was not able to back up anything on my computer. The Windows 7 Backup fails with error 0x80070002 - file not found. After a long search I found that there is a misconfiguration in the registry. In Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList the active profiles are listed. It appears that I had deleted some of those profiles from C:\Users manually without removing them from the registry. After deleting those keys I was able to start the Windows Backup normally.


2013-12-03 09:27:28