On 05/12/13 12:20, mbm wrote:
Me too. But can we add "Please avoid top posting"
Mick :-)
Sent from a mobile device. Please excuse both brevity and top posting.
And sigs that present lame excuses for doing so? ;)
Steve
On Thu, 05 Dec 2013 12:33:33 +0000 Steve Engledow steve@offend.me.uk allegedly wrote:
On 05/12/13 12:20, mbm wrote:
Me too. But can we add "Please avoid top posting"
Mick :-)
Sent from a mobile device. Please excuse both brevity and top posting.
And sigs that present lame excuses for doing so? ;)
Steve
I have actually deleted that post from the moderation queue. Steve received it because he was cc'd.
I posted from my Galaxy Tab, which has a brain dead mail client (hence the .sig which Steve finds amusing/lame) partly ironically. However, I received back the wonderfully apt message:
"Your mail to 'main' with the subject
Re: [ALUG] Fwd: Re: ALUG Posting Etiquette - was Cross-platform text file processing tools
Is being held until the list moderator can review it for approval.
The reason it is being held:
Message has a suspicious header"
(as did Ted earlier).
So - the list actually already imposes editorial control of crap email.
Mick
---------------------------------------------------------------------
Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
---------------------------------------------------------------------
On 05/12/13 15:33, mick wrote:
I have actually deleted that post from the moderation queue. Steve received it because he was cc'd.
So technically I've been guilty of the "posting back to the list things which were received off-list" :O That said, I don't think I had any real way of knowing.
I posted from my Galaxy Tab, which has a brain dead mail client (hence the .sig which Steve finds amusing/lame) partly ironically. However, I received back the wonderfully apt message:
"Your mail to 'main' with the subject
Re: [ALUG] Fwd: Re: ALUG Posting Etiquette - was Cross-platform
text file processing tools
Is being held until the list moderator can review it for approval.
The reason it is being held:
Message has a suspicious header"
Is it maybe the signature attachment? Seems unlikely that would hold things up but others will know the exact filtering rules.
Steve
P.S. I'd assumed you'd top-posted on purpose and were being funny - I was returning the favour :P
On Thu, 05 Dec 2013 15:50:04 +0000 Steve Engledow steve@offend.me.uk allegedly wrote:
P.S. I'd assumed you'd top-posted on purpose and were being funny - I was returning the favour :P
Yes, but my attempt at humour /was/ pretty lame......
On 05/12/13 15:50, Steve Engledow wrote:
I posted from my Galaxy Tab, which has a brain dead mail client (hence the .sig which Steve finds amusing/lame) partly ironically. However, I received back the wonderfully apt message:
Try the K9 Mail client. It's less brain dead than others! I found it when I was concerned about html mail beacons auto-displaying, and thus confirming that that email address is genuine. Unfortunately, I can't find the website that pointed this out. I checked the default Android client and it auto-opened images and that couldn't be disabled. I hunted around and found K9 which can disable auto-displaying images. K9 is also quite configurable. Perhaps you should give it a go!
"Your mail to 'main' with the subject
Re: [ALUG] Fwd: Re: ALUG Posting Etiquette - was Cross-platform
text file processing tools
Is being held until the list moderator can review it for approval.
The reason it is being held:
Message has a suspicious header"
Is it maybe the signature attachment? Seems unlikely that would hold things up but others will know the exact filtering rules.
HTML again? I doubt it's the sig attachment - they usually get through OK. Steve
On Thu, 05 Dec 2013 20:03:25 +0000 steve-ALUG@hst.me.uk allegedly wrote:
Try the K9 Mail client. It's less brain dead than others! I found it when I was concerned about html mail beacons auto-displaying, and thus confirming that that email address is genuine. Unfortunately, I can't find the website that pointed this out. I checked the default Android client and it auto-opened images and that couldn't be disabled. I hunted around and found K9 which can disable auto-displaying images. K9 is also quite configurable. Perhaps you should give it a go!
I would if it worked - but unfortunately K9 is irredeemably broken for my use case. I have self signed X509 certs on my mailserver (I use IMAPS and POP3S with dovecot). K9 doesn't like this. If I send an email I have to first get the certificate and OK it. I can then send, and send and send - but I cannot receive. If I then re-get the certificate for receiving I can receive, and receive and receive. But I cannot then send without going through the whole silly rigmarole all over again.
Otherwise I agree. Much better email client.
Mick
On 05/12/13 20:29, mick wrote:
On Thu, 05 Dec 2013 20:03:25 +0000 steve-ALUG@hst.me.uk allegedly wrote:
[Try K9]
I would if it worked - but unfortunately K9 is irredeemably broken for my use case. I have self signed X509 certs on my mailserver (I use IMAPS and POP3S with dovecot). K9 doesn't like this. If I send an email I have to first get the certificate and OK it. I can then send, and send and send - but I cannot receive. If I then re-get the certificate for receiving I can receive, and receive and receive. But I cannot then send without going through the whole silly rigmarole all over again.
Hmm, just googled it. Is this the problem you've had? http://code.google.com/p/k9mail/issues/detail?id=3716
If so, it could be a mismatched CN (common name) between sending and receiving certificate.
HTH
Steve
Oh, one I've just found re. top - interleaved - bottom posting:
A: Think about it. Come on, you can figure it out.
A:>> When half the group posts top and the other half posts bottom.
Q:>>> What's even more annoying than top-posting?
Q:> Why would that be annoying?
And there's another which I shall not publish in this list...
On Thu, 05 Dec 2013 22:12:03 +0000 steve-ALUG@hst.me.uk allegedly wrote:
Hmm, just googled it. Is this the problem you've had? http://code.google.com/p/k9mail/issues/detail?id=3716
Yep. Seen that.
If so, it could be a mismatched CN (common name) between sending and receiving certificate.
Nope. It's not that. CN is the same for both (smtp.rlogin.net - see below).
subject=/C=UK/ST=Norfolk/L=Norwich/O=rlogin.net/CN=smtp.rlogin.net/emailAddress=postmaster@rlogin.net issuer=/C=UK/ST=Norfolk/L=Norwich/O=rlogin.net/CN=smtp.rlogin.net/emailAddress=postmaster@rlogin.net
However, I do have separate certificates for dovecot and postfix (historic accident) so the two are not identical. I'll experiment by re-configuring dovecot's ssl config to use the postfix cert so that I can be sure they /are/ identical. Tomorrow sometime....
Cheers
Mick
On 05/12/13 22:42, mick wrote:
[Is it a mismatched certificate problem?]
However, I do have separate certificates for dovecot and postfix (historic accident) so the two are
not identical. I'll experiment by re-configuring dovecot's ssl config to use the postfix cert so that I can be sure they /are/ identical. Tomorrow sometime....
If you do get it working, or actually, if you find a step-by-step guide of what to do, could you share it with us (well me really!). I have got receiving with a certificate sorted, but I never got round to configuring sending from my phone due to various complexities: Dynamic DNS. Using Dynamic DNS address in cert, or domain used for email address. Access from inside house using WIFI, and outside via 3G.
(and mainly, not knowing how to do it and make certificates safely, securely, not wishing to allow any weak attack vectors onto my server)
Good luck!
Steve
AHA!
This is the email bug checker that so shocked me
https://emailprivacytester.com/
Try it and see how much your email client will let you be tracked!
Steve
On Fri, 06 Dec 2013 00:19:57 +0000 steve-ALUG@hst.me.uk allegedly wrote:
This is the email bug checker that so shocked me
https://emailprivacytester.com/
Try it and see how much your email client will let you be tracked!
Steve
Mike is one of the good guys. He posts to the tor-relays and tor-talk lists (amongst others). I first came across him (and his excellent blog) a couple of years ago when I was having problems with t-mobile (again because of my perverse insistence on running my own mail server).
See https://baldric.net/2012/01/12/t-mobile-resets-its-policy/
Mick
On Fri, 06 Dec 2013 00:19:57 +0000 steve-ALUG@hst.me.uk allegedly wrote:
This is the email bug checker that so shocked me
https://emailprivacytester.com/
Try it and see how much your email client will let you be tracked!
Oh, and here is the post where I first described the K9 problem (which looks as if it could now be solved, thanks to Steve)
http://baldric.net/2012/03/24/android-mail-client-is-broken/
(More later when I have re-configured dovecot and re-installed K9)
Mick
(Of course if you get scary messages from your browser when attempting to connect to my blog over TLS, just switch to plain HTTP. I always connect "securely" and sometimes forget when I copy and paste URLs. )
On Fri, 6 Dec 2013 08:02:34 +0000 mick mbm@rlogin.net allegedly wrote:
(More later when I have re-configured dovecot and re-installed K9)
And here is the "more".
Summary - reconfiguring dovecot (/etc/dovecot/conf.d/10-ssl.conf) to use the same X509 cert as I use for postfix solved the problem. I can now both send and receive with K9 without having to reload and re-accept certs when switching from sending to receiving (and vice versa).
My thanks to Steve for pointing out the post at
http://code.google.com/p/k9mail/issues/detail?id=3716
where one of the K9 project members said:
"the problem is that your imaps and your smtps certificate don't match. we store the certs with their CN. So if the CN is the same but the cert is different we get a problem.
The fix is complex and breaks backward compatibility so we can't apply it. I know this does not sound good :/ there is some missing feature which is a blocker on this issue, but i can't give you a timetable when this missing part is addressed.
I fear the only thing you can do about this is to change your smtps cert to be the same as your imaps cert."
My (ahem) excuse for not having solved this myself with a bit of searching is that I originally had the problem in late 2011 or early 2012. The fix in question only appears in September 2012 when I had long ceased using K9 (and so did not search further).
Although both my postfix and dovecot certs used the same configuration parameters (in particular the critical server name at CN), because I had generated them separately (at different times) the certificates and key files were totally different. Now that I point to the same file for both postfix and dovecot, I have no problems.
Mick
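The failure condition the K9 project member describes above (certificates stored by CN, so the same CN on two different certificates is the breaking case) is easy to reproduce and to check for before reconfiguring anything. The script below is an added example written for this page; it is not from the thread, the K9 project or Mick's own setup. It assumes a POSIX shell with the openssl command-line tool on PATH; smtp.example.net, the organisation fields and the file names are illustrative. It generates two self-signed certificates with Mick's openssl invocation (one for "postfix", one for "dovecot"), shows that they share a CN but not a fingerprint, and then applies the thread's fix of pointing both daemons at the same file. The live_cert helper fetches what a real server presents so the same comparison can be made against the phone's view rather than the files on disk; it needs network access and is not exercised by the demo.

```shell
#!/bin/sh
# Added example, not from the thread or the K9 project. Reproduces the K9
# condition quoted above (certs keyed by CN, so same CN + different certificate
# breaks) and checks for it offline. Assumes the openssl CLI is on PATH;
# names and paths are illustrative.

# Build a self-signed cert+key in one PEM file, as Mick's command does,
# with the subject supplied so nothing prompts.
make_cert() {   # make_cert FILE CN
    openssl req -x509 -nodes -sha256 -newkey rsa:2048 -days 1095 \
        -keyout "$1" -out "$1" \
        -subj "/C=UK/ST=Norfolk/L=Norwich/O=example/CN=$2" 2>/dev/null
}

# Subject CN; the sed copes with both "CN = x, ..." (OpenSSL 1.1+)
# and "/CN=x/..." (OpenSSL 1.0) subject layouts.
cert_cn() {   # cert_cn FILE
    openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# SHA-256 fingerprint: two certificates are "the same" to a client only if this matches.
cert_fp() {   # cert_fp FILE
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

certs_identical() {   # certs_identical A.pem B.pem
    [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ]
}

# True when K9 (as quoted in the thread) would ping-pong: same CN, different cert.
k9_would_conflict() {   # k9_would_conflict SMTP.pem IMAP.pem
    [ "$(cert_cn "$1")" = "$(cert_cn "$2")" ] && ! certs_identical "$1" "$2"
}

# Fetch the certificate a live server presents (needs network). Pass "smtp" as the
# third argument for a STARTTLS submission port instead of implicit-TLS SMTPS/IMAPS.
live_cert() {   # live_cert HOST PORT [smtp]  > FILE.pem
    if [ "$3" = "smtp" ]; then
        openssl s_client -connect "$1:$2" -servername "$1" -starttls smtp </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null
    fi | openssl x509 -outform PEM
}

demo() {
    d=$(mktemp -d)
    make_cert "$d/postfix.pem" smtp.example.net   # generated once ...
    make_cert "$d/dovecot.pem" smtp.example.net   # ... and again later: same CN, new key
    echo "postfix CN: $(cert_cn "$d/postfix.pem")  fp: $(cert_fp "$d/postfix.pem")"
    echo "dovecot CN: $(cert_cn "$d/dovecot.pem")  fp: $(cert_fp "$d/dovecot.pem")"
    if k9_would_conflict "$d/postfix.pem" "$d/dovecot.pem"; then
        echo "K9 would keep asking you to re-accept: point dovecot's ssl_cert at the postfix file"
    fi
    # The fix from the thread: one file for both daemons.
    cp "$d/postfix.pem" "$d/dovecot.pem"
    k9_would_conflict "$d/postfix.pem" "$d/dovecot.pem" || echo "identical certs: no conflict"
    rm -rf "$d"
}

demo
```

To check a real pair of servers, write `live_cert mail.example.net 993 > imap.pem` and `live_cert mail.example.net 465 > smtp.pem` (or `live_cert mail.example.net 587 smtp > smtp.pem` for a STARTTLS submission port) and then run `k9_would_conflict smtp.pem imap.pem`; a true result means the two daemons are serving different certificates under one CN, which is exactly the state Mick had.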
On Thu, 05 Dec 2013 23:11:34 +0000 steve-ALUG@hst.me.uk allegedly wrote:
If you do get it working, or actually, if you find a step-by-step guide of what to do, could you share it with us (well me really!). I have got receiving with a certificate sorted, but I never got round to configuring sending from my phone due to various complexities: Dynamic DNS. Using Dynamic DNS address in cert, or domain used for email address. Access from inside house using WIFI, and outside via 3G.
Steve
Might need more info, but this is what I assume.... (and my assumptions may be wrong so bear with me).
I take it from the above (plus a perusal of your DNS, your email headers etc) that you are running your mail server on a machine at home at the end of your Virgin cable network (which does not give you a fixed IP address). Is that correct?
Your external DNS shows that hst.me.uk resolves to 81.21.76.62. That address is a webserver for "www.123-reg.co.uk" and I guess you use that to log in to manage DNS etc. Certainly I can't see an email server on that address.
You have two MX records, one pointing to your dynamic IP service (hst.no-ip.com currently pointing to 82.21.143.180). Your secondary MX points to straddle.cardolan.com on 212.159.47.228 (which seems to have a PTR record mapping to mikejevans.plus.com!).
I don't know what your internal network looks like, but your email headers suggest that you use a mail client on your machine called dell1.hst-net ([192.168.0.21]) to connect to your mailer on hst.me.uk which in turn relays outbound mail to your service provider's smarthost. Is that right?
I don't know what your internal DNS looks like either, but I suspect from what you say above though that you are having a problem because you have separate names for your mail server depending upon whether you are sending mail from inside your home (via hst.me.uk) or from outside your home (via hst.no-ip.com). Is that right?
Ideally, and to make things easier, you should have a single name for your mailer (say mail.hst.me.uk) which you can use in your mail client configs. Internally, your DNS (or hosts files or whatever you use) would then point mail.hst.me.uk to the correct IP address. Externally, your DNS should also point mail.hst.me.uk to the correct IP address but there you have a problem. You don't have a static address. Unfortunately, you cannot point an MX record at an alias (otherwise it would be a simple matter of pointing mail.hst.me.uk to hst.no-ip.com). So, given that you are stuck with the name hst.no-ip.com as the MX externally, I suggest that you use exactly the same name internally. (So set up a hosts file entry for that name pointing to the correct internal IP address, or frig the DNS by running your own internal version of the no-ip.com domain.) Your phone's email client could then be configured to always connect to hst.no-ip.com and it wouldn't matter whether you used the internal wifi or the 3G data connection.
Now to the certificate.
It doesn't matter if the CN, OU or other details in the certificate do not match the name or domain details of the mail server. At worst your email client will object on first connection, but once you have agreed and accepted the certificate, all future connections will proceed quite happily.
I build my certificates with openssl like this:
openssl req -x509 -nodes -sha256 -newkey rsa:2048 -keyout server.pem -out server.pem -days 1095
For discussion see http://baldric.net/2013/09/12/add-ssl-to-lighttpd-server/
Whilst that is about SSL for a webserver, the process is the same. I have also documented the use of postfix and TLS some time ago at:
http://baldric.net/upstream-authentication-with-tls-on-postfix/
and postfix with dovecot (and TLS) at http://baldric.net/using-postfix-and-dovecot-to-provide-mail-to-egroupware/
(that is now looking a bit dated, particularly since dovecot version 2.xx - see my problem documented at: http://baldric.net/2013/01/11/dovecot-failure/ )
I note, however, that you use Exim, and not postfix. I can't help you with the Exim configuration, but I'm sure that someone else on the list will be able to give you the Exim equivalents of the postfix configs I point to here.
(and mainly, not knowing how to do it and make certificates safely, securely, not wishing to allow any weak attack vectors onto my server)
The openssl command above will build a certificate and key file which excludes known weak ciphers. But bear in mind that the server gets to choose which cipher to offer the client depending upon the capability of the client (given to the server in the TLS handshake) and the server's own configuration directives (Note the ssl_cipher_list directive in dovecot for example).
I use:
ssl_cipher_list = TLSv1+HIGH !SSLv2 !RC4 !aNULL !eNULL !3DES @STRENGTH
in dovecot.
howtoforge (http://www.howtoforge.com/forums/showthread.php?t=50453 ) gives some advice on strong ciphers for postfix. I guess that there is a similar set of options available in Exim.
HTH
Mick
On 06/12/13 22:39, mick wrote:
I don't know what your internal DNS looks like either, but I suspect from what you say above though that you are having a problem because you have separate names for your mail server depending upon whether you are sending mail from inside your home (via hst.me.uk) or from outside your home (via hst.no-ip.com). Is that right?
Ideally, and to make things easier, you should have a single name for your mailer (say mail.hst.me.uk) which you can use in your mail client configs. Internally, your DNS (or hosts files or whatever you use) would then point mail.hst.me.uk to the correct IP address. Externally, your DNS should also point mail.hst.me.uk to the correct IP address but there you have a problem. You don't have a static address. Unfortunately, you cannot point an MX record at an alias (otherwise it would be a simple matter of pointing mail.hst.me.uk to hst.no-ip.com). So, given that you are stuck with the name hst.no-ip.com as the MX externally, I suggest that you use exactly the same name internally. (So set up a hosts file entry for that name pointing to the correct internal IP address, or frig the DNS by running your own internal version of the no-ip.com domain.) Your phone's email client could then be configured to always connect to hst.no-ip.com and it wouldn't matter whether you used the internal wifi or the 3G data connection.
Now to the certificate.
It doesn't matter if the CN, OU or other details in the certificate do not match the name or domain details of the mail server. At worst your email client will object on first connection, but once you have agreed and accepted the certificate, all future connections will proceed quite happily.
Hi Mick,
Thanks for looking into this for me.
One of the problems I've had is not knowing which name to put in certificates - the me.uk or no-ip.com variants. You've covered that in that as you say either will work.
The other major problem that I've had, even before trying to connect a mobile phone to the server, is that I did not want to introduce any vulnerabilities onto my server.
(As I understand it - feel free to point out any problems with my understanding!)
I didn't want to make it an open relay (intentionally or unintentionally). Consequently I think that means I need to authenticate with the server. Authenticating with the server requires certificates, otherwise passwords could be sniffed. Even with certificates, I'd like to make sure that they were being used and that unauthenticated and/or logins without certificates not be allowed. I also don't want someone to be able to telnet onto my server and keep trying to guess user names and passwords. - I know that it's possible to use denyhosts and similar to monitor ssh access and block suspicious login attempts/addresses - I'd like to do something similar with email if possible.
As I said, thanks for the pointers. I'll work through it next week when I have a bit more time.
Cheers Steve
On Fri, 06 Dec 2013 23:50:28 +0000 steve-ALUG@hst.me.uk allegedly wrote:
The other major problem that I've had, even before trying to connect a mobile phone to the server, is that I did not want to introduce any vulnerabilities onto my server.
(As I understand it - feel free to point out any problems with my understanding!)
I didn't want to make it an open relay (intentionally or unintentionally). Consequently I think that means I need to authenticate with the server. Authenticating with the server requires certificates, otherwise passwords could be sniffed. Even with certificates, I'd like to make sure that they were being used and that unauthenticated and/or logins without certificates not be allowed.
You need an Exim expert here. I can give you the postfix configuration which I use, but that would mean you changing your MTA, which I guess you don't want to do.
You could start here. https://github.com/Exim/exim/wiki/Q0742
You are right about the authentication helping and you do also need to ensure that users /do/ authenticate when connecting and don't simply bypass that. But there are also explicit anti-relay configuration options you must consider (such as limiting which networks can send mail through you).
I also don't want someone to be able to telnet onto my server and keep trying to guess user names and passwords. - I know that it's possible to use denyhosts and similar to monitor ssh access and block suspicious login attempts/addresses - I'd like to do something similar with email if possible.
I get lots of "SASL LOGIN authentication failed:" messages in my logs......
You could use fail2ban to limit connections. Personally I'm not keen on a script fiddling with my iptables rules. but that's just me.
In postfix I insist on a proper helo and disable vrfy. Every little helps. You could also modify your banner to obfuscate your MTA identity. That information will still leak in your email headers of course (unless Exim allows this to be blocked too.)
As I said, thanks for the pointers. I'll work through it next week when I have a bit more time.
Have fun.
Mick
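Two of the worries in the exchange above (not becoming an open relay, not letting passwords cross the wire unencrypted, and not leaving a guessing attack unnoticed) can be checked without an Exim or Postfix expert on hand. The script below is an added example written for this page, not Mick's configuration or anything the list posted. Its first function audits a Postfix main.cf for the settings Mick alludes to (authentication only after STARTTLS, VRFY disabled, HELO required, and a relay restriction list that actually ends in reject_unauth_destination rather than falling through to Postfix's implicit permit); the Postfix parameter names are genuine, the sample main.cf contents are constructed, and Exim equivalents are not covered. Its second function does offline what fail2ban automates for the "SASL LOGIN authentication failed" lines Mick mentions: it counts failures per client IP over constructed log lines using RFC 5737 documentation addresses. It assumes a POSIX shell with awk and sort.

```shell
#!/bin/sh
# Added example, not from the thread. (1) audit a Postfix main.cf for the gaps
# discussed (AUTH before TLS, VRFY on, no HELO required, open relay);
# (2) count failed SASL logins per client IP from the mail log, fail2ban-style.
# Postfix directive names are real; the config and log lines are constructed.

# Effective value of a main.cf parameter: last assignment wins, as in Postfix.
# Continuation lines (leading whitespace) are not handled here.
cf_get() {   # cf_get FILE PARAM
    awk -v key="$2" '
        $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); val = $0 }
        END { print val }' "$1"
}

# Findings go to stderr; the number of findings goes to stdout.
audit_main_cf() {   # audit_main_cf FILE
    n=0
    [ "$(cf_get "$1" smtpd_tls_auth_only)" = "yes" ] ||
        { echo "smtpd_tls_auth_only != yes: AUTH offered before STARTTLS, passwords can be sniffed" >&2; n=$((n+1)); }
    [ "$(cf_get "$1" disable_vrfy_command)" = "yes" ] ||
        { echo "disable_vrfy_command != yes: VRFY lets a caller enumerate valid users" >&2; n=$((n+1)); }
    [ "$(cf_get "$1" smtpd_helo_required)" = "yes" ] ||
        { echo "smtpd_helo_required != yes: clients may skip HELO/EHLO" >&2; n=$((n+1)); }
    # An explicit restriction list with no reject/defer_unauth_destination ends in
    # Postfix's implicit permit, i.e. an open relay. Leaving smtpd_relay_restrictions
    # unset keeps the Postfix 2.10+ default, which does end in defer_unauth_destination.
    relay=$(cf_get "$1" smtpd_relay_restrictions)
    case "$relay" in
        "" | *reject_unauth_destination* | *defer_unauth_destination*) ;;
        *) echo "smtpd_relay_restrictions lacks reject_unauth_destination: open relay" >&2; n=$((n+1)) ;;
    esac
    echo "$n"
}

# Client IPs with at least MIN failed SASL logins, busiest first (what fail2ban keys on).
sasl_offenders() {   # sasl_offenders MIN < maillog
    awk -v min="$1" '
        /SASL (LOGIN|PLAIN) authentication failed/ && match($0, /\[[0-9.]+\]: SASL/) {
            ip = substr($0, RSTART + 1, RLENGTH - 8)   # drop "[" and "]: SASL"
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' | sort -k2,2nr
}

# Constructed sample data. The hardened file re-assigns the relay list, so "last wins".
WEAK_CF='myhostname = smtp.example.net
mynetworks = 127.0.0.0/8 192.168.0.0/24
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated'

HARDENED_CF="$WEAK_CF
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_tls_auth_only = yes
disable_vrfy_command = yes
smtpd_helo_required = yes"

SAMPLE_LOG='Dec  6 10:15:01 mail postfix/smtpd[2311]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  6 10:15:03 mail postfix/smtpd[2311]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  6 10:15:04 mail postfix/smtpd[2311]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Dec  6 10:15:09 mail postfix/smtpd[2315]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  6 10:15:12 mail postfix/smtpd[2315]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  6 10:16:40 mail postfix/smtpd[2320]: warning: host.example.org[198.51.100.4]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  6 10:17:02 mail postfix/smtpd[2320]: connect from phone.hst-net[192.168.0.21]'

demo() {
    d=$(mktemp -d)
    printf '%s\n' "$WEAK_CF" > "$d/weak.cf"
    printf '%s\n' "$HARDENED_CF" > "$d/hardened.cf"
    echo "weak main.cf: $(audit_main_cf "$d/weak.cf") finding(s)"
    echo "hardened main.cf: $(audit_main_cf "$d/hardened.cf") finding(s)"
    echo "clients with >= 3 failed logins:"
    printf '%s\n' "$SAMPLE_LOG" | sasl_offenders 3
    rm -rf "$d"
}

demo
```

On a real box, run `audit_main_cf /etc/postfix/main.cf` (or `postconf -n > /tmp/main.cf` first, which also resolves continuation lines) and `sasl_offenders 5 < /var/log/mail.log`. The audit deliberately treats an unset smtpd_relay_restrictions as safe only because of the Postfix 2.10+ default; on an older Postfix the relay policy lives in smtpd_recipient_restrictions, which this check does not read.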
On 05/12/13 20:29, mick wrote:
I would if it worked - but unfortunately K9 is irredeemably broken for my use case. I have self signed X509 certs on my mailserver (I use IMAPS and POP3S with dovecot). K9 doesn't like this. If I send an email I have to first get the certificate and OK it. I can then send, and send and send - but I cannot receive. If then re-get the certificate for receiving I can receive, and receive and receive. But I cannot then send without going through the whole silly rigmarole all over again.
Hmm... I've got a very similar set up; self-signed cert for IMAPS (dovecot) and SMTP with TLS and K9 works well for me.
I blame the NSA.
Steve
On Fri, 06 Dec 2013 10:49:57 +0000 Steve Engledow steve@offend.me.uk allegedly wrote:
I blame the NSA.
Actually I worry more about GCHQ. They are completely out of control.
(Hi guys)
Mick