May 19 2014

Mailserver Reloaded – The Idea

Category: Computer,LinuxTuxevara @ 23:14

It has been a while since the last big update of my email server configuration. For years it has been running solid as a rock based on Exim/Dovecot with a LDAP-backed configuration.

You may ask: Why change a running system?

One of the things that bugged me for months, was the fact that I am using self-signed certificates on that server. That means that all email clients have been set to accept ANY SSL certificate without further checks (at least manual pinning or something would be great). So any evil hacker in a public WiFi network could use SSL interception to get my username and password. To eliminate this risk, replacing the self-signed certificate with ones signed by a well-know CA (I’d never call them trustworthy!) would probably be enough, but who really wants such a simple solution?

So additionally to replacing the self-signed certificates, I decided to add some extra security by implementing application-specific passwords. Google user’s may already now how they work, for all others here comes a little introduction: Application-specific passwords allow users to create unique passwords for each application that is interacting with your email server. That means that regular user passwords, that are often used for other services as well, must neither be stored in email clients nor will they ever get transferred via SMTP, IMAP or POP3. The whole setup could even be hardened more, by creating a whole new username-password combination for each application, but that seems to be a little over the top to me.

As I also wanted to easily support multiple email domains in the future, I completely moved away from the LDAP backend, that was a partly replication of my LDAP database I use at home for authentication the accounts of my family, to a MySQL-backed setup. To reduce complexity and be more flexible in the future, I also made Dovecot my MDA (LMTP) and authentication service (SASL).

One thing that I also had to solve was the problem that no tools exist to allow users the management of their application-specific passwords. As I am using Roundcube Webbmail for years now and still more than happy with it, I decided to use Roundcube as the one and only tool that I provide users for managing their email settings, including the application-specific passwords. A corresponding plugin was therefore developed by me and has been published on GitHub in the meanwhile. Access to Roundcube is possible only with the normal user passwords BUT requires the use of one-time-passwords created with Google Authenticator (or compatible).

Now you know what I did and why I did it. I know that you now want to know how I actually implemented that setup, but unfortunately you must be patient. I’ll reproduce the setup in a brand new LXC container in order to provide a series of blog posts with precise information how to set this up on your own within the next two weeks. So stay tuned!

Tags: , , ,

 


Feb 02 2014

Migrating from KVM to LXC

Category: LinuxTuxevara @ 18:58

After I had to replace the mainboard of my HTPC, on which also two other virtual machines were running on KVM, the kvm_amd module crashed on every boot on the replacement hardware. Though KVM still worked, I don’t like to see any modules crashing on boot. I began asking myself whether I really need full KVM virtualization or if some kind of container based virtualization would do a good or even better job for me.

After reading into the pros and cons of different solutions, I concluded that LinuX Containers (LXC) should probably first choice for me. As the HTPC is running on Ubuntu 12.04, which also has Apparmor profiles that enhance the security of LXC’s weak security concept, I actually decided to continue with LXC.

I don’t want to explain how to install LXC, because this is already covered by many other sites. The only thing that I found which is not covered well enough, is the conversion of machines from KVM (or similar) to LXC. In my case the KVM guests where using RAW disk images, so I am exclusively focusing on converting such below.

Step 1 – Prepare the rootfs folder

First, the new target folder for the root file system of the LXC guest must be created.

mkdir -p /var/lib/lxc//rootfs

Step 2 – Mount the RAW image

Then the RAW disk image must be mounted to access the files. In my case the disk contained only one partition. Modify the mount command may be necessary.

kpartx -a
mount /dev/mapper/loop0p1 /mnt

Step 3 – Copy files to rootfs

Now that the content of the RAW image can be accessed, the files can be copied into the new rootfs folder created in step 1. I have been using the below command for years, to create more or less exact copies:

cd /mnt
find . -xdev | cpio -pmv /var/lib/lxc//rootfs

Step 4 – Modify the configuration

Now comes the trickiest part: The configuration of the new machine must be modified, otherwise it is unlikely that it will boot successfully. Most required changes can be extracted from the template files in /usr/lib/lxc/templates/, which are typically used for the creation of new machines. Below are the modification for Debian machines, which worked perfectly well for Debian Lenny (shame in me) and Squeeze.


rootfs=/var/lib/lxc//rootfs

cat < $rootfs/etc/inittab
id:2:initdefault:
si::sysinit:/etc/init.d/rcS
l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin
1:2345:respawn:/sbin/getty 38400 console
c1:12345:respawn:/sbin/getty 38400 tty1 linux
c2:12345:respawn:/sbin/getty 38400 tty2 linux
c3:12345:respawn:/sbin/getty 38400 tty3 linux
c4:12345:respawn:/sbin/getty 38400 tty4 linux
EOF

mkdir -p $rootfs/selinux
echo 0 > $rootfs/selinux/enforce

mknod $rootfs/dev/tty1 c 4 1
mknod $rootfs/dev/tty2 c 4 2
mknod $rootfs/dev/tty3 c 4 3
mknod $rootfs/dev/tty4 c 4 4

# reconfigure some services
LANG="${LANG:-en_US.UTF-8}"

locale="$LANG $(echo $LANG | cut -d. -f2)"
chroot $rootfs echo "locales locales/default_environment_locale select $LANG" | chroot $rootfs sh -c "LANG=C debconf-set-selections"
chroot $rootfs echo "locales locales/default_environment_locale seen true" | chroot $rootfs sh -c "LANG=C debconf-set-selections"
chroot $rootfs echo "locales locales/locales_to_be_generated seen true" | chroot $rootfs sh -c "LANG=C debconf-set-selections"
chroot $rootfs sed -i -e "0,/^[# ]*$locale *$/ s/^[# ]*$locale *$/$locale/" /etc/locale.gen
chroot $rootfs sh -c "LANG=C dpkg-reconfigure locales -f noninteractive"

# remove pointless services in a container
chroot $rootfs /usr/sbin/update-rc.d -f checkroot.sh remove # S
chroot $rootfs /usr/sbin/update-rc.d checkroot.sh stop 09 S .

chroot $rootfs /usr/sbin/update-rc.d -f umountfs remove # 0 6
chroot $rootfs /usr/sbin/update-rc.d umountfs start 09 0 6 .

chroot $rootfs /usr/sbin/update-rc.d -f umountroot remove # 0 6
chroot $rootfs /usr/sbin/update-rc.d umountroot start 10 0 6 .

# The following initscripts don't provide an empty start or stop block.
# To prevent them being enabled on upgrades, we leave a start link on
# runlevel 3.
chroot $rootfs /usr/sbin/update-rc.d -f hwclock.sh remove # S 0 6
chroot $rootfs /usr/sbin/update-rc.d hwclock.sh start 10 3 .

chroot $rootfs /usr/sbin/update-rc.d -f hwclockfirst.sh remove # S
chroot $rootfs /usr/sbin/update-rc.d hwclockfirst start 08 3 .

chroot $rootfs /usr/sbin/update-rc.d -f module-init-tools remove # S
chroot $rootfs /usr/sbin/update-rc.d module-init-tools start 10 3 .

rm $rootfs/etc/udev/rules.d/70-persistent-net.rules

Step 5 – Create LXC config

Finally we have to create a LXC configuration file for the new machine. Lazy as I am, I have copied an existing config file into /var/lib/lxc// and modified the paths and network configuration accordingly.

After that the machine can be started with

lxc-start -n

Keep in mind that you won’t be able to detach from that console again. But to debug boot problems it is essential to not launch the machine in background mode (-d).

Tags: , , ,

 


Dec 13 2013

Vdr-sxfe audio output issues over and over again

Category: Computer,LinuxTuxevara @ 20:53

And after fixing them for the hundredth time in the last ten years, I finally decided to write down what I seem to always forget. Isn’t this what tech blogs are for?!

So what was happening this time: After some years without any major issues, our media center PC decided to reboot in circles, which turned out to be caused be a defective motherboard. After replacing it with the one from my gaming PC everything worked fine, except that I had to use the onboard graphics card as the passive cooler of the former PC-Express graphics card wouldn’t allow me to use the DVB-S card in the upper PCI slot.

In my vdr-sxfe startup script I’ve set the audio parameter to alsa:plug:'hdmi:CARD=NVidia,DEV=0'. But the only results I get is either no sound at all or vdr-sxfe restarting every few seconds. At some point I managed to set the audio channel in VDR to stereo instead of AC3. Guess what happened? Immediately vdr-sxfe stopped restarting and sound was coming from the left and right speakers.

Conclusion: Something must be terribly wrong with the AC3 passthrough. But what? And who controls which device is used for the AC3 passthrough? I know that I should have asked myself this questions earlier, but trial and error worked perfectly well in the past ;)

After trying to remember which files I modified several times before to optimize vdr-sxfe audio and video output, I came to the point where I felt certain that the whole magic must only happen in ~/.xine/config_xineliboutput. As vdr-sxfe is based on Xine this seems to make sense.

Some tests later it was proven, that the audio parameter of vdr-sxfe never affects the value of audio.device.alsa_passthrough_device in the config file.

So the solution to my AC3 passthrough problem is setting the audio.device.alsa_passthrough_device value in the config file to plug:'hdmi:CARD=NVidia,DEV=0'.

Today the new PCI-Express graphics card arrived and all I had to do is changing the vdr-sxfe audio parameter and the audio.device.alsa_passthrough_device value in the config file to plug:'hdmi:CARD=NVidia_1,DEV=0'.

For the sake of completeness, here are all non-default values from my ~/.xine/config_xineliboutput


audio.device.alsa_default_device:plug:'hdmi:CARD=NVidia_1,DEV=0'
audio.device.alsa_front_device:plug:'hdmi:CARD=NVidia_1,DEV=0'
audio.device.alsa_passthrough_device:plug:'hdmi:CARD=NVidia_1,DEV=0'
audio.device.alsa_surround51_device:plug:'hdmi:CARD=NVidia_1,DEV=0'
audio.output.speaker_arrangement:Pass Through
audio.synchronization.av_sync_method:resample
video.processing.ffmpeg_thread_count:2
media.xvdr.num_buffers_hd:5000
media.xvdr.scr_tuning_step:100
effects.goom.fps:25
effects.goom.height:576
effects.goom.width:720
engine.buffers.audio_num_buffers:500
engine.buffers.video_num_buffers:250
engine.buffers.video_num_frames:50
engine.performance.memcpy_method:libc

Tags: , , , , ,

 


Nov 11 2013

Open Rhein Ruhr 2013

Category: Allgemein,Computer,LinuxTuxevara @ 14:50

Wieder ist ein spannendes Open Rhein Ruhr Wochenende vorueber. Fuer mich war es diesmal etwas Besonderes, da ich nicht als Helfer sondern als Orga dabei und auf der Veranstaltung fuer das Netzwerk verantwortlich war. Ausser zwei nicht so ganz sauberen DSL-Leitungen gab es jedoch keine groesseren Probleme, weshalb mir genug Zeit blieb mich unter die Besucher zu mischen und interessante Gespraeche an den Staenden zu fuehren.

ORR Social Event

Auch das Social Event war wie in der Vergangenheit eine tolle Sache, nicht zuletzt wegen der Location.

Was mich aber wirklich jedesmal auf solchen Linux und Open Source Events begeistert, ist der Umgang miteinander. Es fuehlt sich eigentlich immer so an, ob als ob es kein oben oder unten gibt, kein gut oder schlecht gibt und jeder ist in irgendeiner Weise Anbieter und Konsument zugleich. Alle packen mit an wo Haende gebraucht werden. Ich hoffe, dass mich mein Eindruck nicht taeuscht und dass all diese Menschen im Alltag genau so einen offenen Umgang miteinander pflegen.

Mein besonderer Dank gilt natuerlich allen Helfern und vor allem den Freifunkern, welche durch Bereitstellen von weiterer Hardware sowohl das ORR eigene WLAN verbessert haben, als auch zusaetzlich noch Ihr eigenes Freifunk Mesh bereitgestellt haben.

Bis zum naechsten Jahr,wenn es wieder heisst: “Ein Pott voll Software”.

Tags: , ,

 


Oct 31 2013

Setting IMAP INTERNALDATE to header date

Category: Computer,LinuxTuxevara @ 11:02

While setting up a self refilling test mail server, I came across the problem that I need other IMAP INTERNALDATEs (aka arrival date) than the create/modify time of the email file.
As my email generator script creates random dates for the email headers that are between 10 years back and today, it would make perfect sense to also use them as the arrival date of the message.

Five minutes later the following little script was finished, which I think could be pretty useful for anyone who has to update the arrival date in his IMAP server that uses Maildir format or similar. This could for instance become quite handy after an email migration where the IMAP INTERNALDATE could not be retained.

#!/bin/sh

for FILE in `find $1 -type f`
do
    DATE=`grep "Date" $FILE | cut -d ":" -f 2- | sed -e 's/^ *//g' -e 's/ *$//g'`
    if [ -n "$DATE" ]
    then
        echo "Setting modified time of \"$FILE\" to \"$DATE\"."
        touch -c $FILE --date="$DATE"
    else
        echo "No date found in \"$FILE\"."
    fi
done  

Tags: , , ,

 


Jul 04 2013

NRPE on Centos or RHEL6

Category: LinuxTuxevara @ 16:52

If you are running NRPE on Centos or RHEL 6 and wonder why check commands that are prepended with a sudo command always fail: remove the “requiretty” option from your /etc/sudoers and everything will work fine again. It’s a shame that it takes strace to get the initial error message our of nrpe-server.

Tags: , , , ,

 


Mar 16 2013

My new RSS reader

Category: Android,Computer,LinuxTuxevara @ 16:49

Unnecessary to tell, that I am one of the million Google reader users that is very disappointed about Google’s announcement to shut down Google Reader in a few months. Recalling WHY I love Google reader, it turns out that it’s mainly for one reason: synchronization. I’m used to access an always in-sync list of my feeds from my phone, tablet, laptop or home/work desktop computers. I remember that I tried TTRSS back in the days where I was naively thinking I could live without all the Google services that are so addictive.

After checking Google Play for a TTRSS app and getting a positive response – the TTRSS developer offers an app himself – this seems to become really satisfying. Having some free time today between talks at the Chemnitzer Linux Days, I re-installed TTRSS on my webserver to see if that’s still an option. And let me tell you: IT IS!!!

Installation is smooth if you read the config.php file carefully. I missed that the database server was set ‘pgsql’ by default, which cost me a few minutes wondering about an empty page and no error messages in the logs. After creating a new user and importing my RSS subscriptions exported via Google Takeout I installed the Android app as well. I have to say that to me, the TTRSS app looks even better than Google Reader. BTW: The app is a seven day trial and the unlock costs 1.59 EUR. I think think it’s a fair price for such a good app (Have seen lots of crappy ones for more).

In case I change my mind about TTRSS, I’ll let you know.

UPDATE: Installed the app on my Galaxy Tab 10.1N. It’s awesome!

Tags: , ,

 


Mar 12 2013

Alice IAD 3221 Reloaded

Category: Computer,Hardware,LinuxTuxevara @ 00:34

Nachdem bei mir letzte Woche das Netzteil des Speedport 201 DSL-Modem den Geist aufgegeben hat und ich auf die Schnelle nur das original Alice IAD 3221 an die TAE haengen konnte, um ueberhaupt wieder Netz zu haben, war heute Abend endlich die Gelegenheit zu schauen, mit welchem der hier rumliegenden Geraete ich wieder die Buffalo AirStation mir DD-WRT zu meinem Router machen konnte.

Plan A: Die Samsung 3210 Box, welche eigentlich nur meine TK-Anlage ist, nun als DSL-Modem zu nutzten scheiterte daran, dass einfach kein ADSL-Sync zustande kam. Waere nicht das erste Mal, dass das Modem-Board darin kaputt geht.

Also Plan B: Gucken was man mit dem Alice IAD 3221 noch so anstellen kann. Irgendwie konnte ich nicht glauben, dass die Dinger so unfassbar beschraenkt sein sollen, wie einem das Webinterface versucht weiss zu machen. Nach ein wenig suchen stellte sich heraus, dass das ganze Geheimnis in der versteckten URL: http://192.168.1.1/web.cgi?controller=Internet&action=IndexAccessMode liegt. Dort kann man den Betriebsmodi des IAD umstellen. Der Modus “Modem (1 VC), VoIP over PPPOE” ermoeglicht es, dass IAD als normales DSL-Modem zu verwenden UND gleichzeitig die Alice Telefonfunktion vom IAD selber ueber die zweite PPPOE-Session laufen zu lassen. Letzteres ist nur just for fun aktiviert. Habe die Telefonfunktion noch nie verwendet, da mein eigentlicher Telfon-Anschluss bei Sipgate liegt.

Es gibt uebrigens noch eine Menge mehr solcher versteckter Seiten:

Standard-, Experten- oder Developermodus einschalten
http://192.168.1.1/web.cgi?controller=System&action=IndexAccessConfig

Zwischen “Standart-Installation (PIN)” und “Benutzerspezifische Installation” wechseln
(ja da steht wirklich “Standart)
http://192.168.1.1/web.cgi?controller=Overview&action=IndexPinMode

PIN fuer Standard-Installation festlegen
http://192.168.1.1/web.cgi?controller=Overview&action=IndexPin

IP-Adresse und DHCP-Server Konfiguration
http://192.168.1.1/web.cgi?controller=Network&action=IndexLan

Statische IP-Adressen fuer DHCP-Clients festlegen
http://192.168.1.1/web.cgi?controller=Network&action=IndexStaticDhcp

Statische Routen definieren
http://192.168.1.1/web.cgi?controller=Network&action=actionIndexNewStaticRoute

Uebersicht aktueller NAT-Verbindungstabelle
http://192.168.1.1/web.cgi?controller=Network&action=IndexStatistics

USB-Drucker und -Festplattenkonfiguration
http://192.168.1.1/web.cgi?controller=Network&action=IndexUsbDevices

WebCam-Konfiguration
http://192.168.1.1/web.cgi?controller=Network&action=IndexExtDevices

Betriebsmodi Internetzugang konfigurieren
http://192.168.1.1/web.cgi?controller=Internet&action=IndexAccessMode

Zugangsdaten VoIP PPPOE-Session
http://192.168.1.1/web.cgi?controller=Internet&action=IndexAccessDataVoip

DynDNS-Konfiguration
http://192.168.1.1/web.cgi?controller=Internet&action=IndexDynDNS

DSL-Verbindungsinformationen
http://192.168.1.1/web.cgi?controller=Internet&action=IndexInfoConnection
http://192.168.1.1/web.cgi?controller=Internet&action=IndexInfoAdsl

MAC-Adressen-Filter
http://192.168.1.1/web.cgi?controller=Security&action=IndexMacFilter

Allgemeine Firewall-Einstellungen
http://192.168.1.1/web.cgi?controller=Security&action=IndexSecurityConfig

Paketfilter-Regeln
http://192.168.1.1/web.cgi?controller=Security&action=IndexPacketFilter

URL-Filter
http://192.168.1.1/web.cgi?controller=Security&action=IndexUrlFilter

UPnP-Einstellungen
http://192.168.1.1/web.cgi?controller=Security&action=IndexUPnP

System-Log
http://192.168.1.1/web.cgi?controller=System&action=IndexSyslog

System-Diagnose
http://192.168.1.1/web.cgi?controller=System&action=IndexSystemTest

Sprache aendern
http://192.168.1.1/web.cgi?controller=System&action=IndexLanguage

Zeitserver-Einstellungen bzw. Uhrzeit manuell stellen
http://192.168.1.1/web.cgi?controller=System&action=IndexTime

Firmware-Upgrade
http://192.168.1.1/web.cgi?controller=System&action=IndexFirmware

Aufzeichnen von Datenpaketen
http://192.168.1.1/web.cgi?controller=System&action=IndexDiagnostic

Tags: , , , ,

 


Nov 18 2012

Goolge Play Music

Category: Android,Computer,LinuxTuxevara @ 12:38

Once again Google just tackled me. While still not being completely satisfied with my OwnCloud + FolderSync setup that still requires too much manual steps to be really comfortable, Google released Play Music in Germany last week. As I am already a happy Android user owning a Nexus S and a Galaxy Tab, I had to give it a try. One thing it does not seem to do yet is uploading existing Music from the Android devices, BUT there is Google Music Manager for Linux. With that tool I was able to easily upload all my existing music albums from my local file server at home to my Google Play account. The best thing about it is, that it does not need to upload all files if they can be identified and found in Google’s music database. Now I have access to all the music from my Android devices as well and if necessary I can download them directly from Google for offline usage. Google Play Music allows to store 20,000 songs for free plus the ones you buy through their music store, which probably becomes my preferred choice over Amazon now.

And It would not be Google if they would not offer a full download of the library via Music Manager. That of cause makes it feel less painful to trust them with storing all your music, as it makes you feel like you could break up with them at any time.

Tags: , , ,

 


Oct 14 2012

Moneyplex mit ReinerSCT secoder unter Ubuntu 12.04 64Bit

Category: Computer,LinuxTuxevara @ 00:17

Nachdem ich heute mein System von Ubuntu 10.04 auf Xubuntu 12.04 aktualisiert habe (Neuinstallation wegen zweiwoechigem Kubuntu Versuch), mussten mein ReincerSCT secoder Kartenleser und Moneyplex neu verheiratet werden.

Dazu bin ich zunaechst wie in der von Matrica bereit gestellten Anleitung vorgegangen. Insgesamt sollten zur Installation aller benoetigten Pakete folgender Befehl ausreichend sein:

sudo aptitude install linux-source linux-headers-server libccid libpcsclite1 libpcsc-perl pcscd libifd-cyberjack6

Anschliessend sollte der Rechner wirklich neu gestartet werden.

Auf einem 64Bit System sind ausserdem noch zwei weitere Pakete zu installieren um Moneyplex ausfuehren und den Chipkartenleser verwenden zu koennen:

sudo aptitude instal ia32-libs libpcsclite1:i386

Danach sollte Moneyplex den Kartenleser erfolgreich erkennen.

Tags: , , ,

 


Next Page »