Recently in HowTo Category

VMWare + Firefox 3.6


I had been trying to figure out this problem for some time: when you connect to a VMWare web interface with Firefox, the connection fails with some sort of SSL error.

To fix this you need to re-enable SSLv2 in Firefox:

  • enter about:config in the location bar
  • set security.enable_ssl2 to true

Great security, thank you VMWare!

DKIM in amavisd-new and postfix


As most of you know, email is an inherently insecure protocol. Basically, you are sending around text files in a certain format, and you have to trust the servers that forward the email not to modify its content or lie about who they are.

One of the big issues here is that anybody can claim to be sending email from bill.gates@microsoft.com, and whoever receives the email has to take that at face value.

DKIM adds a certain level of protection. It gives the owner of a domain's DNS records the possibility to publish a cryptographic public key for anyone who cares to validate signatures. The sending mail server holds the corresponding private key and signs every outgoing message with it. Every recipient can then check whether the signature is correct by looking up the published public key.

A lot of the big players, like Gmail, have added support for DKIM signatures to their infrastructure.

I have also implemented DKIM (along with SPF) on my mail server.

Following are the basic steps necessary to implement DKIM:

  1. create a crypto key-pair
  2. set up a separate path in your mailer for outgoing mail
  3. configure mailer to sign outgoing messages
  4. publish the public key through DNS

The best howto I came across is this

The most important part is to make postfix tag mail as originating (from our own users) or foreign by using the

smtpd_sender_restrictions = 
    check_sender_access regexp:/etc/postfix/tag_as_originating.re
    ...
    check_sender_access regexp:/etc/postfix/tag_as_foreign.re

part in main.cf.

The rest of the setup happens in amavis by adding an additional policy in amavis:

$inet_socket_port = [10024,10026];  # listen on two ports
$enable_dkim_signing = 1;  # loads DKIM signing code
dkim_key('DOMAIN_NAME', 'dk1', '/path/to/keyfile');  # domain, selector, private key file
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {  # mail originating from our users
    originating => 1,  # indicates client is ours, allows signing
};

The only remaining thing to do is to publish the public key. My domains are managed by united domains. To get this working there, you have to create a subdomain and set a TXT record for it, named dk1._domainkey.homemadecode.de (the dk1 part, the selector, has to be the same as the one given in the amavisd config above).
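To make the selector requirement concrete, here is an added example (not code from the post, and not amavisd's own code) of what a receiving side does before it can verify anything: it reads the selector (s=) and domain (d=) out of the DKIM-Signature header, derives the name of the TXT record to query, and validates the key record it gets back (version, key type, a present and non-empty p=). The DKIM-Signature header and the TXT record below are constructed sample values with placeholder key material; the selector dk1 and the domain homemadecode.de are the ones from the post. The actual RSA signature check is left to a crypto library and is not part of this example.

```python
import re

# Constructed sample DKIM-Signature header value (added example, not from the
# post); bh= and b= are placeholders, not a real hash or signature.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=homemadecode.de; s=dk1; "
    "h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE="
)

# Constructed sample of the TXT record a verifier would fetch; the key
# material is a placeholder, not a real public key.
SAMPLE_TXT_RECORD = "v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDERPUBLICKEY"


def parse_tag_list(value):
    """Parse a DKIM tag=value list ("v=1; d=...; s=...") into a dict.

    Both the signature header and the DNS key record use this syntax
    (RFC 6376 section 3.2). Whitespace inside a value is insignificant
    and is stripped; a duplicate tag makes the list invalid.
    """
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError("malformed tag: %r" % item)
        name, val = item.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def dkim_key_dns_name(signature_header):
    """Return the DNS name a verifier queries for the signer's public key.

    The name is <selector>._domainkey.<domain>, built from s= and d=, which
    is why the selector in the amavisd dkim_key() call and the name of the
    published TXT record must agree.
    """
    tags = parse_tag_list(signature_header)
    if tags.get("v") != "1":
        raise ValueError("unsupported DKIM version: %r" % tags.get("v"))
    for required in ("a", "b", "bh", "d", "h", "s"):
        if required not in tags:
            raise ValueError("DKIM-Signature lacks required tag %s=" % required)
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def check_key_record(txt_record):
    """Validate a DKIM key record and return (ok, reason_or_key).

    v= and k= are optional in the record and default to DKIM1 and rsa;
    p= is mandatory, and an empty p= means the key has been revoked.
    """
    tags = parse_tag_list(txt_record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, "not a DKIM1 key record"
    if tags.get("k", "rsa") != "rsa":
        return False, "unsupported key type %s" % tags["k"]
    if "p" not in tags:
        return False, "record has no p= tag"
    if tags["p"] == "":
        return False, "key revoked (empty p=)"
    return True, tags["p"]


if __name__ == "__main__":
    name = dkim_key_dns_name(SAMPLE_DKIM_SIGNATURE)
    print("lookup TXT record:", name)
    ok, detail = check_key_record(SAMPLE_TXT_RECORD)
    print("usable key:" if ok else "rejected:", detail)
```

Running it prints the lookup name dk1._domainkey.homemadecode.de, i.e. exactly the record the post says has to exist at united domains; if the selector in the amavisd config were changed without changing the record name, every verifier would query a name that does not exist and treat the signature as unverifiable.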

LDAP groups not showing up (immediately)


Background: I use LDAP as user storage for my unix machines, holding all relevant user and group data in the directory. When I add a user to a group, only LDAP is changed.

Since I just stumbled across this issue and had been wondering what was wrong, here is a short reminder for next time:

Whenever you update groups in LDAP (with LDAP serving both users and groups), you have to flush the nscd cache to see the new group membership immediately. Use

nscd -i <tablename>

to do this; the table holding group membership is called group.

pushing routes via DHCP


Since I have come across this problem several times now, in my home office network as well as at the office, here is the viable solution I finally found.

The Problem
When you have a network consisting of several subnets with a router at each boundary, looking something like this:

INET <-> router A <-> subnet1 <-> router B <-> subnet2

The issue is that clients in subnet1 ideally should know about both routers to reach all networks, but by default they only receive one of them, as the default gateway. Of course one could set a static route on each client using some sort of logon script, but a more elegant way is to use DHCP for this purpose.

Solution
After some research I finally figured out how to do this. You need to use the DHCP option for classless static routes [1], which is of course documented in the corresponding RFC 3442 (but hardly anywhere else). This option is supported by Windows 2000, XP and upwards.

So to get dhcpd to serve this new option I did some further googling and came across this post with a solution for dhcpd3 by John Robinson:

# MS routes: adds extras to supplement routers option
option ms-classless-static-routes code 249 = array of integer 8;
# RFC3442 routes: overrides routers option
option rfc3442-classless-static-routes code 121 = array of integer 8;
option routers 172.22.0.1;
option ms-classless-static-routes 24, 172, 22, 99, 172, 22, 0, 1 ;
option rfc3442-classless-static-routes 24, 172, 22, 99, 172, 22, 0, 1, 0, 172, 22, 0, 1;

The first two lines define the new option names and map them to the corresponding option codes. These have to be in the global section. The remaining lines can be placed in any other section if desired. The information passed to the options is encoded as follows:

If you want to supply a static route such as 192.168.1.0/24 (equivalent to a netmask of 255.255.255.0) with a gateway of 192.168.1.1, you write the address as follows, i.e. the prefix length, then only the significant octets of the destination network (three for a /24), then all four octets of the gateway:

option ms-classless-static-routes 24, 192, 168, 1, 192, 168, 1, 1;

As also mentioned in the original post, you must also supply the default gateway when using classless static routing, because a client that accepts the RFC 3442 option ignores the routers option. In the above example, this is done by the appended route

0, 172, 22, 0, 1;

that is, a prefix length of 0 with no destination octets followed by the gateway, equivalent to a default gateway of 172.22.0.1.
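Since the octet layout is easy to get wrong by hand (the post's own excerpt of the default route shows how), here is an added example (not part of the original post or of dhcpd) that encodes (destination, gateway) pairs into the RFC 3442 octet list, renders the matching dhcpd.conf line, decodes such a list back into routes, and checks that a default route is present. It goes slightly beyond the post in that it handles any prefix length, not only /24 and /0: a /25 destination needs four significant octets, a /16 only two. The route values below are the ones from the post; the option names are the ones the post's dhcpd.conf defines.

```python
import ipaddress


def encode_classless_routes(routes):
    """Encode (destination/prefix, gateway) pairs as the octet list used by
    DHCP option 121 (RFC 3442) and by the Microsoft option 249.

    Each route is: prefix length, then only the significant octets of the
    destination (ceil(prefix/8) of them: 3 for a /24, none for a /0),
    then all four octets of the gateway.
    """
    octets = []
    for destination, gateway in routes:
        net = ipaddress.IPv4Network(destination, strict=True)
        significant = (net.prefixlen + 7) // 8
        octets.append(net.prefixlen)
        octets.extend(net.network_address.packed[:significant])
        octets.extend(ipaddress.IPv4Address(gateway).packed)
    return octets


def decode_classless_routes(octets):
    """Inverse of encode_classless_routes. Raises ValueError on a truncated
    or malformed list instead of silently producing a bogus route, which is
    what a client parsing an untrusted DHCP reply should do as well."""
    routes = []
    i = 0
    while i < len(octets):
        prefixlen = octets[i]
        if not 0 <= prefixlen <= 32:
            raise ValueError("invalid prefix length %d at offset %d" % (prefixlen, i))
        significant = (prefixlen + 7) // 8
        end = i + 1 + significant + 4
        if end > len(octets):
            raise ValueError("truncated route at offset %d" % i)
        # Pad the omitted (non-significant) octets of the destination with zeros.
        dest_bytes = bytes(octets[i + 1:i + 1 + significant]) + b"\x00" * (4 - significant)
        gw_bytes = bytes(octets[i + 1 + significant:end])
        dest = ipaddress.IPv4Network(
            "%s/%d" % (ipaddress.IPv4Address(dest_bytes), prefixlen), strict=False)
        routes.append((str(dest), str(ipaddress.IPv4Address(gw_bytes))))
        i = end
    return routes


def has_default_route(routes):
    """True when one of the routes is 0.0.0.0/0. A client that accepts option
    121 ignores the routers option, so the default gateway has to be carried
    inside the option itself."""
    return any(ipaddress.IPv4Network(d, strict=False).prefixlen == 0 for d, _ in routes)


def dhcpd_option_line(option_name, routes):
    """Render a dhcpd.conf line in the style of the post's configuration."""
    octets = encode_classless_routes(routes)
    return "option %s %s;" % (option_name, ", ".join(str(o) for o in octets))


if __name__ == "__main__":
    # Constructed from the post's values: the 172.22.99.0/24 subnet behind
    # 172.22.0.1 plus the mandatory default route via the same gateway.
    routes = [("172.22.99.0/24", "172.22.0.1"), ("0.0.0.0/0", "172.22.0.1")]
    print(dhcpd_option_line("rfc3442-classless-static-routes", routes))
    print("default route present:", has_default_route(routes))
    print(decode_classless_routes(encode_classless_routes(routes)))
```

The rendered line matches the rfc3442-classless-static-routes line in the post's dhcpd.conf, and decoding it shows where the default route really starts: at the 0 that follows the first gateway's last octet, not two octets earlier.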

I hope this post will help some people running into the same kind of issues that I came across. Any thoughts welcome.

[1] The option code is 121; grep for that in the RFC for further information.


Creative Commons License
This blog is licensed under a Creative Commons License.
powered by homemade code GmbH ~ the application security experts!