More Exim4

This may not make much sense to others but it’s all the things for setting up Exim4 in Debian that weren’t obvious.

  • Add all the names and ip address to /etc/hosts
  • Add ip address to exim4 files. Copy the other things added from the old server..
  • Edit just the main folder after doing the exim4 dpkg
  • Update /etc/letsencrypt to allow execute on /etc/letsencrypts/archive and live to get rid of the /var/log/exim4/mainlog pem related errors
  • Remember the sasl stuff from Debian’s exim4 setup to let the user login.

Time Machine cleanup old backups

This is the command to cleanup old backups in Time Machine should you ever need to. Replace with an appropriate path for your backup location. I find it’d best to delete ranges of old backups with the * wildcard as well.

tmutil delete /Volumes/BackupDriveName/Backups.backupdb/MacComputerName/YYYY-MM-DD-HHMMSS/

Ad Blocking with DNS

Easy to ad block with your own DNS server if you don’t want to trust adblock or other plugins.

1 – you need a web server to host a blank image

2 – Get blacklist

Get the blacklist from http://pgl.yoyo.org/adservers/

Choose for the bind 8 config format.

I had to change the file so that the records read like this:

zone "101com.com" IN { type master; notify no; file "/etc/bind/null.zone.file"; };

by adding the “IN” between the domain name and the “{ type master ….” part. Use your vi-skills for this.

Give this file a easy name, like ‘blacklist’. Now create a line in /etc/bind/named.conf.local:

include "/etc/bind/blacklist";

Create the null zone file

Create a file /etc/bin/null.zone.file with the following contents:

$TTL    86400   ; one day

@       IN      SOA     nds.example.com. hostmaster.example.com. (
            2002061000       ; serial number YYMMDDNN
            28800   ; refresh  8 hours
            7200    ; retry    2 hours
            864000  ; expire  10 days
            86400 ) ; min ttl  1 day
        NS      nds.example.com

        A       192.168.1.100

@               IN      A       192.168.1.100
*               IN      A       192.168.1.100

and replace example.com by your internal domain name and replace 192.168.1.100 by the name of your web server. The above format allow for the use of wildcards. This means that you do not have to care about the subdomains.

Restart bind (Ubuntu version)

service bind9 restart

2 is copied from here for posterity: https://box.matto.nl/dnsadblok.html

3 – use a different DNS source if you want

If you want to use a different DNS server (say you don’t trust your ISP or Google to know every site you query) you can find others here:

https://www.opennic.org

And then in /etc/bind/named.conf.options add the forward to the dns servers:

 forwarders {
 69.195.152.204;
 96.47.228.108;
 96.90.175.167;
 };

Fetchmail Google SSL Updates

Google appears to update it’s SSL cert nightly which breaks my fetch mail script nightly as well. Here’s a simple python script in case this happens to you!

import ssl
import socket
import hashlib
import sys

addr = 'imap.gmail.com'

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(1)
wrappedSocket = ssl.wrap_socket(sock)

try:
 wrappedSocket.connect((addr, 993))
except:
 response = False
else:
 der_cert_bin = wrappedSocket.getpeercert(True)
 pem_cert = ssl.DER_cert_to_PEM_cert(wrappedSocket.getpeercert(True))
 #print(pem_cert)

#Thumbprint
 thumb_md5 = hashlib.md5(der_cert_bin).hexdigest()
 #print("MD5: " + thumb_md5)

wrappedSocket.close()

cnt = 0

thumb_md5_d = ''

for letter in thumb_md5:
 if cnt%2 == 0 and cnt!=0:
 thumb_md5_d += ':'
 thumb_md5_d += letter
 cnt += 1

thumb_md5_d = thumb_md5_d.upper()

infile = "//home//user//fetchmailrc.tmp"
text = open(infile)

outfile = open('/etc/fetchmailrc', 'w')
outfile.truncate()

textToSearch = 'GOOGLE_FINGERPRINT'

for line in text:
 if textToSearch in line:
 line = line.replace( textToSearch, thumb_md5_d )
 outfile.write(line)

Where fetchmailrc.tmp is this (in addition to whatever else in your fetchmailrc):

poll imap.gmail.com protocol IMAP user "login@gmail.com" there with password "password" is blah@blah.com here nofetchall ssl sslfingerprint 'GOOGLE_FINGERPRINT'

Then you setup a cron job to run it nightly and now you’ve got up to date Google fingerprints!

An almost Shakespearean situation

I just serve to repost Economist articles perhaps. Here’s one about the recent amazing cabinet meeting, comparisons to King Leer, and how this really is so pathetic compared to Shakespearean tragedy. Nice quote at the end:

The fact that Mr Trump is a smaller, shallower figure than most Shakespearean heroes (or villains, come to that) makes the craven behaviour of his cabinet secretaries and other Republican enablers even harder to explain. Unlike courtiers in a Jacobean tragedy, they risk neither execution nor banishment. No invading army or witches’ curse impels so many members of Team Trump to sell their reputations and dignity cheap: merely ambition, and the comforting fiction that they are indispensable. Serving Mr Trump is a modest test of character, by Shakespearean standards. It is one which too many underlings are failing.

Horses

I just find this quote interesting – horses used to be much more respected and appreciated. After the Battle of Waterloo some survivor horses were brought to retirement and the king’s surgeon saw this:

“One morning…the surgeon saw the 12 horses form a line, shoulder to shoulder, then, without a cue, charge forward at a gallop. After a few strides they spun and retreated as formally as in a drill.” Each day, he watched as “his old cavalry horses, flecked white where their coats had grown back over their scars, enacted this enigmatic ritual and went to war together once more in the cool green parkland of the Home Counties.”

From the Economist article about 2 horse books which is an interesting read as well. We toss many a thing off. The article even gets a quick in if, with AI/robots, we’re now making ourselves as obsolete as we made horses.

 

ZFS fix with Debian upgrade

Somehow a Debian update broke bfs and I was getting this issue:

The ZFS modules are not loaded.
Try running '/sbin/modprobe zfs' as root to load them.

To reinstall ZFS this worked for me – a compilation of many suggestions so not sure all were necessary but it worked:

apt-get clean
apt-get update
apt-get purge zfs*   --get rid of everything ZFS
apt-get remove spl dkms spl-dkms  --get rid of more ZFS
apt-get autoremove
apt-get install -t jessie-backports zfsutils-linux  --change to whatever your distribution uses

--these commands recompile the libraries if they are still having issues
dkms remove -m zfs -v 0.6.5.9 --all
dkms remove -m spl -v 0.6.5.9 --all
dkms add -m spl -v 0.6.5.9
dkms add -m zfs -v 0.6.5.9
dkms install -m spl -v 0.6.5.9
dkms install -m zfs -v 0.6.5.9

L2TP IPSEC VPN

A couple of handy sites for getting that setup:

Your own IPSEC VPN in about 3 minutes using Digital Ocean

And this debian one for support.

https://wiki.debian.org/HowTo/AndroidVPNServer#L2TP.2FIPSec

Couple of notes that the script didn’t cover:

  • Instead of openswan had to use strongswan.
  • Had to add a shared secret to /etc/ipsec.secrets
  • To use a proxy you just point the proxy to listen on 172.16.1.1 and point the computer to that proxy’s port

The script he had is the key so it’s here for posterity:

apt-get install -y openswan xl2tpd ppp
apt-get install -y lsof

iptables --table nat --append POSTROUTING --jump MASQUERADE
echo "net.ipv4.ip_forward = 1" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" |  tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
sysctl -p

echo "for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done"  |  tee -a /etc/rc.local
echo "iptables --table nat --append POSTROUTING --jump MASQUERADE"  |  tee -a /etc/rc.local

echo "config setup
    dumpdir=/var/run/pluto/
    #in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
    nat_traversal=yes
    #whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
    protostack=netkey
    #decide which protocol stack is going to be used.

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    #shared secret. Use rsasig for certificates.
    pfs=no
    #Disable pfs
    auto=add
    #start at boot
    keyingtries=3
    #Only negotiate a conn. 3 times.
    ikelifetime=8h
    keylife=1h
    type=transport
    #because we use l2tp as tunnel protocol
    left=%SERVERIP%
    #fill in server IP above
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any" > /etc/ipsec.conf



    ipsec verify


    echo "[global]
ipsec saref = yes

[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes" > /etc/xl2tpd/xl2tpd.conf

echo "require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4" > /etc/ppp/options.xl2tpd
echo "# username  l2tpd password  *" >> /etc/ppp/chap-secrets
echo ""
echo ""
echo "To Do:"
echo ""
echo "- Add users: /etc/ppp/chap-secrets"
echo "Restart the software: /etc/init.d/ipsec restart;  /etc/init.d/xl2tpd restart"