This is Warren Kwok's Internet notepad, electronic diary, online rubbish journal, whatever you might call it! It is an archive of my random thoughts in chronological order. I am not good at reporting boring things and turning them into lively ones. If you find this blog boring, sorry, but that is your problem.
2013/09/29
CGN
Carrier Grade NAT (CGN) - an evil and ugly technology that kills network applications and innovations. No one is happy with it.
2013/09/25
cheap SSL certificates
Just ordered and received one SSL certificate from Cheap SSLs at US$8.9 for 1-year use, with no other charges.
www.cheapssls.com
Even though it is affordable, I still think that the PKI structure which puts Certificate Authorities in a supreme position is a flaw. There is no need to have Certificate Authorities in the digital online world.
2013/09/17
SMTP over TLS
SMTP over TLS is straightforward. Just make sure the MTA supports TLS, then set in the MTA config file where to find the CA cert, the server cert/key and the client cert/key. That's all.
2013/09/11
Selector of Facebook's DKIM Key
Interesting: when I looked at the header of an email from Facebook, I found the DKIM-Signature as follows:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=facebookmail.com;
s=s1024-2011-q2; t=1378874220;
bh=RZqavvVaT/9/C1fdtvELn/vrEJC9Q5C/X8tnCwdRrhs=;
h=Date:To:From:Subject:MIME-Version:Content-Type;
b=FXKVjd7kn/lF5PnDTngllmI72AJ+iuHIFLmoFhUJMGsN1NBbcLkSNctqB12hYBBUN
eJknvOHvvqRNEliiZATpKHORQoaR8EGGZNTdCVkbsMZj9xTW+pPH4HZgfH4yk3IzQz
O4gK1bnIXD7k5aI+ndToMPeoj676W6PO6Hr4hpnY=
The selector is named s1024-2011-q2. Well, I can understand that a 1024-bit key is used and that the key has been in service since Q2 of 2011. Facebook has not changed the key pair for over three years. It is a bad and unacceptable security practice!
2013/09/09
SPF endless lookup
I found the following SPF error in my maillog:
Sep 7 14:59:57 i3way sendmail[28894]: r876xsvM028894: Milter add: header: Received-SPF: unknown (i3way.net: error in processing during lookup of domain of 8.h.dvosh.info: Mechanisms used too many DNS lookups) receiver=i3way.net; client-ip=173.254.227.52; helo=8.h.dvosh.info; envelope-from=gvr@8.h.dvosh.info; x-software=spfmilter 0.93 http://www.acme.com/software/spfmilter/;
On checking the TXT record of the domain, it includes itself for further lookup. This results in an endless loop. Here is what I found that caused the many lookups:
[warren@dnssec ~]# dig txt 8.h.dvosh.info | grep spf
8.h.dvosh.info.    3555    IN    TXT    "v=spf1 include:8.h.dvosh.info ~all"
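The lookup counting behind the error above, as an added example that is not from the original post: a small Python walker over a constructed DNS table (every name except 8.h.dvosh.info is made up) that counts DNS-querying SPF terms the way a verifier does and reports the permerror that the self-including record triggers.

```python
import re

# Constructed stand-in for DNS: the first record is the one quoted in the post
# (it includes itself); the other two form a normal chain for comparison.
CONSTRUCTED_TXT = {
    "8.h.dvosh.info": "v=spf1 include:8.h.dvosh.info ~all",
    "example.net": "v=spf1 mx include:_spf.example.org -all",
    "_spf.example.org": "v=spf1 ip4:192.0.2.0/24 a -all",
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than this in one check is a permerror

# Terms that each cost one DNS query; ip4, ip6 and all cost nothing.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def spf_lookup_count(domain, txt=CONSTRUCTED_TXT, count=0):
    """Walk an SPF record the way a verifier does and count DNS-querying terms.

    Returns (count, status): status is 'ok', 'none' (no SPF record) or
    'permerror' (lookup limit exceeded, the 'too many DNS lookups' in the maillog)."""
    terms = txt.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return count, "none"
    for term in terms[1:]:
        m = re.match(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term, re.I)
        if not m:
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name not in LOOKUP_TERMS:
            continue
        count += 1
        if count > MAX_DNS_LOOKUPS:
            return count, "permerror"
        if name in ("include", "redirect"):
            # A self-include never terminates on its own; only the counter stops it.
            count, status = spf_lookup_count(arg, txt, count)
            if status != "ok":  # missing record inside include/redirect is also a permerror
                return count, "permerror"
    return count, "ok"
```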
2013/09/08
DKIM replaced by Opendkim
In my last post about DKIM, the package I used was dkim-milter. This has now been replaced by opendkim. For opendkim, the socket to use must be defined in "/etc/opendkim/opendkim.conf" and "/etc/mail/sendmail.mc".
I found two great features in opendkim, namely SigningTable and TrustHosts. SigningTable defines which users can use the private key to sign outgoing email. I think it should be * which means everyone. As for TrustHosts, as the name implies, it tells which domains and IP addresses can use which key to sign email messages if the SMTP server is serving multiple domains. For interest's sake, I dump a few config lines of the associated files.
/etc/mail/opendkim/signingtable
#*@abc.com default._domainkey.example.com
*@abc.com default._domainkey.abc.com
admin@vm-host.net default._domainkey.vm-host.net
/etc/mail/opendkim/trusthosts
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should be the first entry in this file.
127.0.0.1
mail.abc.com
vm-host.net
202.81.251.17
2013/09/07
SPF and DKIM for anti-spam
Oh my God, this is the first time I have successfully made Sendmail work with DKIM for outgoing emails and SPF verification for incoming emails. Hey, HSBC and Citibank do not use DKIM for anti-phishing even though they send email notices to customers. In short, I am doing better than the two banks.
The benefits are twofold. My emails can be verified by other DKIM-enabled SMTP servers for source authentication, and the signature guarantees that no tampering has occurred in the end-to-end delivery process. On my server, the same can be done.
The public key can be found by:
#dig -t txt sept2013._domainkey.i3way.net
;; ANSWER SECTION:
sept2013._domainkey.i3way.net. 3600 IN TXT "v=DKIM1\; g=*\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDq8KAvkv66AOeWd3UnpR74kDcIS4dkL8xR8wzzHUTvrrJR9l3B+X5wTZkHctfhjKHBmZg+W7MZW1b5O4SHI/n3FbqJ+6MK5jxHyx02Q6HSTtaYXjzalE3K0zgy4DRN7n/iYvRgS99OJw6LrKDcnzfRuO554G68aRgd32yflw+DQIDAQAB"
I forgot to mention that the RSA key pair has no expiry. I can use it for signing emails forever.
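An added example, not code from the original posts, covering both the Facebook selector post above and the published i3way.net key: it parses a DKIM-Signature header and a DKIM TXT record (both copied from the posts and embedded as constants), derives the DNS name a verifier queries, and reads the RSA modulus size out of the p= value with a minimal DER walker so a key below a chosen minimum (2048 bits assumed here) can be flagged.

```python
import base64
import re

# Constructed inputs copied from the two posts: the tags of the Facebook DKIM-Signature
# header (b= and bh= omitted) and the i3way.net TXT record as dig prints it ('\;').
FACEBOOK_SIG = "v=1; a=rsa-sha256; c=relaxed/simple; d=facebookmail.com; s=s1024-2011-q2; t=1378874220;"
I3WAY_TXT = ("v=DKIM1\\; g=*\\; k=rsa\\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDq8KAvkv66AOeWd3U"
             "npR74kDcIS4dkL8xR8wzzHUTvrrJR9l3B+X5wTZkHctfhjKHBmZg+W7MZW1b5O4SHI/n3FbqJ+6MK5jxHyx0"
             "2Q6HSTtaYXjzalE3K0zgy4DRN7n/iYvRgS99OJw6LrKDcnzfRuO554G68aRgd32yflw+DQIDAQAB")

def parse_tags(text):
    """Split a DKIM tag=value list (RFC 6376) into a dict; strips folding whitespace and dig's '\\;'."""
    tags = {}
    for part in text.replace("\\;", ";").split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def dkim_dns_name(sig):
    """The DNS name a verifier queries for the public key: <selector>._domainkey.<domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def _tlv(buf, pos):
    """Minimal DER reader: (tag, value_start, value_end) of the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(p_b64):
    """Modulus size of the RSA key in a DKIM p= tag (base64 DER SubjectPublicKeyInfo)."""
    spki = base64.b64decode(p_b64)
    _, seq_start, _ = _tlv(spki, 0)                # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = _tlv(spki, seq_start)           # AlgorithmIdentifier (rsaEncryption, NULL)
    tag, bits_start, _ = _tlv(spki, alg_end)        # BIT STRING that wraps RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING in SubjectPublicKeyInfo")
    _, rsa_start, _ = _tlv(spki, bits_start + 1)    # skip the unused-bits byte, enter RSAPublicKey
    _, n_start, n_end = _tlv(spki, rsa_start)       # first INTEGER of RSAPublicKey is the modulus n
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()

def check_key_record(txt, minimum_bits=2048):
    """Return (bits, ok) for a DKIM TXT record; ok is False when the key is below minimum_bits."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 key record")
    bits = rsa_modulus_bits(tags["p"])
    return bits, bits >= minimum_bits
```

Run against a live record, the same check works on the output of `dig -t txt <selector>._domainkey.<domain>` pasted in as the TXT string.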
For DKIM, the processes as I can recall are:
1. Generate the key pair under the designated path /etc/mail/dkim-milter/keys, specifying a selector (e.g. sept2013, my-dkim, etc.)
2. Extract the public key for publishing as a DNS TXT record
3. Edit keylists to tell which public keys are included and for what domain
4. Edit sendmail.mc to add:
INPUT_MAIL_FILTER(`dkim-filter', `S=local:/var/run/dkim-milter/dkim-milter.sock')
5. Recompile sendmail.mc to sendmail.cf with m4
6. Start up dkim-milter
7. Restart sendmail
2013/09/02
The Victoria Park swimming pool is going to be demolished
The Victoria Park swimming pool is going to be demolished. Of the pools that accompanied those of us born in the 1960s as we grew up, only the Kowloon Tsai Park swimming pool is left. It has many special features, such as a 12-foot-deep pool, an arched little bridge and a huge sunbathing platform. Most unforgettable were the aircraft flying a few hundred feet overhead; the deafening roar was bearable only with your ears covered. From now on I should treasure it more and set aside some time every year to relive the joys of the old days.