2013/09/30

Alnwick Castle

My 11th day in the UK. Visited Alnwick Castle in Northumberland today. It was Hogwarts in the Harry Potter movies.

2013/09/29

CGN

Carrier Grade NAT (CGN): an evil and ugly technology that kills network applications and innovation. No one is happy with it.

2013/09/25

cheap SSL certificates

Just ordered and received one SSL certificate from Cheap SSLs at US$8.9 for one year of use, with no other charges.

www.cheapssls.com

Even though it is affordable, I still think that a PKI structure which puts Certificate Authorities in a supreme position is a flaw. There is no need for Certificate Authorities in the digital online world.

2013/09/17

SMTP over TLS

SMTP over TLS is straightforward. Just make sure the MTA supports TLS, then tell it in its config file where to find the CA cert, the server cert/key and the client cert/key. That's all.

2013/09/13

beginner guide to SSL

What a disgrace! An IT magazine invited me to get a free copy of a beginner's guide to SSL.

2013/09/11

Selector of Facebook's DKIM Key

Interesting: when I looked at the header of an email from Facebook, I found the following DKIM-Signature:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=facebookmail.com; 
    s=s1024-2011-q2; t=1378874220; 
    bh=RZqavvVaT/9/C1fdtvELn/vrEJC9Q5C/X8tnCwdRrhs=; 
    h=Date:To:From:Subject:MIME-Version:Content-Type; 
    b=FXKVjd7kn/lF5PnDTngllmI72AJ+iuHIFLmoFhUJMGsN1NBbcLkSNctqB12hYBBUN 
     eJknvOHvvqRNEliiZATpKHORQoaR8EGGZNTdCVkbsMZj9xTW+pPH4HZgfH4yk3IzQz 
     O4gK1bnIXD7k5aI+ndToMPeoj676W6PO6Hr4hpnY= 

The selector is named s1024-2011-q2. Well, I can understand that 1024 bits is used and that the key has been in service since Q2 of 2011. Facebook has not changed the key pair for over three years. It is a bad and unacceptable security practice!

2013/09/09

SPF endless lookup

I found the following SPF errors in my maillog:

Sep  7 14:59:57 i3way sendmail[28894]: r876xsvM028894: Milter add: header: Received-SPF: unknown (i3way.net: error in processing during lookup of domain of 8.h.dvosh.info: Mechanisms used too many DNS lookups) receiver=i3way.net; client-ip=173.254.227.52; helo=8.h.dvosh.info; envelope-from=gvr@8.h.dvosh.info; x-software=spfmilter 0.93 http://www.acme.com/software/spfmilter/;

On checking the TXT record of the domain, it includes itself for further lookup. This results in an endless loop. Here is the record that caused the many lookups:

[warren@dnssec ~]# dig txt 8.h.dvosh.info | grep spf

8.h.dvosh.info. 3555 IN  TXT "v=spf1 include:8.h.dvosh.info ~all"
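As an added example (not code from the original post), here is a small Python checker that walks SPF include:/redirect= chains against an in-memory stand-in for DNS. It reports a self-include loop like the one above as soon as a domain reappears in the chain, and it also enforces the 10-lookup limit of RFC 7208 section 4.6.4, which is the condition behind spfmilter's "Mechanisms used too many DNS lookups" error. Only the 8.h.dvosh.info record is taken from the post; the DNS map and the example.net and hopN.example records are constructed for contrast.

```python
import re

# Constructed stand-in for DNS (domain -> TXT records) so the example runs
# offline. The 8.h.dvosh.info record is the one quoted in the post; the
# example.net and hopN.example records are made up for contrast.
FAKE_TXT = {
    "8.h.dvosh.info": ["v=spf1 include:8.h.dvosh.info ~all"],
    "example.net": ["v=spf1 include:_spf.example.net -all"],
    "_spf.example.net": ["v=spf1 ip4:192.0.2.0/24 -all"],
}
# A chain of twelve includes, each hop pointing at the next, to trip the limit.
for i in range(12):
    FAKE_TXT[f"hop{i}.example"] = [f"v=spf1 include:hop{i + 1}.example -all"]

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: evaluation must fail beyond this

# Mechanisms and the redirect modifier that each cost one DNS lookup.
# ip4/ip6/all and the exp modifier do not count towards the limit.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)", re.I)


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None."""
    recs = [r for r in FAKE_TXT.get(domain, [])
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def walk_spf(domain, _lookups=None, _chain=None):
    """Follow include:/redirect= references and count DNS-costing terms.

    Returns (status, lookups_used, chain) where status is:
      'ok'        - record evaluated within the limit
      'loop'      - a domain includes itself (directly or via other hops)
      'permerror' - more than MAX_DNS_LOOKUPS terms, or a dangling include
      'none'      - the starting domain publishes no SPF record
    """
    lookups = [0] if _lookups is None else _lookups
    chain = [] if _chain is None else _chain
    if domain in chain:
        return "loop", lookups[0], chain + [domain]
    chain.append(domain)
    record = spf_record(domain)
    if record is None:
        return "none", lookups[0], chain
    for term in record.split()[1:]:
        m = LOOKUP_TERM.match(term)
        if not m:
            continue
        lookups[0] += 1
        if lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror", lookups[0], chain
        name = m.group(1).lower()
        if name in ("include", "redirect"):
            parts = term.split(":" if name == "include" else "=", 1)
            if len(parts) != 2:
                return "permerror", lookups[0], chain
            status, _, _ = walk_spf(parts[1], lookups, chain)
            if status != "ok":
                # An include target that publishes no record is also a permerror.
                return ("permerror" if status == "none" else status), lookups[0], chain
    return "ok", lookups[0], chain


if __name__ == "__main__":
    for d in ("8.h.dvosh.info", "example.net", "hop0.example"):
        status, used, chain = walk_spf(d)
        print(f"{d}: {status} after {used} lookups via {' -> '.join(chain)}")
```

Running the script shows the dvosh.info record flagged as a loop after a single lookup, while the constructed hop chain fails only when the eleventh lookup is attempted; a receiving milter that only counts lookups will report both the same way, so a loop check gives a clearer diagnosis when debugging a sender's record.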

2013/09/08

DKIM replaced by Opendkim

In my last post about DKIM, the package I used was dkim-milter. It has since been replaced by opendkim. For opendkim, the socket to use must be defined in both “/etc/opendkim/opendkim.conf” and “/etc/mail/sendmail.mc”.

I found two great features in opendkim, namely SigningTable and TrustedHosts. SigningTable defines which users may use the private key to sign outgoing email. I think it should be *, which means everyone. As for TrustedHosts, as the name implies, it tells which domains and IP addresses can use which key to sign email messages when the SMTP server serves multiple domains. For interest's sake, I dump a few config lines from the associated files.

/etc/mail/opendkim/singingtable

#*@abc.com default._domainkey.example.com
*@abc.com default._domainkey.abc.com
admin@vm-host.net default._domainkey.vm-host.net

/etc/mail/opendkim/trusthosts
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should be the first entry in this file.
127.0.0.1
mail.abc.com
vm-host.net
202.81.251.17

2013/09/07

SPF and DKIM for anti-spam

Oh my God, this is the first time I have successfully made Sendmail work with DKIM for outgoing and SPF verification for incoming emails. Hey, HSBC and Citibank do not use DKIM for anti-phishing even though they send email notices to customers. In short, I am doing better than the two banks.

For DKIM, the steps as I can recall are:

1. Generate a key pair under the designated path /etc/mail/dkim-milter/keys, specifying a selector (e.g. sept2013, my-dkim, etc.)
2. Extract the public key for publishing as a DNS TXT record
3. Edit keylist to tell which public keys are included and for which domain
4. Edit sendmail.mc to add:
   INPUT_MAIL_FILTER(`dkim-filter', `S=local:/var/run/dkim-milter/dkim-milter.sock')
5. Recompile sendmail.mc to sendmail.cf with m4
6. Start up dkim-milter
7. Restart sendmail

The benefits are twofold. My emails can be verified by other DKIM-enabled SMTP servers for source authentication, and the signature guarantees that no tampering has occurred during end-to-end delivery. On my server, the same can be done.

The public key can be found by:

# dig -t txt sept2013._domainkey.i3way.net
;; ANSWER SECTION:
sept2013._domainkey.i3way.net. 3600 IN  TXT     "v=DKIM1\; g=*\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDq8KAvkv66AOeWd3UnpR74kDcIS4dkL8xR8wzzHUTvrrJR9l3B+X5wTZkHctfhjKHBmZg+W7MZW1b5O4SHI/n3FbqJ+6MK5jxHyx02Q6HSTtaYXjzalE3K0zgy4DRN7n/iYvRgS99OJw6LrKDcnzfRuO554G68aRgd32yflw+DQIDAQAB"

I forgot to mention that the RSA key pair has no expiry. I can use it for signing emails forever.
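Added example, not code from the original posts: a Python script that takes the Facebook DKIM-Signature header from the 2013/09/11 post, derives the DNS name where the selector's key record must be published, and then parses a published DKIM key record (the sept2013._domainkey.i3way.net record above) to measure the RSA modulus, so the key length a selector name such as s1024-2011-q2 claims can be checked against what is actually in DNS. The DER walk is a minimal hand-written parser for SubjectPublicKeyInfo, used so the script needs no third-party library; the 2048-bit threshold is the RFC 8301 signer recommendation and is not something stated in the posts. Both inputs are embedded as constructed strings copied from this page, with the b= tag of the header omitted because the example does not verify the signature.

```python
import base64
import re

# Constructed sample inputs copied from this blog: the Facebook DKIM-Signature
# header (2013/09/11 post, folded lines joined, b= tag omitted because no
# signature verification is done here) and the sept2013._domainkey.i3way.net
# TXT record shown above (dig's "\;" escapes removed; the record itself holds
# plain semicolons).
FACEBOOK_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=facebookmail.com; "
    "s=s1024-2011-q2; t=1378874220; "
    "bh=RZqavvVaT/9/C1fdtvELn/vrEJC9Q5C/X8tnCwdRrhs=; "
    "h=Date:To:From:Subject:MIME-Version:Content-Type;"
)
I3WAY_TXT = "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDq8KAvkv66AOeWd3UnpR74kDcIS4dkL8xR8wzzHUTvrrJR9l3B+X5wTZkHctfhjKHBmZg+W7MZW1b5O4SHI/n3FbqJ+6MK5jxHyx02Q6HSTtaYXjzalE3K0zgy4DRN7n/iYvRgS99OJw6LrKDcnzfRuO554G68aRgd32yflw+DQIDAQAB"


def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict.
    Whitespace inside values (from folded headers) is stripped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def dkim_record_name(header):
    """DNS name of the signer's public key, <selector>._domainkey.<domain>,
    taken from the s= and d= tags of a DKIM-Signature header line."""
    tags = parse_tags(header.split(":", 1)[1])
    return f"{tags['s']}._domainkey.{tags['d']}"


def _der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos).
    Handles short- and long-form lengths, which is all an RSA SPKI needs."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_value):
    """Size in bits of the RSA modulus inside a DKIM p= value (base64
    SubjectPublicKeyInfo, RFC 6376 section 3.6.1)."""
    spki = base64.b64decode(p_value)
    _, body, _ = _der_tlv(spki, 0)          # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _der_tlv(body, 0)           # AlgorithmIdentifier (skipped)
    tag, bits, _ = _der_tlv(body, pos)      # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING in SubjectPublicKeyInfo")
    _, rsa_pub, _ = _der_tlv(bits[1:], 0)   # skip unused-bits octet, read SEQUENCE
    tag, modulus, _ = _der_tlv(rsa_pub, 0)  # INTEGER n is the first field
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus in RSAPublicKey")
    return int.from_bytes(modulus, "big").bit_length()


def check_key_record(txt, min_bits=2048):
    """Evaluate a published DKIM key record. RFC 8301 requires verifiers to
    accept 1024-bit keys and recommends that signers use 2048-bit keys, so the
    default threshold flags a 1024-bit record like the one above."""
    tags = parse_tags(txt)
    k = tags.get("k", "rsa")  # k= defaults to rsa when absent
    bits = rsa_modulus_bits(tags["p"]) if k == "rsa" and tags.get("p") else None
    return {"k": k, "bits": bits, "ok": bits is not None and bits >= min_bits}


if __name__ == "__main__":
    print("key record to query:", dkim_record_name(FACEBOOK_HEADER))
    print("published i3way key:", check_key_record(I3WAY_TXT))
```

In practice the record name returned by dkim_record_name is what you would hand to dig (as in the command above) before feeding the TXT answer to check_key_record; keeping the key-size check separate from the DNS lookup is what lets it run against a saved record in a test.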

2013/09/06

USB charging ports in wall power outlets

Property developers should provide USB charging ports in wall power outlets. This is not a luxury request; it is a necessity of daily life.

2013/09/05

Lithium battery lifespan

High-performance lithium batteries have only a short lifespan. Doubt it? Look at the packaging of this product: Samsung's original battery is guaranteed for only 500 charge cycles, which at one charge a day is less than a year and a half of life. If your iPhone or Samsung shows reduced battery performance after two years of use, with the battery getting hot or even swelling, that is a warning sign: its time is up, replace the battery!

2013/09/02

Victoria Park swimming pool to be demolished

The Victoria Park swimming pool is going to be demolished, leaving the Kowloon Tsai Park swimming pool as the only one still standing from those that accompanied us post-60s kids as we grew up. It has many special features, such as a 12-foot-deep end, an arched little bridge and a huge sunbathing deck. Most unforgettable were the aircraft passing a few hundred feet overhead, with a deafening roar you had to cover your ears to withstand. From now on I must cherish it more and set aside some time each year to relive the joys of those days.