2013/11/29

Digital Certificates

I want to develop an e-certificate for my own use in the coming 50 years. No way, stuck with the Year 2038 epoch issue. What shall I do then? I will still be alive after 2038!!!


2013/11/28

SMTP over TLS, do it or not

After careful deliberation, I have proposed to my department not to do SMTP over TLS. I am sure I have made the right decision. The considerations are as follows:


1. Probably less than 1% of mail servers globally support this function.

2. There is no standard or recommended practice on whether self-signed certificates are allowed on the server or client side.

3. Equally, there is no standard or recommended practice on whether servers should request clients to present their certificates for authentication.

4. In the absence of industry practice, network administrators arbitrarily make their own SMTP TLS settings or use the defaults provided by commercial off-the-shelf security gateways/appliances.

5. A lot of mail servers that have been operating for many years have outdated CA lists.

6. In case of mail delivery failure, it is nearly impossible to troubleshoot or to request the other side to amend their settings.

Opportunistic TLS encryption could only be achieved if there were a supporting recommended industry practice.
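As an added example (not part of the original post), the following Python shows the two decisions an outbound mail server actually makes for points 2 and 4 above: whether the remote MX advertises STARTTLS in its EHLO reply, and whether to verify the certificate it then presents. The policy names "none", "may" and "encrypt" are hypothetical labels modelled on the security levels common MTAs expose, and the EHLO replies are constructed sample data.

```python
"""Opportunistic STARTTLS decision for an outbound MTA (added example).

The policy names "none", "may" and "encrypt" are hypothetical labels modelled
on the security levels common MTAs expose; the EHLO replies below are
constructed sample data, not captured traffic.
"""
import ssl

# Constructed EHLO reply from a hypothetical remote MX that offers STARTTLS.
EHLO_WITH_STARTTLS = (
    "250-mx.example.net Hello i3way.example.org [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)

# Constructed EHLO reply from a legacy MX that does not offer STARTTLS.
EHLO_WITHOUT_STARTTLS = (
    "250-legacy.example.org\r\n"
    "250 SIZE 10485760\r\n"
)


def parse_ehlo(reply):
    """Return the extension keywords advertised in a multi-line EHLO reply.

    RFC 5321 section 4.1.1.1: every line starts with the code 250, followed by
    '-' on all but the last line and a space on the last line.  The first line
    carries the server's domain and greeting; each further line carries one
    EHLO keyword, optionally followed by parameters.
    """
    extensions = set()
    for index, line in enumerate(reply.splitlines()):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("malformed EHLO reply line: %r" % line)
        if index > 0:
            words = line[4:].split()
            if words:
                extensions.add(words[0].upper())
        if line[3] == " ":
            break  # final line of the reply
    return extensions


def decide_tls(extensions, policy):
    """Decide how to talk to a peer that advertised `extensions`.

    none    - never use STARTTLS
    may     - opportunistic: STARTTLS if offered, otherwise plaintext
    encrypt - mandatory: refuse to deliver without STARTTLS
    Returns "tls" or "plain"; raises RuntimeError when the policy forbids delivery.
    """
    offered = "STARTTLS" in extensions
    if policy == "none":
        return "plain"
    if policy == "may":
        return "tls" if offered else "plain"
    if policy == "encrypt":
        if offered:
            return "tls"
        raise RuntimeError("peer does not offer STARTTLS; deferring delivery")
    raise ValueError("unknown policy %r" % policy)


def client_context(policy):
    """Build the ssl.SSLContext an MTA would use for the given policy.

    Opportunistic ("may") and mandatory-but-unverified ("encrypt") TLS accept
    any certificate, self-signed or from an unknown CA included: the aim is to
    defeat passive eavesdropping, and a verification failure would otherwise
    turn into a delivery failure against a peer nobody can ask to fix its
    setup.  Only a stricter verifying policy (not modelled here) keeps the
    default CA and hostname checks.
    """
    ctx = ssl.create_default_context()
    if policy in ("may", "encrypt"):
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for reply in (EHLO_WITH_STARTTLS, EHLO_WITHOUT_STARTTLS):
        exts = parse_ehlo(reply)
        print(sorted(exts), "->", decide_tls(exts, "may"))
```

With the "may" policy the outdated CA lists of point 5 stop mattering, because no CA check is performed at all; the trade-off is that an active attacker who strips the STARTTLS line from the EHLO reply silently downgrades the session to plaintext.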

2013/11/27

6to4 address connectivity problem

Port25.com is a renowned world leader in enterprise-grade email solutions. How can port25.com have this crazy setting in its MX:

port25.com.        3600 IN MX    100   mail.port25.com.

mail.port25.com. 3600 IN AAAA          2002:453f:951e::1

This leads me to issue my last serious warning to all network administrators: 6to4 addresses should not be used to set up web and email servers, whether in test mode or production mode. They cause a lot of trouble. Please use 6in4 tunnelling instead.
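The following Python is an added example, not code from the original post: it recognises 6to4 addresses (the 2002::/16 prefix of RFC 3056) in a set of AAAA records, decodes the public IPv4 address each one embeds, and computes the /48 a site would get the other way round. The record set is constructed sample data modelled on the AAAA record quoted above.

```python
"""Spot 6to4 (2002::/16) addresses in DNS data and recover the embedded IPv4.

Added example.  SAMPLE_AAAA is constructed sample data, not a real zone.
"""
import ipaddress

SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")

# Constructed sample AAAA data: one 6to4 host and one natively addressed host.
SAMPLE_AAAA = {
    "mail.port25.com.": "2002:453f:951e::1",
    "mx.example.net.": "2001:db8:1::25",
}


def embedded_ipv4(address):
    """Return the IPv4 address a 6to4 address embeds, or None if it is not 6to4.

    RFC 3056: a 6to4 site prefix is 2002:WWXX:YYZZ::/48 where W.X.Y.Z is the
    site's public IPv4 address, so bytes 2..5 of the packed 128-bit address
    are that IPv4 address in network byte order.
    """
    v6 = ipaddress.IPv6Address(address)
    if v6 not in SIXTOFOUR_PREFIX:
        return None
    return ipaddress.IPv4Address(v6.packed[2:6])


def sixtofour_prefix(ipv4):
    """Return the /48 a site with public address `ipv4` gets under 6to4."""
    v4 = ipaddress.IPv4Address(ipv4)
    packed = b"\x20\x02" + v4.packed + bytes(10)
    return ipaddress.IPv6Network((ipaddress.IPv6Address(packed), 48))


def audit_aaaa(records):
    """Return {name: (ipv6, embedded_ipv4)} for every record that is 6to4.

    Such a host is reachable from native IPv6 only via whichever public 6to4
    relay (192.88.99.1 anycast, RFC 3068) the sender's network happens to
    route to, which is why mail and web on 6to4 fail unpredictably.
    """
    flagged = {}
    for name, addr in records.items():
        v4 = embedded_ipv4(addr)
        if v4 is not None:
            flagged[name] = (addr, str(v4))
    return flagged


if __name__ == "__main__":
    for name, (v6, v4) in audit_aaaa(SAMPLE_AAAA).items():
        print("%s has 6to4 address %s (IPv4 %s)" % (name, v6, v4))
```

The decode can be cross-checked against the standard library: `ipaddress.IPv6Address("2002:453f:951e::1").sixtofour` returns the same IPv4 address.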

2013/11/25

Generate CA cert and sign server cert

Many IT bloggers have written down the steps for making self-signed certificates. I should jot down my own notes on how to generate my own CA cert and use it to sign my own server cert. The procedure, if I recall correctly, is more or less as follows:

**** Generate my own CA cert/key and sign my own server cert ****

#openssl genrsa -des3 -out myca.key 4096
[Generate a 4096-bit RSA key for the self-signed CA; you will be prompted for a passphrase to protect the key]
#openssl req -new -x509 -days 3650 -key myca.key -out myca.crt
[Use the key to create a self-signed X.509 CA certificate named myca.crt, valid for ten years]
#openssl genrsa -des3 -out v6-mail.com.key 2048
[Generate a 2048-bit RSA key for the server]
#openssl req -new -key v6-mail.com.key -out v6-mail.com.csr
[Generate a certificate signing request (CSR) from the server key; the Common Name must be the server's host name. Modern clients ignore the Common Name and match the subjectAltName instead, so add -extfile with subjectAltName=DNS:v6-mail.com at the signing step below]
#openssl x509 -req -days 3650 -in v6-mail.com.csr -CA myca.crt -CAkey myca.key -set_serial 01 -out v6-mail.com.crt
[Sign the CSR with the CA cert and CA key, set the serial number to 01, and write the signed server certificate in crt (PEM) format. Every certificate issued by one CA must carry a distinct serial number, so a second certificate signed with -set_serial 01 clashes with this one; use -CAcreateserial (or a different -set_serial value) for later certificates]
#openssl rsa -in v6-mail.com.key -out new.v6-mail.com.key
[Remove the passphrase from the server key, writing a new key file, so the mail daemon can start unattended]
#openssl rsa -in myca.key -out new.my-ca.key
[Remove the passphrase from the CA key, writing a new key file. An unencrypted CA key can sign a certificate for any name, so keep it off the mail server if at all possible]
#rm v6-mail.com.key
#mv new.v6-mail.com.key v6-mail.com.key
#rm myca.key
#mv new.my-ca.key myca.key

**** End of Process ****
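The procedure above, scripted non-interactively, as an added example that is not part of the original post. It drives the openssl command-line tool through subprocess and assumes an openssl binary on PATH; the names, the placeholder passphrase and the validity periods are this example's own choices. It departs from the manual steps in three places: serials come from -CAcreateserial so two server certificates never collide, the server certificate gets a subjectAltName plus leaf-only key usage, and the CA key stays passphrase-protected rather than being decrypted. It finishes with the check the manual steps lack, openssl verify against the CA certificate.

```python
"""CA key/cert plus CA-signed server cert, scripted with the openssl CLI.

Added example.  Assumes an openssl binary on PATH; names, the placeholder
passphrase and validity periods are this example's choices.
"""
import pathlib
import subprocess
import tempfile

CA_PASS = "changeme-example-only"  # placeholder; use a real passphrase
HOSTNAME = "v6-mail.com"

# x509v3 extensions for a leaf server certificate (openssl extension-file syntax).
SERVER_EXT = """
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:{host}
"""


def openssl(workdir, *args):
    """Run one openssl subcommand inside workdir and return its stdout."""
    proc = subprocess.run(["openssl", *args], cwd=workdir, check=True,
                          capture_output=True, text=True)
    return proc.stdout


def make_ca(workdir):
    """Steps 1-2: encrypted 4096-bit CA key and a ten-year self-signed CA cert."""
    openssl(workdir, "genrsa", "-aes256", "-passout", "pass:" + CA_PASS,
            "-out", "myca.key", "4096")
    openssl(workdir, "req", "-new", "-x509", "-days", "3650",
            "-key", "myca.key", "-passin", "pass:" + CA_PASS,
            "-subj", "/CN=My private CA", "-out", "myca.crt")


def make_csr(workdir, host):
    """Steps 3-4: unencrypted server key (the daemon starts unattended) and CSR."""
    openssl(workdir, "genrsa", "-out", host + ".key", "2048")
    openssl(workdir, "req", "-new", "-key", host + ".key",
            "-subj", "/CN=" + host, "-out", host + ".csr")


def sign_server_cert(workdir, host, out_name):
    """Step 5 with -CAcreateserial and leaf extensions; returns the serial as hex.

    -CAcreateserial creates myca.srl on first use and increments it afterwards,
    so repeated signings never reuse a serial number.
    """
    ext = pathlib.Path(workdir, "server.ext")
    ext.write_text(SERVER_EXT.format(host=host))
    openssl(workdir, "x509", "-req", "-days", "825", "-in", host + ".csr",
            "-CA", "myca.crt", "-CAkey", "myca.key", "-passin", "pass:" + CA_PASS,
            "-CAcreateserial", "-extfile", str(ext), "-out", out_name)
    line = openssl(workdir, "x509", "-in", out_name, "-noout", "-serial").strip()
    return line.split("=", 1)[1]


def verify_chain(workdir, cert_name):
    """Check that the certificate chains to myca.crt, as a TLS client would."""
    out = openssl(workdir, "verify", "-CAfile", "myca.crt", cert_name)
    return out.strip().endswith(": OK")


def demo():
    """Run the whole procedure in a scratch directory and report the checks."""
    with tempfile.TemporaryDirectory() as d:
        make_ca(d)
        make_csr(d, HOSTNAME)
        first = sign_server_cert(d, HOSTNAME, "first.crt")
        second = sign_server_cert(d, HOSTNAME, "second.crt")
        text = openssl(d, "x509", "-in", "first.crt", "-noout", "-text")
        return {
            "serials_differ": first != second,
            "chain_ok": verify_chain(d, "first.crt"),
            "has_san": "DNS:" + HOSTNAME in text,
        }


if __name__ == "__main__":
    print(demo())
```

Signing the same CSR twice is deliberate: it is the case the manual -set_serial 01 step gets wrong, and the two serial numbers can be compared directly.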




2013/11/23

SMTP over TLS for Gmail

Great, I just found out that Gmail performs SMTP over SSL/TLS without caring whether the server or client cert on the other side is signed by a CA. This ensures 100% support for encryption. That is to say, we can use a self-signed certificate. A million thanks to Gmail.

2013/11/21

HSBC email server settings

What the hell is that in my maillog, HSBC attempting to send as Hang Seng Bank? That's why I always say HSBC ignores security.

Nov 21 01:31:18 i3way sendmail[2228]: STARTTLS=server, relay=psmtp9.hsbc.com.hk [203.112.90.17], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
Nov 21 01:31:19 i3way dkim-filter[5266]: rAKHVI5N002228 external host psmtp9.hsbc.com.hk attempted to send as hangseng.com

2013/11/18

Consultant reports on free-TV licensing

Earlier the Legislative Council wanted to invoke the Powers and Privileges Ordinance to obtain the contents of the four consultant reports. No need now: the main contents of the consultant reports have been exposed. The Executive Council operated as a black box and 689 did as he pleased; that is now an undeniable fact. Seven million people now know the whole affair was completely without justice. Your popularity, 689, still has a long way to fall.

2013/11/01

Parachuting an Administrative Officer in as Director

An Administrative Officer must never be parachuted in as Director. Once that happens, professional engineers' promotion prospects are castrated: colleagues in five ranks have no chance of promotion, namely Deputy Director, Assistant Director, Chief Engineer, Senior Engineer and Engineer, and graduates lose one more opportunity to join the government as engineers!

http://news.mingpao.com/20131101/gaa1h.htm

The Director of Buildings has the power to deal with and demolish dangerous buildings. This concerns protecting the lives and property of the public, and such tasks can only be carried out competently by trained professional engineers.