pmeerw's blog
gmx.de sends TLS alert 71 (insufficient security) and drops the connection right after STARTTLS. After disabling TLSv1 in postfix, mail from gmx.de is delivered again. Amazing.
postfix/smtpd[3923583]: TLS SNI mail.pmeerw.net from mout.gmx.net[212.227.15.18] not matched, using default chain
postfix/smtpd[3923583]: Untrusted TLS connection established from mout.gmx.net[212.227.15.18]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (3072 bits) client-digest SHA256
postfix/smtpd[3923583]: warning: TLS library problem: error:0A00042F:SSL routines::tlsv1 alert insufficient security:../ssl/record/rec_layer_s3.c:916:SSL alert number 71:
postfix/smtpd[3923583]: NOQUEUE: lost connection after STARTTLS from mout.gmx.net[212.227.15.18]
postfix/smtpd[3923583]: disconnect from mout.gmx.net[212.227.15.18] ehlo=1 starttls=1 commands=2
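To spot this failure pattern in the mail log (a peer negotiating TLS, OpenSSL logging an alert number, then the session being lost right after STARTTLS), here is an added Python example that is not part of the original post: it correlates postfix/smtpd lines by process id. The sample log is constructed from the lines above plus an invented successful session from mx.example.org, and the regexes assume the default postfix log format.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the postfix/smtpd lines quoted in this post
SAMPLE_LOG = """\
postfix/smtpd[3923583]: Untrusted TLS connection established from mout.gmx.net[212.227.15.18]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519
postfix/smtpd[3923583]: warning: TLS library problem: error:0A00042F:SSL routines::tlsv1 alert insufficient security:../ssl/record/rec_layer_s3.c:916:SSL alert number 71:
postfix/smtpd[3923583]: NOQUEUE: lost connection after STARTTLS from mout.gmx.net[212.227.15.18]
postfix/smtpd[3923583]: disconnect from mout.gmx.net[212.227.15.18] ehlo=1 starttls=1 commands=2
postfix/smtpd[3923600]: Anonymous TLS connection established from mx.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
postfix/smtpd[3923600]: disconnect from mx.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

# TLS alert codes (RFC 5246 / RFC 8446) that show up most often on a mail server
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security", 80: "internal_error"}

LINE_RE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
ESTABLISHED_RE = re.compile(r"TLS connection established from (\S+): (TLSv[\d.]+) with cipher (\S+)")
ALERT_RE = re.compile(r"SSL alert number (\d+)")
LOST_RE = re.compile(r"lost connection after STARTTLS from (\S+)")

def find_tls_failures(log_text):
    """Correlate smtpd lines by process id and return one record per session
    the peer dropped right after STARTTLS, with the negotiated TLS parameters
    and the alert number OpenSSL reported (None if no alert was logged)."""
    sessions = defaultdict(dict)   # pid -> state of the session in progress
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        s = sessions[pid]
        if e := ESTABLISHED_RE.search(msg):
            s.update(peer=e.group(1), version=e.group(2), cipher=e.group(3))
        elif a := ALERT_RE.search(msg):
            s["alert"] = int(a.group(1))
        elif lost := LOST_RE.search(msg):
            alert = s.get("alert")
            failures.append({"pid": pid, "peer": lost.group(1), "version": s.get("version"),
                             "cipher": s.get("cipher"), "alert": alert,
                             "alert_name": ALERT_NAMES.get(alert, "unknown")})
            sessions.pop(pid)   # the same pid will serve a fresh session next
    return failures


if __name__ == "__main__":
    for f in find_tls_failures(SAMPLE_LOG):
        print(f"{f['peer']} dropped after STARTTLS ({f['version']} {f['cipher']}): alert {f['alert']} {f['alert_name']}")
```

Run it over `journalctl -u postfix` or `/var/log/mail.log` output to see which peers abort after STARTTLS and with which alert, before changing smtpd_tls_protocols.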
posted at: 14:49 | path: /configuration | permanent link
It's easy: just run sudo fwupdmgr get-updates followed by sudo fwupdmgr update.
The system needs to be on AC power to perform the update.
posted at: 22:07 | path: /configuration | permanent link
It's possible to simply list multiple domains in opendkim.conf; all of them get signed with the same key indicated by KeyFile and Selector (as pointed out here).
# Sign for example.com with the key in /etc/dkimkeys/example.com.key using
# selector 'mail' (i.e. mail._domainkey.example.com)
# hacky: multiple domains all share the same key and the same DNS setup,
# so we also need mail._domainkey.bla.net and mail._domainkey.blub.org DNS records
Domain example.com, bla.net, blub.org
KeyFile /etc/dkimkeys/example.com.key
Selector mail
A more complex way with individual mappings is described here.
A good way to test the setup is appmaildev.com's DKIM Test.
posted at: 10:10 | path: /configuration | permanent link
Debian unstable recently updated PostSRSd to 2.0.11-1+b1, breaking things:
sender_canonical_maps = socketmap:unix:srs:forward
sender_canonical_classes = envelope_sender
recipient_canonical_maps = socketmap:unix:srs:reverse
recipient_canonical_classes = envelope_recipient, header_recipient
/etc/postsrsd.conf r,
/var/spool/postfix/** rwk,
posted at: 11:00 | path: /configuration | permanent link
Thanks to these notes on setting up the route64 tunnel broker on MikroTik, I can confirm it works. Route64 supports WireGuard for the tunnel and hands out a /56 prefix, so one can have 256 /64 subnets. The cable modem needs to forward a particular UDP port to the MikroTik router on the internal network, which does the WireGuard magic.
[Interface]
PrivateKey = <private key>
Address = 2a11:6c7:f03:123::2/64

[Peer]
PublicKey = FkVCzA3bhSrqOUhXNxVHDXSLDvWHUa7BGj75uuh85TE=
AllowedIPs = ::/1, 8000::/1
Endpoint = 165.140.142.113:<port>
PersistentKeepAlive = 30
/interface wireguard add mtu=1420 name=wireguard1 private-key=<private key>
/interface wireguard peers add allowed-address=::/1,8000::/1 endpoint-address=165.140.142.113 endpoint-port=<port> interface=wireguard1 persistent-keepalive=30s public-key="FkVCzA3bhSrqOUhXNxVHDXSLDvWHUa7BGj75uuh85TE="
/ipv6 address add address=2a11:6c7:f03:123::2/64 interface=wireguard1
/ipv6 route add dst-address=2000::/3 gateway=wireguard1
/ipv6 nd set [ find default=yes ] interface=bridge mtu=1420
/ipv6 address add address=2a11:6c7:2001:5301::/64 advertise=yes interface=bridge
My IPv6 tunnel adventures are coming to an end... Still, I'd like to see Salzburg AG offer native IPv6.
posted at: 20:14 | path: /configuration | permanent link