pmeerw's blog

Wed, 22 Oct 2025

gmx.de claims insufficient security

gmx.de uses a TLS alert (71) to claim insufficient security. After disabling TLSv1 in postfix, it works (i.e. mail is delivered). Amazing.

postfix/smtpd[3923583]: TLS SNI mail.pmeerw.net from mout.gmx.net[212.227.15.18] not matched, using default chain
postfix/smtpd[3923583]: Untrusted TLS connection established from mout.gmx.net[212.227.15.18]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (3072 bits) client-digest SHA256
postfix/smtpd[3923583]: warning: TLS library problem: error:0A00042F:SSL routines::tlsv1 alert insufficient security:../ssl/record/rec_layer_s3.c:916:SSL alert number 71:
postfix/smtpd[3923583]: NOQUEUE: lost connection after STARTTLS from mout.gmx.net[212.227.15.18]
postfix/smtpd[3923583]: disconnect from mout.gmx.net[212.227.15.18] ehlo=1 starttls=1 commands=2

posted at: 14:49 | path: /configuration | permanent link

Tue, 30 Sep 2025

Lenovo X13 firmware update on Linux

It's easy, just run sudo fwupdmgr get-updates followed by sudo fwupdmgr update. The system needs to be on AC power to perform the update.

posted at: 22:07 | path: /configuration | permanent link

Fri, 26 Sep 2025

Easy DKIM/DMARC setup for multiple domains

It's possible to just list multiple domains in opendkim.conf which will all get signed with the same key indicated by KeyFile and Selector (as pointed out here).

# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector 'mail' (e.g. mail._domainkey.example.com)
# hacky, multiple domains, all share the same key and the same DNS setup
# so we also need mail._domainkey.bla.net and mail._domainkey.blub.org DNS records
Domain                  example.com, bla.net, blub.org
KeyFile                 /etc/dkimkeys/example.com.key
Selector                mail

A more complex way with individual mappins is described here.

A good way to test the setup is appmaildev.com's DKIM Test.

posted at: 10:10 | path: /configuration | permanent link

Sun, 21 Sep 2025

Debian PostSRSd update woes

Debian unstable recently updates the PostSRSd to 2.0.11-1+b1, breaking stuff:

  1. new postfix configuration required (and pointed out in the NEWS)
      sender_canonical_maps = socketmap:unix:srs:forward
      sender_canonical_classes = envelope_sender
      recipient_canonical_maps = socketmap:unix:srs:reverse
      recipient_canonical_classes = envelope_recipient, header_recipient
    
  2. apparmor changes required (or should apparmor be dropped?)
      /etc/postsrsd.conf r,
      /var/spool/postfix/** rwk,
    

posted at: 11:00 | path: /configuration | permanent link

Thu, 21 Aug 2025

Controlling IKEA smart home stuff with Python

IKEA has some smart home products: Zigbee light bulbs, a temperature sensor, several remote controller, and -- most importantly -- the Dirigera hub which allows to control the devices via an app or REST API. The hub supports the matter standard and lacks technical documentation (it has USB-C for power supply, an Ethernet plug and expects to local network with WiFi). A Python package, dirigera, is available.

First step is to generate a token (JWT) to enable access to the API, which requires pressing the "Action" button on the hub.

posted at: 18:05 | path: /projects | permanent link

Made with PyBlosxom