Disable SSLv3 in Postfix, Dovecot

Postfix:

Disabling certain versions of SSL works like this in Postfix:

In your /etc/postfix/main.cf add or modify the following config parameter like so:

smtpd_tls_protocols=!SSLv2,!SSLv3

If you are using mandatory TLS you’ll want to set this instead:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

These should be fairly self-explanatory, but for further detail read the Postfix configuration parameters documentation.

Do not forget to restart Postfix!

Dovecot:

In Dovecot, add the following to your configuration:

ssl_protocols = !SSLv2 !SSLv3

…and restart Dovecot. If you use a version of Dovecot older than 2.1, upgrade and then do the above.

scrub: -X argument cannot exist

I’ve been looking for a utility that will clean disks for me – and I do realize this is no real substitute for shredding them. Anyway, scrub seems to do the job. However, when I tried to run it I got:

scrub: -X argument cannot exist

This had me stumped because I read it as “the -X argument cannot exist”, which seemed to make no sense whatsoever. And indeed it means “the argument to -X cannot be a directory that exists”. Simply running it with a new directory, like so:

root@server:/home# scrub -X /home/scrub
scrub: using NNSA NAP-14.x patterns
scrub: scrubbing /home/scrub/scrub.000 1073741824 bytes (~1GB)
scrub: random |..^C |

works.

It is notable that more current versions of scrub fix the error message to be more intuitive (mine was still 2.2).

Could not perform immediate configuration on ‘python-minimal’

When I tried to update my Debian box, I got the following ominous error:

E: Could not perform immediate configuration on 'python-minimal'.Please see man 5 apt.conf under APT::Immediate-Configure for details. (2)

It turns out that the fix is fairly simple. The following worked for me:

apt-get install -o APT::Immediate-Configure=false -f apt python-minimal

Postfix error – fatal: parameter “smtpd_recipient_restrictions”

I encountered this error when I added a check_sender_access clause to my smtpd_recipient_restrictions in Postfix's main.cf:

fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit.

I haven’t really checked, but I am guessing this is because smtpd_recipient_restrictions as the last clause isn’t specifically rejecting all mails that aren’t wanted, and so you risk turning your system into an open relay. I did as the error advised, adding reject_unauth_destination to my restrictions, and all was well.
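An added Python example (not code from the page, Postfix or Dovecot) that checks a main.cf and a Dovecot fragment for the two settings these posts deal with: the "!SSLv2,!SSLv3" exclusion lists from the first post, and the relay-blocking restriction the fatal error above demands. The sample configuration is constructed, and treating an empty protocol list as "everything allowed" is an assumption.

```python
import re

# Constructed sample of the relevant main.cf lines (not the page's full config):
# opportunistic TLS with SSLv3 excluded, and a restriction list that ends in
# check_sender_access with no relay-blocking restriction, as in the fatal error.
MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access
"""
DOVECOT_CONF = "ssl_protocols = !SSLv2 !SSLv3\n"  # constructed Dovecot fragment

# The restrictions the fatal error names as acceptable "working instances".
RELAY_SAFE = {"check_relay_domains", "reject_unauth_destination",
              "reject", "defer", "defer_if_permit"}

def parse_kv(text):
    """'key = value' lines; Postfix continuation lines (leading whitespace) extend the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:
            params[key] = (params[key] + " " + line.strip()).strip()
        elif "=" in line:
            key, _, val = line.partition("=")
            key = key.strip()
            params[key] = val.strip()
    return params

def protocol_enabled(value, proto):
    """Entries all prefixed '!' form an exclusion list, otherwise an inclusion list
    (same rule for Postfix and Dovecot); an empty list is assumed to restrict nothing."""
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    if all(t.startswith("!") for t in tokens):      # also true for an empty list
        return proto not in {t[1:] for t in tokens}
    return proto in tokens

def effective_protocols_key(params):
    """Mandatory TLS ('encrypt') is governed by the *_mandatory_* list, opportunistic ('may') by the other."""
    level = params.get("smtpd_tls_security_level", "none")
    return "smtpd_tls_mandatory_protocols" if level == "encrypt" else "smtpd_tls_protocols"

def sslv3_allowed(params, key):
    return protocol_enabled(params.get(key, ""), "SSLv3")

def relay_restriction_present(params):
    """True when smtpd_recipient_restrictions contains one of the RELAY_SAFE entries."""
    tokens = re.split(r"[\s,]+", params.get("smtpd_recipient_restrictions", ""))
    return any(t in RELAY_SAFE for t in tokens)
```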

Setting Sender Address in Mutt

I’m a Pine user. I seriously dislike mutt. It’s terribly uncomfortable to use. But it is maintained, and luckily it’s quite flexible and can be changed in how it acts. I’m trying to get by with mutt… and it’s a slow process, one step at a time.

First annoyance, by default it uses my machine name in the from address. The fix is easy enough. Open your .muttrc and add or change:

set realname="Your Name"
set from="mail@example.org"
set use_from=yes

That’s that.

Turning off Syntax Highlighting in vim

Today my screen is a bit dark – or rather, the office is bright, what with all the sun outside. This makes some of the colors of vim’s syntax highlighting hard to read. How do you turn this on or off?

After you open a file, press ESC. With:

:syntax off

you can turn the highlighting off; with:

:syntax on

you can turn it on again.

If you want to do this permanently, you can edit (or create) the file .vimrc to include the line:

syntax off

I know this is a tiny thing, but I can now read my text files again. 😉

Enabling SSL in Apache2 on Ubuntu

I’m using my server for various admin interfaces and so want to SSL encrypt all traffic to the web server. This is easy enough to add to the default vhosts.

First, we need an SSL certificate. Create it by running:

openssl req -new -x509 -days 3650 -nodes \
  -out /etc/ssl/certs/apacheserver.pem \
  -keyout /etc/ssl/private/apacheserver.pem

This generates a self-signed certificate. For tests this is good enough; for production sites you WILL want to use a real purchased certificate. Since one of the jobs of SSL is not only to encrypt, but also to authenticate a site to the user, a self-signed certificate will cause browsers to pop up a warning. Users can (permanently) accept this for your site, but it’s probably not the impression you want to leave.

Ubuntu’s Apache2 will come with the SSL module installed by default, but it’s not used. As our next step, we need to enable it:

a2enmod ssl

Then we need to create an SSL virtual host. In my case, I want all http traffic to be simply redirected to https. Find the file /etc/apache2/sites-enabled/000-default and edit it.

Change the existing vhost to listen on port 443; edit the “VirtualHost” line so it reads:

<VirtualHost *:443>
[…]
</VirtualHost>

(Where […] is of course the rest of your vhost configuration)

Now, inside the VirtualHost definition we’ll need to enable SSL and tell it where the certificate resides:

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apacheserver.pem
SSLCertificateKeyFile /etc/ssl/private/apacheserver.pem
[…]
</VirtualHost>

Finally, add a new vhost for redirection:

<VirtualHost *:80>
RedirectPermanent / https://server.example.org/
</VirtualHost>

Naturally, https://server.example.org/ should point to your machine’s name.

Restart Apache:

/etc/init.d/apache2 restart

And that’s all. If you go to http://server.example.org/ you should now be redirected to https://server.example.org/.

For final reference, here’s my configuration. Note that I commented out the Ubuntu documentation (No need to make this available to the big wide world) and cgi-bin (I’m not using this).

<VirtualHost *:80>
RedirectPermanent / https://ephesus.pandemonium.de/
</VirtualHost>

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ephesus.pem
SSLCertificateKeyFile /etc/ssl/private/ephesus.pem

ServerAdmin webmaster@localhost

DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
#<Directory "/usr/lib/cgi-bin">
# AllowOverride None
# Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
# Order allow,deny
# Allow from all
#</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/access.log combined
# Alias /doc/ "/usr/share/doc/"
# <Directory "/usr/share/doc/">
# Options Indexes MultiViews FollowSymLinks
# AllowOverride None
# Order deny,allow
# Deny from all
# Allow from 127.0.0.0/255.0.0.0 ::1/128
# </Directory>

</VirtualHost>
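An added Python check for the vhost layout this post describes (not code from the page or from Apache): it parses VirtualHost blocks like the ones above and flags a :443 host without SSLEngine or certificate paths, or a :80 host that still serves content instead of redirecting to https. The sample configuration is constructed from the page's own final config, and only directives at a vhost's top level are examined.

```python
import re

# Constructed sample in the shape of the page's final config (ephesus paths are the page's own).
SITES_CONF = """\
<VirtualHost *:80>
RedirectPermanent / https://ephesus.pandemonium.de/
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ephesus.pem
SSLCertificateKeyFile /etc/ssl/private/ephesus.pem
DocumentRoot /var/www
</VirtualHost>
"""

def parse_vhosts(text):
    """[(port, directives)] per <VirtualHost>; comments and nested <Directory> blocks are skipped."""
    vhosts, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"<VirtualHost\s+\S*:(\d+)>", line, re.I)
        if m:
            current, depth = (m.group(1), {}), 0
        elif current is None or not line or line.startswith("#"):
            continue
        elif line.lower() == "</virtualhost>":
            vhosts.append(current)
            current = None
        elif line.startswith("<"):                       # nested block open/close
            depth += -1 if line.startswith("</") else 1
        elif depth == 0:
            name, _, arg = line.partition(" ")
            current[1][name.lower()] = arg.strip()
    return vhosts

def https_problems(vhosts):
    """Report what would leave traffic in the clear: :443 without SSL, :80 serving content."""
    problems = []
    for port, d in vhosts:
        if port == "443":
            if d.get("sslengine", "").lower() != "on":
                problems.append("443: SSLEngine is not on")
            missing = [k for k in ("sslcertificatefile", "sslcertificatekeyfile") if k not in d]
            problems += ["443: missing " + k for k in missing]
        elif port == "80":
            if not re.match(r"/\s+https://", d.get("redirectpermanent", "")):
                problems.append("80: no RedirectPermanent / https://... for plain http")
            if "documentroot" in d:
                problems.append("80: DocumentRoot serves content over plain http")
    return problems
```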