Server – Page 2 – Ryan Schulze

Setting up multidomain DKIM with Exim

October 13, 2016November 7, 2018RyanDKIM, dmarc, exim, SMTP, SPF

Update November 2018:

A reader contacted me and pointed out that removing the {} around DKIM_DOMAIN solves the errors in the original example I found and had problems using. I’ve updated the code below (line 8) to reflect those changes in case anyone ends up here via google.

He also shared a nifty way to make selector rollovers easier by adding them to the filename:

DKIM_SELECTOR = whatever
DKIM_FILE =/etc/exim4/dkim/DKIM_DOMAIN.pem.DKIM_SELECTOR
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

With the format of the key files being ....

/etc/exim4/dkim/example.org.pem.previousselector
/etc/exim4/dkim/example.org.pem.whatever

DKIM_SELECTOR = whatever

DKIM_FILE =/etc/exim4/dkim/DKIM_DOMAIN.pem.DKIM_SELECTOR

DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

With the format of the key files being ....

/etc/exim4/dkim/example.org.pem.previousselector

/etc/exim4/dkim/example.org.pem.whatever

And last but not least an elegant way to populate the DKIM_DOMAIN variable: https://bugs.exim.org/show_bug.cgi?id=1019

Original Posting:

I was recently setting up SPF, DKIM and DMARC for multiple domains and was having trouble getting Exim to sign emails for the different domains. I found an article here explaining the steps. But I kept getting the following error in my exim logs:

failed to expand dkim_private_key: missing or misplaced { or }

The suggested configuration was the following:

DKIM_CANON = relaxed
DKIM_SELECTOR = 20150726

# Get the domain from the outgoing mail.
DKIM_DOMAIN = ${sg{${lc:${domain:$h_from:}}}{^www\.}{}}

# The file is based on the outgoing domain-name in the from-header.
DKIM_FILE = /etc/exim4/dkim/DKIM_DOMAIN.pem

# If key exists then use it, if not don't.
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

DKIM_CANON = relaxed

DKIM_SELECTOR = 20150726

# Get the domain from the outgoing mail.

DKIM_DOMAIN = ${sg{${lc:${domain:$h_from:}}}{^www\.}{}}

# The file is based on the outgoing domain-name in the from-header.

DKIM_FILE = /etc/exim4/dkim/DKIM_DOMAIN.pem

# If key exists then use it, if not don't.

DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

I’m not quite sure why, but Exim was having trouble using the macros in the following macros, so I ended up changing it to the following snippet instead. If you don’t use DKIM_FILE you can omit it. Also you might want to set DKIM_STRICT to true if you published a DMARC policy that will reject or quarantine email failing the DKIM tests (unset, or “false” tells Exim to send the message unsigned if it ran into problems signing the email). The default setting for DKIM_CANON is “relaxed“, so it also can be omitted.

DKIM_CANON = relaxed
DKIM_STRICT = false
DKIM_SELECTOR = 20160724
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /etc/exim4/dkim/${lc:${domain:$h_from:}}.pem
DKIM_PRIVATE_KEY = ${if exists {/etc/exim4/dkim/${lc:${domain:$h_from:}}.pem} {/etc/exim4/dkim/${lc:${domain:$h_from:}}.pem}}

DKIM_CANON = relaxed

DKIM_STRICT = false

DKIM_SELECTOR = 20160724

DKIM_DOMAIN = ${lc:${domain:$h_from:}}

DKIM_FILE = /etc/exim4/dkim/${lc:${domain:$h_from:}}.pem

DKIM_PRIVATE_KEY = ${if exists {/etc/exim4/dkim/${lc:${domain:$h_from:}}.pem} {/etc/exim4/dkim/${lc:${domain:$h_from:}}.pem}}

Other than that, just make sure the exim process has permissions to access the dkim directory and certificate files and everything should work nicely.

How to prevent changes to a tag via svn hook

February 4, 2015Ryanbash, hook, linux, subversion, svn

A colleague of mine recently asked if it was possible to keep people from committing changes to tags in subversion. I thought “Hey, that should be easy to do via the pre-commit hook. I bet someone already made one that I can just test and use“. Either my google-fu failed me or the request wasn’t as common as I had anticipated, because surprisingly I couldn’t find any hooks that truly accomplish blocking changes to a tag (probably right after I post this someone will say “hey, why didn’t you look $here, it is exactly what you wanted“).

I found people looking for such a feature, and I found a hook or two that kinda did what I needed (the best I could find was a hook that just blocked updates to /tags/* but it allowed deletes, adds and property changes), but none that really blocked all changes to tags. So I decided to just make my own configurable svn hook. You can tell it what to allow and what to block, and which directory to work on (since not everyone has the tags in their base directory of the repository).

You may have to change the SVNLOOK variable depending on where your svnlook binary is installed.

#!/bin/bash

#===============================================================================
#
#          FILE:  pre-commit
# 
#   DESCRIPTION:  pre-commit svn hook. configurable hook to block certain 
#                 actions on svn tags
#                 (e.g. blocking changes to existing tags)
# 
#  REQUIREMENTS:  svnlook
#        AUTHOR:  Ryan Schulze (rs), ryan@dopefish.de
#===============================================================================

#===============================================================================
# Path to tags directory in the repository
#===============================================================================
TAGS_PATH="^tags/"

#===============================================================================
# What to allow or block
#===============================================================================
UPDATE=block
DELETE=block
ADD=block
PROPERTIES=block

#===============================================================================

REPOS="${1}"
TXN="${2}"

SVNLOOK=/usr/bin/svnlook

ABORT=0

while read line
do
	# SVN Action for this element
	ACTION="${line%% *}"

	# Path for this element
	FILE_PATH="$(echo "${line#* }" | sed 's/^ *//')"

	# regex that skips entries for the top level directory of a specific tag (e.g. tags/1.5/)
	# so that we can still create and delete the tags themselves
	if [[ "${FILE_PATH}" =~ ${TAGS_PATH}[/]*[^/]+/.+$ ]] 
	then
		# A  - Item added to repository
		# D  - Item deleted from repository
		# U  - File contents changed
		# _U - Properties of item changed
		# UU - File contents and properties changed
		case ${ACTION} in 
			U | UU )  [[ "${UPDATE}" == 'block' ]] && ABORT=1 ;;
			D )       [[ "${DELETE}" == 'block' ]] && ABORT=1 ;;
			A )       [[ "${ADD}" == 'block' ]] && ABORT=1 ;;
			_U | UU ) [[ "${PROPERTIES}" == 'block' ]] && ABORT=1 ;;
		esac
	fi

	if [[ ${ABORT} -gt 0 ]]
	then
		echo "Cannot change tags!" 1>&2
		exit 1
	fi	

done < <(${SVNLOOK} changed -t "$TXN" "$REPOS")

# All checks passed, so allow the commit.
exit 0

#!/bin/bash

#===============================================================================

# FILE: pre-commit

# DESCRIPTION: pre-commit svn hook. configurable hook to block certain

# actions on svn tags

# (e.g. blocking changes to existing tags)

# REQUIREMENTS: svnlook

# AUTHOR: Ryan Schulze (rs), ryan@dopefish.de

#===============================================================================

# Path to tags directory in the repository

#===============================================================================

TAGS_PATH="^tags/"

#===============================================================================

# What to allow or block

#===============================================================================

UPDATE=block

DELETE=block

ADD=block

PROPERTIES=block

#===============================================================================

REPOS="${1}"

TXN="${2}"

SVNLOOK=/usr/bin/svnlook

ABORT=0

while read line

# SVN Action for this element

ACTION="${line%% *}"

# Path for this element

FILE_PATH="$(echo "${line#* }" | sed 's/^ *//')"

# regex that skips entries for the top level directory of a specific tag (e.g. tags/1.5/)

# so that we can still create and delete the tags themselves

if [[ "${FILE_PATH}" =~ ${TAGS_PATH}[/]*[^/]+/.+$ ]]

then

# A - Item added to repository

# D - Item deleted from repository

# U - File contents changed

# _U - Properties of item changed

# UU - File contents and properties changed

case ${ACTION} in

U | UU ) [[ "${UPDATE}" == 'block' ]] && ABORT=1 ;;

D ) [[ "${DELETE}" == 'block' ]] && ABORT=1 ;;

A ) [[ "${ADD}" == 'block' ]] && ABORT=1 ;;

_U | UU ) [[ "${PROPERTIES}" == 'block' ]] && ABORT=1 ;;

esac

if [[ ${ABORT} -gt 0 ]]

then

echo "Cannot change tags!" 1>&2

exit 1

done < <(${SVNLOOK} changed -t "$TXN" "$REPOS")

# All checks passed, so allow the commit.

exit 0

Downtime, Backups, and IPv6

February 16, 2014Ryanbackups, downtime, ipv6

Sorry for the unexpected downtime that lasted a few days and affected all the services here. One of the hard drives in the raid on my server suddenly showing miserable I/O performance, since the other drive was fine according to tests, SMART and logs I decided to take the slow drive offline to have it replaced. That turned out fatal since the other drive was also kaput and all my virtual machines on that server were now corrupted.

On the bright side the 2nd MX server worked fine and held all the email like it supposed to do until I got the main server back up and running (yaay to “exim -Mvb” to at least be able to read important mails that are in the mail server queue).

Long story short, since these drives have caused me much trouble in the past too, I decided to just get a new server with different hardware and restore everything from backups. Like any sysadmin I have my regular backups and scripts to check that they are working and occasionally test them to ensure I can restore a server from backups, but I’ve never had to really actually restore everything from a backup on one of my private servers. So when doing so I noticed minor things that aren’t perfect and needed to be changed to make my life easier in the future and decided to share my experience.

Backups. Instead of making one large archive with all the directories backed up (e.g. /etc, /home, /opt, …), split it up into multiple archives of the applications you are backing up (e.g. /etc/apache2, /var/www/). I should have known better since this is common practice at work. It makes your life a lot easier when restoring from a backup if you have one archive with everything in it associated to a specific application, Digging through a backup of /etc and trying to remember all sub-directories needed to get email back up and running was a chore (webinterface, greylisting, spamassassin, exim, dovecot … some of them store data you also want to restore in other parts of the filesystem). You can always tar all the application backups together into one package before uploading it to the backup server if you want.

Use some kind of configuration and/or deployment management software (Puppet, Chef, Ansible, Salt, own scripts, …). Don’t underestimate how relaxing it is to just press a button to get your server(s) back into the defined state you previously had, just drop in the data from the backups (configuration too depending on how you roll) and you are good to go. Getting networking up and running manually took me longer than it should have (VPN networks, routing on the VM host, sysctl settings, NAT, which interfaces are bridged, which are internal, guest network configuration, …), I’ve put that all into Ansible playbooks now so it’s just a press of a button.

IPv6 is still sorely underused in the internet. I always set it up on all my hosts and mainly I see it being used by core services like email servers, dns, package download servers of large distributions, sometimes ntp, that kind of stuff, not so much on normal websites. Ordering extra IPv4 IPs for my guests normally takes an extra day or so until they are assigned to me (and they each cost extra), so I do enjoy having a huge subnet ip IPv6 IPs free of charge to do with as I please. It’s nice to spin up a virtual server, assign it an IPv6 IP and have it online without having to worry about NAT or port forwarding or other stuff you are confronted with when getting a server/services online that reside on an internal IP.
While I like to push people to embrace IPv6 early and get used to it, it is also important to give it the same attention you give IPv4 to make sure that you aren’t opening yourself up to security problems. Make sure you have the same firewall policy for IPv6 as you do for IPv4 and IPv6 brings a few new features with it that IPv4 didn’t have. Unless you explicitly need/use them it is best to shut them off. Below I’ll ad some IPv6 settings you probably want to set per default unless you are explicitly using them.

net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.accept_dad=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.accept_ra_defrtr=0
net.ipv6.conf.all.accept_ra_rtr_pref=0
net.ipv6.conf.all.accept_ra_pinfo=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.accept_dad=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.default.accept_ra_defrtr=0
net.ipv6.conf.default.accept_ra_rtr_pref=0
net.ipv6.conf.default.accept_ra_pinfo=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.default.accept_source_route=0

net.ipv6.conf.all.autoconf=0

net.ipv6.conf.all.accept_dad=0

net.ipv6.conf.all.accept_ra=0

net.ipv6.conf.all.accept_ra_defrtr=0

net.ipv6.conf.all.accept_ra_rtr_pref=0

net.ipv6.conf.all.accept_ra_pinfo=0

net.ipv6.conf.all.accept_redirects=0

net.ipv6.conf.all.accept_source_route=0

net.ipv6.conf.default.autoconf=0

net.ipv6.conf.default.accept_dad=0

net.ipv6.conf.default.accept_ra=0

net.ipv6.conf.default.accept_ra_defrtr=0

net.ipv6.conf.default.accept_ra_rtr_pref=0

net.ipv6.conf.default.accept_ra_pinfo=0

net.ipv6.conf.default.accept_redirects=0

net.ipv6.conf.default.accept_source_route=0

How to find the fingerprints of public keys in authorized_keys

August 15, 2012September 27, 2014Ryanauth, authorized_keys, bash, fingerprint, ssh, ssh keys

If you use keys for SSH authentication (and you should) then you have probably run into the situation that the auth.log shows that someone logged in, even which local user was used (e.g. root), but you have no idea which of the keys in ~/.ssh/autorized_keys was used. The first step you can do to see what is going on, is increasing the log level of the SSH daemon:

/etc/ssh/sshd_config

LogLevel VERBOSE

1	LogLevel VERBOSE

That will spit out the fingerprint of the SSH key used to log in. Example log entry for a successful login:

Aug 15 11:47:40 security sshd[1924]: Connection from 192.168.199.1 port 39648
Aug 15 11:47:41 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c
Aug 15 11:47:41 security sshd[1924]: Postponed publickey for root from 192.168.199.1 port 39648 ssh2 [preauth]
Aug 15 11:47:42 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c
Aug 15 11:47:42 security sshd[1924]: Accepted publickey for root from 192.168.199.1 port 39648 ssh2
Aug 15 11:47:42 security sshd[1924]: pam_unix(sshd:session): session opened for user root by (uid=0)

Aug 15 11:47:40 security sshd[1924]: Connection from 192.168.199.1 port 39648

Aug 15 11:47:41 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c

Aug 15 11:47:41 security sshd[1924]: Postponed publickey for root from 192.168.199.1 port 39648 ssh2 [preauth]

Aug 15 11:47:42 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c

Aug 15 11:47:42 security sshd[1924]: Accepted publickey for root from 192.168.199.1 port 39648 ssh2

Aug 15 11:47:42 security sshd[1924]: pam_unix(sshd:session): session opened for user root by (uid=0)

Now that we have the fingerprint of the ssh key used to login, we will need ssh-keygen to spit out the fingerprints of the public keys in ~/.ssh/authorized_keys to be able to compare them. So I wrote a little wrapper called ssh-fingerprint.sh around ssh-keygen to feed it all the public keys from authorized_keys (if you want you can even fit the whole while loop as a oneliner):

#!/bin/bash 
initialize() { #{{{
	# Treat unset variables as an error
	set -o nounset
	tempfile=$(mktemp)
	authorized_keys="${HOME}/.ssh/authorized_keys"
	trap cleanup TERM EXIT # clean up if script exits
} #}}}

cleanup() { #{{{
	rm -f ${tempfile}
	exit 0
} #}}}

#===============================================================================
# Main
#===============================================================================
initialize

if [ ! -e ${authorized_keys} ]
then
	echo -e "\nERROR: ${authorized_keys} file not found\n"
	exit 
fi

while read line
do 
	echo "${line}" &gt;  ${tempfile}
	ssh-keygen -l -f ${tempfile}
done &lt; ${authorized_keys}

#!/bin/bash

initialize() { #{{{

# Treat unset variables as an error

set -o nounset

tempfile=$(mktemp)

authorized_keys="${HOME}/.ssh/authorized_keys"

trap cleanup TERM EXIT # clean up if script exits

} #}}}

cleanup() { #{{{

rm -f ${tempfile}

exit 0

} #}}}

#===============================================================================

# Main

#===============================================================================

initialize

if [ ! -e ${authorized_keys} ]

then

echo -e "\nERROR: ${authorized_keys} file not found\n"

exit

while read line

echo "${line}" > ${tempfile}

ssh-keygen -l -f ${tempfile}

done < ${authorized_keys}

New Virtualbox version, script for easy update of extension pack

March 14, 2012March 14, 2012Ryan2 Commentsbash, extpack, virtualbox

VirtualBox 4.1.10 was released yesterday with a few nice things in the changelog. Updating virtualbox itself is easy, just download the package and update it. Since I seem to stumble over the update of the extension pack every time (on my headless system) I thought I’d write a small script this time so I don’t have to rethink it next time (automatically downloads and installs the current extpack):

#!/bin/bash
URL="$(wget -qO - https://www.virtualbox.org/wiki/Downloads|grep "Oracle VM VirtualBox Extension Pack"|sed "s/.\+\(http:\/\/download.virtualbox.org.\+.vbox-extpack\).\+/\1/")"
File=${URL##*/}

if [[ "${URL}" != "" &amp;&amp; "${File}" != "" ]]
then
  echo "Downloading and installing ${File}" &amp;&amp; \
  wget -qO ${File} ${URL} &amp;&amp; \
  VBoxManage extpack install --replace ${File}
fi

#!/bin/bash

URL="$(wget -qO - https://www.virtualbox.org/wiki/Downloads|grep "Oracle VM VirtualBox Extension Pack"|sed "s/.\+$http:\/\/download.virtualbox.org.\+.vbox-extpack$.\+/\1/")"

File=${URL##*/}

if [[ "${URL}" != "" && "${File}" != "" ]]

then

echo "Downloading and installing ${File}" && \

wget -qO ${File} ${URL} && \

VBoxManage extpack install --replace ${File}