For many years I've run a poor-man's mailing list through /etc/aliases
on my VPS. Before you start breaking out the flaming torches and
pitchforks, it's very limited in scope; it forwards only within my
immediate household, albeit to mailboxes hosted by gmail and hotmail.
I've just learned that some mails to this alias are being quarantined or
bounced at their ultimate destinations. They're passing SPF (because
envelope-from is postmaster@ my vps) but failing DMARC (the external
From address isn't being rewritten). When the sender has full DMARC
enabled, we lose.
Drat.
My VPS is running Debian with exim4.
I think I might like to rewrite "From: foo(a)bar.baz" to something like
"From: postmaster+foo_bar.baz(a)my.domain" in order to satisfy DMARC, but
only when forwarding via this particular alias. I'm not readily figuring
out how to do this, and am leery to tangle with Exim's rewrite rules anyway.
Would anybody care to venture whether this is possible? a good/bad idea?
alternative solutions? I am looking for a least hassle, least
maintenance answer, ideally at little or no additional cost (hence
/etc/aliases has served well for a long time). On a unicorn, naturally :-)
(No I don't run mailman - I used to but I found it rather tiresome to
set up, feed and water.)
Thanks
Ross
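As an added illustration of the problem Ross describes (this is not code from the post, from Exim or from any list member), the snippet below models how a receiving site evaluates DMARC alignment on a forwarded message and then applies the proposed From rewrite. The domains bar.baz and my.domain, the addresses and the sample message are constructed; the use of Reply-To to keep the original author reachable is this example's assumption, not something the post proposes.

```python
"""Why the forwarded mail fails DMARC and what the proposed From rewrite
changes.  Added illustration, not code from the post or from Exim;
bar.baz, my.domain and the addresses are constructed placeholders."""
from email import message_from_string, policy
from email.utils import parseaddr, formataddr

FORWARDER_DOMAIN = "my.domain"                     # the VPS hosting /etc/aliases
ENVELOPE_FROM = "postmaster@" + FORWARDER_DOMAIN   # the domain SPF is checked against

# Constructed sample: a message from an outside sender arriving at the alias.
ORIGINAL = """\
From: Foo Example <foo@bar.baz>
To: family@my.domain
Subject: dinner
DKIM-Signature: v=1; d=bar.baz; s=sel; h=from:to:subject; b=PLACEHOLDER

See you at 7.
"""


def parse(text):
    return message_from_string(text, policy=policy.default)


def domain_of(header_value):
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def dkim_domain(msg):
    """The d= tag of the DKIM-Signature header, if the message carries one."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    for tag in str(sig).split(";"):
        key, _, value = tag.strip().partition("=")
        if key == "d":
            return value.strip().lower()
    return None


def dmarc_check(msg, envelope_from, dkim_valid):
    """DMARC identifier alignment as a receiving site evaluates it.

    SPF itself is assumed to pass for the forwarder (the post says it does);
    the question is whether the RFC5322.From domain aligns with either the
    envelope-from domain or a DKIM d= domain that still verifies.  Domains
    are compared exactly here (strict alignment); relaxed alignment would
    compare organizational domains, which makes no difference for these
    sample domains.
    """
    from_dom = domain_of(msg["From"])
    spf_aligned = from_dom == domain_of(envelope_from)
    d = dkim_domain(msg)
    dkim_aligned = dkim_valid and d is not None and d == from_dom
    return {
        "from_domain": from_dom,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "pass": spf_aligned or dkim_aligned,
    }


def rewrite_from(msg):
    """The rewrite the post proposes: park the outside sender under a local
    plus-address so From aligns with the forwarder's domain.  Keeping the
    original author reachable via Reply-To is this example's assumption."""
    name, addr = parseaddr(str(msg["From"]))
    local, _, dom = addr.rpartition("@")
    new_addr = "postmaster+%s_%s@%s" % (local, dom, FORWARDER_DOMAIN)
    out = parse(msg.as_string())            # work on a copy
    if "Reply-To" not in out:
        out["Reply-To"] = formataddr((name, addr))
    del out["From"]
    out["From"] = formataddr((name, new_addr))
    return out


if __name__ == "__main__":
    before = parse(ORIGINAL)
    print("before:", dmarc_check(before, ENVELOPE_FROM, dkim_valid=False))
    after = rewrite_from(before)
    print("after: ", dmarc_check(after, ENVELOPE_FROM, dkim_valid=False))
    print(after["From"], "/", after["Reply-To"])
```

Two things worth noticing when you run it: an untouched forward only passes DMARC if the sender's DKIM signature survived the hop and covers an aligned d= domain, and the rewrite necessarily breaks that signature (it signs the From header), so after rewriting the message passes purely on SPF alignment with the forwarder's own domain.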
I have an old Ubuntu 16.04 install that is beginning to give me a tonne of
grief with apt.
It has now happily upgraded (well) past kernel 4.4.0-210, but it's refusing
to go further because it can't remove -210 any more:
# apt remove --purge linux-modules-extra-4.4.0-210-generic
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED
linux-headers-4.4.0-210-generic linux-modules-4.4.0-210-generic
linux-modules-extra-4.4.0-210-generic
0 to upgrade, 0 to newly install, 3 to remove and 18 not to upgrade.
3 not fully installed or removed.
After this operation, 225 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 149323 files and directories currently installed.)
Removing linux-headers-4.4.0-210-generic (4.4.0-210.242) ...
dpkg: error processing package linux-headers-4.4.0-210-generic (--remove):
unable to securely remove
'/usr/src/linux-headers-4.4.0-210-generic/include/config/generic/isa/dma.h':
Not a directory
Removing linux-modules-4.4.0-210-generic (4.4.0-210.242) ...
dpkg: error processing package linux-modules-4.4.0-210-generic (--remove):
unable to securely remove
'/lib/modules/4.4.0-210-generic/kernel/fs/nfs/nfsv4.ko': Not a directory
Removing linux-modules-extra-4.4.0-210-generic (4.4.0-210.242) ...
dpkg: error processing package linux-modules-extra-4.4.0-210-generic
(--remove):
unable to securely remove
'/lib/modules/4.4.0-210-generic/kernel/fs/nfs/blocklayout': Not a directory
Errors were encountered while processing:
linux-headers-4.4.0-210-generic
linux-modules-4.4.0-210-generic
linux-modules-extra-4.4.0-210-generic
E: Sub-process /usr/bin/dpkg returned an error code (1)
apt upgrades are failing as a result of this. I've been slowly reinstating
files (using touch), but is there a way to *genuinely force* apt to
remove/purge when it gets into a state like this?
Kind regards
Murray Crane
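The "Not a directory" errors above mean a component of the path (not the listed file itself) now exists as something other than a directory, which is exactly what recreating entries with touch can cause. As an added example that is not from the post, the script below walks a package's file list and reports the parent paths that are blocking removal; the file list and the on-disk tree are constructed in a temporary directory so it runs anywhere. On a real Debian or Ubuntu system the list to feed it is /var/lib/dpkg/info/<package>.list.

```python
"""Locate the path component that makes dpkg report "Not a directory":
for each entry in a package's file list, walk its parent directories and
flag any that exist on disk as something other than a directory (for
example a regular file created with touch).  Added example, not from the
post; the file list and the on-disk tree are constructed in a temp dir.
On a real system the list lives at /var/lib/dpkg/info/<package>.list."""
import os
import tempfile


def blocking_components(list_text, root="/"):
    """Map each offending parent path -> the listed paths it blocks."""
    offenders = {}
    for line in list_text.splitlines():
        path = line.strip()
        if not path or path == "/.":
            continue
        parent = os.path.dirname(path)
        while parent not in ("", "/"):
            on_disk = os.path.join(root, parent.lstrip("/"))
            if os.path.lexists(on_disk) and not os.path.isdir(on_disk):
                offenders.setdefault(parent, []).append(path)
            parent = os.path.dirname(parent)
    return offenders


# Constructed file list in dpkg's .list format (one absolute path per line).
SAMPLE_LIST = """\
/.
/lib
/lib/modules
/lib/modules/4.4.0-demo
/lib/modules/4.4.0-demo/kernel
/lib/modules/4.4.0-demo/kernel/fs
/lib/modules/4.4.0-demo/kernel/fs/nfs
/lib/modules/4.4.0-demo/kernel/fs/nfs/nfsv4.ko
/lib/modules/4.4.0-demo/kernel/net
/lib/modules/4.4.0-demo/kernel/net/demo.ko
"""


def build_sample_tree():
    """Constructed tree reproducing the failure: 'nfs' was recreated as an
    empty regular file, so anything listed beneath it is unreachable."""
    root = tempfile.mkdtemp(prefix="dpkg-demo-")
    fs_dir = os.path.join(root, "lib/modules/4.4.0-demo/kernel/fs")
    net_dir = os.path.join(root, "lib/modules/4.4.0-demo/kernel/net")
    os.makedirs(fs_dir)
    os.makedirs(net_dir)
    open(os.path.join(fs_dir, "nfs"), "w").close()        # the mistake
    open(os.path.join(net_dir, "demo.ko"), "w").close()   # a healthy entry
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for parent, blocked in blocking_components(SAMPLE_LIST, root).items():
        print("%s is not a directory; blocks %d listed path(s)"
              % (parent, len(blocked)))
```

The script only reports; once the offending entry is known, the fix is to put a directory back at that path (dpkg does not mind the files beneath it being absent when it removes them) rather than to recreate every missing file.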
Hi,
I was just updating this to use "pool" directives:
https://tools.bitfolk.com/wiki/Securing_NTP
and it struck me that these days Chrony is perhaps a more suitable
NTP client.
If any of you use Chrony and are willing to share what a sensible
default config for a BitFolk VM would look like, please do edit the
article.
I might even switch the Debian installer to use it by default.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi All,
Is letting bind9 listen on all interfaces good practice? Or is letting it listen on a specific interface best?
If I set it to listen on a specific address, bind9 failed to start and stopped listening.
If I set bind9 to listen on all interfaces and use the firewall to block the interface I do not want it to listen on, bind9 to PowerDNS replication did not work. PowerDNS is the primary here.
It seems to be working if I set bind9 to listen on all interfaces and do not block with the firewall.
Regards,
-badli
Hello,
If you do not make use of BitFolk's secondary DNS service then you
can safely skip this email.
Over the last few days we've upgraded the servers used for our
secondary DNS service and also switched software from PowerDNS to
BIND. On the whole nothing changes, but there is one thing I would
like to draw your attention to.
BIND actually pays attention to the expire timers that you set
in your SOA records whereas PowerDNS does not.
An SOA record looks like this:
$ dig +multi +noall +answer -t soa bitfolk.com
bitfolk.com. 86383 IN SOA a.authns.bitfolk.co.uk. hostmaster.bitfolk.com. (
    2023042101 ; serial
    14400      ; refresh (4 hours)
    7200       ; retry (2 hours)
    1209600    ; expire (2 weeks)
    43200      ; minimum (12 hours)
    )
The "expire" timer tells authoritative DNS servers how long the
records they hold are valid for, if they have not been able to
contact the primary nameservers. In the above example, should the
primary nameserver be unreachable, any secondary nameservers that
are still responding will serve the zone content for a further two
weeks. After that time they will respond with SERVFAIL. Compliant
DNS client behaviour is to retry any other servers when that
happens.
PowerDNS does not implement these "expire" semantics and always
answers queries.
In watching logs carefully over the last few days I have seen that
some of you have extremely short expire timers. I'm not sure whether
you intend for that to be the case. For example, there are many
zones currently on BitFolk's servers with an expire time of 300
seconds. That means that you are indicating that the entire zone
should not be served 5 minutes¹ after your primary server stops
responding. It doesn't seem likely to me that you really want all
authoritative servers for your domain to stop working 5 minutes into
any sort of outage.
Since the secondary servers will now really believe you on this, I
urge you to review your expire timers. If in doubt please put your
domain name into this:
https://zonemaster.net/en/run-test
and it'll advise you if any of those timers seem wrong.
Cheers,
Andy
¹ Different DNS server implementations actually behave slightly
differently here. As mentioned, PowerDNS doesn't handle expire
timers at all. BIND has a minimum of 300 seconds, or the
refresh+retry timers, whichever is larger. So in fact the shortest
expire behaviour I can see at the moment is 600 seconds (10
minutes). Which still seems unusually short.
See:
https://jpmens.net/2022/01/14/fun-with-the-dns-soa-expire-field/
for more info about how different implementations treat the expire
timer.
--
https://bitfolk.com/ -- No-nonsense VPS hosting
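As an added example (not from the post or from BitFolk), the script below reads the SOA timers out of the dig +multi output quoted above and judges the expire timer the way the footnote describes BIND treating it: never shorter than 300 seconds or refresh+retry, whichever is larger. The second zone, with the 300-second expire the post warns about, is constructed, and the one-week warning threshold is this example's own assumption.

```python
"""Read the SOA timers from `dig +multi` output (the format the post shows)
and judge the expire timer the way the post's footnote describes BIND
doing it.  Added example, not from the post; the second zone and the
warning threshold are constructed / assumed."""
import re

FIELDS = ("serial", "refresh", "retry", "expire", "minimum")
BIND_FLOOR = 300          # BIND's minimum effective expire, per the footnote
WARN_BELOW = 7 * 86400    # assumed threshold for this example: under a week is suspect

# Output of the dig command quoted in the post.
BITFOLK_SOA = """\
bitfolk.com. 86383 IN SOA a.authns.bitfolk.co.uk. hostmaster.bitfolk.com. (
                                2023042101 ; serial
                                14400      ; refresh (4 hours)
                                7200       ; retry (2 hours)
                                1209600    ; expire (2 weeks)
                                43200      ; minimum (12 hours)
                                )
"""

# Constructed zone with the 300-second expire the post warns about.
SHORT_SOA = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. (
                                2024010101 ; serial
                                300        ; refresh
                                300        ; retry
                                300        ; expire
                                300        ; minimum
                                )
"""


def parse_soa(text):
    """Return {'name': zone, 'serial': ..., ..., 'minimum': ...}."""
    body = re.sub(r";[^\n]*", "", text)          # drop dig's comments
    head = re.match(r"\s*(\S+)\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s*\(", body)
    nums = re.search(r"\(\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\)", body)
    if not head or not nums:
        raise ValueError("not a dig +multi SOA record")
    soa = dict(zip(FIELDS, (int(n) for n in nums.groups())))
    soa["name"] = head.group(1)
    return soa


def effective_expire(soa, floor=BIND_FLOOR):
    """BIND never lets a zone expire sooner than max(300, refresh + retry),
    which is how the footnote explains seeing 600 s rather than 300 s."""
    return max(soa["expire"], floor, soa["refresh"] + soa["retry"])


def review(text, warn_below=WARN_BELOW):
    """Summarise one zone: configured expire, what BIND will honour, and
    whether that is below the (assumed) warning threshold."""
    soa = parse_soa(text)
    eff = effective_expire(soa)
    return {"name": soa["name"], "expire": soa["expire"],
            "effective_expire": eff, "too_short": eff < warn_below}


if __name__ == "__main__":
    for record in (BITFOLK_SOA, SHORT_SOA):
        print(review(record))
```

To check a live zone, pass the output of `dig +multi +noall +answer -t soa <zone>` to review(); a zone whose effective expire comes out at a few hundred seconds is telling every secondary to stop answering that soon into a primary outage.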
Hi,
Today and tonight (UK time) we're going to be doing some work on
b.authns.bitfolk.com (secondary DNS service).
I'm going to disable alerts for it and stop it from responding (so
it can't give any incorrect answers). The other servers will remain
up and working; I'm just letting you know in case you notice it is
intermittently down.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hello,
I found this an interesting read:
https://changelog.complete.org/archives/10478-easily-accessing-all-your-stu…
The author's favourite is Yggdrasil which I'll summarise.
It can be used as a simple VPN of course, but also an overlay
network to easily connect together disparate networks, VMs and
containers.
Once you run the daemon your host generates itself a static IPv6
address inside 200::/7 (a range of addresses that are marked as
deprecated so should not be in use anywhere else). That IPv6 address
stays with you as long as the keys the daemon generated still exist,
and it's how other nodes on the overlay network talk to you.
Initially I was a bit perturbed by this use of "someone else's"
IPv6, but it does make things very simple.
A normal VPN does all of that as well, but it's interesting that
yggdrasil will try to pick an optimal route. For example, if you
have two laptops which are away from their home network and they
want to talk to each other on their 200::/7 addresses they will try
to peer with each other directly over the Internet. That might fail
if they are both behind multiple layers of NAT or on really
restrictive networks or something. They would both also be trying to
peer with every other peer they know about though, so you'd probably
also have a node on your home network for them to connect to. Once
they'd both connected to that, traffic between them would go via
that node as if they were both traditional VPN clients in a star
topology. Yet once they both end up at their home network again the
traffic would go directly between them, bypassing the home server
node - without you having to change anything.
It's doing TCP-over-TCP which is also frowned upon, but they seem to
have taken some steps to optimise it. You might not notice the
overhead unless you're on a >1Gbps network. It's comparable to
Tailscale and ~50% to ~66% that of Wireguard.
As far as I understand, Tailscale does a lot of similar things as
well. I've not used it yet, but I'm liking the apparent simplicity
of Yggdrasil. Tailscale's free pricing tier is only for personal use
and you have to authenticate with github to use it.
Anyone else looked at Yggdrasil?
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
After 12 years I am actually making some progress on implementing
DNSSEC for BitFolk domains:
https://tools.bitfolk.com/redmine/issues/59
I will continue to update this as more progress is made.
Sorry it's taken so long to get going. Mistakes are scary with this
(for me).
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting