Hi,
Is something up with b.authns.bitfolk.com.?
Currently, for me, of all failed queries to x.authns.bitfolk.com., 98%
of those fail on b.authns.
Started around 9pm BST on 13/9/2023.
Thanks,
Conrad
My own stupid fault for blindly following tutorials in the dim and distant
past (2019) I guess and not then "backing that up" with learning exactly
what it was you just did...
I had a very small "ZFS infrastructure" set up. Small VM on a XenServer
install; worked beautifully.
USB disk that housed the XenServer install died, no more metadata/config,
but all the VHDs were safely stored on external NFS disks. "Burned" a new
USB on newer XCP-ng, started building new VMs. Nothing lost but time...
But...
When it comes to the ZFS volumes I find myself with 6 VHDs for one
"mirrored pair", and I don't entirely know how to "attach" them to see the
content/figure out which two are the current pair.
I have the VM these ZFS VHDs belong to reinstated (bless Linux and
/etc/hostname), but my novice ZFS skills ran out long ago. Is there a
"simple" way to RO mount an individual zpool member (from a pair) and see
what's on it? I'm happy enough going one VHD at a time if it's possible...
Kind regards
Murray Crane
This is directly a "work query", but I'm hoping there are some folk out
there with way more Exchange knowledge than me.
When we set up Exchange 2010 for work, we somewhat followed MS "best
practice guidance" and made a DAG between the two VMs, and it's been way
more trouble than it's worth on more than one occasion.
Since we really do need to be upgrading to a newer Exchange now, is it
possible to go from a DAG setup back to a single server on a newer Exchange?
Kind regards
Murray Crane
Hi All,
I am trying, and failing, to set up postfix and google is not playing nice.
The domain name of my server is ianhobson.com
The message I sent is
echo "This is the message body" | mail -s "Hello world 7" hobson42(a)google.com
The txt record for ianhobson.com contains the entry:
v=spf1 ip4:85.119.83.63 ip6:2001:ba8:1f1:f159::2 include:_spf.google.com -all
My message bounced ...
--000000000000779e540603f583f0
Content-Type: message/rfc822
X-Google-Smtp-Source:
AGHT+IEp9prm+RYt9RU4zCwTQ3RtchA2FcY6YsplVKwCVE6xm4NDC8r9xgRVISiZKbp+XA0ARsLc
X-Received: by 2002:a05:600c:b42:b0:3fe:1fd9:bedf with SMTP id
k2-20020a05600c0b4200b003fe1fd9bedfmr19347254wmr.11.1693202867117;
Sun, 27 Aug 2023 23:07:47 -0700 (PDT)
ARC-Authentication-Results: i=1; mx.google.com;
spf=fail (google.com: domain of ian(a)ianhobson.com does not
designate 2001:ba8:1f1:f159::2 as permitted sender)
smtp.mailfrom=ian(a)ianhobson.com
Return-Path: <ian(a)ianhobson.com>
Received: from ianhobson.com
(2001-ba8-1f1-f159-0-0-0-2.autov6rev.bitfolk.space. [2001:ba8:1f1:f159::2])
by mx.google.com with ESMTPS id
n27-20020a05600c181b00b003fee7bfd47dsi5015614wmp.74.2023.08.27.23.07.47
for <hobson42(a)google.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Sun, 27 Aug 2023 23:07:47 -0700 (PDT)
Received-SPF: fail (google.com: domain of ian(a)ianhobson.com does not
designate 2001:ba8:1f1:f159::2 as permitted sender)
client-ip=2001:ba8:1f1:f159::2;
Authentication-Results: mx.google.com;
spf=fail (google.com: domain of ian(a)ianhobson.com does not
designate 2001:ba8:1f1:f159::2 as permitted sender)
smtp.mailfrom=ian(a)ianhobson.com
Received: by ianhobson.com (Postfix, from userid 1000)
id DA2F7C00C5; Mon, 28 Aug 2023 07:07:46 +0100 (BST)
Subject: Hello world 7
To: <hobson42(a)google.com>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20230828060746.DA2F7C00C5(a)ianhobson.com>
Date: Mon, 28 Aug 2023 07:07:46 +0100 (BST)
From: Ian Hobson <ian(a)ianhobson.com>
This is the message body
--000000000000779e540603f583f0--
The proofpoint check
https://www.proofpoint.com/us/cybersecurity-tools/dmarc-spf-creation-wizard…
confirms the data.
What is going wrong?
Thanks
Ian
--
Ian Hobson
Tel (+66) 626 544 695
Hi All,
My VPS normally has 45% to 50% disk space free. (7GB)
This morning I find that it ran out of disk space on 22nd, and this
stopped email alerts getting to me, stopped all the websites from
working. All my clients were emailing to ask what was wrong, and those
emails were not getting through either. :(
I do have fail2ban set up, and uptime robot is checking the websites are
up.
How can I set up something to alert me of this problem before it becomes
critical? Say disk space used over 75%.
Many thanks
Ian
--
Ian Hobson
Tel (+66) 626 544 695
The latest emails from the list are all falling foul of Fastmail’s spam checking:
X-Spam-score: 11.1
X-Spam-hits: BAYES_00 -1.9, DCC_REPUT_13_19 -0.1, HTML_MESSAGE 0.001,
MAILING_LIST_MULTI -1, ME_HAS_VSSU 0.001, ME_SENDERREP_NEUTRAL 0.001,
RCVD_IN_SBL_CSS 3, RCVD_IN_ZEN_LASTEXTERNAL 8, SH_BODYURI_REVERSE_CSS 3,
SPF_HELO_NONE 0.001, SPF_PASS -0.001, URIBL_CSS_A 0.1, LANGUAGES en,
BAYES_USED user, SA_VERSION 3.4.6
X-Spam-source: IP='85.119.80.246', Host='lists0.bitfolk.com', Country='GB',
FromHeader='com', MailFrom='com'
It appears to be because 85.119.80.246 is in the Spamhaus CSS block list:
https://check.spamhaus.org/listed/?searchterm=85.119.80.246
Looks like you can request removal on that page.
Cheers,
Mike
Hi,
CentOS Stream 9 is now available for self-install and new installs.
https://tools.bitfolk.com/wiki/Using_the_self-serve_net_installer/CentOS_St…
We haven't yet sorted out installers for Alma Linux, Rocky Linux or
any of the other CentOS-like distributions and although that would
be pretty simple I'm not sure that we will do that. It depends upon
demand. I believe it's the case that as with CentOS Stream 8.x, you
can convert from it to Alma, Rocky or even RHEL without reinstall
using a script, so that might have to be the BitFolk-recommended way
to do that.
We are also going to consult about how much demand there is for RHEL
itself. Although that does require a Red Hat subscription, an
individual can get a no-cost subscription for personal use on up to
16 systems.
We do have to run these VMs under the kernel-lt or kernel-ml kernels
from ELRepo though, because Red Hat disables Xen support in its
kernels. Therefore such a VM may not be eligible for any form of
support from Red Hat which may result in there being no customer
demand to do so.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
I upgraded my Debian system from Bullseye to Bookworm earlier today. It mostly went pretty smoothly, but I have two questions:
1. I remembered to change the interface name from eth0 to enX0 but couldn't connect to any regular network services (ssh, httpd) after the system was rebooted. I used the Xen shell to change the interface name back to eth0, and could connect again after a reboot. Are some systems happy to stay as eth0? This is quite an old system and has been upgraded in place over several years (started as a Debian 5.x (Lenny) system in 2009).
2. The sysv-rc-conf package is being held back when I apt-get upgrade. If I try to upgrade it, apt wants to remove a load of packages (about 30). Can I safely just remove the sysv-rc-conf package? /sbin/init is a symlink to /lib/systemd/systemd, so I presume I'm using systemd and don't need sysv-rc-conf?
--
Jamie MacIsaac
jamie(a)macisa.ac
I'm trying to set up SPF for my carfax.org.uk domain (whence this
email comes). I'm getting a bounce from trying to send to gmail:
Diagnostic-Code: smtp; 550-5.7.26 This mail is unauthenticated, which poses a
security risk to the
550-5.7.26 sender and Gmail users, and has been blocked. The sender must
550-5.7.26 authenticate with at least one of SPF or DKIM. For this message,
550-5.7.26 DKIM checks did not pass and SPF check for [savella.carfax.org.uk]
550-5.7.26 did not pass with ip: [2001:ba8:1f1:f0e6::2].
However, I think I have the right TXT record in the DNS for carfax.org.uk:
@ TXT "v=spf1 mx a ip4:85.119.84.138/21 ip6:2001:ba8:1f1:f0e6::/64 a:mail.carfax.org.uk a:savella.carfax.org.uk -all"
and the diagnostic message from gmail isn't all that helpful about why
it's not matching.
Does anyone have any idea what I've missed here?
Thanks,
Hugo.
--
Hugo Mills | One of these days, I'll catch that man without a
hugo@... carfax.org.uk | quotation, and he'll look undressed.
http://carfax.org.uk/ |
PGP: E2AB1DE4 | Leto Atreides, Dune
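Added example, not part of either post: both SPF bounces on this page (the ianhobson.com one and the carfax.org.uk one) can be checked offline with a small evaluator for the `ip4`, `ip6` and `all` terms. The names `TXT` and `check_spf` are made up here, the records are the ones quoted in the posts, and the absence of a separate SPF record at savella.carfax.org.uk is an assumption.

```python
import ipaddress

# Constructed in-memory DNS: the two TXT records are the ones quoted in the
# posts above; that savella.carfax.org.uk has no SPF record of its own is an
# assumption made for illustration.
TXT = {
    "ianhobson.com": "v=spf1 ip4:85.119.83.63 ip6:2001:ba8:1f1:f159::2 "
                     "include:_spf.google.com -all",
    "carfax.org.uk": "v=spf1 mx a ip4:85.119.84.138/21 "
                     "ip6:2001:ba8:1f1:f0e6::/64 a:mail.carfax.org.uk "
                     "a:savella.carfax.org.uk -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from_domain, txt=TXT):
    """Evaluate ip4/ip6/all terms of the record published at the checked domain.

    Mechanisms that need further DNS lookups (a, mx, include) are skipped, so a
    'fail' here only means no literal address term matched before 'all'.
    """
    record = txt.get(mail_from_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none", None  # no SPF record at this exact name (RFC 7208)
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], "all"
        if name in ("ip4", "ip6"):
            # strict=False accepts a host address with a prefix, e.g. .138/21
            net = ipaddress.ip_network(arg, strict=False)
            wanted = 4 if name == "ip4" else 6
            if ip.version == wanted == net.version and ip in net:
                return QUALIFIERS[qualifier], term
    return "neutral", None
```

With these inputs the ianhobson.com record as quoted matches the client IP in the bounce, so the record a receiver fetches from live DNS is the thing to compare against it. The carfax.org.uk record is only consulted when the domain being checked is carfax.org.uk, while the Gmail bounce names savella.carfax.org.uk as the checked domain.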
Hi,
Back at the start of June the version of OpenSSH that we run on the
Xen Shell hosts was updated in order to provide support for
ecdsa-sk and ed25519-sk keys. These are used with "security key"
devices which support FIDO/U2F and was done after customer request.
At the same time this version of SSH disables the ssh-rsa signature
scheme. Older ssh clients may fail to negotiate an SSH connection to
the Xen Shell hosts (i.e. when you do "ssh
username(a)username.console.bitfolk.com") due to this.
If you see an error that reads something like this:
Couldn't agree a key exchange algorithm (available
curve25519-sha256,curve25519-sha256(a)libssh.org,ecdh-sha2-nistp256,
ecdh-sha2-nistp384,ecdh-sha2-nistp512,diffie-hellman-group16-sha512,
diffie-hellman-group18-sha512,diffie-hellman-group14-sha256)
then this is the problem. You do not need to change your
authentication keys (if any) because that is not the problem. You
need to upgrade your SSH client.
The above message was from PuTTY 0.64; version 0.78 and above are
known to work.
ssh-rsa was deprecated since version 8.2 of the server in February
2020:
https://www.openssh.com/txt/release-8.2
Future deprecation notice
=========================
It is now possible[1] to perform chosen-prefix attacks against
the SHA-1 hash algorithm for less than USD$50K. For this reason,
we will be disabling the "ssh-rsa" public key signature
algorithm that depends on SHA-1 by default in a near-future
release.
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1
and Application to the PGP Web of Trust" Leurent, G and
Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf
It was then disabled from version 8.8 in September 2021:
https://www.openssh.com/txt/release-8.8
Potentially-incompatible changes
================================
This release disables RSA signatures using the SHA-1 hash
algorithm by default. This change has been made as the SHA-1
hash algorithm is cryptographically broken, and it is possible
to create chosen-prefix hash collisions for <USD$50K.
For most users, this change should be invisible and there is no
need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing
ssh-rsa keys will automatically use the stronger algorithm where
possible.
If you are unsure whether this affects you, just verify that you can
connect to your Xen Shell host. If you can't, and you can't find a
way to upgrade your client (or doing so is ineffective), please let
us know at support(a)bitfolk.com.
Again, this is not about rsa authentication keys. You do not need to
abandon ssh-rsa public keys:
https://ikarus.sg/rsa-is-not-dead/
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
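Added example, not from the announcement above: a simplified model of SSH algorithm negotiation that shows why an old client fails before authentication is reached, and why an RSA key still works once SHA-1 signatures are off. The server key exchange list is abridged from the quoted error; the client lists, the server host key list and all names in the code are constructed for illustration.

```python
# Simplified RFC 4253 section 7.1 rule: per category, the first name on the
# client's list that the server also offers is chosen; no overlap is fatal.
SERVER = {
    # abridged from the list in the error message quoted in the post
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256",
            "diffie-hellman-group16-sha512", "diffie-hellman-group14-sha256"],
    # constructed: host key signature algorithms with SHA-1 "ssh-rsa" disabled
    "hostkey": ["rsa-sha2-512", "rsa-sha2-256", "ssh-ed25519"],
}
# Constructed client offers, not the real lists of any particular product.
OLD_CLIENT = {"kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
              "hostkey": ["ssh-rsa", "ssh-dss"]}
NEW_CLIENT = {"kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
              "hostkey": ["ssh-ed25519", "rsa-sha2-512", "ssh-rsa"]}

# RFC 8332: a key of type "ssh-rsa" can sign with SHA-2 based algorithms.
SIGNATURES_FOR_KEY = {"ssh-rsa": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
                      "ssh-ed25519": ["ssh-ed25519"]}


def negotiate(client, server):
    """Return the chosen algorithm per category, or the category that failed."""
    chosen = {}
    for category in ("kex", "hostkey"):
        match = next((a for a in client[category] if a in server[category]), None)
        if match is None:
            return {"ok": False, "failed": category, "chosen": chosen}
        chosen[category] = match
    return {"ok": True, "failed": None, "chosen": chosen}


def usable_signature(key_type, accepted):
    """First signature algorithm this key type can produce that the peer accepts."""
    return next((s for s in SIGNATURES_FOR_KEY.get(key_type, []) if s in accepted), None)
```

`negotiate(OLD_CLIENT, SERVER)` stops at the first category with no overlap, while `usable_signature("ssh-rsa", SERVER["hostkey"])` shows an existing RSA key being used with a SHA-2 signature.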