Hey all,
I've been self-hosting an ancient mailman 2.x service for many years for
the residents' association where I live, and it's time to move on. Apart
from anything else, I dread to think what security holes may still exist.
But we're experiencing issues with SPF failures causing bounces and
eventual unsubscribes, which I'm not even sure mailman 3.x handles any
better than 2.x.
So I'm looking for recommendations on a way forward, and figured this list
is full of knowledgeable sorts who probably have experience with various
options. I should mention that these lists are used for discussion, not
just for broadcasting one-way announcements.
mailman 3.x seems to be substantially more complex than 2.x, but I don't
see that as an issue, because I've decided to move away from self-hosting
since I just don't have time to become a mailman expert. Moving to SaaS
would also increase the service's bus factor above 1, and provide some
added security through isolation from other services currently on the same
machine.
I'm loath to move to Google Groups since some of our residents are very
anti-Google, and I expect their support will be awful if ever needed. It's
also a closed source dead end. I'd prefer to pick a SaaS offering based on
Free/Open Source, to support continued development of that. I'm inclined
to go with a mailman 3 SaaS offering, and the following two both look very
promising because they're decently priced, can migrate my existing 2.x
lists, and can host on London servers:
https://www.mailmanhost.com/
https://www.mailmanlists.net/
There's also https://mailman3.com/ which can host in the EU, but I'm not
sure if they offer migration.
Does anyone have any experience with any of these, or have recommendations
of good alternatives to mailman (preferably with options to migrate
existing mailman lists)?
Thanks a lot!
Adam
For many years I've run a poor-man's mailing list through /etc/aliases
on my VPS. Before you start breaking out the flaming torches and
pitchforks, it's very limited in scope; it forwards only within my
immediate household, albeit to mailboxes hosted by gmail and hotmail.
I've just learned that some mails to this alias are being quarantined or
bounced at their ultimate destinations. They're passing SPF (because
envelope-from is postmaster@ my vps) but failing DMARC (the external
From address isn't being rewritten). When the sender has full DMARC
enabled, we lose.
Drat.
My VPS is running Debian with exim4.
I think I might like to rewrite "From: foo@bar.baz" to something like
"From: postmaster+foo_bar.baz@my.domain" in order to satisfy DMARC, but
only when forwarding via this particular alias. I'm not readily figuring
out how to do this, and am leery to tangle with Exim's rewrite rules anyway.
Would anybody care to venture whether this is possible? a good/bad idea?
alternative solutions? I am looking for a least hassle, least
maintenance answer, ideally at little or no additional cost (hence
/etc/aliases has served well for a long time). On a unicorn, naturally :-)
(No I don't run mailman - I used to but I found it rather tiresome to
set up, feed and water.)
Thanks
Ross
I have an old Ubuntu 16.04 install that is beginning to give me a tonne of
grief with apt.
It has now happily upgraded (well) past kernel 4.4.0-210, but it's refusing
to go further because it can't remove -210 any more:
# apt remove --purge linux-modules-extra-4.4.0-210-generic
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED
linux-headers-4.4.0-210-generic linux-modules-4.4.0-210-generic
linux-modules-extra-4.4.0-210-generic
0 to upgrade, 0 to newly install, 3 to remove and 18 not to upgrade.
3 not fully installed or removed.
After this operation, 225 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 149323 files and directories currently installed.)
Removing linux-headers-4.4.0-210-generic (4.4.0-210.242) ...
dpkg: error processing package linux-headers-4.4.0-210-generic (--remove):
unable to securely remove
'/usr/src/linux-headers-4.4.0-210-generic/include/config/generic/isa/dma.h':
Not a directory
Removing linux-modules-4.4.0-210-generic (4.4.0-210.242) ...
dpkg: error processing package linux-modules-4.4.0-210-generic (--remove):
unable to securely remove
'/lib/modules/4.4.0-210-generic/kernel/fs/nfs/nfsv4.ko': Not a directory
Removing linux-modules-extra-4.4.0-210-generic (4.4.0-210.242) ...
dpkg: error processing package linux-modules-extra-4.4.0-210-generic
(--remove):
unable to securely remove
'/lib/modules/4.4.0-210-generic/kernel/fs/nfs/blocklayout': Not a directory
Errors were encountered while processing:
linux-headers-4.4.0-210-generic
linux-modules-4.4.0-210-generic
linux-modules-extra-4.4.0-210-generic
E: Sub-process /usr/bin/dpkg returned an error code (1)
apt upgrades are failing as a result of this. I've been slowly reinstating
files (using touch), but is there a way to *genuinely force* apt to
remove/purge when it gets into a state like this?
Kind regards
Murray Crane
Hi,
I was just updating this to use "pool" directives:
https://tools.bitfolk.com/wiki/Securing_NTP
and it struck me that these days Chrony is perhaps a more suitable
NTP client.
If any of you use Chrony and are willing to share what a sensible
default config for a BitFolk VM would look like, please do edit the
article.
I might even switch the Debian installer to use it by default.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi All,
Is letting bind9 listen on all interfaces good practice, or is letting it listen on a specific interface best?
If I set a specific listening address, bind9 fails to start and stops listening.
If I set bind9 to listen on all interfaces and use the firewall to block the interface I do not want it to listen on, bind9 to PowerDNS replication did not work. PowerDNS is the primary here.
It seems to work if I set bind9 to listen on all interfaces and do not block with the firewall.
Regards,
-badli
Hello,
If you do not make use of BitFolk's secondary DNS service then you
can safely skip this email.
Over the last few days we've upgraded the servers used for our
secondary DNS service and also switched software from PowerDNS to
BIND. On the whole nothing changes, but there is one thing I would
like to draw your attention to.
BIND actually pays attention to the expire timers that you set
in your SOA records whereas PowerDNS does not.
An SOA record looks like this:
$ dig +multi +noall +answer -t soa bitfolk.com
bitfolk.com.            86383 IN SOA a.authns.bitfolk.co.uk. hostmaster.bitfolk.com. (
                                2023042101 ; serial
                                14400      ; refresh (4 hours)
                                7200       ; retry (2 hours)
                                1209600    ; expire (2 weeks)
                                43200      ; minimum (12 hours)
                                )
The "expire" timer tells authoritative DNS servers how long the
records they hold are valid for, if they have not been able to
contact the primary nameservers. In the above example, should the
primary nameserver be unreachable, any secondary nameservers that
are still responding will serve the zone content for a further two
weeks. After that time they will respond with SERVFAIL. Compliant
DNS client behaviour is to retry any other servers when that
happens.
PowerDNS does not implement these "expire" semantics and always
answers queries.
In watching logs carefully over the last few days I have seen that
some of you have extremely short expire timers. I'm not sure whether
you intend for that to be the case. For example, there are many
zones currently on BitFolk's servers with an expire time of 300
seconds. That means that you are indicating that the entire zone
should not be served 5 minutes¹ after your primary server stops
responding. It doesn't seem likely to me that you really want all
authoritative servers for your domain to stop working 5 minutes into
any sort of outage.
Since the secondary servers will now really believe you on this, I
urge you to review your expire timers. If in doubt please put your
domain name into this:
https://zonemaster.net/en/run-test
and it'll advise you if any of those timers seem wrong.
Cheers,
Andy
¹ Different DNS server implementations actually behave slightly
differently here. As mentioned, PowerDNS doesn't handle expire
timers at all. BIND has a minimum of 300 seconds, or the
refresh+retry timers, whichever is larger. So in fact the shortest
expire behaviour I can see at the moment is 600 seconds (10
minutes). Which still seems unusually short.
See:
https://jpmens.net/2022/01/14/fun-with-the-dns-soa-expire-field/
for more info about how different implementations treat the expire
timer.
--
https://bitfolk.com/ -- No-nonsense VPS hosting
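Added example, not part of the original announcement: a small Python checker that parses the `dig +multi` SOA layout shown above, applies the BIND floor of max(300, refresh+retry) described in the footnote to work out how long secondaries would really keep serving, and flags short expire values. The sample record and the one-week sanity threshold are constructed assumptions for illustration.

```python
import re

# Constructed sample in the "dig +multi +noall +answer -t soa" layout,
# with deliberately short timers to exercise the checks.
SAMPLE_SOA = """\
example.test.\t\t300 IN SOA ns1.example.test. hostmaster.example.test. (
\t\t\t\t2023042101 ; serial
\t\t\t\t3600       ; refresh (1 hour)
\t\t\t\t900        ; retry (15 minutes)
\t\t\t\t300        ; expire (5 minutes)
\t\t\t\t3600       ; minimum (1 hour)
\t\t\t\t)
"""

FIELDS = ("serial", "refresh", "retry", "expire", "minimum")
BIND_MIN_EXPIRE = 300          # BIND's hard floor, per the footnote above
ASSUMED_SANE_EXPIRE = 7 * 86400  # assumption: anything under a week is suspicious

def parse_soa(text):
    """Return a dict of the five numeric SOA fields from dig +multi output."""
    values = {}
    for line in text.splitlines():
        # Each timer line is "<number> ; <name> (...)" in +multi format.
        m = re.match(r"\s*(\d+)\s*;\s*(\w+)", line)
        if m and m.group(2) in FIELDS:
            values[m.group(2)] = int(m.group(1))
    missing = set(FIELDS) - values.keys()
    if missing:
        raise ValueError(f"SOA fields not found: {sorted(missing)}")
    return values

def effective_expire(soa):
    """Seconds a BIND secondary keeps serving after losing the primary.
    BIND raises a configured expire to at least max(300, refresh+retry)."""
    floor = max(BIND_MIN_EXPIRE, soa["refresh"] + soa["retry"])
    return max(soa["expire"], floor)

def review_timers(soa):
    """Warnings about an expire value that would have every secondary
    answer SERVFAIL shortly into a primary outage."""
    warnings = []
    if soa["expire"] < soa["refresh"] + soa["retry"]:
        warnings.append("expire is shorter than refresh+retry; BIND will raise it")
    if effective_expire(soa) < ASSUMED_SANE_EXPIRE:
        warnings.append("zone would stop being served less than a week into an outage")
    return warnings
```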
Hi,
Today and tonight (UK time) we're going to be doing some work on
b.authns.bitfolk.com (secondary DNS service).
I'm going to disable alerts for it and stop it from responding (so
it can't give any incorrect answers). The other servers will remain
up and working; I'm just letting you know in case you notice it is
intermittently down.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting