2022-03-26 SPF/DKIM/DMARC and mailing lists
One of the founding forms of information exchange and community building on the Internet is the mailing list. A subscriber sends mail to a central mail address and the mail gets redistributed to all members. As this mechanism has been abused by spammers in lots of ways there has been a lot of work in stopping unwanted mail being distributed by mailing lists. There has also been a lot of work in publishing the official way in which outgoing mail from organizations is handled: Sender Policy Framework (SPF), documenting the sources from which e-mail can be sent; DomainKeys Identified Mail (DKIM) for signing outgoing mail headers and body; and Domain-based Message Authentication, Reporting and Conformance (DMARC) for publishing the policy for mail that fails SPF/DKIM and for reporting on those failures.

The way mailing lists forward mail isn't really compatible with SPF and DKIM. The list server is a 'new' source of the mail that the original sender's SPF record doesn't list, and list software typically changes or adds headers (a subject tag) and body content (a footer), which invalidates the original sender's DKIM signature. DMARC then finds neither an SPF pass nor a DKIM pass that is aligned with the domain in the From: header, and the receiver applies that domain's published policy.

Yesterday I sent something to a mailing list from an idefix.net address and this morning I see a number of DMARC reports with failures, because the mailing list server isn't authorised to send on behalf of idefix.net. So maybe some people on this mailing list haven't received my reply. In the long run lots of SPF errors from this IP could also hurt its 'reputation score' for outgoing e-mail. Some mailing lists 'fix' this by not allowing domains with strict SPF/DMARC policies, others go through interesting adjustments with 'sent on behalf of'. I have no simple solution for this, I see an example of security measures breaking an existing use case, for which adjustments may have to be made.

Update: The general approach here seems to be 'sender rewriting'. The list rewrites the From: header to an address in its own domain and DKIM-signs the outgoing copy itself, so the receiving side evaluates the list's domain and policy instead of the original sender's. Recently updated mailing list software should support this (Mailman calls it DMARC mitigation). But it depends on the mailing list owner to check the settings and update the software.
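To make the failure concrete, here is an added example (not code from the original post) that models the DMARC identifier-alignment check from RFC 7489 and runs it over four constructed messages: one sent directly from idefix.net, one relayed by a hypothetical list at lists.example.org without changes, the same relay with a subject tag and footer added, and the same relay with the From: header rewritten. Only idefix.net comes from the post; the list domain and the 'organizational domain' shortcut (real receivers use the Public Suffix List) are assumptions for illustration.

```python
"""Why a mailing list breaks DMARC: a small alignment evaluator.

Added example, not from the original post. Models the receiver-side
check of RFC 7489: DMARC passes if SPF or DKIM passes *and* the
authenticated domain aligns with the RFC5322.From domain.
"""
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption for illustration; real implementations use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: 's' strict = exact match, 'r' relaxed = same organizational domain."""
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


@dataclass
class Message:
    name: str
    header_from: str                 # domain in the From: header, the thing DMARC protects
    mail_from: str                   # envelope sender domain, the thing SPF checks
    spf_pass: bool                   # did the sending IP pass SPF for mail_from?
    dkim_passing: list = field(default_factory=list)  # d= domains of signatures that still verify


def dmarc_result(msg: Message, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC verdict plus the per-mechanism reasons, using the domain's adkim/aspf tags."""
    spf_aligned = msg.spf_pass and aligned(msg.mail_from, msg.header_from, aspf)
    dkim_aligned = any(aligned(d, msg.header_from, adkim) for d in msg.dkim_passing)
    return {"name": msg.name, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}


# Constructed scenarios. lists.example.org is a made-up list server.
DIRECT = Message("direct from idefix.net",
                 header_from="idefix.net", mail_from="idefix.net",
                 spf_pass=True, dkim_passing=["idefix.net"])

# The list re-sends from its own server with its own envelope sender: SPF
# passes for lists.example.org but that is not aligned with idefix.net.
# As long as the list leaves the signed headers and body alone, the
# idefix.net DKIM signature survives and DMARC still passes.
VIA_LIST_UNMODIFIED = Message("relayed by list, message unmodified",
                              header_from="idefix.net", mail_from="lists.example.org",
                              spf_pass=True, dkim_passing=["idefix.net"])

# Same relay, but a subject tag and footer were added: the idefix.net
# signature no longer verifies, SPF is unaligned, so DMARC fails and the
# receiver applies idefix.net's policy. (A list that keeps the original
# envelope sender instead gets an outright SPF fail; the DMARC outcome is the same.)
VIA_LIST_MODIFIED = Message("relayed by list, subject tag and footer added",
                            header_from="idefix.net", mail_from="lists.example.org",
                            spf_pass=True, dkim_passing=[])

# Same relay with the From: header rewritten to the list's domain and the
# message signed by the list: everything aligns with lists.example.org.
VIA_LIST_MUNGED = Message("relayed by list, From: rewritten",
                          header_from="lists.example.org", mail_from="lists.example.org",
                          spf_pass=True, dkim_passing=["lists.example.org"])

SCENARIOS = (DIRECT, VIA_LIST_UNMODIFIED, VIA_LIST_MODIFIED, VIA_LIST_MUNGED)


def evaluate_all() -> dict:
    """Map each scenario name to its DMARC verdict."""
    return {m.name: dmarc_result(m)["dmarc"] for m in SCENARIOS}


if __name__ == "__main__":
    for m in SCENARIOS:
        r = dmarc_result(m)
        print(f"{r['name']:48} spf_aligned={str(r['spf_aligned']):5} "
              f"dkim_aligned={str(r['dkim_aligned']):5} -> DMARC {r['dmarc']}")
```

The third scenario is what produced the failure reports described above: the list's own SPF is fine but irrelevant to idefix.net, and the content changes are what kill the only mechanism that could have survived forwarding, the original DKIM signature.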
2022-03-18 Using grafana for alerting too
I've been playing with grafana for about a year, since I started updating my statistics gathering, and I keep seeing new options and updates in grafana. Grafana recently got some new options for alerting and I am trying a few of those. Alerts for things that are a real problem and can cause other problems are a good start. Based on some earlier problems I keep an eye on filesystems that are over 90% full.

Today I read Three DDoS attacks on my personal website (found via r/homelab on reddit) and this made me wonder about overloads on my webserver. The easiest way to detect problems with web serving I could think of is to look at the queue size in haproxy, which is monitored in influxdb/grafana anyway for nice graphs of website traffic. I did have a period with too high queues for backend webservers, but that was when the backend server was completely broken due to a filesystem problem, so that was a logical reason.

It would be nice if I could iterate alerts, like 'for the root filesystem of every monitored system', or at least copy them changing only the system name in the rules and alerts.
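As an added example (not code from the original post or from grafana/haproxy), here is the check behind such an alert done directly against haproxy's own stats output: 'show stat' on the stats socket returns CSV whose header line starts with '# ' and whose rows end with a trailing comma, and the qcur column is the number of requests waiting for a free server slot. The sample output below is constructed and truncated to the leading columns; because rows are parsed by column name the real, much wider output works the same way. The socket path and the queue threshold are assumptions.

```python
"""Flag HAProxy backends that are queueing requests, from 'show stat' output.

Added example, not from the original post. Parses the stats-socket CSV
by column name and reports proxies/servers whose current queue (qcur)
exceeds a threshold, noting whether the server is at its maxconn (slim).
"""
import csv
import io
import socket

# Constructed sample, truncated to the leading columns of the real output:
# a frontend, a backend with two servers, one of which is queueing because
# its connection limit is saturated (scur == slim).
SAMPLE_SHOW_STAT = """\
# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,
www,FRONTEND,,,37,120,2000,48213,9123812,118233400,0,0,12,,,,,OPEN,
web,web1,0,3,5,20,20,24011,4500012,59001200,,0,,0,0,0,0,UP,
web,web2,14,22,20,20,20,24002,4498800,58992100,,0,,3,1,2,0,UP,
web,BACKEND,14,22,25,40,200,48013,8998812,117993300,0,0,,3,1,2,0,UP,
"""


def parse_show_stat(text: str) -> list:
    """Turn 'show stat' CSV into a list of row dicts keyed by column name."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("# "):
        raise ValueError("not HAProxy 'show stat' output")
    lines[0] = lines[0][2:]  # drop the '# ' marker so csv sees a normal header
    rows = []
    for row in csv.DictReader(io.StringIO("\n".join(lines))):
        row.pop("", None)    # the trailing comma produces an empty-named column
        rows.append(row)
    return rows


def _int(value) -> int:
    """Stats fields are blank where a metric does not apply; treat blank as 0."""
    return int(value) if value not in ("", None) else 0


def queued_backends(rows: list, threshold: int = 10) -> list:
    """Return server/BACKEND rows whose current queue exceeds threshold.

    A sustained non-zero qcur means clients are waiting for a slot, which
    is what an overload looks like before it turns into errors.
    """
    alerts = []
    for row in rows:
        if row["svname"] == "FRONTEND":
            continue  # frontends do not queue
        qcur = _int(row["qcur"])
        if qcur > threshold:
            scur, slim = _int(row["scur"]), _int(row["slim"])
            alerts.append({"proxy": row["pxname"], "server": row["svname"],
                           "qcur": qcur, "scur": scur, "slim": slim,
                           "saturated": slim > 0 and scur >= slim})
    return alerts


def read_live_stats(socket_path: str = "/run/haproxy/admin.sock") -> str:
    """Fetch 'show stat' from the stats socket (path assumed; needs a 'stats socket' line in haproxy.cfg)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        s.sendall(b"show stat\n")
        chunks = []
        while chunk := s.recv(65536):
            chunks.append(chunk)
    return b"".join(chunks).decode()


if __name__ == "__main__":
    for a in queued_backends(parse_show_stat(SAMPLE_SHOW_STAT)):
        print(f"{a['proxy']}/{a['server']}: qcur={a['qcur']} "
              f"scur={a['scur']}/{a['slim']} saturated={a['saturated']}")
```

The same qcur value is what ends up in influxdb when haproxy is scraped, so a Grafana alert on it is the dashboard equivalent of this check; the 'saturated' flag here is the extra bit of context that tells a filesystem-dead backend (all slots stuck) apart from plain traffic growth.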
2022-03-10 Dear linux kernel, I know what I want with nomodeset
Just noted on bootup of a virtual machine:
Mar 10 19:42:14 turing kernel: [ 0.181861] You have booted with nomodeset. This means your GPU drivers are DISABLED
Mar 10 19:42:14 turing kernel: [ 0.181862] Any video related functionality will be severely degraded, and you may not even be able to suspend the system properly
Mar 10 19:42:14 turing kernel: [ 0.181862] Unless you actually understand what nomodeset does, you should reboot without enabling it
It's a virtual machine which does server tasks. Anything more than 80x25 VGA text mode is pure overkill. It's currently the default card in qemu (Cirrus CLGD 5446 PCI VGA card), I could try the virtio VGA card to see if that saves on memory/cpu.
2022-03-05 SMTP auth bruteforce attacks seen
In checking recent logs I noticed several tries to find SMTP authentication credentials. Most notable is that anything that vaguely resembles something that might be an SMTP account is tried, including plussed e-mail addresses and information from SIP URLs.
Mar 5 14:12:09 gosper saslauthd: : auth failure: [user=8006] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
Mar 5 17:15:00 gosper saslauthd: : auth failure: [user=koos+web] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
Mar 5 18:08:04 gosper saslauthd: : auth failure: [user=belspel] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
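As an added example (not code from the original post), here is a small parser for these saslauthd lines that pulls out the probed user names and groups them by what the attacker appears to have used as a source: plus-addressed mailboxes, numeric SIP-style extensions, or plain names, with a per-minute count that could feed an alert. The sample log is constructed in the format shown above (host and realm as in the post; the additional user names and the postfix line are made up), and the regex tolerates the usual saslauthd[pid] prefix as well.

```python
"""Summarise saslauthd 'auth failure' lines from a mail server log.

Added example, not from the original post. Parses the bracketed
key=value fields, classifies the probed user name, and counts
failures per class, per realm and per minute.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the saslauthd format from the post; the last line is
# an unrelated postfix line to show that non-matching lines are skipped.
SAMPLE_LOG = """\
Mar  5 14:12:09 gosper saslauthd: : auth failure: [user=8006] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
Mar  5 14:12:11 gosper saslauthd: : auth failure: [user=8007] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
Mar  5 17:15:00 gosper saslauthd: : auth failure: [user=koos+web] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
Mar  5 17:15:03 gosper saslauthd: : auth failure: [user=koos+shop] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
Mar  5 18:08:04 gosper saslauthd: : auth failure: [user=belspel] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
Mar  5 18:08:05 gosper postfix/smtpd[2110]: connect from unknown[192.0.2.10]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"saslauthd(?:\[\d+\])?: : auth failure: (?P<fields>.*)$")
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")


def parse_failures(text: str) -> list:
    """One dict per saslauthd auth-failure line; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": m["ts"], "host": m["host"]}
        rec.update(dict(FIELD_RE.findall(m["fields"])))
        out.append(rec)
    return out


def classify_user(user: str) -> str:
    """Guess where the attacker harvested the user name from."""
    if "+" in user:
        return "plus-addressed"   # user+tag form taken from published e-mail addresses
    if user.isdigit():
        return "numeric"          # looks like a SIP extension or phone number
    return "plain"


def summarise(text: str, service: str = "smtp") -> dict:
    """Failure counts per user-name class, per realm and per minute for one service."""
    per_class, per_realm, per_minute = Counter(), Counter(), Counter()
    users = defaultdict(list)
    for rec in parse_failures(text):
        if rec.get("service") != service:
            continue
        user = rec.get("user", "")
        cls = classify_user(user)
        per_class[cls] += 1
        per_realm[rec.get("realm", "")] += 1
        per_minute[rec["ts"][:-3]] += 1   # drop the seconds: "Mar  5 14:12"
        users[cls].append(user)
    return {"total": sum(per_class.values()), "per_class": dict(per_class),
            "per_realm": dict(per_realm), "per_minute": dict(per_minute),
            "users": dict(users)}


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f"{s['total']} SMTP auth failures")
    for cls, names in s["users"].items():
        print(f"  {cls:15} {len(names):3}  e.g. {', '.join(names[:3])}")
```

The saslauthd lines carry no client address, so blocking needs to come from the postfix/smtpd 'SASL ... authentication failed' lines (which do include it) rather than from this summary; what this does give you is the list of names being probed, which is worth comparing against the addresses and SIP contacts you have published.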