2022-03-26 SPF/DKIM/DMARC and mailing lists
One of the founding forms of information exchange and community building on the Internet is the mailing list. A subscriber sends mail to a central mail address and the mail gets redistributed to all members. As this mechanism has been abused by spammers in lots of ways there has been a lot of work in stopping unwanted mail being distributed by mailing lists. There has also been a lot of work in publishing the official way in which outgoing mail from organizations is handled: Sender Policy Framework (SPF), documenting the sources from which e-mail can be sent, DomainKeys Identified Mail (DKIM) for signing outgoing mail headers and body, and Domain-based Message Authentication, Reporting and Conformance (DMARC) for publishing the policy for mail that fails SPF/DKIM and for reporting on it.

The way mailing lists forward mail isn't really compatible with SPF and DKIM. There is a 'new' source of mail for the original sender's address, and some headers are changed/added (and often the body too) when the mailing list software forwards it, which breaks the original DKIM signature. Yesterday I sent something to a mailing list from an idefix.net address and this morning I see a number of dmarc reports with failures, because the mailing list server isn't authorised to send on behalf of idefix.net. So maybe some people on this mailing list haven't received my reply. In the long run lots of SPF errors from this IP could also hurt its 'reputation score' for outgoing e-mail. Some mailing lists 'fix' this by not allowing domains with strict spf/dmarc policies, others go through interesting adjustments with 'sent on behalf of'. I have no simple solution for this; I see an example of security measures breaking an existing use case, for which adjustments may have to be made.

Update: The general approach here seems to be 'sender rewriting'. Recently updated mailing list software should support this. But it depends on the mailing list owner checking the settings and updating the software.
2022-03-10 Dear linux kernel, I know what I want with nomodeset
Just noted on bootup of a virtual machine:
Mar 10 19:42:14 turing kernel: [    0.181861] You have booted with nomodeset. This means your GPU drivers are DISABLED
Mar 10 19:42:14 turing kernel: [    0.181862] Any video related functionality will be severely degraded, and you may not even be able to suspend the system properly
Mar 10 19:42:14 turing kernel: [    0.181862] Unless you actually understand what nomodeset does, you should reboot without enabling it
It's a virtual machine which does server tasks. Anything more than 80x25 VGA text mode is pure overkill. It's currently the default card in qemu (Cirrus CLGD 5446 PCI VGA card), I could try the virtio VGA card to see if that saves on memory/cpu.
2022-03-05 SMTP auth bruteforce attacks seen
In checking recent logs I noticed several tries to find SMTP authentication credentials. Most notable is that anything that vaguely resembles something that might be an SMTP account is tried, including plussed e-mail addresses and information from SIP urls.
Mar 5 14:12:09 gosper saslauthd: : auth failure: [user=8006] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
Mar 5 17:15:00 gosper saslauthd: : auth failure: [user=koos+web] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
Mar 5 18:08:04 gosper saslauthd: : auth failure: [user=belspel] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
2022-02-25 Why the wifi in the shed is probably unreliable
I used the raspberry pi in the shed to do a wifi scan, to get an idea of the usage of the 2.4 GHz wifi band as seen in the shed. This finds 18 to 22 networks, with our own network not as the strongest network. As you can imagine most channels have multiple networks on them. And the overlap in wifi channels makes this worse: the networks on channel 2 see interference from those on channel 1. From the list of networks, with names and address information removed, just leaving signal strength and channel / frequency:
-93 dBm, ch 1, 2412 MHz
-91 dBm, ch 1, 2412 MHz
-92 dBm, ch 1, 2412 MHz
-72 dBm, ch 1, 2412 MHz
-92 dBm, ch 1, 2412 MHz
-88 dBm, ch 1, 2412 MHz
-92 dBm, ch 1, 2412 MHz
-91 dBm, ch 2, 2417 MHz
-80 dBm, ch 2, 2417 MHz
-90 dBm, ch 3, 2422 MHz
-94 dBm, ch 4, 2427 MHz
-93 dBm, ch 5, 2432 MHz
-94 dBm, ch 5, 2432 MHz
-80 dBm, ch 6, 2437 MHz
-94 dBm, ch 8, 2447 MHz
-95 dBm, ch 8, 2447 MHz
-94 dBm, ch 9, 2452 MHz
-95 dBm, ch 9, 2452 MHz
-77 dBm, ch 10, 2457 MHz
-84 dBm, ch 11, 2462 MHz
-93 dBm, ch 11, 2462 MHz
This is a right mess. If I ever want reliable wifi in the back garden/shed I will have to have an extra access-point there. This option of having wireless vlan(s) available in the shed has influenced the choice in switch for the shed.
2022-02-23 Filtering logs to only get relevant reports
I want to know if something goes wrong but with the number of (virtual) servers here at home it is not possible to check all logs constantly. So the main machines use logcheck to find the interesting error messages and the rest gets filtered out. Ideally that leaves no messages, but I do want to know about patterns that indicate attacks so I do get messages constantly about ssh attack attempts and weird nameserver requests or misconfigured nameserver responses. Recently I've been checking the resulting reports again carefully and noticed some more patterns that could be filtered. And I found two misconfigurations that I solved. Normally those misconfigurations would drown in the noise of the log, only to be found if I was looking for something else. Now it started to stand out after filtering out a lot of messages that are to be expected.
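As an added example (not the author's logcheck configuration or any logcheck code), here is the same idea in a few lines of Python: a list of ignore patterns drops the expected noise, and the saslauthd failures from the 2022-03-05 entry above are aggregated per user instead of being listed line by line, with a flag for usernames that look like guessed plus addresses or SIP identifiers. The ignore patterns, the extra sample log lines and the 'guessed user' heuristic are assumptions constructed for this example.

```python
import re
from collections import Counter

# logcheck-style ignore rules: a line matching any of these is expected noise.
# These regexes are assumptions for the example, not real logcheck rule files.
IGNORE_PATTERNS = [re.compile(p) for p in (
    r" sshd\[\d+\]: Accepted publickey for ",
    r" CRON\[\d+\]: \(\w+\) CMD ",
    r" systemd\[\d+\]: (Started|Finished) ",
)]

# saslauthd failure as logged in the post. Note the line carries no client
# address, only the user, service and realm that were tried.
SASL_FAILURE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) saslauthd: : auth failure: "
    r"\[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\] \[realm=(?P<realm>[^\]]*)\]"
)


def filter_noise(lines):
    """Drop every line matching an ignore pattern; the rest is worth reading."""
    return [ln for ln in lines if not any(p.search(ln) for p in IGNORE_PATTERNS)]


def looks_guessed(user):
    """Heuristic taken from the post: plus-addressed users and SIP-style
    identifiers (all digits, or user@host) are not real SMTP accounts here."""
    return "+" in user or "@" in user or user.isdigit()


def report(lines):
    """Summarize SMTP auth failures per user; return the other lines as-is."""
    failures = Counter()
    other = []
    for ln in filter_noise(lines):
        m = SASL_FAILURE.match(ln)
        if m and m["service"] == "smtp":
            failures[m["user"]] += 1
        else:
            other.append(ln)
    return {
        "smtp_auth_failures": dict(failures),
        "guessed_users": sorted(u for u in failures if looks_guessed(u)),
        "other": other,
    }


# Constructed sample: the three lines from the post plus typical noise and one
# ssh line that a report should still show.
SAMPLE_LOG = """\
Mar  5 14:12:09 gosper saslauthd: : auth failure: [user=8006] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
Mar  5 14:12:11 gosper saslauthd: : auth failure: [user=8006] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
Mar  5 17:15:00 gosper saslauthd: : auth failure: [user=koos+web] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
Mar  5 17:17:01 gosper CRON[12345]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Mar  5 18:08:04 gosper saslauthd: : auth failure: [user=belspel] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error]
Mar  5 18:09:30 gosper sshd[2222]: Accepted publickey for koos from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:constructed
Mar  5 18:10:01 gosper sshd[2230]: Invalid user admin from 198.51.100.7 port 40001
"""

if __name__ == "__main__":
    summary = report(SAMPLE_LOG.splitlines())
    for user, n in sorted(summary["smtp_auth_failures"].items()):
        flag = " (looks guessed)" if user in summary["guessed_users"] else ""
        print(f"smtp auth failure x{n}: user={user}{flag}")
    for ln in summary["other"]:
        print(ln)
```

Because the saslauthd line has no source address, this summary tells you what is being guessed but not from where; to block sources you need to correlate with the MTA's own log, which records the connecting relay.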
2022-02-22 Shed switch ordered
In the project to upgrade the connectivity to our shed I ordered a switch with sfp slots: a netgear GS310TP. The choice is to have the same brand as in other places in the network so I can select compatible SFP modules easily. With this switch I also have vlan support so I can have a wifi access point in the shed if I want.
2022-02-21 I participated in the ARRL DX CW contest 2022
As I'm trying to make more morse contacts the 'easy' way is to participate in contests in morse. Last weekend was the ARRL DX CW contest and I heard quite a bit of contest morse on the 20 meter band. I tried a few contacts and after two contacts got the reply 'USA ONLY'. So I looked up the ARRL DX contest rules and found out that indeed for non-US/Canada stations only contacts with US/Canada are valid. Since I didn't hear any stations from that area in the late afternoon I left it at that. But in the early evening after the sun goes down but before the propagation on 20 meters dies down completely it is possible to make contacts with North America. So on Saturday and Sunday evening I used that 'window' to get several stations in the log. If these all get confirmed I should get several new US states in morse. It was also good practice in decoding callsigns and return information in morse with noisy conditions.
Band    160   80   40   20   15   10
QSO's     0    0    0   30    0    0
Mult      0    0    0   16    0    0
Raw Score: 84 Qpts x 16 Mults = 1344.
The objective for this contest is to expand knowledge of DX propagation, so I already met that objective with fine-tuning my operating window to have a good opportunity to work US stations in morse.
2022-02-19 Receiving DMARC reports and trying to debug my DKIM setup
Since November 2021 I have been running DKIM with sendmail. First for a test domain, later also for the main domain sending e-mail. I directly added a DMARC record with options to notify me of spf/dkim errors. I have seen a few reports of fake mail injected but most reports were about valid mail. For a long time google kept sending reports about dkim errors but I couldn't find out why. After I added the option to receive debug information this problem did not come back, so I'm not sure whether I fixed this. Today I sent something to a mailing list and got a debug report instantly. Somewhere after the mailing list software had changed the body of my message (it stripped the pgp signature and noted this) a mail server checked the DKIM headers and found out the body signature was wrong. Indeed. Mailing lists and DKIM/SPF are complicated.
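What the debug report shows is exactly what a DKIM verifier does: it recomputes the body hash (the bh= tag) over the body it received, and any edit by the list that survives canonicalization invalidates the signature. The example below is added here and is neither the author's setup nor any library's code. It implements the RFC 6376 'relaxed' body canonicalization and body hash, then models one hop through a mailing list for this entry and for the 2022-03-26 entry above: the list appends a footer and sends with its own envelope sender, so neither DKIM nor SPF is aligned with the idefix.net From: domain and DMARC fails, until the list rewrites From: to its own domain and re-signs the message (what Mailman's DMARC mitigation does). The domain lists.example.org, the footer and the message body are constructed for the example, and the organizational-domain lookup is simplified to the last two labels instead of the Public Suffix List.

```python
import base64
import hashlib
import re

CRLF = "\r\n"


def relaxed_body_canon(body: str) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: strip trailing
    whitespace per line, collapse runs of whitespace to one space, drop empty
    lines at the end, and end a non-empty body with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in body.split(CRLF)]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return (CRLF.join(lines) + CRLF).encode("utf-8")


def body_hash(body: str) -> str:
    """The bh= value a signer puts in DKIM-Signature for a=rsa-sha256."""
    digest = hashlib.sha256(relaxed_body_canon(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_body_verifies(signed_bh: str, received_body: str) -> bool:
    """A verifier recomputes bh= over the body it received; an appended footer
    or a stripped signature part changes it and the signature is invalid."""
    return body_hash(received_body) == signed_bh


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption;
    real verifiers use the Public Suffix List, so this is wrong for co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment (RFC 7489): strict 's' needs an exact match,
    relaxed 'r' the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_passes(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass,
                 aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM passes AND is aligned with the
    RFC5322.From domain. SPF is evaluated on the envelope sender
    (RFC5321.MailFrom), DKIM on the d= tag of a valid signature."""
    spf_aligned = spf_pass and aligned(from_domain, spf_domain, aspf)
    dkim_aligned = dkim_pass and aligned(from_domain, dkim_domain, adkim)
    return spf_aligned or dkim_aligned


# Constructed sample: what the author's MTA signed versus what the list sends on.
ORIGINAL_BODY = "Hi list,\r\n\r\nHere is my reply.\r\n\r\n-- \r\nKoos\r\n"
LIST_FOOTER = "_______________________________________________\r\nexample-list mailing list\r\n"


def list_forward(munge_from: bool) -> dict:
    """Model one hop through a mailing list (domains are assumptions).

    The list appends a footer, which breaks the author's DKIM body hash, and
    sends with its own envelope sender, so SPF passes only for the list domain.
    With munge_from=True the list rewrites From: to its own address and signs
    the edited message itself, as Mailman's DMARC mitigation does."""
    author_domain = "idefix.net"
    list_domain = "lists.example.org"
    signed_bh = body_hash(ORIGINAL_BODY)
    delivered_body = ORIGINAL_BODY + LIST_FOOTER
    author_dkim_ok = dkim_body_verifies(signed_bh, delivered_body)

    if munge_from:
        header_from = list_domain          # From: "Koos via example-list" <...@lists.example.org>
        dkim_domain, dkim_ok = list_domain, True   # assumption: list re-signs after editing
    else:
        header_from = author_domain
        dkim_domain, dkim_ok = author_domain, author_dkim_ok

    return {
        "author_dkim_valid": author_dkim_ok,
        "dmarc_pass": dmarc_passes(header_from, list_domain, True, dkim_domain, dkim_ok),
    }


if __name__ == "__main__":
    print("plain forward:", list_forward(munge_from=False))
    print("From: rewritten and re-signed:", list_forward(munge_from=True))
```

Two caveats follow from the model. Rewriting only the envelope sender (SRS) does not help a DMARC failure: a list already sends with its own envelope sender, and DMARC checks alignment against the From: header, which is why the fix is rewriting From:. And a signer could survive appended footers with the l= body-length tag, but that does nothing against the stripped PGP signature seen here and RFC 6376 warns against l= because it lets anyone append content under a valid signature.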
2022-02-16 Closing 2021 in amateur radio
I noticed I didn't do a "Closing 2021 in amateur radio" post yet, so time to catch up. Looking back at the Review of 2020 in amateur radio with plans for 2021 I can say:
- Practising morse has happened! Just no exam yet, but that is mainly due to the current circumstances
- Satellite contacts: none.
- Morse and phone in contest: yes!
- New qsl cards ordered and in use
And the plans for 2022:
- More and more morse, and that exam. There is an exam date now and it will be possible to get the wanted 'CW included' on my radio amateur identification
- Again satellites
- In contests: try to get more morse and phone contacts.
- Use the better propagation to get contacts on different bands
More detailed statistics over 2021
And I had to check my own notes again how I got these numbers last year, so I'm adding the sql queries I typed at the mysql/mariadb client. With the database behind cqrlog available I can make all kinds of queries.
By month
The influence of months with (digital) contests isn't as strong as in previous years.
+-------+-----+
| month | cnt |
+-------+-----+
|     1 | 234 |
|     2 | 204 |
|     3 | 238 |
|     4 | 161 |
|     5 | 131 |
|     6 | 111 |
|     7 | 211 |
|     8 |  19 |
|     9 | 232 |
|    10 | 204 |
|    11 | 191 |
|    12 | 101 |
+-------+-----+
Query: select month(qsodate) as month, count(id_cqrlog_main) as cnt from cqrlog_main where year(qsodate)=2021 group by month order by month;
By band
No real surprises there. And the feeling that 10 meter was improving isn't showing in the statistics yet.
+------+-----+
| band | cnt |
+------+-----+
| 40M  | 699 |
| 20M  | 849 |
| 17M  | 151 |
| 15M  |  40 |
| 10M  | 243 |
| 2M   |  51 |
| 70CM |   4 |
+------+-----+
Query: select band, count(id_cqrlog_main) as cnt from cqrlog_main where year(qsodate)=2021 group by band order by freq;
By mode
Almost double the number of morse contacts compared to the previous year.
+-------+-----+
| mode  | cnt |
+-------+-----+
| JT65  |   2 |
| PSK31 |   3 |
| FM    |  19 |
| FT4   |  35 |
| PSK63 | 226 |
| CW    | 240 |
| SSB   | 267 |
| RTTY  | 386 |
| FT8   | 859 |
+-------+-----+
Query: select mode, count(id_cqrlog_main) as cnt from cqrlog_main where year(qsodate)=2021 group by mode order by cnt;
2022-02-15 My work PGP key needed replacement and using PGP keys in thunderbird with their original passphrases
Today I tried to sign a key with my work PGP key, and after lots of tries the conclusion was that my 2006 work pgp key was too infected with SHA1 signatures that I couldn't remove, so I created a replacement work PGP key. Even a signature for the new key with the old key was rejected. So the new work key:
pub   rsa4096/0x36FF19C6159C0262 2022-02-15 [SC] [expires: 2027-02-14]
      Key fingerprint = 1401 EE9F 25AD 23F1 C299 FD07 36FF 19C6 159C 0262
uid                   [ultimate] Koos van den Hout <k.vandenhout(at)uu.nl>
uid                   [ultimate] Koos van den Hout <koos(at)surfcert.nl>
sub   rsa4096/0x918F8E7A170EA93E 2022-02-15 [E] [expires: 2027-02-14]
I also signed it with my personal key, and I will try to get more signatures for the new work key to make things work better. Available at PGP key 0x36ff19c6159c0262. There you will see I also signed it with my old work key 0x42216fe29ee949cf but since that signature is also a SHA1 signature the new gpg implementation immediately rejects it. So I should get some signatures from people who have relatively new PGP keys. I've been using PGP since 1993 (29 years now!) and I can see the developments in PGP over the years in my keys. In the process I noticed one thunderbird installation insists on managing PGP keys completely and the other doesn't. Searching for the reason eventually found Use Thunderbird 78 with System GnuPG Keyring and I made sure the option mail.openpgp.allow_external_gnupg was set to true.