A StackExchange question on using HAProxy’s capture feature to pass data from TCP mode to HTTP mode prompted me to update my SSL configuration. The goal was an A+ rating from SSL Labs while still serving clients that cannot send SNI (WinXP/IE8, Java 6, and an old Android version) by routing them to a backend with weaker ciphers. I found a solution that does not need two cipher lists or handling of traffic in both TCP mode and HTTP mode, and then trimmed my settings to a minimal list of cipher specifications.
I often see postings asking about running a mail server on a dynamic IP address. Twenty years ago I started running my server on a dynamic IP address. Times have changed, however, and it is now more difficult to do so. Still, there are mail server roles that work reasonably well on a dynamic IP address. Continue reading
The new POODLE vulnerability led me to disable SSLv3 on my Ubuntu server. I have TLS/SSL enabled on three services: dovecot2. Each service required a different method to disable SSLv3. Ubuntu splits its configuration files into small pieces; the method should apply to other distributions, although the configuration files may be arranged differently. Continue reading
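After changing the configuration, the check I want is a direct one: does the service still complete an SSLv3 handshake? The script below is an added example, not part of the original post. It hand-builds an SSLv3 ClientHello and classifies the server's first record, so it works even where the local `openssl` binary was built without SSLv3 support. It assumes an implicit-TLS port such as Dovecot IMAPS on 993 (STARTTLS ports like 587 or 143 would need the STARTTLS exchange first, which it does not do); the host name is a placeholder.

```python
"""Check whether a TLS endpoint still accepts SSLv3 after it was disabled.

Added example, not from the original post. Sends a minimal SSLv3 ClientHello
to an implicit-TLS port and classifies the server's first record. Host and
port are assumptions; STARTTLS ports are not handled.
"""
import socket
import struct
import sys

SSLV3 = b"\x03\x00"

# A few SSLv3-era cipher suites: enough for any server that still offers
# SSLv3 to pick one of them.
CIPHER_SUITES = [0x000A, 0x002F, 0x0035, 0x0005, 0x0004]


def build_client_hello() -> bytes:
    """Return one TLS record carrying a minimal SSLv3 ClientHello."""
    client_random = b"\x00" * 32          # a constant random is fine for a probe
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3                              # client_version
        + client_random
        + b"\x00"                          # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                      # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record the server returns.

    "sslv3-accepted": a ServerHello came back, so SSLv3 is still enabled.
    "sslv3-rejected": an alert (protocol_version / handshake_failure).
    "closed":         nothing at all; the server dropped the connection.
    "unknown":        anything else (e.g. a plaintext banner on the wrong port).
    """
    if not data:
        return "closed"
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    if content_type == 0x16 and len(data) >= 6 and data[5] == 0x02:
        return "sslv3-accepted"            # handshake record, ServerHello
    if content_type == 0x15:
        return "sslv3-rejected"            # alert record
    return "unknown"


def probe(host: str, port: int = 993, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder host
    print(target, probe(target))
```

Run it against each TLS port after the restart; anything other than "sslv3-rejected" or "closed" means the change did not take effect on that service.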
I use eximstats to report my daily email traffic. I have a fairly high rate of rejections and wanted the hostnames listed in the rejection reports. To get them I developed a patch that looks up the hostname for each rejected IP address and adds it to the rejection reports.
The enhanced list saves me the effort of looking up IP addresses that appear repeatedly. Occasionally these belong to legitimate servers that have been misconfigured; DNS problems are often the cause. Continue reading
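The author's patch is to eximstats (Perl) and is not shown here; the script below is an added example of the same idea in Python. It parses the rejection lines Exim writes (`H=(helo) [ip]` when no reverse lookup was done, or `H=name (helo) [ip]` when Exim already knew the name), counts rejections per IP, and annotates each IP with its reverse-DNS name. The resolver is injectable so the report can be built offline, and the log lines are constructed for illustration.

```python
"""Summarise Exim rejections per sending host, with hostnames filled in.

Added example, not the author's eximstats patch. Log lines are constructed.
"""
import re
import socket
from collections import Counter
from typing import Callable, Dict, List, Tuple

# date time H=[rdns ](helo) [ip] ... rejected RCPT|MAIL|...
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"H=(?:(?P<rdns>[^\s(\[]\S*) )?(?:\((?P<helo>[^)]*)\) )?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\].*? rejected (?P<what>\S+)"
)

# Constructed sample, in the shape of Exim's rejectlog / mainlog entries.
SAMPLE_LOG = """\
2014-02-10 08:15:02 H=(mail.example.com) [192.0.2.10] F=<a@example.net> rejected RCPT <bob@example.org>: relay not permitted
2014-02-10 08:16:44 H=(localhost) [198.51.100.7] F=<x@example.net> rejected RCPT <bob@example.org>: HELO is localhost
2014-02-10 08:17:01 H=(mail.example.com) [192.0.2.10] F=<b@example.net> rejected RCPT <carol@example.org>: relay not permitted
2014-02-10 08:20:30 H=mx.partner.example (mx.partner.example) [203.0.113.5] F=<> rejected RCPT <nobody@example.org>: unknown user
2014-02-10 08:21:00 some unrelated log line
"""


def parse_rejections(text: str) -> List[Dict[str, str]]:
    """Return the fields of every rejection line; other lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


def default_resolver(ip: str) -> str:
    """Reverse-DNS lookup with a readable fallback when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return "(no reverse DNS)"


def rejection_report(text: str,
                     resolver: Callable[[str], str] = default_resolver
                     ) -> List[Tuple[str, str, int]]:
    """Return [(ip, hostname, count)], most-rejected first.

    A name Exim already logged (H=name (helo) [ip]) is used as-is; otherwise
    the resolver is consulted once per IP, not once per line.
    """
    counts: Counter = Counter()
    known: Dict[str, str] = {}
    for rec in parse_rejections(text):
        counts[rec["ip"]] += 1
        if rec["rdns"]:
            known[rec["ip"]] = rec["rdns"]
    return [(ip, known.get(ip) or resolver(ip), n) for ip, n in counts.most_common()]


if __name__ == "__main__":
    for ip, name, n in rejection_report(SAMPLE_LOG):
        print(f"{n:5d}  {ip:15s}  {name}")
```

With the real resolver the report is the list the post describes: repeat offenders at the top, each with the name that tells you whether it is a spambot or a misconfigured legitimate relay.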
While cleaning up my Ubuntu email server configuration, I consolidated my login security. My SMTP server is Exim and my IMAP server is Dovecot. Mail User Agents (MUAs) authenticate over TLS-encrypted connections to access IMAP and SMTP, and each program had its own password configuration.
Exim includes Dovecot among its supported authentication mechanisms: Exim's dovecot authenticator hands the credentials to Dovecot's authentication service, so one mechanism serves both SMTP and IMAP (or POP3). This post also includes configuration details for requiring authentication on the Submission port. Continue reading
We are quickly running out of IPv4 addresses. Are you ready for World IPv6 Day on June 8th, 2011? I have prepared my configuration on OpenWRT and Ubuntu, including DNS with bind, email with Exim, and a Squid web proxy.
Having verified that I could establish IPv6 connectivity, I set out to improve it. This started with getting a tunnel from Hurricane Electric and updating my configuration. I then updated my bind server and Exim mail server to support IPv6 addresses. This posting updates and continues my post on Implementing IPv6 6to4 on OpenWRT; review it for information on creating a tunnel and running radvd on OpenWRT. Continue reading
Recent reports indicate that spam is increasing again. I have been using Exim to filter spam for several years. Some recent tuning has decreased the percentage of spam that reaches my spam filters. This article discusses the techniques used and provides implementation examples. Spambots tend to be simple programs that do not handle slow servers very well, and greylisting is an effective method of blocking them because they usually do not retry. My latest changes use delays to cause many spambots to abandon their attempt; greylisting is applied only to poorly configured servers that make it as far as the RCPT command.
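The policy in that paragraph (delay suspicious clients, greylist only the poorly configured ones that reach RCPT, let everyone else straight through) is easy to state as code. The following is an added example and not the author's Exim ACL; the specific "poorly configured" checks, the retry window and the delay values are my assumptions, and the sample clients are constructed.

```python
"""Greylisting only for poorly configured clients, plus a delay for them.

Added example modelling the policy described in the post; not the author's
Exim configuration. Checks, windows and delays are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_RETRY = 5 * 60            # a retry earlier than this is still deferred (assumed)
MAX_AGE = 24 * 3600           # a first attempt is forgotten after this (assumed)
ACCEPT_TTL = 36 * 24 * 3600   # a client that passed stays accepted this long (assumed)

Triplet = Tuple[str, str, str]


def suspicious(helo: str, rdns: Optional[str]) -> List[str]:
    """Cheap checks that mark a client as 'poorly configured'."""
    problems = []
    if rdns is None:
        problems.append("no reverse DNS")
    if "." not in helo:
        problems.append("HELO is not a FQDN")
    if helo.lower() in ("localhost", "localhost.localdomain"):
        problems.append("HELO is localhost")
    try:
        ipaddress.ip_address(helo.strip("[]"))
        problems.append("HELO is a bare IP address")
    except ValueError:
        pass
    return problems


def delay_seconds(problems: List[str]) -> int:
    """Delay before answering a suspicious client; many spambots give up (values assumed)."""
    return 0 if not problems else min(60, 10 * len(problems))


@dataclass
class Greylist:
    pending: Dict[Triplet, float] = field(default_factory=dict)   # triplet -> first seen
    passed: Dict[Triplet, float] = field(default_factory=dict)    # triplet -> last accepted

    def decide(self, ip: str, sender: str, rcpt: str, helo: str,
               rdns: Optional[str], now: float) -> Tuple[str, str]:
        """Decision at RCPT time: ('accept' | 'defer', reason)."""
        problems = suspicious(helo, rdns)
        if not problems:
            return "accept", "well-configured sender"
        key = (ip, sender.lower(), rcpt.lower())
        if key in self.passed and now - self.passed[key] < ACCEPT_TTL:
            self.passed[key] = now
            return "accept", "previously passed greylisting"
        first = self.pending.get(key)
        if first is None or now - first > MAX_AGE:
            self.pending[key] = now          # (re)start the clock for this triplet
            return "defer", "greylisted (%s); try again later" % ", ".join(problems)
        if now - first < MIN_RETRY:
            return "defer", "greylisted; retried too soon"
        del self.pending[key]
        self.passed[key] = now
        return "accept", "retried after %d s" % (now - first)


if __name__ == "__main__":
    g = Greylist()
    # Constructed clients: a proper relay and a spambot claiming to be localhost.
    print(g.decide("203.0.113.5", "a@example.net", "bob@example.org", "mx.partner.example", "mx.partner.example", 0))
    print(g.decide("198.51.100.7", "x@example.net", "bob@example.org", "localhost", None, 0))
    print(g.decide("198.51.100.7", "x@example.net", "bob@example.org", "localhost", None, 600))
```

In a real MTA the `defer` verdict becomes a 4xx response at RCPT and `delay_seconds` becomes a pause before the banner or the RCPT reply; a sender that honours the temporary failure and comes back after the minimum wait is accepted, which is exactly what most spambots fail to do.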
This article was updated in February 2014 to reflect changes in policy and reporting options. The earlier ADSP (Author Domain Signing Practices) information has been removed.
DomainKeys Identified Mail (DKIM) provides a method to confirm the origin of an e-mail and also provides some protection against tampering. Unlike SPF, this validation applies to the contents of the message as they were when it was signed. Like SPF, the information required for validation is published in DNS. Continue reading
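The part of DKIM that gives the tamper protection mentioned above is visible without any key material: the signer canonicalizes the body, hashes it, and places the base64 digest in the `bh=` tag of the DKIM-Signature header; a verifier recomputes it and rejects on mismatch before it ever touches the RSA signature. The code below is an added example, not the author's DKIM setup. It implements both body canonicalizations from RFC 6376 and the `bh=` check; verifying the `b=` signature over the headers, which needs the public key published at `<selector>._domainkey.<domain>`, is deliberately left out. The sample body, domain and selector are constructed.

```python
"""DKIM body-hash (bh=) computation and check. Added example; sample data constructed."""
import base64
import hashlib
import re
from typing import Dict


def _lines(body: bytes):
    return body.replace(b"\r\n", b"\n").split(b"\n")


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple': drop trailing empty lines; an empty body becomes CRLF."""
    lines = _lines(body)
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 'relaxed': strip trailing WSP, collapse WSP runs to one SP, then as simple."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in _lines(body)]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, canon: str = "relaxed", alg: str = "sha256") -> str:
    """The value a signer puts in bh= for this body."""
    c = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    return base64.b64encode(hashlib.new(alg, c).digest()).decode()


def parse_tags(dkim_signature: str) -> Dict[str, str]:
    """Parse 'v=1; a=rsa-sha256; ...' (folded or not) into a tag dict."""
    tags = {}
    for part in dkim_signature.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """Verifier side: recompute bh= using the header's c=, a= and l= tags."""
    tags = parse_tags(dkim_signature)
    c = tags.get("c", "simple")
    body_canon = c.split("/")[1] if "/" in c else "simple"   # c=header/body; body defaults to simple
    alg = tags.get("a", "rsa-sha256").split("-")[-1]
    canon = canon_body_relaxed(body) if body_canon == "relaxed" else canon_body_simple(body)
    if "l" in tags:                                            # optional body length limit
        canon = canon[:int(tags["l"])]
    digest = base64.b64encode(hashlib.new(alg, canon).digest()).decode()
    return digest == tags.get("bh")


# Constructed message body with the kind of whitespace that relaxed canonicalization ignores.
SAMPLE_BODY = b"Hello,  world \r\n\r\nBye\r\n\r\n\r\n"


def example_signature(body: bytes) -> str:
    """A folded DKIM-Signature with a real bh= for `body`; b= is a placeholder (no key here)."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel2014;\r\n"
            "\th=from:to:subject:date; bh=" + body_hash(body, "relaxed") + ";\r\n"
            "\tb=PLACEHOLDER")


if __name__ == "__main__":
    sig = example_signature(SAMPLE_BODY)
    print(sig)
    print("original body:", body_hash_matches(sig, SAMPLE_BODY))
    print("edited body:  ", body_hash_matches(sig, b"Hello, world\r\n\r\nBye!\r\n"))
```

Note what relaxed canonicalization does and does not protect: reflowing whitespace or adding blank lines at the end keeps the hash intact, while changing a single visible character breaks it. That is the "some protection against tampering" in the paragraph above.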
I have been receiving a fair amount of spam from an e-mail forwarder that is unwilling to correct its problems. Much of the spam it forwards takes the form of bounce notifications, and attempting to reject other spam only resulted in more notifications. To control this spam I implemented signed return path addresses. As a side benefit, I am also rejecting bogus notifications sent directly to me.
Signing my return path allows me to reject faked notification e-mail. The SMTP standard requires that email sent with a null return path “<>” (the envelope sender) never be returned. Its purpose is to allow notifications about existing messages, such as address unknown, message delivered, and message read. E-mail notifications that are not about a previously sent message can be refused, and signing the return path allows me to reject such invalid notifications. Continue reading
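To make the mechanism concrete, here is an added example of a signed return path; it is not the author's implementation, and the post does not say which tag format he used. The layout below is modelled on the BATV "prvs" tag (`prvs=<key id><expiry day><6 hex HMAC digits>=<local>@<domain>`); the key, the seven-day validity and the use of a days-since-epoch counter stored modulo 1000 are my assumptions. Only a server holding the key can mint a valid tag, so a message from the null sender addressed to an untagged or expired address cannot be a notification about mail this server sent, and it can be refused at RCPT.

```python
"""BATV-style signed return path. Added example; key, format details assumed."""
import hashlib
import hmac
from typing import Optional

SECRET = b"replace-me-with-a-random-key"   # assumed; generate your own and keep it private
KEY_ID = "0"                                # lets you rotate SECRET later
VALID_DAYS = 7                              # assumed validity window


def _tag(key_id: str, expiry: int, local: str, domain: str, secret: bytes) -> str:
    """6 hex digits of HMAC-SHA1 over key id, expiry day and the address (case-folded)."""
    data = f"{key_id}{expiry:03d}{local}@{domain}".lower().encode()
    return hmac.new(secret, data, hashlib.sha1).hexdigest()[:6]


def sign_return_path(address: str, today: int, secret: bytes = SECRET) -> str:
    """Wrap the envelope sender for outgoing mail. `today` is a day counter (e.g. days since epoch)."""
    local, domain = address.rsplit("@", 1)
    expiry = (today + VALID_DAYS) % 1000     # three-digit field, wraps every 1000 days
    return f"prvs={KEY_ID}{expiry:03d}{_tag(KEY_ID, expiry, local, domain, secret)}={local}@{domain}"


def verify_return_path(address: str, today: int, secret: bytes = SECRET) -> Optional[str]:
    """Return the original address if the tag is well-formed, unexpired and authentic, else None."""
    if not address.startswith("prvs="):
        return None
    try:
        tagpart, rest = address[5:].split("=", 1)
        local, domain = rest.rsplit("@", 1)
    except ValueError:
        return None
    if len(tagpart) != 10:
        return None
    key_id, day_s, mac = tagpart[0], tagpart[1:4], tagpart[4:]
    if key_id != KEY_ID or not day_s.isdigit():
        return None
    expiry = int(day_s)
    remaining = (expiry - today) % 1000      # days left, tolerant of the counter wrapping
    if remaining > VALID_DAYS:
        return None                          # expired (or claims an impossible future expiry)
    if not hmac.compare_digest(mac, _tag(key_id, expiry, local, domain, secret)):
        return None
    return f"{local}@{domain}"


def accept_bounce(mail_from: str, rcpt_to: str, today: int, secret: bytes = SECRET) -> bool:
    """RCPT policy: a null-sender message must be addressed to a valid signed return path."""
    if mail_from != "<>":
        return True                          # not a notification; other checks apply
    return verify_return_path(rcpt_to, today, secret) is not None


if __name__ == "__main__":
    signed = sign_return_path("bob@example.org", today=100)
    print("MAIL FROM:<%s>" % signed)
    print("bounce to signed address:   ", accept_bounce("<>", signed, 100))
    print("bounce to plain address:    ", accept_bounce("<>", "bob@example.org", 100))
    print("same bounce a week too late:", accept_bounce("<>", signed, 108))
```

Incoming mail for the tagged address is delivered to the original mailbox after `verify_return_path` strips the tag, so legitimate delivery-status notifications still arrive; the expiry keeps a harvested tag from being useful for long.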