I have ntopng installed. One of my machines is used to rsync data offsite. When I look at the machine in question, I don't see any traffic flows to the remote server, while I see all of its other traffic. Wondering if I am either misunderstanding something, or if there's something else I can do.
NinjaCat's questions
My setup has the current auth config. It forces authentication by any remote host. That's good. But I need to make an exception.
auth_file="/etc/lighttpd.users"
# If auth_file is not empty, enable lighttpd local authentication
if grep -q ".*:.*" "$auth_file" 2>/dev/null; then
    # Strip blank lines in place; -i and -r are separate so "r" is not taken as a backup suffix
    sed -i -r '/^$/d' "$auth_file"
    cat <<EOF
\$HTTP["remoteip"] != "127.0.0.1" {
    auth.backend = "htdigest"
    auth.backend.htdigest.userfile = "$auth_file"
    auth.require = (
        "/" => (
            "method" => "digest",
            "realm" => "MyRealm",
            "require" => "valid-user"
        )
    )
}
EOF
fi
I set up a second server on a different port (as seen below). I'd like to make an exception to my auth script such that users to this 2nd site do not require authentication.
$SERVER["socket"] == ":8080" {
    server.document-root = "/www2"
}
Sending email to one particular domain, I get the following error:
----- The following addresses had permanent fatal errors -----
<>
(reason: 403 4.7.0 TLS handshake failed.)
----- Transcript of session follows -----
<>... Deferred
Wondering if this is an issue with my mail server, or the recipient...
So this is happening on two domains now... both of whom are using outlook.com as mail providers:
openssl s_client -starttls smtp -connect x-com.mail.eo.outlook.com:25
CONNECTED(00000003)
depth=2 CN = Microsoft Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=WA/L=Redmond/O=Microsoft/OU=Forefront Online Protection for Exchange/CN=mail.protection.outlook.com
   i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2
 1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2
   i:/CN=Microsoft Internet Authority
 2 s:/CN=Microsoft Internet Authority
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---
Server certificate
subject=/C=US/ST=WA/L=Redmond/O=Microsoft/OU=Forefront Online Protection for Exchange/CN=mail.protection.outlook.com
issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2
---
Acceptable client certificate CA names
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=SecureTrust Corporation/CN=SecureTrust CA
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
/CN=NT AUTHORITY
---
SSL handshake has read 8738 bytes and written 566 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 991B0000D75A2D35BA784D9139460FCC0234D206A71677CE0D40B92CF8698C7C
Session-ID-ctx:
Master-Key: 5C84C017A9B2B9E0DF1B9E7E7A14BDF6666B02A4281D5ADF352BF6AEDDFE31D826E394B4DB4F4B72357E45CAF402A4CE
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1424906131
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
250 CHUNKING
I am trying to move all subdirectories of a folder to another share on the same server. If I do a mv *, I will run out of space since the folders are not removed until all folders get transferred. So I'd like to create a short script that loops through each one. Does anyone have an example that I can look at? I've searched around but can't find exactly what I am looking for.
We have openldap set up on our Ubuntu server, and were getting this message for a user:
auth: pam_unix(dovecot:account): account has expired (account expired)
Sep 3 19:05:03 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=XXXX rhost=::1 user=XXXX
I changed the password with ldappasswd successfully, but still the error persists. Doing some research it seems that shadowLastChange is not getting updated.
How can we resolve this?
/usr/share/slapd/slapd.conf
access to attrs=userPassword,shadowLastChange
        by dn="@ADMIN@" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="@ADMIN@" write
        by * read
OK - this seems to be a PAM issue.
If I edit /etc/nsswitch.conf to:
shadow: compat
I don't get the message that the account is expired.
If I change it to:
shadow: files ldap
I do. But in either case, I still get the dovecot error.
We have 2 servers, one each located at different geographical locations where we are considering using an rsync script to keep certain folders in sync. Our setup disables root login and password logins and relies on keyfiles.
We run SSH on port 22X (just to minimize the login attempts, not as a way of security through obscurity).
If we set up port forwarding so that port XYZ forwards to 22X, and have disabled password logins, what other measures should we take to prevent any malicious activity occurring because of the open port?
My thinking is that as long as we keep our keys secure, then there should not be an issue. Have I missed something?
I have a Windows 2008 Server machine with a postgres database running on it. I'd like to back it up daily and have it sent to another machine (running Ubuntu or Windows). What's the best way to set this up?
I noticed something weird today on my mail server. I had a message in my inbox that said:
Received: from myserver.com (localhost)
by myserver.com (8.14.3/8.14.3/Debian-9.2ubuntu1) id r3GJ4H5S005124;
Tue, 16 Apr 2013 19:05:02 GMT
Date: Tue, 16 Apr 2013 19:05:02 GMT
From: Mail Delivery Subsystem <[email protected]>
It's a bounce from a message that seems to have been sent from my server. Logs show that I received a spam message from this address, but then the last line of the log I pasted below caught my attention. How would I have a "TO" message to this email address? I can guarantee that I never responded, etc.
This is running sendmail on ubuntu.
syslog:Apr 16 14:48:23 myserversm-mta[32741]: r3GEmLnq032741: from=<[email protected]>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA-v4, relay=[37.45.241.125]
syslog:Apr 16 14:53:32 myservermilter-regex[4633]: [37.45.241.125] [37.45.241.125]: cb_envfrom('<[email protected]>')
syslog:Apr 16 14:53:32 myservermilter-regex[4633]: [37.45.241.125] [37.45.241.125]: macro {mail_addr} = [email protected]
syslog:Apr 16 14:53:32 myservermilter-greylist: r3GErUP7000362: addr [37.45.241.125][37.45.241.125] from <[email protected]> to <[email protected]> delayed for 00:04:51 (ACL 154)
syslog:Apr 16 14:53:33 myserversm-mta[362]: r3GErUP7000362: from=<[email protected]>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA-v4, relay=[37.45.241.125]
syslog:Apr 16 14:58:50 myservermilter-regex[4633]: [37.45.241.125] [37.45.241.125]: cb_envfrom('<[email protected]>')
syslog:Apr 16 14:58:50 myservermilter-regex[4633]: [37.45.241.125] [37.45.241.125]: macro {mail_addr} = [email protected]
syslog:Apr 16 14:58:52 myserversm-mta[459]: r3GEwm3L000459: from=<[email protected]>, size=1102, class=0, nrcpts=1, msgid=<002701ce3ab0$bfb09940$236828a4@vadiminljjo>, proto=SMTP, daemon=MTA-v4, relay=[37.45.241.125]
syslog:Apr 16 14:58:52 myservermilter-regex[4633]: [37.45.241.125] [37.45.241.125]: cb_header('From', '"Vivian Cotton" <[email protected]>')
syslog:Apr 16 14:58:52 myservermilter-regex[4633]: [37.45.241.125] [37.45.241.125]: ACCEPT, HELO: 37.45.241.125, FROM: <[email protected]>, RCPT: <[email protected]>, From: "Vivian Cotton" <[email protected]>, To: <[email protected]>, Subject: Get Ready For More News From This Company!
syslog:Apr 16 19:05:02 myserversm-mta[5124]: r3GJ4H5R005124: to=<[email protected]>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=mail.bio.ru. [83.222.200.20], dsn=5.1.1, stat=User unknown
I inherited a mysql server, and so I've started with running the MySQLTuner.pl script. I am not a MySQL expert but I can see that there is definitely a mess here. I'm not looking to go after every single thing that needs fixing and tuning, but I do want to grab the major, low hanging fruit.
Total Memory on the system is: 512MB. Yes, I know it's low, but it's what we have for the time being.
Here's what the script had to say:
General recommendations:
Run OPTIMIZE TABLE to defragment tables for better performance
MySQL started within last 24 hours - recommendations may be inaccurate
Enable the slow query log to troubleshoot bad queries
When making adjustments, make tmp_table_size/max_heap_table_size equal
Reduce your SELECT DISTINCT queries without LIMIT clauses
Increase table_cache gradually to avoid file descriptor limits
Your applications are not closing MySQL connections properly
Variables to adjust:
query_cache_limit (> 1M, or use smaller result sets)
tmp_table_size (> 16M)
max_heap_table_size (> 16M)
table_cache (> 64)
innodb_buffer_pool_size (>= 326M)
For the variables that it recommends that I adjust, I don't even see most of them in the mysql.cnf file.
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
innodb_buffer_pool_size = 220M
innodb_flush_log_at_trx_commit = 2
innodb_file_per_table = 1
innodb_thread_concurrency = 32
skip-locking
big-tables
max_connections = 50
innodb_lock_wait_timeout = 600
slave_transaction_retries = 10
innodb_table_locks = 0
innodb_additional_mem_pool_size = 20M
user = mysql
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
skip-external-locking
bind-address = localhost
key_buffer = 16M
max_allowed_packet = 16M
thread_stack = 192K
thread_cache_size = 4
myisam-recover = BACKUP
query_cache_limit = 1M
query_cache_size = 16M
log_error = /var/log/mysql/error.log
expire_logs_days = 10
max_binlog_size = 100M
skip-locking
innodb_file_per_table = 1
big-tables
[mysqldump]
quick
quote-names
max_allowed_packet = 16M
[mysql]
[isamchk]
key_buffer = 16M
!includedir /etc/mysql/conf.d/
I have been running mysqldump on my set of MySQL databases (MyISAM and INNODB). Recently I wanted to restore the databases to another server, and so I created the databases and imported the dump file. It was then that I realized that the IBD files were not created.
I was under the impression that what I was doing was a backup, but in the case of INNODB it seems I have to do a backup of /var/lib/mysql//.ibd as well -- right?
If that's the case, then what is the point of a dumpfile if I have to take a backup of IBD files as well?
I am sure I am missing the obvious...
Running ubuntu 10.10, MySQL, I imported a set of databases from a backup.
The import looks OK - I can query the databases and see data in them. The strange thing is that in the /var/lib/mysql/ folder there exist only *.frm files and not the *.ibd files that I would expect. Along the same lines, the sizes of the files in each folder are way too small to contain all of the data.
Likewise, the /var/lib/mysql/ibdata1 file is way too small to contain the data.
Where can I look to figure out a) where the data actually is and b) where the ibd files are?
I am running ubuntu 10.10 and trying to set up pam with pam_ldap.
The guide at: http://wiki.debian.org/LDAP/PAM says, among other things:
In order to globally enable LDAP authentication through PAM, configure /etc/pam_ldap.conf accordingly and edit the /etc/pam.d/common-* files so that they contain something like this:
/etc/pam.d/common-account:
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
Now, taking this one file as an example, I see:
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
My question is, do I remove the things currently in that file, replacing them with the ones from the guide - or do I append the things from the guide to the end of the file?
Ubuntu 10.10 server. When I run the following command:
mysql
It tells me:
mysql: option '--default-character-set' requires an argument
I've updated the my.cnf file to set the default character set, so I am perplexed. What am I missing?
I've got that line exactly... but something strange is that I have a file at: /etc/init/mysql.conf that has
/usr/bin/mysqladmin --defaults-file="${HOME}"/debian.cnf ping && {
exec "${HOME}"/debian-start
When I boot my laptop, I get the following event in the error log...
I cannot tell which service is trying to use the aegisp.sys file or generating this event. Can anyone shed some light? Google is not very helpful with this issue ;)
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 8/20/2010
Time: 10:50:03 PM
User: N/A
Computer: XXX
Description:
The AEGIS Protocol (IEEE 802.1x) v3.6.0.0 service failed to start due to the following error:
The system cannot find the file specified.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I followed the guide at http://msmvps.com/blogs/clustering/archive/2004/10/06/15096.aspx to move my laptop from a domain to a workgroup.
One thing caught my eye, and that is:
- There's still a ton of records in the registry with the SID from the domain user
- Files in C:\windows\system32 have owner set to that SID.
Questions:
- How can I fix the issue re: the registry, or should I just leave it as it is?
- Re: ownership of files, should I leave them owned by the SID, or change it?
I've got sendmail, dkim-milter both running on RHEL4.
DNS and config files look like:
TXT record: mail._domainkey.MYDOMAIN.com IN TXT "v=DKIM1; g=*; k=rsa; t=y; p=....snip...TRM3w7CuYnQIDAQAB"
TXT record:
_adsp._domainkey.MYDOMAIN.com. IN TXT "dkim=unknown"
/etc/dkim.conf
Canonicalization simple
Domain MYDOMAIN.com,MY2ndDOMAIN.com
KeyFile /var/db/dkim/mail.key.pem
MTA MSA
Selector mail
Socket inet:8891@localhost
SignatureAlgorithm rsa-sha256
Syslog Yes
Userid dkim
X-Header Yes
Mode sv
InternalHosts /etc/dkim-internal-hosts
/etc/dkim-internal-hosts
MYDOMAIN.com
MY2ndDOMAIN.com
127.0.0.1
Now, when I send an email as a test, I don't see anything in the headers about DKIM being authenticated, although the key does appear:
X-DKIM: Sendmail DKIM Filter v2.8.3 MYDOMAIN.com o7FLH1Wa032083
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=MYDOMAIN.com; s=mail;
t=/XKdLCPjaYaY=;
h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type:
Content-Transfer-Encoding;
b=qetPkilXBdjnuqiKIyvAwsvTvJfAnq5urdgp/i7p/uLJ8DB+svy9A8C6CPmcfELsJ
hDid5k2AN5JD+wM2INmUIgjeAa/IwpGTbuMloj0Wioh4njqIfbATJqOhuqxTjic
If I type in:
# host -t txt mail._domainkey.MYDOMAIN.com
I get:
Host mail._domainkey.MYDOMAIN.com not found: 3(NXDOMAIN)
What could I be missing?
I've configured DKIM (milter-dkim) on my mail server. Incoming e-mail sent from my domain now contains the following header:
X-DKIM: Sendmail DKIM Filter v2.8.3 MYDOMAIN.com o7FLH1Wa032083
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.com; s=mail;
t=1281907022; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type:
Content-Transfer-Encoding;
b=qetPkilXBdjnuqiKIyvAwsvTvJfAnq5urdgp/i7p/uLJ8DB+svy9A8C6CPmcfELsJ
hDid5k2AN5JD+wM2INmUIgjeAa/IwpGTbuMloj0Wioh4njqIfbATJqOhuqxTjic
1.) So I guess that confirms that I have DKIM set up correctly, right?
But when I look at a message coming in from Google, I see:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
...snip...
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
...snip...
2.) What is the relationship of DomainKey-Signature vs DKIM-Signature?
Not sure if this belongs more on serverfault or not...
BACKGROUND:
I am using openldap, and pam/nss/ldap for authentication on my server (webmail, etc).
My files, which work fine:
/etc/openldap/slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
loglevel 0
access to attrs=userPassword,shadowLastChange
        by dn="cn=Admin,dc=MYDOMAIN,dc=com" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn="cn=Admin,dc=MYDOMAIN,dc=com" write
        by * read
database bdb
suffix dc=MYDOMAIN,dc=com
rootdn cn=Manager,dc=MYDOMAIN,dc=com
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
But when I change the access to:
access to *
        by self write
        by users read
        by anonymous auth
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
I can no longer log in anymore. How can I write this so that I can still log in, but that everyone in the world doesn't have read writes?
Is it possible to set up full disk encryption for Ubuntu 10.4 server? Either natively or with Truecrypt?
Additionally, is this something that has to be done at the time of installing the OS, or can it be done afterwards?