Home / user-84843

Richard Hansen's questions

Martin Hope
Richard Hansen
Asked: 2016-03-14 18:37:17 +0800 CST
  • 3

How do I use Salt to securely copy a sensitive file (a cryptographic key) from one specific minion to another specific minion? I don't want any other minion to be able to read the file.

Salt Mine?

The Salt Mine seems to be a logical place to start, but the documentation says:

The Salt Mine is used to collect arbitrary data from Minions and store it on the Master. This data is then made available to all Minions via the salt.modules.mine module.

I don't want the data to be made available to all minions, just one. In addition I don't need the periodic refresh—I only need the file to be read whenever I run state.highstate for the destination minion.

cp.push?

Salt's cp.push function seems like a good way to get the file to the master, except:

  • it uses the salt.transport.Channel.send() method which is not guaranteed to be confidential
  • the master gives the files pushed by cp.push global read permissions in the master's file system
  • once the file is on the master, it's not obvious how to get it to the destination minion

Custom External Pillar?

I could write a custom external pillar that somehow reads the file from the source minion (how?) and then makes the file's contents available via a pillar to a second minion. That seems like a lot of effort for a behavior that should be built-in.

copy
Martin Hope
Richard Hansen
Asked: 2013-03-01 23:51:55 +0800 CST
  • 1

My Exchange 2010 server is configured to relay mail to a smart host. Basic authentication is required over TLS. For some reason, Exchange doesn't feel like logging in.

I see the following error message in the Queue Viewer:

451 4.4.0 Primary target IP address responded with: "451 5.7.3 Require basic authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

and the following in the Exchange SmtpSend protocol log:

<,220 smarthost.example.com ESMTP
>,EHLO exchange.example.net,
<,250-smarthost.example.com,
<,250-PIPELINING,
<,250-SIZE 10240000,
<,250-ETRN,
<,250-STARTTLS,
<,250-ENHANCEDSTATUSCODES,
<,250-8BITMIME,
<,250 DSN,
>,STARTTLS,
<,220 2.0.0 Ready to start TLS,
*,,Sending certificate
...
*,,Received certificate
...
>,EHLO exchange.example.net,
<,250-smarthost.example.com,
<,250-PIPELINING,
<,250-SIZE 10240000,
<,250-ETRN,
<,250-AUTH PLAIN,
<,250-AUTH=PLAIN,
<,250-ENHANCEDSTATUSCODES,
<,250-8BITMIME,
<,250 DSN,
>,QUIT,
<,221 2.0.0 Bye,

There doesn't appear to be anything wrong on the smart host -- Exchange is simply not attempting to authenticate.

Any ideas?

exchange-2010
Martin Hope
Richard Hansen
Asked: 2013-01-15 10:12:28 +0800 CST
  • 0

I'd like to require user user1 when the URL is /foo/user1/*, user user2 when the URL is /foo/user2/*, etc. Is it possible to do this?

For example, I'd like to do something like this:

AliasMatch ^/foo/([^/]+)(/.*)? /home/$1/foo$2
<LocationMatch "^/foo/([^/]+)(/.*)?">
    SSLRequireSSL
    AuthType Basic                                                              
    AuthName "foo"
    AuthUserFile /etc/apache2/htpasswd
    Require user $1
</LocationMatch>
apache-2.2
Martin Hope
Richard Hansen
Asked: 2012-06-17 17:20:56 +0800 CST
  • 3

I have a postfix mail server that should relay all outgoing mail to an Exchange 2010 server (the Exchange box is my smarthost). I have administrator access to the Exchange 2010 system, but I'm not very familiar with it. How should I set up authentication on the Exchange 2010 system?

I guess I could add a standard user with a mailbox on the Exchange box, then configure my postfix box to log in to port 587 to relay mail. That option doesn't feel right -- it seems like there should be way to do server to server authentication, not just client to server authentication. Is there? If so, how would I set it up?

Edit:

  • the postfix mail server is at a remote site with a dynamic IP address, so authenticating by IP address won't work
  • I would like the email traffic between the two to be encrypted
  • I would like mutual authentication (the Postfix box knows it's talking to the Exchange box and not a man in the middle; Exchange knows that it is talking to the Postfix box)
  • setting up an IPsec tunnel seems overly complicated for what should be a trivial Exchange configuration
  • Exchange must allow the Postfix box to send messages to any destination
  • the messages submitted by the Postfix box must not be rejected as spam even if they look like spam
email exchange postfix exchange-2010 smarthost