artfulrobot's questions

My mailserver using exim4 has an ACL to check DKIM signatures. It accepts everything but it logs failures and writes a header with the results.

I'm sending mail from another server which I believe is adding DKIM sigatures correctly. (e.g. I've sent mail to gmail and outlook addresses, inspected the headers and both those systems have given the DKIM a pass.) But my mailserver is saying bodyhash_mismatch.

My mailserver doesn't always say DKIM is a fail.

Here's an email. I've changed the domains:

• example.org This is the main organisation's domain; it's used in the From: header and it's the signer domain.T he public key is published in the DNS.
• sender.example.org This is the server that sends the email, creates the DKIM header. It's the Return-Path header.
• receiver.example.org This is my mailserver's domain, where the DKIM is being verified. This is where the X-dkim-check header is being added, and the text following domain= comes from $dkim_cur_signer

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.receiver.example.org
    by mail.receiver.example.org with LMTP
    id t8rHGepc52SOVA8ADCPZSA
    (envelope-from <[email protected]>)
    for <[email protected]>; Thu, 24 Aug 2023 14:36:42 +0100
Received: from sender-rdns.example.org ([1.2.3.4] helo=sender.example.org)
    by mail.receiver.example.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.94.2)
    (envelope-from <[email protected]>)
    id 1qZAVv-004DMU-00
    for [email protected]; Thu, 24 Aug 2023 14:36:42 +0100
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=example.org; s=220151210; h=Sender:Message-Id:Subject:From:To:Date:
    Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:
    Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
    :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
    List-Subscribe:List-Post:List-Owner:List-Archive;
    bh=ecGWgWCJeWxJFeM0urOVWP+KOlqqvsQYKOpYUP8nk7I=; b=GTY2HZVje81tRJ0/xKFNUk5d7/
    9wE7CGtwmz2APM5VTDKY6q+qIbwhCRNzc6IWZ4j0Y9FOtnuVBeNR1I5xbOuqPaf62MYQZJFjLQ3/J
    PNpOpS3i1Yd3NCZUs1iB/Q8N+ii73FrvD5k1AA8F5yzJhVeaposgbkvU5vv1s/KgqTIA=;
Received: from localhost ([127.0.0.1] helo=sender.example.org)
    by sender.example.org with esmtp (Exim 4.96)
    (envelope-from <[email protected]>)
    id 1qZAVt-001EhO-2k
    for [email protected];
    Thu, 24 Aug 2023 14:36:41 +0100
Date: Thu, 24 Aug 2023 14:36:41 +0100
To: [email protected]
From: [email protected]
Subject: test Thu, 24 Aug 2023 14:36:41 +0100
Message-Id: <[email protected]>
X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
Sender: [email protected]
X-dkim-check: DKIM test failed: (domain=example.org), signature is bad.

This is a test mailing

How can I debug why exim on receiver.example.org thinks the signature is bad?

(I note that the DKIM signature includes a lot of headers that don't exist. Could that be a reason?)

EDIT: adding details:

• Signing exim: 4.96-15+deb12u1.
• Receiving exim: 4.94.2-7~bpo10+1

I'd like to set up the following logic using firewalld

1. When a host attempts to access the server from the internet on port 22:
   1. DROP and
   2. add their IP to an ipset called "trap" (with 24 hour timeout)
2. When a host whose IP is on the "trap" list attempts to connect to any port: DROP.

I've read many doc pages but can't see how to implement 1.2 above.

I noticed a steady increase in system memory use %age (as reported by sar) which I've tracked to MariaDB. It's does not seem to be related to db load: this increase is notmatched by an increasing number of queries.

I have the following size configuration:

key_buffer_size         =  400000000                                                                                  
innodb_buffer_pool_size = 1210612736 

Total there is 1.5GB, yet it's now topped out at 2.3GB on RSS memory.

Why is it getting so greedy? Can I get it to stick to its limits better? Or perhaps it is sticking to the limits on InnoDB but is using memory for something else, if so, is there a way to understand that so that I can adjust the configuration to keep the total memory use within a certain level? Or perhaps it's like Linux kernel and just uses all free memory for caching while it's free, but happily relinquishes it as needed?

I'm on MariaDB 10.3.22 on Debian 10 (Buster). The workload is a webserver (so I need to keep some memory for other processes: nginx+php). Happy to post more config if required.

I've successfully set up a WireGuard VPN on my Debian 10 server. It was incredibly straight forward compared to the setup of OpenVPN, and it's working fine.

However, I can't see any logs beyond those from journalctl -u [email protected]. I'd like to know, for example, when there are failed authentication attempts. Is there a way to monitor that? e.g. with openvpn I could use fail2ban based on auth attempts.

I'm running PHP 7.3 FPM and nginx. In my pool config I have

pm.status_path = /fpmstatus

I have nginx config in place to call out to php for that URL. But when I access that path I get an Access Denied.

The logs say:

Access to the script '/var/www/mysite.com/fpmstatus' has been denied (see security.limit_extensions)

As I understand, what's happening is that PHP is refusing to "run the script" called fpmstatus because it doesn't end in .php.

But I'm confused because I believe it was previously working, and because the comments in the config file for setting the status path suggest not including .php in the name. I don't want to turn off security.limit_extensions. And surely with the /fpmstatus path being internal, it should be excempt from these extensions?

EDIT

I tried setting the status path to /fpmstatus.php but this just gives a "No input file specified." error. Seems like fpm is not responding to the configured status page?

The nginx config that applies is:

location = /fpmstatus.php {
    access_log off;
    allow 127.0.0.1;
    deny all;
  fastcgi_param  SCRIPT_FILENAME    $document_root/fpmstatus.php;
  fastcgi_param  QUERY_STRING       $query_string;
  fastcgi_param  REQUEST_METHOD     $request_method;
  fastcgi_param  CONTENT_TYPE       $content_type;
  fastcgi_param  CONTENT_LENGTH     $content_length;

  fastcgi_param  SCRIPT_NAME        $document_root/fpmstatus.php;
  fastcgi_param  PATH_INFO          $fastcgi_path_info;
  fastcgi_param  REQUEST_URI        $request_uri;
  fastcgi_param  DOCUMENT_URI       $document_uri;
  fastcgi_param  DOCUMENT_ROOT      $document_root;
  fastcgi_param  SERVER_PROTOCOL    $server_protocol;
  fastcgi_param  REQUEST_SCHEME     $scheme;
  fastcgi_param  HTTPS              $https if_not_empty;

  fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
  fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

  fastcgi_param  REMOTE_ADDR        $remote_addr;
  fastcgi_param  REMOTE_PORT        $remote_port;
  fastcgi_param  SERVER_ADDR        $server_addr;
  fastcgi_param  SERVER_PORT        $server_port;
  fastcgi_param  SERVER_NAME        $server_name;

  # PHP only, required if PHP was built with --enable-force-cgi-redirect
  fastcgi_param  REDIRECT_STATUS    200;

    fastcgi_pass myupstream;
  }

I can get it working if I set cgi.fix_pathinfo=1 in /etc/php/7.3/fpm/php.ini but is there a way to get it working with that set to 0?

My Debian 8 vm has lots of systemd logs like this:

Apr 28 23:02:09 foo systemd[22305]: Starting Shutdown.
Apr 28 23:02:09 foo systemd[22305]: Reached target Shutdown.
Apr 28 23:02:09 foo systemd[22305]: Starting Exit the Session...
Apr 28 23:02:09 foo systemd[22305]: Received SIGRTMIN+24 from PID 22461 (kill).
Apr 28 23:02:10 foo systemd[22469]: Starting Paths.
Apr 28 23:02:10 foo systemd[22469]: Reached target Paths.
Apr 28 23:02:10 foo systemd[22469]: Starting Timers.

i.e. lots of Starting Shutdown lines and SIGRTMIN+24.

The docs say:

SIGRTMIN+24: Immediately exits the manager (only available for --user instances).

What does 'Shutdown' mean here? I don't think it means shutting down the whole machine - no signs of a reboot happening. So is it just a restart of systemd for some reason? What would cause that?

Confused!

journalctl looks like a great tool for looking through logs, but I'm stuck on what feels like a simple ask: I want to see all cron messages that contain the phrase update-ipsets.

Of course I can do this

journalctl -u cron.service | grep update-ipsets

but then you lose all the other benefits of journalctl's output (colour coding, auto paging, live view etc.)

I've tried:

journalctl -u cron.service MESSAGE=update-ipsets
journalctl -u cron.service "MESSAGE=*update-ipsets*"
journalctl -u cron.service "MESSAGE=.*update-ipsets.*"
journalctl -u cron.service "MESSAGE=/.*update-ipsets.*/"

And you don't want to experiment by hitting tab after MESSAGE= - hangs the (zsh/Debian Jessie) shell and Ctrl-C didn't help either!

I sort of can't believe that it doesn't have this basic functionality built in, so I'm sure I must have missed something?

Thanks.

Since upgrading to Debian 8 my syslog is full of

...freshclam[17851]: WARNING: Your ClamAV installation is OUTDATED!
...freshclam[17851]: WARNING: Local version: 0.98.7 Recommended version: 0.99
...freshclam[17851]: DON'T PANIC! Read http://www.clamav.net/support/faq

While trying not to panic, as instructed, I followed the link. Which goes to a 404! Panic! [joke. EDIT: this link is now working.]

Virus scanners need to be updated regularly, and these updates do not make it into Debian stable frequently. In days gone by we had a "volatile" repo for virus checkers etc. in Debian, then we had workarounds for Wheezy. What about Debian 8, Jessie?

Ideally I'd like to stick with apt for package management, especially as I have unattended upgrades running for security updates.

I've been using MariaDB, "an enhanced, drop-in replacement for MySQL" on my Debian stable servers for years, because of its increased performance.

However I've noticed that it appears to lag with relation to security updates in MySQL; for instance, there's DSA 3229-1 which lists several vulnerabilities, which do not appear to be patched in the Debian stable mariadb package.

Is this a security versus speed tradeoff? Is MariaDB generally behind on security updates or is this just a one-off?

I have a Windows 7 desktop and a Linux server running SSH and Samba services.

The Windows machine has a directory of files that need to be synced with a copy on the Linux server.

The Windows machine has a service that uses this set of files when running, and I need to copy the files before this service is running to ensure the integrity of the copied files.

The files are big (hundreds of MB) and ideally I'd like to use rsync to make this process efficient. I believe I can do this with cygwin.

So is there a way to make a script (I'm guessing a BAT file) that is run as an particular user, but before another particular service (e.g. on the machine turning on, but after networking is established) and rsyncs the data to either the server's samba share or (better) over ssh.

It would be fairly easy in a Linux environment, but I'm not a Windows expert.

cron runs shell commands from crontabs.

But having just got caught out by the differences between zsh and bash, I'm now concerned that I don't know which shell cron uses to interpret crontab commands? Obviously the simple case where the cron entry just points to a script file is handled by the #!/path/to/interpreter on the first line, but what when you have something more complex in cron?

I looked in /etc/cron* and can't see anything that might allow this to be set or changed?

I'm a small company on not much budget providing websites and databases for charity and not-for-profit clients.

I have a few Debian Linux VPS servers and ensure I have daily backups to a different VPS than the one the service is hosted on.

Recently one of my hosting companies told me two drives failed simultaneously and so that data was lost forever. Stuff happens, they said sorry, what else could they do? But it made me wonder about cost-effective ways to basically get a VPS up again in the event of a hardware or other host-related failure.

Currently I would have to

1. Spin up a new VPS
2. Get the last day's backup (which includes databases, web root and website-specific config) over onto the VPS, and configure it like the last one etc.
3. Update DNS and wait for it to propagate.

It would probably take a day or so achieve this, with the DNS propagation being a big unknown, although I have the TTL set quite low (hour or so).

Some hosts provide snapshots which can be used to replicate a set up to a new VPS, but there's still the IP and this doesn't help in the case that the host company cancels/suspends an account outright (I've been reading about this behaviour from certain hosting providers and it's scared me! I'm not doing anything spammy/dodgy and keep a close eye on security, but I realise that they literally have the power to do this and I'm quite risk averse).

Is this, combined with choosing reputable hosts, the best I can do without going for an incredibly expensive solution?

After a recent Debian upgrade on my LAMP webserver to Wheezy, mysqldump is throwing a warning:

-- Warning: Skipping the data of table mysql.event. Specify the --events option explicitly.

Events seems to be something special. Man page for mysqldump:

   *   --events, -E

       Include Event Scheduler events for the dumped databases in the output.

I have tried adding --skip-events to tell mysqldump that this is explicitly the behaviour I wanted (although I don't know why...) but it still generates the warning.

How can I (a) stop it emitting this warning, or (b) otherwise include this awkward table, if its something I should be keeping.

I used the easy-rsa/2.0 programs to build server and client certificates for OpenVPN. I copied the client ones to the clients along with ca.crt. All good.

I now need to revoke a client certificate from a stolen laptop. In /usr/share/doc/openvpn/examples/easy-rsa/2.0 there's a revoke script. I've run this successfully and it says "Data Base Updated". It's created some files in a subdir of the examples/doc folder.

I've copied the created crl.pem to /etc/openvpn/crl.pem and I've added crl-verify /etc/openvpn/crl.pem to server.conf.

Is there any way I can verify that I've done the right thing and that it will indeed block access?

Also, I'm not clear where this "Data Base" is stored or what it refers to? Is there any way to inspect this database?

I have OpenVPN set up on a Debian server. Clients can connect, and clients can ping and access resources (Samba shares and intranet) on the server.

However, the server cannot ping the client - it just times out.

Diagram

Client OpenVPN assigned IP: 10.67.15.26
   ↓ UDP on 1194
Internet
   ↓
Router port-forwards 1194 to server
   ↓ 
Server LAN IP: 10.67.5.1

Server OpenVPN config (relevant bits)

port 1194
proto udp
dev tun
server 10.67.15.0 255.255.255.0
push "route 10.67.5.0 255.255.255.0"

Server routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.67.15.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.67.15.0      10.67.15.2      255.255.255.0   UG    0      0        0 tun0
10.67.5.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.67.5.254     0.0.0.0         UG    0      0        0 eth1

Server firewall

I've temporarily disabled the server's firewall, all chains' policies are ACCEPT and all forwarding flags are set:

1 : /proc/sys/net/ipv4/conf/all/forwarding
1 : /proc/sys/net/ipv4/conf/default/forwarding
1 : /proc/sys/net/ipv4/conf/lo/forwarding
1 : /proc/sys/net/ipv4/conf/eth1/forwarding
1 : /proc/sys/net/ipv4/conf/tun0/forwarding
1 : /proc/sys/net/ipv4/ip_forward

Test cases:

client: ping 10.67.5.1 works, as do other resources.

server: ping 10.67.15.26 times out.

I have Dropbox running on a Debian server. I'd like to be able to find out the sync status - like you get when you right-click the dropbox icon in Windows, e.g. "Downloading 123 files" or "All up-to-date".

I'm sure there's a way but Google is apparently not my friend on this one.

Pls. note that I'm talking about the headless server install of dropbox, not the more common dropbox + dropbox-nautilus set up used for a typical linux desktop.

I've read about filename limits in Linux but this is specifically about Samba.

I hit a problem where by both Windows and Linux clients to my (Debian Squeeze) Samba server were unable to access certain PDFs burried in a deep file path.

The filepath of the containing dir is 250 characters, which makes me suspect that there's a 255 character limit. (It's possible that it's less because of multibyte UTF8 characters.)

This would be massively less than a Linux filename/filepath limit.

Anyone know whether there is a way around this limit?

I need files created by apache2 to have umask 002, i.e. group rw, by default.

I've tried putting umask 002 in /etc/apache2/envvars and although this script does get executed as part of apache start up (apache2ctl graceful) the umask has no effect. Presumably somewhere further in the start up process (e.g. when the user is downgraded from root to www-data) there's somewhere better to put this.

I've read posts about Fedora and one suggesting putting umask in /etc/init.d/apache2 but neither of these apply/work in Debian (Squeeze).

Can you help?

I want to use doxygen on my Debian Squeeze server, but I need the version from Debian Wheezy because this apparently contains the bugfix I need.

It's not in backports -- check packages.debian.org/search?suite=squeeze-backports&searchon=names&keywords=doxygen (I'm new here and wasn't allowed this as a proper link!)

I tried adding Wheezy to my sources.list file and running apt-get install -t wheezy doxygen but it wants to install too much from wheezy; This is a production server so can't afford this risk.

I'm assuming that compiling from source is going to want to compile all the rest of the above from source too?

Any other solutions? (e.g. some virtualisation or chrooting?) etc

I have OpenVPN setup and working. My office is part of a large building that operates several VLANs. Obviously from within our own VLAN I can access local resources, and from somewhere else in the world I can use OpenVPN. But when connected to a different VLAN in the same establishment I cannot do either.

OpenVPN is complaining because it is connecting to the building's external IP address, but the reply is being routed back internally (by switches I have no control over), which means the reply is not from the expected IP. Result:

Incoming packet rejected from [AF_INET]10.67.5.1:1194[2], 
   expected peer address: [AF_INET]195.x.x.x:1194 
   (allow this incoming source address/port by removing
   --remote or adding --float)

(x.x.x = censored public ip)

Anyone help? (I realise this is similar to other posts but I thought my problem was a bit different and justified a separate question)

As requested, server conf:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.67.15.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.67.5.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Client config

client
remote example.org
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client_rich.crt
key /etc/openvpn/client_rich.key
comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user openvpn
group openvpn