Tuesday, September 1, 2020

Use perdition as SSL offload proxy for IMAP/POP and ManageSieve

In modern setups you often have an ingress controller which terminates the SSL/TLS connections and then routes the traffic to the correct backend(s).

For Kubernetes and HTTP(S), nginx is often used for that task.

When you want to do the same for IMAP and/or POP, nginx can do that too, with its mail proxy module:

https://docs.nginx.com/nginx/admin-guide/mail-proxy/mail-proxy/

The main drawback is that nginx's mail proxy does not know your users: every login is turned into an HTTP request to an authentication service you have to write yourself (the auth_http backend), which answers with the authentication result and the backend server the session should be routed to. The ManageSieve protocol is not supported at all.

If you don't want this hassle, or you don't have the information needed to build such a service, perdition can be used as a full IMAP/POP/ManageSieve proxy with its own user-to-backend mapping.

The basic setup is quite simple, but there are a few pitfalls when using it with SSL and/or IPv6. Keep in mind that "offload" means the hop from perdition to the backend is plain IMAP/POP unless you also enable one of the outgoing SSL/TLS modes in ssl_mode, so the backend leg should stay on a network you trust.

When you enable SSL, you have to specify the certificate files, usually something like this:

ssl_ca_file /etc/postfix/ssl/ssl-root.ca
ssl_cert_file /etc/postfix/ssl/myserver.crt
ssl_key_file /etc/postfix/ssl/myserver.key

When you then start perdition, it will probably log a warning about not being able to read the DH parameters from the certificate file:

could not read DH params from cert file

perdition needs Diffie-Hellman parameters for the DHE cipher suites (ephemeral DH key exchange) and expects to find them in the certificate file. If your certificate file does not have them embedded, you can generate them yourself:

openssl dhparam -out dhparams.pem 4096

Then just append the content of dhparams.pem to your .crt file and perdition has the required DH values. The parameters themselves are public (only the per-connection exponents are secret), so keeping them in the certificate file is fine. Generating 4096-bit parameters can take a long time, so do it once and reuse the file on all your proxies.
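To check a certificate file for the DH block and append dhparams.pem exactly once, here is an added Python example (not perdition code). It assumes the file names from this post, shells out to the same openssl dhparam command only when dhparams.pem does not exist yet, and the PEM contents embedded in it are constructed placeholders, so the final OpenSSL load check reports them as unusable; with a real dhparams.pem that check returns True.

```python
"""Check whether a perdition certificate file carries DH parameters and
append them exactly once if not. Added example for this post, not part of
perdition; file names are assumptions and the PEM blocks below are
constructed placeholders, not a real certificate or a real DH group."""
import os
import ssl
import subprocess
import tempfile
from pathlib import Path

DH_BEGIN = "-----BEGIN DH PARAMETERS-----"
DH_END = "-----END DH PARAMETERS-----"

# Constructed sample data: a certificate file without a DH block and a
# dhparams.pem with a correctly shaped but invalid DH block.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBc2FtcGxl\n-----END CERTIFICATE-----\n"
SAMPLE_DH = DH_BEGIN + "\nAAAA\n" + DH_END + "\n"


def has_dh_params(pem_text: str) -> bool:
    """True if the text contains a complete DH PARAMETERS block."""
    start = pem_text.find(DH_BEGIN)
    return start != -1 and pem_text.find(DH_END, start) != -1


def dh_params_loadable(path: str) -> bool:
    """Let OpenSSL parse the DH block, which is what perdition does at start.
    A file without a block, or with a corrupt one, is reported as unusable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_dh_params(path)
    except (ssl.SSLError, OSError):
        return False
    return True


def generate_dh_params(dh_path: str, bits: int = 4096) -> None:
    """Same command as in the post; 4096 bits can take many minutes."""
    subprocess.run(["openssl", "dhparam", "-out", dh_path, str(bits)], check=True)


def ensure_dh_params(cert_path: str, dh_path: str, bits: int = 4096) -> bool:
    """Append the DH block to the .crt file unless it is already there.
    Returns True if the certificate file was modified."""
    cert = Path(cert_path)
    text = cert.read_text()
    if has_dh_params(text):
        return False                      # idempotent: never append twice
    if not os.path.exists(dh_path):
        generate_dh_params(dh_path, bits)
    dh_text = Path(dh_path).read_text()
    if not has_dh_params(dh_text):
        raise ValueError(f"{dh_path} contains no DH PARAMETERS block")
    if not text.endswith("\n"):
        text += "\n"
    cert.write_text(text + dh_text)       # rewrite in place, keeps permissions
    return True


def demo() -> tuple:
    """Run the procedure on the constructed files in a temp directory and
    return (first_run_modified, second_run_modified, dh_blocks, loadable)."""
    with tempfile.TemporaryDirectory() as tmp:
        crt = os.path.join(tmp, "myserver.crt")
        dh = os.path.join(tmp, "dhparams.pem")
        Path(crt).write_text(SAMPLE_CERT)
        Path(dh).write_text(SAMPLE_DH)
        first = ensure_dh_params(crt, dh)
        second = ensure_dh_params(crt, dh)
        blocks = Path(crt).read_text().count(DH_BEGIN)
        # The placeholder block is not a real group, so OpenSSL rejects it;
        # with a real dhparams.pem the last value is True.
        return first, second, blocks, dh_params_loadable(crt)


if __name__ == "__main__":
    print(demo())   # (True, False, 1, False)
```

Run it against the real files as ensure_dh_params("/etc/postfix/ssl/myserver.crt", "/etc/postfix/ssl/dhparams.pem") and then dh_params_loadable on the .crt; the second call is the check perdition itself performs, so a True there means the startup warning is gone.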

The second thing you might struggle with: when you start perdition on an IPv6 enabled host, it will only bind to the IPv4 address and not to the IPv6 address.

Unfortunately the documentation is lacking in this area, as to how to bind the IPv6 ports too.

The correct syntax is to use this in the perdition.imap4s etc. files:

bind_address 88.xx.xx.xx,"[2a01:xxx:xxx:xxx::xxx]"

Please note that you must specify both the IPv4 and the IPv6 address, and also that the IPv6 wildcard "[::]" will not work.

You have to specify the concrete IPv6 address and enclose it in "[...]", including the " characters. Check the result after startup with ss -ltnp (or netstat -ltnp) to make sure the imaps/pop3s/sieve ports are listening on both address families.

Configuring perdition as a ManageSieve proxy is also not very well documented.

Specifying the sieve capabilities is rather tricky; here is a working example:

capability \
"\"IMPLEMENTATION\" \"Cyrus timsieved\"  "\
"\"SIEVE\" \"comparator-i;octet "\
"comparator-i;ascii-numeric "\
"fileinto "\
"reject "\
"vacation "\
"imapflags "\
"notify "\
"envelope "\
"relational "\
"regex "\
"subaddress "\
"copy\"  "\
"\"SASL\" \"PLAIN\""


 

The important things to note in this:

Use \" to delimit the capabilities, and use two spaces to delimit the capability lines. A single space inside a value (the list of SIEVE extensions) is kept as is; only a double space ends a line.

Only advertise what the backend really supports, since the proxy passes the commands through and does not add features. Announcing SASL PLAIN is acceptable because the client side is protected by TLS, but the password then travels to the backend in clear text unless that leg is encrypted too.

Have a look at the base config file perdition.conf as a starting point.
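The quoting rules are easy to get wrong by hand, so here is an added Python example (not part of perdition) that builds the capability value from a list of name/value pairs, refuses values containing a double space or a quote (they would be read as a line break or string end), and parses a config line back for checking. It encodes only the two rules stated above; the backslash line-continuation layout of the example is not reproduced, the value is emitted on one line, and the sample capabilities are the ones from the example.

```python
"""Build and check the perdition 'capability' value for a ManageSieve proxy.
Added example for this post, not perdition code. The two rules it encodes
come from the post: a quote inside the config string is written as \\" and
two spaces separate capability lines. The sample capabilities are the ones
from the post's working example."""
import re

# Constructed from the post's working example.
SAMPLE_CAPS = [
    ("IMPLEMENTATION", "Cyrus timsieved"),
    ("SIEVE", "comparator-i;octet comparator-i;ascii-numeric fileinto reject "
              "vacation imapflags notify envelope relational regex subaddress copy"),
    ("SASL", "PLAIN"),
]

LINE_SEP = "  "   # two spaces end a capability line in perdition's string


def capability_string(caps) -> str:
    """Join (name, value) pairs into the raw capability text, one
    '"NAME" "value"' line per pair, separated by the two-space delimiter."""
    lines = []
    for name, value in caps:
        for field in (name, value):
            if '"' in field or LINE_SEP in field:
                # A double space or a quote inside a field would be parsed
                # as a line break or as the end of the string; refuse it.
                raise ValueError(f"invalid capability field: {field!r}")
        lines.append(f'"{name}" "{value}"')
    return LINE_SEP.join(lines)


def perdition_config_line(caps) -> str:
    """Render the config directive with the inner quotes escaped as \\"."""
    raw = capability_string(caps)
    return 'capability "' + raw.replace('"', '\\"') + '"'


def split_capability_lines(raw: str):
    """Reverse the join: the separate lines the client will receive."""
    return raw.split(LINE_SEP)


def parse_config_line(line: str):
    """Undo the escaping of a 'capability "..."' line and return the pairs,
    so an existing config can be checked against the delimiter rules."""
    m = re.fullmatch(r'capability "(.*)"', line, re.S)
    if not m:
        raise ValueError("not a capability line")
    raw = m.group(1).replace('\\"', '"')
    pairs = []
    for cap in split_capability_lines(raw):
        fields = re.fullmatch(r'"([^"]*)" "([^"]*)"', cap)
        if not fields:
            raise ValueError(f"malformed capability line: {cap!r}")
        pairs.append(fields.groups())
    return pairs


if __name__ == "__main__":
    print(perdition_config_line(SAMPLE_CAPS))
```

Paste the printed line into perdition.managesieve (or split it with the backslash continuations as in the example above; the content is identical), and run parse_config_line over an existing config line to find a stray single space where a double one was needed.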

If you have clients using K9 Mail (and probably others too), then you might have to remove all "AUTH=..." entries from the IMAP capability string, see this thread:

https://lists.vergenet.net/pipermail/perdition-users/2011-August/002547.html

Please also see my upcoming post on monitoring perdition with Zabbix.


Tuesday, August 25, 2020

Automatically remove write protection from USB Disks in Backup Exec

Veritas Backup Exec has a default which flags disks that have been offline for more than 32 days as write protected.

Backup Exec has expiration dates for each backup you have done. Once this date is reached, Backup Exec frees up the disk space and deletes the old backup sets.

The idea behind the write protection is that disks which have been away for so long contain older backups which should not be purged automatically. Otherwise, when you connect the disk with the monthly backup of January to the server in June for some restore, Backup Exec would remove these old backup sets.

That's usually not what you want, which is why this 32 day rule exists by default.

Of course you can tell Backup Exec to either not set this write protection at all, or only after a longer time period. There is also a dangerous option to allow Backup Exec to delete all expired backup sets on such a disk.

The default is usually fine, until you reinsert your January 2019 disk in January 2020. Then the disk will be write protected and you have to remove the write protection first, or your backup jobs will fail.

Since this is a manual action you have to do on a regular basis, you can also automate it with a script.

With PowerShell and the Windows Task Scheduler you can remove the write protection of the connected drives. Be aware that this also removes the safety net described above: any expired backup set on a re-attached disk can then be purged by the next job, so only do this for disks which are really meant to be overwritten.

One important thing to note: you must schedule the PowerShell script via the Task Scheduler. If you define it as a "Run before job" command in Backup Exec, the job will not start, since it sees no writable disk in the system and therefore never runs the pre-job command either.

This is the PowerShell script which removes the write protection on all online disks in Backup Exec. Store it somewhere on C:\...., for example as "c:\Program Files\Veritas\Backup Exec\Scripts\TurnWriteProtectedOff.ps1" (a location only administrators can write to, since the task runs it with elevated rights):

<# This script removes the virtual write protection on any online disks.
   This way USB disks which had not been online for a long time will be overwritable again.
   2020 a.schild@aarboard.ch
#>
Import-Module "c:\Program Files\Veritas\Backup Exec\Modules\BEMCLI\BEMCLI.Scripts.psm1"

$disks = Get-BEStorageDevice
foreach ($d in $disks) {
    # Only touch devices which are currently online; offline disks cannot be changed anyway
    if ($d.Servers.IsOnline -eq $true) {
        # $d | Format-Table Name
        $d | Set-BEDiskStorageDevice -VirtualWriteProtectionEnabled $false
    }
}


In the Task Scheduler you then schedule it to run 5-10 minutes before the regular backup job.

As program specify your powershell.exe as "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

As script argument you pass:

 -File "C:\Program Files\Veritas\Backup Exec\Scripts\TurnWriteProtectedOff.ps1"

And configure the task to "Run whether user is logged on or not", without requiring a network connection, and with "Run with highest privileges" so that BEMCLI is allowed to change the device settings.

Thursday, September 26, 2019

Startup problems with php-fpm and ldap user backend on Debian

If you use php-fpm together with an LDAP backend for user authentication, then you have probably seen this message in your boot logs:

[26-Sep-2019 14:58:34] ERROR: [pool XXXXXX] cannot get uid for user 'XXXXXXXX'

With the php5.6-fpm / php7.x-fpm packages the PHP FPM master process can fail to start when the pool users are provided via the nslcd service.

The reason is that the LDAP user backend (nslcd) is started after the php-fpm process(es), so the lookup of the pool user fails and the master process refuses to start.

Fortunately this is easy to solve: just edit your /etc/init.d/php7.3-fpm init script and add the user backend service(s) to the Required-Start section.

It looks like this:
# Required-Start:    $remote_fs $network

So adding nslcd (and nscd too, which is recommended) results in this line:

# Required-Start:    $remote_fs $network nslcd nscd


To make the new dependencies effective, disable and re-enable the service (on a systemd host this makes the sysv generator pick up the changed LSB header; systemctl daemon-reload does the same):

systemctl disable php7.3-fpm
systemctl enable php7.3-fpm

If your PHP package ships a native systemd unit (check with systemctl cat php7.3-fpm), the init script header is not consulted at all; in that case put the ordering into a drop-in, e.g. /etc/systemd/system/php7.3-fpm.service.d/override.conf with a [Unit] section containing After=nslcd.service nscd.service, followed by systemctl daemon-reload.

After this, you can reboot your server and the fpm processes should start up just fine.
 

Tuesday, July 16, 2019

Chromium 75.0.3770.xx submits HTML forms twice

When you have customers which use Chromium on Ubuntu 18.04 LTS, then you might see duplicate form posts in your applications.

This is a very nasty bug, introduced somewhere between the 74.0.3729.169 and 75.0.3770.80 releases, and at the time of writing the upstream fix is still "work in progress".

This does not help the customers, since we need a solution now, and not in a few days/weeks. Until it is fixed, it is also worth making the server side tolerate a repeated POST (for example with a one-time token in the form), since you cannot roll back the browser of every user.

On Ubuntu the simplest workaround is to roll back to the last working version 74.0.3729.169.

How to do this:

Log in on the console of your system(s) and do this:

cd /tmp
rm -f chromium-*

# Download the last known good 74.x packages (browser, codecs and translations)
wget -q http://launchpadlibrarian.net/424897539/chromium-browser_74.0.3729.169-0ubuntu0.18.04.1_amd64.deb
wget -q http://launchpadlibrarian.net/424897541/chromium-codecs-ffmpeg-extra_74.0.3729.169-0ubuntu0.18.04.1_amd64.deb
wget -q http://launchpadlibrarian.net/424897535/chromium-browser-l10n_74.0.3729.169-0ubuntu0.18.04.1_all.deb

# Install all three together so their versions stay consistent
dpkg -i chromium-*.deb

rm -f chromium-*

# Pin the packages so apt does not upgrade them to a broken 75.x again
apt-mark hold chromium-browser
apt-mark hold chromium-browser-l10n
apt-mark hold chromium-codecs-ffmpeg-extra



This installs the 74 version and prevents future upgrades from installing bad versions. Keep in mind that the hold also blocks security updates for Chromium, and that dpkg -i does not verify signatures of local .deb files, so fetch them over https (launchpadlibrarian.net supports it) rather than plain http before rolling this out to many machines.
Of course, once a working 75 or 76 release is available, you have to unhold the packages (apt-mark unhold) and upgrade again.

Thursday, March 28, 2019

Generate one page PDF calendars with entries

Generating a one page PDF calendar isn't that difficult.
Just draw the month grid and put the entries into the corresponding cells at the correct places.

But wait, is it that easy?

- What do you do when the entries in one grid cell need more space than is available?

To solve this problem in PHP, I wrote a class which handles it.
The PdfCalendarBuilder library hosted on GitHub solves this problem in two ways:

- First it tries to resize the row heights, distributing the free height across the rows, so everything still fits on one page
- The second option, if the content is still too large, is to reduce the font size of the entries until everything has a place on the same page

Both features can be de/activated independently of each other, but the best results are achieved when both remain activated.
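As an added illustration of the two options (example code written for this post, not the library's PHP), here is the fitting logic in Python: row heights are first computed from the tallest cell of each week, free height is distributed equally over the rows, and only if the rows still overflow is the font scale reduced step by step. The units, the step size and the minimum scale are assumptions.

```python
"""Fit a month grid onto one page the way the post describes: first spread
the free height over the rows, then shrink the font until the content fits.
Added example to illustrate the two options, not the PdfCalendarBuilder
code itself; units, step size and minimum scale are assumptions."""
from dataclasses import dataclass
from typing import List


@dataclass
class FitResult:
    row_heights: List[float]   # height per calendar row (week), in points
    scale: float               # font scale applied to the entries, 1.0 = unchanged
    fits: bool                 # False if the content still overflows the page


def fit_rows(lines_per_row, page_height, line_height,
             redistribute_rows=True, shrink_font=True,
             min_scale_pct=50, step_pct=5) -> FitResult:
    """lines_per_row: the tallest cell (number of entry lines) of each row.
    page_height: space available for the grid; line_height: height of one
    entry line at scale 1.0. Integer percents avoid float drift in the loop."""
    if not lines_per_row or page_height <= 0:
        raise ValueError("nothing to lay out")
    scale_pct = 100
    while True:
        scale = scale_pct / 100
        # Every row needs at least one line (the day numbers), then one line
        # per entry of its fullest cell, scaled by the current font scale.
        required = [max(1, n) * line_height * scale for n in lines_per_row]
        total = sum(required)
        if total <= page_height:
            if redistribute_rows:
                # Option 1: hand out the free height equally to all rows
                extra = (page_height - total) / len(required)
                required = [h + extra for h in required]
            return FitResult(required, scale, True)
        # Option 2: reduce the font size and try again, down to the minimum
        if not shrink_font or scale_pct - step_pct < min_scale_pct:
            return FitResult(required, scale, False)
        scale_pct -= step_pct


if __name__ == "__main__":
    busy = [10, 2, 2, 2, 2]     # constructed: one week with ten entries in a cell
    print(fit_rows(busy, page_height=150, line_height=10))
```

With both options on, the busy example shrinks the font to 80 % and then pads each row by 1.2 points; with shrink_font=False the same input is reported as not fitting, which is the case where a real renderer has to clip or wrap.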

There are still a few things to work out in the library, such as handling entries which span days, or things like full-day events which should be rendered differently.

But the basic stuff already works fine, even with event categories and legends.
It also does not matter what paper size you choose, just adjust the font sizes as you need them; the defaults are good for A4 paper.

And to help you integrate it in your own projects, the whole library is licensed under the Apache 2.0 license.
But please send back enhancements, error reports or other ideas to the project page.

Tuesday, January 22, 2019

Monitor letsencrypt certificates with Zabbix

Let's Encrypt is a great free system to automatically provide SSL/TLS certificates for your website(s).
Zabbix is a great free system to monitor your IT infrastructure.

One of the main features of Zabbix is the ability to extend it with any kind of monitoring scripts.
So when you use Let's Encrypt certificates, you can also monitor them from Zabbix.

There is a template you can add to the Zabbix server, plus the required config and script files which you place on the agents.

These can be found here.

It provides these features:
- Autodiscovery of all active Let's Encrypt certificates
- Monitoring of the remaining lifetime of the certificates
- A trigger when the certificates are about to expire (which means your auto renew does not work correctly)
- Monitoring of the certbot version
- A trigger when the certbot version is below 0.28

The certbot version is important, since Let's Encrypt retired the TLS-SNI-01 validation method on 13 February 2019; certbot releases before 0.28 may still try to use it and then fail to renew, so 0.28 is the minimum you want to see on every host.

With this you can relax about your SSL certificates; you won't have customers calling you in the morning because their website(s) have an invalid/expired certificate.
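To show what such an agent script has to get right, here is an added Python example (not the linked template): it parses the expiry date in the exact format openssl x509 -enddate -noout prints (note the double space before single-digit days), computes the days left, emits the Zabbix low-level discovery JSON for the discovered certificate names, and checks the certbot version against the 0.28 minimum. The sample lines are constructed; on a real agent you feed it the output of openssl and certbot --version.

```python
"""Helpers of the kind a Zabbix agent script for Let's Encrypt needs:
parse the expiry date as printed by 'openssl x509 -enddate -noout',
compute the days left, emit the low-level discovery JSON and compare the
certbot version against the 0.28 minimum. Added example for this post,
not the linked template; the sample lines below are constructed."""
import json
import re
from datetime import datetime, timezone

# Constructed sample input, in the exact format the tools print.
SAMPLE_ENDDATE = "notAfter=Mar  2 10:00:00 2021 GMT"
SAMPLE_CERTBOT = "certbot 0.31.0"


def parse_enddate(line: str) -> datetime:
    """'notAfter=Mar  2 10:00:00 2021 GMT' -> timezone-aware UTC datetime.
    strptime treats the whitespace in the format as 'one or more', so the
    padded single-digit day openssl prints is accepted."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"unexpected openssl output: {line!r}")
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def days_remaining(enddate_line: str, now: datetime) -> int:
    """Whole days until expiry; negative once the certificate has expired.
    This is the item value a trigger like 'last() < 14' would fire on."""
    return (parse_enddate(enddate_line) - now).days


def discovery_json(cert_names) -> str:
    """Zabbix LLD payload: one {#CERTNAME} entry per live certificate,
    e.g. the directory names under /etc/letsencrypt/live."""
    return json.dumps({"data": [{"{#CERTNAME}": n} for n in sorted(cert_names)]})


def certbot_version(output: str) -> tuple:
    """'certbot 0.31.0' or '0.27.1' -> (0, 31, 0); a missing patch level is 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", output)
    if not m:
        raise ValueError(f"no version number in {output!r}")
    return tuple(int(g) for g in m.groups(default="0"))


def certbot_ok(output: str, minimum=(0, 28)) -> bool:
    """True if the installed certbot is at least the minimum release."""
    return certbot_version(output)[:len(minimum)] >= minimum


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(days_remaining(SAMPLE_ENDDATE, now), certbot_ok(SAMPLE_CERTBOT))
    print(discovery_json(["www.example.org", "mail.example.org"]))
```

The version comparison is done on tuples rather than strings on purpose: a string compare would rank "0.9" above "0.28" and silently pass an outdated certbot.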

You can even enhance the SSL monitoring with more Zabbix templates from here.
These also allow you to monitor ftps/imaps/smtps/pop3s and other TLS/SSL secured connections.

We use these in our own environment, to make sure everything runs smoothly and that we are warned of potential problems before the customers notice them.

Friday, August 31, 2018

Java ffmpeg wrapper jave

In the last months we did some major enhancements to the jave library, which can be used from Java to analyze/convert audio and video files with ffmpeg.

The project homepage can be found here https://github.com/a-schild/jave2

The main changes compared to the original package are:
- Support for Windows 32+64 bit
- Support for Linux 32+64 bit
- Support for OS X 64 bit
- Upgraded to ffmpeg 4.x (from 3.x)
- Enhanced output parsing
- Added options for running the encoding/decoding in a separate thread
- Published on Maven Central for simpler usage
- Many smaller enhancements

The project was initially started by Carlo Pelliccia at http://www.sauronsoftware.it/projects/jave/

You are welcome to contribute to the project with ideas and code.
You can use the github page for this.