 | Jeroen Wiert Pluimer… on Does Odido (the old T-Mobile N… |
 | Lars Fosdal on Security alarm provider Woonve… |
 | Thomas Mueller on Question got closed in May 202… |
 | Thaddy de Koning on Formulier voor bewindvoerders… |
| Thaddy de Koning on Formulier voor bewindvoerders… |
Posted by jpluimers on 2021/11/25
Cool: [Wayback/Archive.is] GitHub – TimeToogo/tunshell: Remote shell into ephemeral environments 🐚 🦀
Via: [Archive.is] Jan Schaumann on Twitter: “This looks neat: on-demand remote shell into ephemeral environments, e.g. CI/CD pipeline container. Both sides fetch a client, use rendezvous server to negotiate session info, then establish connection or fall back to proxy through rendezvous. “
Posted in Communications Development, Development, DevOps, HTTP, Infrastructure, Internet protocol suite, Power User, Software Development, TCP, WebSockets | Leave a Comment »
Posted by jpluimers on 2021/11/24
A few scripts and tips I found Googling around.
I have seen the below delete-from-mailq.pl script numerous time, usually without any attribution (for instance [Wayback] Postfix Flush the Mail Queue – nixCraft and [Wayback] postfix-delete.pl – Following script deletes all mail from the mailq which matches the regular expression specified as the first argument · GitHub).
The earliest version I could find was in [Wayback] ‘Re: delete messages from mailq’ – MARC by [Wayback] ‘Ralf Hildebrandt ‘ posts – MARC:
--- snip ---
#!/usr/bin/perl
$REGEXP = shift || die "no email-adress given (regexp-style, e.g. bl.*\@yahoo.com)!";
@data = qx</usr/sbin/postqueue -p>;
for (@data) {
if (/^(\w+)\*?\s/) {
$queue_id = $1;
}
if($queue_id) {
if (/$REGEXP/i) {
$Q{$queue_id} = 1;
$queue_id = "";
}
}
}
#open(POSTSUPER,"|cat") || die "couldn't open postsuper" ;
open(POSTSUPER,"|postsuper -d -") || die "couldn't open postsuper" ;
foreach (keys %Q) {
print POSTSUPER "$_\n";
};
close(POSTSUPER);
--- snip ---
And then use:
% delete-from-mailq "^test"
[Wayback] How do I check the postfix queue size? – Server Fault
Lots of great answers and pointers to useful guides/software there.
qstat[Wayback] Postfix Bottleneck Analysis points to [Wayback] Postfix manual – qshape(1): qshape - Print Postfix queue domain and age distribution, then explains about different scenarion and queues:
- [Wayback] Introducing the qshape tool
- [Wayback] Trouble shooting with qshape
- [Wayback] Example 1: Healthy queue
- [Wayback] Example 2: Deferred queue full of dictionary attack bounces
- [Wayback] Example 3: Congestion in the active queue
- [Wayback] Example 4: High volume destination backlog
- [Wayback] Postfix queue directories
postqueue
postqueue -p | tail -n 1Last line in the
postqueue -pshows how many requests and size:
-- 317788 Kbytes in 11860 Requests.
I tried finding the original posting of the below script, but could not. If you find it, please let me know.
#!/usr/bin/env perl # postfix queue/s size # author: # source: http://tech.groups.yahoo.com/group/postfix-users/message/255133 use strict; use warnings; use Symbol; sub count { my ($dir) = @_; my $dh = gensym(); my $c = 0; opendir($dh, $dir) or die "$0: opendir: $dir: $!\n"; while (my $f = readdir($dh)) { if ($f =~ m{^[A-F0-9]{5,}$}) { ++$c; } elsif ($f =~ m{^[A-F0-9]$}) { $c += count("$dir/$f"); } } closedir($dh) or die "closedir: $dir: $!\n"; return $c; } my $qdir = `postconf -h queue_directory`; chomp($qdir); chdir($qdir) or die "$0: chdir: $qdir: $!\n"; printf "Incoming: %d\n", count("incoming"); printf "Active: %d\n", count("active"); printf "Deferred: %d\n", count("deferred"); printf "Bounced: %d\n", count("bounce"); printf "Hold: %d\n", count("hold"); printf "Corrupt: %d\n", count("corrupt");
[Wayback] Inspecting Postfix’s email queue – Tech-G explaining about:
mailqpostqueue -ppostcat -vq XXXXXXXXXX(whereXXXXXXXXXXis the message ID)postqueue -f/postfix flushpostsuper -dto delete messages
More of these in [Wayback] Postfix Mail Queue Management – Linux Hint and [Wayback] Postfix Bottleneck Analysis: queues.
MakefileBased on [Wayback] Using “make” for Postfix file maintenance
MAPS = relays.db aliases.db transport.db relocated.db \
virtual.db sender_checks.db rejected_recips.db \
helo_access.db
all : $(MAPS)
aliases.db : aliases
newaliases
%.db : %
postmap $*
This is my Makefile that runs fine on Tumbleweed (note: all 8-space indents are TAB characters):
MAPS = /etc/aliases.db \ transport.db \ virtual.db \ helo_access.db \ canonical.db \ sasl_passwd.db \ relocated.db \ relay.db \ access.db \ relay_ccerts.db \ sender_canonical.db all : $(MAPS) aliases.db : aliases @echo "Rebuilding $@." newaliases %.db : % @echo "Rebuilding $@." postmap $*
In the future, I might try [Wayback] Makefile.postfix · GitHub, though I think it is convoluted:
| ## Postfix: Makefile to update *.db files | |
| POSTCONF= /usr/sbin/postconf | |
| POSTMAP= /usr/sbin/postmap | |
| default: postmap | |
| postmap: Makefile.postmap | |
| @echo 'Updating database files …' | |
| $(MAKE) -f Makefile.postmap | |
| Makefile.postmap: main.cf | |
| @echo 'Updating $@ …' | |
| @set -e; \ | |
| rm -f $@.$$$$.tmp; \ | |
| echo 'POSTMAP=$(POSTMAP)' >>$@.$$$$.tmp; \ | |
| echo 'postmap::' >>$@.$$$$.tmp; \ | |
| config_directory="$(PWD)"; \ | |
| { $(POSTCONF) -c $(PWD) || kill $$$$; } \ | |
| |tr ' ' '\n' \ | |
| |sed -n \ | |
| -e 's/,$$//' \ | |
| -e 's#^hash:\$$config_directory/##p' \ | |
| -e 's#^hash:'"$$config_directory/##p" \ | |
| |sort -u \ | |
| |while read mapfile; do \ | |
| echo "postmap:: $$mapfile.db" >>$@.$$$$.tmp; \ | |
| echo "$$mapfile.db: $$mapfile" >>$@.$$$$.tmp; \ | |
| echo " \$$(POSTMAP) $$<" >>$@.$$$$.tmp; \ | |
| done; \ | |
| mv $@.$$$$.tmp $@ |
Ralf Hildebrandt is an active and well-known figure in the Postfix community. He’s a systems engineer for T-NetPro, a German telecommunications company and has spoken about Postfix at industry conferences and contributes regularly to a number of open source mailing lists.
Co-author of this book: [Wayback: Book of Postfix State-of-the-Art Message Transport ISBN 9781593270018] (which used to have its own site: [Wayback: The Book of Postfix]
Book of Postfix
State-of-the-Art Message Transport
Publisher: No Starch PressRelease Date: March 2005Pages: 496 Best practices for Postfix–the popular alternative to Sendmail. Developed with security and speed in mind, Postfix has become a popular alternative to Sendmail and comes preinstalled in many Linux distributions as the default mailer. The Book of Postfix is a complete guide to Postfix whether used at home, as a mailrelay or virus-scanning gateway, or as a company mailserver. Practical examples show how to deal with daily challenges like protecting mail users from spam and viruses, managing multiple domains, and offering roaming access.
This is a great review of the book: [Wayback] The Book of Postfix (Ralf Hildebrandt, Patrick Koetter)
For my postfix studies… « The Wiert Corner – irregular stream of stuff
–jeroen
Posted in *nix, *nix-tools, bash, Communications Development, Development, Internet protocol suite, Makefile, postfix, Power User, Scripting, SMTP, Software Development | Leave a Comment »
Posted by jpluimers on 2021/11/23
Cool tool for when you ever need random users to test a system [Wayback] Random User Generator | Home:
Random user generator is a FREE API for generating placeholder user information. Get profile photos, names, and more. It’s like Lorem Ipsum, for people.
This was used when extracting Parler data to substantiate evidence around the 20210106 USA Capitol riots.
You can even use a simple HTTP GET like [Wayback] randomuser.me/api and get a JSON result like this.
{"results":[{"gender":"female","name":{"title":"Miss","first":"Malou","last":"Mortensen"},"location":{"street":{"number":2669,"name":"Lyngbyvej"},"city":"Sundby","state":"Syddanmark","country":"Denmark","postcode":48047,"coordinates":{"latitude":"-35.1307","longitude":"113.7480"},"timezone":{"offset":"+1:00","description":"Brussels, Copenhagen, Madrid, Paris"}},"email":"malou.mortensen@example.com","login":{"uuid":"981747de-66fe-40b0-87ea-adfe403fe1be","username":"purpleostrich871","password":"sweets","salt":"x86aQbIB","md5":"55497ac53530b428f98b9d36267ceeef","sha1":"358b94ffabe7d827c34da15791e5d6717c594428","sha256":"6e357e887877e29b7e6d53073f648174382c53c24f83479e25fed9c82075ed32"},"dob":{"date":"1995-06-05T04:50:35.145Z","age":26},"registered":{"date":"2018-07-21T00:59:50.523Z","age":3},"phone":"02990797","cell":"94800012","id":{"name":"CPR","value":"050695-9954"},"picture":{"large":"https://randomuser.me/api/portraits/women/27.jpg","medium":"https://randomuser.me/api/portraits/med/women/27.jpg","thumbnail":"https://randomuser.me/api/portraits/thumb/women/27.jpg"},"nat":"DK"}],"info":{"seed":"8971869bb62b73d7","results":1,"page":1,"version":"1.3"}}
Via:
–jeroen
Posted in Communications Development, Development, HTTP, Internet protocol suite, JavaScript/ECMAScript, JSON, Python, REST, Scripting, Software Development, TCP | Leave a Comment »
Posted by jpluimers on 2021/11/10
From a while back, but still relevant when you learn all your life:
[Archive.is] 🔎Julia Evans🔍 on Twitter: “ten questions about UDP: “
Hello! Here are some questions & answers. The goal isn’t to get all the questions “right”. Instead, the goal is to learn something! If you find a topic you’re interested in learning more about, I’d encourage you to look it up and learn more
–jeroen
Posted in Communications Development, Development, Internet protocol suite, Software Development, UDP | Leave a Comment »
Posted by jpluimers on 2021/11/03
Some links for my archive; note that pure tar-pits by now are also hampering large email sender services like SendGrid, Mailgun and Amazon SES.
So the below links are for educational and historic purposes only.
I assembled these links because out of a sudden, Ring 2FA verification emails could not be delivered any more.
Ring 2FA came mandatory towards the end of February 2020.
Some links on that:
The purpose of Two-Step Verification (2SV) is to protect you from bad actors logging into your Ring account, even if those bad actors have the proper login credentials. This feature will be enabled by default for all users and, unlike 2FA, there is no user option to opt out.
Sendmail timeouts:
–jeroen
Posted in *nix, Communications Development, Development, HIS Host Integration Services, Internet protocol suite, Power User, SMTP | Leave a Comment »
Posted by jpluimers on 2021/10/29
If you enable File and Printer sharing on Windows, by default the firewall only enables it on private networks for the local subnet as remote address (for domain networks, it allows “Any”) as seen on the picture below.
When your network consists of multiple subnets, for instance when it is large, or multiple sites are connected via site-to-site VPN (often called LAN-to-LAN VPN) solutions, then these subnets cannot access each others files or printers.
Realising these default blocks, they are easy to resolve as explained in for instance [WayBack] Windows firewall blocking network shares through VPN server – Server Fault by [WayBack] Brian:
I realize this is almost three years late, but I just spent today fighting with the same problem. I did get it working, so I figured I’d share. Note that I’m using a Windows 7 PC as the file server; other versions might need slightly different configuration.
In the “Windows Firewall with Advance Security”, there are several “File and Printer Sharing” rules:
- File and Printer Sharing (NB-Datagram-In)
- File and Printer Sharing (NB-Name-In)
- File and Printer Sharing (NB-Session-In)
- File and Printer Sharing (SMB-In)
(There are additional rules, but I didn’t care about printer sharing. The same changes would apply if you want those.)
File and Printer Sharing appears to default to “Local subnet” only. You’ll need to add the subnet of your VPN clients.
Modify each of those rules as follows:
- Open the Properties dialog for the rule.
- Navigate to the Scope tab.
- In the Remote IP address section, the “These IP addresses” radio button should be selected.
- Click “Add…” next to the list of addresses. By default, only “Local subnet” is in the list.
- In the “This IP address or subnet:” field, enter the subnet assigned to your VPN clients (this is probably 192.168.1.0/24 in the OP, but if not, it’s the subnet assigned to the VPN adapter on the client side), then click OK.
- If you’re also using IPv6, add the VPN client IPv6 subnet as well.
That was enough for me to access file shares over the VPN.
(If you want to do it manually, you need to open TCP ports 139 and 445, and UDP ports 137 and 138, in the file server’s firewall.)
Hopefully I will find some time in the future to automate this using PowerShell, as netsh names are localised do hard to make universal.
These links might help me with that:
Posted in Communications Development, Development, Internet protocol suite, Power User, SMB, TCP, Windows | Leave a Comment »
Posted by jpluimers on 2021/10/20
[Archive.is] Filippo Valsorda on Twitter: “whoami.filippo.io , the SSH server that knows who you are, got some newly refreshed intel! Try it out! $ ssh whoami.filippo.io “
The server itself has some HTML with information too whoami.filippo.io redirecting to [WayBack] ssh whoami.filippo.io (source code is at [WayBack] GitHub – FiloSottile/whoami.filippo.io: A ssh server that knows who you are. $ ssh whoami.filippo.io).
It’s a cool open source server written in Golang, that gets all your public ssh keys (ssh automatically transmits those) and tries to map them back to a GitHub account.
In addition it shows you some potential vulnerabilities of your ssh client.
Note that in October 2020, it was temporarily down, but it will be up again: [Archive.is] Filippo Valsorda 💉💉 on Twitter: “Yeah I’m planning to but I can’t give you an ETA I’m afraid. A few weeks, maybe?… “
Some interesting comments in the thread:
https://GitLabWebsite/username.keys… “github-keygen: it builds SSH config that protects against this attack by using your GitHub SSH key only when connecting to GitHub.… “
This script will:
- Create a new SSH key dedicated only to your GitHub connections in ~/.ssh/id_<github-account>@github
- Create the SSH configuration optimized for GitHub and dedicated to GitHub (does not impact your other SSH configurations) in ~/.ssh/config.
- Install the GitHub SSH host authentication fingerprints in ~/.ssh/known_hosts_github
whoami.filippo.io is a neat trick, not a proof of concept of a vulnerability. However, all the folks who said “public keys are public duh” pass their cryptography 101 and fail their security 201 =)”
$ ssh whoami.filippo.io (code: …) “Related: [WayBack] Auditing GitHub users’ SSH key quality
[WayBack] GitHub – FiloSottile/whoami.filippo.io: A ssh server that knows who you are. $ ssh whoami.filippo.io: How do I stop passing public keys
How do I stop it?
If this behavior is problematic for you, you can tell ssh not to present your public keys to the server by default.
Add these lines at the end of your
~/.ssh/config(after other “Host” directives)Host * PubkeyAuthentication no IdentitiesOnly yesAnd then specify what keys should be used for each host
Host example.com PubkeyAuthentication yes IdentityFile ~/.ssh/id_rsa # IdentitiesOnly yes # Enable ssh-agent (PKCS11 etc.) keysIf you want you can use different keys so that they can’t be linked together
Host github.com PubkeyAuthentication yes IdentityFile ~/.ssh/github_id_rsa
–jeroen
Posted in *nix, *nix-tools, Communications Development, Development, Go (golang), Internet protocol suite, Power User, Software Development, SSH, ssh/sshd, TCP | Leave a Comment »
Posted by jpluimers on 2021/10/05
googlechrome: scheme to force Chrome as browser on it a while agoexample: scheme to an application)microsoft-edge: scheme even more than Windows 10 to force URIs to open in Edge, and some browsers are now working around thisVia:
- Implement
microsoft-edge:protocol handler, issue #1726697, , Masatoshi Kimura, Firefox project, Bugzilla, Mozilla- When Brave handles
microsoft-edge:protocol searches use user’s default search instead of Bing, issue #17684, , Brian Clifton, Brave browser project, Brave Software, GitHub- Allow Brave to Handle Searches from Windows Shell and Cortana, issue #13875, , Brave browser project, Brave Software, GitHub
microsoft_edge_protocol_util.cc, commit a80e1ea7b6, , Simon Hong, Brave Core project, Brave Software, GitHub- Mozilla has defeated Microsoft’s default browser protections in Windows, , Tom Warren, The Verge, Vox Media
- Microsoft is making it harder to switch default browsers in Windows 11, , Tom Warren, The Verge, Vox Media
- Opening links in Chrome for iOS, , Mobile Chrome, Documentation, Chrome Developers, Google
Posted in Awareness, Development, HTTP, Internet protocol suite, Software Development, TCP, TLS, URI, Web Development | Leave a Comment »
Posted by jpluimers on 2021/10/04
From a while back: [Archive.is] Jeroen Wiert Pluimers on Twitter: ‘Answering Yes to “You have an older version of PackageManagement known to cause issues with the PowerShell extension. Would you like to update PackageManagement (You will need to restart the PowerShell extension after)?” hung my Visual Studio Code.… ‘
After clicking “Yes”, the the only thing visible was this notification that had an ever running “progress bar”:
Notifications – Powershell – Source: Powershell (Extension)
The first part of the solution was relatively simple: restart Visual Studio code, then the original notification showed, and after clicking “Yes”, the “Panel” (you can toggle it with Ctrl+J) showed the “Terminal” output (yes, I was working on [Wayback/Archive.is] PowerShell script for sending Wake-on-LAN magic packets to given machine hardware MAC address, more about that later):
Posted in .NET, Communications Development, Development, Encryption, HTTP, HTTPS/TLS security, Internet protocol suite, Power User, Security, Software Development, TCP, Visual Studio and tools, vscode Visual Studio Code, Windows, Windows 10 | Leave a Comment »
Posted by jpluimers on 2021/09/30
Last weekend I published 5 days before the Let’s Encrypt’s Root Certificate is expiring!
It basically was a post trying to amplify the [Wayback/Archive.is] Let’s Encrypt’s Root Certificate is expiring! message by [Wayback] Scott Helme .
Yesterday and today, he is maintaining a Twitter thread on things that have broken.
Quite a few things have, including some versions of curl, on which a lot of infrastructure relies (the certificate for it got fixed later on 20120930), see:
This bundle was generated at Thu Sep 30 03:12:05 2021 GMT .
Two important starting points in his thread:
If you want to check from one of your own clients, try [Archive.is] Scott Helme on Twitter: “I’ve created a test site to help identify issues with clients. If you can connect to https://t.co/bXHsnlRk8D then your client can handle being served the expired R3 Intermediate in the server chain!… “
[Wayback/Archive.is] https://expired-r3-test.scotthelme.co.uk/
Note that neither SSLabs, nor Cencys, nor CertCheckkerApp do show the expired certificate, only the new one:
Yes, I know the pluimers.com web server is rated B from a TLS perspective. Will be working on it, but I’m still recovering from rectum cancer treatments, and have an almost 1.5 year backlog to get through.
–jeroen
Posted in Communications Development, Development, Encryption, HTTP, https, HTTPS/TLS security, Internet protocol suite, Let's Encrypt (letsencrypt/certbot), Power User, Security, Software Development, TCP, TLS, Uncategorized, Web Development | Leave a Comment »
The Wiert Corner - irregular stream of stuff 