The Advisory Boar

By Abhijit Menon-Sen <ams@toroid.org>

Resolving a conflict between manpages-dev and libbsd-dev

2018-09-01

I use xmonad, which needs ghc.

On my Debian 9/stretch machine, the manpages-dev package is declared to break libbsd-dev, which ghc depends on. So in practice, one must choose between xmonad and manpages-dev, which has annoyed me for a long time.

Today I tracked down a related Debian bug report and happened to notice that my libbsd-dev 0.8.3 was just one minor revision too old to avoid the conflict declared by manpages-dev 4.10-2: 

$ apt-cache show manpages-dev|grep Breaks
Breaks: libbsd-dev (<< 0.8.4-1), manpages (<< 4.13-3)

I also noticed that libbsd-dev 0.9.1-1 packages were available in unstable/sid, and followed the instructions to create a backport of the package to stretch. 

$ dget -x http://http.debian.net/debian/pool/main/libb/libbsd/libbsd_0.9.1-1.dsc
$ cd libbsd-0.9.1
$ sudo mk-build-deps --install --remove
$ dch --local ~bpo9+ --distribution stretch-backports "Rebuild for stretch-backports."
$ dpkg-buildpackage -us -uc

I installed the updated libbsd0 and libbsd-dev packages, and was then able to install manpages-dev for the first time in… several months, at least.

I have manpages again!

Relaying from Postfix to gmail

2017-03-13

Here's how I configured Postfix to relay mail from x@example.com through smtp-relay.gmail.com:587 using the credentials set up for x@example.com on Google Apps.

There are three parts to this: making Postfix relay mail based on the sender address, teaching it to authenticate to gmail, and configuring gmail to accept the relayed mail. (Postfix was already configured to send outgoing mail directly.)

Sender-dependent relay

I created /etc/postfix/relay_hosts with the following contents: 

@example.com smtp-relay.gmail.com:587

Then I ran «postmap /etc/postfix/relay_hosts» and set sender_dependent_relayhost_maps in /etc/postfix/main.cf: 

sender_dependent_relayhost_maps =
    hash:/etc/postfix/relay_hosts

SMTP SASL authentication

I created /etc/postfix/sasl_passwords (mode 0600) with the following contents: 

smtp-relay.gmail.com x@example.com:xpassword

Then I ran «postmap /etc/postfix/sasl_passwords» and added the following to /etc/postfix/main.cf: 

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps =
    hash:/etc/postfix/maps/relay_passwords
smtp_sasl_security_options = noanonymous

That enables SMTP AUTH in the Postfix SMTP client and tells Postfix where to look up the username and password for a domain.

Gmail will accept SMTP AUTH only in a TLS session, so TLS client support must be configured in Postfix (which means setting smtp_tls_security_level to "may"). But even once that's done, gmail advertises only the following authentication mechanisms: 

250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH

I didn't want to worry about OAUTH, so I was left with PLAIN was the only reasonable choice. Postfix will not use plaintext authentication mechanisms by default, so I also had to remove "noplaintext" from the default value for smtp_sasl_security_options.

As an additional precaution, I also set smtp_tls_policy_maps to change the default TLS policy from "may" to "encrypt" for smtp-relay.gmail.com.

Gmail configuration

When I tried to send mail through the relay, Postfix wasn't able to authenticate:

SASL authentication failure: No worthy mechs found

SASL authentication failed; cannot authenticate to server smtp-relay.gmail.com[74.125.206.28]: no mechanism available

Google considers password authentication to be “less secure”, and you have to explicitly enable it on the less secure apps settings page. There are some other alternatives, but I was happy to take the path of least resistance here.

I did that and tried again, only for mail to bounce with this error:

Invalid credentials for relay [136.243.148.74]. The IP address you've registered in your G Suite SMTP Relay service doesn't match domain of the account this email is being sent from. If you are trying to relay mail from a domain that isn't registered under your G Suite account or has empty envelope-from, you must configure your mail server either to use SMTP AUTH to identify the sending domain or to present one of your domain names in the HELO or EHLO command. For more information, please visit https://support.google.com/a/answer/6140680#invalidcred

This message is misleading, as I found out by using openssl's s_client to establish a TLS session and then authenticating by hand. SMTP AUTH succeeded, but MAIL FROM was subsequently rejected. I followed the link in the message, which led me to the SMTP relay service support page.

The Google Apps admin console doesn't use sensible URLs, but I followed the breadcrumb trail to an “Advanced settings” page where I was able to edit the SMTP relay service settings to set “Allowed senders” to “Only addresses in my domains”, as well as to “Require SMTP authentication” and “Require TLS encryption”. Remember to “Save” the changes.

The error I got was because the “Only accept mail from specified IP addresses” option was checked for this particular domain. I could have added the IP address of my server to the list, but SMTP authentication was what was I wanted to use anyway.

Raspberry Pi murder

2017-01-19

I wanted to restore a clean Raspbian image on the Raspberry Pi that was running in the battery room. I could have gone and got it, but I would have had to climb a ladder.

So I thought “Why not just remount the filesystems 'ro' and dd the image to /dev/mmcblk0?”

I remounted / and /boot (after "systemctl isolate rescue.target", which stopped sshd but left my ssh session running) read-only, and dd'ed the image from an NFS mount onto /dev/mmcblk0. The dd worked fine. I used /proc/sysrq-trigger afterwards to sync and reboot (I couldn't run any binaries after the dd, which wasn't much of a surprise). The machine fell off the network as expected…

…and never came back up. So I climbed up the ladder and brought the Pi down to my desk and plugged it into my monitor. It did start to boot, and got a fair distance before the kernel panicked. I didn't bother to try to figure out the problem, just extracted and rewrote the SD card; and all was well thereafter.

But I still think my plan ought to have worked.

Namecheap suspended my domain without notification

2017-01-14

My mother called to tell me that people were complaining that mail sent to her address at one of my domains (menon-sen.com) was bouncing. Here's an excerpt from the bounce message she sent me:

DNS Error: 27622840 DNS type 'mx' lookup of menon-sen.com responded with code SERVFAIL

I thought it was just a temporary DNS failure, but just for completeness I tried to look up the MX for the domain, and got a SERVFAIL response. I checked WHOIS for the domain and was horrified to find this: 

Name Server: FAILED-WHOIS-VERIFICATION.NAMECHEAP.COM
Name Server: VERIFY-CONTACT-DETAILS.NAMECHEAP.COM

In a near-panic (because this meant email to one of my work addresses was also being bounced), I checked a bunch of stuff: No, the whois details for the domain were not incorrect (nor had they been changed recently). No, Namecheap had not sent me any whois verification mail about the domain. No, Namecheap had not sent me any notification that it was going to suspend the domain. No, the Namecheap admin page didn't say anything about the domain having been suspended.

I couldn't find any relevant articles in the support knowledgebase, so I opened an emergency ticket with Namecheap support. They responded in an hour, and helped to resolve the problem immediately. They did admit that I didn't receive a notification because of an error on their part:

We have double-checked contact details on the domain in question and registrant details appeared to be missing on the domain due to a one-time glitch at our end. That is the reason you have not received verification email. Please accept our most genuine apologies for the inconvenience caused you.

I have always found Namecheap support to be responsive and helpful. I do appreciate their candour and the prompt response in this case as well, but I am deeply shaken that their system has no controls in place to prevent a domain from being suspended without any sort of notification (especially since they were sending me notifications about other domains registered under the same account in the same time period).

I don't know when exactly the domain was suspended. I have actually lost mail because of this incident—and at least one of them was an important response to some mail I sent. But thanks to my mother's correspondents, I think the problem was discovered before very long. I cannot afford to worry about this happening for my other domains that are up for renewal in the near future. If the same thing had happened to toroid.org, it would have been catastrophic.

I have been a happy customer of Namecheap for more than five years, and recommended it to any number of friends during that time. Along with EasyDNS (which is much more expensive), it's by far the best of the dozen or so registrars I've used over the past two decades. I have no idea where to move my domains, but I'll start keeping an eye out for an alternative.

Update, moments after writing the above: my friend Steve points out that there's something to be said for having a vendor who admits to their errors honestly; and only a pattern of errors rather than a single incident would justify moving my domains away to an unknown registrar. A few days from now, I hope to be able to properly appreciate Steve's wisdom in this matter. Meanwhile, I'm saved from precipitous actions by the fact that I haven't the faintest idea where to migrate anyway.

Reading about wireguard

2017-01-12

I have more than a passing interest in VPN software, and have looked at and used many different implementations over the years. I haven't found much to cheer about, which led me to write tappet for my personal use.

I've been reading about Wireguard for the past few weeks, and I really like it so far. It follows through on many of the same goals that I had with tappet, and goes much further in areas important to more widespread adoption. The author, Jason Donenfeld, articulates the project's design goals in this presentation.

Keeping the code small and easy to review was a primary consideration for me (tappet is under a thousand lines of code, not including NaCl). By this measure, Wireguard does an admirable job of staying small at around 15,000 lines including crypto code and tests.

When I wrote tappet, the Noise Protocol did not exist in a usable (or recommended) form. Wireguard's adoption of this framework brings a host of desirable properties that tappet lacks, notably including perfect forward secrecy.

One of my major frustrations with OpenVPN is the extraordinary time it takes to establish a TLS connection on a high-latency link. Very often, when tethered via GPRS, it will retry forever and never succeed. Tappet goes to the other extreme—it requires zero setup for encrypted links (at the expense of perfect forward secrecy). Wireguard restricts its handshake to a single round-trip, which is an entirely acceptable compromise in practice.

Wireguard runs in the kernel, thereby avoiding the need to copy packets in and out of userspace. I didn't care nearly as much about performance. Tappet is fast enough in userspace that it keps up with the fastest link I've tried it on (42.2Mbps DCHSPA+), and I didn't need anything more.

Wireguard accepts multiple peers per interface, while tappet is limited to setting up point-to-point encrypted links. The former is obviously more practical in realistic deployments. (On the other hand, Wireguard is a Layer-3 VPN, while tappet operates at L2 and forwards Ethernet frames instead of IP packets. How much that matters depends on the circumstances.)

I look forward to a time when I can use Wireguard in production.

Debian 8 on the Intel NUC5PPYH

2016-12-31

Hassath's birthday present this year was an Intel NUC5PPYH (with 8GB of Kingston DDR3L RAM and a 250GB Samsung SSD 750 Evo) to stand in at home for her ageing Thinkpad X131E.

It took some time for the machine to reach our remote mountain abode, but we have it working nicely after spending a few hours wrestling with it. Here's a quick summary of our experience (InstallingDebianOn/Intel/NUC5PPYH wasn't really useful).

Display problems

Hassath loves her old Samsung SyncMaster 172s monitor (1024x768, VGA) and resists the idea of a new wide-format monitor. Getting the NUC to work properly with this display took the most time (but none of it was the display's fault).

We connected the monitor to the NUC's VGA port and were greeted with a "Video mode not supported" error on the monitor. The debian installer's text-mode display worked fine after boot, but we couldn't see any of the UEFI setup menus. Fortunately, we were able to sidestep the problem by using an HDMI→VGA adapter that we had ordered “just in case”. Using the HDMI output resolved the display problems with the UEFI menus.

After we installed Debian (8.1 from a USB stick created from the DVD image), X wouldn't start. The intel driver didn't work, and Xorg fell back to the VESA driver, and died while trying to set the video mode. (Also, virtual terminals didn't work at all until we added an xorg.conf snippet to force the resolution to 1024x768.) It didn't work even with the DVI-D input (via another “just in case” HDMI→DVI-D cable) on my monitor.

We stumbled around for a while, but we eventually got it working. The key was to apt-get dist-upgrade against jessie-backports to install a new kernel and drivers (e.g., libdrm-intel1). We also updated the BIOS from revision 0054 to revision 0058, but I am not sure that this was necessary, or even helpful. Xorg works with the new kernel and Intel driver. We didn't bother to check if the VESA driver would also work if we forced its use.

(Aside: we had no UEFI boot-related problems at all. We didn't even need to try the legacy boot option, either for the installation from the USB stick or to boot the installed system.)

Everything else worked

The Ethernet controller is a Realtek RTL8168h, which works out of the box with the r8169 driver. Installing the firmware-realtek package got rid of an “unable to load firmware patch” message, but the adapter worked fine without it.

The wireless controller is an Intel dual band wireless-AC 3165, which required the new kernel from backports (4.8, though 4.2+ should have worked from what we read) and the firmware-iwlwifi package to be installed. It worked fine thereafter.

The audio controller is an Intel "Braswell" 2284, which works out of the box with the snd_hda_intel driver. Audio output goes simultaneously to the headphone connector on the front panel and the glowing red S/PDIF plus headphone connector on the back. We did not try S/PDIF audio (no cable, no devices) or HDMI audio (no audio port on the HDMI→VGA adapter) or recording (no mic—or at least, no mic on my desk).

The Intel Bluetooth 4.0 controller (8087:0a2a) works out of the box with the btusb driver. We were able to pair with an Android phone and a Bluetooth speaker. We were not able to play audio to the speaker, but that is probably not a problem with the NUC, because we didn't manage to get it working with any of our other machines either.

We didn't try the SDXC card slot or the infrared sensor.

Update (2017-01-18): The SDXC card slot works fine. I used it to write a Raspbian image.

Transferring domains from 123-Reg.co.uk

2016-12-08

A friend had a domain registered at 123-Reg that he no longer wanted. It was coming up for renewal later this month, and he offered to transfer it to me. The domain was not locked, so I asked him for an auth code, and immediately submitted a request to transfer it to Namecheap, my preferred registrar.

The transfer failed, and Namecheap sent me mail saying the domain was locked. I checked, and it was. It had also already been transferred to another sponsoring registrar (Mesh Digital, the company that owns both 123-Reg and Domainmonster). My friend contacted support to unlock the domain, but by then of course the domain had entered the sixty-day period during which it could not be transferred again. I was forced to pay the renewal fee to them, and will now have to retry the transfer after the embargo expires.

I suppose I could think of benign explanations for the above if I tried, but I'm not feeling especially charitable about it.

Debian 8 on the Lenovo Ideapad S206

2015-12-31

I got my dad a Lenovo Yoga 300 a few days ago, and installed Debian 8 on his old Ideapad S206 before giving it to Ammu, who has been using my old (and increasingly broken) Thinkpad X120e for months now.

The Linux Laptop Wiki has a page about the Ideapad S206; the quick summary is that everything works with only a little tweaking.

Wifi worked out of the box with brcmsmac. Bluetooth worked fine after installing the firmware-atheros package. Sound input and output worked fine out of the box. The hotkeys to change the volume (and brightness, etc.) also worked. I didn't try the card reader or the webcam.

I didn't bother with the fglrx video drivers, but I had to install firmware-linux-nonfree to enable KMS (kernel mode setting) to get suspend/resume to work properly. (Hibernation worked fine anyway.)

This is a sleek and light machine, quite a step up from the earlier Ideapad models I've used. The screen is a bit shiny, but stops short of being annoying. The keypad is unfortunately very jittery—unless you are very deliberate about tapping-to-click, you'll most likely just move the pointer a bit rather than clicking. This was my father's biggest problem with the machine (and it wasn't just a matter of acceleration settings).

But it's working nicely otherwise, and I hope Ammu gets some good use out of it.

Vodafone India snoops on e-mail

2015-12-28

An article about Vodafone injecting javascript into web pages reminded me of a problem I investigated last year when Hassath couldn't send mail when connected through her phone's mobile hotspot.

My first response to any network problems is to run tcpdump, and I saw the following EHLO response from my own SMTP server. 

250-raven.toroid.org
250-PIPELINING
250-SIZE 307200000
250-VRFY
250-ETRN
250-XXXXXXXA
250-AUTH PLAIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Vodafone is transparently proxying outgoing SMTP traffic and replacing STARTTLS in the EHLO response with XXXXXXXA, so that the client doesn't try to negotiate TLS. If you issue STARTTLS anyway—which no normal SMTP client would, but openssl's s_client can do—the TLS negotiation fails. So it's not just a downgrade attack, it's actively sabotaging TLS connections too.

This was the case in mid-2014, and it's still the case at the time of writing. I wonder how many terabytes of email logs they have collected in the meantime, how they are stored, and who is reading them.

While I was tethered to my phone, I did a bit more testing. Vodafone India doesn't seem to mess with HTTPS connections, and IMAP connections are not downgraded either (i.e., the server's STARTTLS advertisement is not modified, and the TLS negotiation succeeds). Nor did it inject any Javascript into the web pages I tried (yet).

Update (2017-10-01): I happened to read a 2014 post by Steve Atkins titled STARTTLS and misplaced outrage, which says this is a "very, very, very well known" problem with the configuration of a PIX firewall feature named "MailGuard". He writes:

The most likely scenario, by far, is that the mailserver operator is behind a PIX, and has it configured like that. As port forwarding is specific to the interface that traffic comes in on, it’s quite possible that it’s only misconfigured for traffic coming over some networks. Drastically less likely is that there was a PIX installed – backwards – on the cellular providers network. Somewhat less likely still is that they’re simply lying about what they’re seeing. But those are the only three options.

In this case, I'm the operator of the mail server in question, and I know there is no PIX involved anywhere, and I know I'm not simply lying either. I also know that the problem happens only on Vodafone's network, so—unlikely as it may be—maybe there's a PIX installed backwards on the Vodafone network?

Understanding sudoers(5) syntax

2015-11-07

This straightforward guide to configuring sudo is for anyone who didn't expect to see “Don't despair” and a “Quick guide to EBNF” in the sudoers(5) manpage.

Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.

This guide is intended to supplement the manpage. The various environment, security, and logging options are not covered; the explanations in the manpage are easy to follow.

The first 90%

It's possible that the only sudo explanation you will ever need is: 

%adm ALL=(ALL) NOPASSWD: ALL

This means “any user in the adm group on any host may run any command as any user without a password”. The first ALL refers to hosts, the second to target users, and the last to allowed commands. A password will be required if you leave out the "NOPASSWD:".

Read more…