Most MTA’s should offer SSL/TLS

Most MTA’s should offer Opportunistic TLS by default

I think that the time has come for most SMTP MTA servers to offer STARTTLS session protection by default. I see two reasons for doing this. Firstly, it takes a short amount of extra time and a little more CPU horsepower and that’s a resource that spammers cannot control. Secondly, opportunistic TLS brings email security a little more in line with the security model that most users expect.

Spammers

The majority of spammers out there are relying on stealing CPU time on machines that they don’t own. I don’t see them moving to TLS at the client side anytime soon. On the other hand legitimate email senders usually aren’t sending mail in such bulk that the cost of encrypting the session would be an onorous penalty. The practical end result of this would be differentiation of mail at the inbox. We would get mail from servers that used TLS to encrypt the session and mail from servers that didn’t. Assuming that the MTA server flagged the mail on this axis by adding a header, the end result is a hook for a statistical spam filter to use.

Users expectation

The second advantage would be a little added security in email during the transport from client MTA to server MTA. If everyone adopted opportunistic TLS encryption of the wire then sending email would better approximate the users expectations for security. Compared to physical mail email without TLS is like sending a postcard. No one sends postcards where security is a requirement because it’s obvious that everyone between the point where you drop the mail in the postbox and  the point of delivery  can just read the mail. Most users don’t expect that this is the case with email right now.

The advantage of opportunisticaly encrypting the mail is that we have a situation that we can grow into. If some server doesn’t do TLS in transport the mail still gets delivered.

Greylisting + MS Exchange 2003

I’m using greylisting to filter spam. It works quite well. If you aren’t of the technique this is how it works. Greylisting filters spam by testing the RFC compliance of the server that is trying to send mail to you. RFCs 2821 and 821 describe the meat and potatoes of sending email on the internet. The RFCs both specify that the receiver may tell the sender to queue the message and retry later because the receiver is temporarily out of resources. Greylisting exploits this to sift spam from legitimate email because many Spam sending programs cannot queue mail. As a method of spam detection Greylisting is great because it takes almost no resources on the receiving side to filter. Other methods of filtering are not so resource friendly. I find that Greylisting is rejecting over my inbound 90% of the spam. I used to say that it did this with 0 false positives but after reading these two threads I’m not so sure:

Leave it to Microsoft to rain on the parade.

I’m not going to stop Greylisting. It’s just been too effective at spam removal for me to even consider going without. I’m also aware of several people who are using Exchange to contact me who have not run across this problem. For me the solution to this potential problem is to contact some of the people who I know that are running Exchange and see what their awareness is on this problem.

Beer run

Got a beer making session in today. There was really no excuse for not doing this earlier. I’ve had all the ingredients in the house for the better part of a year. The yeast was dated Feb 2006 so I’m not sure quite what to expect here. I started the yeast on Thursday morning and it looked ready to go on Saturday morning so I put it into a starter culture. It never really took off but it was producing enough bubble to tell me that it was alive. The boil was okay but I overestimated the amount of water that I needed to boil and didn’t realize that I had until after I sparged the grain. I was still over when it was time to add the malt extract and start the boil. I tried to save as much as possible in a pot but I think I lost a little of the malt. The boil bubbled over twice making a mess on the stove but that wasn’t so bad. The biggest mistake as that the clamp on the wort chiller loosened up a little and so the wort chiller was adding tap water to my beer water. I like to boil all the water going into the beer. The original gravity was between 1.059 and 1.061 and the recipe called for it to be 1.061 ~ 1.064 so I think I’m okay. Well see when it starts to bubble in the primary. I hope to transfer it from the primary to the secondary next Friday night.

Followup

I remeasured the O.G. at 1.062. I’m pretty psyched. The yeast has started working. I’m getting about one bubble in the airlock every 10 seconds.

It’s been a few weeks so the beer should be pretty aged out by now. I should transfer it to the keg and get it on tap in a day or so.

Templating in Joomla and WordPress

Vindaloo backgroundI haven’t been writing in a while. It’s not because I don’t love it, I’ve been ramping up on a couple of projects and quite frankly that’s what I’ll be doing in about 10 minutes.

Among other things I’ve been using the Gimp to generate a new template for Vindaloo.com. I need to give credit where it’s due here. The person to talk to about this is Al Gordon. Vindaloo will be moving to Joomla soon. I’m writing a white paper on spam prevention and a few other things. I want to have a common theme for both this site and my Joomla site so I need to learn templating for both Joomla and WordPress. For Joomla the best thing seems to be PhotoShop and Dreamweaver. for the Open Source Developer who is on a budget. You can trade more time for less money and use the Gimp and Nvu. Nvu has a Mambo/Joomla Template Generator which is okay. If you are using FreeBSD and nvu make sure to get the latest copy of the port. I submitted a patch a month or so ago to enable Cascades, nvu’s CSS editor which is okay. Software:

Tutorials:

FreeBSD NIS server + Linux NIS client

Today I installed Fedora on my Desktop machine and tried to get it to talk to my NIS/NFS Server. I’ve run a NIS/NFS for a long while. It saves me my hair. But it’s always been FreeBSD on both sides. That’s easy to do. The FreeBSD handbook explains it quite well. I’ve been dipping my toe into the Linux waters alot lately and I figured that the next thing to put together was a Linux Client for my NIS/NFS server. The NFS part is easy. I used the automounter (amd) and the configuration is the same for both Linux and FreeBSD but NIS is another story. For my setup FreeBSS NIS server, Linux NIS client you need this patch to thefile: /var/yp/Makefile.dist on your server. Rebuild the maps and make sure that you have the automounter working and you should be good to go.

Greylisting via Spamd

Spamd

After far too long I’ve finally setup spamd to greylist inbound mail into vindaloo.com. This is something that I should have done a while ago. Before spamd I used a simple filtering setup for email based on Spam Assassin and using SA’s Bayes filter. It works okay but I was never happy with the performance that it needed from my box. When I first started this I was able to handle all the mail for vindaloo.com on a SparcStation 20 running OpenBSD. That’s not really special since I typically have less than 5 users. Disk space concerns forced me to upgrade to a VA Linux 2200, still running OpenBSD. That’s been very good but I’m now running into the same problems that I’ve had before. If there is any holdup in the mail system then the mail server gets hammered while the MX boxes on the internet offload mail. It’s easy to figure out why this is. I just look at the count of messages in my spam and junkmail folders. Lets see 376 messages in spam and another 246 in junkmail. That’s about 3 days worth of mail. That’s right. Despite Javascript veiling and everything else I do I get over 150 spams per day. Or at least I did until I started running spamd!

Slave Cylinder

Well, a while ago the slave cylinder in the M3 went south again. The last slave cylinder was about a year old but for a car that I drive 6000 miles a year in that’s pretty short. I’ve been buying the parts from Turner Motorsports and they’ve been okay but I’ll admit to being a little pissed at having to do this again. When I was a kid I didn’t mind being on my back underneath a car as the blood and strength drained away from my arms. Nowadays, working under a car just brings me closer to the day that I buy a lift. Anyhow thanks to my neighbor I was able to get the thing installed and again I get to see how nice the M3 is. For the past three weeks I’ve been getting my BMW kick from my wife’s 325i  and after two hours of driving the M3 I just have to say that there is no comparison. That’s saying something as I own a rather old E36 M3 and my wife has a very cherry E46 325i.

Regional qualifier

Anyone who knows me in person knows that I play darts. I’m proud to say that we won our division last year. This was a rea real accomplishment for me, it’s the first time I’ve won as Captain. The one flaw in this victory was pointed out by my friend Pete. At the final Captain’s meeting he congratulated me but then asked why I didn’t play a single leg in the finals. Well, the answer is that I spent the last three weeks of the regular season and all of the playoffs concetrating on winning. My team has made it to the playoffs with a good seed every season. We’ve made it to the finals three times. In each of those failed trips to the playoffs and finals I got out Captained. The other teams were usually better than us but not so much so that we would fail so easily. This was especially true last fall. The other team was good, (a special shout out to Gee) but even if we lost we should have had more points at the end of the night.

Concentrating so much on not getting out played at Captain cost me my focus on my game. I knew it during the finals. It really hit home at the last regional qualifier that I played. I think that I need to be where I was two or three years ago. For some reason I’ve gotten it into my head that I don’t need to practice at darts to be good in league. My friend Garry says that if I praticed I’d be deadly. Let’s see if he’s right….

Exercise

I rode my bike today. It was the first time in a while which is bad. I went from Home to the yacht club to the beach and then back home. Maybe it was 10 miles. I’m gonna check with Google Earth later. I’m a little tired right now. Once I got to the yacht club I tried to figure out if I had spent 1/3 or 1/2 of my energy. I guess I was between 1/2 and 1/3 and figured that the extra three miles to Silver Sands Beach would probably fit in. I was barely right. Still you have sto stretch yourself once and again.

Back to basics

Life gives us constant reminders to go back to basics and in the computer world it’s no different. My laptop has two network interfaces built in, an intel gigabit interface that FreeBSD calls em0, and an intel 802.11b wifi interface that FreeBSD calls ipw0. Usually I need either the gigabit interface or the wifi interface. I’ve never needed both. When I move about the house I sometimes have to switch in between them. The architecture of my network makes that a little more complicated and when I switch without rebooting I have to remember to get back to basics or I could waste some serious coffee time.

It’s the network dummy

My network is a logical cidr/23 divided into two physical cidr/24’s by an OpenBSD bridge which does packet filtering. That gives me the classic firewall spaces: a DMZ network connected directly to the internet and a protected network which is behind both the filter on the internet gateway and the DMZ filter. Using a bridge allows me to make the DMZ filter transparent. As far as a node on the protected network is concerned there it’s on the same switch as the hosts that it talks to in the DMZ. If a host in the DMZ tries to connect to something in the protected network it only passes if the filter allows it. When the connection is blocked the filter responds as though the port is closed on the protected client.For most clients this design is pretty simple. They see a single LAN with a router that gets them to the internet. It’s nice from the outside also. I can build an IPSec tunnel to a partner without seriously compromising the security of my protected LAN. But the lesson here is that hidding complexity does have a cost.

The problem always starts the same way. I unplug the ethernet cable from my laptop. FreeBSD stops dhclient from running on the em0 interface but leaves the interface running. This is just in case I’m running downstairs to plug in at a different jack. Instead I load the kernel module for the ipw interface and then configure it with my WEP keys and fire off a new dhclient. The Dhclient finds the server, modifies the DNS configuration, and silently fails in the attempt to modify the routing table. Dhclient stalls in the protocal waiting for a packet and I think that it’s some sort of transient. Now’s the time to go back to basics.

Debugging simple ip connection problems.

I’ve moved to place where there isn’t a wired jack, switched from wired to wifi and my internet connection no longer works. Firefox gives me the “I can’t find your server screen.” Try these before a reboot.

  1. Start from the inside: Is the configuration correct on the wifi card? Check with ifconfig:
    $ ifconfig ipw0
    ipw0: flags=8843 mtu 1500
    inet6 fe80::204:23ff:fe7a:c9d2%ipw0 prefixlen 64 scopeid 0x6
    inet xxx.yyy.zzz.67 netmask 0xfffffe00 broadcast xxx.yyy.zzz.255
    ether 00:04:23:7a:c9:d2
    media: IEEE 802.11 Wireless Ethernet autoselect (DS/11Mbps)
    status: associated
    ssid Vindaloo-WVLAN channel 10 bssid 00:04:5a:0f:34:fe
    authmode OPEN privacy ON deftxkey 1 wepkey 1:104-bit wepkey 2:104-bit
    wepkey 3:104-bit wepkey 4:104-bit txpowmax 100 bintval 100

    Ok, that looks good.
  2. Cut out the resolver: The best thing one can do when trying to isolate tcp/ip connection problems is to cut out the resolver early in the process and come back to it when you know the lower levels are correct. We treat name resolution like its a part of the media (layer 2) but it’s not. The name resolver is an application (layer 7) and it’s subject to failure in all of the lower levels.
    Memorize the addresses of a few hosts both on the internet and on the LANs that you connect to. When testing ping by address if pinging by name doesn’t work. Also be aware of the resolver’s timing. If something takes exactly 1 minute 15 seconds to fail your resolver configuration is probably corrupt.
    In my case ping of all addresses failed.
  3. Really check the configuration: Understand that the configuration check in the first step was lightweight. If ifconfig says everything is all right the next place to look is probably the route table. In my case running the route program would have shown that the kernel was trying to get packets to the network through the em0 interface which is marked down but still has a route for my network. This happens on my network because the wifi network and the wired network are the same.

Downsides

The DMZ gateway here becomes a single point of failure and that creates a rather big downside. The problem isn’t that if the DMZ fails that the clients can’t get to the internet. In that case discovering what the problem is will be easy. So having reliable hardware at that point will be critical. In the worse case that box is only a patch cord with filtering anyhow. The insideous problem is that your network has two protection plateaus: a somewhat protected DMZ; and a somewhat more protected plateau for clients and insecure services like smb/cifs. If you are thinking about security and you have this as your infrastructure there will be a great and proper temptation to locate some very useful services on the protected network. That generates more holes in your filter and means that even more is lost if the filter fails.

My Waterloo: LDAP

When I first met LDAP, the database that really isn’t a database, I turned my nose up at it. In my applications software engineering world the relational database was the Shangri-La of storage. From where I sat LDAP looked like an overcomplicated, X.500 based steaming pile of cruft. But as buzzwords go LDAP wasn’t going away. So in early October of 2001 on a somewhat nervous plane ride from Newark, NJ to San Diego, CA, I decided to use the incommunicato 6 hours flight to get to know openldap. After a couple of days I got the point where I could put data into the LDAP box, search for it and take it out but not much more. The problem of the day was authentication. Everyone did authentication differently which meant that every user had one a set of credentials for each application. And the help desk spent most of it’s time reaquanting people with those credentials. Furthermore every application had to have functions committed to updating those credentials. It was obvious then that this situation was not optimal. If you people to be in-secure the best way to go about it is to make security difficult for the users. My personal problem had to do with managing users on a Samba server. To change a password I had to log into a shell, su to root, and then use passwd program with the user present. I was also managing several web applications. One of these managed authentication and hashed it’s passwords into a relational database. In the long run this was just way too much work. The second problem is that nearly no one does authentication right. Back when I was a pup playing with AIX in Chicago I was a huge advocate of rsh instead of telnet. And the one reason that I liked rsh was because it didn’t pass your password in the clear on the ethernet hub environment of the time. And we did get cracked and the cracker got everyone’s password in the building except mine. Now we have switches, but we also have wifi, and we have ssh which puts the entire argument to bed. But eleven years later in 2006 when people write a new application and design their own authentication the best that they can come up with still passes a password on the wire. Thankfully most applications are smart enough to at least use SSL for that part of the transaction.