Re: shutdown icon changed

2015-03-17 Thread Matthias Bodenbinder
On 18.03.2015 at 07:07, Matthias Bodenbinder wrote:
> Hi,
> 
> I am running debian testing and kde4. The icon theme is oxygen. But the 
> shutdown icon which is shown in the taskbar and in the menu is the shutdown 
> icon from the high-contrast theme. Basically this is black-and-white instead 
> of the red shutdown icon from the oxygen theme. I opened the systemsettings 
> and switch back and forth through the different icon themes. All icons are 
> changed according to my selection except for the shutdown icon. It always 
> stays the same.
> 
> What is happening here?
> 
> Thanks
> Matthias
> 
> 

Actually, it is 3 icons that always stay the same: shutdown, logoff and 
restart. 
Matthias




-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/meb5ok$pgp$1...@ger.gmane.org



Re: Might wait with upgrade........

2015-03-17 Thread Michael Biebl
On 18.03.2015 at 06:25, Charlie wrote:
> 
> Received this when I tried to upgrade my Jessie system:
> 
> critical bugs of systemd (215-11 → 215-12) 
>  b1 - #780675 - systemd: segfault in systemd when running systemctl daemon-reload
> serious bugs of systemd (215-11 → 215-12) 
>  b2 - #779902 - /tmp can be mounted as tmpfs against user's will
> serious bugs of libfreetype6 (2.5.2-2 → 2.5.2-3) 
>  b3 - #780143 - libfreetype6_2.5.2-3 makes some fonts unusable
> Summary:
>  systemd(2 bugs), libfreetype6(1 bug)
> 
> So I might wait with the upgrade I think.

No, you don't need to wait, at least not for the two systemd issues.
Those affect 215-11 just the same as 215-12.
#780675 is only triggered under very rare circumstances, so you are most
likely not affected anyway. If 215-11 works, so will 215-12.

As for #779902, the situation is the same. If you haven't run into this
issue with 215-11, you won't with 215-12 either.


Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





shutdown icon changed

2015-03-17 Thread Matthias Bodenbinder
Hi,

I am running debian testing and kde4. The icon theme is oxygen. But the 
shutdown icon which is shown in the taskbar and in the menu is the shutdown 
icon from the high-contrast theme. Basically this is black-and-white instead of 
the red shutdown icon from the oxygen theme. I opened the systemsettings and 
switch back and forth through the different icon themes. All icons are changed 
according to my selection except for the shutdown icon. It always stays the 
same.

What is happening here?

Thanks
Matthias





Might wait with upgrade........

2015-03-17 Thread Charlie

Received this when I tried to upgrade my Jessie system:

critical bugs of systemd (215-11 → 215-12) 
 b1 - #780675 - systemd: segfault in systemd when running systemctl daemon-reload
serious bugs of systemd (215-11 → 215-12) 
 b2 - #779902 - /tmp can be mounted as tmpfs against user's will
serious bugs of libfreetype6 (2.5.2-2 → 2.5.2-3) 
 b3 - #780143 - libfreetype6_2.5.2-3 makes some fonts unusable
Summary:
 systemd(2 bugs), libfreetype6(1 bug)

So I might wait with the upgrade I think.

Charlie
-- 
Registered Linux User:- 329524
***

Love must be as much a light, as it is a flame..Henry David
Thoreau

***

Debian GNU/Linux - just the best way to create magic

-





Re: Advise on setup of small office locally or via VPS

2015-03-17 Thread Dan Purgert
On Tue, 17 Mar 2015 16:02:31 +, Linux4Bene wrote:

> On Tue, 17 Mar 2015 13:38:26 +, Dan Purgert wrote:
> 
> 
> 
>> Didn't you just say that you were using a Debian box as your firewall/
>> router?
> 
> Not yet. I'm still employed ... 
> Currently I have my own VPS running but no business internet line yet
> for a Debian Firewall but that's the plan. Just thinking ahead on how I
> will get up and running as fast as possible :)

I read it as you were /planning/ on using a Debian box for routing and 
firewall (and then switched gears to "what's a good appliance?" midway 
through the writing), which is why I asked.  

Honestly, unless you already have said box ready to go, I would skip it 
and just use an appliance (e.g. the UBNT Edge Router).  Less to go 
wrong / muck up.

> 
> 
> 
>> Personally I have used Ubiquiti Edge Routers (ubnt.com), and they're
>> really nice - based on Vyatta 6.3, rival bigger names in terms of
>> routing performance, and are cheap ($100 for the 3-port model "ER Lite",
>> and under $500 for the 8-port "ER-8".  There's also a "PRO" variant of
>> the 8-port that includes 2 SFP ports that're shared with 2 of the copper
>> ports, and a 5-port model with PoE, but this is really only the ER Lite
>> with a switch in the same case, so it's 2x routing ports + 3x switch
>> ports, and might not fit in your situation).
>> 
>> Here's the Datasheet for their routers -->
>> http://dl.ubnt.com/datasheets/edgemax/EdgeRouter_Lite_DS.pdf
> 
> Thanks, looks like a simple and adequate solution.

Yeah, they're a bit more than "adequate" -- they rival equipment put out 
by other vendors that's several times more expensive (IIRC, "cheap" Cisco 
kit is like 500-1000 USD).

> 
> [snip]
>> Depends on how their router is configured, but this sounds about right.
>> That said, in 99.5% of cases that I've seen the ISP-provided routers
>> are absolute rubbish, and should be relegated to bridge-only mode so
>> that you can use a better (i.e. more configurable) device to handle the
>> tasks.
> 
> I didn't know that. Thank you for the information.

Note - I'm in the USA, perhaps your local ISP's equipment isn't as 
rubbish as the ones here.  Best way to figure it out is by finding out 
what they'd supply, and then digging up discussions about it on google.

> 
>> If the email server is public already (in the DMZ zone), you'll
>> probably have an easier (and still secure) time if you just have the
>> clients using STARTTLS to access THAT server.  Not that you couldn't
>> set up a gateway / relay, but there is much to be said about the KISS
>> principle.
> 
> The mail service is public on the VPS. There isn't a DMZ zone on that
> server. As you suggest, both postfix and Dovecot are accessible via
> STARTTLS/SSL. If I read your comment correctly, you would leave the mail
> server config as it is, and put it in a DMZ and that's it?
> This would leave the mails also in the DMZ but as you said, accessing
> mail can only be done over a secure connection (SSL).
> I have SSL certificates setup for this (for my website, and Dovecot).

What I meant was that if you're putting a "local" server into a DMZ area 
already (because it's public facing), adding that extra internal server 
seems to be adding complexity for the sake of complexity, and wouldn't be 
offering you any benefits -- this also ties in with your webmail 
solution, if you choose to also have that going.

Now, if you were a bigger company with two or more sites that happen to 
be somewhat distant from one another, then running a relay would be 
beneficial (as users would all be hitting their "local" mail server, 
instead of /everyone/ needing to hit the server at your HQ site).



> [snip...] 
> 
> Indeed. There is some really great info regarding Postfix and keeping
> all the necessary info in a Postgresql db. If I would ever go with
> offering this as a service to users, I would use Django to build a web
> interface but that's a whole different topic.

You've already got a frontend for them (hint - "roundcube")

> 
> 
>>> I can see LDAP being useful to have central authentication.
>>> It can be a challenge to setup though. Are there other ways of having
>>> a simple central authentication?
>> 
>> LDAP, and a couple of books on the subject. ;)
> 
> Hehe, in the past I have setup LDAP on my own home network with Samba.
> It worked great and I could login from my Windows machine as well.
> The docs that I wrote back then will be horribly outdated by now :)

Probably not.  I mean, yeah some of the syntax for the config files may 
have changed, but LDAP is still LDAP ... so the core principles of the 
setups will be the same.

> 
> I like using a CLI but not when dealing with LDAP.
> Are there any good gui tools to manage a LDAP server?
> I have come across phpLDAPadmin. Is it any good?

emacs :)

> 
>>> I have thought about using a document management system from the
>>> start.
>>> But I have only experience with commercial ones and that might be
>

Re: why is eth0 up by default?

2015-03-17 Thread David Wright
Quoting Vincent Lefevre (vinc...@vinc17.net):
> I would like to know why is eth0 up by default?
> 
> IIRC, this wasn't the case in the past, but I'm not sure.

Not knowing what you mean by the past, nor what you're running, I can
but hazard a guess. And I mean guess.

> Here are the messages related to eth0 from /var/log/messages:
> 
> Mar 17 22:00:01 xvii kernel: [1.058264] e1000e :00:19.0 eth0: (PCI 
> Express:2.5GT/s:Width x1) 00:24:e8:97:5f:73
> Mar 17 22:00:01 xvii kernel: [1.058267] e1000e :00:19.0 eth0: 
> Intel(R) PRO/1000 Network Connection
> Mar 17 22:00:01 xvii kernel: [1.058293] e1000e :00:19.0 eth0: MAC: 7, 
> PHY: 8, PBA No: 1004FF-0FF
> Mar 17 22:00:20 xvii kernel: [   85.168228] IPv6: ADDRCONF(NETDEV_UP): eth0: 
> link is not ready
> 
> and there are no eth0 occurrences in the /var/log/boot file.

I can't remember ever having modified /etc/init.d/networking but I
find I also have /etc/init.d/networking.dpkg-old. Comparing them,
there is a paragraph which was:

link=${iface##:*}
link=${link##.*}
if [ -e "/sys/class/net/$link" ] && [ "$(cat /sys/class/net/$link/operstate)" = up ]
then
  echo "$iface"
fi

and is now:

link=${iface##:*}
link=${link##.*}
if [ -e "/sys/class/net/$link" ]
then
  # link detection does not work unless we up the link
  ip link set "$iface" up || true
  if [ "$(cat /sys/class/net/$link/operstate)" = up ]
  then
    echo "$iface"
  fi
fi

I have

$ cat /sys/devices/pci\:00/\:00\:1c.2/\:09\:00.0/net/eth0/operstate 
down
$ 

and

$ /sbin/ifconfig 
eth0  Link encap:Ethernet  HWaddr ,,,
  UP BROADCAST MULTICAST  MTU:1500  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000 
  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
  Interrupt:18 

...

It does appear that

  ip link set "$iface" up || true

is something new, probably from upgrading to jessie.

I haven't tried to trace whether /etc/init.d/networking is calling
ifup_hotplug () on eth0 or any other interface. It's perfectly
possible that my eth0 is up because I (wicd) am watching for the wired
interface to appear (because it should prefer it to wlan).

Cheers,
David.





Re: Cool things to do with server

2015-03-17 Thread Dan Purgert
On Wed, 18 Mar 2015 03:29:07 +, Dan Purgert wrote:

> On Tue, 17 Mar 2015 12:30:24 -0700, Joris Bolsens wrote:
> 
>> On 03/17/2015 06:05 AM, Dan Purgert wrote:
>>>
>>> Set your t-bird to use "STARTTLS" for the outgoing server.  Fixed it
>>> for me when I ran into that problem.
>>>
>>> There's probably a fix in either postfix or dovecot, but from what I
>>> can see, there's no real security concerns over explicitly starting a
>>> TLS session (via STARTTLS) vs. using implicit TLS.
>>>
>>>
>> did that, now when I try to send an email I get:
>> 
>> ---
>> An error occurred while sending mail. The mail server responded:  5.1.1
>> : Recipient address rejected: gmail.com. Please
>> check the message recipient epicbl...@gmail.com and try again.
>> ---
>> 
>> 
> 
> The error is because it can't send to "epicbl...@gmail.com" for some
> reason or other (e.g. you spelled it wrong).
> 
> 1. Check the email address and make sure you've spelled it right
> 2. Check the main.cf file to ensure your domain and mail server name are
> correct.
> 3. Check that the "my networks" setting is also correct (if you're using
> dovecot / sasl auth already, then it should be 127.0.0.0/8).



Ugh, scratch this one -- just saw your other comment about having your 
transport set to 'error'.   Good deal that you sorted it out :)





Re: Cool things to do with server

2015-03-17 Thread Dan Purgert
On Tue, 17 Mar 2015 12:30:24 -0700, Joris Bolsens wrote:

> On 03/17/2015 06:05 AM, Dan Purgert wrote:
>>
>> Set your t-bird to use "STARTTLS" for the outgoing server.  Fixed it
>> for me when I ran into that problem.
>>
>> There's probably a fix in either postfix or dovecot, but from what I
>> can see, there's no real security concerns over explicitly starting a
>> TLS session (via STARTTLS) vs. using implicit TLS.
>>
>>
> did that, now when I try to send an email I get:
> 
> ---
> An error occurred while sending mail. The mail server responded:  5.1.1
> : Recipient address rejected: gmail.com. Please
> check the message recipient epicbl...@gmail.com and try again.
> ---
> 


The error is because it can't send to "epicbl...@gmail.com" for some 
reason or other (e.g. you spelled it wrong).

1. Check the email address and make sure you've spelled it right
2. Check the main.cf file to ensure your domain and mail server name are 
correct.
3. Check that the "my networks" setting is also correct (if you're using 
dovecot / sasl auth already, then it should be 127.0.0.0/8).







Re: apt-offline usage

2015-03-17 Thread peter
*   From: franc...@avalenn.eu
*   Date: Mon, 9 Mar 2015 13:40:25 +0100
> isolated$ apt-offline set --install-packages $package
> networked$ apt-offline get ...
> isolated$ apt-offline install ...
> isolated$ apt-get install $package

Yes; that works.  Thanks!

An optimistic reader might take "man apt-offline" to mean 
that "apt-offline install" will install the package.  The 
example could include "apt-get install".

Thanks again,   ... Peter E.

-- 
123456789 123456789 123456789 123456789 123456789 123456789 123456789 12
Tel +1 360 639 0202   http://carnot.yi.org/   Bcc: peter at easthope. ca





Re: apt-offline usage

2015-03-17 Thread peter
*   From: franc...@avalenn.eu
*   Date: Mon, 9 Mar 2015 13:40:25 +0100
> isolated$ apt-offline set --install-packages $package
> networked$ apt-offline get ...
> isolated$ apt-offline install ...
> isolated$ apt-get install $package

That works.  Thanks!

An optimistic reader might take "man apt-offline" to mean 
that "apt-offline install" will install the package.  The 
example should include the "apt-get install".

Thanks again,   ... Peter E.

-- 
123456789 123456789 123456789 123456789 123456789 123456789 123456789 12
Tel +1 360 639 0202   http://carnot.yi.org/   Bcc: peter at easthope. ca





Re: Advise on setup of small office locally or via VPS

2015-03-17 Thread David Christensen

On 03/17/2015 04:22 AM, Linux4Bene wrote:

> Thanks for any advice, thoughts, links or info and for your patience if
> you got this far :)


I run a SOHO LAN with ADSL, 4 static IP's, and a few Internet services.


I avoid running key Internet-facing services locally -- my WAN bandwidth 
is too precious and the services are too important.  I prefer service 
provider DNS and mail, and VPS WWW.



+1 for using a dedicated device/ FOSS distribution for your WAN/LAN 
gateway.  I use IPCop.



+1 for using Samba for the LAN file server -- I want interoperability: 
Linux, *BSD, Windows, Mac, and others.



VPN's are appealing, but consider the consequences of a VPN machine 
compromise.  Securing the rest of the VPN against that risk is 
non-trivial, and involves other people's computers and networks.  I 
turned it off.



David





Re: Anyone with experience of Intel S3000AH server boards

2015-03-17 Thread David Christensen

On 03/17/2015 04:17 PM, Andrew Wood wrote:

> ... I've found them to be unreliable, they keep failing for no apparent
> reason just refuse to boot up with 4 angry looking red LEDs. ...
> Can anyone recommend a Socket 775 server board with 2 on board Ethernets
> which is more solid? We're a small charity and can't really afford a
> wholesale replacement so I'd like to keep the same CPUs and RAM if possible.


Assuming that your charity is legally recognized (e.g. incorporated), 
your charity has something very valuable to offer in exchange for 
donated servers:


1.  A receipt for tax purposes; and

2.  A public "thank you" message (charity newsletter, web site, lobby 
posters, etc.) with a non-revocable, perpetual license for the donor to 
copy and use as they see fit (e.g. good citizenship marketing).



Write up the above opportunity and mail it to all of the charity's 
members and sponsors, include it with your charity's recruiting 
literature, and post it publicly (e.g. web site, Craig's List, etc.).



David





Re: Cool things to do with server

2015-03-17 Thread Joris Bolsens

So I had two issues in case anyone is wondering,
1: I had to use STARTTLS and not SSL/TLS
2: I had `error` set as my transports for some reason,

works fine and dandy now.

On to setting up horde :p

~Joris



Re: Why no security update of apache2 concerning SSLv3?

2015-03-17 Thread Vincent Lefevre
On 2015-03-12 23:46:31 +1100, Matthew Chong wrote:
> mod_openssl for Apache is the offending package.

There's no such package in Debian.

/etc/apache2/mods-available/ssl.conf is provided by the apache2
package.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)





Re: Why no security update of apache2 concerning SSLv3?

2015-03-17 Thread Vincent Lefevre
On 2015-03-12 22:48:01 +, Lisi Reisz wrote:
> Or perhaps you could subscribe to the Debian Security Advisory Mailing List?  
> I don't think it shouts, but it's good on information.

Useless here: it is about security updates, but for apache2,
there was none!

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)





Re: Why no security update of apache2 concerning SSLv3?

2015-03-17 Thread Vincent Lefevre
On 2015-03-12 14:45:59 +, Darac Marjal wrote:
> Hang on. If you're aware of POODLE and you've not taken steps to
> mitigate it, aren't you the one at fault?

This is not the point of view of the admin who said that it's
Debian's job: if Debian doesn't issue a security update, then
this is not a big security problem.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)





Re: Why no security update of apache2 concerning SSLv3?

2015-03-17 Thread Vincent Lefevre
On 2015-03-12 12:53:10 -0600, Bob Proulx wrote:
> The Debian default Apache2 configuration for ssl is in local-ssl and
> it configures the self-signed so called "snakeoil" certificates.

No, it is /etc/apache2/mods-available/ssl.conf, where you have the
SSLProtocol line, which is the line that needs to be modified.

> Anyone actually setting up SSL for secure public use *must* set a
> local configuration.

Yes, but the /etc/apache2/mods-available/ssl.conf file does *not* need
to be modified for that. The configuration concerning the certificate
and so on is under the /etc/apache2/sites-available directory.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)


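Added example (not part of the original message, and not Debian's or Apache's own code): a shell check for the SSLProtocol line discussed above, reporting whether a config file leaves SSLv3 enabled. The sample files are constructed, and it assumes "all" includes SSLv3, as the mod_ssl documentation describes for builds with SSLv3 support; it reads one file and does not follow Include or per-vhost overrides.

```shell
#!/bin/sh
# Added example (not from the thread): does an Apache config leave SSLv3 on?

# sslv3_state FILE -> prints "enabled", "disabled" or "unset".
# Assumption: only the last uncommented SSLProtocol directive in FILE counts
# (a later directive in the same context replaces an earlier one).
sslv3_state() {
    # Directive names are case-insensitive; commented lines do not match.
    line=$(grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    if [ -z "$line" ]; then
        echo unset          # no directive here: the compiled-in default applies
        return 0
    fi
    state=disabled
    set -f                  # no globbing while splitting the directive
    # Lower-case, drop the directive name, then evaluate tokens left to right.
    for tok in $(printf '%s\n' "$line" | tr 'A-Z' 'a-z' \
                 | sed 's/^[[:space:]]*sslprotocol//'); do
        case $tok in
            all|+all|sslv3|+sslv3) state=enabled ;;   # assumption: all => SSLv3
            -all|-sslv3)           state=disabled ;;
            *) ;;                                     # other protocols: no effect
        esac
    done
    set +f
    echo "$state"
}

# Demo on constructed sample files (illustrative, not real Debian defaults).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before.conf" <<'EOF'
<IfModule mod_ssl.c>
    SSLProtocol all -SSLv2
</IfModule>
EOF
    cat > "$dir/after.conf" <<'EOF'
<IfModule mod_ssl.c>
    # SSLProtocol all -SSLv2
    SSLProtocol all -SSLv2 -SSLv3
</IfModule>
EOF
    cat > "$dir/none.conf" <<'EOF'
SSLCipherSuite HIGH:!aNULL
EOF
    for f in before after none; do
        printf '%s.conf: SSLv3 %s\n' "$f" "$(sslv3_state "$dir/$f.conf")"
    done
    rm -rf "$dir"
}
demo
```

On a Debian system the file to pass is /etc/apache2/mods-available/ssl.conf; "unset" means no SSLProtocol line was found in that file.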



why is eth0 up by default?

2015-03-17 Thread Vincent Lefevre
I would like to know why is eth0 up by default?

IIRC, this wasn't the case in the past, but I'm not sure.

Here are the messages related to eth0 from /var/log/messages:

Mar 17 22:00:01 xvii kernel: [1.058264] e1000e :00:19.0 eth0: (PCI 
Express:2.5GT/s:Width x1) 00:24:e8:97:5f:73
Mar 17 22:00:01 xvii kernel: [1.058267] e1000e :00:19.0 eth0: Intel(R) 
PRO/1000 Network Connection
Mar 17 22:00:01 xvii kernel: [1.058293] e1000e :00:19.0 eth0: MAC: 7, 
PHY: 8, PBA No: 1004FF-0FF
Mar 17 22:00:20 xvii kernel: [   85.168228] IPv6: ADDRCONF(NETDEV_UP): eth0: 
link is not ready

and there are no eth0 occurrences in the /var/log/boot file.

The reason I ask is because I get spammed by one of my cron scripts
that regularly checks the eth0 speed with ethtool. It is silent when
eth0 is down, which is normally the case when there's no Ethernet
cable plugged in... except since the last boot.

Note that my network setup is based on ifupdown, and I use netplug
to detect when an Ethernet cable is plugged in/out. So, I do *not*
have "auto eth0" in my /etc/network/interfaces file.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)





Anyone with experience of Intel S3000AH server boards

2015-03-17 Thread Andrew Wood
Any one here with experience of machines with Intel S3000AH server 
boards these are the Socket 775 boards from 2007 era.


I've found them to be unreliable, they keep failing for no apparent 
reason just refuse to boot up with 4 angry looking red LEDs. I started 
using them to replace the old Intel SE7210 socket 478 boards but to be 
honest I'm thinking of switching back as the SE7210 is rock solid and the 
S3000 is flaky and very disappointing for an Intel Server product.


Be interesting to hear others' opinions.

Can anyone recommend a Socket 775 server board with 2 on board Ethernets 
which is more solid? We're a small charity and can't really afford a 
wholesale replacement so I'd like to keep the same CPUs and RAM if possible.


Thanks
Andrew





Re: An odd warning message?

2015-03-17 Thread Ric Moore

On 03/17/2015 12:37 PM, Lisi Reisz wrote:
> On Tuesday 17 March 2015 16:18:13 Karen Lewellen wrote:
>> I am not using Debian in any form
>
> Erm .  This is the *Debian* users list!!

Even Win users can't resist being around really smart people. :) Ric



--
My father, Victor Moore (Vic) used to say:
"There are two Great Sins in the world...
..the Sin of Ignorance, and the Sin of Stupidity.
Only the former may be overcome." R.I.P. Dad.
http://linuxcounter.net/user/44256.html





Re: fbdev driver on Wheezy

2015-03-17 Thread Andrew Wood


On 17/03/15 13:50, Elimar Riesebieter wrote:
> * Andrew Wood  [2015-03-17 12:18 +]:
>
> [...]
>
>> It just lists one
>>
>> 01:00.0 VGA compatible controller Silicon Motion SM712
>>
>> I suspect what may be happening is it's defaulting to video out on the LVDS
>> and turning the VGA port off. Is there a way to configure it to mirror the
>> output on both ports simultaneously?
>
> Maybe https://wiki.debian.org/XStrikeForce/HowToRandR12
>
> Elimar

I don't think that will work with the Silicon Motion SM712 unfortunately





XFCE, network-manager and VPN?

2015-03-17 Thread mad
Hi!

I am using XFCE instead of KDE now for some weeks and like the switch
very much, but network-manager does make problems.

I created VPN profiles with NM in KDE and I see them in XFCE also. When
I choose them I receive the error:

NetworkManager:  [vpn-manager/nm-vpn-connection.c:1778]
get_secrets_cb(): Failed to request VPN secrets #2: (6) No agents were
available for this request.

And if I open NM to change/remove/add VPN profiles, I get the error message:

** (nm-connection-editor): WARNING **: Unsupported connection type 'vpn'

Any ideas?

TIA
mad





Re: Cool things to do with server

2015-03-17 Thread Joris Bolsens



On 03/17/2015 11:42 AM, Tazman DeVille wrote:
> 
> Linode (expensive host, I no longer use, but with lotso great
> docu), has a great howto for setting up mail with postfix, dovecot,
> mysql on squeeze: 
> https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql-on-debian-6-squeeze/
>
> 
> I still refer to it when setting up new mail servers, although configs
> are a little different in Wheezy now (and I don't even know about 
> Jessie, yet).
> 
> ./taz -- http://taz.liberame.org
> 
> 
Yea, I followed that tutorial but ran into a bit of a problem:
https://lists.debian.org/debian-user/2015/03/msg00737.html

~Joris



Re: Cool things to do with server

2015-03-17 Thread Joris Bolsens


On 03/17/2015 06:05 AM, Dan Purgert wrote:
>
> Set your t-bird to use "STARTTLS" for the outgoing server.  Fixed it for
> me when I ran into that problem.
>
> There's probably a fix in either postfix or dovecot, but from what I can
> see, there's no real security concerns over explicitly starting a TLS
> session (via STARTTLS) vs. using implicit TLS.
>
>
did that, now when I try to send an email I get:

---
An error occurred while sending mail. The mail server responded:  5.1.1
: Recipient address rejected: gmail.com. Please
check the message recipient epicbl...@gmail.com and try again.
---

and mail.log:
---
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: extract_addr: in:
, result: epicbl...@gmail.com
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: >>> START Recipient address
RESTRICTIONS <<<
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: generic_checks:
name=permit_sasl_authenticated
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: generic_checks:
name=permit_sasl_authenticated status=1
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: >>> CHECKING RECIPIENT MAPS <<<
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: ctable_locate: leave
existing entry key epicbl...@gmail.com
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: maps_find:
recipient_canonical_maps: epicbl...@gmail.com: not found
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: match_string: gmail.com ~?
localhost
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: match_list_match:
gmail.com: no match
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: maps_find:
recipient_canonical_maps: @gmail.com: not found
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: mail_addr_find:
epicbl...@gmail.com -> (not found)
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: maps_find: canonical_maps:
epicbl...@gmail.com: not found
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: match_string: gmail.com ~?
localhost
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: match_list_match:
gmail.com: no match
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: maps_find: canonical_maps:
@gmail.com: not found
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: mail_addr_find:
epicbl...@gmail.com -> (not found)
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: dict_mysql_get_active:
found active connection to host 127.0.0.1
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: dict_mysql: successful
query from host 127.0.0.1
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: dict_mysql_lookup:
retrieved 0 rows
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: maps_find:
virtual_alias_maps: epicbl...@gmail.com: not found
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: match_string: gmail.com ~?
localhost
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: match_list_match:
gmail.com: no match
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: dict_mysql_get_active:
found active connection to host 127.0.0.1
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: dict_mysql: successful
query from host 127.0.0.1
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: dict_mysql_lookup:
retrieved 0 rows
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: maps_find:
virtual_alias_maps: @gmail.com: not found
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: mail_addr_find:
epicbl...@gmail.com -> (not found)
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: NOQUEUE: reject: RCPT from
c-my-host-name.net[my.ip.addr]: 550 5.1.1 :
Recipient address rejected: gmail.com; from=
to= proto=ESMTP helo=<[10.0.1.39]>
---






Re: Cool things to do with server

2015-03-17 Thread Joris Bolsens


On 03/17/2015 06:05 AM, Dan Purgert wrote:
> 
> Set your t-bird to use "STARTTLS" for the outgoing server.  Fixed it for 
> me when I ran into that problem.
> 
> There's probably a fix in either postfix or dovecot, but from what I can 
> see, there's no real security concerns over explicitly starting a TLS 
> session (via STARTTLS) vs. using implicit TLS.
> 
> 
did that, now when I try to send an email I get:

---
An error occurred while sending mail. The mail server responded:  5.1.1
: Recipient address rejected: gmail.com. Please
check the message recipient epicbl...@gmail.com and try again.
---

and mail.log:
---
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: extract_addr: in:
, result: epicbl...@gmail.com
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: >>> START Recipient address
RESTRICTIONS <<<
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: generic_checks:
name=permit_sasl_authenticated
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: generic_checks:
name=permit_sasl_authenticated status=1
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: >>> CHECKING RECIPIENT MAPS <<<
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: ctable_locate: leave
existing entry key epicbl...@gmail.com
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: maps_find:
recipient_canonical_maps: epicbl...@gmail.com: not found
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: match_string: gmail.com ~?
localhost
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: match_list_match:
gmail.com: no match
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: maps_find:
recipient_canonical_maps: @gmail.com: not found
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: mail_addr_find:
epicbl...@gmail.com -> (not found)
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: maps_find: canonical_maps:
epicbl...@gmail.com: not found
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: match_string: gmail.com ~?
localhost
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: match_list_match:
gmail.com: no match
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: maps_find: canonical_maps:
@gmail.com: not found
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: mail_addr_find:
epicbl...@gmail.com -> (not found)
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: dict_mysql_get_active:
found active connection to host 127.0.0.1
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: dict_mysql: successful
query from host 127.0.0.1
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: dict_mysql_lookup:
retrieved 0 rows
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: maps_find:
virtual_alias_maps: epicbl...@gmail.com: not found
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: match_string: gmail.com ~?
localhost
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: match_list_match:
gmail.com: no match
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: dict_mysql_get_active:
found active connection to host 127.0.0.1
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: dict_mysql: successful
query from host 127.0.0.1
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: dict_mysql_lookup:
retrieved 0 rows
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: maps_find:
virtual_alias_maps: @gmail.com: not found
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: mail_addr_find:
epicbl...@gmail.com -> (not found)
Mar 17 19:17:19 hawk961 postfix/smtpd[4557]: NOQUEUE: reject: RCPT from
c-my-host-name.net[my.ip.addr]: 550 5.1.1 :
Recipient address rejected: gmail.com; from=
to= proto=ESMTP helo=<[10.0.1.39]>
---





Re: Cool things to do with server

2015-03-17 Thread Tazman DeVille
On Sun, Mar 15, 2015 at 02:06:10PM +, Dan Purgert wrote:
> On Sat, 14 Mar 2015 19:43:46 -0700, Joris Bolsens wrote:
> 
> >> I have a guide on my website[1] for setting up Postfix that is secure.
> >> If you google, you'll find many more for different configurations[2].
> >> Use them as guides and review the documentation on the proper
> >> Postfix/Exim/etc websites and man pages.
> >> 
> > I'll give it a look then, awesome :D
> > 
> > Anything else I could do with this server? :p
> > 
> > Really just looking for some fun projects to keep me busy and keep the
> > server busy so I don't feel like I'm wasting money on hosting costs.
> > 
> > ~Joris
> 
> Confirming "mail server" will keep you busy - especially the initial 
> configuration (there will be a lot of "WTF, now what'd I do!?" moments, 
> if you're like me). 
> 
> But yeah, postfix + dovecot (or other sasl agent) is pretty 'secure' in 

Linode (expensive host, I no longer use, but with lotso great docu),
has a great howto for setting up mail with postfix, dovecot, mysql on
squeeze: 
https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql-on-debian-6-squeeze/
I still refer to it when setting up new mail servers, although configs
are a little different in Wheezy now (and I don't even know about
Jessie, yet).

./taz
--
http://taz.liberame.org


Archive: https://lists.debian.org/20150317184201.gb17...@myownsite.me



Re: Cool things to do with server

2015-03-17 Thread Tazman DeVille
On Sat, Mar 14, 2015 at 03:38:44PM -0700, Joris Bolsens wrote:
> Hey all,
> 
> I've got a smallish Debian server that I'm currently not really using
> for anything.
> At the moment I have it as my own imagehost, general fileserver, vpn,
> and a pastebin like thing.
> 
> What are some cool/fun/weird things you use your servers for?
> 
Run a RedMatrix hub on it. See https://redmatrix.me

./taz
--
https://red.liberame.org/channel/tazdvl


Archive: https://lists.debian.org/20150317183732.ga17...@myownsite.me



Re: An odd warning message?

2015-03-17 Thread Lisi Reisz
On Tuesday 17 March 2015 16:18:13 Karen Lewellen wrote:
> I am not using Debian in any form

Erm .  This is the *Debian* users list!!

Lisi


Archive: https://lists.debian.org/201503171637.36226.lisi.re...@gmail.com



Re: An odd warning message?

2015-03-17 Thread Karen Lewellen

Hi,
Thanks.
Our admin wrote me after I contacted him.  He says they changed the server 
early this morning.  I dare say then that our guess may be correct.

He is going to work on the key at his end though.
I am not using Debian in any form so cannot update my ssh telnet client 
that way.
My guess based on your wisdom though is that my client is using the old 
sheet music for  instead of the new arrangement.

I do feel better knowing  the server was changed.
Kare


On Tue, 17 Mar 2015, Darac Marjal wrote:


On Tue, Mar 17, 2015 at 11:09:40AM -0400, Karen Lewellen wrote:

Hi,
Sorry this is done in a hurry because now the only way I can reach my inbox
is via dial up and unsecured TELNET.
Yesterday afternoon the admin for shellworld sent me a warning to change
both of my passwords, which I did.
This morning I find I cannot ssh TELNET into shellworld, or my own site at
all.
The error is that the dsa key exchange has failed with the remote host
closing the connexion, closed by peer.


"Key Exchange Failed" probably means that your client and server
couldn't agree on a set of parameters to authenticate each other's keys.

At a guess, I'd say that shellworld have changed the parameters of their
server to be more secure, but your client doesn't know how to use those
parameters. In that case, update your SSH client to the latest version
(for debian, that's probably openssh 1:6.6p1-4~bpo70+1 from backports or
newer).


my own provider is fine, I can ssh TELNET elsewhere.
But the dsa key here is now altered in a way likely unplanned by shellworld.
More thoughts?
Thanks for the wisdom!
And sorry for the mess.
Kare


On Mon, 16 Mar 2015, Darac Marjal wrote:


On Mon, Mar 16, 2015 at 11:42:50AM -0400, Karen Lewellen wrote:

Hi all,
Going to ask about this on other lists, but thought I would check here.
I use a shell service called shellworld.
www.shellworld.net
they also host my domain karenlewellen.com
One of the many advantages is that I can ssh -l between both workspaces for
tasks.
However when I  tried doing this a few moments ago,
ssh -l karen karenlewellen.com
I got the message,
warning permanently added to the dsa key for ip address  for karenlewellen.com
It then asked for my password as normal.
I did not complete this ssh because of the warning.
should I be concerned about the warning added to the shellworld ip address?
the ip was stated correctly, I recognize it from other uses.


I suspect the warning you got was "Permanently added 'karenlewellen.com'
(RSA) to the list of known hosts".

The typical sequence of events is that, when you connect to a machine,
SSH establishes a connection and both sides exchange keys. You
authenticate to the server, but also the server authenticates itself to
you. The first time you connect, the key the server presents will be
unknown so you get a message like:

The authenticity of host 'penguin.example.net' can't be established.
DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c.
Are you sure you want to continue connecting (yes/no)?

If you answer yes here, the key is cached (in ~/.ssh/known_hosts) and
you get the message:

Warning: Permanently added 'penguin.example.net' (RSA) to the list of
known hosts.

Now, if the key on the remote hosts changes (either because you
regenerated the host key on the server, or because you're connecting to
a different host - possibly not to your knowledge), then you get a big
warning saying

@@@
@WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@

However - and this is the part I'm not too sure on - if you connect to a
different host and receive a key you already know (for example, if the
host changes IP address), then I think SSH will do what you've seen:
warn you that it's using a key that you already trust to connect to a
different machine. This is only a warning. The chance of somebody being
able to reproduce your host key on a different machine are considered
slim.

In summary, your remote host's IP may have changed.


Thanks,
Karen


Archive: 
https://lists.debian.org/pine.bsf.4.64.1503161133300.68...@server1.shellworld.net






Archive: 
https://lists.debian.org/pine.bsf.4.64.1503171103180.69...@server1.shellworld.net







Archive: 
https://lists.debian.org/pine.bsf.4.64.1503171214100.76...@server1.shellworld.net



Re: An odd warning message?

2015-03-17 Thread Darac Marjal
On Tue, Mar 17, 2015 at 11:09:40AM -0400, Karen Lewellen wrote:
> Hi,
> Sorry this is done in a hurry because now the only way I can reach my inbox
> is via dial up and unsecured TELNET.
> Yesterday afternoon the admin for shellworld sent me a warning to change
> both of my passwords, which I did.
> This morning I find I cannot ssh TELNET into shellworld, or my own site at
> all.
> The error is that the dsa key exchange has failed with the remote host
> closing the connexion, closed by peer.

"Key Exchange Failed" probably means that your client and server
couldn't agree on a set of parameters to authenticate each other's keys.

At a guess, I'd say that shellworld have changed the parameters of their
server to be more secure, but your client doesn't know how to use those
parameters. In that case, update your SSH client to the latest version
(for debian, that's probably openssh 1:6.6p1-4~bpo70+1 from backports or
newer).

> my own provider is fine, I can ssh TELNET elsewhere.
> But the dsa key here is now altered in a way likely unplanned by shellworld.
> More thoughts?
> Thanks for the wisdom!
> And sorry for the mess.
> Kare
> 
> 
> On Mon, 16 Mar 2015, Darac Marjal wrote:
> 
> >On Mon, Mar 16, 2015 at 11:42:50AM -0400, Karen Lewellen wrote:
> >>Hi all,
> >>Going to ask about this on other lists, but thought I would check here.
> >>I use a shell service called shellworld.
> >>www.shellworld.net
> >>they also host my domain karenlewellen.com
> >>One of the many advantages is that I can ssh -l between both workspaces for
> >>tasks.
> >>However when I  tried doing this a few moments ago,
> >>ssh -l karen karenlewellen.com
> >>I got the message,
> >>warning permanently added to the dsa key for ip address  >>correctly> for karenlewellen.com
> >>It then asked for my password as normal.
> >>I did not complete this ssh because of the warning.
> >>should I be concerned about the warning added to the shellworld ip address?
> >>the ip was stated correctly, I recognize it from other uses.
> >
> >I suspect the warning you got was "Permanently added 'karenlewellen.com'
> >(RSA) to the list of known hosts".
> >
> >The typical sequence of events is that, when you connect to a machine,
> >SSH establishes a connection and both sides exchange keys. You
> >authenticate to the server, but also the server authenticates itself to
> >you. The first time you connect, the key the server presents will be
> >unknown so you get a message like:
> >
> > The authenticity of host 'penguin.example.net' can't be established.
> > DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c.
> > Are you sure you want to continue connecting (yes/no)?
> >
> >If you answer yes here, the key is cached (in ~/.ssh/known_hosts) and
> >you get the message:
> >
> > Warning: Permanently added 'penguin.example.net' (RSA) to the list of
> > known hosts.
> >
> >Now, if the key on the remote hosts changes (either because you
> >regenerated the host key on the server, or because you're connecting to
> >a different host - possibly not to your knowledge), then you get a big
> >warning saying
> >
> >@@@
> >@WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> >@@@
> >
> >However - and this is the part I'm not too sure on - if you connect to a
> >different host and receive a key you already know (for example, if the
> >host changes IP address), then I think SSH will do what you've seen:
> >warn you that it's using a key that you already trust to connect to a
> >different machine. This is only a warning. The chance of somebody being
> >able to reproduce your host key on a different machine are considered
> >slim.
> >
> >In summary, your remote host's IP may have changed.
> >
> >>Thanks,
> >>Karen
> >>
> >>
> >>--
> >>To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject
> >>of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> >>Archive: 
> >>https://lists.debian.org/pine.bsf.4.64.1503161133300.68...@server1.shellworld.net
> >>
> >
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject
> of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: 
> https://lists.debian.org/pine.bsf.4.64.1503171103180.69...@server1.shellworld.net
> 




Re: Advise on setup of small office locally or via VPS

2015-03-17 Thread Linux4Bene
Op Tue, 17 Mar 2015 13:38:26 +, schreef Dan Purgert:



> Didn't you just say that you were using a Debian box as your firewall/
> router?

Not yet. I'm still employed but have everything up and running in a VPS,
and I have all the legal stuff in order like VAT and so on.
Legally this means it's seen as a secondary activity.
From the moment I quit, it becomes my main occupation.
That's how it works over here.

Currently I have my own VPS running but no business internet line yet nor 
a Debian Firewall but that's the plan. Just thinking ahead on how I will
get up and running as fast as possible :)

> Personally I have used Ubiquiti Edge Routers (ubnt.com), and they're
> really nice - based on Vyatta 6.3, rival bigger names in terms of
> routing performance, and are cheap ($100 for the 3-port model "ER Lite",
> and under $500 for the 8-port "ER-8".  There's also a "PRO" variant of
> the 8-
> port that includes 2 SFP ports that're shared with 2 of the copper
> ports,
> and a 5-port model with PoE, but this is really only the ER Lite with a
> switch in the same case, so it's 2x routing ports + 3x switch ports, and
> might not fit in your situation).
> 
> Here's the Datasheet for their routers -->
> http://dl.ubnt.com/datasheets/edgemax/EdgeRouter_Lite_DS.pdf

Thanks, looks like a simple and adequate solution.

> It's not "difficult" to get redundancy, though depending on the levels
> of redundancy you're after, it can get a bit complex.
> 
> Easiest route is a cold spare -- buy a second of whatever router, config
> it exactly the same way, and then shut it down for use if / when the
> first one dies.
> 
> Though you could always scale to multiple WAN connections spread across
> multiple routers, with OSPF / iBGP being used to manage the routes...
> but this is probably a bit much for a small business.
> 

I should have been more clear about the use case. The cold spare in my
case is enough. If a lot of other people would use services, that's
something else but I don't see that happening in the near future.


> Depends on how their router is configured, but this sounds about right.
> That said, in 99.5% of cases that I've seen the ISP-provided routers are
> absolute rubbish, and should be relegated to bridge-only mode so that
> you can use a better (i.e. more configurable) device to handle the
> tasks.

I didn't know that. Thank you for the information.

> If the email server is public already (in the DMZ zone), you'll probably
> have an easier (and still secure) time if you just have the clients
> using STARTTLS to access THAT server.  Not that you couldn't set up a
> gateway /
> relay, but there is much to be said about the KISS principle.

The mail service is public on the VPS. There isn't a DMZ zone on that 
server. As you suggest, both postfix and Dovecot are accessible via 
STARTTLS/SSL. If I read your comment correctly, you would leave the
mail server config as it is, and put it in a DMZ and that's it?
This would leave the mails also in the DMZ but as you said, accessing mail
can only be done over a secure connection (SSL).
I have SSL certificates setup for this (for my website, and Dovecot).

>> - I have Roundcube (webmail) installed as well. I think I could handle
>> this by forwarding the requests from firewall to the internal mail
>> server.
>> Not sure if this is the safest way to do this.
>> One can of course argue about web mail in the first place.
> 
> Again, might be easiest (best) to keep the entire mail service in the
> DMZ, including webmail.

OK I would really like to go KISS :)
Basically, if I end up with a local situation I would move the services 
to a local server in a DMZ zone. Otherwise, I could just keep the VPS
to serve as our mail server.

>> - Central user and document management.
>> I would like to have a space on the file server where people could
>> store their own and shared documents. I think I would need NFS for this
>> (haven't used this before). The docs might need to be accessible from
>> Windows as well, although I really would like to only use Debian
>> machines for my own people. Otherwise, this would mean using Samba.
> 
> If you need / want access to the file server from windows hosts, I'm
> pretty sure samba is your only solution.

That's what I thought.
 
>> My mail users are in a Postgresql database. I would like to keep it
>> that way if I would ever provide mail to customers.
> 
> Sure. If you're selling email services, then you might need a dedicated
> DB box, but that's not exactly 'difficult'.

Indeed. There is some really great info regarding Postfix and keeping
all the necessary info in a Postgresql db. If I would ever go with
offering this as a service to users, I would use Django to build a web 
interface but that's a whole different topic.

In my current mail setup, I would need to provide a way for users to 
change their password. Maybe Roundcube has such a plugin.


>> I can see LDAP being useful to have central authentication.
>> It can be a chal

Re: An odd warning message?

2015-03-17 Thread Karen Lewellen

Hi,
Sorry this is done in a hurry because now the only way I can reach my inbox 
is via dial up and unsecured TELNET.
Yesterday afternoon the admin for shellworld sent me a warning to change 
both of my passwords, which I did.
This morning I find I cannot ssh TELNET into shellworld, or my own site 
at all.
The error is that the dsa key exchange has failed with the remote host 
closing the connexion, closed by peer.

my own provider is fine, I can ssh TELNET elsewhere.
But the dsa key here is now altered in a way likely unplanned by 
shellworld.

More thoughts?
Thanks for the wisdom!
And sorry for the mess.
Kare


On Mon, 16 Mar 2015, Darac Marjal wrote:


On Mon, Mar 16, 2015 at 11:42:50AM -0400, Karen Lewellen wrote:

Hi all,
Going to ask about this on other lists, but thought I would check here.
I use a shell service called shellworld.
www.shellworld.net
they also host my domain karenlewellen.com
One of the many advantages is that I can ssh -l between both workspaces for
tasks.
However when I  tried doing this a few moments ago,
ssh -l karen karenlewellen.com
I got the message,
warning permanently added to the dsa key for ip address  for karenlewellen.com
It then asked for my password as normal.
I did not complete this ssh because of the warning.
should I be concerned about the warning added to the shellworld ip address?
the ip was stated correctly, I recognize it from other uses.


I suspect the warning you got was "Permanently added 'karenlewellen.com'
(RSA) to the list of known hosts".

The typical sequence of events is that, when you connect to a machine,
SSH establishes a connection and both sides exchange keys. You
authenticate to the server, but also the server authenticates itself to
you. The first time you connect, the key the server presents will be
unknown so you get a message like:

 The authenticity of host 'penguin.example.net' can't be established.
 DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c.
 Are you sure you want to continue connecting (yes/no)?

If you answer yes here, the key is cached (in ~/.ssh/known_hosts) and
you get the message:

 Warning: Permanently added 'penguin.example.net' (RSA) to the list of
 known hosts.

Now, if the key on the remote hosts changes (either because you
regenerated the host key on the server, or because you're connecting to
a different host - possibly not to your knowledge), then you get a big
warning saying

@@@
@WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@

However - and this is the part I'm not too sure on - if you connect to a
different host and receive a key you already know (for example, if the
host changes IP address), then I think SSH will do what you've seen:
warn you that it's using a key that you already trust to connect to a
different machine. This is only a warning. The chance of somebody being
able to reproduce your host key on a different machine are considered
slim.

In summary, your remote host's IP may have changed.


Thanks,
Karen


Archive: 
https://lists.debian.org/pine.bsf.4.64.1503161133300.68...@server1.shellworld.net







Archive: 
https://lists.debian.org/pine.bsf.4.64.1503171103180.69...@server1.shellworld.net
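
The host-key sequence described in the quoted reply above (first contact, cached key, changed key, known key seen at a new IP address), as an added example that is not part of the original thread and is not OpenSSH's own code. It is a simplified model of the client-side known_hosts check; the outcome names, host names, addresses and key blobs are all constructed for illustration.

```python
import base64
import hashlib

# Constructed sample data: placeholder blobs, not real SSH public keys.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()

# Constructed known_hosts content: one host recorded under its name and IP.
KNOWN_HOSTS = f"""\
# constructed known_hosts content
penguin.example.net,192.0.2.10 ssh-rsa {KEY_A}
"""


def md5_fingerprint(key_b64):
    """Colon-separated MD5 fingerprint of the raw key blob (the old display format)."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_known_hosts(text):
    """Yield (names, keytype, key_b64) for plain entries.

    Hashed names ("|1|..."), wildcards and @markers are skipped in this model.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@", "|")):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        yield set(fields[0].split(",")), fields[1], fields[2]


def lookup(entries, name, keytype):
    """Return every key of this type recorded for the given name or address."""
    return [key for names, ktype, key in entries if name in names and ktype == keytype]


def check_host(known_hosts_text, hostname, ip, keytype, key_b64):
    """Classify a presented host key against the cache.

    Outcome names are hypothetical labels for this model:
      UNKNOWN_HOST      nothing cached for the name: ask the user to confirm
      HOST_KEY_CHANGED  name cached with a different key: refuse and warn loudly
      KNOWN_KEY_NEW_IP  name and key match, address not cached yet: add it, warn
      IP_KEY_MISMATCH   name and key match, address cached with another key
      OK                name and address both match the cached key
    """
    entries = list(parse_known_hosts(known_hosts_text))
    host_keys = lookup(entries, hostname, keytype)
    ip_keys = lookup(entries, ip, keytype)

    if not host_keys:
        return "UNKNOWN_HOST"
    if key_b64 not in host_keys:
        return "HOST_KEY_CHANGED"
    if not ip_keys:
        return "KNOWN_KEY_NEW_IP"
    if key_b64 not in ip_keys:
        return "IP_KEY_MISMATCH"
    return "OK"


if __name__ == "__main__":
    cases = [
        ("same host, same address", "penguin.example.net", "192.0.2.10", KEY_A),
        ("first contact", "other.example.net", "192.0.2.99", KEY_A),
        ("host moved to a new address", "penguin.example.net", "198.51.100.7", KEY_A),
        ("host presents a different key", "penguin.example.net", "192.0.2.10", KEY_B),
    ]
    for label, host, ip, key in cases:
        outcome = check_host(KNOWN_HOSTS, host, ip, "ssh-rsa", key)
        print(f"{label:32} {md5_fingerprint(key)}  {outcome}")
```

The third case is the one that matches a server whose IP address changed while its host key stayed the same: the key is already trusted for the name, so only the address is new.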



Re: configuring exim4 smtp to use SSL

2015-03-17 Thread Gary Dale

On 17/03/15 01:30 AM, David Wright wrote:

Quoting Gary Dale (garyd...@torfree.net):

On 16/03/15 12:37 PM, Brian wrote:

On Mon 16 Mar 2015 at 10:46:25 -0500, David Wright wrote:


Quoting James (bjloc...@lockie.ca):


You can't telnet to an ssl port.
Use:
openssl s_client -connect [IP]:smtps

I'm sorry if I muddied the waters by suggesting using telnet.
I find it a useful tool to quickly test whether I can reach a port,
whether anything is listening, and whether the response is the same as
I got last time/when things were working, even if that response is
to connect for a few seconds and then disconnect (like 80 does).
And I can get the results from ten different ports in one screenful
of text.

A slight mistake; but now the OP is back on the right track all he
should have to do is issue the helo, mail from:, rcpt to: and data
commands to test whether sending mail is possible. If it is he can
then take a closer look at his exim setup.

OK, following the doc at http://www.debianhelp.co.uk/mail.htm, I
could enter:
HELO 

I always use EHLO but have no idea if it makes a difference.


MAIL FROM @

but things get interesting when I enter the rcpt to:

RCPT TO: g...@extremeground.com

Shouldn't that be in <> according to rfc2821?
I just tried it with EHLO and using RCPT TO:  
and got the same result.




Archive: https://lists.debian.org/55083c79.5080...@torfree.net



Re: fbdev driver on Wheezy

2015-03-17 Thread Elimar Riesebieter
* Andrew Wood  [2015-03-17 12:18 +]:

[...]
> It just lists one
> 
> 01:00.0 VGA compatible controller Silicon Motion SM712
> 
> I suspect what may be happening is its defaulting to video out on the LVDS
> and turning the VGA port off. Is there a way to configure it to mirror the
> output on both ports simultaneously?

Maybe https://wiki.debian.org/XStrikeForce/HowToRandR12

Elimar
-- 
  Alles was viel bedacht wird ist bedenklich!;-)
 Friedrich Nietzsche


Archive: https://lists.debian.org/20150317135041.ga27...@baumbart.home.lxtec.de



Re: locale problems

2015-03-17 Thread Frank

On 03/16/2015 08:26 PM, Bob Proulx wrote:

Frank wrote:

Bob Proulx wrote:

   cat /etc/default/locale


root@frank-debian:/home/frank# cat /etc/default/locale
#LANG=en_US.UTF-8

Unexpected..I thought it would be empty ?


For whatever reason the locales package postinst script simply
comments out the lines it manages there.  I don't know why.

I realized I should have said something else too.  Let me fix that and
say it now.




default these days.  But I fear that I may have led you to not have
LANG set in your normal desktop environment now.  Because I always set
it myself and then also set LC_COLLATE too so that I get a sane sort
order and therefore didn't think of it.

   export LANG=en_US.UTF-8
   export LC_COLLATE=C




LANG was set but LC_COLLATE was not...so I added it.

I **think** I now understand the whole thing a little better.

Thanks for the followup.



Archive: https://lists.debian.org/55082e49.9090...@videotron.ca



Re: Advise on setup of small office locally or via VPS

2015-03-17 Thread Dan Purgert
On Tue, 17 Mar 2015 11:22:29 +, Linux4Bene wrote:

> Hi,
> 
> Local setup ===
> I would connect a Debian box with 3 nics to the ISP router to serve as
> firewall. 1 nic for WAN, 1 for LAN, 1 for DMZ. I have always used
> iptables to do this. The wan nic would have 1 public IP, LAN
> 192.168.1.0/24,
> DMZ 172.16.1.0/24.
> 
> DMZ would have 2 machines: 1 with web and DNS 1, another with DNS 2 and
> SMTP gateway. I would keep the free DNS for added redundancy. On the LAN
> part, I would put a file server, local DNS and some internal web apps.
> 
> This raises some questions:
> - What device could I use for the firewall. I don't want to use an old
> computer as I have some public services and need a reliable service.
> I'm open to using an appliance as well. Any links or info is welcome.
> Any easy way to having this devices redundant?

Didn't you just say that you were using a Debian box as your firewall/
router?

Personally I have used Ubiquiti Edge Routers (ubnt.com), and they're 
really nice - based on Vyatta 6.3, rival bigger names in terms of routing 
performance, and are cheap ($100 for the 3-port model "ER Lite", and 
under $500 for the 8-port "ER-8".  There's also a "PRO" variant of the 8-
port that includes 2 SFP ports that're shared with 2 of the copper ports, 
and a 5-port model with PoE, but this is really only the ER Lite with a 
switch in the same case, so it's 2x routing ports + 3x switch ports, and 
might not fit in your situation).  

Here's the Datasheet for their routers --> 
http://dl.ubnt.com/datasheets/edgemax/EdgeRouter_Lite_DS.pdf

It's not "difficult" to get redundancy, though depending on the levels of 
redundancy you're after, it can get a bit complex. 

Easiest route is a cold spare -- buy a second of whatever router, config 
it exactly the same way, and then shut it down for use if / when the 
first one dies.

Though you could always scale to multiple WAN connections spread across 
multiple routers, with OSPF / iBGP being used to manage the routes... but 
this is probably a bit much for a small business.


> 
> - I would only allow some traffic (mail for instance) from the DMZ to
> the private LAN. LAN could access the DMZ. Any downside to this security
> wise?

If I'm understanding your plan, no this shouldn't pose any problems.

> 
> - If I have multiple public IP's, I would assign each public machine a
> public IP. I assume it's the ISP's job to redirect the IP's in my range
> to their router in my office. I could then map the public IP's to a
> private IP by prerouting all allowed traffic on the public IP to the
> private IP address of the machine in the DMZ.

Depends on how their router is configured, but this sounds about right.  
That said, in 99.5% of cases that I've seen the ISP-provided routers are 
absolute rubbish, and should be relegated to bridge-only mode so that you 
can use a better (i.e. more configurable) device to handle the tasks.

> - My mail service (only used for my own purposes right now) consists of
> Postfix, Clamav, Pyzor, Razor, Spamassassin, with authentication
> provided by Dovecot. Domains, users and aliases are stored in a
> Postgresql database. Security wise it would be better to place this set
> up in the LAN part, and put a SMTP gateway in the DMZ to receive mail,
> and have the gateway forward the mail to the setup I just described.
> The SMTP gateway should have the same parts (Clamav, Spamassassin, ...)
> but just not store the mail locally. Any thoughts on this kind of setup?

If the email server is public already (in the DMZ zone), you'll probably 
have an easier (and still secure) time if you just have the clients using 
STARTTLS to access THAT server.  Not that you couldn't set up a gateway / 
relay, but there is much to be said about the KISS principle.  

> - I have Roundcube (webmail) installed as well. I think I could handle
> this by forwarding the requests from firewall to the internal mail
> server.
> Not sure if this is the safest way to do this.
> One can of course argue about web mail in the first place.

Again, might be easiest (best) to keep the entire mail service in the 
DMZ, including webmail.

> 
> - Central user and document management.
> I would like to have a space on the file server where people could store
> their own and shared documents. I think I would need NFS for this
> (haven't used this before). The docs might need to be accessible from
> Windows as well, although I really would like to only use Debian
> machines for my own people. Otherwise, this would mean using Samba.

If you need / want access to the file server from windows hosts, I'm 
pretty sure samba is your only solution.

> My mail users are in a Postgresql database. I would like to keep it that
> way if I would ever provide mail to customers.

Sure. If you're selling email services, then you might need a dedicated 
DB box, but that's not exactly 'difficult'.

> I can see LDAP being useful to have central authentication.
> It can be a chal

Re: Cool things to do with server

2015-03-17 Thread Dan Purgert
On Mon, 16 Mar 2015 22:54:34 -0700, Joris Bolsens wrote:

> On 03/16/2015 10:24 PM, Joris Bolsens wrote:
>> 
>> [snip]
>> 
>> Been googling for hours and I cannot for the life of me find what the
>> problem is.
>> ~Joris
>> 
>> 
> I can connect just fine to IMAP, it's SMTP that gives me issues.
> 
> the response when i EHLO the smtps delio i get;
> joris@debian:~$ telnet mail.mydomain.com smtps
> Trying srvr.ip.addr...
> Connected to mydomain.com.
> Escape character is '^]'.
> 220 mail.mydomain.com ESMTP Postfix
> EHLO mail.mydomain.com
> 250-mail.mydomain.com
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN

Set your t-bird to use "STARTTLS" for the outgoing server.  Fixed it for 
me when I ran into that problem.

There's probably a fix in either postfix or dovecot, but from what I can 
see, there's no real security concerns over explicitly starting a TLS 
session (via STARTTLS) vs. using implicit TLS.


Archive: https://lists.debian.org/me98q3$b1f$4...@ger.gmane.org



Re: Cool things to do with server

2015-03-17 Thread Dan Purgert
On Mon, 16 Mar 2015 16:38:27 -0700, Joris Bolsens wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> 
> 
> On 03/16/2015 02:59 PM, Dan Purgert wrote:
>> On Mon, 16 Mar 2015 12:23:43 -0700, Joris Bolsens wrote:
>> 
>>> [snip...] I'm assuming they moved it to here:
>>> https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql
>>>
>> 
>> Yup, that's the one.  Gonna have to update my link then (wrote the note
>> in 2014, didn't think to check it before posting, sorry)
>> 
>> 
>> 
> just a quick question, if I get an ssl cert for mail.mydomain.com does
> that mean my email addresses all have to be u...@mail.mydomain.com or
> does that just mean that the mail server listens on mail.mydomain.com?
> 
> Thanks,

The ssl cert for "mail.yourdomain.com" is intended to handle the SSL 
connections for web browsers / MUAs (e.g. thunderbird), when you try 
logging in / securing the connection.

If you're wanting to sign with S/MIME, then you'll need a second 
certificate (comodo provides them for free) that's assigned to 
y...@yourdomain.com.


Archive: https://lists.debian.org/me98ek$b1f$3...@ger.gmane.org



Re: fbdev driver on Wheezy

2015-03-17 Thread Andrew Wood


On 16/03/15 00:09, David Wright wrote:


You've got two cards on one PCI address. lspci might tell you what the
correct values are.

Cheers,
David.



It just lists one

01:00.0 VGA compatible controller Silicon Motion SM712

I suspect what may be happening is it's defaulting to video out on the 
LVDS and turning the VGA port off. Is there a way to configure it to 
mirror the output on both ports simultaneously?


Thanks
Andrew



Archive: https://lists.debian.org/55081b9b.4090...@perpetualmotion.co.uk



Re: configuring exim4 smtp to use SSL

2015-03-17 Thread Brian
On Tue 17 Mar 2015 at 00:30:38 -0500, David Wright wrote:

> Quoting Gary Dale (garyd...@torfree.net):
> > OK, following the doc at http://www.debianhelp.co.uk/mail.htm, I
> > could enter:
> > HELO 
> 
> I always use EHLO but have no idea if it makes a difference.

EHLO allows the client to discover whether the server supports ESMTP. If
it does not it will revert to HELO behaviour.

> > MAIL FROM @
> > 
> > but things get interesting when I enter the rcpt to:
> > 
> > RCPT TO: g...@extremeground.com
> 
> Shouldn't that be in <> according to rfc2821?

Probably best to put them in, although there are servers which are not
too picky. Leaving off <> often gets an error message.

> > RENEGOTIATING
> > depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
> > Network, CN = USERTrust RSA Certification Authority
> > verify error:num=20:unable to get local issuer certificate
> > verify return:0
> > 
> > After that, I can't enter DATA. It says 503 valid RCPT command must
> > precede DATA
> 
> Yes, until you see a 250 from RCPT TO: it hasn't been accepted.
> 
> > I've tried a few different RCPT TO: addresses but I get the same
> > result. Also tried using the ISP's mail server's domain in the HELO
> > with the same results.
> > 
> > I tried creating a local certificate and updating the
> > exim4.conf.template with MAIN_TLS_ENABLE = yes but that didn't help
> > either.
> 
> I don't think those verify items above are necessarily a problem in 
> themselves.
> Your sequence of commands (with the changes I suggested) worked for me.

They can work for me too. But only when I'm on the same network as the
server. Then I suppose I'm trusted.

I hope the OP is diligently reading all the mails on -user. A couple
today in

  https://lists.debian.org/debian-user/2015/03/msg00645.html

might interest him.  


Archive: 
https://lists.debian.org/17032015114224.94ae556ae...@desktop.copernicus.demon.co.uk



Advise on setup of small office locally or via VPS

2015-03-17 Thread Linux4Bene
Hi,


sorry in advance for the lengthy post.
I have some questions on organizing and designing a small office 
environment. Clients and server parts Debian. I have always introduced 
Debian in every job I had in the last 14 years, and it would be great to 
finally use them as the default OS on devices of my own business :)

I currently have one VPS with a few services: hosting my own websites and 
DNS (authoritative for my domains), mail (Postfix,Dovecot). As I'm 
planning to start my own business, I would like to inform myself on the 
available choices.

I would probably get a business vdsl line, which would give me 8 public 
IP's. I have experience with most of the techniques described below, 
although it has been a while since I used some of those components/
software. I do manage some Debian servers, and have done so for the last 
14 years.

At the start, I would only employ 1 or 2 people. I'm trying to keep it 
small so I wouldn't want to go over 10 people.
Server part Debian, office parts also Debian as much as possible but we 
will also have MS machines as we need this to support our clients. Not 
sure if we would need to access any info on the Debian machines or 
servers. I have no preference to local infrastructure as opposed to cloud.

That's why I started out with a VPS to host my sites, mail and DNS.
Because of the DNS redundancy requirements, I use a free service that
replicates my DNS. Ideally, I would be able to provide this redundancy 
with my own machines, VPS'es or local.
I would like your advice on the way I would set this up locally or with 
VPS'es.

Local setup
===
I would connect a Debian box with 3 nics to the ISP router to serve as
firewall. 1 nic for WAN, 1 for LAN, 1 for DMZ. I have always used 
iptables to do this. The wan nic would have 1 public IP, LAN 
192.168.1.0/24,
DMZ 172.16.1.0/24.

DMZ would have 2 machines: 1 with web and DNS 1, another with DNS 2 and 
SMTP gateway. I would keep the free DNS for added redundancy. On the LAN 
part, I would put a file server, local DNS and some internal web apps.

This raises some questions:
- What device could I use for the firewall? I don't want to use an old
computer as I have some public services and need a reliable service.
I'm open to using an appliance as well. Any links or info are welcome.
Any easy way to make this device redundant?

- I would only allow some traffic (mail for instance) from the DMZ to the
private LAN. LAN could access the DMZ. Any downside to this security wise?

- If I have multiple public IP's, I would assign each public machine a 
public IP. I assume it's the ISP's job to redirect the IP's in my range 
to their router in my office. I could then map the public IP's to a 
private IP by prerouting all allowed traffic on the public IP to the 
private IP address of the machine in the DMZ.

- My mail service (only used for my own purposes right now) consists of
Postfix, Clamav, Pyzor, Razor, Spamassassin, with authentication provided 
by Dovecot. Domains, users and aliases are stored in a Postgresql 
database. Security wise it would be better to place this set up in the 
LAN part, and put a SMTP gateway in the DMZ to receive mail, and have the 
gateway forward the mail to the setup I just described.
The SMTP gateway should have the same parts (Clamav, Spamassassin, ...) 
but just not store the mail locally. Any thoughts on this kind of setup?

- I have Roundcube (webmail) installed as well. I think I could handle 
this by forwarding the requests from firewall to the internal mail server.
Not sure if this is the safest way to do this.
One can of course argue about web mail in the first place.

- Central user and document management.
I would like to have a space on the file server where people could store 
their own and shared documents. I think I would need NFS for this 
(haven't used this before). The docs might need to be accessible from 
Windows as well, although I really would like to only use Debian machines 
for my own people. Otherwise, this would mean using Samba.
My mail users are in a Postgresql database. I would like to keep it that
way if I would ever provide mail to customers. 
I can see LDAP being useful to have central authentication.
It can be a challenge to setup though. Are there other ways of having a 
simple central authentication?

I have thought about using a document management system from the start.
But I have only experience with commercial ones and that might be overkill
from the start. Besides, they are Windows based.

VPS
===
The other way I could go is by using multiple VPS servers (or renting 
dedicated servers). I could connect them with OpenVPN. I have no 
experience with that.
But this would also mean I would have my file server online.
Then I definitely would need to setup a permanent connection from the 
office firewall to the online servers. 

Might make it a bit harder to fully manage reverse dns. As for my current 
VPS, I had to ask my VPS supplier to insert a reverse 

Re: Cool things to do with server

2015-03-17 Thread Darac Marjal
On Mon, Mar 16, 2015 at 10:24:10PM -0700, Joris Bolsens wrote:
> 
> 
> On 03/16/2015 02:59 PM, Dan Purgert wrote:
> > 
> > [snip]
> > 
> Well you were definitely correct in that this will keep me busy for
> awhile, can't get thunderbird to connect properly.
> 
> I have verified that the SSL cert is good (got one from comodo) followed
> instruction to the letter and checked to make sure that all users/pass
> are set correctly in DB. Here is what I see in
> 
> mail.log:
> Mar 17 05:08:11 hawk961 dovecot: master: Dovecot v2.1.7 starting up
> (core dumps disabled)
> Mar 17 05:08:12 hawk961 postfix/master[2983]: daemon started -- version
> 2.9.6, configuration /etc/postfix
> Mar 17 05:09:27 hawk961 postfix/smtpd[3092]: connect from
> c-my-host-name[76.102.110.154]
> Mar 17 05:09:27 hawk961 dovecot: imap-login: Aborted login (no auth
> attempts in 1 secs): user=<>, rip=my.ip.addr, lip=srvr.ip.addr, TLS,
> session=<4BWJ+HQRhQBMZm6a>
> Mar 17 05:09:37 hawk961 postfix/smtpd[3092]: lost connection after
> UNKNOWN from my-host-name.net[my.ip.addr]
> Mar 17 05:09:37 hawk961 postfix/smtpd[3092]: disconnect from
> my-host-name.net[76.102.110.154]
> Mar 17 05:09:49 hawk961 dovecot: imap-login: Aborted login (no auth
> attempts in 0 secs): user=<>, rip=my.ip.addr, lip=srvr.ip.addr, TLS,
> session=

Check you're talking to the server correctly. There are two types of
secure connections in email. In one type, the server will only talk on a
secure connection - it expects the very first bit of communication to be
an SSL handshake. On these, if you try to send plaintext commands, you
will get booted off. These services typically listen on port 465 (SMTPS)
and port 993 (IMAPS). This sort of server tends to be deprecated these
days.

In the other type of connection, the server starts with a normal,
plaintext connection but the client "upgrades" the connection to secure
by using the command "STARTTLS". This has the advantage that both
plaintext and encrypted clients can be handled by the one server. These
servers will listen on port 25 (SMTP, or 587, Submission) or port 143
(IMAP).

So, check how you're trying to talk to your server. If you're using the
first type of server, then "openssl s_client -connect my.ip.addr:465"
should give you a connection. If you're using the other kind,
"openssl s_client -connect my.ip.addr:25 -starttls smtp" will give
you a secure connection.

> 
> 
> and mail.info:
>  Mar 17 05:08:11 hawk961 dovecot: master: Dovecot v2.1.7 starting up
> (core dumps disabled)
> Mar 17 05:08:12 hawk961 postfix/master[2983]: daemon started -- version
> 2.9.6, configuration /etc/postfix
> Mar 17 05:09:27 hawk961 postfix/smtpd[3092]: connect from
> my.host.name.net[my.ip.addr]
> Mar 17 05:09:27 hawk961 dovecot: imap-login: Aborted login (no auth
> attempts in 1 secs): user=<>, rip=my.ip.addr, lip=srvr.ip.addr, TLS,
> session=<4BWJ+HQRhQBMZm6a>
> Mar 17 05:09:37 hawk961 postfix/smtpd[3092]: lost connection after
> UNKNOWN from my.host.name.net[my.ip.addr]
> Mar 17 05:09:37 hawk961 postfix/smtpd[3092]: disconnect from
> my.host.name.net[my.ip.addr]
> Mar 17 05:09:49 hawk961 dovecot: imap-login: Aborted login (no auth
> attempts in 0 secs): user=<>, rip=my.ip.addr, lip=srvr.ip.addr, TLS,
> session=
> Mar 17 05:12:57 hawk961 postfix/anvil[3099]: statistics: max connection
> rate 1/60s for (smtps:my.ip.addr) at Mar 17 05:09:27
> Mar 17 05:12:57 hawk961 postfix/anvil[3099]: statistics: max connection
> count 1 for (smtps:my.ip.addr) at Mar 17 05:09:27
> Mar 17 05:12:57 hawk961 postfix/anvil[3099]: statistics: max cache size
> 1 at Mar 17 05:09:27
> 
> Been googling for hours and I cannot for the life of me find what the
> problem is.
> ~Joris
> 




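The two connection types described above, applied to the telnet reply quoted earlier in this thread, as an added example (not code from any poster in the thread): it classifies the first bytes on a mail connection and maps what a port speaks to the mail client's connection-security setting. The function names and the sample byte strings are constructed for illustration.

```python
import re

# Constructed samples. BANNER and EHLO_REPLY re-type the plaintext reply pasted
# in the thread; CLIENT_HELLO is the start of a TLS ClientHello record, which an
# implicit-TLS client sends before it reads anything from the server.
BANNER = b"220 mail.mydomain.com ESMTP Postfix\r\n"
EHLO_REPLY = (b"250-mail.mydomain.com\r\n250-PIPELINING\r\n250-SIZE 1024\r\n"
              b"250-VRFY\r\n250-ETRN\r\n250-STARTTLS\r\n"
              b"250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 DSN\r\n")
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B, 0x03, 0x03])

SMTP_VERBS = re.compile(rb"(EHLO|HELO|MAIL|RCPT|DATA|QUIT|STARTTLS|AUTH)\b", re.I)


def first_bytes_kind(data):
    """Classify the first bytes one side puts on a mail connection."""
    # TLS record header: type 0x16 (handshake), major version 3, then a
    # handshake message of type 1 (ClientHello) or 2 (ServerHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] in (1, 2):
        return "tls-handshake"
    if re.match(rb"\d{3}[ -]", data):
        return "smtp-reply"
    if SMTP_VERBS.match(data):
        return "smtp-command"
    return "silent" if not data else "unknown"


def ehlo_extensions(reply):
    """Keywords advertised in a multi-line 250 reply to EHLO."""
    lines = reply.decode("ascii", "replace").splitlines()
    found = set()
    for line in lines[1:]:  # line 1 is the server's greeting, not a keyword
        m = re.match(r"250[ -](\S+)", line)
        if m:
            found.add(m.group(1).upper())
    return found


def client_setting(server_first, ehlo_reply=b""):
    """Connection-security setting a mail client needs for this port."""
    kind = first_bytes_kind(server_first)
    if kind == "smtp-reply":
        return "STARTTLS" if "STARTTLS" in ehlo_extensions(ehlo_reply) else "none"
    if kind == "silent":
        # Assumption: a port that sends nothing first is waiting for a
        # ClientHello (implicit TLS); a live probe would confirm by handshaking.
        return "SSL/TLS"
    return "unknown"


def is_mismatch(client_first, server_first):
    """True when the client's opening bytes do not fit what the port speaks."""
    client_tls = first_bytes_kind(client_first) == "tls-handshake"
    if client_setting(server_first) == "SSL/TLS":
        return not client_tls  # implicit-TLS port handed plaintext
    return client_tls          # plaintext-first port handed a TLS handshake
```

For the pasted reply, client_setting(BANNER, EHLO_REPLY) returns "STARTTLS", and is_mismatch(CLIENT_HELLO, BANNER) is True: a client set to implicit SSL/TLS opens with a handshake on a port that greets in plaintext.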


Re: Cool things to do with server

2015-03-17 Thread Darac Marjal
On Mon, Mar 16, 2015 at 04:38:27PM -0700, Joris Bolsens wrote:
> 
> 
> On 03/16/2015 02:59 PM, Dan Purgert wrote:
> > On Mon, 16 Mar 2015 12:23:43 -0700, Joris Bolsens wrote:
> > 
> >> [snip...] I'm assuming they moved it to here:
> >> https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql
> >>
> > 
> > 
> > Yup, that's the one.  Gonna have to update my link then (wrote the
> > note in 2014, didn't think to check it before posting, sorry)
> > 
> > 
> > 
> just a quick question, if I get an ssl cert for mail.mydomain.com does
> that mean my email addresses all have to be u...@mail.mydomain.com or
> does that just mean that the mail server listens on mail.mydomain.com?

Technically, it depends on what the certificate is marked as certifying.
An "SSL Certificate" is, basically, an x509 certificate which is marked
as certifying host names. Thus it can be used to secure the connection
to mail.example.com. You can also get x509 certificates which are marked
as certifying email addresses, but these would usually be referred to as
"S/MIME certificates" and would be used for signing/encrypting messages.

> 
> Thanks,
> ~Joris
> 
> 
> Archive: https://lists.debian.org/55076973.9090...@gmail.com
> 




Re: configuring exim4 smtp to use SSL

2015-03-17 Thread Jonathan Dowland
On Sat, Mar 14, 2015 at 08:48:37PM -0500, David Wright wrote:
> Is it worth telnetting the port to check that it supports what you
> think it does. For example, from several years ago:

Check out "swaks". It is a debug SMTP client which can do more sophisticated
things than you can via telnet.


Archive: https://lists.debian.org/20150317093222.ga8...@chew.redmars.org



i18n issue in GNOME Classic re. modifying date format of Clock Applet

2015-03-17 Thread Alexis


Hi all,

Context: Wheezy x86_64 fresh install, plus all available updates, 
plus systemd-sysv from wheezy-backports.


Is it possible to change the date format used by the GNOME Classic 
Clock Applet? It seems nothing i do will get it to change from the US 
month-before-day format.


In GNOME System Settings -> Region and Language, the 'Formats' tab 
correctly shows the "Region" set to 'Australia', and correctly 
displays dates formatted in the standard date component order used 
here in Australia:


   Tuesday 17 March 2015
   17 March 2015
   17 Mar 2015
   17/03/15

Using `dconf Editor`, i found that the value of the 'region' key 
of org.gnome.system.locale was empty, but setting it to 
"en_AU.utf8", logging out of the desktop, then logging back in 
again, also made no difference to the date component ordering in 
the applet.


i can confirm that right-clicking on the Clock Applet, selecting 
"Preferences", then un-checking/re-checking items like 'Show the 
date' /do/ actually affect the applet.


localectl(1) reports:

  System Locale: LANG=en_GB.utf8 
 LC_NUMERIC=en_AU.utf8 LC_TIME=en_AU.utf8 
 LC_MONETARY=en_AU.utf8 LC_MEASUREMENT=en_AU.utf8 

Since this is basic internationalisation functionality, i assume 
that i'm probably missing some setting. i have no problem 
modifying a strftime(3)-format string somewhere if necessary.


Any suggestions, please?


Alexis.



Archive: https://lists.debian.org/87ioe0t39y@gmail.com