Continuous integration with Debian virtual machines

2024-05-27 Thread André Rodier
Dear Debian users,

Anyone know a hosting service, like GitHub or GitLab, offering recent Debian 
virtual machines to run tests?
The last time I checked, they offered old Ubuntu versions or docker images, but 
I need a full Debian VM. 

For contextual information, the source code is here: 
https://github.com/progmaticltd/homebox

My tests are relying on systemd services as well (so no docker), and some of 
them are pretty low-level.
The package name differences are big enough for the tests to fail, and I am 
not interested in porting my solution to Ubuntu.

Thanks for your insights.

André Rodier.



Continuous integration with Debian virtual machines

2024-05-26 Thread André Rodier
Dear Debian users,

Anyone know a hosting service, like GitHub or GitLab, offering recent Debian 
virtual machines to run tests?
The last time I checked, they offered old Ubuntu versions or docker images, but 
I need a full Debian VM. 

For contextual information, the source code is here: 
https://github.com/progmaticltd/homebox

My tests are relying on systemd services as well (so no docker), and some of 
them are pretty low-level.
The package name differences are big enough for the tests to fail, and I am 
not interested in porting my solution to Ubuntu.

Thanks for your insights.

André Rodier.



How to create a systemd service that interact with nftables service

2023-06-25 Thread André Rodier
Hello, all.

I have a simple script, to save / and store dynamic nftables sets.

I would like to create a systemd service, that starts -after- nftables is 
started, and stops -before- nftables is
stopped.

Any idea on how to achieve this, please ?

I tried to play a little with ‘Requires’ or ‘After’, without success.

Thanks for your help.
André


Re: Email clients and IMAP search support

2023-04-17 Thread André Rodier
Hi, Byung-Hee.

This is definitely not what I asked, and we don't ask for a Gmail advertisement.

I don't understand what prompted you to write such an answer, this is a waste 
of resource and time.

Moreover, I have found my answer.

Andre.


17 Apr 2023 06:29:12 Byung-Hee HWANG :

> Andre Rodier  writes:
> 
>> On Sun, 2023-04-16 at 17:01 +0100, Andre Rodier wrote:
>>> Hi,
>>> 
>>> Is there any desktop email client on Debian, that supports server
>>> side IMAP search, please ?
>>> 
>>> I have an email server that support indexing attachment contents,
>>> and when I run a query from the command line using
>>> doveadm search or even TELNET, it is returning the correct email indexes.
>>> 
>>> However, when I try the same search with a desktop client, nothing
>>> is returned. I tried Thunderbird, Balsa, Claws and
>>> Geary. None of them is satisfactory.
>>> 
>>> Thanks for your help.
>>> 
>>> Thanks,
>>> André
>>> 
>> 
>> OK, I am answering to myself, Gnome Evolution works, it is sending the
>> search query to the server.
>> 
>> Even in some advanced RTL languages like Arabic.
>> 
>> Great!
> 
> Hellow Andre,
> 
> Searching for IMAP is good with Gmail web interface, i think. If you
> have web browser such as mozilla firefox, chromium browser. Try to
> gmail, just with web browser. It is not bad in my experience. And also i
> am Debian user (Debian 11 Bullseye under Chromebook).
> 
> As you know, Gmail is good with UTF-8 support / Searching / Labeling.
> 
> See here:
> https://gitlab.com/soyeomul/Gnus/-/commit/314e84446d1002726aec0ccf81a756d54568bfbb
> 
> In real world, i use both Gmail and Emacs Gnus for email.
> 
> Sincerely, Byung-Hee
> 
> -- 
> ^고맙습니다 _地平天成_ 감사합니다_^))//


Thunderbird security

2022-03-26 Thread André Rodier

Hi all,

I would like to collect, from this thread, your experience and opinion 
about Mozilla Thunderbird, in terms of security.

I am registered on the Debian security list, and I see a lot of CVEs 
coming, some of them with a high score, mentioning execution of 
arbitrary code or information disclosure.

Most of them seem pretty severe to me, and I am now running Thunderbird 
in firejail. However, I wonder if such a vulnerability would allow a 
remote attacker to send an email, and get, for instance, the credentials 
stored in Thunderbird, with or without master password.

This seems habitual to me, compared to other mail clients in Debian, like 
evolution / claws, etc...

In terms of security, which email clients, or which practices, would you 
recommend to me?


Thanks for your understanding and advice, but please, I don't want to 
start a troll.


--
𝓐𝓡 - 𝐴𝑛𝑑𝑟𝑒 𝑅𝑜𝑑𝑖𝑒𝑟




netfilter on bullseye: matching executable name or pid with nftables

2022-02-13 Thread André Rodier

Hi,

With iptables, I was able to use the match extension, and create rules 
per program or pid, for instance:


iptables -A OUTPUT --match owner -p tcp --cmd-owner tinyproxy -j ACCEPT
iptables -A OUTPUT --match owner -p tcp --pid-owner 4554 -j ACCEPT

How can I achieve the same, on Linux, using nftables, please ?

I am using Debian Bullseye

Thanks.

--
𝓐𝓡 - 𝐴𝑛𝑑𝑟𝑒 𝑅𝑜𝑑𝑖𝑒𝑟



Re: PAM two factors authentication

2021-11-13 Thread André Rodier

Hello Kamil,

This is not exactly what I asked.

I want two factors authentication, with the first factor (the password) 
and the second one being one of many (Yubikey, google auth or u2f)


Thanks,

On 13/11/2021 18:13, Kamil Jońca wrote:

> André Rodier  writes:
>
>> Hello all,
>>
>> I can use various second factors authentications on Debian:
>>
>> - google authenticator
>> - u2f key
>> - yubikey
>>
>> I would like to configure pam sessions to have 1) password
>> authentication, and then 2) one of the second factor described above.
>>
>> How this can be achieved, please ?
>>
>> Thanks for your answers.
>>
>> André Rodier.
>
> Well.
> I can say that I follow:
> https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F
> and I can use my ubikey (I believe its u2f application) to login/unlock.
>
> KJ




--
𝓐𝓡 - André Rodier



PAM two factors authentication

2021-11-13 Thread André Rodier



Hello all,

I can use various second factors authentications on Debian:

- google authenticator
- u2f key
- yubikey

I would like to configure pam sessions to have 1) password 
authentication, and then 2) one of the second factor described above.


How this can be achieved, please ?

Thanks for your answers.

André Rodier.



preseeding Bullseye

2021-11-13 Thread André Rodier


Hello all,

I am building a preseed file for Debian Bullseye.

I am able to configure many advanced features, like LUKS / LVM, etc.

However, I still have one question asked at the beginning of the 
installer, about the keyboard variant (see the attached image)


For instance, I can select British, and then, the installation continues.

I am attaching the full preseed file I use.

Thanks for your help.

André Rodier.
 Preseed for one drive, using just an LVM partitioning scheme


# The values can also be preseeded individually for greater flexibility.
d-i debian-installer/language string en_GB:en
d-i debian-installer/country string UK
d-i debian-installer/locale string en_GB

# Optionally specify additional locales to be generated.
# d-i localechooser/supported-locales multiselect en_GB.UTF-8

# Keyboard selection.
# d-i console-keymaps-at/keymap string gb
d-i keyboard-configuration/xkb-keymap select gb
d-i keyboard-configuration/variant select British English
d-i keyboard-configuration/toggle select No toggling

# Do not scan for another CD
d-i apt-setup/use_mirror boolean false
d-i apt-setup/cdrom/set-first boolean false
d-i apt-setup/cdrom/set-next boolean false
d-i apt-setup/cdrom/set-failed boolean false


### Apt setup
# You can choose to install non-free and contrib software.
d-i apt-setup/non-free boolean true
d-i apt-setup/contrib boolean true
d-i apt-setup/use_mirror boolean true

# Select which update services to use; define the mirrors to be used.
# Values shown below are the normal defaults.
d-i apt-setup/services-select multiselect security, updates
d-i apt-setup/security_host string security.debian.org

# Additional repositories, local[0-9] available
# d-i apt-setup/local0/repository string \
# http://dl.google.com/linux/chrome/deb/ stable main
# d-i apt-setup/local0/comment string Google chrome

# URL to the public key of the local repository; you must provide a key or
# apt will complain about the unauthenticated repository and so the
# sources.list line will be left commented out
# d-i apt-setup/local0/key string https://dl.google.com/linux/linux_signing_key.pub

# Enable deb-src lines
#d-i apt-setup/local0/source boolean true

# By default the installer requires that repositories be authenticated
# using a known gpg key. This setting can be used to disable that
# authentication. Warning: Insecure, not recommended.
#d-i debian-installer/allow_unauthenticated boolean true

# Uncomment this to add multiarch configuration for i386
#d-i apt-setup/multiarch string i386
### Network configuration
# Disable network configuration entirely. This is useful for cdrom
# installations on non-networked devices where the network questions,
# warning and long timeouts are a nuisance.
#d-i netcfg/enable boolean false

# netcfg will choose an interface that has link if possible. This makes it
# skip displaying a list if there is more than one interface.
# d-i netcfg/choose_interface select auto
d-i netcfg/choose_interface select auto

# To set a different link detection timeout (default is 3 seconds).
# Values are interpreted as seconds.
#d-i netcfg/link_wait_timeout string 10

# If you have a slow dhcp server and the installer times out waiting for
# it, this might be useful.
#d-i netcfg/dhcp_timeout string 60
#d-i netcfg/dhcpv6_timeout string 60

# If you prefer to configure the network manually, uncomment this line and
# the static network configuration below.
#d-i netcfg/disable_autoconfig boolean true

# Any hostname and domain names assigned from dhcp take precedence over
# values set here. However, setting the values still prevents the questions
# from being shown, even if values come from dhcp.
d-i netcfg/get_hostname string mail
d-i netcfg/get_domain string rodier.me

# If you want to force a hostname, regardless of what either the DHCP
# server returns or what the reverse DNS entry for the IP is, uncomment
# and adjust the following line.
#d-i netcfg/hostname string somehost

# Disable that annoying WEP key dialog.
d-i netcfg/wireless_wep string

# The wacky dhcp hostname that some ISPs use as a password of sorts.
#d-i netcfg/dhcp_hostname string radish

# If non-free firmware is needed for the network or other hardware, you can
# configure the installer to always try to load it, without prompting. Or
# change to false to disable asking.
d-i hw-detect/load_firmware boolean false
### Network console1
# Use the following settings if you wish to make use of the network-console
# component for remote installation over SSH. This only makes sense if you
# intend to perform the remainder of the installation manually.
#d-i anna/choose_modules string network-console
#d-i network-console/authorized_keys_url string http://10.0.0.1/openssh-key
#d-i network-console/password password r00tme
#d-i network-console/password-again password r00tme

### Mirror settings
# If you select ftp, the mirror/country string does not need to be set.
#d-i mirror/protocol string ftp
d-i mirror/country string manual
d

Status of Apache Solr

2020-10-05 Thread André Rodier
Hello,

The version of Solr on Debian seems to be outdated a lot. The Debian version is 
3.6, but IIRC, the official version is 8.x. I checked testing and Sid, but it 
seems to be the same version.

What is the status, of this, please?

Thanks,
André



Any Bluetooth 5 adapter Debian compatible

2020-01-05 Thread André Rodier
Hello,

I am looking for a USB / Bluetooth 5 adapter, natively compatible with
Debian.

Thanks,
André



Re: pass simple readline frontend

2019-11-06 Thread André Rodier
On Tue, 2019-11-05 at 18:30 -0800, Kushal Kumaran wrote:
> André Rodier  writes:
> 
> > Hello,
> > 
> > I want to use the pass password utility on Linux, in my Emacs
> > eterm.
> > 
> > The TERM environment variable seems to be ignored, the ncurses
> > utility
> > starts and this is totally unusable.
> > Is there any option, beside recompiling the software to have it
> > working properly?
> > 
> 
> Have you looked at the emacs mode for pass?
> https://stable.melpa.org/#/pass
> 
> Not sure what your usecase is, but I find the emacs mode suffices for
> everything I need it to do.
> 
Hello Kushal,

Yes, I am using it to manage the passwords, but the gpg agent is not
compatible and starts an ncurses frontend in the eshell prompt.

Apparently, Dominik has proposed a solution.

Thanks,
André



Re: Remove package file from cache as soon as it is installed

2019-09-22 Thread André Rodier
On Sun, 2019-09-22 at 11:08 -0500, David Wright wrote:
> On Sun 22 Sep 2019 at 16:29:54 (+0100), André Rodier wrote:
> > Hello,
> > 
> > Is there a way, when using apt to install packages, to delete the
> > package file from /var/cache as soon as it is installed?
> > 
> > I am running a package installation inside docker:stable, and it
> > fails
> > in the middle, with no space left on device.
> 
> I think you need to break up the apt command into several of them,
> with clean in between (if needed: apt might clean automatically;
> IDK as I use apt-get).
> 
> Install the dependencies of dependencies first, then the
> dependencies,
> then the packages *with* those dependencies, ie starting from the
> bottom of the tree of dependencies.
> 
> > Otherwise, is there an option to increase the docker image before
> > installing it?
> 
> Cheers,
> David.
> 
Thanks David et al,

The issue was the number of inodes in my /var/lib/docker partition was
ridiculously small, I had to reformat the partition to increase the
number of inodes, and it is now working.

The partition is 20G, with the big files option, perhaps it was the
reason of the small number of inodes?

And yes, I was using overlay2.

Thanks again for your help,

André





Re: Remove package file from cache as soon as it is installed

2019-09-22 Thread André Rodier
On Sun, 2019-09-22 at 18:01 +0200, Nemeth Gyorgy wrote:
> On 2019. 09. 22. 17:29, André Rodier wrote:
> > Is there a way, when using apt to install packages, to delete the
> > package file from /var/cache as soon as it is installed?
> 
> apt-get clean
> 
Thanks, I knew the command, so perhaps I did not explain properly.

Let's take an example:

> Step 7/24 : RUN apt -qq install -t buster-backports -y simple-cdd
> debian-archive-keyring   
>  ---> Running in
> e3e9a1948203 
>  
>  
>   
> WARNING: apt does not have a stable CLI interface. Use with caution
> in scripts.
>  
>   
> debian-archive-keyring is already the newest version
> (2019.1). 
> debian-archive-keyring set to manually
> installed.  
> The following additional packages will be
> installed:   
>   bc binutils binutils-common binutils-x86-64-linux-gnu build-
> essential bzip2  
>   ca-certificates cpp cpp-8 curl dbus dctrl-tools debian-cd
> dirmngr
>   distro-info-data dose-distcheck dosfstools dpkg-dev fakeroot
> file
>   fontconfig-config fonts-dejavu-core fonts-droid-fallback fonts-
> noto-mono g++ 
>   g++-8 gcc gcc-8 ghostscript gnupg gnupg-l10n gnupg-utils gpg gpg-
> agent   
>   gpg-wks-client gpg-wks-server gpgconf gpgsm gpgv gsfonts hfsutils
> iso-codes  
>   isolinux krb5-locales libalgorithm-diff-perl libalgorithm-diff-xs-
> perl   
>   libalgorithm-merge-perl libapparmor1 libapt-inst2.0 libarchive13
> libasan5
>   libassuan0 libatomic1 libavahi-client3 libavahi-common-data
> libavahi-common3 
>   libbinutils libbsd0 libburn4 libc-dev-bin libc6-dev libcc1-0
> libcups2
>   libcupsfilters1 libcupsimage2 libcurl4 libdbus-1-3 libdpkg-perl
> libexpat1
>   libfakeroot libfile-fcntllock-perl libfontconfig1 libfreetype6
> libgcc-8-dev  
>   libgdbm-compat4 libgdbm6 libgomp1 libgpgme11 libgpm2 libgs9 libgs9-
> common
>   libgssapi-krb5-2 libicu63 libidn11 libijs-0.35 libisl19
> libisoburn1  
>   libisofs6 libitm1 libjbig0 libjbig2dec0 libjpeg62-turbo libjte1
> libk5crypto3 
>   libkeyutils1 libkrb5-3 libkrb5support0 libksba8 liblcms2-2 libldap-
> 2.4-2 
>   libldap-common liblocale-gettext-perl liblsan0 liblua5.2-0
> libmagic-mgc  
>   libmagic1 libmpc3 libmpdec2 libmpfr6 libmpx2 libncurses6
> libnetpbm10 
>   libnghttp2-14 libnpth0 libnspr4 libnss3 libopenjp2-7 libpaper-
> utils  
>   libpaper1 libpcre2-8-0 libperl5.28 libpng16-16 libpopt0
> libpsl5  
>   libpython3-stdlib libpython3.7-minimal libpython3.7-stdlib
> libquadmath0  
>   libreadline7 librpm8 librpmio8 librtmp1 libsasl2-2 libsasl2-modules
>   libsasl2-modules-db libsqlite3-0 libssh2-1 libssl1.1 libstdc++-8-
> dev
>   libtiff5 libtsan0 libubsan1 libwebp6 libxml2 libyaml-0-2 linux-
> libc-dev
>   lsb-base lsb-release lynx lynx-common make manpages manpages-dev
>   mime-support mtools netbase netpbm openssl patch perl perl-modules-
> 5.28
>   pinentry-curses poppler-data publicsuffix python-apt-common python3
>   python3-apt python3-chardet python3-debian python3-minimal
>   python3-pkg-resources python3-simple-cdd python3-six python3-yaml
> python3.7
>   python3.7-minimal readline-common reprepro rpm-common rsync
> sensible-utils
>   syslinux-common syslinux-utils tofrodos ucf wget xorriso xz-utils
> [...]
> Selecting previously unselected package g++-
> 8.  
> Preparing to unpack .../044-g++-8_8.3.0-6_amd64.deb
> ... 
> Unpacking g++-8 (8.3.0-6)
> ...  
>  
> dpkg: error processing archive /tmp/apt-dpkg-install-x4yofK/044-g++-
> 8_8.3.0-6_amd64.deb (--unpack): 
>  error creating directory './usr/share/doc/gcc-8-base/C++': No space
> left on device 
> tar: ./prerm: Cannot open: No space left on
> device  
> tar: Exiting with failure status due to previous
> errors   

Remove package file from cache as soon as it is installed

2019-09-22 Thread André Rodier
Hello,

Is there a way, when using apt to install packages, to delete the
package file from /var/cache as soon as it is installed?

I am running a package installation inside docker:stable, and it fails
in the middle, with no space left on device.

Otherwise, is there an option to increase the docker image before
installing it?

Thanks,
André



Re: Get the timezone from an IP address

2019-05-08 Thread André Rodier
On Wed, 2019-05-08 at 15:03 -0400, Michael Stone wrote:
> On Wed, May 08, 2019 at 07:43:58PM +0100, André Rodier wrote:
> > Is there any way - or Debian package - to know the timezone from an IP
> > address, or at least from a country? I have successfully used the geoip
> > databases to get the country, so I could use the main city as an
> > approximation.
> > 
> > I would prefer to do this offline, though.
> 
> You can get a guess on lat/lon for an IP and then get the TZ for the 
> coordinates. Lots of options there, e.g.:
> https://stackoverflow.com/questions/16086962/how-to-get-a-time-zone-from-a-location-using-latitude-and-longitude-coordinates
> 

Thanks, I will check this as well, a lot of links!

-- 
André



nscd errors with AppArmor

2019-02-15 Thread André Rodier
Hello all,

I have an annoying bug or something not configured properly with the
nscd library, that is visible with AppArmor.

This is happening at least with Apache and Dovecot.

With Dovecot:
> Feb 15 06:51:19 portal kernel: [2105960.896749] audit: type=1400 
> audit(1550213479.204:6722): apparmor="DENIED" operation="file_mmap" 
> info="Failed name lookup - disconnected path" error=-13 
> profile="/usr/lib/dovecot/auth" name="var/cache/nscd/hosts" pid=6180 
> comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Feb 15 07:04:30 portal kernel: [2106752.493506] audit: type=1400 
> audit(1550214270.805:6723): apparmor="DENIED" operation="file_mmap" 
> info="Failed name lookup - disconnected path" error=-13 
> profile="/usr/lib/dovecot/auth" name="var/cache/nscd/hosts" pid=6653 
> comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Feb 15 07:47:27 portal kernel: [2109329.163406] audit: type=1400 
> audit(1550216847.487:6724): apparmor="DENIED" operation="file_mmap" 
> info="Failed name lookup - disconnected path" error=-13 
> profile="/usr/lib/dovecot/auth" name="var/cache/nscd/hosts" pid=8221 
> comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> 

With Apache:
> Feb 15 06:25:22 portal kernel: [2104404.314334] audit: type=1400 
> audit(1550211922.612:6713): apparmor="DENIED" operation="file_mmap" 
> info="Failed name lookup - disconnected path" error=-13 
> profile="/usr/sbin/apache2" name="var/cache/nscd/hosts" pid=5144 
> comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Feb 15 06:25:22 portal kernel: [2104404.678807] audit: type=1400 
> audit(1550211922.976:6714): apparmor="DENIED" operation="file_mmap" 
> info="Failed name lookup - disconnected path" error=-13 
> profile="/usr/sbin/apache2" name="var/cache/nscd/passwd" pid=5144 
> comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Feb 15 06:25:22 portal kernel: [2104404.679772] audit: type=1400 
> audit(1550211922.980:6715): apparmor="DENIED" operation="file_mmap" 
> info="Failed name lookup - disconnected path" error=-13 
> profile="/usr/sbin/apache2" name="var/cache/nscd/group" pid=5144 
> comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> 

Basically, the query to open nscd cache files is missing the heading
'/' character.

Does anyone have an idea where this is coming from?

Thanks,
André

-- 
André Rodier
HomeBox: https://github.com/progmaticltd/homebox
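
The triage described in the post above, as an added example that is not part of the original message: it parses AppArmor audit lines and separates "disconnected path" denials, whose name has no leading '/', from ordinary denials. The function names are hypothetical; the first four sample lines are the ones quoted in the post, unwrapped, and the last one is constructed for contrast.

```python
import re
from collections import defaultdict

# Four denials quoted in the post (unwrapped to one line each), followed by
# one ordinary denial that is constructed here for contrast.
SAMPLE_LOG = """\
Feb 15 06:51:19 portal kernel: [2105960.896749] audit: type=1400 audit(1550213479.204:6722): apparmor="DENIED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/auth" name="var/cache/nscd/hosts" pid=6180 comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 15 06:25:22 portal kernel: [2104404.314334] audit: type=1400 audit(1550211922.612:6713): apparmor="DENIED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/apache2" name="var/cache/nscd/hosts" pid=5144 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 15 06:25:22 portal kernel: [2104404.678807] audit: type=1400 audit(1550211922.976:6714): apparmor="DENIED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/apache2" name="var/cache/nscd/passwd" pid=5144 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 15 06:25:22 portal kernel: [2104404.679772] audit: type=1400 audit(1550211922.980:6715): apparmor="DENIED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/apache2" name="var/cache/nscd/group" pid=5144 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 15 06:30:00 portal kernel: [2104682.000000] audit: type=1400 audit(1550212200.000:6716): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/shadow" pid=5144 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
"""

# key="quoted value" or key=bare_value, as used in kernel audit records.
KEY_VALUE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict of audit fields per AppArmor DENIED line."""
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for match in KEY_VALUE.finditer(line):
            quoted, bare = match.group(2), match.group(3)
            fields[match.group(1)] = quoted if quoted is not None else bare
        events.append(fields)
    return events


def is_disconnected(event):
    """True when the kernel could not resolve the path to an absolute name.

    Such records carry the 'disconnected path' info string and a name
    without a leading '/', so no absolute-path rule in the profile matches.
    """
    return ("disconnected path" in event.get("info", "")
            and not event.get("name", "").startswith("/"))


def summarize(events):
    """Group denied names per profile, split by denial kind."""
    grouped = defaultdict(lambda: {"disconnected": set(), "other": set()})
    for event in events:
        kind = "disconnected" if is_disconnected(event) else "other"
        grouped[event.get("profile", "?")][kind].add(event.get("name", "?"))
    return {profile: {kind: sorted(names) for kind, names in kinds.items()}
            for profile, kinds in grouped.items()}


if __name__ == "__main__":
    for profile, kinds in summarize(parse_denials(SAMPLE_LOG)).items():
        print(profile)
        for kind, names in kinds.items():
            print(f"  {kind}: {names}")
```

Denials in the "disconnected" bucket are not fixed by adding an absolute-path rule for the nscd cache; AppArmor profiles have an `attach_disconnected` flag for paths the kernel cannot connect to the namespace root.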



Re: Debian on Phone as webserver

2018-12-14 Thread André Rodier

On 2018-12-13 22:13, Marek Mosiewicz wrote:

> On Thu, 13.12.2018 at 20∶55 +, André Rodier wrote:
>
>> On 2018-12-13 17:31, Marek Mosiewicz wrote:
>>> I'm just about having static IP for my LTE connection.
>>>
>>> That brings me to some idea. What about having install Debian on ARM
>>> old phone to have it as web server. They have quite modern hardware and
>>> this is of course depending on web application, but I suspect that
>>> ordinary PHP website could be served quite easily.
>>>
>>> It can be connected to web as LTE or be bounded to router location via
>>> WiFi or USB cable (that is for sure can be done)
>>>
>>> Battery means that it can monitor easily possible shutdown of system.
>>>
>>> Are there any experiences with installing Debian on phones ?
>>
>> Hello Marek,
>>
>> Interesting, thanks for the feedback.
>>
>> - In which country you are ?
>
> Poland
>
>> - Is the static IP address is IPv4 or IPv6 ?
>
> I have dynamic IP4 address
>
>> - Are the ports 25 and 587 are open, or there are restrictions?
>
> I have mail server on OVH server. I bought there VPS (I had is sometime
> before, even root server time ago). But realizing how much RAM requires
> java CMS I liked I just thought maybe there is something different.
> On my machine ports are closed. Router should also have no this port
> open
> By the way such phone server could also hold mailbox. Just have some
> good backup tool
>
>> - Do you have access to reverse DNS
>
> There is no reverse DNS set. Actually I have no experience with reverse
> DNS. How it is set if there is many web virtual hosts on same machine.
>
>> - How much you pay per month
>
> I pay about $30 a year for mail hosting. $15 monthly for VPS and $10
> and $15 monthly for LTE
>
>> Thanks for your answer.
>>
>> Kind regards,
>> André



Sorry, I am interested in the details of the static IP address with your 
mobile broadband.


Kind regards,
André

--
https://github.com/progmaticltd/homebox



Re: Email tutorial?

2018-04-25 Thread André Rodier

On 2018-04-24 20:56, J.W. Foster wrote:

> I am trying once again to get an email server to run on my server. I
> NEED a qualified tutorial or some real assistance in getting it
> operational and secure. I am aware that there are MANY primers or docs
> on this. Problem is they like most are done for an individual's system
> and are not really designed for my system. So here is what I'm working
> with:
> 1. all IP addresses are DHCP regulated by Spectrum internet.
> 2. I do have a fully functioning Mediawiki website running on this
> server and it is just fine. Spectrum doesn't often change the IP
> addresses.
> 3. I have installed Dovecot and Postfix out of the box with no
> changes, for MTA and mail server
> 4. I have Thunderbird as my MUI.
> 5. All this is running on a system using Debian 9 (stable) with plenty
> of CPU and memory horsepower for the job.
>
> I want to use this system to both send and receive email ONLY for this
> server. There is only one user account currently and that is mine. I
> need to be able to allow my Mediawiki system send replies to my
> membership and to receive queries and emails from that membership.
> There may be additional user accounts that need to be set up but for
> now, only mine. I have been sort of able to send a few test emails to
> my secondary testing account locally. Sending to an outside system
> such as my own Gmail or Yahoo simply does not work. I was getting an
> error message but I reinstalled everything again and am still getting
> that message:
>
> An error occurred while sending mail. The mail server responded:
> 4.7.1 : Relay access denied.


Hello J.W.,

I understand your point, about the tutorials on internet. Most of 
them are covering a small part of email hosting and a lot of other 
aspects are simply ignored. I would not put my emails live with doing 
only just what these tutorials are explaining.


I have hosted my emails for a while, now, and I recently started a 
project on Github that may suit your needs. The principle is to deploy a 
mail server on a Debian standard server, without installing anything 
from source or a git repository. Only Debian packages from maintained 
repositories. Instead of being a long and theoretical tutorial, it is a 
set of Ansible scripts. It is also oriented towards security and 
stability, thanks to Debian.


As you could read in the other answers, having an IP address that changes 
from time to time may affect your delivery, and TTL is perhaps the best 
solution. The project I have started also covers this aspect, to a 
certain extent.


One solution that works for me, when my server is offline: I have setup 
a backup MX record using the DNS provider (Gandi) and I get emails 
automatically from this server when connecting. The script is setting 
this up very easily.


Your only concern would be someone setting up a catchall server and 
waiting for his server to receive emails from your domain. If you are 
receiving personal and confidential email, I suggest you not to do it, 
except if all emails are encrypted.


My project is meant to be at home, but I think it should be fine if you 
are using a remote server. You may have to set the AppArmor flag to 
false, as the scripts are deploying AppArmor profiles by default.


https://github.com/progmaticltd/homebox

Kind regards,
André



hosting emails at home

2017-12-10 Thread André Rodier
Hello everyone,

I have been using Postfix and Dovecot on Debian (Since potato) for my
personal emails for years.
After being tired of reinstalling my personal mail server many times, I
am currently writing some Ansible scripts to do it automatically.

I obviously checked the other projects, and did not find anything close
to what I am looking for, so I am implementing it now.

The final goal is to have a box that once online, would setup itself, by
creating the certificates, the DKIM keys and update the appropriate DNS
records.

This is so far what I have achieved:
- Automatic generation of certificates using LetsEncrypt
- Automatic update of the domain entries: imap, smtp, webmail, etc.
- Automatic generation of DKIM keys
- Automatic update of specific records (MX, SPF, DKIM, etc.)
- LDAP server for user accounts, with or without system login.
- Installation of Postfix, Dovecot and Roundcube

Sending DKIM signed emails is working, and the IMAP server is configured
as well, although basic.

The postfix and dovecot configuration are not yet entirely finished. I
am planning to add an anti spam system, and sieve, amongst other things.

Although in development during my spare time, the system is normally
robust and you should be able to run it multiple times without errors.

If anyone is interested to use it, to have a look, or to take part, it
is here: https://github.com/progmaticltd/homebox

Kind regards,
André Rodier.



LVM replication between two computers

2014-05-09 Thread André Rodier

Hello all,

I have a Debian Wheezy based virtualizer, with software raid properly 
configured :-)


I would like to try DRBD/GFS2 clustering, on top of an LVM, using this 
link: http://www.drbd.org/users-guide/s-lvm-lv-as-drbd-backing-dev.html


So far, the logical stack would be like this:

2 - GFS2
2 - DRBD
1 - LVM
0 - RAID1

Now, some questions:

1) At the moment, I have only one computer available, so is it possible 
to start a DRBD cluster with only one computer, and add a second 
computer later.

2) Is it really wise to use such a complex stack to host virtual machines?
3) Would it be faster to use directly LVM volumes to host virtual 
machines?
4) Would it be better to use another stack, for instance DRBD on top of 
software RAID?
5) Is DRBD the best solution to replicate LVM modules easily with two 
computers?


My final goal is to be able to do live migration, between two or more 
virtual machines hosts, without using a shared storage.


Thanks for your advice
Andre Rodier.


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Archive: 
https://lists.debian.org/18a762b23713488139756f2e42f10...@webmail2.rodier.me



Re: LVM replication between two computers

2014-05-09 Thread André Rodier

On 2014-05-09 13:15, Denis Witt wrote:

> On Fri, 09 May 2014 12:14:50 +0100
> André Rodier an...@rodier.me wrote:
>
>> 1) At the moment, I have only one computer available, so is it
>> possible to start a DRBD cluster with only one computer, and add a
>> second computer later.
>
> Yes, but you can't test certain things. What you can do is to set up
> Xen on your Machine and create two hosts for testing. The downside is
> that if you don't want to keep Xen you have to set up anything again
> when your second physical machine is available.
>
>> 2) Is it really wise to use a so complex stack to host virtual
>> machines? 3) Would it be faster to use directly LVM volumes to host
>> virtual machines?
>
> Works fine for me (except I don't use GFS2). As I use a
> Failover-Cluster-Setup I have a classic primary/secondary-DRBD-Setup.
> So there is no need for a Cluster-Filesystem, as only one DRBD-Drive
> is active (mounted). I use ext4.
>
>> 4) Would it be better to use another stack, for instance DRBD on top
>> of software RAID?
>
> I'm using it that way (in fact I use a hardware RAID10, but did some
> tests before using mdadm, works fine too.)
>
>> 5) Is DRBD is the best solution to replicate LVM modules easily with
>> two computers?
>
> I replicate the ext4, not the LVM. My Machines are Xen-DomUs having no
> knowledge that their drives have LVM-Support at all. Only the Dom0s
> have access to LVM. But from the top of my head I could not think of
> any problems replicating the LVM itself.
>
>> My final goal is to be able to do live migration, between two or more
>> virtual machines hosts, without using a shared storage.
>
> Using it for more than a year now, together with pacemaker/corosync,
> without problems on about 35 machines.
>
> Regards.


Thanks a lot for all this information.

Andre Rodier.


--

Archive: 
https://lists.debian.org/f98b7062990500d587ef17e895d11...@webmail2.rodier.me



dovecot version in debian wheezy

2013-07-08 Thread André Rodier

Hello all,

The version packaged in Debian wheezy (2.1.7) contains a bug with the 
solr plugin that prevents indexing a large number of folders (#704422).


Does anyone know how to properly compile a more recent version on Debian?

Thanks
André


--

Archive: http://lists.debian.org/51da5537.9000...@gmail.com



Routing problem with PLIP

2003-01-31 Thread André Rodier
Hi everyone!
I am desperately trying to use a PLIP link between a laptop
and a gateway.
The gateway already works with another PC, via a 1Mbps network
card, and this works well. However, the laptop does not seem to
want to use the gateway, and pings to my ISP remain
unanswered.
Pings between the laptop and the gateway work (they can see
each other).
So it is a problem with the configuration of the route, from the laptop to the
gateway. Could someone explain to me the strange syntax of the
route command, and tell me which commands are used to configure
the route.
On the laptop, I tried:
route add default gw serveur netmask 255.255.255.0 dev plip0
but then, the pings sent to my DNS remain unanswered.
There is a mini howto, in French, but I find it confusing, and it
is a bit dated.
Thanks for your help.