?
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
smime.p7s
Description: S/MIME Cryptographic Signature
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
oe etc. etc.. They rarely object to plussed user
addresses or single-person-owned domains that could have a catchall
configured, though ...
(I *should* have tried a user part with "ß" on an upcasing online
service back when that umlaut officially *didn't have* an uppercase
version ...
might want to
try reducing the MTU configured in your client.
Other than that, do you see any packets of a connection *attempt* arrive
on the server, or corresponding log entries?
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
stro, and Other Parameters May Vary"
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
oblem.
... as long as the VPNs are running in UDP mode, and the server goes
through an *orderly* shutdown ...
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
having a plugin run amok and cause the master dovecot
process to abort due to OOM sounds like creating an even worse problem,
frankly ...
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
would choose to fail the POP requests?
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
pn/scripts(/.*)?
system_u:object_r:openvpn_unconfined_script_exec_t:s0
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
their VPNs.
(Also, the capabilities of nation-level censors vary with the nation in
question, and you have never mentioned - maybe for good reason - *which*
nation we're talking about ...)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
rt of file upload service would probably fit the bill best. You
still shouldn't upload the same file over and over, or in regular
intervals, though, if you want to fool the national censors.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
a
problem in that OpenVPN doesn't try to write to the log in the first place.)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
as in more resistant to cryptanalysis ... no idea. People
around me tend to value the recommendations of the BSI more than my
CYA-fu and cipherpunkness, anyway. Try https://www.schneier.com/ for a
second opinion.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
to the point, OpenSSL 3.0.9.)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
give them
*exact* names including the number in the OpenVPN configs) on the
server, enable forwarding there as well, and finally, either MASQUERADE
on the server or push a proper set of routes to the VPN clients.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
On 08.02.24 19:04, Peter Davis wrote:
On Thursday, February 8th, 2024 at 3:45 PM, Jochen Bern
wrote:
On 08.02.24 11:36, Peter Davis via Openvpn-users wrote:
Can an intermediate server do this? Instead of connecting directly to
the final server, people connect to an intermediate server
, and ideally many more servers) does ... ?
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
oo. What's the rationale to limit a CRL
installed *there* to a lifetime of one week, if that's a burden to ops?
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
$ locale -a | wc -l
873
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
On 27.01.24 19:27, Peter Davis wrote:
On Thursday, January 25th, 2024 at 1:25 AM, Jochen Bern
wrote:
Also, don't forget to configure the VPN server with --port-share, in
case one of the nation-level censors you're trying to fool gets the idea
of looking at your "interesting website"
*.rpmnew file when the update
finds the current version manually changed.)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
ink I've *once* seen a case where it was necessary to use "sudo -s"
instead.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
--port-share, in
case one of the nation-level censors you're trying to fool gets the idea
of looking at your "interesting website" himself ...
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
te servers while they're deep-diving might well
be the *idea*. :-3
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
On 22.01.24 12:01, Peter Davis wrote:
On Monday, January 22nd, 2024 at 10:41 AM, Jochen Bern
wrote:
On 20.01.24 07:24, Peter Davis wrote:
When someone connects to this server with OpenVPN and uses the Internet, then
all his/her Internet connections are tunneled through Tor.
I want to know
way of having the logs collected, across servers, in a central (tamper
proof) location.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
On 20.01.24 07:24, Peter Davis wrote:
On Friday, January 19th, 2024 at 5:04 PM, Jochen Bern
wrote:
On 19.01.24 13:59, Peter Davis via Openvpn-users wrote:
I want to tunnel OpenVPN on Tor and I found the following iptables rules:
# export OVPN=tun0
# IPTABLES -A INPUT -i $OVPN -s 10.8.0.0/24
normal VPN clients try to send through
the server.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
*do* need separate cert+privkey pairs for every *device* connecting to
the VPN.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
Not
Want To Do That™.
(Disclaimer: Talking about "key"s as in "client privkey+cert" here.
Per-department *secrets* for HMAC auth are a different beast.)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
a command/procedure to create a CA cert that way.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
nfirmed by the issuer, but it seems that your national
authorities ceased to exist".
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
On 08.01.24 07:19, Peter Davis wrote:
On Sunday, January 7th, 2024 at 10:52 PM, Jochen Bern
wrote:
On 07.01.24 06:50, Peter Davis via Openvpn-users wrote:
Now if I ignore the warning message above, what is the risk?
Then you'll lose the content of those files that only the CA needs
haddya mean we have no process for that!?" happen.
¹ https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
² i.e., the leaf cert will turn inoperational when the *CA* cert
expires, *not* on the (later) day the leaf cert's n
, you'll be unable to have a new
one created by the same CA, thus requiring a config change on *every*
client - wherever and in whosever hands it is - before it'll be able
to connect to the VPN again.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
will be
located, ...
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
) in them.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
/wiki/Paper_size#/media/File:A_size_illustration2_with_letter_and_legal.svg
There are printers that outright *refuse* to print out a PDF stating a
sheet size different from the paper actually sitting in the tray, etc..
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
on them? ;-)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
e no info for an IP you look
up, or some that's plain wrong.
And *then* there are things like Anycast or BGP hijacking or VPN
services to obscure one's origin or ...
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
w to solve it?
So the client tries to encrypt the control channel packets, on top of
the HMAC auth, but the server doesn't do any extra (en- or) decryption,
I'd guess ...
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
cess to the router's *admin interfaces*,
of course. Preferably with belt (client IP whitelist on the router),
suspenders (having iptables filter out attempts through the VPN), *and*
superglue (strong authentication mechanisms).
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
day one, but to make sure that you
got keypair/cert/CRL rollovers implemented end-to-end and well-tested
while you still have a nominal devel budget for the project.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
-noout -text | grep -B 1 CA:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
-to-date are your client installations?
(I still take care to get expired CAs removed from configs before their
final CRL expires as well, just in case.)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
, DuckDuckGo.com does *not* have IPv6 addresses, so be
prepared to run a 6-to-4 gateway as well ...
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
local IPv6 addresses assigned - at which point
IPv6 LISTENs will work, too.
Of course, if you "disabled" IPv6 by compiling a kernel without the code
relevant to it (is it still possible to do that?), various things might
break *hard* ...
Kind regards,
--
Jochen Bern
Systeminge
ed* as well. User+pass does not
provide for encryption keys.
¹ And I mean *certificates*, half of what you list aren't.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
On 27.08.23 20:43, Jason Long wrote:
On Sun, Aug 27, 2023 at 1:33 PM, Jochen Bern
that seems correct, but as I said, I don't use EasyRSA myself.
Hello, Thanks again. Can you show me the OpenSSL commands that you use
to generate the server and client certificates?
I'm not using bare OpenSSL
a POSIX Bourne-style shell
https://unix.stackexchange.com/questions/368944/what-is-the-difference-between-env-setenv-export-and-when-to-use
that seems correct, but as I said, I don't use EasyRSA myself.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
e to send a new key to clients automatically when client
key is revoked?
Not with one OpenVPN connection alone (as revoking the key means that
you do not trust that client anymore, and thus should hand over a new
one to the (re-)verified holder by *different*, still-trusted means).
t
have the CA issue a *new* cert instead.
*Revoked* certs do *not* count against the guideline of "there shouldn't
be two certs by the same CA for the same DN with overlapping validity
periods".
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
ey lose your trust.
Etcetera.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
irst place would be it - which is
exactly what you're trying to do, without ever explaining *why* you
would want to do that.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
like "JasonLong_privCell" instead.
Not that it should be much news to you how *I* would name CA, server,
and client certs, respectively, if you had read my previous posts ...
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
./easyrsa sign-req server
NAME" commands. Right?
NO. Reread what I wrote about the (hint: different) roles the certs
generated by these two sets of commands have.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
VPN clients usually aren't expected to *have*
a long-term-stable FQDN, so I would suggest naming the certs by user
and/or device, like "Jason Long's private cell phone".)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
ecause it assumes that you made sure to have it
created and installed in the correct location with the intended CN
"client2" beforehand and don't *need* to check "now which cert did this
client happen to end up with?".
Kind regards,
--
Jochen
ng* cert, or you
misnamed the certs as you created them (even more than that how-to
instructs you to).
Anyway, in order to create a CCD file for your client using the cert it
uses *now*, the CCD file would need to be named "server".
Kind regards,
--
Jochen Bern
Systemingenieur
Bine
ks about the cert the client presents, you'll have
to have the client make an attempt to connect, and then grab the logs
from *those* couple seconds.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
would nonetheless recommend that you look at the server log (of
suitable verbosity) for a line telling what cert/CN the client has
actually sent, though.
Kind regards
--
Jochen Bern
Systemingenieur
Binect GmbH
with *no
packets* being sent yet. Hence, your iptables setup is entirely
irrelevant there.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
astructure. And proper per-customer network isolation doesn't scale
well to only a *few* end-to-end-transparent public IPs per range/country.)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
shown us only what you *actively changed* (no info on the
chains' policies, for example), and the question what SRC IP the through
traffic is MASQUERADEd to (to compare that with the filter rules) is
still open.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
route to 8.8.8.8, so the pings *should* have gone into the VPN,
as intended.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
I said,
it's *your* trade-off (vulnerable monoculture vs. maintenance
complexity, yadda yadda) to make.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
ther
hand, if someone manages to hack a server (VM) and grabs the keys there,
you have an interest to disable only *that* server, and not others just
because they use the same now-compromised keypair.
That trade-off is essentially yours to gauge ...
Kind regards,
--
Jochen Bern
Systemingenieur
B
dress the client has "in the
Internet". It's important to keep all these addresses and their roles
separate, as their choice/design follows different requirements.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
" statements in your server-side configs state what
IPs the *clients* will be assigned to use for the traffic *inside* the
VPN, once they have connected. You very probably want to put different
IP ranges into every single config file, *regardless* of whether "port"
matches between two conf
., from a "template" unit file installed with OpenVPN, you derive one
systemd service for each config file, and administrate those like you
would a "standalone" service.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
[ClientCertFile]",
"OK"s all combinations. (As it should.)
How can I try to further narrow down the root cause?
Thanks in advance,
--
Jochen Bern
Systemingenieur
Binect GmbH
nd an equivalent for the
*virtual* accounts' password backend ...
(Yes, it'd be better to have it seamlessly integrated into the IMAP
protocol, but don't forget that you'd need the *MUAs* to start
supporting it as well before the general public will ever even learn
about the new feature ...
as things, especially the number of such fourth parties to
support by the same CA, start to scale up IMHO. Which promptly brings
us back to you running the CA yourself ...
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
"no A or RRs found", in fact, I'm getting an NXDOMAIN for the FQDN).
Regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
tall it so as to install a current
version from a different source.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
en inside encryption (that a
MitM may or may not be able to crack), so it's not a clear all-out FAIL
to use those.
Whether the password is still in cleartext *when written to / read from
disk* is another question, but that would be a negligible defense
against someone who rooted your server.
Kind reg
hark) without having to crack any crypto ...
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
was "how many users may there be who flag incoming
e-mails with the due date for the request contained in them, rather than
using a separate calendar or to-do-list application?" ...)
Regards
--
Jochen Bern
Systemingenieur
Binect GmbH
On 01.07.22 20:02, Jochen Bern wrote:
*Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH),
POP, and IMAP protocol definitions do not provide elbow room to make
*two* rounds of authentication. (Ever pondered why the admin can require
O365 users to "use 2FA",
o communicate with the token directly
(ideally so that the user gets the password-to-enter via the token, say,
per SMS, but for *that* to work out, you need that *every* piece of
software used is willing and able to forward the info "user X wants to
make an attempt at auth" *before* i
ISHED-ACCEPT rule's
priority (it's some additional burden to the CPU to match *all* incoming
IMAP(S) packets against the blocklist, after all), you could always
render it effectively unusable by setting a (blackhole) host route for
the IP.
Regards,
--
Jochen Bern
Systemingenieur
Bin
rts, so MitM attacks are definitely possible.
[Still vividly remembers finding that a certain camping ground's WiFi
transparently redirects guests' SMTP/IMAP to a snooping, SSL-enabled
server ...]
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
ch have a Message-ID of their own, with the IDs of the
earlier e-mails appearing in In-Reply-To: and References: headers to
support threading in MUAs.)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
v1, in the meantime -
at least by Red Hat - downgraded to *not* be a *Remote* Code Execution
(RCE) vuln) ...
Regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
, too.
In either case, keep in mind that you'll have to set up other mechanisms
(e.g., logrotate, logwatch, ...) to work on the new file, too.
Regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
(backing off) way, either. Cutting the worst of
them off by other means, like iptables, is the way to go IMHO ...
Regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
___
stunnel-users mailing list
nner like sslyze against the
server.)
Regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
From:Cc:Reply-To:Subject:In-Reply-To:References:From;
>
> [...] I do not know why Reply-to and From are both listed twice.
(That's Reply-To: (the address(es) to which to send replies) and
*In-*Reply-To: (the Message-ID of the mail that *this* e-mail replies
to), FWIW.)
Regards,
--
Jochen
ost:80
> connect = svchost:443
> ;
>
> Alas, stunnel still resolves svchost from the global /etc/hosts - not from
> chroot's!:
Why wouldn't you just put "connect = 1.2.3.4:443" into your stunnel
config ... ?
Regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
ntOS 6 Platform for
~8 years (until it was upgraded to CentOS 8) without a problem (other
than that it didn't use RELP, which was not yet production ready in
rsyslog at the time the platform was set up) ...
Regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
you NOT have an SMTP-out server for
this account at all!" etc..)
Regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
"ss"/"netstat" for the server's LISTEN and simply
terminates stunnel if it isn't found.
Or even better, have the server *restarted* automatically whenever it
croaks ...
Regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
On 18.01.21 12:18, @lbutlr wrote:
> On 18 Jan 2021, at 04:12, Jochen Bern wrote:
>> (Also, you can legally have several e-mails with the same Message-ID in
>> your mailbox; e.g., someone addressed it to two aliases that both expand
>> to you, just to name one possibility wh
; e.g., someone addressed it to two aliases that both expand
to you, just to name one possibility where *both* go through *sieve* as
well.)
Regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
"problem" by appending A,B,C,... to the CN -
which was possible because we're using *actual CAs* there. For server
certs, where you need the CN to match the FQDN, you might want to add an
OU with a timestamp so as to have the *DN* as a whole differ ...
Kind regards,
Jochen Bern
Systemingenieur
Binect GmbH
issued, so at least the server admin would
prefer to have the old SC revoked but *not* the new one.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
mail loops.
If you don't know *exactly* what you're doing, maintain your myriad of
users/mailboxes *both* at the ISP and on your internal servers and put
the "mails in ISP mailbox X *all* go into internal mailbox Y, and
nowhere else!" relations "hardcoded" into your retrieval t
_pipe_exec_t:s0 gpgit gpgit 12141
> May 11 2015 gpgit.pl
Needless to say, you'll have to "su - gpgit" and "gpg --import ..." the
various(?) recipients' public keys, too. And *monitor* them there, if
there are any with a limited lifetime ...
Kind regards,
--
Jochen Be
ack randomization, SSH logins from
remote that fail, etc. etc..
Kind regards,
--
Jochen Bern
Systemingenieur
E jochen.b...@binect.de
W www.binect.de
(and, if present, reverse proxy
solution) you're using.
Regards,
--
Jochen Bern
Systemingenieur
www.binect.de
www.facebook.de/binect
edirect to www.mydom.ain).
Regards,
--
Jochen Bern
Systemingenieur
www.binect.de
www.facebook.de/binect
1 - 100 of 237 matches