Category Archives: Linux

Fun with regex: We match the requirements for the HTTPS DNS record type defined by RFC 9460

Reading an RFC in full, understanding it and transferring it into a standards-compliant application can be very difficult; at times the work feels closer to that of a lawyer.

We start off with section 2.1 of RFC 9460, which defines the following rules for us to apply:

  • the record data must be formatted as “SvcPriority TargetName SvcParams” where
    • SvcPriority is a number between 0 and 65535 (a 16-bit unsigned integer; 0 means AliasMode, every other value ServiceMode)
    • TargetName is a domain name, i.e. a sequence of labels joined by dots; in the preferred syntax each label consists of letters, digits and hyphens and is at most 63 characters long, and the whole name may not exceed 255 octets in wire format (253 characters in text form without the trailing dot)
      • Note: the domain-name syntax is not specified in RFC 9460 but in RFC 1035
    • SvcParams is a whitespace-separated list of zero or more SvcParams (it may be empty, and in AliasMode it is ignored), each of them either a bare key such as ‘mykey’ or a key=value pair such as ‘mykey=myvalue’; keys consist of 1 to 63 characters from a-z, 0-9 and ‘-’ and may appear only once, values may be written in double quotes (‘mykey=“my value”’) and must be whenever they contain whitespace

Continue reading Fun with regex: We match the requirements for the HTTPS DNS record type defined by RFC 9460
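As an added example, not the regex from the post itself, the rules above turned into a small Python validator and parser. It follows the ABNF of section 2.1 and the <char-string> rules of Appendix A of RFC 9460, applies the RFC 1035 preferred name syntax to TargetName (labels may not start or end with a hyphen), enforces the length limits and the "each key at most once" rule, and decodes \X and \DDD escapes. The record strings in the demo are constructed, not taken from any real zone.

```python
"""Validate and parse the presentation format of an HTTPS record
(RFC 9460 section 2.1 and Appendix A) with regular expressions.
Added example for this page; not the regex from the original post."""
import re

# RFC 1035 preferred name syntax: 1-63 letters, digits or hyphens per
# label, no leading or trailing hyphen.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"

# TargetName: dot-separated labels with an optional trailing dot, or the
# bare root "." to which RFC 9460 section 2.5 gives a special meaning.
TARGET = r"(?:\.|" + LABEL + r"(?:\." + LABEL + r")*\.?)"

# SvcParamKey: 1-63 characters from a-z, 0-9 and "-" (section 2.1).
KEY = r"[a-z0-9-]{1,63}"

# SvcParamValue is a <char-string> (Appendix A): either quoted, which may
# contain whitespace, or contiguous without whitespace and quotes.
# Backslash escapes (\X or \DDD) are allowed in both forms.
QUOTED = r'"(?:[^"\\]|\\.)*"'
CONTIGUOUS = r'(?:[^\s"\\]|\\.)+'
VALUE = "(?:" + QUOTED + "|" + CONTIGUOUS + ")"
PARAM = KEY + "(?:=" + VALUE + ")?"
PARAM_RE = re.compile("(?P<key>" + KEY + ")(?:=(?P<value>" + VALUE + "))?")

# Whole RDATA: "SvcPriority TargetName SvcParams"; SvcParams may be empty.
RDATA_RE = re.compile(
    r"^(?P<prio>\d{1,5})\s+(?P<target>" + TARGET + r")"
    r"(?P<params>(?:\s+" + PARAM + r")*)\s*$"
)


def _decode_char_string(raw):
    """Strip quotes and resolve \\X and \\DDD escapes; None if malformed."""
    if raw.startswith('"'):
        raw = raw[1:-1]
    out, i = [], 0
    while i < len(raw):
        if raw[i] != "\\":
            out.append(raw[i])
            i += 1
            continue
        digits = raw[i + 1:i + 4]
        if len(digits) == 3 and digits.isdigit():
            code = int(digits)
            if code > 255:            # \DDD must denote a single octet
                return None
            out.append(chr(code))
            i += 4
        elif i + 1 < len(raw) and not raw[i + 1].isdigit():
            out.append(raw[i + 1])    # \X stands for X itself
            i += 2
        else:
            return None               # lone backslash, or \D / \DD
    return "".join(out)


def parse_https_rdata(rdata):
    """Return (priority, target, params) or None when rdata is malformed.

    params maps each key to its decoded value, or to None for a bare key.
    """
    m = RDATA_RE.match(rdata)
    if m is None:
        return None
    prio = int(m.group("prio"))
    if prio > 65535:                  # SvcPriority is a 16-bit unsigned integer
        return None
    target = m.group("target")
    # 255 octets on the wire correspond to 253 text characters without the
    # trailing dot; the 63-character label limit is enforced by LABEL.
    if len(target.rstrip(".")) > 253:
        return None
    params = {}
    for pm in PARAM_RE.finditer(m.group("params")):
        key = pm.group("key")
        if key in params:             # each SvcParamKey at most once
            return None
        raw = pm.group("value")
        value = None if raw is None else _decode_char_string(raw)
        if raw is not None and value is None:
            return None
        params[key] = value
    return prio, target, params


if __name__ == "__main__":
    # Constructed sample records, not taken from any real zone.
    for rr in ("0 foo.example.com.",
               '16 svc.example.net alpn="h2,h3" port=443 no-default-alpn',
               "1 svc.example.net alpn=h2 alpn=h3"):
        print(rr, "->", parse_https_rdata(rr))
```

The regex alone only answers "is this syntactically a record"; the priority range, the total name length, duplicate keys and escape sequences are easier to check in code afterwards than to squeeze into the pattern, which is why the function does those separately.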

Compile SquirrelMail imapproxy with OpenSSL 1.1.1 and 3.0

imapproxy is an application-aware IMAP proxy. Webmailers such as SquirrelMail or Roundcube open a fresh IMAP session for almost every click; imapproxy lets them talk to a local, low-latency endpoint while it keeps the connection to the real mail server, possibly reached over a high-latency link, open and reuses it, so the connection setup and login roundtrips are saved.

Both SquirrelMail and imapproxy are very outdated software, and you may not want to run them at all. If you really want to, the rest of this article shows how to compile imapproxy yourself.

Continue reading Compile SquirrelMail imapproxy with OpenSSL 1.1.1 and 3.0

Dovecot “get_public_key(INBOX) failed: […] Mailbox attributes not enabled”

If you use Dovecot as an IMAP or POP3 server and have looked around for how to secure and design your setup, you have probably come across the mail-crypt plugin for Dovecot. The plugin lets you store mails in encrypted form, i.e. it provides so-called “encryption at rest”: it protects the mail files against someone who gets hold of the disk or a backup, not against an attacker who controls the running server, since the keys have to be available to Dovecot to deliver and read mail.
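The error in the title shows up when mail-crypt is used with per-folder keys (mail_crypt_save_version = 2 without global keys): the folder's key pair is stored as mailbox attributes, and that requires an attribute dictionary. As an added illustration, not the configuration from the post, a minimal dovecot.conf fragment with the setting that is missing in that situation; the Maildir path is an assumption.

```ini
# dovecot.conf fragment (added example, not the post's configuration)
mail_plugins = $mail_plugins mail_crypt

# Per-folder keys are stored as mailbox attributes. Without a
# mail_attribute_dict every attribute lookup, including mail-crypt's
# get_public_key(), fails with "Mailbox attributes not enabled".
# %h/Maildir is assumed here; match it to your mail_location.
mail_attribute_dict = file:%h/Maildir/dovecot-attributes

plugin {
  # 2 = per-folder keys (0 would disable encryption on save)
  mail_crypt_save_version = 2
  mail_crypt_curve = secp521r1
}
```

The attribute file sits next to the encrypted mail, so it does not need to be protected any more strictly than the Maildir itself; what does need protecting is the user key, which unlocks the folder keys.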

Continue reading Dovecot “get_public_key(INBOX) failed: […] Mailbox attributes not enabled”

Various approaches to extract the cluster state from keepalived VRRP-instances

keepalived can be used to move one or more virtual IPs between several server systems. Typically, the underlying protocol for this is VRRP (Virtual Router Redundancy Protocol).

To determine whether the local host currently holds the active (MASTER), the passive (BACKUP) or a dysfunctional (FAULT) state for a VRRP instance within the cluster, there are multiple approaches, each with its own pros and cons.

The goal is to give a brief overview and examine some methods in detail, making it easier for other system administrators who face the same task.

TLDR: See “Part 5 – DBus”

Continue reading Various approaches to extract the cluster state from keepalived VRRP-instances

Set up an rsyslog server with multithreaded TLS encryption using stunnel

If you run an rsyslog server that uses the imtcp module with OpenSSL or GnuTLS for encrypted transport, chances are that, as your infrastructure or log volume grows, you will notice that rsyslog does all of its TLS processing on a single thread, no matter how many CPUs the machine has. This is by design: at the time of writing, the imtcp module, which is also the only plain-syslog TCP input module supporting TLS, does not spread TLS work across multiple CPUs.

The imptcp module (“plain TCP”), on the other hand, does support multiple worker threads, but cannot do any encryption.

In my case, I found that the only viable solution to multithreaded TLS offloading with rsyslog is to wrap stunnel in front of it, like this in /etc/stunnel/rsyslog-server.conf:

Continue reading Set up an rsyslog server with multithreaded TLS encryption using stunnel
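To make the arrangement concrete, here is a minimal stunnel server configuration of my own (an added example, not the file from the post): stunnel terminates TLS on port 6514, the standard port for syslog over TLS, and forwards the plaintext over loopback to an imptcp listener. The certificate paths, port 10514 and the stunnel4 user are assumptions.

```ini
; /etc/stunnel/rsyslog-server.conf (added example, not the post's file)
; stunnel terminates TLS and hands plaintext to imptcp on loopback.
foreground = no
setuid = stunnel4           ; assumed service user
setgid = stunnel4
pid = /run/stunnel-rsyslog.pid

[rsyslog]
accept  = 0.0.0.0:6514      ; syslog over TLS, reachable from the clients
connect = 127.0.0.1:10514   ; plaintext imptcp listener, loopback only
cert    = /etc/stunnel/rsyslog-server.pem
key     = /etc/stunnel/rsyslog-server.key
CAfile  = /etc/stunnel/rsyslog-ca.pem
verifyChain = yes           ; client certificate must chain to our CA
requireCert = yes           ; ...and must be presented at all
sslVersionMin = TLSv1.2
```

On the rsyslog side the matching input is `module(load="imptcp" threads="4")` and `input(type="imptcp" port="10514" address="127.0.0.1")`; binding to 127.0.0.1 keeps the plaintext listener off the network so nobody can bypass the TLS wrapper. Two caveats: rsyslog now sees every connection as coming from 127.0.0.1, so `fromhost-ip` no longer identifies the sender and you have to rely on the hostname inside the message; and with `requireCert` and `verifyChain` the CA file decides who may send logs at all, so keep it limited to your own log CA rather than a system-wide bundle.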

Data recovery from defective storage media using ddrescue and photorec

Recently, I found myself having to undertake a large-scale recovery operation on a 15-year-old hard drive with a total runtime of nearly 70,000 hours. The drive had long suffered from numerous defective sectors and read errors.

The specific hard drive model in question was the SAMSUNG HD501LJ, a common model in systems of that time. It was replaced by 750 GB and 1 TB models in the following years, before the hard drive division of SAMSUNG was partially acquired by Seagate in 2011.

The task at hand was not an easy one, as it involved:

  1. Securing and reading as much data as possible.
  2. Making the existing data on the file systems available.
  3. Locating and making available data that had been deleted in the distant past.
  4. If feasible, writing the data onto a new storage medium of equal or greater size to restore the original system.

Continue reading Data recovery from defective storage media using ddrescue and photorec