djs.to

darrin's musings on software, linux, and anything else.

CentOS 7.1: Install StartSSL CA Certificate

A few months ago I configured Postfix on my CentOS 7.0 VPS to accept a TLS client certificate from my laptop, instead of a password. My client certificate was obtained from StartSSL, who have a rather convoluted process but seem to be the best value CA out there.

Last week CentOS 7.1 became available. I did a yum update and rebooted, and it all seemed to go without a hitch, until I tried to send an email. My server was logging ‘certificate verification failed’.

After a bit of research, I figured that the problem might be with the StartSSL certificate chain. Time to figure out how to add it to the system. Turns out it's fairly easy:

Step One: Fetch the StartSSL bundle and put it in the right directory

cd /etc/pki/ca-trust/source/anchors
curl -o startssl-ca-bundle.pem http://www.startssl.com/certs/ca-bundle.pem

Step Two: Rebuild the trust database

update-ca-trust

Step Three: Restart Postfix

service postfix restart
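The three steps above as one script, added here as an example and not the post's own commands. It assumes the CentOS 7 ca-trust layout and the URL and file name from the post, and that curl, openssl and p11-kit's trust command are installed; because the bundle is fetched over plain HTTP, it also checks that the download really is a PEM bundle and lets you require a root fingerprint you obtained out of band before anything is installed.

```shell
#!/bin/sh
# Added example (not the post's own commands): fetch the StartSSL bundle, check
# that it is really a PEM bundle, optionally match it against a root fingerprint
# obtained out of band, install it as an anchor and confirm the trust store sees it.
set -eu

BUNDLE_URL="http://www.startssl.com/certs/ca-bundle.pem"   # URL from the post
ANCHOR_FILE="/etc/pki/ca-trust/source/anchors/startssl-ca-bundle.pem"

# Print the number of complete PEM certificate blocks in $1, or 0 when the file
# is not a well-formed bundle (truncated download, HTML error page, ...).
count_pem_certs() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    if [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]; then echo "$begins"; else echo 0; fi
}

# Print subject and SHA-256 fingerprint of every certificate in bundle $1.
bundle_fingerprints() {
    d=$(mktemp -d)
    awk -v d="$d" '/^-----BEGIN CERTIFICATE-----$/{n++} n{print > (d "/" n ".pem")}' "$1"
    for f in "$d"/*.pem; do openssl x509 -in "$f" -noout -subject -fingerprint -sha256; done
    rm -rf "$d"
}

# install_bundle [EXPECTED_ROOT_SHA256]: the bundle travels over plain HTTP, so
# pass a root fingerprint you obtained out of band; without it you are trusting
# whatever the network handed you.
install_bundle() {
    tmp=$(mktemp)
    curl -fsS -o "$tmp" "$BUNDLE_URL"
    n=$(count_pem_certs "$tmp")
    [ "$n" -gt 0 ] || { echo "download is not a PEM bundle, not installing" >&2; rm -f "$tmp"; return 1; }
    echo "bundle contains $n certificate(s):"; bundle_fingerprints "$tmp"
    if [ -n "${1-}" ] && ! bundle_fingerprints "$tmp" | grep -qi "$1"; then
        echo "expected root fingerprint not found, not installing" >&2; rm -f "$tmp"; return 1
    fi
    install -m 0644 "$tmp" "$ANCHOR_FILE"
    rm -f "$tmp"
    update-ca-trust
    # If the anchor is not in the consolidated store now, restarting Postfix will not help.
    trust list --filter=ca-anchors | grep -qi startcom || echo "warning: no StartCom anchor in trust store" >&2
    service postfix restart
}

# Installing only when asked keeps the file safe to source for its functions.
if [ "${1-}" = "--install" ]; then install_bundle "${2-}"; fi
```

Run it as root with `--install` (optionally followed by the expected root fingerprint); without arguments it only defines the functions.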

And that takes care of that. I wish Postfix/OpenSSL had some better diagnostics when things go wrong; it would reduce the amount of guesswork required.

RamNode

Some time ago I moved my virtual private server to a new provider. The old one was fine, but I wanted to play around with IPv6 and RamNode offered that. They were also able to host CentOS 7 which I was keen to familiarize myself with.

More recently they added a hosting site in my city, so I took them up on their offer to migrate my VPS. I was very impressed: it was about a 15-minute process and went flawlessly.

This site still sits behind CloudFlare, which has been doing a splendid job although there has not really been enough traffic to give it a decent test.

Hyper Estraier

This must be a pretty common scenario. Your company has a private intranet which is a cobbled together group of web servers, wikis, maybe Bugzilla if you do software development, maybe some CRM systems, inventory systems, databases with web front-ends and so on.

After a while everyone starts complaining that they can't find the information they need. Nothing is structured, and there is no global search facility. What everyone craved was a Google-like search for the private data on the intranet.


This was becoming quite a problem at my place of work, until I discovered Hyper Estraier. This is one of those delightfully terse pieces of software that is not only incredibly fast, but flexible enough that I am confident I can use it to index any intranet data we will have.


blkid

It's funny how, even after many years of working with Linux and other Unix-like systems, every now and then a little utility comes up that you never knew about.

blkid is one of those little utilities that is wonderfully handy, and now I find myself using it all the time.


CloudFlare and a Virtual Private Server

It wasn't that long ago that people paid fairly hefty monthly rates to host web sites, with pitifully small storage quotas.

Then along came companies like DreamHost that promised massive amounts of storage at much lower cost. But even small personal sites would still be up for hundreds of dollars per year in hosting fees.

By this time, we all had 24/7 broadband internet. And (depending on your ISP's policy) it was quite feasible to serve your own site from your home, for free, and with as much storage as you would like. For personal sites this worked fine, but there was always the risk of the Slashdot effect, which would render your home internet connection unusable and probably get you kicked off your ISP.


BlazeBlogger

After a short and non-extensive search, I selected BlazeBlogger as the CMS tool for this site.


It does feel a bit simple compared to the more common systems, but it has an edit-source-generate-output workflow that feels very familiar to software developers, and lets me stay close to the CSS and HTML code that defines the look of the site.

There are no databases, the source files can be kept under version control, and the output is static HTML pages (and therefore nice and fast). A few simple command-line tools are used to add/edit pages, and then the site is generated with blaze-make. After that it's a simple matter of previewing and using rsync to upload it to the web server.

I'm not sure if the lack of a comment system is a good thing or a bad thing. So many sites out there only have nonsense or spam in their comments. But the lack of a feedback channel is a bit of a shame. Perhaps I'll try an email address for feedback submission, and see if that generates ridiculous amounts of spam or not.

If you have a Mac, you can easily install it (and all sorts of other packages) using the Homebrew package manager.

Postfix SASL support for sshguard

sshguard is a great tool for securing internet-facing servers. I've been using it for some time to protect from ssh brute-force attacks and IMAP server attacks.

However, the current version does not include attack signatures for Postfix, and my servers are seeing hundreds of brute-force connection attempts. These show up in logs like:

Oct 19 19:56:07 longbeach postfix/smtpd[2309]: warning: unknown[199.19.110.207]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 19 19:56:21 longbeach postfix/smtpd[2309]: warning: unknown[199.19.110.207]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Anyway, I decided to check out the code and look at adding support for these lines. It was fairly simple; the only real complication was that the yacc-based parser did not accept the two-part process name ("postfix/smtpd"). A quick rule tweak took care of that.
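As an added example, not sshguard's own code, the matching the new rule has to do is written out in awk below so you can see what it would count before wiring it into the parser: it keys on the two-part "postfix/smtpd[pid]: warning:" prefix and the "SASL ... authentication failed" text, pulls the client address out of the name[ip] field, and reports sources over a threshold. The first two sample lines are the ones from the post; the remaining lines are constructed (203.0.113.9 is a documentation address).

```shell
#!/bin/sh
# Added example, not sshguard's own code: tally Postfix SASL login failures per
# client address. The first two log lines are the post's; the rest are constructed
# to show a resolved hostname, a hyphenated mechanism, and lines that must not count.
set -eu

SAMPLE_LOG='Oct 19 19:56:07 longbeach postfix/smtpd[2309]: warning: unknown[199.19.110.207]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 19 19:56:21 longbeach postfix/smtpd[2309]: warning: unknown[199.19.110.207]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 19 19:56:49 longbeach postfix/smtpd[2309]: warning: unknown[199.19.110.207]: SASL PLAIN authentication failed: authentication failure
Oct 19 19:57:02 longbeach postfix/smtpd[2310]: warning: mail.example.net[203.0.113.9]: SASL CRAM-MD5 authentication failed: authentication failure
Oct 19 19:57:40 longbeach postfix/smtpd[2311]: connect from unknown[203.0.113.9]
Oct 19 19:58:11 longbeach postfix/smtpd[2311]: warning: hostname mail.example.net does not resolve to address 203.0.113.9'

# sasl_failures FILE [MIN]: print "count ip" for every client address with at
# least MIN (default 3) failed SASL logins, worst offender first. Only
# "postfix/smtpd[pid]: warning:" lines carrying "SASL <mech> authentication failed"
# count; "connect from" and other warnings are ignored. FILE may be - for stdin.
sasl_failures() {
    awk -v min="${2:-3}" '
        /postfix\/smtpd\[[0-9]+\]: warning: / && / SASL [A-Z0-9-]+ authentication failed/ {
            # the client is logged as name[ip] immediately before ": SASL"
            if (match($0, /\[[0-9.]+\]: SASL/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 8)
                hits[ip]++
            }
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Demo on the embedded sample: prints "3 199.19.110.207"
printf '%s\n' "$SAMPLE_LOG" | sasl_failures - 2
```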
