is Ansible easy to use?
Hi folks,

is Ansible an easy way to configure customized hosts?

First try, it's super complicated for me. Trying to create multiple files with content. It takes more time to create the playbook than creating this file by hand (this damn syntax complicates everything more).

Then formatting is destroyed or need more time on creating the playbook...

Is it so hard or am I so bad?

--
Philipp Ewald
Administrator
Re: mail monitoring
Hi,

I mean the servers are sending all messages to our main mail account - like script outputs, general errors from services, kern.log and so on.

We already use mailfilter to direct the same mails into the same directory.

My goal is to read fewer mails -> only mails with (unknown) errors.

But SpamAssassin may be a good idea -> so I can filter mails I know are good, or maybe Bayes will help.

Thanks

On 22.06.22 at 13:35, Dan Ritter wrote:
> Philipp Ewald wrote:
>> Hello guys,
>>
>> our servers are sending all messages to our main mail account. That's good, we don't wanna change that.
>>
>> All servers are sending all messages to this address, mostly it's not important. I want to define "good" messages (with regex?) that can be filtered.
>>
>> Is there a software that already can do this?
>
> Are you looking for software that:
>
> - runs on the mail server, rejecting mail as it comes in? SpamAssassin.
> - runs on the mail server, filtering mail as it is delivered to users? Sieve or mailfilter or procmail (don't use procmail)
> - runs on a recipient's computer, filtering mail after it is pulled via IMAP? Look for tools built in to your mail client, or use imapsync to retrieve the mail and mailfilter to sort it.
>
> -dsr-

--
Philipp Ewald
Administrator
mail monitoring
Hello guys,

our servers are sending all messages to our main mail account. That's good, we don't wanna change that.

All servers are sending all messages to this address, mostly it's not important. I want to define "good" messages (with regex?) that can be filtered.

Is there a software that already can do this?

Thanks for your input

kind regards

--
Philipp Ewald
Administrator
Re: apt install : command not found
Is your "$PATH" right? You can check this with:

    echo $PATH

Does "/usr/bin/apt update" work?

kind regards

On 11/25/21 10:04 AM, lists.deb...@netc.eu wrote:
> Hello to all,
>
> After this morning I realize that command "apt install" isn't working anymore on my PC. I already used a few days ago...
>
> I've tried several other options (always with sudo):
>
> apt update
> apt search __
> apt upgrade
> apt show __
> ...
>
> And they all work as intended, only "apt install" is giving me the output "command not found" :(
>
> Do you have any idea on what might be the problem?
>
> Thanks all in advance for the help,
> Best regards,
> Marc

--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de
AG Köln HRB 27711, tax no. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
run script after updating package
Hello,

is there a way I can run a script after updating a special package?

I have found this:

    APT::Update::Post-Invoke {"/thinks/to/do.sh";}

This would be a workaround, but it would be nice to only run after a special package was updated.

Thanks

Kind regards
Philipp

--
Philipp Ewald
Administrator
Re: Courier Authdeamon problem after upgrade
Oh sorry.

As a workaround we already changed the permission on that directory. We are not affected by this security problem, as we don't print the password hash from authdaemon.

Thanks for help!

On 8/26/21 1:02 PM, Greg Wooledge wrote:
> On Thu, Aug 26, 2021 at 10:21:55AM +0200, Philipp Ewald wrote:
>> Thank you for your advice! I will add user to mail group and try again.
>
> That is absolutely *not* what I advised.
>
> Ordinary users should not be in the "mail" or "courier" group. Those groups are for mail programs/daemons only. Putting a user in the mail group will (among other things) allow that user to delete *other* users' mailboxes from /var/mail/, if you keep them there.
>
> drwxrwsr-x 2 root mail 4096 Jan 11 2018 /var/mail/
>
> Your original plan (change the permissions on the /run subdirectory) is better than that, even if it means your system is "vulnerable" to the information disclosure that the change is trying to prevent.
>
> The severity of this disclosure depends on what type of users you have on your system. If it's just you, then there's nothing to worry about.
>
> If you have multiple real human users on your system and feel that keeping your password hashes a secret is a high priority, then you should talk to the maildrop support people and see what *they* suggest.

--
Philipp Ewald
Administrator
Re: Courier Authdeamon problem after upgrade
Thank you for your advice! I will add user to mail group and try again.

On 8/25/21 5:01 PM, Greg Wooledge wrote:
> On Wed, Aug 25, 2021 at 04:14:51PM +0200, Philipp Ewald wrote:
>> I have upgraded my Debian 10 to 11 and noticed that courier-authdaemon has a problem with the new permissions in /var/run/courier
>
> This appears to be intentional and security-related. See <http://bugs.debian.org/984810> and <https://security-tracker.debian.org/tracker/CVE-2021-28374>.
>
>> Debian 11:
>> #Type Path                    Mode UID     GID     Age Argument
>> d     /run/courier            0775 root    courier -   -
>> d     /run/courier/authdaemon 0750 courier courier -   -
>>
>> But with this configuration authdaemon is not working:
>>
>> ERR: authdaemon: s_connect() failed: Permission denied
>> /usr/bin/maildrop: Temporary authentication failure.
>> status: deferred
>
> Perhaps this should be considered a bug in maildrop, rather than in courier-authdaemon. I'm not familiar with maildrop or what privileges it requires. The package description says it runs setgid "mail", whereas this authdaemon directory is only accessible to group "courier".
>
> But I don't know how to fix it without breaking other things.

--
Philipp Ewald
Administrator
Courier Authdeamon problem after upgrade
Hello,

I have upgraded my Debian 10 to 11 and noticed that courier-authdaemon has a problem with the new permissions in /var/run/courier

Since the upgrade this file has changed: /usr/lib/tmpfiles.d/courier-authdaemon.conf

Debian 10:
#Type Path                    Mode UID     GID     Age Argument
d     /run/courier            0775 root    courier -   -
d     /run/courier/authdaemon 0755 courier courier -   -

Debian 11:
#Type Path                    Mode UID     GID     Age Argument
d     /run/courier            0775 root    courier -   -
d     /run/courier/authdaemon 0750 courier courier -   -

But with this configuration authdaemon is not working:

ERR: authdaemon: s_connect() failed: Permission denied
/usr/bin/maildrop: Temporary authentication failure.
status: deferred

Workaround: Add "chmod 755 /run/courier/authdaemon" to rc.local or should that work?

dpkg -l | grep courier
ii  courier-authdaemon        0.71.1-2 amd64 Courier authentication daemon
ii  courier-authlib           0.71.1-2 amd64 Courier authentication library
ii  courier-authlib-pipe      0.71.1-2 amd64 External authentication support for the Courier authentication library
ii  courier-authlib-userdb    0.71.1-2 amd64 userdb support for the Courier authentication library
ii  courier-base              1.0.16-3 amd64 Courier mail server - base system
ii  courier-mta               1.0.16-3 amd64 Courier mail server - ESMTP daemon
ii  libcourier-unicode4:amd64 2.1.2-2  amd64 Courier Unicode library (shared runtime library)

kind regards
Philipp

--
Philipp Ewald
Administrator
Re: Certbot in Buster
Many thanks!

I now finally had the time to test this (as far as possible); the last test is when Let's Encrypt changes their chain.

(Security) updates I have to install manually?

On 11/18/20 7:01 PM, Michael Stone wrote:
> On Wed, Nov 18, 2020 at 06:42:27PM +0100, Philipp Ewald wrote:
>> can I install the package from unstable and after that remove the entry in sources.list? or is this risky?
>
> I wouldn't do that, just download the appropriate debs from
>
> http://ftp.us.debian.org/debian/pool/main/p/python-certbot/certbot_1.8.0-1_all.deb
> http://ftp.us.debian.org/debian/pool/main/p/python-certbot/python3-certbot_1.8.0-1_all.deb
> http://ftp.us.debian.org/debian/pool/main/p/python-acme/python3-acme_1.8.0-1_all.deb
>
> run
>     sudo dpkg -i *.deb
> then
>     sudo apt --fix-broken install
> to clean up any dangling dependencies
>
> You can find which debs to download by looking at https://packages.debian.org/bullseye/certbot
> Most of the dependencies are provided in buster already, except for the proper versions of python3-certbot and python3-acme. If you were to install only the certbot deb and then run apt install (without --fix-broken) you'd see something like this:
>
> # apt install
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> You might want to run 'apt --fix-broken install' to correct these.
> The following packages have unmet dependencies:
>  certbot : Depends: python3-certbot (= 1.8.0-1) but it is not installed
> E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution).
>
> which indicates that a particular version of the python3-certbot package is required. If you were to run with --fix-broken in this case instead of manually installing the deb linked above it would tell you that it is removing certbot, because the appropriate version can't be found in buster.

--
Philipp Ewald
Administrator
Re: Certbot in Buster
> According to 'rmadison certbot' a newer version is only available in testing and unstable, but not in buster-backports:

Oh my mistake

> I presume you did this via direct e-mail only.

exactly... from packages.debian.org :)

> Preferably you should be using @packages.debian.org as this might reach more people (e.g. others interested in the package), just in case the Maintainer won't provide a backport or is unresponsive.

I have done this.

Many thanks! I hope there will be a backport. If not:

can I install the package from unstable and after that remove the entry in sources.list? or is this risky?

On 11/18/20 3:38 PM, Andrei POPESCU wrote:
> If the package in stable is still usable afterwards (even if with reduced functionality) this looks like a case for backports.
>
> According to 'rmadison certbot' a newer version is only available in testing and unstable, but not in buster-backports:
>
> certbot | 0.28.0-1~bpo9+1 | stretch-backports | all
> certbot | 0.28.0-1~deb9u2 | oldstable         | all
> certbot | 0.31.0-1        | stable            | all
> certbot | 1.8.0-1         | testing           | all
> certbot | 1.8.0-1         | unstable          | all
>
>> I have already asked the Maintainer to update the certbot package but no answer.
>
> I presume you did this via direct e-mail only.
>
>> What can I do?
>
> Write an e-mail to debian-backports with Cc: the package Maintainer asking nicely for a backport.
>
> Preferably you should be using @packages.debian.org as this might reach more people (e.g. others interested in the package), just in case the Maintainer won't provide a backport or is unresponsive.
>
> Kind regards,
> Andrei

--
Philipp Ewald
Administrator
Certbot in Buster
Hello,

https://community.letsencrypt.org/t/certbot-users-preparing-for-the-isrg-root-transition-january-11-2021/138059

certbot is on Version 0.31.0 in Debian Buster.

> As of January 11, 2021, we’re planning to make a change to our API so that ACME clients will, by default, serve a certificate chain that leads to ISRG Root X

This would be bad for older Android devices. To use the old Intermediate certificate it's needed to use certbot Version 1.6.0 or higher. But this Version is only available in Debian sid/buster-backports

I have already asked the Maintainer to update the certbot package but no answer.

What can I do?

Kind regards
Philipp

--
Philipp Ewald
Administrator
Re: OpenSSl encrpt and decrypt a String
Thank you!

I have used this: openssl base64 -d instead of "base64 -d" ..

On 16.10.20 18:09, Reco wrote:
> Hi.
>
> On Fri, Oct 16, 2020 at 03:58:46PM +0200, Philipp Ewald wrote:
>> echo -n "That's the text" | openssl enc -aes-256-cbc -a -A -nosalt
>>
>> gives me following "String":
>> ttn39k7YiglePLvmmc6s+w==
>
> Correct so far, assuming that you've entered a passphrase from the keyboard.
>
>> echo -n "ttn39k7YiglePLvmmc6s+w==" | openssl base64 -d | openssl enc -d -aes-256-cbc
>
> Wrong one. By default openssl assumes that plaintext is salted before the encryption.
>
>> echo -n "ttn39k7YiglePLvmmc6s+w==" | openssl base64 -d | openssl enc -d -aes-256-cbc -nosalt
>
> That one worked for me, but I've used a different passphrase, so the ciphertext was different:
>
> $ echo -n "That's the text" | openssl enc -aes-256-cbc -a -A -nosalt -k foo 2>/dev/null
> 3zGGAzM31Vsu9cax67TUrw==
>
> $ echo -n 3zGGAzM31Vsu9cax67TUrw== | base64 -d | openssl enc -d -aes-256-cbc -nosalt -k foo 2>/dev/null
> That's the text
>
> $ openssl version
> OpenSSL 1.1.1d 10 Sep 2019
>
> Reco

--
Philipp Ewald
Administrator
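The salt mismatch Reco describes, as an added example that is not part of the original thread: it encrypts the quoted text with and without `-nosalt`, shows that decryption only works when both sides use the same option, and shows that unsalted output is identical on every run. The passphrase `foo` and the plaintext are the ones quoted above; the function names `enc`, `dec`, `has_salt_header` and `demo` are made up for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread. PASS and TEXT reuse the values Reco
# quoted; the function names are made up for this illustration.
PASS=foo
TEXT="That's the text"

# Encrypt stdin to one line of base64. Extra options (e.g. -nosalt) pass through.
# Note: -k puts the passphrase on the command line, as in the thread.
enc() { openssl enc -aes-256-cbc -a -A -k "$PASS" "$@" 2>/dev/null; }

# Decrypt one line of base64 from stdin. Must get the same salt option as enc.
dec() { openssl enc -d -aes-256-cbc -a -A -k "$PASS" "$@" 2>/dev/null; }

# True if the decoded ciphertext starts with the 8-byte "Salted__" header that
# openssl writes (followed by the salt) unless -nosalt is given.
has_salt_header() {
    printf '%s' "$1" | base64 -d | head -c 8 | LC_ALL=C grep -q '^Salted__'
}

demo() {
    unsalted=$(printf '%s' "$TEXT" | enc -nosalt)
    salted=$(printf '%s' "$TEXT" | enc)

    echo "unsalted: $unsalted"
    echo "salted:   $salted"

    # Matching options on both sides: the round trip works.
    echo "dec -nosalt (unsalted): $(printf '%s' "$unsalted" | dec -nosalt)"
    echo "dec         (salted):   $(printf '%s' "$salted" | dec)"

    # The failing command from the question: no -nosalt on decrypt, so openssl
    # looks for "Salted__", does not find it and reports "bad magic number".
    if printf '%s' "$unsalted" | dec >/dev/null; then
        echo "unexpected: unsalted data decrypted without -nosalt"
    else
        echo "dec (unsalted): failed, no Salted__ header"
    fi

    # Without a salt the key and IV depend only on the passphrase, so equal
    # plaintexts give equal ciphertexts. A random salt makes each run differ.
    [ "$unsalted" = "$(printf '%s' "$TEXT" | enc -nosalt)" ] && echo "nosalt: repeatable"
    [ "$salted" != "$(printf '%s' "$TEXT" | enc)" ] && echo "salted: differs each run"
    return 0
}

demo
```
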
OpenSSl encrpt and decrypt a String
Hey everyone,

I try to encrypt a String with OpenSSL but it's not working as I want.

    echo -n "That's the text" | openssl enc -aes-256-cbc -a -A -nosalt

gives me following "String":
ttn39k7YiglePLvmmc6s+w==

    echo -n "ttn39k7YiglePLvmmc6s+w==" | openssl base64 -d | openssl enc -d -aes-256-cbc
    echo -n "ttn39k7YiglePLvmmc6s+w==" | openssl base64 -d | openssl enc -d -aes-256-cbc -nosalt

is not working: "bad decrypt" or "bad magic number"

Can someone explain why this isn't working? And how it should work?

Kind regards
Philipp

--
Philipp Ewald
Administrator
Re: reprepro using a gpg certificate
afaik: you don't need a password on a gpg-key

so if it's not required you can remove the password and script

On 28.09.20 at 13:59, Andreas Rönnquist wrote:
> Hi!
>
> I have managed to setup a personal repository for backports from unstable to stable only for personal usage. Everything works just fine, with one small exception: After I dput a package I must login to the repository server, and run a shell script containing the reprepro command, which I cannot automate, since it requests entry of a password for a gpg key.
>
> Does anyone have some simple instructions to setup reprepro so I don't have to enter this password by hand - I understand that I can use some kind of gpg certificate to get around this, but I haven't managed to set it up properly.
>
> I want to do the reprepro command in a crontab so that eventual uploaded packages get processed automatically every X minutes, but then it (of course) cannot require someone to fill in a gpg password.
>
> Is there any simple tutorial somewhere that I haven't found?
>
> thanks in advance
> --
> Andreas Rönnquist
> mailingli...@gusnan.se
> andr...@ronnquist.net
>
> [Please don't CC me, if I mail to a mailinglist, I am subscribed to it.]

--
Philipp Ewald
Administrator
Re: traps: courieresmtp
Ahh sorry, I didn't see that reply.

Yeah, I don't really know what's going on and which package is involved. Unicode/Encoding is not my strong suit - I will never get this...

This error was found by some ".mailfilter" rule and a user was writing his own mail address wrong.

My expected behavior on this ".mailfilter" file was that courier will say: @do–main.tld Domain not found.

because do-main.tl != do–main.tld

This behavior was on testing with Thunderbird, so I tried on Terminal to reproduce this issue. I cannot print the hyphen dash in terminal because the cursor is jumping around, so I have tried with "echo -e ..."

> I would report it as a bug against courier,

I will do this.

Thanks for advice

Kind regards
Philipp

On 28.09.20 at 03:49, David Wright wrote:
> (Reordered quotes.)
>
> On Thursday, 24 September 2020, Philipp Ewald wrote:
>> maybe I found a bug in courier.
>>
>> courier crashes when an E-Mail address contains "–" (EN DASH)
>>
>> traps: courieresmtp[36082] general protection
>>
>> mail.log:
>> courieresmtp: Crashed child process 41684, while delivering to DO<96>MAIN.TLD
>>
>> When I try to send a mail to DO–MAIN.TLD via thunderbird (smtp server is the same) or something else
>> Server report: No such domain
>>
>> (replace DO–MAIN.TLD with a real domain containing normal "-")
>>
>> is this a bug from courier? debian? maildrop?
>
> (I assume TB is your client (MUA) and courier is your MTA that's being required to forward it.)
>
> Not using that software, it might help to clarify a few things. It says "delivering", which raises the question of "to whom", if the domain is unrecognisable as such. It says 41684 "crashed": does that mean merely that it returned non-success, which would be an odd way of indicating it. OTOH, 36082 says "general protection": does that mean a General Protection Fault, which would definitely be a bug if it's caused by just a typo in an email address. Even more so if the parent crashes just because its child did. I don't know the significance of "traps:".
>
> I would report it as a bug against courier, though because the problem is reproducible, I'd try and increase the level of logging if that's possible. (For example, I use exim, and leave it configured to run with -d (debug).)
>
> On Sun 27 Sep 2020 at 12:44:59 (+0200), Stefan Krusche wrote:
>>> courier crashes when an E-Mail address contains "–" (EN DASH)
>>
>> This does not seem to be a dash ^^^
>> I think that could be a character which is not allowed for email addresses. It looks like a long hyphen which I get on a german keyboard layout with "AltGr + -".
>>
>>> When I try to send a mail to DO–MAIN.TLD via thunderbird (smtp server is the same) or something else
>>> Server report: No such domain
>>>
>>> (replace DO–MAIN.TLD with a real domain containing normal "-")
>>
>> This I understand as the server saying: "don't use '–' (long hyphen) but '-' (dash) instead.
>
> I would agree with that, but could you not further confuse matters by using the opposite names for dash and hyphen from everybody else.
>
>>> tested with:
>>> cat /some/mail/content | sendmail user@do(echo -e "\0\x96"| tr -d
>
> ↑ presumably left out a $ in the posting.
>
>>> "\0")main.tld
>>
>> Sorry, I don't understand where you get that "–" (long hyphen) from, maybe some HTML-formatted emails?!
>
> They inserted it, as above, to provoke the error message, though I'm not quite sure why they didn't just type the en-dash:
>
> $ cat /some/mail/content | sendmail user@do–main.tld
>
> directly. It might be a locale thing to do with their terminal. Hex 96 means nothing to me in Unicode.
>
> Cheers,
> David.

--
Philipp Ewald
Administrator
traps: courieresmtp
Hello,

maybe I found a bug in courier.

courier crashes when an E-Mail address contains "–" (EN DASH)

Kernel log:
traps: courieresmtp[36082] general protection

mail.log:
courieresmtp: Crashed child process 41684, while delivering to DO<96>MAIN.TLD

When I try to send a mail to DO–MAIN.TLD via thunderbird (smtp server is the same) or something else
Server report: No such domain

(replace DO–MAIN.TLD with a real domain containing normal "-")

tested with:

    cat /some/mail/content | sendmail user@do(echo -e "\0\x96"| tr -d "\0")main.tld

is this a bug from courier? debian? maildrop?

kind regards
Philipp

--
Philipp Ewald
Administrator
traps: courieresmtp
Hello,

maybe I found a bug in courier.

courier crashes when an E-Mail address contains "–" (EN DASH)

Kernel log:
traps: courieresmtp[36082] general protection

mail.log:
courieresmtp: Crashed child process 41684, while delivering to DO<96>MAIN.TLD

When I try to send a mail to DO–MAIN.TLD via thunderbird (smtp server is the same) or something else
Server report: No such domain

(replace DO–MAIN.TLD with a real domain containing normal "-")

Mail was sent via .mailfilter (auto reply)

is this a bug from courier? debian? maildrop?

kind regards
Philipp

--
Philipp Ewald
Administrator