Adding Certificates, Keys, etc

January 9, 2016

The technophobe tends to look at this topic as voodoo (whodo?). Since this technophobe tends to look at the Unix world, and specifically Fedora or CentOS, from a top-level [server] point of view, one needs to address this for several compatibility and other network reasons:

  1. port 22 provides secure SSH login
  2. port 443 can be used to provide secure HTTP (HTTPS) communication
  3. port 993 (587?) secure IMAP sessions

The RPM openssl-perl.i686 (or something like it):

openssl-perl contains the following script, which is a must if you intend to cheaply use self-signed certificates: /etc/pki/tls/misc/CA.pl

This script WAS NOT used since I am confused about which flags to use, and the crypto RPMs do come with some keys.

usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify

The genkey procedure produced this:

Made a key
Opened tmprequest for writing
(null) Copying the cert pointer
Created a certificate
Wrote 882 bytes of encoded data to /etc/pki/tls/private/www.weboir.com.key
Wrote the key to:
/etc/pki/tls/private/www.weboir.com.key

Edit /etc/httpd/conf.d/ssl.conf. Change the SSLCertificateFile and SSLCertificateKeyFile lines to reflect these:

  1. SSLCertificateFile /etc/pki/tls/certs/www.weboir.com.crt
  2. SSLCertificateKeyFile /etc/pki/tls/private/www.weboir.com.key

Probably not germane, but I spent a lot of time chasing this:

[Mon Jan 11 12:53:21 2016] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Mon Jan 11 12:53:39 2016] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Mon Jan 11 12:53:39 2016] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

when I tried to configure item 1 (SSLCertificateFile) to also point at the key and not the .crt.
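An added example (not code from the original post) that catches exactly this slip before httpd is restarted: it reads SSLCertificateFile/SSLCertificateKeyFile out of an ssl.conf snippet and checks the PEM label and permissions of each file it points at. The file names and PEM bodies in the demo are constructed.

```python
"""Sanity-check the cert/key pair an Apache ssl.conf points at.

Added example, not code from the original post. Only the PEM BEGIN lines and
the key file's mode are inspected; the DER body is not parsed. A private key
handed to SSLCertificateFile (the slip that produced the 'nested asn1 error'
above) shows up as a label mismatch.
"""
import os
import re
import stat
import tempfile

# Which PEM labels are acceptable for each directive.
EXPECTED_LABELS = {
    "SSLCertificateFile": {"CERTIFICATE"},
    "SSLCertificateKeyFile": {"PRIVATE KEY", "RSA PRIVATE KEY",
                              "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"},
}
DIRECTIVE_RE = re.compile(
    r"^\s*(SSLCertificateFile|SSLCertificateKeyFile)\s+(\S+)", re.MULTILINE)
PEM_BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----[ \t]*$", re.MULTILINE)


def parse_ssl_conf(text):
    """Return {directive: path} for the two certificate directives."""
    return {m.group(1): m.group(2) for m in DIRECTIVE_RE.finditer(text)}


def pem_labels(path):
    """Return the set of PEM BEGIN labels in a file; empty set if it is not PEM."""
    with open(path, encoding="ascii", errors="replace") as fh:
        data = fh.read()
    labels = set(PEM_BEGIN_RE.findall(data))
    # Legacy OpenSSL marks a passphrase-protected key with a Proc-Type header.
    if "Proc-Type: 4,ENCRYPTED" in data:
        labels.add("ENCRYPTED PRIVATE KEY")
    return labels


def check_ssl_conf(text):
    """Return a list of findings for an ssl.conf snippet; [] means it looks sane."""
    findings = []
    for directive, path in parse_ssl_conf(text).items():
        if not os.path.isfile(path):
            findings.append(f"{directive}: {path} does not exist")
            continue
        labels = pem_labels(path)
        if not labels:
            findings.append(f"{directive}: {path} is not a PEM file")
        elif not labels & EXPECTED_LABELS[directive]:
            findings.append(f"{directive}: {path} holds {sorted(labels)}, "
                            f"expected one of {sorted(EXPECTED_LABELS[directive])}")
        if directive == "SSLCertificateKeyFile":
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:
                findings.append(f"{directive}: {path} is group/world readable "
                                f"(mode {mode:04o})")
            if "ENCRYPTED PRIVATE KEY" in labels:
                findings.append(f"{directive}: {path} is passphrase protected; "
                                "httpd will need the passphrase at every start")
    return findings


def demo():
    """Write constructed cert/key files and check a wrong and a right ssl.conf.

    Returns (findings_for_wrong_conf, findings_for_right_conf)."""
    with tempfile.TemporaryDirectory() as tmp:
        cert = os.path.join(tmp, "www.example.test.crt")   # constructed paths
        key = os.path.join(tmp, "www.example.test.key")
        with open(cert, "w") as fh:                        # constructed bodies
            fh.write("-----BEGIN CERTIFICATE-----\nMIIBconstructed==\n"
                     "-----END CERTIFICATE-----\n")
        with open(key, "w") as fh:
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nMIICconstructed==\n"
                     "-----END RSA PRIVATE KEY-----\n")
        os.chmod(key, 0o600)
        # The slip from the post: item 1 points at the key as well.
        wrong = f"SSLCertificateFile {key}\nSSLCertificateKeyFile {key}\n"
        right = f"SSLCertificateFile {cert}\nSSLCertificateKeyFile {key}\n"
        return check_ssl_conf(wrong), check_ssl_conf(right)


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```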

These keys will certainly come into play in a couple of other places:

  • TLS connections from IMAP clients on port 143/993 etc. [dovecot|cyrus-imap]
  • TLS connections from SMTP machines entering port 25 (postfix)

smtp not really simple at all

January 21, 2010

What is really unclear in the SMTP log below:

Is the phone connecting to Postfix, or is myvzw? The other thing that confuses me (easily confused) is whether it is complaining about

– localhost not qualified
– mrluciano not qualified

We may have to add myvzw as a relay, but doesn't this open your phone up to spam?

ex) I got a call from unassigned 2066005382 yesterday

Jan 19 09:27:46 gfe postfix/smtpd[22469]: connect from 246.sub-97-36-51.myvzw.com[97.36.51.246]
Jan 19 09:27:56 gfe postfix/smtpd[22469]: NOQUEUE: reject: RCPT from 246.sub-97-36-51.myvzw.com[97.36.51.246]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<chuck@mrluciano.com> to=<chuck.luciano@gmail.com> proto=ESMTP helo=<localhost>
Jan 19 09:27:57 gfe postfix/smtpd[22469]: lost connection after RCPT from 246.sub-97-36-51.myvzw.com[97.36.51.246]
Jan 19 09:27:57 gfe postfix/smtpd[22469]: disconnect from 246.sub-97-36-51.myvzw.com[97.36.51.246]
Jan 19 09:27:57 gfe postfix/smtpd[22469]: connect from 246.sub-97-36-51.myvzw.com[97.36.51.246]
Jan 19 09:28:00 gfe postfix/smtpd[22469]: NOQUEUE: reject: RCPT from 246.sub-97-36-51.myvzw.com[97.36.51.246]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<chuck@mrluciano.com> to=<chuck.luciano@gmail.com> proto=ESMTP helo=<localhost>
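As an added example (not part of the original post), a small Python parser that turns smtpd lines like these into a per-client summary of connects, rejects, HELO names and reject reasons, so a burst of rejects can be reviewed in aggregate. The sample log is constructed: the myvzw.com lines mirror the post, and one made-up relay-attempt reject on the documentation address 203.0.113.7 is added to show a second reason.

```python
"""Summarise Postfix smtpd connects and NOQUEUE rejects per client IP.

Added example, not code from the original post. The log sample is constructed
(see SAMPLE_LOG); the parser handles the connect / reject / lost connection /
disconnect lines that postfix/smtpd writes.
"""
import re
from collections import Counter, defaultdict

# "Jan 19 09:27:56 gfe postfix/smtpd[22469]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "NOQUEUE: reject: RCPT from name[ip]: 504 5.5.2 <x>: reason; from=<a> to=<b> ..."
REJECT_RE = re.compile(
    r"^NOQUEUE: reject: (?P<stage>\w+) from (?P<client>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<esc>\d\.\d\.\d) (?P<reason>.*?); (?P<kv>from=.*)$")
CLIENT_RE = re.compile(r"from (?P<client>[^\[]+)\[(?P<ip>[^\]]+)\]")
KV_RE = re.compile(r"(\w+)=<([^>]*)>")

# Constructed sample: first six lines mirror the post, the last one is made up.
SAMPLE_LOG = """\
Jan 19 09:27:46 gfe postfix/smtpd[22469]: connect from 246.sub-97-36-51.myvzw.com[97.36.51.246]
Jan 19 09:27:56 gfe postfix/smtpd[22469]: NOQUEUE: reject: RCPT from 246.sub-97-36-51.myvzw.com[97.36.51.246]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<chuck@mrluciano.com> to=<chuck.luciano@gmail.com> proto=ESMTP helo=<localhost>
Jan 19 09:27:57 gfe postfix/smtpd[22469]: lost connection after RCPT from 246.sub-97-36-51.myvzw.com[97.36.51.246]
Jan 19 09:27:57 gfe postfix/smtpd[22469]: disconnect from 246.sub-97-36-51.myvzw.com[97.36.51.246]
Jan 19 09:27:57 gfe postfix/smtpd[22469]: connect from 246.sub-97-36-51.myvzw.com[97.36.51.246]
Jan 19 09:28:00 gfe postfix/smtpd[22469]: NOQUEUE: reject: RCPT from 246.sub-97-36-51.myvzw.com[97.36.51.246]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<chuck@mrluciano.com> to=<chuck.luciano@gmail.com> proto=ESMTP helo=<localhost>
Jan 19 09:30:12 gfe postfix/smtpd[22470]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <someone@example.net>: Relay access denied; from=<news@example.org> to=<someone@example.net> proto=ESMTP helo=<mail>
"""


def parse_line(line):
    """Return a dict describing one smtpd log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    rej = REJECT_RE.match(msg)
    if rej:
        rec["event"] = "reject"
        rec.update(rej.groupdict())
        rec.update(KV_RE.findall(rec.pop("kv")))    # from / to / helo
        return rec
    for prefix, event in (("connect from", "connect"),
                          ("disconnect from", "disconnect"),
                          ("lost connection", "lost")):
        if msg.startswith(prefix):
            rec["event"] = event
            c = CLIENT_RE.search(msg)
            if c:
                rec.update(c.groupdict())
            return rec
    rec["event"] = "other"
    return rec


def summarize(lines):
    """Per client IP: connect/reject counts, distinct HELOs, senders and reasons."""
    per_ip = defaultdict(lambda: {"connects": 0, "rejects": 0, "helos": set(),
                                  "senders": set(), "reasons": Counter()})
    for line in lines:
        rec = parse_line(line)
        if not rec or "ip" not in rec:
            continue
        entry = per_ip[rec["ip"]]
        if rec["event"] == "connect":
            entry["connects"] += 1
        elif rec["event"] == "reject":
            entry["rejects"] += 1
            entry["helos"].add(rec.get("helo", ""))
            entry["senders"].add(rec.get("from", ""))
            entry["reasons"][f'{rec["code"]} {rec["esc"]} {rec["reason"]}'] += 1
    return dict(per_ip)


def repeated_rejects(summary, min_rejects=2):
    """IPs rejected at least `min_rejects` times, sorted, for manual review."""
    return sorted(ip for ip, e in summary.items() if e["rejects"] >= min_rejects)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for ip, e in s.items():
        print(ip, e["connects"], e["rejects"], sorted(e["helos"]), dict(e["reasons"]))
    print("review:", repeated_rejects(s))
```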

Programming in A->B->C

December 25, 2009

What are A, B, C? What is ->?

To the mathematician A, B, C can be objects or quantities (maybe just placeholders), but they need definition, and -> is a relationship. Then he can talk about some theories relating the 3 objects and how the operators cause them to relate to each other.

To the programmer I can see the paradigm in 2 ways:

  • A, B, C are procedural steps and -> are the method(s) to get there, as in ETL
  • A, B, C represent “objects”, so B and C are in some sense “controlled by A” but can act independently.

Lately I've been working with a PEAR package, “structures datagrid formatter” (ironically also available in .NET), whose documentation, if you've worked with PEAR, leaves something to be desired:

http://pear.php.net/package/Structures_DataGrid/docs/latest/Structures_DataGrid/Structures_DataGrid.html

It is somewhat void of examples, so here are some links:

  1. http://devzone.zend.com/article/3019
  2. http://www.php-editors.com/pear_manual/package.structures.structures-datagrid.formatter.html

Conceptually, though, its paradigm is a mixture of both, which is very confusing:

A == DataSource

B == Relate Source to Rendition

C == Renderer

Common sources are CSV, Excel files, or SQL, and renderings can be HTML or Excel. The default renderer consists of classes by the same author(s):

Structures_DataGrid_Renderer_HTMLTable -> http://pear.php.net/package/HTML_Table/docs

but this too is an inheritance relation, so the UML starts to look like A->B->C with A->D->E thrown in. Oh, and they say A and C are “drivers”. The power here though is that the defaults are pretty good 80% of the time to get up some quick and dirty, i.e. sortable/pageable row/column web pages from a variety of data sources (hire me to show you how).

Custom Rendering and Custom Data Sources

To me this gets back to ETL. Suppose I want to color (render) only some cells, in some colors, in some ways, based on the dynamics of the data. Do I call this dynamic rendering? It produces some really unique design challenges. For data sourcing, is the vanilla CSV reader enough? Suppose I want to drop all precision beyond what is humanly interpretable (1234.56: no one [maybe a physicist] cares about .56). Do I do this in the source or the rendering?

See also http://www.lephpfacile.com/manuel-pear/package.structures.structures-datagrid.custom-datasources.php for customizing a DataSource driver.

How can I make the default rendering more pleasing? Are style sheets enough? Clearly not if the changes are dynamic, although one might create `classes` of cells suitable for grouping into stylesheet classes. Someone still needs to change HTML ‘cells’ to make reference to the style sheet. Perhaps a picture of a result will obviate more verbiage:

http://nomenware.net/cgi-bin/render.php

Neel Desai’s EndoGlide Forceps Corneal/Lens Coordination

March 12, 2017
[Image: The Eye Institute of West Florida]

On my recent visit for cataract surgery I noticed a B+L patent application for the forceps mentioned above, and described below; a surgical implantation device? Before the surgery implanting the IOL that day, i.e. a -19.5 D SofTec HD™ lens, I snapped a photo of that application.

The problem

The true technophobe finds that seeing good technology can barely be distinguished from magic. This is so true for IOL lens surgery. As an optical system my lens choice was a bi-aspheric monofocal lens, which, to characterize in general terms, is more like the eye's natural lens than a “plainly” (say convex) manufactured one. There are drawbacks to any optical system design, but God in his infinite wisdom gave us 2 eyes to offset focal length for the brain to process into ONE image. These are in fact naturally offset in their individual focal lengths. The patient choice boiled down to 3 options. My choice was the mid-level option, not so much as a cost savings measure, but I don't have God's intended 2nd eye so I needed to err on the conservative side. The most expensive option involved an Abbott Labs design, Symfony™, which through an optical correction technique addressing chromatic aberration might provide more / better variable focal length properties.

A solution

The Luddite finds the array of choices in surgeons and IOL lens design bewildering. The eye measurements for the eye as an optical system include:

  • Curvature of the cornea
  • Distance of the lens from the cornea
  • Distance of the lens to the retina (fovea?)

The actual measurement of these parameters is truly a miracle of science / maths / computers. Exponential moving averages? It turns out that if a surgeon's results are studied statistically, the lens formula (see below) can be fine tuned to that surgeon's hand.

Through a process of phacoemulsification the old lens is broken apart with sound waves and evacuated through the frontal container (aqueous humor). One measurement that is not typically done is the current curvature of the old lens. This “statistic” might be derivable from old refractions of the eye, in my case roughly -1 D to +2.25 D, which for most of my adult life was -2 D with occasionally minor

Astigmatism

This is an area where Dr Desai truly excelled. This technophobe was really afraid of correcting this condition by so-called YAG lasers. I grew up in that era when Lasik was so new that it often created *(feared)* corneal problems in the future.

Again, remembering that the eye is but an optical system, astigmatic correction can be accomplished BOTH at the cornea OR the lens.

It is easy for a technophobe to get wrapped up in ideas like Keratoconus and to possibly avoid what might be his (her) best options.

Laser ablation

I am going to take a WAG (wild ass guess) that the excimer laser is how the cornea is actually reshaped. I am told this is the tube I looked into at the beginning of surgery, which creates `slits` at the edge of the cornea allowing `relaxation` along the cut axis. Scary stuff, right?

From a physics (mechanics) perspective these slits probably have to be 90 deg orthogonal to the actual [long natural] astigmatic axis (in my case 86 deg). A machine can really do this?

After the lens was placed I remember looking into 3 red lights (probably low power LEDs) which were used to fix the patient's AOA (angle of attack), I suppose to allow exact orientation of the implanted lens. With respect to the slits, my lens probably needed no extra (preferential) cylindrical orientation, i.e. aspheric?

In a spherical lens, spherical aberration causes incident light rays to focus at different points, creating a blur; in an aspheric lens, light focuses to a point, creating comparatively no blur and improving image quality.

The intellectual side of my mind knows that this (UV?) coherent radiation source is most likely destroying epithelial cells (inside the cornea?):

Examples of non-keratinized stratified squamous epithelium include cornea (see also corneal epithelium),

Without truly understanding what is going on here, I believe the UV radiation is creating a “new cornea” (at least its curvature). Which of the 3 epithelium histology types is destroyed and being regenerated is left to be some pathologist's mystery, but I did have some interesting visual effects following the surgery:

  1. Floating halos, concentric circles like moving waves
  2. Double vision of incoherent light sources at 20+ feet (night)
  3. 30-45 degree beams directed from non-coherent light sources

The first 2 subsided rather quickly. Presumably it is the “healing” sic regeneration of those epithelial cells along with the mind’s adaptive processing of the “new optics” that reduces these visual “side effects” over time.

The Process

This is where the magic truly happens. A (one) 1 mm incision is made for the IOL placement. Probably the new lens unfolds, since it is clearly much bigger (12 mm?) than that. Further, the placement of the lens in the lens capsule is a microscopic process, since in the case of multifocal astigmatic correction the orientation of that new (toric) lens inside the capsule is now of paramount significance.

This is where my interest in the patent app began. Just my opinion, but the word endoglide might have been a poor key word choice. The diagram (which appeared to come from the Bausch + Lomb microfiche) looked like another optical device called a cystotome.

The microfiche of Desai's device was probably rendered in 6-8 point typeface, so was a little short on detail, but here is my analysis:

1 mm is roughly an 18 gauge tube

However, for a lens placement device, as the above diagram demonstrates, it is the outer diameter that is significant, as shown in this chart. So to place a spring-loaded plunger mechanism inside a 26 (or 20) gauge tube (or pipe) would be an almost impossibly complicated piece of nano-mechanics.

[Images: Endoglide; Cystotome]

I can only think of one MN company that does such “tight tolerance” manufacturing, and unfortunately they have not the background in making surgical devices.

This of course leads me to yet another of my technophobic rants. Is the Desai forceps caught in that ugly place housing the Patent Pending government files? I believe that often the best ideas get stuck here, or never even make it out of labs or universities into production, because of legal (sometimes manufacturing) “considerations”.

This is where I always thought government could, would, and should step in. If we have the materials expertise to make composite bumpers, why not nanotubes? Is it simply a matter of ROI? If the initial non-recurring engineering cost of a patentable surgical instrument is in 6 figures before manufacturing costs, is this acceptable risk for any company or individual? Frankly probably not, but the patent office is so choked with mediocre ideas as to make the entire motif non-sustainable.

BTW a quick search of “endoglide” only produced one instrument.

After Thought

The healing of the eye was left to both time and what I call better living through chemistry. Four (4) eye drop types were used:

  1. artificial tears
  2. antibiotic
  3. NSAIDs
  4. Steroid (Durezol)

I remember my Uncle Dr Elgin commenting on the efficacy of Alcon's products, but from the NSAID list (3) I think Ilevro might have been a little bit over the top, especially since a steroid is used anyway. The main advantage seemed to be a 1 TID application, but the $250 price tag w/such small packaging seems not so optimal.

Another thing I remember from Dr Elgin was, around 1982, programming his TI-59 calculator [remember the IBM PC AT was still spit in some dude's eye] with the Ax + By + C (A as in A-scan?) formula, which was a linear approximation to the surgeon's hand, x and y being the eye measurements, with C being adjusted from doing linear regression statistics on the individual surgeon's historical results. Apparently before that time some x**2 and y**2 formula had been used, with, let us say, not best in class results.

I suppose that now with the advances in instrumentation, and computers there are some 6 or 7 statistical variables that can be statistically modeled against the surgical process.

I believe one area of eye care that has not been well explored is the effect of heavy metals (in particular zinc + copper) as described in AREDS II, which may well have other benefits besides retinal health.

Another drop I have found of value is Retaine, which could be simulated by adding << 1% mineral oil to 1) above.


The reason I mention these things is that there is a property of optical systems of disjoint materials called the Brewster angle:

Brewster’s law, relationship for light waves stating that the maximum polarization (vibration in one plane only) of a ray of light may be achieved by letting the ray fall on a surface of a transparent medium in such a way that the refracted ray makes an angle of 90° with the reflected ray.

(in real life < 90 deg) which has to do with the index of refraction of the adjoining materials. Clearly the HYDROphilic acrylic material used in the SofTec lens has some material significance. Apparently there is less chemical interaction with this material against the surrounding tissue, a 26% water content being key to optical properties as well. The materials guys probably measured protein content:

[Image: fibronectin adhesion comparison]

For most humans their sugar (glucose) levels will most likely affect the index of refraction in the vitreous humor, but probably not the aqueous humor. This is one of the truly amazing features of the capsule lens design. There are several physical barriers between the cornea and the retina. In addition to providing physical (and UV) protection for the eye, they also tend to naturally polarize the light falling on the retina.

As i said Magic

Result

Patient result (success) is dependent on many things, but for a didactic look it is necessary to do a refraction on the eye concerned, mainly to study these criteria:

  • Visual Acuity
  • Natural Focal Length
  • Glare Sensitivity

The first has something to do with reading. I say this since one of the misunderstandings about the Snellen charts is that they truly measure refraction of the eye.

A manifest refraction is the manual way to determine the best lenses, by placing various lenses in front of the patient’s eyes and asking, “Which is better, lens A or lens B?”

The practice which did MY surgery, for better or worse, incorporates either the newer Sloan or the LogMAR standard. They also used a special device:

A pinhole occluder is an opaque disk with one or more small holes through it, used by ophthalmologists, orthoptists and optometrists to test visual acuity. The occluder is a simple way to focus light, as in a pinhole camera, temporarily removing the effects of refractive errors such as myopia.

The most useful pinhole diameter for clinical purposes is 1.2mm. This pinhole size is effective for refractive errors of +/-5.00D. A pinhole improves visual acuity by decreasing the size of the blur circle on the retina, resulting in an improvement of the individual’s visual acuity; however, if the pinhole aperture is less than 1.2mm, the blurring effects of diffraction around the edges of the aperture will increase the blur circle and cause worsened vision.

The focal length criterion is as if to say the eye is like a camera, as mentioned in the beginning. Each candidate for this surgery has some natural focal length, which of course changes throughout the patient's lifetime according to many factors:

  1.  General Eye Health (corneal, presbyopia, and retinal)
  2.  Shape of the eye (geometry) which generally shrinks w/age
  3.  History of Optical Aids used (refraction correction)

I mention these since, in the final analysis, the result is perhaps totally subjective and NOT measurable.

Using cyrus-imap w/postfix Milter mgmt

January 20, 2016

For me this is a somewhat ambitious undertaking, so I am masking the effort around creating an MX backup server [something we have never had]. The problem is vast when one considers the list of components on the current primary mail server:

  1. Postfix
  2. Dovecot
  3. SpamAssassin
  4. MailScanner
  5. MailWatch
  6. clamav
  7. postsrsd
  8. opendkim

cyrus-imap is meant to replace Dovecot, and for the time being I was going to skip 4 and 5 since they are shells around 1, 3 and 6, which add a layer of configuration complexity I'd like to avoid. In fact I find it hard to justify putting in MySQL `in a pure mailserver setup`.

The history of this setup is that MailScanner was chosen to replace amavisd (or -new, I forgot) as a means of enhancing SpamAssassin. I do remember looking for alternatives {ClamSMTPd?} at that time, and with this choice I had no need to run spamd as a milter, but doing that might well have been faster.

So on this go I thought I would give milter manager a try, following these simple instructions:

 wget http://sourceforge.net/projects/milter-manager/files/centos/milter-manager-release-1.2.0-1.noarch.rpm
 rpm  --install milter-manager-release-1.2.0-1.noarch.rpm

This only installs the yum repo stuff for milter-manager; one still needs the actual milter manager software:

 yum install milter-manager.x86_64

After installing and configuring the milters (chkconfig on etc.), one needs to add all components to the milter-manager group, for example:

 usermod -G milter-manager -a postfix
 usermod -G milter-manager -a sa-milt
 usermod -G sa-milt -a milter-manager
 usermod -G clam -a milter-manager
 usermod -G opendkim -a milter-manager
 usermod -G spamd -a milter-manager

To configure cyrus-imapd, two (2) files need to be modified:

  1. /etc/sasl2/smtpd.conf
    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
  2. /etc/imapd.conf
    virtdomains:            yes
    defaultdomain:          weboir.com
    servername:             weboir.com
    configdirectory:        /var/lib/imap
    partition-default:      /var/spool/imap
    admins:                 chuck cyrus gelgin
    sievedir:               /var/lib/imap/sieve
    sendmail:               /usr/sbin/sendmail.postfix
    hashimapspool:          true
    allowanonymouslogin:    no
    allowplaintext:         yes
    sasl_pwcheck_method:    auxprop
    sasl_mech_list:         CRAM-MD5 DIGEST-MD5 PLAIN
    tls_cert_file:          /etc/pki/cyrus-imapd/cyrus-imapd.pem
    tls_key_file:           /etc/pki/cyrus-imapd/cyrus-imapd.pem
    tls_ca_file:            /etc/pki/tls/certs/ca-bundle.crt

    autocreatequota:                -1
    createonpost:                   yes
    autocreateinboxfolders:         spam
    autosubscribeinboxfolders:      spam

Now going back to milter manager configuration, the beauty of which is that it identifies ALL the milters you have previously installed, so…

load_if_exist("milter-manager.local.conf")

If we create one of these, i.e.

/usr/sbin/milter-manager -u milter-manager --show-config > /etc/milter-manager/milter-manager.local.conf

we can then see what was configured, i.e.

  1. grep milter.conn /etc/milter-manager/milter-manager.local.conf
  2. grep milter.ena /etc/milter-manager/milter-manager.local.conf

which for this last had best be `= True` for all entries.

Well, I haven't totally given up, but this `project` certainly isn't going easily. I had so many problems with milter manager [it's a top down thing] I gave up. Same with cyrus-imapd [went to the devil I know, sic dovecot]. Postsrsd isn't even available as an rpm [at least for CentOS]. So… many problems using Clam, Spamd without MailScanner……

I am actually toying with the thought of going back to amavisd [perhaps with a graphical interface this time?]. MailScanner works well, but like any shell around Clam, SpamScan its configuration is

  1. Obscure
  2. DB-dependent

and if I go that route there are then many graphical tools out there, so stay tuned…

PostVis

Various

If I were starting from scratch I would definitely consider this package.

yum repository handling and rpm usage

January 9, 2016

This article gives you the steps to install and enable the RPMForge repository under RHEL/CentOS 7, 6, 5, 4 systems.

As an example of rpmbuild usage from source RPMs:

wget http://sourceforge.net/projects/postfixadmin/files/postfixadmin/postfixadmin-2.3.8/postfixadmin-2.3.8.src.rpm/download

/usr/bin/rpmbuild --rebuild postfixadmin-2.3.8.src.rpm
rpm  -i postfixadmin-2.3.8.src.rpm
rpmbuild -ba postfixadmin.spec

To then list the contents of this newly created target `binary` RPM:
rpm -qlp rpmbuild/RPMS/noarch/postfixadmin-2.3.8-1.1.noarch.rpm

Here are details on enabling ALL the repositories and prioritizing them.

Dovecot Adding CA certificate TLS to Postfix

January 7, 2016

The current dovecot.conf only supports a Public/Private Keypair so when this is added:

verbose_ssl=yes

with this ssl_key = </etc/pki/dovecot/private/dovecot.pem

we in turn see tons of imap certificate errors sic

Lv3 read client certificate A [192.168.10.14]
Jan  6 16:53:32 gfee dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.10.14]
Jan  6 16:53:32 gfee dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.10.14]
Jan  6 16:53:32 gfee dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.10.14]
Jan  6 16:53:32 gfee dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.10.14]

Since we are in fact NOT using a certificate, this appears to be one of chuck's Apple IMAP clients causing postfix/dovecot to log these warnings.

The nickel solution is to just NOT use verbose_ssl so as to ignore the warning. The $100 solution is to actually implement the handling of certificates from the dovecot IMAP server, so….


In directory: /etc/postfix

These kinds of changes have been documented elsewhere (note that the continuation lines of smtpd_recipient_restrictions must start with whitespace, which is how Postfix recognises them as part of the same parameter):

smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_sender_domain
broken_sasl_auth_clients = yes

In directory: /etc/pki/dovecot

we can run this command:

[root@gfee dovecot]# openssl req -config dovecot-openssl.cnf -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
................++++++
...++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----

This creates a CA certificate [the cacert.pem] for use by the SSL portion of dovecot, i.e. back to dovecot.conf.

The passphrase above needs to be communicated to dovecot with this option:

ssl_key_password =

so that dovecot can access the private key associated with the certificate you just created. So here is what else was added/changed:

ssl_cert = </etc/pki/dovecot/cacert.pem
ssl_key = </etc/pki/dovecot/private/cakey.pem

to reflect the newly created SSL cert.


Now what remains is to modify the Postfix configuration to reflect the newly created (cert, key). The first step is to remove the passphrase from postfix's copy of the key (cakey.pem):

openssl rsa -in /etc/pki/dovecot/private/cakey.pem -out /etc/postfix/cakey.pem

cp  /etc/pki/dovecot/cacert.pem /etc/postfix/

Then change ownership/perms on these new postfix copies:

[root@gfee postfix]#  chmod 0640 cakey.pem cacert.pem
[root@gfee postfix]# chown postfix:postfix cakey.pem cacert.pem

service MailScanner restart

reloads our postfix after modifying postfix's main.cf and master.cf to reflect these new smtpd changes. A couple of afterthoughts which would have saved a LOT of misery:

  • yum list available crypto*, then yum update that list.
  • dovecot can use a key with a passphrase, but postfix can't
  • the internet has a plethora of test tools

But the local test for TLS is still telnet from the outside:

[gelgin@cjll ~]$ telnet gfee.internut.com 25
Trying 192.168.43.6...
Connected to gfee.internut.com.
Escape character is '^]'.
220 gfee.internut.com ESMTP Postfix
ehlo localhost                          <---- you have to type
250-gfee.internut.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS                                <---- you have to type
220 2.0.0 Ready to start TLS

dkim as XMIT/RCV Spoof Advisor

January 6, 2016

I still have an advertisement @ dkim.org where I had proclaimed myself as a professional who can help you install DKIM. Unfortunately most of the emails I get go something like this:

I am under spoofing attacks and would like to know how DKIM could help. I would also like to know if this is a paid service. The detail for implementation at the DKIM.ORG web site described how to add the key. Generating the key was not included in the description. I have an Office 365 premium account and have DMARC set up. Can you help me to understand what is needed to start using the DKIM key with my Exchange environment.

Sometimes I do quote a rate (which involves a retainer), but in this case my response was terse, sic:

I doubt it would help that much, maybe 1%; no, I doubt you would get it

But since he wasn't ever going to pay me for what he and others think is “free” [like grits], here is some detail from one of my mail headers:

not spam, SpamAssassin (score=-1.311, required 4.1, autolearn=not spam, ALL_TRUSTED -1.00, BAYES_20 -0.00, DKIM_SIGNED -0.01, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, DKIM_VERIFIED -0.10)

In our email setup spam is rated as a number based on Bayesian scoring, where anything above 4 or so is spam and above 5 or so just ain't delivered :/

The points I didn't wish to pursue with him are:

  • Why would anybody go to the trouble to IP-spoof you?
  • If you are using SPF or its Microshucks equivalent, why is it not getting tagged already?

I don't doubt that this guy is “under attack”, though most of the enquiries I get are probably from people who wish to implement DKIM XMIT `transmitters` as opposed to DKIM RCV `receivers`. This first customer type views themselves as legitimate “marketeers”, but wish their spam [hm… advertisements?] to bypass such Bayesian spam eradication, which was never what DKIM was intended to do.

Which I suppose gets into the issue of whether your MTA only checks DKIM on receipt, or signs outgoing e-mail, or both. One of the reasons we had never implemented DKIM on the sender side is because the use of multiple domains on the same mail server made implementing that many public/private keypairs painful.

The recent implementation of SRS made this downside much less painful, so in fact this gentleman's email motivated me to “do the right thing”. But back to the receiving side:

; Generic TXT RR format
name  ttl  class   TXT     "text"
;DKIM TXT RR format
selector._domainkey ttl class TXT "DKIM-specific-text"

This is from the ZyTrax book and a little more explicative than RFC 4871. The specifics of the “DKIM-specific-text” include things like the version, key type, p=publickeystring, granularity.

There are actually many apps out on the internet that can generate this given a public key:

"v=DKIM1; n=AkeyGen; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDjf6l7P5/VJcSxmhEerk1zN5Dm4QEWSZRvY694dLcFK6mCGvia7CWdh/r7hvXasFxalOjjd0+1uZawizz5rf4AP65QXqhFMCnMTgfhDsGnz00Lbfkieh9lG8aJEdceLOdPBLNX+NSferT8GTWZ8p8TN9RHULk9PrxN9t6i05kA9wIDAQAB; s=email; t=s:y"

This shows you how the DNS record could be generated, but the thing to note is t=s:y. This tells the world (sic, the receiving MTA) that we are really only TESTing DKIM and don't trust it, or “please DON'T reject email on that basis alone”.

However this stuff can be very subtle; for example if t=y (instead of s:y) that tool points out that subdomains are allowed [subdomain spoofing anyone?].

Another thing I would have had to spend hours trying to explain to this potential “customer” is that DKIM is much more forgiving than, say, SPF. Many receiving MTAs, rather than giving a FULL STOP on a DKIM check, will give a FULL STOP on SPF faults.


Perhaps a short note pointing out that opendkim is NOT the only system for signing outgoing emails and interpreting incoming DKIM signatures. Others I have played with from time to time include

This last, amavisd, I include since it does much more than DKIM signing, has its own way of configuring keys and provides some pretty interesting built-in tools to “pre-test”:

# amavisd showkeys
; key#1, domain weboir.com, /etc/opendkim/keys/default.private
default._domainkey.weboir.com.  3600 TXT (
"v=DKIM1; h=sha256:sha1; k=rsa; s=default; t=s:y; p="
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQConpvV+03ba5FoaQPxo71w6dGX"
"GlYAIK/J6F6vlSUI26RABaghBzy31UYJ4NSJdZUUTvCGDUtVh7TD/kSv0zLChy3n"
"KpL4D0RoD2kosXczvxMfjnxHWN2N8C2Wr9sE4xJLBeXvbRELga1tnIiHYRaJLyAJ"
"wgjRRApUqOI8jtEDawIDAQAB")

# amavisd testkeys
TESTING#1: default._domainkey.weboir.com     => invalid (public key: OpenSSL error: bad base64 decode)
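An added Python example (not the post's or amavisd's code) that parses a key record in either form shown here, the single quoted string from the generator above and the multi-string zone-file output of amavisd showkeys, reports what the t= flags mean to a receiver (y = testing, s = no subdomains), and runs the same base64/DER sanity check on p= that testkeys failed. The two embedded records are copied from the post; the short DER built by constructed_record is made up for testing.

```python
"""Parse a DKIM key record and report what a verifying MTA would infer from it.

Added example, not code from the original post or from amavisd. Nothing is
fetched from DNS and no signature is verified; only the record syntax, the
t= flags and the shape of the p= public key are examined.
"""
import base64
import binascii
import re

QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# DER encoding of the rsaEncryption OID, present in any RSA SubjectPublicKeyInfo.
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")

# Both records copied from the post (curly quotes replaced by ASCII quotes).
GENERATOR_RECORD = ('"v=DKIM1; n=AkeyGen; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDjf6l7P5/VJcSxmhEerk1z'
                    'N5Dm4QEWSZRvY694dLcFK6mCGvia7CWdh/r7hvXasFxalOjjd0+1uZawizz5rf4AP65QXqhFMCnMTgfh'
                    'DsGnz00Lbfkieh9lG8aJEdceLOdPBLNX+NSferT8GTWZ8p8TN9RHULk9PrxN9t6i05kA9wIDAQAB; '
                    's=email; t=s:y"')
SHOWKEYS_RECORD = """\
default._domainkey.weboir.com.  3600 TXT (
"v=DKIM1; h=sha256:sha1; k=rsa; s=default; t=s:y; p="
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQConpvV+03ba5FoaQPxo71w6dGX"
"GlYAIK/J6F6vlSUI26RABaghBzy31UYJ4NSJdZUUTvCGDUtVh7TD/kSv0zLChy3n"
"KpL4D0RoD2kosXczvxMfjnxHWN2N8C2Wr9sE4xJLBeXvbRELga1tnIiHYRaJLyAJ"
"wgjRRApUqOI8jtEDawIDAQAB")
"""


def join_txt_strings(presentation):
    """Concatenate the quoted strings of a zone-file TXT RDATA; a bare string passes through."""
    parts = QUOTED_RE.findall(presentation)
    return "".join(parts) if parts else presentation.strip()


def parse_tags(record):
    """tag=value list -> dict. Whitespace inside values is dropped so a p= value
    folded over several DNS strings still decodes."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            name, value = field.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def assess(record):
    """Return (tags, findings): what a receiving MTA would make of this key record."""
    tags = parse_tags(join_txt_strings(record))
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append(f"unknown version {tags['v']!r}; verifiers ignore the record")
    flags = set(tags.get("t", "").split(":")) - {""}
    if "y" in flags:
        findings.append("testing mode (t=y): a failed signature is to be treated like no signature")
    if "s" not in flags:
        findings.append("no t=s: signatures may use any subdomain of d= in the i= tag")
    key_type = tags.get("k", "rsa")
    if key_type != "rsa":
        findings.append(f"key type {key_type}: not checked here")
    p = tags.get("p")
    if p is None:
        findings.append("missing p= tag: record is invalid")
    elif p == "":
        findings.append("empty p=: key has been revoked")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except (binascii.Error, ValueError):
            findings.append("p= is not valid base64")
        else:
            if key_type == "rsa" and RSA_OID_DER not in der[:40]:
                findings.append("p= decodes but is not an RSA SubjectPublicKeyInfo")
            else:
                findings.append(f"p= decodes to {len(der)} bytes of DER")
    return tags, findings


def constructed_record(t_flags, key_der):
    """Build a record around constructed DER so tests do not depend on the post's keys."""
    return f"v=DKIM1; k=rsa; t={t_flags}; p={base64.b64encode(key_der).decode()}"


if __name__ == "__main__":
    for name, rec in (("generator", GENERATOR_RECORD), ("showkeys", SHOWKEYS_RECORD)):
        tags, findings = assess(rec)
        print(name, tags.get("t"), findings)
```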

to fix this last

[root@maintenance opendkim]# amavisd convert_keysfile /etc/opendkim/KeyTable
dkim_key('default',         'default',   '/etc/opendkim/keys/default.private');

@dkim_signature_options_bysender_maps = (new_RE(
[ qr/^default\._domainkey\.weboir\.com weboir\.com\@\z/is => { d=>'default'} ],
));

apparently worked around amavisd 2.2 or so, but it was easier just to start fresh:

# amavisd  genrsa /etc/amavisd/weboir.com.pem 1024
Private RSA key successfully written to file "/etc/amavisd/weboir.com.pem" (1024 bits, PEM format)

Is DKIM going to accomplish your goal? I dunno. Do you think signing your outgoing mail header on transmit (XMIT) with a private key that can't be compromised is a good thing? Conversely, is verifying someone else's incoming mail header on receipt (RCV) with their public key, which is virtually uncompromisable, a guarantee of authenticity? These are subtle questions of ethics that I think the banks and financial companies do take seriously.

It used to be that putting a .41c stamp on a piece of mail gave some federal protection against tampering. Me, not so sure == Technophobe ==.

install DKIM w/SRS On Fedora

December 26, 2015

This is the template I followed:

A tutorial for Debian installations w/POSTFIX

SRS, which is STEP 2 in their procedure, had already been installed previously from source, i.e.

unzip -l postsrsd.zip
cd /usr/local/src/postsrsd-master/
then the typical

make
make install

But where the rubber meets the road is integrating this into Postfix.

Add the following to /etc/postfix/main.cf:

# PostSRSd settings.
sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes = envelope_recipient,header_recipient

Step 1: the DKIM install (after about a month)

yum install opendkim.i686

which creates the operating environment for the DKIM daemon:

[root@gfee postfix]# ls -ld /var/run/opendkim
drwxr-xr-x 2 opendkim opendkim 4096 Sep 22  2011 /var/run/opendkim

Modify /etc/opendkim.conf for your domain.

Create the directory /etc/opendkim.d and put the following in /etc/opendkim.d/TrustedHosts, i.e. the inside network IPs:

127.0.0.1
::1
localhost
192.168.43.0/24
*.internut.com
.
.

The next step is to generate the keys:

$ cd /etc/opendkim.d
$ opendkim-genkey -s mail -d internut.com
$ chmod 600 mail.private
$ chown opendkim:opendkim mail.private

This utility produces 2 files:

  • mail.txt
  • mail.private

which are, as expected, the public and private DKIM keys.

The next step is to publish the public key as a DNS TXT record:

mail._domainkey.internut.com v=DKIM1; k=rsa; p=<alphabet soup>, where the <alphabet soup> (the base64 public key) comes from the previously created mail.txt.

Since we have a somewhat unusual DNS setup, adding this DNS TXT record requires accessing a mydns DB on "Master", and once that is committed one needs to force the zone transfer to the BIND slaves with something like this:

         cd  /var/named/chroot/var/named/slaves/; ls -1 /var/named/chroot/var/named/slaves/ | xargs rm ; service named restart

 v=DKIM1; r=postmaster; t=y; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDjf6l7P5/VJcSxmhEerk1zN5Dm4QEWSZRvY694dLcFK6mCGvia7CWdh/r7hvXasFxalOjjd0+1uZawizz5rf4AP65QXqhFMCnMTgfhDsGnz00Lbfkieh9lG8aJEdceLOdPBLNX+NSferT8GTWZ8p8TN9RHULk9PrxN9t6i05kA9wIDAQAB

The final steps are to modify /etc/postfix/main.cf to accommodate opendkim:

# Milter settings.
milter_protocol = 2
milter_default_action = accept
# OpenDKIM runs on port 12301.
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

Again, in our setup bouncing Postfix is probably not sufficient; something like this is needed:

/etc/init.d/MailScanner restart

then, to actually start the milter:

service opendkim
Usage: /etc/init.d/opendkim {start|stop|status|reload|restart|condrestart}

As a Test there are Several Places which will echo back a verification e-

ex)  auth2@verifier.port25.com

Dec 26 17:26:10 gfee opendkim[18728]: 3D6AE41C4E: DKIM verification successful
Dec 26 17:26:10 gfee postfix/smtpd[19004]: disconnect from verifier.port25.com[38.95.177.125]

One more suggestion is to verify your published key with this tool, which in my case uncovered an issue: specifically, I did NOT terminate the key p= with ';'. The utility did complain about the choice of the selector name, but mails do work, so I take this to be a bug in the tool.
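A small checker for the published TXT record, as an added example (not opendkim's, amavisd's or this post's own code): it covers the t=s:y discussion in the previous post and the amavisd testkeys "bad base64 decode" complaint there, and uses the record quoted in that post as its sample. The finding codes and the DER SEQUENCE check are the example's own conventions.

```python
"""Sanity-check a DKIM DNS TXT record before trusting it in production.
Added example, not code from opendkim, amavisd or the original posts: parses the
tag=value list (RFC 6376), checks p= is base64 of a DER SubjectPublicKeyInfo,
and reports what the t= flags imply.  PAGE_RECORD is the earlier post's record."""
import base64
import binascii

PAGE_RECORD = (
    "v=DKIM1; n=AkeyGen; p="
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDjf6l7P5/VJcSxmhEerk1zN5Dm4QEWSZRv"
    "Y694dLcFK6mCGvia7CWdh/r7hvXasFxalOjjd0+1uZawizz5rf4AP65QXqhFMCnMTgfhDsGn"
    "z00Lbfkieh9lG8aJEdceLOdPBLNX+NSferT8GTWZ8p8TN9RHULk9PrxN9t6i05kA9wIDAQAB"
    "; s=email; t=s:y"
)

def parse_dkim_record(txt):
    """Split 'tag=value; tag=value' into a dict; whitespace inside values is dropped."""
    tags = {}
    for field in txt.split(";"):
        if not field.strip():
            continue
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % field)
        tags[name.strip()] = "".join(value.split())
    return tags

def check_dkim_record(txt):
    """Return finding codes; an empty list means the record is usable as published."""
    findings = []
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("bad-version")
    pub = tags.get("p")
    if pub is None:
        findings.append("no-key")
    else:
        try:
            der = base64.b64decode(pub, validate=True)
        except binascii.Error:
            findings.append("bad-base64")  # the amavisd testkeys complaint above
        else:
            if der[:1] != b"\x30":  # SubjectPublicKeyInfo is a DER SEQUENCE
                findings.append("not-der-sequence")
    flags = set(tags.get("t", "").split(":")) - {""}
    if "y" in flags:
        findings.append("testing-mode")  # verifiers should not reject on failure
    if "s" not in flags:
        findings.append("subdomains-allowed")  # i= may name a subdomain of d=
    return findings
```

A stray quote or line break left inside a long p= value, as happens when a TXT record is split into several quoted strings, shows up as bad-base64 rather than as a silently unusable key.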

Egyptian Fraction Decomposition of -1 into a Sum of 10 Components

October 20, 2015

Problem:

Like China, as a country with a long history, Egypt has a different way of handling fractions. In most cases Egyptian fractions use 1 as the numerator, for example using 1/3 + 1/15 to indicate 2/5, and 1/4 + 1/7 + 1/28 to indicate 3/7, etc. Now the question is that there are 90 Egyptian fractions, going like 1/2, 1/3, 1/4, 1/5, …, 1/90,

can you pick ten out of them and put on plus or minus signs, to make their final sum become -1?

If that means EXACTLY 10, it is a VERY difficult lemma to PROVE or disprove. These days I would write a computer program that tries all possible combinations, but that won't work since the computer would convert fractions to decimals, and with that double conversion there would be round-off error.

Study: my approach would be to find 3 decompositions of 1 into Egyptian fractions which together fulfill the requirement of 10 Egyptian fractions total.

1/2 + 1/3 + 1/6 = 1 is one possibility

1/8 + 3/8 + 5/8 = 1 is a 2nd, which in Egyptian fractions becomes 1/8 + (1/3 + 1/24) + (1/2 + 1/8)

As ancient man "invented the hammer" as a tool to convert angular momentum into linear force, modern man has developed a Fraction to Egyptian Java app to study such numerical problems.

1/10 + 2/10 + 3/10 + 4/10 = 1, which in Egyptian fractions is 1/10 + 1/5 + (1/4 + 1/20) + (1/3 + 1/15)

Using the help of the app above we can now try 12ths:

1/12 + 2/12 + 3/12 + 6/12 = 1, which converts to 1/12 + 1/6 + 1/4 + 1/2, which again falls short of 10.

Solution:

Well, is 1/1 itself usable? Then a solution is

1 – [ 1/10 + 1/5 + (1/4 + 1/20) + (1/3 + 1/15)] – [1/2 + 1/3 + 1/6]

You know, to me the whole exercise sounded like some Chinese mathematician trying to prove something on the cheap…

Corn, a measure of economic health?

June 6, 2011

This quote/commentary came from American Century Investments

Corn Price Increases Tell a Story About Why Commodity Prices Are Rising

In case you haven’t been watching, the price of corn for delivery in July (a futures price set on the Chicago Board of Trade) rose 35% just in the month of April from $216 to $293 per metric ton (or if you like to think in terms of bushels, from $5.50 to $7.45 per bushel). As both a commodity and agricultural product, the demand and pricing of corn can provide interesting insights into whether inflation is rising, why and (if so) what factors are driving it. In this Weekly Market Update, we’ll take a look at the market dynamics for corn, what is driving recent price increases and how this is likely to unfold over the remainder of this year and beyond.

Corn is the single largest agricultural product produced in the U.S. with a total crop value last year of $66 billion. In comparison, soybeans (the second largest U.S. crop) had a value of $39 billion while wheat (the third largest U.S. crop) had a value of $12 billion. And as the table below illustrates, it is a business largely focused on a few Midwest states which dedicate millions of acres to corn farming.

| State Rank | State | Acres Planted (000) | Acres Harvested for Grain (000) | Ave. Yield (bushels/acre) | Total Prod. (000 Bushels) | Total Prod. (Thousands of Metric Tons) | Cumulative Percentage of U.S. Production |
|---|---|---|---|---|---|---|---|
| 1 | Iowa | 13,400 | 13,050 | 165 | 2,153,250 | 54,711 | 17.3% |
| 2 | Illinois | 12,600 | 12,400 | 157 | 1,946,800 | 49,465 | 32.9% |
| 3 | Nebraska | 9,150 | 8,850 | 166 | 1,469,100 | 37,327 | 44.7% |
| 4 | Minnesota | 7,700 | 7,300 | 177 | 1,292,100 | 32,830 | 55.1% |
| 5 | Indiana | 5,900 | 5,720 | 157 | 898,040 | 22,818 | 62.3% |
| 6 | Kansas | 4,850 | 4,650 | 125 | 581,250 | 14,769 | 67.0% |
| 7 | South Dakota | 4,550 | 4,220 | 135 | 569,700 | 14,475 | 71.6% |
| 8 | Ohio | 3,450 | 3,270 | 163 | 533,010 | 13,543 | 75.9% |
| 9 | Wisconsin | 3,900 | 3,100 | 162 | 502,200 | 12,760 | 79.9% |
| 10 | Missouri | 3,150 | 3,000 | 123 | 369,000 | 9,376 | 82.9% |
|  | U.S. Total | 88,192 | 81,446 | 153 | 12,446,865 | 316,804 | 100.0% |

Source: USDA National Agricultural Statistics Service and National Corn Growers Association

The U.S is not only the world’s largest producer of corn but also its largest market. Last year, the per capita consumption of corn in the U.S. was 2,074 pounds per person. And by the way, that doesn’t count the weight of the cob since corn statistics measure only the weight of the corn kernel–which is where all the value is. You may be thinking “I can’t imagine I eat that much corn” and you don’t (I hope). But if you eat pork, beef or chicken (which are fed corn prior to slaughter) or drive a car with a gasoline engine (where 10% of the fuel now consists of corn-based ethanol) you “consume” corn in these activities too. And because corn has so many (and diverse) uses that course through our economy, it makes this agricultural commodity a valuable one for studying its price and how price changes in corn affect many of the consumer and industrial products we manufacture and purchase every day.

U.S. Corn Supply and Demand Balance (million metric tons; the 316.8 production figure is the 316,804 thousand metric tons of the table above)

| Food, Seed and Industrial (FSI) Uses | 1985 | 2010 | Change | % Change |
|---|---|---|---|---|
| Fuel Ethanol | 6.9 | 124.5 | +117.6 | 1708% |
| High Fructose Corn Syrup | 8.3 | 13.1 | +4.8 | 57% |
| Starch | 4.8 | 6.4 | +1.5 | 32% |
| Sweeteners | 4.3 | 6.6 | +2.3 | 54% |
| Beverage Alcohol | 2.1 | 3.4 | +1.3 | 63% |
| Seed | 0.5 | 0.6 | +0.1 | 15% |
| Cereal/Other | 2.4 | 5.0 | +2.6 | 112% |
| Total FSI | 29.3 | 159.6 | +130.3 | 445% |
| Food Animal (Pork, Chicken, Beef) Feed and Residual | 104.5 | 132.1 | +27.6 | 26% |
| Total U.S. Consumption | 133.8 | 291.7 | +157.0 | 118% |
| Direct Export | 31.2 | 49.5 | +18.4 | 59% |
| Total Use | 164.9 | 341.2 | +176.3 | 107% |
| Plus/Minus: Change in Ending Stocks | 60.7 | -24.5 | N/A | N/A |
| Total U.S. Production | 225.6 | 316.8 | +91.1 | 40% |

Actually this points out some stunning information. Use of corn represents

    consumption, whether by people or machines
    growth, i.e. inflation OR deflation

A great deal of oil is used in the production of corn, but there is a feedback mechanism into the production of ethanol-based fuel additives for gasoline as well. So to the energy market corn is both a consumer and a producer.

Another feedback is in the consumption of food, both as a measure of consumption and of the productivity of people; 2074 lbs per person seems like an exaggerated amount. If one looked only at the second table, from 1985-2010 we have become a nation predominated by:

    alcoholic drinkers
    breakfast food eaters
    gasoline guzzlers, by 10x those

What is even more disturbing is how fast corn futures have accelerated in their price change (when calculated in USD)! One interpretation here is that we are either headed towards massive inflation OR huge food shortages. The idea that there was enough corn available to process into bio-fuel on any large scale seemed absurd, since as the second table shows it has choked off all other demand even as a predominantly 10% gasoline additive.

By the way I would hesitate to speculate on how much of that 2074 lbs per person is actually allocated towards pork production since the numbers are skewed by so much ethanol production.

So it may in fact be the American farmer who indeed saves the American economy once again.

MailWatch and MailScanner

March 29, 2011

MailWatch is the PHP GUI for use with MailScanner. When it became time to upgrade amavisd, SpamAssassin, Postfix and ClamAV from the MailZu installation, this became the obvious choice. Amavisd, while functional, has a very cryptic configuration file, and had severe limitations in how it interfaced to SpamAssassin.

In particular, I wanted MailScanner to be able to better control the mail headers and the subject line content for spam:

X-Nomenware-Info: Please contact Admin chuck@mrluciano for more information
X-Nomenware-ID: 4819941007.A8CF2
X-Nomenware-Mail: Found to be clean
X-Nomenware-SpamCheck: not spam, SpamAssassin (not cached, score=-7.501, required 4.5, autolearn=not spam, BAYES_00 -1.50, NO_RELAYS -0.00, USER_IN_WHITELIST_TO -6.00)

Another feature is that MailScanner actually controls the starting and stopping of Postfix, subject to the caveat below. While the MailScanner.conf modifications are extensive, and shown in many tutorials, I mention a few features here.

  1. I prefer that the spam score be shown as a number
    SpamScore Number Instead Of Stars = yes
  2. The subject line modification is controlled with this
    Spam Subject Text = {Spam _SCORE_}
  3. the score at which mail starts being treated as spam
    Required SpamAssassin Score = 5.5
  4. and a high watermark for really dangerous spam
    High SpamAssassin Score = 8.5
  5. the realtime blocklists (RBLs) to consult
    Spam List = SPAMEATINGMONKEY,CBL,MANITU,spamhaus-ZEN
  6. I am conservative with spam lists, so
    Spam Lists To Be Spam = 1
    Spam Lists To Reach High Score = 2

Notice how easy adding realtime RBLs was, as opposed to modifying Postfix configuration files under amavisd's auspices. As with the amavisd emails above, high-scoring spam can probably be deleted after a certain amount of debug time with:

High Scoring Spam Actions = delete

I would in turn not recommend something like

High Scoring Spam Actions = forward wayward@internut.com
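The header and thresholds above, worked through as an added example (not MailScanner's or this post's code): it parses the X-Nomenware-SpamCheck value quoted earlier and bands the message with the Required and High scores from the config items above, then shows what the subject tag and the high-scoring action would be. The number format substituted for _SCORE_ and the "tag" action name are assumptions.

```python
"""Apply the MailScanner.conf thresholds above to a MailScanner SpamCheck header.
Added example, not code from MailScanner or the original post.  SAMPLE_HEADER is
the X-Nomenware-SpamCheck value quoted above; the _SCORE_ number format and the
"tag" action name are assumptions."""
import re

REQUIRED_SCORE = 5.5                  # Required SpamAssassin Score = 5.5
HIGH_SCORE = 8.5                      # High SpamAssassin Score = 8.5
SPAM_SUBJECT_TEXT = "{Spam _SCORE_}"  # Spam Subject Text = {Spam _SCORE_}
HIGH_SCORING_ACTION = "delete"        # High Scoring Spam Actions = delete

SAMPLE_HEADER = ("not spam, SpamAssassin (not cached, score=-7.501, required 4.5, "
                 "autolearn=not spam, BAYES_00 -1.50, NO_RELAYS -0.00, "
                 "USER_IN_WHITELIST_TO -6.00)")

_SCORE_RE = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")
_RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]+) (-?\d+\.\d+)")  # e.g. BAYES_00 -1.50

def parse_spamcheck(value):
    """Return (score, {rule: points}) from the header MailScanner adds."""
    m = _SCORE_RE.search(value)
    if m is None:
        raise ValueError("no SpamAssassin score in header")
    rules = {name: float(pts) for name, pts in _RULE_RE.findall(value)}
    return float(m.group(1)), rules

def classify(score):
    """Band the score with the configured thresholds, not the header's required=."""
    if score >= HIGH_SCORE:
        return "high-scoring spam"
    if score >= REQUIRED_SCORE:
        return "spam"
    return "clean"

def tag_subject(subject, score):
    """Prefix the subject the way Spam Subject Text = {Spam _SCORE_} would."""
    if classify(score) == "clean":
        return subject
    return SPAM_SUBJECT_TEXT.replace("_SCORE_", "%.2f" % score) + " " + subject

def action(score):
    """Deliver clean mail, tag spam, apply the high-scoring action above the watermark."""
    band = classify(score)
    if band == "high-scoring spam":
        return HIGH_SCORING_ACTION
    return "tag" if band == "spam" else "deliver"
```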

Two very definite problem areas for debugging were

  • the permissions on the quarantine directory
  • logging spam into the database to be read

The first was fixed using a script, fix_quarantine_permissions. The second was a configuration item, i.e.

    Always Looked Up Last = &MailWatchLogging

It is advisable to run both these commands post-installation:

  • MailScanner -V
  • MailScanner --lint

The first checks for any missing Perl modules, and the second checks clamav and spamassassin for correct functionality.

Before deciding on the choice of amavisd or postfix for your installation, it is key that you understand the operation of these two configuration items:

    Incoming Queue Dir = /var/spool/postfix/hold
    Outgoing Queue Dir = /var/spool/postfix/incoming

A lot of folks (including the Postfix inventor) have NOT recommended using MailScanner with this MTA because it defeats some mechanisms within Postfix. In our case I saw that the advantages of MailWatch outweighed that consideration, with this caveat:

While still experimenting with the basic MailScanner.conf I used MailWatch to release a quarantined message that appeared to have:

    Quarantine: /var/spool/MailScanner/quarantine/20110329/7B6C0411DB.ADD2F
    Report: MailScanner: Message attempted to kill MailScanner

because I thought it to be from a trusted source. This had the VERY NASTY side effect of bringing Postfix to a complete stop. It was running and everything seemed fine, but nothing was being delivered. So, as in all things free, BBW: Buyer BeWare.

The MailWatch GUI is so much more sophisticated than MailZu. It automates not only quarantine handling and Bayesian learning, but, thanks to php-gd and some very talented programming, puts system-wide reports at your fingertips.