Postfix – relay emails via a another mailserver with authentication and submission enabled
This short writeup will guide you on how to do it on Debian-based and Fedora systems.
We begin with installing posfix and the required packages for authentication.
First – doublecheck that your machine has a Fully Qualified Domain Name set in the hostfile, this will remove alot of headaches from you in the future.
My machine is named “T15.domain.tld” – so emails will be arriving from “user@T15.domain.tld”.
Debian:
apt-get install postfix mailutils libsasl2-2 libsasl2-modules
Fedora:
dnf install postfix mailx mailx cyrus-sasl cyrus-sasl-plain
Next, we will create the sasl-password file and hash it:
echo "[relay.domain.tld]:587 username:password" > /etc/postfix/sasl
postmap /etc/postfix/sasl
Great, now we have to tell postfix that all emails sent via it should be relayed throu the smtp-relay:
relayhost = [relay.domain.tld]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
Restart postfix and check the log, so everything looks good.
Test your setup:
echo "This is a test" | mail -s "Just a test" destination_email@domain.tld
You can check the status of the mailqueue with the command mailq.
And that's about it!
Some good IPTABLES rules
Personal note with example IPv4s Maybe this could be useful for your DNS-server aswell
IPT="/sbin/iptables"
# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain
# Set default policies for all three default chains
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Enable free use of loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP
# Accept inbound TCP packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Traffic from Ports
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s 192.168.69.0/24 -j ACCEPT
$IPT -A INPUT -p udp -m udp --dport 53 -s 192.168.69.X/32 -j ACCEPT
$IPT -A INPUT -p tcp --dport 53 -m state --state NEW -s 192.168.69.X/32 -j ACCEPT
$IPT -A INPUT -p tcp --dport 5666 -m state --state NEW -s 192.168.69.X/32 -j ACCEPT
# Flood protection for DNS UDP
# See: /proc/net/ipt_hashlimit/DNS
#iptables -A INPUT -p udp --dport 53 -m state --state NEW \
# -m hashlimit \
# --hashlimit-above 300/sec \
# --hashlimit-mode srcip \
# --hashlimit-name DNS \
# --hashlimit-htable-expire 60000 \
# -j DROP
$IPT -A INPUT -p tcp --dport 53 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT # - DNS
# Accept inbound UDP packets
$IPT -A INPUT -p udp -m udp --dport 53 -s 0.0.0.0/0 -j ACCEPT
# Accept inbound ICMP packets #
$IPT -A INPUT -p ICMP --icmp-type 8 -s 0.0.0.0/0 -j ACCEPT
Create a simple docker-registry on your local machine
There is many reasons why you would like to have local docker registry, and being cool is one of them. This is how you do it on Debian.
Well, lets go!
1 Install the package:
apt install docker-registry
2 Tell the machine where you are going to pull to, that the registry is “unsafe” (non-https):
{
"insecure-registries":
[
"docker.internal:5000",
"registry.linux.pizza:5000"
]
}
3 Create a basic-auth on your registry:
htpasswd -Bbn dockeruser registrypassword >/etc/docker/registry/.htpasswd
4 Login to the registry from your host:
docker login -u dockeruser registry.linux.pizza:5000
Dont forget to restart docker!
Have fun!
Run a Tor-Relay on Tribblix – an Illumos retro distribution
This fall, has been busy for me, and when I am busy I like to experiment and play with stuff – especially IT and nerdy stuff.
This brings me back to the days when I started with Linux, for me it was new, cool and different. Nowadays I feel like it is not so different.
So, being the hipster that I am, I set out to find something new. I've already tried and played with OmniOS a couple of years back and I liked it. And during my quest to get it on a iPXE server – I found out about Tribblix.
Tribblix is a Illumos distribution with a retro feel. And that I liked. The iPXE setup was easy since Peter Tribble – the creator and maintainer of Tribblix – already have an iPXE server up and running. So I just used the already ready target at (http://pkgs.tribblix.org/m24/ipxe.txt) and got it up and running according to the installation instructions provided by Tribblix here: http://www.tribblix.org/install.html
Enter Tor – and the recent news that Russia has decided to block Tor nationwide. I must say that I do understand why they did it from a IT-security perspective – alot of crap is originating from Russia. That is an undisputed fact. However, from a freedom perspective – this is making an already bad situation even worse. So what a perfect opporunity to run a Tor-relay on a SunOS machine! Currently, there is only 5 relays that is running on a Solaris/SunOS based kernel (including one of mine). Lets change that – more diversity in the Tor-network is a good thing.
So, assuming that you have installed Tribblix. Lets pull down the Tribblix overlay called “develop”
zap install develop
This takes a couple of minutes, and what it does is that it download and installs all the nessecary packages you need to build Tor.
We also need LibEvent, since Tor requires it. And the TRIBlibev is like libevent – but not really – we need to manually compile it.
Download the latest stable version from github, and extract it like shown below:
wget https://github.com/libevent/libevent/releases/download/release-2.1.12-stable/libevent-2.1.12-stable.tar.gz
tar -xvf libevent-2.1.12-stable.tar.gz
Lets also pull down the Tor-source code and extract:
wget https://dist.torproject.org/tor-0.4.6.9.tar.gz
tar -xvf tor-0.4.6.9.tar.gz
Great, now you should have everything you need in order to get started.
Navigate to the libevent catalogue you just extracted, and run the following:
./configure --prefix=/tmp/mc --enable-static --disable-shared
gmake
gmake install
This will create a static and temporary copy of LibEvent in the /tmp/mc catalogue. we will use that in the compilation of Tor.
When the compilation of LibEvent is done, nagivate to the Tor-catalogue and run the following:
./configure --with-libevent-dir=/tmp/mc MAKE="gmake"
gmake
gmake install
The proceedure is quite similar to the LibEvent compilation.
When the gmake install procedure is done, you can find the tor-config files in /usr/local/etc/tor/ and the binaries in /usr/local/bin/.
Configure the torrc file according to your needs, read the Tor Projects Post Install Guide and follow the recommendations.
You can now run tor by just typing /usr/local/bin/tor in your terminal – and you now have a relay running.
For now, you can use tmux in order to run it in the background.
Thanks to Peter Tribble, who told me how to get LibEvent into the system.
Creating a PV and PVC on NFS for K8s
Took myself ages to figure this out, so I am noting this down for my future self. Just a note – this is not the indented workflow, but rather a “getting started with kubernetes” step.
First, we need to add NFS as a storage class:
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: managed-nfs-storage
provisioner: k8s-sigs.io/nfs-subdir-external-provisioner # or choose another name, must match deployment's env PROVISIONER_NAME'
parameters:
archiveOnDelete: "false"
Then, we can add the actual storage:
kind: PersistentVolume
apiVersion: v1
metadata:
name: nfs-persistentvolume
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: "nfs" # Empty string must be explicitly set otherwise default StorageClass will be set / or custom storageClassName name
nfs:
path: "/path/to/share"
server: "xxx.xxx.xxx.xxx"
readOnly: false
claimRef:
name: nfs-persistentvolumeclaim
namespace: default
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nfs-persistentvolumeclaim
namespace: default
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: "nfs" # Empty string must be explicitly set otherwise default StorageClass will be set / or custom storageClassName name
volumeName: nfs-persistentvolume
Hope this helps
Bonus – run a Minecraft Bedrock inside K8S using your newly created PVC as storage
apiVersion: apps/v1
kind: Deployment
metadata:
name: mc-bedrock
labels:
app: mc-bedrock
spec:
replicas: 1
template:
metadata:
name: mc-bedrock
labels:
app: mc-bedrock
spec:
containers:
- name: mc-bedrock
image: itzg/minecraft-bedrock-server
imagePullPolicy: Always
resources:
requests:
cpu: 500m
memory: 4Gi
env:
- name: EULA
value: "TRUE"
- name: GAMEMODE
value: survival
- name: DIFFICULTY
value: normal
- name: WHITE_LIST
value: "false"
- name: ONLINE_MODE
value: "true"
- name: ALLOW_CHEATS
value: "true"
volumeMounts:
- mountPath: /data
name: data
volumes:
- name: data
persistentVolumeClaim:
claimName: nfs-persistentvolumeclaim
selector:
matchLabels:
app: mc-bedrock
---
apiVersion: v1
kind: Service
metadata:
name: mc-bedrock
labels:
app: mc-bedrock
spec:
selector:
app: mc-bedrock
ports:
- port: 19132
protocol: UDP
type: LoadBalancer
Get the IP assigned for the service
kubectl get service mc-bedrock -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
Restart the pods in the deployment
kubectl logs -f deployment/mc-bedrock
Changing bus-type on a Nutanix AHV Virtual Machine
In some cases – especielly with older systems – you might not be able to run your VM with a SCSI-drive since the drivers is missing from the system.
This was the case for me when I wanted to move a older VM (Debian 5) into Nutanix AHV from ESXi.
In order to mitigate this, you have to change the bus-type of the drive from SCSI to IDE or PCI:
Login to you CVM via SSH, and execute the following
acli vm.get NameOfTheVM
You will see some output similar to the following:
NameOfTheVM {
can_clear_removed_from_host_uuid: True
config {
affinity {
...
host_uuid: "d17a25a0-6a8a-4b30-993d-323f824eb383"
logical_timestamp: 83
state: "kOn"
uuid: "5ea5288b-d3fb-40d9-83ce-9356db75129b"
Look for disk list and vmdisk_uuid: similar to the following:
disk_list {
addr {
bus: "scsi"
index: 0
}
container_id: 1416
container_uuid: "f20a220c-f237-43eb-9465-200f17a3306e"
device_uuid: "53d01e6b-43bf-41dd-a8c5-c82cd3f673cb"
naa_id: "naa.6506b8d135b478f0803c4c2944a37187"
source_nfs_path: "/ntnx01-container01/xtract-vm//349a1ace-f328-40df-867e-6 c7f0d46ac7f/500a3a5a-741b-6de2-7ca3-4927a3c621e1/2000_NameOfTheVM.vmdk"
vmdisk_size: 107374182400
vmdisk_uuid: "315bb83c-7629-401a-a522-b350a3387dca"
}
The procedure here is simple, we will just create a new disk as a clone of an existing disk, using the vmdisk_uuid:
acli vm.disk_create NameOFTheVM clone_from_vmdisk=01f68633-06ab-4fe7-b819-90fec3e8d08a bus=pci
This create and attaches a disk to the VM NameOfTheVM, change the UUID to the one you have.
To create a disk with the bus ide, change pci to ide.
Done!
Change password of an existing SASL user
First, list the users that you have in your system:
sasldblistusers2
selea@mailserver.linux.pizza: userPassword
pizza@localhost: userPassword
Next, change the password of the specific user you want to change:
saslpasswd2 pizza@localhost
Password:
Again (for verification):
That's it!
If you want to create a new user
saslpasswd2 -c -u domain.tld smtprelay
You can also test a SASL-user with the following:
testsaslauthd -u smtprelay -r domain.tld -p PASSWORD
Opting out of Google's New tracking Method – FLoC
Luckily, this is quite easy – for now.
Just add the “Permissions-Policy: interest-cohort=()” header in your webserver. This can be done as following:
In Apache (including .htaccess):
Header always set Permissions-Policy: interest-cohort=()
In Nginx
add_header Permissions-Policy: interest-cohort=()
That's it!
Edit: In January 2022, Google announced that they would abandon FLOC
Pickled Jalapenos
I am a fan of jalapeños and chilies in general, and this year I had some luck with the weather so my only jalapeñoplant did pretty well. So today, where are going to pickle the jalapeños.
What you will need
- Garlic (couple of smashed cloves or powder is fine)
- 0.45 dl Sugar
- 15 ml Salt
- 3dl White Vinegar
- 3dl Water
- ~400grams of fresh Jalapeños (or other chilies)
The procedure
I decided to slice the jalapeños together with three quite big cloves of garlic:
Then, mix water, vinegar, salt and sugar into a pot. Let the sugar and salt dissolve and wait until the mix starts to boil a little.
Then, just add the jalapeños and garlic. Let it putter for 5 minutes.
Lastly, put it into your glass-container of choice!
This should last a couple of month, and serves well with taco, pizza or if you are like me – on EVERYTHING!
Done and easy! Everyone can do this, and it works with almost anything.
I also did this with unriped tomatoes, and it tasted very good too!
