LinuxPizza

Personal notes and occasional posts – 100% human, 0% AI generated

You probably came here because some friend of you mentioned “fediverse” to you, while you responded – fediverse? what is that?.

And your friend did not really wanted to explain it, so you was sent here instead.

Great! I will try my best into explaining what the “Fediverse” is, and how it might save your digital life.

The Fediverse is a name of a network of tens of thousands connected servers, consisting of many different kind of software that “speaks” to each other. The most popular software is Mastodon, that basically is a Twitter clone. The big difference is that the code that is being used on the server is publicly available to everyone, so that ensures that the code is secure and does not hide any hidden “feature” such as data collection on a massive scale, such as Twitter.

Mastodon is developed by many, but the leader and founder of the project is Eugen “Gargron” Rochko that wanted to create a social network because he was tired of having his friends and family being on different networks. And if he wanted to keep in touch with he had to create account on different places (MySpace, Twitter, Viber, Telegram and so on). And so Mastodon was born.

Today, there is thousands of Mastodon servers up and running, each one with it's own characteristic, culture, rules and people. Servers for those who love beer, cats, politics, Linux or just being social. Most of the servers is connected to each other. Yes, you can join that super-niche server that focuses exclusively on cats with moustaches, while still connecting to your friends who is on that instance about helicopters – is'nt that awesome?

Or, if you just want to listen to someone explain how it works, here is a Peertube (which is also a fediverse compatible piece of software) video explaining how it works

As a MTA lover, I always try to encourage people (especially “IT-people”) to host their own mailserver. Mostly so they actually can learn something and also that I do not like how the big providers like Google, Microsoft, Amazon etc keep eating up the market. Diversity is a key to a healthy market – but that is another topic.

This guide will mostly apply to Debian-based distros like Debian (9 or newer), Ubuntu (16.04 or newer) or any other “serverdistro”. I do assume that you already have a working mailserver that do both deliver and receive emails that are DKIM signed (or atleast perform validation with OpenDKIM), otherwhise you can read my short guide here (coming soon).

First, install OpenDMARC from the repository.

apt update
apt install opendmarc -y

Verify that the user and group opendmarc has been created by checking /etc/passwd and /etc/group. Otherwhise, create them. When you have installed it, verify the installation by running this:

opendmarc -V

You will get something like this (the version number is not that important yet):

opendmarc: OpenDMARC Filter v1.3.2       
    SMFI_VERSION 0x1000001       
    libmilter version 1.0.1       
    Active code options:               
    WITH_SPF               
    WITH_SPF2

Great! Let's proceed to configuring opendmarc First, take a backup of the current opendmarc.conf, it will save some headache in the future if you want to redo it:

cp /etc/opendmarc.conf /etc/opendmarc.conf.BAK

Edit /etc/opendmarc.conf with the following:

AuthservID [SERVERHOSTNAME]
FailureReports true
PidFile /var/run/opendmarc.pid
RejectFailures false
SPFSelfValidate yes
Socket inet:8893@localhost
SoftwareHeader true
Syslog true
SyslogFacility mail
TrustedAuthservIDs [SERVERHOSTNAME]
HistoryFile /var/run/opendmarc/opendmarc.dat
UMask 0002
UserID opendmarc

Dont forget to restart opendmarc

service opendmarc restart 

Proceed with adding opendmarc as a milter in postfix. I am assuming that you already have opendkim enabled as a milter like this:

smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

We now need to add the opendmarc milter into the postfix configuration, it is important that you add it AFTER the opendkim milter, otherwhise opendmarc will not be able to check if the DKIM key is valid.

smtpd_milters = inet:localhost:8891,inet:localhost:8893
non_smtpd_milters = inet:localhost:8891,inet:localhost:8893
milter_default_action = accept

The last one is pretty important, so if one of your milters does not work for some reason – Postfix will still let it throu. Restart postfix

service postfix restart

We should now be able to test the configuration by sending an email from example a gmail.com account to an email address on your email-server and check your logs if opendmarc actually works.

tail -f /var/log/mail.log | grep "opendmarc"

You should be able to see this:

Apr 26 12:16:38 mx opendmarc[31490]: 5155751C32: SPF(mailfrom): dmarctest@linux.pizza pass
Apr 26 12:16:39 mx opendmarc[31490]: 5155751C32: linux.pizza pass

Great! Your server does now validate DMARC policies! If you just wanted this basic functionality, you are done now. But there is always room for improvement!

Adding a Public-suffix list

This can be achieved in the following simple steps: Create a catalogue (and change ownership) for the list to be downloaded to:

mkdir -p /etc/opendmarc/
chown opendmarc: /etc/opendmarc

Set up a cronjob to download the suffix list once a week

crontab -u opendmarc -e

And this line:

@weekly/usr/bin/wget -k -q -N -P /etc/opendmarc https://publicsuffix.org/list/effective_tld_names.dat

Also, just download the list so you have it before you configure opendmarc to use it:

wget -k -q -N -P /etc/opendmarc https://publicsuffix.org/list/effective_tld_names.dat 

Finally, configure opendmarc to actually use that list, put this on the bottom in /etc/opendmarc.conf and restart opendmarc

PublicSuffixList /etc/opendmarc/effective_tld_names.dat
service opendmarc restart 

Awesome! You are now done with the OpenDMARC. Next up – adding DMARC reporting, this will be in an upcoming post.

#postfix #dmarc #opendmarc #smtp #email #linux

During my short IT-career, I have dealt with alot people who struggle with generating a .csr file (certificate signing request) on Linux. Windows (especially IIS) have a more clearer approach so that can most of the people figure out by themselves without having to ask to many questions :)

The following example generates a .csr and a .key file for the Company “Company Name”, located in some country in the city “City”. Just replace the variables to your liking.

DOMAIN=www.example.com
COUNTRY=2 letter country code
ORG="Company Name"
CITY="City"
STATE="State"
EMAIL="youremail@example.com"

openssl req -utf8 -nameopt multiline,utf8 -new -newkey rsa:2048 -nodes -sha256 -out $DOMAIN.csr -keyout $DOMAIN.key -subj "/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORG}/OU=IT/CN=$DOMAIN/emailAddress=${EMAIL}"

Sometimes, you do want to generare a .csr file that includes two or more domains – a SAN certificate. Using the same variable as above, we can now add more CN's to the .csr:

openssl req -utf8 -nameopt multiline,utf8 -new -newkey rsa:2048 -nodes -sha256 -out $DOMAIN.csr -keyout $DOMAIN.key -subj "/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORG}/OU=IT/CN=$DOMAIN/emailAddress=webmaster@example.com" -config <(
cat <<-EOF
[req]
default_bits = 2048
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.se
DNS.2 = example.se
DNS.3 = www.example.it
DNS.3 = example.it
DNS.3 = www.example.fi
DNS.3 = example.fi
DNS.3 = www.example.org
DNS.3 = example.org
EOF
)

Lets simplify this even more, with a script!

Running this script, will prompt you with a small dialog that ask you for the domain-name you want a .csr file for. It creates the .key and .csr, and prints out the .csr in the termina

#!/bin/bash
echo -n "Please enter the full Common Name (CN)"
read DOMAIN

COUNTRY=SE
ORG="Company"
CITY="City"
STATE="State"
EMAIL="admin@domain.tld"

openssl req -utf8 -nameopt multiline,utf8 -new -newkey rsa:2048 -nodes -sha256 -out $DOMAIN.csr -keyout $DOMAIN.key -subj "/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORG}/OU=IT/CN=$DOMAIN/emailAddress=$EMAIL" -config <(
cat <<-EOF
[req]
default_bits = 2048
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
EOF
)

echo "private key and certificate request created"
cat $DOMAIN.csr
exit 0 

I hope this can prevent some headache for one or two :)

#linux #openssl #csr #ssl #tls #certificate

One year ago, social.linux.pizza was launched. The domain was initially bought with the intend to launch a website similar to the old and famous “happypengiun.org” – which was the place where people downloaded their games to their Linux machines. It was sadly closed in 2013.

Shortly after social.linux.pizza was launched, the idea came to mind – what about not stopping with mastodon and start provide other free services?. And thus, linux.pizza was born.

linuxpizza logo logo was crafted toghether by my wife

Our vision is as follows: We aim to provide an even more complete suite for that will help people leave Google, Microsoft or [INSERT LARGE CORP HERE] and get a more control, more freedom and more trust in their online experience and life.

The Fediverse has become something central in what we believe in, it is the key to the a more trusted web. Therefore blogs.linux.pizza will publish news and updates regarding LinuxPizza, occasional blog post that will motivate people over from established social network and taking

forthebadge forthebadge