Zuper-quick post for when this bites me again in the future!

Tonight I upgraded from Zentyal 6.2 to Zentyal 7.0. Smooth as butter, everything went great.

Until I logged in, and my shiny Actual Paid Money SSL certificate had vanished, replaced by a self-signed commoner's certificate. Piffle.

Instructions for installing a custom SSL certificate in Zentyal are actually kinda shaky, so here you go:

cd /var/lib/zentyal/conf/ssl/
mkdir old
mv * old
nano ssl.key
nano ssl.cert
cat ssl.cert ssl.key > ssl.pem
chmod …

Turns out this is my third Amavis article. I guess it's just one of those systems.

Heads up, if you're trying to do this, make sure you also read my other article about the "banned_files_lover" thing.

Today I'm on a mission to: 1. Drop all incoming Office '97 files (they're predominantly malicious these days) 1. Drop all incoming Macro-enabled Office 2007+ files (there aren't legitimate reasons to receive these in my scenario) 1. Drop any emails containing a .onion address 1. Drop any emails containing a bitcoin wallet

Dropping Attachments …

About 7 months ago, I left Nginx and moved to Caddy. I've found it super easy, and have now experienced using it as a reverse proxy, a static site server (this one!), as well as a hosting a handy place for me to copy my favourite Kaomoji.

Update 2021-01-20: I had a bug! By default, Caddy serves this without a Content-Type header. However, the RFC specifies that the response should be explicitly Content-Type "text/plain". Thanks to klausenbusk for letting me know!

Note: the Caddyfile fragment to generate https://shrug …

Logs of your client DNS queries can be a really good tool for incident response. I've finally got this implemented but it was much more of a struggle than I expected it to be, so here's my story!

We've got a pfSense firewall running as a DNS fowarder, and a Zentyal server running BIND9 as the authoritative local server. The firewall rules block all UDP/53, so all DNS queries go either directly to the firewall, or (more commonly) to the Zentyal server for resolution. This means we have two …

I really like iRedMail, and I also really like Lynis.

However, they don't exactly like each other... or, more accurately, some of Lynis' recommendations can cause a couple iRedMail components to fail. Today we're talking about SpamAsassin.

One of the suggestions from Lynis is to turn off the 'execute' bit on compilers for users who aren't either the owner or in the owner group (the 'other' execute bit). For example:

root@server:/# chmod o-x /usr/bin/as
root@server:/# chmod o-x /usr/bin/gcc

Easy peasy! But once you do …

Right.

Today I needed to find a diagram of the traffic flow for a split-tunnel VPN. Nothing fancy, just a real simple user-facing diagram to form part of an article.

And friends, there was nothing. Nothing at all. I found proper technical ones from Cisco Meraki; fancy Office365 ones, depicting an ExpressRoute to O365 and tunnelling everything else through the VPN; and another Office365 tunnel with ExpressRoute and a split-tunnel for the rest of the traffic.

Pretty much the closest I came to my needs was this atrocity, via http …

Okay so a few days ago I posted about adopting Caddy.

Of course, anyone who hosts anything knows that accessible services on the internet will start getting hit by scanners within literal moments of being accessible. On the very first night of having my site live on the new VPS, Logwatch informed me of a bunch of attempts to access wp-admin.php. Sigh.

Well, this entire site is built with my favourite static site generator Pelican. That means I don't have any PHP on my site whatsoever. Why not just …

For the last couple of years I've been running this site, as well as my friend's site (Under The Umbrella) on Nginx. Recently my VPS host decided to do away with their cheapest tier, so instead of doubling my annual cost, I hopped onto https://www.lowendbox.com and found myself a replacement Cheaps McGee VPS to host this.

Well, a major change like that is a great time to learn about something new, so I took the opportunity to get started with Caddy. If you don't already know about …

After hosting a mail server for a few years, I've gotten tired of seeing alllll the 404 attempts in my daily logwatch. Fail2Ban can help here really well, and it turns out to be really easy.

Start with nano /etc/fail2ban/filter.d/nginx-4xx.conf (I'm counting on your running Debian and having things in default locations here), and enter the following:

[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
ignoreregex =

Note: Make sure you use a capital 'D' in Definition there.

Now, edit your /etc/fail2ban/jail.conf …

If you're setting up a new SSL VPN with certificate authentication, and if you already have an internal PKI, you're probably considering using your internal certification authority to create the SSL keys and certificates for your VPN clients. Awesome! This is a great and easy way to do this job.

But there's a dearth of information on the Interwebs regarding what Extended Key Usages you need to have enabled in your Certificate Template for these. There are a heap available, including Email Signing, Timestamping, Code Signing, IPSec SSL things (about …