Ted Leung on the air
Ted Leung on the air: Open Source, Java, Python, and ...
Sun, 01 Feb 2004
Mail hacking grumbles
The appearance of MyDoom this week has prompted me to install some additional security measures for our network at home.
  1. Disallow connections to port 25 from inside the firewall
    This is long overdue since lots of e-mail worms like to install their own SMTP server. The only way you're going out via SMTP is via our SMTP server.
  2. Enable SMTP AUTH via SASL
    Only authorized users should be able to use our SMTP server. This turned out to be a major headache since postfix on Debian runs chrooted, and was having trouble talking to saslauthd's socket. I ultimately gave up on using saslauthd and hacked around it using the sasldb method of checking passwords. But even that took me way too long to figure out. It would be nice if the Debian maintainers for postfix or SASL would include some documentation on how to do SASL-based SMTP auth inside the postfix chroot environment (using SASL2).
  3. Enable TLS support for postfix
    I've grabbed the postfix-tls deb and installed it. Next I need to generate the certificates. The problem is that I already have certificates for Apache and UW-IMAP (although I'm probably going to junk that in favor of Dovecot). I also want the SMTP TLS to require a client certificate (yes, I'm paranoid). So I pretty much need to set up my own CA to issue client and server certificates. What I'm not clear about is whether I need a server cert for each service (www, imaps, smtp) that I plan to offer -- I only have a single IP address. There's also the small matter of which of the many different HOWTOs or documents to follow to generate the certificates properly. Last time I used the makecert.sh that comes with Debian's modssl.
Bottom line: this stuff is a huge pain to do and do correctly. I can't see any reason why these features shouldn't be easy to turn on, but I've used up a bunch of energy trying to get them all to work. If anybody out there is running a setup like what I'm proposing, let me know. I'll try to publish a record of what I've done once I get it all working.
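As an added illustration, not the author's actual configuration, here is how the three measures above map onto Postfix (with the postfix-tls patch), Cyrus SASL and iptables on a Debian box of that era. The hostname mail.example.home, the mail host address 192.168.1.10, the LAN interface eth1, the certificate paths under /etc/postfix/certs, the submission service entry and the sasldb location inside the chroot are all assumptions to check against the package's README.

```conf
# --- /etc/postfix/main.cf, added fragment (hostnames and paths are placeholders) ---
# Postfix does not allow comments after a value, so they sit on their own lines.
myhostname = mail.example.home

# 2. SMTP AUTH: relay only for the LAN or for authenticated users.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# Must equal the realm (-u) used when creating sasldb entries, see the commands below.
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# 3. TLS: server cert from the local CA, opportunistic on port 25 so Internet mail
#    still arrives; never accept PLAIN/LOGIN passwords on a cleartext connection.
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/certs/smtpd-cert.pem
smtpd_tls_key_file = /etc/postfix/certs/smtpd-key.pem
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_auth_only = yes
# Log handshakes and presented client certs so failed attempts can be reviewed.
smtpd_tls_loglevel = 1

# --- /etc/postfix/master.cf, submission service for the LAN clients (assumed layout) ---
# Client certs are only enforced here: smtpd_tls_req_ccert has no effect unless
# TLS itself is mandatory, and making it mandatory on port 25 would block inbound mail.
submission inet n - - - - smtpd
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_req_ccert=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# --- /etc/postfix/sasl/smtpd.conf (Cyrus SASL settings for the chrooted smtpd) ---
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN
# Path as seen from inside the chroot, i.e. /var/spool/postfix/etc/sasldb2 on disk.
sasldb_path: /etc/sasldb2

# --- Commands, run as root (shown here as comments) ---
# Create a user in the chroot's sasldb and let the postfix group read it:
#   saslpasswd2 -c -f /var/spool/postfix/etc/sasldb2 -u mail.example.home alice
#   chgrp postfix /var/spool/postfix/etc/sasldb2 && chmod 640 /var/spool/postfix/etc/sasldb2
# 1. On the gateway, eth1 being the LAN side: only the mail host may reach port 25
#    outside; anything else trying it is logged (a worm indicator) and rejected.
#   iptables -A FORWARD -i eth1 -s 192.168.1.10 -p tcp --dport 25 -j ACCEPT
#   iptables -A FORWARD -i eth1 -p tcp --dport 25 -j LOG --log-prefix "smtp-blocked: "
#   iptables -A FORWARD -i eth1 -p tcp --dport 25 -j REJECT --reject-with tcp-reset
```

After a reload, a LAN machine that suddenly shows up under the "smtp-blocked:" prefix in the gateway's kernel log is the quickest sign that something on it is trying to mail out on its own.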
[22:35] | [computers/operating_systems/linux/debian] | 2 Comments
Sorry, but I just got this error loading this page:

ValueError Python 2.3.3: /usr/bin/python
Mon Feb 2 03:13:57 2004

A problem occurred in a Python script. Here is the sequence of function calls leading up to the error, in the order they occurred.

/home/twl/pyblog/pyblosxom/pyblosxom.cgi
  41  p = PyBlosxom(req)
  42  p.startup()
  43  p.run()
  44
  45 #  import profile
p = <Pyblosxom.pyblosxom.PyBlosxom instance>, p.run = <bound method PyBlosxom.run of <Pyblosxom.pyblosxom.PyBlosxom instance>>

/home/twl/pyblog/pyblosxom/Pyblosxom/pyblosxom.py in run(self=<Pyblosxom.pyblosxom.PyBlosxom instance>)
  230  # giving everyone a chance to transform the data.  the request is
  231  # modified in place.
  232  tools.run_callback("prepare", {"request": self._request})
  233
  234  # now we pass the entry_list through the renderer
global tools = <module 'Pyblosxom.tools' from '/home/twl/pyblog/pyblosxom/Pyblosxom/tools.py'>, tools.run_callback = <function run_callback>, self = <Pyblosxom.pyblosxom.PyBlosxom instance>, self._request = <Request instance>

/home/twl/pyblog/pyblosxom/Pyblosxom/tools.py in run_callback(chain=[<function cb_prepare>, <function cb_prepare>, <function cb_prepare>, <function cb_prepare>, <function cb_prepare>, <function cb_prepare>, <function cb_prepare>, <function cb_prepare>], input={'request': <Request instance>}, mappingfunc=<function <lambda>>, donefunc=<function <lambda>>, defaultfunc=None)
  354  for mem in chain:
  355  # we call the function with the input dict it returns an output.
  356  output = mem(input)
  357
  358  # we fun the output through our donefunc to see if we should stop
output = None, mem = <function cb_prepare>, input = {'request': <Request instance>}

/home/twl/pyblog/plugins/logstats.py in cb_prepare(args={'request': <Request instance>})
  178  except IOError:
  179  logger.info("closed due to IO error %s" % stats._referrers)
  180  stats = PyblStats(config)
  181
  182  stats.addReferer(httpData.get('HTTP_REFERER', '-'))
stats undefined, global PyblStats = <class logstats.PyblStats>, config = {'JAVA_HOME': '/home/twl/bin/j2sdk1.4.1/bin/java', 'aggregator_length': 50, 'base_url': 'http://www.sauria.com/blog', 'blog_description': 'Ted Leung on the air: Open Source, Java, Python, and ...', 'blog_encoding': 'iso-8859-1', 'blog_language': 'en-us', 'blog_title': 'Ted Leung on the air', 'blogroll_image': '/blog/images/xml.gif', 'blogroll_opml': '/home/twl/pyblog/blosxom/myChannels.opml', 'blosxom_custom_flavours': ['comment-head', 'comment-story', 'comment', 'comment-form'], ...}

ValueError: insecure string pickle
  args = ('insecure string pickle',)

Hope this helps to get it fixed.
Posted by rffrf at Mon Feb 2 03:15:31 2004

This HOWTO on securing your network at home from MyDoom by Ted Leung is only for true hackers and geeks! Not for the technically challenged. Non-techies are better off using Geekmail in combination with a non-Outlook email client.
Posted by Trackback from geekmail at Wed Feb 4 13:39:23 2004

About

I work at the Open Source Applications Foundation (OSAF).
The opinions expressed here are entirely my own, not those of my employer.
This work is licensed under a Creative Commons License.