Enabling TLS-only SMTP on port 465 with Postfix

This was annoying to find by Googling, so I hope this article helps others find the information more easily.

In the end it's very easy: just add (or uncomment)

.. code-block:: text

   -o smtpd_tls_wrappermode=yes

under the ``smtps inet ....`` entry in /etc/postfix/. This runs the Postfix SMTP server in the "non-standard" "wrapper" mode on that port: the client has to establish a TLS connection immediately, instead of starting in plaintext and upgrading with the STARTTLS command, an opportunistic upgrade that is potentially vulnerable to MITM.

It is however recommended to keep port 25 open as well and allow STARTTLS there. This use of port 465 (smtps) does seem to be standardized in a way, but it can confuse older machines; I had some ancient online test break on it.

NB! This feature is available in Postfix 2.2 and later; if you have an older Postfix version you should really update.
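As an added example (not from the original post), this is what the two relevant service entries look like in ``master.cf``, the file under /etc/postfix/ that the post refers to: STARTTLS kept opportunistic on port 25 and wrapper mode on port 465. The column layout and the ``y`` in the chroot column follow Debian's stock file; the ``syslog_name`` override is optional and only there to make the two listeners distinguishable in the mail log.

```text
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# Port 25: plain SMTP, TLS offered opportunistically via STARTTLS
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=may
# Port 465: TLS "wrapper" mode, the handshake happens before any SMTP banner,
# so there is no plaintext phase in which a MITM could strip STARTTLS
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
```

You can confirm the split with ``openssl s_client -connect mail.example.com:465 </dev/null`` (the TLS handshake must complete before any 220 banner appears) and ``openssl s_client -starttls smtp -connect mail.example.com:25 </dev/null`` for the port 25 path; ``mail.example.com`` is a placeholder for your own host.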

Gitting git not to be a pain

Are you tired of git always pestering you about your password in one of the 100 repositories cloned onto your system? Even worse, do you have multiple git accounts and it's just absolutely maddening?

No longer do you have to search for "git permanently store password" or "git credential helper cache infinite timeout"!

There's a solution to this maddening behaviour: just edit your .git/config and your troubles are over, no more stupid behaviour.

.. code-block:: ini

   [user]
           name = Username
           email = Email
           password = Password
   [credential]
           # the cache helper keeps credentials in memory (default timeout 900 seconds, see git credential-cache --timeout)
           helper = cache

And git just becomes usable.

P.S.: You might get:

.. code-block:: text

   $ git fetch
   remote: Repository not found.
   fatal: repository '' not found

Just delete ~/.git-credentials, git can't handle storing passwords for multiple accounts properly :')

Posted by TaaviE in Linux. Tags: git.

Installing modsecurity as a static nginx module

This is a super minimal guide on how to recompile nginx on Ubuntu 16.04/14.04 with ModSecurity.

A few external references:

I started with downloading nginx's sources and extracting them:

.. code-block:: bash

   wget <download URL of nginx-1.13.12.tar.gz, missing from the post>
   tar -xf nginx-1.13.12.tar.gz

Then I took the compilation flags of my current nginx build from ``nginx -V`` and modified them to include modsecurity and to exclude useless modules (you can always find the sources of the modules online and pray they work with newer nginx; remove ``--add-module=./modules/ngx_brotli`` if you want nginx without brotli):

.. code-block:: bash

   ./configure --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --sbin-path=/usr/sbin/nginx --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/ --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-threads --add-module=./modules/headers-more-nginx-module --add-module=./modules/ModSecurity-nginx --add-module=./modules/ngx_brotli --with-compat

Building it is easy after that:

.. code-block:: bash

   make -j3
   make install

Then I only had to restart nginx:

.. code-block:: bash

   sudo systemctl restart nginx

Configuration is left as an exercise for the reader :)


I tested it out for a while. It has a few bugs, and the documentation is really lacking in terms of how to write brand-new rules for it. It's also super annoying to track down false positives, and I found the rule syntax vomit-worthy. I decided to drop modsecurity; it just wasn't worth it, especially not just for fun™.

Posted by TaaviE in Linux. Tags: nginx.