[00:21] <homecable> whats the best way to raid 1 mirror with linux
[00:49] <teward> i feel dirty... i'm setting up a centos 7 VM >.<
[00:49] <teward> i feel like i'm betraying Ubuntu :
[00:49] <teward> :? *
=== markthomas is now known as markthomas|away
=== xar is now known as xar-
[01:30] <sarkis> hmm is there something wrong with the libc package?
[01:30] <sarkis> STDERR: E: Failed to fetch http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-libc-dev_3.13.0-57.95_amd64.deb  404  Not Found
[01:34] <sarkis> anyone know if theres something up with linux-libc-dev_3.13.0-57.95_amd64.deb
[01:34] <sarkis> seems to be throwing errors on multiple mirrors?
[01:35] <teward> sarkis: sure it wasn't superseded?
[01:35] <sarkis> hmmm i see what this is
[01:35] <teward> because it doesn't show up there when you navigate to the mirror itself in a web browser
[01:36] <sarkis> ya need an apt-get update
[01:36] <ubottu> The main Ubuntu channels require that you speak in calm, polite English. For other languages, please visit https://wiki.ubuntu.com/IRC/ChannelList
[01:45] <patdk-lap> it's a normal part of human behavior
[01:47] <teward> CurrentToleranceLevel() = 0.0004
[01:47] <teward> i think i need sleep
[02:47] <tgm4883> Trying to enable pci passthrough to one of my libvirt vm's on my 14.04 host, I'm getting this error when I try to start the machine "Error starting domain: unsupported configuration: host doesn't support passthrough of host PCI devices"
[02:47] <qman> Unless its some obscure bug, its exactly what it says
[02:48] <tgm4883> I've added intel_iommu=on to my grub line and kvm-ok says that kvm acceleration can be used, which IIRC means that I've got the vt-d extensions
[02:48] <tgm4883> qman: what else is needed?
[02:48] <qman> If you expect your hardware to have this capability, check the bios settings to make sure its enabled for the device you're trying to use
[02:48] <tarpman> tgm4883: kvm just needs vt, vt-d is an additional feature and usually a separate bios setting
[02:49] <tgm4883> any way to verify I have that without going into the bios? The box is in a closet and I'd have to hook up a keyboard and monitor
[02:50] <qman> Manufacturer documentation to check if it has that feature
[02:50] <qman> No way to enable it without doing that, though
[02:50] <tgm4883> fair enough, i'll look through documentation
[02:51] <qman> Beyond just trying it of course, which isn't working
[02:54] <tarpman> tgm4883: dmesg | grep -i dmar might be a clue, based on http://www.linux-kvm.org/page/How_to_assign_devices_with_VT-d_in_KVM
[02:54] <tarpman> tgm4883: my laptop which has VT-d prints a dmar: line (even though it's disabled in bios), while a server that lacks it does not
[02:55] <tgm4883> tarpman: I'm thinking mine does not. I don't see it listed on the ARK page for my processor
[02:56] <tarpman> too bad
[02:57] <tgm4883> yep, looks it was added in the Nehalem family, which my processor is 2 behind that :(
[02:57] <tgm4883> So plan B I guess. See if I can segregate a NIC to only be used by a particular guest
[02:59] <tarpman> easy, just make a(nother) bridge backed by only that if, point the guest at it
[03:00] <tgm4883> tarpman: that makes sense, I've got to lock it down a bit from the host too, as I was planning on connecting this NIC directly to my cable modem
[03:00] <tgm4883> then running pfsense in the VM
[03:01] <tarpman> not sure how to go about that, tbh :)
[03:01] <tgm4883> Which is why I wanted to do the PCI passthrough :/
[03:01] <tgm4883> the host itself doesn't do much. It runs 1 VM (pfsense) and a few LXC containers
[03:10] <tgm4883> tarpman: some quick searching indicates that the way to do it is leave it unconfigured in the host and use macvtap passthrough
[03:11] <tarpman> tgm4883: same applies for bridging, AFAIK
[03:11] <tarpman> (to be clear, I don't have a particular preference for bridging over macvtap; just all my experience is with the former)
[03:12] <tgm4883> tarpman: yea I've got a bridge setup for the lxc containers.
[03:12] <tarpman> right. so 'iface br1 inet manual', with nics assigned as usual, would probably do as you expect
[03:13] <tarpman> bearing in mind there's nothing preventing a root process in the host configuring it
[03:14] <tgm4883> true, but I wouldn't suspect that since it's only providing those two services and running a puppet agent and check_mk agent
[03:14] <tgm4883> I suppose I could write a check_mk check to verify it stays unconfigured
[03:24] <qman> openvswitch might offer some options here, too, but I'm far from an expert on it
[06:04] <roracle> Hey guys, i'm still on 14.10, noticed it expired today, but i can't get mod_rewrite working on subdomains.  could i please get some help
[06:05] <roracle> i'll be upgrading to a newer version soon
[06:17] <Abhijit> my postfix+dovecot works well without ssl. when I enable ssl in 10-ssl.conf of dovecot I get ERROR: Connection dropped by IMAP server. I am using squirrelmail to login.
[06:24] <Abhijit> if I add imaps to /usr/share/dovecot/protocols.d/imapd.protocol like protocols = $protocols imap imaps i get syntax error and dovecot fails to restart
[06:33] <lordievader> Good morning.
[06:34] <sarnold> Abhijit: do you have any errors or warnings in the dovecot logs on the server?
[06:35] <Abhijit> sarnold, the previous issue is now solved. now i disabled imap and only enabled imaps. now i get error 111 : Connection refused
[06:35] <Abhijit> it was working when i had both of them enabled imap and imaps
[06:37] <Abhijit> sarnold, the reason for previous issue was ubuntu was using non standard syntax for ssl_cert without <
[07:13] <Pupp3tm4st3r> hi there
[07:14] <Pupp3tm4st3r> I have one question: Is it possible to create a user - ssh access AND this user has to push data into several directories
[07:14] <Pupp3tm4st3r> example: the user has to push files for webprojects into some vhost directories
[07:15] <Pupp3tm4st3r> but - the rights must fit
[07:15] <Pupp3tm4st3r> that the files will be accessible for www-data
[07:17] <sarnold> the usual approach is to put the user into a group like 'www' or 'web' or something, set the group owner on the directories to 'www' (or whatever you pick), and set the bsdgroups mount property on the filesystem (so the user doesn't have to think to change the groups..)
[07:19] <Pupp3tm4st3r> okay, thank you sarnold
[07:25] <gdi2k> what is the correct way to install grub on a degraded raid1 array?
[07:37] <Pupp3tm4st3r> so I created a user and put it into the right group for the directory - primary group - but the user cannot write
[07:37] <Pupp3tm4st3r> permission denied
[07:37] <Pupp3tm4st3r> so it seems, that the folder is only writable for the user, not the group, right?
=== Lcawte|Away is now known as Lcawte
=== lukasa is now known as lukasa_away
=== lukasa_away is now known as lukasa
[09:03] <murcha> does anyone know any clue about Vulnerability in NTP (ntpd)
[09:03] <bekks> Can you be just a bit more precise? :)
[09:05] <murcha> The vulnerability is related to the handling of NTP control messages. An attacker could cause a denial of service condition in the ntpd service by sending it a specially crafted configuration message. Remote configuration is disabled by default in ntpd.
[09:10] <bekks> murcha: And do you have a CVE entry, too?
[09:11] <murcha> bekks: ^
[09:12] <bekks> Whats the price if we guess it?
[09:13] <bekks> Or that, yes :)
[09:13] <murcha> bekks: the company has here....so they know about it
[09:14] <bekks> murcha: So what "clue" do you want, if you dont even want to tell us the CVE you are talking about?
[09:14] <murcha> bekks: im a holiday worker
[09:15] <murcha> bekks: what to do if my server is got DoS targeted ntpd?
[09:16] <bekks> You tell us the CVE you are talking about, we tell you whether there is a patch/update, you apply it.
=== lukasa is now known as lukasa_away
[09:18] <murcha> bekks: i checked ubuntu has released an update for the security issue.
[09:18] <bekks> "the issue".
[09:18] <bekks> Since there is an update, the CVE is publicly released, and it would have been no big deal to tell it.
[09:22] <murcha> i don't have ntpd in my system instead have this /etc/network/if-up.d/ntpdate
[09:34] <Daviey> smoser: Why wasn't the cloudstack/cloud-init password issue treated as a sec upload?
=== denbeiren is now known as zz_denbeiren
[11:11] <AppAraat> hello, I want to "integrate" my /home partition into the root directory. I chose to encrypt the home of my main user on the machine, but now I want to have it always unencrypted and turn that partition (not the user though!) into just a directory in /
[11:11] <AppAraat> do I have to chroot in to do that?
=== Lcawte is now known as Lcawte|Away
=== lukasa_away is now known as lukasa
=== lukasa is now known as lukasa_away
=== lukasa_away is now known as lukasa
[13:03] <smoser> Daviey, i dont know. i guess it should have been.
[13:04] <Daviey> smoser: It sounds potentially CVE worthy IMO.
=== Kully3xf is now known as thisdoescompute
[13:22] <Amillo> Hey guys, would anyone be able to point what I'm missing in here my zone file?
[13:23] <Amillo> My syslog says I'm missing a ;
[13:23] <Amillo> but I can't for the life of me see it
[13:23] <teward> "zone file"?
[13:23] <teward> and you haven't provided the file either
[13:23] <Amillo> working on that now
[13:23] <Amillo> just uploading a screenshot
[13:23] <Amillo> and named.conf.local file
[13:23] <teward> i can probably help with that
[13:24] <teward> screenshots aren't as useful as pastebins, but meh
[13:24] <Amillo> I'm not sure how to paste out of the vm
[13:24] <teward> cat zonefile | pastebinit
[13:24] <teward> gives you a link for the paste :)
[13:24] <teward> yeah use a pastebin instead
[13:24] <Amillo> thats the file
[13:24] <Amillo> I'll give that a go :)
[13:25] <teward> you may have to install pastebinit but meh
[13:25] <teward> point notwithstanding, you also haven't provided the full error message you get
[13:25] <teward> which also will help
[13:25] <Amillo> yeah was gonna do a pastebin
[13:25] <teward> Amillo: company.co.uk
[13:25] <Amillo> instead of a screenshot
[13:25] <teward> file line
[13:26] <teward> Amillo: you have mismatched quotes
[13:26] <teward> file "/etc/bind/db.company.co.uk;
[13:26] <teward> ^ you need a closing quote
[13:26] <Amillo> I've been staring at it...
[13:26] <teward> just like the other zones have
[13:26] <Amillo> for about
[13:26] <Amillo> 45 minutes
[13:26] <Amillo> and I didn't notice that....
[13:26] <teward> Amillo: it's always the tiniest things
[13:27] <Amillo> That solved all my errors aha :)
[13:27] <Amillo> when restarting bind9 I get connect failed: connection refused [OK]
[13:27] <Amillo> is this bad?
[13:28] <teward> well... does bind9 still respond?
[13:28] <teward> to queries i mean
[13:28] <teward> (I don't have all your configs so I can't say whether it is or isn't)
[13:28] <Amillo> Haven't checked yet
[13:28] <Amillo> Just that it says bind9 starts ok
[13:28] <Amillo> but also connection refused
[13:31] <Amillo> How do I check if I've set my DNS up correctly
[13:31] <Amillo> pinging company.co.uk, returns from the actual site I think
[13:32] * CiPi fucks teward in /dev/null
[13:48] <teward> Amillo: dig @ip.of.dns.server SOA one.of.the.zones
[13:49] <Pici> CiPi: Mind your language and conduct in #ubuntu channels please. See http://ubottu.com/y/gl/
[13:54] <Amillo> I've set my computer to look at my primary DNS first and done an nslookup company.co.uk
[13:54] <Amillo> and it still returns the actual one
[13:56] <Amillo> http://imgur.com/ZNX6QW0 - not all too sure what I'm looking at here, but it looks to me as though it worked?
[13:57] <CiPi> yeah pici
[13:57] <CiPi> What kind of name is this
=== Lcawte|Away is now known as Lcawte
[14:53] <hd_chro321> Today, I updated my ubuntu 14.04 use cli apt-get update && apt-get -y upgrade
[14:53] <hd_chro321> but after I update done, I found when I reboot my ubuntu 14.04 server, my golang application cannot start
[14:54] <hd_chro321> my golang application start command and package have not change, it is alike "sudo /usr/bin/mtunneld &"
[14:54] <hd_chro321> but whatever I modify start script /etc/rc.local, these golang application cannot automatic start again after I reboot my ubuntu VPS
[14:54] <hd_chro321> but I login to ubuntu 14.04 ssh console, manually run these golang application, it run ok
[14:54] <hd_chro321> I googled found none related to the problem
[14:57] <hd_chro321> I checked ubuntu 14.04 boot log, but found none error
=== lukasa is now known as lukasa_away
[15:09] <pmatulis> hd_chro321: does it start when you invoke it manually?
[15:11] <hd_chro321> pmatulis: yes when ubuntu 14.04 boot ok, I ssh login terminal, I invoke the golang application, it start ok
[15:12] <patdk-wk> something with his env variables or shell path then
[15:13] <hd_chro321> what env variables ? these cannot automatic start application is golang application
[15:14] <hd_chro321> my rc.local golang scripts all use absolute path
[15:15] <patdk-wk> and everything used by that program uses absolute path?
[15:15] <pmatulis> hd_chro321: i don't think it will help but i would first try a proper upgrade. 'apt-get dist-upgrade' will get you new packages that might need to be pulled in. 'apt-get upgrade' only upgrades existing packages
[15:17] <hd_chro321> pmatulis: sorry my ubuntu 14.04 is VPS, resource is limited, if I update use cli apt-get dist-upgrade, if it will install many newly package, so make my limit VPS too large to run
[15:18] <patdk-wk> that should never happen
[15:18] <hd_chro321> ok, I will try update use apt-get dist-upgrade, I will back a while
[15:23] <cluelessperson> hey guys, how safe is a user account that you set to tunnel only?
[15:23] <hd_chro321> my problem is still exist, after I run the apt-get dist-upgrade, I run very fast, summary report only download 24M, now I have finish upgrade and reboot, my these golang application still have not automatic start
[15:24] <cluelessperson> or is it possible to setup a user account so the only thing they can possibly do is connect a tunnel?
=== lukasa_away is now known as lukasa
[15:30] <pmatulis> hd_chro321: you will now need to enter into the troubleshooting phase. i recommend the tool 'strace'. to start: https://goo.gl/Ryo3i9
[15:32] <hd_chro321> pmatulis: I will read it
[15:33] <Guest60715> What is the correct way to allow dns port in ufw? Will it slow down the DNS performance?
[15:33] <pmatulis> hd_chro321: good luck. please report back and let us know what you discovered
[15:34] <Guest60715> I have used this rule: ufw allow 53 and had problems.  Could this be the correct command: ufw allow in 53 and ufw allow out 53 ? What else port I need to open for a Standalone production DNS cache Server?
[15:35] <hd_chro321> pmatulis: I need confirm a point, after ubuntu 14.04 boot ok, I ssh login to terminal, I run the golang application, it is run ok, if I still need debug use strace, when ubuntu 14.04 PC boot ok, the application is can run
[15:35] <Guest60715> And how do I check whether UFW logging is enabled?
[15:35] <Guest60715> Where does it log?
[15:36] <patdk-wk> why would ufw log?
[15:37] <cluelessperson> Guest60715, ufw status numbered
[15:37] <cluelessperson> Guest60715, /var/log/ufw.log
[15:39] <Guest60715> cluelessperson: Could this be the correct command: ufw allow in 53 and ufw allow out 53 ? What else port I need to open for a Standalone production DNS cache Server?
[15:41] <pmatulis> hd_chro321: the idea is to use strace wherever the program does not run properly. in your case it will be from /etc/rc.local
[15:41] <Guest60715> I've enabled UFW Logging. Now Ufw is logging something like this : Jul 24 21:10:02 dns kernel: [ 2341.934090] [UFW BLOCK] IN=eth0 OUT= MAC=33:33:00:00:00:01:4c:5e:0c:54:a7:3f:86:dd SRC=fe80:0000:0000:0000:4e5e:0cff:fe54:a73f DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=171 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=UDP SPT=5678 DPT=5678 LEN=131
[15:41] <hd_chro321> pmatulis: ok I will try
=== thisdoescompute is now known as kully3xf
[15:41] <Guest60715> Why it logging something like that^ ?
[15:41] <pmatulis> hd_chro321: it would be good to get an strace output for both cases however. a comparison may illuminate
[15:41] <pmatulis> (both cases: working and not-working)
[15:42] <hd_chro321> pmatulis: ok I got it
[15:42] <Guest60715> Do you suggest that removing ufw and using plain iptables to create rules is a good idea?
[15:43] <patdk-wk> that is just the kernel logging, ufw doesn't log
[15:43] <patdk-wk> ufw is a *tool* to load up rules into iptables
[15:44] <patdk-wk> if you want to log differently, use like, ulog
[15:44] <patdk-wk> no idea how to use ulog in ufw though
[15:47] <Guest60715> patdk-wk: So, when i run: ufw logging off, Im actually telling the kernel to stop logging?
[15:48] <patdk-wk> you're telling iptables to stop logging
[15:48] <patdk-wk> and iptables log module uses the kernel
[15:48] <patdk-wk> unless you override it with nlog or ulog
[15:52] <jdstrand> ufw doesn't support ulog
[15:52] <jdstrand> because ulog doesn't exist for ipv6
[15:52] <ogra_> cant be, they both start with u
[15:52] <Guest60715> patdk-wk: is shorewall a frontend of Iptables too? Or it directly communicates with Netfilter?
[15:53] <patdk-wk> everything is a frontend
[15:53] <patdk-wk> ufw is directly iptables
[15:54] <patdk-wk> shorewall is a generator though
[15:54] <Guest60715> What is a Generator? Is it like Firewall Builder?
[15:54] <Guest60715> Which used to create firewall rules?
[15:54] <patdk-wk> kindof, but firewallbuilder is simple
[15:55] <patdk-wk> shorewall will take what you want, and compile results, depending on what you want, rules, nat, masq, traffic shaping, and what firewall modules are installed
[15:55] <Guest60715> oh. If iptables is that important why Im able to remove it? If I remove it, will the server go broke?
[15:55] <patdk-wk> no, you just won't have a firewall
[15:56] <jrwren> you won't have the iptables userspace command. iptables is still a feature in the kernel.
[15:56] <patdk-wk> I assumed he was removing the modules :)
[15:56] <Guest60715> Ok, the netfilter module which actually does the filtering will stop working then.
[15:56] <jrwren> oh, right, sorry.
[15:56] <patdk-wk> it just won't filter
[15:57] <patdk-wk> I have many servers without netfilter loaded on them
[15:57] <Guest60715> Do you needed to compile the kernel to remove the netfilter from those?
[15:57] <patdk-wk> if it's compiled in, you would
=== markthomas|away is now known as markthomas
[15:58] <Guest60715> In default Ubuntu Server its precompiled I think. Will removing the netfilter enhance the responsiveness of the processes like Bind9?
[15:58] <patdk-wk> it would
[15:59] <patdk-wk> but it would be unmeasurable compared to bind itself
[15:59] <patdk-wk> or you have a really really horrible ruleset loaded
[15:59] <Guest60715> what are the attack surface that I should remove in a DNS server to run it without a firewall.
[16:00] <Guest60715> First one I guess is ssh.
[16:00] <patdk-wk> how many gigabits of dns traffic are you planning on doing?
[16:01] <Guest60715> not GB/s, only 500 pps at max.
[16:01] <patdk-wk> why are you worried about 500pps?
[16:05] <Guest60715> I will be back later patdk-wk , this is the screen name- Capprentice. Right now I have to go.
[16:05] <Guest60715> I will be back with that Screen name.
[16:23] <Amillo> hey guys, is there any obvious reasons why my nslookup would return the IP address - but also the server as a loopback
[16:25] <patdk-wk> shouldn't it?
[16:26] <Amillo> it does work
[16:26] <hd_chro321> pmatulis: I found my question root cause, it is caused by rc2.d a new installed proxy application have not add & background running, result in all rc2.d process stop running, so also include all the golang application
[16:26] <Amillo> It's just not saying that it came from my server
[16:27] <hd_chro321> pmatulis: now my all application start ok, include all golang application
[16:27] <pmatulis> hd_chro321: there you go. did strace help?
[16:28] <hd_chro321> pmatulis: I added strace script, but the script have not redirect output, so I find deeper, I find the root cause
[16:28] <hd_chro321> pmatulis: the rc.local script have not run
=== Lcawte is now known as Lcawte|Away
[16:31] <hd_chro321> pmatulis: thank you and others, give me important tips, my question resolved, thanks
=== Lcawte|Away is now known as Lcawte
=== lukasa is now known as lukasa_away
=== lukasa_away is now known as lukasa
=== Lartza is now known as TheRealBronsky
=== TheRealBronsky is now known as Lartza
[16:58] <pcleon> hello everyone
=== balloons_ is now known as balloons
=== balloons39 is now known as balloons
[18:17] <mailserver> does anyone know of any services out there that will walk me through setting up a mail server
[18:17] <mgz> mailserver: you already appear to be one
=== admcleod- is now known as admcleodafk
[18:18] <mailserver> a not very good one
[18:18] <genii> mailserver: You mean for instance a web hosting company that has decent documentation for such things?
[18:20] <mailserver> ive been walking myself through the various different tutorials on the web and havent had any success yet so a support center or something of that nature that can help me figure out what im doing wrong
[18:21] <patdk-wk> a mail server is one of the most complex things to setup
[18:21] <genii> If just for a home server with Ubuntu Server, the normal documentation is usually pretty good. https://help.ubuntu.com/lts/serverguide/postfix.html  for the Postfix install walkthrough, for instance
[18:23] <mailserver> its for a business trying to transfer mail to an encryption service and their email provider doesnt offer a smart host so they need a mail server to send their outgoing mail to the third party
[18:23] <mailserver> and im currently in the middle of the normal documentation i got linked that last night
[18:29] <JanC> if you only need it for outgoing mail, that's like the easiest possible configuration for Postfix?
[18:30] <pmatulis> mailserver: i don't understand "business wants to send email to an encryption service". explain that
[18:33] <mailserver> instead of smtp to their mail provider they want to smtp to a third party which encrypts their mail.
[18:33] <mailserver> i might just be making a silly mistake i don't know
[18:34] <patdk-wk> janc, easiest to configure in *postfix* yes
[18:34] <genii> They can't just change the mail entry of their dns records to point to the third party machine?
[18:34] <patdk-wk> but hardest to make work
[18:34] <patdk-wk> due to dns, naming, dkim, spf, ....
[18:35] <mailserver> their mail provider doesnt provide a smart host so no
[18:35] <patdk-wk> what is a smart host?
[18:36] <JanC> "smart host" refers to receiving mail normally?
[18:36] <JanC> well, both
[18:36] <patdk-wk> normally smarthost is a sendmail config option to redirect to an msa
[18:36] <JanC> it goes back to dial-up times
[18:36] <patdk-wk> instead of doing direct delivery
[18:37] <JanC> so incoming mail got received by your ISP until you dialled in
[18:37] <patdk-wk> but really, dont understand the issue
[18:37] <patdk-wk> you don't direct mail provider to use other mail provider
[18:37] * genii sips his coffee and thinks about putting .forward files in the skel directory
[18:37] <patdk-wk> you just change yourself to not use provider1, and to use provider2
[18:38] <mailserver> the mail provider we are using wont allow mail to go to a different server even if the dns record are changed the host destination needs to be changed and they wont let that happen on their server
[18:39] <patdk-wk> so we are not talking about smarthost or outgoing mail at all
[18:39] <mailserver> no we are
[18:39] <patdk-wk> dns has nothing to do with outgoing or smarthost
[18:39] <patdk-wk> only incoming
[18:39] <mailserver> any records wont affect it
[18:40] <patdk-wk> mx is ONLY used for incoming
[18:40] <patdk-wk> not smarthost or outgoing
[18:40] <mailserver> well i mean to be talking about outgoing
[18:40] <patdk-wk> yes, and mx doesn't matter
[18:40] <patdk-wk> and what either provider does, doesn't matter
[18:40] <patdk-wk> so your issue, is not an issue
[18:40] <patdk-wk> if you are talking about mx, (incoming), then yes, it is an issue
[18:41] <mailserver> it is an issue because it doesnt work
[18:41] <patdk-wk> and the only solution is to get a mail provider that actually does email correctly
[18:41] <patdk-wk> the issue currently is, you don't understand enough about email to explain what doesn't work though
[18:41] <mailserver> thats also true
[18:42] <patdk-wk> first thing you need to do
[18:42] <patdk-wk> is map the path an email takes
[18:42] <JanC> maybe the issue is that their mail provider1 uses DKIM/SPF/etc. and sending mail through (encryption) provider2 gets blocked?
[18:42] <patdk-wk> that is having the issue
[18:42] <patdk-wk> that is a simple dns config change
[18:42] <patdk-wk> nothing to do with the mail provider
[18:42] <JanC> unless mail provider "owns" their DNS  :P
[18:43] <patdk-wk> if provider won't *update* those dns entries
[18:43] <patdk-wk> then you have big issues with provider
[18:43] <patdk-wk> but so far, it sounds like, don't know what we want, to asking provider to do random things
[18:44] <patdk-wk> and provider properly responds with, but that won't work
[18:44] <mailserver> the provider doesnt allow us to put in a relay host
[18:44] <patdk-wk> they shouldn't
[18:44] <patdk-wk> that is the wrong solution to whatever it is you're attempting
[18:44] <mailserver> im just explaining it wrong but that is what i need
[18:45] <patdk-wk> no, that is not what is needed
[18:45] <patdk-wk> that is what is needed if you handled email inhouse
[18:45] <patdk-wk> and you owned the servers
[18:45] <patdk-wk> it would be the most simple way to solve the issue
[18:45] <patdk-wk> but since you don't
[18:45] <mailserver> thats what im trying to do
[18:45] <patdk-wk> it won't work
[18:46] <mailserver> why wont it work
[18:46] <patdk-wk> the solution to bring email inside and do it yourself, or to make the changes needed
[18:46] <patdk-wk> are the same
[18:46] <patdk-wk> every single thing that *sends* email, will need to be changed
[18:46] <patdk-wk> currently they point to provider1, and now need to point to provider2
[18:47] <patdk-wk> if you had email setup inhouse, then just setting relayhost to provider2 would do the same result
[18:47] <patdk-wk> assuming everything was configured to send email to the inhouse mail server
[18:48] <patdk-wk> so not only do you have to setup a mail relay (msa)
[18:48] <patdk-wk> you also have to set it up to do encryption
[18:48] <patdk-wk> and handle user logins, and actually supply it with a user/password database to check those users against
[18:49] <patdk-wk> hopefully that can be done, considering it exists at provider1 currently
[18:49] <mailserver> provider 1 doesnt allow us to point to provider 2 so it has to be done inhouse to work around provider 1
[18:53] <mailserver> and like you pointed out earlier i am not knowledgeable enough to figure out the probably simple mistakes im making and am wondering if there is a service somewhere on the Internet where i can pay some support people and get some help setting it up
[18:55] <JanC> mailserver: your local IT company?
[18:55] <mailserver> i am the local IT company I don't do mail servers very often
[18:59] <teward> with postfix, i have virtual mail aliases set up so i can have email@somedomain.tld forward to one address, and email2@otherdomain.tld to forward to another address.  Is there any way to set up SSL/Secure communication on both incoming to the postfix server and outgoing to the destinations
[18:59] <teward> or is that just insane with the type of configuration i'm trying to achieve
[19:04] <tarpman> teward: sounds doable. for the server cert (incoming), if people call your server by different names (mail.somedomain.tld and mail.otherdomain.tld), then you need (AFAIK) a single cert with all the names in subjectAltNames
[19:04] <teward> that'll be painful :/
[19:04] <teward> that's 8 domains, i'd need a multidomain cert
[19:04] <tarpman> teward: but if the MX for otherdomain.tld is just mail.somedomain.tld then easy
[19:05] <teward> tarpman: which isn't the case here, the first statement is the current case
[19:05] <teward> can easily change it if i have to though, the lovely thing about running my own DNS
[19:05] <tarpman> as far as I understand, your options are a multi-domain cert, or an nginx proxy
[19:05] * teward shivers
[19:05] <tarpman> (and hope all the clients support SNI)
[19:05] <teward> tarpman: what about the other side, the mail server -> other mailservers
[19:06] <teward> handled by the same set of certs?
[19:06] <tarpman> I think that's fairly straightforward. I have it working, but didn't really have to do it myself -- zimbra configures my postfix for me :)
[19:06] <tarpman> but all the servers I talk to have certs the system trusts, so no special setup
=== lukasa is now known as lukasa_away
[19:33] <tonyyarusso> teward: Yup, you need a multi-domain cert - have fun forking over some cash.
[19:34] <teward> tonyyarusso: yeah blargh i think i'll just leave it unencrypted and PGP-encrypt messages that need to be securely sent
=== Guest11931 is now known as clueless
[19:35] <tonyyarusso> teward: I'm waiting to see what SAN capabilities Let's Encrypt has in September.
[19:36] <clueless> if i setup a server following the help tutorial step by step and when i telnet it times out what could be my issues
[19:38] <clueless> ive changed the default port to 80 instead of 25 since 25 tends to be blocked
[19:38] <genii> router port forwarding, firewall
[19:38] <clueless> disabled my firewall completely
[19:40] <genii> If you have access to the physical machine see if telnet to localhost or works first
[19:41] <genii> clueless: Are you using telnet as a diagnostic tool for your email setup, or are you just using it as telnet but on 25 or 80,
=== zz_denbeiren is now known as denbeiren
[19:42] <genii> Check in /var/log/mail.log
=== lukasa_away is now known as lukasa
[19:52] <genii> clueless: Find anything enlightening in the log?
[19:53] <clueless> yeah im getting a dovecot fatal error missing file
[19:53] <clueless> dovecot: master: Fatal: service(auth) access(/usr/lib/dovecot/dovecot-auth) failed: No such file or directory
=== lukasa is now known as lukasa_away
[20:04] <clueless> can you test a relay host with any isp?
[20:05] <clueless> that i have access to
[20:05] <sarnold> email doesn't work like it used to -- you can't realistically expect any mail server to relay your mail for you like you could 25 years ago
[20:06] <clueless> its an inhouse server
[20:06] <sarnold> relays are typically used within one organization, and their working details are mostly not important to senders ...
[20:06] <sarnold> ah, good
[20:07] <patdk-lap> teward, you know, requiring and enforcing smtp to be ssl/tls while sounds like a good idea
=== lukasa_away is now known as lukasa
[20:07] <patdk-lap> doesn't solve ANY of the issues pgp email protects
[20:11] <genii> clueless: sudo touch /usr/lib/dovecot/dovecot-auth && sudo chmod 755 /usr/lib/dovecot/dovecot-auth & sudo chown dovecot:dovecot /usr/lib/dovecot/dovecot-auth
[20:12] <genii> Apologies on lag, work required me for an extended period
[20:12] <patdk-lap> why would you do all of that?
[20:13] <patdk-lap> I really don't understand how an empty file will replace a program
[20:13] <sarnold> what exactly is an empty executable going to do? :)
[20:13] <patdk-lap> heh, what do we know
[20:14] <sarnold> I'm constantly amazed at what I don't know :)
[20:14] <tarpman> probably equivalent to /bin/true
[20:15] <patdk-lap> it's not parsable
[20:15] <patdk-lap> hmm, looks like bash treats it that way at least
[20:17] <tarpman> may or may not be applicable in the dovecot case above, depending on whether there's a shell involved
[20:20] <teward> patdk-lap: oh, indeed, but given my current setup i'mma need a multidomain cert
[20:20] <teward> unless i repoint MX to one domain
[20:21] <patdk-lap> ya, they should always be pointed to one hostname in the mx
[20:22] <patdk-lap> even if pointed to different names and using different certs or a multicert
[20:22] <patdk-lap> it will be impossible to know what helo name you should be responding with
[20:27] <patdk-lap> but pretty much, any server that cares, is misconfigured, but they do exist
=== Lcawte is now known as Lcawte|Away
=== Lcawte|Away is now known as Lcawte