/srv/irclogs.ubuntu.com/2015/07/24/#ubuntu-server.txt

homecable	whats the best way to raid 1 mirror with linux	00:21
teward	i feel dirty... i'm setting up a centos 7 VM >.<	00:49
teward	i feel like i'm betraying Ubuntu :	00:49
teward	:? *	00:49
=== markthomas is now known as markthomas\|away
=== xar is now known as xar-
sarkis	hmm is there soemthign wrong with the libc package?	01:30
sarkis	STDERR: E: Failed to fetch http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-libc-dev_3.13.0-57.95_amd64.deb 404 Not Found	01:30
sarkis	anyone know if theres something up with linux-libc-dev_3.13.0-57.95_amd64.deb	01:34
sarkis	seems to be throwing errors on multiple mirrors?	01:34
teward	sarkis: sure it wasn't superseded?	01:35
sarkis	hmmm i see what this is	01:35
teward	because it doesn't show up there when you navigate to the mirror itself in a web browser	01:35
sarkis	ya need an apt-get update	01:36
sarkis	fuck	01:36
teward	!language	01:36
ubottu	The main Ubuntu channels require that you speak in calm, polite English. For other languages, please visit https://wiki.ubuntu.com/IRC/ChannelList	01:36
patdk-lap	it's a normal part of human behavior	01:45
teward	CurrentToleranceLevel() = 0.0004	01:47
teward	i think ineed sleep	01:47
tgm4883	Trying to enable pci passthrough to one of my libvirt vm's on my 14.04 host, I'm getting this error when I try to start the machine "Error starting domain: unsupported configuration: host doesn't support passthrough of host PCI devices"	02:47
qman	Unless its some obscure bug, its exactly what it says	02:47
tgm4883	I've added intel_iommu=on to my grub line and kvm-ok says that kvm acceleration can be used, which IIRC means that I've got the vt-d extensions	02:48
tgm4883	qman: what else is needed?	02:48
qman	If you expect your hardware to have this capability, check the bios settings to make sure its enabled for the device you're trying to use	02:48
tarpman	tgm4883: kvm just needs vt, vt-d is an additional feature and usually a separate bios setting	02:48
tgm4883	ah	02:49
tgm4883	any way to verify I have that without going into the bios? The box is in a closet and I'd have to hook up a keyboard and monitor	02:49
qman	Manufacturer documentation to check if it has that feature	02:50
qman	No way to enable it without doing that, though	02:50
tgm4883	fair enough, i'll look though documentation	02:50
qman	Beyond just trying it of course, which isn't working	02:51
tarpman	tgm4883: dmesg \| grep -i dmar might be a clue, based on http://www.linux-kvm.org/page/How_to_assign_devices_with_VT-d_in_KVM	02:54
tarpman	tgm4883: my laptop which has VT-d prints a dmar: line (even though it's disabled in bios), while a server that lacks it does not	02:54
tgm4883	tarpman: I'm thinking mine does not. I don't see it listed on the ARK page for my processor	02:55
tarpman	too bad	02:56
tgm4883	yep, looks it was added in teh Nahalem family, which my processor is 2 behind that :(	02:57
tgm4883	So plan B I guess. See if I can segregate a NIC to only be used by a particular guest	02:57
tarpman	easy, just make a(nother) bridge backed by only that if, point the guest at it	02:59
tgm4883	tarpman: that makes sense, I've got to lock it down a bit from the host to, as I was planning on connecting this NIC directly to my cable modem	03:00
tgm4883	then running pfsense in the VM	03:00
tarpman	interesting	03:01
tarpman	not sure how to go about that, tbh :)	03:01
tgm4883	Which is why I wanted to do the PCI passthrough :/	03:01
tgm4883	the host itself doesn't do much. It runs 1 VM (pfsense) and a few LXC containers	03:01
tgm4883	tarpman: some quick searching indicates that the way to do it is leave it unconfigured in the host and use macvtap passthrough	03:10
tarpman	tgm4883: same applies for bridging, AFAIK	03:11
tarpman	(to be clear, I don't have a particular preference for bridging over macvtap; just all my experience is with the former)	03:11
tgm4883	tarpman: yea I've got a bridge setup for the lxc containers.	03:12
tarpman	right. so 'iface br1 inet manual', with nics assigned as usual, would probably do as you expect	03:12
tarpman	bearing in mind there's nothing preventing a root process in the host configuring it	03:13
tgm4883	true, but I wouldn't suspect that since it's only providing those two services and running a puppet agent and check_mk agent	03:14
tgm4883	I suppose I could write a check_mk check to verify it stays unconfigured	03:14
qman	openvswitch might offer some options here, too, but I'm far from an expert on it	03:24
roracle	Hey guys, i'm still on 14.10, noticed it expired today, but i can't get mod_rewrite working on subdomains. could i please get some help	06:04
roracle	i'll be upgrading to a newer version soon	06:05
Abhijit	Hi	06:16
Abhijit	my potfix+dovecot works well without ssl. when I enable ssl in 10-ssl.conf of dovecot I get ERROR: Connection dropped by IMAP server. I am using squirrelmail to login.	06:17
Abhijit	if I add imaps to /usr/share/dovecot/protocols.d/imapd.protocol like protocols = $protocols imap imaps i get syntax error and dovecot fails to restart	06:24
lordievader	Good morning.	06:33
sarnold	Abhijit: do you have any errors or warnings in the dovecot logs on the server?	06:34
Abhijit	sarnold, the previous issue is now solved. not i disabled imap and only enabled imaps. now i get error 111 : Connection refused	06:35
Abhijit	it was working when i had both of them enabled imap and imaps	06:35
Abhijit	sarnold, the reason for previous issue was ubuntu was using non standard syntax for ssl_cert without <	06:37
Pupp3tm4st3r	hi there	07:13
Pupp3tm4st3r	I have one question: Is it possible to create a user - ssh access AND this user has to push data into several directories	07:14
Pupp3tm4st3r	example: the user has to push files for webprojects into some vhost directories	07:14
Pupp3tm4st3r	but - the rights must fit	07:15
Pupp3tm4st3r	that the files will be accessible for www-data	07:15
sarnold	the usual approach is to put the user into a group like 'www' or 'web' or something, set the group owner on the directories to 'www' (or whatever you pick), and set the bsdgroups mount property on the filesystem (so the user doesn't have to think to change the groups..)	07:17
Pupp3tm4st3r	okay, thank you sarnold	07:19
gdi2k	what is the correct way to install grub on a degraded raid1 array?	07:25
Pupp3tm4st3r	so I created a user and put it into the right group for the directory - primary group - but the user cannot write	07:37
Pupp3tm4st3r	permission denied	07:37
Pupp3tm4st3r	so it seams, that the folder is only writable for the user, not the group, right?	07:37
Pupp3tm4st3r	*seems	07:37
=== Lcawte\|Away is now known as Lcawte
=== lukasa is now known as lukasa_away
=== lukasa_away is now known as lukasa
murcha	does anyone now any clue about Vulnerability in NTP (ntpd)	09:03
bekks	Can you be just a bit more precise? :)	09:03
murcha	The vulnerability is related to the handling of NTP control messages. An attacker could cause a denial of service condition in the ntpd service by sending it a specially crafted configuration message. Remote configuration is disabled by default in ntpd.	09:05
bekks	murcha: And do you have a CVE entry, too?	09:10
murcha	yes	09:11
murcha	bekks: ^	09:11
bekks	Cool.	09:12
bekks	Whats the price if we guess it?	09:12
ObrienDave	prize?	09:12
bekks	Or that, yes :)	09:13
murcha	bekks: the company has here....so they know about it	09:13
bekks	murcha: So what "clue" do you want, if you dont even want to tell us the CVE you are talking about?	09:14
murcha	bekks: im a holiday worker	09:14
murcha	bekks: what to do if my server is got DoS targeted ntpd?	09:15
bekks	You tell us the CVE you are talking about, we tell you wether there is a patch/update, you apply it.	09:16
=== lukasa is now known as lukasa_away
murcha	bekks: i checked ubuntu has released an update for the security issue.	09:18
bekks	"the issue".	09:18
bekks	Since there is an update, the CVE is plublically released, and it would have been no big deal to tell it.	09:18
murcha	i don't have ntpd in my system instead have this /etc/network/if-up.d/ntpdate	09:22
Daviey	smoser: Why wasn't the cloudstack/cloud-init password issue treated as a sec upload?	09:34
=== denbeiren is now known as zz_denbeiren
AppAraat	hello, I want to "integrate" my /home partition into the root directory. I chose to encrypt the home of my main user on the machine, but now I want to have it always unencrypted and turn that partition (not the user though!) into just a directory in /	11:11
AppAraat	do I have to chroot in to do that?	11:11
=== Lcawte is now known as Lcawte\|Away
=== lukasa_away is now known as lukasa
=== lukasa is now known as lukasa_away
=== lukasa_away is now known as lukasa
smoser	Daviey, i dont know. i guess it should have been.	13:03
Daviey	smoser: It sounds potentially CVE worthy IMO.	13:04
=== Kully3xf is now known as thisdoescompute
Amillo	Hey guys, would anyone be able to point what I'm missing in here my zone file?	13:22
Amillo	My syslog says I'm missing a ;	13:23
Amillo	but I can't for the life of my see it	13:23
teward	"zone file"?	13:23
teward	and you haven't provided the file either	13:23
Amillo	working on that now	13:23
Amillo	just uploading a screenshot	13:23
Amillo	and named.conf.local file	13:23
teward	oh	13:23
teward	i can probably help with that	13:23
teward	screenshots aren't as useful as pastebins, but meh	13:24
Amillo	I'm not sure how to paste out of the vm	13:24
teward	cat zonefile \| pastebinit	13:24
Amillo	http://imgur.com/2fbmjVb	13:24
teward	gives you a link for the paste :)	13:24
teward	yeah use a pastebin instead	13:24
Amillo	thats the file	13:24
Amillo	Right	13:24
Amillo	I'll give that a go :)	13:24
teward	you may have to install pastebinit but meh	13:25
teward	point not withstanding, you also haven't provided the full error message you get	13:25
teward	which also will help	13:25
teward	oh	13:25
Amillo	yeah was gonna do a pastebin	13:25
teward	Amillo: company.co.uk	13:25
Amillo	instead of a screenshot	13:25
teward	file line	13:25
teward	Amillo: you have mismatched quotes	13:26
teward	file "/etc/bind/db.company.co.uk;	13:26
teward	^ you need a closing quote	13:26
Amillo	I've been stairing at it...	13:26
teward	just like the other zones have	13:26
Amillo	for about	13:26
Amillo	45 minutes	13:26
Amillo	and I didn't notice that....	13:26
teward	Amillo: it's always the tiniest things	13:26
teward	:P	13:26
Amillo	That solved all my errors aha :)	13:27
teward	:P	13:27
Amillo	when restarting bind9 I get connect failed: 127.0.0.1#953: connection refused [OK]	13:27
Amillo	is this bad?	13:27
teward	well... does bind9 still respond?	13:28
teward	to queries i mean	13:28
teward	(I don't have all your configs so I can't say whether it is or isn't)	13:28
Amillo	Haven't checked yet	13:28
Amillo	Just that it says binding9 starts ok	13:28
Amillo	but also connection refused	13:28
Amillo	How do I check if I've set my DNS up correctly	13:31
Amillo	pinging company.co.uk, returns from the actual site I think	13:31
* CiPi fucks teward in /dev/null		13:32
teward	Amillo: dig @ip.of.dns.server SOA one.of.the.zones	13:48
Pici	CiPi: Mind your language and conduct in #ubuntu channels please. See http://ubottu.com/y/gl/	13:49
Amillo	I've set my computer to look at my primary DNS first and done an nslookup company.co.uk	13:54
Amillo	and it still returns the actual one	13:54
Amillo	http://imgur.com/ZNX6QW0 - not all too sure what I'm looking at here, but it looks to me as though it worked?	13:56
CiPi	yeah pici	13:57
CiPi	What kind of name is this	13:57
=== Lcawte\|Away is now known as Lcawte
hd_chro321	hello,everyone	14:53
hd_chro321	Today, I updated my ubuntu 14.04 use cli apt-get update && apt-get -y upgrade	14:53
hd_chro321	but after I update done, I found when I reboot my ubuntu 14.04 server, my golang application cannot start	14:53
hd_chro321	my golang application start command and package have not change, it is alike "sudo /usr/bin/mtunneld &"	14:54
hd_chro321	but whatever I modify start script /etc/rc.local, these golang application cannot automatic start again after I reboot my ubuntu VPS	14:54
hd_chro321	but I login to ubuntu 14.04 ssh console, manually run these golang application, it run ok	14:54
hd_chro321	I googled found none related to the problem	14:54
hd_chro321	I checked ubuntu 14.04 boot log, but found none error	14:57
=== lukasa is now known as lukasa_away
pmatulis	hd_chro321: does it start when you invoke it manually?	15:09
hd_chro321	pmatulis:yes when ubuntu 14.04 boot ok, I ssh login terminal, I invoke the golang application, it start ok	15:11
patdk-wk	somehting with his env variables or shell path then	15:12
hd_chro321	what evn variables ? these cannot automatic start application is golang application	15:13
hd_chro321	my rc.local golang scripts all use absolute path	15:14
patdk-wk	and everything used by that program uses absolute path?	15:15
pmatulis	hd_chro321: i don't think it will help but i would first try a proper upgrade. 'apt-get dist-upgrade' will get you new packages that might need to be pulled in. 'apt-get upgrade' only upgrades existing packages	15:15
hd_chro321	pmatulis: sorry my ubuntu 14.04 is VPS, resource is limited, if I update use ci apt-get dist-upgrade, if it will install many newly package, so make my limit VPS too large to run	15:17
patdk-wk	that should never happen	15:18
hd_chro321	ok, I will try update use apt-get dist-upgrade, I will back a while	15:18
cluelessperson	hey guys, how safe is a user account that you set to tunnel only?	15:23
hd_chro321	my problem is still exist, after I run the apt-get dist-upgrade, I run very fast, summary report only download 24M, now I have finish upgrade and reboot, my these golang application still have not automatic start	15:23
cluelessperson	or is it possible to setup a user account so the only thing they can possibly do is connect a tunnel?	15:24
=== lukasa_away is now known as lukasa
pmatulis	hd_chro321: you will now need to enter into the troubleshooting phase. i recommend the tool 'strace'. to start: https://goo.gl/Ryo3i9	15:30
hd_chro321	pmatulis:I will read it	15:32
Guest60715	What is the correct way to allow dns port in ufw? Will it slow down the DNS performance?	15:33
pmatulis	hd_chro321: good luck. please report back and let us know what you discovered	15:33
Guest60715	I have used this rule: ufw allow 53 and had problems. Could this be the correct command: ufw allow in 53 and ufw allow out 53 ? What else port I need to open for a Standanone production DNS cache Server?	15:34
hd_chro321	pmatulis:I need confirm a point, after ubuntu 14.04 boot ok, I ssh login to terminal, I run the golang application, it is run ok, if I still need debug use strace, when ubuntu 14.04 PC boot ok, the application is can run	15:35
Guest60715	And how do I check whether UFW loggin is enabled?	15:35
Guest60715	Where does it log?	15:35
patdk-wk	why would ufw log?	15:36
cluelessperson	Guest60715, ufw status numbered	15:37
cluelessperson	Guest60715, /var/log/ufw.log	15:37
Guest60715	cluelessperson: Could this be the correct command: ufw allow in 53 and ufw allow out 53 ? What else port I need to open for a Standanone production DNS cache Server?	15:39
pmatulis	hd_chro321: the idea is to use strace wherever the program does not run properly. in your case it will be from /etc/rc.local	15:41
Guest60715	I've enabled UFW Logging. Now Ufw is logging something like this : Jul 24 21:10:02 dns kernel: [ 2341.934090] [UFW BLOCK] IN=eth0 OUT= MAC=33:33:00:00:00:01:4c:5e:0c:54:a7:3f:86:dd SRC=fe80:0000:0000:0000:4e5e:0cff:fe54:a73f DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=171 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=UDP SPT=5678 DPT=5678 LEN=131	15:41
hd_chro321	pmatulis: ok I will try	15:41
=== thisdoescompute is now known as kully3xf
Guest60715	Why it logging something like that^ ?	15:41
pmatulis	hd_chro321: it would be good to get an strace output for both cases however. a comparison may illuminate	15:41
pmatulis	(both cases: working and not-working)	15:41
hd_chro321	pmatulis: ok I got it	15:42
Guest60715	Do you suggest that removing ufw and using plaing iptables to create rules is a good idea?	15:42
patdk-wk	that is just the kernel logging, ufw doesn't log	15:43
patdk-wk	ufw is a tool to load up rules into iptables	15:43
patdk-wk	if you want to log differently, use like, ulog	15:44
patdk-wk	no idea how to use ulog in ufw though	15:44
Guest60715	patdk-wk: So, when i run: ufw logging off, Im actually telling the kernel to stop logging?	15:47
patdk-wk	no	15:48
patdk-wk	your telling iptables to stop logging	15:48
patdk-wk	and iptables log module uses the kernel	15:48
patdk-wk	unless you override it with nlog or ulog	15:48
Guest60715	ok.	15:49
jdstrand	ufw doesn't support ulog	15:52
jdstrand	because ulog doesn't exist for ipv6	15:52
ogra_	cant be, they both start with u	15:52
Guest60715	patdk-wk: is shorewall a frontend of Iptables too? Or it directly communicates with Netfilter?	15:52
patdk-wk	everything is a frontend	15:53
patdk-wk	ufw is directly iptables	15:53
patdk-wk	shorewall is a generator though	15:54
Guest60715	What is a Generator? Is it like Firewall Builder?	15:54
Guest60715	Which used to create firewall rules?	15:54
patdk-wk	kindof, but firewallbuilder is simple	15:54
patdk-wk	shorewall will take what you want, and compile results, depending on what you want, rules, nat, masq, traffic shaping, and what firewall modules are installed	15:55
Guest60715	oh. If iptables is that important why Im able to remove it? If I remove it, will the server go broke?	15:55
patdk-wk	no, you just won't have a firewall	15:55
jrwren	you won't have the iptables userspace command. iptables is still a feature in the kernel.	15:56
patdk-wk	I assumed he was removing the modules :)	15:56
Guest60715	Ok, the netfilter module which actually does the filtering will stop working theb.	15:56
jrwren	oh, right, sorry.	15:56
patdk-wk	it just won't filter	15:56
patdk-wk	I have many servers without netfilter loaded on them	15:57
Guest60715	Do you needed to compile the kernel to remove the netfilter from those?	15:57
patdk-wk	if it's compiled in, you would	15:57
=== markthomas\|away is now known as markthomas
Guest60715	In default Ubuntu Server its precompiled I think. Will removing the netfilter enhance the resposiveness of the processes like Bind9?	15:58
patdk-wk	it would	15:58
patdk-wk	but it would be unmeasurable compared to bind itself	15:59
patdk-wk	or you have a really really horrible ruleset loaded	15:59
Guest60715	what are the attack surface that I should remove in a DNS server to run it without a firewall.	15:59
Guest60715	First one I guess is ssh.	16:00
patdk-wk	how many gigabits of dns traffic are you planning on doing?	16:00
Guest60715	not GB/s, only 500 pps at max.	16:01
patdk-wk	why are you worried about 500pps?	16:01
Guest60715	I will be back later patdk-wk , this is the screen name- Capprentice. Right now I have to go.	16:05
Guest60715	I will be back with that Screen name.	16:05
Amillo	hey guys, is there any obvious reasons why my nslookup would return the IP address - but also the server as a loopback	16:23
patdk-wk	shouldn't it?	16:25
Amillo	it does work	16:26
hd_chro321	pmatulis:I found my question root cause, it is caused by rc2.d a new installed proxy application havenot add & background running, result in all rc2.d process stop running, so also include all the golang application	16:26
Amillo	It's just not saying that it came from my server	16:26
hd_chro321	pmatulis:now my all application start ok, include all golang application	16:27
pmatulis	hd_chro321: there you go. did strace help?	16:27
hd_chro321	pmatulis: I added strace script, but the script havenot redirect output, so I find deeper, I find the root cause	16:28
hd_chro321	pmatulis:the rc.local script havenot run	16:28
=== Lcawte is now known as Lcawte\|Away
hd_chro321	pmatulis: thank you and others, give me important tips, my question resolved, thanks	16:31
=== Lcawte\|Away is now known as Lcawte
=== lukasa is now known as lukasa_away
=== lukasa_away is now known as lukasa
=== Lartza is now known as TheRealBronsky
=== TheRealBronsky is now known as Lartza
pcleon	hello everyone	16:58
=== balloons_ is now known as balloons
=== balloons39 is now known as balloons
pmatulis	hello	17:47
mailserver	does anyone know of any serveces out there that will walk me through setting up a mail server	18:17
mailserver	services	18:17
mgz	mailserver: you already appear to be one	18:17
=== admcleod- is now known as admcleodafk
mailserver	a not very good one	18:18
genii	mailserver: You mean for instance a web hosting company that has decent documentation for such things?	18:18
mailserver	ive been walking myself through the various different tutorials on the web and havent had any success yet so a support center or something of that nature that can help me figure out what im doing wrong	18:20
patdk-wk	a mail server is one of the most complex things to setup	18:21
genii	If just for a home server with Ubuntu Server, the normal documentation is usually pretty good. https://help.ubuntu.com/lts/serverguide/postfix.html for the Postfix install walkthrough, for instance	18:21
mailserver	its for a business trying to transfer mail to an encryption service and their email provider doesnt offer a smart host so they need a mail server to send their outgoing mail to the third party	18:23
mailserver	and im currently in the middle of the normal documentation i got linked that last night	18:23
JanC	if you only need it for outgoing mail, that's like the easiest possible configuration for Postfix?	18:29
pmatulis	mailserver: i don't understand "business wants to send email to an encryption service". explain that	18:30
mailserver	instead of smtp to their mail provider they want to smtp to a third party which encrypts their mail.	18:33
mailserver	i might just be making a silly mistake i don't know	18:33
patdk-wk	janc, easiest to configure in postfix yes	18:34
genii	They can't just chane the mail entry of their dns records to point to the third party machine?	18:34
patdk-wk	but hardest to make work	18:34
patdk-wk	due to dns, naming, dkim, spf, ....	18:34
mailserver	their mail provider doesnt provide a smart host so no	18:35
patdk-wk	what is a smart host?	18:35
JanC	"smart host" refers to receiving mail normally?	18:36
patdk-wk	dunno	18:36
JanC	well, both	18:36
patdk-wk	normally smarthost is a sendmail config option to redirect to an msa	18:36
JanC	it goes back to dial-up times	18:36
patdk-wk	instead of doing direct delievery	18:36
JanC	so incoming mail got received by your ISP until you dialled in	18:37
patdk-wk	but really, dont understand the issue	18:37
patdk-wk	you don't direct mail provider to use other mail provider	18:37
* genii sips his coffee and thinks about putting .forward files in the skel directory		18:37
patdk-wk	you just change youself to not use provider1, and to use provider2	18:37
mailserver	the mail provider we are using wont allow mail to go to a different server even if the dns record are changed the host destination needs to be changed and they wont let that happen on their server	18:38
patdk-wk	so we are not talking about smarthost or outgoing mail at all	18:39
mailserver	no we are	18:39
patdk-wk	no	18:39
patdk-wk	dns has nothing to do with outgoing or smarthost	18:39
patdk-wk	only incoming	18:39
mailserver	any records wont effect it	18:39
mailserver	mx	18:39
patdk-wk	mx is ONLY used for incoming	18:40
patdk-wk	not smarthost or outgoing	18:40
mailserver	well i mean to be talking about outgoing	18:40
patdk-wk	yes, and mx doesn't matter	18:40
patdk-wk	and what either provider does, doesn't matter	18:40
patdk-wk	so your issue, is not an issue	18:40
patdk-wk	if you are talking about mx, (incoming), then yes, it is an issue	18:40
mailserver	it is an issue because it doesnt work	18:41
patdk-wk	and the only solution is to get a mail provider that actually does email correctly	18:41
patdk-wk	the issue currently is, you don't understand enough about email to explain what doesn't work though	18:41
mailserver	thats also true	18:41
patdk-wk	first thing you need to do	18:42
patdk-wk	is map the path an email takes	18:42
JanC	maybe the issue is that their mail provider1 uses DKIM/SPF/etc. and sending mail through (encryption) provider2 gets blocked?	18:42
patdk-wk	that is having the issue	18:42
patdk-wk	that is a simple dns config change	18:42
patdk-wk	nothing to do with the mail provider	18:42
JanC	unless mail provider "owns" their DNS :P	18:42
patdk-wk	if provider won't update those dns entries	18:43
patdk-wk	then you have big issues with provider	18:43
patdk-wk	but so far, is sounds like, don't know what we want, to asking provider to do random things	18:43
patdk-wk	and provider properly responds with, but that won't work	18:44
mailserver	the provider doesnt allow us to put in a relay host	18:44
patdk-wk	they shouldn't	18:44
patdk-wk	that is the wrong solution to whatever it is your attempting	18:44
mailserver	im just explaining it wrong but that is what i need	18:44
patdk-wk	no, that is not what is needed	18:45
patdk-wk	that is what is needed if you handled email inhouse	18:45
patdk-wk	and you owned the servers	18:45
patdk-wk	it would be the most simple way to solve the issue	18:45
patdk-wk	but since you don't	18:45
mailserver	thats what im trying to do	18:45
patdk-wk	it won't work	18:45
mailserver	why wont it work	18:46
patdk-wk	the solution to bring email inside and do it yourself, or to make the changes needed	18:46
patdk-wk	are the same	18:46
patdk-wk	every single thing that sends email, will need to be changed	18:46
patdk-wk	currently they point to provider1, and now need to point to provider2	18:46
patdk-wk	if you had email setup inhouse, then just setting relayhost to provider2 would do the same result	18:47
patdk-wk	assuming everything was configured to send email to the inhouse mail server	18:47
mailserver	right	18:47
patdk-wk	so not only do you have to setup a mail relay (msa)	18:48
patdk-wk	you also have to set it up to do encryption	18:48
patdk-wk	and handle user logins, and actully supply it with a user/password database to check those users against	18:48
mailserver	right	18:48
patdk-wk	hopefully that can be done, considering it exists at provider1 currently	18:49
mailserver	provider 1 doesnt allow us to point to provider 2 so it has to be done inhouse to work around provider 1	18:49
mailserver	and like you pointed out earlier i am not knowledgable enough to figure out the probably simple mistakes im making and am wondering if there is a service somewhere on the Internet where i can pay some support people and get some help setting it up	18:53
JanC	mailserver: your local IT company?	18:55
mailserver	i am the local IT company I don't do mail servers very often	18:55
teward	with postfix, i have virtual mail aliases set up so i can have email@somedomain.tld forward to one address, and email2@otherdomain.tld to forward to another address. Is there any way to set up SSL/Secure communication on both incoming to the postfix server and outgoing to the destinations	18:59
teward	or is that just insane with the type of configuraiton i'm trying to achieve	18:59
tarpman	teward: sounds doable. for the server cert (incoming), if people call your server by different names (mail.somedomain.tld and mail.otherdomain.tld), then you need (AFAIK) a single cert with all the names in subjectAltNames	19:04
teward	that'll be painful :/	19:04
teward	that's 8 domains, i'd need a multidomain cert	19:04
tarpman	teward: but if the MX for otherdomain.tld is just mail.somedomain.tld then easy	19:04
teward	tarpman: which isn't the case here, the first statement is the current case	19:05
tarpman	right	19:05
teward	can easily change it if i have to though, the lovely thing about running my own DNS	19:05
tarpman	as far as I understand, your options are a multi-domain cert, or an nginx proxy	19:05
* teward shivers		19:05
tarpman	(and hope all the clients support SNI)	19:05
teward	tarpman: what about the other side, the mail server -> other mailservers	19:05
teward	handled by the same set of certs?	19:06
tarpman	I think that's fairly straightforward. I have it working, but didn't really have to do it myself -- zimbra configures my postfix for me :)	19:06
tarpman	but all the servers I talk to have certs the system trusts, so no special setup	19:06
=== lukasa is now known as lukasa_away
tonyyarusso	teward: Yup, you need a multi-domain certain - have fun forking oer some cash.	19:33
teward	tonyyarusso: yeah blargh i think i'll just leave it unencrypted and PGP-encrypt messages that need securesent	19:34
=== Guest11931 is now known as clueless
tonyyarusso	teward: I'm waiting to see what SAN capabilities Let's Encrypt has in September.	19:35
clueless	if i setup a server following the help tutorial step by step and when i telnet it times out what could be my issues	19:36
clueless	ive changed the default port to 80 in stead of 25 since 25 tends to be blocked	19:38
genii	router port forwarding, firewall	19:38
clueless	disabled my firewall completely	19:38
genii	If you have access to the physical machine see if telnet to localhost or 127.0.0.1 works first	19:40
clueless	refused	19:40
genii	clueless: Are you using telnet as a diagnostic tool for your email setup, or are you just using it as telnet but on 25 or 80,	19:41
=== zz_denbeiren is now known as denbeiren
clueless	diagnostic	19:41
genii	Check in /var/log/mail.log	19:42
=== lukasa_away is now known as lukasa
genii	clueless: Find anything enlightening in the log?	19:52
clueless	yeah im getting a dovecot fatal error missing file	19:53
clueless	dovecot: master: Fatal: service(auth) access(/usr/lib/dovecot/dovecot-auth) failed: No such file or directory	19:53
=== lukasa is now known as lukasa_away
clueless	can you test a relay host with any isp?	20:04
clueless	that i have access to	20:05
sarnold	email doesn't work like it used to -- you can't realistically expect any mail server to relay your mail for you like you could 25 years ago	20:05
clueless	its an inhouse server	20:06
sarnold	relays are typically used within one organization, and their working details are mostly not important to senders ...	20:06
sarnold	ah, good	20:06
patdk-lap	teward, you know, requiring and enforcing smtp to be ssl/tls while sounds like a good idea	20:07
=== lukasa_away is now known as lukasa
patdk-lap	doesn't solve ANY of the issues pgp email protects	20:07
genii	clueless: sudo touch /usr/lib/dovecot/dovecot-auth && sudo chmod 755 /usr/lib/dovecot/dovecot-auth & sudo chown dovecot:dovecot /usr/lib/dovecot/dovecot-auth	20:11
genii	Apologies on lag, work required me for an extended period	20:12
patdk-lap	heh?	20:12
patdk-lap	why would you do all of that?	20:12
patdk-lap	I really don't understand how an empty file will replace a program	20:13
sarnold	what exactly is an empty executable going to do? :)	20:13
patdk-lap	heh, what do we know	20:13
sarnold	I'm constantly amazed at what I don't know :)	20:14
tarpman	probably equivalent to /bin/true	20:14
patdk-lap	no	20:15
patdk-lap	it's not parsable	20:15
tarpman	hmm?	20:15
patdk-lap	hmm, looks like bash treats it that way atleast	20:15
tarpman	http://stackoverflow.com/questions/7268437/bash-script-execution-with-and-without-shebang-in-linux-and-bsd	20:17
tarpman	may or may not be applicable in the dovecot case above, depending on whether there's a shell involved	20:17
teward	patdk-lap: oh, indeed, but given my current setup i'mma need a multidomain cert	20:20
teward	unless i repoint MX to one domain	20:20
patdk-lap	ya, they should always be pointed to one hostname in the mx	20:21
patdk-lap	even if pointed to different names and using different certs or a multicert	20:22
patdk-lap	it will be impossible to know what helo name you should be responding with	20:22
teward	mhm	20:26
patdk-lap	but pretty much, any server that cares, is misconfigured, but they do exist	20:27
=== Lcawte is now known as Lcawte\|Away
=== Lcawte\|Away is now known as Lcawte
alexandercogneau	\quit	23:51

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!