[00:21] <homecable> what's the best way to raid 1 mirror with linux
[00:49] <teward> i feel dirty... i'm setting up a centos 7 VM >.<
[00:49] <teward> i feel like i'm betraying Ubuntu :
[00:49] <teward> :? *
[01:30] <sarkis> hmm is there something wrong with the libc package?
[01:30] <sarkis> STDERR: E: Failed to fetch http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-libc-dev_3.13.0-57.95_amd64.deb  404  Not Found
[01:34] <sarkis> anyone know if there's something up with linux-libc-dev_3.13.0-57.95_amd64.deb
[01:34] <sarkis> seems to be throwing errors on multiple mirrors?
[01:35] <teward> sarkis: sure it wasn't superseded?
[01:35] <sarkis> hmmm i see what this is
[01:35] <teward> because it doesn't show up there when you navigate to the mirror itself in a web browser
[01:36] <sarkis> ya need an apt-get update
[01:36] <sarkis> fuck
[01:36] <teward> !language
[01:45] <patdk-lap>  it's a normal part of human behavior
[01:47] <teward> CurrentToleranceLevel() = 0.0004
[01:47] <teward> i think I need sleep
[02:47] <tgm4883> Trying to enable pci passthrough to one of my libvirt vm's on my 14.04 host, I'm getting this error when I try to start the machine "Error starting domain: unsupported configuration: host doesn't support passthrough of host PCI devices"
[02:47] <qman> Unless it's some obscure bug, it's exactly what it says
[02:48] <tgm4883> I've added intel_iommu=on to my grub line and kvm-ok says that kvm acceleration can be used, which IIRC means that I've got the vt-d extensions
[02:48] <tgm4883> qman: what else is needed?
[02:48] <qman> If you expect your hardware to have this capability, check the bios settings to make sure it's enabled for the device you're trying to use
[02:48] <tarpman> tgm4883: kvm just needs vt, vt-d is an additional feature and usually a separate bios setting
[02:49] <tgm4883> ah
[02:49] <tgm4883> any way to verify I have that without going into the bios? The box is in a closet and I'd have to hook up a keyboard and monitor
[02:50] <qman> Manufacturer documentation to check if it has that feature
[02:50] <qman> No way to enable it without doing that, though
[02:50] <tgm4883> fair enough, i'll look though documentation
[02:51] <qman> Beyond just trying it of course, which isn't working
[02:54] <tarpman> tgm4883: dmesg | grep -i dmar might be a clue, based on http://www.linux-kvm.org/page/How_to_assign_devices_with_VT-d_in_KVM
[02:54] <tarpman> tgm4883: my laptop which has VT-d prints a dmar: line (even though it's disabled in bios), while a server that lacks it does not
[02:55] <tgm4883> tarpman: I'm thinking mine does not. I don't see it listed on the ARK page for my processor
[02:56] <tarpman> too bad
[02:57] <tgm4883> yep, looks like it was added in the Nehalem family, which my processor is 2 behind :(
[02:57] <tgm4883> So plan B I guess. See if I can segregate a NIC to only be used by a particular guest
[02:59] <tarpman> easy, just make a(nother) bridge backed by only that if, point the guest at it
[03:00] <tgm4883> tarpman: that makes sense, I've got to lock it down a bit from the host too, as I was planning on connecting this NIC directly to my cable modem
[03:00] <tgm4883> then running pfsense in the VM
[03:01] <tarpman> interesting
[03:01] <tarpman> not sure how to go about that, tbh :)
[03:01] <tgm4883> Which is why I wanted to do the PCI passthrough :/
[03:01] <tgm4883> the host itself doesn't do much. It runs 1 VM (pfsense) and a few LXC containers
[03:10] <tgm4883> tarpman: some quick searching indicates that the way to do it is leave it unconfigured in the host and use macvtap passthrough
[03:11] <tarpman> tgm4883: same applies for bridging, AFAIK
[03:11] <tarpman> (to be clear, I don't have a particular preference for bridging over macvtap; just all my experience is with the former)
[03:12] <tgm4883> tarpman: yea I've got a bridge setup for the lxc containers.
[03:12] <tarpman> right. so 'iface br1 inet manual', with nics assigned as usual, would probably do as you expect
[03:13] <tarpman> bearing in mind there's nothing preventing a root process in the host configuring it
[03:14] <tgm4883> true, but I wouldn't suspect that since it's only providing those two services and running a puppet agent and check_mk agent
[03:14] <tgm4883> I suppose I could write a check_mk check to verify it stays unconfigured
[03:24] <qman> openvswitch might offer some options here, too, but I'm far from an expert on it
[06:04] <roracle> Hey guys, i'm still on 14.10, noticed it expired today, but i can't get mod_rewrite working on subdomains.  could i please get some help
[06:05] <roracle> i'll be upgrading to a newer version soon
[06:16] <Abhijit> Hi
[06:17] <Abhijit> my postfix+dovecot works well without ssl. when I enable ssl in 10-ssl.conf of dovecot I get ERROR: Connection dropped by IMAP server. I am using squirrelmail to login.
[06:24] <Abhijit> if I add imaps to /usr/share/dovecot/protocols.d/imapd.protocol like protocols = $protocols imap imaps i get syntax error and dovecot fails to restart
[06:33] <lordievader> Good morning.
[06:34] <sarnold> Abhijit: do you have any errors or warnings in the dovecot logs on the server?
[06:35] <Abhijit> sarnold, the previous issue is now solved. now I disabled imap and only enabled imaps. now i get error 111 : Connection refused
[06:35] <Abhijit> it was working when i had both of them enabled imap and imaps
[06:37] <Abhijit> sarnold, the reason for previous issue was ubuntu was using non standard syntax for ssl_cert without <
[07:13] <Pupp3tm4st3r> hi there
[07:14] <Pupp3tm4st3r> I have one question: Is it possible to create a user - ssh access AND this user has to push data into several directories
[07:14] <Pupp3tm4st3r> example: the user has to push files for webprojects into some vhost directories
[07:15] <Pupp3tm4st3r> but - the rights must fit
[07:15] <Pupp3tm4st3r> that the files will be accessible for www-data
[07:17] <sarnold> the usual approach is to put the user into a group like 'www' or 'web' or something, set the group owner on the directories to 'www' (or whatever you pick), and set the bsdgroups mount property on the filesystem (so the user doesn't have to think to change the groups..)
[07:19] <Pupp3tm4st3r> okay, thank you sarnold
[07:25] <gdi2k> what is the correct way to install grub on a degraded raid1 array?
[07:37] <Pupp3tm4st3r> so I created a user and put it into the right group for the directory - primary group - but the user cannot write
[07:37] <Pupp3tm4st3r> permission denied
[07:37] <Pupp3tm4st3r> so it seems that the folder is only writable for the user, not the group, right?
[09:03] <murcha> does anyone know any clue about Vulnerability in NTP (ntpd)
[09:03] <bekks> Can you be just a bit more precise? :)
[09:05] <murcha> The vulnerability is related to the handling of NTP control messages. An attacker could cause a denial of service condition in the ntpd service by sending it a specially crafted configuration message. Remote configuration is disabled by default in ntpd.
[09:10] <bekks> murcha: And do you have a CVE entry, too?
[09:11] <murcha> yes
[09:11] <murcha> bekks: ^
[09:12] <bekks> Cool.
[09:12] <bekks> Whats the price if we guess it?
[09:12] <ObrienDave> prize?
[09:13] <bekks> Or that, yes :)
[09:13] <murcha> bekks: the company has here....so they know about it
[09:14] <bekks> murcha: So what "clue" do you want, if you dont even want to tell us the CVE you are talking about?
[09:14] <murcha> bekks: im a holiday worker
[09:15] <murcha> bekks: what to do if my server's ntpd is DoS targeted?
[09:16] <bekks> You tell us the CVE you are talking about, we tell you wether there is a patch/update, you apply it.
[09:18] <murcha> bekks: i checked ubuntu has released an update for the security issue.
[09:18] <bekks> "the issue".
[09:18] <bekks> Since there is an update, the CVE is publicly released, and it would have been no big deal to tell it.
[09:22] <murcha> i don't have ntpd in my system instead have this /etc/network/if-up.d/ntpdate
[09:34] <Daviey> smoser: Why wasn't the cloudstack/cloud-init password issue treated as a sec upload?
[11:11] <AppAraat> hello, I want to "integrate" my /home partition into the root directory. I chose to encrypt the home of my main user on the machine, but now I want to have it always unencrypted and turn that partition (not the user though!) into just a directory in /
[11:11] <AppAraat> do I have to chroot in to do that?
[13:03] <smoser> Daviey, i don't know. i guess it should have been.
[13:04] <Daviey> smoser: It sounds potentially CVE worthy IMO.
[13:22] <Amillo> Hey guys, would anyone be able to point out what I'm missing here in my zone file?
[13:23] <Amillo> My syslog says I'm missing a ;
[13:23] <Amillo> but I can't for the life of me see it
[13:23] <teward> "zone file"?
[13:23] <teward> and you haven't provided the file either
[13:23] <Amillo> working on that now
[13:23] <Amillo> just uploading a screenshot
[13:23] <Amillo> and named.conf.local file
[13:23] <teward> oh
[13:23] <teward> i can probably help with that
[13:24] <teward> screenshots aren't as useful as pastebins, but meh
[13:24] <Amillo> I'm not sure how to paste out of the vm
[13:24] <teward> cat zonefile | pastebinit
[13:24] <Amillo> http://imgur.com/2fbmjVb
[13:24] <teward> gives you a link for the paste :)
[13:24] <teward> yeah use a pastebin instead
[13:24] <Amillo> thats the file
[13:24] <Amillo> Right
[13:24] <Amillo> I'll give that a go :)
[13:25] <teward> you may have to install pastebinit but meh
[13:25] <teward> point notwithstanding, you also haven't provided the full error message you get
[13:25] <teward> which also will help
[13:25] <teward> oh
[13:25] <Amillo> yeah was gonna do a pastebin
[13:25] <teward> Amillo: company.co.uk
[13:25] <Amillo> instead of a screenshot
[13:25] <teward> file line
[13:26] <teward> Amillo: you have mismatched quotes
[13:26] <teward> file "/etc/bind/db.company.co.uk;
[13:26] <teward> ^ you need a closing quote
[13:26] <Amillo> I've been staring at it...
[13:26] <teward> just like the other zones have
[13:26] <Amillo> for about
[13:26] <Amillo> 45 minutes
[13:26] <Amillo> and I didn't notice that....
[13:26] <teward> Amillo: it's always the tiniest things
[13:26] <teward> :P
[13:27] <Amillo> That solved all my errors aha :)
[13:27] <teward> :P
[13:27] <Amillo> when restarting bind9 I get connect failed: 127.0.0.1#953: connection refused [OK]
[13:27] <Amillo> is this bad?
[13:28] <teward> well... does bind9 still respond?
[13:28] <teward> to queries i mean
[13:28] <teward> (I don't have all your configs so I can't say whether it is or isn't)
[13:28] <Amillo> Haven't checked yet
[13:28] <Amillo> Just that it says bind9 starts ok
[13:28] <Amillo> but also connection refused
[13:31] <Amillo> How do I check if I've set my DNS up correctly
[13:31] <Amillo> pinging company.co.uk, returns from the actual site I think
[13:32]  * CiPi fucks teward in /dev/null
[13:48] <teward> Amillo: dig @ip.of.dns.server SOA one.of.the.zones
[13:49] <Pici> CiPi: Mind your language and conduct in #ubuntu channels please. See http://ubottu.com/y/gl/
[13:54] <Amillo> I've set my computer to look at my primary DNS first and done an nslookup company.co.uk
[13:54] <Amillo> and it still returns the actual one
[13:56] <Amillo> http://imgur.com/ZNX6QW0 - not all too sure what I'm looking at here, but it looks to me as though it worked?
[13:57] <CiPi> yeah pici
[13:57] <CiPi> What kind of name is this
[14:53] <hd_chro321> hello,everyone
[14:53] <hd_chro321> Today I updated my Ubuntu 14.04 using cli apt-get update && apt-get -y upgrade
[14:53] <hd_chro321> but after the update was done, I found that when I reboot my Ubuntu 14.04 server, my golang application cannot start
[14:54] <hd_chro321> my golang application's start command and package have not changed, it is like "sudo /usr/bin/mtunneld &"
[14:54] <hd_chro321> but however I modify the start script /etc/rc.local, these golang applications cannot automatically start again after I reboot my Ubuntu VPS
[14:54] <hd_chro321> but when I log in to the Ubuntu 14.04 ssh console and manually run these golang applications, they run ok
[14:54] <hd_chro321> I googled and found nothing related to the problem
[14:57] <hd_chro321> I checked the Ubuntu 14.04 boot log, but found no errors
[15:09] <pmatulis> hd_chro321: does it start when you invoke it manually?
[15:11] <hd_chro321> pmatulis: yes, when Ubuntu 14.04 has booted ok, I ssh login to a terminal, I invoke the golang application, it starts ok
[15:12] <patdk-wk> something with his env variables or shell path then
[15:13] <hd_chro321> what env variables? these applications that cannot automatically start are golang applications
[15:14] <hd_chro321> my rc.local golang scripts all use absolute paths
[15:15] <patdk-wk> and everything used by that program uses absolute path?
[15:15] <pmatulis> hd_chro321: i don't think it will help but i would first try a proper upgrade. 'apt-get dist-upgrade' will get you new packages that might need to be pulled in. 'apt-get upgrade' only upgrades existing packages
[15:17] <hd_chro321> pmatulis: sorry, my Ubuntu 14.04 is a VPS, resources are limited; if I update using cli apt-get dist-upgrade, it will install many new packages, making it too large for my limited VPS to run
[15:18] <patdk-wk> that should never happen
[15:18] <hd_chro321> ok, I will try updating using apt-get dist-upgrade, I will be back in a while
[15:23] <cluelessperson> hey guys, how safe is a user account that you set to tunnel only?
[15:23] <hd_chro321> my problem still exists; after I ran apt-get dist-upgrade, it ran very fast, the summary report only downloaded 24M; now I have finished the upgrade and rebooted, and these golang applications still have not automatically started
[15:24] <cluelessperson> or is it possible to setup a user account so the only thing they can possibly do is connect a tunnel?
[15:30] <pmatulis> hd_chro321: you will now need to enter into the troubleshooting phase. i recommend the tool 'strace'. to start: https://goo.gl/Ryo3i9
[15:32] <hd_chro321> pmatulis:I will read it
[15:33] <Guest60715> What is the correct way to allow dns port in ufw? Will it slow down the DNS performance?
[15:33] <pmatulis> hd_chro321: good luck. please report back and let us know what you discovered
[15:34] <Guest60715> I have used this rule: ufw allow 53 and had problems.  Could this be the correct command: ufw allow in 53 and ufw allow out 53 ? What other ports do I need to open for a Standalone production DNS cache Server?
[15:35] <hd_chro321> pmatulis: I need to confirm a point: after Ubuntu 14.04 boots ok, I ssh login to a terminal, I run the golang application, it runs ok; do I still need to debug using strace, when the application can run once the Ubuntu 14.04 PC has booted ok?
[15:35] <Guest60715> And how do I check whether UFW logging is enabled?
[15:35] <Guest60715> Where does it log?
[15:36] <patdk-wk> why would ufw log?
[15:37] <cluelessperson> Guest60715, ufw status numbered
[15:37] <cluelessperson> Guest60715, /var/log/ufw.log
[15:39] <Guest60715> cluelessperson: Could this be the correct command: ufw allow in 53 and ufw allow out 53 ? What other ports do I need to open for a Standalone production DNS cache Server?
[15:41] <pmatulis> hd_chro321: the idea is to use strace wherever the program does not run properly. in your case it will be from /etc/rc.local
[15:41] <Guest60715> I've enabled UFW Logging. Now Ufw is logging something like this : Jul 24 21:10:02 dns kernel: [ 2341.934090] [UFW BLOCK] IN=eth0 OUT= MAC=33:33:00:00:00:01:4c:5e:0c:54:a7:3f:86:dd SRC=fe80:0000:0000:0000:4e5e:0cff:fe54:a73f DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=171 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=UDP SPT=5678 DPT=5678 LEN=131
[15:41] <hd_chro321> pmatulis: ok I will try
[15:41] <Guest60715> Why is it logging something like that^ ?
[15:41] <pmatulis> hd_chro321: it would be good to get an strace output for both cases however. a comparison may illuminate
[15:41] <pmatulis> (both cases: working and not-working)
[15:42] <hd_chro321> pmatulis: ok I got it
[15:42] <Guest60715> Do you suggest that removing ufw and using plain iptables to create rules is a good idea?
[15:43] <patdk-wk> that is just the kernel logging, ufw doesn't log
[15:43] <patdk-wk> ufw is a *tool* to load up rules into iptables
[15:44] <patdk-wk> if you want to log differently, use like, ulog
[15:44] <patdk-wk> no idea how to use ulog in ufw though
[15:47] <Guest60715> patdk-wk: So, when i run: ufw logging off, Im actually telling the kernel to stop logging?
[15:48] <patdk-wk> no
[15:48] <patdk-wk> you're telling iptables to stop logging
[15:48] <patdk-wk> and iptables log module uses the kernel
[15:48] <patdk-wk> unless you override it with nlog or ulog
[15:49] <Guest60715> ok.
[15:52] <jdstrand> ufw doesn't support ulog
[15:52] <jdstrand> because ulog doesn't exist for ipv6
[15:52] <ogra_> cant be, they both start with u
[15:52] <Guest60715> patdk-wk: is shorewall a frontend of Iptables too? Or it directly communicates with Netfilter?
[15:53] <patdk-wk> everything is a frontend
[15:53] <patdk-wk> ufw is directly iptables
[15:54] <patdk-wk> shorewall is a generator though
[15:54] <Guest60715> What is a Generator? Is it like Firewall Builder?
[15:54] <Guest60715> Which used to create firewall rules?
[15:54] <patdk-wk> kind of, but firewallbuilder is simple
[15:55] <patdk-wk> shorewall will take what you want, and compile results, depending on what you want, rules, nat, masq, traffic shaping, and what firewall modules are installed
[15:55] <Guest60715> oh. If iptables is that important, why am I able to remove it? If I remove it, will the server break?
[15:55] <patdk-wk> no, you just won't have a firewall
[15:56] <jrwren> you won't have the iptables userspace command. iptables is still a feature in the kernel.
[15:56] <patdk-wk> I assumed he was removing the modules :)
[15:56] <Guest60715> Ok, the netfilter module which actually does the filtering will stop working then.
[15:56] <jrwren> oh, right, sorry.
[15:56] <patdk-wk> it just won't filter
[15:57] <patdk-wk> I have many servers without netfilter loaded on them
[15:57] <Guest60715> Did you need to compile the kernel to remove the netfilter from those?
[15:57] <patdk-wk> if it's compiled in, you would
[15:58] <Guest60715> In default Ubuntu Server it's precompiled I think. Will removing the netfilter enhance the responsiveness of processes like Bind9?
[15:58] <patdk-wk> it would
[15:59] <patdk-wk> but it would be unmeasurable compared to bind itself
[15:59] <patdk-wk> or you have a really really horrible ruleset loaded
[15:59] <Guest60715> what are the attack surfaces that I should remove in a DNS server to run it without a firewall?
[16:00] <Guest60715> First one I guess is ssh.
[16:00] <patdk-wk> how many gigabits of dns traffic are you planning on doing?
[16:01] <Guest60715> not GB/s, only 500 pps at max.
[16:01] <patdk-wk> why are you worried about 500pps?
[16:05] <Guest60715> I will be back later patdk-wk , this is the screen name- Capprentice. Right now I have to go.
[16:05] <Guest60715> I will be back with that Screen name.
[16:23] <Amillo> hey guys, is there any obvious reasons why my nslookup would return the IP address - but also the server as a loopback
[16:25] <patdk-wk> shouldn't it?
[16:26] <Amillo> it does work
[16:26] <hd_chro321> pmatulis: I found my problem's root cause: it is caused by a newly installed proxy application in rc2.d that did not have & added for background running, resulting in all rc2.d processes stopping, including all the golang applications
[16:26] <Amillo> It's just not saying that it came from my server
[16:27] <hd_chro321> pmatulis: now all my applications start ok, including all golang applications
[16:27] <pmatulis> hd_chro321: there you go. did strace help?
[16:28] <hd_chro321> pmatulis: I added strace to the script, but the script had not redirected its output, so I looked deeper and found the root cause
[16:28] <hd_chro321> pmatulis: the rc.local script had not run
[16:31] <hd_chro321> pmatulis: thank you and the others for giving me important tips; my problem is resolved, thanks
[16:58] <pcleon> hello everyone
[17:47] <pmatulis> hello
[18:17] <mailserver> does anyone know of any services out there that will walk me through setting up a mail server
[18:17] <mgz> mailserver: you already appear to be one
[18:18] <mailserver> a not very good one
[18:18] <genii> mailserver: You mean for instance a web hosting company that has decent documentation for such things?
[18:20] <mailserver> I've been walking myself through the various different tutorials on the web and haven't had any success yet, so a support center or something of that nature that can help me figure out what I'm doing wrong
[18:21] <patdk-wk> a mail server is one of the most complex things to setup
[18:21] <genii> If just for a home server with Ubuntu Server, the normal documentation is usually pretty good. https://help.ubuntu.com/lts/serverguide/postfix.html  for the Postfix install walkthrough, for instance
[18:23] <mailserver> it's for a business trying to transfer mail to an encryption service and their email provider doesn't offer a smart host so they need a mail server to send their outgoing mail to the third party
[18:23] <mailserver> and I'm currently in the middle of the normal documentation, I got linked that last night
[18:29] <JanC> if you only need it for outgoing mail, that's like the easiest possible configuration for Postfix?
[18:30] <pmatulis> mailserver: i don't understand "business wants to send email to an encryption service". explain that
[18:33] <mailserver> instead of smtp to their mail provider they want to smtp to a third party which encrypts their mail.
[18:33] <mailserver> i might just be making a silly mistake i don't know
[18:34] <patdk-wk> janc, easiest to configure in *postfix* yes
[18:34] <genii> They can't just change the mail entry of their dns records to point to the third party machine?
[18:34] <patdk-wk> but hardest to make work
[18:34] <patdk-wk> due to dns, naming, dkim, spf, ....
[18:35] <mailserver> their mail provider doesn't provide a smart host so no
[18:35] <patdk-wk> what is a smart host?
[18:36] <JanC> "smart host" refers to receiving mail normally?
[18:36] <patdk-wk> dunno
[18:36] <JanC> well, both
[18:36] <patdk-wk> normally smarthost is a sendmail config option to redirect to an msa
[18:36] <JanC> it goes back to dial-up times
[18:36] <patdk-wk> instead of doing direct delivery
[18:37] <JanC> so incoming mail got received by your ISP until you dialled in
[18:37] <patdk-wk> but really, dont understand the issue
[18:37] <patdk-wk> you don't direct mail provider to use other mail provider
[18:37]  * genii sips his coffee and thinks about putting .forward files in the skel directory
[18:37] <patdk-wk> you just change yourself to not use provider1, and to use provider2
[18:38] <mailserver> the mail provider we are using won't allow mail to go to a different server; even if the dns records are changed, the host destination needs to be changed and they won't let that happen on their server
[18:39] <patdk-wk> so we are not talking about smarthost or outgoing mail at all
[18:39] <mailserver> no we are
[18:39] <patdk-wk> no
[18:39] <patdk-wk> dns has nothing to do with outgoing or smarthost
[18:39] <patdk-wk> only incoming
[18:39] <mailserver> any records won't affect it
[18:39] <mailserver> mx
[18:40] <patdk-wk> mx is ONLY used for incoming
[18:40] <patdk-wk> not smarthost or outgoing
[18:40] <mailserver> well i mean to be talking about outgoing
[18:40] <patdk-wk> yes, and mx doesn't matter
[18:40] <patdk-wk> and what either provider does, doesn't matter
[18:40] <patdk-wk> so your issue, is not an issue
[18:40] <patdk-wk> if you are talking about mx, (incoming), then yes, it is an issue
[18:41] <mailserver> it is an issue because it doesn't work
[18:41] <patdk-wk> and the only solution is to get a mail provider that actually does email correctly
[18:41] <patdk-wk> the issue currently is, you don't understand enough about email to explain what doesn't work though
[18:41] <mailserver> thats also true
[18:42] <patdk-wk> first thing you need to do
[18:42] <patdk-wk> is map the path an email takes
[18:42] <JanC> maybe the issue is that their mail provider1 uses DKIM/SPF/etc. and sending mail through (encryption) provider2 gets blocked?
[18:42] <patdk-wk> that is having the issue
[18:42] <patdk-wk> that is a simple dns config change
[18:42] <patdk-wk> nothing to do with the mail provider
[18:42] <JanC> unless mail provider "owns" their DNS  :P
[18:43] <patdk-wk> if provider won't *update* those dns entries
[18:43] <patdk-wk> then you have big issues with provider
[18:43] <patdk-wk> but so far, it sounds like, don't know what we want, so asking provider to do random things
[18:44] <patdk-wk> and provider properly responds with, but that won't work
[18:44] <mailserver> the provider doesn't allow us to put in a relay host
[18:44] <patdk-wk> they shouldn't
[18:44] <patdk-wk> that is the wrong solution to whatever it is you're attempting
[18:44] <mailserver> I'm just explaining it wrong but that is what i need
[18:45] <patdk-wk> no, that is not what is needed
[18:45] <patdk-wk> that is what is needed if you handled email inhouse
[18:45] <patdk-wk> and you owned the servers
[18:45] <patdk-wk> it would be the most simple way to solve the issue
[18:45] <patdk-wk> but since you don't
[18:45] <mailserver> that's what I'm trying to do
[18:45] <patdk-wk> it won't work
[18:46] <mailserver> why won't it work
[18:46] <patdk-wk> the solution to bring email inside and do it yourself, or to make the changes needed
[18:46] <patdk-wk> are the same
[18:46] <patdk-wk> every single thing that *sends* email, will need to be changed
[18:46] <patdk-wk> currently they point to provider1, and now need to point to provider2
[18:47] <patdk-wk> if you had email setup inhouse, then just setting relayhost to provider2 would do the same result
[18:47] <patdk-wk> assuming everything was configured to send email to the inhouse mail server
[18:47] <mailserver> right
[18:48] <patdk-wk> so not only do you have to setup a mail relay (msa)
[18:48] <patdk-wk> you also have to set it up to do encryption
[18:48] <patdk-wk> and handle user logins, and actully supply it with a user/password database to check those users against
[18:48] <mailserver> right
[18:49] <patdk-wk> hopefully that can be done, considering it exists at provider1 currently
[18:49] <mailserver> provider 1 doesnt allow us to point to provider 2 so it has to be done inhouse to work around provider 1
[18:53] <mailserver> and like you pointed out earlier i am not knowledgeable enough to figure out the probably simple mistakes I'm making and am wondering if there is a service somewhere on the Internet where i can pay some support people and get some help setting it up
[18:55] <JanC> mailserver: your local IT company?
[18:55] <mailserver> i am the local IT company I don't do mail servers very often
[18:59] <teward> with postfix, i have virtual mail aliases set up so i can have email@somedomain.tld forward to one address, and email2@otherdomain.tld to forward to another address.  Is there any way to set up SSL/Secure communication on both incoming to the postfix server and outgoing to the destinations
[18:59] <teward> or is that just insane with the type of configuration i'm trying to achieve
[19:04] <tarpman> teward: sounds doable. for the server cert (incoming), if people call your server by different names (mail.somedomain.tld and mail.otherdomain.tld), then you need (AFAIK) a single cert with all the names in subjectAltNames
[19:04] <teward> that'll be painful :/
[19:04] <teward> that's 8 domains, i'd need a multidomain cert
[19:04] <tarpman> teward: but if the MX for otherdomain.tld is just mail.somedomain.tld then easy
[19:05] <teward> tarpman: which isn't the case here, the first statement is the current case
[19:05] <tarpman> right
[19:05] <teward> can easily change it if i have to though, the lovely thing about running my own DNS
[19:05] <tarpman> as far as I understand, your options are a multi-domain cert, or an nginx proxy
[19:05]  * teward shivers
[19:05] <tarpman> (and hope all the clients support SNI)
[19:05] <teward> tarpman: what about the other side, the mail server -> other mailservers
[19:06] <teward> handled by the same set of certs?
[19:06] <tarpman> I think that's fairly straightforward. I have it working, but didn't really have to do it myself -- zimbra configures my postfix for me :)
[19:06] <tarpman> but all the servers I talk to have certs the system trusts, so no special setup
[19:33] <tonyyarusso> teward: Yup, you need a multi-domain cert - have fun forking over some cash.
[19:34] <teward> tonyyarusso: yeah blargh i think i'll just leave it unencrypted and PGP-encrypt messages that need to be sent securely
[19:35] <tonyyarusso> teward: I'm waiting to see what SAN capabilities Let's Encrypt has in September.
[19:36] <clueless> if i set up a server following the help tutorial step by step and when i telnet it times out, what could be my issues
[19:38] <clueless> i've changed the default port to 80 instead of 25 since 25 tends to be blocked
[19:38] <genii> router port forwarding, firewall
[19:38] <clueless> disabled my firewall completely
[19:40] <genii> If you have access to the physical machine see if telnet to localhost or 127.0.0.1 works first
[19:40] <clueless> refused
[19:41] <genii> clueless: Are you using telnet as a diagnostic tool for your email setup, or are you just using it as telnet but on 25 or 80?
[19:41] <clueless> diagnostic
[19:42] <genii> Check in /var/log/mail.log
[19:52] <genii> clueless: Find anything enlightening in the log?
[19:53] <clueless> yeah I'm getting a dovecot fatal error missing file
[19:53] <clueless> dovecot: master: Fatal: service(auth) access(/usr/lib/dovecot/dovecot-auth) failed: No such file or directory
[20:04] <clueless> can you test a relay host with any isp?
[20:05] <clueless> that i have access to
[20:05] <sarnold> email doesn't work like it used to -- you can't realistically expect any mail server to relay your mail for you like you could 25 years ago
[20:06] <clueless> it's an inhouse server
[20:06] <sarnold> relays are typically used within one organization, and their working details are mostly not important to senders ...
[20:06] <sarnold> ah, good
[20:07] <patdk-lap> teward, you know, requiring and enforcing smtp to be ssl/tls, while it sounds like a good idea
[20:07] <patdk-lap> doesn't solve ANY of the issues pgp email protects
[20:11] <genii> clueless: sudo touch /usr/lib/dovecot/dovecot-auth && sudo chmod 755 /usr/lib/dovecot/dovecot-auth && sudo chown dovecot:dovecot /usr/lib/dovecot/dovecot-auth
[20:12] <genii> Apologies on lag, work required me for an extended period
[20:12] <patdk-lap> heh?
[20:12] <patdk-lap> why would you do all of that?
[20:13] <patdk-lap> I really don't understand how an empty file will replace a program
[20:13] <sarnold> what exactly is an empty executable going to do? :)
[20:13] <patdk-lap> heh, what do we know
[20:14] <sarnold> I'm constantly amazed at what I don't know :)
[20:14] <tarpman> probably equivalent to /bin/true
[20:15] <patdk-lap> no
[20:15] <patdk-lap> it's not parsable
[20:15] <tarpman> hmm?
[20:15] <patdk-lap> hmm, looks like bash treats it that way at least
[20:17] <tarpman> http://stackoverflow.com/questions/7268437/bash-script-execution-with-and-without-shebang-in-linux-and-bsd
[20:17] <tarpman> may or may not be applicable in the dovecot case above, depending on whether there's a shell involved
[20:20] <teward> patdk-lap: oh, indeed, but given my current setup i'mma need a multidomain cert
[20:20] <teward> unless i repoint MX to one domain
[20:21] <patdk-lap> ya, they should always be pointed to one hostname in the mx
[20:22] <patdk-lap> even if pointed to different names and using different certs or a multicert
[20:22] <patdk-lap> it will be impossible to know what helo name you should be responding with
[20:26] <teward> mhm
[20:27] <patdk-lap> but pretty much, any server that cares, is misconfigured, but they do exist
[23:51] <alexandercogneau> \quit