[00:01] <JanC> if the ABI stays the same then that would make security updates smaller/easier too, which would also be a benefit?
[00:01] <teward> JanC: never got a clear answer on that from NGINX devs.  I've gotten mixed answers, but nothing clear.  I'm sending a complete list with these inquiries from you and rbasak to the nginx-devel list shortly
[00:01] <JanC> if it often changes, then you would suddenly have multiple source packages to build & test
[00:01] <teward> ... assuming my computer gets off its lazy processor state and decides to speed up.
[00:02] <JanC> (assuming the 3rd party modules would become separate packages then)
[00:02] <teward> JanC: that's been a consideration point back in Xenial
[00:02] <teward> since the likelihood of that happening is near nil currently, because it'd require the nginx source to be rebuilt by every such source package, that consideration was shelved.
[00:02] <teward> both here and in Debian
[00:03] <teward> it's also what delayed getting the dynamic module support enabled and forced it to be enabled in 16.10
[00:03] <teward> ... that and Debian didn't give us much choice in that matter, deciding to enable it themselves.
[00:06] <teward> rbasak: JanC: once I get the answers, I'll let you know what they say.  Ultimately, though, if Debian accepts debian bug 897926 and its proposal, it'd get included in the next merge.
[00:09] <teward> mother...okay, so NGINX set up strict "envelope sender" and "From" enforcement that they need to match.  (I hate MTAs configured that way...)
[00:09] <teward> let me finish setting up my mail server for my other domain so I can use that to submit the inquiry.  Since apparently @ubuntu.com as an 'alias' for "From" is stupid
[00:09] <teward> *grumbles angrily at stupid configuraiton setups for mail servers*
[00:48] <JanC> you can use Sender: with a proper address in some such setups
[00:50] <teward> JanC: true...
[00:50] <teward> ... except SPF would fail and Google won't let me set the Sender header in Thunderbird :P
[00:51] <teward> s/would fail/would possibly fail/
[00:51] <teward> it's odd how strict they are...
[00:51] <teward> *shrugs*
[00:51] <teward> it didn't have this issue until recently, so I guess I'll go complain to their customer relations team later.
[00:51] <JanC> what I mean is that if Sender: is okay according to SPF, but From: isn't, they will accepted that too
[00:51] <teward> aaaand 18.04, Postfix, and Dovecot don't want to work.
[00:52] <teward> JanC: it's more the envelope outer field and the inner from field not matching
[00:52] <teward> I"ve seen that issue before on overly-strict mail environs
[00:52] <teward> and the mail gateways at work (we just add 0.5 to the spam score instead of outright refusing now, for spam determination instead; if the SPF matches and the DKIM matches if present then it invalidates that 0.5)
[00:52] <JanC> right, but sometimes they are okay if either From: or Sender: matches with the envelope outer field  :)
[00:52] <teward> right, I just can't set that with Google-routed mail
[00:53] <teward> at least, not if I"m using TBird as the client.
[00:53] <teward> sure, if I write it by hand in Python it'll work, but :p
[00:53] <teward> at that point I may as well send it through my normal mailserver.
[00:53] <JanC> you can't add arbitrary headers in TB?
[00:53] <teward> ... which doesn't want to behave in 18.04 with the same 16.04 configs, and there's no errors.
[00:53] <teward> JanC: not in *this* version of TBird, the addon I had to do that went AWOL.  16.04 TBird is... interesting.
[00:54] <teward> *normally* I'd run this through a custom mail handler that then sends through Google, but I'm lazy and don't want to go and find that code in my backups right now.
[00:54] <JanC> maybe try Evolution or something  ;)
[00:54] <teward> JanC: oh you mean that thing that hasn't worked in eons, because Evolution didn't support Google's new auth system and therefore stopped being a viable mail client.
[00:55] <teward> Unless they've done major Evolution version bumps and feature inclusion in Xenial without my knowing
[00:55] <JanC> hm?
[00:55] <teward> or without tsimonq2 knowing and he'd probably tell me :P
[00:55] <JanC> I never heard anybody complain about that actually (certainly not in recent years)
[00:55] <teward> JanC: well i'm painfully old school
[00:56] <teward> and it won't matter once I up this system to 18.04 because yay new software.
[00:56] <JanC> wasn't that with the gnome accounts thing?
[00:56] <teward> remind me again, does Evolution ahve an exchange-compatible plugin since I also need to work with that for work email...
[00:56] <JanC> IIRC GNOME accounts aren't particularly well-maintained, but IIRC it still works with Evolution's native support
[00:56] <JanC> it has 2 Exchange plugins IIRC
[00:57] <teward> JanC: more important, does it work with Exchange 2k8 through 2k13? because my workplace uses ancient obsolete exchange at the moment (reason: NEGLECT OF SYSTEMS AND STINGINESS WITH BUDGETS)
[00:57] <teward> (that's changing in 2018 now...)
[00:58] <teward> (this said, my *own* business's mail servers are Postfix+Dovecot+IMAP with some heavy duty filtering and auth requirements, so...)
[00:58] <JanC> there is an #evolution channel on GIMPnet  :)
[00:58] <JanC> I have no experience with the Exchange stuff
[00:58] <JanC> but I see people who use it on the channel & mailing list from time to time
[01:02] <JanC> it supports Exchange over EWS and over MAPI apparently
[01:09] <JanC> teward: evolution EWS accounts supposedly work with Exchange 2k7 & later
[01:09] <JanC> https://help.gnome.org/users/evolution/stable/exchange-connectors-overview.html.en
[01:10] <teward> well good it'll work with the new exchange and replacement for Microsoft's ancient decrepit poor excuse for a WAF that was called Threat Management Gateway
[01:10] <teward> as I said, obsolete systems due to neglect.
[01:12] <JanC> seems like it mostly only supports features from 2k7 though
[01:13] <JanC> plus a bit of 2k10 stuff
[01:14] <teward> yeah there's not much between 2k10 and 2k16 beyond webui interface changes but meh.  As long as it supports, I'll investigate the switch when I finish upgrading this laptop to 18.04
[01:14] <teward> in the interim, Thunderbird it is.
[01:14] <JanC> :)
[01:15] <teward> ... and more importantly and more urgently...
[01:15] <JanC> to be fair, evolution is in universe in Ubuntu, so doesn't always get bug fixes & such...
[01:15] <teward> *glares evilly at 18.04 Dovecot and grabs the laser sword to go hack away at its config further*
[01:16] <JanC> maybe I'll wait until .1 before upgrading my server  :)
[01:16] <JanC> will likely be a new install actually
[01:16] <teward> probably wouldn't hurt, though the upgrades have given me headaches, so i'm doing 'new install, transfer old data over, nuke old server' really :p
[01:17] <JanC> right, that's what I've done with my VPS in the past
[01:18] <teward> ... and I'm having some fun with 18.04 myself on other non-critical servers too ;)
[01:19] <JanC> although I usually test the new one before switching over  :)
[01:19] <JanC> old one is still 14.04 actually
[01:19] <teward> Most of my servers are pretty non-complex or are containerized 16.04
[01:19] <JanC> so going to need some Dovecot/Postfix config changes I'm sure
[01:19] <teward> straight DNS servers and an lxd host system :p
[01:20] <teward> JanC: well what's odd is, there's not much difference in the guides for email on 18.04 compared to 16.04 since the major dovecot versions haven't changed much
[01:20] <JanC> might do that for the new one too
[01:20] <teward> so why it's failing with a bog-standard postfix/dovecot non-virtual user account delivery system is making me scratch my head
[01:20] <teward> i'll dig into it later
[01:21] <teward> for now, I think a drink is needed.  *goes to grab a cold one from the fridge*
[01:21] <JanC> teward: like I said, I'll be coming from 14.04 with a config that dates back 15 years or so
[01:21] <teward> heh
[01:21] <teward> JanC: the only 14.04 server I have is a Mailborder mail gateway system because their software set isn't updated for 16.04 or newer yet
[01:21] <teward> ... and a couple DNS servers but those are *real* easy to move over
[01:21] <teward> since Bind hasn't changed that much :P
[01:25] <JanC> unless you want to move them to other software  :)
[01:26] <teward> they've got a 16.04 update coming out in the next quarter
[01:27] <teward> ... and any other viable replacement would be outside my budget currently if I wanted feature parity
[01:27] <teward> *shrugs*
[04:42] <chamar> whaaa. 18.04 got a new installer. nice
[04:56] <TheEagerPadawan> and still having the same issue(s) as earlier due to an upgrade of 17.10 to 18.04
[04:57] <chamar> :/ First install of 18.04 server.. can't say much yet
[04:58] <chamar> Trying out conjure-up ... don't expect much since I didn't had much success in the past.
[05:28] <TheEagerPadawan> anyone an idea how to get around "volume group "ubuntu-vg" not found during the LUKS decrypt process
[05:34] <Neo4> see this 5 errors, I'll correct them now
[05:34] <Neo4> https://mxtoolbox.com/domain/mail.kselax.ru/
[05:34] <Neo4> from what start?
[05:37] <Neo4> DMARC - domain based massage authentication
[05:37] <Neo4> reporting and conformance
[06:43] <Neo4> who know how to check SPF record?
[06:43] <Neo4> I've created one http://pix.toile-libre.org/?img=1525588936.png
[06:48] <Neo4> what does it mean?
[06:48] <Neo4> http://www.openspf.org/Why?show-form=1&identity=neo%40kselax.ru&ip-address=91.227.18.36&.submit=Submit
[06:49] <Neo4> why rejected?
[06:59] <TheEagerPadawan> still having the same issues as yesterday - posted the whole story here to not overly spam the channel - https://paste.ubuntu.com/p/4wwXmYmJ9t/
[11:35] <Neo4> who know what is wrong with certificate?
[11:35] <Neo4> https://mxtoolbox.com/domain/mail.kselax.ru/
[11:52] <_KaszpiR_> Neo4 people already told you few days ago that's not gonna work
[11:52] <blackflow> Neo4: what certificate?
[11:53] <Neo4> blackflow: I've corrrected that, now works
[11:53] <_KaszpiR_> and if you don't know how to fix DNS issues then don't even bother with setting up mail server, especially when your ip is on spamhaus blacklist
[11:53] <blackflow> Neo4: you're still blacklisted tho'
[11:53] <Neo4> there was error 'mismatch name of certificate' I did for two name one certificate and not all good
[11:53] <blackflow> yeah, just due to that spamhaus bl, you'll have your mail rejected by most recipients.
[11:54] <blackflow> ours certainly :)
[11:54] <Neo4> blackflow: and black list nothing means, my mails deliver not like spam, Do you want I send you message for test?
[11:54] <blackflow> Neo4: you can send it, it would be rejected. I configured our MTAs to query spamhaus and a few other lists.
[11:54] <Neo4> blackflow: when we set SPF record google resolve mails like good
[11:54] <_KaszpiR_> lol
[11:55] <blackflow> Neo4: nah. SPF protects YOU, not the recipient.
[11:55] <Neo4> blackflow: rejected wholly or will mark like spam?
[11:55] <Neo4> blackflow: but google without SPF put all mails to spam
[11:55] <Neo4> with not
[11:55] <Neo4> who want I send him mail?
[11:56] <Neo4> put your main here, I will send
[11:56] <Neo4> now
[11:56] <Neo4> :)
[11:56] <blackflow> Neo4: thta depends on how the MTA is confiugred. cPanel/Exim ones will reject. Ours will drop it to Junk folder of the recipient.
[11:56] <Neo4> _KaszpiR_: Do you think it won't work?
[11:56] <Neo4> blackflow: because spam list? I think little MTA uses black lists
[11:57] <Neo4> blackflow: enough spamassassin
[11:57] <blackflow> Neo4: most MTAs use black lists
[11:58] <blackflow> all cPanel/Exim and Plesk deployments do, and that's almost the entire shared hosting industry.
[11:58] <Neo4> blackflow: gmail.com is the biggest and reliable MTA and it doesn't use, All other MTA should follow gmail.com...
[11:58] <blackflow> yahoo/bing will drop you if you're on spamhaus. google has its own rules afaik.
[11:59] <Neo4> blackflow: and there exists blackhows?
[11:59] <blackflow> Neo4: funny thing about gmail, our MTAs are not blacklisted and have ALL the settings recommended by gmail (spf, dkim, dmarc, rdns, ....), and yet a good percentage of mail sent to @gmail.com still ends up in Junk.
[11:59] <blackflow> gmail has its own rules.
[12:00] <Neo4> ok
[12:00] <Neo4> blackflow: do you think I have to pull my ip from blacklist?
[12:00] <blackflow> recipients click "This is not spam" and its no longer going to Junk, for them.
[12:00] <Neo4> _KaszpiR_: what do you mean DNS problem?
[12:01] <blackflow> Neo4: yes, you do. especially spamhaus.
[12:01] <blackflow> but that might either go smoothly, or not at all. then you'd have to change the IP.
[12:01] <Neo4> _KaszpiR_: there all looks like nice
[12:02] <Neo4> blackflow: ok, will see
[12:02] <Neo4> but nice it works :)
[12:02] <Neo4> only black left black lists
[12:02] <Neo4> two errors
[12:03] <Neo4> we won't count warnings, it's not important
[12:03] <Neo4> I only have gmail.com
[12:03] <Neo4> Who want I test his mail?
[12:04] <blackflow> fix that dmarc problem
[12:06] <Neo4> blackflow: I've already done it, It has dmarc record, and will verified during 1 - 2 days
[12:06] <Neo4> left only blacklists
[12:07] <Neo4> and create good documentation 'how set up mail server'
[12:07] <Neo4> my set up is: postfix+dovecot+spamassassin+roundcobe+opendkim
[12:08] <Neo4> there lack some app that will give ban users who send spam automatically
[12:08] <Neo4> I will seek it
[12:08] <Neo4> then will open 'close relay'
[12:09] <Neo4> pulbic mail server site, where any users will able to register and get mail
[12:09] <Neo4> :)
[12:09] <blackflow> for free?
[12:09] <Neo4> blackflow: yes
[12:09] <blackflow> good to know. adding your server to our internal blacklists :)
[12:10] <Neo4> blackflow: ok, here much work, I don't know how customize folders inside and how to use quotes. I might not be do this
[12:10] <blackflow> running an MTA these days requires  alot of knowledge and experience.
[12:11] <blackflow> if I were you, (and I kinda was 10+ years ago when I started running own MTA), I'd start with a personal mail server, keep that going for a year or so, learning and understanding all aspects of it.
[12:11] <Neo4> blackflow: does it means I have a lot of knowledge? I managed to set up whole mail server? :)
[12:11] <Neo4> It means I have a lot of knowledge ))))
[12:11] <blackflow> because... with lack of knowledge and experience, you'll be overrun with spam and thus blocked by everyone.
[12:12] <Neo4> there much to learn, I won't do it, for me enough postfix + SPF record, and might DkIM
[12:12] <blackflow> Neo4: setting up by reading a tutorial does not constitute having knowledge and experience. For starters, you'll have to learn how to train SpamAssassin for quality spam detection.
[12:13] <Neo4> blackflow: I think it's not important, more important how to restrict postfix send spam, incoming messages are not dangerous
[12:14] <Neo4> blackflow: this is main
[12:14] <blackflow> you think you have a lot of knowledge? I'm pretty sure you have no idea how to set up SA learning via bayes. or running a  feedback look between post-queue SA and a pre-queue Postfix policyd
[12:14] <blackflow> *feedback loop
[12:14] <Neo4> blackflow: I don't know what that means, no, not a lot
[12:14] <blackflow> yes, spamassassin does both ways. see, you've still got a lot to learn ;)
[12:15] <Neo4> I won't learn mail server further
[12:15] <Neo4> blackflow: yes, quotas, others
[12:15] <Neo4> blackflow: I consider this all isn't important
[12:15] <blackflow> maybe not if you're running a mail server just for yourself.
[12:15] <Neo4> blackflow: I won't care about user
[12:16] <Neo4> blackflow: see you run your mail server for yourself, and somebody hack your account and able to send spam, He can black listed your mail server
[12:17] <blackflow> no I run for our company, with hundreds of clients using our mail services.
[12:17] <Neo4> or you allow user register on your site and give them SMTP access to server, they also can send spam and lay down your server
[12:17] <blackflow> I _started_ with my own postifx, just for myself, yes.
[12:18] <Neo4> blackflow: no, I say main it's not incoming mails, outcoming mails more dangerous
[12:18] <blackflow> no we don't allow random users register for e-mail. they have to be our clients, pay up for the full service, sign the contracts, and only then they get the email accounts.
[12:18] <Neo4> blackflow: even don't need antivirus, doesn't matter, windows users have his own antivirus
[12:19] <blackflow> I wouldn't even consider starting a "free for all" e-mail business. it'd be a waste of time and effort. GMail and others have years of engineering behind them with powerful spam detection systems and AIs, and they STILL have problems with SPAM. yeah, no thanks.
[12:19] <Neo4> we must remove all redundant applications
[12:20] <Neo4> blackflow: see if I will create online shop, I need only postfix + SPF ?
[12:20] <blackflow> for what?
[12:21] <blackflow> if you want to run a mail server that sends out mail, from a web shop, you need more than just spf, if you want your mail received by as much recipients as possible.
[12:21] <Neo4> blackflow: if do 'online stores' for people you must set up VPS, and needed apps, do you think postfix + SPF is enough
[12:21] <Neo4> blackflow: SPF, DKIM ?
[12:21] <Neo4> two?
[12:22] <blackflow> and rDNS, and DMARC, and NOT have blacklisted IPs,    and you'll still have occasional problems with your mail landing to Junk :)
[12:22] <Neo4> black list? If I buy server on digitalocen for 5$, sure it will blacklisted
[12:22] <blackflow> Neo4: that depends
[12:22] <Neo4> blackflow: no, blacklist will always if your client doesn't have money, good client won't hire you
[12:23] <blackflow> that does not make any sense.
[12:23] <Neo4> blackflow: I think all ip will blacklisted, what we can do postfix + SPF + DKIM +DMARC , and enough for majority servers?
[12:24] <Neo4> blackflow: why?
[12:24] <Neo4> blackflow: some guy whant show, he doesn't have money or what do it as cheap as he could, it has sense, and we will buy cheaper server
[12:24] <blackflow> because blacklisting has nothing to do wtih clients having money....
[12:24] <blackflow> like I said, our MTAs are NOT blacklisted, haven' been, anywhere, for the past 3 years.
[12:25] <Neo4> blackflow: how I will check on digitalocean droplets?
[12:25] <blackflow> we don't send out newsletters and spam-like stuff. our clients use it for transactional, business email.
[12:25] <blackflow> Neo4: you get a droplet, and then you check if the IP is blacklisted.
[12:25] <Neo4> I will create one then if that ip blacklist will remove and create nest?
[12:26] <Neo4> blackflow: ok, understood, on this server that I use not, I don't have droplet, I paid and use what you got
[12:26] <Neo4> )))
[12:26] <Neo4> I use now*
[12:28] <blackflow> Neo4: also note, even if your own IP is not blacklisted, some customer of the cloud service you use could get your entire subnet blacklisted. I've seen that happen a lot at Rackspace back when we were using them. Spamhaus of course, and they refused to delist.
[12:29] <blackflow> it's a game of whack-a-mole.
[12:30] <Neo4> blackflow: ok
[12:30] <blackflow> ideally, you'd want a provider with low tolerance for spam. we use Hetzner. never had an issue with blacklisted subnet with them, like at Rackspace and even Leaseweb.
[12:30] <blackflow> OVH has improved a lot too. nowadays they screen your outgoing mail and block you pre-emptively.
[12:31] <blackflow> but I wouldn't use OVH for other reasons (lousy network, for one)
[12:38] <Neo4> it will take 1 - 2 days to create instruction or even more :(