SSL for everybody


SSL certificates are a great way to ensure that the website you’re connected to is really the one you think you’re connected to, and they also keep the traffic between your client and the server secure. The HTTPS protocol uses SSL certificates. The main problem with the SSL infrastructure was that you needed to get one that was signed by one of the central trusted authorities – and generally if you wanted one of these you had to pay for it. There were a few places that would give you a free certificate for personal use; the other alternative was to use a self-signed certificate, but there were usability issues because it isn’t signed by a trusted authority.

This all changed recently with Let’s Encrypt – you can now get a free certificate with very little effort. If you maintain a website or host an app, you should check letsencrypt.org out. The remainder of this post is a cleaned up set of notes on what I did.

I started out here https://letsencrypt.org/getting-started/ – which seemed to be a good starting point. Then I figured I’d make sure my server met the criteria they had for support; the documentation had some details covering this. I was happy to see Ubuntu 12.04+ and Apache 2.x support, so this made me fairly confident my server was supported.

But.. my Ubuntu doesn’t seem to have a letsencrypt package

No problem, we’ll just follow along with https://letsencrypt.org/getting-started/

The last command, while asking for help – will do some bootstrapping of let’s encrypt. So don’t skip it. The scripts include calls to sudo, so you don’t have to be root to run them but it will ask for root access.

[Security note – it is always a little bit scary running random scripts, always worth looking at them. There is a growing trend of having “wget -O - http://randomscript.com | bash” be normal, but you should be afraid]

Some exciting updates to my server from doing just the bootstrap. My /etc/ca-certificates got updated (it was probably way overdue), it also dragged me up to date for libssl. It took a while to finish, but we finally got the help screen.

At this point, I have the let’s encrypt tools installed on my server, so time to try them out.

Hopefully the following command is going to register us and get a new certificate for my old expired one.

Well that didn’t work, it picked up some ‘other’ domains I host — but not my main lowtek.ca one. Weird, but probably due to my non-standard configuration of Apache due to years of hacking it. It was easy to bail out so no harm done. Let’s try this then:

Ok – much better, email sign up and an agreement (which yes, I took the time to read – it was only 6 pages). It seems that I don’t have a virtual host set up for lowtek.ca and needed to manually pick the Apache config file (not a big deal); this was why the first try didn’t work.

Visiting https://lowtek.ca/ shows no more certificate error (woot!) and all looks good. It was really this easy.

The end of the script even suggests you visit: https://www.ssllabs.com/ssltest/analyze.html?d=lowtek.ca to check for issues. These SSL Labs tests show that my certificate from letsencrypt will expire in just under 3 months, so I’ll want to add a cron job to do a renew. They also gave me a B rating, with lots of gorpy details on why.

To renew, I just need to run this command from time to time

That’s really easy to do with cron – so I added an entry to my root user crontab to run this once a month.
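Since a Let’s Encrypt certificate expires after roughly three months, a monthly cron job that blindly runs the renewal works, but it is worth having the job also look at the certificate it actually serves and report how many days are left, so a renewal that silently failed gets noticed before the browser errors return. The following script is an added example, not the commands from this post or from the Let’s Encrypt project: it reads `notAfter` from a PEM file with `openssl x509`, computes the days remaining in plain shell arithmetic (so it does not depend on GNU `date -d`), and runs the renewal only inside a configurable window. The renewal command `certbot renew` and the certificate path are assumptions; substitute whatever client and path you use.

```shell
#!/bin/sh
# Added example, not code from the original post or from Let's Encrypt.
# Report days left on a served certificate and renew it when inside the
# renewal window. Meant to be run from the root crontab.
# Assumptions: OpenSSL's "Mon DD HH:MM:SS YYYY GMT" notAfter format, and
# `certbot renew` as the renewal command (replace with your own client).

RENEW_CMD="${RENEW_CMD:-certbot renew --quiet}"   # assumption, see above
RENEW_DAYS="${RENEW_DAYS:-30}"                    # renew when fewer days remain

# Three-letter month name -> month number.
month_number() {
    case "$1" in
        Jan) echo 1 ;; Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;; Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) echo "unknown month: $1" >&2; return 1 ;;
    esac
}

# Calendar date (year month day) -> days since 1970-01-01, proleptic
# Gregorian, using only shell integer arithmetic.
days_from_civil() {
    y=$1; m=${2#0}; d=${3#0}        # drop a leading zero so "09" is not read as octal
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# "Dec 11 23:59:59 2015 GMT" -> day number. Word splitting also absorbs the
# double space OpenSSL prints for single-digit days ("Dec  1 ...").
parse_not_after() {
    set -- $1
    mon=$(month_number "$1") || return 1
    days_from_civil "$4" "$mon" "$2"
}

# "YYYY-MM-DD" -> day number.
parse_ymd() {
    IFS=- read -r yy mm dd <<EOF
$1
EOF
    days_from_civil "$yy" "$mm" "$dd"
}

# Whole days from $2 (YYYY-MM-DD) until the notAfter date in $1.
days_remaining() {
    echo $(( $(parse_not_after "$1") - $(parse_ymd "$2") ))
}

# Exit status 0 when fewer than $3 days remain on date $2.
needs_renewal() {
    [ "$(days_remaining "$1" "$2")" -lt "$3" ]
}

# notAfter of a PEM certificate, as printed by openssl.
cert_not_after() {
    openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//'
}

# Example root crontab entry (path is a placeholder; point it at the
# certificate your web server really serves):
#   17 3 * * * /usr/local/sbin/renew-check.sh /etc/ssl/certs/your-site.pem
main() {
    cert=$1
    not_after=$(cert_not_after "$cert") || exit 1
    today=$(date -u +%Y-%m-%d)
    left=$(days_remaining "$not_after" "$today")
    if needs_renewal "$not_after" "$today" "$RENEW_DAYS"; then
        echo "$cert expires in $left days (< $RENEW_DAYS): running '$RENEW_CMD'"
        $RENEW_CMD
    else
        echo "$cert expires in $left days; nothing to do"
    fi
}

if [ $# -ge 1 ]; then main "$@"; fi
```

Running it daily rather than monthly costs nothing when the window is not reached, and the printed day count lands in cron mail, which is the cheapest expiry alarm a small server can have.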

Removing Greylisting

This is a follow up article to my post on setting up greylisting with postfix and Ubuntu. While I really like the idea behind greylisting, it was resulting in legitimate email not arriving.

Why it wasn’t working

  1. Frustrating delay for any password reset, at least a 300 second (5 minute) delay for legitimate email from a properly configured email server. This was a known issue, but still annoying.
  2. Recently (mid-August 2013) some hotmail servers (impacting at least @hotmail and @sympatico.ca email addresses) were returning bounces to the user instead of properly handling the greylisting. [Specific servers from my logs: snt0-omc1-s8.snt0.hotmail.com, blu0-omc1-s36.blu0.hotmail.com, dub0-omc1-s5.dub0.hotmail.com]
  3. Other individual servers that failed to handle greylisting correctly. One important example would be the Interac email transfer email servers (notify@payments.interac.ca).

The more I looked at the logs, the more legitimate email I found that wasn’t being delivered.

It was also difficult for people to understand. If a friend sends you an email and it is bounced back to them because their sending server doesn’t handle greylisting correctly, and they then send you a follow-up email some 5+ minutes later, that email will come through just fine because it looks like a second attempt to deliver the original email. The broken sending server will then be kept on the auto-whitelist for 30 days or so and greylisting will not be applied.

Any spammer smart or lucky enough to send via my backup mail server would miss the greylisting as that server didn’t use greylisting and email was always accepted from the trusted backup server.

Also, more spam software seems to be retrying now.

Tools. It wasn’t until very recently that I found the postgreyreport script; it is quite useful for generating a report on what was rejected by the greylisting your mail server is using. I’d recommend anyone using greylisting consider using this script to monitor what isn’t being delivered.
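The report worth watching is not the total rejected but which sending servers were greylisted and never came back: those are exactly the senders that bounce instead of retrying, as the hotmail servers above did. The script below is an added example, not the postgreyreport script the post recommends; it parses postgrey’s `action=…, client_name=…` log lines with awk, counts greylist and pass events per sending server, and flags the ones with no pass at all. The sample log is constructed for the example (the hotmail hostnames are the ones named above; the addresses, timestamps and other hostnames are made up).

```shell
#!/bin/sh
# Added example, not the postgreyreport script from the original post.
# Per sending server: how often postgrey greylisted it and how often it
# later passed. Greylisted-but-never-passed servers are where legitimate
# mail goes missing (a sender that bounces rather than retries).
# Assumption: postgrey's "action=..., reason=..., client_name=..." log format.

# Constructed sample log lines (not real traffic).
sample_log() {
    cat <<'EOF'
Aug 14 10:01:22 mail postgrey[2101]: action=greylist, reason=new, client_name=snt0-omc1-s8.snt0.hotmail.com, client_address=192.0.2.10, sender=friend@hotmail.com, recipient=me@lowtek.ca
Aug 14 10:01:30 mail postgrey[2101]: action=greylist, reason=new, client_name=blu0-omc1-s36.blu0.hotmail.com, client_address=192.0.2.11, sender=other@hotmail.com, recipient=me@lowtek.ca
Aug 14 10:09:41 mail postgrey[2101]: action=greylist, reason=new, client_name=mx.example.net, client_address=192.0.2.20, sender=list@example.net, recipient=me@lowtek.ca
Aug 14 10:15:02 mail postgrey[2101]: action=pass, reason=triplet found, client_name=mx.example.net, client_address=192.0.2.20, sender=list@example.net, recipient=me@lowtek.ca
Aug 14 11:30:15 mail postgrey[2101]: action=greylist, reason=new, client_name=snt0-omc1-s8.snt0.hotmail.com, client_address=192.0.2.10, sender=friend@hotmail.com, recipient=me@lowtek.ca
Aug 14 12:00:00 mail postgrey[2101]: action=pass, reason=client whitelist, client_name=backup-mx.example.org, client_address=192.0.2.2, sender=anyone@example.com, recipient=me@lowtek.ca
EOF
}

# Reads log lines from files given as arguments, or stdin.
# Output columns: client_name greylisted passed verdict
greylist_report() {
    awk '
    /postgrey\[/ {
        name = ""; action = ""
        for (i = 1; i <= NF; i++) {
            f = $i; sub(/,$/, "", f)                       # strip trailing comma
            if (f ~ /^action=/)           { action = substr(f, 8) }
            else if (f ~ /^client_name=/) { name = substr(f, 13) }
        }
        if (name == "") next
        seen[name] = 1
        if (action == "greylist")  grey[name]++
        else if (action == "pass") pass[name]++
    }
    END {
        for (n in seen) {
            g = grey[n] + 0; p = pass[n] + 0
            verdict = (g > 0 && p == 0) ? "NEVER-RETRIED" : "ok"
            print n, g, p, verdict
        }
    }' "$@" | sort
}

# Just the hostnames that never retried: the list to check against
# known-legitimate senders (bank notifications, friends on big webmail).
never_retried() {
    greylist_report "$@" | awk '$4 == "NEVER-RETRIED" { print $1 }'
}

# Usage against a real log: ./greyreport.sh /var/log/mail.log
if [ $# -ge 1 ]; then greylist_report "$@"; fi
```

A pass recorded with `reason=client whitelist` (the backup MX line in the sample) counts as a pass here, which is a reminder of the post’s other point: mail relayed through a trusted backup server is never greylisted at all, so nothing in this report can tell you what that path let through.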

I’ll recommend an article I came across while investigating some of these issues. It is supportive of greylisting (which I can’t agree with now) but it does touch on some other techniques. It’s based on OpenBSD / spamd – something not (easily) available on Ubuntu.


Tiny Tiny RSS as alternative to Google Reader

Rich Site Summary (RSS) – also commonly called Really Simple Syndication attracted my attention early on in its rise to popularity. I liked that it gave me a way to keep up to date with a website / blog that posted material without having to visit that site to poll for new updates. Previous to RSS there were tools that alerted you to website updates, allowing you to keep tabs on many sites without the boring manual labour of visiting them all only to find nothing had changed.

Initially I used a stand alone desktop reader, I used several different ones as they evolved and even had a different set of feeds for work and home. Much after the initial launch of Google Reader did I switch to using it as it gave me a consistent experience across multiple machines – but I had to give up the ability to see intranet RSS feeds at work.

Once I had a smart phone, one of the first things I wanted to do was read my feeds on it. Enter NewsRob which provided fantastic support for Google Reader and had rock solid offline support.

It shouldn’t be news to anyone that Google Reader is closing down, so a couple of weeks ago I decided it was time to move to another solution so I could kick the tires before the shutdown. I did look at a couple, but most of the alternatives simply want to have you move over to their free hosted solution. Certainly this is low effort, and probably the destination for most. In my search I came across Tiny Tiny RSS, a self-hosted solution.

Short version of the story: it seems to fit my needs fairly well. The web client is good with some tweaks and the Android story is a bit weak relative to NewsRob (lacking good offline support) but I haven’t tried the official app yet.

If you want the long version – read on, I’ll cover installation and set up.