Totally normal systemd behaviour – do not read

Systemd is great software for not working properly outside of debian defaults overwriting my good config systemd thing with broken systemd software and units.

postmulti -p status


postfix/postfix-script: the Postfix mail system is not running
postfix-1u/postfix-script: the Postfix mail system is running: PID: 6059
postfix-2m/postfix-script: the Postfix mail system is running: PID: 6167
postfix-2u/postfix-script: the Postfix mail system is running: PID: 6273
postfix-4m/postfix-script: the Postfix mail system is running: PID: 6355

My latest boot issue is that our first zoo postfix instance won't load, even with postmulti (my blog); oh, the systemd script (my blog) stopped working months ago. – let's try manually, shall we, as journalctl likes to keep secrets.

postfix -c /etc/postfix start
fatal: mail system startup failed

Due to?

postfix/master[5223]: fatal: open lock file /var/lib/postfix/master.lock: unable to set exclusive lock: Resource temporarily unavailable

Something systemd is supposed to look after, not me – however it might already be up, as it thinks port 25 on that interface is working.  It has been months since i altered postfix settings.
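What that lock error actually means, as an added example (not postfix code and not the zoo's config): postfix master keeps its own lock on /var/lib/postfix/master.lock with its own locking routine; here a temporary file and fcntl.flock() stand in for both. flock() treats every separate open() of a file as an independent lock holder, so a second descriptor in one process sees exactly what a second master process sees: the lock is taken, the non-blocking attempt fails with EAGAIN/EWOULDBLOCK, and strerror() renders that as "Resource temporarily unavailable". The symptom is another holder, not permissions.

```python
"""Reproduce the master.lock symptom: EAGAIN from a non-blocking exclusive lock.

Added example, not postfix code. A temp file stands in for
/var/lib/postfix/master.lock and fcntl.flock() for postfix's locking routine.
"""
import errno
import fcntl
import os
import tempfile


def probe_lock(path):
    """Try a non-blocking exclusive lock on path.

    Returns "free" if we could take (and immediately release) the lock,
    "held" if some other descriptor already holds it; other errors propagate.
    """
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError as exc:
        # EAGAIN == EWOULDBLOCK on Linux: "Resource temporarily unavailable"
        if exc.errno in (errno.EAGAIN, errno.EWOULDBLOCK):
            return "held"
        raise
    else:
        fcntl.flock(fd, fcntl.LOCK_UN)
        return "free"
    finally:
        os.close(fd)


def demo():
    """Hold the lock like a running master, probe, release, probe again."""
    with tempfile.TemporaryDirectory() as tmp:
        lock_path = os.path.join(tmp, "master.lock")
        master = os.open(lock_path, os.O_RDWR | os.O_CREAT, 0o600)
        fcntl.flock(master, fcntl.LOCK_EX)     # the "running master" owns the lock
        while_held = probe_lock(lock_path)     # "held": what the second start runs into
        os.close(master)                       # closing the last descriptor drops the flock
        after_release = probe_lock(lock_path)  # "free"
    return while_held, after_release


if __name__ == "__main__":
    print("while a master holds it: %s, after it exits: %s" % demo())
```

On a real box the equivalent check is `fuser /var/lib/postfix/master.lock` (or the `postmulti -p status` output above), which names the master that already owns the lock before you try to start another one.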

If that is what debian 9 thinks is good then god help us all – and i am an atheist.

I wonder what debian will fuck up for me next?

column in linux scripting

looks like: 1 US,104.168.171.191    1 US,24.177.51.11

Which is two lines of a file and saved me and the zoo a huge amount of time compared to using awk, which i love but which can be a bit nasty to tame depending on complexity.  While my output format is not great, it does work: it extracts the values from some odd log formats and gives the zoo what it wants in a more space-saving format.

It also keeps the columns aligned when one row has <x> and another has <xx>.

It is still great to find stuff in linux you had all along but decided you did not need, until one day you do.

debian 9.5 in the wild and the broken virus scanner

UNCHECKED was the magic word that amavis (my blog) added to emails going through it after the upgrade.  Various suggested fixes to amavis in 50-user did nothing, and so i delved into clamd, the zoo's scanner.

It could not share a socket in /var/run; adjusting that config file also did no good, so after an afternoon of fun restarting things i disabled the virus scanner in amavis, which does not see a lot of action anyhow.

amavis[*]: (07127-01) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (All attempts (1) failed connecting to /var/run/clamav/clamd.ctl) at (eval 98) line 613.\n

my groups already have clamd and amavis as members of both, so that was not the fault.  I even removed a yara (my blog) file that the 9.5 version of clamd did not like all of a sudden.

Carol Beer from Little Britain says computer said no

It did work in its own user/group but not anymore.  Since it is a low priority, and bad files are banned by the mta from email as well (a duplication), i bet nobody will notice it is gone until it gets fixed.  Not my issue it seems, but perhaps some artefact of AllowSupplementaryGroups not getting reflected elsewhere.

My print server config got wiped away (dbus/systemd shenanigans?) but i managed to get a kind of print server working for monday, and that is a tale for another day, as hplip might need an upgrade via a compile and that seems to be not important software in the grand scheme of now.

Overall, apart from the whole server room rebooting itself early in the morning, debian 9.5 seems a bit problematical if you use it as a server rather than a ‘basic’ workstation.

I would have installed it at some point anyhow, and i would rather not have done this on a monday morning.

So not sure if this is something i can fix.  More fun that way.

Exim gets a second chance

tube recycle those 1’s and 0’s

Exim was something the zoo thought of using before settling on what is now in production here at the zoo, but our default mail server seemed heavy weather on a basic host.

So i configured exim, which was a new experience for me, without the gay russian spies at cambridge* (my blog) to help.

I found acls tricky, in that

10.0.0.4 : 127.0.0.1

did not work – but

x.x.x.4:127.0.0.1

did.

It is a bit whiny, and update-exim4.conf.conf on debian is not the most obvious file to file the settings in.  Not that i expect to edit it often.

I still prefer my first choice for smtp.

*Fuck me, comrade

rpz secret society woes in bind on debian

Sisyphus is still a role model

So i wanted a dns firewall (my blog); i did not want to pay for or use a blocklist nameserver, so it was time to do it yourself.  So our dns nameserver got upgraded eventually and i had a go.

rpz’s supposedly make this easy, with all bad sites in one file as opposed to the many files per site.tld [one per zone in rbldns, and slow] – although rpz usage is hard to track down.   My first attempt was met with

ignoring out-of-zone data (citricbenz.website)

Apparently it should be made with

citricbenz.website. in cname .

Citricbenz was a zeus trojan server* when i wrote this, still might be, and is the only entry in my zone.

However it doesn't work until you assign a policy, and they have bizarre syntax.  Something kind of does and does not work:

changed from 2 to 1 qname, 0 to 0 nsdname, 0 to 0 IP, 0 to 0 NSIP, 0 to 0 CLIENTIP entries

So something is working.

The next day was interesting, as i used the chrome browser, which passed along my attempts to access the named example – i had to assure cbl that i was not zeus infected, as i use cbl on the zoo's website (my blog).  Moral of the tale: do not use google software things to try out security stuff.

Having fixed that issue on our internal router i had a bit more luck and got a working rpz zone by blocking yahoo.com, as that's safer to test with; my attempts to display a redirected website message ended in failure, although nxdomain works.

I still seem to be resolving the real ip rather than the lookup going to the zone i created, which means i am close, and i achieved interception of the request with

zone "internal.zoo" policy passthru;
zone "rpz.zoo" policy cname compromised.zoo;

the cname compromised.zoo redirects the bad site request ** to compromised.zoo – .zoo being our domain name/tld and compromised being the zone name.  It tells a user that something is wrong.

Logging is important here.

Order matters here [precedence]: the passthru is first, and the more restrictive.  Note the lack of semicolons and quoted statements, which feels a bit odd when option { x; y; z }; is the normal syntax bind knows and parses and most of us expect.

Your web browser is faster than our dns rpz and has the same data.

So a race condition can develop.  If you have infected things the rpz will do more than just the blocklist your browser uses, although the log will record the rpz hit.

client internal.zoo.lan#16983 (windrushvalleyjoinery.co.uk): rpz QNAME DROP rewrite windrushvalleyjoinery.co.uk via windrushvalleyjoinery.co.uk.malware.zoo
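How bind decides which zone wins and why the order of the two zone statements above matters, as an added example (not bind's code and not the zoo's config). It models the QNAME-trigger rules: zones are consulted in the order listed and the first zone with a matching trigger decides; a zone-level policy in named.conf overrides whatever action the record itself encodes; in zone data a CNAME to "." means NXDOMAIN, "*." means NODATA, "rpz-passthru." means passthru, "rpz-drop." means drop and any other target is a redirect; and a plain "name" record only matches that exact name, so catching hosts below it needs a "*.name" record too. The zone names and policies are the ones above; the domains and record contents are constructed.

```python
"""Model of how BIND walks response-policy zones for QNAME triggers.

Added example, not BIND code. Zone data below is constructed.
"""


class PolicyZone:
    """One response-policy zone: owner names (relative to the zone) -> CNAME target."""

    def __init__(self, name, records, policy="given"):
        self.name = name
        self.records = {k.lower(): v for k, v in records.items()}
        # zone-level override: "given", "passthru", "nxdomain", "nodata", "drop", "cname <name>"
        self.policy = policy

    def trigger_for(self, qname):
        """Return the owner name that triggers for qname, or None.

        A QNAME trigger is an exact match, or a wildcard "*.parent" that
        matches names strictly below parent. "yahoo.com" alone does not
        catch "mail.yahoo.com"; that needs "*.yahoo.com" as well.
        """
        if qname in self.records:
            return qname
        labels = qname.split(".")
        for i in range(1, len(labels)):
            wildcard = "*." + ".".join(labels[i:])
            if wildcard in self.records:
                return wildcard
        return None


def action_from_target(target):
    """Decode the special CNAME targets RPZ uses to encode actions."""
    special = {".": "NXDOMAIN", "*.": "NODATA",
               "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP",
               "rpz-tcp-only.": "TCP-ONLY"}
    return special.get(target, "CNAME " + target.rstrip("."))


def apply_policy(zone, target):
    """The zone-level policy in named.conf wins over the record's own action."""
    if zone.policy == "given":
        return action_from_target(target)
    if zone.policy.startswith("cname "):
        return "CNAME " + zone.policy.split(None, 1)[1].rstrip(".")
    return zone.policy.upper()


def evaluate(qname, zones):
    """Walk zones in order; the first zone with a trigger wins. Returns (action, log_line)."""
    qname = qname.rstrip(".").lower()
    for zone in zones:
        owner = zone.trigger_for(qname)
        if owner is None:
            continue
        action = apply_policy(zone, zone.records[owner])
        # same shape as named's "rpz QNAME <ACTION> rewrite <qname> via <owner>.<zone>"
        log = "rpz QNAME %s rewrite %s via %s.%s" % (action.split()[0], qname, owner, zone.name)
        return action, log
    return "ALLOW", None


def build_zones():
    """Constructed zone data: the internal names first, then the blocklist."""
    internal = PolicyZone("internal.zoo",
                          {"intranet.zoo.lan": "rpz-passthru."},
                          policy="passthru")
    blocklist = PolicyZone("rpz.zoo",
                           {"yahoo.com": ".",       # the exact name
                            "*.yahoo.com": ".",     # and everything below it
                            "bad.example": ".",     # exact only: www.bad.example slips through
                            "*.zoo.lan": "."},      # a blocklist entry that overlaps our lan
                           policy="cname compromised.zoo")
    return internal, blocklist


def demo():
    """Map a few names to the action the configured order produces."""
    zones = list(build_zones())
    names = ["yahoo.com", "mail.yahoo.com", "intranet.zoo.lan",
             "bad.example", "www.bad.example", "example.com"]
    return {n: evaluate(n, zones)[0] for n in names}


if __name__ == "__main__":
    for name, action in demo().items():
        print("%-20s %s" % (name, action))
```

Swapping the two zones in the list turns intranet.zoo.lan into a redirect to compromised.zoo, because the blocklist's *.zoo.lan entry is then consulted first; that is the precedence the named.conf order is buying you, and the log line the model emits is the one to grep for when a name you expected to be rewritten is not.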

This stuff is quite hard to figure out.

As to whose fault this is: after all, the zoo clearly should be paying some security firm for this, according to the three and a half dns professionals on the internet who guard this knowledge like a secret, or it is out of date.

Stats are interesting; bind reported

[malware.zoo]
                   7 response policy zone rewrites

So not informative – that seems a good place to end.

I might do a further post on how i make zones, but being honest the zoo appears to be immune from visiting dodgy sites, as the browser stops it first, and so while the zones exist they do not trigger for lack of a match.

weird shit with a cyrus imap server

One of the zoo’s imap servers decided to play dead when the other three were perfectly happy on the same box.  Having recently done a debian upgrade it was my job to fix it.   However i cascaded one fault to another store, which was not my fault, as i was using bad software that i thought was good from ten years ago.

Having spent a fun couple of days trying to fix the thing i found that it is best not to use the gyrus admin gui, as it fucks up acls and cyrus users.  So good to know, and DO NOT USE GYRUS – use cyradm instead.

In the end i restored the instance from backup after getting some stuff to work; most of it did not, and cyrus imap is not the most verbose thing: with one debug setting in /etc/default/cyrus-imap you're on your own.

Something went bad, but with three other stores working away it was still a non-easy diagnosis, and what it was is something cyrus imap kept mum on.  It was good to know that gyrus admin does more harm than good these days, and the permissions to our imap stores are horrible compared to modern imap.  However, since it has been over ten years since i started with cyrus imap and you can knock off seven days for downtime, those being upgrades, cyrus imap is generally good software.

I had a sort of mostly working fixed message store thing, but many messages and folders were not showing up, and as the zoo damn well insists on getting it all back i opted for the backup as the easier fix.

Email was flowing in but the store was not accepting it.

I still had to delete the sockets and reconstruct the data with [/usr/lib/cyrus/bin/reconstruct -C /etc/cyrus/zoo1.conf], but the data is mostly there as requested.

modsecurity on debian

Modsecurity left me confused – i thought i had the basic rules, but had the extended crs rules as well, and so it did not need configuring.  The Debian (my blog) wiki keeps mum on the subject as well.

I know it's working, although its reporting via ruby and upgrades via python make it a multidisciplinary tool.

From what i read outside of Debian it seems to work with our stuff, so it remains on.  Mystery software that sounds like a future problem for me to disable.

Its log messages are also hard to grep and awk.

I guess i shall be writing about mod-security rules at some point in the future…

some Debian 9.4 fun

with debian 9.4 postfix (my blog) started working once again, and opendmarc (my blog) had a funny five minutes when the pidfile in the systemd config mismatched the one in opendmarc.conf.  I also needed dpkg --configure -a when apt decided stuff was still wrong with opendmarc.

Who was right is a debate, but i have not changed stuff; i am still of the opinion that systemd sucks.

Opendmarc logging for reports also seems broken; as to why, i will have to look at it, but it was working and then it was not.

I lost cups printers on a separate 686 Debian kernel, but the rest of the zoo's printers on i386 work, so not a terrible headache.

Overall forwards, and a bit backwards too.