
Archive for March, 2007

Disabling SSLv2 in Dovecot is relatively easy:

ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

# openssl ciphers -v 'ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM'
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
KRB5-DES-CBC3-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5
KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DHE-DSS-RC4-SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1
KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
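As an added check (example code, not from the original post), this Python script parses `openssl ciphers -v` output in the format shown above and flags the suites the cipher string is meant to drop (SSLv2, EXP, LOW, ADH), plus RC4 and MD5 which are treated as weak today; the sample output is constructed.

```python
import re

# Constructed sample of `openssl ciphers -v` output in the format shown above;
# the last two lines are suites the page's cipher string is meant to exclude.
SAMPLE_CIPHERS_V = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

# One suite per line: name, protocol, Kx=, Au=, Enc=, Mac=, optional "export" flag.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$")


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` output into one dict per cipher suite."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            suite = m.groupdict()
            suite["export"] = suite["export"] is not None
            suites.append(suite)
    return suites


def weak_reasons(suite):
    """Why a suite should not be offered: the SSLv2/EXP/LOW/ADH classes the
    cipher string excludes, plus RC4 and MD5, which are considered weak today."""
    reasons = []
    if suite["proto"] == "SSLv2":
        reasons.append("SSLv2 protocol")
    if suite["export"]:
        reasons.append("export-grade (EXP) suite")
    if suite["enc"].startswith(("DES(", "RC4(")):
        reasons.append("weak cipher " + suite["enc"])
    if suite["mac"] == "MD5":
        reasons.append("MD5 MAC")
    if suite["au"] == "None":
        reasons.append("anonymous (ADH) key exchange")
    return reasons


def audit_cipher_list(text):
    """Map every suite name to its reasons; an empty list means acceptable."""
    return {s["name"]: weak_reasons(s) for s in parse_ciphers_v(text)}
```

Pipe the real output in with `openssl ciphers -v 'ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM' | python3 -c 'import sys; ...'` and anything with a non-empty list is a suite the policy let through.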


This is one of Exim’s more cryptic errors:

Mar 29 11:22:52 114075-web1 postfix/smtp[20589]: 9E0142FC589: to=, relay=somehost.com[11.11.11.11], delay=147966, status=deferred (host somehost.com[11.11.11.11] said: 451 Could not complete sender verify callout (in reply to RCPT TO command))

When you send e-mail to an Exim server with a sender verify callout enabled, the Exim server will connect back into your server and verify that your server accepts mail for the sender’s e-mail address. For example, if you send e-mail from orders@somehost.com, the Exim server will connect back into your server and do this:

HELO someotherhost.com
250 somehost.com
MAIL FROM: test@someotherhost.com
250 2.1.0 Ok
RCPT TO: orders@somehost.com
250 2.1.5 Ok

Exim requires a 250 success code at each step before it will accept the message. Some situations that cause this process to fail are:

  • Port 25 is blocked inbound on the sender’s server
  • Something else is filtering port 25 inbound on the sender’s server
  • The sender’s server uses blacklists which delay the responses to Exim’s commands
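The callout dialogue above, run end to end as an added example (not Exim's or Postfix's code): a small verifying client talks to a constructed stub of the sender's mail server over a socketpair, so it runs offline; the stub can accept, reject, or never answer the RCPT, which is the stalled-server case the list above describes.

```python
import socket
import threading

# Constructed stand-in for the sender's mail server (hypothetical helper, not Exim or
# Postfix). rcpt_reply=None models a server that never answers RCPT, as happens
# when a blacklist lookup stalls it or port 25 is filtered.
def stub_sender_mx(conn, rcpt_reply):
    replies = {b"HELO": b"250 somehost.com\r\n", b"MAIL": b"250 2.1.0 Ok\r\n",
               b"RCPT": rcpt_reply, b"QUIT": b"221 2.0.0 Bye\r\n"}
    conn.sendall(b"220 somehost.com ESMTP\r\n")
    reader = conn.makefile("rb")
    for line in reader:
        verb = line.strip().split(b" ", 1)[0].split(b":", 1)[0].upper()
        reply = replies.get(verb, b"500 5.5.1 Command unrecognized\r\n")
        if reply is not None:
            conn.sendall(reply)
        if verb == b"QUIT":
            break
    conn.close()

def sender_verify_callout(sock, helo_name, sender, timeout=1.0):
    """The verifying side of the dialogue shown above: every step must get a 2xx
    reply, otherwise the sender is unverified. Returns (verified, last_reply)."""
    sock.settimeout(timeout)
    reader = sock.makefile("rb")
    try:
        for cmd in (None, f"HELO {helo_name}", "MAIL FROM:<test@someotherhost.com>",
                    f"RCPT TO:<{sender}>"):
            if cmd is not None:
                sock.sendall(cmd.encode() + b"\r\n")
            last = reader.readline().decode(errors="replace").strip()
            if not last.startswith("2"):
                return False, last    # a 4xx here is what Exim reports as a deferral
        sock.sendall(b"QUIT\r\n")
        reader.readline()             # consume the 221 so the stub can close cleanly
        return True, last
    except socket.timeout:
        return False, "timeout"       # no reply at all: filtered port or stalled MX

def run_callout(rcpt_reply, timeout=1.0):
    """Connect both sides over a socketpair (no network needed) and run one callout."""
    verifier, sender_mx = socket.socketpair()
    server = threading.Thread(target=stub_sender_mx, args=(sender_mx, rcpt_reply))
    server.start()
    try:
        return sender_verify_callout(verifier, "someotherhost.com",
                                     "orders@somehost.com", timeout)
    finally:
        verifier.close()
        server.join()
```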


If you need to change the hostname that Sendmail announces itself as, just add the following to sendmail.mc:

define(`confDOMAIN_NAME', `mail.yourdomain.com')dnl

And, to change the banner text that follows the hostname in the SMTP greeting:

define(`confSMTP_LOGIN_MSG',`mailer ready')dnl


If you find that the time zones are hopping around in your syslog output, there is an open bug with Red Hat about it and the fixed release is still pending.


If you have too many files for a single rm to take on its command line (“Argument list too long”), try this trick. The null-separated form is used so file names containing spaces or newlines are passed through intact, and -type f keeps directories out of the list:

find . -type f -print0 | xargs -0 rm -v


If you’ve forgotten the root password for a MySQL server, but you know the system root, you can reset the MySQL root password pretty easily. Just remember to work quickly since the server is wide open until you finish working.

First, add skip-grant-tables to the [mysqld] section of /etc/my.cnf and restart the MySQL server.

Next, run mysql from the command line and use the following SQL statement:

UPDATE mysql.user SET Password=PASSWORD('newpwd') WHERE User='root';
FLUSH PRIVILEGES;

Remove the skip-grant-tables from /etc/my.cnf and leave the server running. There’s no need to restart it.


You may find that some sites do not work well if you omit a trailing slash on the URL. For example, if you have a directory on domain.com called “news”, the following two URLs should take you to the same place:

http://domain.com/news
http://domain.com/news/

If you find that they do not take you to the same place, be sure that the mod_dir (Apache 1 or Apache 2) module is being loaded in Apache. If that module is being loaded, and you’re still having problems, make sure mod_rewrite is loaded as well.

If none of that works, make sure that there is no ErrorDocument 301 or ErrorDocument 302. Should either of those exist, promptly slap the developer/sysadmin that enabled those options. Apache will do a 301 redirect when the trailing slash is missing so that the user will be directed to the correct location, and if there is an ErrorDocument 301, this error document will always be presented rather than the proper redirection to the directory on your site.


Oftentimes, the wonderful webmail application known as Horde will spin out of control, cause unnecessary resource usage, and often leave defunct Apache processes behind. You may wonder how this can happen, especially if you set the max_execution_time variable in php.ini. Well, the Horde developers took it upon themselves to overwrite your setting from their own configuration file in /usr/share/psa-horde/config/conf.xml:

<configinteger name="max_exec_time" desc="If we need to perform a long operation, what should we set max_execution_time to (in seconds)? 0 means no limit; however, a value of 0 will cause a warning if you are running in safe mode. See http://www.php.net/manual/function.set-time-limit.php for more information.">0</configinteger>

It’s set to forever by default in Horde. However, if you do turn on safe_mode, Horde will have some problems setting its time limit variable. You can change the zero to something more reasonable, such as 30 or 60 by editing the conf.xml and reloading Apache.


First, you have to get the certificate and key out of Windows in a pfx (PKCS #12) format.

  • Click Start, Run, then type “mmc” and hit enter.
  • In the leftmost menu, choose “Add/Remove Snap In”.
  • Click “Add”, then click “Certificates”, then OK.
  • When the wizard starts, choose “Computer Account”, “Local Computer” and finish out the wizard.
  • Once you’re finished, get back to the MMC and expand the “Certificates” node, then the “Personal” node.
  • Click on the “Certificates” node under “Personal” and find your certificate in the right pane.
  • Right click on the certificate and choose “All Tasks”, then “Export”.
  • When the wizard starts, choose “Yes” for exporting the private key, then select ONLY “Strong Private Key Protection” from the PFX section. You will also need to set a password and specify a location for the PFX file.
  • Once the PFX file has been saved, close out the MMC (don’t save the snap-in if it asks).
  • Get the PFX over to the Linux server somehow.

Once the PFX makes it over to the Linux server, you have to decrypt the PFX into a plaintext PEM file (PFX’s are binary files, and can’t be viewed in a text editor):

openssl pkcs12 -in file.pfx -out file.pem

You will be asked for the password for the PFX (which is the one you set in the Windows wizard). Once you enter that, you will be asked for a new password. This new password is used to encrypt the private key. You cannot proceed until you enter a password that is 4 characters or longer. REMEMBER this password!

When this step is complete, you should have a PEM file that you can read in a text editor. Open the file in a text editor and copy the private key and certificate to different files. Remember to keep the dashed lines intact when you copy the certificates - this is important. There is some additional text above the key, and also between the key and certificate - this text should be ignored and should not be included in the certificate and key files.
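The copy-and-paste step above, done programmatically as an added example (not part of the original post): the script pulls the PEM blocks out of an `openssl pkcs12 -out` bundle, drops the Bag Attributes and subject/issuer text between them, and writes the key file with mode 0600. The sample bundle is constructed and its base64 bodies are placeholders.

```python
import os
import re

# Constructed sample of an `openssl pkcs12 -in file.pfx -out file.pem` bundle; the
# base64 bodies are placeholders, not real key or certificate material.
SAMPLE_BUNDLE = """\
Bag Attributes
    localKeyID: 01 00 00 00
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBAgEAPLACEHOLDERKEYBODY
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
subject=/CN=www.example.com
issuer=/CN=Example CA
-----BEGIN CERTIFICATE-----
MIIBAgPLACEHOLDERCERTBODY
-----END CERTIFICATE-----
"""

# A PEM block is everything from its BEGIN line to the matching END line, inclusive.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n.*?\r?\n-----END (?P=label)-----", re.S)

def split_pem_bundle(text):
    """Return {'key': [...], 'cert': [...]}; the text between the blocks
    (Bag Attributes, subject, issuer) is dropped, as the post says it must be."""
    parts = {"key": [], "cert": []}
    for m in PEM_BLOCK_RE.finditer(text):
        label = m.group("label")
        if label.endswith("PRIVATE KEY"):          # RSA or ENCRYPTED PRIVATE KEY
            parts["key"].append(m.group(0) + "\n")
        elif label == "CERTIFICATE":
            parts["cert"].append(m.group(0) + "\n")
    return parts

def write_key_and_cert(text, key_path, cert_path):
    """Write the single private key and every certificate to separate files;
    the key file is created 0600 because it is still the server's secret."""
    parts = split_pem_bundle(text)
    if len(parts["key"]) != 1 or not parts["cert"]:
        raise ValueError(f"expected one key and >=1 certificate, got "
                         f"{len(parts['key'])} key(s), {len(parts['cert'])} cert(s)")
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(parts["key"][0])
    with open(cert_path, "w") as f:
        f.write("".join(parts["cert"]))      # leaf first, any chain certs after it
    return parts
```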

Now that you have the key and certificate separated, you need to decrypt the private key (or face the wrath of Apache every time you restart the server). You can decrypt the private key like this:

openssl rsa -in file.key -out file.key

Yes, provide the same file name twice and it will decrypt the key onto itself, keeping everything in one file. OpenSSL will ask for a password to decrypt the key, and this is the password you set when you decrypted the PFX. If you forgot the password, you will need to start over from when you brought it over from the Windows box.

After this entire process, you will have four files, a PFX, PEM, KEY, and CRT. Throw away the PFX and PEM, and you can use the key and certificate files to install into Apache. In case you forget the syntax, here’s what goes in the Apache configuration:

SSLEngine On
SSLCertificateFile /path/to/your/certificate
SSLCertificateKeyFile /path/to/your/privatekey


If you can’t use PHP to force HTTPS, you can use mod_rewrite instead. Toss this in an .htaccess file in the web root of your site:

RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://www.domain.com/$1 [R,L]

Or, if it needs to be forced only for a certain folder (the captured path already includes the folder name when the .htaccess lives in the web root, so it is not repeated in the target):

RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteCond %{REQUEST_URI} ^/somefolder
RewriteRule ^(.*)$ https://www.domain.com/$1 [R,L]
