Lavabit SPF Record for Custom Domains

I have been using Lavabit for email for quite a while now. I love the simplicity, it works well, and it feels like an old school email provider from before everything moved towards the cloud. When I set up my account I was able to assign a custom domain name for an alias. I figured that this way I can switch email providers without updating accounts everywhere.

Recently, I noticed that some of my mail has been ending up in spam. It was the worst when sending to Gmail users. I assume Gmail may have started to assign a higher priority to correct SPF records, which is causing my emails to hit spam.

I have set up SPF and DKIM records for other businesses over my career, and in this case I just forgot to do it.

The best way to check your own email is to view the headers on a sent email. The headers will show how the message traveled across the internet and whether it passed SPF.

This is a fraction of what Google will show in the headers.

The only way to resolve this is by adding an SPF record with your domain provider. I personally use Namecheap and the screenshot below shows the TXT record that I added to my account. I set the SPF policy to Strict (-all), however Soft Fail (~all) might be a better place to start.

v=spf1 include:lavabit.com -all

After making this change, Google started to mark my SPF as Passed.
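As an added example (not part of the original post), here is a minimal SPF evaluator in Python that walks a record like the one above and shows how the choice between -all and ~all changes the verdict for a sender that is not listed. The zone data, domain names and IP addresses are constructed placeholders, not Lavabit's real records.

```python
import ipaddress

# Constructed DNS zone data (not real Lavabit records): the custom domain
# delegates to lavabit.com via include:, and lavabit.com lists its outbound
# relays with ip4: mechanisms. 192.0.2.0/24 etc. are documentation ranges.
DNS_TXT = {
    "example.com": "v=spf1 include:lavabit.com -all",   # strict, as in the post
    "example.net": "v=spf1 include:lavabit.com ~all",   # soft-fail variant
    "lavabit.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return the SPF result ("pass", "fail", "softfail", "neutral", "none",
    "permerror") for sender_ip sending mail as domain."""
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = DNS_TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"                 # a mechanism with no qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            # an IPv6 sender never matches an ip4: network
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include: matches only when the included record yields "pass";
            # a full checker returns permerror if that domain has no record
            matched = check_spf(value, sender_ip, depth + 1) == "pass"
        else:
            continue                    # a, mx, exists, redirect= etc. not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no "all" present
```

With the strict record an unlisted relay gets "fail" (most receivers reject or junk it); with ~all the same relay gets "softfail", which is why starting with ~all is the safer first step.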

There are many resources out there for configuring your own domain. While this example is specific to Lavabit, it will apply anywhere. I might suggest starting with MXToolBox and their generator or checking with your email provider.

HP iLO Amplifier Pack – Undocumented Accounts

Alright, so I am finally getting around to posting this…

While digging around in the Amplifier Pack, I noticed a couple of undocumented accounts. Root and summercuryuser do not appear to be disabled and I could not find them listed in the documentation.

Cisco has been getting called out and removing backdoor accounts from different software offerings for quite some time. It is a little hard to tell what the purpose of these accounts is within the Amplifier Pack.

I updated /etc/shadow and replaced the values, for root, in the wolfram config file at /opt/wolfram/cfg/userInfoAllConfig.json with a known hash value. After rebooting the machine, the hash values were reverted. This was not the case when I was originally poking around version 1.30. With the older version, I was able to log in and get dumped into the wcli. HP seems to be doing more to protect these accounts.

I suppose you could disassemble the software and see if there are any other undocumented commands while using these accounts. However, that certainly is not my strong point.

As a side note, in March 2019 I sent a check for $10 to HP requesting the source code under the GPL. Almost a year later, I have not heard back.

Honestly, I still think the Amplifier Pack is a great value add to an organization using HP servers. I love that it ships on Debian instead of Ubuntu.

They started shipping open-vm-tools with the OVA!

I personally would like to see the summercuryuser account documented, disabled, or removed from the software. It would also be great if HP made it easier to retrieve the source code under the GPL.

This post was originally drafted using release 1.30 and finished with release 1.55.

Enable WPA3 on OpenWrt 19.07

The latest release of OpenWrt will be fully available on January 12th, 2020. They started the final builds on the fifth. I upgraded one of my Meraki APs with the release candidate earlier because I am excited for WPA3. I just started updating the rest of my APs and wanted to share the process I used to enable WPA3.

The documentation I saw tells you to install wpad-openssl for WPA3 support. I found it to be slightly more complicated than that. I saw the error below and I imagine others might too…

root@OpenWrt:~# opkg install wpad-openssl
Installing wpad-openssl (2019-08-08-ca8c2bd2-1) to root...
Collected errors:
 * check_conflicts_for: The following packages conflict with wpad-openssl:
 * check_conflicts_for:   wpad-basic * 
 * opkg_install_cmd: Cannot install package wpad-openssl.

I found the following command worked well for me.

root@OpenWrt:~# opkg update 
root@OpenWrt:~# opkg --force-depends --force-maintainer --force-overwrite install hostapd-openssl wpa-supplicant-openssl wpad-openssl 

After a reboot I was able to enable WPA3 within the LuCI interface.

It doesn’t look like Debian Buster or Fedora 31 support WPA3 yet, but my Android phone is connected.

RHEL7 Software Collections – Migrate from PHP 7.1.X to 7.2.X

We needed to migrate our Drupal servers to a newer version of PHP. Red Hat Software Collections is a little odd, but provides newer software and allows administrators to run multiple versions of PHP side by side.

Software Collections is replaced by Application Streams in RHEL8. I basically wanted to quickly document the commands. If you are following this, please make sure you understand what each command does before running it in production.

sudo yum install rh-php72-runtime rh-php72-php-cli rh-php72-php-pear rh-php72 rh-php72-php-fpm rh-php72-php-zip rh-php72-php-process rh-php72-php-gd rh-php72-php-mbstring rh-php72-php rh-php72-php-common rh-php72-php-pdo rh-php72-php-devel rh-php72-php-ldap rh-php72-php-json rh-php72-php-xml rh-php72-php-mysqlnd

sudo sed -i 's/rh-php71/rh-php72/g' /etc/profile.d/enablephp7.sh

cat /etc/profile.d/enablephp7.sh

#!/bin/bash
source scl_source enable rh-php72

sudo ln -s /opt/rh/rh-php72/root/usr/bin/php /usr/bin/php

We double the memory limit.

sudo sed -i 's/128M/256M/g' /etc/opt/rh/rh-php72/php.ini

sudo pecl install oci8

echo 'extension=oci8.so' | sudo tee -a /etc/opt/rh/rh-php72/php.d/oci8.ini

We also wanted to remove an old newrelic client that was used for monitoring.

sudo rpm -qa | grep newrelic | xargs sudo yum remove -y

sudo rpm -qa | grep php71 | xargs sudo yum remove -y

Finishing up and making sure everything looks good.

sudo systemctl restart httpd24-httpd

sudo systemctl status httpd24-httpd

FreeRADIUS Post Authentication

I recently performed a migration from NPS on Server 2008 over to Red Hat Linux running FreeRADIUS. We mostly use this for Cisco device authentication, but it could easily be extended to WiFi or other application needs.

LDAP authentication against Active Directory is pretty well documented so I won’t go into that unless there is an interest. However, I did want to talk about post-auth.

I found a basic example at Flaz.net where the author uses LDAP groups to update the cisco-avpair reply. I personally had trouble finding good documentation on more advanced post-auth options.

The example below shows some of the more advanced options I was able to come up with after a bit of trial and error.

post-auth {
### Cisco Auth ###
  if (client-shortname == "office" && User-Name == "bliss") {
    update reply {
      cisco-avpair = "clientusername-test"
    }
  }
  elsif (client-shortname == "office") {
    update reply {
      cisco-avpair = "client-test"
    }
  }
  elsif (User-Name == "bliss") {
    update reply {
      cisco-avpair = "username-test"
    }
  }
  elsif (LDAP-Group == "admins") {
    update reply {
      cisco-avpair = "shell:priv-lvl=15",
    }
  }
  elsif (LDAP-Group == "ops") {
    update reply {
      cisco-avpair = "shell:priv-lvl=1",
    }
  }
  else {
    reject
  }
}

Since this code uses if statements it will run from top to bottom and accept the first match.

In the first option I strung together “client-shortname”, which is set up in clients.conf, with my username to send back clientusername-test.

The additional elsif statements are just an example of ordering importance.

Radtest is the best tool for making sure the proper responses are coming back.

Cisco Prime authentication requires sending additional cisco-avpair attributes. The example below is what I was able to get working for me.

post-auth {
### Cisco Auth ###
  if (LDAP-Group == "network") {
    reply_log
    update reply {
      cisco-avpair = "shell:priv-lvl=15",
      cisco-avpair += "NCS:role0=Admin",
      cisco-avpair += "NCS:virtual-domain0=ROOT-DOMAIN"
    }
  }
  elsif (LDAP-Group == "support") {
    reply_log
    update reply {
      cisco-avpair = "NCS:role0=User Defined 1",
      cisco-avpair += "NCS:virtual-domain0=ROOT-DOMAIN"
    }
  }
  elsif (LDAP-Group == "security") {
    reply_log
    update reply {
      cisco-avpair = "NCS:role0=User Defined 2",
      cisco-avpair += "NCS:virtual-domain0=ROOT-DOMAIN"
    }
  }
  else {
    reject
  }
}

The only trick here was properly formatting everything. Authentication against Prime did not work when I tried to send role0 and virtual-domain0 inside the same attribute.
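To make the formatting point concrete, here is an added Python example (not from the post and not FreeRADIUS code) that builds and parses the Access-Accept the "network" branch above produces: each `+=` line becomes its own Vendor-Specific attribute on the wire (vendor 9, vendor-type 1, i.e. cisco-avpair), which is the shape Prime expects rather than one attribute holding both values. The request authenticator and shared secret are constructed placeholders.

```python
import hashlib
import struct

CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # Cisco vendor-type for cisco-avpair
ATTR_VENDOR_SPECIFIC = 26     # RFC 2865 section 5.26
CODE_ACCESS_ACCEPT = 2


def vsa_cisco_avpair(text):
    """Encode one cisco-avpair string as a RADIUS Vendor-Specific attribute."""
    data = text.encode()
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return (struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, len(vendor_part) + 6, CISCO_VENDOR_ID)
            + vendor_part)


def build_access_accept(ident, request_auth, secret, avpairs):
    """Build an Access-Accept with one VSA per avpair and a valid Response Authenticator."""
    attrs = b"".join(vsa_cisco_avpair(a) for a in avpairs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """Check the Response Authenticator against the request it answers."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + request_auth + attrs + secret).digest() == resp_auth


def parse_cisco_avpairs(packet):
    """Return the cisco-avpair strings in a RADIUS packet, in wire order."""
    pairs, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:                      # malformed length would loop forever
            break
        body = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", body[:4])[0] == CISCO_VENDOR_ID:
            vpos = 4
            while vpos + 2 <= len(body):  # one VSA may carry several sub-attributes
                vtype, vlen = body[vpos], body[vpos + 1]
                if vlen < 2:
                    break
                if vtype == CISCO_AVPAIR:
                    pairs.append(body[vpos + 2:vpos + vlen].decode())
                vpos += vlen
        pos += alen
    return pairs
```

Running `parse_cisco_avpairs` on a capture (radsniff or tcpdump) of a real reply is a quick way to confirm the NAS is receiving three separate attributes, which radtest also prints as three cisco-avpair lines.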

Let me know if this is helpful to you or if I can go into any more detail. This is just what is working in my environment. Your usage may vary.

HP iLO Amplifier Pack – Installing VMware Tools

We recently installed the iLO Amplifier Pack at work. HP ships this software as a way to easily manage their servers from a central location. The interface looks nice, however they really lock you out of the virtual machine and limit the command line. This presents a major annoyance because they decided to ship this OVA file without installing VMware tools or open-vm-tools.

I did a little digging around through the Veeam backup and discovered the virtual machine was running Debian 9.5. HP pretty much locks out the Administrator account by not assigning the user a shell and using ForceCommand within the sshd_config configuration.

ForceCommand /opt/wolfram/bin/wcli

I was able to install open-vm-tools by booting into the Debian Live CD and using chroot to modify the virtual machine environment. We don’t have DHCP on the server network, so I had to set an IP address and DNS server. Make sure the live environment has access to the network before continuing.

sudo mount /dev/sda1 /mnt
sudo mount --bind /dev /mnt/dev
sudo mount --bind /proc /mnt/proc
sudo mount --bind /sys /mnt/sys
sudo chroot /mnt

nano /etc/apt/sources.list
apt update
apt install open-vm-tools

I confirmed VMware tools was running after rebooting the machine.

I also discovered a couple other things that I will write another post about some day…

HP – In the meantime, please consider shipping this OVA file with open-vm-tools. It is pretty rare to run into a situation where it is not included.

6/13/19 – As of right now the OVA is running Debian Stretch and the sources.list should look like the one below.

This post was written on release 1.30.

Qubes OS 4.0 Release

Qubes OS 4.0 was recently released after a fairly lengthy development cycle. https://www.qubes-os.org/doc/releases/4.0/schedule/

I have been running the new release on my Librem 13 laptop since RC3 and all the changes have been great. I am sure the release notes on their website will do a better job describing all of the changes than me. If you are interested you can find them here: https://www.qubes-os.org/doc/releases/4.0/release-notes/

My favorite noticeable changes were to the user interface. Widgets were added for mounting/unmounting USB devices, interacting with or shutting down running Qubes, and showing system disk space usage. Despite it being a controversial idea, the Qube Manager was slated to be removed from this release. In the end the Qube Manager stayed, but with the addition of the new widgets I find myself rarely opening it anyway.

Purism has also released new firmware that supports Intel VT-d, which is “required” in version 4.0. The update process was pretty straightforward on my Librem 13. I ran the update from a Debian Stretch installation I had on a 32 GB flash drive. https://code.puri.sm/kakaroto/coreboot-files/src/master/Changelog.txt

I previously wrote a short post detailing a business use case for running Qubes OS and would recommend anyone who wants better control of their data and security to give it a try.

Purism Librem 13 v2 Review

At first I thought about writing a typical hardware review; however, those can become repetitive, following a similar layout to cover similar hardware and software aspects of the machine. Instead, I want to briefly talk about how I justified the cost of the laptop and my first impressions of it as an end user.

I wanted to replace my old and cracking Thinkpad x230 running Coreboot, gain NVMe support, and finally get back to a 1080p screen. My main reasons for purchasing this laptop were that Purism supports privacy and ships Coreboot on their machines. As I said in an earlier post, I think it’s important to support companies providing specialty hardware like this so it continues to be available and may prompt others to follow suit. For example, it was great to see Purism start disabling Intel ME, followed by System76, and even Dell.

Initially, I was supposed to receive my laptop around August… My understanding is there were supply chain issues, Coreboot kinks to work out, and a large effort on the phone funding campaign (I pre-ordered one of these too) which delayed shipments. The laptop finally arrived in December. I tried to be very understanding of this because, in my view, Purism is a smaller company that does not have the resources to keep a large amount of stock on hand like other established hardware providers. They do everything in batches. They were also releasing the first i7 version of the Librem 13 v2 with Coreboot support. Still, it would have been nice to have had better expectations set upfront and to have been kept better in the loop on progress and delays.

After unboxing the laptop I was honestly a little worried it would not meet my expectations. I have been using a Thinkpad of some sort for the last eight years and have grown accustomed to their feel and durability. While the aluminum body looks great, it almost felt fragile, and at first I was worried about damaging it. I also read some reviews about it showing lots of grease from your fingers. However, after using the laptop for the last three weeks it has really grown on me and I am happy with the feel of everything.

The finish does show some spots, but they are not nearly as bad as some other posts made me think. I actually think the trackpad will be more resistant to the typical Thinkpad trackpad wear, in which a large greasy, polished, shiny spot shows up where it is used the most. Time will tell.

I killed PureOS in favor of running Qubes OS too quickly to give much of a review, but the setup was quick and easy. If you are new to running Linux I would recommend sticking with PureOS because it is easy to use, a derivative of Debian, and was recently added to the Free Software Foundation’s list of endorsed distributions. Currently, I am having a major problem with Qubes 3.2 as it will not resume from suspend…

Overall, I am really happy with the final product that was delivered. It will take a little time to get used to a new keyboard layout and I am eagerly awaiting VT-d support to be added so Qubes OS 4.0 will be supported.

I bricked (and recovered) the Meraki Z1

I purchased a used Meraki Z1 on eBay (~$70) because it is supported by LEDE and seems to be pretty good hardware. It has 4 GbE LAN ports, 1 WAN port, and dual-concurrent 2×2 MIMO 802.11n radios. The LEDE support is important because I am not paying Cisco a yearly license to put my device in their cloud. Unfortunately, while flashing it the first time around I ended up with a brick.

TL;DR

Bricked after using a beta build from GitHub. Lesson learned: build from source.

  1. Build from source
  2. Follow directions and flash
  3. Win

Purism Librem 13 Ordered

I have been happy with my Lenovo x230 up until this point, but was really looking for a 1080p screen, NVMe support, and USB-C. Purism recently started supporting Coreboot and added an i7 processor to the 13" model, which helped sway my decision on purchasing a new laptop.

It certainly was not a cheap purchase, nevertheless I am glad that they are supporting Coreboot and working on reverse engineering Intel ME. Hopefully they will continue to contribute to open source and their work on freedom-respecting computers. I believe in voting with your dollars and want to see more current hardware supported by Coreboot in the future.

The i7 models are currently back-ordered, but it sounds like my new laptop should ship sometime in August or September. I may decide to write up a simple review or comparison to the x230 once it arrives.

https://puri.sm/