Postings related to Linux and Linux facilities.

Configuring Postfix mail submission to support SSL client certificates


Typically, when a mail user agent submits a message for delivery, it authenticates to the server with a username and password. If you are using that server as a "smart host" for a workstation, the server needs to know that the workstation can be trusted. One way you can do that is by using an SSL certificate on the workstation (client), and having the server accept mail based on that identity.

This note illustrates how a postfix mail server can be configured to add support for SSL client certificates.

First, add to file:

relay_clientcerts = hash:/etc/postfix/clientcerts
smtpd_tls_fingerprint_digest = sha1

The clientcerts file will list the fingerprints for the SSL client certificates that we want to trust.

Next, search for all the smtpd_<whatever>_restrictions definitions that contain a permit_sasl_authenticated entry. Ensure that each one found also contains a permit_tls_clientcerts entry.

For instance, here is my smtpd_relay_restrictions entry:

HowTo: Make umount Work with sshfs


sshfs is an easy way to provide file access to a remote system with ssh. On Ubuntu, all you need to do to install it (on the remote client; there is nothing to do on the server if it already runs ssh) is run:

sudo apt-get install sshfs

To make things easier, you can make an /etc/fstab entry with the settings to mount a remote directory:

/home/chip/Remote-Home fuse umask=0,defaults,noauto,user 0 0

Now, to mount the directory I just type (from my home directory):

$ mount Remote-Home

The problem is that if I try to unmount the directory it fails:

$ umount Remote-Home
umount: /home/chip/Remote-Home mount disagrees with the fstab

The command you have to use is:

$ fusermount -u Remote-Home

But you can make umount work with two simple steps.

First (this is the trick), run:

$ sudo ln -s mount.fuse mount.fuse.sshfs

HowTo: Specify Web Browser Preference for Thunderbird 3.1


In previous versions of the Thunderbird mail reader, you had to manually edit the prefs.js file and add lines such as:

user_pref("", "/usr/bin/sensible-browser");
user_pref("", "/usr/bin/sensible-browser");
user_pref("", "/usr/bin/sensible-browser");

With Thunderbird 3.1 that no longer works. Even worse, when my properties were migrated over, I didn't have any way to change the browser (it was defaulting to Firefox).

To fix, do: Edit -> Preferences -> Advanced -> Config Editor

In the properties window filter on "warn-external". Set all the items to "true".

Next time you click on a link, you will be prompted to select your web browser. (Hint: for Debian and variants such as Ubuntu, you want to pick "/usr/bin/sensible-browser". If that fails to launch the browser you want, then fix your preferences in the control center.)

PATA is a PITA (and other thoughts on SSD)

A couple months ago I started gathering components to build myself a new workstation. One of the components I got to try is an Intel X25-V 40GB solid-state disk (SSD). That particular part has since been discontinued, but at that time it was $100. That's pretty pricey as compared to a conventional hard disk of the same size, but would be completely worth it if it provided the performance benefit I expected.

It performed as well as I hoped. I set it up with Kubuntu Linux 10.10, and was completely blown away by the speed-up in boot time.

As great as it was on the workstation, this device was just screaming to be put in a laptop. After all, my workstation gets booted once a season. I can cycle a laptop a dozen times in an afternoon.

The workstation project has been stuck on idle, but I've become increasingly enamored with the laptop idea.

First Look at the Neuros LINK

I built my first home media computer over four years ago. Its primary uses were web streaming video, local music files, and the occasional communal web surfing during living room gatherings. Unfortunately, the system had reached an age where ATI dropped support for the display in their accelerated (proprietary) drivers, and the open source drivers couldn't keep up with full screen video. To make matters worse, in that time I've upgraded the display from an 800x600 Sony picture tube to a 1360x768 Samsung high def LCD.

The old computer was choking to keep up. It was time for an upgrade.

This weekend I replaced the old media computer with a Neuros LINK. The LINK is an open source media computer. It's constructed of standard, off-the-shelf OEM components. It runs on Linux, configured and tuned for media center operations. It costs $299.

HOWTO: Load ssh Key at KDE Startup


The ssh program allows you to securely access systems across the network. By default ssh prompts you for your password on the remote system. If you set up a secure key you can skip the password prompts.

For instance:

$ ssh uname -a
Linux 2.6.26-2-686 #1 SMP Fri Aug 14 01:27:18 UTC 2009 i686 GNU/Linux

In this example I ran the uname command on the remote system. Since I've set up a secure ssh key, the command ran without prompting for a password.

Here is an easy -- but bad! -- procedure for setting up your ssh key:

The problem with this procedure is that it tells you to create the key without a passphrase. The passphrase prevents unauthorized access to your ssh key. When your ssh key is secured by a passphrase, the key is useless to somebody who doesn't have the passphrase. If your ssh key does not have a passphrase, then every system you use is at risk if an attacker gets a hold of your key.

Linux: Harmful and Illegal

An article is currently circulating the blogosphere about an irate Austin middle school teacher. The teacher, first name Karen, is incensed at a student for showing classmates how to get Linux software for free. She's even more angry at the person who provided Linux to the student. She wrote, in a letter of complaint:

At this point, I am not sure what you are doing is legal. No software is free and spreading that misconception is harmful. These children look up to adults for guidance and discipline. I will research this as time allows and I want to assure you, if you are doing anything illegal, I will pursue charges as the law allows.

This is all laughably uninformed, except I'm not laughing.

I'm concerned that most people are responding by amping up an even greater level of outrage, and that doesn't seem to be a helpful way to move this forward.

Linux Network Problems with RTL8111C


Today, I tried to set up a new server using an ECS A780VM-M2 Motherboard. It takes an AMD AM2/AM2+ socket processor. It uses the AMD 780V "business class" chipset, which mostly means basic functionality and unspectacular graphics; ideal for a Linux server.

I was trying to install the Debian Etch (stable) Linux kernel and ran into a major snag: the network doesn't work. That's because the version of the r8169 Ethernet driver currently included in the Debian Etch (stable) kernel (version 2.6.18-5) doesn't support the Realtek RTL8111C Ethernet chip on the motherboard.

There are several workarounds, none of them pretty.

Creating a Debian Linux Installation USB Memory Stick


Monday night, I learned how to use a USB memory stick as bootable install media for Debian Linux. It's a little complicated, mostly because piecing together bootable media is just that way. Once complete, it works great. I can still use the stick for usual file transport purposes, but now if I boot off it then it will offer a Debian Linux installation.

The Preparing Files for USB Memory Stick Booting chapter of the Debian Installation Guide outlines the process.

It describes two ways to do it: an "easy" way and a "flexible" way. The "easy" way makes sense for a one-time deal (and you are willing to reformat the stick afterwards), or if you are willing to dedicate a stick to the installation. I didn't. I've got a 4GB stick that I wanted to make bootable and hold the Debian installation files, but continue to use it for other purposes. That's what the "flexible" method allows.

This note describes the procedure I used.

Interested in the Dell Mini

Dell has announced availability of the Inspiron Mini 9 sub-notebook computer, and I have to admit it's caught my eye. Dell didn't invent the sub-notebook form factor, but they did produce the first one that's grabbed my interest.

There are two things I like about the Mini. First, like many other sub-notebooks, it offers a Linux option. Second, unlike all the other sub-notebooks, it looks like a machine I could do business on.

Out of all the places where a sub-notebook has to make sacrifices, the one that concerns me most is the keyboard. The Mini seems like it may be the one to most closely approach the experience of a full-sized keyboard.

One thing they did to achieve this was to eliminate the row of dedicated function keys along the top. That's ok with me.
