Security & Compliance System Administration

Anti-spam measurements are working?

It has been a while, but it appears challenge-response spam filtering is back and now even more stupid.

If yes, it got caught as unsolicited email by our spam blocker. You can release the mail from spam quarantine by simply replying to this message. At the same time the spam blocker will recognize you as a trusted sender (from this email address) and automatically add you to my Allow list for this and any future communication.

Many illegal spammers forge email addresses to try to get past spam blocking software. These spammers send hundreds of millions of spam messages a day, clogging email servers and wasting people’s time. We regret that these spammers have forced us to send this message to you.

But why stupid? First of all no relevant data at all, only a source and target email address and a company URL where you should be able to find how to clear it. Wasn’t able to find anything btw. When matching the timestamps it appears to be related to a posting I did on a mailing list, a double opt-in mailing list. And RFC 5230, section 4.6 has some nice hints for vacation responders that may also apply to these kinds of spam filters. Also, my email domain has a closed SPF-record in DNS, meaning you can identify if I’m really the sender. Which will not be the case as a mailing list has a different return-path header. Another indicator that the software isn’t using the right data from the headers.

Looking at the headers from their response it appears they know how to set an SPF record for their own domain, but validating incoming no. Also, their software forgot to add a Date-field to the mail headers. For now, I fed this e-mail from to the Bayesian filter and if it keeps coming back it will get its own line in my blacklist for SpamAssassin.

System Administration

Renaming database in PostgreSQL

Sometimes you have a system with legacy naming standards, but you really want to switch over to the new standard to keep all the scripting clean without some exceptions no one is going to remember in 12 months. Oracle had the command ALTER DATABASE, but since Oracle 10 you need to take the database offline and do some magic. MySQL got the RENAME DATABASE option with release 5.1.7 and lost the option again with release 5.1.23 as it was eating data.

Luckily PostgreSQL still has the command ALTER DATABASE so let rename a database and the owner. Before we start we need the password and then we need to log in as the PostgreSQL superuser postgres or another account with similar privileges. So first we check the database name and owner.

postgres=# \l
                                    List of databases
     Name     |  Owner   | Encoding  |  Collation  |    Ctype    |   Access privileges   
 dbu0001      | dbu0001  | UTF8      | en_US.UTF-8 | en_US.UTF-8 | 

Now we rename the database owner as we made a typo and we need to set the password again.

postgres=# alter user dbu0001 rename to dbo0001;
NOTICE:  MD5 password cleared because of role rename
postgres=# alter user dbo0001 password 'yeaxaureiraeLohsh6deJ2ohngahpu9a';

The second task is to rename the database to the correct name.

postgres=# alter database dbu0001 rename to dbs0001;

And basically we are now done as the ownership was already modified when we renamed the account with our first statement, but let check what PostgreSQL says it now has.

postgres=# \l
                                    List of databases
     Name     |  Owner   | Encoding  |  Collation  |    Ctype    |   Access privileges   
 dbs0001      | dbo0001  | UTF8      | en_US.UTF-8 | en_US.UTF-8 | 

Please don’t forget to update the connection strings for applications using this database and maybe GRANTS that have been set and the pg_hba.conf file.

System Administration

SpamAssassin to blacklist and unblacklist

SpamAssassin has a feature to blacklist and unblacklist certain e-mail addresses. But recently I noticed something interesting that may need some more investigation. I have all addresses for domain blacklisted, but also unblacklisted certain functional addresses as is shown in the example below.

blacklist_from          *
unblacklist_from        abuse@*
unblacklist_from        hostmaster@*
unblacklist_from        postmaster@*
unblacklist_from        security@*
unblacklist_from        webmaster@*

Now I expected that was going to be unblacklisted, meaning the mail would have both a spam score of both +100 and -100 making it effective 0 again. This modification resulted in a spam score of +100 and makes me worry that unblacklisting will demand that the domain part needs to be specified instead of having a wildcard. This will require some more testing in the near future, but for now, it may affect other installations.

System Administration

Getting Ext3/4 journal size

Ext3 is a successor of Ext2 with support for journaling which means it can have a log of all it’s recent changes it made or is going to make to the file system. This allows fsck to get the file system back in a good state when a power failure happens for example. But what is the size of the journal? Reading the manpage for tune2fs it says it needs to be between 1024 and 102400 blocks which means it can start with 1MB on a file system with a 1KB block size and 4M on a file system with 4KB block size.

So let start to see which inode contains the journal and normally this should be inode 8 unless you have a file system that was upgraded from Ext2 to Ext3/4.

$ sudo LANG=C tune2fs -l /dev/sda1 | awk '/Journal inode/ {print $3}'

Now that we have the inode responsible for the in file system journal we can retrieve it details by doing a stat() with debugfs for that inode. Debugfs retrieve the details from the inode and on of them is de allocated size on disk.

$ sudo LANG=C debugfs -R "stat <8>" /dev/sda1 | awk '/Size: /{print $6}'|head -1
debugfs 1.42.4 (12-Jun-2012)

Now let use the same procedure on an other file system:

$ sudo LANG=C tune2fs -l /dev/mapper/data00-srv | awk '/Journal inode/ {print $3}'
$ sudo LANG=C debugfs -R "stat <8>" /dev/mapper/data00-srv | awk '/Size: /{print $6}'|head -1
debugfs 1.42.4 (12-Jun-2012)

There is also an easy way as dumpe2fs provides an interface to a lot of these values directly.

$ sudo LANG=C dumpe2fs /dev/mapper/data00-srv | grep ^Journal
dumpe2fs 1.42.4 (12-Jun-2012)
Journal inode:            8
Journal backup:           inode blocks
Journal features:         journal_incompat_revoke
Journal size:             128M
Journal length:           32768
Journal sequence:         0x0111fd4c
Journal start:            3380

Keep in mind that changing something on a live journal can destroy your file system, so never move the journal location or change it’s size unless it’s a clean unmounted file system.

System Administration

Create home directory on first login

Creating home directories for new users can be a difficult task and especially in an LDAP-based environment, but most PAM installations have the option to create a new home directory before the user login is completed. Debian also ships the module mpam_mkhomedir, but without a manifest to set it up correctly. Bug 640918 covers this issue, but for now, creating the file /usr/share/pam-configs/mkhomedir with the content below resolves the problem.

Name: Create home directory on first login
Default: no
Priority: 0
Session-Type: Additional
 required umask=0027

After creating the file, the command below updates the PAM-config to create the home directory when a user’s home directory doesn’t exist. In the example configuration above the default umask is 0027 so only the user and group will have access to the home directory.

$ sudo pam-auth-update --package mkhomedir

By default, the configuration in /etc/skel is being used to create a new home directory. This is a point of attention when the user needs files and/or directories when the user logs in and an example of this may be a Maildir for receiving mail.