System Administration

Removing SPF Resource Records

With the creation of RFC 4408, a new DNS record type 99 was also created to identify SPF Resource Records. It was advised to have both TXT and SPF records in DNS with the same content. RFC 4408 was obsoleted by RFC 7208 in 2014, with paragraph 3.1 stating the following:

SPF records MUST be published as a DNS TXT (type 16) Resource Record (RR) [RFC1035] only. The character content of the record is encoded as [US-ASCII]. Use of alternative DNS RR types was supported in SPF’s experimental phase but has been discontinued.

RFC 7208, paragraph 3.1

Now that the SPF Resource Record has been discontinued for a while, the time has come to remove it from DNS (if not done already) and make sure it never comes back. Luckily, most code libraries already preferred the TXT variant, but still, this is one to put on the maintenance checklist: remove it from any application code and/or infrastructure.
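A check for that maintenance list, as an added example that is not part of the original post: it scans zone-file text for records still published as type 99 (written as SPF or as the generic TYPE99) and reports whether the same name already has a TXT record starting with v=spf1. The zone data is constructed, and the parser assumes one record per line with plain numeric TTLs.

```python
# Added example: find leftover SPF (type 99) records in zone-file text.
# Assumes one record per line; the zone data below is constructed.
SAMPLE_ZONE = r"""$ORIGIN example.org.
$TTL 3600
@        IN  SOA  ns1 hostmaster 2015050101 7200 3600 1209600 3600
@        IN  TXT  "v=spf1 mx -all"
@        IN  SPF  "v=spf1 mx -all"
mail     300 IN TYPE99 \# 12 0b763d73706631202d616c6c
legacy   IN  SPF  "v=spf1 a -all"
www      IN  A    192.0.2.10
         IN  TXT  "v=spf1 -all"
"""

SPF_TYPES = {"SPF", "TYPE99"}   # mnemonic and RFC 3597 generic name for type 99
CLASSES = {"IN", "CH", "HS"}


def parse_records(zone_text):
    """Yield (owner, rrtype, rdata); a line starting with a blank reuses the last owner."""
    owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments (simplified)
        if not line.strip() or line.startswith("$"):
            continue                               # blank line or $ORIGIN/$TTL
        fields = line.split()
        if not line[0].isspace():
            owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)                          # optional TTL and class
        if owner is not None and fields:
            yield owner, fields[0].upper(), " ".join(fields[1:])


def audit_spf_rr(zone_text):
    """Map each owner that still has a type 99 record to True if a TXT SPF exists."""
    legacy, txt_spf = set(), set()
    for owner, rrtype, rdata in parse_records(zone_text):
        if rrtype in SPF_TYPES:
            legacy.add(owner)
        elif rrtype == "TXT" and rdata.strip('"').lower().startswith("v=spf1"):
            txt_spf.add(owner)
    return {owner: owner in txt_spf for owner in sorted(legacy)}


if __name__ == "__main__":
    for owner, has_txt in audit_spf_rr(SAMPLE_ZONE).items():
        action = "remove type 99 record" if has_txt else "publish TXT first, then remove"
        print(f"{owner}: {action}")
```

A name that maps to False has no TXT counterpart, so deleting its type 99 record first would leave it without any SPF policy.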

Disabling SSLv3 in Apache

Yesterday I wrote a post about disabling SSLv3 in Postfix, and today we take a close look at Apache. A closer look at the current installation of Apache and the version shipped with Debian 8, which was released a few days back, showed that either the Apache project or Debian has taken the responsibility to completely disable SSLv2. Hopefully, SSLv3 will get the same treatment soon, as broken security is worse than no security due to the false sense of security.

After a clean install on Debian Wheezy /etc/apache2/mods-available/ssl.conf contains the following entries:

SSLProtocol all -SSLv2

After a clean install on Debian Jessie /etc/apache2/mods-available/ssl.conf contains the following entries:

SSLCipherSuite HIGH:!aNULL
SSLProtocol all -SSLv3

First, we see that the cipher suite is different between both, and for now, I’ll ignore them. Those will be touched on in a later posting, as RC4 also needs to be phased out. For Debian Jessie installations everything is well on the protocol level, but for Wheezy the option “-SSLv3” is missing. Since TLS is compiled into Apache and OpenSSL on Debian Wheezy, it is pretty safe to turn SSLv3 off unless you want to keep servicing Internet Explorer 6.

SSLProtocol all -SSLv3 -SSLv2

As with Postfix, Apache also needs a hard restart to enforce this on all connections from that point forward and to make sure no one keeps an old connection with SSLv3.

$ sudo systemctl restart apache2.service

Keep in mind that these settings can also be set on a virtual host level within Apache and will override any global setting. So it may be wise to also verify other configuration files for Apache and/or run sslscan against your websites to verify the SSL protocol offered.
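One way to verify those other configuration files, as an added example that is not part of the original post: it applies the +/- words of every SSLProtocol directive in a configuration text and reports each one, global or inside a virtual host, that still leaves SSLv3 enabled. The sample configuration and host names are constructed, and the expansion of "all" is this example's assumption.

```python
import re

# Constructed sample (not from the original post): a vhost overrides the global setting.
SAMPLE_CONF = """\
SSLProtocol all -SSLv3 -SSLv2
<VirtualHost *:443>
    ServerName shop.example.org
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:443>
    ServerName new.example.org
    SSLProtocol -all +TLSv1.2
</VirtualHost>
"""

CANON = {p.lower(): p for p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")}
# Assumption for this example: "all" expands to SSLv3 plus every TLS version.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

def effective_protocols(args):
    """Apply the words of one SSLProtocol directive from left to right."""
    enabled = set()
    for word in args.split():
        action = word[0] if word[0] in "+-" else ""
        name = word[len(action):].lower()
        chosen = ALL if name == "all" else {CANON[name]}   # KeyError: unknown name
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = set(chosen)          # no prefix: replaces what came before
    return enabled

def audit(conf_text):
    """Return (context, line number, directive) for each SSLProtocol that keeps SSLv3."""
    context, findings = "global", []
    for number, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if re.match(r"<VirtualHost\b", line, re.I):
            context = "vhost"
        elif re.match(r"</VirtualHost>", line, re.I):
            context = "global"
        elif re.match(r"ServerName\s", line, re.I) and context != "global":
            context = "vhost " + line.split()[1]
        match = re.match(r"SSLProtocol\s+(.+)", line, re.I)
        if match and "SSLv3" in effective_protocols(match.group(1)):
            findings.append((context, number, line))
    return findings
```

Run `audit()` over the text of each file under the Apache configuration directory; an empty list means no directive in that file re-enables SSLv3.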

Disabling SSLv3 in Postfix

The POODLE attack was made public in late 2014, and most vendors have taken action to solve possible issues related to POODLE. The time has definitely come to close SSLv3 in all parts of the public-facing infrastructure. By default Postfix still only disallows SSLv2, and hopefully this will change in the form of stricter default behavior in Postfix or distributions/vendors that stop shipping SSLv3 libraries.

For now, you can use the postconf command to set which protocols shouldn’t be used by Postfix.

$ sudo postconf -e smtpd_tls_mandatory_protocols=\!SSLv2,\!SSLv3
$ sudo postconf -e smtpd_tls_protocols=\!SSLv2,\!SSLv3
$ sudo postconf -e smtp_tls_mandatory_protocols=\!SSLv2,\!SSLv3
$ sudo postconf -e smtp_tls_protocols=\!SSLv2,\!SSLv3

As this is a change to /etc/postfix/, Postfix can be reloaded to reread the configuration, but it may be smarter to just restart Postfix to make it effective for all connections from the moment Postfix restarts.

$ sudo systemctl restart postfix.service

All encrypted sessions Postfix allows will require TLSv1+. The next step will be to disable the RC4 cipher suite, but I will do that in another posting.
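A check that all four parameters set above really exclude SSLv3, as an added example that is not part of the original post: it reads `postconf -n` style text and reports, per parameter, whether SSLv3 is excluded, still allowed, or not set at all. The sample output is constructed, and the function models only the "!" exclusion and plain inclusion forms of the protocol list.

```python
import re

# Constructed `postconf -n` style output (not from the original post): one of the
# four parameters is missing and one still allows SSLv3.
SAMPLE_POSTCONF = """\
myhostname = mail.example.org
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2
smtp_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
"""

# Server (smtpd_) and client (smtp_) side, mandatory and opportunistic TLS.
PARAMS = (
    "smtpd_tls_mandatory_protocols", "smtpd_tls_protocols",
    "smtp_tls_mandatory_protocols", "smtp_tls_protocols",
)


def allows_sslv3(value):
    """True if a protocol list (whitespace, comma or colon separated) keeps SSLv3."""
    words = [w for w in re.split(r"[\s,:]+", value.strip()) if w]
    excluded = {w[1:].lower() for w in words if w.startswith("!")}
    included = {w.lower() for w in words if not w.startswith("!")}
    if "sslv3" in excluded:
        return False
    # With explicit inclusions only the listed protocols are offered.
    return not included or "sslv3" in included


def audit_postconf(text):
    """Return {parameter: 'ok' | 'sslv3 allowed' | 'not set'} for the four parameters."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    report = {}
    for name in PARAMS:
        if name not in settings:
            report[name] = "not set"       # the built-in default applies
        else:
            report[name] = "sslv3 allowed" if allows_sslv3(settings[name]) else "ok"
    return report


if __name__ == "__main__":
    for name, status in audit_postconf(SAMPLE_POSTCONF).items():
        print(f"{name}: {status}")
```

A parameter reported as "not set" falls back to the Postfix default, which `postconf -d` shows for the installed version.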


Hack your mailbox and start to declutter

Dutch mailbox with a No-No-sticker – © Martin Abegglen

The Dutch postal services have gone from six to five delivery days since 2014 and, to be honest, without me noticing. This is because most commercial mail has been delivered on Tuesday and Thursday for years now, and the stream of uninteresting commercial mail has dropped over the last years to acceptable levels, to a level even where I barely have any paper waste.

The first step was to put a “No-No” sticker on my mailbox, which opted me out of house-to-house advertorials and saved me from going through an inch of mail a week to make sure I got all my mail before dumping it in the wastebin. Sometimes I still get some advertorials, but it is limited. And all the advertorials I want/need to read are available online and are there when I make my weekly shopping list.

The second step was to start bouncing and complaining about all commercial mail I didn’t ask for and to register with Stichting Postfilter to get removed from a lot of mailing lists for a couple of years before you need to extend your registration. If companies keep sending you mail and don’t respond to complaints, then at least in The Netherlands you can complain at Stichting Reclame Code, but until now I didn’t have to do that.

The third step was to see which companies would offer a digital alternative to the paper mail they normally sent. Most companies now offer a digital notification and/or invoicing system. When set up correctly, it can make your workflow easier.

This all reduced my mail flow to a level where it is basically only the mail that is required by law to be sent to you on paper. Hopefully this will also change over time, but for now I only check my mailbox three times a week instead of six because of the low amount of mail. Another 15 to 20 minutes per week saved that I could spend on other things.