Sunday, February 6, 2022

Recent Questions - Server Fault


Postfix relay to M365: two hosts lists, one auth to send external and other internal only

Posted: 06 Feb 2022 11:30 AM PST

I'm a security admin with mailboxes on Exchange Online (aka Microsoft 365), not seasoned in Postfix, but I have to deploy a Postfix service on premises to allow some devices (internal applications, switches, etc.) to send e-mail through Exchange Online.

My preferred approach is that an internal device (example: a printer) or application (e.g. some on-premises server) talks SMTP to my on-premises Postfix, which in turn talks SMTP to Exchange Online.

I have everything configured on the Exchange side for this, with a relay connector; no problem receiving e-mail.

I configured Postfix to relay, and at first it's working OK, allowing only hosts listed in a file to use the service:

mynetworks = hash:/etc/postfix/hosts_auth_to_relay

But I want to maintain two authorization lists:

List1: hosts authorized to relay only to Exchange internal mailboxes. The criterion is mail to my domain (example: mycorpdomain.com).

List2: hosts authorized to relay to all domains (i.e. gmail.com, hotmail.com, etc.com).

I'm struggling with smtpd_recipient_restrictions and smtpd_relay_restrictions, but I get all mail denied when using them. Do you know how to state these two authorizations in main.cf?
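As an added example (not part of the question or any answer to it), here is one way to express the two lists in Postfix with a restriction class, so that the connecting client's address, not the recipient, decides how much relaying it gets. The IP addresses, the map file names and the Exchange Online relayhost name are assumptions; the corporate domain is the one used in the question.

```text
# ---- /etc/postfix/main.cf (fragment; added example with assumed values) ----

# mycorpdomain.com is a relay destination (not a local one), so mail for it
# is forwarded to Exchange Online. The hostname is an assumed example of a
# tenant's MX endpoint; use the one shown in your tenant's connector setup.
relay_domains = mycorpdomain.com
relayhost = [mycorpdomain-com.mail.protection.outlook.com]:25
smtp_tls_security_level = encrypt

# Trust nothing implicitly except the relay itself. Every device must
# appear in one of the two client maps below to send anything at all.
mynetworks = 127.0.0.0/8 [::1]/128

# A named restriction list for List1 clients: permit only recipients whose
# domain is in relay_domains (mycorpdomain.com), reject everything else.
smtpd_restriction_classes = internal_only
internal_only = permit_auth_destination, reject

# Evaluated at RCPT TO. The client lookups run before the generic check:
#   List2 clients -> OK            (may relay to any domain)
#   List1 clients -> internal_only (corporate domain only)
#   anyone else   -> reject_unauth_destination (no open relay)
smtpd_relay_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/relay_all_clients,
    check_client_access cidr:/etc/postfix/relay_internal_clients,
    reject_unauth_destination

# smtpd_recipient_restrictions is intentionally left at its (empty) default:
# a reject placed there would override the OK / internal_only results above.

# ---- /etc/postfix/relay_all_clients (List2; cidr tables need no postmap) ----
10.0.0.25/32        OK
10.0.2.0/24         OK

# ---- /etc/postfix/relay_internal_clients (List1) ----
10.0.0.40/32        internal_only
10.0.1.0/24         internal_only
```

Test the lookup offline with `postmap -q 10.0.1.7 cidr:/etc/postfix/relay_internal_clients` (it should print `internal_only`), review the effective settings with `postconf -n`, and run `postfix reload` after editing main.cf or either table, since cidr tables are read at process start. Keeping mynetworks down to loopback is what makes the two lists the only path to relaying; devices not in either table are refused with "Relay access denied".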

Roundcube with Dovecot - disappearing/not present inbox and emails

Posted: 06 Feb 2022 11:15 AM PST

Versions: Debian 11 5.10.92-1 x86_64 - nginx/1.21.6 - mysql 15.1 10.5.12-MariaDB - PHP 7.4.25 (cli) - dovecot-core/stable,now 1:2.3.13+dfsg1-2

I've got my Postfix/Dovecot configuration working for receiving emails. After switching from RainLoop to Roundcube, I can't see any inbox emails in the Roundcube web UI. But occasionally I will log in to Roundcube and see all my emails in the inbox, but if I click on anything or refresh the page, they all disappear. Sending emails from Roundcube also just results in an endless loading wheel with no timeout.

Unfortunately Roundcube has no error logs, and Dovecot only has successful login logs. Nothing to indicate that anything is broken, other than the disappearing emails.

/var/log/mail.info:

Feb  6 13:30:52 mail dovecot: imap-login: Login: user=<admin@domain.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=9717, secured, session=<WKMOr13Xss5/AAAB>
Feb  6 13:30:52 mail dovecot: imap(admin@domain.com)<9717><WKMOr13Xss5/AAAB>: Logged out in=82 out=756 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Feb  6 13:30:52 mail dovecot: imap-login: Login: user=<admin@domain.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=9719, secured, session=<ZuEPr13Xts5/AAAB>
Feb  6 13:30:52 mail dovecot: imap(admin@domain.com)<9719><ZuEPr13Xts5/AAAB>: Logged out in=44 out=739 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Feb  6 13:30:56 mail dovecot: imap-login: Login: user=<admin@domain.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=9723, secured, session=<cedKr13XuM5/AAAB>
Feb  6 13:30:56 mail dovecot: imap(admin@domain.com)<9723><cedKr13XuM5/AAAB>: Logged out in=44 out=739 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0

/var/log/roundcube/error.log is empty.

I am pretty sure it's something with IMAP on Dovecot, since login works, but the retrieval of emails only works about 10% of the time. Without any error logs to troubleshoot, I don't know where to go from here, other than trial and error messing with config files.

Can anyone please help?


I have excluded a lot of the configs because of how massive they are. I can add any additional conf files, but I thought these were most relevant.

Roundcube Configuration:

<?php

$config = array();

// Do not set db_dsnw here, use dpkg-reconfigure roundcube-core to configure database!
include_once("/etc/roundcube/debian-db-roundcube.php");

$config['default_host'] = 'localhost';

$config['smtp_server'] = 'localhost';

// SMTP port. Use 25 for cleartext, 465 for Implicit TLS, or 587 for STARTTLS (default)
$config['smtp_port'] = 587;

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';

// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = '';

// Name your service. This is displayed on the login screen and in the window title
$config['product_name'] = 'Roundcube Webmail';

// This key is used to encrypt the users imap password which is stored
// in the session record. For the default cipher method it must be
// exactly 24 characters long.
$config['des_key'] = 'k';

// List of active plugins (in plugins/ directory)
// Debian: install roundcube-plugins first to have any
$config['plugins'] = array(
);

// skin name: folder from skins/
$config['skin'] = 'elastic';

// Disable spellchecking
// Debian: spellchecking needs additional packages to be installed, or calling external APIs
//         see defaults.inc.php for additional informations
$config['enable_spellcheck'] = false;

<?php
$dbuser='roundcube';
$dbpass='pass';
$basepath='';
$dbname='roundcube';
$dbserver='localhost';
$dbport='3306';
$dbtype='mysql';

<?php
include_once("/etc/roundcube/debian-db.php");

switch ($dbtype) {
  case "sqlite":
  case "sqlite3":
    $config['db_dsnw'] = "sqlite:///$basepath/$dbname?mode=0640";
    break;
  default:
    if ($dbport != '') $dbport=":$dbport";
    if ($dbserver == '') $dbserver="localhost";
    $config['db_dsnw'] = "$dbtype://$dbuser:$dbpass@$dbserver$dbport/$dbname";
    break;
}
?>

Dovecot configuration:

## Dovecot configuration file

# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
protocols = imap pop3 lmtp
listen = *
postmaster_address = postmaster at aperturecorp.net

##
## Dictionary server settings
##

dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}

!include conf.d/*.conf

# This file is commonly accessed via passdb {} or userdb {} section in
# conf.d/auth-sql.conf.ext

driver = mysql
connect = host=127.0.0.1 dbname=mailsrvdb user=maildbuser password=pass
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

##
## Authentication processes
##

disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-system.conf.ext

##
## Mailbox locations and namespaces
##

mail_location = maildir:/var/mail/vhosts/%d/%n/

namespace inbox {
  inbox = yes
}

mail_privileged_group = mail

protocol !indexer-worker {
}

service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

service submission-login {
  inet_listener submission {
    #port = 587
  }
}

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    #mode = 0666i
    mode = 0600
    user = postfix
    group = postfix
  }
}

service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit

  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}

service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}

service submission {
  # Max. number of SMTP Submission processes (connections)
  #process_limit = 1024
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }

  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }

  user = dovecot
}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  user = vmail
}

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user =
    #group =
  }
}

##
## SSL settings
##

ssl = required

ssl_cert = </etc/ssl/certs/mailtls-selfsigned.crt
ssl_key = </etc/ssl/private/mailtls-selfsigned.key

ssl_client_ca_dir = /etc/ssl/certs

ssl_dh = </usr/share/dovecot/dh.pem

##
## LDA specific settings (also used by LMTP)
##

protocol lda {
}

##
## Mailbox definitions
##

namespace inbox {
  # These mailboxes are widely used and could perhaps be created automatically:
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Trash {
    special_use = \Trash
  }

  # For \Sent mailboxes there are two widely used names. We'll mark both of
  # them as \Sent. User typically deletes one of them if duplicates are created.
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
}

##
## IMAP specific settings
##

protocol imap {
}

##
## LMTP specific settings
##

protocol lmtp {
}

# Authentication via dict backend. Included from 10-auth.conf.
#
# <doc/wiki/AuthDatabase.Dict.txt>

passdb {
  driver = dict
  args = /etc/dovecot/dovecot-dict-auth.conf.ext
}

userdb {
  driver = dict
  args = /etc/dovecot/dovecot-dict-auth.conf.ext
}

# Authentication for system users. Included from 10-auth.conf.
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

Redirect works, pass-through does not

Posted: 06 Feb 2022 11:12 AM PST

Our CMS has a handler named root, which works: http://example.com/root serves what we want it to serve.

We'd like requests for "naked" domain (http://example.com) to be handled by that same handler automatically -- without requiring /root to be part of the request.

What I expected to "just work" -- results in a 404:

# Results in 404
RewriteRule ^/*$ /root [L]

The best I can come up with is a redirect, which exposes the name root:

# Works
RewriteRule ^/*$ /root [R=permanent,L]

How can I do this without redirecting? I tried adding PT to no avail...

Debian: "apt install build-essential" fails because of unmet dependencies

Posted: 06 Feb 2022 11:09 AM PST

Using Debian Stretch v9.11.

I try to install build-essential, but it fails because of unmet dependencies:

sudo apt install build-essential
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 build-essential : Depends: libc6-dev but it is not going to be installed or
                            libc-dev
                   Depends: g++ (>= 4:6.3) but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

apt-cache policy shows:

apt-cache policy
Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://security.debian.org/debian-security stretch/updates/non-free amd64 Packages
     release v=9,o=Debian,a=oldstable,n=stretch,l=Debian-Security,c=non-free,b=amd64
     origin security.debian.org
 500 http://security.debian.org/debian-security stretch/updates/contrib amd64 Packages
     release v=9,o=Debian,a=oldstable,n=stretch,l=Debian-Security,c=contrib,b=amd64
     origin security.debian.org
 500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages
     release v=9,o=Debian,a=oldstable,n=stretch,l=Debian-Security,c=main,b=amd64
     origin security.debian.org
 500 http://deb.debian.org/debian stretch/non-free amd64 Packages
     release v=9.11,o=Debian,a=oldstable,n=stretch,l=Debian,c=non-free,b=amd64
     origin deb.debian.org
 500 http://deb.debian.org/debian stretch/contrib amd64 Packages
     release v=9.11,o=Debian,a=oldstable,n=stretch,l=Debian,c=contrib,b=amd64
     origin deb.debian.org
 500 http://deb.debian.org/debian stretch/main amd64 Packages
     release v=9.11,o=Debian,a=oldstable,n=stretch,l=Debian,c=main,b=amd64
     origin deb.debian.org

I have following content in /etc/apt/sources.list:

# deb cdrom:[Debian GNU/Linux 9.5.0 _Stretch_ - Official amd64 DVD Binary-1 20180714-10:25]/ stretch contrib main

deb http://deb.debian.org/debian stretch main contrib non-free
deb-src http://deb.debian.org/debian stretch main contrib non-free

# deb http://deb.debian.org/debian stretch-updates main
# deb-src http://deb.debian.org/debian stretch-updates main

# deb http://deb.debian.org/debian-security/ stretch/updates main
# deb-src http://deb.debian.org/debian-security/ stretch/updates main

deb http://security.debian.org/debian-security stretch/updates main contrib non-free
deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free

# add backports
# deb http://ftp.debian.org/debian stretch-backports main

# stretch-updates, previously known as 'volatile'
# A network mirror was not selected during install.  The following entries
# are provided as examples, but you should amend them as appropriate
# for your mirror of choice.
#
# deb http://deb.debian.org/debian/ stretch-updates main contrib
# deb-src http://deb.debian.org/debian/ stretch-updates main contrib

EDIT1: apt-cache policy libc6-dev shows:

apt-cache policy libc6-dev
libc6-dev:
  Installed: (none)
  Candidate: 2.24-11+deb9u4
  Version table:
     2.24-11+deb9u4 500
        500 http://deb.debian.org/debian stretch/main amd64 Packages
     2.24-11+deb9u1 500
        500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages

apt-cache policy g++ shows:

apt-cache policy g++
g++:
  Installed: (none)
  Candidate: 4:6.3.0-4
  Version table:
     4:6.3.0-4 500
        500 http://deb.debian.org/debian stretch/main amd64 Packages

EDIT2: I had deb http://ftp.de.debian.org/debian buster main in /etc/apt/sources.list.d/.mc.list

I remember that once I had to install a newer mc, which had a specific bugfix.

EDIT3:

apt update
Get:1 http://security.debian.org/debian-security stretch/updates InRelease [94.3 kB]
Ign:2 http://deb.debian.org/debian stretch InRelease
Hit:3 http://deb.debian.org/debian stretch Release
Fetched 94.3 kB in 1s (69.7 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

apt-get install --fix-broken
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

EDIT4:

sudo apt install libc6-dev g++
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libc6-dev : Depends: libc6 (= 2.24-11+deb9u4) but 2.27-6 is to be installed
             Depends: libc-dev-bin (= 2.24-11+deb9u4) but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

sudo apt install build-essential
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 build-essential : Depends: libc6-dev but it is not going to be installed or
                            libc-dev
                   Depends: g++ (>= 4:6.3) but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

EDIT5

sudo aptitude -f install build-essential
The following NEW packages will be installed:
  build-essential dpkg-dev{a} fakeroot{a} g++{a} g++-6{a} libalgorithm-diff-perl{a}
  libalgorithm-diff-xs-perl{a} libalgorithm-merge-perl{a} libc-dev-bin{ab} libc6-dev{ab}
  libdpkg-perl{a} libfakeroot{a} libfile-fcntllock-perl{a} libstdc++-6-dev{a}
  linux-libc-dev{a} manpages-dev{a}
0 packages upgraded, 16 newly installed, 0 to remove and 0 not upgraded.
Need to get 17.9 MB of archives. After unpacking 69.7 MB will be used.
The following packages have unmet dependencies:
 libc6-dev : Depends: libc6 (= 2.24-11+deb9u4) but 2.27-6 is installed
 libc-dev-bin : Depends: libc6 (< 2.25) but 2.27-6 is installed
The following actions will resolve these dependencies:

     Keep the following packages at their current version:
1)     build-essential [Not Installed]
2)     g++ [Not Installed]
3)     g++-6 [Not Installed]
4)     libc-dev-bin [Not Installed]
5)     libc6-dev [Not Installed]
6)     libstdc++-6-dev [Not Installed]

     Leave the following dependencies unresolved:
7)     dpkg-dev recommends build-essential

Accept this solution? [Y/n/q/?]
The following NEW packages will be installed:
  dpkg-dev{a} fakeroot{a} libalgorithm-diff-perl{a}
  libalgorithm-diff-xs-perl{a} libalgorithm-merge-perl{a}
  libdpkg-perl{a} libfakeroot{a} libfile-fcntllock-perl{a}
  manpages-dev{a}
The following packages are RECOMMENDED but will NOT be installed:
  build-essential
0 packages upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,267 kB of archives. After unpacking 8,773 kB will be used.
Do you want to continue? [Y/n/?]
Get: 1 http://deb.debian.org/debian stretch/main amd64 libdpkg-perl all 1.18.25 [1,287 kB]
Get: 2 http://deb.debian.org/debian stretch/main amd64 dpkg-dev all 1.18.25 [1,595 kB]
Get: 3 http://deb.debian.org/debian stretch/main amd64 libfakeroot amd64 1.21-3.1 [45.7 kB]
Get: 4 http://deb.debian.org/debian stretch/main amd64 fakeroot amd64 1.21-3.1 [85.6 kB]
Get: 5 http://deb.debian.org/debian stretch/main amd64 libalgorithm-diff-perl all 1.19.03-1 [48.7 kB]
Get: 6 http://deb.debian.org/debian stretch/main amd64 libalgorithm-diff-xs-perl amd64 0.04-4+b2 [11.6 kB]
Get: 7 http://deb.debian.org/debian stretch/main amd64 libalgorithm-merge-perl all 0.08-3 [12.7 kB]
Get: 8 http://deb.debian.org/debian stretch/main amd64 libfile-fcntllock-perl amd64 0.22-3+b2 [35.3 kB]
Get: 9 http://deb.debian.org/debian stretch/main amd64 manpages-dev all 4.10-2 [2,145 kB]
Fetched 5,267 kB in 0s (15.0 MB/s)
Selecting previously unselected package libdpkg-perl.
(Reading database ... 38475 files and directories currently installed.)
Preparing to unpack .../0-libdpkg-perl_1.18.25_all.deb ...
Unpacking libdpkg-perl (1.18.25) ...
Selecting previously unselected package dpkg-dev.
Preparing to unpack .../1-dpkg-dev_1.18.25_all.deb ...
Unpacking dpkg-dev (1.18.25) ...
Selecting previously unselected package libfakeroot:amd64.
Preparing to unpack .../2-libfakeroot_1.21-3.1_amd64.deb ...
Unpacking libfakeroot:amd64 (1.21-3.1) ...
Selecting previously unselected package fakeroot.
Preparing to unpack .../3-fakeroot_1.21-3.1_amd64.deb ...
Unpacking fakeroot (1.21-3.1) ...
Selecting previously unselected package libalgorithm-diff-perl.
Preparing to unpack .../4-libalgorithm-diff-perl_1.19.03-1_all.deb ...
Unpacking libalgorithm-diff-perl (1.19.03-1) ...
Selecting previously unselected package libalgorithm-diff-xs-perl.
Preparing to unpack .../5-libalgorithm-diff-xs-perl_0.04-4+b2_amd64.deb ...
Unpacking libalgorithm-diff-xs-perl (0.04-4+b2) ...
Selecting previously unselected package libalgorithm-merge-perl.
Preparing to unpack .../6-libalgorithm-merge-perl_0.08-3_all.deb ...
Unpacking libalgorithm-merge-perl (0.08-3) ...
Selecting previously unselected package libfile-fcntllock-perl.
Preparing to unpack .../7-libfile-fcntllock-perl_0.22-3+b2_amd64.deb ...
Unpacking libfile-fcntllock-perl (0.22-3+b2) ...
Selecting previously unselected package manpages-dev.
Preparing to unpack .../8-manpages-dev_4.10-2_all.deb ...
Unpacking manpages-dev (4.10-2) ...
Setting up libdpkg-perl (1.18.25) ...
Setting up libfile-fcntllock-perl (0.22-3+b2) ...
Setting up dpkg-dev (1.18.25) ...
Processing triggers for libc-bin (2.27-6) ...
Setting up libfakeroot:amd64 (1.21-3.1) ...
Setting up libalgorithm-diff-perl (1.19.03-1) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up manpages-dev (4.10-2) ...
Setting up fakeroot (1.21-3.1) ...
update-alternatives: using /usr/bin/fakeroot-sysv to provide /usr/bin/fakeroot (fakeroot) in auto mode
Setting up libalgorithm-merge-perl (0.08-3) ...
Setting up libalgorithm-diff-xs-perl (0.04-4+b2) ...
Processing triggers for libc-bin (2.27-6) ...
[master 77f42a4] committing changes in /etc after apt run
 13 files changed, 28 insertions(+)
 create mode 120000 alternatives/faked.1.gz
 create mode 120000 alternatives/faked.es.1.gz
 create mode 120000 alternatives/faked.fr.1.gz
 create mode 120000 alternatives/faked.sv.1.gz
 create mode 120000 alternatives/fakeroot
 create mode 120000 alternatives/fakeroot.1.gz
 create mode 120000 alternatives/fakeroot.es.1.gz
 create mode 120000 alternatives/fakeroot.fr.1.gz
 create mode 120000 alternatives/fakeroot.sv.1.gz
 create mode 100644 dpkg/shlibs.default
 create mode 100644 dpkg/shlibs.override
 create mode 100644 ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf

sudo aptitude -f install build-essential
The following NEW packages will be installed:
  build-essential g++{a} g++-6{a} libc-dev-bin{ab}
  libc6-dev{ab} libstdc++-6-dev{a} linux-libc-dev{a}
0 packages upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 12.6 MB of archives. After unpacking 60.9 MB will be used.
The following packages have unmet dependencies:
 libc6-dev : Depends: libc6 (= 2.24-11+deb9u4) but 2.27-6 is installed
 libc-dev-bin : Depends: libc6 (< 2.25) but 2.27-6 is installed
The following actions will resolve these dependencies:

     Keep the following packages at their current version:
1)     build-essential [Not Installed]
2)     g++ [Not Installed]
3)     g++-6 [Not Installed]
4)     libc-dev-bin [Not Installed]
5)     libc6-dev [Not Installed]
6)     libstdc++-6-dev [Not Installed]

Accept this solution? [Y/n/q/?]
No packages will be installed, upgraded, or removed.
0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 0 B will be used.

apt install build-essential
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 build-essential : Depends: libc6-dev but it is not going to be installed or
                            libc-dev
                   Depends: g++ (>= 4:6.3) but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

Still the same result.

In the meantime I upgraded to Debian v9.12.

apt --dry-run install libc6=2.24-11+deb9u4
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  glibc-doc locales
The following packages will be REMOVED:
  libc-bin locales sudo
The following packages will be DOWNGRADED:
  libc6
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
  libc-bin
0 upgraded, 0 newly installed, 1 downgraded, 3 to remove and 0 not upgraded.
Remv locales [2.27-6]
Remv libc-bin [2.27-6]
Remv sudo [1.8.23-2]
Inst libc6 [2.27-6] (2.24-11+deb9u4 Debian:9.12/oldstable [amd64])
Conf libc6 (2.24-11+deb9u4 Debian:9.12/oldstable [amd64])

May I try apt --dry-run install libc6=2.24-11+deb9u4 ?

How can I fix the unmet dependencies?

Perfect SSL Labs score with nginx and TLS 1.3?

Posted: 06 Feb 2022 10:09 AM PST

I have created an nginx config that got a perfect score on Qualys SSL Labs using only TLS v1.2, and I'd like to try and get a perfect score using both TLS v1.2 and v1.3.

Consider this snippet of the version of the nginx.conf that is part of the A+ and 100% score:

ssl_protocols TLSv1.2;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

It complains about a couple of the cipher suites, but it still gives an otherwise perfect score.

Now, if I add TLS v1.3 to the mix as the only config change, the score changes.

ssl_protocols TLSv1.2 TLSv1.3;  

The cipher strength gets scored as 90%.

I assume it's mad about those weak CBC ciphers:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      ECDH secp384r1 (eq. 7680 bits RSA)   FS   WEAK   256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)       DH 4096 bits                         FS   WEAK   256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)          DH 4096 bits                         FS   WEAK   256

There's not really a good way to remove the CBC mode ciphers perfectly, but maybe excluding SHA1, SHA256, and SHA384 will work. The config line becomes:

ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL:!SHA1:!SHA256:!SHA384;

Let's look at the new score.

The cipher suite strength is still 90%.

It's no longer mad at the strength of the cipher suites.

But apparently it's unhappy about the failing handshakes that worked before.

Which brings us to... the same cipher suites that are required for a successful handshake for older devices/apps are listed as "weak" and pass when only TLS 1.2 is enabled. Somehow enabling TLS 1.3 makes those same weak ciphers that passed before start failing.

It seems like the choice is: either enable TLS 1.2 only to get a perfect score, or, enable TLS 1.3 too but get dinged for the necessary cipher suites? It's a Kobayashi Maru of sorts.

Is it possible to get a perfect 100% score with nginx and TLS 1.2 and 1.3 enabled?
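An added example, not configuration from the original post, assuming nginx 1.19.4 or later built against OpenSSL 1.1.1 or later. OpenSSL keeps the TLS 1.3 suite list separate from the TLS 1.2 `ssl_ciphers` string, so enabling TLSv1.3 adds OpenSSL's default TLS 1.3 suites, including the 128-bit TLS_AES_128_GCM_SHA256, to what the server offers. SSL Labs scores cipher strength as the average of the strongest and weakest suite it finds (256-bit = 100, 128-bit = 80), which yields exactly 90 for a list mixing the two, while the all-256-bit TLS 1.2 list, CBC suites included, scores 100. The `ssl_conf_command Ciphersuites` directive trims the TLS 1.3 list; the rest mirrors the original directives, and the certificate paths are placeholders.

```nginx
# Added example, not the poster's config. Needs nginx >= 1.19.4 and
# OpenSSL >= 1.1.1 for ssl_conf_command and TLSv1.3.
server {
    listen 443 ssl http2;
    server_name example.com;

    # Placeholder paths: full chain, private key, a 4096-bit DH group
    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    ssl_dhparam         /etc/ssl/dhparam-4096.pem;

    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites: the same 256-bit-only string as the original post.
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    ssl_prefer_server_ciphers on;

    # TLS 1.3 suites are set through OpenSSL's "Ciphersuites" command, not
    # ssl_ciphers. Leaving out TLS_AES_128_GCM_SHA256 keeps every offered
    # suite at 256 bits.
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;

    # Pin ECDH to the 384-bit curve the post's scan already shows (eq. 7680
    # bits RSA). OpenSSL's default list starts with X25519, which SSL Labs
    # rates as a 3072-bit-equivalent exchange and scores below 100.
    ssl_ecdh_curve secp384r1;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Long-lived HSTS is what lifts an A to A+ once protocol and cipher
    # scores are in place.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    root /var/www/html;
}
```

Run `nginx -t` and reload, then confirm the 128-bit suite is really gone with `openssl s_client -connect example.com:443 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 </dev/null`, which should now fail the handshake. The trade-off the post ran into does not change: the CBC suites are what older clients negotiate, so either keep them for compatibility (they are 256-bit and do not lower the strength score) or drop them for a cleaner report and accept the handshake simulation failures.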

Ansible: find and replace with remote IP

Posted: 06 Feb 2022 12:04 PM PST

I am using Ansible for automatic Apache configuration, in which I have my own app.conf. Now I have app.conf on the Ansible server and want Ansible to replace the existing IP address with the remote IP address. My app.conf looks like this:

<VirtualHost \
  10.10.10.10:80 \
  10.10.10.10:80 \
  >
  DocumentRoot /var/www/application/httpdocs
  ServerName lists
  ServerAlias lists.*
  UseCanonicalName Off
  ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
  Alias /icons/ /var/www/icons/
  Alias /pipermail/ /var/lib/mailman/archives/public/
  <Directory /var/lib/mailman/archives/>
      Options FollowSymLinks
      Order allow,deny
      Allow from all
  </Directory>
</VirtualHost>

Now I want 10.10.10.10 to be replaced by the remote IP address. Can we do this using the lineinfile module?

lineinfile:
  path: /etc/hosts
  regexp: '^10\.10\.10\.10'
  line: ''
  owner: root
  group: root
  mode: 0644
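An added example, not code from the question, that does the substitution with `ansible.builtin.replace` rather than `lineinfile`: `lineinfile` rewrites a whole line, while `replace` substitutes only the matched text, so the rest of the `<VirtualHost>` line survives. The path under /etc/httpd, the inventory group and the handler name are assumptions; the address comes from the gathered facts of the host being configured, so each host ends up with its own IP.

```yaml
# Added example (assumed paths and group names): substitute the placeholder
# address in app.conf with the managed host's primary IPv4 address.
- name: Point app.conf at each host's own address
  hosts: webservers
  become: true
  gather_facts: true        # provides ansible_facts['default_ipv4']['address']

  tasks:
    - name: Replace every 10.10.10.10 with the host's primary IPv4 address
      ansible.builtin.replace:
        path: /etc/httpd/conf.d/app.conf
        # \b keeps 10.10.10.100 or 110.10.10.10 from being altered as well.
        regexp: '\b10\.10\.10\.10\b'
        replace: "{{ ansible_facts['default_ipv4']['address'] }}"
        owner: root
        group: root
        mode: '0644'
      notify: Reload Apache

    - name: Stop the play before any reload if the config does not parse
      ansible.builtin.command: apachectl configtest
      changed_when: false

  handlers:
    - name: Reload Apache
      ansible.builtin.service:
        name: httpd
        state: reloaded
```

If the VirtualHost should bind a management or secondary interface rather than the default-route address, use `ansible_host` or a per-host variable in place of the fact. When the file originates on the control node anyway, a `template` task with the same Jinja2 expression in an app.conf.j2 keeps the file correct even if a host's address changes later, which `replace` cannot do once the placeholder is gone.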

How can I use a virtual host to redirect https subfolders to different ports in apache?

Posted: 06 Feb 2022 11:04 AM PST

I have a web service running on port 8112, and I can redirect a subdomain, e.g. http://myapp.mydomain.com, to 127.0.0.1:8112 using a virtual host by setting the ServerAlias, ProxyPass and ProxyPassReverse parameters.

I achieve this with the virtual host outlined below:

<VirtualHost *:80>
  ServerName mydomain.com
  ServerAlias myapp.mydomain.com myapp
  ProxyRequests off
  ProxyPass / http://127.0.0.1:8112/
  ProxyPassReverse / http://127.0.0.1:8112/
  ProxyPassReverseCookieDomain 127.0.0.1 %{HTTP:Host}
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>
</VirtualHost>

However, I would like to use https and set a subfolder to be redirected to it instead, i.e. I would like to be able to expose https://secure.mydomain.com/myapp

I don't want to redirect an https subdomain, because I want to do this for several different services I'm running at the same IP and I only have certs for one secure subdomain.

I'm guessing some kind of rewrite? But it's too different from the starting point of the ProxyPass method for me to figure out. I looked at these examples but none seemed to apply.

My SSL certs are all good and my SSL virtual host is happily pointing at a root directory with a hello world in it, but I can't figure out what to add to get my subfolders to redirect to services running on different ports the way I can with subdomains over http.
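An added example, not code from the question: a single TLS virtual host for secure.mydomain.com that hands each path prefix to a different local port. Inside a `<Location>` block ProxyPass takes only the backend URL, and the 2.2-style `Order`/`Allow` lines become `Require all granted`. The certificate paths and the second service on port 8113 are placeholders; the block needs mod_ssl, mod_proxy, mod_proxy_http, mod_headers and mod_alias loaded.

```apache
# Added example; certificate paths and the second backend are placeholders.
<VirtualHost *:443>
    ServerName secure.mydomain.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure.mydomain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.mydomain.com.key

    # Reverse proxy only: never let clients use this host as a forward proxy.
    ProxyRequests Off
    # Tell the backends the public scheme so they build https:// links.
    RequestHeader set X-Forwarded-Proto "https"

    # /myapp (no trailing slash) -> /myapp/ so the app's relative links resolve.
    RedirectMatch ^/myapp$ /myapp/

    <Location "/myapp/">
        ProxyPass        "http://127.0.0.1:8112/"
        ProxyPassReverse "http://127.0.0.1:8112/"
        # Scope the backend's cookies to the public path.
        ProxyPassReverseCookiePath "/" "/myapp/"
        Require all granted
    </Location>

    # Each further service gets its own prefix and port.
    RedirectMatch ^/other$ /other/
    <Location "/other/">
        ProxyPass        "http://127.0.0.1:8113/"
        ProxyPassReverse "http://127.0.0.1:8113/"
        ProxyPassReverseCookiePath "/" "/other/"
        Require all granted
    </Location>
</VirtualHost>
```

Check with `apachectl configtest` and reload. The catch with path-based proxying is the backend itself: if it emits absolute links such as /static/app.js, those never pass through /myapp/ and fall into the hello-world document root as 404s. Most web applications have a base-URL or path-prefix setting for exactly this case; setting it to /myapp/ is usually simpler than rewriting response bodies with mod_proxy_html.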

HAProxy SSL Handshake failure on one server but not the other

Posted: 06 Feb 2022 11:04 AM PST

I've been searching the net extensively but I'm not able to find a solution to this problem.

I have setup two servers behind KeepAlived and HAProxy. When both servers are up, I can see that both servers are hit (looking at the application logs) and that both work fine. However, when I take down the primary server, the clients are not able to connect to the second server and fail with SSL Handshake failure. Both servers have identical configurations for HAProxy and their SSL certificates are both identical.

My partial HAProxy configuration is:

listen authentication_service
    bind xxx.xxx.xxx.111:2222 ssl crt /etc/ssl/certs/mycert.pem ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+R$
    balance  roundrobin
    option  tcpka
    option  tcplog
    server serv1 xxx.xxx.xxx.xx1:2222  check inter 2000 rise 2 fall 5
    server serv2 xxx.xxx.xxx.xx2:2222  check inter 2000 rise 2 fall 5

To re-iterate, serv1 on its own or together with serv2 works fine. It's only when I take down serv1 that I get the SSL failures.

The HAProxy log for the failure is:

Jan 3 14:21:08 serv-2 haproxy[9075]: [client ip address]:xyz [03/Jan/2015:14:21:08.734] authentication_service/1: SSL handshake failure

Would anyone be able to help me?

Many thanks in advance,

SSH to VM rejecting password, works from virt-manager console

Posted: 06 Feb 2022 12:04 PM PST

First of all, I'm sorry if there is a duplicate post somewhere. I searched for a while but none of the posts I found fixed my problem.

It's fairly annoying. I created a new VM on our network and when using virt-manager I can log into the VM fine with the username and password. When I try to ssh to the VM from anywhere else it rejects the password, but I know the password is correct. I've even changed it multiple times to make sure it's correct.

The address I'm ssh'ing to is definitely pointing at the right VM as well, I've tested all this.

It's still usable, but the virt-manager console is very limited so the sooner I can get to the bottom of this the better. VM is running ubuntu 12.04 btw.

EDIT 1: Checked the auth.log and all I'm getting is "sshd[29304]: Connection closed by 'server.ip.address' [preauth]". I also tried allowing logging in as root, and even turned off password auth altogether in sshd_config and still nothing! I then turned on "AllowEmptyPasswords", still a whole lot of nothing.
