Category: Linux

Debian SID Opendmarc Installation and Configuration

In this post I will capture the installation of OpenDMARC and how to configure it alongside OpenDKIM.

Install opendmarc

apt-get install opendmarc

Configure systemd service file

cat > /lib/systemd/system/opendmarc.service <<'EOT'
[Unit]
Description=OpenDMARC Milter
Documentation=man:opendmarc(8) man:opendmarc.conf(5)
After=network.target nss-lookup.target

[Service]
EnvironmentFile=/etc/default/opendmarc
Type=forking
PIDFile=/var/run/opendmarc/opendmarc.pid
User=opendmarc
ExecStart=/usr/sbin/opendmarc -p $SOCKET -c /etc/opendmarc.conf -u opendmarc -P /var/run/opendmarc/opendmarc.pid
Restart=on-failure
ExecReload=/bin/kill -USR1 $MAINPID

[Install]
WantedBy=multi-user.target
EOT

Compared with the unit shipped by the package, the changes are the EnvironmentFile= line and passing the socket on the command line with -p $SOCKET in ExecStart=. The heredoc delimiter is quoted ('EOT') so that $SOCKET and $MAINPID are written literally instead of being expanded by your shell while the file is created. Note that the unit must be named opendmarc.service and start /usr/sbin/opendmarc (OpenDMARC takes its configuration file with -c, OpenDKIM with -x).

Defaults File

cat > /etc/default/opendmarc <<EOT
SOCKET="inet:12302@localhost"
EOT

Opendmarc Config file

cat > /etc/opendmarc.conf <<EOT
AuthservID example.com
# must match PIDFile= and -P in the service unit
PidFile /var/run/opendmarc/opendmarc.pid
#RejectFailures false
Syslog true
SyslogFacility mail
UMask 0002
UserID opendmarc:opendmarc
TemporaryDirectory /tmp
AutoRestart true
EOT

Modify Postfix milters

If you are running both OpenDKIM and OpenDMARC, list OpenDKIM first: OpenDMARC reads the Authentication-Results header that OpenDKIM adds, and it only trusts that header when the authserv-id in it matches the AuthservID in opendmarc.conf (OpenDKIM's own AuthservID defaults to the host name, so set both to the same value). Your milters will then look like this:

non_smtpd_milters = inet:127.0.0.1:12301, inet:127.0.0.1:12302
smtpd_milters = inet:127.0.0.1:12301, inet:127.0.0.1:12302

Restart the service

systemctl daemon-reload
systemctl restart opendmarc
systemctl restart postfix

DNS

Now go and modify your DNS, adding a TXT record for '_dmarc.example.com' with the value 'v=DMARC1; p=none; rua=mailto:postmaster@example.com'. With p=none nothing is rejected yet; you only receive aggregate reports at the rua address.

When the reports show that your legitimate mail passes DMARC, tighten the policy: first p=quarantine, then p=reject once quarantine has turned up no surprises.

How can you validate it?

There are a number of online tools to help you with this. You can also send a message to a Gmail account, open it and click 'Show original': the Authentication-Results header lists the spf=, dkim= and dmarc= results for that message.


Enjoy

Other resources

https://www.google.com/search?q=opendkim+setup

https://www.google.com/search?q=opendmarc+setup


Debian SID Opendkim Installation and Configuration Woes

TL;DR OpenDKIM. Hats off to the folk who do marvellous packaging 99.99999% of the time.

But sometimes they get it wrong, or at least the documentation for the package does not match the behaviour the packager intended.
That said, hopefully I can help solve some of these issues here.

I assume you have Postfix already working and you are just looking to add DKIM support.

Install opendkim

apt-get install opendkim opendkim-tools

Configure systemd service file

cat > /lib/systemd/system/opendkim.service <<'EOT'
[Unit]
Description=OpenDKIM DomainKeys Identified Mail (DKIM) Milter
Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
After=network.target nss-lookup.target

[Service]
EnvironmentFile=/etc/default/opendkim
Type=forking
PIDFile=/var/run/opendkim/opendkim.pid
User=opendkim
ExecStart=/usr/sbin/opendkim -P /var/run/opendkim/opendkim.pid -p $SOCKET
Restart=on-failure
ExecReload=/bin/kill -USR1 $MAINPID

[Install]
WantedBy=multi-user.target
EOT

Compared with the unit shipped by the package, the changes are the EnvironmentFile= line and passing the socket on the command line with -p $SOCKET in ExecStart=. The heredoc delimiter is quoted ('EOT') so that $SOCKET and $MAINPID are written literally instead of being expanded by your shell while the file is created.

Defaults File

cat > /etc/default/opendkim <<EOT
SOCKET="inet:12301@localhost"
EOT

Opendkim Config file

cat > /etc/opendkim.conf <<EOT
Mode                sv
Syslog              yes
SyslogSuccess       yes
LogWhy              yes
#Socket              inet:12301@localhost
Umask               002
SendReports         yes
SoftwareHeader      yes
Canonicalization    relaxed/relaxed
Selector            default
MinimumKeyBits      1024
KeyTable            refile:/etc/dkimkeys/KeyTable
SigningTable        refile:/etc/dkimkeys/SigningTable
ExternalIgnoreList  refile:/etc/dkimkeys/TrustedHosts
# Mail from these hosts is signed rather than verified; the package sample sets only ExternalIgnoreList
InternalHosts       refile:/etc/dkimkeys/TrustedHosts
OversignHeaders     From
TrustAnchorFile     /usr/share/dns/root.key
EOT

The specific change here is the commented-out Socket line: in this packaging the setting in the configuration file is simply not honoured.
The only way to make OpenDKIM listen on the socket you want is to pass it on the command line, which is the -p $SOCKET in the ExecStart= line of the service file above.

Modify /etc/postfix/main.cf and add/edit the following lines

smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

Create the referenced folders for your OpenDKIM keys

mkdir -vp /etc/dkimkeys/keys

TrustedHosts

cat > /etc/dkimkeys/TrustedHosts <<EOT
127.0.0.1
::1
localhost
example.com
*.example.com
EOT

SigningTable

cat > /etc/dkimkeys/SigningTable <<EOT
*@example.com default._domainkey.example.com
EOT

KeyTable

cat > /etc/dkimkeys/KeyTable <<EOT
default._domainkey.example.com example.com:default:/etc/dkimkeys/keys/default.private
EOT

Create the private/public key pair for signing

cd /etc/dkimkeys/keys
opendkim-genkey -s default -d example.com
chown opendkim:opendkim default.private
chmod 600 default.private

opendkim-genkey defaults to a 1024-bit key (the default.txt shown further down came from one); add -b 2048 for a 2048-bit key. The private key must be readable by the opendkim user only, hence the chown and chmod.

Your directory should now look like this:

/etc/dkimkeys/
├── KeyTable
├── SigningTable
├── TrustedHosts
└── keys/
    ├── default.private
    └── default.txt

Tell systemd to reload the daemon files and restart the services

systemctl daemon-reload
systemctl restart opendkim
systemctl restart postfix

DNS

Now go and modify your DNS, adding a TXT record for 'default._domainkey.example.com'.
The value is everything between the parentheses with the quotes removed and the strings joined. opendkim-genkey splits the record into several quoted strings because a single TXT string may not exceed 255 characters (a 2048-bit key is longer than that); most DNS providers accept the joined value, while in a zone file you keep the quoted strings as printed.

cat keys/default.txt
default._domainkey      IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIGfMA0GCSqGSIGNA....BASE64-ENCODED PUBLIC KEY....ciaxOhS24T4MFwIDAQAB" )  ; ----- DKIM key default for example.com
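To make the check described above, and the DMARC record validation from the OpenDMARC post, scriptable, here is an added example; it is not part of the original post and not OpenDKIM's or OpenDMARC's code. It is a stdlib-only Python checker that joins the quoted strings of default.txt into the TXT value, verifies the DKIM record parses and that the RSA key in p= is at least 2048 bits (it walks the DER SubjectPublicKeyInfo itself, so it needs no third-party module), splits long values back into 255-octet strings for a zone file, and sanity-checks a _dmarc record. The sample key it embeds is constructed for the test and is not a real key; example.com and the default selector come from the post.

```python
import base64
import re

# Stdlib-only DER helpers covering just what an RSA SubjectPublicKeyInfo needs.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _der_read(buf, pos=0):
    """Read one TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(p_b64):
    """Modulus size in bits of a DKIM p= value (base64 DER SubjectPublicKeyInfo)."""
    _, spki, _ = _der_read(base64.b64decode(p_b64))
    _, alg, pos = _der_read(spki)            # AlgorithmIdentifier
    _, oid, _ = _der_read(alg)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("p= is not an rsaEncryption key")
    _, bitstr, _ = _der_read(spki, pos)      # BIT STRING wrapping RSAPublicKey
    _, rsa_pub, _ = _der_read(bitstr[1:])    # bitstr[0] is the unused-bits octet
    _, modulus, _ = _der_read(rsa_pub)       # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()


def txt_value_from_genkey(text):
    """Join the quoted strings of opendkim-genkey's default.txt into one TXT value."""
    return "".join(re.findall(r'"([^"]*)"', text))


def split_txt(value, limit=255):
    """A TXT string holds at most 255 octets; longer values (any 2048-bit key) are
    published as several quoted strings in a zone file, which resolvers rejoin."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DKIM key or DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, val = part.partition("=")   # base64 padding '=' stays in the value
            tags[key.strip()] = val.strip()
    return tags


def check_dkim_record(record, min_bits=2048):
    """Problems with a default._domainkey TXT value; an empty list means OK."""
    tags, problems = parse_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("only k=rsa keys are checked here")
    elif "p" not in tags:
        problems.append("missing p= (public key)")
    elif tags["p"] == "":
        problems.append("empty p= means the key is revoked")
    else:
        bits = rsa_key_bits(tags["p"])
        if bits < min_bits:
            problems.append(f"RSA key is {bits} bits, want >= {min_bits}")
    return problems


def check_dmarc_record(record):
    """Problems with a _dmarc TXT value; an empty list means OK."""
    tags, problems = parse_tags(record), []
    if not record.strip().startswith("v=DMARC1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(tag, "").split(",")):
            if not uri.strip().startswith("mailto:"):
                problems.append(f"{tag}= URI {uri.strip()!r} is not a mailto: URI")
    return problems


# ---- constructed sample data: correctly encoded, but NOT a real key -----------
def _der(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def _der_int(value):  # (bit_length + 8) // 8 adds the leading 0x00 a set high bit needs
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_sample_dkim_p(bits=2048):
    """SubjectPublicKeyInfo with modulus 2**(bits-1)+1: right size and encoding, unusable for signing."""
    rsa_pub = _der(0x30, _der_int((1 << (bits - 1)) + 1) + _der_int(65537))
    alg = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))).decode()


# Shaped like opendkim-genkey's default.txt, with the constructed key as p=
SAMPLE_GENKEY_TXT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    f'\t  "p={build_sample_dkim_p(2048)}" )  ; ----- DKIM key default for example.com'
)

if __name__ == "__main__":
    value = txt_value_from_genkey(SAMPLE_GENKEY_TXT)
    print("DKIM problems:", check_dkim_record(value) or "none", "| zone-file strings:", len(split_txt(value)))
    print("DMARC problems:", check_dmarc_record("v=DMARC1; p=none; rua=mailto:postmaster@example.com") or "none")
```

Feed it the real default.txt (or the output of a TXT lookup with the quotes stripped) in place of the constructed sample; a key that passes the DKIM check but is below 2048 bits is exactly what the -b 2048 advice above avoids.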

Enjoy

Other resources
https://www.google.com/search?q=opendkim+setup


BIND9 with DDNS updates on Debian Sid

This came out of some work to get a Kubernetes application deployment going.
The particular application I'm working with has hard dependencies on DNS, in particular A, TXT and SRV records.
Each Kubernetes pod that spins up needs to register itself in DNS so that the other services can discover it.

Here is a basic excerpt of enabling DDNS updates on example.com

Install the basics

apt-get install bind9 bind9utils dnsutils

Forward Lookup Zone

The heredoc delimiter is quoted ('EOF') so the shell does not expand $ORIGIN and $TTL while writing the file. Debian's named reads its configuration from /etc/bind, so the files go there.

cat > /etc/bind/db.example.com.conf <<'EOF'
$ORIGIN .
$TTL 86400      ; 1 day
example.com             IN SOA  ns1.example.com. root.example.com. (
                                3          ; serial
                                604800     ; refresh (1 week)
                                86400      ; retry (1 day)
                                2419200    ; expire (4 weeks)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.example.com.
$ORIGIN example.com.
ns1                     A       10.1.1.6 ; replace with your server IP address.
EOF

Reverse Lookup Zone

cat > /etc/bind/db.10.1.1.conf <<'EOF'
$TTL    86400
@       IN      SOA     example.com. root.example.com. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                          86400 )       ; Negative Cache TTL
;
@       IN      NS      ns1.example.com.
6       IN      PTR     ns1.example.com. ; replace 6 with your server ip last octet
EOF

named.conf.local (Debian's /etc/bind/named.conf already includes this file)

cat > /etc/bind/named.conf.local <<EOF
zone "example.com" IN 
{
  type master;
  file "/etc/bind/db.example.com.conf";
  notify no;
  allow-query {any;};
  allow-update { key "rndc-key"; };
};

zone "1.1.10.in-addr.arpa" {
  type master;
  notify no;
  file "/etc/bind/db.10.1.1.conf";
  allow-update { key "rndc-key"; };
};

key "rndc-key" {
  algorithm hmac-md5;
  secret "VBJev6+xzhFVXXYY7tAq4A=="; // this came from the rndc key file /etc/bind/rndc.key
};
EOF

Key file

Debian generates /etc/bind/rndc.key when the package is installed; it is the key the allow-update statements above refer to and the one nsupdate is given below. If it is missing, create it:

cat > /etc/bind/rndc.key <<EOF
key "rndc-key" {
  algorithm hmac-md5;
  secret "VBJev6+xzhFVXXYY7tAq4A==";
};
EOF

Two caveats. Reusing the rndc control key means anyone who can push DNS updates can also drive rndc (reload, freeze, flush) on the server, and hmac-md5 is obsolete: generate a dedicated key with tsig-keygen -a hmac-sha256 ddns-key, put it in its own file, and name that key in allow-update and in nsupdate -k instead. And allow-update with a key grants unrestricted changes to every name and type in the zone; BIND's update-policy statement (for example grant ddns-key subdomain example.com. A TXT SRV;) limits what the key may change.

Fix permissions, check the configuration and restart the server

named needs write access to the directory holding dynamic zones so it can create its journal (.jnl) files next to them; that is what the group write bit is for. Check the configuration and both zone files before restarting: a typo in a zone file leaves the zone unloaded and DDNS updates failing with NOTAUTH.

chown root:bind /etc/bind/*
chmod g+w /etc/bind
named-checkconf /etc/bind/named.conf
named-checkzone example.com /etc/bind/db.example.com.conf
named-checkzone 1.1.10.in-addr.arpa /etc/bind/db.10.1.1.conf
systemctl restart bind9.service

On a Debian where the bind9 AppArmor profile is enforced, named may not write under /etc/bind at all; in that case keep dynamic zone files under /var/lib/bind and point the file statements there.

Test the DDNS updates works

(
  echo "server 127.0.0.1"
  echo "zone example.com"

  echo "update delete xyz.example.com A"
  echo "update add xyz.example.com 120 A 192.0.2.1"
  echo "send"
) | /usr/bin/nsupdate -k "/etc/bind/rndc.key"

Nslookup for good measure

nslookup xyz.example.com 127.0.0.1
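The motivation above is pods registering A, TXT and SRV records for themselves. Since nsupdate takes its commands on stdin, exactly as the heredoc-and-pipe test does, a name taken from pod metadata must not be able to smuggle in a second update line. Here is an added example (not part of the original post) in Python that builds the nsupdate script for one pod with strict name validation, plus the matching removal script that deletes only that pod's SRV record so other pods keep theirs. The host names, the service _http._tcp, the address 192.0.2.1 and the key file path are assumptions for illustration.

```python
import ipaddress
import re
import subprocess

# One DNS label: 1-63 letters, digits and hyphens, not starting or ending with a
# hyphen. fullmatch() is used deliberately: with re.match() and a '$' anchor a
# trailing newline would slip through.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
_SRV_LABEL = re.compile(r"_[A-Za-z0-9-]{1,62}")  # service/protocol labels such as _http, _tcp


def validate_fqdn(name, allow_underscore_labels=False):
    """Return name as an absolute FQDN, or raise ValueError.

    nsupdate reads a command stream, so a pod-supplied name containing whitespace
    or a newline could inject extra 'update' commands; anything that is not a
    plain dotted hostname is rejected here."""
    stripped = name.rstrip(".")
    labels = stripped.split(".")
    if not stripped or len(stripped) > 253:
        raise ValueError(f"bad name {name!r}")
    for label in labels:
        if _LABEL.fullmatch(label) or (allow_underscore_labels and _SRV_LABEL.fullmatch(label)):
            continue
        raise ValueError(f"bad label {label!r} in {name!r}")
    return stripped + "."


def quote_txt(value):
    """Quote a TXT rdata string in zone-file syntax; control characters are refused
    rather than escaped so the record can never carry a line break."""
    if not all(0x20 <= ord(c) <= 0x7E for c in value):
        raise ValueError("TXT value must be printable ASCII")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_pod_update(zone, host, ip, port, txt, service="_http._tcp", ttl=120, server="127.0.0.1"):
    """nsupdate script registering one pod: A (or AAAA) + TXT for the host and an
    SRV record pointing service.zone at host:port."""
    zone_fqdn = validate_fqdn(zone)
    fqdn = validate_fqdn(f"{host}.{zone_fqdn}")
    srv_owner = validate_fqdn(f"{service}.{zone_fqdn}", allow_underscore_labels=True)
    addr = ipaddress.ip_address(ip)                 # raises ValueError on garbage
    rrtype = "AAAA" if addr.version == 6 else "A"
    if not 0 < int(port) < 65536:
        raise ValueError(f"bad port {port!r}")
    lines = [
        f"server {server}",
        f"zone {zone_fqdn}",
        f"update delete {fqdn} {rrtype}",          # replace the address, don't accumulate
        f"update delete {fqdn} TXT",
        f"update add {fqdn} {ttl} {rrtype} {addr}",
        f"update add {fqdn} {ttl} TXT {quote_txt(txt)}",
        f"update add {srv_owner} {ttl} SRV 0 0 {int(port)} {fqdn}",  # one SRV RR per pod
        "send",
    ]
    return "\n".join(lines) + "\n"


def build_pod_remove(zone, host, port, service="_http._tcp", server="127.0.0.1"):
    """Script removing exactly this pod's records; other pods' SRV RRs survive."""
    zone_fqdn = validate_fqdn(zone)
    fqdn = validate_fqdn(f"{host}.{zone_fqdn}")
    srv_owner = validate_fqdn(f"{service}.{zone_fqdn}", allow_underscore_labels=True)
    lines = [
        f"server {server}",
        f"zone {zone_fqdn}",
        f"update delete {fqdn}",                                   # every RR at the host name
        f"update delete {srv_owner} SRV 0 0 {int(port)} {fqdn}",  # only this pod's SRV RR
        "send",
    ]
    return "\n".join(lines) + "\n"


def run_nsupdate(script, keyfile="/etc/bind/rndc.key"):
    """Feed the script to nsupdate over stdin, as the shell pipeline above does
    (assumed key file path; not executed by the example itself)."""
    subprocess.run(["/usr/bin/nsupdate", "-k", keyfile], input=script, text=True, check=True)


if __name__ == "__main__":
    print(build_pod_update("example.com", "web-0", "192.0.2.1", 8080, "app=web;pod=web-0"))
```

The TXT value could equally be refused outright; quoting it is enough because nsupdate's zone-file syntax treats the quoted string as opaque rdata, while the host and service names are whitelisted character by character because they are interpolated unquoted.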

Debian Sid Intel I217-V Not Working

After scouring for ages looking for this fix, I've decided to document it.
It comes from a number of sources; kudos to the individual people.

Problem
Rebooting from Windows into Linux renders the NIC unusable, the classic "lights are on but no one is home".
Some people advise disabling PXE etc. in the BIOS. There is a better solution: reset the PCI device from a systemd oneshot service before the network comes up.

Identify the NIC

# lspci | grep Ether
00:19.0 Ethernet controller: Intel Corporation Ethernet Connection I217-V (rev 04)

Create a systemd oneshot service file

cat > /lib/systemd/system/intelnicreset.service <<EOT
[Unit]
Description=Reset Intel Nic on Boot before it comes up
Before=NetworkManager.service
Wants=NetworkManager.service

[Service]
Type=oneshot
ExecStart=/usr/bin/resetintelnic
RemainAfterExit=no

[Install]
WantedBy=multi-user.target
EOT

Reset NIC bash file

The heredoc delimiter is quoted ('EOT'); without that the shell would expand the variables and run the command substitution while writing the file, instead of at boot.

cat > /usr/bin/resetintelnic <<'EOT'
#!/bin/bash

# Find the PCI address of the network card (Caution: this assumes ONE NIC;
# with more than one only the first match is reset).
# lspci -D prints the full domain:bus:device.function, e.g. 0000:00:19.0
PCI=$(/usr/bin/lspci -D | /bin/grep -iE 'network|ethernet' | /usr/bin/head -n1 | /usr/bin/cut -d' ' -f1)
PCIPATH="/sys/bus/pci/devices/${PCI}"

if [ -z "${PCI}" ] || [ ! -w "${PCIPATH}/reset" ]; then
  /usr/bin/logger -t "ResetNIC" "No resettable PCI NIC found (PCI='${PCI}')"
  exit 1
fi

/usr/bin/logger -t "ResetNIC" "Resetting PCI NIC ${PCIPATH}"

# Function-level reset of the PCI device (like a power off/on of the NIC)
echo 1 > "${PCIPATH}/reset"
EOT

Make it executable and enable the service so it runs on every boot

chmod +x /usr/bin/resetintelnic
systemctl daemon-reload
systemctl enable intelnicreset.service

Synology Filebot Autonaming cron job

Having a Synology NAS is great. However, when dealing with 32TB, good file management is a must!
I have two primary folders, Films and Series. The scripts below iterate over the files and use TheTVDB and TheMovieDB to clean up the file names.
The second script downloads any missing subtitles for the media 🙂

File renaming

<?php

$email = "you@yourdomain.com";

error_reporting(E_ALL);

$log = "/volume1/homes/admin/cleanup/report-rename.txt";

// ---- Films: a flat folder, matched against TheMovieDB ----
$ploglines = array();
$loglines = explode( "\n", shell_exec( "filebot -rename /volume1/Entertainment/Films/ --db TheMovieDB 2>&1" ) );

foreach( $loglines as $logline )
{
  $line = trim( $logline );

  // drop filebot's progress chatter, keep what was actually renamed or failed
  if( $line == "" ) continue;
  if( preg_match( "/^Skipped.*$/", $line ) ) continue;
  if( preg_match( "/^Auto-detect movie from context.*$/", $line ) ) continue;
  if( preg_match( "/.*Rename movies using.*$/", $line ) ) continue;

  $ploglines[] = $line;
}

$frt = implode( "\r\n" , $ploglines );

$body = "Dear user,\n\n $frt \n\nSincerely,\nSynology DiskStation\n\n";
mail($email, 'DSM - Filebot Rename Report - Films', "$body");


// ---- Series: one sub-folder per show, matched against TheTVDB ----
if( file_exists( $log ) ) unlink( $log );
touch( $log );

if ($handle = opendir('/volume1/Entertainment/Series/'))
{
  while (false !== ($entry = readdir($handle)))
  {
    if ($entry == "." || $entry == "..") continue;

    $dir = "/volume1/Entertainment/Series/$entry/";
    if (!is_dir($dir)) continue;

    // escapeshellarg(): the folder name comes from the share, this runs as root
    // from cron, and a name containing quotes or $(...) would otherwise be
    // interpreted by the shell
    $cmd = "filebot -r -rename " . escapeshellarg( $dir ) . " --db TheTVDB 2>&1";
    $frt = shell_exec( $cmd );
    file_put_contents( $log, $frt . "\n\n", FILE_APPEND | LOCK_EX );
  }
  closedir($handle);
}

$ploglines = array();
$loglines = file( $log );

foreach( $loglines as $logline )
{
  $line = trim( $logline );

  if( $line == "" ) continue;
  if( preg_match( "/^Skipped.*$/", $line ) ) continue;
  if( preg_match( "/^Fetching episode data.*$/", $line ) ) continue;
  if( preg_match( "/^Processed.*$/", $line ) ) continue;
  if( preg_match( "/^Done.*$/", $line ) ) continue;
  if( preg_match( "/^Failure.*$/", $line ) ) continue;
  if( preg_match( "/^No media files.*$/", $line ) ) continue;

  $ploglines[] = $line;
}

$frt = implode( "\r\n" , $ploglines );

$body = "Dear user,\n\n $frt \n\nSincerely,\nSynology DiskStation\n\n";
mail($email, 'DSM - Filebot Rename Report - Series', "$body");

Subtitles scripts

<?php

$email = "you@yourdomain.com";

$log = "/volume1/homes/admin/cleanup/report-subtitles.txt";
if( file_exists( $log ) ) unlink( $log );
touch( $log );

// ---- Films ----
$fst = shell_exec( "filebot -script fn:suball /volume1/Entertainment/Films/ --lang en -non-strict 2>&1" );
$body = "Dear user,\n\n $fst \n\nSincerely,\nSynology DiskStation\n\n";
mail($email, 'DSM - Filebot Subtitles Report - Films', "$body");

// ---- Series: one sub-folder per show ----
if ($handle = opendir('/volume1/Entertainment/Series/'))
{
  while (false !== ($entry = readdir($handle)))
  {
    if ($entry == "." || $entry == "..") continue;

    $dir = "/volume1/Entertainment/Series/$entry/";
    if (!is_dir($dir)) continue;

    // same as the rename script: never interpolate a folder name into a shell command unescaped
    $cmd = "filebot -r -script fn:suball " . escapeshellarg( $dir ) . " --lang en -non-strict --db TheTVDB 2>&1";
    $frt = shell_exec( $cmd );
    file_put_contents( $log, $frt . "\n\n", FILE_APPEND | LOCK_EX );
  }
  closedir($handle);
}

$frt = file_get_contents( $log );
$body = "Dear user,\n\n $frt \n\nSincerely,\nSynology DiskStation\n\n";
mail($email, 'DSM - Filebot Subtitles Report - Series', "$body");

Cron Job

ash-4.3# cat /etc/crontab 
MAILTO=""
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin:/usr/local/sbin:/usr/local/bin
#minute hour    mday    month   wday    who     command
0       0       1       *       *       root    /usr/syno/bin/syno_disk_health_record
0       0       *       *       3       root    /usr/bin/php /var/services/homes/admin/cleanup/filebot-rename.php
0       0       *       *       5       root    /usr/bin/php /var/services/homes/admin/cleanup/filebot-subtitles.php
5       3       *       *       6       root    /usr/syno/bin/synomyds --report_info
0       3       *       *       1       root    /tmp/synoschedtask --run id=1
0       3       13      *       *       root    /tmp/synoschedtask --run id=2
11      2       *       *       4       root    /tmp/synoschedtask --run id=3