Avira Antivirus E-Mail “security”

 VirusScan, Windows  Comments Off on Avira Antivirus E-Mail “security”
Oct 292014
 

The current Avira Antivirus has got a module it calls “Internet security” which in turn has an option for e-mail security.

What it does is capturing all connections to POP3, IMAP and SMTP servers and scanning them for viruses. That sounds good until you find, that your e-mail client stopped working even though you haven’t changed anything in its configuration.

Why is that? It’s because of this e-mail “security” feature. If you are using encrypted transport (START TLS or SSL/TLS), Avira cannot read the traffic and blocks it! This is so stupid, there must be an award for it somewhere.

To work around this, you can of course

  • disable the e-mail security feature
  • disable transport encryption

The first has the drawback that Avira now complains that your computer is not secure. The second has the drawback that your e-mails can be read by everybody who can access your connection to the server. So both options aren’t really solutions. If Avira forces you to do that (e.g. if the following doesn’t work for you because your mail server does not have alternative ports for encrypted connections), your computer is actually less secure than without Avira e-mail “security”.

Then there is the third option: Don’t use the default SMTP (25), POP3 (110) and IMAP (143) ports but use different ones, e.g. the ones that are reserved for encrypted transports:

  • SMTPS: 465
  • POP3S: 995
  • IMAPS: 993

Unfortunately that means your mail servers must support these protocols / ports. E.g. if you are using postfix you have to change / uncomment the following lines in the /etc/postfix/master.cf file:

smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

And, or course, restart postfix.

The same applies to your POP3 or IMAP server.

If you can’t do that and your e-mail provider doesn’t support this, tough luck!

In addition, you must change the configuration in your e-mail client. In Thunderbird that’s pretty much straight forward:

WARNING: I will not fix your computer if you break it even if you followed my instructions. It’s your own responsibility. Making a mistake in the Thunderbird configuration will prevent it from receiving and/or sending e-mails.

  • Open the account settings dialog.
  • Select “Server Settings”.
  • Under Connection Security, select SSL/TLS (preferred) or STARTTLS, depending on what your server supports.
  • The port number will change automatically. If it doesn’t or your server does not use the default ports for encrypted transport, change the port number.
  • Select “Outgoing Server (SMTP)” (it’s down, below “Local Folders”).
  • Edit the entry you want to change (usually there is only one).
  • Change Connection Security to SSL/TLS (preferred) or STARTTLS, depending on what your server supports.
  • The port number will change automatically. If it doesn’t or your server does not use the default ports for encrypted transport, change the port number.

Now test it and have fun.

 Posted by on 2014-10-29 at 18:59

Fighting Secure Boot

 Windows, Windows 8.1  Comments Off on Fighting Secure Boot
Oct 232014
 

I have bought an Acer Extensa notebook after reading the under 300 Euros notebooks test in the latest c’t magazine where it came up as the winner regarding battery life and the rest wasn’t too bad either. I chose the 4 GB model so it won’t thrash the hd all the time. The Extensa comes pre-installed with Windows 8.1 and – as so many computers nowadays comes without an install medium and also without a user’s manual. (The link given in the short setup guide for downloading the manual http://go.acer.com/?id=17833 leads to a non-functional site. Not very user friendly in my book.)

Now, what is the first thing you do, when you get a new computer which comes pre-installed with an operating system but does not come with an install medium? I for one, make a backup, preferably an image backup of the whole hard disk using Clonezilla. Since this is my image backup tool of choice I carry it with me on a USB stick almost all the time (Hey, I work in IT, so it’s pretty much normal to carry USB sticks and other stuff. 😉 ). So I plugged that USB stick into the notebook and booted it up. It went straight into the Windows 8.1 setup screen. 🙁

So I tried to get a boot menu. Perusing Google told me that Acer notebooks use F12 for the boot menu. Unfortunately this didn’t work. Windows 8.1 setup again. 🙁

Next, I tried to get into the BIOS, or whatever the UEFI stuff nowadays calls this tool. The usual DEL key didn’t work but after several reboots and key presses I ended up in some windows boot menu that allowed me to boot from an USB stick. Only, it didn’t. It told me there was a secure boot failure and stopped.

Turning the computer off and on again, this time I apparently got the BIOS setup key right: F2 (It didn’t work the first several times I tried it, why?) I got something called “Insydeh” which looked like a BIOS of old. And there it was: An option to turn off “secure boot”, only it was disabled. I could only switch to BIOS mode which I didn’t want to. WTF?

Google to the rescue again: To turn off secure boot, you first must set a supervisor password. So I did that, came back to the secure boot screen and lo and behold, the option to turn it off was enabled now. After turning it off, I could clear the supervisor password and the option was still enabled. Another setting I changed was the F12 boot menu. It was disabled by default so I enabled it.

Save and reboot, press F12 and – voila – a boot menu which finally allowed me to boot Clonezilla from my USB stick. The backup is running now.

Praise Microsoft for requiring PC manufacturers to have an option to turn off secure boot if they want to be Windows 8 compliant (I wonder whether that will still be a requirement for Windows 10, though.). But curse Microsoft and the bloody PC manufacturers to come up with the pretty much useless secure boot feature at all. It’s my computer, I paid for it, so it should be my choice to install whatever operating system I want on it!

 Posted by on 2014-10-23 at 20:26

mounting a Samba share

 Linux  Comments Off on mounting a Samba share
Oct 092014
 

The Linux mount command can also access Samba (Windows) shares, but in contrast to the smbclient command it does not do a Netbios based lookup for machine names. So while

smbclient //server/share

will work, the corresponding

mount -t cifs //server/share /mnt/point

will tell you that it can’t resolve the host name (unless you add the host to your hosts file or it can be looked up via dns).

This StackExchange answer pointed me in the right direction:

There is a command for actually doing that lookup. It’s called nmblookup.
It returns the IP address of the server like this:

nmblookup server
192.168.1.234 server<00>

While this is fine for manually looking it up, if you want to mount a share multiple times or in shell script, this won’t do because you need the IP address only, not the suffix after it.

It gets even worse if the machine in question has more than one IP address:

nmblookup server2
192.168.1.234 server2<00> 192.168.2.234 server2<00>

Bash to the rescue (I found that solution via this StackOverflow question and this article.)

#!/bin/bash
MACHINE=$1
shift  # Remove machine name from argument list

SHARE=$1
shift  # Remove share name from argument list

# nmblookup the machine
RES=$(nmblookup $MACHINE)
#echo "RES=\""${RES}"\""

# remove everything but the ip address
# note that this will not return anything meaningful
# if nmblookup returns an error (e.g. cannot find the machine)
IP=${RES%% $MACHINE*}
#echo "IP=\""${IP}"\""

# Mount smbclient share (passing any arguments on to smbmount
mount -t cifs -r //${IP}/${SHARE} "$@"

Put this code into a file, e.g.

/usr/local/bin/mount-win-share

and call it like

mount-win-share server share /mnt/point

If you add additional parameters or options, they will be passed on to mount.

 Posted by on 2014-10-09 at 18:18

Creating a new RAID 5

 Linux  Comments Off on Creating a new RAID 5
Oct 082014
 

Another reminder to myself, so I don’t forget it again.

Warning: Use this on your own risk! You might lose all the data stored on any of the hard disk drives if you make a mistake!

To create a new raid, all the disks must be partitioned first.

To actually create the RAID we need the tool mdadm which is not installed (on Ubuntu Server) by default.

apt-get install mdadm

This will also install a few dependencies, in particular it will install a mail transfer agent (MTA, postfix in my case). This MTA needs to be configured so it can send e-mails to the administrator (root).

Creating the raid is as easy as typing:

mdadm --create /dev/md0 --level=5 --raid-devices=4 /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1

Mdadm might detect that the disks have already been used in a different raid and will warn you. It then gives you the option to continue creating a new array or not.

Create an ext3 file system on the newly created RAID device with the label “daten1”:

mkfs --type=ext3 -L daten1 /dev/md0

This takes quite a while.

To automatically start the RAID, it must be added to mdadm.conf:

mdadm -Es | grep md[0-9]  >>/etc/mdadm/mdadm.conf

Note that this will append to mdadm.conf, so if you execute it multiple times you will get duplicate entries. So make sure to check the file afterwards.

To mount the partition, it must be added to /etc/fstab like this:

/dev/md0    /mnt/daten1   ext3    defaults,noauto

noauto means that it should not be mounted automatically on boot. This is a safeguard against boot failures on headless servers. If any of the automatically mounted devices fails. We don’t reboot our servers very often so we will just ssh into it after reboot and mount the partition manually with

mount /mnt/daten1

To check the RAID status, use

cat /proc/mdstat
 Posted by on 2014-10-08 at 12:18

Using parted to partition a drive

 Linux  Comments Off on Using parted to partition a drive
Oct 082014
 

This is just a reminder to myself so I don’t forget again.

Warning: Use this on your own risk! You might lose all the data stored on any of the hard disk drives if you make a mistake!

On Linux hard drives > 2 GB must be partitioned with parted and a partition table in gpt format.

Create a new gpt partition table (deleting the entire drive!):

parted /dev/sdX mklabel gpt

Create a new partition spanning the entire drive and using optimal alignment:

parted -a opt /dev/sdX mkpart primary 0% 100%

Set a partition’s raid flag:

parted /dev/sdX set 1 raid on
 Posted by on 2014-10-08 at 11:19