At the Eisenstadt Linux Weeks I learned about a really nice organisation called CaCert. CaCert issues free certificates of all kinds.

So I thought, let's get to it and make one of those for the server …. well, easier said than done, but nothing a bit of Googling couldn't figure out 🙂

Simple SSL cert HOWTO

– Make a new ssl private key:

Generate a new unencrypted rsa private key in PEM format:
openssl genrsa -out privkey.pem 1024
You can create an encrypted key by adding the -des3 option.

– To make a self-signed certificate:

Create a certificate signing request (CSR) using your rsa private key:
openssl req -new -key privkey.pem -out certreq.csr
( This is also the type of CSR you would create to send to a root CA for them to sign for you. )

Self-sign your CSR with your own private key:
openssl x509 -req -in certreq.csr -signkey privkey.pem -out newcert.pem

– To make a certificate signed by your own certificate authority (CA):

Configure /etc/ssl/openssl.cnf and use CA.pl to create the CA private key and certificate:
vi /etc/ssl/openssl.cnf
/usr/lib/ssl/misc/CA.pl -newca

Your copy of openssl.cnf and CA.pl may be located elsewhere.

Create an unsigned certificate using your rsa private key:
openssl req -new -x509 -key privkey.pem -out cert.pem
Use your private key and your certificate to make a CSR:
cat cert.pem privkey.pem | openssl x509 -x509toreq -signkey privkey.pem -out certreq.csr
Sign the certificate with the CA private key using the CSR you just made:
openssl ca -in certreq.csr -out newcert.pem
rm -f certreq.csr

– To install the signed certificate and private key for use by an ssl server:

The newcert.pem is the certificate signed by your local CA that you can then use in an ssl server:
( openssl x509 -in newcert.pem; cat privkey.pem ) > server.pem
ln -s server.pem `openssl x509 -hash -noout -in server.pem`.0 # dot-zero

( The server.pem is a PEM file that can be used by apache along with the hash file. )

You can view the contents of a CSR with:
openssl req -noout -text -in certreq.csr
You can view the contents of a certificate with:
openssl x509 -noout -text -in newcert.pem
You can display the MD5 fingerprint of a certificate with:
openssl x509 -fingerprint -noout -in newcert.pem
You can verify that your private key, CSR, and signed cert match by comparing:
openssl rsa -noout -modulus -in privkey.pem |openssl md5
openssl req -noout -modulus -in certreq.csr |openssl md5
openssl x509 -noout -modulus -in newcert.pem |openssl md5
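The key, CSR and self-signed certificate steps above, followed by the modulus comparison from the end of the HOWTO, as an added example that is not part of the original HOWTO. It assumes a 2048-bit key rather than the HOWTO's 1024 bits (1024-bit RSA is no longer adequate), a constructed subject /CN=example.test, and function names of my own.

```shell
#!/bin/sh
set -eu

# make_selfsigned DIR: writes privkey.pem, certreq.csr and newcert.pem into DIR,
# using the HOWTO's three commands with a fixed subject so no prompts appear
make_selfsigned() {
    dir=$1
    umask 077   # the private key is created readable by its owner only
    openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/privkey.pem" -out "$dir/certreq.csr" \
        -subj "/CN=example.test" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/certreq.csr" \
        -signkey "$dir/privkey.pem" -out "$dir/newcert.pem" 2>/dev/null
}

# modulus_of FILE: digest of the RSA modulus in a key, CSR or certificate; the
# openssl subcommand is chosen from the PEM header so one function serves all three
modulus_of() {
    case $(head -n 1 "$1") in
        *"PRIVATE KEY"*)         sub=rsa ;;
        *"CERTIFICATE REQUEST"*) sub=req ;;
        *"CERTIFICATE"*)         sub=x509 ;;
        *) echo "unknown PEM type in $1" >&2; return 1 ;;
    esac
    openssl "$sub" -noout -modulus -in "$1" | openssl sha256
}

# key_matches_cert DIR: succeeds only if key, CSR and certificate share one modulus
# (the HOWTO's three-way comparison, with sha256 in place of md5)
key_matches_cert() {
    k=$(modulus_of "$1/privkey.pem")
    r=$(modulus_of "$1/certreq.csr")
    c=$(modulus_of "$1/newcert.pem")
    [ "$k" = "$r" ] && [ "$r" = "$c" ]
}

# selfsigned_verifies DIR: a self-signed certificate validates against itself as CA file
selfsigned_verifies() {
    openssl verify -CAfile "$1/newcert.pem" "$1/newcert.pem" >/dev/null 2>&1
}
```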

I finally got around to building a few more entertaining HTTP error messages for the Apache here. The default ones are simply too boring. Hirschy was kind enough to supply me with a few nice sayings.

All errors are caught by a single script, which is passed the status code.
>>> Sourcecode

In Apache, all that remains is to add an entry in httpd.conf for each error message to be caught:

# Custom Response Messages
ErrorDocument 402 http://no-panic.at/error.php?e=402
ErrorDocument 403 http://no-panic.at/error.php?e=403
ErrorDocument 404 http://no-panic.at/error.php?e=404
ErrorDocument 405 http://no-panic.at/error.php?e=405
ErrorDocument 406 http://no-panic.at/error.php?e=406
ErrorDocument 407 http://no-panic.at/error.php?e=407
ErrorDocument 409 http://no-panic.at/error.php?e=409
ErrorDocument 410 http://no-panic.at/error.php?e=410
ErrorDocument 411 http://no-panic.at/error.php?e=411
ErrorDocument 414 http://no-panic.at/error.php?e=414
ErrorDocument 415 http://no-panic.at/error.php?e=415
ErrorDocument 417 http://no-panic.at/error.php?e=417

—————————————————–
Important!
The directive for error 401 MUST be a local redirect, because otherwise the correct response is not sent to the client and therefore presumably no password prompt appears.
—————————————————–

Unfortunately I found no way to accomplish this without an external redirect (via http://…) while still having it apply to all domains on this server. If anyone has ideas, I'd be very glad 🙂 (perhaps via mod_rewrite?).
With an internal redirect you have the advantage that a number of variables are set by the server right away, so you wouldn't even need to pass the response code via GET but could read it directly in PHP via $_SERVER['REDIRECT_STATUS']. In addition, a few other very interesting variables would be set that could then be processed further.

Finally, a few examples:

Suggestions for further error messages are welcome!
Also ideas on which images could be used for the respective messages.
Questions, wishes and above all additions/comments on the PHP code are expressly requested 😉

I'm running a mailserver using Virtual Exim. This is a very cool way to manage mail users in a MySQL database. (For a very good HOWTO, try this link. Only in German! 🙁 )
It is really easy to add new domains, alias domains etc., all in a rather convenient PHP-based web interface. As I started hosting a few domains for some friends, they started asking for a way to get mail from other accounts and fetch it into their IMAP account on my server. I knew that fetchmail could do that. The downside is that fetchmail requires system users, which would make the whole Virtual Exim thing useless again.
So I decided to hack my way through vexim and look for a way to implement fetchmail in the vexim web interface.

Outline of the whole idea:
Provide a form on the user page in vexim, where users can put in their fetchmail commands.
Save the individual fetchmail commands in separate files in a subdirectory of the vexim installation.
Write a shell script that looks for all the files in the subdir and assembles them into a single file. Then call fetchmail and point it at this file.
Voila! fetchmail gets all the users' mail and delivers it to their local mailboxes.

The following is my “quick & dirty” implementation:

  1. First make a new subdirectory for the individual fetchmail files and make it writable by the webserver process (www-data on Debian):
    mkdir fetchmail
    chown www-data:www-data fetchmail
  2. Then implement the new code in the userchange.php file of vexim at the appropriate place
    (I put it at the very end of the second form, right before the “Submit Profile” button, but still in the PHP block)

    # Fetchmail Hack
    $datafile = "fetchmail/".$_SESSION['user_id'].".fm";
    $output = "";
    if (file_exists($datafile)) {
        $output = join("", file($datafile));
        $output = stripslashes($output);
    }
    # The textarea is named "fetchmail" because userchangesubmit.php reads $_POST['fetchmail'].
    # The HTML tags were lost in this copy and are reconstructed here (rows/cols are a guess);
    # htmlspecialchars() keeps the stored text from being rendered as HTML.
    print "<br><b>Fetchmail:</b><br>\n";
    print "<textarea name=\"fetchmail\" rows=\"8\" cols=\"60\">".htmlspecialchars($output)."</textarea><br>\n";
    print "Sample:<br>\n<pre>\nserver post.isp.net\nproto pop3\n";
    print "user USERNAME-AT-YOUR-ISP is YOUR_ADRESS_HERE here\npassword SECRET\n</pre>\n";
    print "<b>Caution:</b> Mail will be fetched and immediately deleted from the remote server!<br>\n";
    print "Use the keep keyword if you do not want this.<br>\n";
    # end fetchmail hack

  3. Put the following in userchangesubmit.php right before "# Finally 'the rest' which is handled by the profile form"

    # Fetchmail Hack
    $file = "fetchmail/".$_SESSION['user_id'].".fm";
    if ($_POST['fetchmail']) {
        # NOTE: the text is handed to fetchmail as-is; fetchmail rc directives such as
        # mda run a command, so a production version should validate it before saving.
        if (!($handle = fopen($file, "w"))) {
            echo "couldn't open file ";
        } elseif (fwrite($handle, $_POST['fetchmail']) === false) {
            echo "couldn't write file ";
        }
        if ($handle) {
            fclose($handle);
        }
    } elseif (file_exists($file)) {
        unlink($file);   # an empty form field removes the user's fetchmail entry
    }
    # end fetchmail hack

  4. While editing this file I found a bug, which rendered all the form fields, except the two password fields at the top, on this page totally unusable.
    You have to find the following two lines:

    sa_tag={$_POST['sa_tag']},
    sa_refuse={$_POST['sa_refuse']},


    and change them to:
    sa_tag='{$_POST['sa_tag']}',
    sa_refuse='{$_POST['sa_refuse']}',

    otherwise the SQL query will always return an error.

  5. Now the last part:
    Save the following little shell script; I named mine fetchme

    #!/bin/bash
    
    # the assembled file holds every user's mail password, so never create it world-readable
    umask 077
    
    # remove old file
    rm -f fetch_out
    
    # assembling file: fetch_out
    for file in /htdocs/vexim/fetchmail/* ; do
        cat "$file" >> fetch_out
        echo " " >> fetch_out
        echo " " >> fetch_out
    done
    
    # chmodding
    chmod 600 fetch_out
    
    # now fetching
    fetchmail -s -f fetch_out
    

  6. Lastly you only have to fire up a cron job to run the script every five minutes or so.
  7. Please feel free to comment and add enhancements.
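A version of the fetchme assembly step that checks each user's fragment before it goes into the combined file, as an added example rather than the post's own script. Since the fragments are text typed into the web form, and fetchmail's rc syntax includes directives that run a command (mda, plugin, plugout, preconnect, postconnect), fragments containing any of those are skipped instead of being passed to fetchmail; the source directory is the post's, while the function names and the output path are my own.

```shell
#!/bin/sh
set -eu

# rc_is_safe FILE: succeeds unless the fragment contains a fetchmail directive that
# executes a command; the word boundaries keep e.g. a username like "amanda" from matching
rc_is_safe() {
    ! grep -Eiq '(^|[^[:alnum:]_])(mda|plugin|plugout|preconnect|postconnect)([^[:alnum:]_]|$)' "$1"
}

# assemble_rc SRC_DIR OUT: concatenate the safe fragments into OUT, which is created
# with mode 0600 from the start (umask) instead of being chmod'ed after the passwords
# have already been written; rejected fragments are reported on stderr
assemble_rc() {
    src=$1; out=$2
    umask 077
    : > "$out"
    for f in "$src"/*.fm; do
        [ -f "$f" ] || continue
        if rc_is_safe "$f"; then
            cat "$f" >> "$out"
            printf '\n\n' >> "$out"
        else
            echo "skipping $f: contains a command-executing directive" >&2
        fi
    done
}

# count_pollers FILE: number of poll/server/skip entries that made it into the rc file
count_pollers() {
    grep -Eic '^[[:space:]]*(poll|server|skip)[[:space:]]' "$1" || true
}

# Cron usage (assumed output path): assemble, then run fetchmail on the result, e.g.
#   assemble_rc /htdocs/vexim/fetchmail /var/lib/fetchme/fetch_out && fetchmail -s -f /var/lib/fetchme/fetch_out
```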

After a lot of trying and searching, I finally found a simple and easy-to-understand HOWTO for getting SSH to stop asking me for a password every time I log in.

# On your local machine
$ ssh-keygen -t dsa
$ cd ~/.ssh
# for safe keeping
$ mv id_dsa.pub id_dsa.your_machine.pub
# Log in to the remote machine and create your .ssh key there
$ ssh remote_machine
$ ssh-keygen -t dsa
$ exit

# Back on your local machine
$ scp id_dsa.your_machine.pub remote_machine:.ssh/.

# Back to the remote machine
$ ssh remote_machine
$ cd .ssh
$ cat id_dsa.your_machine.pub >> authorized_keys2
$ chmod 600 authorized_keys2
$ exit

… it can be that easy once you know how 🙂
Of course this works not only on Linux systems, but also without any problems on my iBook under OS X.