<p>apt-get a life: posts tagged security, by David Kalnischkies (<a href="https://david.kalnischkies.de/blog/tags/security">https://david.kalnischkies.de/blog/tags/security</a>)</p>
<h2>the new apt-transport-tor</h2>
<p><small>Published 2016-10-01T16:49:26Z</small></p>
<figure>
<img alt='sliced red onions' width='480' height='320' src='https://david.kalnischkies.de/blog/2016/the_new_apt-transport-tor-small.jpg' title='As if me having upload rights wouldn&#39;t be enough to make people cry' />
<figcaption class="credits"><a href="https://pixabay.com/photos/onion-red-onion-raw-antibacterial-2699531/">Image by ulleo on pixabay</a></figcaption>
</figure>
<p>It happened: Now that I have been an uploading DD for a few months, I finally
made <a href="https://tracker.debian.org/news/801620">my first upload</a> of
a package – mind you, not of apt, but of a package I declared my intent
to "steal" from another person a few weeks ago on
<a href="https://lists.debian.org/deity/2016/08/msg00012.html">deity@</a> and
later also in a bug report (#835128).</p>
<p>The result is that apt-transport-tor, which used to be maintained by Tim
Retout as a modified copy of apt code, is now maintained by the APT team
(with him and me as uploaders) using the apt code directly via a few
symlinks.</p>
<p>That brings along a bunch of changes which I mentioned in the list/bug
as well, but for completeness:</p>
<ul>
<li>tor+https options consistently fall back to tor -> https -> http</li>
<li>tor+http options consistently fall back to tor -> http</li>
<li>socks5h isn't forced. It is just the default (and at the moment the only
proxy type which will work with (tor+)http; any proxy type works with tor+https)</li>
<li>a tor-proxy having apt-transport-tor as username & no password
(default) will automatically pick a password based on the target
host to get you in a new circuit for each host.</li>
<li>the User-Agent isn't forced to an all-tor-users-have-the-same value.
Especially with tor+http being our normal http, I think it's better to
"hide" among other http users than to say straight out that you are
a tor user (even if the IP gives it away that you are).</li>
<li>tor+https doesn't allow redirection to tor+http. We have had this for
https -> http for a while already (-tor "broke" it). I think if a user
went as far as configuring an https source it should stay an https
source or fail.</li>
<li>http/https can be disabled to avoid accidentally adding such sources</li>
<li>http will not try to connect to .onion domains (RFC7687) and the error
hints at using tor+http</li>
<li>the methods run as <code>_apt</code> instead of <code>root</code> (like the rest of the apt methods)</li>
</ul>
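To make the option fallback chains and the .onion refusal from the list above concrete, here is an added example (not code from apt or apt-transport-tor) that resolves an option along the chain a given scheme consults and lints sources.list lines the way the described http method behaves. The <code>Acquire::tor+https</code>, <code>Acquire::tor+http</code> and <code>Acquire::tor</code> namespaces are assumed from the post's description; <code>Acquire::http::Proxy</code> and <code>Acquire::https::Proxy</code> are ordinary apt options, and all sample data is constructed.

```python
from urllib.parse import urlsplit

# Lookup order per scheme as described in the post: a tor+https source
# consults tor+https, then tor, then https, then http. The tor+https,
# tor+http and tor namespaces are assumed from the post, not verified
# against apt's configuration documentation.
FALLBACK = {
    "tor+https": ("tor+https", "tor", "https", "http"),
    "tor+http": ("tor+http", "tor", "http"),
    "https": ("https", "http"),
    "http": ("http",),
}


def resolve_option(config, scheme, option):
    """Return (key, value) of the first Acquire::<ns>::<option> set along the chain."""
    for namespace in FALLBACK[scheme]:
        key = "Acquire::%s::%s" % (namespace, option)
        if key in config:
            return key, config[key]
    return None, None


def redirect_allowed(from_scheme, to_scheme):
    """The post's rule: an https flavour never follows a redirect to an http flavour.
    Other transitions are not covered by the post and are left permitted here."""
    return not (from_scheme.endswith("https") and to_scheme.endswith("http"))


def lint_source(line):
    """Flag a sources.list entry that the described http/https method would refuse."""
    parts = line.split()
    if len(parts) < 3 or parts[0] not in ("deb", "deb-src"):
        return []
    url = urlsplit(parts[1])
    if url.scheme not in FALLBACK:
        return ["unknown scheme %r" % url.scheme]
    host = url.hostname or ""
    if host.endswith(".onion") and not url.scheme.startswith("tor+"):
        return ["%s: .onion hosts are refused by %s (RFC 7687); use tor+%s"
                % (host, url.scheme, url.scheme)]
    return []


# Constructed sample configuration: tor's default SOCKS port, the username
# the post says triggers per-host circuit isolation, and no password.
SAMPLE_CONFIG = {
    "Acquire::http::Proxy": "socks5h://apt-transport-tor@localhost:9050",
    "Acquire::https::Proxy": "socks5h://apt-transport-tor@localhost:9050",
}
```

With that configuration a <code>tor+https</code> source ends up using <code>Acquire::https::Proxy</code>, which is exactly the "fall back to https" step from the list.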
<p>I had tried a few times to get people to provide feedback, but there
wasn't much. I guess this is good as it means nobody has any complaints
about it. We will see if that will change now that it is on its way to
the archive, buildds, mirrors and users: Brace for impact in any case!</p>
<p><small><a rel="canonical" href="https://david.kalnischkies.de/blog/2016/the_new_apt-transport-tor">This article</a> was written by David Kalnischkies on <a href="https://david.kalnischkies.de">apt-get a life</a> and republished here by pulling it from a syndication feed. You should check there for updates and more articles about apt, debian and security.</small></p>
<h2>SPF, DKIM and DMARC</h2>
<p><small>Published 2016-05-15T12:27:39Z</small></p>
<figure>
<img alt='hand drawing lots and lots of letters' width='480' height='120' src='https://david.kalnischkies.de/blog/2016/SPF_DKIM_DMARC-small.jpg' title='Handwritten letters are so much better than mails' />
<figcaption class="credits"><a href="https://pixabay.com/illustrations/letters-email-mail-hand-write-2794672/">Image by geralt on pixabay</a></figcaption>
</figure>
<p>I have signed all my mails with GPG for a few years now. Besides the huge
hypothetical boner and the moral high ground this provides, it is also
nice to get some minor benefits like a ham bonus on Debian mailing lists
(even if <a href="https://xkcd.com/1181/">we all know how that is implemented</a>).</p>
<p>It is hard to believe sometimes, but I don't send mails to Debian only,
though. Sometimes I get questions about what that strange attachment is
that nobody can open. It's okay though, I don't blame them.</p>
<p>What I can't tolerate though is mails from me ending up in Spam because
I don't send mails from one of the big (free) mail providers (and send to
a bunch of people all at once). There are a bunch of options available
to make my mails look a bit more legit even for those mail servers which
don't understand gpg, in the form of
<a href="https://en.wikipedia.org/wiki/Sender_Policy_Framework">SPF</a>,
<a href="https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail">DKIM</a> and
<a href="https://en.wikipedia.org/wiki/DMARC">DMARC</a>. The bonus they provide
isn't huge (if not non-existent) and there are problems and shortcomings
involved I don't have to deal with with gpg signing, but the things you
do to avoid having to hear a "let's all just use
a facebook/whatsapp/whatever group for communication"…</p>
<p>[note that I have added most of this to kalnischkies.de, but the setup
was initially set up for and tested on another domain – I will just say
example.org here to not have you confused by blog post vs. reality]</p>
<h3>SPF</h3>
<p>Easy to do if you have just one place you send mails from – which in my
case is true as I send mails by letting msmtp connect to the SMTP of my
hoster, which for rough emergencies also has a web frontend, so all I had
to do is add a TXT record in DNS: "v=spf1 mx -all".</p>
<p>And as I have subdomains (for mailing lists mainly) which send mails,
too, add "v=spf1 mx:example.org -all" for all these subdomains as well.
Additionally, if you have subdomains which do not send mails, you can
say that they all should fail SPF unconditionally: "v=spf1 -all" (you
can set this also for subdomains you don't have, but spammers use
anyhow).</p>
<h3>DKIM</h3>
<p>Is a bit harder. My host's SMTP doesn't support it (they are equally
dubious of its usefulness as I am), but don't fear: I can add a DKIM
signature locally before passing it on to the host's SMTP! Arch user
2ion has <a href="https://bbs.archlinux.org/viewtopic.php?pid=1617714#p1617714">documented his
setup</a> and
mine is rather similar, just that I installed python3-dkim, took
<a href="https://anonscm.debian.org/cgit/python-modules/packages/dkimpy.git/tree/dkimsign.py">dkimsign.py</a>
from git (changing the interpreter to python3) and adapted my already
existing sendmail wrapper [= a "forgot to attach the attachment" detection
script] to use that python script.</p>
<p>Of course, I had to generate some private keys for this exercise. I used
"opendkim-genkey -b 2048 -d example.org -s mail" for that (the default
key length is 1024 – the spec seems to suggest that implementations are
required to support up to 2048, so if I have to do it, let's do it big).
The "-s mail" part (the selector) is freely choosable by the way, for key rollovers and
such. Besides the private key, that command also generates a text file
which contains what has to be added as another TXT record in DNS.</p>
<h3>DMARC</h3>
<p>That's easy again: yet another TXT record in DNS: "v=DMARC1; p=none".
I think I will eventually use stricter settings and might even
explore the report facilities, but for now that seems to work okayish.</p>
<h3>Testing</h3>
<p>Sending mails to a Google Mail account (as they make use of those
features and add the results to mail headers) can tell you if it's working.
<a href="http://mail-tester.com/">Mail-Tester</a> is also a nice service to test
your setup (even though it targets mostly newsletter creators) which
tests various details, presents them in a friendly way and even gives some tips (if
it works, that is; sometimes it seems to have problems).</p>
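Before handing mails to an external tester, the three TXT records from the steps above can be sanity-checked locally. The following is an added example (not the post's own scripts) that parses SPF, DKIM and DMARC records and reports what a receiving server would consider weak, such as the <code>p=none</code> policy the post starts with. The records are constructed to match the post (selector <code>mail</code>, hence <code>mail._domainkey.example.org</code>); the DKIM <code>p=</code> value is a placeholder, not a real key.

```python
# Added example: local assessment of constructed SPF/DKIM/DMARC TXT records.

def parse_spf(txt):
    """Split an SPF record into its mechanisms and the qualifier of 'all'."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % txt)
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"                      # SPF default when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, all_qualifier


def parse_tags(txt):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def assess(spf, dkim, dmarc):
    """Return a list of weaknesses a receiver would notice in these records."""
    findings = []
    _, all_qualifier = parse_spf(spf)
    if all_qualifier != "-":                 # '-all' is the hard fail the post uses
        findings.append("spf: 'all' is %r, unlisted senders are not hard-failed" % all_qualifier)
    k = parse_tags(dkim)
    if not k.get("p"):                       # empty p= means the selector is revoked
        findings.append("dkim: empty p=, selector is revoked")
    d = parse_tags(dmarc)
    if d.get("v") != "DMARC1" or "p" not in d:
        findings.append("dmarc: v=DMARC1 and p= are mandatory")
    elif d["p"] == "none":
        findings.append("dmarc: p=none only monitors, failures are still delivered")
    if "rua" not in d:
        findings.append("dmarc: no rua=, aggregate reports go nowhere")
    return findings


# Constructed records mirroring the post; p= is a placeholder, not a key.
RECORDS = {
    "example.org": "v=spf1 mx -all",
    "mail._domainkey.example.org": "v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY",
    "_dmarc.example.org": "v=DMARC1; p=none",
}
```

Running <code>assess()</code> over <code>RECORDS</code> reports only the two DMARC points (monitor-only policy, no report address), which is the "stricter settings" and "report facilities" follow-up the post mentions.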
<h3>Summary</h3>
<p>A bit of busy work, and I see how that could be oh so much more complex
if I had a different setup, but in the one I have it seems to
have a very slight net benefit, even if I would like to not need it in
the first place…</p>
<p>On the upside, it gives me another bunch of ham bonus points on Debian
mailing lists, which means I can probably spam quite a bit now… <span class="emoji" data-unicode="1F609" title=";)">😉</span></p>
<p>I just hope I also get enough bonus points on the setups I was setting this
up for…</p>
<p><small><a rel="canonical" href="https://david.kalnischkies.de/blog/2016/SPF_DKIM_DMARC">This article</a> was written by David Kalnischkies on <a href="https://david.kalnischkies.de">apt-get a life</a> and republished here by pulling it from a syndication feed. You should check there for updates and more articles about mail and security.</small></p>