exim4 smarthost smtp password
Note to self:
To send mail through a smarthost that requires authentication, edit /etc/exim4/passwd.client. Mine looks like this:
# password file used when the local exim is authenticating to a remote
# host as a client.
#
# see exim4_passwd_client(5) for more documentation
#
# Example:
### target.mail.server.example:login:password
*:myusername:myawfullylongpassword
Here I added a username and password for all target mail servers (*) because this host sends everything through the smarthost.
If yours does not, be more specific, as in the commented example: the first field is a host name pattern that is matched against the name of the server exim is connecting to, so * matches every host and a plain host name matches only that one.
Surprisingly, there is no need to reload or restart exim4 after modifying the passwd.client file: the lookup happens at delivery time, so the next delivery picks up the change.
Two things worth checking, since the password is stored in clear: keep the file readable only by root and the Debian-exim group (mode 640, which is how Debian installs it), and make sure the connection to the smarthost uses TLS, otherwise the PLAIN/LOGIN credentials cross the wire unencrypted.
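To see which entry exim would pick for a given smarthost and whether the file's permissions are sane, here is an added example (not from the original post). Debian's exim4 configuration looks the target host's name up in passwd.client with a wildcard lsearch (keys such as "*" or "*.example.com"); the lookup below approximates that with shell pattern matching. The file contents, host names and credentials in the demo are constructed sample inputs.

```shell
#!/bin/sh
# Added example: resolve a passwd.client entry the way exim's wildcard lookup
# would, and refuse a file that is readable by others. Sample data is constructed.

# passwd_client_lookup FILE HOST: print "login:password" from the first entry
# whose host pattern matches HOST; fail if none matches.
passwd_client_lookup() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac     # skip blank and comment lines
        pattern=${line%%:*}                          # first field: host pattern
        creds=${line#*:}                             # remainder: login:password
        case $2 in $pattern) printf '%s\n' "$creds"; return 0 ;; esac
    done < "$1"
    return 1
}

# passwd_client_check FILE: the password is stored in clear, so refuse any mode
# that gives "other" access; Debian installs the file as root:Debian-exim 0640.
passwd_client_check() {
    mode=$(stat -c '%a' "$1") || return 1
    case $mode in
        *[1-7]) echo "$1: mode $mode is readable by others" >&2; return 1 ;;
    esac
    return 0
}

# Demo with a constructed file (removed again at the end)
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# host pattern:login:password
target.mail.server.example:login:password
*.example.net:relayuser:relaypass
*:myusername:myawfullylongpassword
EOF
chmod 640 "$tmp"
for host in target.mail.server.example smtp.example.net mail.example.org; do
    printf '%-28s -> %s\n' "$host" "$(passwd_client_lookup "$tmp" "$host")"
done
passwd_client_check "$tmp" && echo "permissions ok"
rm -f "$tmp"
```

Run passwd_client_check against the real /etc/exim4/passwd.client after editing it; a 644 file means every local user can read the smarthost password.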
Use OpenDNS with Smoothwall Express 3.x
If you're using DHCP to get your public IP, Smoothwall doesn't let you override the DNS servers your ISP hands out over DHCP. Time to override Smoothwall.
Edit /etc/rc.d/rc.updatered and add "DNSMASQ_DNS1=208.67.222.222" and "DNSMASQ_DNS2=208.67.220.220" at the bottom of the DHCP section, so the file looks like this (the two added lines come after the ones that read the ISP's servers, which is what makes them win):
#!/bin/sh
. /var/smoothwall/ethernet/settings
if [ "$RED_TYPE" = "DHCP" ]; then
DNSMASQ_DNS1=`/usr/bin/smoothwall/getdnsfromdhcpc.pl 1`
DNSMASQ_DNS2=`/usr/bin/smoothwall/getdnsfromdhcpc.pl 2`
. /var/lib/dhcpc/dhcpcd-${RED_DEV}.info
echo "$IPADDR" >/var/smoothwall/red/local-ipaddress
echo "$GATEWAY" >/var/smoothwall/red/remote-ipaddress
DNSMASQ_DNS1=208.67.222.222   # added: OpenDNS, overrides the values read above
DNSMASQ_DNS2=208.67.220.220   # added
elif [ "$RED_TYPE" = "STATIC" ]; then
DNSMASQ_DNS1=$DNS1
DNSMASQ_DNS2=$DNS2
echo "$RED_ADDRESS" >/var/smoothwall/red/local-ipaddress
echo "$DEFAULT_GATEWAY" >/var/smoothwall/red/remote-ipaddress
fi
echo -n "$RED_DEV" >/var/smoothwall/red/iface
touch /var/smoothwall/red/active
echo "$DNSMASQ_DNS1" >/var/smoothwall/red/dns1
echo "$DNSMASQ_DNS2" >/var/smoothwall/red/dns2
/usr/bin/smoothcom dnsproxyrestart $DNSMASQ_DNS1 $DNSMASQ_DNS2
/usr/bin/smoothcom setxtaccess
/usr/bin/smoothcom setincoming
/usr/bin/smoothcom snortrestart
/usr/bin/smoothcom upnpdrestart
/usr/bin/smoothcom trafficrestart
/usr/bin/smoothwall/setddns.pl
/usr/bin/smoothwall/updatelists.pl
/etc/rc.d/rc.vpn.up
/etc/rc.d/rc.machineregister
The next time your Smoothwall connects, the values you just put in will override the ones from your ISP. Reboot or reconnect to apply, then check /var/smoothwall/red/dns1 and dns2, which this script writes, to confirm the OpenDNS addresses are in use. Keep in mind that the override lives in a file that belongs to Smoothwall, so an update that replaces rc.updatered silently undoes it; check the file again after updating.
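Since the edit has to be redone whenever rc.updatered is replaced, here is an added example (not part of the original post) that applies the override idempotently and checks that it landed inside the DHCP branch. It assumes the file layout shown above, with the line that writes remote-ipaddress inside the DHCP branch followed later by "elif"; the file path is a parameter so you can try it on a copy first.

```shell
#!/bin/sh
# Added example: insert the OpenDNS override into rc.updatered exactly once.
# Assumes the file layout shown in the post; try it on a copy of the file first.

OPENDNS1=208.67.222.222
OPENDNS2=208.67.220.220

# add_dns_override FILE: insert the two lines after the DHCP branch's
# remote-ipaddress line, unless they are already present.
add_dns_override() {
    if grep -q "^DNSMASQ_DNS1=$OPENDNS1\$" "$1"; then
        echo "$1: override already present"
        return 0
    fi
    awk -v d1="$OPENDNS1" -v d2="$OPENDNS2" '
        { print }
        !inserted && /echo "\$GATEWAY" >\/var\/smoothwall\/red\/remote-ipaddress/ {
            print "DNSMASQ_DNS1=" d1
            print "DNSMASQ_DNS2=" d2
            inserted = 1
        }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# dns_override_ok FILE: both lines present exactly once, and before the "elif"
# that starts the STATIC branch (so they only apply to DHCP).
dns_override_ok() {
    [ "$(grep -c "^DNSMASQ_DNS1=$OPENDNS1\$" "$1")" -eq 1 ] &&
    [ "$(grep -c "^DNSMASQ_DNS2=$OPENDNS2\$" "$1")" -eq 1 ] &&
    awk -v d1="$OPENDNS1" '$0 == "DNSMASQ_DNS1=" d1 { seen = 1 } /^elif/ { exit !seen }' "$1"
}

# Usage: ./this-script /etc/rc.d/rc.updatered
for f in "$@"; do
    add_dns_override "$f" && dns_override_ok "$f" && echo "$f: override in place"
done
```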
What’s touching that config file?!
Recently I started wondering what the heck was putting "root: bolt" at the end of /etc/aliases "every time" I did an upgrade of something.
I asked #debian on irc.freenode.net, who told me to run this:
grep /etc/aliases /var/lib/dpkg/info/*postinst
What this does is look through every file in /var/lib/dpkg/info/ whose name ends in "postinst" (the scripts dpkg runs after installing or upgrading a package) and print each line containing "/etc/aliases", prefixed with the script it came from. A file that a maintainer script generates rather than ships is not listed by "dpkg -S", so grepping the scripts is the way to find the culprit.
The result was this:
$ grep /etc/aliases /var/lib/dpkg/info/*postinst
/var/lib/dpkg/info/exim4-config.postinst: echo "root: ${poma}" >> /etc/aliases
/var/lib/dpkg/info/exim4-config.postinst:#initialize /etc/aliases
/var/lib/dpkg/info/exim4-config.postinst:echo '# /etc/aliases' > /etc/aliases.tmp
/var/lib/dpkg/info/exim4-config.postinst:echo 'mailer-daemon: postmaster' >> /etc/aliases.tmp
/var/lib/dpkg/info/exim4-config.postinst:done >> /etc/aliases.tmp
/var/lib/dpkg/info/exim4-config.postinst:mv /etc/aliases.tmp /etc/aliases
/var/lib/dpkg/info/exim4-config.postinst: if [ ! -e /etc/aliases ] ; then
/var/lib/dpkg/info/exim4-config.postinst: if ! grep -q '^root:[[:space:]]*[[:alnum:]]' /etc/aliases && \
This tells you a lot of things. Firstly, exim4-config is the culprit: each time it is configured, on install or upgrade, it appends "root: bolt" (or whoever you set as postmaster in exim4) to the end of the file unless a root alias already exists. Look at the last line: it greps for a line starting with "root:", optionally followed by whitespace ([[:space:]]* matches zero or more), then at least one alphanumeric character. A commented-out "# root: bolt" does not match, and neither does a bare "root:" with nothing after it.
This means that if I, instead of removing or commenting the "root: bolt" line, replace it with "root: root", directing all of root's mail... to root, there will be a line matching the aforementioned description, and exim4's postinst script will leave /etc/aliases alone.
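The same grep can be wrapped into a small tool, as an added example (not from the original post): one function searches all four kinds of maintainer script for a path, the other applies exactly the test exim4-config.postinst uses, so you can see which forms of the root line satisfy it before editing the real file. The info directory and the files the demo creates are constructed sample inputs; on a real system call who_touches with just the path and it searches /var/lib/dpkg/info.

```shell
#!/bin/sh
# Added example: find maintainer scripts that mention a file, and reproduce the
# root-alias check from exim4-config.postinst. Demo data below is constructed.

# who_touches PATH [INFO_DIR]: maintainer scripts (pre/post inst/rm) mentioning PATH
who_touches() {
    dir=${2:-/var/lib/dpkg/info}
    grep -l -F -- "$1" "$dir"/*.preinst "$dir"/*.postinst \
        "$dir"/*.prerm "$dir"/*.postrm 2>/dev/null
}

# root_alias_set FILE: the postinst's own test: a line starting with "root:",
# optional whitespace, then at least one alphanumeric character.
root_alias_set() {
    grep -q '^root:[[:space:]]*[[:alnum:]]' "$1"
}

# Demo with constructed files (removed again at the end)
d=$(mktemp -d)
mkdir "$d/info"
printf 'echo "root: ${poma}" >> /etc/aliases\n' > "$d/info/exim4-config.postinst"
printf 'echo nothing to see here\n' > "$d/info/other.postinst"
who_touches /etc/aliases "$d/info"        # lists only exim4-config.postinst

for content in 'root: root' 'root:bolt' '# root: bolt' 'root:'; do
    printf '%s\n' "$content" > "$d/aliases"
    if root_alias_set "$d/aliases"; then
        r="left alone"
    else
        r="postinst would append root: \${poma}"
    fi
    printf '%-14s -> %s\n' "$content" "$r"
done
rm -rf "$d"
```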
Hooray!
OTP (one-time passwords) on Debian Squeeze SSH logins
So, you're out of your secret lair and now you need to log in from a computer you don't trust. After all, every computer you don't administer is most likely full of viruses, malware and probably even a hardware keylogger somewhere along the keyboard cord, right?
So you want to use a one-time password, so that even if someone snatches it, it has already been used and can never be used again.
Fortunately, one-time passwords on Debian are a breeze to set up.
apt-get install opie-server
This will install opie-server, which will drag along opie-client and libpam-opie as dependencies, unless you have them already.
Now you have to choose whether you want one-time passwords for every single login, or only for the ones happening over SSH.
I wanted it only for SSH logins, so I edited /etc/pam.d/sshd (it might be named just "ssh" in other distros).
At the bottom of the file, I appended:
auth sufficient pam_opie.so
auth required pam_deny.so
This makes your server ask for your password first, then for the one-time password if the password was correct: pam_opie is "sufficient", so a correct OTP ends the stack with success, and the "required pam_deny.so" after it means anything else is refused. Two consequences worth knowing: every account that logs in over SSH with a password now needs an OPIE entry (created with opiepasswd, below), otherwise pam_opie cannot succeed and pam_deny locks it out; and public-key logins are not affected, because sshd does not run the PAM auth stack for them. If you don't want it to ask for your normal password at all, comment out the line saying "@include common-auth".
"common-auth", in /etc/pam.d, is also the file to edit if you want one-time passwords for all logins, not just for SSH. Don't have sshd ask for your normal password if you also use that password for FTP connections or other things which don't also require a one-time password: a keylogger on the untrusted machine captures the normal password too, and unlike the OTP it stays valid. Your normal password should be unique.
Then you need to enable challenge-response authentication in SSH, which is disabled by default in Debian Squeeze. Edit /etc/ssh/sshd_config, locate the line "ChallengeResponseAuthentication no", change it to "yes" and restart sshd:
/etc/init.d/ssh restart
Next, all you have to do is set a passphrase for your one-time passwords:
opiepasswd -cf
-c is console mode, meaning you type the secret passphrase on this machine instead of computing the response elsewhere; -f forces opiepasswd to go ahead even though it does not consider a remote session secure. Only do that over SSH from a machine you trust, since the passphrase you type here is the secret every one-time password is derived from.
Enter the passphrase it asks for. This should be some sentence you can easily remember, preferably with upper and lower case and punctuation.
Now you're ready to try it. Connect, enter your password, and watch the one-time password challenge appear:
$ ssh myserver.dhampir.no
Password:
otp-md5 498 sl8229 ext, Response:
You can generate the one-time passwords using any suitable tool. I use VeJOTP to generate the passwords on my Java phone, which is really neat, but you can also just use "opiekey" to generate a batch and print them out (treat the printout like a password and cross each one off as you use it):
$ opiekey -n 10 498 sl8229
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Sorry, but you don't seem to be on the console or a secure terminal.
Warning: Continuing could disclose your secret pass phrase to an attacker!
Enter secret pass phrase:
489: BABY NAN GALL MONA WEST LUG
490: FEND DES WOO RACE BED AQUA
491: GET FAST HECK BELA NONE RAY
492: NINE SUCH CUNY ARID JUNO SOUR
493: DOTE DUG BRED WARN AWRY SAID
494: FAWN ABUT SAY KILL WAVE WATS
495: RASH AMES BLUE SAP DEE GAB
496: JACK DIRE LUCY ROOM JACK RENA
497: FLUE LOAM TICK LAMB ROWS BEST
498: GLIB ELBA POE OUCH ROW LEN
This command generates the responses for the 10 sequence numbers ending at the requested one (498 down to 489) for seed sl8229; 498 answers the current challenge, after which the server asks for 497, and so on.
One-time passwords count downwards because each one is the hash of the one with the next lower sequence number: the server only stores the last response it accepted and checks a new one by hashing it once and comparing. Knowing a password that has already been used therefore does not let an attacker compute the next one, since that would mean inverting the hash. When the counter gets low, run opiepasswd again to start a new sequence with a fresh seed.
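To make the counting-down argument concrete, here is an added example (not from the original post) of the otp-md5 construction that OPIE implements, as specified in RFC 2289: the initial value is MD5(seed||passphrase) folded to 64 bits, the password for sequence N is that value hashed N more times, and the server verifies a response by hashing it once and comparing with the last one it accepted. Assumptions: the passphrase is a constructed sample, the seed is the one from the challenge above, and the hex printed is the raw folded digest bytes; whether that matches the display format of the real opiekey has not been checked here, so use it to understand the chain, not as a drop-in generator.

```shell
#!/bin/sh
# Added example: RFC 2289 otp-md5 chain and server-side check, in POSIX sh.
# Passphrase below is a constructed sample; hex output is the raw folded digest.

# fold_hex DIGEST: fold a 32-hex-char MD5 digest to 64 bits (bytes 0-7 XOR 8-15)
fold_hex() {
    lo=${1%????????????????}; hi=${1#????????????????}
    fmt=""; args=""
    while [ -n "$lo" ]; do
        a=${lo%"${lo#??}"}; lo=${lo#??}        # next byte of each half
        b=${hi%"${hi#??}"}; hi=${hi#??}
        fmt="$fmt%02x"; args="$args $(( 0x$a ^ 0x$b ))"
    done
    printf "$fmt" $args                        # $args is split on purpose
}

# md5_of_hex HEX: MD5 of the raw bytes encoded by HEX, as a 32-hex-char digest
md5_of_hex() {
    rest=$1; fmt=""; args=""
    while [ -n "$rest" ]; do
        byte=${rest%"${rest#??}"}; rest=${rest#??}
        fmt="$fmt\\\\%03o"; args="$args $(( 0x$byte ))"   # one octal escape per byte
    done
    printf "$(printf "$fmt" $args)" | md5sum | cut -c1-32
}

# otp_step OTP: one hash application; the server does exactly this to a
# submitted response before comparing it with the stored one.
otp_step() {
    fold_hex "$(md5_of_hex "$1")"
}

# otp_md5 PASSPHRASE SEED SEQ: the one-time password for sequence number SEQ
otp_md5() {
    seed=$(printf '%s' "$2" | tr 'A-Z' 'a-z')      # the seed is case-insensitive
    key=$(fold_hex "$(printf '%s%s' "$seed" "$1" | md5sum | cut -c1-32)")
    k=0
    while [ "$k" -lt "$3" ]; do
        key=$(otp_step "$key")
        k=$((k + 1))
    done
    printf '%s' "$key"
}

# otp_verify STORED RESPONSE: STORED is the last accepted password (sequence
# N+1), RESPONSE the one offered for sequence N.
otp_verify() {
    [ "$(otp_step "$2")" = "$1" ]
}

# Demo: opiepasswd starts a real sequence at 499; 10 keeps this demo fast.
pass="correct horse battery staple"
stored=$(otp_md5 "$pass" sl8229 10)
resp=$(otp_md5 "$pass" sl8229 9)
if otp_verify "$stored" "$resp"; then echo "sequence 9 accepted: $resp"; fi
stored=$resp                                   # the server now remembers this one
if ! otp_verify "$stored" "$resp"; then echo "replaying sequence 9 is rejected"; fi
```

Note what the server never holds: the passphrase, or any password with a lower sequence number than the one it last accepted. An attacker who reads /etc/opiekeys or captures a response gets only values that are "above" everything still to be used in the chain.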