Unexpected Changes

E-mail is one of those things that you take for granted. Once you have set-up an address and a client you can reliably receive mail for many years until something changes.

Over the past 2 months something changed and I almost didn’t notice. There are certain sites that mail me a few offers, I subscribe to a few mailing list items, github updates me on a few projects that I keep an eye on. I don’t get a huge amount of email but there is normally something being downloaded when I open the client. There were a couple of days when I didn’t get as much as I expected. Not a problem as perhaps there wasn’t anything being sent. When this persisted for a few days I began my investigations.

I was aware of my web host updating the mail-server back-end. I had received an email stating that this would be occurring and to expect a little downtime. But apart from that I wasn’t expecting any significant changes. Significant changes had happened.

Having a domain name had allowed me to use a catch-all email address. Any email that would be sent to the domain after being spam filtered would be received. This made it incredibly easy to create a new address on the fly when creating an account for a new service. I had a few actual mail box addresses in addition to the catch-all. What I had noticed was email only being received from actual mailboxes and not the catch-all addresses.

This was a problem as I had a few accounts where I really needed to be receiving correspondence. I needed to get a solution and quickly. I was able to contact my host and get the catch-all re-enabled. This workaround allowed me a little more time to arrange a permanent solution.

The permanent solution would be to create actual mailboxes rather than rely on a catch-all system. How many unique email addresses had I been using over the years? I stopped counting at 114. Creating mailboxes for all these would be too much effort since most wouldn’t see a large volume of traffic.

Looking through the long list of addresses I was quickly able to discard a large number of them. I had a few that I had used for stores and services that have since closed down. I shouldn’t be getting any future mail from these so I have just made a note of them in my spam filter and ignore them. To reduce the remaining addresses I decided it was best to create a single mailbox and then update various accounts to use it. I can then discard the original address. This was a long and time consuming task.

Currently I have reduced my 114+ addresses down to a more manageable 25. In an ideal world I would have been able to reduce it down even more. A stumbling block was not being able to change my email address on some accounts. For the ones that matter it was easier to create a mailbox, for the others it was easier to unsubscribe and resubscribe.

In future I am only going to use a more limited selection of addresses to hopefully reduce the 25 even more. Whilst this process has been an annoyance it has been necessary to tackle it. I think it has been about 5 years since I last tackled a big email change. All being well I shouldn’t have to do anything as significant for at least another 5.

Email Settings

I checked on the connection settings I am using to log into the mailboxes. Technical information from another email provider provides a good overview of the available settings.

RFC8314 (Jan 2018) outlines the current thinking over connection security for email.

Simply put implicit security using SSL/TLS is preferred as it encrypts the connection by default. STARTTLS is discouraged as it begins as a plain text connection which can upgraded to an encrypted connection. It is worth checking your settings with your own provider to ensure you are as secure as you can be.

Poodle SSLv3

Well another week another security issue. This time it is a weakness in SSLv3. This is an older protocol (replaced by TLS) but can still be used in some circumstances. The Mozilla Security Blog article contains details. A quick fix for Firefox users is to install SSL Version Control plugin to disable use of SSLv3. SSLv3 will be disabled by default in Firefox 34 when it is released towards the end of November.

Bash Exploit

Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169)

Well I read this article whilst I was at work. Upon getting home I started up my Fedora machine and ran the following check to see if I was vulnerable.

To test if your version of Bash is vulnerable to this issue, run the following command:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks as follows:

this is a test

you are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

I was vulnerable. But that is what I expected. Knowing that the fix might take a little time I added the suggested workaround to my firewall script.

Workaround: Using IPTables:

A note on using IPTables string matching:

iptables using -m string --hex-string '|28 29 20 7B|'

Is not a good option because the attacker can easily send one or two characters per packet and avoid this signature easily. However, it may provide an overview of automated attempts at exploiting this vulnerability.

In full knowledge that this vulnerability was/is going to get exploited I was monitoring my firewall logs. I had set the rules to log and drop the packets. Note that the work around says it can be bypassed. A couple of hours with the rule in place and nothing unusuall was being logged and I was carrying on as normal. All of a sudden 4-5 packets were caught by the rule. My system was shutdown seconds later. I susspect that this is some opportunistic scanning taking place, however I am not taking any chances until a patch is ready.

On the plus side it has given me the opportunity to boot and update my Windows machine.

The Legacy Email Problem

Over the years, like many other people, I have obtained numerous email accounts/addresses. Trying to manage all these used to be a problem so a few years back I began to condense them down into the few I actually use.

I maintain access to the older accounts to receive any incoming mail from websites that I need to amend my contact details for. One of these accounts is subscribed to a mailing list and continues to get substantial incoming mail. So it's time to unsubscribe.

Unsubscribing can take a number of forms. On some sites you login uncheck a box and away you go, no more mail. Alternatively changing your email address to something random so you never get the email. In the past I have clicked a link and been taken to a page to enter the subscribed email address and later clicked another link in an unsubscribe confirmation email. These methods have always worked because the mailing list/site doesn't care who or where you are. I needed to send an email from the subscribed account to the unsubscribing email address of the mailing list.

The problem I have today is related to an issue with email accounts and spam prevention in general. Email is usually accessed in 2 ways via webmail/app or desktop client. I am using a Mozilla Thunderbird on the desktop to read my emails. To send email I need to use an SMTP server, every email account specifies which one to use and you need to pass along your login details to use it. Even though I have access to a lot of SMTP servers via a lot of accounts they are slowly locking themselves down. Most will now only send an email with an address they provide.

Smtp.example.com only sends emails from bob@example.com and not bob@somewhere.com.

This can stop spam and reduce traffic on an SMTP server as it isn't processing emails for people who aren't paying for their services.

Back to my unsubscribing problem. I had the correct SMTP server settings for the account and I was sending the email from the subscribed account in question. It failed. The reason was due to the fact that the email address is tied to an Internet Service Provider (I have switched since). It was detected that I was attempting to send an email through their SMTP server from outside their network. This for reasons of reducing spam and server load had been blocked.

So how do I send the email? The easiest option is to find an open SMTP server which would be happy to send the email for me. Google is able to do this, however the caveat is that rewrites the email address to that of the Gmail account used to send it. You can specify an alternative reply address in the account settings which will result in any replies to the email going back to the original account address and not the Gmail address. This is ok for most cases but I need the email to come direct from the subscribed account.

The solution, the webmail interface. Logging into the email account through the providers website allows me to send email from within their network. It means my unsubscribe email is sent from the subscribed account, through an SMTP server that is happy to send it without changes. I still had to confirm an unsubscribe email but luckily this was sent within a few seconds of the initial email. It has meant jumping through a few hoops but the mailing list is no longer sending me any more mail.

Keeping My Hat On

In my previous post I outlined my thinking about moving from Fedora to OpenSuse. I installed OpenSuse 12.3 onto mylaptop and had a play about. The installer was clean and easy to use and everything was setup with the minimum of effort.

Two issues with Fedora prompting a move were the control over the firewall and the Arduino software not being up to date. I was disappointed to that the installation of the Arduino software didn't come with a desktop icon setup but the latest version was there to use. Now onto the firewall; things were not good.

OpenSuse has completely removed the iptables scripts for managing the firewall. It seems you will use their firewall daemon and associated setup program. So basically the future looks like I will be being forced into using a wrapper of some sort around the iptables rules for my firewall. What's more, after doing some reading it would appear that more applications will rely on this dynamic functionality in the future. So what do I do? I can, on Fedora at least, use my existing script in the short term but need to migrate it. Alternatively I can change distro, waiting a little longer for the inevitable push towards dynamic firewalls.

Where does this leave me now then? I'm thinking of staying with Fedora at the moment. Fedora 19 will be due out in around 3-4 months time. At this point I think a clean installation of my main machine will probably be in order. In the mean time I can work on migrating my current firewall script over to the Firewalld system. It will mean I have to manually install the latest Arduino software but that is at least a manageable task.

OpenSuse was removed from the laptop and Fedora 18 reinstalled. A clean installation does appear to have changed a few things. A series of upgrades over the years had left a few legacy options it seems. The Fedora installer was not as user friendly as the OpenSuse installer, especially when it came to creating the dual boot with Windows on a separate hard disk. That said it did install and I'm sure it will improve in the future.

Quick Mailserver Update

I have at long last done a little more work on the mailserver project. The latest thing to report is the addition of dspam to filter out spam. In addition to this clamAV is also integrated.

The next step will be to do some more testing and then plug in another application which should make training and using the spam filter a little easier.

The documentation surrounding the addition of dspam and antivirus to the setup I am working on has been very hard to come by and in some cases is conflicting. Having made significant progress recently I am hoping to eventually have my setup production ready by the end of the year*. *Might as well give myself plenty of time.

Mailserver Project: It Appears To Work

After spending much time and effort on the mailserver project I think I have finally created a secure and working basic setup. It's currently a little to late to do extensive testing but the brief tests carried out so far look good. A laptop with a self signed ssl certificate can securely connect to the mailserver over the local lan and retrieve the email in the imap store and securely send email out again. Trying to use the mail client on the mailserver itself correctly fails to retrieve the imap store or send email due to not having a self signed certificate to send.

If the rest of my tests work out in a similar manner and the services run stable for a week or so I might finally be able to declare the first stage of the project complete and finish off the documenting the process upto this point.

Mailserver Project: Another Update

I was hoping to begin this month with news that my mailserver project was reaching the milestone objective of being secure and working, alas it is not to be. The good news is that over the past month I have made significant progress and am in the final stages of securing and testing.

I have dovecot and postfix talking to each other and maildrop filtering the incomming mail. Work at the moment is partly on documenting my decisions and testing processes and partly on implementing the remote authentication over a secure link. I am taking the security aspect quite seriously and as a result it requires extra time to get it right. Currently my documentation/notes are upto 30+ pages in openoffice and I may even split the guide into sections. The SSL certificate generation and usage notes I have been making are quite extensive and can be used to generate self-signed certificates for other applications too.

Fingers crossed another month might be all I need; only time will tell.