Wednesday 23 August 2017

Setting up DKIM for your domain / MTA

What is DKIM and how is it different to SPF?

Both DKIM and SPF help a receiving mail server decide whether a message claiming to come from your domain is genuine, but they check different things.

SPF lets you publish, in DNS, the IP addresses that are allowed to send mail for your domain, so a receiver can reject mail that a non-authorised host tries to send with your domain as the envelope sender.

DKIM lets your MTA sign each message, so a receiver can verify that the message really passed through your domain's infrastructure and that the signed headers and body were not modified on the way.

The two can (and should) be used together. DKIM guarantees integrity, but a validly signed message can be captured and re-sent unmodified (replayed for spam or phishing), and the signature alone says nothing about who is relaying it; SPF adds the check that whoever is handing the message to you is authorised to send for the domain. Conversely, a plain forward breaks SPF (the forwarding host isn't in your record) while the DKIM signature still verifies as long as the signed content is untouched.

How does DKIM work?

The sending MTA adds a DKIM-Signature header to each message: a digital signature, made with the domain's private key, over a selected set of headers and the body. The header also names the signing domain (d=) and a selector (s=). A receiving mail system uses those two values to look up the public key in a TXT record at <selector>._domainkey.<domain> in the signing domain's DNS zone and verifies the signature with it; a valid signature proves both that the signing domain vouched for the message and that the signed parts are unaltered.

Setting up DKIM

For this example we'll use the domain 'example.com'. We should firstly generate a private/public key pair for DKIM. Numerous online wizards offer to do this, but I'd strongly discourage that: a private key generated on somebody else's web server is not private. We'll instead use openssl:

openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key

We should also choose a 'selector': an arbitrary label of letters and digits, e.g. TA9s9D0q3164rpz. It becomes part of the DNS name of the key record and lets you publish several keys for the same domain, which is what makes key rotation painless.

The public portion goes into a TXT record named <selector>._domainkey.<your domain>. Open public.key, drop the BEGIN/END PUBLIC KEY lines, join the remaining base64 lines into one string, and use that as the p= value (replace the domain and selector with your own):

Name: TA9s9D0q3164rpz._domainkey.example.com

Value: v=DKIM1; k=rsa; p=<base64 public key as one line, without the PEM header and footer>

A 2048-bit key makes this value roughly 400 characters long, and a single TXT string is limited to 255 characters, so most zone editors expect it as two or more consecutive quoted strings, which resolvers join back together.

Older guides also add a second TXT record at the domain level:

Name: _domainkey.example.com

Value: t=y;o=~;

where 'o=-' means 'all of our mail is signed' and 'o=~' means 'only some of it is'. That record and its o= tag come from DomainKeys, the predecessor of DKIM; a DKIM verifier (RFC 6376) never looks at it, so it does nothing for or against you. (The t=y flag does exist in DKIM, but on the selector record itself, where it marks the key as being in testing mode; remove it once you're happy with the setup.) If you want to tell receivers how to treat unsigned mail from your domain, that is what DMARC is for.

The private key, together with the selector and domain name, is then given to your MTA so it can add the DKIM-Signature header; how that is configured depends on the MTA. Keep the private key readable only by the signing process.
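As an added example (not part of the original post), the record-building and checking steps above as a POSIX shell script. It reads a PEM public key as written by the openssl command above, produces the record name and value, splits the value into 255-character strings for a zone file, and sanity-checks a value (for instance one fetched with dig +short TXT <name>). The PEM embedded below is a constructed stand-in with the right shape, not a real RSA key, and the example.com name and TA9s9D0q3164rpz selector are the ones used in this post.

```shell
#!/bin/sh
# Added example, not from the original post: turn the openssl public key
# into the DKIM TXT record, split it for the zone file and sanity-check a
# published value. Input is a PEM file as written by `openssl rsa -pubout`;
# the PEM below is a constructed stand-in, not a real key.
set -e

SAMPLE_PEM=$(mktemp)
trap 'rm -f "$SAMPLE_PEM"' EXIT
cat > "$SAMPLE_PEM" <<'EOF'
-----BEGIN PUBLIC KEY-----
Zm9vYmFy
SGVsbG8sIFdvcmxkIQ==
-----END PUBLIC KEY-----
EOF

# Drop the BEGIN/END lines and join the base64 body into a single line.
pem_to_b64() {
  grep -v -- '-----' "$1" | tr -d '\n\r'
}

# Record name: <selector>._domainkey.<domain>
dkim_record_name() {
  printf '%s._domainkey.%s' "$1" "$2"
}

# Record value: version tag first, key type, then the key itself.
dkim_record_value() {
  printf 'v=DKIM1; k=rsa; p=%s' "$(pem_to_b64 "$1")"
}

# A TXT record holds strings of at most 255 octets; a 2048-bit key record is
# around 400 characters, so emit it as consecutive quoted strings for the
# zone file (resolvers concatenate them).
split_txt() {
  printf '%s\n' "$1" | awk '{
    out = ""
    while (length($0) > 255) {
      out = out "\"" substr($0, 1, 255) "\" "
      $0 = substr($0, 256)
    }
    print out "\"" $0 "\""
  }'
}

# Undo the quoting in `dig +short TXT <name>` output so the value can be checked.
join_txt() {
  printf '%s' "$1" | sed 's/" "//g; s/^"//; s/"$//'
}

# Sanity checks on a record value: version tag, key type, and a p= that is
# present (an empty p= means "key revoked") and is valid base64.
check_dkim_record() {
  tags=$(printf '%s' "$1" | tr -d ' \t' | tr ';' '\n')
  v=$(printf '%s\n' "$tags" | sed -n 's/^v=//p')
  k=$(printf '%s\n' "$tags" | sed -n 's/^k=//p')
  p=$(printf '%s\n' "$tags" | sed -n 's/^p=//p')
  [ "$v" = "DKIM1" ] || { echo "missing or wrong v= tag" >&2; return 1; }
  [ "$k" = "rsa" ]   || { echo "unexpected k= tag: '$k'" >&2; return 1; }
  [ -n "$p" ]        || { echo "empty p= (revoked key)" >&2; return 1; }
  printf '%s' "$p" | base64 -d >/dev/null 2>&1 \
                     || { echo "p= is not valid base64" >&2; return 1; }
  return 0
}

# Stand-alone demo with the constructed key.
NAME=$(dkim_record_name TA9s9D0q3164rpz example.com)
VALUE=$(dkim_record_value "$SAMPLE_PEM")
echo "$NAME  IN TXT  $(split_txt "$VALUE")"
check_dkim_record "$(join_txt "$(split_txt "$VALUE")")" && echo "record OK"
```

For a real key, point pem_to_b64 at the public.key file generated above. The checks are deliberately the ones that catch common publishing mistakes: the PEM header pasted into p=, the value truncated at 255 characters by a zone editor, or a record left with an empty p= after a rotation.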

Validating Results

To confirm that verification succeeds, send a message to a mailbox you control on another mail system and inspect the received headers, specifically the 'Authentication-Results' header that the receiving server adds (the first token is the verifying server; header.i= or header.d= names the domain taken from the signature):

Authentication-Results: mail.example.com;
       dkim=pass header.i=@xyz.com;

A 'dkim=fail' result usually means the public key in DNS doesn't match the key the MTA is signing with, the record hasn't propagated yet, or something in transit (a footer-adding relay, for instance) altered the signed content.


Wednesday 16 August 2017

Creating an internal / NAT'd network using a vSwitch on Server 2012 / 2016

We'll firstly need to install the Hyper-V role, since its management tools are what we use to create the virtual switch (the Routing feature provides RRAS):

Install-WindowsFeature Hyper-V -IncludeManagementTools
Install-WindowsFeature Routing -IncludeManagementTools

However, the following message was returned when I attempted the installation:

Hyper-V cannot be installed: A hypervisor is already running.

As I was running under VMware, I had to install the feature a slightly different way (bear in mind that we have no intention of using the Hyper-V hypervisor itself; we only want its virtual networking).

So instead I installed Hyper-V with:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart

and the management tools with:

Install-WindowsFeature RSAT-Hyper-V-Tools -IncludeAllSubFeature

Ensure the NAT routing protocol is available to RRAS: 'Administrative Tools' > 'Routing and Remote Access', expand the server, then 'IPv4', right-click 'General', select 'New Routing Protocol' and choose NAT.

We can now create the internal virtual switch with:

New-VMSwitch -Name "SwitchName" -SwitchType Internal

An internal switch also creates a host-side adapter named 'vEthernet (SwitchName)'. Assign it an IP, which becomes the default gateway for anything attached to the switch:

New-NetIPAddress -IPAddress 10.0.0.1 -PrefixLength 16 -InterfaceIndex <id>

(You can get the interface index of the vEthernet adapter with: Get-NetAdapter)

At this point you won't be able to reach external hosts from that interface, which we can verify by selecting it as the source address with ping's '-S' switch:

ping -S 10.0.0.1 google.com

So we'll need to enable NAT for the whole internal prefix with:

New-NetNat -Name "NATNetwork" -InternalIPInterfaceAddressPrefix 10.0.0.0/16

(New-NetNat configures WinNAT, which is built into the networking stack and independent of RRAS, so for this step on its own the RRAS NAT protocol above isn't required.) Then ping from the interface again, which should now succeed:

ping -S 10.0.0.1 google.com

Wednesday 9 August 2017

Useful find command examples in Linux

The below is a compilation of 'find' commands that I often use myself.

Finding files larger (or smaller) than 50 MiB

find /path/to/directory -size +50M

find /path/to/directory -size -50M

(The unit suffix is an upper-case M for mebibytes; a lower-case m is rejected by GNU find. Note also that find rounds a file's size up to whole units before comparing, so '-size -50M' means 'at most 49 MiB', and '-size -1M' matches only empty files.)

Finding files by name pattern (here: a prefix and a .php extension)

find /path/to/directory -name "prefix_*.php"

The pattern is matched against the whole basename, so quote it to stop the shell expanding the '*'; use '-iname' for a case-insensitive match.

Finding files (or folders) with specific permissions

find /home -type f -perm 777

'-perm 777' matches only files whose mode is exactly 777. To find anything others can write to, whatever the remaining bits, use '-perm -o+w' (or '-perm -002'); '-perm -4000' finds setuid files.

Finding files that have been changed in the last hour

find / -cmin -60

'-cmin' compares the inode change time, which chmod, chown and renames update as well as writes; use '-mmin -60' if you only care about content changes.

Performing an action on matched files (-exec switch)

find / -cmin -60 -exec rm {} \;

Be careful with this one: as written it deletes every file under / whose inode changed in the last hour. Run the find with '-print' first to see what it will hit, narrow the path and add '-type f'. '-exec rm {} +' passes many files to one rm invocation instead of forking rm per file, and '-delete' (GNU and BSD find) does the same without exec at all.
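As an added example (not part of the original post), the searches above run against a throwaway directory tree built by the script itself, extended to the cases I'd actually want when auditing a box: world-writable files regardless of the rest of the mode, setuid binaries, and the difference between -mmin and -cmin. The tree, its file names and modes are constructed for the demonstration; the script only touches that temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: the find patterns above run
# against a throwaway tree, extended with the searches an auditor actually
# wants (world-writable files, setuid binaries) and the -mmin/-cmin
# difference. The tree is constructed here; nothing outside it is touched.
set -e
TREE=$(mktemp -d)
trap 'rm -rf "$TREE"' EXIT

mkdir -p "$TREE/www" "$TREE/bin"
printf 'x' > "$TREE/www/prefix_index.php"
printf 'x' > "$TREE/www/other.php"
printf 'x' > "$TREE/www/prefix_notes.txt"
printf 'x' > "$TREE/bin/tool"
head -c 2048 /dev/zero > "$TREE/www/big.bin"

touch -t 202001010000 "$TREE/www/other.php"  # old mtime; the chmod below still bumps ctime
chmod 777  "$TREE/www/prefix_index.php"       # exactly 777
chmod 664  "$TREE/www/other.php"              # group-writable only
chmod 646  "$TREE/www/prefix_notes.txt"       # world-writable, but not 777
chmod 644  "$TREE/www/big.bin"
chmod 4755 "$TREE/bin/tool"                   # setuid

# -perm 777 matches only that exact mode ...
exact_777()      { find "$1" -type f -perm 777 | sort; }
# ... whereas -perm -002 (symbolic: -perm -o+w) matches anything others can write.
world_writable() { find "$1" -type f -perm -002 | sort; }
# Setuid files: the bit must be set, the other bits don't matter.
setuid_files()   { find "$1" -type f -perm -4000 | sort; }
# -name matches the whole basename, so this is "prefix_*.php", not "*.php".
php_by_prefix()  { find "$1" -type f -name 'prefix_*.php' | sort; }
# find rounds sizes up to the unit: a 1-byte file counts as 1k, so only
# big.bin (2048 bytes) is "+1k".
larger_than_1k() { find "$1" -type f -size +1k | sort; }
# -mmin looks at content modification time; -cmin at inode change time,
# which chmod/chown/rename also update.
modified_last_hour() { find "$1" -type f -mmin -60 | sort; }
changed_last_hour()  { find "$1" -type f -cmin -60 | sort; }
# Acting on matches: print first, then use -exec ... {} + (one rm for many
# files, no shell word-splitting of names) rather than -exec rm {} \;.
remove_prefix_txt() {
  find "$1" -type f -name 'prefix_*.txt' -print
  find "$1" -type f -name 'prefix_*.txt' -exec rm -- {} +
}

echo "exactly 777:";    exact_777 "$TREE"
echo "world-writable:"; world_writable "$TREE"
echo "setuid:";         setuid_files "$TREE"
echo "prefix_*.php:";   php_by_prefix "$TREE"
echo "larger than 1k:"; larger_than_1k "$TREE"
echo "mtime < 60 min:"; modified_last_hour "$TREE"
echo "ctime < 60 min:"; changed_last_hour "$TREE"
echo "removing:";       remove_prefix_txt "$TREE"
```

Each search is wrapped in a function so the same pattern can be pointed at a real path; the removal function prints its matches before deleting them, which is the habit worth keeping for anything that starts with 'find /'.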

Saturday 5 August 2017

Adding a custom / unlisted resolution in Fedora / CentOS / RHEL

Sometimes xrandr doesn't advertise all of the resolutions a graphics card supports; this can be down to an unofficial or older driver.

In Fedora the Intel drivers are bundled and current, yet xrandr is still only reporting one available resolution:

xrandr -q

Screen 0: minimum 320 x 200, current 1440 x 900, maximum 8192 x 8192
XWAYLAND0 connected (normal left inverted right x axis y axis)
   1440x900      59.75 +

In order to add a custom resolution we can use the 'cvt' utility - this calculates the VESA Coordinated Video Timing modes for us.

The syntax is as follows:

cvt <width> <height> <refreshrate>

for example:

cvt 800 600 60

# 800x600 59.86 Hz (CVT 0.48M3) hsync: 37.35 kHz; pclk: 38.25 MHz
Modeline "800x600_60.00"   38.25  800 832 912 1024  600 603 607 624 -hsync +vsync

We then create a new mode, passing everything after the word Modeline in the cvt output as the arguments (xrandr talks to your own X session, so no sudo is needed):

xrandr --newmode "800x600_60.00"   38.25  800 832 912 1024  600 603 607 624 -hsync +vsync

then add that mode to the output, using the output name shown by 'xrandr -q' (in our case XWAYLAND0):

xrandr --addmode XWAYLAND0 800x600_60.00

and finally switch to it:

xrandr --output XWAYLAND0 --mode 800x600_60.00

Modes added this way last only until you log out.

Wine: Could Not Initialize Graphics System. Make sure that your video card and driver are compatible with Direct Draw

For anyone else getting this error when running older games under Wine: in my case it was because the graphics card (as reported by xrandr) did not offer the game's native resolution of 800x600. You can check which resolutions are available with:

xrandr -q

If the one you need is missing, you may be able to add it as a custom mode as described above.

Otherwise, in the Wine configuration (winecfg) tick 'Emulate a virtual desktop' under Graphics and set a desktop size the game can work with.