主页 / user-494645

philolegein's questions

Martin Hope
philolegein
Asked: 2021-10-02 22:36:55 +0800 CST
  • 4

我正在尝试诊断 OpenDKIM 验证错误(请参阅此问题)。在野兽的肚子里,我正试图确保生成的密钥实际上是正确的。

我正在生成我的密钥opendkim-genkey -r -d example.com。这会生成两个文件。一个是 RSA 私钥(文件default.private):

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDJy9S18vHtrIQNep9PogJfrKNLKKf2VSOvUwOzItlWkY3cRCFx
scSNjfC4QHREcMeUuNO78wvQ+oOk+exLdyl2BggcA659Wi6v8X/+awLXpa9sB6vi
GPi8Zx560GbZu6jGLlEzcOaGDCYqdUxZIdAaOICDORFa3XAywHi87eQPMwIDAQAB
AoGAVSjAvnwlHqEEJVAPNSLwj4Gic9BXeXwakB2fXRSi1YadcEwMNRfJE9fHs2n3
5v4VK60IJbP+05U0wwV5c6t5AgZqpP0GBW8CKUr3BwaF2cJbd+uOXlAm4cx6/S1E
Ocoku0c/vrr3mkO41IuBkB+FRm0y7WXFi7e7M32Tictt0CkCQQDzE08wRLNXxkaM
LyUDMvCtlNzACcmkU73NAHDHhwtrJMMLp7q/s4VIDbmhysoNBblNHJQvA/7zVd13
1CGxbh8/AkEA1IajRLNJ6XTuv9RmK1622BDWix4ogEvbev/zR8ti2JifO6A5gv+L
na5hVAATo563pWjtNZW3sAVKqN7juN5HDQJAP1xKKP/Pa9LQMtxbHoFZwTVrcVdb
y0zUzaoOu8PU0yHrAY/AGxY1aLnDKIxOrKRQT+xiJ/s3qsA4EXMnMTPOSwJBAK5N
dl6EBRyZsK5YDyuG1MNEnBEhPOpsTKgGf4rkfj9SfVYzxLdxyxoZyO1R2smZBNl+
wv3tuud8j40MsQwQEYkCQBCzH+1IaxoMsSggutvEvqz2SqkFbD5rq/+uL6P6xyYg
PHCYIWomK8zOlmnO+bfbRIzQb7I81vOFq2sr0yQLK+0=
-----END RSA PRIVATE KEY-----

一个生成 DKIM DNS 条目,我假设它包含公钥:

default._domainkey  IN  TXT ( "v=DKIM1; k=rsa; s=email; "
      "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJy9S18vHtrIQNep9PogJfrKNLKKf2VSOvUwOzItlWkY3cRCFxscSNjfC4QHREcMeUuNO78wvQ+oOk+exLdyl2BggcA659Wi6v8X/+awLXpa9sB6viGPi8Zx560GbZu6jGLlEzcOaGDCYqdUxZIdAaOICDORFa3XAywHi87eQPMwIDAQAB" )  ; ----- DKIM key default for example.com

我假设“p=”条目是公钥,但如果是,我不知道如何验证它们是否匹配。我想我可以用 来做到这一点ssh-keygen -y -f default.private,但是,它的输出与 DNS 条目的“p =”部分中的输出明显不同(它甚至不是相同的长度):

# ssh-keygen -y -f default.private 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDJy9S18vHtrIQNep9PogJfrKNLKKf2VSOvUwOzItlWkY3cRCFxscSNjfC4QHREcMeUuNO78wvQ+oOk+exLdyl2BggcA659Wi6v8X/+awLXpa9sB6viGPi8Zx560GbZu6jGLlEzcOaGDCYqdUxZIdAaOICDORFa3XAywHi87eQPMw==

那么,这里发生了什么?ssh-keygen 不是正确的方法吗(也许我应该用 OpenSSL 做点什么?)?“p=”不是公钥吗?或者,事实上,我的私钥和公钥不匹配?

谢谢!

PS,作为一个可能无关的旁白,我假设由 opendkim 生成的公钥对于前 34 个字符总是相同的MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ——并且总是以IDAQAB.

rsa openssl opendkim ssh-keys
Martin Hope
philolegein
Asked: 2021-09-20 22:38:36 +0800 CST
  • 0

我已经amavis从 安装epel,它报告

# systemctl status amavisd
● amavisd.service - Amavis mail content checker
   Loaded: loaded (/usr/lib/systemd/system/amavisd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-09-17 14:39:27 UTC; 2 days ago
     Docs: http://www.ijs.si/software/amavisd/#doc
# amavisd -V
amavisd-new-2.12.0 (20190725)

我正在尝试查找文档,但是,AFAICT(包括基于上述输出systemctl status)IJS 是 amavisd-new 的最终归宿,但 2.12 似乎并不存在。指向“最新”的软链接指向 2.8,并且绝对最新列出的是 amavisd-new-2.11.1。也许我的 google-foo 很弱,但是…… 2.12 版的最终归宿在哪里?

amavis
Martin Hope
philolegein
Asked: 2021-04-28 21:51:06 +0800 CST
  • 0

我正在运行一个 postfix/dovecot 邮件服务器。今天早上,我发现它没有反应。结果,/var/log 已满。似乎其中一位用户的帐户被黑,并被用来发送垃圾邮件。

大约有 50 万个这样的条目:

Apr 28 04:12:06 ip-10-0-200-85 postfix/qmgr[3813]: E49F58330A: from=<user@mmydomain.com>, size=2353, nrcpt=20 (queue active)

我暂时关闭了 postfix 和 dovecot,暂时还好,因为我们只有 6 个人在使用它。但是,除了重置用户密码之外,我还应该采取哪些步骤?我应该删除该用户的出站后缀队列中的某些内容(我将如何删除?)?我应该采取任何其他步骤吗?

spam postfix email-server dovecot
Martin Hope
philolegein
Asked: 2021-04-27 21:06:26 +0800 CST
  • 2

我已经收到了我的第一份(有史以来!)DMARC 取证报告,我不确定这是否意味着我应该设置不同的东西,或者这是否是所需的行为,或者它是否不受欢迎但没有什么可做的。

实际报告说

Feedback-Type: auth-failure
User-Agent: szn-mime/2.0.46
Version: 1
Original-Mail-From: cwr@cwrichardson.com
Original-Rcpt-To: maru.sucha@seznam.cz
Source-Ip: 2a00:1450:4864:20::348
Reported-Domain: cwrichardson.com
Authentication-Results: email.seznam.cz 1;
    spf_align=fail;
    dkim_align=pass
Delivery-Result: delivered

查看返回的标头,我猜在我发送电子邮件的位置 (@skolaseiferta.cz) 和收件人的实际电子邮件地址 (@seznam.cz) 之间发生了一些内部转发/别名。谷歌中间有一堆东西,看起来一切(SPF、DKIM、DMARC)都在通过。我有模糊的回忆,我在某个地方读过,有时谷歌在不更新标题的情况下转发,这会导致问题。也许这就是这里发生的事情,但我的核心问题是,这种失败(SPF 对齐;但传递的消息)是否表明我配置错误,如果是,我应该改变什么?

这是取证报告中报告的最终标题:

Received: from mail-wm1-x348.google.com (mail-wm1-x348.google.com [2a00:1450:4864:20::348])
    by email-smtpd17.ko.seznam.cz (Seznam SMTPD 1.3.125) with ESMTP;
    Wed, 21 Apr 2021 21:28:04 +0200 (CEST)  
Received: by mail-wm1-x348.google.com with SMTP id j128-20020a1c55860000b02901384b712094so754950wmb.2
       for <maru.sucha@seznam.cz>; Wed, 21 Apr 2021 12:28:04 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
       d=1e100.net; s=20161025;
       h=x-gm-message-state:dkim-filter:dkim-signature:from:message-id
        :mime-version:subject:date:in-reply-to:cc:to:references:delivered-to;
       bh=z9XlWb3jRfloYwjMKz59BkGnJPKn5q9UeC0Yjl3uFpU=;
       b=OmOkt9uiFimeL2nbIAnz89lXQh6/L47XxRfQcpkktf1KCjK1csYPs/I5UxzzgBxXDL
        QbkfBy3W6l6txQfM+E821xvBU63wXirBdbN8Gxo3Ldw6dQvZ+6uzatuCkEeFVHL6KO6H
        E1O27CVqbz6bhqvaDKEgZRItL6bSAO3OhprafiZk6Yhqr170cAKArDzfTyFgvXX4FGfI
        MFr/1BqM3VQnEyPRBRTiF5i4h1ZxRhnSUvcDH900v+7RN4AZ7+XLAcWjGfHBmWWHea6J
        GV14l7zl22LLRRGIhSaxP+L8qzSG6GM+NRFRJIA8OEfTHkpTXTI1q1aMzLRWIefkMFK/
        C9iQ==
X-Gm-Message-State: AOAM531OlI1F9zTh1HsZoHNZWRw2CRCcaLXZmaWuT10mdobzsf1XdbXR
    jVsZvqhPh/16vPkDdJdHwZdNzDTJ7CYTnntl2W3Ylv1iWfO45ExY/3J5H2S8LMTc9m/Vg1HzH9N
    unIJoFt2ngq8JpN5PRnXe3TbNIRVN5ypsMMYp9rWdDmXRlI/X3Q==
X-Received: by 2002:a5d:47c1:: with SMTP id o1mr27285827wrc.216.1619033282566;
       Wed, 21 Apr 2021 12:28:02 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxghHJgfoFCadI4rf70xN3TaKsadvCo5viffMf7GjVOMzjZImFo2jdnWEOn8V+OIxc8YVlx
X-Received: by 2002:a5d:47c1:: with SMTP id o1mr27285733wrc.216.1619033281236;
       Wed, 21 Apr 2021 12:28:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1619033281; cv=none;
       d=google.com; s=arc-20160816;
       b=i9HgJPQWyJQaj9eHYTRTLX30VfCcgk3coymQyyGzs3jKpMtoTGTSkTJoakmG4kpamB
        HBf9tf6FdxKZK1EPYUhu2HoIB99JSwU5/hm7+LjM9izktRYp12apYf37Q1XqUqWXXJkx
        iUUEVpjE33D6TmhklEOw6HZaSK+GI+AYESoUkIWuqJLG95+5gt2Ckq21Xs3zGw57m5vE
        pkusUkEKxR/8UOrFag6U4OLMr6ydy/oUNtQhUiAr2imI2qYUbMCoGpwDiIm4NI6n7Wtx
        WSTvKGZymXugiv51qBlmtL0u5U3dNTVTtJSKr2Vo4oDIQBIZaw1hm2oudeLPOvmdwSP0
        YfGQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
       h=references:to:cc:in-reply-to:date:subject:mime-version:message-id
        :from:dkim-signature:dkim-filter;
       bh=z9XlWb3jRfloYwjMKz59BkGnJPKn5q9UeC0Yjl3uFpU=;
       b=R3Rk9Xazyo8BwHtxFEETi3RxVnAMqd8aFzNgQYVSQ7eTSEFbkxquX3YWP5blsnu7el
        GinyOV6vxvBuRJpZOgx+7+zgT4os0xGP7naNBG8kyMBuFjvTTvt/g592KmZj0RurQezb
        lspa6TLQ+x1wpysKvlg7Dy0VKFhfAkww8vXDNNbaJuC/YlBFNGab+x2B2FLtrITIxR6B
        OyOpCsX2MvbXtuRikXRgzkvm5DWVqyt6XFH/a3kw9PvbzR23eEmX/OMZe/g+W9ZW8O7D
        /hbimfG2OjKsOAFOCX1yeUUlV0M2hdphi3yI3zSOgoqpTgQfieaHCm9LtkuYAmBBoFH7
        nuDw==
ARC-Authentication-Results: i=1; mx.google.com;
      dkim=pass header.i=@cwrichardson.com header.s=default header.b=rKVHfdcx;
      spf=pass (google.com: domain of cwr@cwrichardson.com designates 54.93.189.174 as permitted sender) smtp.mailfrom=cwr@cwrichardson.com;
      dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cwrichardson.com
Return-Path: <cwr@cwrichardson.com>
Received: from mercury.mirovoysales.com (mercury.mirovoysales.com. [54.93.189.174])
       by mx.google.com with ESMTP id r5si462898wrl.256.2021.04.21.12.28.00;
       Wed, 21 Apr 2021 12:28:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of cwr@cwrichardson.com designates 54.93.189.174 as permitted sender) client-ip=54.93.189.174;
Authentication-Results: mx.google.com;
      dkim=pass header.i=@cwrichardson.com header.s=default header.b=rKVHfdcx;
      spf=pass (google.com: domain of cwr@cwrichardson.com designates 54.93.189.174 as permitted sender) smtp.mailfrom=cwr@cwrichardson.com;
      dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cwrichardson.com
Received: from localhost (unknown [127.0.0.1])
    by mercury.mirovoysales.com (Postfix) with ESMTP id EF3C88004B;
    Wed, 21 Apr 2021 19:27:59 +0000 (UTC)
X-Virus-Scanned: amavisd-new at example.com
Received: from mercury.mirovoysales.com ([127.0.0.1])
    by localhost (ip-10-0-200-85.eu-central-1.compute.internal [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id wQKPlvH_4S8m; Wed, 21 Apr 2021 19:27:57 +0000 (UTC)
Received: from [192.168.1.2] (213.121.broadband6.iol.cz [88.101.121.213])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mercury.mirovoysales.com (Postfix) with ESMTPSA id 3A67080037;
    Wed, 21 Apr 2021 19:27:57 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mercury.mirovoysales.com 3A67080037
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cwrichardson.com;
    s=default; t=1619033277;
    bh=z9XlWb3jRfloYwjMKz59BkGnJPKn5q9UeC0Yjl3uFpU=;
    h=From:Subject:Date:In-Reply-To:Cc:To:References:From;
    b=rKVHfdcxSd1ZhsD1G1X5jvil3lpme2V8tNU+3D0PgdBklG/uYMEdRFVOjr6vqkp9y
     GhZa5D1MVyG1Zd/OZ8v7OZ6x2YZsObnWz92Q5B+X1H5lvbD7/1K9AuNAVmMMmWdlMl
     EY7thbBBQyT1f7j4TvHJTwuJx2JZszR1BjlGoEiY=
From: Christopher Richardson <cwr@cwrichardson.com>
Message-Id: <F670ECB5-9957-4288-8D0B-FB5D54B4F523@cwrichardson.com>
Content-Type: multipart/alternative;
    boundary="Apple-Mail=_4FC50147-75FE-4FDF-B8EC-F651F9EF7F63"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
Subject: =?utf-8?B?UmU6IMWha29sYSB2IHDFmcOtcm9kxJs=?=
Date: Wed, 21 Apr 2021 21:27:56 +0200
In-Reply-To: <C81CB58C-CAD1-4A07-BDAD-76E1DC7A83D1@gmail.com>
Cc: Sarah Richardson <ssghotane@gmail.com>,
sucha@skolaseiferta.cz
To: pfauserova@skolaseiferta.cz
References: <CAOSANHi3e3EPsdvvBU5sh_r3T5h+m8+4Mmwsek=ZxHj3rmEaZQ@mail.gmail.com>
<C81CB58C-CAD1-4A07-BDAD-76E1DC7A83D1@gmail.com>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Delivered-To: sucha@skolaseiferta.czArrival-Date: Wed, 21 Apr 2021 21:28:10 +0200 (CEST)
Reporting-MTA: dns; email.seznam.cz

Final-Recipient: rfc822; forensicreports@mirovoysales.com
Status: 2.0.0
Diagnostic-Code: x-uknown;
Action: x-unknown
Original-Recipient: rfc822; maru.sucha@seznam.cz
email email-server dmarc
Martin Hope
philolegein
Asked: 2020-07-16 08:34:01 +0800 CST
  • 3

我在搞乱一些超时设置,并试图找出为 systemd/system 守护进程设置东西的正确方法。具体来说,这是一个动力不足的服务器,我在启动 clamd 时一直超时,所以我试图找出设置 TimeoutStartSec 参数需要多高。我试过了

systemctl edit --full clamd@.service

并编辑它说

TimeoutStartSec=20min

然后做了systemctl daemon-reload

但它在 7 分钟后一直神秘地超时。最终,我发现/usr/lib/systemd/system/clamd@.serviceTimeoutStartSec=420.

可能反对所有正确的做事方式,我编辑了/usr/lib文件的版本,并注释掉了该行。果然,这改变了事情,但它似乎仍然没有阅读/etc/systemd版本。一旦我将其注释掉,它会在 90 秒后开始超时,我想这一定是默认设置。

作为临时解决方法,我已将/usr/lib版本编辑为我想要的 20 分钟,但是……这似乎不是正确的做事方式。

systemctl edit应该是在编辑版本吗/etc/systemd/system?这是假定正确的做事方式吗?我必须做更多的事情systemctl daemon-reload吗?

接受有关“正确方法”的任何和所有建议。

TIA

clamav systemd amazon-linux-2
Martin Hope
philolegein
Asked: 2019-02-06 02:31:55 +0800 CST
  • 0

AWS::CloudFormation::Init文档允许在 ec2 实例上创建用户规范,因此:

"users" : {
    "myUser" : {
        "groups" : ["groupOne", "groupTwo"],
        "uid" : "50",
        "homeDir" : "/tmp"
    }
}

我想要做的是以编程方式替换“myUser”。使用 Ref: 不起作用:

"users": {
    "{ "Ref": "UserName" }": {
        "groups": [ "groupOne", "groupTwo" ]
    }
}

它说“模板格式错误:JSON 格式不正确。” 与参考线一致。我已经尝试了大约 800 种不同的方式来键入它,带引号和不带引号,使用不同的函数而不是 Ref,但我一无所获。不幸的是,我不知道如何诊断这是否真的只是“您缺少逗号”类型的问题,或者尝试以编程方式替换“myUser”是否存在更大的问题。如果是后者,解决方案是什么。

有任何想法吗?

谢谢!

amazon-web-services