Archive for January, 2003

Not enough time

Friday, January 31st, 2003

I’ve taken a few days off from writing anything and I’ll probably end up taking a few more. Working full time and keeping up with all my school assignments is proving to be a challenge. So, until graduation rolls around in April my blog writing is probably going to be pretty sporadic.

Lately it’s been my Computer Graphics class that’s been keeping me busy (we had a project due today). I didn’t really want to take the class. It basically came down to I needed another CS class to graduate and the only options were Digital Processing, Compilers, Artificial Intelligence, etc. Well…I ended up choosing Computer Graphics. Not because I was more interested in it, just because it sounded less excruciating than the others. Now I’m starting to second guess that decision. I dunno, only 3 more months to go!!

themoviereview.net

Tuesday, January 28th, 2003

I’ve set up and started hosting a blog for one of my friends, called The Movie Review. In his own words, Dave is a

…movie buff. Aficionado. Connoisseur [of movies].

Unlike myself Dave is pretty good at picking movies apart. The most I can do is tell you whether I liked a movie or not. Describing why I liked it or didn’t like it is where we get into somewhat of a gray area. How gray you ask? Charcoal. Dave on the other hand can describe in detail what he did and didn’t like so we thought a movie review weblog would be a good idea. Anyway, enjoy. Oh…and naturally, the views and opinions of themoviereview.net do not necessarily reflect those of daylate.com. :)

Slammer Worm

Monday, January 27th, 2003

I read something earlier (can’t find the link now) that indicated the SQL Slammer worm’s effect on Europe wasn’t as widespread as it was in other parts of the world. It would be interesting to see what the Windows Server market share is in Europe compared to other places around the globe.

I also read this:

…The flaw was known and the patch was readily available so there are no excuses for the victims.

What exactly do they mean by victims? I’m assuming it’s directed at System Admins, but it seems like they weren’t the only victims. In my opinion the guy that couldn’t use the ATM was a victim. I was a victim in the sense that no one could access my linux servers because my ISP was out of service due to all the garbage coming from the MSSQL servers. Neither myself nor the guy at the ATM had any way of preventing this from affecting us, which is what the quote seems to imply.

I’m also a little miffed at the implication that this was solely the result of System Administrators (notice the quote came from a Microsoft affiliated organization). As a Sys Admin myself I’m perfectly willing to accept it’s our responsibility to keep systems patched and up to date. Considering the patch has been published for 6 months I’ll agree, most of the blame should rest with lazy Sys Admins, understaffed IT departments, etc, but I don’t think that completely absolves Microsoft from providing systems that aren’t riddled with security holes. Keep in mind the last major internet attacks (SQL Slammer and Code Red, Nimda) were results of Microsoft security flaws.

MS SQL Server Worm

Saturday, January 25th, 2003

I had to go into work on a Saturday because of this stupid thing. So much for sleeping in. I’m not sure who I’m more displeased with, the person that wrote the worm or the developer(s) at Microsoft that created the vulnerability.

Wild Friday Night

Saturday, January 25th, 2003

So I stayed up till 2am last night browsing weblogs. I also setup . Yes, I realize these probably aren’t considered ideal Friday night activities, but I did go to the gym, that ought to count for something, right?

Anyway, here’s a link for blogs and urls near me .

Oh yeah and if you want to see what my apartment building looks like on an aerial photo, here it is (ok…so my apartment wasn’t built when the picture was taken, but you can see the dirt it’s built on :). Oh yeah, and the golf course you can see immediately east of it, is now just a bunch of scrub brush. What a shame). Computers really are cool.

Using AUTH on Sendmail

Friday, January 24th, 2003

Much like enabling SSL, configuring Sendmail to use authentication was much easier than I first thought. The hardest part was locating some decent instructions to do it. Fortunately I eventually came across some here. It looks like they were written for RedHat 7.x but seem to work for 8.0. Basically I just had to modify my /etc/mail/sendmail.mc file and then update my /etc/mail/sendmail.cf file. Here’s the step by step process:

Backed up my configuration files:
cp /etc/mail/sendmail.mc /etc/mail/sendmail.mc.bak
cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf.bak

Added to /etc/mail/sendmail.mc (NOTE: Watch the directed quotes. The first quote is made using the key just above the TAB key, the other is a normal apostrophe):
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

Updated the configuration file:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Restarted sendmail:
/etc/rc.d/init.d/sendmail restart

Verified it worked:
telnet 127.0.0.1 25
EHLO localhost
250-SERVERNAME Hello CLIENT NAME [CLIENTIP], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP

The 250-AUTH LOGIN PLAIN indicates that everything seems to be working. I modified my mail client to use authentication and sent myself a test email (to an email account located on a different domain, to require relaying). I received the email just fine. Just to be safe I then turned off authentication in my mail client and tried to send the same email and received the ever popular “relaying denied” error (error messages aren’t so bad when I intend to get them).

I also wanted to verify that no user or password information was getting sent in cleartext. So I enabled authentication in the mail client again, sent myself another test email and sniffed the network traffic (have I ever mentioned how much I love ethereal?). I monitored the whole transaction between the client and the server. The SSL/TLS authentication was successful after which all content was encrypted. So, I think the mail system is finally to a point I’m satisfied with.
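The EHLO check above, as an added example that is not part of the original post: a small Python parser that reads an EHLO reply and reports whether the password-based LOGIN and PLAIN mechanisms are advertised on a session that has not yet negotiated TLS, as they are in the reply shown. The function names and the `tls_active` parameter are this example's own; the sample input is the reply from the post.

```python
"""Audit an SMTP EHLO reply for password mechanisms offered without TLS."""

# Constructed input: the EHLO reply from the post, seen on a cleartext port-25 session.
SAMPLE_EHLO = """\
250-SERVERNAME Hello CLIENT NAME [CLIENTIP], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
"""

# LOGIN and PLAIN send the password base64-encoded only, so a sniffer can read it.
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line 250 reply."""
    lines = reply.strip().splitlines()
    extensions = {}
    for index, line in enumerate(lines):
        last = index == len(lines) - 1
        # Every line is "250-text" except the final one, which is "250 text".
        if not line.startswith("250 " if last else "250-"):
            raise ValueError(f"malformed EHLO reply line: {line!r}")
        if index == 0:
            continue  # first line is the greeting, not an extension
        # Some older servers advertise "AUTH=LOGIN PLAIN"; treat '=' as a space.
        words = line[4:].replace("AUTH=", "AUTH ", 1).split()
        if words:
            extensions.setdefault(words[0].upper(), []).extend(words[1:])
    return extensions


def audit_ehlo(reply, tls_active=False):
    """Report whether LOGIN/PLAIN are offered while the session is unencrypted."""
    ext = parse_ehlo(reply)
    mechs = sorted({m.upper() for m in ext.get("AUTH", [])})
    exposed = [] if tls_active else [m for m in mechs if m in PLAINTEXT_MECHS]
    return {"starttls": "STARTTLS" in ext, "auth": mechs, "exposed": exposed}


if __name__ == "__main__":
    print(audit_ehlo(SAMPLE_EHLO))
```

With sendmail, adding the `p` flag to confAUTH_OPTIONS (alongside `A`) stops the server from permitting PLAIN and LOGIN until a security layer such as STARTTLS is active, which is the state this check reports as an empty `exposed` list.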

SMTP over SSL (TLS) using sendmail

Thursday, January 23rd, 2003

Well, it turns out enabling SMTP over SSL wasn’t as difficult as I anticipated. I had to create another certificate for it in /usr/share/ssl/certs, although I’m sure I could have just copied the imap certificate and used it. Nonetheless I created one for sendmail using make sendmail.pem (in the /usr/share/ssl/certs directory).

Next I had to modify my /etc/mail/sendmail.mc file. Specifically I had to add the following:
define(`confCACERT_PATH',`/usr/share/ssl/certs')
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')

I updated the sendmail.cf file by running m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf and restarted the sendmail daemon. To test it I used telnet localhost 25 and issued the EHLO localhost command. The server returned some information including “250-STARTTLS” indicating that SSL was enabled. I changed the configuration of my mail client to use SMTP over SSL and sent a few test emails to myself. Everything looks good. All of these changes were specifically for sendmail shipped with RedHat 8.0, but sendmail has a more generic setup description on their site.

The next thing I’d like to do is enable AUTH on sendmail so relaying will be enabled by the mail client authenticating. Right now I’ve specified the hosts to allow relaying from in a file but that causes problems if I’m using DHCP or dialing in. Unfortunately it looks like I’m going to have to recompile sendmail to do that. Hmm…something for a rainy day.

Secure Email

Wednesday, January 22nd, 2003

I’ve been wanting to set up secure email on the server so I can use a mail client on my laptop to access and send email regardless of what network I’m connected to. Setting up IMAP over SSL was very simple. I changed the “disabled” entry in my /etc/xinetd.d/imaps file to no and then removed the default localhost imapd.pem certificate in /usr/share/ssl/certs and created a new one using make imapd.pem (here are some instructions I followed). I restarted the xinetd daemon and configured my mail client to use IMAP over SSL and everything worked. Very nice!

That takes care of receiving mail but I have a feeling setting up SMTP over SSL might be a little more difficult. Especially since I’m still using sendmail. Perhaps this would be a good time to switch over to postfix. Hmm… I think I’ll save all that for another day.