Congratulations!

[Valid RSS] This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

Source: http://www.michael-prokop.at/blog/wp-rss2.php

  1. <?xml version="1.0" encoding="ISO-8859-1"?><rss version="2.0"
  2. xmlns:content="http://purl.org/rss/1.0/modules/content/"
  3. xmlns:wfw="http://wellformedweb.org/CommentAPI/"
  4. xmlns:dc="http://purl.org/dc/elements/1.1/"
  5. xmlns:atom="http://www.w3.org/2005/Atom"
  6. xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
  7. xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
  8. >
  9.  
  10. <channel>
  11. <title>mikas blog</title>
  12. <atom:link href="https://michael-prokop.at/blog/feed/" rel="self" type="application/rss+xml" />
  13. <link>https://michael-prokop.at/blog</link>
  14. <description>... and even if no one reads it</description>
  15. <lastBuildDate>Fri, 16 Feb 2024 15:54:36 +0000</lastBuildDate>
  16. <language>en-US</language>
  17. <sy:updatePeriod>hourly</sy:updatePeriod>
  18. <sy:updateFrequency>1</sy:updateFrequency>
  19. <generator>https://wordpress.org/?v=5.0.3</generator>
  20. <item>
  21. <title>Mein Lesejahr 2023</title>
  22. <link>https://michael-prokop.at/blog/2024/01/03/mein-lesejahr-2023/</link>
  23. <comments>https://michael-prokop.at/blog/2024/01/03/mein-lesejahr-2023/#comments</comments>
  24. <pubDate>Wed, 03 Jan 2024 11:39:37 +0000</pubDate>
  25. <dc:creator><![CDATA[mika]]></dc:creator>
  26. <category><![CDATA[Allgemein]]></category>
  27. <category><![CDATA[Bücher & CO]]></category>
  28.  
  29. <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6849</guid>
  30. <description><![CDATA[Ich habe auch 2023 keine Bookdumps geschrieben (zu viel Aufwand), darum gibt es auch diesmal wieder (siehe Lesejahr 2022 für die letzte Ausgabe) eine Art Best-Of der von mir 2023 fertig gelesenen Bücher, also jene die ich besonders lesenswert fand bzw. empfehlen möchte (die Reihenfolge entspricht dem Foto und stellt keinerlei Reihung oder dergleichen dar): [&#8230;]]]></description>
  31. <content:encoded><![CDATA[<p><img src="/blog/img/buecher_2023.jpg" alt="Foto der hier vorgestellten Bücher" style="border: 0px; margin-right: 20px" align=left /></p>
  32. <p>Ich habe auch 2023 keine Bookdumps geschrieben (zu viel Aufwand), darum gibt es auch diesmal wieder (siehe <a href="/blog/2023/01/03/mein-lesejahr-2022/">Lesejahr 2022</a> für die letzte Ausgabe) eine Art Best-Of der von mir 2023 fertig gelesenen Bücher, also jene die ich besonders lesenswert fand bzw. empfehlen möchte (die Reihenfolge entspricht dem Foto und stellt keinerlei Reihung oder dergleichen dar):</p>
  33. <ul>
  34. <li><a href="https://www.penguin.de/Daniel-Everett-Das-gluecklichste-Volk-DVA/Das-gluecklichste-Volk/aid20724_4354.rhd"><strong>Das glücklichste Volk: Sieben Jahre bei den Pirahã-Indianern am Amazonas</strong>, Daniel L. Everett</a>. Diese Buch ist eine Empfehlung von Khaled Hakami, der u.a. im Erklär-mir-die-Welt-Podcast zum Thema <a href="https://xn--erklrmir-3za.at/2021/03/02/153-erklaer-mir-jaeger-und-sammler-khaled-hakami/">Erklär mir Jäger und Sammle</a> zu Gast war. Das Buch ist eine große Empfehlung speziell für all jene Leute, die sich für andere Kulturen interessieren. Es ist eines der horizonterweiterndsten Bücher, das ich in den letzten Jahren gelesen habe.</li>
  35. <li><a href="https://www.kiwi-verlag.de/buch/nele-pollatschek-kleine-probleme-9783869712406"><strong>Kleine Probleme</strong>, Nele Pollatschek</a>. Der letzte Tag des Jahres, eine To-do-Liste, unerledigte Dinge und die Sehnsucht nach Ordnung. Die Autorin schreibt aus Sicht von Lars, Familienvater und Endvierziger ein unterhaltsames Buch.</li>
  36. <li><a href="https://www.mare.de/buecher/gentleman-uber-bord-8696"><strong>Gentleman über Bord</strong>, Herbert Clyde Lewis</a>. Ein Roman aus dem Jahr 1937, in dem der Protagonist Henry bei einer Schiffsreise bei einem Missgeschick über Bord geht, und die restliche Besatzung des Schiffes jede Menge Ausreden für sich (er)findet, um das Verschwinden des Passagiers Henry zu entschuldigen. Bedeutungstief und zeitlos.</li>
  37. <li><a href="https://en.wikipedia.org/wiki/The_Undoing_Project"><strong>The Undoing Project: A Friendship That Changed Our Minds</strong>, Michael Lewis</a>. Ein Buch das die Freundschaft und Lebensweg von Daniel Kahneman (bekannt u.a. für das Buch &#8220;Thinking, Fast and Slow&#8221;) und Amos Tversk beleuchtet, jene Herren die u.a. für die <a href="https://de.wikipedia.org/wiki/Prospect_Theory">Prospect Theory</a> bekannt sind. Ich wurde auf das Buch über die <a href="https://www.piqd.de/literatur/the-undoing-project-und-der-beginn-einer-automatischen-sachbuchkritik">wunderbare Rezension von Kathrin Passig</a> aufmerksam, und mir hat das Buch voll zugesagt (auch wenn ein Lesebuddy zurecht anmerkte, dass man kein Problem mit amerikanischen Journalisten als Autor wie auch ein bisserl Drama haben sollte, <em>mich</em> hat beides nicht gestört). Für mich war das Buch insgesamt sehr gut gemacht, es gab einige interessante Stellen und diente mir als Erinnerung, dass ich die Werke von Kahneman (wieder) mal (fertig)lesen sollte.</li>
  38. <li><a href="https://www.rowohlt.de/buch/dirk-stermann-mir-geht-s-gut-wenn-nicht-heute-dann-morgen-9783498003746"><strong>Mir geht&#8217;s gut, wenn nicht heute, dann morgen</strong>, Dirk Stermann</a>. Eine wunderbare Mischung aus ernsten Themen und Schmäh.</li>
  39. <li><a href="https://www.hanser-literaturverlage.de/buch/vati/978-3-446-26917-0/"><strong>Vati</strong>, Monika Helfer</a>. Eine Fortsetzung ihrer eigenen Familiengeschichte, ich mag die schlichte und trotzdem berührende Sprache.</li>
  40. <li><a href="https://www.hanser-literaturverlage.de/buch/eigentum/978-3-446-27833-2/"><strong>Eigentum</strong>, Wolf Haas</a>. Ich habe Haas erst 2022 für mich entdeckt, er ist einer meiner Lieblingsautoren und ich bin seither auf dem Weg alles von ihm zu lesen. Auch <em>Eigentum</em> ist ein wunderschönes Buch, in dem Haas von seiner sterbenden Mutter schreibt. Sprachkünstler, Hilfsausdruck!</li>
  41. <li><a href="https://www.rowohlt.de/buch/wolfgang-herrndorf-arbeit-und-struktur-9783499268519"><strong>Arbeit und Struktur</strong>, Wolfgang Herrndorf</a>. Los ging es mit dem Schließen einer Bildungslücke: <a href="https://de.wikipedia.org/wiki/Tschick_(Roman)">Tschick</a> vom selbigen Autor hat mich dermaßen reingezogen, dass ich auch endlich mal dessen <em>Arbeit und Struktur</em> angefangen habe, ein Buch das <a href="https://daslesenderanderen.de/episodes/20-clemens-j-setz-und-der-buerostuhl-von-ernst-jandl/">Clemens J. Setz im Podcast &#8220;Das Lesen der Anderen&#8221;</a> empfohlen hat. Das Buch ist die Autobiografie der letzten Lebensjahre des Autors. Ursprünglich als Blog aufgesetzt nachdem der Autor die Diagnose Hirntumor bekommen hat, wurde sein digitales Tagebuch dann in Papier- und Buchform gebracht. Man möge sich von dem vielleicht etwas sperrigen Titel nicht aufhalten lassen. Ein beeindruckendes, bewegendes und großartiges Buch.</li>
  42. <li><a href="https://www.dumont-buchverlag.de/buch/mariana-leky-die-herrenausstatterin-9783832185442-t-3836"><strong>Die Herrenausstatterin</strong>, Mariana Leky</a>. Ich bin ein Fan von Mariana Leky und habe über die letzten Jahre regelmäßig Bücher von ihr gelesen, so auch dieses wunderbare Buch über eine Dreiecksgeschichte.</li>
  43. </ul>
  44. <p>Ich freue mich übrigens über Feedback, wenn jemand von euch ein Buch aufgrund dieses Beitrags hier gelesen oder selbst Lese-Empfehlungen für mich hat.</p>
  45. ]]></content:encoded>
  46. <wfw:commentRss>https://michael-prokop.at/blog/2024/01/03/mein-lesejahr-2023/feed/</wfw:commentRss>
  47. <slash:comments>2</slash:comments>
  48. </item>
  49. <item>
  50. <title>Postfix failing with &#8220;no shared cipher&#8221;</title>
  51. <link>https://michael-prokop.at/blog/2023/09/25/postfix-failing-with-no-shared-cipher/</link>
  52. <comments>https://michael-prokop.at/blog/2023/09/25/postfix-failing-with-no-shared-cipher/#comments</comments>
  53. <pubDate>Mon, 25 Sep 2023 18:35:15 +0000</pubDate>
  54. <dc:creator><![CDATA[mika]]></dc:creator>
  55. <category><![CDATA[Computer]]></category>
  56. <category><![CDATA[Debian]]></category>
  57. <category><![CDATA[English]]></category>
  58.  
  59. <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6838</guid>
  60. <description><![CDATA[I&#8217;m one of the few folks left who run and maintain mail servers. Recently I had major troubles receiving mails from the mail servers used by a bank, and when asking my favourite search engine, I&#8217;m clearly]]></description>
  61. <content:encoded><![CDATA[<p>I&#8217;m one of the few folks left who run and maintain mail servers. Recently I had major troubles receiving mails from the mail servers used by a bank, and when <a href="https://duckduckgo.com/?q=%22no+shared+cipher%22+%22lost+connection+after+STARTTLS+from%22">asking my favourite search engine</a>, I&#8217;m clearly <a href=https://community.keyhelp.de/viewtopic.php?t=10987">not</a> the only <a href="https://talk.plesk.com/threads/two-words-about-postfix-and-ssl-tls.345772/">one</a> who <a href="https://serverfault.com/questions/1006059/postfix-3-4-9-ssl-issues-no-shared-cipher-from-servers-using-tlsv1">ran into</a> such <a href="https://github.com/docker-mailserver/docker-mailserver/issues/1784">an issue</a>. Actually, I should have checked off the issue and not become a customer at that bank, but the tech nerd in me couldn&#8217;t resist getting to the bottom of the problem. Since I got it working and this might be useful for others, here we are. :)</p>
  62. <p>I was trying to get an online banking account set up, but the corresponding account creation mail didn&#8217;t arrive me, at all. Looking at my mail server logs, my postfix mail server didn&#8217;t accept the mail due to:</p>
  63. <pre>
  64. postfix/smtpd[3319640]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
  65. postfix/smtpd[3319640]: lost connection after STARTTLS from mx01.arz.at[193.110.182.61]
  66. </pre>
  67. <p>Huh, what&#8217;s going on here?! Let&#8217;s increase the TLS loglevel (setting <em>smtpd_tls_loglevel = 2</em>) and retry. But how can I retry receiving yet another mail? Luckily, on the registration website of the bank there was a URL available, that let me request a one-time password. This triggered another mail, so I did that and managed to grab this in the logs:</p>
  68. <pre>
  69. postfix/smtpd[3320018]: initializing the server-side TLS engine
  70. postfix/tlsmgr[3320020]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_scache
  71. postfix/tlsmgr[3320020]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
  72. postfix/smtpd[3320018]: connect from mx01.arz.at[193.110.182.61]
  73. postfix/smtpd[3320018]: setting up TLS connection from mx01.arz.at[193.110.182.61]
  74. postfix/smtpd[3320018]: mx01.arz.at[193.110.182.61]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
  75. postfix/smtpd[3320018]: SSL_accept:before SSL initialization
  76. postfix/smtpd[3320018]: SSL_accept:before SSL initialization
  77. postfix/smtpd[3320018]: SSL3 alert write:fatal:handshake failure
  78. postfix/smtpd[3320018]: SSL_accept:error in error
  79. postfix/smtpd[3320018]: SSL_accept error from mx01.arz.at[193.110.182.61]: -1
  80. postfix/smtpd[3320018]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
  81. postfix/smtpd[3320018]: lost connection after STARTTLS from mx01.arz.at[193.110.182.61]
  82. postfix/smtpd[3320018]: disconnect from mx01.arz.at[193.110.182.61] ehlo=1 starttls=0/1 commands=1/2
  83. postfix/smtpd[3320018]: connect from mx01.arz.at[193.110.182.61]
  84. postfix/smtpd[3320018]: disconnect from mx01.arz.at[193.110.182.61] ehlo=1 quit=1 commands=2
  85. </pre>
  86. <p>Ok, so this <em>TLS cipher list &#8220;aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH&#8221;</em> looked like the <em>tls_medium_cipherlist</em> setting in postfix, but which ciphers <em>might</em> we expect? Let&#8217;s see what their SMTP server would speak to us:</p>
  87. <pre>
  88. % testssl --cipher-per-proto -t=smtp mx01.arz.at:25
  89. [...]
  90. Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
  91. -----------------------------------------------------------------------------------------------------------------------------
  92. SSLv2
  93. SSLv3
  94. TLS 1
  95. TLS 1.1
  96. TLS 1.2
  97. xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  98. xc028   ECDHE-RSA-AES256-SHA384           ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  99. xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  100. x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384
  101. x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256
  102. x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
  103. xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  104. xc027   ECDHE-RSA-AES128-SHA256           ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  105. xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  106. x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256
  107. x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256
  108. x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
  109. TLS 1.3
  110. </pre>
  111. <p>Looks like a very small subset of ciphers, and they don&#8217;t seem to be talking TLS v1.3 at all? Not great. :(</p>
  112. <p>A nice web service to verify the situation from another point of view is <a href="https://www.checktls.com/TestReceiver">checktls</a>, which also confirmed this:</p>
  113. <pre>
  114. [000.705] &lt;-- 220 2.0.0 Ready to start TLS
  115. [000.705] STARTTLS command works on this server
  116. [001.260] Connection converted to SSL
  117. SSLVersion in use: TLSv1_2
  118. Cipher in use: ECDHE-RSA-AES256-GCM-SHA384
  119. Perfect Forward Secrecy: yes
  120. Session Algorithm in use: Curve P-256 DHE(256 bits)
  121. Certificate #1 of 3 (sent by MX):
  122. Cert VALIDATED: ok
  123. Cert Hostname VERIFIED (mx01.arz.at = *.arz.at | DNS:*.arz.at | DNS:arz.at)
  124. [...]
  125. [001.517] TLS successfully started on this server
  126. </pre>
  127. <p>I got distracted by some other work, and when coming back to this problem, the one-time password procedure no longer worked, as the password reset URL was no longer valid. :( I managed to find the underlying URL, and with some web developer tools tinkering I could still use the website to let me trigger sending further one-time password mails, phew.</p>
  128. <p>Let&#8217;s continue, so <em>my</em> mail server was running Debian/bullseye with postfix v3.5.18-0+deb11u1 and openssl v1.1.1n-0+deb11u5, let&#8217;s see what it offers:</p>
  129. <pre>
  130. % testssl --cipher-per-proto -t=smtp mail.example.com:25
  131. [...]
  132. Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
  133. -----------------------------------------------------------------------------------------------------------------------------
  134. SSLv2
  135. SSLv3
  136. TLS 1
  137. xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 253   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  138. xc019   AECDH-AES256-SHA                  ECDH 253   AES         256      TLS_ECDH_anon_WITH_AES_256_CBC_SHA
  139. x3a     ADH-AES256-SHA                    DH 2048    AES         256      TLS_DH_anon_WITH_AES_256_CBC_SHA
  140. x89     ADH-CAMELLIA256-SHA               DH 2048    Camellia    256      TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
  141. xc009   ECDHE-ECDSA-AES128-SHA            ECDH 253   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  142. xc018   AECDH-AES128-SHA                  ECDH 253   AES         128      TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  143. x34     ADH-AES128-SHA                    DH 2048    AES         128      TLS_DH_anon_WITH_AES_128_CBC_SHA
  144. x9b     ADH-SEED-SHA                      DH 2048    SEED        128      TLS_DH_anon_WITH_SEED_CBC_SHA
  145. x46     ADH-CAMELLIA128-SHA               DH 2048    Camellia    128      TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
  146. TLS 1.1
  147. xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 253   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  148. xc019   AECDH-AES256-SHA                  ECDH 253   AES         256      TLS_ECDH_anon_WITH_AES_256_CBC_SHA
  149. x3a     ADH-AES256-SHA                    DH 2048    AES         256      TLS_DH_anon_WITH_AES_256_CBC_SHA
  150. x89     ADH-CAMELLIA256-SHA               DH 2048    Camellia    256      TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
  151. xc009   ECDHE-ECDSA-AES128-SHA            ECDH 253   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  152. xc018   AECDH-AES128-SHA                  ECDH 253   AES         128      TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  153. x34     ADH-AES128-SHA                    DH 2048    AES         128      TLS_DH_anon_WITH_AES_128_CBC_SHA
  154. x9b     ADH-SEED-SHA                      DH 2048    SEED        128      TLS_DH_anon_WITH_SEED_CBC_SHA
  155. x46     ADH-CAMELLIA128-SHA               DH 2048    Camellia    128      TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
  156. TLS 1.2
  157. xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 253   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  158. xc024   ECDHE-ECDSA-AES256-SHA384         ECDH 253   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  159. xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 253   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  160. xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 253   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  161. xc0af   ECDHE-ECDSA-AES256-CCM8           ECDH 253   AESCCM8     256      TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
  162. xc0ad   ECDHE-ECDSA-AES256-CCM            ECDH 253   AESCCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_CCM
  163. xc073   ECDHE-ECDSA-CAMELLIA256-SHA384    ECDH 253   Camellia    256      TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
  164. xc019   AECDH-AES256-SHA                  ECDH 253   AES         256      TLS_ECDH_anon_WITH_AES_256_CBC_SHA
  165. xa7     ADH-AES256-GCM-SHA384             DH 2048    AESGCM      256      TLS_DH_anon_WITH_AES_256_GCM_SHA384
  166. x6d     ADH-AES256-SHA256                 DH 2048    AES         256      TLS_DH_anon_WITH_AES_256_CBC_SHA256
  167. x3a     ADH-AES256-SHA                    DH 2048    AES         256      TLS_DH_anon_WITH_AES_256_CBC_SHA
  168. xc5     ADH-CAMELLIA256-SHA256            DH 2048    Camellia    256      TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
  169. x89     ADH-CAMELLIA256-SHA               DH 2048    Camellia    256      TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
  170. xc05d   ECDHE-ECDSA-ARIA256-GCM-SHA384    ECDH 253   ARIAGCM     256      TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
  171. xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 253   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  172. xc023   ECDHE-ECDSA-AES128-SHA256         ECDH 253   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  173. xc009   ECDHE-ECDSA-AES128-SHA            ECDH 253   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  174. xc0ae   ECDHE-ECDSA-AES128-CCM8           ECDH 253   AESCCM8     128      TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
  175. xc0ac   ECDHE-ECDSA-AES128-CCM            ECDH 253   AESCCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_CCM
  176. xc072   ECDHE-ECDSA-CAMELLIA128-SHA256    ECDH 253   Camellia    128      TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
  177. xc018   AECDH-AES128-SHA                  ECDH 253   AES         128      TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  178. xa6     ADH-AES128-GCM-SHA256             DH 2048    AESGCM      128      TLS_DH_anon_WITH_AES_128_GCM_SHA256
  179. x6c     ADH-AES128-SHA256                 DH 2048    AES         128      TLS_DH_anon_WITH_AES_128_CBC_SHA256
  180. x34     ADH-AES128-SHA                    DH 2048    AES         128      TLS_DH_anon_WITH_AES_128_CBC_SHA
  181. xbf     ADH-CAMELLIA128-SHA256            DH 2048    Camellia    128      TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256
  182. x9b     ADH-SEED-SHA                      DH 2048    SEED        128      TLS_DH_anon_WITH_SEED_CBC_SHA
  183. x46     ADH-CAMELLIA128-SHA               DH 2048    Camellia    128      TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
  184. xc05c   ECDHE-ECDSA-ARIA128-GCM-SHA256    ECDH 253   ARIAGCM     128      TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
  185. TLS 1.3
  186. x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
  187. x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
  188. x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256
  189. </pre>
  190. <p>Not so bad, but sadly no overlap with any of the ciphers that mx01.arz.at offers.</p>
  191. <p>What about disabling STARTTLS for the mx01.arz.at (+ mx02.arz.at being another one used by the relevant domain) mail servers when talking to mine? Let&#8217;s try that:</p>
  192. <pre>
  193. % sudo postconf -nf smtpd_discard_ehlo_keyword_address_maps
  194. smtpd_discard_ehlo_keyword_address_maps =
  195.    hash:/etc/postfix/smtpd_discard_ehlo_keywords
  196.  
  197. % cat /etc/postfix/smtpd_discard_ehlo_keywords
  198. # *disable* starttls for mx01.arz.at / mx02.arz.at:
  199. 193.110.182.61 starttls
  200. 193.110.182.62 starttls
  201. </pre>
  202. <p>But the remote mail server doesn&#8217;t seem to send mails without TLS:</p>
  203. <pre>
  204. postfix/smtpd[4151799]: connect from mx01.arz.at[193.110.182.61]
  205. postfix/smtpd[4151799]: discarding EHLO keywords: STARTTLS
  206. postfix/smtpd[4151799]: disconnect from mx01.arz.at[193.110.182.61] ehlo=1 quit=1 commands=2
  207. </pre>
  208. <p>Let&#8217;s verify this further, but without fiddling with the main mail server too much. We can add a dedicated service to postfix (see <a href="https://serverfault.com/questions/1045230/disable-postfix-server-tls-for-specific-clients">serverfault</a>), and run it in verbose mode, to get more detailled logging:</p>
  209. <pre>
  210. % sudo postconf -Mf
  211. [...]
  212. 10025      inet  n       -       -       -       -       smtpd
  213.    -o syslog_name=postfix/smtpd/badstarttls
  214.    -o smtpd_tls_security_level=none
  215.    -o smtpd_helo_required=yes
  216.    -o smtpd_helo_restrictions=pcre:/etc/postfix/helo_badstarttls_allow,reject
  217.    -v
  218.  
  219. [...]
  220.  
  221. % cat /etc/postfix/helo_badstarttls_allow
  222. /mx01.arz.at/ OK
  223. /mx02.arz.at/ OK
  224. /193.110.182.61/ OK
  225. /193.110.182.62/ OK
  226. </pre>
  227. <p>We redirect the traffic from mx01.arz.at + mx02.arz.at towards our new postfix service, listening on port 10025:</p>
  228. <pre>
  229. % sudo iptables -t nat -A PREROUTING -p tcp -s 193.110.182.61 --dport 25 -j REDIRECT --to-port 10025
  230. % sudo iptables -t nat -A PREROUTING -p tcp -s 193.110.182.62 --dport 25 -j REDIRECT --to-port 10025
  231. </pre>
  232. <p>With this setup we get very detailed logging, and it seems to confirm our suspicion that the mail server doesn&#8217;t want to talk unencrypted with us:</p>
  233. <pre>
  234. [...]
  235. postfix/smtpd/badstarttls/smtpd[3491900]: connect from mx01.arz.at[193.110.182.61]
  236. [...]
  237. postfix/smtpd/badstarttls/smtpd[3491901]: disconnect from mx01.arz.at[193.110.182.61] ehlo=1 quit=1 commands=2
  238. postfix/smtpd/badstarttls/smtpd[3491901]: master_notify: status 1
  239. postfix/smtpd/badstarttls/smtpd[3491901]: connection closed
  240. [...]
  241. </pre>
  242. <p>Let&#8217;s step back and revert those changes, back to our original postfix setup. Might the problem be related to our Let&#8217;s Encrypt certificate? Let&#8217;s see what we have:</p>
  243. <pre>
  244. % echo QUIT | openssl s_client -connect mail.example.com:25 -starttls
  245. [...]
  246. issuer=C = US, O = Let's Encrypt, CN = R3
  247.  
  248. ---
  249. No client certificate CA names sent
  250. Peer signing digest: SHA384
  251. Peer signature type: ECDSA
  252. Server Temp Key: X25519, 253 bits
  253. ---
  254. SSL handshake has read 4455 bytes and written 427 bytes
  255. Verification: OK
  256. ---
  257. New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
  258. Server public key is 384 bit
  259. [...]
  260. </pre>
  261. <p>We have an ECDSA based certificate, what about switching to RSA instead? Thanks to the wonderful <a href="https://github.com/dehydrated-io/dehydrated/">dehydrated</a>, this is as easy as:</p>
  262. <pre>
  263. % echo KEY_ALGO=rsa &gt; certs/mail.example.com/config
  264. % ./dehydrated -c --domain mail.example.com --force
  265. % sudo systemctl reload postfix
  266. </pre>
  267. <p>With switching to RSA type key we get:</p>
  268. <pre>
  269. % echo QUIT | openssl s_client -connect mail.example.com:25 -starttls smtp
  270. CONNECTED(00000003)
  271. [...]
  272. issuer=C = US, O = Let's Encrypt, CN = R3
  273.  
  274. ---
  275. No client certificate CA names sent
  276. Peer signing digest: SHA256
  277. Peer signature type: RSA-PSS
  278. Server Temp Key: X25519, 253 bits
  279. ---
  280. SSL handshake has read 5295 bytes and written 427 bytes
  281. Verification: OK
  282. ---
  283. New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
  284. Server public key is 4096 bit
  285. </pre>
  286. <p>Which ciphers do we offer now? Let&#8217;s check:</p>
  287. <pre>
  288. % testssl --cipher-per-proto -t=smtp mail.example.com:25
  289. [...]
  290. Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
  291. -----------------------------------------------------------------------------------------------------------------------------
  292. SSLv2
  293. SSLv3
  294. TLS 1
  295. xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  296. x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  297. x88     DHE-RSA-CAMELLIA256-SHA           DH 2048    Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
  298. xc019   AECDH-AES256-SHA                  ECDH 253   AES         256      TLS_ECDH_anon_WITH_AES_256_CBC_SHA
  299. x3a     ADH-AES256-SHA                    DH 2048    AES         256      TLS_DH_anon_WITH_AES_256_CBC_SHA
  300. x89     ADH-CAMELLIA256-SHA               DH 2048    Camellia    256      TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
  301. x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
  302. x84     CAMELLIA256-SHA                   RSA        Camellia    256      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  303. xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  304. x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  305. x9a     DHE-RSA-SEED-SHA                  DH 2048    SEED        128      TLS_DHE_RSA_WITH_SEED_CBC_SHA
  306. x45     DHE-RSA-CAMELLIA128-SHA           DH 2048    Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
  307. xc018   AECDH-AES128-SHA                  ECDH 253   AES         128      TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  308. x34     ADH-AES128-SHA                    DH 2048    AES         128      TLS_DH_anon_WITH_AES_128_CBC_SHA
  309. x9b     ADH-SEED-SHA                      DH 2048    SEED        128      TLS_DH_anon_WITH_SEED_CBC_SHA
  310. x46     ADH-CAMELLIA128-SHA               DH 2048    Camellia    128      TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
  311. x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
  312. x96     SEED-SHA                          RSA        SEED        128      TLS_RSA_WITH_SEED_CBC_SHA
  313. x41     CAMELLIA128-SHA                   RSA        Camellia    128      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
  314. TLS 1.1
  315. xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  316. x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  317. x88     DHE-RSA-CAMELLIA256-SHA           DH 2048    Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
  318. xc019   AECDH-AES256-SHA                  ECDH 253   AES         256      TLS_ECDH_anon_WITH_AES_256_CBC_SHA
  319. x3a     ADH-AES256-SHA                    DH 2048    AES         256      TLS_DH_anon_WITH_AES_256_CBC_SHA
  320. x89     ADH-CAMELLIA256-SHA               DH 2048    Camellia    256      TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
  321. x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
  322. x84     CAMELLIA256-SHA                   RSA        Camellia    256      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  323. xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  324. x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  325. x9a     DHE-RSA-SEED-SHA                  DH 2048    SEED        128      TLS_DHE_RSA_WITH_SEED_CBC_SHA
  326. x45     DHE-RSA-CAMELLIA128-SHA           DH 2048    Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
  327. xc018   AECDH-AES128-SHA                  ECDH 253   AES         128      TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  328. x34     ADH-AES128-SHA                    DH 2048    AES         128      TLS_DH_anon_WITH_AES_128_CBC_SHA
  329. x9b     ADH-SEED-SHA                      DH 2048    SEED        128      TLS_DH_anon_WITH_SEED_CBC_SHA
  330. x46     ADH-CAMELLIA128-SHA               DH 2048    Camellia    128      TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
  331. x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
  332. x96     SEED-SHA                          RSA        SEED        128      TLS_RSA_WITH_SEED_CBC_SHA
  333. x41     CAMELLIA128-SHA                   RSA        Camellia    128      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
  334. TLS 1.2
  335. xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  336. xc028   ECDHE-RSA-AES256-SHA384           ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  337. xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  338. x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  339. xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  340. xccaa   DHE-RSA-CHACHA20-POLY1305         DH 2048    ChaCha20    256      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  341. xc0a3   DHE-RSA-AES256-CCM8               DH 2048    AESCCM8     256      TLS_DHE_RSA_WITH_AES_256_CCM_8
  342. xc09f   DHE-RSA-AES256-CCM                DH 2048    AESCCM      256      TLS_DHE_RSA_WITH_AES_256_CCM
  343. x6b     DHE-RSA-AES256-SHA256             DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  344. x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  345. xc077   ECDHE-RSA-CAMELLIA256-SHA384      ECDH 253   Camellia    256      TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
  346. xc4     DHE-RSA-CAMELLIA256-SHA256        DH 2048    Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
  347. x88     DHE-RSA-CAMELLIA256-SHA           DH 2048    Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
  348. xc019   AECDH-AES256-SHA                  ECDH 253   AES         256      TLS_ECDH_anon_WITH_AES_256_CBC_SHA
  349. xa7     ADH-AES256-GCM-SHA384             DH 2048    AESGCM      256      TLS_DH_anon_WITH_AES_256_GCM_SHA384
  350. x6d     ADH-AES256-SHA256                 DH 2048    AES         256      TLS_DH_anon_WITH_AES_256_CBC_SHA256
  351. x3a     ADH-AES256-SHA                    DH 2048    AES         256      TLS_DH_anon_WITH_AES_256_CBC_SHA
  352. xc5     ADH-CAMELLIA256-SHA256            DH 2048    Camellia    256      TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
  353. x89     ADH-CAMELLIA256-SHA               DH 2048    Camellia    256      TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
  354. x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384
  355. xc0a1   AES256-CCM8                       RSA        AESCCM8     256      TLS_RSA_WITH_AES_256_CCM_8
  356. xc09d   AES256-CCM                        RSA        AESCCM      256      TLS_RSA_WITH_AES_256_CCM
  357. x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256
  358. x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
  359. xc0     CAMELLIA256-SHA256                RSA        Camellia    256      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
  360. x84     CAMELLIA256-SHA                   RSA        Camellia    256      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  361. xc051   ARIA256-GCM-SHA384                RSA        ARIAGCM     256      TLS_RSA_WITH_ARIA_256_GCM_SHA384
  362. xc053   DHE-RSA-ARIA256-GCM-SHA384        DH 2048    ARIAGCM     256      TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
  363. xc061   ECDHE-ARIA256-GCM-SHA384          ECDH 253   ARIAGCM     256      TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
  364. xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  365. xc027   ECDHE-RSA-AES128-SHA256           ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  366. xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  367. x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  368. xc0a2   DHE-RSA-AES128-CCM8               DH 2048    AESCCM8     128      TLS_DHE_RSA_WITH_AES_128_CCM_8
  369. xc09e   DHE-RSA-AES128-CCM                DH 2048    AESCCM      128      TLS_DHE_RSA_WITH_AES_128_CCM
  370. xc0a0   AES128-CCM8                       RSA        AESCCM8     128      TLS_RSA_WITH_AES_128_CCM_8
  371. xc09c   AES128-CCM                        RSA        AESCCM      128      TLS_RSA_WITH_AES_128_CCM
  372. x67     DHE-RSA-AES128-SHA256             DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  373. x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  374. xc076   ECDHE-RSA-CAMELLIA128-SHA256      ECDH 253   Camellia    128      TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
  375. xbe     DHE-RSA-CAMELLIA128-SHA256        DH 2048    Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
  376. x9a     DHE-RSA-SEED-SHA                  DH 2048    SEED        128      TLS_DHE_RSA_WITH_SEED_CBC_SHA
  377. x45     DHE-RSA-CAMELLIA128-SHA           DH 2048    Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
  378. xc018   AECDH-AES128-SHA                  ECDH 253   AES         128      TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  379. xa6     ADH-AES128-GCM-SHA256             DH 2048    AESGCM      128      TLS_DH_anon_WITH_AES_128_GCM_SHA256
  380. x6c     ADH-AES128-SHA256                 DH 2048    AES         128      TLS_DH_anon_WITH_AES_128_CBC_SHA256
  381. x34     ADH-AES128-SHA                    DH 2048    AES         128      TLS_DH_anon_WITH_AES_128_CBC_SHA
  382. xbf     ADH-CAMELLIA128-SHA256            DH 2048    Camellia    128      TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256
  383. x9b     ADH-SEED-SHA                      DH 2048    SEED        128      TLS_DH_anon_WITH_SEED_CBC_SHA
  384. x46     ADH-CAMELLIA128-SHA               DH 2048    Camellia    128      TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
  385. x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256
  386. x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256
  387. x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
  388. xba     CAMELLIA128-SHA256                RSA        Camellia    128      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
  389. x96     SEED-SHA                          RSA        SEED        128      TLS_RSA_WITH_SEED_CBC_SHA
  390. x41     CAMELLIA128-SHA                   RSA        Camellia    128      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
  391. xc050   ARIA128-GCM-SHA256                RSA        ARIAGCM     128      TLS_RSA_WITH_ARIA_128_GCM_SHA256
  392. xc052   DHE-RSA-ARIA128-GCM-SHA256        DH 2048    ARIAGCM     128      TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
  393. xc060   ECDHE-ARIA128-GCM-SHA256          ECDH 253   ARIAGCM     128      TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
  394. TLS 1.3
  395. x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
  396. x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
  397. x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256
  398. </pre>
  399. <p>With switching our SSL certificate to RSA, we gained around 51 new cipher options, amongst them being ones that also mx01.arz.at claimed to support.</p>
  400. <p>FTR, the result from above is what you get with the default settings for postfix v3.5.18, being:</p>
  401. <pre>
  402. smtpd_tls_ciphers = medium
  403. smtpd_tls_mandatory_ciphers = medium
  404. smtpd_tls_mandatory_exclude_ciphers =
  405. smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
  406. </pre>
  407. <p>But the delay between triggering the password reset mail and getting a mail server connect was getting bigger and bigger. Therefore while waiting for the next mail to arrive, I decided to capture the network traffic, to be able to look further into this if it should continue to be failing:</p>
  408. <pre>
  409. % sudo tshark -n -i eth0 -s 65535 -w arz.pcap -f "host 193.110.182.61 or host 193.110.182.62"
  410. </pre>
  411. <p>A few hours later the mail server connected again, and the mail went through!</p>
  412. <pre>
  413. postfix/smtpd[4162835]: connect from mx01.arz.at[193.110.182.61]
  414. postfix/smtpd[4162835]: Anonymous TLS connection established from mx01.arz.at[193.110.182.61]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  415. postfix/smtpd[4162835]: E50D6401E6: client=mx01.arz.at[193.110.182.61]
  416. postfix/smtpd[4162835]: disconnect from mx01.arz.at[193.110.182.61] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
  417. </pre>
  418. <p>Now also having the captured network traffic, we can check the details there:</p>
  419. <pre>
  420. [...]
  421. % tshark -o smtp.decryption:true -r arz.pcap
  422.    1 0.000000000 193.110.182.61 &#8594; 203.0.113.42 TCP 74 24699 &#8594; 25 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2261106119 TSecr=0 WS=128
  423.    2 0.000042827 203.0.113.42 &#8594; 193.110.182.61 TCP 74 25 &#8594; 24699 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3233422181 TSecr=2261106119 WS=128
  424.    3 0.020719269 193.110.182.61 &#8594; 203.0.113.42 TCP 66 24699 &#8594; 25 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=2261106139 TSecr=3233422181
  425.    4 0.022883259 203.0.113.42 &#8594; 193.110.182.61 SMTP 96 S: 220 mail.example.com ESMTP
  426.    5 0.043682626 193.110.182.61 &#8594; 203.0.113.42 TCP 66 24699 &#8594; 25 [ACK] Seq=1 Ack=31 Win=29312 Len=0 TSval=2261106162 TSecr=3233422203
  427.    6 0.043799047 193.110.182.61 &#8594; 203.0.113.42 SMTP 84 C: EHLO mx01.arz.at
  428.    7 0.043811363 203.0.113.42 &#8594; 193.110.182.61 TCP 66 25 &#8594; 24699 [ACK] Seq=31 Ack=19 Win=65280 Len=0 TSval=3233422224 TSecr=2261106162
  429.    8 0.043898412 203.0.113.42 &#8594; 193.110.182.61 SMTP 253 S: 250-mail.example.com | PIPELINING | SIZE 20240000 | VRFY | ETRN | AUTH PLAIN | AUTH=PLAIN | ENHANCEDSTATUSCODES | 8BITMIME | DSN | SMTPUTF8 | CHUNKING
  430.    9 0.064625499 193.110.182.61 &#8594; 203.0.113.42 SMTP 72 C: QUIT
  431.   10 0.064750257 203.0.113.42 &#8594; 193.110.182.61 SMTP 81 S: 221 2.0.0 Bye
  432.   11 0.064760200 203.0.113.42 &#8594; 193.110.182.61 TCP 66 25 &#8594; 24699 [FIN, ACK] Seq=233 Ack=25 Win=65280 Len=0 TSval=3233422245 TSecr=2261106183
  433.   12 0.085573715 193.110.182.61 &#8594; 203.0.113.42 TCP 66 24699 &#8594; 25 [FIN, ACK] Seq=25 Ack=234 Win=30336 Len=0 TSval=2261106204 TSecr=3233422245
  434.   13 0.085610229 203.0.113.42 &#8594; 193.110.182.61 TCP 66 25 &#8594; 24699 [ACK] Seq=234 Ack=26 Win=65280 Len=0 TSval=3233422266 TSecr=2261106204
  435.   14 1799.888108373 193.110.182.61 &#8594; 203.0.113.42 TCP 74 10330 &#8594; 25 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2262906007 TSecr=0 WS=128
  436.   15 1799.888161311 203.0.113.42 &#8594; 193.110.182.61 TCP 74 25 &#8594; 10330 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3235222069 TSecr=2262906007 WS=128
  437.   16 1799.909030335 193.110.182.61 &#8594; 203.0.113.42 TCP 66 10330 &#8594; 25 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=2262906028 TSecr=3235222069
  438.   17 1799.956621011 203.0.113.42 &#8594; 193.110.182.61 SMTP 96 S: 220 mail.example.com ESMTP
  439.   18 1799.977229656 193.110.182.61 &#8594; 203.0.113.42 TCP 66 10330 &#8594; 25 [ACK] Seq=1 Ack=31 Win=29312 Len=0 TSval=2262906096 TSecr=3235222137
  440.   19 1799.977229698 193.110.182.61 &#8594; 203.0.113.42 SMTP 84 C: EHLO mx01.arz.at
  441.   20 1799.977266759 203.0.113.42 &#8594; 193.110.182.61 TCP 66 25 &#8594; 10330 [ACK] Seq=31 Ack=19 Win=65280 Len=0 TSval=3235222158 TSecr=2262906096
  442.   21 1799.977351663 203.0.113.42 &#8594; 193.110.182.61 SMTP 267 S: 250-mail.example.com | PIPELINING | SIZE 20240000 | VRFY | ETRN | STARTTLS | AUTH PLAIN | AUTH=PLAIN | ENHANCEDSTATUSCODES | 8BITMIME | DSN | SMTPUTF8 | CHUNKING
  443.   22 1800.011494861 193.110.182.61 &#8594; 203.0.113.42 SMTP 76 C: STARTTLS
  444.   23 1800.011589267 203.0.113.42 &#8594; 193.110.182.61 SMTP 96 S: 220 2.0.0 Ready to start TLS
  445.   24 1800.032812294 193.110.182.61 &#8594; 203.0.113.42 TLSv1 223 Client Hello
  446.   25 1800.032987264 203.0.113.42 &#8594; 193.110.182.61 TLSv1.2 2962 Server Hello
  447.   26 1800.032995513 203.0.113.42 &#8594; 193.110.182.61 TCP 1266 25 &#8594; 10330 [PSH, ACK] Seq=3158 Ack=186 Win=65152 Len=1200 TSval=3235222214 TSecr=2262906151 [TCP segment of a reassembled PDU]
  448.   27 1800.053546755 193.110.182.61 &#8594; 203.0.113.42 TCP 66 10330 &#8594; 25 [ACK] Seq=186 Ack=3158 Win=36096 Len=0 TSval=2262906172 TSecr=3235222214
  449.   28 1800.092852469 193.110.182.61 &#8594; 203.0.113.42 TCP 66 10330 &#8594; 25 [ACK] Seq=186 Ack=4358 Win=39040 Len=0 TSval=2262906212 TSecr=3235222214
  450.   29 1800.092892905 203.0.113.42 &#8594; 193.110.182.61 TLSv1.2 900 Certificate, Server Key Exchange, Server Hello Done
  451.   30 1800.113546769 193.110.182.61 &#8594; 203.0.113.42 TCP 66 10330 &#8594; 25 [ACK] Seq=186 Ack=5192 Win=41856 Len=0 TSval=2262906232 TSecr=3235222273
  452.   31 1800.114763363 193.110.182.61 &#8594; 203.0.113.42 TLSv1.2 192 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
  453.   32 1800.115000416 203.0.113.42 &#8594; 193.110.182.61 TLSv1.2 117 Change Cipher Spec, Encrypted Handshake Message
  454.   33 1800.136070200 193.110.182.61 &#8594; 203.0.113.42 TLSv1.2 113 Application Data
  455.   34 1800.136155526 203.0.113.42 &#8594; 193.110.182.61 TLSv1.2 282 Application Data
  456.   35 1800.158854473 193.110.182.61 &#8594; 203.0.113.42 TLSv1.2 162 Application Data
  457.   36 1800.159254794 203.0.113.42 &#8594; 193.110.182.61 TLSv1.2 109 Application Data
  458.   37 1800.180286407 193.110.182.61 &#8594; 203.0.113.42 TLSv1.2 144 Application Data
  459.   38 1800.223005960 203.0.113.42 &#8594; 193.110.182.61 TCP 66 25 &#8594; 10330 [ACK] Seq=5502 Ack=533 Win=65152 Len=0 TSval=3235222404 TSecr=2262906299
  460.   39 1802.230300244 203.0.113.42 &#8594; 193.110.182.61 TLSv1.2 146 Application Data
  461.   40 1802.251994333 193.110.182.61 &#8594; 203.0.113.42 TCP 2962 [TCP segment of a reassembled PDU]
  462.   41 1802.252034015 203.0.113.42 &#8594; 193.110.182.61 TCP 66 25 &#8594; 10330 [ACK] Seq=5582 Ack=3429 Win=63616 Len=0 TSval=3235224433 TSecr=2262908371
  463.   42 1802.252279083 193.110.182.61 &#8594; 203.0.113.42 TLSv1.2 1295 Application Data
  464.   43 1802.252288316 203.0.113.42 &#8594; 193.110.182.61 TCP 66 25 &#8594; 10330 [ACK] Seq=5582 Ack=4658 Win=64128 Len=0 TSval=3235224433 TSecr=2262908371
  465.   44 1802.272816060 193.110.182.61 &#8594; 203.0.113.42 TLSv1.2 833 Application Data, Application Data
  466.   45 1802.272827542 203.0.113.42 &#8594; 193.110.182.61 TCP 66 25 &#8594; 10330 [ACK] Seq=5582 Ack=5425 Win=64128 Len=0 TSval=3235224453 TSecr=2262908392
  467.   46 1802.338807683 203.0.113.42 &#8594; 193.110.182.61 TLSv1.2 131 Application Data
  468.   47 1802.398968611 193.110.182.61 &#8594; 203.0.113.42 TCP 66 10330 &#8594; 25 [ACK] Seq=5425 Ack=5647 Win=44800 Len=0 TSval=2262908518 TSecr=3235224519
  469.   48 1863.257457500 193.110.182.61 &#8594; 203.0.113.42 TLSv1.2 101 Application Data
  470.   49 1863.257495688 203.0.113.42 &#8594; 193.110.182.61 TCP 66 25 &#8594; 10330 [ACK] Seq=5647 Ack=5460 Win=64128 Len=0 TSval=3235285438 TSecr=2262969376
  471.   50 1863.257654942 203.0.113.42 &#8594; 193.110.182.61 TLSv1.2 110 Application Data
  472.   51 1863.257721010 203.0.113.42 &#8594; 193.110.182.61 TLSv1.2 97 Encrypted Alert
  473.   52 1863.278242216 193.110.182.61 &#8594; 203.0.113.42 TCP 66 10330 &#8594; 25 [ACK] Seq=5460 Ack=5691 Win=44800 Len=0 TSval=2262969397 TSecr=3235285438
  474.   53 1863.278464176 193.110.182.61 &#8594; 203.0.113.42 TCP 66 10330 &#8594; 25 [RST, ACK] Seq=5460 Ack=5723 Win=44800 Len=0 TSval=2262969397 TSecr=3235285438
  475. </pre>
  476. <pre>
  477. % tshark -O tls -r arz.pcap
  478. [...]
  479. Transport Layer Security
  480.    TLSv1 Record Layer: Handshake Protocol: Client Hello
  481.        Content Type: Handshake (22)
  482.        Version: TLS 1.0 (0x0301)
  483.        Length: 152
  484.        Handshake Protocol: Client Hello
  485.            Handshake Type: Client Hello (1)
  486.            Length: 148
  487.            Version: TLS 1.2 (0x0303)
  488.            Random: 4575d1e7c93c09a564edc00b8b56ea6f5d826f8cfe78eb980c451a70a9c5123f
  489.                GMT Unix Time: Dec  5, 2006 21:09:11.000000000 CET
  490.                Random Bytes: c93c09a564edc00b8b56ea6f5d826f8cfe78eb980c451a70a9c5123f
  491.            Session ID Length: 0
  492.            Cipher Suites Length: 26
  493.            Cipher Suites (13 suites)
  494.                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
  495.                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
  496.                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
  497.                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
  498.                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
  499.                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
  500.                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
  501.                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
  502.                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
  503.                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
  504.                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
  505.                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
  506.                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
  507. [...]
  508. Transport Layer Security
  509.    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
  510.        Content Type: Handshake (22)
  511.        Version: TLS 1.2 (0x0303)
  512.        Length: 89
  513.        Handshake Protocol: Server Hello
  514.            Handshake Type: Server Hello (2)
  515.            Length: 85
  516.            Version: TLS 1.2 (0x0303)
  517.            Random: cf2ed24e3300e95e5f56023bf8b4e5904b862bb2ed8a5796444f574e47524401
  518.                GMT Unix Time: Feb 23, 2080 23:16:46.000000000 CET
  519.                Random Bytes: 3300e95e5f56023bf8b4e5904b862bb2ed8a5796444f574e47524401
  520.            Session ID Length: 32
  521.            Session ID: 63d041b126ecebf857d685abd9d4593c46a3672e1ad76228f3eacf2164f86fb9
  522.            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
  523. [...]
  524. </pre>
  525. <p>In this network dump we see what cipher suites are offered, and the <em>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</em> here is the Cipher Suite Name in IANA/RFC speak. Whis corresponds to the <em>ECDHE-RSA-AES256-GCM-SHA384</em> in openssl speak (see Mozilla&#8217;s <a href="https://wiki.mozilla.org/Security/Cipher_Suites">Mozilla&#8217;s cipher suite correspondence table</a>), which we also saw in the postfix log.</p>
  526. <p>Mission accomplished! :)</p>
  527. <p>Now, if we&#8217;re interested in avoiding certain ciphers and increase security level, we can e.g. get rid of the SEED, CAMELLIA and all anonymous ciphers, and could accept only TLS v1.2 + v1.3, by further adjusting postfix&#8217;s main.cf:</p>
  528. <pre>
  529. smtpd_tls_ciphers = high
  530. smtpd_tls_exclude_ciphers = aNULL CAMELLIA
  531. smtpd_tls_mandatory_ciphers = high
  532. smtpd_tls_mandatory_protocols = TLSv1.2 TLSv1.3
  533. smtpd_tls_protocols = TLSv1.2 TLSv1.3
  534. </pre>
  535. <p>Which would then gives us:</p>
  536. <pre>
  537. % testssl --cipher-per-proto -t=smtp mail.example.com:25
  538. [...]
  539.  
  540. Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
  541. -----------------------------------------------------------------------------------------------------------------------------
  542. SSLv2
  543. SSLv3
  544. TLS 1
  545. TLS 1.1
  546. TLS 1.2
  547. xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  548. xc028   ECDHE-RSA-AES256-SHA384           ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  549. xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  550. x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  551. xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  552. xccaa   DHE-RSA-CHACHA20-POLY1305         DH 2048    ChaCha20    256      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  553. xc0a3   DHE-RSA-AES256-CCM8               DH 2048    AESCCM8     256      TLS_DHE_RSA_WITH_AES_256_CCM_8
  554. xc09f   DHE-RSA-AES256-CCM                DH 2048    AESCCM      256      TLS_DHE_RSA_WITH_AES_256_CCM
  555. x6b     DHE-RSA-AES256-SHA256             DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  556. x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  557. x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384
  558. xc0a1   AES256-CCM8                       RSA        AESCCM8     256      TLS_RSA_WITH_AES_256_CCM_8
  559. xc09d   AES256-CCM                        RSA        AESCCM      256      TLS_RSA_WITH_AES_256_CCM
  560. x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256
  561. x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
  562. xc051   ARIA256-GCM-SHA384                RSA        ARIAGCM     256      TLS_RSA_WITH_ARIA_256_GCM_SHA384
  563. xc053   DHE-RSA-ARIA256-GCM-SHA384        DH 2048    ARIAGCM     256      TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
  564. xc061   ECDHE-ARIA256-GCM-SHA384          ECDH 253   ARIAGCM     256      TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
  565. xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  566. xc027   ECDHE-RSA-AES128-SHA256           ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  567. xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  568. x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  569. xc0a2   DHE-RSA-AES128-CCM8               DH 2048    AESCCM8     128      TLS_DHE_RSA_WITH_AES_128_CCM_8
  570. xc09e   DHE-RSA-AES128-CCM                DH 2048    AESCCM      128      TLS_DHE_RSA_WITH_AES_128_CCM
  571. xc0a0   AES128-CCM8                       RSA        AESCCM8     128      TLS_RSA_WITH_AES_128_CCM_8
  572. xc09c   AES128-CCM                        RSA        AESCCM      128      TLS_RSA_WITH_AES_128_CCM
  573. x67     DHE-RSA-AES128-SHA256             DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  574. x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  575. x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256
  576. x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256
  577. x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
  578. xc050   ARIA128-GCM-SHA256                RSA        ARIAGCM     128      TLS_RSA_WITH_ARIA_128_GCM_SHA256
  579. xc052   DHE-RSA-ARIA128-GCM-SHA256        DH 2048    ARIAGCM     128      TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
  580. xc060   ECDHE-ARIA128-GCM-SHA256          ECDH 253   ARIAGCM     128      TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
  581. TLS 1.3
  582. x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
  583. x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
  584. x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256
  585. </pre>
  586. <p>Don&#8217;t forget to also adjust the <em>smpt_tls_*</em> accordingly (for your sending side). For further information see <a href="https://www.postfix.org/TLS_README.html">the Postfix TLS Support documentation</a>. Also check out options like <a href="https://www.postfix.org/postconf.5.html#tls_ssl_options"><em>tls_ssl_options</em></a> (setting it to e.g. <em>NO_COMPRESSION</em>) and <a href="https://www.postfix.org/postconf.5.html#tls_preempt_cipherlist"><em>tls_preempt_cipherlist</em></a> (setting it to <em>yes</em> would prefer the servers&#8217; order of ciphers over clients).</p>
  587. <p><strong>Conclusions:</strong></p>
  588. <ul>
  589. <li>no matter what you change in your mail server settings, be aware that the type of your SSL certificate also matters for what ciphers are offered and used</li>
  590. <li>there are mail servers out there that don&#8217;t support SSL certificates with ECDSA, using RSA for those ensure better compatibility (nowadays postfix supports parallel usage of ECDSA <em>and</em> RSA keys BTW, check out the <a href="https://www.postfix.org/postconf.5.html#smtpd_tls_eccert_file"><em>smtpd_tls_eccert_file</em></a> + <a href="https://www.postfix.org/postconf.5.html#smtpd_tls_eckey_file"><em>smtpd_tls_eckey_file</em></a> options)</li>
  591. <li><a href="https://packages.debian.org/search?keywords=testssl.sh"><em>testssl</em></a> is a very useful tool, especially with its <em>&#8211;cipher-per-proto -t=smtp</em> option to check SMTP servers</li>
  592. <li>if you&#8217;re uncertain what&#8217;s going on, consider capturing network data (tshark/tcpdump/&#8230; are your friends)</li>
  593. <li>review your postfix configuration and logs every now and then :)</li>
  594. </ul>
  595. ]]></content:encoded>
  596. <wfw:commentRss>https://michael-prokop.at/blog/2023/09/25/postfix-failing-with-no-shared-cipher/feed/</wfw:commentRss>
  597. <slash:comments>1</slash:comments>
  598. </item>
  599. <item>
  600. <title>What to expect from Debian/bookworm #newinbookworm</title>
  601. <link>https://michael-prokop.at/blog/2023/06/11/what-to-expect-from-debian-bookworm-newinbookworm/</link>
  602. <pubDate>Sun, 11 Jun 2023 09:50:05 +0000</pubDate>
  603. <dc:creator><![CDATA[mika]]></dc:creator>
  604. <category><![CDATA[Computer]]></category>
  605. <category><![CDATA[Debian]]></category>
  606. <category><![CDATA[English]]></category>
  607. <category><![CDATA[Open Source]]></category>
  608.  
  609. <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6707</guid>
  610. <description><![CDATA[Debian v12 with codename bookworm was released as new stable release on 10th of June 2023. Similar to what we had with #newinbullseye and previous releases, now it&#8217;s time for #newinbookworm! I was the driving force at several of my customers to be well prepared for bookworm. As usual with major upgrades, there are some [&#8230;]]]></description>
  611. <content:encoded><![CDATA[<p><a href="https://wiki.debian.org/DebianArt/Themes/Emerald"><img src="/blog/img/debian_bookworm_banner.png" alt="Bookworm Banner, Copyright 2022 Juliette Taka" style="border: 0px; margin-right: 20px" align=left width=200px /></a></p>
  612. <p>Debian v12 with <a href="https://wiki.debian.org/DebianBookworm">codename bookworm</a> was released as new stable release <a href="https://www.debian.org/News/2023/20230610">on 10th of June 2023</a>. Similar to what we had with <a href="/blog/index.php?s=newinbullseye">#newinbullseye</a> and previous releases, now it&#8217;s time for <a href="/blog/index.php?s=newinbookworm">#newinbookworm</a>!</p>
  613. <p>I was the driving force at several of my customers to be well prepared for bookworm. As usual with major upgrades, there are some things to be aware of, and hereby I&#8217;m starting my public notes on bookworm that might be worth also for other folks. My focus is primarily on server systems and looking at things from a sysadmin perspective.</p>
  614. <h3>Further readings</h3>
  615. <p>As usual start at the <a href="https://www.debian.org/releases/bookworm/amd64/release-notes/index.en.html">official Debian release notes</a>, make sure to especially go through <a href="https://www.debian.org/releases/bookworm/amd64/release-notes/ch-whats-new.en.html">What&#8217;s new in Debian 12</a> + <a href="https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html">Issues to be aware of for bookworm</a>.</p>
  616. <h3>Package versions</h3>
  617. <p>As a starting point, let&#8217;s look at some selected packages and their versions in bullseye vs. bookworm as of 2023-02-10 (mainly having amd64 in mind):</p>
  618. <style>
  619.     table {
  620.         border: 1px solid;
  621.         border-collapse: collapse;
  622.         border-spacing: 20px;
  623.         empty-cells: show;
  624.         table-layout: fixed;
  625.      }
  626.      thead th {
  627.          position: -webkit-sticky;
  628.          position: sticky;
  629.          top: 0;
  630.      }
  631.      th {
  632.        background-color: #666;
  633.        color: #fff;
  634.      }
  635.      tr {
  636.        background-color: #fffbf0;
  637.        color: #000;
  638.      }
  639.      tr:nth-child(odd) {
  640.        background-color: #e4ebf2;
  641.      }
  642. </style>
  643. <table>
  644. <thead>
  645. <tr style="background-color: lightgrey; font-weight:bold">
  646. <th scope="col">Package</th>
  647. <th scope="col">bullseye/v11</th>
  648. <th scope="col">bookworm/v12</th>
  649. </tr>
  650. </thead>
  651. <tbody style="text-align:center">
  652. <tr>
  653. <td scope="row">ansible</td>
  654. <td>2.10.7</td>
  655. <td>2.14.3</td>
  656. </tr>
  657. <tr>
  658. <td scope="row">apache</td>
  659. <td>2.4.56</td>
  660. <td>2.4.57</td>
  661. </tr>
  662. <tr>
  663. <td scope="row">apt</td>
  664. <td>2.2.4</td>
  665. <td>2.6.1</td>
  666. </tr>
  667. <tr>
  668. <td scope="row">bash</td>
  669. <td>5.1</td>
  670. <td>5.2.15</td>
  671. </tr>
  672. <tr>
  673. <td scope="row">ceph</td>
  674. <td>14.2.21</td>
  675. <td>16.2.11</td>
  676. </tr>
  677. <tr>
  678. <td scope="row">docker</td>
  679. <td>20.10.5</td>
  680. <td>20.10.24</td>
  681. </tr>
  682. <tr>
  683. <td scope="row">dovecot</td>
  684. <td>2.3.13</td>
  685. <td>2.3.19</td>
  686. </tr>
  687. <tr>
  688. <td scope="row">dpkg</td>
  689. <td>1.20.12</td>
  690. <td>1.21.22</td>
  691. </tr>
  692. <tr>
  693. <td scope="row">emacs</td>
  694. <td>27.1</td>
  695. <td>28.2</td>
  696. </tr>
  697. <tr>
  698. <td scope="row">gcc</td>
  699. <td>10.2.1</td>
  700. <td>12.2.0</td>
  701. </tr>
  702. <tr>
  703. <td scope="row">git</td>
  704. <td>2.30.2</td>
  705. <td>2.39.2</td>
  706. </tr>
  707. <tr>
  708. <td scope="row">golang</td>
  709. <td>1.15</td>
  710. <td>1.19</td>
  711. </tr>
  712. <tr>
  713. <td scope="row">libc</td>
  714. <td>2.31</td>
  715. <td>2.36</td>
  716. </tr>
  717. <tr>
  718. <td scope="row">linux kernel</td>
  719. <td>5.10</td>
  720. <td>6.1</td>
  721. </tr>
  722. <tr>
  723. <td scope="row">llvm</td>
  724. <td>11.0</td>
  725. <td>14.0</td>
  726. </tr>
  727. <tr>
  728. <td scope="row">lxc</td>
  729. <td>4.0.6</td>
  730. <td>5.0.2</td>
  731. </tr>
  732. <tr>
  733. <td scope="row">mariadb</td>
  734. <td>10.5</td>
  735. <td>10.11</td>
  736. </tr>
  737. <tr>
  738. <td scope="row">nginx</td>
  739. <td>1.18.0</td>
  740. <td>1.22.1</td>
  741. </tr>
  742. <tr>
  743. <td scope="row">nodejs</td>
  744. <td>12.22</td>
  745. <td>18.13</td>
  746. </tr>
  747. <tr>
  748. <td scope="row">openjdk</td>
  749. <td>11.0.18 <em>+</em> 17.0.6</td>
  750. <td>17.0.6</td>
  751. </tr>
  752. <tr>
  753. <td scope="row">openssh</td>
  754. <td>8.4p1</td>
  755. <td>9.2p1</td>
  756. </tr>
  757. <tr>
  758. <td scope="row">openssl</td>
  759. <td>1.1.1n</td>
  760. <td>3.0.8-1</td>
  761. </tr>
  762. <tr>
  763. <td scope="row">perl</td>
  764. <td>5.32.1</td>
  765. <td>5.36.0</td>
  766. </tr>
  767. <tr>
  768. <td scope="row">php</td>
  769. <td>7.4+76</td>
  770. <td>8.2+93</td>
  771. </tr>
  772. <tr>
  773. <td scope="row">podman</td>
  774. <td>3.0.1</td>
  775. <td>4.3.1</td>
  776. </tr>
  777. <tr>
  778. <td scope="row">postfix</td>
  779. <td>3.5.18</td>
  780. <td>3.7.5</td>
  781. </tr>
  782. <tr>
  783. <td scope="row">postgres</td>
  784. <td>13</td>
  785. <td>15</td>
  786. </tr>
  787. <tr>
  788. <td scope="row">puppet</td>
  789. <td>5.5.22</td>
  790. <td>7.23.0</td>
  791. </tr>
  792. <tr>
  793. <td scope="row">python2</td>
  794. <td>2.7.18</td>
  795. <td>&#8211; (gone!)</td>
  796. </tr>
  797. <tr>
  798. <td scope="row">python3</td>
  799. <td>3.9.2</td>
  800. <td>3.11.2</td>
  801. </tr>
  802. <tr>
  803. <td scope="row">qemu/kvm</td>
  804. <td>5.2</td>
  805. <td>7.2</td>
  806. </tr>
  807. <tr>
  808. <td scope="row">ruby</td>
  809. <td>2.7+2</td>
  810. <td>3.1</td>
  811. </tr>
  812. <tr>
  813. <td scope="row">rust</td>
  814. <td>1.48.0</td>
  815. <td>1.63.0</td>
  816. </tr>
  817. <tr>
  818. <td scope="row">samba</td>
  819. <td>4.13.13</td>
  820. <td>4.17.8</td>
  821. </tr>
  822. <tr>
  823. <td scope="row">systemd</td>
  824. <td>247.3</td>
  825. <td>252.6</td>
  826. </tr>
  827. <tr>
  828. <td scope="row">unattended-upgrades</td>
  829. <td>2.8</td>
  830. <td>2.9.1</td>
  831. </tr>
  832. <tr>
  833. <td scope="row">util-linux</td>
  834. <td>2.36.1</td>
  835. <td>2.38.1</td>
  836. </tr>
  837. <tr>
  838. <td scope="row">vagrant</td>
  839. <td>2.2.14</td>
  840. <td>2.3.4</td>
  841. </tr>
  842. <tr>
  843. <td scope="row">vim</td>
  844. <td>8.2.2434</td>
  845. <td>9.0.1378</td>
  846. </tr>
  847. <tr>
  848. <td scope="row">zsh</td>
  849. <td>5.8</td>
  850. <td>5.9</td>
  851. </tr>
  852. </tbody>
  853. </table>
  854. <h3>Linux Kernel</h3>
  855. <p>The bookworm release ships a Linux kernel based on version <strong>6.1</strong>, whereas bullseye shipped kernel 5.10. As usual there are plenty of changes in the kernel area, including better hardware support, and this might warrant a separate blog entry, but to highlight some changes:</p>
  856. <ul>
  857. <li><a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=987f20a9dcce3989e48d87cff3952c095c994445">a.out support is gone</a></li>
  858. <li><a href="https://lwn.net/Articles/908347/">initial support for Rust</a></li>
  859. <li>lots of <a href="https://nick-black.com/dankwiki/index.php/Io_uring">io_uring</a> related improvements</li>
  860. <li>lots of <a href="https://lwn.net/Articles/847951/">BPF</a> improvements</li>
  861. <li>support for <a href="https://docs.kernel.org/6.1/x86/sgx.html">Intel Software Guard eXtensions (SGX)</a></li>
  862. <li><a href="https://lwn.net/Articles/837566/">ID mapping for mounted filesystems</a></li>
  863. <li><a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=459c7c565ac36ba09ffbf24231147f408fde4203">unprivileged overlayfs mounts</a> and <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3a761d72fa62eec8913e45d29375344f61706541">ID mapping in overlayfs</a></li>
  864. <li><a href="https://wiki.linux-nfs.org/wiki/index.php/NFS_re-export">NFS re-exporting</a> support</li>
  865. <li><a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed7bcdb374d20fab9e9dc36853a6735c047ad1b1">eager NFS writes</a> with <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a0492339fc70f1f7aa98f0cab55b78b0be124711">new <em>writes=lazy/eager/wait</em> mount options</a></li>
  866. <li><a href="https://lwn.net/Articles/703876/">Landlock security module</a></li>
  867. <li>initial <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2d5ce3fbef324295f7c210f29d724b44b5642cb2">support for Apple M2</a></li>
  868. <li>new <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a72232eabdfcfe365a05a3eb392288b78d25a5ca"><em>misc</em> cgroup</a> and new <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=661ee6280931548f7b3b887ad26a157474ae5ac4">cgroup.kill file</a></li>
  869. <li>new <a href="https://lwn.net/Articles/865256/">memfd_secret(2) system call</a></li>
  870. <li>new <a href="https://docs.kernel.org/filesystems/ntfs3.html">NTFS file system implementation</a></li>
  871. <li><a href="https://www.kernel.org/doc/html/latest/admin-guide/filesystem-monitoring.html">file system monitoring with fanotify</a></li>
  872. <li>lots of improvements around perf, including the new <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d450bc501fbdceb9d71663ba8192b72f01001bf1">daemon</a>, <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0f70d8e9db4f250f694a3befe88501027b1dc88e">kwork</a> and <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f9ed693e8bc0e7de9eb766a3c7178590e8bb6cd5">iostat</a> commands, and <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df936cadfb58ba93601ac351ab6fc2e2650cf591">JSON output option for <em>stat</em></a></li>
  873. </ul>
  874. <p>See <a href="https://kernelnewbies.org/LinuxChanges">Kernelnewbies.org</a> for further changes between kernel versions.</p>
  875. <h3>Configuration management</h3>
  876. <p><strong>puppet</strong>&#8216;s upstream sadly still doesn&#8217;t provide packages for bookworm (see <a href="https://tickets.puppetlabs.com/browse/PA-4995">PA-4995</a>), though Debian provides puppet-agent and puppetserver packages, and even puppetdb is back again, see <a href="https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#puppetserver">release notes for further information</a>.</p>
  877. <p><strong>ansible</strong> is also available and made it with version 2.14 into bookworm.</p>
  878. <h3>Prometheus stack</h3>
  879. <p><a href="https://prometheus.io/">Prometheus server</a> was updated from v2.24.1 to v2.42.0 and all the exporters that got shipped with bullseye are still around (in more recent versions of course).</p>
  880. <h3>Virtualization</h3>
  881. <p>docker (v20.10.24), ganeti (v3.0.2-3), libvirt (v9.0.0-4), lxc (v5.0.2-1), podman (v4.3.1), openstack (<a href="https://releases.openstack.org/zed/index.html">Zed</a>), qemu/kvm (v7.2), xen (v4.17.1) are all still around.</p>
  882. <p><strong>Vagrant</strong> is available in version 2.3.4, also <a href="https://www.vagrantup.com/">Vagrant upstream provides their packages for bookworm already</a>.</p>
  883. <p>If you&#8217;re relying on <strong>VirtualBox</strong>, be aware that upstream doesn&#8217;t provide packages for bookworm <em>yet</em> (see <a href="https://www.virtualbox.org/ticket/21524">ticket 21524</a>), but thankfully version 7.0.8-dfsg-2 is available from Debian/unstable (as of 2023-06-10) (VirtualBox isn&#8217;t shipped with stable releases since quite some time due to lack of cooperation from upstream on security support for older releases, see <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794466">#794466</a>).</p>
  884. <h3>rsync</h3>
  885. <p>rsync was updated from v3.2.3 to <a href="https://download.samba.org/pub/rsync/NEWS#3.2.7">v3.2.7</a>, and we got a few new options:</p>
  886. <ul>
  887. <li><code>--fsync</code>: fsync every written file</li>
  888. <li><code>--old-dirs</code>: works like &#8211;dirs when talking to old rsync</li>
  889. <li><code>--old-args</code>: disable the modern arg-protection idiom</li>
  890. <li><code>--secluded-args, -s</code>: use the protocol to safely send the args (replaces &#8211;protect-args option)</li>
  891. <li><code>--trust-sender</code>: trust the remote sender&#8217;s file list</li>
  892. </ul>
  893. <h3>OpenSSH</h3>
  894. <p>OpenSSH was updated from v8.4p1 to v9.2p1, so if you&#8217;re interested in all the changes, check out the release notes between those version (<a href="https://www.openssh.com/txt/release-8.5">8.5</a>, <a href="https://www.openssh.com/txt/release-8.6">8.6</a>, <a href="https://www.openssh.com/txt/release-8.7">8.7</a>, <a href="https://www.openssh.com/txt/release-8.8">8.8</a>, <a href="https://www.openssh.com/txt/release-8.9">8.9</a>, <a href="https://www.openssh.com/txt/release-9.0">9.0</a>, <a href="https://www.openssh.com/txt/release-9.1">9.1</a> + <a href="https://www.openssh.com/txt/release-9.2">9.2</a>). Let&#8217;s highlight some notable new features:</p>
  895. <ul>
  896. <li>new system for restricting forwarding and use of keys added to ssh-agent(1), see <a href="https://www.openssh.com/agent-restrict.html">SSH agent restriction for details</a>)</li>
  897. <li>switched scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default (see <a href="https://www.openssh.com/txt/release-9.0">release notes for v9.0 for details</a> </li>
  898. <li>ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key</li>
  899. <li>ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys</li>
  900. <li>ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files</li>
  901. <li>ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length</li>
  902. <li>ssh(1): add a &#8220;host&#8221; line to the output of ssh -G showing the original hostname argument</li>
  903. <li>ssh-keygen -A (generate all default host key types) will no longer generate DSA keys</li>
  904. <li>ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. <em>ssh-keyscan 192.168.0.0/24</em></li>
  905. </ul>
  906. <p>One important change you might wanna be aware of is that as of <a href="https://www.openssh.com/txt/release-8.8">OpenSSH v8.8</a>, <strong>RSA signatures using the SHA-1 hash algorithm got disabled by default</strong>, but RSA/SHA-256/512 AKA RSA-SHA2 gets used instead. OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since <a href="https://www.openssh.com/txt/release-7.2">release 7.2</a> and existing ssh-rsa keys will automatically use the stronger algorithm where possible. A good overview is also available at <a href="https://www.jhanley.com/blog/ssh-signature-algorithm-ssh-rsa-error/">SSH: Signature Algorithm ssh-rsa Error</a>.</p>
  907. <p>Now tools/libraries not supporting RSA-SHA2 fail to connect to OpenSSH as present in bookworm. For example python3-paramiko v2.7.2-1 as present in bullseye doesn&#8217;t support RSA-SHA2. It tries to connect using the deprecated RSA-SHA-1, which is no longer offered by default with OpenSSH as present in bookworm, and then fails. Support for RSA/SHA-256/512 signatures in Paramiko was requested e.g. at <a href="https://github.com/paramiko/paramiko/issues/1734">#1734</a>, and eventually got <a href="https://github.com/paramiko/paramiko/commit/2b66625659e66858cb5f557325c5fdd9c35fd073">added to Paramiko</a> and in the end the change made it into Paramiko versions >=2.9.0. Paramiko in bookworm works fine, and a backport by rebuilding the python3-paramiko package from bookworm for bullseye solves the problem (<abbr title="Been There, Done That">BTDT</abbr>).</p>
  908. <h3>Misc unsorted</h3>
  909. <ul>
  910. <li>new <strong>non-free-firmware</strong> component/repository (see <a href="https://wiki.debian.org/Firmware#Debian_12_.28bookworm.29_and_later">Debian Wiki</a> for details)</li>
  911. <li>support only the <strong>merged-usr</strong> root filesystem layout (see <a href="https://wiki.debian.org/UsrMerge">Debian Wiki</a> for details)</li>
  912. <li>the <strong>asterisk</strong> package didn&#8217;t make it into bookworm (see <a href="https://bugs.debian.org/1031046">#1031046</a>)</li>
  913. <li><strong>e2fsprogs</strong>: the breaking change related to <em>metadata_csum_seed</em> and <em>orphan_file</em> (see <a href="https://bugs.debian.org/1031325">#1031325</a>) was reverted with v1.47.0-2 for bookworm (also see <a href="https://bugs.debian.org/#1031622">#1031622</a> + <a href="https://bugs.debian.org/#1030939">#1030939</a>)</li>
  914. <li><strong>rsnapshot</strong> is back again (see <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986709">#986709</a>)</li>
  915. <li><em>crmadmin</em> of <strong>pacemaker</strong> no longer interprets the timeout option (-t/&#8211;timeout) in <em>milliseconds</em> (as it used to be until v2.0.5), but as of v2.1.0 (and v2.1.5 is present in bookworm) it now <a href="https://github.com/ClusterLabs/pacemaker/commit/c26c9951d863e83126f811ee5b91a174fe0cc991">interprets the argument as <em>second</em></a> by default</li>
  916. </ul>
  917. <p>Thanks to everyone involved in the release, happy upgrading to bookworm, and let&#8217;s continue with working towards <a href="https://wiki.debian.org/DebianTrixie">Debian/trixie</a>. :)</p>
  918. ]]></content:encoded>
  919. </item>
  920. <item>
  921. <title>HTU Bigband Konzert am 27.06.2023</title>
  922. <link>https://michael-prokop.at/blog/2023/06/02/htu-bigband-konzert-am-27-06-2023/</link>
  923. <pubDate>Fri, 02 Jun 2023 15:35:04 +0000</pubDate>
  924. <dc:creator><![CDATA[mika]]></dc:creator>
  925. <category><![CDATA[Allgemein]]></category>
  926. <category><![CDATA[Events]]></category>
  927.  
  928. <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6757</guid>
  929. <description><![CDATA[Die HTU Bigband ist zurück! Am 27. Juni 2023 findet im Innenhof der TU Graz (Alte Technik, Rechbauerstraße 12, 8010 Graz) das nächste Konzert statt (bei Schlechtwetter geht es in den Hörsaal 2, der ebenfalls an der gleichen Adresse ist). Mit einem fulminanten Programm von Swing, über Soul, Funk, Latin bis Pop ist alles dabei [&#8230;]]]></description>
  930. <content:encoded><![CDATA[<p><a href="/blog/img/htu-bigband-concert-2023-06-27.jpg"><img src="/blog/img/htu-bigband-concert-2023-06-27-small.jpg" alt="Plakat für das HTU Bigband-Konzert am 27.06.2023" style="border: 0px; margin-right: 20px" align=left /></a></p>
  931. <p>Die HTU Bigband ist zurück! Am 27. Juni 2023 findet im Innenhof der TU Graz (<a href="https://www.openstreetmap.org/#map=19/47.06894/15.44980">Alte Technik, Rechbauerstraße 12, 8010 Graz</a>) das nächste Konzert statt (bei Schlechtwetter geht es in den Hörsaal 2, der ebenfalls an der gleichen Adresse ist). Mit einem fulminanten Programm von Swing, über Soul, Funk, Latin bis Pop ist alles dabei &#8211; es gibt über 2 Stunden Musik vom Feinsten, und das Ganze bei freiem Eintritt.</p>
  932. <p>Für diejenigen mit Facebook-Account unter euch gibt es auch das passende <a href="https://www.facebook.com/events/623929286327453/">Facebook-Event</a>.</p>
  933. <p>Ich bin als Schlagzeuger und Percussionist mit von der Partie und würde mich über bekannte Gesichter freuen, ich hoffe man sieht und hört sich! 8-)</p>
  934. ]]></content:encoded>
  935. </item>
  936. <item>
  937. <title>Vortrag: Debugging für Sysadmins @ GLT23</title>
  938. <link>https://michael-prokop.at/blog/2023/04/16/vortrag-debugging-fur-sysadmins-glt23/</link>
  939. <pubDate>Sun, 16 Apr 2023 08:39:55 +0000</pubDate>
  940. <dc:creator><![CDATA[mika]]></dc:creator>
  941. <category><![CDATA[Computer]]></category>
  942. <category><![CDATA[Events]]></category>
  943.  
  944. <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6748</guid>
  945. <description><![CDATA[Auf den Grazer Linuxtagen 2023 (GLT23) war ich als Referent mit einem Vortrag zum Thema &#8220;Debugging für Sysadmins&#8221; vertreten. In meinem Vortrag gibt es einen Überblick, welche Tools und Strategien rund ums Debugging in der Toolbox von Sysadmins nicht fehlen dürfen. Es gibt den Vortrag dank des wunderbaren c3voc-Teams bereits als Videomitschnitt online. Meine Vortragsfolien [&#8230;]]]></description>
  946. <content:encoded><![CDATA[<p>Auf den <a href="https://www.linuxtage.at/">Grazer Linuxtagen 2023</a> (GLT23) war ich als Referent mit einem Vortrag zum Thema &#8220;<a href="https://pretalx.linuxtage.at/glt23/talk/JHCGUX/">Debugging für Sysadmins</a>&#8221; vertreten. In meinem Vortrag gibt es einen Überblick, welche Tools und Strategien rund ums Debugging in der Toolbox von Sysadmins nicht fehlen dürfen.</p>
  947. <p>Es gibt den Vortrag dank des wunderbaren c3voc-Teams bereits als <a href="https://media.ccc.de/v/glt23-334-debugging-fr-sysadmins">Videomitschnitt online</a>. Meine <a href="http://michael-prokop.at/slides/glt23_debugging-fuer-sysadmins.pdf">Vortragsfolien (1.2MB, PDF)</a> stehen ebenfalls online zur Verfügung. Viel Spaß beim Anschauen!</p>
  948. <p>BTW: weil ich schon mehrfach gefragt wurde, den Vortrag gibt es auch in längerer Workshop-Version, bei Interesse <a href="https://michael-prokop.at/">einfach bei mir melden</a>.</p>
  949. ]]></content:encoded>
  950. </item>
  951. <item>
  952. <title>Automatically unlocking a LUKS encrypted root filesystem during boot</title>
  953. <link>https://michael-prokop.at/blog/2023/03/22/automatically-unlocking-a-luks-encrypted-root-filesystem-during-boot/</link>
  954. <comments>https://michael-prokop.at/blog/2023/03/22/automatically-unlocking-a-luks-encrypted-root-filesystem-during-boot/#comments</comments>
  955. <pubDate>Wed, 22 Mar 2023 12:30:57 +0000</pubDate>
  956. <dc:creator><![CDATA[mika]]></dc:creator>
  957. <category><![CDATA[Computer]]></category>
  958. <category><![CDATA[Debian]]></category>
  959. <category><![CDATA[English]]></category>
  960.  
  961. <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6711</guid>
  962. <description><![CDATA[Update on 2023-03-23: thanks to Daniel Roschka for mentioning the Mandos and TPM approaches, which might be better alternatives, depending on your options and needs. Peter Palfrader furthermore pointed me towards clevis-initramfs and tang. A customer of mine runs dedicated servers inside a foreign data-center, remote hands only. In such an environment you might need [&#8230;]]]></description>
  963. <content:encoded><![CDATA[<p><strong>Update on 2023-03-23:</strong> thanks to Daniel Roschka for mentioning the <a href="https://www.recompile.se/mandos">Mandos</a> and <a href="https://micwan88.github.io/linux/ubuntu/luks/tpm/encryption/2021/05/03/auto-unlock-luks-volume-by-tpm2.html">TPM</a> approaches, which might be better alternatives, depending on your options and needs. Peter Palfrader furthermore pointed me towards <a href="https://packages.debian.org/bookworm/clevis-initramfs">clevis-initramfs</a> and <a href="https://github.com/latchset/tang">tang</a>.</p>
  964. <p>A customer of mine runs dedicated servers inside a foreign data-center, remote hands only. In such an environment you might need a disk replacement because you need bigger or faster disks, though also a disk might (start to) fail and you need a replacement. One has to be prepared for such a scenario, but fully wiping your used disk then might not always be an option, especially once disks (start to) fail. On the other hand you don&#8217;t want to end up with (partial) data on your disk handed over to someone unexpected.</p>
  965. <p>By encrypting the data on your disks upfront you can prevent against this scenario. But if you have a fleet of servers you might not want to manually jump on servers during boot and unlock crypto volumes <em>manually</em>. It&#8217;s especially annoying if it&#8217;s about the root filesystem where a solution like <a href="https://packages.debian.org/stable/dropbear-initramfs">dropbear-initramfs</a> needs to be used for remote access during initramfs boot stage. So my task for the customer was to adjust encrypted LUKS devices such that no one needs to manually unlock the encrypted device during server boot (with some specific assumptions about possible attack vectors one has to live with, see the disclaimer at the end).</p>
  966. <p>The documentation about this use-case was rather inconsistent, especially because special rules apply for the root filesystem (no key file usage), we see different behavior between what&#8217;s supported by systemd (hello key file again), initramfs-tools and dracut, not to mention the changes between different distributions. Since tests with this tend to be rather annoying (better make sure to have a <a href="https://grml.org/">Grml</a> live system available :)), I&#8217;m hereby documenting what worked for us (Debian/bullseye with initramfs-tools and cryptsetup-initramfs).</p>
  967. <p>The system was installed with LVM on-top of an encrypted Software-RAID device, only the /boot partition is unencrypted. But even if you don&#8217;t use Software-RAID nor LVM the same instructions apply. The system looks like this:</p>
  968. <pre>
  969. % mount -t ext4 -l
  970. /dev/mapper/foobar-root_1 on / type ext4 (rw,relatime,errors=remount-ro)
  971.  
  972. % sudo pvs
  973.  PV                    VG     Fmt  Attr PSize   PFree
  974.  /dev/mapper/md1_crypt foobar lvm2 a--  445.95g 430.12g
  975.  
  976. % sudo vgs
  977.  VG     #PV #LV #SN Attr   VSize   VFree
  978.  foobar   1   2   0 wz--n- 445.95g 430.12g
  979.  
  980. % sudo lvs
  981.  LV     VG     Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  982.  root_1 foobar -wi-ao---- &lt;14.90g
  983.  
  984. % lsblk
  985. NAME                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
  986. [...]
  987. sdd                     8:48   0 447.1G  0 disk
  988. &#9500;&#9472;sdd1                  8:49   0   571M  0 part  /boot/efi
  989. &#9500;&#9472;sdd2                  8:50   0   488M  0 part
  990. &#9474; &#9492;&#9472;md0                 9:0    0   487M  0 raid1 /boot
  991. &#9492;&#9472;sdd3                  8:51   0 446.1G  0 part
  992.  &#9492;&#9472;md1                 9:1    0   446G  0 raid1
  993.    &#9492;&#9472;md1_crypt       253:0    0   446G  0 crypt
  994.      &#9500;&#9472;foobar-root_1 253:1    0  14.9G  0 lvm   /
  995. [...]
  996. sdf                     8:80   0 447.1G  0 disk
  997. &#9500;&#9472;sdf1                  8:81   0   571M  0 part
  998. &#9500;&#9472;sdf2                  8:82   0   488M  0 part
  999. &#9474; &#9492;&#9472;md0                 9:0    0   487M  0 raid1 /boot
  1000. &#9492;&#9472;sdf3                  8:83   0 446.1G  0 part
  1001.  &#9492;&#9472;md1                 9:1    0   446G  0 raid1
  1002.    &#9492;&#9472;md1_crypt       253:0    0   446G  0 crypt
  1003.      &#9500;&#9472;foobar-root_1 253:1    0  14.9G  0 lvm   /
  1004. </pre>
  1005. <p>The actual crypsetup configuration is:</p>
  1006. <pre>
  1007. % cat /etc/crypttab
  1008. md1_crypt UUID=77246138-b666-4151-b01c-5a12db54b28b none luks,discard
  1009. </pre>
  1010. <p>Now, to automatically open the crypto device during boot we can instead use:</p>
  1011. <pre>
  1012. % cat /etc/crypttab
  1013. md1_crypt UUID=77246138-b666-4151-b01c-5a12db54b28b none luks,discard,keyscript=/etc/initramfs-tools/unlock.sh
  1014.  
  1015. # touch /etc/initramfs-tools/unlock.sh
  1016. # chmod 0700 /etc/initramfs-tools/unlock.sh
  1017. # $EDITOR etc/initramfs-tools/unlock.sh
  1018. # cat /etc/initramfs-tools/unlock.sh
  1019. #!/bin/sh
  1020. echo -n "provide_the_actual_password_here"
  1021.  
  1022. # update-initramfs -k all -u
  1023. [...]
  1024. </pre>
  1025. <p>The server will then boot <em>without</em> prompting for a crypto password.</p>
  1026. <p>Note that initramfs-tools by default uses an insecure umask of 0022, resulting in the initrd being accessible to everyone. But if you have the dropbear-initramfs package installed, its `<em>/usr/share/initramfs-tools/conf-hooks.d/dropbear</em>` sets `<em>UMASK=0077</em>`, so the resulting /boot/initrd* file should automatically have proper permissions (0600). The cryptsetup hook warns about a permissive umask configuration during update-initramfs runs, but if you want to be sure, explicitly set it via e.g.:</p>
  1027. <pre>
  1028. # cat > /etc/initramfs-tools/conf.d/umask &lt;&lt; EOF
  1029. # restrictive umask to avoid non-root access to initrd:
  1030. UMASK=0077
  1031. EOF
  1032. # update-initramfs -k all -u
  1033. </pre>
  1034. <p><strong>Disclaimer:</strong> Of course you need to trust users with access to <em>/etc/initramfs-tools/unlock.sh</em> as well as the initramfs/initrd on your system. Furthermore you should wipe the boot partition (to destroy the keyfile information) before handing over such a disk. But that is a risk my customer can live with, <abbr title="Your Mileage May Vary">YMMV</abbr>.</p>
  1035. ]]></content:encoded>
  1036. <wfw:commentRss>https://michael-prokop.at/blog/2023/03/22/automatically-unlocking-a-luks-encrypted-root-filesystem-during-boot/feed/</wfw:commentRss>
  1037. <slash:comments>2</slash:comments>
  1038. </item>
  1039. <item>
  1040. <title>Mein Lesejahr 2022</title>
  1041. <link>https://michael-prokop.at/blog/2023/01/03/mein-lesejahr-2022/</link>
  1042. <pubDate>Tue, 03 Jan 2023 17:11:13 +0000</pubDate>
  1043. <dc:creator><![CDATA[mika]]></dc:creator>
  1044. <category><![CDATA[Allgemein]]></category>
  1045. <category><![CDATA[Bücher & CO]]></category>
  1046.  
  1047. <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6614</guid>
  1048. <description><![CDATA[Ich habe 2022 keine Bookdumps geschrieben, weil es mir einerseits zu viel Aufwand war, andererseits wollte ich mir auch nicht immer bzw. zeitnahe zu jedem Buch eine Meinung bilden (müssen). 2022 war aus verschiedenen Gründen intensiv, daher habe ich meine Lese-Gewohnheit von 2021 nicht ganz halten können, aber schlussendlich sind es doch 82 Bücher (ca. [&#8230;]]]></description>
  1049. <content:encoded><![CDATA[<p><img src="/blog/img/buecher_2022.jpg" alt="Foto der hier vorgestellten Bücher" style="border: 0px; margin-right: 20px" align=left width=200px /></p>
  1050. <p>Ich habe 2022 keine <a href="/blog/index.php?s=bookdump">Bookdumps</a> geschrieben, weil es mir einerseits zu viel Aufwand war, andererseits wollte ich mir auch nicht immer bzw. zeitnahe zu jedem Buch eine Meinung bilden (müssen). 2022 war aus verschiedenen Gründen intensiv, daher habe ich meine Lese-Gewohnheit von 2021 nicht ganz halten können, aber schlussendlich sind es doch 82 Bücher (ca. 19k Seiten) geworden.</p>
  1051. <p>Im Gegensatz zu den Vorjahren habe ich diesmal <em>nicht</em> auf das Verhältnis von Autorin zu Autor geachtet, und entsprechend sind es leider auch nur 27 Autorinnen zu 55 Autoren geworden. Ich bin leider noch immer ziemlich schlecht beim Abbrechen von Büchern, aber es waren fast alle Bücher gut. Daher hier nur eine kleine Auswahl jener Bücher, die ich besonders lesenswert fand bzw. empfehlen möchte (die Reihenfolge entspricht dem Foto und stellt keinerlei Reihung oder dergleichen dar):</p>
  1052. <ul>
  1053. <li><a href="https://www.rowohlt.de/buch/dirk-stermann-maksym-9783498002671"><strong>Maksym</strong>, Dirk Stermann</a>. Ein wichtiges Thema (Aufteilung der Kinderbetreuung) ist hier in eine unterhaltsam zu lesende Autofiktion verpackt. Das Buch hat meinen Humor im Sommerurlaub perfekt getroffen und wer mit kabarettistischem Humor kein Problem hat, sollte hier nicht enttäuscht werden.</li>
  1054. <li><a href="https://hoffmann-und-campe.de/products/59396-muell"><strong>Müll (Brenner #9)</strong>, Wolf Haas</a>. Ich hatte zuvor noch kein Buch von Haas gelesen, weil ich einmal den Spruch &#8220;wenn man nicht weiß was man lesen soll greift man zu Haas&#8221; aufgeschnappt habe und mich damit nicht angesprochen fühlte. Großer Fehler, Hilfsausdruck. Auf Empfehlung von Daniela Strigl hin habe ich mir den neuesten Brenner-Roman von Haas besorgt und fühlte mich total abgeholt. Ich habe darauf hin gleich weitere Bücher von Haas gelesen. Danke für den Stupser, Frau Strigl.</li>
  1055. <li><a href="https://www.droschl.com/buch/eine-runde-sache/"><strong>Eine runde Sache</strong>, Tomer Gardi</a>. Zwei Geschichten in einem Buch die miteinander lose verbunden sind &#8211; zuerst eine Odyssee mit einem Schäferhund in gebrochenem Deutsch, dann die Lebensgeschichte des indonesischen Malers Raden Saleh von Java. Danke für die Empfehlung, Insa Wilke.</li>
  1056. <li><a href="https://www.suhrkamp.de/buch/benjamin-labatut-das-blinde-licht-t-9783518429228"><strong>Das blinde Licht</strong>, Benjamín Labatut</a>. In vier Geschichten erzählt Benjamín Labatut vom schmalen Grat zwischen Genie und Wahnsinn, von menschlicher Hybris und der zwiespältigen Kraft der Wissenschaft. Ein wunderbares Buch, das ich nur aufs Wärmste weiterempfehlen kann.</li>
  1057. <li><a href="https://www.residenzverlag.com/buch/die-verschissene-zeit"><strong>Die verschissene Zeit</strong>, Barbi Markovi&#263;</a>. Ein wunderbarer popkultureller Ausflug in das Belgrad der Neunziger.</li>
  1058. <li><a href="https://www.suhrkamp.de/buch/rachel-cusk-coventry-t-9783518225318"><strong>Coventry: Essays</strong>, Rachel Cusk</a>. Unaufgeregte Beobachtungen des Alltags die zum Denken anregen. Ich bin leider erst im Nachhinein drauf gekommen, dass die deutsche Übersetzung wohl um einige Kapitel gekürzt ist, sprachlich hat mich die deutsche Ausgabe trotzdem absolut abgeholt.</li>
  1059. <li><a href="https://www.kiwi-verlag.de/buch/david-foster-wallace-das-hier-ist-wasser-this-is-water-9783462044188"><strong>Das hier ist Wasser / This is water</strong>, David Foster Wallace</a>. Ein 64 Seiten schlankes Buch, das im ersten Teil die deutsche Übersetzung und im zweiten Teil das englische Original beinhaltet. Inspirierende Gedanken rund um Bildung, Denken und Leben.</li>
  1060. <li><a href="https://www.dumont-buchverlag.de/buch/leky-kummer-aller-art-9783832182168/"><strong>Kummer aller Art</strong>, Mariana Leky</a>. Mir war noch Lekys &#8220;<em>Was man von hier aus sehen kann</em>&#8221; in guter Erinnerung, hatte die Autorin aber irgendwie aus den Augen verloren. Dieses Buch war ein Weihnachtsgeschenk an mich &#8211; und wow, was für ein Volltreffer. Ein fantastisches Buch, ich habe mir umgehend weitere Bücher von Mariana Leky besorgt. Klare Leseempfehlung.</li>
  1061. <li><a href="https://www.reclam.de/detail/978-3-15-014211-0/Twain__Mark/Was_ist_der_Mensch_"><strong>Was ist der Mensch? Ein Gespräch über die Welt und Gott</strong>, Mark Twain</a>. Ein philosophisches Zwiegespräch über den freien Willen des Menschen. Sehr anregend, danke für die Empfehlung, Darsha.</li>
  1062. <li><a href="https://www.penguinrandomhouse.de/Taschenbuch/Herr-Lehmann/Sven-Regener/Goldmann/e96191.rhd"><strong>Herr Lehmann (Frank Lehmann #1)</strong>, Sven Regener</a>. Das Buch wurde <a href="https://de.wikipedia.org/wiki/Herr_Lehmann">2001 veröffentlicht und 2003 verfilmt</a>, hat es aber erst 2022 auf mein Buchregal geschafft. Für mich hat sich in der Sommerzeit mit diesem Buch ein wunderbarer Lesesog ergeben, ich habe daraufhin gleich weitere Bücher von Regener besorgt und gelesen.</li>
  1063. <li><a href="https://www.chbeck.de/orwell-reise-ruinen/product/32447680"><strong>Reise durch Ruinen</strong>, George Orwell.</a> Orwell folgte als Kriegsberichterstatter den alliierten Streitkräften durch Deutschland und Österreich. Naturgemäß keine leichte Kost.</li>
  1064. <li><a href="https://en.wikipedia.org/wiki/On_Writing:_A_Memoir_of_the_Craft"><strong>On Writing: A Memoir of the Craft</strong>, Stephen King</a>. Dank eines Geburtstagsgeschenks (thx, Kathi + Karl!) habe ich 2022 endlich den Kosmos &#8220;Stephen King&#8221; betreten. Sprachlich hat mich in &#8220;<em>Finderlohn</em>&#8220;, der deutschen Ausgabe von &#8220;<em>Finders Keepers</em>&#8221; aber irgendetwas irritiert, ohne es wirklich benennen zu können. Im Zuge des Lesens von &#8220;<em>On Writing: A Memoir of the Craft</em>&#8221; habe ich stellenweise das <a href="https://en.wikipedia.org/wiki/On_Writing:_A_Memoir_of_the_Craft">englischsprachige Original</a> mit dessen deutscher Übersetzung &#8220;<a href="https://de.wikipedia.org/wiki/Das_Leben_und_das_Schreiben">Das Leben und das Schreiben</a>&#8221; verglichen und festgestellt, dass ich den &#8220;englischen King&#8221; <em>unvergleichlich</em> lesenswerter empfinde. Dieses Buch gibt einen lesenswerten Einblick in den Werdegang von King und seinem Zugang zum Schreiben. Und ich möchte hier ganz klar für die englische Ausgabe dieses Buches werben.</li>
  1065. </ul>
  1066. ]]></content:encoded>
  1067. </item>
  1068. <item>
  1069. <title>RIP, Sven Guckes</title>
  1070. <link>https://michael-prokop.at/blog/2022/02/26/rip-sven-guckes/</link>
  1071. <comments>https://michael-prokop.at/blog/2022/02/26/rip-sven-guckes/#comments</comments>
  1072. <pubDate>Sat, 26 Feb 2022 08:51:52 +0000</pubDate>
  1073. <dc:creator><![CDATA[mika]]></dc:creator>
  1074. <category><![CDATA[Allgemein]]></category>
  1075. <category><![CDATA[Computer]]></category>
  1076. <category><![CDATA[Debian-German]]></category>
  1077. <category><![CDATA[Open Source]]></category>
  1078.  
  1079. <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6442</guid>
  1080. <description><![CDATA[Die älteste mir zugängliche Mail von Sven Guckes direkt an mich stammt aus dem Jahr 2002, und startet seinerseits mit: eine dokumentierte loesung &#8211; das ist prima! :-) Natürlich ging es um: Vim. Viele Mails unter anderem zum Kunsthaus Graz, den Chemnitzer Linux-Tagen, den Grazer Linuxtagen (GLT) und seinem Geek Brunch sollten folgen. Unvergessen bleibt [&#8230;]]]></description>
  1081. <content:encoded><![CDATA[<p>Die älteste mir zugängliche Mail von Sven Guckes direkt an mich stammt aus dem Jahr 2002, und startet seinerseits mit:</p>
  1082. <blockquote><p>eine dokumentierte loesung &#8211; das ist prima! :-)</p></blockquote>
  1083. <p>Natürlich ging es um: Vim. Viele Mails unter anderem zum <a href="https://lists.infodrom.org/debian-events-de/2004/0967.html">Kunsthaus Graz</a>, den <a href="https://chemnitzer.linux-tage.de/">Chemnitzer Linux-Tagen</a>, den <a href="https://www.linuxtage.at/">Grazer Linuxtagen</a> (GLT) und seinem Geek Brunch sollten folgen.</p>
  1084. <p>Unvergessen bleibt mir unser Ausflug 2003 zu den Chemnitzer Linux-Tagen mit dem von ihm organisierten Bustransfer aus Berlin. Sven hat netterweise meine Freunde Karl, Thorsten und mich in seiner Wohnung in Berlin gehostet. Einzigartig war Svens Berlin-Führung, von der mir speziell sein mehrfaches &#8220;<em>ist gleich ums Eck!</em>&#8221; gut in Erinnerung geblieben ist. (Wer das nicht kennt: das war Svens Euphemismus für einen Spaziergang von mehreren Kilometern.)</p>
  1085. <p>Ich habe Sven dann weiterhin regelmäßig bei den Chemnitzer Linuxtagen, sowie besonders auf den &#8211; von mir mitorganisierten &#8211; Grazer Linuxtagen getroffen. Sven konnte dabei für Event-Organisatoren schon auch mal eine Herausforderung sein, er war aber trotzdem immer eine Bereicherung. Svens Sonntags-Brunch war ebenso legendär wie seine Feature-Shows (siehe z.B. <a href="https://metalab.at/wiki/VIM_Feature_Show_(Sven_Guckes)">Vim Feature Show</a>), oder auch seine späteren <a href="https://showtell.it/">&#8220;show+tell&#8221;-Events</a>.</p>
  1086. <p>Technisch hatte ich mit Sven viele Anknüpfungspunkte, von centericq und irssi, über mutt und slrn, bis hin zu screen, vim und zsh. Wir haben zum Thema Texttools 2004 sogar gemeinsam Workshops auf den Grazer Linuxtagen und der KDE Community World Summit 2004 gehalten. Sein Enthusiasmus war im besten Sinne des Wortes ansteckend, seine Geduld und sein Umgang mit Newbies kann für uns alle nur ein Vorbild sein. Aber auch mit Nicht-Techies konnte sich Sven wunderbar unterhalten. Sven war neugierig und hilfsbereit, tolerant aber speziell auch verbindend und ein Menschenfreund. Ich habe viele Bekannte und Freunde dank Sven kennengelernt, und wenn ich mir heute alte Bildergalerien durchschaue, wird mir wieder bewusst, wie viel Einfluss Sven auf mich und mein Umfeld hatte. </p>
  1087. <p>Mein nach wie vor verwendetes Mailsetup mit mutt ist mittlerweile über 20 Jahre alt, und noch heute finden sich Schnipsel von Sven in meinen Konfigurationsdateien. Sven ist nach wie vor in der <a href="https://github.com/grml/grml-etc/blob/67a839b0139c385bbb60513facac4d6f867aa6d1/etc/skel/.muttrc#L8">muttrc von Grml</a> vertreten, und exakt am Abend des 20.02.2022 habe ich zur muttrc von Grml eine Mail von einem Anwender erhalten, kurz bevor Sven uns leider für immer verlassen hat. :( Meine vimrc hat noch immer jede Menge <em>iab</em>-Einträge, die ich damals gemeinsam mit Sven erstellt habe. Sven hatte großen Einfluss auf <a href="https://github.com/grml/grml.org/blob/cd3b68d/zsh/zsh-lovers.1.txt#L1497">zsh-lovers</a>, aber generell auch auf das gesamte <a href="https://grml.org/">Grml</a>-Projekt (siehe dazu übrigens sein wunderbares <a href="https://zshbuch.org/">Zsh-Buch</a> gemeinsam mit Julius Plenz.)</p>
  1088. <p>Svens Leidenschaft für freie Software und die Arbeit mit der Kommandozeile haben mich geprägt, er hatte maßgeblichen Einfluss darauf, wer ich heute bin. Er bleibt mir als Lebenskünstler und Freigeist mit rotem Schal in Erinnerung.</p>
  1089. <p>Svens letzte Mail an mich endet übrigens so:</p>
  1090. <blockquote><p>
  1091. joa.. xundheit hat prio!<br />
  1092. denn die beste krankheit nutzt nix. ;)</p>
  1093. <p>euch allen ebenfalls alles gute.<br />
  1094. auf ein wiedersehen bei den glt22!
  1095. </p></blockquote>
  1096. <p>:wq</p>
  1097. ]]></content:encoded>
  1098. <wfw:commentRss>https://michael-prokop.at/blog/2022/02/26/rip-sven-guckes/feed/</wfw:commentRss>
  1099. <slash:comments>1</slash:comments>
  1100. </item>
  1101. <item>
  1102. <title>Revisiting 2021</title>
  1103. <link>https://michael-prokop.at/blog/2022/01/12/revisiting-2021/</link>
  1104. <pubDate>Wed, 12 Jan 2022 17:30:11 +0000</pubDate>
  1105. <dc:creator><![CDATA[mika]]></dc:creator>
  1106. <category><![CDATA[Allgemein]]></category>
  1107. <category><![CDATA[Debian]]></category>
  1108. <category><![CDATA[English]]></category>
  1109. <category><![CDATA[General]]></category>
  1110.  
  1111. <guid isPermaLink="false">https://michael-prokop.at/blog/?p=5543</guid>
  1112. <description><![CDATA[Uhm yeah, so this shirt didn&#8217;t age well. :) Mainly to recall what happened, I\x92m once again revisiting my previous year (previous edition: 2020). 2021 was quite challenging overall. It started with four weeks of distance learning at school. Luckily at least at school things got back to &#34;some kind of normal&#34; afterwards. The lockdowns [&#8230;]]]></description>
  1113. <content:encoded><![CDATA[<p><img src="/blog/img/revisiting_2020.jpg" alt="*" style="border: 0px; margin-right: 20px" align="left" /></p>
  1114. <p>Uhm yeah, so this shirt didn&#8217;t age well. :) Mainly to recall what happened, I\x92m once again revisiting my previous year (previous edition: <a href="/blog/2021/01/16/revisiting-2020/">2020</a>).</p>
  1115. <p>2021 was quite challenging overall. It started with four weeks of distance learning at school. Luckily at least at school things got back to &quot;some kind of normal&quot; afterwards. The lockdowns turned out to be an excellent opportunity for practising <a href="https://www.geocaching.com/">Geocaching</a> though, and that&#8217;s what I started to do with my family. It&#8217;s a great way to grab some fresh air, get to know new areas, and spend time with family and friends &#8211; I plan to continue doing this. :)</p>
  1116. <p> We bought a family season ticket for <a href="https://www.holding-graz.at/en/activities/bad-strasgang/">Freibäder (open-air baths) in Graz</a>; this turned out to be a great investment &#8211; I enjoyed the open air swimming with family, as well as going for swimming laps on my own <em>very</em> much, and plan to do the same in 2022. Due to the lockdowns and the pandemics, the weekly <a href="https://en.wikipedia.org/wiki/Badminton">Badminton</a> sessions sadly didn&#8217;t really take place, so I pushed towards the above-mentioned outdoor swimming and also some running; with my family we managed to do some cycling, inline skating and even practiced some boulder climbing.</p>
  1117. <p>For obvious reasons plenty of concerts I was looking forward didn&#8217;t take place. With my parents we at least managed to attend a concert performance of Puccinis Tosca with Jonas Kaufmann at Schloßbergbühne Kasematten/Graz, and with the kids we saw &quot;Robin Hood&quot; in Oper Graz and &quot;Pippi Langstrumpf&quot; at Studiobühne of Oper Graz. The lack of concerts and rehearsals once again and still severely impacts my playing the drums, including at HTU BigBand Graz. :-/</p>
  1118. <p><a href="https://grml.org/">Grml</a>-wise we managed to publish <a href="https://grml.org/changelogs/README-grml-2021.07/">release 2021.07</a>, codename <a href="https://grml.org/faq/#releasename">JauKerl</a>. <a href="https://debian.org/">Debian</a>-wise we got <a href="https://www.debian.org/News/2021/20210814">version 11 AKA bullseye</a> released as new stable release in August.</p>
  1119. <p>For 2021 I planned to and also managed to minimize buying (new) physical stuff, except for books and other reading stuff. Speaking of reading, 2021 was nice \x97 I managed to finish more than 100 books (see &#8220;<a href="/blog/2022/01/04/mein-lesejahr-2021/">Mein Lesejahr 2021</a>&#8220;), and I&#8217;d like to keep the reading pace.</p>
  1120. <p>Now let&#8217;s hope for better times in 2022!</p>
  1121. ]]></content:encoded>
  1122. </item>
  1123. <item>
  1124. <title>Mein Lesejahr 2021</title>
  1125. <link>https://michael-prokop.at/blog/2022/01/04/mein-lesejahr-2021/</link>
  1126. <pubDate>Tue, 04 Jan 2022 10:26:46 +0000</pubDate>
  1127. <dc:creator><![CDATA[mika]]></dc:creator>
  1128. <category><![CDATA[Allgemein]]></category>
  1129. <category><![CDATA[Bücher & CO]]></category>
  1130.  
  1131. <guid isPermaLink="false">https://michael-prokop.at/blog/?p=5756</guid>
  1132. <description><![CDATA[Auch 2021 habe ich wieder mittels Bookdumps versucht, kurze Reviews zu den von mir gelesenen Büchern festzuhalten (wobei sich das auf Belletristik- und Sachbücher beschränkt, also grundsätzlich keine Fachbücher und IT-Bücher, bzw. auch keine Kinderbücher :)). Dazu erschienen 2021 folgende Bookdumps: Bookdump 1/2021 Bookdump 2/2021 Bookdump 3/2021 Bookdump 4/2021 In Summe habe ich 2021 mindestens [&#8230;]]]></description>
  1133. <content:encoded><![CDATA[<p>Auch 2021 habe ich wieder mittels Bookdumps versucht, kurze Reviews zu den von mir gelesenen Büchern festzuhalten (wobei sich das auf Belletristik- und Sachbücher beschränkt, also grundsätzlich keine Fachbücher und IT-Bücher, bzw. auch keine Kinderbücher :)). Dazu erschienen 2021 folgende Bookdumps:</p>
  1134. <ul>
  1135. <li><a href="/blog/2021/04/02/bookdump-01-2021/">Bookdump 1/2021</a></li>
  1136. <li><a href="/blog/2021/07/05/bookdump-02-2021/">Bookdump 2/2021</a></li>
  1137. <li><a href="/blog/2021/10/01/bookdump-03-2021/">Bookdump 3/2021</a></li>
  1138. <li><a href="/blog/2022/01/04/bookdump-04-2021/">Bookdump 4/2021</a></li>
  1139. </ul>
  1140. <p>In Summe habe ich 2021 mindestens 102 Bücher mit insgesamt 24266 Seiten gelesen, das durchschnittliche Buch hatte also 238 Seiten und ich kam auf durchschnittlich &gt;66 Seiten pro Tag. Diesmal hab ich nicht speziell darauf geachtet, wie das Verhältnis von Autorin zu Autor ist, und mit 69 Autoren zu 32 Autorinnen (sowie 1x gemischt) ist es leider auch entsprechend unausgewogen ausgefallen.</p>
  1141. <p>Wie schon in &#8220;<a href="/blog/2021/01/06/mein-lesejahr-2020/">Mein Lesejahr 2020</a>&#8221; geschrieben, helfen mir die Reviews beim Erinnern an die gelesenen Bücher sowie beim Austausch mit Lesekollegen. Die Reviews habe ich diesmal bewusst kürzer bzw. unaufwendiger gehalten und auf die vier Quartale aufgeteilt. Trotzdem passt das Verhältnis Aufwand vs. Nutzen für mich noch nicht ganz. Besonders, da ich den Diskurs mittlerweile in persönlichen Gesprächen mit meinen Lesebuddies suche (und dort eine andere Form von Notizen gefragt ist), die Bookdumps nicht bei der Vorab-Auswahl der Bücher helfen und ich auch viele Bücher ohne Lesebuddy lese. Für 2022 könnte ich mir daher das Format eines &#8220;Best Of&#8221; vorstellen \x96 let&#8217;s see.</p>
  1142. <p>Was waren 2021 meine Lieblingsbücher? Es waren <em>viele</em> gute Bücher dabei, die folgenden sind mir aber besonders im Gedächtnis geblieben (keine Reihung):</p>
  1143. <ul>
  1144. <li>Dunkelblum, Eva Menasse (siehe <a href="/blog/2022/01/04/bookdump-04-2021/">Bookdump 4/2021</a>)</li>
  1145. <li>Das Ereignis, Annie Ernaux (siehe <a href="/blog/2022/01/04/bookdump-04-2021/">Bookdump 4/2021</a>)</li>
  1146. <li>Die Wahrheit über das Lügen, Benedict Wells (siehe <a href="/blog/2021/10/01/bookdump-03-2021/">Bookdump 3/2021</a>)</li>
  1147. <li>Vom Aufstehen, Helga Schubert (siehe <a href="/blog/2021/10/01/bookdump-03-2021/">Bookdump 3/2021</a>)</li>
  1148. <li>2001, Angela Lehner (siehe <a href="/blog/2021/10/01/bookdump-03-2021/">Bookdump 3/2021</a>)</li>
  1149. <li>Hamster im hinteren Stromgebiet, Joachim Meyerhoff (siehe <a href="/blog/2021/07/05/bookdump-02-2021/">Bookdump 2/2021</a>)</li>
  1150. <li>Eurotrash, Christian Kracht (siehe <a href="/blog/2021/07/05/bookdump-02-2021/">Bookdump 2/2021</a>)</li>
  1151. <li>Die Bienen und das Unsichtbare, von Clemens J. Setz (siehe <a href="/blog/2021/04/02/bookdump-01-2021/">Bookdump 1/2021</a>)</li>
  1152. <li>Tyll, von Daniel Kehlmann  (siehe <a href="/blog/2021/04/02/bookdump-01-2021/">Bookdump 1/2021</a>)</li>
  1153. <li>Mädchen, Frau etc., von Bernardine Evaristo (siehe <a href="/blog/2021/04/02/bookdump-01-2021/">Bookdump 1/2021</a>)</li>
  1154. </ul>
  1155. <p>Mein Bücherregal für 2022 ist bereits gut gefüllt, wer aber noch Empfehlungen hat oder Bücher &#8220;gemeinsam&#8221; mit mir lesen möchte: ich freue mich über Kommentare hier im Blog oder via Mail (bookdump at michael-prokop.at).</p>
  1156. ]]></content:encoded>
  1157. </item>
  1158. </channel>
  1159. </rss>
  1160.  

If you would like to create a banner that links to this page (i.e. this validation result), do the following:

  1. Download the "valid RSS" banner.

  2. Upload the image to your own server. (This step is important. Please do not link directly to the image on this server.)

  3. Add this HTML to your page (change the image src attribute if necessary):

If you would like to create a text link instead, here is the URL you can use:

http://www.feedvalidator.org/check.cgi?url=http%3A//www.michael-prokop.at/blog/wp-rss2.php

Copyright © 2002-9 Sam Ruby, Mark Pilgrim, Joseph Walton, and Phil Ringnalda