![[Valid RSS]](images/valid-rss-rogers.png "Valid RSS")
This is a valid RSS feed.
This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.
line 37, column 463: (9 occurrences) [help]
... ha Lobo, Tex Rubinowitz, Klaus Nüchtern,\x85).</li>
^
line 45, column 3: (14 occurrences) [help]
]]></content:encoded>
^
line 59, column 39: (7 occurrences) [help]
<description><![CDATA[We did it again\x99! Just in time, we\x92re excited to ann ...
^
<content:encoded><![CDATA[<p>I’m one of the few folks left who run ...
<style>
<tr style="background-color: lightgrey; font-weight:bold">
<?xml version="1.0" encoding="ISO-8859-1"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" > <channel> <title>mikas blog</title> <atom:link href="https://michael-prokop.at/blog/feed/" rel="self" type="application/rss+xml" /> <link>https://michael-prokop.at/blog</link> <description>... and even if no one reads it</description> <lastBuildDate>Tue, 31 Dec 2024 13:25:19 +0000</lastBuildDate> <language>en-US</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>https://wordpress.org/?v=5.0.3</generator> <item> <title>Mein Lesejahr 2024</title> <link>https://michael-prokop.at/blog/2024/12/31/mein-lesejahr-2024/</link> <pubDate>Tue, 31 Dec 2024 12:30:06 +0000</pubDate> <dc:creator><![CDATA[mika]]></dc:creator> <category><![CDATA[Allgemein]]></category> <category><![CDATA[Bücher & CO]]></category> <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6949</guid> <description><![CDATA[Mein Lesejahr 2024 war mit durchschnittlich einem Buch pro Woche ähnlich wie 2023. Mein Best-Of der von mir 2024 fertig gelesenen Bücher (jene die ich besonders lesenswert fand bzw. empfehlen möchte, die Reihenfolge entspricht dem Foto und stellt keinerlei Reihung dar): Die Geschichten in uns: Vom Schreiben und vom Leben, Benedict Wells. Schön gemacht und […]]]></description> <content:encoded><![CDATA[<p><img src="/blog/img/buecher_2024.jpg" alt="Foto der hier vorgestellten Bücher" style="border: 0px; margin-right: 20px" align=left /></p><p>Mein Lesejahr 2024 war mit durchschnittlich einem Buch pro Woche ähnlich wie <a href="/blog/mein-lesejahr-2023/">2023</a>. Mein Best-Of der von mir 2024 fertig gelesenen Bücher (jene die ich besonders lesenswert fand bzw. empfehlen möchte, die Reihenfolge entspricht dem Foto und stellt keinerlei Reihung dar):</p><ul><li><a href="https://www.diogenes.ch/leser/titel/benedict-wells/die-geschichten-in-uns-9783257073140.html"><strong>Die Geschichten in uns: Vom Schreiben und vom Leben</strong>, Benedict Wells</a>. Schön gemacht und speziell für jene interessant, die sich für das “was steckt an Schreibarbeit hinter einem Buch” interessieren. Wells ist mit dem Buch die deutsche Version von Stephen Kings “On Writing” gelungen.</li><li><a href="https://www.rowohlt.de/buch/wolfgang-herrndorf-sand-9783499258640"><strong>Sand</strong>, Wolfgang Herrndorf</a>. Ich bin <a href="https://michael-prokop.at/blog/2024/01/03/mein-lesejahr-2023/">bekannterweise</a> Fan von Herrndorfs “Tschick” und “Arbeit und Struktur”, und damit war dieses Buch entsprechend eine Pflichtlektüre für mich, und <em>wow</em>.</li><li><a href="https://www.rowohlt.de/buch/daniel-kehlmann-f-9783499249273"><strong>F</strong>, Daniel Kehlmann.</a> Von einem lieben Nachbarn vor die Tür gelegt bekommen und es war wirklich <em>f</em>antastisch zu lesen, es <em>f</em>lutschte nur so.</li><li><a href="https://www.suhrkamp.de/buch/julia-jost-wo-der-spitzeste-zahn-der-karawanken-in-den-himmel-hinauf-fletscht-t-9783518431672"><strong>Wo der spitzeste Zahn der Karawanken in den Himmel hinauf fletscht</strong>, Julia Jost</a>. Das Buch wurde in der Literaturszene ziemlich gehypt, aber nach nur wenigen Seiten hab ich mich schon auf die Sprache eingegroovt. Viele Schauplätze sind mir bekannt und das Buch hatte dann eine interessante Sog-Wirkung. Die kursiv gesetzten umgangssprachlichen Ausdrücke finde ich sehr gelungen.</li><li><a href="https://www.rowohlt.de/buch/tobias-ruether-herrndorf-9783737100823"><strong>Herrndorf: Eine Biographie</strong>, Tobias Rüther</a>. Ein Buch das für mich zum Verständnis der Texte von Herrndorf beiträgt. Eine schöne und stringente Geschichte, oder um es mit den Worten von Herrndorf zu sagen: “hohe Durchlesbarkeit”. Man findet auch viele bekannte Namen wieder (Kathrin Passig, Daniela Strigl, Sascha Lobo, Tex Rubinowitz, Klaus Nüchtern,\x85).</li><li><a href="https://www.rowohlt.de/buch/stefanie-sargnagel-iowa-9783498003401"><strong>Iowa: Ein Ausflug nach Amerika</strong>, Stefanie Sargnagel</a>. Sehr unterhaltsam und mit der gewohnten Beobachtungsgabe der Autorin, vielen Bonmots sowie super Fußnoten von Christiane Rösinger.</li><li><a href="https://www.hanser-literaturverlage.de/buch/monika-helfer-loewenherz-9783446272699-t-3621"><strong>Löwenherz</strong>, Monika Helfer</a>. Nachdem mir schon ihr “Die Bagage” (siehe <a href="https://michael-prokop.at/blog/2020/06/16/bookdump-03-2020/">Blogeintrag von 2020</a>) und “Vati” (siehe <a href="https://michael-prokop.at/blog/2024/01/03/mein-lesejahr-2023/">Blogeintrag von 2023</a>) so gut gefallen haben, war das Buch über ihren Bruder Richard entsprechend ein Must-Read, und es wird nicht mein letztes Buch von Helfer sein.</li><li><a href="https://www.hanser-literaturverlage.de/buch/barbara-bleisch-mitte-des-lebens-9783446280885-t-5425"><strong>Mitte des Lebens</strong>, Barbara Bleisch</a>. Die Gedichte und Zitate hätte es für mich nicht gebraucht, aber das Buch regt zum Nachdenken rund um die eigene Lebensmitte an, und es hat bei mir zeitlich gut in mein Leben gepasst.</li><li><a href="https://www.hanser-literaturverlage.de/buch/toxische-pommes-ein-schoenes-auslaenderkind-9783552074101-t-5287"><strong>Ein schönes Ausländerkind</strong>, Toxische Pommes</a>. Schön und traurig, aber wunderbar zu lesen – ich hoffe auf weitere Bücher von Toxische Pommes.</li><li><a href="https://www.kiwi-verlag.de/buch/joachim-meyerhoff-man-kann-auch-in-die-hoehe-fallen-9783462006995"><strong>Man kann auch in die Höhe fallen</strong>, Joachim Meyerhoff</a>. Wer mich kennt, weiß, dass ich Fan von Meyerhoffs <a href="https://www.kiwi-verlag.de/buch/reihe/alle-toten-fliegen-hoch">“Alle Toten fliegen hoch”-Serie</a> bin. Auch der neue Band ist wieder wunderbar geworden. (Ich bin nach wie vor auf der Suche nach ähnlich unterhaltsamen Büchern!)</li></ul><p>Mein SuB bzw. Lesestapel für 2025 ist bereits gut gefüllt, ich freue mich aber trotzdem über etwaige Leseempfehlungen. Ebenso freue ich mich über Feedback, wenn jemand ein Buch aufgrund dieses Beitrags hier gelesen hat.</p>]]></content:encoded> </item> <item> <title>Grml 2024.12 – codename Adventgrenze</title> <link>https://michael-prokop.at/blog/2024/12/20/grml-2024-12-codename-adventgrenze/</link> <pubDate>Fri, 20 Dec 2024 18:05:45 +0000</pubDate> <dc:creator><![CDATA[mika]]></dc:creator> <category><![CDATA[Computer]]></category> <category><![CDATA[Debian]]></category> <category><![CDATA[English]]></category> <category><![CDATA[Links]]></category> <category><![CDATA[Open Source]]></category> <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6947</guid> <description><![CDATA[We did it again\x99! Just in time, we\x92re excited to announce the release of Grml stable version 2024.12, code-named \x91Adventgrenze\x92! (If you\x92re not familiar with Grml, it\x92s a Debian-based live system tailored for system administrators.) This new release is built on Debian trixie, and for the first time, we\x92re introducing support for 64-bit ARM CPUs […]]]></description> <content:encoded><![CDATA[<p><a href="/blog/img/grml-work-2024.png"><img src="/blog/img/grml-work-2024.jpg" alt="Picture with metrics of three user profiles on GitHub.com, with many contributions especially in the last quarter of the year" style="border: 0px; margin-right: 20px" align=left /></a></p><p>We did it again\x99! Just in time, we\x92re excited to announce the release of <a href="https://grml.org/">Grml</a> stable version 2024.12, code-named \x91<a href="https://grml.org/faq/#releasename">Adventgrenze</a>\x92! (If you\x92re not familiar with Grml, it\x92s a Debian-based live system tailored for system administrators.)</p><p>This new release is built on Debian trixie, and for the first time, we\x92re introducing support for 64-bit ARM CPUs (arm64 architecture)!</p><p>I\x92m incredibly proud of the hard work that went into this release. A significant amount of behind-the-scenes effort went into reworking our infrastructure and redesigning the build process. Special thanks to Chris and Darsha – our Grml developer days in November and December were a blast!</p><p>For a detailed overview of the changes between releases 2024.02 and 2024.12, check out our <a href="https://grml.org/changelogs/README-grml-2024.12/">official release announcement</a>. And, as always, after a release comes the next one – exciting improvements are already in the works!</p><p>BTW: recently we also celebrated 20(!) years of Grml Releases. If you’re a Grml and or grml-zsh user, please join us in celebrating and <a href="https://blog.grml.org/archives/417-20-years-grml-releases.html">send us a postcard</a>!</p>]]></content:encoded> </item> <item> <title>HTU Bigband Konzert am 04.06.2024</title> <link>https://michael-prokop.at/blog/2024/05/28/htu-bigband-konzert-am-04-06-2024/</link> <pubDate>Tue, 28 May 2024 14:32:20 +0000</pubDate> <dc:creator><![CDATA[mika]]></dc:creator> <category><![CDATA[Allgemein]]></category> <category><![CDATA[Events]]></category> <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6909</guid> <description><![CDATA[Am Dienstag den 4. Juni spielen wir ab 19:30 Uhr unser nächstes HTU-Bigband-Konzert. Das Konzert findet im Innenhof der TU Graz (Alte Technik, Rechbauerstraße 12, 8010 Graz) statt, bei Schlechtwetter geht es an der gleichen Adresse in den wunderbaren Hörsaal 2. Wir sind über 25 Musikerinnen und Musiker und haben ein anspruchsvolles Programm – von […]]]></description> <content:encoded><![CDATA[<p><a href="/blog/img/htu-bigband-2024-06-04.jpg"><img src="/blog/img/htu-bigband-2024-06-04-small.jpg" alt="Plakat für das HTU Bigband-Konzert am 04.06.2024" style="border: 0px; margin-right: 20px" align=left /></a></p><p>Am Dienstag den 4. Juni spielen wir ab 19:30 Uhr unser nächstes <a href="https://htugraz.at/deine-htu/htu-big-band">HTU-Bigband</a>-Konzert. Das Konzert findet im Innenhof der TU Graz (<a href="https://www.openstreetmap.org/#map=19/47.06894/15.44980">Alte Technik, Rechbauerstraße 12, 8010 Graz</a>) statt, bei Schlechtwetter geht es an der gleichen Adresse in den wunderbaren Hörsaal 2. Wir sind über 25 Musikerinnen und Musiker und haben ein anspruchsvolles Programm – von Swing, über Soul, Funk und Latin bis Pop ist alles dabei. Es gibt über 2 Stunden Musik vom Feinsten, und das Ganze bei freiem Eintritt.</p><p>Das Event gibt es auch auf <a href="https://www.facebook.com/HTUGraz/posts/pfbid02FdAKWch5Rb2B1kxexhNBQywmeziXYEXuTd2XRAtHLDb45pdBYXBu7c7Fxfd8xWbWl">Facebook</a> und <a href="https://www.instagram.com/htugraz/p/C6yFjaVozaS/">Instagram</a> zum “Liken” und Weiterverteilen.</p><p>Ich freue mich schon tierisch darauf und würde mich über bekannte Gesichter freuen. Ich hoffe man sieht und hört sich! :-)</p>]]></content:encoded> </item> <item> <title>Being a Debian Developer since 15 years</title> <link>https://michael-prokop.at/blog/2024/05/28/being-a-debian-developer-since-15-years/</link> <pubDate>Tue, 28 May 2024 11:37:59 +0000</pubDate> <dc:creator><![CDATA[mika]]></dc:creator> <category><![CDATA[Computer]]></category> <category><![CDATA[English]]></category> <category><![CDATA[Open Source]]></category> <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6905</guid> <description><![CDATA[15 years ago I became an official Debian Developer. Incredible how time flies.]]></description> <content:encoded><![CDATA[<p><a href="/blog/2009/05/28/debiandeveloper-add_membermika/">15 years ago</a> I became an official Debian Developer. Incredible how time flies.</p>]]></content:encoded> </item> <item> <title>Vortrag: We got hacked: Lektionen aus realen Security-Vorfällen @ GLT24</title> <link>https://michael-prokop.at/blog/2024/04/07/vortrag-we-got-hacked-lektionen-aus-realen-security-vorfallen-glt24/</link> <pubDate>Sun, 07 Apr 2024 10:22:35 +0000</pubDate> <dc:creator><![CDATA[mika]]></dc:creator> <category><![CDATA[Computer]]></category> <category><![CDATA[Events]]></category> <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6897</guid> <description><![CDATA[Auf den Grazer Linuxtagen 2024 (GLT24) war ich als Referent mit einem Vortrag zum Thema “We got hacked: Lektionen aus realen Security-Vorfällen” vertreten. In meinem Vortrag gibt es einen Einblick in reale Security-Incidents und welche Lektionen sich aus solchen Vorfällen mitnehmen lassen. Es gibt den Vortrag dank des fantastischen c3voc-Teams bereits als Videomitschnitt online. Meine […]]]></description> <content:encoded><![CDATA[<p>Auf den <a href="https://www.linuxtage.at/">Grazer Linuxtagen 2024</a> (GLT24) war ich als Referent mit einem Vortrag zum Thema “<a href="https://pretalx.linuxtage.at/glt24/talk/3MMQBF/">We got hacked: Lektionen aus realen Security-Vorfällen</a>” vertreten. In meinem Vortrag gibt es einen Einblick in reale Security-Incidents und welche Lektionen sich aus solchen Vorfällen mitnehmen lassen.</p><p>Es gibt den Vortrag dank des fantastischen c3voc-Teams bereits als <a href="https://media.ccc.de/v/glt24-418-we-got-hacked-lektionen-aus-realen-security-vorfllen">Videomitschnitt online</a>. Meine <a href="https://michael-prokop.at/slides/glt24_we-got-hacked.pdf">Vortragsfolien (2.1MB, PDF)</a> stehen ebenfalls online zur Verfügung. Viel Spaß beim Anschauen!</p>]]></content:encoded> </item> <item> <title>Mein Lesejahr 2023</title> <link>https://michael-prokop.at/blog/2024/01/03/mein-lesejahr-2023/</link> <comments>https://michael-prokop.at/blog/2024/01/03/mein-lesejahr-2023/#comments</comments> <pubDate>Wed, 03 Jan 2024 11:39:37 +0000</pubDate> <dc:creator><![CDATA[mika]]></dc:creator> <category><![CDATA[Allgemein]]></category> <category><![CDATA[Bücher & CO]]></category> <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6849</guid> <description><![CDATA[Ich habe auch 2023 keine Bookdumps geschrieben (zu viel Aufwand), darum gibt es auch diesmal wieder (siehe Lesejahr 2022 für die letzte Ausgabe) eine Art Best-Of der von mir 2023 fertig gelesenen Bücher, also jene die ich besonders lesenswert fand bzw. empfehlen möchte (die Reihenfolge entspricht dem Foto und stellt keinerlei Reihung oder dergleichen dar): […]]]></description> <content:encoded><![CDATA[<p><img src="/blog/img/buecher_2023.jpg" alt="Foto der hier vorgestellten Bücher" style="border: 0px; margin-right: 20px" align=left /></p><p>Ich habe auch 2023 keine Bookdumps geschrieben (zu viel Aufwand), darum gibt es auch diesmal wieder (siehe <a href="/blog/2023/01/03/mein-lesejahr-2022/">Lesejahr 2022</a> für die letzte Ausgabe) eine Art Best-Of der von mir 2023 fertig gelesenen Bücher, also jene die ich besonders lesenswert fand bzw. empfehlen möchte (die Reihenfolge entspricht dem Foto und stellt keinerlei Reihung oder dergleichen dar):</p><ul><li><a href="https://www.penguin.de/Daniel-Everett-Das-gluecklichste-Volk-DVA/Das-gluecklichste-Volk/aid20724_4354.rhd"><strong>Das glücklichste Volk: Sieben Jahre bei den Pirahã-Indianern am Amazonas</strong>, Daniel L. Everett</a>. Diese Buch ist eine Empfehlung von Khaled Hakami, der u.a. im Erklär-mir-die-Welt-Podcast zum Thema <a href="https://xn--erklrmir-3za.at/2021/03/02/153-erklaer-mir-jaeger-und-sammler-khaled-hakami/">Erklär mir Jäger und Sammle</a> zu Gast war. Das Buch ist eine große Empfehlung speziell für all jene Leute, die sich für andere Kulturen interessieren. Es ist eines der horizonterweiterndsten Bücher, das ich in den letzten Jahren gelesen habe.</li><li><a href="https://www.kiwi-verlag.de/buch/nele-pollatschek-kleine-probleme-9783869712406"><strong>Kleine Probleme</strong>, Nele Pollatschek</a>. Der letzte Tag des Jahres, eine To-do-Liste, unerledigte Dinge und die Sehnsucht nach Ordnung. Die Autorin schreibt aus Sicht von Lars, Familienvater und Endvierziger ein unterhaltsames Buch.</li><li><a href="https://www.mare.de/buecher/gentleman-uber-bord-8696"><strong>Gentleman über Bord</strong>, Herbert Clyde Lewis</a>. Ein Roman aus dem Jahr 1937, in dem der Protagonist Henry bei einer Schiffsreise bei einem Missgeschick über Bord geht, und die restliche Besatzung des Schiffes jede Menge Ausreden für sich (er)findet, um das Verschwinden des Passagiers Henry zu entschuldigen. Bedeutungstief und zeitlos.</li><li><a href="https://en.wikipedia.org/wiki/The_Undoing_Project"><strong>The Undoing Project: A Friendship That Changed Our Minds</strong>, Michael Lewis</a>. Ein Buch das die Freundschaft und Lebensweg von Daniel Kahneman (bekannt u.a. für das Buch “Thinking, Fast and Slow”) und Amos Tversk beleuchtet, jene Herren die u.a. für die <a href="https://de.wikipedia.org/wiki/Prospect_Theory">Prospect Theory</a> bekannt sind. Ich wurde auf das Buch über die <a href="https://www.piqd.de/literatur/the-undoing-project-und-der-beginn-einer-automatischen-sachbuchkritik">wunderbare Rezension von Kathrin Passig</a> aufmerksam, und mir hat das Buch voll zugesagt (auch wenn ein Lesebuddy zurecht anmerkte, dass man kein Problem mit amerikanischen Journalisten als Autor wie auch ein bisserl Drama haben sollte, <em>mich</em> hat beides nicht gestört). Für mich war das Buch insgesamt sehr gut gemacht, es gab einige interessante Stellen und diente mir als Erinnerung, dass ich die Werke von Kahneman (wieder) mal (fertig)lesen sollte.</li><li><a href="https://www.rowohlt.de/buch/dirk-stermann-mir-geht-s-gut-wenn-nicht-heute-dann-morgen-9783498003746"><strong>Mir geht’s gut, wenn nicht heute, dann morgen</strong>, Dirk Stermann</a>. Eine wunderbare Mischung aus ernsten Themen und Schmäh.</li><li><a href="https://www.hanser-literaturverlage.de/buch/vati/978-3-446-26917-0/"><strong>Vati</strong>, Monika Helfer</a>. Eine Fortsetzung ihrer eigenen Familiengeschichte, ich mag die schlichte und trotzdem berührende Sprache.</li><li><a href="https://www.hanser-literaturverlage.de/buch/eigentum/978-3-446-27833-2/"><strong>Eigentum</strong>, Wolf Haas</a>. Ich habe Haas erst 2022 für mich entdeckt, er ist einer meiner Lieblingsautoren und ich bin seither auf dem Weg alles von ihm zu lesen. Auch <em>Eigentum</em> ist ein wunderschönes Buch, in dem Haas von seiner sterbenden Mutter schreibt. Sprachkünstler, Hilfsausdruck!</li><li><a href="https://www.rowohlt.de/buch/wolfgang-herrndorf-arbeit-und-struktur-9783499268519"><strong>Arbeit und Struktur</strong>, Wolfgang Herrndorf</a>. Los ging es mit dem Schließen einer Bildungslücke: <a href="https://de.wikipedia.org/wiki/Tschick_(Roman)">Tschick</a> vom selbigen Autor hat mich dermaßen reingezogen, dass ich auch endlich mal dessen <em>Arbeit und Struktur</em> angefangen habe, ein Buch das <a href="https://daslesenderanderen.de/episodes/20-clemens-j-setz-und-der-buerostuhl-von-ernst-jandl/">Clemens J. Setz im Podcast “Das Lesen der Anderen”</a> empfohlen hat. Das Buch ist die Autobiografie der letzten Lebensjahre des Autors. Ursprünglich als Blog aufgesetzt nachdem der Autor die Diagnose Hirntumor bekommen hat, wurde sein digitales Tagebuch dann in Papier- und Buchform gebracht. Man möge sich von dem vielleicht etwas sperrigen Titel nicht aufhalten lassen. Ein beeindruckendes, bewegendes und großartiges Buch.</li><li><a href="https://www.dumont-buchverlag.de/buch/mariana-leky-die-herrenausstatterin-9783832185442-t-3836"><strong>Die Herrenausstatterin</strong>, Mariana Leky</a>. Ich bin ein Fan von Mariana Leky und habe über die letzten Jahre regelmäßig Bücher von ihr gelesen, so auch dieses wunderbare Buch über eine Dreiecksgeschichte.</li></ul><p>Ich freue mich übrigens über Feedback, wenn jemand von euch ein Buch aufgrund dieses Beitrags hier gelesen oder selbst Lese-Empfehlungen für mich hat.</p>]]></content:encoded> <wfw:commentRss>https://michael-prokop.at/blog/2024/01/03/mein-lesejahr-2023/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item> <title>Postfix failing with “no shared cipher”</title> <link>https://michael-prokop.at/blog/2023/09/25/postfix-failing-with-no-shared-cipher/</link> <comments>https://michael-prokop.at/blog/2023/09/25/postfix-failing-with-no-shared-cipher/#comments</comments> <pubDate>Mon, 25 Sep 2023 18:35:15 +0000</pubDate> <dc:creator><![CDATA[mika]]></dc:creator> <category><![CDATA[Computer]]></category> <category><![CDATA[Debian]]></category> <category><![CDATA[English]]></category> <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6838</guid> <description><![CDATA[I’m one of the few folks left who run and maintain mail servers. Recently I had major troubles receiving mails from the mail servers used by a bank, and when asking my favourite search engine, I’m clearly]]></description> <content:encoded><![CDATA[<p>I’m one of the few folks left who run and maintain mail servers. Recently I had major troubles receiving mails from the mail servers used by a bank, and when <a href="https://duckduckgo.com/?q=%22no+shared+cipher%22+%22lost+connection+after+STARTTLS+from%22">asking my favourite search engine</a>, I’m clearly <a href=https://community.keyhelp.de/viewtopic.php?t=10987">not</a> the only <a href="https://talk.plesk.com/threads/two-words-about-postfix-and-ssl-tls.345772/">one</a> who <a href="https://serverfault.com/questions/1006059/postfix-3-4-9-ssl-issues-no-shared-cipher-from-servers-using-tlsv1">ran into</a> such <a href="https://github.com/docker-mailserver/docker-mailserver/issues/1784">an issue</a>. Actually, I should have checked off the issue and not become a customer at that bank, but the tech nerd in me couldn’t resist getting to the bottom of the problem. Since I got it working and this might be useful for others, here we are. :)</p><p>I was trying to get an online banking account set up, but the corresponding account creation mail didn’t arrive me, at all. Looking at my mail server logs, my postfix mail server didn’t accept the mail due to:</p><pre>postfix/smtpd[3319640]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:postfix/smtpd[3319640]: lost connection after STARTTLS from mx01.arz.at[193.110.182.61]</pre><p>Huh, what’s going on here?! Let’s increase the TLS loglevel (setting <em>smtpd_tls_loglevel = 2</em>) and retry. But how can I retry receiving yet another mail? Luckily, on the registration website of the bank there was a URL available, that let me request a one-time password. This triggered another mail, so I did that and managed to grab this in the logs:</p><pre>postfix/smtpd[3320018]: initializing the server-side TLS enginepostfix/tlsmgr[3320020]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_scachepostfix/tlsmgr[3320020]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanuppostfix/smtpd[3320018]: connect from mx01.arz.at[193.110.182.61]postfix/smtpd[3320018]: setting up TLS connection from mx01.arz.at[193.110.182.61]postfix/smtpd[3320018]: mx01.arz.at[193.110.182.61]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"postfix/smtpd[3320018]: SSL_accept:before SSL initializationpostfix/smtpd[3320018]: SSL_accept:before SSL initializationpostfix/smtpd[3320018]: SSL3 alert write:fatal:handshake failurepostfix/smtpd[3320018]: SSL_accept:error in errorpostfix/smtpd[3320018]: SSL_accept error from mx01.arz.at[193.110.182.61]: -1postfix/smtpd[3320018]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:postfix/smtpd[3320018]: lost connection after STARTTLS from mx01.arz.at[193.110.182.61]postfix/smtpd[3320018]: disconnect from mx01.arz.at[193.110.182.61] ehlo=1 starttls=0/1 commands=1/2postfix/smtpd[3320018]: connect from mx01.arz.at[193.110.182.61]postfix/smtpd[3320018]: disconnect from mx01.arz.at[193.110.182.61] ehlo=1 quit=1 commands=2</pre><p>Ok, so this <em>TLS cipher list “aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH”</em> looked like the <em>tls_medium_cipherlist</em> setting in postfix, but which ciphers <em>might</em> we expect? Let’s see what their SMTP server would speak to us:</p><pre>% testssl --cipher-per-proto -t=smtp mx01.arz.at:25[...]Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)-----------------------------------------------------------------------------------------------------------------------------SSLv2SSLv3TLS 1TLS 1.1TLS 1.2 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xc027 ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHATLS 1.3</pre><p>Looks like a very small subset of ciphers, and they don’t seem to be talking TLS v1.3 at all? Not great. :(</p><p>A nice web service to verify the situation from another point of view is <a href="https://www.checktls.com/TestReceiver">checktls</a>, which also confirmed this:</p><pre>[000.705] <-- 220 2.0.0 Ready to start TLS[000.705] STARTTLS command works on this server[001.260] Connection converted to SSL SSLVersion in use: TLSv1_2 Cipher in use: ECDHE-RSA-AES256-GCM-SHA384 Perfect Forward Secrecy: yes Session Algorithm in use: Curve P-256 DHE(256 bits) Certificate #1 of 3 (sent by MX): Cert VALIDATED: ok Cert Hostname VERIFIED (mx01.arz.at = *.arz.at | DNS:*.arz.at | DNS:arz.at)[...][001.517] TLS successfully started on this server</pre><p>I got distracted by some other work, and when coming back to this problem, the one-time password procedure no longer worked, as the password reset URL was no longer valid. :( I managed to find the underlying URL, and with some web developer tools tinkering I could still use the website to let me trigger sending further one-time password mails, phew.</p><p>Let’s continue, so <em>my</em> mail server was running Debian/bullseye with postfix v3.5.18-0+deb11u1 and openssl v1.1.1n-0+deb11u5, let’s see what it offers:</p><pre>% testssl --cipher-per-proto -t=smtp mail.example.com:25[...]Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)-----------------------------------------------------------------------------------------------------------------------------SSLv2SSLv3TLS 1 xc00a ECDHE-ECDSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA xc019 AECDH-AES256-SHA ECDH 253 AES 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA x3a ADH-AES256-SHA DH 2048 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA x89 ADH-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA xc009 ECDHE-ECDSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA xc018 AECDH-AES128-SHA ECDH 253 AES 128 TLS_ECDH_anon_WITH_AES_128_CBC_SHA x34 ADH-AES128-SHA DH 2048 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA x9b ADH-SEED-SHA DH 2048 SEED 128 TLS_DH_anon_WITH_SEED_CBC_SHA x46 ADH-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHATLS 1.1 xc00a ECDHE-ECDSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA xc019 AECDH-AES256-SHA ECDH 253 AES 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA x3a ADH-AES256-SHA DH 2048 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA x89 ADH-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA xc009 ECDHE-ECDSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA xc018 AECDH-AES128-SHA ECDH 253 AES 128 TLS_ECDH_anon_WITH_AES_128_CBC_SHA x34 ADH-AES128-SHA DH 2048 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA x9b ADH-SEED-SHA DH 2048 SEED 128 TLS_DH_anon_WITH_SEED_CBC_SHA x46 ADH-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHATLS 1.2 xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 xc024 ECDHE-ECDSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 xc00a ECDHE-ECDSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 xc0af ECDHE-ECDSA-AES256-CCM8 ECDH 253 AESCCM8 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 xc0ad ECDHE-ECDSA-AES256-CCM ECDH 253 AESCCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM xc073 ECDHE-ECDSA-CAMELLIA256-SHA384 ECDH 253 Camellia 256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 xc019 AECDH-AES256-SHA ECDH 253 AES 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA xa7 ADH-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DH_anon_WITH_AES_256_GCM_SHA384 x6d ADH-AES256-SHA256 DH 2048 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA256 x3a ADH-AES256-SHA DH 2048 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA xc5 ADH-CAMELLIA256-SHA256 DH 2048 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 x89 ADH-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA xc05d ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDH 253 ARIAGCM 256 TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 xc009 ECDHE-ECDSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA xc0ae ECDHE-ECDSA-AES128-CCM8 ECDH 253 AESCCM8 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 xc0ac ECDHE-ECDSA-AES128-CCM ECDH 253 AESCCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM xc072 ECDHE-ECDSA-CAMELLIA128-SHA256 ECDH 253 Camellia 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 xc018 AECDH-AES128-SHA ECDH 253 AES 128 TLS_ECDH_anon_WITH_AES_128_CBC_SHA xa6 ADH-AES128-GCM-SHA256 DH 2048 AESGCM 128 TLS_DH_anon_WITH_AES_128_GCM_SHA256 x6c ADH-AES128-SHA256 DH 2048 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA256 x34 ADH-AES128-SHA DH 2048 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA xbf ADH-CAMELLIA128-SHA256 DH 2048 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 x9b ADH-SEED-SHA DH 2048 SEED 128 TLS_DH_anon_WITH_SEED_CBC_SHA x46 ADH-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA xc05c ECDHE-ECDSA-ARIA128-GCM-SHA256 ECDH 253 ARIAGCM 128 TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256TLS 1.3 x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256</pre><p>Not so bad, but sadly no overlap with any of the ciphers that mx01.arz.at offers.</p><p>What about disabling STARTTLS for the mx01.arz.at (+ mx02.arz.at being another one used by the relevant domain) mail servers when talking to mine? Let’s try that:</p><pre>% sudo postconf -nf smtpd_discard_ehlo_keyword_address_mapssmtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/smtpd_discard_ehlo_keywords % cat /etc/postfix/smtpd_discard_ehlo_keywords# *disable* starttls for mx01.arz.at / mx02.arz.at:193.110.182.61 starttls193.110.182.62 starttls</pre><p>But the remote mail server doesn’t seem to send mails without TLS:</p><pre>postfix/smtpd[4151799]: connect from mx01.arz.at[193.110.182.61]postfix/smtpd[4151799]: discarding EHLO keywords: STARTTLSpostfix/smtpd[4151799]: disconnect from mx01.arz.at[193.110.182.61] ehlo=1 quit=1 commands=2</pre><p>Let’s verify this further, but without fiddling with the main mail server too much. We can add a dedicated service to postfix (see <a href="https://serverfault.com/questions/1045230/disable-postfix-server-tls-for-specific-clients">serverfault</a>), and run it in verbose mode, to get more detailled logging:</p><pre>% sudo postconf -Mf[...]10025 inet n - - - - smtpd -o syslog_name=postfix/smtpd/badstarttls -o smtpd_tls_security_level=none -o smtpd_helo_required=yes -o smtpd_helo_restrictions=pcre:/etc/postfix/helo_badstarttls_allow,reject -v [...] % cat /etc/postfix/helo_badstarttls_allow/mx01.arz.at/ OK/mx02.arz.at/ OK/193.110.182.61/ OK/193.110.182.62/ OK</pre><p>We redirect the traffic from mx01.arz.at + mx02.arz.at towards our new postfix service, listening on port 10025:</p><pre>% sudo iptables -t nat -A PREROUTING -p tcp -s 193.110.182.61 --dport 25 -j REDIRECT --to-port 10025% sudo iptables -t nat -A PREROUTING -p tcp -s 193.110.182.62 --dport 25 -j REDIRECT --to-port 10025</pre><p>With this setup we get very detailed logging, and it seems to confirm our suspicion that the mail server doesn’t want to talk unencrypted with us:</p><pre>[...]postfix/smtpd/badstarttls/smtpd[3491900]: connect from mx01.arz.at[193.110.182.61][...]postfix/smtpd/badstarttls/smtpd[3491901]: disconnect from mx01.arz.at[193.110.182.61] ehlo=1 quit=1 commands=2postfix/smtpd/badstarttls/smtpd[3491901]: master_notify: status 1postfix/smtpd/badstarttls/smtpd[3491901]: connection closed[...]</pre><p>Let’s step back and revert those changes, back to our original postfix setup. Might the problem be related to our Let’s Encrypt certificate? Let’s see what we have:</p><pre>% echo QUIT | openssl s_client -connect mail.example.com:25 -starttls[...]issuer=C = US, O = Let's Encrypt, CN = R3 ---No client certificate CA names sentPeer signing digest: SHA384Peer signature type: ECDSAServer Temp Key: X25519, 253 bits---SSL handshake has read 4455 bytes and written 427 bytesVerification: OK---New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384Server public key is 384 bit[...]</pre><p>We have an ECDSA based certificate, what about switching to RSA instead? Thanks to the wonderful <a href="https://github.com/dehydrated-io/dehydrated/">dehydrated</a>, this is as easy as:</p><pre>% echo KEY_ALGO=rsa > certs/mail.example.com/config% ./dehydrated -c --domain mail.example.com --force% sudo systemctl reload postfix</pre><p>With switching to RSA type key we get:</p><pre>% echo QUIT | openssl s_client -connect mail.example.com:25 -starttls smtpCONNECTED(00000003)[...]issuer=C = US, O = Let's Encrypt, CN = R3 ---No client certificate CA names sentPeer signing digest: SHA256Peer signature type: RSA-PSSServer Temp Key: X25519, 253 bits---SSL handshake has read 5295 bytes and written 427 bytesVerification: OK---New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384Server public key is 4096 bit</pre><p>Which ciphers do we offer now? Let’s check:</p><pre>% testssl --cipher-per-proto -t=smtp mail.example.com:25[...]Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)-----------------------------------------------------------------------------------------------------------------------------SSLv2SSLv3TLS 1 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA x88 DHE-RSA-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA xc019 AECDH-AES256-SHA ECDH 253 AES 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA x3a ADH-AES256-SHA DH 2048 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA x89 ADH-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA x9a DHE-RSA-SEED-SHA DH 2048 SEED 128 TLS_DHE_RSA_WITH_SEED_CBC_SHA x45 DHE-RSA-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA xc018 AECDH-AES128-SHA ECDH 253 AES 128 TLS_ECDH_anon_WITH_AES_128_CBC_SHA x34 ADH-AES128-SHA DH 2048 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA x9b ADH-SEED-SHA DH 2048 SEED 128 TLS_DH_anon_WITH_SEED_CBC_SHA x46 ADH-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA x96 SEED-SHA RSA SEED 128 TLS_RSA_WITH_SEED_CBC_SHA x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHATLS 1.1 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA x88 DHE-RSA-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA xc019 AECDH-AES256-SHA ECDH 253 AES 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA x3a ADH-AES256-SHA DH 2048 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA x89 ADH-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA x9a DHE-RSA-SEED-SHA DH 2048 SEED 128 TLS_DHE_RSA_WITH_SEED_CBC_SHA x45 DHE-RSA-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA xc018 AECDH-AES128-SHA ECDH 253 AES 128 TLS_ECDH_anon_WITH_AES_128_CBC_SHA x34 ADH-AES128-SHA DH 2048 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA x9b ADH-SEED-SHA DH 2048 SEED 128 TLS_DH_anon_WITH_SEED_CBC_SHA x46 ADH-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA x96 SEED-SHA RSA SEED 128 TLS_RSA_WITH_SEED_CBC_SHA x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHATLS 1.2 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xc028 ECDHE-RSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x9f DHE-RSA-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xccaa DHE-RSA-CHACHA20-POLY1305 DH 2048 ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xc0a3 DHE-RSA-AES256-CCM8 DH 2048 AESCCM8 256 TLS_DHE_RSA_WITH_AES_256_CCM_8 xc09f DHE-RSA-AES256-CCM DH 2048 AESCCM 256 TLS_DHE_RSA_WITH_AES_256_CCM x6b DHE-RSA-AES256-SHA256 DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA xc077 ECDHE-RSA-CAMELLIA256-SHA384 ECDH 253 Camellia 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 xc4 DHE-RSA-CAMELLIA256-SHA256 DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 x88 DHE-RSA-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA xc019 AECDH-AES256-SHA ECDH 253 AES 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA xa7 ADH-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DH_anon_WITH_AES_256_GCM_SHA384 x6d ADH-AES256-SHA256 DH 2048 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA256 x3a ADH-AES256-SHA DH 2048 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA xc5 ADH-CAMELLIA256-SHA256 DH 2048 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 x89 ADH-CAMELLIA256-SHA DH 2048 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 xc0a1 AES256-CCM8 RSA AESCCM8 256 TLS_RSA_WITH_AES_256_CCM_8 xc09d AES256-CCM RSA AESCCM 256 TLS_RSA_WITH_AES_256_CCM x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA xc0 CAMELLIA256-SHA256 RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA xc051 ARIA256-GCM-SHA384 RSA ARIAGCM 256 TLS_RSA_WITH_ARIA_256_GCM_SHA384 xc053 DHE-RSA-ARIA256-GCM-SHA384 DH 2048 ARIAGCM 256 TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 xc061 ECDHE-ARIA256-GCM-SHA384 ECDH 253 ARIAGCM 256 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xc027 ECDHE-RSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x9e DHE-RSA-AES128-GCM-SHA256 DH 2048 AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 xc0a2 DHE-RSA-AES128-CCM8 DH 2048 AESCCM8 128 TLS_DHE_RSA_WITH_AES_128_CCM_8 xc09e DHE-RSA-AES128-CCM DH 2048 AESCCM 128 TLS_DHE_RSA_WITH_AES_128_CCM xc0a0 AES128-CCM8 RSA AESCCM8 128 TLS_RSA_WITH_AES_128_CCM_8 xc09c AES128-CCM RSA AESCCM 128 TLS_RSA_WITH_AES_128_CCM x67 DHE-RSA-AES128-SHA256 DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA xc076 ECDHE-RSA-CAMELLIA128-SHA256 ECDH 253 Camellia 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 xbe DHE-RSA-CAMELLIA128-SHA256 DH 2048 Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 x9a DHE-RSA-SEED-SHA DH 2048 SEED 128 TLS_DHE_RSA_WITH_SEED_CBC_SHA x45 DHE-RSA-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA xc018 AECDH-AES128-SHA ECDH 253 AES 128 TLS_ECDH_anon_WITH_AES_128_CBC_SHA xa6 ADH-AES128-GCM-SHA256 DH 2048 AESGCM 128 TLS_DH_anon_WITH_AES_128_GCM_SHA256 x6c ADH-AES128-SHA256 DH 2048 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA256 x34 ADH-AES128-SHA DH 2048 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA xbf ADH-CAMELLIA128-SHA256 DH 2048 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 x9b ADH-SEED-SHA DH 2048 SEED 128 TLS_DH_anon_WITH_SEED_CBC_SHA x46 ADH-CAMELLIA128-SHA DH 2048 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA xba CAMELLIA128-SHA256 RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 x96 SEED-SHA RSA SEED 128 TLS_RSA_WITH_SEED_CBC_SHA x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA xc050 ARIA128-GCM-SHA256 RSA ARIAGCM 128 TLS_RSA_WITH_ARIA_128_GCM_SHA256 xc052 DHE-RSA-ARIA128-GCM-SHA256 DH 2048 ARIAGCM 128 TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 xc060 ECDHE-ARIA128-GCM-SHA256 ECDH 253 ARIAGCM 128 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256TLS 1.3 x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256</pre><p>With switching our SSL certificate to RSA, we gained around 51 new cipher options, amongst them being ones that also mx01.arz.at claimed to support.</p><p>FTR, the result from above is what you get with the default settings for postfix v3.5.18, being:</p><pre>smtpd_tls_ciphers = mediumsmtpd_tls_mandatory_ciphers = mediumsmtpd_tls_mandatory_exclude_ciphers =smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3</pre><p>But the delay between triggering the password reset mail and getting a mail server connect was getting bigger and bigger. Therefore while waiting for the next mail to arrive, I decided to capture the network traffic, to be able to look further into this if it should continue to be failing:</p><pre>% sudo tshark -n -i eth0 -s 65535 -w arz.pcap -f "host 193.110.182.61 or host 193.110.182.62"</pre><p>A few hours later the mail server connected again, and the mail went through!</p><pre>postfix/smtpd[4162835]: connect from mx01.arz.at[193.110.182.61]postfix/smtpd[4162835]: Anonymous TLS connection established from mx01.arz.at[193.110.182.61]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)postfix/smtpd[4162835]: E50D6401E6: client=mx01.arz.at[193.110.182.61]postfix/smtpd[4162835]: disconnect from mx01.arz.at[193.110.182.61] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7</pre><p>Now also having the captured network traffic, we can check the details there:</p><pre>[...]% tshark -o smtp.decryption:true -r arz.pcap 1 0.000000000 193.110.182.61 → 203.0.113.42 TCP 74 24699 → 25 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2261106119 TSecr=0 WS=128 2 0.000042827 203.0.113.42 → 193.110.182.61 TCP 74 25 → 24699 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3233422181 TSecr=2261106119 WS=128 3 0.020719269 193.110.182.61 → 203.0.113.42 TCP 66 24699 → 25 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=2261106139 TSecr=3233422181 4 0.022883259 203.0.113.42 → 193.110.182.61 SMTP 96 S: 220 mail.example.com ESMTP 5 0.043682626 193.110.182.61 → 203.0.113.42 TCP 66 24699 → 25 [ACK] Seq=1 Ack=31 Win=29312 Len=0 TSval=2261106162 TSecr=3233422203 6 0.043799047 193.110.182.61 → 203.0.113.42 SMTP 84 C: EHLO mx01.arz.at 7 0.043811363 203.0.113.42 → 193.110.182.61 TCP 66 25 → 24699 [ACK] Seq=31 Ack=19 Win=65280 Len=0 TSval=3233422224 TSecr=2261106162 8 0.043898412 203.0.113.42 → 193.110.182.61 SMTP 253 S: 250-mail.example.com | PIPELINING | SIZE 20240000 | VRFY | ETRN | AUTH PLAIN | AUTH=PLAIN | ENHANCEDSTATUSCODES | 8BITMIME | DSN | SMTPUTF8 | CHUNKING 9 0.064625499 193.110.182.61 → 203.0.113.42 SMTP 72 C: QUIT 10 0.064750257 203.0.113.42 → 193.110.182.61 SMTP 81 S: 221 2.0.0 Bye 11 0.064760200 203.0.113.42 → 193.110.182.61 TCP 66 25 → 24699 [FIN, ACK] Seq=233 Ack=25 Win=65280 Len=0 TSval=3233422245 TSecr=2261106183 12 0.085573715 193.110.182.61 → 203.0.113.42 TCP 66 24699 → 25 [FIN, ACK] Seq=25 Ack=234 Win=30336 Len=0 TSval=2261106204 TSecr=3233422245 13 0.085610229 203.0.113.42 → 193.110.182.61 TCP 66 25 → 24699 [ACK] Seq=234 Ack=26 Win=65280 Len=0 TSval=3233422266 TSecr=2261106204 14 1799.888108373 193.110.182.61 → 203.0.113.42 TCP 74 10330 → 25 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2262906007 TSecr=0 WS=128 15 1799.888161311 203.0.113.42 → 193.110.182.61 TCP 74 25 → 10330 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3235222069 TSecr=2262906007 WS=128 16 1799.909030335 193.110.182.61 → 203.0.113.42 TCP 66 10330 → 25 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=2262906028 TSecr=3235222069 17 1799.956621011 203.0.113.42 → 193.110.182.61 SMTP 96 S: 220 mail.example.com ESMTP 18 1799.977229656 193.110.182.61 → 203.0.113.42 TCP 66 10330 → 25 [ACK] Seq=1 Ack=31 Win=29312 Len=0 TSval=2262906096 TSecr=3235222137 19 1799.977229698 193.110.182.61 → 203.0.113.42 SMTP 84 C: EHLO mx01.arz.at 20 1799.977266759 203.0.113.42 → 193.110.182.61 TCP 66 25 → 10330 [ACK] Seq=31 Ack=19 Win=65280 Len=0 TSval=3235222158 TSecr=2262906096 21 1799.977351663 203.0.113.42 → 193.110.182.61 SMTP 267 S: 250-mail.example.com | PIPELINING | SIZE 20240000 | VRFY | ETRN | STARTTLS | AUTH PLAIN | AUTH=PLAIN | ENHANCEDSTATUSCODES | 8BITMIME | DSN | SMTPUTF8 | CHUNKING 22 1800.011494861 193.110.182.61 → 203.0.113.42 SMTP 76 C: STARTTLS 23 1800.011589267 203.0.113.42 → 193.110.182.61 SMTP 96 S: 220 2.0.0 Ready to start TLS 24 1800.032812294 193.110.182.61 → 203.0.113.42 TLSv1 223 Client Hello 25 1800.032987264 203.0.113.42 → 193.110.182.61 TLSv1.2 2962 Server Hello 26 1800.032995513 203.0.113.42 → 193.110.182.61 TCP 1266 25 → 10330 [PSH, ACK] Seq=3158 Ack=186 Win=65152 Len=1200 TSval=3235222214 TSecr=2262906151 [TCP segment of a reassembled PDU] 27 1800.053546755 193.110.182.61 → 203.0.113.42 TCP 66 10330 → 25 [ACK] Seq=186 Ack=3158 Win=36096 Len=0 TSval=2262906172 TSecr=3235222214 28 1800.092852469 193.110.182.61 → 203.0.113.42 TCP 66 10330 → 25 [ACK] Seq=186 Ack=4358 Win=39040 Len=0 TSval=2262906212 TSecr=3235222214 29 1800.092892905 203.0.113.42 → 193.110.182.61 TLSv1.2 900 Certificate, Server Key Exchange, Server Hello Done 30 1800.113546769 193.110.182.61 → 203.0.113.42 TCP 66 10330 → 25 [ACK] Seq=186 Ack=5192 Win=41856 Len=0 TSval=2262906232 TSecr=3235222273 31 1800.114763363 193.110.182.61 → 203.0.113.42 TLSv1.2 192 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message 32 1800.115000416 203.0.113.42 → 193.110.182.61 TLSv1.2 117 Change Cipher Spec, Encrypted Handshake Message 33 1800.136070200 193.110.182.61 → 203.0.113.42 TLSv1.2 113 Application Data 34 1800.136155526 203.0.113.42 → 193.110.182.61 TLSv1.2 282 Application Data 35 1800.158854473 193.110.182.61 → 203.0.113.42 TLSv1.2 162 Application Data 36 1800.159254794 203.0.113.42 → 193.110.182.61 TLSv1.2 109 Application Data 37 1800.180286407 193.110.182.61 → 203.0.113.42 TLSv1.2 144 Application Data 38 1800.223005960 203.0.113.42 → 193.110.182.61 TCP 66 25 → 10330 [ACK] Seq=5502 Ack=533 Win=65152 Len=0 TSval=3235222404 TSecr=2262906299 39 1802.230300244 203.0.113.42 → 193.110.182.61 TLSv1.2 146 Application Data 40 1802.251994333 193.110.182.61 → 203.0.113.42 TCP 2962 [TCP segment of a reassembled PDU] 41 1802.252034015 203.0.113.42 → 193.110.182.61 TCP 66 25 → 10330 [ACK] Seq=5582 Ack=3429 Win=63616 Len=0 TSval=3235224433 TSecr=2262908371 42 1802.252279083 193.110.182.61 → 203.0.113.42 TLSv1.2 1295 Application Data 43 1802.252288316 203.0.113.42 → 193.110.182.61 TCP 66 25 → 10330 [ACK] Seq=5582 Ack=4658 Win=64128 Len=0 TSval=3235224433 TSecr=2262908371 44 1802.272816060 193.110.182.61 → 203.0.113.42 TLSv1.2 833 Application Data, Application Data 45 1802.272827542 203.0.113.42 → 193.110.182.61 TCP 66 25 → 10330 [ACK] Seq=5582 Ack=5425 Win=64128 Len=0 TSval=3235224453 TSecr=2262908392 46 1802.338807683 203.0.113.42 → 193.110.182.61 TLSv1.2 131 Application Data 47 1802.398968611 193.110.182.61 → 203.0.113.42 TCP 66 10330 → 25 [ACK] Seq=5425 Ack=5647 Win=44800 Len=0 TSval=2262908518 TSecr=3235224519 48 1863.257457500 193.110.182.61 → 203.0.113.42 TLSv1.2 101 Application Data 49 1863.257495688 203.0.113.42 → 193.110.182.61 TCP 66 25 → 10330 [ACK] Seq=5647 Ack=5460 Win=64128 Len=0 TSval=3235285438 TSecr=2262969376 50 1863.257654942 203.0.113.42 → 193.110.182.61 TLSv1.2 110 Application Data 51 1863.257721010 203.0.113.42 → 193.110.182.61 TLSv1.2 97 Encrypted Alert 52 1863.278242216 193.110.182.61 → 203.0.113.42 TCP 66 10330 → 25 [ACK] Seq=5460 Ack=5691 Win=44800 Len=0 TSval=2262969397 TSecr=3235285438 53 1863.278464176 193.110.182.61 → 203.0.113.42 TCP 66 10330 → 25 [RST, ACK] Seq=5460 Ack=5723 Win=44800 Len=0 TSval=2262969397 TSecr=3235285438</pre><pre>% tshark -O tls -r arz.pcap[...]Transport Layer Security TLSv1 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 152 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 148 Version: TLS 1.2 (0x0303) Random: 4575d1e7c93c09a564edc00b8b56ea6f5d826f8cfe78eb980c451a70a9c5123f GMT Unix Time: Dec 5, 2006 21:09:11.000000000 CET Random Bytes: c93c09a564edc00b8b56ea6f5d826f8cfe78eb980c451a70a9c5123f Session ID Length: 0 Cipher Suites Length: 26 Cipher Suites (13 suites) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d) Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)[...]Transport Layer Security TLSv1.2 Record Layer: Handshake Protocol: Server Hello Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 89 Handshake Protocol: Server Hello Handshake Type: Server Hello (2) Length: 85 Version: TLS 1.2 (0x0303) Random: cf2ed24e3300e95e5f56023bf8b4e5904b862bb2ed8a5796444f574e47524401 GMT Unix Time: Feb 23, 2080 23:16:46.000000000 CET Random Bytes: 3300e95e5f56023bf8b4e5904b862bb2ed8a5796444f574e47524401 Session ID Length: 32 Session ID: 63d041b126ecebf857d685abd9d4593c46a3672e1ad76228f3eacf2164f86fb9 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)[...]</pre><p>In this network dump we see what cipher suites are offered, and the <em>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</em> here is the Cipher Suite Name in IANA/RFC speak. Whis corresponds to the <em>ECDHE-RSA-AES256-GCM-SHA384</em> in openssl speak (see Mozilla’s <a href="https://wiki.mozilla.org/Security/Cipher_Suites">Mozilla’s cipher suite correspondence table</a>), which we also saw in the postfix log.</p><p>Mission accomplished! :)</p><p>Now, if we’re interested in avoiding certain ciphers and increase security level, we can e.g. get rid of the SEED, CAMELLIA and all anonymous ciphers, and could accept only TLS v1.2 + v1.3, by further adjusting postfix’s main.cf:</p><pre>smtpd_tls_ciphers = highsmtpd_tls_exclude_ciphers = aNULL CAMELLIAsmtpd_tls_mandatory_ciphers = highsmtpd_tls_mandatory_protocols = TLSv1.2 TLSv1.3smtpd_tls_protocols = TLSv1.2 TLSv1.3</pre><p>Which would then gives us:</p><pre>% testssl --cipher-per-proto -t=smtp mail.example.com:25[...] Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)-----------------------------------------------------------------------------------------------------------------------------SSLv2SSLv3TLS 1TLS 1.1TLS 1.2 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xc028 ECDHE-RSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x9f DHE-RSA-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xccaa DHE-RSA-CHACHA20-POLY1305 DH 2048 ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xc0a3 DHE-RSA-AES256-CCM8 DH 2048 AESCCM8 256 TLS_DHE_RSA_WITH_AES_256_CCM_8 xc09f DHE-RSA-AES256-CCM DH 2048 AESCCM 256 TLS_DHE_RSA_WITH_AES_256_CCM x6b DHE-RSA-AES256-SHA256 DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 xc0a1 AES256-CCM8 RSA AESCCM8 256 TLS_RSA_WITH_AES_256_CCM_8 xc09d AES256-CCM RSA AESCCM 256 TLS_RSA_WITH_AES_256_CCM x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA xc051 ARIA256-GCM-SHA384 RSA ARIAGCM 256 TLS_RSA_WITH_ARIA_256_GCM_SHA384 xc053 DHE-RSA-ARIA256-GCM-SHA384 DH 2048 ARIAGCM 256 TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 xc061 ECDHE-ARIA256-GCM-SHA384 ECDH 253 ARIAGCM 256 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xc027 ECDHE-RSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x9e DHE-RSA-AES128-GCM-SHA256 DH 2048 AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 xc0a2 DHE-RSA-AES128-CCM8 DH 2048 AESCCM8 128 TLS_DHE_RSA_WITH_AES_128_CCM_8 xc09e DHE-RSA-AES128-CCM DH 2048 AESCCM 128 TLS_DHE_RSA_WITH_AES_128_CCM xc0a0 AES128-CCM8 RSA AESCCM8 128 TLS_RSA_WITH_AES_128_CCM_8 xc09c AES128-CCM RSA AESCCM 128 TLS_RSA_WITH_AES_128_CCM x67 DHE-RSA-AES128-SHA256 DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA xc050 ARIA128-GCM-SHA256 RSA ARIAGCM 128 TLS_RSA_WITH_ARIA_128_GCM_SHA256 xc052 DHE-RSA-ARIA128-GCM-SHA256 DH 2048 ARIAGCM 128 TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 xc060 ECDHE-ARIA128-GCM-SHA256 ECDH 253 ARIAGCM 128 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256TLS 1.3 x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256</pre><p>Don’t forget to also adjust the <em>smpt_tls_*</em> accordingly (for your sending side). For further information see <a href="https://www.postfix.org/TLS_README.html">the Postfix TLS Support documentation</a>. Also check out options like <a href="https://www.postfix.org/postconf.5.html#tls_ssl_options"><em>tls_ssl_options</em></a> (setting it to e.g. <em>NO_COMPRESSION</em>) and <a href="https://www.postfix.org/postconf.5.html#tls_preempt_cipherlist"><em>tls_preempt_cipherlist</em></a> (setting it to <em>yes</em> would prefer the servers’ order of ciphers over clients).</p><p><strong>Conclusions:</strong></p><ul><li>no matter what you change in your mail server settings, be aware that the type of your SSL certificate also matters for what ciphers are offered and used</li><li>there are mail servers out there that don’t support SSL certificates with ECDSA, using RSA for those ensure better compatibility (nowadays postfix supports parallel usage of ECDSA <em>and</em> RSA keys BTW, check out the <a href="https://www.postfix.org/postconf.5.html#smtpd_tls_eccert_file"><em>smtpd_tls_eccert_file</em></a> + <a href="https://www.postfix.org/postconf.5.html#smtpd_tls_eckey_file"><em>smtpd_tls_eckey_file</em></a> options)</li><li><a href="https://packages.debian.org/search?keywords=testssl.sh"><em>testssl</em></a> is a very useful tool, especially with its <em>–cipher-per-proto -t=smtp</em> option to check SMTP servers</li><li>if you’re uncertain what’s going on, consider capturing network data (tshark/tcpdump/… are your friends)</li><li>review your postfix configuration and logs every now and then :)</li></ul>]]></content:encoded> <wfw:commentRss>https://michael-prokop.at/blog/2023/09/25/postfix-failing-with-no-shared-cipher/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item> <title>What to expect from Debian/bookworm #newinbookworm</title> <link>https://michael-prokop.at/blog/2023/06/11/what-to-expect-from-debian-bookworm-newinbookworm/</link> <pubDate>Sun, 11 Jun 2023 09:50:05 +0000</pubDate> <dc:creator><![CDATA[mika]]></dc:creator> <category><![CDATA[Computer]]></category> <category><![CDATA[Debian]]></category> <category><![CDATA[English]]></category> <category><![CDATA[Open Source]]></category> <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6707</guid> <description><![CDATA[Debian v12 with codename bookworm was released as new stable release on 10th of June 2023. Similar to what we had with #newinbullseye and previous releases, now it’s time for #newinbookworm! I was the driving force at several of my customers to be well prepared for bookworm. As usual with major upgrades, there are some […]]]></description> <content:encoded><![CDATA[<p><a href="https://wiki.debian.org/DebianArt/Themes/Emerald"><img src="/blog/img/debian_bookworm_banner.png" alt="Bookworm Banner, Copyright 2022 Juliette Taka" style="border: 0px; margin-right: 20px" align=left width=200px /></a></p><p>Debian v12 with <a href="https://wiki.debian.org/DebianBookworm">codename bookworm</a> was released as new stable release <a href="https://www.debian.org/News/2023/20230610">on 10th of June 2023</a>. Similar to what we had with <a href="/blog/index.php?s=newinbullseye">#newinbullseye</a> and previous releases, now it’s time for <a href="/blog/index.php?s=newinbookworm">#newinbookworm</a>!</p><p>I was the driving force at several of my customers to be well prepared for bookworm. As usual with major upgrades, there are some things to be aware of, and hereby I’m starting my public notes on bookworm that might be worth also for other folks. My focus is primarily on server systems and looking at things from a sysadmin perspective.</p><h3>Further readings</h3><p>As usual start at the <a href="https://www.debian.org/releases/bookworm/amd64/release-notes/index.en.html">official Debian release notes</a>, make sure to especially go through <a href="https://www.debian.org/releases/bookworm/amd64/release-notes/ch-whats-new.en.html">What’s new in Debian 12</a> + <a href="https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html">Issues to be aware of for bookworm</a>.</p><h3>Package versions</h3><p>As a starting point, let’s look at some selected packages and their versions in bullseye vs. bookworm as of 2023-02-10 (mainly having amd64 in mind):</p><style> table { border: 1px solid; border-collapse: collapse; border-spacing: 20px; empty-cells: show; table-layout: fixed; } thead th { position: -webkit-sticky; position: sticky; top: 0; } th { background-color: #666; color: #fff; } tr { background-color: #fffbf0; color: #000; } tr:nth-child(odd) { background-color: #e4ebf2; }</style><table><thead><tr style="background-color: lightgrey; font-weight:bold"><th scope="col">Package</th><th scope="col">bullseye/v11</th><th scope="col">bookworm/v12</th></tr></thead><tbody style="text-align:center"><tr><td scope="row">ansible</td><td>2.10.7</td><td>2.14.3</td></tr><tr><td scope="row">apache</td><td>2.4.56</td><td>2.4.57</td></tr><tr><td scope="row">apt</td><td>2.2.4</td><td>2.6.1</td></tr><tr><td scope="row">bash</td><td>5.1</td><td>5.2.15</td></tr><tr><td scope="row">ceph</td><td>14.2.21</td><td>16.2.11</td></tr><tr><td scope="row">docker</td><td>20.10.5</td><td>20.10.24</td></tr><tr><td scope="row">dovecot</td><td>2.3.13</td><td>2.3.19</td></tr><tr><td scope="row">dpkg</td><td>1.20.12</td><td>1.21.22</td></tr><tr><td scope="row">emacs</td><td>27.1</td><td>28.2</td></tr><tr><td scope="row">gcc</td><td>10.2.1</td><td>12.2.0</td></tr><tr><td scope="row">git</td><td>2.30.2</td><td>2.39.2</td></tr><tr><td scope="row">golang</td><td>1.15</td><td>1.19</td></tr><tr><td scope="row">libc</td><td>2.31</td><td>2.36</td></tr><tr><td scope="row">linux kernel</td><td>5.10</td><td>6.1</td></tr><tr><td scope="row">llvm</td><td>11.0</td><td>14.0</td></tr><tr><td scope="row">lxc</td><td>4.0.6</td><td>5.0.2</td></tr><tr><td scope="row">mariadb</td><td>10.5</td><td>10.11</td></tr><tr><td scope="row">nginx</td><td>1.18.0</td><td>1.22.1</td></tr><tr><td scope="row">nodejs</td><td>12.22</td><td>18.13</td></tr><tr><td scope="row">openjdk</td><td>11.0.18 <em>+</em> 17.0.6</td><td>17.0.6</td></tr><tr><td scope="row">openssh</td><td>8.4p1</td><td>9.2p1</td></tr><tr><td scope="row">openssl</td><td>1.1.1n</td><td>3.0.8-1</td></tr><tr><td scope="row">perl</td><td>5.32.1</td><td>5.36.0</td></tr><tr><td scope="row">php</td><td>7.4+76</td><td>8.2+93</td></tr><tr><td scope="row">podman</td><td>3.0.1</td><td>4.3.1</td></tr><tr><td scope="row">postfix</td><td>3.5.18</td><td>3.7.5</td></tr><tr><td scope="row">postgres</td><td>13</td><td>15</td></tr><tr><td scope="row">puppet</td><td>5.5.22</td><td>7.23.0</td></tr><tr><td scope="row">python2</td><td>2.7.18</td><td>– (gone!)</td></tr><tr><td scope="row">python3</td><td>3.9.2</td><td>3.11.2</td></tr><tr><td scope="row">qemu/kvm</td><td>5.2</td><td>7.2</td></tr><tr><td scope="row">ruby</td><td>2.7+2</td><td>3.1</td></tr><tr><td scope="row">rust</td><td>1.48.0</td><td>1.63.0</td></tr><tr><td scope="row">samba</td><td>4.13.13</td><td>4.17.8</td></tr><tr><td scope="row">systemd</td><td>247.3</td><td>252.6</td></tr><tr><td scope="row">unattended-upgrades</td><td>2.8</td><td>2.9.1</td></tr><tr><td scope="row">util-linux</td><td>2.36.1</td><td>2.38.1</td></tr><tr><td scope="row">vagrant</td><td>2.2.14</td><td>2.3.4</td></tr><tr><td scope="row">vim</td><td>8.2.2434</td><td>9.0.1378</td></tr><tr><td scope="row">zsh</td><td>5.8</td><td>5.9</td></tr></tbody></table><h3>Linux Kernel</h3><p>The bookworm release ships a Linux kernel based on version <strong>6.1</strong>, whereas bullseye shipped kernel 5.10. As usual there are plenty of changes in the kernel area, including better hardware support, and this might warrant a separate blog entry, but to highlight some changes:</p><ul><li><a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=987f20a9dcce3989e48d87cff3952c095c994445">a.out support is gone</a></li><li><a href="https://lwn.net/Articles/908347/">initial support for Rust</a></li><li>lots of <a href="https://nick-black.com/dankwiki/index.php/Io_uring">io_uring</a> related improvements</li><li>lots of <a href="https://lwn.net/Articles/847951/">BPF</a> improvements</li><li>support for <a href="https://docs.kernel.org/6.1/x86/sgx.html">Intel Software Guard eXtensions (SGX)</a></li><li><a href="https://lwn.net/Articles/837566/">ID mapping for mounted filesystems</a></li><li><a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=459c7c565ac36ba09ffbf24231147f408fde4203">unprivileged overlayfs mounts</a> and <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3a761d72fa62eec8913e45d29375344f61706541">ID mapping in overlayfs</a></li><li><a href="https://wiki.linux-nfs.org/wiki/index.php/NFS_re-export">NFS re-exporting</a> support</li><li><a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed7bcdb374d20fab9e9dc36853a6735c047ad1b1">eager NFS writes</a> with <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a0492339fc70f1f7aa98f0cab55b78b0be124711">new <em>writes=lazy/eager/wait</em> mount options</a></li><li><a href="https://lwn.net/Articles/703876/">Landlock security module</a></li><li>initial <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2d5ce3fbef324295f7c210f29d724b44b5642cb2">support for Apple M2</a></li><li>new <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a72232eabdfcfe365a05a3eb392288b78d25a5ca"><em>misc</em> cgroup</a> and new <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=661ee6280931548f7b3b887ad26a157474ae5ac4">cgroup.kill file</a></li><li>new <a href="https://lwn.net/Articles/865256/">memfd_secret(2) system call</a></li><li>new <a href="https://docs.kernel.org/filesystems/ntfs3.html">NTFS file system implementation</a></li><li><a href="https://www.kernel.org/doc/html/latest/admin-guide/filesystem-monitoring.html">file system monitoring with fanotify</a></li><li>lots of improvements around perf, including the new <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d450bc501fbdceb9d71663ba8192b72f01001bf1">daemon</a>, <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0f70d8e9db4f250f694a3befe88501027b1dc88e">kwork</a> and <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f9ed693e8bc0e7de9eb766a3c7178590e8bb6cd5">iostat</a> commands, and <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df936cadfb58ba93601ac351ab6fc2e2650cf591">JSON output option for <em>stat</em></a></li></ul><p>See <a href="https://kernelnewbies.org/LinuxChanges">Kernelnewbies.org</a> for further changes between kernel versions.</p><h3>Configuration management</h3><p><strong>puppet</strong>‘s upstream sadly still doesn’t provide packages for bookworm (see <a href="https://tickets.puppetlabs.com/browse/PA-4995">PA-4995</a>), though Debian provides puppet-agent and puppetserver packages, and even puppetdb is back again, see <a href="https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#puppetserver">release notes for further information</a>.</p><p><strong>ansible</strong> is also available and made it with version 2.14 into bookworm.</p><h3>Prometheus stack</h3><p><a href="https://prometheus.io/">Prometheus server</a> was updated from v2.24.1 to v2.42.0 and all the exporters that got shipped with bullseye are still around (in more recent versions of course).</p><h3>Virtualization</h3><p>docker (v20.10.24), ganeti (v3.0.2-3), libvirt (v9.0.0-4), lxc (v5.0.2-1), podman (v4.3.1), openstack (<a href="https://releases.openstack.org/zed/index.html">Zed</a>), qemu/kvm (v7.2), xen (v4.17.1) are all still around.</p><p><strong>Vagrant</strong> is available in version 2.3.4, also <a href="https://www.vagrantup.com/">Vagrant upstream provides their packages for bookworm already</a>.</p><p>If you’re relying on <strong>VirtualBox</strong>, be aware that upstream doesn’t provide packages for bookworm <em>yet</em> (see <a href="https://www.virtualbox.org/ticket/21524">ticket 21524</a>), but thankfully version 7.0.8-dfsg-2 is available from Debian/unstable (as of 2023-06-10) (VirtualBox isn’t shipped with stable releases since quite some time due to lack of cooperation from upstream on security support for older releases, see <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794466">#794466</a>).</p><h3>rsync</h3><p>rsync was updated from v3.2.3 to <a href="https://download.samba.org/pub/rsync/NEWS#3.2.7">v3.2.7</a>, and we got a few new options:</p><ul><li><code>--fsync</code>: fsync every written file</li><li><code>--old-dirs</code>: works like –dirs when talking to old rsync</li><li><code>--old-args</code>: disable the modern arg-protection idiom</li><li><code>--secluded-args, -s</code>: use the protocol to safely send the args (replaces –protect-args option)</li><li><code>--trust-sender</code>: trust the remote sender’s file list</li></ul><h3>OpenSSH</h3><p>OpenSSH was updated from v8.4p1 to v9.2p1, so if you’re interested in all the changes, check out the release notes between those version (<a href="https://www.openssh.com/txt/release-8.5">8.5</a>, <a href="https://www.openssh.com/txt/release-8.6">8.6</a>, <a href="https://www.openssh.com/txt/release-8.7">8.7</a>, <a href="https://www.openssh.com/txt/release-8.8">8.8</a>, <a href="https://www.openssh.com/txt/release-8.9">8.9</a>, <a href="https://www.openssh.com/txt/release-9.0">9.0</a>, <a href="https://www.openssh.com/txt/release-9.1">9.1</a> + <a href="https://www.openssh.com/txt/release-9.2">9.2</a>). Let’s highlight some notable new features:</p><ul><li>new system for restricting forwarding and use of keys added to ssh-agent(1), see <a href="https://www.openssh.com/agent-restrict.html">SSH agent restriction for details</a>)</li><li>switched scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default (see <a href="https://www.openssh.com/txt/release-9.0">release notes for v9.0 for details</a> </li><li>ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key</li><li>ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys</li><li>ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files</li><li>ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length</li><li>ssh(1): add a “host” line to the output of ssh -G showing the original hostname argument</li><li>ssh-keygen -A (generate all default host key types) will no longer generate DSA keys</li><li>ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. <em>ssh-keyscan 192.168.0.0/24</em></li></ul><p>One important change you might wanna be aware of is that as of <a href="https://www.openssh.com/txt/release-8.8">OpenSSH v8.8</a>, <strong>RSA signatures using the SHA-1 hash algorithm got disabled by default</strong>, but RSA/SHA-256/512 AKA RSA-SHA2 gets used instead. OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since <a href="https://www.openssh.com/txt/release-7.2">release 7.2</a> and existing ssh-rsa keys will automatically use the stronger algorithm where possible. A good overview is also available at <a href="https://www.jhanley.com/blog/ssh-signature-algorithm-ssh-rsa-error/">SSH: Signature Algorithm ssh-rsa Error</a>.</p><p>Now tools/libraries not supporting RSA-SHA2 fail to connect to OpenSSH as present in bookworm. For example python3-paramiko v2.7.2-1 as present in bullseye doesn’t support RSA-SHA2. It tries to connect using the deprecated RSA-SHA-1, which is no longer offered by default with OpenSSH as present in bookworm, and then fails. Support for RSA/SHA-256/512 signatures in Paramiko was requested e.g. at <a href="https://github.com/paramiko/paramiko/issues/1734">#1734</a>, and eventually got <a href="https://github.com/paramiko/paramiko/commit/2b66625659e66858cb5f557325c5fdd9c35fd073">added to Paramiko</a> and in the end the change made it into Paramiko versions >=2.9.0. Paramiko in bookworm works fine, and a backport by rebuilding the python3-paramiko package from bookworm for bullseye solves the problem (<abbr title="Been There, Done That">BTDT</abbr>).</p><h3>Misc unsorted</h3><ul><li>new <strong>non-free-firmware</strong> component/repository (see <a href="https://wiki.debian.org/Firmware#Debian_12_.28bookworm.29_and_later">Debian Wiki</a> for details)</li><li>support only the <strong>merged-usr</strong> root filesystem layout (see <a href="https://wiki.debian.org/UsrMerge">Debian Wiki</a> for details)</li><li>the <strong>asterisk</strong> package didn’t make it into bookworm (see <a href="https://bugs.debian.org/1031046">#1031046</a>)</li><li><strong>e2fsprogs</strong>: the breaking change related to <em>metadata_csum_seed</em> and <em>orphan_file</em> (see <a href="https://bugs.debian.org/1031325">#1031325</a>) was reverted with v1.47.0-2 for bookworm (also see <a href="https://bugs.debian.org/#1031622">#1031622</a> + <a href="https://bugs.debian.org/#1030939">#1030939</a>)</li><li><strong>rsnapshot</strong> is back again (see <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986709">#986709</a>)</li><li><em>crmadmin</em> of <strong>pacemaker</strong> no longer interprets the timeout option (-t/–timeout) in <em>milliseconds</em> (as it used to be until v2.0.5), but as of v2.1.0 (and v2.1.5 is present in bookworm) it now <a href="https://github.com/ClusterLabs/pacemaker/commit/c26c9951d863e83126f811ee5b91a174fe0cc991">interprets the argument as <em>second</em></a> by default</li></ul><p>Thanks to everyone involved in the release, happy upgrading to bookworm, and let’s continue with working towards <a href="https://wiki.debian.org/DebianTrixie">Debian/trixie</a>. :)</p>]]></content:encoded> </item> <item> <title>HTU Bigband Konzert am 27.06.2023</title> <link>https://michael-prokop.at/blog/2023/06/02/htu-bigband-konzert-am-27-06-2023/</link> <pubDate>Fri, 02 Jun 2023 15:35:04 +0000</pubDate> <dc:creator><![CDATA[mika]]></dc:creator> <category><![CDATA[Allgemein]]></category> <category><![CDATA[Events]]></category> <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6757</guid> <description><![CDATA[Die HTU Bigband ist zurück! Am 27. Juni 2023 findet im Innenhof der TU Graz (Alte Technik, Rechbauerstraße 12, 8010 Graz) das nächste Konzert statt (bei Schlechtwetter geht es in den Hörsaal 2, der ebenfalls an der gleichen Adresse ist). Mit einem fulminanten Programm von Swing, über Soul, Funk, Latin bis Pop ist alles dabei […]]]></description> <content:encoded><![CDATA[<p><a href="/blog/img/htu-bigband-concert-2023-06-27.jpg"><img src="/blog/img/htu-bigband-concert-2023-06-27-small.jpg" alt="Plakat für das HTU Bigband-Konzert am 27.06.2023" style="border: 0px; margin-right: 20px" align=left /></a></p><p>Die HTU Bigband ist zurück! Am 27. Juni 2023 findet im Innenhof der TU Graz (<a href="https://www.openstreetmap.org/#map=19/47.06894/15.44980">Alte Technik, Rechbauerstraße 12, 8010 Graz</a>) das nächste Konzert statt (bei Schlechtwetter geht es in den Hörsaal 2, der ebenfalls an der gleichen Adresse ist). Mit einem fulminanten Programm von Swing, über Soul, Funk, Latin bis Pop ist alles dabei – es gibt über 2 Stunden Musik vom Feinsten, und das Ganze bei freiem Eintritt.</p><p>Für diejenigen mit Facebook-Account unter euch gibt es auch das passende <a href="https://www.facebook.com/events/623929286327453/">Facebook-Event</a>.</p><p>Ich bin als Schlagzeuger und Percussionist mit von der Partie und würde mich über bekannte Gesichter freuen, ich hoffe man sieht und hört sich! 8-)</p>]]></content:encoded> </item> <item> <title>Vortrag: Debugging für Sysadmins @ GLT23</title> <link>https://michael-prokop.at/blog/2023/04/16/vortrag-debugging-fur-sysadmins-glt23/</link> <pubDate>Sun, 16 Apr 2023 08:39:55 +0000</pubDate> <dc:creator><![CDATA[mika]]></dc:creator> <category><![CDATA[Computer]]></category> <category><![CDATA[Events]]></category> <guid isPermaLink="false">https://michael-prokop.at/blog/?p=6748</guid> <description><![CDATA[Auf den Grazer Linuxtagen 2023 (GLT23) war ich als Referent mit einem Vortrag zum Thema “Debugging für Sysadmins” vertreten. In meinem Vortrag gibt es einen Überblick, welche Tools und Strategien rund ums Debugging in der Toolbox von Sysadmins nicht fehlen dürfen. Es gibt den Vortrag dank des wunderbaren c3voc-Teams bereits als Videomitschnitt online. Meine Vortragsfolien […]]]></description> <content:encoded><![CDATA[<p>Auf den <a href="https://www.linuxtage.at/">Grazer Linuxtagen 2023</a> (GLT23) war ich als Referent mit einem Vortrag zum Thema “<a href="https://pretalx.linuxtage.at/glt23/talk/JHCGUX/">Debugging für Sysadmins</a>” vertreten. In meinem Vortrag gibt es einen Überblick, welche Tools und Strategien rund ums Debugging in der Toolbox von Sysadmins nicht fehlen dürfen.</p><p>Es gibt den Vortrag dank des wunderbaren c3voc-Teams bereits als <a href="https://media.ccc.de/v/glt23-334-debugging-fr-sysadmins">Videomitschnitt online</a>. Meine <a href="http://michael-prokop.at/slides/glt23_debugging-fuer-sysadmins.pdf">Vortragsfolien (1.2MB, PDF)</a> stehen ebenfalls online zur Verfügung. Viel Spaß beim Anschauen!</p><p>BTW: weil ich schon mehrfach gefragt wurde, den Vortrag gibt es auch in längerer Workshop-Version, bei Interesse <a href="https://michael-prokop.at/">einfach bei mir melden</a>.</p>]]></content:encoded> </item> </channel></rss> If you would like to create a banner that links to this page (i.e. this validation result), do the following:
Download the "valid RSS" banner.
Upload the image to your own server. (This step is important. Please do not link directly to the image on this server.)
Add this HTML to your page (change the image src attribute if necessary):
If you would like to create a text link instead, here is the URL you can use:
http://www.feedvalidator.org/check.cgi?url=http%3A//www.michael-prokop.at/blog/wp-rss2.php
