Wednesday, November 8, 2017

The Fallacy of Being Right

Something's been worrying me about discussions on the Internet. I'm calling it the fallacy of being right. The value of a statement of truth on any topic is dependent on more than it being true.
The 3 I've identified so far:
  • Context. Does something being true contribute or derail a discussion by it being true? Take, for example, people who seem to only care about men in abusive relationships when people are discussing domestic violence in the context of the casualness around rape culture which disproportionately puts women on the back foot. It is true that men are abused. Its being true doesn't help to advance a discussion on how to minimize domestic violence toward women.
  • Scale. Let's talk economics. In NZ we had a politician admit to committing benefit fraud and our hypocrisy was shown in all its colors. People were angry with her because "benefit fraud is benefit fraud!". In truth, we were looking at a woman lying to gain an extra $15 or so a week. The cost of 3 coffees.... It's true, she committed a crime. But then, people don't show the same amount of fury at businesses who commit tax avoidance. A problematic comparison BUT at a completely insanely different scale. The burden of making up that shortfall falls to individuals paying taxes and is often in the millions.
  • Superiority. Why argue the point? Is your being right important? I found myself in an argument online about whether eggs should be considered vegetarian. When I was vegetarian, I never considered them vegetarian because to me there's very little difference between an egg and a chicken (I also didn't eat gelatin or rennet). A random Internet guy started getting almost aggressive in his wanting to be right about eggs being considered vegetarian. He knew he wasn't going to change my mind and he was totally free to disagree with my opinion (to be fair I was talking about it in the context of trying to find food while out), but it wasn't long until he was spouting off a whole lot of other irrelevant (possibly true?) bits about milk having udder blood and pus in it. The only reason I can possibly think of to get that invested about whether some random person agrees with your opinion is to feel superior to them.
The main problem is that we tend to talk in absolutes about whether something is true rather than looking at the context, scale or whether an argument is being made to make someone feel superior.
Take trickle down economics. The idea is that investment at the top leads to more jobs being created. Does it work? It's tempting to say "No. It does not work at all". But that assumes that everyone who believes in trickle down economics is stupid. The reality is that there's some truth to it but it likely doesn't provide the results to the scale that is promised.
If we break down the language "trickle down", we're left with a feeling that a lot of content at the top leads to a "trickle" downwards. Which would lead any reasonable person to conclude that if it only trickles down, then to create jobs there needs to be a flow upwards, in which case putting the money at the bottom leads to lots of smaller trickles on its way up. We're essentially talking about the ability of businesses to hire individuals. For example, say I go to a dairy and buy a soft drink. The dairy is then potentially able to hire staff, the distributor of the soft drink can pay staff, the soft drink manufacturer can also employ staff (I'm intentionally ignoring automation). The licenser of the branding of the soft drink gets the effects too, and so on. Trickle down economics encourages putting the money at the top, to the licenser of the soft drink. As it's already at the top, there's no flow up effects and it ends up in the pockets of shareholders who may or may not use it to create employment opportunities.
So does money trickle down? Yes. Does that make it an effective way to run an economy? Well... we've been trying it and it hasn't proved to be effective thus far.

Monday, May 8, 2017

On The Maker Movement

Years and years ago, being a mostly unemployed programmer, I was organizing events for my local Linux User Group. When we didn't have guest speakers (my favorite was one where I'd organized a bunch of the younger guys - there were very few women in the group and none of them in their teens - to do short presentations each), we'd go to a pizzeria and just share things in a more 1 on 1 setting.

At one of these meetings, I'd had to cancel a Christmas BBQ due to weather and instead we met at a pub. We're sitting around and someone, once again, talked about how "someone" needed to start a hackerspace in Auckland. We'd laughed about "someone" being in the abstract.

A few weeks after this (after Christmas) a friend contacted me and said "we should be 'someone'". And so, we met, at a pub. There were 4 of us initially. We were meeting to get on the same page. Essentially it was to be non-profit, open ended, flat organisation and absolutely about community.

1 of those 4 was kicked out of the group as our meetings were spent trying to get him on the same page as the rest of us. His interpretations of what was being said were well off base and suddenly he was talking about sponsorship and the like while the rest of us were in a state of disbelief at what he was telling other people.

The result of these meetings was simply to (figure out how) to invite people to discuss and ultimately form a hackerspace (though we were avoiding the term hacker and going with maker).

Long story short, Tangleball was formed.

Now, a few years on, and the maker movement has taken off.

Auckland Libraries have put a couple of 3D printers in a corner and called it a hackerspace. I did attend a meeting with the libraries about what hackerspaces are and we were adamant about their direction having to, by necessity, be driven by the community. I could see a few lights flickering in people's heads as they looked like they were about to get it only to be extinguished by the highly hierarchical nature of Auckland Libraries.

The Auckland Council also have a bunch of spaces around. I even got involved, for a short time, with one. Results vary.

The one I was involved with wanted to engage children. They'd gone to existing groups, bought the equipment they suggested (a vinyl cutter, some sound recording gear, a green screen and of course a 3D printer) and were now struggling to get people in the door. The computers in the space were on the Auckland Council network and were subjected to their filtering. Users of the space couldn't, for example, download FLOSS (Free/Libre/Open Source Software) or get information on abortion. But more damaging, rather than being a space for creating and making, the employees of the council wanted it to be quantifiable which of course implies a top down relationship rather than collaborative.

Another one that I visited leased out a space to a group and then leased out the downstairs of the same space to another group. This probably doesn't sound too bad except that it created a really toxic gender divide as well as splitting resources. The upstairs is totally unsuitable for workshop equipment like drill presses and the like and the downstairs is run by a group whose membership is by and large old white guys.

Don't get me wrong. Tangleball has some really serious problems.

Imagine you have a group whose membership is made up of people able to jump over a particular height. Which means that the control is also in the hands of people who can also jump that height and do so regularly. If the people in control can't understand the problem of having to jump that height, then those who are unable to jump that height are unrepresented. The bar is never lowered.

Tangleball is, first and foremost, about a community. To become a full member, people must attend a certain number of meetings. The people who are comfortable with those meetings are the ones who are in control. Those who are uncomfortable with the meetings either don't become full members OR while they are full members, don't attend those meetings. i.e. do not represent those who find the meetings hostile.

This creates a very particular demographic for those in charge at Tangleball. This isn't to say that the aims behind these decisions aren't valuable.

The whole point of the meeting requirement was so that Tangleball didn't become a service. It doesn't exist on a gym membership like basis. I'm of the opinion that a makerspace of that nature has to be, by necessity, run as a commercial entity i.e. an elected board with a top down provider of a service/equipment/facilities. There has to be more to "membership" than just paying your dues.

So it has got its problems but those problems exist for good reason. Tangleball is still, currently as far as I know, the single community run and focused, not controlled by a hierarchical structure makerspace in Auckland.

I always imagined we'd be sitting around drinking a beer, talking about ideas, offering little tidbits like "have you considered.....?" or meshing skills.
If I had to do it all over again, I think I'd want to move it into a poor neighborhood and focus on empowerment. What can we do to improve a community?

What has the maker movement turned into? The idea of community is seldom seen. There's talk of mobile makerspaces for example. Easy membership/Hackerspace as a service i.e. pay your dues and you're in. A 3D printer in the corner seems to be enough to call a space a makerspace. There are even commercial interests looking at makerspaces to their own end. I don't actually have a problem with this. A makerspace that's also R&D for a company is a grand thing so long as they're up front about it.

The most galling thing for me though is that there's a small body of people who purport to be about all things maker while dismissing the idea of community (unless they're in control). This is far more damaging than Council run spaces just because a community should decide for itself what their makerspace is going to be. These people ARE their own community though tend to impose their will of what a makerspace should be on other communities.

I was at an art installation and the conversations around the installation felt very similar to those early conversations about a makerspace.

"This is a place to relax and make and derive pleasure"

And really, instead of people telling you what a hackerspace (forget about the rubbish that is "State of the Maker Nation") is, think about "What kind of space would your community be able to relax, make and derive pleasure from?".

Thursday, October 13, 2016

Setting Up A Mail Server - Part 1: MySQL, Postfix and Dovecot - Incomplete

I've spent a few days going through the ISPMail tutorial (Debian Jessie with Dovecot and Postfix) and I've found the experience somewhat frustrating.

The use of the database, for example, seems to introduce redundancy when the whole point of a relational database is to remove that risk. Nothing in the tutorial seems to scale all that well i.e. how do you separate out functions but allow them to keep communicating between different machines?

More frustrating for me was the fact that it attempts to tackle everything NOW NOW NOW rather than addressing things in a logical order (I had to pull out my whiteboard to make sense of it).

Within code snippets, any text in red should/could be changed. Blue indicates that the same data is going to be used for a whole chunk.

I'm making an assumption about the structure of the sort of network this is sitting on. The MySQL, File Server, Postfix, Dovecot and web server machines can all be set up on different machines BUT exist on a trusted network i.e. they sit behind a firewall making communication between the machines relatively trusted. Most of this should still work if this isn't the case BUT avoid anything to do with lmtp - it's not made for an untrusted environment.

Warning: This tutorial is incomplete and untested. I will be testing it within the next couple of days and figuring out the missing bits. It needs a test at the end to make sure that it is all working as expected. The SMTP server doesn't appear to have been configured yet (the ISPMail tutorial does this after setting up roundcube) and security on that to make sure the mail server isn't used for relaying spam.


So here goes...

The Structure of an E-mail Server

Very basically, you need to be able to send and receive emails, which is handled by an MTA (Mail Transport Agent), and to retrieve your emails using either IMAP or POP3.

Because editing text files sucks a great big one when it comes to handling email addresses, a database is a damn good idea. And of course, we're going to want to do a whole lot of things around reducing the spam coming in and stopping our server from being used to send lots of spam. We also want to do this securely, so we're going to need some domain verification certificates. Oh, and we have to set up DNS to tell the Internet where mail should go. Eventually we're probably going to want to set up a web front end for the mail so that you can check it anywhere you like and/or configure an email client (ick).

Yep. It's messy.

If you need more information, go and have a look at this page.

We're going to use Postfix as our MTA, Dovecot for our IMAP/POP3 server (though we're going to disable POP3. I'll explain later). For our database we're going to use MySQL (although the instructions likely don't change for MariaDB).

Setting up the Infrastructure

DNS

I'm going to trust that you have purchased a domain name. In your DNS records you'll have something like:
 A  example.org     8.8.8.8  

Which is your A record for the base domain. Add another A record for something like mx.example.org or mail.example.org. I'm going to stick to mx (Mail eXchange). Then add an MX record. It should look something like this:

 A  example.org       8.8.8.8  
 A  mx.example.org    8.8.8.8  
 MX example.org       mx.example.org  

This is basically saying "use mx.example.org to serve mail for @example.org". If you don't know who to use for your DNS, I've found Cloudflare to be pretty good.

Certificates

This is something I was kind of annoyed about with most tutorials. They'd talk about using self signed certificates and there was little information on using the free certificates issued by Let's Encrypt. This is what I'm using.

Let's Encrypt state in their FAQ that the certificates they issue are for domain verification only and aren't suitable for email encryption.

My concern here is that there's an ambiguity. I care more about the encryption when transmitting the email than I do about encrypting the email itself. I hope to be able to trust the user to be able to worry about the encryption of the email if it is needed via PGP (Pretty Good Privacy) or some other means. In which case, I have no idea why I should be worried about my Certificate Authority being able to encrypt emails.

To get started, go to this site, and get instructions on how to download certbot. I'm not going to go into using this tool. You'll need to set up a web server (I recommend nginx myself. I was using Apache but found it horrendously slow) to get the certificates.

Sharing Files - add ssh-keygen and move to its own tutorial

In my case, I want to keep my mail server well away from other functions such as my database and web server. Which means there's the potential of me needing to securely share some files, such as certificates, between machines (Let's Encrypt uses my webserver to verify my domain but I'm not sure if it needs it to renew. It's just easier for me to be able to share the files).

While I have a firewall and my network seems to be reasonably secure, it's worthwhile having some security on the inside of your own network. In which case, I'm going to use SSH to share files and lock things down as much as humanly possible.

I'm going to assume you have ssh servers on all of your machines.

On the machine containing the files:

 apt-get install openssh-server  
Edit /etc/ssh/sshd_config:
Change the line starting:
 Subsystem sftp  
To:
 Subsystem sftp internal-sftp
If you need to debug sshfs later on, change this to:
 Subsystem sftp internal-sftp -l DEBUG1  
At the end of this file (It must be at the end), add something along the lines of the following:
 Match User cert  
   ChrootDirectory /etc/letsencrypt  
   ForceCommand internal-sftp  
   AllowTCPForwarding no  
   X11Forwarding no  
   PasswordAuthentication no  

WARNING: When using ChrootDirectory, that folder MUST be owned by root and not be group writable.
 
What this does is allow a user named "cert" to access our certificates only. The cert user cannot log in or do anything else except access the /etc/letsencrypt folder.

Add the cert user (at BASH):
 useradd cert -p '!' -s /bin/false  

Give the cert user permissions to the files it actually needs:
 chgrp cert /etc/letsencrypt/live /etc/letsencrypt/archive  
 chmod 750 /etc/letsencrypt/live /etc/letsencrypt/archive  
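sshd applies the warning above to every component of the ChrootDirectory path, not just the last one: each directory from / down must be owned by root and writable by nobody else, or the cert user's session is refused. The following check is an added example, not from the page; it runs against a real path, or against a constructed fake tree for offline testing:

```python
import errno
import os
import stat
import sys
from types import SimpleNamespace


def chroot_path_problems(chroot, stat_fn=os.stat):
    """Return the reasons sshd would refuse `chroot` as a ChrootDirectory.

    OpenSSH checks every component of the path, starting at /: each must be a
    directory, owned by root (uid 0), and not writable by group or others.
    An empty list means the path satisfies the rule. `stat_fn` defaults to
    os.stat so a fake can be substituted for offline testing.
    """
    full = os.path.abspath(chroot)
    prefixes = ["/"]
    for part in full.strip("/").split("/"):
        if part:
            prefixes.append(os.path.join(prefixes[-1], part))

    problems = []
    for prefix in prefixes:
        try:
            st = stat_fn(prefix)
        except OSError as exc:
            problems.append(f"{prefix}: cannot stat ({exc.strerror})")
            break  # nothing below a missing component can be checked
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{prefix}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{prefix}: owned by uid {st.st_uid}, must be root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{prefix}: group or world writable "
                            f"(mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


def fake_stat_fn(tree):
    """Build a stand-in for os.stat from {path: (uid, mode)} (constructed data)."""
    def fake_stat(path):
        if path not in tree:
            raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), path)
        uid, mode = tree[path]
        return SimpleNamespace(st_uid=uid, st_mode=stat.S_IFDIR | mode)
    return fake_stat


# Constructed trees: the correct layout, and the two mistakes the warning is about.
GOOD_TREE = {"/": (0, 0o755), "/etc": (0, 0o755), "/etc/letsencrypt": (0, 0o755)}
GROUP_WRITABLE = {"/": (0, 0o755), "/etc": (0, 0o755), "/etc/letsencrypt": (0, 0o775)}
NOT_ROOT_OWNED = {"/": (0, 0o755), "/etc": (0, 0o755), "/etc/letsencrypt": (1001, 0o755)}


if __name__ == "__main__":
    # With no argument, check the page's chroot on the real filesystem.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt"
    found = chroot_path_problems(target)
    print("\n".join(found) if found else f"{target}: OK for ChrootDirectory")
    sys.exit(1 if found else 0)
```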

On the machine that needs the files:

We're going to use a combination of sshfs and autofs just for robustness (read: we don't really want to have to worry too much about the order in which machines have to be booted in).

Install the needed software:
 apt-get install sshfs autofs  
Make a folder for autofs to control:
 mkdir /mnt/sshfs  
Edit /etc/auto.master and add the following line:
 /mnt/sshfs /etc/auto.sshfs uid=1000,gid=1000,--timeout=30,--ghost  
If only one user will be using the files from here, it's worthwhile setting the uid and gid to that user. I can get that information with:
 id dovecot  
Save and exit. Make the file /etc/auto.sshfs and put in the following:
 certs -fstype=fuse,ro,nodev,nonempty,noatime,max_read=65536 :sshfs\#cert@webserver1\:/  
I could change the 'ro' to 'rw' for readwrite access. I could also add "allow_other" which would give everyone on the system access to that mount.

The Database - MySQL

We want to use a database to store information about 3 things:
  • Domain(s) - we're setting things up to allow for scalability which means we should be able to easily add domains should we need to.
  • Mailboxes.
  • Aliases - virtual addresses that lead to mailboxes.
On the machine you're setting MySQL up on (this can be the same machine as anything else. It will create little branches throughout this tutorial), install the needed software:

 apt-get install mysql-server mysql-client 

We're going to rely on the command line to configure our database. The reasoning for this is that phpMyAdmin doesn't really abstract things away to become any more or less user friendly, but it does install a piece of web accessible software on your server that seems unnecessary.

If you don't know your mysql root password, you may need to reset it:

 sudo service mysql stop  
 sudo mysqld --skip-grant-tables &  
 mysql -u root mysql  
 UPDATE user SET Password=PASSWORD('YOURNEWPASSWORD') WHERE User='root';  
 exit;  
 sudo service mysql restart  

Log into mysql:
 mysql -u root -p  

Create and configure the user that Postfix and Dovecot will use to access the database:
 CREATE USER 'mailuser'@'127.0.0.1' IDENTIFIED BY 'DBPassword';  
 GRANT SELECT,INSERT,UPDATE,DELETE ON mailserver.* TO 'mailuser'@'127.0.0.1';  

Both Postfix and Dovecot need access to the database. If you're running MySQL on a different machine from postfix and dovecot, you need to change '127.0.0.1' to the IP address of the machine running Postfix or Dovecot. If Postfix and Dovecot are running on different machines from each other, you need to create separate accounts for each of those users. They can be the same user name. It's just the host portion that needs to be different.

To test that you're able to log in from the computer you're going to need to access the database from, install mysql-client and attempt to login via:

 mysql --host database.example.org -u mailuser -p  

Back to the database.... Make your database:
 CREATE DATABASE mailserver;  
 USE mailserver;

Our first table is going to contain information about the domain names we're providing email for. A domain name can be a maximum size of around 255 characters long.
 CREATE TABLE domains (  
   id    INT(11)       NOT NULL AUTO_INCREMENT,  
   name  VARCHAR(255)  NOT NULL,  
   PRIMARY KEY ( id )  
 );  

 INSERT INTO domains( id, name ) VALUES( 1, 'example.org' ); # test data

The next table is all about our mailboxes:
 CREATE TABLE mailboxes(  
   id         INT             NOT NULL AUTO_INCREMENT,  
   domain_id  INT             NOT NULL,  
   name       VARCHAR(65)     NOT NULL,  
   password   VARCHAR(128)    NOT NULL,  
   PRIMARY KEY( id ),  
   UNIQUE( name, domain_id ),  
   FOREIGN KEY(domain_id) REFERENCES domains(id)  
     ON DELETE CASCADE  
 );  

 INSERT INTO mailboxes( domain_id, name, password )
 VALUES( 1, 'test', 'b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86' );

For the password we're going to use SHA512, which should be available on most Linux systems. SHA512 hashes a password into 128 hexadecimal characters, i.e. the length doesn't need to be variable.

We don't need to store the email address because it's a concatenation of the mailbox name and the domain name. Given that the domain name is already stored in the domains table, and we've got a link to it via the foreign key, the address can be treated as a calculated field.

And finally, aliases...
 CREATE TABLE aliases(  
   id          INT           NOT NULL AUTO_INCREMENT,  
   domain_id   INT           NOT NULL,  
   source      VARCHAR(65)   NOT NULL,  
   destination VARCHAR(320)  NOT NULL,  
   PRIMARY KEY( id ),  
   FOREIGN KEY( domain_id ) REFERENCES domains( id ),  
   UNIQUE( domain_id, source, destination )
 );  

 INSERT INTO aliases( domain_id, source, destination )
 VALUES( 1, 'alias', 'otheraddress@testdomain.com' );

You'll notice that source and destination have completely different lengths. The full source address can be calculated from the source and the domain name, whereas the destination can potentially be an address at an entirely different domain.

Postfix

 apt-get install postfix postfix-mysql  

We're going to put our configuration in its own folder just because it's a touch cleaner. Then we need to create 3 files which tell Postfix how to access our database.

 mkdir /etc/postfix/config  

Make a file called /etc/postfix/config/domains.cf and populate it with the following:
 user = mailuser  
 password = DBPassword  
 hosts = 127.0.0.1  
 dbname = mailserver  
 query = SELECT 1 FROM domains WHERE name='%s'  

You can test the query in mysql (substituting %s for a domain name). If the domain exists, it returns 1 (true). Otherwise it returns an empty set (false).

Enable the configuration in Postfix:
 postconf virtual_mailbox_domains=mysql:/etc/postfix/config/domains.cf  

And finally, test this configuration setting:
 postmap -q example.org mysql:/etc/postfix/config/domains.cf  

Make a file called /etc/postfix/config/mailboxes.cf and populate it with the following:
 user = mailuser  
 password = DBPassword  
 hosts = 127.0.0.1  
 dbname = mailserver  
 query = SELECT 1 FROM mailboxes JOIN domains ON mailboxes.domain_id=domains.id WHERE CONCAT_WS('@',mailboxes.name,domains.name )='%s'  

What's happening here is that we're joining the domains table so that we can get the domain name to form the email address. The reason for doing this is that it leads to fewer errors, i.e. if I'm delivering emails for 'example.org' but accidentally put in 'example.com', with this configuration there's only one place I could have made that mistake (the domains table) and fixing it there fixes it for all mailboxes. Whereas if I store the entire email address in a single field in the mailboxes table, I can make that mistake in a bunch of different places.

Enable the configuration in Postfix:
 postconf virtual_mailbox_maps=mysql:/etc/postfix/config/mailboxes.cf  

And test it...
 postmap -q test@example.org mysql:/etc/postfix/config/mailboxes.cf  

And finally, create a file called /etc/postfix/config/aliases.cf and populate it with the following:
 user = mailuser  
 password = DBPassword  
 hosts = 127.0.0.1  
 dbname = mailserver  
 query = SELECT aliases.destination FROM aliases JOIN domains ON aliases.domain_id = domains.id WHERE CONCAT_WS('@',aliases.source,domains.name)='%s'

This query string is much like the last.

Enable the configuration:
 postconf virtual_alias_maps=mysql:/etc/postfix/config/aliases.cf  

And test it...
 postmap -q alias@example.org mysql:/etc/postfix/config/aliases.cf   

Set your permissions on the files:
 chgrp postfix /etc/postfix/config/*  
 chmod u=rw,g=r,o= /etc/postfix/config/*  
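To sanity-check the schema and the three map queries before Postfix is wired to them, here is an added example (not from the page) that loads the same tables into an in-memory SQLite database, reads the query out of each map file as written above, and walks through the domain, alias and mailbox decisions Postfix makes for a recipient. Postfix SQL-quotes the value it substitutes for %s; the example uses a bound parameter for the same effect, registers the MySQL-only CONCAT_WS as a function, and stores a constructed placeholder in the password column.

```python
import sqlite3

# Constructed copies of the three Postfix map files above (queries unchanged;
# the connection settings are only repeated in the first one to keep this short).
DOMAINS_CF = """\
user = mailuser
password = DBPassword
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM domains WHERE name='%s'
"""
MAILBOXES_CF = """\
query = SELECT 1 FROM mailboxes JOIN domains ON mailboxes.domain_id=domains.id WHERE CONCAT_WS('@',mailboxes.name,domains.name )='%s'
"""
ALIASES_CF = """\
query = SELECT aliases.destination FROM aliases JOIN domains ON aliases.domain_id = domains.id WHERE CONCAT_WS('@',aliases.source,domains.name)='%s'
"""

# SQLite rendering of the MySQL schema above, plus the page's test rows.
SCHEMA = """
CREATE TABLE domains (
  id   INTEGER PRIMARY KEY AUTOINCREMENT,
  name VARCHAR(255) NOT NULL
);
CREATE TABLE mailboxes (
  id        INTEGER PRIMARY KEY AUTOINCREMENT,
  domain_id INT NOT NULL,
  name      VARCHAR(65) NOT NULL,
  password  VARCHAR(128) NOT NULL,
  UNIQUE (name, domain_id),
  FOREIGN KEY (domain_id) REFERENCES domains(id) ON DELETE CASCADE
);
CREATE TABLE aliases (
  id          INTEGER PRIMARY KEY AUTOINCREMENT,
  domain_id   INT NOT NULL,
  source      VARCHAR(65) NOT NULL,
  destination VARCHAR(320) NOT NULL,
  FOREIGN KEY (domain_id) REFERENCES domains(id),
  UNIQUE (domain_id, source, destination)
);
INSERT INTO domains (id, name) VALUES (1, 'example.org');
INSERT INTO mailboxes (domain_id, name, password) VALUES (1, 'test', 'placeholder-hash');
INSERT INTO aliases (domain_id, source, destination) VALUES (1, 'alias', 'otheraddress@testdomain.com');
"""


def parse_cf(text):
    """Parse the 'key = value' lines of a Postfix mysql map file into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def open_mail_db():
    """In-memory SQLite database loaded with the schema and test rows."""
    conn = sqlite3.connect(":memory:")
    # MySQL has CONCAT_WS built in; SQLite needs it registered (NULLs are skipped).
    conn.create_function("CONCAT_WS", -1,
                         lambda sep, *parts: sep.join(p for p in parts if p is not None))
    conn.executescript(SCHEMA)
    return conn


def lookup(conn, cf_text, key):
    """Run a map file's query for one key, as 'postmap -q key' would.

    Postfix SQL-quotes what it substitutes for %s; the bound parameter here
    gives the same guarantee, so the key can never change the query itself.
    """
    query = parse_cf(cf_text)["query"].replace("'%s'", "?")
    return [row[0] for row in conn.execute(query, (key,))]


def route(conn, address):
    """Mimic the Postfix decision for a recipient using the three maps in order."""
    _, _, domain = address.rpartition("@")
    if not lookup(conn, DOMAINS_CF, domain):
        return "not-our-domain"      # virtual_mailbox_domains: empty set
    targets = lookup(conn, ALIASES_CF, address)
    if targets:
        return "alias:" + ",".join(targets)   # virtual_alias_maps rewrote it
    if lookup(conn, MAILBOXES_CF, address):
        return "mailbox"             # virtual_mailbox_maps found a real mailbox
    return "unknown-user"            # our domain, but nobody to deliver to


def walkthrough():
    """Route the test addresses, then rename the domain in its single place."""
    conn = open_mail_db()
    before = {a: route(conn, a) for a in ("test@example.org", "alias@example.org",
                                          "nobody@example.org", "test@example.com")}
    conn.execute("UPDATE domains SET name='example.net' WHERE id=1")
    after = {a: route(conn, a) for a in ("test@example.net", "test@example.org")}
    return before, after
```

Because the address is calculated from the domains table, the rename in walkthrough() moves every mailbox and alias to the new domain in one step, which is the point made above about keeping the domain name in one place.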

Enabling outgoing mail
1. Get postfix to use dovecot for authentication
At the command line run:
 postconf smtpd_sasl_type=dovecot  
 postconf smtpd_sasl_path=private/auth  
 postconf smtpd_sasl_auth_enable=yes  

2. Enable encryption
At the command line run:
 postconf smtpd_tls_security_level=may  
 postconf smtpd_tls_auth_only=yes  
 postconf smtpd_tls_cert_file=/etc/ssl/certs/mailserver.pem  
 postconf smtpd_tls_key_file=/etc/ssl/private/mailserver.pem  


If Postfix and Dovecot are going to run on the same machine:
Run:
 postconf virtual_transport=lmtp:unix:private/dovecot-lmtp  

If Postfix and Dovecot are going to run on different machines:
Run:
 postconf virtual_transport=lmtp:inet:dovecot.example.org  
Use the address of the dovecot machine here. No port is given, so Postfix uses the LMTP default of port 24, which is reserved for private mail use.

Dovecot

 apt-get install dovecot-mysql dovecot-imapd dovecot-managesieved dovecot-lmtpd  

Dovecot handles how we get our emails and is also going to be responsible for storing emails. The line above is missing POP3 support. If you need it, then do this:
 apt-get install dovecot-pop3d   

POP3 just isn't great with SpamAssassin. POP3 can't grab folders. Instead it just grabs emails from the inbox. Very simple. The problem with this is that you then can't put emails that have been marked as spam into their own folder. In a POP3 system, the user never gets these emails. In an IMAP world, email folders are stored on the server.

First things first: Set up a user (and group) for the dovecot service to run under:
 groupadd -g 5000 vmail  
 useradd -g vmail -u 5000 vmail -d /var/vmail -m  

Create a place to store emails in /var/vmail. For me, I'm going to be using the sshfs stuff because my file storage is on a different machine from where my mail server is being run. I'm not going to step you through how to do this as there's (hopefully) enough detail in the sshfs section to do this along with using 'mount -o bind' to get the folder accessible from the right place.

Set your permissions:
 chown -R vmail:vmail /var/vmail  

Dovecot, by default on Debian, stores its configuration files in:
/etc/dovecot/conf.d/
The files are processed in order so files starting with 99 are processed after files starting with 01. Most of the files are commented out and mostly contain examples so most of what we're doing here is appending to the relevant files.

10-auth.conf

Make sure that this line is uncommented.
 auth_mechanisms = plain  

If you're using Outlook Express on Windows XP or Windows Vista (though there's really no good reason you should be), that line needs to be:
 auth_mechanisms = plain login  

Plain may look dangerous, but by default dovecot does not accept plain-text passwords over an unencrypted connection, i.e. passwords are only accepted over TLS.

Uncomment (remove the '#') the following line.
 !include auth-sql.conf.ext  

Comment out all of the other '!include auth-' lines. They're well out of scope for this hastily thrown together tutorial.

auth-sql.conf.ext

Comment out the userdb section entirely and append the following to the bottom:
 userdb {  
  driver = static  
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n  
 }  

This tells dovecot to access mail as the user 'vmail', group 'vmail', and where to place our emails (/var/vmail/[domain_name]/[mailbox_name]).

10-mail.conf

Change the line that reads:
 mail_location = mbox:~/mail:INBOX=/var/mail/%u  

to:
 mail_location = maildir:/var/vmail/%d/%n/Maildir  

10-master.conf

This file deals with what services are available. We need to concern ourselves with 2 things here:
  • Allowing postfix to communicate with dovecot for authentication.
  • Allowing postfix to send emails to dovecot (lmtp)

If postfix and dovecot are running on the same machine: then look for the line that starts with:
 #unix_listener /var/spool/postfix/private/auth {  

Uncomment that line and change the whole stanza to look like the following:
 unix_listener /var/spool/postfix/private/auth {  
  mode = 0660  
  user = postfix  
  group = postfix  
 }  

Then find the lmtp service, which currently looks like:
 service lmtp {  
  unix_listener lmtp {  
   #mode = 0666  
  }  
 }  
Change the whole service block to:
 service lmtp {  
  unix_listener /var/spool/postfix/private/dovecot-lmtp {  
   group = postfix  
   mode = 0600  
   user = postfix  
  }  
 }  



If postfix and dovecot are running on different machines: 

Dovecot

Look for the stanza that starts with:
 service lmtp {  

and make the whole service block look like the following (the inet_listener replaces the unix_listener inside it):
 service lmtp {  
  inet_listener lmtp {  
   address = 192.168.0.24 127.0.0.1 ::1  
   port = 24  
  }  
 }  
The address is the IP address of the NIC to listen on. You may want to use a firewall on this machine to limit access further, i.e. restrict incoming traffic on port 24 to very specific machines (the one running postfix).

Look for the block that starts with:
 service auth {  

Within that block, add the following stanza:
 inet_listener {  
   port = 12345  
 }  

Choose a random port between 1024 and 65535.

Postfix

On the command line enter:
 postconf smtpd_sasl_path=inet:dovecot.example.org:12345  
 postconf smtpd_sasl_type=dovecot  

Where it reads "dovecot.example.org", change it to the address (ip or host name) of the machine running dovecot. Use the port number chosen above where it reads 12345.

10-ssl.conf

If you've got a certificate for your mail server domain name (mx.example.org) from Let's Encrypt, the certificates are probably somewhere along the lines of /etc/letsencrypt/live/mx.example.org. The 2 files we care about are cert.pem and privkey.pem.

Look for the line that starts with:
 ssl =   
And make sure it says:
 ssl = yes  

Look for the lines that say:
 #ssl_cert = </etc/dovecot/dovecot.pem  
 #ssl_key = </etc/dovecot/private/dovecot.pem  

Uncomment them and change them to read:
 ssl_cert = </etc/letsencrypt/live/mx.example.org/cert.pem  
 ssl_key = </etc/letsencrypt/live/mx.example.org/privkey.pem  

15-mailboxes.conf

We need to configure a couple of folders to exist by default. Look for the section that says:
 mailbox Drafts {  
  special_use = \Drafts  
 }  
 mailbox Junk {  
  special_use = \Junk  
 }  
 mailbox Trash {  
  special_use = \Trash  
 }  

For each of those stanzas, add auto = subscribe. It should now look like this:
 mailbox Drafts {  
  auto = subscribe
  special_use = \Drafts  
 }  
 mailbox Junk {  
  auto = subscribe
  special_use = \Junk  
 }  
 mailbox Trash {  
  auto = subscribe
  special_use = \Trash  
 }  

This makes it so that your users can't remove these folders. They're all special use folders and users generally expect them to exist anyway.

/etc/dovecot/dovecot-sql.conf.ext

And finally, we need to tell Dovecot how to talk to our database. At the bottom of dovecot-sql.conf.ext, add the following:
 driver = mysql
 connect = host=127.0.0.1 dbname=mailserver user=mailuser password=DBPassword
 default_pass_scheme = SHA512-CRYPT
 password_query = SELECT mailboxes.name AS username, domains.name AS domain, CONCAT_WS('@', mailboxes.name, domains.name) AS user, mailboxes.password FROM mailboxes JOIN domains ON mailboxes.domain_id = domains.id WHERE mailboxes.name='%n' AND domains.name='%d'

Change the host to the IP address of the machine running the database server and the password to the one you set for the mailuser database user. If MySQL runs on the same machine, host=/var/run/mysqld/mysqld.sock (the Debian and Ubuntu socket path) avoids TCP altogether; if it runs elsewhere, remember that the query and the password hashes travel over that connection, so keep it on a private network or enable TLS for it (Dovecot's MySQL driver accepts ssl_ca=, ssl_cert= and ssl_key= options in the connect string).

A few things to note about the query. %n and %d are the local part and the domain of the login name, so alice@example.org is looked up as name alice in domain example.org and can't log in to a same-named mailbox in another domain. Dovecot escapes these variables before substituting them, which is what keeps the query safe against a login name containing quotes. The CONCAT_WS column is aliased as user so that Dovecot returns the full address as the username rather than an unnamed extra field. default_pass_scheme = SHA512-CRYPT means the password column must hold crypt(3) hashes of the $6$... form; generate them with doveadm pw -s SHA512-CRYPT rather than storing anything in plaintext. The mailuser database account only needs SELECT on these tables; don't grant it more.

Make sure the permissions on dovecot-sql.conf.ext don't let other users on the machine read your MySQL credentials (if you later run Dovecot's auth service as an unprivileged user, give that user read access instead of opening the file up to everyone):

 chown root:root /etc/dovecot/dovecot-sql.conf.ext  
 chmod go= /etc/dovecot/dovecot-sql.conf.ext  

20-lmtp.conf

We want to enable the sieve plugin for mail delivered over LMTP. Sieve lets us apply rules to email on the server (filtering into folders, vacation replies and the like). On Debian and Ubuntu the plugin comes from the dovecot-sieve package, so make sure that is installed. In /etc/dovecot/conf.d/20-lmtp.conf, inside the protocol lmtp block, change the line that reads:
 #mail_plugins = $mail_plugins
To:
 mail_plugins = $mail_plugins sieve

Running the new configuration:

Before restarting, run doveconf -n; it prints the non-default settings and fails with a parse error and a line number if something in the files above is wrong. Then, on the command line, run:
 service dovecot restart

Check that it worked: doveadm auth test someone@example.org exercises the SQL lookup and password check without needing a mail client, and openssl s_client -connect mx.example.org:993 -servername mx.example.org should show the full certificate chain and end with Verify return code: 0 (ok).
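As an added example (not code from the original post, and not Dovecot's own code), here is a stand-alone Python model of what the password_query above does, so you can see the lookup and the password check work before pointing Dovecot at a real database. It builds the mailboxes and domains tables in an in-memory SQLite database (the column types and the sample accounts are constructed for the example; the tutorial's real schema isn't shown in this section), splits a login into Dovecot's %n and %d, runs the same JOIN, and verifies the password. One deliberate substitution: the tutorial's default_pass_scheme is SHA512-CRYPT, but Python's standard library no longer ships crypt(3) on every platform, so these rows carry an explicit {SSHA512} prefix instead. Dovecot accepts a {SCHEME} prefix on a stored value and it overrides default_pass_scheme for that row; SSHA512 is base64(sha512(password + salt) + salt).

```python
import base64
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for this example only, not real accounts.
SAMPLE_DOMAINS = [(1, "example.org"), (2, "example.net")]
SAMPLE_USERS = [
    # (mailbox local part, domain_id, plaintext used here only to build the hash)
    ("alice", 1, "correct horse battery staple"),
    ("bob", 1, "hunter2"),
    ("alice", 2, "a different alice"),
]

SCHEME = "{SSHA512}"


def make_ssha512(password, salt=None):
    """Hash a password the way Dovecot's SSHA512 scheme does:
    base64(sha512(password + salt) + salt), prefixed with the scheme name
    so that the row overrides default_pass_scheme."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(password, stored):
    """Check a password against a {SSHA512} value from the database.
    The salt is whatever follows the 64-byte digest; compare in constant time."""
    if not stored.startswith(SCHEME):
        return False  # some other scheme; this example only knows SSHA512
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:64], raw[64:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def split_login(login):
    """Dovecot's %n is the part before '@', %d the part after (empty if none)."""
    name, _, domain = login.partition("@")
    return name, domain


def build_db():
    """Assumed schema, consistent with the JOIN in the tutorial's password_query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE)")
    conn.execute("""CREATE TABLE mailboxes (
        id INTEGER PRIMARY KEY,
        domain_id INTEGER NOT NULL REFERENCES domains(id),
        name TEXT NOT NULL,
        password TEXT NOT NULL,
        UNIQUE (domain_id, name))""")
    conn.executemany("INSERT INTO domains (id, name) VALUES (?, ?)", SAMPLE_DOMAINS)
    conn.executemany("INSERT INTO mailboxes (name, domain_id, password) VALUES (?, ?, ?)",
                     [(n, d, make_ssha512(p)) for n, d, p in SAMPLE_USERS])
    return conn


# Same query as the tutorial's password_query; SQLite uses || where MySQL has CONCAT_WS.
PASSWORD_QUERY = """
SELECT mailboxes.name AS username, domains.name AS domain,
       mailboxes.name || '@' || domains.name AS user, mailboxes.password AS password
FROM mailboxes JOIN domains ON mailboxes.domain_id = domains.id
WHERE mailboxes.name = ? AND domains.name = ?"""


def password_query(conn, login):
    """The lookup Dovecot performs with %n and %d substituted. Dovecot escapes
    those variables itself; here a parameterised query does the same job."""
    conn.row_factory = sqlite3.Row
    row = conn.execute(PASSWORD_QUERY, split_login(login)).fetchone()
    return dict(row) if row else None


def authenticate(conn, login, password):
    """True only if the (name, domain) pair exists and the password matches."""
    row = password_query(conn, login)
    if row is None:
        return False  # unknown user, wrong domain, or no domain at all: nothing to check
    return verify_ssha512(password, row["password"])


if __name__ == "__main__":
    db = build_db()
    for login, pw in [("alice@example.org", "correct horse battery staple"),
                      ("alice@example.net", "correct horse battery staple"),
                      ("alice", "correct horse battery staple")]:
        print(f"{login:20} -> {'accepted' if authenticate(db, login, pw) else 'rejected'}")
```

Note that a login without a domain gets an empty %d and therefore no row: that is the tutorial query's behaviour too, and it is why a virtual-user setup like this expects clients to log in with the full address.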

Monday, September 12, 2016

The Interconnectivity of All Things and Why We Should be Worried About Rape Culture

New Zealand has a serious problem with rape culture. It's in our politics. It's in our sports. One could even go as far as to say that it's our national identity.

Just last year our prime minister, John Key, was found to have harassed a waitress by pulling her ponytail. He did this over a series of months but after the news broke, it was referred to jovially as "Ponytailgate". It was relegated to the realms of playfulness. This is rape culture. We are saying that the use of power over a woman is just "boys being boys".

Rape culture is a culture that enables, and sometimes even encourages, rape.

This year, we have a rugby team called "The Chiefs" who have been found to have acted in an abhorrent manner. For one of their celebrations, they hired a stripper. When the stripper spoke out about her treatment, which included being touched between the legs "very forcefully", having gravel and alcohol thrown at her and having to kick one of the players to make him stop (because "no" apparently wasn't enough), things went insane.

The sponsors stood with the team. The corporate services executive of Gallagher Group, Margaret Comer, who is also a trustee for the Waikato Women's Refuge, blatantly blamed the stripper. She appears to have suffered no consequences. Neither from Gallagher Group nor Women's Refuge. i.e. the sponsors unashamedly enabled the behavior.

The internal investigation, conducted by NZ Rugby, the governing body of rugby in NZ (and owner of the Chiefs), said "allegations from witnesses could not be substantiated" and so players were issued a caution but no further actions were taken. It wasn't the players who were actually there that were issued a caution. The whole team was.

Does everyone remember the "Roast Busters" a few years back? It was a case that saw a bunch of teenage boys raping, often in groups, and posting photos of said rape on the Internet. When the story broke, the police had said they were aware of the group and had them under investigation. They also stated that no one had complained about the group. It was later revealed that there had been multiple complaints made though the police had, as in this case, decided to take no further action.

Our minister of women, on this matter, as on the matter involving our very own PM harassing a woman over several months, had absolutely no comment on any of this.

The stripper lost 2 jobs.

This is where I think things got really weird. A campaign was started by the Human Rights Commission titled "Love Rugby. Respect Women". The campaign was supported by a whole lot of women's rights advocates and it eventually led to The Chiefs accepting help in attempting to improve their culture toward women.

Where do we start to untangle this mess? Hint: It is all a culture that enables rape.

But it doesn't stop there. NZ Rugby are a commercial entity. Every time someone buys a ticket to a game, NZ Rugby benefits.

Every time we refer to rugby as being a major part of our national identity or "like a religion" (as was on the "Love Rugby. Respect Women" campaign), we have tied our national identity to NZ Rugby.

We have put rugby above the rights of 50% of our population.

And this is why I find "Love Rugby. Respect Women."  weird. It perpetuates the problem by focusing on a game first. Our very own Human Rights Commission didn't say Respect People and then worry about a game. It said Love a Game. Worry about the humans and their rights second.

And yet, none of this is all that surprising. Last year a prominent rugby player won NZer of the year. His ability to play a game was deemed a greater contribution to NZ than a woman, Louise Nicholas, who the Prime Minister acknowledged as having "....done more for sexual violence and sexual abuse than any other New Zealander." at the award ceremony. Outrage on social media was met with "but he does other things too" or "he deserves it!"

We made, and continue to make, a statement about our values; it seems our values are that we would rather preserve our rape culture than acknowledge our own part in supporting it.

Thursday, March 31, 2016

Why the Microsoft Linux Convergence Could Be Bad News

The web was abuzz with news about MS telling everyone that Bash is going to be a thing in Windows. Not a VM, but rather, a part of Windows.

The way I see it, it's not cause for celebration, but rather, cautious optimism.

Remember when MS Office included support for OpenOffice formats? Now MS Office could open OpenOffice formats! Except that it could only do so with certain provisions. They didn't follow the specifications of the format and instead broke it. Intentionally. So either OpenOffice had to include support for MS Office's broken implementation of it, or try to control people's perception of it.

MS are completely capable of looking supportive and playing ball while also blindsiding the other players to their advantage.

My main concern though is those people who tell you that they can administer both Windows and Linux. Working in the two operating systems is like speaking different languages. When I think of solving problems, I think in terms of Linux and I then usually end up having to translate back into Windows if I'm working on Windows. Ditto for Mac OSX. Linux first, translate. More often than not it works well for Mac OSX. With Windows I often find myself swearing.

So what happens to people when they appear to be using a Linux type shell? Do they understand that there's a difference between thinking in Linux and thinking in Windows? There's a real issue with EVERYONE doing things badly.

A Windows person then goes and tells everyone that they can do Linux! but is limited by what they can do in Windows (what's a link, and what's the difference between a symbolic link and a hard link?).

A Linux person thinks something is happening in Windows because of commands they use in Linux and then discovers that either the OS doesn't support what they're trying to do at all or does it in a completely different way.

It's not that hard to imagine. It's more likely that Bash on Windows will be like Bash on BSD and Bash on Solaris - they're the same thing but they're not the same thing i.e. there are differences on each of the OSes and those differences make the way you solve problems different.

Whether that means Linux people suddenly think they're experts in Windows and Windows people suddenly think they're experts in Linux remains to be seen.

Thursday, February 18, 2016

New Zealander of the Year and Other Issues of Sexism and Privilege

This morning had me waking up on the wrong side of the bed. I rolled over, opened up my laptop to see what was going on on social media and immediately erupted in a fury of "What the fuck is going on?!?".

Richie McCaw was named New Zealander of the Year.

If you're not sure who Richie McCaw is, it's not entirely surprising. Richie McCaw is a rugby player. He also does some charitable works, but if you Google his name, you'll see only references to rugby.

Not sure what rugby is? That's not entirely surprising either. Rugby is a game whose importance is over-inflated in only very few countries. New Zealand would be the largest country where rugby is THE primary major sport. So it's little wonder then that New Zealand has also always excelled at the sport. What is a mystery though is why the "All Blacks" have failed to win so many World Cups.

Anyway. So Richie McCaw is it. He's what we should all aspire to. That's one hell of a value statement that is amazingly dismissive of just about EVERYTHING else. The two other finalists, an environmentalist and a victim's rights advocate... Yep, Richie McCaw's ability to play a game is somehow more important.

The Victim's Rights Advocate - Louise Nicholas - primarily works within the field of rape victims. So we're saying that Richie McCaw's ability to play a game and some charitable works is somehow of more value than someone who works hard, not at being good at a game, but rather, giving people a voice within a part of society that we are still, excuse the language, shit at. i.e. rape culture.

This reeks of white male privilege to me. My saying so ended up with one guy unfriending me on Facebook, and my arguing with another about whether it was "just" privilege or white male privilege.

I maintain that it can be called white male privilege (I tend to replace the word "male" with "penis" - mainly to be offensive and because it points out the ridiculousness of arguments of gender) because it would take someone of that much privilege to make such a value statement. i.e. that someone who "works" full time at a game and does a bit of charity on the side is of more value than people who dedicate their lives to helping people.

As well as Louise Nicholas as a potential winner, there's Helen Kelly. Helen Kelly is currently dying of cancer (there's a whole other story in there about medical marijuana) and dedicated her life to improving the working conditions of others. In my personal life I know some extraordinary people. People who have dedicated their lives to education, whether facilitating it or pushing it. And in all seriousness, I would've liked a winner whose positive contributions to society were from a place of intelligence. The war being waged on intelligence is terrible!

My mood didn't improve as the next thing that I read is that TVNZ (a local TV broadcaster) are starting another channel! Aimed at males, with sports and shows like Two and a Half Men. The channel is being called "Duke". As far as I'm concerned, they might as well have just called it "White Penis".

Equity and intelligence took a hit today as value statements were made dismissing those things. We should be striving to make things better. Instead, it feels like we're moving toward a future of casual misogyny, as if Mad Men is an inspiration rather than a look into a flawed past.

Monday, January 18, 2016

Define Entertainment

When I first started this blog, it was because I needed somewhere to vent. The media is the worst!

I've changed my view. It's not the media that's the worst. It's the people who excuse the media for their idiotic stunts.

In 2010, Paul Henry, a morning show host resigned after allegations of racism (there had been various other problems with him). Wikipedia has this to say on the matter:
Henry's resignation polarised the New Zealand public, with supporters claiming he was a victim of political correctness, and critics accusing him of pandering to the lowest common denominator.
Remembering that "political correctness" roughly translates to "opportunity to not be a dick". Paul Henry then went to Australia, offended some people there (by stating that Asylum Seekers should 'starve to death') before coming back to NZ. He then ended up back in NZ TV.

At the time there was some outrage. BUT there were also plenty of fans happy to have him back on TV. Apparently "he's just funny" counteracts any social responsibility he has not to push bigoted views to the NZ public in his rather privileged position.

In 2009, the long-running Australian show "Hey, Hey, It's Saturday" did a whole blackface skit that the guest, Harry Connick Jr., was horrendously offended by. The rationale for the skit? "It's not meant to be racist". That was 2009, people. Are Australians really that clueless about racism?

Fast forward to today. Radio stations, notably "The Edge" here in New Zealand, continually publish "articles" that seem designed to condescend or normalize idiocy. Such articles include things like "Does that celeb who did an interview last night look sick to you?" probably looking to ride the coat tails of the recent celebrity deaths (Lemmy, David Bowie and Alan Rickman).

And in saying all of that, comedy has, for a very long time, been an avenue to creating conversations about awkward things. So sometimes it needs to offend.

The question is, what is entertainment? I don't think a reinforcement of society's worst traits should be excused with a "light entertainment" tag. It's not okay to be racist and/or sexist and then say "just joking" so why is it excused in the media?

There's also an odd sense of a normalizing of stupidity. I guess this has been going on for a long time and is often referred to as "pandering to the lowest common denominator"; although I think this tends to miss something too. It can be hoped that bigotry is not a common denominator. Stupidity also fits this category. Humour in the form of watching people getting hurt (Funniest Home Video type shows), for example, puts my teeth on edge. It's not entertaining. It's gruelling. I've seen other people cringe when they've watched it. Basically, the "common denominator" reasoning needs to be taken out back and shot in the head.

Which then makes it a reflection on ourselves, i.e. we consume this so this is what is provided, OR this is what the media thinks of us, i.e. "Hahah! Blackface!", in which case we should be demanding better.