Let’s do Postfix slowly and properly – Part 6: Relay authenticating with SASL

I have explored the default setting of Postfix to allow local machines to send without authenticating, simply based on them being on the local network (permit_mynetworks). Even if I am not always on my own local network I could make this work by installing a webmail client on the same server (or in the same docker network). Even if we are accessing the client over the internet, the client is on a local machine and part of the local network, seen from the perspective of Postfix. Therefore permit_mynetworks would give the OK and allow it to send without any further restrictions. But then there are smartphones and getting notified whenever I have mail rather than having to check manually. So I need a way to authenticate as a legitimate user who should be allowed to send when I’m not on the local network of the server. One way to do this is by piggybacking on the MDA’s authentication. In other words: If I am already authenticating with the IMAP server, why not use that to also authenticate me with Postfix for sending? This link between the two reminds me of what I said in the first post in this series: That the division into MTA and MDA probably wasn’t engineered as much as just arrived at by stops and starts.

In this post I will create such a setup with Dovecot playing the part of the MDA. Dovecot will offer up an authentication service on the machine. When I ask Postfix to send something, Postfix will approach this service and ask if I should be allowed to send. And Dovecot will say yes or no, depending on whether or not I have previously properly authenticated with it.


Powerline secrets

You know that XKCD comic where the protagonist googles a tech question and the only matching result is from a long dead thread or even forum that details the issue but provides no answers? I am wondering if other people sometimes happen on the subcategory of that where the thread originator instead of being DenverCoder9 is… yourself. Instead of “closeness to another soul”, it just engenders a slight disappointment. Right, I’ve been here before, trying the same thing and given up.

Trying to customize my powerline setup raised a number of questions that I could not find answers to in the official documentation, including the question of whether root’s bash prompt could be coloured anything other than fire engine red. Luckily I found answers to all of these this time round.


StackExchange Answers: Shells

Sometimes a Stack Overflow answer is so good that it helps me understand something I had kind of given up on. The distinctions of login and interactive shells are a good example. Some resources had pointed me to the INVOCATION section of the bash man page. Here’s the explanation of what login and interactive shells are:

A login shell is one whose first character of argument zero is a -, or one started with the --login option.
An interactive shell is one started without non-option arguments and without the -c option whose standard input and error are both connected to terminals (as determined by isatty(3)), or one started with the -i option. PS1 is set and $- includes i if bash is interactive, allowing a shell script or a startup file to test this state.

I’m sure it’s correct and proper. From the perspective of someone trying to understand when .bashrc is invoked, it’s also absurdly unhelpful. Askubuntu user terdon to the rescue.

They just provide examples of each of the four combinations (and two binary tests that will tell you if the shell you’re in is login/interactive or not) but from those examples, the defining characteristics become so much clearer. A shell is a login shell if I changed user when entering it, be that by using su, ssh or logging in on a tty. An interactive shell is basically anything with a prompt and a non-interactive one is running something scripted. The combinations are then as follows:

| Examples | Interactive shell | Non-interactive shell |
|---|---|---|
| Login shell | TTY, su -, ssh | Piping commands into ssh |
| Non-login shell | A terminal emulator, starting a shell within a login shell | Scripts |

I’m not summarizing to replace the answer, just to check that I understand. terdon’s examples do a much better job of explaining it – go have a read.

How to force Steam UI doubling on linux

In 2018 Steam on linux got the ability to autodetect HiDPI screens and resize the UI accordingly. I would guess this kicks in on 4k resolutions. I’m guessing because I don’t have one. What I do have is a laptop with a 14″ 2560×1440 screen and failing eyesight. Alas, neither one triggers the UI resize. Here’s how to consistently force the UI resizing instead of relying on Steam’s autoconfiguration.


Proxy-set-header: Forwarding HTTP headers from Nginx to a WordPress container

I detailed in a recent post how I got a working WordPress container setup, complete with database and PHP engine. I saved the bit about how to redirect traffic to the container (and apply encryption to the outbound connections) because I knew it was going to be just as much work as getting the setup running. Also I needed to first get up to speed on HTTP headers in general and how to inspect them specifically.

This post is not a how-to any more than it’s a how-not-to. I wanted to detail as much the attempts that did not work as the final one that did because the former were just as illuminating as the latter.


My life as an IP hobo and the promise of Dynamic DNS

When your servers don’t respond / who you gonna call? Well, maybe not call but look. And I’m talking about my server residing on my HTPC not yours. And it’s a rhetorical question anyway because I know where to look once I get home. At one of the many what-is-my-ip address sites because the problem inevitably boils down to my ISP having changed my IP address.

This may elicit “duh”s from people whose IP addresses change every lunch break but mine used to be stable for months if not years on end. So I never bothered with my ISP’s 2€/month offer of a permanent IP address. Recently though, they changed their practices and now I rarely get into a new pair of underpants before the address has changed. Read into that what you will. Oh, also the offer is 4€/month now. Coincidence? /conspiracy