Let’s do Dovecot slowly and properly – Part 3: LMTP

So far I have had a pretty clear division of labour between Postfix and Dovecot. Postfix accepts mail from other MTAs and puts it into my maildir. Dovecot accepts my client’s inquiries and hands it the mail it finds in the same maildir. I muddied the waters a bit when I started asking Dovecot to serve as authenticator for SMTP, but those waters are about to get a fair bit murkier. Postfix will now relinquish the job of actually delivering the mail to maildirs and instead hand it over to a Dovecot service.

Why? Postfix has done a fine job of it so far, has it not? Yes, but Postfix is not a very sophisticated mailman. It shoves my mail in the mailbox/maildir that I tell it to based on virtual_mailbox_base and virtual_mailbox_maps but that’s all it can do. If I want to set up filtering rules or other intelligent processing of mail delivery, I am going to need to insert another step, namely using the Local Mail Transfer Protocol or LMTP for short. In essence, LMTP is the protocol that allows Postfix and Dovecot to actually talk to one another, rather than one just leaving messages for the other on the kitchen counter. Insert your own old-married-couple joke here.


Let’s do Postfix slowly and properly – Part 6: Relay authenticating with SASL

I have explored the default setting of Postfix to allow local machines to send without authenticating, simply based on them being on the local network (permit_mynetworks). Even if I am not always on my own local network I could make this work by installing a webmail client on the same server (or in the same Docker network). Even if we are accessing the client over the internet, the client is on a local machine and part of the local network, seen from the perspective of Postfix. Therefore permit_mynetworks would give the OK and allow it to send without any further restrictions. But then there are smartphones and getting notified whenever I have mail rather than having to check manually. So I need a way to authenticate as a legitimate user who should be allowed to send when I’m not on the local network of the server. One way to do this is by piggybacking on the MDA’s authentication. In other words: if I am already authenticating with the IMAP server, why not use that to also authenticate me with Postfix for sending? This link between the two reminds me of what I said in the first post in this series: that the division into MTA and MDA probably wasn’t engineered as much as just arrived at by stops and starts.

In this post I will create such a setup with Dovecot playing the part of the MDA. Dovecot will offer up an authentication service on the machine. When I ask Postfix to send something, Postfix will approach this service and ask if I should be allowed to send. And Dovecot will say yes or no, depending on whether or not I have previously properly authenticated with it.


Proxy-set-header: Forwarding HTTP headers from Nginx to a WordPress container

I detailed in a recent post how I got a working WordPress container setup, complete with database and PHP engine. I saved the bit about how to redirect traffic to the container (and apply encryption to the outbound connections) because I knew it was going to be just as much work as getting the setup running. Also I needed to first get up to speed on HTTP headers in general and how to inspect them specifically.

This post is not a how-to any more than it’s a how-not-to. I wanted to detail as much the attempts that did not work as the final one that did because the former were just as illuminating as the latter.


My life as an IP hobo and the promise of Dynamic DNS

When your servers don’t respond / who you gonna call? Well, maybe not call but look. And I’m talking about my server residing on my HTPC, not yours. And it’s a rhetorical question anyway because I know where to look once I get home: at one of the many what-is-my-IP-address sites, because the problem inevitably boils down to my ISP having changed my IP address.

This may elicit “duh”s from people whose IP addresses change every lunch break, but mine used to be stable for months if not years on end. So I never bothered with my ISP’s 2€/month offer of a permanent IP address. Recently though, they changed their practices and now I rarely get into a new pair of underpants before the address has changed. Read into that what you will. Oh, also the offer is 4€/month now. Coincidence? /conspiracy


Moving site: Using MySQL to search-and-replace WordPress domain name

It seems that the recommended way to change the references to the domain name in MySQL on a WordPress install is to take the whole thing offline and do it by using text tools on a database dump. Either that or change the settings in WordPress while the site is still live on the old domain.

It was too late for the latter and I could not be bothered to do the former – partly because I had just gone through the whole MySQL dump routine, partly because the site I wanted to move was only one among a number of sites contained in the dump. While the web server was all set up to use the new domain name, WordPress persisted in redirecting me to the old.

So I looked at the recent database dump and figured out what tables and fields to target so that I could replace the domain name on a live install.


WordPress on Docker: The 1-2-3 approach

There’s an official WordPress Docker image on the hub, which means I have no good excuse to go make my own. Here’s my bad excuse: the official approach contains Apache and WordPress files all mashed up in one image. This feels icky to me, partly because I don’t know Apache, having decided early on to hitch my wagon to Nginx, partly because it feels un-containerly to have everything in one big pot.

I cannot argue the merits and demerits of the official image with regard to performance, scalability, or security. What I saw was an opportunity to solve the problem in a way that felt more correct to me – 1 network, 2 volumes, 3 containers – that would also work as a learning experience. Here’s how I did it.


Let’s do Dovecot slowly and properly: Part 2 – Proper authentication

In part 1 we set up the very most basic Dovecot install we could get away with. In this part we will try to redeem it a bit by improving the security of the authentication mechanism and the storage of passwords on the server. In other words, we will make it much harder to snoop on our communications with the IMAP server and decrease the overall likelihood of somebody learning our password, including anybody with access – legitimate or otherwise – to our server.
