Storix - Story of Anthony Johnson
Thursday, October 8. 2015
Epilogue
This story is so unbelievable that I have to share it with all of you. It has Hollywood material in it: it's a story about a hard-working man who succeeds and then gets dealt bad cards. As a final good deed he shares his fortune with people he trusts. Then there is the surprising twist in the plot and he bounces back. The real surprise is when the ungrateful people don't want him back. That results in a bitter fight in court. But as in all Hollywood flicks, there is a happy ending.
All this started years ago, but my version starts two days ago when I received an e-mail. I found it in my spam folder and at first glance it looked like some kind of 419 scam. Something in the style of the text struck me as a scam, so I was just about to file a report on it to SpamCop, and then I saw the subject of the mail. It had the word Storix in it. The mail was sent to one of my ancient addresses, which I had used with Storix. A random bulk spam wouldn't be about Storix; backups aren't that lucrative when compared to the regular spam topics: women, money or medicine.
The e-mail
This is the entire e-mail as I received it:
Subject: Notice of Copyright Infringement by Storix, Inc.
Date: Tue, 6 Oct 2015 16:15:31 -0700
Dear Sir or Madam,
This letter is to inform you that you may be in possession of unauthorized and infringing copies of Storix System Backup Administrator (SBAdmin). I am the author of the software, which is protected by US Copyright Registration No. TXu000988741, and expert testimony in the US Southern California District Court case No. 14-cv-1873 H (BLM) has indisputably determined that I am the owner, have never transferred, nor received any consideration for its license by Storix.
I hold none of Storix' customers or business partners accountable, and you may continue using the current software, even if you received an infringing license after it was revoked. However, I must demand that you cease any further payment to Storix in relation to this software and refrain from downloading any further copies.
I founded Storix, Inc. in 2003 to sell and support the software I had already been marketing since 1999. In 2011 I was diagnosed with terminal cancer and gifted 60% of the company shares to long term employees before taking my medical leave. Those shareholders then elected themselves as directors and officers of the corporation:
David Huffman, President and CEO
Richard Turner, Director of Software Development
Manuel Altamirano, Director of Sales and Marketing
David Kinney, Director of Software Support
No new programmers were hired, and the software has now seen little change in over 4 years. After an unlikely recovery, I returned to the company full time in 2013 to continue development of the software, working alone for 9 months on major enhancements to address known security vulnerabilities and increase the network security. After requesting that others assist in the final development and testing, I was harassed by my former employees until I left in May, 2014.
After exhausting every effort to negotiate, the board was notified that I would assert my rights to the software if not given a position of control over its development. Instead, they chose to challenge my copyright. Using my remaining 40% stock, I took control of 2 board seats, but not before a 5th seat was added and occupied by David Smilkjovich, the new CEO and personal friend of Mr. Huffman. Every effort since to save the company, its employees and customers from the damages of this litigation has failed in a 3/2 vote.
As Storix has been well aware since my departure, I continued development of the software, believing we would eventually work out our differences. I made no effort to disparage or compete with Storix in any way. Yet, as a decision in the copyright case grew near, they filed new action against me for unfair competition and breach of duty as a company director (San Diego County Superior Court No. 37-2017-00028262-CU-BT-CTL). After I warned them in advance of this very notice, they requested, and were denied, a motion for temporary restraining order (San Diego US District Court No. 14-cv-1873 H (BLM)).
Although a plaintiff in the copyright case, I'm also a 40% shareholder and a director of the company, and am obligated to do everything possible to put an end to this nonsense before the company is lost. I would have preferred the customers and employees remain unaware of this needless battle, but the actions taken by these individuals to protect their majority positions have resulted in the company becoming unprofitable for the first time in its history. They will accept no personal responsibility or compromise, and are now turning to a new employee stock incentive program to cover their losses. This nonsense cannot continue.
The security enhancements to the software have been completed, along with much more. Unfortunately, far too much damage has been done to me personally and financially to allow these greedy individuals to profit from my work any longer. Many of you I had worked with personally for many years, so it pains me to inform you that support for Storix SBAdmin will very likely end when a ruling is made on the copyright case at the end of the month.
Whatever the eventual outcome, I sincerely hope to rebuild your trust as well as the thriving company and innovative product I once had.
Best Regards,
Anthony Johnson
Author and Owner of Storix Backup Administrator
Former President/CEO, Storix Inc.
Show me the proof!
Ok, this is all sad and cool at the same time, but how do we know that all this is legit? I don't have any solid proof, but here is what I have:
- My own records indicate that I used Storix from 2004 to 2009, when I did DLT backups. Then the company got greedy and the licence price went out of my reach. At that point I stopped doing tape backups and went for Bacula and USB drives: the software is free and USB drives are a very inexpensive way to store backups.
- The e-mail in question may very well have been sent to me because I have a customer account at Storix, Inc.
- In the e-mail Mr. Johnson asks you to do pretty much nothing: he doesn't want your money, he just says not to pay any more to a software company that doesn't own the copyright to his work, and he doesn't ask you to pay him for it either. Asking for nothing is not a typical request in spam.
- Motive: What would be the alternate motivation or hidden agenda for doing this? Throwing mud at his own company? Slinging mud at some people he doesn't like (anymore)? I guess the classic ones, money and power, have something to do with this. Depleting Storix, Inc.'s main source of turnover is the primary motive.
- The mail originated from Google. Yes, there is some Google spam, but Google can in no way be considered a major source of junk.
- Google got the mail from a Comcast user located in Miami, Florida. Again, there is no typical source for a hijacked computer; it can be anywhere, even Florida. However, it would be a very unlikely scenario for malware to hijack a random Comcast user's Google credentials in order to send misinformation.
- There is a man on LinkedIn named Anthony Johnson who claims to be the author of Storix.
- There is a man on LinkedIn named David Huffman who claims to be the CEO of Storix, Inc. He is registered as the president of the business entity C2494479 in California.
- There is a legal case 3:14-cv-01873-H-BLM in California Southern District Court, it is Johnson v. Storix, Inc.:
- Lawsuitdata.com
- RFCExpress.com
- I don't know which, if any, of the documents contain the judge's ruling.
- If we assume that the judge ruled as the e-mail explains, it would be obvious not to pay for a product to somebody who doesn't own it. It would be fraud for anybody other than the legal owner to ask for your money.
When all of this is combined, there are two possible scenarios left: either this is the weirdest scam I've seen, or it is all true. My take here is: after looking, searching and using my own judgement, I believe the above story of a complete stranger. I sympathize with all that happened to him. I also believe that people shouldn't be thrown out of their own companies; that's just wrong.
Pitch in with a comment, if you have some knowledge of this. I'll be waiting for the movie.
Update 9th Oct 2015:
Naturally, I replied to the mail. I sent him the link to this article and told him that he has my support.
This is what he wrote back: "Wow, quite an endorsement, and no, it's definitely not a scam. Thanks!"
Official PHP-packages from Parallels
Friday, April 24. 2015
Last year I spent a couple of days tinkering with PHP packages that would work on my Parallels Plesk Panel box. To my surprise, my box failed to auto-upgrade itself. The reason was:
Exception: Failed to solve dependencies:
plesk-php54-mysqlnd-5.4.31-1.el6.x86_64 requires plesk-php54-pdo = 5.4.31-1.el6
plesk-php55-mysqlnd-5.5.6-1.el6.x86_64 requires plesk-php55-pdo = 5.5.6-1.el6
I was dumbfounded, as the proper packages were already installed.
A closer inspection revealed that the packages from my own repository weren't acceptable for installation. There were package dependencies that required packages with exactly the same name, but from somebody else's repository.
Here are some links:
- http://autoinstall.plesk.com/PHP_5.4.40/dist-rpm-CentOS-6-x86_64/packages/
- http://autoinstall.plesk.com/PHP_5.5.24/dist-rpm-CentOS-6-x86_64/packages/
- http://autoinstall.plesk.com/PHP_5.6.8/dist-rpm-CentOS-6-x86_64/packages/
If you need to install a new version, do something like this:
yum install --enablerepo PHP_5_6_8-dist plesk-php56-cli
The information for those came from the file /etc/yum.repos.d/autoinstaller-sources.repo.
My only conclusion is that the Parallels guys took my source RPMs and created their own. Thanks for ripping me off!
Ok, this is open source. I put my stuff out there willingly, knowing that somebody will eventually use it. The sensible thing to do is to give appropriate credit, though. That, the big greedy corporation didn't do.
Goodbye Maxthon
Thursday, February 19. 2015
I have a policy of running a lot of different browsers on my computers. The idea is to gain experience of what works and what won't. When doing web development, any run-of-the-mill developer gets tunnel vision and starts spewing out the classic "it works for me!"-style answers when there are issues with a site.
So, I'm fighting hard to defeat that by using a lot of different browsers. One of my tools has been Maxthon browser. It isn't anymore. Goodbye Maxthon!
I was reading an article about "Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections" and went to https://filippo.io/Badfish/ to check my browser. Amazingly it showed YES:
Whaat!
If I download the https://badfish.filippo.io/yes.png directly, then there is a proper notification about the problem:
... but seeing the picture embedded nicely in a website means that the browser doesn't bother checking the certificate while rendering a page. Anybody can display anything on a web page and I get no indication that the security has been dropped. Not good.
There is no other way, than to uninstall. I absolutely won't recommend using anything that insecure!
SSH connection fails
Thursday, January 8. 2015
One day I was SSHing into my Arch Linux box, but it didn't succeed. The thing didn't even attempt authentication. It said:
Key exchange failed.
No compatible cipher. The server supports these ciphers: AES-128-CTR,AES-192-CTR,AES-256-CTR,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
That was surprising. It did work earlier. Ok, Arch is one of those bleeding-edge distros. It uses the newest of the new stuff. My client is SecureCRT and it has been serving me well for years, actually for over a decade. I had to confirm the connectivity with Cygwin's OpenSSH client. It worked just fine. The connection opens, no grievance from there. So, something must be wrong with my SecureCRT settings. This is what the cipher list looked like in Session Options -> Connection -> SSH2 -> Advanced:
Darn! It didn't have the newest big guns enabled. I must have run too many upgrades on it. Apparently the upgrade doesn't enable them in my settings. I manually changed it into:
... which made the connection succeed.
I checked the server version number and it was OpenSSH_6.7p1. The sshd_config manual says:
Ciphers
The default is:
aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com,
chacha20-poly1305@openssh.com
Also I found OpenSSH 6.7 release notes saying:
Changes since OpenSSH 6.6
=========================
Potentially-incompatible changes
* sshd(8): The default set of ciphers and MACs has been altered to
remove unsafe algorithms. In particular, CBC ciphers and arcfour*
are disabled by default.
So the defaults did change in that upgrade. I checked Fedora 20 defaults and they are:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-gcm@openssh.com,aes256-gcm@openssh.com,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour
That explains the change!
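The negotiation rule behind that error, as an added example (not code from the post, SecureCRT or OpenSSH): per RFC 4253 section 7.1 the cipher is the first entry of the client's list that the server also offers. The two server lists are the ones quoted above; the client lists are constructed stand-ins for the SecureCRT profile before and after ticking the CTR ciphers.

```python
"""SSH cipher negotiation as in RFC 4253 section 7.1: the chosen cipher is
the first entry of the client's list that the server also offers.  Added
example reproducing the failure in the post; the two server lists are the
ones quoted there, the client lists are constructed."""

# Server defaults quoted in the post (OpenSSH 6.7 and Fedora 20's build).
OPENSSH_67_DEFAULT = [
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
]
FEDORA_20_DEFAULT = [
    "aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc",
    "aes256-cbc", "arcfour",
]
# Constructed stand-in for an old client profile that only has legacy
# ciphers ticked (the post's SecureCRT screenshot is not reproduced).
LEGACY_CLIENT = ["aes256-cbc", "aes128-cbc", "3des-cbc", "arcfour"]
# Same profile after ticking the CTR ciphers, as the post describes.
UPDATED_CLIENT = ["aes256-ctr", "aes128-ctr"] + LEGACY_CLIENT


def negotiate(client, server):
    """First client-preferred name that the server also lists, else None.
    Names are compared exactly: on the wire they are lowercase, even though
    the client's error dialog prints some of them in capitals."""
    offered = set(server)
    for name in client:
        if name in offered:
            return name
    return None


def describe(client, server):
    """Render the outcome the way the post's client reported it."""
    chosen = negotiate(client, server)
    if chosen is None:
        return ("Key exchange failed. No compatible cipher. "
                "The server supports these ciphers: " + ",".join(server))
    return "negotiated " + chosen


def dropped_algorithms(old_default, new_default):
    """Names present in the old default list but gone from the new one,
    in the old list's order: the 'unsafe algorithms' 6.7 removed."""
    kept = set(new_default)
    return [name for name in old_default if name not in kept]
```

Running `describe(LEGACY_CLIENT, OPENSSH_67_DEFAULT)` reproduces the failure, and `dropped_algorithms(FEDORA_20_DEFAULT, OPENSSH_67_DEFAULT)` lists exactly the CBC and arcfour entries the release notes mention.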
Parallels Plesk Panel updated PHP versions 5.4.32, 5.5.16 and 5.6.0
Sunday, September 21. 2014
I updated all Parallels Plesk Panel PHP versions to the latest. Included in my yum repo there is a PHP 5.6.0 version with fully working PHP-FPM.
If something doesn't work in PHP 5.6, please drop me a comment.
Plesk Panel: Upgrading to version 12
Monday, July 28. 2014
All the nerds like me (especially me!) love new versions of software.
Backup
I got new toys for my Parallels Plesk Panel box and went for the automated upgrade. I attempted to do the mandatory full backup first:
/usr/local/psa/bin/pleskbackup server \
--output-file=/Backups/pre-12.0.18.backup.tar -v -v
... just to make sure that I have something to roll back to if it hits the fan. But it kept failing on me. Any domains having PostgreSQL databases failed to back up properly. I got log entries like:
Failed to execute backup database
Failed to pack files backup_hqcs_blog_1407141359 in /dumps/domains/hqcodeshop.fi/databases/hqcs_blog [ 115057410048 bytes free of 158532106240 bytes total on mount point 0]
Totally puzzling. Didn't make any sense at all! Looking at the detailed XML log of the backup revealed the following:
<?xml version="1.0" encoding="UTF-8"?>
<object name="server" type="server">
<object name="hqcodeshop.fi" type="domain" uuid="domain#hqcodeshop.fi">
<object name="hqcs_blog" type="postgresql">
<message id="e6d718ef-5b52-49af-8c4f-4473393b30bd" severity="error" code="msgtext">
<description>Failed to execute backup database</description>
</message>
<message id="d5e6cfd1-fa94-45d4-89b6-a47a0627134a" severity="warning" code="msgtext">
<description>sh: AB12: command not found
sh: AB12: command not found
sh: AB12: command not found
sh: AB12: command not found
sh: AB12: command not found
sh: AB12: command not found
</description>
</message>
</object>
</object>
</object>
What command was not found!? After a few puzzling moments I realized it: that is the end of my panel admin's password! In its original form the password was [lot of characters here]>AB12. Somebody at Parallels goofed! What happens if your password has special characters? What if some of those characters have a special meaning in your command shell? Not very solid backup code, huh!
The next thing was to change the password to one not containing any of these characters: £$<>()&;"'`. They have a special meaning on the *nix command line. I always use randomly generated passwords and during my quests I regularly bump into systems that do not sanitize user input properly. I find that the ones from the number keys with shift are especially nasty. During a registration process it is very easy to input a proper random password, but the system botches something and won't let me log in, or does something nasty like Parallels Plesk did.
Unfortunately changing the admin password didn't make the backup succeed! Apparently the PostgreSQL password is stored somewhere else. I did do a:
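The mechanism behind the "AB12: command not found" lines, as an added example (not Plesk's code): a helper that splices the password into a shell command string lets the shell interpret the metacharacters, and the fixes are to keep the shell out of it, or to quote, or to pass the secret through the environment. The passwords are constructed and `printf` stands in for pg_dump.

```python
"""Why a password ending in ">AB12" broke the backup: a helper that builds
a command line by string interpolation and hands it to a shell lets the
shell interpret the metacharacters.  Added example, not Plesk's code;
`printf` stands in for pg_dump so it runs anywhere with a POSIX sh."""
import os
import shlex
import subprocess
import tempfile

# Constructed passwords containing two of the characters the post lists.
PW_REDIRECT = "x7Qm9>AB12"   # '>' turns into an output redirection
PW_SEPARATOR = "x7Qm9;AB12"  # ';' ends the command; "AB12" then runs as a command


def _run(argv, workdir, env=None):
    """Run argv in workdir; return (stdout, stderr, files left in workdir)."""
    res = subprocess.run(argv, cwd=workdir, env=env, capture_output=True, text=True)
    return res.stdout, res.stderr, sorted(os.listdir(workdir))


def unsafe_dump(password):
    """The bug: interpolate the secret into a shell command string.
    With ">AB12" the dump output lands in a file called AB12; with ";AB12"
    the shell tries to run AB12 as a command, as in the post's log."""
    with tempfile.TemporaryDirectory() as workdir:
        cmdline = "printf '%s\\n' pg_dump -U admin " + password
        return _run(["sh", "-c", cmdline], workdir)


def safe_dump_argv(password):
    """Fix 1: no shell at all; every word is its own argv element."""
    with tempfile.TemporaryDirectory() as workdir:
        return _run(["printf", "%s\n", "pg_dump", "-U", "admin", password], workdir)


def safe_dump_quoted(password):
    """Fix 2: if a shell string is unavoidable, quote every word."""
    with tempfile.TemporaryDirectory() as workdir:
        words = ["printf", "%s\n", "pg_dump", "-U", "admin", password]
        cmdline = " ".join(shlex.quote(w) for w in words)
        return _run(["sh", "-c", cmdline], workdir)


def safe_dump_env(password):
    """Fix 3: pass the secret in the environment (pg_dump reads PGPASSWORD).
    A quoted "$PGPASSWORD" expansion is never re-parsed by the shell, and
    the password also stays out of the process list."""
    env = dict(os.environ, PGPASSWORD=password)
    with tempfile.TemporaryDirectory() as workdir:
        cmdline = r'''printf '%s\n' pg_dump -U admin "$PGPASSWORD"'''
        return _run(["sh", "-c", cmdline], workdir, env=env)
```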
/usr/local/psa/bin/admin --show-password
... to confirm that the system knows what the new password is. The thing is that the PostgreSQL password needs to be changed manually. I found the knowledge base article about that, KB 120262 - How to update password for PostgreSQL admin user in Plesk? Running:
# plesk bin database-server --update-server localhost:5432 \
-type postgresql \
-passwd `/usr/local/psa/bin/admin --show-password`
SUCCESS: Server localhost:5432 is successfully updated.
... did solve it. Then I managed to get backups.
Upgrade
There were no issues during upgrade. The web-upgrader took a while and then it said everything was done. There really was nothing special about this part.
During my checks I found a really good knowledge base article about system settings. This is something that Parallels didn't have for previous versions. This is really good stuff: Parallels Plesk Panel for Linux services logs and configuration files. I kept going back to that one a lot.
Testing
When the new version was running, I naturally wanted to see that all my services were running properly. Things I found to be broken were POP3 and IMAP SSL-certificates. Also the Presence Builder didn't upgrade properly.
The funny thing about Courier IMAP/POP3 was that the upgrade reset my certificate settings back to something really stupid. I went to /etc/courier-imap/ to check imapd-ssl and pop3d-ssl. I changed both of them to contain:
TLS_PROTOCOL=TLS1
That was done to reflect the setting I have in my /etc/postfix/main.cf:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
My policy is that if you're running something that does not support TLSv1, v1.1 or v1.2, then you should use somebody else's services. It simply is insane to rely on SSL!
The Web Presence Builder said this on startup:
File: /usr/local/sb/include/Base/ORM/Object.php; Line: 249
Message: Undefined property "controlPanelLink" in object "SB_ORM_TokenAccess".; Code: 0
Luckily, that issue is covered by knowledge base article KB 119875: Cannot open a site in Web Presence Builder: "Undefined property "controlPanelLink" in object "SB_ORM_TokenAccess". A simple SQL-command:
ALTER TABLE `token_access` ADD `control_panel_link` VARCHAR( 255 ) NULL DEFAULT '' AFTER `skin_code`;
fixed it.
Life after the upgrade
My system has been running as usual. There haven't been any complaints from the users, nor have I encountered anything else that didn't work.
Firefox untrusted certificate fail
Wednesday, July 2. 2014
Something changed in Firefox 30. Once in a while everybody runs into an untrusted certificate while browsing. There is a support article "This Connection is Untrusted" error message appears - What to do at Mozilla's support site. The idea is to click I Understand the Risks and proceed to the site.
Now the latest version chose not to display the button:
If the HTTPS connection failed outright, it wouldn't display the option anyway, as there is no possibility to continue to the site. Here is an example:
But since this is not that case, the button should be there. Something changed, since it was there before. Googling gave me an about:config variable of browser.xul.error_pages.expert_bad_cert:
It had been set to false for some reason. When the setting is true, the error screen changes:
Now there is an option to proceed. But here too they failed: adding an exception won't work:
Storing the option permanently or not has no effect. It still won't proceed.
Perhaps they'll fix this into Firefox 31.
Setting Cyberfox as the default browser
Thursday, June 19. 2014
Making the choice of a default browser in Windows 7 should be an easy task, right? If you are a fan of the 64-bit Firefox browser like I am, then you should consider Cyberfox. The problem is that ever since Cyberfox stopped using Firefox user profiles, it fails to set itself as the default browser.
Every single time you start your beloved Cyberfox, it will do something like this:
No matter what you try, it will do the same thing every single time. Crap!
The good thing is that this particular issue is a common one. It has been discussed in [Error] Problems Setting As Default Browser and [Solved] Cyberfox 28.0.1 Not the Default Browser bug, which contains enough information to solve the problem. The information is in the cracks of the discussion thread, but I managed to scavenge enough to fix my browser.
Start the fix by setting something else as the default browser:
Confirm, that Cyberfox should be the default browser, but it just doesn't work:
I'm setting IE as the default browser for the time being. Later I'll switch back to Cyberfox, but the fix requires you to switch to something else first:
Next, go to Cyberfox and go to Options, Advanced, General settings and un-check the Always check to see if Cyberfox is the default browser on startup. Later you need to be able to start Cyberfox without the check:
Download (or copy/paste) a small registry file defaults-64.reg. The entire file will be 7 lines (2 blank ones):
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\CYBERFOX.EXE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\CYBERFOX.EXE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\FIREFOX.EXE]
When you have the file on your disk, start File Explorer and right-click the file:
Select Merge. It should say something like this (The keys and values successfully added to the registry):
Next thing is to start Cyberfox with administrator permissions. This is very important. If you attempt the fix with regular user permissions, you will fail and need to start over. Example:
Go to Options, Advanced, General settings again:
This time click the Make Cyberfox the default browser (you can check Always check to see if Cyberfox is the default browser on startup, if you want to). This time the button will disappear:
If the button disappears, it means that you succeeded! Cyberfox is the default browser for your Windows and it won't complain about it on startup.
All this trouble pays off. Now your super efficient and well-optimized browser works even better!
The obligatory shame-on-you prize goes out to Mozilla for scrapping their 64-bit Windows browser project. Even Google Chrome is heading towards 64-bit on Windows. Anyway, the 64-bitness is a weird subject; on Linux or Mac OS X 64-bit browsers have existed for a very long time. What's with Windows having only 32-bit versions?
Parallels Plesk Panel updated PHP versions 5.4.28 and 5.5.12
Tuesday, May 13. 2014
The latest PHP versions are available for CentOS Plesk Panel admins. If you are using my YUM-repo as suggested, the update should be a painless one.
I managed to get the FPM running for PHP 5.4; for PHP 5.5 it is still pending. Example:
# service php-fpm54 status
php-fpm (pid 4318) is running...
Please note, that the FPM is still work-in-progress and it may contain bugs.
The latest PHP FPM has a fix for CVE-2014-0185. It is not a really dangerous one; it just takes care of the 0666 permissions on the FastCGI Unix socket. It can be considered a security flaw if any local user can execute code via the FastCGI interface. Most web servers don't have many local users, but this flaw can be combined with other security issues to get more gain out of it.
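A small audit of php-fpm pool files for the condition CVE-2014-0185 is about, as an added example (not PHP's or this repo's code): a Unix-socket listener whose mode is left at the old 0666 default, or whose owner and group are not pinned to the web server's account. Both pool texts are constructed.

```python
"""Audit php-fpm pool definitions for the world-accessible socket that
CVE-2014-0185 is about (listen.mode defaulting to 0666).  Added example,
not PHP's or the post's code; both pool texts are constructed."""
import configparser

# Constructed: the pre-fix situation, a Unix socket with no mode/owner set.
WEAK_POOL = """
[www]
listen = /var/run/php-fpm54.sock
user = apache
group = apache
"""

# Constructed: socket restricted to the web server's account.
HARDENED_POOL = """
[www]
listen = /var/run/php-fpm54.sock
user = apache
group = apache
listen.owner = apache
listen.group = apache
listen.mode = 0660
"""

PRE_FIX_DEFAULT_MODE = "0666"  # what unpatched FPM used when listen.mode was absent


def audit_pool(text, default_mode=PRE_FIX_DEFAULT_MODE):
    """Return a list of findings, one string per problem; [] means clean.
    default_mode is what FPM applies when listen.mode is not set; pass
    "0660" to audit against a patched build."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        listen = sec.get("listen", "")
        if not listen.startswith("/"):
            continue  # TCP listener: file permissions do not apply
        mode = sec.get("listen.mode", default_mode)
        if int(mode, 8) & 0o006:
            findings.append(
                f"{name}: {listen} is reachable by every local user (listen.mode={mode})")
        if "listen.owner" not in sec or "listen.group" not in sec:
            findings.append(
                f"{name}: listen.owner/listen.group not set; pin them to the web server's account")
    return findings
```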
Fixing Postfix: Make mail exit your Linux-box
Monday, April 7. 2014
We server guys are becoming a rare breed. Any server-related task can be outsourced to some free-of-charge cloud service provider. One very good example of that is e-mail: nobody runs their own mail server nowadays. Companies are using external services and every regular Joe and Jane went for Gmail years ago. However, once in a while something funny happens and people want an NSA-free e-mail account.
The fact is that every Linux installation has a mail server installed and running. The purpose of the mail server is to deliver local in-server mail to the user(s); depending on your Internet connection it may also be possible to send outgoing mail to the wild wild Net. Most ISPs block this due to excessive spamming from consumers' computers.
Setting up a receiving Postfix MTA is outside of this blog post, but my idea is to present you configuration help to:
- Configure Postfix to tunnel outgoing e-mail via your ISP's SMTP
- (optional) Redirect root's e-mail to an external mailbox
- (optional) Increase mail transport security by using TLS encryption for e-mail
So ... here goes.
Configure Postfix to tunnel outgoing e-mail via your ISP's SMTP
To fight spam most (all reasonable) ISPs have blocked outgoing TCP/25 traffic. This very effectively prevents your computer from injecting new e-mails into receiving servers. Because of this, for example, Google instructs users to use TCP ports 465 or 587 instead; see their setup instructions.
For a mail server (like your Postfix), that is not a solution. Your box must be able to deliver e-mail to any server's TCP/25. All ISPs I've ever seen provide a shared SMTP server for their customers. The idea is to route all your external e-mail to that server, and it will relay the e-mail to the final destination. Remember that as a spam prevention measure, the amount of mail you can send via the ISP's SMTP is limited. For example, my ISP has a 50 e-mails per hour policy. It simply refuses to serve any excess requests based on the IP address of the sender.
The subject of routing outgoing e-mail is covered (among many others) in this article with title Configuring postfix to forward all email to a smtp gateway. All you have to do is add:
transport_maps = hash:/etc/postfix/transport
into your Postfix's main.cf. Typically there is a transport-file, but it does not contain your ISP's configuration in it.
Example:
My ISP TeliaSonera Finland has an SMTP server running at mail.inet.fi. Initially I had the following line in my transport file:
* smtp:mail.inet.fi
But it didn't work! Looking into the source code, src/trivial-rewrite/resolve.c, reveals that Postfix keeps resolving the address via its MX record. The correct one will be:
* smtp:195.156.147.15
This setting will skip any resolving of the given address and use the given IP-address as-is.
Test the setup by sending e-mail to one of your own external addresses. It can be achieved by running something like this:
date | mail -s "Testing outgoing mail" test@user.at.somewhere
Confirm the functionality from Postfix's log, it should read something like this:
postfix/pickup[12869]: D13F8209AF: uid=0 from=<user>
postfix/cleanup[13427]: D13F8209AF: message-id=<20140407161546.D13F8209AF@my.linux.box>
postfix/qmgr[2185]: D13F8209AF: from=<user@my.linux.box>, size=482, nrcpt=1 (queue active)
postfix/smtp[13429]: D13F8209AF: to=<test@user.at.somewhere>, relay=195.156.147.15[195.156.147.15]:25, delay=0.35, delays=0.06/0.01/0.04/0.24, dsn=2.0.0, status=sent (250 <529734CF0ADA3B46> Mail accepted)
postfix/qmgr[2185]: D13F8209AF: removed
It clearly says "Mail accepted" and Postfix's queue manager eventually removes the outgoing mail from the outgoing queue. Remember to confirm that the mail landed in the external mailbox.
Redirect root's e-mail to an external mailbox
A good starting point is to look at /etc/aliases. For example openSUSE has this in it:
# It is probably best to not work as user root and redirect all
# email to "root" to the address of a HUMAN who deals with this
# system's problems. Then you don't have to check for important
# email too often on the root account.
So, I put this into my aliases:
root: test@user.at.somewhere
There is a catch ... Having that in /etc/aliases won't work for your system's internal e-mails. Now that your box is not a receiving mail server, all of your mail is internal. You can confirm the non-functionality by:
date | mail -s "Testing outgoing root mail" root
Your maillog will read something like in the previous example. Mail will be routed to your ISP's SMTP, but the problem is that the e-mail address is wrong. It will read root@your.server.name; your ISP does not have a clue what to do with such a mail, and it will bounce back. Now that your server cannot receive mail, the bounce will be dropped and is lost.
There is a fix for that. The two articles Rewriting to address on postfix local aliases and Postfix masquerading or changing outgoing SMTP email or mail address contain clues on how to do it. I added the following line into my main.cf:
smtp_generic_maps = hash:/etc/postfix/generic
The /etc/postfix/generic will read:
root@your.server.name test@user.at.somewhere
Postmap the transport-file, reload the postfix service and test again. Now Postfix will rewrite the outgoing e-mail properly as planned. The rewrite cannot be confirmed from the maillog; it will display the original root@your.server.name in there. However, on the receiving end the e-mail address will be correct.
Increase mail transport security by using TLS encryption for e-mail
The last item on my checklist is to start encrypting the mail. Note that this is pointless if your ISP does not support encryption. If it does and your Postfix is not configured to use encryption, you will get a lot of "warning: no entropy for TLS key generation: disabling TLS support" in your maillog.
As a prerequisite, you will need an SSL certificate. Any certificate will do, even a crappy self-signed one. I'd never recommend using self-signed certificates, but if you're lazy and don't want to get a free one from the net, go for the path of least resistance. This is what I have in main.cf:
# SSL/TLS
# SMTP (sending)
smtp_tls_security_level = may
smtp_tls_key_file = /etc/ssl/private/the.certificate.key
smtp_tls_cert_file = /etc/ssl/certs/the.certificate.cer
smtp_tls_CApath = /etc/ssl/certs
To confirm that TLS is being used, look at the headers of a received e-mail; they will look like this:
Received: from mail.inet.fi ([2001:15d8:172::]) by
mx.google.com with ESMTPS id 1si12730620lam.174.2014.04.07.09.57.37 for
<test@user.at.somewhere> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
bits=128/128); Mon, 07 Apr 2014 09:57:37 -0700 (PDT)
Received: from your.server.name ([172.16.141.138])
(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256
bits)) (No client certificate requested) by mail.inet.fi (Postfix) with
ESMTPS id E75004355F for <test@user.at.somewhere>; Mon, 7 Apr 2014 19:57:35
+0300 (EEST)
Notice how both servers specify the TLS cipher used. In this case Google's server uses only 128-bit encryption.
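A check over the Received: headers quoted above, as an added example (not code from the post or from Postfix): it extracts each hop's TLS version, cipher and key size and flags hops that fall short. The first two hops are the headers shown above; the third, plaintext hop is constructed. Note the ADH cipher on the hop into mail.inet.fi: that hop was encrypted, but the relay was never authenticated, which is what smtp_tls_security_level = may permits.

```python
"""Per-hop TLS check over Received: headers, as an added example (not
Postfix's or the post's code).  The first two hops are the headers shown
in the post; the third, plaintext hop is constructed to show the failure case."""
import re

RECEIVED = [
    # ISP relay -> Google (from the post)
    "from mail.inet.fi ([2001:15d8:172::]) by\n"
    "mx.google.com with ESMTPS id 1si12730620lam.174.2014.04.07.09.57.37 for\n"
    "<test@user.at.somewhere> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256\n"
    "bits=128/128); Mon, 07 Apr 2014 09:57:37 -0700 (PDT)",
    # your box -> ISP relay (from the post)
    "from your.server.name ([172.16.141.138])\n"
    "(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256\n"
    "bits)) (No client certificate requested) by mail.inet.fi (Postfix) with\n"
    "ESMTPS id E75004355F for <test@user.at.somewhere>; Mon, 7 Apr 2014 19:57:35\n"
    "+0300 (EEST)",
    # local pickup, no TLS at all (constructed)
    "from localhost (localhost [127.0.0.1]) by your.server.name (Postfix)\n"
    "with ESMTP id CONSTRUCTED01; Mon, 7 Apr 2014 19:57:34 +0300 (EEST)",
]

HOP_RE = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)", re.S)
# Covers Google's "(version=TLSv1.2 cipher=X bits=128/128)" and Postfix's
# "(using TLSv1.2 with cipher X (256/256 bits))" spellings.
TLS_RE = re.compile(
    r"(?:version=|using\s+)(?P<ver>TLSv1(?:\.\d)?|SSLv\d)\s+(?:with\s+)?"
    r"cipher[ =](?P<cipher>[A-Z0-9-]+).*?(?:bits=|\()(?P<bits>\d+)/",
    re.S,
)
# Anonymous key exchange: the link is encrypted, but the relay's identity
# was never checked, which is what Postfix's "may" level permits.
ANON_PREFIXES = ("ADH-", "AECDH-")


def parse_hop(header):
    """Extract source, destination and TLS parameters from one Received: header."""
    hop = HOP_RE.search(header)
    tls = TLS_RE.search(header)
    info = {
        "src": hop.group("src") if hop else None,
        "dst": hop.group("dst") if hop else None,
        "encrypted": tls is not None,
        "version": None, "cipher": None, "bits": 0, "authenticated": False,
    }
    if tls:
        info["version"] = tls.group("ver")
        info["cipher"] = tls.group("cipher")
        info["bits"] = int(tls.group("bits"))
        info["authenticated"] = not info["cipher"].startswith(ANON_PREFIXES)
    return info


def check_hops(headers, min_bits=128):
    """Parse every hop and mark "ok" only where the policy holds: TLS 1.x,
    a cipher suite that authenticated the peer, and at least min_bits."""
    results = []
    for header in headers:
        info = parse_hop(header)
        info["ok"] = bool(
            info["encrypted"]
            and info["version"].startswith("TLSv1")
            and info["authenticated"]
            and info["bits"] >= min_bits
        )
        results.append(info)
    return results
```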
Note:
You don't need to enable tlsmgr in master.cf for any of this to work. I've seen incorrect instructions about that. To repeat: for sending TLS-encrypted e-mail, having tlsmgr is not necessary.
EPIC4 maildir patch
Sunday, March 30. 2014
I'm on IRC 24/7. For "idling" on my favorite channel I have used EPIC4 for a very long time. A couple of decades, in fact. The project is in bad shape. Anything IRC-related is. For the record: I'll be the last dinosaur to punch the clock for the last time and turn off the lights when I notice that I'm idling there alone. It won't happen for another couple of decades, though.
Based on the epicsol.org website, there is actually nobody to contact about EPIC4 bugs: no mailing list anymore (the last one died in 2009), nor any contact e-mail or form. So, there literally is nobody I could notify about anything. Writing about it on my own blog is pretty much all I can do for the project.
Back to business... My Linux box is a mail host and whenever something new arrives, it is really nice to get notified about it while doing absolutely nothing on the channel. However, when I stopped using mbox for storing the mail on my box, my favorite IRC client stopped doing the notifying. It didn't have the code for the more effective Maildir format. It does now.
My stuff is at http://opensource.hqcodeshop.com/EPIC/4/
It contains 64-bit RPM for Fedora 20 and the .src.rpm if you want to do the build by yourself. Note that my version is the latest EPIC4 2.10.4, not the Fedora-boxed 2.10.2.
To start using the Maildir-mode, say:
set mail_type maildir
in your .ircrc-file. The thing relies on the $MAIL environment variable to know where your mail is stored.
Update 31st March 2014:
I actually got hold of Mr. Jeremy Nelson, the author of EPIC4 and EPIC5. He took my patch and said that it will be released in 2.10.5. We had a brief conversation on the #epic channel and he also said that he is about to publish the EPIC5 project on GitHub.
My patch (epic4-2.10.1-maildir.patch) is as follows:
diff -aur epic4-2.10.1/include/config.h epic4-2.10.1.JT/include/config.h
--- epic4-2.10.1/include/config.h 2006-06-18 20:33:51.000000000 +0300
+++ epic4-2.10.1.JT/include/config.h 2012-08-30 13:22:20.319515332 +0300
@@ -412,7 +412,7 @@
#define DEFAULT_LOGFILE "irc.log"
#define DEFAULT_MAIL 2
#define DEFAULT_MAIL_INTERVAL 60
-/ #define DEFAULT_MAIL_TYPE "mbox" /
+#define DEFAULT_MAIL_TYPE "mbox"
#define DEFAULT_MAX_RECONNECTS 4
#define DEFAULT_METRIC_TIME 0
#define DEFAULT_MODE_STRIPPER 0
diff -aur epic4-2.10.1/include/vars.h epic4-2.10.1.JT/include/vars.h
--- epic4-2.10.1/include/vars.h 2006-06-18 20:33:51.000000000 +0300
+++ epic4-2.10.1.JT/include/vars.h 2012-08-30 13:24:19.719723226 +0300
@@ -93,7 +93,7 @@
LOG_REWRITE_VAR,
MAIL_VAR,
MAIL_INTERVAL_VAR,
- / MAIL_TYPE_VAR, /
+ MAIL_TYPE_VAR,
MANGLE_INBOUND_VAR,
MANGLE_LOGFILES_VAR,
MANGLE_OUTBOUND_VAR,
diff -aur epic4-2.10.1/source/mail.c epic4-2.10.1.JT/source/mail.c
--- epic4-2.10.1/source/mail.c 2006-06-18 20:33:51.000000000 +0300
+++ epic4-2.10.1.JT/source/mail.c 2012-08-30 15:25:05.568641118 +0300
@@ -353,7 +353,7 @@
return 0;
}
- maildir_path = malloc_strdup(tmp_maildir_path);
+ maildir_path = malloc_strdup(maildir);
maildir_last_changed = -1;
return 1;
}
@@ -375,13 +375,29 @@
{
int count = 0;
DIR dir;
+ Filename tmp_maildir_path;
+ struct dirent* dir_data;
- if ((dir = opendir(maildir_path)))
+ strlcpy(tmp_maildir_path, maildir_path, sizeof(Filename));
+ strlcat(tmp_maildir_path, "/new", sizeof(Filename));
+ if ((dir = opendir(tmp_maildir_path)))
{
- while (readdir(dir) != NULL)
- count++;
+ while ((dir_data = readdir(dir)) != NULL) {
+ if (dir_data->d_name[0] != '.')
+ count++;
+ }
+ closedir(dir);
+ }
+
+ strlcpy(tmp_maildir_path, maildir_path, sizeof(Filename));
+ strlcat(tmp_maildir_path, "/cur", sizeof(Filename));
+ if ((dir = opendir(tmp_maildir_path)))
+ {
+ while ((dir_data = readdir(dir)) != NULL) {
+ if (dir_data->d_name[0] != '.')
+ count++;
+ }
closedir(dir);
- count -= 2; / Don't count . or .. /
}
return count;
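Review bot: the two strlcpy/strlcat sequences that build tmp_maildir_path never check for truncation; if maildir_path is within four bytes of sizeof(Filename), strlcat silently drops part or all of the "/new" or "/cur" suffix and opendir is then called on a truncated path, so the count is quietly wrong instead of failing loudly. Compare the strlcat return value against sizeof(Filename) and treat >= as a failure (return 0). Note also that counting cur/ alongside new/ means the returned total includes messages that have already been read, so whatever reports this number as "new mail" will overstate it.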
@@ -398,6 +414,7 @@
{
Stat sb;
Stat stat_buf;
+ Filename tmp_maildir_path;
if (ptr)
stat_buf = (Stat )ptr;
@@ -408,8 +425,11 @@
if (!init_maildir_checking())
return 0; / Can't find maildir /
+ strlcpy(tmp_maildir_path, maildir_path, sizeof(Filename));
+ strlcat(tmp_maildir_path, "/new", sizeof(Filename));
+
/ If there is no mailbox, there is no mail! /
- if (stat(maildir_path, stat_buf) == -1)
+ if (stat(tmp_maildir_path, stat_buf) == -1)
return 0;
/
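Review bot: this is the third copy of the same strlcpy(tmp_maildir_path, maildir_path, ...) / strlcat(..., "/new", ...) pair, again without a truncation check; a small helper along the lines of `static int maildir_subdir(Filename out, const char *sub)` that builds the path once and reports truncation would let every caller share one correct implementation. The "Can't find maildir" and "If there is no mailbox" comments also now describe a stat() of the new/ subdirectory rather than the maildir itself, which is worth saying explicitly.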
@@ -547,6 +567,10 @@
update_mail_level2_maildir();
if (status == 2)
{
+ Filename tmp_maildir_path;
+ strlcpy(tmp_maildir_path, maildir_path, sizeof(Filename));
+ strlcat(tmp_maildir_path, "/new", sizeof(Filename));
+
/ XXX Ew. Evil. Gross. /
ts.actime = stat_buf.st_atime;
ts.modtime = stat_buf.st_mtime;
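Review bot: tmp_maildir_path is built with the "/new" suffix here, but nothing within this hunk's visible lines uses it; make sure the utime-style call that the ts.actime/ts.modtime assignments feed was switched from maildir_path to tmp_maildir_path, otherwise the timestamps are restored on the wrong directory and the new variable is dead.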
@@ -642,6 +666,27 @@
void set_mail_type (const void stuff)
{
- / EPIC4 cannot switch mailbox types (yet) /
+ const char value;
+ struct mail_checker new_checker;
+ char old_mailval[16];
+
+ value = (const char )stuff;
+
+ if (value == NULL)
+ new_checker = NULL;
+ else if (!my_stricmp(value, "MBOX"))
+ new_checker = &mail_types[0];
+ else if (!my_stricmp(value, "MAILDIR"))
+ new_checker = &mail_types[1];
+ else
+ {
+ say("/SET MAIL_TYPE must be MBOX or MAILDIR.");
+ return;
+ }
+
+ snprintf(old_mailval, sizeof(old_mailval), "%d", get_int_var(MAIL_VAR));
+ set_var_value(MAIL_VAR, zero);
+ checkmail = new_checker;
+ set_var_value(MAIL_VAR, old_mailval);
}
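Review bot: the `value == NULL` branch sets new_checker to NULL, after which the function still assigns `checkmail = new_checker;` and turns MAIL back on with `set_var_value(MAIL_VAR, old_mailval);`, so the next mail check presumably runs through a NULL checker. Either reject NULL with the same say() message and return, or map it to the default (`&mail_types[0]`, matching DEFAULT_MAIL_TYPE "mbox" in config.h). The hard-coded mail_types[0]/mail_types[1] indices would also be clearer as a lookup by name over the table, so the two cannot drift apart if the table is reordered.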
diff -aur epic4-2.10.1/source/vars.c epic4-2.10.1.JT/source/vars.c
--- epic4-2.10.1/source/vars.c 2008-03-17 05:42:46.000000000 +0200
+++ epic4-2.10.1.JT/source/vars.c 2012-08-30 13:14:54.801014647 +0300
@@ -194,7 +194,7 @@
{ "LOG_REWRITE", STR_TYPE_VAR, 0, 0, NULL, NULL, 0, 0 },
{ "MAIL", INT_TYPE_VAR, DEFAULT_MAIL, 0, NULL, set_mail, 0, 0 },
{ "MAIL_INTERVAL", INT_TYPE_VAR, DEFAULT_MAIL_INTERVAL, 0, NULL, set_mail_interval, 0, 0 },
- / { "MAIL_TYPE", STR_TYPE_VAR, 0, 0, NULL, set_mail_type, 0, 0 }, /
+ { "MAIL_TYPE", STR_TYPE_VAR, 0, 0, NULL, set_mail_type, 0, 0 },
{ "MANGLE_INBOUND", STR_TYPE_VAR, 0, 0, NULL, set_mangle_inbound, 0, 0 },
{ "MANGLE_LOGFILES", STR_TYPE_VAR, 0, 0, NULL, set_mangle_logfiles, 0, 0 },
{ "MANGLE_OUTBOUND", STR_TYPE_VAR, 0, 0, NULL, set_mangle_outbound, 0, 0 },
@@ -350,7 +350,7 @@
set_string_var(HIGHLIGHT_CHAR_VAR, DEFAULT_HIGHLIGHT_CHAR);
set_string_var(LASTLOG_LEVEL_VAR, DEFAULT_LASTLOG_LEVEL);
set_string_var(LOG_REWRITE_VAR, NULL);
- / set_string_var(MAIL_TYPE_VAR, DEFAULT_MAIL_TYPE); /
+ set_string_var(MAIL_TYPE_VAR, DEFAULT_MAIL_TYPE);
set_string_var(MANGLE_INBOUND_VAR, NULL);
set_string_var(MANGLE_LOGFILES_VAR, NULL);
set_string_var(MANGLE_OUTBOUND_VAR, NULL);
Trivial mod_rewrite: Redirect to another file in the same directory
Wednesday, March 19. 2014
I found a funny quote at Htaccess Rewrites - Rewrite Tricks and Tips, it says:
"Despite the tons of examples and docs, mod_rewrite is voodoo. Damned cool voodoo, but still voodoo."
-- Brian Moore
bem@news.cmc.net
The quote is originally from http://httpd.apache.org/docs/2.0/rewrite/, which is now obsolete documentation for an old Apache version.
I'll have to second Brian's opinion. I've touched the subject earlier at Advanced mod_rewrite: FastCGI Ruby on Rails /w HTTPS.
My YUM-repo definition RPM had a bug in it (see: CentOS 6 PHP 5.4 and 5.5 yum repository) and I had to release a new version of it. There already exist a couple of links to the file. Why didn't I think of a situation where an update is released? Darn! So, let's keep the URL alive, even if a new version of the file with a different name is released. That way everybody stays happy.
Attempt 1: Failure
An over-enthusiastic "hey, that should be simple!" type of naive solution. Create a .htaccess-file in the appropriate directory with the content:
RedirectPermanent oldname.rpm newname.rpm
Well ... no. The result is an HTTP/500 and in the error log there was:
/home/the/entire/path/here/.htaccess: Redirect to non-URL
Ok. It didn't work.
Attempt 2: Failure
Let's ramp this up. Forget the simple tools, hit it with mod_rewrite! Make .htaccess contain:
RewriteEngine on
RewriteRule ^oldname\.rpm$ newname.rpm [R=301]
Well ... no. The result is an HTTP/404, because the redirect goes really wrong. The result will be http://my.server.name/home/the/entire/path/here/newname.rpm, which is pretty far from correct. There is a funny mix of URL and actual filesystem storage.
The reason can be found in the Apache docs for the RewriteRule PT flag:
"The target (or substitution string) in a RewriteRule is assumed to be a file path, by default. The use of the [PT] flag causes it to be treated as a URI instead."
and
"Note that the PT flag is implied in per-directory contexts such as <Directory> sections or in .htaccess files."
That phrase can be translated as:
- Internally RewriteRule works with filesystem paths
- When using RewriteRule from a .htaccess-file it does not use filesystem paths, but URLs
- A .htaccess-file really messes things up
Something more elegant is obviously needed.
Attempt 3: Failure
I studied the Apache docs and found a perfect solution! What if there was a way to discard the filesystem path entirely? Nice! Let's go that way, make .htaccess contain:
RewriteEngine on
RewriteRule ^oldname\.rpm$ newname.rpm [R=301,DPI]
Well ... no. I have the DiscardPathInfo flag there, but it changes absolutely nothing. It is the same with or without the flag. The docs clearly say that "The DPI flag causes the PATH_INFO portion of the rewritten URI to be discarded". Apparently the flag is used for a completely different thing (which I'm having a hard time comprehending), but the point is that I cannot use it to fix my redirect.
Attempt 4: Success!
After browsing the Apache docs even more I struck gold. The docs for the RewriteBase directive say:
"This directive is required when you use a relative path in a substitution in per-directory (htaccess) context"
and
"This misconfiguration would normally cause the server to look for an "opt" directory under the document root."
That's exactly what I'm doing here. I have a relative path. I'm using a substitution in a .htaccess-file. It even misbehaves precisely like the example in the docs.
The solution is to make .htaccess contain:
RewriteEngine on
RewriteBase /path/here/
RewriteRule ^oldname\.rpm$ newname.rpm [R=301]
Now it works exactly as I want it to do! Nice!
When a request is made for the old filename, Apache does an external redirect and notifies the browser about the new version. wget fails to save the file with the new name (it uses the old name), but Firefox, for example, does that correctly.
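To verify the redirect without a browser, here is an added Python checker (not part of the original post) that fetches the old URL without following redirects and checks that the Location header stays in the same directory and only swaps the file name; the wrong Location from attempt 2 is also a small information leak, since it exposes the server's filesystem layout to anyone requesting the old name. The host my.server.name and the paths are taken from the examples above; the constructed responses stand in for a live server.

```python
import http.client
import posixpath
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = (301, 302, 307, 308)


def check_redirect(requested_url, status, location, expected_name):
    """Validate a redirect for a file renamed within the same directory.
    The Location must keep the request's scheme, host and directory and only
    replace the file name. Returns (ok, reason)."""
    if status not in REDIRECT_STATUSES:
        return False, "expected a redirect status, got %d" % status
    if not location:
        return False, "redirect without a Location header"
    req = urlsplit(requested_url)
    # A relative Location is legal; resolve it against the request first.
    loc = urlsplit(urljoin(requested_url, location))
    if (loc.scheme, loc.netloc) != (req.scheme, req.netloc):
        return False, "Location points to a different host: %s" % location
    loc_dir, loc_name = posixpath.split(loc.path)
    if loc_dir != posixpath.dirname(req.path):
        # The attempt-2 failure: the relative substitution was resolved against
        # the filesystem directory, so the URL now carries the on-disk path.
        return False, "Location left the request directory: %s" % loc.path
    if loc_name != expected_name:
        return False, "Location names %r, expected %r" % (loc_name, expected_name)
    return True, "ok"


def probe(url):
    """HEAD the URL without following redirects; returns (status, Location)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed responses matching the two outcomes described above.
OLD_URL = "http://my.server.name/path/here/oldname.rpm"
ATTEMPT_2 = (301, "http://my.server.name/home/the/entire/path/here/newname.rpm")
ATTEMPT_4 = (301, "http://my.server.name/path/here/newname.rpm")

if __name__ == "__main__":
    for label, (status, location) in (("attempt 2", ATTEMPT_2), ("attempt 4", ATTEMPT_4)):
        print(label, check_redirect(OLD_URL, status, location, "newname.rpm"))
    # Against a live server: check_redirect(OLD_URL, *probe(OLD_URL), "newname.rpm")
```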
Conclusion
Darn that voodoo is hard.
mod_rewrite's complexity simply laughs at any system administrator. I consider myself one of the experienced ones, but still ... I find myself struggling with the subject.
Java 1.7 update 51 breaking Cisco ASDM login
Monday, March 10. 2014
One day I needed to drill a hole in a Cisco firewall. I went to the Adaptive Security Device Manager and could not log in. Whaat?!
It did work before, but apparently something had changed. A sneak peek with Wireshark revealed that the SSL handshake failed. The Java console had something like this in it:
java.lang.SecurityException: Missing required Permissions manifest attribute in main jar: https://dm-launcher.jar
at com.sun.deploy.security.DeployManifestChecker.verifyMainJar(Unknown Source)
at com.sun.deploy.security.DeployManifestChecker.verifyMainJar(Unknown Source)
at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
at com.sun.javaws.Launcher.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
and:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Java couldn't trust Server
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
A little bit of googling revealed Issues Accessing ASDM at Cisco's learning network and Cisco ASDM blocked by Java? at spiceworks.com. So I wasn't alone with the problem. Oracle's release notes for update 51 revealed a number of changes compared to earlier versions. Java is still a piece of shit, but they're trying to fix it. Too little, too late. It is very unfortunate that I have to have the Java Runtime installed and use it for a number of important applications. Now Oracle is making radical changes to the JRE to improve its flaky security, and customer companies like Cisco cannot keep up with the changes.
Anyway, enough rant, here is how to fix it. The idea is to take the self-signed certificate from the Cisco firewall and import it for Java. This is yet another nice feature of a Windows computer: there needs to be a separate certificate store for the operating system, the browser and Java.
First go to the web interface of the Cisco appliance. Internet Explorer cannot export a certificate from a web site, so use Firefox or Chrome or pretty much any other browser. Save the certificate to a file. Like this:
When you have the file, go to Control Panel on Windows:
Select Java and Security-tab:
From there you can find Manage Certificates. Import the certificate-file from there:
It is very, very important that you first select Certificate Type: Secure Site. Any other certificate type won't fix the problem.
On the Security tab there is an exception list for certificates. Adding an exception won't fix this, since the problem is that the certificate is self-signed.
Now login works again.
When I first encountered this issue, I asked for help from a couple of guys who are very familiar with Cisco IOS (not Apple iOS). The initial response was "What is ASDM?" Apparently the GUI is not the experts' way to go.
Firefox per dir save
Sunday, March 9. 2014
Once upon a time there was a Firefox version which remembered where something was saved from a website. I think the last download destination directory was stored per host. I clearly remember that when I downloaded something from SourceForge, it would remember the directory, but since there are a number of projects I download from there, it wasn't always the correct one. But for websites I use for only one piece of software, it was always correct.
Then something changed. My Firefox wouldn't remember my destinations anymore.
Now for some nostalgic reason I wanted the functionality back. My loyal/hated aide Google found me a solution for that: a Mozilla support forum discussion named Changing FF25 download location in Win7 - Browse will not get past /User folder. It clearly states that such a setting exists, but is now off by default. When I went to my about:config, it looked like this:
Like the support forum promised, the configuration directive is hidden. They say hidden, but actually it is not created at all. Luckily you can add it yourself by right-clicking in the Firefox configuration:
Just add a new boolean variable named browser.download.lastDir.savePerSite and you're good to go. Remember to set the value to true. It is enabled immediately, no restart or anything needed.
The last thing for me to do is keep wondering why it was enabled in the couple of versions after it was introduced and then turned off.
CentOS 6 PHP 5.4 and 5.5 yum repository
Wednesday, February 19. 2014
I maintain RPM packages for PHP 5.4 and 5.5, see my earlier post about it.
As any sysadmin can expect, there was too much trouble running the updates. Since the CentOS 6 native way is to use yum repositories, I created one.
Kick things off by installing the repo definition:
yum install \
http://opensource.hqcodeshop.com/CentOS/6%20x86_64/Parallels%20Plesk%20Panel/plesk-php-repo-1.0-1.el6.noarch.rpm
After that, a simple yum install command:
yum install plesk-php55
... will yield something like this:
/opt/php5.5/usr/bin/php -v
PHP 5.5.9 (cli) (built: Feb 9 2014 22:04:05)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
I'll be compiling new versions to keep my own box in shape.