This is a talk held by my friend Katolaz some months ago, explaining what minimalism is and how it is relevant when developing OpenSource software.
Between yesterday and today I changed the SSL certificate used on the websites of lonestar.it and unixportal.net, and for the SMTP / IMAP mail services of mail.lonestar.it.
Up to now I used a wildcard certificate, regularly purchased from StartSSL. It was a cost-effective service to get a 2-year wildcard certificate. The convenience was that the certificate was valid for *.lonestar.it, and therefore for any network service.
But the StartSSL Certification Authority has been deprecated by major browsers because of some irregularities committed after acquisition by a Chinese company.
As a result, as of recent versions of Firefox and Chrome, certificates issued by this authority are no longer accepted as valid (green color next to the URL bar), but are shown as unrecognized (red color next to the URL bar).
So I’ve decided to start using the free service of Let’s Encrypt, which has been very successful lately thanks to the new philosophy of free release of certificates to anyone, for a short time (90 days maximum), so as to encourage adoption of the HTTPS and TLS protocols by everyone.
The short duration of certificates implies the transition to an automatic renewal and replacement mechanism, compared to the previous habit of obtaining a valid certificate for a few years and then installing it manually on the various servers involved.
Let’s Encrypt offers an official Python-based client to perform these automated tasks on the most popular distributions and common services. But since I use Slackware as my distribution and s/qmail as my mail service, I preferred to use the Dehydrated script, which is based on bash and curl.
So I’ve set up some scripts that request certificates, no longer wildcard but individual for each service, and install them where necessary.
All seems to be working 🙂
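The renewal flow described above, as an added example rather than the author's own scripts: a hook in the form Dehydrated calls after issuing a certificate (`deploy_cert` followed by the domain and the PEM file paths), which installs a combined key-plus-chain file atomically. `INSTALL_DIR`, the `<name>.pem` layout and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: Dehydrated hook sketch. Dehydrated calls the hook as
#   <hook> deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# INSTALL_DIR and the <name>.pem layout are assumptions for illustration.
INSTALL_DIR="${INSTALL_DIR:-/etc/ssl/services}"

# Write key + full chain into one PEM and swap it into place atomically,
# so a running service never reads a half-written file.
install_combined_pem() {
    domain="$1"; keyfile="$2"; fullchain="$3"

    # The name becomes part of a path: reject empty names and slashes.
    case "$domain" in ''|*/*) return 1 ;; esac

    # Refuse empty or malformed input; keeping the old, still valid
    # certificate is better than deploying a broken one.
    [ -s "$keyfile" ] && [ -s "$fullchain" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$fullchain" || return 1
    grep -q -- 'PRIVATE KEY-----' "$keyfile" || return 1

    # mktemp creates the file with mode 0600 in the destination directory,
    # so the private key is never world-readable and mv is a plain rename.
    tmp=$(mktemp "$INSTALL_DIR/.$domain.XXXXXX") || return 1
    if cat "$keyfile" "$fullchain" > "$tmp" && mv -f "$tmp" "$INSTALL_DIR/$domain.pem"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

hook_main() {
    case "$1" in
        deploy_cert)
            # $2=DOMAIN $3=KEYFILE $4=CERTFILE $5=FULLCHAINFILE $6=CHAINFILE
            install_combined_pem "$2" "$3" "$5" || {
                echo "deploy of $2 failed, previous certificate kept" >&2
                return 1
            }
            # Reload the service that uses this certificate here (site-specific).
            ;;
        *) : ;;  # other hook events are ignored in this sketch
    esac
}

# Dehydrated passes the event name and its arguments on the command line.
if [ "$#" -gt 0 ]; then hook_main "$@"; fi
```

Because a failed deploy leaves the previous file untouched, a broken renewal shows up as a hook error rather than as a service outage, as long as renewal runs well before the 90-day expiry.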
These days I have enabled SMTP-VRFY functionality in the LoneStar Network MTA service, so that I can create/remove mailboxes through Vmail and have them automatically recognized by the ASSP antispam filter that sits in front of the service itself to protect it.
Up to now, manual intervention was required by means of editing a text file containing the list of acceptable mailbox addresses.
With this change, any box created through the management web interface will be dynamically recognized as enabled.
As already discussed in the past, LoneStar Network’s mail system is based on qmail. In spite of the many criticisms over the decades-long abandonment of this software and the widespread preference of many for Postfix, qmail has never given the least problem, and with the integration of Erwin Hoffmann’s Spamcontrol patch it has always proven a very good choice, at least for my needs.
For a number of years it was expected that the original author of qmail would keep the promise of releasing a version 2.0, but that never happened. Even the netqmail branch, which for some time had gained some popularity, has been abandoned for a long time.
Instead, Erwin Hoffmann continued to carry on his Spamcontrol patch over the years, adding features and fixing problems, which eventually made it a kind of qmail 1.5 rather than a simple patch with anti-spam functionality.
And some time ago Hoffmann made a leap in quality. He stopped developing a patch to be applied to the original qmail 1.03 code, and started issuing a fully revised and extended qmail code base, of which the previous Spamcontrol patch contents have become an integral part, along with new additional features such as native IPv6 support and the ability to compile in x86_64 environments. He gave this “risen” qmail the name s/qmail.
S/qmail started with version 3.0 and is now at release 3.1.9. It is a drop-in replacement that can be installed as an update of an original qmail while maintaining its configuration and installation paths, as well as all commonly used external extensions and software (e.g. Dovecot, ezmlm, VMailMgr, Vpopmail, etc.).
So I finally decided to move from my previous qmail 1.03 + Spamcontrol 2.7.33 to the new s/qmail 3.1.9, and for some days the LoneStar Network’s MTA has already been running this new version. There were no problems of any kind in the migration and I think none should appear later.