Computer Nerd Kev

Profile Information

  • Gender
    Male
  • Location
    Australia

  1. Probably not of much help, but for what it's worth my email accounts on Tommy were all set to forward to other addresses hosted by an email provider, and the forwarding kept on working so I don't think I lost anything (except maybe when I was switching the DNS records over to my VPN replacement server). Maybe if putting a .forward file in your home directory worked on Heliohost you can do that via sftp and forward mail to your [username]@mysite.heliohost.org (etc.) address somewhere else while the server's still up. I have just now set up an email server via SSH on a VPN (not heliohost's, just because if I'm setting up a VPS I'd like to be able to use Heliohost as a backup if it goes down in the future, and if Heliohost's VPS server goes down in the future the web hosting is likely to have troubles at the same time). This guide is a little too concise in places, but it helped. I still need to set up auth in Postfix (currently it's set not to send emails from any other computers so I'm using my ISP's SMTP server instead), and SSL in Dovecot.
  2. There are some surprisingly good free VPS deals out there, both short and long term. You'd want to avoid ones that don't come with an IPv4 address though. Oracle's Free Tier is pretty amazing. If you pick their ARM-based VPS you apparently get four "OCPU" cores with 24 GB RAM between them, 200GB+ storage, two IPv4 addresses, and 10 TB outbound data per month, with no expiry date. Detailed specs. However when I tried to sign up it failed, apparently due to a problem with confirming my identity via my Visa Debit Card (which is required even though they don't charge unless you use their paid services). That's probably because I'm Australian though, and the exact same thing happened when I tried to sign up for AWS's free VPN years ago. Support aren't interested in helping (though at least Oracle's support replied to me, AWS just left me hanging).
  3. Hello, Could GNU Enscript please be installed on Tommy? It should be a pretty small package. I want to use it to generate print-formatted documents with a simple CGI script. Thanks.
  4. Hello, I've donated $23. Current storage for my account is 2GB, so I gather it can now go up to 5GB, and four months of inactivity immunity. Username: cnk2 PayPal Transaction: 10C88794JG259883N Thanks, and hope it gets to $2,700.
  5. A user in the US has been unable to access my sites (either computernerdkev.heliohost.org or www.ombertech.com), or open an FTP connection to tommy.heliohost.org, for many weeks. Their ISP assigns them a dynamic IP address, of which one example is: 24.243.100.168

     All connection attempts time out. They have run traceroute with the following output:

     $ traceroute computernerdkev.heliohost.org
     traceroute to computernerdkev.heliohost.org (65.19.143.6), 30 hops max, 60 byte packets
      1  router (192.168.2.1)  5.689 ms  7.986 ms  7.924 ms
      2  * * *
      3  tge0-0-20.edbgtx1101h.rgv.rr.com (66.68.194.245)  39.967 ms  43.620 ms  43.339 ms
      4  agg24.phrrtxgy01r.texas.rr.com (24.175.56.130)  25.059 ms  23.983 ms  25.453 ms
      5  agg26.dllatxl301r.texas.rr.com (24.175.56.72)  46.915 ms  54.508 ms  40.182 ms
      6  bu-ether14.dllstx976iw-bcr00.tbone.rr.com (66.109.6.88)  46.831 ms 66.109.1.216 (66.109.1.216)  32.597 ms bu-ether14.dllstx976iw-bcr00.tbone.rr.com (66.109.6.88)  45.757 ms
      7  66.109.5.121 (66.109.5.121)  39.299 ms  50.577 ms  50.841 ms
      8  10ge7-7.core1.dal1.he.net (184.105.55.249)  47.837 ms  42.734 ms  42.099 ms
      9  100ge2-2.core4.fmt2.he.net (184.105.64.221)  81.441 ms  77.495 ms  77.616 ms
     10  100ge14-2.core3.fmt1.he.net (184.105.80.93)  93.010 ms  86.576 ms  79.323 ms
     11  * * *
     12  * * *
     13  * * *
     14  * * *
     15  * * *
     16  * * *
     17  * * *
     18  * * *
     19  * * *
     20  * * *
     21  * * *
     22  * * *
     23  * * *
     24  * * *
     25  * * *
     26  * * *
     27  * * *
     28  * * *
     29  * * *
     30  * * *

     This ends at a similar point to where it does if I run traceroute, yet I can access Heliohost fine. So it seems like it's not an issue with routing from the user's ISP - therefore I wonder if their IP address range has been blocked at the Heliohost server for some reason?
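Added example, not from the post and not HelioHost's tooling: a small Python parser for the traceroute output quoted above, plus a summary of where the path stops answering. The trace is embedded as constructed input (hops 1 to 11 copied from the post, hops 12 to 30 regenerated as the "* * *" rows the post shows); nothing on the network is contacted.

```python
import re

# The traceroute quoted in the post, embedded as constructed test input.
# Hops 1-11 are copied as posted; hops 12-30 (all "* * *" in the post) are appended below.
TRACE = """\
traceroute to computernerdkev.heliohost.org (65.19.143.6), 30 hops max, 60 byte packets
 1  router (192.168.2.1)  5.689 ms  7.986 ms  7.924 ms
 2  * * *
 3  tge0-0-20.edbgtx1101h.rgv.rr.com (66.68.194.245)  39.967 ms  43.620 ms  43.339 ms
 4  agg24.phrrtxgy01r.texas.rr.com (24.175.56.130)  25.059 ms  23.983 ms  25.453 ms
 5  agg26.dllatxl301r.texas.rr.com (24.175.56.72)  46.915 ms  54.508 ms  40.182 ms
 6  bu-ether14.dllstx976iw-bcr00.tbone.rr.com (66.109.6.88)  46.831 ms 66.109.1.216 (66.109.1.216)  32.597 ms bu-ether14.dllstx976iw-bcr00.tbone.rr.com (66.109.6.88)  45.757 ms
 7  66.109.5.121 (66.109.5.121)  39.299 ms  50.577 ms  50.841 ms
 8  10ge7-7.core1.dal1.he.net (184.105.55.249)  47.837 ms  42.734 ms  42.099 ms
 9  100ge2-2.core4.fmt2.he.net (184.105.64.221)  81.441 ms  77.495 ms  77.616 ms
10  100ge14-2.core3.fmt1.he.net (184.105.80.93)  93.010 ms  86.576 ms  79.323 ms
11  * * *
""" + "".join(f"{n:2d}  * * *\n" for n in range(12, 31))

HEADER_RE = re.compile(r"^traceroute to (\S+) \((\d+\.\d+\.\d+\.\d+)\), (\d+) hops max")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
RESPONDER_RE = re.compile(r"(\S+) \((\d+\.\d+\.\d+\.\d+)\)")
RTT_RE = re.compile(r"(\d+\.\d+) ms")


def parse_traceroute(text):
    """Parse Linux traceroute output into (header dict, list of hop dicts).
    A hop answered by several routers (hop 6 above) keeps every distinct address."""
    header, hops = None, []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            header = {"target": h.group(1), "target_ip": h.group(2), "max_hops": int(h.group(3))}
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        rest = m.group(2)
        addrs = list(dict.fromkeys(ip for _, ip in RESPONDER_RE.findall(rest)))
        hops.append({
            "hop": int(m.group(1)),
            "addrs": addrs,
            "rtt_ms": [float(r) for r in RTT_RE.findall(rest)],
            "lost_probes": rest.count("*"),
        })
    if header is None:
        raise ValueError("no traceroute header line found")
    return header, hops


def diagnose(header, hops):
    """Summarise where the path stops answering.

    'reached' is True only if some hop replied from the target's own address. Otherwise
    'silent_from' is the first hop after the last responder, and 'silent_hops' counts how
    many hops after it returned nothing at all.
    """
    responders = [h for h in hops if h["addrs"]]
    reached = any(header["target_ip"] in h["addrs"] for h in responders)
    last = responders[-1] if responders else None
    return {
        "reached": reached,
        "last_responding_hop": last["hop"] if last else 0,
        "last_responder": last["addrs"][-1] if last else None,
        "silent_from": (last["hop"] + 1) if last and not reached else None,
        "silent_hops": sum(1 for h in hops if not h["addrs"] and (last is None or h["hop"] > last["hop"])),
    }


if __name__ == "__main__":
    hdr, hop_list = parse_traceroute(TRACE)
    print(diagnose(hdr, hop_list))
```

The useful comparison is the one the poster made: run the same parser over a trace from a connection that does work. If that trace also goes quiet after hop 10 (184.105.80.93), the "* * *" rows from 11 onward are transit routers that do not answer probes rather than the point of failure, and the difference between the two users lies beyond them, at or near the destination, which is what a block at the server side would look like.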
  6. @Piotr_GRD I agree entirely, individuals with browsers that support the newer encryption standards can use those without needing to force upgrades on others. In fact my favourite browser is Dillo, and although it can be built to work with TLS 1.2 (maybe even TLS 1.3), SNI is causing me all sorts of trouble. A lot of my browsing (where I don't need to log in) is going via a web proxy that serves over HTTP now, just so that I can use the browser that I like. I'm planning to write a patch to get SNI working in the current stable version myself when I get the chance. Also on my sites I only use HTTP to HTTPS redirects for parts where user information is transferred. For general browsing of publicly viewable webpages HTTPS has only very limited advantages for privacy, and there is no need to force it on people who might not be so paranoid about others potentially finding out (with some fair degree of effort) what page they've viewed within a website. Well rant over. Back on the TLS topic, according to this service (and problems with old browsers that I try to run affirm it) TLS 1.0 and 1.1 are already disabled on Tommy: https://www.ssllabs.com/ssltest/analyze.html?d=tommy.heliohost.org A more productive debate might be over whether TLS 1.3 should be enabled (that site says it's not on Tommy), for those who do have the latest browsers and want to ensure maximum security when they connect.
  7. The clone URL in the video is for SSH access and Heliohost accounts don't allow this (except on the VPS accounts). There's a banner at the top of the CPanel Git config page in my account that says: Git also supposedly supports HTTP/S URLs, not that I fully understand how this works for uploading. I tried it once by creating a git repo under ~/public_html/, but although I tried hard, I couldn't get it to work (I can't find my notes on this, so not sure what the exact errors were). The Git documentation is far from clear on how HTTP-hosted repos work (though I don't find it particularly clear about anything for that matter).
  8. Well as it turns out I've now managed to get msmtp to build with SSL/TLS support, and got my old email MUA to use it instead of the built-in MTA (which took a bit more scripting than I expected), so I can do SMTP with encryption on port 465 now. So whether or not you want to change the default so that SMTP works unencrypted, I don't need it now personally. Ideally I would still prefer the option to use unencrypted SMTP in case of future troubles though. Thanks for the explanations and for looking into this. Now to try and set up an MRA/MDA for the IMAP side of things...
  9. Technically it doesn't have to be AUTH PLAIN, it could be AUTH CRAM-MD5 (or similar) for a little more security, but I'm not sure if this is relevant to the rest of your reply because that's nothing to do with STARTTLS or SSL/TLS in general. The AUTH method is just the way of specifying the password, with methods that make it more secure doing so over unencrypted connections. I've actually turned this off briefly a few times to confirm this exact problem was the issue with my apps, but since it's a security issue I turned it back on and found more secure solutions once I knew where the problem was. Well the security risk is that without SSL/TLS the authentication details can be read by someone snooping on the connection. That won't compromise the server itself (it's the same info as in the logs that I posted), but of course they can use them to get passwords that other people use to send email. That's why I was only looking to do it with one account where security isn't very important and the password isn't used for anything else. Similar to how FTP and HTTP CPanel/Webmail is enabled even though they're unencrypted, presumably for people who aren't concerned about a targeted attack on their account. There is an argument that someone snooping on all of the internet traffic that goes to Heliohost (e.g. a hacked machine or rogue employee at the datacentre or an ISP) could pick out the passwords for all Heliohost email accounts that users connect to without encryption. Then they could use Heliohost for sending spam out via other users' accounts - without an easy way of blocking them (if they connect from a large range of IP addresses). So from that perspective it could be a risk to the whole server because if it gets Heliohost on spam blacklists, and can't be fixed while there are users connecting unencrypted to their email, it would affect all users on the system.

     But Tommy does accept webmail logins over unencrypted HTTP at port 2085, which is just as bad as unencrypted SMTP (maybe worse because I'm not sure if there's anything like CRAM-MD5 for HTTP) for security of authentication details. Also IMAP on port 143 works without SSL/TLS. As the same passwords are used with SMTP for sending email, then that risk is still open via those routes. Sorry for the lecture, I'm just trying to cover all sides of the topic. Security stuff always gets complicated. Technically the software I'm using does support STARTTLS and SSL/TLS directly on port 465. This still works on other servers. The trouble is that the encryption library used by my software is old and Tommy's software no longer supports any of the encryption methods that it can use. That's presumably because they've all got security issues, so I am resigned to trying to upgrade eventually (complicated by me wanting to use software that isn't maintained - I'm currently looking at installing a separate MDA and MTA (msmtp from the first SSL log) instead of the ones built into my old MUA, but what do you know I'm having trouble getting the SSL support to compile...). I'm not trying to draw Heliohost into my own world of software frustration, and do plan to get my Email working everywhere over the latest encryption eventually. This was just an attempt at a quick fix for one account where encryption doesn't matter in the first place, and seeing as unencrypted connections are allowed for pretty much everything else (including webmail and IMAP) it seemed unlikely that SMTP was deliberately meant to be SSL-only. If it is deliberate, then I think the logic is a bit inconsistent, but I won't tell you to re-evaluate everything just for the sake of my temporary issue, not unless you want to anyway.
  10. Hello, I've come to the conclusion that the non-SSL SMTP email port on Tommy doesn't actually work without SSL (aka TLS). The background is that some of my Email software is old and when Tommy was upgraded after the crash, the new encryption libraries were no longer compatible with my old software. I've been slowly working to get that software working with a newer OpenSSL library, and making do until then in various ways. I recently set up a new email account (using a unique password) for which security isn't very important, so I tried going unencrypted using the non-SSL port for SMTP (587 on Tommy). But it wouldn't work. Long story short, the email server software isn't providing any authentication methods to the client unless STARTTLS is used to enable encryption.

      Here I'm trying to connect without SSL:

      <-- 220-tommy.heliohost.org ESMTP Exim 4.92 #2 Sat, 25 Jul 2020 05:38:10 +0000
      <-- 220-We do not authorize the use of this system to transport unsolicited,
      <-- 220 and/or bulk e-mail.
      --> EHLO heliohost.org
      <-- 250-tommy.heliohost.org Hello heliohost.org [1.136.169.170]
      <-- 250-SIZE 52428800
      <-- 250-8BITMIME
      <-- 250-PIPELINING
      <-- 250-STARTTLS
      <-- 250 HELP
      --> QUIT
      <-- 221 tommy.heliohost.org closing connection
      msmtp: the server does not support authentication
      msmtp: could not send mail

      Here's what it looks like talking unencrypted to another server where it does work properly (some info redacted):

      <-- 220 [SERVERNAME] ESMTP Postfix (Ubuntu)
      --> EHLO localhost
      <-- 250-[SERVERNAME]
      <-- 250-PIPELINING
      <-- 250-SIZE 10240000
      <-- 250-VRFY
      <-- 250-ETRN
      <-- 250-STARTTLS
      <-- 250-AUTH PLAIN LOGIN                  <---- We don't get this on Tommy!
      <-- 250-ENHANCEDSTATUSCODES
      <-- 250-8BITMIME
      <-- 250-DSN
      <-- 250 SMTPUTF8
      --> AUTH PLAIN [ENCODED PASSWORD]         <---- It tells us that we can do this
      <-- 235 2.7.0 Authentication successful
      --> MAIL FROM:<[MY EMAIL ADDRESS]>
      --> RCPT TO:<[RECEIVER'S EMAIL ADDRESS]>
      --> DATA
      <-- 250 2.1.0 Ok
      <-- 250 2.1.5 Ok
      <-- 354 End data with <CR><LF>.<CR><LF>
      --> Date: Sat, 25 Jul 2020 15:14:05 +1000
      [MESSAGE]
      --> .
      <-- 250 2.0.0 Ok: queued as 7C7FE3B25F1
      --> QUIT
      <-- 221 2.0.0 Bye

      Here I'm back with Tommy using another client where the SSL is new enough to work, and STARTTLS is enabled (this is still on the non-SSL port 587):

      * Connecting to SMTP server: mail.ombertech.com ...
      [17:02:20] SMTP< 220-tommy.heliohost.org ESMTP Exim 4.92 #2 Sat, 25 Jul 2020 06:56:29 +0000
      [17:02:20] SMTP< 220-We do not authorize the use of this system to transport unsolicited,
      [17:02:20] SMTP< 220 and/or bulk e-mail.
      [17:02:20] ESMTP> EHLO The-Overheating-Giant
      [17:02:20] ESMTP< 250-tommy.heliohost.org Hello The-Overheating-Giant [1.136.166.92]
      [17:02:20] ESMTP< 250-SIZE 52428800
      [17:02:20] ESMTP< 250-8BITMIME
      [17:02:20] ESMTP< 250-PIPELINING
      [17:02:20] ESMTP< 250-STARTTLS
      [17:02:20] ESMTP< 250 HELP
      [17:02:20] ESMTP> STARTTLS
      [17:02:21] ESMTP< 220 TLS go ahead
      * SSL certificate of mail.ombertech.com previously accepted
      [17:02:21] ESMTP> EHLO The-Overheating-Giant
      [17:02:21] ESMTP< 250-tommy.heliohost.org Hello The-Overheating-Giant [1.136.166.92]
      [17:02:21] ESMTP< 250-SIZE 52428800
      [17:02:21] ESMTP< 250-8BITMIME
      [17:02:21] ESMTP< 250-PIPELINING
      [17:02:21] ESMTP< 250-AUTH PLAIN LOGIN     <---- Now Tommy talks about AUTH, but only after STARTTLS has enabled TLS/SSL
      [17:02:22] ESMTP< 250 HELP
      [17:02:22] ESMTP> AUTH PLAIN ********
      [17:02:22] ESMTP< 235 Authentication succeeded
      [17:02:22] SMTP> MAIL FROM:<[MY EMAIL ADDRESS]>
      [17:02:22] SMTP< 250 OK
      [17:02:22] SMTP> RCPT TO:<[RECEIVER'S EMAIL ADDRESS]>
      [17:02:22] SMTP< 250 Accepted
      [17:02:22] SMTP> DATA
      [17:02:23] SMTP< 354 Enter message, ending with "." on a line by itself
      [17:02:23] SMTP> . (EOM)
      [17:02:23] SMTP< 250 OK id=1jzE6i-000PnH-MD
      [17:02:23] SMTP> QUIT
      [17:02:24] SMTP< 221 tommy.heliohost.org closing connection

      In that same client if I disable STARTTLS it fails like on the other system. Here though I can force it to attempt the AUTH command even though no AUTH methods are provided by the server, but the server won't accept that:

      * Connecting to SMTP server: mail.ombertech.com ...
      [16:31:38] SMTP< 220-tommy.heliohost.org ESMTP Exim 4.92 #2 Sat, 25 Jul 2020 06:25:47 +0000
      [16:31:38] SMTP< 220-We do not authorize the use of this system to transport unsolicited,
      [16:31:38] SMTP< 220 and/or bulk e-mail.
      [16:31:38] ESMTP> EHLO The-Overheating-Giant
      [16:31:38] ESMTP< 250-tommy.heliohost.org Hello The-Overheating-Giant [1.136.169.176]
      [16:31:38] ESMTP< 250-SIZE 52428800
      [16:31:38] ESMTP< 250-8BITMIME
      [16:31:38] ESMTP< 250-PIPELINING
      [16:31:38] ESMTP< 250-STARTTLS
      [16:31:38] ESMTP< 250 HELP
      [16:31:38] ESMTP> AUTH PLAIN ********
      [16:31:38] ESMTP< 503 AUTH command used when not advertised     <---- Tommy knows when I'm trying to cheat
      ** LibSylph-WARNING: [16:31:38] error occurred on SMTP session
      ** error occurred on SMTP session
      ** Sylpheed-WARNING: send: error: 503 AUTH command used when not advertised
      ** LibSylph-WARNING: [16:31:38] Error occurred while sending the message.
      ** Error occurred while sending the message.

      The intended SSL Port 465 works fine, if the client's encryption library is new enough. Perhaps port 587 is actually supposed to only work with STARTTLS and therefore SSL, even though the CPanel info suggests differently. So if it's intentional I'll go away with my tail between my legs and try to wrestle my old systems into the modern encrypted world (which I'm working on anyway). If it's a mistake in Exim's configuration though, I'd be glad to see it fixed.

      PS. No, my current ISP doesn't have an authentication-free SMTP server available to customers, which I could use for sending by using my Heliohost-hosted email address in the "From:" header.
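Added example, not the poster's code and not HelioHost's or Exim's configuration: a Python model of the behaviour shown in the transcripts of this post and discussed in the one above it. parse_ehlo reads an EHLO reply into its extensions, client_next_step is the decision a careful mail client makes from them, and TlsGatedServer models the server-side rule that produced the 503: AUTH is advertised, and accepted, only after STARTTLS. The two EHLO replies are constructed from the transcripts; the server name mail.example.test, the client name client.test and the credential check are placeholders.

```python
import re

# Constructed EHLO replies, abridged from the two servers quoted in the post above.
TOMMY_PLAINTEXT_EHLO = (
    "250-tommy.heliohost.org Hello heliohost.org [1.136.169.170]\n"
    "250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP"
)
POSTFIX_PLAINTEXT_EHLO = (
    "250-[SERVERNAME]\n250-PIPELINING\n250-SIZE 10240000\n250-STARTTLS\n"
    "250-AUTH PLAIN LOGIN\n250-8BITMIME\n250 SMTPUTF8"
)

EHLO_LINE = re.compile(r"250[- ](\S+)(?:[ \t]+(.*))?")


def parse_ehlo(reply):
    """Turn a multi-line 250 reply into {EXTENSION: [parameters]}.
    The first line is the server's greeting and names no extension."""
    exts = {}
    for line in reply.splitlines()[1:]:
        m = EHLO_LINE.fullmatch(line.rstrip("\r"))
        if not m:
            raise ValueError(f"not an EHLO response line: {line!r}")
        exts[m.group(1).upper()] = m.group(2).split() if m.group(2) else []
    return exts


def client_next_step(exts, tls_active, can_starttls=True, allow_plaintext_auth=False):
    """Decide what a careful client sends next, given the parsed EHLO extensions.

    Returns ("STARTTLS", None), ("AUTH", mechanism) or ("ABORT", reason).
    Credentials leave the client only over TLS unless the caller has explicitly
    accepted the plaintext risk (the throw-away-account case in the posts above).
    can_starttls=False models an old TLS library that cannot negotiate with the server.
    """
    mechs = exts.get("AUTH", [])
    if mechs and (tls_active or allow_plaintext_auth):
        # Prefer a challenge-response mechanism so the password itself is never sent.
        for preferred in ("CRAM-MD5", "PLAIN", "LOGIN"):
            if preferred in mechs:
                return ("AUTH", preferred)
        return ("ABORT", f"no usable mechanism in {mechs}")
    if not tls_active and can_starttls and "STARTTLS" in exts:
        return ("STARTTLS", None)
    if mechs:
        return ("ABORT", "refusing to send credentials without TLS")
    return ("ABORT", "server does not advertise AUTH")  # msmtp's situation on Tommy


class TlsGatedServer:
    """Model of the server-side rule behind the 503 in the transcript: AUTH is
    advertised, and accepted, only once STARTTLS has completed. The hostname and
    the credential check are placeholders, not Exim's real code."""

    def __init__(self, mechanisms=("PLAIN", "LOGIN")):
        self.tls_active = False
        self.mechanisms = list(mechanisms)

    def ehlo(self, client_name):
        lines = [f"250-mail.example.test Hello {client_name}", "250-8BITMIME"]
        if self.tls_active:
            lines.append("250-AUTH " + " ".join(self.mechanisms))
        else:
            lines.append("250-STARTTLS")  # no AUTH line at all on a plaintext session
        lines.append("250 HELP")
        return "\n".join(lines)

    def starttls(self):
        self.tls_active = True  # the TLS handshake itself would happen here
        return "220 TLS go ahead"

    def auth(self, mechanism, credential):
        if not self.tls_active:
            return "503 AUTH command used when not advertised"
        if mechanism not in self.mechanisms:
            return "504 Unrecognized authentication type"
        if credential != "valid-secret":  # constructed stand-in for a real credential check
            return "535 Incorrect authentication data"
        return "235 Authentication succeeded"


def run_session(server, can_starttls=True, allow_plaintext_auth=False, force_auth=False):
    """Drive the model server the way the transcripts do and return (outcome, log).
    force_auth=True repeats the experiment of sending AUTH although it was not advertised."""
    log, tls = [], False
    while True:
        reply = server.ehlo("client.test")
        log.append(("EHLO client.test", reply))
        if force_auth and not tls:
            reply = server.auth("PLAIN", "valid-secret")
            log.append(("AUTH PLAIN ********", reply))
            return reply, log
        action, arg = client_next_step(parse_ehlo(reply), tls, can_starttls, allow_plaintext_auth)
        if action == "STARTTLS":
            reply = server.starttls()
            log.append(("STARTTLS", reply))
            tls = True
            continue
        if action == "AUTH":
            reply = server.auth(arg, "valid-secret")
            log.append((f"AUTH {arg} ********", reply))
            return reply, log
        return f"client abort: {arg}", log


if __name__ == "__main__":
    for cmd, reply in run_session(TlsGatedServer())[1]:
        print("-->", cmd, "\n<--", reply)
```

Two points the model makes concrete. On the client side, credentials go out only after TLS unless allow_plaintext_auth is set, which is exactly the one-throwaway-account trade-off weighed in the posts; and when a server does offer CRAM-MD5, the client prefers it, so even a plaintext session carries a challenge response rather than the password itself. On the server side the gate is cheap: AUTH is simply absent from the plaintext EHLO, and a client that sends it anyway gets the 503 from the transcript rather than an opportunity to disclose a password.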
  11. Hello, I notice that there's a new (since I last checked) wiki. Trouble is that it seems to be missing the one thing that I always checked the wiki for, which was the table of server ports for connecting over SFTP and similar protocols. I found the specific port number that I was after by looking in the configuration of another PC, but for the future I'd really like that info restored on the Wiki, and I think I'll save a copy this time - the Wayback Machine didn't even capture it!
  12. Ah right, that's OK. I wasn't sure if I'd remembered it correctly, but the description disappeared after the fundraiser was closed and the page wasn't archived by the Wayback Machine, so I trusted my "optimistic" recollection of it.
  13. Hello, I donated during the fundraiser for the Lilly server and even though the terms for that don't seem to be online anymore, I believe I received 4 months inactivity immunity. It was apparently restored after I was moved from Ricky back to Tommy after the hardware failure in this thread: https://www.helionet.org/index/topic/37017-ricky-to-tommy-move/?do=findComment&comment=164633 My account just got locked out after what I'm pretty sure was more like one month. Could someone check the setting for this again please? Thanks.
  14. If the OP's internet connection for the server is via mobile broadband, as he suggests, then the problem likely goes a bit deeper than port blocking. Many (most?) mobile broadband ISPs use Carrier-grade NAT, which prevents any inbound connections from reaching a computer "inside". To make a server accessible from the internet via such a connection, the only option is to have the server first open a connection to the client via SSH. Then the client is configured to send HTTP requests to a port that communicates via the open SSH tunnel to the server. It would indeed be preferable that the client connects on a port other than 80, so that it can still connect to other websites on the internet using that port, but this bypasses any port blocking implemented by the ISP. I remember now that the actual term for this is a "reverse tunnel". This is one example for a web server (look at the reply to the first answer for what worked). It's also suggested there that setting up a VPN is another solution. The issue with this is that someone has to specifically configure this on the client before it can connect. So if, for example, you want to test integration with a service like PayPal IPN that makes inbound HTTP requests to the server, it won't help you because you can't set up PayPal's "client" to use your SSH tunnel (or VPN). I use mobile broadband for my home internet connection myself, so for this I resigned to uploading to Heliohost and doing the final testing there. The software is OpenSSH. It may work on Windows via Cygwin, but I suspect you'd be in for a lot of headaches trying to make that work. Best if both server and client are running Linux, BSD, Mac OS, or some other UNIX-based OS. If you just want to test with a device that can't run the web server itself (e.g. a smart phone), I suggest that connecting it to the same LAN (router) as your server computer would be much easier and more reliable than doing SSH Tunneling over the internet.
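Added example, not the poster's setup: a Python helper for the two decisions in this post, whether a connection is behind carrier-grade NAT at all (RFC 6598 reserves 100.64.0.0/10 for it) and how to invoke OpenSSH's reverse forwarding (-R) from the server sitting behind it. The relay host, user and ports are hypothetical parameters; the function only builds the argument list and does not connect anywhere.

```python
import ipaddress

# RFC 6598 shared address space: an ISP that hands this out is doing carrier-grade NAT.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")


def nat_situation(wan_ip, internet_visible_ip):
    """Classify the connection from two addresses the caller supplies: the one the ISP
    gave the router (or modem) on its WAN side, and the one a remote service reports
    seeing for this connection (obtain it however you like; nothing here goes online).

    "cgnat":        the ISP NATs you; port forwarding on your own router cannot help,
                    so a reverse tunnel (or VPN) is the only way to receive inbound
                    connections.
    "upstream-nat": some other translation layer sits between you and the internet.
    "direct":       the WAN address is what the internet sees; ordinary port
                    forwarding works.
    """
    wan = ipaddress.ip_address(wan_ip)
    seen = ipaddress.ip_address(internet_visible_ip)
    if wan in CGNAT_RANGE:
        return "cgnat"
    if wan != seen:
        return "upstream-nat"
    return "direct"


def reverse_tunnel_argv(relay_user, relay_host, relay_port, local_port,
                        relay_ssh_port=22, public=False):
    """Build the OpenSSH command the post describes: the machine behind CGNAT dials out
    to a relay host it controls and asks it to listen on relay_port, forwarding each
    connection back through the SSH session to local_port on this machine.

    By default the listener binds to the relay's loopback only, so just the relay
    itself (or something tunnelled into it) reaches the web server; public=True asks
    for all interfaces, which the relay's sshd must additionally allow with
    GatewayPorts. All arguments are hypothetical; nothing is executed here.
    """
    bind = "*" if public else "127.0.0.1"
    return [
        "ssh", "-N",                           # no remote shell, forwarding only
        "-o", "ExitOnForwardFailure=yes",      # exit instead of lingering with no tunnel
        "-o", "ServerAliveInterval=30",        # notice a dead mobile link promptly
        "-p", str(relay_ssh_port),
        "-R", f"{bind}:{relay_port}:localhost:{local_port}",
        f"{relay_user}@{relay_host}",
    ]


if __name__ == "__main__":
    print(nat_situation("100.72.3.4", "203.0.113.9"))
    print(" ".join(reverse_tunnel_argv("tunnel", "relay.example", 8080, 80)))
```

Run the argument list under a supervisor (a systemd unit with Restart=always, or a cron job that checks for the process) so the tunnel comes back after the mobile link drops; ExitOnForwardFailure makes sure a session that could not obtain the remote listener dies rather than looking healthy. Keep the default loopback bind unless the relay really is meant to serve the whole internet, and if it is, restrict the relay's sshd to a key-only, forwarding-only account for the tunnel.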