Skip to content

Instantly share code, notes, and snippets.

View gwire's full-sized avatar

gwire

1 follower · 0 following
View GitHub Profile
@gwire
gwire / dovecot_tls_log.md
Created November 15, 2021 14:55
Log Dovecot TLS protocol and cipher

In order to determine if TLS can be restricted to TLSv1.2 or above I need to check the usage in the logs. Unfortuately dovecot (2.3.x) doesn't log this information by default.

We need to append %k to login_log_format_elements (and include the variable for session)

login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c session=<%{session}> (%k)

example syslog output:

@gwire
gwire / exim_acl_reject_plaintext.config
Last active April 22, 2023 11:06
Exim4 ACL to reject a random 5% of non-TLS deliveries
## %5 rejection of plaintext transmission
## add to acl_smtp_mail or later (eg acl_smtp_rcpt, acl_smtp_data)
## change "defer" to "drop" to force a permanent rejection code
defer !encrypted = *
condition = ${if eq{${randint:20}}{2}{true}}
message = 4.7.0 Unlucky! Try STARTTLS command before MAIL
@gwire
gwire / exim_dkim.conf
Last active April 25, 2023 10:14
DKIM selectors for exim4 based on From: header
DKIM_DOMAIN = ${extract{domain} {${lookup{${lc:${if def:h_List-Id: {$sender_address_domain}{${domain:${address:$h_From:}}}}}}lsearch*@{CONFDIR/dkim_domains}}}{$value}{}}
DKIM_SELECTOR = ${extract{selector}{${lookup{${lc:${if def:h_List-Id: {$sender_address_domain}{${domain:${address:$h_From:}}}}}}lsearch*@{CONFDIR/dkim_domains}}}{$value}{}}
DKIM_PRIVATE_KEY = ${extract{key} {${lookup{${lc:${if def:h_List-Id: {$sender_address_domain}{${domain:${address:$h_From:}}}}}}lsearch*@{CONFDIR/dkim_domains}}}{$value}{}}
DKIM_CANON = ${extract{canon} {${lookup{${lc:${if def:h_List-Id: {$sender_address_domain}{${domain:${address:$h_From:}}}}}}lsearch*@{CONFDIR/dkim_domains}}}{$value}{relaxed}}
DKIM_STRICT = ${extract{strict} {${lookup{${lc:${if def:h_List-Id: {$sender_address_domain}{${domain:${address:$h_From:}}}}}}lsearch*@{CONFDIR/dkim_domains}}}{$value}{false}}
@gwire
gwire / 40_smtp_data_sharepoint
Created February 26, 2022 15:22
Exim ACL to block SharePoint spam
## add to the data acl
## if Microsoft's `X-Forefront-Antispam-Report:` contains "SCL:9" then that's "High confidence spam"
## so why do they then choose to DKIM sign it and forward it on?
## https://docs.microsoft.com/en-gb/microsoft-365/security/office-365-security/spam-confidence-levels
deny condition = ${if match_domain{$sender_address_domain}{sharepointonline.com}}
condition = ${if match{$h_X-Forefront-Antispam-Report:}{;SCL:9;}}
@gwire
gwire / local-acme.conf
Last active September 22, 2024 00:31
nginx config snippet to allow acme validation for TLS certificate
## Only permit acme-challenge requests that match the ACME spec,
## return 403 for everything else
## RFC8555 specifies a base64url token (no "=")
## with at least 128 bits of entropy (ie 22 chars minimum)
## root matches the "webroot" directory used in the certbot configuration
location ~ "^/.well-known/acme-challenge/([A-Za-z0-9_-]{22,})$" {
default_type "text/plain";
root /var/www/acme/;
}
@gwire
gwire / safari_cloud_tab_delete.md
Created May 19, 2022 11:25
Deleting phantom cloud tabs in Safari

I have Safari synchonised between my Mac and iPad.

Fow weeks an iPad search for "far cry 6 pelicans" (I needed assistance finding pelicans in a videogame) has been listed in the cloud tabs, despite being closed weeks ago.

Wiping the Safari data on the iPad and resetting the cloud syncing didn't seem to affect anything. So instead I tried removing the tab directly on the Mac.

As with most macOS data, the Safari tabs live in an sqlite database somewhere under the users home directory.

Library/Safari/CloudTabs.db has several tables, including cloud_tabs with the following schema

@gwire
gwire / tinyipv6.py
Last active September 22, 2024 00:31
Generate IPv6 AAAA records in tinydns format
#!/usr/bin/env python3
#
# tinyipv6 - generate an IPv6 type 28 AAAA record in the tinydns format
#
# example: ./tinyipv6.py -l 60 -d host.example.com -i 2001:db8:85a3:8d3:1319:8a2e:370:7348
# :host.example.com:28:\040\001\015\270\205\243\010\323\023\031\212\056\003\160\163\110:60
#
# -3 and -6 options will generate "3:" and "6:" type records, if your server supports them
#
# 2022 Lee Maguire
@gwire
gwire / hblhash.py
Created July 28, 2022 21:48
Generate an email hash to check the Spamhaus Hash Blocklist (HBL)
#!/usr/bin/env python3
#
# hblhash.py - generate hashes to check against the Spamhaus Hash Blocklist
#
# Spamhaus operates a blocklist of hashed email addresses (and other data types)
# it can't be used without an API key - but single hash queries can be made
# via check.spamhaus.org (eg useful for diagnosing specific delivery issues)
#
# This script will take an email address and generate a URL to check the HBL
#
@gwire
gwire / tinysvcb.py
Last active August 10, 2022 22:18
Tool to generate SVCB/HTTPS DNS records for tinydns
#!/usr/bin/env python3
# tinysvcb - generate a RR type 64 SVCB or 65 HTTPS records in tinydns wire format
#
# example: ./tinysvcb.py --https --domain example.com --priority 0 --target host.example.com
#
# Based on https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/10/
#
# 2022 Lee Maguire
@gwire
gwire / tinycaa.py
Last active August 15, 2022 22:31
Tool to generate CAA records for tinydns
#!/usr/bin/env python3
# tinycaa - generate a CAA RR type 257
#
# example: ./tinycaa.py --domain example.com --flag 1 --tag issue --ca ca.example.net
#
# https://www.rfc-editor.org/rfc/rfc8659
#
# 2022 Lee Maguire