Why does(n't) it work?

Migrating crypt scheme with PostfixAdmin, dovecot and roundcube

14 minute read Published:

How to migrate from an old password crypt scheme to a better one.

This post is based on https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixadmin-and-roundcube/ with adjustments for my situation and updated links to the documentation. I use PostfixAdmin 3.3.15, Roundcube 1.6.11 and Dovecot Community Edition (CE) 2.4.1.

When I was migrating from Debian bookworm to trixie, I noticed that Dovecot was upgraded to version 2.4.1, and because I had to enable the deprecated auth_allow_weak_schemes option, I thought it would be a good idea to look at how to improve the security of the passwords that are stored for my email setup. On the documentation site for Dovecot CE there is a nice page on Converting Password Schemes, which pointed to the site this post is based on.

Originally I chose to use the MD5-CRYPT scheme, because it was the most universally supported scheme that was not plain text. Now it is time to move to something more secure.

mozilla not creating ~/Desktop etc

1 minute read Published:

This blog post is based on http://evolvisforge.blog.tarent.de/archives/124. Mozilla Firefox has a tendency to create a ~/Desktop directory, among others (things like ~/Downloads). If you want to prevent this, you can use the following commands:

mkdir -p -m0700 ~/.config
cat >~/.config/user-dirs.dirs <<EOF
XDG_DESKTOP_DIR="$HOME/"
XDG_DOCUMENTS_DIR="$HOME/"
XDG_DOWNLOAD_DIR="$HOME/"
XDG_MUSIC_DIR="$HOME/"
XDG_PICTURES_DIR="$HOME/"
XDG_PUBLICSHARE_DIR="$HOME/"
XDG_TEMPLATES_DIR="$HOME/"
XDG_VIDEOS_DIR="$HOME/"
EOF

Upon next start, Firefox (and other XDG-compliant applications) will throw stuff into ~/ instead.

Log subject lines in postfix

2 minute read Published:

Why add subject to postfix logging

If you are running your own email server, you may have been asked whether an email was handled correctly. Since users mostly remember only the subject of the message, it is useful to have the subject in the postfix logging so you can search for it.

Dnssec Algorithm Rollover

8 minute read Published:

Preparing for the rollover with bind and its DNSSEC policies

Make sure you have at least bind 9.16.0, because otherwise the policies are not available. To be able to use bind’s DNSSEC-policy feature, the current setup first has to be migrated to a policy. The original setup was the following:

zone "t0d.nl" {
    ...
        auto-dnssec maintain;
        inline-signing yes;
    ...
};

And I converted this to the following custom policy:

dnssec-policy "rsa_default" {
    dnskey-ttl 24h;
    keys {
        ksk lifetime unlimited algorithm RSASHA256 2560;
        zsk lifetime 90d algorithm RSASHA256 1536;
    };
    max-zone-ttl 3600;
    parent-ds-ttl 600;
    parent-propagation-delay 2d;
    publish-safety 14d;
    retire-safety 14d;
    signatures-refresh 5d;
    signatures-validity 15d;
    signatures-validity-dnskey 15d;
    zone-propagation-delay 2h;
};

I then applied that policy in the zone definition:

zone "t0d.nl" {
        type master;
        dnssec-policy rsa_default;
        //auto-dnssec maintain;
        //inline-signing yes;
        ...
};