Setting up a mail relay server with Postfix, DKIM, and a little Nebula trickery.

Sep 22 2020

Given the proliferation of spam on just about every vaguely workable platform these days it seems sheer insanity to attempt to run your own mail server.  If it's out there, it's ripe for abuse in one way or another.  And yet, e-mail is still probably one of the best ways to get status reports from your machines every day (my SMTP bridge notwithstanding).  So the default configuration of mail servers these days amounts to "no way in hell will I relay a message for you," which is a net good for the Internet as a whole, but by and large a huge pain in the ass if you actually want to set up a mail relay for some reason.  In my case, I wanted to set up Leandra (running in my rack at home) to relay outbound mail through another of my servers on the outside.  I further wanted to ensure that Leandra's outbound mail had the same kind of authentication and protection measures the rest of my machines have, so that my servers wouldn't wind up on any spam blacklists and would be significantly difficult (because there is no 'impossible') to abuse.

The first thing I had to do was set up an A record in DNS for pointing at the same IP address as the server I wanted to relay through.  If this were a sane and reasonable world I'd just set an alias with a CNAME record, but it seems like nothing out there plays nicely with aliases anymore (and an MX record in particular is not allowed to point at a CNAME).  There is nothing that says a single IP address can't have more than one hostname associated with it, so this isn't a big deal.

However, DKIM is kind of a big deal.  I don't fully understand it but I'll try explaining it as best I can, at least insofar as it applies to our use case.
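The part of DKIM a relay operator most often ends up debugging is which bytes actually get hashed and signed.  What follows is an added example, not code from the original post and not a Postfix or OpenDKIM configuration: it implements the RFC 6376 body and header canonicalization rules with the Python standard library, computes the bh= value, and assembles the byte string that the RSA signature in b= covers.  The sample message is constructed for the demonstration; key generation and the signature itself are left to a real library such as dkimpy or OpenDKIM.

```python
import base64
import hashlib
import re


def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """RFC 6376 section 3.4.3 / 3.4.4 body canonicalization.
    simple:  drop trailing empty lines only; an empty body becomes a lone CRLF.
    relaxed: also collapse runs of SP/TAB to one SP and strip trailing
             whitespace on every line; an empty body stays empty.
    The result always ends in CRLF, so sender and receiver hash the same
    bytes no matter how line endings survived transit."""
    if method not in ("simple", "relaxed"):
        raise ValueError(f"unknown canonicalization {method!r}")
    lines = body.replace(b"\r\n", b"\n").split(b"\n")  # tolerate bare LF input
    if method == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":                  # ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"" if method == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, method: str = "relaxed") -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def canonicalize_header(name: str, value: str) -> bytes:
    """Relaxed header canonicalization: lowercase the field name, unfold
    continuation lines, collapse whitespace runs, trim around the colon,
    and terminate with CRLF."""
    unfolded = value.replace("\r\n", "").replace("\n", "")
    collapsed = re.sub(r"[ \t]+", " ", unfolded).strip()
    return f"{name.strip().lower()}:{collapsed}\r\n".encode("utf-8")


def signed_input(headers, dkim_signature_value: str) -> bytes:
    """The bytes the b= signature is computed over: every header listed in
    h= (in that order), then the DKIM-Signature header itself with the b=
    value emptied and without its final CRLF (RFC 6376 section 3.7)."""
    data = b"".join(canonicalize_header(n, v) for n, v in headers)
    stripped = re.sub(r"(?<![A-Za-z])b=[^;]*", "b=", dkim_signature_value)
    return data + canonicalize_header("DKIM-Signature", stripped)[:-2]


if __name__ == "__main__":
    # Constructed sample message, not from the original post.
    hdrs = [("From", "leandra@example.com"),
            ("To", "ops@example.com"),
            ("Subject", " nightly  status\r\n report ")]
    body = b"All systems nominal.  \r\n\r\n\r\n"
    bh = body_hash(body)
    sig = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; "
           f"s=mail; h=from:to:subject; bh={bh}; b=")
    print("bh =", bh)
    print(signed_input(hdrs, sig).decode())
```

Note that relaxed canonicalization is what makes the signature survive relays that re-wrap headers or trim trailing whitespace; if a relay in the path rewrites the body beyond that (footers, MIME rewrapping), bh= no longer matches and the signature fails regardless of how correct the keys are.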

Calculating entropy with Python.

Sep 13 2020

Fun fact: There is more than one kind of entropy out there.

If you've been through high school chemistry or physics, you might have learned about thermodynamic entropy, which is (roughly speaking) the amount of disorder in a closed system.  Alternatively, and a little more precisely, thermodynamic entropy can be thought of as the tendency of the heat in a volume of space to spread out evenly throughout that volume.  But that's not the kind of entropy that I'm talking about.

Information theory has its own concept of entropy.  One way of explaining information theory is that it's the mathematical study of messages as they travel through a communications system (which you won't need to know anything about for the purposes of this article).  In the year 1948.ev Claude Shannon (the father of information theory) wrote a paper called A Mathematical Theory of Communication in which he proposed that the amount of raw information in a message could be thought of as the amount of uncertainty (or perhaps novelty) in a given volume of bits (a message) in a transmission.  So, Shannon entropy could be thought of as asking the question "How much meaningful information is present in this message?"  Flip a coin and there's only one bit - heads or tails, zero or one.  Look at a more complex message and it's not quite so simple.  However, let's consider a computational building block, if you will:

One bit has two states, zero or one, or 2^1 states.  Two bits have four possible states: 00, 01, 10, and 11, or 2^2 possible states.  n bits have 2^n possible states, which means that they can store up to n bits of information.  Now we bring in logarithms, which we can think of in this case as asking "what exponent foo would we need in 2^foo to get the number of possible states?"  That exponent is the number of bits, and log2 of the number of states hands it to us directly.  Shannon entropy asks the same question of each symbol's probability of turning up, and adds the answers up weighted by those probabilities over the whole message.
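Here is the calculation carried through in code, as an added example that is not the original post's script: Shannon entropy over the byte values of a buffer, the total information content (entropy times length), and the ceiling a buffer of a given length can reach.  That ceiling matters in practice: a 16-byte string cannot show more than 16 distinct symbols, so comparing short fields against a flat 8 bits per byte makes every short secret look "low entropy".  The sample inputs are constructed.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: H = -sum(p_i * log2(p_i)) over the
    byte values that actually occur.  0.0 for a constant buffer, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def information_bits(data: bytes) -> float:
    """Total information content of the message: H times its length."""
    return shannon_entropy(data) * len(data)


def max_entropy(length: int) -> float:
    """Ceiling on H for a buffer of this length.  A buffer cannot contain more
    distinct symbols than it has bytes, so the bound is log2(min(n, 256))."""
    if length <= 0:
        return 0.0
    return math.log2(min(length, 256))


def entropy_ratio(data: bytes) -> float:
    """H divided by its ceiling for this length.  1.0 means 'as random as a
    buffer this long can look', which is the useful yardstick when scanning
    short fields (tokens, keys, encrypted blobs) rather than whole files."""
    if len(data) < 2:
        return 0.0
    return shannon_entropy(data) / max_entropy(len(data))


if __name__ == "__main__":
    # Constructed sample inputs, not data from the original post.
    samples = {
        "constant": b"A" * 64,
        "two symbols": b"ab" * 32,
        "english": b"the quick brown fox jumps over the lazy dog " * 2,
        "all 256 byte values": bytes(range(256)),
    }
    for label, blob in samples.items():
        print(f"{label:22s} H={shannon_entropy(blob):.3f} bits/byte  "
              f"ratio={entropy_ratio(blob):.2f}  "
              f"total={information_bits(blob):.0f} bits")
```

The English sample lands well below 8 bits per byte because letter frequencies are lopsided; a buffer of all 256 byte values hits exactly 8.0, and anything encrypted or compressed sits close to that.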

COVID-19 quarantine, day... who knows anymore.

Jul 04 2020

I have no idea how long I've been in quarantine.  I've stopped counting because the numbers were just making me twitchy.  Life is going about as well as one could reasonably expect.  We're all safe and sound in northern California, as much as we can be during a pandemic.  Working from home is working from home.  To minimize risk we're getting as much stuff delivered as we can, modulo periodic trips to the local pharmacy to pick up filled prescriptions and suchlike.  I wish I could say the same of things back home in Pennsylvania, but I'd be lying and I'm really not ready to talk about that right now.

I keep thinking of stuff that I want to write about, but every time I sit down at a keyboard state-dependent memory kicks in and I forget all of it.  It is equally annoying and frustrating when that happens.  So I think I'm just going to ramble a bit and see what pops out.

Extending a wireless network with OpenWRT.

Jun 13 2020

One of my earliest covid-19 lockdown projects was doing a little work on my home wireless network.  I have a fairly nice wireless access point upstairs running OpenWRT, sitting behind the piece-of-shit DSL modem-slash-wireless access point our ISP makes us use.  All of our devices connect to that AP instead of the DSL modem.  Let's call it Upstairs.  However, the dodginess of the construction of our house being what it is (please don't ask), wireless coverage from upstairs isn't the greatest downstairs.  The fix for this, conveniently, is to set up another wireless access point downstairs and connect the two in such a way that wireless devices downstairs connect to the second access point (let's call this one Downstairs), which then transparently relays the users' traffic to the Upstairs AP, and then to the public Net (or one of the machines also hanging out on Upstairs).  This was a remarkably easy thing to do but it did take a little background research, which was daunting in and of itself so my goal here is to lay out a nitty-gritty, "Here's how you do this thing" process so you can do it yourself.  Also, in today's political climate, this process has the potential for filling in some essential gaps in emergencies.

First, some basic assumptions that you have to make for this to work: Your wireless access points have to be dual-band - they must be capable of supporting both 2.4GHz and 5GHz networking simultaneously.  This means that they have two independent radios on board, which matters because one radio on Downstairs acts as a client of Upstairs (the uplink) while the other serves the devices downstairs.  If they don't, this won't work.  Seriously, don't try to get clever with this.  Any hackery you try to pull is going to be brittle, and you'll be needlessly inflicting kinetic pattern baldness upon yourself.  Second, it is entirely possible to extend one SSID using this technique but you don't have to.  We have three related wireless networks here: Upstairs-2.4GHz, Upstairs-5GHz, and Downstairs-5GHz, but you can do it differently if you want.  Third, unless you're already using OpenWRT for your wireless network, this probably won't work.

This is an advanced project so you might not want to tackle this on your own if you haven't been tinkering with OpenWRT for a while; this includes being comfortable with SSHing into your access point and installing software (including the web control panel).  I won't walk you through the installation process because OpenWRT already has good documentation for this.  Follow it first to bootstrap your second access point-slash-wireless network extender before you start this tutorial.  I'll also walk you through some of the gotchas I ran into to make life easier for everyone else.  We're going to assume that you're using OpenWRT's default private network layout already but if you aren't adjust the instructions as required.  You do not have to be running the same version of OpenWRT on your access points.  I'm running v18.06.2 on Upstairs and v19.07.2 on Downstairs.

When I built this out at home I purchased a duplicate of the access point I already have.  You probably don't have to do this, but I did just to be sure I knew the make and model was solid.

For the record (and for the sake of my external memory) here are the instructions I used when I originally figured this out.

Reprint: Making your own superconductor.

May 22 2020

Disclaimer: Times have changed since this article was written so seek legal and scientific advice from qualified personnel if you plan to try making your own superconducting materials.  I am not qualified personnel or a lawyer.  Do not try this at home.  We live in a world in which possession of basic chemistry apparatus is illegal in some places, so do your homework.

Process reprinted from OMNI Magazine, November 1987, page 76.  (local PDF) (local CBR) (right-click -> save as to download)

From How To Make Your Own Superconductors, by Bruce Schecter.  Retyped as faithfully as possible.  Hyperlinks mine, added for background.

Paul Grant, a research scientist at the IBM Almaden Research Center in San Jose, California, believes he has even come up with the first practical use of the new superconductors - science education.  A few months after he and his colleagues had whipped up their first batch, he advised high-school science teacher David Pribyl and his students from Gilroy, California (famous for its garlic), to have a go at making superconductors themselves.  Grant feels that this must be some kind of record.  "In less than six months a major discovery made the trip from the research laboratory to a high-school chemistry project," Grant says.  "Next year, science fairs will have hundreds of these experiments."

The new superconductors are made up of yttrium, barium, copper, and oxygen - the chemical formula is Y1Ba2Cu3O7-x.  The proportions of the yttrium, barium, and copper have led scientists to call this material 123 - a nice coincidence since making it is as easy as that.

Faking a telnet server with netcat.

May 20 2020

Let's say that you need to be able to access a server somewhere on your network.  This is a pretty common thing to do if you've got a fair amount of infrastructure at home.  But let's say that your computer, for whatever reason, doesn't have the horsepower to run SSH because the crypto used requires math that older systems can't carry out in anything like reasonable time.  This is a not uncommon situation for retrocomputing enthusiasts.  In the days before SSH we used telnet for this, but pretty much the entire Net doesn't anymore because the traffic wasn't encrypted, so anyone with a mind to eavesdrop could grab your login credentials to abuse later.  However, on a home network, behind a firewall, between systems you own, it doesn't hurt to use it once in a while; just remember that anything else on that network segment can still read the session, so keep it off segments shared with gadgets you don't trust.  Good luck finding systems that still package in.telnetd, though.  However, you can fake it with a tool called netcat.

First, you need a FIFO (first in, first out), which as far as a Linux machine is concerned is a file that processes can open to read and write.  Whatever one process writes into the FIFO comes out the other end, in order, to whatever process is reading it; it's a pipe with a name rather than a broadcast, so each byte is read exactly once.  As passing data goes the question is "how hard do you really need it to be," and FIFOs answer the question with "Not hard."  One gotcha: opening a FIFO blocks until both a reader and a writer have it open, so start both sides (in one pipeline, or with one side backgrounded) or you'll sit there wondering why nothing happens.  Linux boxen come with a tool called mkfifo that creates them; uncreating them is as simple as deleting them like any other file.  This is the first step toward faking a telnet server:
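To make the FIFO behaviour concrete, here is an added example, not the original post's netcat command: it creates a FIFO with owner-only permissions, pushes a couple of constructed messages through it from one thread while another reads, and returns what came out the other end.  It shows the two properties the netcat trick depends on: bytes arrive once and in order, and each open() blocks until the opposite end is also open (which is why the reader is started first).  The path and messages are assumptions for the demonstration.

```python
import os
import tempfile
import threading


def fifo_roundtrip(messages):
    """Create a FIFO, write `messages` through it, read them back, clean up.
    Returns the bytes the reader received, which should be the messages
    concatenated in the order they were written."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "f")
    # Owner-only mode: anything that can open the FIFO can inject into the
    # session that will later be wired through it.
    os.mkfifo(path, 0o600)
    received = []

    def reader():
        # open() blocks here until a writer opens the other end.
        with open(path, "rb") as fifo:
            received.append(fifo.read())  # returns once the writer closes (EOF)

    t = threading.Thread(target=reader)
    t.start()
    # Symmetrically, this open() blocks until the reader above has it open.
    with open(path, "wb") as fifo:
        for m in messages:
            fifo.write(m)
            fifo.flush()
    t.join()
    # "Uncreating" a FIFO is just unlinking it like any other file.
    os.unlink(path)
    os.rmdir(tmpdir)
    return received[0] if received else b""


if __name__ == "__main__":
    # Constructed sample traffic standing in for a telnet-style banner and reply.
    print(fifo_roundtrip([b"login: ", b"root\n"]))
```

If you start the writer first in a real pipeline, it simply blocks on open(); that is the "nothing happens" symptom rather than an error.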

Tunneling across networks with Nebula.

Apr 12 2020

Longtime readers have no doubt observed that I plug a lot of weird shit into my exocortex - from bookmark managers to card catalogues to just about anything that has an API.  Sometimes this is fairly straightforward; if it's on the public Net I can get to it (processing that data is a separate issue, of course).  But what about the stuff I have around the lab?  I'm always messing with new toys that are network connected and occasionally useful.  The question is, how do I get it out of the lab and out to my exocortex?  Sometimes I write bots to do that for me, but that can be kind of clunky because a lot of stuff doesn't necessarily need user interaction.  I could always poke some holes in my firewall, lock them to a specific IP address, and set static addresses on my gadgets.  However, out of necessity I've got several layers of firewalls at home and making chains of port forwards work is a huge pain in the ass.  I don't recommend it.  "So, why not a VPN?" you're probably asking.

I'd been considering VPNs as a solution.  For a while I considered the possibility of setting up OpenVPN on a few of my devices-that-are-actually-computers and connecting them to my exocortex as a VPN concentrator.  However, I kept running into problems with trying to make just a single network port available over an OpenVPN connection.  I never managed to figure it out.  Then part of me stumbled across a package called Nebula, originally developed by Slack for doing just what I wanted to do: Make one port inside available to another server in a secure way.  Plus, at the same time it networks all of the servers it's running on together.  Here's how I set it up.

A little preparation is not a bad thing: Getting Narcan.

Apr 11 2020


There's really no good way to start an article about the epidemic of opiate overdoses and deaths in the United States.  It's a terrible thing.  Unlike a lot of articles out there and stereotyping that happens, a nontrivial number of opioid deaths are due to accidental overdoses of painkillers taken by folks who are trying to manage chronic pain.  I say this as someone whose dental health history reads like Hellraiser fanfic.  If you're in so much pain that you can't even think straight most of the time, especially for years on end, it's really, really easy to make a mistake.  Case in point, the death of Art Bell in 2018 due to an accidental overdose of multiple painkillers.  Many times over the years Bell had complained on the air about his back, and a couple of times his nightly shows were cancelled because he was in too much pain to go on the air.  I've never had to use opiates in such a manner in my life, but I can definitely look at it from the outside and understand at least some of it.

Anyway, I wanted to do a quick writeup about how to get hold of the drug naloxone (local mirror, 20200411), usually sold under the trade name Narcan.  It's an opioid antagonist, which means it shoves molecules of opiate compounds out of their receptor sites and takes their place to arrest and reverse the effects of an overdose.  It can be given by injection, either by a trained medical professional with a syringe or with an autoinjector in the same way as epinephrine is if one is deathly allergic to certain foods or insect stings.  Narcan is also available to civilians in the United States in a single-use, single dose nasal spray.  The idea is, you rip the packaging open, flip the little cap off, shove the end of the sprayer up the patient's nose and squeeze the device so that a mist of naloxone squirts into their sinuses to be absorbed.  It doesn't take much training to use one effectively though I do recommend getting training as part of a regular first aid certification.

Not too long ago I set about acquiring a couple of doses of Narcan to carry around with me as part of my field kit, because you never know what's going to happen.  The page I linked to above says the following about getting naloxone:

Naloxone is a prescription drug. You can buy naloxone in many pharmacies,
in some cases without bringing in a prescription from a physician. The
major pharmacy chains CVS and Walgreens now make naloxone available
without a personal prescription in all stores in the U.S. and the District
of Columbia.

What I did was basically Google 'narcan' and the first hit was how to get Narcan.  Just to be on the safe side I downloaded a copy of the Narcan prescription aid PDF file (local copy), printed it out and brought it with me the next time I went to the pharmacy to pick up my prescriptions.  I just asked for it, handed over the hardcopy of the request, and unfortunately found out that the pharmacist on duty at that moment had never filled such a request before so it wound up not happening.  The next time I went in to get a prescription filled they had it waiting for me along with everything else: A little box of two Narcan nasal sprayers, each with 4mg ready to go.


To be fair, it could just as easily have been the other pharmacist at that store who was on duty, and there would not have been a week's wait and happy surprise on my next trip.  You will probably not run into that particular setback.  Total cost after insurance: $25 US.

Do I need to have Narcan in the house?  No.  None of us use opiates.  Do I feel better having it around in case somebody nearby needs it?  Yes.  Do I feel better having it in my field kit, just in case?  Yes, I do.

Go be safe, people.  And maybe help someone in need.

Using Nginx to spoof HTTP Host headers.

Feb 02 2020

EDIT: s/ to fix part of the backstory.

Let's say that you have a server (like Prosody) that has one or more subsystems (like BOSH and Websockets).  You want to stick them behind a web server like Nginx so that they can be accessed via HTTP - let's say that you want a browser to be able to communicate with those subsystems for some reason.  Or more likely you have a web application that needs to communicate with them in the same way (because Javascript).  Assuming that the above features are already enabled in Prosody, you would put something like this in one of your Nginx config files for, let's say for the sake of argument

    location /http-bind {
        proxy_pass http://localhost:5280/http-bind;
        proxy_set_header Host $host;                    # hand Prosody the hostname the client asked for
        proxy_set_header X-Forwarded-For $remote_addr;  # so Prosody's logs show the real client, not 127.0.0.1
        proxy_buffering off;                            # BOSH long-polls; don't let Nginx sit on responses
        tcp_nodelay on;
    }

    location /xmpp-websocket {
        proxy_pass http://localhost:5280/xmpp-websocket;
        proxy_http_version 1.1;                         # the WebSocket upgrade needs HTTP/1.1
        proxy_set_header Connection "Upgrade";
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_read_timeout 900s;                        # keep idle WebSocket sessions from being cut off
    }

location is the part of the URL Nginx knows it has resources for.  proxy_pass tells Nginx that, whenever something tries to access that part of the URL ( or  it should transparently proxy the connection to the given URL (http://localhost:5280/http-bind or /xmpp-websocket, depending) and forward responses back to the client.  The proxy_set_header Host line matters more than it looks: Prosody uses the Host header to decide which VirtualHost a request belongs to, so if Nginx rewrote it to localhost the request would land on the wrong host (or none at all).

But what if you did something a bit less sensible, like put the client on a different host?

Integrating Huginn with a Matrix server.

Jan 19 2020

Throughout this series I've shown you how to set up a Matrix server and client using Synapse and Riot, and make it much more robust as a service by integrating a database server and a mechanism for making VoIP more reliable.  Now we'll wrap it up by doing something neat, building a simple agent network in Huginn to post what I'm listening to into a Matrix room.  I have an account on that my media players log to, which we'll be using as our data source.  Of course, this is only a demonstration of the basic technique; you can, in theory, plug whatever you want into a Matrix server because the API was designed to be extensible.

We're going to assume that you've already set up a Matrix server and have an account on it, and that you have access to a working Huginn install.