Guillaume Vaillant

This is not about arquing with the usefulness of it. It’s not even about the evenutal gain in privacy or security that it brings. Even if obviously, this thing is a bit useless if you need a hostname to use it, since you would have to do a traditionnal clear text DNS query :-) Prerequisite Ideally, if you want to run your own DoT/DoH server, a good starting point would be to already have your own DNSSEC enabled DNS server.

Recently, I tried two things with SSLH: using it properly with systemd having it working with both IPv4 and IPv6 (since it runs a machine that supports both) and of course, the firewalling part is now managed with nftables configuration of SSLH itself SSLH is pretty simple: if you tell it listen on a hostname that resolves to both an IPv4 and v6, then, it will work in dual-stack if you tell it to forward request to a hostname that resoves to both an IPv4 and v6, same thing.

This post is about replacing a good old toolchain for email filtering with Rspamd. Namely : Spamassassin/Amavis/Clamav, opendkim/opendmarc/policyd-spf. In the following post, I’ll assume that you already have a running postfix/dovecot setup, and that you read this really nice article: bombats.net/rspamd… my tweaks compared with the pre-mentioned documentation: In the local firewall, allow outgoing traffic to port udp/11335 fuzzy.rspamd.com. You can limit it that the IP address of fuzzy1.rspamd.com (see the fuzzy check module doc enable greylisting (/etc/rspam.

Prérequis: activer le SNMP sur le NAS: en gros, dire quelle version de SNMP utiliser (1 ou 2c), et le nom de la communauté, ça propose de chopper la MIB du NAS, elle est nécessaire, donc on la récupère (copie ici) installer les packages snmp (pour snmpget/walk/…) et bc (si ça n’est pas déjà fait (sur le endpoint icinga2 qui fera les checks. installer la MIBi (toujours sur le endpoint): pour un user: mettre le fichier dans ~/.

Tout est dans le titre :) Les raisons sont un peu les même que celles décrites ici C’est juste que c’est dommage de se limiter à un seul service alors que sur un même port on peut tout à fait faire tourner en même temps: le serveur ssh le serveur openvpn le serveur web Tout ça grâce à SSLH, qui en prime est packagé chez Debian. D’abord, on installe le package sslh.