1. 19

    Self-hosted on OpenBSD with OpenSMTPD and dovecot. I have been self-hosting my email for over a decade, so I’ve been through all the ups and downs. I like to run my own stuff, have a maximum level of privacy and always learn new stuff. On the downside, I nearly lost my complete inbox twice (restored from backups, so take backups!) and learned very fast that having a primary and a backup MX is different from having two primaries.

    1. 5

      I have also been self-hosting using OpenBSD, OpenSMTPD and dovecot for a number of years. I’ve got a primary and a secondary server with SPF and DKIM. My netblock was blacklisted by outlook.com, but that was easy enough to fix by filling in an online form.

      I also recommend getting yourself onto whitelists like https://www.dnswl.org/.

      1. 4

        I think it’s really cool that you are self-hosted but I have to ask; how are your delivery rates? Do you have DKIM and SPF records? I know it’s quite the challenge to develop a good sending reputation so I am always curious to see how others fare.

        1. 3

          I have SPF records (mainly to make google happy) but no DKIM. However, DKIM is not a hassle to set up. There are plenty of good howtos out there.

          I cannot complain about reputation; it seems all my email reaches the recipient (and yes, also the ones at gmail). I once had some trouble with outlook.com and German Telekom when I had a system at Hetzner, because their IP addresses have a very bad reputation. Since I moved away, everything has worked fine.

        2. 2

          Did the same 4/5 years ago. Never looked back and would not go back to a third-party provider for a million bucks.

        1. 5

          With an xterm and ksh on OpenBSD I just see ^T and nothing happens. When I manually send a SIGINFO it works as expected. What am I doing wrong?

          Edit, solved: I needed to run “stty status ^T” on ksh invocation.

          1. 10

            I am totally impressed by the article. The author tries to silence his computers for decades; I am doing exactly the opposite. All my workstations in the past were equipped with large fans (not the small and noisy ones, the large ones that run slowly) to generate a decent amount of white noise.

            Usually, when I am sitting in my room and nothing is running, I can hear the noise from the trains, cars, kids, etc. outside and from my neighbours inside the house. As soon as I turn my computer on, the room is filled with white noise and I can concentrate on my work. Thus, I personally would never, ever use a silent workstation :)

            Am I the only one using “noisy” computers?

            1. 1

              Have you tried listening to ‘pink noise’? I don’t use it all that often as I prefer silence, but it does help me concentrate sometimes.

              1. 1

                Sounds interesting. Currently I only have the noise generated by my noisy computer.

                How do you generate the noise? Do you use a specific hardware/tool/… ?

                1. 2

                  I first tried listening to YouTube videos like speps mentioned and that got me interested. I had a shell alias for it named ‘pink’ that used sox, but I don’t seem to have it on the computer I’m currently using. I’m pretty sure it was just something like this:

                  $ play -n synth pinknoise vol 0.25
                  

                  I just start it up when I get too distracted. There’s also ‘brownnoise’ and (surprise) ‘whitenoise’. Listening to regular white noise first gives you something to compare it with. I find pink noise to sound kind of like flowing water and not at all distracting. You might be fine with the sound of your computer ;).

                  $ play -n synth brownnoise vol 0.25
                  $ play -n synth whitenoise vol 0.25
                  

                  Actually it might have been this one (sounds more like what I remember): https://askubuntu.com/a/789469

                  1. 1

                    YouTube has videos like 10 hours of whatever noise you want.

                    1. 1

                      I use the iOS app from https://mynoise.net. It generates various types of noises and lets you change levels, save presets, etc. They also have albums on iTunes, Amazon, and Google Play. Most generators cost money but I find the free set to be good enough. Although it does “coloured noises” I prefer the “rain storm” generator.

                1. 2

                  I don’t get it. Why on earth is every article about DNS recommending Google’s DNS server? I mean, it’s not like the world hasn’t operated a DNS server before 8.8.8.8…

                  1. 1

                    Presumably because (like 1.1.1.1 & 9.9.9.9) it is very easy to remember.

                    1. 1

                      Why does anyone need to remember the address of some 3rd party DNS server?

                      1. 3

                        Because frequently ISPs have really terrible or slow DNS.

                        RCN had a DNS outage that lasted days, which made my internet at home look like it had no connection to anything even though network traffic was flowing as expected. I switched to Google’s DNS servers because I never want to deal with ISP DNS again.

                        I also updated some DNS once, which AT&T’s mobile DNS cached as nothing for far too long (making me suspect their negative TTL is like 2h+ long), and changing my phone’s DNS server allowed me to get at what I needed.

                        1. 2

                          Using some DNS server, your own or a 3rd party’s, in no shape or form requires the operator to mentally memorize the address of said DNS server.

                          I run my own DNS servers. I can’t tell you offhand what their IPs are. I only cared about that when I configured my DHCP server, and then I copy-pasted the IPs without having to commit them to memory.

                          1. 2

                            8.8.8.8 and 8.8.4.4 are really easy to remember. They’re also known high-uptime IPs, so they’re really useful for troubleshooting a server to determine where in a network stack issues may be arising (if any).

                            I’m not recommending that everyone remember them, but if you use them enough times they start to stick around just because that’s how brains work.

                            1. 1

                              How do you copy-paste them onto a device that doesn’t yet have a working DNS server, exactly…?

                              1. 1

                                Copy the IP from the file containing the DNS server IP into the file containing the DHCP configuration?

                                Sorry, I don’t understand the question.

                                1. 1

                                  How does the file with the DNS server IP get onto the device in the first place?

                                  1. 1

                                    I write it?

                                    1. 1

                                      How do you know what to write?

                                      You seem to be belabouring the point here but I’ll humour you.

                                      1. 1

                                        I know what to write in my config files because I know basic system and network administration so that I can plan a network.

                                        1. 2

                                          Good for you. For everybody else, there’s 8.8.8.8 ;-p

                          2. 1

                            Presumably for configuring a router or overriding the shitty DNS server provided by one’s ISP.

                            1. 1

                              I didn’t say you should not use some other DNS server, I asked why do you need to mentally remember the address of some DNS server.

                              1. 1

                                Because it’s faster than looking it up.

                                1. 1

                                  Do you remember the IPv6 address too? I sure don’t. If you don’t remember the IPv6 address, what’s the point of remembering the IPv4 one?

                                  Personally I always want to use my own DNS server, for many reasons including privacy, security, and local zones, and then yes, I do have to look it up. Never considered that to be a problem.

                                  1. 1

                                    You still don’t really need IPv6 for typical Internet usage.

                                    Look, you can run your own DNS server if you want to. Nobody’s stopping you. But the overwhelming majority of people neither care to nor know how. For them it’s good enough to just remember 8.8.8.8

                          3. 1

                            Indeed, they are easy to remember. However, that’s not the point I want to make. Your upstream DNS can see/log/sell every (!) DNS resolution you will ever do. So if you are resolving helpmewithmymedicalissue.com or ilikethisp0rndomain.com they’ll know it. And since Facebook and Cambridge Analytica we know that they will sell it.

                            So please keep a list of trusted DNS resolvers or operate your own and add them to your systems.

                            1. 1

                              Google’s 8.8.8.8 does not store your IP address for more than 48 hours or sell it.

                              See https://developers.google.com/speed/public-dns/faq#privacy

                        1. 6

                          Anyone know of cloud providers (either virtualized or real hardware) that either offer OpenBSD, or allow you to install OpenBSD easily and without hacks?

                          I only know of prgmr.com, RootBSD and ARP Networks. I am interested in companies offering real professional support running on server grade hardware (ECC, Xeon, etc) with proper redundant networking, etc, so amateur (but cheap) stuff like Hetzner doesn’t count.

                          Somewhat tangential, but I am also interested in European companies. I only know of CloudSigma, Tilaa, Exoscale and cloudscale.ch. Are they any good?

                          EDIS and ITL seem to be Russian companies or shells operating in European locations, not interested in those.

                          Many thanks!

                          1. 5

                            https://www.vultr.com/servers/openbsd

                            I wouldn’t consider Gilles’ method a hack at this point, now that online.net gives you console access. Like usual, you first have to get the installer on to a disk attached to the machine. Since you can’t walk up to the machine with a stick of USB flash, copying it to the root disk from recovery mode makes all the sense.

                            1. 2

                              Thanks, I forgot about vultr.

                              As for installing, I would vastly prefer PXE boot. It’s not just about getting it installed. It’s about having a supported configuration. I am not interested in running configurations not supported by the provider. What if next year they change the way they boot the machines and you can’t install OpenBSD using the new system anymore? A guarantee for PXE boot ensures forward compatibility.

                              Or what if some provider that is using virtualization updates their hypervisor which has a new bug that only affects OpenBSD? If the provider does not explicitly support OpenBSD, it’s unlikely they will care enough to roll back the change or fix the bug.

                              You’re not paying for hardware, as Hetzner showed, hardware is cheap, you’re paying for support and for the network. If they don’t support you, then why pay?

                              1. 2

                                Yeah I share your concerns. That’s why I’ve hesitated to pay for hosting and am still running all my stuff at home. It would suck to pay only to hear that I’m on my own if something changes and my system doesn’t work well after that change.

                                Given how often OpenBSD makes it to the headlines on HN and other tech news outlets, it is really disappointing how few seem to actually care enough to run or support it. It’s also disappointing considering that the user base has a healthy disdain for twisting knobs, and the system itself doesn’t suffer much churn. It should be quite easy to find a stable & supported hardware configuration that just works for all OpenBSD users.

                                1. 1

                                  It should be quite easy to find a stable & supported hardware configuration that just works for all OpenBSD users.

                                  Boom! There it is. The consumer side picks their own hardware expecting whatever they install to work on it. They pick for a lot of reasons other than compatibility, like appearance. OpenBSD supporting less hardware limits it a lot there. I’ve always thought an OpenBSD company should form that uses the Apple model of nice hardware with desktop software preloaded for some market segment that already buys Linux, terminals, or something. Maybe with some must-have software for business that provides some or most of the revenue so not much dependency on hardware sales. Any 3rd party providing dediboxes for server-side software should have it easiest since they can just standardize on some 1U or 2U stuff they know works well with OpenBSD. In theory, at least.

                            2. 4

                              https://www.netcup.de/

                              I run the above setup on a VPS. OpenBSD is not officially supported, but you can upload custom images. Support was very good in the last 3-4 years (didn’t need it recently).

                              1. 2

                                Looks nice, especially since they are locals :) Do you mind answering some questions?

                                • Do they support IPv6 for VPS (/64)?
                                • Have you tried to restore a snapshot from a VPS?
                                • Mind sharing a dmesg?
                                1. 3
                              2. 2

                                I have two OpenBSD vservers running at Hetzner https://www.hetzner.com . They provide OpenBSD ISO images and a “virtual KVM console” via HTTP. So installing with softraid (RAID or crypto) is easily possible.

                                As of a week ago there is no official vServer product anymore. Nowadays they call it … wait for it … cloud server. The control panel looks different; however, I have no clue if something[tm] changed.

                                Here is a dmesg from one server: http://dmesgd.nycbug.org/index.cgi?do=view&id=3441

                                1. 2

                                  Joyent started providing a KVM OpenBSD image for Triton last May: https://docs.joyent.com/public-cloud/instances/virtual-machines/images/openbsd

                                  (This has been possible for some time if you had your own Triton cluster, but there was no official way until this was published.)

                                  1. 1

                                    What’s the deal for cloud providers for not making OpenBSD available? Is it technically complex to offer, or just that they don’t have the resources for the support? Maybe just a mention that it’s not supported by their customer service would already help users no?

                                    1. 11

                                      As far as I know, it’s a mix of things. Few people ask for OpenBSD, so there’s little incentive to offer it. Plus a lot of enterprise software tends to target RHEL and other “enterprise-y” offerings. Even in the open source landscape, things are pretty dire:

                                      OpenBSD also seems to have pretty bad timing issues on qemu/KVM that have fairly deeply rooted causes. Who knows what other horrors lurk in OpenBSD as a guest.

                                      OpenBSD doesn’t get people really excited, either. Many features are security features and that’s always a tough sell. They’d rather see things like ZFS.

                                      For better or for worse, OpenBSD has a very small following. For everybody else, it just seems to be the testing lab where people do interesting things with OS development, such as OpenSSH, LibreSSL, KASLR, KARL, arc4random, pledge, doas, etc. that people then take into OSes that people actually use. Unless some kind of Red Hat of OpenBSD emerges, I don’t see that changing either. Subjectively, it feels very UNIX-y still. You can’t just google issues and be sure people have already seen them before; you’re on your own if things break.

                                      1. 9

                                        Rust’s platform support has OpenBSD/amd64 in tier 3 (“which are not built or tested automatically, and may not work”).

                                        I can talk a little about this point, as a common problem: we could support OpenBSD better if we had more knowledge and more people willing to integrate it well into our CI workflow, make good patches to our libc and so on.

                                        It’s a damn position to be in: on the one hand, we don’t want to be the people that want to inflict work on OpenBSD. We are in no position to ask. On the other hand, we have only a few with enough knowledge to make OpenBSD support good. And if we deliver half-arsed support but say we have support, we get the worst of all worlds. So, we need people to step up, and not just for a couple of patches.

                                        This problem is a regular companion in the FOSS world, sadly :(.

                                        Also, as noted by mulander: I forgot semarie@ again. Thanks for all the work!

                                        1. 7

                                          semarie@ has been working upstream with rust for ages now… It would be more accurate to say ‘we need more people to step up’.

                                          1. 3

                                            Right, sorry for that. I’ll change the wording.

                                  1. 4

                                    I have been using the ZIM Desktop Wiki (http://zim-wiki.org/) for years now. It has pretty good edit capabilities, including images and tables, and you can easily export HTML.

                                    To sync between multiple machines I put all Notebooks into a git repo synced via SSH with my personal server.

                                    1. 2

                                      Zim is really awesome, I’m using it both as a personal Wiki and as a Wiki for the dev team at the studio. The main drawback for me is that the markup is not markdown and that the default styling is a bit uninspiring. Before that, I was using Tomboy.

                                      1. 2

                                        Right, the default style is ugly. I fixed this by adding a customized style.conf.

                                    1. 6

                                      Next for Windows users :)

                                      curl | sh

                                      1. 2

                                        curl | powershell.exe

                                        (at least that would require explicitly allowing random powershell scripts to run, but every developer would do that)
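                                        The safer shape of the `curl | sh` pattern the two comments above joke about, as an added example that is not part of the thread: download to a file, compare it against a SHA-256 digest obtained out of band (from the project’s release page, a signed announcement, or your own earlier review), and only then execute it. Function names, the temp-file handling and the `example.invalid` URL in the usage line are assumptions of this example; `curl --proto '=https'` and `sha256sum`/`shasum` are real flags and tools.

```shell
#!/bin/sh
# Added example (not from the thread): "curl URL | sh" with a verification step.
# The script is written to disk, its SHA-256 is compared with a digest you
# pinned in advance, and it is executed only on a match. Names are hypothetical.

# Print the SHA-256 hex digest of a file, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_run FILE EXPECTED_SHA256
# Runs FILE with sh only if its digest equals EXPECTED_SHA256.
# Returns 1 on a mismatch, otherwise the script's own exit status.
verify_and_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        printf 'refusing to run %s: got %s, expected %s\n' \
            "$file" "$actual" "$expected" >&2
        return 1
    fi
    sh "$file"
}

# fetch_verify_run URL EXPECTED_SHA256
# Fetches URL into a temp file (HTTPS only, TLS verification left on, fail on
# HTTP errors) and hands it to verify_and_run. The temp file is removed either way.
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    if ! curl -fsSL --proto '=https' -o "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    verify_and_run "$tmp" "$expected"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: ./verified-install.sh https://example.invalid/install.sh <sha256>
if [ "$#" -eq 2 ]; then
    fetch_verify_run "$1" "$2"
fi
```

The digest has to come from somewhere other than the same unauthenticated channel as the script, otherwise an attacker who can swap the script can swap the hash too; `--proto '=https'` additionally refuses a downgrade to plain HTTP on redirect. On Windows the same shape applies to `curl | powershell.exe`, with `Get-FileHash` in place of `sha256sum`.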

                                      1. 1

                                        The link does not work, so here is my handle @xhr

                                        1. 1

                                          People get accustomed to things, get emotional and don’t particularly like change very much. I’m sure Firefox 57 will also get a fair share of sour feedback and comments written in uppercase. That’s inevitable. But sometimes, in order to move forward and do good stuff, we have to make some tough decisions for the greater good that not everyone will agree with.

                                          You guys have fun with your greater good. I’ll stick with 56 where my add-ons still work.

                                          1. 3

                                            There’s a hidden flag you can toggle to reenable legacy extension support in the non-stable channels, but continued compatibility going forward isn’t guaranteed.

                                            1. 2

                                              Do you know if this secret flag is also in the released 57?

                                              Thanks for the tip either way ;)

                                              1. 5

                                                It won’t. And lots of internal APIs have already been removed and replaced with asynchronous code, to make Firefox 57 as snappy as it is. Breakage is imminent, I’m afraid.

                                            2. 2

                                              Thought so too when recognizing that my add-ons stopped working when I switched to Firefox 57 beta. Then I contained my emotional side and searched for alternative add-ons that run on 57.

                                              Guess what, I replaced all my add-ons and I really like the new ones. Wish I had replaced them earlier.

                                            1. 9

                                              A few other methods:

                                              libetc is a LD_PRELOAD-able library, which intercepts opening of dotfiles under $HOME and opens them from $XDG_CONFIG_HOME instead.

                                              rewritefs is a FUSE filesystem which lets you configure rewriting of paths similar to Apache HTTPd’s mod_rewrite. You can configure it to perform a mapping of $HOME/.* to $XDG_CONFIG_HOME/* as well.

                                              1. 3

                                                The description from libetc reads as follows:

                                                “On my system I had way too much dotfiles […] For easier maintenance I wrote libetc.”

                                                Really, why should I care? They do not pop up during ls, they will be backed up like all other files and the most important ones live in a git repo. LD_PRELOADing a lib just to have a clean $HOME seems a lot like being a Unix hipster. Or maybe I am just getting old…

                                              1. 3

                                                The analysis has been sponsored by Google. X41 D-Sec GmbH accepted this sponsorship on the condition that Google would not interfere with our testing methodology or control the content of our paper. We are aware that we could unconsciously be biased to produce results favorable to our sponsor, and have attempted to eliminate this by being as transparent as possible about our decision-making processes and testing methodologies.

                                                (Emphasis is mine.)

                                                Is this the reason why Mozilla Firefox is notably absent from this test, I wonder?

                                                1. 2

                                                  I dunno why, but Firefox was absent from a lot of things[tm] in the past. It’s not part of the paper above, it’s not a big part of the recent Browser Security paper by Cure53 (https://github.com/cure53/browser-sec-whitepaper) and it wasn’t part of the latest pwn2own contests.

                                                  1. 1

                                                    At the time the report was commissioned, I’m not sure Firefox had much sandboxing to speak of.

                                                    1. 1

                                                      On Windows, there were several sandboxing products people combined with Firefox since it was a general problem not limited to Firefox. Linux had mechanisms for it, too. So, they should improve their security but built-in sandboxing wasn’t strictly necessary. That said, I think it was organizational priorities and talent that was root cause.

                                                    2. 1

                                                      The cure53 paper mentions they really wanted to include it. Google was against it, citing a 2014 study about the Tor browser (which is pre-e10s, pre sandboxing etc.)

                                                      I personally think that the goal of this paper is to get enterprises to switch from Edge/IE to Chrome. To make it easier for corporate decision makers, the comparison is only to their main rival for this specific market.

                                                    1. 3

                                                      This is one of the reasons why I use a rather simple terminal (st - https://st.suckless.org/) for daily use. The code size with 4k LoC is still something you can have a look at.

                                                      1. 2

                                                        st doesn’t even have the ability to scroll. Comparing it to iTerm2 which has a ton of functionality is a joke. People are using iTerm2 for that extra functionality or else they’d just use Terminal.app.

                                                        1. 1

                                                          Just use that patch: https://st.suckless.org/patches/scrollback/

                                                          However, you’re missing the point. This discussion is not about “ton of functionality”, it is about security and privacy. The bug complains about a privacy issue. And if I want to have a terminal that respects both I need one which can be easily reviewed. I suspect st is more easy to review than iTerm2…

                                                      1. 5

                                                        I am with @amontalenti in the group of long time Thinkpad users. Started with a T32, T42, T43, X200, X220, T450s all of them running either Linux or DragonFly BSD or recently OpenBSD. You can see I am a clear fan of their Laptops.

                                                        However, a recent event might have changed my mind. The display on my T450 broke and I sent it to Lenovo for repair. At first I was really surprised to get a notification about my cost estimate being ready after 3 working days (including shipment from Germany to Poland). Interestingly, they asked for my sales tax ID and would not send me the cost estimate without one. Since I am a private person and not a company I do not have a sales tax ID (at least that’s the way it is in Germany). After explaining this to them, the whole customer experience process went to hell :/

                                                        The repair center in Poland that wanted the sales tax ID stopped responding to my emails. The call center in Croatia could reach them only via email and no escalation helped. Nobody could give me the exact status of my cost estimate or my laptop at all, and everybody blamed the others. Since I knew that the cost estimate had already been written I was pretty disappointed, and nobody spoke to me for 3.5 weeks. Then someone from the UK approached me and told me that there was a hiccup in the financial dept and they now know that private persons have no sales tax ID. Finally, another week later I got my estimate and another week later my laptop back. In summary, it took them over 5 weeks to replace a simple display.

                                                        1. 2

                                                          That sounds like a pretty poor experience. I imagine this is some foolish attempt to prevent repairs by bootleggers. But I wouldn’t read into it too deeply. For a contrasting experience, I had recently received a factory outlet model from Lenovo that had some screen damage, and I called them up and they instantly refunded the full purchase. I could order its replacement straight away and without hassle.

                                                          One thing to recognize about Lenovo is that it is offering PC hardware choice in an industry that is tending to be dominated by Apple, Microsoft, and Google “vertically-integrated” hardware+software. It’s a tough business.

                                                          1. 2

                                                            This is all Lenovo repairs, including my thoroughly botched repair. I think it would be a mistake to buy a Lenovo laptop until they’ve had a major corporate reorganization. These are organizational problems, not technical.

                                                          1. 3

                                                            I’ve been using vi/vim for over 20 years now and never stumbled upon the session feature. Damn, I’m getting old…

                                                            1. 2

                                                              I’m sure the Linux ecosystem would be open to the changes necessary for openntpd to do its thing on that platform, wouldn’t it?

                                                              1. 3

                                                                The interface in question is the use of libtls, but even that is just an API. libtls could be “ported” to OpenSSL trivially.

                                                                1. 3

                                                                  Since libtls is just a wrapper around the OpenSSL API anyway, this shouldn’t be a show stopper by any means. I suppose @hanno is just unfamiliar with libtls, and hence got a wrong impression.

                                                                  Edit: See this talk for an intro to libtls and its intentions: https://www.youtube.com/watch?v=Wd_dyRbE4AA

                                                                  1. 1

                                                                    I think I’m aware of the intention of libtls. But intentions are irrelevant.

                                                                    I think my requirement was stated clearly: It should be available on common Linux distributions. Aka “I want to do [packagemanagement installcommand] openntpd and get the feature”. I don’t think that’s the case right now.

                                                                    If that would give me a wrapper of libtls around OpenSSL I’d be happy to change my opinion.

                                                                    1. 1

                                                                      Ok, I understand. I agree it would be great if somebody had already done the work to make that happen.

                                                                2. 1

                                                                  I’m sure it already works on Linux though? At least on Arch and Alpine, OpenNTPD is included in official packages. Some distro I’ve installed recently — IIRC it was Alpine — asked me right in the installer whether I wanted ntpd, chrony or openntpd.

                                                                  1. 2

                                                                    You can install OpenNTPd on nearly all Linux distributions; however, nearly all of them lack constraints support because it depends on LibreSSL’s libtls. Thus, Hanno has a valid point here. I’d love to see a “usable” version of LibreSSL on Linux.

                                                                1. 4

                                                                  This is by the author of Synth who was kicked out of the FreeBSD ports community in a storm of controversy. While I don’t know anything about Ravenports I wish this effort would be spent on making Nix more universal. Or at least implementing Nix in something other than a hot mess of C++ code. And I hate manifest files, why can’t the package manager figure that out for me on install!??!

                                                                  1. 3

                                                                    I guess this is John’s way to make Nix more universal :) Developing dports and retiring pkgsrc moved DragonFly a big step forward.

                                                                    1. 1

                                                                      Would you have any links to the discussion(s) surrounding the switch from pkgsrc to dports? I’m curious about the details.

                                                                    2. 2

                                                                      Wait, what?! I just knew him as a long-time dports maintainer in DFly, had no idea he had since been kicked out of the FreeBSD ports. I guess I missed another layer of controversy in *BSD!

                                                                      For how relatively small all the *BSD projects are, and being all volunteer-based effort, it’s quite amazing how often folks get ‘fired’ from the various projects. Curious — does it happen in the Linux world as often?!

                                                                    1. 5

                                                                      Are there existing stories that are currently poorly tagged but would fit well with this tag? That’s usually the clincher in discussions like this.

                                                                      1. 2

                                                                        I already asked some authors of existing stories to edit them and add the tag.

                                                                        1. 2

                                                                          I believe most stories can’t be edited after a while - best you can do is use the suggest option to suggest the tag on related stories.

                                                                      1. 1

@trousers: Could you add a dragonflybsd tag? It would make searches/filters easier. Thanks!

                                                                        1. 1

                                                                          I certainly will next time. Alas, I don’t think I can add tags after a certain period of time. At least I don’t see any way to do so…

                                                                        1. 1

@angersock: Could you add a dragonflybsd tag? It would make searches/filters easier. Thanks!

                                                                          1. 1

                                                                            I can’t at this time. Maybe @jcs?

                                                                          1. 12

                                                                            Added.

                                                                            1. 3

                                                                              Thanks!