
      What we know about the xz Utils backdoor that almost infected the world

      news.movim.eu / ArsTechnica · Monday, 1 April - 06:55


    On Friday, researchers revealed the discovery of a backdoor that was intentionally planted in xz Utils, an open-source data compression utility available on almost all installations of Linux and other Unix-like operating systems. The person or people behind this project likely spent years on it. They were likely very close to seeing the backdoor update merged into Debian and Red Hat, the two biggest distributions of Linux, when an eagle-eyed software developer spotted something fishy.

    "This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library," software and cryptography engineer Filippo Valsorda said of the effort, which came frightfully close to succeeding.

    Researchers have spent the weekend gathering clues. Here's what we know so far.



      OpenDKIM and Postfix: Signing DKIM for multiple domains

      pubsub.slavino.sk / spam_resource · Tuesday, 2 November, 2021 - 12:00 · 1 minute

    How do I use OpenDKIM with multiple domain names on a single Postfix server? That's a question I myself had when I first set up my current VPS to host my current email system. So I searched around a bit. I found this guide, but it's kind of a pain in. Too much heavy lifting.

    So I tried this instead. It's a bit of a hacker trick nobody seems to mention online: In your opendkim.conf file, where you specify the domain, you can just include multiple domains here, separated by commas.

    Instead of
    domain example.com
    Just put
    domain example.com,example.org,mydomain3.com
    In your opendkim.conf file.

    Upside: Super easy.
    Downside: All domains have to share the same DKIM key, because there's only one DKIM key setting in opendkim.conf.

    It works fine. Though you specify the domain name when creating a DKIM key, there's nothing in the key that is actually domain-specific. At scale, this is insecure. At the hobbyist level, where I've got three domains running on my one server that send a grand total of 150 emails a day, it's not a concern.

    You can also put an asterisk (*) to wildcard the domain setting in opendkim.conf. However, I don't recommend this, because it will try to sign all mail for any domain, without checking to see if a DKIM public key actually exists for that domain. So if you send or forward any mail at all for any other domain, that mail will end up with a broken DKIM signature attached to it. An example where this will happen and be very bad for you is mailing lists. Some mailing lists rewrite the From address to use their own domain to bypass DMARC concerns, but not all do, and some only do it sometimes. So I strongly recommend against using a wildcard here, unless you know what you're doing.
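
One way to check the point above about signing for domains that have no published key, as an added example that is not part of the original post: it reads the domain and selector settings, builds each `selector._domainkey.domain` name, and compares the published `p=` value with the shared key. The selector `mail`, the key string and the TXT records are constructed; in practice the records would come from DNS lookups.

```python
import re

# Constructed sample data, not from the original post.
SAMPLE_CONF = """\
# opendkim.conf
Domain    example.com, example.org,mydomain3.com
Selector  mail
"""
SHARED_P = "CONSTRUCTEDSAMPLEKEYBASE64=="  # placeholder, not a real key
SAMPLE_TXT = {  # stand-in for DNS TXT lookups
    "mail._domainkey.example.com": "v=DKIM1; k=rsa; p=" + SHARED_P,
    "mail._domainkey.example.org": "v=DKIM1; k=rsa; p=",  # empty p= means revoked
    # mydomain3.com: nothing published
}

def parse_conf(text):
    """Return (domains, selector); setting names are matched case-insensitively."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    domains = [d.strip().lower() for d in settings.get("domain", "").split(",")]
    return [d for d in domains if d], settings.get("selector", "")

def parse_tags(txt):
    """Parse a DKIM key record ('tag=value; tag=value') into a dict."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def audit(conf_text, txt_records, expected_p):
    """Map each signing domain to ok / missing / revoked / mismatch / wildcard."""
    domains, selector = parse_conf(conf_text)
    report = {}
    for domain in domains:
        if "*" in domain:
            report[domain] = "wildcard"  # would sign domains with no key published
            continue
        txt = txt_records.get(f"{selector}._domainkey.{domain}")
        if txt is None:
            report[domain] = "missing"
            continue
        p = parse_tags(txt).get("p", "")
        report[domain] = "revoked" if not p else "ok" if p == expected_p else "mismatch"
    return report

if __name__ == "__main__":
    for domain, status in audit(SAMPLE_CONF, SAMPLE_TXT, SHARED_P).items():
        print(f"{domain}: {status}")
```

Any domain reported as missing, revoked or mismatch would send mail whose DKIM signature fails verification, which is the same failure the wildcard setting causes.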

