This feed contains pages in the "xmpp" category.

After beating a dead horse once, you have to do it again.

Quite some time ago now, I ran in to an article where Wietse Venema was interviewed about security focused programming. He is the guy who initially started writing postfix. While he does have some good insights in to why the internet is getting more insecure, there are some things that I think he is missing.

While I understand that reinventing the internet is pointless, there are some things that need to be reinvented. The SMTP protocol is one of those things. The protocol itself was designed for a completely different type of a network. It doesn't do any authentication or verification for the sender. It basically trusts everything that is fed to it. Now, Wietse offers nice ideas on counteracting spam, but the inner problem still persists. The reason why we have so much spam in our mailboxes is because of SMTP.

I was about to write some code and put my money where my mouth is, but today I ran in to yet another scheme to stop spam and realized that I would eventually forget to write this all down before I get the time to write some code. The scheme I ran in to is EmailReg.org which allows you to register the mail servers that are allowed to send mail for your hosts for a nominal(?) fee of $20. While this nominal fee will keep some of the spammers off the lists, it's still reinventing the wheel and trying to fix a symptom of the problem.

There are similar projects, that work with different types of protections. There is SPF, DomainKeys, Sender ID and many more that aim for similar solutions.

I'm not saying that we don't need those kinds of solutions, but rather the solutions are solving the symptom and not fixing the problem. The only real solution is to replace SMTP with something more suitable for the task. The thing that comes in to mind is XMPP. XMPP is a protocol designed for XML packet routing. It's mostly used as an instant messaging platform, but it's not a huge leap to transfer mail through the protocol.

XMPP as a protocol is designed on an age when spoofing and spamming was already a problem and it has safeguards in place to prevent malicious activity. The protocol is suitable for transferring e-mails already so no real modifications are needed for the protocol. Only thing that needs to be done is to document the common practice.

Changing an internet protocol is a large task and one can't take it lightly. The beauty in it all is that most mail servers are already capable of supporting multiple transport protocols. Initial versions of Sendmail delivered the mail through FTP (with some obscure extensions), so switching protocols isn't really that far fetched. Today, Sendmail supports various protocols while the most commonly used one is SMTP. Same goes for postfix and other mail servers. So implementing a new protocol isn't really out of the question.

I'm sorry that I wasn't able to write the code to back this all up, but at least the idea is out there in written form. It shouldn't be too complicated to implement this and get things started. The change won't happen over night, but it has to start somewhere.

Posted Tue Nov 18 00:34:41 2008 Tags: xmpp

Quite some time ago I used to host update.ressukka.net which was a service for certain Jabber clients that allowed the clients to query the latest released version and offer it to the client without using any other protocol than XMPP. It was a useful service at the time, but over time it became easier to just do the same thing over HTTP (since the download was done through HTTP too)

Over time I've noticed mail coming in to that domain, which is kind of natural since mail harvesters quickly pick up Jabber IDs as e-mail addresses since they use the same format. Recently I received a massive scan for to that domain and since it's not hosted on the server that receives my mail, it gets queued for delivery. This is where things go wrong.

Mails for that domain should never be queued in the first place. I've configured my mail server to accept mails to ressukka.net. Apparently historically postfix has accepted mails for subdomains automatically, so if you configure mydestination to "localhost" mails are accepted for "invalid.localhost" too. Apparently the devs have noticed this problem and have added an option to control this behaviour. There is an option called parent_domain_matches_subdomains (how logical is that?) that allows you to define which features behave this way.

The fix for me was to change the default setting:

parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps

in to:

parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps

By removing the relay_domains setting I was able to limit incoming mails to just the domains that are actually on the server.

Problem solved? Not quite...

I still have ~2500 mails waiting to be delivered to update.ressukka.net (and various other removed hosts). Luckily there are tools out there to remove certain mails from the postfix queue. By (ab)using the script mentioned in Postfix: The definitive guide (download script) I was able to easily clear the offending mails from the queue. The trick was to use a regexp as the mail address for the script.

./pfdel.pl .\*@update.ressukka.net

In any other script I would call this a security problem, but here it's a feature =)

Posted Sun Sep 9 13:34:25 2007 Tags: xmpp

In opensource software world it's rather common to hear something like "Does it work just like some-other-application" or "Why can't I use application-X instead of this one, everyone else has application-X".

In a way that's peer pressure. Microsoft is prime example of a company that uses peer pressure for marketing. They managed to acquire a fair share of the market by getting their operating system to OEM markets and by donations to schools. It's interesting that the old saying "There is no such thing as free lunch" applies here too. By donating something they are creating a user base that already knows some application or operating system. By using that user base it is possible to push your products to new markets.

That is actually brilliant marketing.

How is this related to me? Well, some time ago I decided to rebuild my old server. I decided that I would utilize the skills I've learned through my work experience, even if it is a home server. I set up a Xen server that separated my jabber server from my firewall. And since I already had a working IPv6 tunnel and plenty of addresses for my local network I could allow direct connections through IPv6 and forward ports through IPv4. I already knew that XMPP system had already implemented SRV records that allowed me to create clean rule sets how I wanted my servers to be contacted.

But there was a problem. It only occurred to me once I had finished the DNS configuration. It appears that Google Talk doesn't fully support SRV records. It appears that the IPv6 only record throws the servers off and I'm unable to connect to Gtalk users.

So due to peer pressure I was forced to change my preferences on how to connect to my jabber server. Suddenly it became clear to me why it is so hard to introduce new services and technologies. It's not enough if it's innovative or useful, there has to be solid interoperability with the competing products and minimal learning curve. Knowing this, it's not a wonder that the e-mail system is still in place even if it's flawed by design.

Posted Sun May 6 22:28:00 2007 Tags: xmpp

.. Fruit flies like a banana.

So, it has been a month since my last post. I hate it when time goes by too fast and you don't get to look back and think what has happened. Sometimes it's good to reflect a bit on the past, it brings thing back to perspective.

I switched my OpenID provider to The South African XMPP Federation OpenID Server which allows me to log in to websites through jabber. On first thought it sounds like unreasonable thing to do, but if you consider the phising discussion it suddenly becomes more sane. It's one of the few methods that can circumvent phishing. I don't have a password for my openid account, but i do have a password (for now) for my jabber account.

While playing with the new OpenID provider, i noticed some bugs with Gajim (yes, i'll try and get bugs filed for those) and eventually noticed that there has been a new release of Telepathy-Gabble. This release fixes the bug that i've been seeing and it no longer crashes. This means that i can finally move back to Gossip-telepathy which is nice and clean. I just have to remember to close those bugs i filed earlier about the bugs.

I've also been upgrading firmwares for my phones. It's annoying how phones have turned in to computers that require updating. Phones are more painful to upgrade since usually you will loose all the data on the phone when you upgrade. I'm still waiting for good phone that runs linux and has a sane way of storing configuration and other data. At the moment there appears to be a good drive to new linux phones, but i don't want to buy a phone that lacks most of the features that i will be using in the future. At the moment linux phones are playing the same catch up game as linux did in on the desktop. Hopefully it will get there eventually and i'll get up switch to a sane phone with proper updating model.

As a side project i've been thinking about creating a blocklist for Adblock Plus that filters finnish sites. The problem is that the list of sites i visit is quite short. I'll have to see what comes out of all this.

Posted Fri Mar 23 00:00:08 2007 Tags: xmpp