Live and Learn
DNSCrypt is a protocol for securing communications between a client and a DNS resolver.
dnscrypt-proxy provides a local service which can be used directly as your local resolver or as a DNS forwarder; it encrypts and authenticates requests using the DNSCrypt protocol and passes them to an upstream server.
The DNSCrypt protocol uses high-speed high-security elliptic-curve cryptography and is very similar to DNSCurve, but focuses on securing communications between a client and its first-level resolver.
While not providing end-to-end security, it protects the local network, which is often the weakest point of the chain, against man-in-the-middle attacks. It also provides some confidentiality to DNS queries.
Sodium is a new, easy-to-use software library for encryption, decryption, signatures, password hashing and more.
Download the latest libsodium version, libsodium-0.7.0.tar.gz, and extract it:
$ tar -xzvf libsodium-0.7.0.tar.gz
Change into the extracted directory, then compile and install it:
$ cd libsodium-0.7.0
$ ./configure
$ make && make check
$ sudo make install
Download the latest dnscrypt-proxy version, dnscrypt-proxy-1.4.0.tar.gz, and extract it:
$ tar -xzvf dnscrypt-proxy-1.4.0.tar.gz
Change into the extracted directory, then compile and install it:
$ cd dnscrypt-proxy-1.4.0
$ ./configure
$ make
$ sudo make install
The proxy will be installed as /usr/local/sbin/dnscrypt-proxy by default.
Start the daemon:
$ dnscrypt-proxy --daemonize --local-address=0.0.0.0:5353 --resolver-name=opendns
Now we test it by querying the proxy on port 5353:
$ dig @127.0.0.1 -p 5353 youtube.com

; <<>> DiG 9.9.5-3-Ubuntu <<>> @127.0.0.1 -p 5353 youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28830
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;youtube.com.			IN	A

;; ANSWER SECTION:
youtube.com.		300	IN	A	74.125.225.198
youtube.com.		300	IN	A	74.125.225.200
youtube.com.		300	IN	A	74.125.225.201
youtube.com.		300	IN	A	74.125.225.192
youtube.com.		300	IN	A	74.125.225.194
youtube.com.		300	IN	A	74.125.225.193
youtube.com.		300	IN	A	74.125.225.206
youtube.com.		300	IN	A	74.125.225.195
youtube.com.		300	IN	A	74.125.225.196
youtube.com.		300	IN	A	74.125.225.199
youtube.com.		300	IN	A	74.125.225.197

;; Query time: 56 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Sep 03 02:31:44 UTC 2014
;; MSG SIZE  rcvd: 216
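The same check without dig, as an added example that is not part of dnscrypt-proxy: it builds a wire-format A query, sends it to the proxy listener from the post (127.0.0.1:5353, an assumption taken from the commands above) and decodes the answer records. Only resolve() needs the daemon; the builder and parser work on bytes and run offline.

```python
import socket
import struct

# Added example (not part of dnscrypt-proxy): build a DNS A query the way dig
# does, send it to the local dnscrypt-proxy listener from the post
# (127.0.0.1:5353) and decode the A records in the reply. Only resolve()
# needs the daemon; the builder and parser work on bytes and run offline.

def build_query(name, txid=0x1234):
    """Return a wire-format DNS query for an A record, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN

def _skip_name(data, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes end the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def parse_answer(data):
    """Return (rcode, [IPv4 strings of the A records]) from a DNS response."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):             # skip the echoed question section
        off = _skip_name(data, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def resolve(name, server="127.0.0.1", port=5353, timeout=3.0):
    """Send one UDP query to the proxy and return (rcode, addresses)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        data, _ = s.recvfrom(4096)
    return parse_answer(data)
```

With the daemon running, resolve("youtube.com") repeats the dig lookup above and returns rcode 0 with the same list of addresses.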
Msmtp is an SMTP client.
In the default mode, it transmits a mail to an SMTP server (for example at a free mail provider) which takes care of further delivery.
To use this program with your mail user agent (MUA), create a configuration file with your mail account(s) and tell your MUA to call msmtp instead of /usr/sbin/sendmail.
Features include:
Mutt is a small but very powerful text-based mail client for Unix operating systems.
Some of Mutt’s features include:
$ sudo apt-get update
$ sudo apt-get install msmtp mutt
Create the file .msmtprc in your home directory, with no more permissions than user read/write (0600):
# Set default values for all following accounts
defaults
#tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile ~/.msmtp.log

# Default account
account default
host smtp.qq.com
from demo@qq.com
auth plain
user demo
password demo
This is a simple configuration file and is usually sufficient.
Try to send a mail to test it:
$ msmtp demo@gmail.com
Type the message and press Ctrl+D to send it.
Using TLS encryption is always a good idea.
If you are not sure whether the SMTP server supports authentication and/or TLS encryption, find it out with:
$ msmtp --host=smtp.demo.com --serverinfo
To use TLS, you must either enable full server certificate verification using the tls_trust_file command or --tls-trust-file option, trust one particular peer certificate using the tls_fingerprint command or --tls-fingerprint option, or disable all certificate checks using tls_certcheck off or --tls-certcheck=off.
If your system has a file that collects all system-wide trusted CA certificates, it is easiest to use it in the defaults section of your configuration file. On Debian-based systems, for example, the appropriate line would be
tls_trust_file /etc/ssl/certs/ca-certificates.crt
But you can also find out manually which CA certificate you need to trust.
First, issue the following command:
$ msmtp --serverinfo --host=smtp.demo.com --tls=on --tls-certcheck=off
The option --tls-certcheck=off allows msmtp to accept any certificate, so that it can print some information about it. The output of this command tells you the common name of the server certificate issuer. You have to trust this issuer to use full TLS security. Usually you can find the CA certificate on the issuer's homepage.
Now let us add a Gmail account to the configuration file.
First we need to get the CA certificate:
$ msmtp --serverinfo --host=smtp.gmail.com --tls=on --tls-certcheck=off
SMTP server at smtp.gmail.com (ig-in-x6c.1e100.net [2607:f8b0:4001:c05::6c]), port 25:
    mx.google.com ESMTP ga10sm76109igd.0 - gsmtp
TLS certificate information:
    Owner:
        Common Name: smtp.gmail.com
        Organization: Google Inc
        Locality: Mountain View
        State or Province: California
        Country: US
    Issuer:
        Common Name: Google Internet Authority G2
        Organization: Google Inc
        Country: US
    Validity:
        Activation time: Tue 15 Jul 2014 08:40:38 AM UTC
        Expiration time: Sat 04 Apr 2015 03:15:55 PM UTC
    Fingerprints:
        SHA1: 9C:0A:CC:93:1D:E7:51:37:90:61:6B:A1:18:28:67:95:54:C5:69:A8
        MD5:  E7:48:1D:0B:99:4A:C3:A8:31:86:E5:8F:E5:EE:4F:2A
Capabilities:
    SIZE 35882577:
        Maximum message size is 35882577 bytes = 34.22 MiB
    PIPELINING:
        Support for command grouping for faster transmission
    STARTTLS:
        Support for TLS encryption via the STARTTLS command
    AUTH:
        Supported authentication methods:
        PLAIN LOGIN
The issuer name is Google Internet Authority G2, so that is the CA certificate we need (downloaded from the issuer as GIAG2.crt).
Convert the DER-encoded CA certificate to PEM format:
$ openssl x509 -inform DER -in GIAG2.crt -outform PEM -out gmail-smtp.crt
With this CA certificate, the following should succeed:
$ msmtp --serverinfo --host=smtp.gmail.com --tls=on --tls-trust-file=gmail-smtp.crt
Now we add the Gmail account to the configuration file:
# Gmail
account gmail
host smtp.gmail.com
from demo@gmail.com
auth on
user demo@gmail.com
password demo
tls on
tls_starttls on
tls_certcheck on
tls_trust_file ~/.ssl/certs/gmail-smtp.crt
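A small checker for the .msmtprc settings discussed above (the 0600 file mode, tls, tls_certcheck and the trust file), as an added example that is not msmtp's own code. The sample configuration inside it is constructed: the "weak" account mirrors the first one in this post, and the hardened one assumes msmtp's passwordeval command and a hypothetical gpg-encrypted password file.

```python
# Added example (not msmtp's own code): a checker for the ~/.msmtprc layout
# used above. It flags the weak settings the post warns about: tls off,
# tls_certcheck off, TLS without a trust anchor, and a plaintext password.
# All sample values below are constructed; "demo" is a placeholder.

def parse_msmtprc(text):
    """Return {account: {key: value}}, with 'defaults' merged into each account."""
    defaults, accounts, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "defaults":
            current = defaults
        elif key == "account":                 # snapshot of the defaults seen so far
            current = accounts.setdefault(value.split()[0], dict(defaults))
        elif current is not None:
            current[key] = value
    return accounts

def check_account(name, cfg):
    """Return the findings for one account; an empty list means it looks fine."""
    findings = []
    if cfg.get("tls", "off") != "on":
        findings.append(f"{name}: tls off, login and mail travel in clear text")
    elif cfg.get("tls_certcheck", "on") == "off":
        findings.append(f"{name}: tls_certcheck off, any certificate is accepted")
    elif "tls_trust_file" not in cfg and "tls_fingerprint" not in cfg:
        findings.append(f"{name}: tls on but no tls_trust_file or tls_fingerprint")
    if "password" in cfg:
        findings.append(f"{name}: plaintext password in the config file")
    return findings

# Constructed sample: the post's first account beside a hardened Gmail one.
SAMPLE = """defaults
tls_trust_file /etc/ssl/certs/ca-certificates.crt
account weak
host smtp.qq.com
user demo
password demo
account gmail
host smtp.gmail.com
tls on
tls_certcheck on
user demo@gmail.com
passwordeval gpg -q -d ~/.msmtp-gmail.gpg
"""
```

Running check_account over parse_msmtprc(SAMPLE) reports two findings for "weak" and none for "gmail"; pointing it at the real ~/.msmtprc (after checking its mode is 0600) gives the same review of your own accounts.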
Create the file .muttrc in your home directory:
set sendmail="/usr/bin/msmtp"
set use_from=yes
set realname="demo"
set from=demo@outlook.com
set envelope_from=yes
Send a mail to test mutt:
$ echo "Hello World" | mutt -s "Hello" -c demo@outlook.com demo@gmail.com
Send a mail with attachment:
$ echo "Hello World" | mutt -s "Hello" -a ~/tmp/demo.tar.gz demo@gmail.com