Draft: Postfix, TLS with Let’s encrypt and SASL

I wanted to set up an SMTP server to handle mail, which would require TLS for encryption and SASL for authentication.

Let’s Encrypt has a webroot plugin, which is a way for them to be certain that you own the domains you request certificates for. To get automatic renewal (certificates expire after 90 days), we’d have to install a web server as well.

Let’s encrypt

Start off by installing an ACME client:

cd /usr/local/sbin
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x certbot-auto


I chose nginx as the web server.

sudo apt-get install nginx

Edit /etc/nginx/sites-available/default.

server {
  listen 80;
  server_name example.org smtp.example.org www.example.org;
  location ~ /.well-known {
    allow all;
  }
}


To generate the certificates:

sudo certbot-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d example.org -d www.example.org -d smtp.example.org

Further increase security by generating a 4096-bit Diffie-Hellman parameter file:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

Automatic renewal

This is done with a cron job that runs once a day, and with a renew hook that will reload nginx every time there’s an updated certificate.

sudo bash -c 'cat > /etc/cron.daily/letsencrypt <<EOF
#!/bin/sh
/usr/local/sbin/certbot-auto -q renew --renew-hook "service nginx reload"
EOF
'
sudo chmod a+x /etc/cron.daily/letsencrypt

dpkg-divert --add --rename /etc/init.d/postfix


  • https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
  • https://help.ubuntu.com/community/Postfix
  • https://github.com/webmin/webmin/issues/58#issuecomment-22985720
  • https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  • https://michael.lustfield.net/nginx/getting-a-perfect-ssl-labs-score
  • https://www.howtoforge.com/greylisting_postfix_postgrey

Package history in Ubuntu

Trying to figure out which packages have been changed since a specific date. A quick hack.

package_history() {
    local since="${1}"
    local action="${2:-install}"

    [[ -z "${since}" ]] && { echo "Need a valid date as first argument"; return 1; }

    # history.log capitalises the action ("Install:", "Remove:"), so match that form
    action="${action^}"

    sed -n '/^Start-Date: '"${since}"' /,$p' /var/log/apt/history.log | awk '/Start-Date:/ || /'"${action}"':/' | sed -r 's|\),|\)\n|g; s|('"${action}"': )|\1\n |'
}

Examples: if you want to know all packages installed since 2016-05-17:
package_history "2016-05-17"

If you want to know all packages removed since 2016-05-09:
package_history "2016-05-09" remove
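
The sed range in package_history only starts printing when history.log has a transaction on exactly the given date. The variant below is an added example, not the author's code: it compares dates instead, so any starting date works. The names package_history_since and sample_history_log, the optional log-file argument and the sample log are constructed for this example.

```shell
# Constructed sample in the format of /var/log/apt/history.log (not real data).
sample_history_log() {
cat <<'EOF'
Start-Date: 2016-05-09  10:12:01
Commandline: apt-get install nginx
Install: nginx:amd64 (1.4.6-1ubuntu3.4), nginx-common:amd64 (1.4.6-1ubuntu3.4, automatic)
End-Date: 2016-05-09  10:12:09

Start-Date: 2016-05-16  08:00:40
Commandline: apt-get remove apache2
Remove: apache2:amd64 (2.4.7-1ubuntu4.9)
End-Date: 2016-05-16  08:00:44

Start-Date: 2016-05-18  21:30:12
Commandline: apt-get install postfix
Install: postfix:amd64 (2.11.0-1ubuntu1), ssl-cert:amd64 (1.0.33, automatic)
End-Date: 2016-05-18  21:30:31
EOF
}

# package_history_since SINCE [ACTION] [LOGFILE]   (hypothetical helper)
# Prints "DATE PACKAGE" for every ACTION (install, upgrade, remove, purge)
# in transactions started on or after SINCE. LOGFILE "-" reads stdin.
package_history_since() {
    local since="$1" action="${2:-install}" log="${3:-/var/log/apt/history.log}"
    case "$since" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "Need a date as YYYY-MM-DD" >&2; return 1 ;;
    esac
    awk -v since="$since" -v action="$action" '
        BEGIN { key = tolower(action) ":" }
        /^Start-Date: / { date = $2; next }      # date of the current transaction
        tolower($1) == key && (date "") >= (since "") {   # ISO dates sort as strings
            line = $0
            sub(/^[^:]+: /, "", line)            # drop the "Install: " prefix
            n = split(line, pkgs, /\), /)        # "name:arch (version), name:arch (...)"
            for (i = 1; i <= n; i++) {
                split(pkgs[i], f, " ")           # f[1] is "name:arch"
                print date, f[1]
            }
        }' "$log"
}

# No transaction on 2016-05-17 exists in the sample; entries from 05-18 still print.
sample_history_log | package_history_since 2016-05-17 install -
```

On a real system, drop the third argument to read /var/log/apt/history.log; rotated logs (history.log.1.gz and older) have to be decompressed and passed in separately.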

FreeBSD and UTF-8

I want to have all the locales set to en_US.UTF-8, but I don’t want 12h time (AM/PM).

Modify /etc/login.conf as follows:

--- /etc/login.conf.orig	2016-05-17 20:19:47.189836683 +0200
+++ /etc/login.conf	2016-05-17 20:04:48.151898313 +0200
@@ -26,7 +26,7 @@
-	:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
+	:setenv=MAIL=/var/mail/$,BLOCKSIZE=K,LC_COLLATE=C:\
 	:path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin ~/bin:\
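Review bot: the `LC_COLLATE=C` added to the `setenv` line is not explained by the surrounding text, which only states the goals of en_US.UTF-8 everywhere and a 24h clock. Say why collation is pinned to C, since this entry takes precedence over the `lang=en_US.UTF-8` added in the next hunk as far as sort order is concerned.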
@@ -44,7 +44,9 @@
-	:umask=022:
+	:umask=022:\
+    :charset=UTF-8:\
+    :lang=en_US.UTF-8:
 # A collection of common class names - forward them all to 'default'
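Review bot: the two added capability lines, `:charset=UTF-8:\` and `:lang=en_US.UTF-8:`, are indented with four spaces while the other entries in this class, including the changed `:umask=022:\` line, use a tab. Use a tab here as well so the file stays consistent.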

After the change, run sudo cap_mkdb /etc/login.conf.

To change to a 24h clock in uptime, w, etc., change /usr/share/locale/en_US.UTF-8/LC_TIME as follows:

--- LC_TIME.orig	2016-05-17 20:14:40.018856258 +0200
+++ LC_TIME	2016-05-17 20:15:36.835860995 +0200
@@ -39,8 +39,8 @@
 %a %b %e %X %Y
 %a %b %e %X %Z %Y
@@ -55,4 +55,4 @@
-%I:%M:%S %p
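Review bot: in the `@@ -55,4 +55,4 @@` hunk, `%I:%M:%S %p` is removed with no matching `+` line, yet the header keeps the line count at 4 on both sides and the note below says the lines must stay in place. The empty replacement line should appear as a `+` line so the patch matches the described result; the `@@ -39,8 +39,8 @@` hunk likewise shows only context and no change.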

Note: Don’t remove the lines themselves, only all the characters on them.


Hibernate in Ubuntu 14.04, with iwlwifi

Update: After a lot of troubleshooting and testing different combinations of my kernel parameters, I conclude that it works a lot better when leaving pcie_aspm=force (think I got it from an Arch wiki?), and also never resume when docked if the computer was hibernated on battery. This seems to be working even with the linux-image-generic-lts-xenial kernel. You can check this pastebin with the results and combinations that I’ve tested.

To enable hibernate in the menu, create /etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla with the following content:

[Re-enable hibernate by default in upower]

[Re-enable hibernate by default in logind]

[Re-enable hibernate for multiple users by default in logind]

Update /etc/default/grub and add the RESUME parameter, set to your swap partition, to GRUB_CMDLINE_LINUX_DEFAULT. Example:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash i915.enable_fbc=1 i915.enable_rc6=7"

Don’t forget to run sudo update-grub2.

Check if iwlwifi has any dependencies:

$ lsmod | egrep "^iwlwifi"
iwlwifi               196608  1 iwlmvm

Add, in this case, iwlwifi and iwlmvm to /etc/pm/config.d/modules:

SUSPEND_MODULES="iwlmvm iwlwifi"

Create /etc/pm/sleep.d/99_wpa_supplicant:


#!/bin/sh
case "$1" in
    resume|thaw) /usr/bin/pkill wpa_supplicant ;;
esac

Don’t forget to make it executable, chmod +x /etc/pm/sleep.d/99_wpa_supplicant.

Killing wpa_supplicant on resume and thaw is needed due to bug #1311257.

And lastly, if you have TLP, make sure to restore previous device state on startup:

$ egrep "^RESTORE_" /etc/default/tlp

Note: I had hibernate working perfectly, but then I upgraded to linux-image-generic-lts-xenial, which caused a KernelOops on every thaw. After reverting back it worked great again. I’m guessing the reason is that the gfx stack (xserver-xorg-video-intel-xenial etc.) isn’t available in 14.04 (yet?).

Build i3-gaps in Docker

Automated way

So, the very automated way:

git clone git@github.com:mgor/docker-ubuntu-i3-gaps-builder.git
cd docker-ubuntu-i3-gaps-builder/

Packages available in packages/.

Build environment

First, get the build environment and start it:

git clone git@github.com:mgor/docker-ubuntu-pkg-builder.git
cd docker-ubuntu-pkg-builder


Install the needed dependencies:

apt update
apt install libxcb1-dev libxcb-keysyms1-dev \
libpango1.0-dev libxcb-util0-dev libxcb-icccm4-dev \
libyajl-dev libstartup-notification0-dev \
libxcb-randr0-dev libev-dev libxcb-cursor-dev \
libxcb-xinerama0-dev libxcb-xkb-dev libxkbcommon-dev
apt-get build-dep i3


Get i3-gaps from GitHub[0].

git clone https://www.github.com/Airblader/i3 i3-gaps
cd i3-gaps

If you want to run on the stable branch:

git checkout gaps
git pull

Build the packages:

debuild -i -us -uc -b

If successful, the packages will be in ../. Transfer them to your host and install.