Category Archives: SysAdmin

Porting a mobile number to AAISP

Just look at my custom network name

St Columba’s has had the same 07 mobile number for a long time, and consequently it’s printed on various signage and readily available online. Traditionally, it’s been assigned to a pay as you go SIM card in a creaky old Nokia phone carried by our facilities manager. However, this approach has its limitations: when they’re on holiday, they have to physically pass the handset to someone else to handle the calls, and it leaves the phone number (arguably an important asset in itself) attached to a pay as you go SIM which might have an employee’s name on it rather than the church’s.

Issuing a new smartphone seemed like the opportune moment to sort this out. I did some digging into business mobile contracts – having the number on one of those would sort the ownership – but none of them seemed to feature call divert which could be configured without having possession of the phone. So I turned to a service I’ve written about here before. In addition to being able to buy 07 numbers on VOIP, AAISP will let you port in existing numbers using a PAC code. Coupled with a Sip2Sim SIM card in the phone, this neatly de-couples the number from where the calls get sent to and gives us the divert via a web page and all the other bells and whistles.

The ordering process was nice and simple and fully automated – I punched the PAC into the order form at A&A, and the number moved over within a couple of working days (it got briefly stuck in the middle, but A&A fixed it out of hours when I asked on IRC – try getting that level of service from a big company). Billing is all via direct debit, and no messing around with paper invoices, which suits us fine.

As the icing on the cake, I calculate that for the volume of calls and data usage of this particular device, it will work out cheaper than any of the mainstream corporate mobile deals I saw. I’ll report back on that.

Virgin Media

We got a Virgin Media (business) line in the church office recently, and although it was quite unstable for the first few weeks, it has now settled down nicely. I can run my monitoring on the end of it without getting lots of false alarms:

vmedia

Colour me impressed, especially for what we’re paying.

URC e-mail fail

I don’t know exactly who my church has outsourced @urc.org.uk e-mail to, but whoever it is clearly hasn’t read RFC822 (“SMTP systems are expected to make every reasonable effort to accept mail directed to Postmaster from any other system on the Internet.”)…

fail

Rather difficult to complain about the original broken address I found…

Update: They did get back to me via Facebook eventually. Still not had an answer on why postmaster@ doesn’t work, though.

Proxy DHCP

Somebody should have thought of this, and it turns out that somebody did.

A couple of years ago, I wrote about setting up a network boot server on my home LAN. I said this meant “taking the job of doing DHCP away from the router and doing it myself on a Linux box”.

Reader, I was wrong.

Setting up my new connection from BT today, I really didn’t want to keep running DHCP separately on a Raspberry Pi. What I wanted was for the Pi to just talk to clients which wanted to do network boot, and leave the BT router to do DHCP for ordinary devices.

This exists, and it’s called proxy DHCP. dnsmasq on the Pi can handle it; this tutorial is the one I got working. Sadly proxy DHCP doesn’t seem to honour options, so I had to take the path prefix (option 210) and manually prepend it to all the paths in my boot config.

This is all back up and working now, and hopefully should prove useful and less disruptive for a few years yet to come.

Now that i have native IPv6 and DHCP is back on the router, the Pi ceases to be a single point of failure, though it’s been rock solid for nearly three years now.

VirtualBox does network boot, of course

VirtualBox does network boot, of course

IPv6 at home from BT

It works – 10/10 on test-ipv6.com; can’t really say fairer than that. I did however enjoy the comedy reverse DNS:

$ curl http://files.dnorth.net/ipquick.php   (05/04 19:19)
2a00:23c4:e81:3100:fdbc:e60a:226e:9903
broadband.bt.com

Oddly enough, broadband.bt.com doesn’t resolve forwards to every IPv6 address on their network, so why bother claiming the reverse?

IPv6 only IMAP server

Because why not.

I have an IPv6 only virtual machine hosted at Mythic Beasts. Sadly, I don’t have much time to play with it these days, so I’m retiring it next month. Meanwhile, I’ve got something working which I thought ought to be possible but failed at the last time I tried…

I participate in the minority sport of hosting my own e-mail. That means I run an IMAP server which mail clients can view and search messages using. For myself, I have native IPv6 on my home internet connection, but when I’m out and about, my mobile phone is still IPv4 only, and most of my relatives who I host mail for are v4 only too. Mythic and others have blogged at length on hosting websites behind their IPv4-to-IPv6 reverse proxy, but can it handle IMAP?

$ nc -vv proxy.mythic-beasts.com 993                                 (01/04 17:06)
DNS fwd/rev mismatch: proxy.mythic-beasts.com != rproxy46-hex-a.mythic-beasts.com
DNS fwd/rev mismatch: proxy.mythic-beasts.com != rproxy46-sov-a.mythic-beasts.com
proxy.mythic-beasts.com [46.235.225.189] 993 (imaps) open

The fact that they’ve got it listening on the standard port for IMAP over SSL is encouraging. Let’s give it a go…

Prerequisites

In addition to your IPv6 only VM, you’ll need a domain and you’ll need to point some DNS. The examples below assume you’ve CNAMEd imap6.example.com to proxy.mythic-beasts.com.

Part 1: Install and configure Dovecot

Couldn’t be easier if we’re using Debian:

# apt-get install dovecot-imapd

Configuring Dovecot to properly store mail is beyond the scope of this article, so we’ll just do some minimal setup.

Part 2: SSL

It’s 2017, and SSL certificates are free. So let’s get some.

# apt-get install dehydrated apache2 dehydrated-apache2

The Apache server is only necessary because I’m taking the path of least resistance to getting SSL certificates from letsencrypt, which involves them verifying control over the domains using HTTP based challenges. You could set up Mythic’s DNS API to eliminate the need for this.

Once you’ve done this, edit /etc/dehydrated/domains.txt to include your domain (e.g. imap6.example.com) and add /etc/dehydrated/conf.d/config.sh containing CONTACT_EMAIL=”you@example.com”.

Having done this, you can run “dehydrated -c”. I’d recommend not running it as root, which means fixing the directory permissions when it falls over the first time. All that sorted, we should now have a directory /var/lib/dehydrated/certs/imap6.example.com/. That means we can go ahead and edit /etc/dovecot/conf.d/11-ssl.conf to read:

ssl = required
ssl_cert = </var/lib/dehydrated/certs/imap6.example.com/fullchain.pem
ssl_key = </var/lib/dehydrated/certs/imap6.example.com/privkey.pem

While you’re there, you should set port=0 on the non-SSL IMAP listener in 10-master.conf, to stop it listening on non-SSL ports.

All that sorted, we can restart Dovecot:

# service dovecot restart

And now we can jump over to a client machine and try it out:

$ ncat --ssl -v imap6.example.com 993
Ncat: Version 6.47 ( http://nmap.org/ncat )
Ncat: SSL connection to 2a00:1098:0:82:1000:3b:1:1:993.
Ncat: SHA-1 fingerprint: 2FB3 9166 A7B7 6552 6215 963C 43D0 824E A02F 9FB3
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.

Assuming all is well, you’ll see the OK response from Dovecot, and when you hit Ctrl-C, you’ll get a line logged in /var/log/syslog on the server complaining about how your client hung up.

At this point, you should be able to try it with a real mail client, e.g. Thunderbird. And you’ll notice that everything in the garden is lovely, except that the logs show all connections coming from Mythic’s proxy, rather than their true source IPs.

Part 3: Proper IP addresses in the logs

Mythic’s proxy supports the PROXY protocol to enable this, but does Dovecot? As it turns out, they added support in 2.2.19, but Debian stable has 2.2.13. Backports to the rescue:

# apt-get install -t jessie-backports dovecot-imapd

Now we need to turn on PROXY support for imap6.example.com using the Mythic control panel. Having done that, I was very impressed with Dovecot – the logging in /var/log/syslog walked me through fixing each mistake I made, starting with needing to configure Dovecot for PROXY:

Edit /etc/dovecot/conf.d/10-master.conf and add haproxy = yes to the imaps listener. The defaults are sensibly secure: to avoid clients spoofing IP addresses, you must provide a whitelist of clients allowed to speak to listeners with haproxy support turned on. That means setting haproxy_trusted_networks in the same file. You can find the necessary IPv6 addresses to space-separate on this page.

Having done that and restarted Dovecot, I moved my laptop over to my guest wifi network (where there is no IPv6), and restarted Thunderbird…

$ grep dovecot /var/log/syslog
Apr  1 17:17:55 test-box dovecot: imap-login: Login: user=<david>, method=PLAIN, rip=192.0.2.1, lip=93.93.129.174, mpid=1234, TLS, session=<...>

Result! The IP quoted as “rip” (remote IP) is the IPv4 one I’m running Thunderbird on. Interestingly, Dovecot has chosen to log the IPv4 of Mythic’s proxy as the local IP (lip).

Blast from the past

I was surprised to find my less-than-a-year-old HP Microserver Gen8 taking over half an hour to come back from each reboot. Closer inspection showed the system clock jumping back to 2016 every time it restarted, which forces an fsck when Linux realises its disks have been modified “in the future”. Checking >1TB of disk takes a long time.

It’s been a while since I had to replace a CMOS battery, but it fixed the problem:

img_20170322_204555

HPE Microserver Gen8

It was about time I pensioned off the tired old Core2 Duo desktop running as my home fileserver. It sucked up sufficient electricity that it was worth having a Raspberry Pi sat on top of it, to issue a wake-on-LAN before running various tasks (e.g. backups) and turn it off again afterwards. It was also starting to develop reliability issues – who knew buying used-up hardware for a nominal £1 would barely give three years’ service…

HP’s Microservers have a good reputation as a basic home NAS box, and the £60 cashback offer running in November certainly helps: I got the Gen8 with a dual core 2.3Ghz Celeron and 4GB of RAM for £120 after cashback. Here it is:

HPE Gen8 Microserver

HPE Gen8 Microserver

It looks quite swish and is very quiet, especially if you select the power-saving options in the BIOS – it also puts out reassuringly little heat. The BIOS is quite nicely laid out and easy to follow, though it does seem to lack the classic “discard changes and exit” option.

HPE Microserver Gen8 BIOS

HPE Microserver Gen8 BIOS

Disks

It has four SATA bays which are inside the front door and have trays to slide the disks in and out with. They’re not hot-swap apparently they are as long as you don’t use the inbuilt RAID controller!, but at least physically moving disks in and out isn’t a problem: they even supply a little tool to handle the screws with. I put the boot disk from my old server in the leftmost slot, and the two 1.5TB halves of my main RAID array in slots 2 and 3. It booted from the first disk and Just Worked, though the BIOS takes a while to wade through all the checks.

I believe it has some sort of built in hardware RAID controller, but I prefer to stick to good ol’ fashioned Linux software RAID (newer, cooler solutions are also available): you can set up an array on any old hardware, plug the disks into something new and different, and it all comes back to life trivially. Linux is really good at moving to new hardware, and after an fsck* (even that could have been avoided if I’d set the system clock right) it was all ready to go. Try doing that with hardware RAID, where moving disks to a new controller is often impossible without wiping them and starting over.

Network

It has no less than three network ports on the back – two are ordinary dual NICs and the third is for HP’s “iLO” remote management stuff. Since I’ve run out of ports on my router I haven’t had a chance to try that out. Linux recognised the NICs as eth2 and eth3, but that might just be a hangover from the installation starting life on other hardware.

Other thoughts

I’ve only had it a few days, but it’s been solid and reliable so far … here’s hoping it outlasts its Core2 predecessor by a good few years.

*File System ChecK – it’s a Linux command. Obviously.

Sip2Sim and the OnePlus Two

Andrews and Arnold do an interesting service where they supply a SIM card which connects to VOIP at their end. Annoyingly, they don’t have a sensibly usable set of 07… UK mobile numbers they can route onto VOIP to go with the service, but since my OnePlus Two has two SIM slots, that seemed like a way to give it a punt…

Double SIM carding it ... like a pro

Double SIM carding it … like a pro (this is the drawer from the OnePlus Two)

The particular variant of SIM I ordered (O2/EU Voice) doesn’t push out to Nano SIM, instead requiring a pair of scissors and a steady hand (or a proper tool, but who has one of those?) As you can see from the picture, I got away with the scissors and it even worked afterwards:

Custom network name and two signal strength indicators

Custom network name and two signal strength indicators

Android has some pretty impressive native support for more than one SIM, and shows two signal strength selectors as you’d expect. As you can see at the top left, the SIM networks (operator names) are shown with a pipe separating them. For some reason you can’t fiddle with this on the control pages, but you can set it when ordering and contact support to alter it.

I ordered a London number on AAISP’s VOIP service to go with the SIM, and that all works as expected. Texts are a bit clunky (presenting as from “SIP2SIM”), but it looks like that may be configurable/changable.

Mobile data appears to go via NAT and emerge from an IP address registered to Manx Telecom.

The two things I really wanted to play with are setting up my own Asterisk again, and using the roaming to get decent data on the train up north. I’ll report back when I’ve had a play.