serverfault.com


Common Server issues – FAQs and answers from those in the know

Ubuntu + Postfix - limit port 25 access mail server access only?

6 December 2025 @ 3:51 am

My server's IP address is listed on Spamhaus. It is running on Ubuntu and using Postfix to forward incoming emails to certain emails, such as my Gmail emails. According to Spamhaus:

    "Make sure port 25 access is limited to mail server access only / end-users should be using SMTP authentication on port 587 or 465"

So how can I "Make sure port 25 access is limited to mail server access only"? I found this answer:

    iptables -I OUTPUT -m owner ! --uid-owner postfix -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp-admin-prohibited
    ip6tables -I OUTPUT -m owner ! --uid-owner postfix -m tcp -p tcp --dport 25 -j REJECT --reject-with icmp6-adm-prohibited

But I don't think my Postfix has a username and password set up (how can I set up the username and password?). Any ideas wha

Permission denied writing to NFS with same owner and ACL

5 December 2025 @ 8:44 pm

I'm running a rootless podman container where I mount an NFS4 volume.

- Writing to NFS works
- Inside the container, I can move a directory that is not in NFS into NFS, and it also works
- But if I move to NFS from the host instead of from the container, I can't write to it inside the container
- The ACL & owner for both directories are the same

    podman run -it --rm \
      -v /tmp/local:/local:U \
      -v /mnt/nfs:/nfs \
      ubuntu:latest

    # my subuid is 558752 so this maps to 559752 on the host
    useradd -u 1001 myuser
    su myuser

    # creating folder from container works fine
    mkdir /nfs/created_from_container
    touch /nfs/created_from_container/file1 #OK!

    # moving a folder to nfs from within the container also works fine
    mkdir /local/moved_by_container
    touch /local/moved_by_container/file1 #OK!
    mv /local/moved_by_container/ /nfs/
    touch /nfs/moved_by_container/file1 #OK!

    # but this doesn't work

How to setup Exim4 transport to let it work again after "tainted" update

5 December 2025 @ 5:41 pm

I made a release update of my server and unfortunately it has an exim4 instance and now it has been upgraded to v.4.97. It seems this version introduced a tainted data check and for some reason all my emails are not delivered anymore. I tried to add this config:

    .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
    allow_insecure_tainted_data = yes
    .endif

But it didn't help, maybe this workaround is deprecated. Then my current transport config:

    local_mysql_delivery:
      driver = appendfile
      directory = /var/mail/${domain}/${local_part}/
      maildir_format
      delivery_date_add
      envelope_to_add
      return_path_add
      user = mail
      group = mail
      mode = 0660

doesn't work, but I didn't understand from the documentation how I have to change the directory property.

Azure file recovery with an additional hard disk

5 December 2025 @ 2:15 pm

We are testing Azure Backup File Recovery for a Linux OS-disk (Ubuntu 22.04). The VM has two disks:

- OS Disk
- Data Disk

The Azure Portal reports:

- The VM is protected successfully
- The selected recovery point includes both the OS disk and the data disk
- No warnings or skipped disks appear in the Backup Jobs view

What happens during File Recovery

We downloaded and executed the File Recovery script on multiple test VMs and multiple recovery points (including older ones). In all cases: Azure provides only one single LUN through iSCSI:

    /dev/disk/by-path/...-lun-0 -> /dev/sdc
    /dev/disk/by-path/...-lun-0 -> /dev/sdd

These two iSCSI paths combine into a single multipath device: /dev/m

How many resources may a resource group contain in Azure? More generally, where can I see the quota limits at each level in Azure?

4 December 2025 @ 10:52 pm

A resource group is a collection of resources that share the same lifecycle, permissions, and policies. How many resources can a resource group contain? I mostly care about Cognitive Services resources. Here are the hierarchy levels in Azure:

    Management Group
       ├─ Quota: how many subscriptions are allowed?
       ↓
    Subscription
       ├─ Quota: how many resource groups are allowed?
       ↓
    Resource Group
       ├─ Quota: how many Cognitive Services resources can it contain?
       ↓
    Cognitive Services Resource (aka instance)
       ├─ Example quotas:
       │     - OpenAI deployments
       │     - TPS / RPM / Tokens per minute (visible when creating or editing an endpoint in that resource)
       │
       └─ Contains:
             - models
             - deployments
             - endpoints

How to get proxmox autoinstall to add VLAN tags?

4 December 2025 @ 9:19 pm

I'm installing Proxmox via PXE, but due to my circumstances, I have to do it over a trunk on VLAN10. I have configured Dell iDRAC and iPXE to tag with VLAN10 and it works fine. Problem is, it gets handed off to Proxmox and dies because Proxmox DOES NOT tag the traffic. I've tried passing it via kernel params like:

    kernel ${dir}/linux26 \
      initrd=initrd ramdisk_size=16777216 rw quiet splash=silent \
      proxmox-start-auto-installer \
      vlan={{ proxmox.interfaces.trunk }}.10:{{ proxmox.interfaces.trunk }} \
      ip=dhcp:::::{{ proxmox.interfaces.trunk }}.10

but while that flows through, it doesn't take. It doesn't actually create the VLAN interface and it fails. How do you get Proxmox autoinstall to tag traffic with a VLAN?

How to enable shutdown PowerShell script on Windows 2022 without using GUI

4 December 2025 @ 3:57 pm

I am provisioning Windows 2022 EC2 instances using Terraform and a PowerShell User Data script. I want to add functionality where this User Data script will configure a shutdown PowerShell script that will copy some files to an S3 bucket upon shutdown. This needs to be done without using the Windows GUI. This is the code I am currently using:

    # -------------------------------------------------------------------------
    # Create a PowerShell script for shutdown
    # -------------------------------------------------------------------------
    $shutdownScriptPath = "C:\Scripts\BackupOnShutdown.ps1"

    # Ensure the Scripts folder exists
    New-Item -ItemType Directory -Path "C:\Scripts" -Force

    # Create the shutdown script
    @"
    # Backup Gateway Backups folder to S3
    try {
        aws s3 sync "C:\Users\Administrator\Desktop\Gateway Backups" "s3://${backup_bucket}/gateway-backups/" --exact-timestamps
        aws s3 cp "C:\Users\Adm

Port knocking in Almalinux 10?

4 December 2025 @ 10:30 am

(First, please excuse me. Not a professional sysadmin, just someone who has had to set up a VPS recently). I recently set up a new Almalinux 10 box, and I wanted to add port knocking to it to further secure it besides the regular stuff (fail2ban, no root SSH logins, etc.). However, after spending a few hours, I found out that the two port knocking/SPA packages I was looking for (knockd and fwknop) only work with iptables, while Almalinux 10 has removed it entirely and works with nftables now. Is there a simple port knocking solution available for newer Linux distributions such as mine?

How do you integrate security checks early in a DevSecOps workflow without slowing down deployments

4 December 2025 @ 9:30 am

I am improving an existing CI and CD setup and the team wants to move toward a stronger DevSecOps model where security validation happens much earlier in the pipeline. The challenge is that our deployments are time-sensitive and any added scan or check can slow down the delivery cycle. Currently we use basic static checks, but want to add more depth such as cloud config validation, container image scanning, secret scanning, and automated policy testing. We need to run inside our existing Git-based workflow without forcing developers to change how they commit or merge. For teams that follow DevSecOps practices, how do you add early-stage security checks while keeping build and deploy times under control? Do you run all scans on every commit or only on merge? Do you separate fast checks and deep scans into different stages? Any recommendations for tools or patterns that balance speed and security? Looking for practical setups that have worked

How to install OKD in air-gapped environment?

4 December 2025 @ 9:25 am

I want to install a single-node OKD 4.19 cluster in an air-gapped environment. I prepared the Harbor registry, but mirroring the images needed for OKD 4.19 failed. The 4.19 documentation was not helpful. The problem with the mirrored images is that the SHA256 hashes are changed, and the OKD installer does not find them. Installing OKD 4.19 in a connected environment works fine. How can I install OKD 4.19 in an air-gapped environment, specifically, how do I correctly mirror the needed images to a local Harbor?