Spam Reduction with Email Aliases

Background

Email extensions and aliases can be powerful tools to limit the amount of spam your system receives and provide greater security for your personal information.  Either technique lets you identify the source of spam and selectively “turn off” the affected address without affecting other senders.  Both extensions and aliases work by obscuring your “real” email address and preventing it from being targeted directly by spammers.

A common use of aliases or extensions is to provide a unique registration email address for each site.  For example, when registering for an Amazon account, you create an alias of “amazon@example.com” or use an extension like “groucho+amazon@example.com”.  Should the Amazon address ever be compromised, it is easily disabled, and it is obvious which site requires a new contact address.

Email Extensions

Email extensions are simply modifications of the “base” email address.  For example, if the base email address is “groucho@example.com”, an email extension may modify it to “groucho+marx@example.com”.  The extension is internally discarded by the mail server when routing the mail to your inbox.  The start of the extension is identified by a special separator character (typically a “+”) and anything following it up until the “@” is ignored by the receiving mail server.

Email extensions are very easy to use as once enabled they require no further setup.  Any number of extensions may be added to a base address without reconfiguration.  However, they do not provide as much security as an alias as the base email address remains easily identified.  In addition, some sites have taken to banning email addresses with extensions as legitimate registration addresses.

Email Aliases

Email aliases are a more thorough means of hiding your base email address.  They permit a total substitution of the recipient portion of the address instead of merely appending a unique extension.  For example, if the real email address is “groucho@example.com”, aliases may be created to direct “harpo@example.com”, “chico@example.com”, and “zeppo@example.com” to also forward all email to the “groucho” account.

Aliases are a bit more work to create than extensions as each alias must be added to the /etc/aliases file and the newaliases command run (as administrator).  However, they do provide a greater degree of security as the base email address is never revealed.

Implementation

Enabling Address Extensions

  1. Log in as Administrator.
  2. Edit the /etc/postfix/main.cf file to enable the recipient_delimiter option.
    recipient_delimiter = +
  3. Launch the Server Admin application and connect to the server hosting mail services.
  4. Select the Mail service and restart the service.

Disabling Address Extensions

Disabling a particular email extension is not quite as easy as creating a new one.  In fact, it may be easiest simply to add a filtering rule on your email client to delete any email addressed to the compromised extension.  However, it can also be performed at a system level for cases where your email client may not support filtering rules (e.g. iPhone).

  1. Log in as Administrator.
  2. Edit the /etc/aliases file by adding the compromised extension and redirecting it to /dev/null.
    groucho+marx:  /dev/null
  3. Run the newaliases command.
    sudo /usr/bin/newaliases

Enabling Address Aliases

Aliases can be added by adding an appropriate entry into the /etc/aliases file. The format for aliases is:

alias: address[, address, ...]

Note that an alias may specify more than one recipient address which results in the mail to that alias being sent to multiple recipients.

  1. Log in as Administrator.
  2. Edit the /etc/aliases file and add in the alias and corresponding base address.
    harpo:  groucho
    chico:  groucho
    zeppo:  groucho
    marx: groucho, karl
  3. Run the newaliases command.
    sudo /usr/bin/newaliases

Disabling Address Aliases

If an email alias is compromised, it is a simple exercise to disable the alias and prevent the spam from cluttering up your inbox.  There are two methods of disabling an alias, each of which results in different behavior.

The first method of disabling an alias is to simply either remove it or comment it out (by prefixing the line with a “#”) from the /etc/aliases file.  With it disabled in this manner, any mail destined for the alias will be “bounced” back to the originating system with a message indicating the recipient is not a valid address.  This provides feedback to the originator and may result in the address being pruned from a spammer’s list (as they don’t want to waste time and resources on a “dead” address).

The second method of disabling an alias is to redirect it to /dev/null instead of a legitimate address.  When disabled in this manner, the mail is simply discarded upon receipt by the server and no feedback is provided to the sender.  This may be preferred for hosts which receive a lot of spam or have limited bandwidth, as it uses fewer internal resources and less outgoing bandwidth.

  1. Log in as Administrator.
  2. Edit the /etc/aliases file and update the alias(es) as appropriate.
    # harpo:  groucho
    # chico:  groucho
    zeppo:  /dev/null
  3. Run the newaliases command.
    sudo /usr/bin/newaliases
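
As an added illustration (not part of the original page), the script below models how the alias entries above interact with recipient_delimiter = +: the full local part is looked up first, then the base with the extension stripped, which also shows how easily the base address is recovered from an extension. The alias table is constructed from the examples above, and the MAILBOXES list of real accounts is an assumption.

```shell
#!/bin/sh
# Added example: simplified model of alias lookup with recipient_delimiter = +.
# ALIASES is a constructed table in /etc/aliases format; MAILBOXES is an
# assumed list of real local accounts.
ALIASES='
# harpo:  groucho
chico:  groucho
zeppo:  /dev/null
marx: groucho, karl
groucho+marx:  /dev/null
'
MAILBOXES='groucho karl'
DELIM='+'

# lookup_alias KEY -> prints the right-hand side of a matching, uncommented entry
lookup_alias() {
    printf '%s\n' "$ALIASES" | awk -v key="$1" '
        /^[ \t]*#/ || !/:/ { next }
        { i = index($0, ":"); k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) { print v; found = 1; exit } }
        END { exit !found }'
}

# resolve ADDRESS -> "discard", "bounce", or the delivery target(s)
resolve() {
    lp=${1%@*}                       # local part, domain dropped
    base=${lp%%"$DELIM"*}            # local part with any extension stripped
    for key in "$lp" "$base"; do     # full local part first, then the base
        if target=$(lookup_alias "$key"); then
            [ "$target" = /dev/null ] && target=discard
            echo "$target"; return 0
        fi
    done
    case " $MAILBOXES " in
        *" $base "*) echo "$base" ;; # no alias: deliver to the real mailbox
        *) echo bounce ;;            # unknown recipient is rejected
    esac
}

for a in groucho+amazon groucho+marx harpo zeppo marx; do
    printf '%-26s -> %s\n' "$a@example.com" "$(resolve "$a@example.com")"
done
```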

Mac OS X launchd Tips & Tricks

Background

The launchd utility is Apple’s endorsed replacement on Mac OS X for inetd, xinetd, rc, crond, at and other system utilities.

Daemon and Agent Directories

There are a number of designated directories intended to contain the launchd property list files.  Apple designates a Launch Agent as an application or service that is run only when the specified user(s) are logged into the system.  A Launch Daemon is an application or service that is run independently of any logged in users.

~/Library/LaunchAgents

Per-user agents added by the user

/Library/LaunchDaemons

System-wide daemons added by the administrator

/Library/LaunchAgents

Per-user agents added by the administrator

/System/Library/LaunchDaemons

System-wide daemons provided by Mac OS X

/System/Library/LaunchAgents

Per-user agents provided by Mac OS X

Loading and Unloading a launchd entry

Properly configured property list files will be loaded automatically at system boot time.  However, it is not necessary to reboot your system to load or unload a Launch Daemon entry.

When updating a system-level daemon entry, it may be necessary to perform the commands while logged in as an Administrator and using the sudo command.

To add an entry:

launchctl load /Library/LaunchDaemons/service.plist

To remove an entry:

launchctl unload /Library/LaunchDaemons/service.plist

Examples

Setting up rsync as a daemon

Background

The Unix utility rsync is a powerful tool for synchronizing data.  It can be used to quickly and efficiently copy files both locally and remotely.  It is best known for its delta-transfer capability which can greatly reduce the size of the data copied which results in a much faster copying process.

Setting up rsync as a daemon provides your system with an automated means of running the rsync process on-demand.  Essentially, it provides instructions to the operating system on how to respond when faced with an incoming rsync connection.  The daemon can be configured to limit access, require encryption, restrict permissions, etc. in order to ensure it provides a safe, reliable service.  When run as a daemon, rsync is often referred to as rsyncd.

Special Notice

Improper use of rsync can permanently damage your files. The standard installation of rsync installed with Mac OS X Server was not designed to handle the resource forks that are sometimes associated with Macintosh files.  Using rsync on files with these properties may result in irrecoverable file loss.  Use of rsync should be limited to files known to be “safe” (e.g. Unix utilities and data files).

Setup

There are several steps necessary to set up rsync as a daemon process.  First, a property list file (.plist) must be created specifying the appropriate arguments for the operating system’s LaunchDaemon process to instantiate rsyncd.  A configuration file (.conf) must also be created providing additional rsyncd runtime arguments.  The configuration file may also include module files for easier control over individual settings.  Finally, a secrets file (.scrt) should be created to provide an additional layer of security to the rsync daemon.

A newer version of rsync is also available through MacPorts.  It may be installed in addition to the version that comes with Mac OS X.  The standard version of rsync can be found at /usr/bin/rsync, while the MacPorts version is installed by default as /opt/local/bin/rsync.

Property List File

The property list file is read by the LaunchDaemon process and contains instructions for starting the rsyncd process.  The supplied rsync.plist file is suitable for installation on standard Mac OS X Server installations.  It must be modified to reflect the alternate path (/opt/local/bin/rsync) if using the MacPorts-installed version of rsync.

  1. Log in as Administrator.
  2. Download the rsync.plist file and make any necessary modifications.
  3. Copy the rsync.plist file to the /Library/LaunchDaemons directory.
    sudo cp rsync.plist /Library/LaunchDaemons
  4. Set the owner, group, and permissions on the rsync.plist file.
    sudo chown root:wheel /Library/LaunchDaemons/rsync.plist
    sudo chmod 644 /Library/LaunchDaemons/rsync.plist
  5. Load the property list file with the Launch Daemon.
    sudo launchctl load /Library/LaunchDaemons/rsync.plist

Configuration File

The configuration file is read by rsync upon launching and provides environment, security, and other configurable parameters.  It also provides the definitions for rsync modules.  Each module exports a directory tree as a symbolic name and can define not only the directory tree but also any unique permissions, patterns, or other configuration options.

In the example configuration, the file and directory structure specifications are detailed in separate files which are included by the main configuration file.  This permits each module’s list of targets to be maintained independently.

There are a number of available configuration options of which the sample configuration file illustrates only a few.  For more information, see the man page for rsyncd.conf.

  1. Log in as Administrator.
  2. Download the example rsyncd.conf file.
  3. Edit the rsyncd.conf file and make any necessary changes for your installation.
  4. Copy the rsyncd.conf file to the /etc directory.
    sudo cp rsyncd.conf /etc
  5. Set the owner, group, and permissions on the rsyncd.conf file.
    sudo chown root:wheel /etc/rsyncd.conf
    sudo chmod 640 /etc/rsyncd.conf

Module Files

Module files are an extension of the main configuration file and are simply an easy method of isolating module-specific settings.  The module files are included by the main configuration file.  A typical usage is to define the list of files and directories that are to be included (or excluded) in the rsync operation.  The example rsyncd.core module file includes several important directories that are not backed up by Apple’s Time Machine.

Secrets File

The secrets file can be used to store authentication information for restricting access to any defined rsync modules.  The usernames specified in the secrets file do not need to be actual users.

The format for the secrets file is simple:  username:password (one entry per line).  Bear in mind that some systems may have restrictions on the characters, length, or capitalization for either component.

  1. Log in as Administrator.
  2. Download the example rsyncd.scrt file.
  3. Edit the rsyncd.scrt file and add the usernames and passwords for your system.
  4. Copy the rsyncd.scrt file to the location specified in your rsyncd.conf file.
    sudo cp rsyncd.scrt /etc
  5. Set the owner, group, and permissions on the file.
    sudo chown root:wheel /etc/rsyncd.scrt
    sudo chmod 600 /etc/rsyncd.scrt
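
The following script is an added example, not part of the original page or its downloadable files. It audits a secrets file against the two properties described above: the username:password line format and the absence of group/other permission bits (with rsync's default strict modes setting, the daemon refuses a secrets file that other users can read). The sample file and its credentials are constructed placeholders, and findings report line numbers only so passwords never reach the terminal or logs.

```shell
#!/bin/sh
# Added example: audit an rsync secrets file before loading the daemon.

# audit_secrets FILE -> prints one finding per line; returns 1 on any finding
audit_secrets() {
    f=$1; rc=0
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # Any group/other permission bit means the file is looser than mode 600.
    for bit in 040 020 010 004 002 001; do
        if [ -n "$(find "$f" -perm -"$bit")" ]; then
            echo "permissions: group/other access on $f (want 600)"
            rc=1; break
        fi
    done
    # Each non-blank, non-comment line must be username:password, both non-empty.
    bad=$(awk '/^#/ || /^[ \t]*$/ { next }
               { i = index($0, ":")
                 if (i < 2 || i == length($0)) print "format: line " NR }' "$f")
    [ -z "$bad" ] || { echo "$bad"; rc=1; }
    return $rc
}

# Constructed sample file (placeholder credentials): first loose, then fixed.
tmp=$(mktemp -d)
printf '%s\n' '# backup accounts' 'backup:example-password' 'nopassword:' \
    > "$tmp/rsyncd.scrt"
chmod 644 "$tmp/rsyncd.scrt"
audit_secrets "$tmp/rsyncd.scrt" || echo "=> fix before loading the daemon"

printf '%s\n' '# backup accounts' 'backup:example-password' > "$tmp/rsyncd.scrt"
chmod 600 "$tmp/rsyncd.scrt"
audit_secrets "$tmp/rsyncd.scrt" && echo "=> ok"
rm -rf "$tmp"
```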