blackstrat

I've run my own email server for a few years now without too many troubles. I also pay for a ProtonMail account that's been very good. But I've always struggled with PGP keys for encrypting messages to non-Proton users - basically everyone. The PGP key distribution setup just seemed half baked and a bit broken relying on central key servers.

Then I noticed that email I set from my personal email to my company provided email were being encrypted even though I wasn't doing anything to achieve this. This got me curious as to why that was happening which lead me to WKD (Web Key Directory). It's such a simple idea for providing discoverable downloads for public keys and it works really well having set it up for my own emails now.

It's basically a way of discovering the public key of someone's email by making it available over HTTPS at an address that can be calculated based on the email address itself. So if your email is name@example.com, then the public key can be hosted at (in this case) https://openpgpkey.example.com/.well-known/openpgpkey/example.com/hu/pmw31ijkbwshwfgsfaihtp5r4p55dzmc?l=name this is derived using a command like gpg-wks-client --print-wkd-url name@example.com. You just need an email client that can do this and find the key for you automatically. And when setting up your own server you generate the content using the keys in your gpg key ring using env GNUPGHOME=$(mktemp -d) gpg --locate-keys --auto-key-locate clear,wkd,nodefault name@example.com. Move this generated folder structure to your webserver and you're basically good to go.

I have this working with Thunderbird, which now prompts me to do the discoverability step when I enter an email that doesn't have an associated key. On Android, I've found OpenKeyChain can also do a search based just on the email address that apps like K9-Mail (to be Thunderbird mail) can then use.

Anyway, I thought this was pretty cool and was excited to see such an improvement in seamless encryption integration. It'd be nicer if on Thunderbird and K9 it all happened as soon as you enter an email address rather than a few extra steps to jump through to perform the search and confirm the keys. But it's a major improvement.

Does your email provider have WKD setup and working or do you use it already?

I noticed that I wasn't getting many mails (I need better monitoring), and discovered that my iredmail server was poorly.

I have spent far too much time and energy on getting it back and working these past few days, but I've finally got it back up and stable.

Some background: I've had iredmail running for probably going on 6 years now and have had very few issues at all. It runs on an Ubuntu VM on Proxmox and originally was running in the same VM on ESXi (I migrated it over). I haven't changed anything to do with the VM for years other than the Ubuntu LTS updates every 2-3 years, it's always been there and stable. I occasionally will update the Ubuntu OS and iredmail itself, no problems.

Back to the problem... I noticed that Postfix was running OK, but was showing a bunch of errors about clamav not being able to connect. Odd. I then noticed that amavis was not running and had seemed to just die. I couldn't find any reason in any log file. Very strange. Bunch of hunting, checking config file history in the git repo. Nothing significant for years.

Find that restarting the server got everything back up and running. Great, lets go to bed.... Wake up next morning to find that amavis was dead again - it only lasted about 40 mins and then just closed for no reason. Right, ok, time to turn off clamAV as that seemed be be coming up a bit wheilst looking, follow the guide, all is well. Hmm, this seems to be working, but I don't really want clamav off. A whole bunch of duck duck going and I still couldn't figure out a root cause.

And then it clicked, the thing that was causing amavis to close was that it was running out of memory and it was being killed. Bump the memory up to 4GB and re-enable everything as it originally was and.... it seems to have worked. Been going strong for over a day now.

I don't know what it was that's changed recently which has meant the memory requirements have gone up a bit, but at least it's now fixed and it took all of 2 minutes to adjust.

The joys of selfhosting!

There's 3 things that really stand out for me that I would say made a massive difference to my life:

1. Cordless screw driver. Bought the day after building a flat pack bed with a crappy screw.driver that just shredded my hand. Thought it was frivolous at the time, but I've used it so much since. It's light, small enough to fit in my pocket and good for 90% of DIY tasks.

2. Tassimo coffee machine. Bought it 9 years ago, use it every day. Nice quick easy coffee. What's not to like.

3. My first DSLR camera. It was a Nikon D50 back in 2005/6 and it sparked my interest in photography to this day. It gave me a hobby I can take lots of places and do it alone or with others. I never loved the D50 camera itself, but I did get some really nice shots with it

Seems like a shame to throw away and must have a use.

I thought I'd never see the day.

For King Tovalds and Country of FOSS OS's

Wear Arch, but I run EndeavourOS. If EndeavourOS launched a line of shoes I'd probably wear them.

This was a very nerve racking experience as I'd never gone through a major version Proxmox update before and I had spent a lot of time getting everything just so with lots of config around disk and VLANs. The instructions were also a big long page, which never fills me with confidence as it normally means there's a lot of holes to fall in to.

My initial issue was that it says to perform the upgrade with no VM's running, but it requires an internet connection and my router is Opnsense in a VM. Thankfully apt dist-upgrade --download-only, shutdown the Opnsense VM and then apt dist-upgrade did the trick.

A few config files changed and I always hate this part of Debian upgrades, but nothing major or of importance was impacted.

A nervous reboot and everything was back up running the new Proxmox with the new kernel. Surprisingly smooth overall and the most time consuming part by far was backing up my VM's just in case. The upgrade itself including reboot was probably 15 mins, the backups and making sure I was prepared and mentally ready was about an hour.

Compared to upgrading ESXi on old hardware like I was doing last year, it was a breeze.

Highly recommended, would upgrade again.