Tech Question about my Linux Server

Don’t forget to back up your automation!

Preferably in a location that you can access even if your server goes poof.

2 Likes

ansible and docker-compose files are on the server, on my laptop and in my git repository, which is pushed to our NAS currently. I’ve been pretty religious about committing and pushing. I am not yet sure if I will add a repository to the server as well.

But at the moment 3 different places would need to fail for me to lose the setup.

I activated automated server backups on Hetzner for now. Those are more snapshot-like, and they get rotated, so if I mess up and don’t notice, it doesn’t help at all.

I know all the files I need to back up and where they live (mostly very nicely separated from the not-data around them, except for f…ing WordPress, which stores uploads and themes… somewhere).

It is more of a question of setting up a backup. I could easily write a script that generates a nice tarball.

1 Like

I am having trouble sending emails to at least one server. Stupidly, it is t-online, where my dad has his email account, and previous attempts to get him to move proved impossible. So I need to be able to send emails there.

9DA32159D8A: to=<xxxx@t-online.de>, relay=mx00.t-online.de[194.25.134.8]:25, delay=55019, delays=55018/0.04/0.09/0, dsn=4.0.0, status=deferred (host mx00.t-online.de[194.25.134.8] refused to talk to me: 554 IP=xxx.xxx.xxx.xxx - None/bad reputation. Ask your postmaster for help or to contact tobr@rx.t-online.de for reset. (NOWL))

So I wrote to them. And got a total meh answer, and I don’t know what mistake I made with my setup.
I know my DKIM setup is fine because Google talks to me.

The answer more or less said they only allow “commercial grade” servers to talk to them and I should use my hoster’s email relay… and a link to their FAQ as to what qualifies as a commercial grade server.

https://postmaster.t-online.de/index.en.html#t4.11

edit:
I tried understanding this and I failed. My only clue is that I turned off what I thought was an internal option of my mail server:

smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_unknown_client_hostname

This is the line without the option that forces “sender verification”; it was making problems with my alias files, and I thought on a server where only my partner and me can log in it was not necessary to restrict From addresses… I guess I am wrong. Does my server really advertise these options to the outside world?
Not it. I clicked on their provided link. I misunderstood from incorrect auto-completion on my part.

I now think it might be that whois against that domain returns a whole lot of “redacted” stuff from my DNS provider.

1 Like

“We don’t care, we don’t have to, users can get gmail and microsoft and that’s all the email that matters”.

You can jump through as many hoops as you like and they’ll just make up some new ones.

That particular option shouldn’t be a problem as long as you’re not relaying. If they were using one of the blacklists they’d probably tell you which, though you could poke SORBS Database Lookup with your IP.

2 Likes

I am not blacklisted anywhere. If I was, the error message would include “BL”, not “NOWL” → I am not whitelisted. And as far as I know my old server from the same hoster could send emails there. I would need to check what is different with the setup. Possibly Plesk was configured to go through a relay at Hetzner. (I don’t think so.)

I’ve sent a few mails to various people; all of those arrived.
Since so far it only concerns 1 single person, I might consider finding a work-around.

I also found out that “whois” is no longer useful at all. Everything is redacted these days (I haven’t had occasion to use it for years). There must have been a lot of abuse …

I only added the proper reverse DNS for my server yesterday, but this is now in place and I still cannot send mails (to t-online).

1 Like
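The deferral line quoted earlier in the thread, and the NOWL-versus-BL reading in the post above, can be pulled apart mechanically. The following is an added example written for this page, not code from the thread or from Postfix: it parses a Postfix `status=deferred` line, splits the `delays=a/b/c/d` field into its four phases, extracts the remote's SMTP reply code and its trailing tag, and explains why a 554 from the remote still shows up as a temporary 4.0.0 on the sending side. `SAMPLE_LOG` is a constructed copy of the posted line, and the tag meanings are the poster's reading, not an official t-online table.

```python
"""Parse a Postfix 'status=deferred' line and classify the remote MX's refusal.
Added example for this thread, not code from it or from Postfix; SAMPLE_LOG is a
constructed copy of the line posted above, mailbox and IP redacted as in the post."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG = (
    "9DA32159D8A: to=<xxxx@t-online.de>, relay=mx00.t-online.de[194.25.134.8]:25, "
    "delay=55019, delays=55018/0.04/0.09/0, dsn=4.0.0, status=deferred "
    "(host mx00.t-online.de[194.25.134.8] refused to talk to me: 554 IP=xxx.xxx.xxx.xxx "
    "- None/bad reputation. Ask your postmaster for help or to contact "
    "tobr@rx.t-online.de for reset. (NOWL))"
)

# Fixed part the Postfix SMTP client logs per delivery attempt (optionally with the
# syslog prefix still in front); everything in the final parentheses is the remote's text.
_LINE = re.compile(
    r"^(?:.*?postfix/[\w-]+\[\d+\]: )?(?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^\[,]+)\[(?P<relay_ip>[^\]]+)\]:(?P<port>\d+), "
    r"delay=(?P<delay>[\d.]+), delays=(?P<delays>[\d./]+), dsn=(?P<dsn>\d\.\d+\.\d+), "
    r"status=(?P<status>\w+) \((?P<text>.*)\)$"
)

@dataclass
class Deferral:
    queue_id: str
    recipient: str
    relay: str
    relay_ip: str
    delay_s: float          # total time in queue
    before_qmgr_s: float    # delays a: before the queue manager (here: sitting in the deferred queue)
    in_qmgr_s: float        # delays b: inside the queue manager
    connect_s: float        # delays c: connection setup incl. DNS, HELO, TLS
    transmit_s: float       # delays d: message transmission (0: never got to DATA)
    dsn: str
    status: str
    smtp_code: Optional[int]
    reason_tag: Optional[str]
    text: str

    @property
    def temporary(self) -> bool:
        # 4.x.x: Postfix retries until maximal_queue_lifetime (default 5d), then bounces.
        return self.dsn.startswith("4.")

def parse_deferral(line: str) -> Deferral:
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("not a Postfix delivery-status line with a relay host")
    a, b, c, d = (float(x) for x in m["delays"].split("/"))
    code = re.search(r":\s(?P<code>[245]\d\d)\b", m["text"])
    tag = re.search(r"\((?P<tag>[A-Z]+)\)\s*$", m["text"])
    return Deferral(m["qid"], m["rcpt"], m["relay"], m["relay_ip"], float(m["delay"]),
                    a, b, c, d, m["dsn"], m["status"],
                    int(code["code"]) if code else None, tag["tag"] if tag else None, m["text"])

# The poster's reading of t-online's trailing tag: BL = on a blocklist, NOWL = merely
# not on their allowlist.  Taken from the thread, not from an official table.
T_ONLINE_TAGS = {"BL": "IP is on a blocklist", "NOWL": "IP is not on the allowlist"}

def explain(d: Deferral) -> str:
    if d.smtp_code and d.smtp_code >= 500 and d.temporary:
        # A 5xx before EHLO is logged as "refused to talk to me" and, with the default
        # smtp_skip_5xx_greeting=yes, treated as a soft error so other MXs get tried.
        head = f"{d.relay} rejected the session with {d.smtp_code}; Postfix deferred (dsn {d.dsn}) and keeps retrying"
    else:
        head = f"{d.relay} answered {d.smtp_code} (dsn {d.dsn}, status {d.status})"
    why = T_ONLINE_TAGS.get(d.reason_tag, f"tag {d.reason_tag}") if d.reason_tag else "no reason tag"
    return f"{head}; {why}; queued {d.delay_s / 3600:.1f} h so far"

if __name__ == "__main__":
    print(explain(parse_deferral(SAMPLE_LOG)))
```

The `delays` breakdown is the quickest way to see where a mail is stuck: here 55018 of the 55019 seconds were spent in the deferred queue before this attempt, the connection took 0.09 s, and nothing was transmitted, which matches a rejection at the greeting rather than after DATA. Lines with `relay=none` (DNS failures) have no host and are rejected by the parser on purpose.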

I know some providers just exclude Hetzner ranges, on the basis that getting a machine there is quick and easy and lots of spammers do it. (Though OVH are cheaper and care less.)

2 Likes

My old server lives at Hetzner as well and I swear I was able to send email to him from there. But maybe not. We don’t often do that anymore since he got Signal on his phone. But recently due to renovations it seemed easier a few times. I’ll probably log into the old server and watch logfiles to see if it does better than the new one. If it does, I’ll check differences. If not I’ll know it is Hetzner.

Workaround is also clear by now: My dad has a gmail address he doesn’t use regularly, which is why he doesn’t want us to use that. But either my sister (where he is RN) or me (I think I might have his password oO) can put a forward on there and all will be well. There aren’t that many people we know using t-online addresses these days.

2 Likes

So while my IP is NOT listed at this one stupid blacklist, apparently the whole subnet is listed.
My old server IP is not listed, neither is my IPv6 address.

I am wondering if I can somehow manage the trick to keep the old IP and move it over to the new server?

The fun thing is my old server couldn’t send anything to Gmail because of IPv6 misconfiguration on Plesk… this was much worse than not being able to send to t-online.

T-online are idiots.

PS: the blacklist guys also have a whitelist for just 25 CHF / month:

How can any email hoster seriously be using such a service? Extortion.

2 Likes

On the other side, imagine being a major email provider and having to deal with every 16 year old trying to host email on a virtual machine running on their parents’ desktop computer. You get tired of dealing with randos on the internet.

This particular situation, however, is pretty amateur by itself on their end.

2 Likes

I understand. You need to block some people; especially in Germany we get new IP addresses on every restart of our router or after the ISP disconnects (which still happens nightly afaik), so running some VM behind the router as an email server is not possible.

But my server is definitely not that. And it is well enough configured that google talks to it and they are picky.

As I said I have a work around but I still wrote another email back to them to let them know about the blacklist entry that isn’t really one. I have owned the IP address for 2 years now and the server was shut down for most of that time. If that is not enough to “clear” it… I don’t know what is.

I am wondering how difficult it is to move the server to another IP (I have my old one which is not blacklisted anywhere…)

2 Likes

My sister sent me some documentation on that (my sister is not a techie oO)

Just remember: the only way to get your email through is to have full alignment with your From domain across your SPF, DKIM, and rDNS domains.

Apparently I am not the only one: https://sendgrid.com/blog/how-to-meet-the-new-t-online-de-email-delivery-requirements/

I swear my DKIM setup is fine. SPF should be fine but I’ll check. I am not sure about reverse DNS.

2 Likes
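The alignment rule quoted above can be checked before mailing a postmaster. The following is an added example written for this page, not code from t-online, SendGrid or the poster: it verifies forward-confirmed reverse DNS for the sending IP, evaluates the From domain's SPF record for that IP, and confirms a DKIM key is published under the From domain (which assumes you sign with `d=` equal to the From domain, as strict alignment requires). DNS is abstracted as a `resolve(name, rrtype)` callable so the check runs offline against constructed records; `example.org`, `203.0.113.10` and selector `s1` are assumptions, not the poster's values. The second zone reproduces the situation in the thread: a VPS whose PTR still carries the hoster's name, so rDNS is forward-confirmed but not aligned.

```python
"""rDNS / SPF / DKIM alignment check against a From domain.  Added example for this
thread, not code from t-online, SendGrid or the poster.  DNS goes through
resolve(name, rrtype) so it runs offline on the constructed zones below; the
domain, IP and selector are assumptions."""
import ipaddress
from typing import Callable, Dict, List

Resolver = Callable[[str, str], List[str]]   # (name, rrtype) -> record strings, [] if none

def _addrs(name: str, resolve: Resolver) -> set:
    """All A/AAAA addresses of a name as ipaddress objects."""
    return {ipaddress.ip_address(a) for rr in ("A", "AAAA") for a in resolve(name, rr)}

def check_rdns(ip: str, from_domain: str, resolve: Resolver) -> Dict:
    ipobj = ipaddress.ip_address(ip)
    ptrs = [n.rstrip(".").lower() for n in resolve(ipobj.reverse_pointer, "PTR")]
    fcrdns = [n for n in ptrs if ipobj in _addrs(n, resolve)]   # PTR name resolves back to ip
    aligned = any(n == from_domain or n.endswith("." + from_domain) for n in fcrdns)
    return {"ptr": ptrs, "forward_confirmed": bool(fcrdns), "aligned": aligned}

_QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(ip: str, domain: str, resolve: Resolver, depth: int = 0) -> str:
    """Minimal SPF evaluator: ip4/ip6/a/mx/include/all and redirect=.  No macros, no
    exists:, no CIDR on a/mx, and a depth cap instead of RFC 7208's 10-lookup limit."""
    if depth > 10:
        return "permerror"
    ipobj = ipaddress.ip_address(ip)
    records = [t for t in resolve(domain, "TXT") if t.lower().startswith("v=spf1")]
    if len(records) != 1:
        return "none" if not records else "permerror"     # two SPF records is a hard error
    redirect = None
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in _QUAL:
            qual, term = term[0], term[1:]
        if "=" in term.split(":")[0]:                       # modifier (redirect=, exp=)
            name, _, arg = term.partition("=")
            if name.lower() == "redirect":
                redirect = arg
            continue
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            hit = ipobj in ipaddress.ip_network(arg, strict=False)   # False across IP versions
        elif mech == "a":
            hit = ipobj in _addrs(arg or domain, resolve)
        elif mech == "mx":
            hosts = [m.split()[-1].rstrip(".") for m in resolve(arg or domain, "MX")]
            hit = any(ipobj in _addrs(h, resolve) for h in hosts)
        elif mech == "include":
            hit = spf_result(ip, arg, resolve, depth + 1) == "pass"
        elif mech == "all":
            hit = True
        else:
            return "permerror"
        if hit:
            return _QUAL[qual]
    return spf_result(ip, redirect, resolve, depth + 1) if redirect else "neutral"

def check_dkim_key(from_domain: str, selector: str, resolve: Resolver) -> Dict:
    """The record a verifier fetches for a signature with d=from_domain and s=selector."""
    name = f"{selector}._domainkey.{from_domain}"
    tags = {}
    for txt in resolve(name, "TXT"):
        for kv in txt.split(";"):
            k, _, v = kv.strip().partition("=")
            if k:
                tags[k.strip()] = v.strip()
    return {"name": name, "published": bool(tags.get("p")),   # empty p= means revoked
            "key_type": tags.get("k", "rsa")}

def alignment_report(from_domain: str, ip: str, selector: str, resolve: Resolver) -> Dict:
    from_domain = from_domain.lower().rstrip(".")
    rdns = check_rdns(ip, from_domain, resolve)
    spf = spf_result(ip, from_domain, resolve)
    dkim = check_dkim_key(from_domain, selector, resolve)
    return {"rdns": rdns, "spf": spf, "dkim": dkim,
            "all_aligned": rdns["aligned"] and spf == "pass" and dkim["published"]}

# Constructed zone data (documentation ranges, reserved names); p= is a placeholder.
GOOD_DNS = {
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.example.org."],
    ("mail.example.org", "A"): ["203.0.113.10"],
    ("example.org", "MX"): ["10 mail.example.org."],
    ("example.org", "TXT"): ["v=spf1 mx -all"],
    ("s1._domainkey.example.org", "TXT"): ["v=DKIM1; k=rsa; p=EXAMPLEKEYDATA"],
}
# Fresh VPS state: the PTR still carries the hoster's generic name, so rDNS is
# forward-confirmed but not aligned and the overall check fails.
HOSTER_PTR_DNS = {**GOOD_DNS,
    ("10.113.0.203.in-addr.arpa", "PTR"): ["static.10.113.0.203.clients.hoster.example."],
    ("static.10.113.0.203.clients.hoster.example", "A"): ["203.0.113.10"],
}

def make_resolver(zone: Dict) -> Resolver:
    """Offline stand-in for a real resolver such as dnspython's dns.resolver.resolve."""
    return lambda name, rrtype: list(zone.get((name.rstrip(".").lower(), rrtype), []))

if __name__ == "__main__":
    for label, zone in (("aligned", GOOD_DNS), ("hoster PTR", HOSTER_PTR_DNS)):
        print(label, alignment_report("example.org", "203.0.113.10", "s1", make_resolver(zone)))
```

To run it against live DNS, replace `make_resolver(...)` with a function that queries a real resolver and returns the record strings; everything else stays the same. Note that the check cannot tell you whether your outgoing mail actually carries a signature with `d=` set to the From domain; that part has to be confirmed on a sent message's `DKIM-Signature` header.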

To finish the year I just deleted my old server (I opted for keeping the IPv4 address for 75 euro cents/month for now as it is clean and on no blocklists, and I may want to start experimenting again, and my internet skills do not extend to understanding IPv6).

3 Likes

Getting at least a basic facility with IPv6 is probably worth doing – it’s increasingly becoming the default, especially for cheap hosting – and there’s a freebie course at IPv6 Certification which I quite enjoyed.

4 Likes

While I wasn’t paying attention… (on vacation?) someone (script-)hacked 1 of my 2 WordPress blogs. The bigger one. Obviously. On “googling” it seems to be some kind of automated thing that happens when you have a) an old installation (nope) or b) an insecure password (generated) or c) an insecure hoster (hmf?) or d) an old theme (nope) or (most likely) e) some kind of untrustworthy plugin… (one I used to recover my uploads after previous deletion probably; I was a bit desperate before figuring out everything was still there). It was possibly some other unknown PHP problem with WordPress.

Since I had previously managed to lose the blog at least once, I had backups. But today I sat down instead of just resting on the last day before work and finally made up my mind about rsyncing some important files and creating button-press backups of my MySQL databases via Ansible: it can copy dated snapshot MySQL dumps to my local computer… and I checked those are not empty :wink:

I do think I lost something. I had tons of uploaded images on the blog, arranged in galleries… for my boardgame collection. And that part I didn’t manage to recover. I thought I had previously managed to do that.

It’s not like I am actively writing on the blog but I had planned to after the move. And it is part of my server and my online presence and while it is not the first time some part of my server gets hacked or destroyed… I still hate when it happens.

4 Likes
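The dated, non-empty dump snapshots described in the post above are a small enough thing to get exactly right. The following is an added example written for this page, not the poster's Ansible code: it writes one gzipped `mysqldump` per run with a fixed-width UTC stamp in the name, verifies the result is neither empty nor cut short before calling it a backup, and rotates old snapshots. The database name, the credentials option file and the target directory are assumptions. Only `dump_database()` talks to MySQL; the verification, rotation and the `demo()` fixture work on files and run offline.

```python
"""Dated, verified MySQL dump snapshots with rotation.  Added example for this thread,
not the poster's Ansible code; database name, option file and directory are
assumptions.  Only dump_database() talks to MySQL; verify_dump(), prune_snapshots()
and demo() work on files and run offline."""
import gzip
import re
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List

STAMP = "%Y%m%dT%H%M%SZ"                                  # fixed width, UTC: sorts chronologically
_NAME = re.compile(r"^(?P<db>\w+)_(?P<stamp>\d{8}T\d{6}Z)\.sql\.gz$")

def verify_dump(path: Path, min_bytes: int = 512) -> bool:
    """Good only if the file is non-trivial and ends with mysqldump's trailer; a refused
    connection or wrong password leaves an empty or headless file that still 'exists'."""
    try:
        with gzip.open(path, "rb") as fh:
            data = fh.read()
    except (OSError, EOFError):
        return False
    tail = data[-256:].decode("utf-8", errors="replace")
    return len(data) >= min_bytes and "-- Dump completed" in tail

def dump_database(db: str, dest: Path, option_file: Path = Path("~/.my.cnf").expanduser()) -> Path:
    """Write <dest>/<db>_<stamp>.sql.gz.  Credentials come from a mode-0600 option file
    (--defaults-extra-file), never from argv where `ps` shows them; --single-transaction
    gives a consistent InnoDB snapshot without locking the blog's tables."""
    dest.mkdir(parents=True, exist_ok=True)
    out = dest / f"{db}_{datetime.now(timezone.utc).strftime(STAMP)}.sql.gz"
    cmd = ["mysqldump", f"--defaults-extra-file={option_file}", "--single-transaction",
           "--routines", "--triggers", db]
    with subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) as proc, \
            gzip.open(out, "wb") as fh:
        shutil.copyfileobj(proc.stdout, fh)               # stream so a big DB is never held in RAM
        _, err = proc.communicate()
    if proc.returncode != 0 or not verify_dump(out):
        out.unlink(missing_ok=True)                       # a bad file must not pass as a backup later
        raise RuntimeError(f"dump of {db} failed: {err.decode(errors='replace').strip()}")
    return out

def prune_snapshots(dest: Path, db: str, keep: int) -> List[Path]:
    """Delete all but the newest <keep> snapshots of <db>; returns the removed paths."""
    if keep < 1:
        raise ValueError("keep at least one snapshot")
    snaps = sorted(p for p in dest.iterdir() if (m := _NAME.match(p.name)) and m["db"] == db)
    removed = snaps[:-keep]
    for p in removed:
        p.unlink()
    return removed

def demo() -> dict:
    """Exercise the file-side logic on constructed snapshots in a temp directory."""
    d = Path(tempfile.mkdtemp(prefix="dumps-"))
    good = d / "blog_20240101T000000Z.sql.gz"
    with gzip.open(good, "wb") as fh:                     # shaped like a real dump: body + trailer
        fh.write(b"-- MySQL dump\n" + b"INSERT INTO wp_posts VALUES (1);\n" * 40
                 + b"-- Dump completed on 2024-01-01  0:00:00\n")
    cut = d / "blog_20240102T000000Z.sql.gz"
    with gzip.open(cut, "wb") as fh:                      # what a failed login leaves behind
        fh.write(b"-- MySQL dump\n")
    for name in ("blog_20240103T000000Z", "blog_20240104T000000Z", "other_20240104T000000Z"):
        (d / f"{name}.sql.gz").write_bytes(b"")
    results = {"good_ok": verify_dump(good), "cut_ok": verify_dump(cut)}
    results["removed"] = [p.name for p in prune_snapshots(d, "blog", keep=2)]
    results["left"] = sorted(p.name for p in d.iterdir())
    shutil.rmtree(d)
    return results

if __name__ == "__main__":
    print(demo())
```

Wired into Ansible, this is one `command` task running the script on the server followed by a `fetch` of the newest file to the laptop, which is what turns it into the "button-press" backup. The trailer check matters because a dump that failed half-way is the failure mode that only surfaces when you restore; an rsync or Hetzner snapshot copies such a file just as happily as a good one.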

I sympathise. Managed to avoid this so far but it’s probably only a matter of time.

One of my personal unreasonable stands is that I don’t run PHP. This started in the late 1990s with Squirrelmail; run with an SSL wrapper it would occasionally lock up the whole box it was running on. Dev comments: why would anyone do that?

So since then no PHP. I know it’s not as bad as it was. And it means no OwnCloud which would be dead handy. Still.

2 Likes

PHP is terrible.
I am considering moving away from WordPress. I don’t blog a lot anymore. And WordPress is too popular. It’s like running that old PHP forum software everyone had at one point. That one I got hacked, too.

I need to get a server-wide fail2ban installation. Plesk managed it for me previously. Currently only my mail server has a module. I saw I had 300k login attempts via SSH since Jan 1. No good, that.

My server was running something like load 60-70 sometime today. I am not sure what happened. Every time I logged in from WSL I was logged in twice. A reboot of both WSL and server fixed it but I am still… confused and suspicious.

And I put prometheus + Grafana on my list of things I need to figure out. Prometheus being the complicated part. A friend recommended trying it. It is probably overkill but so is using ansible for a single server.

2 Likes
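What fail2ban's sshd jail does with those 300k attempts is a sliding window per source address: `maxretry` failures within `findtime` seconds trigger a ban. The following is an added example written for this page, not fail2ban's code, that runs that logic over a handful of constructed auth.log lines (documentation IPs, a fixed year since syslog omits one). It counts only the `Failed password` line sshd writes once per rejected attempt, because the `Invalid user` line belongs to the same attempt and would double-count it, and it shows the gap the window leaves: a slow guesser who stays under `maxretry` per `findtime` is never banned.

```python
"""fail2ban-style detection of SSH password guessing over sample auth.log lines.
Added example for this thread, not fail2ban's code; the log lines are constructed
with documentation IPs, and the year is an assumption (syslog omits it)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

# Only the line sshd writes once per rejected password.  "Invalid user ..." is logged
# for the same attempt as well; matching both would double-count it.
_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

SAMPLE_AUTH_LOG = """\
Jan  2 03:04:05 srv sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Jan  2 03:04:12 srv sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2
Jan  2 03:04:20 srv sshd[1205]: Failed password for root from 198.51.100.23 port 51251 ssh2
Jan  2 03:04:31 srv sshd[1207]: Accepted publickey for deploy from 203.0.113.5 port 40022 ssh2
Jan  2 03:04:38 srv sshd[1209]: Failed password for invalid user ubuntu from 198.51.100.23 port 51262 ssh2
Jan  2 03:04:45 srv sshd[1211]: Failed password for root from 198.51.100.23 port 51270 ssh2
Jan  2 03:04:46 srv sshd[1212]: Failed password for root from 198.51.100.23 port 51271 ssh2
Jan  2 03:05:02 srv sshd[1213]: Failed password for deploy from 203.0.113.5 port 40031 ssh2
Jan  2 03:05:09 srv sshd[1215]: Failed password for deploy from 203.0.113.5 port 40032 ssh2
Jan  2 03:10:00 srv sshd[1220]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jan  2 03:40:00 srv sshd[1230]: Failed password for root from 192.0.2.9 port 33002 ssh2
Jan  2 04:10:00 srv sshd[1240]: Failed password for root from 192.0.2.9 port 33003 ssh2
Jan  2 04:40:00 srv sshd[1250]: Failed password for root from 192.0.2.9 port 33004 ssh2
Jan  2 05:10:00 srv sshd[1260]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""

def parse_failure(line: str, year: int) -> Optional[Tuple[datetime, str, str]]:
    """(timestamp, source ip, user) for a failed-password line, else None."""
    m = _FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")   # strptime tolerates 'Jan  2'
    return ts, m["ip"], m["user"]

def detect_bans(lines: Iterable[str], year: int = 2024, findtime: int = 600,
                maxretry: int = 5) -> Dict[str, datetime]:
    """Return {ip: time the ban would have started}.  Failures older than findtime drop
    out of the window, so guessing slower than maxretry per findtime never trips it,
    which is the gap a longer findtime or a second, stricter jail is meant to close."""
    window: Dict[str, deque] = defaultdict(deque)
    bans: Dict[str, datetime] = {}
    for line in lines:
        hit = parse_failure(line, year)
        if hit is None:
            continue
        ts, ip, _ = hit
        if ip in bans:
            continue                 # fail2ban stops counting a banned IP until it is unbanned
        q = window[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=findtime):
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
            q.clear()
    return bans

if __name__ == "__main__":
    for ip, when in detect_bans(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"ban {ip} at {when:%b %d %H:%M:%S}")
```

With the defaults (`findtime` 600 s, `maxretry` 5) only the fast guesser is banned; the host spreading five attempts over two hours passes, and only shows up when the window is widened to three hours. Disabling password authentication in sshd altogether turns all of these into `Connection closed by authenticating user` lines and removes the problem at the source.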

According to my hoster, my server has been accused by someone of sending spam. I probably made a mistake. I have no idea how to fix that and just 48 hours to do something about it. This is really not how I planned to spend Easter. Once again my WordPress installation has been hacked.

I guess there is no saving that blog. I will need to figure out a way to extract my old posts into some kind of static tool just so I can have it somewhere.

Wordpress is THE WORST.

5 Likes

So I asked chatGPT about alternatives… this is the list it came up with:

  • Ghost
  • Jekyll
  • Hugo
  • Grav
  • Drupal

Except for Drupal, which I will not use, I have not heard of any of these. Any recommendations? I am not actively blogging, I just want to host my old content and maybe, maybe every once in a while add a post. I do not need comments or stuff like that; I just want to be able to have my written articles somewhere.

I’ve played with Grav. It’s very clever. But I cannot speak to its security or stability.

1 Like

Hugo is getting good reports in circles I move in, even with people who aren’t in general fans of Golang.

1 Like