Things I learned last week (4)

Passport disk

Two weeks ago I tried to understand why my backup disk did not stop spinning after the configured 30 minutes. I finally found the problem: smartd (the SMART daemon) is configured to poll all the disks at a 30-minute interval, and because CHECK POWER MODE is not implemented on this disk, smartd was preventing it from spinning down. Unfortunately smartd cannot be configured to use a different polling interval per disk, so my only solution was to completely disable polling for this disk – which is not possible directly, so I had to configure an explicit list of disks to poll. That brought another issue, which is that the drive name (/dev/sda, etc…) is not stable between reboots, so I had to find the mapping in /dev/disk/by-id/, which finally gave me the correct configuration in smartd.conf:

DEFAULT -a -m root -M exec /usr/share/smartmontools/smartd-runner
/dev/disk/by-id/ata-WDC_WD10EURS-630AB1_WD-WCAVXXXXXXX
/dev/disk/by-id/ata-WDC_WD10EFRX-68JCSN0_WD-WCC1XXXXXXXX
/dev/disk/by-id/ata-ST3750640AS_3QD0TXXX
/dev/disk/by-id/ata-ST3750640AS_3QD0RXXX

That does not solve my initial problem, which is to know if the drive is spinning or not before opening the safe – I tried upgrading the disk firmware, but the CHECK POWER MODE is still not implemented (and the upgrade cannot be done from a Windows guest) – but at least I lowered the probability of damaging it.

SMTP over IPv6

On July 16 Comcast started blocking port 25 on its IPv6 network. I was already using port 465 for the emails sent from my mailer, but I was using the IPv6 loophole for the messages sent by the system (SMART alerts, backup result, security audits, etc…). I suppose that this is a sign that IPv6 is getting deployed, so that’s a good thing, but that means that I had to start using TLS for my system emails too.

Unfortunately postfix does not support port 465, so I had to configure port 587 in the /etc/postfix/master.cf file on the server side:

submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_req_ccert=yes

My client certificate is stored in a smartcard, but postfix does not seem to support smartcards, so I had to generate a new key and CSR on the client side just for this:

openssl req -new -nodes -keyout client.key -out client.csr -days 365

then sign the CSR on the server side:

openssl ca -config ca.conf -utf8 -out client.crt -infiles client.csr

After sending the certificate back to the client, I just added the key and certificate to the local /etc/postfix/main.cf:

relayhost = xxxxx.org:submission
smtp_use_tls = yes
smtp_tls_key_file = /etc/postfix/client.key
smtp_tls_cert_file = /etc/postfix/client.crt
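As an added example (not the post's own configuration; the relay name, CA path and fingerprint map file are assumptions), here are both sides of such a setup with the pieces that make the client certificate actually authenticate the sending host, and with the client verifying the relay in return, since smtp_use_tls = yes alone only means "use TLS if offered" and checks nothing about the server:

```ini
# --- Relay server, /etc/postfix/main.cf (assumed paths) ---
# Server certificate presented on the submission port.
smtpd_tls_cert_file = /etc/postfix/server.crt
smtpd_tls_key_file = /etc/postfix/server.key
# CA that signed the client certificates (the "openssl ca" CA above).
# Without it, smtpd_tls_req_ccert=yes can never verify a client cert.
smtpd_tls_CAfile = /etc/postfix/ca.crt
smtpd_tls_loglevel = 1
# Relay only for certificates whose fingerprint is listed, instead of
# permit_tls_all_clientcerts, which trusts every certificate the CA signed.
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
# smtpd_relay_restrictions exists since Postfix 2.10.
smtpd_relay_restrictions = permit_mynetworks, permit_tls_clientcerts, reject_unauth_destination

# --- Sending host, /etc/postfix/main.cf (assumed relay name) ---
# Brackets: connect to this host directly, no MX lookup.
relayhost = [relay.example.org]:submission
smtp_tls_cert_file = /etc/postfix/client.crt
smtp_tls_key_file = /etc/postfix/client.key
# "secure" requires TLS and a server certificate from the CA below whose
# name matches the relay, so the client key is never presented to an impostor.
# When this is set, smtp_use_tls is ignored.
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/postfix/ca.crt
smtp_tls_loglevel = 1
```

The relay_clientcerts file holds one line per allowed certificate, the fingerprint as printed by "openssl x509 -noout -fingerprint -sha256 -in client.crt" followed by any value, and must be rebuilt with postmap after editing. Postfix does not allow comments after a value on the same line, which is why every comment above sits on its own line.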