[Newsletter] Low Stress, Samba and Extended Attributes,
Mail Relay Testing, Certificates in Java,
Network Solutions and Sub-domains
Paul Suh
paul.suh at ps-enable.com
Tue Apr 15 00:14:31 EDT 2008
Folks,
Short but lots of links this time.
Desktop Support is a Low Stress Job
--------------------------------------
Just for laughs -- I read it on the Internet so it must be true. Look
at the last of the 8 careers!
<http://education.yahoo.net/degrees/articles/featured_8_careers_to_help_lower_your_stress_meter.html>
E-mail Relay Testing
----------------------
I've been doing a lot of work on e-mail servers, and I wanted to make
sure that you know about a great resource to test if your mail server
is an open relay.
<http://www.abuse.net/relay.html>
This free service performs a dozen different tests and gives you
instant results. Note that it is not linked to from anywhere else on
the abuse.net website.
Certificates in Java
--------------------
Did you know that Mac OS X has not one, not two, but THREE (or,
depending on how you look at it, four) certificate stores?! If you
need to install a new root certificate or intermediate certificate,
you need to install them in the SystemRootsCertificates.keychain
(Leopard) or X509Anchors (Tiger) keychain, the Java cacerts
certificate store(s), and the /usr/share/curl/curl-ca-bundle.crt
certificate store.
I found this out when trying to import a new certificate that was
created using GoDaddy. It turns out that GoDaddy's certificates aren't
signed by their root certificate. Instead, they're signed by an
intermediate certificate, which is in turn signed by the GoDaddy root
certificate. As a result, I had to import the intermediate certificate,
but I was putting it into the X509Anchors, and wondering why a Java app
still wasn't accepting the new certificate. It wasn't until I did some
searching around that I found the Java cacerts file and keytool. This
intermediate certificate is yet another reason I'm not very happy with
GoDaddy, beyond their totally tasteless commercials.
For the System keychain, the procedure is:
1) Make sure that the certificate file has a filename extension
of .cer or .pem
2) Double-click on the file and Keychain Access.app will launch.
3) The dialog box will ask you which keychain to add it to -- select
the SystemRoots or X509Anchors keychain (depending on which version of
Mac OS X you're using) from the pop-up menu.
4) Enter your administrator username and password in the Authorization
Services dialog box that comes up.
The Java certificate store is located at
/System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts.
Note that there are *separate* stores for each version of the JVM,
1.4.2 vs. 1.5.0. You need to use the command line tool keytool (part of
the Java tool set) to import the certificate. The command looks like
this (it should be all one *long* line):
sudo keytool -import -alias "Certificate Authority Long Name" \
-file /path/to/certificate_file.pem -keystore \
/System/Library/Frameworks/JavaVM.framework/Home/lib/security/cacerts
For the /usr/share/curl/curl-ca-bundle.crt store, you can use a text
editor. Make sure the certificate is in pem format, and copy and paste
in the lines that start with "-----BEGIN CERTIFICATE-----" and end
with "-----END CERTIFICATE-----" (including those two marker lines) at
the bottom of the file.
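The same copy-and-paste step as a script, as an added example that is not
part of the original newsletter: it takes only the BEGIN/END block from
the certificate file, refuses files with no PEM block, skips a certificate
the bundle already contains, and keeps a .bak copy. The function names are
hypothetical.

```shell
#!/bin/sh
# Added example: append one PEM certificate to a CA bundle file.
# Function names are hypothetical. Point it at a copy of the bundle first;
# writing to /usr/share/curl/curl-ca-bundle.crt itself requires sudo.

# Print the first certificate block of a file, marker lines included,
# with any CR characters (Windows line endings) removed.
pem_block() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" |
        sed '/^-----END CERTIFICATE-----/q' | tr -d '\r'
}

# Returns 0 = appended, 1 = already present, 2 = no PEM block, 3 = backup failed.
append_pem_to_bundle() {
    cert=$1
    bundle=$2
    # Flatten to one line so the comparison ignores line wrapping.
    block=$(pem_block "$cert" | tr -d '\n')
    case $block in
        "-----BEGIN CERTIFICATE-----"?*"-----END CERTIFICATE-----") ;;
        *) echo "no PEM certificate block in $cert" >&2; return 2 ;;
    esac
    if tr -d '\r\n' < "$bundle" | grep -qF -e "$block"; then
        echo "certificate already in $bundle" >&2
        return 1
    fi
    cp -p "$bundle" "$bundle.bak" || return 3
    # Make sure the existing file ends with a newline before appending.
    [ -z "$(tail -c 1 "$bundle")" ] || echo >> "$bundle"
    pem_block "$cert" >> "$bundle"
}

if [ "$#" -eq 2 ]; then
    append_pem_to_bundle "$1" "$2"
fi
```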
Network Solutions and Sub-domains
--------------------------------------
Yet another evil behavior by Network Solutions. Remember a couple of
years ago there was a big flap over Network Solutions, Inc. (who run
the .com registry) diverting any domain that wasn't found to their own
website for registering a domain? E.g., if you typed in
"www.applw.com", NSI would divert your browser to a web page that
would try to get you to register that domain with NSI. Most people
considered that an abuse of their privileged position of running
the .com registry, and NSI soon gave it up. It also caused many
scripts to break, since DNS lookups are not used solely by web browsers.
Well, it seems like they're up to the same no-good tricks again. If
you have your DNS hosted through NSI and don't have a sub-domain or
host explicitly registered, NSI is now diverting the sub-domain to one
of their web pages.
<http://www.theregister.co.uk/2008/04/11/network_solutions_sub_domain_parking/>
Yet another reason to *not* host your domain or DNS through NSI.
--Paul
Paul Suh http://www.ps-enable.com/
paul.suh at ps-enable.com (240) 672-4212