dblsaiko

Mirror’s Edge Catalyst-ass computer

Hm, okay, that does sound like the real client IP will get lost and every connection will appear to come from the proxy then. It would be good if that were passed somehow. My current setup adds the X-Forwarded-For header for example.

Oh interesting, I’ll have to look into that. Is this with that “proxy protocol” I’ve seen mentioned? If not, does this preserve it pass through the client socket address?

Tbf, technically data is still decrypted at the reverse proxy and then re-encrypted. So if someone manages to reconfigure the proxy or read its memory somehow they could read traffic in plain text.

However then since they have to control the VPS, they could also get a new cert for that domain (at least the way I’ve configured it) even if it was passed as is to the real host via a tunnel and read the plaintext data that way, so I don’t think a tunnel protects against anything.

If someone manages to get root (!) access on this VPS it’s over either way.

Yes, you can just use a reverse proxy for IPv4 only and point it to the IPv6 upstream. That is what I do, with a separate DNS record which then combines the two. See the DNS records for id.knifepoint.net (CNAME), http.vineta.knifepoint.net (AAAA, A) and vineta.knifepoint.net (AAAA).

The reverse proxy config and certificate management is set up with NixOS, if it helps: https://git.dblsaiko.net/systems/tree/nixos/defaults/v4proxy.nix https://git.dblsaiko.net/systems/tree/nixos/modules/sys2x/v4proxy.nix

Two different rDNS names, for stuff that uses it. For example if you want to run mail and an IRC bouncer under different domain names.

Tbh I haven’t had too many problems with Postfix – however it is certainly a footgun and it would be nice to have fewer parts to connect together, and better defaults. I might try it out, it looks interesting.

From its web page it sounds like it is both a MTA and MDA, has a built-in spam filter, plus has calendar, contacts and file storage. Do you know how it compares to my current setup of Postfix, Dovecot, and rspamd (and Nextcloud for the others)?

I’m partially very sad but also kinda glad that I never got to use 10.4 or other previous versions (first one I used was Ventura). The more I hear about it, the more it sounds like I would have absolutely loved it and would be incredibly mad right now at the changes they made since.

I might give you Windows 7 on functionality, it has been forever since I used either. But definitely not design. 2000 has a UI that is consistent throughout, clear, and professional. It’s a masterclass in UI usability engineering. Plus it’s also heavily customizable if you want to do so. A lot of that was lost with Vista and some with XP.

AppImages are precompiled archives with extra steps. Meh. No, some of my problems with Flatpak are:

• it conflates app sandboxing with app distribution
• it mandates using bespoke APIs to work in sandbox mode instead of the established APIs (to the point where I’ve heard “we can’t implement X, it needs to work in Flatpak”)
• these APIs are often very Flatpak-focused but regardless become the standard for non-Flatpak because there is no existing alternative
• it ships its own builds of code that should be part of the system (for example, UI toolkits which would otherwise load global plugins, breaking stuff such as IME or themes)

Some of that (and why it’s necessary in the first place) is due to Linux’s incredible fragmentation and lack of an extensive backwards-compatible system API (such as macOS’s Cocoa), which causes a lot of other problems everywhere – but a lot of it is also self-inflicted. In fact, the massive focus on Flatpak and looking like that is the direction the Linux desktop is going was partly what drove me to try out a Mac.

My three operating system hills:

• Windows peaked with 2000 (design-wise) and XP (functionality-wise)
• macOS’ separation of the application vs window concepts — i.e. an app has exactly one menu bar and dock icon, and is expected to be able to stay open without any windows (without needing nonsense like tray icons) — is much better than anything else and it sucks nobody is copying it
• Flatpak and everything related is atrocious architecture-wise in every single way and it’s a massive condemnation of Linux (desktop)’s compatibility state that it actually solves a real problem

Carl Poppa

Holy shit, memories unlocked. Uploaded 10 years ago…

I’ll need to listen to all the others again.

Can you export it as an email archive file and copy it to a USB stick or upload somewhere accessible from your personal computer?

It sounds like you need a split DNS setup. systemd-resolved can do this for example. As soon as you need any sort of slightly more complex DNS setup using just resolv.conf isn’t going to cut it.

Ah okay, so you know some behind the scenes info or at least more than just this. My bad, but tbh you should have lead with that because initially I thought you completely misread what the text was saying because I pretty clearly read the queer mentions as “this is not just transphobic attacks by bigots” (see my other comment). Sorry!

There isn’t really, you can probably use sendmail as well. Postfix is just the MTA I’m used to and know can do all of this.

From what I’ve heard about sendmail’s config file, I personally wouldn’t want to use it specifically though…

Yeah, this should work (assuming by email client you mean MTA).

Alternatively, you can set up Postfix to deliver mail over SSH to another MTA by defining a new service in master.cf that calls sendmail on the destination server. This postfix could run in a container as well or on the host, whatever is reachable.

Old NixOS configuration for that here, see the default_transport and masterConfig parts: https://git.dblsaiko.net/systems/tree/modules/sys2x/mail/relay.nix?h=ssh-mail

Alternatively, if you don’t have another mail server somewhere that you want to relay to, the simplest option is probably to just have Postfix deliver into a local mailbox and access that over IMAP (the imaps port should not be blocked, right? You can use a non-standard port though). Turn off non-local delivery though.

I assume you’re talking about the iOS feature, which is pretty new, and they have their own photo selector UI which has existed before that. They probably just didn’t make it work well with limited access yet, Signal has a lot of small UX warts in general when it comes to system integration.

I didn’t say that. I would say it makes it much less likely though especially for someone who is openly trans and given someone who has text like “trans rights are human rights” on her web page. Of course it’s not impossible, but it would certainly be hypocritical and goes contrary to the vibe I’m getting from her.

You’re the first one who brought this up. Where is the context for what you are talking about? Which people are saying she’s a bigot?