Posted on April 16, 2021 @ 09:51:00 AM by Paul Meagher
Last night I upgraded webserver software that hosts these sites and encountered some upgrade issues that caused my email systems not to work for awhile. The websites were up but it took about 6 hrs to resolve the email issues. Quite frustrating but I did manage to learn a few things that I figured I would share.
1) If you upgrade webserver software and run into a problem getting it working again, there is a good chance that some new security feature of the software is the cause.
2) One piece of the email system software that was upgraded failed because the keys used for authentication were too short. A config file setting for the software allowed you to specify the number of bits to use for the cryptographic keys. The number of bits was too small so I had to increase the number of bits to use to a higher recommended number. I also had to generate new keys using new crypto algorithms that the upgraded software provided. Once I did this, the email system software would now startup because the new cryptographic security requirements were met.
3) Another piece of the email system software that was upgraded failed because you have to sanitize user emails in a new way in the "router" module before you can hand the email data to the "transport" module. The old way I was doing things involved sending "tainted" data to the transport module. So I had to rewrite the "routers" section of the config file so it "untainted" the email data before handing it off to the "transports". The transport configs had to be revised as well to use new untainted variable names.
My objective when I upgraded the webserver last night was to simply run newer versions of the software using existing configs. I believed that simply upgrading the software would lead to upgrading the security because I would be running newer versions of the software. Newer versions of the software often address security vulnerabilities in the older versions. In the case of upgrading webserver software, however, the old settings you currently have may not be compatible with the way developers and maintainers of the newer version of the software want it to run so you may have to dig back into your config files and change some settings and perhaps generate more secure keys to actually upgrade the security aspect of the software.
If you can endure frustration for a few hours and solve your problems, you will often come out the other end with some new and useful ideas you didn't know before. When you are banging away on a problem at 2:30 am in the morning, you are often not thinking about the value of frustration, although sometimes I do in fact remind myself of the learning value of frustration and it does help to calm your nerves and keep you working productively on the problem. What I took away from my frustration was that we all talk about the need for increased
cybersecurity but what does that mean? Well three things it means is using better cryptographic algorithms in your software, making sure to properly sanitize (or "untaint") all data coming into your programs before you use them, and anticipating that when I upgrade software in the future that some old configs might conflict with a more secure way that the
newest version of the software wants to run. My frustration has given me a new appreciation for cybersecurity and a desire to keep more up to date on certain aspects of it.