Static IP addresses for network printers

I had a call a couple of days ago from a company planning to sell some networked printers to a user site I oversee. The first I heard about it was a form from the supplier asking a few questions about the network; questions that suggested they expect to find a Microsoft small office plug and play kind of LAN. Time to get on the blower.

The question that worried me most was their demand for a static IP address, subnet mask and so on. Not happening; everything is on DHCP and managed centrally, for good reason. Kit like printers needs to auto-configure to the correct subnet depending on where it’s plugged in, and users will expect it to work. So why is anyone thinking of hard configuring the IP address at the printer?

The simple answer is that it’s the easy way, and in the bad old days it was the norm. It may even be necessary on a network controlled by a crude domestic router with a DHCP server that can only be configured to be “on” or “off”. If you’re printing from a Windows PC you need to set up a virtual printer port, and to do this you must supply the IP address of the physical printer, so just set a static one and plug this in when the driver configuration asks for it. Simple. If you’re Fred in a Shed, with two PCs and one shared printer.

If you’re playing with the big boys, you’re creating a world of pain by hard configuring printers, as you have to manually reconfigure each printer and EVERY PC in the company when you move it around on the LAN.

So what should you be doing instead? If your company (and/or its budget) is large enough you can get a point-and-click print server to manage the whole lot. I’ve found these a bit vendor-specific, and they only really do the job if they come with a wizard that understands all your printers and the LAN. Otherwise you’re going to have to get your hands dirty anyway. So for an SME with a savvy IT guy, there are two simple approaches that achieve the results you need without the fuss: NetBIOS and DNS. Leave the network printers stand-alone, as nature intended.

The easy option with Windows PCs is to use the NetBIOS name. Most fancy printers have one, and it’s usually programmable if you dig around in the menus. It can sometimes be hard to recognise, as it defaults to something akin to gibberish. You also have to enable NetBIOS on the printer if necessary, although in my experience most enable every protocol they know about by default. Once done, just use the NetBIOS name instead of the IP address in the virtual printer driver and you’re away – nothing more to do. The downside is that not everything understands NetBIOS/SMB/CIFS, although most UNIX systems can resolve them using Samba if necessary. And to be honest, Microsoft’s self-configuring peer-to-peer networking has always been a bit hit and miss. (Luser: “I can’t see xxxx!”)

A more complete solution is to use DNS. This obviously means you’re going to need a local DNS server, and also a proper DHCP server. If you want to get clever, have the DHCP server update the DNS with the host name associated with the IP addresses it’s just given out. This works in theory, but good luck in practice. However, there’s an easier way that is almost as good.


All you need to do is configure the DHCP server to issue fixed IP addresses when it gets a request from the MAC addresses of each of your printers. On GUI based DHCP servers this is often called “Bind IP to MAC” or similar. On dhcpd you just need a specific entry in the config file, such as:

host bigprinter1 {
    hardware ethernet 11:22:33:44:55:66;
    fixed-address 192.168.1.123;
}

Okay, this is giving it a fixed address, but all the fixed addresses are found in one file, along with the other network configuration stuff, and you don’t need to trail around to each printer (or even visit the site) to change it. And besides, this is never referenced in the printer or any of the workstations; they use a symbolic name.

To achieve this you need to add an A record for the printer at this address in your DNS zone file. e.g.:

bigprinter1 A 192.168.1.123

You don’t even need to use on-site DNS if you have a reliable Internet connection (or your domestic router has a caching DNS relay). Just go to the easy peasy web configuration thingy for your outside-hosted domain and add it. The fact that it’s a local, non-routing IP address won’t matter – people outside the building just won’t get what they’re expecting if they try to use it, but they shouldn’t be doing this anyway.

As a final point, it’s safer to make sure the NetBIOS name and the DNS hostname match, but it’s not essential.

Whichever method you use for the name lookup, just plug the NetBIOS name or DNS hostname in to the printer driver instead of a fixed IP address and you’ll never have to physically mess with the printer again – wherever the users choose to plug it in.
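Once you have more than a couple of printers, the dhcpd host blocks and the zone file drift apart unless something checks them. The script below is an added example, not part of the original post: it parses the host blocks out of a dhcpd.conf fragment and the A records out of a zone fragment (both constructed here in the style of the snippets above, with example.lan and the 11:22:33:… MACs as placeholders) and reports fixed addresses that disagree with DNS, that fall inside a dynamic range, or whose MAC is used twice.

```python
import ipaddress
import re

# Constructed sample fragments in the style of the post's snippets, not a real
# site's configuration: one dynamic range plus three fixed-address printers.
DHCPD_CONF = """\
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.200 192.168.1.250;
    option routers 192.168.1.1;
}

host bigprinter1 {
    hardware ethernet 11:22:33:44:55:66;
    fixed-address 192.168.1.123;
}

host bigprinter2 {
    hardware ethernet 11:22:33:44:55:77;
    fixed-address 192.168.1.124;
}

host bigprinter3 {
    hardware ethernet 11:22:33:44:55:88;
    fixed-address 192.168.1.210;
}
"""

# Zone fragment: bigprinter2 has drifted from dhcpd.conf, and bigprinter3 sits
# inside the dynamic range (both deliberate, so the checker has work to do).
ZONE_FILE = """\
$ORIGIN example.lan.
bigprinter1   IN  A  192.168.1.123
bigprinter2   IN  A  192.168.1.125
bigprinter3   IN  A  192.168.1.210
"""

HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{([^}]*)\}")
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9A-Fa-f:]{17})\s*;")
FIXED_RE = re.compile(r"fixed-address\s+([\d.]+)\s*;")
RANGE_RE = re.compile(r"\brange\s+([\d.]+)\s+([\d.]+)\s*;")
# Owner name, optional TTL, optional class, then an A record.
A_RE = re.compile(r"^([A-Za-z0-9._-]+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+([\d.]+)", re.M)


def parse_dhcpd(text):
    """Return ({host: (mac, ip)}, [(range_start, range_end), ...])."""
    hosts = {}
    for name, body in HOST_RE.findall(text):
        mac = MAC_RE.search(body)
        ip = FIXED_RE.search(body)
        hosts[name] = (mac.group(1).lower() if mac else None,
                       ip.group(1) if ip else None)
    ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
              for lo, hi in RANGE_RE.findall(text)]
    return hosts, ranges


def parse_zone(text):
    """Return {owner_name: address} for the A records in a zone fragment."""
    return {name.rstrip("."): ip for name, ip in A_RE.findall(text)}


def check(dhcpd_text, zone_text):
    """List every way the fixed leases and the DNS records disagree."""
    hosts, ranges = parse_dhcpd(dhcpd_text)
    records = parse_zone(zone_text)
    problems = []
    owner_of_mac = {}
    for name, (mac, ip) in hosts.items():
        if mac is None or ip is None:
            problems.append(f"{name}: host block lacks hardware ethernet or fixed-address")
            continue
        if mac in owner_of_mac:
            problems.append(f"{name}: MAC {mac} already assigned to {owner_of_mac[mac]}")
        owner_of_mac.setdefault(mac, name)
        addr = ipaddress.ip_address(ip)
        if any(lo <= addr <= hi for lo, hi in ranges):
            problems.append(f"{name}: fixed-address {ip} lies inside a dynamic range")
        if name not in records:
            problems.append(f"{name}: no A record in the zone")
        elif records[name] != ip:
            problems.append(f"{name}: dhcpd says {ip} but the zone says {records[name]}")
    return problems


if __name__ == "__main__":
    for problem in check(DHCPD_CONF, ZONE_FILE) or ["no problems found"]:
        print(problem)
```

Run it against the real files from cron and it complains before the users do. If the zone lives at an outside host, as suggested above, bear in mind that resolvers with DNS rebinding protection (dnsmasq’s stop-dns-rebind, Unbound’s private-address) silently drop upstream answers that point at private addresses, so test a lookup from a client behind the router before relying on it.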

Problems receiving mail from GMail – STARTTLS is a bad idea

Gmail Fail

Note: You may wish to read this follow-up article, which contains a solution.

A couple of weeks ago, users started complaining that people using GMAIL (and possibly iCloud) were having their emails bounced back to them from my servers. This is odd – most complaints on the Internet are from users of dodgy hosting companies having their mail rejected by GMail as likely spam. But I haven’t blacklisted Google, and all other mail is working, so they must have been mistaken.

But as soon as I could, I tried it for myself. And sure enough, a bounce came back. The relevant bit is:

Technical details of temporary failure:
TLS Negotiation failed: generic::failed_precondition:
               starttls error (0): protocol error

On fishing around in Sendmail logs, I found evidence that this has been going on all over the place:

sm-mta[84848]: STARTTLS=server, error: accept failed=-1, SSL_error=1, 
               errno=0, retry=-1, relay=mail-qg0-f50.google.com [209.85.192.50]
sm-mta[84848]: STARTTLS=server: 84848:error:1408A0C1:SSL
               routines:SSL3_GET_CLIENT_HELLO:no shared cipher:/usr/src/secure
               /lib/libssl/../../../crypto/openssl/ssl/s3_srvr.c:1073:
sm-mta[84848]: t7QJXCPI084848: mail-qg0-f50.google.com [209.85.192.50] did
               not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Oh my! The STARTTLS stuff isn’t working because there’s no shared cipher! Hang on a minute, there isn’t supposed to be. Who told Google they could use STARTTLS on port 25? It’d be neat if it worked, but it’s not configured – at least not with a certificate from a public CA. It actually works just fine if you are cool with self-signed (private) certificates. So what is Google playing at?

In the wake of Edward Snowden, people have started worrying about this kind of thing, so companies like Google are trying to be seen doing something about it, and encrypting mail might seem like a good idea. Unfortunately STARTTLS is a bad idea. The rationale behind STARTTLS was to add encryption to a previously unencrypted port’s traffic. If the sender issued a STARTTLS as part of the protocol it could switch into TLS mode if it knew how; otherwise it would just work as normal. The IETF was very keen on this in the late 1990s as an easy fix, citing all sorts of iffy reasons, generally to do with having two ports; one standard and one encrypted. They thought it would be confusing, requiring different URLs and not allow for opportunistic automatic encryption of the kind Google seems to be attempting.

As far as I’m concerned, this is rubbish. Having clearly defined encrypted and unencrypted ports means you know where you are. It either is or it isn’t. If you say something must be encrypted, turn off the unencrypted port. STARTTLS allows a fall-back to plain text if you specify the clear text port; and if you have a man-in-the-middle you’ll never know that the STARTTLS was stripped from the negotiations. It opens up a vulnerability that need not be there, all for the sake of saving a port. And time is on my side in this argument. Since 1999 the implementation of encrypted ports has really taken off, with https, smtps (in spite of 465 being rescinded), imaps – you name it – all servers and clients support it and you know where you are.

So what’s this sudden clamouring for the insecure STARTTLS? Naivety on the part of the large internet companies, or a plot to make people think their email traffic is now safe from snoopers when it’s not?

I’ve reported this problem and I await an answer from Google, but my best guess is that they’re speculatively using STARTTLS, and then barfing and throwing their toys from the pram when it doesn’t work because the verify can’t be done. Having thought about it, I’m okay with the idea of trying STARTTLS as long as you don’t mind about the CA used for the certificate; and if you can’t negotiate a TLS link, go back to plain text. In many ways it’d be better to use the well known port 465 for TLS, and if it can’t be opened, go to plain text on 25. Except there’s no guarantee that port 465 is on the same server as port 25, and it’s normally configured to require SASL authentication. As everyone knows, apart from Google it seems, assumption is the mother of all foul-ups.

Encryption is a good idea, but making assumptions about Port 25 being anything other than straight SMTP is asking for trouble.

 

Docker on FreeBSD

Docker is available on FreeBSD. Yeah! Er. Hang on a minute – what’s the point.

People are talking about Docker a lot in the Linux world. It’s a system that allows a configured piece of software, together with all its ancillaries, to be in its own closed environment on any machine you choose. It’s not a VM – no emulation required. Well not much. It’s much more efficient than running multiple kernels on a hypervisor (as with VirtualBox or VMware).

But isn’t this one of the things Jails are for? Well, yes. It’s a kind of poor-man’s jail system for the poor deprived Linux users. Solaris and FreeBSD have been doing this kind of thing for years with kernel support (i.e. out of the box and a lot more efficiently).

So why should anyone be interested that FreeBSD also has Docker? Well, one of the things the Docker community has put together is a collection of preconfigured applications you can just download and run. Given what a PITA it can be getting something running on a Linux box, which lacks a UNIX-like base system you can rely on, this does make sense. And running these pre-configured server applications on FreeBSD may be of interest, especially if you lack the in-house expertise to set them up yourself. But it won’t be all plain sailing. You need FreeBSD 11 (not yet released) to do it, together with the 64-bit Linux emulation library.

This does kind-of make sense. Stuff that’s currently Linux-only may be easier to deal with – I’m thinking Oracle here.

Spam from WH Smith?

Whoever next? We’ve intercepted a load of spam sent by French company EmailVision on behalf of WH Smith to honeypot addresses – i.e. definitely not opt-in and definitely not legal in the UK. EmailVision is getting quite a reputation for this kind of thing, with PayDay loan spam and suchlike. W H Smith – I’m surprised at you! Or perhaps I’m not.

Windows 10 – just say no

I’ve had a lot of people ask me about Windows 10. Here’s the simple answer: No thanks.

Apparently it’s a bit faster than Windows 7 on the same hardware, although I’m not convinced people who say this have tested it scientifically. In other words, it may have been faster as a clean install compared with a crufty old Windows 7 installation, and in theory it could have been written to be fundamentally faster, but actually writing code that’s more efficient than previous versions isn’t really Microsoft’s style. Although the new web browser (Edge) is promising. But will it still be faster when it’s fully functional (i.e. supports HTML5 and suchlike properly)?

That’s the good bit. Everything else is bad compared to Windows 7. Compared to Windows 8, yes, it’s better. That’s from a user’s perspective. From my perspective, it’s a big “no thanks” to the added spyware, telling Redmond exactly what you’re up to all the time, and the enforced software updates, which I have a nasty suspicion are going to end up mandatory even on the business (Pro) version. Basically I don’t see what Microsoft has done to restore any trust I once had in them.

If you’ve got Windows 7, stick with it. If you’re on Windows 8 it’s swings and roundabouts, but you might want to take a serious look at Linux instead.

Unfortunately, because this is Microsoft, there’s a good chance that we’ll all be forced to use Windows 10 whether we like it or not. They had the sense to keep Windows 7 for serious users when they rebelled against Windows 8; I somehow see them fighting hard to force the issue when it comes to Windows 10.

Stagefright on Android

This is a quick post as I’m a bit busy at the moment, but it’s worth saying something about this serious Android security flaw.

As I understand it, there is a buffer overrun problem with the decoder for MMS messages. On receipt and decoding of a specially crafted MMS an attacker can get control of the process, which on Android 4 or later means access to SD card data, your camera and microphone and other awkward stuff. On Android 2 they get the whole phone. I’ve yet to be convinced that this is a game-over type problem on Android 4, but it’s bad enough. On earlier versions of Android, it’s a complete disaster.
The solution, of course, is to get a software update from your phone manufacturer. Good luck waiting for that to arrive.

My advice in the meantime is to disable MMS messages completely. I do this by default, because I think they are ridiculously overpriced and there are plenty of other alternatives such as email or even Instagram (so I’m told by the teenagers hereabouts).

If you want to disable MMS, proceed as follows:

Go to phone settings. The last entry under Wireless and Networks will be More…

Here you will find “Mobile networks”, and under there will be “Access point names”. On dual SIM phones you will now have to choose each SIM in turn, otherwise you’ll go straight to a list of profiles. This list may contain only one entry.
Choose the entry that is selected, i.e. the one you are using. What you will find next depends on the version of Android you have. However, somewhere down the list there will be an MMS service centre URL, beginning with HTTP and looking like a web address. Simply delete the contents of this field, and while you are at it, remove the entry for MMS proxy if you have one. This tends to be a dotted quad, i.e. an IP address.

Just save this, and you will not be able to send or receive MMS messages from your phone.

Problems with Thunderbird 38.0.1 and SSL

Dead Thunderbird
Version 38.0.1 of Thunderbird is an ex-mail client. It has ceased to be.

Thunderbird used to be my mail client of choice, but suddenly I’m not so sure! The latest update on the release channel (version 38.0.1) seems to have broken completely when using self-signed certificates for SSL.

A self-signed certificate makes sense when you know you can trust it; otherwise you get a signing authority you do trust to verify your certificate (for loadsamoney). If you’re talking to your own servers, there’s no point in doing this as there are other ways to check you’re talking to who you think you are. Thunderbird used to warn you that it didn’t recognise a self-signed certificate the first time it saw it, but if you told it to go ahead anyway it would add it to the trusted list and go on encrypting your data for you quite happily.

Since “upgrading” to version 38 it suddenly stopped working. No more email. No more sending email. It just failed silently (that’s bad, for a start); the only clue was that I couldn’t send an email or copy it to the drafts folder.

On examining the logs at the server end I found stuff like this:

Jul  7 23:17:54  dovecot: imap-login: Disconnected (no auth attempts):
    rip=###.###.###.###, lip=###.###.###.###, TLS handshaking: SSL_accept() 
    failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Suspicious! So I turned off SSL in Thunderbird and it all worked again. This is NOT a sensible solution. Unfortunately, I have yet to solve this one, other than to simply not upgrade Thunderbird beyond 31.7.
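The sendmail entries in the GMail post above and the dovecot entry here are the same OpenSSL failure (1408A0C1, “no shared cipher”) seen from two daemons, and the useful question in both cases is which peers it affects and whether they then gave up or fell back. The script below is an added example, not part of the original posts: it pulls handshake failures out of both log formats, groups them by remote peer, and notes when a sendmail session that failed STARTTLS then issued no MAIL command at all. The sample lines are constructed from the page’s entries, unwrapped onto single lines, with a second Google attempt and one successful handshake added; the dovecot IPs, which the post redacted, are replaced with documentation addresses (198.51.100.x, 192.0.2.x).

```python
import re
from collections import defaultdict

# Sendmail spreads one failed session over three lines sharing a pid: the
# "accept failed" line names the peer, the next carries the OpenSSL reason,
# and "did not issue MAIL" means the peer closed without attempting delivery.
SM_ACCEPT_FAIL = re.compile(
    r"sm-mta\[(\d+)\]: STARTTLS=server, error: accept failed.*relay=(\S+) \[([\d.]+)\]")
SM_SSL_REASON = re.compile(
    r"sm-mta\[(\d+)\]: STARTTLS=server: \d+:error:([0-9A-F]+):SSL routines:(\w+):([^:]+)")
SM_NO_MAIL = re.compile(
    r"sm-mta\[(\d+)\]: \w+: (\S+) \[([\d.]+)\] did not issue MAIL")
# Dovecot puts the peer (rip=) and the reason on one line.
DOVECOT_FAIL = re.compile(
    r"dovecot: \S+-login: .*rip=([\d.]+).*SSL_accept\(\) failed: "
    r"error:([0-9A-F]+):SSL routines:(\w+):([^:]+)")

# Constructed sample log (timestamps and the second queue id are made up).
SAMPLE_LOG = """\
Aug 26 19:33:12 mx sm-mta[84848]: STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0, retry=-1, relay=mail-qg0-f50.google.com [209.85.192.50]
Aug 26 19:33:12 mx sm-mta[84848]: STARTTLS=server: 84848:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_srvr.c:1073:
Aug 26 19:33:12 mx sm-mta[84848]: t7QJXCPI084848: mail-qg0-f50.google.com [209.85.192.50] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Aug 26 19:41:05 mx sm-mta[84911]: STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0, retry=-1, relay=mail-qg0-f50.google.com [209.85.192.50]
Aug 26 19:41:05 mx sm-mta[84911]: STARTTLS=server: 84911:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_srvr.c:1073:
Aug 26 19:41:05 mx sm-mta[84911]: t7QJf5xx084911: mail-qg0-f50.google.com [209.85.192.50] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Aug 26 19:45:30 mx sm-mta[85002]: STARTTLS=server, relay=mail.example.net [198.51.100.20], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Jul  7 23:17:54 mx dovecot: imap-login: Disconnected (no auth attempts): rip=198.51.100.7, lip=192.0.2.10, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Jul  7 23:18:02 mx dovecot: imap-login: Disconnected (no auth attempts): rip=198.51.100.7, lip=192.0.2.10, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
"""


def summarise_tls_failures(lines):
    """Group TLS handshake failures by remote peer: how many, which OpenSSL
    reason(s), and how many sendmail sessions then sent no MAIL command."""
    peer_by_pid = {}  # sendmail pid -> "host [ip]" from its accept-failed line
    failures = defaultdict(lambda: {"count": 0, "reasons": set(), "abandoned": 0})
    for line in lines:
        if m := SM_ACCEPT_FAIL.search(line):
            pid, host, ip = m.groups()
            peer_by_pid[pid] = f"{host} [{ip}]"
            failures[peer_by_pid[pid]]["count"] += 1
        elif m := SM_SSL_REASON.search(line):
            pid, code, func, reason = m.groups()
            if pid in peer_by_pid:
                failures[peer_by_pid[pid]]["reasons"].add(f"{code} {func}: {reason.strip()}")
        elif m := SM_NO_MAIL.search(line):
            pid, host, ip = m.groups()
            # Only counts as abandoned when this very session failed its handshake.
            if peer_by_pid.get(pid) == f"{host} [{ip}]":
                failures[peer_by_pid[pid]]["abandoned"] += 1
        elif m := DOVECOT_FAIL.search(line):
            ip, code, func, reason = m.groups()
            failures[ip]["count"] += 1
            failures[ip]["reasons"].add(f"{code} {func}: {reason.strip()}")
    return {peer: {"count": v["count"], "reasons": sorted(v["reasons"]),
                   "abandoned": v["abandoned"]} for peer, v in failures.items()}


if __name__ == "__main__":
    for peer, summary in summarise_tls_failures(SAMPLE_LOG.splitlines()).items():
        print(f"{peer}: {summary['count']} failed handshakes, "
              f"{summary['abandoned']} sessions abandoned, {summary['reasons']}")
```

A peer whose abandoned count equals its failure count never fell back to plain text; those are the connections behind the bounces users report. The reason string is also the thing to quote when you raise it with the other side.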

Fortunately, you can still download the previous non-beta version from here (assuming Mozilla don’t move it). You actually want 31.7.0, because the intervening releases were betas, and 31.7.0 is as recent as May 2015 so it’s not ancient. Just navigate around the site if you don’t want the English version. Simply install it and everything comes back the way it used to be, or at least it did for me.

 

Update 15-Jul-2015:

It appears that Thunderbird may have decided not to accept TLS with less than 1024-bit DH keys without telling anyone. Even if they had mentioned it, there’s not a lot users can do about it. This means that if you’re using a 512-bit key (which is considered export-grade) then it’s going to refuse to talk. Worse than that, it doesn’t pop up a message saying WHY it’s not going to talk. It’s just going to fail the connection. Presumably, as my friend Graham put it, this indicates that the Thunderbird open-source developers are hoping to get a job with Apple.

I hope this nonsense will be resolved in 38.1! In the mean time, turn off auto-update.

Update 30-Jul-2015:

I’ve now updated the server certificates so they’re in-date (which doesn’t actually matter), and made sure they were 1024-bit (which they were), and apart from upsetting everyone who has had to accept the new certificate, Thunderbird still barfs.

Update 15-Aug-2015:

It gets worse – there has been an update to the 31.x branch to 31.8.0, and this has the same problem. Use the link above and make sure you’re using 31.7.0.

 

Does the iZettle card reader work on Android 5.0 (Lollipop)?

The iZettle card payment system is well worth a look. The company is very SME friendly, unlike the traditional card handlers. There’s no standing charge or transaction charge and their percentage cut is fair.

Unfortunately they’re all Apple Fanbois, in spite of Android having 90% of the mobile market, and functionality on the most important platform lags. Everyone complains about it. But they’re such nice people when I speak to them on the phone, I still like them.

One case in point is that iZettle have finally launched a contactless reader. Yeah! Unfortunately the contactless feature only works on Apple, although my sources say that an Android upgrade is in development.

The contactless reader replaces the bluetooth-connected Pro version. In fact it’s the Pro version with an NFC reader built in, and it costs an extra £10, at £80+VAT (bargain).

If you’re a real tightwad there’s the £30+VAT (or free) blue keypad, which is actually quite a solid piece of kit, but it connects to the device using the headphone connector and modulates its data with bursts of audio carrier (from listening to it). What could possibly go wrong?

Well, having tried it with Android 5.0 (Lollipop) I can tell you that it’s not going to work beyond Android 4.x until they fix the App. Version 2.5.1 of the iZettle App was supposed to support Lollipop, but take it from me, the support is far from complete.

Bluetooth Reader does work

I gave up and ordered the Reader Pro Contactless, the current bluetooth-connected unit, and I’m happy to report that it seems to work perfectly. I was up and running within a minute; just pair it and off you go. For what it’s worth, this was with a Doogee DG700 with Android 5.0. iZettle is planning to release an update so it will make contactless payments, and (in theory), this will work.

Note that iZettle replaced the Reader Pro with the Reader Pro Contactless recently. They look the same. I have a hunch the older one will also work.

 

Web developerz

Another in my occasional series of desperate sales pitches:

A friend said his company web site looked a bit sad. It is a bit dull. There’s not much in the way of product photos, only soothing words. I’m not one for the pictures-with-everything craze, but in this case an illustration would be worth a thousand words.

“Get some proper photography done, and I don’t mean iPhone snaps. That’s all you need.”, I said.

A few days later, after talking to his prospective web developer, he came back with the following:

“…I have told that using iphone pictures is good internationally since the pixel number is lower [which means web pages] loading quicker”

Malware claiming to come from Transport for London

I often get Transport for London information messages. I suspect a few million people in London do. But until just now, I’ve not seen it used as a malware distribution trick. Here’s what they look like:

Received: from [80.122.72.234] ([80.122.72.234])
	by  (8.14.4/8.14.4) with ESMTP id t5QAj0ns002218
	for ; Fri, 26 Jun 2015 11:45:01 +0100 (BST)
	(envelope-from noresponse@cclondon.com)
Date: Fri, 26 Jun 2015 12:45:04 +0200
From: 
Subject: Email from Transport for London
To: 
Message-ID: 
MIME-Version: 1.0
Importance: Normal
X-Priority: 3 (Normal)
X-Mailer: SAP Web Application Server 7.00
Content-Type: multipart/mixed;
 boundary="=_5557BCCC15D34570E10080000A82A3EC"
Envelope-To: 


--=_5557BCCC15D34570E10080000A82A3EC
Content-Disposition: inline
Content-Type: text/plain;
 charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Content-Description: Email from Transport for London


Dear Customer,

Please open the attached file to view correspondence from Transport for
London.

If the attachment is in DOC format you may need Adobe Acrobat Reader to
read or download this attachment.

Thank you for contacting Transport for London.



Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

This email and any attachment are intended solely for the addressee, are s=
trictly confidential and may be legally privileged. If you are not the int=
ended recipient any reading, dissemination, copying or any other use or re=
liance is prohibited. If you have received this email in error please noti=
fy the sender immediately by email and then permanently delete the email.
______________________________________________________________________
--=_5557BCCC15D34570E10080000A82A3EC
Content-Disposition: attachment;
 filename="AP0210932630.doc"
Content-Type: application/doc;
 name="AP0210932630.doc"
Content-Transfer-Encoding: base64
Content-Description: AP0210932630.doc

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAJwAAAAAA

The file attachment is a dodgy Microsoft Word document, unknown to malware scanners, and in spite of the faulty English it’s unlikely that Bayesian analysis will think it odd, although the SPF records don’t match and the IP address is currently flagged as slightly dodgy with no reverse lookup. It belongs to Telekom Austria, and I suspect it’s NOT a botnet at this time.
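The facts that matter in a message like this are recoverable from the headers and the attachment itself without opening anything: the connecting IP recorded by your own MTA, the envelope sender versus the From: header, and what the attachment really is, judged by its first bytes rather than its name. The base64 above starts “0M8R4KGx…”, which decodes to D0 CF 11 E0 A1 B1 1A E1, the OLE2 compound-document magic of a legacy binary .doc. The script below is an added example, not part of the original post: it rebuilds the message from the quoted headers (fields the post left blank are filled with obvious example.invalid placeholders, and a 32-byte OLE2 header stands in for the real attachment, all constructed here) and runs that triage.

```python
import base64
import re
from email import message_from_bytes
from email.utils import parseaddr

# OLE2 compound-document magic (legacy .doc/.xls). In base64 it encodes as
# "0M8R4KGx…", which is exactly how the attachment quoted in the post begins.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed sample: the post's headers, with the fields the post left blank
# filled by placeholders (example.invalid), and a short OLE2 header standing in
# for the real attachment.
BOUNDARY = "=_5557BCCC15D34570E10080000A82A3EC"
ATTACHMENT = OLE2_MAGIC + b"\x00" * 16 + b"\x3e\x00\x03\x00\xfe\xff\x09\x00"
SAMPLE_MESSAGE = (
    "Received: from [80.122.72.234] ([80.122.72.234])\r\n"
    "\tby mx.example.invalid (8.14.4/8.14.4) with ESMTP id t5QAj0ns002218\r\n"
    "\tfor <user@example.invalid>; Fri, 26 Jun 2015 11:45:01 +0100 (BST)\r\n"
    "\t(envelope-from noresponse@cclondon.com)\r\n"
    "Date: Fri, 26 Jun 2015 12:45:04 +0200\r\n"
    "From: noresponse@cclondon.com\r\n"
    "Subject: Email from Transport for London\r\n"
    "To: user@example.invalid\r\n"
    "MIME-Version: 1.0\r\n"
    "X-Mailer: SAP Web Application Server 7.00\r\n"
    f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n'
    "\r\n"
    f"--{BOUNDARY}\r\n"
    "Content-Disposition: inline\r\n"
    'Content-Type: text/plain; charset="us-ascii"\r\n'
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "Dear Customer,\r\n"
    "\r\n"
    "Please open the attached file to view correspondence from Transport for\r\n"
    "London.\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: attachment; filename="AP0210932630.doc"\r\n'
    'Content-Type: application/doc; name="AP0210932630.doc"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(ATTACHMENT).decode("ascii") + "\r\n"
    + f"--{BOUNDARY}--\r\n"
).encode("ascii")

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ENVELOPE_FROM = re.compile(r"envelope-from\s+<?([^\s<>()]+)")


def triage(raw: bytes) -> dict:
    """First-pass triage: where it came from, who it claims to be from, and
    what each attachment really is, judged by magic bytes rather than name."""
    msg = message_from_bytes(raw)
    received = msg.get_all("Received") or []
    # The topmost Received header is the one our own MTA wrote; the bracketed
    # address in it is the peer that actually connected, which the sender
    # cannot forge (unlike everything below it).
    ip_match = RECEIVED_IP.search(received[0]) if received else None
    env_match = ENVELOPE_FROM.search(received[0]) if received else None
    report = {
        "origin_ip": ip_match.group(1) if ip_match else None,
        "envelope_from": env_match.group(1) if env_match else None,
        "header_from": parseaddr(msg.get("From", ""))[1],
        "attachments": [],
        "flags": [],
    }
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True) or b""
        info = {
            "filename": part.get_filename(),
            "declared_type": part.get_content_type(),
            "size": len(data),
            "is_ole2": data[:8] == OLE2_MAGIC,
        }
        report["attachments"].append(info)
        if info["is_ole2"]:
            report["flags"].append(
                f"{info['filename']}: OLE2 binary Office document (can carry VBA macros)")
        if info["declared_type"] == "application/doc":
            report["flags"].append(
                f"{info['filename']}: unregistered MIME type application/doc "
                "(Word's registered type is application/msword)")
    if report["envelope_from"] and report["header_from"] \
            and report["envelope_from"] != report["header_from"]:
        report["flags"].append("envelope sender and From: header differ")
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Feed it the raw message (`triage(open("sample.eml", "rb").read())`) and the origin IP is what to look up against reverse DNS and blocklists, while the attachment findings are what to quote when reporting it. Checking the magic rather than the filename matters because a “.doc” that is really an RTF or a ZIP (a macro-bearing .docm) needs a different response.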

If anyone else has received one, I’d be interested to know! I let TFL know, and, refreshingly, got through to the right people and they took the matter seriously. This is hardly ever the case, so my feelings for TFL have gone up several notches!