Install exim4 STARTTLS using a free LetsEncrypt certificate

Here we are on a Debian-based Linux such as Ubuntu, and we want to run a mail server. Exim4 is currently the most popular mail server, but getting it up and working for free is a hassle: who wants to pay for an SSL certificate on an ongoing basis? And then there’s the maintenance of its security: constant renewal, revocation and re-installation of the certificates.

Wherever you see, swap in your Fully Qualified Domain Name. That may be
It’s assumed you’re not logged in as root, but as the user ubuntu.
Wherever you see, swap in your machine’s local IP address, from
ifconfig | grep "inet addr" | grep -v ""

Security is all handled automatically by LetsEncrypt’s certbot. I’ll let you look that one up yourself. Run it up and get your certificate for

Once you’ve got that handled, punch a hole in your firewall so that port 25 can get through from the outside world to your machine. Be aware: the outside world is full of botnets trying to hack into your machine. After installing exim, keep an eye on the logs in /var/log/exim4/ for a while.

Let’s install exim4:
sudo apt-get install exim4
sudo dpkg-reconfigure exim4-config

  • pick “Internet site”
  • system mail name is
  • IP address is (the one returned by ifconfig, not the externally accessible one)
  • Other destinations:
  • No relays
  • No smarthost
  • No Dial-on-Demand
  • mbox format (or whatever)
  • Split the files
  • ubuntu for postmaster mail

Check we’re now running a mail server:
sudo netstat -napt
should show
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0* LISTEN 25700/exim4

Now that we have a mail server, the world needs to find it. Check your nameserver settings to ensure mail is directed to this machine. You probably want only one MX record.

Check the Internet can send mail to our server. After allowing for the appropriate propagation delay for your nameserver changes, use gmail or something to send an email to – you should be able to read it by typing

Now it’s time to enable MTA-to-MTA link encryption for secure transport of mail, by enabling STARTTLS on exim4 using our LetsEncrypt certificate:
sudo nano /etc/exim4/conf.d/main/03_exim4-config_tlsoptions
Enable STARTTLS by adding/setting in the tlsoptions section:

before any of the IF shenanigans. Also add/replace pointers to the certificates:
tls_certificate = /etc/letsencrypt/live/
tls_privatekey = /etc/letsencrypt/live/

The MAIN_TLS_CERTKEY = no entry fixes this exim4 log message:
2017-04-16 09:13:24 TLS error on connection from (IcePlanet) [] (cert/key setup: cert=/etc/exim4/exim.crt key=/etc/exim4/exim.key): Error while reading file.
You will see this when testing with swaks:
$ swaks -a -tls -q HELO -s -au test -ap '<>'
=== Trying
=== Connected to
< - 220 ESMTP Exim 4.86_2 Ubuntu Sun, 16 Apr 2017 09:13:24 +0000 -> EHLO IcePlanet
< - Hello []
< ** 454 TLS currently unavailable *** STARTTLS attempted but failed -> QUIT
< - 221 closing connection
=== Connection closed with remote host.

Allow exim (which runs as the user Debian-exim) to read the certificates:

sudo groupadd privkey_users
sudo usermod -aG privkey_users Debian-exim
sudo chmod g+rx /etc/letsencrypt/live/
sudo chmod g+rx /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/live/
sudo chown root:privkey_users /etc/letsencrypt/live/

Changing these permissions doesn’t affect apache2’s ability to read them.
The reason we’ve used a group here is to allow both exim and any other app (for example, a secondary service that wants to use 8080 to serve up a configuration page) to access the private keys; just add any other user that needs to use the private keys to the privkey_users group.

These permission changes prevent the following error message in your log file:
2008-06-03 08:27:35 TLS error on connection from ([]) [] (cert/key setup: cert=/etc/ssl/certs/server.pem key=/etc/ssl/private/server.key): Error while reading file.

Restart the service and the TLS settings ought to be working:
sudo service exim4 restart
Test that STARTTLS is working from another machine:
swaks -a -tls -q HELO -s -au test -ap '<>'
There shouldn’t be any obvious complaining.
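To act on the “keep an eye on the logs” advice above, here is an added example (not code from the original post) that picks out the “TLS error on connection” lines quoted in this post and tells a not-yet-applied certificate pointer apart from a permissions problem. The log-line shapes follow the entries quoted above; the sample lines, host names, IPs and mail.example.org are constructed.

```python
"""Scan exim4 mainlog lines for TLS failures.

Added example, not code from the original post.  Log-line shapes follow
the entries quoted in the post; sample lines, host names and IPs below
are constructed.
"""
import re
from collections import Counter

TLS_ERR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) TLS error on connection from "
    r"(?P<peer>.*?) ?\[(?P<ip>[^\]]+)\](?: \((?P<stage>[^)]*)\))?: (?P<reason>.*)$"
)
CERTKEY_RE = re.compile(r"cert/key setup: cert=(?P<cert>\S+) key=(?P<key>\S+)")

# Debian's packaged self-signed certificate paths (from the 2017 log line in
# the post).  Seeing them after pointing exim at LetsEncrypt means the
# tlsoptions change (MAIN_TLS_CERTKEY = no, tls_certificate, tls_privatekey)
# has not taken effect.
PACKAGED_CERT = "/etc/exim4/exim.crt"
PACKAGED_KEY = "/etc/exim4/exim.key"


def parse_tls_error(line):
    """Return a dict for a 'TLS error on connection' line, else None."""
    m = TLS_ERR_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    ck = CERTKEY_RE.search(rec["stage"] or "")
    rec["cert"] = ck.group("cert") if ck else None
    rec["key"] = ck.group("key") if ck else None
    return rec


def diagnose(rec):
    """Map one parsed error to the fix the post describes."""
    if rec["cert"] is None:
        return "handshake failure"          # peer-side or protocol issue
    if rec["cert"] == PACKAGED_CERT or rec["key"] == PACKAGED_KEY:
        return "packaged cert still in use: set MAIN_TLS_CERTKEY = no and the tls_* paths"
    if "reading file" in rec["reason"]:
        return "cert/key unreadable by Debian-exim: check privkey_users group and perms"
    return "other cert/key setup error"


def summarize(lines):
    """Count TLS errors by diagnosis and by peer IP over an iterable of lines."""
    errors, by_diag, by_ip = [], Counter(), Counter()
    for line in lines:
        rec = parse_tls_error(line)
        if rec is None:
            continue                        # not a TLS error line; ignore
        rec["diagnosis"] = diagnose(rec)
        errors.append(rec)
        by_diag[rec["diagnosis"]] += 1
        by_ip[rec["ip"]] += 1
    return {"errors": errors, "by_diagnosis": dict(by_diag), "by_ip": dict(by_ip)}


# Constructed sample log; "mail.example.org" stands in for your own FQDN.
SAMPLE_LOG = """\
2017-04-16 09:13:24 TLS error on connection from (IcePlanet) [203.0.113.5] (cert/key setup: cert=/etc/exim4/exim.crt key=/etc/exim4/exim.key): Error while reading file.
2017-04-16 09:15:02 TLS error on connection from (IcePlanet) [203.0.113.5] (cert/key setup: cert=/etc/letsencrypt/live/mail.example.org/fullchain.pem key=/etc/letsencrypt/live/mail.example.org/privkey.pem): Error while reading file.
2017-04-16 09:20:01 TLS error on connection from mail.example.net [198.51.100.7] (gnutls_handshake): The TLS connection was non-properly terminated.
2017-04-16 09:21:10 SMTP connection from [198.51.100.7] (TCP/IP connection count = 1)
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)       # in real use: open("/var/log/exim4/mainlog")
    for diag, n in report["by_diagnosis"].items():
        print(f"{n:3d}  {diag}")
    for ip, n in report["by_ip"].items():
        print(f"{n:3d}  from {ip}")
```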


Cheap passport photos using The Gimp and 10c printing

Australian Passport requirements are specified by Border Force.  The step that’s most avoidably expensive is the generation of compliant photographic representation of the individual (at $17-$20 per person).

The fun part is that the published instructions say the “face size” (the skin-visible bit of your head, so from your hairline down to your chin) needs to be between 32mm and 36mm; to allow for the vagaries of conversion we’re going to shoot for exactly 34mm. The passport application form talks about the “chin to crown measurement” being in this range, and the bit where you stick the photo on implies that the chin-to-hairtop has to fit in the image; which one will be enforced is up to the interviewing officer and may lead you to tears. I ended up taking two scaled images and let the officer choose. The top we’ll measure to I’ll call “head top”.

Take your appropriately posed and positioned photograph. Don’t crop too aggressively: there’s plenty of pixels in modern photographs, and you can’t add “more person” if you got the ratios wrong.

Load the photo into the Gimp.

Find out how many pixels there are from the chin to headtop by picking Tools | Measure and measuring as close to vertically as you can between these two features. I got 1573 on my image.

Whip out your calculator and divide this by 68% (34mm face height/50mm image height), getting you the number of pixels high your image needs to be to make 50mm – 2313 in my case. The width is 80% (40mm image width/50mm image height) of this number – I get 1850.  Photographs nowadays typically use square pixels.

Now for the image we’re going to paste into. Standard photographs are 6″x4″, or about 152mm x 101mm – let’s call it 150×100. So select File | New, with a size double the height of the cutout, and a width of triple the height of the cutout – mine was 4626 x 6939.

Now we’ll put some guidelines on to help us place accurately. Select Image | Print Size... and put in 6″x4″ (Once you put in the 6″, the 4 should magically fill itself in). Pick View | Show Grid and View | Snap to Grid. Select Image | Configure Grid... and set up a 5mm x 5mm grid. There should be a lot of 5mm boxes on your image now.

Switch to your photograph.

Now check Windows | Dockable Dialogs | Tools Options has got a dialog up, and pick Tools | Selection Tools | Rectangular Select. On the options dialog (which may need resizing so you can see all the options), check Fixed and pick Size from the accompanying drop-down. Enter the dimensions you’ve calculated.

Now select your face, and copy it. Switch to the new image, paste in your face, and position it. You ought to fit three across, and two down. Six passport photos for 10c! Yay!

Suppose you’re doing two different faces on the one photograph (or more!). Once you’ve gotten as far as doing the calculations for the second image (what are the chances you’ll get the same framing of the face?) and then copying the face, stop. Instead of pasting it into the printable image, pick Edit | Paste As | New Image. Pick Image | Scale Image, ensure Width and Height are locked with a chain symbol, then enter the Height of your original face (2313 in my case). If everything is going hunky-dory, the calculated width will match the new width in the dialog. Press the Scale button, Select | All, copy the image and paste it into your printable image, then position appropriately.

Now, to print out you’ll need a JPEG. Select File | Export, type in a filename ending in .jpg and you’re set. Take to your local Officeworks/Harvey Norman, and 10c later you’ve got your Australian passport photos.

Windows 10 close desktop: default action

In previous versions of Windows, they made it easy to change the default power option to be Log Off. This is handy for me – we tend to leave our PCs on, but logged off most of the time (with the power settings such that they put themselves to sleep).

Not so in Windows 10. If you Alt-F4 (close window) on the desktop, it’ll default to Shut down.

Worse, they’ve renamed all the options so that you can’t use a letter as the initial for Log Off. S now stands for not just Switch User and Sleep, but also Sign Out and Shut Down!

Thankfully there is a way to change the default. It involves going into the Registry.

  • Go to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • If it doesn’t already exist, create a DWORD Start_PowerButtonAction
  • Defaults are as follows (in decimal): 1 = Sign out, 2 = Shut down, 4 = Restart, 16 = Sleep, 64 = Hibernate, 256 = Switch user

Beats me why they didn’t build that into the UI somewhere.

Unfortunately it doesn’t affect the Start / Power button.

For ease of use, we also created a prominent Log Off short cut on the desktop/Start menu, pointing to:

C:\Windows\System32\shutdown.exe -l

(That’s a lowercase L)

Logitech Harmony 650 universal remote

I bought myself a Logitech Harmony 650 universal remote, $59 at Officeworks (RRP $89.95).

The packaging and some of the promotional material says it replaces 5 remotes, but it’s had a firmware upgrade and now replaces 8, so I think it’s pretty good value.

Although Logitech sells a range of remotes, I decided $59 was a sweet spot for what I wanted to do. This model can’t control Bluetooth devices such as the Wii U, or those controlled via WiFi/LAN such as Sonos — you’ll need to spend up on a more complex model for that, but personally I couldn’t justify the $240+ investment.

To set it up you plug it into a PC/Mac and install a setup program which guides you through it. All pretty easy, and even works with my obscure no-name PVR.

Curiously it didn’t recognise my Panasonic Blu-ray player, but it made an educated guess as to what IR sequences would match, and that worked well.

It lets you set up Devices, then group them into Actions (eg Watch a Blu-ray: turn on the Blu-ray player, turn on the TV, switch it to AV, turn on the Receiver, switch it to HDMI1/Blu-ray).

The defaults for some of the actions are a bit odd, for instance the menu navigation for Watch a Blu-ray turned out to default to navigating the TV menus. This can be overridden to a more logical setting.

One issue I’ve noted: the TV takes a really long time to start up… easily 10-15 seconds to be ready for viewing. It looks like the remote doesn’t allow enough time before changing to the appropriate input/channel, and the TV misses this step. You can insert delays in some parts of Activity sequences, but it appears not here.

Clone to a bigger drive, and convert MBR to GPT

I wanted to partly upgrade Windows to a new drive.

Currently, Windows itself and Program Files are on C: drive, which is an SSD (which I meant to blog about in detail, but never got around to), and documents are on D: drive (which was the tricky bit of the SSD upgrade: to do it properly involves using SysPrep with an Unattend.xml configuration file that tells Windows that documents will live on D: not C:). This article describes it in detail.

Anyway that’s really irrelevant to the problem at hand, which is that D: drive had run out of space. Here’s a brief description of what I did:

  • The new drive is a 4 Tb drive, replacing a 1 Tb drive.
  • Plug the new drive in, use Clonezilla to clone the old D: onto the new drive. Following the detailed instructions, this all went pretty smoothly.
  • But… the catch is the old drive was formatted in MBR, which has a limitation of 2 Tb. For beyond that, you need GPT.
  • I looked around for tools to convert the drive. It’s easy if you’re prepared to wipe it, but I wanted to preserve the data I’d just moved across. Finding ways to do it without wiping everything was tricky, but I settled on the free version of MiniTool Partition Wizard. This has an easy-to-understand interface, and did the job.
  • Once that MBR is converted to GPT, you can enlarge the partition to make the whole drive available.
  • Unplug the old drive, move the new one into the same slot as the old (this is on a Mac Pro booting in Windows Bootcamp) and it works. Done!

PS. Similar exercise afterwards shuffling the OS X partition from a 320 Gb drive to the old 1 Tb. That required GParted, as it seems the GPT partition couldn’t be expanded due to a formatting issue (which GParted helpfully offered to fix as it started up) and another small 600 Mb partition being in the way — not sure what it is, but it seems to be essential for booting OS X — GParted was able to move it to the end of the disk.

Viali VCCG90SS and VCCG60SS rangehood installation instructions

As the current home reno project is a kitchen rebuild (walls added and removed, nothing left behind – it’s dramatically more than a remodel) the first step followed was to acquire all the appliances (constructing the kitchen and then finding the oven that you’ve got a very specific sized hole made for is “no longer available” would be… disappointing).

One of the acquisitions was two Viali VCCG90SS rangehood extractor units, one for each cooktop. Noise during operation, rated capacity and acquisition cost all seem acceptable. The instruction manual seems, at first glance, fabulous: large, clear font, line drawings giving unit dimensions, step-by-step installation images and all in a matte A4-sized, easy-to-read format.

When you actually read the instruction manual with the intent of following the instructions for installation, that’s when you run into some difficulties. Let’s be clear: I’ve installed a couple of ducted extractor fans in the past, so rangehoods are not some unknown quantity for me. This is not my first rodeo. I consider myself handy, I’ve installed kitchens from the ground up. I’ve spent quite some time puzzling over this booklet, I’ve searched the Interwebs, I’ve really battled with this.

I will now try to explain how the heck you’re meant to install this Viali rangehood, because the shipped instructions sure don’t. Perhaps I’ll do it via annotation.

Install updates and shutdown actually means start updating, then shutdown part way through

Last night my laptop said it wanted to install updates. So when I’d finished using it, I chose “Install Updates and Shutdown”, thinking it would be all finished and ready to go in the morning, right?

Wrong. When I started it back up this morning, it proclaimed that it was 1% through the updates, and “This will take some time.”

It took almost an hour to get through everything, but finally it got to the log on screen.

At that point I had to do something else, so I shut it down again. Later I booted it back up, logged on, and … more delay, as it went through a protracted “Getting things ready” phase.

Maybe this is a rarity given this is apparently the Windows 10 “Anniversary Update“, which brings a whole bunch of new functionality — none of which, so far, I think I actually need.

But the lesson for next time is to use “Update and Restart” (which truly is something Windows 8 and 10 have over Windows 7) rather than “Update and Shut down”, which clearly doesn’t do what I thought it would do.

Compress PDF files

Just a quick mention of a cool online tool I found…

I was about to email off a PDF (that I hadn’t created myself) to a discussion list when I noticed it was 6 Mb… which seemed a tad excessive.

Digging around I found SmallPDF, which can shrink them down. It got down to 1.2 Mb, with no noticeable loss of detail/fidelity.

SmallPDF is free for two files per hour, with no watermarks, or USD$6 a month for unlimited, and they have a few other related PDF functions such as file conversions.

Worth a look if you need to do something like this.

LG TV insists on turning itself off

We’ve got an LG TV being used in the office for displaying system information from a Raspberry Pi plugged into the back. The Pi is powered via USB from the TV.

We’ve used the timer to get it to switch on at 6am on weekdays, off at 5:45pm, reflecting the hours people are in the office.

It was consistently switching itself off at the wrong time, exactly two hours after it came on.

Turns out it’s a long-running bug in LG televisions.

In the forum, some found if they could get into the service menu, they could remove the 2 hour sleep setting.

Others found setting it to “hotel mode” would disable all timers – in our case this would waste a lot of power though.

New laptop – bloatware to remove

My old laptop was old when I got it, and I just realised that was four years ago. I tried to breathe a little more life into it by putting Linux on it… with some success, but I’ve got some stuff I need Windows for, and that crawls along these days.

So I bought a new cheap laptop, for web and email use (definitely not an attempt at a desktop replacement)… a Lenovo B41-30.

Vital stats: A$299 (which seems to be an okay price; apparently it’s $100 off) from Centrecom. 14 inch screen. Celeron N3050, 1.6 GHz, 2 cores. 500 Gb hard drive. Intel graphics. Windows 10 (x64).

Only 2 Gb RAM, but I’ve paid A$35 for a 4 Gb stick – why wouldn’t you? Unfortunately it only likes alike sticks in the two slots, so the original 2Gb had to come out. Perhaps I might put another 4 in there to make it 8. You can always do with more RAM, right?

Anyway, after setting it up, here’s the bloatware I’ve removed:

  • BT Locker – locks your computer if your phone is too far away, using Bluetooth I assume
  • Cyberlink Power2Go – for ripping CDs and DVDs… not actually very useful on a laptop with no optical disc player.
  • PowerDVD – DVD/media player – ditto.
  • McAfee LiveSafe
  • AppExplorer – recommends apps to install – all I want on this thing is the basics. I certainly don’t want it being clogged up with extra apps.
  • Lenovo Solution Center
  • Lenovo ReachIt
  • Lenovo ShareIt

That’s all for now. It’s running at an acceptable speed.

Scammers making use of Telstra landline bug – part 4

It is a good idea to keep your computer systems up-to-date, by installing the latest software fixes. But there is one fix that Telstra needs to request and install, to fix a bug lurking on Telstra’s landline telephone system which scammers are making use of.

This is Part 4 of 4 of Scammers making use of Telstra landline bug.

  • To learn about the scam, read Part 1
  • to learn more about testing your landline and protecting yourself, read Part 2
  • To find out how I became an unwitting victim 21 years ago, read Part 3.

Here, we explore some myths and facts about this bug, and I have some requests for information (please comment if you can answer any of the questions).

Facts and myths

Fact: Scammers can intercept calls you make (shortly after they call you).
Myth: They’re intercepting all calls that everyone is making to 000, or the bank.
The truth: there’s been a few crimes like this in the past (against radio stations), but not this time. Only one person’s calls get intercepted.

Fact: An evil caller can control your landline, preventing you from making calls, for up to five minutes.
Myth: Scammers can make calls to sex lines in Nigeria from your line.
The truth: They cannot; if you see such calls on your bill, it was probably a family member or employee.

Fact: Scammers can imitate the bank’s phone menu (or they could make a temporary, actual connection which they cut off at the right time).
Myth: This bug enables them to fake my Caller ID.
The truth: A separate hack applies to Caller ID, which the scammer might also use as part of their fraud.

Fact: An evil caller can prevent other callers from getting through to you (they get busy tone).
Myth: They can listen in on everyone who calls you.
The truth: They have to physically wire a listening device across your line to do that. The method described here only allows a scammer to intercept calls you make, shortly after their call.

Fact: There is no indication if a call is still connected on the line after you hang up.
Myth: A scammer can be secretly connected to your line at any time.
The truth: It doesn’t “just happen”. They have to call you first, and the effect only lasts for five minutes (maximum, in Australia).

Fact: Mechanical exchanges also had this characteristic.

[Image: Map of Australia showing various towns. Land of the Long Held Call[1]]
[Image: Map of New Zealand showing various towns. Land of the Long White Cloud[2]]

Myth: Every country operates like this.
The truth: Only a few countries have this bug. New Zealand, Canada, the U.S., and many other countries do not have this bug. And mobile phone systems do not have this bug, either.

Fact: Various scams and tricks arising from this bug have been in use for some time. In the past, there was no five-minute timer, so it was possible to lock out someone’s line for weeks. Journalists and reporters, having interviewed someone for a story, would leave the call open, preventing competing journalists from calling their victim and getting the same story.
Myth: Surely the Police would speak to Telstra about this?
The (horrible) truth: I’m not convinced it’s even occurred to them that it’s a bug, nor am I convinced that they’ve actually spoken to Telstra about it. But I am sending information to the Police about this, firstly to ascertain what has transpired, and secondly, (from a crime prevention perspective) to persuade them to be more on the front foot with Telstra on this issue.
The only sign of action by the authorities I can find is that the British Financial Ombudsman Service has called for action by (British) telecoms companies to remedy the flaw in hanging up phone lines.

Where is the bug?

It is in the telephone exchanges – specifically, the software running inside the exchange. This has to be fixed, either by the manufacturer of the telephone exchanges (Ericsson), or by someone changing a configuration setting. Telstra has to request this in either case, and it is likely to take 3-6 months to fix.

The official term for this is CSH (Called Subscriber Held) or A-party Release. I call it a nasty bug, but unfortunately, it is hard to convince Telstra that this needs fixing.

I have some questions

While researching anything like this, it is natural for questions to arise. Does anyone have information on anything below, or anything else? Please leave a comment.

Note that comments usually require approval before appearing, which I generally check three times a day … agree or disagree, I approve “anything” on-topic.

  • Australia: Does anybody using Optus Cable (or other HFC services) experience the problem? Please do the test to find out.
  • New Zealand: Did CSH apply on Crossbar or Step-by-Step exchanges (say, before 1980)?
  • New Zealand – TelstraClear subscribers: Can someone do a test, to see if CSH applies to Telstra’s exchanges in NZ?
    You are probably a TelstraClear subscriber if your telephone number begins with 9xx xxxx, and if your TelstraClear bill shows a line item for Telephone Line Rental or Monthly Charges.
  • Britain: There was a proposal to reduce the CSH hold period to 10 seconds. Was this implemented?
  • U.S.: I don’t want to believe the movies too much 🙂 but they frequently show the B-party hanging up and the A-party receiving dial tone. Is that true?
  • All countries: Please do the test. It’s for your benefit to be aware of the situation, as well as our curiosity 🙂

If you have information, please fill out a comment (note: DELAY before it appears, for most people).


Scammers making use of Telstra landline bug – part 3

Oops, a change of plan

It is only just this week that it occurred to me that I was most likely an unwitting victim of this bug, 21 years ago (early 1995). The planned Facts and myths about this landline bug will now be Part 4.

This is Part 3 of Scammers making use of Telstra landline bug. Read about the scam in Part 1, and learn how to test your landline for the bug in Part 2.

An unwitting victim

I was not able to call for an ambulance to a neighbour’s kitchen knife accident.

Of the six people involved in the incident, only my wife and I understand English clearly, which added to the problems/confusion.

My mother-in-law was visiting neighbours when she called out to us there had been an accident in the kitchen (and then continued in Khmer[1], to my wife). I rushed into the house and saw the mother and son huddled together. The mother was clearly distressed, and there was quite a bit of blood, but there was no ongoing blood loss and they weren’t losing consciousness, so I picked up the phone to call 000. But there was an Asian voice on the line.

[Image: Queensland Ambulance Service vehicle]


I hung up for a few seconds, but the voice was still there, saying “Hello, hello”. Despite saying “please hang up”, and “Emergency here, please hang up”, it was a case of message received but not understood. I asked the victims where the other telephone was (thinking the voice was on another telephone extension somewhere else in the house, unaware of the drama). And I raced around the house and into the bedroom, but found no-one and no other telephone. We had just moved in and didn’t have our own telephone, so after trying the telephone once more, I ran to the payphone down the street and called the Ambulance.

The Ambulance eventually came and took them to hospital.

In the days and weeks afterward

My wife, my mother-in-law and I had come from New Zealand a few months before, where one can disconnect a remote caller by simply hanging up, provided that no-one else on your line has another phone off-hook.

Diagram showing a telephone call from phone A to phone line B which has two phones, B-x and B-y. Phone B-y is off-hook talking to A. Phone B-x is on-hook (idle)

Diagram of telephone call[3]
In New Zealand, phone B-x can get dial-tone provided phone B-y also hangs up.
In Australia, phone A must also hang up.

Referring to the diagram above, I raced around the house looking for phone B-y. But my mother-in-law knew the neighbours quite well and clarified there’s only one phone in the house, and that it was working (the day after), leading me to assume that it was on a party line[4]. They were unusual in urban areas, but one of my own friends had a 2-party line in Johnsonville (NZ) in 1989 – so it definitely wasn’t impossible.

I will never be absolutely certain of the truth, but it wasn’t until a few weeks after the scam story broke, and a few days after I wrote Part 2 that I realised that this bug is a much more plausible explanation for the difficulties. It means that in Australia, both the A-party and other telephones on the B-party’s line must hang up before the B-party can get dial-tone.

This has to change.

UPDATE Part 4 – Facts and myths about this landline bug is now available.

Links and Footnotes