raspberry as status screen / wall calendar / mpd player

I need fridges all over the house. Why? Because fridge magnets are the secret to getting things done. However, in the morning I often don't go to the fridge. Also, it isn't magnetic.
So I want a whiteboard/magnet thingie at the door so I see it before I exit the house.
Now this does not match my philosophy of "we need modern things", so let's build it using a raspberry and hang it on the wall.
Obviously, it should look nice, too, so let's not have error messages, mouse cursors or other stuff that distracts from what is important!

summer ending

today is the last beautiful day of this summer, they say – the weather man calls it the last day on which we will have sun and 20+ degrees Celsius
From tomorrow on it will be truly autumn and more rain is going to come
How nice of my depression to choose this day to creep back on me – because I have the feeling that I _have to_ go out today and enjoy this day, I am developing all kinds of aversions against going out.
Oh, how I hate this..

snowboard

so I need a new board – snowflower has died and is now a surfboard/toy for my kids ;)

having ridden a longboard (K2 Eldorado) last winter I got addicted to long boards and carving. Skip the park, park is for dogs :P – I want speed and I want to learn to ride in fresh snow – so what’s to do?

http://www.extremecarving.com/forum/viewtopic.php?t=2524

being 172 cm and 90 kilos I obviously need something a little special:
no clue about that camber/rocker stuff, will have to test it but let's start dreaming
apparently keywords to use are
– freeride
– carving
– longboard
– somewhat wider
– stiff

so finding this:

– K2 Eldorado obviously (apparently a masterful allrounder)
– Rad Air Tanker (grandfather of longboards, apparently)
– Dupraz D1 (comes in + and ++ – depending on how heavy you are / how aggressively you ride)
– LTB – supreme
– Swoard – dual
– good – keep should know more

enable netflix from linux

it works when using pipelight-plugin and user-agent-overrider

add-apt-repository ppa:pipelight/stable
apt-get update
apt-get install pipelight
(pipelight-multi?)

pipelight-plugin --update

pipelight-plugin --enable silverlight

install user-agent-overrider

https://addons.mozilla.org/de/firefox/addon/user-agent-overrider/

enable it, go to its preferences
and add these two user agent strings for Netflix and Unity3D:

# Netflix/Unity3D
Firefox 15/Windows: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1
Safari/OSX: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10

test silverlight plugin here:

http://bubblemark.com/silverlight2.html

then Netflix should work using the overrider set to Firefox 15 / Windows

Any DRM errors you still get are most likely caused by NoScript, HTTPS Everywhere, Adblock or Flash – just create exceptions for them


FAIL: native VPN with iPhone and linux (raspian/ubuntu)

FAIL: this experiment did not work / needs more testing

I want a working on-demand VPN for my iPhone to tunnel all my traffic in case I have to use some dubious wlan (such as the one at techinc or in some hotel)

as openswan is not working yet but I need a quick solution, I will start with PPTP – better than nothing! (it will connect to my raspberry pi). Caveat: PPTP's MS-CHAPv2 authentication, and with it the MPPE session keys, has been publicly broken since 2012, so it keeps casual snoopers out but not a determined operator of that dubious WLAN.

http://www.domoticz.com/wiki/Installing_a_PPTP-VPN_server_on_a_Raspberry_Pi

problem: NAT seems broken…

Jun 23 12:19:12 pi pppd[2421]: Connect: ppp0 <--> /dev/pts/1
Jun 23 12:19:15 pi pppd[2421]: peer from calling number 80.252.84.2 authorized
Jun 23 12:19:15 pi pppd[2421]: MPPE 128-bit stateless compression enabled
Jun 23 12:19:15 pi pppd[2421]: local IP address 89.18.174.10
Jun 23 12:19:15 pi pppd[2421]: remote IP address 192.168.1.1
Jun 23 12:19:16 pi kernel: [ 322.838123] [UFW BLOCK] IN=ppp0 OUT=eth0 MAC= SRC=192.168.1.1 DST=8.8.8.8 LEN=55 TOS=0x00 PREC=0x00 TTL=254 ID=33883 PROTO=UDP SPT=58293 DPT=53 LEN=35
Jun 23 12:19:16 pi kernel: [ 322.838236] [UFW BLOCK] IN=ppp0 OUT=eth0 MAC= SRC=192.168.1.1 DST=8.8.8.8 LEN=87 TOS=0x00 PREC=0x00 TTL=254 ID=33984 PROTO=UDP SPT=55601 DPT=53 LEN=67
Jun 23 12:19:16 pi kernel: [ 322.838324] [UFW BLOCK] IN=ppp0 OUT=eth0 MAC= SRC=192.168.1.1 DST=8.8.8.8 LEN=69 TOS=0x00 PREC=0x00 TTL=254 ID=103 PROTO=UDP SPT=60048 DPT=53 LEN=49
Jun 23 12:19:16 pi kernel: [ 322.838850] [UFW BLOCK] IN=ppp0 OUT=eth0 MAC= SRC=192.168.1.1 DST=8.8.8.8 LEN=59 TOS=0x00 PREC=0x00 TTL=254 ID=52840 PROTO=UDP SPT=57961 DPT=53 LEN=39
Jun 23 12:19:16 pi kernel: [ 322.84024

so I tried allowing 192.168.1.1 using "ufw allow" – no joy (ufw allow only opens the INPUT chain; the log lines above have both IN= and OUT= set, i.e. the packets were dropped while being forwarded from ppp0 to eth0)
then tried to allow the default forwarding policy: still no joy
/etc/default/ufw
>>> DEFAULT_FORWARD_POLICY="ACCEPT"
service ufw restart

disabling ufw still doesn't work – is PPTP really dead?
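To read [UFW BLOCK] lines like the ones above mechanically, here is an added example (my code, not part of the original post): it parses such kernel log lines, tells packets dropped in the INPUT chain (what "ufw allow" governs) apart from forwarded ones (IN= and OUT= both set, governed by DEFAULT_FORWARD_POLICY), and flags forwarded traffic from a private source that additionally needs a MASQUERADE rule for replies to find their way back. The sample log is constructed: the two UDP/53 lines mirror the ones in the log above, the TCP/443 forward and the eth0 INPUT drop are made up for contrast.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log. The two UDP/53 lines follow the [UFW BLOCK] entries
# above field for field; the TCP/443 forward and the eth0 INPUT drop are made up
# to show the difference between the chains.
SAMPLE_LOG = """\
Jun 23 12:19:16 pi kernel: [  322.838123] [UFW BLOCK] IN=ppp0 OUT=eth0 MAC= SRC=192.168.1.1 DST=8.8.8.8 LEN=55 TOS=0x00 PREC=0x00 TTL=254 ID=33883 PROTO=UDP SPT=58293 DPT=53 LEN=35
Jun 23 12:19:16 pi kernel: [  322.838236] [UFW BLOCK] IN=ppp0 OUT=eth0 MAC= SRC=192.168.1.1 DST=8.8.8.8 LEN=87 TOS=0x00 PREC=0x00 TTL=254 ID=33984 PROTO=UDP SPT=55601 DPT=53 LEN=67
Jun 23 12:19:17 pi kernel: [  323.100001] [UFW BLOCK] IN=ppp0 OUT=eth0 MAC= SRC=192.168.1.1 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=254 ID=17 PROTO=TCP SPT=50000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 23 12:19:20 pi kernel: [  326.000001] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=89.18.174.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

# What governs each chain, in ufw terms.
UFW_HINTS = {
    "INPUT": "traffic to the box itself; this is what 'ufw allow' opens",
    "FORWARD": "traffic passing through; DEFAULT_FORWARD_POLICY in /etc/default/ufw "
               "plus net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf",
    "OUTPUT": "traffic from the box itself; DEFAULT_OUTPUT_POLICY in /etc/default/ufw",
}


def parse_ufw_block(line):
    """Return the KEY=value fields of one '[UFW BLOCK]' kernel log line, or None.
    Flag-only tokens such as SYN are skipped; of the two LEN fields the last one
    (the transport payload) wins, which is fine for this purpose."""
    if "[UFW BLOCK]" not in line:
        return None
    return dict(FIELD_RE.findall(line.split("[UFW BLOCK]", 1)[1]))


def chain_of(fields):
    """The netfilter LOG target prints IN= and OUT=; only a forwarded packet has both."""
    if fields.get("IN") and fields.get("OUT"):
        return "FORWARD"
    return "INPUT" if fields.get("IN") else "OUTPUT"


def needs_nat(fields):
    """Forwarded packet from a private source towards a public destination: letting it
    through the FORWARD chain is not enough, the reply has nowhere to go without a
    MASQUERADE/SNAT rule on the outgoing interface."""
    if chain_of(fields) != "FORWARD":
        return False
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    return src.is_private and not dst.is_private


def summarize(log_text):
    """Count drops per (chain, proto, dport); collect (src, out_iface) pairs that need NAT."""
    counts = Counter()
    nat_needed = set()
    for line in log_text.splitlines():
        f = parse_ufw_block(line)
        if f is None:
            continue
        counts[(chain_of(f), f.get("PROTO"), f.get("DPT"))] += 1
        if needs_nat(f):
            nat_needed.add((f["SRC"], f["OUT"]))
    return counts, nat_needed


def report(log_text):
    """Human-readable lines: one per (chain, proto, dport), plus one per NAT finding."""
    counts, nat_needed = summarize(log_text)
    lines = []
    ordered = sorted(counts.items(), key=lambda kv: (kv[0][0], str(kv[0][1]), str(kv[0][2])))
    for (chain, proto, dport), n in ordered:
        lines.append(f"{chain:7} {proto or '?':4} dport {dport or '?':>5}: {n} dropped; {UFW_HINTS[chain]}")
    for src, out in sorted(nat_needed):
        lines.append(f"forwarded traffic from private {src} leaves via {out}: also needs a "
                     f"MASQUERADE rule (*nat POSTROUTING in /etc/ufw/before.rules)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed it the real kernel log (grep "UFW BLOCK" /var/log/kern.log) to get the same breakdown for a live box; the three things a forwarded VPN client needs are listed in the output: forward policy, ip_forward, and NAT for the private source.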

now for L2TP:

Install the necessary packages.
sudo apt-get install openswan ppp xl2tpd

question if I want to create a cert for this host? – yes
“create”
“self-sign”

Alternatively you can reject this option and later use the command “dpkg-reconfigure openswan” to come back.

Using the following setup:

172.31.1.11 Ubuntu Server IP Address
172.31.1.1 Gateway Internal IP

On your router, forward ports 500/udp and 4500/udp to the server
(e.g. ufw allow 500/udp) etc…

===================
Here’s my /etc/ipsec.conf file.
===================
version 2.0

config setup
nat_traversal=yes
# 192.168.0.0/16, not 192.168.1.0/16; exclude the server's own LAN so hosts in it are not treated as NATed virtual clients
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.31.1.0/24
oe=off
protostack=netkey

include /etc/ipsec.d/l2tp-psk.conf

==================
Here’s my /etc/ipsec.d/l2tp-psk.conf file.
(change left & leftnexthop values)
Important NOTE: dpd entries allow you to connect multiple times without having to restart IPSEC…Thanks to user “FTT” for this
==================
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
type=transport
left=172.31.1.11
leftnexthop=172.31.1.1
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
dpddelay=15
dpdtimeout=30
dpdaction=clear
#Uncomment the line below for OSX on MAC? untested!
#rightprotoport=17/0

==================
Here’s my /etc/xl2tpd/xl2tpd.conf file.
(change ip range & local ip)
Important NOTES: “local ip” value must be outside “ip range”
Both “local ip” and “ip range” MUST be outside the DHCP range on your local router or DHCP server. – using: 17 for local and 18 – 19 for VPN IP assignment
==================

[global]
ipsec saref = yes
[lns default]
ip range = 172.31.1.18-172.31.1.19
local ip = 172.31.1.17
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

==================
Here’s my /etc/ppp/options.xl2tpd file.
(change ms-dns value)
==================

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

==================
Here’s my /etc/ppp/chap-secrets file.
(change username & password values)
Example uses (username=test and password=testpass)
Important NOTE: the IP address (172.31.1.18 here) must be inside the "ip range" from /etc/xl2tpd/xl2tpd.conf. Repeat for additional users using different IP addresses within the range (with .18-.19 that is two concurrent clients).
==================

test l2tpd testpass 172.31.1.18
l2tpd test testpass 172.31.1.18

==================
Here’s my /etc/ipsec.secrets file. (change IP address & Secret values)
==================

include /var/lib/openswan/ipsec.secrets.inc
172.31.1.11 %any: PSK "TestSecret"

================

Run these three commands to restart everything

sudo /etc/init.d/pppd-dns restart
sudo /etc/init.d/xl2tpd restart
sudo /etc/init.d/ipsec restart
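The notes between the files above (local ip outside ip range, chap-secrets addresses inside it, the ipsec.secrets address equal to left=, everything outside the router's DHCP pool) are easy to get wrong when copying. As an added example that is not part of the original post, here is a small checker over constructed copies of those four files with the post's values; the router DHCP pool and the minimum PSK length are assumptions of mine.

```python
import ipaddress
import re

# Constructed copies of the relevant lines of the four files above (same values as in the post).
XL2TPD_CONF = """\
[global]
ipsec saref = yes
[lns default]
ip range = 172.31.1.18-172.31.1.19
local ip = 172.31.1.17
"""
L2TP_PSK_CONF = """\
conn L2TP-PSK-noNAT
left=172.31.1.11
leftnexthop=172.31.1.1
leftprotoport=17/1701
right=%any
"""
CHAP_SECRETS = """\
# client server secret IP
test l2tpd testpass 172.31.1.18
l2tpd test testpass 172.31.1.18
"""
IPSEC_SECRETS = """\
include /var/lib/openswan/ipsec.secrets.inc
172.31.1.11 %any: PSK "TestSecret"
"""
# Assumed DHCP pool of the home router; the post only says the VPN addresses must not collide with it.
ROUTER_DHCP_POOL = ("172.31.1.100", "172.31.1.199")
MIN_PSK_LEN = 20  # our own threshold, not from the post


def kv(text, key, sep="="):
    """Value of the first 'key<sep>value' line (whitespace tolerant), or None."""
    pat = r"^\s*" + re.escape(key) + r"\s*" + re.escape(sep) + r"\s*(\S.*?)\s*$"
    m = re.search(pat, text, re.M)
    return m.group(1) if m else None


def addr_range(spec):
    """'a-b' or just 'a' -> inclusive (first, last) pair of ip_address objects."""
    parts = [ipaddress.ip_address(p.strip()) for p in spec.split("-")]
    return parts[0], parts[-1]


def in_range(addr, rng):
    return rng[0] <= ipaddress.ip_address(addr) <= rng[1]


def overlaps(a, b):
    """Two inclusive address ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_l2tp_configs(xl2tpd, psk_conf, chap, secrets, dhcp_pool=ROUTER_DHCP_POOL):
    """Cross-check the four files; returns a list of problems (empty = consistent)."""
    problems = []
    pool = addr_range(kv(xl2tpd, "ip range"))
    local = kv(xl2tpd, "local ip")
    if in_range(local, pool):
        problems.append(f"local ip {local} lies inside ip range {pool[0]}-{pool[1]}")
    dhcp = addr_range("-".join(dhcp_pool))
    if overlaps(pool, dhcp) or overlaps(addr_range(local), dhcp):
        problems.append("VPN addresses overlap the router's DHCP pool")
    for line in chap.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != 4:
            continue
        client, server, _secret, addr = parts
        if addr != "*" and not in_range(addr, pool):
            problems.append(f"chap-secrets {client}/{server}: {addr} is not inside ip range")
    left = kv(psk_conf, "left")
    m = re.search(r'^\s*(\S+)\s+%any:\s*PSK\s+"([^"]*)"', secrets, re.M)
    if not m:
        problems.append('ipsec.secrets lacks a \'<left-ip> %any: PSK "..."\' line')
    else:
        if m.group(1) != left:
            problems.append(f"ipsec.secrets is for {m.group(1)} but left={left}")
        if m.group(2) == "TestSecret" or len(m.group(2)) < MIN_PSK_LEN:
            problems.append("PSK is the example value or shorter than "
                            f"{MIN_PSK_LEN} chars; it is all that guards the IKE negotiation")
    return problems


if __name__ == "__main__":
    for p in check_l2tp_configs(XL2TPD_CONF, L2TP_PSK_CONF, CHAP_SECRETS, IPSEC_SECRETS) or ["ok"]:
        print(p)
```

Run against the post's values it reports exactly one thing: the PSK is still the example value. Replace the constants with the contents of the real files (open(...).read()) to check a live setup.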

==================

Run the following command, you should get the text below.

sudo ipsec verify

Got a warning: disabled it for eth0 (the wildcard in the message covers every interface, so also set net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects to 0 via sysctl, or the check keeps failing)

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!

==================
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.24-23-generic (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

If the two netkey / ICMP lines fail, don’t worry…it should still work. Not sure why this happens for some and not others. I tried changing the ipv4 ICMP settings and got no change in the verify results. Not quite sure what the problem is here yet??

=========

Last but not least, place the following line into your /etc/rc.local file
(This allows forwarding of packets so you can access WAN addresses, not just LAN addresses, and is persistent across reboots. Cleaner: put net.ipv4.ip_forward=1 into /etc/sysctl.conf, or into /etc/ufw/sysctl.conf since ufw applies that file whenever it starts.)
echo 1 > /proc/sys/net/ipv4/ip_forward
=========

Running the following command enables it right now, no need to reboot

sudo echo 1 > /proc/sys/net/ipv4/ip_forward

(permission denied? yes: the redirect is done by your own unprivileged shell, only the echo runs as root. Do it from a root shell, pipe the echo into sudo tee, or use sudo sysctl -w net.ipv4.ip_forward=1)

===============================================================

Now for the Iphone Setup

Settings -> General -> Network -> VPN -> Add VPN Configuration

L2TP
Description: WhateverYouWantToCallIt
Server: WANipAddress (could be a DynamicDNS URL)
Account: test
RSA SecurID=OFF
Password: testpass
Secret: TestSecret
Send All Traffic=On

Save it, then turn your VPN on, it should connect and you will see a VPN icon in the upper status bar (left side on 3gs, right side on 4). Now all your traffic will be protected in WiFi hotspots, 3G, etc.

if /var/log/syslog complains about:

ipsec__plutorun: 003 "/etc/ipsec.secrets" line 16: error loading RSA private key file

then rewriting the key as plain PEM

root@:/etc/ipsec.d/private# openssl rsa -in vpn.example.com.key -outform pem -out vpn.example.com.key.new
writing RSA key

may very well help.

on techinc and society

Back in the days I met people who were fundamentalist vegans, calling themselves “straight edge” – we lived for half a year in the same building till we could not stand each other anymore – Some people would boycott what the other was doing/liking/listening to because somewhere it conflicted with the ethics of one of the Vegans.

We stopped listening to music together (because %recordlabel% was supporting the exploitation of children somewhere), we stopped cooking and eating together (because %shop% supports the destruction of rice fields somewhere) and so on.. everything had a problem that made it unethical/impossible to reach common ground

Now you could ask yourself why this happened.. were the fundamentalists too fundamentalist? They would not be fundamentalist, then, right? <<— edit: maybe ideologist/ideology would be more fitting – thanks

Were we too “corrupted” by society to accept their point of view?

In fact, everyone had sound arguments and reasons for what he was doing, yet our shared apartment that was started on the premise of “Hey, you people are cool, we meet at many parties, lets live together”

The two emails I received on the techinc mailing list regarding hitb and the reputation of techinc painfully remind me of that time…

Probably the Catholics/Protestants felt similar 500 years ago.. we all know how that ended ;)
Heck, the entire civilization we currently live in has been like that and I still don't like it but you know what? Democracy may be inherently bad but it is still the most common form of "how to piss the least people off and still manage to keep the show going". This system is powered by public reward for things done well (salary, media, etc.. ) and punishment for things not done right (penalties, fees, court, jail, public shaming, exclusion from the "club")

Again, I don’t think it is the best system to have but all the alternatives cause only more fragmentation and dissent.. do we want that? Shall we continue as one block of awesome people standing together or shall we just let it fall apart because we don’t like the hair of the other person?
(*glances at Mitch Altman and giggles*)

windows media / gaming pc

windows 8.1 seems solid so as I want to play games I decided to throw some servers / services on there, too

but first disable that tablet crap and the “metro” interface
I will be using desktop software anyway so no need for that touch stuff

Right-click the taskbar on the desktop and under “Navigation” disable all “corner navigation” charms/crap
then select “show desktop instead of start” and “show apps view” – disable “search all” and enable “list apps first”

go to the metro search > uninstall programs and delete them all

install vlc, foxit reader, itunes, steam, quasselclient, firefox, spotify, etc)

also> gpedit > computer configuration > administrative templates > windows components > onedrive > prevent the usage of onedrive for file storage

install calibre ebook server and plex media server (once I have a NAS this will change)

enable file sharing and streaming for the home group

check firewall for permissions / check device is not reachable from the outside

enable file history / add shared media folders to libraries

consider growing disks for backup > FAIL – not enough SATA ports > see NAS project :)

dolby downmixing for games

assuming a gaming PC using windows, transporting video and audio via HDMI to a TV, with an amplifier with a 2.1 setup connected to that. however the subwoofer is controlled by the amplifier so all I want is plain stereo into the amplifier.

Now, when playing old games sometimes the audio is just off or very silent (like: wing commander 4, many gog games that use dolby stereo in the cutscenes) – this is because the software has "dolby stereo" hardcoded on the CD/DVD and windows assumes that the HDMI interface can process dolby stereo.

windows itself doesn't help you here, blaming the game/the TV, and it kinda annoys me to hear only the left and right channel and not the center, rear and subwoofer channels – it apparently assumes that the game specifies the desired output or whatnot… and we all know whose mother assumption is

remedy is an AC3 splitter or directshow filter
a very good one is included in the “shark007 codec pack” – get it here
I am sure there are others but that one is my favorite since I migrated away from CCCP (combined community codec pack) years ago (which was needed to decode mkv anime with dual audio, etc…)

just install the “advanced” package, use shark007’s recommended settings and then in the settings set up “2.0” stereo downmixing (or whatever you are feeding into your amplifier) – I have only two wires – left and right – for the moment. once I upgrade my amplifier this will basically work against me… but hey, first I need a better amp ;)

private server install log 03/2014

this is taken from here:

https://github.com/al3x/sovereign

and I want to play with ansible on my other server (the .eu domain) but this will be my private server where things are (of course) different.
UPDATE 7/2014: added webmail and roundcube and owncloud plugin
NEEDS: backup scripts / dumps

– create a VM with basic specs for Ubuntu
– set up 12.04 LTS with 64bit flavor >> UPDATE: 14.04 LTS is out – mail server is on 14, rest stays on 12 for now…
– chose LVM and an encrypted home directory during install
– install VMware tools / xen tools > or stick to KVM

- allow SSH on the firewall
don't forget IPv6 for the rules or use UFW
#ufw allow ssh
#ufw limit ssh/tcp <-- is this actually useful in combination with fail2ban?
check /etc/ssh/sshd_config for UsePAM yes - then we can plug in the 2-factor authenticator :)

- mosh – useful
apt-get install mosh
open ports correspondingly
#ufw allow proto udp from any to any port 60000:60010
this allows for mosh instead of ssh to your server which helps with lag/latency

- htop – interactive “top”

http://hisham.hm/htop/

- fail2ban – block connection attempts
apt-get install fail2ban
edit /etc/fail2ban/fail2ban.conf
and edit
/etc/fail2ban/jail.conf
or better: create a jail.local (it overrules the jail.conf)
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

here check for the following:

separate whitelisted hosts/subnets/CIDR blocks with spaces under 'ignoreip'
also, set up your MTA and the recipient address under destemail
bantime and maxretry can be adjusted
backend can be auto

edit /etc/fail2ban/jail.local
and apply the banactions for UFW as we are not using iptables directly (we suck!)

[ssh]
enabled = true
banaction = ufw-ssh
port = 2992
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[apache]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-auth
logpath = /var/log/apache*/error*.log
maxretry = 4

[apache-filenotfound]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-nohome
logpath = /var/log/apache*/error*.log
maxretry = 3

[apache-noscript]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-noscript
logpath = /var/log/apache*/error*.log
maxretry = 6

[apache-overflows]
enabled = true
port = http,https
banaction = ufw-apache
filter = apache-overflows
logpath = /var/log/apache*/error*.log
maxretry = 2

create /etc/fail2ban/action.d/ufw-ssh.conf (the <ip> tag is what fail2ban replaces with the offending address):

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app OpenSSH
actionunban = ufw delete deny from <ip> to any app OpenSSH

and /etc/fail2ban/action.d/ufw-apache.conf:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 2 deny from <ip> to any app "Apache Full"
actionunban = ufw delete deny from <ip> to any app "Apache Full"

note: with these actions the port = values in jail.local are not used (they only matter for the iptables-multiport action); the block applies to the ufw app profiles, i.e. 22/tcp for OpenSSH and 80,443/tcp for "Apache Full". If sshd really listens on 2992, the action has to deny that port instead, e.g. via a matching profile in /etc/ufw/applications.d/.
DISCUSS: IPv6 – hack a little 64 gateway or block SSH for IPv6 (which would be silly…)

restart ufw and fail2ban to activate:

andreas@telecity:~$ sudo service fail2ban restart
* Restarting authentication failure monitor fail2ban [ OK ]
andreas@telecity:~$ sudo service ufw restart
ufw stop/waiting
ufw start/running

check status (default only SSH is enabled)
andreas@telecity:~# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh
root@telecity:~#

it works! UFW injects a deny statement for every host that tries to bruteforce

tail -f /var/log/fail2ban.log
2014-07-19 11:24:49,201 fail2ban.actions: WARNING [ssh] Ban 116.10.191.163

$ sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    DENY        116.10.191.163
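To see what the jail does before pointing it at a live server: an added example (mine, not from the post or from fail2ban) that models the [ssh] jail above over a constructed auth.log excerpt. maxretry failures within findtime from one address trigger the ufw-ssh actionban command with <ip> substituted, addresses in ignoreip are never banned, and old failures age out of the window. The regex is a simplified stand-in for fail2ban's sshd filter, and the year is an assumption because syslog lines carry none.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt in the format Ubuntu's sshd writes (not copied from a server).
# 116.10.191.163 fails three times in nine seconds, 10.0.0.5 is on the LAN we whitelist,
# 203.0.113.9 fails three times too, but spread over 19 minutes.
SAMPLE_AUTH_LOG = """\
Jul 19 11:24:40 telecity sshd[2001]: Failed password for invalid user admin from 116.10.191.163 port 41234 ssh2
Jul 19 11:24:43 telecity sshd[2001]: Failed password for invalid user admin from 116.10.191.163 port 41234 ssh2
Jul 19 11:24:45 telecity sshd[2004]: Failed password for root from 10.0.0.5 port 50012 ssh2
Jul 19 11:24:49 telecity sshd[2001]: Failed password for root from 116.10.191.163 port 41234 ssh2
Jul 19 11:24:51 telecity sshd[2004]: Failed password for root from 10.0.0.5 port 50012 ssh2
Jul 19 11:24:53 telecity sshd[2004]: Failed password for root from 10.0.0.5 port 50012 ssh2
Jul 19 11:25:02 telecity sshd[2007]: Accepted publickey for andreas from 10.0.0.5 port 50020 ssh2
Jul 19 11:40:00 telecity sshd[2010]: Failed password for root from 203.0.113.9 port 1000 ssh2
Jul 19 11:52:00 telecity sshd[2011]: Failed password for root from 203.0.113.9 port 1001 ssh2
Jul 19 11:59:00 telecity sshd[2012]: Failed password for root from 203.0.113.9 port 1002 ssh2
"""

# Simplified stand-in for fail2ban's sshd failregex (the real one covers many more messages).
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# actionban from the ufw-ssh action above; fail2ban substitutes <ip>.
BAN_ACTION = "ufw insert 1 deny from <ip> to any app OpenSSH"


class SshJail:
    """Model of one fail2ban jail: maxretry failures within findtime -> one ban."""

    def __init__(self, maxretry=3, findtime=600, ignoreip=("127.0.0.1/8",), year=2014):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        # strict=False so that fail2ban-style '127.0.0.1/8' (host bits set) is accepted
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.year = year  # syslog timestamps carry no year; assumed
        self.failures = defaultdict(deque)  # ip -> timestamps inside the findtime window
        self.banned = []  # (ip, command) in ban order

    def ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; returns the ban command if this line triggered a ban."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        ip = m.group("ip")
        if self.ignored(ip) or any(b == ip for b, _ in self.banned):
            return None
        when = datetime.strptime(f"{self.year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        window = self.failures[ip]
        window.append(when)
        while window and when - window[0] > self.findtime:  # age out old failures
            window.popleft()
        if len(window) >= self.maxretry:
            cmd = BAN_ACTION.replace("<ip>", ip)
            self.banned.append((ip, cmd))
            window.clear()
            return cmd
        return None

    def run(self, log_text):
        """Feed a whole log; returns the banned addresses in ban order."""
        for line in log_text.splitlines():
            self.feed(line)
        return [ip for ip, _ in self.banned]


if __name__ == "__main__":
    jail = SshJail(maxretry=3, findtime=600, ignoreip=("127.0.0.1/8", "10.0.0.0/8"))
    jail.run(SAMPLE_AUTH_LOG)
    for ip, cmd in jail.banned:
        print(f"Ban {ip}: {cmd}")
```

The slow attacker (203.0.113.9) shows why findtime matters: with the default 600 seconds three failures 19 minutes apart never add up, a longer findtime (or the recidive jail) catches them. Replace SAMPLE_AUTH_LOG with the contents of /var/log/auth.log to replay a real day.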

– install build-essential, openssl and libssl-dev to be able to create a wildcard certificate (self-signed) and other stuff we have to build from scratch

– owncloud – via owncloud.com
install according to manual there (#apt-get install owncloud)
admin docs: http://doc.owncloud.com/
modify your webserver to allow owncloud to do its magic:
#chown -R www-data:www-data /path/to/your/owncloud/apps
#chown -R www-data:www-data /path/to/your/owncloud/data
#chown -R www-data:www-data /path/to/your/owncloud/config
set ‘AllowOverride All’ in the /var/www/ section of apache2 config file
(/etc/apache2/sites-available/default)
#a2enmod rewrite
#a2enmod headers
then restart apache
#service apache2 restart
open firewall ports: ufw allow http and ufw allow https
then point browser to https://[your server's URL]/owncloud
if you want to install into mysql choose "advanced" – otherwise just go with sqlite and create an admin user
you are done!

go admin > create a group and some users
set up the client (owncloud-client) and point it to your server’s URL (use https and a full path)
create folders > they will be synced by owncloud and to your server

other features:
use cardDAV/calDAV
sync music (amaroK/tomahawk)
plugins (roundcube, large files, mobile interface, etc…)

once it works, why not make it secure and install SSL:
– create a self-signed SSL certificate (for web and mail server) or buy one ;)

https://help.ubuntu.com/12.04/serverguide/certificates-and-security.html

and install them
# cp server.crt /etc/ssl/certs
# cp server.key /etc/ssl/private
adjust apache2 config to enable SSL:

edit sites-available/default-ssl
enable “AllowOverride All” for all /var/www instances as before
check ‘SSLEngine On’ is there
add the two certificates to it instead of the “snakeoil” cert

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

enable the engine with
#a2ensite default-ssl

and restart server
#service apache2 restart

and check if your browser accepts the cert :)

hints to make SSL more secure from phra.gs

https://phra.gs/blob/2014-02-14-apachessl.html

now get connected using owncloud client using the username/password you set as admin

NOTE: every time you update the owncloud binaries you need to go to the website once to apply the update!

– quassel

http://bugs.quassel-irc.org/projects/quassel-irc/wiki

apt-get install quassel-core
for the server
open port 4242 on your firewall/iptables

and use quassel-client for the client
there is quasseldroid and iQuassel for mobile clients

it doesn't use SSL by default – so stop the service and launch quasselcore manually
it will show you where it wants the config files and SSL certs

then create the cert as indicated here (key and certificate go into one pem file, which is what quasselcore expects):
http://bugs.quassel-irc.org/projects/quassel-irc/wiki/Client-Core_SSL_support
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout ~/.config/quassel-irc.org/quasselCert.pem -out ~/.config/quassel-irc.org/quasselCert.pem
(the wiki's rsa:1024 is too small these days – use rsa:2048 or larger, the rest of the command stays the same)

connect to your server for the first time and a welcome dialog will appear
set up the first user (who will be an admin)
and then go play :) (and chat from anywhere)

useful for irssi integration:

https://github.com/phhusson/quassel-irssi

mmarley has a more recent repository on launchpad – use it if you want to use 0.10 and not 0.8

gallery2:
simple: apt-get install gallery2
install mysql-server and set up the database (Remember the user/pass)

http://codex.galleryproject.org/Gallery2:Installation_on_Debian

then run the webinstaller and do the rest

http://yourdomain/gallery2

edit /etc/php5/apache2/php.ini and raise the file limits if you want /need

add a seedbox? transmission-bt !

http://filesharefreak.com/2012/05/10/seedbox-from-scratch-new-server-to-seeding-in-less-than-5-minutes

although that is something for my raspi at home / openelec style

install transmission-daemon – set up config and password
apt-get install transmission-daemon

nano /etc/transmission-daemon/settings.json

and open firewall for the tcp ports – done :)

– diaspora

https://wiki.diasporafoundation.org/Installation/Ubuntu/Precise

seems I need a “valid” SSL cert and a dedicated webserver – so I will do that virtually instead or from home or not at all.

– XMPP
apt-get install prosody
configure as per example / global settings and add an admin user there

create some keys:

openssl req -new -x509 -days 1000 -nodes -out "/etc/ssl/certs/xxxxxxxx.crt" -newkey rsa:4096 -keyout "/etc/ssl/private/xxxxxxxx.key"

under your server add the certs
ssl = {
/path/to,,,

and create symlinks

test the keys:
sudo chmod 600 /path/to/certificate.key
sudo chown prosody:prosody /path/to/certificate.key

Prosody should also be able to read the parent directories of the file.

To test that only Prosody can read the file:

sudo -u prosody cat /path/to/certificate.key # Should succeed
sudo -u nobody cat /path/to/certificate.key # Should fail

Declaring host

The configuration of the host im.example.org goes into the file /etc/prosody/conf.avail/im.example.org.cfg.lua; the shipped example.com.cfg.lua may serve as a model:

cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/im.example.org.cfg.lua

With your favorite editor change the VirtualHost and enabled settings so you have:

VirtualHost "im.example.org"
--enabled = false -- Remove this line to enable this host

The line "--enabled = [...]" can also be removed instead of commenting it out like above.

Also represent the key and the SSL certificate:

ssl = {
key = "/etc/prosody/certs/im.example.org.key";
certificate = "/etc/prosody/certs/im.example.org.cert";
}

If you already have a key / certificate pair on the same domain name (Common Name), for example for apache, point to it instead of the files listed above.

Now create the symbolic link in« /etc/prosody/conf.d/ » with:

ln -sf /etc/prosody/conf.avail/im.example.org.cfg.lua /etc/prosody/conf.d/im.example.org.cfg.lua

Several host by one configuration

Here is an example to declare a single configuration for multiple hosts (thank you MattJ):

for _, host in ipairs { "example.net", "example.org" } do
VirtualHost (host)
option1 = "foo"
option2 = "bar"
end

Create users (single)

Creating user accounts is done with the command « prosodyctl »

prosodyctl adduser romeo@im.example.org

open firewall for ports 5222 and 5269, IPv4 and IPv6

create DNS SRV records for optimal federation / domain delegation
use this template:
_xmpp-client._tcp.example.com. 18000 IN SRV 0 5 5222 xmpp.example.com.
_xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 xmpp.example.com.
_jabber._tcp.example.com 18000 IN SRV 0 5 5222 xmpp.example.com <-- is that still relevant? also.. no dots after TLD? doubt this will work...

in fact: the domain is automatically added so just add this:
_xmpp-client._tcp type SRV with value 0 5 5222 xmpp.domain.com.
and
_xmpp-server._tcp type SRV with value 0 5 5269 xmpp.domain.com.
(server-to-server is 5269, not 5222; an _xmpp-server record pointing at the client port breaks federation)

it must point to an existing A-record - not an IP address (this also helps with IPv6 I guess...)

;; QUESTION SECTION:
;_xmpp-client._tcp.rudel.nl. IN SRV

;; ANSWER SECTION:
_xmpp-client._tcp.rudel.nl. 3600 IN SRV 0 5 5222 telecity.rudel.nl.

;; ADDITIONAL SECTION:
telecity.rudel.nl. 3600 IN A 80.252.86.117

– rkhunter

– sendmail / mail server?
— dovecot imap and roundcube look neat – with a plugin for owncloud? awesome!
– tarpitting / greylisting / smarthost with ISP relay?
found iredmail!

http://www.iredmail.org/install_iredmail_on_ubuntu.html

install script works nice on a new /fresh ubuntu server – delete defaults later and change passwords
set up domain records (MX and A-records) and set up SPF

– two-factor authentication? google authenticator?
sudo apt-get install libpam-google-authenticator
run google-authenticator as the user you will be logging in as
it will create a qr code with the secret key that google authenticator app can scan
it will also update the PAM module and ask you some questions
do this for every user

now edit /etc/pam.d/sshd
add this line (at the end, so the normal password check from common-auth runs first):
# enable Google authenticator
auth required pam_google_authenticator.so

then edit /etc/ssh/sshd_config
and change or add these lines to say yes
ChallengeResponseAuthentication yes
UsePAM yes

caveat: this only guards password (keyboard-interactive) logins. A login with an accepted public key never reaches PAM's auth stack, so it gets no code prompt; to require key AND code you need OpenSSH 6.2 or newer (14.04 ships 6.6, 12.04's 5.9 cannot do it) and AuthenticationMethods publickey,keyboard-interactive. Keep a root shell open while testing, a typo here locks you out.

restart ssh to enable
sudo service ssh restart

next login looks like that:
login as: andreas
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Verification code: