Mail-in-a-Box… some days the struggle is real.

I would just like to say they at I really like Mail-in-a-Box. It is a great, free option for running and administering your own email server. A lot of the features make it really easy to use and maintain.

That is except when something goes wrong… which seems to be much more than it should.

I’ve had updates fail.

I’ve had issue with OpenSSL dependencies.

Most recently I’ve had an issue with renewing the Let’s Encrypt SSL certificate.

Each time this happens, I spend hours digging through the forums, trying things and hoping I don’t somehow make the problem worse!

If you use Mail-in-a-Box, and it fails to auto-renew your SSL certificate (which Mail-in-a-Box is supposed to do for you automatically 14 days before expiration) and starts giving you the following error:

Something unexpected went wrong: Error creating new cert :: 
Too many certificates already issued for exact set of domains:

Then I would suggest you try the following BEFORE you try anything else:

  1. Log in as an admin to the Mail-in-a-Box control panel.
  2. Go to Mail > Users.Mail-in-a-Box add new users
  3. Add a new email (such as test@box1.yourdomain.com).new user add
  4. Go to System > TLS (SSL) Certificates. You should now be able to re-issue the certificate.manage TLS (SSL)
  5. Afterwards you can delete the new email you added.

The entire process I’ve described here will take you 2-3 minutes. Much better than wasting hours trying to uninstall, reinstall, reconfigure, etc as suggested in the Mail-in-a-Box forums. If it doesn’t fix it, then move on to the more complicated “fixes” and hopefully one of them will work for you. They didn’t work for me. Personally I suspect it is a bug in Mail-in-a-Box but based on the forums I don’t think the developers agree.

Practice what you preach: HTTPS Everywhere!

I have long been a proponent of the Electronic Frontier Foundation’s HTTPS Everywhere campaign. Using HTTPS for all websites, whether you are exchanging personally identifiable information or not, simply makes sense.

I don’t say this out of some concern about Big Brother and the NSA watching me. I say it because the average, everyday user expects privacy.

When average Jane sits down at a coffee shop and uses the free WIFI she would get really upset if a stranger started looking over her shoulder and watching what she was doing and what websites she was accessing.

What she doesn’t realize is that I could sit in my car in the coffee shop parking lot and use a free program like Wireshark to spy on everything she is doing without her ever knowing. That is, unless she is using encryption.

One of the best things users can do to protect themselves is use a VPN service. A VPN encrypts all of the traffic in and out of your computer. Some people use a VPN to connect remotely to their work intranet. Others use it to to protect their privacy or to anonymize their web browsing. But we are talking about average Jane here who has never even heard of this magical VPN thingy.

This is where HTTPS comes in. It doesn’t cost her anything and all internet browsers can do it right out of the box. Not only can it help prevent someone from snooping on her browsing, but it also ensures she is connected to the website that she thinks she is connected to.

For example, everyone has at some point typed a website URL incorrectly and ended up someplace else. If that someplace else is a malicious website attempting to pass as the legitimate site you can more easily identify it by looking at the site’s encryption certificate, or lack thereof.

So why don’t everyone’s websites support HTTPS? Because encryption certificates can be expensive. Fortunately, there is a great organization called the Internet Security Research Group. They have a free and open certificate authority service.

But wait, it gets even better! The Certbot from the Electronic Frontier Foundation makes it incredibly easy to enable HTTPS on your website and automatically provision (and renew) certificates from Let’s Encrypt.

Thanks to Let’s Encrypt and Certbot, I’ve now changed my website over to HTTPS. Now everyone else should too. Let’s Encrypt and Certbot make it so easy there really aren’t many excuses that can be made for not doing it.

For more information, check out:

Malware Analysis: Capstone Update 6 – Finished!

I probably could have kept working on this project for much longer, but like all good things it had to come to an end at some point.

I have learned so much, and as my adventure at Drake University comes to a close, I can’t wait to apply everything I’ve learned to the real world. Plus, I’ve found one more fun hobby. Don’t be surprised if you see the occasional malware analysis post every once in a while moving forward.

If you are interested in reading my final paper I am posting it here.

Mitigating x86 based Windows Cyber Incidents by way of Malware Reverse Engineering
(Full Paper)

Mitigating x86 based Windows Cyber Incidents by way of Malware Reverse Engineering
(Poster Presentation)

Christmas in Florida 2015

This slideshow requires JavaScript.