Monday, 8 August 2022

Wireless client configuration on Ubuntu

Wireless (WiFi) client configuration is a bit of a mess in Ubuntu 22.04. Basic PEAP information about the remote certificate is not communicated through the GUI, but can be found in syslog.

Useful wireless information can be found by running

journalctl -f -u NetworkManager -u wpa_supplicant

Details of the remote PEAP certificate will look like:

wpa_supplicant: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA' hash=4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161
wpa_supplicant: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1' hash=52274c57ce4dee3b49db7a7ff708c040f771898b3be88725a86fb4430182fe14
wpa_supplicant: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=AU/ST=Here/L=Town/O=Example Company/CN=wifi.example.com' hash=.....
wpa_supplicant: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:wifi.example.com
wpa_supplicant: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:wireless.example.com

Relevant details:

  • the name of the depth=2 certificate, "DigiCert Global Root CA" in this example. This is the CA certificate you need to select when configuring the wireless connection.
  • the CN of the depth=0 certificate, "wifi.example.com" in this example. This should be entered as the domain to verify.

This wifi network may be configured as:


The Domain is the CN from syslog with depth=0.

The path to the CA certificate is the directory where the well-known CA certificate files live, which on Ubuntu is /usr/share/ca-certificates/mozilla/
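The two lookups described above (which depth=2 root CA to select, and which depth=0 name to enter as the domain) can be done from the journalctl output directly. The following is an added example and not part of the original post: it parses CTRL-EVENT-EAP-PEER-CERT and CTRL-EVENT-EAP-PEER-ALT lines (the sample below is constructed from the lines shown above; the depth=0 hash is a placeholder), checks the server identity against the expected domain, and finds the file under /usr/share/ca-certificates/mozilla/ whose SHA-256 fingerprint matches the logged root hash.

```python
import base64
import hashlib
import re
from pathlib import Path

# Constructed sample in the shape journalctl shows for wpa_supplicant; the depth=0
# hash is a placeholder (the real one is site specific), the others are from the post.
SAMPLE_LOG = """\
wpa_supplicant: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA' hash=4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161
wpa_supplicant: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1' hash=52274c57ce4dee3b49db7a7ff708c040f771898b3be88725a86fb4430182fe14
wpa_supplicant: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=AU/ST=Here/L=Town/O=Example Company/CN=wifi.example.com' hash=0000000000000000000000000000000000000000000000000000000000000000
wpa_supplicant: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:wifi.example.com
wpa_supplicant: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:wireless.example.com
"""

CERT_RE = re.compile(r"CTRL-EVENT-EAP-PEER-CERT depth=(\d+) subject='([^']*)' hash=([0-9a-f]{64})")
ALT_RE = re.compile(r"CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:(\S+)")

def parse_peer_chain(log_text):
    """Return ({depth: (subject, hash)}, [DNS SANs of the depth=0 cert]) from the log lines."""
    certs, sans = {}, []
    for line in log_text.splitlines():
        m = CERT_RE.search(line)
        if m:
            certs[int(m.group(1))] = (m.group(2), m.group(3))
        elif (m := ALT_RE.search(line)):
            sans.append(m.group(1))
    return certs, sans

def common_name(subject):
    """Pull the CN out of an OpenSSL-style '/C=../O=../CN=..' subject string."""
    parts = dict(p.split("=", 1) for p in subject.strip("/").split("/") if "=" in p)
    return parts.get("CN")

def identity_ok(certs, sans, domain):
    """True if the server identity (depth=0 CN or a DNS SAN) is the domain we expect."""
    leaf_cn = common_name(certs[0][0]) if 0 in certs else None
    return domain == leaf_cn or domain in sans

def der_sha256(pem_text):
    """SHA-256 over the DER body of one PEM certificate, the value wpa_supplicant logs as hash=."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def find_ca_file(cert_hash, ca_dir="/usr/share/ca-certificates/mozilla"):
    """Name of the installed CA file whose fingerprint equals the logged depth=2 hash, or None."""
    files = sorted(Path(ca_dir).glob("*.crt")) if Path(ca_dir).is_dir() else []
    return next((p.name for p in files if der_sha256(p.read_text()) == cert_hash), None)
```

Feed it the real output of the journalctl command above and find_ca_file() names the certificate file to pick in the dialogue; if it returns None the root the provider uses is not in the Mozilla bundle at all.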

What is frustrating is that the WiFi provider doesn't always publish the CA they have used, which means you have to look in syslog (as described above) to find it. If the WiFi provider changes the CA in the future, WiFi will break until you update the configuration with the new CA being used. The current configuration dialogue forces you to use CA pinning, which is considered bad practice.

What I would like to see in the GUI configuration is the option to automatically accept any certificate with a CN matching the given domain which is signed by any well-known CA, similar to how https currently works.

Sunday, 3 July 2022

Sieve configuration with postfix and dovecot on Ubuntu 20.04

With an existing Postfix and Dovecot configuration on an Ubuntu 20.04 server, I required the following changes to get server-based sieve mail filtering to work:

Install dovecot-sieve

To install the dovecot sieve plugin run

apt install dovecot-sieve

Change the mailbox transport to lmtp

Edit /etc/postfix/main.cf to set the line

mailbox_transport = lmtp:unix:private/dovecot-lmtp

If dovecot is configured to use local usernames (without @domain on the end), you also need to edit /etc/dovecot/conf.d/10-auth.conf to add this line:

auth_username_format = %Ln

This means that for the username dovecot will use the lowercase part to the left of the "@".

Restart daemons

Restart postfix and dovecot so they use the new config, and then check their status:

systemctl restart postfix dovecot
systemctl status postfix dovecot

Enable the sieve plugin in dovecot

Add this section to /etc/dovecot/conf.d/20-lmtp.conf:

protocol lmtp {
    mail_plugins = $mail_plugins sieve
}

Configure a user's sieve filters

The default location for a user's sieve filters is configured in /etc/dovecot/conf.d/90-sieve.conf as follows:

plugin {
    sieve = file:~/sieve;active=~/.dovecot.sieve
}

So, as yourself (not root) run:

cd
mkdir sieve
touch sieve/default.sieve
ln -s sieve/default.sieve .dovecot.sieve

Then edit ~/sieve/default.sieve with your sieve configuration, for example:

require ["fileinto"];
if header :contains "Subject" "test" {
    fileinto "Test";
}

For full details about sieve filters see RFC 5228, Sieve: An Email Filtering Language.

Test

Send yourself an email with "test" (lowercase) in the subject. It should end up in the Test mail folder.

If the test mail isn't filtered check ~/.dovecot.sieve.log and /var/log/mail.log for problems.