Category Archives: Platforms

Pitivi timeline end is in the wrong place. How to move the end of the timeline?

Once again the Internet has failed me. I was using the Pitivi non-linear video editor, and discovered my three minute video had the end of the timeline (where the video ends) at over ten minutes. This would triple the render time: unacceptable, time is money.

You can reach the start/end of the timeline by pressing the Go To Start and Go To End buttons on the video player thing. I spent quite some time trying to find how to alter the timeline end.

Turns out there’s no way to move or adjust the end of the timeline. However if you close the project and reopen it, Pitivi correctly detects where the last clip ends and makes that the end of the video. Render time reduced.

New used laptop

I just realised it’s the new year, and I should push out some posts that I wrote last year but never got around to finishing.

I’m rarely in a rush to upgrade my laptop – the old one is a secondhand Thinkpad T430 which I got in 2018 – that model was first released in 2012.

It’s been good, and I was reluctant to invest the $1000+ for a new one, so I thought I’d try another secondhand one: an ex-government T480s for $499. i5-8350U CPU (1.7 GHz), 12 Gb RAM, 256 Gb SSD.

This is a big upgrade for me – from what was then 7-year-old tech to 4-year-old tech. The T480s was first released in 2019. It got good reviews at the time.

Comparing the CPUs in CPUBenchmark.net’s ratings, the old scored 2639, the new 6265, or 2.37 times faster. Up against that is a shift from Windows 10 to Windows 11… which at first glance seems to have more cruft in it, but runs mostly okay… except Chrome, which is a little slow to get going.

(For comparison the new-used desktop that I recently got given has an i5-4670K CPU that scores 5557, but it’s got a much better GPU.)

Laptop setup:

  • It came with Windows 11. I did a reset on that to get rid of anything funky.
  • It also came set up to automatically logon as “User” – after creating my own standard and admin users, turning off the auto logon seemed quite tricky, and I ended up using the SysInternals Autologon tool, which once found was quick and easy.
  • Find the Lenovo site and check for driver upgrades. For some reason the Lenovo tool for checking for updates is quite finicky, and needs to be run as an Admin user. Updates included a BIOS upgrade.
  • Swap Ctrl-Fn in the BIOS – I just can’t get used to Ctrl being anywhere but the bottom left corner, as on every other keyboard I use.
  • Turn off Touchpad taps. I’m terrible for false clicks on this, though this one seems less prone to it than the T430.

Other than these last two dot points, the keyboard seems good, as Thinkpads generally are.

The proper touchpad buttons are at the top; on the T430 they were at the bottom. This may take a bit of getting used to.

But overall I like this new machine. Heaps lighter and thinner, faster, better screen.

(I also recently got a new used desktop machine, courtesy of a friend who was upgrading. It’s a beefy beast, but uses Win10, and can’t be upgraded to 11. No matter, at least for now. 2023 seems to have been the year of new PCs for me.)

iPhone – directions in Google/Apple Maps not being announced

I was trying to figure out why my iPhone driving directions weren’t being announced – in both Google Maps and Apple Maps.

All the relevant options seemed to be on – within the apps and in Settings.

As is sometimes the case, the typical internet help articles weren’t any help at all. They made various suggestions for settings I’d already found, along with restarts, reinstalls, and factory resets which I didn’t fancy doing as I had no confidence they’d help.

It took finding this Apple Community discussion to solve it. Bluetooth was the problem.

The phone was sending the audio via Bluetooth, but unless the car was on the BT Audio setting, it wouldn’t hear it and repeat it. I do use Bluetooth occasionally in the car for podcasts, but usually it’s on the radio.

The Apple Community discussion mentioned a setting for audio output. I haven’t actually found that yet, but turning off Bluetooth on the phone works just as well.

EDIT: I’ve also found that Google Maps on iPhone won’t announce directions when the screen is turned off to conserve battery. Apple Maps will continue to announce directions. Apparently Google Maps on Android will do it.

On a Zoom/Teams call? Turn off your sounds

I think a few people need to know this:

If your computer is set up with audible alerts for email and other events, unless you’re on mute, sounds will blast out for everybody else on a group Zoom or Teams call with you.

This will block out your voice (and anybody else’s) and is very jarring.

The easiest way to avoid this is to turn off these system sounds.

Windows:

  • Search for “Change System Sounds” – or go via Control Panel to Sounds
  • Select the Sound Scheme: “No Sounds”

I’m not a Mac OSX user, but it looks like the option is in System Preferences / Sounds – you need to turn “Play user interface sound effects” off.

These settings will let media and audio calls play as normal, but otherwise the computer should shut up when a calendar reminder pops up, or an email or Slack message arrives.

Upgrading Win7 to Win10 with a non-standard Profiles location

Windows 7 has come out of mainstream support, so it’s definitely time to upgrade.

I’d held off because I like Windows Media Center, which isn’t available on Win10, though there is an unofficial method. More about that later.

The machine in question is an old Mac Pro 2008 that I got some years ago.

Apparently some Macs this old have problems with Boot Camp not allowing versions of Windows later than 7. This didn’t affect me (and others have had no issues), but it can be worked around by changing the Boot Camp config file.

From there it should have been like any other Windows 7 machine – use the Windows 10 Media Creation Tool and choose “Upgrade this computer”. (Despite the free upgrade offer having finished years ago, just about everyone finds this still works and the resultant upgrade is fully licenced – assuming the old version of Windows had a proper licence.)

But there was a hiccup. It failed midway through with an error:

0x80070011 – 0x2000D
The installation failed in the SAFE_OS phase with an error during MIGRATE_DATA operation

If you Google around, you’ll find lots of generic advice on forums suggesting to scan your drives, turn off your virus scanner, even try it again in Safe Mode (which doesn’t work – you can’t start an upgrade in Safe Mode).

Only this tip seemed relevant to me:

0x80070011 indicates that the system was trying to move data to another disk drive

0x2000D indicates that there was a problem during the data migration.

It would seem that you have data on another disk drive that the system is trying to migrate and it fails. With your current Win 7 have you moved data about and changed the location of system folders such as programs, users, etc. If so, you should try and get everything back to default locations and try the upgrade again.

Thank you to that person who actually looked into what the error means!

This rang alarm bells for me because some years ago I moved Windows to an SSD (drive C) and put the user directories onto drive D, using SYSPREP so Windows would figure out what was meant to be where.

It seemed like a good idea at the time, but I now realise Microsoft warns this is not supported for Windows upgrades. Damn.

In my case, the SSD is too small to hold all the users’ documents/photos/videos, but should be okay with most other files.

How to fix it

I’ve worked through this (it took several attempts).

Here is my solution, assuming that like me, your user and ProgramData directories are on D: drive and Windows needs to be convinced they’re on C: drive:

  1. If you’re short of disk space, you might want to clean up each user’s D:\users\USERNAME\AppData\Local\Temp directory – eg delete everything older than today. (Be warned, this could cause some minor issues with some applications, so if in doubt, don’t delete.)
  2. Disk Cleanup to remove all the unused temp files and empty all the Recycle Bins and free up any other possible space on C:
  3. Copy all the D:\users\USERNAME directories (except the ones that are likely to be big, and can still be located on D: drive: Documents, Pictures, Videos, Music, Downloads) to c:\users
  4. The tricky bit: we need empty Pictures, Videos, Music, Downloads directories, as these don’t get created automatically once the user profile is moved in step 5. I found it was easiest to start copying these one by one, but cancel, then remove all the files in the c: copy, so each was empty – for step 7. We’re using Copy instead of just creating them new to hopefully avoid any permissions problems.
  5. Edit the Registry: Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList change each user’s ProfileImagePath to the new drive
  6. Log on as each user and check everything looks okay. If it refuses to log you in, you know something’s gone wrong with the C: drive directories or their permissions.
  7. As each user, open Windows Explorer or the Start Menu and browse to My Documents, Pictures, Videos, Music, Downloads, for each of these go into Properties and Move the location back to D:\Users\USERNAME\Whatever. When asked if you want to move files, choose No (since at step 3 you didn’t copy them). (You can do this after upgrading to Win10 if you prefer)
  8. You can then delete the directories you DID copy in step 3 from d:\users\USERNAME – since these are no longer used
  9. Also the ProgramData directory needs to be on C: if it isn’t already. There’s probably no need to copy it back, as applications should re-create what they need. Check the ProgramData value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList in the Registry and, if required, change it to point to C: drive or %SystemDrive%
  10. Verify Win7 is still working okay for each user, then do another Disk Cleanup to clear out the Recycle Bins again. (Clearing old Windows Update files is also possible, but takes ages.)

After all that I found it was okay to go install the Win10 upgrade.

After the upgrade, Public Documents/Pictures/Videos also didn’t show up by default for the users, but these can be added by browsing to the old D:\Users\Public directory and right-clicking each one and choosing Pin To Quick Access.

Other stuff

  • To my surprise, Microsoft Security Essentials wasn’t removed by the Win10 upgrade, at least not the time it worked. The normal MSE uninstall is buggy – you have to jump through some hoops. Running its SETUP.EXE worked for me, but note you have to set the compatibility for ALL users if your normal user is not an Administrator.
  • I briefly tried the claimed method of installing Windows Media Center, which didn’t work for me. I tried Kodi, which needs NextPVR to watch and record broadcast TV… then I discovered that NextPVR can do that on its own – so I removed Kodi again, since I don’t need it!
  • NextPVR did need the LAV decoders, but other than that, it seems to have worked fine with my old EyeTV Diversity USB tuner.

Good luck!

New used laptop: Thinkpad T430

I meant to post this ages ago: in early 2018 I got my first Thinkpad – an old T430. Very nice.

I had been looking for my first Thinkpad; an upgrade off a slow Lenovo (non-Thinkpad) laptop, and I thought I might splash out on a new one.

But then I discovered my sister had an ex-work T430 she didn’t want. Sold it to me for what she got it for: AUD $100.

Specs: i5-3320M (2.6 GHz), 4 Gb RAM, 1600 x 900 display, SSD. With a dock (that I’m not sure I’ll ever use)

Some scuffing on the case, but overall it’s in very nice condition. Not sure how old it is, but this model was first sold in 2012.

And I found I could still upgrade it from Win7 to Win10 for free, using the Media Creation Tool.

I added another 4 Gb of RAM.

The keyboard is lovely, but I never did get used to the Fn/Ctrl key locations being backwards from most layouts, so I ended up swapping them in the BIOS.

Problems

One oddity after upgrading to Win10: Microsoft Edge was extremely slow to respond to clicks. The solution was a clean Win10 install – via the “reset your PC” feature.

I also found that under Win10, the trackpad would sometimes freeze up for a few seconds, particularly after two-finger scrolling:

  • This turns out to be an issue with the Lenovo trackpad “palm check” feature. Set this to the minimum setting (or turn it off) and it seems to go away. The same problem occurs for some other Lenovo laptops.
  • This can also occur if Trackpad Tapping is disabled – I’d prefer it was disabled to avoid false positive clicks when I’m just trying to move the pointer, but oh well.

Modding

More reading for myself when I get the chance: Modding guide

But I hope this old laptop will keep me going for a while for my on-the-go computing needs.

Windows Update on Windows 7 repeatedly installs KB4103718

Surely I can’t be the only one with this problem?

For the past few days, Windows 7 Update has been repeatedly installing 4103718, the May 2018 rollup of security updates.

(Before you ask: I still run Windows 7 on one machine because I like Windows Media Center, which isn’t available on Windows 10.)

Every time, it thinks the patch is successful, but then wants to do it again. And again. And again.

I tried the Fix Windows Errors web page, which included the Windows Update Troubleshooter. It didn’t seem to help.

This article describes what to do: go to the list of available updates, right click, Hide Update.

This didn’t fix it alone. Checking for updates again, 4103718 popped up again in the guise of the April 2018 rollup.

Once I hid that version as well, it seemed to stop wanting to reinstall it.

4103718 has other problems, including in some cases disabling network connections. Hopefully they fix this one soon.

Securely run a low memory/low CPU Minecraft server

If you’ve got next to no memory and CPU available to run a Minecraft server, don’t fret. Cuberite is what you’re after. At the moment, Cuberite isn’t bug-free, nor indistinguishable from a genuine Minecraft server, but it’s quite usable – and instead of needing 4GB+ of RAM, it needs less than 300MB. And it needs next to no processing power: some people run Cuberite on their Raspberry Pi and have plenty of CPU available.

I would at this point go on about how this is a significant point of difference between C++ and Java, but Java optimizes for something different to C++.  I got into an interesting discussion with Cathy about this after reading a question someone had about what Java was trying to be good at. I used to think that VB was the new COBOL, but clearly Java is the new COBOL; those Java programs are going nowhere, they’re verbose and easy to understand and maintain.

A point to note: the Minecraft protocols are bandwidth heavy. I found that if I wanted to run a server at home I’d be able to have one, perhaps two players. Such is the Internet in Australia. Instead I’ve dropped this onto a free AWS VPS instance and bandwidth is no problem.

Still, it’s a random piece of software off the Internet, so we’re going to give it its own user account for our own safety. Let’s install the software:

curl -sSfL https://download.cuberite.org | sh
sudo mv Server /usr/local/cuberite
cd /usr/local/cuberite

Cuberite allows configuration through a web interface. We now edit webadmin.ini to enable it:

[User:admin]
; Please restart Cuberite to apply changes made in this file!
Password=yourstrongpassword
[WebAdmin]
Ports=8080
Enabled=1

Port 8080 is the alternative HTTP port. You could cd into webadmin and run GenerateSelfSignedHTTPSCertUsingOpenssl.sh to get HTTPS serving, but your browser will barf on the self-signed certificate. Instead, let’s use a LetsEncrypt certificate, one that we installed earlier. First we create a dedicated user and our one-line shell script for running the daemon:

sudo useradd -c "Cuberite server" -f -1 -M -r cuberite
sudo chown -R cuberite:"$(whoami)" /usr/local/cuberite/
sudo nano /etc/init.d/cuberite.sh

#!/bin/sh
### BEGIN INIT INFO
# Provides: cuberite
# Required-Start: $local_fs $network
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: cuberite
# Description: Cuberite server, a Minecraft server lookalike
### END INIT INFO
cd /usr/local/cuberite
sudo -u cuberite /usr/local/cuberite/Cuberite -d &

Next we set it going when the box starts up:

sudo chmod +x /etc/init.d/cuberite.sh
sudo update-rc.d cuberite.sh defaults

Before we can go to the website we need to allow user cuberite to get to the certificates:

sudo groupadd privkey_users
sudo usermod -aG privkey_users cuberite
sudo chmod g+rx /etc/letsencrypt/live/
sudo chmod g+rx /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/cert1.pem
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/chain1.pem
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/privkey1.pem
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/fullchain1.pem
sudo chown root:privkey_users /etc/letsencrypt/live/
sudo chown root:privkey_users /etc/letsencrypt/live/example.com/
sudo -u cuberite ln -s /etc/letsencrypt/live/example.com/cert.pem /usr/local/cuberite/webadmin/httpscert.crt
sudo -u cuberite ln -s /etc/letsencrypt/live/example.com/privkey.pem /usr/local/cuberite/webadmin/httpskey.pem

Changing these permissions doesn’t affect apache2’s ability to get them.
The reason we’ve used a group here is to allow both Cuberite and any other app (for example, exim) to access the private keys; just add any other user that needs to use the private keys to the privkey_users group.

Remember to punch a firewall hole for port 8080. Fire up Cuberite now:

sudo service cuberite restart

And check if that worked, there should be about one entry:

ps aux | grep cuberit

If not, you can check in the logs directory to see what’s wrong.

So now:

sudo lsof -i :8080

should show Cuberite listening on the port, and

https://example.com:8080/

should be secure. Note the https:// is mandatory, as your browser will use http if you fail to specify a protocol.

Windows WannaCrypt attack

This is interesting, and perhaps not unexpected: a vulnerability in Windows SMB 1 (used for shared drives) which was patched by Microsoft in March April, has been exploited.

It’s hit unpatched computers in numerous countries – most infamously, the UK’s National Health Service.

Despite what some Australian media is reporting, this tracker shows we are not immune — though it may be a reduced impact for now thanks to the weekend. Could be a different story on Monday.

For now it appears to have stopped thanks to someone finding a “kill switch”, but no doubt it or another version will hit again.

The lesson here for any of your computers that are connected to a network:

Patch them. Keep them up to date — preferably set them to automatically install patches.

If you’re using XP or older, Microsoft has just issued a patch, which you can get here.

You can also disable SMB 1 — note there are server and client portions, and that later versions of Windows make this a lot easier than earlier ones.

If you’re using Vista or older, find out about getting an upgrade. Vista patches stopped being issued earlier this year. You’ll be safe from this specific attack if you’re patched, but maybe not the next one. (Windows 7 keeps going until 2020.)

My assumption is that home users who use a broadband modem of some kind may not be at immediate risk this time from outside attack, since the modem can function as a basic firewall, but accidentally running an infected file from an email or web site could bring it in.

This attack has been serious, and other future ones will be too. So stay up to date, and stay safe.

  • Blatant plug: If you’re in southeast Melbourne and have no idea how to fix your computer, my brother-in-law runs this company that may be able to help: Bayside PC Services
  • In this blog post, Microsoft basically tells governments that they shouldn’t keep discovered vulnerabilities secret and exploit them for themselves (as the NSA did in this case, until that information was stolen) — that they should instead tell vendors so they can be fixed quickly. Difficult to argue with that.
  • Update May 2021: This new article notes that it is still a threat

Making a captcha daemon for spamgourmet installations

For those of you following along at home, this is part of a cookbook style instruction set for getting spamgourmet going, but because of screwed up permission logic I can’t post this section there.

The captcha is for validating humanity when creating spamgourmet accounts. We’re going to limit what parts of the OS it can tromp over:

sudo useradd -c "captcha server for spamgourmet" -f -1 -M -r captcha
sudo /bin/mkdir -p /var/www-spamgourmet/captchasrv/
sudo chown -R captcha /usr/local/lib/spamgourmet/captchasrv/
sudo chown -R captcha /var/www-spamgourmet/captcha

Now we make our one-line shell script for running the daemon:

sudo nano /etc/init.d/captcha.sh

#!/bin/sh
### BEGIN INIT INFO
# Provides:          captchasrv
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: captchasrv
# Description:       captcha daemon for spamgourmet
### END INIT INFO
sudo -u captcha perl /usr/local/lib/spamgourmet/captchasrv/captchasrv.pl &

Next we get it going:

sudo chmod +x /etc/init.d/captcha.sh
sudo update-rc.d captcha.sh defaults

And check if that worked, there should be about four entries:

ps aux | grep captc

Now the captcha server will start whenever the computer starts.

Installing a secure Apache webserver to run Perl

So, you want to run Perl on the web, because it’s the 90s all over again. You want HTTPS, because… no, there’s no because. You want HTTPS. Who wouldn’t? Here’s what you do on a Debian Linux such as Ubuntu:

sudo apt-get install apache2 libapache2-mod-perl2

mod_perl is an Apache module that allows Perl programs to be executed from Apache.

Our goal is to get /var/www/html/index.pl running at http://www.example.com/index.pl:

#!/usr/bin/perl
# A CGI script must send a header block before the body, or Apache reports a malformed header
print "Content-type: text/plain\r\n\r\n";
print "Hello World\n";

Disable the default Apache virtual host:

sudo a2dissite 000-default.conf

Create /etc/apache2/sites-available/example.com.conf with your text editor, replacing example.com with your own domain name both in the file’s contents and in its name:

<VirtualHost *:80>
     ServerName example.com
     ServerAlias www.example.com
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
     <Directory /var/www/>
              Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
              AllowOverride None
              AddHandler cgi-script .pl
              Require all granted
     </Directory>
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
     ServerName example.com
     ServerAlias www.example.com
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
     <Directory /var/www/>
              Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
              AllowOverride None
              AddHandler cgi-script .pl
              Require all granted
     </Directory>
</VirtualHost>
</IfModule>

If you have multiple sites, you’ll want to do things with DocumentRoot to isolate them from each other. But that’s for another post.

You might add in DirectoryIndex /index.pl to make http://www.example.com/ execute your program.

The Directory section above allows you to isolate executable code from served code, which is good practice. For this example we’re dumping the executable in with everything else, which is questionable.

Repeat this process for any other domains you host.

sudo a2ensite example.com.conf
sudo service apache2 restart

(a2ensite creates the symlink in /etc/apache2/sites-enabled itself, so there is no need to ln it by hand.)

Punch holes in your firewall for ports 80 and 443.  Navigate to http://www.example.com/index.pl to check all is okay. You ought to see Hello World displayed for your website.

Having security used to be a pain. SSL certificates signed by a recognised CA cost money, and then you’d have to keep them up to date, and there wasn’t process automation, so you’d do all that stuff by hand. LetsEncrypt addresses all these problems, handing out free certificates and scripting everything.

Now it’s time for the S part of HTTPS:

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
sudo certbot --apache

Check that renewal works:

sudo certbot renew

If that works, we’ll automatically renew our 90-day certificates every month:

echo '@monthly root /usr/bin/certbot renew >> /var/log/letsencrypt/letsencrypt-auto-update.log' | sudo tee --append /etc/crontab

Done.  You’ll never have to worry about certificates again. Now alter your Apache sites-available file (look in /etc/apache2/sites-available/) to include the (optional) redirect HTTP to HTTPS and the mandatory location of the SSL certificates:

<VirtualHost *:80>
....
# Only allow HTTPS
RewriteEngine on
RewriteCond %{SERVER_NAME} = example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
...
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Now make the secure version live, and in the process the insecure one… shy? When a request is made for a http page, like http://example.com/index.html, the response will be “Here’s https://example.com/index.html where what you asked for has moved to… forever!”:
sudo service apache2 restart
Now requesting http://www.example.com/index.pl ought to deliver you to https://www.example.com/index.pl
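Two points above deserve a check rather than a re-read: the "questionable" shortcut of granting ExecCGI on the served tree itself, and the mandatory certificate lines in the *:443 vhost. The shell script below is an added example, not code from the original post: it audits a sites-available file for both, reports a missing HTTP-to-HTTPS redirect as optional, and runs against two constructed configs, the post's as first written and a hardened variant that confines CGI to a ScriptAlias directory outside the document tree. The functions vhost_audit and vhost_audit_count are mine; the script assumes Debian's packaged default DocumentRoot of /var/www/html when a vhost sets none, and the /usr/lib/cgi-bin layout is a conventional Debian arrangement, not something the post describes.

```shell
#!/bin/sh
# Added example (not part of the original post): audit an Apache vhost file.
# Findings: +ExecCGI granted on a <Directory> that contains the DocumentRoot,
# a *:443 vhost with no SSLCertificateFile, and (optional) an *:80 vhost
# without an HTTPS redirect. POSIX sh + awk only.

# Constructed sample 1: the post's config as first written (no SSL lines yet,
# scripts executable straight out of the served tree).
WEAK_CONF='<VirtualHost *:80>
     ServerName example.com
     <Directory /var/www/>
              Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
              AddHandler cgi-script .pl
              Require all granted
     </Directory>
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
     ServerName example.com
     <Directory /var/www/>
              Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
              AddHandler cgi-script .pl
              Require all granted
     </Directory>
</VirtualHost>
</IfModule>'

# Constructed sample 2: a hardened layout. CGI is confined to a ScriptAlias
# directory outside the document tree, HTTP is redirected, the certificate is wired in.
HARDENED_CONF='<VirtualHost *:80>
     ServerName example.com
     RewriteEngine on
     RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
     ServerName example.com
     DocumentRoot /var/www/html
     ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
     <Directory /usr/lib/cgi-bin/>
              Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
              AddHandler cgi-script .pl
              Require all granted
     </Directory>
     <Directory /var/www/html/>
              Options -ExecCGI -Indexes
              Require all granted
     </Directory>
     SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
     Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>'

# Read a vhost file on stdin, print one finding per line. awk tracks the
# current <VirtualHost> and <Directory> so each finding names where it applies.
vhost_audit() {
    awk '
    /<VirtualHost/ {
        vh = $0; sub(/.*<VirtualHost[ \t]*/, "", vh); sub(/>.*/, "", vh)
        docroot = "/var/www/html"        # Debian default when DocumentRoot is unset
        has_cert = 0; has_redirect = 0; split("", execdirs)
    }
    /DocumentRoot/        { docroot = $2 }
    /<Directory/          { dir = $0; sub(/.*<Directory[ \t]*/, "", dir); sub(/>.*/, "", dir) }
    /[+]ExecCGI/ && dir != "" { execdirs[dir] = 1 }
    /<\/Directory>/       { dir = "" }
    /SSLCertificateFile/  { has_cert = 1 }
    /RewriteRule.*https:/ { has_redirect = 1 }
    /<\/VirtualHost>/ {
        for (d in execdirs)
            if (index(docroot, d) == 1)
                print "ExecCGI granted on " d " which contains DocumentRoot " docroot " in vhost " vh
        if (vh ~ /:443/ && !has_cert)    print "vhost " vh " has no SSLCertificateFile"
        if (vh ~ /:80/ && !has_redirect) print "vhost " vh " does not redirect to HTTPS (optional)"
    }'
}

# Number of findings, usable as a deploy-time gate.
vhost_audit_count() {
    vhost_audit | wc -l | tr -d ' '
}

# Usage: printf '%s\n' "$WEAK_CONF" | vhost_audit
#    or: vhost_audit < /etc/apache2/sites-available/example.com.conf
```

The weak sample yields four findings (ExecCGI on /var/www/ and the missing redirect for *:80, ExecCGI and the missing SSLCertificateFile for *:443); the hardened one yields none. Beyond the config, plain CGI also needs the cgi module enabled (a2enmod cgi) and the script itself executable (chmod +x index.pl), neither of which the config audit can see.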

Install exim4 STARTTLS using a free LetsEncrypt certificate

Here we are on a Debian Linux, such as Ubuntu, and we want to run a mail server. Exim4 is currently the most popular email server, but getting it up and working for free is a hassle – who wants to pay for a SSL certificate, on an ongoing basis? And then there’s the maintenance of the security of it – constant renewal, revocation and re-installation of the certificates.

  • Wherever you see example.com, swap in your Fully Qualified Domain Name. That may be mail.example.com
  • It’s assumed you’re not logged in as root, but as user ubuntu
  • Wherever you see 1.2.3.4, swap in your machine’s local IP address, from:

ifconfig | grep "inet addr" | grep -v "127.0.0.1"

Security is all handled automatically by LetsEncrypt’s certbot. I’ll let you look that one up yourself. Run it up and get your certificate for example.com

Once you’ve got that handled, punch a hole in your firewall so that port 25 can get through from the outside world to your machine. Be aware: the outside world is filled full of botnets trying to hack into your machine.  After installing exim, keep an eye on the logs in /var/log/exim4/ for a while.

Let’s install exim4:
sudo apt-get install exim4
sudo dpkg-reconfigure exim4-config

  • pick “Internet site”
  • system mail name is example.com
  • IP address is 1.2.3.4 (the one returned by ifconfig, not the externally accessible one)
  • Other destinations: example.com
  • No relays
  • No smarthost
  • No Dial-on-Demand
  • mbox format (or whatever)
  • Split the files
  • ubuntu for postmaster mail

Check we’re now running a mail server:

sudo netstat -napt

should show

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 1.2.3.4:25              0.0.0.0:*               LISTEN      25700/exim4

Now we have a mail server, the world needs to find it. Check your nameserver settings to ensure mail is destined for this machine. You probably want only one MX record.

Check the Internet can send mail to our server. After allowing for the appropriate propagation delay for your nameserver changes, use gmail or something to send an email to ubuntu@example.com – you should be able to read it by typing:

mail

Now it’s time to enable MTA-to-MTA link encryption for secure transport of mail, by enabling STARTTLS on exim4 using our LetsEncrypt certificate:

sudo nano /etc/exim4/conf.d/main/03_exim4-config_tlsoptions

Enable STARTTLS by adding/setting in the tlsoptions section:

MAIN_TLS_ENABLE = yes
MAIN_TLS_CERTKEY = no

before any of the IF shenanigans. Also add/replace pointers to the certificates:

tls_certificate = /etc/letsencrypt/live/example.com/fullchain.pem
tls_privatekey = /etc/letsencrypt/live/example.com/privkey.pem

The MAIN_TLS_CERTKEY = no entry fixes an exim4 log message:

2017-04-16 09:13:24 TLS error on connection from your.home.ip.com (IcePlanet) [5.6.7.8] (cert/key setup: cert=/etc/exim4/exim.crt key=/etc/exim4/exim.key): Error while reading file.

You will see this when testing with swaks:

$ swaks -a -tls -q HELO -s example.com -au test -ap '<>'
=== Trying example.com:25...
=== Connected to example.com.
<-  220 your.vps.host.com ESMTP Exim 4.86_2 Ubuntu Sun, 16 Apr 2017 09:13:24 +0000
 -> EHLO IcePlanet
<-  250-your.vps.host.com Hello your.home.ip.com [5.6.7.8]
 -> STARTTLS
<** 454 TLS currently unavailable
*** STARTTLS attempted but failed
 -> QUIT
<-  221 your.vps.host.com closing connection
=== Connection closed with remote host.
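When exim logs "cert/key setup ... Error while reading file", the useful part is the cert= and key= paths, because they tell you which files the Debian-exim user could not open. The following shell functions are an added example, not from the original post: they pull those failures out of mainlog text and list the distinct paths so each can be checked. The function names tls_setup_errors and tls_setup_paths are mine, and the sample log is constructed from the two messages quoted in this post (hosts, addresses and the message id are placeholders).

```shell
#!/bin/sh
# Added example (not part of the original post): pick the "cert/key setup"
# TLS failures out of exim4's mainlog and list the certificate and key paths
# exim was trying to read, so each can be checked as the Debian-exim user.
# POSIX sh, grep, sed, cut, tr and sort only.

# Constructed sample, modelled on the two log lines quoted in the post plus an
# ordinary message-received line that must be ignored (hosts, addresses and
# the message id are placeholders).
SAMPLE_LOG='2017-04-16 09:13:24 TLS error on connection from your.home.ip.com (IcePlanet) [5.6.7.8] (cert/key setup: cert=/etc/exim4/exim.crt key=/etc/exim4/exim.key): Error while reading file.
2017-04-16 09:14:01 1d0Abc-0001XY-Zz <= test@example.com H=your.home.ip.com [5.6.7.8] P=esmtp S=512
2008-06-03 08:27:35 TLS error on connection from me.at.home.com ([1.2.3.4]) [5.6.7.8] (cert/key setup: cert=/etc/ssl/certs/server.pem key=/etc/ssl/private/server.key): Error while reading file.'

# Reads log text on stdin; prints "timestamp|cert|key|reason" per failure.
tls_setup_errors() {
    grep 'TLS error on connection' | grep 'cert/key setup' |
    sed -n 's/^\([0-9-]* [0-9:]*\) .*cert=\([^ ]*\) key=\([^)]*\)): \(.*\)$/\1|\2|\3|\4/p'
}

# Distinct cert and key paths named in those failures, one per line.
tls_setup_paths() {
    tls_setup_errors | cut -d'|' -f2,3 | tr '|' '\n' | sort -u
}

# Usage against the real log:
#   tls_setup_paths < /var/log/exim4/mainlog
# then, for each path printed, confirm the service user can actually read it:
#   sudo -u Debian-exim test -r /path/printed && echo readable
```

On the sample this reports two failures and four distinct paths; a path that prints but fails the test -r check as Debian-exim is exactly the situation the group permissions further down are meant to fix.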

Allow exim (which runs as user Debian-exim) to get to the certificates:

sudo groupadd privkey_users
sudo usermod -aG privkey_users Debian-exim
sudo chmod g+rx /etc/letsencrypt/live/
sudo chmod g+rx /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/cert1.pem
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/chain1.pem
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/privkey1.pem
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/fullchain1.pem
sudo chown root:privkey_users /etc/letsencrypt/live/
sudo chown root:privkey_users /etc/letsencrypt/live/example.com/

Changing these permissions doesn’t affect apache2’s ability to get them.
The reason we’ve used a group here is to allow both exim and any other app (for example, a secondary service that wants to use 8080 to serve up a configuration page) to access the private keys; just add any other user that needs to use the private keys to the privkey_users group.

These permission changes prevent the following error message in your log file:
2008-06-03 08:27:35 TLS error on connection from me.at.home.com ([1.2.3.4]) [5.6.7.8] (cert/key setup: cert=/etc/ssl/certs/server.pem key=/etc/ssl/private/server.key): Error while reading file.
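The privkey_users recipe appears twice on this page, for Cuberite earlier and for exim here, and in both cases the chown/chmod sequence changes owners and directory modes but never the mode of privkey1.pem itself. Whether the group can then read the key depends on how certbot created it (recent releases create private keys 0600, older ones 0644). The script below is an added example, not code from the original post: it audits the archive/ keys for the state you actually want, group-readable, not world-readable, owned by the sharing group, and exercises itself on a constructed temporary tree. The functions key_mode_ok, key_group_ok, audit_privkeys and make_sample_tree are mine, and the script assumes GNU (or busybox) stat with -c.

```shell
#!/bin/sh
# Added example (not part of the original post): check that the group-based
# sharing of /etc/letsencrypt set up above came out as intended. A key passes
# when it is group-readable, has no "other" bits, and belongs to the expected
# group. POSIX sh plus stat -c; run as root on the real tree, or on the
# constructed sample tree below.

# One key file: returns 0 when the mode is g+r with no other bits (e.g. 0640).
key_mode_ok() {
    mode=$(printf '%04d' "$(stat -c '%a' "$1")")   # e.g. 640 -> 0640
    group=$(printf '%s' "$mode" | cut -c3)
    other=$(printf '%s' "$mode" | cut -c4)
    [ "$other" -eq 0 ] && [ "$group" -ge 4 ]         # 4 is the read bit
}

# One key file: returns 0 when its group is the one keys are shared through.
key_group_ok() {
    [ "$(stat -c '%G' "$1")" = "$2" ]
}

# Walk archive/*/privkey*.pem under $1 (live/ only holds symlinks to these),
# expecting group $2 (default privkey_users). Returns the number of bad keys.
audit_privkeys() {
    root=$1; want=${2:-privkey_users}; bad=0
    for key in "$root"/archive/*/privkey*.pem; do
        [ -f "$key" ] || continue
        if key_mode_ok "$key" && key_group_ok "$key" "$want"; then
            echo "ok   $key"
        else
            echo "BAD  $key $(stat -c '%a %U:%G' "$key") (want 0640 root:$want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample tree shaped like certbot's archive/ + live/ layout, with
# the key left world-readable as an older certbot would have created it.
# Prints the tree's path; it is not a real certificate store.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/archive/example.com" "$root/live/example.com"
    for f in cert1 chain1 fullchain1 privkey1; do
        : > "$root/archive/example.com/$f.pem"
    done
    chmod 644 "$root/archive/example.com/privkey1.pem"
    ln -s ../../archive/example.com/privkey1.pem "$root/live/example.com/privkey.pem"
    echo "$root"
}

# Usage on the real store (as root):
#   audit_privkeys /etc/letsencrypt
# Fix any BAD entry with:
#   chmod 640 /etc/letsencrypt/archive/example.com/privkey1.pem
#   chown root:privkey_users /etc/letsencrypt/archive/example.com/privkey1.pem
```

A key reported BAD because its mode is 0600 is the case the page's commands do not cover: the chown alone is not enough, and chmod 640 on the archive file is what lets members of privkey_users read it. A key reported BAD because its mode is 0644 is the opposite problem, readable by every local account, which the same chmod 640 also fixes.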

Restart the service and the TLS settings ought to be working:

sudo service exim4 restart

Test STARTTLS is working from another machine:

swaks -a -tls -q HELO -s example.com -au test -ap '<>'

There shouldn’t be any obvious complaining.

Done!