Grade A SSL report

It’s important that we setup ssl/tls encryption properly, and like most good students achieve an “A” grade.

The test can be done for instance at

All you have to do is to enter your site name, then wait until several tests and checks are performed. Provided that you have nginx, try the following ssl/tls options:

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;





xMatters Atlassian DevOps Maturity SURVEY REPORT 2017

Link to the pdf:



Sidenotes for a mail migration

I’ve decided to migrate my emails to another host. It includes a postfix sandwich config with a spam filter in the middle. By the way, I use dovecot as the virtual transport to let my emails sorted to different folder, including spam to the Junk folder.

So far so good (even though there was hell of a troubleshooting why the spam filter became terribly slow. It’s fixed by now, anyway). Then I tested with some emails, and found that I got a mail loops back for my@email. Wtf?

The culprit was the already existing Delivered-To: header in the emails. So I’ve fixed like

dovecot unix – n n – – pipe
flags=Rhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient} -e

and it started to work propely.

However, I just couldn’t let it go that it was working properly with DRhu flags.

Then I’ve fixed the email, and removed any additional header that was added by either the local postfix or the content filter, and reverted the flags to DRhu, and it worked!

dovecot unix – n n – – pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient} -e

The moral of the story: test with new emails. Or at least remove any locally added headers 🙂


Mariadb tuning guide

MariaDB Performance Tuning and Optimization from MariaDB Corporation

Docker vs. systemd

I’ve decided to setup a few docker hosts. I needed to access them remotely, so I deployed the necessary CA and server keys and certs (see for more). So far, so good.

I knew that docker should have been instructed to use these files, also to listen on So I edited /etc/default/docker (on Ubuntu Bionic), restarted the docker daemon, and nothing happened.

I rushed to the docker site to figure out what da heck, and end up at  telling me that unfortunately it wouldn’t work with systemd, you must use /etc/docker/daemon.json.

I’ve created the file:

“hosts”: [“”],
“tlsverify”: true,
“tlscacert”: “/etc/docker/ca.pem”,
“tlscert”: “/etc/docker/server-cert.pem”,
“tlskey”: “/etc/docker/server-key.pem”


then restarted docker, and still nothing. The -H fd:// option in /lib/systemd/system/docker.service file caused trouble preventing docker to listen on

ExecStart=/usr/bin/dockerd -H fd://

Fear not, the fix is to remove -H fd:// as follows:


Then run systemctl daemon-reload && systemctl restart docker, and you should be able to connect to docker on the remote host.


Disable udp ports for Jenkins

I’ve noticed that Jenkins has an unpleasant habit to listen on two UDP ports (5353 and 33848) on all interfaces even if it was told to listen on

These ports are for UDP multicast broadcast. You may not need either of them, and you can disable them by adding the following options:

-Dhudson.DNSMultiCast.disabled=true -Dhudson.udp=-1


java -Dhudson.DNSMultiCast.disabled=true -Dhudson.udp=-1 -jar jenkins.war –httpListenAddress= –httpPort=8080 –daemon –logfile=/home/jenkins/jenkins.log

See the Jenkins docs for more