WRAP board IIC port
I'm trying to connect various ICs to the IIC port on a WRAP.1E board, without any success. The ICs are Dallas DS1621, DS1631 and DS1624. Here are the dmesg lines:

DS1621:
iic1: addr 0x48 22=0a 40=0a 41=0f 42=0a 43=0a 44=0a 45=0a 46=0a 47=0a 48=0c 49=10 4a=c4 4b=01 4c=0e 4d=00 4e=d6 4f=00 51=0f a1=0f a2=0a a8=0c a9=10 aa=c4 ac=8e ee=08

DS1631:
iic1: addr 0x48 22=0a 40=0a 41=0f 42=0a 43=0a 44=0a 45=0a 46=0a 47=0a 48=0c 49=10 4a=c4 4b=01 4c=0c 4d=00 4e=00 4f=00 51=0f a1=0f a2=0a a8=0c a9=10 aa=c4 ac=8c ee=08

DS1624:
iic1: addr 0x48 a2=da a3=eb a4=30 a5=6e a6=9f a7=72 a8=00 a9=31 aa=c9 ab=00 ac=0a ad=c7 ae=1f

Any idea ???

To use the LPC port on the WRAP.1E board as GPIO it is necessary to clear bits 14 and 16 at location 0x09030. Any idea how to do that ???

Leon Komlosi
Re: WRAP board IIC port
On 2007/06/30 10:46, Leon Komlosi wrote:
> I'm trying to connect various ICs to the IIC port on a WRAP.1E board,
> without any success. The ICs are Dallas DS1621, DS1631 and DS1624.

There's _some_ success since the devices are seen...

> Here are the dmesg lines:
>
> DS1624
> iic1: addr 0x48 a2=da a3=eb a4=30 a5=6e a6=9f a7=72 a8=00 a9=31 aa=c9 ab=00 ac=0a ad=c7 ae=1f

DS1624 should be supported by maxds(4). The rest of the dmesg would help: in particular, are you using GENERIC, or some custom kernel where you removed devices which you might actually want?
Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?
I have a server that runs OpenBSD 4.1, and a laptop running Windows. I want to use Thunderbird on the laptop to send mail via the server. The laptop connects from many different networks. I would like to use port 587, since some ISPs block port 25. I want to use my username/password to authenticate. I want to use TLS to protect the password.

I get the dreaded 'Relaying denied. Proper authentication needed.'

The relevant parts of the .mc file look like this:

dnl
dnl TLS/SSL support; uncomment and read starttls(8) to use.
dnl
define(`CERT_DIR', `/etc/ssl')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/CAcert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/sendmailcert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/private/sendmail.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/sendmailcert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/private/sendmail.pem')dnl
dnl SMTP AUTH
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`confAUTH_OPTIONS', `A p')dnl

Googling gives a lot of references to SASL. Do I really have to go down that road to do something as simple as this?

--
Fredrik Stax\ang | rot13: [EMAIL PROTECTED]
This is all you need to know about vi: ESC : q ! RET
Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?
On 2007/06/30 12:46, Fredrik Staxeng wrote:
> Googling gives a lot of references to SASL. Do I really have to go
> down that road to do something as simple as this?

for smtp auth, yes. but for a simple use like this, why not just ssh-tunnel instead?
Re: WRAP board IIC port
On Sat, Jun 30, 2007 at 10:46:55AM +0200, Leon Komlosi wrote:
> I'm trying to connect various ICs to the IIC port on a WRAP.1E board,
> without any success. The ICs are Dallas DS1621, DS1631 and DS1624.
> Here are the dmesg lines:
>
> DS1621:
> iic1: addr 0x48 22=0a 40=0a 41=0f 42=0a 43=0a 44=0a 45=0a 46=0a 47=0a 48=0c 49=10 4a=c4 4b=01 4c=0e 4d=00 4e=d6 4f=00 51=0f a1=0f a2=0a a8=0c a9=10 aa=c4 ac=8e ee=08
>
> DS1631:
> iic1: addr 0x48 22=0a 40=0a 41=0f 42=0a 43=0a 44=0a 45=0a 46=0a 47=0a 48=0c 49=10 4a=c4 4b=01 4c=0c 4d=00 4e=00 4f=00 51=0f a1=0f a2=0a a8=0c a9=10 aa=c4 ac=8c ee=08
>
> DS1624:
> iic1: addr 0x48 a2=da a3=eb a4=30 a5=6e a6=9f a7=72 a8=00 a9=31 aa=c9 ab=00 ac=0a ad=c7 ae=1f
>
> Any idea ???

well, some of these did work a while ago tho multiple commits to i2c_scan.c might break it. you can figure out how to fix i2c_scan.c or just try another chip (like lm).

> To use the LPC port on the WRAP.1E board as GPIO it is necessary to clear
> bits 14 and 16 at location 0x09030. Any idea how to do that ???
>
> Leon Komlosi

--
Alexander Yurchenko
spamd -M race condition
Hello list,

I've been bitten by a race condition in spamd. I've got a low-prio MX configured as an MX trap with spamd -M:

bzero.se.    900  IN  MX  10 mx.bzero.se.
bzero.se.    900  IN  MX  99 mxtrap.bzero.se.

In the log below, a re-attempt at delivery arrived before the grey entry got whitelisted in pf, but after the grey entry was deleted from the database. It was then falsely trapped and blacklisted for trying the low-prio MX first.

Apparently this has been fixed in -current, but not in -stable. Anyone out there using out-of-order MX trapping should probably update spamd. I've got a very low-traffic mail server, so I guess the chance of false positives is higher on higher-traffic servers. Are there any plans on also fixing this in -stable?

[EMAIL PROTECTED]:~$ grep 1.1.1.1 /var/log/spamd
Jun 29 14:39:00 bzero spamd[25406]: 1.1.1.1: connected (1/0)
Jun 29 14:39:11 bzero spamd[25406]: (GREY) 1.1.1.1: [EMAIL PROTECTED] - [EMAIL PROTECTED]
Jun 29 14:39:11 bzero spamd[25406]: 1.1.1.1: disconnected after 11 seconds.
Jun 29 14:39:11 bzero spamd[25406]: 1.1.1.1: connected (1/0)
Jun 29 14:39:22 bzero spamd[25406]: (GREY) 1.1.1.1: [EMAIL PROTECTED] - [EMAIL PROTECTED]
Jun 29 14:39:22 bzero spamd[25406]: 1.1.1.1: disconnected after 11 seconds.
Jun 29 16:25:02 bzero spamd[25406]: 1.1.1.1: connected (1/0)
Jun 29 16:25:13 bzero spamd[25406]: (GREY) 1.1.1.1: [EMAIL PROTECTED] - [EMAIL PROTECTED]
Jun 29 16:25:13 bzero spamd[25406]: 1.1.1.1: disconnected after 11 seconds.
Jun 29 16:25:13 bzero spamd[25406]: 1.1.1.1: connected (1/0)
Jun 29 16:25:22 bzero spamd[9752]: queueing deletion of 1.1.1.1 mail3.example.com [EMAIL PROTECTED] [EMAIL PROTECTED]
Jun 29 16:25:22 bzero spamd[9752]: queueing add of 1.1.1.1
Jun 29 16:25:22 bzero spamd[9752]: whitelisting 1.1.1.1 in /var/db/spamd
Jun 29 16:25:24 bzero spamd[25406]: (GREY) 1.1.1.1: [EMAIL PROTECTED] - [EMAIL PROTECTED]
Jun 29 16:25:24 bzero spamd[10127]: Trapping 1.1.1.1 for trying 83.168.236.120 first for tuple 1.1.1.1 mail3.example.com [EMAIL PROTECTED] [EMAIL PROTECTED]
Jun 29 16:25:24 bzero spamd[25406]: 1.1.1.1: disconnected after 11 seconds.
Jun 29 17:25:21 bzero spamd[25406]: 1.1.1.1: connected (2/1), lists: spamd-greytrap
Jun 29 17:28:54 bzero spamd[25406]: (BLACK) 1.1.1.1: [EMAIL PROTECTED] - [EMAIL PROTECTED]
Jun 29 17:30:37 bzero spamd[25406]: 1.1.1.1: Subject: Re: Kivik
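An added example, not part of the post and not code from spamd: a small Python scanner over spamd log lines that flags the signature of the race described above, an address that gets "Trapping" shortly after "whitelisting", so an operator following -stable can spot false trap entries before the legitimate sender is blacklisted for good. The log format is assumed to be the one shown in the post (syslog timestamp without a year, so a year is supplied); the sample log lines are constructed with documentation addresses, and the spamdb(8) cleanup commands it prints are suggestions to review, not something the script runs.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the spamd log quoted in the post: a grey
# entry is whitelisted at 16:25:22, but a retry that connected at 16:25:13
# is trapped at 16:25:24, before the pf whitelist took effect. Addresses and
# mail addresses are documentation placeholders, not real data.
SAMPLE_LOG = """\
Jun 29 16:25:13 bzero spamd[25406]: 192.0.2.10: connected (1/0)
Jun 29 16:25:22 bzero spamd[9752]: queueing deletion of 192.0.2.10 mail3.example.com sender@example.org rcpt@example.net
Jun 29 16:25:22 bzero spamd[9752]: queueing add of 192.0.2.10
Jun 29 16:25:22 bzero spamd[9752]: whitelisting 192.0.2.10 in /var/db/spamd
Jun 29 16:25:24 bzero spamd[25406]: (GREY) 192.0.2.10: sender@example.org -> rcpt@example.net
Jun 29 16:25:24 bzero spamd[10127]: Trapping 192.0.2.10 for trying 198.51.100.7 first for tuple 192.0.2.10 mail3.example.com sender@example.org rcpt@example.net
Jun 29 17:25:21 bzero spamd[25406]: 192.0.2.10: connected (2/1), lists: spamd-greytrap
Jun 29 18:00:00 bzero spamd[10127]: Trapping 203.0.113.5 for trying 198.51.100.7 first for tuple 203.0.113.5 relay.example.com a@example.org b@example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ spamd\[\d+\]: (?P<msg>.*)$")
WHITELIST_RE = re.compile(r"^whitelisting (?P<ip>[0-9.]+) in ")
TRAP_RE = re.compile(r"^Trapping (?P<ip>[0-9.]+) for trying ")


def parse_timestamp(ts, year):
    """syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_trap_races(log_text, window_seconds=60, year=2007):
    """Return [(ip, seconds_after_whitelisting, log_line)] for each address
    that spamd trapped within `window_seconds` of whitelisting it, which is
    the pattern of the race described in the post. Traps with no preceding
    whitelist entry for the same address are left alone."""
    last_whitelist = {}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = parse_timestamp(m.group("ts"), year)
        msg = m.group("msg")
        w = WHITELIST_RE.match(msg)
        if w:
            last_whitelist[w.group("ip")] = when
            continue
        t = TRAP_RE.match(msg)
        if t and t.group("ip") in last_whitelist:
            delta = (when - last_whitelist[t.group("ip")]).total_seconds()
            if 0 <= delta <= window_seconds:
                findings.append((t.group("ip"), delta, line))
    return findings


def cleanup_commands(findings):
    """spamdb(8) invocations that drop the falsely trapped entries again
    (-T selects trapped entries, -d deletes them); review before running."""
    return [f"spamdb -T -d {ip}" for ip, _, _ in findings]


if __name__ == "__main__":
    hits = find_trap_races(SAMPLE_LOG)
    for ip, delta, line in hits:
        print(f"{ip}: trapped {delta:.0f}s after whitelisting: {line}")
    for cmd in cleanup_commands(hits):
        print(cmd)
```

On a real system the input would be `/var/log/spamd` read in full; the window defaults to 60 seconds because in the post the whitelist and the trap are two seconds apart, while a genuine out-of-order sender is normally trapped long before it is ever whitelisted.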
Re: Setting up a virtual hosting machine w. SSH/SFTP accounts - pitfalls/experiences?
> > > In their homedir there is a `ln -s` to their /var/www/home/username
> > > webspace. That webspace is chowned username:www and chmodded 770 so
> > > httpd can access/write to their dir as well. Is that advisable /
> > > workable? Other ideas?
> >
> > You don't want the www user being able to write to your web space.
> > Think about it.
> >
> > DS
>
> Just did - blush
> Thanks for pointing that out. So that should be chmod 750.

You've raised an interesting point though. This is fine if all they want to do is serve static content. But it gets hairier if they want to run CGIs, and even hairier again if they want to run long-lived processes which handle multiple requests (such as Rails, or mod_php for PHP-intensive sites).

You don't want user 1's web applications to be able to access data in user 2's web application storage space. Apart from allowing a malicious user 1 to access or modify private data belonging to user 2, an unintentional security hole in any user's site could also expose all the other users' data. If users are writing or installing their own web apps, I can *guarantee* you'll end up with a Swiss cheese, so containment is critical.

If you can give each of your users a sysjail [or virtual machine], bound to its own IP address, then the problem goes away. Each user can simply run their own webserver inside their own file system space.

If the users only need to run one-shot CGIs, then you can use cgiwrap or suexec. But those can get very resource intensive, e.g. if every PHP page hit spawns a fresh PHP interpreter and loads in a zillion libraries. With some care you might be able to set up something with fastcgi, at least for serving PHP pages, but adding individual users' apps as different fastcgi processes running as their own UIDs will get awkward if you have to modify a central httpd.conf for each change they request.

If the users need to share a single outside IP address, then you can still run a separate webserver for each user, bound to a high port, running as their own UID. But then you need a proxy webserver in front to redirect incoming requests on port 80 to the correct port. Apache mod_proxy does this just fine, but there is some fiddling to do to ensure that the source IP address is still seen as the real outside address (check out mod_extract_forwarded), so that logs and access controls work properly.

Personally I think the proxy solution is a good one, as long as you're talking about hosting tens of sites, not tens of thousands, as it gives each user full control over their own web server's configuration (or indeed to run a completely different webserver). Remember that this will result in extra web server processes sitting around consuming RAM. There's also a race risk that when user 1 kills their webserver, user 2 could maliciously bind to user 1's port.

In some ways the best solution ultimately is to go with jails, or full VMs. In that case, when user 1 asks you to upgrade mod_fribble from version 0.99a to 1.73b, you can do this confidently (or even let them do it themselves) without any risk of accidentally breaking other users. Disk space is very cheap these days, although RAM and other virtualisation overhead is less so.

Regards,

Brian.
Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?
Stuart Henderson [EMAIL PROTECTED] writes:
> On 2007/06/30 12:46, Fredrik Staxeng wrote:
> > Googling gives a lot of references to SASL. Do I really have to go
> > down that road to do something as simple as this?
>
> for smtp auth, yes.

OK.

> but for a simple use like this, why not just ssh-tunnel instead?

Two answers:

a) Thunderbird does not support that natively, so that means more complex setup on the client side. (Especially since the client runs Windows).

b) I like using the standard way whenever that is adequate. All of the mail clients my mother might have heard of support port 587/tls/auth.

On 4.0 I used the postfix-sasl package. But you see, I am really impressed by OpenBSD's proudest boast: "Only two remote holes in the default install, in more than 10 years!". But that caveat, "in the default install", excludes the packages. And you only need one vulnerability to get exploited. So to get the full benefit of the excellent security work of the OpenBSD developers, I should not really have any code from packages in the network services, either directly (postfix) or indirectly (cyrus-sasl).

Unfortunately, the default install does not support imap, so I need at least one package anyway. I would like to avoid cyrus-sasl if possible though, since that is way more complexity than I need. I'll look through packages and try to find something that fits.

--
Fredrik Stax\ang | rot13: [EMAIL PROTECTED]
This is all you need to know about vi: ESC : q ! RET
Re: Intel xeon fails to boot with 4.1 release
On 6/29/07, Austin Hook [EMAIL PROTECTED] wrote:
> Trying to set up a fairly heavy duty web server I encountered boot
> problems with this fairly new machine using the release CD ROM.
>
> Using the -c command at the boot prompt I already see error messages,
> before it gives me the UKC ...
>
> UVM_PAGE_PHYSLOAD: unable to load physical memory segment
> 5 segments allocated, ignoring 0x7fa9a - 0x7fad0
> Increase VM_PHYSSEG_MAX
>
> and repeats this two more times for ranges like:
> 0x7fb1a - 0x7fb2c

I just committed a patch to 4.0-stable and 4.1-stable which may help.

CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?
On Sat, Jun 30, 2007, Fredrik Staxeng wrote:
> I get the dreaded 'Relaying denied. Proper authentication needed.'

You don't need AUTH, STARTTLS is sufficient. See cf/README:

Relaying
--------
SMTP STARTTLS can allow relaying for remote SMTP clients which have successfully authenticated themselves. If the verification of the cert failed (${verify} != OK), relaying is subject to the usual rules. Otherwise the DN of the issuer is looked up in the access map using the tag CERTISSUER. If the resulting value is RELAY, relaying is allowed. If it is SUBJECT, the DN of the cert subject is looked up next in the access map using the tag CERTSUBJECT. If the value is RELAY, relaying is allowed.
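As an added illustration of the README text above (not from Claus's post and not from the sendmail distribution), this is what the two lookups could look like as entries in the access map enabled by FEATURE(`access_db'). The DNs are made up; the +HH escaping of spaces in the DN follows the encoding cf/README describes for ${cert_issuer} and ${cert_subject}, so compare with the installed README before relying on it. The first entry only delegates to the subject check, so a certificate merely issued by the right CA is not enough; the second names the one client allowed to relay.

```text
# Issuer check: defer to the subject lookup instead of granting RELAY outright
CERTISSUER:/C=SE/O=Example+20AB/CN=Example+20Client+20CA        SUBJECT
# Subject check: only this client certificate may relay
CERTSUBJECT:/C=SE/O=Example+20AB/CN=laptop                      RELAY
```

Both lookups are only reached when ${verify} is OK, i.e. when the client certificate chains to something in confCACERT / confCACERT_PATH; a self-signed client certificate that the server does not trust never gets this far and falls back to the usual relaying rules.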
Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?
Claus Assmann [EMAIL PROTECTED] writes:
> On Sat, Jun 30, 2007, Fredrik Staxeng wrote:
> > I get the dreaded 'Relaying denied. Proper authentication needed.'
>
> You don't need AUTH, STARTTLS is sufficient. See cf/README:
>
> Relaying
> --------
> SMTP STARTTLS can allow relaying for remote SMTP clients which have
> successfully authenticated themselves. If the verification of the cert
> failed (${verify} != OK), relaying is subject to the usual rules.
> Otherwise the DN of the issuer is looked up in the access map using the
> tag CERTISSUER. If the resulting value is RELAY, relaying is allowed.
> If it is SUBJECT, the DN of the cert subject is looked up next in the
> access map using the tag CERTSUBJECT. If the value is RELAY, relaying
> is allowed.

Then I would need client certificates, wouldn't I?

--
Fredrik Stax\ang | rot13: [EMAIL PROTECTED]
This is all you need to know about vi: ESC : q ! RET
Re: Setting up a virtual hosting machine w. SSH/SFTP accounts - pitfalls/experiences?
Brian Candler wrote:
> > > > In their homedir there is a `ln -s` to their /var/www/home/username
> > > > webspace. That webspace is chowned username:www and chmodded 770 so
> > > > httpd can access/write to their dir as well. Is that advisable /
> > > > workable? Other ideas?
> > >
> > > You don't want the www user being able to write to your web space.
> > > Think about it.
> > >
> > > DS
> >
> > Just did - blush
> > Thanks for pointing that out. So that should be chmod 750.
>
> You've raised an interesting point though. This is fine if all they want
> to do is serve static content. But it gets hairier if they want to run
> CGIs, and even hairier again if they want to run long-lived processes
> which handle multiple requests (such as Rails, or mod_php for
> PHP-intensive sites)
>
> You don't want user 1's web applications to be able to access data in
> user 2's web application storage space.

I will only be using mod_php. In the past, without the user shell accounts, this has worked rather well for me in combination with the open_base_dir directive in the VirtualHost. This binds PHP's abilities to the specified directory (or directories) for that specific virtual host.

Am I overlooking something with that setup? I get the impression from your reply this might be rather unsafe?

Thanks,
Matt
Config problem of Intel 915GM
Hello!

When I exit from X, I get the following warning message:

I810: No matching Device section for instance (BusID PCI:0:2:1) found

I tried to edit the BusID PCI:0:2:0 to BUSID PCI:02:0 in the Device section of xorg.conf, but then X can't start. What is the problem and how do I fix it?

thanks!
Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?
On Sat, Jun 30, 2007, Fredrik Staxeng wrote:
> Claus Assmann [EMAIL PROTECTED] writes:
> > > I get the dreaded 'Relaying denied. Proper authentication needed.'
> >
> > You don't need AUTH, STARTTLS is sufficient. See cf/README:
>
> Then I would need client certificates, wouldn't I?

Yes. As you have a cert for your server, why not create one for your client? It's barely more complicated than exchanging the credentials for AUTH, but STARTTLS is much simpler to set up than AUTH (i.e., Cyrus-SASL).
problem of Intel 915GM
Hello!

When I exit from X, I get the following warning message:

I810: No matching Device section for instance (BusID PCI:0:2:1) found

I tried to edit the BusID PCI:0:2:0 to BusID PCI:0:2:1 in the Device section of xorg.conf, but then X can't start. What is the problem and how do I fix it?

thanks!
ssh and sudo, password not hidden
Hi

Today I used sudo as the command to ssh and it echoed my sudo password.

[EMAIL PROTECTED] ~] $ ssh soekris sudo pfctl -s state
[EMAIL PROTECTED]'s password:
Password:secret_in_echo
(output of pfctl)
[EMAIL PROTECTED] ~] $

I don't see anything about this in the manpage so I think this is not expected behaviour. Normally I ssh from an Ubuntu box to the firewall, but to be sure, I ssh-ed to localhost on the OpenBSD box and I got the same result.

What's wrong?

Kind regards,
Tom Van Looy
Re: ssh and sudo, password not hidden
On Saturday 30 June 2007 19:31, Tom Van Looy wrote:
> Hi
>
> Today I used sudo as the command to ssh and it echoed my sudo password.
>
> [EMAIL PROTECTED] ~] $ ssh soekris sudo pfctl -s state
> [EMAIL PROTECTED]'s password:
> Password:secret_in_echo
> (output of pfctl)
> [EMAIL PROTECTED] ~] $
>
> I don't see anything about this in the manpage so I think this is not
> expected behaviour. Normally I ssh from an Ubuntu box to the firewall,
> but to be sure, I ssh-ed to localhost on the OpenBSD box and I got the
> same result.
>
> What's wrong?

Add -t to your ssh command:

     -t      Force pseudo-tty allocation.  This can be used to execute arbi-
             trary screen-based programs on a remote machine, which can be
             very useful, e.g. when implementing menu services.  Multiple -t
             options force tty allocation, even if ssh has no local tty.

--
Greetings
Chris
Re: ssh and sudo, password not hidden
Tom Van Looy wrote:
> Hi
>
> Today I used sudo as the command to ssh and it echoed my sudo password.
>
> [EMAIL PROTECTED] ~] $ ssh soekris sudo pfctl -s state
> [EMAIL PROTECTED]'s password:
> Password:secret_in_echo
> (output of pfctl)
> [EMAIL PROTECTED] ~] $
>
> I don't see anything about this in the manpage so I think this is not
> expected behaviour. Normally I ssh from an Ubuntu box to the firewall,
> but to be sure, I ssh-ed to localhost on the OpenBSD box and I got the
> same result.
>
> What's wrong?
>
> Kind regards,
> Tom Van Looy

Same here on both my OBSD, Slackware and Ubuntu machines, certainly a bug in sudo...

Firas

--
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?
Claus Assmann [EMAIL PROTECTED] writes:
> On Sat, Jun 30, 2007, Fredrik Staxeng wrote:
> > Claus Assmann [EMAIL PROTECTED] writes:
> > > > I get the dreaded 'Relaying denied. Proper authentication needed.'
> > >
> > > You don't need AUTH, STARTTLS is sufficient. See cf/README:
> >
> > Then I would need client certificates, wouldn't I?
>
> Yes. As you have a cert for your server, why not create one for your
> client? It's barely more complicated than exchanging the credentials
> for AUTH, but STARTTLS is much simpler to set up than AUTH (i.e.,
> Cyrus-SASL).

I have a self-signed server cert that I created using commands that I barely understand. I have no idea where to start.

I guess I need a CA key, and CA cert. Then I need to make sendmail trust the new cert? Then I can generate a key, signing request, and certificate, and make a PKCS12 file, which seems to be what Thunderbird wants.

Would it be something like this:

openssl dsaparam 1024 -out dsa1024.pem
openssl gendsa -out client.key dsa1024.pem
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -signkey /etc/ssl/private/sendmail.pem -out client.crt
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

--
Fredrik Stax\ang | rot13: [EMAIL PROTECTED]
This is all you need to know about vi: ESC : q ! RET
Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?
On Sat, Jun 30, 2007, Fredrik Staxeng wrote:
> I have a self-signed server cert that I created using commands that I
> barely understand. I have no idea where to start.

By reading the fine instructions :-)

man starttls

sendmail operations guide: doc/op/op.*

> I guess I need a CA key, and CA cert. Then I need to make sendmail

You seem to have those already.

> trust the new cert? Then I can generate a key, signing request, and
> certificate, and make a PKCS12 file, which seems to be what Thunderbird
> wants.

Sorry, I can't help you with Thunderbird.
Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?
Claus Assmann [EMAIL PROTECTED] writes:
> On Sat, Jun 30, 2007, Fredrik Staxeng wrote:
> > I have a self-signed server cert that I created using commands that I
> > barely understand. I have no idea where to start.
>
> By reading the fine instructions :-)
>
> man starttls

I have read that, done that. Nothing about client certs there.

> sendmail operations guide: doc/op/op.*

Section 6.6? Nor there.

Earlier you wrote:

> Yes. As you have a cert for your server, why not create one for your
> client? It's barely more complicated than exchanging the credentials
> for AUTH, but STARTTLS is much simpler to set up than AUTH (i.e.,
> Cyrus-SASL).

I am not optimistic that it will be as simple as that implies. I have tried to understand x509 and openssl before.

Anyway, you are the maintainer of the free version of sendmail? Would you consider putting in LOGIN/PLAIN support without SASL? It would improve the functionality of the OpenBSD default install.

--
Fredrik Stax\ang | rot13: [EMAIL PROTECTED]
This is all you need to know about vi: ESC : q ! RET
Re: Setting up a virtual hosting machine w. SSH/SFTP accounts - pitfalls/experiences?
On Sat, Jun 30, 2007 at 05:51:22PM +0200, Matt wrote:
> > You don't want user 1's web applications to be able to access data in
> > user 2's web application storage space.
>
> I will only be using mod_php. In the past, without the user shell
> accounts, this has worked rather well for me in combination with the
> open_base_dir directive in the VirtualHost. This binds PHP's abilities
> to the specified directory (or directories) for that specific virtual
> host.
>
> Am I overlooking something with that setup? I get the impression from
> your reply this might be rather unsafe?

I'm no PHP expert. If you're sure the PHP interpreter will restrict your users' accounts to their own directory, then good. But note:

- you must trust it to enforce this in all possible circumstances (rather obviously, for example, your users' PHP scripts must not be able to fork/exec any external program or script which could have been written by the user, nor load any untrusted C extensions, nor modify the environment for external programs);

- you must trust both the PHP interpreter and the web server not to have any remotely-exploitable holes, since anyone who breaks in as the web server user will have read *and* write access to everyone's data files;

- you must be sure that as well as locking everything down, you've not inadvertently left any way for users to change the restrictions (e.g. in .htaccess)

Now, finding documentation for this feature was hard. It appears that it's actually called open_basedir, not open_base_dir. See http://www.php.net/manual/en/features.safe-mode.php

It looks like every single library function in PHP which opens files must validate this setting. Given PHP's security track record, I'm not sure I'd bet my business on it.

You'll also need to take care with file permissions, given that you're now giving shell accounts to each user with their own uids. Each user will need to have read/write access on their own files of course, and grant read/write access to the webserver's gid, but without being members of the webserver group themselves (otherwise they'd be able to read/write all the other users' files). You may be able to achieve this by suitable checks on the top-level directory, and making files world-writable inside (ergh). Otherwise, welcome to sticky-bit city :-)

Regards,

Brian.
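An added example that is not part of either of Brian's posts: a Python audit that walks a per-user webspace tree like the /var/www/home/<user> layout discussed in this thread and reports every file or directory the web server's group (the 770 mistake from the first post) or the world (the "making files world-writable inside (ergh)" option above) can write to. The directory layout, user names and the www group id are assumptions; the demo tree is constructed under a temporary directory, and because chown needs root the tree's own group id stands in for group www.

```python
import os
import stat
import tempfile


def audit_webspace(root, www_gid):
    """Walk `root` and return (path, octal_mode, problem) for every entry that
    the web server's group (`www_gid`) or anyone at all can write to. A file
    the web server can write is a file a compromised web server can rewrite."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # the target's bits matter, and it is visited on its own
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((path, oct(mode), "world-writable"))
            elif st.st_gid == www_gid and mode & stat.S_IWGRP:
                findings.append((path, oct(mode), "writable by the web server group"))
    return findings


def build_demo_tree():
    """Constructed throwaway tree standing in for /var/www/home: 'alice' is
    locked down as the thread recommends (750), 'bob' is the 770 mistake and
    also holds a world-writable upload script. Ownership is left as created
    (chown needs root), so the caller treats the tree's gid as group www."""
    root = tempfile.mkdtemp(prefix="webspace-audit-")
    alice = os.path.join(root, "alice")
    os.mkdir(alice)
    os.chmod(alice, 0o750)   # explicit chmod: mkdir's mode argument is subject to umask
    bob = os.path.join(root, "bob")
    os.mkdir(bob)
    os.chmod(bob, 0o770)
    upload = os.path.join(bob, "upload.php")
    with open(upload, "w") as fh:
        fh.write("<?php /* placeholder */ ?>\n")
    os.chmod(upload, 0o666)
    return root


def run_demo():
    """Build the demo tree and audit it; returns [(basename, problem)]."""
    root = build_demo_tree()
    www_gid = os.stat(root).st_gid   # stand-in for the www group, see build_demo_tree
    return [(os.path.basename(p), why) for p, _, why in audit_webspace(root, www_gid)]


if __name__ == "__main__":
    for name, problem in run_demo():
        print(f"{name}: {problem}")
```

Run against a real tree as root with the real www gid (from grp.getgrnam("www").gr_gid); the sticky bit and setgid directories Brian alludes to change who may delete or which group new files get, but not the write-bit test performed here, so they would need checks of their own.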
Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?
On Sat, Jun 30, 2007, Fredrik Staxeng wrote:
> > man starttls
>
> I have read that, done that. Nothing about client certs there.

sendmail doesn't care as long as it is a cert.

> Anyway, you are the maintainer of the free version of sendmail?

Yes.

> Would you consider putting in LOGIN/PLAIN support without SASL?

If someone sends a good patch: yes (see the website for the correct address where to send patches). Note that this isn't as simple as it might seem: the problem is where you store the passwords for PLAIN. You certainly don't want to reuse the existing system passwords.
following stable, extra file sets?
Just a quick, hopefully easy, question for everyone.

I just installed a new 4.1 system, took a look at my options for keeping it up to date and decided that 'stable' would be best for me. When I installed I chose bsd, base41, etc41, comp41 and man41. I went through the following-stable procedures verbatim and everything worked just fine as far as I can tell.

What I found strange is that now it seems as if I have gained the misc41 and game41 file sets as a result of following stable. Does this sound correct? Is there any way to _not_ get these extra sets as part of following stable? I don't know that it hurts anything, but I have no use for them on the system and would like to keep it as minimalistic as possible.

Thanks,
Aaron
Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?
> If someone sends a good patch: yes (see the website for the correct
> address where to send patches). Note that this isn't as simple as it
> might seem: the problem is where you store the passwords for PLAIN.
> You certainly don't want to reuse the existing system passwords.

Put the authentication database behind a map; that way sendmail doesn't have to care.

--lyndon

We've heard that a million monkeys at a million keyboards could produce the Complete Works of Shakespeare; now, thanks to the Internet, we know this is not true.
-- Robert Wilensky, University of California
Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?
Claus Assmann [EMAIL PROTECTED] writes:
> On Sat, Jun 30, 2007, Fredrik Staxeng wrote:
> > > man starttls
> >
> > I have read that, done that. Nothing about client certs there.
>
> sendmail doesn't care as long as it is a cert.

Surely it has to be signed with some key trusted by the particular sendmail server?

> > Anyway, you are the maintainer of the free version of sendmail?
>
> Yes.
>
> > Would you consider putting in LOGIN/PLAIN support without SASL?
>
> If someone sends a good patch: yes (see the website for the correct
> address where to send patches). Note that this isn't as simple as it
> might seem: the problem is where you store the passwords for PLAIN.
> You certainly don't want to reuse the existing system passwords.

Well, that is exactly what I want to do. I use the system passwords for imap anyway, so why not? Of course, the channel must be protected by SSL/TLS when you do that.

--
Fredrik Stax\ang | rot13: [EMAIL PROTECTED]
This is all you need to know about vi: ESC : q ! RET
Re: following stable, extra file sets?
Aaron wrote:
> Just a quick, hopefully easy, question for everyone.
>
> I just installed a new 4.1 system, took a look at my options for keeping
> it up to date and decided that 'stable' would be best for me. When I
> installed I chose bsd, base41, etc41, comp41 and man41. I went through
> the following-stable procedures verbatim and everything worked just fine
> as far as I can tell.

Which procedure, exactly? Please provide a link.

> What I found strange is that now it seems as if I have gained the misc41
> and game41 file sets as a result of following stable. Does this sound
> correct? Is there any way to _not_ get these extra sets as part of
> following stable? I don't know that it hurts anything, but I have no use
> for them on the system and would like to keep it as minimalistic as
> possible.
>
> Thanks,
> Aaron

--
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?
> Well, that is exactly what I want to do. I use the system passwords for
> imap anyway, so why not? Of course, the channel must be protected by
> SSL/TLS when you do that.

Because there are a large number of IMAP clients that are not aware of LOGINDISABLED, and which will blindly attempt LOGIN or AUTH PLAIN in the absence of TLS (which they are not aware of, either). Many IMAP clients predate RFC3501. So those passwords (with the matching authentication ids) are going to be flying around the Internet in the clear no matter what you do.

Using the UNIX account password for IMAP (or POP) in this manner makes your system effectively password free.

--lyndon

Specifications are for the weak and timid!
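An added example, not part of Lyndon's post and not code from any IMAP server or client: a Python model of the pre-login exchange that makes his point concrete. The server side advertises STARTTLS and LOGINDISABLED and refuses LOGIN until TLS is up, as RFC 2595 / RFC 3501 describe; the two client functions then show why that is not enough on its own. A client that does not check CAPABILITY has already put the password on the wire by the time the server says no, while a client that honours LOGINDISABLED upgrades first. The tag values, the message wording and the transcript bookkeeping are assumptions made for the example; the TLS handshake itself is out of scope and just flips a flag.

```python
class ImapServerPolicy:
    """Minimal model of the server's pre-login policy: LOGIN is refused with
    LOGINDISABLED until STARTTLS has completed. Constructed for the example;
    it records every line for inspection instead of talking to a socket."""

    def __init__(self):
        self.tls = False
        self.transcript = []  # (direction, line): "C" client -> server, "S" reply

    def handle(self, tag, command):
        self.transcript.append(("C", f"{tag} {command}"))
        verb = command.split(" ", 1)[0].upper()
        if verb == "CAPABILITY":
            caps = "IMAP4rev1" + ("" if self.tls else " STARTTLS LOGINDISABLED")
            reply = f"* CAPABILITY {caps}\r\n{tag} OK CAPABILITY completed"
        elif verb == "STARTTLS":
            self.tls = True  # the handshake itself is out of scope here
            reply = f"{tag} OK Begin TLS negotiation now"
        elif verb == "LOGIN":
            if not self.tls:
                # PRIVACYREQUIRED is the RFC 5530 response code for exactly this case
                reply = f"{tag} NO [PRIVACYREQUIRED] LOGIN disabled until STARTTLS"
            else:
                reply = f"{tag} OK LOGIN completed"
        else:
            reply = f"{tag} BAD Unknown command"
        self.transcript.append(("S", reply))
        return reply


def advertised_caps(reply):
    """Pull the capability list out of an untagged CAPABILITY response."""
    return reply.split("\r\n")[0].split()[2:]


def naive_login(server, user, password):
    """Pre-RFC 3501 client behaviour: send LOGIN straight away, in the clear."""
    return server.handle("a1", f"LOGIN {user} {password}")


def careful_login(server, user, password):
    """Ask for CAPABILITY first; never send credentials while LOGINDISABLED is
    advertised, and upgrade with STARTTLS when it is offered."""
    caps = advertised_caps(server.handle("a1", "CAPABILITY"))
    if "LOGINDISABLED" in caps:
        if "STARTTLS" not in caps:
            return "client refused: no secure way to log in"
        server.handle("a2", "STARTTLS")
        caps = advertised_caps(server.handle("a3", "CAPABILITY"))
        if "LOGINDISABLED" in caps:
            return "client refused: LOGIN still disabled after STARTTLS"
    return server.handle("a4", f"LOGIN {user} {password}")


def password_sent_in_clear(server, password):
    """True if the password appears in any client line sent before STARTTLS."""
    for direction, line in server.transcript:
        if direction != "C":
            continue
        if line.split()[1].upper() == "STARTTLS":
            return False
        if password in line:
            return True
    return False


if __name__ == "__main__":
    old_client = ImapServerPolicy()
    print(naive_login(old_client, "fredrik", "hunter2"))
    print("leaked:", password_sent_in_clear(old_client, "hunter2"))
    good_client = ImapServerPolicy()
    print(careful_login(good_client, "fredrik", "hunter2"))
    print("leaked:", password_sent_in_clear(good_client, "hunter2"))
```

The server-side refusal limits the damage (the session never authenticates, so a captured password cannot be replayed against a server that still enforces the policy), but the credential itself has already been exposed, which is the reason Lyndon gives for not reusing the UNIX account password over IMAP.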
Re: problem of Intel 915GM
On 6/30/07, Alex Kwan [EMAIL PROTECTED] wrote:
> Hello!
>
> When I exit from X, I get the following warning message:
>
> I810: No matching Device section for instance (BusID PCI:0:2:1) found

This is just a warning. You can ignore it.

> I tried to edit the BusID PCI:0:2:0 to BusID PCI:0:2:1 in the Device
> section of xorg.conf, but then X can't start. What is the problem and
> how do I fix it?
>
> thanks!

The 0:2:1 ID is generally a 2nd function corresponding to the secondary output of the video card. You can set up a 2nd Screen section (together with a 2nd Device and a 2nd Monitor section) and enable Xinerama to make use of it.
Re: following stable, extra file sets?
James Hartley wrote:
> On 6/30/07, Aaron [EMAIL PROTECTED] wrote:
> > What I found strange is that now it seems as if I have gained the
> > misc41 and game41 file sets as a result of following stable. Does
> > this sound correct?
>
> The following link from the FAQ describes the role of each file set.
> Perhaps this will provide some perspective.
>
> http://openbsd.org/faq/faq4.html#FilesNeeded

That is where I made the decisions on what sets to include on my initial install... Choosing sets is not the problem; as I indicated in the first post, I *chose* the bsd, base41, etc41, comp41 and man41 file sets as they were the required sets. The question is, when updating src and following stable, is there any way to _not_ have game41 and misc41 installed when I do the make build.

Aaron
Re: following stable, extra file sets?
On 6/30/07, Aaron [EMAIL PROTECTED] wrote:
> What I found strange is that now it seems as if I have gained the
> misc41 and game41 file sets as a result of following stable. Does
> this sound correct?

The following link from the FAQ describes the role of each file set. Perhaps this will provide some perspective.

http://openbsd.org/faq/faq4.html#FilesNeeded
Re: following stable, extra file sets?
Firas Kraiem wrote:
> Aaron wrote:
> > Just a quick, hopefully easy, question for everyone.
> >
> > I just installed a new 4.1 system, took a look at my options for
> > keeping it up to date and decided that 'stable' would be best for
> > me. When I installed I chose bsd, base41, etc41, comp41 and man41.
> > I went through the following-stable procedures verbatim and
> > everything worked just fine as far as I can tell.
>
> Which procedure, exactly? Please provide a link.

Sorry about that.. Here is the procedure I follow when I update to 'stable':

http://www.openbsd.org/faq/faq5.html#BldGetSrc

Following -Stable

If you wish to check out an alternative branch of the tree, such as the -stable branch, you will use the -r modifier to your checkout:

# cd /usr
# export [EMAIL PROTECTED]:/cvs
# cvs -d$CVSROOT checkout -rOPENBSD_4_1 -P src

This will pull the src files from the OPENBSD_4_1 branch, which is also known as the Patch branch or -stable (http://www.openbsd.org/stable.html). You would update the code similarly:

# cd /usr/src
# export [EMAIL PROTECTED]:/cvs
# cvs -d$CVSROOT up -rOPENBSD_4_1 -Pd

# cd /usr/src/sys/arch/i386/conf
# config GENERIC
# cd ../compile/GENERIC
# make clean && make depend && make
[...lots of output...]
# make install

and then to do the userland:

# rm -rf /usr/obj/*
# cd /usr/src
# make obj
# cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
# cd /usr/src
# make build

> > What I found strange is that now it seems as if I have gained the
> > misc41 and game41 file sets as a result of following stable. Does
> > this sound correct? Is there any way to _not_ get these extra sets
> > as part of following stable? I don't know that it hurts anything,
> > but I have no use for them on the system and would like to keep it
> > as minimalistic as possible.
> >
> > Thanks,
> > Aaron
Re: following stable, extra file sets?
On Saturday, June 30, 2007 at 15:13:31 -0500, Aaron wrote: What I found strange is now it seems as if I have gained the misc41 and game41 file sets as a result of following stable. Does this sound correct? Yes, that's the way make build works. It compiles and installs everything in the source tree. Is there any way to _not_ get these extra sets as part of following stable? I don't know that it hurts anything, but I have no use for them on the system and would like to keep it as minimalistic as possible. I'm sure it's possible to modify the tree in some way to prevent this, but that's not supported and it may break other things (like cvs updates). I guess the easiest way is to build a release on another system and install only the file sets that you used during the initial installation. As an alternative, you can use the pre-built file sets from ftp://ftp.su.se/pub/mirrors/openbsd_stable/, but those files are not part of the project, so you have to decide for yourself whether you trust the people who provide these sets or not. In case it matters, I'm one of those people ;-) best regards, Maurice
Re: following stable, extra file sets?
Maurice Janssen writes: Is there any way to _not_ get these extra sets as part of following stable? I don't know that it hurts anything, but I have no use for them on the system and would like to keep it as minimalistic as possible. I'm sure it's possible to modify the tree in some way to prevent this, but that's not supported and it may break other things (like cvs updates). If you want to go unsupported and non-standard you can play with the makefiles. Games is easy: remove games from the list of SUBDIR in /usr/src/Makefile. misc is quite a bit harder as it contains the documentation for things that you still want built and installed. I guess the easiest way is to build a release on another system and install only the file sets that you used during the initial installation. Or, let it install then remove the unneeded files. The source contains a list of everything in a set and in the case of misc everything is machine independent. After a build you could do something like this (untested):

  cd /
  # remove the regular files
  cat /usr/src/distrib/sets/lists/misc/mi | while read f; do test -f "$f" && rm "$f"; done
  # remove the directories
  tail -r /usr/src/distrib/sets/lists/misc/mi | while read d; do test -d "$d" && rmdir "$d"; done

// marc
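Marco's two loops, written out as a script that can be tried against a scratch tree before being pointed at / (an added example, mine rather than anything from the thread or the OpenBSD tree). It takes the filesystem root and the set list as arguments, so a real run would be remove_set / /usr/src/distrib/sets/lists/misc/mi; the list format assumed is the one-path-per-line "./usr/share/..." form of the set lists. Directories are removed with rmdir, deepest first, so a directory that still holds something not in the set is kept and reported rather than emptied. The sample tree and list used to try it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Removes an installed file set from
# a tree using the set's list file, e.g.
#   remove_set / /usr/src/distrib/sets/lists/misc/mi
# Assumptions: one path per line in the "./usr/share/..." form that OpenBSD
# set lists use, relative to the root given; entries may be files, symlinks
# or directories. Nothing that is not named in the list is ever touched.

# Print a file's lines last-to-first (portable stand-in for tail -r / tac).
reverse_lines() {
    awk '{ line[NR] = $0 } END { for (i = NR; i > 0; i--) print line[i] }' "$1"
}

# remove_set ROOT LIST [dry]
#   ROOT  filesystem root to operate under: / on a real system, a scratch
#         directory when trying it out
#   LIST  the set list, e.g. /usr/src/distrib/sets/lists/misc/mi
#   dry   any non-empty value prints the commands instead of running them
# Prints "removed=N kept=M": N files/links deleted (or that would be), M
# directories left in place because they were not empty. Exit status 0.
remove_set() {
    root=$1; list=$2; dry=${3:-}
    removed=0; kept=0

    # Pass 1: regular files and symlinks, in list order.
    while IFS= read -r p; do
        case $p in ''|'#'*) continue ;; esac
        t="$root/${p#./}"
        if [ -f "$t" ] || [ -L "$t" ]; then
            if [ -n "$dry" ]; then echo "rm $t"; else rm -- "$t"; fi
            removed=$((removed + 1))
        fi
    done < "$list"

    # Pass 2: directories, deepest first, so children go before parents.
    # The reversed list goes through a temp file so the counters stay in
    # this shell instead of a pipeline subshell.
    rev=$(mktemp) || return 1
    reverse_lines "$list" > "$rev"
    while IFS= read -r p; do
        case $p in ''|'#'*) continue ;; esac
        t="$root/${p#./}"
        [ -d "$t" ] && [ ! -L "$t" ] || continue
        if [ -n "$dry" ]; then
            echo "rmdir $t"
        elif ! rmdir -- "$t" 2>/dev/null; then
            # Something outside the set lives here (an admin's file, a
            # package's file): leave the directory alone and say so.
            echo "kept (not empty): $t" >&2
            kept=$((kept + 1))
        fi
    done < "$rev"
    rm -f "$rev"

    echo "removed=$removed kept=$kept"
}
```

Run it once with the third argument set to see what would go, then without. The kept count is the thing to look at afterwards: a non-zero value means some directory named in the set list also holds files the list does not know about, which is exactly the case where Marco's one-liner with rmdir is safer than an rm -rf would be.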
Re: following stable, extra file sets?
Marco S Hyman wrote: Maurice Janssen writes: Is there any way to _not_ get these extra sets as part of following stable? I don't know that it hurts anything, but I have no use for them on the system and would like to keep it as minimalistic as possible. I'm sure it's possible to modify the tree in some way to prevent this, but that's not supported and it may break other things (like cvs updates). If you want to go unsupported and non-standard you can play with the makefiles. Games is easy: remove games from the list of SUBDIR in /usr/src/Makefile. misc is quite a bit harder as it contains the documentation for things that you still want built and installed. I guess the easiest way is to build a release on another system and install only the file sets that you used during the initial installation. Or, let it install then remove the unneeded files. The source contains a list of everything in a set and in the case of misc everything is machine independent. After a build you could do something like this (untested):

  cd /
  # remove the regular files
  cat /usr/src/distrib/sets/lists/misc/mi | while read f; do test -f "$f" && rm "$f"; done
  # remove the directories
  tail -r /usr/src/distrib/sets/lists/misc/mi | while read d; do test -d "$d" && rmdir "$d"; done

// marc

Ok this has answered the question, and thanks. This raises another question for me.. If updating just the sets that you install, and I am making an assumption here that people would want to update code when needed, and be supported, why even give the choice on which sets to install initially if the two extra sets will be installed anyway during the supported method of updating? Thanks again, Aaron
Intel 975X Express Chipset supported?
Is the Intel 975X Express Chipset supported by OpenBSD 4.1 ? Thank you, Juan Be smarter than spam. See how smart SpamGuard is at giving junk email the boot with the All-new Yahoo! Mail at http://mrd.mail.yahoo.com/try_beta?.intl=ca
Re: following stable, extra file sets?
On 6/30/07, Aaron [EMAIL PROTECTED] wrote: Ok this has answered the question, and thanks.This raises another question for me.. If updating just the sets that you install, and I am making an assumption here that people would want to update code when needed, and be supported, why even give the choice on which sets to install initially if the two extra sets will be installed anyway during the supported method of updating? Keep in mind there is more than one way of updating in a supported manner. Applying the errata patches rarely requires a full userland rebuild. Also, you can make a -stable release(8) on one machine and still choose your sets whenever you install/upgrade from them. --david
Re: Intel 975X Express Chipset supported?
The 965 works fine for me. I use the pci-e slot with an 8x raid controller instead of a 16x video card. The CPU is the cheapest 512k cache celeron D that I could find, they are really fast and around $40-$50. Juan Miscaro [EMAIL PROTECTED] wrote: Is the Intel 975X Express Chipset supported by OpenBSD 4.1 ? Thank you, Juan -- The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us. - Paul Robinson
Re: following stable, extra file sets?
David Higgs wrote: On 6/30/07, Aaron [EMAIL PROTECTED] wrote: Ok this has answered the question, and thanks. This raises another question for me.. If updating just the sets that you install, and I am making an assumption here that people would want to update code when needed, and be supported, why even give the choice on which sets to install initially if the two extra sets will be installed anyway during the supported method of updating? Keep in mind there is more than one way of updating in a supported manner. Applying the errata patches rarely requires a full userland rebuild. Also, you can make a -stable release(8) on one machine and still choose your sets whenever you install/upgrade from them. --david That sounds good, and I read http://www.openbsd.org/faq/upgrade41.html about upgrading, and http://www.openbsd.org/faq/faq5.html#Release When following stable with the method described in the faq, I didn't notice anything about final steps as outlined in the upgrade faq. Can I safely assume since I'm not in fact upgrading, only updating, that I wouldn't have to worry about upgrading /etc, new users and groups, operational changes, /etc file changes and checking the kernel as described in the final steps of the upgrade faq? Would this leave all of my /etc files intact with any changes I have made? Thanks, Aaron
Re: [OT] Open Source OSS for OpenBSD?
On Thu, 2007-06-14 at 19:23 -0600, Theo de Raadt wrote: I have been throwing around a phrase for a few weeks. Perhaps it should be popularized. OpenBSD is free as in air. Unfortunately, Richard Stallman beat you to this one by about 24 years. He never popularized it, but this was one of the phrases he used in the first posts announcing the GNU project. -- Shawn K. Quinn [EMAIL PROTECTED]
Re: Setting up a virtual hosting machine w. SSH/SFTP accounts - pitfalls/experiences?
I've found that most clients don't need or expect to login to a web server. The handful of people that do can be given their own dedicated server to use or something like that. For the rest, just give each domain name/user their own httpd instance running with its own config, its own unix user, and its own IP address. Or give each domain two users: one user to own the file system and a separate one that is selectively given permission to write within that filesystem. Run httpd chrooted, and you can use any module you want without sharing write permissions between unix users (shared webhosting evil). Give all the users chrooted access to their own web root files through ftp or sftp. I've never tried to chroot sftp, or at least there is no obvious way to do it to me. But, since no unix user needs access to another's directory tree, it's pretty easy to lock people out of places they don't need to be. You need to give SSL users their own IP address anyways, and this technique makes it easier to ensure security on a shared server. It is a bit more resource intensive since each virtual host has several apache processes running, but apache will scale down the number of processes when hits are low and modern hardware is fast and big enough that this becomes a decent compromise for resource usage (versus multiple virtualized OS servers or whatever.) For email it is nice to keep the users in an sql or ldap database, use one of a million web/database management tools for it, and point your software to use it. I like postfix and dovecot but I am not overjoyed with any of the mediocre web tools for managing the virtual users and whatever else. A well thought out database driven system can be fairly easy to scale as disk or cpu load increases by using multiple data stores, pop/imap proxies and multiple front end spam processors. There are lots of examples of these sorts of designs available through google so I won't bore you anymore.
Also if you have the right kind of user population, a significant percentage expect MS Frontpage support. These are always the same people who don't ever ask for shell access. MS Frontpage is fairly easy to do with some mod_rewrite rules and a custom CGI that calls the MS cgi (i386 bsdos executable). There are almost certainly buffer overflows in the MS cgi. So if you are running a chrooted per-user apache installation, you can theoretically limit potential damage to the user. suexec would be the only privileged binary in the chroot (and not necessary if the apache user has write permission where expected). Chris
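An audit for the per-domain permission model Chris describes, added here as an example of mine rather than anything from the thread: one owner user per domain, optionally a separate writer group for the account that is allowed to change content, and an httpd user that is neither and so must get read access only. Under that model the findings worth reporting under a document root are entries writable by others, setuid/setgid files, entries owned by someone other than the domain owner, and group-writable entries whose group is not the writer group. The document root path, owner and group names in the usage note are assumptions, and the tree the test builds is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit one virtual host's document
# root against the per-domain layout described above. Model assumed here:
# every entry is owned by the domain's owner user, writes happen only as
# that user or through one writer group, and the httpd user is neither,
# so it reads and never writes. The bits that break that model are
# "writable by others", setuid/setgid, foreign ownership, and group-write
# for any group other than the writer group.

# Prefix every stdin line with a finding tag and a tab.
tag() { awk -v t="$1" '{ print t "\t" $0 }'; }

# audit_docroot ROOT OWNER [WRITER_GROUP]
#   ROOT          document root to scan
#   OWNER         user (name or uid) that should own everything under ROOT
#   WRITER_GROUP  group allowed to hold group-write on content (optional)
# Prints "tag<TAB>path" per finding. Exit 0 when clean, 1 when not.
audit_docroot() {
    root=$1; owner=$2; wgrp=${3:-}
    out=$(mktemp) || return 2

    # Writable by everyone: the httpd user (and any other local user) can
    # change served content. Symlinks are skipped; their mode means nothing.
    find "$root" ! -type l -perm -002 -print | tag world-writable >> "$out"

    # setuid/setgid under a docroot: a chrooted suexec is the one privileged
    # binary that belongs in the jail, and it does not live under htdocs.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print | tag setid >> "$out"

    # Anything not owned by the domain's owner user.
    find "$root" ! -type l ! -user "$owner" -print | tag wrong-owner >> "$out"

    # Group-writable content (not already reported as world-writable) whose
    # group is not the writer group; with no writer group, any group-write.
    if [ -n "$wgrp" ]; then
        find "$root" ! -type l -perm -020 ! -perm -002 ! -group "$wgrp" -print \
            | tag group-writable >> "$out"
    else
        find "$root" ! -type l -perm -020 ! -perm -002 -print \
            | tag group-writable >> "$out"
    fi

    cat "$out"
    n=$(wc -l < "$out" | tr -d ' ')
    rm -f "$out"
    [ "$n" -eq 0 ]
}
```

On a live box this would be run once per domain, for instance audit_docroot /var/www/htdocs/example.org example-owner example-writers (paths and names assumed), and the non-zero exit makes it usable from cron. A clean result only says the filesystem matches the model; it says nothing about whether the httpd instance is actually running as a user outside the owner and writer group, which has to be checked in that instance's config.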
Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?
From: Fredrik Staxeng [EMAIL PROTECTED] I have a server that runs OpenBSD 4.1, and a laptop running Windows. I want to use Thunderbird on the laptop to send mail via the server. The laptop connects from many different networks. I would like to use port 587, since some ISPs block port 25. I want to use my username/password to authenticate. I want to use TLS to protect the password. I've done experiments with what you are doing. I found it simpler to just get openvpn working with sendmail and popa3d. But either way you might want to play with /etc/mail/relay-domains.
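An added example of mine, not part of the thread, for checking the server side of what is being asked for (TLS on port 587, then PLAIN or LOGIN authentication) before blaming the Thunderbird settings. Sendmail's AUTH_OPTIONS flag p means PLAIN and LOGIN are not offered until a security layer is active, so an EHLO response before STARTTLS that carries no AUTH line is expected; the EHLO issued inside the TLS session is the one to read. The helpers below summarise an EHLO response, build the AUTH PLAIN initial response a client sends, and print the client half of a submission dialog for openssl s_client. The host names, user, password and EHLO responses in the test are placeholders and constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for probing an SMTP
# submission port for STARTTLS and AUTH, plus the AUTH PLAIN encoding a
# mail client sends. Host names, user and password are placeholders.

# ehlo_summary: read an EHLO response on stdin and print
#   starttls=yes|no auth=<mechanisms>|none
# Lines look like "250-STARTTLS" or "250-AUTH PLAIN LOGIN" (a few servers
# send "250-AUTH=PLAIN LOGIN"); the last line uses "250 " instead of "250-".
ehlo_summary() {
    tr -d '\r' | awk '
        /^250[- ]STARTTLS$/ { tls = "yes" }
        /^250[- ]AUTH[ =]/  { sub(/^250[- ]AUTH[ =]/, ""); auth = $0 }
        END {
            printf "starttls=%s auth=%s\n", (tls == "" ? "no" : tls),
                                            (auth == "" ? "none" : auth)
        }'
}

# auth_plain USER PASS: the SASL PLAIN initial response, i.e.
# base64("\0" USER "\0" PASS), as sent in "AUTH PLAIN <value>".
# It is only an encoding, not protection: this is why the password must
# travel inside TLS, and why flag p hides PLAIN/LOGIN before STARTTLS.
auth_plain() {
    printf '%s\000%s\000%s' '' "$1" "$2" | base64 | tr -d '\n'
}

# submission_dialog MYNAME USER PASS FROM TO: the client lines to feed to
#   openssl s_client -connect server:587 -starttls smtp -crlf -quiet
# s_client performs the first EHLO and STARTTLS itself; the lines below run
# inside the TLS session, where AUTH PLAIN may now be offered. A "Relaying
# denied" on RCPT TO after a 235 from AUTH means the authenticated session
# is not being trusted for relay, not that the password was wrong.
submission_dialog() {
    myname=$1; user=$2; pass=$3; from=$4; to=$5
    printf 'EHLO %s\n' "$myname"
    printf 'AUTH PLAIN %s\n' "$(auth_plain "$user" "$pass")"
    printf 'MAIL FROM:<%s>\nRCPT TO:<%s>\nDATA\n' "$from" "$to"
    printf 'Subject: submission test\n\ntest\n.\nQUIT\n'
}
```

A manual run against the real server would be something like submission_dialog laptop.example.net user 'secret' user@example.net someone@example.org | openssl s_client -connect mail.example.net:587 -starttls smtp -crlf -quiet, with every name a placeholder. Reading the second EHLO response through ehlo_summary tells which of three situations applies: auth=none even inside TLS means the server is not offering SASL mechanisms at all (sendmail implements SMTP AUTH through Cyrus SASL, which is the "do I need SASL" question); a 535 on AUTH is a credential or SASL backend problem; 235 on AUTH followed by "Relaying denied" points at the relay rules, which is where the reply above's /etc/mail/relay-domains suggestion comes in.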