Re: security(8) and maildir

2012-04-16 Thread Zé Loff
 It is hard to guess what you need from the scarce information you
 provide.

I'm sorry... On hindsight, that was _very_ little information.
I'm running 5.0, with postfix as an MTA, delivering mail for two virtual
domains (maildir). Courier is used for IMAP, and runs as vmail:vmail.

 Can you show the output of
 # ls -al /var/mail

$ ls -l /var/mail
total 2148
-rw-------  1 root    wheel  1076477 Jan 14 16:13 root
drwx------  4 vmail   vmail      512 Dec  5 00:33 vmail
-rw-------  1 zeloff  users        0 Jan 10  2011 zeloff

Inside /var/mail/vmail is a folder of each of the virtual domains, and
inside that one for every user, etc. Every thing from here on down has
either 700 (folders) or 600 (files) permissions.

 on the machine in question, and the exact messages you see in your
 daily security emails?

Running security(8):

Checking mailbox ownership. user vmail mailbox is
drwx------, group vmail

If I chmod 600 /var/mail/vmail, security(8) runs clean, so it's the
executable bit that's causing the trouble, but unsetting it is not an
option for the obvious reasons.

Relocating the whole thing is most probably the best idea, but is there
anything wrong with this patch I came up with?

--- /usr/libexec/security Mon Apr 16 10:43:36 2012
+++ security Mon Apr 16 11:43:20 2012
@@ -457,7 +457,7 @@
my $gname = (getgrgid $fgid)[0] // $fgid;
nag $fname ne $name,
user $name mailbox is owned by $fname;
-   nag S_IMODE($mode) != (S_IRUSR | S_IWUSR),
+   nag S_IMODE($mode) != (S_IRUSR | S_IWUSR |
+   (S_ISDIR(S_IFMT($mode))  S_IXUSR) ),
sprintf 'user %s mailbox is %s, group %s',
$name, strmode($mode), $gname; }

I have no proper perl skills whatsoever, but I tested it on a few files
with different permissions and it appears to work properly...

So, what's the verdict? Should maildirs be kept out of /var/mail
altogether, or is patching security(8) a viable alternative?

Many thanks
Zé (with an acute-accented 'e', damn encodings...)



Re: security(8) and maildir

2012-04-16 Thread Rod Whitworth
On Mon, 16 Apr 2012 12:45:12 +0100, Zé Loff wrote:





Formatting properly doesn't work for you?
That made my eyes bleed.

*** NOTE *** Please DO NOT CC me. I am subscribed to the list.
Mail to the sender address that does not originate at the list server is
tarpitted. The reply-to: address is provided for those who feel compelled to
reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.



Re: security(8) and maildir

2012-04-16 Thread Zé Loff
 It is hard to guess what you need from the scarce information you
 provide.

I'm sorry... On hindsight, that was _very_ little information.
I'm running 5.0, with postfix as an MTA, delivering mail for two virtual
domains (maildir). Courier is used for IMAP, and runs as vmail:vmail.

 Can you show the output of
 # ls -al /var/mail

$ ls -l /var/mail
total 2148
-rw-------  1 root    wheel  1076477 Jan 14 16:13 root
drwx------  4 vmail   vmail      512 Dec  5 00:33 vmail
-rw-------  1 zeloff  users        0 Jan 10  2011 zeloff

Inside /var/mail/vmail is a folder of each of the virtual domains, and
inside that one for every user, etc. Every thing from here on down has
either 700 (folders) or 600 (files) permissions.

 on the machine in question, and the exact messages you see in your
 daily security emails?

Running security(8):

Checking mailbox ownership. user vmail mailbox is
drwx------, group vmail

If I chmod 600 /var/mail/vmail, security(8) runs clean, so it's the
executable bit that's causing the trouble, but unsetting it is not an
option for the obvious reasons.

Relocating the whole thing is most probably the best idea, but is there
anything wrong with this patch I came up with?

--- /usr/libexec/security Mon Apr 16 10:43:36 2012
+++ security Mon Apr 16 11:43:20 2012
@@ -457,7 +457,7 @@
my $gname = (getgrgid $fgid)[0] // $fgid;
nag $fname ne $name,
user $name mailbox is owned by $fname;
-   nag S_IMODE($mode) != (S_IRUSR | S_IWUSR),
+   nag S_IMODE($mode) != (S_IRUSR | S_IWUSR |
+   (S_ISDIR(S_IFMT($mode))  S_IXUSR) ),
sprintf 'user %s mailbox is %s, group %s',
$name, strmode($mode), $gname; }
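Review bot: on the second `+` line the operator between `S_ISDIR(S_IFMT($mode))` and `S_IXUSR` has not survived (only a double space is visible where it should be), so the hunk as posted cannot be applied verbatim; whoever picks this up has to confirm the intended expression, which from the description should yield S_IXUSR for a directory and nothing extra for a regular file, so that a maildir passes only at exactly 0700 and an mbox only at exactly 0600, keeping the check as strict as before. Two smaller points: Fcntl's S_ISDIR already masks its argument with S_IFMT, so `S_ISDIR($mode)` reads more simply than `S_ISDIR(S_IFMT($mode))`; and since the file type now decides which mode is acceptable, a one-line comment above the `nag` stating that directories (maildirs) are allowed the owner execute bit would make the intent obvious to the next reader of security(8).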

I have no proper perl skills whatsoever, but I tested it on a few files
with different permissions and it appears to work properly...

So, what's the verdict? Should maildirs be kept out of /var/mail
altogether, or is patching security(8) a viable alternative?

Many thanks
Zé (with an acute-accented 'e', damn encodings...)



From IFC

2012-04-16 Thread Harry Cole
Good day,
An inquest by my bank (IFC) conducted on an inactive/dormant account revealed
that you are a potential beneficiary to an unclaimed sum.

The similarity in your name and email (misc@openbsd.org) makes it possible for
us to liquidate the deceased account in your favour. Please contact me via
harri_c...@w.cn, hari.c...@yahoo.co.uk or haric...@w.cn so we can discuss how
to take advantage of this opportunity.

Regards
Harry Cole



Call for Presenter: OpenBSD/IDS @ITSec class

2012-04-16 Thread Steffen Wendzel
Dear OpenBSD Misc,


I am looking for a presenter to give an open source IDS related speech
at the University of Applied Sciences in Augsburg, Germany.
If you are interested in, for instance, giving a talk on OpenBSD-based
Intrusion Detection or Prevention, then this is your chance to speak to
a security class with approx. 100 students.

The speech will be part of the IT Security I class that takes place on
each Monday at 14:00.

If you are interested in giving such a talk, don't hesitate to contact
me.


With best regards,

Steffen Wendzel

-- 
With best regards,
Steffen Wendzel, M.Sc.

Head of Research HSASec (http://www.hsasec.de)
Coordination Bureau IT4SE (http://www.it4se.net)
Faculty of Computer Sciences
Augsburg University of Applied Sciences

Friedberger Straße 2a
86161 Augsburg
Phone: +49 (0)821 5586-3633
Fax: +49 (0)821 5586-3499
Web: http://www.hs-augsburg.de/~swend/



Bank payment slip (boleto)..

2012-04-16 Thread ouvido...@globalcob.com.br
Boleto_Cobranca.jpg
Please find below the payment slip for the products that were
delivered.

boleto_cobranca.pdf(60,2k kb)

Sincerely,

Global Assessoria de Cobranças Ltda

CONTACT US (11) 5579-2821 / (47) 3461-0800. We are open Monday to
Friday, 09:00 to 18:00.



E-mail checked by Windows Live Anti-Spam



DynDNS client

2012-04-16 Thread Laurence Rochfort
Hello,

Is there a DynDNS client for OpenBSD?

Cheers,
Laurence.



Re: DynDNS client

2012-04-16 Thread Beto
Hi, see
http://ftp.openbsd.org/pub/OpenBSD/5.0/packages/amd64/ddclient-3.8.0p3.tgz


On Mon, Apr 16, 2012 at 11:00 AM, Laurence Rochfort 
laurence.rochf...@gmail.com wrote:

 Hello,

 Is there a DynDNS client for OpenBSD?

 Cheers,
 Laurence.



Re: DynDNS client

2012-04-16 Thread Aaron
I use ipcheck.

On Mon, Apr 16, 2012 at 10:00 AM, Laurence Rochfort 
laurence.rochf...@gmail.com wrote:

 Hello,

 Is there a DynDNS client for OpenBSD?

 Cheers,
 Laurence.



Re: DynDNS client

2012-04-16 Thread Johan Beisser
On Mon, Apr 16, 2012 at 9:00 AM, Laurence Rochfort
laurence.rochf...@gmail.com wrote:
 Hello,

 Is there a DynDNS client for OpenBSD?

Rolled my own in Python a while back. There are a few that're utter
overkill for a simple updater.

You could do it in shell with tools in base with a little bit of
scripting effort.

http://dyn.com/support/developers/api/



Re: DynDNS client

2012-04-16 Thread robert
On Mon, Apr 16, 2012 at 11:04:35AM -0500, Beto wrote:
 Hi, see
 http://ftp.openbsd.org/pub/OpenBSD/5.0/packages/amd64/ddclient-3.8.0p3.tgz
 
 
 On Mon, Apr 16, 2012 at 11:00 AM, Laurence Rochfort 
 laurence.rochf...@gmail.com wrote:
 
  Hello,
 
  Is there a DynDNS client for OpenBSD?
 
  Cheers,
  Laurence.
 

Besides ddclient there is also ipcheck-0.207p5.tgz available as package.



Re: DynDNS client

2012-04-16 Thread Ingo Schwarze
Hi,

Johan Beisser wrote on Mon, Apr 16, 2012 at 09:18:22AM -0700:
 On Mon, Apr 16, 2012 at 9:00 AM, Laurence Rochfort
 laurence.rochf...@gmail.com wrote:

 Is there a DynDNS client for OpenBSD?

 Rolled my own in Python a while back. There are a few that're utter
 overkill for a simple updater.

If IP changes are rare for you and you just want to update your IP manually
now and then, using the web interface most providers offer is probably
sufficient, and you don't even need your own script.

If you want to run the client as a daemon, i'd advise against
rolling your own.  Most providers block accounts that update too
frequently, and getting the logic right to prevent excessive
updates is tricky.

My experience is mostly with ddclient; i have contributed a few
patches that were accepted upstream.  The maintainer is a nice
guy, not very actively supporting ddclient, but not letting it
rot completely either.  For home use, it is clearly good enough.
For enterprise use, it is usable (if you are willing to help
and fix the occasional bug), but certainly not great.

However, the code quality is positively revolting.  I have rarely
seen Perl code looking that ugly.  Still, as it is a small code base,
you can find your way around it.  But hacking into it is not fun,
and if you value reliability a lot, you should probably look into
other options, too, and compare.



Re: DynDNS client

2012-04-16 Thread Evgeniy Sudyr

Hi Laurence,

I'm using ipcheck-0.207p5 which is a fully compliant DynDNS.org client.

--
With regards,
Eugene Sudyr

On 4/16/2012 7:00 PM, Laurence Rochfort wrote:

Hello,

Is there a DynDNS client for OpenBSD?

Cheers,
Laurence.




Re: DynDNS client

2012-04-16 Thread Laurence Rochfort
Thank you everybody for the information. This is for home use and both
ddclient and ipcheck look more than sufficient for my needs.

Regards,
Laurence



Re: DynDNS client

2012-04-16 Thread Johan Beisser
On Mon, Apr 16, 2012 at 9:43 AM, Ingo Schwarze schwa...@usta.de wrote:
 Hi,

 Johan Beisser wrote on Mon, Apr 16, 2012 at 09:18:22AM -0700:
 On Mon, Apr 16, 2012 at 9:00 AM, Laurence Rochfort
 laurence.rochf...@gmail.com wrote:

 Is there a DynDNS client for OpenBSD?

 Rolled my own in Python a while back. There are a few that're utter
 overkill for a simple updater.

 If IP changes are rare for you and you just want to update your IP manually
 now and then, using the web interface most providers offer is probably
 sufficient, and you don't even need your own script.

Mine are rare, but referencing the developer site (
http://dyn.com/support/developers/api/ ) does give you enough
information to avoid having your client blocked, and how to make it
comply with their TOS.

 If you want to run the client as a daemon, i'd advise against
 rolling your own.  Most providers block accounts that update too
 frequently, and getting the logic right to prevent excessive
 updates is tricky.

Not really. It's dead simple: check against a state file that has the
last known IP, compare to the interface or a web site that returns the
external IP address, and update if that changes. If there's a change,
update dyn.com, update your state file, and exit. I run mine every 5
minutes or so from cron.

If nothing else, it's a good scripting exercise and a very basic one
as well. Dyn.com offers up testing DNS entries for developers to test
their code against.


 My experience is mostly with ddclient; i have contributed a few
 patches that were accepted upstream.  The maintainer is a nice
 guy, not very actively supporting ddclient, but not letting it
 rot completely either.  For home use, it is clearly good enough.
 For enterprise use, it is usable (if you are willing to help
 and fix the occasional bug), but certainly not great.

 However, the code quality is positively revolting.  I have rarely
 seen Perl code looking that ugly.  Still, as it is a small code base,
 you can find your way around it.  But hacking into it is not fun,
 and if you value reliability a lot, you should probably look into
 other options, too, and compare.

All the more reason to write your own updater. You get to know what
features you really need, vs the ugly crap that people include in
their scripts.
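The state-file updater Johan sketches above (and his earlier remark that base tools are enough for it), written out as an added POSIX sh example; it is not a script from any poster in this thread. It goes one step beyond his description by also refusing to push more often than a minimum interval, even when the address did change, as a guard against the blocking Ingo describes. The DynDNS2-style `nic/update` URL, ftp(1) from base as the HTTP client, the state directory and every hostname or address are assumptions or placeholders, not values from the thread.

```shell
#!/bin/sh
# DynDNS-style updater built on the state-file logic described in the
# thread: push only when the address changed, and additionally never
# more often than MIN_INTERVAL seconds, so a flapping link cannot turn
# into the update flood that gets accounts blocked.
# Added example for this thread, not any poster's script. Assumed: the
# DynDNS2-style nic/update URL, ftp(1) from base as the HTTP client,
# and the state directory below; all hostnames/addresses are placeholders.

STATE_DIR="${DDNS_STATE_DIR:-/var/db/ddns}"   # assumed location, mode 0700
MIN_INTERVAL="${DDNS_MIN_INTERVAL:-600}"       # seconds between pushes

# Last address we pushed, or the empty string if nothing was recorded.
state_ip() {
    [ -r "$1/last_ip" ] && cat "$1/last_ip"
    return 0
}

# Seconds since the last successful push ($1 = state dir, $2 = now as
# epoch seconds, passed in so the logic can be tested without a clock).
seconds_since_push() {
    if [ -r "$1/last_push" ]; then
        echo $(( $2 - $(cat "$1/last_push") ))
    else
        echo 999999
    fi
}

# Decision function: prints "same", "throttled" or "update".
# $1 = state dir, $2 = current address, $3 = now (epoch seconds)
decide() {
    old=$(state_ip "$1")
    if [ "$2" = "$old" ]; then
        echo same
    elif [ "$(seconds_since_push "$1" "$3")" -lt "$MIN_INTERVAL" ]; then
        echo throttled
    else
        echo update
    fi
}

# Remember what was pushed and when; the directory is owner-only.
record_push() {
    mkdir -p "$1" && chmod 700 "$1"
    printf '%s\n' "$2" > "$1/last_ip"
    printf '%s\n' "$3" > "$1/last_push"
}

# First IPv4 address in ifconfig(8) output read from stdin
# ("inet A.B.C.D netmask ..." lines; inet6 lines are skipped).
first_inet4() {
    awk '$1 == "inet" { print $2; exit }'
}

# Push via the DynDNS2 protocol. Credentials ("user:password") are read
# from a 0600 file named in DDNS_AUTH_FILE rather than written into the
# script. Prints the provider's one-line answer ("good ..." / "nochg ...").
push_update() {
    auth=$(cat "${DDNS_AUTH_FILE:?}")
    ftp -o - "https://${auth}@members.dyndns.org/nic/update?hostname=$1&myip=$2"
}

main() {
    now=$(date +%s)
    cur=$(ifconfig "${DDNS_IFACE:?}" | first_inet4)
    [ -n "$cur" ] || { echo "no IPv4 address on $DDNS_IFACE" >&2; exit 1; }
    case $(decide "$STATE_DIR" "$cur" "$now") in
    same)      exit 0 ;;
    throttled) echo "address changed but last push too recent; retry later" >&2
               exit 0 ;;
    update)
        resp=$(push_update "$DDNS_HOST" "$cur") || exit 1
        case $resp in
        good*|nochg*) record_push "$STATE_DIR" "$cur" "$now" ;;
        *) echo "provider answered: $resp" >&2; exit 1 ;;
        esac ;;
    esac
}

# Run only when configured, e.g. from cron every few minutes with
# DDNS_HOST, DDNS_IFACE and DDNS_AUTH_FILE set; otherwise just define
# the functions so they can be sourced and tested.
if [ -n "${DDNS_HOST:-}" ]; then
    main
fi
```

The state is only rewritten after the provider acknowledged the push, so a failed push is retried on the next cron run rather than silently recorded as done. One caveat of this simple form: while ftp(1) runs, the URL with the credentials in it is visible in the process list to other local users, which is fine on a single-user home router but worth replacing with a netrc-style credential source on a shared machine.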



Re: security(8) and maildir

2012-04-16 Thread Stuart Henderson
On 2012-04-16, Zé Loff zel...@zeloff.org wrote:
 It is hard to guess what you need from the scarce information you
 provide.

 I'm sorry... On hindsight, that was _very_ little information.
 I'm running 5.0, with postfix as an MTA, delivering mail for two virtual
 domains (maildir). Courier is used for IMAP, and runs as vmail:vmail.

 Can you show the output of
 # ls -al /var/mail

 $ ls -l /var/mail
 total 2148
 -rw-------  1 root    wheel  1076477 Jan 14 16:13 root
 drwx------  4 vmail   vmail      512 Dec  5 00:33 vmail
 -rw-------  1 zeloff  users        0 Jan 10  2011 zeloff

 Inside /var/mail/vmail is a folder of each of the virtual domains, and
 inside that one for every user, etc. Every thing from here on down has
 either 700 (folders) or 600 (files) permissions.

/var/mail is intended for user-owned mbox files, I would think
moving your maildirs elsewhere is more sane. I tend to use /mail
for virtual user mailboxes but each to their own :)

 Relocating the whole thing is most probably the best idea, but is there
 anything wrong with this patch I came up with?

that looks alright as a local patch but I have no idea if there's
something else which might be unhappy about nonstandard use of
/var/mail.



VPN on OpenBSD: OpenSSH or OpenVPN?

2012-04-16 Thread Kostas Zorbadelos
Hello all,

if this has been discussed in the past, forgive my asking and please
point me to the archives. I am interested in building a server VPN 
solution for a sensitive corporate LAN. The use case is travelling,
roaming users who just want secure access to the corporate LAN. I am
not interested in permanent VPN setups (for which I guess IPSEC tunnels
would be more appropriate). 

The server OS will be OpenBSD of course. The main concerns and project
requirements are:
- client remote access to a corporate LAN
- on demand VPN for the duration of the need only
- ability to support multiple users concurrently
- cross platform (clients should be supported in as many OSes as
possible)
- performance
- strong security (of course) and easy, automated configuration for the
client 
- IPv6 and IPv4 support (in a perhaps NATed environment)

Should I go for OpenSSH with its tun(4) VPN features or do you think an
OpenVPN solution would be more appropriate?
After a quick search, my main source of information is [1] and [2]. It
is also mentioned that tunneling over TCP can have issues especially in
bad connection environments (not sure if this is true or not).
Any input highly welcome :)

Regards,

Kostas

[1] http://www.kernel-panic.it/openbsd/vpn/index.html
[2] http://www.daemonforums.org/showthread.php?t=2610

-- 
Kostas Zorbadelos   
twitter:@kzorbadelos  http://gr.linkedin.com/in/kzorba

()  www.asciiribbon.org - against HTML e-mail & proprietary attachments
/\



Re: VPN on OpenBSD: OpenSSH or OpenVPN?

2012-04-16 Thread Tobias Crefeld
On Mon, 16 Apr 2012 22:35:16 +0300, Kostas Zorbadelos kzo...@otenet.gr
wrote:

 if this has been discussed in the past, forgive my asking and please
 point me to the archives. I am interested in building a server VPN 
 solution for a sensitive corporate LAN. The use case is travelling,
 roaming users who just want a secure access in the corporate LAN. I am
 not interested in permanent VPN setups (for which I guess IPSEC
 tunnels would be more appropriate). 

We are running OpenVPN on OpenBSD-servers for roaming users AND for
site-to-site-connections for approx. 5 years now. Only tcp, no udp. 
Roaming users use WinXP, Vista, Win7, Ubuntu and opensuse with
certificates (managed by easy-rsa).
Site-site-connections use OpenVPN-static-keys (and non-standard-ports,
of course).

Runs pretty stable, even if a link is temporarily overloaded or if the
UMTS connection gets interrupted by a railway tunnel... ;)
The only thing that doesn't work well is OSPF over OpenVPN, but maybe
this is only due to the really old release of one of the
OpenBSD servers.


Regards,
 Tobias.



Re: VPN on OpenBSD: OpenSSH or OpenVPN?

2012-04-16 Thread Liviu Daia
On 16 April 2012, Kostas Zorbadelos kzo...@otenet.gr wrote:
[...]
 Should I go for OpenSSH with its tun(4) VPN features or do you think
 an OpenVPN solution would be more appropriate?
[...]

You should probably avoid SSH.  Without actually looking at the
code, I'd say SSH VPNs are prone to TCP-over-TCP meltdown.

The better options are OpenVPN and IPsec.  OpenVPN is relatively
straightforward to set up, and it mostly works.  IPsec is more robust,
and can interoperate with more systems, but setting it up involves a
deeper understanding of what you're doing, and possibly more fiddling.

Regards,

Liviu Daia



Re: VPN on OpenBSD: OpenSSH or OpenVPN?

2012-04-16 Thread Rod Whitworth
On Tue, 17 Apr 2012 03:40:53 +0300, Liviu Daia wrote:

You should probably avoid SSH.  Without actually looking at the
code, I'd say SSH VPNs are prone to TCP-over-TCP meltdown.


And plenty of people use TCP in preference to the original UDP in
OpenVPN.

Sometimes it works very well for a long time and then no-one knows why
failures happen. We didn't change anything 

I never suffered from problems with OpenVPN using UDP.





Re: VPN on OpenBSD: OpenSSH or OpenVPN?

2012-04-16 Thread Tomas Bodzar
On Mon, Apr 16, 2012 at 9:35 PM, Kostas Zorbadelos kzo...@otenet.gr wrote:

This one is a good overview as well:
http://undeadly.org/cgi?action=article&sid=20090903183235

