Re: [Question] Building whitelists so that spamd greylisting can work without users perceiving delivery delays...

2013-03-28 Thread Steve Williams

On 3/28/2013 10:52 AM, Sarah Caswell wrote:

Hi all,

I had a question about greylisting (with spamd) in production.

I've successfully run spamd on firewalls (as a frontend to either barracuda or 
SpamAssassin) and have really liked the reduction in SPAM volume.

Unfortunately my employer's wife does not like the delays that this introduces 
into our mail delivery, since she uses email for quick turn-around 
communication.

The main problem occurs with senders like Gmail, yahoo, hotmail, etc. ...i.e. 
all the senders that have large farms of smtp servers from which they can retry 
delivery after initial greylisting delay.

I know this means I'm not doing proper whitelisting of those major sender 
domains, but I'm at a loss on how to best construct and maintain such a 
whitelist.

Are there any up-to-date lists that already track the MTAs of these large mail 
providers?

Or will this mostly be a DIY effort on my part?

Any thoughts/insights/experiences would be greatly appreciated.

:-)

Sarah



Hi,

Years ago I was faced with the same frustration on my own system.  I 
ended up writing a shell/awk script that I run 2x a day.


Basically, you build up a list of "trusted" hosts and whitelist them.  
Whenever I got delayed mail that I noticed, I would add the hostname to 
the "trusted" list and my script would automatically whitelist them the 
next time it ran (or when I ran it manually).


It may not be perfect, but it's worked flawlessly for probably 4 years now.

It's designed to work with sites that use SPF records, and it doesn't 
know about IPv6, which is not an issue in my case.


If you are interested in my script, feel free to contact me off list.

The output for google.com is:
#---
# google.com
#---
# Got 5 elements in [v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all]

# queueing for spf lookup: [_spf.google.com]
216.73.93.70/31
216.73.93.72/31
# ==
# Recursing for additional spf records
# ==
#---
# _spf.google.com
#---
# Got 5 elements in [v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ?all]
# queueing for spf lookup: [_netblocks.google.com]
# queueing for spf lookup: [_netblocks2.google.com]
# queueing for spf lookup: [_netblocks3.google.com]
# ==
# Recursing for additional spf records
# ==
#---
# _netblocks.google.com
#---
# Got 12 elements in [v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all]

216.239.32.0/19
64.233.160.0/19
66.249.80.0/20
72.14.192.0/18
209.85.128.0/17
66.102.0.0/20
74.125.0.0/16
64.18.0.0/20
207.126.144.0/20
173.194.0.0/16
#---
# _netblocks2.google.com
#---
# Got 8 elements in [v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ?all]
# UNKNOWN: [ip6:2001:4860:4000::/36]
# UNKNOWN: [ip6:2404:6800:4000::/36]
# UNKNOWN: [ip6:2607:f8b0:4000::/36]
# UNKNOWN: [ip6:2800:3f0:4000::/36]
# UNKNOWN: [ip6:2a00:1450:4000::/36]
# UNKNOWN: [ip6:2c0f:fb50:4000::/36]
#---
# _netblocks3.google.com
#---
# Got 2 elements in [v=spf1 ?all]
# Returning from recursion
# Returning from recursion



Re: OpenBSD as NAS

2013-03-28 Thread Alan Cheng
I did this on similar hardware (Atom d525 + 4G + 100M LAN + 1 SATA2
drive) a few weeks ago with an OpenBSD AMD64 snapshot, but now I switched to
Ubuntu due to a file copy performance issue. I can get around 10MB/s on
OpenBSD, but around 20MB/s with Ubuntu on the same hardware.

One major difference here: my NAS is not for disaster, it's simply for file
sharing.  All data is backed up somewhere else. It's also my wireless AP,
btw.

I'll be glad to know if there are any tips/advice to get better file copy
speed on an OpenBSD NAS.


On Thu, Mar 28, 2013 at 11:03 PM, Jan Lambertz wrote:

> Hi there,
> to be prepared for storage disaster i am planning to upgrade my home
> box. It is an intel atom d525 with 2gig mem. I'm planning to build up a
> small raid 10
> with standard sata 5.25 inch drives. 1000 mbit lan. This storage will
> mainly be used for samba shares, backups and nfs shares. Of course i want
> massive performance. What do you suggest ?
> Change cpu
> Change filesystem (os)
> Parameters ?
> Do something other ?
> Any experiences in read /write speed of this hardware ?



Re: ftp(1) errors on an HTTPS url

2013-03-28 Thread Stuart Henderson
Stuart Henderson  spacehopper.org> writes:
> On 2012-11-18, Rodolfo Gouveia  cosmico.net> wrote:
> > On Fri, Nov 16, 2012 at 08:23:40PM +, Rodolfo Gouveia wrote:
> >> Hello,
> >> It seems that https://www.prelude-ids.org doesn't play well with
> >> the ftp(1).
>
> One thing I noticed is that if I connect with openssl s_client and
> make a GET or HEAD request using the HOST header, this server does a
> renegotiation. [...]

Found another site hitting this; https://issues.asterisk.org/.

Just like prelude-ids.org, this one renegotiates as soon as you send a GET/HEAD
with a HOST header.

$ openssl s_client -connect issues.asterisk.org:443
[...]
Start Time: 1364503452
Timeout   : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
GET /jira/ HTTP/1.0
HOST: issues.asterisk.org

depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
read R BLOCK
HTTP/1.1 302 Moved Temporarily
Date: Thu, 28 Mar 2013 20:44:18 GMT
[...]

Responses to "ftp -o- https://issues.asterisk.org/jira/browse/ASTERISK-21207"
vary between

ftp: Improper response from issues.asterisk.org

Segmentation fault (core dumped) 

ftp: Error retrieving file: Inc.1^T0^R^F<...bunch of data from the new cert..>



EuroBSDcon 2013 Call for Proposals

2013-03-28 Thread Claudio Jeker
EuroBSDcon 2013: September 26-29 in Malta
=

EuroBSDcon is the European technical conference for users and
developers of BSD-based systems. The conference will take place on
Thursday, September 26 through Sunday, September 29 at the Hilton
http://goo.gl/maps/hnACd in St. Julian's, Malta (tutorials on
Thursday and Friday, talks on Saturday and Sunday).

Call for Proposals
--
The EuroBSDcon program committee is inviting BSD developers and
users to submit innovative and original talk proposals not previously
presented at other European conferences.

Topics of interest to the conference include, but are not limited
to applications, architecture, implementation, performance and
security of BSD-based operating systems, as well as topics concerning
the economic or organizational aspects of BSD use.

Presentations are expected to be 45 minutes and are to be delivered
in English.

Call for Tutorial Proposals
---
The EuroBSDcon program committee is also inviting qualified
practitioners in their field to submit proposals for half or full
day tutorials on topics relevant to development, implementation and
use of BSD-based systems.

Half-day tutorials are expected to be 2.5 to 3 hours and full-day
tutorials 5 to 6 hours. Tutorials are held in English.

Submissions
---
Proposals should be sent by email to .
They should contain a short and concise text description in about
100 words. The submission should also include a short CV of the
speaker and an estimate of the expected travel expenses.  Please
submit each proposal as a separate email.

Important dates
---
The EuroBSDcon program committee is accepting talk and tutorial
proposals until Monday, May 25 2013. Other important dates will be
announced soon on the conference website http://2013.EuroBSDcon.org/.



Re: ftp-proxy(8) and ftpd(8) on the same host

2013-03-28 Thread LEVAI Daniel
On cs, márc 28, 2013 at 08:11:07 +0100, Camiel Dobbelaar wrote:
> It does not work on the same server.
> 
> You might try rules with "user _ftp" in pf.conf.
> 

On cs, márc 28, 2013 at 10:14:15 +, Alexey E. Suslikov wrote:
> Camiel Dobbelaar  sentia.nl> writes:
> 
> > It does not work on the same server.
> 
> There was an attempt to handle such a things
> 
> http://article.gmane.org/gmane.os.openbsd.tech/23343/


Thanks guys, I went with the username based pf rule, it was a good call,
I didn't remember this pf parameter, but it fit well with this setup. I
only have to keep the username list up-to-date, which is not much of a
burden, really.


Thanks again,
Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F



Re: [Question] Building whitelists so that spamd greylisting can work without users perceiving delivery delays...

2013-03-28 Thread Peter N. M. Hansteen
Sarah Caswell  writes:

> The main problem occurs with senders like Gmail, yahoo, hotmail,
> etc. ...i.e. all the senders that have large farms of smtp servers
> from which they can retry delivery after initial greylisting delay.
>
> I know this means I'm not doing proper whitelisting of those major
> sender domains, but I'm at a loss on how to best construct and
> maintain such a whitelist.
>
> Are there any up-to-date lists that already track the MTAs of these large 
> mail providers?

I think you would need to construct it by hand. I very occasionally
update my /etc/mail/nospamd, and then mostly by looking for relevant
domains' published spf records. for example for gmail, 

[Thu Mar 28 18:49:27] peter@deeperthought:~$ host -ttxt gmail.com
gmail.com descriptive text "v=spf1 redirect=_spf.google.com"
[Thu Mar 28 18:49:37] peter@deeperthought:~$ host -ttxt _spf.google.com
_spf.google.com descriptive text "v=spf1 include:_netblocks.google.com 
include:_netblocks2.google.com include:_netblocks3.google.com ?all"

[Thu Mar 28 18:52:02] peter@deeperthought:~$ for foo in _netblocks.google.com 
_netblocks2.google.com _netblocks3.google.com ; do host -ttxt $foo ; done
_netblocks.google.com descriptive text "v=spf1 ip4:216.239.32.0/19 
ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 
ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 
ip4:173.194.0.0/16 ?all"
_netblocks2.google.com descriptive text "v=spf1 ip6:2001:4860:4000::/36 
ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 
ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ?all"
_netblocks3.google.com descriptive text "v=spf1 ?all"

and so forth. Not all domains publish SPF, and you may need to work
around a certain bitrot factor. And spend some time poring over your
spamd log to weed out the non-obvious ones. 

Then again, I just decided to share mine, which is the product of just
the process I've described.  It's up at http://www.bsdly.net/~peter/nospamd
free to use, corrections welcome (will be rewarded with a personal thank
you message ;)).

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
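The procedure both replies describe, following a domain's SPF policy through redirect= and include: until only ip4:/ip6: networks are left, as an added example that is neither Steve Williams' shell/awk script nor the nospamd file Peter links. The resolver is a parameter; the one used here is a constructed in-memory zone holding the google.com and gmail.com TXT records quoted above plus made-up names (mail.example, loop.example, many.example and i0.example to i10.example) that exercise the mx/a mechanisms, an include loop and the lookup limit; none of those are real domains. It goes a little beyond the thread: only pass-qualified terms become whitelist entries (a `-ip4:` or `~all` block is not a sender to trust), an include/redirect loop is refused, and the RFC 7208 limit of ten DNS-querying terms is enforced, which is what keeps a generator that runs unattended twice a day from doing unbounded DNS work on a broken or hostile policy.

```python
# Added example (not Steve's shell/awk script and not Peter's nospamd file):
# expand a domain's SPF policy into netblocks for an spamd whitelist.
import ipaddress
import re

# Constructed stand-in for DNS (assumption): the TXT records quoted in the thread
# plus made-up *.example names that exercise the mx/a, loop and limit paths.
FAKE_ZONE = {
    ("TXT", "gmail.com"): ["v=spf1 redirect=_spf.google.com"],
    ("TXT", "google.com"): ["v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"],
    ("TXT", "_spf.google.com"): ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
                                 "include:_netblocks3.google.com ?all"],
    ("TXT", "_netblocks.google.com"): ["v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
                                       "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 "
                                       "ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"],
    ("TXT", "_netblocks2.google.com"): ["v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 "
                                        "ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 "
                                        "ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ?all"],
    ("TXT", "_netblocks3.google.com"): ["v=spf1 ?all"],
    ("TXT", "mail.example"): ["v=spf1 mx a:relay.example -all"],       # constructed
    ("MX", "mail.example"): ["mx1.example"],
    ("A", "mx1.example"): ["192.0.2.10"],
    ("A", "relay.example"): ["192.0.2.20", "192.0.2.21"],
    ("TXT", "loop.example"): ["v=spf1 include:loop.example -all"],      # constructed
}
for k in range(11):   # constructed: eleven includes, one over the RFC 7208 limit
    FAKE_ZONE[("TXT", f"i{k}.example")] = [f"v=spf1 ip4:10.0.{k}.0/24 -all"]
FAKE_ZONE[("TXT", "many.example")] = ["v=spf1 " + " ".join(f"include:i{k}.example" for k in range(11)) + " -all"]

def fake_resolver(qtype, name):
    """Resolver hook; a real one issues TXT/A/MX queries (e.g. wrapping host -t txt)."""
    return FAKE_ZONE.get((qtype, name.lower()), [])

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}   # each costs a DNS query
TERM_RE = re.compile(r"^([+\-~?]?)([^:=/]*)(?:([:=/])(.*))?$")        # qualifier, mechanism, sep, arg

def spf_record(resolver, name):
    """The domain's single SPF record, or None when there is none or more than one."""
    recs = [t for t in resolver("TXT", name) if t.lower().split(" ")[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None

def expand_spf(domain, resolver, max_lookups=10):
    """Return (ipv4 networks, ipv6 networks, warnings) for the domain's policy."""
    nets, warnings, seen = set(), [], set()
    budget = [max_lookups]                  # DNS-querying terms still allowed

    def walk(name):
        name = name.lower()
        if name in seen:
            warnings.append(f"{name}: already expanded (loop or duplicate include), skipped")
            return
        seen.add(name)
        rec = spf_record(resolver, name)
        if rec is None:
            warnings.append(f"{name}: no single SPF record, skipped")
            return
        redirect = None
        for term in rec.split()[1:]:
            m = TERM_RE.match(term)
            qual, mech, sep, arg = m.group(1), m.group(2).lower(), m.group(3), m.group(4)
            if mech in LOOKUP_MECHS:        # counted even when the term is ignored below
                budget[0] -= 1
                if budget[0] < 0:
                    warnings.append(f"{name}: over {max_lookups} DNS lookups (PermError), stopped")
                    return
            if mech == "all":
                if qual in ("", "+"):       # "+all" would whitelist the whole Internet
                    warnings.append(f"{name}: +all ignored")
                continue
            if qual not in ("", "+"):       # -, ~ and ? terms are not senders to trust
                continue
            if mech in ("ip4", "ip6"):
                try:
                    nets.add(ipaddress.ip_network(arg, strict=False))
                except ValueError:
                    warnings.append(f"{name}: bad network in {term!r}")
            elif mech == "include":
                walk(arg)
            elif mech == "redirect":
                redirect = arg              # evaluated after the other terms
            elif mech in ("a", "mx") and sep != "/":
                hosts = [arg or name] if mech == "a" else resolver("MX", arg or name)
                nets.update(ipaddress.ip_network(a) for h in hosts for a in resolver("A", h))
            else:                           # ptr, exists, dual-CIDR a/mx, macros: not expanded
                warnings.append(f"{name}: term {term!r} not expandable")
        if redirect:
            walk(redirect)

    walk(domain)
    v4 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4, v6, warnings

def nospamd_lines(domain, resolver=fake_resolver):
    """Lines for /etc/mail/nospamd: a comment header, any warnings, then one CIDR per line."""
    v4, v6, warnings = expand_spf(domain, resolver)
    lines = [f"# {domain}: {len(v4)} ipv4 + {len(v6)} ipv6 blocks from SPF"]
    lines += [f"# WARNING: {w}" for w in warnings]
    return lines + [str(n) for n in v4 + v6]
```

Swapping fake_resolver for a function that issues real TXT, A and MX queries is all that is needed to run this against live domains; `print("\n".join(nospamd_lines("gmail.com")))` then yields the ten ip4 and six ip6 blocks quoted above, adjacent blocks already collapsed. Read the `# WARNING:` lines before the output goes into /etc/mail/nospamd, and drop the IPv6 lines if the spamd in use only handles IPv4, as Steve's script assumes.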



[Question] Building whitelists so that spamd greylisting can work without users perceiving delivery delays...

2013-03-28 Thread Sarah Caswell
Hi all,

I had a question about greylisting (with spamd) in production.

I've successfully run spamd on firewalls (as a frontend to either barracuda or 
SpamAssassin) and have really liked the reduction in SPAM volume.

Unfortunately my employer's wife does not like the delays that this introduces 
into our mail delivery, since she uses email for quick turn-around 
communication.

The main problem occurs with senders like Gmail, yahoo, hotmail, etc. ...i.e. 
all the senders that have large farms of smtp servers from which they can retry 
delivery after initial greylisting delay. 

I know this means I'm not doing proper whitelisting of those major sender 
domains, but I'm at a loss on how to best construct and maintain such a 
whitelist.

Are there any up-to-date lists that already track the MTAs of these large mail 
providers?

Or will this mostly be a DIY effort on my part?

Any thoughts/insights/experiences would be greatly appreciated.

:-)

Sarah


-- 
"To speak another language is to possess another soul" - Charlemagne



Re: OpenBSD as NAS

2013-03-28 Thread Zoran Kolic
> to be prepared for storage disaster i am planning to upgrade my home
> box. It is an intel atom d525 with 2gig mem. I'm planning to build up a
> small raid 10
> with standard sata 5.25 inch drives. 1000 mbit lan. This storage will
> mainly be used for samba shares, backups and nfs shares. Of course i want
> massive performance. What do you suggest ?

Since you posted on the openbsd list, I suppose you want to
use openbsd. You seem not to be shy of spending some
bucks on the security of the content, so there is another
option to look for:

http://www.qnap.com/useng/index.php?lang=en-us&sn=862&c=355&sc=526&t=694&n=12501

Personally, I'd go after a cheaper solution in the same tribe. Some
older model, if available.
If you build your own box, that might prove itself better. I always
do it. The very question is to find proper applications to fulfil
your needs.
Best regards

   Zoran



delete-old

2013-03-28 Thread Christian Weisgerber
Those who also update FreeBSD machines from source may know "make
delete-old", which offers to delete obsolete files and directories.

Here's the same as a shell script.

8<
#!/bin/sh
#
# Offer to remove files, shared libraries and directories that the set
# lists no longer mention since $BASE, in the spirit of FreeBSD's
# "make delete-old".

ARCH=$(uname -m)
BASE=-rOPENBSD_5_3_BASE

# Lines removed from the set lists since $BASE: "-./usr/bin/foo" in the
# cvs diff output becomes "/usr/bin/foo".
list=$(
	cd /usr/src/distrib/sets/lists &&
	cvs -Rq diff -u ${BASE} */mi */md.${ARCH} |
	sed -n 's:^-\./:/:p'
)

# Sort the candidates into regular files, shared libraries and directories;
# libraries are handled separately because old binaries may still need them.
files=
libs=
dirs=
while read file; do
	if [ -f "$file" -o -h "$file" ]; then
		case $file in
		*.so.[0-9].[0-9] | \
		*.so.[0-9].[0-9][0-9] | \
		*.so.[0-9][0-9].[0-9] | \
		*.so.[0-9][0-9].[0-9][0-9] )
			if [ -z "$libs" ]; then libs=$file
			else libs="$libs
$file"
			fi
			;;
		*)
			if [ -z "$files" ]; then files=$file
			else files="$files
$file"
			fi
			;;
		esac
	elif [ -d "$file" ]; then
		if [ -z "$dirs" ]; then dirs=$file
		else dirs="$dirs
$file"
		fi
	fi
done <<-EOF
	$list
EOF

# The loops below read the candidate list from a here-document, so the
# original stdin is saved on fd 3 for rm -i to read its answers from.
delete-old-files()
{
	echo ">>> Removing old files"
	if [ -n "$files" ]; then
		exec 3>&0
		while read file; do
			rm -i "$file" <&3
		done <<-EOF
		$files
		EOF
	fi
}

delete-old-libs()
{
	echo ">>> Removing old libraries"
	if [ -n "$libs" ]; then
		exec 3>&0
		while read file; do
			rm -i "$file" <&3
		done <<-EOF
		$libs
		EOF
	fi
}

# Directories are only removed when empty (rmdir); the ones removed are echoed.
delete-old-dirs()
{
	echo ">>> Removing old directories"
	if [ -n "$dirs" ]; then
		while read file; do
			rmdir "$file" && echo "$file"
		done <<-EOF
		$dirs
		EOF
	fi
}

delete-old-files
delete-old-libs
delete-old-dirs
>8

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: newline characters in kernel messages

2013-03-28 Thread Sergey Bronnikov
new patch below

On 09:03 Thu 28 Mar , Alexander Hall wrote:
> On 03/28/13 08:27, Sergey Bronnikov wrote:
> >please commit
> >
> >On 17:20 Sat 23 Mar , Sergey Bronnikov wrote:
> >>Hi
> >>
> >>I have found that several kernel messages doesn't contain newline character.
> >>Patches attached.
> 
> For the record, that patch sure looks reversed... Eh, and redundant. :-)
> 
> Preferably, use `cvs diff -uNp`.
> 
> /Alexander

Index: sys/arch/amd64/amd64/acpi_machdep.c
===
RCS file: /cvs/src/sys/arch/amd64/amd64/acpi_machdep.c,v
retrieving revision 1.52
diff -u -p -u -p -r1.52 acpi_machdep.c
--- sys/arch/amd64/amd64/acpi_machdep.c 27 Nov 2012 17:38:45 -  1.52
+++ sys/arch/amd64/amd64/acpi_machdep.c 28 Mar 2013 15:28:49 -
@@ -300,7 +300,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, in
if (state == ACPI_STATE_S4) {
uvm_pmr_zero_everything();
if (hibernate_suspend()) {
-   printf("%s: hibernate_suspend failed",
+   printf("%s: hibernate_suspend failed\n",
DEVNAME(sc));
hibernate_free();
uvm_pmr_dirty_everything();
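Review bot: the newline itself is right; the thing to tidy before commit is the file header, whose `diff -u -p -u -p -r1.52` shows the options were passed twice (a plain `cvs diff -up`, as Alexander suggested, produces a single `-u -p`). Harmless for applying, but regenerate so the header matches what the tree usually carries.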
@@ -318,7 +318,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, in
boothowto &= ~RB_POWERDOWN;
 
acpi_sleep_pm(sc, state);
-   printf("%s: acpi_sleep_pm failed", DEVNAME(sc));
+   printf("%s: acpi_sleep_pm failed\n", DEVNAME(sc));
return (ECANCELED);
}
/* Resume path */
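Review bot: this message is printed only when acpi_sleep_pm() returns, i.e. when the machine failed to enter the requested sleep state, and it does not say which state was asked for; `state` is an argument of acpi_sleep_cpu() and in scope here, so consider `printf("%s: acpi_sleep_pm failed for state %d\n", DEVNAME(sc), state);` so that dmesg distinguishes a failed S3 from a failed S4.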


Index: sys/arch/i386/i386/acpi_machdep.c
===
RCS file: /cvs/src/sys/arch/i386/i386/acpi_machdep.c,v
retrieving revision 1.46
diff -u -p -u -p -r1.46 acpi_machdep.c
--- sys/arch/i386/i386/acpi_machdep.c   27 Nov 2012 17:38:45 -  1.46
+++ sys/arch/i386/i386/acpi_machdep.c   28 Mar 2013 15:30:51 -
@@ -325,7 +325,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, in
if (state == ACPI_STATE_S4) {
uvm_pmr_zero_everything();
if (hibernate_suspend()) {
-   printf("%s: hibernate_suspend failed",
+   printf("%s: hibernate_suspend failed\n",
DEVNAME(sc));
hibernate_free();
uvm_pmr_dirty_everything();
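Review bot: this hunk is identical, line for line, to the amd64 one above (same function, same message, same surrounding calls), which means the suspend path of acpi_sleep_cpu() is duplicated between sys/arch/amd64 and sys/arch/i386 and every fix of this kind has to be made twice. Out of scope for a newline fix, but worth a follow-up that moves the shared part into common code.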
@@ -343,7 +343,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, in
boothowto &= ~RB_POWERDOWN;
 
acpi_sleep_pm(sc, state);
-   printf("%s: acpi_sleep_pm failed", DEVNAME(sc));
+   printf("%s: acpi_sleep_pm failed\n", DEVNAME(sc));
return (ECANCELED);
}
/* Resume path */
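Review bot: with both arches covered it is worth confirming, before commit, that these two files contain no further format strings ending without a newline; `grep -n 'failed"' sys/arch/amd64/amd64/acpi_machdep.c sys/arch/i386/i386/acpi_machdep.c` lists any printf whose format still ends in `failed"` rather than `failed\n"`.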


-- 
sergeyb@

OpenBSD as NAS

2013-03-28 Thread Jan Lambertz
Hi there,
to be prepared for storage disaster i am planning to upgrade my home
box. It is an intel atom d525 with 2gig mem. I'm planning to build up a
small raid 10
with standard sata 5.25 inch drives. 1000 mbit lan. This storage will
mainly be used for samba shares, backups and nfs shares. Of course i want
massive performance. What do you suggest ?
Change cpu
Change filesystem (os)
Parameters ?
Do something other ?
Any experiences in read /write speed of this hardware ?



Re: Spamassassin fails to start after upgrade to latest snapshot

2013-03-28 Thread James Griffin
.. Thu 28.Mar'13 at 14:01:10 +0100  Remco ...

> James Griffin wrote:
> 
> > Hi
> > 
> > Basically, as the subject says: I upgraded to the latest snapshot and now
> > spamassassin fails start.
> > 
> > This is the error out when I try to start it from the command-line:

[snip]

> > Cheers, Jamie.
> > 
> > 
> 
> Maybe you're bitten by the perl update as described in 
> http://www.openbsd.org/faq/current.html.

Yes, looks like it. I'll just wait for the updates then. Cheers Remco. 


-- 
James Griffin:  jmz at kontrol.kode5.net 
jmzgriffin at gmail.com

A4B9 E875 A18C 6E11 F46D  B788 BEE6 1251 1D31 DC38



Re: Spamassassin fails to start after upgrade to latest snapshot

2013-03-28 Thread Remco
James Griffin wrote:

> Hi
> 
> Basically, as the subject says: I upgraded to the latest snapshot and now
> spamassassin fails start.
> 
> This is the error out when I try to start it from the command-line:
> 
> 
> Bad arg length for NetAddr::IP::Util::mask4to6, length is 128, should be
> 32 at /usr/local/libdata/perl5/site_perl/amd64-openbsd/NetAddr/IP/Lite.pm
> line 625. Compilation failed in require at
> /usr/local/libdata/perl5/site_perl/amd64-openbsd/NetAddr/IP.pm line 7.
> BEGIN failed--compilation aborted at
> /usr/local/libdata/perl5/site_perl/amd64-openbsd/NetAddr/IP.pm line 7.
> Compilation failed in require at
> /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/NetSet.pm line 25.
> BEGIN failed--compilation aborted at
> /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/NetSet.pm line 25.
> Compilation failed in require at
> /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/Conf.pm line 86.
> BEGIN failed--compilation aborted at
> /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/Conf.pm line 86.
> Compilation failed in require at
> /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin.pm line 71. BEGIN
> failed--compilation aborted at
> /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin.pm line 71.
> Compilation failed in require at /usr/local/bin/spamassassin line 80.
> BEGIN failed--compilation aborted at /usr/local/bin/spamassassin line 80.
> 
> Not sure exactly what the problem is. Has anyone else seen this and does
> anyone know what I can do to fix it?
> 
> Cheers, Jamie.
> 
> 

Maybe you're bitten by the perl update as described in 
http://www.openbsd.org/faq/current.html.



Spamassassin fails to start after upgrade to latest snapshot

2013-03-28 Thread James Griffin
Hi

Basically, as the subject says: I upgraded to the latest snapshot and now 
spamassassin fails to start. 

This is the error output when I try to start it from the command-line:


Bad arg length for NetAddr::IP::Util::mask4to6, length is 128, should be 32 at 
/usr/local/libdata/perl5/site_perl/amd64-openbsd/NetAddr/IP/Lite.pm line 625.
Compilation failed in require at 
/usr/local/libdata/perl5/site_perl/amd64-openbsd/NetAddr/IP.pm line 7.
BEGIN failed--compilation aborted at 
/usr/local/libdata/perl5/site_perl/amd64-openbsd/NetAddr/IP.pm line 7.
Compilation failed in require at 
/usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/NetSet.pm line 25.
BEGIN failed--compilation aborted at 
/usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/NetSet.pm line 25.
Compilation failed in require at 
/usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/Conf.pm line 86.
BEGIN failed--compilation aborted at 
/usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/Conf.pm line 86.
Compilation failed in require at 
/usr/local/libdata/perl5/site_perl/Mail/SpamAssassin.pm line 71.
BEGIN failed--compilation aborted at 
/usr/local/libdata/perl5/site_perl/Mail/SpamAssassin.pm line 71.
Compilation failed in require at /usr/local/bin/spamassassin line 80.
BEGIN failed--compilation aborted at /usr/local/bin/spamassassin line 80.

Not sure exactly what the problem is. Has anyone else seen this and does anyone 
know what I can do to fix it?

Cheers, Jamie. 


-- 
James Griffin:  jmz at kontrol.kode5.net 
jmzgriffin at gmail.com

A4B9 E875 A18C 6E11 F46D  B788 BEE6 1251 1D31 DC38



Re: bad rule, or special filtering needed for bootp packets?

2013-03-28 Thread Patrick Lamaiziere
Le Wed, 27 Mar 2013 19:28:08 -0700,
David Ruggiero  a écrit :

> Thanks! No, it didn't occur to me, so very appreciated.  I didn't
> remember that you could do that form of the table command to show
> explicit members in a list, so that's also really helpful.
> 
> FWIW, though..I would not have expected that pf would silently
> drop - without any warning message or complaint - an address
> explicitly stated as being a member of a constant table definition.
> Even that address. You're right that (at least in hindsight)
> 0.0.0.0/mask might be treated differently - maybe it uses it as a
> marker for an empty slot or the like?  But regardless of that,  I
> would (a) expect that fact to be documented (if it is, I missed it),
> and (b) expect that the pf parser would say something as it was
> throwing it away (at least a warning message about "unparseable
> address at line XX - ignored" or the like). For it to just drop it on
> the floor and say nothing at all seems - well, kind of non-pf-ish.
> 
> Perhaps worth a documentation patch, if not an actual code patch.

Well, even if 0.0.0.0/32 is not included in the table, your table
should match any address (at least 0.0.0.0/32).

Because !192.168.5.128/25 OR !192.168.10.128/25
OR !192.168.99.128/25 is always true.

int_net = "192.168.5.128/25"
wls_net = "192.168.10.128/25"
ptr_net = "192.168.99.128/25"
table  const { 10.0.0.0/8, 172.16.0.0/12,
192.168.0.0/16, !$int_net, !$wls_net, !$ptr_net, 169.254.0.0/16,
127.0.0.0/8, 192.0.2.0/24, 0.0.0.0/32, 240.0.0.0/4, 255.255.255.255/32 }

Am I wrong? Why does 0.0.0.0 not match this table?

I would be happy to know the behavior, because my "pfulator"(*) does not
behave like PF here.

Thanks, regards.

(*) https://groupes.renater.fr/wiki/jtacl/index
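How pf answers a lookup in a table that mixes positive and negated entries, as an added example: a model written for this page, not pf's code and not the jtacl tool linked above. pf documents table lookups as longest-prefix matching, with a `!` entry excluding addresses from an enclosing positive entry rather than matching everything outside itself; the model applies that rule to the table quoted above with its three macros expanded, and puts the "!A or !B or !C is always true" reading beside it for contrast. Whether pf actually loaded the 0.0.0.0/32 entry is a separate question the model cannot settle, so the table is taken as written.

```python
# Added example (a model, not pf's code): how a pf table with negated entries
# answers lookups, applied to the table from the thread with macros expanded.
import ipaddress

INT_NET = "192.168.5.128/25"
WLS_NET = "192.168.10.128/25"
PTR_NET = "192.168.99.128/25"

# the table from the thread, one pf.conf entry per string (table name is not given there)
TABLE_SOURCE = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "!" + INT_NET, "!" + WLS_NET, "!" + PTR_NET,
    "169.254.0.0/16", "127.0.0.0/8", "192.0.2.0/24", "0.0.0.0/32",
    "240.0.0.0/4", "255.255.255.255/32",
]


def parse_table(entries):
    """pf.conf table entries -> list of (network, negated)."""
    return [(ipaddress.ip_network(e.lstrip("!"), strict=False), e.startswith("!"))
            for e in entries]


def table_lookup(table, addr):
    """Longest-prefix lookup as pf does it: the most specific entry containing
    addr decides, and if that entry is negated the address does not match.
    Returns (matched, deciding entry as a string or None)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in table:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, negated)
    if best is None:                      # no entry covers the address at all
        return False, None
    return (not best[1]), str(best[0])    # a negated winner means "no match"


def naive_disjunction(table, addr):
    """The reading '!A or !B or !C is always true' from the thread: every entry
    treated as an independent boolean, OR-ed together. For contrast only."""
    ip = ipaddress.ip_address(addr)
    return any((ip in net) != negated for net, negated in table)


if __name__ == "__main__":
    t = parse_table(TABLE_SOURCE)
    for a in ("192.168.5.130", "192.168.5.1", "8.8.8.8", "0.0.0.0"):
        print(a, "pf model:", table_lookup(t, a), "naive:", naive_disjunction(t, a))
```

The two readings part company on 8.8.8.8: the disjunction says it matches (it is outside every negated /25), the longest-prefix model says it does not, because no entry covers it and the negated entries only carve holes out of 192.168.0.0/16. On the box, `pfctl -t <name> -T show` prints the entries pf actually holds and `pfctl -t <name> -T test 192.168.5.130 8.8.8.8 0.0.0.0` reports which of them match, which is the check to run the model's answers against, and the place where the 0.0.0.0/32 question gets settled.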



Re: ftp-proxy(8) and ftpd(8) on the same host

2013-03-28 Thread Alexey E. Suslikov
Camiel Dobbelaar  sentia.nl> writes:

> It does not work on the same server.

There was an attempt to handle such a things

http://article.gmane.org/gmane.os.openbsd.tech/23343/



CARP active-active with OSPF on top of gif

2013-03-28 Thread mxb
Hello list,

Anyone have good advice on this?

I currently have SiteA and SiteB with two OpenBSD machines on each end in 
active-active setup.
I also have OSPF on top of gif(on top of IPSec) from each node and crossover 
between nodes.

fw1.siteA  fw1.siteB
fw2.siteA  fw2.siteB

fw1.siteA fw2.siteA.

I occasionally experience "breakdowns" on site-to-site links. It looks like 
ospfd stops talking on gif, but the gifs are up and I'm able to ping each peer. 
ipsecctl shows that tunnels are up and I can confirm this via tcpdump. "pass on 
enc0 keep state (if-bound)" should not let unencrypted traffic escape anyway.

My goal with this setup is to have redundancy and let OSPF decide the routing 
path.
So the priority is not set in ospfd.conf.

area 0.0.0.0 {

# siteA-siteB
interface gif0 { metric 10 }

# crossover
interface trunk0 { metric 5 }

#LAN
interface carp1 { passive }

# ANYCAST
interface lo1 { metric 5 }
}

pfsync0: flags=41 mtu 1500
priority: 0
pfsync: syncdev: trunk0 maxupd: 128 defer: on
groups: carp pfsync

//mxb



Re: newline characters in kernel messages

2013-03-28 Thread Jeffrey 'jf' Lim
If your aim is to introduce newline characters, you got your patch wrong
(reversed!)

-jf

On Thu, Mar 28, 2013 at 3:27 PM, Sergey Bronnikov  wrote:
> please commit
>
> On 17:20 Sat 23 Mar , Sergey Bronnikov wrote:
>> Hi
>>
>> I have found that several kernel messages doesn't contain newline character.
>> Patches attached.
>>
>> --
>> sergeyb@
>
>> --- arch/i386/i386/acpi_machdep.c Sat Mar 23 16:59:09 2013
>> +++ arch/i386/i386/acpi_machdep.c_Sat Mar 23 16:58:48 2013
>> @@ -325,7 +325,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state)
>>   if (state == ACPI_STATE_S4) {
>>   uvm_pmr_zero_everything();
>>   if (hibernate_suspend()) {
>> - printf("%s: hibernate_suspend failed\n",
>> + printf("%s: hibernate_suspend failed",
>>   DEVNAME(sc));
>>   hibernate_free();
>>   uvm_pmr_dirty_everything();
>> @@ -343,7 +343,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state)
>>   boothowto &= ~RB_POWERDOWN;
>>
>>   acpi_sleep_pm(sc, state);
>> - printf("%s: acpi_sleep_pm failed\n", DEVNAME(sc));
>> + printf("%s: acpi_sleep_pm failed", DEVNAME(sc));
>>   return (ECANCELED);
>>   }
>>   /* Resume path */
>
>> --- arch/i386/i386/acpi_machdep.c Sat Mar 23 16:59:09 2013
>> +++ arch/i386/i386/acpi_machdep.c_Sat Mar 23 16:58:48 2013
>> @@ -325,7 +325,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state)
>>   if (state == ACPI_STATE_S4) {
>>   uvm_pmr_zero_everything();
>>   if (hibernate_suspend()) {
>> - printf("%s: hibernate_suspend failed\n",
>> + printf("%s: hibernate_suspend failed",
>>   DEVNAME(sc));
>>   hibernate_free();
>>   uvm_pmr_dirty_everything();
>> @@ -343,7 +343,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state)
>>   boothowto &= ~RB_POWERDOWN;
>>
>>   acpi_sleep_pm(sc, state);
>> - printf("%s: acpi_sleep_pm failed\n", DEVNAME(sc));
>> + printf("%s: acpi_sleep_pm failed", DEVNAME(sc));
>>   return (ECANCELED);
>>   }
>>   /* Resume path */
>
>
> --
> sergeyb@



Re: newline characters in kernel messages

2013-03-28 Thread Alexander Hall

On 03/28/13 08:27, Sergey Bronnikov wrote:

please commit

On 17:20 Sat 23 Mar , Sergey Bronnikov wrote:

Hi

I have found that several kernel messages doesn't contain newline character.
Patches attached.


For the record, that patch sure looks reversed... Eh, and redundant. :-)

Preferably, use `cvs diff -uNp`.

/Alexander



--
sergeyb@



--- arch/i386/i386/acpi_machdep.c   Sat Mar 23 16:59:09 2013
+++ arch/i386/i386/acpi_machdep.c_  Sat Mar 23 16:58:48 2013
@@ -325,7 +325,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state)
if (state == ACPI_STATE_S4) {
uvm_pmr_zero_everything();
if (hibernate_suspend()) {
-   printf("%s: hibernate_suspend failed\n",
+   printf("%s: hibernate_suspend failed",
DEVNAME(sc));
hibernate_free();
uvm_pmr_dirty_everything();
@@ -343,7 +343,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state)
boothowto &= ~RB_POWERDOWN;

acpi_sleep_pm(sc, state);
-   printf("%s: acpi_sleep_pm failed\n", DEVNAME(sc));
+   printf("%s: acpi_sleep_pm failed", DEVNAME(sc));
return (ECANCELED);
}
/* Resume path */



--- arch/i386/i386/acpi_machdep.c   Sat Mar 23 16:59:09 2013
+++ arch/i386/i386/acpi_machdep.c_  Sat Mar 23 16:58:48 2013
@@ -325,7 +325,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state)
if (state == ACPI_STATE_S4) {
uvm_pmr_zero_everything();
if (hibernate_suspend()) {
-   printf("%s: hibernate_suspend failed\n",
+   printf("%s: hibernate_suspend failed",
DEVNAME(sc));
hibernate_free();
uvm_pmr_dirty_everything();
@@ -343,7 +343,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state)
boothowto &= ~RB_POWERDOWN;

acpi_sleep_pm(sc, state);
-   printf("%s: acpi_sleep_pm failed\n", DEVNAME(sc));
+   printf("%s: acpi_sleep_pm failed", DEVNAME(sc));
return (ECANCELED);
}
/* Resume path */




Re: newline characters in kernel messages

2013-03-28 Thread Sergey Bronnikov
please commit

On 17:20 Sat 23 Mar , Sergey Bronnikov wrote:
> Hi
> 
> I have found that several kernel messages doesn't contain newline character.
> Patches attached.
> 
> -- 
> sergeyb@

> --- arch/i386/i386/acpi_machdep.c Sat Mar 23 16:59:09 2013
> +++ arch/i386/i386/acpi_machdep.c_Sat Mar 23 16:58:48 2013
> @@ -325,7 +325,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state)
>   if (state == ACPI_STATE_S4) {
>   uvm_pmr_zero_everything();
>   if (hibernate_suspend()) {
> - printf("%s: hibernate_suspend failed\n",
> + printf("%s: hibernate_suspend failed",
>   DEVNAME(sc));
>   hibernate_free();
>   uvm_pmr_dirty_everything();
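Review bot: this hunk is backwards for the stated purpose: the `-` line is the one that already ends in `\n` and the `+` line is the one without it, so applying the patch removes the newline the subject says is missing. The header shows why: `acpi_machdep.c_` is the `+++` (new) side, i.e. the edited copy and the original were handed to diff in the wrong order. Diff the tree against the repository with `cvs diff -up` instead and the direction comes out right.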
> @@ -343,7 +343,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state)
>   boothowto &= ~RB_POWERDOWN;
>  
>   acpi_sleep_pm(sc, state);
> - printf("%s: acpi_sleep_pm failed\n", DEVNAME(sc));
> + printf("%s: acpi_sleep_pm failed", DEVNAME(sc));
>   return (ECANCELED);
>   }
>   /* Resume path */
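Review bot: same reversal as the hunk above: as written, the acpi_sleep_pm message loses its `\n` rather than gaining one.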

> --- arch/i386/i386/acpi_machdep.c Sat Mar 23 16:59:09 2013
> +++ arch/i386/i386/acpi_machdep.c_Sat Mar 23 16:58:48 2013
> @@ -325,7 +325,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state)
>   if (state == ACPI_STATE_S4) {
>   uvm_pmr_zero_everything();
>   if (hibernate_suspend()) {
> - printf("%s: hibernate_suspend failed\n",
> + printf("%s: hibernate_suspend failed",
>   DEVNAME(sc));
>   hibernate_free();
>   uvm_pmr_dirty_everything();
> @@ -343,7 +343,7 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state)
>   boothowto &= ~RB_POWERDOWN;
>  
>   acpi_sleep_pm(sc, state);
> - printf("%s: acpi_sleep_pm failed\n", DEVNAME(sc));
> + printf("%s: acpi_sleep_pm failed", DEVNAME(sc));
>   return (ECANCELED);
>   }
>   /* Resume path */
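Review bot: this second attachment is the same diff against the same i386 file, so it adds nothing to the first; meanwhile sys/arch/amd64/amd64/acpi_machdep.c carries the same two messages in its acpi_sleep_cpu() and is not touched. One patch covering both arches would be the thing to send.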


-- 
sergeyb@



Re: ftp-proxy(8) and ftpd(8) on the same host

2013-03-28 Thread Camiel Dobbelaar

On 3/27/13 4:14 PM, LEVAI Daniel wrote:

On 5.2-stable, I'm trying to setup the stock ftpd(8) on a machine where
the incoming traffic is not allowed arbitrarily above
net.inet.ip.porthifirst, and the clients wish to use passive mode data
connections.
I thought I could use ftp-proxy(8) to append a pass in rule to the
ftp-proxy anchor every time the client issues a PASV command, allowing
the passive inbound data connection from the client to the server.
I'm running ftp-proxy(8) and ftpd(8) like this:
/usr/sbin/ftp-proxy -D 7 -b  -p  -R 127.0.0.1 -P 21
/usr/libexec/ftpd -D -A -ll -4 -n -W -u 027 -d [-P] # I've tried with
and without -P


It does not work on the same server.

You might try rules with "user _ftp" in pf.conf.