Re: UTF-8 problem with php-7.4

[Boudewijn Dijkstra]

Op Thu, 24 Sep 2020 02:56:51 +0200 schreef Andrew Hewus Fresh  
:

On Wed, Sep 23, 2020 at 09:11:44AM +0200, Boudewijn Dijkstra wrote:

Op Thu, 10 Sep 2020 04:01:30 +0200 schreef Bambero :
> Hi,
>
> It seems that perl regular expressions lost one polish letter (ą):
> https://www.compart.com/en/unicode/U+0105
>
> I can see this problem only under OpenBSD 6.7 with php-7.4 (same >  
version of php under linux is OK)

>
> Ex.:
>
> PHP 7.4.10 or 7.4.5
>  int(1) // OK
>
> PHP 7.4.10 or 7.4.5
>  int(0) // UPS???
>
> PHP 7.3.21
>  int(1) // OK
>
> PHP 7.3.21
>  int(1) // OK
>
> Any ideas how to fix that?
>
> Regards,
> Bambero

The same happens with any UTF-8 sequence that ends in 0x85.  I guess (a  
part of) PHP's PCRE code is not in UTF-8 mode, causing triggers on 
CHAR_NEL (=0x85).


I don't know a lot about PHP or the external PCRE library, but my guess
would be that php is treating the string as bytes not characters.  Can
you try using the "u" (PCRE_UTF8) modifier?

https://www.php.net/manual/en/reference.pcre.pattern.modifiers.php


Indeed with "u" the expected 1 is returned! Now the question is, why is  
this needed on OpenBSD but not in Linux or Windows?





--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: UTF-8 problem with php-7.4

[Boudewijn Dijkstra]

Op Thu, 10 Sep 2020 04:01:30 +0200 schreef Bambero :

Hi,

It seems that perl regular expressions lost one polish letter (ą):
https://www.compart.com/en/unicode/U+0105

I can see this problem only under OpenBSD 6.7 with php-7.4 (same version  
of php under linux is OK)


Ex.:

PHP 7.4.10 or 7.4.5


The same happens with any UTF-8 sequence that ends in 0x85.  I guess (a  
part of) PHP's PCRE code is not in UTF-8 mode, causing triggers on  
CHAR_NEL (=0x85).


for ($i = 0x75; $i <= 0x825; $i++) {
$u = mb_chr($i);
$str = 'dasw' . $u . 'zdas';
$r = preg_match('/^.{5,64}$/', $str);
if ($r == 0) {
printf("%04x:", $i);
for ($j = 0; $j < strlen($u); $j++) {
$b = ord(substr($str, 4 + $j));
printf(" %02x", $b);
}
printf(": %s\n", $str);
}
}


--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: spamDB - blacklist mode

[Boudewijn Dijkstra]

Op Thu, 27 Feb 2020 00:19:59 +0100 schreef :

Questions:
Does the spamDB play a role at all in pure Black listing mode ?


No, that DB is used for bookkeeping and decision-making. In blacklist-only  
mode, there is none of that.


Does the spamDB only get created/configured when running in Normal/Grey  
mode ?


It should.


Does is require Manual creation ?


No.


Issue:
When Attempting to review SPAMDB entries i get an error:
spamdb: cannot open /var/db/spamd for reading: No such file or directory


What kind of entries did you expect to find?


Setup:
[...]


--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: dhcpd and unbound on a small LAN

[Boudewijn Dijkstra]

Op Mon, 06 Jan 2020 13:24:50 +0100 schreef Anders Andersson  
:

I'm in the process of replacing an aging OpenWRT device on my home LAN
with an apu4d4 running OpenBSD as my personal router.

I would like to use unbound as a caching DNS server for my local
hosts, but I'm trying to figure out how to handle local hostnames. It
seems like a common scenario but I can't find a solution that feels
like the "right" way. I have two problems, one is trivial compared to
the other.


My first and very minor issue is that I would like to register my
static hosts in a more convenient way than what's currently offered by
unbound. From what I understand you would configure your local hosts
something like this:

local-zone: "home.lan." static
local-data: "laptop.home.lan.IN A 10.0.0.2"
local-data-ptr: "10.0.0.2  laptop.home.lan"

Every time information has to be entered twice there is room for error
and inconsistencies, so preferably this list should be automatically
generated from a simpler file, maybe /etc/hosts. I can of course
easily write such a script, but I'm wondering if there might be a
standard, go-to way of doing this.



My second and more difficult issue is that I can't seem to find a way
to feed information from the DHCP server into unbound, so that locally
assigned hosts can be queried by their hostnames. To clarify with an
example:

1. I install a new system and in the installation procedure I name it  
"alice".

2. "alice" asks for and receives an IP number from my DHCP server.
3. Every other machine can now connect to "alice" by name, assuming
that "alice" informed the DHCP server of its name when asking for an
address.

Currently this works because OpenWRT is using dnsmasq which is both a
caching DNS server and a DHCP server, so the left hand knows what the
right hand is doing. How can I solve this in OpenBSD base without
jumping through hoops?

Right now I'm considering something that monitors dhcpd.leases for
changes and updates a running unbound using unbound-control(8) but I
don't feel confident enough writing such a tool that does not miss a
lot of corner cases and handle startup/shutdown gracefully. I'm also
thinking that it can't be such an unusual use case, so someone surely
must have written such a tool already. I just haven't found any in my
search.

Or am I doing this the wrong way? I've now read about things like mDNS
and Zeroconf and Avahi and I'm just getting more and more confused.
Ideas are welcome!


Another way is to configure the DHCP server to give alice the same address  
every time.


host alice {
hardware ethernet 00:19:b9:e0:2f:de;
fixed-address 192.168.0.68;
}


--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Blank/black screen for 6.6 - any general debugging hints?

[Boudewijn Dijkstra]

Op Mon, 30 Dec 2019 19:07:10 +0100 schreef lu hu :

Hello,

I was using 6.5 on a desktop PC.

I did a sysupgrade, but after the blue boot text, I only get black/blank  
screen.


I don't think it is just the screen, since I cannot reach it via network.

I booted the 6.6 bsd.rd then did a clean install with 6.6. The same  
issue.


I had the same issue (I have yet to report it.)  Disabling amdgpu fixed it  
for me.



--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Erratically losing connection on usb port from UPS unit

[Boudewijn Dijkstra]

Op Wed, 21 Aug 2019 15:06:17 +0200 schreef Walter Alejandro Iglesias  
:

[...]

It has been working for days (with and without NUT) apparently without
problems except for three times in which the usb signal from the ups got
cut, apparently for no reason.  I get this message in console:

  upd0 detached
  uhidev0 detached


I have a similar recurring message, also very erratically, mean period is  
about a month:


ugen0 detached
ugen0 at uhub1 port 2 "American Power Conversion Smart-UPS 1000 FW:UPS  
09.2 / ID=18" rev 2.00/1.06 addr 2



While using NUT I got "stale" messages from upsmon when that happened.


I'm using apcupsd, I also get messages for these occurrences.



--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: lrint(INT_MAX) != INT_MAX

[Boudewijn Dijkstra]

Op Fri, 09 Aug 2019 19:19:14 +0200 schreef Jan Stary :

On Jul 31 14:40:42, mailinglists.boudew...@indes.com wrote:

Op Tue, 30 Jul 2019 17:12:56 +0200 schreef :
> This is what happens on my relatively current
> OpenBSD bbb.stare.cz 6.5 GENERIC#0 armv7   (BeagleBone Black)
> OpenBSD ppc.stare.cz 6.5 GENERIC#0 macppc  (an old MacMini)
>
> #include 
> #include 
> #include 
>
> int
> main()
> {
>long l;
>double d = INT_MAX;
>
>l = lrint(d);
>printf("%f is %ld\n", d, l);
>
>l = lround(d);
>printf("%f is %ld\n", d, l);
>
>return 0;
> }
>
> 2147483647.00 is -1
> 2147483647.00 is -1
>
> That doesn't seem right: isn't INT_MAX representable as a long,
> even on these machines where sizeof(int) == sizeof(long)?

If it is less than LONG_MAX, then yes.


Less than, as in strictly less?
Why? Do you mean <= ?


My statement is true for both < and <=, but I guess it would have been  
less confusing if I had written "less then or equal to".



> If so, shouldn't lrint(INT_MAX) == INT_MAX = lround(INT_MAX)?

If the double type provides enough mantisse (which I think it does on  
all

platforms), and if I read a few C standards correctly, then yes.

> On i386 (an ALIX), I see
>
> 2147483647.00 is 2147483647
> 2147483647.00 is -1
>
> so lrint() returns the expected value but lround() does not.
>
> On the amd64s I have, I see the expected:
> 2147483647.00 is 2147483647
> 2147483647.00 is 2147483647
>
> Is this a bug or am I missing something obvious?

I'd say it's a bug. Also with a float variable and with lrintf/lroundf  
the

outcome should ideally be 2147483647.


OK, how can I help debug this?
(The code in lib/libm/src/*rint*.c seems a bit over my head.)


What Otto said. You could download {Free,Net}BSD code and expand your  
program to compare different variants.




--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: lrint(INT_MAX) != INT_MAX

[Boudewijn Dijkstra]

Op Tue, 30 Jul 2019 17:12:56 +0200 schreef :

This is what happens on my relatively current
OpenBSD bbb.stare.cz 6.5 GENERIC#0 armv7(BeagleBone Black)
OpenBSD ppc.stare.cz 6.5 GENERIC#0 macppc   (an old MacMini)

#include 
#include 
#include 

int
main()
{
long l;
double d = INT_MAX;

l = lrint(d);
printf("%f is %ld\n", d, l);

l = lround(d);
printf("%f is %ld\n", d, l);

return 0;
}

2147483647.00 is -1
2147483647.00 is -1

That doesn't seem right: isn't INT_MAX representable as a long,
even on these machines where sizeof(int) == sizeof(long)?


If it is less than LONG_MAX, then yes.


If so, shouldn't lrint(INT_MAX) == INT_MAX = lround(INT_MAX)?


If the double type provides enough mantisse (which I think it does on all  
platforms), and if I read a few C standards correctly, then yes.



On i386 (an ALIX), I see

2147483647.00 is 2147483647
2147483647.00 is -1

so lrint() returns the expected value but lround() does not.

On the amd64s I have, I see the expected:
2147483647.00 is 2147483647
2147483647.00 is 2147483647

Is this a bug or am I missing something obvious?


I'd say it's a bug. Also with a float variable and with lrintf/lroundf the  
outcome should ideally be 2147483647.




--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: How to synchronise 2 spamd instances

[Boudewijn Dijkstra]

Op Fri, 31 May 2019 00:34:39 +0200 schreef Mik J :

 Hello,

I'm back again with spamd synchronisation.

I made further tests and it seems to me that only new entries in spamd  
are synchronised.
All existing entries before the synchronisation and not sent to the  
other spamd instance.


Is it supposed to work like that ?


Yes. From the spamd(8) manual:
"The databases are synchronised for greylisted and trapped
entries; whitelisted entries and entries made manually using spamdb(8)
are not updated."





--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: could use some spamdb output

[Boudewijn Dijkstra]

Op Fri, 21 Dec 2018 17:10:46 +0100 schreef Gilles Chehade  
:



spamdb | grep -E '^(GREY|WHITE)\|' | cut -d\| -f1,2



--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Running your own mail server

[Boudewijn Dijkstra]

Op Sat, 08 Sep 2018 17:36:07 +0200 schreef Ken M :

On Sat, Sep 08, 2018 at 11:32:00AM -0400, Jay Hart wrote:
I've run my own email server for 15 years now I think. I stick with  
Linux for email server,
OpenBSD for routing/firewall. I personally find this is the best of  
both worlds...


Just my 35 cents...


Dare I ask, is there a specific technical reason for using Linux as your  
email server. I ask as I already run a Debian web server on Digital  
Ocean.


Hmm, non-spammers use DigitalOcean too? I have them blacklisted.


--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: clearing the disk cache

[Boudewijn Dijkstra]

Op Tue, 03 Jul 2018 16:06:37 +0200 schreef Maximilian Pichler  
:

Now I'm resorting to "sysctl kern.bufcachepercent=5; sysctl
kern.bufcachepercent=90" to "almost" clear the cache. If only setting
it to 0 were allowed...


--- sys/kern/kern_sysctl.c.orig Mon Feb 19 09:59:52 2018
+++ sys/kern/kern_sysctl.c  Wed Jul  4 10:20:53 2018
@@ -602,7 +602,7 @@
);
if (error)
return(error);
-   if (bufcachepercent > 90 || bufcachepercent < 5) {
+   if (bufcachepercent > 90) {
bufcachepercent = opct;
return (EINVAL);
}


--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Virtualbox vs latest snapshot

[Boudewijn Dijkstra]

Op Thu, 12 Apr 2018 15:47:18 +0200 schreef Consus :

On 08:28 Thu 12 Apr, Nick Holland wrote:

Another "failure mode" of VirtualBox people should be aware of:
I understand through good sources, Oracle monitors the IP addresses that
it's downloaded from, and if they can trace it back to a commercial IP
(i.e., not a home address), and if they see you download (or update) the
"not for unrestricted free use" parts, their lawyers will contact you
and send you a bill...and they really don't care about "for work" or
"not for work related" uses.

I'd really recommend removing this product from your computers.


This won't stand in court. You sources are so high on crack it's not
even funny.


The point is not to go to court, the point is to bully people into paying  
up.



--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Virtualbox vs latest snapshot

[Boudewijn Dijkstra]

Op Thu, 12 Apr 2018 14:28:14 +0200 schreef Nick Holland  
:

Another "failure mode" of VirtualBox people should be aware of:
I understand through good sources, Oracle monitors the IP addresses that
it's downloaded from, and if they can trace it back to a commercial IP
(i.e., not a home address), and if they see you download (or update) the
"not for unrestricted free use" parts, their lawyers will contact you
and send you a bill...and they really don't care about "for work" or
"not for work related" uses.


I suppose this only works if you have your own netblock. Otherwise they  
cannot know the legal entity behind an IP-address. Except in totalitarian  
states I guess.



I'd really recommend removing this product from your computers.


By which you mean the Oracle VM VirtualBox Extension Pack, presumably.


--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: noob question: driver separation?

[Boudewijn Dijkstra]

Op Mon, 19 Feb 2018 21:19:27 +0100 schreef Hess THR  
:
I mean.. did it ever happened in the history that a microphone driver  
sent its data via the network?


Quite unlikely with open source drivers. And even load-modules can be  
checked to see which kernel functions they call. The recently introduced  
random ordering of kernel objects (KARL) makes it very difficult to call a  
function without explicitly linking to it.



if these attacks aren't very likely, then I was just loudly thinking..

wouldn't it be great to held some idea day for: "how to increase  
security? "


If you are really concerned about security, then there are other ways of  
achieving physical separation. Like using separate devices.



--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: noob question: driver separation?

[Boudewijn Dijkstra]

Op Fri, 16 Feb 2018 21:51:12 +0100 schreef Hess THR  
:

Hello,

are there any (at least on plan or theoretical level) that drivers will  
be/are/would be separated? ex.:


- touchpad drivers shouldn't have to do anything with network access
- wireless drivers shouldn't be able to touch anything from ex.: /home
- graphics/wireless/sound/disk/etc. drivers shouldn't be able to get  
anything from keyboards

- and so on.

or is this only a dream or bad concept that separation needed "inside  
kernel level"?


Why do you think it is needed?  Did you see any dubious or sketchy OpenBSD  
driver code?




--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: fsck: CANNOT READ: BLK 4235468160

[Boudewijn Dijkstra]

Op Sun, 07 Jan 2018 03:45:06 +0100 schreef Maximilian Pichler  
:

If the disk is damaged, shouldn't the problematic blocks be
consistent?


If you mean the actual platters, then probably yes, but there are other  
components that can damage. If for instance the bearings are worn, you can  
get a HDD that works fine at first and starts getting more and more read  
errors as it heats up.

Re: nobreak powers down openbsd

[Boudewijn Dijkstra]

Op Mon, 23 Oct 2017 20:08:56 +0200 schreef Friedrich Locke  
:

When i wrote nobreak, i really meant UPS.
I don't have a model; may some one  suggest a model that power off  
openbsd ?


I'm using an APC UPS with apcupsd. You can define time-outs, thresholds,  
also script events and do more complicated stuff by parsing the UPC status  
report. Small caveat is this particular device requires disabling of  
uhidev(4) in the kernel.




--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: spamd randomly and silently dying on OpenBSD 6.1

[Boudewijn Dijkstra]

Op Fri, 06 Oct 2017 10:49:39 +0200 schreef rosjat :

[...]
Is there some way to get a more verbose autput when the process is  
daemonized? the -v switch only seems to aplay to the foreground mode.


Depends on your syslog.conf; I have:
!!spamd
daemon.err;daemon.warn;daemon.info;daemon.debug /var/log/spamd
!*

Have you checked whether interaction with spamd-setup is causing any  
problems?




--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: openSMTPD relaying and aliases

[Boudewijn Dijkstra]

Op Wed, 04 Oct 2017 11:31:25 +0200 schreef rosjat :

[...]
But I get mails in my log account
From: r...@machinename.domain.tld
To:r...@machinename.domain.tld

but i would like to have a it with
From: r...@machinename.domain.tld
To: logs+...@domain.tld

to make my filtering easier in the mail account.

So is it possible to get smtpd to use the alias  in the to: field by  
default when sending a mail from a user account?


Can't you filter using the "Delivered-To" header?



--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: the whole greylisting, spam filtering thing

[Boudewijn Dijkstra]

Op Sun, 01 Oct 2017 22:11:27 +0200 schreef Rupert Gallagher  
:
Spammers keep trying, from the same IPs, for days here, so graylisting  
is useless for us.


All of them?  On my end about 90% only try once.



--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: FF vs. Chrome/Chromium

[Boudewijn Dijkstra]

Op Wed, 27 Sep 2017 16:44:01 +0200 schreef Theo de Raadt  
:

Firefox has W^X compliance and so runs with the secure defaults.


it uses page aliasing, which is a shitty way of being compliant


Do you mean dual-mapping a.k.a. double-mapping?  I found some old patches  
using a temporarily file and mmap w/ fd to achieve this, but they never  
went in.


This blog:
https://jandemooij.nl/blog/2015/12/29/wx-jit-code-enabled-in-firefox/
suggests that it is simply switching between RW and RX using mprotect.

Can you please elaborate?


--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: running spamd on firewall ord on the mailsystem

[Boudewijn Dijkstra]

Op Tue, 19 Sep 2017 09:35:04 +0200 schreef Peter N. M. Hansteen  
:

On 09/19/17 09:10, rosjat wrote:


I like to get some opinions on where to use the spamd daemon. Is it
better to do the heavy stuff on the firewall or let it all pass to the
mailsystem and do the filtering there?


OpenBSD's spamd is not in any way a 'heavy' service.


Indeed.  On my site, with 12k messages tarpitted last week, spamd (with  
-v) took about the same cpu time as ntpd.  Spamlogd even less.  Together  
about 7.5M resident memory.



It's entirely
possible to run it on the actual mail server, but I tend to recommend
stopping unwanted traffic early and set up on the directly
internet-facing host (aka the firewall).


Note that the spamd(8) manual page assumes it's the same machine, so using  
different machines is a less trivial pf.conf setup.  IIRC it requires  
route-to in stead of divert-to for your whitelist(s), or a divert-to with  
a relayd/nc relay.




--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Spamtrap doesn't work for me

[Boudewijn Dijkstra]

Op Thu, 18 May 2017 10:23:40 +0200 schreef Peter N. M. Hansteen  
:

On Thu, May 18, 2017 at 06:09:19AM +, Mik J wrote:

I was reading the man spamd
http://man.openbsd.org/spamd

Which was saying

"When a host that is currently greylisted attempts to send mail to a  
spamtrap address, it is blacklisted for 24 hours by adding the host to  
the spamd blacklist . Spamtrap addresses are added to  
the /var/db/spamd database with the following spamdb(8) command:"


So I'm expecting a spamd-greytrap table


That does sound like we should look into rephrasing that bit of the man  
page.


I'll see if I can come up with suitable wording unless somebody beats me  
to it.


Every time a pf table is mentioned, it says "pf table" or "table" with the  
name of the table in angle brackets.  In this case it doesn't say "table"  
but "list", but perhaps the name could be between quotes.


--- libexec/spamd/spamd.8   16 Mar 2017 15:16:21 -  1.133
+++ libexec/spamd/spamd.8   19 May 2017 07:43:41 -
@@ -385,7 +385,7 @@ spamtrap address,
 it is blacklisted for 24 hours by adding the host to the
 .Nm
 blacklist
-.
+'spamd-greytrap'.
 Spamtrap addresses are added to the
 .Pa /var/db/spamd
 database with the following


--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Spamtrap doesn't work for me

[Boudewijn Dijkstra]

Op Wed, 17 May 2017 16:59:27 +0200 schreef Peter N. M. Hansteen  
<pe...@bsdly.net>:

On 05/17/17 16:51, Boudewijn Dijkstra wrote:

Op Wed, 17 May 2017 13:55:58 +0200 schreef Mik J <mikyde...@yahoo.fr>:

SPAMTRAP|<t...@mydomain.org>


It looks like spamdb actually accepts addresses both with and without
angle brackets -


It accepts anything that has contains an '@'.




--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Spamtrap doesn't work for me

[Boudewijn Dijkstra]

Op Wed, 17 May 2017 13:55:58 +0200 schreef Mik J :

Hello,
I'm trying to make spamtrap to work
I added a spamtrap address# spamdb | grep trap
SPAMTRAP|


From spamdb(8):
 If adding or deleting a SPAMTRAP address (-T), keys should be  
specified

 as email addresses:

   spamt...@mydomain.org


So without angle brackets.



--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: spamd and outlook.com

[Boudewijn Dijkstra]

Op Fri, 21 Apr 2017 14:12:56 +0200 schreef Reyk Floeter <r...@openbsd.org>:

On Fri, Apr 21, 2017 at 01:52:05PM +0200, Boudewijn Dijkstra wrote:
Op Fri, 21 Apr 2017 12:16:31 +0200 schreef Reyk Floeter  
<r...@openbsd.org>:

> On Fri, Apr 21, 2017 at 11:59:20AM +0200, Peter N. M. Hansteen wrote:
> > On Fri, Apr 21, 2017 at 11:25:14AM +0200, Markus Rosjat wrote:
> > >
>
> I use the attached script to fetch the SPF entries recursively, in a
> plain text format that can be fed into pfctl.

Have you tried mx3a.certifiedfactory.info ?  ;)



great

I think you got something wrong:

I don't use this simple script automatically or for "untrusted
domains", I just use it _manually_ and for _well-known_ offenders like
outlook.com that break greylisting.


I only pointed out a weakness. Infinite loops may happen regardless of  
trust or reputation, so the weakness should IMHO be either documented or  
fixed.



 SPF is not a security solution,
but it is a band-aid that helps to handle these stupid cloud-based MTAs.

The script below fixes it - or akpoff's slightly more complicated (and
probably more correct) version.


Thanks.

--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: spamd and outlook.com

[Boudewijn Dijkstra]

Op Fri, 21 Apr 2017 12:16:31 +0200 schreef Reyk Floeter :

On Fri, Apr 21, 2017 at 11:59:20AM +0200, Peter N. M. Hansteen wrote:

On Fri, Apr 21, 2017 at 11:25:14AM +0200, Markus Rosjat wrote:
>


I use the attached script to fetch the SPF entries recursively, in a
plain text format that can be fed into pfctl.


Have you tried mx3a.certifiedfactory.info ?  ;)


--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Spamd question with Spamtrap

[Boudewijn Dijkstra]

Op Mon, 13 Mar 2017 18:25:30 +0100 schreef Mik J :
Spamd has been really efficient in blocking spam. A few of them passed  
through once in a while but there's no discomfort.


So this is not really an OpenSMTPd question.


But, I'm not able to use spamtrap.
# spamdb -T -a ""


The example in the manpage doesn't use angle brackets. Remove them.


# spamdb | grep SPAMTRAP
SPAMTRAP|
But when I telnet port 25 and try to send a mail, a GREY entry is  
created, and after the holdtime mail are passing through


When a SPAMTRAP is hit, no GREY entry is created.



--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Spammer whitelisted by spamd. How?

[Boudewijn Dijkstra]

Op Sat, 04 Feb 2017 10:03:02 +0100 schreef Clint Pachl
:
Can someone explain how the spammer at 81.7.16.33 got white listed by  
spamd and delivered 3 spam emails to me? What exactly triggered the  
white listing?


I may not understand spamd's behavior, but according to the spamd log  
below, the spammer attempted only 5 deliveries via spamd, each with a  
different envelope-from address. Correct?


At 17:12 there is a 6th connection. Presumably this is a re-try of one of
the existing grey entries.

With -v you would have seen something like:
Feb  3 17:12:29 zeus spamd[34374]: (GREY) 81.7.16.33:
 -> 

/B



If so, shouldn't white listing be considered only if, during passtime,  
the retries from a GREY host contain the same envelope-from and  
envelope-to? Legitimate mail would be resent with the same  
envelope-from/-to, but spammers (this one in particular) often do not.  
Ensuring consistent envelope addresses may be a way to stop more spam.  
No?



# passtime set short as I'm currently experimenting
$ rcctl get spamd | grep flags
spamd_flags=-G 1:10:1080

$ fgrep 81.7.16.33 /var/log/spamd
Feb  3 16:58:27 zeus spamd[34374]: 81.7.16.33: connected (3/1)
Feb  3 17:00:05 zeus spamd[21625]: new entry 81.7.16.33 from  
 to , helo minyu1esc.com
Feb  3 17:00:10 zeus spamd[34374]: 81.7.16.33: disconnected after 103  
seconds.

Feb  3 17:06:50 zeus spamd[34374]: 81.7.16.33: connected (3/2)
Feb  3 17:07:10 zeus spamd[21625]: new entry 81.7.16.33 from  
 to , helo minyu1esc.com
Feb  3 17:07:10 zeus spamd[34374]: 81.7.16.33: disconnected after 20  
seconds.

Feb  3 17:07:47 zeus spamd[34374]: 81.7.16.33: connected (3/2)
Feb  3 17:08:00 zeus spamd[21625]: new entry 81.7.16.33 from  
 to , helo minyu1esc.com
Feb  3 17:08:02 zeus spamd[34374]: 81.7.16.33: disconnected after 15  
seconds.

Feb  3 17:08:28 zeus spamd[34374]: 81.7.16.33: connected (4/3)
Feb  3 17:08:41 zeus spamd[21625]: new entry 81.7.16.33 from  
 to , helo minyu1esc.com
Feb  3 17:08:41 zeus spamd[34374]: 81.7.16.33: disconnected after 13  
seconds.

Feb  3 17:10:22 zeus spamd[34374]: 81.7.16.33: connected (4/3)
Feb  3 17:10:39 zeus spamd[21625]: new entry 81.7.16.33 from  
 to , helo minyu1esc.com
Feb  3 17:10:39 zeus spamd[34374]: 81.7.16.33: disconnected after 17  
seconds.

Feb  3 17:12:13 zeus spamd[34374]: 81.7.16.33: connected (5/4)
Feb  3 17:12:29 zeus spamd[34374]: 81.7.16.33: disconnected after 16  
seconds.

Feb  3 17:12:50 zeus spamd[17428]: queueing add of 81.7.16.33
Feb  3 17:12:50 zeus spamd[17428]: whitelisting 81.7.16.33 in  
/var/db/spamd





--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Memory alignment

[Boudewijn Dijkstra]

Op Sat, 28 Jan 2017 06:26:16 +0100 schreef Damian McGuckin  
:
What is the recommended most portable way to force memory alignment for  
a datum of any type, assuming one has a pointer say


char *x

I currently use something like

char *xany = aligntonext(x, sizeof(long))

where I use my own function 'aligntionext' which is defined below and I  
also assume that a 'long' will be the natural word-size of the machine  
and that any datum things just needs to align to this boundary. That  
said, if the second argument is say 4k, the function will align its  
result to a 4k boundary.


I was wondering if there is an optimal, better, more acceptable, or more  
portable, way.




Easy and very portable:

void *
aligntonext(void *x, size_t size)
{
return (void *)uintptr_t)x + size - 1u) / size) * size);
}

Whether it is optimal depends on compiler optimization.


--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: spamd: howto blacklist hosts in greylisting mode?

[Boudewijn Dijkstra]

Op Mon, 16 Jan 2017 16:26:25 +0100 schreef Harald Dunkel  
<harald.dun...@aixigo.de>:

On 01/16/17 13:58, Boudewijn Dijkstra wrote:

Op Mon, 16 Jan 2017 11:08:06 +0100 schreef Harald Dunkel
<harald.dun...@aixigo.de>:


But spamd's blacklisting (without "-b") lacks proper documen-
tation. spamd-setup(8) says that it sends blacklist data to
spamd, but it doesn't tell the details.


Which details do you need and what do you need them for?


For verification I would like to see the IP addresses it blocks
without waiting for an appropriate spam mail. Obviously spamdb
doesn't tell.


I have a cronjob that mirrors my blacklists and I use those mirrors in my  
spamd.conf.  With [z]less I can then view the addresses.



How can I drop an IP address from the blacklist,
in case that there is a false positive, and go back to grey-
listing?


You can add those addresses to a list in spamd.conf with the :white:  
capability, which doesn't have a corresponding table in pf.



And spamd(8) mentions
spamd-setup only for "blacklist-only" mode.


No.


You know what I mean:

"When spamd is run in default mode, it will greylist connections from
new hosts. Depending on its configuration, it may choose to blacklist
the host or, if the checks described below are met, eventually
whitelist it.

When spamd is run in blacklist-only mode, using the -b flag, it will
consult a pre-defined set of blacklist addresses to decide whether
to tarpit the host or not."

The missing part here is the work-together between spamd and spamd-
setup in default mode.


Isn't that described in spamd-setup(8)?  I don't see any missing part, I'm  
sorry.



Where does spamd store the
information retrieved form spamd-setup? Its not in spamdb,
I checked.


In the memory allocated to one of spamd's processes.


So on a restart of spamd all blacklist information is gone until
cron runs spamd-setup next morning? I had expected that spamd
would use spamdb for its blacklists as well.


When starting up, spamd runs spamd-setup, see /etc/rc.d/spamd .



--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: spamd: howto blacklist hosts in greylisting mode?

[Boudewijn Dijkstra]

Op Mon, 16 Jan 2017 11:08:06 +0100 schreef Harald Dunkel
:

Hi folks,

I am running spamd for greylisting on my MTA for several
years. I also know how to use spamd for blacklist-only mode
and how to configure pf.conf accordingly (even though I never
tried).

But spamd's blacklisting (without "-b") lacks proper documen-
tation. spamd-setup(8) says that it sends blacklist data to
spamd, but it doesn't tell the details.


Which details do you need and what do you need them for?


And spamd(8) mentions
spamd-setup only for "blacklist-only" mode.


No.


How are blacklisted sites supposed to be redirected to spamd
for tarpitting, if spamd-setup doesn't update ?


Because in default mode, you redirect everything to spamd except your
whitelist(s).


Is it reasonable to omit the "-b"?


Only if you omit it from both spamd and spamd-setup.


Where does spamd store the
information retrieved form spamd-setup? Its not in spamdb,
I checked.


In the memory allocated to one of spamd's processes.



--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: spamd and network whitelisting

[Boudewijn Dijkstra]

Op Tue, 20 Dec 2016 12:31:05 +0100 schreef Clint Pachl  
:

[...]
grep "^GREY" |
tr "|" "\t" |
[...]


I've learned to do all parsing of /var/db/spamd via the  interface  
as the envelope-from sometimes contains a "|" (pipe) character.



--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: spamd and network whitelisting

[Boudewijn Dijkstra]

Op Tue, 20 Dec 2016 12:51:19 +0100 schreef Clint Pachl  
:

Devin Reade wrote on 12/19/16 12:59:

With respect to dealing with SPF, the simple solution (permitting an
IP if it is on the sending domain's SPF list) doesn't work too well
in the general case since it appears many spammers publish SPF records.


You're right. When I ran ruby-spf against the the TRAPPED IPs in my  
spamdb, a surprising number passed SPF (like 15%). On the other hand,  
one of the popular email domains from our customer DB is @att.net, which  
doesn't even publish SPF. After some real life testing against our  
client email DB, I determined SPF was not effective in filtering spam  
for us. If it is used, it should be a small factor at best.


SPF was never meant for making accept/reject decisions on arbitrary  
domains.  If you don't trust the sending domain, then SPF evaluation is  
pointless.



--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: OpenBSD green computing tips

[Boudewijn Dijkstra]

- adaptive fan speed (??)


Can often be set to "auto" in BIOS.


- lcd (??)


wsdisplay(4) WSDISPLAYIO_PARAM_BACKLIGHT


- cdrom (??)


Unplug it?


- hard-drives (??)


atactl(8) or use solid-state.


- usb (??)


Unplug it?


- 802.11 power-saving (??)


Don't transmit packets.


- vmd (suspending/hibernation for vms?)


Does vmctl stop not do what you want?


What are your experience with decreasing energy usage
of OpenBSD boxes - laptops but also home-servers.


Two tips:
* only decrease energy usage when it's worth it
* use modern but modest hardware.



--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: How to make spamd more annoying ?

[Boudewijn Dijkstra]

Op Wed, 14 Dec 2016 18:07:15 +0100 schreef Craig Skinner  
<skin...@britvault.co.uk>:

On Tue, 13 Dec 2016 18:29:00 + (UTC) Mik J wrote:

I use spamlogd so that every outgoing mail adds the remote mx IP in
my whitelist.


As with many domains, large mail services deploy/out source separate
inbound & outbound clusters, so spamlogd'ing outbound mail wont help.

These spamlogd flags seem to work best here:

spamlogd_flags='-I -Y ... -Y ... -Y '



I'm not sure I understood what this patch does.
It's used to give some additional statistics?



spamd expires trapped IP addresses after 24 hours.

Boudewijn's patch keeps them trapped while they continue to spam.
His stats prove it works.


My stats just prove that senders exist who will happily continue delivery  
attempts for weeks or months.  ;)


To see that it works, you have to turn on verbose logging and realise that  
spammers who get greytrapped sometimes also use valid envelope-to  
addresses. My patch is intended to reduce the chances of those spammers  
getting whitelisted. It can also be used as an ad-hoc blacklist for e.g.  
senders of daily newsletters who refuse to unsubscribe you.



I read somewhere that gmail servers change their IPs when they retry
to send the mails.


This tool helps to auto white list silly round robin senders:
http://web.Britvault.Co.UK/products/ungrey-robins/

(SPF lists are often not trustworthy.)


Whitelisting an address simply because it appears on an SPF record of a  
domain used for legitimate mail, is indeed a bad idea.  SPF was never  
meant for that.


SPF can be used for accept/reject decisions, but your policy of what to do  
with a certain SPF result should be based on your level of trust in the  
publishing domain.




--
Boudewijn Dijkstra
Indes-IDS B.V.
+31 345 545 535

Re: Disable Laptops Keyboard in OpenBSD

[Boudewijn Dijkstra]

Op Tue, 22 Nov 2016 10:24:16 +0100 schreef pasta  
:
Hi, I can't figure out how to disable my laptops keyboard so I can only  
use my USB one.

xinput doesn't list each keyboard as in Linux I believe.
I could write a xorg.conf but what if I dont have my keyboard with  
myself then?

wsconsctl can't disable a keyboard, can it?


Have you tried wsconscfg(8)?


--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Because in this day and age, there’s no one else doing what OpenBSD is doing?

[Boudewijn Dijkstra]

Op Tue, 15 Nov 2016 22:14:23 +0100 schreef SOUL_OF_ROOT 55  
:

Theo de Raadt wrote:

*Because in this day and age, there's no one else doing what OpenBSD is
doing?*


The interview was published July 2005. Do you think that "this day and  
age" still applies?




--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: strange behaviour spamd

[Boudewijn Dijkstra]

Op Thu, 21 Jul 2016 17:34:37 +0200 schreef Markus Rosjat :
I noticed that a trapped ip gets whitelisted when there are still  
greylisted messages. this shouldn't happen when I use the -a -t switches  
to trap the ip or do I miss something here ?


Indeed it shouldn't and since OpenBSD 4.9 it is believed that it doesn't.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/libexec/spamd/grey.c.diff?r1=1.49=1.50=h

If it does anyway, then maybe there is a mistake in your configuration or  
your spamlogd is interfering (w/ outgoing mail).



--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: making OpenBSD 5.9 live system on USB key

[Boudewijn Dijkstra]

Op Sat, 09 Jul 2016 14:10:26 +0200 schreef Matthias Apitz  
:


dwiic at acpi0 not configured
dwiic at acpi0 not configured


What is connected to these?


--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: making OpenBSD 5.9 live system on USB key

[Boudewijn Dijkstra]

Op Sat, 09 Jul 2016 16:16:45 +0200 schreef Matthias Apitz
:

El día Saturday, July 09, 2016 a las 02:44:39PM +0200, Peter N. M.
Hansteen escribió:


[...] I suspect that's the case with your touchpad as well.

[...]
Re/ the touchpad: the imt(4) man page says, it should have support.
Is there some method in OpenBSD to get verboseor even debug boot
messages and


-DIHIDEV_DEBUG


to verify that the imt(4) driver is in the kernel?


config(8), boot_config(8)
fgrep imt /usr/src/sys/arch/amd64/conf/GENERIC


I read
that OpenBSD does not have loadable kernel modules, true?


True.


--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Quick APU2 review

[Boudewijn Dijkstra]

Op Fri, 15 Apr 2016 18:12:41 +0200 schreef Christian Weisgerber  
:

A "make -j4 build" took exactly 120 minutes.


Using which physical disk type(s)?



--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Redirect SMTP traffic

[Boudewijn Dijkstra]

Op Thu, 14 Apr 2016 11:51:25 +0200 schreef :

Hello the list,


I trying to put SPAMD in front of an Exchange Server but i think doing  
it in the wrong way.


My Lab is like this :

   FW
|
 SPAMD--Exchange

SPAMD and Exchange are in separate LAN. Routing is done via the FW


I'm just running smtpd on the spamd box with:

listen on egress
accept from any for any relay via smtp://Exchange \
hostname spamd.example.com




--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: segfault with stripped lib, works fine when non-stripped

[Boudewijn Dijkstra]

Op Mon, 04 Jan 2016 22:54:24 +0100 schreef Jeremie Le Hen :

Yeah... when you read that subject you probably had this weird gaze ô_Ò
like I did when I came to that conclusion.

I've been experiencing segfaults in milter-greylist [...]
 So after some more tinkering I came to the following
conclusion: if I run strip(1) on /usr/local/lib/libbind/libbind.so.5.0
to remove the debugging symbols, then it will crash with the stacktrace
below.

Has anyone of you seen such a behavior in the past?

#0  0x1cc53e386d40 in memcpy (dst0=0x1cc5c48b7000, src0=Variable "src0"

is not available.

) at /usr/src/lib/libc/string/memcpy.c:94
#1  0x1cc4f4d496d8 in __res_vinit () from

/usr/local/lib/libbind/libbind.so.5.0

#2  0x1cc4f4d48bda in __res_ninit () from

/usr/local/lib/libbind/libbind.so.5.0

#3  0x1cc50b181905 in SPF_dns_resolv_lookup

(spf_dns_server=0x1cc5c48ab780, domain=0x1cc55122c1d0 "mydomain.org",
rr_type=ns_t_spf, should_cache=1) at spf_dns_resolv.c:261

[...]


I had the same stack trace with a simple test application
(http://www.libspf2.org/docs/html/ ). Except that my memcpy showed src=0,
len=16.  OpenBSD 5.8 i386 with stock libs (from packages). The prebuilt tools
(in /usr/local/libexec/libspf2/) ran fine. My Makefile had:
LDADD+= -lspf2

Segfaults disappeared when I changed that to:
LDADD+= -lbind -lspf2

So yeah, looks like conflicts between symbols.


--
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: verification spamd and traffic

[Boudewijn Dijkstra]

Op Tue, 13 Oct 2015 20:55:27 +0200 schreef Stuart Henderson 
<s...@spacehopper.org>:

On 2015-10-13, Boudewijn Dijkstra <sp4mtr4p.boudew...@indes.com> wrote:

Op Thu, 08 Oct 2015 11:06:45 +0200 schreef Markus Rosjat <ros...@ghweb.de>:

Hi there,

I have a spamd running in greylisting mode and maintain my own blacklist
that I update manually. So far so good yesterday I just did a quite
radical adding to my blacklist :) and I noticed my outgoing traffic
jumped from around 500mb per day to 3,2gb per day. I checked the traffic
with tcpdump and it was no strange traffic going on just my mailports
and the 25 for the spamd. So my question is, could the radical adding of
IPs cause this (and yeah its a lot because I added some ranges)?  As far
as I understand it when some IP is on a blacklist it get redirected to
spamd right away by pf and then I get some traffic going on. If a IP is
not on the blacklist and not known Greylisting jumps in an sends the
server away to come back later to decide if it goes through or on the
blacklist. So by adding a lot of possible spammer on a black list in the
first place I generate traffic with them.

Could someone confirm this ?


Adding to a blacklist shouldn't increasetraffic.


It's totally possible. Blacklist mode by default returns a temporary failure
so a standard MTA would keep trying, whereas with greylisting or no spamd
it would stop after the mail is accepted. And in stuttering mode you send
one character per packet so there's one TCP header for each character.


Retries do indeed increase outgoing traffic, but assuming 'normal' SMTP 
conversations, 'normal' outgoing mail bodies and 'normal' spammers, the 
increase in outgoing application-layer traffic should barely be noticeable.

If the OP was measuring IP bytes, then yes there might be a significant 
increase.  By how much, mostly depends on the number and ratio of 
incoming/outgoing SMTP conversations, I think.



--
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: verification spamd and traffic

[Boudewijn Dijkstra]

Op Thu, 08 Oct 2015 11:06:45 +0200 schreef Markus Rosjat :

Hi there,

I have a spamd running in greylisting mode and maintain my own blacklist
that I update manually. So far so good yesterday I just did a quite
radical adding to my blacklist :) and I noticed my outgoing traffic
jumped from around 500mb per day to 3,2gb per day. I checked the traffic
with tcpdump and it was no strange traffic going on just my mailports
and the 25 for the spamd. So my question is, could the radical adding of
IPs cause this (and yeah its a lot because I added some ranges)?  As far
as I understand it when some IP is on a blacklist it get redirected to
spamd right away by pf and then I get some traffic going on. If a IP is
not on the blacklist and not known Greylisting jumps in an sends the
server away to come back later to decide if it goes through or on the
blacklist. So by adding a lot of possible spammer on a black list in the
first place I generate traffic with them.

Could someone confirm this ?


Adding to a blacklist shouldn't increase traffic. I suspect there is an error 
in your pf.conf.



--
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: odd behaviour of spamdb

[Boudewijn Dijkstra]

Op Mon, 13 Jul 2015 09:14:37 +0200 schreef Markus Rosjat ros...@ghweb.de:

hi there,

I have a script the following script to delete spam mx ip from the spamd
whitelist and write them in my own blacklist. After that I reload the
blacklist with spamd- setup.  This seems to work but I noticed when the
same ip has another mail in the greylist the ip becomes whitelisted if
the delivery attempt is successful (which it shouldnt in the first place
because I trapped the ip and put it in my blacklist). This seems like an
odd behaviour to me, its not the end of the world but it feels kinda
wrong :)

here is the script:

ip_range=$1

for i in `spamdb | grep $ip_range | grep WHITE | awk -F | '{print $2}'`;
  do
   echo $i
   /usr/sbin/spamdb -d $i
   /usr/sbin/spamdb -a -t $i
   echo $i  /etc/mail/blacksheep.txt
  done

/usr/libexec/spamd-setup

maybe someone give me some hints for improvement


The explicit deletion (-d) is unnecessary and may have race condition problems. 
 An IP that is both trapped and grey will not be re-added to the whitelist, 
unless spamlogd interferes.



--
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Random PID implementation and security

[Boudewijn Dijkstra]

Op Tue, 26 May 2015 11:07:06 +0200 schreef Simon 
openbsd.li...@whitewinterwolf.com:

Le 2015-05-26 00:10, Miod Vallat a écrit :

It is not the responsibility of the operating system to protect its
users against software which assumes using the pid as a random source
is
a bright and wise idea.


Isn't this the whole goal of random PIDs, to put a defense at OS level
protecting software against themselves when they make wrong assumption
regarding the PID and use it for wrong purposes?


One can protect against programmers assuming sequential allocation and one can 
protect against programmers assuming random allocation, but not both.


--
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Performance Counters

[Boudewijn Dijkstra]

Op Wed, 18 Feb 2015 10:15:26 +0100 schreef Sai Prajeeth cspraje...@gmail.com:

Is there any command that will let me access the processor's performance
counters?? I am looking for something like Linux's perf / FreeBSDs pmcstat
that will help me get the IPC (Instructions per cycle) of the system.


$ apropos 'performance counter'
pctr(1) - display CPU performance counters
pctr(4/amd64) - driver for CPU performance counters
pctr(4/i386) - driver for CPU performance counters
uperf(4/sparc64) - performance counters driver


--
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: LibreSSL Official T-shirts

[Boudewijn Dijkstra]

Op Thu, 29 Jan 2015 17:53:10 +0100 schreef OpenBSD Store Misc 
m...@openbsdstore.com:

Some new awesome LibreSSL T-shirts are available to help fund
developments. You can see them on https://www.openbsdstore.com.


Why not use Comic Sans?

Or: This T-shirt specifically designed to annoy web hipsters


--
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Former Yugoslavia in countrycodes

[Boudewijn Dijkstra]

Op Sun, 04 Jan 2015 14:42:41 +0100 schreef Milun Rajkovic rmi...@gmail.com:

Because it's not a country (Kosovo).


It is not recognized as an independent state by an overwhelming majority of 
nations (but a majority nonetheless).


Btw it uses mobile networks of Monaco
or Luxembour or something like that, and landlines (and call number +381)
from Serbian infrastructure.


+383 since this year.


On Sun, Jan 4, 2015 at 12:58 PM, Jan Stary h...@stare.cz wrote:


The breakup of Yugoslavia seems to be incomplete in countrycodes.
AFAIK, Kosovo does not have a country code assigned.


Indeed not assigned yet, but XK seems to be used for now.
https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#XK


--
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

spamd.conf blacklists link

[Boudewijn Dijkstra]

spamlinks.net server currently not responding, last update 2010:
https://web.archive.org/web/20140208054036/http://spamlinks.net/filter-bl.htm
Last blog entry 2010:
http://blog.spamlinks.net/
I don't know a replacement page, but maybe somebody else does...


--- /etc/mail/spamd.conf.orig   Thu Sep 11 01:42:13 2014
+++ /etc/mail/spamd.confMon Sep 22 16:05:08 2014
@@ -12,9 +12,6 @@
 # all must be here, and defines the order in which lists are applied.
 # Lists specified with the :white: capability apply to the previous
 # list with a :black: capability.
-#
-# As of November 2004, a place to search for blacklists is
-# http://spamlinks.net/filter-bl.htm

 all:\
:uatraps:nixspam:



--
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: low power device

[Boudewijn Dijkstra]

Op Fri, 12 Sep 2014 15:27:39 +0200 schreef Martijn van Duren 
martijn...@gmail.com:

[...] I would like to acquire something [...]
low power, and has at least 2 sata ports, [...].


Spinning hard disks also use power.  Why 2× SATA?


--
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Alix 3D3 disconnects from network after random amount of time

[Boudewijn Dijkstra]

Op Sat, 30 Aug 2014 14:20:43 +0200 schreef Erwin Geerdink 
open...@erwingeerdink.com:

pcibios0: bad IRQ table checksum
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: Warning, unable to fix up PCI interrupt routing
vr0 at pci0 dev 9 function 0 VIA VT6105M RhineIII rev 0x96: irq 11,
auglx0 at pci0 dev 15 function 3 AMD CS5536 Audio rev 0x01: irq 11,


Could there be a problem with IRQ sharing?



--
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

[spamd] longer retention of blacklist entries

[Boudewijn Dijkstra]

OBSOLETE WHEN UA.CA IMPLEMENTS NEW SPAMLOGD

Because traplist.gz sometimes expires hosts that are still sending spam to
the world, I'd like to keep these addresses tarpitted for a while after
they are removed, say 24 hours. This logic doesn't apply to the nixspam
list because it contains addresses of legitimate hosts that temporarily
send spam. (I've found that keeping these addresses tarpitted longer is
counterproductive.)

This blacklist specifies single addresses (not blocks), so I could
add/update all these addresses as TRAPPED entries in /var/db/spamd, but
that would make the database quite unwieldy and also makes it impossible
to see in the log files which blacklist it was.

So I modified spamdb(8) to add an -f option for specifying an alternate db
file and an -e option for removing all expired entries. Then I created a
script that is called by cron every half hour (:15 and :45) and does the
following:

- sleep randomly 0..5 minutes to spread the peak load
- fetch traplist.gz using wget/curl (because ftp(1) doesn't do
HTTP timestamping)
- add/update the addresses from this list in a separate db file
- remove expired db entries
- dump the db into a new blacklist file
- run spamd-setup(8), aggregating this new file (and a few others)

I've been running this set-up for a few months now. The DB manipulation
places a significant load on the server, but I believe that further
optimizations are possible.

Does anyone feel the need to comment on this approach?


--
Boudewijn Dijkstra
Indes-IDS B.V.
+31 345 545 535

Re: Sorry OpenBSD people, been a bit busy

[Boudewijn Dijkstra]

Op Wed, 09 Oct 2013 00:01:13 +0200 schreef Scott McEachern  
sc...@blackstaff.ca:

On 10/08/13 16:41, Kevin Chadwick wrote:

Back in the pre-WW2 days, Belgium (or was it the Netherlands?  I  
forget.) kept detailed census and medical data on their citizens,  
including their religious affiliation.  It was useful data for a  
friendly government, never to be abused.


I don't know about Belgium, but certainly in the Netherlands local  
authorities were required to keep resident registration, except at that  
time not medical data.


Then WW2 happened, and Hitler's Nazis invaded.  They found that data,  
especially the religion part, quite useful, and we all know how that  
turned out.


The problem was not that the data existed, the problem was that there  
wasn't a general preparedness to hide, evacuate or destroy it when  
justified.



--
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: spamd(8) more persistent greytrapping

[Boudewijn Dijkstra]

Op Thu, 29 Aug 2013 14:04:59 +0200 schreef Boudewijn Dijkstra  
sp4mtr4p.boudew...@indes.com:
Here's a suggested improvement to spamlogd(8) which keeps greytrap  
entries tarpitted while they keep trying. [...]


Because at least one person expressed an interest in my modification, find  
below an updated patch that fixes a subtle bug. The previous version could  
accidentally trap hosts that were just whitelisted but not yet added in  
the pf table spamd-white. The version below leaves these entries alone.


--- spamlogd.c.54   Fri Mar 18 23:37:06 2011
+++ spamlogd.c  Mon Sep  9 10:52:51 2013
@@ -21,7 +21,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */

-/* watch pf log for mail connections, update whitelist entries. */
+/* watch pf log for mail connections, update spamdb entries. */

 #include sys/types.h
 #include sys/socket.h
@@ -33,6 +33,7 @@
 #include netinet/in.h
 #include netinet/in_systm.h
 #include netinet/ip.h
+#include netinet/tcp.h
 #include arpa/inet.h

 #include net/pfvar.h
@@ -64,6 +65,7 @@
 int greylist = 1;
 FILE *grey = NULL;

+u_short spamd_port;
 u_short sync_port;
 int syncsend;
 u_int8_tflag_debug = 0;
@@ -74,13 +76,14 @@
 pcap_t *hpcap = NULL;
 struct syslog_data  sdata  = SYSLOG_DATA_INIT;
 time_t  whiteexp = WHITEEXP;
+time_t  trapexp = TRAPEXP;
 extern char*__progname;

 void   logmsg(int , const char *, ...);
 void   sighandler_close(int);
 intinit_pcap(void);
 void   logpkt_handler(u_char *, const struct pcap_pkthdr *, const u_char *);
-intdbupdate(char *, char *);
+intdbupdate(char *, char *, int);
 void   usage(void);

 void
@@ -110,9 +113,11 @@
 init_pcap(void)
 {
struct bpf_program  bpfp;
-   charfilter[PCAPFSIZ] = ip and port 25 and action pass 
-   and tcp[13]0x12=0x2;
+   charfilter[PCAPFSIZ];

+   snprintf(filter, PCAPFSIZ, ip and (port 25 or %d) and action pass 
+   and tcp[13]0x12=0x2, spamd_port);
+
if ((hpcap = pcap_open_live(pflogif, PCAPSNAP, 1, PCAPTIMO,
errbuf)) == NULL) {
logmsg(LOG_ERR, Failed to initialize: %s, errbuf);
@@ -157,6 +162,11 @@
const struct ip *ip = NULL;
const struct pfloghdr   *hdr;
char ipstraddr[40] = { '\0' };
+   int  white = 1;
+   unsigned int off;
+   const struct tcphdr *tcp;
+   unsigned int iplen;
+   unsigned int port;

hdr = (const struct pfloghdr *)sp;
if (hdr-length  MIN_PFLOG_HDRLEN) {
@@ -185,26 +195,34 @@
else if (hdr-dir == PF_OUT  !flag_inbound)
inet_ntop(af, ip-ip_dst, ipstraddr,
sizeof(ipstraddr));
+   off = ntohs(ip-ip_off);
+   if ((off  0x1fff) == 0) {
+   iplen = ip-ip_hl * 4;
+   tcp = (const struct tcphdr *)(sp + hdrlen + iplen);
+   port = ntohs(tcp-th_dport);
+   if (port == spamd_port)
+   white = 0;
+   }
}

if (ipstraddr[0] != '\0') {
-   if (hdr-dir == PF_IN)
-   logmsg(LOG_DEBUG,inbound %s, ipstraddr);
-   else
-   logmsg(LOG_DEBUG,outbound %s, ipstraddr);
-   dbupdate(PATH_SPAMD_DB, ipstraddr);
+   logmsg(LOG_DEBUG, %s %s %s,
+   hdr-dir == PF_IN ? inbound : outbound,
+   white ? white : spamd,
+   ipstraddr);
+   dbupdate(PATH_SPAMD_DB, ipstraddr, white);
}
 }

 int
-dbupdate(char *dbname, char *ip)
+dbupdate(char *dbname, char *ip, int white)
 {
HASHINFOhashinfo;
DBT dbk, dbd;
DB  *db;
struct gdatagd;
time_t  now;
-   int r;
+   int r, mod;
struct in_addr  ia;

now = time(NULL);
@@ -224,7 +242,7 @@
dbk.data = ip;
memset(dbd, 0, sizeof(dbd));

-   /* add or update whitelist entry */
+   /* add or update entry */
r = db-get(db, dbk, dbd, 0);
if (r == -1) {
logmsg(LOG_NOTICE, db-get failed (%m));
@@ -237,18 +255,11 @@
gd.first = now;
gd.bcount = 1;
gd.pass = now;
-   gd.expire = now + whiteexp;
-   memset(dbk, 0, sizeof(dbk));
-   dbk.size = strlen(ip);
-   dbk.data = ip;
-   memset(dbd, 0, sizeof(dbd));
-   dbd.size = sizeof(gd);
-   dbd.data = gd;
-   r = db-put(db, dbk, dbd, 0);
-   if (r) {
-   logmsg(LOG_NOTICE, db-put failed (%m));
-   goto bad

Re: spamd(8) more persistent greytrapping

[Boudewijn Dijkstra]

Op Thu, 29 Aug 2013 14:04:59 +0200 schreef Boudewijn Dijkstra
sp4mtr4p.boudew...@indes.com:
Here's a suggested improvement to spamlogd(8) which keeps greytrap  
entries tarpitted while they keep trying.


To this end I modified spamlogd.c [...]


Is anybody even remotely interested in this?



--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

spamd(8) more persistent greytrapping

[Boudewijn Dijkstra]

Hello folks,

Here's a suggested improvement to spamlogd(8) which keeps greytrap entries
tarpitted while they keep trying.

To this end I modified spamlogd.c so that a known greytrapped host is
updated as a greytrap entry in /var/db/spamd on every incoming connection  
to
port 8025. This requires a pf(4) rule that logs incoming connections to  
this

port.

In spamd(8)'s default mode, also greylisted hosts connect to this port, so  
we
have to look in the database and not interfere with the greylisting  
process.


In spamd(8)'s blacklist-only mode, this idea could be used to add/update
greytrap entries for all blacklisted hosts (so also those from  
spamd.conf(5)).
However, these blacklists often contain false positives and legitimate  
hosts
that are blacklisted for a short period, so this is probably not a good  
idea.


Thoughts?


$ diff -u spamlogd.c{.54,}
--- spamlogd.c.54   Wed Aug 21 18:13:30 2013
+++ spamlogd.c  Thu Aug 29 13:30:58 2013
@@ -21,7 +21,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */

-/* watch pf log for mail connections, update whitelist entries. */
+/* watch pf log for mail connections, update spamdb entries. */

 #include sys/types.h
 #include sys/socket.h
@@ -33,6 +33,7 @@
 #include netinet/in.h
 #include netinet/in_systm.h
 #include netinet/ip.h
+#include netinet/tcp.h
 #include arpa/inet.h

 #include net/pfvar.h
@@ -64,6 +65,7 @@
 int greylist = 1;
 FILE *grey = NULL;

+u_short spamd_port;
 u_short sync_port;
 int syncsend;
 u_int8_tflag_debug = 0;
@@ -74,13 +76,14 @@
 pcap_t *hpcap = NULL;
 struct syslog_data  sdata  = SYSLOG_DATA_INIT;
 time_t  whiteexp = WHITEEXP;
+time_t  trapexp = TRAPEXP;
 extern char*__progname;

 void   logmsg(int , const char *, ...);
 void   sighandler_close(int);
 intinit_pcap(void);
 void   logpkt_handler(u_char *, const struct pcap_pkthdr *, const u_char  
*);

-intdbupdate(char *, char *);
+intdbupdate(char *, char *, int);
 void   usage(void);

 void
@@ -110,9 +113,11 @@
 init_pcap(void)
 {
struct bpf_program  bpfp;
-   charfilter[PCAPFSIZ] = ip and port 25 and action pass 
-   and tcp[13]0x12=0x2;
+   charfilter[PCAPFSIZ];

+   snprintf(filter, PCAPFSIZ, ip and (port 25 or %d) and action pass  


+   and tcp[13]0x12=0x2, spamd_port);
+
if ((hpcap = pcap_open_live(pflogif, PCAPSNAP, 1, PCAPTIMO,
errbuf)) == NULL) {
logmsg(LOG_ERR, Failed to initialize: %s, errbuf);
@@ -157,6 +162,11 @@
const struct ip *ip = NULL;
const struct pfloghdr   *hdr;
char ipstraddr[40] = { '\0' };
+   int  white = 1;
+   unsigned int off;
+   const struct tcphdr *tcp;
+   unsigned int iplen;
+   unsigned int port;

hdr = (const struct pfloghdr *)sp;
if (hdr-length  MIN_PFLOG_HDRLEN) {
@@ -185,26 +195,34 @@
else if (hdr-dir == PF_OUT  !flag_inbound)
inet_ntop(af, ip-ip_dst, ipstraddr,
sizeof(ipstraddr));
+   off = ntohs(ip-ip_off);
+   if ((off  0x1fff) == 0) {
+   iplen = ip-ip_hl * 4;
+   tcp = (const struct tcphdr *)(sp + hdrlen + iplen);
+   port = ntohs(tcp-th_dport);
+   if (port == spamd_port)
+   white = 0;
+   }
}

if (ipstraddr[0] != '\0') {
-   if (hdr-dir == PF_IN)
-   logmsg(LOG_DEBUG,inbound %s, ipstraddr);
-   else
-   logmsg(LOG_DEBUG,outbound %s, ipstraddr);
-   dbupdate(PATH_SPAMD_DB, ipstraddr);
+   logmsg(LOG_DEBUG, %s %s %s,
+   hdr-dir == PF_IN ? inbound : outbound,
+   white ? white : spamd,
+   ipstraddr);
+   dbupdate(PATH_SPAMD_DB, ipstraddr, white);
}
 }

 int
-dbupdate(char *dbname, char *ip)
+dbupdate(char *dbname, char *ip, int white)
 {
HASHINFOhashinfo;
DBT dbk, dbd;
DB  *db;
struct gdatagd;
time_t  now;
-   int r;
+   int r, mod;
struct in_addr  ia;

now = time(NULL);
@@ -224,7 +242,7 @@
dbk.data = ip;
memset(dbd, 0, sizeof(dbd));

-   /* add or update whitelist entry */
+   /* add or update entry */
r = db-get(db, dbk, dbd, 0);
if (r == -1) {
logmsg(LOG_NOTICE, db-get failed (%m));
@@ -237,27 +255,29 @@
gd.first = now;
gd.bcount = 1;
gd.pass = now;
-   gd.expire = now + whiteexp;
-   memset(dbk, 0, sizeof(dbk));
-   dbk.size = 

Re: spamd database breaks after time_t change

[Boudewijn Dijkstra]

Op Tue, 20 Aug 2013 18:33:46 +0200 schreef Renaud Allard  
ren...@allard.it:
I just found out that spamd database breaks after upgrading to a  
snapshot with the 64 bits time_t resulting in:

Aug 20 16:04:18 pippin spamd[26092]: scan of /var/db/spamd failed
Aug 20 16:05:18 pippin spamd[26092]: bogus entry in spamd database

As for the utmp and lastlog, a clear of the database obviously solves  
the problem.


Or if you value your white and spamtrap entries, do something like the  
following:


Before upgrade:
spamdb|grep '^WHITE|'|cut -d'|' -f2/var/db/spamd.white
spamdb|grep '^SPAMTRAP|'|cut -d'|' -f2/var/db/spamd.spamtrap

After upgrade:
rm -f /var/db/spamd
for a in `cat /var/db/spamd.white`; do spamdb -a $a; done
for a in `cat /var/db/spamd.spamtrap`; do spamdb -Ta $a; done
rm -f /var/db/spamd.{white,spamtrap}

--
Gemaakt met Opera's revolutionaire e-mailprogramma:  
http://www.opera.com/mail/

(Remove the obvious prefix to reply privately.)

Re: remove entry from spamdb greylist

[Boudewijn Dijkstra]

Op Tue, 13 Aug 2013 17:49:51 +0200 schreef ML mail mlnos...@yahoo.com:
I am using spamd in greylisting mode and would like to delete the  
following entry:


GREY|207.126.144.121|eu1sys200aog106.obsmtp.com|no_reply@sender|recipient@domain|1376398715|1376400232|1376413115|4|0

I tried the following command:

spamdb -d 207.126.144.121


Unfortunately it does not remove the entry as it is still there. Any  
ideas what could be wrong?


An IP address can only be used as a key for WHITE and TRAPPED entries. The
spamdb(8) utility was not designed to remove GREY entries, but if you are
clever, you might be able to use it for this purpose.

Anyway, the important question is: what are you trying to accomplish?


--
Gemaakt met Opera's revolutionaire e-mailprogramma:
http://www.opera.com/mail/
(Remove the obvious prefix to reply privately.)

Re: remove entry from spamdb greylist

[Boudewijn Dijkstra]

If that PF table is spamd-white, then it will get reset when you run  
spamd-setup(8) or reboot. Maybe a better way is to manually add this IP to  
the spamdb whitelist:

spamdb -a 207.126.144.121
In this case the grey entry will be ignored and stay in the database until  
it expires.


Or, even better, regularly add/update all OBSMTP addresses in your  
whitelist via SPF. Search the archives for people who made scripts for  
this kind of thing.


Greylisting is great, but some mail delivery networks need a little help  
in the form of manual whitelisting of their netblocks.



Op Wed, 14 Aug 2013 15:38:50 +0200 schreef ML mail mlnos...@yahoo.com:
This mail server has been somehow wrongly marked as grey and would stay  
stuck
like in this state not allowing mails flowing in. Somehow after 3  
attempts it
should have whitelisted this IP so it didn't. What I now did is to  
manually
add this IP my PF spamd whitelist. The final goal being simply to allow  
mail coming in from this mail server.


Regards,
M.L.

 From: Boudewijn Dijkstra
sp4mtr4p.boudew...@indes.com
To: misc misc@openbsd.org
Sent: Wednesday,
August 14, 2013 12:39 PM
Subject: Re: remove entry from spamdb greylist

Op
Tue, 13 Aug 2013 17:49:51 +0200 schreef ML mail mlnos...@yahoo.com:

I am

using spamd in greylisting mode and would like to delete the

following entry:



GREY|207.126.144.121|eu1sys200aog106.obsmtp.com|no_reply@sender|recipient@
domain|1376398715|1376400232|1376413115|4|0


I tried the following command:

spamdb -d 207.126.144.121


Unfortunately it does not remove

the entry as it is still there. Any

ideas what could be wrong?


An IP
address can only be used as a key for WHITE and TRAPPED entries. The
spamdb(8)
utility was not designed to remove GREY entries, but if you are
clever, you might be able to use it for this purpose.

Anyway, the important question is:
what are you trying to accomplish?





--
Gemaakt met Opera's revolutionaire e-mailprogramma:  
http://www.opera.com/mail/

(Remove the obvious prefix to reply privately.)

Re: spamd and greyscanner help needed..

[Boudewijn Dijkstra]

Op Tue, 16 Oct 2012 22:01:54 +0200 schreef Joakim Aronius  
joa...@aronius.com:

I need somone to hit me with a clue-by-four..

Im trying to set up spamd and greyscanner to trap a flood of incoming  
spam. Now running with default settings for spamd and with recomended  
pf.conf rules. Can't get it to work properly..

joakim@heimdall$ uname -rsv
OpenBSD 5.1 GENERIC#160
joakim@heimdall$ grep spam /etc/rc.conf.local
spamd_flags=-v -h mail.aronius.se

Example:
joakim@heimdall$ grep 81.172.0.62 /var/log/spamd
Oct 16 21:38:33 heimdall spamd[14216]: 81.172.0.62: connected (2/0)
Oct 16 21:38:44 heimdall spamd[14216]: (GREY) 81.172.0.62:  
skeptic...@yahoo.nl - a8c9...@aronius.com
Oct 16 21:38:44 heimdall spamd[14216]: 81.172.0.62: disconnected after  
11 seconds.


Hosts are _immediately_ listed as both WHITE and GREY:
joakim@heimdall$ spamdb |grep 81.172.0.62
WHITE|81.172.0.62|||1350416314|1350416314|1353526714|1|0
GREY|81.172.0.62|81.172.0.62.dyn.user.ono.com|skeptic...@yahoo.nl|a8c9...@aronius.com|1350416324|1350430724|1350430724|1|0

Looking at the WHITE record it has the same time for 'first' and 'pass'
joakim@heimdall$ date -r 1350416314
Tue Oct 16 21:38:34 CEST 2012

Is it not first supposed to be GREY until the sender tries again after  
'passtime' but before 'greyexp' and then is added as WHITE?


Yes.

As the sender is now whitelisted 'greyscanner' will not touch it so I  
assume that the above is the root problem..


The _real_ root problem is the thing that is broken.


Any ideas on what I am doing wrong?


I would guess that there is a mistake in your pf.conf.


--
Gemaakt met Opera's revolutionaire e-mailprogramma:  
http://www.opera.com/mail/

(Remove the obvious prefix to reply privately.)

Re: the idea of /fastboot ?

[Boudewijn Dijkstra]

Op Wed, 10 Oct 2012 03:43:35 +0200 schreef Artturi Alm  
artturi@gmail.com:

2012/10/10 Philip Guenther guent...@gmail.com:
On Tue, Oct 9, 2012 at 5:01 PM, Theo de Raadt dera...@cvs.openbsd.org  
wrote:

Yes, it is a relic.  You may take action against it, Ted.


Don't forget to also remove the shutdown(8) bits that use it.

Philip Guenther



was bored, does this miss anything?

Index: rc.8
Index: pathnames.h
Index: shutdown.8
Index: shutdown.c
Index: rc


What about init.8 and init.c?  They also mention fastboot.


--
Gemaakt met Opera's revolutionaire e-mailprogramma:  
http://www.opera.com/mail/

(Remove the obvious prefix to reply privately.)

Re: OpenBSD's webpage desing

[Boudewijn Dijkstra]

Op Wed, 27 Jun 2012 10:54:11 +0200 schreef Hugo Osvaldo Barrera
h...@osvaldobarrera.com.ar:

On 2012-06-26 18:46, Pablo Velasco Fernández wrote:

Hi. I was loolong the FreeBSD web page. And its a cool page with a cool
desing. Maybe OpenBSD should change their own page to a most visual
web page. ( Its only my opinion ) What do you think?


The FreeBSD website seems optimized for really low resolution, and I've
over 50% of my monitor covered in white margins.

The OpenBSD website fills my monitor with lots of information.  The idea
of a large monitor, is, to be able to see more stuff on screen.  Yet, on
the other hand, it'll still work fine on lynx.

I don't see how FreeBSD's is an improvement.


Smaller columns make speed reading easier.  My browser windows don't all
take up the whole width of my screen, and some of my browser tabs don't
take up the whole width of the browser window it is in.


--
Gemaakt met Opera's revolutionaire e-mailprogramma:
http://www.opera.com/mail/
(Remove the obvious prefix to reply privately.)

spamd(8) more persistent blacklisting

[Boudewijn Dijkstra]

Hello folks,

Here's a suggested improvement to spamd(8) that keeps blacklisted entries  
tarpitted while they keep trying.  Rationale: often blacklists like  
uatraps will remove hosts because they have stopped trying there, but will  
continue elsewhere.  If your host is 'elsewhere', and a blacklisted  
spammer has tried to deliver mail to you, then you will want to keep this  
spammer trapped for a while even though it has vanished from the blacklist.


With this diff, a tarpitted host is inserted or updated as a TRAPPED entry  
in /var/db/spamd on every incoming tarpit connection.  A downside is that  
the jailed process is no longer chrooted.  If that is unacceptable, it  
could perhaps chroot to dirname(PATH_SPAMD_DB) instead.



--- /usr/src/libexec/spamd/spamd.c  Sat Feb 20 18:59:32 2010
+++ /usr/src/libexec/spamd/spamd.c  Mon Jun  4 10:01:10 2012
@@ -45,6 +45,7 @@

 extern int server_lookup(struct sockaddr *, struct sockaddr *,
 struct sockaddr *);
+extern int trapupdate(char *, char *);

 struct con {
int fd;
@@ -660,6 +661,7 @@
if (greylist  blackcount  maxblack)
cp-stutter = 0;
cp-lists = strdup(loglists(cp));
+   trapupdate(PATH_SPAMD_DB, cp-addr);
}
else
cp-lists = NULL;
@@ -1306,11 +1308,6 @@
}

 jail:
-   if (chroot(/var/empty) == -1 || chdir(/) == -1) {
-   syslog(LOG_ERR, cannot chdir to /var/empty.);
-   exit(1);
-   }
-
if (pw)
if (setgroups(1, pw-pw_gid) ||
setresgid(pw-pw_gid, pw-pw_gid, pw-pw_gid) ||
--- /dev/null   Mon Jun  4 09:52:51 2012
+++ /usr/src/libexec/spamd/trapupdate.c Wed Mar  7 09:54:38 2012
@@ -0,0 +1,89 @@
+/* update trapped entries. */
+
+#include sys/types.h   /* inet_pton, dbopen */
+#include sys/socket.h  /* inet_pton */
+
+#include netinet/in.h  /* inet_pton */
+#include arpa/inet.h   /* inet_pton */
+
+#include db.h  /* dbopen */
+#include errno.h   /* errno */
+#include fcntl.h   /* dbopen */
+#include syslog.h  /* syslog_r */
+#include string.h  /* memset, strerror */
+
+#include grey.h
+#include sync.h
+
+extern int debug;
+extern struct syslog_data  sdata;
+extern int syncsend;
+extern time_t  trapexp;
+
+int
+trapupdate(char *dbname, char *ip)
+{
+   HASHINFOhashinfo;
+   DBT dbk, dbd;
+   DB  *db;
+   struct gdatagd;
+   time_t  now;
+   int r;
+
+   now = time(NULL);
+   memset(hashinfo, 0, sizeof(hashinfo));
+   db = dbopen(dbname, O_EXLOCK|O_RDWR, 0600, DB_HASH, hashinfo);
+   if (db == NULL) {
+   syslog_r(LOG_ERR, sdata, Can not open db %s: %s, dbname,
+   strerror(errno));
+   return -1;
+   }
+   memset(dbk, 0, sizeof(dbk));
+   dbk.size = strlen(ip);
+   dbk.data = ip;
+   memset(dbd, 0, sizeof(dbd));
+
+   /* add or update trapped entry */
+   r = db-get(db, dbk, dbd, 0);
+   if (r == -1) {
+   syslog_r(LOG_NOTICE, sdata, db-get failed (%m));
+   goto bad;
+   }
+
+   if (r) {
+   /* new entry */
+   memset(gd, 0, sizeof(gd));
+   gd.first = now;
+   gd.pass = now;
+   gd.bcount = 1;
+   } else {
+   if (dbd.size != sizeof(gd)) {
+   /* whatever this is, it doesn't belong */
+   db-del(db, dbk, 0);
+   goto bad;
+   }
+   memcpy(gd, dbd.data, sizeof(gd));
+   gd.bcount++;
+   }
+   gd.pcount = -1;
+   gd.expire = now + trapexp;
+   memset(dbk, 0, sizeof(dbk));
+   dbk.size = strlen(ip);
+   dbk.data = ip;
+   memset(dbd, 0, sizeof(dbd));
+   dbd.size = sizeof(gd);
+   dbd.data = gd;
+   r = db-put(db, dbk, dbd, 0);
+   db-close(db);
+   if (r) {
+   syslog_r(LOG_NOTICE, sdata, db-put failed (%m));
+   return -1;
+   }
+   if (syncsend)
+   sync_trapped(now, now + trapexp, ip);
+   return 0;
+bad:
+   db-close(db);
+   return -1;
+}
+



--
Gemaakt met Opera's revolutionaire e-mailprogramma:  
http://www.opera.com/mail/

(Remove the obvious prefix to reply privately.)

Re: OpenBSD 5.0-current (GENERIC) #65: Thu Nov 3 00:58:36 MDT 2011

[Boudewijn Dijkstra]

Op Fri, 20 Jan 2012 11:12:31 +0100 schreef Remco  
re...@d-compu.dyndns.org:

Martin Pelikan wrote:


On Thu, Jan 19, 2012 at 06:16:59PM +0100, Francois Pussault wrote:

I use this :
# echo $PKG_PATH
ftp://ftp.openbsd.org/pub/OpenBSD/5.0/packages/sparc64/



In case someone googles that and would think it's a good idea to set the
variable like so, here's a better alternative:

echo 'export PKG_PATH=ftp://ftp.XX.openbsd.org/pub/OpenBSD/`uname
-r`/packages/`uname -m`/'  ~/.profile

for -release and -stable, or

echo 'export
PKG_PATH=ftp://ftp.XX.openbsd.org/pub/OpenBSD/snapshots/packages/`uname
-m`/'  ~/.profile

for guess what? -current of course! Even that your -current might not be
exactly the same one these packages were built on.


I was advised some time ago that using `uname -m` is wrong:
(`arch -s` should be a better choice)

http://marc.info/?l=openbsd-miscm=131694698627338w=2


That's why I've using this in the past (`arch -s` == `machine -a`):

# selected FTP mirrors in order of distance
OPENBSD_FTP_TIER2='ftp.eu.openbsd.org anga.funkfeuer.at  
ftp.usa.openbsd.org'

OPENBSD_FTP_TIER3='mirror.hostfuss.com ftp.nluug.nl'

PKG_DIR=pub/`uname -s`/`uname -r`/packages/`machine -a`/
PKG_CACHE=/home/ftp/$PKG_DIR
PKG_PATH=$PKG_CACHE
for s in $OPENBSD_FTP_TIER3 $OPENBSD_FTP_TIER2; do
PKG_PATH=$PKG_PATH:ftp://$s/$PKG_DIR
done; s=


And yes, it's time to update my list.

--
Gemaakt met Opera's revolutionaire e-mailprogramma:  
http://www.opera.com/mail/

(Remove the obvious prefix to reply.)

Re: spamd-setup in crontab

[Boudewijn Dijkstra]

Op Mon, 14 Nov 2011 15:28:43 +0100 schreef James J. Lippard  
lippard-open...@discord.org:

I had the same problem, which I worked around by changing my
spamd.conf to use a local file instead of FTP, and downloading the
traplist.gz file in my daily.local.

That is, my spamd.conf now looks like this:

uatraps:\
:black:\
:msg=Your address %A has sent mail to a ualberta.ca spamtrap\n\
within the last 24 hours:\
:method=file:\
:file=/etc/mail/traplist.gz:

And my daily.local now has this:

echo Getting traplist.gz.
/usr/bin/ftp -o /etc/mail/traplist.gz  
http://www.openbsd.org/spamd/traplist.gz


I have a slightly more complicated setup which fetches traplist and  
nixspam every two hours:


root's crontab:
# update spamd on :15 every two hours
15  */2 *   *   *   /etc/mail/spamd-setup.sh


spamd-setup.sh:
#!/bin/sh
# sleep 0..15 minutes
/bin/sleep $(($RANDOM / 72))
/usr/local/bin/wget -o /dev/null -NxP /home/ftp/pub/mirrors -nv \
http://www.openbsd.org/spamd/{traplist,nixspam}.gz
/usr/libexec/spamd-setup


Also, china and korea are fetched in daily.local:
# http://www.openbsd.org/spamd/{china,korea}cidr.txt.gz are not mirrored
# regularly, so we use the original source
/usr/local/bin/wget -NxP /home/ftp/pub/mirrors -nv \
http://www.okean.com/{china,korea}cidr.txt


The advantage of using wget(1) (or curl(1) if you like) is that it will  
only fetch the file if the timestamp has changed.




--
Gemaakt met Opera's revolutionaire e-mailprogramma:  
http://www.opera.com/mail/

(Remove the obvious prefix to reply.)

Re: dedicating a server to spamd

[Boudewijn Dijkstra]

Op Tue, 25 Oct 2011 15:17:45 +0200 schreef ML mail mlnos...@yahoo.com:
Many thanks for your solution based on using the local sendmail  
installation.
That makes sense and sendmail will then be taking care of routing the  
mails to
the qmail server, a nice solution which I will give a go. So is this  
basically

the only solution if someone wants to use spamd on a dedicated box?


You could also use pfctl to periodically dump the spamd-white table and  
place it where it can be downloaded by the firewall.  If you don't have  
any white entries in spamd.conf, then you could also use /var/db/spamd.




--
Gemaakt met Opera's revolutionaire e-mailprogramma:  
http://www.opera.com/mail/

(Remove the obvious prefix to reply.)

Re: dhclient, resolv.conf

[Boudewijn Dijkstra]

Op Sat, 22 Oct 2011 10:41:56 +0200 schreef Philippe Meunier  
meun...@ccs.neu.edu:

Kenneth R Westerback wrote:

If you are using dhclient, then /etc/resolv.conf is not really a
configuration file.


Unless your machine runs its own DNS server.  Then you really don't
want dhclient-script to mess with your /etc/resolv.conf.  But
dhclient-script will still blindly mess with /etc/resolv.conf if the
DHCP server says so, despite the fact that your /etc/dhclient.conf
never asked for anything related to DNS servers in the first place.
Then you will have to mess with supersede and /etc/resolv.conf.tail
in order to fix dhclient-script's mess.


If the DHCP server says things that are wrong, then _that_ needs to be  
fixed.




--
Gemaakt met Opera's revolutionaire e-mailprogramma:  
http://www.opera.com/mail/

(Remove the obvious prefix to reply.)

Re: spamd.black pfctl

[Boudewijn Dijkstra]

Op Mon, 10 Oct 2011 12:12:23 +0200 schreef pavel pocheptsov  
lilit-aibo...@mail.ru:

hello misc.
I have spamd before mail server. and it's work nice with liberal setting  
like this:

spamd_flags=-v -l 127.0.0.1 -G 10:4:864 -h mail.server

pf.conf:
[...]
block in log quick on { $ext_if_a, $ext_if_b } from { bruteforce,  
private, spamd-black } to any

[...]

but I won't want to reload all rules. In best way I want to add in pf  
spamd-black table

only new IP, that I past in the top of spam.txt file.
[...]


I also employ a manual blacklist, but I import it through spamd.conf(5).   
This way, the entries are not blocked by pf, but enter spamd's tarpit.   
This will keep the spammer's machine busy and delay the delivery of other  
spam.



--
Gemaakt met Opera's revolutionaire e-mailprogramma:  
http://www.opera.com/mail/

(Remove the obvious prefix to reply.)

fortune(6) lies

[Boudewijn Dijkstra]

Some of the historic fortune(6) adages are good to have, but I have my
doubts about this one:

===
Imagine that Cray computer decides to make a personal computer.  It has
a 150 MHz processor, 200 megabytes of RAM, 1500 megabytes of disk
storage, a screen resolution of 4096 x 4096 pixels, relies entirely on
voice recognition for input, fits in your shirt pocket and costs $300.
What's the first question that the computer community asks?

Is it PC compatible?
===


--
Gemaakt met Opera's revolutionaire e-mailprogramma:  
http://www.opera.com/mail/

(Remove the obvious prefix to reply privately.)

Re: fortune(6) lies

[Boudewijn Dijkstra]

Op Fri, 24 Jun 2011 13:12:44 +0200 schreef Nick Holland  
n...@holland-consulting.net:

On 06/24/11 04:44, Boudewijn Dijkstra wrote:

Some of the historic fortune(6) adages are good to have, but I have my
doubts about this one:

===
Imagine that Cray computer decides to make a personal computer.  It has
a 150 MHz processor, 200 megabytes of RAM, 1500 megabytes of disk
storage, a screen resolution of 4096 x 4096 pixels, relies entirely on
voice recognition for input, fits in your shirt pocket and costs $300.
What's the first question that the computer community asks?

Is it PC compatible?
===




What lie?  Looks dead-on to me.


Taken out of its unspecified context into the present day, the computer  
community won't ask that.



As someone who's interest in the small computer predates the IBM PC
(0.625M RAM, 10M HD, 4.8MHz proc, 320x200 graphics), I can relate to
everything on that quote, other than an imbalance in the imagined
progress (STILL waiting for my 4096x4096 screen).


That the 'computer community' would ask that question, is based entirely  
on the assumption that the PC platform is and will be the only platform  
that has a decent choice in apps.  Did the 'computer community' worry  
about app availability when the iPhone came out?  Hardly.  The gradual  
miniaturization of computer platforms has expanded the 'computer  
community' to almost every consumer.  The above phrase imagine that not  
only includes technological progress, but also sociological changes.   
Granted, the latter is much harder to predict.



yes, there was a time when Meg was a woman's name and Gig was
something a band did, and if you said gigahertz to someone, they'd
probably look around to see if there were any children or members of the
opposite sex around, and all those numbers were absurdly big.

Long ago (~1989), in a job much closer than where I'm working now, I
worked for Zenith Data Systems.  We had an interesting machine called a
Z-1000 -- an asymetric multi-processor machine (20MHz 80386 work
processors, 16MHz 80386 control processor...or maybe other way around,
I'm not going to swear to those specs), fair amount of RAM for the day
per processor, no video board, lots of serial port concentrators.  Ran
SCO Xenix, about the size of a dorm room fridge, and a lot heavier.

To deal with the questions (which I found annoying), I put a sign on it,
Zenith Z-1000.  Not PC Compatable.  Will not run Flight Simulator, will
not run Lotus 123, not even at gun point.  I was somewhat horrified to
find out it would boot a PC's version of MSDOS over the serial console,
but fortunately no one noticed my experiment or that it worked.

Didn't sell a single one of them.  That's all people wanted to know.
Is it PC compatible?  Does it run Flight Simulator?  Does it run Lotus
123? (FS and 123 were the benchmarks of PC compatibility.  In the
earlier days, there were a few machines which were built to the
benchmarks, ran Lotus 123 and Flight Simulator and little else).

Nick.
(showing his age)


I often seem to somehow get old people to tell good stories.  ;)


--
Gemaakt met Opera's revolutionaire e-mailprogramma:  
http://www.opera.com/mail/

(Remove the obvious prefix to reply.)

Re: man cp: -i versus -f

[Boudewijn Dijkstra]

Op Wed, 15 Jun 2011 16:52:12 +0200 schreef Jan Stary h...@stare.cz:

The manpage of cp says

 -f	 For each existing destination pathname, remove it and  
create a

 new file, without prompting for confirmation, regardless of its
 permissions.  This option overrides any use of -i.

 -i	 Write a prompt to the standard error output before copying  
a file

 that would overwrite an existing file.  If the response from the
 standard input begins with the character `y', the file copy is
 attempted.

but that isnot what cp actually does:

$ rm -f echo bar
$ echo new  foo
$ echo old  bar
$ cp -fi foo bar
overwrite bar? n
$ cat bar
old

Accoording to the manpage, the '-f' should have overrided the '-i'.
Instead, it asked for confirmation, which said 'n', and cp(1) did
not copy foo over bar, as it still has the old content.


Manpage has been like this forever.  Looks like the behaviour has been  
bugged since 1999:


--- src/bin/cp/cp.c 1998/07/03 17:43:56 1.12
+++ src/bin/cp/cp.c 1999/05/06 18:19:45 1.13
@@ -91,7 +91,7 @@ static char rcsid[] = $OpenBSD: cp.c,v 1.12 1998/07/0
 PATH_T to = { to.p_path,  };

 uid_t myuid;
-int Rflag, iflag, pflag, rflag;
+int Rflag, fflag, iflag, pflag, rflag;
 int myumask;

 enum op { FILE_TO_FILE, FILE_TO_DIR, DIR_TO_DNE };
@@ -129,10 +129,12 @@ main(argc, argv)
Rflag = 1;
break;
case 'f':
+   fflag = 1;
iflag = 0;
break;
case 'i':
iflag = isatty(fileno(stdin));
+   fflag = 0;
break;
case 'p':
pflag = 1;

So the behaviour depends on the order of the arguments.  E.g. when doing:
$ cp -if foo bar
no confirmation is asked, and:
$ cat bar
new
.

Here's a fix (tested):

--- src/bin/cp/cp.c.origSun Nov  4 03:01:57 2007
+++ src/bin/cp/cp.c Wed Jun 15 17:20:25 2011
@@ -113,8 +113,10 @@
iflag = 0;
break;
case 'i':
-   iflag = isatty(STDIN_FILENO);
-   fflag = 0;
+   if (!fflag) {
+   iflag = isatty(STDIN_FILENO);
+   fflag = 0;
+   }
break;
case 'p':
pflag = 1;




--
Gemaakt met Opera's revolutionaire e-mailprogramma:  
http://www.opera.com/mail/

(Remove the obvious prefix to reply.)

Re: spamd in blacklist mode 4.8 not working?

[Boudewijn Dijkstra]

Op Wed, 25 May 2011 15:46:01 +0200 schreef Ivo Chutkin open...@bgone.net:

On 25.5.2011 P3. 15:32 Q%07., Stuart Henderson wrote:

On 2011-05-25, Ivo Chutkinopen...@bgone.net  wrote:

Hello Misc,
Some months ago I upgraded my firewall to 4.8 -stable form 4.5.
Everything went well except my spamd setup. I run it in blacklist mode  
only.
It is running according to logs, netstat, ps ax and top. The table  
spamd

in pf.conf gets populated by spamd-setup but nothing gets to the spamd.
I am missing something obvious here but I am lost...


in /etc/rc look for this line

/usr/libexec/spamd-setup -D

please add -b to it, see if that helps, and report back.



I did so, but I am not able to reboot it now. It is production system.
When I get it done I will report back for sure.


You can run that as root without rebooting.

But, it should also be run periodically from crontab.


--
Gemaakt met Opera's revolutionaire e-mailprogramma:  
http://www.opera.com/mail/

(Remove the obvious prefix to reply.)

Re: A bad entry in the spamdb kills pfctl

[Boudewijn Dijkstra]

Op Tue, 23 Nov 2010 18:05:14 +0100 schreef Peter Fraser p...@thinkage.ca:
Somehow I have an bad  entry in my /var/db/spamdb the entry in question  
is a follows.


GREY|kadorken.thspamdb -t -a  
itroll.03092...@thinkage.chinkage.on.ca|spamdb -t
-a kgdykesb...@thinkage.on.ca|spamdb -t -a  
kgdykesb...@thinkage.on.ca|spamdb

-t -a kgdykescxspamdb|1160168514|0|0|1|-2

I have no idea how the entry got there.

How can I delete it?  I cannot  get the  spamdb -d to work, it is  
expecting an IP address


The entry ends with 0|0|1|-2 so it is actually a spamtrap entry that  
contains newlines.  That's why it didn't expire although you'd think it  
should have.  I could successfully use spamdb(8) to add spamtrap entries  
containing a few newlines and then remove them (phew!).  So try this:


# spamdb -Td 'kadorken.thspamdb -t -a  
itroll.03092...@thinkage.chinkage.on.ca

spamdb -t -a kgdykesb...@thinkage.on.ca
spamdb -t -a kgdykesb...@thinkage.on.ca
spamdb -t -a kgdykescxspamdb'

If that doesn't work, then possibly the real key is longer and you need a  
modified version of spamdb(8) to extract it.



--
Gemaakt met Opera's revolutionaire e-mailprogramma:  
http://www.opera.com/mail/

Re: spamd -G whiteexp not honored?

[Boudewijn Dijkstra]

Op Mon, 01 Nov 2010 20:08:00 +0100 schreef Daniel Perup dan...@perup.net:
I'm having problems with spamd and the -G option. It seems that spamd  
does not honor the whiteexp value at all, but uses the default value at  
all times:


That is a sweeping statement, coming from just one test case.


# pkill spam
# /usr/libexec/spamd -G 4:10:500
# /usr/libexec/spamd-setup -D
# /usr/libexec/spamlogd
# spamdb -a 1.2.3.4
# spamdb|grep 1.2.3.4
WHITE|1.2.3.4|||1288600451|1288600451|1291710851|1|0
# date -r 1288600451
Mon Nov  1 09:34:11 CET 2010
# date -r 1291710851
Tue Dec  7 09:34:11 CET 2010

As you can see, the default 36 days are still in effect.


spamdb(8) doesn't talk to spamd(8) when whitelisting, not even to receive
the whiteexp value.  It just manipulates spamd's database using default
values.


This happens with
all the whiteexp values I have tried, from 50 to 5000. I am using OpenBSD
4.6, but I have not seen anything related to this in the newer  
changelogs.
It should be easy for someone on 4.7 (or 4.8) to verify if this  
behaviour is still there.


Thanks,

   Daniel




--
Gemaakt met Opera's revolutionaire e-mailprogramma:
http://www.opera.com/mail/

Re: zombies - solved

[Boudewijn Dijkstra]

Op Wed, 12 Mar 2008 17:05:01 +0100 schreef Pete Vickers  
[EMAIL PROTECTED]:

If you want to serve http content via IPv6, then perhaps you can run
httpd on your (IPv4) loopback interface, and have relayd listen on
your public IPv6 interface, and forward requests over IPv4 to it ?


And then what if the HTTP request reads something like GET [::1] ?



--
Boudewijn Dijkstra
Indes - IDS B.V.
+31 345 545 535

Re: The Dilbert Problem...

[Boudewijn Dijkstra]

Op Wed, 05 Mar 2008 13:42:48 +0100 schreef Peter N. M. Hansteen  
[EMAIL PROTECTED]:

Mayuresh Kathe [EMAIL PROTECTED] writes:


The first (dilbert) tab takes a long time to load during which the
other tabs too show nothing, they get stuck at Looking up...


another data point - here the dilbert site loads very slowly in a
firefox with about 15 tabs open already (lots of graphics it seems)
but other sites opened after it in separate tabs load normally.


The delay is most likely caused by the DNS requests for all the different  
advert sites.  My guess is that Firefox handles the DNS requests in order,  
using the same execution context for all tabs, waiting for each one before  
proceeding to the next.  Requesting an  record that does not exist (or  
trying to connect to the first four bytes of an IPv6-address) might very  
well cause an additional slowdown.




--
Boudewijn Dijkstra
Indes - IDS B.V.
+31 345 545 535

Re: Monitoring Battery...

[Boudewijn Dijkstra]

Op Mon, 25 Feb 2008 13:08:10 +0100 schreef Mayuresh Kathe  
[EMAIL PROTECTED]:

Is there any way to monitor the charge left on the battery of a laptop?
Like how much percentage of the battery charge is left to allow us to
estimate how long it will work without connecting to a wall socket?

I googled for monitoring battery openbsd but got nothing satisfactory.


$ apropos power|grep '(8)'
apm (8) - Advanced Power Management control program
apmd (8) - Advanced Power Management monitor daemon





--
Boudewijn Dijkstra
Indes - IDS B.V.
+31 345 545 535

Re: Monitoring Battery...

[Boudewijn Dijkstra]

Op Mon, 25 Feb 2008 13:22:24 +0100 schreef Mayuresh Kathe  
[EMAIL PROTECTED]:
On Mon, Feb 25, 2008 at 5:45 PM, Antoine Jacoutot [EMAIL PROTECTED]  
wrote:

On Mon, 25 Feb 2008, Mayuresh Kathe wrote:
  I googled for monitoring battery openbsd but got nothing  
satisfactory.


 apm(8)


I tried 'apm -b' to get the battery status, but it showed 255, which
is 'unknown', is it because my laptop isn't properly supported?


$ if [ `dmesg|grep apm` ];then echo No.;else echo Yes.;fi



--
Boudewijn Dijkstra
Indes - IDS B.V.
+31 345 545 535