Re: Multi-domain DKIM signature with OpenSMTPd
On 3/19/20 5:06 AM, Graeme Lee wrote: > > > On 19/03/2020 8:45 am, Martijn van Duren wrote: >> On 3/18/20 8:41 PM, Matthieu wrote: >>> Le 18/03/2020 à 19:39, Hiltjo Posthuma a écrit : On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote: > Hi everybody > I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it > before ? > My first intention is to sign mails from different domains on a single > mail > server. So the > > OpenDKIM works with a socket and I don't know how and if it works with the > smptd filter. > I've seen the «opensmptd-filter-dkimsign» packet, but we can only specify > one domaine. > > Otherwise I'd be looking at the side of dkimproxy if it can do the job or > not. > > Thx for any help. > Hi, Theres an example described in the smtpd.conf(5) man page. opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c It's relatively small and also privilege-separated. It has a parameter to set the domain name (-d). In smtpd.conf you can define multiple filters. See also the man page filter-dkimsign(8) for detailed information. I've replaced dkimproxy (Perl-based and complex) with opensmtpd-filter-dkimsign. It works well for my needs. >>> Hi Hiltjo, >>> Currently I already use opensmtpd-filter-dkimsign, but I didn't >>> understand how to use it for multiple domains at once. >>> >>> I've seen the example in the man page : >>> https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign >>> >>> I thought was to be replaced by only one domain to sign. Is a >>> domain a table like Alias? If so, what is the format of the file? But I >>> doubt it since in the filter code it doesn't look like a list. >>> >>> static char *domain = NULL; >>> […] >>> box 'd': >>> domain = optarg; >>> […] >>> if (!dkim_signature_printf(message, >>> "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ", "1", >>> cryptalg, hashalg, >>> canonheader == CANON_SIMPLE ? "simple": "relaxed." >>> canonbody == CANON_SIMPLE ? "simple": "relaxed." >>> domain, selector)) >>> >>> Finally in the example given in this presentation it is indeed a single >>> domain: >>> https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf >>> >> That's because filter-dkimsign doesn't support multiple domains, and >> unless someone can give me a good reason to do so it probably is going >> to stay that way. > I'm using dkimproxy for this. I host multiple domain names. dkimproxy > is pretty easy to configure to sign outbound on a per domain basis. > > /etc/dkimproxy_out.conf > listen 127.0.0.1: > relay 127.0.0.1: > sender_map /etc/mail/dkim/sender_map > > /etc/dmail/dkim/sender_map > example.com > dkim(key=/etc/mail/dkim/example.com.key,d=example.com,c=relaxed,s=selector1) > example.org > dkim(key=/etc/mail/dkim/example.org.key,d=example.org,c=simple,s=selector1) > ... > > I can send the smtpdconf through if you're stuck. > > If the domain being relayed is not in the map, it isn't signed. > dkimproxy is not doing any inbound processing. It would be awesome to > pull this from a pgsql db source, which is how I manage what smtpd can > and cannot relay. > >> >> I know that some mail providers add an additional positive score to >> your spam rating if you have DKIM, but I reckon this is BS, because >> DKIM is nothing more than a glorified debugging tool to tell you which >> server butchered the content of your mail if every server in the chain >> adds a DKIM signature. To be precise: it only tells you that a >> particular domain owner (d-option) knows what server(s) a particular key >> (s-option) belongs to, so that if a signature fails it it could only >> have happened before the last server which has a valid signature. >> >> Could you explain why you (think you) need to have multiple domain >> support? > I own (and manage) multiple domains. Why would I not take advantage of > virtual domains on 1 host? I do to, but as far as I'm aware there's nothing in the spec that states that a mail domain should be signed with a key in its own domain; and I'd to think that I've be pretty thorough while reading it multiple times. If I want I can sign a mail with an @gmail.com sender on it with my personal imperialat.at DKIM key and recipients will properly validate it. So yes, I have multiple virtual hosts and only one key (domain+selector) per server. And if you were to look through your mailbox you'd find multiple vendors who also sign their mail with a different domain in their DKIM signature than is in the domain component of their from header; including office365. > > Graeme > >
Re: Uptime in seconds
$ echo $(( $(date +%s) - $(sysctl -n kern.boottime) )) 221493 Cool! Thank you
Uptime in seconds
Hello, for a shell script I needed the uptime in seconds. I came up with the following. I'm just wondering, is there an one-liner that does the same thing? # Inspired by https://unix.stackexchange.com/a/270454 uptime=`ps -o etime= -p 1` uptd=`echo $uptime | grep '-' | awk -F "-" '{print $1}'` if [ "$uptd" == "" ] then upth=`echo $uptime | awk -F ":" '{print $1}'` uptm=`echo $uptime | awk -F ":" '{print $2}'` upts=`echo $uptime | awk -F ":" '{print $3}'` if [ "$upts" == "" ] then upts=$uptm uptm=$upth upth=0 fi uptimeseconds=$((10#$upts + 10#$uptm * 60 + 10#$upth * 3600)) else upth=`echo $uptime | awk -F "-" '{print $2}' | awk -F ":" '{print $1}'` uptm=`echo $uptime | awk -F "-" '{print $2}' | awk -F ":" '{print $2}'` upts=`echo $uptime | awk -F "-" '{print $2}' | awk -F ":" '{print $3}'` uptimeseconds=$((10#$upts + 10#$uptm * 60 + 10#$upth * 3600 + $uptd * 86400)) fi echo $uptimeseconds
Re: Uptime in seconds
On 2020-03-19 20:33, Thomas Bohl wrote: > Hello, > > for a shell script I needed the uptime in seconds. I came up with the > following. I'm just wondering, is there an one-liner that does the > same thing? $ echo $(( $(date +%s) - $(sysctl -n kern.boottime) )) 221493 > # Inspired by https://unix.stackexchange.com/a/270454 > uptime=`ps -o etime= -p 1` > uptd=`echo $uptime | grep '-' | awk -F "-" '{print $1}'` > > if [ "$uptd" == "" ] > then > upth=`echo $uptime | awk -F ":" '{print $1}'` > uptm=`echo $uptime | awk -F ":" '{print $2}'` > upts=`echo $uptime | awk -F ":" '{print $3}'` > > if [ "$upts" == "" ] > then > upts=$uptm > uptm=$upth > upth=0 > fi > > uptimeseconds=$((10#$upts + 10#$uptm * 60 + 10#$upth * 3600)) > else > upth=`echo $uptime | awk -F "-" '{print $2}' | awk -F ":" '{print > $1}'` > uptm=`echo $uptime | awk -F "-" '{print $2}' | awk -F ":" '{print > $2}'` > upts=`echo $uptime | awk -F "-" '{print $2}' | awk -F ":" '{print > $3}'` > uptimeseconds=$((10#$upts + 10#$uptm * 60 + 10#$upth * 3600 + > $uptd * 86400)) > fi > > echo $uptimeseconds
Re: Multi-domain DKIM signature with OpenSMTPd
On 3/19/20 9:21 PM, Matthieu wrote: > Le 19/03/2020 à 20:46, Martijn van Duren a écrit : >> On 3/19/20 8:24 PM, Matthieu wrote: >>> Thank you for your response. >>> My main reason is that, as a freelancer, I have a professional email >>> that I don't want to mix with my personal email. Moreover, a friend asks >>> me to host his emails and I don't want to mix it up either. >> >> Please be more concise. What do you mean "don't want to mix it up"? >> What would be mixed up? What would be the consequences of that? >> Based on what would it need to be separated? > I don't want the personal or professional domain name to appear in the > other's signature. I understand that nobody is going to look at it and > that it's a bit maniacal, but I find it cleaner. > Knowing that Gmail and others are quite strict about their spam filters, > I don't find it useless. > So basically the warm and fuzzies. :-) No problem, but in that case dkimsign is not for you and dkimproxy might be more suitable.
Re: Multi-domain DKIM signature with OpenSMTPd
On Wed, Mar 18, 2020 at 10:45:06PM +0100, Martijn van Duren wrote: > That's because filter-dkimsign doesn't support multiple domains, and > unless someone can give me a good reason to do so it probably is going > to stay that way. > > I know that some mail providers add an additional positive score to > your spam rating if you have DKIM, but I reckon this is BS, because > DKIM is nothing more than a glorified debugging tool to tell you which > server butchered the content of your mail if every server in the chain > adds a DKIM signature. To be precise: it only tells you that a > particular domain owner (d-option) knows what server(s) a particular key > (s-option) belongs to, so that if a signature fails it it could only > have happened before the last server which has a valid signature. > > Could you explain why you (think you) need to have multiple domain > support? > You (currently?) can't. If you want multiple conditions on different > filters you would need to create multiple listening sockets (e.g. > multiple ips or ports) and apply the correct match-rules based on the > socket. > > martijn@ > OK, thanks for clearing that up. I learned a lot using it. I would also like to use multiple domains, but I don't see any reason to ask you to do any more work than you want to. Thanks for your work. I appreciate it. And trying to use multiple domains was a good lesson in strange results. :-} Chris Bennett
Re: Multi-domain DKIM signature with OpenSMTPd
On 3/19/20 7:49 PM, Chris Bennett wrote: > On Wed, Mar 18, 2020 at 10:45:06PM +0100, Martijn van Duren wrote: >> That's because filter-dkimsign doesn't support multiple domains, and >> unless someone can give me a good reason to do so it probably is going >> to stay that way. >> >> I know that some mail providers add an additional positive score to >> your spam rating if you have DKIM, but I reckon this is BS, because >> DKIM is nothing more than a glorified debugging tool to tell you which >> server butchered the content of your mail if every server in the chain >> adds a DKIM signature. To be precise: it only tells you that a >> particular domain owner (d-option) knows what server(s) a particular key >> (s-option) belongs to, so that if a signature fails it it could only >> have happened before the last server which has a valid signature. >> >> Could you explain why you (think you) need to have multiple domain >> support? >> You (currently?) can't. If you want multiple conditions on different >> filters you would need to create multiple listening sockets (e.g. >> multiple ips or ports) and apply the correct match-rules based on the >> socket. >> >> martijn@ >> > > OK, thanks for clearing that up. I learned a lot using it. I would also > like to use multiple domains, but I don't see any reason to ask you to > do any more work than you want to. > Thanks for your work. I appreciate it. And trying to use multiple > domains was a good lesson in strange results. :-} > > Chris Bennett > I've had multiple people tell me that they want to have multiple domain support, but either they misunderstood the workings of DKIM, or it's a case of "but it gives me the warm and fuzzies". So please, be as clear as you can be on why you want to use it and how you want to use it; and either we can improve your understanding of the spec and your setup (and help people on the list at the same time) or you make a valid case (maybe I did miss something) and I might be motivated to add it. In other words, I'm not definitively saying no, but it will only complicate the code even further with all the additional risks; there must be a damn good reason to go down that path.
Re: Multi-domain DKIM signature with OpenSMTPd
On Wed, Mar 18, 2020 at 10:45:06PM +0100, Martijn van Duren wrote: Could you explain why you (think you) need to have multiple domain support? You (currently?) can't. If you want multiple conditions on different filters you would need to create multiple listening sockets (e.g. multiple ips or ports) and apply the correct match-rules based on the socket. martijn@ Thank you for your response. My main reason is that, as a freelancer, I have a professional email that I don't want to mix with my personal email. Moreover, a friend asks me to host his emails and I don't want to mix it up either. I'm not develloper C, but if I propose a patch for this feature, does it have a possibility to be integrated ?
Re: Multi-domain DKIM signature with OpenSMTPd
Le 19/03/2020 à 20:46, Martijn van Duren a écrit : On 3/19/20 8:24 PM, Matthieu wrote: Thank you for your response. My main reason is that, as a freelancer, I have a professional email that I don't want to mix with my personal email. Moreover, a friend asks me to host his emails and I don't want to mix it up either. Please be more concise. What do you mean "don't want to mix it up"? What would be mixed up? What would be the consequences of that? Based on what would it need to be separated? I don't want the personal or professional domain name to appear in the other's signature. I understand that nobody is going to look at it and that it's a bit maniacal, but I find it cleaner. Knowing that Gmail and others are quite strict about their spam filters, I don't find it useless. And just to be clear, I'm not trying to be a pedantic asshole for its own sake. I honestly don't see where our interpretations diverge. No problem to discuss it. I'm not develloper C, but if I propose a patch for this feature, does it have a possibility to be integrated ? Any patch is welcome if properly motivated. If it's not up to par we can always polish it further. But I'd advise to first come to an understanding on the motivation. My motivations are those set out above. Otherwise I can always fall back on dkimproxy.
Re: Openbsd 6.6 amd64 stable bridge with 90 vlans does not forward packets after reboot
Hi Tom Just looking at /etc/netstart (admittedly for 6.1) and by all rights that shouldn't be happening - the VLAN interfaces should be starting well before the bridges. Maybe add !sleep 1 to the top of the /etc/hostname.bridge101 file and see if it does better? On Fri, Mar 20, 2020 at 12:22 PM Tom Smyth wrote: > > Hello, > > I have a box that I use to aggregate a number of vlans which are > isolated from each other(using port protection groups and bridged > onto a 10G interface ix0 > these are configured using a standard hostname.bridgefile as follows, > cat /etc/hostname.bridge101 > maxaddr 16384 timeout 300 > up > add ix0 -stp ix0 > add vlan604 protected vlan604 1 -stp vlan604 > add vlan4069 protected vlan4069 1 -stp vlan4069 > . > . > . > add vlan3982 protected vlan43982 1 -stp vlan3982 > > when I reboot the box ... the system does not seem to forward frames ) > > but if I run > sh /etc/netstart bridge101 > > then the bridge forwards the packets just fine. > > interface configs are as follows > cat /etc/hostname.ix0 > mtu 1700 up > > cat /etc/hostname.ix1 > mtu 1708 up > > cat /etc/hostname.vlan3982 > parent ix1 vnetid 3982 mtu 1700 up > > > ifconfig bridge101 yields similar results after reboot as opposed to > ifconfig bridge101 after restarting the interface > > the only differences I saw was the index > > after reboot the index of bridge101 was 6 > > but after restarting the bridge101 the index of bridge101 was 98 > (which sounds to me like perhaps the bridge was being started before > the vlans on bootup) > > > has anyone come across this issue before? > Thanks > > > > > -- > Kindest regards, > Tom Smyth. > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Openbsd 6.6 amd64 stable bridge with 90 vlans does not forward packets after reboot
hi Aaron, I tried that, no such luck !/bin/sleep 20 didnt work i also tried adding sh /etc/netstart bridge101 to the rc.local that didnt work, I ended up just manually destroying the bridge and starting it with sh /etc/netstart to get it running... Thanks Tom Smyth On Fri, 20 Mar 2020 at 02:04, Aaron Mason wrote: > > Hi Tom > > Just looking at /etc/netstart (admittedly for 6.1) and by all rights > that shouldn't be happening - the VLAN interfaces should be starting > well before the bridges. Maybe add !sleep 1 to the top of the > /etc/hostname.bridge101 file and see if it does better? > > On Fri, Mar 20, 2020 at 12:22 PM Tom Smyth > wrote: > > > > Hello, > > > > I have a box that I use to aggregate a number of vlans which are > > isolated from each other(using port protection groups and bridged > > onto a 10G interface ix0 > > these are configured using a standard hostname.bridgefile as follows, > > cat /etc/hostname.bridge101 > > maxaddr 16384 timeout 300 > > up > > add ix0 -stp ix0 > > add vlan604 protected vlan604 1 -stp vlan604 > > add vlan4069 protected vlan4069 1 -stp vlan4069 > > . > > . > > . > > add vlan3982 protected vlan43982 1 -stp vlan3982 > > > > when I reboot the box ... the system does not seem to forward frames ) > > > > but if I run > > sh /etc/netstart bridge101 > > > > then the bridge forwards the packets just fine. > > > > interface configs are as follows > > cat /etc/hostname.ix0 > > mtu 1700 up > > > > cat /etc/hostname.ix1 > > mtu 1708 up > > > > cat /etc/hostname.vlan3982 > > parent ix1 vnetid 3982 mtu 1700 up > > > > > > ifconfig bridge101 yields similar results after reboot as opposed to > > ifconfig bridge101 after restarting the interface > > > > the only differences I saw was the index > > > > after reboot the index of bridge101 was 6 > > > > but after restarting the bridge101 the index of bridge101 was 98 > > (which sounds to me like perhaps the bridge was being started before > > the vlans on bootup) > > > > > > has anyone come across this issue before? > > Thanks > > > > > > > > > > -- > > Kindest regards, > > Tom Smyth. > > > > > -- > Aaron Mason - Programmer, open source addict > I've taken my software vows - for beta or for worse -- Kindest regards, Tom Smyth.
Re: Multi-domain DKIM signature with OpenSMTPd
On 3/19/20 8:24 PM, Matthieu wrote: > >> On Wed, Mar 18, 2020 at 10:45:06PM +0100, Martijn van Duren wrote: > >> Could you explain why you (think you) need to have multiple domain >> support? >> You (currently?) can't. If you want multiple conditions on different >> filters you would need to create multiple listening sockets (e.g. >> multiple ips or ports) and apply the correct match-rules based on the >> socket. >> >> martijn@ >> > Thank you for your response. > My main reason is that, as a freelancer, I have a professional email > that I don't want to mix with my personal email. Moreover, a friend asks > me to host his emails and I don't want to mix it up either. Please be more concise. What do you mean "don't want to mix it up"? What would be mixed up? What would be the consequences of that? Based on what would it need to be separated? And just to be clear, I'm not trying to be a pedantic asshole for its own sake. I honestly don't see where our interpretations diverge. > > I'm not develloper C, but if I propose a patch for this feature, does it > have a possibility to be integrated ? > Any patch is welcome if properly motivated. If it's not up to par we can always polish it further. But I'd advise to first come to an understanding on the motivation.
Openbsd 6.6 amd64 stable bridge with 90 vlans does not forward packets after reboot
Hello, I have a box that I use to aggregate a number of vlans which are isolated from each other(using port protection groups and bridged onto a 10G interface ix0 these are configured using a standard hostname.bridgefile as follows, cat /etc/hostname.bridge101 maxaddr 16384 timeout 300 up add ix0 -stp ix0 add vlan604 protected vlan604 1 -stp vlan604 add vlan4069 protected vlan4069 1 -stp vlan4069 . . . add vlan3982 protected vlan43982 1 -stp vlan3982 when I reboot the box ... the system does not seem to forward frames ) but if I run sh /etc/netstart bridge101 then the bridge forwards the packets just fine. interface configs are as follows cat /etc/hostname.ix0 mtu 1700 up cat /etc/hostname.ix1 mtu 1708 up cat /etc/hostname.vlan3982 parent ix1 vnetid 3982 mtu 1700 up ifconfig bridge101 yields similar results after reboot as opposed to ifconfig bridge101 after restarting the interface the only differences I saw was the index after reboot the index of bridge101 was 6 but after restarting the bridge101 the index of bridge101 was 98 (which sounds to me like perhaps the bridge was being started before the vlans on bootup) has anyone come across this issue before? Thanks -- Kindest regards, Tom Smyth.
Re: deep web cookie
I find the equation in the end : c = λ/2 * ( 1 - λ/2 ) is a good explanation for the origin of "light" if λ is taken to mean the "first moment." Sylvain emails by spamgourmet.com - Mail original - > De: "sylvain saboua" > À: misc@openbsd.org > Envoyé: Vendredi 14 Février 2020 07:35:11 > Objet: deep web cookie > > (read attached picture) > > Sylvain > emails by spamgourmet.com > >