Re: lmtps

2018-08-03 Thread ѽ҉ᶬḳ
First off - could we rather stay on the rationale and avoid introducing
tags like [ complaining ] and [ insist ] or [ *you* ].
Starting the thread was not meant as a complaint but simply as an
inquiry about it. I have not been insistent or insinuated such either.
And [ *you* ] appears to be elevating the discussion to a personal level.

> Someone asking developers to add TLS to a daemon for a protocol that is
> meant to be ran *locally* or on a trusted network, while complaining
> that the proposed alternatives add unnecessary complexity.  Oh the
> irony...

Fair enough if the developers are not inclined to the idea.

The (V)LANs are trusted, but that does not mean that (certain) types of
traffic should flow unencrypted within such networks.

> Even if you insist on running something called "local" on a different
> host, you have presented yet another possible solution yourself: a VLAN.

VLAN is not really about transport layer security and certain traffic
may have to traverse across different VLANs.
What is the semantics of [ local ] - a single physical machine, a (V)LAN
behind NAT, a (V)LAN spawned from a secure tunnel?

> If you really really really need TLS then you'll probably be better off
> running a different instance of smtpd on the dovecot host, with an
> extremely simple config that does nothing else than listening on 25
> using TLS and delivering everything via lmtpd.

I am aware of it, but that was not the point of asking about lmtps.

> There are plenty of solutions.  Unfortunately for you, nearly all of
> them require that it is you that handle the complexity *you* require,
> instead of offloading it to the devs.

That was again not the point of asking about lmtps, but certainly musing
on why the dovecot/postfix developers bothered with bloating their code
by implementing lmtps if it is such an outlandish idea?

>
>> Neither is utilizing dovecot's native lmtps stack though and adding
>> (unnecessary) complexity to the network.
>> postfix has lmtps implemented and perhaps the smtpd developers may
>> consider to follow suit some day.
>>> I can recommend lmtp over spiped, works great.
 You could probably use ssh to tunnel it or something similar. 
> Sure and makes certainly sense, but you can still have (V)LAN servers
> with different subnets and not necessarily everything on a single
> server/subnet.
>> from the lmtp rfc
>>
>>     The LMTP protocol SHOULD NOT be used over wide area networks.
 You don't really need to do secure lmtp because lmtp primarily runs on 
 a trusted network anyway. In fact, if you're running smtp and dovecot 
 on the same server, just use lmtp over a Unix domain socket.
> dovecot supports TLS over LMTP(S). Been searching the net but could 
> not
> find a trace about smtpd support for lmtps and hence wondering whether
> such implemented?
>>



--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: lmtps

2018-08-02 Thread ѽ҉ᶬḳ
Neither is utilizing dovecot's native lmtps stack though and adding
(unnecessary) complexity to the network.
postfix has lmtps implemented and perhaps the smtpd developers may
consider to follow suit some day.

> I can recommend lmtp over spiped, works great.
>> You could probably use ssh to tunnel it or something similar. 
>>> Sure and makes certainly sense, but you can still have (V)LAN servers
>>> with different subnets and not necessarily everything on a single
>>> server/subnet.
 from the lmtp rfc

     The LMTP protocol SHOULD NOT be used over wide area networks.
>> You don't really need to do secure lmtp because lmtp primarily runs on a 
>> trusted network anyway. In fact, if you're running smtp and dovecot on 
>> the same server, just use lmtp over a Unix domain socket.
>>> dovecot supports TLS over LMTP(S). Been searching the net but could not
>>> find a trace about smtpd support for lmtps and hence wondering whether
>>> such implemented?

>>>






Re: lmtps

2018-08-01 Thread ѽ҉ᶬḳ
Sure and makes certainly sense, but you can still have (V)LAN servers
with different subnets and not necessarily everything on a single
server/subnet.

> from the lmtp rfc
>
>The LMTP protocol SHOULD NOT be used over wide area networks.
>>> You don't really need to do secure lmtp because lmtp primarily runs on a 
>>> trusted network anyway. In fact, if you're running smtp and dovecot on the 
>>> same server, just use lmtp over a Unix domain socket.
>>>
 Hi,

 dovecot supports TLS over LMTP(S). Been searching the net but could not
 find a trace about smtpd support for lmtps and hence wondering whether
 such implemented?
>






Re: lmtps

2018-08-01 Thread ѽ҉ᶬḳ
yes

> I guess this is you: https://github.com/OpenSMTPD/OpenSMTPD/issues/868 ?

lmtps implementation in dovecot and postfix does not serve a practical
purpose? What if dovecot and the MTA are not on the same server?

> You don't really need to do secure lmtp because lmtp primarily runs on a 
> trusted network anyway. In fact, if you're running smtp and dovecot on the 
> same server, just use lmtp over a Unix domain socket.
>
>> Hi,
>>
>> dovecot supports TLS over LMTP(S). Been searching the net but could not
>> find a trace about smtpd support for lmtps and hence wondering whether
>> such implemented?
>






lmtps

2018-08-01 Thread ѽ҉ᶬḳ
Hi,

dovecot supports TLS over LMTP(S). Been searching the net but could not
find a trace about smtpd support for lmtps and hence wondering whether
such implemented?





Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy

2018-08-01 Thread ѽ҉ᶬḳ


>> The way is set and working now:
>>
>> listen on lo inet4 port 25 tls-require hostname mail mask-source tag lo
> `tls-require` on `lo` is a bit strange… `mask-source` too.

Of course it is, [ tls-require ] at least. That is now removed. [
mask-source ] for lo/127.0.0.1 is perhaps a little silly indeed, but it
does not cause any harm I suppose.

>> listen on lo inet4 port 587 smtps hostname mail mask-source tag lo
>> listen on eth0 inet4 port 25 tls-require auth hostname mail mask-source tag 
>> lan
> Do you intend to receive mail from other mail servers? Because using
> `auth` here will prevent that. `tls-require` likely too in my experience
> (unfortunately a lot of mail providers still don’t use TLS at all). Also
> I’m not sure `mask-source` is relevant here, but I might be wrong.

eth0 ports 25/587 are only for lan clients and those support
TLS/SMTPAUTH.

For receiving from WAN there are:

listen on eth0 inet4 port 40025 tls hostname foo.bar tag wan
listen on eth0 inet4 port 40587 smtps hostname foo.bar tag wan

On the WAN iface the netfilter rules are forwarding WAN ports 25/587 to
the smtpd server ports 40025/40587 with the smtpd server deployed in an
unprivileged LXC container.

>
>> listen on eth0 inet4 port 587 smtps auth hostname mail mask-source tag lan
>> listen on lo port 10028 mask-source tag DKIM
>>
>> accept tagged DKIM for any relay
>> accept for any relay via smtp://127.0.0.1:10027
>> accept from local for any relay
>> accept from source 172.25.120.2 for any relay
> Those last two lines are useless: everything that would match them will
> already have matched one of the first two.
>

Yes, the other list subscriber Reio kindly pointed that one out too, and
those two lines were purged in the meantime.





Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy

2018-08-01 Thread ѽ҉ᶬḳ


> The following 2 lines are redundant. The above will match first for
> authenticated submissions.
>
>> accept from local for any relay
>> accept from source 172.25.120.2 for any relay
>

Thanks for pointing that out, the logic apparently escaped me. Keeps the
code tidy and prevents redundancy.





Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy

2018-08-01 Thread ѽ҉ᶬḳ


>> Having sorted PAM SMTPAUTH the user/client 172.25.120.2 is now treated
>> as server's local user and filter rules using from local are matched.
>> Thence, amended
>>
>> [ accept from source 172.25.120.2 for any relay via
>> smtp://127.0.0.1:10027 ] to [ accept from source 172.25.120.2 for any
>> relay ] and DKIM is working now for that client as well.
>>
>> Appreciate the feedback/assistance provided here.
>
> The matching rule for you should now be:
>
> accept (from local) for any relay via smtp://127.0.0.1:10027
>
> This rule matching would again bypass DKIM and is redundant:
>
> accept from source 172.25.120.2 for any relay
>

The way is set and working now:

listen on lo inet4 port 25 tls-require hostname mail mask-source tag lo
listen on lo inet4 port 587 smtps hostname mail mask-source tag lo
listen on eth0 inet4 port 25 tls-require auth hostname mail mask-source
tag lan
listen on eth0 inet4 port 587 smtps auth hostname mail mask-source tag lan
listen on lo port 10028 mask-source tag DKIM

accept tagged DKIM for any relay
accept for any relay via smtp://127.0.0.1:10027
accept from local for any relay
accept from source 172.25.120.2 for any relay





Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy

2018-08-01 Thread ѽ҉ᶬḳ


>>> listen on eth0 inet4 port 587 smtps hostname mail mask-source tag lan
>>>
>>>
>>> Either you trimmed this config line or you're missing "auth". Otherwise I 
>>> suspect you're running without authentication.
>>
>> Uhum well, is there no PAM authentication? I was under the impression
>> that it gets PAM authenticated. Such is being compounded when using the
>> Thunderbird mail client and having the TB SMTP server -> authentication
>> method set to encrypted password which works without a hitch - no error
>> in Thunderbird and the message gets sent.
>>
>> Commonly TB displays an error if the chosen authentication method is not
>> available/supported on the smtp server but apparently not here.
>> However, now that you mentioned it I set the TB authentication method to
>> OAuth2 and again no error in TB and the message went.
>>
>> The spread is rather thin when searching the net for [ opensmtpd pam ]
>> and basically boils down to
>> https://github.com/OpenSMTPD/OpenSMTPD/issues/712
>>
>> So, the package was compiled with:
>>
>> ./configure \
>>     --prefix=/usr \
>>     --sysconfdir=/etc/smtpd \
>>     --sbindir=/usr/bin \
>>     --libexecdir=/usr/lib/smtpd \
>>     --with-path-mbox=/var/spool/mail \
>>     --with-path-empty=/var/empty \
>>     --with-path-socket=/run \
>>     --with-path-CAfile=/etc/ssl/certs/ca-certificates.crt \
>>     --with-user-smtpd=smtpd \
>>     --with-user-queue=smtpq \
>>     --with-group-queue=smtpq \
>>     --with-auth-pam \
>>     --with-libssl='/usr/lib/openssl-1.0' \
>>     --with-cflags='-I/usr/include/openssl-1.0'
>>
>> but I do not understand the remainder instruction -> "and provide the
>> auth service name as parameter then configure the PAM side on your system"?
>>
>> "and provide the auth service name as parameter" - where and when is
>> that supposed to happen?
>> At compile ./config? Is it supposed to read like [ --with-auth-pam=smtpd
>> \ ] as opposed to just [ --with-auth-pam \ ]?
>> What if the [ auth service name ] was omitted -> does [
>> --with-user-smtpd=smtpd ] suffice?
>>
>> "then configure the PAM side on your system" -> supposed that would be
>> something like [ /etc/pam.d/spmtd ] reading ?:
>>
>> #%PAM-1.0
>>
>> auth    required    pam_unix.so nullok
>> account required    pam_unix.so
>>
>>
> I know very little about Pam, so I'm not sure. I'd start a new thread with 
> Pam in the subject line and maybe someone who knows can help out.

Having sorted PAM SMTPAUTH the user/client 172.25.120.2 is now treated
as server's local user and filter rules using from local are matched.
Thence, amended

[ accept from source 172.25.120.2 for any relay via
smtp://127.0.0.1:10027 ] to [ accept from source 172.25.120.2 for any
relay ] and DKIM is working now for that client as well.

Appreciate the feedback/assistance provided here.






Re: 6.0.3p1-2 - openssl api?

2018-08-01 Thread ѽ҉ᶬḳ


> Noticed the ./config provides the following options for openssl:
>
> --with-libssl='/usr/lib/openssl-1.0' \
> --with-cflags='-I/usr/include/openssl-1.0'
>
> What I could not figure from the man pages or wiki or the source package
> is whether that tells smtpd only the path to the openssl libraries on
> the system or whether it also provides an API for smtpd to call openssl?

I tried to build with OpenSSL 1.1.0, but that failed. Reading on
github it seems that OpenSSL 1.1.0 is not (yet) supported.

That aside, it seems that the OpenSSL API call [ SSL_CTX_set1_groups_list ]
is not implemented (with OpenSSL 1.0) and smtpd relies solely on its
own RSA crypto engine?





Re: 6.0.3p1-2 - PAM authentication

2018-08-01 Thread ѽ҉ᶬḳ


> been looking for guidance on PAM authentication. The spread is rather
> thin/sparse when searching the net for [ opensmtpd pam ] and basically
> boils down to
> https://github.com/OpenSMTPD/OpenSMTPD/issues/712.
>
> Another hint appears to be [ compile ] from the source package:
>
> [ --with-auth-pam=SERVICE    Enable PAM authentication support
> (default=smtpd) ]
>
> The Archlinux package was compiled with
>
> [ --with-auth-pam \ ] and thus wondering whether it translates thus to [
> --with-auth-pam=smtpd \ ] ?
>
> Apparently PAM needs to be configured on the system for smtpd. Would
> that suffice
>
> [ /etc/pam.d/spmtd ] reading ?:
>
> #%PAM-1.0
>
> auth    required    pam_unix.so nullok
> account required    pam_unix.so
>
>

Further reading into [ configure ] from the source package reveals at
line 17439 [ if a service name is not set smtpd will be used ]

Having then created [ /etc/pam.d/spmtd ] with the aforementioned content
and added [ auth ] to the [ listen on ] directive in the smtpd
configuration gets PAM auth to work as expected.







6.0.3p1-2 - openssl api?

2018-07-31 Thread ѽ҉ᶬḳ
Hi,

Noticed the ./config provides the following options for openssl:

--with-libssl='/usr/lib/openssl-1.0' \
--with-cflags='-I/usr/include/openssl-1.0'

What I could not figure from the man pages or wiki or the source package
is whether that tells smtpd only the path to the openssl libraries on
the system or whether it also provides an API for smtpd to call openssl?





6.0.3p1-2 - PAM authentication

2018-07-31 Thread ѽ҉ᶬḳ
Hi,

been looking for guidance on PAM authentication. The spread is rather
thin/sparse when searching the net for [ opensmtpd pam ] and basically
boils down to
https://github.com/OpenSMTPD/OpenSMTPD/issues/712.

Another hint appears to be [ compile ] from the source package:

[ --with-auth-pam=SERVICE    Enable PAM authentication support
(default=smtpd) ]

The Archlinux package was compiled with

[ --with-auth-pam \ ] and thus wondering whether it translates thus to [
--with-auth-pam=smtpd \ ] ?

Apparently PAM needs to be configured on the system for smtpd. Would
that suffice

[ /etc/pam.d/spmtd ] reading ?:

#%PAM-1.0

auth    required    pam_unix.so nullok
account required    pam_unix.so





Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy

2018-07-31 Thread ѽ҉ᶬḳ
> listen on eth0 inet4 port 587 smtps hostname mail mask-source tag lan
>
>
> Either you trimmed this config line or you're missing "auth". Otherwise I 
> suspect you're running without authentication.


Uhum well, is there no PAM authentication? I was under the impression
that it gets PAM authenticated. Such is being compounded when using the
Thunderbird mail client and having the TB SMTP server -> authentication
method set to encrypted password which works without a hitch - no error
in Thunderbird and the message gets sent.

Commonly TB displays an error if the chosen authentication method is not
available/supported on the smtp server but apparently not here.
However, now that you mentioned it I set the TB authentication method to
OAuth2 and again no error in TB and the message went.

The spread is rather thin when searching the net for [ opensmtpd pam ]
and basically boils down to
https://github.com/OpenSMTPD/OpenSMTPD/issues/712

So, the package was compiled with:

./configure \
    --prefix=/usr \
    --sysconfdir=/etc/smtpd \
    --sbindir=/usr/bin \
    --libexecdir=/usr/lib/smtpd \
    --with-path-mbox=/var/spool/mail \
    --with-path-empty=/var/empty \
    --with-path-socket=/run \
    --with-path-CAfile=/etc/ssl/certs/ca-certificates.crt \
    --with-user-smtpd=smtpd \
    --with-user-queue=smtpq \
    --with-group-queue=smtpq \
    --with-auth-pam \
    --with-libssl='/usr/lib/openssl-1.0' \
    --with-cflags='-I/usr/include/openssl-1.0'

but I do not understand the remainder instruction -> "and provide the
auth service name as parameter then configure the PAM side on your system"?

"and provide the auth service name as parameter" - where and when is
that supposed to happen?
At compile ./config? Is it supposed to read like [ --with-auth-pam=smtpd
\ ] as opposed to just [ --with-auth-pam \ ]?
What if the [ auth service name ] was omitted -> does [
--with-user-smtpd=smtpd ] suffice?

"then configure the PAM side on your system" -> supposed that would be
something like [ /etc/pam.d/spmtd ] reading ?:

#%PAM-1.0

auth    required    pam_unix.so nullok
account required    pam_unix.so








Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy

2018-07-31 Thread ѽ҉ᶬḳ

>>>  From cli it is a different ip. Just add a relay via dkim to the
>>> line in question then and see if that works.
>>>
>> So it is, but why does that make a difference considering the directives -
>> particularly the [ any ] part should cover any (as in 172.25.120.2 for
>> instance), or should it not?
>>
>> accept tagged DKIM for any relay
>> accept for any relay via smtp://127.0.0.1:10027
>
> The default "from" for accept is "from local", which means only
> local/authenticated messages were relayed to DKIM.
>
> I suspect 172.25.120.2 was sending without authentication?
>
>   from [!] local
>     The rule matches only locally originating connections.
>     This is the default, and may be omitted.

172.25.120.2 gets authenticated by encrypted password over (START)TLS. I
would not permit any client for sending messages without authentication
first.

I do comprehend what you are saying just:

[ accept for any relay via smtp://127.0.0.1:10027 ]

-> [ for any ] and omitting [ from ] in my logic would expand that
source does not matter and the directive applies to any (unconditional)
relay. Is my logic thus twisted?
-> in the sequential order of directives/rules it comes prior the
following and thus my understanding is that it should be processed prior
those trailing. Again a miscomprehension on my part?

[ accept from local for any relay ]
[ accept from source 172.25.120.2 for any relay ]




Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy

2018-07-30 Thread ѽ҉ᶬḳ


> From cli it is a different ip. Just add a relay via dkim to the line in 
> question then and see if that works.
>

So it is, but why does that make a difference considering the directives -
particularly the [ any ] part should cover any (as in 172.25.120.2 for
instance), or should it not?

accept tagged DKIM for any relay
accept for any relay via smtp://127.0.0.1:10027
accept from local for any relay

Anyway, changed the other directive to

[ accept from source 172.25.120.2 for any relay via smtp://127.0.0.1:10027 ]

and boom wadda ya know it works now! But the logic behind eludes me
simpleton really.

I am glad and grateful for the solution. If you can spare the time would
you terribly mind to educate me on the logic of this?

The working config (part) reads now:

accept for local alias  deliver to lmtp "/var/run/dovecot/lmtp"
accept from local for local deliver to lmtp "/var/run/dovecot/lmtp"
accept from any for domain "foo.bar" alias  deliver to maildir
"/var/run/dovecot/lmtp"
accept tagged DKIM for any relay
accept for any relay via smtp://127.0.0.1:10027
accept from local for any relay
accept from source 172.25.120.2 for any relay via smtp://127.0.0.1:10027
accept for any relay hostname server.foo.bar tls verify


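A small model of the first-match `accept` evaluation discussed in this thread (the reply above explaining that an omitted `from` means `from local`, and the later remark that the trailing `from local` / `from source` rules are redundant). This is an added example, not code from the thread or from OpenSMTPD: it encodes only the semantics stated in the thread (loopback or an authenticated session counts as local), uses the four relay rules as posted, and constructs the sessions it probes; `198.51.100.7` is a constructed outsider address.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Optional

DKIM_PROXY = "smtp://127.0.0.1:10027"   # dkimproxy.out, as in the thread's config


@dataclass(frozen=True)
class Session:
    source: str                  # client IP as seen by smtpd
    authenticated: bool          # SMTPAUTH succeeded on this session
    tag: Optional[str] = None    # tag of the listener that accepted the session

    @property
    def is_local(self) -> bool:
        # Semantics as stated in the thread: loopback or authenticated == "local".
        return self.source == "127.0.0.1" or self.authenticated


@dataclass(frozen=True)
class Rule:
    text: str                    # the smtpd.conf line, kept for reporting
    src: str = "local"           # "from" clause; "local" is the default when omitted
    tag: Optional[str] = None    # "tagged X" constraint, if any
    via: Optional[str] = None    # "relay via ..." target; None means relay directly

    def matches(self, s: Session) -> bool:
        if self.tag is not None and s.tag != self.tag:
            return False
        if self.src == "any":
            return True
        if self.src == "local":
            return s.is_local
        return s.source == self.src   # "from source <ip>"


def first_match(rules: List[Rule], s: Session) -> Optional[Rule]:
    """smtpd evaluates accept rules top to bottom; the first match wins."""
    for rule in rules:
        if rule.matches(s):
            return rule
    return None


def verdict(rules: List[Rule], s: Session) -> str:
    """Outcome of a relay attempt on this session: 'rejected' (no rule
    matched), 'dkim' (relayed through the proxy) or 'direct' (proxy skipped)."""
    hit = first_match(rules, s)
    if hit is None:
        return "rejected"
    return "dkim" if hit.via == DKIM_PROXY else "direct"


def unreachable(rules: List[Rule]) -> List[str]:
    """Rules that never win for any probe session. Probes are built from the
    values the rules mention plus loopback and one unrelated address, which
    is exhaustive for the predicates this model knows about."""
    sources = {r.src for r in rules if r.src not in ("local", "any")}
    sources |= {"127.0.0.1", "198.51.100.7"}        # constructed outsider address
    tags = {r.tag for r in rules} | {None}
    winners = set()
    for src, auth, tag in product(sorted(sources), (True, False), sorted(tags, key=str)):
        hit = first_match(rules, Session(src, auth, tag))
        if hit is not None:
            winners.add(hit.text)
    return [r.text for r in rules if r.text not in winners]


# The relay rules as posted in the thread, in their original order.
POSTED = [
    Rule("accept tagged DKIM for any relay", tag="DKIM"),
    Rule("accept for any relay via smtp://127.0.0.1:10027", via=DKIM_PROXY),
    Rule("accept from local for any relay"),
    Rule("accept from source 172.25.120.2 for any relay", src="172.25.120.2"),
]
# The rule set after the two trailing lines were purged, as the thread ended up.
PURGED = POSTED[:2]

LAN_CLIENT = "172.25.120.2"


def demo() -> None:
    unauth = Session(LAN_CLIENT, authenticated=False, tag="lan")  # listener without "auth"
    auth = Session(LAN_CLIENT, authenticated=True, tag="lan")     # after "auth" was added
    print("shadowed in posted set:", unreachable(POSTED))
    print("unauthenticated LAN client, posted set:", verdict(POSTED, unauth))
    print("authenticated LAN client, posted set:  ", verdict(POSTED, auth))
    print("unauthenticated LAN client, purged set:", verdict(PURGED, unauth))


if __name__ == "__main__":
    demo()
```

Run as a script it reproduces the thread's symptom: an unauthenticated session from the LAN client is not "local", skips the proxy rule and lands on the `from source` line, relaying without DKIM, whereas with the two trailing rules gone the same session is rejected and only authenticated sessions reach the proxy.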



Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy

2018-07-30 Thread ѽ҉ᶬḳ


>> Archlinux kernel 4.17.11 and its repo package opensmtpd 6.0.3p1-2
>>
>> messages sent from imap (dovecot) are not passed through dkimproxy
>> whilst when sending from cli with swaks the dkim signature is added. It
>> is apparent from the dkimproxy log that there is no attempt made to pass
>> the message sent from imap.
>>
>> What I am missing?
> Log output.

Log (truncated to dkim essentials) for sending from cli with swaks:


smtp: 0x561540925e20: STATE_HELO -> STATE_BODY
smtp: 0x561540925e20: >>> 354 Enter mail, end with "." on a line by itself
<<< [MSG] Date: Tue, 31 Jul 2018 01:21:39 +
<<< [MSG] Subject: test Tue, 31 Jul 2018 01:21:39 +
<<< [MSG] Message-Id: <20180731012139.012217@mail>
<<< [MSG] X-Mailer: swaks v20170101.0 jetmore.org/john/code/swaks/
<<< [MSG]
<<< [MSG] This is a test mailing
<<< [MSG]
<<< [EOM]
debug: 0x561540925e20: end of message, error=0
debug: scheduler: evp:51be0555487bf73e scheduled (mta)
debug: mta: querying MX for [relay:127.0.0.1,port=10027,mx]...
debug: mta: [relay:127.0.0.1,port=10027,mx] waiting for MX
debug: MXs for domain 127.0.0.1:
    127.0.0.1 preference -1
[connector:[]->[relay:127.0.0.1,port=10027,mx],0x0]...
de35c7da3274723c mta event=connecting address=smtp://127.0.0.1:10027
host=localhost
de35c7da3274723c mta event=connected
debug: smtp: new client on listener: 0x56154091f410
smtp: 0x561540935e30: connected to listener 0x56154091f410
[hostname=mail, port=10028, tag=DKIM]
smtp: 0x561540935e30: STATE_NEW -> STATE_CONNECTED
de35c7db27f5cb2c smtp event=connected address=127.0.0.1 host=localhost
smtp: 0x561540935e30: >>> 250 HELP
debug: mta-routing: route [] <-> 127.0.0.1 (localhost) is now valid.
debug: mta: connecting with
[connector:[]->[relay:127.0.0.1,port=10027,mx],0x2]
debug: mta: 0x56154094cfc0: handling next task for relay
[relay:127.0.0.1,port=10027,mx]
<<< [MSG] DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=foo.bar; h=date
<<< [MSG]   :to:from:subject:message-id; s=20171231;
bh=ecGWgWCJeWxJFeM0urOV
<<< [MSG]   WP+KOlqqvsQYKOpYUP8nk7I=;
b=Nz8C2lJd1NPg8pRwLTLbb2iB1HZMaJe6BCFW
<<< [MSG] X-Mailer: swaks v20170101.0 jetmore.org/john/code/swaks/
<<< [MSG]
<<< [MSG] This is a test mailing
<<< [MSG]
<<< [EOM]
debug: 0x561540935e30: end of message, error=0
smtp: 0x561540935e30: >>> 250 2.0.0: 724d461b Message accepted for delivery


And now when sending from mail client - DKIM is jumped and not showing
in the logs

smtp: 0x56151e05be20: STATE_HELO -> STATE_BODY
smtp: 0x56151e05be20: >>> 354 Enter mail, end with "." on a line by itself
<<< [MSG] Subject: test
<<< [MSG] Message-ID: 
<<< [MSG] Date: Tue, 31 Jul 2018 03:33:06 +0200
<<< [MSG] User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)
Gecko/20100101
<<< [MSG]  Thunderbird/60.0
<<< [MSG] MIME-Version: 1.0
<<< [MSG] Content-Type: text/plain; charset=utf-8
<<< [MSG] Content-Transfer-Encoding: 7bit
<<< [MSG] Content-Language: en-GB
<<< [EOM]
debug: 0x56151e05be20: end of message, error=0
debug: scheduler: evp:19bf6dd45e65c3d2 scheduled (mta)
smtp: 0x56151e05be20: >>> 250 2.0.0: 19bf6dd4 Message accepted for delivery
5e7644f56363e9ee smtp event=message address=172.25.120.2
host=172.25.120.2 msgid=19bf6dd4 from=
to= size=551 ndest=1 proto=ESMTP
smtp: 0x56151e05be20: STATE_BODY -> STATE_HELO
debug: mta: received evp:19bf6dd45e65c3d2 for 
debug: mta: draining [relay:bar.com] refcount=1, ntask=1, nconnector=0,
nconn=0
debug: mta: querying MX for [relay:bar.com]...

>> config:
> If this is the complete config you are missing an interface for incoming mail.
>
> listen on egress port submission auth  tag RELAY
>
> I like to tag it just to make sure unauthenticated stuff doesn't accidentally 
> get through.

Just posted the full config in a previous response to the thread, don't
want to create a redundancy by repeating it.







Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy

2018-07-30 Thread ѽ҉ᶬḳ


>> Archlinux kernel 4.17.11 and its repo package opensmtpd 6.0.3p1-2
>>
>> messages sent from imap (dovecot) are not passed through dkimproxy
>> whilst when sending from cli with swaks the dkim signature is added. It
>> is apparent from the dkimproxy log that there is no attempt made to pass
>> the message sent from imap.
>>
>> What I am missing? Appreciate some help to get this sorted. The smtpd
>> config:
>>
>> listen on lo port 10028 mask-source tag DKIM
>> accept for local alias  deliver to lmtp "/var/run/dovecot/lmtp"
>> accept from local for local deliver to lmtp "/var/run/dovecot/lmtp"
>> accept tagged DKIM for any relay
>> accept for any relay via smtp://127.0.0.1:10027
> Are you sure you are sending message via imap? Never heard about such a
> setup before…
>
> Also, your config isn’t listening for messages at all currently from
> that excerpt.

Ok, I did not express the matter correctly apparently, since imap and
smtp are 2 different things that I mixed up, my bad.

I meant sending from a mail client (thunderbird) the message is not
passing through the dkimproxy whilst sending from the cli on the server
with swaks it does.

Truncated some lines from the smtpd config - here is the full lot then:

ca mail certificate '/etc/pki/certs/ca-chain.cert.pem'
pki mail key '/etc/pki/private/RSA_smtp_lan_server_foo.bar.key.pem'
pki mail certificate '/etc/pki/certs/RSA_smtp_lan_server_foo.bar.cert.pem'
ca server.foo.bar certificate '/etc/pki/certs/ca-chain.cert.pem'
pki server.foo.bar key
'/etc/pki/private/RSA_smtp_wan_server_foo.bar.key.pem'
pki server.foo.bar certificate
'/etc/pki/certs/RSA_smtp_wan_server_foo.bar.cert.pem'

listen on lo inet4 port 25 tls hostname mail mask-source tag lo
listen on lo inet4 port 587 smtps hostname mail mask-source tag lo
listen on eth0 inet4 port 25 tls-require hostname mail mask-source tag lan
listen on eth0 inet4 port 587 smtps hostname mail mask-source tag lan
listen on lo port 10028 mask-source tag DKIM
# listen on eth0 inet4 port 40025 tls-require hostname server.foo.bar
tag wan
# listen on eth0 inet4 port 40587 smtps hostname server.foo.bar tag wan

table aliases file:/etc/smtpd/aliases

accept for local alias  deliver to lmtp "/var/run/dovecot/lmtp"
accept from local for local deliver to lmtp "/var/run/dovecot/lmtp"
accept tagged DKIM for any relay
accept for any relay via smtp://127.0.0.1:10027
accept for any relay hostname server.foo.bar tls verify
accept from local for any relay
accept from source 172.25.120.2 for any relay
accept from any for domain "foo.bar" alias  deliver to maildir
lmtp "/var/run/dovecot/lmtp"

limit mta inet4
max-message-size 5M
expire 10m
bounce-warn 1m, 10m, 1h, 2h
queue encryption key [obfuscated]
queue compression
ciphers
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384


Hope that makes it more clear..






Re: 6.0.3 - unable to load CA file : Permission denied

2018-07-30 Thread ѽ҉ᶬḳ
No issue with the search path or chmod. Like mentioned, the CA chain
certificate has the same mask as the PKI certificates, which are also in
the same directory. Tearing down does not solve it and the issue remains
even with the simplest set.

I suspect it rather being an EC key issue: the CA root chain and its
certificate signing request were generated from a private EC key, whilst
the PKI certificate signing requests are private RSA key based.
Since OpenSMTPD is a portable app, I would reckon that it relies
solely on its own (RSA) crypto engine, which has no support for EC keys,
rather than having the OpenSSL API [ SSL_CTX_set1_groups_list ] call
implemented for supporting EC keys?

The thing is that the entire CA is standardized on EC [ brainpoolP512r1
] keys and I cannot escape from that standard, at least not for CA root
chain.

> The cert should be chmod 600 owned by root. I've had issues where the search 
> path was the cause so make sure /etc/pki/certs can be read by root also. You 
> have a lot going on. I would suggest tearing it down to the bare essentials 
> and add pieces one at a time so you are only debugging one issue at a time. 
> It could also be the cert is just made wrong. What were your steps to make it?
> On Jul 30, 2018 12:11 PM, ѽ҉ᶬḳ℠  wrote:
>>
>>>> Getting this error and not sure what to make of that error code 0B084002:
>>>>
>>>> warn: unable to load CA file /etc/pki/certs/ca-chain.cert.pem:
>>>> Permission denied
>>>> debug: lka: X509 verify: error:0B084002:x509 certificate
>>>> routines:X509_load_cert_crl_file:system lib
>>>> smtp-out: Server certificate verification failed on session 
>>>> 21fb77fa13301003
>>>>
>>>> The file has the same permission as the PKI certificates (and PEM
>>>> format) but for which no such error is exhibited.
>>>>
>>>> # file: etc/pki/certs/ca-chain.cert.pem
>>>> # owner: root
>>>> # group: root
>>>> user::r--
>>>> group::---
>>>> other::r--
>>>>
>>>>
>>>> This is on Archlinux kernel 4.17.9 and its repo package opensmtpd 6.0.3p1-2
>>>>
>>> The config you posted previously didn't show any of the tls information 
>>> needed to assist you.
>> That is config:
>>
>> ca mail certificate '/etc/pki/certs/ca-chain.cert.pem'
>> pki mail key '/etc/pki/private/RSA_smtp_lan_server_vtol.km.key.pem'
>> pki mail certificate '/etc/pki/certs/RSA_smtp_lan_server_vtol.km.cert.pem'
>> ca server.foo.bar certificate '/etc/pki/certs/ca-chain.cert.pem'
>> pki server.foo.bar key
>> '/etc/pki/private/RSA_smtp_wan_server_vtol.km.key.pem'
>> pki server.foo.bar certificate
>> '/etc/pki/certs/RSA_smtp_wan_server_vtol.km.cert.pem'
>>
>> listen on lo inet4 port 25 tls hostname mail mask-source tag lo
>> listen on lo inet4 port 587 smtps hostname mail mask-source tag lo
>> listen on eth0 inet4 port 25 tls-require hostname mail mask-source tag lan
>> listen on eth0 inet4 port 587 smtps hostname mail mask-source tag lan
>> listen on lo port 10028 mask-source tag DKIM
>> # listen on eth0 inet4 port 40025 tls-require hostname server.foo.bar
>> tag wan
>> # listen on eth0 inet4 port 40587 smtps hostname server.foo.bar tag wan
>>
>> accept for local alias  deliver to lmtp "/var/run/dovecot/lmtp"
>> accept from local for local deliver to lmtp "/var/run/dovecot/lmtp"
>> accept tagged DKIM for any relay
>> accept for any relay via smtp://127.0.0.1:10027
>> accept for any relay hostname server.foo.bar tls verify
>> accept from local for any relay
>> accept from source 172.25.120.2 for any relay
>> accept from any for domain "foo.bar" alias  deliver to maildir
>> "~/Maildir"
>>
>> limit mta inet4
>> max-message-size 5M
>> expire 10m
>> bounce-warn 1m, 10m, 1h, 2h
>> queue encryption key [ obfuscated ]
>> queue compression
>> ciphers
>> ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
>>
>> --
>> You received this mail because you are subscribed to misc@opensmtpd.org
>> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

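A check that a practitioner would want for the "Permission denied" above, as an added example that is not part of the thread: the getfacl output shows the file itself readable, but a plain `open()` also needs the search (x) bit on every parent directory for the identity that opens the file, and the log line above places the CA load in the lookup process (lka), which OpenSMTPD runs as the unprivileged _smtpd user rather than as root. The script below walks each path component for a given uid and reports the first one that blocks access. The directory layout, file contents and the stand-in daemon uid (65534) are constructed for the demo; only the classic owner/group/other bits are modelled, not extended POSIX ACLs.

```python
import os
import tempfile
from pathlib import Path

R, W, X = 4, 2, 1   # the rwx bits of one permission triad


def effective_bits(st, uid, gids):
    """Return the rwx triad that applies to a process running as (uid, gids)
    for the entry described by the os.stat_result `st`.
    Only owner/group/other bits are modelled; extended POSIX ACL entries
    (the 'user:name:...' lines getfacl can print) are not consulted."""
    if uid == 0:
        return R | W | X            # root bypasses DAC read, write and search checks
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def explain_access(path, uid, gids, below=None):
    """Walk every component of `path` from the root down and report the first
    one the given identity cannot pass: directories need the search bit (x),
    the final file needs read (r). Returns (ok, component, reason).
    With `below` set, only components underneath that directory are checked
    (used here so the demo does not depend on the temp dir's own permissions)."""
    target = Path(path).resolve()
    base = Path(below).resolve() if below is not None else None
    for comp in list(reversed(target.parents)) + [target]:
        if base is not None and base not in comp.parents:
            continue
        bits = effective_bits(os.stat(comp), uid, gids)
        if comp != target and not bits & X:
            return False, str(comp), f"directory not searchable (no x bit) for uid {uid}"
        if comp == target and not bits & R:
            return False, str(comp), f"file not readable for uid {uid}"
    return True, str(target), "ok"


def build_demo():
    """Build a constructed tree mirroring the layout from the thread, then check
    it as the owner and as an unrelated uid standing in for the daemon user."""
    base = Path(tempfile.mkdtemp())
    pki = base / "etc" / "pki"
    certs = pki / "certs"
    certs.mkdir(parents=True)
    ca = certs / "ca-chain.cert.pem"
    ca.write_text("-----BEGIN CERTIFICATE-----\nplaceholder, not a real cert\n"
                  "-----END CERTIFICATE-----\n")
    os.chmod(ca, 0o404)      # user::r-- group::--- other::r--, as in the getfacl output
    os.chmod(certs, 0o755)   # certs/ itself can be searched by everyone
    os.chmod(pki, 0o700)     # but pki/ has no search bit for anyone except its owner
    me = os.getuid()
    my_groups = set(os.getgroups()) | {os.getgid()}
    daemon_uid = 65534 if me != 65534 else 65533   # constructed stand-in for _smtpd
    return {
        "owner": explain_access(ca, me, my_groups, below=base),
        "daemon": explain_access(ca, daemon_uid, {daemon_uid}, below=base),
        "pki_dir": str(pki.resolve()),
    }


if __name__ == "__main__":
    for who, result in build_demo().items():
        print(who, result)
```

Run against a real installation, call `explain_access("/etc/pki/certs/ca-chain.cert.pem", uid, gids)` with the uid and groups of the daemon user (as reported by `id _smtpd`) rather than root: a check performed as root succeeds regardless of the mode bits and therefore proves nothing about what the unprivileged process sees.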



Re: 6.0.3 - unable to load CA file : Permission denied

2018-07-30 Thread ѽ҉ᶬḳ


>> Getting this error and not sure what to make of that error code 0B084002:
>>
>> warn: unable to load CA file /etc/pki/certs/ca-chain.cert.pem:
>> Permission denied
>> debug: lka: X509 verify: error:0B084002:x509 certificate
>> routines:X509_load_cert_crl_file:system lib
>> smtp-out: Server certificate verification failed on session 21fb77fa13301003
>>
>> The file has the same permission as the PKI certificates (and PEM
>> format) but for which no such error is exhibited.
>>
>> # file: etc/pki/certs/ca-chain.cert.pem
>> # owner: root
>> # group: root
>> user::r--
>> group::---
>> other::r--
>>
>>
>> This is on Archlinux kernel 4.17.9 and its repo package opensmtpd 6.0.3p1-2
>>
> The config you posted previously didn't show any of the tls information 
> needed to assist you.

That is the config:

ca mail certificate '/etc/pki/certs/ca-chain.cert.pem'
pki mail key '/etc/pki/private/RSA_smtp_lan_server_vtol.km.key.pem'
pki mail certificate '/etc/pki/certs/RSA_smtp_lan_server_vtol.km.cert.pem'
ca server.foo.bar certificate '/etc/pki/certs/ca-chain.cert.pem'
pki server.foo.bar key
'/etc/pki/private/RSA_smtp_wan_server_vtol.km.key.pem'
pki server.foo.bar certificate
'/etc/pki/certs/RSA_smtp_wan_server_vtol.km.cert.pem'

listen on lo inet4 port 25 tls hostname mail mask-source tag lo
listen on lo inet4 port 587 smtps hostname mail mask-source tag lo
listen on eth0 inet4 port 25 tls-require hostname mail mask-source tag lan
listen on eth0 inet4 port 587 smtps hostname mail mask-source tag lan
listen on lo port 10028 mask-source tag DKIM
# listen on eth0 inet4 port 40025 tls-require hostname server.foo.bar
tag wan
# listen on eth0 inet4 port 40587 smtps hostname server.foo.bar tag wan

accept for local alias  deliver to lmtp "/var/run/dovecot/lmtp"
accept from local for local deliver to lmtp "/var/run/dovecot/lmtp"
accept tagged DKIM for any relay
accept for any relay via smtp://127.0.0.1:10027
accept for any relay hostname server.foo.bar tls verify
accept from local for any relay
accept from source 172.25.120.2 for any relay
accept from any for domain "foo.bar" alias  deliver to maildir
"~/Maildir"

limit mta inet4
max-message-size 5M
expire 10m
bounce-warn 1m, 10m, 1h, 2h
queue encryption key [ obfuscated ]
queue compression
ciphers
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384





Re: 6.0.3p1-2 - messages sent from mail client are not passed through dkimproxy

2018-07-30 Thread ѽ҉ᶬḳ


>> Hi,
>>
>> Archlinux kernel 4.17.11 and its repo package opensmtpd 6.0.3p1-2
>>
>> messages sent from imap (dovecot) are not passed through dkimproxy
>> whilst when sending from cli with swaks the dkim signature is added. It
>> is apparent from the dkimproxy log that there is no attempt made to pass
>> the message sent from imap.
>>
>> What am I missing? Appreciate some help to get this sorted. The smtpd
>> config:
>>
>> listen on lo port 10028 mask-source tag DKIM
>> accept for local alias  deliver to lmtp "/var/run/dovecot/lmtp"
>> accept from local for local deliver to lmtp "/var/run/dovecot/lmtp"
>> accept tagged DKIM for any relay
>> accept for any relay via smtp://127.0.0.1:10027
> Are you sure you are sending message via imap? Never heard about such a
> setup before…
>
> Also, your config isn’t listening for messages at all currently from
> that excerpt.

Ok, I did not express the matter correctly apparently since imap and
smtp are 2 different things, my bad.

I meant sending from a mail client (thunderbird) the message is not
passing through the dkimproxy whilst sending from the cli on the server
with swaks it does.

Truncated some lines from the smtpd config:

listen on lo inet4 port 25 tls hostname mail mask-source tag lo
listen on lo inet4 port 587 smtps hostname mail mask-source tag lo
listen on eth0 inet4 port 25 tls-require hostname mail mask-source tag lan
listen on eth0 inet4 port 587 smtps hostname mail mask-source tag lan
listen on lo port 10028 mask-source tag DKIM

Hope that makes it clearer.

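An added example, not part of the thread, that shows why the two submission paths can behave differently: OpenSMTPD 6.0 evaluates accept rules sequentially and the first match wins, and a rule without a `from` clause applies to local senders only. The script models that first-match evaluation over the accept rules from the full config posted earlier in this thread (the alias table name, which the post does not show, is left out of the rule text, and `<hostname>`, `tls verify` and `via` are treated as action details that do not affect matching). It then traces a swaks submission from the host, the message dkimproxy hands back on the DKIM-tagged listener, and a client submission arriving on eth0. The client address 172.25.120.2 and the set of local domain names are assumptions for the demo, and the matching model is a simplification of the documented semantics, not OpenSMTPD's own code.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption for the demo: domains smtpd treats as local ("for local").
LOCALNAMES = {"mail", "localhost", "foo.bar"}


@dataclass
class Rule:
    text: str                   # the rule as written in smtpd.conf (alias table name omitted)
    action: str                 # what the rule does, for reporting only
    src: str = "local"          # 'local' (the default when no 'from' is given), 'any', or an IP
    tag: Optional[str] = None   # 'tagged X': only mail received on a listener tagged X
    dest: str = "local"         # 'local' (for local), 'any', or one domain name


@dataclass
class Envelope:
    from_local: bool            # submitted over the local socket or loopback
    src_ip: str
    tag: str                    # tag of the listener that accepted the message
    rcpt_domain: str


def matches(rule, env):
    """Simplified match: listener tag, then sender origin, then recipient domain."""
    if rule.tag is not None and env.tag != rule.tag:
        return False
    if rule.src == "local":
        if not env.from_local:
            return False
    elif rule.src != "any" and rule.src != env.src_ip:
        return False
    if rule.dest == "local":
        return env.rcpt_domain in LOCALNAMES
    if rule.dest == "any":
        return True
    return env.rcpt_domain == rule.dest


def first_match(rules, env):
    """Sequential, first-match evaluation: the rule that handles env, or None (rejected)."""
    for rule in rules:
        if matches(rule, env):
            return rule
    return None


# The accept rules from the posted config, in their original order.
RULES = [
    Rule("accept for local alias ... deliver to lmtp", "lmtp"),
    Rule("accept from local for local deliver to lmtp", "lmtp"),
    Rule("accept tagged DKIM for any relay", "relay direct", tag="DKIM", dest="any"),
    Rule("accept for any relay via smtp://127.0.0.1:10027", "relay via dkimproxy", dest="any"),
    Rule("accept for any relay hostname server.foo.bar tls verify", "relay direct", dest="any"),
    Rule("accept from local for any relay", "relay direct", dest="any"),
    Rule("accept from source 172.25.120.2 for any relay", "relay direct",
         src="172.25.120.2", dest="any"),
    Rule('accept from any for domain "foo.bar" alias ... deliver to maildir', "maildir",
         src="any", dest="foo.bar"),
]


def trace(env):
    """Return (rule text, action) for the first matching rule, or (None, 'rejected')."""
    rule = first_match(RULES, env)
    return (rule.text, rule.action) if rule else (None, "rejected")


# Constructed scenarios; the LAN client address is an assumption.
SWAKS_FROM_HOST = Envelope(True, "127.0.0.1", "lo", "example.net")
DKIMPROXY_RETURN = Envelope(True, "127.0.0.1", "DKIM", "example.net")
CLIENT_ON_LAN = Envelope(False, "172.25.120.2", "lan", "example.net")
OTHER_LAN_HOST = Envelope(False, "172.25.120.9", "lan", "example.net")

if __name__ == "__main__":
    for name, env in [("swaks", SWAKS_FROM_HOST), ("dkimproxy", DKIMPROXY_RETURN),
                      ("client", CLIENT_ON_LAN), ("other", OTHER_LAN_HOST)]:
        print(f"{name:10s} -> {trace(env)}")
```

Under this model the host-local swaks submission reaches the `via smtp://127.0.0.1:10027` rule and is signed, while a submission from 172.25.120.2 skips every local-only rule and lands on `accept from source 172.25.120.2 for any relay`, which relays directly and never touches dkimproxy; a client from any other LAN address matches nothing. If that is the layout in use, the fix is to give the client submissions a rule that relays via the proxy before the direct-relay rule, and to confirm the result by re-running the trace.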



6.0.3 - unable to load CA file : Permission denied

2018-07-30 Thread ѽ҉ᶬḳ
Hi,

Getting this error and not sure what to make of that error code 0B084002:

warn: unable to load CA file /etc/pki/certs/ca-chain.cert.pem:
Permission denied
debug: lka: X509 verify: error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib
smtp-out: Server certificate verification failed on session 21fb77fa13301003

The file has the same permission as the PKI certificates (and PEM
format) but for which no such error is exhibited.

# file: etc/pki/certs/ca-chain.cert.pem
# owner: root
# group: root
user::r--
group::---
other::r--


This is on Archlinux kernel 4.17.9 and its repo package opensmtpd 6.0.3p1-2




6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy

2018-07-30 Thread ѽ҉ᶬḳ
Hi,

Archlinux kernel 4.17.11 and its repo package opensmtpd 6.0.3p1-2

messages sent from imap (dovecot) are not passed through dkimproxy
whilst when sending from cli with swaks the dkim signature is added. It
is apparent from the dkimproxy log that there is no attempt made to pass
the message sent from imap.

What am I missing? Appreciate some help to get this sorted. The smtpd
config:

listen on lo port 10028 mask-source tag DKIM
accept for local alias  deliver to lmtp "/var/run/dovecot/lmtp"
accept from local for local deliver to lmtp "/var/run/dovecot/lmtp"
accept tagged DKIM for any relay
accept for any relay via smtp://127.0.0.1:10027