Re: request (privately) for maillog

2020-02-24 Thread Andreas Broecking
Same here. I was on my way to grep through my maillog in order to find out more.
Seems like it’s a general issue then?

Kind regards
Andreas

> On 24. Feb 2020, at 18:58, epektasis  wrote:
> 
> I received the same message, for the same message number.
> I get these every once in a while.  FWIW.
> T.
> 
>> On Mon, Feb 24, 2020 at 06:41:19PM +0100, Peter J. Philipp wrote:
>> Hi,
>> 
>> I got another "bouncing messages from misc@opensmtpd.org" message.  The
>> particular message was 4669 that bounced.  Yet I have no record of this in
>> my maillog, so I suspect a DNS fault.  
>> 
>> Feb 24 12:07:04 was the time when the 4668 message came to me so I suspect
>> that 4669 came after.  
>> 
>> I do have a query log for DNS and isolating the fault requires perhaps having
>> some logs from opensmtpd.org for the mail to me (if possible).  These logs
>> should state if it was a DNS fault in their own wording.
>> 
>> Every answered DNS packet should be accounted for.  I have a fairly good idea
>> of one of the vultr nameservers that opensmtpd.org uses but there are other
>> addresses like IPv6 addresses that I'm not sure of.  Being given a list of
>> the nameservers would help me in the debug as well.
>> 
>> Would opensmtpd.org be able to provide me the logs so I can attempt tracking
>> the problem?
>> 
>> Best Regards,
>> -peter
>> 
>> 




Re: Interim mitigation for CVE-2020-7247

2020-01-29 Thread Andreas Broecking
Or rather 

filter exploit_check phase mail-from match mail-from regex { '.*\;.*\;.*' } \
disconnect "550 no exploiting, kthx"

to be more specific on the semicolons as delimiter of the command?

(sorry, as I said. regex is my nemesis :))

Best regards
Andreas



> On 29. Jan 2020, at 12:19, Andreas Broecking  wrote:
> 
> Hi all,
> 
> first of all, thanks Gilles for the heads-up and a fix on short notice.
> 
> For people like me who rely on the portable version and for systems which 
> rely on built packages as they lack the local development tools, a filter 
> should help to mitigate the problem until a package could be built on another 
> system.
> 
> Shouldn’t something like 
> 
> filter exploit_check phase mail-from match mail-from regex {  '<*\;*' } \
> disconnect "550 no exploiting, kthx"
> 
> listen on $interface filter exploit_check
> 
> sufficiently mitigate the problem?
> I am not fluent in regex’ing so maybe I am missing an edge case. It does 
> prevent the example exploit and any others I’ve seen in the last hours.
> 
> Best regards
> Andreas




Interim mitigation for CVE-2020-7247

2020-01-29 Thread Andreas Broecking
Hi all,

first of all, thanks Gilles for the heads-up and a fix on short notice.

For people like me who rely on the portable version and for systems which 
rely on built packages as they lack the local development tools, a filter 
should help to mitigate the problem until a package could be built on another 
system.

Shouldn’t something like 

filter exploit_check phase mail-from match mail-from regex {  '<*\;*' } \
disconnect "550 no exploiting, kthx"

listen on $interface filter exploit_check

sufficiently mitigate the problem?
I am not fluent in regex’ing so maybe I am missing an edge case. It does 
prevent the example exploit and any others I’ve seen in the last hours.

Best regards
Andreas
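
A way to check the two filter patterns from this thread before deploying either one, as an added example that is not part of the original posts or of OpenSMTPD: it compiles each pattern as a POSIX extended regex and reports which sender strings it would reject. Assumptions: smtpd compiles filter regexes with `regcomp(REG_EXTENDED | REG_NOSUB)`, and the sender strings are constructed samples. Because `<*\;*` can match the empty string, it rejects every sender, while `.*\;.*\;.*` rejects only senders containing at least two semicolons.

```c
/* Added example: evaluate candidate mail-from filter patterns as POSIX
 * extended regexes. Assumption: smtpd compiles filter regexes with
 * regcomp(REG_EXTENDED | REG_NOSUB). Sender strings are constructed. */
#include <regex.h>
#include <stdio.h>

/* Returns 1 if pattern matches anywhere in s, 0 if not, -1 on compile error. */
int pattern_matches(const char *pattern, const char *s)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, s, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Counts how many of the n senders a filter using this pattern would reject. */
int count_rejected(const char *pattern, const char *const *senders, int n)
{
    int i, hits = 0;

    for (i = 0; i < n; i++)
        if (pattern_matches(pattern, senders[i]) == 1)
            hits++;
    return hits;
}

/* Constructed sample senders. */
static const char *const SENDERS[] = {
    "alice@example.org",      /* ordinary address */
    "bob+list@example.net",   /* ordinary address with subaddress */
    "one;semi@example.org",   /* one semicolon */
    ";two;semis@example.org", /* two semicolons in the local part */
};
#define NSENDERS 4

/* The two patterns proposed in the thread, as C string literals. */
static const char *const PATTERNS[] = { "<*\\;*", ".*\\;.*\\;.*" };

int main(void)
{
    int p, i;

    for (p = 0; p < 2; p++)
        for (i = 0; i < NSENDERS; i++)
            printf("%-14s %-24s %s\n", PATTERNS[p], SENDERS[i],
                pattern_matches(PATTERNS[p], SENDERS[i]) == 1 ? "reject" : "accept");
    return 0;
}
```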


Re: OpenSMTPD password encryption scheme.

2018-09-18 Thread Andreas Broecking
Hey,

I struggled with this issue as well on FreeBSD. 

This worked for me after a lot of tracing. 

1. Create your PW hash with doveadm:
echo `doveadm pw -s BLF-CRYPT` | cut -d'}' -f2

This will cut the {BLF-CRYPT}… header created by doveadm.
OpenSMTPD uses crypt() to figure out the hash type and should roll with it. 

2. Tell dovecot that your password hashes are BLF-CRYPT so it recognises them 
without the {BLF-CRYPT} header

passdb {
driver = passwd-file
args = scheme=blf-crypt /usr/local/etc/mail/passwd
}

This way you can use the same passwd table both for opensmtpd and dovecot.

HTH
Andreas



> On 18. Sep 2018, at 09:06, Reio Remma  wrote:
> 
> Hello!
> 
> I'm curious as to what determines the password scheme used by OpenSMTPD on a 
> Linux system (CentOS 7 in my case). When setting up the system I ended up 
> with using SHA512, because it seems to be what works both in OpenSMTPD and 
> Dovecot, but would really like to use Blowfish instead. Dovecot seems to work 
> with it, but is there any way I can make OpenSMTPD also agree with it?
> 
> Thanks,
> Reio
> 
> -- 
> You received this mail because you are subscribed to misc@opensmtpd.org
> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> 

