Re: Relaying and forwarding between multiple servers

2020-05-26 Thread Craig Skinner

Hi Chris,

On 24/05/2020 21:46, Christian Baer wrote:

> I want to move the full fledged server


That server is known as the 'primary mail exchanger' (primary MX).



> to the machine in my basement


You'll need a static IP address from your home ISP, and be able to set 
the reverse DNS to match the forward DNS hostname. Can your home ISP 
provide static IP addresses and reverse DNS hostname management? If not, 
don't proceed with this project.



> and want to use mx1, mx2 and mx3 as smart hosts that accept mail for my 
> domains and forward it to the server in my basement.


Mail smart hosts are sending hosts on a LAN that are smart enough to 
know which hosts on the LAN to relay outbound mail for.


I think you mean you want your remote rented servers to all be backup MX 
machines, as mx2 & mx3 are now. Simple:- configure mx1 as another backup 
and have your home machine as mx0 (i.e;- the primary MX server).



> They also should relay mail sent from this server. Perfect would be a setup where they'll be used round robin. 


DNS is your friend: configure relay.mail.your.domain with the IP address 
of all 3 remote mail servers. Use this DNS hostname as your outbound 
relay. Set your authoritative DNS daemon (NSD, BIND, etc.) to serve 
records in round-robin fashion. Done!


But if you have a static IP address & rDNS at home, you don't need to 
relay via your remote servers. Your primary MX can send to the world.


Cheers,
Craig.






Re: request (privately) for maillog

2020-02-25 Thread Craig Skinner
On Mon, 24 Feb 2020 18:41:19 +0100 "Peter J. Philipp" wrote:
> I got another "bouncing messages from misc@opensmtpd.org" message. The
> particular message was 4669 that bounced. Yet I have no record of this in
> my maillog,...

Same here.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: 421 errors

2020-02-18 Thread Craig Skinner
G'day Jeff,

On Mon, 17 Feb 2020 18:48:41 -0500 Jeff Moskow wrote:
> (host foo.bar.com[192.168.2.2] said: 421 try again later (in reply to end of 
> DATA command))

The primary MX OpenBSD machine is running spamd.

http://man.OpenBSD.Org/spamd

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: different lmtp destinations from table for mail delivery depending on email address

2018-12-27 Thread Craig Skinner
Hi Mabi,

On Wed, 26 Dec 2018 21:24:53 mabi wrote:
> I would like to setup one OpenSMTPD server as MX server for incoming
> mails and have OpenSMTPD deliver the mail to different Dovecot
> mailbox servers using LTMP depending on the e-mail address of the
> recipient.

Can your public MX machine route to your private IMAP machines via SMTP?

Each of your IMAP servers would have an MTA on it.

Make those MTAs send via LMTP to the local Dovecot over a UNIX socket.

Keeps it simple, no SQL nor proxies needed.

Set up a mapping on the public MX machine like this
(have a cron job write it when users are added/removed):

joe@public.domain -> joe@imap1.private
sarah@public.domain -> sarah@imap2.private
andy@public.domain -> andy@imap3.private


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: Opensmtpd failover

2018-11-29 Thread Craig Skinner
Thomas, you're a stupid, standards breaking, sack of shit.

STOP EMAILING ME PRIVATELY YOUR FUCKWIT CRAP!!!

MX records have a purpose. Read what they are for.


STOP SENDING ME YOUR FUCKWIT PRIVATE IDEAS ABOUT MX RECORDS



On Wed, 28 Nov 2018 13:06:03 Craig Skinner wrote:
> On Wed, 28 Nov 2018 02:41:42 +0100 Thomas Bohl wrote:
> > ... Who cares about the original concept of MX priorities?
> 
> You're a fucking stupid arsehole Thomas.
> 
> Due to you emailing me off list, you seem to want me to mentor you
> from being a postmoron into becoming a postmaster.
> 
> For private tuition, I charge GB£60/hour. PayPal me GB£3,000 to start.
> 
> Pay up.
> -- 
> Craig Skinner | http://linkd.in/yGqkv7




Re: Opensmtpd failover

2018-11-26 Thread Craig Skinner
Hi Thomas,

On Sun, 25 Nov 2018 04:12:10 +0100 Thomas Bohl wrote:
> > smtp2 doesn't deliver the mail to an IMAP mail storage daemon.
> > 
> > Instead, it spools it and waits
> 
> But why? Just deliver it and be done. Can't see many drawbacks in
> that.
> 

Backup MX servers don't have any mail storage, nor IMAP/POP daemon.

They are another hop along the delivery path to the primary MX servers.



Backup MX machines are not the message's final destination;-

Pretend you are going to the world's biggest party, which is held every
New Year's Eve in Edinburgh, so you board an aeroplane to Edinburgh.

But the snow hits Scotland, so your aeroplane lands in London. England
is not your final destination. It is a backup airport in a different
country. You have not travelled to the party capital. So you wait/spool
in London until Edinburgh airport is receiving traffic. Then you
get the next flight to your final destination & Hogmanay for 3 days.


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7




Re: OpenSMTP as mx backup

2018-11-26 Thread Craig Skinner
On Sun, 25 Nov 2018 15:49:44 +0100 Gilles Chehade wrote:
> .. if you have a secondary MX that keeps your mail for longer
> than 4 days, which is already quite long, it means that you have more
> trust in the reliability of your secondary MX than your primary MX and
> this essentially means your setup is wrong.

There are many possible problems.

If your primary MX's network goes down while you are away on 3 weeks
holiday, the backup MX can spool mail until you return from holiday to
have the ISP fix the wiring, etc. which might take a few days...

Or if the primary MX has a failure on Friday evening, and you can't
order parts until Monday, which take a week to arrive

Some shit takes more than 4 days to fix.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7




Re: Opensmtpd failover

2018-11-24 Thread Craig Skinner
Hi Peter,

On Sat, 24 Nov 2018 08:21:46 +0100 "Peter J. Philipp" wrote:

> ... the MX priority was all the same in DNS ...

This is a vastly different scenario to Mik's question. Not the same...


>  backup MX's too I think with a higher priority field in DNS,
> ... all they did was queue the mail and wait for the main mail hosts
> to come back from whatever caused them to be down, then they'd
> deliver the mail there. It was just a relayer.

Yes, that is what Mik was asking about;- The MX backup servers spool
mail while the primary mail servers are down, then relay over SMTP when
the primary can receive the spooled mail.


> ... A solution is to use dot-lock files ...

Maildirs solve the hideous problems of mboxes... whether on NFS or not.


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Opensmtpd failover

2018-11-24 Thread Craig Skinner
Hi Mik

On Sat, 24 Nov 2018 00:15:33 + Mik J wrote:
> Let's say smtp1 is down, the internet client resolves the other mx
> with a lower priority and the mail goes to smtp2. Now smtp2 writes
> the message on the disk in order to store it.

smtp2 doesn't deliver the mail to an IMAP mail storage daemon.

Instead, it spools it and waits

The MX backup machine can be in a different country.

When the primary MX comes back up, the MX backup machine will relay
spooled mail to it over the Internet via SMTP.

That is a benefit of different priority MX records within a DNS zone.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7




Re: Vacation with smtpd doesn't work in 6.4

2018-11-17 Thread Craig Skinner
Hi postmasters,

On Sat, 17 Nov 2018 17:01:50 +0100 Aham Brahmasmi wrote:
> ... or to block mail from this particular domain in case the mails
> are of a sensitive nature.

Most mail is not sensitive.

Most mail is social chit-chat.

Much mail (like this) is archived on public websites.

So, encrypting mail transport is optional.

If the contents of mail is sensitive, the CONTENT should be
encrypted (e.g. PGP, Enigmail, etc.), because most mail lives in clear
text on freemail providers' disks, for any government to rape at will.

e.g: GMX, gMail, Yahoo, Hotmail, etc all open their disks to govts.


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7




Re: Report Domain: dotbit.ro Submitter: fastmail.com Report-ID:2018.10.15.155619520

2018-10-19 Thread Craig Skinner
Hi Dimitrios,

On Tue, 16 Oct 2018 10:39:25 +0300 Dimitrios wrote:
> 1. SPF.
> 212.83.129.132 is not my IP

It is the mailing list's IP. See mail headers from the list, or:

$ nice dig -x 212.83.129.132 +short
out.mailbrix.mx.



Your SPF record is too tight, change the "-all" to "~all"

$ nice dig dotbit.ro TXT +short
"v=spf1 ip4:86.34.153.250 -all"


Same for your main domain:

$ nice dig lampero.ro TXT +short
"v=spf1 ip4:86.34.153.250 -all"







For simplicity, change your main domain's SPF record,
then include it in all your other domains, e.g:


$ dig lampero.ro TXT +short
"v=spf1 include:_spf.%{d} ~all"

$ dig _spf.lampero.ro TXT +short
"v=spf1 +a:mail.lampero.ro ~all"

$ dig dotbit.ro TXT +short
"v=spf1 include:_spf.lampero.ro ~all"






Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
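An added example, not from Craig's post nor from any DNS or mail project: a small SPF evaluator in Python that supports only the ip4/ip6, a, include and all mechanisms plus the %{d} macro, run over the records quoted above. DNS answers are a constructed table rather than live lookups, and the A record for mail.lampero.ro is an assumption.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per check

# Constructed DNS answers (no live lookups). CURRENT_DNS holds the records
# quoted in the post; PROPOSED_DNS holds the records suggested in the reply.
# The A record for mail.lampero.ro is an assumption made for this example.
CURRENT_DNS = {
    ("dotbit.ro", "TXT"): ["v=spf1 ip4:86.34.153.250 -all"],
    ("lampero.ro", "TXT"): ["v=spf1 ip4:86.34.153.250 -all"],
}
PROPOSED_DNS = {
    ("lampero.ro", "TXT"): ["v=spf1 include:_spf.%{d} ~all"],
    ("_spf.lampero.ro", "TXT"): ["v=spf1 +a:mail.lampero.ro ~all"],
    ("dotbit.ro", "TXT"): ["v=spf1 include:_spf.lampero.ro ~all"],
    ("mail.lampero.ro", "A"): ["86.34.153.250"],
}


def lookup(name, rtype, dns):
    return dns.get((name.lower().rstrip("."), rtype), [])


def spf_record(domain, dns):
    """Return the domain's single v=spf1 TXT record, or None when it has none.
    Two or more SPF records are a permanent error under RFC 7208."""
    records = [r for r in lookup(domain, "TXT", dns)
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(records) > 1:
        raise ValueError("multiple SPF records for %s" % domain)
    return records[0] if records else None


def check_host(ip, domain, dns, depth=0):
    """Evaluate domain's SPF policy for a connection from ip.
    Handles the ip4/ip6, a, include and all mechanisms, the four qualifiers
    and the %{d} macro; anything else (mx, ptr, exists, redirect=) gives
    'permerror' so a gap in coverage is never mistaken for a pass."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        arg = arg.replace("%{d}", domain)    # the only macro supported here
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A bare address is a /32 (or /128); a v4 address never matches a v6 network.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            host, _, cidr = (arg or domain).partition("/")
            suffix = "/" + cidr if cidr else ""
            matched = any(addr in ipaddress.ip_network(a + suffix, strict=False)
                          for a in lookup(host, "A", dns) + lookup(host, "AAAA", dns))
        elif mech == "include":
            result = check_host(ip, arg, dns, depth + 1)
            if result in ("none", "permerror", "temperror"):
                return "permerror"
            matched = result == "pass"       # only a pass from the included policy matches
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # RFC 7208: no mechanism matched


if __name__ == "__main__":
    list_server = "212.83.129.132"           # out.mailbrix.mx, the list's relay
    for name, dns in (("current", CURRENT_DNS), ("proposed", PROPOSED_DNS)):
        print(name, "dotbit.ro from the list:", check_host(list_server, "dotbit.ro", dns))
```

With the records as published, mail relayed by the list server hard-fails; with the suggested "~all" it only soft-fails, which is what the DMARC report was complaining about.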




Re: spamd

2018-10-17 Thread Craig Skinner
On Mon, 15 Oct 2018 09:44:41 +0300 Dimitrios wrote:

> ... For ex. talking on the phone and telling people to send you some
> info by e-mail but not being able to receive it for aprox. an hour.

Email is not designed to be instant messaging. IM is.


> ... Find solution for easily whitelisting domains.

See: http://web.Britvault.Co.UK/products/ungrey-robins/


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7




Re: Testing SMTP Authentication CLI

2018-09-10 Thread Craig Skinner
Hi Nino,

On Sun, 9 Sep 2018 04:16:42 + Antonino Sidoti wrote:
> openssl s_client -connect mail.example.com:25 -starttls smtp. 
> 
> The connection is successful and I can see TLS handshake, etc. 
> I now enter ‘helo’ and 'auth login’, each are successful.

587 is the mail user agent (MUA) authenticated mail submission port.

25 is for MTA to MTA duties, not for user authentication.

Regards,
-- 
Craig Skinner | http://linkd.in/yGqkv7




Re: Credentials Table

2018-08-28 Thread Craig Skinner
See these Dovecot documents Antonino:

http://wiki2.dovecot.org/
http://wiki2.dovecot.org/PasswordDatabase
http://wiki2.dovecot.org/UserDatabase
http://wiki2.dovecot.org/AuthDatabase/Passwd
http://wiki2.dovecot.org/AuthDatabase/PasswdFile
http://wiki2.dovecot.org/HowTo
http://wiki2.dovecot.org/HowTo/CRAM-MD5
http://wiki2.dovecot.org/Authentication
http://wiki2.dovecot.org/Authentication/Mechanisms
http://wiki2.dovecot.org/Authentication/Mechanisms/DigestMD5
http://wiki2.dovecot.org/Authentication/PasswordSchemes
http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7




Re: OpenSMTPD 6.4.0

2018-06-29 Thread Craig Skinner
On Thu, 28 Jun 2018 22:47:37 -0400 Matt Schwartz wrote:
>  I cannot send emails to anyone outside of my server and I am
> having trouble determining why. 

Try it temporarily without DKIM Matt;-
match anything that's not local to your "outbound" action.

On your mail server, do something like this & watch the logs:
user$ print delete | mail -s test matt.schwart...@gmail.com

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7




Re: Problem sending mail with Apple Mail

2018-04-10 Thread Craig Skinner
On Tue, 10 Apr 2018 10:22:28 Nick Gyurov wrote:
> ... autoconfiguration worked when listening on submission

Fuck me!

_WHAT_A_BIG_SURPRISE_!!!

Bloody hell!

Perhaps Firefox will start browsing on port 80 next! Whoop!!!

Maybe ssh will one day connect to port 22 too!

Stunned!
-- 
Craig Skinner | http://linkd.in/yGqkv7




Re: Problem sending mail with Apple Mail

2018-04-10 Thread Craig Skinner
On Tue, 10 Apr 2018 17:49:56 +0800 Nick Gyurov wrote:
> ... (check my previous mail).

I read that & wrote what I wrote, *because* I saw you using the wrong port.

I also wrote that perhaps Apple Mail was expecting to use the RFC port.

If you use port 56789 and tell Apple Mail to use that non-standard
port, it would work too - but you are using a non-RFC port and hard
coding it Hey, why not use port 22? Hmmm I wonder...

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7




Re: Problem sending mail with Apple Mail

2018-04-10 Thread Craig Skinner
On Tue, 10 Apr 2018 12:51:55 +0300 Reio Remma  wrote:
> Curious indeed, if Apple autoconfiguration would work properly on the 
> submission port.
> 

Yes Reio:-

> >> On 10 Apr 2018, at 5:43 PM, Craig Skinner wrote:
> >>
> >> Port 465 is not RFC compliant.
> >>
> >> Perhaps Apple Mail expects the RFC port 587 to be operative?




Re: Problem sending mail with Apple Mail

2018-04-10 Thread Craig Skinner
Hi Nick,

Port 587 is the proper MUA submission port, not 465.

https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol

https://tools.ietf.org/html/rfc6409

http://blog.mailgun.com/25-465-587-what-port-should-i-use/


Port 465 is not RFC compliant.

Perhaps Apple Mail expects the RFC port 587 to be operative?


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7




Re: Help setting up anti-spam using Dovecot and whatever with 6.3

2018-03-28 Thread Craig Skinner
Hi Chris,

On Tue, 27 Mar 2018 10:41:32 -0700 Chris Bennett wrote:
> .. help setting up some spam filtering before I turn on spamd.

See the man pages:
http://man.openbsd.org/spamd
http://man.openbsd.org/spamlogd


I've found these settings reliable:

<postmaster@primary-mx:~ 0>$ fgrep spam /etc/rc.conf.local
spamd_flags='-S 90 -s 5 -w 1 -y public.ip.add.ress -Y backup.mx.host.name -Y another.mx.host.name'
spamlogd_flags='-I -Y backup.mx.host.name -Y another.mx.host.name'


<postmaster@mx-backup:~ 0>$ fgrep spam /etc/rc.conf.local
spamd_flags='-S 90 -s 5 -w 1 -M high.listing.ip.address -y main.ip.add.ress -Y primary.mx.host.name -Y another.mx.host.name'
spamlogd_flags='-I -Y primary.mx.host.name -Y another.mx.host.name'


Consider ungrey-robins to cope with round-robin dumb fuck freemailers:
http://web.Britvault.Co.UK/products/ungrey-robins/


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7




Re: QUIT quickly when message is over SIZE

2017-09-01 Thread Craig Skinner
Hi Edgar,

On Thu, 31 Aug 2017 15:23:06 -0500 Edgar wrote:
> Postfix logs on opensmtpd list. Seems like heresy to me.

The SMT _Protocol_ was created to inter-operate on various daemons.

Interaction with other daemons is simply the protocol of mail transfer.

Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7




Re: QUIT quickly when message is over SIZE

2017-09-01 Thread Craig Skinner
Hi Gilles/all again,

With a bit of commentary below:


On Thu, 31 Aug 2017 11:41:04 +0100 Craig Skinner wrote:
> 
> Transcript of session follows.
> 

OpenSMTPd running on lists.OpenBSD.Org has a message to send,
and knows what size that message is.

lists: knock knock teak

>  Out: 220 teak.britvault.co.uk ESMTP Postfix
>  In:  EHLO openbsd.org
>  Out: 250-teak.britvault.co.uk
>  Out: 250-PIPELINING
>  Out: 250-SIZE 1024
>  Out: 250-ETRN
>  Out: 250-ENHANCEDSTATUSCODES
>  Out: 250-8BITMIME
>  Out: 250 DSN

teak has helpfully told lists messages over 10Mb will not be accepted.

As lists knows what size the message is, now is the time to QUIT.

There's no point in proceeding further >> fail fast.

But lists ignores the notice and tries anyway:


>  In:  MAIL FROM:<owner-ports+M87556=skinner=britvault.co...@openbsd.org>
>  Out: 250 2.1.0 Ok
>  In:  RCPT TO:<skin...@britvault.co.uk>
>  Out: 250 2.1.5 Ok
>  In:  DATA
>  Out: 354 End data with .

lists wastes time, bandwidth & CPU sending a message it cannot deliver..
..
.

...
..

>  Out: 552 5.3.4 Error: message file too big

teak says 552 off! I told you at the start not to post big parcels.

>  In:  QUIT
>  Out: 221 2.0.0 Bye
> 
> 
> For other details, see the local mail logfile
> 


Does OpenSMTPd parse the '250-SIZE' parameter?

Cheers.




QUIT quickly when message is over SIZE

2017-08-31 Thread Craig Skinner
Hi,

From the SMTP session trace below,
OpenSMTPd should have QUIT quickly after reading the SIZE parameter:

Cheers.

----- Forwarded message from Mail Delivery System -----

Date: Thu, 31 Aug 2017 00:18:05 +0100 (BST)
From: Mail Delivery System 
To: Postmaster 
Subject: Postfix SMTP server: errors from lists.openbsd.org[192.43.244.163]

Transcript of session follows.

 Out: 220 teak.britvault.co.uk ESMTP Postfix
 In:  EHLO openbsd.org
 Out: 250-teak.britvault.co.uk
 Out: 250-PIPELINING
 Out: 250-SIZE 1024
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM:
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  DATA
 Out: 354 End data with .
 Out: 552 5.3.4 Error: message file too big
 In:  QUIT
 Out: 221 2.0.0 Bye


For other details, see the local mail logfile

----- End forwarded message -----



Aug 31 00:17:38 teak spamlogd[20435]: inbound 192.43.244.163
Aug 31 00:17:38 teak postfix/postscreen[22544]: CONNECT from [192.43.244.163]:30841 to [78.33.153.148]:25
Aug 31 00:17:38 teak postfix/postscreen[22544]: PASS OLD [192.43.244.163]:30841
Aug 31 00:17:38 teak postfix/smtpd[11006]: connect from lists.openbsd.org[192.43.244.163]
Aug 31 00:17:39 teak postfix/smtpd[11006]: 3xjLyC1csFz3P: client=lists.openbsd.org[192.43.244.163]
Aug 31 00:17:39 teak postfix/cleanup[9525]: 3xjLyC1csFz3P: message-id=<605937713.37109.1504133547...@mail.yahoo.com>
Aug 31 00:17:54 teak postfix/smtpd[11006]: warning: 3xjLyC1csFz3P: queue file size limit exceeded
Aug 31 00:18:05 teak postfix/cleanup[9525]: 3xjLyj5NtJzDq: message-id=<3xjlyj5ntj...@teak.britvault.co.uk>
Aug 31 00:18:05 teak postfix/smtpd[11006]: disconnect from lists.openbsd.org[192.43.244.163]
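An added example, not from Craig's posts nor from OpenSMTPD or Postfix, covering this transcript and the commentary on it in the follow-up: a Python sketch of the client-side fail-fast logic, parsing the EHLO reply for the SIZE extension and deciding whether to QUIT before MAIL FROM. The EHLO reply is copied from the transcript; the sender and recipient addresses are placeholders.

```python
# Constructed for this example: the EHLO reply copied from the session
# transcript in the post.
EHLO_REPLY = [
    "250-teak.britvault.co.uk",
    "250-PIPELINING",
    "250-SIZE 1024",
    "250-ETRN",
    "250-ENHANCEDSTATUSCODES",
    "250-8BITMIME",
    "250 DSN",
]


def parse_ehlo(lines):
    """Split a multi-line EHLO reply into (greeting, {KEYWORD: parameters}).
    Every line must carry code 250; continuation lines use '250-' and only
    the last line '250 ' (RFC 5321 section 4.2.1)."""
    if not lines or any(line[:3] != "250" for line in lines):
        raise ValueError("EHLO rejected or reply truncated: %r" % lines[:1])
    if lines[-1][3:4] != " " or any(line[3:4] != "-" for line in lines[:-1]):
        raise ValueError("malformed multi-line reply")
    extensions = {}
    for line in lines[1:]:
        keyword, _, params = line[4:].partition(" ")
        extensions[keyword.upper()] = params.strip()
    return lines[0][4:], extensions


def advertised_size_limit(extensions):
    """Bytes the server will accept, or None when no fixed limit is declared
    (RFC 1870: 'SIZE' with no value, or a value of 0, sets no limit)."""
    params = extensions.get("SIZE")
    if not params or not params.isdigit():
        return None
    return int(params) or None


def plan_session(ehlo_lines, sender, recipient, message_size):
    """What a fail-fast client sends after EHLO. A message the server has
    already said it will refuse is dropped with an immediate QUIT instead of
    being transmitted in full only to be bounced at the end of DATA."""
    _, extensions = parse_ehlo(ehlo_lines)
    limit = advertised_size_limit(extensions)
    if limit is not None and message_size > limit:
        return ["QUIT"]
    mail_from = "MAIL FROM:<%s>" % sender
    if "SIZE" in extensions:
        # RFC 1870: declare the size so the server can refuse at MAIL FROM
        mail_from += " SIZE=%d" % message_size
    return [mail_from, "RCPT TO:<%s>" % recipient, "DATA"]


if __name__ == "__main__":
    for size in (512, 10 * 1024 * 1024):
        print(size, "bytes ->", plan_session(EHLO_REPLY, "owner@example.org",
                                             "user@example.net", size))
```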




Re: Guidence to use OpenLDAP with OpenSMTPD

2017-08-02 Thread Craig Skinner
Hi Markus,

On Tue, 1 Aug 2017 18:01:38 +0200 Markus Rosjat wrote:
> Am 01.08.2017 um 16:48 schrieb Craig Skinner:
> 
> > Thunderbird (& others) can use MD5 passwords with Dovecot too:
> > https://wiki2.dovecot.org/HowTo/CRAM-MD5
> 
> I dont know if I go this way since as far as I understand this it
> means I would need a blowfish password and an md5 to check against
> 

Yes;- here users have a different password for mail (IMAP/POP/SMTP)
from their login/ssh password, held in a different db.

If a mail password is leaked, it is useless for SSH.

Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7




Re: Guidence to use OpenLDAP with OpenSMTPD

2017-08-01 Thread Craig Skinner
Hi Markus/all,

On Tue, 1 Aug 2017 13:17:08 +0200 Markus Rosjat wrote:
> 
> I basically have a working LDAP directory to authenticate with
> dovecot so I'm sure the stuff in there is sane. I installed
> opensmtpd-extras from the ports and now try to get my ldap dir to
> work with opensmtp.
> 
> 
> 
> What is the way to go from here to get opensmtpd to accept my
> credentials?
> 

Can OpenSMTPd hand this duty off to Dovecot?

Both Exim and Postfix have Dovecot do SMTP auth of users via either
chrooted file system sockets, or TCP sockets:

https://wiki2.dovecot.org/HowTo/EximAndDovecotSASL
https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
https://wiki2.dovecot.org/AuthDatabase/LDAP
https://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
https://wiki2.dovecot.org/HowTo/


Thunderbird (& others) can use MD5 passwords with Dovecot too:
https://wiki2.dovecot.org/HowTo/CRAM-MD5


Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7




Client (r)DNS client hostname restrictions

2017-07-29 Thread Craig Skinner
Hi,

On Sat, 29 Jul 2017 06:12:31 +0500 Sandro Cardelli  spammed:
> Received: from rptf.pisem.net (221.176.221.70 [221.176.221.70])
>  by mx1.poolp.org (OpenSMTPD) with ESMTP id 780e
>  for ;
>  Sat, 29 Jul 2017 03:12:32 +0200 (CEST)
> From: "Sandro Cardelli" 
> To: "misc" 
> Subject: Re: have you heard the news?
> Date: Sat, 29 Jul 2017 06:12:31 +0500
> Message-ID: <1749433327.20170729031...@libero.it>


$ host 221.176.221.70 
Host 70.221.176.221.in-addr.arpa. not found: 3(NXDOMAIN)


Could client (r)DNS client hostname restrictions be built into OpenSMTPd?


This sort of spam is stopped dead by Postfix with these built in settings:

smtpd_helo_restrictions =
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname

smtpd_client_restrictions =
reject_unknown_client_hostname

smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unlisted_sender
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient
reject_unlisted_recipient
reject_unknown_recipient_domain


Cheers!
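An added example, not from Craig's post nor from Postfix: a Python emulation of the HELO and client checks listed above, with the forward-confirmed reverse DNS test behind reject_unknown_client_hostname. DNS answers are a constructed table (the spammer's address has no PTR, as in the host(1) output); the A record assumed for openbsd.org and the 203.0.113.x entries exist only for this example.

```python
import ipaddress
import re

# Constructed DNS answers for this example (no live lookups): the spammer's
# address from the post has no PTR record, the list server resolves both ways,
# and 203.0.113.9 carries a PTR whose forward lookup does not point back.
DNS = {
    ("163.244.43.192.in-addr.arpa", "PTR"): ["lists.openbsd.org"],
    ("lists.openbsd.org", "A"): ["192.43.244.163"],
    ("openbsd.org", "A"): ["192.43.244.163"],      # assumed, for the HELO check
    ("9.113.0.203.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("mail.example.net", "A"): ["203.0.113.10"],   # mismatch: PTR is not confirmed
}

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def lookup(name, rtype, dns=DNS):
    return dns.get((name.lower().rstrip("."), rtype), [])


def valid_hostname(name):
    """Syntax check behind reject_invalid_helo_hostname."""
    name = name.rstrip(".")
    return 0 < len(name) <= 253 and all(LABEL.match(label) for label in name.split("."))


def client_hostname(ip, dns=DNS):
    """Forward-confirmed reverse DNS, the test behind reject_unknown_client_hostname:
    a PTR name counts only if it resolves back to the connecting address.
    Returns the confirmed name, or None."""
    addr = ipaddress.ip_address(ip)
    for name in lookup(addr.reverse_pointer, "PTR", dns):
        forward = lookup(name, "A", dns) + lookup(name, "AAAA", dns)
        if any(ipaddress.ip_address(a) == addr for a in forward):
            return name
    return None


def smtpd_restrictions(client_ip, helo, dns=DNS):
    """Emulate the helo and client restrictions from the post. Returns the
    names of the restrictions that would reject the session (empty = accept)."""
    reasons = []
    if not valid_hostname(helo):
        reasons.append("reject_invalid_helo_hostname")
    elif "." not in helo.rstrip("."):
        reasons.append("reject_non_fqdn_helo_hostname")
    elif not (lookup(helo, "A", dns) or lookup(helo, "AAAA", dns) or lookup(helo, "MX", dns)):
        reasons.append("reject_unknown_helo_hostname")
    if client_hostname(client_ip, dns) is None:
        reasons.append("reject_unknown_client_hostname")
    return reasons


if __name__ == "__main__":
    print("spammer:", smtpd_restrictions("221.176.221.70", "rptf.pisem.net"))
    print("list server:", smtpd_restrictions("192.43.244.163", "openbsd.org"))
```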




Re: Fail2Ban filter for OpenSMTPD

2017-06-20 Thread Craig Skinner
On 2017-06-17 Sat 14:56 PM |, Peter N. M. Hansteen wrote:
> 
> Examples in the most recent PF tutorial start at
> https://home.nuug.no/~peter/pftutorial/#44 and there is a oneliner that
> would be an easy starting point for adapting to your needs at the bottom
> of https://home.nuug.no/~peter/pftutorial/#46 - that one is taken from a
> cron job I run somewhere that will not ever need a wordpress install.
> 

Thanks Peter.

This script has awk do the pattern matching, rather than piping from grep.

It is manually run several times a week on a dual-homed static only web server,
but could likewise easily be adapted & automated for other tasks.

(NOTE: it needs a private $TMPDIR, in this case for the 'webmaster' user
it is /tmp/webmaster/)


#!/bin/ksh -r
#
#   $Id: error-log-parser,v 1.13 2017/03/23 13:00:22 craig Exp $
#
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#
# Copyright (c) 2015-2017 Craig R. Skinner 
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#


if [[ -f $1 ]]
then
	log=$1
	# A rotated, compressed log is copied into the private $TMPDIR,
	# decompressed there and deleted again once parsed.
	[[ ${log} == *.gz ]] &&
	{
		cp ${log} ${TMPDIR} || exit
		log=${TMPDIR}/${log##*/}
		gunzip ${log} || exit
		log=${log%.*}
		rm_log='true'
	}
else
	log='/var/www/logs/error.log'
fi
ips=$(mktemp)


# Match requests typical of web scanners probing for PHP/CGI/CMS files, take
# the client address from the 2nd comma-separated field and skip LAN clients.
awk -F , '/\.php|\.cgi|\/wp-content\/|\/wordpress\/|w00tw00t|\/joomla\/|\/phpMyAdmin|\.jsp|\.action|\.asp|\.esp|\/cgi-bin\/|"\/htdocs\/server-status"|"\/htdocs\/rom-0"/ { if($2 !~ "192.168.1.") { split($2, client, " "); print client[2] } }' ${log} |
sort -u -o ${ips}

[[ -n ${rm_log} ]] && rm ${log}
[[ -s ${ips} ]] ||
{
	print 'No pattern matches.'
	rm ${ips}
	exit
}
# Review the address list by hand, then add it to the PF 'scanners' table.
vi ${ips}
mv ${ips} /tmp
print "you$ sudo pfctl -v -t scanners -T add \$(< /tmp/${ips##*/})"





Re: Failing to relay to gmail

2016-10-25 Thread Craig Skinner
Hello,

On Mon, 24 Oct 2016 14:59:22 +0200 K. Peter wrote:
> 
> It is maybe because smtp.qmail.com is a CNAME:
> 
> $ dig smtp.gmail.com +short mx
> gmail-smtp-msa.l.google.com.
> 


Is the recipient's address u...@smtp.gmail.com ???


Romildo wrote the address of malaqu...@gmail.com, not malaqu...@smtp.gmail.com


gmail.com has valid MX & A records:

$ dig gmail.com MX 

; <<>> DiG 9.4.2-P2 <<>> gmail.com MX
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13330
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gmail.com. IN  MX

;; ANSWER SECTION:
gmail.com.              1126    IN      MX      10 alt1.gmail-smtp-in.l.google.com.
gmail.com.              1126    IN      MX      20 alt2.gmail-smtp-in.l.google.com.
gmail.com.              1126    IN      MX      30 alt3.gmail-smtp-in.l.google.com.
gmail.com.              1126    IN      MX      5 gmail-smtp-in.l.google.com.
gmail.com.              1126    IN      MX      40 alt4.gmail-smtp-in.l.google.com.


$ dig gmail-smtp-in.l.google.com

; <<>> DiG 9.4.2-P2 <<>> gmail-smtp-in.l.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27936
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gmail-smtp-in.l.google.com.    IN      A

;; ANSWER SECTION:
gmail-smtp-in.l.google.com. 253 IN  A   74.125.71.26





Re: Message is not RFC 2822 compliant

2016-09-19 Thread Craig Skinner
Hi Will,

On Sun, 18 Sep 2016 16:04:40 -0700 William Sloan wrote:
X-Mailer: Apple Mail (2.3124)
>   I have a long running email thread with some friends that
> yesterday when I attempted to reply to a message I got an error that
> the message could not be delivered because it was not RFC 2822
> compliant.  I had responded to this email thread in the past with no
> issues and I can send and receive other emails without any issues.  
> 

Check for updates to your Apple Mail client. Some older versions don't
wrap headers. As it is a long thread, there are probably many entries
in the References: header, making the lines too long.





Re: table ownership/permissions issues

2016-08-17 Thread Craig Skinner
Hi Jeremy/all,

On Wed, 17 Aug 2016 00:25:30 -0500 Jeremy Volkening wrote:
> 
> The short of it is that to share the passwd file, either:
> 
> 1. The file must be world-readable (not so good)
> 
> 2. The opensmtpd and dovecot daemon users must share a primary group,
> or
> 
> 3. The daemons must call initgroups() or something similar after 
> dropping privileges.

4. As a workaround, in whatever script/Makefile which creates the file,
copy or hard link the file, e.g:

-rw-r----- 1 root postmasters 314 Aug 15 16:58 passwd
-rw-r----- 1 root opensmtpd   314 Aug 15 16:58 passwd-smtp
-rw-r----- 1 root dovecot     314 Aug 15 16:58 passwd-imap




Re: Sample Procedure and commands for clearing Spam from your mail queues

2016-07-20 Thread Craig Skinner
On Tue, 19 Jul 2016 16:03:42 +0200 Christian Kellermann wrote:
> Using a blacklist in smtpd.conf and updating that list would spare you
> the troubles of touching the packet filter rules.
> 
> Or am I missing something?

# spamdb -t -a ip.ad.dr.ess




Re: Verifying addresses on Exchange/AD from an edge server

2016-02-18 Thread Craig Skinner
Hi Jason,

On 2016-02-18 Thu 20:28 PM |, Jason Tubnor wrote:
> 
> Maybe even a script that I can run say every 3 hours, a bit of hackery, uniq
> and a makemap would get me by as well.
> 

Export the recipients from SexChange & putty scp the list to your box.

Adapt these ideas to your situation:

http://www.unixwiz.net/techtips/postfix-exchange-users.html

extract_e3k_recipients.tar.gz from http://www.postfix-book.com/downloads.html

"A collection of scripts to extract valid recipients from a Microsoft
Exchange servers Active Directory. It will also build a map for Postfix
to be used in recipient validation."

Share your success story!




Re: Mails getting chopped in half

2016-01-30 Thread Craig Skinner
Hi Edd,

On 2016-01-29 Fri 14:09 PM |, Edd Barrett wrote:
> 
>  * Maybe there's a race in reading the /var/mail/edd mbox. (Should I
>even have fdm reading a mbox while smtpd maybe is writing
>to it?)

Compare OpenSMTPd's syslog mail delivery timestamps & your cronjob freq

maildirs are better, for a rake of reasons.

Does the problem still occur when you update to:

  deliver to maildir "/var/mail/%{user.username}"

These steps may help:

# smtpctl pause mda
# mv /var/mail/edd /var/mail/edd~
# install -d -o edd -g edd -m 700 /var/mail/edd/{tmp,new,cur}

Cheers.
-- 
We gave you an atomic bomb, what do you want, mermaids?
-- I. I. Rabi to the Atomic Energy Commission




Re: TLS verify

2015-11-28 Thread Craig Skinner
----- Forwarded message from Mail Delivery System <mailer-dae...@britvault.co.uk> -----

Final-Recipient: rfc822; mar...@mdewendt.de
Action: failed
Status: 5.5.1
Remote-MTA: dns; vs1929.mdewendt.de
Diagnostic-Code: smtp; 530 5.5.1 Invalid command: Must issue a STARTTLS command first

Date: Sat, 28 Nov 2015 08:48:09 +
From: Craig Skinner <skin...@britvault.co.uk>
To: Martin de Wendt <mar...@mdewendt.de>
Subject: Re: TLS verify
User-Agent: Mutt/1.5.23 (2014-03-12)

On 2015-11-27 Fri 13:32 PM |, Martin de Wendt wrote:
> incoming emails from any tls required

This isn't realistic.

Do you *ONLY* visit https websites?
Do you *ONLY* visit IPv6 websites?

TLS is an optional extra to SMTP.



- End forwarded message -





Re: The OpenSMTPD audit, a debrief

2015-10-10 Thread Craig Skinner
On 2015-10-09 Fri 19:40 PM |, Gilles Chehade wrote:
> 
> The report taught us a few things and helped us spot weak points that we
> will work on hardening to make sure. I'll summarize a bit,

MTAs could be the most complex daemon commonly deployed.

For a very small, part time team, this is a huge achievement & very
positive indeed.

Congratulations to the core developers & contributors!

Good on you Gilles for starting this, & keeping it moving forward.





Re: Receiving broken e-mails?

2015-08-17 Thread Craig Skinner
On 2015-07-25 Sat 20:39 PM |, Herbert J. Skuhra wrote:
> 
> Later I had this issue with e-mails from a different mailing list.
> Unfortunately those messages are missing on gmane. I can reproduce this
> issue easily:
> 
> - run OpenSMTPD, request mlm to resend the message ... broken
> - run Postfix, request mlm to resend the message ... OK
> 

Retry postfix with these set:

$ postconf | fgrep strict_
strict_7bit_headers = yes
strict_8bitmime = yes
strict_8bitmime_body = yes
strict_mailbox_ownership = yes
strict_mime_encoding_domain = yes
strict_rfc821_envelopes = yes






Re: spamd

2015-08-01 Thread Craig Skinner
On 2015-08-01 Sat 08:16 AM |, SSL wrote:
> 
> 2) spamd (send mail to gmail but *** cannot receive from gmail *)
> -
> black.pf
> -
> 
> ...
> 
> pass in on $ext_if proto tcp to any port submission
> table <spamd> persist
> table <spamd-white> persist
> pass in  on $ext_if proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd
> pass out on lo  proto tcp from any to any   i think problem is here

See the pf.conf fragment of spamd(8).

For google's bizarre random sending servers, you'll need to increase
spamd's greyexp time to 2+ days in /etc/rc.conf.local, restart spamd &
wait 2+ days.
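As an added example, not from this thread and not the spamd(8) text verbatim: the shape of the pf.conf fragment the reply points at, with the bypass tables that the quoted rule set lacks. It assumes the outside interface is in the egress group and that /etc/mail/nospamd is a constructed, locally maintained list of sender networks to exempt from greylisting.

```pf
# Added example, modelled on the pf.conf fragment in spamd(8); not from the
# thread. Assumes the outside interface is in the "egress" group and that
# /etc/mail/nospamd (constructed) lists networks to exempt from greylisting.
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

# By default every inbound port 25 connection is handed to spamd, which
# greylists unknown senders and answers them with a temporary failure.
pass in on egress proto tcp from any to any port smtp \
    divert-to 127.0.0.1 port spamd

# pf uses last-match: senders in nospamd, and senders that have already
# passed greylisting (spamd moves them into spamd-white), skip spamd and
# reach smtpd directly. The quoted rule set has no such exceptions, so
# nothing ever bypasses the redirect.
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp

# Outbound SMTP from this host.
pass out log on egress proto tcp to any port smtp
```

Greylisting only passes a sender whose retry arrives from the same address, which is what breaks with Gmail's rotating outbound hosts; listing those ranges in nospamd, or lengthening greyexp (the middle value of spamd's -G passtime:greyexp:whiteexp option, in hours, e.g. spamd_flags="-G 25:48:864"), is the way around it.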





Re: Debug 'Message is not RFC 2822 compliant'?

2015-07-13 Thread Craig Skinner
On 2015-07-11 Sat 22:26 PM |, Eric Ripa wrote:
> Thanks for the response. I suspected that but given that the actual content
> in this case is confidential I was a bit hesitant.
> 
> Here's the leading part of the [MSG] section. Can you see anything triggering
> this?
> 

It might be a (UTF) formatting bug in Apple Mail.

If the same message can be sent with Thunderbird/Mutt/etc,
what are the smtpd logging differences?





Re: pre-queue spam check

2015-04-11 Thread Craig Skinner
On 2015-04-11 Sat 16:04 PM |, Joerg Jung wrote:
> 
> From my understanding, the user connects on port 25 (using STARTTLS and
> SMTP AUTH), is blocked by spamd (451 temporarily greylisted for 25 min),
> but usually MUAs try again some seconds later...

Users connect to the submission port 587 via their MUAs.

Otherwise, request them to upgrade their mail app to something that's
less than 20 years old.





Re: Lavabit like encryption with OpenSMTPD

2015-02-09 Thread Craig Skinner
On 2015-02-09 Mon 11:56 AM |, Gilles Chehade wrote:
> > 
> > Because they are not an SMTP (*simple* mail transfer protocol) problem,
> > they are MUA & user training issues.
> > 
> 
> Yes, unfortunately you can't always use PGP because not everyone does.
> 

A user training issue, not a technical problem.

> If you rely solely on PGP, then as soon as you exchange with someone who
> doesn't use it... your mail is stored in plaintext.
> 

Errr,... no.

An encrypted message is transmitted and stored encrypted,
the recipient can't read it without decrypting it.

Neither can Goatmail, Snotmail, NSA, govt agencies, etc.

Govts & businesses have access to freemail data.
Encrypting only one end of the transaction offers little privacy.

SSL transmission is of little benefit, for the same reason.


Cheers,
-- 
Craig Skinner | The cost to be the boss:
http://www.youtube.com/watch?v=xVHIGYgDvsI




Re: Lavabit like encryption with OpenSMTPD

2015-02-09 Thread Craig Skinner
On 2015-02-08 Sun 10:56 AM |, Gilles Chehade wrote:
> 
> 1- you need the queue to be encrypted.
> 2- you need mails delivered to the users to be encrypted.

The SENDER encrypts their message in their MUA, _before_ sending.

> 3- you need mails to be decrypted when a user retrieves them.

The recipient decrypts the message in their MUA, when reading.

> 
> Queue encryption solves 1/3rd of the problem, the two others are outside
> the OpenSMTPD scope.
> 

Because they are not an SMTP (*simple* mail transfer protocol) problem,
they are MUA & user training issues.

http://konfidi.org/wiki/OpenPGP_Mail_Clients
Thunderbird, Mac Mail, KMail, Mutt, Pine, etc, etc + webmail

