Re: ^L causing DKIM validation errors with opensmtpd+rspamd

2022-07-29 Thread Demi Marie Obenour
On 7/26/22 21:24, Jason A. Donenfeld wrote:
> This appears rather easy to reproduce. Just include the char 0x0c in a
> message, and the signature will be invalid. Playing with the resultant
> message, I can make it valid by removing the \x0c character,
> suggesting that it's being stripped from whatever rspamd receives for
> signing.

I suspect the problem is that \x0c is a space character (according to
isspace(3)), but is *not* \x20, \n, or \r.  What OS are you using?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature


Re: Is nooSMTPD available anywhere?

2022-06-23 Thread Demi Marie Obenour
On 6/23/22 17:52, gil...@poolp.org wrote:
> June 23, 2022 9:02 PM, "Simon Harrison"  wrote:
> 
>> On Thu, 23 Jun 2022 14:54:36 -0400
>> Demi Marie Obenour  wrote:
>>
>>> Is nooSMTPD available anywhere?
>>
>> That's weird. I'm sure it used to be on Gilles github:
>>
>> https://github.com/poolpOrg
>>
>> Seems to have been removed.
> 
> Hi,
> 
> Long story short, nooSMTPD (not openbsd's opensmtpd) was a custom version of
> OpenSMTPD where I removed and added stuff that I could not do in OpenBSD for
> various reasons (legacy or divergence of opinions), but I decided not to go
> on with it and simply accept that OpenSMTPD won't meet all of my goals.
> 
> There are multiple reasons for that but the main ones:
> 
> a- shortly after, people started looking at the repository, asking for
>    features, asking me to make the portable version, and this started
>    looking like a real fork (which it wasn't) with no benefits: I'd have to
>    do even more work than before, completely alone, and since I left due to
>    almost burning out this was a nope-nope.

That is 100% valid.  Maintaining an MTA is a LOT of work.

> b- it would hurt OpenSMTPD considerably. I was always the most active
>    developer, partly because I knew the entire code base and its history
>    but also because I'm a very active person that works part-time leaving
>    me many hours to work on pet projects. If I started working on nooSMTPD
>    during this time, I would end up creating a fork which OpenSMTPD would
>    be lagging behind... add to this that I wouldn't have the constraints
>    of OpenBSD developers (release cycles, base libraries only or rejected
>    diffs), and we end up with trees that diverge enough that the OpenSMTPD
>    developers would not necessarily be able to bring back stuff from
>    nooSMTPD to their tree. Which one would you use? If it's nooSMTPD, we
>    loop back to a-
> 
> c- it would not be nice to OpenBSD / OpenSMTPD developers and we are on
>    good terms so I have no reason to put them in an uncomfortable
>    situation with a fork.
> 
> d- I'd rather write code in Golang these days when possible :-p

Same here, though Rust is even better in some cases.  Go is definitely
a much better choice than C when it comes to writing network servers,
not least because of security.

Do you by any chance have the golang code you are using anywhere?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)



Is nooSMTPD available anywhere?

2022-06-23 Thread Demi Marie Obenour
Is nooSMTPD available anywhere?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)



Re: EMails to "ORCPT=rfc822;u...@example.com" are rejected

2022-05-30 Thread Demi Marie Obenour
On 5/30/22 12:30, opensmtpd.open...@xpoundit.com wrote:
> Hi Harri,
> 
> we had issues with e-mails containing ORCPT as well and fixed the
> rejection with a patch. Originally, we created the patch when 6.7 was
> out and applied it to the version of OpenSMTPD available in the FreeBSD
> ports.
> 
> As of today, OpenSMTPD 6.8 is available in the FreeBSD ports system.
> The attached patches can be applied to this version (if you are on
> FreeBSD, just put them into ports/mail/opensmtpd/files).
> 
> If needed, I can massage the patches so they can be applied against the
> OpenBSD base as well, where OpenSMTPD resides in nowadays (we mainly
> use it on FreeBSD). I did not do this yet, since I wanted to provide a
> quick answer.
> 
> In our case, the above mentioned groupware introduced characters in the
> ORCPT field (colons.., 0x3a), that led smtp_tx_rcpt_to()
> (usr.sbin/smtpd/smtp_session.c) to return with "553 ORCPT address
> syntax error".
> 
> RFC3461 led us to the solution we are using today.
> 
> In section 4.2 [1], the ABNF of ORCPT is defined as:
> 
>> orcpt-parameter = "ORCPT=" original-recipient-address
>>   original-recipient-address = addr-type ";" xtext
>>   addr-type = atom
> 
> The log you see is:
> 
>> May 27 08:42:30 mymta smtpd[10310]: f06a752b657b4a05 smtp failed-
>> command command="RCPT TO:
>> ORCPT=rfc822;u...@example.com" result="550 Invalid recipient:
>> "
> 
> According to the ABNF of ORCPT, everything after addr-type ";"
> ("rfc822;" in your case) is supposed to be xtext, which is described a
> bit earlier in the introductory part of section 4 [2].
> 
>> xtext = *( xchar / hexchar )
>>
>> xchar = any ASCII CHAR between "!" (33) and "~" (126) inclusive,
>> except for "+" and "=".
>>
>> ; "hexchar"s are intended to encode octets that cannot appear
>> ; as ASCII characters within an esmtp-value.
>>
>> hexchar = ASCII "+" immediately followed by two upper case
>>   hexadecimal digits
> 
> smtp_tx_rcpt_to() in usr.sbin/smtpd/smtp_session.c tries to convert the
> text of the ORCPT DSN into an e-mail address and wants to check the
> validity of the local and the domain part. We replaced this check, are
> validating the xtext portion as specified above and are replying with a
> more precise error message if this check fails:
> 
>  if (strncasecmp(opt, "rfc822;", 7) == 0)
>  opt += 7;
> 
> -if (!text_to_mailaddr(>evp.dsn_orcpt, opt) ||
> -!valid_localpart(tx->evp.dsn_orcpt.user) ||
> -(strlen(tx->evp.dsn_orcpt.domain) != 0 &&
> - !valid_domainpart(tx->evp.dsn_orcpt.domain))) {
> +if (!valid_xtext(opt)) {
>  smtp_reply(tx->session,
> -"553 ORCPT address syntax error");
> +"553 ORCPT xtext syntax error");
>  return;
>  }
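
Review bot: The removed text_to_mailaddr() call on tx->evp.dsn_orcpt was the only statement in this block that filled that field, and the replacement `if (!valid_xtext(opt)) {` validates opt without storing it anywhere. Copy the accepted value in this branch, or confirm that nothing later reads tx->evp.dsn_orcpt. The check also only strips a leading "rfc822;"; for any other addr-type the prefix and its ";" reach valid_xtext() as if they were xtext, so splitting on the first ";" and checking the addr-type separately would follow the quoted ABNF more closely.
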
> 
> 
> In usr.sbin/smtpd/util.c we added valid_xtext():
> 
> +int
> +valid_xtext(const char *s)
> +{
> +while (*s != '\0') {
> +if(*s == '\x2b' || *s == '\x3d') {
> +return 0;
> +} else if(*s <= '\x21' || *s >= '\x7e') {
> +return 0;
> +} else {
> +s++;
> +continue;
> +}
> +return 0;
> +}
> +return 1;
> +}
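
Review bot: The range test `*s <= '\x21' || *s >= '\x7e'` rejects "!" (33) and "~" (126), which the quoted xchar definition includes; it should read `*s < '\x21' || *s > '\x7e'`. The first branch returns 0 for every '\x2b', so a well-formed hexchar ("+" followed by two upper-case hexadecimal digits) is refused; accept "+" when the next two characters are upper-case hex digits and reject it otherwise. The `return 0;` after the if/else chain inside the loop is unreachable and the `continue;` is redundant, so both can go.
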
> 
> I hope this helps to narrow down your issue a bit. What kind of non-e-
> mailish characters do you see in the ORCPT?
> 
> In our case, the xtext portion of the ORCPT quite often contained valid
> e-mail addresses, but sometimes, it did not. As far as we understood
> the RFCs, xtext does not necessarily need to be an e-mail address. This
> is why we decided to replace the original check. The above mentioned
> groupware used colons as field separators inside the xtext portion to
> keep track of the communication belonging to certain thread or, well,
> recipients.
> 
> What do the others think of the way we are handling the ORCPT?

This patch does not consider the case of hexchars in ORCPT.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
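
The xtext grammar quoted in the message above, with hexchar handled, as an added example that is not part of the thread and is not OpenSMTPD code. The names `hexval` and `xtext_decode` are hypothetical, and the sample input in `main` is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSMTPD code. Value of one upper-case hex digit, or -1. */
static int
hexval(unsigned char c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;	/* hexchar permits upper-case digits only */
}

/*
 * Validate and decode RFC 3461 xtext (xchar / hexchar, as quoted above).
 * Returns the decoded length, or -1 on a syntax error or a full buffer.
 */
int
xtext_decode(const char *s, unsigned char *out, size_t outlen)
{
	size_t n = 0;
	int hi, lo;
	while (*s != '\0') {
		unsigned char c = (unsigned char)*s;
		if (n >= outlen)
			return -1;
		if (c == '+') {		/* hexchar: "+" HEX HEX */
			if ((hi = hexval((unsigned char)s[1])) < 0 ||
			    (lo = hexval((unsigned char)s[2])) < 0)
				return -1;
			out[n++] = (unsigned char)((hi << 4) | lo);
			s += 3;
		} else if (c >= '!' && c <= '~' && c != '=') {
			out[n++] = c;	/* xchar, "!" and "~" included */
			s++;
		} else
			return -1;	/* space, control, 8-bit or bare "=" */
	}
	return (int)n;
}

int main(void)
{
	unsigned char buf[64];	/* constructed sample: colons and an encoded "+" */
	int n = xtext_decode("thread:42:user+2Btag@example.com", buf, sizeof(buf));
	printf("%d %.*s\n", n, n > 0 ? n : 0, (const char *)buf);
	return n < 0;
}
```

The decoded bytes are not NUL-terminated and may contain any octet, so a caller should treat them as opaque data with the returned length.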



Re: Why does OpenSMTPD not support pipelining?

2022-05-03 Thread Demi Marie Obenour
On 5/3/22 08:00, gil...@poolp.org wrote:
> May 3, 2022 12:14 PM, "Demi Marie Obenour"  wrote:
> 
>> Why does OpenSMTPD not support pipelining? Was it just never
>> implemented, or is it a spam prevention feature?
>>
> 
> There were multiple reasons but it most generally boiled down to:
> 
> It's not worth the effort.
> 
> Adding support for pipelining wouldn't be that hard, instead of reading lines
> and passing them to the command dispatcher, all you'd have to do is pass them
> to a FIFO and have the command dispatcher read from that FIFO.
> 
> As you can see, it's not really a technical issue or limitation, just that we
> didn't think the benefits of pipelining would be worth it when the protocol's
> transactional and causing commands to be serialised by design (cancelling the
> transport pipelining gains in handling time) and when we live at an era where
> MTA implement artificial limits to avoid blasting other ends because they are
> already capable of being "too fast".

Would pipelining provide any benefits for submissions/smtps on port 465?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)



Why does OpenSMTPD not support pipelining?

2022-05-03 Thread Demi Marie Obenour
Why does OpenSMTPD not support pipelining?  Was it just never
implemented, or is it a spam prevention feature?

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)



Re: Encryption for OpenSMTPD on VPS

2022-04-02 Thread Demi Marie Obenour
On 4/2/22 20:11, Josey Smith wrote:
> Hello,
> 
> I'm currently setting up a somewhat unique personal email server. I
> have a local server (Raspberry Pi) and a remote server (VPS running
> OpenBSD). Emails are sent to the remote server and are then relayed to
> my local server. When I send an email it goes from my local server to
> the remote server, and is then relayed to its recipient. Mostly I've
> got it all working how I want it to.
> 
> While I'm aware that nothing stored on a VPS (even momentarily) is
> completely safe, I'd like to make my remote email server as secure as
> possible from prying eyes (for example if my VPS host or a hacker made
> a snapshot of my server for maleficent purposes).

If you can’t trust your hosting provider, get a different one.

> Most of the time messages should only be on my remote server for a
> matter of seconds at most before being sent to my local server, but if
> my local network is down they could remain there much longer. Also as
> the queue is written to disk someone could recover old messages from
> deleted queues.
> 
> The three areas I'm looking at so far are:
> 
> 1) OpenSMTPD queue encryption
> This is a good step, but presumably the key is stored in memory, so
> could be retrieved from a snapshot of the server. Maybe I could
> automate the key to change from time to time?

Maybe?  Be sure you don’t lose all of your existing messages in the queue.

> 2) OpenBSD disk encryption
> I read in a forum post that OpenBSD disk encryption only stores a part
> of the key in memory at any one time. I can't find anywhere else that
> says this, and I can't work out how that'd be possible.
> 
> 3) GPG message encryption
> I could in theory set up something that takes inward messages out of
> the queue (before they are written to disk), encrypts them with my
> public key, and then enters them back into the queue. But for most
> outward messages GPG encryption won't be an option.

That’s your best option for inbound stuff.  That said, email isn’t
your best option for security.  Use something with proper end-to-end
encryption and forward secrecy, such as Signal, Wire, Keybase, or
Matrix.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)



Re: Validating certificate chain of SMTP TLS connections using privately-issued CA certs

2022-03-15 Thread Demi Marie Obenour
On 3/15/22 19:16, Thomas Bohl wrote:
> 
>>> IIUC the client server needs the CA Certificate that was used to
>>> generate the SMTP-server Certificate in its /etc/ssl/cert.pem (on
>>> OpenBSD).
>>
>> Thanks. I did try this but it's still not working out.
>>
> 
>> Download the server certificate and append it to our /etc/ssl/certs.pem
>>
>> client# scp relay-server:/etc/ssl/server.crt /tmp/
>> client# file /tmp/server.crt
>> /tmp/server.crt: PEM certificate
>> client# cat /tmp/server.crt >> /etc/ssl/certs.pem
> 
> Not the cert of the server but, like he said, the CACert.pem
> 
> (And now you have to do that every time you update the system. Just go 
> with free "ACME certificate".)

OpenSMTPD should provide a way to specify the CA bundle used to validate
an individual connection.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)



Re: restart necessary on certificate upgrade (letsencrypt)?

2022-01-09 Thread Demi Marie Obenour
On 1/9/22 05:33, Rodolphe Bréard wrote:
> You have to restart it.
> 
> In fact, I don't know any server that watches those files in order to 
> reload them. As far as I know, most servers start as root, load the 
> private key and the certificate into memory, then switch to an 
> unprivileged user which cannot read those files. Such a workflow doesn't 
> allow the feature you are asking for unless your certificate and key 
> file are widely accessible, which is so obviously insecure that some 
> servers (OpenSMTPD is one of them) will refuse to start.

OpenSMTPD could actually implement this feature, since the parent process
runs as root and can access the secret key.  It could then send the key
to the correct child process via an imsg.  An alternative would be for
smtpctl to support sending the secret key and certificate via the control
socket.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)



Re: relays - port configuration

2021-04-23 Thread Demi Marie Obenour
On 4/23/21 3:11 AM, Sean Kamath wrote:
>> On Apr 22, 2021, at 13:01, ED Fochler  wrote:
>>
>> No.
>>
>> You're only trying to send mail.  Your ISP is only trying to stop you from 
>> sending mail.
>>
>> Mail delivery is meant to be very well defined and easy to identify.  If
>> your ISP is blocking connections to port 25 then they are blocking all
>> mail, spam and otherwise.  The solution is to set up a mail server on a
>> network that allows mail.  This can be a $5/mo cloud server.  You can then
>> 'submit' mail to your mail server using other ports, but the mail server
>> will talk to other mail servers on standard ports, primarily port 25.
> 
> So, I actually have this same problem.
> 
> I do have a VPS, which is my mail server (and have no problems sending mail,
> such as this one, using my MUA to connect to the VPS-based MTA).  I
> have about 8 little PCEngines Alix and APU devices, all sitting at home, with
> an ISP that blocks port 25 (and lord do I wish I had the option for another
> ISP).  They all run OpenBSD/OpenSMTP.
> 
> The problem I’ve run into is I’m not sure how to use the submission port to 
> “submit” mail to my mail server.  Since I have the cron emails being sent, 
> how do I get those routed to the VPS?  How do I get basically all the emails 
> for a couple of users forwarded to the VPS without, you know, relaying mail?
> 
> Do I set up an account on the VPS, and tell SMTPD to relay all mail to my 
> domain to that submission port?  That sounds like relaying, and, as stated 
> elsewhere in this thread, "Emails must be relayed on port 25."
> 
> Back in the before-times, I used sendmail’s concept of a smarthost, and just 
> pointed it at that host, and could also tell it what port to connect on.

OpenSMTPD has full smarthost support.  Use smtps://your.host:port or
smtp+tls://your.host:port.  OpenSMTPD also supports authenticating this
connection, which your mail server should be requiring.

Demi


