Log explanation

2023-10-26 Thread Mik J
Hello,
Does anyone know where I could find an explanation of the different fields in 
the logs
example:
34e21ed2c47fe7e3 mta delivery evpid=9765e121d002d97d 
from= to= rcpt=<-> 
source="10.1.2.2" relay="66.102.1.27 (wb-in-f27.1e100.net)" delay=1s 
result="Ok" stat="250 2.0.0 OK  1698365590 
i10-20020a05600c354a00b003fefa764302si226827wmq.9 - gsmtp"
What is 34e21ed2c47fe7e3
What is 2.0.0
and so on
Regards


How to bypass rdns filter

2023-06-20 Thread Mik J
Hello,
I have this filter configured
filter check_rdns phase connect match !rdns disconnect "550 no rDNS is so 80s"

It works however all my servers on my LAN that do not have a reverse DNS entry 
match it.
I would like this rule to be valid except for 192.168.1.0/24
Is it possible ?


Re: How to write the rule to avoid spam

2023-04-05 Thread Mik J
 Hello Thomas,
Thank you for your answer. However it doesn't work because "from domain..." is 
an invalid syntax

On Wednesday, 5 April 2023 at 11:33:09 UTC+2, Thomas Bohl wrote:
 
 Hello,

> So I would tend to write a rule such as
> match ! from domain  for domain  action TO-CLAM_SMTPD_IN
> Considering that users that write from mydomain2.org to mydomain1.org 
> match the first rule since they are local or authenticated or coming 
> from one of the known IPs.
> But this rule is not correct

Hm, maybe like this (untested):
match !auth from domain  for domain  reject

(Remember, first match wins. So it should be before
match from any for domain  action TO-CLAM_SMTPD_IN)

  

How to write the rule to avoid spam

2023-04-04 Thread Mik J
Hello,
Sometimes I'm getting spam because I have a weakness in my configuration
At the moment I have
action TO-CLAM_SMTPD_IN relay host smtp://127.0.0.1:10027
match from src  for domain  action TO-CLAM_SMTPD_IN
match from any for domain  action TO-CLAM_SMTPD_IN
The table clients is a file that contains IPs including 127.0.0.1, the table 
domaines is a list of domains that I host on my mail server

My problem is that a spammer is able to send mails to me when it uses a domain 
that I host.
For example, the file domaines contains mydomain1.org and mydomain2.org
The spammer does
ehlo emtp
mail from: 
rcpt to: 
data
subject: This is a spam
Spamspamspam
.

So I would tend to write a rule such as
match ! from domain  for domain  action TO-CLAM_SMTPD_IN
Considering that users that write from mydomain2.org to mydomain1.org match 
the first rule since they are local or authenticated or coming from one of 
the known IPs.
But this rule is not correct

Thank you


Re: Mails sent in IPv4 while I expect IPv6

2023-03-20 Thread Mik J
 
Hello Tobias,
> Did you try reloading the report page?
I went on the report page again today and it seems to me that I have a better 
score, 8. When I was trying to set up my myserver and DNS I sometimes had a 
score of 4 even after improvements. So yes it seems that, we should not go too 
fast on the report page otherwise some results may show problematic whereas 
they're not.
Once again great work

On Sunday, 19 March 2023 at 15:37:06 UTC+1, Tobias Fiebig wrote:
 
 Heho,
> - In DMARC Report Deliverability, it's written "To authorize this
> RUA, add the following DMARC DNS record:", first it was not obvious
> to me in which zone I have to add the record, maybe you can write "To
> authorize this RUA, add the following DMARC DNS record in zone
> xyz.org:"
> I guessed it when i read the record
> mydomain.fr._report._dmarc.mydomain.com. IN TXT "v=DMARC1;"
> but it was not 100% obvious, because there was mydomain with
> different extensions
Good point; I will put that on the todo.


> - Transport Encryption "Your email provider/server does not support
> transport encryption. I don't get what I'm doing wrong and what I
> have to do

What may also be the case is that the mail has not yet arrived (the
base-tls-support mail has to have arrived for the other TLS mails to be
evaluated).

Did you try reloading the report page?

With best regards,
Tobias


  

Re: Mails sent in IPv4 while I expect IPv6

2023-03-18 Thread Mik J
 Hello Tobias,
This tool is a great work thank you. I had tested it a few days/weeks ago but I 
used it again today. I worked things to improve my score (signed the ipv6 
reverse zone, added the ipv6 rdns for my mail server).
Notes:
- In DMARC Report Deliverability, it's written "To authorize this RUA, add the 
following DMARC DNS record:", first it was not obvious to me in which zone I 
have to add the record, maybe you can write "To authorize this RUA, add the 
following DMARC DNS record in zone xyz.org:"
I guessed it when i read the record
mydomain.fr._report._dmarc.mydomain.com. IN TXT "v=DMARC1;"
but it was not 100% obvious, because there was mydomain with different 
extensions
- Transport Encryption "Your email provider/server does not support transport 
encryption."
I don't get what I'm doing wrong and what I have to do
Here are my logs 
 Mar 18 21:10:21 expevelimx711 smtpd[13199]: b0635ce3c4e1801b mta cert-check 
result="unverified" 
fingerprint="SHA256:38fedffc1f423e85e80bb05d5d4f0570537df597fafee22f6bb6f006edf37bfd"
Mar 18 21:10:21 expevelimx711 smtpd[13199]: b0635ce14999d44a mta delivery 
evpid=aa099001e75945c4 from= 
to= rcpt=<-> 
source="10.1.2.3" relay="195.191.197.82 
(tlsv13.measurement.email-security-scans.org)" delay=2s result="Ok" stat="250 
2.0.0 Ok: queued as B50E63F4DA"
Mar 18 21:10:22 expevelimx711 smtpd[13199]: b0635ce0c27e897e mta delivery 
evpid=aa0990012b099f8b from= 
to= 
rcpt=<-> source="10.1.2.3" relay="195.191.197.86 
(mail.measurement.email-security-scans.org)" delay=3s result="Ok" stat="250 
2.0.0 Ok: queued as 1339C3F4EF"
Mar 18 21:10:22 expevelimx711 smtpd[13199]: b0635ce3c4e1801b mta delivery 
evpid=aa099001ff0c1fff from= 
to= 
rcpt=<-> source="10.1.2.3" relay="195.191.197.87 
(medium-force-tls.measurement.email-security-scans.org)" delay=3s result="Ok" 
stat="250 2.0.0 Ok: queued as 43FE63F503"
Mar 18 21:10:23 expevelimx711 smtpd[13199]: b0635cde85c7359e mta tls 
ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Mar 18 21:10:23 expevelimx711 smtpd[13199]: b0635cde85c7359e mta cert-check 
result="unverified" 
fingerprint="SHA256:04ec5a1f21afe4638022284447af2d8906933e28a6c5180da7557a3efcc3a145"
Mar 18 21:10:24 expevelimx711 smtpd[13199]: b0635c966b5f7eb3 smtp disconnected 
reason=quit
Mar 18 21:10:24 expevelimx711 smtpd[13199]: b0635c9538e2ec2c mta disconnected 
reason=quit messages=1
Mar 18 21:10:24 expevelimx711 smtpd[13199]: b0635cde85c7359e mta delivery 
evpid=aa0990011e39465d from= 
to= rcpt=<-> 
source="[fa12:cafe:eff::3]" relay="[2a06:d1c0:dead:3::89] 
(tls-force.measurement.email-security-scans.org)" delay=5s result="Ok" 
stat="250 2.0.0 Ok: queued as 7B9DA3F4F8"

After a few hours I found what was the problem with my original question: I had 
pf running on my system hosting opensmtpd
When I wrote the pf rules, I didn't do anything regarding IPv6.

Thank you very much

Regards




On Friday, 17 March 2023 at 14:51:58 UTC+1, 
tob...@reads-this-mailinglist.com wrote: 
 
 
 Heho,

Just a followup as this is live now; You can also start a test at 
https://email-security-scans.org/ ; 

If you select 'store received mails' you can download the messages we got from 
you (on various MX configured to have v4 only/v6 only/dual-stack) and check how 
they were delivered by the delivered-to headers (v4/v6).

With best regards,
Tobias
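
An added example, not part of the thread: one way to read the smtpd log lines quoted in the message above. It joins each outbound "mta delivery" line to the "mta tls" and "mta cert-check" lines of the same session (the leading 16-hex token) and reports the address family of the relay, skipping loopback hops to local filters. The function names are hypothetical and the sample lines are the thread's wrapped log lines rejoined.

```python
import ipaddress
import re

# Optional syslog prefix, then: <16-hex session id> <subsystem> <event> key=value ...
LINE_RE = re.compile(
    r"(?:^|\s)(?P<session>[0-9a-f]{16}) (?P<subsystem>[a-z]+) "
    r"(?P<event>[a-z-]+)(?P<rest>(?: .*)?)$"
)
# A value is either double-quoted (may contain spaces) or a run of non-spaces.
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')
# relay="195.191.197.82 (host)" or relay="[2a06:...] (host)"
RELAY_RE = re.compile(r"^\[?(?P<ip>[0-9A-Fa-f:.]+)\]?(?: \((?P<host>[^)]*)\))?$")

# Sample input: log lines from the thread, rejoined onto single lines.
SAMPLE_LOG = """
Mar 18 21:10:21 expevelimx711 smtpd[13199]: b0635ce3c4e1801b mta cert-check result="unverified" fingerprint="SHA256:38fedffc1f423e85e80bb05d5d4f0570537df597fafee22f6bb6f006edf37bfd"
Mar 18 21:10:21 expevelimx711 smtpd[13199]: b0635ce14999d44a mta delivery evpid=aa099001e75945c4 from= to= rcpt=<-> source="10.1.2.3" relay="195.191.197.82 (tlsv13.measurement.email-security-scans.org)" delay=2s result="Ok" stat="250 2.0.0 Ok: queued as B50E63F4DA"
Mar 18 21:10:22 expevelimx711 smtpd[13199]: b0635ce3c4e1801b mta delivery evpid=aa099001ff0c1fff from= to= rcpt=<-> source="10.1.2.3" relay="195.191.197.87 (medium-force-tls.measurement.email-security-scans.org)" delay=3s result="Ok" stat="250 2.0.0 Ok: queued as 43FE63F503"
Mar 18 21:10:23 expevelimx711 smtpd[13199]: b0635cde85c7359e mta tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Mar 18 21:10:23 expevelimx711 smtpd[13199]: b0635cde85c7359e mta cert-check result="unverified" fingerprint="SHA256:04ec5a1f21afe4638022284447af2d8906933e28a6c5180da7557a3efcc3a145"
Mar 18 21:10:24 expevelimx711 smtpd[13199]: b0635c966b5f7eb3 smtp disconnected reason=quit
Mar 18 21:10:24 expevelimx711 smtpd[13199]: b0635cde85c7359e mta delivery evpid=aa0990011e39465d from= to= rcpt=<-> source="[fa12:cafe:eff::3]" relay="[2a06:d1c0:dead:3::89] (tls-force.measurement.email-security-scans.org)" delay=5s result="Ok" stat="250 2.0.0 Ok: queued as 7B9DA3F4F8"
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017af9e152f41 mta delivery evpid=da09c4a09c71da8f from= to= rcpt=<-> source="127.0.0.1" relay="127.0.0.1 (localhost)" delay=5s result="Ok" stat="250 2.0.0 9e291457 Message accepted for delivery"
"""


def parse_line(line):
    """Split one smtpd log line into session, subsystem, event and a field dict."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None  # not an smtpd session line (e.g. clamsmtpd, dkimproxy)
    rec = m.groupdict()
    rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(rec.pop("rest"))}
    return rec


def split_relay(relay):
    """Return (ip_address object, reverse name) from a relay="..." value."""
    m = RELAY_RE.match(relay)
    if m is None:
        return None, None
    try:
        return ipaddress.ip_address(m.group("ip")), m.group("host")
    except ValueError:
        return None, None


def external_deliveries(lines):
    """One row per non-loopback delivery, with the session's TLS state attached."""
    tls, cert, report = {}, {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["subsystem"] != "mta":
            continue
        sid, fields = rec["session"], rec["fields"]
        if rec["event"] == "tls":
            tls[sid] = fields.get("ciphers")
        elif rec["event"] == "cert-check":
            cert[sid] = fields.get("result")
        elif rec["event"] == "delivery":
            ip, host = split_relay(fields.get("relay", ""))
            if ip is None or ip.is_loopback:
                continue  # hop to a local filter, not an Internet delivery
            report.append({
                "evpid": fields.get("evpid"),
                "family": "IPv%d" % ip.version,
                "relay": host,
                "result": fields.get("result"),
                "tls": tls.get(sid),    # None: no "mta tls" line seen for the session
                "cert": cert.get(sid),  # None: no "mta cert-check" line seen
            })
    return report


if __name__ == "__main__":
    for row in external_deliveries(SAMPLE_LOG.splitlines()):
        print(row)
```

A delivery whose "tls" column is empty only means no "mta tls" line for that session was in the input, so feed it the complete log rather than an excerpt before drawing conclusions.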


  

Re: Mails sent in IPv4 while I expect IPv6

2023-03-16 Thread Mik J
 Hello,
Sorry to ask the question again but are your mails transmitted in IPv6 ?
Does opensmtpd favor IPv6 over IPv4 when it has the choice ?
Regards

On Thursday, 12 January 2023 at 02:35:41 UTC+1, Mik J wrote:
 
  
Hello John, Tobias,
Thank you for your answers.
I was not favoring the DNS.
* On my mail server
# dig google.fr mx

; <<>> dig 9.10.8-P1 <<>> google.fr mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1014
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.fr. IN  MX

;; ANSWER SECTION:
google.fr.  300 IN  MX  0 smtp.google.com.

;; ADDITIONAL SECTION:
smtp.google.com.    278 IN      2a00:1450:400c:c02::1a
smtp.google.com.    278 IN      2a00:1450:400c:c07::1b
smtp.google.com.    278 IN      2a00:1450:400c:c08::1a
smtp.google.com.    278 IN      2a00:1450:400c:c08::1b



# dig smtp.google.com 

; <<>> dig 9.10.8-P1 <<>> smtp.google.com 
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9990
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;smtp.google.com.   IN  

;; ANSWER SECTION:
smtp.google.com.    300 IN      2a00:1450:400c:c07::1b
smtp.google.com.    300 IN      2a00:1450:400c:c02::1a
smtp.google.com.    300 IN      2a00:1450:400c:c08::1b
smtp.google.com.    300 IN      2a00:1450:400c:c08::1a



Then on my DNS I log the queries
11-Jan-2023 22:48:01.846 client @0xf4ff7212d0 10.mailserverIP#40443 (gmail.com): query: gmail.com IN MX + (10.dnserverIP)
11-Jan-2023 22:48:01.854 client @0xf4ff7212d0 10.mailserverIP #32810 (alt2.gmail-smtp-in.l.google.com): query: alt2.gmail-smtp-in.l.google.com IN A + (10.dnserverIP)
11-Jan-2023 22:48:01.854 client @0xf571e5f2d0 10.mailserverIP #17570 (gmail-smtp-in.l.google.com): query: gmail-smtp-in.l.google.com IN A + (10.dnserverIP)
11-Jan-2023 22:48:01.855 client @0xf4a58892d0 10.mailserverIP #14392 (alt1.gmail-smtp-in.l.google.com): query: alt1.gmail-smtp-in.l.google.com IN A + (10.dnserverIP)
11-Jan-2023 22:48:01.855 client @0xf5223412d0 10.mailserverIP #31444 (alt4.gmail-smtp-in.l.google.com): query: alt4.gmail-smtp-in.l.google.com IN A + (10.dnserverIP)
11-Jan-2023 22:48:01.856 client @0xf4df0972d0 10.mailserverIP #1669 (alt3.gmail-smtp-in.l.google.com): query: alt3.gmail-smtp-in.l.google.com IN A + (10.dnserverIP)
11-Jan-2023 22:48:01.869 client @0xf571e5f2d0 10.mailserverIP #10862 (gmail-smtp-in.l.google.com): query: gmail-smtp-in.l.google.com IN  + (10.dnserverIP)
11-Jan-2023 22:48:01.876 client @0xf5223412d0 10.mailserverIP #11052 (alt2.gmail-smtp-in.l.google.com): query: alt2.gmail-smtp-in.l.google.com IN  + (10.dnserverIP)
11-Jan-2023 22:48:01.877 client @0xf4a58892d0 10.mailserverIP #31097 (alt1.gmail-smtp-in.l.google.com): query: alt1.gmail-smtp-in.l.google.com IN  + (10.dnserverIP)
11-Jan-2023 22:48:01.877 client @0xf4ff7212d0 10.mailserverIP #15242 (alt4.gmail-smtp-in.l.google.com): query: alt4.gmail-smtp-in.l.google.com IN  + (10.dnserverIP)
11-Jan-2023 22:48:01.878 client @0xf5336c82d0 10.mailserverIP #1836 (alt3.gmail-smtp-in.l.google.com): query: alt3.gmail-smtp-in.l.google.com IN  + (10.dnserverIP)

On my mail server logs I can see that IPv6 is not used
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017a91b90aff8 smtp connected 
address=127.0.0.1 host=localhost
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017a91b90aff8 smtp message 
msgid=d1edf87d size=1104 nrcpt=1 proto=ESMTP
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017a91b90aff8 smtp envelope 
evpid=d1edf87d4087c230 from= to=
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017a91b90aff8 smtp disconnected 
reason=quit
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017ac667d462b mta connecting 
address=smtp://127.0.0.1:10025 host=localhost
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017ac667d462b mta connected
Jan 11 22:47:56 mailserver clamsmtpd: 100181: accepted connection from: 
127.0.0.1
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017ada88be21f smtp connected 
address=127.0.0.1 host=localhost
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017ada88be21f smtp message 
msgid=da09c4a0 size=1339 nrcpt=1 proto=ESMTP
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017ada88be21f smtp envelope 
evpid=da09c4a09c71da8f from= to=
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017ac667d462b mta delivery 
evpid=d1edf87d4087c230 from= to= 
rcpt=<-> source="127.0.0.1" relay="127.0.0.1 (localhost)" delay=0s result="Ok" 
stat="250 2.0.0 da09c4a0 Message accepted for deliv

Re: Mails sent in IPv4 while I expect IPv6

2023-01-11 Thread Mik J
ost=localhost
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017af9e152f41 mta connected
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017b0b9b5ff23 smtp connected 
address=127.0.0.1 host=localhost
Jan 11 22:48:01 mailserver dkimproxy.out[53636]: DKIM signing - signed; 
message-id=<05793887b3def150dcc2054d56510...@mydomain.org>, 
signer=, from=
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017b0b9b5ff23 smtp message 
msgid=9e291457 size=2269 nrcpt=1 proto=ESMTP
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017b0b9b5ff23 smtp envelope 
evpid=9e29145712d79b97 from= to=
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017af9e152f41 mta delivery 
evpid=da09c4a09c71da8f from= to= 
rcpt=<-> source="127.0.0.1" relay="127.0.0.1 (localhost)" delay=5s result="Ok" 
stat="250 2.0.0 9e291457 Message accepted for delivery"
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017b3991746f4 mta connecting 
address=smtp://64.233.184.27:25 host=wa-in-f27.1e100.net
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017b3991746f4 mta connected
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017b3991746f4 mta tls 
ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017b3991746f4 mta cert-check 
result="unverified" 
fingerprint="SHA256:c52373769af03068082fccc8a93a45de2aef4ad6d6e279020dfc73b7373d720c"
Jan 11 22:48:02 mailserver smtpd[20101]: 3c9017b3991746f4 mta delivery 
evpid=9e29145712d79b97 from= to= 
rcpt=<-> source="10.mailserverIP" relay="64.233.184.27 (wa-in-f27.1e100.net)" 
delay=1s result="Ok" stat="250 2.0.0 OK  1673473682 
i22-20020a05600c355600b003cf484ba59dsi18528521wmq.122 - gsmtp"
Jan 11 22:48:06 mailserver smtpd[20101]: 3c9017ada88be21f smtp disconnected 
reason=quit

The last rules in my configuration are
action VERS-DKIM_OUT relay host smtp://127.0.0.1:10029
match from local tag CLAM_OUT for any action VERS-DKIM_OUT

action RELAIE relay
match from local tag DKIM_SIGNE for any action RELAIE

Does opensmtpd favor IPv6 over IPv4 or does it favor IPv4 ?
Regards


On Wednesday, 11 January 2023 at 20:11:47 UTC+1, John Batteen wrote:
 
  
When I've run into this before, it was DNS.  My resolver needed to be 
configured to default to ipv6 responses.  Not sure that will fix your issue but 
it's a place to look.
 
 
Good luck,
 
John
 

 On 1/10/2023 8:20 PM, Mik J wrote:
  
 
 Hello, 
  My server has an IPv6 address and is able to contact gmail mail server
 $ telnet 2a00:1450:400c:c0a::1a 25
 Trying 2a00:1450:400c:c0a::1a...
 Connected to 2a00:1450:400c:c0a::1a.
 Escape character is '^]'.
 220 mx.google.com ESMTP q7-20020a05600c46c700b003d9f3cf68d3si5203102wmo.92 - 
gsmtp
 
  I relay using this rule
 action RELAIE relay
 match from local tag DKIM_SIGNE for any action RELAIE
 
  But when I look at my logs, the mails are sent over IPv4
 smtpd[30274]: 79ebd464bef0b2e0 mta delivery evpid=d2651839f3f0795f from= 
to= rcpt=<-> source="10.1.2.2" relay="142.251.5.27 
(wg-in-f27.1e100.net)" delay=1s result="Ok" stat="250 2.0.0 OK  1673402672 
g14-20020adfa48e00b00285261d0e19si12019405wrb.385 - gsmtp"
  
  Any idea why this would happen ? 
  version: OpenSMTPD 7.0.0 

  

Mails sent in IPv4 while I expect IPv6

2023-01-10 Thread Mik J
Hello,
My server has an IPv6 address and is able to contact gmail mail server
$ telnet 2a00:1450:400c:c0a::1a 25
Trying 2a00:1450:400c:c0a::1a...
Connected to 2a00:1450:400c:c0a::1a.
Escape character is '^]'.
220 mx.google.com ESMTP q7-20020a05600c46c700b003d9f3cf68d3si5203102wmo.92 - 
gsmtp

I relay using this rule
action RELAIE relay
match from local tag DKIM_SIGNE for any action RELAIE

But when I look at my logs, the mails are sent over IPv4
smtpd[30274]: 79ebd464bef0b2e0 mta delivery evpid=d2651839f3f0795f from= 
to= rcpt=<-> source="10.1.2.2" relay="142.251.5.27 
(wg-in-f27.1e100.net)" delay=1s result="Ok" stat="250 2.0.0 OK  1673402672 
g14-20020adfa48e00b00285261d0e19si12019405wrb.385 - gsmtp"

Any idea why this would happen ?
version: OpenSMTPD 7.0.0



Re: Redirect queue to another smtp

2022-09-21 Thread Mik J
 Hello Maksim, Marcus, thank you for your answers.

On Sunday, 14 August 2022 at 21:02:27 UTC+2, Marcus MERIGHI wrote:
 
 Hello Mik, 

mikyde...@yahoo.fr (Mik J), 2022.08.14 (Sun) 05:14 (CEST):
> I have received some mails on my "SMTP2" which is misconfigured and
> mails are stuck in the queue. They look like that
> 25eed6a533daaed1|inet4|mda||cxxx@gmail.com|m...@e.xxx|m...@e.xxx|1660443800|1660443800|0|17|pending|181|"mail.maildir:
> No such file or directory"
> Is there a way to resend them to "SMTP1" ?
> I have tried to add rules such as
> action TO-SMTP1 relay host smtp://10.1.2.2:25
> match mail-from " cxxx@gmail.com" for any action TO-SMTP1
> Or even
> action TO-SMTP1 relay host smtp://10.1.2.2:25
> match from any for any action TO-SMTP1

$ doas find /var/spool/smtpd/ -type f
        /var/spool/smtpd/queue/6e/6e800d91/6e800d911b1d350c
        /var/spool/smtpd/queue/6e/6e800d91/message

"message" is, hum, the message. "6e800d911b1d350c" is the control data
of OpenSMTPd: 

$ doas cat /var/spool/smtpd/queue/6e/6e800d91/6e800d911b1d350c
version: 3
dispatcher: outbound    # <= the "action" that was applied
type: mta
smtpname: fifi.foo.bar
helo: localhost
hostname: fifi.foo.bar
sockaddr: local
sender: a...@def.gh
rcpt: i...@lmn.op
dest: i...@lmn.op
ctime: 1660479966
last-try: 0
last-bounce: 0
ttl: 0
retry: 0
flags: authenticated
dsn-notify: 0

With this information, look for the smtpd.conf(5) "action" named "outbound"
and change it to do what you want it to do. Restart smtpd(8) afterwards,
delivery according to your new "action" will start shortly.

Marcus
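
An added example, not part of the thread: a reader for the envelope control files shown in the reply above, which lists queued envelopes per "dispatcher" so it is clear which smtpd.conf action each stuck message is bound to. It assumes the directory layout from the find output above (an envelope file named by 16 hex digits inside a directory named after its first 8); the function names are hypothetical and the sample envelope is the one quoted in the reply, without the inline annotation.

```python
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

EVPID_RE = re.compile(r"^[0-9a-f]{16}$")

# Sample input: the control data quoted in the thread (annotation removed).
SAMPLE_ENVELOPE = """\
version: 3
dispatcher: outbound
type: mta
smtpname: fifi.foo.bar
helo: localhost
hostname: fifi.foo.bar
sockaddr: local
sender: a...@def.gh
rcpt: i...@lmn.op
dest: i...@lmn.op
ctime: 1660479966
last-try: 0
last-bounce: 0
ttl: 0
retry: 0
flags: authenticated
dsn-notify: 0
"""


def parse_envelope(text):
    """Parse 'key: value' control data; only the first colon separates the key."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not a 'key: value' line: %r" % line)
        fields[key.strip()] = value.strip()
    return fields


def scan_queue(queue_dir):
    """Yield (evpid, fields) for each envelope file below queue_dir."""
    for dirpath, _dirs, files in os.walk(queue_dir):
        for name in sorted(files):
            # "message" holds the mail itself; envelopes are named by evpid.
            if not EVPID_RE.match(name):
                continue
            if os.path.basename(dirpath) != name[:8]:
                continue  # not in the directory named after its message id
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                yield name, parse_envelope(fh.read())


def by_dispatcher(envelopes):
    """Group envelopes by the action (dispatcher) that will handle them."""
    summary = defaultdict(list)
    for evpid, fields in envelopes:
        queued = datetime.fromtimestamp(int(fields["ctime"]), tz=timezone.utc)
        summary[fields.get("dispatcher", "?")].append(
            (evpid, fields.get("type"), fields.get("rcpt"), queued.isoformat())
        )
    return dict(summary)


if __name__ == "__main__":
    # Build a throwaway copy of the layout from the thread and scan it.
    with tempfile.TemporaryDirectory() as root:
        msgdir = os.path.join(root, "6e", "6e800d91")
        os.makedirs(msgdir)
        with open(os.path.join(msgdir, "6e800d911b1d350c"), "w") as fh:
            fh.write(SAMPLE_ENVELOPE)
        with open(os.path.join(msgdir, "message"), "w") as fh:
            fh.write("Subject: constructed sample\n\nbody\n")
        for name, rows in by_dispatcher(scan_queue(root)).items():
            print(name, rows)
```

On a live system the spool is readable by root only, so point scan_queue at /var/spool/smtpd/queue under doas, as in the commands above.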

  

Redirect queue to another smtp

2022-08-13 Thread Mik J
Hello,
I have received some mails on my "SMTP2" which is misconfigured and mails are 
stuck in the queue. They look like that
25eed6a533daaed1|inet4|mda||cxxx@gmail.com|m...@e.xxx|m...@e.xxx|1660443800|1660443800|0|17|pending|181|"mail.maildir:
 No such file or directory"
Is there a way to resend them to "SMTP1" ?
I have tried to add rules such as
action TO-SMTP1 relay host smtp://10.1.2.2:25
match mail-from " cxxx@gmail.com" for any action TO-SMTP1
Or even
action TO-SMTP1 relay host smtp://10.1.2.2:25
match from any for any action TO-SMTP1

I didn't have any success.

What can we do when mails are stuck in the queue ?



Re: Converting from old format to new format

2020-08-23 Thread Mik J
 Thank you for your answer
I wrote this line as you suggested
action DELIVRE_VIRTUELS maildir 
"/home/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" rcpt-to 
virtual 
But the syntax seems to be incorrect

On Sunday, 23 August 2020 at 11:33:40 UTC+2, Archange wrote:

On 22/08/2020 at 22:23, Mik J wrote:
  
 
In old format I had
accept tagged CLAM_IN for domain  virtual  deliver to maildir 
"/home/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" 
In new format I wrote
action DELIVRE_VIRTUELS maildir 
"/home/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir"
match tag CLAM_IN for domain  rcpt-to  action DELIVRE_VIRTUELS 
The table  points to a file that looks like this
domain1.org 
*.domain2.org 
The table  points to a file that looks like this
i...@domain1.org    myu...@domain1.org
myu...@domain1.org    _vmail
The error message displayed is
/etc/mail/smtpd.conf:64: table "utilisateurs" may not be used for rcpt-to lookups

Your config should read:
action DELIVRE_VIRTUELS maildir 
"/home/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" rcpt-to 
virtual 
match tag CLAM_IN for domain  action DELIVRE_VIRTUELS

Converting from old format to new format

2020-08-22 Thread Mik J
Hello,
I'm trying to convert my old configuration to the new format and I'm missing 
some bits
I used to use the following instruction
expire 4h
I'm not sure how is it known in the new format: queue ttl delay ?
--
limit mta for domain gmail.com inet4
I have no idea about this one
--
In old format I had
accept tagged CLAM_IN for domain  virtual  deliver to maildir 
"/home/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir"
In new format I wrote
action DELIVRE_VIRTUELS maildir 
"/home/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir"
match tag CLAM_IN for domain  rcpt-to  action DELIVRE_VIRTUELS
The table  points to a file that looks like this
domain1.org
*.domain2.org
The table  points to a file that looks like this
i...@domain1.org    myuser@domain1.org
myu...@domain1.org    _vmail
The error message displayed is
/etc/mail/smtpd.conf:64: table "utilisateurs" may not be used for rcpt-to lookups


Do you have any idea ?



Re: Non stop /bsd: smtpctl[51626]: pledge "fattr", syscall 124

2020-01-07 Thread Mik J
 Hello,
Thank you for your answers.
I did nothing except applying the errata patches.
So after reading your emails I recompiled libc
# cd /usr/src/lib/libc && make obj && make && make install
And in the past 15 minutes I have not seen any more messages.
Let's see how it goes

On Tuesday, 7 January 2020 at 17:17:43 UTC+1, Martijn van Duren wrote:
 
 Quite some time I made a change that made smtpctl use tmpfile(3).
Are you kernel, libc and smtpctl all up to date?
(e.g. did you compile smtpctl from source without updating libc)

martijn@

On 1/7/20 5:04 PM, Johannes Krottmayer wrote:
> On 07.01.20 at 07:22,  Mik J wrote:
>> Hello,
>>
>> I keep having these logs in my /var/log/messages do you know what this
>> means ?
>> Jan  7 06:51:01 v /bsd: smtpctl[51626]: pledge "fattr", syscall 124
>> Jan  7 06:52:01 v /bsd: smtpctl[64532]: pledge "fattr", syscall 124
>> Jan  7 06:52:01 v /bsd: smtpctl[13532]: pledge "fattr", syscall 124
>> Jan  7 06:53:01 v /bsd: smtpctl[20480]: pledge "fattr", syscall 124
>> Jan  7 06:53:01 v /bsd: smtpctl[70486]: pledge "fattr", syscall 124
>> Jan  7 06:54:01 v /bsd: smtpctl[88165]: pledge "fattr", syscall 124
>> Jan  7 06:54:01 v /bsd: smtpctl[96175]: pledge "fattr", syscall 124
>> Jan  7 06:55:01 v /bsd: smtpctl[22724]: pledge "fattr", syscall 124
>> Jan  7 06:55:01 v /bsd: smtpctl[56931]: pledge "fattr", syscall 124
>> Jan  7 06:55:01 v /bsd: smtpctl[99044]: pledge "fattr", syscall 124
>>
>> Thank you
> 
> FYI:
> 
> The pledge mechanism is a security feature from OpenBSD.
> 
> In your case it means that the kernel AFAIK has prevented "smtpctl" from calling
> the function "fattr".
> 
> Details:
> https://man.openbsd.org/pledge.2
> 
> Cheers,
> Johannes K.
> 
> 
> 
> 

  

Non stop /bsd: smtpctl[51626]: pledge "fattr", syscall 124

2020-01-06 Thread Mik J
Hello,
I keep having these logs in my /var/log/messages do you know what this means ?
Jan  7 06:51:01 v /bsd: smtpctl[51626]: pledge "fattr", syscall 124
Jan  7 06:52:01 v /bsd: smtpctl[64532]: pledge "fattr", syscall 124
Jan  7 06:52:01 v /bsd: smtpctl[13532]: pledge "fattr", syscall 124
Jan  7 06:53:01 v /bsd: smtpctl[20480]: pledge "fattr", syscall 124
Jan  7 06:53:01 v /bsd: smtpctl[70486]: pledge "fattr", syscall 124
Jan  7 06:54:01 v /bsd: smtpctl[88165]: pledge "fattr", syscall 124
Jan  7 06:54:01 v /bsd: smtpctl[96175]: pledge "fattr", syscall 124
Jan  7 06:55:01 v /bsd: smtpctl[22724]: pledge "fattr", syscall 124
Jan  7 06:55:01 v /bsd: smtpctl[56931]: pledge "fattr", syscall 124
Jan  7 06:55:01 v /bsd: smtpctl[99044]: pledge "fattr", syscall 124

Thank you


Re: RBLs?

2019-06-30 Thread Mik J
 Hello Gilles,
I'm not at all familiar with filters but it seems to me that everyone has its 
own way to fight spam: shell script, python script, filters...
Right now I'm not able to avoid spam I use spamd and grey/black listing but 
it's not enough.
I don't find a simple way to avoid mails with a specific regexp in the subject 
or body of the mail. Or synchronise with RBLs or ask opensmtpd to make some 
checks.
"if IP of the sender is not a mx for the sender domain then reject" with 
an opensmtpd rule.
"if subject of the domain is in table then reject"
That's what I mean by native.
Probably you'll answer that the goal of smtpd is to deliver mails not to do 
this kind of tasks.
Regards


On Sunday, 30 June 2019 at 13:47:04 UTC+2, Gilles Chehade wrote:
 
 On Sat, Jun 29, 2019 at 01:03:46PM +, Mik J wrote:
>  Hello,

Hello,


> I'm also interested in this topic. A lot of spam are still passing through.
> On my personal mailbox, I receive almost no spam. But on addresses that are 
> visible on a website I receive spam, two/three per day many are blocked 
> though.
> I have the same strategy as Thomas and use spamd and spam trap mails.
> 

I'm currently working on bringing a filter-rspamd to life, see:

https://poolp.org/posts/2019-06-30/june-2019-report-fion-bpg-and-smtpd/


> Joerg your filter looks nice but I don't understand how it works. I'm looking 
> forward to have something native with opensmtpd, spam is a pain.
>

I don't understand what you mean by "native".


-- 
Gilles Chehade                              @poolpOrg

https://www.poolp.org           patreon: https://www.patreon.com/gilles

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

  

Re: RBLs?

2019-06-29 Thread Mik J
 Hello,
I'm also interested in this topic. A lot of spam are still passing through.
On my personal mailbox, I receive almost no spam. But on addresses that are 
visible on a website I receive spam, two/three per day many are blocked though.
I have the same strategy as Thomas and use spamd and spam trap mails.

Joerg your filter looks nice but I don't understand how it works. I'm looking 
forward to have something native with opensmtpd, spam is a pain.
Regards

On Friday, 21 June 2019 at 14:08:00 UTC+2, Joerg Jung wrote:
 
 


On 20. Jun 2019, at 00:40, Thomas Smith  wrote:
Hi,

I’ve been using a combination of OpenSMTPd and spamd on OpenBSD (currently at 
6.5) for some time and with success. However, there are still some 
false-negatives and I’m looking at ways of reducing those. One way is by making 
use of RBLs.

(I’ve evaluated delivered spam and the majority of it seems to be coming from 
IPs that are on various blacklists but aren’t being caught by greylisting.)

spamd doesn’t support RBLs, at least that I’ve found, it can only use lists 
that can be downloaded locally—the particular service I’m wanting to use only 
provides DNS-based RBLs. So that’s my problem…

I’m looking for ways of including an RBL in either spamd or OpenSMTPd, 
preferring to stay in OpenBSD base as much as possible. (In other words, I’d 
prefer to not rip out spamd or replace or supplement it with SpamAssassin or 
rspamd—I’d rather find a solution that will plugin _specifically_ for RBLs 
without all of the other bloat that SpamAssassin and similar products bring.

Can anyone offer some input on this please?

I’m not opposed to writing an OpenSMTPd filter, though I’d need to locate some 
documentation for that (I’ve looked but haven’t been able to find it, so I’m 
probably looking in the wrong places—suggestions welcomed).


I’ve written a filter already: 
https://www.umaxx.net/dl/filter-dnsbl-0.4.tar.gz
Don’t expect support, see other mails and comments from Gilles on the filter 
topic.  

Intercepting mails with opensmtpd

2019-05-07 Thread Mik J
Hello,

I didn't find the right syntax to intercept a mail.

Server (www) => Server opensmtpd (relay) => other server such as gmail

There is spam (along with legitimate mails) coming from the www server and 
opensmtp is relaying them to other mtas such as gmail.
I wanted for a short time period to redirect all mails coming from a specific 
mail address that is relayed by opensmtpd to my mailbox. Unfortunately I 
couldn't find the right way to do so.

accept from source  sender "" deliver to 
maildir "/home/mail/mydomain1/myuser/Maildir"

 is a table containing the IP of the www server

So this rule doesn't seem to match for some reason.

Do you have an idea ?

PS: Please don't ask me to fix the security hole on the www server, it's 
interesting to know how the answer about the opensmtpd rule


Rule to prevent spam from my domain

2018-12-19 Thread Mik J
Hello,

I have written rules for my opensmtpd but some spams are passing through.

The ones that I go through have a source like em...@mydomain.org and are sent 
to i...@mydomain.org
I'm wondering if some of you have written this kind of rule ?

reject from source ! sender  for domain 

Regards


root privileges for smtpctl show stats

2018-12-19 Thread Mik J
Hello,

I can see that retrieving the statistics requires root privileges

$ /usr/sbin/smtpctl show stats
smtpctl: need root privileges

But in my opinion some users should be able to retrieve these stats.
In my context, it's the snmpd process which tries to retrieve the stats.

Regards
  

Re: Opensmtpd failover

2018-12-05 Thread Mik J
 Thank you everyone for replying to my question.

First I think to work on the backup mx server (without any storage), as it was 
suggested. And see how it goes.


On Wednesday, 5 December 2018 at 10:31:35 UTC+1, Gilles Chehade wrote:
 
 On Wed, Dec 05, 2018 at 10:21:13AM +0100, Aham Brahmasmi wrote:
> Hello Craig,
> 
> > > But why? Just deliver it and be done. Can't see many drawbacks in
> > > that.
> > > 
> > 
> > Backup MX servers don't have any mail storage, nor IMAP/POP daemon.
> > 
> > They are another hop along the delivery path to the primary MX servers.
> > 
> > 
> > 
> > Backup MX machines are not the message's final destination;-
> > 
> > Pretend you are going to the world's biggest party, which is held every
> > New Year's Eve in Edinburgh, so you board an aeroplane to Edinburgh.
> > 
> > But the snow hits Scotland, so your aeroplane lands in London. England
> > is not your final destination. It is a backup airport in a different
> > country. You have not travelled to the party capital. So you wait/spool
> > in London until Edinburgh airport is receiving traffic. Then then you
> > get the next flight to your final destination & Hogmanay for 3 days.
> 
> Thank you for the excellent analogy.
> 
> I will now never forget that Edinburgh is The Party Capital.
> 
> And that Scotland is a different country than England :) .
> 

that has got to be the best analogy I read :-))



-- 
Gilles Chehade                              @poolpOrg

https://www.poolp.org                 tip me: https://paypal.me/poolpOrg


  

root privileges for smtpctl show stats

2018-12-05 Thread Mik J
Hello,

I can see that retrieving the statistics requires root privileges

$ /usr/sbin/smtpctl show stats
smtpctl: need root privileges

But in my opinion some users should be able to retrieve these stats.
In my context, it's the snmpd process which tries to retrieve the stats.

Regards


Opensmtpd failover

2018-11-23 Thread Mik J
Hello,

I'm wondering how to do a proper mail server failover.

Let's say smtp1 is down, the internet client resolves the other mx with a lower 
priority and the mail goes to smtp2.
Now smtp2 writes the message on the disk in order to store it.
What do you people do in order to have a common storage for both smtp which can 
be correct regardless whether a smtp goes up or down.
How do you manage the failover ?

Thank you


Re: people using elk / grafana ?

2018-11-16 Thread Mik J
Hello Gilles,

I use ELK and cacti, that's why I made a feature request a few months ago 
regarding the monitoring.

In cacti/snmp: I want to poll OID and see if mail volume grow. Long term trends
In ELK: I want to detect spam, where is it coming from etc.

if you can see the image, this is what I graph for spamd.
In october I relocated my mx from cloud to my server running opensmtpd.
But it's still low volume.
 

On Tuesday, 13 November 2018 at 18:00:05 UTC+1, Gilles Chehade wrote:
 
 HELO,

I'm looking for people that are regular users of ELK / Grafana or alike.

I'd like to discuss improvements that can be made to the event reporting
mechanism to ease integration with monitoring and alerting tools.

If creating dashboards and alerts is part of your daily routine, ping me
so we can talk.

-- 
Gilles Chehade                              @poolpOrg

https://www.poolp.org                 tip me: https://paypal.me/poolpOrg


  

Re: How to deal with spam and opensmtpd

2018-04-19 Thread Mik J
I don't know how it works for you but for me these marketing companies change 
their IPs every week (they use a few different subnets every week). So this task 
can be very time consuming.
 

Le jeudi 19 avril 2018 à 13:31:33 UTC+2, Martijn van Duren 
<opensm...@list.imperialat.at> a écrit :  
 
 Hello Mik,

On 04/19/18 13:18, Mik J wrote:
> Thank you Simon for your answer.
> 
> Actually, this marketing company is not doing heavy spam so they qualify mail 
> addresses then have time to retry to send their email.
> Their unsubscribe button is worthless.
> 
> Another option could be to subscribe their services with a spamtrap address.
> 
> But I was wondering what do you guys use to filter content of emails at the 
> smtp server level.

For these kind of cases I keep it rather low-tech. I added the following
line to my smtpd.conf:
reject from any sender  for any

and just manually add the spam addresses to this table.
> 
> Regards
> 
> Le mercredi 18 avril 2018 à 22:50:32 UTC+2, Simon McFarlane <s...@desu.ne.jp> 
> a écrit :
> 
> 
> On 04/18/2018 01:44 AM, Mik J wrote:
> > What other (not spamd and spamassassin) do you use ?
> 
> 
> I use bgp-spamd [1] and a hand-assembled blacklist (using
> dovecot-pigeonhole) of certain terms that usually only appear in spam.
> It's not as good as SpamAssassin but it seems to stop the majority of
> the spam I get. I'm down from 2-3 spam messages per day to one 10 days
> or so.
> 
> Simon
> 
> [1] https://bgp-spamd.net/
> 
> 


  

Re: How to deal with spam and opensmtpd

2018-04-19 Thread Mik J
 Thank you Simon for your answer.
Actually, this marketing company is not doing heavy spam so they qualify mail 
addresses then have time to retry to send their email.
Their unsubscribe button is worthless.
Another option could be to subscribe their services with a spamtrap address.
But I was wondering what do you guys use to filter content of emails at the 
smtp server level.
Regards

Le mercredi 18 avril 2018 à 22:50:32 UTC+2, Simon McFarlane 
<s...@desu.ne.jp> a écrit :  
 
 On 04/18/2018 01:44 AM, Mik J wrote:
> What other (not spamd and spamassassin) do you use ?

I use bgp-spamd [1] and a hand-assembled blacklist (using 
dovecot-pigeonhole) of certain terms that usually only appear in spam. 
It's not as good as SpamAssassin but it seems to stop the majority of 
the spam I get. I'm down from 2-3 spam messages per day to one 10 days 
or so.

Simon

[1] https://bgp-spamd.net/


  

How to deal with spam and opensmtpd

2018-04-18 Thread Mik J
Hello,
I'm using Openbsd and Opensmtpd + Spamd. I have been able to reduce the spam.
However there are some marketing companies that constantly change their IPs and 
pass through the greylisting, they really attempt to send the mail (multiple 
times).
I looked at bogofilter and it looks nice.
However I would like to know if there's a way for opensmtpd to work with 
bogofilter. So that the mails can be trashed or classified as spam.
First I read that bogofilter works at the user level, I'd like it to work at 
the server mail level.
What other (not spamd and spamassassin) do you use ?
Regards


Re: warn: smtpd: parent_forward_open

2018-01-05 Thread Mik J
Hello all,
What do you think about my initial question.
When I receive an email, I have the following message
warn: smtpd: parent_forward_open: /var/mail/_vmail: No such file or directory
With /var/mail... not /var/rep... like I wrote in my first message
I don't store my mails in /var/mail/_vmail. I mounted a NFS share to another 
server and the mount point is not /var/mail
This message comes from smtpd.c
    if (stat(directory, ) < 0) {
        log_warn("warn: smtpd: parent_forward_open: %s", directory);
        return -1;
    }

or
    if (errno == ELOOP)
...
    else
        log_warn("warn: smtpd: parent_forward_open: %s", pathname);
    return -1;

Regards


Le mercredi 3 janvier 2018 à 15:25:25 UTC+1, Scott Court <z...@z5t1.com> a 
écrit :  
 
  
That's ok; it's all good.
 
 
One thing though: I noticed that there have been several API version bumps 
between 6.0.2 and the current git version in smtpd/smtpd-api.h (namely 
PROC_*_API_VERSION has been bumped from 1 to 2). When I was working with the 
git version the other day I realized that this change in the API version breaks 
backwards compatibility with any extras that have been installed (from 
OpenSMTPD-extras).
 
This makes me wonder if this 6.0.3 release might actually warrant a larger 
version number bump (maybe to 6.1.0 or even 7.0.0) to signify this backwards 
incompatible change.
 
 On Tue, Jan 02, 2018 at 09:43:52AM -0500, Scott Court wrote:
 
 On 01/01/2018 07:19 PM, Mik J wrote:
 
 # smtpd -h
version: OpenSMTPD 6.0.0

Also, if anyone knows why 6.0.2 is not the version shipped in the
latest 6.2 openbsd.

Thanks
 
 I have been wondering about this myself. After taking a look at the code
in the OpenBSD CVS tree though, it looks like the "6.0.0" version of
OpenSMTPD shipped with OpenBSD 6.2 is actually not the 6.0.0 version
available on opensmtpd.org. It appears that it is actually closer to a
recent fork of the CVS version of OpenSMTPD.

Additionally, the OpenSMTPD version in OpenBSD has been upgraded with
the release of OpenBSD 6.1 and 6.2; however, the version number seems to
stay at "6.0.0" for some reason. I tried building OpenSMTPD 6.0.2 from
source the other day, just to find out it was actually older than the
"6.0.0" version in my stock OpenBSD 6.2.

This seems very strange to me.

 
 You are absolutely right.

We used to have a release process specifically for OpenSMTPD when it was
using git as a main repository and synchronized to OpenBSD but since the
switch we never discussed our versioning despite the fact that there is
a different workflow and we often have many minor commits that we do not
think warrant a version update... but causes OpenSMTPD to have different
code for identical versions.

In the meantime, I have bumped the version in OpenBSD -current to 6.0.3,
this will make it obvious that the code is more ahead than on github.

This weekend, I will update the code on github and prepare a 6.0.3 minor
release so everyone gets the same code for that version, then we'll have
a discussion on how we will prevent this from happening in the future.

This was entirely my fault so... apologies

 
 
   

warn: smtpd: parent_forward_open

2018-01-01 Thread Mik J
Hello,
I have this message in my logs but it's surprising since no reference to 
/var/mail is present in my opensmtpd.conf
smtpd[78301]: warn: smtpd: parent_forward_open: /var/rep/_vmail: No such file 
or directory
table utilisateurs file:/etc/mail/utilisateurs
accept tagged CLAM_IN for domain  virtual  deliver to 
maildir 
"/home/rep/_vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir"
$ cat /etc/mail/utilisateurs
myu...@mydomain.org  _vmail
It's like there's something like a hardcoded default path
# smtpd -h
version: OpenSMTPD 6.0.0

Also, if anyone knows why 6.0.2 is not the version shipped in the latest 6.2 
openbsd.
Thanks


Syslog messages and opensmtpd

2017-08-26 Thread Mik J
Hello,
Do you know where I can find a full list of different syslog messages that can 
be sent by opensmtpd ?
I'm using logstash to match parameters but the syslog messages are not clear to 
me
examples:
6a933eae3e6c0974 smtp event=closed reason=quit
6a933eadd23a179c mta event=closed reason=quit messages=1
I think the first string is the smtp session
 mta event=delivery evpid=50795e11e05548d5 from=<> to= rcpt=<-> source=- relay=sxerexd.top delay=1d1h1m21s result=TempFail stat=Network error on destination MXs
smtp-out: No valid route for [connector:[]->[relay:sxerexd.top],0x0]
6a933e7f7f1d1849 mta event=connecting address=smtp+tls://139.199.1.220:25 host=139.199.1.220
6a933e5f37f31b53 mta event=error reason=Connection timeout

So sometimes it starts with a smtp session number, sometimes with 000... 
sometimes with smtp-out. It seems the logs are not standardised

Also it seems to me that from that message
6a933e5f37f31b53 mta event=error reason=Connection timeout
it's very hard to identify what mail is causing the problem
Matching the smtp session I found this
6a933e5f37f31b53 mta event=connecting address=smtp+tls://139.199.1.220:25 
host=139.199.1.220
but it's very hard to understand which domain is faulty or constantly faulty

Thank you
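
The correlation asked about above can be done by parsing the session id and the key=value fields and joining each `event=error` line to the earlier `event=connecting` line of the same session. This is an added example, not code from the original post or from the OpenSMTPD project; the function names and the sample log lines are constructed for illustration and follow the `event=` format quoted in the message.

```python
import re
from collections import Counter

# <16 hex session id> <subsystem> <key=value ...>, with an optional syslog
# prefix in front. Lines without a session id (e.g. "smtp-out: ...") do not match.
LINE_RE = re.compile(r'(?:^|\s)([0-9a-f]{16})\s+([a-z][a-z-]*)\s+(\S.*)$')
# A value is either "quoted" or runs up to the next " key=" token, because
# values such as reason=Connection timeout contain unquoted spaces.
# Limitation: an unquoted value that itself contains " word=" is split there.
FIELD_RE = re.compile(
    r'([A-Za-z][\w-]*)=(?:"([^"]*)"|(.*?))(?=\s+[A-Za-z][\w-]*=|\s*$)')


def parse_line(line):
    """Return {'session', 'subsystem', 'fields'} or None if the line has no session id."""
    m = LINE_RE.search(line.rstrip())
    if m is None:
        return None
    session, subsystem, rest = m.groups()
    fields = {k: (q if q else b) for k, q, b in FIELD_RE.findall(rest)}
    return {"session": session, "subsystem": subsystem, "fields": fields}


def correlate_errors(lines):
    """Attach the destination of the last event=connecting to each event=error."""
    last_connect = {}          # session id -> fields of its latest connecting event
    findings, unparsed = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        event = rec["fields"].get("event")
        if event == "connecting":
            last_connect[rec["session"]] = rec["fields"]
        elif event == "error":
            conn = last_connect.get(rec["session"], {})
            findings.append({
                "session": rec["session"],
                "reason": rec["fields"].get("reason"),
                "address": conn.get("address"),   # None if no connecting line was seen
                "host": conn.get("host"),
            })
    return findings, unparsed


def tempfail_relays(lines):
    """Count event=delivery lines with result=TempFail per relay= value."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        if f.get("event") == "delivery" and f.get("result") == "TempFail":
            counts[f.get("relay", "?")] += 1
    return counts


# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE = """\
Aug 26 10:00:01 mx smtpd[100]: 1111111111111111 mta event=connecting address=smtp+tls://192.0.2.10:25 host=mx1.example.net
Aug 26 10:00:02 mx smtpd[100]: 2222222222222222 mta event=connecting address=smtp+tls://192.0.2.20:25 host=192.0.2.20
Aug 26 10:00:31 mx smtpd[100]: 1111111111111111 mta event=error reason=Connection timeout
Aug 26 10:00:32 mx smtpd[100]: 2222222222222222 mta event=closed reason=quit messages=1
Aug 26 10:00:33 mx smtpd[100]: smtp-out: No valid route for [connector:[]->[relay:example.net],0x0]
Aug 26 10:00:34 mx smtpd[100]: 0000000000000000 mta event=delivery evpid=aaaaaaaaaaaaaaaa from=<> to=<user@example.net> rcpt=<-> source=- relay=example.net delay=1d1h1m21s result=TempFail stat=Network error on destination MXs
Aug 26 10:00:35 mx smtpd[100]: 3333333333333333 smtp event=closed reason=quit
""".splitlines()

if __name__ == "__main__":
    errors, skipped = correlate_errors(SAMPLE)
    for e in errors:
        print(e["session"], e["reason"], "->", e["host"], e["address"])
    print("lines without a session id:", skipped)
    print("TempFail by relay:", dict(tempfail_relays(SAMPLE)))
```
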




Re: Grok patterns for opensmtpd

2017-05-24 Thread Mik J
 

Le Mardi 23 mai 2017 9h47, Mik J <mikyde...@yahoo.fr> a écrit :
 

 Hello,
I would like to know if some of you already worked on Grok patterns for 
opensmtpd with logstash.


   

Re: Messages stuck in queue don't show up with smtpctl

2017-05-24 Thread Mik J
 

Le Mardi 23 mai 2017 10h09, Mik J <mikyde...@yahoo.fr> a écrit :
 

 Version: 6.0.2
Hello,
The smtpctl doesn't show me any result
# smtpctl show queue
# smtpctl show message 03fbbf757050fe8c
smtpctl: fopen: No such file or directory
# smtpctl show envelope 03fbbf757050fe8c
smtpctl: fopen: No such file or directory


But my server is constantly trying to connect to some servers
smtpd[31407]: 03fbbf757050fe8c mta event=connecting address=smtp+tls://x.x.68.171:25 host=x.x.68.171
smtpd[31407]: 03fbbf76f1f61135 mta event=connecting address=smtp+tls://x.x.68.183:25 host=x.x.68.183
smtpd[31407]: 03fbbf7701630140 mta event=connecting address=smtp+tls://x.x.68.170:25 host=x.x.68.170
These are bulkmail.cn.com MTAs

If I try to find where this is coming from
May 22 23:01:18 myserver smtpd[53]: cbf8cde01d31da9e smtp event=connected address=133.130.114.91 host=v133-130-114-91.a045.g.tyo1.static.cnode.io
May 22 23:01:19 myserver smtpd[53]: cbf8cde01d31da9e smtp event=message msgid=66bfe7d4 from=<q...@bulkmail.cn.com> to=<cont...@mydomain.org> size=26145 ndest=1 proto=ESMTP
May 22 23:01:20 myserver smtpd[53]: cbf8cde01d31da9e smtp event=closed reason=quit
My MTA wants to reply that cont...@mydomain.org doesn't exist and tries on and on
Does anyone know how to stop my MTA from trying to reply back to this domain ?




   

Re: Opensmtpd with multiple certificates

2017-05-15 Thread Mik J
Hello Bruno, Edgar,
Thank you for sharing
You wrote domain1.com and domain2.com but you don't use them thereafter
 pki domain1.com certificate "/etc/smtpd/tls/domain1.com.crt"
 pki domain1.com key "/etc/smtpd/tls/domain1.com.key"
 pki domain2.com certificate "/etc/smtpd/tls/domain2.com.crt"
 pki domain2.com key "/etc/smtpd/tls/domain2.com.key"
 listen on  hostname  port 25 tls
Also, could you repeat what is , a table of IP addresses ?
Could you post your complete configuration because I don't understand it right 
now
 

Le Dimanche 14 mai 2017 16h16, Bruno Pagani <bruno.pag...@ens-lyon.org> a 
écrit :
 

  Le 14/05/2017 à 15:45, Edgar Pettijohn a écrit :
  
 
 On 05/14/17 07:20, Bruno Pagani wrote:
 
 
Le 14/05/2017 à 09:59, Mik J a écrit :
  
  Thank you Edgar, You wrote multiple IP addresses. Does it mean that 1 IP 
address = 1 certificate ? Can't we do 1 IP address = x certificates ?
   
 
 No, you can do 1 IP = x certs, thanks to SNI. I do that, my conf:
 
 pki domain1.com certificate "/etc/smtpd/tls/domain1.com.crt"
 pki domain1.com key "/etc/smtpd/tls/domain1.com.key"
 pki domain2.com certificate "/etc/smtpd/tls/domain2.com.crt"
 pki domain2.com key "/etc/smtpd/tls/domain2.com.key"
 
 listen on  hostname  port 25 tls
 
 The hostname part is only necessary if you want to advertise a specific 
hostname when contacted without SNI. The important thing is to not specify a 
pki.
 
 Regards,
 Bruno
 I think I used two because the  table is a mapping from an ip to a 
name.  I'll have to give this a try.  
 
 It’s a table if you use the hostnameS parameter. But you’re not forced to. It 
helps if you’re facing servers without SNI. But I don’t expect any such server 
to be compliant with modern mail rules (SPF,DKIM…) anyway, or even to check the 
certificate/support non-broken crypto.
 
 Bruno 

   

Opensmtpd with multiple certificates

2017-05-13 Thread Mik J
Hello,
I would like to know if it's possible to use multiple certificates/keys with 
opensmtpd
domain.com has MX mx.domain.com
acme.com has MX mx.acme.com
When a client (remote mta such as gmail) connects to my server, my opensmtpd 
should send the according certificate.
Something like virtual hosts with httpd
Otherwise, what should I do when my opensmtpd server hosts multiple domains 
with multiple mx records.
Thank you


Spamd question with Spamtrap

2017-03-11 Thread Mik J
Hello,
Spamd has been really efficient in blocking spam. A few of them passed through 
once in a while but there's no discomfort.

But, I'm not able to use spamtrap.
# spamdb -T -a ""
# spamdb | grep SPAMTRAP
SPAMTRAP|
But when I telnet port 25 and try to send a mail, a GREY entry is created, and 
after the holdtime mail are passing through
1) During the GREY phase, my PF redirects connections to spamd
match in on $ext_if proto tcp to $ext_if port 25 rdr-to $mailserver port 25
pass in quick on $ext_if proto tcp from any to $mailserver port 25 divert-to 127.0.0.1 port 8025

2) But after the holdtime flows bypass spamd and go directly to the mail server
pass in log (to pflog1) quick on $ext_if proto tcp from  to $mailserver port 25 flags S/SA modulate state
And I placed PF rules in this order
match in on $ext_if proto tcp to $ext_if port 25 rdr-to $mailserver port 25
pass in log (to pflog1) quick on $ext_if proto tcp from  to $mailserver port 25 flags S/SA modulate state
pass in quick on $ext_if proto tcp from any to $mailserver port 25 divert-to 127.0.0.1 port 8025
Do you see anything abnormal or have advice ?
Regards
 


Re: plans for 2017

2017-03-11 Thread Mik J
Hello Gilles,
Thanks too for sharing.
I've implemented a quick and dirty way to retrieve statistics with bind and 
spamd through snmp. I could do the same with opensmtpd but the traffic of my 
mail server is close to 0 at the moment.
I just wanted to say that in a real production environment monitoring is 
quite important for instance with snmp.
I don't know if other people using opensmtpd share this opinion.
However, thank you all for the good work


Le Jeudi 9 février 2017 11h26, Gilles Chehade  a écrit :
 

 On Thu, Feb 09, 2017 at 10:48:14AM +0100, Mischa wrote:
> Hi Gilles,
> 
> Thank you for expressing your plans. Looking forward to the changes.
> Keep it coming, you are doing great things!
> 

Thanks

Also, when we've made a bit of progress, we're going to explain a bit
more where we're going with the filters, the goal is not to keep it a
secret until last day but to allow us to move forward without all the
noise that would happen from the "i'd do it differently" people ;-)

Regarding the MTA changes we know exactly what we want to do but there
is a bit of a chicken & the egg issue with the last changes that were
mentioned. The idea is that we can achieve an MTA layer implem which
is isofunctional to the current one with most of the complexity that
is currently taking charge of optimizing routing, reusing connections
and managing limits entirely gone. This will not only improve quality
but also allow for new features which are painful to implement today,
as they require touching a very tricky brick of code.

Regarding the later changes all I can say for now is that it is going
to imply a configuration file format change, we'll probably find ways
to retain some syntactic sugar but we're essentially going to have the
envelope template (the accept part) decorrelated from the action (the
deliver to / relay part) which seems like an innocent change but will
have (GOOD) implications on pretty much *every* layer of the daemon.

Now i'm done with the explaining, still swamped for a few days and I
will dive back into the code.

Gilles


> > On 9 Feb 2017, at 10:44, Gilles Chehade  wrote:
> > 
> > Hello misc@,
> > 
> > It's been calm for a while due to "real-life (tm)" events that had
> > to be handled in priority as far as I'm concerned, I don't know of
> > the reasons why the others are slacking though :-)
> > 
> > I've been willing to send this mail for a while to outline some of
> > the big plans for 2017 regarding OpenSMTPD and some of the changes
> > that are planned in different parts of the daemon.
> > 
> > 
> > 
> > First of all, regarding filters, since that's the question that is
> > coming the more often:
> > 
> > Filters are neither dead or alive.
> > We have implemented an API and the mechanics to make that API work
> > and this is what people started using while we warned them not to.
> > 
> > Turns out that while implementing a specific filter I hit an issue
> > which made it clear that there was a fundamental design issue with
> > the mechanics below the API that couldn't be worked around without
> > requiring a non-trivial refactor.
> > 
> > We had a long chat with eric@ about this design issue and how this
> > could be redesigned in a way that all the work we've done is still
> > usable and we figured a way which will reuse a big part of what we
> > already did, which guarantees that we will not find a design error
> > later down the chain and which as a bonus simplifies the daemon.
> > 
> > We're going to be working towards this way but now that we have an
> > experience in how providing the code early turned into a nightmare
> > for me, we'll work in a private branch then show the diff when the
> > code is working enough that it can be part of snapshots :-)
> > 
> > 
> > 
> > Then, regarding the MTA we're going to do a pass of simplification
> > because the code has evolved into something quite complex and from
> > experience gathered in the mail industry these last few years, the
> > code can be made much more efficient while MUCH simpler.
> > 
> > 
> > 
> > Finally, there is ongoing work that's going to span over months to
> > improve some configuration structures which is going to have a lot
> > of interesting side-effects which I'm going to keep as a surprise,
> > but that are going to be impressive. I personally look forward to
> > this more than filters given the amounts of improvements this will
> > unlock in many areas ranging from configuration, to reload, to MTA
> > and MDA.
> > 
> > 
> > Stay tuned !
> > 
> > 
> > -- 
> > Gilles Chehade
> > 
> > https://www.poolp.org                                         @poolpOrg
> > 
> > 
> 
> 
> 


Re: OpenSmtpd not RFC compliant ?

2017-01-30 Thread Mik J
Thank you Gilles for this clarification





> Le Lundi 30 janvier 2017 9h35, Gilles Chehade <gil...@poolp.org> a écrit :
> > On Sun, Jan 29, 2017 at 08:12:21PM +, Mik J wrote:
>>  Hello Gilles,
>>  Thank you for your answer.
>>  For the first point I have this rule
>>  table domains file:/etc/mail/domains
>>  table users file:/etc/mail/users
>>  accept tagged CLAM_IN for domain  virtual  deliver to maildir 
>>  "/var/mail/vmail/%{rcpt.domain}/%{dest.user}/Maildir"
>>  In /etc/mail/domains I have
>>  mydomain.org
>>  In /etc/mail/users I have
>>  u...@mydomain.org _vmail
>>  I read a few times what you wrote and
>>  - "all variations of cases within the domain will match that rule as they 
>>  refer to the same domain" => I agree
>>  - "they will all deliver to the same local user as far as OpenSMTPD is 
>>  concerned" => With virtual users it didn't work like that for me when I 
>>  wrote the message so after your email I did tests and search and saw this 
>>  option %{dest.user:lowercase} which seems to solve my problem.
>>  From what I understood in the RFC, upper case and lower case should be the 
>>  same for the user part and I shouldn't have had to specify that lowercase 
>>  option, it should have worked by default in my humble opinion and if my 
>>  understanding in english is correct.
>> 
> 
> That's because you assume that the delivery method is covered by the
> RFC which it isn't. The SMTP RFC covers SMTP, it doesn't cover mbox,
> maildir, virtual users, virtual domains and whatnot.
> 
> Turns out that by default virtual users work the way I explained, if
> you use virtual domains with virtual users and request Maildir or
> mbox, you will find no problem happens.
> 
> But in your case, you explicitly asked for the path to include the
> domain and this domain is not normalized by default, it's up to the
> user to normalize it with the filters as you figured.
> 
> 
> 
>>  For my second point the %{rcpt.domain:lowercase} option solved my 
> problem
>>  Thank you for these explanations
>> 
> 
> -- 
> Gilles Chehade
> 
> https://www.poolp.org  @poolpOrg
> 



Difference between rcpt and dest

2017-01-29 Thread Mik J
Hello,


I didn't understand the difference between
%{rcpt.user} and %{dest.user}
%{rcpt.domain} and %{dest.domain}

I've had issues with rcpt.xxx when I tried to redirect mails 
webmas...@mydomain1.org to u...@mydomain.org
It worked only with dest.xxx and I'll probably stick with it.

My question is what's the difference between both and when should we use 
rcpt.xxx ?

Regards




Re: OpenSmtpd not RFC compliant ?

2017-01-29 Thread Mik J
Hello Gilles,
Thank you for your answer.
For the first point I have this rule
table domains file:/etc/mail/domains
table users file:/etc/mail/users
accept tagged CLAM_IN for domain  virtual  deliver to maildir 
"/var/mail/vmail/%{rcpt.domain}/%{dest.user}/Maildir"
In /etc/mail/domains I have
mydomain.org
In /etc/mail/users I have
u...@mydomain.org _vmail
I read a few times what you wrote and
- "all variations of cases within the domain will match that rule as they 
refer to the same domain" => I agree
- "they will all deliver to the same local user as far as OpenSMTPD is 
concerned" => With virtual users it didn't work like that for me when I wrote 
the message so after your email I did tests and search and saw this option 
%{dest.user:lowercase} which seems to solve my problem.
From what I understood in the RFC, upper case and lower case should be the 
same for the user part and I shouldn't have had to specify that lowercase 
option, it should have worked by default in my humble opinion and if my 
understanding in english is correct.

For my second point the %{rcpt.domain:lowercase} option solved my problem
Thank you for these explanations

 

Le Dimanche 29 janvier 2017 17h09, Gilles Chehade <gil...@poolp.org> a 
écrit :
 
 

 On Sat, Jan 28, 2017 at 09:35:01PM +, Mik J wrote:
> Version: OpenSMTPD 5.9.2
> Hello,

Hello,


> I know that my version is not the latest but my question might still be valid.
> *
> The RFC5321 states in paragraph 2.4 that "Mailbox domains follow normal DNS 
> rules and are hence not case sensitive."But when I write to emails like 
> u...@mydomain.org or u...@mydomain.org or u...@mydomain.org they arrive in 
> different subdirectories# lsMyDomain.org?? mydomain.org MYDOMAIN.ORG
> so it seems to me that opensmtpd doesn't follow the RFC

This is not correct and slightly out of context.

Let me clarify:

"Mailbox domains follow normal DNS rules and are hence not case sensitive."

This means that sending to x...@opensmtpd.org or x...@opensmtpd.org is essentially
the same and implies that the MX handling opensmtpd.org will also handle the
OpenSMTPD.org and oPENsmtpd.ORG domains.

As far as OpenSMTPD goes, if your smtpd.conf states:

  accept for domain opensmtpd.org [...]

Then all variations of cases within the domain will match that rule as they
refer to the same domain and they will all deliver to the same local user
as far as OpenSMTPD is concerned. There is no violation of the RFC here.

Your problem, which I'm going to guess because you didn't show a config,
is in how you declared the delivery should take place once the message
has been accepted.


> *
> The RFC also states this"The local-part of a mailbox MUST BE treated as case 
> sensitive."
> How can I ignore the case sensitive in the local part (the name) ?
> 

You can't.

While RFC states that the local-part of a mailbox MUST BE treated as case sensitive,
it also states a few paragraphs earlier:

  [...] due to a long history of problems when intermediate hosts have
  attempted to optimize transport by modifying them, the local-part MUST be
  interpreted and assigned semantics only by the host specified in the
  domain part of the address.

Which essentially means that as long as a node is not a final destination
it must not try to make sense of addresses and forward them AS IS but the
final destination may have its own semantics assigned to the local-part.

The local-part is the part before the @ in the email address.

As far as OpenSMTPD goes:

1- during the SMTP transaction the domain is considered case-insensitive
  as I explained above and the local-part is considered case-sensitive,
  the envelope we save on disk retains the case for both parts.

2- if the mail is to be relayed, the address is forwarded AS IS using
  the same case as it had when we received it.

3- if the MX is the final destination, then our semantics is to fold
  the user-part to lowercase and consider that OpenSMTPD only knows
  how to deliver to system usernames that are all lowercase.

In all cases, the address as displayed in DATA part of mail (in headers)
will retain the case it had when submitted.

You can't alter the behavior for 3, it is a design decision that we
took to keep code simpler, less error and ambiguity prone and we
have no intent to change that.



-- 
Gilles Chehade

https://www.poolp.org                                         @poolpOrg
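
The effect discussed in this exchange, a maildir path built from `%{rcpt.domain}` without normalization versus the `:lowercase` form, can be reproduced with a small model. This is an added example, not OpenSMTPD's expansion code and not part of the original mails: `expand`, `delivery_paths` and `case_split_dirs` are hypothetical helpers, only the `lowercase` modifier is modelled, and the recipient addresses are constructed.

```python
import re
from collections import defaultdict

# %{name} or %{name:lowercase}; a simplified model of the tokens used in the
# "deliver to maildir" path quoted in the thread (assumption: no other modifiers).
TOKEN_RE = re.compile(r'%\{([a-z]+\.[a-z]+)(?::(lowercase))?\}')


def expand(template, variables):
    """Substitute tokens from `variables`; without a modifier the case is kept."""
    def repl(match):
        value = variables[match.group(1)]
        return value.lower() if match.group(2) == "lowercase" else value
    return TOKEN_RE.sub(repl, template)


def delivery_paths(template, recipients):
    """Return the set of directories the given recipients would be delivered to."""
    paths = set()
    for rcpt in recipients:
        user, _, domain = rcpt.rpartition("@")
        # Assumption for this model: no alias expansion, so dest.* equals rcpt.*.
        variables = {"rcpt.user": user, "rcpt.domain": domain,
                     "dest.user": user, "dest.domain": domain}
        paths.add(expand(template, variables))
    return paths


def case_split_dirs(names):
    """Find directory names that differ only by case (mail already split on disk)."""
    groups = defaultdict(list)
    for name in names:
        groups[name.lower()].append(name)
    return {key: sorted(group) for key, group in groups.items() if len(group) > 1}


RAW = "/var/mail/vmail/%{rcpt.domain}/%{dest.user}/Maildir"
NORMALIZED = "/var/mail/vmail/%{rcpt.domain:lowercase}/%{dest.user:lowercase}/Maildir"
# Constructed recipients: the same mailbox written with three domain spellings.
RECIPIENTS = ["user@MyDomain.org", "user@mydomain.org", "user@MYDOMAIN.ORG"]

if __name__ == "__main__":
    print(sorted(delivery_paths(RAW, RECIPIENTS)))         # three directories
    print(sorted(delivery_paths(NORMALIZED, RECIPIENTS)))  # one directory
    print(case_split_dirs(["MyDomain.org", "mydomain.org", "MYDOMAIN.ORG"]))
```
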


 
   

OpenSmtpd not RFC compliant ?

2017-01-28 Thread Mik J
Version: OpenSMTPD 5.9.2
Hello,
I know that my version is not the latest but my question might still be valid.
*
The RFC5321 states in paragraph 2.4 that "Mailbox domains follow normal DNS 
rules and are hence not case sensitive."
But when I write to emails like u...@mydomain.org or u...@mydomain.org or 
u...@mydomain.org they arrive in different subdirectories
# ls
MyDomain.org  mydomain.org MYDOMAIN.ORG
so it seems to me that opensmtpd doesn't follow the RFC
*
The RFC also states this
"The local-part of a mailbox MUST BE treated as case sensitive."
How can I ignore the case sensitive in the local part (the name) ?

Thank you



How to both redirect to console and screen

2016-10-16 Thread Mik J
Hello,
It is possible to redirect the boot sequence to the console using
# cat /etc/boot.conf
set tty com0
But then there is no screen output. How is it possible to have both of them ?
Thank you




Re: My aliases don't work

2016-09-06 Thread Mik J
Hello Edgar,

Sorry

This is a very simple question but yet didn't find the answer.
I have a machine m1 which is a webserver.
On openbsd there are daily reports and I want them to be sent to an 
external address.


# grep ^root /etc/mail/aliases
root: myexternaladdr...@mydomain.org


After modifying the aliases files I run the command

# newaliases

My opensmtpd configuration is very simple

listen on lo0
table aliases file:/etc/mail/aliases
accept from local for any relay via smtp://192.168.1.1
As I'm writing this message I realise that the line "table aliases 
file:/etc/mail/aliases" is useless, but fair enough.


My problem is when I do:

# mail -s "Resolv" root < /etc/resolv.conf

it writes to r...@m1.mydomain.org instead of myexternaladdr...@mydomain.org

So it looks like the aliases file is ignored. Do you know why ?
What's the right way to do it ?
My web server should use my local mail server as a relay which is going to 
sign emails etc.
Thank you



Le Mercredi 7 septembre 2016 0h34, Edgar Pettijohn <ed...@pettijohn-web.com> a 
écrit :


>
>
>On 16-09-06 21:53:14, Mik J wrote:
>
>> Hello,
>> This is a very simple question but yet didn't find the answer.I have a 
>> machine m1 which is a webserver. On openbsd there are daily reports and I 
>> want them to be sent to an external address.
>> # grep ^root /etc/mail/aliasesroot: myexternaladdress@mydomain.orgAfter 
>> modifying the aliases files I run the command newaliases
>> My opensmtpd configuration is very simplelisten on lo0table aliases 
>> file:/etc/mail/aliasesaccept from local for any relay via smtp://192.168.1.1
>> As I'm writing this message I realise that the line table aliases 
>> file:/etc/mail/aliases is useless, but fair enough
>> My problem is when I do: # mail -s "Resolv" root < /etc/resolv.conf it 
>> writes to r...@m1.mydomain.org instead of myexternaladdress@mydomain.orgSo 
>> it looks like the aliases file is ignored. Do you know why ?
>> What's the right way to do it ?My web server should use my local mail server 
>> as a relay which is going to sign emails etc.
>> Thank you
>Your message is all globbed up.  Please resend with full smtpd.conf.  
>
>Thanks,
>-- 
>Edgar Pettijohn
>
>
>
>
>
>




My aliases don't work

2016-09-06 Thread Mik J
Hello,
This is a very simple question but yet didn't find the answer.I have a machine 
m1 which is a webserver. On openbsd there are daily reports and I want them to 
be sent to an external address.
# grep ^root /etc/mail/aliasesroot: myexternaladdress@mydomain.orgAfter 
modifying the aliases files I run the command newaliases
My opensmtpd configuration is very simplelisten on lo0table aliases 
file:/etc/mail/aliasesaccept from local for any relay via smtp://192.168.1.1
As I'm writing this message I realise that the line table aliases 
file:/etc/mail/aliases is useless, but fair enough
My problem is when I do: # mail -s "Resolv" root < /etc/resolv.conf it writes 
to r...@m1.mydomain.org instead of myexternaladdress@mydomain.orgSo it looks 
like the aliases file is ignored. Do you know why ?
What's the right way to do it ?My web server should use my local mail server as 
a relay which is going to sign emails etc.
Thank you


Re: Can't map an address to another one

2016-08-21 Thread Mik J
This is the full debug -vd
smtp-in: Accepted message 3ff99b9d on session 7c7d334d52c5ec39: 
from=<personal...@gmail.com>, to=<i...@mydomain.org>, size=2625, ndest=1, 
proto=ESMTP
debug: scheduler: evp:3ff99b9d4918e017 scheduled (mta)
debug: mta: received evp:3ff99b9d4918e017 for <i...@mydomain.org>
debug: mta: draining [relay:127.0.0.1,port=10027,mx] refcount=1, ntask=1, 
nconnector=0, nconn=0
debug: mta: querying MX for [relay:127.0.0.1,port=10027,mx]...
debug: mta: [relay:127.0.0.1,port=10027,mx] waiting for MX
debug: MXs for domain 127.0.0.1:
    127.0.0.1 preference -1
debug: mta: ... got mx (0x4326ee92420, 127.0.0.1, 
[relay:127.0.0.1,port=10027,mx])
debug: mta: draining [relay:127.0.0.1,port=10027,mx] refcount=1, ntask=1, 
nconnector=0, nconn=0
debug: mta: querying source for [relay:127.0.0.1,port=10027,mx]...
debug: mta: ... got source for [relay:127.0.0.1,port=10027,mx]: []
debug: mta: new [connector:[]->[relay:127.0.0.1,port=10027,mx],0x1]
debug: mta: connecting with [connector:[]->[relay:127.0.0.1,port=10027,mx],0x0]
debug: mta-routing: searching new route for 
[connector:[]->[relay:127.0.0.1,port=10027,mx],0x0]...
debug: mta-routing: selecting candidate route [] <-> 127.0.0.1
debug: mta-routing: spawning new connection on [] <-> 127.0.0.1
debug: mta: 0x432cc955670: spawned for relay [relay:127.0.0.1,port=10027,mx]
debug: mta: connecting with [connector:[]->[relay:127.0.0.1,port=10027,mx],0x0]
debug: mta: cannot use [relay:127.0.0.1,port=10027,mx] before 2s
debug: mta-routing: no route available for 
[connector:[]->[relay:127.0.0.1,port=10027,mx],0x0]: must wait a bit
debug: mta: retrying to connect on 
[connector:[]->[relay:127.0.0.1,port=10027,mx],0x0] in 2s...
debug: mta: draining [relay:127.0.0.1,port=10027,mx] refcount=3, ntask=1, 
nconnector=1, nconn=1
debug: mta: scheduling relay [relay:127.0.0.1,port=10027,mx] in 1s...
smtp-out: Connecting to smtp://127.0.0.1:10027 (localhost) on session 
7c7d335771506ae9...
smtp-out: Connected on session 7c7d335771506ae9
debug: smtp: new client on listener: 0x432be182000
smtp-in: New session 7c7d33580678232e from host localhost [127.0.0.1]
debug: mta-routing: route [] <-> 127.0.0.1 (localhost) is now valid.
debug: mta: connecting with 
[connector:[]->[relay:127.0.0.1,port=10027,mx],0x2]
debug: mta: cancelling connector timeout
debug: mta: enough connections already
debug: mta: 0x432cc955670: handling next task for relay 
[relay:127.0.0.1,port=10027,mx]
smtp: 0x432e87af000: fd 9 from queue
smtp: 0x432e87af000: fd 11 from filter
debug: smtp: 0x432e87af000: data io done (2927 bytes)
filter: deferring eom query...
filter: running eom query...
debug: 0x432e87af000: end of message, msgflags=0x
smtp-in: Accepted message be9a78f5 on session 7c7d33580678232e: 
from=<personal...@gmail.com>, to=<i...@mydomain.org>, size=2927, ndest=1, 
proto=ESMTP
debug: scheduler: evp:be9a78f5243ffd00 scheduled (mta)
relay: Ok for 3ff99b9d4918e017: session=7c7d335771506ae9, 
from=<personal...@gmail.com>, to=<i...@mydomain.org>, rcpt=<->, 
source=127.0.0.1, relay=127.0.0.1 (localhost), delay=0s, stat=250 2.0.0: 
be9a78f5 Message accepted for delivery
debug: mta: waiting for 1s before next transaction
debug: mta: received evp:be9a78f5243ffd00 for <i...@mydomain.org>
debug: mta: draining [relay:127.0.0.1,port=10023,mx] refcount=1, ntask=1, 
nconnector=0, nconn=0
debug: mta: querying source for [relay:127.0.0.1,port=10023,mx]...
debug: mta: ... got source for [relay:127.0.0.1,port=10023,mx]: []
debug: mta: new [connector:[]->[relay:127.0.0.1,port=10023,mx],0x1]
debug: mta: connecting with [connector:[]->[relay:127.0.0.1,port=10023,mx],0x0]
debug: mta-routing: searching new route for 
[connector:[]->[relay:127.0.0.1,port=10023,mx],0x0]...
debug: mta-routing: skipping route [] <-> 127.0.0.1 (localhost): cannot use 
before 5s (delay after connect)
debug: mta-routing: no route available for 
[connector:[]->[relay:127.0.0.1,port=10023,mx],0x0]: must wait a bit
debug: mta: retrying to connect on 
[connector:[]->[relay:127.0.0.1,port=10023,mx],0x0] in 5s...
debug: mta: draining [relay:127.0.0.1,port=10023,mx] refcount=2, ntask=1, 
nconnector=1, nconn=0
debug: mta: scheduling relay [relay:127.0.0.1,port=10023,mx] in 1s...
debug: mta: flush for 3ff99b9d4918e017 (-> i...@mydomain.org)
smtp-in: Closing session 7c7d334d52c5ec39 

On Sunday 21 August 2016 at 9:54, Mik J <mikyde...@yahoo.fr> wrote:
 
 

 Hello,
This is my configuration
table domains file:/etc/mail/domaines
table aliases file:/etc/mail/aliases
table users file:/etc/mail/users
table courriels file:/etc/mail/courriels
table passwords file:/etc/mail/passwords
table clients file:/etc/mail/clients

max-message-size 50M

pki smtp.mydomain.org certificate "/etc/ssl/certs/smtp.mydomain.org.crt"
pki smtp.mydomain.org key "/etc/ssl/private/smtp.mydomain.org.key"


Re: Can't map an address to another one

2016-08-21 Thread Mik J
55: 
1 message sent.

In these logs I see
Aug 21 09:38:10 mysmtp smtpd[1986]: delivery: Ok for d2dd91a7a2457a23: from=<personal...@gmail.com>, to=<u...@mydomain.org>, rcpt=<i...@mydomain.org>, user=vmail, method=maildir, delay=0s, stat=Delivered
But then the mail is received in its own mailbox
# cat /var/mail/vmail/mydomain.org/info/Maildir/new/1471765090.2083.smtp.mydomain.org
Return-Path: personaladd@gmail.com
Delivered-To: i...@mydomain.org
...
Received: by mail-x-x.google.com with SMTP id l203so114910462oib.1
    for <i...@mydomain.org>; Sun, 21 Aug 2016 00:38:05 -0700 (PDT)
Regards

 

On Sunday 21 August 2016 at 1:14, Edgar Pettijohn <ed...@pettijohn-web.com> wrote:
 
 

 I think your entire smtpd.conf would be useful as well as logs.

Sent from my iPhone
On Aug 20, 2016, at 5:57 PM, Mik J <mikyde...@yahoo.fr> wrote:


Hello,
I want to use some kind of alias addresses like mails sent to i...@mydomain.org 
would arrive in u...@mydomain.org. Both are on my mail server.
# cat /etc/mail/users
i...@mydomain.org user@mydomain.org
u...@mydomain.org vmail
In my smtpd.conf
table users file:/etc/mail/users
accept tagged CLAM_IN for domain  virtual  deliver to maildir "/var/mail/vmail/%{rcpt.domain}/%{rcpt.user}/Maildir"
NB: This is the first rule
When I send a mail to i...@mydomain.org it doesn't arrive in u...@mydomain.org 
it arrives in its own mailbox.
I don't really understand why
Does this configuration seem correct or did I miss something ?



 
  

Can't map an address to another one

2016-08-20 Thread Mik J
Hello,
I want to use some kind of alias addresses like mails sent to i...@mydomain.org 
would arrive in u...@mydomain.org. Both are on my mail server.
# cat /etc/mail/users
i...@mydomain.org user@mydomain.org
u...@mydomain.org vmail
In my smtpd.conf
table users file:/etc/mail/users
accept tagged CLAM_IN for domain  virtual  deliver to maildir "/var/mail/vmail/%{rcpt.domain}/%{rcpt.user}/Maildir"
NB: This is the first rule
When I send a mail to i...@mydomain.org it doesn't arrive in u...@mydomain.org 
it arrives in its own mailbox.
I don't really understand why
Does this configuration seem correct or did I miss something ?


Re: What is the correct syntax in opensmtpd

2016-08-18 Thread Mik J
Thank you for your answer. Indeed I didn't think about this option. 

On Wednesday 17 August 2016 at 21:50, Edgar Pettijohn <ed...@pettijohn-web.com> wrote:
 
 

 

Sent from my iPhone
On Aug 17, 2016, at 2:41 PM, Mik J <mikyde...@yahoo.fr> wrote:


Hello,
I have two rules like these
accept from local for domain  relay via smtp://127.0.0.1:10023
accept from source  for domain  relay via smtp://127.0.0.1:10023



Seems like you could add your local ip's to the myips table.

Is there a way to make only one rule ?
If a mail is local OR coming from some ips I trust then relay the mails
Regards



 
  

What is the correct syntax in opensmtpd

2016-08-17 Thread Mik J
Hello,
I have two rules like these
accept from local for domain  relay via smtp://127.0.0.1:10023
accept from source  for domain  relay via smtp://127.0.0.1:10023

Is there a way to make only one rule ?
If a mail is local OR coming from some ips I trust then relay the mails
Regards


Monitoring opensmtpd with snmp

2016-08-03 Thread Mik J
Hello,
I would like to know if monitoring opensmtpd with snmp is supported
If yes what are the OIDs ?
The goal would be something like monitoring the queue and retrieve the statistics in a standard way (snmp)
Regards


Re: How to have two different policies to send emails

2016-08-01 Thread Mik J
Hello Olivier,
Thank you for your answer, it helped me and I ended using this configuration
listen on 10.255.89.250 port 25 tls pki mx.domain.org auth-optional 
listen on 10.255.89.250 port 587 tls-require pki mx.domain.org auth 
# To Dkimproxy
accept from local for any relay via smtp://127.0.0.1:10025
accept from source  for any relay via smtp://127.0.0.1:10025

I wanted to have a simple configuration without authentication for some specific IPs that might have certain software.
But for all other users on internet that they would be authenticated before sending mails.
Regards
 

On Saturday 30 July 2016 at 14:57, Olivier Burelli <oliv...@burelli.fr> wrote:
 
 

 On Fri, 29 Jul 2016 13:02:58 + (UTC)
Mik J <mikyde...@yahoo.fr> wrote:

Hello Mik J.

egress is the routed interface.

If i understood your case you have to :

_ configure PF (with divert-to) for your specifics requirements
_ configure opensmtpd to define your policies.

(you can also use specific tag and redirection for it)

I added in attachment an overview of my implementation of opensmtpd + spamd + 
clamav & spamassassin (via filter) + bgpd + ...

And sorry i am not a designer, the picture reflects only my understanding. I 
guess i did not error.


> Hello,
> I would like to have two different policies for clients (MUA) that send mails.
> - Clients (applications) that send mails without authentication, they have a specific IP address
> - Clients (users) that send mails with an authentication, I don't know their IP address
> For case 1, it works
> listen on 10.1.1.1
> accept from source  for any relay
> For case 2, there are examples in the man (I know that authenticated users are considered local)

depends if they are defined as virtual or not. However for my point of view an 
user has to be provides always an authentication.

For my point of view, MTA has to knocks on the door and has to try in first to 
open a TLS exchange.

> listen on egress tls pki mail.example.com auth
> accept for any relay

if you perform netstat -na -f inet you will see that you request to opensmtpd 
to listen on a specific port.

For example :
###
#
## Deliver : treatment depends from the flow () 
#
# Manage flow
listen on lo0 port 10030 tag DKIM_OUT  # outgoing email to another MTA 
#
# Inbound
listen on lo0 port 25 filter sub 
listen on egress port 25 filter all hostname daenerys.burelli.fr tls pki 
daenerys.burelli.fr auth-optional 
listen on egress port 587 filter sub hostname daenerys.burelli.fr tls-require 
pki daenerys.burelli.fr auth 


netstat -na -f inet :

tcp          0      0  127.0.0.1.10030        *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  95.130.9.14.25         *.*                    LISTEN
tcp          0      0  95.130.9.14.587        *.*                    LISTEN
tcp          0      0  127.0.0.1.10029        *.*                    LISTEN
tcp          0      0  127.0.0.1.783          *.*                    LISTEN
tcp          0      0  127.0.0.1.8026         *.*                    LISTEN
tcp          0      0  127.0.0.1.8025         *.*                    LISTEN


You have also to indicate the flow with.

###
#
## Allow to deliver
#
accept from any for domain  virtual  deliver to lmtp 
"/var/dovecot/lmtp" rcpt-to # deliver via lmtp
accept for local alias  deliver to mbox
###
#
## Relay
#
# Tagged mail returned from DKIM
accept tagged DKIM_OUT for any relay
#
# Start here (inbound)
accept from local for any relay via smtp://127.0.0.1:10029 # to DKIM_OUT



> I don't understand fully the line
> listen on egress tls pki mail.example.com auth
> because in the man page, the egress word is not defined
> OpenBSD manual pages
> To what correspond the egress word ?
> Regarding case 1 + case 2 I'm afraid there could be a conflict between listen 
> on 10.1.1.1 and listen on egress...
> Do you have any idea on how to reach this ?
> 


-- 
regards,
Olivier


 
  

Start Opensmtpd with a key protected by password

2016-07-30 Thread Mik J
Hello,
I'm able to start opensmtpd manually as it prompts me the password for the private key
However don't know how to do this automatically so opensmtpd starts at boot.
# /etc/rc.d/smtpd start
smtpdpassphrase for hostname.org:
I looked at the man but didn't find any directive.
Regards



How to have two different policies to send emails

2016-07-29 Thread Mik J
Hello,
I would like to have two different policies for clients (MUA) that send mails.
- Clients (applications) that send mails without authentication, they have a specific IP address
- Clients (users) that send mails with an authentication, I don't know their IP address
For case 1, it works
listen on 10.1.1.1
accept from source  for any relay
For case 2, there are examples in the man (I know that authenticated users are considered local)
listen on egress tls pki mail.example.com auth
accept for any relay
I don't understand fully the line
listen on egress tls pki mail.example.com auth
because in the man page, the egress word is not defined
OpenBSD manual pages
To what correspond the egress word ?
Regarding case 1 + case 2 I'm afraid there could be a conflict between listen 
on 10.1.1.1 and listen on egress...
Do you have any idea on how to reach this ?



Opensmtpd crash because of loop (version: 5.9.1)

2016-07-25 Thread Mik J
version: 5.9.1
Hello,
I'm configuring Opensmtpd with dkimproxy and of course I did many tests but one email is stuck somewhere and makes the daemon to crash.
smtpd.conf
listen on 127.0.0.1
listen on 127.0.0.1 port 10028 tag DKIM_OUT # Emails from dkimproxy
listen on 10.x.x.x # Emails from clients
# Mails tagged received from dkimproxy_out are sent outside
accept tagged DKIM_OUT for any relay
# Mails received from local or authorised networks are sent to dkimproxy
accept from local for any relay via smtp://127.0.0.1:10027
accept from source  for any relay via smtp://127.0.0.1:10027

dkimproxy_out.conf
# specify what address/port DKIMproxy should listen on
listen    127.0.0.1:10027
# specify what address/port DKIMproxy forwards mail to
relay 127.0.0.1:10028
# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain    mydomain.com
# specify what signatures to add
signature dkim(c=relaxed)
signature domainkeys(c=nofws)
# specify location of the private key
keyfile   /var/dkimproxy_private.key
# specify the selector (i.e. the name of the key record put in DNS)
selector  selector1


I'm not saying my configuration is good or that I didn't do anything wrong, but 
to me the opensmtpd shouldn't crash. It should do another action but not 
crashing. Regards

# smtpd -vd
debug: mta: waiting for 1s before next transaction
debug: mta: flush for d52ef88fdf8981ad (-> r...@mymx.mydomain.com)
debug: mta: received evp:8b6db1a643cfeb5d for 
debug: mta: draining [relay:mymx.mydomain.com] refcount=3, ntask=3, 
nconnector=1, nconn=1
debug: mta: [relay:mymx.mydomain.com] waiting for connector
mta: timeout for session hangon
debug: mta: 0xe4560120670: handling next task for relay 
[relay:mymx.mydomain.com]
mta: timeout for session hangon
debug: mta: 0xe45c8c20670: handling next task for relay 
[relay:127.0.0.1,port=10027,mx]
smtp: 0xe4600176000: fd 11 from queue
smtp: 0xe4600176000: fd 13 from filter
smtp: 0xe45ee852000: fd 15 from queue
smtp: 0xe45ee852000: fd 17 from filter
warn: loop detected: Undefined error: 0
debug: smtp: 0xe4600176000: data io done (133750 bytes)
smtp-in: Failed command on session 1e3ede1e65cff40a: "DATA" => 500 5.4.6 
Routing loop detected: Loop detected
relay: PermFail for 4477466d6c1e0f40: session=1e3ede1dbb8fd8f2, 
from=, to=, rcpt=<->, 
source=10.1.1.2, relay=10.1.1.2 (mymx.mydomain.com), delay=3s, stat=500 5.4.6 
Routing loop detected: Loop detected
debug: mta: waiting for 1s before next transaction
filter: eom not received yet
debug: mta: flush for 4477466d6c1e0f40 (-> r...@mymx.mydomain.com)
debug: queue: bouncing evp:4477466d6c1e0f40 as evp:4477466df0027753
debug: scheduler: evp:4477466df0027753 scheduled (bounce)
debug: bounce: new message 4477466d
debug: bounce: adding report 4477466df0027753: r...@mymx.mydomain.com: 500 
5.4.6 Routing loop detected: Loop detected
debug: bounce: drain: nmessage=1 running=0
debug: bounce: next message not ready yet
debug: bounce: setting timer
debug: smtp: 0xe45ee852000: data io done (272204 bytes)
filter: deferring eom query...
filter: running eom query...
debug: 0xe45ee852000: end of message, msgflags=0x
smtp-in: Accepted message 536b9882 on session 1e3ee0b37b2eb128: from=<>, 
to=, size=272204, ndest=1, proto=ESMTP
debug: scheduler: evp:536b98820ca287a8 scheduled (mta)
debug: mta: received evp:536b98820ca287a8 for 
debug: mta: draining [relay:mymx.mydomain.com] refcount=3, ntask=3, 
nconnector=1, nconn=1
debug: mta: [relay:mymx.mydomain.com] waiting for connector
relay: Ok for a781d87f733b347e: session=1e3ee0b24957ff6b, from=<>, 
to=, rcpt=<->, source=127.0.0.1, relay=127.0.0.1 
(localhost), delay=1s, stat=250 2.0.0: 536b9882 Message accepted for delivery
debug: mta: waiting for 1s before next transaction
debug: mta: flush for a781d87f733b347e (-> u...@mymx.mydomain.com)
mta: timeout for session hangon
debug: bounce: timeout
debug: bounce: drain: nmessage=1 running=0
debug: bounce: requesting new enqueue socket...
debug: bounce: enough sessions running
debug: mta: 0xe4560120670: handling next task for relay 
[relay:mymx.mydomain.com]
mta: timeout for session hangon
debug: mta: 0xe45c8c20670: no task for relay [relay:127.0.0.1,port=10027,mx]
mta: debug: last connection: hanging on for 9s
debug: smtp: new client on listener: 0xe45a62ca000
smtp-in: New session 1e3ee0f6c4669080 from host mymx.mydomain.com [local]
smtp-in: Failed command on session 1e3ede1e65cff40a: "MAIL FROM:<>" => 503 
5.5.1 Invalid command: Command not allowed at this point.
debug: bounce: got enqueue socket 5
debug: bounce: new session 0xe458e0e2200
relay: PermFail for a0a53973398497c8: session=1e3ede1dbb8fd8f2, from=<>, 
to=, rcpt=<->, source=10.1.1.2, relay=10.1.1.2 
(mymx.mydomain.com), delay=3s, stat=503 5.5.1 Invalid command: Command not 
allowed at this point.
debug: mta: flush for 
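
Added example, not part of the original posts and not OpenSMTPD's own code: the "relay:" and "delivery:" result lines in the two smtpd -vd traces quoted in these threads can be parsed to follow one message across local re-injection hops (content filter, dkimproxy) and to flag routing loops by enhanced status code 5.4.6. It assumes the comma-separated key=value layout shown in these traces and that the first 8 hex digits of an envelope id are the message id, as the quoted lines show; the function names are hypothetical and the sample log is constructed.

```python
import re

# Constructed sample, modelled on the log lines quoted in the threads above
# (addresses replaced with example.org placeholders).
SAMPLE_LOG = """\
smtp-in: Accepted message 3ff99b9d on session 7c7d334d52c5ec39: from=<a@example.org>, to=<b@example.org>, size=2625, ndest=1, proto=ESMTP
relay: Ok for 3ff99b9d4918e017: session=7c7d335771506ae9, from=<a@example.org>, to=<b@example.org>, rcpt=<->, source=127.0.0.1, relay=127.0.0.1 (localhost), delay=0s, stat=250 2.0.0: be9a78f5 Message accepted for delivery
relay: PermFail for 4477466d6c1e0f40: session=1e3ede1dbb8fd8f2, from=<a@example.org>, to=<b@example.org>, rcpt=<->, source=10.1.1.2, relay=10.1.1.2 (mx.example.org), delay=3s, stat=500 5.4.6 Routing loop detected: Loop detected
Aug 21 09:38:10 mysmtp smtpd[1986]: delivery: Ok for be9a78f5243ffd00: from=<a@example.org>, to=<b@example.org>, rcpt=<b@example.org>, user=vmail, method=maildir, delay=0s, stat=Delivered
"""

# "relay: Ok for <16-hex envelope id>: key=value, ..." with an optional syslog prefix.
LINE_RE = re.compile(r"\b(relay|delivery): (\w+) for ([0-9a-f]{16}): (.*)$")
# SMTP reply code, optionally followed by an RFC 3463 enhanced status code.
STAT_RE = re.compile(r"^(\d{3})(?: (\d\.\d{1,3}\.\d{1,3}))?")
# Message id handed back by the next hop when that hop is smtpd again (assumption).
NEXT_RE = re.compile(r"\b([0-9a-f]{8}) Message accepted for delivery")


def parse_line(line):
    """Return a dict for a relay/delivery result line, or None for other lines."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    kind, result, evpid, rest = m.groups()
    # stat= is last and may itself contain ", " or ": ", so split it off first.
    head, _, stat = rest.partition(", stat=")
    rec = {"kind": kind, "result": result, "evpid": evpid,
           "msgid": evpid[:8], "stat": stat}
    for item in head.split(", "):
        key, _, value = item.partition("=")
        rec[key] = value
    code = STAT_RE.match(stat)
    rec["smtp_code"], rec["enhanced"] = code.groups() if code else (None, None)
    nxt = NEXT_RE.search(stat)
    rec["next_msgid"] = nxt.group(1) if nxt else None
    return rec


def trace(log_text, msgid):
    """Follow one message across local re-injection hops, starting at msgid."""
    by_msgid = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_msgid.setdefault(rec["msgid"], []).append(rec)
    hops, seen = [], set()
    while msgid and msgid not in seen:
        seen.add(msgid)  # stop if the log itself describes a cycle
        recs = by_msgid.get(msgid, [])
        hops.extend(recs)
        msgid = next((r["next_msgid"] for r in recs if r["next_msgid"]), None)
    return hops


def routing_loops(log_text):
    """Envelope ids that failed with enhanced status 5.4.6 (routing loop detected)."""
    recs = filter(None, map(parse_line, log_text.splitlines()))
    return [r["evpid"] for r in recs if r["enhanced"] == "5.4.6"]


if __name__ == "__main__":
    for hop in trace(SAMPLE_LOG, "3ff99b9d"):
        print(hop["evpid"], hop["kind"], hop["result"], hop["stat"])
    print("loops:", routing_loops(SAMPLE_LOG))
```

Newer smtpd releases log space-separated fields with quoted values, so LINE_RE and the field split need adjusting before running this against current logs.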

Unix users and Virtual users

2016-01-25 Thread Mik J
version: OpenSMTPD 5.4.4
Hello,
I already asked a similar question a long time ago but OpenSmtp has changed a lot since then.
a) For the same domain domain.xx, I would like that both, my unix user r...@domain.xx and my virtual user v...@domain.xx, receive mails.
Do I have to make my domain domain.xx virtual or is there a way to handle both unix and virtual users at the same time ?
b) In the case I have to make this domain.xx virtual only, I'll have to create a unix account like _vmail ?
Thank you