Log explanation
Hello,

Does anyone know where I could find an explanation of the different fields in the logs? Example:

34e21ed2c47fe7e3 mta delivery evpid=9765e121d002d97d from= to= rcpt=<-> source="10.1.2.2" relay="66.102.1.27 (wb-in-f27.1e100.net)" delay=1s result="Ok" stat="250 2.0.0 OK 1698365590 i10-20020a05600c354a00b003fefa764302si226827wmq.9 - gsmtp"

What is 34e21ed2c47fe7e3
What is 2.0.0
and so on

Regards
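A field-by-field parse of the delivery line asked about above, as an added example that is not part of the original thread or of OpenSMTPD itself. The field meanings in the comments are this example's reading of the log lines quoted on this page (the `smtp message msgid=` and `smtp envelope evpid=` lines show that a msgid is the first 8 hex digits of an evpid); the enhanced status classes are those of RFC 3463, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Sample lines copied from the posts on this page (the first is the one asked about).
SAMPLE_V4 = ('34e21ed2c47fe7e3 mta delivery evpid=9765e121d002d97d from= to= rcpt=<-> '
             'source="10.1.2.2" relay="66.102.1.27 (wb-in-f27.1e100.net)" delay=1s '
             'result="Ok" stat="250 2.0.0 OK 1698365590 '
             'i10-20020a05600c354a00b003fefa764302si226827wmq.9 - gsmtp"')
SAMPLE_V6 = ('Mar 18 21:10:24 expevelimx711 smtpd[13199]: b0635cde85c7359e mta delivery '
             'evpid=aa0990011e39465d from= to= rcpt=<-> source="[fa12:cafe:eff::3]" '
             'relay="[2a06:d1c0:dead:3::89] (tls-force.measurement.email-security-scans.org)" '
             'delay=5s result="Ok" stat="250 2.0.0 Ok: queued as 7B9DA3F4F8"')

# <session id: 16 hex> <subsystem> <event> key=value ...; a syslog prefix may precede it.
LINE_RE = re.compile(r'(?:^|\s)(?P<session>[0-9a-f]{16}) (?P<subsystem>smtp|mta) '
                     r'(?P<event>[\w-]+)(?P<rest>.*)$')
KV_RE = re.compile(r'(?P<key>[\w-]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')
# stat= carries the remote server's reply: SMTP code, optional enhanced code, free text.
STAT_RE = re.compile(r'^(?P<code>[245]\d\d)(?:[ -](?P<enhanced>[245]\.\d{1,3}\.\d{1,3}))?'
                     r'\s*(?P<text>.*)$')
# relay= is 'address (hostname)'; IPv6 addresses are wrapped in [].
RELAY_RE = re.compile(r'^\[?(?P<addr>[0-9A-Fa-f:.]+)\]?(?: \((?P<host>[^)]*)\))?$')
ENHANCED_CLASS = {"2": "success", "4": "persistent transient failure",
                  "5": "permanent failure"}


def parse_line(line):
    """Return a dict describing one smtpd log line, or None if it is not one."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    fields = {kv["key"]: kv["quoted"] if kv["quoted"] is not None else kv["bare"]
              for kv in KV_RE.finditer(m["rest"])}
    rec = {"session": m["session"],        # ties together all lines of one connection
           "subsystem": m["subsystem"],    # smtp = incoming side, mta = outgoing side
           "event": m["event"], "fields": fields,
           "msgid": None, "smtp_code": None, "enhanced": None, "enhanced_class": None,
           "relay_addr": None, "relay_host": None, "relay_family": None}
    if re.fullmatch(r"[0-9a-f]{16}", fields.get("evpid", "")):
        rec["msgid"] = fields["evpid"][:8]  # envelope id = message id + per-recipient part
    stat = STAT_RE.match(fields.get("stat", ""))
    if stat:
        rec["smtp_code"] = int(stat["code"])
        rec["enhanced"] = stat["enhanced"]
        if stat["enhanced"]:
            rec["enhanced_class"] = ENHANCED_CLASS[stat["enhanced"][0]]
    relay = RELAY_RE.match(fields.get("relay", ""))
    if relay:
        try:
            rec["relay_family"] = ipaddress.ip_address(relay["addr"]).version
            rec["relay_addr"], rec["relay_host"] = relay["addr"], relay["host"]
        except ValueError:
            pass  # relay was not a literal address; leave the relay fields empty
    return rec


def family_counts(lines):
    """Count 'mta delivery' events per address family (4 or 6) of the relay."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "delivery" and rec["relay_family"]:
            counts[rec["relay_family"]] += 1
    return counts


if __name__ == "__main__":
    for sample in (SAMPLE_V4, SAMPLE_V6):
        print(parse_line(sample))
    print(dict(family_counts([SAMPLE_V4, SAMPLE_V6])))
```

Feeding `family_counts` the contents of the mail log gives a quick answer to whether outgoing deliveries actually use IPv6.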
How to bypass rdns filter
Hello,

I have this filter configured

filter check_rdns phase connect match !rdns disconnect "550 no rDNS is so 80s"

It works however all my servers on my LAN that do not have a reverse DNS entry match it. I would like this rule to be valid except for 192.168.1.0/24

Is it possible ?
Re: How to write the rule to avoid spam
Hello Thomas,

Thank you for your answer. However it doesn't work because "from domain..." is an invalid syntax

On Wednesday 5 April 2023 at 11:33:09 UTC+2, Thomas Bohl wrote:

Hello,

> So I would tend to write a rule such as
> match ! from domain for domain action TO-CLAM_SMTPD_IN
> Considering that users that write from mydomain2.org to mydomain1.org
> match the first rule since they are local or authenticated or coming
> from one of the known IPs.
> But this rule is not correct

Hm, maybe like this (untested):

match !auth from domain for domain reject

(Remember, first match wins. So it should be before
match from any for domain action TO-CLAM_SMTPD_IN)
How to write the rule to avoid spam
Hello,

Sometimes I'm getting spam because I have a weakness in my configuration

At the moment I have

action TO-CLAM_SMTPD_IN relay host smtp://127.0.0.1:10027
match from src for domain action TO-CLAM_SMTPD_IN
match from any for domain action TO-CLAM_SMTPD_IN

The table clients is a file that contains IPs including 127.0.0.1, the table domaines is a list of domains that I host on my mail server

My problem is that a spammer is able to send mails to me when it uses a domain that I host.
For example, the file domaines contains mydomain1.org and mydomain2.org
The spammer does

ehlo emtp
mail from:
rcpt to:
data
subject: This is a spam
Spamspamspam
.

So I would tend to write a rule such as
match ! from domain for domain action TO-CLAM_SMTPD_IN
Considering that users that write from mydomain2.org to mydomain1.org match the first rule since they are local or authenticated or coming from one of the known IPs.
But this rule is not correct

Thank you
Re: Mails sent in IPv4 while I expect IPv6
Hello Tobias,

> Did you try reloading the report page?

I went on the report page again today and it seems to me that I have a better score, 8.
When I was trying to set up my myserver and DNS I sometimes had a score of 4 even after improvements.
So yes it seems that, we should not go too fast on the report page otherwise some results may show problematic whereas they're not.

Once again great work

On Sunday 19 March 2023 at 15:37:06 UTC+1, Tobias Fiebig wrote:

Heho,

> - In DMARC Report Deliverability, it's written "To authorize this
> RUA, add the following DMARC DNS record:", first it was not obvious
> to me in which zone I have to add the record, maybe you can write "To
> authorize this RUA, add the following DMARC DNS record in zone
> xyz.org:"
> I guessed it when i read the record
> mydomain.fr._report._dmarc.mydomain.com. IN TXT "v=DMARC1;"
> but it was not 100% obvious, because there was mydomain with
> different extensions

Good point; I will put that on the todo.

> - Transport Encryption "Your email provider/server does not support
> transport encryption. I don't get what I'm doing wrong and what I
> have to do

What may also be the case is that the mail has not yet arrived (the base-tls-support mail has to have arrived for the other TLS mails to be evaluated). Did you try reloading the report page?

With best regards,
Tobias
Re: Mails sent in IPv4 while I expect IPv6
Hello Tobias,

This tool is a great work thank you. I had tested it a few days/weeks ago but I used it again today. I worked things to improve my score (signed the ipv6 reverse zone, added the ipv6 rdns for my mail server).

Notes:
- In DMARC Report Deliverability, it's written "To authorize this RUA, add the following DMARC DNS record:", first it was not obvious to me in which zone I have to add the record, maybe you can write "To authorize this RUA, add the following DMARC DNS record in zone xyz.org:"
I guessed it when i read the record
mydomain.fr._report._dmarc.mydomain.com. IN TXT "v=DMARC1;"
but it was not 100% obvious, because there was mydomain with different extensions
- Transport Encryption "Your email provider/server does not support transport encryption."
I don't get what I'm doing wrong and what I have to do

Here are my logs

Mar 18 21:10:21 expevelimx711 smtpd[13199]: b0635ce3c4e1801b mta cert-check result="unverified" fingerprint="SHA256:38fedffc1f423e85e80bb05d5d4f0570537df597fafee22f6bb6f006edf37bfd"
Mar 18 21:10:21 expevelimx711 smtpd[13199]: b0635ce14999d44a mta delivery evpid=aa099001e75945c4 from= to= rcpt=<-> source="10.1.2.3" relay="195.191.197.82 (tlsv13.measurement.email-security-scans.org)" delay=2s result="Ok" stat="250 2.0.0 Ok: queued as B50E63F4DA"
Mar 18 21:10:22 expevelimx711 smtpd[13199]: b0635ce0c27e897e mta delivery evpid=aa0990012b099f8b from= to= rcpt=<-> source="10.1.2.3" relay="195.191.197.86 (mail.measurement.email-security-scans.org)" delay=3s result="Ok" stat="250 2.0.0 Ok: queued as 1339C3F4EF"
Mar 18 21:10:22 expevelimx711 smtpd[13199]: b0635ce3c4e1801b mta delivery evpid=aa099001ff0c1fff from= to= rcpt=<-> source="10.1.2.3" relay="195.191.197.87 (medium-force-tls.measurement.email-security-scans.org)" delay=3s result="Ok" stat="250 2.0.0 Ok: queued as 43FE63F503"
Mar 18 21:10:23 expevelimx711 smtpd[13199]: b0635cde85c7359e mta tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Mar 18 21:10:23 expevelimx711 smtpd[13199]: b0635cde85c7359e mta cert-check result="unverified" fingerprint="SHA256:04ec5a1f21afe4638022284447af2d8906933e28a6c5180da7557a3efcc3a145"
Mar 18 21:10:24 expevelimx711 smtpd[13199]: b0635c966b5f7eb3 smtp disconnected reason=quit
Mar 18 21:10:24 expevelimx711 smtpd[13199]: b0635c9538e2ec2c mta disconnected reason=quit messages=1
Mar 18 21:10:24 expevelimx711 smtpd[13199]: b0635cde85c7359e mta delivery evpid=aa0990011e39465d from= to= rcpt=<-> source="[fa12:cafe:eff::3]" relay="[2a06:d1c0:dead:3::89] (tls-force.measurement.email-security-scans.org)" delay=5s result="Ok" stat="250 2.0.0 Ok: queued as 7B9DA3F4F8"

After a few hours I found what was the problem with my original question: I had pf running on my system hosting opensmtpd
When I wrote the pf rules, I didn't do anything regarding IPv6.

Thank you very much

Regards

On Friday 17 March 2023 at 14:51:58 UTC+1, tob...@reads-this-mailinglist.com wrote:

Heho,

Just a followup as this is live now; You can also start a test at https://email-security-scans.org/ ; If you select 'store received mails' you can download the messages we got from you (on various MX configured to have v4 only/v6 only/dual-stack) and check how they were delivered by the delivered-to headers (v4/v6).

With best regards,
Tobias
Re: Mails sent in IPv4 while I expect IPv6
Hello,

Sorry to ask the question again but are your mails transmitted in IPv6 ?
Does opensmtpd favor IPv6 over IPv4 when it has the choice ?

Regards

On Thursday 12 January 2023 at 02:35:41 UTC+1, Mik J wrote:

Hello John, Tobias,

Thank you for your answers. I was not favoring the DNS.

* On my mail server

# dig google.fr mx
; <<>> dig 9.10.8-P1 <<>> google.fr mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1014
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.fr. IN MX
;; ANSWER SECTION:
google.fr. 300 IN MX 0 smtp.google.com.
;; ADDITIONAL SECTION:
smtp.google.com. 278 IN 2a00:1450:400c:c02::1a
smtp.google.com. 278 IN 2a00:1450:400c:c07::1b
smtp.google.com. 278 IN 2a00:1450:400c:c08::1a
smtp.google.com. 278 IN 2a00:1450:400c:c08::1b

# dig smtp.google.com
; <<>> dig 9.10.8-P1 <<>> smtp.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9990
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;smtp.google.com. IN
;; ANSWER SECTION:
smtp.google.com. 300 IN 2a00:1450:400c:c07::1b
smtp.google.com. 300 IN 2a00:1450:400c:c02::1a
smtp.google.com. 300 IN 2a00:1450:400c:c08::1b
smtp.google.com. 300 IN 2a00:1450:400c:c08::1a

Then on my DNS I log the queries

11-Jan-2023 22:48:01.846 client @0xf4ff7212d0 10.mailserverIP#40443 (gmail.com): query: gmail.com IN MX + (10.dnserverIP)
11-Jan-2023 22:48:01.854 client @0xf4ff7212d0 10.mailserverIP #32810 (alt2.gmail-smtp-in.l.google.com): query: alt2.gmail-smtp-in.l.google.com IN A + (10.dnserverIP)
11-Jan-2023 22:48:01.854 client @0xf571e5f2d0 10.mailserverIP #17570 (gmail-smtp-in.l.google.com): query: gmail-smtp-in.l.google.com IN A + (10.dnserverIP)
11-Jan-2023 22:48:01.855 client @0xf4a58892d0 10.mailserverIP #14392 (alt1.gmail-smtp-in.l.google.com): query: alt1.gmail-smtp-in.l.google.com IN A + (10.dnserverIP)
11-Jan-2023 22:48:01.855 client @0xf5223412d0 10.mailserverIP #31444 (alt4.gmail-smtp-in.l.google.com): query: alt4.gmail-smtp-in.l.google.com IN A + (10.dnserverIP)
11-Jan-2023 22:48:01.856 client @0xf4df0972d0 10.mailserverIP #1669 (alt3.gmail-smtp-in.l.google.com): query: alt3.gmail-smtp-in.l.google.com IN A + (10.dnserverIP)
11-Jan-2023 22:48:01.869 client @0xf571e5f2d0 10.mailserverIP #10862 (gmail-smtp-in.l.google.com): query: gmail-smtp-in.l.google.com IN + (10.dnserverIP)
11-Jan-2023 22:48:01.876 client @0xf5223412d0 10.mailserverIP #11052 (alt2.gmail-smtp-in.l.google.com): query: alt2.gmail-smtp-in.l.google.com IN + (10.dnserverIP)
11-Jan-2023 22:48:01.877 client @0xf4a58892d0 10.mailserverIP #31097 (alt1.gmail-smtp-in.l.google.com): query: alt1.gmail-smtp-in.l.google.com IN + (10.dnserverIP)
11-Jan-2023 22:48:01.877 client @0xf4ff7212d0 10.mailserverIP #15242 (alt4.gmail-smtp-in.l.google.com): query: alt4.gmail-smtp-in.l.google.com IN + (10.dnserverIP)
11-Jan-2023 22:48:01.878 client @0xf5336c82d0 10.mailserverIP #1836 (alt3.gmail-smtp-in.l.google.com): query: alt3.gmail-smtp-in.l.google.com IN + (10.dnserverIP)

On my mail server logs I can see that IPv6 is not used

Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017a91b90aff8 smtp connected address=127.0.0.1 host=localhost
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017a91b90aff8 smtp message msgid=d1edf87d size=1104 nrcpt=1 proto=ESMTP
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017a91b90aff8 smtp envelope evpid=d1edf87d4087c230 from= to=
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017a91b90aff8 smtp disconnected reason=quit
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017ac667d462b mta connecting address=smtp://127.0.0.1:10025 host=localhost
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017ac667d462b mta connected
Jan 11 22:47:56 mailserver clamsmtpd: 100181: accepted connection from: 127.0.0.1
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017ada88be21f smtp connected address=127.0.0.1 host=localhost
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017ada88be21f smtp message msgid=da09c4a0 size=1339 nrcpt=1 proto=ESMTP
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017ada88be21f smtp envelope evpid=da09c4a09c71da8f from= to=
Jan 11 22:47:56 mailserver smtpd[20101]: 3c9017ac667d462b mta delivery evpid=d1edf87d4087c230 from= to= rcpt=<-> source="127.0.0.1" relay="127.0.0.1 (localhost)" delay=0s result="Ok" stat="250 2.0.0 da09c4a0 Message accepted for deliv
Re: Mails sent in IPv4 while I expect IPv6
ost=localhost
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017af9e152f41 mta connected
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017b0b9b5ff23 smtp connected address=127.0.0.1 host=localhost
Jan 11 22:48:01 mailserver dkimproxy.out[53636]: DKIM signing - signed; message-id=<05793887b3def150dcc2054d56510...@mydomain.org>, signer=, from=
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017b0b9b5ff23 smtp message msgid=9e291457 size=2269 nrcpt=1 proto=ESMTP
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017b0b9b5ff23 smtp envelope evpid=9e29145712d79b97 from= to=
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017af9e152f41 mta delivery evpid=da09c4a09c71da8f from= to= rcpt=<-> source="127.0.0.1" relay="127.0.0.1 (localhost)" delay=5s result="Ok" stat="250 2.0.0 9e291457 Message accepted for delivery"
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017b3991746f4 mta connecting address=smtp://64.233.184.27:25 host=wa-in-f27.1e100.net
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017b3991746f4 mta connected
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017b3991746f4 mta tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Jan 11 22:48:01 mailserver smtpd[20101]: 3c9017b3991746f4 mta cert-check result="unverified" fingerprint="SHA256:c52373769af03068082fccc8a93a45de2aef4ad6d6e279020dfc73b7373d720c"
Jan 11 22:48:02 mailserver smtpd[20101]: 3c9017b3991746f4 mta delivery evpid=9e29145712d79b97 from= to= rcpt=<-> source="10.mailserverIP" relay="64.233.184.27 (wa-in-f27.1e100.net)" delay=1s result="Ok" stat="250 2.0.0 OK 1673473682 i22-20020a05600c355600b003cf484ba59dsi18528521wmq.122 - gsmtp"
Jan 11 22:48:06 mailserver smtpd[20101]: 3c9017ada88be21f smtp disconnected reason=quit

The last rules in my configuration are

action VERS-DKIM_OUT relay host smtp://127.0.0.1:10029
match from local tag CLAM_OUT for any action VERS-DKIM_OUT
action RELAIE relay
match from local tag DKIM_SIGNE for any action RELAIE

Does opensmtpd favor IPv6 over IPv4 or does it favor IPv4 ?

Regards

On Wednesday 11 January 2023 at 20:11:47 UTC+1, John Batteen wrote:

When I've run into this before, it was DNS. My resolver needed to be configured to default to ipv6 responses. Not sure that will fix your issue but it's a place to look.

Good luck,
John

On 1/10/2023 8:20 PM, Mik J wrote:

Hello,

My server has an IPv6 address and is able to contact gmail mail server

$ telnet 2a00:1450:400c:c0a::1a 25
Trying 2a00:1450:400c:c0a::1a...
Connected to 2a00:1450:400c:c0a::1a.
Escape character is '^]'.
220 mx.google.com ESMTP q7-20020a05600c46c700b003d9f3cf68d3si5203102wmo.92 - gsmtp

I relay using this rule

action RELAIE relay
match from local tag DKIM_SIGNE for any action RELAIE

But when I look at my logs, the mails are sent over IPv4

smtpd[30274]: 79ebd464bef0b2e0 mta delivery evpid=d2651839f3f0795f from= to= rcpt=<-> source="10.1.2.2" relay="142.251.5.27 (wg-in-f27.1e100.net)" delay=1s result="Ok" stat="250 2.0.0 OK 1673402672 g14-20020adfa48e00b00285261d0e19si12019405wrb.385 - gsmtp"

Any idea why this would happen ?

version: OpenSMTPD 7.0.0
Mails sent in IPv4 while I expect IPv6
Hello,

My server has an IPv6 address and is able to contact gmail mail server

$ telnet 2a00:1450:400c:c0a::1a 25
Trying 2a00:1450:400c:c0a::1a...
Connected to 2a00:1450:400c:c0a::1a.
Escape character is '^]'.
220 mx.google.com ESMTP q7-20020a05600c46c700b003d9f3cf68d3si5203102wmo.92 - gsmtp

I relay using this rule

action RELAIE relay
match from local tag DKIM_SIGNE for any action RELAIE

But when I look at my logs, the mails are sent over IPv4

smtpd[30274]: 79ebd464bef0b2e0 mta delivery evpid=d2651839f3f0795f from= to= rcpt=<-> source="10.1.2.2" relay="142.251.5.27 (wg-in-f27.1e100.net)" delay=1s result="Ok" stat="250 2.0.0 OK 1673402672 g14-20020adfa48e00b00285261d0e19si12019405wrb.385 - gsmtp"

Any idea why this would happen ?

version: OpenSMTPD 7.0.0
Re: Redirect queue to another smtp
Hello Maksim, Marcus,

thank you for your answers.

On Sunday 14 August 2022 at 21:02:27 UTC+2, Marcus MERIGHI wrote:

Hello Mik,

mikyde...@yahoo.fr (Mik J), 2022.08.14 (Sun) 05:14 (CEST):
> I have received some mails on my "SMTP2" which is misconfigured and
> mails are stuck in the queue. They look like that
> 25eed6a533daaed1|inet4|mda||cxxx@gmail.com|m...@e.xxx|m...@e.xxx|1660443800|1660443800|0|17|pending|181|"mail.maildir:
> No such file or directory"
> Is there a way to resend them to "SMTP1" ?
> I have tried to add rules such as
> action TO-SMTP1 relay host smtp://10.1.2.2:25
> match mail-from " cxxx@gmail.com" for any action TO-SMTP1
> Or even
> action TO-SMTP1 relay host smtp://10.1.2.2:25
> match from any for any action TO-SMTP1

$ doas find /var/spool/smtpd/ -type f
/var/spool/smtpd/queue/6e/6e800d91/6e800d911b1d350c
/var/spool/smtpd/queue/6e/6e800d91/message

"message" is, hum, the message.
"6e800d911b1d350c" is the control data of OpenSMTPd:

$ doas cat /var/spool/smtpd/queue/6e/6e800d91/6e800d911b1d350c
version: 3
dispatcher: outbound # <= the "action" that was applied
type: mta
smtpname: fifi.foo.bar
helo: localhost
hostname: fifi.foo.bar
sockaddr: local
sender: a...@def.gh
rcpt: i...@lmn.op
dest: i...@lmn.op
ctime: 1660479966
last-try: 0
last-bounce: 0
ttl: 0
retry: 0
flags: authenticated
dsn-notify: 0

With this information, look for the smtpd.conf(5) "action" named "outbound" and change it to do what you want it to do. Restart smtpd(8) afterwards, delivery according to your new "action" will start shortly.

Marcus
Redirect queue to another smtp
Hello,

I have received some mails on my "SMTP2" which is misconfigured and mails are stuck in the queue. They look like that

25eed6a533daaed1|inet4|mda||cxxx@gmail.com|m...@e.xxx|m...@e.xxx|1660443800|1660443800|0|17|pending|181|"mail.maildir: No such file or directory"

Is there a way to resend them to "SMTP1" ?

I have tried to add rules such as

action TO-SMTP1 relay host smtp://10.1.2.2:25
match mail-from " cxxx@gmail.com" for any action TO-SMTP1

Or even

action TO-SMTP1 relay host smtp://10.1.2.2:25
match from any for any action TO-SMTP1

I didn't have any success. What can we do when mails are stuck in the queue ?
Re: Converting from old format to new format
Thank you for your answer

I wrote this line as you suggested

action DELIVRE_VIRTUELS maildir "/home/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" rcpt-to virtual

But the syntax seems to be incorrect

On Sunday 23 August 2020 at 11:33:40 UTC+2, Archange wrote:

On 22/08/2020 at 22:23, Mik J wrote:

In old format I had

accept tagged CLAM_IN for domain virtual deliver to maildir "/home/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir"

In new format I wrote

action DELIVRE_VIRTUELS maildir "/home/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir"
match tag CLAM_IN for domain rcpt-to action DELIVRE_VIRTUELS

The table points to a file that looks like this

domain1.org
*.domain2.org

The table points to a file that looks like this

i...@domain1.org myu...@domain1.org
myu...@domain1.org _vmail

The error message displayed is

/etc/mail/smtpd.conf:64: table "utilisateurs" may not be used for rcpt-to lookups

Your config should read:

action DELIVRE_VIRTUELS maildir "/home/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" rcpt-to virtual
match tag CLAM_IN for domain action DELIVRE_VIRTUELS
Converting from old format to new format
Hello,

I'm trying to convert my old configuration to the new format and I'm missing some bits

I used to use the following instruction

expire 4h

I'm not sure how is it known in the new format: queue ttl delay ?

--

limit mta for domain gmail.com inet4

I have no idea about this one

--

In old format I had

accept tagged CLAM_IN for domain virtual deliver to maildir "/home/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir"

In new format I wrote

action DELIVRE_VIRTUELS maildir "/home/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir"
match tag CLAM_IN for domain rcpt-to action DELIVRE_VIRTUELS

The table points to a file that looks like this

domain1.org
*.domain2.org

The table points to a file that looks like this

i...@domain1.org myuser@domain1.org
myu...@domain1.org _vmail

The error message displayed is

/etc/mail/smtpd.conf:64: table "utilisateurs" may not be used for rcpt-to lookups

Do you have any idea ?
Re: Non stop /bsd: smtpctl[51626]: pledge "fattr", syscall 124
Hello,

Thank you for your answers.
I did nothing except applying the errata patches.
So after reading your emails I recompiled libc

# cd /usr/src/lib/libc && make obj && make && make install

And in the past 15 minutes I have not seen any more messages.
Let's see how it goes

On Tuesday 7 January 2020 at 17:17:43 UTC+1, Martijn van Duren wrote:

Quite some time I made a change that made smtpctl use tmpfile(3).
Are your kernel, libc and smtpctl all up to date? (e.g. did you compile smtpctl from source without updating libc)

martijn@

On 1/7/20 5:04 PM, Johannes Krottmayer wrote:
> On 07.01.20 at 07:22, Mik J wrote:
>> Hello,
>>
>> I keep having these logs in my /var/log/messages do you know what this
>> means ?
>> Jan 7 06:51:01 v /bsd: smtpctl[51626]: pledge "fattr", syscall 124
>> Jan 7 06:52:01 v /bsd: smtpctl[64532]: pledge "fattr", syscall 124
>> Jan 7 06:52:01 v /bsd: smtpctl[13532]: pledge "fattr", syscall 124
>> Jan 7 06:53:01 v /bsd: smtpctl[20480]: pledge "fattr", syscall 124
>> Jan 7 06:53:01 v /bsd: smtpctl[70486]: pledge "fattr", syscall 124
>> Jan 7 06:54:01 v /bsd: smtpctl[88165]: pledge "fattr", syscall 124
>> Jan 7 06:54:01 v /bsd: smtpctl[96175]: pledge "fattr", syscall 124
>> Jan 7 06:55:01 v /bsd: smtpctl[22724]: pledge "fattr", syscall 124
>> Jan 7 06:55:01 v /bsd: smtpctl[56931]: pledge "fattr", syscall 124
>> Jan 7 06:55:01 v /bsd: smtpctl[99044]: pledge "fattr", syscall 124
>>
>> Thank you
>
> FYI:
>
> The pledge mechanism is a security feature from OpenBSD.
>
> In your case it means that the kernel AFAIK has prevent "smtpctl" to call
> the function "fattr".
>
> Details:
> https://man.openbsd.org/pledge.2
>
> Cheers,
> Johannes K.
Non stop /bsd: smtpctl[51626]: pledge "fattr", syscall 124
Hello,

I keep having these logs in my /var/log/messages do you know what this means ?

Jan 7 06:51:01 v /bsd: smtpctl[51626]: pledge "fattr", syscall 124
Jan 7 06:52:01 v /bsd: smtpctl[64532]: pledge "fattr", syscall 124
Jan 7 06:52:01 v /bsd: smtpctl[13532]: pledge "fattr", syscall 124
Jan 7 06:53:01 v /bsd: smtpctl[20480]: pledge "fattr", syscall 124
Jan 7 06:53:01 v /bsd: smtpctl[70486]: pledge "fattr", syscall 124
Jan 7 06:54:01 v /bsd: smtpctl[88165]: pledge "fattr", syscall 124
Jan 7 06:54:01 v /bsd: smtpctl[96175]: pledge "fattr", syscall 124
Jan 7 06:55:01 v /bsd: smtpctl[22724]: pledge "fattr", syscall 124
Jan 7 06:55:01 v /bsd: smtpctl[56931]: pledge "fattr", syscall 124
Jan 7 06:55:01 v /bsd: smtpctl[99044]: pledge "fattr", syscall 124

Thank you
Re: RBLs?
Hello Gilles,

I'm not at all familiar with filters but it seems to me that everyone has its own way to fight spam: shell script, python script, filters...

Right now I'm not able to avoid spam I use spamd and grey/black listing but it's not enough. I don't find a simple way to avoid mails with a specific regexp in the subject or body of the mail. Or synchronise with RBLs or ask opensmtpd to make some checks.
"if IP of the sender is not a mx for the sender domain then reject" with an opensmtpd rule.
"if subject of the domain is in table then reject"

That's what I mean by native. Probably you'll answer that the goal of smtpd is to deliver mails not to do this kind of tasks.

Regards

On Sunday 30 June 2019 at 13:47:04 UTC+2, Gilles Chehade wrote:

On Sat, Jun 29, 2019 at 01:03:46PM +, Mik J wrote:
> Hello,

Hello,

> I'm also interested in this topic. A lot of spam are still passing through.
> On my personal mailbox, I receive almost no spam. But on addresses that are
> visible on a website I receive spam, two/three per day many are blocked
> though.
> I have the same strategy as Thomas and use spamd and spam trap mails.
>

I'm currently working on bringing a filter-rspamd to life, see:

https://poolp.org/posts/2019-06-30/june-2019-report-fion-bpg-and-smtpd/

> Joerg your filter looks nice but I don't understand how it works. I'm looking
> forward to have something native with opensmtpd, spam is a pain.
>

I don't understand what you mean by "native".

--
Gilles Chehade @poolpOrg
https://www.poolp.org patreon: https://www.patreon.com/gilles

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: RBLs?
Hello,

I'm also interested in this topic. A lot of spam are still passing through.
On my personal mailbox, I receive almost no spam. But on addresses that are visible on a website I receive spam, two/three per day many are blocked though.
I have the same strategy as Thomas and use spamd and spam trap mails.

Joerg your filter looks nice but I don't understand how it works. I'm looking forward to have something native with opensmtpd, spam is a pain.

Regards

On Friday 21 June 2019 at 14:08:00 UTC+2, Joerg Jung wrote:

On 20. Jun 2019, at 00:40, Thomas Smith wrote:

Hi,

I’ve been using a combination of OpenSMTPd and spamd on OpenBSD (currently at 6.5) for some time and with success. However, there are still some false-negatives and I’m looking at ways of reducing those. One way is by making use of RBLs. (I’ve evaluated delivered spam and the majority of it seems to be coming from IPs that are on various blacklists but aren’t being caught by greylisting.)

spamd doesn’t support RBLs, at least that I’ve found, it can only use lists that can be downloaded locally—the particular service I’m wanting to use only provides DNS-based RBLs.

So that’s my problem… I’m looking for ways of including an RBL in either spamd or OpenSMTPd, preferring to stay in OpenBSD base as much as possible. (In other words, I’d prefer to not rip out spamd or replace or supplement it with SpamAssassin or rspamd—I’d rather find a solution that will plugin _specifically_ for RBLs without all of the other bloat that SpamAssassin and similar products bring.

Can anyone offer some input on this please? I’m not opposed to writing an OpenSMTPd filter, though I’d need to locate some documentation for that (I’ve looked but haven’t been able to find it, so I’m probably looking in the wrong places—suggestions welcomed).

I’ve written a filter already: https://www.umaxx.net/dl/filter-dnsbl-0.4.tar.gz
Don’t expect support, see other mails and comments from Gilles on the filter topic.
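How a DNS-based RBL lookup of the kind discussed in this thread works, as an added example; it is not code from filter-dnsbl, spamd or OpenSMTPD. The zone `dnsbl.example.org` and all function names are placeholders, and the resolver is injectable so the logic can be exercised without network access.

```python
import ipaddress
import socket

# DNSBLs answer "listed" with A records inside 127.0.0.0/8 (RFC 5782).
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the name to resolve: reversed address labels followed by the list zone.

    IPv4 is reversed per octet, IPv6 per nibble of the fully expanded address.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".")


def system_resolver(name):
    """Return the A records for name, or [] on NXDOMAIN or any resolver error.

    Treating errors as 'not listed' fails open: mail keeps flowing if the list
    is unreachable. That is a policy choice of this example.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_dnsbl(ip, zone, exempt=("127.0.0.0/8", "::1/128"), resolve=system_resolver):
    """Check one connecting address against one DNSBL zone.

    exempt lists networks that are never queried (loopback by default; a LAN
    range can be added by the caller).
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(net) for net in exempt):
        return {"listed": False, "codes": [], "query": None}
    query = dnsbl_query_name(ip, zone)
    codes = []
    for answer in resolve(query):
        try:
            # Ignore answers outside 127.0.0.0/8: a parked or wildcarded zone
            # would otherwise make every sender look listed.
            if ipaddress.ip_address(answer) in LISTED_NET:
                codes.append(answer)
        except ValueError:
            continue
    return {"listed": bool(codes), "codes": codes, "query": query}


# Constructed resolver data for an offline demonstration (documentation addresses).
FAKE_ZONE = {
    "99.2.0.192.dnsbl.example.org": ["127.0.0.2"],     # listed
    "10.2.0.192.dnsbl.example.org": ["203.0.113.7"],   # bogus answer, must be ignored
}


def fake_resolver(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.99", "192.0.2.10", "192.0.2.11", "127.0.0.1"):
        print(ip, check_dnsbl(ip, "dnsbl.example.org", resolve=fake_resolver))
```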
Intercepting mails with opensmtpd
Hello,

I didn't find the right syntax to intercept a mail.

Server (www) => Server opensmtpd (relay) => other server such as gmail

There is spam (along with legitimate mails) coming from the www server and opensmtp is relaying them to other mtas such as gmail.

I wanted for a short time period to redirect all mails coming from a specific mail address that is relayed by opensmtpd to my mailbox. Unfortunately I couldn't find the right way to do so.

accept from source sender "" deliver to maildir "/home/mail/mydomain1/myuser/Maildir"

is a table containing the IP of the www server

So this rule doesn't seem to match for some reason. Do you have an idea ?

PS: Please don't ask me to fix the security hole on the www server, it's interesting to know how the answer about the opensmtpd rule
Rule to prevent spam from my domain
Hello,

I have written rules for my opensmtpd but some spams are passing through. The ones that I go through have a source like em...@mydomain.org and are sent to i...@mydomain.org

I'm wondering if some of you have written this kind of rule ?

reject from source ! sender for domain

Regards
root privileges for smtpctl show stats
Hello,

I can see that retrieving the statistics requires root privileges

$ /usr/sbin/smtpctl show stats
smtpctl: need root privileges

But in my opinion some users should be able to retrieve these stats. In my context, it's the snmpd process which tries to retrieve the stats.

Regards
Re: Opensmtpd failover
Thank you everyone for replying to my question.

First I think to work on the backup mx server (without any storage), as it was suggested. And see how it goes.

On Wednesday 5 December 2018 at 10:31:35 UTC+1, Gilles Chehade wrote:

On Wed, Dec 05, 2018 at 10:21:13AM +0100, Aham Brahmasmi wrote:
> Hello Craig,
>
> > > But why? Just deliver it and be done. Can't see many drawbacks in
> > > that.
> > >
> >
> > Backup MX servers don't have any mail storage, nor IMAP/POP daemon.
> >
> > They are another hop along the delivery path to the primary MX servers.
> >
> >
> >
> > Backup MX machines are not the message's final destination;-
> >
> > Pretend you are going to the world's biggest party, which is held every
> > New Year's Eve in Edinburgh, so you board an aeroplane to Edinburgh.
> >
> > But the snow hits Scotland, so your aeroplane lands in London. England
> > is not your final destination. It is a backup airport in a different
> > country. You have not travelled to the party capital. So you wait/spool
> > in London until Edinburgh airport is receiving traffic. Then then you
> > get the next flight to your final destination & Hogmanay for 3 days.
>
> Thank you for the excellent analogy.
>
> I will now never forget that Edinburgh is The Party Capital.
>
> And that Scotland is a different country than England :) .
>

that has got to be the best analogy I read :-))

--
Gilles Chehade @poolpOrg
https://www.poolp.org tip me: https://paypal.me/poolpOrg
Opensmtpd failover
Hello, I'm wondering how to do a proper mail server failover. Let's say smtp1 is down, the internet client resolves the other mx with a lower priority and the mail goes to smtp2. Now smtp2 writes the message on the disk in order to store it. What do you people do in order to have a common storage for both smtp which can be correct regardless whether a smtp goes up or down. How do you manage the failover ? Thank you
Re: people using elk / grafana ?
Hello Gilles,

I use ELK and cacti, that's why I made a feature request a few months ago regarding the monitoring.

In cacti/snmp: I want to poll OID and see if mail volume grow. Long term trends
In ELK: I want to detect spam, where is it coming from etc. if you can see the image, this is what I graph for spamd.

In october I relocated my mx from cloud to my server running opensmtpd. But it's still low volume.

On Tuesday 13 November 2018 at 18:00:05 UTC+1, Gilles Chehade wrote:

HELO,

I'm looking for people that are regular users of ELK / Grafana or alike.

I'd like to discuss improvements that can be made to the event reporting mechanism to ease integration with monitoring and alerting tools.

If creating dashboards and alerts is part of your daily routing, ping me so we can talk.

--
Gilles Chehade @poolpOrg
https://www.poolp.org tip me: https://paypal.me/poolpOrg
Re: How to deal with spam and opensmtpd
I don't know how it works for you but for me these marketing companies change their IPs every week (they use a few different subnets every week).
So this task can be very time consuming.

On Thursday 19 April 2018 at 13:31:33 UTC+2, Martijn van Duren <opensm...@list.imperialat.at> wrote:

Hello Mik,

On 04/19/18 13:18, Mik J wrote:
> Thank you Simon for your answer.
>
> Actually, this marketing company is not doing heavy spam so they qualify mail
> addresses then have time to retry to send their email.
> Their unsubscribe button is worthless.
>
> Another option could be to subscribe their services with a spamtrap address.
>
> But I was wondering what do you guys use to filter content of emails at the
> smtp server level.

For these kind of cases I keep it rather low-tech. I added the following line to my smtpd.conf:

reject from any sender for any

and just manually add the spam addresses to this table.

>
> Regards
>
> On Wednesday 18 April 2018 at 22:50:32 UTC+2, Simon McFarlane <s...@desu.ne.jp> wrote:
>
> On 04/18/2018 01:44 AM, Mik J wrote:
> > What other (not spamd and spamassassin) do you use ?
>
> I use bgp-spamd [1] and a hand-assembled blacklist (using
> dovecot-pigeonhole) of certain terms that usually only appear in spam.
> It's not as good as SpamAssassin but it seems to stop the majority of
> the spam I get. I'm down from 2-3 spam messages per day to one 10 days
> or so.
>
> Simon
>
> [1] https://bgp-spamd.net/
Re: How to deal with spam and opensmtpd
Thank you Simon for your answer. Actually, this marketing company is not doing heavy spam so they qualify mail addresses then have time to retry to send their email. Their unsubscribe button is worthless. Another option could be to subscribe their services with a spamtrap address. But I was wondering what do you guys use to filter content of emails at the smtp server level. Regards On Wednesday 18 April 2018 at 22:50:32 UTC+2, Simon McFarlane <s...@desu.ne.jp> wrote: On 04/18/2018 01:44 AM, Mik J wrote: > What other (not spamd and spamassassin) do you use ? I use bgp-spamd [1] and a hand-assembled blacklist (using dovecot-pigeonhole) of certain terms that usually only appear in spam. It's not as good as SpamAssassin but it seems to stop the majority of the spam I get. I'm down from 2-3 spam messages per day to one 10 days or so. Simon [1] https://bgp-spamd.net/
How to deal with spam and opensmtpd
Hello, I'm using Openbsd and Opensmtpd + Spamd. I have been able to reduce the spam. However there are some marketing companies that constantly change their IPs and pass through the greylisting, they really attempt to send the mail (multiple times). I looked at bogofilter and it looks nice. However I would like to know if there's a way for opensmtpd to work with bogofilter, so that the mails can be trashed or classified as spam. First I read that bogofilter works at the user level, I'd like it to work at the server mail level. What other (not spamd and spamassassin) do you use ? Regards
Re: warn: smtpd: parent_forward_open
Hello all, What do you think about my initial question. When I receive an email, I have the following message warn: smtpd: parent_forward_open: /var/mail/_vmail: No such file or directory With /var/mail... not /var/rep... like I wrote in my first message I don't store my mails in /var/mail/_vmail. I mounted a NFS share to another server and the mount point is not /var/mail This message comes from smtpd.c if (stat(directory, ) < 0) { log_warn("warn: smtpd: parent_forward_open: %s", directory); return -1; } or if (errno == ELOOP) ... else log_warn("warn: smtpd: parent_forward_open: %s", pathname); return -1; Regards On Wednesday 3 January 2018 at 15:25:25 UTC+1, Scott Court <z...@z5t1.com> wrote: That's ok; it's all good. One thing though: I noticed that there have been several API version bumps between 6.0.2 and the current git version in smtpd/smtpd-api.h (namely PROC_*_API_VERSION has been bumped from 1 to 2). When I was working with the git version the other day I realized that this change in the API version breaks backwards compatibility with any extras that have been installed (from OpenSMTPD-extras). This makes me wonder if this 6.0.3 release might actually warrant a larger version number bump (maybe to 6.1.0 or even 7.0.0) to signify this backwards incompatible change. On Tue, Jan 02, 2018 at 09:43:52AM -0500, Scott Court wrote: On 01/01/2018 07:19 PM, Mik J wrote: # smtpd -h version: OpenSMTPD 6.0.0 Also, if anyone knows why 6.0.2 is not the version shipped in the latest 6.2 openbsd. Thanks I have been wondering about this myself. After taking a look at the code in the OpenBSD CVS tree though, it looks like the "6.0.0" version of OpenSMTPD shipped with OpenBSD 6.2 is actually not the 6.0.0 version available on opensmtpd.org. It appears that it is actually closer to a recent fork of the CVS version of OpenSMTPD.
Additionally, the OpenSMTPD version in OpenBSD has been upgraded with the release of OpenBSD 6.1 and 6.2; however, the version number seems to stay at "6.0.0" for some reason. I tried building OpenSMTPD 6.0.2 from source the other day, just to find out it was actually older than the "6.0.0" version in my stock OpenBSD 6.2. This seems very strange to me. You are absolutely right. We used to have a release process specifically for OpenSMTPD when it was using git as a main repository and synchronized to OpenBSD but since the switch we never discussed our versioning despite the fact that there is a different workflow and we often have many minor commits that we do not think warrant a version update... but causes OpenSMTPD to have different code for identical versions. In the meantime, I have bumped the version in OpenBSD -current to 6.0.3, this will make it obvious that the code is more ahead than on github. This weekend, I will update the code on github and prepare a 6.0.3 minor release so everyone gets the same code for that version, then we'll have a discussion on how we will prevent this from happening in the future. This was entirely my fault so... apologies
warn: smtpd: parent_forward_open
Hello, I have this message in my logs but it's surprising since no reference to /var/mail is present in my opensmtpd.conf smtpd[78301]: warn: smtpd: parent_forward_open: /var/rep/_vmail: No such file or directory table utilisateurs file:/etc/mail/utilisateurs accept tagged CLAM_IN for domain virtual deliver to maildir "/home/rep/_vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" $ cat /etc/mail/utilisateurs myu...@mydomain.org _vmail It's like there's something like a hardcoded default path # smtpd -h version: OpenSMTPD 6.0.0 Also, if anyone knows why 6.0.2 is not the version shipped in the latest 6.2 openbsd. Thanks
Syslog messages and opensmtpd
Hello, Do you know where I can find a full list of different syslog messages that can be sent by opensmtpd ? I'm using logstash to match parameters but the syslog messages are not clear to me. Examples:
6a933eae3e6c0974 smtp event=closed reason=quit
6a933eadd23a179c mta event=closed reason=quit messages=1
I think the first string is the smtp session
mta event=delivery evpid=50795e11e05548d5 from=<> to=rcpt=<-> source=- relay=sxerexd.top delay=1d1h1m21s result=TempFail stat=Network error on destination MXs || smtp-out: No valid route for [connector:[]->[relay:sxerexd.top],0x0]
6a933e7f7f1d1849 mta event=connecting address=smtp+tls://139.199.1.220:25 host=139.199.1.220
6a933e5f37f31b53 mta event=error reason=Connection timeout
So sometimes it starts with a smtp session number, sometimes with 000... sometimes with smtp-out. It seems the logs are not standardised. Also it seems to me that from that message
6a933e5f37f31b53 mta event=error reason=Connection timeout
it's very hard to identify what mail is causing the problem. Matching the smtp session I found this
6a933e5f37f31b53 mta event=connecting address=smtp+tls://139.199.1.220:25 host=139.199.1.220
but it's very hard to understand which domain is faulty or constantly faulty. Thank you
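The correlation asked for in the message above (which destination is behind a bare `event=error` line), as an added example that is not part of the original post or of OpenSMTPD: it parses the `key=value` lines and joins each `event=error` to the earlier `event=connecting` line carrying the same session id. The field grammar is inferred from the quoted lines only, and the sample log, function names and addresses are constructed for the example.

```python
import re
from collections import Counter

# Assumed line shape, inferred from the lines quoted in the message:
#   [<16-hex session id>] <smtp|mta> event=<name> key=value ...
# The session id is optional because some quoted lines lack it.
LINE_RE = re.compile(
    r"(?:\b(?P<sid>[0-9a-f]{16})\s+)?\b(?P<sub>smtp|mta)\s+(?P<rest>event=.*)$"
)
# A key opens a field only at the start of the text or after whitespace, so a
# value may contain spaces ("reason=Connection timeout") or '=' inside a token.
KEY_RE = re.compile(r"(?:^|\s)([a-z][a-z0-9_-]*)=")
DELAY_RE = re.compile(r"(\d+)([dhms])")
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

# Constructed sample (syslog prefix, ids and addresses are made up).
SAMPLE_LOG = """\
Aug 21 09:00:01 mx smtpd[31407]: a1b2c3d4e5f60001 mta event=connecting address=smtp+tls://192.0.2.10:25 host=192.0.2.10
Aug 21 09:00:31 mx smtpd[31407]: a1b2c3d4e5f60001 mta event=error reason=Connection timeout
Aug 21 09:05:01 mx smtpd[31407]: a1b2c3d4e5f60002 mta event=connecting address=smtp+tls://192.0.2.10:25 host=192.0.2.10
Aug 21 09:05:31 mx smtpd[31407]: a1b2c3d4e5f60002 mta event=error reason=Connection timeout
Aug 21 09:06:00 mx smtpd[31407]: a1b2c3d4e5f60003 smtp event=closed reason=quit
Aug 21 09:06:02 mx smtpd[31407]: mta event=delivery evpid=a1b2c3d4e5f6aaaa from=<a@example.org> to=<b@example.net> rcpt=<-> source=- relay=example.net delay=1d1h1m21s result=TempFail stat=Network error on destination MXs
Aug 21 09:07:00 mx smtpd[31407]: a1b2c3d4e5f60004 mta event=closed reason=quit messages=1
"""


def parse_line(line):
    """Return {'sid', 'sub', 'fields'} for an smtp/mta event line, else None."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    rest = m.group("rest")
    keys = list(KEY_RE.finditer(rest))
    fields = {}
    for i, key in enumerate(keys):
        # A value runs up to the next " key=" boundary or the end of the line.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(rest)
        fields[key.group(1)] = rest[key.end():end].strip().strip('"')
    return {"sid": m.group("sid"), "sub": m.group("sub"), "fields": fields}


def delay_seconds(text):
    """Convert a delay such as '1d1h1m21s' to seconds."""
    return sum(int(n) * UNIT_SECONDS[u] for n, u in DELAY_RE.findall(text))


def failing_destinations(lines):
    """Map each destination to a Counter of failure reasons.

    mta 'error' events are attributed to the host seen in the 'connecting'
    event of the same session; TempFail deliveries are attributed to 'relay'.
    """
    host_by_sid = {}
    failures = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sub"] != "mta":
            continue
        f = rec["fields"]
        event = f.get("event")
        if event == "connecting" and rec["sid"]:
            host_by_sid[rec["sid"]] = f.get("host", f.get("address", "unknown"))
        elif event == "error":
            dest = host_by_sid.get(rec["sid"], "unknown")
            failures.setdefault(dest, Counter())[f.get("reason", "unknown")] += 1
        elif event == "delivery" and f.get("result") == "TempFail":
            dest = f.get("relay", "unknown")
            failures.setdefault(dest, Counter())[f.get("stat", "unknown")] += 1
    return failures


if __name__ == "__main__":
    for dest, reasons in failing_destinations(SAMPLE_LOG.splitlines()).items():
        for reason, count in reasons.items():
            print(f"{dest}: {count} x {reason}")
```

The same key-boundary rule can be carried into a logstash pipeline with a `kv` stage once the session id and subsystem have been split off.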
Re: Grok patterns for opensmtpd
On Tuesday 23 May 2017 at 9:47, Mik J <mikyde...@yahoo.fr> wrote: Hello, I would like to know if some of you already worked on Grok patterns for opensmtpd with logstash.
Re: Messages stuck in queue don't show up with smtpctl
On Tuesday 23 May 2017 at 10:09, Mik J <mikyde...@yahoo.fr> wrote: Version: 6.0.2 Hello, The smtpctl doesn't show me any result
# smtpctl show queue
# smtpctl show message 03fbbf757050fe8c
smtpctl: fopen: No such file or directory
# smtpctl show envelope 03fbbf757050fe8c
smtpctl: fopen: No such file or directory
But my server is constantly trying to connect to some servers
smtpd[31407]: 03fbbf757050fe8c mta event=connecting address=smtp+tls://x.x.68.171:25 host=x.x.68.171
smtpd[31407]: 03fbbf76f1f61135 mta event=connecting address=smtp+tls://x.x.68.183:25 host=x.x.68.183
smtpd[31407]: 03fbbf7701630140 mta event=connecting address=smtp+tls://x.x.68.170:25 host=x.x.68.170
These are bulkmail.cn.com MTAs. If I try to find where this is coming from
May 22 23:01:18 myserver smtpd[53]: cbf8cde01d31da9e smtp event=connected address=133.130.114.91 host=v133-130-114-91.a045.g.tyo1.static.cnode.io
May 22 23:01:19 myserver smtpd[53]: cbf8cde01d31da9e smtp event=message msgid=66bfe7d4 from=<q...@bulkmail.cn.com> to=<cont...@mydomain.org> size=26145 ndest=1 proto=ESMTP
May 22 23:01:20 myserver smtpd[53]: cbf8cde01d31da9e smtp event=closed reason=quit
My MTA wants to reply that cont...@mydomain.org doesn't exist and tries on and on. Does anyone know how to stop my MTA from trying to reply back to this domain ?
Re: Opensmtpd with multiple certificates
Hello Bruno, Edgar, Thank you for sharing. You wrote domain1.com and domain2.com but you don't use them thereafter
pki domain1.com certificate "/etc/smtpd/tls/domain1.com.crt"
pki domain1.com key "/etc/smtpd/tls/domain1.com.key"
pki domain2.com certificate "/etc/smtpd/tls/domain2.com.crt"
pki domain2.com key "/etc/smtpd/tls/domain2.com.key"
listen on hostname port 25 tls
Also, could you repeat what is , a table of IP addresses ? Could you post your complete configuration because I don't understand it right now
On Sunday 14 May 2017 at 16:16, Bruno Pagani <bruno.pag...@ens-lyon.org> wrote: On 14/05/2017 at 15:45, Edgar Pettijohn wrote: On 05/14/17 07:20, Bruno Pagani wrote: On 14/05/2017 at 09:59, Mik J wrote: Thank you Edgar, You wrote multiple IP addresses. Does it mean that 1 IP address = 1 certificate ? Can't we do 1 IP address = x certificates ? No, you can do 1 IP = x certs, thanks to SNI. I do that, my conf:
pki domain1.com certificate "/etc/smtpd/tls/domain1.com.crt"
pki domain1.com key "/etc/smtpd/tls/domain1.com.key"
pki domain2.com certificate "/etc/smtpd/tls/domain2.com.crt"
pki domain2.com key "/etc/smtpd/tls/domain2.com.key"
listen on hostname port 25 tls
The hostname part is only necessary if you want to advertise a specific hostname when contacted without SNI. The important thing is to not specify a pki. Regards, Bruno I think I used two because the table is a mapping from an ip to a name. I'll have to give this a try. It’s a table if you use the hostnameS parameter. But you’re not forced to. It helps if you’re facing servers without SNI. But I don’t expect any such server to be compliant with modern mail rules (SPF,DKIM…) anyway, or even to check the certificate/support non-broken crypto. Bruno
Opensmtpd with multiple certificates
Hello, I would like to know if it's possible to use multiple certificates/keys with opensmtpd
domain.com has MX mx.domain.com
acme.com has MX mx.acme.com
When a client (remote mta such as gmail) connects to my server, my opensmtpd should send the according certificate. Something like virtual hosts with httpd. Otherwise, what should I do when my opensmtpd server hosts multiple domains with multiple mx records. Thank you
Spamd question with Spamtrap
Hello, Spamd has been really efficient in blocking spam. A few of them passed through once in a while but there's no discomfort. But, I'm not able to use spamtrap.
# spamdb -T -a ""
# spamdb | grep SPAMTRAP
SPAMTRAP|
But when I telnet port 25 and try to send a mail, a GREY entry is created, and after the holdtime mail are passing through
1) During the GREY phase, my PF redirects connections to spamd
match in on $ext_if proto tcp to $ext_if port 25 rdr-to $mailserver port 25
pass in quick on $ext_if proto tcp from any to $mailserver port 25 divert-to 127.0.0.1 port 8025
2) But after the holdtime flows bypass spamd and go directly to the mail server
pass in log (to pflog1) quick on $ext_if proto tcp from to $mailserver port 25 flags S/SA modulate state
And I placed PF rules in this order
match in on $ext_if proto tcp to $ext_if port 25 rdr-to $mailserver port 25
pass in log (to pflog1) quick on $ext_if proto tcp from to $mailserver port 25 flags S/SA modulate state
pass in quick on $ext_if proto tcp from any to $mailserver port 25 divert-to 127.0.0.1 port 8025
Do you see anything abnormal or have advice ? Regards
Re: plans for 2017
Hello Gilles, Thanks too for sharing. I've implemented a quick and dirty way to retrieve statistics with bind and spamd through snmp. I could do the same with opensmtpd but the traffic of my mail server is close to 0 at the moment. I just wanted to say that in a real production environment monitoring is quite important for instance with snmp. I don't know if other people using opensmtpd share this opinion. However, thank you all for the good work On Thursday 9 February 2017 at 11:26, Gilles Chehade wrote: On Thu, Feb 09, 2017 at 10:48:14AM +0100, Mischa wrote: > Hi Gilles, > > Thank you for expressing your plans. Looking forward to the changes. > Keep it coming, you are doing great things! > Thanks Also, when we've made a bit of progress, we're going to explain a bit more where we're going with the filters, the goal is not to keep it a secret until last day but to allow us to move forward without all the noise that would happen from the "i'd do it differently" people ;-) Regarding the MTA changes we know exactly what we want to do but there is a bit of a chicken & the egg issue with the last changes that were mentioned. The idea is that we can achieve an MTA layer implem which is isofunctional to the current one with most of the complexity that is currently taking charge of optimizing routing, reusing connections and managing limits entirely gone. This will not only improve quality but also allow for new features which are painful to implement today, as they require touching a very tricky brick of code. Regarding the later changes all I can say for now is that it is going to imply a configuration file format change, we'll probably find ways to retain some syntactic sugar but we're essentially going to have the envelope template (the accept part) decorrelated from the action (the deliver to / relay part) which seems like an innocent change but will have (GOOD) implications on pretty much *every* layer of the daemon.
Now i'm done with the explaining, still swamped for a few days and I will dive back into the code. Gilles > > On 9 Feb 2017, at 10:44, Gilles Chehade wrote: > > > > Hello misc@, > > > > It's been calm for a while due to "real-life (tm)" events that had > > to be handled in priority as far as I'm concerned, I don't know of > > the reasons why the others are slacking though :-) > > > > I've been willing to send this mail for a while to outline some of > > the big plans for 2017 regarding OpenSMTPD and some of the changes > > that are planned in different parts of the daemon. > > > > > > > > First of all, regarding filters, since that's the question that is > > coming the more often: > > > > Filters are neither dead or alive. > > We have implemented an API and the mechanics to make that API work > > and this is what people started using while we warned them not to. > > > > Turns out that while implementing a specific filter I hit an issue > > which made it clear that there was a fundamental design issue with > > the mechanics below the API that couldn't be worked around without > > requiring a non-trivial refactor. > > > > We had a long chat with eric@ about this design issue and how this > > could be redesigned in a way that all the work we've done is still > > usable and we figured a way which will reuse a big part of what we > > already did, which guarantees that we will not find a design error > > later down the chain and which as a bonus simplifies the daemon. 
> > > > We're going to be working towards this way but now that we have an > > experience in how providing the code early turned into a nightmare > > for me, we'll work in a private branch then show the diff when the > > code is working enough that it can be part of snapshots :-) > > > > > > > > Then, regarding the MTA we're going to do a pass of simplification > > because the code has evolved into something quite complex and from > > experience gathered in the mail industry these last few years, the > > code can be made much more efficient while MUCH simpler. > > > > > > > > Finally, there is ongoing work that's going to span over months to > > improve some configuration structures which is going to have a lot > > of interesting side-effects which I'm going to keep as a surprise, > > but that are going to be impressive. I personally look forward to > > this more than filters given the amounts of improvements this will > > unlock in many areas ranging from configuration, to reload, to MTA > > and MDA. > > > > > > Stay tuned ! > > > > > > -- > > Gilles Chehade > > > > https://www.poolp.org @poolpOrg
Re: OpenSmtpd not RFC compliant ?
Thank you Gilles for this clarification > On Monday 30 January 2017 at 9:35, Gilles Chehade <gil...@poolp.org> wrote: > > On Sun, Jan 29, 2017 at 08:12:21PM +, Mik J wrote: >> Hello Gilles, >> Thank you for your answer. >> For the first point I have this rule table domains file:/etc/mail/domains >> table users file:/etc/mail/users >> accept tagged CLAM_IN for domain virtual > deliver to maildir > "/var/mail/vmail/%{rcpt.domain}/%{dest.user}/Maildir" >> In /etc/mail/domains I have mydomain.org >> In /etc/mail/users I have u...@mydomain.org _vmail >> I read a few times what you wrote and - "all variations of cases within > the domain will match that rule as they refer to the same domain" => I > agree - "they will all deliver to the same local user as far as OpenSMTPD is > concerned" => With virtual users it didn't work like that for me > when I wrote the message so after your email I did tests and search and saw > this > option %{dest.user:lowercase} which seem to solve my problem. >> From what I understood in the RFC, upper case and lower case should be the > same for the user part and I shouldn't have had to specify that lowercase > option, it should have worked by default in my humble opinion and if my > understanding in english is correct. >> > > That's because you assume that the delivery method is covered by the > RFC which it isn't. The SMTP RFC covers SMTP, it doesn't cover mbox, > maildir, virtual users, virtual domains and whatnot. > > Turns out that by default virtual users work the way I explained, if > you use virtual domains with virtual users and request Maildir or > mbox, you will find no problem happens. > > But in your case, you explicitly asked for the path to include the > domain and this domain is not normalized by default, it's up to the > user to normalize it with the filters as you figured.
> > > >> For my second point the %{rcpt.domain:lowercase} option solved my > problem >> Thank you for these explanations >> > > -- > Gilles Chehade > > https://www.poolp.org @poolpOrg
Difference between rcpt and dest
Hello, I didn't understand the difference between %{rcpt.user} and %{dest.user} %{rcpt.domain} and %{dest.domain} I've had issues with rcpt.xxx when I tried to redirect mails webmas...@mydomain1.org to u...@mydomain.org It worked only with dest.xxx and I'll probably stick with it. My question is what's the difference between both and when should we use rcpt.xxx ? Regards
Re: OpenSmtpd not RFC compliant ?
Hello Gilles, Thank you for your answer. For the first point I have this rule
table domains file:/etc/mail/domains
table users file:/etc/mail/users
accept tagged CLAM_IN for domain virtual deliver to maildir "/var/mail/vmail/%{rcpt.domain}/%{dest.user}/Maildir"
In /etc/mail/domains I have mydomain.org
In /etc/mail/users I have u...@mydomain.org _vmail
I read a few times what you wrote and - "all variations of cases within the domain will match that rule as they refer to the same domain" => I agree - "they will all deliver to the same local user as far as OpenSMTPD is concerned" => With virtual users it didn't work like that for me when I wrote the message so after your email I did tests and search and saw this option %{dest.user:lowercase} which seem to solve my problem. From what I understood in the RFC, upper case and lower case should be the same for the user part and I shouldn't have had to specify that lowercase option, it should have worked by default in my humble opinion and if my understanding in english is correct. For my second point the %{rcpt.domain:lowercase} option solved my problem. Thank you for these explanations On Sunday 29 January 2017 at 17:09, Gilles Chehade <gil...@poolp.org> wrote: On Sat, Jan 28, 2017 at 09:35:01PM +, Mik J wrote: > Version: OpenSMTPD 5.9.2 > Hello, Hello, > I know that my version is not the latest but my question might still be valid. > * > The RFC5321 states in paragraph 2.4 that "Mailbox domains follow normal DNS > rules and are hence not case sensitive." But when I write to emails like > u...@mydomain.org or u...@mydomain.org or u...@mydomain.org they arrive in > different subdirectories # ls MyDomain.org mydomain.org MYDOMAIN.ORG > so it seems to me that opensmtpd doesn't follow the RFC This is not correct and slightly out of context. Let me clarify: "Mailbox domains follow normal DNS rules and are hence not case sensitive."
This means that sending to x...@opensmtpd.org or x...@opensmtpd.org is essentially the same and implies that the MX handling opensmtpd.org will also handle the OpenSMTPD.org and oPENsmtpd.ORG domains. As far as OpenSMTPD goes, if your smtpd.conf states: accept for domain opensmptd.org [...] Then all variations of cases within the domain will match that rule as they refer to the same domain and they will all deliver to the same local user as far as OpenSMTPD is concerned. There is no violation of the RFC here. Your problem, which I'm going to guess because you didn't show a config, is in how you declared the delivery should take place once the message has been accepted. > * > The RFC also states this"The local-part of a mailbox MUST BE treated as case > sensitive." > How can I ignore the case sensitive in the local part (the name) ? > You can't. While RFC states that the local-part of a mailbox MUST BE treated as case sensitive, it also states a few paragraphs earlier: [...] due to a long history of problems when intermediate hosts have attempted to optimize transport by modifying them, the local-part MUST be interpreted and assigned semantics only by the host specified in the domain part of the address. Which essentially means that as long as a node is not a final destination it must not try to make sense of addresses and forward them AS IS but the final destination may have its own semantics assigned to the local-part. The local-part is the part before the @ in the email address. As far as OpenSMTPD goes: 1- during the SMTP transaction the domain is considered case-insensitive as I explained above and the local-part is considered case-sensitive, the envelope we save on disk retains the case for both parts. 2- if the mail is to be relayed, the address is forwarded AS IS using the same case as it had when we received it. 
3- if the MX is the final destination, then our semantics is to fold the user-part to lowercase and consider that OpenSMTPD only knows how to deliver to system usernames that are all lowercase. In all cases, the address as displayed in DATA part of mail (in headers) will retain the case it had when submitted. You can't alter the behavior for 3, it is a design decision that we took to keep code simpler, less error and ambiguity prone and we have no intent to change that. -- Gilles Chehade https://www.poolp.org @poolpOrg
OpenSmtpd not RFC compliant ?
Version: OpenSMTPD 5.9.2 Hello, I know that my version is not the latest but my question might still be valid. * The RFC5321 states in paragraph 2.4 that "Mailbox domains follow normal DNS rules and are hence not case sensitive." But when I write to emails like u...@mydomain.org or u...@mydomain.org or u...@mydomain.org they arrive in different subdirectories
# ls
MyDomain.org mydomain.org MYDOMAIN.ORG
so it seems to me that opensmtpd doesn't follow the RFC * The RFC also states this "The local-part of a mailbox MUST BE treated as case sensitive." How can I ignore the case sensitive in the local part (the name) ? Thank you
How to both redirect to console and screen
Hello, It is possible to redirect the boot sequence to the console using # cat /etc/boot.conf set tty com0 But then there is no screen output. How is it possible to have both of them ? Thank you
Re: My aliases don't work
Hello Edgar, Sorry. This is a very simple question but yet didn't find the answer. I have a machine m1 which is a webserver. On openbsd there are daily reports and I want them to be sent to an external address.
# grep ^root /etc/mail/aliases
root: myexternaladdr...@mydomain.org
After modifying the aliases files I run the command
# newaliases
My opensmtpd configuration is very simple
listen on lo0
table aliases file:/etc/mail/aliases
accept from local for any relay via smtp://192.168.1.1
As I'm writing this message I realise that the line "table aliases file:/etc/mail/aliases" is useless, but fair enough. My problem is when I do: # mail -s "Resolv" root < /etc/resolv.conf it writes to r...@m1.mydomain.org instead of myexternaladdr...@mydomain.org So it looks like the aliases file is ignored. Do you know why ? What's the right way to do it ? My web server should use my local mail server as a relay which is going to sign emails etc. Thank you
On Wednesday 7 September 2016 at 0:34, Edgar Pettijohn <ed...@pettijohn-web.com> wrote: > > >On 16-09-06 21:53:14, Mik J wrote: > >> Hello, >> This is a very simple question but yet didn't find the answer.I have a >> machine m1 which is a webserver. On openbsd there are daily reports and I >> want them to be sent to an external address. >> # grep ^root /etc/mail/aliasesroot: myexternaladdress@mydomain.orgAfter >> modifying the aliases files I run the command newaliases >> My opensmtpd configuration is very simplelisten on lo0table aliases >> file:/etc/mail/aliasesaccept from local for any relay via smtp://192.168.1.1 >> As I'm writing this message I realise that the line table aliases >> file:/etc/mail/aliases is useless, but fair enough >> My problem is when I do: # mail -s "Resolv" root < /etc/resolv.conf it >> writes to r...@m1.mydomain.org instead of myexternaladdress@mydomain.orgSo >> it looks like the aliases file is ignored. Do you know why ? >> What's the right way to do it ?My web server should use my local mail server >> as a relay which is going to sign emails etc. >> Thank you >Your message is all globbed up. Please resend with full smtpd.conf. > >Thanks, >-- >Edgar Pettijohn
My aliases don't work
Hello, This is a very simple question but yet didn't find the answer.I have a machine m1 which is a webserver. On openbsd there are daily reports and I want them to be sent to an external address. # grep ^root /etc/mail/aliasesroot: myexternaladdress@mydomain.orgAfter modifying the aliases files I run the command newaliases My opensmtpd configuration is very simplelisten on lo0table aliases file:/etc/mail/aliasesaccept from local for any relay via smtp://192.168.1.1 As I'm writing this message I realise that the line table aliases file:/etc/mail/aliases is useless, but fair enough My problem is when I do: # mail -s "Resolv" root < /etc/resolv.conf it writes to r...@m1.mydomain.org instead of myexternaladdress@mydomain.orgSo it looks like the aliases file is ignored. Do you know why ? What's the right way to do it ?My web server should use my local mail server as a relay which is going to sign emails etc. Thank you
Re: Can't map an address to another one
This is the full debug -vd smtp-in: Accepted message 3ff99b9d on session 7c7d334d52c5ec39: from=<personal...@gmail.com>, to=<i...@mydomain.org>, size=2625, ndest=1, proto=ESMTP debug: scheduler: evp:3ff99b9d4918e017 scheduled (mta) debug: mta: received evp:3ff99b9d4918e017 for <i...@mydomain.org> debug: mta: draining [relay:127.0.0.1,port=10027,mx] refcount=1, ntask=1, nconnector=0, nconn=0 debug: mta: querying MX for [relay:127.0.0.1,port=10027,mx]... debug: mta: [relay:127.0.0.1,port=10027,mx] waiting for MX debug: MXs for domain 127.0.0.1: 127.0.0.1 preference -1 debug: mta: ... got mx (0x4326ee92420, 127.0.0.1, [relay:127.0.0.1,port=10027,mx]) debug: mta: draining [relay:127.0.0.1,port=10027,mx] refcount=1, ntask=1, nconnector=0, nconn=0 debug: mta: querying source for [relay:127.0.0.1,port=10027,mx]... debug: mta: ... got source for [relay:127.0.0.1,port=10027,mx]: [] debug: mta: new [connector:[]->[relay:127.0.0.1,port=10027,mx],0x1] debug: mta: connecting with [connector:[]->[relay:127.0.0.1,port=10027,mx],0x0] debug: mta-routing: searching new route for [connector:[]->[relay:127.0.0.1,port=10027,mx],0x0]... debug: mta-routing: selecting candidate route [] <-> 127.0.0.1 debug: mta-routing: spawning new connection on [] <-> 127.0.0.1 debug: mta: 0x432cc955670: spawned for relay [relay:127.0.0.1,port=10027,mx] debug: mta: connecting with [connector:[]->[relay:127.0.0.1,port=10027,mx],0x0] debug: mta: cannot use [relay:127.0.0.1,port=10027,mx] before 2s debug: mta-routing: no route available for [connector:[]->[relay:127.0.0.1,port=10027,mx],0x0]: must wait a bit debug: mta: retrying to connect on [connector:[]->[relay:127.0.0.1,port=10027,mx],0x0] in 2s... debug: mta: draining [relay:127.0.0.1,port=10027,mx] refcount=3, ntask=1, nconnector=1, nconn=1 debug: mta: scheduling relay [relay:127.0.0.1,port=10027,mx] in 1s... smtp-out: Connecting to smtp://127.0.0.1:10027 (localhost) on session 7c7d335771506ae9... 
smtp-out: Connected on session 7c7d335771506ae9 debug: smtp: new client on listener: 0x432be182000 smtp-in: New session 7c7d33580678232e from host localhost [127.0.0.1] debug: mta-routing: route [] <-> 127.0.0.1 (localhost) is now valid. debug: mta: connecting with [connector:[]->[relay:127.0.0.1,port=10027,mx],0x2] debug: mta: cancelling connector timeout debug: mta: enough connections already debug: mta: 0x432cc955670: handling next task for relay [relay:127.0.0.1,port=10027,mx] smtp: 0x432e87af000: fd 9 from queue smtp: 0x432e87af000: fd 11 from filter debug: smtp: 0x432e87af000: data io done (2927 bytes) filter: deferring eom query... filter: running eom query... debug: 0x432e87af000: end of message, msgflags=0x smtp-in: Accepted message be9a78f5 on session 7c7d33580678232e: from=<personal...@gmail.com>, to=<i...@mydomain.org>, size=2927, ndest=1, proto=ESMTP debug: scheduler: evp:be9a78f5243ffd00 scheduled (mta) relay: Ok for 3ff99b9d4918e017: session=7c7d335771506ae9, from=<personal...@gmail.com>, to=<i...@mydomain.org>, rcpt=<->, source=127.0.0.1, relay=127.0.0.1 (localhost), delay=0s, stat=250 2.0.0: be9a78f5 Message accepted for delivery debug: mta: waiting for 1s before next transaction debug: mta: received evp:be9a78f5243ffd00 for <i...@mydomain.org> debug: mta: draining [relay:127.0.0.1,port=10023,mx] refcount=1, ntask=1, nconnector=0, nconn=0 debug: mta: querying source for [relay:127.0.0.1,port=10023,mx]... debug: mta: ... got source for [relay:127.0.0.1,port=10023,mx]: [] debug: mta: new [connector:[]->[relay:127.0.0.1,port=10023,mx],0x1] debug: mta: connecting with [connector:[]->[relay:127.0.0.1,port=10023,mx],0x0] debug: mta-routing: searching new route for [connector:[]->[relay:127.0.0.1,port=10023,mx],0x0]... 
debug: mta-routing: skipping route [] <-> 127.0.0.1 (localhost): cannot use before 5s (delay after connect) debug: mta-routing: no route available for [connector:[]->[relay:127.0.0.1,port=10023,mx],0x0]: must wait a bit debug: mta: retrying to connect on [connector:[]->[relay:127.0.0.1,port=10023,mx],0x0] in 5s... debug: mta: draining [relay:127.0.0.1,port=10023,mx] refcount=2, ntask=1, nconnector=1, nconn=0 debug: mta: scheduling relay [relay:127.0.0.1,port=10023,mx] in 1s... debug: mta: flush for 3ff99b9d4918e017 (-> i...@mydomain.org) smtp-in: Closing session 7c7d334d52c5ec39
On Sunday 21 August 2016 at 9:54, Mik J <mikyde...@yahoo.fr> wrote: Hello, This is my configuration
table domains file:/etc/mail/domaines
table aliases file:/etc/mail/aliases
table users file:/etc/mail/users
table courriels file:/etc/mail/courriels
table passwords file:/etc/mail/passwords
table clients file:/etc/mail/clients
max-message-size 50M
pki smtp.mydomain.org certificate "/etc/ssl/certs/smtp.mydomain.org.crt"
pki smtp.mydomain.org key "/etc/ssl/private/smtp.mydomain.org.key"
Re: Can't map an address to another one
55: 1 message sent. In these logs I see
Aug 21 09:38:10 mysmtp smtpd[1986]: delivery: Ok for d2dd91a7a2457a23: from=<personal...@gmail.com>, to=<u...@mydomain.org>, rcpt=<i...@mydomain.org>, user=vmail, method=maildir, delay=0s, stat=Delivered
But then the mail is received in its own mailbox
# cat /var/mail/vmail/mydomain.org/info/Maildir/new/1471765090.2083.smtp.mydomain.org
Return-Path: personaladd@gmail.com
Delivered-To: i...@mydomain.org...
Received: by mail-x-x.google.com with SMTP id l203so114910462oib.1 for <i...@mydomain.org>; Sun, 21 Aug 2016 00:38:05 -0700 (PDT)
Regards
On Sunday 21 August 2016 at 1:14, Edgar Pettijohn <ed...@pettijohn-web.com> wrote:
I think your entire smtpd.conf would be useful as well as logs.
Sent from my iPhone
On Aug 20, 2016, at 5:57 PM, Mik J <mikyde...@yahoo.fr> wrote:
Hello, I want to use some kind of alias addresses like mails sent to i...@mydomain.org would arrive in u...@mydomain.org. Both are on my mail server.
# cat /etc/mail/users
i...@mydomain.org user@mydomain.org
u...@mydomain.org vmail
In my smtpd.conf
table users file:/etc/mail/users
accept tagged CLAM_IN for domain virtual deliver to maildir "/var/mail/vmail/%{rcpt.domain}/%{rcpt.user}/Maildir"
NB: This is the first rule
When I send a mail to i...@mydomain.org it doesn't arrive in u...@mydomain.org, it arrives in its own mailbox. I don't really understand why. Does this configuration seem correct or did I miss something?
Can't map an address to another one
Hello, I want to use some kind of alias addresses like mails sent to i...@mydomain.org would arrive in u...@mydomain.org. Both are on my mail server.
# cat /etc/mail/users
i...@mydomain.org user@mydomain.org
u...@mydomain.org vmail
In my smtpd.conf
table users file:/etc/mail/users
accept tagged CLAM_IN for domain virtual deliver to maildir "/var/mail/vmail/%{rcpt.domain}/%{rcpt.user}/Maildir"
NB: This is the first rule
When I send a mail to i...@mydomain.org it doesn't arrive in u...@mydomain.org, it arrives in its own mailbox. I don't really understand why. Does this configuration seem correct or did I miss something?
Re: What is the correct syntax in opensmtpd
Thank you for your answer. Indeed I didn't think about this option.
On Wednesday 17 August 2016 at 21:50, Edgar Pettijohn <ed...@pettijohn-web.com> wrote:
Sent from my iPhone
On Aug 17, 2016, at 2:41 PM, Mik J <mikyde...@yahoo.fr> wrote:
Hello, I have two rules like these
accept from local for domain relay via smtp://127.0.0.1:10023
accept from source for domain relay via smtp://127.0.0.1:10023
Seems like you could add your local IPs to the myips table.
Is there a way to make only one rule? If a mail is local OR coming from some IPs I trust then relay the mails
Regards
What is the correct syntax in opensmtpd
Hello, I have two rules like these
accept from local for domain relay via smtp://127.0.0.1:10023
accept from source for domain relay via smtp://127.0.0.1:10023
Is there a way to make only one rule? If a mail is local OR coming from some IPs I trust then relay the mails
Regards
Monitoring opensmtpd with snmp
Hello, I would like to know if monitoring opensmtpd with snmp is supported. If yes, what are the OIDs? The goal would be something like monitoring the queue and retrieving the statistics in a standard way (snmp). Regards
Re: How to have two different policies to send emails
Hello Olivier, Thank you for your answer, it helped me and I ended up using this configuration
listen on 10.255.89.250 port 25 tls pki mx.domain.org auth-optional
listen on 10.255.89.250 port 587 tls-require pki mx.domain.org auth
# To Dkimproxy
accept from local for any relay via smtp://127.0.0.1:10025
accept from source for any relay via smtp://127.0.0.1:10025
I wanted to have a simple configuration without authentication for some specific IPs that might have certain software. But for all other users on the internet, they would be authenticated before sending mails.
Regards
On Saturday 30 July 2016 at 14:57, Olivier Burelli <oliv...@burelli.fr> wrote:
On Fri, 29 Jul 2016 13:02:58 + (UTC) Mik J <mikyde...@yahoo.fr> wrote:
Hello Mik J.
egress is the routed interface.
If I understood your case you have to:
_ configure PF (with divert-to) for your specific requirements
_ configure opensmtpd to define your policies. (you can also use specific tag and redirection for it)
I added in attachment an overview of my implementation of opensmtpd + spamd + clamav & spamassassin (via filter) + bgpd + ...
And sorry I am not a designer, the picture reflects only my understanding. I guess I did not err.
> Hello,
> I would like to have two different policies for clients (MUA) that send
> mails.
> - Clients (applications) that send mails without authentication, they
> have a specific IP address
> - Clients (users) that send mails with an authentication, I don't know their
> IP address
> For case 1, it works
> listen on 10.1.1.1
> accept from source for any relay
> For case 2, there are examples in the man (I know that authenticated users
> are considered local)
depends if they are defined as virtual or not. However, from my point of view a user always has to provide authentication. From my point of view, the MTA has to knock on the door and has to try first to open a TLS exchange.
> listen on egress tls pki mail.example.com auth
> accept for any relay
If you perform netstat -na -f inet you will see that you request opensmtpd to listen on a specific port. For example:
###
#
## Deliver : treatment depends from the flow ()
#
# Manage flow
listen on lo0 port 10030 tag DKIM_OUT # outgoing email to another MTA
#
# Inbound
listen on lo0 port 25 filter sub
listen on egress port 25 filter all hostname daenerys.burelli.fr tls pki daenerys.burelli.fr auth-optional
listen on egress port 587 filter sub hostname daenerys.burelli.fr tls-require pki daenerys.burelli.fr auth
netstat -na -f inet :
tcp 0 0 127.0.0.1.10030 *.* LISTEN
tcp 0 0 127.0.0.1.25 *.* LISTEN
tcp 0 0 95.130.9.14.25 *.* LISTEN
tcp 0 0 95.130.9.14.587 *.* LISTEN
tcp 0 0 127.0.0.1.10029 *.* LISTEN
tcp 0 0 127.0.0.1.783 *.* LISTEN
tcp 0 0 127.0.0.1.8026 *.* LISTEN
tcp 0 0 127.0.0.1.8025 *.* LISTEN
You have also to indicate the flow with.
###
#
## Allow to deliver
#
accept from any for domain virtual deliver to lmtp "/var/dovecot/lmtp" rcpt-to # deliver via lmtp
accept for local alias deliver to mbox
###
#
## Relay
#
# Tagged mail returned from DKIM
accept tagged DKIM_OUT for any relay
#
# Start here (inbound)
accept from local for any relay via smtp://127.0.0.1:10029 # to DKIM_OUT
> I don't understand fully the line listen on egress tls pki mail.example.com
> auth because in the man page, the egress word is not defined OpenBSD manual
> pages To what correspond the egress word ?
> Regarding case 1 + case 2 I'm afraid there could be a conflict between listen
> on 10.1.1.1 and listen on egress...
> Do you have any idea on how to reach this ?
>
--
regards, Olivier
Start Opensmtpd with a key protected by password
Hello, I'm able to start opensmtpd manually as it prompts me for the password for the private key. However, I don't know how to do this automatically so opensmtpd starts at boot.
# /etc/rc.d/smtpd start
smtpdpassphrase for hostname.org:
I looked at the man but didn't find any directive. Regards
How to have two different policies to send emails
Hello, I would like to have two different policies for clients (MUA) that send mails.
- Clients (applications) that send mails without authentication, they have a specific IP address
- Clients (users) that send mails with an authentication, I don't know their IP address
For case 1, it works
listen on 10.1.1.1
accept from source for any relay
For case 2, there are examples in the man (I know that authenticated users are considered local)
listen on egress tls pki mail.example.com auth
accept for any relay
I don't understand fully the line
listen on egress tls pki mail.example.com auth
because in the man page, the egress word is not defined
OpenBSD manual pages
What does the egress word correspond to? Regarding case 1 + case 2 I'm afraid there could be a conflict between listen on 10.1.1.1 and listen on egress... Do you have any idea on how to reach this?
Opensmtpd crash because of loop (version: 5.9.1)
version: 5.9.1
Hello, I'm configuring Opensmtpd with dkimproxy and of course I did many tests but one email is stuck somewhere and makes the daemon crash.
smtpd.conf
listen on 127.0.0.1
listen on 127.0.0.1 port 10028 tag DKIM_OUT # Emails from dkimproxy
listen on 10.x.x.x # Emails from clients
# Mails tagged received from dkimproxy_out are sent outside
accept tagged DKIM_OUT for any relay
# Mails received from local or authorised networks are sent to dkimproxy
accept from local for any relay via smtp://127.0.0.1:10027
accept from source for any relay via smtp://127.0.0.1:10027
dkimproxy_out.conf
# specify what address/port DKIMproxy should listen on
listen 127.0.0.1:10027
# specify what address/port DKIMproxy forwards mail to
relay 127.0.0.1:10028
# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain mydomain.com
# specify what signatures to add
signature dkim(c=relaxed)
signature domainkeys(c=nofws)
# specify location of the private key
keyfile /var/dkimproxy_private.key
# specify the selector (i.e. the name of the key record put in DNS)
selector selector1
I'm not saying my configuration is good or that I didn't do anything wrong, but to me opensmtpd shouldn't crash. It should do another action but not crash.
Regards
# smtpd -vd
debug: mta: waiting for 1s before next transaction
debug: mta: flush for d52ef88fdf8981ad (-> r...@mymx.mydomain.com)
debug: mta: received evp:8b6db1a643cfeb5d for
debug: mta: draining [relay:mymx.mydomain.com] refcount=3, ntask=3, nconnector=1, nconn=1
debug: mta: [relay:mymx.mydomain.com] waiting for connector
mta: timeout for session hangon
debug: mta: 0xe4560120670: handling next task for relay [relay:mymx.mydomain.com]
mta: timeout for session hangon
debug: mta: 0xe45c8c20670: handling next task for relay [relay:127.0.0.1,port=10027,mx]
smtp: 0xe4600176000: fd 11 from queue
smtp: 0xe4600176000: fd 13 from filter
smtp: 0xe45ee852000: fd 15 from queue
smtp: 0xe45ee852000: fd 17 from filter
warn: loop detected: Undefined error: 0
debug: smtp: 0xe4600176000: data io done (133750 bytes)
smtp-in: Failed command on session 1e3ede1e65cff40a: "DATA" => 500 5.4.6 Routing loop detected: Loop detected
relay: PermFail for 4477466d6c1e0f40: session=1e3ede1dbb8fd8f2, from= , to= , rcpt=<->, source=10.1.1.2, relay=10.1.1.2 (mymx.mydomain.com), delay=3s, stat=500 5.4.6 Routing loop detected: Loop detected
debug: mta: waiting for 1s before next transaction
filter: eom not received yet
debug: mta: flush for 4477466d6c1e0f40 (-> r...@mymx.mydomain.com)
debug: queue: bouncing evp:4477466d6c1e0f40 as evp:4477466df0027753
debug: scheduler: evp:4477466df0027753 scheduled (bounce)
debug: bounce: new message 4477466d
debug: bounce: adding report 4477466df0027753: r...@mymx.mydomain.com: 500 5.4.6 Routing loop detected: Loop detected
debug: bounce: drain: nmessage=1 running=0
debug: bounce: next message not ready yet
debug: bounce: setting timer
debug: smtp: 0xe45ee852000: data io done (272204 bytes)
filter: deferring eom query...
filter: running eom query...
debug: 0xe45ee852000: end of message, msgflags=0x
smtp-in: Accepted message 536b9882 on session 1e3ee0b37b2eb128: from=<>, to= , size=272204, ndest=1, proto=ESMTP
debug: scheduler: evp:536b98820ca287a8 scheduled (mta)
debug: mta: received evp:536b98820ca287a8 for
debug: mta: draining [relay:mymx.mydomain.com] refcount=3, ntask=3, nconnector=1, nconn=1
debug: mta: [relay:mymx.mydomain.com] waiting for connector
relay: Ok for a781d87f733b347e: session=1e3ee0b24957ff6b, from=<>, to= , rcpt=<->, source=127.0.0.1, relay=127.0.0.1 (localhost), delay=1s, stat=250 2.0.0: 536b9882 Message accepted for delivery
debug: mta: waiting for 1s before next transaction
debug: mta: flush for a781d87f733b347e (-> u...@mymx.mydomain.com)
mta: timeout for session hangon
debug: bounce: timeout
debug: bounce: drain: nmessage=1 running=0
debug: bounce: requesting new enqueue socket...
debug: bounce: enough sessions running
debug: mta: 0xe4560120670: handling next task for relay [relay:mymx.mydomain.com]
mta: timeout for session hangon
debug: mta: 0xe45c8c20670: no task for relay [relay:127.0.0.1,port=10027,mx]
mta: debug: last connection: hanging on for 9s
debug: smtp: new client on listener: 0xe45a62ca000
smtp-in: New session 1e3ee0f6c4669080 from host mymx.mydomain.com [local]
smtp-in: Failed command on session 1e3ede1e65cff40a: "MAIL FROM:<>" => 503 5.5.1 Invalid command: Command not allowed at this point.
debug: bounce: got enqueue socket 5
debug: bounce: new session 0xe458e0e2200
relay: PermFail for a0a53973398497c8: session=1e3ede1dbb8fd8f2, from=<>, to= , rcpt=<->, source=10.1.1.2, relay=10.1.1.2 (mymx.mydomain.com), delay=3s, stat=503 5.5.1 Invalid command: Command not allowed at this point.
debug: mta: flush for
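
The `relay:` result lines in the `smtpd -vd` output above carry the envelope id, both endpoints and the SMTP reply, so deliveries rejected with the `5.4.6` routing-loop status can be picked out mechanically. The Python below is an added example, not part of the original posts or of OpenSMTPD; the function names are assumptions and the sample lines are constructed in the format shown in the post.

```python
import ipaddress
import re

# Constructed sample in the "relay:" line format of the post; ids/addresses are made up.
SAMPLE_LOG = """\
relay: Ok for a781d87f733b347e: session=1e3ee0b24957ff6b, from=<>, to=<user@example.org>, rcpt=<->, source=127.0.0.1, relay=127.0.0.1 (localhost), delay=1s, stat=250 2.0.0: 536b9882 Message accepted for delivery
debug: mta: waiting for 1s before next transaction
relay: PermFail for 4477466d6c1e0f40: session=1e3ede1dbb8fd8f2, from= , to=<root@mx.example.org>, rcpt=<->, source=10.1.1.2, relay=10.1.1.2 (mx.example.org), delay=3s, stat=500 5.4.6 Routing loop detected: Loop detected
relay: PermFail for a0a53973398497c8: session=1e3ede1dbb8fd8f2, from=<>, to=<root@mx.example.org>, rcpt=<->, source=10.1.1.2, relay=10.1.1.2 (mx.example.org), delay=3s, stat=503 5.5.1 Invalid command: Command not allowed at this point.
"""

HEAD_RE = re.compile(r"relay: (\w+) for ([0-9a-f]{16}): (.*)$")
FIELD_SPLIT_RE = re.compile(r",\s+(?=[a-z]+=)")  # split only in front of "key="
STAT_RE = re.compile(r"(\d{3}) (\d\.\d{1,3}\.\d{1,3})")


def parse_relay_line(line):
    """Return a dict for a 'relay:' result line, or None for any other line."""
    m = HEAD_RE.search(line.strip())
    if not m:
        return None
    rec = {"result": m.group(1), "evpid": m.group(2)}
    for part in FIELD_SPLIT_RE.split(m.group(3)):
        key, _, value = part.partition("=")
        rec[key] = value.strip()  # an empty from=/to= becomes ""
    code = STAT_RE.match(rec.get("stat", ""))
    rec["smtp_code"], rec["enhanced"] = code.groups() if code else (None, None)
    return rec


def is_self_relay(rec):
    """True when source and relay are the same non-loopback address."""
    src = rec.get("source", "")
    peer = rec.get("relay", "").split(" ")[0]  # drop the "(hostname)" suffix
    try:
        return src == peer and not ipaddress.ip_address(src).is_loopback
    except ValueError:
        return False


def find_loops(log_text):
    """Collect deliveries rejected with enhanced status 5.4.6 (routing loop)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_relay_line(line)
        if rec is not None and rec["enhanced"] == "5.4.6":
            rec["self_relay"] = is_self_relay(rec)
            hits.append(rec)
    return hits
```

`find_loops()` returns one record per loop rejection; `self_relay` is set when the daemon handed the message to its own non-loopback address, as in the `source=10.1.1.2, relay=10.1.1.2` line of the post.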
Unix users and Virtual users
version: OpenSMTPD 5.4.4
Hello, I already asked a similar question a long time ago but OpenSMTPD has changed a lot since then.
a) For the same domain domain.xx, I would like that both, my unix user r...@domain.xx and my virtual user v...@domain.xx, receive mails. Do I have to make my domain domain.xx virtual or is there a way to handle both unix and virtual users at the same time?
b) In the case I have to make this domain.xx virtual only, I'll have to create a unix account like _vmail?
Thank you