Re: Dropping Connections Upon Connect
> On 28 Jul 2023, at 20:06, Stuart D Gathman wrote: > > On Wed, 19 Jul 2023, Pete Long wrote: > >> The filter ‘works’ in the sense that I get “421 Internal Server Error” >> when something matches my regex table. > > That's more likely to discourage the spammer than any rant you might > supply instead. :-) > > But maybe you want to provide a channel for false positives to appeal > the rejection. Good point, no chance of further deliveries being successful due to a configuration error. Yes I could and perhaps should give more info. Thanks. Pete.
Re: Dropping Connections Upon Connect
Hi, I seem to have resolved the issue but time will tell. Using my AOL account as a test, I amended the filter line in smtpd.conf so it read “550 Connection dropped.” *I didn’t put the SMTP error code in before. After doing so, it seems to have resolved the issue.* Here’s the command I used for debugging: smtpd -dv -T all >smtpd.log 2>&1 After sending a couple test mails, I saw this entry in the ’smtpd.log’: lookup: match "sonic304-56.consmr.mail.bf2.yahoo.com" as REGEX in table static:rejecthost -> true 013352e3bbdd5118 filters protocol phase=ehlo, resume=n, action=disconnect, filter=hostrejects, query=sonic304-56.consmr.mail.bf2.yahoo.com, response=550 Connection dropped. I used the same regular expression syntax as shown below ie. ^.*.yahoo.com$ Cool! Pete. > On 19 Jul 2023, at 20:18, Pete Long wrote: > > Hi all, > > Need some help here. > > I would like to find a way to drop connections (with an arbitrary message) > without having to wait for the connecting clients to issue anything at all. > > Here’s my configuration line in /etc/mail/smtpd.conf in OpenBSD 7.3 running > OpenSMTPD 7.0.0: > > filter hostrejects phase ehlo match helo regex disconnect > "Connection dropped.” > > > The filter ‘works’ in the sense that I get “421 Internal Server Error” when > something matches my regex table. > > > Here’s the format of one line in my table: > > ^.*.prod-infinitum.com.mx$ > > > Have I screwed up the regex, the config line or both? > > Please let me know if you require further information. > > Thanks for your time. > > > > Pete. > >
Dropping Connections Upon Connect
Hi all, Need some help here. I would like to find a way to drop connections (with an arbitrary message) without having to wait for the connecting clients to issue anything at all. Here’s my configuration line in /etc/mail/smtpd.conf in OpenBSD 7.3 running OpenSMTPD 7.0.0: filter hostrejects phase ehlo match helo regex disconnect "Connection dropped.” The filter ‘works’ in the sense that I get “421 Internal Server Error” when something matches my regex table. Here’s the format of one line in my table: ^.*.prod-infinitum.com.mx$ Have I screwed up the regex, the config line or both? Please let me know if you require further information. Thanks for your time. Pete.
Re: Remove the first Received header
On Thu, Jan 26, 2023 at 10:58:18PM +0100, Joel Carnat wrote: > Hi, > > When using smtpd as a mail gateway and authenticating from various > desktop/mobile clients, the first Received header always references the > client host, ip, fqdn, etc. Some (maybe stupid) SMTP servers seem to > consider these information when doing SPAM checks so you end getting > blacklisted because the mail comes from a user IP-range and IP is not > referenced in SPF... > > Not sure it even makes sense and/or break SMTP RFCs but, is there a way to > tell smtpd to not include that first "user connection" in the mail headers? Hi Joel, listen on bge0 port submission tls-require pki mydomain.tld auth \ hostname mydomain.tld mask-src The mask-src option does the trick for me. Pete.
Re: Another Logging Query
On Wed, Mar 23, 2022 at 11:55:16PM +0200, Reio Remma wrote: > On 23.03.2022 23:41, Pete Long wrote: > > Hi all, > > > > When I run the following command, I see lots of useful information about > > what's happening with OpenSMTPD; particularly with filters. > > > > smtpd -dv -Tlookup > > > > However, I can't seem to find a way to capture the output to a file. I've > > tried 'tee' but my syntax is probably wrong. > > > > Does the command above log events on a different level or are they > > ephemeral? > > > iirc you can also force the running daemon to log to maillog or whatever > it's logging to using 'smtpctl trace lookup' ('smtpctl untrace' to stop), > also 'smtpctl log verbose' and 'smtpctl log brief' might come handy. Thanks again Reio, I'll give that command a try. Pete. smime.p7s Description: S/MIME cryptographic signature
Re: Filter Logging
On Mon, Mar 21, 2022 at 03:58:23PM +0200, Reio Remma wrote: > On 21.03.2022 15:54, Pete Long wrote: > > Hi all, > > > > I have a filter defined in smtpd.conf which looks like the following: > > > > filter rejects phase data match mail-from \ > > disconnect "550 Policy enforcement." > > > > The referenced table contains a list of addresses in the following > > formats: > > > > @dailynuisance.tld > > bigmarketing.tld > > @weneverunsubsribeanyone.tld > > > > First of all, are these valid formats for the filter? > > I see I've set up blacklists with a table like this: > > match \ > from any \ > for any \ > mail-from \ > reject Thanks Reio, that's nice and simple. I'll give that a try. For some reason, I've always placed reject lists in a filter which are are referenced in a 'listen on' line. Perhaps its time for a change :) Pete. smime.p7s Description: S/MIME cryptographic signature
Filter Logging
Hi all, I have a filter defined in smtpd.conf which looks like the following: filter rejects phase data match mail-from \ disconnect "550 Policy enforcement." The referenced table contains a list of addresses in the following formats: @dailynuisance.tld bigmarketing.tld @weneverunsubsribeanyone.tld First of all, are these valid formats for the filter? Secondly, this filter seems to be working well but I don't see any other information in the logs except the 550 and whatever rejection message I've used. I chose the data phase as I previously had a similar filter which acted earlier on in the SMTP transaction but which didn't seem reject all required addresses. I've since stupidly deleted this filter so I cannot be more precise. So to summarise, how can I see more information from my current filter and am I using the correct syntax in the first place for the referenced table? Thanks for your time. Pete. smime.p7s Description: S/MIME cryptographic signature
Re: mutt can't send emails via localhost 25 with error 503 5.5.1
On Sun, Mar 06, 2022 at 02:28:54PM +0100, Jiri Navratil wrote: > Hi, > > I'm using notebook with OpenBSD and every email from mail and from mutt > goes firstly to OpenSMTPD on localhost and then are relayed to my > server with static IP. > > I have been using in OpenBSD 6.7 for mutt > > set smtp_url="smtp://127.0.0.1" > > but after switch to OpenBSD 7.0, I'm getting from OpenSMTPD > > SMTP session failed: 503 5.5.1 Invalid command: Command not supported [...] Hi Jiri, I have a slightly different configuration but all hosts are on the LAN. Here are what I believe to be the relevant config lines for Mutt. I'm using the same version as yourself: Mutt 2.1.3 (2021-09-10), which is running on OpenBSD 7.0. OpenSMTPD is version 7.0.0. set smtp_url = "smtp://ch...@chunkymonkey.tld:587/" set smtp_pass = "superpassw0rd" set ssl_starttls=yes set ssl_verify_host=no Pete. smime.p7s Description: S/MIME cryptographic signature
opensmtpd-filter-dnsbl
Hi all, I hope this is ok but I just wanted to say thanks to the developer of 'opensmtpd-filter-dnsbl' whom I believe is Martijn van Duren. This filter is superb and just what I was looking for in order to use the great resource that is Spamhaus. I can't seem to find a personal email address on the following site so that's why I'm saying thanks on the list: https://openports.pl/path/mail/opensmtpd-filters/dnsbl Here's how I've used it in my smtpd.conf on OpenBSD 7.0: filter dnsbl proc-exec "filter-dnsbl -mv zen.spamhaus.org" listen on em0 tls pki mydomain.tld \ hostname mydomain.tld filter { check_rdns, dnsbl } I will shortly remove the -m flag which just adds headers rather than rejecting the mail. Pete. smime.p7s Description: S/MIME cryptographic signature
[Solved] Submission Creds Only Accepted on LAN?
Hi all, I now have authenticated submission on port 587 working regardless of whether the connecting host has a PTR record. Here are the steps taken: 1) Built OpenSMTPd and associated software from ports on FreeBSD 13. 2) Wiped my iPhone and configured my mail account again. This log excerpt is from my phone this morning: smtp connected address=85.255.235.74 host= Aug 15 08:46:41 [redacted] smtp tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256 Aug 15 08:46:42 [redacted] smtpd [redacted] smtp authentication user=pete result=ok I'm not really sure if I have configured anything different by using ports (I used 'pkg install' previously on another server) but all is good. I have a suspicion that it was actually my phone which was causing the issue. Here are my notes which I hope will help. https://valar.uk.net/smtpd-valar.conf Pete. smime.p7s Description: S/MIME cryptographic signature
Fwd: Submission Creds only Accepted on LAN?
> Begin forwarded message: > > From: Pete Long > Subject: Re: Submission Creds only Accepted on LAN? > Date: 8 August 2021 at 21:04:41 BST > To: misc@opensmtpd.org > > >> On 8 Aug 2021, at 19:55, Reio Remma wrote: >> >> On 08.08.2021 21:53, Pete Long wrote: >>> Hi Reio, >>> >>> Yes it's set with SSL (as Apple's iPhone mail app shows) on port 587. The >>> authentication method is 'password'. >> >> Do you see from smtpd logs that a connection is made and credentials fail? > > Here's the output from 'smtpd -dv -Tlookup' when using my mobile phone: > > > debug: smtpd: offline scanning done > 93d95e59d30926fa smtp connected address=148.252.132.246 host= > debug: looking up pki "mydomain.tld" > debug: session_start_ssl: switching to SSL > debug: pony: rsae_priv_enc > 93d95e59d30926fa smtp tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256 > smtp: 0x800ed5000: smtp_cert_verify_cb: no-client-cert > 93d95e59d30926fa smtp authentication user=pete result=permfail > 93d95e59d30926fa smtp failed-command command="AUTH PLAIN (...)" result="535 > Authentication failed" > 93d95e59d30926fa smtp disconnected reason=disconnect > > > Here's the output when I send on my LAN (same debug command): > > debug: looking up pki "mydomain.tld" > debug: session_start_ssl: switching to SSL > debug: pony: rsae_priv_enc > 93d95e5a86cc1911 smtp tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 > smtp: 0x800ed5000: smtp_cert_verify_cb: no-client-cert > 93d95e5a86cc1911 smtp authentication user=pete result=ok > lookup: match "10.1.2.3" as NETADDR in table static: -> true > lookup: match "outlook.com" as DOMAIN in table static: -> true > > > I don't see the 'lookup: match' lines in the log output when sending from my > phone for some reason. > > > Pete. > As an update and my conclusion for now, submission auth works if there is a PTR record for the connecting IP address (at least with my config). I created a test account and used the very helpful https://www.smtper.net site (which of course has PTR records) to successfully send an email to an outside domain via my OpenSMTP server. I can live with that for now. Pete. smime.p7s Description: S/MIME cryptographic signature
Re: Submission Creds only Accepted on LAN?
> On 8 Aug 2021, at 19:55, Reio Remma wrote: > > On 08.08.2021 21:53, Pete Long wrote: >> Hi Reio, >> >> Yes it's set with SSL (as Apple's iPhone mail app shows) on port 587. The >> authentication method is 'password'. > > Do you see from smtpd logs that a connection is made and credentials fail? Here's the output from 'smtpd -dv -Tlookup' when using my mobile phone: debug: smtpd: offline scanning done 93d95e59d30926fa smtp connected address=148.252.132.246 host= debug: looking up pki "mydomain.tld" debug: session_start_ssl: switching to SSL debug: pony: rsae_priv_enc 93d95e59d30926fa smtp tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256 smtp: 0x800ed5000: smtp_cert_verify_cb: no-client-cert 93d95e59d30926fa smtp authentication user=pete result=permfail 93d95e59d30926fa smtp failed-command command="AUTH PLAIN (...)" result="535 Authentication failed" 93d95e59d30926fa smtp disconnected reason=disconnect Here's the output when I send on my LAN (same debug command): debug: looking up pki "mydomain.tld" debug: session_start_ssl: switching to SSL debug: pony: rsae_priv_enc 93d95e5a86cc1911 smtp tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 smtp: 0x800ed5000: smtp_cert_verify_cb: no-client-cert 93d95e5a86cc1911 smtp authentication user=pete result=ok lookup: match "10.1.2.3" as NETADDR in table static: -> true lookup: match "outlook.com" as DOMAIN in table static: -> true I don't see the 'lookup: match' lines in the log output when sending from my phone for some reason. Pete. smime.p7s Description: S/MIME cryptographic signature
Re: Submission Creds only Accepted on LAN?
Hi Reio, Yes it's set with SSL (as Apple's iPhone mail app shows) on port 587. The authentication method is 'password'. Pete. > On 8 Aug 2021, at 19:46, Reio Remma wrote: > > Hello! > > Is your phone configured to submit to port 587? > > Good luck > Reio > > > On 08.08.2021 20:56, Pete Long wrote: >> Oops, I hope this is now visible. >> >> >> Pete. >> >> >>> Begin forwarded message: >>> >>> From: Pete Long >>> Subject: Submission Creds only Accepted on LAN? >>> Date: 8 August 2021 at 18:46:49 BST >>> To: misc+h...@opensmtpd.org >>> >>> Hi, >>> >>> I've just begun using OpenSMTP and find it fascinating with its speed and >>> simplicity. >>> >>> All is working fine except for one issue I can't fix. If I send email from >>> my computer to the OpenSMTP server on my LAN, the creds used for submission >>> work fine. >>> >>> However if I try the same thing from my phone over a 3G connection, the >>> same creds fail. The username/password used is the same as my user account >>> on the VMWare virtual server with FreeBSD 13.0 installed on which OpenSMTP >>> is running ie. no seperate maps. >>> >>> Here's the line in smtpd.conf that I think is relevant: >>> >>> listen on em0 port submission filter { rspamd } tls-require pki >>> mydomain.tld auth hostname mydomain.tld mask-src >>> >>> All outbound mail passes through a smart host as per this line: >>> >>> action "relay" relay host smtp+tls://myauthla...@smarthost.provider.tld:25 >>> auth helo mydomain.tld >>> >>> By the way, I've tried removing the 'filter { rspamd }' section but the >>> same result occurs: non-LAN submission attempts 'permfail' with the same >>> creds that work on a LAN connection. >>> >>> Can anyone help me here? >>> >>> Let me know if you require more information. >>> >>> >>> Thanks. >>> >>> >>> Pete. >> > smime.p7s Description: S/MIME cryptographic signature
Submission Creds only Accepted on LAN?
Oops, I hope this is now visible. Pete. > Begin forwarded message: > > From: Pete Long > Subject: Submission Creds only Accepted on LAN? > Date: 8 August 2021 at 18:46:49 BST > To: misc+h...@opensmtpd.org > > Hi, > > I've just begun using OpenSMTP and find it fascinating with its speed and > simplicity. > > All is working fine except for one issue I can't fix. If I send email from my > computer to the OpenSMTP server on my LAN, the creds used for submission work > fine. > > However if I try the same thing from my phone over a 3G connection, the same > creds fail. The username/password used is the same as my user account on the > VMWare virtual server with FreeBSD 13.0 installed on which OpenSMTP is > running ie. no seperate maps. > > Here's the line in smtpd.conf that I think is relevant: > > listen on em0 port submission filter { rspamd } tls-require pki mydomain.tld > auth hostname mydomain.tld mask-src > > All outbound mail passes through a smart host as per this line: > > action "relay" relay host smtp+tls://myauthla...@smarthost.provider.tld:25 > auth helo mydomain.tld > > By the way, I've tried removing the 'filter { rspamd }' section but the same > result occurs: non-LAN submission attempts 'permfail' with the same creds > that work on a LAN connection. > > Can anyone help me here? > > Let me know if you require more information. > > > Thanks. > > > Pete. smime.p7s Description: S/MIME cryptographic signature