Re: cannot send emails to self
> Strangely it does work if I send mail to "john...@example.com"

This, I think, is the smoking gun. When you send mail to yourself, it matches the "accept for local" rule rather than the "accept from any for domain" rule, so the expansion is based on "alias " rather than "virtual ".

My stab in the dark for why johnsm...@example.net->johnsm...@example.net works is that the server believes its mailname is example.com, so example.net does not match the local rule.

For debugging these types of configurations, it's often quite illuminating to trace expand and lookup (smtpd -F -T expand -T lookup).

Hope this helps.

Simon

On 2/27/20 12:47 PM, Erik Harmon wrote:
> I have set up a new instance of OpenSMTPD 6.0.3-portable (the packaged version on Ubuntu 18.04) servicing the same end user on two domains, with two inboxes. The problem arises when I try to send an email to myself "johnsm...@example.com" to "johnsm...@example.com". I get an Invalid Recipient error. I have included my configuration below:
>
>     # cert valid for both domains
>     pki example.com certificate "/etc/letsencrypt/live/example.com/fullchain.pem"
>     pki example.com key "/etc/letsencrypt/live/example.com/privkey.pem"
>
>     listen on eth0 tls pki example.com mask-source
>     listen on eth0 port 587 tls-require pki example.com auth mask-source
>     listen on lo port 10029 tag dkim mask-source
>
>     table aliases { "johnsm...@example.com" => johncom, "johnsm...@example.net" => johnnet }
>     table domains { "example.com", "example.net" }
>
>     accept for local alias deliver to lmtp "/var/run/dovecot/lmtp"
>     accept from any for domain virtual deliver to lmtp "/var/run/dovecot/lmtp"
>     accept tagged ! dkim for any relay via smtp://127.0.0.1:10028
>     accept tagged dkim for any relay pki example.com
>
> Strangely it does work if I send mail to "john...@example.com". Sending from example.com to example.net also works. Sending from example.net to example.com does not work, "Invalid Recipient". Sending from example.net to example.net works. It appears only the first domain has a problem where mail from either account can't be sent to the first one.
>
> What am I doing wrong?
>
> Regards,
> Erik
Re: How to deal with spam and opensmtpd
On 04/18/2018 01:44 AM, Mik J wrote:
> What other (not spamd and spamassassin) do you use?

I use bgp-spamd [1] and a hand-assembled blacklist (using dovecot-pigeonhole) of certain terms that usually only appear in spam. It's not as good as SpamAssassin but it seems to stop the majority of the spam I get. I'm down from 2-3 spam messages per day to one 10 days or so.

Simon

[1] https://bgp-spamd.net/

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Sending on IPv6 by default
Hey,

I have a pretty simple OpenSMTPD setup on a host with IPv6. However, while it has no trouble receiving email delivered via IPv6, I have noticed that it seems to send on IPv4, even when the destination MX has an record.

I use dkimproxy_out to add DKIM to outgoing messages. I tried changing all the dkimproxy-related stuff (including the listen and relay directives in dkimproxy_out.conf) to use ::1 instead of 127.0.0.1, but dkimproxy_out doesn't seem to work when listening on ::1, although it will relay to ::1. Changing dkimproxy_out to listen on 127.0.0.1 but relay via ::1 still caused mail to be sent via IPv4.

Gmail to me:

    Received: from mail-pf0-x22b.google.com (mail-pf0-x22b.google.com [IPv6:2607:f8b0:400e:c00::22b])
        by kanna.desu.ne.jp (OpenSMTPD) with ESMTPS

Me to Gmail:

    Received: from kanna.desu.ne.jp (kanna.desu.ne.jp. [44.26.108.130])
        by mx.google.com with ESMTPS

Relevant portion of smtpd.conf:

    listen on lo0
    listen on lo0 port 10028 tag DKIM
    listen on egress port smtp tls
    listen on egress smtps
    listen on egress port submission tls-require mask-source auth

    # Incoming
    accept from local for local alias \
        deliver to lmtp "/var/dovecot/lmtp" rcpt-to
    accept from any for domain virtual \
        deliver to lmtp "/var/dovecot/lmtp" rcpt-to

    # Outgoing
    accept tagged DKIM for any relay
    accept for any relay via smtp://127.0.0.1:10027

Thanks,
Simon
Re: Avoiding backscatter with spampd
Oh, I see what I was doing wrong: I was having spampd relay back to OpenSMTPD for delivery rather than on towards Dovecot. And of course, OpenSMTPD does not speak LMTP inwardly.

Thank you for your help!

On 12/02/2016 01:18 PM, Jake Hartz wrote:
> I ran into a similar issue, and I ended up having OpenSMTPD deliver the mail to spampd via LMTP, then spampd delivers it (in my case, to Dovecot). This way, smtpd can still reject invalid recipients with a 550 before it ships the mail thru spamassassin.
>
> If you want to try it this way, I have Dovecot configured to listen (LMTP) on some port, e.g. 1024, and spampd listening via LMTP on some port, e.g. 1026:
>
>     spampd_flags="--port=1026 --relayhost=127.0.0.1:1024 --tagall"
>
> Dovecot can be configured (/etc/dovecot/conf.d/10-master.conf) to listen on LMTP on a certain port, e.g. 1024.
>
> Then, in smtpd.conf, I deliver straight to spampd:
>
>     accept from any for domain virtual \
>         deliver to lmtp localhost:1026 rcpt-to
>
> (spampd then relays it to Dovecot after checking).
>
> Hope this helps! spampd's LMTP relaying seems to be working fine for me with this setup; do you have any specific issues you're running in to?
>
> --Jake
>
> On 12/02/2016 03:26 PM, Simon McFarlane wrote:
>> For those unfamiliar:
>>
>>> Backscatter bounces are Non-Delivery Notifications, but they're for email you didn't send. A spammer sends out some of his spew with one or more of your addresses as the From, and poorly configured servers don't properly reject it, instead they send an NDN to the forged From address.
>>
>> I'm trying to integrate SpamAssassin into my setup, but I accidentally got myself on a couple blacklists because my setup was producing backscatter.
>>
>> The relevant lines of my smtpd.conf:
>>
>>     listen on lo0 port 10026 tag SPAMCHECK
>>     accept tagged SPAMCHECK for domain virtual \
>>         deliver to lmtp "/var/dovecot/lmtp" rcpt-to
>>     accept from any for domain \
>>         deliver to smtp://127.0.0.1:10025
>>
>> and from rc.conf.local:
>>
>>     spampd_flags=--port=10025 --relayhost=127.0.0.1:10026
>>
>> Without the relay to spampd, OpenSMTPD just sends back a 550 Invalid recipient as it should, but when relaying to spampd, it sends a bounce to the forged From address.
>>
>> I've tried delivering via LMTP to spampd instead, but spampd's LMTP support seems to be broken (I'm not sure it would fix the problem anyway). I could filter only valid recipients through the initial relay, but the table-sqlite manpage seems to indicate that there's no way to set up a recipients table with sqlite.
>>
>> Does anybody know how to fix this problem?
>>
>> Thanks,
>> Simon
Re: Avoiding backscatter with spampd
After looking through the source code, I found an undocumented table-sqlite directive called "query_mailaddr", which allows me to construct a valid recipients table. I added a recipient modifier to the initial relay and everything seems to be working as expected now.

On 12/02/2016 12:26 PM, Simon McFarlane wrote:
> For those unfamiliar:
>
>> Backscatter bounces are Non-Delivery Notifications, but they're for email you didn't send. A spammer sends out some of his spew with one or more of your addresses as the From, and poorly configured servers don't properly reject it, instead they send an NDN to the forged From address.
>
> I'm trying to integrate SpamAssassin into my setup, but I accidentally got myself on a couple blacklists because my setup was producing backscatter.
>
> The relevant lines of my smtpd.conf:
>
>     listen on lo0 port 10026 tag SPAMCHECK
>     accept tagged SPAMCHECK for domain virtual \
>         deliver to lmtp "/var/dovecot/lmtp" rcpt-to
>     accept from any for domain \
>         deliver to smtp://127.0.0.1:10025
>
> and from rc.conf.local:
>
>     spampd_flags=--port=10025 --relayhost=127.0.0.1:10026
>
> Without the relay to spampd, OpenSMTPD just sends back a 550 Invalid recipient as it should, but when relaying to spampd, it sends a bounce to the forged From address.
>
> I've tried delivering via LMTP to spampd instead, but spampd's LMTP support seems to be broken (I'm not sure it would fix the problem anyway). I could filter only valid recipients through the initial relay, but the table-sqlite manpage seems to indicate that there's no way to set up a recipients table with sqlite.
>
> Does anybody know how to fix this problem?
>
> Thanks,
> Simon
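An added example, not part of the original thread or of OpenSMTPD: a Python/sqlite3 model of the recipient check that lets the front end answer 550 during the SMTP session instead of accepting the message and bouncing it later. It compares a lookup written in the LIKE style of the query_alias posted elsewhere on this page with an exact, case-folded match. The users(username, domain, password) columns follow that sqlite.conf; the sample rows, function names and the exact-match query text are assumptions.

```python
import sqlite3

# Constructed sample rows (not from the thread); columns follow the page's sqlite.conf.
SAMPLE_USERS = [
    ("john", "example.com", "$2b$placeholder"),
    ("j_doe", "example.net", "$2b$placeholder"),
]

# Lookup written in the style of the page's query_alias: the stored address is the
# LIKE pattern, so "_" and "%" inside a stored address behave as wildcards.
LIKE_QUERY = "SELECT 1 FROM users WHERE ? LIKE (username||'@'||domain)"

# Assumed stricter text for a recipients lookup (hypothetical, not the poster's query):
# case-folded equality with no wildcard semantics.
EXACT_QUERY = "SELECT 1 FROM users WHERE lower(username||'@'||domain) = lower(?)"


def open_db(rows=SAMPLE_USERS):
    """Build an in-memory users table shaped like the one the page's queries expect."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, domain TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return db


def rcpt_reply(db, query, rcpt):
    """Model the RCPT TO decision: 250 for a known recipient, 550 otherwise.

    Answering 550 here, while the sending server is still connected, is what
    avoids generating a bounce to a forged sender later on.
    """
    row = db.execute(query, (rcpt,)).fetchone()
    return 250 if row else 550


def compare(db, recipients):
    """Return {recipient: (reply with LIKE lookup, reply with exact lookup)}."""
    return {
        rcpt: (rcpt_reply(db, LIKE_QUERY, rcpt), rcpt_reply(db, EXACT_QUERY, rcpt))
        for rcpt in recipients
    }


if __name__ == "__main__":
    db = open_db()
    # Constructed test addresses: a real user, a case variant, an unknown user,
    # and an address that only matches because "_" is a LIKE wildcard.
    candidates = [
        "john@example.com",
        "JOHN@Example.COM",
        "nobody@example.com",
        "jxdoe@example.net",
    ]
    for rcpt, (like_code, exact_code) in compare(db, candidates).items():
        print(f"{rcpt:22} LIKE={like_code} exact={exact_code}")
```

The last candidate is the case to watch: with the LIKE form, the stored address "j_doe@example.net" also accepts "jxdoe@example.net", so the front end would pass a recipient that the mail store may not know.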
Avoiding backscatter with spampd
For those unfamiliar:

> Backscatter bounces are Non-Delivery Notifications, but they're for email you didn't send. A spammer sends out some of his spew with one or more of your addresses as the From, and poorly configured servers don't properly reject it, instead they send an NDN to the forged From address.

I'm trying to integrate SpamAssassin into my setup, but I accidentally got myself on a couple blacklists because my setup was producing backscatter.

The relevant lines of my smtpd.conf:

    listen on lo0 port 10026 tag SPAMCHECK
    accept tagged SPAMCHECK for domain virtual \
        deliver to lmtp "/var/dovecot/lmtp" rcpt-to
    accept from any for domain \
        deliver to smtp://127.0.0.1:10025

and from rc.conf.local:

    spampd_flags=--port=10025 --relayhost=127.0.0.1:10026

Without the relay to spampd, OpenSMTPD just sends back a 550 Invalid recipient as it should, but when relaying to spampd, it sends a bounce to the forged From address.

I've tried delivering via LMTP to spampd instead, but spampd's LMTP support seems to be broken (I'm not sure it would fix the problem anyway). I could filter only valid recipients through the initial relay, but the table-sqlite manpage seems to indicate that there's no way to set up a recipients table with sqlite.

Does anybody know how to fix this problem?

Thanks,
Simon
filter-spamassassin gone?
Hi,

I used to run filter-spamassassin on my MX, but after the filter API bump, the filter no longer worked and I had to disable spam filtering (aside from spamd). Now, it looks like opensmtpd-extras-spamassassin is missing from ports. Is filter-spamassassin gone for good?

Thanks,
Simon
Re: Filter-API Error
I also get this error, with filter-spamassassin. I've had to remove all the filters from my smtpd.conf to keep my server up. Running the latest snapshot and packages as of today.

    filter-spamassassin[98857]: filter is EXPERIMENTAL and NOT meant to be used in production.
    domains[50926]: debug: table-sqlite: config successfully updated
    filter-spamassassin[98857]: warn: filter-api:filter-spamassassin API mismatch
    filter-spamassassin[98857]: fatal: filter-api: exiting
    warn: pony -> filter-spamassassin: pipe closed
    passwd[28342]: debug: table-sqlite: opening /etc/mail/users.db
    warn: filter "filter-spamassassin" closed unexpectedly
    fatal: exiting

On 07/04/2016 01:35 AM, Heiko wrote:
> Hi together,
>
> I get some Filter-API errors. Build with current Snapshot and Ports. Any chance for me to fix this? Or do I have to wait for a Source Code Update?
>
> Thank you in advance.
>
> Heiko
>
> snip
>     Jul 4 10:17:05 atarax filter-dnsbl-spamcop[17487]: warn: filter_api:filter-dnsbl-spamcop API mismatch
>     Jul 4 10:17:05 atarax filter-dnsbl-sorbs[45978]: warn: filter-api:filter-dnsbl-sorbs API mismatch
>     Jul 4 10:17:05 atarax filter-dnsbl-spamhaus[16763]: warn: filter-api:filter-dnsbl-spamhaus API mismatch
>     Jul 4 10:17:05 atarax filter-dnsbl-sorbs[45978]: fatal: filter-api: exiting
>     Jul 4 10:17:05 atarax filter-dnsbl-spamhaus[16763]: fatal: filter-api: exiting
>     Jul 4 10:17:05 atarax smtpd[82042]: warn: pony -> filter-dnsbl-spamcop: pipe closed
>     Jul 4 10:17:05 atarax smtpd[82042]: warn: filter "filter-dnsbl-spamcop" closed unexpectedly
>     ...
> snip
filter-spamassassin crashes smtpd on boot
Hi,

I have a rather uninteresting setup consisting of Dovecot and OpenSMTPD with few configuration tweaks on an OpenBSD system. The only filter I have is filter-spamassassin. I'm running the latest -current snapshot and filter and extras from pkg.

I can rcctl start smtpd just fine, however, smtpd fails to start automatically on boot. Every time I reboot the system, I have to shell back in and start smtpd manually. I get this in /var/log/maillog:

    Jun 29 22:24:01 mx smtpd[76577]: info: OpenSMTPD 5.9.1 starting
    Jun 29 22:24:01 mx smtpd[64252]: setup_peer: klondike -> control[77736] fd=4
    Jun 29 22:24:01 mx smtpd[77736]: setup_peer: control -> klondike[64252] fd=5
    Jun 29 22:24:01 mx smtpd[65295]: setup_peer: queue -> control[77736] fd=8
    Jun 29 22:24:01 mx smtpd[77736]: setup_peer: control -> lookup[45356] fd=6
    Jun 29 22:24:01 mx smtpd[45356]: setup_peer: lookup -> control[77736] fd=6
    Jun 29 22:24:01 mx smtpd[64252]: setup_peer: klondike -> pony express[82409] fd=5
    Jun 29 22:24:01 mx smtpd[77736]: setup_peer: control -> pony express[82409] fd=7
    Jun 29 22:24:01 mx smtpd[65295]: setup_peer: queue -> pony express[82409] fd=9
    Jun 29 22:24:01 mx smtpd[77736]: setup_peer: control -> queue[65295] fd=8
    Jun 29 22:24:01 mx smtpd[45356]: setup_peer: lookup -> pony express[82409] fd=7
    Jun 29 22:24:01 mx smtpd[50073]: setup_peer: scheduler -> control[77736] fd=9
    Jun 29 22:24:01 mx smtpd[64252]: setup_proc: klondike done
    Jun 29 22:24:01 mx smtpd[79591]: setup_done: ca[64252] done
    Jun 29 22:24:01 mx smtpd[65295]: setup_peer: queue -> lookup[45356] fd=10
    Jun 29 22:24:01 mx smtpd[77736]: setup_peer: control -> scheduler[50073] fd=9
    Jun 29 22:24:01 mx smtpd[45356]: setup_peer: lookup -> queue[65295] fd=8
    Jun 29 22:24:01 mx smtpd[82409]: setup_peer: pony express -> control[77736] fd=7
    Jun 29 22:24:01 mx smtpd[50073]: setup_peer: scheduler -> queue[65295] fd=10
    Jun 29 22:24:01 mx smtpd[65295]: setup_peer: queue -> scheduler[50073] fd=11
    Jun 29 22:24:01 mx smtpd[79591]: setup_done: control[77736] done
    Jun 29 22:24:01 mx smtpd[82409]: setup_peer: pony express -> klondike[64252] fd=8
    Jun 29 22:24:01 mx smtpd[77736]: setup_proc: control done
    Jun 29 22:24:01 mx smtpd[45356]: setup_proc: lookup done
    Jun 29 22:24:01 mx smtpd[82409]: setup_peer: pony express -> lookup[45356] fd=9
    Jun 29 22:24:01 mx smtpd[79591]: setup_done: lka[45356] done
    Jun 29 22:24:01 mx smtpd[82409]: setup_peer: pony express -> queue[65295] fd=10
    Jun 29 22:24:01 mx smtpd[79591]: setup_done: pony[82409] done
    Jun 29 22:24:01 mx smtpd[82409]: setup_proc: pony express done
    Jun 29 22:24:01 mx smtpd[65295]: setup_proc: queue done
    Jun 29 22:24:01 mx smtpd[79591]: setup_done: queue[65295] done
    Jun 29 22:24:01 mx smtpd[79591]: setup_done: scheduler[50073] done
    Jun 29 22:24:01 mx smtpd[50073]: setup_proc: scheduler done
    Jun 29 22:24:01 mx smtpd[79591]: smtpd: setup done
    Jun 29 22:24:01 mx filter-spamassassin[81659]: fatal: resolve: failed
    Jun 29 22:24:01 mx smtpd[82409]: warn: pony -> filter-spamassassin: pipe closed
    Jun 29 22:24:01 mx smtpd[82409]: warn: filter "filter-spamassassin" closed unexpectedly
    Jun 29 22:24:01 mx smtpd[82409]: fatal: exiting
    Jun 29 22:24:01 mx smtpd[79591]: warn: parent -> pony: pipe closed
    Jun 29 22:24:01 mx smtpd[64252]: warn: ca -> pony express: pipe closed
    Jun 29 22:24:01 mx smtpd[77736]: warn: control -> pony express: pipe closed
    Jun 29 22:24:01 mx smtpd[50073]: warn: scheduler -> control: pipe closed
    Jun 29 22:24:01 mx smtpd[65295]: warn: queue -> pony express: pipe closed
    Jun 29 22:24:01 mx smtpd[45356]: warn: lka -> control: pipe closed

It tries to start, but spamassassin crashes with "fatal: resolve: failed", bringing smtpd with it. Has anyone seen this before? Is this a bug in filter-spamassassin or a fault in my setup?

Thanks,
Simon
Pledge issue with opensmtpd-extras
I'm running an installation of today's snapshot (23-Dec-2015), and can't seem to get smtpd to launch when it is set to query a sqlite database. This is the complete output to /var/log/maillog from launch to crash:

    info: OpenSMTPD master starting
    warn: lost child: lookup terminated; signal 6
    info: control process exiting
    info: scheduler handler exiting
    info: queue handler exiting
    warn: ca -> control: pipe closed
    warn: pony -> lka: pipe closed
    warn: parent terminating

and in dmesg, I see this:

    smtpd(29857): syscall 2 "proc"

It looks like smtpd pledges proc during initialization (smtpd.c:704). Running a ktrace/kdump on smtpd -d shows only one call to pledge(), with proc and exec included.

Also,

    # smtpd -d &
    [1] 4597
    # info: OpenSMTPD master starting
    warn: lost child: lookup terminated; signal 6
    info: queue handler exiting
    info: control process exiting
    info: scheduler handler exiting
    warn: pony -> lka: pipe closed
    warn: parent terminating

    [1] + Done (1) smtpd -d
    # dmesg | tail -n 1
    smtpd(31636): syscall 2 "proc"

The master process (pid 4597 in this instance) is not the process which tries to step outside its pledge boundary (pid 31636 is the offender here). Maybe a worker process needs to have proc added to its pledge in some cases?

For reference, my config files look like this:

smtpd.conf

    # Tables
    table aliases file:/etc/mail/aliases
    table passwd sqlite:/etc/mail/sqlite.conf
    table users sqlite:/etc/mail/sqlite.conf
    table domains sqlite:/etc/mail/sqlite.conf

    # Ports
    listen on lo0
    listen on lo0 port 10028 tag DKIM
    listen on egress port smtp tls
    listen on egress smtps auth

    # Incoming
    accept from local for local alias \
        deliver to lmtp "/var/dovecot/lmtp" rcpt-to
    accept from any for domain virtual \
        deliver to lmtp "/var/dovecot/lmtp" rcpt-to

    # Outgoing
    accept tagged DKIM for any relay
    accept for any relay via smtp://127.0.0.1:10027

sqlite.conf

    dbpath /etc/mail/users.db
    query_credentials SELECT username||'@'||domain, password FROM users WHERE (username||'@'||domain)=?;
    query_domain SELECT domain FROM users WHERE domain=? LIMIT 1;
    query_alias SELECT 'vmail' FROM users WHERE ? LIKE (username||'@'||domain);

Thanks,
Simon
Re: Login query with full email address
> Combined with lmtp and the new rcpt-to keyword

I'm using LMTP to deliver to Dovecot currently, but this is the first I've heard about rcpt-to, and can't find any mention of it in the man pages. What does it do exactly? Is it only available in snapshots?

On 12/23/2015 01:27 AM, Joerg Jung wrote:
> On 23 Dec 2015, at 07:01, Simon McFarlane wrote:
>> I'm attempting to set up a mail server that can serve addresses on several domains. OpenSMTPD works great for a single domain, but I'm having some trouble with mail on multiple domains.
>> …
>> Let me know what you guys think, or if you know of any other possible solutions.
>
> I use several virtual users/domains on top of (mapping to) just a single system user (vmail). All maildir folders belong to the user vmail and are managed/handled by dovecot (pop3/imap access). Combined with lmtp and the new rcpt-to keyword it works just fine (no underscore hack required):
>
> My smtpd.conf contains:
>
>     pki ...
>     table aliases file:/etc/mail/aliases
>     table domains file:/etc/mail/domains
>     table passwd file:/etc/mail/passwd
>     table virtuals file:/etc/mail/virtuals
>     listen on lo0
>     listen on em0 port 25 tls pki ...
>     listen on em0 port 587 tls-require pki … auth …
>     accept from local for local alias deliver to lmtp "/var/dovecot/lmtp" rcpt-to
>     accept from any for domain virtual deliver to lmtp "/var/dovecot/lmtp" rcpt-to
>     accept from local for any relay
>
> My domains table contains:
>
>     foo.com
>     bar.com
>
> My aliases table contains:
>
>     root: baz
>     vmail: /dev/null
>     baz: b...@bar.com
>
> My virtuals table contains:
>
>     f...@bar.com b...@bar.com
>     b...@bar.com vmail
>     f...@foo.com vmail
>
> My passwd table contains:
>
>     b...@bar.com $2b$…
>     f...@foo.com $2b$...
Login query with full email address
Hi,

I'm attempting to set up a mail server that can serve addresses on several domains. OpenSMTPD works great for a single domain, but I'm having some trouble with mail on multiple domains.

After some research, it seems one of the common ways of going about this is to replace the @ sign with an underscore with some fancy query_alias. To the best of my understanding it goes like this:

    u...@domain.tld --virtuals--> user_domain.tld
    user_domain.tld --userbase--> (normal userdb info)

and then the mail is delivered to the virtual mail folder. [1]

This works great, but on top of being a somewhat inelegant hack (essentially tricking OpenSMTPD by replacing the @ with a _), it means all the aliases (like those listed in /etc/mail/aliases) have to be put into the database, and there is no recursion (ie, you cannot have an alias pointing to an alias).

I tried to solve this problem in several ways. First I tried to add the default alias db (/etc/mail/aliases.db), as an alias to the accept line. The problem with this is that, peeking at smtpd -d -T lookup, the name lookup goes like this:

    postmas...@domain.tld alias---> r...@domain.tld
    root --userbase--> ???

Of course, the second line is where it fails, because there is no entry for just 'root' in the userbase. OpenSMTPD does not pass the domain along with the user, so the userbase cannot determine which domain it means.

I thought I might try having the server relay aliased mail back to itself once the alias is resolved, however you cannot relay with an alias.

I then thought I might be able to run the resulting alias through the virtualusers db, so it would look like this:

    postmas...@domain.tld alias---> r...@domain.tld
    r...@domain.tld --virtuals--> root_domain.tld
    root_domain.tld --userbase--> (normal userdb info)

However, it seems you cannot chain aliases or virtuals like this.

After all this, I think the solution I'm looking for is to have OpenSMTPD pass the domain to the userdb. This would remove the need for having a query_alias that replaces @ with _, and would also mean it would be possible to use aliases.db on multiple domains.

Searching the mailing list archives, I found two similar threads. Ultimately, both posters resorted to a hack like having a separate accept line for every single domain, or the aforementioned @ replacement hack. [2] [3]

Gilles wrote in one of these threads in 2014:

> we may want to support email addresses as login, this can be discussed it was not designed this way to start with because we didn't support !system auth but this has changed and the use case has come up a few times

If the developers' position on this has not changed, I would be willing to submit a patch to add this feature (though I'm not sure of the optimal way to express to the config file that you want the userdb query to include the full email address. I'd love some input on this).

Let me know what you guys think, or if you know of any other possible solutions.

Thanks,
Simon

[1] https://hugo.barrera.io/journal/2015/02/15/opensmtpd-dovecot-shared-sql-db/
[2] https://www.marc.info/?t=14238013302
[3] https://www.marc.info/?t=14085240872