Re: OpenSMTPD 7.5.0 fails to start?

2024-05-11 Thread Thomas Bohl

I am on OpenBSD 7.5-current playing around a bit and noticed that
smtpd fails to start.



I then ran smtpd -d and I get:
credentials[40067]: warn: table-api: imsg_get: Result too large
lookup: table-proc: no services registered
smtpd: process lka socket closed


Probably the beginning of API changes:
https://www.mail-archive.com/misc@opensmtpd.org/msg06266.html




Re: DKIM Verification Failures

2024-04-05 Thread Thomas Bohl

Hi,


DKIM verification of my emails has been failing for outbound email when
received by other systems. This email contains those signatures. I don't
check DKIM inbound so that's not a concern.

I created DNS entries for both rsa and ed25519 keys.


The public TXT DNS record of dk-rsa-20240404._domainkey and 
dk-metis-rsa-20240404._domainkey only contain "v=DKIM1".


$ dig +short txt dk-rsa-20240404._domainkey.rbcarleton.net
"v=DKIM1"

$ dig +short txt dk-metis-rsa-20240404._domainkey.rbcarleton.net
"v=DKIM1"


In regards to metis.rbcarleton.net no TXT records show up at all.

$ dig +short txt dk-metis-rsa-20240404._domainkey.metis.rbcarleton.net

$ dig +short txt dk-metis-ed25519-20240404._domainkey.metis.rbcarleton.net



I've also done some
reading to sanity check my DNS. Any suggestions. I'm kind of
stumped.


It has to be a problem with your DNS. The public doesn't see what you 
see/think you have put in.


https://mxtoolbox.com/SuperTool.aspx?action=dkim%3arbcarleton.net%3adk-rsa-20240404
https://mxtoolbox.com/SuperTool.aspx?action=dkim%3arbcarleton.net%3adk-metis-rsa-20240404
https://mxtoolbox.com/SuperTool.aspx?action=dkim%3ametis.rbcarleton.net%3adk-metis-rsa-20240404


For when you have fixed your DNS: https://dkimvalidator.com is a nice test.
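
A checker for the selector record this thread is about, as an added example (not code from the thread): it takes a dig +short line, joins split TXT strings, parses the tag list, and reports why a record that only contains "v=DKIM1" is unusable (no p= tag). The sample records are constructed and the p= values are placeholders, not real keys.

```python
"""Sanity-check a DKIM selector TXT record before blaming the signer.

Added example, not code from the thread. The thread's dig output showed a
record containing only "v=DKIM1", which no verifier can use because the
public key (p=) is absent. The records below are constructed; the p= values
are placeholder strings, not real keys.
"""
import re
from typing import Dict, List


def from_dig_short(line: str) -> str:
    """Join the quoted chunks that dig +short prints for one TXT record.

    A TXT record longer than 255 bytes (every RSA-2048 key) is stored as
    several strings, printed as "v=DKIM1; k=rsa; " "p=MIIB..."; a verifier
    concatenates them before parsing.
    """
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
    if not chunks:
        raise ValueError("no quoted string in dig output")
    return "".join(chunks)


def parse_dkim_record(txt: str) -> Dict[str, str]:
    """Split an RFC 6376 tag=value list into a dict.

    Whitespace inside a value is folding space and is dropped.
    """
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = "".join(value.split())
    return tags


def check_dkim_record(txt: str) -> List[str]:
    """Return the problems a verifier would hit; an empty list means usable."""
    try:
        tags = parse_dkim_record(txt)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    # v= is optional, but when present it must be DKIM1
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected version {tags['v']!r}")
    key_type = tags.get("k", "rsa")  # k= defaults to rsa
    if key_type not in ("rsa", "ed25519"):
        problems.append(f"unknown key type {key_type!r}")
    pub = tags.get("p")
    if pub is None:
        problems.append("no p= tag: the public key is missing")
    elif pub == "":
        problems.append("empty p= tag: the key has been revoked")
    elif not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", pub):
        problems.append("p= value is not base64")
    # s= defaults to "*"; "email" is the only other value that allows mail
    services = tags.get("s", "*").split(":")
    if "*" not in services and "email" not in services:
        problems.append(f"s= does not allow email use: {tags['s']!r}")
    return problems


# Constructed sample dig +short lines (p= values are placeholders, not keys).
SAMPLES = {
    # exactly what the thread's dig +short showed for dk-rsa-20240404
    "version-only": '"v=DKIM1"',
    # a long record stored as two strings, as RSA keys usually are
    "rsa-split": '"v=DKIM1; k=rsa; " "p=' + "A" * 40 + '"',
    "ed25519": '"v=DKIM1; k=ed25519; p=' + "B" * 43 + '="',
    "revoked": '"v=DKIM1; k=rsa; p="',
}


def report(name: str) -> List[str]:
    """Run the check on one of the constructed dig +short lines."""
    return check_dkim_record(from_dig_short(SAMPLES[name]))


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name}: {report(name) or 'ok'}")
```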




Re: match from mail-from reject not working

2024-03-11 Thread Thomas Bohl


match from mail-from  reject


That line doesn't have a for option, so "for local" is implied.

match from any for any mail-from  reject

should do the trick.



However, if I use telnet/openssl s_client to connect to the server, I get an OK in
response to MAIL FROM: and can state RCPT TO and DATA without
any problems.


The reject (550 Invalid recipient) will happen after RCPT TO. (Earlier 
is only possible with a filter.) That is good and bad. The bad side is 
that the error message is "wrong", which makes stuff harder to debug. 
The good side of this behaviour is that it signals "Invalid recipient" 
to an adversary.


hth



SMTP Smuggling

2023-12-31 Thread Thomas Bohl

Happy new year.

I just stumbled upon this "novel technique for e-mail spoofing":
https://www.postfix.org/smtp-smuggling.html
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide

Given that among others Postfix, Sendmail and Exchange Online are/were 
affected it raises the question whether OpenSMTPD is affected as well.


Can someone from the project comment on this?


Apparently the problem arises if the server is lenient with the end of 
data sequence

.
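
As an added example (not OpenSMTPD code and not from the thread), a strict reader for the SMTP DATA phase that only honours the standard <CRLF>.<CRLF> terminator and reports the lenient-only sequences the thread refers to, so an operator can see whether a given message would be cut differently by a lenient server. The sample stream is constructed.

```python
"""Strict SMTP end-of-data handling, as an added example (not OpenSMTPD code).

RFC 5321 ends the DATA phase only at <CRLF>.<CRLF>. A receiving server that
is lenient and also stops at a bare <LF>.<LF> (or <CR>.<CR>) can see two
messages where the sending server relayed one, which is the problem the
thread links to. This reader uses only the strict sequence and reports any
lenient-only sequence it finds in the body. The sample stream is constructed.
"""
import re
from typing import List, Tuple

STRICT_EOD = b"\r\n.\r\n"
# A lone "." on a line delimited by anything other than CRLF on both sides.
LENIENT_EOD = re.compile(rb"(?:\r\n|\n|\r)(\.)(?:\r\n|\n|\r)")


def split_data(stream: bytes) -> Tuple[bytes, bytes]:
    """Return (message body, bytes after the terminator), strict sequence only.

    Raises ValueError when DATA never terminates; a real server keeps reading.
    """
    padded = b"\r\n" + stream          # DATA begins at a line boundary
    idx = padded.find(STRICT_EOD)
    if idx < 0:
        raise ValueError("no <CRLF>.<CRLF> end-of-data sequence")
    return padded[2:idx], padded[idx + len(STRICT_EOD):]


def lenient_only_terminators(body: bytes) -> List[int]:
    """Offsets within body of '.' lines a lenient server might take as end of data.

    The body was already cut at the strict sequence, so any match here is one
    that only a lenient parser would honour.
    """
    padded = b"\r\n" + body
    return [m.start(1) - 2 for m in LENIENT_EOD.finditer(padded)]


def dot_unstuff(body: bytes) -> bytes:
    """Remove the '.' the client prepends to lines that start with '.'."""
    lines = body.split(b"\r\n")
    return b"\r\n".join(l[1:] if l.startswith(b".") else l for l in lines)


def accept_message(stream: bytes) -> Tuple[str, bytes]:
    """Strict policy: terminate only at <CRLF>.<CRLF> and refuse a message
    that contains a lenient-only terminator, rather than guess what the next
    hop would do with it. The reply text is constructed for this example."""
    body, _rest = split_data(stream)
    if lenient_only_terminators(body):
        return "reject", b"550 5.6.0 bare end-of-data sequence in message body"
    return "accept", dot_unstuff(body)


# Constructed DATA stream: a bare <LF>.<LF> inside the body, then the real
# <CRLF>.<CRLF> terminator.
SAMPLE_STREAM = b"Subject: test\r\n\r\nline one\n.\nline two\r\n.\r\n"

if __name__ == "__main__":
    body, rest = split_data(SAMPLE_STREAM)
    print("strict body:", body)
    print("lenient-only terminators at:", lenient_only_terminators(body))
    print(accept_message(SAMPLE_STREAM))
```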




Re: maildir error when receiving mail to alias

2023-11-20 Thread Thomas Bohl

Hello,

On 20.11.2023 at 01:19, wrote:

Hello,

I have set up my account on this mailserver to deliver mail to my Maildir. This
works (as demonstrated by being able to subscribe to this list); now I am trying
to set up the required aliases (postmaster, etc).
I set up the aliases to point to my own address, but I am seeing this error when
sending email to the aliases:

56:56 nas mail.info smtpd[27770]: 4b2a3ccfa487433c mda delivery
evpidK7cc012bedeffe6 from=<[my-test-address]@gmail.com>
to= rcpt=
user=postmaster delay=1h20m40s result=TempFail stat=Error (temporary
failure: "mail.maildir: No such file or directory")

Could someone help me figure out where this error is coming from?

> action "local_mail" maildir "/home/%{rcpt.user}/Maildir/INBOX" alias 



Try %{user.username} or %{dest.user} instead of %{rcpt.user}.




Re: Need help with mail server configuration

2023-11-11 Thread Thomas Bohl



I received it (even in Thunderbird)! May I ask how did you do that? I 
tried so many ways today but none worked...


I clicked "New Message" in Thunderbird, entered your email and hit send. 
:-) Have you tried sending from your nogafam.eu address?




telnet mail.ivanroth.fr 25 times out, same for nc -4 mail.ivanroth.fr 25

mail command sends no error but no message is received.


Too little information to help. Don't know what you entered, nor what the 
corresponding service logs were. What I would do at this stage is, I 
would run smtpd in the foreground with verbose output, to see it live 
reacting to inputs.

"smtpd -dvvv"



I changed the smtpd.conf to listen to 465:

-listen on 0.0.0.0 tls pki mail.ivanroth.fr filter { check_dyndns, 
check_rdns, check_fcrdns, senderscore, rspamd }
-listen on 0.0.0.0 port submission tls-require pki mail.ivanroth.fr auth 
filter rspamd


+listen on 0.0.0.0 port 25 tls pki mail.ivanroth.fr filter { 
check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
+listen on 0.0.0.0 port 465 smtps pki mail.ivanroth.fr auth filter { 
check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
+listen on 0.0.0.0 port submission tls-require pki mail.ivanroth.fr auth 
filter rspamd


does this looks good to you?


You have two different filter sets for 465 and 587. Both ports are for 
you/your users to send mail. (Aka with Thunderbird) So I wouldn't use 
check_dyndns/etc. for 465. All public mail will be over 25.


Also, you aren't forcing the right hostname. Did you change the 
computer's hostname instead?




When restarting the opensmtpd service, I noticed the following warnings:

warn: invalid envelope e84235315f00364e: unknown dispatcher

warn: invalid envelope b6797a98aad69976: unknown dispatcher

what do they mean?


You have two mails in the queue that can't be sent/delivered. Happens 
when you have unfinished config and testing around.

"smtpctl show queue"
"smtpctl remove e84235315f00364e"
"smtpctl remove b6797a98aad69976"





Re: Need help with mail server configuration

2023-11-10 Thread Thomas Bohl

Hi,

Thank you for your reply. I spent a couple of hours on this today with 
not much luck. Please find my replies below.




Then check what is blocking port 25. Is it your Debian firewall or 
your VPS provider.


There is no VPS provider firewall. The one I can use is disabled. I 
asked support if there were any firewall beyond mine and their answer is 
no. I should get full access to any port I may need.


On the VPS, iptables is set to ACCEPT in every way, INPUT, OUTPUT and 
FORWARD. I added explicit ACCEPT rules for testing but did not get 
better results.


But everything looks good now, all ports are publicly reachable. I did 
send you a test mail and your server accepted it. (In plaintext but still.)


I also gave http://www.antispam-ufrj.pads.ufrj.br/test-relay.html a 
shot. It reached your server. It couldn't do it the last time.




Still, I can reach port 587 in addition to 143 but no 25 nor 465 and 993.


I can reach all, except for 465. But that is ok because according to 
your smtpd.conf the server isn't listening on it.




Here is my smtpd.conf:

pki mail.ivanroth.fr cert 
"/etc/letsencrypt/live/mail.ivanroth.fr/fullchain.pem"
pki mail.ivanroth.fr key 
"/etc/letsencrypt/live/mail.ivanroth.fr/privkey.pem"


filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', 
'.*\.dsl\..*' } junk


filter check_rdns phase connect match !rdns junk

filter check_fcrdns phase connect match !fcrdns junk

filter senderscore proc-exec "filter-senderscore -junkBelow 70 
-slowFactor 5000"


filter rspamd proc-exec "filter-rspamd"

table aliases file:/etc/aliases

listen on 0.0.0.0 tls pki mail.ivanroth.fr \
     filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }

listen on 0.0.0.0 port submission tls-require pki mail.ivanroth.fr auth 
filter rspamd


Your server greets the world with

220 ivanroth.fr ESMTP OpenSMTPD

which is the wrong hostname, which leads to "opportunistic TLS failed, 
downgrading to plain". Try forcing the right hostname:


listen on 0.0.0.0 hostname mail.ivanroth.fr tls pki mail.ivanroth.fr \
 filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }

listen on 0.0.0.0 port submission tls-require \
 hostname mail.ivanroth.fr pki mail.ivanroth.fr auth \
 filter rspamd



#listen on ens3 tls pki mail.ivanroth.fr filter { check_dyndns, 
check_rdns, check_fcrdns, senderscore, rspamd }
#listen on ens3 port submission tls-require pki mail.ivanroth.fr auth 
filter rspamd


action "local_mail" maildir junk alias 
action "outbound" relay helo mail.ivanroth.fr

match from any for domain "ivanroth.fr" action "local_mail"
match for local action "local_mail"

match from any auth for any action "outbound"
match for any action "outbound"


If I'm not mistaken, the last line is redundant. (Without a "from", 
"from local" is implied, which in turn implies "auth". Which is covered 
by the line "from any auth" before it.)




$ nmap localhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-10 21:58 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00028s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 993 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
143/tcp open  imap
443/tcp open  https
587/tcp open  submission
993/tcp open  imaps


Every port is reachable from the public now. (For me at least.) Only you 
can tell if you went overboard with opening up everything.





Re: Need help with mail server configuration

2023-11-08 Thread Thomas Bohl

Hello,

I am running a Debian 12 server hosted at OVH. It's a fresh VPS, and the 
domain I'm using for that test is ivanroth.fr, with the subdomain 
mail.ivanroth.fr as advised in the article.


DNS and rDNS seem fine, host and dig reply what they are supposed to.

On the server, I created an account with my first name (ivan) and I am 
using i...@ivanroth.fr as the test mail address.



  * I cannot send a mail to myself (i...@ivanroth.fr) using mutt from
the server
  * I cannot send from the outside to that address
  * I cannot send from that address using Thunderbird

When looking at systemctl status opensmtpd, I see some errors I don't 
understand like :


debian opensmtpd smtp-out: No valid route for 
[connector:[]->[relay:ivanroth.fr,smtp],0x0]


Your smtp server can't be reached by others.

$ nc -4 mail.ivanroth.fr 25

Closes immediately: Server isn't running or firewall answers with 
REJECT. It could be an iptables firewall on your VPS as well as one from 
OVH. (I don't know OVH but I do know that some VPS providers have an 
extra firewall you need to configure separately.)



$ nc -6 mail.ivanroth.fr 25
Eventually times out: IPv6 not working or a firewall is configured to 
just DROP incoming packages. (I can't even ping your IPv6 address, while 
IPv4 works.)



From all the ports(25, 465, 587, 143, 993) I have tested only IPv4 
IMAP(143) is reachable. (Which is consistent with you saying Thunderbird 
reading works.)

$ nc -4 mail.ivanroth.fr 143
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
LITERAL+ STARTTLS LOGINDISABLED] Dovecot (Debian) ready.

^C




I don't really know where to start digging. If someone could point me to 
some direction, it would be nice.


I would first suggest to get IPv4 working and therefore temporarily 
removing the  record from mail.ivanroth.fr.
Then check what is blocking port 25. Is it your Debian firewall or your 
VPS provider.
You then most likely want to unblock port 465 or 587 for mail submission 
with Thunderbird.


If after that you still have problems post your entire smtpd.conf please.

Last step. Fix IPv6.



Re: smtpd.conf - Possible Issues with "mail-from"

2023-11-06 Thread Thomas Bohl

Hello,


It appears that the “mail-from” is not working. I can see this in the mail 
logs. I am sending emails in a backup script using the command;

e.g. mail -s "My Backup" n...@sidoti.id.au < somefile

Extract from /var/log/maillog
Nov  6 17:34:36 fw2 smtpd[43484]: 7cb40a8b67fe96f9 mta connecting 
address=smtp+tls://45.79.238.223:25 host=mail-in12.smtp2go.com
Nov  6 17:34:36 fw2 smtpd[43484]: 7cb40a8b67fe96f9 mta connected
Nov  6 17:34:36 fw2 smtpd[43484]: 7cb40a8b67fe96f9 mta tls 
ciphers=TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256
Nov  6 17:34:36 fw2 smtpd[43484]: 7cb40a8b67fe96f9 mta cert-check result="valid" 
fingerprint="SHA256:0543063b2b0d6f3fedcf9e4772d534e030b65628e34f90941e04607730abe2b7"
Nov  6 17:34:36 fw2 smtpd[43484]: 7cb40a8b67fe96f9 mta delivery evpid=a7b3da0fc3085f6d from= 
to= rcpt= source="116.255.12.39" relay="45.79.238.223 
(mail-in12.smtp2go.com)" delay=6m40s result="PermFail" stat="550-From header sender domain not verified 
(fw2.sidoti.local)On your Sending > Verified Senders pageverify the sender domain or email to be allowed to send."


mail-from touches the "mail from:" part of the smtp connection. Not the 
"From:" part in the email header. (Which in your case is produced by the 
mail tool.) Your relay host checks the From-Header too though.



stat="550-From header sender domain not verified (fw2.sidoti.local)
On your Sending > Verified Senders pageverify the sender domain or
email to be allowed to send."


I don't know smtp2go. But it reads like you have to allow your account 
to send from "fw2.sidoti.local". Alternatively try to add "-r" to mail:

mail -s "My Backup" -r "f...@sidoti.id.au" n...@sidoti.id.au



Nov  6 17:34:37 fw2 smtpd[43484]: 7cb40a8c9d9105ad smtp connected address=local 
host=fw2.sidoti.local
Nov  6 17:34:37 fw2 smtpd[43484]: 7cb40a8c9d9105ad smtp message msgid=74854ebc 
size=1796 nrcpt=1 proto=ESMTP
Nov  6 17:34:37 fw2 smtpd[43484]: 7cb40a8c9d9105ad smtp envelope evpid=74854ebc8c255a4c 
from=<> to=
Nov  6 17:34:37 fw2 smtpd[43484]: 7cb40a8c9d9105ad smtp disconnected reason=quit
Nov  6 17:34:38 fw2 smtpd[43484]: 7cb40a8b67fe96f9 mta delivery evpid=74854ebc8c255a4c from=<> to= 
rcpt= source="116.255.12.39" relay="45.79.238.223 (mail-in12.smtp2go.com)" delay=1s 
result="PermFail" stat="550 to send email from a blank sender, enable blank senders"
Nov  6 17:34:38 fw2 smtpd[60932]: warn: queue: no return path!
Nov  6 17:34:48 fw2 smtpd[43484]: 7cb40a8b67fe96f9 mta disconnected reason=quit 
messages=0


That looks like a misdirected bounce.



Is there some new way of using “mail-from” with OpenSMTPD?


No



In OpenBSD 7.3, this was working fine.


Did your hostname change by any chance?




Re: Mail not delivered, permission denied

2023-11-03 Thread Thomas Bohl

https://github.com/OpenSMTPD/OpenSMTPD/issues/1200

I am facing the issue above exactly as it is. What is smtpd, and smtpq wrt 
users. I have given all permissions and added them to mail group but still I 
cannot remove the error msgs.


The secondary/supplementary group (mail) of your users doesn't count in 
this case. Only their primary group. Simply give others read access:


# chmod 755 /var/mail




Re: Issue when relaying one smtpd to another with tls

2023-10-15 Thread Thomas Bohl

Hello,


I have two smtpd nodes, I'll call them A and B.

Node A is exposed to internet, Node B is not and is relaying everything 
to node A.


The action line on node B looks like this :


action "send" relay host smtps://[some kind of ipv6] srs


On Node A, i have a match for that "some kind of ipv6" that does a relay 
for everything that comes from node B.



match from src [some kind of ipv6] action "send"
action "send" relay srs


It always helps if you show the whole configuration.

Do you have a certificate for A-[some kind of ipv6]? Since it is an IP 
and not a domain I assume it is self-signed? Does B know about your CA?





Re: Issues with outbound connections to dualstack on v6 only host

2023-08-17 Thread Thomas Bohl

Sorry for the late response.


I am currently facing an issue that OpenSMTPd disables a route for a
dual-stack MX if a connection to the v4 address fails, without retrying
v6.

The system has a local v4 network, but no routes; A v6 default route is
set and the system is reachable via IPv6.


Have you tried forcing IPv6 with a IPv6 src address at the relay action?

action "outbound" relay src $v6adr




Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-17 Thread Thomas Bohl




On 16.08.2023 at 16:58, Reio Remma wrote:

On 15.08.2023 10:49, Thomas Bohl wrote:



You were already pretty close when you got this line though:
warn: smtpd: /var/vmail/mlmmj/domain/listname/.forward: unsecure file
There was probably just wrong write permissions for the group.


...on the home directory. 


I changed permissions from 0700 vmail:vmail to 0750 vmail:smtpd and 
coaxed a new error out of mlmmj:


/usr/bin/mlmmj-receive[114552]: mlmmj-receive.c:112: Have to invoke 
either as root or as the user owning listdir Invoked with uid = [997]


So it seems OpenSMTPD is trying to deliver with uid 997 (which is 
'smtpd' user on the system), ignoring the uid/git from userinfo table.


That is what the man page says it does (running a command from the 
.forward file as smtpd). Since the man page of 6.8.0 said the same thing 
I don't know what changed. I assume you are using a Linux port. Maybe it 
behaved differently from what was described.


I don't have a Linux test system at hand to play around. So this is just 
a guess. But maybe you could use sudo to change the user back to vmail.
|sudo -g vmail -u vmail /usr/bin/mlmmj-receive -L /var/vmail/mlmmj/domain/list/





Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-15 Thread Thomas Bohl




You were already pretty close when you got this line though:
warn: smtpd: /var/vmail/mlmmj/domain/listname/.forward: unsecure file
There was probably just wrong write permissions for the group.


...on the home directory.



Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-15 Thread Thomas Bohl



It must be owned by the user who makes the delivery. Is vmail or 
mlmmj a system user?


man forward
...
Permissions on the .forward file are very strict and expansion is
rejected if the file is group or world-writable; if the home directory is
group writeable; or if the file is not owned by the user.


I've been using mlmmj with this in the .forward file:

|/usr/bin/mlmmj-receive -L /var/vmail/mlmmj/domain/list/

Permissions 0700 and 0600 on /var/vmail/mlmmj and vmail:vmail user/group.


man aliases
...
|command
    Pipe the message to command on its standard input.  The command
    is run under the privileges of the daemon's unprivileged account.

Sounds to me that smtpd needs reading rights. Something like
/var/vmail/mlmmj/domain/listname/.forward 640 vmail:smtpd


You were already pretty close when you got this line though:
warn: smtpd: /var/vmail/mlmmj/domain/listname/.forward: unsecure file
There was probably just wrong write permissions for the group.



Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-14 Thread Thomas Bohl

Hello,

I just found that my mailing lists have stopped working after the 
upgrade with the following error:


/usr/bin/mlmmj-receive[102515]: mlmmj-receive.c:122: Could not stat 
/var/vmail/mlmmj/domain/listname/: Permission denied


I recall reading the delivery user was changed at some point. Was it 
delivered by root before?


Only mails to root were delivered as root. But that possibility was 
removed for security reasons.


What user/permissions should I give the directory now? 


It must be owned by the user who makes the delivery. Is vmail or mlmmj a 
system user?


man forward
...
Permissions on the .forward file are very strict and expansion is
rejected if the file is group or world-writable; if the home directory is
group writeable; or if the file is not owned by the user.
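
The forward(5) rules quoted above, turned into a check as an added example (this is not OpenSMTPD's own check), together with a read-access test for the daemon's unprivileged account, which the 2023-08-15 reply in this thread points at with "640 vmail:smtpd". The directory layout is constructed in a temporary directory; "vmail" is the thread's user name and the group ids are stand-ins.

```python
"""Check a user's .forward the way forward(5) describes, as an added example.

This is not OpenSMTPD's code; the daemon performs its own check. The rules
are the ones quoted from the man page in this thread: expansion is rejected
if the file is group- or world-writable, if the home directory is group-
writable, or if the file is not owned by the user. readable_by() covers the
other half of the thread: whether the daemon's unprivileged account can read
the file at all. The layout is constructed in a temporary directory.
"""
import os
import shutil
import stat
import tempfile
from typing import Dict, List


def forward_file_problems(home: str, uid: int) -> List[str]:
    """Reasons expansion of ~/.forward would be refused, [] if none."""
    problems: List[str] = []
    st_home = os.stat(home)
    # The man page names a group-writable home; a world-writable one is the
    # weaker condition and is refused here as well.
    if st_home.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("home directory is group- or world-writable")
    path = os.path.join(home, ".forward")
    if not os.path.exists(path):
        return problems                 # nothing to expand
    st = os.stat(path)
    if st.st_uid != uid:
        problems.append(f".forward is owned by uid {st.st_uid}, not {uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(".forward is group- or world-writable")
    return problems


def readable_by(path: str, uid: int, gid: int) -> bool:
    """Classic owner/group/other read check for a process running as uid/gid.

    Ignores ACLs and directory search permission on the way to the file.
    """
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def demo() -> Dict[str, object]:
    """Build $tmp/vmail with a .forward and walk through the thread's cases."""
    tmp = tempfile.mkdtemp()
    try:
        home = os.path.join(tmp, "vmail")
        os.mkdir(home)
        fwd = os.path.join(home, ".forward")
        with open(fwd, "w") as fh:      # the pipe line from the thread
            fh.write("|/usr/bin/mlmmj-receive -L /var/vmail/mlmmj/domain/list/\n")
        me = os.getuid()
        file_gid = os.stat(fwd).st_gid  # stands in for the smtpd group
        results: Dict[str, object] = {}

        os.chmod(home, 0o700)
        os.chmod(fwd, 0o600)
        results["0700 home, 0600 file, owner"] = forward_file_problems(home, me)
        os.chmod(home, 0o770)           # the "unsecure file" cause
        results["group-writable home"] = forward_file_problems(home, me)
        os.chmod(home, 0o750)           # the 0750 vmail:smtpd layout
        os.chmod(fwd, 0o640)            # the suggested 640 vmail:smtpd
        results["0750 home, 0640 file, owner"] = forward_file_problems(home, me)
        results["wrong owner"] = forward_file_problems(home, me + 1)
        # a daemon account whose gid matches the file's group can read it;
        # one in any other group cannot
        results["daemon in file group can read"] = readable_by(fwd, me + 1, file_gid)
        results["daemon in other group can read"] = readable_by(fwd, me + 1, file_gid + 1)
        return results
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```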




Re: /etc/mail/aliases question

2023-06-14 Thread Thomas Bohl

Hello,


However, the output from: newaliases shows:

     $ doas newaliases
     /etc/mail/aliases: 69 aliases

Test messages also show that the changes to the aliases file are being 
picked up.


That should not be the case. But hard to tell without the full config.



The current permissions I have on: /etc/mail/aliases are:

-rw-r-   1 root   wheel   2.1K Jun 14 17:31 aliases
-rw-r-   1 root   wheel  64.0K Jun 14 17:31 aliases.db

... and I don't believe I've changed the file permissions (please 
correct me if this isn't the default set of permissions).


The default is
-rw-r--r--  1 root  wheel  2045 Oct 28  2022 aliases


My question is - why does smtpd output what it does - particularly the 
"failed to update table" portion ?


Because _smtpd does not have read access to /etc/mail/aliases.



Re: Format specifiers: partial expansion + modifier

2023-04-28 Thread Thomas Bohl

Hello,


I was wondering if it is possible to use partial expansions together
with format modifiers in smtpd.conf. For example, I'd like to reduce an
email with a format like

-+z...@example.org

to



I've tried the following variations:

%{sender.user[5:]:strip}
%{sender.user:strip[5:]}
%{%{sender.user[5:]}:strip}


I tried many more. I don't think it is possible to combine substrings 
with modifiers.




Re: How to write the rule to avoid spam

2023-04-05 Thread Thomas Bohl

Thank you for your answer.
However it doesn't work because "from domain..." is an invalid syntax


I personally use this:

table legalto file:/etc/mail/legal-rcpt-to

match !auth from any for any mail-from  reject


# cat /etc/mail/legal-rcpt-to
@mx.example.com
m...@mydomain2.org
foo...@mydomain2.org
bar...@mydomain2.org


My file lists all existing email addresses. But you don't have to list 
them all. You could just list your domains like this:

@example.com
@mydomain1.org
@mydomain2.org




Re: How to write the rule to avoid spam

2023-04-05 Thread Thomas Bohl

Hello,


So I would tend to write a rule such as
match ! from domain  for domain  action TO-CLAM_SMTPD_IN
Considering that users that write from mydomain2.org to mydomain1.org 
match the first rule since they are local or authenticated or coming 
from one of the known IPs.

But this rule is not correct


Hm, maybe like this (untested):
match !auth from domain  for domain  reject

(Remember, first match wins. So it should be before
match from any for domain  action TO-CLAM_SMTPD_IN)



Re: opensmtpd personal mail server setup

2023-03-31 Thread Thomas Bohl

Hello,


# certificate
pki mail_cert cert "/etc/letsencrypt/live/***/fullchain.pem"
pki mail_cert key "/etc/ssl/private/server.key"


I don't know which system has these paths. But it looks wrong to me. Are 
you sure the server-key isn't in "/etc/letsencrypt/live/***/"?

Which acme-client do you use?



Any idea on what could the reason be?


The config looks ok.

Test the following:
Stop the smtpd daemon: # rcctl stop smtpd
Start smtpd in the foreground: # smtpd -d
Send a testmail: $ sendmail username
abcd test
Ctrl+d

Post the output of smtpd.




Re: Using Exchange online as relay

2023-03-31 Thread Thomas Bohl

Hello,

action "relay" relay host smtp+tls://smtp.office365.com:587 
auth 


The relay-url is missing the label.

man smtpd.conf
...
The format for relay-url is
[proto://[label@]]host[:port].
...
The label corresponds to an entry in a credentials table,
as documented in table(5).  It is used with the
“smtp+tls” and “smtps” protocols for authentication.
...

This should work:

action "relay" relay host smtp+tls://msexcha...@smtp.office365.com:587 
auth 


cat /etc/mail/secrets:
msexchange ad...@mydomain.com.au:*password*




Re: Email Sending Test-Setup

2023-03-06 Thread Thomas Bohl

Heho,
together with some colleagues i setup an email-sending-selftest
(powered by openbsd, and partially opensmtpd ;-)) In case it is useful
for some: https://www.email-security-scans.org/


That is a real cool project!

I didn't know signed rDNS is possible.




Re: Mixing login and virtual/table authentication

2023-03-06 Thread Thomas Bohl

My question is pretty simple: Is it possible to have OpenSMTPD listen on a 
single socket (smtps or submission) and authenticate both “real” users (i.e., 
/etc/passwd” and virtual users from a credentials table (without adding the 
real users to the table).  I think the answer is ‘no’ (and that is a fine 
answer, if that is the answer).


There were talks in the past about making auth as flexible/programmable 
as filters are. So maybe that becomes possible in the future.




For context, I’m setting up some relaying from an internal set of hosts.  The 
internal relay needs to relay mail to my external mail server.  I currently 
have this working by having my internal relay connecting on the submission port 
(port 25 is firmly blocked) and authenticating as a user from /etc/passwd.

Internally, I have provided self-signed certs for all the machines to 
authenticate with to the internal relay.  I can’t do this on the external relay 
because adding new CA on a listen command *adds* the CA, it doesn’t *replace* 
the CA (thus causing any host with a legitimately signed cert able to relay).


I'm not sure if I understand you 100%. But maybe you could add 
multiple OpenSMTPD sockets with different authentication and have the 
firewall forward connections, depending on the source-IP, to the right 
internal port. So technically the mail server is only reachable on a 
single port. But depending on who asks, supports different 
authentication types.




Re: Opensmtp as simple relay service

2022-11-11 Thread Thomas Bohl
I had initially some authentication issues with my ISP Exchange SMTP 
host ("530 5.7.1 Client was not authenticated")


If I'm not mistaken that is probably because the host-option doesn't 
have a label for the credentials table. Your /etc/mail/secrets has to 
look like this:

label1  user:password

and the host entry has to contain it like this:
action "relay" relay host smtp+tls://label1@exchange.example:587 auth 




but when I switched to 
their general purpose SMTP host, it worked fine.


They probably accept everything as long as the sending IP is from their 
own range.
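
A parser for the relay-url format quoted from smtpd.conf(5) in the 2023-03-31 "Using Exchange online as relay" reply, as an added example (not OpenSMTPD's parser), that flags the missing credentials label both relay threads here come down to. The default ports, the "smtp" default when no proto is given, and the sample secrets table (with a placeholder password) are assumptions of this example.

```python
"""Parse an smtpd.conf relay-url and check it against the credentials table.

Added example; this is not OpenSMTPD's parser. It implements the format the
thread quotes from smtpd.conf(5), [proto://[label@]]host[:port], and the
rule that the label names an entry in the credentials table used by
"auth <table>" with the smtp+tls and smtps protocols. The default ports and
the "smtp" default protocol are assumptions of this example; the secrets
table below is constructed with a placeholder password.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class RelayUrl(NamedTuple):
    proto: str
    label: Optional[str]
    host: str
    port: int


# Assumed defaults for this example.
DEFAULT_PORTS = {"smtp": 25, "smtp+tls": 25, "smtp+notls": 25, "smtps": 465}
AUTH_PROTOS = ("smtp+tls", "smtps")  # the protocols the man page names for labels

_URL = re.compile(
    r"^(?:(?P<proto>[a-z+]+)://(?:(?P<label>[^@/:]+)@)?)?"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^\[\]:/@]+)"
    r"(?::(?P<port>\d{1,5}))?$"
)


def parse_relay_url(url: str) -> RelayUrl:
    """Split a relay-url into its parts; raises ValueError on malformed input."""
    m = _URL.match(url)
    if not m:
        raise ValueError(f"not a relay-url: {url!r}")
    proto = m.group("proto") or "smtp"
    if proto not in DEFAULT_PORTS:
        raise ValueError(f"unknown protocol {proto!r}")
    host = m.group("host")
    if host.startswith("["):          # literal IPv6, as in smtps://[2001:db8::1]
        host = host[1:-1]
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS[proto]
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return RelayUrl(proto, m.group("label"), host, port)


def parse_secrets(text: str) -> Dict[str, Tuple[str, str]]:
    """table(5) credentials format: one 'label user:password' per line."""
    creds: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or ":" not in parts[1]:
            raise ValueError(f"bad credentials line: {raw!r}")
        user, _, password = parts[1].partition(":")
        creds[parts[0]] = (user, password)
    return creds


def check_relay_auth(url: RelayUrl, creds: Dict[str, Tuple[str, str]]) -> List[str]:
    """Problems with 'relay host <url> auth <table>' given the table contents."""
    problems: List[str] = []
    if url.label is None:
        problems.append("relay-url has no label, so no credentials are sent")
    elif url.label not in creds:
        problems.append(f"label {url.label!r} is not in the credentials table")
    if url.proto not in AUTH_PROTOS:
        problems.append(f"labels are only used with smtp+tls and smtps, not {url.proto}")
    return problems


# Constructed table; the password is a placeholder.
SECRETS = """\
# label  user:password
msexchange user@example.com:PLACEHOLDER
label1 user:password
"""


def check(url: str, secrets: str = SECRETS) -> List[str]:
    """Parse url and the secrets table, then report configuration problems."""
    return check_relay_auth(parse_relay_url(url), parse_secrets(secrets))


if __name__ == "__main__":
    for u in ("smtp+tls://smtp.office365.com:587",
              "smtp+tls://msexchange@smtp.office365.com:587"):
        print(u, "->", check(u) or "ok")
```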





Re: Opensmtp as simple relay service

2022-11-10 Thread Thomas Bohl

Hello,

I hope someone can help me here. I have a small wordpress website from 
which I am sending emails using a free plugin to my ISP SMTP server over 
STARTTLS (smtpauth.exchange.iinet.net.au:587).


Now I am trying OpenSMTP which should do the job but for some reason it 
returns "550 Invalid recipient" when I try to send emails through it.


All I want is the MTA to accept the mail and forward it to the 
smarthost. Any idea?


Here's my /etc/smtpd.conf file:

table secrets file:/etc/mail/secrets
listen on 192.168.1.101 port 25
action "relay" relay host smtp+tls://smtpauth.exchange.iinet.net.au:587 
 auth 

match for any action "relay"


Try

match from any for any action "relay"

If that doesn't fix it, it's because OpenSMTPD has built-in protections 
against accidental "open relay" configurations, requiring authentication 
from an incoming non local connection. I'm guessing that 192.168.1.101 
could make it non local, though.


If OpenSMTPD runs on the same machine as the webserver you could just 
"listen on" your loopback device and let wordpress connect to 
127.0.0.1:25. If it needs to be done over 192.168.1.101 it gets 
complicated. You will need to activate authentication, which requires an 
encrypted connection thus a need for a certificate.





Re: delivering mail from virtual user

2022-09-19 Thread Thomas Bohl

I had to do a re-installation, and now I can only receive mail, I lost the
configuration for smtp, the combination port + ssl or startssl I am
confused!


You posted your configuration to this mailing list.
https://www.mail-archive.com/misc@opensmtpd.org/msg05679.html
In theory all you need to do is to reseed your cert and tables.




Re: delivering mail from virtual user

2022-09-18 Thread Thomas Bohl

Hello,


expected. But I need that 1 Virtual user re-send e-mail to 5 different
address or users.



table virtuals file:/etc/mail/virtuals



action "lmtp" lmtp "/var/dovecot/lmtp" rcpt-to virtual 


Your /etc/mail/virtuals probably looks like this:
u...@agroena.org user1
u...@agroena.org user2
u...@agroena.org user3
u...@agroena.org user4
u...@agroena.org user5


According to "man 5 table" a line like

foo...@agroena.org user1,user2,user3,user4,user5

should be all it takes.




Re: Invalid recipient for local account.

2022-08-24 Thread Thomas Bohl

Hi,

All users registered on the LDAP directory received emails, local 
users get "Invalid recipient":


Aug 22 14:14:16 mx-01 smtpd[15911]: 1413a338b810bc82 smtp failed-command 
command="RCPT TO:" result="550 Invalid recipient: 
"
Aug 22 14:14:17 mx-01 smtpd[15911]: 1413a338b810bc82 smtp disconnected 
reason=disconnect


I confirm the user exist on the OpenSMTPD server.

~$ getent passwd mob
mob:x:1079:1011:Mob,,,:/home/mob:/bin/bash

Here the configuration files :



action "inbound" maildir junk userbase  alias 



match from any for domain "passerelles34.fr" action "inbound"


The man page says:
userbase 
Use the mapping table for user lookups instead of the
getpwnam(3) function.

So there is no lookup for your local users anymore. It only looks up 
ldap:/etc/mail/ldap.conf.


I don't think it is possible to use two lookup tables. I believe you 
need another match line before this line

match from any for domain "passerelles34.fr" action "inbound"
that only matches for the local users. (Or the other way around.) Maybe 
the rcpt-to option can help.


(Maybe, if you can query ldap for all valid mail addresses, you could 
generate a rcpt-to recipient table (just a list of all valid addresses) 
via a cron job.


And then
match from any for rcpt-to  action "inbound"
match from any for domain "passerelles34.fr" action "inbound-localusers"

Don't know. Just a late night idea.)




Re: Reject mails with a customized error messages

2022-07-07 Thread Thomas Bohl

Hello,


I would like to reject mails with a customized error message. As
far as I understand the documentation, I cannot pass any additional
parameters to a "reject" command. Am I missing something? How can
I return a specific error message?


You will need to rewrite your config to use filtering.

This example rejects mails that are in the table "ileglfr".

match from any for any mail-from  reject


This is the same thing but with a filter and a custom reject message:

filter "ileglfr" phase mail-from match mail-from  reject "550 
No mails from you pl0x"


listen on ... filter { "ileglfr" }





Re: Tried, and failed, to use a wildcard in an action rule ... possible ?

2022-07-05 Thread Thomas Bohl

Is it possible to use a wildcard like this in an action rule ?


No.

man 5 table
...
In a virtual domain context, the key is either a user part, a full email
address or a catch-all, following selection rules described in
smtpd.conf(5), and the value is one or many recipients as described in
aliases(5):

  user1                 otheruser
  us...@example.org     otheruser1,otheruser2
  @example.org          otheru...@example.com
  @                     catch...@example.com
...


But maybe it's doable with a SQL extra and a fancy query, though.



Re: Am I running an open relay? And a few questions.

2022-05-20 Thread Thomas Bohl

Hello,


1a) Have I left anything too open to spammers to use my server? Have I
done anything stupid?


http://www.antispam-ufrj.pads.ufrj.br/test-relay.html
Tries to send emails over your server using various techniques. If it 
works you have a problem.


http://zy0.de
Shows whether your IP is used for anything stupid.


5) Does anyone here successfully use the rspamd filter for DKIM
Ed25519? I set it up, rspamd was signing with Ed25519, and online
checkers said my DNS was correct, but GMail reported: "dkim=neutral
(no key)".


IMHO ed25519 in DKIM is too new for now.
You can also use https://dkimvalidator.com to test your config.



Re: filter: HELO matches rDNS or not

2022-05-20 Thread Thomas Bohl

Hello,


I want to check inbound SMTP connections
to verify that the HELO/EHLO name matches
the associated rDNS entry.



MY FILTER
filter "HELO_FQDN" phase ehlo match !helo rdns disconnect "NNN:msg."

REPORTED ERROR
doas smtpd -n
/etc/mail/smtpd.conf:191: syntax error

IDEA ORIGINATION (smtpd.conf man page, as follows)
match
  [!] helo helo-name | 
   Specify that session's HELO/EHLO should match the string \
      or list table helo-name.

ALSO TRIED
filter "HELO_FQDN" phase ehlo match !helo {rdns} disconnect "NNN:msg."
filter "HELO_FQDN" phase ehlo match !helo fcrdns disconnect "NNN:msg."
filter "HELO_FQDN" phase ehlo match !helo {fcrdns} disconnect "NNN:msg."
with identical errors to that above.


According to man 5 smtpd.conf
...
helo  helo name is in table
...

What follows helo must be a table with allowed/disallowed hostnames. 
rdns after helo is not a function or comparison.



SUMMARY
smtpd has the rDNS name associated with the calling SMTP session;
how to use that name in a filter?


Someone has to program a custom filter with smtpd-filters API.
man 7 smtpd-filters
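Such a filter, as an added example that is not from this thread and not OpenSMTPD project code: a small smtpd-filters(7) process in Python that remembers the rDNS name smtpd reports at link-connect and disconnects the session when the HELO/EHLO identity differs. Field positions follow the protocol version 0.7 layout in smtpd-filters(7); the filter name, the install path and the "<unknown>" marker for a missing rDNS are assumptions to check against the version you run.

```python
#!/usr/bin/env python3
"""
Added example (not from the list post, not OpenSMTPD project code): a minimal
smtpd-filters(7) proc filter that disconnects sessions whose HELO/EHLO name
does not match the reverse DNS name smtpd already looked up.

Assumed wiring in smtpd.conf (names and path are assumptions):

    filter "helo_rdns" proc-exec "/usr/local/libexec/smtpd/filter-helo-rdns"
    listen on egress port 25 tls filter "helo_rdns"

The field layout assumed here is filter protocol 0.7 as documented in
smtpd-filters(7); check the positions against the running version.
"""
import sys

UNKNOWN_RDNS = {"", "<unknown>"}   # assumption: how smtpd marks "no rDNS"
STATUS = "550 5.7.1 HELO/EHLO name does not match reverse DNS"

# Sent once smtpd has finished its config|... preamble.
REGISTRATIONS = [
    "register|report|smtp-in|link-connect",
    "register|report|smtp-in|link-disconnect",
    "register|filter|smtp-in|helo",
    "register|filter|smtp-in|ehlo",
    "register|ready",
]


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'MX.Example.Net.' == 'mx.example.net'."""
    return name.strip().rstrip(".").lower()


def helo_matches_rdns(helo: str, rdns: str) -> bool:
    """Policy: a session without usable rDNS is left to other rules; otherwise
    the HELO/EHLO identity must equal the rDNS name (case-insensitive)."""
    if rdns in UNKNOWN_RDNS:
        return True
    return normalize(helo) == normalize(rdns)


def handle_line(line: str, sessions: dict) -> list:
    """Consume one protocol line from smtpd and return the lines to send back.
    `sessions` maps session id -> rDNS name learned at link-connect."""
    fields = line.rstrip("\n").split("|")
    kind = fields[0]

    if kind == "config":
        # Registration is only allowed after smtpd says config|ready.
        return list(REGISTRATIONS) if fields[1] == "ready" else []

    if kind == "report":
        # report|version|timestamp|subsystem|event|session|params...
        event, session = fields[4], fields[5]
        if event == "link-connect":
            # params: rdns|fcrdns|src|dest
            sessions[session] = fields[6]
        elif event == "link-disconnect":
            sessions.pop(session, None)
        return []

    if kind == "filter":
        # filter|version|timestamp|subsystem|phase|session|token|params...
        phase, session, token = fields[4], fields[5], fields[6]
        if phase in ("helo", "ehlo"):
            helo = fields[7] if len(fields) > 7 else ""
            if helo_matches_rdns(helo, sessions.get(session, "")):
                verdict = "proceed"
            else:
                verdict = "disconnect|" + STATUS
            return ["filter-result|%s|%s|%s" % (session, token, verdict)]
        # Phases we did not register for should never arrive; fail open.
        return ["filter-result|%s|%s|proceed" % (session, token)]

    return []


def main():
    sessions = {}
    for line in sys.stdin:
        for out in handle_line(line, sessions):
            sys.stdout.write(out + "\n")
        sys.stdout.flush()   # smtpd waits for the answer, so never buffer it


if __name__ == "__main__":
    main()
```

The decision is deliberately made in the ehlo/helo phase and not at connect time, because the HELO name is only known then; the disconnect carries a 5xx status line so a legitimate but misconfigured sender sees why it was dropped.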



Re: Why isn't there a simple way to add a catchall alias to OpenSMTP ?

2022-04-14 Thread Thomas Bohl

     match from any for domain "domain.com" action "local_mail"
     match from any for domain "domain.com" action "catchall"


match for local action "local_mail"
match from any for domain "domain.com" action "catchall"


I hope I understood you correctly.
If not, merge the tables.



Re: Why isn't there a simple way to add a catchall alias to OpenSMTP ?

2022-04-10 Thread Thomas Bohl
Instead of being cranky you should have posted your "very simple, very 
readable smtpd.conf file".


This is what a catchall email address looks like and this is a very 
simple and reasonable to expect this to function.


An alias file has never accepted an @. It is therefore not at all 
reasonable to expect it to function. IIRC even with Postfix you will 
need a virtual map.


Also, FWIW, I am on attempt number four of cramming virtusers into my 
setup that doesn't need it ... and failing.  My five minute task of 
adding a catchall email is in hour number four and it still doesn't work.


-->  Why ?  <--


Because you didn't exchange one keyword for another? We will never know.



Re: Validating certificate chain of SMTP TLS connections using privately-issued CA certs

2022-03-15 Thread Thomas Bohl

client# cat /tmp/server.crt >> /etc/ssl/certs.pem


BTW it's /etc/ssl/cert.pem not /etc/ssl/certs.pem




Not the cert of the server but, like he said, the CACert.pem


The certificate is self-signed. Sorry, I should have mentioned that.


Especially since you started by saying "A private CA has issued server 
certs to mail.example.org." :-) You could just create your own CA...




Just go with free "ACME certificate".)


Not possible.


...or do not have control over mail.example.org?



Re: Validating certificate chain of SMTP TLS connections using privately-issued CA certs

2022-03-15 Thread Thomas Bohl




IIUC the client server needs the CA Certificate that was used to
generate the SMTP-server Certificate in its /etc/ssl/cert.pem (on
OpenBSD).


Thanks. I did try this but it's still not working out.




Download the server certificate and append it to our /etc/ssl/certs.pem

client# scp relay-server:/etc/ssl/server.crt /tmp/
client# file /tmp/server.crt
/tmp/server.crt: PEM certificate
client# cat /tmp/server.crt >> /etc/ssl/certs.pem


Not the cert of the server but, like he said, the CACert.pem

(And now you have to do that every time you update the system. Just go 
with free "ACME certificate".)




Re: How to set up virtual users?

2022-03-04 Thread Thomas Bohl

I've got a situation which doesn't seem all that unusual, but I can't
figure out how to properly set it up with OpenSMTPd on OpenBSD
7.0-release. I need to receive email from anywhere to my local users
(most, but not all, of whom should not have accounts on the mailserver)
and relay email from any local system to anywhere. Incoming mail for my
local users should be saved to /var/virtual//Maildir (all owned
by one special user) for pickup via pop3 or imap.


I hope I understood you correctly.

table aliases file:/etc/mail/aliases
table mail2user {
f...@example.com = user1,
b...@example.com = user2,
@example.com = user3 }

action "receivedLocally" maildir "/var/virtual/%{dest.user}/Maildir" user onespecialuser alias <aliases>
action "receivedRemotely" maildir "/var/virtual/%{dest.user}/Maildir" user onespecialuser virtual <mail2user>

action "relay2Internet" relay

match for local action "receivedLocally"
match auth from any for domain example.com action "receivedRemotely"
match auth from any for any action "relay2Internet"

(Untested because I personally only ever use lmtp.)



'action' interact is murky at best. In particular, the interactions
among 'alias', 'userbase', and 'virtual' are not obvious to me, as is
exactly what 'userbase' does (though the manpage for table(5) helps.).


alias
xyz: user1

Mails for xyz will be delivered to user1.


userbase <foobar>
Instead of looking into /etc/passwd to get information about the user 
(for example what the /home/dir is) the table foobar is used.



virtual
xyz                 user1
z...@example.com    user2
@example.com        allexample
@                   all

For a description of the difference between alias and virtual see 
Aliasing tables in man 5 table. (Not sure if one could say alias exists 
more because of tradition. It makes sure that on an unconfigured system 
root gets system messages. (Because of file:/etc/mail/aliases))




Also, 'postmaster', and several other names listed in RFC 2142, are
supposed to always be processed case-insensitively; I don't see any
mention of what, if anything, is done about this. Even if nothing is
done an explicit statement to that effect would be useful.


All lookups are case-insensitive.



Re: Message submission vs message acceptance/relay?

2022-03-04 Thread Thomas Bohl




I'm working on getting OpenSMTPd on OpenBSD 7.0-release working
properly, and don't see any information about the special handling that
MSAs can/should do that MTAs shouldn't and don't see any obvious way to
tell OpenSMTPd to do this handling on the submission/submissions ports.


listen on 0.1.2.3 port 25 tls \
hostname mx.example.com pki $foo \
filter { "rdns", "fcrdns" }

listen on 0.1.2.3 port 465 smtps \
hostname smtp.example.com pki $bar \
mask-src auth 

Two different ports, two different ways of handling things.

hth



Re: restart necessary on certificate upgrade (letsencrypt)?

2022-01-09 Thread Thomas Bohl

Hi,

I wonder if opensmtpd starts using new key and certificate chain 
automagically,

in case they replaced the old files? Do I have to hup or restart smtpd?


I'm not sure about a new key file[1], but for a renewed certificate 
chain[2], renewed for example by acme-client, no restart is necessary.


If used, you need to reload httpd and dovecot though! (On OpenBSD:
rcctl reload httpd
rcctl reload dovecot)

[1] pki example.com key "/etc/ssl/example.com_Key.pem"
[2] pki example.com cert "/etc/ssl/example.com_Fullchain.pem"



Re: Google domain ownership tokens for an mx. domain

2021-12-12 Thread Thomas Bohl

I will, now that I thought of it, but I was wondering. Does this make
any difference to my domains (A records) avoiding getting sent messages
SPAM blocked, especially by the BIG GUYS?


No, https://support.google.com/mail/answer/81126 doesn't mention 
google-site-verification and other services can't verify the proprietary 
code.




Re: relay via smtps with special characters in username

2021-12-05 Thread Thomas Bohl
fixed it for myself. I changed the delimiter in the source code, table.c line 
557, from : to ; and built my own OpenSMTPD from scratch.


My secrets file is now myrelay username;password

Everything works as expected :)


Did you have a problem with the # symbol?

The man page states: "Comments can be put anywhere in the file using a
hash mark (‘#’), and extend to the end of the current line."



Re: crypto: ca_imsg: invalid pkey hash

2021-11-20 Thread Thomas Bohl

On 09.11.2021 at 22:48, Brenckle, Nicholas M. wrote:
OpenSMTPd running on an OpenBSD7.0 box. Over the last few days I've had 
the daemon stop and I had to manually restart it. It always has a 
message similar to this:


Nov 9 15:57:29 prd-smtp01 smtpd[87213]: crypto: ca_imsg: invalid pkey hash
Nov 9 15:57:29 prd-smtp01 smtpd[10097]: dispatcher: pipe closed

Anyone seen similar behavior, or can suggest a remedy?


I didn't have, until now. Somewhat different message though.

$ tail -f /var/log/mail
...
Nov 21 03:59:51 o3 smtpd[20299]: 70b4bbdacb96ef5a smtp connected 
address=[fe80::20a:cdff:fe38:c433%re0] host=
Nov 21 03:59:51 o3 smtpd[20299]: 70b4bbdacb96ef5a smtp tls 
ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Nov 21 03:59:52 o3 smtpd[20299]: 70b4bbdacb96ef5a smtp authentication 
user=e_maschine result=ok

Nov 21 03:59:52 o3 smtpd[3838]: envelope: invalid field "sockaddr"
Nov 21 03:59:52 o3 smtpd[3838]: lookup: failed to retrieve envelope
Nov 21 03:59:52 o3 smtpd[32396]: smtpd: process lka socket closed
^C

$ ps | grep smtp
 3716 p0  S+p  0:00.01 grep smtp

# rcctl restart smtpd
smtpd(ok)

# tail -f /var/log/maillog
...
Nov 21 04:03:11 o3 smtpd[12523]: info: OpenSMTPD 7.0.0 starting
Nov 21 04:08:51 o3 smtpd[22281]: 1f9a09f9c083cf2c smtp connected 
address=[fe80::20a:cdff:fe38:c433%re0] host=
Nov 21 04:08:51 o3 smtpd[22281]: 1f9a09f894494d3b smtp connected 
address=[fe80::20a:cdff:fe38:c433%re0] host=
Nov 21 04:08:51 o3 smtpd[22281]: 1f9a09f9c083cf2c smtp tls 
ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Nov 21 04:08:52 o3 smtpd[22281]: 1f9a09f894494d3b smtp tls 
ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Nov 21 04:08:52 o3 smtpd[22281]: 1f9a09f9c083cf2c smtp authentication 
user=e_maschine result=ok
Nov 21 04:08:53 o3 smtpd[22281]: 1f9a09f894494d3b smtp authentication 
user=e_maschine result=ok

Nov 21 04:08:53 o3 smtpd[68213]: envelope: invalid field "sockaddr"
Nov 21 04:08:53 o3 smtpd[68213]: lookup: failed to retrieve envelope
Nov 21 04:08:53 o3 smtpd[54145]: smtpd: process lka socket closed
^C

# smtpd -dvv
...
debug: smtp: will accept at most 499 clients
debug: queue: done loading queue into scheduler
debug: smtpd: scanning offline queue...
debug: smtpd: offline scanning done
d082cb71ac2e975d smtp connected address=[fe80::20a:cdff:fe38:c433%re0] 
host=

debug: dispatcher: rsae_priv_enc
d082cb71ac2e975d smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
d082cb720e2bd977 smtp connected address=[fe80::20a:cdff:fe38:c433%re0] 
host=

debug: dispatcher: rsae_priv_enc
d082cb73941ea8c6 smtp connected address=91.65.XXX.XXX 
host=ipZ.dynamic.kabel-deutschland.de

d082cb720e2bd977 smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
debug: dispatcher: rsae_priv_enc
d082cb73941ea8c6 smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
debug: lka: authenticating for passwd:e_maschine
d082cb71ac2e975d smtp authentication user=e_maschine result=ok
debug: lka: authenticating for passwd:e_maschine
debug: smtp: SIZE in MAIL FROM command
debug: lka: authenticating for passwd:e_maschine
debug: lka: mailaddrmap legladr:e_maschine
subrcpt: [foo...@aloof.de]
d082cb720e2bd977 smtp authentication user=e_maschine result=ok
d082cb73941ea8c6 smtp authentication user=e_maschine result=ok
subrcpt: [foobar-123...@aloof.de]
subrcpt: [@vm1.aloof.local]
debug: smtp: SIZE in MAIL FROM command
debug: lka: mailaddrmap legladr:e_maschine
subrcpt: [foo...@aloof.de]
subrcpt: [foobar-123...@aloof.de]
subrcpt: [@vm1.aloof.local]
debug: smtp: SIZE in MAIL FROM command
envelope: invalid field "sockaddr"
lookup: failed to retrieve envelope
debug: dispatcher -> lookup: pipe closed
debug: dispatcher agent exiting
debug: ca -> dispatcher: pipe closed
debug: ca agent exiting
debug: parent -> lka: pipe closed
smtpd: process lka socket closed
debug: control -> lookup: pipe closed
debug: control agent exiting
debug: scheduler -> control: pipe closed
debug: scheduler agent exiting
debug: queue -> lookup: pipe closed
debug: queue agent exiting


The sender is a newly installed Debian 11.1 machine with postfix 3.5.6. 
They (OpenBSD-OpenSMTPD-Server and Debian-Postfix-Client) are on the 
same LAN. It must have something to do with IPv6. If I deactivate it on 
the sender machine, the queued mails go through.




Re: Regex in db table

2021-08-26 Thread Thomas Bohl

Question: How can I use regular expressions in db files?


Don't know, but



Text files
don't seem to be an option, because they are only read on startup so I
cannot update them on the fly.


# smtpctl update table helotable


File is recommended over db:
https://www.mail-archive.com/misc@opensmtpd.org/msg03302.html



Re: Block mails from senders

2021-08-20 Thread Thomas Bohl

Hello,


i cant get mails rejected that come from a list of specific senders

smtpd.conf

table bad_guys file:/etc/mail/bad_guys
match from mail-from <bad_guys> reject



Whats wrong?


If you don't specify for whom the rule is it will default to local.
So the current rule is:
match from mail-from <bad_guys> for local reject

It will not match an incoming smtp connection.


So you want:
match from mail-from <bad_guys> for any reject


If that doesn't work use:
match from any for any mail-from <bad_guys> reject

That is a line I have used in production for years.



Re: need help to solve route loop

2021-08-10 Thread Thomas Bohl

Hello,

> action "outbound" relay
>
> action "tomailer" relay host 172.16.2.5
>

match from local for local action "local_mail"
match from local for any action "outbound"

match from any for domain "mydomain.here" action "tomailer"
match from src  for any action "outbound"


The line "match from local for any action "outbound"" comes before 
"match from any for domain "mydomain.here" action "tomailer"".


Therefore, locally sent mails to "mydomain.here" go straight to relay, 
instead of 172.16.2.5. Relay uses the public MX record and lands on itself.




looks like this is a message from mailer-daemon with subject: Message
accepted for delivery


"Message accepted" is not a mail subject. It just says that the 
receiving server accepted the mail.




Re: Syntax Error

2021-08-05 Thread Thomas Bohl

I am attaching my log file for reference.


Which is not really helping. It has over 7000 lines. It clearly shows 
that the daemon is running, so there can't be a syntax error.


Please be more specific. Show the commands you enter and the output they 
generate. Try to use smtpd -d


There are a lot of "Connection timeout"-Errors in the maillog. Are you 
sure you can connect to port 25?




Re: Syntax Error

2021-08-05 Thread Thomas Bohl

I am Vigneshwaran R @ vgnshlvnz. I am a FreeBSD OS enthusiast. Recently I tried 
to deploy opensmtpd in FreeBSD 12.2-RELEASE, I get syntax error when I run 
`smtpd -n`. I have attached the file for reference. Can someone point out the 
issue?


Since you didn't show your error message, I have to assume it's the fact 
that the file has CR LF at the end of a line (Windows encoding for a new 
line) instead of just LF (what a *nix system expects).




Re: How to check if TLS enabled?

2021-06-25 Thread Thomas Bohl

 From what I can gather, SPF and DKIM are in the mail headers. What is
an easy way to check that TLS is working correctly?


There should be TLS mentioned in the headers too. In the Received line.

Looking into the header of your mail shows TLSv1.2 was used to connect 
to mx-in.poolp.org. But not between the systems coming before that.


You can also look into the mail.log and see lines like
tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
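A way to check every hop at once, as an added example that is not part of this reply: a Python script that reads the Received: headers of a message in transmission order and flags the hops without TLS, using both the "with ESMTPS" keyword (RFC 3848) and the "(TLSv1.x:...)" parameter block OpenSMTPD adds to its Received line. The message embedded in the script is constructed for the demo, not a captured mail.

```python
#!/usr/bin/env python3
"""
Added example (not from the list post): walk the Received: headers of a
message from first hop to last and report, per hop, whether the Received line
records a TLS session. The sample message is constructed in the style of
OpenSMTPD's Received lines; it is not a real captured message.
"""
import email
import re

# OpenSMTPD puts the TLS parameters in parentheses after the queue id, e.g.
# "(TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO)"; "with ESMTPS"/"ESMTPSA" (RFC 3848)
# also signals a TLS-protected session. Other MTAs differ, so both are checked.
TLS_PARAMS_RE = re.compile(r"\((TLSv[0-9.]+[^)]*)\)")
WITH_RE = re.compile(r"\bwith\s+([A-Z0-9]+)\b")
BY_RE = re.compile(r"\bby\s+(\S+)")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def parse_received(value: str) -> dict:
    """Extract the hop's from/by names, the protocol keyword and TLS details."""
    flat = " ".join(value.split())          # the header was folded across lines
    with_m = WITH_RE.search(flat)
    proto = with_m.group(1) if with_m else ""
    tls_m = TLS_PARAMS_RE.search(flat)
    from_m = FROM_RE.search(flat)
    by_m = BY_RE.search(flat)
    return {
        "from": from_m.group(1) if from_m else "",
        "by": by_m.group(1).rstrip(";") if by_m else "",
        "with": proto,
        "tls": tls_m.group(1) if tls_m else "",
        "encrypted": bool(tls_m) or proto.upper().startswith("ESMTPS"),
    }


def tls_per_hop(raw_message: str) -> list:
    """Return hops in transmission order (first hop first) with TLS status."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received", [])
    # Received headers are prepended, so the first header is the last hop.
    return [parse_received(v) for v in reversed(received)]


def unencrypted_hops(raw_message: str) -> list:
    """Names of the 'by' hosts that received the message without TLS."""
    return [h["by"] for h in tls_per_hop(raw_message) if not h["encrypted"]]


# Constructed sample: two hops, the first without TLS, the second with TLSv1.2.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx-in.example.net (OpenSMTPD) with ESMTPS id 5a1b2c3d
\t(TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO)
\tfor <user@example.net>;
\tFri, 25 Jun 2021 10:00:02 +0000 (UTC)
Received: from laptop.internal (laptop.internal [10.0.0.5])
\tby mail.example.org (OpenSMTPD) with ESMTP id 9f8e7d6c
\tfor <user@example.net>;
\tFri, 25 Jun 2021 10:00:01 +0000 (UTC)
From: sender@example.org
To: user@example.net
Subject: TLS check

test
"""

if __name__ == "__main__":
    for hop in tls_per_hop(SAMPLE):
        mark = "TLS " + hop["tls"] if hop["encrypted"] else "PLAINTEXT"
        print("%s -> %s: %s (%s)" % (hop["from"], hop["by"], mark, hop["with"]))
```

Only the hop that wrote a given Received line can vouch for it, so this tells you what each receiving server claims, which is exactly what the headers of your own mail show: the last hop used TLSv1.2, the earlier ones say nothing.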



Re: Authentication problem

2021-06-15 Thread Thomas Bohl

Authentication does now work with this line in the file "smtpd.conf" :
---
table secrets file:/etc/mail/secrets
---

But if instead of a text file I use a db file, it does not work


Then don't use it. :-)

file is recommended over db anyway:
https://www.mail-archive.com/misc@opensmtpd.org/msg03302.html



Re: How to copy all outgoing mails based on sender definition

2021-06-07 Thread Thomas Bohl
So I have a list of users defined on a server and I want to copy all 
mails of users with a specific mail domain.


I don't think that is possible without writing a custom filter or mda.



Re: How to reject a domain

2021-04-17 Thread Thomas Bohl

Hello,

In my logs, I see that the host "starttls-virginia.proxy-research.com" 
regularly connects to my server and disconnects without doing anything.


To not make it appear anymore in the logs, I tried to block it with this 
rule in smtpd.conf but it does not work :

match \
from mail-from "proxy-research.com" \
for domain $DOMAIN \
reject

Where $DOMAIN is "mydomain.tld".

Where is my mistake ?


That would only reject the mail reception if a sender would try to send 
mails to *@mydomain.tld with *@proxy-research.com as a sender address. 
(And even then I believe you would have to add an @ before 
proxy-research.com)
But you stated that the connection doesn't do anything. So the 
rejection-rule can't apply.


Even if you would use

match from rdns starttls-virginia.proxy-research.com reject

you would still get a log entry. You have to block them with a firewall.



Re: Forwarding to one or more accounts

2021-04-13 Thread Thomas Bohl
us...@foo.com, us...@foo.com and us...@bar.com can access their emails 
via IMAP over Dovecot, OpenSMTPD hands off emails via lmtp to Dovecot and 
emails sent to user1al...@foo.com are stored in the us...@foo.com account.


But here is my problem, now I want to add "forwardings" for some 
accounts. An email sent to us...@foo.com should be stored in the mailbox 
but also sent to us...@external-domain-gmail.com. Sadly I have no idea 
on how to do that. Any ideas?



Since you use Dovecot this can be achieved with a Sieve script:

require ["copy", "fileinto"];

if address :matches "Delivered-To" "us...@foo.com" {
   redirect :copy "us...@external-domain-gmail.com";
}



Re: What DKIM RSA key length to use

2021-04-11 Thread Thomas Bohl

That´s weird. I just tested this with simple/simple, relaxed/simple,
relaxed/relaxed and simple/relaxed, all with a 2048 bits key, but all my
messages got accepted. Can you reproduce this issue and share me the
content of the mail (ncluding headers) that had the issue?


I did send you something off list.



Re: What DKIM RSA key length to use

2021-04-10 Thread Thomas Bohl

Hello,


In the filter-dkimsign readme I suggest to use 2048 and I stand by it.


Thanks for mentioning and coding filter-dkimsign! Somehow I was unaware 
of it. I used rspamd just for DKIM. Which is overkill. The daemon racks 
up nearly 28000 daily DNS requests to free services (like dnswl.org, 
senderscore.com, spamhaus.org etc.) just by running. (I didn't use it as 
an inbound filter. I overwrote rbl.conf. I have no clue what it is 
doing.) So I switched to filter-dkimsign.


I also switched to a 2048 bits key. Which looks good so far. Ironically 
only dkimvalidator.com had a problem verifying until I relaxed the 
canonicalization algorithms.
(Other tests like mail-tester.com or github.com/lieser/dkim_verifier had 
no problem with it being simple.)




Re: Handling of local delivery errors: TempFail on 5xx?

2021-04-08 Thread Thomas Bohl

Hi,


In the event that the local delivery fails with a 5xx error, OpenSMTPD
queues the message for retry (and eventually supplies the sender with
a "delayed" delivery notification, etc). My naive expectation is that
SMTP 5xx means permanent failure, so an immediate bounce would be more
appropriate.
(if I read it right) according to RFC 1893 both codes should be treated 
as permanent failures. I don't see anything in RFC 2033 that would 
negate that for LMTP.


Having said that: Accepting a message as an MX only to immediately let 
it bounce is bad practice. I have last seen such a setup 15 years ago, 
where the MX would accept mails for subdomains it had no mailbox 
knowledge of. Before the system was finally overhauled, 90% of the data 
centre's internet upload was bounce messages! Insane!


Think about it. Your setup accepts everything. It takes responsibility. 
Now it turns out the address can't (for whatever reason) be delivered 
to. Your system has to inform the sender. If you hadn't accepted the 
mail, the responsibility would still lie with the sender's system and not 
yours.
If the MAIL FROM was forged the bounce messages could go to a 
non-involved party. To them it could look like your system is sending spam.
If you get hit by a spam wave in the form of 
$every_name_in_the_b...@example.com, your system will give the spammer 
positive feedback for seriously every address. Not only will they come 
again, your system will send thousands of bounce messages to god knows 
where.


You should seriously bring the mailbox status to the front!



What DKIM RSA key length to use

2021-03-28 Thread Thomas Bohl

  
  
Hello,

I only recently started to use DKIM and DMARC. (Yesterday to be
exact. Now mails to Gmail go to the inbox and not the spam-folder.
Which is nice.) I started with a 1024 bits RSA key.

I followed
https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/
and
https://prefetch.eu/blog/2020/email-server/#dkim

poolp.org talks in length about why to use a 1024 bits key in order
not to truncate the DNS TXT record.
prefetch.eu uses 2048 bits and talks shortly about why not to use
something bigger. (Which makes sense, since RFC 6376 says that up to
2048 bits MUST be supported and larger keys only MAY be.)

Microsoft 365 talks about that 1024 and 2048 bitness is supported,
but defaults to 1024.
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide#manually-upgrade-your-1024-bit-keys-to-2048-bit-dkim-encryption-keys

Google Workspace recommends a key with 2048 bits, if your domain
host can manage it.
https://support.google.com/a/answer/174126


I guess my question is: Is the problem with a truncated DNS TXT
record, as described on poolp.org, still a thing to worry about, or
have things improved since 2019 and one can unhesitatingly use a 2048
bits key?

Thanks for reading
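To make the truncation question concrete, here is an added example (not from these posts) in Python that assembles a DKIM TXT record, splits it into the 255-octet character-strings a TXT RDATA consists of, renders a zone line, and then joins and parses the strings the way a verifier does. It covers the RSA-2048 case discussed here and the k=ed25519 record asked about in the "Am I running an open relay?" thread. The key material is zero-filled base64 of the correct length (392 characters for a 2048-bit RSA SubjectPublicKeyInfo, 44 for Ed25519), not a real key.

```python
#!/usr/bin/env python3
"""
Added example (not from the list posts): build the DNS TXT record for a DKIM
public key, split it into the <=255-octet character-strings a TXT RDATA is made
of, and re-assemble and parse it as a verifier would. A 2048-bit RSA key does
not fit in one 255-octet string, so zone editors that do not split
automatically must be given the pieces.

The key material below is constructed filler of realistic length, not a key.
"""
import base64

MAX_TXT_STRING = 255          # RFC 1035 <character-string> limit
CLASSIC_UDP_LIMIT = 512       # RFC 1035 UDP payload size before EDNS(0)


def dkim_record(pubkey_b64: str, key_type: str = "rsa", testing: bool = False) -> str:
    """Assemble the tag=value record as it must read once all strings are joined."""
    tags = ["v=DKIM1", "k=%s" % key_type, "h=sha256"]
    if testing:
        tags.append("t=y")    # testing mode: verifiers treat failures as neutral
    tags.append("p=%s" % pubkey_b64)
    return "; ".join(tags)


def split_txt(record: str, limit: int = MAX_TXT_STRING) -> list:
    """Cut a record into character-strings of at most `limit` octets."""
    data = record.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def zone_line(name: str, strings: list) -> str:
    """Render the split record as a zone-file TXT line (nsd, BIND, ...)."""
    quoted = " ".join('"%s"' % s for s in strings)
    return "%s IN TXT %s" % (name, quoted)


def join_txt(strings: list) -> str:
    """What a DKIM verifier does: concatenate the strings without separators."""
    return "".join(strings)


def parse_dkim(record: str) -> dict:
    """Parse tag=value pairs; whitespace inside values (folded p=) is ignored."""
    out = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, _, value = part.partition("=")
        out[tag.strip()] = "".join(value.split())
    return out


def rdata_size(strings: list) -> int:
    """RDATA octets: each character-string costs one length byte plus its data."""
    return sum(1 + len(s.encode("ascii")) for s in strings)


def fits_classic_udp(strings: list) -> bool:
    """Optimistic check: does the TXT RDATA alone stay under the pre-EDNS
    512-byte limit? (Header, question and name compression also cost bytes.)"""
    return rdata_size(strings) < CLASSIC_UDP_LIMIT


# Constructed filler of realistic length, labelled as such (not real keys).
RSA2048_FILLER_B64 = base64.b64encode(bytes(294)).decode("ascii")   # 392 chars
ED25519_FILLER_B64 = base64.b64encode(bytes(32)).decode("ascii")    # 44 chars

if __name__ == "__main__":
    for label, key, ktype in (("rsa-2048", RSA2048_FILLER_B64, "rsa"),
                              ("ed25519", ED25519_FILLER_B64, "ed25519")):
        rec = dkim_record(key, ktype)
        parts = split_txt(rec)
        print("%s: %d chars, %d TXT strings, rdata=%d bytes, fits 512=%s"
              % (label, len(rec), len(parts), rdata_size(parts), fits_classic_udp(parts)))
        print(zone_line("sel._domainkey.example.org.", parts))
```

The 420-character RSA record needs two strings; a provider form that only accepts 255 characters will reject or drop the rest, so after publishing compare the joined output of dig +short txt sel._domainkey.example.org against the full p= value rather than trusting what the form displays.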

  




Re: help me understand local mail please

2021-03-17 Thread Thomas Bohl

what is address=local? is this smtpd.sock?


As far as I understand it, yes.
(Which makes the first part of my original answer somewhat wrong. I was 
thinking about something else while answering.)




I cannot understand in what moment connection automatically authenticates.


When you use mail, sendmail is used, which is smtpctl (see 
/etc/mailer.conf). smtpctl uses /var/run/smtpd.sock to communicate with 
smtpd. Connections via /var/run/smtpd.sock are (as you can see in your 
logs) from local. These local connections are automatically authenticated.
As far as I understand, connections over IP (even from 127.0.0.1) are 
never automatically authenticated, in order to prevent accidental open 
relays.




Re: help me understand local mail please

2021-03-07 Thread Thomas Bohl

Hello,


match action "mbox"
match from any for domain  action "deliver"
match auth from any for any action "relay"

--
as i can imagine, the "mbox" match is expanded to
match from local to local action "mbox"
if I understand it correctly, "from local" means that mail has come from 
127.0.0.1(or what?), 


Connections from mx.kasakoff.net are "from local".


> and "for local" is what?

Mails going to @mx.kasakoff.net.


I am asking, because actually, with this config, i can send mail to any 
server, look:
mx$ mail -v -r nore...@kasakoff.net -s "test mail" kos...@tvema.ru
test
.
EOT
<<< 220 mx.kasakoff.net ESMTP OpenSMTPD
 >>> EHLO localhost
<<< 250-mx.kasakoff.net Hello localhost [local], pleased to meet you
<<< 250-8BITMIME
<<< 250-ENHANCEDSTATUSCODES
<<< 250-SIZE 104857600
<<< 250 HELP
 >>> MAIL FROM:<nore...@kasakoff.net>
<<< 250 2.0.0 Ok
 >>> RCPT TO:<kos...@tvema.ru>
<<< 250 2.1.5 Destination address valid: Recipient ok
 >>> DATA
<<< 354 Enter mail, end with "." on a line by itself
 >>> .
<<< 250 2.0.0 6bc3d534 Message accepted for delivery
 >>> QUIT
<<< 221 2.0.0 Bye

"tvema.ru" is not local, then, why does it work?


Because of this line in your config:

match auth from any for any action "relay"

Your connection is local, so it's automatically authenticated and 
matches with "auth".

Mail from is "nore...@kasakoff.net" so it matches with "from any".
Rcpt to is "kos...@tvema.ru", which is not in the domains table, so it 
matches with "for any".

Ergo the mail will be relayed to mail.tvema.ru.



Re: Relaying local mail

2020-08-24 Thread Thomas Bohl

Is there a reason you don't want to make root@host2 or @host2 a valid
recipient on host1?



Mainly because if I were to spin up host3, 4 and 5, I'd prefer not to
have to change the config on host1.


Then I would suggest to use authentication.

On hostX:

action "relay2host1" relay \
host smtps://foo@host1 \
auth { foo = password }

match from any for any action "relay2host1"



And on host1 mail from foo gets accepted no matter what:

listen on $v4adr port 12345 smtps \
hostname host1 pki host1 \
auth { foo = $2b$08$dB1z...$ smtpctl encrypt password }

action "send_by_hostX" ... virtual { "@" => user }

match auth foo from any for any action "send_by_hostX"


HTH



Re: Relaying local mail

2020-08-22 Thread Thomas Bohl

Hi,


If on host2 I do

 # sendmail -t <<- .
 From: root
 To: root
 Subject: Test

 .

it expands the address to root@host2 and gets rejected by the host1
because it doesn't know what to do with the address.


Is there a reason you don't want to make root@host2 or @host2 a valid 
recipient on host1?




Re: Problem with Dovecot LMTP delivery

2020-08-09 Thread Thomas Bohl

Hi,


action remote_delivery lmtp "/usr/lib/dovecot/lmtp" rcpt-to virtual 



    Camping - inotifywait -mrq /usr/lib/dovecot - show the
    lmtp executable is never touched, when Dovecot is running.


You have to call the LMTP server by IP:Port or UNIX socket, not by 
executable.


On OpenBSD it would look like this:
action remote_delivery lmtp "/var/dovecot/lmtp" rcpt-to virtual 


With
# doveconf | grep lmtp
you can look if your config uses "unix_listener lmtp"

# doveconf | grep state_dir
should tell you the directory of the lmtp unix socket.



2) Also there doesn't seem to be a working Dovecot LMTP
    example, anywhere I can find. If someone can point me
    to an example (using new syntax), that would be great.


https://prefetch.eu/blog/2020/email-server/



Re: smtp-out: Address family mismatch

2020-07-22 Thread Thomas Bohl

Currently I have 100+ EMails queued with "Network error on
destination MX". This is a severe regression since OpenBSD
6.6.

Every insightful comment is highly appreciated


Please show your complete config file. Maybe it has an error.



My current (new-style) smtpd.conf has a line

 action "relay_external" relay src 192.168.1.1 helo 
"mail.example.com"


Does your original config have a private IP address too? Maybe you are 
behind a janky NAT router?




Re: smtp-out: Address family mismatch

2020-07-06 Thread Thomas Bohl

Hello,


I see a lot of outgoing EMails queued with a message "smtp-out:
Address family mismatch" in the log file. My colleagues don't like
EMails being put on hold at all.



My current (new-style) smtpd.conf has a line

 action "relay_external" relay src 192.168.1.1 helo "mail.example.com"



My guess would be that the target domain, at the time of the DNS query, 
only returned a IPv6 address.



I have a similar problem. My config is

action "relay2Internet" relay \
helo $hostn \
src {$v4adr, $v6adr}

as I want to allow IPv4 and IPv6. Since the src addresses are 
alternated I often get "Address family mismatch" because the target 
doesn't have IPv6 yet. (At least I believe that is what's happening.)




Re: 553 ORCPT address syntax error

2020-06-15 Thread Thomas Bohl

In /etc/mail/aliases I used to say
  root: sys...@example.com 


Your /etc/aliases must look like:

root: sys...@example.com


And that’s what I used if you read my mail correctly.


The plain text version of your mail has exactly the quoted line.

https://www.mail-archive.com/misc@opensmtpd.org/msg05036.html



Re: plain text authentication

2020-05-11 Thread Thomas Bohl

Hi,

I need to use plain text authentication. I have to migrate an old 
postfix server that uses this authentication mode. I have a lot of 
devices configured in this way. I have to plan the migration to TLS, 
while I want to use OpenSMTPD with plain text authentication. It's possible?


It's not possible to use plain text authentication with OpenSMTPD.
https://www.mail-archive.com/misc@opensmtpd.org/msg04397.html

I guess your migration plan has to give OpenSMTPD a different hostname 
or port and let postfix run till every device is moved to a TLS config.




Re: How to set from: for bounce mails from OpenSMTPD

2020-05-10 Thread Thomas Bohl

Hello,


Let me know if you upgrade and this fixes the issue. I would be really 
interested to know if this is a bug which has been fixed in a newer version of 
OpenSMTPD.



updating to OpenBSD 6.6 (OpenSMTPD 6.6.0) indeed fixed the issue. Now I 
receive bounce back messages.


From: mailer-dae...@mx.aloof.de

Hi!

This is the MAILER-DAEMON, please DO NOT REPLY to this email.

An error has occurred while attempting to deliver a message for
the following list of recipients:

bouncet...@tribulant.com: 550 No such person at this address.

Below is a copy of the original message:


Reporting-MTA: dns; mx.aloof.de

Final-Recipient: rfc822; bouncet...@tribulant.com
Action: failed
Status: 5.0.0

...

The maillog still has the from=<> thing though.
May 10 21:24:29 o3 smtpd[79692]: 23da0fd0c56b2c65 smtp envelope 
evpid=a6a961ff5fbfaf7b from=<> to=




Re: Catchall user

2020-04-05 Thread Thomas Bohl

Hi,


Let' s assume I have 3 virtual users A, B and X on my domain
I want to receive mail for all of them. No problem, that's easy to set up.

But now, suppose some one (locally or non-locally) sends a mail to user 
C that does not exist (nor virtual nor as a account). I want my set-up 
to be able to deliver it to user X. Basically, I want X to receive all 
the mails that were sent to my domain, but not to an existing virtual user.


Is there a way to achieve that?


You have a virtual table. Just do this:

a@mydomain  user_a
b@mydomain  user_b
@mydomain   user_x

You even can write
@   user_x
to receive absolutely everything.


> And more generally, is that a good idea?

Some bosses like it, so a potential customer email doesn't get lost 
because of a typo. But X will most likely only ever receive spam.

Do it and make your own experience :-)



Re: how to match my relay rules against a list of IP's?

2020-03-20 Thread Thomas Bohl

arrowhead$ more /etc/mail/localhosters
[::1]/128


It looks like there is a bug. The table has to start with an IPv4 address.

This works
127.0.0.1
::1

while this doesn't
::1
127.0.0.1



Re: How to set from: for bounce mails from OpenSMTPD

2020-02-24 Thread Thomas Bohl

I have the same problem (my logs look the same) and am very interested
in a solution.


I was wondering which version of OpenBSD are you using? and which version of 
Dovecot?


Fully syspatched and 'pkg_add -u'ed
OpenBSD 6.5
OpenSMTPD 6.5.0
dovecot-2.3.9.2v0

I usually upgrade in a timely manner to the latest stable, but due to 
circumstances I'm still on 6.5.




Have you found a solution in the mean time?


Haven't found time to investigate further. I hope to find time in a few 
weeks to upgrade and look again into this topic. Will post an update if 
I find a solution.




Re: How to set from: for bounce mails from OpenSMTPD

2020-02-14 Thread Thomas Bohl

Hello,


I am running OpenBSD 6.5 with OpenSMTPD and dovecot and if I send an email to 
an invalid email address, I do not get a bounce back from OpenSMTPD telling me 
that the email address is invalid. So this means I never know that I made a 
mistake in sending my email.



I have the same problem (my logs look the same) and am very interested 
in a solution.



$ cat /etc/mail/smtpd.conf
v4adr = 192.168.0.202
v6adr = 1:2:3:4:5:6:7:8
hostn = example.com

table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table ma2user file:/etc/mail/mail2user
table legladr file:/etc/mail/legal-mail-from
table loclonl file:/etc/mail/local-mail-only
table pwdauth file:/etc/mail/pwdauth
table passwd  file:/etc/mail/passwd

pki $hostn cert "/etc/mail/example.com_Cert.pem"
pki $hostn key "/etc/mail/example.com_Key.pem"

smtp max-message-size 150M

listen on lo0
listen on $v4adr port 465 smtps \
hostname $hostn pki $hostn \
mask-src auth  senders 
listen on $v6adr port 465 smtps \
hostname $hostn pki $hostn \
mask-src auth  senders 
listen on $v4adr port 587 tls-require \
hostname $hostn pki $hostn \
auth  senders 
listen on $v6adr port 587 tls-require \
hostname $hostn pki $hostn \
auth  senders 

action "receivedLocally" lmtp "/var/dovecot/lmtp" alias 
action "receivedRemotely" lmtp "/var/dovecot/lmtp" virtual 
action "relay2MX" relay \
host smtps://e...@mx.example.com:465 \
auth  \
helo $hostn \
src $v6adr

match for local action "receivedLocally"
match auth from any for domain  action "receivedRemotely"
match auth from any for any mail-from  action "receivedRemotely"
match auth from any for any action "relay2MX"



Re: Skip recipient verification and forward everything to a LMTP socket

2020-01-17 Thread Thomas Bohl

> Hi,

Hi


I would like to put a OpenSMTPD server in front of a sourcehut lists
installation [1] (that is, a mailing list system for sourcehut).
OpenSMTPD and sourcehut communicate through a lmtp unix socket. Here is
my configuration (without the filter and pki parts):


 listen on eth0 tls pki lists.forge.mydomain.tld
 action sourcehut lmtp /tmp/lists.forge.mydomain-tld-lmtp.sock


try
action sourcehut lmtp /tmp/lists.forge.mydomain-tld-lmtp.sock rcpt-to



 match from any for domain "lists.forge.yaal.fr" action "sourcehut"

Now with this configuration I only get "550 Invalid recipient" errors,
which is expected because OpenSMTPD has no way to know what is a valid
sourcehut list recipient.


Your config doesn't verify recipients.



How can I make OpenSMTPD just skip the recipient verification, and just
forward everything to the lmtp socket?


In your case OpenSMTPD only "verifies" whether the host-part is 
"lists.forge.yaal.fr" and then tries to forward it to lmtp. But lmtp 
additionally expects a local user for delivery. The rcpt-to parameter 
passes through the recipient email-address instead of a local user.


HTH



Re: myca submission and letsencrypt smtp

2020-01-06 Thread Thomas Bohl

Hello,


letsencrypt for tls on port 25 for remote servers to verify

and tls-require verify auth on port 587 permitting self signed certificates



You will need to use different hostnames.


hostmx = mx.example.com
hostsub = mail.example.com

pki $hostmx cert "/etc/ssl/letsencrypt-mx.example.com_Fullchain.pem"
pki $hostmx key "/etc/ssl/letsencrypt-mx.example.com_Key.pem"

pki $hostsub cert "/etc/ssl/myca-mail.example.com_Fullchain.pem"
pki $hostsub key "/etc/ssl/myca-mail.example.com_Key.pem"


listen on $v4adr port 25 tls \
hostname $hostmx pki $hostmx

listen on $v4adr port 587 tls-require \
hostname $hostsub pki $hostsub



Re: table-passwd

2019-09-17 Thread Thomas Bohl

Hello,


Is there anyone using table-passwd for _any_ other purposes than sharing
with Dovecot ?


Unless I'm misunderstanding the question, I use it all the time.

If an appliance or server needs to be able to send or relay e-mail it 
gets an entry in the table-passwd, with an individual username and 
password combo. No need for Dovecot access under that user, no need for 
a system user.




I have built a fully virtual setup which shares credentials with Dovecot
and since I managed to do it _without_ table-passwd I'm wondering if the
table backend is really useful


My MXs are using individual credentials in order to relay incoming mails 
to the mailbox system. These credentials can't be abused to access a 
mailbox though. Same is true the other way around. (Mailbox server to 
"smarthost".) Without the table one would need to create system users?




Re: smarthost + aliases

2019-09-13 Thread Thomas Bohl

accept from local for any relay via \
   smtps+auth://gm...@smtp.gmail.com:465 \
   as tschwei...@gmail.com \
   auth  verify


Sorry, that is obviously wrong. I misunderstood.



Re: smarthost + aliases

2019-09-13 Thread Thomas Bohl

Hello,


listen on localhost
table aliases db:/etc/aliases.db
table secrets db:/etc/smtpd.secrets.db


(Just use file. There is no gain in using Berkeley DB.)


expire 4h


accept from local for any relay via \
  smtps+auth://gm...@smtp.gmail.com:465 \
  as tschwei...@gmail.com \
  auth  verify

https://man.openbsd.org/OpenBSD-6.3/smtpd.conf#relay_via

hth



Re: Virtual users with Dovecot/Neomutt/OpenSMTPD

2019-07-17 Thread Thomas Bohl

Hi,

what does your smtpd.conf look like? What versions are you using?

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: what's your LMTP use-case

2019-07-05 Thread Thomas Bohl

Hello,


I know plenty of people use the lmtp action to deliver mail through LMTP
and I'm genuinely curious: what is your use-case ?


I use dovecot's lmtp to utilise Sieve[1] scripts and mailbox replication[2].

[1] https://wiki2.dovecot.org/Pigeonhole
[2] https://wiki2.dovecot.org/Replication




Re: relay from authenticated users only

2019-07-02 Thread Thomas Bohl

Hello,


I'd like to change somehow the config to let authenticated users only
use my OpenSMPTD as a relay. Authentication should be based on the
machine's local user and password table (/etc/passwd).

I tried "listen on ... auth ..." but it complained about the lack of
TLS/smtps.


That is because you can't use authentication without encryption. Best 
you start looking into Let’s Encrypt. Though you could start with a 
self-signed certificate. Like it is shown in man smtpd.conf




accept from any for ! domain 486.hu relay via
tls+auth://t-onl...@mail.t-online.hu auth 


accept from local for any relay via \
tls+auth://t-onl...@mail.t-online.hu auth 


That should stop the visitors for now.

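
An added example, not from the list post: the step the reply above skips over, creating a self-signed certificate so that a listener can carry `tls-require` and therefore `auth`. The hostname `mail.example.com` and the output directory are assumptions; the smtpd.conf lines in the comments are an assumed fragment showing how the files are referenced. A CA-issued certificate (Let's Encrypt) is what the reply recommends for anything beyond a first test.

```shell
#!/bin/sh
# Added example (not from the list post): self-signed certificate for a
# first TLS-enabled listener, plus the checks worth doing on the result.
# Hostname and directory are assumptions.

# make_selfsigned HOSTNAME OUTDIR -> OUTDIR/HOSTNAME.key (mode 0600) and
# OUTDIR/HOSTNAME.crt; prints the certificate subject, fails if openssl fails
make_selfsigned() {
    host=$1; dir=$2
    key="$dir/$host.key"; crt="$dir/$host.crt"
    # unencrypted key (smtpd cannot prompt for a passphrase); SAN set because
    # clients no longer accept a bare CN
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$key" -out "$crt" 2>/dev/null || return 1
    chmod 600 "$key"            # private key readable by its owner only
    openssl x509 -in "$crt" -noout -subject -nameopt RFC2253
}

# cert_san CERT -> the DNS name carried in subjectAltName
cert_san() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *\(DNS:[^, ]*\).*/\1/p'
}

# key_mode FILE -> permission string as shown by ls, e.g. -rw-------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Demo into a scratch directory. For smtpd the usual places are
# /etc/ssl/<host>.crt and /etc/ssl/private/<host>.key, referenced like this
# (assumed fragment; "auth" without a table uses the system password database):
#   pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
#   pki mail.example.com key  "/etc/ssl/private/mail.example.com.key"
#   listen on egress port 587 tls-require pki mail.example.com auth
tmp=$(mktemp -d)
make_selfsigned mail.example.com "$tmp"
cert_san "$tmp/mail.example.com.crt"
key_mode "$tmp/mail.example.com.key"
rm -rf "$tmp"
```

Submission clients will still warn about the self-signed certificate until it is replaced or explicitly trusted; the point of this step is only to get encryption in place before any password is sent.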



Re: Intercepting mails with opensmtpd

2019-05-07 Thread Thomas Bohl

Hello,

accept from source  sender "" deliver 
to maildir "/home/mail/mydomain1/myuser/Maildir"


accept from source  sender "www-d...@mydomain2.com" deliver to 
maildir "/home/mail/mydomain1/myuser/Maildir"




Do you have an idea ?


Make sure it's above the relay rule.




Re: how could a safety mechanism be configured?

2019-05-01 Thread Thomas Bohl

Hello,


So what happened to me was that I activated a crontab accidentally that
fetchmails POP3 mail.  It connects to localhost and delivers to me
(pjp@localhost).  In my case the lmtp delivery caused a no such mailbox
error, and opensmtpd then sent a bounce to the originators of the mail as
MAILER-DAEMON via the relay.  How can I in future prevent this through the
config?


Letting fetchmail deliver directly to /var/imap/socket/lmtp should do the 
trick, because then no bouncing smtpd is involved.





Re: Static Table Entry - smtpd.conf

2019-04-21 Thread Thomas Bohl

Hi,


Is it valid if I add a static table entry in "smtpd.conf" like so;

table blacklist { "@*.anonymous-email.*" }


Yes


Spamd is not stopping it so I though I can reject emails using a static 
table as noted above. Will my wildcard work?


Yes, given an appropriate match action like
match from any for any mail-from  reject

(The reject line has to be above other match lines.)




Re: Unable to relay email

2019-04-06 Thread Thomas Bohl

This is my host and the source of the connection info I use:
https://support.bell.ca/internet/email/how-to-use-bell-mail?step=5


(That is what you find when you search for smtphm. The .co.jp-part 
doesn't really anonymise it. You should have used the original from the 
get-go.)




I get local "daily output" emails from "r...@local.home" sent to
"r...@local.home".


Do you have
root: wt...@bell.net
in /etc/mail/aliases?


Note: the domain is "local.home" and not "local.home.org" which is what it is
when I try to send to external addresses.


Not sure if I understand you there.

My last guess:

action "relay" relay \
host smtp+tls://my_re...@smtphm.sympatico.ca:587 \
mail-from wt...@bell.net \
auth 





Re: Unable to relay email

2019-04-06 Thread Thomas Bohl

The format of my secrets file is:

my_relay sender:PASSWORD


Any strange glyph to be concerned about?


At one point I was trying to connect to the server with openssl and when I used
"
perl -MMIME::Base64 -e 'print encode_base64("SomeBase64Code");' " for my
password it was truncating because of a char, so I changed that password out but
it made no difference.


Can you authenticate with openssl?


OK, let's rethink this. Assuming it stopped working the moment the system 
got rebooted, then there once was a working configuration that can be 
recreated. But if it stopped working around the time of the reboot there 
is the possibility the provider changed something, making it 
incompatible with OpenSMTPD. (Then it would be nice to have real hostnames.)


You could try:

action "relay" relay host smtps://my_re...@smtphm.example0.co.jp:465 
auth 


or:
action "relay" relay host smtp+tls://smtphm.example0.co.jp

(I assume you use smtpd only to send system messages to your personal 
inbox on smtphm.example0.co.jp. So maybe sending to someone on the 
system doesn't require authentication.)





Re: Unable to relay email

2019-04-05 Thread Thomas Bohl

Looks good.
I bet money that the username:password pair in  is just wrong :-)


How much would you like to wager? :)


10€ for the project :-)



I copied and pasted the info into a weblogin and it worked (unfortunately?)


Hm, maybe you need an "application password".

Try
# smtpd -dv -Ttransfer

There will be the line "mta: 0x: >>> AUTH PLAIN SomeBase64Code".

$ echo YourBase64Code | openssl enc -base64 -d
to see whether it contains the right login data.



The format of my secrets file is:

my_relay sender:PASSWORD


Any strange glyph to be concerned about?

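
An added example, not from the list post: the reply above says to decode the base64 blob behind "AUTH PLAIN" in the `smtpd -dv -Ttransfer` output and check it against the secrets table. The blob is the RFC 4616 PLAIN message (authzid NUL authcid NUL password, base64-encoded), so the helpers below build one from a username and password, take one apart, and pull one out of a log line. The log line and the credentials `my_relay`/`secret` are constructed, and NUL bytes are turned into tabs because they cannot be stored in shell variables.

```shell
#!/bin/sh
# Added example (not from the list post): encode, decode and extract the
# "AUTH PLAIN" token (RFC 4616: authzid NUL authcid NUL passwd, base64).
# The log line and credentials in the demo are constructed.

# auth_plain_encode USER PASS -> base64 token with an empty authzid
auth_plain_encode() {
    printf '\000%s\000%s' "$1" "$2" | openssl enc -base64 | tr -d '\n'
}

# auth_plain_decode TOKEN -> "authzid=... authcid=... passwd=..."
# NUL separators become tabs so awk can split the three fields.
auth_plain_decode() {
    printf '%s\n' "$1" | openssl enc -base64 -d | tr '\000' '\t' |
        awk -F '\t' '{ printf "authzid=%s authcid=%s passwd=%s\n", $1, $2, $3 }'
}

# auth_plain_from_log LINE -> decoded fields from a "... >>> AUTH PLAIN <token>" line
auth_plain_from_log() {
    token=$(printf '%s\n' "$1" | sed -n 's|.*>>> AUTH PLAIN \([A-Za-z0-9+/=]*\).*|\1|p')
    [ -n "$token" ] || { echo "no AUTH PLAIN token in line" >&2; return 1; }
    auth_plain_decode "$token"
}

# Demo: what the mta process logs for a secrets entry like "my_relay my_relay:secret"
# (the 0x1234 session id is made up).
line="mta: 0x1234: >>> AUTH PLAIN $(auth_plain_encode my_relay secret)"
echo "$line"
auth_plain_from_log "$line"
```

Compare the `authcid` and `passwd` fields with the `user:password` part of the matching secrets line; a stray trailing space or a character mangled on paste shows up here immediately. The decoded output contains the password, so run it in a root shell and do not paste it into a mailing list.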



Re: Unable to relay email

2019-04-05 Thread Thomas Bohl

For the server I am trying to connect, I was told to use 587 if 25 didn't work,
so I've been trying both.


You should use 587.



Here is the smtpd.conf now:


Looks good.
I bet money that the username:password pair in  is just wrong :-)

Don't forget to run
# smtpctl update table secrets
after you edit /etc/mail/secrets




Re: Unable to relay email

2019-04-05 Thread Thomas Bohl

==
/etc/mail/smtpd.conf diffs (-OLD  +NEW)
==
--- /var/backups/etc_mail_smtpd.conf.current    Fri Feb 22 01:30:23 2019
+++ /etc/mail/smtpd.conf    Fri Mar 15 20:49:37 2019
@@ -17,3 +17,5 @@
  # match from any for domain "example.org" action "local"
  match for local action "local"
  match for any action "relay"
+
+#action "relay" relay host smtp+tls://sen...@example0.co.jp:25
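
Review bot: the only content line this hunk adds is commented out, so the context line `match for any action "relay"` still refers to an action that nothing in the visible diff defines; if this line is meant to be the live relay definition, the leading `#` has to go. The added line also pins port 25 on a `smtp+tls://` URL while the logs discussed in this thread show port 587, which is the submission port an authenticated relay normally uses, so the port in the URL should be 587 rather than 25.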


I'm confused. The action line is commented out. Plus the explicit 
mention of port 25 while the logs show port 587.

Can't you just post the full /etc/mail/smtpd.conf?



Ok, my bad. The second diff is more current. The point about the port 
number still stands, though. And "user username" there is a syntax error.





Re: Unable to relay email

2019-04-05 Thread Thomas Bohl

On 05.04.2019 at 05:58, Juan Trippe wrote:

What's the alternative? Did you make an update?


I don't know, it was about a month ago. I was trying to get the relay working so
I was making changes to the smtpd.conf file. AFAIK I was restarting smtpd after
each edit and stopped when it worked.


What happened "late March"? Did you reboot the system or did smtpd crash?



==
/etc/mail/smtpd.conf diffs (-OLD  +NEW)
==
--- /var/backups/etc_mail_smtpd.conf.currentFri Feb 22 01:30:23 2019
+++ /etc/mail/smtpd.confFri Mar 15 20:49:37 2019
@@ -17,3 +17,5 @@
  # match from any for domain "example.org" action "local"
  match for local action "local"
  match for any action "relay"
+
+#action "relay" relay host smtp+tls://sen...@example0.co.jp:25
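
Review bot: the single added content line is commented out, so the context line `match for any action "relay"` points at an action this diff never defines; remove the leading `#` if the line is the intended relay definition, and use port 587 in the URL instead of the hard-coded 25, since the logs in this thread show the submission port being used.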


I'm confused. The action line is commented out. Plus the explicit 
mention of port 25 while the logs show port 587.

Can't you just post the full /etc/mail/smtpd.conf?




Re: Unable to relay email

2019-04-04 Thread Thomas Bohl

Yes, I know it's hard to believe, maybe I forget to reload smtpd.conf after I
made the edit, but I don't think so.


What's the alternative? Did you make an update?



Yes, secrets exists and has valid login info. I tested the info with Thunderbird
on a client and was able to send an email


(Assuming Port 587 with STARTTLS.)
Is your server IP on a blacklist? https://www.dnsbl.info/
Can you change the password of bob?




Re: Unable to relay email

2019-04-04 Thread Thomas Bohl

Hello,

action “relay” relay user username host smtp+tls://b...@smtp.example.com 
auth 



It worked fine until late March.


Hard to believe, since it is a syntax error.


smtpd -n was ok after user [username] was removed but the relay no 
longer functioned. The main cause seems to be a lack of authentication 
as I get a "mta error reason=AUTH rejected: 535 Authentication failed" 
when I try to send an email while running smtpd -dv.


 exists or smtpd wouldn't start.
An entry for bob exists or a warning would appear.
An authentication is attempted or "530 Authentication required" would 
(most likely) appear.


1. Is bob still an active account on smtp.example.com?
2. Is the password in  still valid?
3. Is smtp.example.com still the preferred smarthost in the eyes of its 
provider?

4. Is your IP on a blacklist? https://www.dnsbl.info/




Re: How to setup a "clean MTA" in 2019?

2019-04-03 Thread Thomas Bohl

Hello,


- setup the mta to use a EHLO name matching DNS for the IP


I continually get that the two do not match using the various email
testers. Yet the domain names do indeed match.


Care to share the logs of one of those testers?
When your server says "EHLO mx1.example.com" then the reverse DNS of the 
connected IP also has to be mx1.example.com.


A beginner's trap on systems with more than one IP address is to forget 
to explicitly set the right outgoing address. (Via src in the action 
directive.) Don't forget IPv6.


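
An added example, not from the list post: a forward-confirmed reverse DNS check for the rule the reply states, that the PTR of the connecting IP must be the EHLO name and the EHLO name must resolve back to that IP. It assumes dig(1) is installed; the two `lookup_*` wrappers exist only so the decision logic can be exercised with canned answers, and the names and addresses in the usage line are constructed from RFC 5737 documentation space.

```shell
#!/bin/sh
# Added example (not from the list post): forward-confirmed reverse DNS
# check for an MTA's EHLO name. Assumes dig(1); names and addresses used
# in comments and tests are constructed.

# lookup_ptr IP -> PTR names, one per line, without the trailing dot
lookup_ptr() {
    dig +short -x "$1" | sed 's/\.$//'
}

# lookup_a NAME -> A and AAAA addresses, one per line
lookup_a() {
    dig +short A "$1"
    dig +short AAAA "$1"
}

# fcrdns_check EHLO_NAME IP -> exit 0 and "OK ..." on stdout,
# exit 1 and the failing direction otherwise
fcrdns_check() {
    name=$1; ip=$2
    if ! lookup_ptr "$ip" | grep -qxF "$name"; then
        echo "FAIL: PTR of $ip is not $name (got: $(lookup_ptr "$ip" | tr '\n' ' '))"
        return 1
    fi
    if ! lookup_a "$name" | grep -qxF "$ip"; then
        echo "FAIL: $name does not resolve back to $ip; with more than one address on the host, set 'src $ip' in the relay action"
        return 1
    fi
    echo "OK: $ip and $name are forward-confirmed"
}

# Usage: ./fcrdns.sh mx1.example.com 192.0.2.10
if [ $# -eq 2 ]; then
    fcrdns_check "$1" "$2"
fi
```

Run it once per address the server actually sends from, IPv6 included; a host that EHLOs as `mx1.example.com` but leaves on a second address whose PTR is something else fails the first test even though the name itself is set up correctly.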



Re: 550 invalid recipient issue

2019-03-19 Thread Thomas Bohl

Can you maybe post your virtuals?


Here my /usr/local/etc/mail/virtuals:

ab...@domain.comus...@domain.com
postmas...@domain.com   us...@domain.com
webmas...@domain.comus...@domain.com


The line for us...@domain.com is missing.
The debug output shows that you are trying to send to us...@domain.com 
and no entry is found. Can you mail to ab...@domain.com?





Re: 550 invalid recipient issue

2019-03-18 Thread Thomas Bohl

Which leads to the question: Does user1 exist?



But I do not understand why osmtpd is looking at the /etc/passwd file when I have always used my table files (defined in smtp.conf) with a working environment, 


My understanding is, according to the configuration you presented, that 
it has to lookup /etc/passwd. (I'm only unsure about the role of rcpt-to 
in this.)


https://man.openbsd.org/OpenBSD-6.3/table#Aliasing_tables
"Aliasing tables are mappings that associate a recipient to one or many 
destinations.

...
accept for domain example.org virtual  deliver to mbox
...
In a virtual domain context, the key is either a user part, a full email 
address or a catch all ... and the value is one or many recipients as 
described in aliases(5):"


https://man.openbsd.org/OpenBSD-6.3/aliases.5
"...The file consists of key/value mappings of the form:

key: value1, value2, value3, ...
...The key is expanded to the corresponding values, which consist of one 
or more of the following:


user
A user on the host machine. The user must have a valid entry in the 
passwd(5) database file. ..."



> and user1 has never been a system user.

What is user1 then? A virtual Dovecot user?
Can you maybe post your virtuals?

You could experiment with the "as user" parameter.
https://man.openbsd.org/OpenBSD-6.3/smtpd.conf.5#deliver_to_lmtp

P.S.
Like in your first message you again wrote "smtp.conf". I'm sure you 
meant "smtpd.conf", right?





Re: 550 invalid recipient issue

2019-03-18 Thread Thomas Bohl

The configuration loaded is correct as I see the daemon is loading the correct 
certificates and stuff if launched with smtpd -dv -T smtp. I am very shocked as 
I am not able to figure out what happened. I never changed any config file 
since December and I have installed this environment at least 3 times in my lab 
and was always working. I have forced the daemon to load my config file with -f 
and the issue persist.


At this point I would recreate /usr/local/etc/mail/domains and 
/usr/local/etc/mail/virtuals. Rename the old files.

Start by retyping (no clipboard) one line per file.

Reload them via
# smtpctl update table domains
# smtpctl update table virtuals


You could also test a "catchall"
@   user1




Re: 550 invalid recipient issue

2019-03-16 Thread Thomas Bohl

Both files are looking good/same as before and local delivery with sendmail 
does not work:

ga...@server.com... Connecting to [127.0.0.1] via relay...
220 mail.server.com ESMTP OpenSMTPD

EHLO mail.server.com

250-mail.server.com Hello mail.server.com [127.0.0.1], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250 HELP

MAIL From: SIZE=108

250 2.0.0: Ok

RCPT To:

550 Invalid recipient


Hm... You said it stopped working after you restarted smtpd.
Maybe it runs off a wrong config file?

I once accidentally typed "smtpd" in the middle of changing the 
configuration. Which started a daemonized smtpd with an unfinished 
config. No matter how often I changed the smtpd.conf and typed "rcctl 
restart smtpd" the wrong config persisted :-) It took me about two hours 
until I realised smtpd was still running after "rcctl stop smtpd".





Re: 550 invalid recipient issue

2019-03-15 Thread Thomas Bohl

Hello,


#Allow local delivery
accept from any for local alias  deliver to lmtp 
"/var/run/dovecot/lmtp" rcpt-to

#Allow virtual domains
accept from any for domain  virtual  deliver to lmtp 
"/var/run/dovecot/lmtp" rcpt-to


Are the files /usr/local/etc/mail/domains and 
/usr/local/etc/mail/virtuals still ok?

Does local delivery with sendmail work?




Re: Mail to root not working anymore with 6.4

2019-01-12 Thread Thomas Bohl

userdb {
   args = uid=vmail gid=vmail home=/var/vmail/%d/%n
   driver = static
}
nuc#
I had forgotten that I had my dovecot setup like that.
I set it up that way so that I can have e-mail users that are not system 
users.


That is kind of important information.
That makes the question whether farid has a $HOME or the alias edit 
pointless.


...I don't know, have you tried to simply symlink 
/var/vmail/nuc.example.com to /var/vmail/example.com

And go for
fa...@example.com:$2b$09$x.::
fa...@nuc.example.com:$2b$09$x.::




Re: Mail to root not working anymore with 6.4

2019-01-11 Thread Thomas Bohl

Hello,


action lmtp-local lmtp "/var/dovecot/lmtp" rcpt-to
#action lmtp-local lmtp "/var/dovecot/lmtp" rcpt-to alias 


Looks like you commented the wrong line out.




Re: Mail loops when relaying and using smtp auth

2018-11-28 Thread Thomas Bohl

By default, there is ‘accept from local for any relay’, and I’ve kept that in 
place. Is this what you were referring to?


That is what's causing the loop. "relay" looks for the MX record (which 
is what you want for everything but your own domain). "relay via" skips that.




As I understand it, ‘accept from any’ would be inclusive of ‘local’—is this not 
the case?


No, I believe you are right.



As a test to understand what you’d recommended, I added

accept from local for domain  relay via 

and tested—that presented the same mail loop problem.


1. Is  what you call "upstream"? Aka your mailbox system?
2. Are the accept lines in the right order? From specific to common.
3. Can you post the error log?
(4. Full smtpd.conf would be nice.)



I’m somewhat new to OpenSMTPd


Then you should skip 6.3 and move to OpenBSD 6.4, because of the new 
configuration style. You are learning a deprecated config style at the 
moment.





Re: Mail loops when relaying and using smtp auth

2018-11-28 Thread Thomas Bohl

Hi,


It is possible to configure OpenSMTPd to detect this scenario and to know that 
it should relay that email to domain.com rather than trying to deliver it to 
its MX server, which happens to be the server itself?

Here’s a very abridged version of my config, showing the relay and 
authentication configurations:

accept from any for domain  relay via  # relay config


Use "accept from local" to tell the server what to do with 
authenticated sessions.


(It would be "match auth" for the new configuration style.)



