Re: /etc/mail/aliases question

2023-06-14 Thread J Doe

On 2023-06-14 18:32, Thomas Bohl wrote:
> The default is
> -rw-r--r--  1 root  wheel  2045 Oct 28  2022 aliases
>
>> My question is - why does smtpd output what it does - particularly the 
>> "failed to update table" portion ?
>
> Because _smtpd does not have read access to /etc/mail/aliases.


Hi Thomas,

Ah, you are correct!  When I reset the permissions on: aliases, aliases.db 
to the defaults you mentioned and then edited aliases and re-ran: 
newaliases, all is good:


Jun 14 20:07:45 server smtpd[87551]: info: Table "aliases" successfully 
updated


Silly mistake on my part ... I must have changed the permissions at some 
point.  Thanks for your help!


- J
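The explanation in this thread comes down to an ordinary Unix permission check: newaliases is run as root via doas, so it reads /etc/mail/aliases whatever the mode, while smtpd's lookup process runs as the unprivileged _smtpd user and is refused on a file that is only readable by root and group wheel. The script below is an added example, not code from the thread or from OpenSMTPD, that reproduces that check for an ls -l mode string. The uid/gid used for _smtpd and its non-membership in wheel are illustrative assumptions, and mode 0640 for the broken file is a guess, since the listing in the thread is garbled.

```python
"""Added example, not code from the thread or from OpenSMTPD: the Unix
read-permission check behind "fopen: Permission denied".

Assumptions (not stated on the page): _smtpd's uid, its primary group and
its non-membership in wheel are illustrative values, and 0640 for the broken
file is a guess because the thread's listing is garbled.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    mode: int          # permission bits only, e.g. 0o644
    uid: int
    gid: int


@dataclass(frozen=True)
class Principal:
    name: str
    uid: int
    gids: frozenset    # primary group plus supplementary groups


def parse_ls_mode(text: str) -> int:
    """Turn the first column of ls -l ('-rw-r--r--') into permission bits.

    Only the nine rwx positions are used; setuid/setgid/sticky letters count
    as the execute bit they imply, which is all a read check needs.
    """
    perms = text[1:10]
    if len(perms) != 9 or any(c not in "rwxsStT-" for c in perms):
        raise ValueError(f"not an ls -l mode string: {text!r}")
    bits = 0
    for i, ch in enumerate(perms):
        if ch in "rwxst":              # 'S'/'T' mean the x bit is NOT set
            bits |= 1 << (8 - i)
    return bits


def can_read(f: FileInfo, p: Principal) -> bool:
    """Discretionary access check as the kernel applies it for read.

    root bypasses it; otherwise exactly one class applies, chosen in the
    order owner, group, other.  A group member does NOT fall through to the
    'other' bits, so a wheel member could not read a 0604 file either.
    """
    if p.uid == 0:
        return True
    if p.uid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in p.gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


ROOT_UID, WHEEL_GID = 0, 0
ROOT = Principal("root", ROOT_UID, frozenset({WHEEL_GID}))
SMTPD = Principal("_smtpd", 95, frozenset({95}))   # assumed ids; not in wheel


def who_can_read(ls_mode: str, owner_uid: int = ROOT_UID,
                 group_gid: int = WHEEL_GID) -> dict:
    """Map principal name -> whether it may read a file with this listing."""
    f = FileInfo(parse_ls_mode(ls_mode), owner_uid, group_gid)
    return {p.name: can_read(f, p) for p in (ROOT, SMTPD)}


if __name__ == "__main__":
    # default mode vs. the assumed broken mode from the thread
    for listing in ("-rw-r--r--", "-rw-r-----"):
        print(listing, who_can_read(listing))
```

Note that smtpd's log names the text file /etc/mail/aliases, not aliases.db, so it is the text file's mode that matters to the table reload. On the host itself the live equivalent is to read the file as the service user (for example through a doas rule for _smtpd) rather than as root.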




Re: /etc/mail/aliases question

2023-06-14 Thread Thomas Bohl

Hello,


> However, the output from: newaliases shows:
>
>      $ doas newaliases
>      /etc/mail/aliases: 69 aliases
>
> Test messages also show that the changes to the aliases file are being 
> picked up.

That should not be the case. But hard to tell without the full config.

> The current permissions I have on: /etc/mail/aliases are:
>
> -rw-r-   1 root   wheel   2.1K Jun 14 17:31 aliases
> -rw-r-   1 root   wheel  64.0K Jun 14 17:31 aliases.db
>
> ... and I don't believe I've changed the file permissions (please 
> correct me if this isn't the default set of permissions).

The default is
-rw-r--r--  1 root  wheel  2045 Oct 28  2022 aliases

> My question is - why does smtpd output what it does - particularly the 
> "failed to update table" portion ?

Because _smtpd does not have read access to /etc/mail/aliases.



/etc/mail/aliases question

2023-06-14 Thread J Doe

Hi,

I have a question regarding some output to: /var/log/maillog when I 
update the: /etc/mail/aliases file.


If I make a change to: /etc/mail/aliases:

   $ doas vim /etc/mail/aliases
   $ doas newaliases

I see the following in: /var/log/maillog:

... server smtpd[50072]: /etc/mail/aliases: fopen: Permission denied
... server smtpd[50072]: info: Failed to update table "aliases"

However, the output from: newaliases shows:

$ doas newaliases
/etc/mail/aliases: 69 aliases

Test messages also show that the changes to the aliases file are being 
picked up.


The current permissions I have on: /etc/mail/aliases are:

-rw-r-   1 root   wheel   2.1K Jun 14 17:31 aliases
-rw-r-   1 root   wheel  64.0K Jun 14 17:31 aliases.db

... and I don't believe I've changed the file permissions (please 
correct me if this isn't the default set of permissions).


My question is - why does smtpd output what it does - particularly the 
"failed to update table" portion ?


Thanks,

- J



Re: Question Regarding The 'poolp' Guide On How To Deploy A Mail Server's Last Portion Regarding Dovecot With 'sieve' Scripts

2021-06-17 Thread Samuel Banya
Thanks for this idea, yeah I posted about this on that mailing list too, thanks 
for the suggestion!

Happy to have tried OpenBSD for a mail server though, it's been fun so far :)

On Fri, Jun 18, 2021, at 3:36 AM, Ryan Kavanagh wrote:
> On Fri, Jun 18, 2021 at 03:23:35AM +, Samuel Banya wrote:
> > This is what was present AFTER my changes in
> > '/etc/dovecot/conf.d/90-plugin.conf' (aka I followed this post's
> > workaround
> > http://dovecot.2317879.n4.nabble.com/sieve-compile-error-td70414.html):
> 
> Visually comparing this with my own working configuration, I can't see
> any meaningful differences. FWIW, I have:
> 
>   sieve_plugins = sieve_imapsieve sieve_extprograms
>   sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
> 
> Seeing that this is a dovecot issue and not an opensmtpd issue, you'll
> probably have better luck asking on the dovecot mailing lists
> https://www.dovecot.org/mailing-lists or in #dovecot on OFTC.
> 
> Best,
> Ryan
> 
> -- 
> |)|/  Ryan Kavanagh  | GPG: 4E46 9519 ED67 7734 268F
> |\|\  https://rak.ac |  BD95 8F7B F8FC 4A11 C97A
> 
> 


Re: Question Regarding The 'poolp' Guide On How To Deploy A Mail Server's Last Portion Regarding Dovecot With 'sieve' Scripts

2021-06-17 Thread Ryan Kavanagh
On Fri, Jun 18, 2021 at 03:23:35AM +, Samuel Banya wrote:
> This is what was present AFTER my changes in
> '/etc/dovecot/conf.d/90-plugin.conf' (aka I followed this post's
> workaround
> http://dovecot.2317879.n4.nabble.com/sieve-compile-error-td70414.html):

Visually comparing this with my own working configuration, I can't see
any meaningful differences. FWIW, I have:

  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment

Seeing that this is a dovecot issue and not an opensmtpd issue, you'll
probably have better luck asking on the dovecot mailing lists
https://www.dovecot.org/mailing-lists or in #dovecot on OFTC.

Best,
Ryan

-- 
|)|/  Ryan Kavanagh  | GPG: 4E46 9519 ED67 7734 268F
|\|\  https://rak.ac |  BD95 8F7B F8FC 4A11 C97A



Question Regarding The 'poolp' Guide On How To Deploy A Mail Server's Last Portion Regarding Dovecot With 'sieve' Scripts

2021-06-17 Thread Samuel Banya
Hello everyone,

I've been following the "poolp" guide on how to deploy an email server on 
OpenBSD:
- 
https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/

I'm currently at the very end of the guide in which he is using sieve with 
Dovecot to do some final filtering.

The unfortunate thing is that when I run these two commands in the 
'/usr/local/lib/dovecot/sieve' directory:
sievec report-ham.sieve
sievec report-spam.sieve

I'm getting the following error:
# sievec report-ham.sieve
report-ham: line 1: error: require command: unknown Sieve capability 
`vnd.dovecot.pipe'.
report-ham: line 1: error: require command: unknown Sieve capability 
`imapsieve'.
report-ham: line 15: error: unknown command 'pipe' (only reported once at first 
occurrence).
report-ham: error: validation failed.
sievec(root): Fatal: failed to compile sieve script 'report-ham.sieve'
# sievec report-spam.sieve
report-spam: line 1: error: require command: unknown Sieve capability 
`vnd.dovecot.pipe'.
report-spam: line 1: error: require command: unknown Sieve capability 
`imapsieve'.
report-spam: line 7: error: unknown command 'pipe' (only reported once at first 
occurrence).
report-spam: error: validation failed.
sievec(root): Fatal: failed to compile sieve script 'report-spam.sieve'

What's interesting is that this same post has the same exact error, and I tried 
his workaround which did NOT work unfortunately:
- http://dovecot.2317879.n4.nabble.com/sieve-compile-error-td70414.html

This is what was present BEFORE my changes in '
plugin {
  sieve_plugins = sieve_imapsieve sieve_extprograms

  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment

  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox1_causes = COPY APPEND
  imapsieve_mailbox1_before = 
file:/usr/local/lib/dovecot/sieve/report-spam.sieve

  imapsieve_mailbox2_name = *
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve

  imapsieve_mailbox3_name = Inbox
  imapsieve_mailbox3_causes = APPEND
  imapsieve_mailbox3_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve

  sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
}

This is what was present AFTER my changes in 
'/etc/dovecot/conf.d/90-plugin.conf' (aka I followed this post's workaround
http://dovecot.2317879.n4.nabble.com/sieve-compile-error-td70414.html):
plugin {
  sieve_plugins = sieve_imapsieve sieve_extprograms

  sieve_global_extensions = +vnd.dovecot.environment +vnd.dovecot.debug 
+vnd.dovecot.pipe

  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox1_causes = COPY APPEND
  imapsieve_mailbox1_before = 
file:/usr/local/lib/dovecot/sieve/report-spam.sieve

  imapsieve_mailbox2_name = *
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve

  imapsieve_mailbox3_name = Inbox
  imapsieve_mailbox3_causes = APPEND
  imapsieve_mailbox3_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve

  sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
}

Any ideas on what I can do?

Thanks,

~ Sam

Hello and mixed dex/dns operation question

2020-10-12 Thread Stuart D. Gathman
I have been using opensmtpd for fully dex operation, as described in 
https://fedoramagazine.org/decentralize-common-fedora-apps-cjdns/
(Yes the smtpd.conf has changed a bit since that article was written.)

Now, I wanted to also relay outgoing mail that is *not* a raw IP
through a server.  Using relay host is straightforward, but then I lose
the fully dex operation.  Is there any way to have my cake and eat it
too?






Can't get opensmtpd to match rules and deliver to dovecot (possibly another newbie question)

2020-08-26 Thread Fabian Müller
Hi again!

 

About two weeks ago I had my first newbie-question where this list helped me – 
thank you again!

 

Back then Marcus Merighi recommended that I already make opensmtpd validate if 
the recipient exists and refuse if he doesn’t. I am having a hard time 
accomplishing this. I am feeling like I don’t understand some fundamental 
concepts of opensmtpd but I can’t figure out how to learn them.

 

 

# Goals

1. I want to get my opensmtpd to get all user and alias information via mysql. 
(working at least regarding goal 2)

2. I want it to deliver emails from authenticated users via smtp to anywhere. 
(already working)

3. I want it to take emails for existing users and deliver them via lmtp to 
dovecot.

4. I want it to take emails for aliases and forward them to the destination 
both internally and externally.

 

(complete config below)

 

 

# 3. Deliver to existing users via lmtp

I am failing to get a rule to match.

 

Originally I had this rule which should accept all emails for the domains in 
the table (the wanted user-check was not included):

 

match from any for domain  action "inbound"

 

But that always results in 550 Invalid recipient. Then I tried rcpt-to to 
hard-code one email address

 

match from any rcpt-to *EMAILADDRESSHERE* action "inbound"

 

but I still get 550 Invalid recipient.

 

 

Furthermore I am totally confused by the virtual users concept. I don’t really 
get the difference between user, userbase and virtual and I don’t understand 
how, if I specify mysql as a table, opensmtpd knows which query from the mysql 
config-file it should use to get the needed table-items.

 

Logically the syntax should be something like

 

Match from any rcpt-to  action "inbound"

 

and then I should have table domains mysql:/etc/mail/mysql.conf Where I can 
specify a query that is run with what ever is the real rcpt-to. But that seems 
to be a big misconception, so how is it right?

 

 

# 4. Forward for aliases

Haven’t even tried yet. I fail to understand how that would work. 

 

# smtpd.conf

# Set variables

ipv4addr = *removed*

hostn = mx01.*domainremoved*

 

# compress the queue, encrypt it and delete after 4 hours 
(optional)

#queue compression

#queue encryption key "***"

#expire 4h

 

# Add certificates

pki mx01.mx.itsmind.dev cert "/etc/ssl/mx01.*domainremoved*.crt"

pki mx01.mx.itsmind.dev key "/etc/ssl/private/mx01.*domainremoved*.key"

 

# Load relevant tables

table domains mysql:/etc/mail/mysql.conf

table credentials mysql:/etc/mail/mysql.conf

table virtuals mysql:/etc/mail/mysql.conf

 

# Listen

listen on $ipv4addr port smtp tls

listen on $ipv4addr smtps pki mx01.*domainremoved* auth 

listen on $ipv4addr port submission tls-require pki mx01.*domainremoved* auth 


 

# define actions

action "inbound" lmtp "mda1:24"

action "outbound" relay

 

# define triggers

match from any for domain  action inbound

#match from any rcpt-to "EMAIL-ADDRESS-HERE" action "inbound"

#match for any action "outbound"

match auth from any for any action "outbound"

 

# /etc/mail/mysql.conf

host XXX

username XXX

password XXX

database XXX

 

query_credentials SELECT email, password FROM virtual_users WHERE email=?;

query_domain SELECT name FROM virtual_domains WHERE name=?;

#query_userinfo SELECT uid,gid,maildir FROM virtual_users WHERE email=?;

query_alias SELECT destination FROM virtual_aliases WHERE source=?;

 

 

Conclusion

Getting started with opensmtpd is actually extremely hard… but I am happy that 
there is this mailing list!

 

Thank you in advance!

 

Kind regards

Fabian  



Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-16 Thread Marcus MERIGHI
Hello Fabian, 

not answering your question and not solving your problem, but after your
introduction I feel compelled to say:

f...@1lb.eu (Fabian Müller), 2020.08.16 (Sun) 02:15 (CEST):
> 1. take e-mails on port 25, check via mysql if it's for a domain it is
> responsible for and then forward via lmtp to dovecot which then takes
> care of everything else (including rejecting unknown users).

I'd recommend to deny delivery right at the front door, i.e. let
OpenSMTPd do the rejection. That way the sender gets the
Non-Delivery-Notification from her/his own mail server. 

Otherwise the sending server sees the 
"250 2.0.0 XXYYZZ Message accepted for delivery"
and thinks all is well.

Later, when dovecot rejects, your server has to send the NDN,
possibly to a spammer, which might bounce and all of that.

Marcus
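Putting Marcus's advice and Fabian's two earlier posts together in configuration terms: with OpenSMTPD's `match`/`action` syntax, an `lmtp` action that carries no `virtual` (or `userbase`) option makes smtpd resolve every recipient as a local system account, which is why `match from any for domain <domains> action "inbound"` answered `550 Invalid recipient` for mailboxes that exist only in the database. Giving the action a `virtual` table does two things at once: it expands real mailboxes and aliases, and it refuses any recipient that is not in the table while the SMTP session is still open, so the sending server, not this host, produces the non-delivery notification and there is no backscatter. The fragment below is an added example, not configuration from the thread or from the OpenSMTPD project; the host name, the table contents and the `vmail` account are assumed for illustration.

```conf
# Added example, not from the thread: reject unknown recipients at RCPT TO.
# Table contents, host names and the "vmail" account are assumed.

table domains  { "example.org" }
# mapping table: recipient -> local delivery user (mailbox), or -> another
# address (alias, expanded internally).  "vmail" must exist as a local account.
table virtuals { "alice@example.org" = "vmail",
                 "info@example.org"  = "alice@example.org" }

# WRONG for database-only users: without "virtual" every recipient is looked
# up as a system account, so alice@example.org gets "550 Invalid recipient".
# action "inbound" lmtp "mda1:24"

# CORRECT: expand recipients through <virtuals>; anything not in the table is
# refused during the SMTP transaction, so the sending MTA, not this host,
# generates the bounce.  "rcpt-to" hands Dovecot the full address instead of
# the local user name.
action "inbound"  lmtp "mda1:24" rcpt-to virtual <virtuals>
action "outbound" relay

match from any for domain <domains> action "inbound"
match auth from any for any action "outbound"

# The same tables backed by MySQL use one config file for all of them; smtpd
# chooses the query by lookup kind (domain -> query_domain, virtual/alias ->
# query_alias, authentication -> query_credentials), not by the table's name.
# table domains  mysql:/etc/mail/mysql.conf
# table virtuals mysql:/etc/mail/mysql.conf
```

For the MySQL-backed variant this means `query_alias` has to return a row for every real mailbox as well as for every alias; a recipient for which it returns nothing is exactly the one smtpd will reject at the front door.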



Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-16 Thread Fabian Müller
Hi Edgar, hi Reio,

smtpd -dv did the job:

It turned out that opensmtpd could not connect to the db because there was a 
space after the db name. So "host db.example.com " instead of "host 
db.example.com".

Now it connects fine but I get illegal table-api version which prevents 
opensmtpd from starting up. I guess that's from a version mismatch between the 
debian buster packages of opensmtpd and opensmtpd-extras. According to the 
Debian bugtracker this is fixed in the latest backport packages. I'll give it a 
try.

Thanks a lot for your help!

Greetings
Fabian


On 16.08.2020 at 11:00, Reio Remma wrote:


On 16.08.2020 03:15, Fabian Müller wrote:
> So what we know: It has something to do with the mysql-tables. What I don’t 
> understand is, what opensmtpd is trying to do which leads to that error. To 
> my understanding opensmtpd should only try to connect to the database if it 
> needs to read from the tables, which – if just starting up – obviously is not 
> the case.

IIRC OpenSMTPD opens the connection to MySQL server at startup. Just like it 
opens all other tables at startup.

Anything in MySQL logs? I'm fairly certain it is a connection issue.

Like Edgar recommended, try running smtpd -dv possibly with trace enabled as 
well.

Good luck,
Reio
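The cause Fabian found, a single trailing space after the host name in /etc/mail/mysql.conf, is invisible in a listing and only surfaces as "table-proc: pipe closed" when the backend process gives up. The following is an added example, not code from the thread or from opensmtpd-extras: a small Python lint pass over a table-mysql(5) file that reports trailing whitespace, unknown or duplicate keys, empty values, missing connection settings, and queries that do not carry exactly one `?` placeholder (the `$1` form Fabian also tried is not what table-mysql binds the lookup key to). The key names are the ones documented for table-mysql; the two sample files in the block are constructed for the example and are not the configuration from the thread.

```python
"""Added example, not code from the thread or from opensmtpd-extras: a lint
pass over a table-mysql(5) configuration file.

Key names follow table-mysql(5).  The sample files are constructed for this
example.  The trailing-whitespace check exists because a stray space after
the host name broke the database connection in the thread.
"""

CONNECTION_KEYS = {"host", "username", "password", "database"}
QUERY_KEYS = {
    "query_alias", "query_domain", "query_credentials", "query_netaddr",
    "query_userinfo", "query_source", "query_mailaddr", "query_addrname",
    "query_mailaddrmap",
}
KNOWN_KEYS = CONNECTION_KEYS | QUERY_KEYS


def lint_table_mysql(text: str) -> list:
    """Return human-readable findings for one config file; [] means clean."""
    findings = []
    seen = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                  # blank line or comment
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if line != line.rstrip():
            findings.append(f"line {lineno}: trailing whitespace after the "
                            f"{key!r} value (a stray space after the host "
                            "name broke the connection in the thread)")
        if key not in KNOWN_KEYS:
            findings.append(f"line {lineno}: unknown key {key!r}")
            continue
        if key in seen:
            findings.append(f"line {lineno}: duplicate key {key!r} "
                            f"(first set on line {seen[key]})")
        seen[key] = lineno
        if not value:
            findings.append(f"line {lineno}: {key!r} has no value")
        elif key in QUERY_KEYS:
            if "$1" in value:
                findings.append(f"line {lineno}: {key} uses '$1'; table-mysql "
                                "binds the lookup key to a '?' placeholder")
            if value.count("?") != 1:
                findings.append(f"line {lineno}: {key} must contain exactly "
                                "one '?' placeholder")
    for key in sorted(CONNECTION_KEYS - seen.keys()):
        findings.append(f"missing connection setting {key!r}")
    return findings


# Constructed sample: note the space after the host name, the '$1'
# placeholder, and the typo in the last key name.
BROKEN_CONF = (
    "host db.example.com \n"
    "username smtpd\n"
    "password secret\n"
    "database mail\n"
    "\n"
    "query_credentials SELECT email, password FROM virtual_users WHERE email=?;\n"
    "query_domain SELECT name FROM virtual_domains WHERE name=$1;\n"
    "query_alais SELECT destination FROM virtual_aliases WHERE source=?;\n"
)

# Constructed sample with the same content, corrected.
CLEAN_CONF = (
    "host db.example.com\n"
    "username smtpd\n"
    "password secret\n"
    "database mail\n"
    "query_credentials SELECT email, password FROM virtual_users WHERE email=?;\n"
    "query_domain SELECT name FROM virtual_domains WHERE name=?;\n"
    "query_alias SELECT destination FROM virtual_aliases WHERE source=?;\n"
)


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("clean", CLEAN_CONF)):
        print(f"{name}:")
        for finding in lint_table_mysql(conf) or ["ok"]:
            print("  " + finding)
```

Running it on the real file before reaching for `smtpd -dv` is cheap; a clean result narrows the remaining suspects to credentials, network reachability and the table-api version mismatch mentioned in the thread.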



Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-16 Thread Reio Remma

On 16.08.2020 03:15, Fabian Müller wrote:
> So what we know: It has something to do with the mysql-tables. What I 
> don’t understand is, what opensmtpd is trying to do which leads to 
> that error. To my understanding opensmtpd should only try to connect 
> to the database if it needs to read from the tables, which – if just 
> starting up – obviously is not the case.

IIRC OpenSMTPD opens the connection to MySQL server at startup. Just 
like it opens all other tables at startup.

Anything in MySQL logs? I'm fairly certain it is a connection issue.

Like Edgar recommended, try running smtpd -dv possibly with trace 
enabled as well.


Good luck,
Reio



Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-15 Thread Edgar Pettijohn
On Sun, Aug 16, 2020 at 02:15:52AM +0200, Fabian Müller wrote:
> 
> is your user allowed to connect to the host above?
> 
> ** Which host do you mean? mx01 is allowed to connect to db (ha-proxy) and 
> even db1, db2, db3 directly (which I also tried, but did not change 
> anything). And the internet is allowed to connect to mx1. Or did you mean the 
> mda1? mda1 is not yet set up.
>

The user from mysql.conf needs to be able to connect to the mysql server
found at host db.[removed for privacy].

>  
> 
> > username [removed for privacy]
> 
> > password [removed for privacy]
> 
> > database [removed for privacy]
> 
> > 
> 
> > query_credentials SELECT email, password FROM virtual_users WHERE email=?;
> 
> > query_domain SELECT name FROM virtual_domains WHERE name=?;
> 
> > query_userinfo SELECT uid,gid,maildir FROM virtual_users WHERE email=?;
> 
> > query_alias SELECT destination FROM virtual_aliases WHERE source=?;
> 
>  
> 
> # Further explanations: What I've tried
> 
> First I guess the error has something to do with the mysql-stuff.
> 
>  
> 
> But I am really really confused about the whole mysql-tables thing and can't 
> find a place where actually somebody explained (or documented) how it works.
> 
>  
> 
> Have you tried:
> 
>  
> 
> man table-mysql
> 
>  
> 
> Perhaps its missing if so you can find it on github.
> 
>  
> 
>  
> 
> ** I found the source for a man that sheds light on what those config options 
> are for. 
> 
>  
> 
> But that actually doesn't help me with the error which occurs or if they 
> are needed.
> 
>  
> 
> By taking a look at table_proc.c from the opensmdpd source on github I guess 
> 
>  
> 
> > warn: table-proc: pipe closed
> 
>  
> 
> means that opensmtpd got an empty response when trying to do something (?) 
> with a table. I am unsure what opensmtpd is trying to do with the table. 
> Strangely it isn't even trying to connect to the db-server (tcpdump 
> reveals that). 
> 
>  
>

table-proc is a separate process if I'm not mistaken that needs to talk
to the table-mysql which is a separate process. If the pipe is closed
they can't talk to each other.

> So what we know: It has something to do with the mysql-tables. What I don't 
> understand is, what opensmtpd is trying to do which leads to that error. To 
> my understanding opensmtpd should only try to connect to the database if it 
> needs to read from the tables, which – if just starting up – obviously is 
> not the case. 
> 
>

If you try something like:

# smtpd -dv

You should get some useful messages from table-mysql if its not
connecting or what have you.

Edgar



Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-15 Thread Fabian Müller
Hi Edgar

 

thanks for your reply!

 

From: Edgar Pettijohn 
Date: Sunday, 16 August 2020 at 01:00
To: Fabian Müller 
Cc: 
Subject: Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a 
newbie-question)

 

On Sun, Aug 16, 2020 at 12:13:41AM +0200, Fabian Müller wrote:

Hi!

 

I am hopefully a new opensmtpd user and before I'll start off with my first 
newbie question I'd be happy to briefly introduce myself: I'm Fabian from 
Germany. Actually I am studying German law, but as – unlike legal 
work – anyone who wants to can "do" IT stuff, I've also been in IT since 
I left school. Together with some friends I own a small IT company which makes 
me here and there a few bucks but is actually there more for the fun rather 
than the profit. During school time I already ran a mail server (postfix + 
dovecot, but that actually doesn't mean I've known anything about mail ;)) 
but after we started offering services to businesses we somehow switched over 
to an all-in-one solution (plesk).

As those AiO solutions suck because they are a black box and debugging is a 
nightmare we've decided to do hosting ourselves again. And as I am the only one 
of us who is motivated to dive into mail, it became my part. So after some days 
googling around and spending a serious amount of time on YouTube watching 
mail-server-congress-talks I decided to go with a setup including opensmtpd 
rather than postfix. As the best way to start with something is to start trying 
I spun up a few cloud servers and started trying. As expected I ran into 
problems but – not expected – reading the man and googling around couldn't 
solve them.

 

So that's how I ended up here, hoping for your help!

 

# General Setup

1. OpenSMTPD (tables via mysql, delivering via lmtp)

2. Dovecot (not yet set up)

3. MariaDB Galera Cluster as Backend-Database

 

# The Problem

I'm getting the following error and can't connect to port 25 from outside world 
(telnet port 25).

 

Are you sure your ISP isn't blocking you? Can you connect to a non
standard port or the submission port from outside?

 

listen on egress port 5000

 

telnet yourhost.com 5000

 

** It turned out that opensmtpd is exiting with status=1/FAILURE after 
generating the already mentioned error (I only looked at the mail log and not 
at the syslog as I thought opensmtpd might be at least starting up successfully 
as the start command did not return an error (as it would if e.g. I had a syntax 
error in my config)). So no ISP block.

 

 

 

> Aug 15 23:17:25 mx01 smtpd[32458]: info: OpenSMTPD 6.0.3-portable starting

> Aug 15 23:17:25 mx01 smtpd[32462]: warn: table-proc: pipe closed

> Aug 15 23:17:25 mx01 smtpd[32462]: lookup: table-proc: exiting

> Aug 15 23:17:25 mx01 smtpd[32459]: smtpd: process lka socket closed 

 

 

Is mysqld up and running? Have you verified from the command line that
your username and password are correct?

 

mysql --user=username --password=password dbase

 

** Yes! I even tried the command used in the mysql.conf (SELECT name FROM 
virtual_domains WHERE name=[mailhost];) which returned the expected hostname.

 

# Host-System

OS: Debian 10

OpenSMTPd: 6.0.3p1-5+deb10u4

Openssmtpd-extras: 5.7.1-4+b2

 

# /etc/smtpd.conf

> # Set variables

> ipv4addr = [removed for privacy]

> hostn = mx01.[removed for privacy]

> 

> # compress the queue, encrypt it and delete after 4 
> hours (optional)

> #queue compression

> #queue encryption key "[removed for privacy]"

> #expire 4h

> 

> # Add certificates

> pki mx01.[removed for privacy] certificate "/etc/ssl/mx01.[removed for 
> privacy].crt"

> pki mx01.[removed for privacy] key "/etc/ssl/private/mx01.[removed for 
> privacy].key"

> 

> # Load relevant tables

> table domains mysql:/etc/mail/mysql.conf

> table credentials mysql:/etc/mail/mysql.conf

> 

> # Listen

> listen on $ipv4addr port smtp tls

> listen on $ipv4addr smtps pki mx01.mx.itsmind.dev auth 

> listen on $ipv4addr port submission tls-require pki mx01.mx.itsmind.dev auth 
> 

> 

> # Accept and relay e-mails

> accept from any for domain  deliver to lmtp "mda1:24"

> accept for any relay

 

# /etc/mail/mysql.conf

> host db.[removed for privacy]

 

is your user allowed to connect to the host above?

** Which host do you mean? mx01 is allowed to connect to db (ha-proxy) and even 
db1, db2, db3 directly (which I also tried, but did not change anything). And 
the internet is allowed to connect to mx1. Or did you mean the mda1? mda1 is 
not yet set up.

 

> username [removed for privacy]

> password [removed for privacy]

> database [removed for privacy]

> 

> query_credentials SELECT email, password FROM virtual_users WHERE email=?;

> query_domain SELECT name FROM virtual_doma

Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-15 Thread Edgar Pettijohn
On Sun, Aug 16, 2020 at 12:13:41AM +0200, Fabian Müller wrote:
> Hi!
> 
> I am hopefully a new opensmtpd user and before I'll start off with my first 
> newbie question I'd be happy to briefly introduce myself: I'm Fabian from 
> Germany. Actually I am studying German law, but as – unlike legal 
> work – anyone who wants to can "do" IT stuff, I've also been in IT 
> since I left school. Together with some friends I own a small IT company 
> which makes me here and there a few bucks but is actually there more for the 
> fun rather than the profit. During school time I already ran a mail server 
> (postfix + dovecot, but that actually doesn't mean I've known anything 
> about mail ;)) but after we started offering services to businesses we 
> somehow switched over to an all-in-one solution (plesk).
> 
> As those AiO solutions suck because they are a black box and debugging is a 
> nightmare we've decided to do hosting ourselves again. And as I am the only one 
> of us who is motivated to dive into mail, it became my part. So after some 
> days googling around and spending a serious amount of time on YouTube 
> watching mail-server-congress-talks I decided to go with a setup including 
> opensmtpd rather than postfix. As the best way to start with something is to 
> start trying I spun up a few cloud servers and started trying. As expected I 
> ran into problems but – not expected – reading the man and googling 
> around couldn't solve them.
> 
> So that's how I ended up here, hoping for your help!
> 
> # General Setup
> 1. OpenSMTPD (tables via mysql, delivering via lmtp)
> 2. Dovecot (not yet set up)
> 3. MariaDB Galera Cluster as Backend-Database
> 
> # The Problem
> I'm getting the following error and can't connect to port 25 from outside 
> world (telnet port 25).

Are you sure your ISP isn't blocking you? Can you connect to a non
standard port or the submission port from outside?

listen on egress port 5000

telnet yourhost.com 5000

> 
> > Aug 15 23:17:25 mx01 smtpd[32458]: info: OpenSMTPD 6.0.3-portable starting
> > Aug 15 23:17:25 mx01 smtpd[32462]: warn: table-proc: pipe closed
> > Aug 15 23:17:25 mx01 smtpd[32462]: lookup: table-proc: exiting
> > Aug 15 23:17:25 mx01 smtpd[32459]: smtpd: process lka socket closed 
> 

Is mysqld up and running? Have you verified from the command line that
your username and password are correct?

mysql --user=username --password=password dbase

> # Host-System
> OS: Debian 10
> OpenSMTPd: 6.0.3p1-5+deb10u4
> Openssmtpd-extras: 5.7.1-4+b2
> 
> # /etc/smtpd.conf
> > # Set variables
> > ipv4addr = [removed for privacy]
> > hostn = mx01.[removed for privacy]
> >
> > # compress the queue, encrypt it and delete after 4 
> > hours (optional)
> > #queue compression
> > #queue encryption key "[removed for privacy]"
> > #expire 4h
> >
> > # Add certificates
> > pki mx01.[removed for privacy] certificate "/etc/ssl/mx01.[removed for 
> > privacy].crt"
> > pki mx01.[removed for privacy] key "/etc/ssl/private/mx01.[removed for 
> > privacy].key"
> > 
> > # Load relevant tables
> > table domains mysql:/etc/mail/mysql.conf
> > table credentials mysql:/etc/mail/mysql.conf
> > 
> > # Listen
> > listen on $ipv4addr port smtp tls
> > listen on $ipv4addr smtps pki mx01.mx.itsmind.dev auth 
> > listen on $ipv4addr port submission tls-require pki mx01.mx.itsmind.dev 
> > auth 
> > 
> > # Accept and relay e-mails
> > accept from any for domain  deliver to lmtp "mda1:24"
> > accept for any relay
> 
> # /etc/mail/mysql.conf
> > host db.[removed for privacy]

is your user allowed to connect to the host above?

> > username [removed for privacy]
> > password [removed for privacy]
> > database [removed for privacy]
> > 
> > query_credentials SELECT email, password FROM virtual_users WHERE email=?;
> > query_domain SELECT name FROM virtual_domains WHERE name=?;
> > query_userinfo SELECT uid,gid,maildir FROM virtual_users WHERE email=?;
> > query_alias SELECT destination FROM virtual_aliases WHERE source=?;
> 
> # Further explanations: What I've tried
> First I guess the error has something to do with the mysql-stuff.
> 
> But I am really really confused about the whole mysql-tables thing and can't 
> find a place where actually somebody explained (or documented) how it works.

Have you tried:

man table-mysql

Perhaps its missing if so you can find it on github.

> 
> In the beginning I thought it works like if I write 
> 
> > table domains mysql:/etc/mail/m

warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-15 Thread Fabian Müller
Hi!

I am hopefully a new opensmtpd user and before I'll start off with my first 
newbie question I'd be happy to briefly introduce myself: I'm Fabian from 
Germany. Actually I am studying German law, but as – unlike legal work 
– anyone who wants to can "do" IT stuff, I've also been in IT since I left 
school. Together with some friends I own a small IT company which makes me here 
and there a few bucks but is actually there more for the fun rather than the 
profit. During school time I already ran a mail server (postfix + dovecot, but 
that actually doesn't mean I've known anything about mail ;)) but after we 
started offering services to businesses we somehow switched over to an 
all-in-one solution (plesk).

As those AiO solutions suck because they are a black box and debugging is a 
nightmare we've decided to do hosting ourselves again. And as I am the only one 
of us who is motivated to dive into mail, it became my part. So after some days 
googling around and spending a serious amount of time on YouTube watching 
mail-server-congress-talks I decided to go with a setup including opensmtpd 
rather than postfix. As the best way to start with something is to start trying 
I spun up a few cloud servers and started trying. As expected I ran into 
problems but – not expected – reading the man and googling around couldn't 
solve them.

So that's how I ended up here, hoping for your help!

# General Setup
1. OpenSMTPD (tables via mysql, delivering via lmtp)
2. Dovecot (not yet set up)
3. MariaDB Galera Cluster as Backend-Database

# The Problem
I'm getting the following error and can't connect to port 25 from outside world 
(telnet port 25).

> Aug 15 23:17:25 mx01 smtpd[32458]: info: OpenSMTPD 6.0.3-portable starting
> Aug 15 23:17:25 mx01 smtpd[32462]: warn: table-proc: pipe closed
> Aug 15 23:17:25 mx01 smtpd[32462]: lookup: table-proc: exiting
> Aug 15 23:17:25 mx01 smtpd[32459]: smtpd: process lka socket closed 

# Host-System
OS: Debian 10
OpenSMTPd: 6.0.3p1-5+deb10u4
Openssmtpd-extras: 5.7.1-4+b2

# /etc/smtpd.conf
> # Set variables
> ipv4addr = [removed for privacy]
> hostn = mx01.[removed for privacy]
>
> # compress the queue, encrypt it and delete after 4 hours 
> (optional)
> #queue compression
> #queue encryption key "[removed for privacy]"
> #expire 4h
>
> # Add certificates
> pki mx01.[removed for privacy] certificate "/etc/ssl/mx01.[removed for 
> privacy].crt"
> pki mx01.[removed for privacy] key "/etc/ssl/private/mx01.[removed for 
> privacy].key"
> 
> # Load relevant tables
> table domains mysql:/etc/mail/mysql.conf
> table credentials mysql:/etc/mail/mysql.conf
> 
> # Listen
> listen on $ipv4addr port smtp tls
> listen on $ipv4addr smtps pki mx01.mx.itsmind.dev auth 
> listen on $ipv4addr port submission tls-require pki mx01.mx.itsmind.dev auth 
> 
> 
> # Accept and relay e-mails
> accept from any for domain  deliver to lmtp "mda1:24"
> accept for any relay

# /etc/mail/mysql.conf
> host db.[removed for privacy]
> username [removed for privacy]
> password [removed for privacy]
> database [removed for privacy]
> 
> query_credentials SELECT email, password FROM virtual_users WHERE email=?;
> query_domain SELECT name FROM virtual_domains WHERE name=?;
> query_userinfo SELECT uid,gid,maildir FROM virtual_users WHERE email=?;
> query_alias SELECT destination FROM virtual_aliases WHERE source=?;

# Further explanations: What I've tried
First I guess the error has something to do with the mysql-stuff.

But I am really really confused about the whole mysql-tables thing and can't 
find a place where actually somebody explained (or documented) how it works.

In the beginning I thought it works like if I write 

> table domains mysql:/etc/mail/mysql.conf

to the smtpd.conf the value domains is retrieved from what's stated after

query_domains  (query_domains because the name of the table is domains. So from 
my guess table example would translate to query_example).

Therefore I only had one line 

query_domain SELECT name FROM virtual_domains WHERE name=?;

in my mysql.conf. I've also tried using $1 instead of ?. After every conf I 
found in the internet (about 3) had query_credentials, query_domain, 
query_userinfo and query_alias I thought those are fixed terms, so I included 
them all in the mysql-config. 


In conclusion I think what I am trying to achive is not too complex: opensmtpd 
should

1. take e-mails on port 25, check via mysql if it's for a domain it is 
responsible for and then forward via lmtp to dovecot which then takes care of 
everything else (including rejecting unknown users).
2. Authenticate users on port 465 and 587 against mysql and forward their mails 
if successful. 

Later on I'd like to add rspamd and DKIM… but one step at a time.

I would be glad if anyone could shed some light on the whole mysql-hassle and 
knows what prevents my opensmtpd from doing what I want it to do.

Thank you in advance!

Fabian 





Re: Newbie config question

2020-06-13 Thread David Favor

David Favor wrote:

I've been wrestling with this for days with no progress.

Can someone drop me a v6.6.4 config to do something similar to the 
following.


   da...@davidfavor.com   - maildir
   i...@davidfavor.com- forward to da...@davidfavor.com
   supp...@davidfavor.com - forward to f...@helpdesk.com using MailGun 
Relay Service


   supp...@radicalhealth.com - maildir
   i...@radicalhealth.com- forward to supp...@radicalhealth.com
   da...@radicalhealth.com   - send natively to da...@davidfavor.com (no 
Smarthost or Relay Service)


Just a raw config file will be fine, I can remove
whatever I don't require right now, like DKIM signing,
which I'll add later.

I'm just trying to get basic OpenSMTPD delivery working.

Thanks.


Still be great to have a working config.

No requirement for long explanation, just a copy of
a working config, that handles all the above.

Thanks.



Re: Newbie config question

2020-06-05 Thread Edgar Pettijohn
On Fri, Jun 05, 2020 at 11:28:12AM -0500, David Favor wrote:
> I've been wrestling with this for days with no progress.
> 
> Can someone drop me a v6.6.4 config to do something similar to the following.
> 
>da...@davidfavor.com   - maildir
>i...@davidfavor.com- forward to da...@davidfavor.com
>supp...@davidfavor.com - forward to f...@helpdesk.com using MailGun Relay 
> Service
> 
>supp...@radicalhealth.com - maildir
>i...@radicalhealth.com- forward to supp...@radicalhealth.com
>da...@radicalhealth.com   - send natively to da...@davidfavor.com (no 
> Smarthost or Relay Service)
> 
> Just a raw config file will be fine, I can remove
> whatever I don't require right now, like DKIM signing,
> which I'll add later.
>

It would likely be easier if you just posted your current smtpd.conf and
associated tables. 

Edgar

> I'm just trying to get basic OpenSMTPD delivery working.
> 
> Thanks.



Re: Newbie config question

2020-06-05 Thread gilles
On my phone but I'll show you tomorrow if no one answers before, this is trivial
Gilles

On Jun 5, 2020 18:28, David Favor wrote:
I've been wrestling with this for days with no progress.

Can someone drop me a v6.6.4 config to do something similar to the following.

    da...@davidfavor.com   - maildir
    i...@davidfavor.com    - forward to da...@davidfavor.com
    supp...@davidfavor.com - forward to f...@helpdesk.com using MailGun Relay Service

    supp...@radicalhealth.com - maildir
    i...@radicalhealth.com    - forward to supp...@radicalhealth.com
    da...@radicalhealth.com   - send natively to da...@davidfavor.com (no Smarthost or Relay Service)

Just a raw config file will be fine, I can remove
whatever I don't require right now, like DKIM signing,
which I'll add later.

I'm just trying to get basic OpenSMTPD delivery working.

Thanks.




Newbie config question

2020-06-05 Thread David Favor

I've been wrestling with this for days with no progress.

Can someone drop me a v6.6.4 config to do something similar to the following.

   da...@davidfavor.com   - maildir
   i...@davidfavor.com- forward to da...@davidfavor.com
   supp...@davidfavor.com - forward to f...@helpdesk.com using MailGun Relay 
Service

   supp...@radicalhealth.com - maildir
   i...@radicalhealth.com- forward to supp...@radicalhealth.com
   da...@radicalhealth.com   - send natively to da...@davidfavor.com (no 
Smarthost or Relay Service)

Just a raw config file will be fine, I can remove
whatever I don't require right now, like DKIM signing,
which I'll add later.

I'm just trying to get basic OpenSMTPD delivery working.

Thanks.



Re: bgp-spamd question

2020-04-12 Thread Bryan Harris

Thanks Pierre-Edouard,

Well that's okay. Perhaps they ended the project.

V/r,
Bryan



On 4/11/2020 10:48 AM, Pierre-Edouard wrote:

Hi,
I was also using bgp-spamd, and it stopped working recently as well.

It's not your config, issue is seen on my side too.(was working fine 
for many months before)


Cheers,
Pywy

Le 11/04/2020 à 16:09, Bryan Harris a écrit :

Hi folks,

I was able to setup my OpenSMTPd on my server maybe 1-2 years ago, 
and everything has been working fine. However, recently the bgp-spamd 
list that comes down into my bgp settings has not been populating. As 
far as email everything is still working I just don't get those bgp 
lists anymore, so they don't go into spamd.


I tried looking at the website but it appears it's not working.

Would anybody want to charge me some money in exchange for helping me 
figure out my bgp spamd problem?


I will post my config details at the end. I'm using OpenBSD 6.6 and 
the OpenSMTPd that comes with that version.


Thanks for any advice.

V/r,
Bryan

[root@sally:/root]
$ smtpd -h
version: OpenSMTPD 6.6.0
usage: smtpd [-dFhnv] [-D macro=value] [-f file] [-P system] [-T trace]

[root@sally:/root]
$ uname -r
6.6

[root@sally:/root]
$ bgpctl show rib community 65066:666
flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
   S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags ovs destination  gateway  lpref   med aspath 
origin


[root@sally:/root]
$ cat /etc/bgpd.conf
# http://bgp-spamd.net/client/bgpd.html

spamdAS="65066"  # AS id of bgp-spamd server - don't edit this


AS 65000 # editable but 65001 is a sane default
fib-update no  # Mandatory, to not update the local routing table
nexthop qualify via default

group "spamd-bgp" {
    remote-as $spamdAS
    multihop 64
  export none  # Do not send Route Server any information


  # uncomment one
  #
    # us.bgp-spamd.net
    neighbor 64.142.121.62

    # eu.bgp-spamd.net
    neighbor 217.31.80.170

  # IPv6 eu.bgp-spamd.net
  neighbor 2a00:15a8:0:100:0:d91f:50aa:1

  # RS
  neighbor 64.142.121.62
}

# deny to any
# deny from any

# allow from group "spamd-bgp"

# 'match' is required, to remove entries when routes are withdrawn
match from group "spamd-bgp" community $spamdAS:42  set pftable 
"bgp-spamd-bypass"
match from group "spamd-bgp" community $spamdAS:666 set pftable 
"bgp-spamd"




--
"If thou examinest a man for illness in his cardia and he has pains in his arms 
and in his
breast and in one side of his cardia ... it is death threatening him."
—Ebers Papyrus (description of a heart attack, 1550BC)

"The beauty of doing nothing is that you can do it perfectly. Only when you do 
something is it almost impossible to do it without mistakes."
—Thomas Sowell




bgp-spamd question

2020-04-11 Thread Bryan Harris

Hi folks,

I was able to setup my OpenSMTPd on my server maybe 1-2 years ago, and 
everything has been working fine. However, recently the bgp-spamd list 
that comes down into my bgp settings has not been populating. As far as 
email everything is still working I just don't get those bgp lists 
anymore, so they don't go into spamd.


I tried looking at the website but it appears it's not working.

Would anybody want to charge me some money in exchange for helping me 
figure out my bgp spamd problem?


I will post my config details at the end. I'm using OpenBSD 6.6 and the 
OpenSMTPd that comes with that version.


Thanks for any advice.

V/r,
Bryan

[root@sally:/root]
$ smtpd -h
version: OpenSMTPD 6.6.0
usage: smtpd [-dFhnv] [-D macro=value] [-f file] [-P system] [-T trace]

[root@sally:/root]
$ uname -r
6.6

[root@sally:/root]
$ bgpctl show rib community 65066:666
flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
   S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags ovs destination  gateway  lpref   med aspath origin

[root@sally:/root]
$ cat /etc/bgpd.conf
# http://bgp-spamd.net/client/bgpd.html

spamdAS="65066"  # AS id of bgp-spamd server - don't edit this


AS 65000 # editable but 65001 is a sane default
fib-update no  # Mandatory, to not update the local routing table
nexthop qualify via default

group "spamd-bgp" {
    remote-as $spamdAS
    multihop 64
  export none  # Do not send Route Server any information


  # uncomment one
  #
    # us.bgp-spamd.net
    neighbor 64.142.121.62

    # eu.bgp-spamd.net
    neighbor 217.31.80.170

  # IPv6 eu.bgp-spamd.net
  neighbor 2a00:15a8:0:100:0:d91f:50aa:1

  # RS
  neighbor 64.142.121.62
}

# deny to any
# deny from any

# allow from group "spamd-bgp"

# 'match' is required, to remove entries when routes are withdrawn
match from group "spamd-bgp" community $spamdAS:42  set pftable 
"bgp-spamd-bypass"

match from group "spamd-bgp" community $spamdAS:666 set pftable "bgp-spamd"

--
"If thou examinest a man for illness in his cardia and he has pains in his arms 
and in his
breast and in one side of his cardia ... it is death threatening him."
—Ebers Papyrus (description of a heart attack, 1550BC)

"The beauty of doing nothing is that you can do it perfectly. Only when you do 
something is it almost impossible to do it without mistakes."
—Thomas Sowell




Re: filter question

2020-03-09 Thread Edgar Pettijohn

On Mar 9, 2020 1:34 AM, Martijn van Duren  wrote:
>
> On 3/6/20 5:00 PM, epektasis wrote:
> > Greetings.  I have my own blacklist file of email addresses
> > (some in the format microcen...@microcenter.com and some in 
> > the format *@squaredeals.com), one per line.  I would like to
> > filter each incoming email so that a mail-from address
> > that matches any line in the blacklist file will go to a
> > junk file.  In the smtpd.conf I have tried
> > 
> > table blksender file:/etc/blksender
> > filter mail-from  junk
> > match filter mail-from  junk
> > 
> > but get syntax errors on both of the last two lines when
> > checking the configuration.  There's something I'm not
> > understanding and am asking for advice.
> > epektasis
> > 
> Have another look at the manpage:
>  filter filter-name phase phase-name match conditions decision
>  Register a filter filter-name.  A decision about what to do
>  with the mail is taken at phase phase-name when matching
>  conditions.  Phases, matching conditions, and decisions are
>  described in MAIL FILTERING, below.
>
> So without testing (you should do that yourself anyway) I think what you
> want would be:
>
> table blksender file:/etc/blksender
> filter blksender phase mail-from match mail-from  junk
> listen on   filter blksender
>

Also look at table(5): '*' is only allowed on the domain side of the '@'.

Edgar

Re: filter question

2020-03-09 Thread Martijn van Duren
On 3/6/20 5:00 PM, epektasis wrote:
> Greetings.  I have my own blacklist file of email addresses
> (some in the format microcen...@microcenter.com and some in 
> the format *@squaredeals.com), one per line.  I would like to
> filter each incoming email so that a mail-from address
> that matches any line in the blacklist file will go to a
> junk file.  In the smtpd.conf I have tried
> 
> table blksender file:/etc/blksender
> filter mail-from  junk
> match filter mail-from  junk
> 
> but get syntax errors on both of the last two lines when
> checking the configuration.  There's something I'm not
> understanding and am asking for advice.
>   epektasis
> 
Have another look at the manpage:
 filter filter-name phase phase-name match conditions decision
 Register a filter filter-name.  A decision about what to do
 with the mail is taken at phase phase-name when matching
 conditions.  Phases, matching conditions, and decisions are
 described in MAIL FILTERING, below.

So without testing (you should do that yourself anyway) I think what you
want would be:

table blksender file:/etc/blksender
filter blksender phase mail-from match mail-from  junk
listen on   filter blksender



filter question

2020-03-06 Thread epektasis
Greetings.  I have my own blacklist file of email addresses
(some in the format microcen...@microcenter.com and some in 
the format *@squaredeals.com), one per line.  I would like to
filter each incoming email so that a mail-from address
that matches any line in the blacklist file will go to a
junk file.  In the smtpd.conf I have tried

table blksender file:/etc/blksender
filter mail-from  junk
match filter mail-from  junk

but get syntax errors on both of the last two lines when
checking the configuration.  There's something I'm not
understanding and am asking for advice.
epektasis

-- 




Re: Question about OpenSMTPD and Debian package and filters/spam filtering

2019-11-28 Thread Demetri A. Mkobaranov



On 8/21/19 12:50 PM, Michiel van Es wrote:

I am running a small VPS with 1 GB memory with Debian 10 amd64 with OpenSMTPD 
(6.0.3)



Hello, can you really use Buster's official opensmtpd package? I tried 
it about 3 weeks ago and it was broken out of the box for me (can't 
really remember what was the issue at the moment). I had to use pinning 
and install stretch package.





Re: builtin filter regex question

2019-11-20 Thread Joerg Jung
On Mon, Nov 04, 2019 at 10:18:07PM +0100, Joerg Jung wrote:
> On Thu, Oct 31, 2019 at 08:28:23AM +, gil...@poolp.org wrote:
> > October 24, 2019 8:35 PM, "Joerg Jung"  wrote:
> > 
> > > I used some regex filters in the past which I'm trying to convert to the
> > > latest builtin filters. In particular, I stumbled over a HELO filter,
> > > which rejects non-FQDN HELO forcing SMTP protocol, aka: 
> > > Sendmail FEATURE(block_bad_helo) or Postfix reject_non_fqdn_helo_hostname
> > > 
> > > I had significant success rate with this kind of blocking, since a good
> > > portions of spammers seem to be too lazy to configure HELO correctly.
> > > 
> > > Here is what I came up with:
> > > 
> > > # reject HELO/EHLO with leading or trailing dot, and without dots 
> > > (non-FQDN)
> > > filter helo phase helo connect match helo regex { "^\.", "\.$", 
> > > "^[^\.]*$" } disconnect "554 5.7.1
> > > HELO rejected" 
> > > filter ehlo phase ehlo connect match helo regex { "^\.", "\.$", 
> > > "^[^\.]*$" } disconnect "554 5.7.1
> > > EHLO rejected
> > > 
> > > Now, I just need a way to skip/allow IPv6 address literals, e.g. there
> > > are no dots in EHLO [::1], but still a valid/allowed value.
> > > With old filter-regex I just did a negotiation: ! regex "^\[" to
> > > not apply filter to v6 literals
> > > 
> > > Any ideas/hints how to add/implement this with the new builtin regex
> > > filter syntax?
> > > 
> > 
> > Sadly there would have been a very easy way if I had that use-case in mind 
> > pre-release,
> > which would be to make the "proceed" action explicit, you could have had a 
> > filter
> > match the inet6 address and proceed to shortcut the matching of non fqdn.
> 
> :)
> 
> > As of today, there will be no option but to craft your regex to contain 
> > both the pattern
> > you want to match AND exclude [ as far as I see it.
> 
> But that AND EXCLUDE (aka AND NOT) is not possible with re_format(7), 
> because no zero-width negative lookahead or similar tricks are 
> available, right?
> 
> I wonder if abusing "match" instead of filtering is an option here, with
> match I have the negotiation operator available, so something like this
> would probably work, right?
> 
> match ! helo regex "^\[" myaction
> match helo regex { "^\.", "\.$", "^[^\.]*$" } reject
> # further standard match rules following...
> 
> The question is, what to put into: myaction, there is no 
> pass/accept/skip/jump to other match rules... and "relay" 
> will probably result in a loop, no?
> 
> Seems like this is just not possible with the built-in syntax for now
> and I need to write a tiny proc-exec filter instead?

I took a quick shot and wrote a tiny and portable ~20 lines sed based 
filter, which can be found below and is released here:
https://www.umaxx.net/dl/filter-fqdn-0.1.tar.gz

I'm not a sed expert and I'm pretty sure the script can be shortened
and further simplified e.g. with some hold buffer exchange, yalla, yalla.
Any suggestions or comments are welcome, but for now it does what I want
and works fine for me. 

Thanks,
Regards,
Joerg


#!/usr/bin/sed -Enuf
# $Id: filter-fqdn.sed 53 2019-11-20 19:27:59Z umaxx $
# Copyright (c) 2019 Joerg Jung 
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

# filter-fqdn - opensmtpd filter for HELO/EHLO FQDN filtering
#
# version: 0.1
#
# uncomment for debug
#s/(.*)/\1/w /dev/stderr

# on "config|ready" register for the helo and ehlo phases
# (the pipe must be escaped: an unescaped | is alternation in ERE)
/^config\|ready$/ { a\
register|filter|smtp-in|helo\
register|filter|smtp-in|ehlo\
register|ready
}

/^filter\|0.4\|.*\|smtp-in\|.*/ {
# skip address literals
/^.*smtp-in\|(.*)\|(.*)\|\[.*$/ {
bproceed
}
# reject leading dot
/^.*smtp-in\|(.*)\|(.*)\|(.*)\|\..*$/ {
s//filter-result\|\3|\2\|reject\|554 5.7.1 \1 failed/p
}
# reject trailing dot
/^.*smtp-in\|(.*)\|(.*)\|(.*)\|.*\.$/ {
s//filter-result\|\3|\2\|reject\|554 5.7.1 \1 failed/p
}
# reject without dots (non-FQDN)
/^.*smtp-in\|(.*)\|(.*)\|(.*)\|[^\.]*$/ {
s//filter-result\|\3|\2\|reject\|554 5.7.1 \1 failed/p
}
:proceed
/^.*smtp-in\|.*\|(.*)\|(.*)\|.*$/ {
s//filter-result\|\2|\1\|proceed/p
}
}
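
The same filter as an added Python example (written for this page; it is neither Joerg's filter-fqdn nor anything shipped with OpenSMTPD). It keeps the three checks from the config above and the address-literal exemption from the sed script, and it goes one step further than the thread: the "no dots" pattern is changed to `^[^.\[][^.]*$`, whose first bracket also excludes `[`, so a dotless literal like `[IPv6:::1]` no longer matches and the exemption needs no negation at all. That pattern is plain POSIX ERE too and can be dropped into `match helo regex { ... }` unchanged. Assumptions: the `filter-result` field order (token, then session id) is copied from the sed script for protocol 0.4 and should be checked against smtpd-filters(7) for the version in use; the sample session, session ids and tokens are constructed, not captured; the install path in the usage note is made up.

```python
"""Minimal OpenSMTPD HELO/EHLO FQDN filter, modelled on the page's sed script."""
import re
import sys

# Three checks from the page's "match helo regex" config: leading dot,
# trailing dot, no dot at all. The third pattern differs from the page's
# "^[^\.]*$": its first character class also excludes "[", so a dotless
# address literal such as "[IPv6:::1]" does not match and proceeds.
# All three are valid POSIX ERE as well; inside a bracket expression ERE
# reads the backslash literally, which merely excludes a backslash too.
BAD_HELO = (
    re.compile(r"^\."),             # ".example.com"
    re.compile(r"\.$"),             # "example.com."
    re.compile(r"^[^.\[][^.]*$"),   # "localhost", but not "[::1]"
)


def helo_decision(helo):
    """Return "reject" for a non-FQDN HELO name, "proceed" otherwise."""
    return "reject" if any(p.search(helo) for p in BAD_HELO) else "proceed"


# Registration lines sent in answer to "config|ready" (same as the sed script).
REGISTER = (
    "register|filter|smtp-in|helo",
    "register|filter|smtp-in|ehlo",
    "register|ready",
)


def handle_line(line):
    """Translate one line received from smtpd into the lines to send back."""
    if line == "config|ready":
        return list(REGISTER)
    if not line.startswith("filter|"):
        return []                     # other config|... and report|... lines
    # filter|<proto>|<timestamp>|smtp-in|<phase>|<session-id>|<token>|<helo-name>
    fields = line.split("|", 7)
    if len(fields) != 8 or fields[3] != "smtp-in" or fields[4] not in ("helo", "ehlo"):
        return []
    phase, session, token, helo = fields[4], fields[5], fields[6], fields[7]
    # Response field order copies the page's sed script for protocol 0.4
    # (token, then session id); later protocol versions changed this, so
    # check smtpd-filters(7) for the smtpd you run.  (assumption)
    result = "filter-result|%s|%s|" % (token, session)
    if helo_decision(helo) == "reject":
        return [result + "reject|554 5.7.1 %s rejected" % phase.upper()]
    return [result + "proceed"]


# Constructed sample session (not captured from a real smtpd): a rejected EHLO
# from a dotless name and an accepted EHLO from an IPv6 address literal.
SAMPLE_INPUT = (
    "config|smtpd-version|6.6.0",
    "config|ready",
    "filter|0.4|1574271000|smtp-in|ehlo|7641df9771b4ed00|1ef1c203cc576e5d|localhost",
    "filter|0.4|1574271001|smtp-in|ehlo|5d0b1e0f82bd5c3f|0c4a3e2b3f2a9d11|[IPv6:::1]",
)


def run_sample():
    """Feed the constructed sample through the filter and return its replies."""
    replies = []
    for line in SAMPLE_INPUT:
        replies.extend(handle_line(line))
    return replies


def main():
    # As a real filter: read smtpd's lines from stdin, answer on stdout.
    for raw in sys.stdin:
        for out in handle_line(raw.rstrip("\n")):
            sys.stdout.write(out + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Hooked up like any proc-exec filter, e.g. `filter fqdn proc-exec "/usr/local/libexec/smtpd/filter-fqdn.py"` followed by `listen on ... filter fqdn` (path assumed). Note that an empty HELO matches none of the three patterns; smtpd refuses that itself before the filter phase runs.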



Re: builtin filter regex question

2019-11-04 Thread Joerg Jung
On Thu, Oct 31, 2019 at 08:28:23AM +, gil...@poolp.org wrote:
> October 24, 2019 8:35 PM, "Joerg Jung"  wrote:
> 
> > Hi,
> > 
> > I used some regex filters in the past which I'm trying to convert to the
> > latest builtin filters. In particular, I stumbled over a HELO filter,
> > which rejects non-FQDN HELO forcing SMTP protocol, aka: 
> > Sendmail FEATURE(block_bad_helo) or Postfix reject_non_fqdn_helo_hostname
> > 
> > I had significant success rate with this kind of blocking, since a good
> > portions of spammers seem to be too lazy to configure HELO correctly.
> > 
> > Here is what I came up with:
> > 
> > # reject HELO/EHLO with leading or trailing dot, and without dots (non-FQDN)
> > filter helo phase helo connect match helo regex { "^\.", "\.$", "^[^\.]*$" 
> > } disconnect "554 5.7.1
> > HELO rejected" 
> > filter ehlo phase ehlo connect match helo regex { "^\.", "\.$", "^[^\.]*$" 
> > } disconnect "554 5.7.1
> > EHLO rejected
> > 
> > Now, I just need a way to skip/allow IPv6 address literals, e.g. there
> > are no dots in EHLO [::1], but still a valid/allowed value.
> > With old filter-regex I just did a negotiation: ! regex "^\[" to
> > not apply filter to v6 literals
> > 
> > Any ideas/hints how to add/implement this with the new builtin regex
> > filter syntax?
> > 
> 
> Sadly there would have been a very easy way if I had that use-case in mind 
> pre-release,
> which would be to make the "proceed" action explicit, you could have had a 
> filter
> match the inet6 address and proceed to shortcut the matching of non fqdn.

:)

> As of today, there will be no option but to craft your regex to contain both 
> the pattern
> you want to match AND exclude [ as far as I see it.

But that AND EXCLUDE (aka AND NOT) is not possible with re_format(7), 
because no zero-width negative lookahead or similar tricks are 
available, right?

I wonder if abusing "match" instead of filtering is an option here, with
match I have the negotiation operator available, so something like this
would probably work, right?

match ! helo regex "^\[" myaction
match helo regex { "^\.", "\.$", "^[^\.]*$" } reject
# further standard match rules following...

The question is, what to put into: myaction, there is no 
pass/accept/skip/jump to other match rules... and "relay" 
will probably result in a loop, no?

Seems like this is just not possible with the built-in syntax for now
and I need to write a tiny proc-exec filter instead?



Re: builtin filter regex question

2019-10-31 Thread gilles
October 24, 2019 8:35 PM, "Joerg Jung"  wrote:

> Hi,
> 
> I used some regex filters in the past which I'm trying to convert to the
> latest builtin filters. In particular, I stumbled over a HELO filter,
> which rejects non-FQDN HELO forcing SMTP protocol, aka: 
> Sendmail FEATURE(block_bad_helo) or Postfix reject_non_fqdn_helo_hostname
> 
> I had significant success rate with this kind of blocking, since a good
> portions of spammers seem to be too lazy to configure HELO correctly.
> 
> Here is what I came up with:
> 
> # reject HELO/EHLO with leading or trailing dot, and without dots (non-FQDN)
> filter helo phase helo connect match helo regex { "^\.", "\.$", "^[^\.]*$" } 
> disconnect "554 5.7.1
> HELO rejected" 
> filter ehlo phase ehlo connect match helo regex { "^\.", "\.$", "^[^\.]*$" } 
> disconnect "554 5.7.1
> EHLO rejected
> 
> Now, I just need a way to skip/allow IPv6 address literals, e.g. there
> are no dots in EHLO [::1], but still a valid/allowed value.
> With old filter-regex I just did a negotiation: ! regex "^\[" to
> not apply filter to v6 literals
> 
> Any ideas/hints how to add/implement this with the new builtin regex
> filter syntax?
> 

Sadly there would have been a very easy way if I had that use-case in mind 
pre-release,
which would be to make the "proceed" action explicit, you could have had a 
filter
match the inet6 address and proceed to shortcut the matching of non fqdn.

As of today, there will be no option but to craft your regex to contain both 
the pattern
you want to match AND exclude [ as far as I see it.



builtin filter regex question

2019-10-24 Thread Joerg Jung
Hi,

I used some regex filters in the past which I'm trying to convert to the
latest builtin filters.  In particular, I stumbled over a HELO filter,
which rejects non-FQDN HELO forcing SMTP protocol, aka: 
Sendmail FEATURE(block_bad_helo) or Postfix reject_non_fqdn_helo_hostname

I had significant success rate with this kind of blocking, since a good
portions of spammers seem to be too lazy to configure HELO correctly.

Here is what I came up with:

# reject HELO/EHLO with leading or trailing dot, and without dots (non-FQDN)
filter helo phase helo connect match helo regex { "^\.", "\.$", "^[^\.]*$" } disconnect "554 5.7.1 HELO rejected"
filter ehlo phase ehlo connect match helo regex { "^\.", "\.$", "^[^\.]*$" } disconnect "554 5.7.1 EHLO rejected"

Now, I just need a way to skip/allow IPv6 address literals, e.g. there
are no dots in EHLO [::1], but still a valid/allowed value.
With old filter-regex I just did a negotiation: ! regex "^\[" to
not apply filter to v6 literals

Any ideas/hints how to add/implement this with the new builtin regex
filter syntax?

Thanks,
Regards,
Joerg



Re: Question about match auth with the new syntax.

2019-08-28 Thread Edgar Pettijohn

On Aug 28, 2019 1:52 PM, Reio Remma  wrote:
>
> Hello!
>
> I've pretty much converted my setup to the new syntax now and I'm 
> wondering if I get this right.
>
> I understand that from local was changed to not include authenticated 
> users, but my question is does "match auth" match both authenticated and 
> local users?
>
> I currently have - "match auth from any for any action dkim" - and I see 
> that I can send mail from command line using that rule, so I'm guessing 
> yes. :)
>
> Maybe the man page could reflect these bits for match auth and match 
> from local.
>

Match from local for local is a default rule. You have to specifically negate 
it if you don't want it. 

Edgar

> Thanks!
> Reio
>


Question about match auth with the new syntax.

2019-08-28 Thread Reio Remma

Hello!

I've pretty much converted my setup to the new syntax now and I'm 
wondering if I get this right.


I understand that from local was changed to not include authenticated 
users, but my question is does "match auth" match both authenticated and 
local users?


I currently have - "match auth from any for any action dkim" - and I see 
that I can send mail from command line using that rule, so I'm guessing 
yes. :)


Maybe the man page could reflect these bits for match auth and match 
from local.


Thanks!
Reio



Re: table api question

2019-08-24 Thread Edgar Pettijohn
On Sat, Aug 24, 2019 at 08:19:00AM +, gil...@poolp.org wrote:
> 24 août 2019 02:59 "Edgar Pettijohn" a écrit:
> 
> > I am writing a table-lua, however the table_lua_update function doesn't 
> > appear to be called.
> > Here are relevant pieces of the code.
> > 
> > The lookup function works. However, it would be more ideal to have the 
> > update() called early
> > to fill in the tables for the other functions. As is the lookup() has to do 
> > the work of both.
> > 
> > Any help is appreciated.
> > 
> 
> update is called when you issue an `smtpctl table update ` command.

Makes sense. However, the smtpctl manual says its for tables using the "file" 
backend.

> 
> On a side note, I had this discussion with someone a few days ago but can't 
> remember
> who, so if it was you and you already know, disregard:
>
> I have a plan for the next two releases to switch the implementation of 
> tables to an
> API similar to that of filters, so we can have tables become scripts that 
> read lines
> from stdin, write answers to stdout, be written in any language, etc..
> 

Not me but sounds interesting.
 
> Not discouraging you from writing something using the current API, it is not 
> so much
> work anyways, but just letting you know that in a relatively short term your 
> code is
> going to need a rewrite.

I was using table-passwd as a bit of a go-by. Armed with this new knowledge, I 
see that table_passwd_update is called from main. I think that is what I need to do.

Thanks,

Edgar



table api question

2019-08-23 Thread Edgar Pettijohn
I am writing a table-lua, however the table_lua_update function doesn't appear 
to be called.
Here are relevant pieces of the code.

The lookup function works. However, it would be more ideal to have the update() 
called early
to fill in the tables for the other functions. As is the lookup() has to do the 
work of both.

Any help is appreciated.

Thanks,

Edgar

table_lua.c

/*
 * Excerpt: services[], make_global_table() and the check/lookup/fetch
 * callbacks exist in the full source but are not part of this posting.
 */
#include <lua.h>
#include <lualib.h>
#include <lauxlib.h>
#include <unistd.h>

#include "smtpd-defines.h"
#include "smtpd-api.h"
#include "log.h"

static lua_State *L;

static int
table_lua_update(void)
{
	int ret;

	/* call the script's global update(nil); its return value is the result */
	lua_getglobal(L, "update");

	lua_pushnil(L);
	if (lua_pcall(L, 1, 1, 0)) {
		log_warnx("warn: update: %s", lua_tostring(L, -1));
		lua_pop(L, 1);		/* drop the error message */
		return -1;
	}

	ret = lua_toboolean(L, -1);
	lua_pop(L, 1);			/* drop the boolean result */

	log_warnx("\t\tlua-update: %d\n", ret);
	return ret;
}

int
main(int argc, char **argv)
{
	int ch;
	char *path;

	log_init(1);

	while ((ch = getopt(argc, argv, "")) != -1) {
		switch (ch) {
		default:
			fatalx("bad option");
			/* NOTREACHED */
		}
	}
	argc -= optind;
	argv += optind;

	if (argc == 0)
		fatalx("missing path");
	path = argv[0];

	L = luaL_newstate();

	make_global_table(L, "service", services);
	make_global_table(L, "Lookup", NULL);
	make_global_table(L, "Fetch", NULL);
	make_global_table(L, "Check", NULL);
	make_global_table(L, "Update", NULL);

	luaL_openlibs(L);
	if (luaL_loadfile(L, path) || lua_pcall(L, 0, 0, 0))
		fatalx("%s", lua_tostring(L, -1));

	log_debug("debug: starting...");

	/*
	 * These only register the callbacks; the update one is invoked on
	 * "smtpctl table update", not at startup.
	 */
	table_api_on_update(table_lua_update);
	table_api_on_check(table_lua_check);
	table_api_on_lookup(table_lua_lookup);
	table_api_on_fetch(table_lua_fetch);

	table_api_dispatch();

	log_debug("debug: exiting");

	lua_close(L);

	return 1;
}

table.lua

function update ()
io.stderr:write("\n\t\ttable-lua is updating\n")

return true
end




Re: Question about OpenSMTPD and Debian package and filters/spam filtering

2019-08-21 Thread Michiel van Es



> On 21 Aug 2019, at 13:58, Gilles Chehade  wrote:
> 
> On Wed, Aug 21, 2019 at 12:50:10PM +0200, Michiel van Es wrote:
>> Hi!
>> 
> 
> Hi,
> 
> 
>> I am running a small VPS with 1 GB memory with Debian 10 amd64 with 
>> OpenSMTPD (6.0.3) for private email and am looking what my best options are 
>> to limit spam.
>> I know there are some filters from Joerg 
>> (https://www.mail-archive.com/misc@opensmtpd.org/msg04402.html) but am not 
>> sure if these will work with my version of OpenSMTPD (I get a syntax error 
>> when trying the old filter syntax).
>> 
>> I can also relay everything to Amavisd/SpamAssassin but then email won't 
>> get blocked at the SMTP level, also ASSP or Rspamd is an option but they are 
>> pretty resource intensive and will eat all my VPS memory ;) 
>> 
>> What would be my best option?
>> 
> 
> 6.0.3 is a fairly old version and there aren't many options available.
> 
> if you're forced to stick with that version, which suffers from at least
> one denial of service as far as I know, your best option is to relay via
> something like SpamPD so it can interface with SpamAssassin, but this is
> not going to operate at SMTP level, it will happen at delivery time.

That’s interesting since Debian has a good track record of back porting 
security fixes in their stable packages.
I will ask the maintainer if he applied the patch or upgraded the package to 
latest version.
For now I use spampd which works fine for bayesian spam detection.

> 
> there will be no way of blocking at SMTP level before next release 6.6.0
> that is going to happen in a few weeks, during October, so any option is
> going to be post delivery: either as a custom MDA, or as a relay via for
> some smtp proxy that will reinject in smtpd like the dkimproxy stuff.

I will wait for 6.6.0 ;)

> 
> your best option would really be to build from source 6.4.2: it will not
> block at SMTP level but will provide mechanisms to ease interfacing with
> spamassassin or rspamd for post-SMTP handling.
> 
> if you're not too easily scared, running the development version is good
> too because it's very close to release now, very stable and will not get
> much changes until October as I'm busy busy these days ;-)

Might give that a try, thanks :) 
> 
> 
>> I like to do some DNSBL and SpamAsssassin checks if possible.
>> 
>> My config if that is to any use to give some insights:
>> 
>> pki server.pragmasec.nl certificate 
>> "/etc/letsencrypt/live/pragmasec.nl/fullchain.pem"
>> pki server.pragmasec.nl key "/etc/letsencrypt/live/pragmasec.nl/privkey.pem"
>> listen on localhost
>> listen on eth0 port 25 tls pki server.pragmasec.nl hostname 
>> server.pragmasec.nl auth-optional
>> listen on eth0 port 587 tls-require pki server.pragmasec.nl hostname 
>> server.pragmasec.nl auth
>> table vdomains file:/etc/mail/domains
>> table vusers file:/etc/mail/vusers
>> expire 7d
>> limit mta inet4
>> accept from any for domain  virtual  deliver to mda 
>> "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
>> accept from local for any relay
>> 
>> Cheers,
>> 
>> Michiel
>> 
>> 
>> 
> 
> -- 
> Gilles Chehade   @poolpOrg
> 
> https://www.poolp.orgpatreon: https://www.patreon.com/gilles




Re: Question about OpenSMTPD and Debian package and filters/spam filtering

2019-08-21 Thread Gilles Chehade
On Wed, Aug 21, 2019 at 12:50:10PM +0200, Michiel van Es wrote:
> Hi!
> 

Hi,


> I am running a small VPS with 1 GB memory with Debian 10 amd64 with OpenSMTPD 
> (6.0.3) for private email and am looking what my best options are to limit 
> spam.
> I know there are some filters from Joerg 
> (https://www.mail-archive.com/misc@opensmtpd.org/msg04402.html) but am not 
> sure if these will work with my version of OpenSMTPD (I get a syntax error 
> when trying the old filter syntax).
> 
> I can also relay everything to Amavisd/SpamAssassin but then email won't 
> get blocked at the SMTP level, also ASSP or Rspamd is an option but they are 
> pretty resource intensive and will eat all my VPS memory ;) 
> 
> What would be my best option?
> 

6.0.3 is a fairly old version and there aren't many options available.

if you're forced to stick with that version, which suffers from at least
one denial of service as far as I know, your best option is to relay via
something like SpamPD so it can interface with SpamAssassin, but this is
not going to operate at SMTP level, it will happen at delivery time.

there will be no way of blocking at SMTP level before next release 6.6.0
that is going to happen in a few weeks, during October, so any option is
going to be post delivery: either as a custom MDA, or as a relay via for
some smtp proxy that will reinject in smtpd like the dkimproxy stuff.

your best option would really be to build from source 6.4.2: it will not
block at SMTP level but will provide mechanisms to ease interfacing with
spamassassin or rspamd for post-SMTP handling.

if you're not too easily scared, running the development version is good
too because it's very close to release now, very stable and will not get
much changes until October as I'm busy busy these days ;-)


> I like to do some DNSBL and SpamAsssassin checks if possible.
> 
> My config if that is to any use to give some insights:
> 
> pki server.pragmasec.nl certificate 
> "/etc/letsencrypt/live/pragmasec.nl/fullchain.pem"
> pki server.pragmasec.nl key "/etc/letsencrypt/live/pragmasec.nl/privkey.pem"
> listen on localhost
> listen on eth0 port 25 tls pki server.pragmasec.nl hostname 
> server.pragmasec.nl auth-optional
> listen on eth0 port 587 tls-require pki server.pragmasec.nl hostname 
> server.pragmasec.nl auth
> table vdomains file:/etc/mail/domains
> table vusers file:/etc/mail/vusers
> expire 7d
> limit mta inet4
> accept from any for domain  virtual  deliver to mda 
> "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
> accept from local for any relay
> 
> Cheers,
> 
> Michiel
> 
> 
> 

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org   patreon: https://www.patreon.com/gilles



Question about OpenSMTPD and Debian package and filters/spam filtering

2019-08-21 Thread Michiel van Es
Hi!

I am running a small VPS with 1 GB memory with Debian 10 amd64 with OpenSMTPD 
(6.0.3) for private email and am looking what my best options are to limit spam.
I know there are some filters from Joerg 
(https://www.mail-archive.com/misc@opensmtpd.org/msg04402.html) but am not sure 
if these will work with my version of OpenSMTPD (I get a syntax error when 
trying the old filter syntax).

I can also relay everything to Amavisd/SpamAssassin but then email won’t get 
blocked at the SMTP level, also ASSP or Rspamd is an option but they are pretty 
resource intensive and will eat all my VPS memory ;) 

What would be my best option?

I like to do some DNSBL and SpamAsssassin checks if possible.

My config if that is to any use to give some insights:

pki server.pragmasec.nl certificate 
"/etc/letsencrypt/live/pragmasec.nl/fullchain.pem"
pki server.pragmasec.nl key "/etc/letsencrypt/live/pragmasec.nl/privkey.pem"
listen on localhost
listen on eth0 port 25 tls pki server.pragmasec.nl hostname server.pragmasec.nl 
auth-optional
listen on eth0 port 587 tls-require pki server.pragmasec.nl hostname 
server.pragmasec.nl auth
table vdomains file:/etc/mail/domains
table vusers file:/etc/mail/vusers
expire 7d
limit mta inet4
accept from any for domain  virtual  deliver to mda 
"/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
accept from local for any relay

Cheers,

Michiel





Re: Question about backup mx

2018-10-31 Thread Matt Schwartz
Ok, thanks for the clarification. I guess one way to avoid the wait is to
just manually schedule all.

On Wed, Oct 31, 2018, 8:48 AM Gilles Chehade  wrote:
> On Mon, Oct 22, 2018 at 01:36:07PM -0400, Matt Schwartz wrote:
> > If I have two mail exchange servers and the primary one goes down, do
> > I then have to manually issue an smtpctl schedule all to resume
> > delivery from the backup to the primary?
> >
>
> no, you just have to wait for the backup one to realize the primary is up
> which may take some time depending how long the primary was down.
>
>
>
> --
> Gilles Chehade
>
> https://www.poolp.org  @poolpOrg
>


Re: Question about backup mx

2018-10-31 Thread Gilles Chehade
On Mon, Oct 22, 2018 at 01:36:07PM -0400, Matt Schwartz wrote:
> If I have two mail exchange servers and the primary one goes down, do
> I then have to manually issue an smtpctl schedule all to resume
> delivery from the backup to the primary?
> 

no, you just have to wait for the backup one to realize the primary is up
which may take some time depending how long the primary was down.



-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: userbase question

2018-09-01 Thread Matt Schwartz
Hi Gilles,

Thank you for your advice about using wrappers. I decided to implement
an mda wrapper as per your suggestion. It is interesting that I still
needed to specify either an mbox or maildir in the syntax when I
specify a wrapper. In this case, it doesn't seem to matter if I use
mbox or maildir because dovecot's LDA is doing the final delivery.
This works but I might be doing it wrong.

action "local" mbox wrapper "deliver" alias 
action "domain" mbox wrapper "deliver" virtual 
match for local action "local"
match from any for domain  action "domain"

I have to agree that using the mda wrapper feature is a heck of a lot
cleaner. I am even going to do some testing using OpenSMTPD for final
delivery now that there is explicit support for junk mail delivery. I
think the reason that the userbase didn't work is that I am using
dovecot for final delivery of the email. Below is a patch for the
smtpd.conf(8) man page to reflect where to use the wrapper specified
by mda wrapper.

--- smtpd.conf.5Sat Sep  1 08:52:32 2018
+++ smtpd.conf.5 Sat Sep  1 08:55:23 2018
@@ -156,6 +156,9 @@
 .Pq see Sx FORMAT SPECIFIERS .
 .It Cm relay
 Relay the message to another SMTP server.
+.It Cm wrapper Ar name
+Use a wrapper specified by
+.Cm mda wrapper .It command.
 .El
 .Pp
 The local delivery methods support additional options:
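
Review bot: the third added line, "+.Cm mda wrapper .It command.", puts ".It" in the middle of a text line, where mdoc does not treat it as a macro, so the rendered page will show the literal text ".It command."; end the ".Cm" line after "wrapper" and put the trailing words on a line of their own, e.g. "+.Cm mda wrapper" followed by "+directive.". The entry is also placed inside the delivery-method list that ".El" closes (next to ".It Cm relay"), but the configuration in this same message ('action "local" mbox wrapper "deliver" alias') shows wrapper as an option layered on mbox or maildir rather than a delivery method of its own, so it belongs under "The local delivery methods support additional options:", the paragraph that immediately follows the hunk.
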

On Sat, Sep 1, 2018 at 8:01 AM Gilles Chehade  wrote:
>
> On Mon, Aug 27, 2018 at 09:54:05AM -0400, Matt Schwartz wrote:
> > I am hoping not to have to use sqlite tables. I like the simplicity of
> > file-based configuration.
>
> just for the record:
>
> besides table-specific features, all smtpd features are usable from file
> configurations since I write the features for the file backend _then_ we
> adapt the other backends.
>
>
>
> > On Mon, Aug 27, 2018 at 9:47 AM Reio Remma  wrote:
> > >
> > > Iirc I got the .forward file working with sqlite tables, where the user 
> > > query also returned the virtual user's maildir as an extra parameter.
> > >
> > > Good luck,
> > > Reio
> > >
> > > > On 27 Aug 2018, at 16:11, Matt Schwartz  
> > > > wrote:
> > > >
> > > > Hello misc@,
> > > >
> > > > Below is my configuration file. I am trying to use the userbase
> > > > parameter and when I try to send an email to myself, I get the 550
> > > > Invalid Recipient error. I am trying to get the usrbase parameter
> > > > working so that I can add a .forward file for virtual users as per the
> > > > table(5) man page. If I don't use the userbase parameter, mail
> > > > delivery works just fine. I am not certain what I am doing wrong here.
> > > >
> > > > #smtpd.conf
> > > > pki mail cert "/etc/ssl/smtpd.crt"
> > > > pki mail key "/etc/ssl/private/smtpd.key"
> > > >
> > > > table aliases file:/etc/mail/aliases
> > > > table addrnames file:/etc/mail/addrnames
> > > > table credentials file:/etc/mail/credentials
> > > > table domains file:/etc/mail/domains
> > > > table virtuals file:/etc/mail/virtuals
> > > > table usrbase file:/etc/mail/usrbase
> > > > table rejects file:/etc/mail/rejects
> > > >
> > > > # Listeners
> > > > #
> > > > listen on lo0
> > > > listen on lo0 port 10028 tag DKIM
> > > > listen on vio0 tls pki mail hostnames 
> > > > listen on vio0 port 587 tls-require pki mail auth  \
> > > >hostnames 
> > > >
> > > > # Actions
> > > > #
> > > > action "local" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> > > > '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> > > > %{rcpt}'" alias 
> > > > action "domain" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> > > > '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> > > > %{rcpt}'" userbase  virtual 
> > > > action "dkim" relay host smtp://127.0.0.1:10027
> > > > action "relay" relay
> > > >
> > > > # Incoming
> > > > #
> > > > match from any mail-from  for any reject
> > > > match from local for local action "local"
> > > > match from any for domain  action "domain"
> > > >
> > > > # Outgoing
> > > > #
> > > > match tag DKIM for any action "relay"
> > > > match from local for any action "dkim"
> > > > match auth from any for any action "dkim"
> > > >
> > > > #usrbase
> > > > m...@example.org 2000:2000:/var/vmail/example.org/matt
> > > >
> > > > #virtuals
> > > > m...@example.org vmail
> > > >
> > > > Thanks in advance,
> > > > Matt
> > > >
> > > >
> > >
> > >
> > >
> >
> >
>
> --
> Gilles Chehade
>
> https://www.poolp.org  @poolpOrg

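
The two pieces of advice above, Gilles's note that on 6.0.x any spam filtering has to happen after delivery (as a custom MDA or a re-injecting relay) and Matt's move to an mda wrapper here, both come down to one small program that smtpd runs as the delivery agent. The script below is an added example, not code from the thread, from OpenSMTPD or from Dovecot: smtpd writes the message to the MDA's stdin and expands %{sender}, %{rcpt} and %{dest} into its arguments; the script pipes the message through a filter command and then into a local delivery agent, and reports back through its exit status, which is what the MTA actually acts on (EX_TEMPFAIL keeps the message queued for a retry, any other non-zero status becomes a bounce). The filter and LDA command lines, the script name deliver.py and the smtpd.conf line in the comment are assumptions.

```python
"""Custom MDA wrapper: filter a message, then hand it to a local delivery agent.

Added example, not code from the thread, from OpenSMTPD or from Dovecot.
smtpd runs the MDA command with the message on stdin; the exit status decides
what happens next: EX_TEMPFAIL (75) means "keep it queued and retry", any
other non-zero status turns into a bounce. Filter and LDA paths below are
assumptions standing in for rspamc/spamc and dovecot-lda.
"""
import subprocess
import sys

EX_OK = 0
EX_UNAVAILABLE = 69   # sysexits(3): permanent, e.g. misconfiguration
EX_TEMPFAIL = 75      # sysexits(3): "try again later"


def build_lda_cmd(sender, rcpt, dest,
                  lda="/usr/local/libexec/dovecot/dovecot-lda"):
    """Argument list in the shape used by the thread's action lines:
    -f envelope sender, -d destination user, -a original recipient."""
    return [lda, "-f", sender, "-d", dest, "-a", rcpt]


def run_pipeline(message, filter_cmd, lda_cmd, fail_open=False):
    """Pipe message through filter_cmd, then into lda_cmd.

    Returns (exit_status_for_smtpd, lda_stdout). A broken filter must never
    lose mail: by default it is reported as EX_TEMPFAIL so smtpd retries;
    with fail_open=True the unfiltered message is delivered instead. A failed
    delivery is always EX_TEMPFAIL rather than a bounce, because the usual
    causes (LDA not reachable, mailbox locked, disk full) are transient.
    """
    filtered = subprocess.run(filter_cmd, input=message, capture_output=True)
    if filtered.returncode != 0:
        sys.stderr.write(f"filter exited {filtered.returncode}\n")
        if not fail_open:
            return EX_TEMPFAIL, b""
        payload = message
    else:
        payload = filtered.stdout
    delivered = subprocess.run(lda_cmd, input=payload, capture_output=True)
    if delivered.returncode != 0:
        sys.stderr.write(f"lda exited {delivered.returncode}\n")
        return EX_TEMPFAIL, delivered.stdout
    return EX_OK, delivered.stdout


# Constructed stand-ins so the pipeline can be exercised without the real
# tools installed: a pass-through "filter" and a command that always fails.
PASSTHROUGH_CMD = [sys.executable, "-c",
                   "import sys; sys.stdout.buffer.write(sys.stdin.buffer.read())"]
ALWAYS_FAIL_CMD = [sys.executable, "-c", "import sys; sys.exit(3)"]


def main(argv):
    # Assumed smtpd.conf wiring (not from the thread):
    #   action "local" mda "/usr/local/bin/deliver.py %{sender} %{rcpt} %{dest}" alias <aliases>
    if len(argv) != 4:
        sys.stderr.write("usage: deliver.py sender rcpt dest\n")
        return EX_UNAVAILABLE
    sender, rcpt, dest = argv[1:]
    message = sys.stdin.buffer.read()
    filter_cmd = ["/usr/local/bin/rspamc", "--mime"]  # assumption; see rspamc(1)
    status, _ = run_pipeline(message, filter_cmd,
                             build_lda_cmd(sender, rcpt, dest))
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The fail-closed default is the deliberate choice here: a filter that crashes should delay mail, not silently let it through unfiltered, and smtpd already knows how to retry a temporary failure.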

Re: userbase question

2018-09-01 Thread Gilles Chehade
On Mon, Aug 27, 2018 at 09:54:05AM -0400, Matt Schwartz wrote:
> I am hoping not to have to use sqlite tables. I like the simplicity of
> file-based configuration.

just for the record:

besides table-specific features, all smtpd features are usable from file
configurations since I write the features for the file backend _then_ we
adapt the other backends.



> On Mon, Aug 27, 2018 at 9:47 AM Reio Remma  wrote:
> >
> > Iirc I got the .forward file working with sqlite tables, where the user 
> > query also returned the virtual user's maildir as an extra parameter.
> >
> > Good luck,
> > Reio
> >
> > > On 27 Aug 2018, at 16:11, Matt Schwartz  wrote:
> > >
> > > Hello misc@,
> > >
> > > Below is my configuration file. I am trying to use the userbase
> > > parameter and when I try to send an email to myself, I get the 550
> > > Invalid Recipient error. I am trying to get the usrbase parameter
> > > working so that I can add a .forward file for virtual users as per the
> > > table(5) man page. If I don't use the userbase parameter, mail
> > > delivery works just fine. I am not certain what I am doing wrong here.
> > >
> > > #smtpd.conf
> > > pki mail cert "/etc/ssl/smtpd.crt"
> > > pki mail key "/etc/ssl/private/smtpd.key"
> > >
> > > table aliases file:/etc/mail/aliases
> > > table addrnames file:/etc/mail/addrnames
> > > table credentials file:/etc/mail/credentials
> > > table domains file:/etc/mail/domains
> > > table virtuals file:/etc/mail/virtuals
> > > table usrbase file:/etc/mail/usrbase
> > > table rejects file:/etc/mail/rejects
> > >
> > > # Listeners
> > > #
> > > listen on lo0
> > > listen on lo0 port 10028 tag DKIM
> > > listen on vio0 tls pki mail hostnames 
> > > listen on vio0 port 587 tls-require pki mail auth  \
> > >hostnames 
> > >
> > > # Actions
> > > #
> > > action "local" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> > > '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> > > %{rcpt}'" alias 
> > > action "domain" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> > > '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> > > %{rcpt}'" userbase  virtual 
> > > action "dkim" relay host smtp://127.0.0.1:10027
> > > action "relay" relay
> > >
> > > # Incoming
> > > #
> > > match from any mail-from  for any reject
> > > match from local for local action "local"
> > > match from any for domain  action "domain"
> > >
> > > # Outgoing
> > > #
> > > match tag DKIM for any action "relay"
> > > match from local for any action "dkim"
> > > match auth from any for any action "dkim"
> > >
> > > #usrbase
> > > m...@example.org 2000:2000:/var/vmail/example.org/matt
> > >
> > > #virtuals
> > > m...@example.org vmail
> > >
> > > Thanks in advance,
> > > Matt
> > >
> > >
> >
> >
> >
> 
> 

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: userbase question

2018-09-01 Thread Gilles Chehade
On Mon, Aug 27, 2018 at 09:11:02AM -0400, Matt Schwartz wrote:
> Hello misc@,
> 
> Below is my configuration file. I am trying to use the userbase
> parameter and when I try to send an email to myself, I get the 550
> Invalid Recipient error. I am trying to get the usrbase parameter
> working so that I can add a .forward file for virtual users as per the
> table(5) man page. If I don't use the userbase parameter, mail
> delivery works just fine. I am not certain what I am doing wrong here.
> 
> #smtpd.conf
> pki mail cert "/etc/ssl/smtpd.crt"
> pki mail key "/etc/ssl/private/smtpd.key"
> 
> table aliases file:/etc/mail/aliases
> table addrnames file:/etc/mail/addrnames
> table credentials file:/etc/mail/credentials
> table domains file:/etc/mail/domains
> table virtuals file:/etc/mail/virtuals
> table usrbase file:/etc/mail/usrbase
> table rejects file:/etc/mail/rejects
> 
> # Listeners
> #
> listen on lo0
> listen on lo0 port 10028 tag DKIM
> listen on vio0 tls pki mail hostnames 
> listen on vio0 port 587 tls-require pki mail auth  \
> hostnames 
> 
> # Actions
> #
> action "local" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> %{rcpt}'" alias 
> action "domain" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> %{rcpt}'" userbase  virtual 
> action "dkim" relay host smtp://127.0.0.1:10027
> action "relay" relay
> 

you might want to have a look at mda wrappers, it will simplify your
actions considerably ;-)


> # Incoming
> #
> match from any mail-from  for any reject
> match from local for local action "local"
> match from any for domain  action "domain"
> 
> # Outgoing
> #
> match tag DKIM for any action "relay"
> match from local for any action "dkim"
> match auth from any for any action "dkim"
> 
> #usrbase
> m...@example.org 2000:2000:/var/vmail/example.org/matt
> 

userbase maps a user to an account, so you shouldn't use an email address
here, it should be 'vmail' since that's what you use as the delivery user
in your virtuals table below:

> #virtuals
> m...@example.org vmail
> 


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

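
The mistake Gilles points out above (a userbase keyed by an e-mail address, while the virtuals table delivers to the account "vmail") is easy to catch before restarting smtpd. The following is an added example, not code from the thread or from OpenSMTPD: a deliberately small parser for the "key value" / "key: value" mapping format of table(5) (comments and blank lines skipped, no continuation lines), plus a check that every local delivery target named in virtuals has a userbase entry and that userbase keys look like account names. The sample tables are constructed, modelled on the two quoted in the message.

```python
"""Consistency check for OpenSMTPD file-backed userbase and virtuals tables.

Added example for the exchange above; not code from the thread or from
OpenSMTPD. The parser handles the plain mapping format of table(5) only.
"""
import re

# userbase values are uid:gid:home
_USERBASE_VALUE = re.compile(r"^\d+:\d+:/\S*$")
# key, optional ':', whitespace, then the rest of the line as the value
_MAPPING_LINE = re.compile(r"^([^\s:]+):?\s*(.*)$")


def parse_mapping(text):
    """Parse a table(5) mapping into a dict; later duplicates win."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _MAPPING_LINE.match(line)
        if m:
            mapping[m.group(1)] = m.group(2).strip()
    return mapping


def check_tables(userbase_text, virtuals_text):
    """Return a list of findings; an empty list means the tables agree."""
    userbase = parse_mapping(userbase_text)
    virtuals = parse_mapping(virtuals_text)
    findings = []
    for account, value in userbase.items():
        if "@" in account:
            findings.append(
                f"userbase key {account!r} is an address; userbase is keyed by account name")
        if not _USERBASE_VALUE.match(value):
            findings.append(f"userbase entry {account!r} is not uid:gid:home: {value!r}")
    for address, targets in virtuals.items():
        for target in targets.replace(",", " ").split():
            # Forwards to other addresses, commands, files and :include:
            # are not local accounts, so they need no userbase entry.
            if "@" in target or target[0] in "|/:":
                continue
            if target not in userbase:
                findings.append(
                    f"virtuals maps {address!r} to {target!r}, which has no userbase entry")
    return findings


# Constructed sample data modelled on the thread's two tables.
BROKEN_USERBASE = "user@example.org 2000:2000:/var/vmail/example.org/user\n"
FIXED_USERBASE = "vmail 2000:2000:/var/vmail/example.org/user\n"
VIRTUALS = "# virtual address -> delivery account\nuser@example.org vmail\n"

if __name__ == "__main__":
    for label, userbase in (("broken", BROKEN_USERBASE), ("fixed", FIXED_USERBASE)):
        print(label, check_tables(userbase, VIRTUALS) or "ok")
```

Run against the broken pair it reports both halves of the problem (the address used as a key, and "vmail" having no userbase entry); against the corrected userbase it is silent.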



Re: userbase question

2018-08-27 Thread Edgar Pettijohn
Sent from my Verizon Smartphone

On Aug 27, 2018 8:54 AM, Matt Schwartz  wrote:
>
> I am hoping not to have to use sqlite tables. I like the simplicity of
> file-based configuration.
> On Mon, Aug 27, 2018 at 9:47 AM Reio Remma  wrote:
> >
> > Iirc I got the .forward file working with sqlite tables, where the user
> > query also returned the virtual user's maildir as an extra parameter.
> >
> > Good luck,
> > Reio
> >
> > > On 27 Aug 2018, at 16:11, Matt Schwartz  wrote:
> > >
> > > Hello misc@,
> > >
> > > Below is my configuration file. I am trying to use the userbase
> > > parameter and when I try to send an email to myself, I get the 550
> > > Invalid Recipient error. I am trying to get the usrbase parameter
> > > working so that I can add a .forward file for virtual users as per the
> > > table(5) man page. If I don't use the userbase parameter, mail
> > > delivery works just fine. I am not certain what I am doing wrong here.
> > >
> > > #smtpd.conf
> > > pki mail cert "/etc/ssl/smtpd.crt"
> > > pki mail key "/etc/ssl/private/smtpd.key"
> > >
> > > table aliases file:/etc/mail/aliases
> > > table addrnames file:/etc/mail/addrnames
> > > table credentials file:/etc/mail/credentials
> > > table domains file:/etc/mail/domains
> > > table virtuals file:/etc/mail/virtuals
> > > table usrbase file:/etc/mail/usrbase
> > > table rejects file:/etc/mail/rejects
> > >
> > > # Listeners
> > > #
> > > listen on lo0
> > > listen on lo0 port 10028 tag DKIM
> > > listen on vio0 tls pki mail hostnames 
> > > listen on vio0 port 587 tls-require pki mail auth  \
> > >    hostnames 
> > >
> > > # Actions
> > > #
> > > action "local" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> > > '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> > > %{rcpt}'" alias 
> > > action "domain" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> > > '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> > > %{rcpt}'" userbase  virtual 
> > > action "dkim" relay host smtp://127.0.0.1:10027
> > > action "relay" relay
> > >
> > > # Incoming
> > > #
> > > match from any mail-from  for any reject
> > > match from local for local action "local"
> > > match from any for domain  action "domain"
> > >
> > > # Outgoing
> > > #
> > > match tag DKIM for any action "relay"
> > > match from local for any action "dkim"
> > > match auth from any for any action "dkim"
> > >
> > > #usrbase
> > > m...@example.org 2000:2000:/var/vmail/example.org/matt
> > >
> > > #virtuals
> > > m...@example.org vmail
> > >
> > > Thanks in advance,
> > > Matt
> > >
> >
>

It seems to be a bug. Look at the thread about forwarding a single email. He has the same issue. I switched to MySQL tables about a year ago and it is so much easier.

Re: userbase question

2018-08-27 Thread Matt Schwartz
I am hoping not to have to use sqlite tables. I like the simplicity of
file-based configuration.
On Mon, Aug 27, 2018 at 9:47 AM Reio Remma  wrote:
>
> Iirc I got the .forward file working with sqlite tables, where the user query 
> also returned the virtual user’s maildir as an extra parameter.
>
> Good luck,
> Reio
>
> > On 27 Aug 2018, at 16:11, Matt Schwartz  wrote:
> >
> > Hello misc@,
> >
> > Below is my configuration file. I am trying to use the userbase
> > parameter and when I try to send an email to myself, I get the 550
> > Invalid Recipient error. I am trying to get the usrbase parameter
> > working so that I can add a .forward file for virtual users as per the
> > table(5) man page. If I don't use the userbase parameter, mail
> > delivery works just fine. I am not certain what I am doing wrong here.
> >
> > #smtpd.conf
> > pki mail cert "/etc/ssl/smtpd.crt"
> > pki mail key "/etc/ssl/private/smtpd.key"
> >
> > table aliases file:/etc/mail/aliases
> > table addrnames file:/etc/mail/addrnames
> > table credentials file:/etc/mail/credentials
> > table domains file:/etc/mail/domains
> > table virtuals file:/etc/mail/virtuals
> > table usrbase file:/etc/mail/usrbase
> > table rejects file:/etc/mail/rejects
> >
> > # Listeners
> > #
> > listen on lo0
> > listen on lo0 port 10028 tag DKIM
> > listen on vio0 tls pki mail hostnames 
> > listen on vio0 port 587 tls-require pki mail auth  \
> >hostnames 
> >
> > # Actions
> > #
> > action "local" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> > '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> > %{rcpt}'" alias 
> > action "domain" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> > '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> > %{rcpt}'" userbase  virtual 
> > action "dkim" relay host smtp://127.0.0.1:10027
> > action "relay" relay
> >
> > # Incoming
> > #
> > match from any mail-from  for any reject
> > match from local for local action "local"
> > match from any for domain  action "domain"
> >
> > # Outgoing
> > #
> > match tag DKIM for any action "relay"
> > match from local for any action "dkim"
> > match auth from any for any action "dkim"
> >
> > #usrbase
> > m...@example.org 2000:2000:/var/vmail/example.org/matt
> >
> > #virtuals
> > m...@example.org vmail
> >
> > Thanks in advance,
> > Matt
> >
> >
>
>
>




Re: userbase question

2018-08-27 Thread Reio Remma
Iirc I got the .forward file working with sqlite tables, where the user query 
also returned the virtual user’s maildir as an extra parameter.

Good luck,
Reio

> On 27 Aug 2018, at 16:11, Matt Schwartz  wrote:
> 
> Hello misc@,
> 
> Below is my configuration file. I am trying to use the userbase
> parameter and when I try to send an email to myself, I get the 550
> Invalid Recipient error. I am trying to get the usrbase parameter
> working so that I can add a .forward file for virtual users as per the
> table(5) man page. If I don't use the userbase parameter, mail
> delivery works just fine. I am not certain what I am doing wrong here.
> 
> #smtpd.conf
> pki mail cert "/etc/ssl/smtpd.crt"
> pki mail key "/etc/ssl/private/smtpd.key"
> 
> table aliases file:/etc/mail/aliases
> table addrnames file:/etc/mail/addrnames
> table credentials file:/etc/mail/credentials
> table domains file:/etc/mail/domains
> table virtuals file:/etc/mail/virtuals
> table usrbase file:/etc/mail/usrbase
> table rejects file:/etc/mail/rejects
> 
> # Listeners
> #
> listen on lo0
> listen on lo0 port 10028 tag DKIM
> listen on vio0 tls pki mail hostnames 
> listen on vio0 port 587 tls-require pki mail auth  \
>hostnames 
> 
> # Actions
> #
> action "local" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> %{rcpt}'" alias 
> action "domain" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> %{rcpt}'" userbase  virtual 
> action "dkim" relay host smtp://127.0.0.1:10027
> action "relay" relay
> 
> # Incoming
> #
> match from any mail-from  for any reject
> match from local for local action "local"
> match from any for domain  action "domain"
> 
> # Outgoing
> #
> match tag DKIM for any action "relay"
> match from local for any action "dkim"
> match auth from any for any action "dkim"
> 
> #usrbase
> m...@example.org 2000:2000:/var/vmail/example.org/matt
> 
> #virtuals
> m...@example.org vmail
> 
> Thanks in advance,
> Matt
> 
> 





userbase question

2018-08-27 Thread Matt Schwartz
Hello misc@,

Below is my configuration file. I am trying to use the userbase
parameter and when I try to send an email to myself, I get the 550
Invalid Recipient error. I am trying to get the usrbase parameter
working so that I can add a .forward file for virtual users as per the
table(5) man page. If I don't use the userbase parameter, mail
delivery works just fine. I am not certain what I am doing wrong here.

#smtpd.conf
pki mail cert "/etc/ssl/smtpd.crt"
pki mail key "/etc/ssl/private/smtpd.key"

table aliases file:/etc/mail/aliases
table addrnames file:/etc/mail/addrnames
table credentials file:/etc/mail/credentials
table domains file:/etc/mail/domains
table virtuals file:/etc/mail/virtuals
table usrbase file:/etc/mail/usrbase
table rejects file:/etc/mail/rejects

# Listeners
#
listen on lo0
listen on lo0 port 10028 tag DKIM
listen on vio0 tls pki mail hostnames 
listen on vio0 port 587 tls-require pki mail auth  \
hostnames 

# Actions
#
action "local" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
'/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
%{rcpt}'" alias 
action "domain" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
'/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
%{rcpt}'" userbase  virtual 
action "dkim" relay host smtp://127.0.0.1:10027
action "relay" relay

# Incoming
#
match from any mail-from  for any reject
match from local for local action "local"
match from any for domain  action "domain"

# Outgoing
#
match tag DKIM for any action "relay"
match from local for any action "dkim"
match auth from any for any action "dkim"

#usrbase
m...@example.org 2000:2000:/var/vmail/example.org/matt

#virtuals
m...@example.org vmail

Thanks in advance,
Matt




Re: AW: hello! ... and first question

2018-05-30 Thread Damiano Venturin
On 22/05/18 21:52, Damiano Venturin wrote:
> On 22/05/18 06:48, Michael Taubert wrote:
>>
>> Hi Dam!
>>
>>  
>>
> Hello!
>>
>> Did you try to add „example—com“ to your virtual Domains table? E.g.
>> https://www.opensmtpd.org/faq/example1.html

Let me change the angle a little.

What's the best practice to follow for naming the users when a server
uses multiple domains?

I tried again with u...@example.com which matches the local user
u...@example.com but I get this error which disappears if I remove the
"@" from the local username.

smtpd event=failed-command command="RCPT TO:
NOTIFY=FAILURE,DELAY" result="550 Invalid recipient"

I'm insisting on this because I would like my users to be able to use
"u...@example.com" to login both against IMAP and SMTP avoiding
situations like "user-example--com"

What can I do?






Re: AW: hello! ... and first question

2018-05-22 Thread Damiano Venturin
On 22/05/18 06:48, Michael Taubert wrote:
>
> Hi Dam!
>
>  
>
Hello!
>
> Did you try to add „example—com“ to your virtual Domains table? E.g.
> https://www.opensmtpd.org/faq/example1.html
>
>  
>

ehm I'm not sure what to answer ...  yes I've added example.com but I
did not add example--com

The thought of adding example--com never crossed my mind. I'll try and
report.

Dam


AW: hello! ... and first question

2018-05-21 Thread Michael Taubert
Hi Dam!

Did you try to add „example—com“ to your virtual Domains table? E.g. 
https://www.opensmtpd.org/faq/example1.html

Best regards,
Michael

From: Damiano Venturin
Sent: Tuesday, 22 May 2018 01:16
To: misc@opensmtpd.org
Subject: hello! ... and first question

Hello, this is Dam

I'm in the process of freeing myself from Gmail and I'm trying to
configure my debian vm as a mailserver using OpenSMTPD.

Back in the days I was used to run my own mailserver with Postfix (then
I don't know what happened to me and I moved to 3rd party services) but
this is my first time with OpenSMTPD so I'm really trying to learn how
to configure it properly.

So far so good, I have to say. Chess Griffin's guide has been of great help.

There is one thing that I've noticed: if the local user contains @ in
the name, OpenSMTPD can't route an incoming email properly. I'm not sure
if this is something expected or a bug or if I'm missing something.

So this is the scenario:

d...@venturin.net sends an email to u...@example.com (123.123.123.123)
which is mapped on the server as user@example--com.

So this is what you see in my /etc/opensmtd/vuser:

u...@example.com:             user@example--com


As you can see from the log below, the incoming email is accepted, goes
through clamsmtp filtering process (listening on 127.0.0.1:10025)

smtpd[2794]: b22a8aceadaec265 smtp event=connected
address=209.35.192.171 host=mail-pf1-f171.google.com
smtpd[2794]: b22a8aceadaec265 smtp event=message msgid=9c2da050
from=<d...@venturin.net> to=<u...@example.com> size=2847 ndest=1 proto=ESMTP
smtpd[2794]: b22a8aceadaec265 smtp event=closed reason=quit
smtpd[2794]: b22a8ad7d4f8e7b8 mta event=connecting
address=smtp://127.0.0.1:10025 host=localhost
smtpd[2794]: b22a8ad7d4f8e7b8 mta event=connected
smtpd[2794]: b22a8ad89531da2b smtp event=connected address=127.0.0.1
host=localhost
smtpd[2794]: b22a8ad89531da2b smtp event=message msgid=9a2845eb
from=<d...@venturin.net> to=<u...@example.com> size=3043 ndest=1 proto=ESMTP

I think that now OpenSMTPD tries to send back a receipt to the email
server which has sent the email. Am I right?

Accordingly to the configuration, the message is sent again to clamsmtp
which is listening on 127.0.0.1:10027

smtpd[2794]: b22a8ae0d78126ae mta event=connecting
address=smtp://127.0.0.1:10027 host=localhost
smtpd[2794]: b22a8ad7d4f8e7b8 mta event=delivery evpid=9c2da05070285532
from=<d...@venturin.net> to=<u...@example.com> rcpt=<-> source=127.0.0.1
relay=127.0.0.1 (localhost) delay=11s result=Ok stat=250 2.0.0: 9a2845eb
Message accepted for delivery
smtpd[2794]: b22a8ae0d78126ae mta event=connected

But then something happens: all of the sudden the recipient is no more
u...@example.com but user@example--com (which is the name of the real
local user)

smtpd[2794]: b22a8ae11170b5b4 smtp event=connected address=127.0.0.1
host=localhost
smtpd[2794]: b22a8ae11170b5b4 smtp event=message msgid=f33aeeec
from=<d...@venturin.net> to=<user@example--com> size=3243 ndest=1 proto=ESMTP
smtpd[2794]: b22a8ae0d78126ae mta event=delivery evpid=9a2845eb454ddf26
from=<d...@venturin.net> to=<user@example--com> rcpt=<u...@example.com>
source=127.0.0.1 relay=127.0.0.1 (localhost) delay=5s result=Ok stat=250
2.0.0: f33aeeec Message accepted for delivery
smtpd[2794]: b22a8ad89531da2b smtp event=closed reason=quit
smtpd[2794]: b22a8ad7d4f8e7b8 mta event=closed reason=quit messages=1
smtpd[2794]: smtp-out: Failed to resolve MX for [relay:example--com]:
Domain does not exist

Of course the domain example--com is not found

smtpd[2794]:  mta event=delivery evpid=f33aeeecc889f968
from=<d...@venturin.net> to=<user@example--com> rcpt=<-> source=-
relay=example--
info delay=5s result=PermFail stat=Domain does not exist
smtpd[2794]: b22a8aeac0c27769 smtp event=connected address=local
host=localhost
smtpd[2794]: b22a8aeac0c27769 smtp event=message msgid=57f4cae9 from=<>
to=<d...@venturin.net> size=4459 ndest=1 proto=ESMTP
smtpd[2794]: b22a8aeac0c27769 smtp event=closed reason=quit
smtpd[2794]: b22a8ae11170b5b4 smtp event=message msgid=e121e32c from=<>
to=<d...@venturin.net> size=4660 ndest=1 proto=ESMTP
smtpd[2794]: b22a8ae0d78126ae mta event=delivery evpid=57f4cae9a970f282
from=<> to=<d...@venturin.net> rcpt=<-> source=127.0.0.1 relay=127.0.0.1 (loc
alhost) delay=1s result=Ok stat=250 2.0.0: e121e32c Message accepted for
delivery
smtpd[2794]: b22a8ae11170b5b4 smtp event=closed reason=quit
smtpd[2794]: b22a8ae0d78126ae mta event=closed reason=quit messages=2
smtpd[2794]: b22a8af88282d316 mta event=connecting
address=smtp+tls://66.102.1.27:25 host=wb-in-f27.1e100.net
smtpd[2794]: b22a8af88282d316 mta event=connected
smtpd[2794]: b22a8af88282d316 mta event=starttls
ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128
smtpd[2794]: smtp-out: Server certificate verification succeeded on

hello! ... and first question

2018-05-21 Thread Damiano Venturin
Hello, this is Dam

I'm in the process of freeing myself from Gmail and I'm trying to
configure my debian vm as a mailserver using OpenSMTPD.

Back in the day I used to run my own mailserver with Postfix (then
I don't know what happened to me and I moved to 3rd party services), but
this is my first time with OpenSMTPD, so I'm really trying to learn how
to configure it properly.

So far so good I've to say. Chess Griffin's guide has been of great help.

There is one thing that I've noticed: if the local user contains @ in
the name, OpenSMTPD can't route an incoming email properly. I'm not sure
if this is something expected, or a bug, or if I'm missing something.

So this is the scenario:

d...@venturin.net sends an email to u...@example.com (123.123.123.123)
which is mapped on the server as user@example--com.

So this is what you see in my /etc/opensmtd/vuser:

u...@example.com:             user@example--com


As you can see from the log below, the incoming email is accepted and goes
through the clamsmtp filtering process (listening on 127.0.0.1:10025)

smtpd[2794]: b22a8aceadaec265 smtp event=connected
address=209.35.192.171 host=mail-pf1-f171.google.com
smtpd[2794]: b22a8aceadaec265 smtp event=message msgid=9c2da050
from= to= size=2847 ndest=1 proto=ESMTP
smtpd[2794]: b22a8aceadaec265 smtp event=closed reason=quit
smtpd[2794]: b22a8ad7d4f8e7b8 mta event=connecting
address=smtp://127.0.0.1:10025 host=localhost
smtpd[2794]: b22a8ad7d4f8e7b8 mta event=connected
smtpd[2794]: b22a8ad89531da2b smtp event=connected address=127.0.0.1
host=localhost
smtpd[2794]: b22a8ad89531da2b smtp event=message msgid=9a2845eb
from= to= size=3043 ndest=1 proto=ESMTP

I think that now OpenSMTPD tries to send back a receipt to the email
server which has sent the email. Am I right?

According to the configuration, the message is sent again to clamsmtp
which is listening on 127.0.0.1:10027

smtpd[2794]: b22a8ae0d78126ae mta event=connecting
address=smtp://127.0.0.1:10027 host=localhost
smtpd[2794]: b22a8ad7d4f8e7b8 mta event=delivery evpid=9c2da05070285532
from= to= rcpt=<-> source=127.0.0.1
relay=
127.0.0.1 (localhost) delay=11s result=Ok stat=250 2.0.0: 9a2845eb
Message accepted for delivery
smtpd[2794]: b22a8ae0d78126ae mta event=connected

But then something happens: all of a sudden the recipient is no longer
u...@example.com but user@example--com (which is the name of the real
local user)

smtpd[2794]: b22a8ae11170b5b4 smtp event=connected address=127.0.0.1
host=localhost
smtpd[2794]: b22a8ae11170b5b4 smtp event=message msgid=f33aeeec
from= to= size=3243 ndest=1 proto=ESMTP
smtpd[2794]: b22a8ae0d78126ae mta event=delivery evpid=9a2845eb454ddf26
from= to=rcpt=
source=127.0.0.1 relay=127.0.0.1 (localhost) delay=5s result=Ok stat=250
2.0.0: f33aeeec Message accepted for delivery
smtpd[2794]: b22a8ad89531da2b smtp event=closed reason=quit
smtpd[2794]: b22a8ad7d4f8e7b8 mta event=closed reason=quit messages=1
smtpd[2794]: smtp-out: Failed to resolve MX for [relay:example--com]:
Domain does not exist

Of course the domain example--com is not found

smtpd[2794]:  mta event=delivery evpid=f33aeeecc889f968
from= to= rcpt=<-> source=-
relay=example--
info delay=5s result=PermFail stat=Domain does not exist
smtpd[2794]: b22a8aeac0c27769 smtp event=connected address=local
host=localhost
smtpd[2794]: b22a8aeac0c27769 smtp event=message msgid=57f4cae9 from=<>
to= size=4459 ndest=1 proto=ESMTP
smtpd[2794]: b22a8aeac0c27769 smtp event=closed reason=quit
smtpd[2794]: b22a8ae11170b5b4 smtp event=message msgid=e121e32c from=<>
to= size=4660 ndest=1 proto=ESMTP
smtpd[2794]: b22a8ae0d78126ae mta event=delivery evpid=57f4cae9a970f282
from=<> to= rcpt=<-> source=127.0.0.1 relay=127.0.0.1 (loc
alhost) delay=1s result=Ok stat=250 2.0.0: e121e32c Message accepted for
delivery
smtpd[2794]: b22a8ae11170b5b4 smtp event=closed reason=quit
smtpd[2794]: b22a8ae0d78126ae mta event=closed reason=quit messages=2
smtpd[2794]: b22a8af88282d316 mta event=connecting
address=smtp+tls://66.102.1.27:25 host=wb-in-f27.1e100.net
smtpd[2794]: b22a8af88282d316 mta event=connected
smtpd[2794]: b22a8af88282d316 mta event=starttls
ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128
smtpd[2794]: smtp-out: Server certificate verification succeeded on
session b22a8af88282d316
smtpd[2794]: b22a8af88282d316 mta event=delivery evpid=e121e32cb085713e
from=<> to= rcpt=<-> source=123.123.123.123
relay=66.102.1.
27 (wb-in-f27.1e100.net) delay=20s result=Ok stat=250 2.0.0 OK
1526942107 a7-v6si5619866wrq.344 - gsmtp

Now, if I change the local username to, say, user-example--com or
user-example.com and rebuild the vuser.db, everything works fine but 
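The log above shows what happens when a virtual-table target looks like an address: smtpd treats `user@example--com` as a remote recipient and tries to resolve an MX for `example--com`. The Python check below is an added example, not the thread author's files and not OpenSMTPD code. It parses a file-format virtual table (the sample table and the set of local domains are constructed for the demonstration) and flags every target that contains `@` with a domain the server does not accept mail for, since such a target will be relayed rather than delivered to a local account. A bare name like `user-example--com` is the safe form.

```python
"""Lint an OpenSMTPD file-format virtual table for alias targets that
would be relayed instead of delivered to a local account.

Added example, not the thread author's files or OpenSMTPD code: the table
text and the local-domain set below are constructed for the demonstration.
"""

# Constructed vusers-style table. The first entry reproduces the thread's
# mistake: the target contains '@', so smtpd treats it as an address.
SAMPLE_VUSERS = """\
# virtual users (constructed sample)
user@example.com:        user@example--com
postmaster@example.com:  user-example--com
abuse@example.com:       postmaster@example.com, bob-example--com
@example.com:            catchall-example--com
"""

# Constructed stand-in for the domains the server accepts mail for
# (what the vdomains table lists).
LOCAL_DOMAINS = {"example.com"}


def parse_virtual_table(text):
    """Parse 'key: target[, target...]' lines; '#' starts a comment.

    Returns a list of (key, [targets]) in file order.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, rest = line.partition(":")
        if not sep:
            # file tables also accept whitespace-separated "key target" lines
            parts = line.split(None, 1)
            key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        targets = [t.strip() for t in rest.split(",") if t.strip()]
        entries.append((key.strip(), targets))
    return entries


def classify_target(target, local_domains):
    """'local-user' (bare name, resolved through the userbase),
    'local-address' (has '@', domain is ours) or 'relay' (has '@',
    domain is not ours, so an MX lookup and outbound delivery follow)."""
    if "@" not in target:
        return "local-user"
    domain = target.rsplit("@", 1)[1].lower()
    return "local-address" if domain in local_domains else "relay"


def lint_virtual_table(text, local_domains=LOCAL_DOMAINS):
    """Return (key, target, reason) for every target that would be relayed."""
    findings = []
    for key, targets in parse_virtual_table(text):
        for target in targets:
            if classify_target(target, local_domains) == "relay":
                domain = target.rsplit("@", 1)[1]
                findings.append((
                    key, target,
                    f"'@' makes the target an address: mail for {key} would be "
                    f"relayed to the MX of '{domain}', which is not a local domain",
                ))
    return findings


if __name__ == "__main__":
    for key, target, reason in lint_virtual_table(SAMPLE_VUSERS):
        print(f"{key} -> {target}: {reason}")
```

Run against the real table source before `makemap`, with the local-domain set taken from the vdomains table; a finding points at exactly the kind of entry that produced the "Failed to resolve MX" line above.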

Re: Userbase question.

2018-02-04 Thread Reio Remma

On 04.02.2018 22:21, Reio Remma wrote:

The only reference I've found that tackles a similar problem:

https://hugo.barrera.io/journal/2015/02/15/opensmtpd-dovecot-shared-sql-db/

Rather convoluted for a simple thing though. :)

Reio


On 04.02.2018 22:01, Reio Remma wrote:

On 04.02.2018 21:56, Reio Remma wrote:

Hello!

query_userinfo select 1001,1001,'/var/vmail/' from vusers where 
email=$1;


I now realize your version doesn't return the actual user's virtual 
mail directory. But maybe it doesn't need to. I suspect Dovecot can 
handle .forward files as well, though it would be nice if they were 
checked without turning to Dovecot.


In my setup currently OpenSMTPD can use .forward files by itself, 
which is nice.




Does it match against an actual (whole) e-mail address or username 
for you?


What does your "accept for domain ..." line in smtpd.conf look like?

All the best,
Reio

On 04.02.2018 21:11, Olivier wrote:


Hello

I am using my own server with a postgresql database to store 
domains, users & passwords:


vmail=> \d
               List of relations
 Schema |           Name           |   Type   | Owner
--------+--------------------------+----------+-------
 public | credentials              | table    | vmail
 public | seq_vmail_credentials_id | sequence | vmail
 public | seq_vmail_vdomains_id    | sequence | vmail
 public | seq_vmail_vusers_id      | sequence | vmail
 public | vdomains                 | table    | vmail
 public | vusers                   | table    | vmail

This database is used by dovecot & opensmtpd for authentication 
(for encoding: use smtpctl encrypt).


All email is stored in the Maildir format, on disk at:

/var/vmail/some.domain.tld/SomeUsers/Maildir

For this, the following packages have to be installed

_opensmtpd-extras-201703132115p1 extras

_opensmtpd-extras-pgsql-201703132115p1

Extract from smtpd.conf:

(…)

###

#

## Define Table

#

table aliases   db:/etc/mail/aliases.db

table vdomains postgres:/etc/mail/pgsql.conf

table passwd postgres:/etc/mail/pgsql.conf

table valiases postgres:/etc/mail/pgsql.conf

(…)

Below, the database interface  (/etc/mail/pgsql.conf)

# smtpd.conf: table users pgsql:/etc/mail/pgsql.conf

conninfo host='myHost' user='myUser' password='myPassword' 
dbname='myDBName'


# Alias lookup query

#

query_alias select destination from myRelation where email=$1;

#

# Domain lookup query

#

query_domain select domain from myRelation where domain=$1;

#

# User lookup query

#

#query_userinfo select 1001,1001,'/var/vmail/' from vusers where 
email=$1;


#

# Credentials lookup query

#

query_credentials select email, password from credentials where 
email=$1 and active = 'Y';  # <-- here your SQL request


Sorry for my bad English. I hope that it will be helpful.

Olivier.

From: Reio Remma [mailto:r...@mrstuudio.ee]
Sent: Sunday, February 4, 2018 3:02 PM
To: misc@opensmtpd.org
Subject: Userbase question.

Hello!

I'm trying to figure out how I can have virtual domains/users 
working completely decoupled from system users.


Every virtual/alias path seems to want to end up at a system account, 
so I'm trying to use userbase, but userbase seems to take the username 
without the domain part as the key.


query_userinfo  SELECT 5000, 5000, 
CONCAT('/home/dovecot/domains/', domain, '/', username ) AS homedir 
FROM users WHERE username = ?;


domain-one.com
- bob
- emily

domain-two.com
- john
- albert
- bob (not the same bob as b...@domain-one.com 
<mailto:b...@domain-one.com>)


Mail sent to b...@domain-two.com <mailto:b...@domain-two.com> will 
end up at b...@domain-one.com <mailto:b...@domain-one.com> mailbox.


Am I missing something about using virtuals in general? I'm 
starting to feel a little stupid here. :)


Thanks,
Reio



I think I may have solved it (with a similar approach to Hugo Barrera's).

OpenSMTPD now sees all virtual maildirs' .forward files etc.

query_alias     SELECT CONCAT( username, '_', domain ) FROM users WHERE email = ?;
query_domain    SELECT domain FROM users WHERE domain = ? LIMIT 1;
query_userinfo  SELECT 5000, 5000, CONCAT('/home/dovecot/domains/', domain, '/', username ) AS maildir FROM users WHERE domain = SUBSTRING_INDEX( @u := ?, "_", -1 ) AND username = TRIM( TRAILING CONCAT('_', SUBSTRING_INDEX( @u, "_", -1 ) ) FROM @u );


I do hope query_userinfo will one day accept a second parameter (domain).

Good night!
Reio
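The collision Reio describes, and the `username_domain` workaround from his last queries, reproduced with SQLite so it runs stand-alone. This is an added example and not code from the thread or from OpenSMTPD: the `users` rows are constructed after the bob/emily/john/albert scenario, and the split that the MySQL query performs with `SUBSTRING_INDEX` and `TRIM(TRAILING ...)` is done in Python because SQLite has no such function. The first lookup is keyed by the bare username, as the original `query_userinfo` is, so the two bobs collide; the second encodes the domain into the alias target and decodes it again before looking the user up.

```python
"""Reproduce the userbase collision from the thread and the username_domain
workaround, with SQLite so it runs stand-alone.

Added example, not code from the thread or from OpenSMTPD. The 'users' rows
are constructed after the bob/emily/john/albert scenario; the domain/username
split that the MySQL query does with SUBSTRING_INDEX is done in Python
because SQLite has no such function.
"""
import sqlite3

HOME_ROOT = "/home/dovecot/domains"   # root used by the thread's query_userinfo

# Constructed rows: the bare username 'bob' exists in two domains.
USERS = [
    ("bob",      "domain-one.com"),
    ("emily",    "domain-one.com"),
    ("john",     "domain-two.com"),
    ("albert",   "domain-two.com"),
    ("bob",      "domain-two.com"),
    ("mary_ann", "domain-two.com"),   # underscore inside the username
]


def build_db():
    """In-memory stand-in for the MySQL 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, domain TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(u, d, f"{u}@{d}") for u, d in USERS])
    return conn


def alias_to_username(conn, email):
    """Original query_alias: the address expands to the bare username."""
    row = conn.execute("SELECT username FROM users WHERE email = ?",
                       (email,)).fetchone()
    return row[0] if row else None


def userinfo_by_username(conn, key):
    """Original query_userinfo: keyed by bare username, so both bobs match.

    smtpd uses the first row it gets; ORDER BY rowid just makes the demo
    deterministic."""
    return conn.execute(
        "SELECT 5000, 5000, ? || '/' || domain || '/' || username "
        "FROM users WHERE username = ? ORDER BY rowid LIMIT 1",
        (HOME_ROOT, key)).fetchone()


def alias_to_encoded_user(conn, email):
    """Revised query_alias: expand the address to 'username_domain'."""
    row = conn.execute(
        "SELECT username || '_' || domain FROM users WHERE email = ?",
        (email,)).fetchone()
    return row[0] if row else None


def split_encoded_user(key):
    """Undo the encoding: the domain is everything after the last '_'.

    Mirrors SUBSTRING_INDEX(@u, '_', -1) and the TRIM(TRAILING ...) of the
    thread's query. Safe as long as domains contain no '_', which DNS host
    names do not; usernames may contain '_' freely (see mary_ann)."""
    username, sep, domain = key.rpartition("_")
    if not sep:
        raise ValueError(f"not an encoded user key: {key!r}")
    return username, domain


def userinfo_by_encoded(conn, key):
    """Revised query_userinfo: look the user up by (domain, username)."""
    username, domain = split_encoded_user(key)
    return conn.execute(
        "SELECT 5000, 5000, ? || '/' || domain || '/' || username "
        "FROM users WHERE domain = ? AND username = ?",
        (HOME_ROOT, domain, username)).fetchone()


def maildir_old(conn, email):
    """Delivery directory under the original scheme."""
    return userinfo_by_username(conn, alias_to_username(conn, email))[2]


def maildir_new(conn, email):
    """Delivery directory under the username_domain scheme."""
    return userinfo_by_encoded(conn, alias_to_encoded_user(conn, email))[2]


if __name__ == "__main__":
    db = build_db()
    for addr in ("bob@domain-one.com", "bob@domain-two.com"):
        print(f"{addr}: old -> {maildir_old(db, addr)}  new -> {maildir_new(db, addr)}")
```

Under the original scheme mail for `bob@domain-two.com` lands in domain-one's bob directory, which is the misdelivery the first message reports; under the encoded scheme each bob resolves to his own domain directory. The encoding relies on the domain part never containing `_`, which holds for DNS host names, so underscores in the username part do not break the split.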


Re: Userbase question.

2018-02-04 Thread Reio Remma

The only reference I've found that tackles a similar problem:

https://hugo.barrera.io/journal/2015/02/15/opensmtpd-dovecot-shared-sql-db/

Rather convoluted for a simple thing though. :)

Reio


On 04.02.2018 22:01, Reio Remma wrote:

On 04.02.2018 21:56, Reio Remma wrote:

Hello!

query_userinfo select 1001,1001,'/var/vmail/' from vusers where email=$1;


I now realize your version doesn't return the actual user's virtual 
mail directory. But maybe it doesn't need to. I suspect Dovecot can 
handle .forward files as well, though it would be nice if they were 
checked without turning to Dovecot.


In my setup currently OpenSMTPD can use .forward files by itself, 
which is nice.




Does it match against an actual (whole) e-mail address or username for 
you?


What does your "accept for domain ..." line in smtpd.conf look like?

All the best,
Reio

On 04.02.2018 21:11, Olivier wrote:


Hello

I am using my own server with a postgresql database to store 
domains, users & passwords:


vmail=> \d
               List of relations
 Schema |           Name           |   Type   | Owner
--------+--------------------------+----------+-------
 public | credentials              | table    | vmail
 public | seq_vmail_credentials_id | sequence | vmail
 public | seq_vmail_vdomains_id    | sequence | vmail
 public | seq_vmail_vusers_id      | sequence | vmail
 public | vdomains                 | table    | vmail
 public | vusers                   | table    | vmail

This database is used by dovecot & opensmtpd for authentication (for 
encoding: use smtpctl encrypt).


All email is stored in the Maildir format, on disk at:

/var/vmail/some.domain.tld/SomeUsers/Maildir

For this, the following packages have to be installed

_opensmtpd-extras-201703132115p1 extras

_opensmtpd-extras-pgsql-201703132115p1

Extract from smtpd.conf:

(…)

###

#

## Define Table

#

table aliases   db:/etc/mail/aliases.db

table vdomains  postgres:/etc/mail/pgsql.conf

table passwd    postgres:/etc/mail/pgsql.conf

table valiases  postgres:/etc/mail/pgsql.conf

(…)

Below, the database interface  (/etc/mail/pgsql.conf)

# smtpd.conf: table users pgsql:/etc/mail/pgsql.conf

conninfo host='myHost' user='myUser' password='myPassword' 
dbname='myDBName'


# Alias lookup query

#

query_alias select destination from myRelation where email=$1;

#

# Domain lookup query

#

query_domain select domain from myRelation where domain=$1;

#

# User lookup query

#

#query_userinfo select 1001,1001,'/var/vmail/' from vusers where 
email=$1;


#

# Credentials lookup query

#

query_credentials select email, password from credentials where 
email=$1 and active = 'Y';  # <-- here your SQL request


Sorry for my bad English. I hope that it will be helpful.

Olivier.

From: Reio Remma [mailto:r...@mrstuudio.ee]
Sent: Sunday, February 4, 2018 3:02 PM
To: misc@opensmtpd.org
Subject: Userbase question.

Hello!

I'm trying to figure out how I can have virtual domains/users 
working completely decoupled from system users.


Every virtual/alias path seems to want to end up at a system account, 
so I'm trying to use userbase, but userbase seems to take the username 
without the domain part as the key.


query_userinfo  SELECT 5000, 5000, 
CONCAT('/home/dovecot/domains/', domain, '/', username ) AS homedir 
FROM users WHERE username = ?;


domain-one.com
- bob
- emily

domain-two.com
- john
- albert
- bob (not the same bob as b...@domain-one.com 
<mailto:b...@domain-one.com>)


Mail sent to b...@domain-two.com <mailto:b...@domain-two.com> will end 
up at b...@domain-one.com <mailto:b...@domain-one.com> mailbox.


Am I missing something about using virtuals in general? I'm starting 
to feel a little stupid here. :)


Thanks,
Reio









Re: Userbase question.

2018-02-04 Thread Reio Remma

On 04.02.2018 21:56, Reio Remma wrote:

Hello!

query_userinfo select 1001,1001,'/var/vmail/' from vusers where email=$1;


I now realize your version doesn't return the actual user's virtual mail 
directory. But maybe it doesn't need to. I suspect Dovecot can handle 
.forward files as well, though it would be nice if they were checked 
without turning to Dovecot.


In my setup currently OpenSMTPD can use .forward files by itself, which 
is nice.




Does it match against an actual (whole) e-mail address or username for you?

What does your "accept for domain ..." line in smtpd.conf look like?

All the best,
Reio

On 04.02.2018 21:11, Olivier wrote:


Hello

I am using my own server with a postgresql database to store domains, 
users & passwords:


vmail=> \d
               List of relations
 Schema |           Name           |   Type   | Owner
--------+--------------------------+----------+-------
 public | credentials              | table    | vmail
 public | seq_vmail_credentials_id | sequence | vmail
 public | seq_vmail_vdomains_id    | sequence | vmail
 public | seq_vmail_vusers_id      | sequence | vmail
 public | vdomains                 | table    | vmail
 public | vusers                   | table    | vmail

This database is used by dovecot & opensmtpd for authentication (for 
encoding: use smtpctl encrypt).


All email is stored in the Maildir format, on disk at:

/var/vmail/some.domain.tld/SomeUsers/Maildir

For this, the following packages have to be installed

_opensmtpd-extras-201703132115p1 extras

_opensmtpd-extras-pgsql-201703132115p1

Extract from smtpd.conf:

(…)

###

#

## Define Table

#

table aliases   db:/etc/mail/aliases.db

table vdomains  postgres:/etc/mail/pgsql.conf

table passwd    postgres:/etc/mail/pgsql.conf

table valiases  postgres:/etc/mail/pgsql.conf

(…)

Below, the database interface  (/etc/mail/pgsql.conf)

# smtpd.conf: table users pgsql:/etc/mail/pgsql.conf

conninfo host='myHost' user='myUser' password='myPassword' 
dbname='myDBName'


# Alias lookup query

#

query_alias select destination from myRelation where email=$1;

#

# Domain lookup query

#

query_domain select domain from myRelation where domain=$1;

#

# User lookup query

#

#query_userinfo select 1001,1001,'/var/vmail/' from vusers where 
email=$1;


#

# Credentials lookup query

#

query_credentials select email, password from credentials where 
email=$1 and active = 'Y';  # <-- here your SQL request


Sorry for my bad English. I hope that it will be helpful.

Olivier.

From: Reio Remma [mailto:r...@mrstuudio.ee]
Sent: Sunday, February 4, 2018 3:02 PM
To: misc@opensmtpd.org
Subject: Userbase question.

Hello!

I'm trying to figure out how I can have virtual domains/users working 
completely decoupled from system users.


Every virtual/alias path seems to want to end up at a system account, 
so I'm trying to use userbase, but userbase seems to take the username 
without the domain part as the key.


query_userinfo  SELECT 5000, 5000, 
CONCAT('/home/dovecot/domains/', domain, '/', username ) AS homedir 
FROM users WHERE username = ?;


domain-one.com
- bob
- emily

domain-two.com
- john
- albert
- bob (not the same bob as b...@domain-one.com 
<mailto:b...@domain-one.com>)


Mail sent to b...@domain-two.com <mailto:b...@domain-two.com> will end 
up at b...@domain-one.com <mailto:b...@domain-one.com> mailbox.


Am I missing something about using virtuals in general? I'm starting 
to feel a little stupid here. :)


Thanks,
Reio







RE: Userbase question.

2018-02-04 Thread Olivier
Hello

I am using my own server with a postgresql database to store domains, users & 
passwords:

vmail=> \d
               List of relations
 Schema |           Name           |   Type   | Owner
--------+--------------------------+----------+-------
 public | credentials              | table    | vmail
 public | seq_vmail_credentials_id | sequence | vmail
 public | seq_vmail_vdomains_id    | sequence | vmail
 public | seq_vmail_vusers_id      | sequence | vmail
 public | vdomains                 | table    | vmail
 public | vusers                   | table    | vmail

This database is used by dovecot & opensmtpd for authentication (for encoding: 
use smtpctl encrypt).

All email is stored in the Maildir format, on disk at:

/var/vmail/some.domain.tld/SomeUsers/Maildir

For this, the following packages have to be installed

_opensmtpd-extras-201703132115p1 extras

_opensmtpd-extras-pgsql-201703132115p1

Extract from smtpd.conf:

(…)
###
#
## Define Table
#
table aliases   db:/etc/mail/aliases.db
table vdomains  postgres:/etc/mail/pgsql.conf
table passwd    postgres:/etc/mail/pgsql.conf
table valiases  postgres:/etc/mail/pgsql.conf
(…)

Below, the database interface  (/etc/mail/pgsql.conf)

# smtpd.conf: table users pgsql:/etc/mail/pgsql.conf
conninfo host='myHost' user='myUser' password='myPassword' dbname='myDBName'

# Alias lookup query
#
query_alias select destination from myRelation where email=$1;
#
# Domain lookup query
#
query_domain select domain from myRelation where domain=$1;
#
# User lookup query
#
#query_userinfo select 1001,1001,'/var/vmail/' from vusers where email=$1;
#
# Credentials lookup query
#
query_credentials select email, password from credentials where email=$1 and active = 'Y';  # <-- here your SQL request

Sorry for my bad English. I hope that it will be helpful.

Olivier.

From: Reio Remma [mailto:r...@mrstuudio.ee]
Sent: Sunday, February 4, 2018 3:02 PM
To: misc@opensmtpd.org
Subject: Userbase question.

Hello!

I'm trying to figure out how I can have virtual domains/users working 
completely decoupled from system users.

Every virtual/alias path seems to want to end up at a system account, so I'm 
trying to use userbase, but userbase seems to take the username without the 
domain part as the key.

query_userinfo  SELECT 5000, 5000, CONCAT('/home/dovecot/domains/', 
domain, '/', username ) AS homedir FROM users WHERE username = ?;

domain-one.com
- bob
- emily

domain-two.com
- john
- albert
- bob (not the same bob as b...@domain-one.com)

Mail sent to b...@domain-two.com will end up at b...@domain-one.com mailbox.

Am I missing something about using virtuals in general? I'm starting to feel a 
little stupid here. :)

Thanks,
Reio



Re: Userbase question.

2018-02-04 Thread Reio Remma

Hey!

uid/gid are for vmail (/home/dovecot directory). I've looked at the 
smtpd lookup trace and query_userinfo queries the database purely by 
user name (without domain part). That is essentially where all 
virtuality fails. :/ If the database was queried by the full e-mail 
address (not unlike the virtual alias query), I could extract the domain 
part easily and proceed from there.


In Dovecot I've specified the username + domain separately in MySQL 
lookups where clauses.


Thanks!
Reio


On 04.02.2018 19:18, Edgar Pettijohn wrote:


does the system have a uid and gid 5000? I'm using mysql myself, but I 
don't have a userinfo section.  I'm guessing it should still work the 
same as the userinfo table described in table(5) though. Unfortunately 
I am no sql expert, so I would just recommend verifying that your 
query does what you expect it to do; perhaps run it from the command 
line and see what you get.



On 02/04/18 10:32, Reio Remma wrote:

Current smtpd.conf below.

As I understand userbase is the only way to let OpenSMTPD know where 
to look for


table aliases  mysql:/etc/opensmtpd/mysql.conf
table domains mysql:/etc/opensmtpd/mysql.conf
table userinfo mysql:/etc/opensmtpd/mysql.conf
table credentials mysql:/etc/opensmtpd/mysql.conf

listen on 0.0.0.0 port 25 tls pki bwo.mrstuudio.ee
listen on 0.0.0.0 port 587 tls-require pki bwo.mrstuudio.ee auth 



listen on lo port 10025 tag Filtered
listen on lo port 10027 tag Signed

accept tagged Filtered for domain  virtual  
userbase  deliver to lmtp "/var/run/dovecot/lmtp" rcpt-to


accept from any for domain  relay via lmtp://127.0.0.1:10024

accept tagged Signed for any relay via tls://orc.mrstuudio.ee

accept from local for any relay via lmtp://127.0.0.1:10026

---

mysql.conf

query_alias SELECT username FROM users WHERE email = ?;
query_domain    SELECT domain FROM users WHERE domain = ? 
LIMIT 1;
query_userinfo  SELECT 5000, 5000, 
CONCAT('/home/dovecot/domains/', domain, '/', username ) AS homedir 
FROM users WHERE username = ?;
query_credentials   SELECT username, password FROM users WHERE 
email = ?;


Thanks,
Reio

On 04.02.2018 18:09, Edgar Pettijohn wrote:


what does your smtpd.conf look like?


On 02/04/18 08:01, Reio Remma wrote:

Hello!

I'm trying to figure out how I can have virtual domains/users 
working completely decoupled from system users.


Every virtual/alias path seems to want to end up at a system account, 
so I'm trying to use userbase, but userbase seems to take the username 
without the domain part as the key.


query_userinfo  SELECT 5000, 5000, 
CONCAT('/home/dovecot/domains/', domain, '/', username ) AS homedir 
FROM users WHERE username = ?;


domain-one.com
- bob
- emily

domain-two.com
- john
- albert
- bob (not the same bob as b...@domain-one.com)

Mail sent to b...@domain-two.com will end up at b...@domain-one.com 
mailbox.


Am I missing something about using virtuals in general? I'm 
starting to feel a little stupid here. :)


Thanks,
Reio










Re: Userbase question.

2018-02-04 Thread Edgar Pettijohn

what does your smtpd.conf look like?


On 02/04/18 08:01, Reio Remma wrote:

Hello!

I'm trying to figure out how I can have virtual domains/users working 
completely decoupled from system users.


Every virtual/alias path seems to want to end up at a system account, so 
I'm trying to use userbase, but userbase seems to take the username 
without the domain part as the key.


query_userinfo  SELECT 5000, 5000, 
CONCAT('/home/dovecot/domains/', domain, '/', username ) AS homedir 
FROM users WHERE username = ?;


domain-one.com
- bob
- emily

domain-two.com
- john
- albert
- bob (not the same bob as b...@domain-one.com)

Mail sent to b...@domain-two.com will end up at b...@domain-one.com mailbox.

Am I missing something about using virtuals in general? I'm starting 
to feel a little stupid here. :)


Thanks,
Reio




Re: FAQ question

2017-10-30 Thread Chris Eidem
Mea culpa, mea maxima culpa…

Thank you for the swat with the clue stick.

> On Oct 30, 2017, at 9:54 AM, Bruno Pagani  wrote:
> Both. A passwd table is a passwd table, an auth table is an auth table. The 
> latter is the standard format for OpenSMTPd, the former is a classical format 
> that OpenSMTPd supports through the file driver of the same name.
> 
> 

It was the error that Joris pointed out with the {BLF-CRYPT} in the passwd file.

> You’ve missed one line: “A standard OpenBSD installation as well as a recent 
> installation of OpenSMTPD-extras including: table-passwd […] is assumed”.
> 
> Regards,
> Bruno

I did indeed and that was carelessness on my part.  Again, thanks all for the 
correction.



Re: FAQ question

2017-10-30 Thread Bruno Pagani
Hi,

On 30/10/2017 at 15:23, Chris Eidem wrote:

> I’m attempting to create a multi-domain opensmtpd+dovecot set up.  I have a 
> question about the FAQ example.  In it you have the following line in the 
> config:
>
> listen on egress port 587 tls-require pki mail.example.com auth 
>
> and you have the passwd table in the dovecot as follows:
>
> j...@example.com:$2b$...encrypted...password...::
> u...@example.net:$2b$...encrypted...password...::userdb_quota_rule=*:storage=1G
>
> But in tables.5 it is stated that auth tables are in this format:
>
> Credentials tables are mappings of credentials. They can be used in two 
> contexts:
> listen on tls [...] auth  
>
> In a listener context, the credentials are a mapping of username and 
> encrypted passwords:
> user1 $2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe 
> user2 $2b$10$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK
>
> I am getting failures attempting to connect to my submission port.  The part 
> of my config relevant is:
> listen on lo0
> listen on egress port 25 tls pki mail.ceidem.com
> listen on egress port 465 tls-require pki mail.ceidem.com
> listen on egress port 587 tls-require pki mail.ceidem.com auth 
>
> with the passwd file:
>
> cei...@ceidem.com:{BLF-CRYPT}$2a$05$...encrypted...password...::
>
> Which is correct?  What have I missed?

Both. A passwd table is a passwd table, an auth table is an auth table.
The latter is the standard format for OpenSMTPd, the former is a
classical format that OpenSMTPd supports through the file driver of the
same name.

To understand your issue, we would need to know the table you have defined.
You should have something like `table passwd passwd:/etc/mail/passwd`
pointing toward your passwd file.

Also, are you trying to connect to 587 or 465? If the latter, note that
you’re missing the auth part on this line, so this might only be used to
deliver mail to local recipients.

In any case, please give more details about “failures attempting to
connect”, what kind of failures ?

> Also, in the FAQ, you have the following config section:
>
> # tables setup
> table aliases file:/etc/mail/aliases
> table domains file:/etc/mail/domains
> table passwd passwd:/etc/mail/passwd
> table virtuals file:/etc/mail/virtuals
>
> But it is never mentioned that the passwd file driver is included in 
> opensmtpd-extras.  Took me a bit to figure that out.

You’ve missed one line: “A standard OpenBSD installation as well as a
recent installation of OpenSMTPD-extras including: table-passwd […] is
assumed”.

Regards,
Bruno




Re: FAQ question

2017-10-30 Thread Joris Vanhecke
I suggest reading the FAQ again.

On Mon, 30 Oct 2017, at 03:23 PM, Chris Eidem wrote:
> I’m attempting to create a multi-domain opensmtpd+dovecot set up.  I have
> a question about the FAQ example.  In it you have the following line in
> the config:
> 
> listen on egress port 587 tls-require pki mail.example.com auth 
> 
> and you have the passwd table in the dovecot as follows:
> 
> j...@example.com:$2b$...encrypted...password...::
> u...@example.net:$2b$...encrypted...password...::userdb_quota_rule=*:storage=1G
> 
> But in tables.5 it is stated that auth tables are in this format:
> 
> Credentials tables are mappings of credentials. They can be used in two
> contexts:
> listen on tls [...] auth  

Yes, but this is table-passwd(5).
It's an OpenSMTPD-extras feature.

> 
> In a listener context, the credentials are a mapping of username and
> encrypted passwords:
> user1   $2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe 
> user2   $2b$10$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK
> 
> I am getting failures attempting to connect to my submission port.  The
> part of my config relevant is:
> listen on lo0
> listen on egress port 25 tls pki mail.ceidem.com
> listen on egress port 465 tls-require pki mail.ceidem.com
> listen on egress port 587 tls-require pki mail.ceidem.com auth 
> 
> with the passwd file:
> 
> cei...@ceidem.com:{BLF-CRYPT}$2a$05$...encrypted...password...::

Did you try what is exactly in the FAQ? 
Without the {BLF-CRYPT} part?

> 
> Which is correct?  What have I missed?
> 
> Also, in the FAQ, you have the following config section:
> 
> # tables setup
> table aliases file:/etc/mail/aliases
> table domains file:/etc/mail/domains
> table passwd passwd:/etc/mail/passwd
> table virtuals file:/etc/mail/virtuals
> 
> But it is never mentioned that the passwd file driver is included in
> opensmtpd-extras.  Took me a bit to figure that out.  

Yes it is.

> 
> Thank you for your time,
> Chris

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
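The two layouts Bruno and Joris are distinguishing, and the `{BLF-CRYPT}` detail Joris points at, made concrete with an added Python check. This is not code from the thread, from the FAQ or from OpenSMTPD. It classifies a credentials line either as the table(5) credentials layout (`user<whitespace>hash`) or as the passwd-file layout the table-passwd driver reads (`user:hash:...`), and reports a Dovecot-style `{SCHEME}` prefix on the hash, which Dovecot's passwd-file understands but which is the stray part in an OpenSMTPD passwd table. The sample lines are constructed; the bcrypt string in them is the one quoted from table(5) above, and the user names are placeholders. The hash-shape check only knows the bcrypt form the FAQ uses; other crypt(3) formats would need their own pattern.

```python
"""Classify OpenSMTPD credential lines and flag a Dovecot scheme prefix.

Added example, not part of the thread, the FAQ or OpenSMTPD. It recognises
the two layouts the thread contrasts:
  credentials table (table(5)):   user<whitespace>hash
  passwd file (table-passwd(5)):  user:hash:uid:gid:gecos:home:shell:extra
and reports a '{SCHEME}' prefix on the hash, which Dovecot accepts but the
OpenSMTPD passwd driver does not expect.
"""
import re

# bcrypt as used in the FAQ: $2a$/$2b$/$2x$/$2y$, 2-digit cost, then
# 22 salt + 31 digest characters (53 in total) from the bcrypt alphabet.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
SCHEME_PREFIX_RE = re.compile(r"^\{[A-Za-z0-9.-]+\}")

# Constructed sample lines. The hash is the one quoted from table(5) in the
# thread; the user names are placeholders.
SAMPLE = """\
# credentials-table style
user1\t$2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe
# passwd-file style, as in the FAQ
john@example.com:$2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe::
# passwd-file style with a trailing Dovecot extra field
user@example.net:$2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe::userdb_quota_rule=*:storage=1G
# the mistake from the thread: a Dovecot scheme prefix in an OpenSMTPD passwd file
chris@example.org:{BLF-CRYPT}$2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe::
"""


def parse_line(line):
    """Return (layout, user, hash) or None for a blank or comment line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if ":" in first:
        # passwd layout: colon-separated fields, the hash is the second one
        fields = line.split(":")
        return "passwd", fields[0], fields[1]
    parts = line.split(None, 1)
    return "credentials", parts[0], (parts[1].strip() if len(parts) > 1 else "")


def check_line(line):
    """Return the list of problems for one line; empty means acceptable."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    layout, user, pw = parsed
    problems = []
    m = SCHEME_PREFIX_RE.match(pw)
    if m:
        problems.append(f"{user}: hash carries a Dovecot scheme prefix {m.group(0)}; "
                        "the OpenSMTPD passwd driver expects the bare crypt string")
        pw = pw[m.end():]          # check the rest of the hash anyway
    if not BCRYPT_RE.match(pw):
        problems.append(f"{user}: hash is not a bcrypt crypt(3) string")
    return problems


def check_file(text):
    """Return {user: [problems]} for every line that has at least one."""
    report = {}
    for line in text.splitlines():
        problems = check_line(line)
        if problems:
            report[parse_line(line)[1]] = problems
    return report


if __name__ == "__main__":
    for user, problems in check_file(SAMPLE).items():
        for problem in problems:
            print(problem)
```

Pointing this at the file named by `table passwd passwd:/etc/mail/passwd` finds the `{BLF-CRYPT}` line and nothing else; the three FAQ-shaped lines pass, extra Dovecot fields included.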



FAQ question

2017-10-30 Thread Chris Eidem
I’m attempting to create a multi-domain opensmtpd+dovecot set up.  I have a 
question about the FAQ example.  In it you have the following line in the 
config:

listen on egress port 587 tls-require pki mail.example.com auth 

and you have the passwd table in the dovecot as follows:

j...@example.com:$2b$...encrypted...password...::
u...@example.net:$2b$...encrypted...password...::userdb_quota_rule=*:storage=1G

But in tables.5 it is stated that auth tables are in this format:

Credentials tables are mappings of credentials. They can be used in two 
contexts:
listen on tls [...] auth  

In a listener context, the credentials are a mapping of username and encrypted 
passwords:
user1   $2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe 
user2   $2b$10$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK

I am getting failures attempting to connect to my submission port.  The part of 
my config relevant is:
listen on lo0
listen on egress port 25 tls pki mail.ceidem.com
listen on egress port 465 tls-require pki mail.ceidem.com
listen on egress port 587 tls-require pki mail.ceidem.com auth 

with the passwd file:

cei...@ceidem.com:{BLF-CRYPT}$2a$05$...encrypted...password...::

Which is correct?  What have I missed?

Also, in the FAQ, you have the following config section:

# tables setup
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table passwd passwd:/etc/mail/passwd
table virtuals file:/etc/mail/virtuals

But it is never mentioned that the passwd file driver is included in 
opensmtpd-extras.  Took me a bit to figure that out.  

Thank you for your time,
Chris



question about procmail and delimiter

2017-08-28 Thread Michiel van Es
Hi,

I am using OpenSMTPD (6.0.2) on Debian Stretch and want to pass the delimiter 
values via procmail to dovecot sieve.

My smtpd.conf:

pki server.pragmasec.nl certificate 
"/etc/letsencrypt/live/pragmasec.nl/fullchain.pem"
pki server.pragmasec.nl key "/etc/letsencrypt/live/pragmasec.nl/privkey.pem"
listen on localhost
listen on ens3 port 25 tls pki server.pragmasec.nl hostname server.pragmasec.nl 
auth-optional
listen on ens3 port 587 tls-require pki server.pragmasec.nl hostname 
server.pragmasec.nl auth-optional
table vdomains file:/usr/local/etc/vdomains
table vusers file:/usr/local/etc/vusers
expire 7d
limit mta inet4
accept from any for domain  virtual  deliver to mda 
"/usr/bin/procmail -f -"
accept from local for any relay

My .procmailrc:

SHELL=/usr/local/bin/bash
VERBOSE=yes
DELIVER=/usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
#DELIVER=/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -a %{rcpt}
LOGFILE=/var/log/procmail.log
DEFAULT=$HOME/Maildir/
ORGMAIL=$HOME/Maildir/
#DROPPRIVS=yes
DEBUG=YES
#
### virus scanning
#
:0fw
| /usr/local/procmail2virustotal/checkvirus.py
:0
* ^X-Virus-Flag: YES
$DEFAULT/.Virus/new
:0 w
| $DELIVER
:0
$DEFAULT


The thing is, when I am using postfix and use '/usr/bin/procmail -p' it proxies 
the username+det...@domain.com nicely to procmail which then delivers it to 
dovecot sieve and it finally filters the delimiter nicely.
If I change to OpenSMTPD and use the same procmail command the detail is cut off 
by OpenSMTPD:

procmail: Assigning "DEFAULT=/home/mve/Maildir/"
procmail: Assigning "ORGMAIL=/home/mve/Maildir/"
procmail: Assigning "DEBUG=YES"
procmail: Executing "/usr/local/procmail2virustotal/checkvirus.py"
procmail: [12334] Mon Aug 28 11:47:43 2017
procmail: No match on "^X-Virus-Flag: YES"
procmail: Executing "/usr/lib/dovecot/dovecot-lda"
procmail: Assigning "LASTFOLDER=/usr/lib/dovecot/dovecot-lda"
procmail: Notified comsat: "mve@:/usr/lib/dovecot/dovecot-lda"
 Subject: sd
  Folder: /usr/lib/dovecot/dovecot-lda

Notice the comsat line where mve@ is passed and not mve+detail@ to dovecot 
sieve.

My question: what kind of command do I have to use in smtpd.conf to pass these 
values to procmail?
I've got it working with dovecot-lda directly by using: deliver to mda 
"/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -a %{rcpt}" but when 
changing this to deliver to mda "/usr/bin/procmail -f %{sender} -a %{rcpt}" it 
does not work.
Also tried the -p option and -f - but all options seem not to pass the 
user+detail@ to procmail when using OpenSMTPD.

Not saying this is because of OpenSMTPD and mostly my own config error but I am 
just trying to figure out if someone got it working with procmail preserving 
the user+detail@ with procmail.

Thanks for any help.

regards,

Michiel





--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Spamd question with Spamtrap

2017-03-11 Thread Mik J
Hello,
Spamd has been really efficient in blocking spam. A few of them passed through 
once in a while but there's no discomfort.

But, I'm not able to use spamtrap.

# spamdb -T -a ""
# spamdb | grep SPAMTRAP
SPAMTRAP|

But when I telnet to port 25 and try to send a mail, a GREY entry is created, and 
after the holdtime mail is passing through.

1) During the GREY phase, my PF redirects connections to spamd:

match in on $ext_if proto tcp to $ext_if port 25 rdr-to $mailserver port 25
pass in quick on $ext_if proto tcp from any to $mailserver port 25 divert-to 127.0.0.1 port 8025

2) But after the holdtime, flows bypass spamd and go directly to the mail server:

pass in log (to pflog1) quick on $ext_if proto tcp from  to $mailserver port 25 flags S/SA modulate state

And I placed the PF rules in this order:

match in on $ext_if proto tcp to $ext_if port 25 rdr-to $mailserver port 25
pass in log (to pflog1) quick on $ext_if proto tcp from  to $mailserver port 25 flags S/SA modulate state
pass in quick on $ext_if proto tcp from any to $mailserver port 25 divert-to 127.0.0.1 port 8025

Do you see anything abnormal or have advice?
Regards
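Added illustration, not part of the post or any reply: a small Python model of how pf(4) picks the deciding rule for a ruleset shaped like the three rules above. pf walks the rules in order, the last matching pass/block rule wins unless a matching rule carries quick, which ends evaluation there, and match rules only attach options (here the rdr-to) without deciding anything. The ruleset and addresses are constructed; "<spamd-white>" is an assumed table name standing in for the one the archive stripped from the post, and 192.0.2.25 is a documentation address used for $mailserver.

```python
# Constructed model of pf(4) rule evaluation for the spamd setup discussed
# above; not the poster's pf.conf. "<spamd-white>" is an assumed table name.
MAILSERVER = "192.0.2.25"          # stands in for $mailserver
SPAMD = ("127.0.0.1", 8025)        # spamd listening address from the post

RULES = [
    # match rules only attach options (the rdr-to); they never decide pass/block
    {"action": "match", "quick": False, "src": "any",
     "opts": {"rdr-to": (MAILSERVER, 25)}},
    # whitelisted senders: pass straight to the mail server, stop evaluating
    {"action": "pass", "quick": True, "src": "<spamd-white>",
     "opts": {"log": "pflog1"}},
    # everyone else: divert the connection to spamd, stop evaluating
    {"action": "pass", "quick": True, "src": "any",
     "opts": {"divert-to": SPAMD}},
]


def evaluate(src_ip, tables, rules=RULES):
    """Pick the rule that decides an inbound SYN to port 25 the way pf does:
    walk the list in order, remember the last matching pass/block rule, and
    stop at the first matching rule flagged quick. Options attached by match
    rules along the way are merged into the winner's options.
    Returns (winner_index, merged_options); winner_index is None when no
    pass/block rule matched."""
    attached = {}
    winner = None
    for idx, rule in enumerate(rules):
        src = rule["src"]
        if src != "any" and src_ip not in tables.get(src, set()):
            continue
        if rule["action"] == "match":
            attached.update(rule["opts"])
            continue
        winner = idx
        if rule["quick"]:
            break
    if winner is None:
        return None, {}
    merged = dict(attached)
    merged.update(rules[winner]["opts"])
    return winner, merged


def goes_to_spamd(src_ip, tables, rules=RULES):
    """True when the winning rule diverts the connection to spamd."""
    return "divert-to" in evaluate(src_ip, tables, rules)[1]


def main():
    tables = {"<spamd-white>": {"198.51.100.7"}}   # constructed whitelist
    for ip in ("198.51.100.7", "203.0.113.9"):
        idx, opts = evaluate(ip, tables)
        print(f"{ip}: rule {idx} wins, spamd={'divert-to' in opts}, opts={opts}")
    # Same rules with the whitelist rule moved after the divert rule: both are
    # quick, so the divert rule now wins for everybody, whitelisted or not.
    reordered = [RULES[0], RULES[2], RULES[1]]
    print("reordered, whitelisted host diverted:",
          goes_to_spamd("198.51.100.7", tables, reordered))


if __name__ == "__main__":
    main()
```

The model shows only which rule wins and which options it carries; with a whitelist hit, evaluation never reaches the divert-to rule, so whatever spamd would do with that connection (spamtrap included) is never consulted for a whitelisted source.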
 


Re: Memiks a new user of opensmtpd and question about rspamd

2017-02-07 Thread Gilles Chehade
On Tue, Feb 07, 2017 at 12:38:54PM +, Mémîks wrote:
> Hello,
> 

Hello,


> I am a new user of opensmtpd and I really like it.
> 

Cool


> I would like to create a filter to interact with rspamd or a plugin...
>

Filters are not a thing yet, I'll post a lengthy explanation about plans
for it next week and why it's taking the time it's taking as well as how
we intend to move forward with them.

For now, your only option is either to integrate the spam filter through
the spampd proxy or a custom mda. There is a tutorial currently floating
in Russian that explains how to use it with a custom mda, I do not speak
Russian but Google translate made it understandable to me.


> Do you know where I can find some documentation about development of 
> opensmtpd?
> 

use the source, Luke.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Memiks a new user of opensmtpd and question about rspamd

2017-02-07 Thread Mémîks
Hello,

I am a new user of opensmtpd and I really like it.

I would like to create a filter to interact with rspamd or a plugin...
Do you know where I can find some documentation about development of opensmtpd?

Thanks a lot,
BR,
Frédéric LESUR.


Re: question about CentOS 7 and OpenSMTPD-Extras

2016-07-28 Thread Markus Julen
Hi!

There's a very good step by step "recipe" at http://technoquarter.blogspot.ch, 
including ClamAV and spamassassin (and more). It's very easy to set up - even 
without filters.

Another very good guide can be found at 
https://frozen-geek.net/openbsd-email-server-1/

Virtual users, mysql? No problem. 
https://www.mail-archive.com/misc@opensmtpd.org/msg01426.html

regards,
--markus

> On 28.07.2016, at 10:21, Michiel van Es  wrote:
> 
> Hello,
> 
> I am trying to replace my Postfix + Amavisd-new setup with OpenSMTPD with the 
> OpenSMTPD-Extras setup.
> 
> I have 2 questions:
> 
> - I don’t see the clamav, spam assassin, etc filters not anymore, are they 
> now default installed? If not how do I install them?
> 
> ...
> 
> How can I fix this?
> 
> Thanks for the help.
> 
> Cheers,
> 
> Michiel







Re: question about CentOS 7 and OpenSMTPD-Extras

2016-07-28 Thread Gilles Chehade
On Thu, Jul 28, 2016 at 11:42:27AM +0200, Michiel van Es wrote:
> 
> > On 28 Jul 2016, at 11:01, Gilles Chehade  wrote:
> > 
> > On Thu, Jul 28, 2016 at 10:21:04AM +0200, Michiel van Es wrote:
> >> Hello,
> >> 
> >> I am trying to replace my Postfix + Amavisd-new setup with OpenSMTPD with 
> >> the OpenSMTPD-Extras setup.
> >> 
> >> I have 2 questions:
> >> 
> >> - I don’t see the clamav, spam assassin, etc filters not anymore, are 
> >> they now default installed? If not how do I install them?
> >> 
> > 
> > Yes, there's been an abuse of this.
> > 
> > We enabled filters to help us developers find the proper API, stabilize
> > it and get it ready now that the server-side part is done. The goal was
> > to write filters that stress particular bits of the API, and figure out
> > if we missed stuff in the API for a filter to be able to do things. The
> > filters were marked experimental in the release not precisely for that.
> > 
> > It turns out that very quickly this ran out of control.
> > 
> > Filters were written FOR users, many working around API limitations and
> > not trying to plug them, people advocated use of many filters without a
> > clear warning that they were experimental and soon we started getting a
> > tons of bug reports about specific filters that resulted in crashes.
> > 
> > I decided to cut the crap and remove them from -extras into their own
> > specific branches so people don't get tricked into installing
> > experimental / buggy stuff assuming its stable.
> > 
> > You have to be a developer to use them, figure out if they are doing
> > something that should better be in the API and fix your own bugs. If
> > you are not a developer, you can still install them by fetching the
> > appropriate branch on git, but you're on your own then.
> > 
> 
> I am no developer but am willing to try the different branches :)
> How would I install them? One by one? So first the opensmtpd-extras, then the 
> filters that I like?
> 

If you're asking, then you're the wrong audience ;-)


> > 
> > This needs a fix, please fill a bug report on github and I'll deal with it 
> > shortly ;-)
> 
> I can not create an issue at the OpenSMTPD-Extras repo, I can create an issue 
> for OpenSMTPD but not the extras repo.
> Shall I create it on the OpenSMTPD repo?
> 

Yes, we only have one bug tracker to make it easier to process.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




question about CentOS 7 and OpenSMTPD-Extras

2016-07-28 Thread Michiel van Es
Hello,

I am trying to replace my Postfix + Amavisd-new setup with OpenSMTPD with the 
OpenSMTPD-Extras setup.

I have 2 questions:

- I don’t see the clamav, spam assassin, etc filters not anymore, are they now 
default installed? If not how do I install them?

- When trying to compile the OpenSMTPD-Extras git repo on my CentOS 7 64 bit 
machine I get:

../../../api/rfc2822.c: In function ‘rfc2822_header_callback’:
../../../api/rfc2822.c:221:45: warning: comparison between signed and unsigned 
integer expressions [-Wsign-compare]
  if (strlcpy(buffer, header, sizeof buffer) >= sizeof buffer)
 ^
../../../api/rfc2822.c: In function ‘rfc2822_missing_header_callback’:
../../../api/rfc2822.c:249:45: warning: comparison between signed and unsigned 
integer expressions [-Wsign-compare]
  if (strlcpy(buffer, header, sizeof buffer) >= sizeof buffer)
 ^
make[4]: *** [../../../api/rfc2822.o] Error 1
make[4]: Leaving directory 
`/usr/local/OpenSMTPD-extras/extras/filters/filter-stub'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/usr/local/OpenSMTPD-extras/extras/filters'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/local/OpenSMTPD-extras/extras'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/OpenSMTPD-extras'
make: *** [all] Error 2

How can I fix this?

Thanks for the help.

Cheers,

Michiel



Re: recipient question

2016-03-24 Thread Ian Darwin
Thanks for these two answers!

On Thu, Mar 24, 2016, Edgar Pettijohn wrote:
> I've used it in the past.  The following should work.

> accept from any for domain  recipient  deliver to mbox

On Thu, Mar 24, 2016, Gilles Chehade wrote:
> You can't name a table after a keyword:
> 
> recipient 

Actually that was a typo, the table is named . Serves me right for
re-typing an example, which I usually know better than to try.

The syntax errors were caused by the order of things in the grammar.

As Edgar pointed out, the syntax he gave does work once you get past #1, BUT
it does not work if you put the aliases back in, unless you put it just the 
right place:

WORKS:
accept from any for domain  recipient  deliver to lmtp 
localhost:
accept from any for domain  alias  deliver to mbox

FAILS:
accept from any for domain  alias  recipient  
deliver to lmtp localhost:
accept from any for domain  alias  deliver to mbox

WORKING SMTPD ACCEPT RECIPIENT SYNTAX:
accept from any for domain  recipient  alias  
deliver to lmtp localhost:
accept from any for domain  alias  deliver to mbox

I hope that, despite requiring the mildly counter-intuitive order, it will expand
the aliases before selecting the recipients?
Guess I'll find out later today when/if I get the alternate experimental MDA up
and running, now that I know what I was trying here is at least plausible.

Thanks




Re: recipient question

2016-03-23 Thread Edgar Pettijohn

I've used it in the past.  The following should work.

table tablename file:/etc/mail/something

accept from any for domain  recipient  deliver to mbox

/etc/mail/something
u...@something.com

On 03/23/16 17:31, Ian Darwin wrote:

At this time, the list is very low volume, feel free to introduce yourself
;-)

Hola! This is Ian Darwin, sometime OpenBSD committer (ports, mostly, but I also wrote
the old file(1) command "a while ago"), Java geek, tech instructor/author, and photographer.

I've been running smtpd on my OpenBSD laptop for I think a couple of years
and in production on a low-volume server for maybe a year (it's been up for
220 days so maybe 3/4 of a year, I dunno).

I'm asking if anybody has a working example with "recipient"?

What I planned to do was divert one person's (myself, #1 guinea pig) incoming
mail to a different MDA for testing a new MDA. I tried taking this existing 
line:

accept from any for domain  alias  deliver to mbox

and cloning it, the first version to add "recipient { "per...@dom.ain" }"
and the second as above. I tried putting the recipient after the domain, e.g.,

accept from any for domain  recipient  alias  
deliver to mbox

Why after?  Because the man page says "Further filtering may be achieved on
specific recipients if desired" and "further" implies after - the man page
has no example of this (whether you write the table as a table rule or
inline should not matter, but I did try both before sending this post).

Also tried putting it in a variety of other places, replacing some phrases, etc.

I could not come up with anything that didn't give the dreaded :-) "smtpd.conf:24: 
syntax error"

Is this the right tool for this job, and, if so, how does it actually work?

Thanks if anyone can steer me right on this.

Ian







recipient question

2016-03-23 Thread Ian Darwin
> At this time, the list is very low volume, feel free to introduce yourself
> ;-)

Hola! This is Ian Darwin, sometime OpenBSD committer (ports, mostly, but I also wrote
the old file(1) command "a while ago"), Java geek, tech instructor/author, and photographer.

I've been running smtpd on my OpenBSD laptop for I think a couple of years
and in production on a low-volume server for maybe a year (it's been up for
220 days so maybe 3/4 of a year, I dunno).

I'm asking if anybody has a working example with "recipient"?

What I planned to do was divert one person's (myself, #1 guinea pig) incoming
mail to a different MDA for testing a new MDA. I tried taking this existing 
line:

accept from any for domain  alias  deliver to mbox

and cloning it, the first version to add "recipient { "per...@dom.ain" }"
and the second as above. I tried putting the recipient after the domain, e.g.,

accept from any for domain  recipient  alias  
deliver to mbox

Why after?  Because the man page says "Further filtering may be achieved on
specific recipients if desired" and "further" implies after - the man page
has no example of this (whether you write the table as a table rule or
inline should not matter, but I did try both before sending this post).

Also tried putting it in a variety of other places, replacing some phrases, etc.

I could not come up with anything that didn't give the dreaded :-) 
"smtpd.conf:24: syntax error"

Is this the right tool for this job, and, if so, how does it actually work?

Thanks if anyone can steer me right on this.

Ian




Re: question to package maintainers

2015-12-24 Thread Tim Hume
Having OpenSSL and LibreSSL living together on the same system seems 
reasonable. Surely name conflicts can be worked around somehow?

Out of curiosity, does anyone know how many people run OpenSMTP on the 
offending systems compared to OpenBSD?

Cheers,

Tim Hume. 

> On 24 Dec 2015, at 03:06, Gilles Chehade  wrote:
> 
>> On Wed, Dec 23, 2015 at 07:56:02AM -0800, Richard wrote:
>>> On Wed, 23 Dec 2015, Gilles Chehade wrote:
>>> 
>>> What I'm wondering is if there's any reason that would prevent RHEL, for
>>> example, to package LibreSSL in the same way that libasr was packaged so
>>> that OpenSMTPD could specifically depend on it.
>>> 
>>> The system would keep its default SSL library.
>> 
>> Library name collision
>> --
>> Libasr is a unique library name on Linux as far as I know and there is no
>> problem installing it.
>> 
>> LibreSSL contains library names libcrypto and libssl which collide with
>> the identical names in OpenSSL on most Linux systems.
>> 
>> Can the libcrypto and libssl library names in LibreSSL be changed?
>> 
>> Maybe they can change to liblibrecrypto and liblibressl?
>> 
>> LibreSSL also uses library libtls.
>> Is libtls unique in Linux?
>> 
>> If not maybe it can change to liblibretls?
>> 
>> Changing the library names allows LibreSSL and OpenSSL to exist
>> side by side on any Linux system.
> 
> I'm well aware of that, but that's precisely what I'm suggesting:
> 
> If the ONLY reason keeping from depending on LibreSSL is that there is a
> problem currently with the library name, then we can take a step back to
> think of a solution that would solve this and help us move forward.
> 
> 
> -- 
> Gilles Chehade
> 
> https://www.poolp.org  @poolpOrg
> 




Re: question to package maintainers

2015-12-24 Thread Gilles Chehade
On Thu, Dec 24, 2015 at 07:25:36PM +1100, Tim Hume wrote:
> Having OpenSSL and LibreSSL living together on the same system seems 
> reasonable. Surely name conflicts can be worked around somehow?
> 

That's my point ;-)


> Out of curiosity, does anyone know how many people run OpenSMTP on the 
> offending systems compared to OpenBSD?
> 

Nope, I'd say half users are OpenBSD, half are Linux/FreeBSD if my mails
are anything close to reality.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: question to package maintainers

2015-12-24 Thread Gilles Chehade
Just before we dive further into this thread, I'd like to clarify that the
reason for this debate is really to help establish a strategy forward, not
a way to push for a change next week disregarding packagers.

I want to be sure I understand the limiting factors here and there, so the
change CAN happen (it is going to sooner or later), but in a way that does
not hurt users and that packagers can cope with.



On Thu, Dec 24, 2015 at 04:34:34AM +0600, Denis Fateyev wrote:
> On Wed, Dec 23, 2015 at 9:16 PM, Gilles Chehade <gil...@poolp.org> wrote:
> 
> >
> > What I'm wondering is if there's any reason that would prevent RHEL, for
> > example, to package LibreSSL in the same way that libasr was packaged so
> > that OpenSMTPD could specifically depend on it.
> >
> > The system would keep its default SSL library.
> >
> 
> Well, it's only my opinion so I can miss some points here. Briefly, why
> libressl doesn't come here:
>
> 1) The first problem is that unlike third-party "libasr" library these
> chaps "libressl" and "openssl" are way too close, and it creates
> temptations and mistakes. Due to human nature, new options provide more
> possibility to slip up. Being provided with two similar options, some
> developers won't be considering open-(libre-)ssl corner cases you've
> mentioned for example, some will mix these two solutions up, etc. All
> users, in general, hate the idea that due to these changes something can be
> randomly broken.
> 

This loses me, or I'm missing a keypoint:

To me, the fact that two libraries are close is not really a technical issue
that can't be overcome. Two different versions of OpenSSL could be installed
in different places, and this holds true for LibreSSL no ?

This seems more like a packaging issue because LibreSSL could very well stay
in /usr/lib/libressl, or whatever is the convention on the target distro, so
it lives side by side and doesn't affect other applications.

Say tomorrow I started OpenWhateverD, it relied solely on LibreSSL's libtls,
and you REALLY had an interest in it, how would you work that out ?


> It can be solved, but I don't know anybody from the Fedora community who'd
> be willing to:
> 
>   - reconcile issues on similar soname provides, naming, versioning etc.
> with Fedora and RedHat technical board in order to avoid all possible
> intersections with this critical system component;
>   - support "libressl" globally similar to "openssl" case, fixing security
> CVEs always getting in touch (being such package maintainer is not a
> one-time task);
>   - consult RH/Fedora developers promptly fixing their libressl-specific
> issues - and all this responsibility on a voluntary basis.
>

I can understand this but then it's a distribution specific issue and it isn't
limited by a technical problem. This can be taken into account when making the
move so that the package maintainer can sort things out but I don't think that
it should be a justification to prevent move and limit our progress.

If no one in the Fedora community would be willing to work out a solution then
it would be an indicator that we're holding back for a community that does not
really care so much about having the project or not. If that was the case then
it would question why we're holding back really :-)

If there is a technical problem, then it is different because we're willing to
help work things out.


> 2) From the enterprise point of view, there is no sense to support it as an
> openssl replacement now.
> It's not FIPS-certified so they cannot use it in enterprise solutions where
> openssl currently in charge. For simplicity, better not to have an unusable
> alternative (in context of this situation, of course). They won't sponsor
> its maintenance so it's up to the community. Surely this can change if
> business sees a use case for this specific library's clone but there is no
> any so far.
> 

Unlike the above, this is irrelevant to me, I don't think any opensource
project should be driven by what makes sense to a particular company.

We were sponsored full-time for over a year by my employer, and then the
direction we were taking no longer made sense for them.

We could have adapted our direction to keep the sponsoring, but it would
have been a bad thing for the project, so we part ways (on sponsorship).

Clearly, I can take anything into account but not this :-)


> The arguments on switching to libressl are quite logical, but I don't see a
> straight way how to do it in RHEL and Fedora considering all above.
> 

Ok, so then the question is:

There's no straight way, so how do we plan for a curvy way ? :-)


> By the way, how about GnuTLS support?
> 

We have no interest for that.

The code was written using the OpenSSL API because we were used to it
a

Re: question to package maintainers

2015-12-24 Thread Ryan Kavanagh
On Thu, Dec 24, 2015 at 09:42:56AM +0100, Gilles Chehade wrote:
> > Out of curiosity, does anyone know how many people run OpenSMTP on
> > the offending systems compared to OpenBSD?

According to Debian popcon (an opt-in "popularity contest" for
packages), there are >= 19 people with opensmtpd installed on Debian.
https://qa.debian.org/popcon.php?package=opensmtpd

On Thu, Dec 24, 2015 at 07:17:12PM +0600, Denis Fateyev wrote:
> As an analogue, I can remember a mailing list thread in Debian where
> people were discussing Libressl packaging into Debian. They produced
> tens of messages but came to nothing at that point.

Indeed, Debian doesn't have libressl packaged yet, and as far as I know,
there's nobody actively working on packaging it either. Here's the
referenced discussion regarding getting it into Debian. There's been no
activity on it in a year and a half.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754513

Unfortunately, I don't have the time to take on packaging libressl
myself, nor do I want to take on the responsibility of maintaining it
long-term and dealing with any potential security vulnerabilities that
may arise in it, so it boils down to needing someone else to volunteer
to take care of it.

Happy holidays,
Ryan

-- 
|_)|_/  Ryan Kavanagh   | Debian Developer
| \| \  http://ryanak.ca/   | GPG Key 4A11C97A




Re: question to package maintainers

2015-12-24 Thread Tim Hume


> On 24 Dec 2015, at 02:16, Gilles Chehade  wrote:
> 
>> On Wed, Dec 23, 2015 at 07:56:25PM +0600, Denis Fateyev wrote:
>>> On Wed, Dec 23, 2015 at 6:23 PM, Gilles Chehade  wrote:
>>> 
>>> 
>>> Would your distribution be affected if LibreSSL became a requirement ?
>>> 
>>> OpenSMTPD is starting to rely on LibreSSL-specific functions that will
>>> force us to go through painful hacks to maintain that dual SSL support
>>> and I'd like to know if switching to a LibreSSL-only mode is an option
>>> at this point or still too early.
>> 
>> 
>> It would be a problem in RHEL (and its derivatives like CentOS, Scientific,
>> Oracle, et al), and Fedora.
>> There were no plans of implementing Libressl support before, and there are
>> no plans to do it now.
> 
> I don't really get this, maybe there's a misunderstanding:
> 
> I understand that RHEL and others don't intend to switch to LibreSSL for
> their default SSL library and I'm not suggesting they should, this isn't
> our call, it's unreasonable to assume every system will switch and there
> is no debate about this.
> 
> What I'm wondering is if there's any reason that would prevent RHEL, for
> example, to package LibreSSL in the same way that libasr was packaged so
> that OpenSMTPD could specifically depend on it.
> 
> The system would keep its default SSL library.
> 
> 
>> As you might realize, linking Libressl statically is also not an option.
> 
> Yes, obviously I'm not advocating this ;-)
> 
> 
>> In my opinion, there is no point to forcibly depend on Libressl unless big
>> commercial players are interested in it.
> 
> Actually there are very strong rationales for this, I'll if you want but
> the bottom line:
> 
> - we're currently trying to support OpenSSL and LibreSSL as being the
>  same library and we're hitting corner cases that require us to hack
>  around detection, hack around compat and backport parts of LibreSSL
>  code in standalone files just so OpenSSL keeps working.
> 
> - we're facing cases of OpenSSL-induced #ifdefs because depending who
>  built it, it lacks AES_GCM, it lacks SNI, it lacks this and that. I
>  have broken SNI support at least once because of this.
> 
> - ultimately, we want to get rid of the OpenSSL historical interface
>  and rely on LibreSSL's libtls which will make TLS code readable. I
>  think we can all agree that it's scary that the most dangerous bit
>  of code in OpenSMTPD is also the less readable and the most error-
>  prone, we should take some steps towards changing this...
> 
> 
> 
> 
> -- 
> Gilles Chehade
> 
> https://www.poolp.org  @poolpOrg
> 




Re: question to package maintainers

2015-12-24 Thread Denis Fateyev
On Dec 24, 2015 7:31 PM, "Gilles Chehade"  wrote:
> On Thu, Dec 24, 2015 at 07:17:12PM +0600, Denis Fateyev wrote:
> >
> > Well, you asked what distributions packagers thought, and I presented it
> > from point of the specific distribution. There are always some issues,
not
> > only pure technical ones.
> >
>
> I know and the reason I'm stating clearly my thoughts on this is so that
> you and others understand our position. I get it that you don't have all
> solutions at hands and that it might take time to solve them.

We currently have neither libressl requested nor specific policy for this
very case. Due to possible name collision and such we need to settle and
regulate lots of things, since something will definitely come out even
though the changes might look trivial.

> > I'll re-open libressl packaging discussion in Fedora right after Christmas,
> > and in case of positive decision me or anybody else would support libressl
> > pro bono. There is no schedule here.
> >
>
> Understood but that would already be a great step for us,
> Thanks

I'm personally not against libressl as any other library, too.
But it always brings a lot of flame talks and concerns which packagers
naturally try to avoid. Let's see how it will go this time :-)

---
wbr, Denis.


Re: question to package maintainers

2015-12-23 Thread Gilles Chehade
On Wed, Dec 23, 2015 at 07:56:25PM +0600, Denis Fateyev wrote:
> On Wed, Dec 23, 2015 at 6:23 PM, Gilles Chehade  wrote:
> 
> >
> > Would your distribution be affected if LibreSSL became a requirement ?
> >
> > OpenSMTPD is starting to rely on LibreSSL-specific functions that will
> > force us to go through painful hacks to maintain that dual SSL support
> > and I'd like to know if switching to a LibreSSL-only mode is an option
> > at this point or still too early.
> 
> 
> It would be a problem in RHEL (and its derivatives like CentOS, Scientific,
> Oracle, et al), and Fedora.
> There were no plans of implementing Libressl support before, and there are
> no plans to do it now.
>

I don't really get this, maybe there's a misunderstanding:

I understand that RHEL and others don't intend to switch to LibreSSL for
their default SSL library and I'm not suggesting they should, this isn't
our call, it's unreasonable to assume every system will switch and there
is no debate about this.

What I'm wondering is if there's any reason that would prevent RHEL, for
example, to package LibreSSL in the same way that libasr was packaged so
that OpenSMTPD could specifically depend on it.

The system would keep its default SSL library.


> As you might realize, linking Libressl statically is also not an option.
>

Yes, obviously I'm not advocating this ;-)


> In my opinion, there is no point to forcibly depend on Libressl unless big
> commercial players are interested in it.
> 

Actually there are very strong rationales for this, I'll if you want but
the bottom line:

- we're currently trying to support OpenSSL and LibreSSL as being the
  same library and we're hitting corner cases that require us to hack
  around detection, hack around compat and backport parts of LibreSSL
  code in standalone files just so OpenSSL keeps working.

- we're facing cases of OpenSSL-induced #ifdefs because depending who
  built it, it lacks AES_GCM, it lacks SNI, it lacks this and that. I
  have broken SNI support at least once because of this.

- ultimately, we want to get rid of the OpenSSL historical interface
  and rely on LibreSSL's libtls which will make TLS code readable. I
  think we can all agree that it's scary that the most dangerous bit
  of code in OpenSMTPD is also the less readable and the most error-
  prone, we should take some steps towards changing this...




-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: question to package maintainers

2015-12-23 Thread Gilles Chehade
On Wed, Dec 23, 2015 at 07:56:02AM -0800, Richard wrote:
> On Wed, 23 Dec 2015, Gilles Chehade wrote:
> 
> > What I'm wondering is if there's any reason that would prevent RHEL, for
> > example, to package LibreSSL in the same way that libasr was packaged so
> > that OpenSMTPD could specifically depend on it.
> >
> > The system would keep its default SSL library.
> >
> 
> Library name collision
> --
> Libasr is a unique library name on Linux as far as I know and there is no
> problem installing it.
> 
> LibreSSL contains library names libcrypto and libssl which collide with
> the identical names in OpenSSL on most Linux systems.
>
> Can the libcrypto and libssl library names in LibreSSL be changed?
> 
> Maybe they can change to liblibrecrypto and liblibressl?
>
> LibreSSL also uses library libtls.
> Is libtls unique in Linux?
> 
> If not maybe it can change to liblibretls?
> 
> Changing the library names allows LibreSSL and OpenSSL to exist
> side by side on any Linux system.
> 

I'm well aware of that, but that's precisely what I'm suggesting:

If the ONLY reason keeping from depending on LibreSSL is that there is a
problem currently with the library name, then we can take a step back to
think of a solution that would solve this and help us move forward.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: question to package maintainers

2015-12-23 Thread Denis Fateyev
On Wed, Dec 23, 2015 at 6:23 PM, Gilles Chehade  wrote:

>
> Would your distribution be affected if LibreSSL became a requirement ?
>
> OpenSMTPD is starting to rely on LibreSSL-specific functions that will
> force us to go through painful hacks to maintain that dual SSL support
> and I'd like to know if switching to a LibreSSL-only mode is an option
> at this point or still too early.


It would be a problem in RHEL (and its derivatives like CentOS, Scientific,
Oracle, et al), and Fedora.
There were no plans of implementing Libressl support before, and there are
no plans to do it now.

As you might realize, linking Libressl statically is also not an option.

In my opinion, there is no point to forcibly depend on Libressl unless big
commercial players are interested in it.

-- 
wbr, Denis.


Re: question to package maintainers

2015-12-23 Thread Richard
On Wed, 23 Dec 2015, Gilles Chehade wrote:

> What I'm wondering is if there's any reason that would prevent RHEL, for
> example, to package LibreSSL in the same way that libasr was packaged so
> that OpenSMTPD could specifically depend on it.
>
> The system would keep its default SSL library.
>

Library name collision
--
Libasr is a unique library name on Linux as far as I know and there is no
problem installing it.

LibreSSL contains library names libcrypto and libssl which collide with
the identical names in OpenSSL on most Linux systems.

Can the libcrypto and libssl library names in LibreSSL be changed?

Maybe they can change to liblibrecrypto and liblibressl?

LibreSSL also uses library libtls.
Is libtls unique in Linux?

If not maybe it can change to liblibretls?

Changing the library names allows LibreSSL and OpenSSL to exist
side by side on any Linux system.

Richard Narron




Re: question to package maintainers

2015-12-23 Thread Denis Fateyev
On Wed, Dec 23, 2015 at 9:16 PM, Gilles Chehade  wrote:

>
> What I'm wondering is if there's any reason that would prevent RHEL, for
> example, to package LibreSSL in the same way that libasr was packaged so
> that OpenSMTPD could specifically depend on it.
>
> The system would keep its default SSL library.
>

Well, it's only my opinion so I can miss some points here. Briefly, why
libressl doesn't come here:

1) The first problem is that unlike third-party "libasr" library these
chaps "libressl" and "openssl" are way too close, and it creates
temptations and mistakes. Due to human nature, new options provide more
possibility to slip up. Being provided with two similar options, some
developers won't be considering open-(libre-)ssl corner cases you've
mentioned for example, some will mix these two solutions up, etc. All
users, in general, hate the idea that due to these changes something can be
randomly broken.

It can be solved, but I don't know anybody from the Fedora community who'd
be willing to:

  - reconcile issues on similar soname provides, naming, versioning etc.
with Fedora and RedHat technical board in order to avoid all possible
intersections with this critical system component;
  - support "libressl" globally similar to "openssl" case, fixing security
CVEs always getting in touch (being such package maintainer is not a
one-time task);
  - consult RH/Fedora developers promptly fixing their libressl-specific
issues - and all this responsibility on a voluntary basis.

2) From the enterprise point of view, there is no sense to support it as an
openssl replacement now.
It's not FIPS-certified so they cannot use it in enterprise solutions where
openssl currently in charge. For simplicity, better not to have an unusable
alternative (in context of this situation, of course). They won't sponsor
its maintenance so it's up to the community. Surely this can change if
business sees a use case for this specific library's clone but there is no
any so far.

The arguments on switching to libressl are quite logical, but I don't see a
straight way how to do it in RHEL and Fedora considering all above.

By the way, how about GnuTLS support?

-- 
wbr, Denis.


question to package maintainers

2015-12-23 Thread Gilles Chehade
Hi,

Would your distribution be affected if LibreSSL became a requirement ?

OpenSMTPD is starting to rely on LibreSSL-specific functions that will
force us to go through painful hacks to maintain that dual SSL support
and I'd like to know if switching to a LibreSSL-only mode is an option
at this point or still too early.

Gilles

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: n00b question

2015-10-07 Thread Sunil Nimmagadda
> On Tue, Oct 06, 2015 at 13:38:31 -0400, Bryan C. Everly wrote:
> > I have two servers up and running and would like to know how to clean
> > out the queue on them.  I have a lot of test messages stuck there from
> > early attempts to get the configuration right.
> > 
> > Is there an option to do this?  I read the manpages and didn't see
> > anything.  If it's as simple as deleting some files out of a
> > directory, I'm fine doing that - I just couldn't find the right
> > directory.
> 
> When you're sure you want to get rid of every message in the queue you can use
> this one-liner (maybe overly complicated):
>  
> smtpctl show queue | awk -F \| '{ print "smtpctl remove "$1 }' |sh
> 
> Afaik there is no built-in way to clean out the whole queue. 

There will be a...
# smtpctl remove all
in the future release. It's already in -current on github.




Re: n00b question

2015-10-06 Thread Bryan C. Everly
Thanks!

Thanks,
Bryan


On Tue, Oct 6, 2015 at 1:42 PM, Joseph Mulloy  wrote:
> Use smtpctl
>
> https://www.opensmtpd.org/smtpctl.8.html
>
> List messages in queue
> smtpctl show queue
>
> To try to flush the queue (Send all messages)
> smtpctl schedule all
>
> To remove messages use the following with the message ids shown by show queue
> smtpctl remove $message-id
>
>> On Oct 6, 2015, at 1:38 PM, Bryan C. Everly  wrote:
>>
>> Hi,
>>
>> I have two servers up and running and would like to know how to clean
>> out the queue on them.  I have a lot of test messages stuck there from
>> early attempts to get the configuration right.
>>
>> Is there an option to do this?  I read the manpages and didn't see
>> anything.  If it's as simple as deleting some files out of a
>> directory, I'm fine doing that - I just couldn't find the right
>> directory.
>>
>> Thanks in advance for any help you can provide.
>>
>> Thanks,
>> Bryan
>>
>




Re: n00b question

2015-10-06 Thread Christoph Borsbach
On Tue, Oct 06, 2015 at 13:38:31 -0400, Bryan C. Everly wrote:
> I have two servers up and running and would like to know how to clean
> out the queue on them.  I have a lot of test messages stuck there from
> early attempts to get the configuration right.
> 
> Is there an option to do this?  I read the manpages and didn't see
> anything.  If it's as simple as deleting some files out of a
> directory, I'm fine doing that - I just couldn't find the right
> directory.

When you're sure you want to get rid of every message in the queue you can use
this one-liner (maybe overly complicated):
 
smtpctl show queue | awk -F \| '{ print "smtpctl remove "$1 }' |sh

Afaik there is no built-in way to clean out the whole queue. 

Best,
Christoph
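The one-liner above pipes `smtpctl` output straight into `sh`. As an added example (not from the thread and not OpenSMTPD's own code), the script below does the same job but validates every envelope id before it reaches a command, so a malformed or unexpected line can never become shell input. It assumes the 5.x `smtpctl show queue` layout: one envelope per line, `|`-separated, with the 16-hex-digit envelope id in the first field. `SAMPLE_QUEUE` is constructed output in that shape, and its last line is deliberately bogus to show what gets rejected.

```shell
#!/bin/sh
# Added example, not OpenSMTPD code. Purge a queue from `smtpctl show queue`
# output without `| sh`. Assumption: one envelope per line, '|'-separated,
# 16 hex-digit envelope id in field 1 (the 5.x smtpctl(8) layout).

# Constructed sample of `smtpctl show queue` output, including one bogus line.
SAMPLE_QUEUE='1a2b3c4d5e6f7a8b|inet4|mta|pending|sender@example.org|rcpt@example.net|rcpt@example.net|1444150000|1444755000|0|0|pending
fedcba9876543210|inet4|mda|pending|sender@example.org|user@example.com|user@example.com|1444150001|1444755001|0|0|pending
not an id; rm -rf /|x|x|x
'

# queue_ids TEXT: print the envelope ids in TEXT that look like real ids
# (exactly 16 lowercase hex digits); anything else is reported on stderr.
queue_ids() {
    printf '%s' "$1" | awk -F '|' '
        length($1) == 16 && $1 ~ /^[0-9a-f]+$/ { print $1; next }
        NF > 0 { print "skipping malformed line: " $0 > "/dev/stderr" }
    '
}

# queue_count TEXT: number of envelopes that would be removed (a cheap dry run).
queue_count() {
    queue_ids "$1" | wc -l | tr -d ' '
}

# purge_queue TEXT [RUNNER]: one exec per id, nothing re-parsed through sh.
# Pass "echo" as RUNNER to print the commands instead of running them.
purge_queue() {
    runner="${2:-}"
    queue_ids "$1" | while IFS= read -r id; do
        $runner smtpctl remove "$id"
    done
}

# Live use would be: purge_queue "$(smtpctl show queue)"
purge_queue "$SAMPLE_QUEUE" echo
```

Run it once with `echo` as the runner to see exactly which `smtpctl remove` calls would be made, then drop the runner argument to do it for real.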




Re: n00b question

2015-10-06 Thread Joseph Mulloy
Use smtpctl

https://www.opensmtpd.org/smtpctl.8.html

List messages in queue
smtpctl show queue

To try to flush the queue (Send all messages)
smtpctl schedule all

To remove messages use the following with the message ids shown by show queue
smtpctl remove $message-id

> On Oct 6, 2015, at 1:38 PM, Bryan C. Everly  wrote:
> 
> Hi,
> 
> I have two servers up and running and would like to know how to clean
> out the queue on them.  I have a lot of test messages stuck there from
> early attempts to get the configuration right.
> 
> Is there an option to do this?  I read the manpages and didn't see
> anything.  If it's as simple as deleting some files out of a
> directory, I'm fine doing that - I just couldn't find the right
> directory.
> 
> Thanks in advance for any help you can provide.
> 
> Thanks,
> Bryan
> 





Re: Question

2015-05-19 Thread Peter N. M. Hansteen
On Tue, May 19, 2015 at 09:10:59AM +0200, Gilles Chehade wrote:
 OpenSMTPD does not support bad rcpt throttling as a specific mechanism
 but supports a more generic bad command throttling where a bad command
 is any command that has not helped moved the session forward.
 
 If you accumulate enough bad commands in a row and that your session has
 not moved forward, you get kicked, which is a hard disconnect.
 See bottom of this mail.
 
 Bad clients can then be blocked with a packet filter (just an example):
 
 pass inet proto tcp from any to any port smtp flags S/SA keep state \
 (max-src-conn 10, max-src-conn-rate 15/5, overload bruteforce 
 flush global)

On OpenBSD at least, it should also be possible to periodically run a script
that parses smtpd logs for the IP addresses of misbehaving hosts and calls
spamdb(8) to add those to spamd(8)'s local greytrap blacklist. In my setup I
have some of that as well as automatic harvesting of bad addresses in the
local domains for inclusion in the local traplist (see eg [1] and references
therein).

Also, for the bruteforce table members, I have accumulated some anecdotal
evidence that 'block drop from bruteforce probability 90%' may have them
shut up faster than just your regular block drop (but further studies and
data massaging are required for firm conclusions).

[1] http://www.bsdly.net/~peter/traplist.shtml

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
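An added example of the log-parsing script described above (not from the thread, and not part of OpenSMTPD or spamd). It counts failed commands per SMTP session from smtpd's `smtp-in:` lines, maps each session back to the client IP from its `New session` line, and hands every IP that crosses a threshold to spamdb(8) as a greytrap entry. The two log line shapes are the ones smtpd wrote in that era (the same shapes appear elsewhere in this archive); `SAMPLE_LOG` is constructed, `THRESHOLD` is an arbitrary choice, and `spamdb -a -t` is the form spamdb(8) documents on OpenBSD for adding a trapped address.

```shell
#!/bin/sh
# Added example, not OpenSMTPD/spamd code. Harvest clients that keep failing
# SMTP commands and feed them to spamd's greytrap list.
# Line shapes assumed (smtpd 5.x, as seen in this archive):
#   ... smtp-in: New session <id> from host <name> [<ip>]
#   ... smtp-in: Failed command on session <id>: <cmd> => <code> <text>

# Constructed sample log: one probing client, one client with a single typo.
SAMPLE_LOG='May 19 08:00:01 mx smtpd[1234]: smtp-in: New session 0123456789abcdef from host bad.example.net [192.0.2.10]
May 19 08:00:02 mx smtpd[1234]: smtp-in: Failed command on session 0123456789abcdef: RCPT TO:<a@example.org> => 550 Invalid recipient
May 19 08:00:02 mx smtpd[1234]: smtp-in: Failed command on session 0123456789abcdef: RCPT TO:<b@example.org> => 550 Invalid recipient
May 19 08:00:03 mx smtpd[1234]: smtp-in: Failed command on session 0123456789abcdef: RCPT TO:<c@example.org> => 550 Invalid recipient
May 19 08:00:04 mx smtpd[1234]: smtp-in: New session fedcba9876543210 from host good.example.com [198.51.100.7]
May 19 08:00:05 mx smtpd[1234]: smtp-in: Failed command on session fedcba9876543210: RCPT TO:<typo@example.org> => 550 Invalid recipient
'

THRESHOLD=3   # failed commands in one session before the client is trapped (assumption)

# offenders TEXT THRESHOLD: print each client IP (once) that had a session
# with at least THRESHOLD failed commands.
offenders() {
    printf '%s' "$1" | awk -v thr="$2" '
        /smtp-in: New session / {
            for (i = 1; i <= NF; i++) if ($i == "session") sid = $(i + 1)
            ip = $NF; gsub(/\[|\]/, "", ip)      # "[192.0.2.10]" -> "192.0.2.10"
            host[sid] = ip
            next
        }
        /smtp-in: Failed command on session / {
            for (i = 1; i <= NF; i++) if ($i == "session") sid = $(i + 1)
            sub(/:$/, "", sid)                    # "<id>:" -> "<id>"
            fails[sid]++
        }
        END {
            for (s in fails)
                if (fails[s] >= thr && (s in host) && !(host[s] in seen)) {
                    seen[host[s]] = 1
                    print host[s]
                }
        }
    '
}

# trap_offenders TEXT THRESHOLD [RUNNER]: add each offender as a TRAPPED entry.
# Pass "echo" as RUNNER to print the commands instead of touching the spamdb.
trap_offenders() {
    runner="${3:-}"
    offenders "$1" "$2" | while IFS= read -r ip; do
        $runner spamdb -a -t "$ip"
    done
}

# Live use (from cron, as root): trap_offenders "$(cat /var/log/maillog)" "$THRESHOLD"
trap_offenders "$SAMPLE_LOG" "$THRESHOLD" echo
```

Counting per session rather than per IP keeps a legitimate sender with one mistyped recipient out of the trap; lower `THRESHOLD` only after checking what your own clients look like in the log.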




Re: Re: Question

2015-05-19 Thread michalzientara
Thank you both for quick reply
All is clear now
Regards

--Original message--
From: Peter N. M. Hansteen
Sender: Peter N. M. Hansteen,,,
To: Gilles Chehade
CC: michalzient...@gmail.com
CC: misc@opensmtpd.org
Subject: Re: Question
Sent: 19 May 2015 09:50




Question

2015-05-18 Thread michalzientara
Hello guys,

I have a question, it seems that OpenSMTPD does not support bad rcpt 
throttling, this is a feature that I am using in sendmail to prevent/limit 
DoS/DDoS attack and other hacks against smtp. 
I have found browsing OpenSMTPD code that there is a hardcoded parameter called 
max_failures_per_session but I am not sure if this will work in my case.

In sendmail configuration parameter is called BAD_RCPT_THROTTLE

Quick read about it:
www.securelyspeaking.com/badrcptthrottlesendmail.txt

Without it my sendmail was quite often bombarded with all kind of spam/hacks 
and other kind of bad traffic that was killing sendmail and generating 
gazillions of dns requests.

Would be great if you let me know it OpenSMTPD can handle it.

And thanks for your great work!






question about multiple tagged emails and order of accept tagged filter rules

2015-02-17 Thread Chess Griffin
I know that the filter rules are applied in order and first match
decides what action is taken.  My question is in regards to tagging
emails (like with using CLAM_IN and SPAM_IN proxies etc)...

Does an email hold more than one tag?  Or does a newer tag replace an
older one?  If it holds more than one tag, then the order of accept
tagged ... rules is important because if smtpd keeps seeing a tag, then
it can go into a loop, correct?

So, for example, the following will result in a loop because the first
accept tagged CLAM_IN will always apply once the last rule sends to
clamsmtpd:

# tagged mail returned from clamsmtpd send to spampd
accept tagged CLAM_IN for any relay via smtp://127.0.0.1:10025 # send to spampd
...
# tagged mail returned from spampd deliver to maildir
accept tagged SPAM_IN for domain vdomains virtual vusers deliver to maildir
...
# untagged mail is sent to clamsmtpd
accept from any for domain vdomains relay via smtp://127.0.0.1:11025 # incoming goes to clamsmtpd


On the other hand, flipping the order of the first two rules will result
in the email being processed correctly:

# tagged mail returned from spampd deliver to maildir
accept tagged SPAM_IN for domain vdomains virtual vusers deliver to maildir
...
# tagged mail returned from clamsmtpd send to spampd
accept tagged CLAM_IN for any relay via smtp://127.0.0.1:10025 # send to spampd
...
# untagged mail is sent to clamsmtpd
accept from any for domain vdomains relay via smtp://127.0.0.1:11025 # incoming goes to clamsmtpd

Is that right?

Thank you.

-- 
Chess Griffin




Re: Question about auth and auth-optional

2014-05-25 Thread Gilles Chehade
On Sun, May 25, 2014 at 06:12:13PM +0200, Norman Golisz wrote:
 Hi,
 
 [...]

  And about ancient mua, I will follow the rule if this doesn't work with
  opensmtpd I will not use it :) 
 
 At least when it comes to security-related stuff. Otherwise, if you
 think there's a useful feature OpenSMTPD doesn't yet support, you're
 always free to bring it into discussion (I'm not entitled to speak in
 the name of this project and its developers, but I think the community
 is generally open to this kind of discussions).


yup, that's why I didn't comment, your answer was 100% accurate ;-)

We're open to this kind of discussions, however one thing that you can
hold true and that discussions will not change:

We're not downgrading security. We want to push for more encryption and
make it so easy to setup that there's no excuse not to have it enabled.
We won't accomodate legacy software if it means downgrading security.


  Sorry for bothering, all questions solved
 
 You're welcome.
 

Yup, discussions and questions are welcome on this list :p


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Question about auth and auth-optional

2014-05-24 Thread Илья Коскин
The manual for auth-optional looks like this:

If auth-optional is specified, then SMTPAUTH is not required to establish an 
SMTP transaction. This is only useful to let a listener accept incoming mail 
from untrusted senders and outgoing mail from authenticated users in situations 
where it is not possible to listen on the submission port.

What is the submission port? I noticed that if option auth is specified, then 
nobody can send messages to my server without a password, even gmail or other 
external services. If option auth-optional is specified, I successfully receive 
mail from gmail, yandex and everything else. So, I think auth-optional is the 
only choice for most servers, am I right? 

I'm very happy using OpenSMTPD! This is the best MTA ever! 

Could you help me with one more question, please. Will OpenSMTPD ever support 
non-tls PLAIN login auth mechanism? For me it is not a problem to use tls, but 
some old or thin mua does not support tls or ssl, i know this is not secure, 
but for the OpenSMTPD full greatness it would be nice. 

Thank you for all!  




datalen mismatch with opensmtpd-201405121706 and permissions question

2014-05-13 Thread John Cox
Hi

Having got the snapshot to compile on OpenBSD5.5-stable I tried it
out.  I get datalen errors when I try to send mail to it.  Any clues?
Everything works OK on 5.4.2. (run output below)

As a probably separate question, what permissions should there be on
/var/spool/smtpd/*?  I had to create user _smtpq to run the snapshot
and it seemed to want ownership of most of that directory.  Current
setup - is this correct?:

# ls -la /var/spool/smtpd/
total 36
drwx--x--x    8 root    wheel   512 May 13 09:55 .
drwxr-xr-x   11 root    wheel   512 Mar  5 16:21 ..
drwx------   27 _smtpq  wheel  1024 Feb 23 11:44 corrupt
drwx------    2 _smtpq  wheel   512 May 13 09:59 incoming
drwxrwxrwt    2 root    wheel   512 Dec  9 20:27 offline
drwx------   16 _smtpq  wheel   512 May 13 09:55 purge
drwx------  258 _smtpq  wheel  3584 Feb 11 11:00 queue
drwx------    2 _smtpq  wheel   512 May 13 09:59 temporary
#

Many thanks

JC

# smtpd -d -v
debug: init ssl-tree
info: loading pki information for yidhra.outer.uphall.net
info: OpenSMTPD 201405121706 starting
debug: bounce warning after 4h
debug: using fs queue backend
debug: using ramqueue scheduler backend
debug: using ram stat backend
info: startup [debug mode]
debug: parent_send_config_ruleset: reloading
filter: building simple chains...
debug: init ssl-tree
debug: parent_send_config: configuring pony process
filter: building complex chains...
info: loading pki keys for yidhra.outer.uphall.net
debug: parent_send_config: configuring ca process
filter: done building complex chains
filter: done building default chain
debug: init private ssl-tree
debug: ca_engine_init: using RSAX engine support
debug: smtp: listen on 127.0.0.1 port 25 flags 0x1 pki yidhra.outer.uphall.net
debug: smtp: listen on IPv6:fe80::1%lo0 port 25 flags 0x1 pki yidhra.outer.uphall.net
debug: smtp: listen on IPv6:::1 port 25 flags 0x1 pki yidhra.outer.uphall.net
debug: smtp: listen on IPv6:fe80::6a05:caff:fe08:e7b1%em2 port 25 flags 0x1 pki yidhra.outer.uphall.net
debug: smtp: listen on 10.44.0.3 port 25 flags 0x1 pki yidhra.outer.uphall.net
debug: pony: rsae_init
debug: pony: rsae_init
debug: smtp: will accept at most 3503 clients
debug: queue: done loading queue into scheduler
debug: smtpd: scanning offline queue...
debug: smtpd: offline scanning done
debug: smtp: new client on listener: 0x56a7dae3000
smtp-in: New session fe1876ed47d20e57 from host 10.44.1.11 [10.44.1.11]
debug: lka: looking up pki yidhra.outer.uphall.net
debug: session_start_ssl: switching to SSL
smtp-in: No PKI entry for requested SNI smtp.outer.uphall.net on session fe1876ed47d20e57
debug: pony: rsae_priv_dec
smtp-in: Started TLS on session fe1876ed47d20e57: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
smtp: 0x56a8451: fd 5 from queue
smtp: 0x56a8451: fd 7 from filter
debug: filter: tx data (255) for req fe1876ed47d20e57
debug: filter: tx data (314) for req fe1876ed47d20e57
debug: smtp: 0x56a8451: data io done (255 bytes)
smtp: 0x56a8451: eom. datalen=255
filter: datalen mismatch on session fe1876ed47d20e57: 569/255: Undefined error: 0
smtp-in: Failed command on session fe1876ed47d20e57: DATA => 530 Message rejected
debug: filter: tx done for req fe1876ed47d20e57
smtp-in: Received disconnect from session fe1876ed47d20e57
debug: smtp: 0x56a8451: deleting session: disconnected
debug: smtp: new client on listener: 0x56a7dae3000
smtp-in: New session fe1876f6e4a24c68 from host azathoth.uphall.net [46.235.226.138]
debug: lka: looking up pki yidhra.outer.uphall.net
debug: session_start_ssl: switching to SSL
debug: pony: rsae_priv_enc
debug: pony: rsae_init
debug: pony: rsae_init
debug: pony: rsae_pub_dec
debug: pony: rsae_bn_mod_exp
debug: pony: rsae_init
debug: pony: rsae_pub_dec
debug: pony: rsae_bn_mod_exp
debug: pony: rsae_pub_dec
debug: pony: rsae_bn_mod_exp
smtp-in: Started TLS on session fe1876f6e4a24c68: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
smtp-in: Client certificate verification succeeded on session fe1876f6e4a24c68
debug: smtp: SIZE in MAIL FROM command
debug: aliases_virtual_get: 'r...@yidhra.outer.uphall.net' resolved to 1 nodes
debug: aliases_get: returned 1 aliases
smtp: 0x56a8451: fd 5 from queue
smtp: 0x56a8451: fd 7 from filter
debug: filter: tx data (297) for req fe1876f6e4a24c68
debug: filter: tx data (2461) for req fe1876f6e4a24c68
debug: smtp: 0x56a8451: data io done (297 bytes)
smtp: 0x56a8451: eom. datalen=297
filter: datalen mismatch on session fe1876f6e4a24c68: 2758/297: Undefined error: 0
smtp-in: Failed command on session fe1876f6e4a24c68: DATA => 530 Message rejected
debug: filter: tx done for req fe1876f6e4a24c68





Re: question about OpenSMTP and Clam

2013-10-23 Thread Michiel van Es
On Tue, October 22, 2013 3:41 pm, Gilles Chehade wrote:
 On Tue, Oct 22, 2013 at 01:53:55PM -, Michiel van Es wrote:
 Hello,


 Ohai,


 I am using OpenSMTPD 5.3.3p1 portable release on Ubuntu 64 bit.

 I am trying to set up Clamav with OpenSMTPD following:
 https://poolp.org/0x765d/OpenSMTPD:-LDAP-support-selectable-source--DKIM-and-Goodies

 But I am stuck with my own setup.
 The setup is as follows:

 [...]

 Now all mail is catched by the 'accept from any for domain vdomains
 virtual vusers deliver to mda procmail -f -' rule.


 Yup, since we perform first match, then if a mail comes for a domain part
 of your vdomains table, it will necessarily match that rule.


 How can I ensure that all incoming and TLS+AUTH smtp sessions are setup
 via the proxy (smtp://127.0.0.1:10026 = ClamSMTP) ?


 Wouldn't the following do the job ?

 accept for local alias aliases deliver to mda procmail -f -
 accept tagged CLAM from any for domain vdomains virtual vusers deliver
 to mda procmail -f -
 accept tagged CLAM for any relay
 accept for any relay via smtp://127.0.0.1:10026

The config would be like this then right?

listen on lo
listen on eth0 tls certificate mail.pragmasec.nl auth-optional hostname mail.pragmasec.nl
listen on eth0 port 587 tls certificate mail.pragmasec.nl auth hostname mail.pragmasec.nl
expire 7d
table vdomains /usr/local/etc/vdomains
table vusers /usr/local/etc/users
table aliases db:/usr/local/etc/aliases.db
# the works
listen on lo port 10025 tag CLAM
accept for local alias aliases deliver to mda procmail -f -
accept tagged CLAM from any for domain vdomains virtual vusers deliver to mda procmail -f -
accept tagged CLAM for any relay
accept for any relay via smtp://127.0.0.1:10026


I get the following message:

debug: session_start_ssl: switching to SSL
smtp-in: Started TLS on session ef04b129: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
smtp-in: Client certificate verification succeeded on session ef04b129
smtp-in: Failed command on session ef04b129: RCPT TO:m...@pragmasec.nl => 550 Invalid recipient
smtp-in: Closing session ef04b129
debug: smtp: 0x1874310: deleting session: done

Somehow the vusers lookup goes wrong and my config is not working.
Do you know what I might be missing?

Regards,

Michiel



 --
 Gilles Chehade

 https://www.poolp.org  @poolpOrg









Re: question about OpenSMTP and Clam

2013-10-23 Thread Michiel van Es
On Wed, October 23, 2013 7:47 am, Michiel van Es wrote:
 On Wed, October 23, 2013 7:42 am, Michiel van Es wrote:
 On Tue, October 22, 2013 3:41 pm, Gilles Chehade wrote:
 On Tue, Oct 22, 2013 at 01:53:55PM -, Michiel van Es wrote:
 Hello,


 Ohai,


 I am using OpenSMTPD 5.3.3p1 portable release on Ubuntu 64 bit.

 I am trying to set up Clamav with OpenSMTPD following:
 https://poolp.org/0x765d/OpenSMTPD:-LDAP-support-selectable-source--DKIM-and-Goodies

 But I am stuck with my own setup.
 The setup is as follows:

 [...]

 Now all mail is catched by the 'accept from any for domain vdomains
 virtual vusers deliver to mda procmail -f -' rule.


 Yup, since we perform first match, then if a mail comes for a domain
 part
 of your vdomains table, it will necessarily match that rule.


 How can I ensure that all incoming and TLS+AUTH smtp sessions are
 setup
 via the proxy (smtp://127.0.0.1:10026 = ClamSMTP) ?


 Wouldn't the following do the job ?

 accept for local alias aliases deliver to mda procmail -f -
 accept tagged CLAM from any for domain vdomains virtual vusers
 deliver
 to mda procmail -f -
 accept tagged CLAM for any relay
 accept for any relay via smtp://127.0.0.1:10026

 The config would be like this then right?

 listen on lo
 listen on eth0 tls certificate mail.pragmasec.nl auth-optional hostname
 mail.pragmasec.nl
 listen on eth0 port 587 tls certificate mail.pragmasec.nl auth hostname
 mail.pragmasec.nl
 expire 7d
 table vdomains /usr/local/etc/vdomains
 table vusers /usr/local/etc/users
 table aliases db:/usr/local/etc/aliases.db
 # the works
 listen on lo port 10025 tag CLAM
 accept for local alias aliases deliver to mda procmail -f -
 accept tagged CLAM from any for domain vdomains virtual vusers
 deliver
 to mda procmail -f -
 accept tagged CLAM for any relay
 accept for any relay via smtp://127.0.0.1:10026


 I get the following message:

 debug: session_start_ssl: switching to SSL
 smtp-in: Started TLS on session ef04b129: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
 smtp-in: Client certificate verification succeeded on session ef04b129
 smtp-in: Failed command on session ef04b129: RCPT TO:** => 550 Invalid recipient
 smtp-in: Closing session ef04b129
 debug: smtp: 0x1874310: deleting session: done



is it possible that clamsmtp (a clam proxy for smtp - mostly used by
Postfix) is not working accepting the connection?
I see it should be possible with clamav when reading
http://comments.gmane.org/gmane.mail.opensmtpd.general/279 but I am
interested if this statement is really true and if so with which setup?
Clamav directly? Clamsmtp or clamav-milter or such?
Clamsmtp would be the most obvious as it uses an input and output address
to pass all the mails through.

Any tips would be much appreciated :)


 Somehow the vusers lookup goes wrong and my config is not working.
 Do you know what I might be missing?

 Regards,

 Michiel



 --
 Gilles Chehade

 https://www.poolp.org
 @poolpOrg



















Re: question about OpenSMTP and Clam

2013-10-23 Thread Gilles Chehade
On Wed, Oct 23, 2013 at 12:17:06PM -, Michiel van Es wrote:
 
 is it possible that clamsmtp (a clam proxy for smtp - mostly used by
 Postfix) is not working accepting the connection?
 I see it should be possible with clamav when reading
 http://comments.gmane.org/gmane.mail.opensmtpd.general/279 but I am
 interested if this statement is really true and if so with which setup?


Yup, Eric and I made the testing together so we know for sure it works.


 Clamav directly? Clamsmtp or clamav-milter or such?
 Clamsmtp would be the most obvious as it uses an input and output address
 to pass all the mails through.
 
 Any tips would be much appreciated :)
 

I'm not a Clamav user and we did the testing about over 6 months ago, so
I can't recall the exact components that were used. Basically, there's a
Clamav component that knows how to speak smtp and that will forward back
the mail to a configured smtp server after analysis. We used that and it
was as simple to setup as dkim-proxy, we used the exact same config.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: question about OpenSMTP and Clam

2013-10-23 Thread Michiel van Es
On Wed, October 23, 2013 12:50 pm, Gilles Chehade wrote:
 On Wed, Oct 23, 2013 at 07:42:41AM -, Michiel van Es wrote:

 The config would be like this then right?

 listen on lo
 listen on eth0 tls certificate mail.pragmasec.nl auth-optional hostname mail.pragmasec.nl
 listen on eth0 port 587 tls certificate mail.pragmasec.nl auth hostname mail.pragmasec.nl
 expire 7d
 table vdomains /usr/local/etc/vdomains
 table vusers /usr/local/etc/users
 table aliases db:/usr/local/etc/aliases.db
 # the works
 listen on lo port 10025 tag CLAM
 accept for local alias aliases deliver to mda procmail -f -
 accept tagged CLAM from any for domain vdomains virtual vusers deliver to mda procmail -f -
 accept tagged CLAM for any relay
 accept for any relay via smtp://127.0.0.1:10026


 If you're accepting mail from the outside, then the last should be:

   accept from any for any relay via smtp://127.0.0.1:10026

This makes a lot of sense!
Doh!

  

 I get the following message:

 debug: session_start_ssl: switching to SSL
 smtp-in: Started TLS on session ef04b129: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
 smtp-in: Client certificate verification succeeded on session ef04b129
 smtp-in: Failed command on session ef04b129: RCPT TO:m...@pragmasec.nl => 550 Invalid recipient
 smtp-in: Closing session ef04b129
 debug: smtp: 0x1874310: deleting session: done

 Somehow the vusers lookup goes wrong and my config is not working.
 Do you know what I might be missing?


 Can you run 'smtpd -dv -T lookup -T expand -T rules' and provide output log
 as you reproduce the issue ?

It works with the proposed from any for any rule!
Thanks a lot!

Michiel






Re: question about OpenSMTP and Clam

2013-10-23 Thread Michiel van Es
On Wed, October 23, 2013 12:56 pm, Gilles Chehade wrote:
 On Wed, Oct 23, 2013 at 12:17:06PM -, Michiel van Es wrote:

 is it possible that clamsmtp (a clam proxy for smtp - mostly used by
 Postfix) is not working accepting the connection?
 I see it should be possible with clamav when reading
 http://comments.gmane.org/gmane.mail.opensmtpd.general/279 but I am
 interested if this statement is really true and if so with which setup?


 Yup, Eric and I made the testing together so we know for sure it works.


 Clamav directly? Clamsmtp or clamav-milter or such?
 Clamsmtp would be the most obvious as it uses an input and output
 address
 to pass all the mails through.

 Any tips would be much appreciated :)


 I'm not a Clamav user and we did the testing about 6 months ago, so
 I can't recall the exact components that were used. Basically, there's a
 Clamav component that knows how to speak smtp and that will forward back
 the mail to a configured smtp server after analysis. We used that and it
 was as simple to setup as dkim-proxy, we used the exact same config.

I have it working.
For people who want to use this:

1) install clamsmtp - it is a clam smtp proxy which accepts incoming and
then outgoing connections (putting a message back in the queue)

2) use something similar as setup - adjust to your own needs:

table vdomains /usr/local/etc/vdomains
table vusers /usr/local/etc/users
listen on lo port 10025 tag CLAM
accept tagged CLAM from any for domain vdomains virtual vusers deliver to mda procmail -f -
accept tagged CLAM for any relay
accept from any for any relay via smtp://127.0.0.1:10026

Works like a charm!

Thanks to Gilles! :)

Michiel






Re: question about OpenSMTP and Clam

2013-10-23 Thread Gilles Chehade
On Wed, Oct 23, 2013 at 01:03:32PM -, Michiel van Es wrote:
 
 I have it working.
 For people who want to use this:
 
 1) install clamsmtp - it is a clam smtp proxy which accepts incoming and
 then outgoing connections (putting a message back in the queue)
 
 2) use something similar as setup - adjust to your own needs:
 
 table vdomains /usr/local/etc/vdomains
 table vusers /usr/local/etc/users
 listen on lo port 10025 tag CLAM
 accept tagged CLAM from any for domain vdomains virtual vusers deliver to mda procmail -f -
 accept tagged CLAM for any relay
 accept from any for any relay via smtp://127.0.0.1:10026
 

The above is working but as an open-relay, you will want to adjust the
ruleset, something along the lines of:

  listen on lo port 10025 tag CLAM_IN
  listen on lo port 10027 tag CLAM_OUT

  accept tagged CLAM_IN for domain vdomains virtual vusers deliver to mda procmail -f -
  accept tagged CLAM_OUT for any relay
  accept from local for any relay via smtp://127.0.0.1:10026 # will reinject in CLAM_IN
  accept from any for any relay via smtp://127.0.0.1:10028 # will reinject in CLAM_OUT

There may be better/other ways, that's just from the top of my head

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: question about OpenSMTP and Clam

2013-10-23 Thread Gilles Chehade
On Wed, Oct 23, 2013 at 01:40:40PM -, Michiel van Es wrote:
 On Wed, October 23, 2013 1:12 pm, Gilles Chehade wrote:
  On Wed, Oct 23, 2013 at 01:03:32PM -, Michiel van Es wrote:
 
  I have it working.
  For people who want to use this:
 
  1) install clamsmtp - it is a clam smtp proxy which accepts incoming and
  then outgoing connections (putting a message back in the queue)
 
  2) use something similar as setup - adjust to your own needs:
 
  table vdomains /usr/local/etc/vdomains
  table vusers /usr/local/etc/users
  listen on lo port 10025 tag CLAM
  accept tagged CLAM from any for domain vdomains virtual vusers deliver to mda procmail -f -
  accept tagged CLAM for any relay
  accept from any for any relay via smtp://127.0.0.1:10026
 
 
  The above is working but as an open-relay, you will want to adjust the
  ruleset, something along the lines of:
 
    listen on lo port 10025 tag CLAM_IN
    listen on lo port 10027 tag CLAM_OUT
 
    accept tagged CLAM_IN for domain vdomains virtual vusers deliver to mda procmail -f -
    accept tagged CLAM_OUT for any relay
    accept from local for any relay via smtp://127.0.0.1:10026 # will reinject in CLAM_IN
    accept from any for any relay via smtp://127.0.0.1:10028 # will reinject in CLAM_OUT
 
  There may be better/other ways, that's just from the top of my head
 
 Hmm I see the open relay problem with my setup as default everything
 matches the relay option which is not a vuser/vdomain.
 But I don't get the route any more :(
 OpenSMTPD listens on 10025 and 10027
 clamsmtpd listens on 10026


In the example above you'd have clamsmtpd listen on two different
ports, one for scanning incoming mails and one for scanning
outgoing mails.

ie:

internet -> smtpd -> clamsmtpd:10026 -> smtpd:10025 (CLAM_IN)
internal -> smtpd -> clamsmtpd:10028 -> smtpd:10027 (CLAM_OUT)

and so the relay rule would only match for internal connections
whereas the mails coming from internet only match the accept
rules for your local domains

 
 but I don't understand what it will do if it does not match the above rules?
 it will go to CLAM OUT ? and opensmtpd rejects it? (I have to change 10028
 to 10027 then).
 

When no rule is matched, envelope is rejected.
The best way to understand is to run with -T rules as it will display the
rule that matched an envelope, this way you can test with local mails and
mails from the public interface


 Sorry for all the questions and thanks for all the help! :)
 

NP, also I suspect you're not the only one willing to use ClamAV given
how many times I received private mails on that topic ;-)



-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: question about OpenSMTP and Clam

2013-10-23 Thread Michiel van Es
On Wed, October 23, 2013 1:48 pm, Gilles Chehade wrote:
 On Wed, Oct 23, 2013 at 01:40:40PM -, Michiel van Es wrote:
 On Wed, October 23, 2013 1:12 pm, Gilles Chehade wrote:
  On Wed, Oct 23, 2013 at 01:03:32PM -, Michiel van Es wrote:
 
  I have it working.
  For people who want to use this:
 
  1) install clamsmtp - it is a clam smtp proxy which accepts incoming
 and
  then outgoing connections (putting a message back in the queue)
 
  2) use something similar as setup - adjust to your own needs:
 
  table vdomains /usr/local/etc/vdomains
  table vusers /usr/local/etc/users
  listen on lo port 10025 tag CLAM
  accept tagged CLAM from any for domain vdomains virtual vusers deliver to mda procmail -f -
  accept tagged CLAM for any relay
  accept from any for any relay via smtp://127.0.0.1:10026
 
 
  The above is working but as an open-relay, you will want to adjust the
  ruleset, something along the lines of:
 
    listen on lo port 10025 tag CLAM_IN
    listen on lo port 10027 tag CLAM_OUT
 
    accept tagged CLAM_IN for domain vdomains virtual vusers deliver to mda procmail -f -
    accept tagged CLAM_OUT for any relay
    accept from local for any relay via smtp://127.0.0.1:10026 # will reinject in CLAM_IN
    accept from any for any relay via smtp://127.0.0.1:10028 # will reinject in CLAM_OUT
 
  There may be better/other ways, that's just from the top of my head

 Hmm I see the open relay problem with my setup as default everything
 matches the relay option which is not a vuser/vdomain.
 But I don't get the route any more :(
 OpenSMTPD listens on 10025 and 10027
 clamsmtpd listens on 10026


 In the example above you'd have clamsmtpd listen on two different
 ports, one for scanning incoming mails and one for scanning
 outgoing mails.

 ie:

 internet -> smtpd -> clamsmtpd:10026 -> smtpd:10025 (CLAM_IN)
 internal -> smtpd -> clamsmtpd:10028 -> smtpd:10027 (CLAM_OUT)

 and so the relay rule would only match for internal connections
 whereas the mails coming from internet only match the accept
 rules for your local domains

So my config would look like this? =

listen on lo
listen on eth0 tls certificate mail.pragmasec.nl auth-optional hostname mail.pragmasec.nl
listen on eth0 port 587 tls certificate mail.pragmasec.nl auth hostname mail.pragmasec.nl
expire 7d
table vdomains /usr/local/etc/vdomains
table vusers /usr/local/etc/users
listen on lo port 10025 tag CLAM_IN
listen on lo port 10027 tag CLAM_OUT
accept tagged CLAM_IN for domain vdomains virtual vusers deliver to mda procmail -f -
accept tagged CLAM_OUT for any relay
accept from local for any relay via smtp://127.0.0.1:10026 # will reinject in CLAM_IN
accept from any for any relay via smtp://127.0.0.1:10028 # will reinject in CLAM_OUT

It still is an open relay.



 but I don't understand what it will do if it does not match the above rules?
 it will go to CLAM OUT ? and opensmtpd rejects it? (I have to change 10028
 to 10027 then).


 When no rule is matched, envelope is rejected.
 The best way to understand is to run with -T rules as it will display the
 rule that matched an envelope, this way you can test with local mails and
 mails from the public interface

I will test it with the -T rules option



 Sorry for all the questions and thanks for all the help! :)


 NP, also I suspect you're not the only one willing to use ClamAV given
 how many times I received private mails on that topic ;-)


Hehe..well I hope I can contribute something (not an open relay :( ;) )




