Re: OpenLDAP question
* Bryan Irvine [EMAIL PROTECTED] [2007-05-21 09:01]:
> Older versions of bdb went bad on a fairly regular basis. I had DBs go
> corrupt as often as once a day under older versions of OL using bdb. This
> hasn't been a problem for a while though. I haven't had a db go bad in 2
> years, even after power failures.

aha, that is good news. tried it on sth nasty like a sparc64 too? :)

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: OpenLDAP question
* Dave Harrison [EMAIL PROTECTED] [2007-05-21 08:26]:
> Henning Brauer wrote:
>> * Uv Pzaf [EMAIL PROTECTED] [2007-05-20 23:12]:
>>> I wonder why OpenBSD packages (i.e. openldap-server-2.3.24.tgz) still
>>> use ldbm as database backend, especially since the OpenLDAP folks are
>>> stating that this is no good any more
>>> (http://www.openldap.org/faq/data/cache/756.htm), and not bdb or hdb.
>> because ldbm works fine, very much opposed to the other two you mention.
> My personal experiences with ldbm were equally fine, I recommend you use
> it unless you are performing frequent writes, or are in need of high
> performance lookups. Once I started making regular writes, ldbm started
> to pack it in rather frequently (db corruption) so I went to bdb, however
> bdb takes careful tuning to get right.

now that is funny, in the, what, 5 years? of using openldap/ldbm, i have
never seen database corruption. trying to use bdb, pretty much immediately.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
Re: OpenLDAP question
Henning Brauer wrote:
> * Dave Harrison [EMAIL PROTECTED] [2007-05-21 08:26]:
>> Henning Brauer wrote:
>>> * Uv Pzaf [EMAIL PROTECTED] [2007-05-20 23:12]:
>>>> I wonder why OpenBSD packages (i.e. openldap-server-2.3.24.tgz) still
>>>> use ldbm as database backend, especially since the OpenLDAP folks are
>>>> stating that this is no good any more
>>>> (http://www.openldap.org/faq/data/cache/756.htm), and not bdb or hdb.
>>> because ldbm works fine, very much opposed to the other two you mention.
>> My personal experiences with ldbm were equally fine, I recommend you use
>> it unless you are performing frequent writes, or are in need of high
>> performance lookups. Once I started making regular writes, ldbm started
>> to pack it in rather frequently (db corruption) so I went to bdb, however
>> bdb takes careful tuning to get right.
> now that is funny, in the, what, 5 years? of using openldap/ldbm, i have
> never seen database corruption. trying to use bdb, pretty much immediately.

As I said, depends on how you're using it. After a year, as the usage grew,
I found ldbm was corrupting regularly and bdb solved the problem nicely.
3 years later, bdb is still perfectly fine.

Obviously the other, valid, concern is what the OpenLDAP project intends to
support. With this kind of thing I think the mantra of YMMV is probably wise.
Re: OpenBSD 4.1 install issue?? [RESOLVED]
Hi,

On Mon, 21.05.2007 at 18:00:30 +0200, Toni Mueller [EMAIL PROTECTED] wrote:
> Is this problem worth opening a bug on the OpenBSD web site?

after reading the great advice of Rob Waite, the answer is obviously NO.
Sorry for the noise.

Best,
--Toni++
Spamd default behaviour of accepting everything
Hello,

I just used dnsstuff to test one of my domain names and it showed me (the
first time only) that my server is an open relay, which is obviously not
true. This is due to the default behaviour of spamd of accepting everything,
even when a spamd.alloweddomains file is present. I think this could choke
some automated tests as nearly none of them goes to the point of actually
sending data.

here is a well known spamd session:

    telnet elrond.llorien.org 25
    Trying 88.198.156.90...
    Connected to elrond.llorien.org.
    Escape character is '^]'.
    220 elrond.llorien.org ESMTP ; Tue May 22 09:09:33 2007
    ehlo test
    250 Hello, spam sender. Pleased to be wasting your time.
    mail from:
    250 You are about to try to deliver spam. Your time will be spent, for nothing.
    rcpt to:[EMAIL PROTECTED]
    250 This is hurting you more than it is hurting me.

I know that I can configure spamd to send a 550 error to the client, but
only after DATA, which will clearly almost never happen in automated tests.
So I think it could probably be a good idea to add an option which makes
the 550 reply at RCPT TO for domains not in spamd.alloweddomains. This
would still allow making spamtraps, but only those sent to alloweddomains
would waste the most time for the sender.

What are your feelings about this?
Re: 4.1 upgrade and squid
Bryan Irvine wrote:
> I've upgraded my firewall to 4.1 and all of the packages. Now squid fails
> to start with the new version. I get the following errors:
>
>     2007/05/21 16:22:32| aclParseAclLine: WARNING: empty ACL: acl BlockSites url_regex /etc/squid/blocksites.txt
>     2007/05/21 16:22:32| parseConfigFile: line 2191 unrecognized: 'httpd_accel_host virtual'
>     2007/05/21 16:22:32| parseConfigFile: line 2192 unrecognized: 'httpd_accel_port 80'
>     2007/05/21 16:22:32| parseConfigFile: line 2223 unrecognized: 'httpd_accel_with_proxy on'
>     2007/05/21 16:22:32| parseConfigFile: line 2245 unrecognized: 'httpd_accel_uses_host_header on'
>
> Any ideas what I need to change on the new version of squid?

Check the Squid 2.6 release notes, it's all explained in there. I only had
to add "transparent" after "http_port 3128" in squid.conf.
quick pppoa howto. get the ip and bypass the router nat
hi all,

i have an Adsl internet connection with the tiscali provider and i just
solved my problem of getting the IP address on my openbsd machine. i wish
to share my experience here, feel free to correct my english :P

tiscali's adsl supports only the pppoa protocol (rfc 2364) and this is a
problem if you want to connect with pppoe with a modem/router with an
ethernet port and you don't want to be natted behind the router. i tried
the so called Bridge Mode Only without success, while i successfully used
it on another adsl line with the pppoe protocol configured by the ISP.

The trick came out with the router's last firmware update. The new
firmware lets me flag a Half Bridge mode. I own a Linksys am200 (annex A)
router, you should check if your model supports half bridge if you want
to try this configuration.

Once in Half Bridge the router connects with pppoa to the ISP router, logs
on with pap/chap and gives you the public IP with the dhcp protocol; after
this it starts to work as a half bridge: it copies the IP packets from the
ethernet to the pppoa channel and vice versa.

configuring the openbsd box is very simple, just put in /etc/hostname.nfe0
(change with your lan card name):

    dhcp
    up
    !route add -host 213.205.24.16 -interface -link nfe0 -expire 1
    !route add default 213.205.24.16

change 213.205.24.16 with the gateway's IP of your ISP (i check this on
the router's web administration page, it never changes for me), also
change nfe0 with your lan card. you can try without the 2 route add
commands if it works, i had to use them because the gateway is on a
different subnet from my public IP and the dhclient command doesn't
configure it automatically (does anyone know another solution to this?).

regards
Luigi
Re: Spamd default behaviour of accepting everything
Renaud Allard [EMAIL PROTECTED] writes:
> I just used dnsstuff to test one of my domain names and it showed me (the
> first time only) that my server is an open relay, which is obviously not
> true. This is due to the default behaviour of spamd of accepting
> everything, even when a spamd.alloweddomains file is present.

I would say that a more accurate description of spamd's behavior with
respect to relay checkers would be 'appears to accept but does not
forward'. What you are seeing is most likely that the relay checker
performs a limited parse of the SMTP dialogue but does not check if its
test message is actually forwarded. This is AFAIK the intended behavior,
and it might even fool gullible spammers.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers  The Usenet Bard, Twice-forwarded tales
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: OpenBSD 4.1: pf is not blocking anything
Marcos Laufer wrote:
> Hello,
> I am testing pf in an OpenBSD 4.1. This same configuration works fine on
> OpenBSD 3.9, but in 4.1 it is not filtering anything, everything is
> passing thru, just as if there was no 'block all'. What worries me most
> is that anyone on the outside can see my ssh service. Is there anything
> wrong with the state of my rules? If i didn't misunderstand, these rules
> should work just fine.
> Any ideas? Thanks in advance,
> Marcos
>
>     # good guys
>     table <goodhosts> persist
>     pass in quick on egress from <goodhosts> to any keep state

I'm no pf expert, so here's a simple question. What, if anything, is in
table <goodhosts>? Maybe you're allowing everything in because of that
table, or maybe you're testing from an IP defined as OK in that table?
Re: OpenBSD 4.1: pf is not blocking anything
> I am testing pf in an OpenBSD 4.1. This same configuration works fine on
> OpenBSD 3.9, but in 4.1 it is not filtering anything, everything is
> passing thru, just as if there was no 'block all'.

Is pf enabled? (pfctl -si)
Did your ruleset load ok? (pfctl -sr)

> What worries me most is that anyone on the outside can see my ssh
> service.

I do different things on different boxes, but my usual setup these days is
something like this:

    PasswordAuthentication no
    Match Address 192.168.*,10.*
        PasswordAuthentication yes

This allows passwords to work on selected networks and forces keys for the
rest of the internet. Allows me to hop from machine to machine on an
internal network, access it from anywhere from trusted boxes with keys,
and discourages me from typing passwords in from untrusted boxes (reduces
risk from keyloggers).
Re: OpenBSD 4.1: pf is not blocking anything
Marcos Laufer [EMAIL PROTECTED] writes:
> I am testing pf in an OpenBSD 4.1. This same configuration works fine on
> OpenBSD 3.9, but in 4.1 it is not filtering anything, everything is
> passing thru, just as if there was no 'block all'.

Are you sure that your rule set actually does get loaded? pfctl -s rules
will show you which rules are loaded (a possible first step), but syntax
errors should show up (with line number indicated) when you try to load
your rules.

-- 
Peter N. M. Hansteen
Re: wpi and wpa
WPA is not implemented in OpenBSD

On 5/22/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hello!
> The man page of the wpi driver states that WEP is supported, but i cannot
> see WPA (WPA2) mentioned. I have a laptop with a 3945 wifi chipset that
> works under linux with WPA2. I need WPA2, and wonder if it will work
> under OpenBSD?
> kind regards, -nn

-- 
Julien Cabillot
PF: round-robin routing and multiple gateways, one outgoing interface.
Hi list.

My network is extremely strange i know, nothing i can do about it. Just
working with what i got.

I have a local network 10.0.0.0/16. This local network has several gateways
to the internet, for example 10.0.1.1, 10.0.2.1, 10.0.3.1 are all gateways
to the net. I want to make a pf box that NATs one interface and then routes
round-robin style over all the gateways.

here is the PF-script that I've been working with: (ripped from the PF FAQ,
without comments)

    lan_net = 10.0.0.0/16
    int_if = rl2    # 10.0.1.2
    ext_if1 = rl1   # 10.0.1.3
    ext_if2 = rl0   # 10.0.1.4
    ext_gw1 = 10.0.2.1
    ext_gw2 = 10.0.3.1

    nat on $ext_if1 from $lan_net to any -> ($ext_if1)
    nat on $ext_if2 from $lan_net to any -> ($ext_if2)

    block in from any to any
    block out from any to any

    pass out on $int_if from any to $lan_net
    pass in quick on $int_if from $lan_net to $int_if

    # This is the interesting part i guess:
    pass in on $int_if route-to \
        { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
        proto tcp from $lan_net to any flags S/SA modulate state
    pass in on $int_if route-to \
        { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
        proto { udp, icmp } from $lan_net to any keep state

    pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
    pass out on $ext_if1 proto { udp, icmp } from any to any keep state
    pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
    pass out on $ext_if2 proto { udp, icmp } from any to any keep state

    pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
    pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

This script works exactly like i want. connections get routed round-robin
to different gateways. The problem is that i have a limited number of
switch ports and PCI-slots so i can't have more than 3 physical NICs. I
want to use one or two outgoing NICs to route over maybe 5 gateways. See
my problem?

I've tried just changing $ext_if1 and $ext_if2 to the same interface. But
connections only get routed through one gateway. In short:

    pass in on rl2 route-to \
        { (rl0 10.0.2.1), (rl0 10.0.3.1) } round-robin \
        proto tcp from 10.0.0.0/16 to any flags S/SA modulate state

Doesn't work, and only routes through 10.0.3.1.

How can i do something like this? Maybe there is some different way of
doing this? Virtual interfaces maybe?

P.S. Using OpenBSD 4.1

Thanks list.
Re: Spamd default behaviour of accepting everything
Peter N. M. Hansteen wrote:
> Renaud Allard [EMAIL PROTECTED] writes:
>> I just used dnsstuff to test one of my domain names and it showed me
>> (the first time only) that my server is an open relay, which is
>> obviously not true. This is due to the default behaviour of spamd of
>> accepting everything, even when a spamd.alloweddomains file is present.
> I would say that a more accurate description of spamd's behavior with
> respect to relay checkers would be 'appears to accept but does not
> forward'. What you are seeing is most likely that the relay checker
> performs a limited parse of the SMTP dialogue but does not check if its
> test message is actually forwarded. This is AFAIK the intended behavior,
> and it might even fool gullible spammers.

Indeed, but it could cause you to get blacklisted by some automated
checkers, which is clearly something you don't want. I know this kind of
checker is not accurate, but some local checkers will do it that way and
you will end up with the problems.
Re: Spamd default behaviour of accepting everything
Renaud Allard [EMAIL PROTECTED] writes:
> Indeed, but it could cause you to get blacklisted by some automated
> checkers, which is clearly something you don't want. I know this kind
> of checker is not accurate, but some local checkers will do it that way
> and you will end up with the problems.

After reading your original message, I looked around the first 20-odd
relay checkers and lists of open relays google could find for me (search
string: mail relay test). Some of these sites in turn link to extensive
lists of publicly available lists of open relays, but I never found any
indication that any of our servers (all spamd protected) were on any of
them. I take this as an indication that at least the more commonly used
ones do not behave as you suspect. If other, less common ones or pay to
use lists are more trigger happy and as a consequence offer less accurate
data than the free ones, that is of course unfortunate.

-- 
Peter N. M. Hansteen
Re: Spamd default behaviour of accepting everything
Peter N. M. Hansteen wrote:
> Renaud Allard [EMAIL PROTECTED] writes:
>> Indeed, but it could cause you to get blacklisted by some automated
>> checkers, which is clearly something you don't want. I know this kind
>> of checker is not accurate, but some local checkers will do it that way
>> and you will end up with the problems.
> After reading your original message, I looked around the first 20-odd
> relay checkers and lists of open relays google could find for me (search
> string: mail relay test). Some of these sites in turn link to extensive
> lists of publicly available lists of open relays, but I never found any
> indication that any of our servers (all spamd protected) were on any of
> them. I take this as an indication that at least the more commonly used
> ones do not behave as you suspect. If other, less common ones or pay to
> use lists are more trigger happy and as a consequence offer less accurate
> data than the free ones, that is of course unfortunate.

I speak mostly of SMTP-time checkers. Imagine you are sending a mail to
someone and while you are doing the SMTP transaction, the remote host
also connects to your server to see if it may be an open relay. Given
current spamd behaviour and the time the remote host has to check your
server, it will judge it as an open relay as it won't be able to pass
through the data phase.

As a secondary effect, sender callouts made from a remote server will
also be accepted (at least the first time) even if the recipient doesn't
exist on your server. But that's probably not really that important.
Re: Spamd default behaviour of accepting everything
On 2007/05/22 14:49, Renaud Allard wrote:
> I speak mostly of SMTP-time checkers. Imagine you are sending a mail to
> someone and while you are doing the SMTP transaction, the remote host
> also connects to your server to see if it may be an open relay.

They are broken then... Workaround: use different mailer instances on
different IP addresses for incoming and outgoing mail (this is often a
good idea anyway).

> As a secondary effect, sender callouts made from a remote server will
> also be accepted

that's exactly why it changed from rejecting at rcpt to: stage.
http://www.openbsd.org/cgi-bin/cvsweb.cgi/src/libexec/spamd/spamd.c#rev1.85
A change in libasn1.a
Hello, all!

I run an OpenBSD 4.0 system, all patches installed. The installation is
rather basic, the only port open to the world is ssh, which provides
access to a subversion server and to shell logins, both via keys, or
one-time :skey passwords.

As the system is exposed to the net, I regularly verify checksums of all
files using aide (installed from packages). So, recently I noticed the
following:

    # /some/path/aide --config=/my/config --update /tmp/1
    # vi /tmp/1
    ... snip ...
    changed:/usr/lib/libasn1.a
    changed:/usr/lib/libkafs_pic.a
    changed:/usr/lib/libkrb5_pic.a
    ... snip ...
    File: /usr/lib/libasn1.a
    MD5 : Wrpax8YvU84JUMMSlIZexQ== , b5em5b4AETeIpboM+NsSQA==
    File: /usr/lib/libkafs_pic.a
    MD5 : voiA+l3kYINweu83pWDfLA== , AIjWbC687J7lD+QSDd7pwg==
    File: /usr/lib/libkrb5_pic.a
    MD5 : voiA+l3kYINweu83pWDfLA== , AIjWbC687J7lD+QSDd7pwg==
    ... snip ...

The previous check was on May 17, i.e. 5 days ago. After that date the
only modifications were:
- installed a couple of packages (wget, screen)
- edited ~/.ssh/config for one user (non-root), logged over ssh to a new
  Linux system
- ran normal subversion activity, checkins, checkouts, etc.

Is the above change in MD5 checksums normal? If yes, what caused it and
why was nothing like this observed before?

Best regards,
Dmitry
Re: Spamd default behaviour of accepting everything
Stuart Henderson wrote:
> They are broken then... Workaround: use different mailer instances on
> different IP addresses for incoming and outgoing mail (this is often a
> good idea anyway).

This workaround only works if the checker connects to your MX, not to the
host sending the mail. I know they are somewhat broken but there is no
point in contacting the sender domain server if you want to check for an
open relay as the from header is more than likely a fake.

Also, MS exchange servers don't like 4xx errors at DATA time and may
forbid the mail from being delivered until the exchange instance is
restarted. I know this is also a bug in Exchange, but many people use it.

>> As a secondary effect, sender callouts made from a remote server will
>> also be accepted
> that's exactly why it changed from rejecting at rcpt to: stage.
> http://www.openbsd.org/cgi-bin/cvsweb.cgi/src/libexec/spamd/spamd.c#rev1.85

Yes, but that means callouts that should not succeed will (at least the
first time). I know no scheme is perfect, so the point is it could be
handy to have a flag to determine when the mail should be greylisted and
let people choose.
Re: Sun Netra X1 Firewall Throughput?
On Sat, May 19, 2007 at 10:16:33PM -0700, Bryan Vyhmeister wrote:
> On May 18, 2007, at 2:09 PM, Daniel Ouellet wrote:
>>> [drive 137GB on Sun X1?]
>> No it doesn't. I have about 30 of them and putting any drives bigger
>> than that will simply not work. Well, actually it works, but you can't
>> use above that. If you try to even partition it like that, the system
>> will crash and not start, period. I tried a good Seagate 180MB for test
>> and can't use it all.
> That's too bad. I was hoping I could put larger drives in them. Oh well,
> 120 GB it is.

Maybe you can use the same approach I used with my U10 - I've put in a
Promise PCI IDE controller and a 160GB and that worked fine (see the
archives of the sparc list - I had some crashes in the beginning which
were due to bad RAM). Downside is that you can't boot from them. I don't
know whether the X1 has free PCI slots, but if it has, it might be an
option.

Cheerio,
Thomas

-- 
** PLEASE: NO Cc's to me privately, I do read the list - thanks! **
- Thomas Ribbrock    http://www.ribbrock.org    ICQ#: 15839919
  You have to live on the edge of reality - to make your dreams come true!
Re: Spamd default behaviour of accepting everything
On 2007/05/22 15:50, Renaud Allard wrote:
> Stuart Henderson wrote:
>> They are broken then... Workaround: use different mailer instances on
>> different IP addresses for incoming and outgoing mail (this is often a
>> good idea anyway).
> This workaround only works if the checker connects to your MX, not to
> the host sending the mail. I know they are somewhat broken but there is
> no point in contacting the sender domain server if you want to check for
> an open relay as the from header is more than likely a fake.

You wouldn't need spamd on the address of a send-only instance.. (if
mail's only submitted on 587/465 or from known address ranges, it could
just RST port 25 to the rest of the world).

> Also, MS exchange servers don't like 4xx errors at DATA time and may
> forbid the mail from being delivered until the exchange instance is
> restarted. I know this is also a bug in Exchange, but many people use it.

Yeuch... I didn't know about that. Found it here (needs user-agent:
googlebot) - http://www.windowsitpro.com/Article/ArticleID/95332/95332.html

    When Exchange 2003 sends a message to a server using greylisting, it
    gets back a 4xx try again later code. Instead of waiting a reasonable
    interval, Exchange tries again after only a few seconds. This attempt
    generally fails too, and Exchange doesn't try again.
    ...
    The message isn't delivered, and it doesn't appear in any queues.
    Exchange won't try to redeliver it again until you restart the SMTP
    service. The message just disappears, except from the sender's Sent
    Items folder.

>> that's exactly why it changed from rejecting at rcpt to: stage.
>> http://www.openbsd.org/cgi-bin/cvsweb.cgi/src/libexec/spamd/spamd.c#rev1.85
> Yes, but that means callouts that should not succeed will (at least the
> first time).

Unless you teach spamd the valid usernames, the alternative is to have
*no* callout succeeding unless the sender is already grey/whitelisted.
Either way, that doesn't help the MSexchange problem, and callout is
broken by design anyway (DoS problem), it's not worth burning extra cpu
cycles to help people who continue to use it.

> I know no scheme is perfect, so the point is it could be handy to have a
> flag to determine when the mail should be greylisted and let people
> choose.

How about:

    --i-dont-want-to-receive-mail-from-people-using-exchange-2003

and

    --i-dont-want-to-receive-mail-from-people-using-callout-verification

I think a better solution would be for *more* people to use greylisting
implementations which do this, so that more MSexchange users will either
bother Microsoft to fix their bug, or script 'net stop smtpsvc;net start
smtpsvc' to run a few times a day so they can send mail to others too.

You can always revert r1.85 manually and recompile if you need...
Re: Spamd default behaviour of accepting everything
Stuart Henderson wrote:
> On 2007/05/22 15:50, Renaud Allard wrote:
>> Stuart Henderson wrote:
> You wouldn't need spamd on the address of a send-only instance.. (if
> mail's only submitted on 587/465 or from known address ranges, it could
> just RST port 25 to the rest of the world).

Good point :)

>> Also, MS exchange servers don't like 4xx errors at DATA time and may
>> forbid the mail from being delivered until the exchange instance is
>> restarted. I know this is also a bug in Exchange, but many people use it.
> Yeuch... I didn't know about that. Found it here (needs user-agent:
> googlebot) - http://www.windowsitpro.com/Article/ArticleID/95332/95332.html

I have only seen this when the 4xx error is sent at DATA time, not when
sent at RCPT TO.

> How about:
> --i-dont-want-to-receive-mail-from-people-using-exchange-2003
> and
> --i-dont-want-to-receive-mail-from-people-using-callout-verification

Those are the default flags indeed.

> I think a better solution would be for *more* people to use greylisting
> implementations which do this, so that more MSexchange users will either
> bother Microsoft to fix their bug, or script 'net stop smtpsvc;net start
> smtpsvc' to run a few times a day so they can send mail to others too.

Most of the time with people running exchange, they don't care and don't
have a clue about what happens and argue that _your_ server is broken
because they don't have problems elsewhere.
Re: Spamd default behaviour of accepting everything
Renaud Allard wrote:
>> I think a better solution would be for *more* people to use greylisting
>> implementations which do this, so that more MSexchange users will either
>> bother Microsoft to fix their bug, or script 'net stop smtpsvc;net start
>> smtpsvc' to run a few times a day so they can send mail to others too.
> Most of the time with people running exchange, they don't care and don't
> have a clue about what happens and argue that _your_ server is broken
> because they don't have problems elsewhere.

lol! i encounter this phenomenon on a regular basis: clueless people
misapplying blame for problems they are themselves the cause of. when
implementing some new STL code on a printing press, anything that went
wrong immediately thereafter was (incorrectly) attributed to my code
changes. this is a testament to the cluelessness of the people who
operate the machine. these situations remind me of a recent thread about
US crypto export laws ;).

i do end up having to manually whitelist a number of sender IPs and i
believe i now know why the emails didn't get through the greyfilter,
thanks for the info y'all.

had a microsloth software distributor talk to me for a while about the
value added by having an all microsloth shop. more like cluelessness
added infrastructure: everybody should sell their state-owned
infrastructure to nepotistic private companies, it's obviously more
efficient.
Re: Spamd default behaviour of accepting everything
On 2007/05/22 17:12, Renaud Allard wrote: I have only seen this when the 4xx error is sent at DATA time, not when sent at RCPT TO. How about: --i-dont-want-to-receive-mail-from-people-using-exchange-2003 and --i-dont-want-to-receive-mail-from-people-using-callout-verification Those are the default flags indeed. they're mutually exclusive: 4xx at RCPT, break callout verification. 4xx at DATA, break msexchange 2003 direct-to-mx delivery.
Re: OpenBSD 4.1: pf is not blocking anything [solved]
Hello,

Just found out what was wrong. I knew that the ruleset was all right... I just forgot to activate pf by placing pf=YES in rc.local.conf
I'm glad that OpenBSD works just fine, and it's me who needs to be repaired :)
I am very sorry for the noise, thanks to everybody for the tips and advice

Marcos

- Original Message -
From: Peter N. M. Hansteen [EMAIL PROTECTED]
To: Marcos Laufer [EMAIL PROTECTED]
Cc: misc@openbsd.org
Sent: Tuesday, May 22, 2007 8:23 AM
Subject: Re: OpenBSD 4.1: pf is not blocking anything

Marcos Laufer [EMAIL PROTECTED] writes:

I am testing pf in an OpenBSD 4.1. This same configuration works fine on OpenBSD 3.9, but in 4.1 it is not filtering anything, everything is passing thru, just like as if there was no 'block all'.

Are you sure that your rule set actually does get loaded? pfctl -s rules will show you which rules are loaded (a possible first step), but syntax errors should show up (with line number indicated) when you try to load your rules.

-- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/ First, we kill all the spammers The Usenet Bard, Twice-forwarded tales delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Sun Netra X1 Firewall Throughput?
On May 22, 2007, at 7:09 AM, T. Ribbrock wrote: On Sat, May 19, 2007 at 10:16:33PM -0700, Bryan Vyhmeister wrote: That's too bad. I was hoping I could put larger drives in them. Oh well, 120 GB it is. Maybe you can use the same approach I used with my U10 - I've put in a Promise PCI IDE controller and a 160GB and that worked fine (see the archives of the sparc list - I had some crashes in the beginning which were due to bad RAM). Downside is that you can't boot from them. I don't know whether the X1 has free PCI slots, but if it has, it might be an option. I appreciate that suggestion. Unfortunately, the Netra X1, like the Sun Fire V100, does not have any PCI slots. Bryan
Re: Sun Netra X1 Firewall Throughput?
On 22/05/07, T. Ribbrock [EMAIL PROTECTED] wrote:

I don't know whether the X1 has free PCI slots, but if it has, it might be an option.

I just checked mine. It has no PCI slots, however there are USB ports. You could add an external one, but I wouldn't rely on it for production environments.

-- Best Regards Edd --- http://students.dec.bournemouth.ac.uk/ebarrett
smtp auth + greylisting
I just moved my super-fantastic spamd soekris in front of a new mail server that requires SMTP Auth to send mail... and it broke. No one can send mail from that server. My old server didn't require SMTP Auth and it worked fine. I couldn't find anything in the docs or on the net that suggests that I need to make changes - but obviously I do. Can anyone point me in the right direction? Your help is much appreciated! Best Regards, Stephen
Re: flowcharts
On Mon, May 21, 2007 at 08:41:18AM +0200, [EMAIL PROTECTED] wrote:

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anthony Howe
Sent: 18 May 2007 07:00 PM
Cc: misc@openbsd.org
Subject: Re: flowcharts

[EMAIL PROTECTED] wrote:

Thanks to those that responded. I have a few ideas. Once i figure out how to add arrowheads, QCad may be just the thing. I got the idea from Douglas' xfig idea. Thanks man.

OpenOffice's Draw program can do Visio like flowcharts.

Yes it can, and very well too. But openoffice is not on the CD, and such a large download is quite simply out of the question for an ordinary citizen in an African country.

Call me old-fashioned, but why not just use some paper? As mentioned before, flowcharts make poor documentation anyway, and paper is very convenient, especially if you're erasing and redrawing a lot. You could enter the final design in an appropriate program, if so inclined, but doing it straight in software seems unnecessarily painful.

Joachim -- PotD: x11/gob2 - GTK+ Object Builder
Re: Spamd default behaviour of accepting everything
Stuart Henderson wrote:

On 2007/05/22 17:12, Renaud Allard wrote:

I have only seen this when the 4xx error is sent at DATA time, not when sent at RCPT TO.

How about: --i-dont-want-to-receive-mail-from-people-using-exchange-2003 and --i-dont-want-to-receive-mail-from-people-using-callout-verification

Those are the default flags indeed.

they're mutually exclusive: 4xx at RCPT, break callout verification. 4xx at DATA, break msexchange 2003 direct-to-mx delivery.

Well, 4xx at RCPT doesn't really break callout, it just delays the mail a little bit further. Unless the callout is broken and answers the sending server with a 5xx when it receives a 4xx as response from the callout. But to be sure not to delay or break callouts, MAIL FROM: should be redirected to the real server directly. However, this is quite tricky to do as the communication with spamd has already started and you could not just pipe the input to the real server.
Re: smtp auth + greylisting
Stephen Schaff wrote: I just moved my super-fantastic spamd soekris in front of a new mail server that requires SMTP Auth to send mail... and it broke. No one can send mail from that server. My old server didn't require SMTP Auth and it worked fine. i have spamd setup at work and have users relay SASL authenticated SMTP through port 587 (submission) instead of port 25. if you have them relaying through port 25 they're bound to get tarpitted or have a tough time getting on the whitelist. I couldn't find anything in the docs or on the net that suggests that I need to make changes - but obviously I do. Can anyone point me in the right direction? Your help is much appreciated! Best Regards, Stephen
Re: Spamd default behaviour of accepting everything
I just used dnsstuff to test one of my domain names and it showed me (the first time only) that my server is an openrelay, which is obviously not true. This is due to the default behaviour of spamd of accepting everything, even when a spamd.alloweddomains file is present. I think this could choke some automated tests as nearly none of them goes to the point of actually sending data. here is a well known spamd session:

telnet elrond.llorien.org 25
Trying 88.198.156.90...
Connected to elrond.llorien.org.
Escape character is '^]'.
220 elrond.llorien.org ESMTP ; Tue May 22 09:09:33 2007
ehlo test
250 Hello, spam sender. Pleased to be wasting your time.
mail from:
250 You are about to try to deliver spam. Your time will be spent, for nothing.
rcpt to:[EMAIL PROTECTED]
250 This is hurting you more than it is hurting me.

I know that I can configure spamd to send a 550 error to the client, but only after DATA, which will clearly almost never happen in automated tests. So I think it could probably be a good idea to add an option which makes the 550 reply at RCPT TO for domains not being in spamd.alloweddomains. This would still allow to make spamtraps but only those sent at alloweddomains would waste the most time to the sender. What are your feelings about this?

Any automated test I've ever set up for open relay, (and I run them) as well as any sane ones I ever see test for open relay by actually relaying a message not looking at the smtp dialogue. You're making much ado over nothing and spreading FUD - the tester you are using is just making stupid assumptions.

-Bob
Re: smtp auth + greylisting
have your smtp-auth people use port 587/465[1]. That will also solve the problem of traveling users being blocked at public access points. [1] smtp+sasl or smtp wrapped in ssl, depending on the client. Don't forget to enable this in your MTA. On 2007 May 22 (Tue) at 10:22:19 -0600 (-0600), Stephen Schaff wrote: :I just moved my super-fantastic spamd soekris in front of a new mail :server that requires SMTP Auth to send mail... and it broke. No one :can send mail from that server. :My old server didn't require SMTP Auth and it worked fine. : :I couldn't find anything in the docs or on the net that suggests that :I need to make changes - but obviously I do. Can anyone point me in :the right direction? Your help is much appreciated! : : :Best Regards, :Stephen : -- We gave you an atomic bomb, what do you want, mermaids? -- I. I. Rabi to the Atomic Energy Commission
Re: Spamd default behaviour of accepting everything
Bob Beck wrote:

Any automated test I've ever set up for open relay, (and I run them) as well as any sane ones I ever see test for open relay by actually relaying a message not looking at the smtp dialogue. You're making much ado over nothing and spreading FUD - the tester you are using is just making stupid assumptions.

This was certainly not my intention to spread FUD and I am sorry if I did. Maybe I am a little bit too paranoid. I just wanted people to share their experiences with this. However, there is clearly a problem with MS exchange and current spamd behavior.
Re: Spamd default behaviour of accepting everything
Jacob Yocom-Piatt wrote:

Renaud Allard wrote:

I think a better solution would be for *more* people to use greylisting implementations which do this, so that more MSexchange users will either bother Microsoft to fix their bug, or script 'net stop smtpsvc;net start smtpsvc' to run a few times a day so they can send mail to others too. Most of the time with people running exchange, they don't care and don't have a clue about what happens and argue that _your_ server is broken because they don't have problems elsewhere.

lol! i encounter this phenomenon on a regular basis: clueless people misapplying blame for problems they are themselves the cause of. when implementing some new STL code on a printing press, anything that went wrong immediately thereafter was (incorrectly) attributed to my code changes. this is a testament to the cluelessness of the people who operate the machine. these situations remind me of a recent thread about US crypto export laws ;). i do end up having to manually whitelist a number of sender IPs and i believe i now know why the emails didn't get through the greyfilter, thanks for the info y'all. had a microsloth software distributor talk to me for a while about the value added by having an all microsloth shop. more like cluelessness added infrastructure: everybody should sell their state-owned infrastructure to nepotistic private companies, it's obviously more efficient.

Unfortunately, this little MS-behaviour is very likely to be the last straw that gets our greylisting turned off here. Despite my logs that prove that greylisting has removed over 95% of incoming spam before spamassassin has to deal with it, the fact that some legitimate mail is lost or overly delayed has been deemed unacceptable to the corporate masters. The people inconvenienced by this pay more in taxes than I make in a year so they need to be kept happy. And the mail that is often missed is quite often something time-sensitive. It really is a shame.

Greylisting has made such a huge difference in the spam-volume here. We receive about 10 complaints per week about either mail that never came in or mail that came in too late to act on. These missing emails have sometimes cost us tens of thousands of dollars in lost profits. So that makes the tens of thousands of blocked emails per day seem a lot less significant. I have whitelisted source IPs where possible but there is always some new complaint right around the corner. They appreciate the reduction in spam that gets through but they are the first to complain if mail is delayed or if they don't get something.

In the financial trading sector, you would be shocked at the number of small, one-man analyst companies that operate from home and send out mail to subscribers from dynamic IP addresses. Couple that with lots of non-standard mailers and it's a wonder any of their mail makes it past a decent SMTP sanity-checker...

/J
Re: Spamd default behaviour of accepting everything
Bob Beck wrote: Any automated test I've ever set up for open relay, (and I run them) as well as any sane ones I ever see test for open relay by actually relaying a message not looking at the smtp dialoge. You're making much ado over nothing and spreading FUD - the tester you are using is just making stupid assumptions. It should also be noted that at least some versions of Mdaemon interpret a 4xx error code at DATA as a permanent error. I know, the problem is on their side too.
Tcpdstat
Hi,

does anybody get tcpdstat installed on OpenBSD 4.x? Tcpdstat from http://staff.washington.edu/dittrich/talks/core02/tools/tcpdstat-uw.tar is a very nice tool to get summary information of a tcpdump file. The output includes the number of packets, the average rate and its standard deviation, the number of unique source and destination address pairs, and the breakdown of protocols.

I would appreciate every help or hint to get it compiled. I remember that I could compile it on OpenBSD 3.6 but on the new 4.1 it always fails.

Regards, Stefan
Re: smtp auth + greylisting
Since having users change their settings can be problematic in many environments, instead change the MX record. This way you can implement spamd right away and your users will not have to change anything. Though I would suggest moving the users to 587/465 in the future so that they don't get burned at places like hotels that redirect outbound port 25 traffic to a local SMTP proxy, that won't have a clue how to authenticate the user anyways. -Chad
Watchdog card for OpenBSD
We've been having a locking up problem with our openbsd based router for a while now. I upgraded to 4.1 about a week ago and so far it has not locked. Later this week we have scheduled some time to take down the router and run some memory / disk tests on it to make sure it's not a hardware issue. We are also going to dust it out since it is in a dusty environment.

Anyway, we figured while it was down we could possibly throw a watchdog card in. I noticed 4.1 added support for the Quancom PWDOG1... anyone have anything good or bad to say about it? I still have to get in to check for the reset pin on the motherboard.

Regards, Bill
duplicate filenames, sftp to mounted CD
I just noticed this which seemed a little unusual, so thought I'd throw it out here in case anyone's interested in looking at it. I just mounted a CD on my desktop machine to copy some files across to my laptop (in this case OpenBSD 4.1 CD1, but the same happens with other CDs that I tried). I connected by sftp, changed directory, and listed files. This is what happened:

sftp> cd /cdrom
sftp> ls
4.1 4.1 HARDWARE HARDWARE PACKAGES PACKAGES PORTS PORTS README README SIZES SIZES TRANS.TBL TRANS.TBL etc etc song41.mp3 song41.mp3 song41.ogg song41.ogg
sftp> ls
4.1 4.1 HARDWARE HARDWARE PACKAGES PACKAGES PORTS PORTS README README SIZES SIZES TRANS.TBL TRANS.TBL etc etc song41.mp3 song41.mp3 song41.ogg song41.ogg
sftp> ls
4.1 HARDWARE PACKAGES PORTS README SIZES TRANS.TBL etc song41.mp3 song41.ogg
sftp> ls
4.1 4.1 4.1 HARDWARE HARDWARE HARDWARE PACKAGES PACKAGES PACKAGES PORTS PORTS PORTS README README README SIZES SIZES SIZES TRANS.TBL TRANS.TBL TRANS.TBL etc etc etc song41.mp3 song41.mp3 song41.mp3 song41.ogg song41.ogg song41.ogg
sftp> ls
4.1 HARDWARE PACKAGES PORTS README SIZES TRANS.TBL etc song41.mp3 song41.ogg
sftp> ls
4.1 4.1 4.1 HARDWARE HARDWARE HARDWARE PACKAGES PACKAGES PACKAGES PORTS PORTS PORTS README README README SIZES SIZES SIZES TRANS.TBL TRANS.TBL TRANS.TBL etc etc etc song41.mp3 song41.mp3 song41.mp3 song41.ogg song41.ogg song41.ogg
sftp> ls
4.1 HARDWARE PACKAGES PORTS README SIZES TRANS.TBL etc song41.mp3 song41.ogg
sftp> ls
4.1 4.1 4.1 4.1 HARDWARE HARDWARE HARDWARE HARDWARE PACKAGES PACKAGES PACKAGES PACKAGES PORTS PORTS PORTS PORTS README README README README SIZES SIZES SIZES SIZES TRANS.TBL TRANS.TBL TRANS.TBL TRANS.TBL etc etc etc etc song41.mp3 song41.mp3 song41.mp3 song41.mp3 song41.ogg song41.ogg song41.ogg song41.ogg

I don't have any other machines with CD drives to try and replicate, but I don't see this when listing files with ls(1)/find(1)/shell builtins.
OpenBSD 4.1-current (GENERIC.MP) #6: Tue May 8 01:24:00 BST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1072164864 (1047036K)
avail mem = 906682368 (885432K)
using 22937 buffers containing 107425792 bytes (104908K) of memory
mainbus0 (root)
bios0 at mainbus0: SMBIOS rev. 2.2 @ 0xf (42 entries)
acpi at mainbus0 not configured
mainbus0: Intel MP Specification (Version 1.4)
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Athlon(tm) 64 Processor 3700+, 2211.59 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: AMD erratum 89 present, BIOS upgrade may be required
cpu0: apic clock running at 201MHz
mpbios: bus 0 is type PCI
mpbios: bus 1 is type PCI
mpbios: bus 2 is type PCI
mpbios: bus 3 is type PCI
mpbios: bus 4 is type PCI
mpbios: bus 5 is type PCI
mpbios: bus 6 is type ISA
ioapic0 at mainbus0 apid 2 pa 0xfec0, version 11, 24 pins
k8_powernow_init: cpusig: 20f71 brandid: 4 maxfid: e maxvid: 4 e 4
WARNING: k8pnow_hardcoded: USING FIXED P_STATE DATA PLEASE SEND YOUR DMESG TO [EMAIL PROTECTED]
cpu0: Cool'n'Quiet K8 2211 MHz: speeds: 2200 2000 1800 1000 MHz
pci0 at mainbus0 bus 0: configuration mode 1
NVIDIA nForce4 DDR rev 0xa3 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 NVIDIA nForce4 ISA rev 0xa3
nviic0 at pci0 dev 1 function 1 NVIDIA nForce4 SMBus rev 0xa2
iic0 at nviic0
iic1 at nviic0
admtemp0 at iic1 addr 0x4c: gl523sm
ohci0 at pci0 dev 2 function 0 NVIDIA nForce4 USB rev 0xa2: apic 2 int 11 (irq 11), version 1.0, legacy support
ehci0 at pci0 dev 2 function 1 NVIDIA nForce4 USB rev 0xa3: apic 2 int 3 (irq 3)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0
uhub0: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1
uhub0: 10 ports with 10 removable, self powered
auich0 at pci0 dev 4
Re: OpenLDAP question
I still want to push these little points directly from the OpenLDAP faq:

* back-ldbm is /obsolete/ and /should not be used/.

* As a historical note, the back-ldbm code is a direct descendant of the original University of Michigan code. The age of the code and its byzantine data structures were becoming unmaintainable, and since back-bdb has proven itself to be more reliable, the decision was made to delete back-ldbm from the code base.

* While BerkeleyDB supports this generic interface, it also offers a much richer API that has a lot more power and a lot more complexity. back-bdb is written specifically for the Berkeley DB /Transactional Data Store/ API. That is, back-bdb uses BDB's most advanced features to offer transactional consistency, durability, fine-grained locking, and other features that offer improved concurrency, reliability, and useability.

Dave Harrison wrote:

Henning Brauer wrote:

* Dave Harrison [EMAIL PROTECTED] [2007-05-21 08:26]:

Henning Brauer wrote:

* Uv Pzaf [EMAIL PROTECTED] [2007-05-20 23:12]:

I wonder why OpenBSD packages (i.e. openldap-server-2.3.24.tgz) still uses ldbm as database backend especially since the OpenLDAP folks are stating that this is no good any more: (http://www.openldap.org/faq/data/cache/756.htm) and not bdb or hdb.

because ldbm works fine, very much opposed to the other two you mention.

My personal experiences with ldbm were equally fine, I recommend you use it unless you are performing frequent writes, or are in need of high performance lookups. Once I started making regular writes, ldbm started to pack it in rather frequently (db corruption) so I went to bdb, however bdb takes careful tuning to get right.

now that is funny, in the, what, 5 years? of using openldap/ldbm, i have never seen database corruption. trying to use bdb, pretty much immediately.

As I said, depends on how you're using it. After a year, as the usage grew, I found ldbm was corrupting regularly and bdb solved the problem nicely. 3 years later, bdb is still perfectly fine. Obviously the other, valid, concern is what the OpenLDAP project intends to support. With this kind of thing I think the mantra of YMMV is probably wise.
Re: vpn in OBSD 4.1
Hi,

On Fri, 11.05.2007 at 08:33:03 -0400, Lars D. Noodin [EMAIL PROTECTED] wrote:

However, by connecting MS Windows machines into your VPN you neutralize many of the security benefits that you may have in place.

I'd say that depends on your setup. Imho, for many people, using a VPN is meant to protect MS Windows machines from the outside, and we're using a third-party IPSEC client that can easily be configured to only allow the bare minimum of traffic to get the VPN going, and the IPSEC traffic itself. So, you're only in your VPN, wherever you are, at least in theory.

the holes resulting from the design and production flaws permeating the entire brand, apparently the EULAs now grant remote admin rights to third parties.

Such a setup is routinely done in a way to prevent such kind of access, too. But then, this requires that you have some other means of software installation, distribution etc.pp. for your Windows machines in place...

Best, --Toni++
re0: watchdog timeout on landisk
Hi. I know this is not a proper bug report, but I wanted to know if other landisk owners experienced the infamous re0: watchdog timeout? When using the landisk as NFS server, I can't write to it without getting this error which basically cut the network for a minute. I have hundreds of entries like this in /var/log/messages and dmesg and of course, NFS experience is... well not pleasant ;) Known problem or bad landisk? -- Antoine
Re: smtp auth + greylisting
Trust me - bit the bullet and change to 587/465 anyway. we had to for road warriors because 25 is blocked in so many places anyway from walkups. You're better just getting your users to switch.

* Chad M Stewart [EMAIL PROTECTED] [2007-05-22 12:46]:

Since having users change their settings can be problematic in many environments, instead change the MX record. This way you can implement spamd right away and your users will not have to change anything. Though I would suggest moving the users to 587/465 in the future so that they don't get burned at places like hotels that redirect outbound port 25 traffic to a local SMTP proxy, that won't have a clue how to authenticate the user anyways.

-Chad

--
#!/usr/bin/perl
if ((not 0 && not 1) != (! 0 && ! 1)) {
    print "Larry and Tom must smoke some really primo stuff...\n";
}
Re: Spamd default behaviour of accepting everything
Darth Lists wrote:

Unfortunately, this little MS-behaviour is very likely to be the last straw that gets our greylisting turned off here. Despite my logs that prove that greylisting has removed over 95% of incoming spam before spamassassin has to deal with it, the fact that some legitimate mail is lost or overly delayed has been deemed unacceptable to the corporate masters.

Well, I think greylisting is still useful. It is just that if you want to avoid losing mail or having it delayed too much, you should adjust the settings for greylisting from 1h/4h to 9min/36h. Many mailers have their queue runners at 15mins. Putting 36 hours allows you to get mails from servers with common pools or weird retry delays. These values were just deduced from trial and error. Also greylisting should happen at RCPT TO, and probably not at DATA as there are some widely used MTAs that are buggy and choke when a 4xx error is sent in the DATA phase.
Re: smtp auth + greylisting
That's a really good point. However we have about 200 users we'd have to get to switch their mail settings - 99% of whom don't know what mail settings are of course. Changing ports could prove very painful. I will definitely consider it though, given how painful email is without greylisting.

Best Regards, Stephen

On 22-May-07, at 3:10 PM, Bob Beck wrote:

Trust me - bit the bullet and change to 587/465 anyway. we had to for road warriors because 25 is blocked in so many places anyway from walkups. You're better just getting your users to switch.

* Chad M Stewart [EMAIL PROTECTED] [2007-05-22 12:46]:

Since having users change their settings can be problematic in many environments, instead change the MX record. This way you can implement spamd right away and your users will not have to change anything. Though I would suggest moving the users to 587/465 in the future so that they don't get burned at places like hotels that redirect outbound port 25 traffic to a local SMTP proxy, that won't have a clue how to authenticate the user anyways.

-Chad

--
#!/usr/bin/perl
if ((not 0 && not 1) != (! 0 && ! 1)) {
    print "Larry and Tom must smoke some really primo stuff...\n";
}
Re: Spamd default behaviour of accepting everything
just deduced from trial and error. Also greylisting should happen at RCPT TO, and probably not at DATA as there are some widely used MTAs that are buggy and choke when a 4xx error is sent in the DATA phase. I've been running this at DATA for months, and not seen any issues with it. anyone here got hard evidence of such bugs - please show me. Or is this just uninformed speculation? -Bob
Re: smtp auth + greylisting
Write them step by step instructions, with screenshots for the client they use. Tell them they have 30 days (for example), remind them at 15 and the day before. I've done the above at several work sites (400ish and 50ish), and once management was on board, it was very simple. A tiny bit of work now, to solve many problems tomorrow. On 2007 May 22 (Tue) at 15:19:33 -0600 (-0600), Stephen Schaff wrote: :That's a really good point. However we have about 200 users we'd have :to get to switch their mail settings - 99% of don't know what mail :settings are of course. :Changing ports could prove very painful. I will definitely consider :it though, given how painful email is without greylisting. : : :Best Regards, :Stephen : :On 22-May-07, at 3:10 PM, Bob Beck wrote: : : : Trust me - bit the bullet and change to 587/465 anyway. :we had to for road warriors because 25 is blocked in so many :places anyway from walkups. You're better just getting your :users to switch. : : :* Chad M Stewart [EMAIL PROTECTED] [2007-05-22 12:46]: :Since having users change their settings can be problematic in many :environments, instead change the MX record. This way you can :implement spamd right away and your users will not have to change :anything. Though I would suggest moving the users to 587/465 in the :future so that they don't get burned at places like hotels that :redirect outbound port 25 traffic to a local SMTP proxy, that won't :have a clue how to authenticate the user anyways. : :-Chad : : :-- :#!/usr/bin/perl :if ((not 0 not 1) != (! 0 ! 1)) { : print Larry and Tom must smoke some really primo stuff...\n; :} : -- Kleptomaniac, n.: A rich thief. -- Ambrose Bierce, The Devil's Dictionary
Re: smtp auth + greylisting
Stephen Schaff wrote:

That's a really good point. However we have about 200 users we'd have to get to switch their mail settings - 99% of whom don't know what mail settings are of course. Changing ports could prove very painful. I will definitely consider it though, given how painful email is without greylisting.

Do all your users use the same client? If so, an easy step-by-step capture of the dialog boxes, put on a web site that users can see and follow on their own computers, happens to be very efficient even for dummy users in remote areas with many thousand users. It takes a bit of time to do, but it'll save so much in the future that it's worth the two, maybe three, hours it may take you, plus it's always good to point users back to that URL when they ask how to do it. (;

Just an idea that saved me countless hours in the past!
Re: ssh tunnel device forwarding dies occasionally
On Mon, May 21, 2007 at 12:50:05AM +0200, Martin Toft wrote:

On Sun, May 20, 2007 at 12:02:11PM -0700, Myk Taylor wrote:

I used to have this problem as well. It went away when I upgraded the remote endpoint (your AP, in this model) to OpenSSH_4.5p1.

Okay. Thanks for the advice :) I'll try to test it during the next couple of days or so and report back here, if it also solves the problem for me. First, I need to figure out a setup to test it in, as 4.4p1 is the newest for OpenWrt at the moment. I'm thinking in the lines of establishing the tunnel to a recent OpenBSD box on the AP's WAN-side (running an open WLAN for a while...).

Martin

As promised I will report back... My test was concluded after only 167MB of random data:

$ scp testbox:testdata /dev/null
testdata 83% 167MB 0.0KB/s -stalled -

Instead of my AP, I used an available FreeBSD box with OpenSSH 4.5p1 as remote endpoint for the tunnel -- the problem didn't disappear. The testbed:

Laptop --WLAN-- AP --LAN-- FreeBSD box --LAN-- Internet

I think I will drop it now and look into IPSec or OpenVPN. That way I will also avoid TCP-over-TCP problems. I am pretty sure that it isn't TCP-over-TCP problems that I am fighting against in my ssh-based VPN setup, as my ssh control connection doesn't die -- only the tunnel device forwarding part. Not only are the connections through the tunnel stalled, it is also not possible to establish new connections through it.

Martin
Re: smtp auth + greylisting
arlo guthrie ... We walked in, sat down, Obie brought up the the help desk page with the twenty seven 800 x 600 colour glossy screenshots with circles and arrows and a paragraph below each one explaining what each one was to be used to show Windows users what to do. Luser came in and said My mail's broke, We all looked up, and Obie turned his monitor with the twenty seven 800x600 colour glossy screenshots, and the luser walked over with his laptop and sat down in front of Obie. Obie looked at the laptop and proceeded to talk to the luser for the better part of 30 minutes then looked at the luser, then looked at the twenty seven 800x600 colour glossy pictures, then looked at the luser and began to cry, 'cause Obie came to the realization that it was a typical case of American mouth breathing Windows luser, and there wasn't nothing he could do about it, and the luser wasn't going to look at the 27 800x600 colour glossy screenshots with the circles and arrows and a paragraph on the back of each one showing Windows users what to do. And we was reprimanded for having a system that was so darned difficult to use and so unhelpful, and told to litter the site with more flash.. But that's not what I came to tell you about... .. /arlo guthrie Sorry, couldn't resist... http://helpdesk.ualberta.ca/email :) -Bob * Peter Hessler [EMAIL PROTECTED] [2007-05-22 15:43]: Write them step by step instructions, with screenshots for the client they use. Tell them they have 30 days (for example), remind them at 15 and the day before. I've done the above at several work sites (400ish and 50ish), and once management was on board, it was very simple. A tiny bit of work now, to solve many problems tomorrow.
Re: Spamd default behaviour of accepting everything
Bob Beck wrote: just deduced from trial and error. Also greylisting should happen at RCPT TO, and probably not at DATA as there are some widely used MTAs that are buggy and choke when a 4xx error is sent in the DATA phase. I've been running this at DATA for months, and not seen any issues with it. anyone here got hard evidence of such bugs - please show me. Or is this just uninformed speculation? -Bob With Mdaemon, the problem is fixed in version 9.02 and onwards (http://tweakers.net/meuktracker/12778/MDaemon-9.0.4.html search for 4xx)
Re: Spamd default behaviour of accepting everything
> I manage about 30 mail servers, all using greylisting for years (not OpenBSD spamd, but a version running in the MTA). But as I greylist at RCPT TO, I only noticed the problem when clamav did go down and the server was producing a 4xx error at DATA when it should have scanned the mail.

I have definitely seen issues here with other implementations, because the 4XX code given, the XX's matter... Have you seen this with OpenBSD spamd? (As opposed to something else..)

> Also, as an idea, I found it quite useful to whitelist only with a triplet (from, to, IP), and not just the IP. Why? Because some people are behind a firewall which allows them to go out with the same IP as their mail server (yes, IPs are expensive in Europe), so windows spamware is going out with the same IP as their mailserver and so bypasses the filter.

I find this exceedingly unhelpful, as it makes the database huge and does unnecessarily delay mail. Generally either a service is reasonably well run, or it isn't. This also prevents the ease of spamlogd pre-whitelisting stuff going out.

It sounds like you're speaking on this topic without any actual experience with OpenBSD spamd, but rather something like postfix or the sendmail-milter implementation.

-Bob
solar power / openbsd handheld
We have a need for a low power OpenBSD device or handheld that can connect to a small SCADA device (serial or USB) to collect some temperature and voltage data, plus control one light switch, on a remote solar powered wifi repeater tower.

Any suggestions on the lowest powered OpenBSD runnable box we can expect to find for such a job, one that we can connect to the repeater by ethernet, or even wireless?

Austin
Re: Spamd default behaviour of accepting everything
Bob Beck wrote:
> I have definitely seen issues here with other implementations, because the 4XX code given, the XX's matter... Have you seen this with OpenBSD spamd? (As opposed to something else..)

I have seen this with 451 errors, not on spamd but with the exact same error code as the one used for spamd.

spamd error: 451 Temporary failure, please try again later.
error with exim: 451 Temporary local problem - please try later

> It sounds like you're speaking on this topic without any actual experience with OpenBSD spamd, but rather something like postfix or the sendmail-milter implementation.

Indeed, but the error code is the same at the same time during the transaction, so I don't see any reason why the behavior would be different. For Mdaemon, you can check the changelogs from version 9.0.2 as they acknowledge the problem.
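As an added illustration of the two points argued over in this thread (tempfailing at RCPT TO rather than DATA, and whitelisting by connecting IP as spamd does versus by the (from, to, IP) triplet), here is a small Python greylister; it is example code, not spamd's, and the shared-NAT scenario, the addresses and the assumed 25-minute pass time are constructed.

```python
"""Toy greylister contrasting IP-only whitelisting with (sender, rcpt, IP)
triplet whitelisting. Added example, not spamd's code; the NAT scenario and
timings below are constructed for illustration."""

# The 451 text is the spamd reply quoted in the thread; 250 is plain SMTP.
TEMPFAIL = "451 Temporary failure, please try again later."
ACCEPT = "250 OK"


class Greylister:
    """Decides at RCPT TO, before DATA, so no 4xx is ever sent in the phase
    the thread argues about. Entries live in plain dicts so the database
    size under both policies can be compared."""

    def __init__(self, mode="ip", passtime=25 * 60):
        assert mode in ("ip", "triplet")
        self.mode = mode
        self.passtime = passtime   # assumed pass time (seconds) before a key is let through
        self.greylist = {}         # key -> time of first attempt
        self.whitelist = set()     # keys allowed straight through

    def _key(self, ip, sender, rcpt):
        return ip if self.mode == "ip" else (sender, rcpt, ip)

    def rcpt_to(self, ip, sender, rcpt, now):
        """Return the SMTP reply to send at RCPT TO for this attempt."""
        key = self._key(ip, sender, rcpt)
        if key in self.whitelist:
            return ACCEPT
        first = self.greylist.setdefault(key, now)
        if now - first < self.passtime:
            return TEMPFAIL        # a real MTA queues the message and retries
        del self.greylist[key]
        self.whitelist.add(key)
        return ACCEPT


def nat_scenario(mode):
    """Constructed case from the thread: a legitimate MTA and spamware on a
    desktop share one public IP. Returns (reply to the bot, database size)."""
    g = Greylister(mode)
    shared_ip = "192.0.2.10"        # documentation range, constructed
    # Legitimate mail: first try is deferred, a retry 30 minutes later passes.
    g.rcpt_to(shared_ip, "alice@example.org", "bob@example.net", now=0)
    g.rcpt_to(shared_ip, "alice@example.org", "bob@example.net", now=1800)
    # The bot behind the same NAT tries once with a different sender.
    bot_reply = g.rcpt_to(shared_ip, "fake@example.com", "bob@example.net", now=1900)
    return bot_reply, len(g.greylist) + len(g.whitelist)
```

In IP mode the bot rides the whitelisted IP straight through; in triplet mode it is deferred, at the cost of a second database entry per (from, to, IP) combination, which is the size trade-off Bob raises.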
Re: solar power / openbsd handheld
On 2007/05/22 15:54, Austin Hook wrote:
> We have a need for a low power OpenBSD device or handheld that can connect to a small SCADA device (serial or USB) to collect some temperature and voltage data, plus control one light switch, on a remote solar powered wifi repeater tower.

Soekris 4501 or 4801 would be ideal, they use around 5W and have a fairly flexible DC-DC converter onboard. GPIO lines are supported by gpioctl(8) and easy to control, even from a shell script or cronjob. Have a look at owsbm(4) too.
Re: smtp auth + greylisting
Ah, yes. That refers to normal instructions, usually by corporations that charge you obscene amounts of money to send you gibberish. But it is possible to write instructions that people can follow. And if you get mgmt to agree, you can require people read your instructions. Do this, or your email will stop working. No, I'm not kidding. :)

It can be similar to pulling teeth to get them trained well, but then they can solve problems on their own, freeing you to solve the difficult and interesting problems, rather than spending all of your time configuring printers and email clients.

Of course, this all depends on the quality of your documentation...

On 2007 May 22 (Tue) at 16:08:10 -0600 (-0600), Bob Beck wrote:
:<arlo guthrie>
:
:...
: We walked in, sat down, Obie brought up the help desk page with
:the twenty seven 800 x 600 colour glossy screenshots with circles and
:arrows and a paragraph below each one explaining what each one was to
:be used to show Windows users what to do. Luser came in and said My
:mail's broke, We all looked up, and Obie turned his monitor with the
:twenty seven 800x600 colour glossy screenshots, and the luser walked
:over with his laptop and sat down in front of Obie. Obie looked at the
:laptop and proceeded to talk to the luser for the better part of 30
:minutes then looked at the luser, then looked at the twenty seven
:800x600 colour glossy pictures, then looked at the luser and began to
:cry, 'cause Obie came to the realization that it was a typical case of
:American mouth breathing Windows luser, and there wasn't nothing he
:could do about it, and the luser wasn't going to look at the 27
:800x600 colour glossy screenshots with the circles and arrows and a
:paragraph on the back of each one showing Windows users what to do.
:And we was reprimanded for having a system that was so darned
:difficult to use and so unhelpful, and told to litter the site with
:more flash..
:
:But that's not what I came to tell you about...
:..
:
:</arlo guthrie>
:
:Sorry, couldn't resist... http://helpdesk.ualberta.ca/email :)
:
: -Bob
:
:
:* Peter Hessler [EMAIL PROTECTED] [2007-05-22 15:43]:
: Write them step by step instructions, with screenshots for the client
: they use. Tell them they have 30 days (for example), remind them at 15
: and the day before.
:
: I've done the above at several work sites (400ish and 50ish), and once
: management was on board, it was very simple. A tiny bit of work now, to
: solve many problems tomorrow.
:

--
A reactionary is a man whose political opinions always manage to keep up with yesterday.
Re: solar power / openbsd handheld
Hi,

> We have a need for a low power OpenBSD device or handheld that can connect to a small SCADA device (serial or USB) to collect some temperature and voltage data, plus control one light switch, on a remote solar powered wifi repeater tower.
>
> Any suggestions on the lowest powered OpenBSD runnable box we can expect to find for such a job, one that we can connect to the repeater by ethernet, or even wireless?

Sharp Zaurus with display off and maybe Microdrive replaced with a CF should be very low power.

-sm
Re: smtp auth + greylisting
On Tue, 22 May 2007 16:08:10 -0600, Bob Beck wrote:
> <arlo guthrie>
> ...
> We walked in, sat down, Obie brought up the help desk page with
8< snip

And you can get anything you want at Bob Beck's Restaurant, as long as it's moose!

Loved it Bob! You are not just a good coder. Thanks, the day just got better,

_Rod

Depressed? Me? Don't make me laugh! :Spike Milligan:1918-2002:
Re: US Export of Cryptography
On 5/19/07, Reiner Jung [EMAIL PROTECTED] wrote:
> At the moment the OpenBSD core system is not controlled by the EAR so long as you don't download it from a US server. As a private person it is not a problem, but when a company wants to use OpenBSD and there is US crypto in it, the thing will become very complicated and OpenBSD will be automatically restricted. At the moment OpenBSD is the only modern operating system which is in the core free from export restrictions.

So is there any mechanism in ports whereby we can disable such software from being downloaded from a U.S server? Wouldn't it be useful to have something like that if it is not there already?

Thank you so much :-)

Kind Regards
Siju
Re: solar power / openbsd handheld
> > We have a need for a low power OpenBSD device or handheld that can connect to a small SCADA device (serial or USB) to collect some temperature and voltage data, plus control one light switch, on a remote solar powered wifi repeater tower.
>
> Soekris 4501 or 4801 would be ideal, they use around 5W and have a fairly flexible DC-DC converter onboard. GPIO lines are supported by gpioctl(8) and easy to control, even from a shell script or cronjob. Have a look at owsbm(4) too.

The Soekris is the fastest and easiest (and likely also the cheapest) device to use. You may have to factor in a different weatherproof enclosure and possibly a temperature-controlled resistive heating element/pad, depending on the installation location and method. The archives of the Soekris mailing lists have a number of references to similar installations.
Re: solar power / openbsd handheld
Thus Austin Hook [EMAIL PROTECTED] spake on Tue, 22 May 2007 15:54:32 -0700 (MST):
> We have a need for a low power OpenBSD device or handheld that can connect to a small SCADA device (serial or USB) to collect some temperature and voltage data, plus control one light switch, on a remote solar powered wifi repeater tower.
>
> Any suggestions on the lowest powered OpenBSD runnable box we can expect to find for such a job, one that we can connect to the repeater by ethernet, or even wireless?
>
> Austin

Hi,

have a look at http://pcengines.ch/alix.htm

Its predecessor, WRAP, still works very very well for me as an OpenBSD router (for years now); as alix is the next thing to come, I guess the superb outdoor enclosures will be 'ported' for it ;) http://pcengines.ch/case2c1.htm

HTH,
Timo

btw: Mine runs as a way-below-10-Watts SMTP, IMAP, DNS, DHCP server using a MicroDrive ;)

--
Hello, he lied. -- Don Carpenter quoting a Hollywood agent