Re: the whole greylisting, spam filtering thing
On 2017-09-29, Peter N. M. Hansteen wrote:
> On 09/29/17 15:06, Markus Rosjat wrote:
>
>> my boss is getting on my nerves that greylisting is basically out of
>> date because of things like outlook.com and mails ending up delayed for
>> ever. So the next logical step would be to deploy a tool like rspamd or
>> spamassassin to examine mail content. These tools need to be trained and
>> if you have a small mailserver with fewer accounts this could take a
>> while I imagine.
>
> It won't surprise anyone here that I disagree with the assertion that
> greylisting is in any way outdated. Come back with that assertion when
> the SMTP RFC is amended to drop the retry requirement.

These senders do retry, but not always from the same source address. Are you aware of any requirement in RFC5321 about source addresses of retries? I didn't find any when I looked (or even a requirement that retries are done over the same IP protocol version).

Greylisting still has its place, but with the way email operates today, exemptions are unavoidable if you have a requirement to communicate reliably with users of many email services. Especially with a strict per-host greylisting implementation, where you don't get any benefit from the common thing where senders often arrange to retry from within the same v4 /24.

What you can do with rspamd is only greylist mail that looks spammy but isn't scored highly enough to block outright. (Or you could think of that as making an exemption for mail that doesn't look too spammy). This works quite well in my experience. Unfortunately it's a lot more complex to configure than spamd, though once you start adding scripts and trying to work out who to whitelist, the spamd setup doesn't seem quite so straightforward either.

Most of the spam that reaches my mailbox is forwarded by a (high IP reputation) host that sits behind spamd. (I'm looking at you, Chinese state-owned enterprise trying to order a batch of fox fur from my @openbsd address! And others.) That's a lot trickier to block on my side without false positives..
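The per-host versus per-/24 point made above, as an added illustration that is not code from the thread or from spamd(8): a toy greylist that records the (sender key, envelope) tuple on first contact, answers with a temporary failure, and accepts only once a retry arrives after the pass time. The same retry sequence, with every retry coming from a different host in one /24, is run under both keying policies. PASSTIME follows spamd's documented 25-minute default; the addresses and envelopes are constructed.

```python
"""Why per-host greylisting and per-/24 greylisting treat retries differently.

Toy greylist, not spamd's implementation: first contact of a tuple is
temp-failed, a retry is accepted once the tuple has aged past PASSTIME.
"""
import ipaddress
from dataclasses import dataclass, field

PASSTIME = 25 * 60  # seconds a tuple must age before a retry is accepted (spamd default)


@dataclass
class Greylist:
    key_by_net: bool                 # False: key on the exact host; True: on its IPv4 /24
    passtime: int = PASSTIME
    seen: dict = field(default_factory=dict)   # (key, sender, rcpt) -> first-seen time

    def key(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        if self.key_by_net and addr.version == 4:
            # Aggregate the sending host into its /24 so a retry from a
            # neighbouring address counts as the same sender.
            return str(ipaddress.ip_network(f"{addr}/24", strict=False))
        return str(addr)            # IPv6 senders stay per host in this toy

    def decide(self, now: int, ip: str, sender: str, rcpt: str) -> str:
        """Return 'tempfail' (451, retry later) or 'accept' for one attempt."""
        tup = (self.key(ip), sender, rcpt)
        first_seen = self.seen.setdefault(tup, now)
        return "accept" if now - first_seen >= self.passtime else "tempfail"


# Constructed delivery attempts: (seconds since first try, source IP, sender, recipient).
# The sending service retries from a different host in 203.0.113.0/24 each time.
ATTEMPTS = [
    (0,    "203.0.113.10", "alice@example.net", "bob@example.org"),
    (600,  "203.0.113.11", "alice@example.net", "bob@example.org"),
    (1800, "203.0.113.12", "alice@example.net", "bob@example.org"),
    (3600, "203.0.113.13", "alice@example.net", "bob@example.org"),
]


def run(key_by_net: bool) -> list:
    """Feed ATTEMPTS through one greylist and return the verdict per attempt."""
    g = Greylist(key_by_net=key_by_net)
    return [g.decide(*attempt) for attempt in ATTEMPTS]


if __name__ == "__main__":
    for policy, name in ((False, "per host"), (True, "per /24")):
        print(f"{name:9s}", run(policy))
```

With per-host keying every attempt is a brand-new tuple and the mail is delayed for as long as the sender keeps rotating hosts; with /24 keying the third attempt (30 minutes in) is accepted. The trade-off is that a /24 key also admits any other host in that block once one of them has passed, which is why the thread pairs greylisting with content filtering.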
Re: the whole greylisting, spam filtering thing
On 2017-09-29, Larry Hynes wrote:
> Markus Rosjat wrote:
>> my boss is getting on my nerves
>
> It may be mutual.
>
>> that greylisting is basically out of date because of things like
>> outlook.com and mails ending up delayed for ever. So the next logical
>> step would be to deploy a tool like rspamd or spamassassin to examine
>> mail content. These tools need to be trained and if you have a small
>> mailserver with fewer accounts this could take a while I imagine.
>
> Specifically in relation to rspamd: If you spend some time reading
> the documentation on the rspamd website you might find that:
>
> 1. the weight of rules which classify messages as 'ham' or 'spam'
> i.e. those rules which rely on the 'training' of messages, does not
> have to be, in the overall context, critical. rspamd deploys a
> boatload of 'tests', by default, and even more can be enabled, and
> each of those can be assigned a score. hamminess or spamminess is
> just one 'test'.

+1. rspamd doesn't do badly even with little/no training for spam/ham. It does have problems with certain mail, for example it likes to have various MIME headers, so you may need to make some exemptions for things like daily/security mail output, or mail from people who don't use MIME MUAs.

> 2. That the rspamd website specifically links to 'pre-built' ham
> and spam databases which you are free to download and use.

Definitely you would need to read documentation if using tools like rspamd or spamassassin.
OT: Re: Strange sed substitution removes text
howdee,

i am not quoting any text, because this note is OffTopic-ish...

i was looking at the comments from kshe regarding a full rewrite of the sed-utility... in particular, that there were obscure corner cases of tests that seemed to fail due to NULL or EOL or whatnot...

apparently, sed is a Turing-complete language - and hence, given enough time/space/memory, will surely not give a single TRUE/FALSE answer to some questions... to be honest, i do not understand all of the details or theory, that are involved in the statements i _just_ made - but... since sed is a STREAM editor, and since sed-scripts are usually finite-length, then maybe there should be some way to enforce a limit (like was done for string-buffers) on the inputs...

again, this is all just my pie-in-the-sky OT-commentary...

sincerely,
harold.
Re: the whole greylisting, spam filtering thing
On 09/29/17 15:06, Markus Rosjat wrote:
> my boss is getting on my nerves that greylisting is basically out of
> date because of things like outlook.com and mails ending up delayed for
> ever. So the next logical step would be to deploy a tool like rspamd or
> spamassassin to examine mail content. These tools need to be trained and
> if you have a small mailserver with fewer accounts this could take a
> while I imagine.

It won't surprise anyone here that I disagree with the assertion that greylisting is in any way outdated. Come back with that assertion when the SMTP RFC is amended to drop the retry requirement.

But there are actors in the email market that do not particularly care about standards compliance one way or the other, unfortunately (at least for those of us below critical mass in terms of volume) is to use the nospamd feature and not exposing those sending domains to greylisting at all.

My sedimentary nospamd file, built on discovering SPF info for badly behaved domains, is available here https://home.nuug.no/~peter/nospamd - I only started commenting entries after a while, but it's a Works for me(tM) file. See man spamd for examples of how to include that in your config.

If you want to build and maintain your own nospamd based on SPF records, Aaron Poffenberger's spf_fetch is very well worth looking into (see https://github.com/akpoff/spf_fetch)

> So my question is, is there some source that you could use to train
> these kind of tools (like a database that you could connect to for
> training content ) or is every one here, that uses these tools, lucky
> enough to have a shit load of users that do the training for your systems?

Yes, you need content filtering too. As others have said, you won't be able to totally avoid the training effort based on local preferences, but with working greylisting in front of the content filtering, those servers will run a lot cooler than without.

I suppose my long rant from a few years back is still relevant - https://bsdly.blogspot.no/2014/02/effective-spam-and-malware.html, for the fun parts of doing greytrapping see https://bsdly.blogspot.no/2013/05/keep-smiling-waste-spammers-time.html and https://bsdly.blogspot.no/2013/04/maintaining-publicly-available.html and of course https://bsdly.blogspot.no/2012/05/in-name-of-sane-email-setting-up-spamd.html might still be of some use.

- P

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: the whole greylisting, spam filtering thing
Hi Leo,

On 29.09.2017 at 16:57, Leo Unglaub wrote:
> Hey,
>
> On 09/29/17 15:06, Markus Rosjat wrote:
>> my boss is getting on my nerves that greylisting is basically out of
>> date because of things like outlook.com and mails ending up delayed for
>> ever. So the next logical step would be to deploy a tool like rspamd or
>> spamassassin to examine mail content. These tools need to be trained and
>> if you have a small mailserver with fewer accounts this could take a
>> while I imagine
>
> i assume that your boss is not an engineer and also not very familiar
> with how emails work. Greylisting is clearly NOT out of date at all.
> Greylisting simply makes use of stuff that is defined in the SMTP RFC.
> Every email server is allowed to temporarily deny the delivery of an
> email and ask the sending server for another try.

well we use greylisting and I gave MS a free pass but sometimes it doesn't seem to work anyway but that's ok for me.

> The problem in this case is clearly Microsoft who has no idea how email
> is supposed to work. You have two options here.

the customer will always complain no matter how often you explain the real problem :)

> A: Simply don't care about Microsoft and just send customers to a
> website where you describe the problem and tell them to contact
> Microsoft in order to fix their stuff. This works very well, my Company
> hosts around 2.3 million mailboxes and we use Greylisting and customers
> are okay with it.
>
> B: You exclude the outlook.com outgoing servers from greylisting.
> Microsoft provides a list of IP addresses that they use for delivery:
> https://mail.live.com/mail/ipspace.aspx
>
> 65.54.190.0/26
> 65.54.190.64/26
> 65.54.190.128/26
> 65.54.190.192/26
> 65.55.116.0/26
> 65.55.111.64/26
> 65.55.116.64/26
> 65.55.111.128/26
> 65.55.34.0/26
> 65.55.34.64/26
> 65.55.34.128/26
> 65.55.34.192/26
> 65.55.90.0/26
> 65.55.90.64/26
> 65.55.90.128/26
> 65.55.90.192/26
> 65.54.51.64/26
> 65.54.61.64/26
> 207.46.66.0/28
> 157.55.0.192/26
> 157.55.1.128/26
> 157.55.2.0/26
> 157.55.2.64/26
>
> Greetings
> Leo

I also check the spf record files of MS and added them too so we will see what's going to happen. I need to move to a more up to date setup so I just check my options what's used these days and yes greylisting works for me as long as no office 365 is involved but a lot of business partners of our customers moving to 365 and the email solution so it becomes a problem for me too. It's just frustrating to see a mail greylisted from 40 different ips ...

regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden
http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227

Please check whether this mail really needs to be printed!
Before you print it, think about your responsibility and commitment to the ENVIRONMENT
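Both Peter's SPF-derived nospamd file and the netblock list Leo pasted amount to the same thing: a list of sending networks exempted from greylisting. The following is an added example, not code from the thread and not Aaron Poffenberger's spf_fetch, of how such a list can be derived from SPF records: it walks the 'ip4:', 'ip6:', 'include:' and 'redirect=' terms and emits one netblock per line, the format a pf table file (and therefore a spamd nospamd file) accepts. DNS is replaced by a constructed in-memory table so the example runs offline; a real tool would resolve TXT records in lookup_spf(). All domain names and netblocks below are made up.

```python
"""Expand a domain's SPF record into netblocks for a spamd(8) nospamd table.

Offline walker over SPF terms. Not spf_fetch and not a full SPF evaluator:
it collects the address space a domain claims to send from.
"""
import ipaddress

# Constructed stand-in for DNS TXT answers. _spf3 includes example.com again
# on purpose, to show that include loops are cut.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.mail.example.com -all",
    "_spf.mail.example.com": ("v=spf1 ip4:203.0.113.0/26 ip6:2001:db8:10::/48 "
                              "include:_spf2.mail.example.com ~all"),
    "_spf2.mail.example.com": "v=spf1 redirect=_spf3.mail.example.com",
    "_spf3.mail.example.com": "v=spf1 ip4:203.0.113.64/26 include:example.com -all",
    "example.org": "v=spf1 a mx ip4:192.0.2.0/24 -all",
}

# RFC 7208 section 4.6.4 allows at most 10 DNS-causing terms per check; this
# walker counts every record it fetches, a slightly stricter approximation.
MAX_LOOKUPS = 10


def lookup_spf(name, table=FAKE_TXT):
    """Return the SPF TXT record for name, or None if there is none."""
    rec = table.get(name)
    return rec if rec and rec.startswith("v=spf1") else None


def spf_netblocks(domain, lookup=lookup_spf):
    """Return (sorted netblocks, unresolved) for domain.

    'unresolved' lists terms this offline walker cannot turn into addresses
    ('a', 'mx', 'exists:', 'ptr' need further DNS queries) plus names that
    had no record or exceeded the lookup budget, so the operator can see
    what the resulting nospamd entries do NOT cover.
    """
    nets, unresolved, seen = set(), [], set()
    lookups = 0

    def walk(name):
        nonlocal lookups
        if name in seen:                 # include/redirect loop: stop here
            return
        seen.add(name)
        lookups += 1
        if lookups > MAX_LOOKUPS:
            unresolved.append(f"lookup-limit:{name}")
            return
        rec = lookup(name)
        if rec is None:
            unresolved.append(f"none:{name}")
            return
        for term in rec.split()[1:]:
            term = term.lstrip("+-~?")   # the qualifier does not change the address set
            if term.startswith(("ip4:", "ip6:")):
                nets.add(ipaddress.ip_network(term[4:], strict=False))
            elif term.startswith("include:"):
                walk(term[len("include:"):])
            elif term.startswith("redirect="):
                # redirect only applies when nothing else matched, but for a
                # whitelist of sending networks it is safest to follow it.
                walk(term[len("redirect="):])
            elif term == "all":
                continue
            else:
                unresolved.append(f"{name}:{term}")

    walk(domain)
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return ordered, unresolved


def nospamd_lines(domain):
    """One netblock per line with a comment, as a pf table file accepts."""
    nets, _ = spf_netblocks(domain)
    return [f"{n.with_prefixlen}  # {domain}" for n in nets]


if __name__ == "__main__":
    for d in ("example.com", "example.org"):
        blocks, missing = spf_netblocks(d)
        print("\n".join(nospamd_lines(d)))
        if missing:
            print(f"# {d}: not expanded: {', '.join(missing)}")
```

Two points worth keeping in mind when doing this for real: the 'a' and 'mx' mechanisms expand to whatever those hosts resolve to at fetch time, so the list has to be regenerated periodically (which is what spf_fetch automates), and exempting a large provider's whole SPF range lets every tenant of that provider past greylisting, so the exemption only makes sense with content filtering behind it, as the rest of the thread says.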
Re: the whole greylisting, spam filtering thing
Hey,

On 09/29/17 15:06, Markus Rosjat wrote:
> my boss is getting on my nerves that greylisting is basically out of
> date because of things like outlook.com and mails ending up delayed for
> ever. So the next logical step would be to deploy a tool like rspamd or
> spamassassin to examine mail content. These tools need to be trained and
> if you have a small mailserver with fewer accounts this could take a
> while I imagine

i assume that your boss is not an engineer and also not very familiar with how emails work. Greylisting is clearly NOT out of date at all. Greylisting simply makes use of stuff that is defined in the SMTP RFC. Every email server is allowed to temporarily deny the delivery of an email and ask the sending server for another try.

The problem in this case is clearly Microsoft who has no idea how email is supposed to work. You have two options here.

A: Simply don't care about Microsoft and just send customers to a website where you describe the problem and tell them to contact Microsoft in order to fix their stuff. This works very well, my Company hosts around 2.3 million mailboxes and we use Greylisting and customers are okay with it.

B: You exclude the outlook.com outgoing servers from greylisting. Microsoft provides a list of IP addresses that they use for delivery: https://mail.live.com/mail/ipspace.aspx

65.54.190.0/26
65.54.190.64/26
65.54.190.128/26
65.54.190.192/26
65.55.116.0/26
65.55.111.64/26
65.55.116.64/26
65.55.111.128/26
65.55.34.0/26
65.55.34.64/26
65.55.34.128/26
65.55.34.192/26
65.55.90.0/26
65.55.90.64/26
65.55.90.128/26
65.55.90.192/26
65.54.51.64/26
65.54.61.64/26
207.46.66.0/28
157.55.0.192/26
157.55.1.128/26
157.55.2.0/26
157.55.2.64/26

Greetings
Leo
Re: the whole greylisting, spam filtering thing
Hi,

On 29.09.2017 at 15:39, Larry Hynes wrote:
> Markus Rosjat wrote:
>> my boss is getting on my nerves
>
> It may be mutual.

of course but well :)

>> that greylisting is basically out of date because of things like
>> outlook.com and mails ending up delayed for ever. So the next logical
>> step would be to deploy a tool like rspamd or spamassassin to examine
>> mail content. These tools need to be trained and if you have a small
>> mailserver with fewer accounts this could take a while I imagine.
>
> Specifically in relation to rspamd: If you spend some time reading
> the documentation on the rspamd website you might find that:
>
> 1. the weight of rules which classify messages as 'ham' or 'spam'
> i.e. those rules which rely on the 'training' of messages, does not
> have to be, in the overall context, critical. rspamd deploys a
> boatload of 'tests', by default, and even more can be enabled, and
> each of those can be assigned a score. hamminess or spamminess is
> just one 'test'.
>
> 2. That the rspamd website specifically links to 'pre-built' ham
> and spam databases which you are free to download and use.

I'll check this out ! Thank you for the hint !!!

regards

--
Markus Rosjat
Change Time zones cause ddb in 6.2 snapshot
snapshots/amd64/ Build date: 1506531075 - Wed Sep 27 16:51:15 UTC 2017

how to repeat the problem

# config -ef /bsd
[...]
Enter 'help' for information
ukc> timezone -480
timezone = -480, dst = 0
ukc> quit
Saving modified kernel.

reboot
wait boot ...
...
ddb>
Re: the whole greylisting, spam filtering thing
On Fri, Sep 29, 2017 at 03:06:29PM +0200, Markus Rosjat wrote:
> So my question is, is there some source that you could use to train
> these kind of tools (like a database that you could connect to for
> training content ) or is every one here, that uses these tools, lucky
> enough to have a shit load of users that do the training for your systems?
>
> some information about this would be helpful

As far as I understand it, the Bayesian learning system learns stuff pertinent to your domain, so you have to train it. Spam at one domain might not be spam at another.

My system has only a few email addresses, but I keep all my spam. I make sa-learn --spam read the spam, and sa-learn --ham the stuff I've filtered and examined that they are all not-spam. It doesn't take long.

https://wiki.apache.org/spamassassin/BayesInSpamAssassin

--
J.
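What the sa-learn --spam / --ham training described above actually feeds, as an added illustration that is not SpamAssassin's implementation: a multinomial naive Bayes over word tokens with add-one smoothing, trained on six constructed messages. It shows the point that the classifier knows only what the local corpus taught it: vocabulary from the training mail is decisive, and words never seen in either class carry almost no evidence, which is why a database trained at another site is of limited use.

```python
"""Token-level Bayesian spam scoring, trained from a local ham/spam corpus.

Constructed example of the technique, not SpamAssassin's Bayes plugin.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$']+")


def tokens(text):
    return TOKEN.findall(text.lower())


class Bayes:
    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}   # token counts per class
        self.docs = {"spam": 0, "ham": 0}                      # messages per class

    def learn(self, label, text):
        """Equivalent of feeding one message to sa-learn --spam / --ham."""
        self.counts[label].update(tokens(text))
        self.docs[label] += 1

    def spam_probability(self, text):
        """P(spam | text) under the naive independence assumption."""
        vocab = set(self.counts["spam"]) | set(self.counts["ham"])
        logp = {}
        for label in ("spam", "ham"):
            total = sum(self.counts[label].values())
            lp = math.log(self.docs[label] / sum(self.docs.values()))   # class prior
            for tok in tokens(text):
                # add-one smoothing over the vocabulary plus one "unknown" slot:
                # a token seen in neither class contributes 1/(total+V+1) to both
                # sides, so it only nudges towards the smaller training set.
                lp += math.log((self.counts[label][tok] + 1) / (total + len(vocab) + 1))
            logp[label] = lp
        m = max(logp.values())                     # rescale before exp to avoid underflow
        p_spam, p_ham = math.exp(logp["spam"] - m), math.exp(logp["ham"] - m)
        return p_spam / (p_spam + p_ham)


# Constructed training corpus for one small site.
SPAM = [
    "buy cheap fox fur wholesale order now discount",
    "wholesale order batch discount price list attached",
    "cheap watches discount buy now",
]
HAM = [
    "the cron job on the mail server finished, log attached",
    "meeting moved to thursday, see the updated agenda",
    "patch for the spamd config, please review the diff",
]


def train():
    b = Bayes()
    for m in SPAM:
        b.learn("spam", m)
    for m in HAM:
        b.learn("ham", m)
    return b


if __name__ == "__main__":
    b = train()
    for msg in ("wholesale fox fur order discount",
                "please review the patch for the mail server",
                "quarterly budget spreadsheet"):
        print(f"{b.spam_probability(msg):.3f}  {msg}")
```

The third test message consists entirely of unseen words and lands near 0.5: the classifier has no opinion until somebody at this site has labelled mail like it, which is the training effort the thread is about. Real Bayes implementations add token expiry, header tokens and a minimum corpus size before they start scoring, but the dependence on local training is the same.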
Re: the whole greylisting, spam filtering thing
Markus Rosjat wrote:
> my boss is getting on my nerves

It may be mutual.

> that greylisting is basically out of date because of things like
> outlook.com and mails ending up delayed for ever. So the next logical
> step would be to deploy a tool like rspamd or spamassassin to examine
> mail content. These tools need to be trained and if you have a small
> mailserver with fewer accounts this could take a while I imagine.

Specifically in relation to rspamd: If you spend some time reading the documentation on the rspamd website you might find that:

1. the weight of rules which classify messages as 'ham' or 'spam' i.e. those rules which rely on the 'training' of messages, does not have to be, in the overall context, critical. rspamd deploys a boatload of 'tests', by default, and even more can be enabled, and each of those can be assigned a score. hamminess or spamminess is just one 'test'.

2. That the rspamd website specifically links to 'pre-built' ham and spam databases which you are free to download and use.
the whole greylisting, spam filtering thing
Hi there,

my boss is getting on my nerves that greylisting is basically out of date because of things like outlook.com and mails ending up delayed for ever. So the next logical step would be to deploy a tool like rspamd or spamassassin to examine mail content. These tools need to be trained and if you have a small mailserver with fewer accounts this could take a while I imagine.

So my question is, is there some source that you could use to train these kind of tools (like a database that you could connect to for training content ) or is every one here, that uses these tools, lucky enough to have a shit load of users that do the training for your systems?

some information about this would be helpful

regards

--
Markus Rosjat
thinkpad x270 - suspend and resume works - thanks
Hi!

If you have a thinkpad x270, suspend and resume works now! Of course, by chance the video driver is a different one.

This is OpenBSD -current with the last snapshot.

dmesg and Xorg.0.log attached

Pau

=
OpenBSD 6.2 (GENERIC.MP) #117: Thu Sep 28 11:57:37 MDT 2017
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8068124672 (7694MB)
avail mem = 7816585216 (7454MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xbf0da000 (62 entries)
bios0: vendor LENOVO version "R0IET43W (1.21 )" date 09/02/2017
bios0: LENOVO 20HNA004CD
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP UEFI SSDT SSDT HPET APIC MCFG ECDT SSDT SSDT BOOT BATB SSDT SSDT SSDT WSMT SSDT SSDT DBGP DBG2 MSDM ASF! FPDT UEFI
acpi0: wakeup devices GLAN(S4) XHC_(S3) XDCI(S4) HDAS(S4) RP01(S4) RP02(S4) RP04(S4) RP05(S4) RP06(S4) RP07(S4) RP08(S4) RP09(S4) RP10(S4) RP11(S4) RP12(S4) RP13(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 2399 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz, 2904.00 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 290400 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz, 2904.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz, 2904.00 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz, 2904.00 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins
acpimcfg0 at acpi0 addr 0xf000, bus 0-63
acpiec0 at acpi0
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus 3 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpiprt5 at acpi0: bus 4 (RP05)
acpiprt6 at acpi0: bus -1 (RP06)
acpiprt7 at acpi0: bus -1 (RP07)
acpiprt8 at acpi0: bus -1 (RP08)
acpiprt9 at acpi0: bus -1 (RP09)
acpiprt10 at acpi0: bus -1 (RP10)
acpiprt11 at acpi0: bus -1 (RP11)
acpiprt12 at acpi0: bus -1 (RP12)
acpiprt13 at acpi0: bus -1 (RP13)
acpiprt14 at acpi0: bus -1 (RP14)
acpiprt15 at acpi0: bus -1 (RP15)
acpiprt16 at acpi0: bus -1 (RP16)
acpiprt17 at acpi0: bus -1 (RP17)
acpiprt18 at acpi0: bus -1 (RP18)
acpiprt19 at acpi0: bus -1 (RP19)
acpiprt20 at acpi0: bus -1 (RP20)
acpiprt21 at acpi0: bus -1 (RP21)
acpiprt22 at acpi0: bus -1 (RP22)
acpiprt23 at acpi0: bus -1 (RP23)
acpiprt24 at acpi0: bus -1 (RP24)
acpicpu0 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu2 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu3 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151
Re: Installer hangs - "already acking lease"
The issue is now fixed.

https://marc.info/?l=openbsd-cvs=150663395424206=2

Thanks to K. R. Westerback!

--
Eivind Eide
"ONLY THOSE WHO ATTEMPT THE IMPOSSIBLE WILL ACHIEVE THE ABSURD" - Oceania Association of Autonomous Astronauts
IPsec (isakmpd) in rdomain non zero needs default route
Hello,

I don't know if I should post this to misc@ or bugs@... If this is the wrong list tell me I'll file a proper bug report.

I need to add a default route in rdomain 1 to be able to use the tunnels created by isakmpd. That is a bit weird, routes should be injected by isakmpd.

Here is my test setup :

       em1 (rd1): 192.168.0.1 ------------------ em1 (rd1): 192.168.0.2
  +-----------------------------+          +-----------------------------+
  |            rtr1             |          |            rtr2             |
  |  lo1 (rd1): 127.0.0.1       |          |  lo1 (rd1): 127.0.0.1       |
  |      alias: 192.168.1.1     |          |      alias: 192.168.2.1     |
  +-----------------------------+          +-----------------------------+

on rtr 1 and 2 :
  created enc1 rdomain 1 up
  launched route -T 1 exec isakmpd -K

tunnel conf rtr 1:

ike esp from 192.168.1.0/24 to 192.168.2.0/24 local 192.168.0.2 peer 192.168.0.2 \
    main auth hmac-md5 enc 3des group modp1024 lifetime 28800 \
    quick auth hmac-md5 enc 3des group modp1024 lifetime 3600 psk "deadbeef"

tunnel conf rtr 2:

ike esp from 192.168.2.0/24 to 192.168.1.0/24 local 192.168.0.2 peer 192.168.0.1 \
    main auth hmac-md5 enc 3des group modp1024 lifetime 28800 \
    quick auth hmac-md5 enc 3des group modp1024 lifetime 3600 psk "deadbeef"

routing table rt1 :

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo1
192.168.0/24       192.168.0.1        UCn        1        0     -     4 em1
192.168.0.1        00:50:56:b4:7b:eb  UHLl       0       37     -     1 em1
192.168.0.2        00:50:56:b4:77:82  UHLc       1       16     -     3 em1
192.168.0.255      192.168.0.1        UHb        0        0     -     1 em1
192.168.1.1        192.168.1.1        UHl        0        7 32768     1 lo1

routing table rt2 :

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo1
192.168.0/24       192.168.0.2        UCn        0        0     -     4 em1
192.168.0.2        00:50:56:b4:77:82  UHLl       0      245     -     1 em1
192.168.0.255      192.168.0.2        UHb        0        0     -     1 em1
192.168.2.1        192.168.2.1        UHl        0       52 32768     1 lo1

flows rtr1 :

# route -T1 exec ipsecctl -sf
flow esp in from 192.168.2.0/24 to 192.168.1.0/24 peer 192.168.0.2 srcid 192.168.0.1/32 dstid 192.168.0.2/32 type use
flow esp out from 192.168.1.0/24 to 192.168.2.0/24 peer 192.168.0.2 srcid 192.168.0.1/32 dstid 192.168.0.2/32 type require

flows rtr2 :

# route -T1 exec ipsecctl -sf
flow esp in from 192.168.1.0/24 to 192.168.2.0/24 peer 192.168.0.1 srcid 192.168.0.2/32 dstid 192.168.0.1/32 type use
flow esp out from 192.168.2.0/24 to 192.168.1.0/24 peer 192.168.0.1 srcid 192.168.0.2/32 dstid 192.168.0.1/32 type require

On rtr1 : ping -V 1 -I 192.168.1.1 192.168.2.1 won't work until I do on both routers : route -T1 add default 127.0.0.1

My guess is that the problem is quite the same as with inter-domain routing with PF : destination lookup is done BEFORE processing by PF or IPSEC (explained here for PF : https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/). So when there is no default route, it fails. If this guess is right, the problem should also happen on rdomain 0.

Could you fix the code to make it work without the default route ? Or, as I suspect, is this too difficult and I'll go with my workaround ?

--
Regards,
Pierre Bardou
Re: FF vs. Chrome/Chromium
On 2017-09-28, Boudewijn Dijkstra wrote:
> On Wed, 27 Sep 2017 16:44:01 +0200, Theo de Raadt wrote:
>>> Firefox has W^X compliance and so runs with the secure defaults.
>>
>> it uses page aliasing, which is a shitty way of being compliant
>
> Do you mean dual-mapping a.k.a. double-mapping? I found some old patches
> using a temporary file and mmap w/ fd to achieve this, but they never
> went in.
>
> This blog:
> https://jandemooij.nl/blog/2015/12/29/wx-jit-code-enabled-in-firefox/
> suggests that it is simply switching between RW and RX using mprotect.
>
> Can you please elaborate?

That was my understanding too, and that's what ktrace shows.

...
13015 firefox CALL mprotect(0x2c907b6eb000,0x1000,0x3 )
13015 firefox RET mprotect 0
13015 firefox CALL mprotect(0x2c907b6eb000,0x1000,0x5 )
13015 firefox RET mprotect 0
13015 firefox CALL mprotect(0x2c907b6eb000,0x1000,0x3 )
13015 firefox RET mprotect 0
13015 firefox CALL mprotect(0x2c907b6eb000,0x1000,0x5 )
13015 firefox RET mprotect 0
13015 firefox CALL mprotect(0x2c907b6eb000,0x1000,0x3 )
13015 firefox RET mprotect 0
13015 firefox CALL mprotect(0x2c907b6eb000,0x1000,0x5 )
13015 firefox RET mprotect 0
13015 firefox CALL mprotect(0x2c907b6eb000,0x1000,0x3 )
13015 firefox RET mprotect 0
13015 firefox CALL mprotect(0x2c907b6eb000,0x1000,0x5 )
13015 firefox RET mprotect 0
...
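Reading a trace like the one above by eye works for one page; for a whole kdump it helps to have a small checker. The following is an added analysis helper, not code from the thread: it parses kdump CALL lines, groups mprotect(2) calls per (pid, address), counts how often a region flips between writable-not-executable (0x3) and executable-not-writable (0x5), and flags any request for PROT_WRITE|PROT_EXEC at once, which is the combination W^X denies. SAMPLE is the trace posted above; RWX_LINE is a constructed line that exercises the violation branch.

```python
"""Summarise mprotect(2) protection changes per page from kdump(1) output.

Added helper. The symbolic flag names kdump prints after the number were lost
in the post's formatting, so the parser tolerates anything up to the ')'.
"""
import re
from collections import defaultdict

PROT_READ, PROT_WRITE, PROT_EXEC = 0x1, 0x2, 0x4

# Trace posted in the thread above (RET lines are ignored by the parser).
SAMPLE = """\
13015 firefox CALL mprotect(0x2c907b6eb000,0x1000,0x3 )
13015 firefox RET mprotect 0
13015 firefox CALL mprotect(0x2c907b6eb000,0x1000,0x5 )
13015 firefox RET mprotect 0
13015 firefox CALL mprotect(0x2c907b6eb000,0x1000,0x3 )
13015 firefox RET mprotect 0
13015 firefox CALL mprotect(0x2c907b6eb000,0x1000,0x5 )
13015 firefox RET mprotect 0
13015 firefox CALL mprotect(0x2c907b6eb000,0x1000,0x3 )
13015 firefox RET mprotect 0
13015 firefox CALL mprotect(0x2c907b6eb000,0x1000,0x5 )
13015 firefox RET mprotect 0
13015 firefox CALL mprotect(0x2c907b6eb000,0x1000,0x3 )
13015 firefox RET mprotect 0
13015 firefox CALL mprotect(0x2c907b6eb000,0x1000,0x5 )
13015 firefox RET mprotect 0
"""

# Constructed line: a process asking for a page that is both writable and executable.
RWX_LINE = "4242 demo CALL mprotect(0x7f0000001000,0x1000,0x7 )"

CALL_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+CALL\s+mprotect\("
    r"(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)[^)]*\)")


def parse_mprotect_calls(text):
    """Yield (pid, comm, addr, length, prot) for every mprotect CALL line."""
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            pid, comm, addr, length, prot = m.groups()
            yield int(pid), comm, int(addr, 16), int(length, 16), int(prot, 16)


def prot_str(prot):
    names = [name for bit, name in ((PROT_READ, "PROT_READ"),
                                    (PROT_WRITE, "PROT_WRITE"),
                                    (PROT_EXEC, "PROT_EXEC")) if prot & bit]
    return "|".join(names) or "PROT_NONE"


def is_wx_flip(before, after):
    """True when a region goes W-but-not-X -> X-but-not-W or the reverse."""
    w_to_x = before & PROT_WRITE and after & PROT_EXEC and not after & PROT_WRITE
    x_to_w = before & PROT_EXEC and after & PROT_WRITE and not after & PROT_EXEC
    return bool(w_to_x or x_to_w)


def analyse(text):
    """Per (pid, address): call count, W<->X flips, whether RWX was ever requested."""
    history = defaultdict(list)
    for pid, comm, addr, length, prot in parse_mprotect_calls(text):
        history[(pid, hex(addr))].append(prot)
    report = {}
    for key, prots in history.items():
        report[key] = {
            "calls": len(prots),
            "wx_flips": sum(is_wx_flip(a, b) for a, b in zip(prots, prots[1:])),
            "rwx_requested": any(p & PROT_WRITE and p & PROT_EXEC for p in prots),
            "last": prot_str(prots[-1]),
        }
    return report


if __name__ == "__main__":
    for key, summary in analyse(SAMPLE + RWX_LINE).items():
        print(key, summary)
```

On the posted trace the page 0x2c907b6eb000 is never writable and executable at the same time, which is what "W^X compliant" means at the syscall level; the seven flips in eight calls are the cost of achieving it by toggling protections rather than by some other means, and on a busy JIT that churn is what a kernel-side profile would show.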
Re: OpenBSD 6.1/i386 hangs on reboot
I have tried the latest snapshot and ... thanks for fixing this! reboot and shutdown are now working again on my 16 year old notebook!

> Sent: Friday, 12 May 2017 at 22:06
> From: Infoomatic
> To: "OpenBSD Misc"
> Subject: OpenBSD 6.1/i386 hangs on reboot
>
> I wanted to try to resolve the issue I just posted and tried to reboot,
> however the machine hangs and shows:
>
> syncing disks... done
> ehci0: reset timeout
> rebooting...
>
> even pushing the power button long does not switch off the machine, I have to
> unplug the power supply and remove the battery. Anyone with the same errors?
Re: relayd TLS load balancer for multiple websites
On 2017-09-28, Darren Tucker wrote:
> On 28 September 2017 at 06:32, mabi wrote:
>> Thanks for the pointer regarding SNI not being supported in relayd. I will
>> go on and find another solution, probably HAproxy.
>
> For a small number of domains it would probably be feasible to get a
> single certificate with multiple SANs. Letsencrypt at least supports
> this as long as all of the domains map (or can be made to map) to the
> place requesting the certificate.

With the dns-01 challenge type they don't need to be mapped to the same place at all. Though the normal http-01 challenge requests don't use TLS, so it should be easy enough to proxy them, even with relayd.
Re: Mount LUKS and truecrypt external volumes
> There aren't any in ports. It might be worth trying porting FUSE-based
> implementations, though FUSE on OpenBSD is missing a few things so
> porting might be a bit awkward, and it's not the most reliable thing
> in the world ever, but it mostly works (at least it doesn't trigger
> panics all that often any more).

got it.

> If you want high quality FDE on OpenBSD, use softraid(4) crypto.

thanks.
Re: relayd TLS load balancer for multiple websites
28 September 2017 15:50 "mabi" wrote:
> Thanks for the pointer regarding SNI not being supported in relayd. I will go
> on and find another solution, probably HAproxy.
>
>> Original Message
>> Subject: Re: relayd TLS load balancer for multiple websites
>> Local Time: September 28, 2017 3:02 PM
>> UTC Time: September 28, 2017 1:02 PM
>> From: mcmer-open...@tor.at
>> To: mabi
>> openbsd-misc
>>
>> m...@protonmail.ch (mabi), 2017.09.28 (Thu) 13:32 (CEST):
>>> I was wondering if it is possible to use relayd as load balancer with
>>> TLS termination for multiple different websites residing on different
>>> server.
>>
>> With a public IP per website: yes. Else: no.
>>
>> reyk@, 2014-07-24, "no SNI yet"
>> https://marc.info/?l=openbsd-misc=140621533620964
>>
>> recent thread:
>> https://marc.info/?l=openbsd-misc=150599591326006
>>
>> Marcus
>>
>> btw, protonmail's "text/plain, base64, utf-8" reportedly keeps people
>> from seeing these messages.

Hi,

I have used Nginx for this, in production, for many years; it's simple and works well.

Comete
Re: Crypto softraid is supported on GPT/UEFI boot and not just on BIOS/MBR boot, right?
2017-09-29 3:31 GMT+02:00 Nick Holland:
>
> By that logic, we should have quit using cheap disks when they went over
> 32MB. Or 120MB. Or 504MB. Or 128GB. Or ...
> I have MBRs on 4TB SoftRaid volumes, works fine.
>
> fdisk, make the "entire" disk (welll, the first 2TB) OpenBSD.
> disklabel, change the boundaries of the OpenBSD part to be the entire
> disk. Done.
>

I seem to recall that "trick" on the 2G boundary, or if it was the 8G IDE limit, or the 33G. disklabel being "better" than fdisk at accepting larger-than-some-artificial-limit seems to be a tradition. ;)

--
May the most significant bit of your life be positive.