Re: the whole greylisting, spam filtering thing

2017-09-29 Thread Stuart Henderson
On 2017-09-29, Peter N. M. Hansteen  wrote:
> On 09/29/17 15:06, Markus Rosjat wrote:
>
>> my boss is getting on my nerves that greylisting is basically out of
>> date because of things like outlook.com and mails ending up delayed
>> forever. So the next logical step would be to deploy a tool like rspamd or
>> spamassassin to examine mail content. These tools need to be trained and
>> if you have a small mailserver with fewer accounts this could take a
>> while I imagine.
>
> It won't surprise anyone here that I disagree with the assertion that
> greylisting is in any way outdated. Come back with that assertion when
> the SMTP RFC is amended to drop the retry requirement.

These senders do retry, but not always from the same source address.
Are you aware of any requirement in RFC5321 about source addresses
of retries? I didn't find any when I looked (or even a requirement that
retries are done over the same IP protocol version).

Greylisting still has its place, but with the way email operates today,
exemptions are unavoidable if you have a requirement to communicate
reliably with users of many email services. Especially with a strict
per-host greylisting implementation, where you don't get any benefit
from the common thing where senders often arrange to retry from within
the same v4 /24.

What you can do with rspamd is only greylist mail that looks spammy
but isn't scored highly enough to block outright. (Or you could think
of that as making an exemption for mail that doesn't look too spammy).
This works quite well in my experience. Unfortunately it's a lot more
complex to configure than spamd, though once you start adding
scripts and trying to work out who to whitelist, the spamd setup
doesn't seem quite so straightforward either.

Most of the spam that reaches my mailbox is forwarded by a (high
IP reputation) host that sits behind spamd. (I'm looking at you,
Chinese state-owned enterprise trying to order a batch of fox
fur from my @openbsd address! And others.) That's a lot trickier
to block on my side without false positives.
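The two points in the message above, strict per-host keying losing the benefit of retries that arrive from elsewhere in the same /24, and greylisting only the band of mail that looks spammy without scoring high enough to reject, can be seen in a small simulation. This is an added example, not code from the thread, from spamd or from rspamd: the score thresholds, the addresses and the sender/recipient pair are constructed, and the 25-minute passtime is spamd(8)'s default.

```python
import ipaddress

# Constructed policy values (not from the thread): mail scoring below
# GREYLIST_AT is accepted outright, mail scoring REJECT_AT or more is
# rejected, and only the band in between is subjected to greylisting.
GREYLIST_AT = 4.0
REJECT_AT = 15.0
# Seconds a greylist entry must age before a retry is let through;
# 25 minutes is spamd(8)'s default passtime.
PASSTIME = 25 * 60


def score_action(score):
    """Map a content-filter score to accept / greylist / reject."""
    if score >= REJECT_AT:
        return "reject"
    if score >= GREYLIST_AT:
        return "greylist"
    return "accept"


class Greylist:
    """Toy greylist keyed on (source, MAIL FROM, RCPT TO).

    per_host=True keys on the exact source address (the strict per-host
    behaviour discussed in the thread); per_host=False widens an IPv4
    source to its /24, so a retry from a neighbouring address in the same
    /24 counts as the same tuple.
    """

    def __init__(self, exempt=(), per_host=True):
        # nospamd-style exemptions: anything inside these networks bypasses greylisting.
        self.exempt = [ipaddress.ip_network(n) for n in exempt]
        self.per_host = per_host
        self.first_seen = {}   # tuple -> time the tuple was first seen
        self.passed = set()    # tuples that have completed a retry

    def is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exempt)

    def _key(self, ip, mail_from, rcpt_to):
        addr = ipaddress.ip_address(ip)
        if self.per_host or addr.version != 4:
            src = str(addr)
        else:
            src = str(ipaddress.ip_network(f"{addr}/24", strict=False))
        return (src, mail_from.lower(), rcpt_to.lower())

    def decide(self, ip, mail_from, rcpt_to, score, now):
        """Return accept / tempfail / reject for one delivery attempt at time `now`."""
        if self.is_exempt(ip):
            return "accept"
        action = score_action(score)
        if action != "greylist":
            return action
        key = self._key(ip, mail_from, rcpt_to)
        if key in self.passed:
            return "accept"
        first = self.first_seen.get(key)
        if first is None:
            self.first_seen[key] = now      # new tuple: ask the sender to retry
            return "tempfail"
        if now - first >= PASSTIME:
            self.passed.add(key)            # retried after passtime: let it through
            return "accept"
        return "tempfail"                   # retried too early


def simulate(per_host):
    """A sender retries from a different host in the same /24 (constructed addresses)."""
    g = Greylist(exempt=["192.0.2.0/24"], per_host=per_host)
    args = ("sender@example.org", "me@example.net", 6.0)   # mail_from, rcpt_to, score
    first = g.decide("203.0.113.5", *args, now=0)
    retry = g.decide("203.0.113.9", *args, now=30 * 60)
    exempt = g.decide("192.0.2.10", *args, now=0)
    return first, retry, exempt


if __name__ == "__main__":
    print("per-host:", simulate(per_host=True))   # the retry is greylisted again
    print("per-/24 :", simulate(per_host=False))  # the retry passes
```

With per-host keying the second attempt from 203.0.113.9 is a brand-new tuple and gets another temporary failure; with /24 keying it is the retry the first attempt asked for and is accepted. The exempt source is accepted without ever touching the greylist, which is what a nospamd entry buys you.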




Re: the whole greylisting, spam filtering thing

2017-09-29 Thread Stuart Henderson
On 2017-09-29, Larry Hynes  wrote:
> Markus Rosjat  wrote:
>> my boss is getting on my nerves
>
> It may be mutual.
>
>> that greylisting is basically out of date because of things like
>> outlook.com and mails ending up delayed forever. So the next logical
>> step would be to deploy a tool like rspamd or spamassassin to examine
>> mail content. These tools need to be trained and if you have a small
>> mailserver with fewer accounts this could take a while I imagine.
>
> Specifically in relation to rspamd: If you spend some time reading
> the documentation on the rspamd website you might find that:
>
> 1. the weight of rules which classify messages as 'ham' or 'spam'
> i.e. those rules which rely on the 'training' of messages, does not
> have to be, in the overall context, critical. rspamd deploys a
> boatload of 'tests', by default, and even more can be enabled, and
> each of those can be assigned a score. hamminess or spamminess is
> just one 'test'.

+1. rspamd doesn't do badly even with little/no training for spam/ham.

It does have problems with certain mail, for example it likes to have various
MIME headers, so you may need to make some exemptions for things like
daily/security mail output, or mail from people who don't use MIME MUAs.

> 2. That the rspamd website specifically links to 'pre-built' ham
> and spam databases which you are free to download and use.

Definitely you would need to read documentation if using tools like
rspamd or spamassassin.




OT: Re: Strange sed substitution removes text

2017-09-29 Thread harold felton
howdee,

i am not quoting any text, because this note is OffTopic-ish...

i was looking at the comments from kshe regarding a full rewrite
of the sed-utility...  in particular, that there were obscure corner
cases of tests that seemed to fail due to NULL or EOL or whatnot...

apparently, sed is a Turing-complete language - and hence,
given enough time/space/memory, will surely not give a single
TRUE/FALSE answer to some questions...

to be honest, i do not understand all of the details or theory,
that are involved in the statements i _just_ made - but...

since sed is a STREAM editor, and since sed-scripts are usually
finite-length, then maybe there should be some way to enforce
a limit (like was done for string-buffers) on the inputs...

again, this is all just my pie-in-the-sky OT-commentary...

sincerely, harold.


Re: the whole greylisting, spam filtering thing

2017-09-29 Thread Peter N. M. Hansteen
On 09/29/17 15:06, Markus Rosjat wrote:

> my boss is getting on my nerves that greylisting is basically out of
> date because of things like outlook.com and mails ending up delayed
> forever. So the next logical step would be to deploy a tool like rspamd or
> spamassassin to examine mail content. These tools need to be trained and
> if you have a small mailserver with fewer accounts this could take a
> while I imagine.

It won't surprise anyone here that I disagree with the assertion that
greylisting is in any way outdated. Come back with that assertion when
the SMTP RFC is amended to drop the retry requirement.

But there are actors in the email market that do not particularly care
about standards compliance one way or the other, and unfortunately the
answer (at least for those of us below critical mass in terms of volume)
is to use the nospamd feature and not expose those sending domains to
greylisting at all. My sedimentary nospamd file, built on discovering SPF
info for badly behaved domains, is available here:
https://home.nuug.no/~peter/nospamd - I only started commenting entries
after a while, but it's a Works for me(TM) file. See man spamd for
examples of how to include that in your config. If you want to build and
maintain your own nospamd based on SPF records, Aaron Poffenberger's
spf_fetch is very well worth looking into (see
https://github.com/akpoff/spf_fetch).

> So my question is, is there some source that you could use to train
> these kinds of tools (like a database that you could connect to for
> training content) or is everyone here, that uses these tools, lucky
> enough to have a shit load of users that do the training for your systems?

Yes, you need content filtering too. As others have said, you won't be
able to totally avoid the training effort based on local preferences,
but with working greylisting in front of the content filtering, those
servers will run a lot cooler than without.

I suppose my long rant from a few years back is still relevant -
https://bsdly.blogspot.no/2014/02/effective-spam-and-malware.html, for
the fun parts of doing greytrapping see
https://bsdly.blogspot.no/2013/05/keep-smiling-waste-spammers-time.html
and
https://bsdly.blogspot.no/2013/04/maintaining-publicly-available.html
and of course
https://bsdly.blogspot.no/2012/05/in-name-of-sane-email-setting-up-spamd.html
might still be of some use.

- P

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
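For the nospamd-from-SPF approach described above, here is an added example (it is neither spf_fetch nor Peter's file) of what such a tool has to do: walk a domain's SPF record, follow include: and redirect=, respect the RFC 7208 limit of ten DNS-querying terms, and emit one network per line in the form the <nospamd> pf table takes. DNS is replaced by a constructed table of TXT records for hypothetical domains, one of which refers back to another so the loop handling is exercised; terms that would need A/MX/PTR lookups are reported rather than silently dropped.

```python
import ipaddress

# RFC 7208 section 4.6.4: at most 10 DNS-querying terms per evaluation.
MAX_LOOKUPS = 10

# Constructed TXT data standing in for real DNS lookups (hypothetical domains).
# loop.example.net refers back to _spf.example.net to show loop handling.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "_spf.example.net": ("v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 "
                         "include:loop.example.net ~all"),
    "loop.example.net": "v=spf1 include:_spf.example.net a mx -all",
}


def lookup_spf(domain):
    """Return the v=spf1 TXT record for domain from the constructed table, or None."""
    rec = FAKE_TXT.get(domain.lower())
    return rec if rec and rec.lower().startswith("v=spf1") else None


def spf_networks(domain, resolver=lookup_spf, _seen=None, _budget=None):
    """Collect the ip4:/ip6: networks a domain's SPF record authorises.

    include: and redirect= are followed; loops and the lookup budget are
    enforced; terms that need further DNS work (a, mx, ptr, exists) are
    reported in `skipped` so the operator knows the list is incomplete.
    """
    seen = set() if _seen is None else _seen
    budget = [MAX_LOOKUPS] if _budget is None else _budget
    nets, skipped = [], []
    domain = domain.lower()
    if domain in seen:
        skipped.append(f"{domain}: include loop")
        return nets, skipped
    seen.add(domain)
    rec = resolver(domain)
    if rec is None:
        skipped.append(f"{domain}: no SPF record")
        return nets, skipped
    for term in rec.split()[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            target, follow = low.split("=", 1)[1], True
        else:
            qualifier = "+"
            if low[0] in "+-~?":
                qualifier, low = low[0], low[1:]
            if qualifier != "+":
                continue            # -all, ~all, ?ip4:... do not authorise senders
            follow, target = low.startswith("include:"), low.partition(":")[2]
        if follow:
            if budget[0] <= 0:
                skipped.append(f"{target}: lookup limit reached")
                continue
            budget[0] -= 1
            sub_nets, sub_skipped = spf_networks(target, resolver, seen, budget)
            nets += sub_nets
            skipped += sub_skipped
        elif low.startswith(("ip4:", "ip6:")):
            try:
                nets.append(ipaddress.ip_network(target, strict=False))
            except ValueError:
                skipped.append(f"{domain}: unparsable {term}")
        elif low != "all":
            skipped.append(f"{domain}: {term} needs an A/MX/PTR lookup, not expanded")
    return nets, skipped


def nospamd_entries(domain):
    """Networks in the one-per-line form a nospamd file takes, overlaps collapsed."""
    nets, skipped = spf_networks(domain)
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in (*v4, *v6)], skipped


if __name__ == "__main__":
    entries, notes = nospamd_entries("example.com")
    print("\n".join(entries))
    for note in notes:
        print("#", note)
```

Only "+" (pass) mechanisms are collected: a -all or ~all says nothing about who may send, and an exemption list built from SPF should contain only addresses the domain actually vouches for. The skipped notes are worth writing into the file as comments, since a record made of a/mx terms expands to nothing here and would otherwise look like a domain with no senders.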



Re: the whole greylisting, spam filtering thing

2017-09-29 Thread Markus Rosjat

Hi Leo,

On 29.09.2017 at 16:57, Leo Unglaub wrote:
> Hey,
>
> On 09/29/17 15:06, Markus Rosjat wrote:
>> my boss is getting on my nerves that greylisting is basically out of
>> date because of things like outlook.com and mails ending up delayed
>> forever. So the next logical step would be to deploy a tool like
>> rspamd or spamassassin to examine mail content. These tools need to be
>> trained and if you have a small mailserver with fewer accounts this
>> could take a while I imagine
>
> i assume that your boss is not an engineer and also not very familiar
> with how emails work. Greylisting is clearly NOT out of date at all.
> Greylisting simply makes use of stuff that is defined in the SMTP RFC.
> Every email server is allowed to temporarily deny the delivery of an email
> and ask the sending server for another try.

well we use greylisting and I gave MS a free pass but sometimes it
doesn't seem to work anyway but that's ok for me.

> The problem in this case is clearly Microsoft who has no idea how email
> is supposed to work. You have two options here.

the customer will always complain no matter how often you explain the
real problem :)

> A: Simply don't care about Microsoft and just send customers to a
> website where you describe the problem and tell them to contact
> Microsoft in order to fix their stuff. This works very well, my Company
> hosts around 2.3 million mailboxes and we use Greylisting and customers
> are okay with it.
>
> B: You exclude the outlook.com outgoing servers from greylisting.
> Microsoft provides a list of IP addresses that they use for delivery:
>
> https://mail.live.com/mail/ipspace.aspx
>
> 65.54.190.0/26
> 65.54.190.64/26
> 65.54.190.128/26
> 65.54.190.192/26
> 65.55.116.0/26
> 65.55.111.64/26
> 65.55.116.64/26
> 65.55.111.128/26
> 65.55.34.0/26
> 65.55.34.64/26
> 65.55.34.128/26
> 65.55.34.192/26
> 65.55.90.0/26
> 65.55.90.64/26
> 65.55.90.128/26
> 65.55.90.192/26
> 65.54.51.64/26
> 65.54.61.64/26
> 207.46.66.0/28
> 157.55.0.192/26
> 157.55.1.128/26
> 157.55.2.0/26
> 157.55.2.64/26
>
> Greetings
> Leo

I also checked the SPF records of MS and added them too, so we will
see what's going to happen. I need to move to a more up-to-date setup, so
I'm just checking my options for what's used these days, and yes,
greylisting works for me as long as no Office 365 is involved, but a lot
of business partners of our customers are moving to 365 and its email
solution, so it becomes a problem for me too. It's just frustrating to see
a mail greylisted from 40 different IPs ...

regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT




Re: the whole greylisting, spam filtering thing

2017-09-29 Thread Leo Unglaub

Hey,

On 09/29/17 15:06, Markus Rosjat wrote:
> my boss is getting on my nerves that greylisting is basically out of
> date because of things like outlook.com and mails ending up delayed
> forever. So the next logical step would be to deploy a tool like rspamd or
> spamassassin to examine mail content. These tools need to be trained and
> if you have a small mailserver with fewer accounts this could take a
> while I imagine

i assume that your boss is not an engineer and also not very familiar
with how emails work. Greylisting is clearly NOT out of date at all.
Greylisting simply makes use of stuff that is defined in the SMTP RFC.
Every email server is allowed to temporarily deny the delivery of an email
and ask the sending server for another try.

The problem in this case is clearly Microsoft who has no idea how email
is supposed to work. You have two options here.

A: Simply don't care about Microsoft and just send customers to a
website where you describe the problem and tell them to contact
Microsoft in order to fix their stuff. This works very well, my Company
hosts around 2.3 million mailboxes and we use Greylisting and customers
are okay with it.

B: You exclude the outlook.com outgoing servers from greylisting.
Microsoft provides a list of IP addresses that they use for delivery:

https://mail.live.com/mail/ipspace.aspx


65.54.190.0/26
65.54.190.64/26
65.54.190.128/26
65.54.190.192/26
65.55.116.0/26
65.55.111.64/26
65.55.116.64/26
65.55.111.128/26
65.55.34.0/26
65.55.34.64/26
65.55.34.128/26
65.55.34.192/26
65.55.90.0/26
65.55.90.64/26
65.55.90.128/26
65.55.90.192/26
65.54.51.64/26
65.54.61.64/26
207.46.66.0/28
157.55.0.192/26
157.55.1.128/26
157.55.2.0/26
157.55.2.64/26


Greetings
Leo



Re: the whole greylisting, spam filtering thing

2017-09-29 Thread Markus Rosjat

Hi,

On 29.09.2017 at 15:39, Larry Hynes wrote:
> Markus Rosjat  wrote:
>> my boss is getting on my nerves
>
> It may be mutual.

of course but well :)

>> that greylisting is basically out of date because of things like
>> outlook.com and mails ending up delayed forever. So the next logical
>> step would be to deploy a tool like rspamd or spamassassin to examine
>> mail content. These tools need to be trained and if you have a small
>> mailserver with fewer accounts this could take a while I imagine.
>
> Specifically in relation to rspamd: If you spend some time reading
> the documentation on the rspamd website you might find that:
>
> 1. the weight of rules which classify messages as 'ham' or 'spam'
> i.e. those rules which rely on the 'training' of messages, does not
> have to be, in the overall context, critical. rspamd deploys a
> boatload of 'tests', by default, and even more can be enabled, and
> each of those can be assigned a score. hamminess or spamminess is
> just one 'test'.
>
> 2. That the rspamd website specifically links to 'pre-built' ham
> and spam databases which you are free to download and use.

I'll check this out!

Thank you for the hint!!!

regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT




Change Time zones cause ddb in 6.2 snapshot

2017-09-29 Thread Fung
snapshots/amd64/
Build date: 1506531075 - Wed Sep 27 16:51:15 UTC 2017

how to repeat the problem

# config -ef /bsd
[...]
Enter 'help' for information
ukc> timezone -480
timezone = -480, dst = 0
ukc> quit
Saving modified kernel.

reboot 

wait boot 
...
...
ddb>

Re: the whole greylisting, spam filtering thing

2017-09-29 Thread tech-lists

On Fri, Sep 29, 2017 at 03:06:29PM +0200, Markus Rosjat wrote:
> So my question is, is there some source that you could use to train
> these kinds of tools (like a database that you could connect to for
> training content) or is everyone here, that uses these tools, lucky
> enough to have a shit load of users that do the training for your systems?
>
> some information about this would be helpful

As far as I understand it, the Bayesian learning system learns stuff
pertinent to your domain, so you have to train it. Spam at one domain
might not be spam at another.

My system has only a few email addresses, but I keep all my spam. I
make sa-learn --spam read the spam, and sa-learn --ham the stuff I've
filtered and examined to confirm it is all not-spam. It doesn't take
long.

https://wiki.apache.org/spamassassin/BayesInSpamAssassin
--
J.
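Why training is per-site, as the reply above says, can be shown with a minimal classifier. This is an added example, not SpamAssassin's Bayes implementation: a Bernoulli naive Bayes over word tokens, trained on two constructed corpora for two hypothetical sites, with learn() standing in for what sa-learn --spam / --ham feed into the database. The same message comes out as ham for one site and as spam for the other.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9']+")


def tokens(text):
    """Distinct lower-cased word tokens; presence matters, not repetition."""
    return set(TOKEN.findall(text.lower()))


class Bayes:
    """Minimal Bernoulli naive Bayes over tokens, trained per site."""

    def __init__(self):
        self.spam_docs = Counter()   # token -> number of spam messages containing it
        self.ham_docs = Counter()    # token -> number of ham messages containing it
        self.nspam = 0
        self.nham = 0

    def learn(self, text, is_spam):
        """The equivalent of feeding one message to sa-learn --spam / --ham."""
        (self.spam_docs if is_spam else self.ham_docs).update(tokens(text))
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def log_odds(self, text):
        # Prior from corpus sizes, then a Laplace-smoothed likelihood ratio per token.
        lo = math.log((self.nspam + 1) / (self.nham + 1))
        for w in tokens(text):
            p_spam = (self.spam_docs[w] + 1) / (self.nspam + 2)
            p_ham = (self.ham_docs[w] + 1) / (self.nham + 2)
            lo += math.log(p_spam / p_ham)
        return lo

    def spam_probability(self, text):
        return 1.0 / (1.0 + math.exp(-self.log_odds(text)))


# Constructed training corpora for two hypothetical sites: (message, is_spam).
FUR_TRADER = [
    ("order batch fox fur wholesale price", False),
    ("customer wants fox fur batch order", False),
    ("fur order shipped today", False),
    ("you won a lottery prize claim now", True),
    ("cheap pills online pharmacy", True),
    ("claim your prize now", True),
]
SOFTWARE_SHOP = [
    ("patch review for the kernel build", False),
    ("meeting notes about the build server", False),
    ("please review the kernel patch", False),
    ("order batch fox fur wholesale price", True),
    ("cheap fur coats order now", True),
    ("batch order fox fur quote", True),
]


def train(corpus):
    clf = Bayes()
    for text, is_spam in corpus:
        clf.learn(text, is_spam)
    return clf


def compare(message="please order a batch of fox fur"):
    """Same message through two differently trained filters: both probabilities."""
    return (train(FUR_TRADER).spam_probability(message),
            train(SOFTWARE_SHOP).spam_probability(message))


if __name__ == "__main__":
    fur, shop = compare()
    print(f"fur trader: {fur:.3f}  software shop: {shop:.3f}")
```

The tokens "order", "batch", "fox" and "fur" carry all the weight: they appear only in ham at the fur trader and only in spam at the software shop, so the likelihood ratios point in opposite directions. A database trained at one site is therefore of limited use at another, which is also why the thread's pre-built databases are a starting point rather than a substitute for local training.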



Re: the whole greylisting, spam filtering thing

2017-09-29 Thread Larry Hynes
Markus Rosjat  wrote:
> my boss is getting on my nerves

It may be mutual.

> that greylisting is basically out of date because of things like
> outlook.com and mails ending up delayed forever. So the next logical
> step would be to deploy a tool like rspamd or spamassassin to examine
> mail content. These tools need to be trained and if you have a small
> mailserver with fewer accounts this could take a while I imagine.

Specifically in relation to rspamd: If you spend some time reading
the documentation on the rspamd website you might find that:

1. the weight of rules which classify messages as 'ham' or 'spam'
i.e. those rules which rely on the 'training' of messages, does not
have to be, in the overall context, critical. rspamd deploys a
boatload of 'tests', by default, and even more can be enabled, and
each of those can be assigned a score. hamminess or spamminess is
just one 'test'.

2. That the rspamd website specifically links to 'pre-built' ham
and spam databases which you are free to download and use.



the whole greylisting, spam filtering thing

2017-09-29 Thread Markus Rosjat

Hi there,

my boss is getting on my nerves that greylisting is basically out of
date because of things like outlook.com and mails ending up delayed
forever. So the next logical step would be to deploy a tool like rspamd or
spamassassin to examine mail content. These tools need to be trained and
if you have a small mailserver with fewer accounts this could take a
while I imagine.


So my question is, is there some source that you could use to train
these kinds of tools (like a database that you could connect to for
training content) or is everyone here, that uses these tools, lucky
enough to have a shit load of users that do the training for your systems?


some information about this would be helpful

regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT




thinkpad x270 - suspend and resume works - thanks

2017-09-29 Thread Pau
Hi!

If you have a thinkpad x270, suspend and resume works now! Of course,
by chance the video driver is a different one.

This is OpenBSD -current with the last snapshot.

dmesg and Xorg.0.log attached

Pau

=
OpenBSD 6.2 (GENERIC.MP) #117: Thu Sep 28 11:57:37 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8068124672 (7694MB)
avail mem = 7816585216 (7454MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xbf0da000 (62 entries)
bios0: vendor LENOVO version "R0IET43W (1.21 )" date 09/02/2017
bios0: LENOVO 20HNA004CD
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP UEFI SSDT SSDT HPET APIC MCFG ECDT SSDT SSDT
BOOT BATB SSDT SSDT SSDT WSMT SSDT SSDT DBGP DBG2 MSDM ASF! FPDT UEFI
acpi0: wakeup devices GLAN(S4) XHC_(S3) XDCI(S4) HDAS(S4) RP01(S4)
RP02(S4) RP04(S4) RP05(S4) RP06(S4) RP07(S4) RP08(S4) RP09(S4)
RP10(S4) RP11(S4) RP12(S4) RP13(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 2399 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz, 2904.00 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 290400 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz, 2904.00 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz, 2904.00 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz, 2904.00 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 120 pins
acpimcfg0 at acpi0 addr 0xf000, bus 0-63
acpiec0 at acpi0
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus 3 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpiprt5 at acpi0: bus 4 (RP05)
acpiprt6 at acpi0: bus -1 (RP06)
acpiprt7 at acpi0: bus -1 (RP07)
acpiprt8 at acpi0: bus -1 (RP08)
acpiprt9 at acpi0: bus -1 (RP09)
acpiprt10 at acpi0: bus -1 (RP10)
acpiprt11 at acpi0: bus -1 (RP11)
acpiprt12 at acpi0: bus -1 (RP12)
acpiprt13 at acpi0: bus -1 (RP13)
acpiprt14 at acpi0: bus -1 (RP14)
acpiprt15 at acpi0: bus -1 (RP15)
acpiprt16 at acpi0: bus -1 (RP16)
acpiprt17 at acpi0: bus -1 (RP17)
acpiprt18 at acpi0: bus -1 (RP18)
acpiprt19 at acpi0: bus -1 (RP19)
acpiprt20 at acpi0: bus -1 (RP20)
acpiprt21 at acpi0: bus -1 (RP21)
acpiprt22 at acpi0: bus -1 (RP22)
acpiprt23 at acpi0: bus -1 (RP23)
acpiprt24 at acpi0: bus -1 (RP24)
acpicpu0 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151
mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151
mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu2 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151
mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu3 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151

Re: Installer hangs - "already acking lease"

2017-09-29 Thread Eivind Eide
The issue is now fixed.
https://marc.info/?l=openbsd-cvs=150663395424206=2

Thanks to K. R. Westerback!


-- 



Eivind Eide

"ONLY THOSE WHO ATTEMPT THE IMPOSSIBLE WILL ACHIEVE THE ABSURD"
- Oceania Association of Autonomous Astronauts



IPsec (isakmpd) in rdomain non zero needs default route

2017-09-29 Thread BARDOU Pierre
Hello, 

I don't know if I should post this to misc@ or bugs@...
If this is the wrong list tell me I'll file a proper bug report.

I need to add a default route in rdomain 1 to be able to use the tunnels 
created by isakmpd.
That is a bit weird, routes should be injected by isakmpd.

Here is my test setup:

+---------------------------+      +---------------------------+
|           rtr1            |      |           rtr2            |
| em1 (rd1): 192.168.0.1    |------| em1 (rd1): 192.168.0.2    |
| lo1 (rd1): 127.0.0.1      |      | lo1 (rd1): 127.0.0.1      |
|   alias: 192.168.1.1      |      |   alias: 192.168.2.1      |
+---------------------------+      +---------------------------+

on rtr 1 and 2:
created enc1 rdomain 1 up
launched route -T 1 exec isakmpd -K

tunnel conf rtr 1:
ike esp from 192.168.1.0/24 to 192.168.2.0/24 local 192.168.0.1 peer 192.168.0.2 \
main auth hmac-md5 enc 3des group modp1024 lifetime 28800 \
quick auth hmac-md5 enc 3des group modp1024 lifetime 3600 psk "deadbeef"

tunnel conf rtr 2:
ike esp from 192.168.2.0/24 to 192.168.1.0/24 local 192.168.0.2 peer 192.168.0.1 \
main auth hmac-md5 enc 3des group modp1024 lifetime 28800 \
quick auth hmac-md5 enc 3des group modp1024 lifetime 3600 psk "deadbeef"

routing table rt1:
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo1
192.168.0/24       192.168.0.1        UCn        1        0     -     4 em1
192.168.0.1        00:50:56:b4:7b:eb  UHLl       0       37     -     1 em1
192.168.0.2        00:50:56:b4:77:82  UHLc       1       16     -     3 em1
192.168.0.255      192.168.0.1        UHb        0        0     -     1 em1
192.168.1.1        192.168.1.1        UHl        0        7 32768     1 lo1

routing table rt2:
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo1
192.168.0/24       192.168.0.2        UCn        0        0     -     4 em1
192.168.0.2        00:50:56:b4:77:82  UHLl       0      245     -     1 em1
192.168.0.255      192.168.0.2        UHb        0        0     -     1 em1
192.168.2.1        192.168.2.1        UHl        0       52 32768     1 lo1

flows rtr1:
# route -T1 exec ipsecctl -sf
flow esp in from 192.168.2.0/24 to 192.168.1.0/24 peer 192.168.0.2 srcid 192.168.0.1/32 dstid 192.168.0.2/32 type use
flow esp out from 192.168.1.0/24 to 192.168.2.0/24 peer 192.168.0.2 srcid 192.168.0.1/32 dstid 192.168.0.2/32 type require

flows rtr2:
# route -T1 exec ipsecctl -sf
flow esp in from 192.168.1.0/24 to 192.168.2.0/24 peer 192.168.0.1 srcid 192.168.0.2/32 dstid 192.168.0.1/32 type use
flow esp out from 192.168.2.0/24 to 192.168.1.0/24 peer 192.168.0.1 srcid 192.168.0.2/32 dstid 192.168.0.1/32 type require

On rtr1 :
ping -V 1 -I 192.168.1.1 192.168.2.1 
won't work until I do on both routers :
route -T1 add default 127.0.0.1

My guess is that the problem is quite the same as with inter-domain routing
with PF: destination lookup is done BEFORE processing by PF or IPsec
(explained here for PF:
https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/).
So when there is no default route, it fails. If this guess is right, the
problem should also happen on rdomain 0.

Could you fix the code to make it work without the default route?
Or, as I suspect, is this too difficult and I'll go with my workaround?

--
Cordialement,
Pierre Bardou



Re: FF vs. Chrome/Chromium

2017-09-29 Thread Stuart Henderson
On 2017-09-28, Boudewijn Dijkstra  wrote:
> Op Wed, 27 Sep 2017 16:44:01 +0200 schreef Theo de Raadt  
>:
>>> Firefox has W^X compliance and so runs with the secure defaults.
>>
>> it uses page aliasing, which is a shitty way of being compliant
>
> Do you mean dual-mapping a.k.a. double-mapping?  I found some old patches  
> using a temporarily file and mmap w/ fd to achieve this, but they never  
> went in.
>
> This blog:
> https://jandemooij.nl/blog/2015/12/29/wx-jit-code-enabled-in-firefox/
> suggests that it is simply switching between RW and RX using mprotect.
>
> Can you please elaborate?
>
>

That was my understanding too, and that's what ktrace shows.

...
 13015 firefox  CALL  mprotect(0x2c907b6eb000,0x1000,0x3)
 13015 firefox  RET   mprotect 0
 13015 firefox  CALL  mprotect(0x2c907b6eb000,0x1000,0x5)
 13015 firefox  RET   mprotect 0
 13015 firefox  CALL  mprotect(0x2c907b6eb000,0x1000,0x3)
 13015 firefox  RET   mprotect 0
 13015 firefox  CALL  mprotect(0x2c907b6eb000,0x1000,0x5)
 13015 firefox  RET   mprotect 0
 13015 firefox  CALL  mprotect(0x2c907b6eb000,0x1000,0x3)
 13015 firefox  RET   mprotect 0
 13015 firefox  CALL  mprotect(0x2c907b6eb000,0x1000,0x5)
 13015 firefox  RET   mprotect 0
 13015 firefox  CALL  mprotect(0x2c907b6eb000,0x1000,0x3)
 13015 firefox  RET   mprotect 0
 13015 firefox  CALL  mprotect(0x2c907b6eb000,0x1000,0x5)
 13015 firefox  RET   mprotect 0
...




Re: OpenBSD 6.1/i386 hangs on reboot

2017-09-29 Thread Infoomatic

I have tried the latest snapshot and ... thanks for fixing this! reboot and 
shutdown are now working again on my 16 year old notebook!


> Gesendet: Freitag, 12. Mai 2017 um 22:06 Uhr
> Von: Infoomatic 
> An: "OpenBSD Misc" 
> Betreff: OpenBSD 6.1/i386 hangs on reboot
>
> I wanted to try to resolve the issue I just posted and tried to reboot, 
> however the machine hangs and shows:
> 
> syncing disks... done
> ehci0: reset timeout
> rebooting...
> 
> even pushing the power button long does not switch off the machine, I have to 
> unplug the power supply and remove the battery. Anyone with the same errors?
> 
> 



Re: relayd TLS load balancer for multiple websites

2017-09-29 Thread Stuart Henderson
On 2017-09-28, Darren Tucker  wrote:
> On 28 September 2017 at 06:32, mabi  wrote:
>> Thanks for the pointer regarding SNI not being supported in relayd. I will 
>> go on and find another solution, probably HAproxy.
>
> For a small number of domains it would probably be feasible to get a
> single certificate with multiple SANs.  Letsencrypt at least supports
> this as long as all of the domains map (or can be made to map) to the
> place requesting the certificate.

With the dns-01 challenge type they don't need to be mapped to the same
place at all. Though the normal http-01 challenge requests don't use TLS,
so it should be easy enough to proxy them, even with relayd.




Re: Mount LUKS and truecrypt external volumes

2017-09-29 Thread x9p

> There aren't any in ports. It might be worth trying porting FUSE-based
> implementations, though FUSE on OpenBSD is missing a few things so
> porting might be a bit awkward, and it's not the most reliable thing
> in the world ever, but it mostly works (at least it doesn't trigger
> panics all that often any more).
>

got it.

> If you want high quality FDE on OpenBSD, use softraid(4) crypto.
>

thanks.



Re: relayd TLS load balancer for multiple websites

2017-09-29 Thread Comète
On 28 September 2017 at 15:50, "mabi"  wrote:

> Thanks for the pointer regarding SNI not being supported in relayd. I will go 
> on and find another
> solution, probably HAproxy.
> 
>>  Original Message 
>> Subject: Re: relayd TLS load balancer for multiple websites
>> Local Time: September 28, 2017 3:02 PM
>> UTC Time: September 28, 2017 1:02 PM
>> From: mcmer-open...@tor.at
>> To: mabi 
>> openbsd-misc 
>> 
>> m...@protonmail.ch (mabi), 2017.09.28 (Thu) 13:32 (CEST):
>>> I was wondering if it is possible to use relayd as load balancer with
>>> TLS termination for multiple different websites residing on different
>>> server.
>> 
>> With a public IP per website: yes. Else: no.
>> 
>> reyk@, 2014-07-24, "no SNI yet"
>> https://marc.info/?l=openbsd-misc=140621533620964
>> 
>> recent thread:
>> https://marc.info/?l=openbsd-misc=150599591326006
>> 
>> Marcus
>> 
>> btw, protonmail's "text/plain, base64, utf-8" reportedly keeps people
>> from seeing these messages.

Hi,

I have used Nginx for this in production for many years; it's simple and works
well.

Comete



Re: Crypto softraid is supported on GPT/UEFI boot and not just on BIOS/MBR boot, right?

2017-09-29 Thread Janne Johansson
2017-09-29 3:31 GMT+02:00 Nick Holland :

>
> By that logic, we should have quit using cheap disks when they went over
> 32MB.  Or 120MB.  Or 504MB.  Or 128GB.  Or ...
> I have MBRs on 4TB SoftRaid volumes, works fine.
>
> fdisk, make the "entire" disk (well, the first 2TB) OpenBSD.
> disklabel, change the boundaries of the OpenBSD part to be the entire
> disk.  Done.
>
>
I seem to recall that "trick" on the 2G boundary, or if it was the 8G IDE
limit, or the 33G.
disklabel being "better" than fdisk at accepting
larger-than-some-artificial-limit seems to
be a tradition. ;)


-- 
May the most significant bit of your life be positive.