mailx : mime handling?

2013-09-25 Thread Mayuresh Kathe
hi, how do mailx users currently handle mime?



Re: mailx : mime handling?

2013-09-25 Thread hruodr
mayur...@devio.us (Mayuresh Kathe) wrote:

 hi, how do mailx users currently handle mime?

I use nail. I think metamail OpenBSD port was broken, I tried it
long ago and do not remember.

Rodrigo.



Re: mailx : mime handling?

2013-09-25 Thread Dmitrij D. Czarkoff
Mayuresh Kathe said:
 hi, how do mailx users currently handle mime?

They don't. They install mutt, s-nail or whatever.

-- 
Dmitrij D. Czarkoff



Re: Alternate authentication source in OpenSMTPd

2013-09-25 Thread Daniel Ouellet
I forgot to add that I also checked this one out from the man page too.

If the method of delivery is local, a user database may be
specified to override the system database:

[userbase table]
   Look up users in the table table instead of performing
   system lookups using the getpwnam(3) function.

If that's the way to do so, any example for its proper use?

But unless I don't understand it right, that's for users instead of the
password file on the system, maybe for virtual mailboxes and all. I am not
sure I understand its use as there are already virtual and user aliases
and all available. Or maybe its use is for a limited set of mailboxes as
opposed to every user in the password file?

Best,

Daniel


On 9/25/13 4:15 AM, Daniel Ouellet wrote:
 Hi,

 Is this still true from the man himself:

 What is not yet possible is to use alternate authentication sources.

 http://marc.info/?l=openbsd-misc&m=129230912814295&w=2

 I try any and every way I could think of without success. I thought that
 may be there was a way to do so using some kind of variation of this
 from the man page:

 accept from any for any relay via smtps+auth://label@localhost auth
 secrets

 and use the makemap to add users in it, but if there is a way, I can't
 figure it out for the love of me and if it is actually available, I
 would very much appreciate a clue stick!

 So, is this correct to assume the option to do so is still not available
 yet? Not a huge deal, I just would like to know so that I stop beating
 myself trying to get it to work.




Alternate authentication source in OpenSMTPd

2013-09-25 Thread Daniel Ouellet
Hi,

Is this still true from the man himself:

What is not yet possible is to use alternate authentication sources.

http://marc.info/?l=openbsd-misc&m=129230912814295&w=2

I tried any and every way I could think of without success. I thought that
maybe there was a way to do so using some kind of variation of this
from the man page:

accept from any for any relay via smtps+auth://label@localhost auth
secrets

and use the makemap to add users in it, but if there is a way, I can't
figure it out for the love of me and if it is actually available, I
would very much appreciate a clue stick!

So, is this correct to assume the option to do so is still not available
yet? Not a huge deal, I just would like to know so that I stop beating
myself trying to get it to work.




Re: Alternate authentication source in OpenSMTPd

2013-09-25 Thread Gilles Chehade
On Wed, Sep 25, 2013 at 04:15:01AM -0400, Daniel Ouellet wrote:
 Hi,
 

Hi,


 Is this still true from the man himself:
 
 What is not yet possible is to use alternate authentication sources.
 
 http://marc.info/?l=openbsd-misc&m=129230912814295&w=2
 

It's officially still true, unofficially you can do it on recent
versions by declaring a table (i'll use a static table for the example
but you can use a file, db, sqlite or ldap one):

$ encrypt
mypassword
$2a$06$BTOM8Ck.HEInGF888KbjiORoXSOFT.McbLZIS85gMSmHTPA5Tds2S
$

smtpd.conf:

   table mycreds { gilles = gilles:$2a$06$BTO[...]PA5Tds2S }
   listen on [...] auth mycreds

and now, user 'gilles' can authenticate with password 'mypassword'

The feature has now stabilized, is documented, and will be officially
supported in the next stable release we do shortly after OpenBSD 5.4


 I try any and every way I could think of without success. I thought that
 may be there was a way to do so using some kind of variation of this
 from the man page:
 
 accept from any for any relay via smtps+auth://label@localhost auth
 secrets


You won't have success with that because relaying auth and incoming auth
are completely unrelated, you're only adding one indirection to the
same issue.

However you successfully turned your setup into an open relay with:

   from any for any


 So, is this correct to assume the option to do so is still not available
 yet? Not a huge deal, I just would like to know so that I stop beating
 myself trying to get it to work.


summary:

For OpenSMTPD versions earlier than 5.3.3, it's correct to assume that.
For OpenSMTPD 5.3.3, it's a hidden feature that does work.
For next stable OpenSMTPD release, it'll no longer be hidden ;-)


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg



Strange packets lost

2013-09-25 Thread Loïc BLOT
Hello all,
I have searched through many options but I don't have any new ideas.

I have 4 OpenBSD routers (2 on each site). Each router creates a GRE
tunnel with its pair.

Here is the configuration:

| S1R1 --- gre + ospf --- S2R1 |
LAN S1 (OSPF  RIP) |  | LAN S2 (OSPF  RIP)
| S1R2 --- gre + ospf --- S2R2 |

The routing rules are correct; ssh, http(s), smtp, ntp, ldap and many
other protocols work as expected between the two sites.

But I have a problem with my Avaya phones on S2, which need to contact
the S1 gatekeeper. Some packets are lost, and (by sniffing every
interface) I can't find where the packets go.

If i capture LAN S1 link, i have this capture:

10:06:24.003479 192.168.238.121.56641 > 192.168.106.38.411: S 2621611805:2621611805(0) win 5840 <mss 1460,sackOK,timestamp 4294948803 0,nop,wscale 4> (DF)
10:06:24.003607 192.168.106.38.411 > 192.168.238.121.56641: S 3090220105:3090220105(0) ack 2621611806 win 5840 <mss 1460,nop,wscale 7> (DF)
10:06:24.018842 192.168.238.121.56641 > 192.168.106.38.411: . ack 1 win 365 (DF)
10:06:24.023582 192.168.238.121.56641 > 192.168.106.38.411: P 1:74(73) ack 1 win 365 (DF)
10:06:24.023710 192.168.106.38.411 > 192.168.238.121.56641: . ack 74 win 46 (DF)
10:06:24.024086 192.168.106.38.411 > 192.168.238.121.56641: . 1:1461(1460) ack 74 win 46 (DF)
10:06:24.024329 192.168.106.38.411 > 192.168.238.121.56641: . 1461:2921(1460) ack 74 win 46 (DF)
10:06:27.017704 192.168.106.38.411 > 192.168.238.121.56641: . 1:1461(1460) ack 74 win 46 (DF)
10:06:33.017772 192.168.106.38.411 > 192.168.238.121.56641: . 1:1461(1460) ack 74 win 46 (DF)
10:06:45.017907 192.168.106.38.411 > 192.168.238.121.56641: . 1:1461(1460) ack 74 win 46 (DF)
10:07:09.018198 192.168.106.38.411 > 192.168.238.121.56641: . 1:1461(1460) ack 74 win 46 (DF)
10:07:57.018732 192.168.106.38.411 > 192.168.238.121.56641: . 1:1461(1460) ack 74 win 46 (DF)
10:08:24.019074 192.168.106.38.411 > 192.168.238.121.56641: FP 2921:4273(1352) ack 74 win 46 (DF)
10:08:24.034803 192.168.238.121.56641 > 192.168.106.38.411: . ack 1 win 365 (DF)

If i capture the GRE tunnel i have this capture:

10:06:23.987975 192.168.238.121.56641 > 192.168.106.38.411: S 2621611805:2621611805(0) win 5840 <mss 1460,sackOK,timestamp 4294948803 0,nop,wscale 4> (DF)
10:06:24.003614 192.168.106.38.411 > 192.168.238.121.56641: S 3090220105:3090220105(0) ack 2621611806 win 5840 <mss 1460,nop,wscale 7> (DF)
10:06:24.018833 192.168.238.121.56641 > 192.168.106.38.411: . ack 1 win 365 (DF)
10:06:24.023573 192.168.238.121.56641 > 192.168.106.38.411: P 1:74(73) ack 1 win 365 (DF)
10:06:24.023716 192.168.106.38.411 > 192.168.238.121.56641: . ack 74 win 46 (DF)
10:08:24.019083 192.168.106.38.411 > 192.168.238.121.56641: FP 2921:4273(1352) ack 74 win 46 (DF)
10:08:24.034793 192.168.238.121.56641 > 192.168.106.38.411: . ack 1 win 365 (DF)

A part of the TCP transaction disappears and I don't know why.
Have you got any ideas?

-- 
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr



Re: mailx : mime handling?

2013-09-25 Thread Eric Johnson
On Wed, 25 Sep 2013, Dmitrij D. Czarkoff wrote:

 Mayuresh Kathe said:
  hi, how do mailx users currently handle mime?
 
 They don't. They install mutt, s-nail or whatever.

pine/alpine

Eric



Re: Alternate authentication source in OpenSMTPd

2013-09-25 Thread Craig R. Skinner
On 2013-09-25 Wed 11:39 AM |, Gilles Chehade wrote:
 
 It's officially still true, unofficially you can do it on recent
 versions by declaring a table (i'll use a static table for the example
 but you can use a file, db, sqlite or ldap one):
 
 $ encrypt
 mypassword
 $2a$06$BTOM8Ck.HEInGF888KbjiORoXSOFT.McbLZIS85gMSmHTPA5Tds2S
 $
 
 smtpd.conf:
 
table mycreds { gilles = gilles:$2a$06$BTO[...]PA5Tds2S }
listen on [...] auth mycreds
 
 and now, user 'gilles' can authenticate with password 'mypassword'
 

Is this possible without TLS/SSL Gilles?

i.e., via CRAM-MD5 or DIGEST-MD5

Such as:
$ telnet localhost submission
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 teak.britvault.co.uk ESMTP Postfix
ehlo localhost
250-teak.britvault.co.uk
250-PIPELINING
250-SIZE 10485760
250-ETRN
250-AUTH CRAM-MD5
250-XVERP
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Regards,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: Alternate authentication source in OpenSMTPd

2013-09-25 Thread Gilles Chehade
On Wed, Sep 25, 2013 at 01:03:45PM +0100, Craig R. Skinner wrote:
 On 2013-09-25 Wed 11:39 AM |, Gilles Chehade wrote:
  
  It's officially still true, unofficially you can do it on recent
  versions by declaring a table (i'll use a static table for the example
  but you can use a file, db, sqlite or ldap one):
  
  $ encrypt
  mypassword
  $2a$06$BTOM8Ck.HEInGF888KbjiORoXSOFT.McbLZIS85gMSmHTPA5Tds2S
  $
  
  smtpd.conf:
  
 table mycreds { gilles = gilles:$2a$06$BTO[...]PA5Tds2S }
 listen on [...] auth mycreds
  
  and now, user 'gilles' can authenticate with password 'mypassword'
  
 
 Is this possible without TLS/SSL Gilles?
 
 i.e; via CRAM-MD5 or DIGEST-MD5
 

nope, we only support AUTH PLAIN over a SSL/TLS connection at the moment
and unless someone writes it or I suddenly really need it, there is very
little chance that it's going to be implemented soon.

it's not part of any contributor's todo afaik

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg
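
The two mechanisms discussed in this exchange, side by side, as an added example that is not part of the original posts and not OpenSMTPD code: it shows why AUTH PLAIN is only offered inside TLS, and why CRAM-MD5 cannot be checked against a one-way hash such as the encrypt(1) output stored in the credentials table. The function names and the challenge string are constructed for illustration; the user name, password and hash are the ones quoted in the thread.

```python
import base64
import hashlib
import hmac

USER, PASSWORD = "gilles", "mypassword"  # values from the thread's example
# Hash quoted in the thread (output of encrypt(1) for 'mypassword').
STORED_HASH = "$2a$06$BTOM8Ck.HEInGF888KbjiORoXSOFT.McbLZIS85gMSmHTPA5Tds2S"
# Constructed server challenge (RFC 2195 uses a msg-id style string).
CHALLENGE = base64.b64encode(b"<1234.5678@mail.example.org>").decode("ascii")


def auth_plain_token(user, password, authzid=""):
    """RFC 4616 initial response: base64(authzid NUL authcid NUL passwd)."""
    raw = "\0".join([authzid, user, password]).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def recover_from_plain(token):
    """Decode an AUTH PLAIN token; base64 is an encoding, not protection."""
    _authzid, user, password = base64.b64decode(token).decode("utf-8").split("\0")
    return user, password


def cram_md5_response(user, secret, challenge_b64):
    """RFC 2195 response: base64(user SP hex(HMAC-MD5(secret, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(secret.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode("utf-8")).decode("ascii")


def cram_md5_verify(stored_secret, challenge_b64, response_b64):
    """Server side: recompute the HMAC, which needs the password itself as key."""
    _user, digest = base64.b64decode(response_b64).decode("utf-8").rsplit(" ", 1)
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(stored_secret.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def observer_sees_password(b64_blob, password):
    """True if decoding what crossed the wire reveals the password."""
    return password.encode("utf-8") in base64.b64decode(b64_blob)


if __name__ == "__main__":
    plain = auth_plain_token(USER, PASSWORD)
    cram = cram_md5_response(USER, PASSWORD, CHALLENGE)
    print("AUTH PLAIN token:", plain, "->", recover_from_plain(plain))
    print("password visible in PLAIN token:", observer_sees_password(plain, PASSWORD))
    print("password visible in CRAM-MD5 response:", observer_sees_password(cram, PASSWORD))
    print("verify with cleartext secret:", cram_md5_verify(PASSWORD, CHALLENGE, cram))
    print("verify with stored hash only:", cram_md5_verify(STORED_HASH, CHALLENGE, cram))
```

With AUTH PLAIN over TLS the server can keep only the hash; a challenge-response mechanism like CRAM-MD5 would require the table to hold the cleartext password or an equivalent secret.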



Re: Strange packets lost

2013-09-25 Thread Mike Belopuhov
On 25 September 2013 11:03, Loïc BLOT loic.b...@unix-experience.fr wrote:
 Hello all,
 i have searched many options but i haven't any new idea.

 I have 4 openbsd routers (2 on each site). Each router create a GRE
 tunnel with it's pair.

 Here is the configuration:

 | S1R1 --- gre + ospf --- S2R1 |
 LAN S1 (OSPF  RIP) |  | LAN S2 (OSPF  RIP)
 | S1R2 --- gre + ospf --- S2R2 |

 The routing rules are correct, ssh, http(s), smtp, ntp, ldap and many
 other protocols works as expected between the two sites.

 But i have a problem with my Avaya phones on S2 which need to contact
 the S1 gatekeeper. Some packets are lost, and (by sniffing every
 interface) i don't found where the packets goes.

 If i capture LAN S1 link, i have this capture:

 10:06:24.003479 192.168.238.121.56641  192.168.106.38.411: S
 2621611805:2621611805(0) win 5840 mss 1460,sackOK,timestamp 4294948803
 0,nop,wscale 4 (DF)
 10:06:24.003607 192.168.106.38.411  192.168.238.121.56641: S
 3090220105:3090220105(0) ack 2621611806 win 5840 mss 1460,nop,wscale 7
 (DF)
 10:06:24.018842 192.168.238.121.56641  192.168.106.38.411: . ack 1 win
 365 (DF)
 10:06:24.023582 192.168.238.121.56641  192.168.106.38.411: P 1:74(73)
 ack 1 win 365 (DF)
 10:06:24.023710 192.168.106.38.411  192.168.238.121.56641: . ack 74 win
 46 (DF)
 10:06:24.024086 192.168.106.38.411  192.168.238.121.56641: .
 1:1461(1460) ack 74 win 46 (DF)
 10:06:24.024329 192.168.106.38.411  192.168.238.121.56641: .
 1461:2921(1460) ack 74 win 46 (DF)
 10:06:27.017704 192.168.106.38.411  192.168.238.121.56641: .
 1:1461(1460) ack 74 win 46 (DF)
 10:06:33.017772 192.168.106.38.411  192.168.238.121.56641: .
 1:1461(1460) ack 74 win 46 (DF)
 10:06:45.017907 192.168.106.38.411  192.168.238.121.56641: .
 1:1461(1460) ack 74 win 46 (DF)
 10:07:09.018198 192.168.106.38.411  192.168.238.121.56641: .
 1:1461(1460) ack 74 win 46 (DF)
 10:07:57.018732 192.168.106.38.411  192.168.238.121.56641: .
 1:1461(1460) ack 74 win 46 (DF)
 10:08:24.019074 192.168.106.38.411  192.168.238.121.56641: FP
 2921:4273(1352) ack 74 win 46 (DF)
 10:08:24.034803 192.168.238.121.56641  192.168.106.38.411: . ack 1 win
 365 (DF)

 If i capture the GRE tunnel i have this capture:

 10:06:23.987975 192.168.238.121.56641  192.168.106.38.411: S
 2621611805:2621611805(0) win 5840 mss 1460,sackOK,timestamp 4294948803
 0,nop,wscale 4 (DF)
 10:06:24.003614 192.168.106.38.411  192.168.238.121.56641: S
 3090220105:3090220105(0) ack 2621611806 win 5840 mss 1460,nop,wscale 7
 (DF)
 10:06:24.018833 192.168.238.121.56641  192.168.106.38.411: . ack 1 win
 365 (DF)
 10:06:24.023573 192.168.238.121.56641  192.168.106.38.411: P 1:74(73)
 ack 1 win 365 (DF)
 10:06:24.023716 192.168.106.38.411  192.168.238.121.56641: . ack 74 win
 46 (DF)
 10:08:24.019083 192.168.106.38.411  192.168.238.121.56641: FP
 2921:4273(1352) ack 74 win 46 (DF)
 10:08:24.034793 192.168.238.121.56641  192.168.106.38.411: . ack 1 win
 365 (DF)

 A part of the TCP transaction disappear and i don't know why.
 Have you got ideas ???


this looks like a classical mtu problem.  gre tunnel lowers the mtu
and your tcp traffic uses mss of 1460 bytes and sets DF.  therefore
it gets dropped once the router figures out it can't send that much
data over the gre link.

possible solutions are using path mtu discovery on clients or making
sure their mtu is less than 1500 or doing forced fragmentation and
defragmentation on the router or configuring the application to use
smaller mss value (setsockopt TCP_MAXSEG).
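
The capture comparison behind this diagnosis, as an added example that is not part of the original post: it diffs the LAN and tunnel captures quoted in the thread (abridged, unwrapped, with the `>` separators restored) and flags data segments that left the LAN but never entered the tunnel because their IP size exceeds the tunnel MTU while DF is set. The 1476-byte GRE MTU and the 40-byte option-free header size are assumptions, and the function names are illustrative.

```python
import re
from collections import Counter

IP_TCP_HEADERS = 40    # assumption: 20-byte IPv4 + 20-byte TCP header, no options
GRE_TUNNEL_MTU = 1476  # assumption: 1500 minus 20 (outer IPv4) minus 4 (GRE)

# Capture on the LAN S1 link (lines from the thread, abridged).
LAN_S1 = """
10:06:24.023582 192.168.238.121.56641 > 192.168.106.38.411: P 1:74(73) ack 1 win 365 (DF)
10:06:24.023710 192.168.106.38.411 > 192.168.238.121.56641: . ack 74 win 46 (DF)
10:06:24.024086 192.168.106.38.411 > 192.168.238.121.56641: . 1:1461(1460) ack 74 win 46 (DF)
10:06:24.024329 192.168.106.38.411 > 192.168.238.121.56641: . 1461:2921(1460) ack 74 win 46 (DF)
10:06:27.017704 192.168.106.38.411 > 192.168.238.121.56641: . 1:1461(1460) ack 74 win 46 (DF)
10:06:33.017772 192.168.106.38.411 > 192.168.238.121.56641: . 1:1461(1460) ack 74 win 46 (DF)
10:08:24.019074 192.168.106.38.411 > 192.168.238.121.56641: FP 2921:4273(1352) ack 74 win 46 (DF)
"""

# Capture on the GRE tunnel for the same connection (lines from the thread).
GRE_TUNNEL = """
10:06:24.023573 192.168.238.121.56641 > 192.168.106.38.411: P 1:74(73) ack 1 win 365 (DF)
10:06:24.023716 192.168.106.38.411 > 192.168.238.121.56641: . ack 74 win 46 (DF)
10:08:24.019083 192.168.106.38.411 > 192.168.238.121.56641: FP 2921:4273(1352) ack 74 win 46 (DF)
"""

# tcpdump TCP line: "time src > dst: FLAGS first:last(len) ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+)"
    r"(?: (?P<first>\d+):(?P<last>\d+)\((?P<len>\d+)\))?"
)


def parse(capture):
    """Return one dict per captured TCP segment that carries payload."""
    segments = []
    for line in capture.strip().splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m or not m.group("len") or int(m.group("len")) == 0:
            continue  # pure ACKs and SYNs carry no data
        segments.append({
            # Timestamps differ per capture point, so identify by flow and range.
            "key": (m.group("src"), m.group("dst"),
                    int(m.group("first")), int(m.group("last"))),
            "len": int(m.group("len")),
            "df": line.endswith("(DF)"),
        })
    return segments


def find_dropped(lan_capture, tunnel_capture, tunnel_mtu=GRE_TUNNEL_MTU):
    """List data segments seen on the LAN but never seen in the tunnel."""
    lan = parse(lan_capture)
    in_tunnel = {s["key"] for s in parse(tunnel_capture)}
    times_sent = Counter(s["key"] for s in lan)
    report, seen = [], set()
    for s in lan:
        if s["key"] in in_tunnel or s["key"] in seen:
            continue
        seen.add(s["key"])
        ip_len = s["len"] + IP_TCP_HEADERS
        report.append({
            "segment": "%d:%d" % s["key"][2:],
            "ip_len": ip_len,
            "times_sent": times_sent[s["key"]],  # > 1 means retransmissions
            "mtu_blackhole": s["df"] and ip_len > tunnel_mtu,
        })
    return report


def max_safe_mss(tunnel_mtu=GRE_TUNNEL_MTU):
    """Largest MSS whose full-size segments still fit through the tunnel."""
    return tunnel_mtu - IP_TCP_HEADERS


if __name__ == "__main__":
    for row in find_dropped(LAN_S1, GRE_TUNNEL):
        print(row)
    print("largest MSS that fits:", max_safe_mss())
```

The final 1352-byte segment makes a 1392-byte packet, which is why it is the only server data that shows up in the tunnel capture.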



Re: Interface input errors incrementing

2013-09-25 Thread Mike Belopuhov
On 20 September 2013 08:36, Darren Spruell phatbuck...@gmail.com wrote:
 Running 5.3 (release) i386 on a soekris net4521 with 2 connected
 sis(4). The device is a router/firewall on a home network with a cable
 Internet connection. One of these interfaces has in the last few weeks
 started to build higher rates of input errors as time increases
 between reboots. This seems to result in intermittent packet loss
 (5-10%) or increased latency (3-4x RTT) for routed traffic. When the
 situation is at it's worst we can reboot the host and then symptoms
 are gone for a short time before starting to occur again. This
 interface connects to an Ethernet tap that connects to a 10/100 LAN
 switch.

 Any idea what the issue could be?


lots of hardware treats rx queue full event as an rx error.  this
condition is also triggered by the MCLGETI very often.  we have
seen this recently in the bge (if_bge.c rev1.334) and it's very
well possible that it's the same problem here.

please try to remove SIS_RXSTAT_OVERRUN from the SIS_RXSTAT_ERROR
in /sys/dev/pci/if_sisreg.h and retry your test.  i'm not 100%
sure it's the case and it's what i think it is since NatSemi
datasheets are rather vague in this regard.  but it might shed
some light on the problem.



Re: IPSec endpoints won't talk to each other

2013-09-25 Thread Mike Belopuhov
On 24 September 2013 16:35, Hugo Osvaldo Barrera
h...@osvaldobarrera.com.ar wrote:
 On 2013-09-24 09:44, James Griffin wrote:
 * Hugo Osvaldo Barrera h...@osvaldobarrera.com.ar [2013-09-24 03:53:46
 -0300]:

  Hi,
 
  I've been experimenting a bit with IPSec and creating a VPN using it.
 I've
  been successful, but have encountered an odd issue.
 
  I've two hosts, linking two networks:
 
  Host A's /etc/iked.conf:
  ikev2 active esp from 172.16.0.0/16 to 172.17.0.0/16 \
peer 174.136.104.18 psk a-test-key
 
  Host B's /etc/iked.conf:
  ikev2 esp from 172.17.0.0/16 to 172.16.0.0/16 \
peer 190.210.108.249 psk a-test-key
 
  (Of course those are not the real keys).
 
  I can ssh 172.17.0.1 from the 172.16.0.0 network fine and viceversa.
 
  So far so good.
 
  BUT I can't establish any TCP connection from Host A to Host B's public
  IP address and viceversa.

 So you can connect using internal addresses but not using public address.
 Just a thought, but have you opened the necessary ports on your router? What
 is your setup like?

 [ ... ]


 They're both connected directly to the internet with no router in front
 of them. With the tunnel disabled, everything works fine between both.

 --
 Hugo Osvaldo Barrera



could you please tcpdump on enc and real interfaces on host A and see
if your traffic (ssh, ping, traceroute) is sent encrypted or not and
on which interface.  and what does host B receive.



iked's ikev2 segfaults during connection initiation from strongswan

2013-09-25 Thread LEVAI Daniel
Hi!

I'm trying to setup StrongSwan (oh, the pain...) to iked(8) IPsec.  When
trying to bring up the connection from the Linux end (ipsec up
connection), the iked(8) at the OpenBSD (5.3-stable) endpoint
segfaults. I'm trying to use certs and public keys for authentication
for this host-to-host ESP tunnel connection.
For the life of me I can not get a coredump from the ikev2 program, but
attaching gdb to its PID won't give me a bt either because it can't seem
to load the symbol table. I've recompiled iked from sources with
CFLAGS=-g and without stripping, but still, no luck.

The network looks like this:
[ Linux StrongSwan ] -- [ NAT gw remote_ip ]O--Internetz--O[ firefly_ip ]
| |
`== IPsec IKEv2 =='

Here is the output of iked -dvv from the start until the sig11.
I'm sorry about the anonymization, if it confuses the reader I'll
gladly elaborate.

# /sbin/iked -dvv
firefly_ip = firefly_ip

remote_ip = remote_ip

/etc/iked.conf: loaded 1 configuration rules
ca_reload: loaded ca file ecentrum_cacert.pem
ca_reload: /O=eCentrum/OU=eCentrum Root CA/emailAddress=leva [at] 
ecentrum.hu/L=Szekesfehervar/ST=Fejer/C=HU/CN=...
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file ipsec_firefly_cert.pem
ca_validate_cert: /C=HU/ST=Fejer/O=eCentrum/OU=IPsec 
IKEv2/CN=firefly_host/subjectAltName=firefly_ip ok
config_getpolicy: received policy
ikev2 test-ikev2 passive esp inet from firefly_ip to remote_ip local 
firefly_ip peer remote_ip ikesa enc aes-256,aes-192,aes-128,3des prf 
hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5 group 
modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 
auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 rsa
config_getpfkey: received pfkey fd 4
config_getcompile: compilation done
config_getsocket: received socket fd 11
config_getsocket: received socket fd 12
ikev2_dispatch_cert: updated local CERTREQ signatures length 20
config_getsocket: received socket fd 14
config_getsocket: received socket fd 20
ikev2_recv: INFORMATIONAL from initiator remote_ip:4761 to firefly_ip:4500 
policy 'test-ikev2' id 2, 76 bytes
ikev2_recv: ispi 0x0943538bae4b0ba0 rspi 0xea2c1a40848ed222
ikev2_recv: IKE_SA_INIT from initiator remote_ip:443 to firefly_ip:500 
policy 'test-ikev2' id 0, 660 bytes
ikev2_recv: ispi 0x12412ae4e06726b8 rspi 0x
ikev2_policy2id: srcid FQDN/firefly_host length 23
ikev2_pld_parse: header ispi 0x12412ae4e06726b8 rspi 0x 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 660 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 276
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #1 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x12412ae4e06726b8 0x 
remote_ip:443
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP 
encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x12412ae4e06726b8 0x 
firefly_ip:500
sa_state: INIT - SA_INIT
ikev2_sa_negotiate: score 16
sa_stateok: SA_INIT flags 0x00, require 0x00 
sa_stateflags: 0x00 - 0x08 sa (required 0x00 )
ikev2_sa_keys: SKEYSEED with 20 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 20 bytes
ikev2_prfplus: T2 with 20 bytes
ikev2_prfplus: T3 with 20 bytes
ikev2_prfplus: T4 with 20 bytes
ikev2_prfplus: T5 with 20 bytes
ikev2_prfplus: T6 with 20 bytes
ikev2_prfplus: T7 with 20 bytes
ikev2_prfplus: Tn with 140 bytes
ikev2_sa_keys: SK_d with 20 bytes
ikev2_sa_keys: SK_ai with 20 bytes
ikev2_sa_keys: SK_ar with 20 bytes
ikev2_sa_keys: SK_ei with 16 bytes
ikev2_sa_keys: SK_er with 16 bytes
ikev2_sa_keys: SK_pi with 20 bytes
ikev2_sa_keys: SK_pr with 20 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x12412ae4e06726b8 0xe5db467165bf35cb 
firefly_ip:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local 

Re: mailx : mime handling?

2013-09-25 Thread hruodr
Eric Johnson eri...@mathlab.gruver.net wrote:

 On Wed, 25 Sep 2013, Dmitrij D. Czarkoff wrote:

  Mayuresh Kathe said:
   hi, how do mailx users currently handle mime?
  
  They don't. They install mutt, s-nail or whatever.

 pine/alpine

Alpine is what I normally use. As an IMAP client it is very nice, also for
reading and adding attachments. But the program is huge. And
it needs internet connections when it does not need them: when
you are editing a mail and the connection is interrupted, it
hangs, so that the writing is blocked.

nail (heirloom mail) also has its defects. When you write a message
and the authentication fails, it may happen that you lose the mail
written: it does not land in dead.letter. BTW, it would be good if
the configuration file were called nailrc and not mailrc.

The best seems to be mutt, but it has a strange configuration
file.

It would be nice if metamail worked again. Perhaps to have something
like an editor to be called with ~e (when EDITOR is set to it) in mail
that allows adding attachments and calling another editor for writing
the text. For reading IMAP it would be nice to have the possibility
to mount the remote folder as a local file (no work in FUSE?).
Another question is how to send with alternative smtp servers.

Rodrigo.



Re: iked's ikev2 segfaults during connection initiation from strongswan

2013-09-25 Thread Mike Belopuhov
On 25 September 2013 14:41, LEVAI Daniel l...@ecentrum.hu wrote:
 Hi!

 I'm trying to setup StrongSwan (oh, the pain...) to iked(8) IPsec.  When
 trying to bring up the connection from the Linux end (ipsec up
 connection), the iked(8) at the OpenBSD (5.3-stable) endpoint
 segfaults. I'm trying to use certs and public keys for authentication
 for this host-to-host ESP tunnel connection.
 For the life of me I can not get a coredump from the ikev2 program, but
 attaching gdb to its PID won't give me a bt either because it can't seem
 to load the symbol table. I've recompiled iked from sources with
 CFLAGS=-g and without stripping, but still, no luck.


use CFLAGS=-g -DDEBUG to disable chroot and generate a core dump.

 The network looks like this:
 [ Linux StrongSwan ] -- [ NAT gw remote_ip ]O--Internetz--O[ firefly_ip 
 ]
 | |
 `== IPsec IKEv2 =='

 Here is the output of iked -dvv from the start until the sig11.
 I'm sorry about the anonimization, if it confuses the reader I'll
 gladly elaborate.


you can also try iked -dvvT and see if that works.



Re: Strange packets lost

2013-09-25 Thread Loïc BLOT
Hello,
you are totally right! I hadn't thought about layer 2 problems.
But the problem is only partially resolved; I have strange things with DF.
Port 80 is no-df but not port 411 (avaya cfg).

Here is a fragment of my pf config:

set skip on lo

set block-policy drop
set limit { states 10, src-nodes 8, table-entries 60 }

match in scrub (no-df)

block in log all
pass out all

...

pass in quick inet from toip_area_v4 to toip_area_v4 scrub (no-df) no state


Is something wrong?

-- 
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr



Le mercredi 25 septembre 2013 à 14:23 +0200, Mike Belopuhov a écrit :
 On 25 September 2013 11:03, Loïc BLOT loic.b...@unix-experience.fr wrote:
  Hello all,
  i have searched many options but i haven't any new idea.
 
  I have 4 openbsd routers (2 on each site). Each router create a GRE
  tunnel with it's pair.
 
  Here is the configuration:
 
  | S1R1 --- gre + ospf --- S2R1 |
  LAN S1 (OSPF  RIP) |  | LAN S2 (OSPF  RIP)
  | S1R2 --- gre + ospf --- S2R2 |
 
  The routing rules are correct, ssh, http(s), smtp, ntp, ldap and many
  other protocols works as expected between the two sites.
 
  But i have a problem with my Avaya phones on S2 which need to contact
  the S1 gatekeeper. Some packets are lost, and (by sniffing every
  interface) i don't found where the packets goes.
 
  If i capture LAN S1 link, i have this capture:
 
  10:06:24.003479 192.168.238.121.56641  192.168.106.38.411: S
  2621611805:2621611805(0) win 5840 mss 1460,sackOK,timestamp 4294948803
  0,nop,wscale 4 (DF)
  10:06:24.003607 192.168.106.38.411  192.168.238.121.56641: S
  3090220105:3090220105(0) ack 2621611806 win 5840 mss 1460,nop,wscale 7
  (DF)
  10:06:24.018842 192.168.238.121.56641  192.168.106.38.411: . ack 1 win
  365 (DF)
  10:06:24.023582 192.168.238.121.56641  192.168.106.38.411: P 1:74(73)
  ack 1 win 365 (DF)
  10:06:24.023710 192.168.106.38.411  192.168.238.121.56641: . ack 74 win
  46 (DF)
  10:06:24.024086 192.168.106.38.411  192.168.238.121.56641: .
  1:1461(1460) ack 74 win 46 (DF)
  10:06:24.024329 192.168.106.38.411  192.168.238.121.56641: .
  1461:2921(1460) ack 74 win 46 (DF)
  10:06:27.017704 192.168.106.38.411  192.168.238.121.56641: .
  1:1461(1460) ack 74 win 46 (DF)
  10:06:33.017772 192.168.106.38.411  192.168.238.121.56641: .
  1:1461(1460) ack 74 win 46 (DF)
  10:06:45.017907 192.168.106.38.411  192.168.238.121.56641: .
  1:1461(1460) ack 74 win 46 (DF)
  10:07:09.018198 192.168.106.38.411  192.168.238.121.56641: .
  1:1461(1460) ack 74 win 46 (DF)
  10:07:57.018732 192.168.106.38.411  192.168.238.121.56641: .
  1:1461(1460) ack 74 win 46 (DF)
  10:08:24.019074 192.168.106.38.411  192.168.238.121.56641: FP
  2921:4273(1352) ack 74 win 46 (DF)
  10:08:24.034803 192.168.238.121.56641  192.168.106.38.411: . ack 1 win
  365 (DF)
 
  If i capture the GRE tunnel i have this capture:
 
  10:06:23.987975 192.168.238.121.56641  192.168.106.38.411: S
  2621611805:2621611805(0) win 5840 mss 1460,sackOK,timestamp 4294948803
  0,nop,wscale 4 (DF)
  10:06:24.003614 192.168.106.38.411  192.168.238.121.56641: S
  3090220105:3090220105(0) ack 2621611806 win 5840 mss 1460,nop,wscale 7
  (DF)
  10:06:24.018833 192.168.238.121.56641  192.168.106.38.411: . ack 1 win
  365 (DF)
  10:06:24.023573 192.168.238.121.56641  192.168.106.38.411: P 1:74(73)
  ack 1 win 365 (DF)
  10:06:24.023716 192.168.106.38.411  192.168.238.121.56641: . ack 74 win
  46 (DF)
  10:08:24.019083 192.168.106.38.411  192.168.238.121.56641: FP
  2921:4273(1352) ack 74 win 46 (DF)
  10:08:24.034793 192.168.238.121.56641  192.168.106.38.411: . ack 1 win
  365 (DF)
 
  A part of the TCP transaction disappear and i don't know why.
  Have you got ideas ???
 
 
 this looks like a classical mtu problem.  gre tunnel lowers the mtu
 and your tcp traffic uses mss of 1460 bytes and sets DF.  therefore
 it gets dropped once the router figures out it can't send that much
 data over the gre link.
 
 possible solutions are using path mtu discovery on clients or making
 sure their mtu is less than 1500 or doing forced fragmentation and
 defragmentation on the router or configuring the application to use
 smaller mss value (setsockopt TCP_MAXSEG).



Re: iked's ikev2 segfaults during connection initiation from strongswan

2013-09-25 Thread LEVAI Daniel
On sze, szept 25, 2013 at 14:57:13 +0200, Mike Belopuhov wrote:
 On 25 September 2013 14:41, LEVAI Daniel l...@ecentrum.hu wrote:
  Hi!
 
  I'm trying to setup StrongSwan (oh, the pain...) to iked(8) IPsec.  When
  trying to bring up the connection from the Linux end (ipsec up
  connection), the iked(8) at the OpenBSD (5.3-stable) endpoint
  segfaults. I'm trying to use certs and public keys for authentication
  for this host-to-host ESP tunnel connection.
  For the life of me I can not get a coredump from the ikev2 program, but
  attaching gdb to its PID won't give me a bt either because it can't seem
  to load the symbol table. I've recompiled iked from sources with
  CFLAGS=-g and without stripping, but still, no luck.
 
 
 use CFLAGS=-g -DDEBUG to disable chroot and generate a core dump.

Thanks! Here is gdb's output:

# gdb /sbin/iked iked.core
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as i386-unknown-openbsd5.3...
Core was generated by `iked'.
Program terminated with signal 11, Segmentation fault.
#0  0x1c01726b in ikev2_msg_send (env=0x86e6b000, msg=0xcfbeee10) at 
/usr/src/sbin/iked/ikev2_msg.c:296
296		m->msg_exchange = hdr->ike_exchange;
(gdb) list
291
292		if ((m = ikev2_msg_copy(env, msg)) == NULL) {
293			log_debug("%s: failed to copy a message", __func__);
294			return (-1);
295		}
296		m->msg_exchange = hdr->ike_exchange;
297
298		if (hdr->ike_flags & IKEV2_FLAG_RESPONSE) {
299			TAILQ_INSERT_TAIL(&sa->sa_responses, m, msg_entry);
300			timer_initialize(env, &m->msg_timer,
(gdb) bt
#0  0x1c01726b in ikev2_msg_send (env=0x86e6b000, msg=0xcfbeee10) at 
/usr/src/sbin/iked/ikev2_msg.c:296
#1  0x1c01836b in ikev2_msg_send_encrypt (env=0x86e6b000, sa=0x89ed, 
ep=0xcfbef134, exchange=35 '#', firstpayload=36 '$', response=1) at 
/usr/src/sbin/iked/ikev2_msg.c:625
#2  0x1c0106c2 in ikev2_resp_ike_auth (env=0x86e6b000, sa=0x89ed) at 
/usr/src/sbin/iked/ikev2.c:1993
#3  0x1c00bdef in ikev2_ike_auth (env=0x86e6b000, sa=0x89ed, msg=0x0) at 
/usr/src/sbin/iked/ikev2.c:566
#4  0x1c00ab98 in ikev2_dispatch_cert (fd=32, p=0x3c03e558, imsg=0xcfbef644) at 
/usr/src/sbin/iked/ikev2.c:234
#5  0x1c0282b9 in proc_dispatch (fd=32, event=2, arg=0x3c03e558) at 
/usr/src/sbin/iked/proc.c:324
#6  0x1c032885 in event_base_loop (base=0x7cfd0c00, flags=0) at 
/usr/src/lib/libevent/event.c:402
#7  0x1c032b2a in event_loop (flags=0) at /usr/src/lib/libevent/event.c:478
#8  0x1c032b42 in event_dispatch () at /usr/src/lib/libevent/event.c:416
#9  0x1c028180 in proc_run (ps=0x86e6b4e0, p=0x3c03e47c, procs=0x3c03e520, 
nproc=3, init=0, arg=0x0) at /usr/src/sbin/iked/proc.c:276
#10 0x1c00a69c in ikev2 (ps=0x86e6b4e0, p=0x3c03e47c) at 
/usr/src/sbin/iked/ikev2.c:114
#11 0x1c027976 in proc_init (ps=0x86e6b4e0, p=0x3c03e47c, nproc=3) at 
/usr/src/sbin/iked/proc.c:61
#12 0x1c00955a in main (argc=2, argv=0xcfbefc18) at 
/usr/src/sbin/iked/iked.c:157
(gdb) bt full
#0  0x1c01726b in ikev2_msg_send (env=0x86e6b000, msg=0xcfbeee10) at 
/usr/src/sbin/iked/ikev2_msg.c:296
sa = (struct iked_sa *) 0x89ed
buf = (struct ibuf *) 0x7eda8500
natt = 0
isnatt = 1
hdr = (struct ike_header *) 0x818dc000
m = (struct iked_message *) 0x87268c00
__func__ = ikev2_msg_send
#1  0x1c01836b in ikev2_msg_send_encrypt (env=0x86e6b000, sa=0x89ed, 
ep=0xcfbef134, exchange=35 '#', firstpayload=36 '$', response=1) at 
/usr/src/sbin/iked/ikev2_msg.c:625
resp = {msg_data = 0x7eda8500, msg_offset = 4, msg_local = {ss_len = 16 
'\020', ss_family = 2 '\002', __ss_pad1 = \021\224N\203WÃ, __ss_pad2 = 0, 
__ss_pad3 = '\0' repeats 239 times}, msg_locallen = 16, msg_peer = 
{ss_len = 16 '\020', ss_family = 2 '\002', __ss_pad1 = \022\231[Rj\202, 
__ss_pad2 = 0, 
__ss_pad3 = '\0' repeats 239 times}, msg_peerlen = 16, msg_sock = 0x0, 
msg_fd = 12, msg_response = 1, msg_natt = 0, msg_error = 0, msg_e = 0, 
msg_parent = 0xcfbeee10, 
  msg_policy = 0x0, msg_sa = 0x89ed, msg_msgid = 1, msg_exchange = 0 '\0', 
msg_proposals = {tqh_first = 0x0, tqh_last = 0xcfbef050}, msg_rekey = {spi = 0, 
spi_size = 0 '\0', 
spi_protoid = 0 '\0'}, msg_nonce = 0x0, msg_ke = 0x0, msg_auth = {id_type = 
0 '\0', id_offset = 0 '\0', id_buf = 0x0}, msg_id = {id_type = 0 '\0', 
id_offset = 0 '\0', 
id_buf = 0x0}, msg_cert = {id_type = 0 '\0', id_offset = 0 '\0', id_buf = 
0x0}, msg_prop = 0x0, msg_attrlength = 0, msg_timer = {tmr_ev = {ev_next = 
{tqe_next = 0x0, 
tqe_prev = 0x0}, ev_active_next = {tqe_next = 0x0, tqe_prev = 0x0}, 
ev_signal_next = {tqe_next = 0x0, tqe_prev = 

Re: mailx : mime handling?

2013-09-25 Thread Roberto E. Vargas Caballero
 It would be nice if metamail works again. Perhaps to have something
 like an editor to be called with ~e (when EDITOR is set to it) in mail
 that allow to add attachments and to call another editor for writing
 the text. For reading IMAP it would be nice to have the possibility
 to mount the remote folder as a local file (no work in FUSE?). 
 Another question is how to send with alternative smtp servers.

I use fetchmail for getting my external folders with imap. It is really
simple and fits fine with the rest of my mail system.

-- 
Roberto E. Vargas Caballero

k...@shike2.com
http://www.shike2.com



Re: mailx : mime handling?

2013-09-25 Thread Richard Thornton

I like both pine/alpine;  Both compile with no tweaking.

Richard


On Wed, 25 Sep 2013, Eric Johnson wrote:


On Wed, 25 Sep 2013, Dmitrij D. Czarkoff wrote:


Mayuresh Kathe said:

hi, how do mailx users currently handle mime?


They don't. They install mutt, s-nail or whatever.


pine/alpine

Eric




OpenBSD5.3/PF Settings help request

2013-09-25 Thread Adelin Balou
Dear Sir/Madame,


I am a student in pending Master's degree in Network and Security at
University of Valenciennes (France), I am currently encountering problems
while setting up a Firewall with Packet Filter on OpenBSD 5.3.


I wall a PC with 3 network interfaces ( xl0 : connected to WAN , xl1 :
connected to WLAN , xl2 : connected to LAN ). I need that this PC works like a
firewall. I have installed OpenBSD and setting up rules in /etc/pf.conf
(please to find attached to this mail my pf.conf file it is commented in
French, if any questions just let me know).


The problem is : The Firewall has Internet and hosts on WLAN and LAN can't
connect to internet. I don't know if my NAT and Filtering rules are not
matching. My /etc/resolv.conf has an ADSL internet Box address and DNS is
working correctly. My xl0 interface has got IP from DHCP server from the ADSL
Internet Box so no need to create a file /etc/mygate to specify the ADSL
Internet Box default gateway. The command route show shows me my default
gateway.


I have contacted http://www.evolix.fr/ one of the OpenBSD support link
http://www.openbsd.org/support.html in Marseille (France) they have read the
file but they can't find the problem. I will be grateful if you could help me.


Please find attached my pf.conf file.


I am looking forward to reading from you as soon as possible.


Kind regards,



-- Adelin Balou
Second-year Master's student in Security and Networks.
Institut des Sciences et Techniques de Valenciennes
Université de Valenciennes et du Hainaut-Cambrésis
Telephone: +33 3 27 27 07 22
Mobile: +33 6 17 46 10 72

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of pf.conf]



Re: OpenBSD5.3/PF Settings help request

2013-09-25 Thread Claer
On Wed, Sep 25 2013 at 40:16, Adelin Balou wrote:

 Dear Sir/Madame,
 
 
 I am a student in pending Master's degree in Network and Security at
 University of Valenciennes (France), I am currently encountering problems
 while setting up a Firewall with Packet Filter on OpenBSD 5.3.
 
 
 I wall a PC with 3 network interfaces ( xl0 : connected to WAN , xl1 :
 connected to WLAN , xl2 : connected to LAN ). I need that this PC works like a
 firewall. I have installed OpenBSD and setting up rules in /etc/pf.conf
 (please to find attached to this mail my pf.conf file it is commented in
 French, if any questions just let me know).
 
 
 The problem is : The Firewall has Internet and hosts on WLAN and LAN can't
 connect to internet. I don't know if my NAT and Filtering rules are not
 matching. My /etc/resolv.conf has an ADSL internet Box address and DNS is
 working correctly. My xl0 interface has got IP from DHCP server from the ADSL
 Internet Box so no need to create a file /etc/mygate to specify the ADSL
 Internet Box default gateway. The command route show shows me my default
 gateway.

Hi,

Did you enable IP forwarding in sysctl.conf?
DNS has nothing to do with packets going through a firewall.

 I have contacted http://www.evolix.fr/ one of the OpenBSD support link
 http://www.openbsd.org/support.html in Marseille (France) they have read the
 file but they can't find the problem. I will be grateful if you could help me.
 
 
 Please find attached my pf.conf file.
Attachments are blocked on this list ;-)

You can read the PF book http://home.nuug.no/~peter/pf/ to find good
information on PF.

Regards,

Claer



Re: OpenBSD5.3/PF Settings help request

2013-09-25 Thread Erling Westenvik
On Wed, Sep 25, 2013 at 04:40:37PM +0200, Adelin Balou wrote:
 The problem is : The Firewall has Internet and hosts on WLAN and LAN can't
 connect to internet. I don't know if my NAT and Filtering rules are not
 matching. My /etc/resolv.conf has an ADSL internet Box address and DNS is
 working correctly. My xl0 interface has got IP from DHCP server from the ADSL
 Internet Box so no need to create a file /etc/mygate to specify the ADSL
 Internet Box default gateway. The command route show shows me my default
 gateway.

Have you enabled ip forwarding?

$ grep net.inet.ip.forwarding /etc/sysctl.conf
net.inet.ip.forwarding=1

Regards

Erling
 
 
 I have contacted http://www.evolix.fr/ one of the OpenBSD support link
 http://www.openbsd.org/support.html in Marseille (France) they have read the
 file but they can't find the problem. I will be grateful if you could help me.
 
 
 Please find attached my pf.conf file.
 
 
 I am looking forward to reading from you as soon as possible.
 
 
 Kind regards,
 
 
 
 -- Adelin Balou
 Second-year Master's student in Security and Networks.
 Institut des Sciences et Techniques de Valenciennes
 Université de Valenciennes et du Hainaut-Cambrésis
 Telephone: +33 3 27 27 07 22
 Mobile: +33 6 17 46 10 72
 
 [demime 1.01d removed an attachment of type application/octet-stream which 
 had a name of pf.conf]



Re: OpenBSD5.3/PF Settings help request

2013-09-25 Thread Marios Makassikis
On 25 September 2013 16:40, Adelin Balou 
adelin.ba...@etu.univ-valenciennes.fr wrote:

 Dear Sir/Madame,


 I am a student in pending Master's degree in Network and Security at
 University of Valenciennes (France), I am currently encountering problems
 while setting up a Firewall with Packet Filter on OpenBSD 5.3.


 I wall a PC with 3 network interfaces ( xl0 : connected to WAN , xl1 :
 connected to WLAN , xl2 : connected to LAN ). I need that this PC works
 like a
 firewall. I have installed OpenBSD and setting up rules in /etc/pf.conf
 (please to find attached to this mail my pf.conf file it is commented in
 French, if any questions just let me know).


 The problem is : The Firewall has Internet and hosts on WLAN and LAN can't
 connect to internet.



 I don't know if my NAT and Filtering rules are not
 matching.


Add the 'log' keyword to the rules you want to verify and run tcpdump on
the pflog0 interface.
When you're done, don't forget to remove the log keyword, or you might end
up filling your disk with logs.

Another way to see if it matches is to look at the counters for each rule
when running pfctl -vvsr


 My /etc/resolv.conf has an ADSL internet Box address and DNS is
 working correctly. My xl0 interface has got IP from DHCP server from the
 ADSL
 Internet Box so no need to create a file /etc/mygate to specify the ADSL
 Internet Box default gateway. The command route show shows me my default
 gateway.


 I have contacted http://www.evolix.fr/ one of the OpenBSD support link
 http://www.openbsd.org/support.html in Marseille (France) they have read
 the
 file but they can't find the problem. I will be grateful if you could help
 me.


 Please find attached my pf.conf file.


 I am looking forward to reading from you as soon as possible.


 Kind regards,



 -- Adelin Balou
 Second-year Master's student in Security and Networks.
 Institut des Sciences et Techniques de Valenciennes
 Université de Valenciennes et du Hainaut-Cambrésis
 Telephone: +33 3 27 27 07 22
 Mobile: +33 6 17 46 10 72

 [demime 1.01d removed an attachment of type application/octet-stream which
 had a name of pf.conf]



Re: OpenBSD5.3/PF Settings help request

2013-09-25 Thread Jérémie Courrèges-Anglas
Hi,

Adelin Balou adelin.ba...@etu.univ-valenciennes.fr writes:

[...]

 Please find attached my pf.conf file.

[...]

 [demime 1.01d removed an attachment of type application/octet-stream which 
 had a name of pf.conf]

No attachment allowed here.

-- 
jca | PGP: 0x06A11494 / 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1 1494



Re: OpenBSD5.3/PF Settings help request

2013-09-25 Thread Janne Johansson
2013/9/25 Erling Westenvik erling.westen...@gmail.com

 On Wed, Sep 25, 2013 at 04:40:37PM +0200, Adelin Balou wrote:
  The problem is : The Firewall has Internet and hosts on WLAN and LAN
 can't
  connect to internet. I don't know if my NAT and Filtering rules are not
  matching. My /etc/resolv.conf has an ADSL internet Box address and DNS is
  working correctly. My xl0 interface has got IP from DHCP server from the
 ADSL
  Internet Box so no need to create a file /etc/mygate to specify the ADSL
  Internet Box default gateway. The command route show shows me my default
  gateway.

 Have you enabled ip forwarding?

 $ grep net.inet.ip.forwarding /etc/sysctl.conf
 net.inet.ip.forwarding=1


The output from:
sysctl net.inet.ip.forwarding
would almost be more interesting, since the above file is only valid if
you have rebooted the box since last changing that line. I assume you
already knew that of course, but for the archives...


-- 

May the most significant bit of your life be positive.
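
The two checks suggested in this thread (per-rule counters from pfctl -vvsr, and sysctl.conf versus the value the running kernel uses) can be scripted. The following is an added example, not posted by anyone in the thread; the function names, the sample pfctl output and the sample sysctl.conf lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: two checks for a PF gateway whose clients cannot get out.
# Function names and all sample data below are constructed for illustration.

# Compare the boot-time setting in a sysctl.conf-style file with the value the
# kernel uses right now.  $1 = path to the file, $2 = live value, e.g.
# "$(sysctl -n net.inet.ip.forwarding)" when run on the firewall itself.
# Commented-out lines ("#net.inet.ip.forwarding=1") are ignored, which a
# plain grep for the variable name would not do.
forwarding_state() {
    fw_conf=$(sed -n \
        's/^[[:space:]]*net\.inet\.ip\.forwarding[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        "$1" | tail -n 1)
    fw_live=$2
    if [ "$fw_live" = "1" ] && [ "$fw_conf" = "1" ]; then
        echo "ok"
    elif [ "$fw_live" = "1" ]; then
        echo "live-only"     # forwarding now, but not after the next reboot
    elif [ "$fw_conf" = "1" ]; then
        echo "pending"       # file edited, running kernel not updated
    else
        echo "disabled"
    fi
}

# Read `pfctl -vvsr` output on stdin and print the "@N rule" line of every
# rule whose packet counter is still zero, i.e. rules no traffic has matched.
pf_unmatched_rules() {
    awk '
        /^@[0-9]+ / { rule = $0; next }
        /Packets:/ {
            for (i = 1; i < NF; i++)
                if ($i == "Packets:" && $(i + 1) == 0)
                    print rule
        }
    '
}

# Constructed sample in the layout of `pfctl -vvsr` (xl0 = WAN, xl2 = LAN).
sample_pfctl_output() {
    cat <<'EOF'
@0 block drop log all
  [ Evaluations: 1520      Packets: 310       Bytes: 24800       States: 0     ]
  [ Inserted: uid 0 pid 4123 State Creations: 0     ]
@1 pass in on xl2 inet from 192.168.2.0/24 to any flags S/SA
  [ Evaluations: 1520      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4123 State Creations: 0     ]
@2 pass out on xl0 inet from 192.168.2.0/24 to any flags S/SA nat-to (xl0:0)
  [ Evaluations: 905       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4123 State Creations: 0     ]
@3 pass out on xl0 inet from (xl0) to any flags S/SA
  [ Evaluations: 905       Packets: 4212      Bytes: 512000      States: 12    ]
  [ Inserted: uid 0 pid 4123 State Creations: 12    ]
EOF
}

# Constructed sysctl.conf content: the variable is set, nothing else.
sample_sysctl_conf() {
    printf 'net.inet.ip.forwarding=1\t# 1=Permit forwarding of IPv4 packets\n'
}

# Demonstration on the constructed data.  On the firewall itself, use
#   pfctl -vvsr | pf_unmatched_rules
#   forwarding_state /etc/sysctl.conf "$(sysctl -n net.inet.ip.forwarding)"
demo_conf=$(mktemp)
sample_sysctl_conf > "$demo_conf"
echo "forwarding: $(forwarding_state "$demo_conf" 0)"
rm -f "$demo_conf"
echo "rules that never matched a packet:"
sample_pfctl_output | pf_unmatched_rules
```

A "pending" result is the case where the file was edited but the box has not been rebooted since; a NAT or pass rule listed by pf_unmatched_rules is one that client traffic never reached.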



Gnome would not start

2013-09-25 Thread Roelof Wobben
Hello, 

I did all the steps from this tutorial (http://callfortesting.org/gnome3)
And I did all the steps that the pkg-readmes/gnome-3.6 says.

But still I see a login screen from xdm and fvwm starts up.

How can I take care that gnome is starting.

Roelof



Re: mailx : mime handling?

2013-09-25 Thread L. V. Lammert
On Wed, 25 Sep 2013, Eric Johnson wrote:

 pine/alpine

2nd, 3rd. pine/alpine is much more flexible than Mutt, as it can handle
multiple 'personalities'.

Lee



Re: mailx : mime handling?

2013-09-25 Thread Dmitrij D. Czarkoff
hru...@gmail.com said:
 It would be nice if metamail works again. Perhaps to have something
 like an editor to be called with ~e (when EDITOR is set to it) in mail
 that allow to add attachments and to call another editor for writing
 the text.

And you don't need threaded view for IMAP?

 For reading IMAP it would be nice to have the possibility to mount the
 remote folder as a local file (no work in FUSE?).

You have mail/isync and mail/offlineimap for that. I use the former, and it
does the trick.

 Another question is how to send with alternative smtp servers.

OpenSMTPd sends my mail via Google's SMTP for me (though you may observe in
the headers of this message that it doesn't try to hide my IP and hostname).
Sendmail also supports this.

In the end I use mutt in always disconnected mode, and it feels quite good.
(Or would feel if Google's IMAP wasn't so brain-damaged and unconformant.)

-- 
Dmitrij D. Czarkoff



Re: mailx : mime handling?

2013-09-25 Thread hruodr
Dmitrij D. Czarkoff czark...@gmail.com wrote:

 And you don't need threaded view for IMAP?

I don't need it, because I never had it and never used it. Perhaps a 
good thing to have.

  For reading IMAP it would be nice to have the possibility to mount the
  remote folder as a local file (no work in FUSE?).

 You have mail/isync and mail/offlineimap for that. I use the former, and it
 does the trick.

I used fetchmail (recommended here by Roberto Vargas) and I have
very good experience with it. Would isync or offlineimap do a 
better work? 

The idea is not to synchronize remote and local mailfolders, but to
read the headers and only download the messages that one wants to read.
That is also what imap is for. Perhaps this problem will some day be
solved with the plan9 for the user space port. 

  Another question is how to send with alternative smtp servers.

 OpenSMTPd sends my mail via Google's SMTP for me (though you may observe in
 the headers of this message that it doesn't try to hide my IP and hostname).
 Sendmail also supports this.

I did configure sendmail to do it, it was not trivial. But I cannot
decide at the moment of sending a mail, what smtp server I want to use.
To change the configuration of sendmail only for sending a mail is
too much.

In Heirloom mailx (nail) you can define different accounts in the 
configuration file, they contain a key, the imap and smtp server to use, 
as also data for the authentication. When calling nail, you can
give it with the option -A the key of the account to use. If you use normal 
mail, it will take the same configuration file and complain because of these
data: that is why I said that the configuration file should have another
name than mailx.

 In the end I use mutt in always disconnected mode, and it feels quite good.
 (Or would feel if Google's IMAP wasn't so brain-damaged and unconformant.)

I suspect mutt is the better mail program, although more complicated, less
intuitive to use and configure. I gave up the search for the perfect mail
program.

Rodrigo.



Re: Alternate authentication source in OpenSMTPd

2013-09-25 Thread Daniel Ouellet
Thanks Gilles!

I will test, but I sure can also wait for the 5.4 to be out as it is
just around the corner anyway!

Many thanks for the wonderful work!

Daniel


On 9/25/13 5:39 AM, Gilles Chehade wrote:
 On Wed, Sep 25, 2013 at 04:15:01AM -0400, Daniel Ouellet wrote:
 Hi,


 Hi,


 Is this still true from the man himself:

 What is not yet possible is to use alternate authentication sources.

 http://marc.info/?l=openbsd-misc&m=129230912814295&w=2


 It's officially still true, unofficially you can do it on recent
 versions by declaring a table (i'll use a static table for the example
 but you can use a file, db, sqlite or ldap one):

 $ encrypt
 mypassword
 $2a$06$BTOM8Ck.HEInGF888KbjiORoXSOFT.McbLZIS85gMSmHTPA5Tds2S
 $

 smtpd.conf:

table mycreds { gilles = gilles:$2a$06$BTO[...]PA5Tds2S }
listen on [...] auth mycreds

 and now, user 'gilles' can authenticate with password 'mypassword'

 The feature has now stabilized, documented and will be officially
 supported in the next stable release we do shortly after OpenBSD 5.4


 I try any and every way I could think of without success. I thought that
 may be there was a way to do so using some kind of variation of this
 from the man page:

 accept from any for any relay via smtps+auth://label@localhost auth
 secrets


 You won't have success with that because relaying auth and incoming auth
 are completely unrelated, you're only adding one indirection to the
 same issue.

 However you successfully turned your setup into an open relay with:

from any for any


 So, is this correct to assume the option to do so is still not available
 yet? Not a huge deal, I just would like to know so that I stop beating
 myself trying to get it to work.


 summary:

 For OpenSMTPD versions earlier than 5.3.3, it's correct to assume that.
 For OpenSMTPD 5.3.3, it's a hidden feature that does work.
 For next stable OpenSMTPD release, it'll no longer be hidden ;-)

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]



Re: mailx : mime handling?

2013-09-25 Thread Dmitrij D. Czarkoff
hru...@gmail.com said:
 The idea is not to synchronize remote and local mailfolders, but to
 read the headers and only download the messages that one wants to read.

Then all you need is IMAP - almost every mail client caches headers and only
downloads the messages' bodies when requested.

 I did configure sendmail to do it, it was not trivial. But I cannot
 decide at the moment of sending a mail, what smtp server I want to use.
 to change the configuration of sendmail only for sending a mail is
 too much.

With OpenSMTPd you may have a set of rules based on sender and alter From
in the message headers when composing.

-- 
Dmitrij D. Czarkoff



Re: mailx : mime handling?

2013-09-25 Thread Daode
 hruodr at gmail.com writes: 
 In Heirloom mailx (nail) you can define different accounts in the
 configuration file, they contain a key, the imap and smtp server to use,
 as also data for the authentication. When calling nail, you can
 give it with the option -A the key of the account to use. If you use normal
 mail, it will take the same configuration file and complain because of these
 data: that is why I said that the configuration file should have another
 name than mailx.

In ~/.mailrc:

  set NAIL_EXTRA_RC=~/.file-with-nail-specific-configs

should help you out.

--steffen



Re: Verified OS concerns

2013-09-25 Thread iki tornsen
Things change, computer dev evolves too
openbsd dev team uses audit code with great success
but many industrial domains use new techniques like static analysis with
success too
for example in avionics soft : astrée is a tool that certified Airbus plane
software with static analysis
read astree web page http://www.astree.ens.fr/

in such domain perfection could not exist : church gödel turing in 1930 ...

but
it could be interesting for the core team to have a static analysis tool
to test OpenBSD kernel code
it will not be a simple task for sure but it's for my own opinion  a
necessity
 and keep openBSD far beyond ...

some researchers still have this in mind  ...  openbsd
superlint http://kindsoftware.com/documents/proposals/superlint.html

in short and private joke : openbsd, (model) checks your 6 ! ... (release)
;)
Iki



Re: iked's ikev2 segfaults during connection initiation from strongswan

2013-09-25 Thread Reyk Floeter
Hi,


On 25.09.2013, at 15:23, LEVAI Daniel l...@ecentrum.hu wrote:

 On sze, szept 25, 2013 at 14:57:13 +0200, Mike Belopuhov wrote:
 On 25 September 2013 14:41, LEVAI Daniel l...@ecentrum.hu wrote:
 Hi!
 
 I'm trying to setup StrongSwan (oh, the pain...) to iked(8) IPsec.  When
 trying to bring up the connection from the Linux end (ipsec up
 connection), the iked(8) at the OpenBSD (5.3-stable) endpoint
 segfaults. I'm trying to use certs and public keys for authentication
 for this host-to-host ESP tunnel connection.
 For the life of me I can not get a coredump from the ikev2 program, but
 attaching gdb to its PID won't give me a bt either because it can't seem
 to load the symbol table. I've recompiled iked from sources with
 CFLAGS=-g and without stripping, but still, no luck.
 
 
 use CFLAGS=-g -DDEBUG to disable chroot and generate a core dump.
 
 Thanks! Here is gdb's output:
 
 # gdb /sbin/iked iked.core
 GNU gdb 6.3
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type show copying to see the conditions.
 There is absolutely no warranty for GDB.  Type show warranty for details.
 This GDB was configured as i386-unknown-openbsd5.3...
 Core was generated by `iked'.
 Program terminated with signal 11, Segmentation fault.
 #0  0x1c01726b in ikev2_msg_send (env=0x86e6b000, msg=0xcfbeee10) at 
 /usr/src/sbin/iked/ikev2_msg.c:296
 296   m->msg_exchange = hdr->ike_exchange;

this shouldn't fail, it sounds like memory corruption somewhere else.

but can you also print *m and *hdr in gdb?

Reyk

 (gdb) list
 291
 292     if ((m = ikev2_msg_copy(env, msg)) == NULL) {
 293         log_debug("%s: failed to copy a message", __func__);
 294         return (-1);
 295     }
 296     m->msg_exchange = hdr->ike_exchange;
 297
 298     if (hdr->ike_flags & IKEV2_FLAG_RESPONSE) {
 299         TAILQ_INSERT_TAIL(&sa->sa_responses, m, msg_entry);
 300         timer_initialize(env, &m->msg_timer,
 (gdb) bt
 #0  0x1c01726b in ikev2_msg_send (env=0x86e6b000, msg=0xcfbeee10) at 
 /usr/src/sbin/iked/ikev2_msg.c:296
 #1  0x1c01836b in ikev2_msg_send_encrypt (env=0x86e6b000, sa=0x89ed, 
 ep=0xcfbef134, exchange=35 '#', firstpayload=36 '$', response=1) at 
 /usr/src/sbin/iked/ikev2_msg.c:625
 #2  0x1c0106c2 in ikev2_resp_ike_auth (env=0x86e6b000, sa=0x89ed) at 
 /usr/src/sbin/iked/ikev2.c:1993
 #3  0x1c00bdef in ikev2_ike_auth (env=0x86e6b000, sa=0x89ed, msg=0x0) at 
 /usr/src/sbin/iked/ikev2.c:566
 #4  0x1c00ab98 in ikev2_dispatch_cert (fd=32, p=0x3c03e558, imsg=0xcfbef644) 
 at /usr/src/sbin/iked/ikev2.c:234
 #5  0x1c0282b9 in proc_dispatch (fd=32, event=2, arg=0x3c03e558) at 
 /usr/src/sbin/iked/proc.c:324
 #6  0x1c032885 in event_base_loop (base=0x7cfd0c00, flags=0) at 
 /usr/src/lib/libevent/event.c:402
 #7  0x1c032b2a in event_loop (flags=0) at /usr/src/lib/libevent/event.c:478
 #8  0x1c032b42 in event_dispatch () at /usr/src/lib/libevent/event.c:416
 #9  0x1c028180 in proc_run (ps=0x86e6b4e0, p=0x3c03e47c, procs=0x3c03e520, 
 nproc=3, init=0, arg=0x0) at /usr/src/sbin/iked/proc.c:276
 #10 0x1c00a69c in ikev2 (ps=0x86e6b4e0, p=0x3c03e47c) at 
 /usr/src/sbin/iked/ikev2.c:114
 #11 0x1c027976 in proc_init (ps=0x86e6b4e0, p=0x3c03e47c, nproc=3) at 
 /usr/src/sbin/iked/proc.c:61
 #12 0x1c00955a in main (argc=2, argv=0xcfbefc18) at 
 /usr/src/sbin/iked/iked.c:157
 (gdb) bt full
 #0  0x1c01726b in ikev2_msg_send (env=0x86e6b000, msg=0xcfbeee10) at 
 /usr/src/sbin/iked/ikev2_msg.c:296
   sa = (struct iked_sa *) 0x89ed
   buf = (struct ibuf *) 0x7eda8500
   natt = 0
   isnatt = 1
   hdr = (struct ike_header *) 0x818dc000
   m = (struct iked_message *) 0x87268c00
   __func__ = ikev2_msg_send
 #1  0x1c01836b in ikev2_msg_send_encrypt (env=0x86e6b000, sa=0x89ed, 
 ep=0xcfbef134, exchange=35 '#', firstpayload=36 '$', response=1) at 
 /usr/src/sbin/iked/ikev2_msg.c:625
   resp = {msg_data = 0x7eda8500, msg_offset = 4, msg_local = {ss_len = 16 
 '\020', ss_family = 2 '\002', __ss_pad1 = \021\224N\203WÃ, __ss_pad2 = 0, 
__ss_pad3 = '\0' repeats 239 times}, msg_locallen = 16, msg_peer = 
 {ss_len = 16 '\020', ss_family = 2 '\002', __ss_pad1 = \022\231[Rj\202, 
 __ss_pad2 = 0, 
__ss_pad3 = '\0' repeats 239 times}, msg_peerlen = 16, msg_sock = 0x0, 
 msg_fd = 12, msg_response = 1, msg_natt = 0, msg_error = 0, msg_e = 0, 
 msg_parent = 0xcfbeee10, 
  msg_policy = 0x0, msg_sa = 0x89ed, msg_msgid = 1, msg_exchange = 0 '\0', 
 msg_proposals = {tqh_first = 0x0, tqh_last = 0xcfbef050}, msg_rekey = {spi = 
 0, spi_size = 0 '\0', 
spi_protoid = 0 '\0'}, msg_nonce = 0x0, msg_ke = 0x0, msg_auth = {id_type 
 = 0 '\0', id_offset = 0 '\0', id_buf = 0x0}, msg_id = {id_type = 0 '\0', 
 id_offset = 0 '\0', 
id_buf = 0x0}, msg_cert = {id_type = 0 '\0', 

Re: mailx : mime handling?

2013-09-25 Thread Dmitrij D. Czarkoff
Steffen Daode Nurpmeso said:
 In ~/.mailrc:
 
   set NAIL_EXTRA_RC=~/.file-with-nail-specific-configs
 
 should help you out.

Or just export NAILRC=~/.nailrc in ~/.kshrc, ~/.bashrc or wherever you set
your environment.

-- 
Dmitrij D. Czarkoff



Re: Gnome would not start

2013-09-25 Thread Remco
Roelof Wobben wrote:

 Hello,
 
 I did all the steps from this tutorial (http://callfortesting.org/gnome3)
 And I did all the steps that the pkg-readmes/gnome-3.6 says.
 
 But still I see a login screen from xdm and fvwm starts up.
 
 How can I take care that gnome is starting.
 
 Roelof

I suspect you need to learn the difference between startx/.xinitrc and 
xdm/.xsession. The website's FAQ, section 11.5 Customizing X, is probably a 
good start.



Re: Interface input errors incrementing

2013-09-25 Thread Stuart Henderson
On 2013-09-25, Darren Spruell phatbuck...@gmail.com wrote:
 On Tue, Sep 24, 2013 at 5:18 AM, Stuart Henderson s...@spacehopper.org 
 wrote:
 On 2013-09-24, Darren Spruell phatbuck...@gmail.com wrote:
 On Fri, Sep 20, 2013 at 12:13 PM, Alexey E. Suslikov
alexey.susli...@gmail.com wrote:
 Any idea what the issue could be?

 could you provide netstat -s output after several hours?

 To circle back, errors started building again and below is netstat -s.
 As Chris suggested I'll try a snapshot and see if issue surfaces
 again.

 Are you certain your cabling and switch are OK?

 No. I've got to swap them out to see but wanted to first check out the
 firewall due to fact that rebooting it clears the issue for a few
 days.

 What do you mean by ethernet tap?

 One of these units:

 http://auctionimages.s3.amazonaws.com/1936/20572/14577108.jpg

 It sends a copy of network traffic from link between firewall and LAN
 switch to an IDS sensor. I'll also need to verify it along with the
 switch (it's a layer 1 device and passes through link negotiation but
 could still introduce errors I believe).


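  +-------------+    +----------+    +-----+    +--------+
  | cable modem |----| firewall |----| tap |----| switch |
  +-------------+    +----------+    +-----+    +--------+
                                       | |
                                       | |
                                       | |      +--------+
                                       |  \.----|        |
                                        \_______| sensor |
                                                |        |
                                                +--------+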



I thought so, but then I noticed you were using autoneg and I was
under the (possibly mistaken) impression that these didn't work properly
with autoneg. (though I'm also a bit unsure whether sis works properly
*without* autoneg as I seem to remember some problem in that area ;)



Re: mailx : mime handling?

2013-09-25 Thread Predrag Punosevac
On Wed, 25 Sep 2013, Dmitrij D. Czarkoff wrote:

 Mayuresh Kathe said:
  hi, how do mailx users currently handle mime?
 
 They don't. They install mutt, s-nail or whatever.

That is not true! NetBSD version of mailx does support MIME. Porting
MIME support to OpenBSD version of mailx was long time on my todo
list. However due to my day job and the fact that s-nail is not anymore
orphaned it went to the back burner. 

I looked at the NetBSD code and most likely it would take one afternoon for
an experienced OpenBSD hacker to compile that thing on OpenBSD.

Cheers,
Predrag



Re: Gnome would not start

2013-09-25 Thread Stuart Henderson
On 2013-09-25, Roelof Wobben rwob...@hotmail.com wrote:
 Hello, 

 I did all the steps from this tutorial (http://callfortesting.org/gnome3)
 And I did all the steps that the pkg-readmes/gnome-3.6 says.

 But still I see a login screen from xdm and fvwm starts up.

 How can I take care that gnome is starting.

 Roelof  



Those instructions assume you are not running xdm; either disable it
(xdm_flags=NO in rc.conf.local) or edit .xsession instead of .xinitrc.

However I would recommend avoiding 3rd party instructions which may or
may not be in-sync with the version you have installed. Instead, after
you have run pkg_add gnome, just follow the pkg-readme instructions
(specifically the GDM section).



Re: pure_ftpd other option(style) not work

2013-09-25 Thread Stuart Henderson
On 2013-09-24, Fung fungm...@qq.com wrote:

 if  add other flags like -o, for example , change  /etc/rc.d/pure_ftpd  
 
 -daemon_flags=-A -B -H -u1000
 +daemon_flags=-o -A -B -H -u1000

Don't do this. Set pure_ftpd_flags=... in /etc/rc.conf.local instead.



Re: Gnome would not start

2013-09-25 Thread Roelof Wobben

 To: misc@openbsd.org
 From: s...@spacehopper.org
 Subject: Re: Gnome would not start
 Date: Wed, 25 Sep 2013 20:36:04 +

 On 2013-09-25, Roelof Wobben rwob...@hotmail.com wrote:
 Hello,

 I did all the steps from this tutorial (http://callfortesting.org/gnome3)
 And I did all the steps that the pkg-readmes/gnome-3.6 says.

 But still I see a login screen from xdm and fvwm starts up.

 How can I take care that gnome is starting.

 Roelof



 Those instructions assume you are not running xdm; either disable it
 (xdm_flags=NO in rc.conf.local) or edit .xsession instead of .xinitrc.

 However I would recommend avoiding 3rd party instructions which may or
 may not be in-sync with the version you have installed. Instead, after
 you have run pkg_add gnome, just follow the pkg-readme instructions
 (specifically the GDM section).


As I said I followed all the steps from the pkg-readme and the only thing
that the gnome readme says was to add gdm in rc.conf.local in the pkg_scripts
line. Tomorrow I will look if there is a gdm readme.

I also noticed that avahi-daemon is failing on startup. So I will look into the
avahi-daemon readme also.

Roelof



Re: iked's ikev2 segfaults during connection initiation from strongswan

2013-09-25 Thread Alexey E. Suslikov
Reyk Floeter reyk at openbsd.org writes:

  #0  0x1c01726b in ikev2_msg_send (env=0x86e6b000, msg=0xcfbeee10) at
/usr/src/sbin/iked/ikev2_msg.c:296
  296 m->msg_exchange = hdr->ike_exchange;
 
 this shouldn't fail, it sounds like memory corruption somewhere else.

this reminds

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/arch/amd64/amd64/amd64errata.c.diff?r1=1.3;r2=1.4

having static somewhere else may obfuscate trace results.



Gnome would not start

2013-09-25 Thread patrick keshishian
On Wednesday, September 25, 2013, Roelof Wobben wrote:

 
  To: misc@openbsd.org
  From: s...@spacehopper.org
  Subject: Re: Gnome would not start
  Date: Wed, 25 Sep 2013 20:36:04 +
 
  On 2013-09-25, Roelof Wobben rwob...@hotmail.com wrote:
  Hello,
 
  I did all the steps from this tutorial (
 http://callfortesting.org/gnome3)
  And I did all the steps that the pkg-readmes/gnome-3.6 says.
 
  But still I see a login screen from xdm and fvwm starts up.
 
  How can I take care that gnome is starting.
 
  Roelof
 
 
 
  Those instructions assume you are not running xdm; either disable it
  (xdm_flags=NO in rc.conf.local) or edit .xsession instead of .xinitrc.
 
  However I would recommend avoiding 3rd party instructions which may or
  may not be in-sync with the version you have installed. Instead, after
  you have run pkg_add gnome, just follow the pkg-readme instructions
  (specifically the GDM section).
 

 As I said I followed all the steps from the pkg-readme and the only thing
 that the gnome readme says was to add gdm in rc.conf.local in the
 pkg_scripts
 line. Tomorrow I will look if there is a gdm readme.


i don't use gnome, but tried setting it up for my dad a few weeks ago for
the first time, and i recall mention of requiring 3d acceleration and as
such access to /dev/drm (iirc?). so adding gdm to rc.conf.local isn't the
only thing it talks about.

--patrick



 I also noticed that avahi-daemon is failing on startup. So I will look
 into the avahi-daemon
 readme also.

 Roelof



software stack for portable application

2013-09-25 Thread Devin Reade

I have a software project that is initially targeted at Linux but
that I would like to have running on OpenBSD as well.  This being
new development, I have the flexibility of selecting the software
stack and I'd prefer to use one that minimizes the pain of making
it work on other platforms. Primary concern are workstation-based
platforms (OS-X and MS) but I'd prefer to avoid shooting myself in
the foot for IOS/Android if at all feasible.

So I'm soliciting recommendations for a software stack that will
work on Linux and OpenBSD, and hopefully others.  From a broad
perspective, I'm looking at:

- C/C++ source language
- graphical client abstraction (thick client, not browser based)
- network abstraction
- threading abstraction
- local disk I/O
- minimizing dependencies on any particular window manager
- libraries/frameworks that are sufficiently mainstream as to
 be unlikely to be abandon-ware in five years' time
- open source licensed (preferably BSD/Apache style, LGPL would
 be ok, GPL if necessary)

A bit of reading has me leaning toward basing things on Qt4 and
the Boost libraries, however if people know of warts when using
those on OpenBSD, or if there are additional/alternate solutions
then I'd prefer to find out about them now rather than later.

Thanks in advance,
Devin



ospfd and testing link flapping

2013-09-25 Thread Doran Mori
I have an OpenBSD box running 5.3 with multiple nics.

When I ifconfig down one of the transit links ospfd adds another route
instead of changing because the route is marked down in the kernel. When I
ifconfig up the link the original route and new one are both installed in
the routing table now. If I cycle down/up with ifconfig again now I get
multipath flags and eventually bgpd will freak out and quit because of this.

From digging around in the code:

In send_rtmsg in kroute.c shows how the route gets added:
...
retry:
	if (writev(fd, iov, iovcnt) == -1) {
		if (errno == ESRCH) {
			if (hdr.rtm_type == RTM_CHANGE) {
				hdr.rtm_type = RTM_ADD;
				goto retry;
			} else if (hdr.rtm_type == RTM_DELETE) {
				log_info("route %s/%u vanished before delete",
				    inet_ntoa(kroute->prefix),
				    kroute->prefixlen);
				return (0);
			}
		}

It can't find the route because it's marked down and switches from CHANGE
to ADD and retries.

I see related threads but nothing with a definite fix:
http://marc.info/?l=openbsd-misc&m=130710530911754&w=2
http://marc.info/?l=openbsd-misc&m=133759959417744&w=2
http://marc.info/?l=openbsd-misc&m=134892435720437&w=2
^-- this one seems the most promising but it's a big patch for me to
integrate myself since it's for ospf6d

I've been banging my head all day trying to figure out a fix or workaround.
Let me know if you need more specifics/configs etc.

dmo
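
A simplified model of the sequence described in this message, added here as an illustration and not taken from ospfd or the kernel: a toy route table in which a route on a down link is invisible to CHANGE (the post's explanation, assumed here), driven by the same CHANGE-to-ADD retry. All names (toy_kernel, send_rtmsg_model, flap_demo, MSG_*) and sample values are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Stand-in message types and constructed sample values (this example's own). */
enum { MSG_ADD = 1, MSG_DELETE, MSG_CHANGE, NSLOT = 8, GW_A = 1, GW_B = 2 };
#define PFX 0x0a000000u
struct route { unsigned prefix, gateway; int up, used; };
static struct route table[NSLOT];

/* Toy kernel table. Assumption taken from the post: a route whose link is
 * down is not found by CHANGE or DELETE, so those fail with ESRCH. */
static int toy_kernel(int type, unsigned prefix, unsigned gw)
{
	for (int i = 0; i < NSLOT; i++) {
		struct route *r = &table[i];
		if (type == MSG_ADD) {
			if (!r->used) { *r = (struct route){ prefix, gw, 1, 1 }; return 0; }
		} else if (r->used && r->up && r->prefix == prefix) {
			if (type == MSG_CHANGE) r->gateway = gw; else r->used = 0;
			return 0;
		}
	}
	errno = (type == MSG_ADD) ? ENOBUFS : ESRCH;
	return -1;
}

/* Same retry shape as the quoted send_rtmsg(): CHANGE becomes ADD on ESRCH. */
static int send_rtmsg_model(int type, unsigned prefix, unsigned gw)
{
retry:
	if (toy_kernel(type, prefix, gw) == -1) {
		if (errno == ESRCH && type == MSG_CHANGE) { type = MSG_ADD; goto retry; }
		return (errno == ESRCH && type == MSG_DELETE) ? 0 : -1;
	}
	return 0;
}

/* Routes installed for PFX after moving it to GW_B, with or without a flap. */
int flap_demo(int flap)
{
	int n = 0;
	memset(table, 0, sizeof(table));
	send_rtmsg_model(MSG_ADD, PFX, GW_A);
	if (flap) table[0].up = 0;                  /* ifconfig down on link A */
	send_rtmsg_model(MSG_CHANGE, PFX, GW_B);    /* ospfd reroutes */
	if (flap) table[0].up = 1;                  /* ifconfig up again */
	for (int i = 0; i < NSLOT; i++) n += table[i].used && table[i].up;
	return n;
}
int main(void) { printf("no flap: %d, flap: %d\n", flap_demo(0), flap_demo(1)); return 0; }
```

Without the flap the CHANGE rewrites the existing entry and one route remains; with it, the fallback ADD leaves the old and the new route installed side by side once the link returns.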



Re: mailx : mime handling?

2013-09-25 Thread hruodr
Predrag Punosevac punoseva...@gmail.com wrote:

 That is not true! NetBSD version of mailx does support MIME. Porting
[...]

 I looked the NetBSD code and most likely it would take one afternoon for
 an experienced OpenBSD hacker to compile that thing on OpenBSD.

But what speaks against my solution? mailx allows you to pass mails
through filters, allows you to call external editors with ~e and ~v.
And that should be enough to read and write mails with mime, to use
pgp, etc, if you have the appropriate external programs.

On the other side, if you begin adding mime, then you should follow
adding pgp, etc, and then we have another inflated mail program.

I think, people that do not use mailx, do it, because they like other
programs. Inflating mailx will not bring them to use it. And the
external programs are also useful in other contexts for everybody.

Rodrigo.



nitpicky : cwm menu font

2013-09-25 Thread Mayuresh Kathe
how do i find out which font is being used by xterm under cwm under openbsd?
then i could use that same font (and size) for the cwm menu to give me 
a consistent user experience. ;)