Re: Update OpenBSD Remotely

2015-05-18 Thread Doug Hogan
On Sun, May 17, 2015 at 11:52:19PM +0100, Raf Czlonka wrote:
> There are several things which this script does not check for - some of
> those are on my TODO list:

I didn't review your script, but I did ctrl+s...

TODO item #0 should be to use signify with SHA256.sig rather than
checking SHA256 directly.  There's an example in the man page. :)

SHA-256 checks if the files were downloaded properly, but it does not
check if the files are from us.  signify with SHA256.sig provides both
integrity and authentication.
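The distinction Doug draws, as an added example that is not part of the thread and not OpenBSD's own tooling: a SHA256 list gives integrity only, while signify(1) over SHA256.sig gives integrity and origin. The script assumes the sets, SHA256 and SHA256.sig sit in one directory and that the 5.7 release key is /etc/signify/openbsd-57-base.pub; the tamper demo uses constructed files, and sha256_of falls back to GNU sha256sum so the integrity part also runs outside OpenBSD.

```shell
# Added example: integrity (SHA256 list) versus integrity plus authentication
# (signify over SHA256.sig). Assumed layout: sets, SHA256 and SHA256.sig in one
# directory; 5.7 release key at /etc/signify/openbsd-57-base.pub.

PUBKEY=${PUBKEY:-/etc/signify/openbsd-57-base.pub}

# Hex SHA-256 of a file: OpenBSD sha256(1), or GNU sha256sum elsewhere.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Integrity only: compare one file with its "SHA256 (name) = hex" line in a
# checksum list. 0 = match, 1 = mismatch, 2 = file not listed. A list served by
# the same mirror as the file proves nothing about who produced either.
check_listed() {
    list=$1; name=$2; dir=$(dirname "$list")
    want=$(awk -v n="$name" '$1 == "SHA256" && $2 == "(" n ")" { print $4 }' "$list")
    [ -n "$want" ] || return 2
    [ "$(sha256_of "$dir/$name")" = "$want" ]
}

# Integrity plus authentication: signify -C verifies the Ed25519 signature on
# SHA256.sig with the release key, then checks the named files against the
# signed list. Returns signify's status, or 127 if signify is not installed.
verify_signed() {
    dir=$1; shift
    if ! command -v signify >/dev/null 2>&1; then
        echo "signify(1) not installed; only integrity was checked" >&2
        return 127
    fi
    ( cd "$dir" && signify -C -p "$PUBKEY" -x SHA256.sig "$@" )
}

# Constructed tamper demo: prints the check_listed results for a clean file,
# a modified file, and a modified file whose list was re-forged to match.
demo_tamper() {
    d=$(mktemp -d) || return 1
    printf 'original set\n' > "$d/bsd.rd"
    printf 'SHA256 (bsd.rd) = %s\n' "$(sha256_of "$d/bsd.rd")" > "$d/SHA256"
    check_listed "$d/SHA256" bsd.rd && clean=0 || clean=$?
    printf 'tampered set\n' > "$d/bsd.rd"
    check_listed "$d/SHA256" bsd.rd && tampered=0 || tampered=$?
    printf 'SHA256 (bsd.rd) = %s\n' "$(sha256_of "$d/bsd.rd")" > "$d/SHA256"
    check_listed "$d/SHA256" bsd.rd && forged=0 || forged=$?
    rm -rf "$d"
    echo "$clean $tampered $forged"   # 0 1 0: a re-forged list fools a bare SHA256 check
}
```

The last line of demo_tamper is the point: whoever can replace a set on a mirror can replace the SHA256 file next to it, so only verify_signed, which checks the signature on SHA256.sig before trusting any hash in it, tells you the sets came from the project.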



Re: Update OpenBSD Remotely

2015-05-18 Thread Giancarlo Razzolini
On 17-05-2015 11:08, Peter Leber wrote:
> I recognize that there's m:tier's binary patching service 
> (https://stable.mtier.org), but the packages are signed
> by m:tier rather than the OpenBSD project. While following m:tier's
> binary patches is a good compromise to me, it's not a perfect solution.
> I'm perfectly fine with running the -current flavour of OpenBSD feature-
> and stability-wise, but I did not have the success of remotely triggering
> a script, rebooting the machine and have an up and running updated
> machine.
> While I did find the autoinstall(8) feature, which, since 5.7, should be
> able to trigger an automatic upgrade if the file /auto_upgrade.conf is
> present, I did not see an effect in the bootup messages on the virtual
> machine I'm using for testing things out.
> Furthermore, I did find a tool named snap, aiming at making running 
> -current more enjoyable (see https://github.com/qbit/snap), but it does
> also seem to be relying on the user to manually start the upgrading
> process on system reboot, if I got everything correctly.
Do you really need to follow -current? Because I've been using
m:tier and their openup tool for years to follow -stable with no
problems. I don't like the idea of automatic update + reboot. But it's
doable with openup. I personally have it set up to run with -c from cron
so it will mail me what changed.

Following -current on a production or critical environment will
prove to be a challenge. Unless you carefully test each snapshot and
then have some tool like puppet to automate the upgrade with snap or
other tool. Even with autoinstall(8).

Cheers,
Giancarlo Razzolini



Re: Update OpenBSD Remotely

2015-05-18 Thread Aaron Bieber
On Sun, May 17, 2015, at 08:08 AM, Peter Leber wrote:
> I want to build a test system based on OpenBSD 5.7 which updates
> in an automated fashion.
> The goal is to have a remotely located machine which runs OpenBSD 5.7
> and is constantly updated. While restarting the machine remotely via SSH
> is perfectly fine to me, I do not want to access the machine locally in
> order to interrupt the automatic reboot in order to trigger the manual
> upgrading process. I'm fine with following -stable and -current alike.
> 
> I recognize that there's m:tier's binary patching service 
> (https://stable.mtier.org), but the packages are signed
> by m:tier rather than the OpenBSD project. While following m:tier's
> binary patches is a good compromise to me, it's not a perfect solution.
> I'm perfectly fine with running the -current flavour of OpenBSD feature-
> and stability-wise, but I did not have the success of remotely triggering
> a script, rebooting the machine and have an up and running updated
> machine.
> While I did find the autoinstall(8) feature, which, since 5.7, should be
> able to trigger an automatic upgrade if the file /auto_upgrade.conf is
> present, I did not see an effect in the bootup messages on the virtual
> machine I'm using for testing things out.
> Furthermore, I did find a tool named snap, aiming at making running 
> -current more enjoyable (see https://github.com/qbit/snap), but it does
> also seem to be relying on the user to manually start the upgrading
> process on system reboot, if I got everything correctly.

Author of snap here. It depends, you can have it run things
automatically for you.. or it can just install the sets. By default it
will only install the sets.

It's specifically designed to run with no external dependencies (nothing
needs to be installed from ports) and can be run from cron. If you do
use it via cron don't forget to run sysmerge!

Let me know if you have any questions :D

> 
> Is there someone aware of a procedure which could help me solving my
> problem?
> I thank you very much in advance.
> 
> Peter



possible httpd Content-Length overflow

2015-05-18 Thread lists
I'm not intimately familiar with the HTTP spec, but I'm having an issue
transferring a large file (2GB) from httpd.

Chrome starts streaming the file, but stops somewhere between 7-10 MB.
Using the debugger, it appears that the "Content-Length" header is
negative (-2095872469) in this case.

A quick search of misc@ turned up nothing related to this, but maybe I
missed it somewhere.
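A consistency check for the symptom in this post, added here and not part of the original message. If httpd hands the file size through a signed 32-bit integer (an assumption; the post only reports the negative header), every file of 2 GiB or more wraps to a negative Content-Length. The helpers below wrap and unwrap the same way, so the size from ls -l can be compared with what the browser's debugger shows: -2095872469 unwraps to 2199094827 bytes, about 2.05 GiB, which fits the "2GB" file described.

```shell
# Added example: check whether a negative Content-Length is consistent with a
# signed 32-bit wrap of the real file size. Assumed: shell arithmetic is at
# least 64-bit (ksh, bash and dash all qualify); sizes passed in are >= 0.

# Interpret a byte count as a signed 32-bit integer (two's complement wrap).
wrap_int32() {
    n=$(( $1 % 4294967296 ))
    if [ "$n" -ge 2147483648 ]; then
        n=$(( n - 4294967296 ))
    fi
    echo "$n"
}

# Invert the wrap for a file known to be between 2 GiB and 4 GiB: recover the
# true size from a negative Content-Length.
unwrap_int32() {
    if [ "$1" -lt 0 ]; then
        echo $(( $1 + 4294967296 ))
    else
        echo "$1"
    fi
}

# Compare the Content-Length a server sent against the real size on disk:
# "ok", "wrapped" (negative, and exactly the 32-bit wrap of the real size)
# or "mismatch" (something else is going on).
classify_content_length() {
    header=$1; actual=$2
    if [ "$header" = "$actual" ]; then
        echo ok
    elif [ "$header" -lt 0 ] && [ "$(wrap_int32 "$actual")" = "$header" ]; then
        echo wrapped
    else
        echo mismatch
    fi
}

# Usage against a live server would be:
#   classify_content_length "$(curl -sI https://host/big.iso | awk 'tolower($1)=="content-length:" {print $2+0}')" "$(stat -f %z big.iso)"
# (stat -f %z is the OpenBSD spelling; GNU stat uses -c %s.)
```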



Re: Httpd perfect forward secrecy

2015-05-18 Thread Martijn Rijkeboer
> On Mon, May 18, 2015 at 07:43:26PM +0200, Martijn Rijkeboer wrote:
>> Hi,
>>
>> I've just switched my webserver from 5.6/nginx to 5.7/httpd and was
>> testing my TLS setup using SSL Labs[1]. The SSL Labs test indicates
>> that my setup doesn't support forward secrecy. Is this not implemented
>> in the 5.7 version of httpd or is my configuration wrong (included
>> below)?

> We disabled older cipher suites and protocols by default.  Any new-ish
> browser should prefer ECDHE over DHE.

Thank you very much for your explanation. SSL labs flags this webserver
as not supporting Forward Secrecy with the reference browsers, because
one of the reference browsers doesn't work (IE 8-10 / Win 7). Since none
of my users uses that browser I will stick to the sane defaults.


> So if you really want to enable legacy DHE modes, set the following
> in the server section:
>
>   tls dhe "legacy"

This doesn't help either, but as explained above that's no problem for
me.

Kind regards,


Martijn Rijkeboer



Re: Httpd perfect forward secrecy

2015-05-18 Thread Reyk Floeter
On Mon, May 18, 2015 at 07:43:26PM +0200, Martijn Rijkeboer wrote:
> Hi,
> 
> I've just switched my webserver from 5.6/nginx to 5.7/httpd and was
> testing my TLS setup using SSL Labs[1]. The SSL Labs test indicates that
> my setup doesn't support forward secrecy. Is this not implemented in
> the 5.7 version of httpd or is my configuration wrong (included below)?
> 
> OS: OpenBSD 5.7-stable AMD64
> 
> Kind regards,
> 
> 
> Martijn Rijkeboer
> 

We disabled older cipher suites and protocols by default.  Any new-ish
browser should prefer ECDHE over DHE.

From httpd.conf:
---snip---
 dhe params
 Specify the DHE parameters to use for DHE cipher suites.
 Valid parameter values are none, legacy and auto.  For
 legacy a fixed key length of 1024 bits is used, whereas
 for auto the key length is determined automatically.  The
 default is none, which disables DHE cipher suites.

 ecdhe curve
 Specify the ECDHE curve to use for ECDHE cipher suites.
 Valid parameter values are none, auto and the short name
 of any known curve.  The default is auto.
---snap---

So if you really want to enable legacy DHE modes, set the following
in the server section:

tls dhe "legacy"

Reyk

> 
> --- /etc/httpd.conf ---
> 
> ext_addr="*"
> 
> server "www.bunix.org" {
> listen on $ext_addr tls port 443
> tls certificate "/etc/ssl/www.bunix.org.crt.pem"
> tls key "/etc/ssl/private/www.bunix.org.key.pem"
> 
> connection {
> max requests 500
> timeout 3600
> }
> 
> root "/htdocs/www.bunix.org"
> }
> 
> types {
> include "/usr/share/misc/mime.types"
> }
> 
> 
> -
> 
> [1] https://www.ssllabs.com/ssltest/
> 

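An added probe, not code from the thread or from httpd: it reads the suite a server negotiates from openssl s_client output and classifies it, since forward secrecy comes from the ephemeral key exchange (ECDHE, which the "ecdhe auto" default leaves on, or DHE, which the "dhe none" default turns off). The parser is exercised on constructed s_client transcripts so it runs offline; probe_cipher, which calls openssl s_client against a live host, is meant for your own server.

```shell
# Added example: classify the negotiated TLS cipher suite by whether its key
# exchange is ephemeral (forward secrecy). Assumed: openssl(1) is installed
# for the live probe; the transcripts below are constructed samples.

# Extract the negotiated suite from s_client output ("    Cipher    : NAME").
negotiated_cipher() {
    awk '/^ *Cipher *:/ { print $NF; exit }'
}

# 0 if the suite uses an ephemeral key exchange, 1 otherwise. ECDHE/DHE/EDH
# are the OpenSSL names for ephemeral (EC)DH; TLS 1.3 suites are always ephemeral.
is_forward_secret() {
    case $1 in
        ECDHE-*|DHE-*|EDH-*|TLS_AES_*|TLS_CHACHA20_*) return 0 ;;
        *) return 1 ;;
    esac
}

# Ask a live server for a suite from an OpenSSL cipher list (e.g. "ECDHE",
# "DHE" or "DEFAULT"); prints the negotiated suite, nothing if the handshake
# fails. -cipher governs TLS 1.2 and below, which is what the 5.7-era test is about.
probe_cipher() {
    host=$1; port=${2:-443}; list=${3:-DEFAULT}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
        -cipher "$list" 2>/dev/null | negotiated_cipher
}

# "NAME: forward secrecy" or "NAME: no forward secrecy" for an s_client transcript.
report() {
    c=$(printf '%s\n' "$1" | negotiated_cipher)
    if is_forward_secret "$c"; then
        echo "$c: forward secrecy"
    else
        echo "$c: no forward secrecy"
    fi
}

# Constructed transcript: what a 5.7 httpd with default settings negotiates
# with a client that supports ECDHE.
SAMPLE_ECDHE='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Constructed transcript: a server that fell back to static RSA key exchange,
# which is what "no forward secrecy" looks like on the wire.
SAMPLE_RSA='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384'
```

Running probe_cipher against your own host with the list "ECDHE" and again with "DHE" shows the asymmetry in the thread: with the defaults the first returns a suite and the second returns nothing, and a client that cannot do ECDHE at all (the reference browser Martijn mentions) gets a static-RSA suite.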


Re: Httpd perfect forward secrecy

2015-05-18 Thread Martijn Rijkeboer
> I've just switched my webserver from 5.6/nginx to 5.7/httpd and was
> testing my TLS setup using SSL Labs[1]. The SSL Labs test indicates
> that my setup doesn't support forward secrecy. Is this not implemented
> in the 5.7 version of httpd or is my configuration wrong (included
> below)?

In my previous message I have forgotten to mention that I also tried
setting tls dhe to "auto", but that didn't help either.

Kind regards,


Martijn Rijkeboer



Re: Robustness in ports fetch program?

2015-05-18 Thread Marc Espie
On Sun, May 17, 2015 at 08:18:06AM -0400, Alan Corey wrote:
> I don't think it did this back in 5.0 days or maybe earlier.  I started
> with OpenBSD 2.7, I just usually attributed problems to being my fault.
> And I've always used the ports tree, not packages. Distfiles are often
> useful across OpenBSD versions, sometimes in FreeBSD, I've even built some
> under Linux.
> 
> I didn't look at what FETCH_CMD was defined as by default, I just assumed
> defining something non-null changed it.  I did notice that when it retries
> it's wrongly assumed there's a problem with the first source and gone to
> another.
> 
> Does every developer have perfect internet?  That's very frustrating, maybe
> counterproductive in testing.  Try a modem, you can probably find a free
> one.  Connection interruptions and resets happen many times a day.
> On May 17, 2015 1:22 AM, "Marc Espie"  wrote:

Why are you ranting instead of providing the info I'm asking for ?!!!

JUST OVERRIDE THE DAMN FETCH_CMD!!!

put
FETCH_CMD = /usr/bin/ftp -v ${_PROGRESS} -k ${FTP_KEEPALIVE} -C

in /etc/mk.conf

so that *at least* we can see verbose output from your fetches.

Like I said, *the error comes from ftp*.

More accurately, fetch itself has the following logic:

for site in list
do
    if FETCH_CMD -o file.part ${site}url
    then
        ck=`check_size file.part.part`
        # -> leading to "size does not match, hence rm file.part, hence retry"
    fi
done

this is where your problem lies: ftp returns "everything okay", so the logic
assumes the file retrieved correctly, and when it finds out the size does not
match, it assumes a corrupted mirror, and hence deletes the partial file.

ftp(1)'s code is awful. I'm not wading thru those waters without more info.

GIVE ME WHATEVER FTP IS SAYING WHEN THINGS BREAK, when you tell it to be
verbose.
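Marc's loop, written out as an added, runnable simulation that is not the ports infrastructure's own code: "sites" are local directories, and fake_fetch stands in for FETCH_CMD, copying a file but cutting it short (while still exiting 0) when the site carries a constructed .drop_after marker, which is what a dropped connection reported as success looks like to the loop. Expected sizes come from a constructed distinfo-style "SIZE (name) = n" line.

```shell
# Added example: the fetch loop from the post, with a stand-in fetch command
# so the "ftp says ok, size is wrong, partial file is deleted" path can be
# reproduced offline. Assumed: sites are directories; a site directory may
# hold a .drop_after file (constructed marker) naming the byte at which the
# simulated connection drops.

# Stand-in for FETCH_CMD -o out url: copy the file, truncated if the site
# "drops" the connection, and exit 0 either way, like an ftp(1) that reported
# success after a short read.
fake_fetch() {
    out=$1; src=$2; site=$(dirname "$src")
    [ -f "$src" ] || return 1
    if [ -f "$site/.drop_after" ]; then
        head -c "$(cat "$site/.drop_after")" "$src" > "$out"
    else
        cp "$src" "$out"
    fi
}

# Expected size from a distinfo file; empty if the name is not listed.
expected_size() {
    awk -v n="$2" '$1 == "SIZE" && $2 == "(" n ")" { print $4 }' "$1"
}

# The loop from the post: on a clean exit status, check the size; on mismatch
# delete the partial file and try the next site. Returns 0 once a site yields
# a full-size file, 1 if every site was tried.
fetch_from_sites() {
    distinfo=$1; name=$2; dest=$3; shift 3
    want=$(expected_size "$distinfo" "$name")
    for site in "$@"; do
        if fake_fetch "$dest.part" "$site/$name"; then
            got=$(wc -c < "$dest.part" | tr -d ' ')
            if [ "$got" -eq "$want" ]; then
                mv "$dest.part" "$dest"
                return 0
            fi
            echo "size mismatch from $site ($got != $want), discarding partial" >&2
            rm -f "$dest.part"
        fi
    done
    return 1
}

# Constructed scenario: two mirrors with the same 4000-byte file. mirror1
# always drops at byte 1500; mirror2 drops at byte $1, or is healthy when $1 is 0.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/mirror1" "$d/mirror2"
    head -c 4000 /dev/zero > "$d/mirror1/foo.tar.gz"
    cp "$d/mirror1/foo.tar.gz" "$d/mirror2/foo.tar.gz"
    echo 1500 > "$d/mirror1/.drop_after"
    [ "${1:-0}" -gt 0 ] && echo "$1" > "$d/mirror2/.drop_after"
    printf 'SIZE (foo.tar.gz) = 4000\n' > "$d/distinfo"
    if fetch_from_sites "$d/distinfo" foo.tar.gz "$d/foo.tar.gz" "$d/mirror1" "$d/mirror2"; then
        r="fetched $(wc -c < "$d/foo.tar.gz" | tr -d ' ') bytes"
    else
        r="all sites failed"
    fi
    rm -rf "$d"
    echo "$r"
}
```

demo 0 succeeds on the second mirror after discarding mirror1's 1500-byte partial; demo 100 shows the unhappy case from the thread, where every site's transfer is cut short, each partial is thrown away as a suspected bad mirror, and nothing is left to resume from. That is why Marc asks for verbose ftp output: the loop only sees the exit status, so the reason for the short read has to come from ftp itself.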



Httpd perfect forward secrecy

2015-05-18 Thread Martijn Rijkeboer
Hi,

I've just switched my webserver from 5.6/nginx to 5.7/httpd and was
testing my TLS setup using SSL Labs[1]. The SSL Labs test indicates that
my setup doesn't support forward secrecy. Is this not implemented in
the 5.7 version of httpd or is my configuration wrong (included below)?

OS: OpenBSD 5.7-stable AMD64

Kind regards,


Martijn Rijkeboer


--- /etc/httpd.conf ---

ext_addr="*"

server "www.bunix.org" {
listen on $ext_addr tls port 443
tls certificate "/etc/ssl/www.bunix.org.crt.pem"
tls key "/etc/ssl/private/www.bunix.org.key.pem"

connection {
max requests 500
timeout 3600
}

root "/htdocs/www.bunix.org"
}

types {
include "/usr/share/misc/mime.types"
}


-

[1] https://www.ssllabs.com/ssltest/



Re: spamd - whitelist sender email addresses

2015-05-18 Thread Craig Skinner
Hi Alex,

On 2015-05-18 Mon 16:37 PM |, Alex Greif wrote:
> On Mon, May 18, 2015 at 02:20:08PM +0100, Craig Skinner wrote:
> 
> yes, this should help, in the case that the sender tries longer
> than 4 hours.
> 

RFC 5321, in section "4.5.4.1.  Sending Strategy" has:


...

   Retries continue until the message is transmitted or the sender gives
   up; the give-up time generally needs to be at least 4-5 days. .


> Are there any experiences, after how many hours/days the sender
> side (at the large ones like google, yahoo, hotmail, etc)
> gives up?
> 

I didn't make notes on that, sorry.

From memory, they honour the 4 day rule.

While 1 day greyexp time wasn't enough,
2 days works here for the big free mail providers.

If that doesn't work for you, increase it to 3 days & try again.

Once even a low (but regular) volume comes through,
spamd auto whitelisting does the job without extra help.

I created test Goatmail, Snotmail & Yahoons email accounts & mailed my
boxes to test. Maybe you could try that from your friend's provider?




See this recent thread:
http://marc.info/?t=14245592082&r=1&w=2

SPF is open to abuse. Paul calculated gmail alone SPF lists
217088 total IPv4 addresses
29710560942849126597578981376 total IPv6 addresses
http://marc.info/?l=openbsd-misc&m=142478407909186&w=2

That can't be an honest representation of legitimate SMTP servers to add
to white lists. Plus all the other providers' IP addresses.
Too much work maintaining, loading, parsing all that.

Cool.
-- 
We gave you an atomic bomb, what do you want, mermaids?
-- I. I. Rabi to the Atomic Energy Commission



Re: Apache2 on 5.7 = certificate error

2015-05-18 Thread John Merriam
On Mon, 18 May 2015, Stefan Sperling wrote:
> On Mon, May 18, 2015 at 10:04:03AM -0400, John Merriam wrote:
> > I get the following error in the error_log when I try to start Apache2:
> > 
> > [Mon May 18 09:51:43 2015] [error] Failed to configure CA certificate 
> > chain!
> > 
> > The certificate is a wildcard certificate from RapidSSL.
> > 
> > I have their 'intermediate CA bundle' from here:
> > 
> > https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26459
> > 
> > in a file that is pointed to with the SSLCertificateChainFile directive in 
> > my Apache2 config.
> 
> What does this file contain exactly? I believe mod_ssl expects the server
> certificate followed by any intermediate CA certificates up to the root
> CA cert, all in PEM format, in one file.
> 
> It's very odd that the behaviour between 5.6 and 5.7 changed.
> None of the upstream changes between 2.2.27 and 2.2.29 seem to apply.
> http://www.apache.org/dist/httpd/CHANGES_2.2
> 
> Given your error message, the point of failure in mod_ssl is a call to
> SSL_CTX_use_certificate_chain(), a function name which exists in mod_ssl
> and also existed in LibreSSL for a brief period before 5.7.
> During which time mod_ssl's version was renamed in our ports tree.
> Before release, LibreSSL's function was renamed and mod_ssl's version
> renamed back to its original name. This should not matter at all unless
> something unexpected happened during release package builds (unlikely).
> 
> Can you make it work by using alternative configuration options, such as
> SSLCertificateFile and SSLCACertificateFile or SSLCACertificatePath?
> 

Yes, it was very odd to me as well that it didn't work after the upgrade.  
I didn't change a single bit of my Apache2 config.  I checked 
/usr/local/share/examples/apache2/conf/* for changes after the upgrade.  
Since there were none I didn't change anything.

I just changed SSLCertificateChainFile to SSLCACertificateFile in my 
httpd-ssl.conf and it works!  I should have thought of trying something 
like that...

The file pointed to in my SSLCertificateChainFile (and now 
SSLCACertificateFile) directives contains:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

which is the RapidSSL 'RSA SHA-2 (under SHA-1 Ro

Re: Apache2 on 5.7 = certificate error

2015-05-18 Thread Stefan Sperling
On Mon, May 18, 2015 at 10:04:03AM -0400, John Merriam wrote:
> I get the following error in the error_log when I try to start Apache2:
> 
> [Mon May 18 09:51:43 2015] [error] Failed to configure CA certificate 
> chain!
> 
> The certificate is a wildcard certificate from RapidSSL.
> 
> I have their 'intermediate CA bundle' from here:
> 
> https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26459
> 
> in a file that is pointed to with the SSLCertificateChainFile directive in 
> my Apache2 config.

What does this file contain exactly? I believe mod_ssl expects the server
certificate followed by any intermediate CA certificates up to the root
CA cert, all in PEM format, in one file.

It's very odd that the behaviour between 5.6 and 5.7 changed.
None of the upstream changes between 2.2.27 and 2.2.29 seem to apply.
http://www.apache.org/dist/httpd/CHANGES_2.2

Given your error message, the point of failure in mod_ssl is a call to
SSL_CTX_use_certificate_chain(), a function name which exists in mod_ssl
and also existed in LibreSSL for a brief period before 5.7.
During which time mod_ssl's version was renamed in our ports tree.
Before release, LibreSSL's function was renamed and mod_ssl's version
renamed back to its original name. This should not matter at all unless
something unexpected happened during release package builds (unlikely).

Can you make it work by using alternative configuration options, such as
SSLCertificateFile and SSLCACertificateFile or SSLCACertificatePath?

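A way to answer Stefan's question about what the chain file contains, added here and not code from the thread or from mod_ssl. pem_count and pem_nth split the bundle with awk; chain_summary and chain_ordered call openssl x509 to print each certificate's subject and issuer and to check that each certificate is issued by the one following it, i.e. leaf first and then the intermediates, the layout Stefan describes for one combined file. The embedded bundle is a constructed placeholder with no real certificate bodies, used only to exercise the splitting helpers.

```shell
# Added example: inspect a PEM bundle and check its order. Assumed: openssl(1)
# is available for chain_summary/chain_ordered; the sample bundle below is a
# constructed placeholder, not real certificates.

# Number of CERTIFICATE blocks in a PEM file.
pem_count() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { n++ } END { print n + 0 }' "$1"
}

# Write the i-th certificate (1-based) of a bundle to stdout.
pem_nth() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----$/ && n == want { exit }
    ' "$1"
}

# "subject|issuer" for one PEM certificate read from stdin.
subj_issuer() {
    cert=$(cat)
    s=$(printf '%s\n' "$cert" | openssl x509 -noout -subject | sed 's/^subject= *//')
    i=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer  | sed 's/^issuer= *//')
    printf '%s|%s\n' "$s" "$i"
}

# One "n: subject <- issuer" line per certificate, in file order.
chain_summary() {
    n=$(pem_count "$1"); i=1
    while [ "$i" -le "$n" ]; do
        pem_nth "$1" "$i" | subj_issuer | awk -F'|' -v i="$i" '{ print i ": " $1 " <- " $2 }'
        i=$((i + 1))
    done
}

# 0 if every certificate's issuer is the subject of the next one in the file
# (leaf, then intermediates, root optional at the end); 1 on the first break.
chain_ordered() {
    n=$(pem_count "$1"); i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(pem_nth "$1" "$i" | subj_issuer | cut -d'|' -f2)
        next_subject=$(pem_nth "$1" "$((i + 1))" | subj_issuer | cut -d'|' -f1)
        [ "$issuer" = "$next_subject" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# Constructed two-block bundle with placeholder bodies, for the awk helpers only.
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATE
-----END CERTIFICATE-----'

# Prints "<count> <body of the second block>" for the constructed bundle.
sample_layout() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_BUNDLE" > "$f"
    printf '%s %s\n' "$(pem_count "$f")" "$(pem_nth "$f" 2 | sed -n 2p)"
    rm -f "$f"
}
```

On a real file, chain_summary /path/to/chain.pem lists what is actually there; if the first entry is an intermediate rather than the server certificate, the file is a CA bundle, which is the SSLCACertificateFile shape, not the combined server-plus-chain file that SSLCertificateChainFile expects in the description above.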


ASF, AMT and PCIe cards (Re: WOL support for bge driver)

2015-05-18 Thread David Vasek

On Mon, 18 May 2015, Stefan Sperling wrote:


OTOH, many laptops nowadays ship with Intel AMT and suffer the same issue
or worse. Yet we still run on them. Current AMT versions have an attack
surface that dwarfs ASF's. Perhaps this is a lost cause and we'll simply
have to accept that a lot of hardware is insecure by design.


(I have borrowed another thread from tech@ to start this one.)

This brings other questions. Are standalone PCIe cards safe from this? 
Many specification documents mention that they support at least ASF too. 
Don't they contain the same firmware (or most of it) as their onboard 
variants?


What PCIe gigabit ethernet cards that are supported in OpenBSD are 
considered secure? Does anyone have a recommendation?


Thank you.

Regards,
David



Re: spamd - whitelist sender email addresses

2015-05-18 Thread Alex Greif
On Mon, May 18, 2015 at 02:20:08PM +0100, Craig Skinner wrote:

Hi Craig,

yes, this should help, in the case that the sender tries longer
than 4 hours.
Are there any experiences, after how many hours/days the sender
side (at the large ones like google, yahoo, hotmail, etc)
gives up?

thanks,
Alex.


> On 2015-05-18 Mon 09:26 AM |, Alex Greif wrote:
> > 
> > I am using spamd on a current installation in greylisting mode,
> > and have problems with large sites that have several
> > SMTP servers but no SPF ip-address ranges.
> 
> Hi Alex,
> 
> Bumping up the spamd(8) greyexp time to 2-4 days works well (on 5.6):
> 
> spamd_flags='-G 25:48:864 ...'
> 
> > Sometimes I have more than 10 mail server IPs in the greylisted
> > in spamdb, from the same (friend) email address, and the the
> > sender side finally/unfortunately gives up, so that I don't get
> > the mail.
> > 
> 
> greyexp is 4 hours by default.
> 
> Unless the same sending server in the pool retries within greyexp hours,
> it will not be whitelisted.
> 
> Increasing it to 2+ days works for gmail, yahoo, hotmail, etc
> 
> It is slow to start with, but once a host is whitelisted, it just works.
> 
> Cheers.



Re: console prompt disappeared after login

2015-05-18 Thread dan mclaughlin
On Mon, 18 May 2015 14:21:39 +0100 Pedro Tender  
wrote:
> I'm not having problems with ksh nor zsh, going in and out of X (xfce).
> TTY's working fine.
> 
> 
> On Mon, May 18, 2015 at 12:56 PM, dan mclaughlin 
> wrote:
> 
> > On Mon, 18 May 2015 11:24:13 +0100 Pedro Tender 
> > wrote:
> > > I've updated another machine today to latest snapshot and it is fixed.
> > > Have you tried the 18th May (ftp3.eu) snapshot ?
> > >
> > >
> > >
> > > On Sun, May 17, 2015 at 10:51 PM, dan mclaughlin <
> > thev...@openmailbox.org>
> > > wrote:
> > >
> > > > On Sun, 17 May 2015 14:29:07 - "Maurits Fennis" 
> > > > wrote:
> > > > > > just not the TTY's
> > > > >
> > > > > same here.
> > > > >
> > > > > --
> > > > > Maurits Fennis
> > > > >
> > > > > ()  ascii ribbon campaign
> > > > > /\  www.asciiribbon.org
> > > > >
> > > >
> > > > here too. i just submitted a bug report "problems with console output".
> > >
> >
> > it's a partial fix. the console works until you switch to X, which works
> > fine until you switch back to console, then nothing displays right.
> >
> > my original bug report didn't go thru, so i'll retry.
> 

i tried the same site, and i'm using ksh as well, though i am using fvwm
as my window manager.

looking further into it, my problem may be unrelated. it was just that
i discovered it at the same time, and maybe conflated them. i reverted to
an older snapshot that gives the same problem as well. i think it has
to do with the vesa driver.



Apache2 on 5.7 = certificate error

2015-05-18 Thread John Merriam
Hello.  I have upgraded my home server from OpenBSD 5.6 to 5.7.  It is 
amd64 and it is on -stable with -stable ports.

Everything is working fine after the upgrade except SSL in Apache2 
(apache-httpd package/port).

I get the following error in the error_log when I try to start Apache2:

[Mon May 18 09:51:43 2015] [error] Failed to configure CA certificate 
chain!

The certificate is a wildcard certificate from RapidSSL.

I have their 'intermediate CA bundle' from here:

https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26459

in a file that is pointed to with the SSLCertificateChainFile directive in 
my Apache2 config.

This worked fine with the old Apache2 in 5.6.

I've tried several different things to try to convince it to work but 
nothing has done the trick yet.

I use the same certificate in sendmail and dovecot on the same server and 
it is working fine with those two daemons.

Any ideas or suggestions as to what the problem may be or where I should 
start digging?  Thanks!

-- 

John Merriam



Re: console prompt disappeared after login

2015-05-18 Thread Pedro Tender
I'm not having problems with ksh nor zsh, going in and out of X (xfce).
TTY's working fine.


On Mon, May 18, 2015 at 12:56 PM, dan mclaughlin 
wrote:

> On Mon, 18 May 2015 11:24:13 +0100 Pedro Tender 
> wrote:
> > I've updated another machine today to latest snapshot and it is fixed.
> > Have you tried the 18th May (ftp3.eu) snapshot ?
> >
> >
> >
> > On Sun, May 17, 2015 at 10:51 PM, dan mclaughlin <
> thev...@openmailbox.org>
> > wrote:
> >
> > > On Sun, 17 May 2015 14:29:07 - "Maurits Fennis" 
> > > wrote:
> > > > > just not the TTY's
> > > >
> > > > same here.
> > > >
> > > > --
> > > > Maurits Fennis
> > > >
> > > > ()  ascii ribbon campaign
> > > > /\  www.asciiribbon.org
> > > >
> > >
> > > here too. i just submitted a bug report "problems with console output".
> >
>
> it's a partial fix. the console works until you switch to X, which works
> fine until you switch back to console, then nothing displays right.
>
> my original bug report didn't go thru, so i'll retry.



Re: spamd - whitelist sender email addresses

2015-05-18 Thread Craig Skinner
On 2015-05-18 Mon 09:26 AM |, Alex Greif wrote:
> 
> I am using spamd on a current installation in greylisting mode,
> and have problems with large sites that have several
> SMTP servers but no SPF ip-address ranges.

Hi Alex,

Bumping up the spamd(8) greyexp time to 2-4 days works well (on 5.6):

spamd_flags='-G 25:48:864 ...'

> Sometimes I have more than 10 mail server IPs in the greylisted
> in spamdb, from the same (friend) email address, and the
> sender side finally/unfortunately gives up, so that I don't get
> the mail.
> 

greyexp is 4 hours by default.

Unless the same sending server in the pool retries within greyexp hours,
it will not be whitelisted.

Increasing it to 2+ days works for gmail, yahoo, hotmail, etc

It is slow to start with, but once a host is whitelisted, it just works.

Cheers.
-- 
The sooner you make your first 5000 mistakes, the sooner you will be
able to correct them.
-- Nicolaides
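Two helpers for what Craig and Alex are tuning, added here and not from the thread or from spamd itself: greyexp_flag builds the -G passtime:greyexp:whiteexp value for a greyexp given in days (2 days gives the 25:48:864 above), and stuck_senders groups the GREY table by envelope sender to show which correspondents are retrying from many different IPs. The spamdb output is a constructed sample in the spamdb(8) line format GREY|ip|helo|from|to|first|pass|expire|block|pass, using documentation address ranges.

```shell
# Added example: spamd -G tuning and a GREY-table report. Assumed: spamdb(8)
# prints GREY|ip|helo|from|to|first|pass|expire|block|pass and
# WHITE|ip|||first|pass|expire|block|pass; the sample below is constructed.

# spamd -G takes passtime (minutes), greyexp (hours) and whiteexp (hours).
# Defaults are 25:4:864; keep passtime and whiteexp, set greyexp in days.
greyexp_flag() {
    days=$1
    echo "-G 25:$(( days * 24 )):864"
}

# Constructed spamdb output: one friend retrying from three provider IPs, one
# other sender from a single host, one already-whitelisted host.
SAMPLE_SPAMDB='GREY|203.0.113.10|mail-a.example.net|<friend@example.com>|<alex@example.org>|1431950000|1431951500|1431964400|1|0
GREY|203.0.113.11|mail-b.example.net|<friend@example.com>|<alex@example.org>|1431950600|1431952100|1431965000|1|0
GREY|203.0.113.12|mail-c.example.net|<friend@example.com>|<alex@example.org>|1431951200|1431952700|1431965600|1|0
GREY|198.51.100.5|mx.other.example|<news@other.example>|<alex@example.org>|1431951300|1431952800|1431965700|2|0
WHITE|192.0.2.7|||1431900000|1431900000|1435000000|0|3'

# Senders seen from at least $1 distinct greylisted IPs, as "count from",
# most IPs first. Reads spamdb output on stdin. MAIL FROM is unauthenticated,
# so this is a review list, not input to feed to spamdb -a blindly.
stuck_senders() {
    min=${1:-2}
    awk -F'|' -v min="$min" '
        $1 == "GREY" { key = $4; if (!seen[key, $2]++) n[key]++ }
        END { for (k in n) if (n[k] >= min) printf "%d %s\n", n[k], k }
    ' | sort -rn
}

# GREY-table IPs for one envelope sender, one per line, for manual review
# (and spamdb -a only once they are confirmed to belong to that provider).
sender_ips() {
    awk -F'|' -v from="$1" '$1 == "GREY" && $4 == from { print $2 }' | sort -u
}

# Real use: spamdb | stuck_senders 3
#           spamdb | sender_ips '<friend@example.com>'
```

With the default 4-hour greyexp, the three entries in the sample each expire before the same server retries, which is the pattern Alex reports; a greyexp of two days (greyexp_flag 2) keeps them long enough for any one of the provider's hosts to come back and be whitelisted.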



Re: Error when compiling libcrypto after 003_openssl.patch

2015-05-18 Thread Chess Griffin

On 5/17/2015 11:13 PM, Michael McConville wrote:

Patch 002 applied and built cleanly, and patch 003 applied without
issue. However, I get the error shown below when I attempt to build
libcrypto for patch 003.


...


Has anyone else experienced this? Any ideas about what might be causing
it?



Yes, I experienced this too.

I just upgraded a 5.6 i386 server last night using the bsd.rd install 
kernel and the upgrade went fine.  All the package updates were ok too.


I then started patching and ran into the exact same problem with patch 
003 (002 was ok).




Re: console prompt disappeared after login

2015-05-18 Thread dan mclaughlin
On Mon, 18 May 2015 11:24:13 +0100 Pedro Tender  
wrote:
> I've updated another machine today to latest snapshot and it is fixed.
> Have you tried the 18th May (ftp3.eu) snapshot ?
> 
> 
> 
> On Sun, May 17, 2015 at 10:51 PM, dan mclaughlin 
> wrote:
> 
> > On Sun, 17 May 2015 14:29:07 - "Maurits Fennis" 
> > wrote:
> > > > just not the TTY's
> > >
> > > same here.
> > >
> > > --
> > > Maurits Fennis
> > >
> > > ()  ascii ribbon campaign
> > > /\  www.asciiribbon.org
> > >
> >
> > here too. i just submitted a bug report "problems with console output".
> 

it's a partial fix. the console works until you switch to X, which works
fine until you switch back to console, then nothing displays right.

my original bug report didn't go thru, so i'll retry.



Re: spamd - whitelist sender email addresses

2015-05-18 Thread Adam Wolk
On Mon, 18 May 2015 09:26:13 +0200
Alex Greif  wrote:

> Hi,
> I am using spamd on a current installation in greylisting mode,
> and have problems with large sites that have several
> SMTP servers but no SPF ip-address ranges.
> Sometimes I have more than 10 mail server IPs in the greylisted
> in spamdb, from the same (friend) email address, and the
> sender side finally/unfortunately gives up, so that I don't get
> the mail.
> 
> Is there a way to define a list of (friendly) sender email addresses
> or domains in the following form:
> some.fri...@domail1.com
> @freinds-domain.com
> 
> so that spamd ignores greylisting the IPs of the hosts, where these
> specified senders come from?
> 
> thanks,
> Alex.

I personally use the bgpd solution to obtain a solid list of hosts

http://bgp-spamd.net/index.html

They synchronize around 200k white listed hosts by now. Those hosts
went through the regular spamd process on a more widely used mail
server hence I prefer that solution to manually hunting for those
services that deliver with a pool of servers.

Regards,
Adam



Re: console prompt disappeared after login

2015-05-18 Thread Pedro Tender
I've updated another machine today to latest snapshot and it is fixed.
Have you tried the 18th May (ftp3.eu) snapshot ?



On Sun, May 17, 2015 at 10:51 PM, dan mclaughlin 
wrote:

> On Sun, 17 May 2015 14:29:07 - "Maurits Fennis" 
> wrote:
> > > just not the TTY's
> >
> > same here.
> >
> > --
> > Maurits Fennis
> >
> > ()  ascii ribbon campaign
> > /\  www.asciiribbon.org
> >
>
> here too. i just submitted a bug report "problems with console output".



Da man passing another year

2015-05-18 Thread Rod Whitworth
Happy Birthday Theo.

Rod/

*** NOTE *** Please DO NOT CC me. I  subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.



Re: console prompt disappeared after login

2015-05-18 Thread dan mclaughlin
On Sun, 17 May 2015 14:29:07 - "Maurits Fennis"  wrote:
> > just not the TTY's
> 
> same here.
> 
> -- 
> Maurits Fennis
> 
> ()  ascii ribbon campaign
> /\  www.asciiribbon.org
> 

here too. i just submitted a bug report "problems with console output".



Re: spamd - whitelist sender email addresses

2015-05-18 Thread Alex Greif
On Mon, May 18, 2015 at 10:52:52AM +0200, Peter N. M. Hansteen wrote:
> On Mon, May 18, 2015 at 10:05:45AM +0200, Alex Greif wrote:
> > But in some cases, the sender mail server tried so often from different
> > SMTP IPs, and finally gave up with an error to the sender. Then the sender 
> > and
> > receiver persons are quite unhappy, and a lot of time is wasted.
> 
> In most cases the MXes will be in an identifiable IP address range such as
> 194.54.104.64/26 (just a random example) you can add to a PF table
> 
> > Another problem with IPs is that the SMTP servers often change, so that IPs 
> > get
> > obsolete, or new ones are set up.
> 
> Again, unless they jump to addresses in totally unrelated ranges, something 
> like
> the nospamd example in the spamd man page should do the trick. (I make my 
> nospamd
> file available at http://www.bsdly.net/~peter/nospamd if you want to start 
> from a
> working example in addition to the rules from the man page)
> 

thanks, I will do it as you suggested.
And will keep an eye on "spamdb|grep GREY" output.

Alex.



Re: spamd - whitelist sender email addresses

2015-05-18 Thread Peter N. M. Hansteen
On Mon, May 18, 2015 at 10:05:45AM +0200, Alex Greif wrote:
> But in some cases, the sender mail server tried so often from different
> SMTP IPs, and finally gave up with an error to the sender. Then the sender and
> receiver persons are quite unhappy, and a lot of time is wasted.

In most cases the MXes will be in an identifiable IP address range such as
194.54.104.64/26 (just a random example) you can add to a PF table

> Another problem with IPs is that the SMTP servers often change, so that IPs 
> get
> obsolete, or new ones are set up.

Again, unless they jump to addresses in totally unrelated ranges, something like
the nospamd example in the spamd man page should do the trick. (I make my 
nospamd
file available at http://www.bsdly.net/~peter/nospamd if you want to start from 
a
working example in addition to the rules from the man page)

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: spamd - whitelist sender email addresses

2015-05-18 Thread Alex Greif
On Mon, May 18, 2015 at 09:46:19AM +0200, Peter N. M. Hansteen wrote:
> On Mon, May 18, 2015 at 09:26:13AM +0200, Alex Greif wrote:
> > I am using spamd on a current installation in greylisting mode,
> > and have problems with large sites that have several
> > SMTP servers but no SPF ip-address ranges.
> > Sometimes I have more than 10 mail server IPs in the greylisted
> > in spamdb, from the same (friend) email address, and the
> > sender side finally/unfortunately gives up, so that I don't get
> > the mail.
> 
> In cases like these, it's probably best to try to identify the likely 
> IP address range(s) where their outgoing MXes live, and add those 
> ranges to a nospamd table. I think the spamd man page has a useful example. 
> 
> In addition you can add hosts to the spamd whitelist using spamdb, ie
> 
> $ sudo spamdb -a nn.mm.xx.yy 
> 

that is exactly what I am currently doing ... trying to collect all
valid IPs and feeding them into the nospamd table and adding to the whitelist.

But in some cases, the sender mail server tried so often from different
SMTP IPs, and finally gave up with an error to the sender. Then the sender and
receiver persons are quite unhappy, and a lot of time is wasted.

Another problem with IPs is that the SMTP servers often change, so that IPs get
obsolete, or new ones are set up.

Thanks,
Alex.



Re: spamd - whitelist sender email addresses

2015-05-18 Thread Peter N. M. Hansteen
On Mon, May 18, 2015 at 09:26:13AM +0200, Alex Greif wrote:
> I am using spamd on a current installation in greylisting mode,
> and have problems with large sites that have several
> SMTP servers but no SPF ip-address ranges.
> Sometimes I have more than 10 mail server IPs in the greylisted
> in spamdb, from the same (friend) email address, and the
> sender side finally/unfortunately gives up, so that I don't get
> the mail.

In cases like these, it's probably best to try to identify the likely 
IP address range(s) where their outgoing MXes live, and add those 
ranges to a nospamd table. I think the spamd man page has a useful example. 

In addition you can add hosts to the spamd whitelist using spamdb, ie

$ sudo spamdb -a nn.mm.xx.yy 

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



spamd - whitelist sender email addresses

2015-05-18 Thread Alex Greif
Hi,
I am using spamd on a current installation in greylisting mode,
and have problems with large sites that have several
SMTP servers but no SPF ip-address ranges.
Sometimes I have more than 10 mail server IPs in the greylisted
in spamdb, from the same (friend) email address, and the
sender side finally/unfortunately gives up, so that I don't get
the mail.

Is there a way to define a list of (friendly) sender email addresses
or domains in the following form:
some.fri...@domail1.com
@freinds-domain.com

so that spamd ignores greylisting the IPs of the hosts, where these
specified senders come from?

thanks,
Alex.