Re: Opensmtpd auth in 6.4
Hi,

Do you get any errors using ’doas smtpd -n’?

Can you try to add this ‘listen’ statement in your smtpd.conf - (This is how I have my setup)

listen on egress mask-src port submission tls-require pki mail.example.com auth

Another option is to try a different password.

Now, test the login credentials using the ‘openssl’ command as noted by Edgar in a previous email.

Converting the plain text data to a ‘base64’, I use the following command on my MacBook.

echo -n u...@example.com | base64
Base64 Output

echo -n password | base64
Base64 Output

openssl s_client -connect mail.example.com:587 -starttls smtp
…….(SSL Output)
250 HELP

Within the smtp session I enter the commands ‘ehlo’ and ‘auth login’ respectively;

ehlo mail.example.com
250-mail.example.com Hello mail.example.com [x.x.x.x], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250-AUTH PLAIN LOGIN
250 HELP
auth login
334 VXNlcm5hbWU6
Base64 Username (As noted above from the conversion of plain text to base64)
334 UGFzc3dvcmQ6
Base64 Password (As noted above from the conversion of plain text to base64)
235 2.0.0: Authentication succeeded

Nino

> On 14 Jan 2019, at 10:47 am, Flipchan wrote:
>
> I changed mask-src and tried some other stuff still without success when
> using openssl ehlo test and auth login , all i get is authentication failed ,
> i have verified that the password is legit but no luck
>
> On January 12, 2019 11:37:42 PM GMT+01:00, Carlin Bingham wrote:
>> On Sat, Jan 12, 2019 at 05:36:11PM +0100, Flipchan wrote:
>>> Hey, am tryin to upgrade my opensmtpd
>>> email server running on openbsd 6.3 towards a new one on 6.4,
>>> i have used a simple config with the new syntax:
>>> cat /etc/mail/smtpd.conf
>>>
>>> table aliases file:/etc/mail/aliases
>>>
>>> #table other-relays file:/etc/mail/other-relays
>>>
>>> pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
>>> pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
>>>
>>> listen on lo0
>>> listen on vio0 port 587 hostname example.com tls-require pki
>> mail.example.com auth mask-source
>>
>> mask-source was changed to mask-src
>>
>> I think because mask-source is no longer a valid keyword it's being
>> interpreted as a parameter to auth.
>>
>>
>> --
>> Carlin
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
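The AUTH LOGIN test in the message above, as an added example that is not part of the thread: shell helpers that encode credentials without a trailing newline, decode the server's 334 prompts, and flag a token that carries a stray CR/LF. The credentials are constructed sample values and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a base64(1) that decodes
# with -d (GNU, BusyBox, recent macOS; older macOS uses -D).

# Encode exactly the bytes given. printf '%s' adds no newline, whereas
# `echo value | base64` also encodes "\n", which the server compares as
# part of the credential.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Decode the text of a "334 <base64>" server prompt.
decode_prompt() { printf '%s' "${1#334 }" | base64 -d; }

# AUTH PLAIN initial response: NUL, username, NUL, password (empty authzid).
auth_plain() { printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'; }

# Return 0 if a token decodes to bytes with no trailing CR or LF, else 1.
token_clean() {
    last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    case "$last" in
        0a|0d) return 1 ;;
        *)     return 0 ;;
    esac
}

# Constructed sample credentials. Base64 is an encoding, not encryption,
# which is why the listener in the thread uses tls-require.
user='user@example.com'
pass='password'
echo "prompts:         $(decode_prompt '334 VXNlcm5hbWU6') $(decode_prompt '334 UGFzc3dvcmQ6')"
echo "AUTH LOGIN user: $(b64 "$user")"
echo "AUTH LOGIN pass: $(b64 "$pass")"
echo "AUTH PLAIN:      $(auth_plain "$user" "$pass")"
```

Run `token_clean` on any token pasted into the session; a token that fails the check was encoded with a line ending included.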
ProtonMail login crashes Chromium / Iridium
G'Day All!

On 6.4, Chromium or Iridium (Chrome fork) crashes when logging into ProtonMail.

I'm wondering if anyone has encountered / solved this problem and can offer me some assistance.

Steps to reproduce:

* Install 6.4 + Chromium or Iridium Browsers
* Attempt logging into https://mail.protonmail.com/login
* Crashes browser session every time with the following console errors:

<--- Last few GCs --->

[31167:0x1a47d7277000] 1154 ms: Scavenge 31.6 (42.8) -> 27.2 (44.3) MB, \
4.4 / 0.1 ms (average mu = 1.000, current mu = 1.000) allocation failure
[31167:0x1a47d7277000] 1276 ms: Mark-sweep 28.8 (44.3) -> 24.0 (46.8) MB, \
9.2 / 1.7 ms (+ 42.9 ms in 229 steps since start of marking, biggest step \
28.0 ms, walltime since start of marking 91 ms) (average mu = 1.000, \
current mu = 1.000) finalize incr

<--- JS stacktrace --->

JS stack trace =

0: ExitFrame [pc: 0x1a4555f2c36e]
1: StubFrame [pc: 0x1a4555ea25c1]
Security context: 0x13ff314ca999 https://mail.protonmail.com>
2: acquire_asm [0x3141c4f72239] [https://mail.protonmail.com/openpgp.min. \
b9a9a349934472bf2dd564a758152714785abb30.js:2] [bytecode=0x38c7fc1b8511 \
offset=125](this=0x18824bf14db1 )
3: constructor(aka e) [0x2354541ee9a9] [https://mail.protonmail.com/ \
openpgp.min.b...

Firefox works fine.

Have followed the suggestion to edit memory limits in login.conf as per the following thread but no change.

https://www.reddit.com/r/openbsd/comments/9devx1/openbsd_63_and_protonmail_login

Just use my email alias or any common first name to replicate the fault.

My system is OpenBSD 6.4 amd64 on Intel i5 with 8GB RAM.

Regards,

Paul Swanson
Re: Opensmtpd auth in 6.4
I changed mask-src and tried some other stuff still without success when using openssl ehlo test and auth login , all i get is authentication failed , i have verified that the password is legit but no luck

On January 12, 2019 11:37:42 PM GMT+01:00, Carlin Bingham wrote:
>On Sat, Jan 12, 2019 at 05:36:11PM +0100, Flipchan wrote:
>> Hey, am tryin to upgrade my opensmtpd
>> email server running on openbsd 6.3 towards a new one on 6.4,
>> i have used a simple config with the new syntax:
>> cat /etc/mail/smtpd.conf
>>
>> table aliases file:/etc/mail/aliases
>>
>> #table other-relays file:/etc/mail/other-relays
>>
>> pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
>> pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
>>
>> listen on lo0
>> listen on vio0 port 587 hostname example.com tls-require pki
>mail.example.com auth mask-source
>
>mask-source was changed to mask-src
>
>I think because mask-source is no longer a valid keyword it's being
>interpreted as a parameter to auth.
>
>
>--
>Carlin

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Purpose of primary and secondary user groups
On Sun, Jan 13, 2019 at 6:13 AM Bryan Harris wrote:

> Is there also a difference when creating a file in a folder with set GID
> bit on that folder and owned by secondary group? I think in normal
> behavior, if folder allows a user to create a file (sec. group w/ 770
> perm.) then the new file group will not take the group of the folder but
> will take the group of the user's primary group. But if you have set GID
> bit then the new file will take the group of the folder it's in (which
> will be one of the user's secondary groups).
>
> I thought in OpenBSD there is also a flag to mount the filesystem to
> always do this regardless of set GID but I can't remember. I don't see
> it in the man page so maybe with all of this I'm really thinking of
> Linux but I can't remember.
>

Nope. OpenBSD always uses the BSD behavior. The use of the SGID bit on directories to request BSD behavior was an addition in SystemV-based systems when enough of their devs and users yelled at them to Not Be Stupid And Provide the Better Behavior. I'm not sure who or when first added the mount option. Linux certainly has both of those, but is not the only one.

Philip Guenther
Re: Blocking "shodan.io" - What are my options?
On Sun, Jan 13, 2019 at 08:04:32PM +0100, Radek wrote:
> Hi,
>
> I would gladly play with your script. Would you please share it @misc. Maybe
> our community could develop it further...
>
> On Sun, 13 Jan 2019 12:43:15 -0600
> ed...@pettijohn-web.com wrote:
>
> > On Fri, Jan 11, 2019 at 09:30:38AM +1100, Aaron Mason wrote:
> > > I knew it wouldn't trigger on the first attempt, but I had a sneaking
> > > suspicion that you'd need something to listen on that port. Is there
> > > a way to achieve what we seek, in that case, without userland tools?
> > >
> > > On Thu, Jan 10, 2019 at 9:18 PM Stuart Henderson
> > > wrote:
> > > >
> > > > On 2019-01-09, Aaron Mason wrote:
> > > > > Hi Jordan
> > > > >
> > > > > I've set it up to try it, but I'm not having much luck. Even when I
> > > > > trigger more than one, it still doesn't populate the bad_hosts table,
> > > > > even again when I extend the rate period to 86400 seconds. I've added
> > > > > logging so I know the rule is triggering. See below.
> > > >
> > > > max-src-conn-rate is only triggered when a TCP connection is
> > > > established, you need to have something listening (and it will only
> > > > trigger on the *second* connection).
> > > >
> > > >
> > >
> > >
> > > --
> > > Aaron Mason - Programmer, open source addict
> > > I've taken my software vows - for beta or for worse
> > >
> >
> > I wrote a little daemon to do what we're looking for. It listens on
> > specified ports, accepts the connection and executes a script so you can
> > either use something like logger or pfctl, etc to do what you want with
> > the address it connected from. If anyone wants to play with it let me
> > know and I'll send you the tarball.
> >
> > Edgar
> >
>
>
> --
> radek

It can be obtained at http://www.pettijohn-web.com/void-1.0.0.tar.gz

The manual isn't quite complete. The supplied script could really use some help as well as an rc script. The makefile is also cobbled together.

It is pledged and unveiled. I think it can have a few of the pledges removed, but I haven't gotten that far. I think it is unveiled correctly, but this was my first time playing with it.

The only requirement is libevent2 to aid in portability, which was the driving force behind executing a script so that it could tie into whatever packet filter is in use.

Any constructive suggestions and patches are more than welcome.

Enjoy.

Edgar
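One way to write the hook script such a listener could execute, as an added example (not the script shipped in void-1.0.0): it validates the address before anything reaches pfctl and skips an allowlist. It assumes the address arrives as the first argument; the allowlist entries and the `porthook` log tag are constructed.

```shell
#!/bin/sh
# Added example, not part of void-1.0.0. Assumption: the listener runs this
# hook with the peer address as its first argument.
TABLE=bad_hosts                    # pf table named earlier in the thread
ALLOW="127.0.0.1 ::1 192.0.2.10"   # constructed: addresses never to block

# Accept only strings shaped like an IP literal, so nothing option-like or
# shell-special is handed to pfctl.
valid_addr() {
    case "$1" in
        ''|-*|.*|*.|*[!0-9A-Fa-f:.]*) return 1 ;;
        *:*) return 0 ;;           # IPv6 shape; pfctl does the strict parse
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

allowed() {
    for a in $ALLOW; do
        if [ "$a" = "$1" ]; then return 0; fi
    done
    return 1
}

# Decide what to do with an address: prints add, skip or reject.
decide() {
    if ! valid_addr "$1"; then echo reject
    elif allowed "$1"; then echo skip
    else echo add
    fi
}

# Act only when called with an argument, as the listener would call it.
if [ $# -gt 0 ]; then
    case $(decide "$1") in
        add)    logger -t porthook "adding $1 to <$TABLE>"
                pfctl -t "$TABLE" -T add "$1" ;;
        skip)   logger -t porthook "allowlisted address, not blocking: $1" ;;
        reject) logger -t porthook "malformed address argument ignored" ;;
    esac
fi
```

The rejected argument is deliberately not written to syslog, since it is untrusted input.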
Re: Blocking "shodan.io" - What are my options?
Hi,

I would gladly play with your script. Would you please share it @misc. Maybe our community could develop it further...

On Sun, 13 Jan 2019 12:43:15 -0600
ed...@pettijohn-web.com wrote:

> On Fri, Jan 11, 2019 at 09:30:38AM +1100, Aaron Mason wrote:
> > I knew it wouldn't trigger on the first attempt, but I had a sneaking
> > suspicion that you'd need something to listen on that port. Is there
> > a way to achieve what we seek, in that case, without userland tools?
> >
> > On Thu, Jan 10, 2019 at 9:18 PM Stuart Henderson
> > wrote:
> > >
> > > On 2019-01-09, Aaron Mason wrote:
> > > > Hi Jordan
> > > >
> > > > I've set it up to try it, but I'm not having much luck. Even when I
> > > > trigger more than one, it still doesn't populate the bad_hosts table,
> > > > even again when I extend the rate period to 86400 seconds. I've added
> > > > logging so I know the rule is triggering. See below.
> > >
> > > max-src-conn-rate is only triggered when a TCP connection is
> > > established, you need to have something listening (and it will only
> > > trigger on the *second* connection).
> > >
> > >
> >
> >
> > --
> > Aaron Mason - Programmer, open source addict
> > I've taken my software vows - for beta or for worse
> >
>
> I wrote a little daemon to do what we're looking for. It listens on
> specified ports, accepts the connection and executes a script so you can
> either use something like logger or pfctl, etc to do what you want with
> the address it connected from. If anyone wants to play with it let me
> know and I'll send you the tarball.
>
> Edgar
>

--
radek
Re: Blocking "shodan.io" - What are my options?
On Fri, Jan 11, 2019 at 09:30:38AM +1100, Aaron Mason wrote:
> I knew it wouldn't trigger on the first attempt, but I had a sneaking
> suspicion that you'd need something to listen on that port. Is there
> a way to achieve what we seek, in that case, without userland tools?
>
> On Thu, Jan 10, 2019 at 9:18 PM Stuart Henderson wrote:
> >
> > On 2019-01-09, Aaron Mason wrote:
> > > Hi Jordan
> > >
> > > I've set it up to try it, but I'm not having much luck. Even when I
> > > trigger more than one, it still doesn't populate the bad_hosts table,
> > > even again when I extend the rate period to 86400 seconds. I've added
> > > logging so I know the rule is triggering. See below.
> >
> > max-src-conn-rate is only triggered when a TCP connection is
> > established, you need to have something listening (and it will only
> > trigger on the *second* connection).
> >
> >
>
>
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse
>

I wrote a little daemon to do what we're looking for. It listens on specified ports, accepts the connection and executes a script so you can either use something like logger or pfctl, etc to do what you want with the address it connected from. If anyone wants to play with it let me know and I'll send you the tarball.

Edgar
Re: Purpose of primary and secondary user groups
On 12/30/2018 12:33 AM, Philip Guenther wrote:

On Sat, Dec 29, 2018 at 11:29 AM Ipsen S Ripsbusker < ip...@ripsbusker.no.eu.org> wrote:

Aside from compatibility, what is the purpose of primary groups, compared to secondary groups?

Said otherwise, why do we have both primary and secondary groups rather than only secondary groups?

Yet another phrasing: Why do I need to set a primary group?

Secondary groups can only be set, all at once, when running as root (e.g., login, sshd), while the primary group can be altered by setgid binaries and then switched among using set*gid(2).

For filesystem objects like files and directories, the BSD behavior is for the object to get its group from the directory in which it was created, ignoring the groups of the process that created it. On more SysV-like systems the default is to take the primary group of the process that created it.

However, for objects that exist in the kernel but not the filesystem such as pipes, sockets, and SysV shared memory segments, semaphores, and message queues, the common behavior is to take the primary group of the process that created it. This doesn't have much effect other than fstat() for pipes and sockets, but for SysV stuff it affects what operations processes can perform.

Philip Guenther

Is there also a difference when creating a file in a folder with set GID bit on that folder and owned by secondary group? I think in normal behavior, if folder allows a user to create a file (sec. group w/ 770 perm.) then the new file group will not take the group of the folder but will take the group of the user's primary group. But if you have set GID bit then the new file will take the group of the folder it's in (which will be one of the user's secondary groups).

I thought in OpenBSD there is also a flag to mount the filesystem to always do this regardless of set GID but I can't remember. I don't see it in the man page so maybe with all of this I'm really thinking of Linux but I can't remember.

V/r,
Bryan
Re: Backlight on Dell Laptop not adjusting brightness
Hello Paul,

On my new Dell Latitude Bios, there is an option to turn on/off (using Fn 7 keys) the backlight. It works well with stock install and fw_update.

Hope this is useful,

Good luck,
Rajesh

Original Message
From: j...@posteo.de
Sent: January 13, 2019 07:53
To: misc@openbsd.org
Subject: Re: Backlight on Dell Laptop not adjusting brightness

Hi,

I use https://github.com/jcs/intel_backlight_fbsd to change the display brightness of my XPS. Maybe have a look at that.

Cheers,
Jan

On 01/11, Paul Swanson wrote:
> Ted, thanks for those tips.
>
> I'll get stuck into it and report back once I've made some progress.
>
> Paul Swanson
>
>
> Sent from ProtonMail, encrypted email based in Switzerland.
>
> ‐‐‐ Original Message ‐‐‐
> On Friday, January 11, 2019 7:28 PM, Ted Unangst wrote:
>
> > Paul Swanson wrote:
> >
> > > $ wsconsctl display.brightness=5
> > > display.brightness -> 5.00%
> > > This laptop is essentially all Intel Skylake under the hood so I'm
> > > wondering
> > > why it's not playing nice like on the Lenovo / ThinkPads.
> > > Below is my dmesg and also Xorg.0.log.
> > > "DELLABC6" at acpi0 not configured
> > > "DELLABCE" at acpi0 not configured
> > > "INT3400" at acpi0 not configured
> > > acpivideo0 at acpi0: GFX0
> > > acpivout0 at acpivideo0: LCD_
> >
> > I went back and reread this. In theory, acpivout should support backlight
> > control. That's another place to look and see what's really happening.
>
>
Re: Backlight on Dell Laptop not adjusting brightness
Hi,

I use https://github.com/jcs/intel_backlight_fbsd to change the display brightness of my XPS. Maybe have a look at that.

Cheers,
Jan

On 01/11, Paul Swanson wrote:
> Ted, thanks for those tips.
>
> I'll get stuck into it and report back once I've made some progress.
>
> Paul Swanson
>
>
> Sent from ProtonMail, encrypted email based in Switzerland.
>
> ‐‐‐ Original Message ‐‐‐
> On Friday, January 11, 2019 7:28 PM, Ted Unangst wrote:
>
> > Paul Swanson wrote:
> >
> > > $ wsconsctl display.brightness=5
> > > display.brightness -> 5.00%
> > > This laptop is essentially all Intel Skylake under the hood so I'm
> > > wondering
> > > why it's not playing nice like on the Lenovo / ThinkPads.
> > > Below is my dmesg and also Xorg.0.log.
> > > "DELLABC6" at acpi0 not configured
> > > "DELLABCE" at acpi0 not configured
> > > "INT3400" at acpi0 not configured
> > > acpivideo0 at acpi0: GFX0
> > > acpivout0 at acpivideo0: LCD_
> >
> > I went back and reread this. In theory, acpivout should support backlight
> > control. That's another place to look and see what's really happening.
>
>