Re: email dkim signing failing with 6.8
On 23.05.2021 at 12:32, flipchan wrote:
> Yeah, it was all working until I upgraded to 6.8, can someone else that
> is running opensmtpd with dkim send me their smtpd.conf? I assume I have
> written some rule wrong, not sure where doe

The config is all over the place. There is the rspamd filter and there is
DKIM tagging with a match rules order that can't reach the tagging.
It's like Martijn van Duren said, you are clearly using rspamd and not
dkimproxy_out, which means your debugging is way off.

But things got easier anyway. Please install filter-dkimsign.

# pkg_add opensmtpd-filter-dkimsign

Remove everything dkim and rspamd from your current smtpd.conf.
Add

filter "dkimsg" proc-exec "filter-dkimsign -d example.com -s default \
    -k /var/dkimproxy/default.private -c relaxed/relaxed" \
    user _dkimsign group _dkimsign

and edit the line

listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth filter "rspamd"

to

listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth filter "dkimsg"

Or

# cat /etc/mail/smtpd.conf
table aliases file:/etc/mail/aliases

pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"

filter "dkimsg" proc-exec "filter-dkimsign -d example.com -s default \
    -k /var/dkimproxy/default.private -c relaxed/relaxed" \
    user _dkimsign group _dkimsign

listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth filter "dkimsg"
listen on vio0 port 25 hostname example.com tls pki mail.example.com

action "mbox" mbox alias
action "relay" relay

match from any for domain example.com action "mbox"
match for local action "mbox"
match auth from any for any action "relay"

If you really need rspamd for spam filtering add it back in and add the
filter only to "listen on vio0 port 25". Otherwise uninstall it, since
even in "standby" it produces lots of DNS traffic.

HTH
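The "match rules order that can't reach the tagging" point in the reply above, worked through as an added example (this is not code from the thread and not OpenSMTPD's parser; it models only the rule shapes that appear in the posted smtpd.conf, and `LOCAL_NAMES` is an assumed stand-in for what "for local" matches). OpenSMTPD evaluates match rules top to bottom and the first match wins, so in the original ruleset the authenticated "relay" rule always fires before the "relay_dkim" rule, and submitted mail never reaches the DKIM relay; the `shadowed_rules` check finds exactly that rule statically.

```python
"""Toy model of OpenSMTPD match-rule evaluation: rules are tried in order,
first match wins. Added example (not OpenSMTPD's parser, not code from the
thread); it only understands the rule shapes in the posted smtpd.conf."""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCAL_NAMES = {"localhost", "mail.example.com"}   # assumed: what "for local" matches


@dataclass
class Envelope:
    sender: str
    recipient: str
    authenticated: bool = False   # accepted on a listener with "auth"
    tag: Optional[str] = None     # set by a "listen ... tag X" listener


@dataclass
class MatchRule:
    action: str
    auth: bool = False
    tag: Optional[str] = None
    for_domain: Optional[str] = None
    for_local: bool = False

    def matches(self, env: Envelope) -> bool:
        rcpt_domain = env.recipient.rsplit("@", 1)[-1].lower()
        return ((not self.auth or env.authenticated)
                and (self.tag is None or env.tag == self.tag)
                and (self.for_domain is None or rcpt_domain == self.for_domain)
                and (not self.for_local or rcpt_domain in LOCAL_NAMES))

    def covers(self, other: "MatchRule") -> bool:
        """True if every envelope that matches `other` also matches self."""
        return ((not self.auth or other.auth)
                and (self.tag is None or self.tag == other.tag)
                and (self.for_domain is None or self.for_domain == other.for_domain)
                and (not self.for_local or other.for_local))


def parse_rule(line: str) -> MatchRule:
    """Parse the subset of 'match' syntax used in the thread."""
    toks = shlex.split(line)
    if not toks or toks[0] != "match":
        raise ValueError(f"not a match rule: {line!r}")
    rule, i = MatchRule(action=""), 1
    while i < len(toks):
        t = toks[i]
        if t == "auth":
            rule.auth, i = True, i + 1
        elif t == "tag":
            rule.tag, i = toks[i + 1], i + 2
        elif t == "from":                      # only "from any" is modelled
            i += 2
        elif t == "for" and toks[i + 1] == "domain":
            rule.for_domain, i = toks[i + 2].lower(), i + 3
        elif t == "for":                       # "for any" / "for local"
            rule.for_local, i = (toks[i + 1] == "local"), i + 2
        elif t == "action":
            rule.action, i = toks[i + 1], i + 2
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    return rule


def parse_rules(lines: List[str]) -> List[MatchRule]:
    return [parse_rule(l) for l in lines if l.lstrip().startswith("match")]


def first_action(rules: List[MatchRule], env: Envelope) -> Optional[str]:
    """First matching rule decides; None means smtpd would reject."""
    return next((r.action for r in rules if r.matches(env)), None)


def shadowed_rules(rules: List[MatchRule]) -> List[Tuple[int, int]]:
    """(rule index, earlier index) pairs where the earlier rule always wins."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].covers(later):
                found.append((j, i))
                break
    return found


# Match section of the smtpd.conf posted in the thread (commented lines dropped).
ORIGINAL_RULES = [
    'match from any for domain example.com action "mbox"',
    'match auth from any for any action "relay"',
    'match for local action "mbox"',
    'match tag DKIM for any action "relay"',
    'match auth from any for any action "relay_dkim"',
]
# Match section of the filter-dkimsign config from the reply above.
FIXED_RULES = [
    'match from any for domain example.com action "mbox"',
    'match for local action "mbox"',
    'match auth from any for any action "relay"',
]
# Constructed envelope: an authenticated user submitting mail to an outside domain.
OUTBOUND = Envelope("user@example.com", "friend@example.org", authenticated=True)

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        parsed = parse_rules(rules)
        print(f"{name}: outbound -> {first_action(parsed, OUTBOUND)}, "
              f"shadowed rules: {shadowed_rules(parsed)}")
```

Running it reports `original: outbound -> relay, shadowed rules: [(4, 1)]`: rule 4 (`relay_dkim`) is fully covered by rule 1, so no envelope can ever reach it. With the filter-dkimsign layout the signing happens on the submission listener itself, so the "relay" rule is the right destination and nothing is shadowed.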
carp backup and disconnecting ssh session
Hi,

I have a carp master and backup on a pair of one-armed Raspberry Pi 4B
devices (router1 and router2) and when I ssh to the backup using the carp
IP as my gateway, it repeatedly throws me out after a few seconds with
the message:

My laptop's network config:
---
IP: 192.168.4.109
Subnet mask: 255.255.255.0
Gateway: 192.168.4.1

Both RPI4s are connected to switchports with packets tagged for VLANs
2,3,4,6 and the network devices don't have IP configuration - everything
is configured on VLAN interfaces with the single parent interface bse0.

CARP failover actually works as expected, but as mentioned I am unable
to maintain an ssh session with the backup "router2" while using the
carp IPs as my network gateway.

Network switch is a Zyxel GS1200-8 with firmware V2.00(ABME.0)C0. Loop
prevention is enabled and I have also tested with it disabled to no
avail.

What happens:
---
$ ssh 10.0.1.101
Last login: Sun May 23 17:44:21 2021 from 10.0.1.100
OpenBSD 6.9 (GENERIC.MP) #1134: Sun Apr 18 01:53:35 MDT 2021

router2#
router2# client_loop: send disconnect: Broken pipe

Router 1 network config:
---
router1# cat hostname.bse0
up
router1# cat hostname.vlan2
172.16.1.6/24 172.16.1.255
parent bse0 vnetid 2 group PFSYNC description "private segment with router2"
router1# cat hostname.vlan3
10.0.1.100/24 10.0.1.255
parent bse0 vnetid 3 group INTERNAL description "router1 internal interface"
router1# cat hostname.vlan4
192.168.1.252/24 192.168.1.255
parent bse0 vnetid 4 group OLDSHIT description "unmigrated shit"
router1# cat hostname.vlan6
192.168.4.2/24 192.168.4.255
parent bse0 vnetid 6 group TCWIFI description "Time-Capsule Wifi"
router1# cat hostname.carp4
192.168.1.1/24
carpdev vlan4 pass fukdissh1t vhid 41 advskew 1 description "TC-WIFI gateway"
router1# cat hostname.carp6
192.168.4.1/24
carpdev vlan6 pass fukdissh1t vhid 61 advskew 1 description "TC-WIFI gateway"

Router2 network config:
---
router2# cat hostname.bse0
up
router2# cat hostname.vlan2
172.16.1.7/24 172.16.1.255
parent bse0 vnetid 2 group PFSYNC description "private segment with router1"
router2# cat hostname.vlan3
10.0.1.101/24 10.0.1.255
parent bse0 vnetid 3 group INTERNAL description "router2 internal interface"
router2# cat hostname.vlan4
192.168.1.253/24 192.168.1.255
parent bse0 vnetid 4 group OLDSHIT description "unmigrated shit"
router2# cat hostname.vlan6
192.168.4.3/24 192.168.4.255
parent bse0 vnetid 6 group TCWIFI description "Time-Capsule Wifi"
router2# cat hostname.carp4
192.168.1.1/24
carpdev vlan4 pass fukdissh1t vhid 41 advskew 128 description "TC-WIFI gateway"
router2# cat hostname.carp6
192.168.4.1/24
carpdev vlan6 pass fukdissh1t vhid 61 advskew 128 description "TC-WIFI gateway"

Any tips much appreciated.

-mike
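A consistency check over the hostname.carpN files posted above, as an added example (not from the post, not OpenBSD code). It parses the ifconfig-style lines of the master and backup, confirms the settings that must agree between the two (address, carpdev, vhid, pass) and the one that must differ (advskew), and names the expected master. The sample inputs are the poster's carp6 files with the CARP password replaced by a constructed placeholder, plus a constructed broken variant; ruling out a mismatched pair is the cheapest first step before looking at the switch or pf.

```python
"""Consistency check for a CARP master/backup pair from hostname.carpN
files. Added example, not code from the post or from OpenBSD."""
import shlex
from typing import Dict, List, Optional, Sequence, Tuple

CARP_KEYS = ("carpdev", "pass", "vhid", "advskew", "description")


def parse_carp(text: str) -> Dict[str, str]:
    """Reduce a hostname.carpN file to the CARP settings we compare."""
    toks = shlex.split(" ".join(text.split()))   # hostname.if may span lines
    cfg: Dict[str, str] = {}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in CARP_KEYS and i + 1 < len(toks):
            cfg[t] = toks[i + 1]
            i += 2
        elif "/" in t and "address" not in cfg:   # first CIDR token is the VIP
            cfg["address"] = t
            i += 1
        else:
            i += 1
    return cfg


def check_pair(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Findings for one vhid shared by two routers; empty list means OK."""
    findings = []
    for key in ("address", "carpdev", "vhid", "pass"):
        if a.get(key) != b.get(key):
            findings.append(f"{key} differs: {a.get(key)!r} vs {b.get(key)!r}")
    sa, sb = int(a.get("advskew", "0")), int(b.get("advskew", "0"))
    if sa == sb:
        findings.append(f"advskew identical ({sa}); no deterministic master")
    return findings


def expected_master(hosts: Sequence[Tuple[str, Dict[str, str]]]) -> Optional[str]:
    """Lowest advskew wins the election when everything else matches."""
    if not hosts:
        return None
    return min(hosts, key=lambda nc: int(nc[1].get("advskew", "0")))[0]


# Sample inputs: the carp6 files from the post, password replaced by a
# constructed placeholder.
ROUTER1_CARP6 = """192.168.4.1/24
carpdev vlan6 pass CARP-PASSWORD-PLACEHOLDER vhid 61 advskew 1 description "TC-WIFI gateway"
"""
ROUTER2_CARP6 = """192.168.4.1/24
carpdev vlan6 pass CARP-PASSWORD-PLACEHOLDER vhid 61 advskew 128 description "TC-WIFI gateway"
"""
# Constructed broken variant: a vhid typo on the backup.
ROUTER2_CARP6_BAD = ROUTER2_CARP6.replace("vhid 61", "vhid 16")

if __name__ == "__main__":
    r1, r2 = parse_carp(ROUTER1_CARP6), parse_carp(ROUTER2_CARP6)
    print("findings:", check_pair(r1, r2) or "none")
    print("expected master:", expected_master([("router1", r1), ("router2", r2)]))
    print("broken pair:", check_pair(r1, parse_carp(ROUTER2_CARP6_BAD)))
```

On the posted configuration the pair is consistent and router1 (advskew 1) is the expected master for vhid 61; the broken variant reports `vhid differs: '61' vs '16'`.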
Re: email dkim signing failing with 6.8
Hello,

1. Install *opensmtpd-filter-dkimsign*
2. Read */usr/local/share/doc/pkg-readmes/opensmtpd-filter-dkimsign*

I hope this is helpful.

-dma

On 5/23/21 6:32 AM, flipchan wrote:
> Yeah, it was all working until I upgraded to 6.8, can someone else that
> is running opensmtpd with dkim send me their smtpd.conf? I assume I have
> written some rule wrong, not sure where doe
>
> On 22/05/2021 13:05, Martijn van Duren wrote:
>> I'm not sure what you're doing, but you show a piece of rspamd config
>> for your signing, while you claim to use dkimproxy_out.
>>
>> I haven't used dkimproxy_out in a long time (basically since I wrote
>> filter-dkimsign) but last time I used dkimproxy_in it worked as
>> expected for rsa.
>>
>> Also note that dkimproxy hasn't had a new release since 2011, which
>> doesn't have to mean anything, but is usually not a great sign.
>>
>> If you really want to continue using dkimproxy I'd suggest running
>> dkimproxy_out on the shell:
>> /usr/local/bin/dkimproxy.out --conf_file=/etc/dkimproxy_out.conf --user=_dkimproxy --group=_dkimproxy
>> and see what it spews out.
>>
>> Personally I'd replace dkimproxy with either (filter-)rspamd or
>> filter-dkimsign depending on your needs.
>>
>> martijn@
>>
>> On Sat, 2021-05-22 at 11:44 +0200, flipchan wrote:
>>> Hi all,
>>> I upgraded from 6.6 to 6.8 and dkim magically stopped appending the
>>> dkim signatures to my emails. I have tried to debug it but I'm not
>>> really getting anywhere. dkimproxy_out is running without complaints.
>>> Does anyone see what I'm doing wrong?
>>>
>>> mail# cat /etc/mail/smtpd.conf
>>> table aliases file:/etc/mail/aliases
>>> #table other-relays file:/etc/mail/other-relays
>>>
>>> pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
>>> pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
>>>
>>> filter "rspamd" proc-exec "/usr/local/libexec/smtpd/filter-rspamd"
>>>
>>> listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth filter "rspamd" #mask-src
>>> listen on vio0 port 25 hostname example.com tls pki mail.example.com filter "rspamd" # auth-optional
>>>
>>> #action "mbox" mbox alias
>>> #action "relay" relay
>>> #match for local action "mbox"
>>> #match for any action "relay"
>>> #match !from src mail-from "@example.com" for any \
>>> #	reject
>>>
>>> listen on lo0 port 10028 tag DKIM
>>>
>>> action "mbox" mbox alias
>>> action "relay" relay
>>> action "relay_dkim" relay host smtp://127.0.0.1:10027
>>>
>>> match from any for domain example.com action "mbox"
>>> match auth from any for any action "relay"
>>> match for local action "mbox"
>>> match tag DKIM for any action "relay"
>>> #match tag dkim for any action "relay"
>>> #match tag DKIM for any action "outbound"
>>> #match for any action relay_dkim
>>> match auth from any for any action "relay_dkim"
>>>
>>> mail# dkim_signing.conf redis.conf
>>> mail# cat /etc/rspamd/local.d/dkim_signing.conf
>>> domain {
>>>     example.com {
>>>         path = "/var/dkimproxy/default.private";
>>>         selector = "default";
>>>     }
>>> }
>>> mail# uname -a
>>> OpenBSD mail.firosolutions.com 6.8 GENERIC#5 amd64
>>>
>>> Thanks!
>>>
>>> Sincerely,
>>> Flipchan
Re: email dkim signing failing with 6.8
Yeah, it was all working until I upgraded to 6.8, can someone else that
is running opensmtpd with dkim send me their smtpd.conf? I assume I have
written some rule wrong, not sure where doe

On 22/05/2021 13:05, Martijn van Duren wrote:
> I'm not sure what you're doing, but you show a piece of rspamd config
> for your signing, while you claim to use dkimproxy_out.
>
> I haven't used dkimproxy_out in a long time (basically since I wrote
> filter-dkimsign) but last time I used dkimproxy_in it worked as
> expected for rsa.
>
> Also note that dkimproxy hasn't had a new release since 2011, which
> doesn't have to mean anything, but is usually not a great sign.
>
> If you really want to continue using dkimproxy I'd suggest running
> dkimproxy_out on the shell:
> /usr/local/bin/dkimproxy.out --conf_file=/etc/dkimproxy_out.conf --user=_dkimproxy --group=_dkimproxy
> and see what it spews out.
>
> Personally I'd replace dkimproxy with either (filter-)rspamd or
> filter-dkimsign depending on your needs.
>
> martijn@
>
> On Sat, 2021-05-22 at 11:44 +0200, flipchan wrote:
>> Hi all,
>> I upgraded from 6.6 to 6.8 and dkim magically stopped appending the
>> dkim signatures to my emails. I have tried to debug it but I'm not
>> really getting anywhere. dkimproxy_out is running without complaints.
>> Does anyone see what I'm doing wrong?
>>
>> mail# cat /etc/mail/smtpd.conf
>> table aliases file:/etc/mail/aliases
>> #table other-relays file:/etc/mail/other-relays
>>
>> pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
>> pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
>>
>> filter "rspamd" proc-exec "/usr/local/libexec/smtpd/filter-rspamd"
>>
>> listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth filter "rspamd" #mask-src
>> listen on vio0 port 25 hostname example.com tls pki mail.example.com filter "rspamd" # auth-optional
>>
>> #action "mbox" mbox alias
>> #action "relay" relay
>> #match for local action "mbox"
>> #match for any action "relay"
>> #match !from src mail-from "@example.com" for any \
>> #	reject
>>
>> listen on lo0 port 10028 tag DKIM
>>
>> action "mbox" mbox alias
>> action "relay" relay
>> action "relay_dkim" relay host smtp://127.0.0.1:10027
>>
>> match from any for domain example.com action "mbox"
>> match auth from any for any action "relay"
>> match for local action "mbox"
>> match tag DKIM for any action "relay"
>> #match tag dkim for any action "relay"
>> #match tag DKIM for any action "outbound"
>> #match for any action relay_dkim
>> match auth from any for any action "relay_dkim"
>>
>> mail# dkim_signing.conf redis.conf
>> mail# cat /etc/rspamd/local.d/dkim_signing.conf
>> domain {
>>     example.com {
>>         path = "/var/dkimproxy/default.private";
>>         selector = "default";
>>     }
>> }
>> mail# uname -a
>> OpenBSD mail.firosolutions.com 6.8 GENERIC#5 amd64
>>
>> Thanks!
>>
>> Sincerely,
>> Flipchan
Re: pf: antispoof with dynamic IP address?
On 2021-05-22, Mogens Jensen wrote:
> On Friday, May 21, 2021 8:22 AM, Peter N. M. Hansteen wrote:
>> quoting pf.conf(5):
>>
>> "    The antispoof directive expands to a set of filter rules which will block
>>      all traffic with a source IP from the network(s) directly connected to
>>      the specified interface(s) from entering the system through any other
>>      interface."
>>
>> This means essentially that the sample rules would fail to be effective
>> only if the interface you antispoof for has switched networks. I think
>> that is a relatively rare event for running firewalls and not doing a ruleset
>> reload.
>
> I'm still struggling with understanding why it works, please bear with
> me.
>
> Let's say I'm assigned dynamic IP address 192.0.2.5/24 from my ISP on
> external interface em0.
>
> antispoof em0 inet
>
> Expands to:
>
> block drop in on ! em0 inet from 192.0.2.0/24 to any
> block drop in inet from 192.0.2.5 to any
>
> At some point when the IP lease is renewed, the ISP has assigned an
> address from another block e.g. 203.0.113.21/24. I would now think that
> the block rules created by antispoof are obsolete as they are not
> updated with the new address, but why should it still work without
> interface name in parentheses?
>
> Thanks.
>
> Mogens Jensen
>

"egress" is not really useful with antispoof anyway.

antispoof generates a set of rules to block packets with local network
addresses coming in on an unexpected interface (either the wrong
internal interface, or an external interface). It does not generate
rules to stop someone on an internal network sending packets from
another invalid address. For example even listing all network interfaces
in antispoof rules, someone on an internal network can still send
traffic with a source address of (e.g.) 8.8.8.8.

To prevent that you'll need "block by default / allow specific source"
rules like "pass in on em0 from em0:network" (etc, for each interface),
or "block in from urpf-failed" (which does a dynamic route lookup;
simpler config but slightly higher per-connection overhead).
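Both points in this thread, worked through as an added example (not code from the thread and not pf): the two-rule expansion of `antispoof for em0 inet` shown above is modelled from the interface's address at load time, and `urpf_failed` models `block in from urpf-failed` as "the route back to the source address does not lead out the interface the packet arrived on". The interfaces (`em0` external, `em1` internal), routes and packets are constructed. It shows the case Mogens asked about (the ruleset still holds the old 192.0.2.0/24 after a lease renewal to 203.0.113.0/24) and the case Stuart raised (an internal host sending from 8.8.8.8 passes antispoof but fails the reverse-path check).

```python
"""Model of what 'antispoof' expands to versus a reverse-path (urpf) check.
Added example, not from the thread or from pf; all interfaces, routes and
packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Route = Tuple[Net, str]   # (destination network, outgoing interface)


@dataclass(frozen=True)
class AntispoofRule:
    iface: str
    not_on_iface: bool   # True models "block in on ! <iface>"
    network: Net


def expand_antispoof(iface: str, addr: str) -> List[AntispoofRule]:
    """'antispoof for <iface> inet', using the address held at load time."""
    i = ipaddress.ip_interface(addr)
    return [
        AntispoofRule(iface, True, i.network),                      # in on ! iface from <net>
        AntispoofRule(iface, False, ipaddress.ip_network(str(i.ip))),  # in from <own address>
    ]


def antispoof_blocks(rules: List[AntispoofRule], src: str, in_iface: str) -> bool:
    """True if a packet with source `src` arriving on `in_iface` hits a block rule."""
    s = ipaddress.ip_address(src)
    for r in rules:
        if s not in r.network:
            continue
        if r.not_on_iface and in_iface == r.iface:
            continue                       # arrived on the expected interface
        return True
    return False


def route_iface(routes: List[Route], dst: str) -> str:
    """Longest-prefix match, like the kernel's route lookup."""
    d = ipaddress.ip_address(dst)
    best = max((n for n, _ in routes if d in n), key=lambda n: n.prefixlen)
    return dict(routes)[best]


def urpf_failed(routes: List[Route], src: str, in_iface: str) -> bool:
    """'block in from urpf-failed': the route back to src must use in_iface."""
    return route_iface(routes, src) != in_iface


def verdict(rules: List[AntispoofRule], routes: List[Route],
            src: str, in_iface: str) -> Dict[str, bool]:
    return {"antispoof_blocks": antispoof_blocks(rules, src, in_iface),
            "urpf_failed": urpf_failed(routes, src, in_iface)}


def mk_routes(external_net: str) -> List[Route]:
    """Constructed routing table: LAN on em1, ISP net and default on em0."""
    return [(Net("10.0.0.0/24"), "em1"), (Net(external_net), "em0"),
            (Net("0.0.0.0/0"), "em0")]


# Ruleset as loaded when em0 held 192.0.2.5/24 (the thread's example).
RULES_AT_BOOT = expand_antispoof("em0", "192.0.2.5/24") + expand_antispoof("em1", "10.0.0.1/24")
ROUTES_AT_BOOT = mk_routes("192.0.2.0/24")
# After the lease renews to 203.0.113.0/24 the routes change, the loaded rules do not.
ROUTES_AFTER_RENEWAL = mk_routes("203.0.113.0/24")

if __name__ == "__main__":
    for src, iface, routes in (("192.0.2.7", "em1", ROUTES_AT_BOOT),
                               ("8.8.8.8", "em1", ROUTES_AT_BOOT),
                               ("10.0.0.23", "em1", ROUTES_AT_BOOT),
                               ("203.0.113.9", "em1", ROUTES_AFTER_RENEWAL)):
        print(f"{src:>12} in on {iface}: {verdict(RULES_AT_BOOT, routes, src, iface)}")
```

The output lines make the distinction concrete: the external network spoofed on the LAN is caught by both checks, 8.8.8.8 from the LAN and the post-renewal 203.0.113.9 from the LAN are caught only by the reverse-path check, and a genuine LAN source passes both.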