Re: question about man starttls and linking to cert.pem

[Gilles Chehade]

On Sun, Aug 11, 2019 at 07:17:06AM -0600, Todd C. Miller wrote:
> On Sat, 10 Aug 2019 22:22:05 -0400, "Ted Unangst" wrote:
> 
> > That entire section seems dumb and outdated. I would prefer we
> > simply not give any advice here. Users can figure out what they
> > need to do. Installing the public cert needs to be done on many
> > other machines, not just the one where its generated.
> 
> Fine with me.  I wonder if we shouldn't also mention acme-client
> here too.  Something for another diff...
> 

I was wondering the same actually.

It's interesting to have instruction for generating self-signed cert but
most people will want a cert that others will validate so it makes sense
to at least extend the man page (in another diff) in my opinion.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.orgpatreon: https://www.patreon.com/gilles

Re: opensmtpd forwarding sent mail and extras-pgsql

[Gilles Chehade]

Howdie,

On Thu, Jun 06, 2019 at 08:17:52PM +, Benny wrote:
> First of all, I really appreciate your work on Opensmtpd. In the past few 
> days of planning and configurating(still working on it). I realize the beauty 
> in smtpd's simplicity.
> 

Thanks


> My quests were quite stupid as I didn't know imap mail clients send the 
> message to the smtp server and the imap as "Sent" for every outgoing email.
> 
> The man page from the port source was enough for my setup.
> 

I've seen more stupid quests so don't beat yourself up ;-)


> By the way, does Opensmtpd support milter for rspam now? I have seen blogs 
> about it being upstreamed, but found nothing from smtpd.conf(5).
> 

Since you're asking, I'll take the opportunity to provide details ;-)

OpenSMTPD supports a filtering interface that is different (and simpler)
than milters, so you won't be able to use the existing milter for rspamd
BUT writing a native filter is trivial (as in shell scripting trivial).

I wrote a native rspamd filter, with greylisting and dkim-signing logic,
all it took was an hour and a couple hundred lines of code. It won't get
released because it's just a proof-of-concept, lacking robustness, and I
don't feel like maintaining it, but there will surely be implementations
available soon after the release.

The code is already in current for the most part but there are still few
minor bugs to fix, things to change in the API, and you should stay away
of it if you can't write code at the moment.

Some people already wrote a few useful filters and are using them daily,
so this is more than usable at this point, my plan is for the filter API
to be made rock-solid for 6.6.


> Once again, thank you for this amazing piece of software.
> 

Thanks :-)


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: opensmtpd forwarding sent mail and extras-pgsql

[Gilles Chehade]

On Mon, Jun 03, 2019 at 05:44:41PM +, Benny wrote:
> Hi,
> 

Hi,


> I am planning a mail server of opensmtpd and dovecot. I'd be glad to know if 
> there is any way to save a copy of mail to dovecot's "Sent" mail box before 
> relaying them out.
> 

sorry, I don't know dovecot enough for tricks and hacks.

it's possible that it's doable through some weird trick when smtpd would
notify dovecot somehow of messages that were sent, but I doubt it and it
is generally the mail user agent that does the link between mails it did
send over SMTP and copies it stores through IMAP.


> I am also not about find any docs on opensmtpd-extra-pgsql. Is there any 
> guide to link postgresql up with smtpd for virtual users?
> 

There's a man page but no guide no.

There are several tutorials for using SQLite and MySQL if you google and
they are pretty much identical in terms of configuration.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: Puffy Security smtpd out of date ( closed )

[Gilles Chehade]

On Mon, Mar 11, 2019 at 11:34:58AM +, Geir Svalland wrote:
> 
> On 2019-03-11 09:58, Janne Johansson wrote:
> > Den fre 8 mars 2019 kl 20:59 skrev Sean Kamath :
> >>> It's a shame good work like this is
> >>> of no use anymore. According to my opinion, it's well written and easy to 
> >>> follow.
> >>>
> >> So, I???ll take issue with the ???well written??? part of that.  It 
> >> doesn???t do much in the way of explaining anything, just a lot of ???put 
> >> this here???, ???put that there???.
> > The intro to The Book of PF has a REALLY good mantra here on the "This
> > is not a HOWTO"
> > https://home.nuug.no/~peter/pf/en/preface.html
> >
> > I feel it applies equally well to running your own mail server as
> > building your own firewall.
> 
> Well, that was your 2cents to the discussion.
> We all have a right to a opinion and we all are on different levels of 
> knowledge and might have different
> milestones when learning. Some times I like to dig deeper, and some 
> times I just want something up'n
> running as fast as possible in a somewhat safe and secure way. Then 
> taking care of the "why and what's."
> 
> I've been running both Sendmail and Postfix for years without any major 
> difficulties, but this is my first
> try on OpenSMTP.
> 
> After a couple of days of googling, I found this article :
> https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/
> 
> and got very surprised that none of the "know better's" didn't know 
> about this, or didn't care to
> enlighten me and pointing me in this direction. This was exactly what I 
> was looking for.
> 

glad it helps, though keep in mind that I'm writing about code that is on
my laptop or that's very very very fresh and likely to change.

we're nearly a year apart from that post and I can't even remember all of
the changes, fixes and improvements.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: OpenBSD 6.4 smtpd local mail delivery missing "From " when .forward (procmail)

[Gilles Chehade]

On Sun, Jan 27, 2019 at 12:42:23PM -0700, Steve Williams wrote:
> 
> Hi Gilles,
> 
> Thanks very much for the reply.?? I had looked in for some kind of flag that
> could be set in the procmail config file... I never thought it would be a
> command line argument to procmail :(?? I cannot believe I missed that.
> 
> I had even downloaded the smtpd source and saw that mail.local could only
> write to a file (not a stream)... and that's the only place in the source
> code where a "From " was written so I knew it wasn't going to be a smtpd
> configuration change.
> 
> Do you think a hint about the behaviour change might be worth a mention in
> the smptd.conf (5) man page??? I've been trying to come up with some
> non-procmail specific wording...I am not happy with the following wording,
> but something along these lines to give a clue that piping to a program
> won't have the same effect as writing to a physical file.
> 
>  mbox?? Deliver the message to the user's mbox 
> with
>  mail.local(8).?? mbox format is
> only honoured if final delivery is a file and not a program.
> ^^^
>

this isn't accurate, smtpd(8) doesn't write to a file.

smtpd doesn't know about an "mbox format", what it does is that it calls
mail.local(8) which is an mda that should really be called mail.mbox and
which itself writes to a file in mbox format.

I don't think its necessary to document this behaviour in smtpd.conf(5),
procmail is the only case I know where you may forget to pass the option
and be bit, which leads to threads like this where i'm given a chance to
discourage you from using procmail.
k

> Thanks for the heads up about fdm.?? I'll have a look at it.
> 
> Also, thanks for such an amazingly simple email program to configure.?? I
> have spent so many hours over the years researching (scratching my head) how
> to configure sendmail!?? A 4 line config file to have a functioning email
> configuration is pretty staggering!
> 

Cheers :-)


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: OpenBSD 6.4 smtpd local mail delivery missing "From " when .forward (procmail)

[Gilles Chehade]

On Sat, Jan 26, 2019 at 08:53:06PM -0700, Steve Williams wrote:
> Hi,
> 
> I upgraded from OpenBSD 6.3 to OpenBSD 6.4 today.?? I upgraded all packages,
> switched to php7, etc.
> 
> I've been running OpenBSD since 2.7 so this is a very known process.
> 
> The upgrade went quite smoothly and is working fine except for my email.?? I
> have massaged the smtpd.conf file to comply with the OpenBSD 6.4 grammar.
> 
> I run a VERY simple smtpd configuration saving in mbox format.
> 
> I am also using procmail to direct emails into various folders, launched
> with a .forward.?? This has been working since about 2005 :), historically
> with sendmail and more recently, smtpd.
> 
> Unfortunately, email is being written to both my INBOX and the procmail the
> folders **incorrectly** post upgrade.
> 
> They are all missing the "From " line that is supposed to indicate the start
> of a new email message.
> 
> It seems like the email is being passed "raw" to procmail without being
> processed by "mail.local" ... or that's my interpretation.
> 

you need to tweak your procmail's command so it adds the From delimiter,
there's an option for that.

smtpd used to add the From delimiter for mda, which allowed procmail not
to require that option, however this wasn't correct and when we made the
mda improvements between 6.3 and 6.4, it became impossible to accomodate
procmail without introducing special cases and ugly hacks such as having
explicit search for the string 'procmail' in .forward files.

it wasn't worth it when people can just pass procmail an option.

also don't use procmail, it's trash and there are far better options for
you to use today, fdm being the first to come to mind :-)

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: OpenSMTPD??? how do I do these things, or do I just use postfix?

[Gilles Chehade]

On Sat, Jan 26, 2019 at 09:23:37PM +1000, Stuart Longland wrote:
> Hi Gilles,
> On 25/1/19 11:29 pm, Gilles Chehade wrote:
> > On Fri, Jan 25, 2019 at 11:15:47PM +1000, Stuart Longland wrote:
> >> First and foremost is the issue of backscatter-prevention.  I would like
> >> OpenSMTPD to validate the addresses passed to it before accepting them
> >> for relay to my primary MX.???
> > 
> > How you do it depends on which version you are running.
> > 
> > before 6.4:
> > 
> >   accept [...] recipient  [...]
> > 
> > 
> > after 6.4:
> > 
> >   match [..] rcpt-to  [...]
> > 
> > 
> > where table is a table containing a list of recipient addresses for that
> > rule to match.
> 
> That looks as if it'll do nicely.  I'll do some research into how the
> table is formatted??? but I'm guessing of the two formats supported, the
> array form `table mylist { value1, value2, value3 }` would be the form
> to use here?
> 

yes, if you use a static table:

 table foobar { a@b.c, b@c.d }

if the table is a file, then one address per-line, see table(5).


> >> Second is about how to define custom mail transports.  Rather than using
> >> SMTP/SSL like I am now, I'd like the emails destined for relay to my
> >> server, to be encrypted using a RSA key, (well, AES, then RSA encrypt
> >> the AES key) then either:
> >> - scp'd to a special spool directory on my Linux server??? OR if it
> >> happens to be down,
> >> - placed in a special directory on the VPS for my server to later ciphon
> >> down using `rsync --remove-source-files` over SSH.  (Basically, a bit
> >> like UUCP.)
> >>
> > 
> > no custom mail transports in smtpd.
> > 
> > a way to achieve what you want is to write a custom mda, and this is
> > actually how i did it to achieve a use-case similar to yours in the
> > past.
> 
> No problems, I'll have a closer look at how the MDA stuff works then. :-)
> 
> Really it's an `rmail` work-alike that I'll probably wind up writing,
> we'll see how it goes.
>

mda is basically a program that reads input from stdin and exits with the
proper status to report to the mta that delivery was successful, whatever
happens in between is up to you.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: OpenSMTPD??? how do I do these things, or do I just use postfix?

[Gilles Chehade]

On Fri, Jan 25, 2019 at 11:15:47PM +1000, Stuart Longland wrote:
> Hi all,
> 
> I've got a few silly questions regarding OpenSMTPD??? I'd ask on the
> opensmtpd misc mailing list, but my subscribe requests keep bouncing
> after a few days.  Since I'm running OpenSMTPD on OpenBSD, I figure
> they're on-topic here too.
> 

I can probably help with this ;-)


> [...]
>
> First and foremost is the issue of backscatter-prevention.  I would like
> OpenSMTPD to validate the addresses passed to it before accepting them
> for relay to my primary MX.  In Postfix I can put
> 
>   relay_recipient_maps = hash:/etc/postfix/valid_recipients
> 
> into /etc/postfix/main.cf and fill that valid_recipients file with
> 
>   f...@example.com x
>   b...@example.comx
> 
> I can come up with a full list -- no problem, but the question is how do
> I encode this list into the configuration of OpenSMTPD so that if the
> list contained f...@example.com and b...@example.com, but someone tries
> sending to foo...@example.com, that RCPT TO request is rejected before
> the email delivery begins.
> 

How you do it depends on which version you are running.

before 6.4:

  accept [...] recipient  [...]


after 6.4:

  match [..] rcpt-to  [...]


where table is a table containing a list of recipient addresses for that
rule to match.


> Second is about how to define custom mail transports.  Rather than using
> SMTP/SSL like I am now, I'd like the emails destined for relay to my
> server, to be encrypted using a RSA key, (well, AES, then RSA encrypt
> the AES key) then either:
> - scp'd to a special spool directory on my Linux server??? OR if it
> happens to be down,
> - placed in a special directory on the VPS for my server to later ciphon
> down using `rsync --remove-source-files` over SSH.  (Basically, a bit
> like UUCP.)
>

no custom mail transports in smtpd.

a way to achieve what you want is to write a custom mda, and this is
actually how i did it to achieve a use-case similar to yours in the
past.


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: smtpd - help needed tranlsating to new virtual map syntax [FIXED]

[Gilles Chehade]

On Tue, Jan 22, 2019 at 01:11:44AM +0100, Eric Elena wrote:
> On Mon, 21 Jan 2019 11:08:02 +0100 Gilles Chehade wrote:
> > I may sound a bit harsh, but starting a thread with "this is my last try
> > or I'll switch" (as if it actually matters) right before telling someone
> > who wants to help you that you actually tried _nothing_ then blaming the
> > code improvements for a use-case that could have never worked because it
> > not only uses the wrong _documented_ mechanism but also because the code
> > to make your use-case work has never existed, kinds of irritates me.
> > 
> > I don't get royalties on smtpd install, please install whatever software
> > fits your use case, this is how proper engineering works.
> 
> First of all thank you Gilles (and all the others who contributed to
> this project) for your amazing work on OpenSMTPD!
> 
> That said, there is a kind of sender rewriting mechanism in OpenSMTP.
> Well, it works for me (tm) I'm not saying it's perfect, it might be an
> overkill but at least it does what I want it to do. The conf is
> included below (only the part for rewriting the sender
> address):
>
> [...]
>
> When a mail is received (listen on all):
> - check if it is rejected
> - if not, if the email if for toto@my.domain, forward it to the very
> same OpenSMTP daemon on port 10030 using the authenticated user foo and
> using masq@my.domain as the MAIL-FROM in the SMTP session (enveloppe)
> - when an email is received on port 10030, tag it with the label MASQ.
> The authenticated user is allowed to send an email as the user
> masq@my.domain. The keyword masquerade modifies the From header (the
> message itself) to match the address given in the SMTP session
> - at that point, the sender address is rewritten both in the SMTP
> session and the headers
> - if the email is for toto@my.domain and is tagged with the label MASQ,
> the virtual user address is expanded to the real email address
> - continue like a normal message
> 
> There is probably room for improvement but I hope this helps.
> 

indeed, a bit overkill and now that we have removed the blockers we must
come up with a simpler way to achieve that...

but what you did, that's smart :-)


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: smtpd - help needed tranlsating to new virtual map syntax [FIXED]

[Gilles Chehade]

On Mon, Jan 21, 2019 at 01:04:16PM -0600, Adam Thompson wrote:
> 
> > Also, this is a recipient translation mechanism, similar to aliases, and
> > not a sender rewriting mechanism which we do not have at this point.
> > [...]
> > virtual _now_ only works on recipients, not senders ?
> > the virtual code hasn't changed, it works the way it always did.
> > 
> > there is no way it could ever do what you're describing or attempting to
> > do given that it doesn't operate at all anywhere near the message. there
> > is no way it has ever parsed:
> 
> This is all very surprising to hear.  The existing system works (somehow).
> So I am apparently misunderstanding what is happening, because with the
> configuration as shown, telling the various broken email senders to use that
> box as their mailhost _somehow_ fixes the bogus From: headers and envelopes.
> 

the entire virtual expansion happens between the client sending RCPT TO,
and the server responding Ok to that RCPT TO. virtual does not know of a
sender, never, and it is done before the message is actually received so
it doesn't know headers, which is why i'm 100% confident there isn't one
chance it could ever do what you describe.


> Oh, this just occurred to me as I'm writing:  I really hope I didn't switch
> to a different MTA on that system years ago, and then just forgot to check
> which MTA was actually running.  If that's the case, I'm not going to bother
> posting an update, because I'll be busy banging my head on the wall and then
> hiding in shame.
> 

that is a more likely possibility.


> > > I'm not convinced the new smtpd.conf grammar improves anything at
> > > all, but I assume it must help someone or it wouldn't have
> > > changed... but I believe my use case got thrown out with the
> > > bathwater, so to speak.  Oh, well.  :-(
> > This is bullshit.
> > The grammar doesn't reduce the functional scope, it can only expand it.
> 
> I'm taking your word for it - you will know far better than I do!
> 
> 
> > What you are describing has never existed in smtpd, there's never been
> > code to translate sender addresses and there's a good reason for that:
> 
> Good reasons aside, I still need to accommodate other vendor's broken mail
> implementations, because I can't fix them.  I know of multiple reasons
> source rewriting is a bad idea, in general, but I get paid to make stuff
> work, not just say that it's broken.
> 

oh, don't get me wrong, i'm not saying there's a good reason not to have
this rewriting, what i was saying is that there was a good reason why it
was not doable before the grammar change.

it is a useful feature which is part of my todo and which i will work on
as time allows.


> > it not considered doable before the grammar change...
> > But sure, blame it on the grammar.
> 
> I believed that the grammar change had rendered my use case impossible
> because  was now limited to local delivery methods.  Clearly I was
> wrong... and not even in the way I thought I might be wrong.
> 

yes, that's true.

using 'virtual' on relay rules didn't transform anything whatsoever, the
code had an explicit check to not enter the transformation lookups if we
were in a relay rule.

the new grammar just made it clear that what you were trying to do could
not work rather than accepting the criteria and disregarding it.


> > I may sound a bit harsh, but starting a thread with "this is my last try
> > or I'll switch" (as if it actually matters)
> 
> My apologies - that was meant to sound more like "I have a plan B so if this
> isn't possible, that's OK but I've wasted so much time on this I'm kinda
> running out of time, please tell me if I should just stop now and switch".
> I know *exactly* how much OpenBSD devs care if I use their code or not!  I
> do not want to be "that asshole", although it seems I've succeeded again -
> sorry.
> 
> Thank you for taking the time to reply.  Now I'm going to go check that mail
> server a 7,000,000th time, this time to see what MTA is actually *running*,
> not just *configured*.  I'm not sure whether I want it to be such a blatant
> mistake on my part or not... if yes, this all makes sense but I'm an idiot,
> whereas if no, then WTF, how is it working at all?
> 
> FWIW: I am much happier with OpenSMTPd than with other MTAs because of its
> forward-declarative configuration syntax.  Thank you for your work on
> bringing a modern, lean, secure(-er) MTA into existence.
> 

np ;-)



-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: smtpd - help needed tranlsating to new virtual map syntax [FIXED]

[Gilles Chehade]

sorry, I obviously f-up my last mail, this one is fixed ;-)


On Sun, Jan 20, 2019 at 04:14:05PM -0600, Adam Thompson wrote:
> As it turns out, no, that doesn't work.
> Trying to fix up broken sender mail domain-parts only simply gets me a "5.2.4 
> Mailing list expansion problem" error, with no debug output to suggest why.
> 
> In this test case, my translations map had:
> 
>   @bad.athompso.net @good.athompso.net
> 

What is a translation map ?

There is no such thing in OpenSMTPD (as of today).


> in it.  Obviously, this is a test setup :).
> Smtpd.conf itself consisted of:
> 
>   listen on all received-auth
>   smtp max-message-size 100M
>   table translations file:/etc/mail/translations  # ORIG->NEW 
> mappings
>   table allowed-hosts file:/etc/mail/allowed-hosts# Who can 
> connect?  (bare IP addresses or CIDR subnets)
>   action translate lmtp "/var/run/lmtp.sock" virtual
> # 1st pass on allowed rewrite mail
>   action forward forward-only 
> # and now it's not our problem anymore
>   match for any from local action forward # 2nd pass for 
> reinjected mail, this time just forward it
>   match for any from src  action translate # inbound mail 
> - hand it to LMTP, translating as we go
>
>


from table(5):

 Aliasing tables
 
 Aliasing tables are mappings that associate a recipient to one or many
 destinations.  They can be used in two contexts: primary domain aliases
 and virtual domain mapping.
 
 [...]
 
 In a virtual domain context, the key is either a user part, a full email
 address or a catch all, following selection rules described in
 smtpd.conf(5), and the value is one or many recipients as described in
 aliases(5):

   user1   otheruser
   us...@example.org   otheruser1,otheruser2
   @example.orgotheru...@example.com
   @   catch...@example.com


You're feeding the virtual table with invalid values.

Also, this is a recipient translation mechanism, similar to aliases, and
not a sender rewriting mechanism which we do not have at this point.


> A cursory glance at the source code (yikes, it's been a long time since I was 
> a programmer) suggests that virtual now only works on recipients, not 
> senders.  Which is too bad for me, as that means I'll have to switch at least 
> one box to use Postfix.
>

virtual _now_ only works on recipients, not senders ?

the virtual code hasn't changed, it works the way it always did.

there is no way it could ever do what you're describing or attempting to
do given that it doesn't operate at all anywhere near the message. there
is no way it has ever parsed:

@bad.athompso.net @good.athompso.net

and the only thing that changed is that such errors are now visible from
the session as:

5.2.4 Mailing list expansion problem

instead of an invalid recipient error like it probably did in 6.3


> I'm not convinced the new smtpd.conf grammar improves anything at all, but I 
> assume it must help someone or it wouldn't have changed... but I believe my 
> use case got thrown out with the bathwater, so to speak.  Oh, well.  :-(
>

This is bullshit.

The grammar doesn't reduce the functional scope, it can only expand it.

What you are describing has never existed in smtpd, there's never been
code to translate sender addresses and there's a good reason for that:

it not considered doable before the grammar change...

But sure, blame it on the grammar.


> (If anyone cares, the bad sender addresses are mostly alerts coming from 
> older Sun ALOMs and at least one Lexmark printer that also sends email with 
> broken From addresses.)
> 

I may sound a bit harsh, but starting a thread with "this is my last try
or I'll switch" (as if it actually matters) right before telling someone
who wants to help you that you actually tried _nothing_ then blaming the
code improvements for a use-case that could have never worked because it
not only uses the wrong _documented_ mechanism but also because the code
to make your use-case work has never existed, kinds of irritates me.

I don't get royalties on smtpd install, please install whatever software
fits your use case, this is how proper engineering works.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: smtpd - help needed tranlsating to new virtual map syntax

[Gilles Chehade]

 @example.orgotheru...@example.com
   @   catch...@example.com


You're feeding the virtual table with invalid values.

Also, this is a recipient translation mechanism, similar to aliases, and
not a sender rewriting mechanism which we do not have at this point.


> A cursory glance at the source code (yikes, it's been a long time since I was 
> a programmer) suggests that virtual now only works on recipients, not 
> senders.  Which is too bad for me, as that means I'll have to switch at least 
> one box to use Postfix.
>

virtual _now_ only works on recipients, not senders ?

the virtual code hasn't changed, it works the way it always did.

there is no way it could ever do what you're describing or attempting to
do given that it doesn't operate at all anywhere near the message. there
is no way it has ever parsed:

@bad.athompso.net @good.athompso.net

and the only thing that changed is that such errors are now visible from
the session as:

5.2.4 Mailing list expansion problem

instead of an invalid recipient error like it probably did in 6.3


> I'm not convinced the new smtpd.conf grammar improves anything at all, but I 
> assume it must help someone or it wouldn't have changed... but I believe my 
> use case got thrown out with the bathwater, so to speak.  Oh, well.  :-(
>

This is bullshit.

The grammar doesn't reduce the functional scope, it can only expand it.

What you are describing has never existed in smtpd, there's never been
code to translate sender addresses and there's a good reason for that:

it not considered doable before the grammar change...

But sure, blame it on the grammar.


> (If anyone cares, the bad sender addresses are mostly alerts coming from 
> older Sun ALOMs and at least one Lexmark printer that also sends email with 
> broken From addresses.)
> 


I may sound a bit harsh, but starting a thread with "this is my last try
or I'll switch" (as if it actually matters) right before telling someone
who wants to help you that you actually tried _nothing_ then blaming the
code improvements for a use-case that could have never worked because it
not only uses the wrong _documented_ mechanism but also because the code
to make your use-case work has never existed, kinds of irritates me.

I don't get royalties on smtpd install, please install whatever software
fits your use case, this is how proper engineering works.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: Opensmtpd auth in 6.4

[Gilles Chehade]

On Mon, Jan 14, 2019 at 01:42:19PM +0100, Flipchan wrote:
> I tried to echo it another way (echo -ne '\user\passwd' | base64 )
> and then 
> auth plain string
> and it works
> 
> 
> Now im getting new errrors :/ or i think i have misconfigured match, i cant 
> send to external addresses, log:
> http://dpaste.com/2M8JMQC.txt
> 

you need a rule that matches auth, for example:

match auth from any for any action "relay"


> On January 14, 2019 1:10:24 PM GMT+01:00, Gilles Chehade  
> wrote:
> >On Mon, Jan 14, 2019 at 01:03:19PM +0100, Flipchan wrote:
> >> Seems like it adds "\^J" to the username , i base64 encode it using:
> >> echo "user" | base64 
> >> 
> >> Log from smtpd -dv -T smtp :
> >> http://dpaste.com/0CAVJFF.txt
> >> 
> >
> >honestly, i'm confused by what you're doing
> >
> >can you setup a temporary account, with a temporary password,
> >authenticate to it
> >using a regular MUA (whichever you want, just don't auth manually), 
> >then trash
> >the account and send us logs that aren't doctored ?
> >
> >
> >
> >> On January 14, 2019 9:41:42 AM GMT+01:00, Gilles Chehade
> > wrote:
> >> >On Sat, Jan 12, 2019 at 05:36:11PM +0100, Flipchan wrote:
> >> >> Hey, am tryin to upgrade my opensmtpd 
> >> >> email server running on openbsd 6.3 towards a new one on 6.4, 
> >> >> i have used a simple config with the new syntax:
> >> >>  cat /etc/mail/smtpd.conf 
> >> >> 
> >> >> table aliases file:/etc/mail/aliases 
> >> >> 
> >> >> #table other-relays file:/etc/mail/other-relays 
> >> >> 
> >> >> pki mail.example.com cert "/etc/ssl/mail.example.com.crt" 
> >> >> pki mail.example.com key "/etc/ssl/private/mail.example.com.key" 
> >> >> 
> >> >> listen on lo0 
> >> >> listen on vio0 port 587 hostname example.com tls-require pki
> >> >mail.example.com auth mask-source 
> >> >> listen on vio0 port 25 hostname example.com tls pki
> >mail.example.com 
> >> >> 
> >> >> action "mbox" mbox alias  
> >> >> action "relay" relay
> >> >> 
> >> >> match for local action "mbox" 
> >> >> match for any action "relay"
> >> >> match from any for domain example.com action "mbox" 
> >> >> 
> >> >> 
> >> >> i cant login with a users regular username and passwd which is
> >weird.
> >> >
> >> >> In the documentation it says that it is suppose to take regular
> >user
> >> >creds if not a table is defined which it is not.
> >> >>  https://man.openbsd.org/smtpd.conf#listen_on
> >> >> 
> >> >>  "Users are authenticated against either their own normal login
> >> >credentials or a credentials table authtable, the format of which is
> >> >described in table(5)."
> >> >> 
> >> >>  Does anyone know what im doing wrong here? 
> >> >> 
> >> >> maillog: 
> >> >> Jan 12 16:47:49 host smtpd[95842]: XXX smtp connected
> >> >address=ip host=ip Jan 12 16:47:49 host 
> >> >> smtpd[95842]: XXX smtp starttls address=ip host=ip
> >> >ciphers="version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384,
> >bits=256"
> >> >Jan 12 16:47:49 host 
> >> >> smtpd[95842]: XXX smtp authentication user=user
> >> >address=ip host=ip result=permfail Jan 12 16:47:49 host 
> >> >> smtpd[95842]: XXX smtp failed-command address=ip
> >host=ip
> >> >command="AUTH PLAIN (...)" result="535 Authentication failed" Jan 12
> >> >16:47:49 host 
> >> >> smtpd[95842]: XXX smtp authentication user=user
> >> >address=ip host=ip result=permfail Jan 12 16:47:50 host 
> >> >> smtpd[95842]: XXX smtp failed-command address=ip
> >host=ip
> >> >command="AUTH LOGIN (password)" result="535 Authentication failed"
> >> >> 
> >> >
> >> >Hi,
> >> >
> >> >First of all, it should read mask-src and not mask-source, otherwise
> >> >the
> >> >auth keyword is assuming a table containing literal string
> >> >"mask-source"
> >> >and this will cause authentication to fail.
> >> >
> >> >A good method to troubleshoot, is to run smtpd in trace mode:
> >> >
> >> >  smtpd -dv -T smtp
> >> >
> >> >create a test user with a temporary password, so you can share the
> >> >trace
> >> >output here and we can try to figure out what's wrong ... but likely
> >> >the
> >> >mask-source issue is the cause here.
> >> >
> >> >
> >> >-- 
> >> >Gilles Chehade   @poolpOrg
> >> >
> >> >https://www.poolp.org tip me:
> >> >https://paypal.me/poolpOrg
> >> 
> >> -- 
> >> Sent from my Android device with K-9 Mail. Please excuse my brevity.
> >
> >-- 
> >Gilles Chehade  @poolpOrg
> >
> >https://www.poolp.org tip me:
> >https://paypal.me/poolpOrg
> 
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: Opensmtpd auth in 6.4

[Gilles Chehade]

On Mon, Jan 14, 2019 at 01:03:19PM +0100, Flipchan wrote:
> Seems like it adds "\^J" to the username , i base64 encode it using:
> echo "user" | base64 
> 
> Log from smtpd -dv -T smtp :
> http://dpaste.com/0CAVJFF.txt
> 

honestly, i'm confused by what you're doing

can you setup a temporary account, with a temporary password, authenticate to it
using a regular MUA (whichever you want, just don't auth manually),  then trash
the account and send us logs that aren't doctored ?



> On January 14, 2019 9:41:42 AM GMT+01:00, Gilles Chehade  
> wrote:
> >On Sat, Jan 12, 2019 at 05:36:11PM +0100, Flipchan wrote:
> >> Hey, am tryin to upgrade my opensmtpd 
> >> email server running on openbsd 6.3 towards a new one on 6.4, 
> >> i have used a simple config with the new syntax:
> >>  cat /etc/mail/smtpd.conf 
> >> 
> >> table aliases file:/etc/mail/aliases 
> >> 
> >> #table other-relays file:/etc/mail/other-relays 
> >> 
> >> pki mail.example.com cert "/etc/ssl/mail.example.com.crt" 
> >> pki mail.example.com key "/etc/ssl/private/mail.example.com.key" 
> >> 
> >> listen on lo0 
> >> listen on vio0 port 587 hostname example.com tls-require pki
> >mail.example.com auth mask-source 
> >> listen on vio0 port 25 hostname example.com tls pki mail.example.com 
> >> 
> >> action "mbox" mbox alias  
> >> action "relay" relay
> >> 
> >> match for local action "mbox" 
> >> match for any action "relay" 
> >> match from any for domain example.com action "mbox" 
> >> 
> >> 
> >> i cant login with a users regular username and passwd which is weird.
> >
> >> In the documentation it says that it is suppose to take regular user
> >creds if not a table is defined which it is not.
> >>  https://man.openbsd.org/smtpd.conf#listen_on
> >> 
> >>  "Users are authenticated against either their own normal login
> >credentials or a credentials table authtable, the format of which is
> >described in table(5)."
> >> 
> >>  Does anyone know what im doing wrong here? 
> >> 
> >> maillog: 
> >> Jan 12 16:47:49 host smtpd[95842]: XXX smtp connected
> >address=ip host=ip Jan 12 16:47:49 host 
> >> smtpd[95842]: XXX smtp starttls address=ip host=ip
> >ciphers="version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
> >Jan 12 16:47:49 host 
> >> smtpd[95842]: XXX smtp authentication user=user
> >address=ip host=ip result=permfail Jan 12 16:47:49 host 
> >> smtpd[95842]: XXX smtp failed-command address=ip host=ip
> >command="AUTH PLAIN (...)" result="535 Authentication failed" Jan 12
> >16:47:49 host 
> >> smtpd[95842]: XXX smtp authentication user=user
> >address=ip host=ip result=permfail Jan 12 16:47:50 host 
> >> smtpd[95842]: XXX smtp failed-command address=ip host=ip
> >command="AUTH LOGIN (password)" result="535 Authentication failed"
> >> 
> >
> >Hi,
> >
> >First of all, it should read mask-src and not mask-source, otherwise
> >the
> >auth keyword is assuming a table containing literal string
> >"mask-source"
> >and this will cause authentication to fail.
> >
> >A good method to troubleshoot, is to run smtpd in trace mode:
> >
> >  smtpd -dv -T smtp
> >
> >create a test user with a temporary password, so you can share the
> >trace
> >output here and we can try to figure out what's wrong ... but likely
> >the
> >mask-source issue is the cause here.
> >
> >
> >-- 
> >Gilles Chehade  @poolpOrg
> >
> >https://www.poolp.org tip me:
> >https://paypal.me/poolpOrg
> 
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: Opensmtpd auth in 6.4

[Gilles Chehade]

On Sat, Jan 12, 2019 at 05:36:11PM +0100, Flipchan wrote:
> Hey, am tryin to upgrade my opensmtpd 
> email server running on openbsd 6.3 towards a new one on 6.4, 
> i have used a simple config with the new syntax:
>  cat /etc/mail/smtpd.conf 
> 
> table aliases file:/etc/mail/aliases 
> 
> #table other-relays file:/etc/mail/other-relays 
> 
> pki mail.example.com cert "/etc/ssl/mail.example.com.crt" 
> pki mail.example.com key "/etc/ssl/private/mail.example.com.key" 
> 
> listen on lo0 
> listen on vio0 port 587 hostname example.com tls-require pki mail.example.com 
> auth mask-source 
> listen on vio0 port 25 hostname example.com tls pki mail.example.com 
> 
> action "mbox" mbox alias  
> action "relay" relay
> 
> match for local action "mbox" 
> match for any action "relay" 
> match from any for domain example.com action "mbox" 
> 
> 
> i cant login with a users regular username and passwd which is weird. 
> In the documentation it says that it is suppose to take regular user creds if 
> not a table is defined which it is not.
>  https://man.openbsd.org/smtpd.conf#listen_on
> 
>  "Users are authenticated against either their own normal login credentials 
> or a credentials table authtable, the format of which is described in 
> table(5)."
> 
>  Does anyone know what im doing wrong here? 
> 
> maillog: 
> Jan 12 16:47:49 host smtpd[95842]: XXX smtp connected address=ip 
> host=ip Jan 12 16:47:49 host 
> smtpd[95842]: XXX smtp starttls address=ip host=ip 
> ciphers="version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256" Jan 
> 12 16:47:49 host 
> smtpd[95842]: XXX smtp authentication user=user address=ip 
> host=ip result=permfail Jan 12 16:47:49 host 
> smtpd[95842]: XXX smtp failed-command address=ip host=ip 
> command="AUTH PLAIN (...)" result="535 Authentication failed" Jan 12 16:47:49 
> host 
> smtpd[95842]: XXX smtp authentication user=user address=ip 
> host=ip result=permfail Jan 12 16:47:50 host 
> smtpd[95842]: XXX smtp failed-command address=ip host=ip 
> command="AUTH LOGIN (password)" result="535 Authentication failed"
> 

Hi,

First of all, it should read mask-src and not mask-source, otherwise the
auth keyword is assuming a table containing literal string "mask-source"
and this will cause authentication to fail.

A good method to troubleshoot, is to run smtpd in trace mode:

  smtpd -dv -T smtp

create a test user with a temporary password, so you can share the trace
output here and we can try to figure out what's wrong ... but likely the
mask-source issue is the cause here.


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: CVS: cvs.openbsd.org: src (maillog simplified)

[Gilles Chehade]

On Tue, Jan 01, 2019 at 01:14:54PM +0100, Walter Alejandro Iglesias wrote:
> On Fri, Dec 21, 2018 at 06:59:58PM +0100, Gilles Chehade wrote:
> > On Fri, Dec 21, 2018 at 06:56:57PM +0100, Walter Alejandro Iglesias wrote:
> > > Hello Gilles,
> > > 
> > > In article <20181221145201.ga90...@ams-1.poolp.org> Gilles Chehade 
> > >  wrote:
> > > > On Fri, Dec 21, 2018 at 07:41:41AM -0700, Gilles Chehade wrote:
> > > > > CVSROOT:  /cvs
> > > > > Module name:  src
> > > > > Changes by:   gil...@cvs.openbsd.org  2018/12/21 07:41:41
> > > > > 
> > > > > Modified files:
> > > > >   usr.sbin/smtpd : smtp_session.c 
> > > > > 
> > > > > Log message:
> > > > > start simplifying log lines, they're no longer intended to be 
> > > > > parseable, we
> > > > > have a reporting API for tools that want to analyze events, maillog 
> > > > > is just
> > > > > for us, hoomans.
> > > > > 
> > > > 
> > > > that was not the best way to phrase my commit log ... sorry
> > > > 
> > > > i meant they're no longer intended to be friendlier to scripts than to
> > > > humans: there will still be in a format that's easy to quickly script,
> > > > but they will hold information easily readable by humans, not a lot of
> > > > unrelated context infos so tools can generate dashboards out of single
> > > > lines.
> > > > 
> > > > logs for humans, event reports for tools.
> > > > 
> > > 
> > > Since long I've been greping IPs from spammers and attackers from
> > > /var/log/maillog, /var/log/authlog and /var/log/daemon using a shell
> > > script I wrote that automatically includes them in a file read by a pf
> > > table.  In the case of maillog, it relies in the address="" and host=""
> > > info currently included.
> > > 
> > > Will it appear sender's IP and hostname in /var/log/maillog after this
> > > change?
> > > 
> > 
> > yes, you'll still be able to grep that information from maillog
> 
> You selected carefully the words in your answer. :-)
> 

not really, I don't know what your scripts do and how you wrote them.

the sender IP and hostname appear in the log, they are just not repeated
on every single log line but that shouldn't prevent scripts from keeping
track of them.

anyways, as stated in the commit log and my follow up message:

"we have a reporting API for tools that want to analyse events, maillog
 is just for us, hoomans"

"logs for humans, event reports for tools"

the maillog format is going to go through many changes to simplify it,
remove redundant information, add missing information, etc... basing a
script on it is not recommended as we'll break them with every change.


> Indeed, I still can grep "IP" and "host" in maillog, but they are alone
> in a first line and the only way to associate them with the following
> lines containing the from= to= and result= (to know what "happened" with
> that connection) is by using the connection id, what will *painfully*
> overcomplicate my scripts.
> 

As you imagine, I can't take into account individual scripts.

Other people have asked that the port or listener tag appear in lines.
Should these appear on all lines too ?
And the cipher ? and the authenticated user ?
Why is the IP/host information more legitimate to be repeated than other
information on every single line ?
What about the fcrdns check which will appear on connect lines, does the
check have to appear on every line now ?
What about the spf check when it is added at some point ?

maillog is not a context-free format, where each individual line carries
all of the information so you don't have to look at previous lines. Line
should describe an event and carry informations related to THAT event.

The only guarantee I make on the format is that you can always find what
you're looking for with at most 2 grep, one to find a session id, one to
find the event you're looking for.

That being said, there's a new reporting mechanism which is intended for
scripts and tools. It comes with a format that's easily parsable, that's
going to be stabilized, versionned and which actually provides more info
than maillog. It doesn't solve your context-free issue but it can easily
be used to script an output that repeats the info you need on all lines,
to be fed to your existing scripts. I have such scripts myself.

If you describe how your scripts work, I can probably help you.


> I don't know what's the opinion of the rest about this chang

Re: CVS: cvs.openbsd.org: src

[Gilles Chehade]

On Fri, Dec 21, 2018 at 06:56:57PM +0100, Walter Alejandro Iglesias wrote:
> Hello Gilles,
> 
> In article <20181221145201.ga90...@ams-1.poolp.org> Gilles Chehade 
>  wrote:
> > On Fri, Dec 21, 2018 at 07:41:41AM -0700, Gilles Chehade wrote:
> > > CVSROOT:  /cvs
> > > Module name:  src
> > > Changes by:   gil...@cvs.openbsd.org  2018/12/21 07:41:41
> > > 
> > > Modified files:
> > >   usr.sbin/smtpd : smtp_session.c 
> > > 
> > > Log message:
> > > start simplifying log lines, they're no longer intended to be parseable, 
> > > we
> > > have a reporting API for tools that want to analyze events, maillog is 
> > > just
> > > for us, hoomans.
> > > 
> > 
> > that was not the best way to phrase my commit log ... sorry
> > 
> > i meant they're no longer intended to be friendlier to scripts than to
> > humans: there will still be in a format that's easy to quickly script,
> > but they will hold information easily readable by humans, not a lot of
> > unrelated context infos so tools can generate dashboards out of single
> > lines.
> > 
> > logs for humans, event reports for tools.
> > 
> 
> Since long I've been greping IPs from spammers and attackers from
> /var/log/maillog, /var/log/authlog and /var/log/daemon using a shell
> script I wrote that automatically includes them in a file read by a pf
> table.  In the case of maillog, it relies in the address="" and host=""
> info currently included.
> 
> Will it appear sender's IP and hostname in /var/log/maillog after this
> change?
> 

yes, you'll still be able to grep that information from maillog

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

could use some spamdb output

[Gilles Chehade]

hello misc@,

If you are comfortable with sharing your spamdb output with me, it would
be very helpful in confirming or not some theories I have.

I do not need the sender/recipient parts, only the first two fields that
disclose if the connection is in GREY or WHITE list and IP address of MX
that initated the connection:

$ spamdb | grep -E '^(GREY|WHITE)\|' | cut -d\| -f1,2


Do not spam misc@ with that output, send it directly to me.

Thanks !

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: Core Dev?

[Gilles Chehade]

On Mon, Dec 03, 2018 at 08:40:50PM -0600, Vijay Sankar wrote:
> Well, (sorry if this is too much information) my kid started using OpenBSD
> at a very young age due to Antoine's gCompris package 10 or more years ago.
> Also, there is the very useful subscription for stable packages at
> mtier.org. So unless Theo de Raadt or Antoine Jacoutot say otherwise, I
> would think he is a core developer.
> 

Being a core developer, whatever that means, does not mean that anything
you write automatically becomes officialy supported by OpenBSD.

That being said you should ask ajacoutot@ because he is a core developer
whatever that means :-)



> On 12/3/18 6:17 PM, Ahmad Bilal wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> > 
> > Can anyone tell me,
> > Is Antoine Jacoutot a core openbsd developer?
> > 
> > And this is his account (not a impersonator?)
> > https://github.com/ajacoutot/aws-openbsd
> > 
> > Should I take it as a official way of running OpenBSD on AWS?
> > 
> > Sent with ProtonMail Secure Email.
> > -BEGIN PGP SIGNATURE-
> > Version: ProtonMail
> > Comment: https://protonmail.com
> > 
> > wsBcBAEBCAAQBQJcBceOCRD3irc5ItUgGgAAngIIAJVEZINkE1Md0/OGKeOQ
> > FX9BLNsAvLsmKZUEHIV4XnyM2kGe2kK/1uxfbboYD7oK6qnekVIDxRB4KjXz
> > xjhdRzlRkqS50DKFgmVT5z2FN34nDgdLRq3K+vO24jpYAWVYrrrgLsZkqpHp
> > YfNpOU1pMraiVWKWxEm1K8sqrIraunJoXU1DeBwsRveIm9W8lQhrakOK5w/A
> > LP7NegSZljctRmTvLDkSwkgdR9mH18y/DFAjj+TlA3oLNB+EkKGRgBxuEddb
> > BgoAU+9+PSgpoAUGXeWGlp/Q0caUP7lM/VlovbBJF8l+1uEZtc1euwtw8fo/
> > +cxZXDiMzDbouZAvSqG/60E=
> > =5R2I
> > -END PGP SIGNATURE-
> > 
> -- 
> Vijay Sankar
> ForeTell Technologies Limited
> vsan...@foretell.ca
> 

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: smtpd.conf and junk

[Gilles Chehade]

On Wed, Nov 21, 2018 at 09:21:46PM +0100, Thuban wrote:
> * Gilles Chehade  le [21-11-2018 21:06:39 +0100]:
> > On Wed, Nov 21, 2018 at 06:38:43PM +0100, Thuban wrote:
> > > * Edgar Pettijohn  le [21-11-2018 11:32:43 
> > > -0600]:
> > > > 
> > > > On Nov 21, 2018 8:22 AM, Thuban  wrote:
> > > > >
> > > > > Hi,
> > > > > I can't figure how to make this "junk" argument to work as 
> > > > > mentioned in The smtpd.conf manpages :
> > > > >
> > > > > If the junk argument is provided, the message will be
> > > > > moved to the Junk folder if it contains a positive X-Spam
> > > > > header.
> > > > >
> > > > >
> > > > > spams detected by spamassassin have multiple X-Spam-* headers, but 
> > > > > aren't placed
> > > > > into Junk folder.
> > > > >
> > > > > Any advice ?
> > > > >
> > > > >
> > > > >
> > > > > -- 
> > > > > ?? thuban
> > > > >
> > > > It looks for a header matching:
> > > > 
> > > > X-Spam: Yes
> > > > 
> > > > You may need to configure spamassassin to write it that way. I believe 
> > > > that the default is different, but I can't check right now.
> > > > 
> > > 
> > > I tried to add this in spamassassin.conf [0] :
> > > 
> > >   add_header spam X-Spam
> > > 
> > > But if you read the link [0] closely, it can't work because spamassassin 
> > > add
> > > headers "X-Spam-someting", never "X-Spam" : 
> > > 
> > >   All headers begin with X-Spam- (so a header_name Foo will generate a 
> > > header called X-Spam-Foo)
> > > 
> > > I guess the "junk" keyword in smtpd.conf was written to be handy, so I 
> > > miss
> > > something. Where ?
> > > 
> > 
> > You didn't miss anything, the maildir agent only supports X-Spam headers
> > as of today so this will need a diff to support SpamAssassin if it can't
> > generate a X-Spam header.
> > 
> 
> Okay, thanks, I doubt since english is not my main language.
> 
> > SpamAssassin wasn't a target when I wrote that feature but it's just one
> > diff away ;-)
> > 
> 
> Just need to check "X-Spam-Flag: YES" or "X-Spam-Status: Yes,.*" then.
> 
> Just curious, what was the target of that 'junk' feature ? rspamd ? Another ?
> 
> Regards.
> 

in -current, maildir junk now recognizes X-Spam-Flag: YES

cheers,

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: smtpd.conf and junk

[Gilles Chehade]

On Wed, Nov 21, 2018 at 09:21:46PM +0100, Thuban wrote:
> * Gilles Chehade  le [21-11-2018 21:06:39 +0100]:
> > On Wed, Nov 21, 2018 at 06:38:43PM +0100, Thuban wrote:
> > > * Edgar Pettijohn  le [21-11-2018 11:32:43 
> > > -0600]:
> > > > 
> > > > On Nov 21, 2018 8:22 AM, Thuban  wrote:
> > > > >
> > > > > Hi,
> > > > > I can't figure how to make this "junk" argument to work as 
> > > > > mentioned in The smtpd.conf manpages :
> > > > >
> > > > > If the junk argument is provided, the message will be
> > > > > moved to the Junk folder if it contains a positive X-Spam
> > > > > header.
> > > > >
> > > > >
> > > > > spams detected by spamassassin have multiple X-Spam-* headers, but 
> > > > > aren't placed
> > > > > into Junk folder.
> > > > >
> > > > > Any advice ?
> > > > >
> > > > >
> > > > >
> > > > > -- 
> > > > > ?? thuban
> > > > >
> > > > It looks for a header matching:
> > > > 
> > > > X-Spam: Yes
> > > > 
> > > > You may need to configure spamassassin to write it that way. I believe 
> > > > that the default is different, but I can't check right now.
> > > > 
> > > 
> > > I tried to add this in spamassassin.conf [0] :
> > > 
> > >   add_header spam X-Spam
> > > 
> > > But if you read the link [0] closely, it can't work because spamassassin 
> > > add
> > > headers "X-Spam-someting", never "X-Spam" : 
> > > 
> > >   All headers begin with X-Spam- (so a header_name Foo will generate a 
> > > header called X-Spam-Foo)
> > > 
> > > I guess the "junk" keyword in smtpd.conf was written to be handy, so I 
> > > miss
> > > something. Where ?
> > > 
> > 
> > You didn't miss anything, the maildir agent only supports X-Spam headers
> > as of today so this will need a diff to support SpamAssassin if it can't
> > generate a X-Spam header.
> > 
> 
> Okay, thanks, I doubt since english is not my main language.
> 
> > SpamAssassin wasn't a target when I wrote that feature but it's just one
> > diff away ;-)
> > 
> 
> Just need to check "X-Spam-Flag: YES" or "X-Spam-Status: Yes,.*" then.
> 

indeed, I think X-Spam-Flag is the right candidate.


> Just curious, what was the target of that 'junk' feature ? rspamd ? Another ?
> 

rspamd was my target yes

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: smtpd.conf and junk

[Gilles Chehade]

On Wed, Nov 21, 2018 at 06:38:43PM +0100, Thuban wrote:
> * Edgar Pettijohn  le [21-11-2018 11:32:43 -0600]:
> > 
> > On Nov 21, 2018 8:22 AM, Thuban  wrote:
> > >
> > > Hi,
> > > I can't figure how to make this "junk" argument to work as 
> > > mentioned in The smtpd.conf manpages :
> > >
> > > If the junk argument is provided, the message will be
> > > moved to the Junk folder if it contains a positive X-Spam
> > > header.
> > >
> > >
> > > spams detected by spamassassin have multiple X-Spam-* headers, but aren't 
> > > placed
> > > into Junk folder.
> > >
> > > Any advice ?
> > >
> > >
> > >
> > > -- 
> > > ?? thuban
> > >
> > It looks for a header matching:
> > 
> > X-Spam: Yes
> > 
> > You may need to configure spamassassin to write it that way. I believe that 
> > the default is different, but I can't check right now.
> > 
> 
> I tried to add this in spamassassin.conf [0] :
> 
>   add_header spam X-Spam
> 
> But if you read the link [0] closely, it can't work because spamassassin add
> headers "X-Spam-someting", never "X-Spam" : 
> 
>   All headers begin with X-Spam- (so a header_name Foo will generate a 
> header called X-Spam-Foo)
> 
> I guess the "junk" keyword in smtpd.conf was written to be handy, so I miss
> something. Where ?
> 

You didn't miss anything, the maildir agent only supports X-Spam headers
as of today so this will need a diff to support SpamAssassin if it can't
generate a X-Spam header.

SpamAssassin wasn't a target when I wrote that feature but it's just one
diff away ;-)

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: smtpd.conf and junk

[Gilles Chehade]

On Wed, Nov 21, 2018 at 03:22:45PM +0100, Thuban wrote:
> Hi,
> I can't figure how to make this "junk" argument to work as 
> mentioned in The smtpd.conf manpages :
> 
>   If the junk argument is provided, the message will be
>   moved to the Junk folder if it contains a positive X-Spam
>   header.
> 
> 
> spams detected by spamassassin have multiple X-Spam-* headers, but aren't 
> placed
> into Junk folder.
> 
> Any advice ?
> 

without seeing examples of these headers and your config, it's hard to
understand what's incorrect ;-)

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: "relay as" domain rewrite in new smtpd.conf syntax

[Gilles Chehade]

On Thu, Nov 08, 2018 at 12:40:51PM -0500, Allan Streib wrote:
> Prior to 6.4, in smtpd.conf(5), the relay directive supported the "as"
> parameter:
> 
> If the as parameter is specified, smtpd(8) will rewrite the sender
> advertised in the SMTP session. address may be a user, a domain
> prefixed with ???@???, or an email address, causing smtpd(8) to rewrite
> the user-part, the domain-part, or the entire address, respectively.
> 
> In the new smtpd.conf(5) syntax, how is that rewrite achieved,
> specifically the "@" prefix behavior to rewrite the domain part?
> 


 The relay delivery methods also support additional options:

 [...]
 
 mail-from mailaddr
 Use mailaddr as the MAIL FROM address within the SMTP
 transaction.


so this would be something like:

   action relay_00 relay mail-from "@foobar.org"
   
   match [...] action relay_00





-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: spamd and google smtp ips

[Gilles Chehade]

On Tue, Oct 30, 2018 at 08:59:07PM +0100, Peter N. M. Hansteen wrote:
> On 10/30/18 8:46 PM, Chris Narkiewicz wrote:
> > W dniu 30/10/2018 o??19:31, Peter N. M. Hansteen pisze:
> >> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
> >> man pages) is for.
> >>
> >> To some extent it helps to whitelist IP addresses and networks that
> >> domains list in their SPF info.
> > 
> > Yeah, I hoped there are some reputable sources of validated mail
> > sources based on SPF and DKIM.
> > 
> > I'll give a try to your compiled list, but the fact you maintain
> > it manually is a bit discouraging.
> 
> Fortunately MX records and by extension SPF info per domain changes
> infrequently enough that a semi-manually maintained list will be mostly
> right, most of the time.
> 
> But you're right in principle -- I *should* really take the time out to
> recreate the list of domains that went into it and just re-generate with
> smtpctl spf walk something like once per day or once per week.
> 

Like this ?

https://github.com/Mailbrix/lists

:-)

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: OpenSMTPd: "mail.lmtp: connect: Connection refused"

[Gilles Chehade]

On Wed, Oct 17, 2018 at 10:44:19PM +0300, Atanas Vladimirov wrote:
> Hi misc,
> 
> Please, let me know if this mailing list is not the right place for this
> question.
> 
> I'm following -current and I found that maybe something is wrong with my
> setup.
> When the server boots the first time after an upgrade the emails from the
> installer are lost because of `result=PermFail stat=Error ("mail.lmtp:
> connect: Connection refused")`.
> I did a few tests and the problem appears when the dovecot is not running
> (or before it's been started during the boot cycle).
> 

hi,

for the record, the mail.lmtp mda was being too strict about the connect
failures.

this was not an issue before because smtpd was being extremely cautious,
handling all MDA failures as TempFail but this came with other issues so
in 6.4 we aligned with Postfix handling only some exit codes as tempfail
and all others as permfail.

diff going to the tree in a minute, tested by Atanas ;-)

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Running your own mail server

[Gilles Chehade]

On Fri, Sep 28, 2018 at 12:25:12PM +0200, Aham Brahmasmi wrote:
> Craig,
> 
> Thank you for your exhaustive reply - the list of checks along with
> current workarounds to achieve them are very helpful. I now know that
> I need to learn even more.
> 

Indeed, interesting reading.


> > OpenSMTPd's filter interface is not yet usable (last update 12/2014):
> > http://www.poolp.org/posts/2014-12-12/the-state-of-filters/
> 
> Slide 73 of https://www.openbsd.org/papers/eurobsdcon2017-opensmtpd.pdf
> mentions smtpfd - smtp filtering daemon. The slides are informative in
> terms of the thinking behind filters that OpenSMTPD plans to introduce.
> Some of the changes proposed in that talk like the modified grammar are
> now in -current. I may be wrong here but the filter/smtpfd might have
> been held back for post-6.4 introduction.
> 

That is exactly the case.

I have a non-invasive implementation of filters which I'm happy with and
which I intend to commit shortly after OpenBSD 6.4 is tagged, so we have
a full release cycle to work on details, keywords and such, in order for
the feature to be production ready for 6.5.

I _do_ have filters on my laptop right now.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Issue with OpenSMTPD, procmail and comsat

[Gilles Chehade]

On Mon, Sep 03, 2018 at 12:25:55PM +0200, d.rausch...@gmail.com wrote:
> Hi Gilles,
> 
> On Sun, Sep 02, 2018 at 01:25:46PM +0200, Gilles Chehade wrote:
> > Can you provide me with the corrupt line procmail includes so I can
> > check if it is invalid indeed ?
> 
> The corrput line:
> 
> From d...@ws.lan  Mon Sep  3 12:12:34 2018
> 
> The differenc I encountered is with .forward to procmail there are
> TWO spaces between the email address and the date, without .forward to
> procmail there is only ONE space.
> 
> If I edit such a two spaced mail with vi(1) and concat it to
> /var/mail/$USER comsat(8) is silenced. No error message but ksh
> reports "you have mail in /var/mail/dra" as it should.
> 

interesting, it's not clear to me how this can happen but at least this
means the fix will not be a special case.

can you try:

procmail -f %{mbox.from} --

i'll try to reproduce the bug at home but I'm unable before tonight.



-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Issue with OpenSMTPD, procmail and comsat

[Gilles Chehade]

You forgot to mention what version of OpenBSD you are using ?

On Sun, Sep 02, 2018 at 01:03:48PM +0200, d.rausch...@gmail.com wrote:
> Hi,
> 
> I figured out an issue with opensmtpd, procmail, and comsat.
> The .forward for procamil must be
> 
> "|exec /usr/local/bin/procmail -f - || exit 75"
> 
> The -f - option makes procmail to include a dummy mail-from header
> line. But this line is corrupt. comsat(8) does not like this:
> 
> Sep  1 19:10:41 ws comsat[11416]: ':/var/mail/dra' is invalid
> 
> in /var/log/messages. But mutt can read this mail.
> 
> Without the -f - option in the .forward file my mailspool is corrupted
> because of the missin first line (mail-from header). The currect
> solution is: I have turned off comsat in inetd.conf. But i am
> unsatisfied with this. It would be better if opensmtpd would include
> the mail-from header if processinf the .forward to procmail.
> 

I don't like the idea that because procmail produces a corrupt line that
comsat doesn't understand, smtpd should have a special case and parse an
aliases mapping or forward files looking for the string "procmail".

If you're running current, you might want to try:

   "|exec /usr/local/bin/procmail -f %{mbox.from} || exit 75"

in case it helps procmail produce a correct sender.

Can you provide me with the corrupt line procmail includes so I can
check if it is invalid indeed ?

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: New laptop recommendations

[Gilles Chehade]

I love my DELL Latitude E7240 :-)


June 19, 2018 1:01 PM, "Jeffrey Joshua Rollin"  wrote:

> Definitely second the ThinkPad recommendations. I have an X230i, bought used, 
> on which I currently
> run OpenBSD 6.3, and an E550 on which I've used OpenBSD in the past; both run 
> perfectly as of 6.2,
> except for the fingerprint reader on the X (although to be fair I haven't 
> tried that again
> recently).
> 
> Jeff
> 
> ⁣Sent from Blue ​
> 
> On 19 Jun 2018, 11:51, at 11:51, Daniel Gracia  wrote:
> 
>> I would opt for a Thinkpad. Actually working with a T460s; runs like a
>> charm. If you are looking for mobility, a T series should fit. If you
>> need
>> more horsepower take a look at P series.
>> 
>> Of course those are my preferences, YMMV!
>> 
>> Regards.
>> 
>> El mar., 19 jun. 2018 a las 12:41, Rupert Gallagher
>> ()
>> escribió:
>> 
>>> I'm done with my 10 years old 1200EUR MacBookPro. It served me well,
>> 
>> every
>>> day, but is now falling apart, finally.
>>> 
>>> I would buy a new one if only Steve Jobs would be alive and keeping
>> 
>> Apple
>>> inspired. The new models are meticulously designed to make you
>> 
>> suffer:
>>> expensive, slow cpu, soldered ram, soldered disk, small disk, bad
>> 
>> keyboard
>>> keys, wifi only, must pay extra for standard connectors.
>>> 
>>> I have 1500EUR for a new laptop. What would you buy with it?


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: smtpd.conf new grammar

[Gilles Chehade]

On Sun, May 27, 2018 at 08:05:05AM -0500, ed...@pettijohn-web.com wrote:
> 
> On May 27, 2018 2:10 AM, viq <vic...@gmail.com> wrote:
> >
> > On 18-05-26 20:30:32, Amelia A Lewis wrote:
> > > On Sun, 27 May 2018 00:43:02 +0200, viq wrote:
> > > > Sorry, I've read the announcements, looked at man pages and examples,
> > > > but still didn't manage to figure out how to translate "deliver via 
> > > > dovecot
> > > > lmtp"
> > > > (to have sieve working) into the new syntax. So far my config was:
> > > > 
> > > > table vusers ldap:/etc/mail/ldap.conf
> > > > table vdomains ldap:/etc/mail/ldap.conf
> > > > table passwd ldap:/etc/mail/ldap.conf
> > > > 
> > > > accept from local for local virtual  deliver to lmtp
> > > > "/var/dovecot/lmtp"
> > > > accept from any for domain  virtual  deliver to lmtp
> > > > "/var/dovecot/lmtp"
> > > > 
> > > > 
> > > > I tried changing those into:
> > > > 
> > > > action "lmtp-local" mda "/usr/libexec/mail.lmtp -d /var/dovecot/lmtp"
> > > > virtual 
> > > > action "relay" relay
> > > > match from local for local action "lmtp-local"
> > > > match from any for domain  action "lmtp-local"
> > > > match from local for any action "relay"
> > > > 
> > > > 
> > > > but delivery attempts fail with Error ("mail.lmtp: sender must be 
> > > > specified
> > > > with -f")
> > > > 
> > > > What would be the proper config for this?
> > > 
> > > Good point (and I'm going to need it, too, when I get to that point, 
> > > for dovecot lmtp on one machine and dspam lmtp on another).
> > > 
> > > Gilles, shouldn't there be a keyword 'lmtp' to go along with 
> > > mbox/maildir/mda/relay/forward-only/expand-only? Comparing old (6.2) 
> > > smtp.conf(5) with the updated one linked from your article, it seems to 
> > > be the only missing method of delivery.
> > > 
> > > Or perhaps it just got skipped in the man page? viq, have you tried 
> > > 
> > > action "lmtp-local" lmtp "/var/dovecot/lmtp"
> > > 
> > > ?
> >
> > No, FAQ is very explict about it being removed:
> > http://www.openbsd.org/faq/current.html#r20180524
> >
> 
> That makes me sad :(.  That is a really ugly line in the config.
> 

ok, let me explain the issue and if you gals and guys come up with some
solution that isn't hackish, I won't oppose it :-)

mbox is easy, no parameters need to be exposed to config, we can easily
provide a syntaxic sugar:

   action foobar mbox = action foobar mda "/usr/libexec/mail.local ..."


maildir is easy, no parameters needs to be exposed to config ... except
for a single path that can be expressed as a STRING, we can easily give
syntax sugar too.

   action foobar maildir = action foobar mda "/usr/libexec/mail.maildir ..."
   action foobar maildir path = action foobar mda "/usr/libexec/mail.maildir 
path ..."


lmtp is not easy, it requires multiple parameters and people have a lot
of different use-cases with it. I can't easily provide a syntaxic sugar
and we must expose -d, -f, rcpt-to, etc... this isn't acceptable for me
so if you manage to make all options fit in one STRING I will be ok but
if I have to add keywords specific I won't.

Something like:

> > > action "lmtp-local" lmtp "/var/dovecot/lmtp"

would be fine by me, but people are using other parameters than just the
lmtp socket, or maybe we can provide a syntaxic sugar for this case, and
people using any other option must use the longer option ?

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: opensmtpd / ldap unreliable

[Gilles Chehade]

On Thu, May 24, 2018 at 11:45:40AM -0700, Paul B. Henson wrote:
> > From: Gilles Chehade
> > Sent: Wednesday, May 23, 2018 1:20 PM
> > 
> > That's bad but could easily be fixed if you want to help us
> 
> So I dropped in the latest table-ldap from git, and it still failed
> authentications after an LDAP server outage. It looks like the check is only
> in the table_ldap_check function? I'm not sure what that's for, but it
> doesn't seem to be called at all when doing authentication. I added a
> similar check into the table_ldap_lookup function, and also had to reorder
> the functions  in the file a bit due to errors like this:
> 
> table_ldap.c:92:15: warning: implicit declaration of function 'ldap_open' is
> invalid in C99 
>   [-Wimplicit-function-declaration]   
> 
> Afterwards, opensmtpd successfully reconnected to LDAP and performed
> authentication after an LDAP outage :).
> 
> users[14726]: debug: table_ldap: ldap_query:
> filter=(&(objectClass=uidObject)(uid=henson)), ret=0
> users[14726]: debug: table-ldap: reconnecting
> users[14726]: info: table-ldap: closed previous connection
> users[14726]: debug: ldap server accepted credentials
> users[14726]: debug: table_ldap: ldap_query:
> filter=(&(objectClass=uidObject)(uid=henson)), ret=1
> 
> 
> Here's what my changes currently are. I can submit a pull request on github
> if you'd like. Thanks.
> 

please do so we have more people able to test

I'll review shortly



> diff --git a/extras/tables/table-ldap/table_ldap.c
> b/extras/tables/table-ldap/table_ldap.c
> index 88c9ffd..9d20526 100644
> --- a/extras/tables/table-ldap/table_ldap.c
> +++ b/extras/tables/table-ldap/table_ldap.c
> @@ -74,45 +74,6 @@ table_ldap_update(void)
> return 1;
>  }
>  
> -static int
> -table_ldap_check(int service, struct dict *params, const char *key)
> -{
> -   int ret;
> -
> -   switch(service) {
> -   case K_ALIAS:
> -   case K_DOMAIN:
> -   case K_CREDENTIALS:
> -   case K_USERINFO:
> -   case K_MAILADDR:
> -   if ((ret = ldap_run_query(service, key, NULL, 0)) >= 0) {
> -   return ret;
> -   }
> -   log_debug("debug: table-ldap: reconnecting");
> -   if (!(ret = ldap_open())) {
> -   log_warnx("warn: table-ldap: failed to connect");
> -   }
> -   return ret;
> -   default:
> -   return -1;
> -   }
> -}
> -
> -static int
> -table_ldap_lookup(int service, struct dict *params, const char *key, char
> *dst, size_t sz)
> -{
> -   switch(service) {
> -   case K_ALIAS:
> -   case K_DOMAIN:
> -   case K_CREDENTIALS:
> -   case K_USERINFO:
> -   case K_MAILADDR:
> -   return ldap_run_query(service, key, dst, sz);
> -   default:
> -   return -1;
> -   }
> -}
> -
>  static int
>  table_ldap_fetch(int service, struct dict *params, char *dst, size_t sz)
>  {
> @@ -361,6 +322,32 @@ err:
> return 0;
>  }
>  
> +static int
> +table_ldap_lookup(int service, struct dict *params, const char *key, char
> *dst, size_t sz)
> +{
> +   int ret;
> +
> +   switch(service) {
> +   case K_ALIAS:
> +   case K_DOMAIN:
> +   case K_CREDENTIALS:
> +   case K_USERINFO:
> +   case K_MAILADDR:
> +   if ((ret = ldap_run_query(service, key, dst, sz)) > 0) {
> +   return ret;
> +   }
> +   log_debug("debug: table-ldap: reconnecting");
> +   if (!(ret = ldap_open())) {
> +   log_warnx("warn: table-ldap: failed to connect");
> +   return ret;
> +   }
> +   return ldap_run_query(service, key, dst, sz);
> +   default:
> +   return -1;
> +   }
> +}
> +
> +
>  static int
>  ldap_query(const char *filter, char **attributes, char ***outp, size_t n)
>  {
> @@ -498,6 +485,31 @@ end:
> return ret;
>  }
>  
> +static int
> +table_ldap_check(int service, struct dict *params, const char *key)
> +{
> +   int ret;
> +
> +   switch(service) {
> +   case K_ALIAS:
> +   case K_DOMAIN:
> +   case K_CREDENTIALS:
> +   case K_USERINFO:
> +   case K_MAILADDR:
> +   if ((ret = ldap_run_query(service, key, NULL, 0)) >= 0) {
> +   return ret;
> +   }
> +   log_debug("debug: table-ldap: reconnecting");
> +   if (!(ret = ldap_open())) {
> +   log_warnx("warn: table-ldap: failed to connect");
> +   }
> +   return ret;
> +   default:
> +   return -1;
> +   }
> +}
> +
> +
>  int
>  main(int argc, char **argv)
>  {
> 
> 

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Checking my new smtpd.conf syntax

[Gilles Chehade]

On Fri, May 25, 2018 at 09:37:07PM +0200, Walter Alejandro Iglesias wrote:
> On Fri, May 25, 2018 at 03:58:59PM +0300, Consus wrote:
> > On 14:31 Fri 25 May, Gilles Chehade wrote:
> > > On Fri, May 25, 2018 at 02:20:50PM +0200, Walter Alejandro Iglesias wrote:
> > > > Could someone tell me if my changes below are OK. :-)
> > > > 
> > > > The part I'm not clear is I read in current.html remote authenticated
> > > > users need a explicit rule.  Do I need to add some "match auth" rule?
> > > > 
> > > 
> > > yes.
> > > 
> > > before, "from local" would match authenticated users as if they had sent
> > > mail from the local machine but this led to being unable to express some
> > > setups where depending on the source you want to relay to different hubs
> > > even though users are authenticated.
> > > 
> > > 
> > > With this:
> > > 
> > > > match from local for local apply local_users
> > > > match from any for domain  virtual  apply 
> > > > local_users
> > > > match from local sender  for any apply remote_users
> > > 
> > > you need an additonal rule such as:
> > > 
> > > match auth from any sender  for any apply remote_users
> > > 
> > > 
> > > because:
> > > 
> > > > #accept from local sender  for any relay
> > > 
> > > no longer matches authenticated users
> > 
> > Ain't it "action local_users" instead of "apply local_users"? The man
> > page states "action".
> 
> I took the "apply" from here:
> 
>   https://undeadly.org/cgi?action=article;sid=20180430122930
> 
> Now reading this:
> 
>   https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/
> 
> I see I also have to change the "certificate" keyword to "cert" here:
> 
>   pki $server cert "/etc/ssl/server.crt"
> 
> 
> Gilles, I also saw the "ca" directive.  I've been using the acme
> certificates in pki directives, can I use them in the "ca" directive
> too? (any advantage in doing this?)
> 

don't touch a knob if you don't KNOW that you absolutely need it.

I know why some people would like to use a custom CA certificate instead
of the one shipped with the system, I don't know why YOU should do it so
if you are asking I can only guess you are going to break your setup.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Checking my new smtpd.conf syntax

[Gilles Chehade]

On Fri, May 25, 2018 at 09:27:21AM -0400, Amelia A Lewis wrote:
> On Fri, 25 May 2018 16:15:00 +0300, Consus wrote:
> > On 15:14 Fri 25 May, Gilles Chehade wrote:
> >> On Fri, May 25, 2018 at 03:58:59PM +0300, Consus wrote:
> >>> On 14:31 Fri 25 May, Gilles Chehade wrote:
> >>>> 
> >>>> you need an additonal rule such as:
> >>>> 
> >>>> match auth from any sender  for any apply remote_users
> >>>> 
> >>>> because:
> >>>> 
> >>>>> #accept from local sender  for any relay
> >>>> 
> >>>> no longer matches authenticated users
> >>> 
> >>> Ain't it "action local_users" instead of "apply local_users"? The man
> >>> page states "action".
> >> 
> >> oopsie, yes, action, forget about apply, it doesn't exist, I should not
> >> answer mail while talking on the phone :-)
> > 
> > Frankly, I like apply better :(
> 
> For what it's worth (this is *not* a democracy), I like apply better as 
> well. "action" to declare; "apply" to refer. There's then no 
> possibility that someone will attempt to create an action "inline" in a 
> match directive; the syntax of reference is 'keyword barename' while 
> the syntax of declaration is 'keyword uniquename activities'. Different 
> keywords makes it unambiguous for humans; can't use declaration syntax 
> where reference keyword is used.
> 
> I looked at your tests, Gilles, and was hopeful because they all use 
> 'apply'. I found that easier to understand. However ... chances are, if 
> the tests were created early, that others have already argued in favor 
> of using the same keyword for declarations and references.
> 

indeed, but at least your mail made me update the tests :-)

thanks!


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Checking my new smtpd.conf syntax

[Gilles Chehade]

On Fri, May 25, 2018 at 04:15:00PM +0300, Consus wrote:
> On 15:14 Fri 25 May, Gilles Chehade wrote:
> > On Fri, May 25, 2018 at 03:58:59PM +0300, Consus wrote:
> > > On 14:31 Fri 25 May, Gilles Chehade wrote:
> > > > On Fri, May 25, 2018 at 02:20:50PM +0200, Walter Alejandro Iglesias 
> > > > wrote:
> > > > > Could someone tell me if my changes below are OK. :-)
> > > > > 
> > > > > The part I'm not clear is I read in current.html remote authenticated
> > > > > users need a explicit rule.  Do I need to add some "match auth" rule?
> > > > > 
> > > > 
> > > > yes.
> > > > 
> > > > before, "from local" would match authenticated users as if they had sent
> > > > mail from the local machine but this led to being unable to express some
> > > > setups where depending on the source you want to relay to different hubs
> > > > even though users are authenticated.
> > > > 
> > > > 
> > > > With this:
> > > > 
> > > > > match from local for local apply local_users
> > > > > match from any for domain  virtual  apply 
> > > > > local_users
> > > > > match from local sender  for any apply remote_users
> > > > 
> > > > you need an additonal rule such as:
> > > > 
> > > > match auth from any sender  for any apply remote_users
> > > > 
> > > > 
> > > > because:
> > > > 
> > > > > #accept from local sender  for any relay
> > > > 
> > > > no longer matches authenticated users
> > > 
> > > Ain't it "action local_users" instead of "apply local_users"? The man
> > > page states "action".
> > 
> > oopsie, yes, action, forget about apply, it doesn't exist, I should not
> > answer mail while talking on the phone :-)
> 
> Frankly, I like apply better :(
> 

no matter the keywords, there's no way 100% people would be satisfied :)

be happy, first iteration was "match [...] => foobar", now 'action' does
not look so bad hu ?


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Checking my new smtpd.conf syntax

[Gilles Chehade]

On Fri, May 25, 2018 at 03:58:59PM +0300, Consus wrote:
> On 14:31 Fri 25 May, Gilles Chehade wrote:
> > On Fri, May 25, 2018 at 02:20:50PM +0200, Walter Alejandro Iglesias wrote:
> > > Could someone tell me if my changes below are OK. :-)
> > > 
> > > The part I'm not clear is I read in current.html remote authenticated
> > > users need a explicit rule.  Do I need to add some "match auth" rule?
> > > 
> > 
> > yes.
> > 
> > before, "from local" would match authenticated users as if they had sent
> > mail from the local machine but this led to being unable to express some
> > setups where depending on the source you want to relay to different hubs
> > even though users are authenticated.
> > 
> > 
> > With this:
> > 
> > > match from local for local apply local_users
> > > match from any for domain  virtual  apply local_users
> > > match from local sender  for any apply remote_users
> > 
> > you need an additonal rule such as:
> > 
> > match auth from any sender  for any apply remote_users
> > 
> > 
> > because:
> > 
> > > #accept from local sender  for any relay
> > 
> > no longer matches authenticated users
> 
> Ain't it "action local_users" instead of "apply local_users"? The man
> page states "action".

oopsie, yes, action, forget about apply, it doesn't exist, I should not
answer mail while talking on the phone :-)


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Checking my new smtpd.conf syntax

[Gilles Chehade]

On Fri, May 25, 2018 at 02:20:50PM +0200, Walter Alejandro Iglesias wrote:
> Could someone tell me if my changes below are OK. :-)
> 
> The part I'm not clear is I read in current.html remote authenticated
> users need a explicit rule.  Do I need to add some "match auth" rule?
> 

yes.

before, "from local" would match authenticated users as if they had sent
mail from the local machine but this led to being unable to express some
setups where depending on the source you want to relay to different hubs
even though users are authenticated.


With this:

> match from local for local apply local_users
> match from any for domain  virtual  apply local_users
> match from local sender  for any apply remote_users

you need an additonal rule such as:

match auth from any sender  for any apply remote_users


because:

> #accept from local sender  for any relay

no longer matches authenticated users



-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: smtpd.conf new grammar

[Gilles Chehade]

On Thu, May 24, 2018 at 04:38:17PM -0400, Rupert Gallagher wrote:
> On Thu, May 24, 2018 at 14:18, Gilles Chehade <gil...@poolp.org> wrote:
> 
> > In effect, instead of having:
> > accept from any for local deliver to mbox
> >
> > You will have:
> > action "my_action" mbox
> > match from any for local action "my_action"
> 
> It may solve some obscure technical problem, but is a horrible thing to read 
> and write. How about keeping the best of both worlds? Leave the old beautiful 
> PF-like syntax to humans, and translate it into the newEgyptian(tm) on the 
> fly?

It doesn't solve "obscure" technical problems, it solves _many_ issues a
lot of users have reported ranging from syntax ambiguity to envelopes on
disk not reflecting changes in configuration. One-line rules have lot of
consequences which go far beyond the configuration phase: the structures
are impacted, the ruleset evaluation is impacted, the aliases expansions
are impacted, the queue is impacted, format of envelopes are impacted, I
could go on and on since this impacts almost the entire daemon actually.


The impact is not just cosmethic stuff. I removed _hundreds_ of lines of
very unnecessary and complex code that was ONLY there to make the design
error work. Some of these removals led to concrete security improvements
like .forward files, written by untrusted users, be processed with their
privileges rather than _smtpd. Not doable with one-line rules.


I could write pages about the shortcomings from the previous config, and
pages about why it can't be made to work and why the new config fixes it
in the proper way. We tried hard to find ways to retain a one-line rules
configuration but after months we exhausted the ideas and we have a much
clearer understanding that it's NOT doable. Either we accept that, or we
are just going to grow more complex and slowly stop writing code because
every time you touch an area there's a risk you run into the complexity.


You don't have to trust my word:

> How about keeping the best of both worlds? Leave the old beautiful PF-like 
> syntax to humans,
> and translate it into the newEgyptian(tm) on the fly?

If this was possible, then you could easily write a translator that will
convert old grammar to new one without removing all the benefits and not
reintroducing the complex code.

By all means, show me, I'd be impressed for real.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

smtpd.conf new grammar

[Gilles Chehade]

Hi,

I have just committed a major change in smtpd that'll require smtpd.conf
to be rewritten before your update to the new code.

The new grammar is not TOO different from the former one, a lot of stuff
remains exactly identical, but the ruleset is now split into two parts:

- a named action
- a matching pattern which is associated to a named action

In effect, instead of having:

accept from any for local deliver to mbox


You will have:

action "my_action" mbox

match from any for local action "my_action"


There are a few keywords that have been shortened too but all in all the
switch to new grammar is easy, the smtpd.conf man page has been updated,
and it continues being improved thanks to ingo and jmc.

The man page by itself should be enough to do the switch.

Since this is quite a major change, I also wrote a post that describes a
conversion of my own complex smtpd.conf to new grammar:

https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/


I have also compiled a list of directives recognized by the parser which
I intend to use for regress tests:

https://poolp.org/~gilles/smtpd.conf


As for the reasons behind the change they are numerous, I explained some
at EuroBSDCon 2017, I explained some on my blog, the bottom line is that
while one-line rules were apparently an awesome idea, they were actually
a design error that had consequences on pretty much the entire daemon.

We didn't realize it until a few months ago, we tried hard to maintain a
one-line rule grammar but it became more and more obvious that this just
isn't doable without creating issues and unnecessary complexity.

The new grammar is cleaner, it helped remove ~700 lines of complex code,
made the handling of .forward files as well much safer, removed a lot of
very unpleasant side-effects most people didn't even realize existed ...
until they hit that one case for which we had no way to work around.


Anyways,
looking forward for you to test and report how it works for you :-)


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: opensmtpd / ldap unreliable

[Gilles Chehade]

On Wed, May 23, 2018 at 10:19:47PM +0200, Gilles Chehade wrote:
> On Tue, May 22, 2018 at 06:13:23PM -0700, Paul B. Henson wrote:
> > So I recently converted my opensmtpd server to use ldap as the backend
> > for user authentication. It seems it's a bit untolerant to ldap issues?
> >
> > [...]
> > 

Just to clarify, the "extras" are add-ons which we believe not to belong
in the smtpd code base, so the amount of efforts we pour on them is very
dependant on the interest of developers and the interest the community's
showing for the add-on, it's a community and volunteer driven effort.

None of the add-ons are part of the opensmtpd roadmap, some became quite
popular like table-sqlite or table-passwd and are well maintained, other
have very few users who aren't pushing much for improvement, so the code
doesn't evolve much and/or we are not aware of shortcomings.

If you want proper ldap support, become active and it will happen :-)x


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: opensmtpd / ldap unreliable

[Gilles Chehade]

On Tue, May 22, 2018 at 06:13:23PM -0700, Paul B. Henson wrote:
> So I recently converted my opensmtpd server to use ldap as the backend
> for user authentication. It seems it's a bit untolerant to ldap issues?
> 

yes most likely


If the ldap server isn't available when opensmtpd is started, it says it
> started:
> 
> # /etc/rc.d/smtpd start
> smtpd(ok)
> 
> But it isn't there:
> 
> # ps -aux | grep smtpd
> root 89090  0.0  0.0   304  1208 p6  S+p5:52PM0:00.00 grep smtpd
> 
> And it's not really obvious why:
> 
> May 22 17:52:51 bart smtpd[46044]: info: OpenSMTPD 6.0.4 starting
> May 22 17:52:51 bart smtpd[23325]: warn: table-proc: pipe closed
> May 22 17:52:51 bart smtpd[23325]: lookup: table-proc: exiting
> May 22 17:52:51 bart smtpd[73239]: smtpd: process lka socket closed
> 

not good


> Starting in debug mode:
> 
> # smtpd -d
> info: OpenSMTPD 6.0.4 starting
> users[43283]: debug: reading key "url" -> "ldap://localhost:3389;
> users[43283]: debug: reading key "basedn" ->
> users[43283]: debug: reading key "username" ->
> users[43283]: debug: reading key "password" ->
> users[43283]: debug: reading key "credentials_filter" -> 
> "(&(objectClass=uidObject)(uid=%s))"
> users[43283]: debug: parsing attribute "credentials_attributes" (2) -> 
> "uid,description"
> users[43283]: debug: done reading config
> users[43283]: warn: aldap_parse
> users[43283]: fatal: failed to connect
> warn: table-proc: pipe closed
> lookup: table-proc: exiting
> smtpd: process lka socket closed
> 
> You can see it looks like it fails to connect to the ldap server at
> startup and just dies.
> 
> Further, if the ldap server is up at startup, but ever restarts or has
> the connection broken, authentication just fails:
> 
> May 21 13:22:10 bart smtpd[42132]: warn: user credentials lookup fail for 
> users:henson
> 
> The opensmtpd process needs to be restarted before authentication works
> again.
> 

not good


> In debug mode, it shows:
> 
> users[7295]: debug: table_ldap: ldap_query:
> filter=(&(objectClass=uidObject)(uid=henson)), ret=0
> 5e46e2fabbf8d72e smtp event=authentication user=henson
> address=134.71.249.41 host=134.71.249.41 result=permfail
> 
> Is it expected that the ldap support is currently not production ready?
> I see in a presentation from back in 2013 that ldap was classified
> experimental at the time, but it's not clear if that's still the case.
> 

Yes, sadly

I wrote the initial ldap support but I don't use ldap myself and I could
not get any user to spend time with me testing related diffs more than a
couple times, so...


> I see in the repo at
> 
> https://github.com/OpenSMTPD/OpenSMTPD-extras/blob/master/extras/tables/table-ldap/table_ldap.c
> 
> there's a change to add ldap reconnection support:
> 
> https://github.com/OpenSMTPD/OpenSMTPD-extras/commit/04e4c521b34d1987af915ff97dcb0d87daf122b0#diff-369c0fcbfbc85bf2cdad7dba1131b872
> 
> but it's dated 7/27/2017, and the last github release seems to be
> 201601072302 (although the openbsd port appears to be 201703132115, I
> guess it's not downloading it from github?).
> 

It's been a while since the last -extras release indeed,
I suppose the openbsd port pulls from github, I dunno really


> It looks like the code in head still fails to start if the ldap server
> isn't available when opensmtpd is started though.
> 

That's bad but could easily be fixed if you want to help us


> Is anybody using opensmtpd with ldap in production? If so, how are you
> working around this issue?
> 

That would be a bad idea... it's experimental :-p



-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: SMTP client added to -current

[Gilles Chehade]

On Thu, May 10, 2018 at 10:18:32AM -0400, Predrag Punosevac wrote:
> 
> I was wondering if somebody could give me some insight into how is the
> new SMTP client related to OpenSMTPD?
>

Eric wrote code to simplify the SMTP client engine in OpenSMTPD and help
with the cleanup I mentionned at EuroBSDCon'17.

His code happens to be standalone enough that he wrote an SMTP client on
top of it so we have a proper tool to perform SMTP sessions because that
is a recurring need and we kept using shitty scripts or manual sessions.
I'm not only talking as a developer here but as a mail admin too.

The SMTP client code he wrote is going to be what OpenSMTPD uses in some
months to replace our ageing SMTP client layer.

He did not write a tool, he wrote an SMTP engine THEN he wrote a tool on
top of it and committed both the engine and the tool.


> I would think one could create a
> "new" SMTP client by a straight forward surgery on OpenSMTPD.
>

Yes, that's doable.

Except that the code he would have surgically extracted is the code that
will soon get replaced with the code he committed.


> How does the new SMTP client compare to DragonFly Mail Agent (dma)?
>

The new SMTP client is a simple tool to perform an SMTP session and does
nothing more than that. If a use-case involves doing an SMTP session AND
something else, the tool became the wrong tool at AND.

I'm not familiar at all with dma but I assume it does a bit more.


> As most
> machines these days just need to send an e-mail to the relaying SMTP
> server are there plans to make new SMTP client default instead of full
> blown OpenSMTPD.
>

That is doubtful.

I do not think most machines just need to send an e-mail to the relaying
SMTP server, most machines would also need the mail to be retried if the
server is unreachable, sender to be notified if the mail ttl is reached,
handle local aliases, .forward, etc... it goes FAR beyond that tool.

Now I may be biased but I think a "full blown" OpenSMTPD does not have a
huge overhead given how we fought feature creep. I don't think you would
have a much simpler code path if you used OpenSMTPD or added server code
in front of this new SMTP client to allow enqueuing.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: OpenSMTPd maillist "compatible" manager Majordomo or what?

[Gilles Chehade]

On Tue, Mar 20, 2018 at 10:38:43AM +, Craig Skinner wrote:
> Hi Denis,
> 
> The OpenSMTPd mailing lists are mlmmj powered.
> 
> http://www.OpenSMTPd.Org/list.html
> 
> Join OpenSMTPd's misc@ list and ask OpenSMTPd questions there.
> 

mlmmj is a nice choice because it's simple and you can easily set it up
from within a ~/.forward file rather than /etc/mail/aliases which has a
huge security benefit.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: smtpd fails to start

[Gilles Chehade]

I will remember that promise.

On Tue, Jan 23, 2018 at 01:37:37AM -0800, Jordan Geoghegan wrote:
> Thank you Gilles! I knew it was going to be something irritatingly obvious.
> I owe you a beer.
> 
> Cheers,
> 
> Jordan Geoghegan
> 
> 
> # pkg_add opensmtpd-extras
> quirks-2.367 signed on 2017-10-03T11:21:28Z
> opensmtpd-extras-2017031321...:gettext-0.19.8.1p1: ok
> opensmtpd-extras-2017031321...:libffi-3.2.1p2: ok
> opensmtpd-extras-2017031321...:python-2.7.14: ok
> opensmtpd-extras-201703132115p1: ok
> --- +python-2.7.14 ---
> If you want to use this package as your default system python, as root
> create symbolic links like so (overwriting any previous default):
>  ln -sf /usr/local/bin/python2.7 /usr/local/bin/python
>  ln -sf /usr/local/bin/python2.7-2to3 /usr/local/bin/2to3
>  ln -sf /usr/local/bin/python2.7-config /usr/local/bin/python-config
>  ln -sf /usr/local/bin/pydoc2.7  /usr/local/bin/pydoc
> # rcctl restart smtpd
> smtpd(ok)
> #
> 
> 
> On 01/23/18 01:31, Gilles Chehade wrote:
> > On Tue, Jan 23, 2018 at 01:21:22AM -0800, Jordan Geoghegan wrote:
> > > Hi Gilles,
> > > 
> > > The output of the command you sent:
> > > 
> > > # smtpd -dv
> > > smtpd: table_create: backend "passwd" does not exist
> > > 
> > > I'm not sure what this means, as /etc/mail/passwd does indeed exist.
> > > 
> > > Thanks for the fast response!
> > > 
> > you need to install the opensmtpd-extras package from ports to use
> > the table-passwd add-on
> > 
> > 
> > 
> 

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: smtpd fails to start

[Gilles Chehade]

On Tue, Jan 23, 2018 at 01:21:22AM -0800, Jordan Geoghegan wrote:
> Hi Gilles,
> 
> The output of the command you sent:
> 
> # smtpd -dv
> smtpd: table_create: backend "passwd" does not exist
> 
> I'm not sure what this means, as /etc/mail/passwd does indeed exist.
> 
> Thanks for the fast response!
> 

you need to install the opensmtpd-extras package from ports to use
the table-passwd add-on



-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: smtpd fails to start

[Gilles Chehade]

you almost managed to give enough information to troubleshoot...

... except for logs displaying the problem :-)

`smtpd -dv` will provide useful information

On Mon, Jan 22, 2018 at 11:40:48PM -0800, Jordan Geoghegan wrote:
> Hi all,
> 
> I was hoping someone could point me in the right direction here. I cannot
> for the life of me get smptd to start. It always fails when running # rcctl
> restart smtpd, or when stopping and starting separately.
> 
>  I've been looking to move to OpenSMTP for my mail needs, so I can get my
> family and I's mail out of the cloud (yuck). The end goal is to set up a
> basic IMAP mail server enabling my family to easily connect from their
> various devices. I've been attempting to follow this guide on the OpenSMTP
> website: https://www.opensmtpd.org/faq/example1.html
> 
> I have of course RTFM, and I have also tried guides such as this, to no
> avail:
> 
> https://frozen-geek.net/openbsd-email-server-1/
> 
> http://technoquarter.blogspot.ca/
> <https://frozen-geek.net/openbsd-email-server-1/>
> 
> 
> I feel as if I'm missing something obvious here.
> 
> My config/steps taken are listed below. I have tried this on both i386 bare
> metal and on amd64 VM using vmm. Please let me know if a dmesg would be
> helpful. The logs show nothing as to why its failing. Any help would be much
> appreciated.
> 
> Cheers,
> 
> Jordan Geoghegan
> 
> *My smtpd.conf is as follows (scrubbed of personal info):*
> 
> # pki setup
> pki mail.mydomain.ca certificate "/etc/ssl/mail.mydomain.ca.crt"
> pki mail.mydomain.ca key "/etc/ssl/private/mail.mydomain.ca.key"
> 
> # tables setup
> table aliases file:/etc/mail/aliases
> table domains file:/etc/mail/domains
> table passwd passwd:/etc/mail/passwd
> table virtuals file:/etc/mail/virtuals
> 
> # listen ports setup
> listen on lo0
> listen on egress port 25 tls pki mail.mydomain.ca
> listen on egress port 587 tls-require pki mail.mydomain.ca auth 
> 
> 
> # allow local messages
> accept from local for local alias  deliver to lmtp 
> "/var/dovecot/lmtp" rcpt-to
> # allow virtual domains
> accept from any for domain  virtual  deliver to lmtp 
> "/var/dovecot/lmtp" rcpt-to
> # allow outgoing mails
> accept from local for any relay
> 
> *SSL keys and self signed certs were generated as per man smtpd.conf(5):*
> 
> # openssl genrsa -out /etc/ssl/private/mail.mydomain.ca key 4096
># openssl req -new -x509 -key 
> /etc/ssl/private/mail.mydomain.ca.key \
>-out /etc/ssl/mail.mydomain.ca.crt -days 365
># chmod 600 /etc/ssl/mail.mydomain.ca.crt
># chmod 600 /etc/ssl/private/mail.mydomain.ca.key
> 
> 
> *I then fill out my /etc/mail/aliases*
> 
> vmail:/dev/null
> root: jordan
> jordan:   jor...@mydomain.ca
> 
> 
> *and fill /etc/mail/domains with my domain info*
> 
> mydomain.ca
> mydomain.com
> myotherdomain.ca
> myotherdomain.com
> 
> (there's no change if just one or multiple domains listed)
> 
> *And the /etc/mail/passwd info is generated using $ smtpctl encrypt (am
> I supposed to be using my actual system login password here? I did just to
> be sure)***
> jor...@mydomain.ca:$2b$...encrypted...password...::
> 
> *My /etc/mail/virtuals looks like: *
> ab...@mydomain.ca jor...@mydomain.ca
> postmas...@mydomain.cajor...@mydomain.ca
> webmas...@mydomain.ca jor...@mydomain.ca
> jor...@mydomain.cavmail
> 
> 
> *Dovecot starts without complaint with this config:*
> 
> 
> passdb {
>     args = scheme=blf-crypt /etc/mail/passwd
> driver = passwd-file
> }
> 
> userdb {
> args = uid=vmail gid=vmail home=/var/vmail/%d/%n
> driver = static
> }
> service imap-login {
>   inet_listener imap {
> address = *
> port = 143
>   }
>   inet_listener imaps {
> address = *
> port = 993
>   }
> }
> ~
> 
> 

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Does OpenSMTPD support accented characters in email addresses?

[Gilles Chehade]

On Mon, Dec 18, 2017 at 01:59:24PM -0700, LD wrote:
> Trying to send accented characters using OpenBSD's (v5.9) email server I get
> a "501 5.1.3: Recipient address syntax error" because the local part of the
> address has an "??" ("e" with an acute accent) in the name. Does OpenSMTPD
> support these characters? How can I enable this on my server?
> 
> At the EHLO prompt I get:
> 250-server_name.example.com Hello test.me [127.0.0.1], pleased to meet you
> 250-8BITMIME
> 250-ENHANCEDSTATUSCODES
> 250-SIZE 36700160
> 250-DSN
> 250 HELP
> 
> I think I should see a "SMTPUTF8" extension in this list. Is that correct?
> 

smtpd doesn't support SMTPUTF8 yet, correct.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: [PATCH] Off-by-one bug in httpd, ldapd, relayd, smtpd, switchd and ypldap

[Gilles Chehade]

22
> diff -u -p -r1.22 parse.y
> --- usr.sbin/ypldap/parse.y   30 May 2017 09:33:31 -  1.22
> +++ usr.sbin/ypldap/parse.y   19 Aug 2017 20:15:33 -
> @@ -171,7 +171,7 @@ port      : PORT STRING   
> {
>   free($2);
>   }
>   | PORT NUMBER   {
> - if ($2 <= 0 || $2 >= (int)USHRT_MAX) {
> + if ($2 <= 0 || $2 > (int)USHRT_MAX) {
>   yyerror("invalid port: %lld", $2);
>   YYERROR;
>   }
> 

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Mastering opensmtpd rules

[Gilles Chehade]

On Tue, Aug 15, 2017 at 01:29:16PM +0200, Walter Alejandro Iglesias wrote:
> > 
> >   accept from any for any virtual  [...]
> > 
> 
> Besides, after modifying that rule in the file I also had to change the
> order.  Since rules below the "catch-all" one never get evaluated, it
> has forcibly to be the last one:
> 
>[...]
>accept from local for local alias  deliver to mbox
>accept from local sender  for any relay
>accept from any for any virtual  deliver to mbox
># End of file
> 

Not a truth written in stone but, usually, having the "from any for any"
rule in a config file is a sign that user failed to write ruleset and is
using this as a fallback. The earliest the rules match the envelope, the
better, as it indicates that the rule was written to match precisely.

Most rulesets should finish with a relay (via?) rule from local for any.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Mastering opensmtpd rules

[Gilles Chehade]

On Tue, Aug 15, 2017 at 09:22:41AM +0200, Walter Alejandro Iglesias wrote:
> Hello everyone,
> 
> I'd appreciate experienced opensmtpd users tell me if I'm understanding
> well the mechanism in the following rule.
> 
> Currently, in my smtpd.conf I have this line:
> 
>   accept from any for domain  virtual  deliver to mbox
> 
> But since all keys in my "valiases" table are full email addresses, in
> the form:
> 
>   u...@example.orguser
> 
> I'm thinking the use of "vdomains" table is redundant.  I could safely
> simplify the rule to:
> 
>   accept from any for any virtual  deliver to mbox
> 
> 
> Am I wrong in this assumption?
>

kind of, smtpd.conf being a first match ruleset it is impossible to make
this kind of analysis without having your other rules too.

in this case, this may or may not give the desired behavior depending on
rules following it because envelope matching happens _before_ virtual is
even evaluated.

with:

accept from any for domain  [...]

you will only match envelopes for the domains in , it allows a
different rule to match other domains:

accept from any for domain  [...]
accept from any for domain foobar.org [...]

with:

accept from any for any [...]

you will match all envelopes so you're essentially creating a catch-all.


virtual happens AFTER a rule has been matched so if you recipient is not
found the RCPT will be rejected, smtpd will not search for another rule.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: multiple relays in smtpd.conf

[Gilles Chehade]

On Wed, Aug 02, 2017 at 02:47:27PM +0200, Christian Gut wrote:
> 
> > On 2.Aug. 2017, at 14:09, Gilles Chehade <gil...@poolp.org> wrote:
> > 
> > On Wed, Aug 02, 2017 at 01:47:09PM +0200, Kirill Miazine wrote:
> >> * Eric Faurot [2017-08-02 13:24]:
> >>> On Wed, Aug 02, 2017 at 11:44:47AM +0200, Christian Gut wrote:
> >>>> Hi List,
> >>>> 
> >>>> is it possible to have multiple relays (you might want to say smart 
> >>>> hosts) in smtpd?
> >>>> 
> >>>> I currently use the following line:
> >>>> 
> >>>> accept from local for any relay via smarthost.example.org 
> >>>> <http://smarthost.example.org/>
> >>>> 
> >>>> Now I would like to have multiple smart hosts in there for backup 
> >>>> reasons, if one of the smart hosts is in maintainance. Is something like 
> >>>> this possible?
> >>>> 
> >>>> accept from local for any relay via { smarthost1.example.org 
> >>>> <http://smarthost1.example.org/>, smarthost2.example.org 
> >>>> <http://smarthost2.example.org/> }
> >>>> 
> >>>> Kind Regards,
> >>>> Christian
> >>>> 
> >>> It's not possible at the moment.  There is ongoing work to support this 
> >>> feature,
> >>> along with other improvements. But it's quite a big change, and we can't 
> >>> give an
> >>> ETA right now.
> >> 
> >> what about defining a new name in DNS containing addresses of all
> >> smarthosts as a workaround for the OP for now?
> >> 
> > 
> > This can work in some use-cases, this is exactly what a co-worker did to
> > work around the limitation.
> 
> How will smtpd operate then? Does it use the DNS records in a round robin 
> fashion or does it try them one after another if they fail?
> 

smtpd maintains states about its routes to a destination.

what will happen is that it will resolve your relay hostname into all of
its addresses and attempts to route to them. if a route is broken, it is
marked as such for a small period and reattempted later, meanwhile there
will be routes that aren't marked as broken and which smtpd will be able
to use.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: multiple relays in smtpd.conf

[Gilles Chehade]

On Wed, Aug 02, 2017 at 01:47:09PM +0200, Kirill Miazine wrote:
> * Eric Faurot [2017-08-02 13:24]:
> > On Wed, Aug 02, 2017 at 11:44:47AM +0200, Christian Gut wrote:
> >> Hi List,
> >>
> >> is it possible to have multiple relays (you might want to say smart hosts) 
> >> in smtpd?
> >>
> >> I currently use the following line:
> >>
> >> accept from local for any relay via smarthost.example.org 
> >> <http://smarthost.example.org/>
> >>
> >> Now I would like to have multiple smart hosts in there for backup reasons, 
> >> if one of the smart hosts is in maintainance. Is something like this 
> >> possible?
> >>
> >> accept from local for any relay via { smarthost1.example.org 
> >> <http://smarthost1.example.org/>, smarthost2.example.org 
> >> <http://smarthost2.example.org/> }
> >>
> >> Kind Regards,
> >> Christian
> >>
> > It's not possible at the moment.  There is ongoing work to support this 
> > feature,
> > along with other improvements. But it's quite a big change, and we can't 
> > give an
> > ETA right now.
> 
> what about defining a new name in DNS containing addresses of all
> smarthosts as a workaround for the OP for now?
> 

This can work in some use-cases, this is exactly what a co-worker did to
work around the limitation.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: multiple relays in smtpd.conf

[Gilles Chehade]

On Wed, Aug 02, 2017 at 11:44:47AM +0200, Christian Gut wrote:
> Hi List,
> 
> is it possible to have multiple relays (you might want to say smart hosts) in 
> smtpd?
> 
> I currently use the following line:
> 
> accept from local for any relay via smarthost.example.org 
> <http://smarthost.example.org/>
> 
> Now I would like to have multiple smart hosts in there for backup reasons, if 
> one of the smart hosts is in maintainance. Is something like this possible?
> 
> accept from local for any relay via { smarthost1.example.org 
> <http://smarthost1.example.org/>, smarthost2.example.org 
> <http://smarthost2.example.org/> }
> 

Hi,

Unfortunately it's not possible as of today.

I'm currently working on making this possible, like I was actually doing
work for that yesterday, but it's not as easy as it looks like and there
is no chance it can make it before 6.3

I have a big interest in this working so this is among my top prio work.

Gilles

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: smtpd vs. uw-imap locking

[Gilles Chehade]

On Sun, Jul 30, 2017 at 07:47:15PM -0400, gwes wrote:
> smtpd locks user mailboxes in /var/mail using lockspool(1)
> uw-imapd locks using its own dotfile locker mlock(not the syscall)
> 

Actually, it is mail.local that does the locking, smtpd knows nothing at
all regarding /var/mail as it is an MDA thing.

mailbox locking is complex to be done right with all the NFS horror, and
mail.local, which was already used with Sendmail, solved issue for us so
we decided not to introduce unnecessary bugs :-)


> Before I go into uw-imapd and do some nasty additions and
> if()s:
> does anyone else care?
> does anyone else use uw-imap?
> has anyone attacked this problem?
> is there anywhere else to ask these questions?
> 
> switch(answers) {
> *, *, *, yes: go there
> no, *, *, no: go do ugly coding in the dark
> *, *, yes, *: may I please see what you did?
> yes, yes, no, *: please get in touch
> default: go do ugly coding
> }
> 
> I'm not interested in any other server unless it is
> at least as lightweight as uw-imap. Courier, Cyrus,
> etc. are obese by comparison.
> 

To be honest, after having used wu-imapd and courier, I'd give Dovecot a
go if only because of privileges separation and a more modern design for
such an exposed target.

Also, mbox is really a left-over from the past and unless you are forced
to use it, switching to maildir has many advantages ranging from being a
lock-less delivery method to being easier to manage as an admin.

That being said: no, no, no, * because I'm curious.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Happy birthday Theo!

[Gilles Chehade]

On Thu, May 25, 2017 at 04:20:37PM -0700,  sharon s. wrote:
> At some point.. birthdays stop being happy. only speaking from
> experience.. :)
> 

that reads like an early stage of depression ?

you may want to M-x doctor ;-)

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: smtpd aliases file issue

[Gilles Chehade]

Much better :-)

You don’t need to restart the daemon, you simply need to tell it through 
smtpctl that the table aliases needs to be reloaded:

$ doas smtpctl update table aliases

Gilles


> On 11 May 2017, at 08:17, Ajitabh Pandey <ajitabhpan...@gmail.com> wrote:
> 
> Hi Gilles,
> 
> I did not change anything from the default. But I realise all may not be
> using default file like me and may not know what is in it. Here is a copy
> of the contents just for reference. The problem is solved by restarting the
> smtpd as sugested by Edgar.
> 
> $ doas cat /etc/mail/smtpd.conf
> 
> table aliases file:/etc/mail/aliases
> listen on lo0
> accept for local alias  deliver to mbox
> accept from local for any relay
> 
> Regards.
> -- 
> ~ajitabhpandey
> 
> On Wed, May 10, 2017 at 5:25 PM, Gilles Chehade <gil...@poolp.org> wrote:
> 
>> On Wed, May 10, 2017 at 04:32:55PM +0530, Ajitabh Pandey wrote:
>>> 
>>> If my understanding about how this should work incorrect? If not then
>> what
>>> am I doing wrong?
>>> 
>> 
>> What you are doing wrong is not showing your configuration file so we're
>> able to check if it does what you think it is doing
>> 
>> 
>> --
>> Gilles Chehade
>> 
>> https://www.poolp.org  @poolpOrg
>> 
> 
> 
> 
> -- 
> Ajitabh Pandey
> http://ajitabhpandey.info/ | http://unixclinic.net/ |
> http://buddingthoughts.info
> ICQ - 150615062
> Registered Linux User - 240748

Re: smtpd aliases file issue

[Gilles Chehade]

Obviously you don’t need to restart the daemon to pickup new aliases.

If you are using a plain file aliases map it can be reloaded atomically at 
runtime using smtpctl.
If you are using a db file, it can be rebuilt using the newaliases / makemap 
utility.

I can’t tell you which one to use because you still didn’t show your config,
but just for documentation purpose: you’re not doing it right.

Gilles


> On 11 May 2017, at 08:13, Ajitabh Pandey  wrote:
> 
> Thanks Edgar. That worked. This is what I was missing.
> 
> I actually removed my .forward from the user01 account now and directly
> updated the aliases file to forward email to external email address.
> 
> Just for documentation purpose, here are the steps -
> 
> $ doas vi /etc/mail/aliases file
> $ doas newaliases
> $ doas rcctl restart smtpd
> 
> Regards.
> -- 
> ~ajitabhpandey
> 
> On Wed, May 10, 2017 at 4:58 PM, Edgar Pettijohn  >
> wrote:
> 
>> Did you restart smtpd?
>> 
>> Sent from BlueMail > >
>> On May 10, 2017, at 6:03 AM, Ajitabh Pandey > >
>> wrote:
>>> 
>>> Hello,
>>> 
>>> On an OpenBSD 6.1, I have default smtpd setup.
>>> 
>>> I placed a .forward file in root's home and am able to receive the emails
>>> on an external address.
>>> 
>>> I then removed the .forward from root's home and then placed a .forward in
>>> the home directory of normal user account (say user01). Emails directly
>>> send to user01 are being forwarded to external email address as expected.
>>> 
>>> Next I edited the /etc/mail/aliases file and uncomment the line with root's
>>> name in it and placed an entry like -
>>> 
>>> root: user01
>>> 
>>> After saving the file, I ran newaliases to generate /etc/mail/aliases.db
>>> file.
>>> 
>>> This should forward all email's destined for root to user01 and
>>> consequently to external email address as user01's home has a .forward file
>>> in it.
>>> 
>>> This is not happening. Any email sent to root is being delivered to the
>>> mailbox of root and the smtpd logs in /var/log/maillog confirmed the same.
>>> 
>>> If my understanding about how this should work incorrect? If not then what
>>> am I doing wrong?
>>> 
>>> Thanks and Regards.
>>> 
>>> 
> 
> 
> -- 
> Ajitabh Pandey
> http://ajitabhpandey.info/  | 
> http://unixclinic.net/  |
> http://buddingthoughts.info 
> ICQ - 150615062
> Registered Linux User - 240748

Re: smtpd aliases file issue

[Gilles Chehade]

On Wed, May 10, 2017 at 04:32:55PM +0530, Ajitabh Pandey wrote:
> 
> If my understanding about how this should work incorrect? If not then what
> am I doing wrong?
> 

What you are doing wrong is not showing your configuration file so we're
able to check if it does what you think it is doing


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: smtpd log: certificate verification failed

[Gilles Chehade]

On Thu, Apr 20, 2017 at 02:59:10PM +0200, Walter Alejandro Iglesias wrote:
> Hello everyone,
> 
> Just to be sure, when I get this message:
> 
> maillog:Apr 20 13:53:03 server smtpd[99586]: smtp-out: Server certificate 
> verification failed on session 81c5fc1509d4c884
> 
> Is it about my server cert or the remote one?
> 

remote one, it means that when trying to verify the certificate that was
presented by the remote server, the verification failed


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: OpenSMTPD "syntax error" and other problems

[Gilles Chehade]

On Mon, Jan 16, 2017 at 09:36:10AM -0500, aretes27...@mypacks.net wrote:
> The "smtpd.conf" man page states:
> 
> relay [backup [mx]] [as address] ...
> ...
> If the as parameter is specified, smtpd(8) will rewrite the sender advertised
> in the SMTP session. address may be a user, a domain prefixed with ???@???, or
> an email address, causing smtpd(8) to rewrite the user-part, the domain-part,
> or the entire address, respectively.
> ...
> 
> I tried this:
> 
> relay as "@my-domain.com"
> 
> But I get a "syntax error"?
> 

Yes, keep reading this mail and find your error at the bottom of it.


> MS Outlook users get "550 Invalid recipient" errors when trying to send mail
> outside of our domain. The mail log entries are like:
>
> Jan 16 07:36:28 myserver smtpd[70549]: b76cb7a2aa7f61b8 smtp
> event=failed-command command="RCPT TO: <some.b...@somewhere.com>" result="550
> Invalid recipient"
>
> Using the command "mail" to compose a message and send it works.
> 

This probably means a configuration issue but you didn't provide
enough log context to figure it out.

I'll take a wild guess:

You're connecting over SMTP and the ruleset considers your client
as a non-local one which ...


> My "smtp.conf" is:
> 
> listen on all
> pki mail.example.com certificate "/etc/ssl/my-domain.com.crt"
> pki mail.example.com key "/etc/ssl/my-domain.com.key"
> 
> table aliases file:/etc/mail/aliases
> 
> accept from any for domain "my-domain.com" alias  deliver to mbox
> accept for local alias  deliver to mbox
> accept from local for any relay
> 

... is not allowed to relay based on this configuration ...

> # relay
> 
> relay as "@my-domain.com"
> 

... and this is where you get your syntax error, "relay as" is parameter
to accept, it should read:

   accept [...] relay as [...]


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Is using dkim really worth?

[Gilles Chehade]

On Sat, Dec 10, 2016 at 11:51:34AM +0100, Walter Alejandro Iglesias wrote:
> I mentioned this in other thread, now I'll ask this question directly.
> 
> I was running my own mail server for a while but not enough to make a
> conclusion.  I'd appreciate the opinion of the experienced.
> 
> I'm noticing messages with no spf or dkim records reach my gmail inbox.
> At the same time, messages with spf and dkim 'pass' state go to gmail
> spam (among them messages sent to me from people in this list).
> 
> So, in general and based on your experience, do you think using dkim
> (that implies daemon, port redirections, etc.) is really worth?
> 

Depends on your volume and who you intend to send to.

To be honest, setting up both SPF and DKIM takes a couple minutes and it
will probably avoid some delivery issues which will waste much more than
that to fix when they happen.

I can understand why someone would be reluctant to setup dmarc, but dkim
and spf are really a no brainer.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: How to detect this kind of attacks

[Gilles Chehade]

On Sat, Nov 26, 2016 at 12:08:37PM +0100, Walter Alejandro Iglesias wrote:
> Hello everyone,
> 
> Is there a way to detect on the fly spam attacks like the pasted below
> (maillog)?  It seems pf max-src-conn-rate takes in care only the
> "connected" event.
> 

There's not much you can do besides adding the offending addresses in a
pf blacklist.


> I obscured the recipients.  Basically sorted addresses of the same target 
> Chinese host.
> 

Been receiving lots of these from chinese hosts in the last few days too


> Nov 26 05:59:42 server smtpd[55880]: 3bcc430eee258cd7 smtp event=connected 
> address=119.141.24.19 host=119.141.24.19
> Nov 26 05:59:46 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:" result="550 Invalid recipient"
> Nov 26 05:59:49 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:" result="550 Invalid recipient"
> Nov 26 05:59:50 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:" result="550 Invalid recipient"
> Nov 26 05:59:51 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:" result="550 Invalid recipient"
> Nov 26 05:59:52 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:" result="550 Invalid recipient"
> Nov 26 05:59:53 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:" result="550 Invalid recipient"
> Nov 26 05:59:53 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:" result="550 Invalid recipient"
> Nov 26 05:59:54 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:" result="550 Invalid recipient"
> [...] *a hundred of more one second frequency entries here*
> Nov 26 06:06:55 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:" result="550 Invalid recipient"
> Nov 26 06:06:56 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:" result="550 Invalid recipient"
> Nov 26 06:06:56 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:" result="550 Invalid recipient"
> Nov 26 06:06:57 server smtpd[55880]: 3bcc430eee258cd7 smtp event=closed 
> address=119.141.24.19 host=119.141.24.19 reason=disconnect
> 

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: FW: smtpd dies on current

[Gilles Chehade]

On Fri, Nov 11, 2016 at 09:33:11AM -0600, Ted Wynnychenko wrote:
> I tried sending this to bugs@, but it does not seem to have been accepted.
> So, I decide to send it to misc@.
> I hope that's ok.
> 

Yes, I'm looking into it but it seems that it crashes within libcrypto
as I'm unable to reproduce with current smtpd and older libcrypto, and
able to reproduce with recent libcrypto.

I'm investigating this

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: OpenBSD 6.0-stable smtpd queue encryption

[Gilles Chehade]

, write last chunk if any and perform authentication check */
-   if (!EVP_DecryptFinal(, out + len, ))
+   if (!EVP_DecryptFinal_ex(, out + len, ))
goto end;
ret = len + olen;
 


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: DMARC and misc@ (and likely other OpenBSD lists)

[Gilles Chehade]

On Fri, Aug 26, 2016 at 09:46:35AM +0200, Peter Hessler wrote:
> On 2016 Aug 26 (Fri) at 08:25:56 +0200 (+0200), Peter N. M. Hansteen wrote:
> :If the OpenBSD list admins are reading this: would it be possible to
> :make a similar change in the OpenBSD mailing list configuration?
> 
> This is exactly why I hate DMARC.  Some tiny bullshit change, that
> requires everyone in the world to catch up to it.
> 
> Fuck you Google.  Fuck you Yahoo.  Clean up your own houses before you
> shit on ours.
> 

so much hate :-p

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: DigitalOcean and OpenBSD

[Gilles Chehade]

On Thu, Aug 25, 2016 at 12:22:21PM +0300, li...@wrant.com wrote:
> Wed, 24 Aug 2016 18:59:46 -0300 "R0me0 ***" <knight@gmail.com>
> [...]
> > Thank you everyone that gime directions really appreciated ( all those in
> > pvt as well )
> > 
> > Cheers guys !
> 
> Thu, 25 Aug 2016 11:07:17 +0800 Tinker <ti...@openmailbox.org>
> [...]
> > Guys, www.kimsufi.com is the best combination of inexpensive and 
> > reliable, for dedicated servers.
> 
> Hi R0me0,
> 
> Indeed, recommending even more self managed affordable SSD servers:
> 
> OVH: SoYouStart, FR (EUR)
> [https://www.soyoustart.com/ie/essential-servers/]
> 
> OVH: SoYouStart, CA (USD)
> [https://www.soyoustart.com/us/essential-servers/]
> 
> NB: Not affiliate, years of OpenBSD in KVM on SSD servers reliably.
> 

As a former customer, I would recommand against them.

There are other alternatives with better hardware, services and policies
within the same price ranges. online.net to name one, hetzner.de to name
another one.

I'm only commenting because your mail didn't mention competitors and I'd
hate the idea that people went there by default, but I'm off this thread
now ;-)

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Thinking about writing something I'm calling wifid

[Gilles Chehade]

On Tue, Aug 02, 2016 at 04:58:18PM +0200, Kamil Cholewi??ski wrote:
> On Tue, 02 Aug 2016, Theo de Raadt <dera...@openbsd.org> wrote:
> > The kernel should have a better way of exporting stations it knows about
> > live, rather than userland forcing channel hops and station changes out
> > of sync with the kernel.
> 
> Perhaps overloading kevent? EVFILT_IEEE80211?
> 

:-|

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: opensmtd failing and a work a round

[Gilles Chehade]

On Wed, Jun 15, 2016 at 07:33:47PM +, Peter Fraser wrote:
> I apologize for the missing newlines in the earlier messages
> 
> opensmtpd has a bug, that I know is being worked on. It leave streams open
> that should be closed and will eventually stop listening for new connections.
> 
> The only fix I know at the moment is to restart opensmtpd.
> 

Just to clarify since your mail might confuse people:

The bug triggers in the filter code which is NOT production-ready and we
enabled with an EXPERIMENTAL note in the release mail so developers help
spot bugs and improve the API.

If you need a stable setup, don't use filters before we announce that it
is a stable feature.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: SMTPD - Auth Error 535 5.7.8

[Gilles Chehade]

On Sun, May 22, 2016 at 05:04:02PM -0500, Patrick Dohman wrote:
> After migrating to a new ISP SMTPD relay TLS Auth no longer functions as
> expected.
> 
> Essentially the same configuration in conjunction with a different mail server
> works as needed.
> 
> Hoping to clarify if cipher type is an issue & if so how a cipher list is
> configured.
> 

nope, the problem seems to be that you credentials are rejected:

> May 22 14:49:41 Firewall smtpd[5565]: smtp-out: Connecting to
> tls://205.219.233.9:587 (mail.centurylink.net) on session 678c450539abbe1e...
> May 22 14:49:41 Firewall smtpd[5565]: smtp-out: Connected on session
> 678c450539abbe1e
> May 22 14:49:41 Firewall smtpd[5565]: smtp-out: Started TLS on session
> 678c450539abbe1e: version=TLSv1/SSLv3, cipher=AES256-GCM-SHA384, bits=256
> May 22 14:49:41 Firewall smtpd[5565]: smtp-out: Server certificate
> verification succeeded on session 678c450539abbe1e

here the connection has been established and TLS negotiated


> May 22 14:49:41 Firewall smtpd[5565]: smtp-out: Error on session
> 678c450539abbe1e: AUTH rejected: 535 5.7.8 Sorry.

here the remote server replied that it didn't accept your AUTH
which is basically your credentials

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Suggestion: new webpage for openbsd.org

[Gilles Chehade]

On Sun, May 22, 2016 at 07:34:19PM +1000, bytevolc...@safe-mail.net wrote:
> On Fri, 20 May 2016 03:50:51 +0300
> li...@wrant.com wrote:
> 
> > Interesting, the moment some other systems started swapping designs,
> > the moment their public knew they've sold out and commercialised in.
> 
> This is a good point; I have certainly noticed this on a lot of other
> sites and projects. As soon as they "upgrade" to "Web 2.0" (with all
> the image-buttons-for-links, rounded corners, low-contrast text,
> JavaScript galore, etc), it's easy to predict the fate of that project.
> 

aren't you guys even slightly tired of the bullshit ?

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Happy Birthday Theo!

[Gilles Chehade]

On Thu, May 19, 2016 at 10:57:57AM +0100, Kevin Chadwick wrote:
> Happy Birthday
> 
> 
>if (pledge("fun relax", NULL) == -1)   {
> err(1, "pledge");
>       }
> 

KNF, dammit...

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Suggestion: new webpage for openbsd.org

[Gilles Chehade]

On Wed, May 18, 2016 at 06:08:52PM +0200, Joakim Frosteg??rd wrote:
>
> [...]
> 
> @Gilles Chehade:
> If you're not being sarcastic, I would be happy to contribute to that
> project as well.
> 

Didn't know I came off sarcastic naturally, achievement unlocked !

I wasn't sarcastic, nope ;-)


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Suggestion: new webpage for openbsd.org

[Gilles Chehade]

On Tue, May 17, 2016 at 09:11:44AM +0200, Joakim Frosteg??rd wrote:
> Hi,
> 
> I???ve made a responsive new webpage replacement for the
> in my opinion somewhat aged openbsd.org <http://openbsd.org/>.
> 
> It???s available at http://greatest-ape.github.io/openbsd-site/public_html/
> <http://greatest-ape.github.io/openbsd-site/public_html/>
> with the repo at https://github.com/greatest-ape/openbsd-site
> <https://github.com/greatest-ape/openbsd-site> .
> 
> The idea is to replace index.html but for all other pages just
> replace the stylesheets. In so far, I???ve included a few other
> pages, including plat.html, goals.html and alpha.html.
> 
> I???ve tried to keep the page without bells and whistles, that is:
> * Just static HTML and CSS
> * No frameworks
> * No javascript
> * Minimalist design
> 
> though I have included the Apache 2-licensed Open Sans
> from Google Fonts. If you like the page, I guess we could
> build our own font instead of using the google repository.
> 
> Is this the right place to post this? Are you (the openbsd devs)
> interested in this at all?
> 
> If yes, we would also need to make sure that the creator of
> the nice openbsd logo included is happy with us using it for
> the webpage. Apart from that, I would be happy to license
> my work under BSD, MIT or whatever you want.
> 

I don't know if it's of any interest for openbsd.org, but I would not be
opposed to use this for opensmtpd.org :-p

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: OpenSMTPD with filter-spamassassin / max-children

[Gilles Chehade]

On Tue, Apr 19, 2016 at 06:23:18PM +0200, Joerg Jung wrote:
> > Am 18.04.2016 um 16:56 schrieb ML mail <mlnos...@yahoo.com>:
> >
> > I have configured OpenSMTPD on OpenBSD 5.9 with the filter-spamassassin as a
> relay for a few of my webapp servers and have the problem when a webapp
> suddently sends over 30 mails at the same time. Basically the problem is that
> as I have configured spamd with 30 as max-children, as soon as I receive 30
> mails at the same time OpenSMTPD stops answering because all spamd childs are
> in busy state. This means that as long as all spamd child are in busy state I
> can not receive any more mails during that time.
> 
> So you get what you configured/requested.
> 
> > So in theory I would just raise the max-children setting of spamassassin but
> then it just postpones the problem really... so is there maybe another way to
> deal better with that issue?
> 
> Not really.
> 
> If these are your own web servers they
> will not send spam, right?
> So considering skip the filtering for them?
> 
> There is a max-inflight limit in smtpd.conf(5)
> which you may want to lower (below your 30).
> 

Generally speaking, I'd really avoid playing with max-inflight, it is a
scheduler knob from developers to developers.

Tweaking it for one particular case means it is tweaked for all cases.


> Also, the most recent git head of -extras contains
> a limit option which restricts the messages piped
> to spamassassin based on their size. The idea is:
> fewer/smaller mails are checked (fast),
> assuming that larger ones are rarely spam.
> 

much better strategy, maybe it should also contain a max session count
to tempfail incoming mail if there are already enough pending sessions
I don't know.

What I know is that max-inflight is not THE solution for sure.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: smtpd : reject with a message

[Gilles Chehade]

On Wed, Apr 13, 2016 at 06:14:36PM +, Peter Fraser wrote:
> Is there any method of added extra information when rejecting an email with
> smtpd
> 
> I am looking for an equivalent effect to the .REDIRECT or error  message in
> sendmail's virtualusertable
> 
> for example I had the following in sendmail's virtualusertable.
> 
> @thinkage.on.ca   error:5.1.1:553 " Please use 
> thinkage.ca not
> thinkage.on.ca"
> 
> and
> 
> t...@thinkage.ca  supp...@thinkage.ca.REDIRECT
> 

from aliases(5):

 error:code message
 
A status code and message to return.  The code must be 3 digits,
starting 4XX (TempFail) or 5XX (PermFail).  The message must be
present and can be freely chosen.

note that only single-line messages are supported (for now ?)


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: OpenSMTPD on OpenBSD 5.9

[Gilles Chehade]

On Wed, Apr 13, 2016 at 03:15:59PM +1100, Rod Whitworth wrote:
> On Sun, 10 Apr 2016 12:31:35 +1100, Rod Whitworth wrote:
> 
> >On Sat, 9 Apr 2016 10:12:23 -0500, Edgar Pettijohn wrote:
> >
> >>On 04/08/16 23:25, Rod Whitworth wrote:
> >>> I'm trying to replace Postfix with OpenSMTPD and I'm having a battle.
> >>>
> >>> I don't seem to be able to get the clues to match the hardware and the
> >>> configure recipes that I need.
> >>>
> >>> The most up to date I can find breaks at the second stanza and I can
> >>> guess that the instructions for configuring for PF are for OpenBSD 5.6
> >>> means that I should find a up to date have clue set.
> >>>
> >>> Does anyone have pointer to a rescue?
> >>>
> >>> Rod/
> >>> (who doesn't want to revert to Postfix..)
> >>>
> >>> *** NOTE *** Please DO NOT CC me. I  subscribed to the list.
> >>> Mail to the sender address that does not originate at the list server is 
> >>> tarpitted. The reply-to: address is provided for those who feel compelled 
> >>> to reply off list. Thankyou.
> >>>
> >>> Rod/
> >>> ---
> >>> This life is not the real thing.
> >>> It is not even in Beta.
> >>> If it was, then OpenBSD would already have a man page for it.
> >>>
> >>I think you may need to describe what you are trying to achieve. Perhaps 
> >>your old postfix configuration as well.
> >>
> >
> >What I am trying to achieve is a copy of the up-to-date instructions.
> >
> >As I said the most recent copy is around 5.6.
> >I am running 5.9.
> >
> >The most recent recipe is written by someone who makes considerable
> >mods and I like to   refrain from making changes until I find a change
> >that appears to have a solid reason.
> >
> >Postfix is no help in getting OpenSMTPD working. Believe me and I've
> >been running Postfix since about OpenBSD 2.5 and doing it for some
> >large businesses.
> >
> >The present instructions for OpenSMTPD go likes this:
> >1 Install some packages (3)
> >
> >2 Create Maildir
> >
> >Crash. Well it doesn't work as it is suppose to.
> >
> >Study further and realise that you need up to date instructions.
> >
> >So try to install 5.9 OpenBSD and run
> >http://puffysecurity.com/wiki/opensmtpd.html
> >
> >Lots-a-luck.
> >
> >Rod/
> >
> >From the land "down under": Australia.
> >Do we look  from up over?
> >
> 
> Well it seems I must go to Postfix..
>

Postfix is good software, nice choice.


> What I needed was a version 5.9 as distributed not a hero's advanced
> version already heading to 6.0. That is for developers and I respect
> them but they are not for me: I'm not that smart.
> 
> There are some (apart from the 5.9+ code) which are not for me as they
> are (a) not 5.9 code or (b) not polished trying to try for 5.9
> 

After reading the whole thread, I still don't understand your problem,
what you're trying to achieve and what information you're looking for.


> I would love to see someone reply telling me that I have bad eyes and a
> 5.9 is running and it's getting it correct.
>

I'd love to tell you that you have bad eyes, but not knowing what is
your problem nor what you're trying to achieve, I wouldn't know what
I should look for.


> Meanwhile I have to bring up a new server and Postfix seems to be the
> only candidate.
> 
> At least I can build a mailserver that works on that.
> 

Again, good choice, if you're comfortable with running Postfix and you
can't get OpenSMTPD running, I don't know why you're struggling :-)


> Sorry for the noise
> 

np


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: OT: Looking for email host with qmail like minus-addressing for custom domain

[Gilles Chehade]

On Thu, Mar 03, 2016 at 02:02:22PM -0600, Claus wrote:
> On 3/3/2016 3:14 AM, Gilles Chehade wrote:
> >On Thu, Mar 03, 2016 at 01:54:16AM +0100, ropers wrote:
> >Won't question your need however this + vs - thing has come up often and
> >I'd like to stress out that even though both - and + are valid, use of -
> >introduces ambiguity given that - is allowed in usernames:
> >
> > $ doas useradd -m foo
> > $ doas useradd -m foo-bar
> >
> >Who should get mail for foo-bar@ ?
> >
> >This just doesn't happen with + because:
> >
> >$ doas useradd -m bar
> >$ doas useradd -m bar+baz
> >useradd: `bar+baz' is not a valid login name
> >$
> 
> Seriously, do email hosting providers create local accounts for their users?
> I don't have a clue but I highly doubt it due the need to host multiple
> domains.
> 

My comment wasn't focused on email providers but on email in general ;-)

The default setup for all MTA's that I know of is to map user part of an
email address to a system username. That's been the case since the first
day I got interested in hosting (pre 2k) and is still the case today. It
was the case for my .edu when I was a student & it was the case for many
of the places I worked for since then.


> The ambiguity is there unless the domain owner doesn't allow dashes in
> account names, and I can afford to make that rule for my domain.  Of course
> that doesn't help me if no one supports that. :(
> 

Indeed, but the fact no one supports that should also hint you that this
is going against ... what everyone else does, so it's quite expected you
are going to be in a painful journey ;)


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: OT: Looking for email host with qmail like minus-addressing for custom domain

[Gilles Chehade]

On Thu, Mar 03, 2016 at 01:39:54PM -0700, Andy Bradford wrote:
> Thus said Gilles Chehade on Thu, 03 Mar 2016 10:14:48 +0100:
> 
> > Who should get mail for foo-bar@ ?
> 
> The MTA will decide who will get foo-bar@.
> 

How ?


> > This just doesn't happen with + because:
> 
> It also doesn't happen with an MTA that can figure these things out.
>

How ?


> I don't see this as necessarily an argument for or against - vs +
> 

too bad, it means my friend jean-pierre will not be able to be hosted by
you if you already host my other friend jean ;-)


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: OT: Looking for email host with qmail like minus-addressing for custom domain

[Gilles Chehade]

On Thu, Mar 03, 2016 at 01:54:16AM +0100, ropers wrote:
> On 2 March 2016 at 23:59, Jason Barbier <jab...@serversave.us> wrote:
> 
> > [You're] probably going to have to suck it up at some point and use +
> > [delimiters] like most people have moved to doing since according to the
> > RFC - is a valid email address char.
> >
> 
> So is +.
> http://tools.ietf.org/html/rfc3696#section-3
> - is not any more legal than +, just maybe more common, and you're still
> more likely to encounter non-RFC compliant implementations that don't deal
> with plus correctly, especially in web form email "verification" scripts --
> but many of those suck monkey balls anyway.
> 

Won't question your need however this + vs - thing has come up often and
I'd like to stress out that even though both - and + are valid, use of -
introduces ambiguity given that - is allowed in usernames:

$ doas useradd -m foo
$ doas useradd -m foo-bar

Who should get mail for foo-bar@ ?

This just doesn't happen with + because:

$ doas useradd -m bar
$ doas useradd -m bar+baz
useradd: `bar+baz' is not a valid login name
$

Now as far as your issue is concerned, what you could do if you can't go
without - is to take an account anywhere that supports + then just setup
a simple mail forwarder at a vps host to rewrite - to +, this way you'll
be able to transition without being limited in hosting choices.

just my opinion ;)

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Fwd: CVS: cvs.openbsd.org: src

[Gilles Chehade]

On Mon, Nov 30, 2015 at 05:45:25PM -0500, Daniel Ouellet wrote:
> On 11/30/15 4:58 PM, Joerg Jung wrote:
> > On Mon, Nov 30, 2015 at 04:48:05PM -0500, Daniel Ouellet wrote:
> >> Even removed the table password?
> > 
> > Yes.
> >  
> >> NO way anymore to have difference password for emails then the system
> >> password without smtp-extra install?
> > 
> > You may want to read table(5) the section about credentials tables.
> >  
> >> I can understand may be sqlite and ldap, but as a base system having
> >> different password from the system was and is very useful and I do it on
> >> all systems.
> > 
> > Still possible.
> > 
> >> Or am I missing something or miss understand the commit?
> > 
> > Yes, it looks like you never used table-passwd, 
> > that is why it is removed.
> 
> May be I miss used the name. Good to know.
>

yes, the name is confusing, table-passwd is not what you want.


> I was just starting to switch all my servers to use sqlite however
> because sqlite was in the base system too and it was easier to use after
> it wad configure. (:<
> 
> Oh well.
> 
> I will switch back to makemap then.
> 
> I hope I understand your explication as this being still valid:
> 
> table vusers db:/etc/mail/vusers.db
> table vdomains db:/etc/mail/vdomains.db
> 

yes, this is still valid


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: smtpd with accept from any for domain alias relay via smtp://127.0.0.1:10025 doesn't support check?

[Gilles Chehade]

On Fri, Oct 30, 2015 at 03:56:23AM -0400, Daniel Ouellet wrote:
> Isn't the long form domain  alias  should be supported
> here for the relay configuration in smtpd.conf
> 
> In the man(5) smtpd.conf page I see this form as valid:
> 
> accept from any for domain  alias  deliver to maildir
> accept from any for domain  virtual  deliver to \
>   maildir
> 
> So, I would have expected to be able to use these forms:
> accept from any for domain  alias  relay via \
>   smtp://127.0.0.1:10025
> accept from any for domain  virtual  relay via \
>   smtp://127.0.0.1:10025
> 
> However it doesn't accept and I need to use this instead:
> 
> accept from any for domain  relay via smtp://127.0.0.1:10025
> accept from any for domain  relay via smtp://127.0.0.1:10025
> 
> The users, or aliases part is not accepted.
> 
> Any thoughts on this? The reason I asked is that, let say you have a not
> valid users if I can check the users BEFORE doing the local relay, it
> avoid the additional processing and would be rejected right away oppose
> to be after it is locally processed no?
> 

Then you should use the 'recipient' keyword:

 accept [...] for domain  recipient  [...]

Goal of aliases / virtual is to resolve a user-part/address into a
local delivery ... which makes no sense if your mail is not local.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Is OpenSMTPD worthy of OpenBSD inclusion?

[Gilles Chehade]

lopers work for him.

At the same time, they can browse our tracker to see how many times
you have requested something and how many times we worked on it. It
sure seems ungrateful in retrospect given that on some of them, you
are bitching that we don't go fast enough.


> But I think it's time we take a step back and reassess the situation.
> There are some critical questions that need to be answered. What
> accounts for the high proportion of security vulnerabilities in a
> project renowned for its brilliant developers and stringent review
> processes? Do the OpenSMTPD developers have time -- and have they
> displayed a presence of necessary free time -- to keep the project
> healthy and moving toward stability at an acceptable pace? Have the
> correct standards of releases been applied to the OpenSMTPD release
> process?
>

That will be the only thing we agree upon.

We had to do a huge refactor to add filters and we knew in advance
it would span over several releases, breaking smtpd for OpenBSD.

We decided to take this development to a private repository and we
made a public mirror as people were asking for snapshots to test.
You should know, you *really* wanted filters right ?

This resulted in two branches, making it twice as hard for us to
work correctly and preventing other OpenBSD developers from taking
a look at our changes.

This is not how OpenBSD works and this is not how we want to work.

We're currently discussing how to come back home, micro-diff by
micro-diff. the filters code is trickier to split and we have a
bit of work to make it reviewable. the easy way would be to not
support it, but you'd prefer that we keep it right ?

This is how we want to work. With other OpenBSD hackers.


> And most importantly: should OpenSMTPD continue to be a part of the
> core OpenBSD project? Or should it rather spend some time maturing and
> securing commitments from developers for maintaining it in a
> consistent manner, before being accepted by such a reputable
> organization as OpenBSD?
> 

You have some nerve.

"securing commitments from developers for maintaining it" ?

You weren't complaining much about our commitments when we were working
on your feature requests and you were talking to us like we were your
employees using big words. Care to remind me who was commiting to work
on that masquerade or senders map feature that was so critical to your
infrastructure ? Who actually ping-ed you to let you know that the long
awaited feature was going to be part of a snapshot ?

You did complain alright, the project wasn't moving fast enough.
But that was before you complained it was moving to fast.


> Finally, if OpenSMTPD does continue to exist as a part of core
> OpenBSD, I would strongly recommend some effort is organized to bring
> top quality code reviewers and auditors to the source code, in order
> to give the project the eyeballs it deserves. It would be a great
> boost in confidence for many who use - or hoped to someday use -
> OpenSMTPD to see that intelligent minds, capable of securing large
> codebases, have put their efforts into making it secure.
>

We agree again.

The more eyeballs, the better.

Except that when we get help from external eyeballs you're unhappy.
Or is there another reason ?


> I hope this can begin some discussion on the best way forward toward
> making OpenSMTPD a piece of infrastructure we can trust. My best
> wishes for the project.
> 

I'd be happy to believe you, and people may, but you're not sincere.

People may think you sent this mail out of nowhere but you did right
after I told you something unpleasant. Just a coincidence, right ?

While you were telling eric that you liked our work and that you had
respect for it, you drafted this, sent it and linked on so many site
that people started telling me in private that a psycho had a grudge
against us.

At least be honest about your motives.

You told me once that you were a "security expert" and that we could
sit around a beer so you'd tell me what's wrong in our design. If it
is true that you want the project to succeed and if you really are a
security expert then the project would have surely made a better use
of a design analysis report than this mail.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Opensmtpd+user forom "table baseuser"

[Gilles Chehade]

On Thu, Oct 01, 2015 at 06:05:57AM +0200, Krzysztof Strzeszewski wrote:
> Hi,
> I add in my smtpd.conf:
> 
> table users file:/path/to/file
> accept userbase 
> 
> but smtpd get users from local system:
> 
> "getpwnam:  -> 0"
> 
> what is wrong?
> 

unless you provide the full configuration file and some logs, this is
not enough to even begin to understand what happened.

on the top of my head: you're not matching the rule you think you are



-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Show us your /etc/profile

[Gilles Chehade]

On Fri, Jul 31, 2015 at 05:25:49PM -0300, listas...@dna.uba.ar wrote:
 Hello everybody
 

Hello,

 alias ducks='du -cks * |sort -rn |head -11'
 

I'm stealing this one ;-)

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Sluggish/laggy browser behaviour

[Gilles Chehade]

On Wed, Jul 29, 2015 at 12:46:01AM -0700, Nathan Van Ymeren wrote:
 On Wed, 29 Jul 2015 02:35:39 -0400
 Brad Smith b...@comstyle.com wrote:
 
  Give up. The developers don't care in a functional manner. They won't
  listen to the obvious issues (and there are) and would rather attack
  you then admit the obvious.
  
 
 I don't think anyone's attacked me here, developer or not?
 

Disregard, some people have trouble understanding that harsh reactions
are not really the result of reporting issues.

Some people report many issues and never get a harsh reaction, while a
few people always get harsh reactions when posting to the lists.

I guess it's simpler to assume the problem is with the other people on
the list rather than adjust a shitty attitude ;-)

Reporting issues is one of the best way for a non-developer to help us
and I think it's pretty clear to everyone that OpenBSD and all related
projects don't tend to hide issues under the carpet.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: elementary opensmtpd setting on rental server

[Gilles Chehade]

On Fri, Jul 24, 2015 at 02:09:53AM +0900, Tuyosi Takesima wrote:
 thanks for Denis
 
 |Tell me if I'm wrong but you don't listen on port 25 or 465.
 your advise is great !
 
 /etc/mail/smtpd.conf  is rewriten .
 listen on lo0
 listen on em0 port 25-to recieve mail from gmx
 listen on em0 port 465  -to recieve mail from gmail
 table aliases db:/etc/mail/aliases.db
 
 accept from any for domain aoiXXX.mydns.jp   alias aliases
 deliver to maildir
 accept from any for domain aoiXXX.mydns.jp
 deliver to maildir
 
 accept for localalias aliases
 deliver to maildir
 accept for local
 deliver to maildir
 
 reject from any for any
 --
 
 then  i can get mails from x...@gmail.com  x...@gmx.com .
 buti cannot send mails to x...@gmail.com  x...@gmx.com .
 
 but this is great progress .
 

Jumping in to put an end to this thread:

Let's look at what you want to do:

  send mail to @gmail.com  @gmx.de

Then, let's check if your ruleset has any rule matching these:

 accept from any for domain aoiXXX.mydns.jp [...] - no
 accept from any for domain aoiXXX.mydns.jp [...] - no
 accept for local [...] - no
 accept for local [...] - no
 reject from any for any - yes

Your ruleset doesn't allow for your own users to send mail to anything
but your local domains.

You need a rule that states:

accept from local for any relay

It needs to be at the bottom of your config, right where you added this
reject rule (which serves no purpose btw since this is the default).


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: GROUP CHANGED

[Gilles Chehade]

On Sun, Jun 14, 2015 at 04:32:18PM +0200, Max Power wrote:
 Hi guys!
 
 I copied my files from Debian [ext4] to my new server OpenBSD [5.7 amd64],
 and I found that all files of 'ROOT' group were imported [in OpenBSD] in
 the 'Wheel' group.
 Why is this?
 
 [Owner is the same, there is no change.]
 
 Thank fro reply.
 

wheel is the new root.

https://en.wikipedia.org/wiki/Wheel_(Unix_term)

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Logjam Attack: is OpenIKED and OpenSMTPD vulnerable?

[Gilles Chehade]

On Wed, May 20, 2015 at 11:55:42PM +0200, L.R. D.S. wrote:
 Anyone write today on @misc and @tech about this, so I'll ask just to make 
 sure: 
 is OpenIKED and/or OpenSMTPD vulnerable to this new Logjam Attack?
 This vulnerability allow a man-in-the-middle attacker to downgrade 
 vulnerable TLS 
 connections to 512-bit export-grade cryptography and [Since] Millions of 
 HTTPS, 
 SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key 
 exchange
 [using it] an attacker can quickly break individual connections [...] 
 attacks on 
 VPNs are consistent with having achieved such a break.[1]. They have a proof 
 of 
 concept[2] and a research paper[3].
 

As far as OpenSMTPD is concerned:

The attack affects any server that supports DHE_EXPORT ciphers,
 and affects all modern web browsers. (from weakdh.org)

The default cipher-suite is HIGH:!aNULL:!MD5 which doesn't support any
DHE_EXPORT cipher (obvious but verified with both LibreSSL and OpenSSL):

$ openssl ciphers HIGH:!aNULL:!MD5|grep EXPORT
$


Millions of HTTPS, SSH, and VPN servers all use the same prime numbers
 for Diffie-Hellman key exchange. [...]

Yes, there is a very popular set of 512-bits DH parameters that everyone
uses because it was considered safe to share the params if generated the
right way. It is part of tons of examples, documented as safe to reuse
and it ended pretty much everywhere (openssl s_server to name one).

We have switched to 1024-bits DH parameters 4 years ago:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ssl.c.diff?r1=1.31r2=1.32f=h

The DH parameters were generated by myself on a safe machine, so there's
very very low chances millions of servers are sharing the same ones ;)

The article suggests that 1024-bits DH isn't enough and that you need it
to be at least 2048-bits, however before we bump this default, we need a
fair amount of testing: last time I tried, it broke A LOT of exchanges.

Discussions will take place with regard to what we'll do anways...


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: smtpd(8): running as backup MX with +TAG addresses

[Gilles Chehade]

On Sat, Dec 27, 2014 at 11:56:29AM +, Florian Obser wrote:
 Hi,
 
 so I want to run smtpd(8) as a backup MX and configure the list of
 valid email addresses so that the backup MX rejects invalid
 email addresses on accepting the message and not bounce
 the mail alter on when it tries to deliver to the primary
 mail server.
 Currently I have this:
 accept from any for domain domains recipient recipients \
   relay backup hostname primary.mx.example.com
 
 Assuming I have example.com in the domains table and
 u...@example.com in the recipient table smptd rejects
 rcpt to: user+...@example.com
 with
 550 Invalid recipient
 
 rcpt to: u...@example.com
 works just fine.
 
 This is on -current.
 
 How can I get +TAG to work on the backup MX?
 

At the moment, recipient is unaware of + tagging you can only backup
a full domain or specific untagged recipients.

This doesn't seem too hard to implement though, I'll see if I can get it
done this week.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: smtpd(8): running as backup MX with +TAG addresses

[Gilles Chehade]

On Sat, Dec 27, 2014 at 11:56:29AM +, Florian Obser wrote:
 Hi,
 
 so I want to run smtpd(8) as a backup MX and configure the list of
 valid email addresses so that the backup MX rejects invalid
 email addresses on accepting the message and not bounce
 the mail alter on when it tries to deliver to the primary
 mail server.
 Currently I have this:
 accept from any for domain domains recipient recipients \
   relay backup hostname primary.mx.example.com
 
 Assuming I have example.com in the domains table and
 u...@example.com in the recipient table smptd rejects
 rcpt to: user+...@example.com
 with
 550 Invalid recipient
 
 rcpt to: u...@example.com
 works just fine.
 
 This is on -current.
 
 How can I get +TAG to work on the backup MX?
 

This diff should do the trick.
It teaches sender and recipient how to cope with tags in addresses.

Let me know how it goes for you.


diff --git a/smtpd/table.c b/smtpd/table.c
index 66fdb7a..cc61e74 100644
--- a/smtpd/table.c
+++ b/smtpd/table.c
@@ -347,6 +347,12 @@ table_update(struct table *t)
return (t-t_backend-update(t));
 }
 
+
+/*
+ * quick reminder:
+ * in *_match() s1 comes from session, s2 comes from table
+ */
+
 int
 table_domain_match(const char *s1, const char *s2)
 {
@@ -358,6 +364,7 @@ table_mailaddr_match(const char *s1, const char *s2)
 {
struct mailaddr m1;
struct mailaddr m2;
+   char   *p;
 
if (! text_to_mailaddr(m1, s1))
return 0;
@@ -367,9 +374,17 @@ table_mailaddr_match(const char *s1, const char *s2)
if (! table_domain_match(m1.domain, m2.domain))
return 0;
 
-   if (m2.user[0])
+   if (m2.user[0]) {
+   /* if address from table has a tag, we must respect it */
+   if (strchr(m2.user, '+') == NULL) {
+   /* otherwise, strip tag from session address if any */
+   p = strchr(m1.user, '+');
+   if (p)
+   *p = '\0';
+   }
if (strcasecmp(m1.user, m2.user))
return 0;
+   }
return 1;
 }
 


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: OpenSMTPD: SMTP_LIMIT_MAIL and SMTP_LIMIT_RCPT

[Gilles Chehade]

On Mon, Dec 08, 2014 at 11:00:50AM +0100, mxb wrote:
 Hello @list,
 
 are there any plans for those constants to be configurable via smtpd.conf?
 

yes, they are actually already configurable in my sandbox thanks to a
diff from a user, however not committed to OpenBSD yet.

out of curiosity, why are you unhappy with the defaults ?


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: OpenSMTPD: SMTP_LIMIT_MAIL and SMTP_LIMIT_RCPT

[Gilles Chehade]

Stupid question but... why not catch the 4xx error and reestablish a new
connection ?

The limits are here for a purpose and bumping them to work-around a lack
of check in some PHP code doesn't strike me as a good idea.

No matter the value you set, value + 1 will still hit the check, while a
very large value will open your servers to some attacks.


On Mon, Dec 08, 2014 at 11:24:21AM +0100, mxb wrote:
 We do a lot of bulk mails and not via local smtp, eg. PHP-code talks directly 
 to opensmtpd.
 opensmtpd used as internal relay/smart host.
 
 I had to higher limits for those two in order to escape
 452 4.5.3 Too many recipients: Too many messages sent ???
 
 //mxb
 
  On 8 dec 2014, at 11:14, Gilles Chehade gil...@poolp.org wrote:
  
  On Mon, Dec 08, 2014 at 11:00:50AM +0100, mxb wrote:
  Hello @list,
  
  are there any plans for those constants to be configurable via smtpd.conf?
  
  
  yes, they are actually already configurable in my sandbox thanks to a
  diff from a user, however not committed to OpenBSD yet.
  
  out of curiosity, why are you unhappy with the defaults ?
  
  
  -- 
  Gilles Chehade
  
  https://www.poolp.org  @poolpOrg
 

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: smtpd: mail stuck in queue

[Gilles Chehade]

On Sat, Nov 29, 2014 at 02:13:46AM +0200, Liviu Daia wrote:
 On 28 November 2014, Gilles Chehade gil...@poolp.org wrote:
  On Thu, Nov 27, 2014 at 10:00:19PM -0500, Hugo Villeneuve wrote:
 [...]
   No, it is not proper behavior. As a store and forward system with
   potentially 4-5 days between submission and delivery, any MTA needs
   to be able to adapt in configuration changes across a long period.
  
 
  So, because a MTA configuration may change across a long period of
  time and that during these changes sometimes someone will decide that
  a mail that used to be ok to relay no longer is or should no longer
  be relayed the same way, you're advocating that we should add logic
  to the MTA for taking guesses at what it should do and adapt to all
  possible changes ?
 [...]
 
 No: the original HELO, FROM, and RCPT TO should be saved in the
 queue file, and there should be a command to re-queue the message.  Then
 when a message is re-queued the entire envelope is resolved again from
 scratch, according to the current config: problem solved.


Well, that depends how you define the problem ;-)

I'm not against having a command to re-enqueue, that is actually what I
suggested myself. YES, WE SHOULD HAVE A COMMAND TO REENQUEUE.

I'm against having the daemon execute the command automatically, and the
reason is that in the if you resolve again from scratch case, you have
some things that are going to be changed and others that aren't.

Since problem is solved according to you, can you tell me which ones ?

I mentionned aliases yesterday, with your method we would resolve again,
so we would go through aliases expansion again. Let's put aside the fact
that everyone would get a mail twice because we're going to be adding an
insane amount of kludge anyway so a few to work around this special case
isn't an issue anymore.

You have resolved again so that the routing method changes, yet you have
decided that expansions caused by the previous routing method should not
be rollbacked.

How do we decide what needs to be rollbacked and what doesn't ?

Can you provide a list we can all agree upon ?

Are you comfortable with taking decisions away from the admin and making
the software take them instead... to cope with changes the admin will do
to the configuration ? Is it ok if the software decides that all mail is
going to dev/null because of a config change and without admin having an
option to actually validate ?


 This is essentially what Postfix does, and I have yet to hear anybody
 arguing it should do something else. :)
 

Are you confident that this behaviour in Postfix is the same as that of
Sendmail, Exim, Qmail to name the most common ?

Just asking because you seem to imply that Postfix is doing things right
and I'd like to hear about what makes its resolving again strategy any
better than the others then.

As for hearing people argue, I don't consider this as a sign of doing
things right. I work with Linux daily, I'm constantly irritated by some
things I have to cope with, and you have yet to hear me argue about it.
My mailbox is full of comments about people irritated about other MTA's
but it has no technical value whatsoever.


Ps: I won't be home before Monday so expect delays in my replies.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: smtpd: mail stuck in queue

[Gilles Chehade]

On Fri, Nov 28, 2014 at 01:31:53AM +0100, Alexander Hall wrote:
 Hi,
 
 I noticed a box of mine having had a misconfigured mail relay, resulting in
 lots of mail queuing up. Now, after fixing the configuration, new mail are
 properly sent.
 
 However, it seems the invalid 'mta-relay' setting, as seen in the envelopes
 of the queued mail does not get revised while issuing 'smtpctl schedule
 ...'. Thus, the old mail stays in the queue.
 
 Any pointers on how to proceed is appreciated, possibly including cluesticks
 as of why the observed behaviour might be the proper one.
 

The observed behaviour may not be the proper one, but at some point we had to
take a decision as to how smart the daemon should try to be:

You send a mail, OpenSMTPD accepts it and tells you it will take care of it.

Now, you change the ruleset, how far should OpenSMTPD go to determine itself
what needs to be changed ?

Are aliases it expanded still valid, should they be reprocessed or removed ?
If reprocessed, we may end up sending mail to people who originally were not
meant to receive it, if removed we may end up deleting mail that some people
were meant to receive. How do we decide what is the right behaviour ?

If a mail that was accepted would be discarded now, do you still send it, or
do you trash it despite the fact you acknowledge you would send it before ?

There are many other cases, such as local deliveries turning into relaying,
or the opposite, which lead to funky situations where there's no way we can
figure out how to automagically fix the envelopes.

So from there, we have two paths:

1- we consider that an envelope is processed according to the rule it has
   matched when it was accepted;

2- we reevaluate the rules every time we process an envelope and we try to
   guess what most people expect in every possible combination of a config
   change ... I can tell you right away that last time we discussed this,
   we couldn't even get 3 people to agree on the action to take in one of
   the simplest case ...


I prefer 1- because:

a- changing your config in incompatible ways that cause an envelope to no
   longer be routable is not something you do on a regular basis, and the
   clusterfuck kludge required to add smartness to cope with these few
   times will be a pain for everyone for very small arguable gain.

b- if you change your config and it leads to a situation where smtpd is
   no longer able to route an envelope, then it's probably up to the admin
   and not the software to decide if/how the envelope should be dealt with.
   some admins will want mails to be routed, others will not, there's no
   way for the software to automatically decide what the correct answer is.

c- no matter what changes you make, the behaviour is predictible: an
   envelope is processed the way it was told to process it when the daemon
   accepted it. things may change and may no longer be what you want, but
   there's no guessing how things will be handled.


Now do we want to prevent you from reevaluating mails that are already in
queue ?

Nope, but IMO the proper fix is not to turn the daemon into a smart guesser
but rather to enhance smtpctl so that when an admin makes a config change,
(s)he can decide to reevalute or not some envelopes or not.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: smtpd: mail stuck in queue

[Gilles Chehade]

On Thu, Nov 27, 2014 at 10:00:19PM -0500, Hugo Villeneuve wrote:
 On Fri, Nov 28, 2014 at 01:31:53AM +0100, Alexander Hall wrote:
  Hi,
  
  I noticed a box of mine having had a misconfigured mail relay, resulting 
  in lots of mail queuing up. Now, after fixing the configuration, new 
  mail are properly sent.
  
  However, it seems the invalid 'mta-relay' setting, as seen in the 
  envelopes of the queued mail does not get revised while issuing 'smtpctl 
  schedule ...'. Thus, the old mail stays in the queue.
 
 I saw that too while configuring my first smtpd attempt (5.6-stable/sparc).
 It made me realize that smtpd is still a young MTA.
 
  
  Any pointers on how to proceed is appreciated, possibly including 
  cluesticks as of why the observed behaviour might be the proper one.
 
 No, it is not proper behavior. As a store and forward system with
 potentially 4-5 days between submission and delivery, any MTA needs
 to be able to adapt in configuration changes across a long period.
 

So, because a MTA configuration may change across a long period of time
and that during these changes sometimes someone will decide that a mail
that used to be ok to relay no longer is or should no longer be relayed
the same way, you're advocating that we should add logic to the MTA for
taking guesses at what it should do and adapt to all possible changes ?

If a configuration change means that no envelopes is routable anymore,
should the software decide to adapt and trash the entire queue without
an admin intervention ? are you comfortable with that ?

If the admin is already changing the config, doesn't it make more sense
that ... (s)he decides what to do with envelopes that are affected by
these changes ?


 I haven't tested the HEAD release yet and didn't found anything in
 smptd and smtpctl manual page how to fix it in stable.
 
 My guess is that you will have to resubmit them. Parse smtpctl
 show queue output, pick field 1,5,6 and then refeed the output of
 smtpctl show message field1 to sendmail -f field5 -- field6 for
 each line. Then delete the stuck ones. (Yeah test that first.)
 
 Good luck.
 
 Hopefully it will get fixed.
 

As I wrote in the other mail, I think the proper fix is to provide admin
the right tool.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: move to git?

[Gilles Chehade]

On Wed, Sep 24, 2014 at 02:29:02PM +0200, Harald Dunkel wrote:
 Hi folks,
 
 Google didn't tell if this has been discussed before, so I wonder
 if you have considered moving from CVS to git?
 

no, this was never discussed before and google doesn't know about it:

http://www.lmgtfy.com/?q=openbsd+git

2nd link.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: Help w/ masquerade feature now that sendmail[1] has been removed from base

[Gilles Chehade]

On Tue, Sep 16, 2014 at 09:41:20AM -0400, RD Thrush wrote:
 sendmail's masquerade function is missing from OpenSMTPD.
 What are the plans for masquerade?
 Update OpenSMTPD or create a sendmail port or document the smtpd filter API 
 or ???
 I've previously asked for help on the opensmtpd-misc mailing list[2].


As I already told you very recently, the plan is to provide masquerading through
a filter. As I also told you, the filter API is pretty much there and masquerade
feature just needs eric and I to find time to complete it.

Given that we're swamped until October, unless someone does it before we do, the
masquerading feature will not be available before mid-October.

If the feature is critical to you and you cannot wait until we complete it, then
clearly the best thing to do is to install a package for another MTA...


 Searching the archives shows that work (on masquerade) was started but 
 appears to have stopped.
 Apparently, masquerade functionality would be possible using the 
 (undocumented) OpenSMTPD filter API.


It has not stopped, it has paused because of summer vacations and daytime work.
You have asked me many times about it and I have told you the current state 
many times.

And YES, _again_, the API is not documented because while it is there and it is
working, we have not decided that it is final and we don't want people to start
assuming the interface is stable.

It shouldn't prevent anyone aware of the possible interface change from writing
filters, there are very few simple functions and some filters skeletons to work
with for anyone knowing a bit of C.


 ericfaurot(2014-02-28) i have a filter-masquerade which is basically working 
 but needs polishing.
 It will be a nice test case for the filter framework.
 /blockquote


There you go.

I know we don't work as fast as you'd like but things are moving forward and
they do at our pace, asking again and again and again is not going to make a
change in how fast we work.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: dual separator?

[Gilles Chehade]

Hi,

On Fri, Aug 22, 2014 at 12:17:54PM -0500, Adam Thompson wrote:
 On 14-08-22 12:09 PM, Claus Assmann wrote:
 On Fri, Aug 22, 2014, Adam Thompson wrote:
 I have a large number of email tags, but use both + and - as a
 separator.
 So far, I'm entering all the - ones into aliases; is there a better way to
 do this?
 In postfix, I was able to use a regex to manipulate incoming addresses to
 Hmm, it might be help to answer your question if you tell us which MTA
 you are using... (or you could switch to postfix...)
 
 Oops... that was meant to go to m...@opensmtpd.org, not misc@openbsd.org.
 That should have made it blindingly obvious, but I'm now using smtpd(8).
 And I've also discovered that the RHS in aliases(5) must be a bare userid,
 and putting a + in there causes newaliases(8) to fail. Not sure why that
 would be intended behaviour, but not sure it's a bug either.
 

There is currently no way of specifying the delimiter, it can only be +
someone opened a ticket on our tracker and after we discuss it it might
change

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: openssh

[Gilles Chehade]

On Thu, Jul 03, 2014 at 10:32:42AM +0200, Henning Brauer wrote:
 * Mihai Popescu mih...@gmail.com [2014-07-02 17:05]:
  Better buy a hardisk, copy your data and mail it abroad. Seriously.
 
 A truck full of harddisks is a transport link with fantastic bandwidth.
 Latency kinda sucks, tho.
 

Sadly, French researchers have found _at least_ one way to DDoS
this transport and make it unusable with very few resources:

 http://french.about.com/od/vocabulary/a/operationescargot.htm

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

Re: OpenSMTPD recipient table with db file

[Gilles Chehade]

On Mon, Jun 02, 2014 at 10:15:15PM +0200, Martijn Rijkeboer wrote:
 Hi,
 
 When I try to use a db file for my recipient table I get invalid use of
 table recipients as RECIPIENT parameter. When I use a plain file it
 works. I've created the db file with makemap -t set recipients. Is this
 on purpose or is it a bug?
 
 Using a plain file:
   table recipients file:/etc/mail/recipients
   accept from any for any recipient recipients relay via ...
 
 Using a db file:
   table recipients db:/etc/mail/recipients.db
   accept from any for any recipient recipients relay via ...
 
 OS: OpenBSD 5.5 AMD64.
 
 Kind regards,
 

Hi,

support for recipient using db tables has been added after 5.5:


http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/table_db.c.diff?r1=1.5;r2=1.6;f=h

the diff will apply as is on smtpd from 5.5 so you can backport it



-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg