PHP 5.3.1 on OpenBSD 4.2
Hey there,

I have a server that runs OpenBSD 4.2 with PHP 5.2.3, and now I just need some information on whether it's possible to switch to PHP 5.3.1 without bigger problems, or whether it's just not recommended. Any kind of help is most appreciated.

Regards
Markus
Re: PHP 5.3.1 on OpenBSD 4.2
On 02.10.2013 14:14, Otto Moerbeek wrote:
> On Wed, Oct 02, 2013 at 01:52:29PM +0200, Markus Rosjat wrote:
>> Hey there, I have a server that runs OpenBSD 4.2 with PHP 5.2.3, and now I just need some information on whether it's possible to switch to PHP 5.3.1 without bigger problems, or whether it's just not recommended. Any kind of help is most appreciated.
>> Regards
>> Markus
>
> 4.2 is 5 years old, you are far better off upgrading the whole machine.
>
> -Otto

Hi Otto,

yeah, that's planned with new hardware, but this is a kind of urgent situation, so if it's possible I need to do the upgrade on this OpenBSD version.

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
G+H Webservice GbR Gorzolla, Herrmann, Kögler
Königsbrücker Str. 70, 01099 Dresden
http://www.ghweb.de    fon: +49 351 8107220    fax: +49 351 8107227
Please check whether this mail really needs to be printed! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: PHP 5.3.1 on OpenBSD 4.2
On 03.10.2013 18:38, Kevin Chadwick wrote:
>> Hi Otto, yeah, that's planned with new hardware, but this is a kind of urgent situation, so if it's possible I need to do the upgrade on this OpenBSD version
>
> Personally I'd still advocate getting a disk ready on 5.4/3, testing and swapping the disk, as it is not much different and will be quicker than imaging, building rather than installing packages and testing on another machine and then swapping the disk. Lots of other less simple choices if you don't mind taking risks of unplanned downtime, of course. You could even deploy carp and have next to no downtime if required.

I have an image for an ESXi, so I will do the test on that, and if I'm successful I just do it step by step on the server. This is maybe the easiest way to go here.
Apache2 config on OpenBSD 5.5
Hey there,

it's kind of confusing to see config files all over the place. I can find files in /etc/apache2 as well as in /var/www/conf. So first things first. As I noticed, apache 1.3 isn't used in OpenBSD 5.5, right? So I can assume there should be no apache 1.3 running at all. Second, I installed the apache2 package and got the config files at /etc/apache2, but when I did some changes I noticed they are not applied after restarting apache, so I took a look around and found config files under /var/www/conf too, which were used by the apachectl script. Besides this I checked my phpinfo() and got the info that I'm running an apache 1.3. So what is the deal now, do I have a 1.3 installed by default when I set up the system, or is it just some weird mix-up that happens because I installed the apache2 package? Another question would be the chroot, is the apache2 chrooted by default still? Oh, and if someone has some helpful links on all this that would be extremely helpful.

Regards
Markus
Re: new OpenSSL flaws
On 06.06.2014 14:15, Kapetanakis Giannis wrote:
> On 06/06/14 14:49, Dmitrij D. Czarkoff wrote:
>> Eric Furman said:
>>> Given the current circumstances Libre.SSL WILL prevail.
>>
>> I hope you are right, but I actually believe that the circumstances of this thread may work against LibreSSL - most likely the time difference between vulnerability disclosure and patches for LibreSSL would be perceived as a security risk.
>
> Let's hope then that when LibreSSL is in production it will not share the same vulnerabilities with OpenSSL. Otherwise, what's the point?
>
> G

Well, I don't know much, but the point in removing 90k lines of C code from something that is messed up means to make it more solid. But that's just my point of view and I'm just a dummy.
rsync -a doesnt keep owner and permissions
Hello,

this has been asked before, but since searching the net always tells me it should work, but not when I try to do it .. I'll ask again.

What I want to do is:
- keep ownership and permissions when I rsync (copy) a file or directory

What I get is:
- I have a user on both machines who is in wheel (this should make it possible to do this)
- when I run $ sudo rsync -a /some/random/file me@remotemachine:/tmp I get the file synced
- file has owner someone:someone and 0600
- when I check the permissions and owner on the remote machine
- file has owner me:wheel and 0644

What I can do but don't want to:
- I can enable root ssh access
- I rsync as root and the owner and permissions get copied, even if the user doesn't exist on the remote machine

Is there any other thing I miss with the sudo approach?

Regards
Re: rsync -a doesnt keep owner and permissions
On 19.08.2014 16:40, Erling Westenvik wrote:
> On Tue, Aug 19, 2014 at 04:27:11PM +0200, Markus Rosjat wrote:
>> Is there any other thing I miss with the sudo approach?
>
> Check out --usermap, --groupmap and --chown in the man page. Haven't tried them myself but AFAIK these options were added to rsync(1) late in 2013 or early in 2014.

This may work on a one-file or user-directory basis, but if I want to sync a location like /var/www/htdocs this will be a bit overkill, and no, I don't want to write a script for this if I can avoid it.

> --
> Vennlig hilsen/Kind regards
> Erling Westenvik
Re: rsync -a doesnt keep owner and permissions
On 19.08.2014 17:06, Adam Thompson wrote:
> The remote rsync command runs as your user, not as root, and so cannot set ownership. IIRC there's an environment variable you can set that specifies how to invoke the remote rsync (post-ssh; there's an env var for establishing the ssh connection, too). Set that to "sudo rsync", would be my guess.
> -Adam

Well, I will give it a shot, and this may be the missing piece here.

> On August 19, 2014 9:27:11 AM CDT, Markus Rosjat ros...@ghweb.de wrote:
>> Is there any other thing I miss with the sudo approach?
Re: rsync -a doesnt keep owner and permissions
On 19.08.2014 17:14, Joseph Borg wrote:
> Wouldn't something like duplicity work better for you in this case?
>
> Regards
>
> Sent from my iPad

Well, as far as I understand it's just another abstraction layer added to rsync, and I don't want to install something that is basically using something I already have. But thanks for the suggestion.
Re: rsync -a doesnt keep owner and permissions
Just a short heads-up on how I did it now; you guys might want to share your opinion on the security of this scenario.

Machine A (from where I want to pull files):
- root can't login over ssh
- sync user can only connect with auth key and from host B
- sync user is allowed to run rsync without pw (sudoers file)

Machine B (from where the rsync is initiated):
- root can't login over ssh
- sync user's private key is here
- sync user can login with pw

Info on the network setup:
- Machine A is only reachable through a firewall machine (not machine B!)
- From the firewall you can't login as the sync user on machine A (as mentioned above)
- Firewall directs traffic from outside only to Machine A
- Of course you can't login as root on the firewall

So in my opinion it should be okay to give the sync user the right to run rsync with no passwd. And since we don't live in a world where we can secure something 100%, I think the approach here is still acceptable. But since there are a lot of more experienced people out there (when it comes to security), I'm open to other suggestions.

Regards
Re: rsync -a doesnt keep owner and permissions
On 21.08.2014 09:01, Janne Johansson wrote:
>> right to run rsync
>
> ..as root? Not that this is 0-days information, but scroll down to the rsync part (you can read the rest later, somewhat linux-centric on the tar part I guess):
> http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
>
> Anyone that can control the contents of the dir, and later run rsync there, may have a decent way to shell out and do whatever. Unless the specific rsync features are important to you, running chrooted internal-sftp for copying may be smarter.

I need to back up stuff from Machine A to B, like the whole htdocs folder. I don't think I can skip the part where some user or root has to do the rsync job. So what I try to do is minimize the points of abuse for this power. If you know a better way of syncing one machine to another, please tell me, because if I can really skip the part where I have to give someone the right to act as root I'll do it. But with my understanding and what I have read so far, it all melts down to the point where someone is telling you: you can get this when you do it as root.

> 2014-08-21 8:47 GMT+02:00 Markus Rosjat ros...@ghweb.de:
>> So in my opinion it should be okay to give the sync user the right to run rsync with no passwd.
>
> --
> May the most significant bit of your life be positive.
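The entry "sync user is allowed to run rsync without pw (sudoers file)" in the setup above deserves to be spelled out: an unrestricted NOPASSWD rsync rule is root on Machine A, because rsync run as root can read or write any file and its -e option runs an arbitrary program, so the wildcard trick Janne links is only one of several ways to cash it in. The narrowing a practitioner would deploy instead is to pin the backup key to a forced command and let that command accept nothing but the one rsync server invocation the pull produces. The guard script below is an added example for this thread, not code from the thread, from rsync or from OpenSSH; the paths /usr/local/bin/rsync-guard, /usr/local/bin/rsync, /var/www/htdocs/ and /backup/htdocs/, the user name sync and the host names A and B are assumptions built on the thread's scenario.

```sh
#!/bin/sh
# rsync-guard: forced command for the backup key on Machine A.
# Added example for this thread, not part of rsync or OpenSSH.
# Assumed names (not from the thread): the guard lives at
# /usr/local/bin/rsync-guard, rsync at /usr/local/bin/rsync, and the
# directory Machine B is allowed to pull is /var/www/htdocs/.
#
# Install on Machine A as root:
#
#   ~sync/.ssh/authorized_keys (one line; "restrict" needs OpenSSH 7.2+,
#   on older sshd use no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding):
#     restrict,command="/usr/local/bin/rsync-guard" ssh-ed25519 AAAA... sync@B
#
#   /etc/sudoers via visudo. sudoers matches the argument list as one
#   space-separated string, so "*" also matches across words; this line is
#   only a backstop, the real check is rsync_cmd_allowed below:
#     sync ALL=(root) NOPASSWD: /usr/local/bin/rsync --server --sender * . /var/www/htdocs/
#
# Machine B pulls with:
#   sudo rsync -a -e ssh sync@A:/var/www/htdocs/ /backup/htdocs/
# sshd on A ignores the command the client asked for and runs this script,
# which sees the requested command line in SSH_ORIGINAL_COMMAND.

RSYNC=/usr/local/bin/rsync
SOURCE=/var/www/htdocs/

# rsync_cmd_allowed CMD
# Returns 0 only if CMD is exactly the server-side command a pull of
# $SOURCE produces: "rsync --server --sender <option-word> . <SOURCE>".
# A shell, another path, a missing --sender (that would let B write into
# $SOURCE), an -e or --rsync-path, or any shell metacharacter is refused.
rsync_cmd_allowed() {
    # Allowlist the characters first; this also keeps the word split
    # below from doing pathname expansion.
    case $1 in
        *[!A-Za-z0-9./_\ -]*) return 1 ;;
    esac
    set -- $1
    [ $# -eq 6 ]        || return 1
    [ "$1" = rsync ]    || return 1
    [ "$2" = --server ] || return 1
    [ "$3" = --sender ] || return 1
    case $4 in                  # e.g. -logDtpre.iLsfx: one dash, letters, dot
        -*[!A-Za-z.]*) return 1 ;;
        -?*) ;;
        *) return 1 ;;
    esac
    [ "$5" = . ]        || return 1
    case $6 in                  # with or without the trailing slash
        "$SOURCE" | "${SOURCE%/}") ;;
        *) return 1 ;;
    esac
    return 0
}

# Forced-command entry point: sshd sets SSH_ORIGINAL_COMMAND; when it is
# unset (interactive use, or this file being sourced) nothing runs.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if rsync_cmd_allowed "$SSH_ORIGINAL_COMMAND"; then
        set -- $SSH_ORIGINAL_COMMAND
        # Rebuild the command from the validated words; the path is our
        # own constant, never the client's string.
        exec sudo -n "$RSYNC" --server --sender "$4" . "$SOURCE"
    fi
    logger -t rsync-guard "refused: $SSH_ORIGINAL_COMMAND"
    echo "rsync-guard: command not permitted" >&2
    exit 1
fi
```

The check is structural rather than a list of known-bad flags: anything that is not six words of the expected shape is refused, including the receiving direction (no --sender), so B can read /var/www/htdocs/ and never write to A. On the receiving side B still needs root to recreate ownership, which is why the pull is started with sudo there; for files whose owner does not exist on B, rsync's --numeric-ids keeps the numeric uid/gid, otherwise -a maps by name.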
remove swap partion after physical machine converted into vm
Hello,

I simply dd'ed the HDD of our server and converted the image to a virtual disk, created a VM and fired it up. Of course I get the information that the softraid can't find another disk, but it's not really needed anymore. The problem I have now is with the swap mount for the 2nd (not present) HDD. I just get into single-user mode, can exit it, and then the machine just boots up as expected. For convenience it would be nice to skip the part with the single-user mode. So is there a way to remove the swap partition or remove the softraid without data loss?

Regards
Markus
Re: remove swap partion after physical machine converted into vm
Hi Josh,

thx for the fast reply, I will check the fstab out, it may solve the problem.

regards
Markus

On 27.08.2014 13:58, Josh Grosse wrote:
> On 2014-08-27 05:15, Markus Rosjat wrote:
>> So is there a way to remove the swap partition or remove the softraid without data loss?
>
> Markus,
>
> With this minimal information, I would guess that your issue is/are non-existent partitions defined in your /etc/fstab configuration file. If that guess is correct, you will find the configuration definitions in the fstab(5) man page, and additional guidance on disk configuration in FAQ 14.
>
> If you want better information, post more information. The more detailed a problem report is, the more accurate and helpful responses will be. See http://www.openbsd.org/report.html and FAQ 2.4
tools for monitoring network traffic
Hello,

just a simple question with a probably more complicated answer. Are there tools out there to simply monitor the network traffic for a webserver, so you get information about which domain caused which traffic over a week or a day? I know I could go and reinvent the wheel by using pf and other tools, but since I'm a lazy guy I want to look for a solution that is already out there.

Thx for the help :)

Regards
in need of openbsd as mailserver with ldap and courier
Hey there,

this is more a request for hiring someone with experience in setting up OpenBSD as a mailserver with OpenLDAP and courier. Since we don't have the time and the resources to set a server up right now, I thought I'd just ask this way. We are located in Dresden, Germany and are looking for a company or an independent. We would of course pay for the job. So if someone or a company in the area is interested, feel free to contact me. My contact information is in the footer of the mail.

Regards
Soekris 6501-70 mSATA and OpenBSD
Hi there,

I have a new Soekris 6501-70 and a KingSpec 8gb mSATA drive. I can install OpenBSD 5.5 over PXE, but after reboot it keeps hanging at the "entry point" msg. I actually did some research before I ordered the mSATA device, because I know the Soekris 6501 has some issues with them, but KingSpec was one of the devices that seemed to have no trouble with booting up. So, simple question: is there something I miss here that needs to be done before I reboot after a fresh install to get the Soekris up and running?

Regards
[Solved] Re: VS: Soekris 6501-70 mSATA and OpenBSD
Hi there,

it seems the tip with the delay did the trick :)

thx
Markus

On 20.02.2015 08:34, Markus Rosjat wrote:
> hi Tuomas,
>
> I tried both default to com0 and not, but same result. But I will check out the other settings, maybe that does the trick :)
>
> thx for the quick reply
>
> regards
> Markus
>
> On 20.02.2015 08:15, Tuomas Tonteri wrote:
>> Hi Markus,
>>
>> Just a quick reply - I've installed a couple of those, but don't have any at hand right now.
>>
>> Sounds like you should check the boot menu:
>>
>>     comBIOS Monitor.  Press ? for help.
>>     show
>>     ConSpeed = 19200
>>     ConLock = Enabled
>>     ConMute = Disabled
>>     BIOSentry = Enabled
>>     PCIROMS = Enabled
>>     PXEBoot = Disabled
>>     FLASH = Primary
>>     BootDelay = 20
>>     FastBoot = Disabled
>>     BootPartition = Disabled
>>     BootDrive = 80 80 80 80
>>     ShowPCI = Enabled
>>     Reset = Hard
>>     CpuSpeed = Default
>>
>> Set the BootDrive to 80 80 80 80 to only boot from the internal first disk. BootDelay helps too, so that the media has time to initialize itself, otherwise the boot often fails (not very much fun when you reboot it remotely and it hangs). Also hope that you have set the default openbsd console to com0.
>>
>>     Using drive 0, partition 3.
>>     Loading.
>>     probing: pc0 com0 pci mem[620K 1022M a20=on]
>>     disk: hd0+
>>     >> OpenBSD/i386 BOOT 3.21
>>     switching console to com0
>>     >> OpenBSD/i386 BOOT 3.21
>>     boot>
>>     booting hd0a:/bsd: 8404228+1102404 [52+381152+367486]=0x9c7d50
>>     entry point at 0x200120
>>
>> Br, Tuomas.
>>
>> --
>> Tuomas Tonteri
>> www.elfcon.net / www.elfcloud.fi
>>
>> -----Original message-----
>> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Markus Rosjat
>> Sent: 20 February 2015 9:06
>> To: OpenBSD misc
>> Subject: Soekris 6501-70 mSATA and OpenBSD
>>
>>> So, simple question: is there something I miss here that needs to be done before I reboot after a fresh install to get the Soekris up and running?
OpenBSD as a Mailserver
Hi there,

what's the usual setup these days for a mailserver? I have an old machine and would like to jump into the future :)

old setup:
OpenBSD 4.2
Courier
Sendmail
LDAP

I would like to keep LDAP because I may want to migrate my mailboxes.

thanks for the advice

Regards
Re: OpenBSD as a Mailserver
Hey Marcus,

thanks for the information, I just edited in my answers below.

Regards
Markus

On 25.03.2015 16:20, Marcus MERIGHI wrote:
> ros...@ghweb.de (Markus Rosjat), 2015.03.25 (Wed) 13:58 (CET):
>> what's the usual setup these days for a mailserver?
>
> below is only my impression of what the usual setup seems to be to me.
>
>> I have an old machine and would like to jump into the future :)
>> old setup:
>> OpenBSD 4.2
>
> OpenBSD 5.6.
>
>> Courier
>
> dovecot from ports/packages, LDAP flavour.
>
>> Sendmail
>
> OpenSMTPd in base. LDAP isn't standard procedure there. But IIRC it works. Alternatively you could LDIF export and write an aliases file from there.
>
>> LDAP
>
> ldap from base works for me, limited feature set compared to openldap.

sorry, it's of course openLDAP I'm running

>> I would like to keep LDAP because I may want to migrate my mailboxes.
>
> I do not understand the above.

In case openLDAP isn't state of the art and something else is preferred these days, I would still like to use openLDAP so I can simply migrate existing mailboxes from the old system to the new system.

> Bye, Marcus
a few questions to httpd
Hi there,

since 5.7 will not have apache or nginx as the out-of-the-box webserver, it would be nice to know something about the new httpd. I tried to google around but I only found man pages. So I try to get some answers here.

Is there some kind of documentation out there? If not:
- does it support chroot
- can you define virtual hosts, and does it support SNI

I could guess more, but I think that's the most important stuff for me right now :) So if some of the insiders could shed some light on the subject, that would be cool.

Regards
Re: a few questions to httpd
Okay, I found some pdf (damn, if you can't google it the right way ...), so I think I just solved this myself, but if someone with experience in setting it up likes to give hints I'll gladly take them :)

Regards
Markus

On 01.04.2015 16:32, Markus Rosjat wrote:
> Is there some kind of documentation out there? If not:
> - does it support chroot
> - can you define virtual hosts, and does it support SNI
Re: a few questions to httpd
On 01.04.2015 17:34, Peter J. Philipp wrote:
> On Wed, Apr 01, 2015 at 05:21:47PM +0200, Markus Rosjat wrote:
>> I'm a german, extremely lazy and a dummy by default (ask around, you'll see), but like my previous mail said I just found a pdf that provides most of the answers I have ;)
>
> I'm a german too, but ask around, we've been upgraded, we're europeans now!

and that's your opinion (okay, a worse Big Bang Theory ref) :-P

> Before, Europe didn't want anything to do with us, but we got friends in the inner circle, just ask Greece! *still smiling from openbsd april 1st jokes*

that's not going to happen, someone has to be the sugardaddy for the EU :)

> -peter

okay, hope this was all german enough so I stop being the evil german and just look forward to 05/2015
Re: a few questions to httpd
On 01.04.2015 16:51, Alexander Hall wrote:
> On April 1, 2015 4:32:43 PM GMT+02:00, Markus Rosjat ros...@ghweb.de wrote:
>> Hi there,
>> since 5.7 will not have apache or nginx as the out-of-the-box webserver, it would be nice to know something about the new httpd. I tried to google around but I only found man pages. So I try to get some answers here.
>
> It didn't occur to you to actually read said man pages? Some, if not all, of your questions might be answered right there... ;-)
>
> /Alexander

I'm a german, extremely lazy and a dummy by default (ask around, you'll see), but like my previous mail said I just found a pdf that provides most of the answers I have ;)

>> Is there some kind of documentation out there? If not:
>> - does it support chroot
>> - can you define virtual hosts, and does it support SNI
>>
>> I could guess more, but I think that's the most important stuff for me right now :) So if some of the insiders could shed some light on the subject, that would be cool.
>>
>> Regards
Re: [solved] a few questions about sftp
okay short improvement maybe the wrong way but so you can revoke the exexute permission on others I changed ownership of /var/sftp to root:sftpuser and permission to 0710 Am 01.05.2015 um 15:46 schrieb Markus Rosjat: Am 01.05.2015 um 15:36 schrieb Markus Rosjat: well I got it running to a point were my user got loged in to his home dir. he is now chrooted to /var/sftp because this one is owned by root and not writeable for others. still can jump from home dir (well it's not really this home) /var/sftp/testsftp to the root (which is the actual home)/var/sftp is there something I can do to prevent this last no go ? okay if I revoke the read permission on /var/sftp it seems to work as I expect it so here is the setup if someone is interested: sshd_config: - no password auth - key auth - sftp is internal-sftp - match rule for group , see below Filesystem: - home owned by root:wheel 0711 - the user dir under home user:sftpuser 0750 (maybe later just 0700) Am 01.05.2015 um 15:15 schrieb Nick Holland: On 05/01/15 07:07, Markus Rosjat wrote: hi there, I just do some testing with sftp access and I stumbled about some things I dont get. if I use the chroot I would asume the user cant browse to the root dir but it seems he can. Do I get the whole chroot thing wrong here ? You get the idea, but you aren't implementing it right, and thus the chroot isn't working. since I want my user to have full acces to his home I use the following setup in sshd_config Match Group sftpuser ChrootDirectory /var/sftp ForceCommand internal-sftp -d %u AllowTCPForwarding no X11Forwarding no I set sshd up to just use key auth and gave the user a nologin because I just want him to use sftp. Ichecked it with a shell so I know the key gets accepted but with the nologin and sftp I cant log in. So it seems the statement we dont need a shell for sftp is not working. are you using internal-sftp? 
yes

I used a different home dir for the sftp users and applied suggested permissions and ownership but it doesn't seem to work

/var/sftp - root:sftpuser 0100

changed that to root:wheel 0711

/var/sftp/testuser - testuser:sftpuser 0750

and I presume testuser is your login name?

yeah, like I said I like to give the user full access to his home; the group permission may be removed if it works without

man sshd_config, search for ChrootDirectory. At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group. You aren't doing that.

no, I just tell ssh that the home is the directory above and move the user to his real home

Yes, that looks strange. Your SFTP user's home dir they will be chrooted in has to be owned by ... ROOT! AND they can't have permissions there! (Whose home is this anyway??)

someone who doesn't need to live in the real home ;)

Now...inside that directory, you can create writable directories. There is a reason for this (of course) -- you don't want your chroot user creating /etc and /dev et al. directories which could be influencing other chroot'ed applications.

Nick.
openldap server problem
hi there, I'm running a 5.7 and installed openldap-server but I didn't notice that I need a special package for cyrus-sasl for ldap. So I deleted the package and installed the right one. So now I've got the problem that I always get complaints regarding /usr/local/lib/libldap-2.4.so.13.0, for example a slapcat:

# /usr/local/sbin/slapcat -a uid=2236
/usr/local/sbin/slapcat:/usr/local/lib/libldap-2.4.so.13.0: /usr/local/sbin/slapcat : WARNING: symbol(ldap_int_global_options) size mismatch, relink your program
5544d44d bdb_monitor_db_open: monitoring disabled; configure monitor database to enable

okay, the monitoring thing I need to figure out too but for now I would like to just get rid of the mismatch msg. Is there any sane solution or is this the point where I just throw away this vm and install a fresh system? btw I used the packages and didn't compile it from source. So is it better to just get the source and make it from scratch (regarding the monitoring stuff too)?

regards
Re: Dovecot with OpenLDAP
just a little update, don't know if it's the right approach

On 02.05.2015 at 19:37 Markus Rosjat wrote:

Hi there, once again some stupid questions :)

1. is there a sane example out there to configure dovecot with openldap on openbsd? - I try to get things running for hours now, all I get is a nice log that tells me that too many files are open. And reading around points to some code snippet which I can't even find in the config files.

okay it seems dovecot runs as root and not as the _dovecot user, so applying a login class for the dovecot group only helps if you add root to it, and now it seems to start properly. So let's see how far we get to configure ldap with it.

2. is it worth the effort trying to get sendmail (the ldap flavour) installed or should I just skip it for a different program?

regards
Dovecot with OpenLDAP
Hi there, once again some stupid questions :)

1. is there a sane example out there to configure dovecot with openldap on openbsd? - I try to get things running for hours now, all I get is a nice log that tells me that too many files are open. And reading around points to some code snippet which I can't even find in the config files.

2. is it worth the effort trying to get sendmail (the ldap flavour) installed or should I just skip it for a different program?

regards
disk quota clarification
Hi there, when I set a quota for a group does this mean the limit is added for the whole group or is it added for each user in the group? Like, I set 100mb as limit for the group: does every member now have a limit of 100mb or does it mean that all members have to share it? So 10 users can write till the 100mb are reached?

regards
[solved] disk quota clarification
Okay, got the answer: group quota does work like a shared limit, so all users of the group are bound to the group quota.

regards markus

On 01.05.2015 at 18:56 Markus Rosjat wrote:

Hi there, when I set a quota for a group does this mean the limit is added for the whole group or is it added for each user in the group? Like, I set 100mb as limit for the group: does every member now have a limit of 100mb or does it mean that all members have to share it? So 10 users can write till the 100mb are reached?

regards
a few questions about sftp
hi there, I just do some testing with sftp access and I stumbled over some things I don't get. If I use the chroot I would assume the user can't browse to the root dir but it seems he can. Do I get the whole chroot thing wrong here?

I set sshd up to just use key auth and gave the user a nologin because I just want him to use sftp. I checked it with a shell so I know the key gets accepted but with the nologin and sftp I can't log in. So it seems the statement "we don't need a shell for sftp" is not working.

I used a different home dir for the sftp users and applied suggested permissions and ownership but it doesn't seem to work

/var/sftp - root:sftpuser 0100
/var/sftp/testuser - testuser:sftpuser 0750

The basic thing here is: can I prevent an sftp user from browsing higher than his own home dir (I don't want him to see my directory layout at all)? If this is possible can I just use key auth for this? And if the first 2 questions get a yes ... what's wrong with my setup :-P Since this is just a test thing I can post the sshd_config if needed.

regards
Re: a few questions about sftp
Well I got it running to a point where my user got logged in to his home dir. He is now chrooted to /var/sftp because this one is owned by root and not writeable for others. Still he can jump from the home dir (well it's not really his home) /var/sftp/testsftp to the root (which is the actual home) /var/sftp. Is there something I can do to prevent this last no-go?

On 01.05.2015 at 15:15 Nick Holland wrote:

On 05/01/15 07:07, Markus Rosjat wrote:

hi there, I just do some testing with sftp access and I stumbled over some things I don't get. If I use the chroot I would assume the user can't browse to the root dir but it seems he can. Do I get the whole chroot thing wrong here?

You get the idea, but you aren't implementing it right, and thus the chroot isn't working.

since I want my user to have full access to his home I use the following setup in sshd_config

Match Group sftpuser
    ChrootDirectory /var/sftp
    ForceCommand internal-sftp -d %u
    AllowTCPForwarding no
    X11Forwarding no

I set sshd up to just use key auth and gave the user a nologin because I just want him to use sftp. I checked it with a shell so I know the key gets accepted but with the nologin and sftp I can't log in. So it seems the statement "we don't need a shell for sftp" is not working.

are you using internal-sftp?

yes

I used a different home dir for the sftp users and applied suggested permissions and ownership but it doesn't seem to work

/var/sftp - root:sftpuser 0100

changed that to root:wheel 0711

/var/sftp/testuser - testuser:sftpuser 0750

and I presume testuser is your login name?

yeah, like I said I like to give the user full access to his home; the group permission may be removed if it works without

man sshd_config, search for ChrootDirectory. At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group. You aren't doing that.
no, I just tell ssh that the home is the directory above and move the user to his real home

Yes, that looks strange. Your SFTP user's home dir they will be chrooted in has to be owned by ... ROOT! AND they can't have permissions there! (Whose home is this anyway??)

someone who doesn't need to live in the real home ;)

Now...inside that directory, you can create writable directories. There is a reason for this (of course) -- you don't want your chroot user creating /etc and /dev et al. directories which could be influencing other chroot'ed applications.

Nick.
[solved] a few questions about sftp
On 01.05.2015 at 15:36 Markus Rosjat wrote:

Well I got it running to a point where my user got logged in to his home dir. He is now chrooted to /var/sftp because this one is owned by root and not writeable for others. Still he can jump from the home dir (well it's not really his home) /var/sftp/testsftp to the root (which is the actual home) /var/sftp. Is there something I can do to prevent this last no-go?

Okay, if I revoke the read permission on /var/sftp it seems to work as I expect it, so here is the setup if someone is interested:

sshd_config:
- no password auth
- key auth
- sftp is internal-sftp
- match rule for group, see below

Filesystem:
- home owned by root:wheel 0711
- the user dir under home user:sftpuser 0750 (maybe later just 0700)

On 01.05.2015 at 15:15 Nick Holland wrote:

On 05/01/15 07:07, Markus Rosjat wrote:

hi there, I just do some testing with sftp access and I stumbled over some things I don't get. If I use the chroot I would assume the user can't browse to the root dir but it seems he can. Do I get the whole chroot thing wrong here?

You get the idea, but you aren't implementing it right, and thus the chroot isn't working.

since I want my user to have full access to his home I use the following setup in sshd_config

Match Group sftpuser
    ChrootDirectory /var/sftp
    ForceCommand internal-sftp -d %u
    AllowTCPForwarding no
    X11Forwarding no

I set sshd up to just use key auth and gave the user a nologin because I just want him to use sftp. I checked it with a shell so I know the key gets accepted but with the nologin and sftp I can't log in. So it seems the statement "we don't need a shell for sftp" is not working.

are you using internal-sftp?

yes

I used a different home dir for the sftp users and applied suggested permissions and ownership but it doesn't seem to work

/var/sftp - root:sftpuser 0100

changed that to root:wheel 0711

/var/sftp/testuser - testuser:sftpuser 0750

and I presume testuser is your login name?
yeah, like I said I like to give the user full access to his home; the group permission may be removed if it works without

man sshd_config, search for ChrootDirectory. At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group. You aren't doing that.

no, I just tell ssh that the home is the directory above and move the user to his real home

Yes, that looks strange. Your SFTP user's home dir they will be chrooted in has to be owned by ... ROOT! AND they can't have permissions there! (Whose home is this anyway??)

someone who doesn't need to live in the real home ;)

Now...inside that directory, you can create writable directories. There is a reason for this (of course) -- you don't want your chroot user creating /etc and /dev et al. directories which could be influencing other chroot'ed applications.

Nick.
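As an added example (not from this thread and not OpenBSD's own code), a POSIX shell helper that applies the rule Nick quotes from sshd_config(5) to every component of a ChrootDirectory path: each one must be a directory, owned by root, and not writable by group or others. It lets a layout like the solved /var/sftp setup above be checked before anyone tries to log in. The function names are ours; `ls -ldn` is used because it prints the mode string and the numeric owner the same way on OpenBSD and Linux.

```shell
#!/bin/sh
# Added example: re-implements the sshd(8) start-up check on a
# ChrootDirectory path so a layout can be verified ahead of time.

# component_ok MODE UID
#   MODE is an ls(1) mode string such as "drwxr-x--x", UID the numeric
#   owner. Prints a short verdict and returns 0 only if the component
#   satisfies the sshd_config(5) rule for ChrootDirectory.
component_ok() {
    mode=$1
    uid=$2
    case $mode in
        d*) ;;
        *)  echo "not a directory"; return 1 ;;
    esac
    [ "$uid" = 0 ] || { echo "owned by uid $uid, not root"; return 1; }
    # Mode string layout is "d" + user + group + other, three characters
    # each, so the group write bit is character 6 and the other write
    # bit is character 9.
    case $mode in
        ?????w*)    echo "group-writable"; return 1 ;;
        ????????w*) echo "world-writable"; return 1 ;;
    esac
    echo "ok"
    return 0
}

# path_prefixes /a/b/c  ->  prints "/", "/a", "/a/b", "/a/b/c", one per line
path_prefixes() {
    p=${1%/}            # drop one trailing slash, if present
    echo /
    acc=""
    oldifs=$IFS
    IFS=/
    set -- $p
    IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        acc="$acc/$comp"
        echo "$acc"
    done
}

# check_chroot_path /var/sftp
#   Checks every prefix of the path on the live filesystem. Returns 0
#   if all components pass, 1 otherwise, and prints one line per
#   component. Paths containing whitespace are not supported here.
check_chroot_path() {
    target=$1
    rc=0
    for dir in $(path_prefixes "$target"); do
        # ls -ldn: field 1 is the mode string, field 3 the numeric uid
        set -- $(ls -ldn "$dir" 2>/dev/null)
        if [ -z "$1" ]; then
            echo "$dir: cannot stat"
            rc=1
            continue
        fi
        msg=$(component_ok "$1" "$3")
        [ $? -eq 0 ] || rc=1
        echo "$dir: $msg"
    done
    return $rc
}

if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it as `sh check_chroot.sh /var/sftp` on the server (as any user; reading ownership needs no privilege). With the solved layout above, /var/sftp at root:wheel 0711 passes while the user's own directory below it is not part of the checked path and can stay user-owned and writable.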
Re: Dovecot with OpenLDAP
On 03.05.2015 at 10:32 Stuart Henderson wrote:

On 2015-05-02, Markus Rosjat ros...@ghweb.de wrote:

okay it seems dovecot runs as root and not as the _dovecot user, so applying a login class for the dovecot group only helps if you add root to it, and now it seems to start properly.

How are you starting Dovecot? The login class mechanism is only used when started with rcctl or /etc/rc.d/dovecot.

I enabled it with rcctl but like I said when I use ps -aux I get the info that the process is owned by root. So to fix the problem with the open files I had to add root to the _dovecot group to add the login class behaviour.

So let's see how far we get to configure ldap with it.

This is the same as on other OSes.

well I want to use the existing database and a simple approach to copy the old db to the new installation seems to work beside some warnings I get for now, but I think that's something I have to figure out

2. is it worth the effort trying to get sendmail (the ldap flavour) installed or should I just skip it for a different program?

Use whichever MTA works best for you, there are several with LDAP support.

well I'm a bit scared when I see the sendmail setup from an old system I use as reference, so I was just wondering if it's worth going the painful way in trying to get it to work on a testsystem :-P
Re: Dovecot with OpenLDAP
okay, openLDAP seems to be more tricky than expected ... I get the slapd running and with slapcat I can get information for a user, but when I try to modify stuff with ldapmodify slapd instantly dies with a "can't connect to server" even though the log shows I was connected before I try to submit the changes. Like I said I just copied the openldap files from one machine to another and changed the config to fit the config of the old config. I tried some stuff from the net with recover and rebuild but this doesn't seem to work at all. Does someone out there have another clue?

On 03.05.2015 at 11:42 Markus Rosjat wrote:

On 03.05.2015 at 10:32 Stuart Henderson wrote:

On 2015-05-02, Markus Rosjat ros...@ghweb.de wrote:

okay it seems dovecot runs as root and not as the _dovecot user, so applying a login class for the dovecot group only helps if you add root to it, and now it seems to start properly.

How are you starting Dovecot? The login class mechanism is only used when started with rcctl or /etc/rc.d/dovecot.

I enabled it with rcctl but like I said when I use ps -aux I get the info that the process is owned by root. So to fix the problem with the open files I had to add root to the _dovecot group to add the login class behaviour.

So let's see how far we get to configure ldap with it.

This is the same as on other OSes.

well I want to use the existing database and a simple approach to copy the old db to the new installation seems to work beside some warnings I get for now, but I think that's something I have to figure out

2. is it worth the effort trying to get sendmail (the ldap flavour) installed or should I just skip it for a different program?

Use whichever MTA works best for you, there are several with LDAP support.
well I'm a bit scared when I see the sendmail setup from an old system I use as reference, so I was just wondering if it's worth going the painful way in trying to get it to work on a testsystem :-P
Re: Question about PHP safe mode
Hey Guys, thanks for the response

On 23.06.2015 at 11:56 Heiko Zimmermann wrote:

Markus, are you kidding? http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-50739/PHP-PHP-5.2.5.html

I'm aware that php isn't a thing you want to use in a 5.2.4 but we don't have customers who are using php scripts anyway for now. Just one customer asked if we could switch off the safe_mode.

And OpenBSD 4.2 was released Nov 1, 2007. You don't think it is important to upgrade?

Sure it is, if you grant me 35h/day I will upgrade it right now ...

Best Regards, Heiko

On 23.06.2015 at 11:44 Markus Rosjat wrote:

Hi there, just a short question... I have a quite old 4.2 OpenBSD with a 5.2.4 PHP version. The safe_mode is on, a customer wants to have it off. Is there any security risk to it or do I need to check something on the system level to disable it but still have my environment secured?

regards
Question about PHP safe mode
Hi there, just a short question... I have a quite old 4.2 OpenBSD with a 5.2.4 PHP version. The safe_mode is on, a customer wants to have it off. Is there any security risk to it or do I need to check something on the system level to disable it but still have my environment secured?

regards
spamdb log question
Hi there, just a simple question, is there a way to separate the spamdb logs into logs for white-, grey- and blacklist entries? It would make the lookup much easier when something goes wrong :)

regards
Re: spamdb log question
hi, well I have scripts to find some evil spammers and stuff when they manage to climb over the greywall :) I was just thinking maybe there is a way with pf or so to channel the entries into different logfiles. But like I said before I can live without it :)

On 01.07.2015 at 14:58 Chris Bennett wrote:

On Wed, Jul 01, 2015 at 11:01:18AM +0200, Markus Rosjat wrote:

Hi there, just a simple question, is there a way to separate the spamdb logs into logs for white-, grey- and blacklist entries? It would make the lookup much easier when something goes wrong :)

I just use:

alias G='spamdb|grep SP;spamdb|grep PED;spamdb|grep G'

when I want to peek at what is NOT WHITE on the log. This lets me quickly whitelist something new, like I just signed up or registered for a site. No way for me to know its IP address beforehand.

You can write a very small perl or shell program to scan the database and append to your new logs. Keep this script running in the background. Have it regularly run spamdb, split off each WHITE, GREY, BLACK line. Check your new logfiles to see if any of these lines already exist, if not, append the new entry to the appropriate log.

There may also be other ways to accomplish this, see what others say.

Chris Bennett
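The splitter Chris describes, written out as an added example (ours, not Chris's or Markus's code): a POSIX shell function that reads spamdb(8) output on stdin, files each line into a per-type log named after its first field, and appends only lines not already recorded there. Function names, the log directory layout and the sample entries (addresses from the RFC 5737 documentation ranges) are ours; spamdb itself emits WHITE, GREY, TRAPPED and SPAMTRAP records, so those are the types handled.

```shell
#!/bin/sh
# Added example: split spamdb(8) output into per-type logs, appending
# only entries that are not already present.

# split_spamdb LOGDIR  < spamdb-output
#   Appends each new line to LOGDIR/<TYPE>.log and prints how many
#   lines were appended. Lines with an unknown first field are ignored.
split_spamdb() {
    logdir=$1
    mkdir -p "$logdir" || return 1
    added=0
    while IFS= read -r line; do
        kind=${line%%|*}              # first pipe-separated field
        case $kind in
            WHITE|GREY|TRAPPED|SPAMTRAP) ;;
            *) continue ;;
        esac
        log="$logdir/$kind.log"
        touch "$log"
        # -F fixed string, -x whole line, -q quiet: exact duplicate check
        if ! grep -Fxq -- "$line" "$log"; then
            printf '%s\n' "$line" >> "$log"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Constructed sample of spamdb output for an offline run.
SAMPLE='WHITE|192.0.2.10|1436770000|1436770060|1439362000
GREY|203.0.113.7|198.51.100.5|<alice@example.org>|<bob@example.net>|1436770100|1436770400|1436770400|0|0
TRAPPED|198.51.100.200|1436771000
WHITE|192.0.2.11|1436772000|1436772060|1439364000'

# demo: run the splitter twice on the same input into a scratch
# directory and print "<first pass count> <second pass count>".
# The second pass must append nothing.
demo() {
    dir=$(mktemp -d)
    first=$(printf '%s\n' "$SAMPLE" | split_spamdb "$dir")
    second=$(printf '%s\n' "$SAMPLE" | split_spamdb "$dir")
    rm -rf "$dir"
    echo "$first $second"
}
```

For real use there is no need for a process running in the background: a cron(8) entry such as `spamdb | split_spamdb /var/log/spamdb` every few minutes gives the same result, and the per-type files can then be watched with tail(1) or grep(1) instead of re-running spamdb each time.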
Re: dhcpd.interfaces question
So if I want to have a vlan interface providing dhcp I need to put dhcpd_flags=vlanXX in rc.conf.local?

regards Markus

On 27.07.2015 at 14:09 Jiri B wrote:

On Mon, Jul 27, 2015 at 02:02:45PM +0200, Markus Rosjat wrote:

Hi there, I just want to set up a dhcp for a Vlan on an openbsd 5.5 box and somehow I can't find the dhcpd.interfaces file. Is there a change in the configuration since 5.x? On a 4.9 installation I still have this file.

No idea but putting the interface name in 'dhcpd_flags' is the way to go.

j.
dhcpd.interfaces question
Hi there, I just want to set up a dhcp for a Vlan on an openbsd 5.5 box and somehow I can't find the dhcpd.interfaces file. Is there a change in the configuration since 5.x? On a 4.9 installation I still have this file.

Regards
odd behaviour of spamdb
hi there, I have the following script to delete spam mx ips from the spamd whitelist and write them in my own blacklist. After that I reload the blacklist with spamd-setup. This seems to work but I noticed when the same ip has another mail in the greylist the ip becomes whitelisted if the delivery attempt is successful (which it shouldn't in the first place because I trapped the ip and put it in my blacklist). This seems like an odd behaviour to me, it's not the end of the world but it feels kinda wrong :)

here is the script:

ip_range=$1
for i in `spamdb | grep "$ip_range" | grep WHITE | awk -F '|' '{print $2}'`; do
    echo $i
    /usr/sbin/spamdb -d $i
    /usr/sbin/spamdb -a -t $i
    echo $i >> /etc/mail/blacksheep.txt
done
/usr/libexec/spamd-setup

maybe someone can give me some hints for improvement

regards
Re: odd behaviour of spamdb
On 13.07.2015 at 10:07 patrick keshishian wrote:

On 7/13/15, Markus Rosjat ros...@ghweb.de wrote:

hi there, I have the following script to delete spam mx ips from the spamd whitelist and write them in my own blacklist. After that I reload the blacklist with spamd-setup. This seems to work but I noticed when the same ip has another mail in the greylist the ip becomes whitelisted if the delivery attempt is successful (which it shouldn't in the first place because I trapped the ip and put it in my blacklist). This seems like an odd behaviour to me, it's not the end of the world but it feels kinda wrong :)

If I understand your message correctly, after removal of the ip from the WHITE list, it still remains in the GREY, which will be WHITE-listed again on the next spamd scan (60 second interval), thus allowing for the successful delivery.

well after the first run of the script the ip should be trapped and in my opinion the grey mail shouldn't whitelist the ip again. I just saw this behaviour 2 times with the same ip because they sent the mail to 3 different mail addresses.

To see this with an IP that has been WHITE-listed, but is still in the GREY, do:

$ spamdb | grep $ip
WHITE|$ip|...
GREY|$ip|...
$ spamdb -d $ip
$ spamdb | grep $ip
GREY|$ip|...
$ sleep 60
$ spamdb | grep $ip
WHITE|$ip|...
GREY|$ip|...

As a side note, your awk bit can be replaced by a `cut -d \| -f 2'.

thanks for the hint :)

--patrick

here is the script:

ip_range=$1
for i in `spamdb | grep "$ip_range" | grep WHITE | awk -F '|' '{print $2}'`; do
    echo $i
    /usr/sbin/spamdb -d $i
    /usr/sbin/spamdb -a -t $i
    echo $i >> /etc/mail/blacksheep.txt
done
/usr/libexec/spamd-setup

maybe someone can give me some hints for improvement

regards
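A reworked version of the trap-by-range script from this thread, added here as an example (ours, not Markus's script or Patrick's suggestion). It keeps the same steps (spamdb -d, spamdb -a -t, append to the blacklist, spamd-setup) but matches the address field itself on a literal prefix instead of grepping the whole line, quotes its variables, and, before changing anything, lists the addresses that also have GREY entries, since Patrick's walkthrough shows that a surviving GREY entry is what brings an address back as WHITE. Function names and the sample entries are ours; the spamdb(8), spamd-setup(8) and blacklist paths are the ones from the thread and can be overridden through the environment so the selection logic can be exercised on captured output.

```shell
#!/bin/sh
# Added example: trap every WHITE address under a prefix, with a
# report of the GREY entries that will survive the operation.

SPAMDB=${SPAMDB:-/usr/sbin/spamdb}
SPAMD_SETUP=${SPAMD_SETUP:-/usr/libexec/spamd-setup}
BLACKLIST=${BLACKLIST:-/etc/mail/blacksheep.txt}

# entries_of TYPE PREFIX  < spamdb-output
#   Prints, once each, the addresses of TYPE entries whose address
#   field (field 2) starts with PREFIX. The comparison is literal, so
#   "192.0.2." (with the trailing dot) selects a /24 and does not also
#   match 192.0.20.x or a timestamp elsewhere on the line.
entries_of() {
    awk -F '|' -v t="$1" -v p="$2" \
        '$1 == t && index($2, p) == 1 && !seen[$2]++ { print $2 }'
}

# grey_leftovers PREFIX  < spamdb-output
#   Prints addresses under PREFIX that are both WHITE and GREY.
#   Trapping removes the WHITE entry, but the GREY one stays and can
#   promote the address to WHITE again on spamd's next pass.
grey_leftovers() {
    awk -F '|' -v p="$1" '
        index($2, p) == 1 && $1 == "WHITE" { white[$2] = 1 }
        index($2, p) == 1 && $1 == "GREY"  { grey[$2] = 1 }
        END { for (a in white) if (a in grey) print a }' | sort
}

# trap_range PREFIX
#   Moves every WHITE address under PREFIX to TRAPPED, appends it to
#   BLACKLIST and reloads spamd. Prints the number of addresses handled.
trap_range() {
    prefix=$1
    [ -n "$prefix" ] || { echo "usage: trap_range PREFIX" >&2; return 2; }
    db=$("$SPAMDB")
    for ip in $(printf '%s\n' "$db" | grey_leftovers "$prefix"); do
        echo "note: $ip also has GREY entries and may be whitelisted again" >&2
    done
    count=0
    for ip in $(printf '%s\n' "$db" | entries_of WHITE "$prefix"); do
        "$SPAMDB" -d "$ip"
        "$SPAMDB" -a -t "$ip"
        printf '%s\n' "$ip" >> "$BLACKLIST"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] && "$SPAMD_SETUP"
    echo "$count"
}

# Constructed sample of spamdb output (RFC 5737 addresses) for an
# offline look at what the selection functions return.
SAMPLE='WHITE|192.0.2.10|1436770000|1436770060|1439362000
GREY|192.0.2.10|198.51.100.5|<a@example.org>|<b@example.net>|1436770100|1436770400|1436770400|0|0
WHITE|192.0.2.11|1436772000|1436772060|1439364000
WHITE|192.0.20.5|1436773000|1436773060|1439365000
GREY|203.0.113.7|198.51.100.9|<c@example.org>|<d@example.net>|1436774000|1436774300|1436774300|0|0'

if [ $# -gt 0 ]; then
    trap_range "$1"
fi
```

Run as `sh trap_range.sh 192.0.2.` on the spamd host. On the sample above, `entries_of WHITE 192.0.2.` returns only 192.0.2.10 and 192.0.2.11 (not 192.0.20.5, which the original `grep $ip_range` would have matched), and `grey_leftovers` flags 192.0.2.10 as the address whose GREY entry outlives the trap.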
verification spamd and traffic
Hi there, I have a spamd running in greylisting mode and maintain my own blacklist that I update manually. So far so good. Yesterday I just did a quite radical adding to my blacklist :) and I noticed my outgoing traffic jumped from around 500mb per day to 3,2gb per day. I checked the traffic with tcpdump and there was no strange traffic going on, just my mail ports and the 25 for the spamd.

So my question is, could the radical adding of IPs cause this (and yeah it's a lot because I added some ranges)? As far as I understand it, when some IP is on a blacklist it gets redirected to spamd right away by pf and then I get some traffic going on. If an IP is not on the blacklist and not known, greylisting jumps in and sends the server away to come back later to decide if it goes through or on the blacklist. So by adding a lot of possible spammers on a blacklist in the first place I generate traffic with them. Could someone confirm this?

Regards
Re: Microsoft Now OpenBSD Foundation Gold Contributor
On 08.07.2015 at 19:04 Jorge Gabriel Lopez Paramount wrote:

Quoting Christer Solskogen christer.solsko...@gmail.com:

On Wed, Jul 8, 2015 at 4:49 PM, Gleydson Soares gsoa...@gmail.com wrote:

Great news !

As I said on the OpenBSD facebook page: I have to say that I find it quite ironic of all of the vendors in the world, the foundation gets a huge donation from Microsoft which yet have implemented it yet. Huge kudos to Microsoft. I guess the next up is Oracle? :-)

I do not find it ironic but suspicious and a little worrying, but have no good rant since I only have contributed buying a CD set and a rucksack. I would like to say only this: if people do not want big companies meddling with OpenBSD as it has been happening with Linux, better its users support it.

Well, Microsoft has learned things in the past and they also hired enough guys to set them on the right track. It's just logical to fund something you might want to learn / get know-how from. I think I just saw an interview with Theo de Raadt where he stated that in his opinion MS is 2nd now when it comes to getting security right on their OS. I think there is still a way to go and I'm not a MS fanboy, but Microsoft showed they want to learn and if this means opening up (and if it's just a little) they do that. I think a good example is SAMBA: as they were forced to cooperate with the samba team they could have sent some guys that have no clue, but no, they sent guys that were decent and knew their stuff because they wanted to benefit from this. So why not be a little happy that the openbsd project got a contribution even from MS? But well, maybe I get it all wrong ...

regards
Soekris 4501 and OpenBSD 5.7
Hi there, just a simple question, is it possible to install a 5.7 on a soekris 4501? It seems when I try to load the bsd.rd from the tftp server the soekris isn't able to handle it. I redirected the console but it gets stuck on the entry point msg.

Regards Markus
Re: Soekris 4501 and OpenBSD 5.7
yeah basically :-P but the hint with the version of the image seems to be the right thing to check. I had the image lying around since earlier this year when I set up a 6501, so this should be a 64bit image, and if I remember right the 4501 is only capable of 32bit. So I'll give it a try with a 32bit image :)

regards Markus

On 16.09.2015 at 18:30 Christian Weisgerber wrote:

On 2015-09-16, Devin Reade <g...@gno.org> wrote:

I don't know about the 4501, but the 5501 works fine.

Also, lunch was okay. Since we are talking about totally different things.
vpn from subnet to subnet through a 3rd endpoint?
Hi there,

as the subject states, is it possible to do that? My tunnels work from the 3rd subnet into each of the other 2 subnets and back from them. I really want to connect from subnet 1 to subnet 2 over the endpoint in the 3rd subnet. So:

subnet 1 <---> subnet 3 ; works fine
subnet 2 <---> subnet 3 ; works fine
subnet 1 <---| subnet 3 |---> subnet 2 ; isn't working

All 3 endpoints are running OpenBSD and ipsec. Some advice would be cool :)

regards
Re: moving postgresql files to separate mount
Hi all,

thanks for the replies, I will try to keep them in mind while I try to move my databases :)

Regards

On 01.06.2016 at 17:22, trondd wrote:
> On Wed, June 1, 2016 3:45 am, Markus Rosjat wrote:
>> Hi there,
>> just need some kind of acknowledgement for my workflow :) A naive approach would be:
>> - extend the virtual disk
>> - create a partition /var/postgresql (that's the folder under var right now)
>> - move the files to the new partition
>> - hope it works :-P
>> So I hope someone with experience in such a scenario can give me a hint or two
>
> You're working with virtual machines? What I do is put /var/postgresql on its own virtual disk. No growing the disk later then tacking on partitions as the data grows. If I need more space, add a new disk, copy the data, unmount the old, mount the new.
>
> Benefits I see of this approach:
> No possible problems resulting from changing the "physical" disk size.
> No leftover partitions in the middle of the disk.
> After a migration, the old disk is still there for an easy rollback.
> In the event of a problem with the server OS, or for testing, or for an easy upgrade via re-install, you can detach the postgres data disk (or copy it) and attach it to a new server OS install.
>
> Tim.
moving postgresql files to separate mount
Hi there,

just need some kind of acknowledgement for my workflow :) A naive approach would be:
- extend the virtual disk
- create a partition /var/postgresql (that's the folder under var right now)
- move the files to the new partition
- hope it works :-P

So I hope someone with experience in such a scenario can give me a hint or two.

Thanks and regards
Re: sendmail mx question
hi there,

no, the real setup is the other way around:

1 shit.example.not.nz. 10 # <<--- always deferring server
2 smtp.example.not.nz. 5 # <<--- real server

so the real smtp has the lower number but higher priority, but like I said my sendmail always ends up with shit.example.not.nz. sendmail 8.14.1 ... yeah it's old, yeah I need to update and yes, no time for now :(

On 05.04.2016 at 16:01, Claus Assmann wrote:
> On Tue, Apr 05, 2016, Craig Skinner wrote:
>>> 1 shit.example.not.nz. # <<--- always deferring server
>>> 2 smtp.example.not.nz. # <<--- real server
>> Your server connects to 'shit.example.not.nz', which defers the mail, telling your server to try again later. So, your server tries again later!!! It has no need to try the backup MX machine, it got told to try
> Really? Which MTA does that? sendmail 8.x?
> Well, it would be nice if the OP provides some real info, but since he didn't do that, I didn't reply...
[solved] sendmail mx question
Hi,

the problem is solved and of course it wasn't me :) After a few debugging sessions with Christoph Viethen it is official: I behave like I should, or at least my mx does. Turns out the other side had a firewall that basically blocked the traffic to my server (yeah, even whitelisting me in the beginning didn't help). Fun part, the admin on the other end admitted that he wasn't able to send mails to my mx ... thank god for enterprise solutions like Watchguard ... they keep everything away :) But after a few clicks the data began to flow!

So thanks for all the help, especially to Chris (from one German to another lol)

Regards
Markus

On 06.04.2016 at 16:43, Markus Rosjat wrote:
> Hi Craig,
> yeah my server is fine in general, but maybe the other admin just has some sort of own ways to blacklist so I might be on their list. I'll check this too, but it seems it could be a routing problem too since the other mx sometimes talks and sometimes not (checked from another location to connect and I was able to connect only once). So I'll give the "nice" guy on the other end of the line a last hint and then I just leave it, because I pretty much ruled out all things that could go wrong on my end.
> Regards
>
> On 06.04.2016 at 16:25, Craig Skinner wrote:
>> Hi Markus,
>> On 2016-04-06 Wed 09:29 AM |, Markus Rosjat wrote:
>>> Okay, with some help from Christoph Viethen I did some testing and confirmed a few things:
>>> - sendmail -bt gave me the right order of the mx to talk to
>>> - I couldn't connect to the server with nc
>>> - I couldn't ping the server
>>> - nslookup gave me the correct IP to the server
>>> What really confuses me, and I only did that to have some other tool checking if it can connect to the mx in question, is the fact that a site like mxtoolbox can talk to the mx.
>> They've probably got your IP address in a blacklist of some sort. Check your mail server's IP address on http://multirbl.valli.org/lookup/ (You might need to be delisted.)
>> Otherwise, try traceroute (-I) from your mail server to theirs to find where the trail ends. Then contact them by phone/fax/freemail with your problem report.
>> Cheers.
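An added illustration, not code from the thread: a small Python model of how an MTA walks a domain's MX list, using the two records Markus posted. The fallback rule modelled is the one Craig describes above (a connection that never gets answered moves on to the next MX, a 4xx deferral does not; real MTAs differ in the 4xx case), and the two scenario tables are constructed. With the real MX filtered by the remote firewall, the model lands on the deferring backup, which is what the [solved] post found.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MX:
    preference: int   # lower value = higher priority, tried first
    host: str


# The two MX records as posted in the thread.
RECORDS: List[MX] = [
    MX(10, "shit.example.not.nz."),   # "always deferring server"
    MX(5, "smtp.example.not.nz."),    # "real server"
]

# Outcome names for one delivery attempt (our labels, not an MTA's):
#   "accepted"    - 2xx, the message was taken
#   "deferred"    - 4xx, "try again later"
#   "unreachable" - the TCP connection never got an answer (timeout/filtered)
Outcome = str
Trace = List[Tuple[str, Outcome]]


def order_mx(records: List[MX]) -> List[MX]:
    """Ascending preference, the order an MTA tries hosts in (equal
    preferences would be randomised by a real MTA; not needed here)."""
    return sorted(records, key=lambda r: r.preference)


def attempt_delivery(records: List[MX], try_host: Callable[[str], Outcome]
                     ) -> Tuple[Outcome, Optional[str], Trace]:
    """Walk the MX list. Rule modelled (Craig's description in the thread):
    an unanswered connection moves on to the next MX; a 4xx deferral is
    taken as "try later" and stops the walk.
    Returns (final outcome, host that produced it, per-host trace)."""
    trace: Trace = []
    for mx in order_mx(records):
        result = try_host(mx.host)
        trace.append((mx.host, result))
        if result == "unreachable":
            continue
        return result, mx.host, trace
    return "unreachable", None, trace   # every MX down: queue and retry later


def diagnose(trace: Trace) -> str:
    """Turn a trace into the hint this thread needed: when the preferred MX
    never answered, the fault is the path to it, not the MX ordering."""
    if not trace:
        return "no MX records"
    skipped = [h for h, r in trace if r == "unreachable"]
    last_host, last_result = trace[-1]
    if skipped and last_result == "deferred":
        return (f"preferred MX {skipped[0]} never answered; fell back to "
                f"{last_host}, which defers. Check the path to {skipped[0]} "
                "(firewall on their side?), not your MX ordering.")
    if last_result == "accepted":
        return f"delivered to {last_host}"
    if last_result == "deferred":
        return f"{last_host} deferred; queued for retry"
    return "no MX reachable; queued for retry"


# Two constructed scenarios.
HEALTHY: Dict[str, Outcome] = {
    "smtp.example.not.nz.": "accepted",
    "shit.example.not.nz.": "deferred",
}
# What the [solved] post reports: the remote firewall dropped connections
# to the real MX, so only the deferring backup ever answered.
FIREWALLED: Dict[str, Outcome] = {
    "smtp.example.not.nz.": "unreachable",
    "shit.example.not.nz.": "deferred",
}


def run(scenario: Dict[str, Outcome]) -> Tuple[Outcome, Optional[str], Trace]:
    return attempt_delivery(RECORDS, lambda host: scenario[host])


if __name__ == "__main__":
    for name, scenario in (("healthy", HEALTHY), ("firewalled", FIREWALLED)):
        outcome, host, trace = run(scenario)
        print(f"{name}: {outcome} via {host}; {diagnose(trace)}")
```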
Re: sendmail mx question
Okay, with some help from Christoph Viethen I did some testing and confirmed a few things:
- sendmail -bt gave me the right order of the mx to talk to
- I couldn't connect to the server with nc
- I couldn't ping the server
- nslookup gave me the correct IP to the server

What really confuses me, and I only did that to have some other tool checking if it can connect to the mx in question, is the fact that a site like mxtoolbox can talk to the mx.
Re: sendmail mx question
Hi Craig,

yeah my server is fine in general, but maybe the other admin just has some sort of own ways to blacklist so I might be on their list. I'll check this too, but it seems it could be a routing problem too since the other mx sometimes talks and sometimes not (checked from another location to connect and I was able to connect only once). So I'll give the "nice" guy on the other end of the line a last hint and then I just leave it, because I pretty much ruled out all things that could go wrong on my end.

Regards

On 06.04.2016 at 16:25, Craig Skinner wrote:
> Hi Markus,
> On 2016-04-06 Wed 09:29 AM |, Markus Rosjat wrote:
>> Okay, with some help from Christoph Viethen I did some testing and confirmed a few things:
>> - sendmail -bt gave me the right order of the mx to talk to
>> - I couldn't connect to the server with nc
>> - I couldn't ping the server
>> - nslookup gave me the correct IP to the server
>> What really confuses me, and I only did that to have some other tool checking if it can connect to the mx in question, is the fact that a site like mxtoolbox can talk to the mx.
> They've probably got your IP address in a blacklist of some sort. Check your mail server's IP address on http://multirbl.valli.org/lookup/ (You might need to be delisted.)
> Otherwise, try traceroute (-I) from your mail server to theirs to find where the trail ends. Then contact them by phone/fax/freemail with your problem report.
> Cheers.
openbsd 4.7 virtual machine on hyper-v
Hi there,

I ported a vm from vmware to hyper-v. The machine boots up, well, some services are failing for now but that's not the issue. I can't get the network adapter working properly. I get the nic and I changed some stuff like ip, mygate, added a new default route, but I can't really ping anything (not from or to the machine). PF is disabled for now so I'm sure that's not the problem. I wrote some posts on the net about problems with OpenBSD and hyper-v, so the general question is ... is hyper-v able to run an openbsd vm at all?

regards
Re: openbsd 4.7 virtual machine on hyper-v
thanks for the info Brian, well it's an internally used machine with some stuff on it that would cost more time to upgrade than to keep it running as it is.

regards
Markus

On 01.03.2016 at 14:27, Brian Conway wrote:
> If this is the de interface from hyper-v, there were fixes for it a release or two back. 4.7 is ancient, you need to upgrade.
> Brian Conway
>
> On Mar 1, 2016 7:10 AM, "Markus Rosjat" <ros...@ghweb.de> wrote:
>> Hi there,
>> I ported a vm from vmware to hyper-v. The machine boots up, well, some services are failing for now but that's not the issue. I can't get the network adapter working properly. I get the nic and I changed some stuff like ip, mygate, added a new default route, but I can't really ping anything (not from or to the machine). PF is disabled for now so I'm sure that's not the problem. I wrote some posts on the net about problems with OpenBSD and hyper-v, so the general question is ... is hyper-v able to run an openbsd vm at all?
>> regards
sendmail mx question
Hi there,

this is more a mail about confirming the problem isn't on my side here. So that's the case: I have a mail to deliver to a domain that has two mx records, but the 2nd record isn't really an mx (so I got told, but they need to keep that for some reasons). So far so good; the priority on the 2nd mx is also lower, so my sendmail daemon should figure to send to the server with the highest priority, but it does not. So here is what I have done to get my server to try to deliver the mail to the right server:
- restarted sendmail
- restarted named

Is there something I can still do to get my sendmail to deliver to the mailserver with the higher priority? I talked to the guy on the other "Mailserver" side and he says we are the only ones who have a problem since they deployed that setup in 2014. But on my side it's the same, this is the only domain where this is happening at all.

I'm grateful for any advice

regards
Re: sendmail mx question
Hi Peter,

yeah my server does retries but always ends up on the mailserver with the lower priority :(

On 05.04.2016 at 12:44, Peter N. M. Hansteen wrote:
> On 04/05/16 11:55, Markus Rosjat wrote:
>> I have a mail to deliver to a domain that has two mx records, but the 2nd record isn't really an mx (so I got told, but they need to keep that for some reasons).
> I would question their competence right there. If it's an MX, it needs to actually handle mail. (Ok, there is the slightly perverse case where the only thing actually listening on port 25 is spamd(8), but still)
>> So far so good; the priority on the 2nd mx is also lower, so my sendmail daemon should figure to send to the server with the highest priority, but it does not. So here is what I have done to get my server to try to deliver the mail to the right server:
>> - restarted sendmail
>> - restarted named
>> Is there something I can still do to get my sendmail to deliver to the mailserver with the higher priority?
> As long as your side keeps retrying, it will eventually manage to deliver to the one that actually accepts mail. But please tell the other side to just fix their setup.
>> I talked to the guy on the other "Mailserver" side and he says we are the only ones who have a problem since they deployed that setup in 2014.
> The only one seeing the problem? No. The only one looking into the problem and telling them about it? Quite possible. As in, most people wouldn't know what to look for, and in most cases mail would eventually be delivered anyway, but delivery would not happen immediately.
> The only advice I can offer is to check that your side has a reasonable retry period (IIRC default setups for all the MTAs on OpenBSD come with reasonable settings, but do check), and tell the other side that for their own sake they need to fix their setup.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
OpenBSD 5.9 on Hyper-V
Hi there,

as the topic says, a short question about OpenBSD and Hyper-V. In older versions of OpenBSD it was not possible to detect the virtual network switch of Hyper-V; is this fixed by now, and if so, can I find some guidance on how to configure the Hyper-V VM to make OpenBSD aware?

Regards
Re: ftp/www.openbsd.org will be down for an upgrade today.
Hey, sorry, found my mistake :) had some urls referenced that seem to be no longer available, so I removed them from the config.

regards
Markus

On 10.05.2016 at 06:36, Bob Beck wrote:
> it has been back for quite some time
>
> On Mon, May 9, 2016 at 1:02 PM, Markus Rosjat <ros...@ghweb.de> wrote:
>> Hi there,
>> just a short question about the site coming up again. Since our spamd-setup tries to get some blacklists from the site, I was wondering if there is any info about the time schedule for the maintenance?
>> Regards
>> Markus
>>
>> On 08.05.2016 at 23:44, Stefan Wollny wrote:
>>> On 05/08/16 at 20:03, Bob Beck wrote:
>>>> There will be an extended downtime of the main ftp and www sites for an upgrade today starting in approximately one hour's time from now. The mirror sites should be unaffected - so use a mirror if you discover the main site is unavailable today.
>>> Anyone know of an up2date mirror of 'current.html'? (Google just found one with the latest entries from 2005...) :-(
>>> TIA.
>>> STEFAN
Re: ftp/www.openbsd.org will be down for an upgrade today.
Hi there,

just a short question about the site coming up again. Since our spamd-setup tries to get some blacklists from the site, I was wondering if there is any info about the time schedule for the maintenance?

Regards
Markus

On 08.05.2016 at 23:44, Stefan Wollny wrote:
> On 05/08/16 at 20:03, Bob Beck wrote:
>> There will be an extended downtime of the main ftp and www sites for an upgrade today starting in approximately one hour's time from now. The mirror sites should be unaffected - so use a mirror if you discover the main site is unavailable today.
> Anyone know of an up2date mirror of 'current.html'? (Google just found one with the latest entries from 2005...) :-(
> TIA.
> STEFAN
strange behaviour spamd
Hi there,

I noticed that a trapped ip gets whitelisted when there are still greylisted messages. This shouldn't happen when I use the -a -t switches to trap the ip, or do I miss something here?

Regards
Re: strange behaviour spamd
This seems flawed, because when I see a spammer sending a mail to 10 addresses and I trap the spammer IP, the grey entries shouldn't override the trap entry at all. I even put the ip on my personal blacklist and called spamd-setup to take effect. At this point the grey entries shouldn't be delivered in my opinion.

On 22.07.2016 at 09:54, Peter Hessler wrote:
> Greytrap addresses only trap the systems when it has not been seen before. In your case, they already have a GREY entry, so they have been seen and the trapping won't take effect.
>
> On 2016 Jul 21 (Thu) at 17:34:37 +0200 (+0200), Markus Rosjat wrote:
>> Hi there,
>>
>> I noticed that a trapped ip gets whitelisted when there are still greylisted messages. This shouldn't happen when I use the -a -t switches to trap the ip, or do I miss something here?
>>
>> Regards
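An added example, not from the thread: a Python check over a spamdb(8) dump that finds exactly the situation Peter describes, an IP that now carries a TRAPPED entry but still has GREY entries created before the trap (those entries were "seen" first, so the trap does not cover them). The dump below is constructed in spamdb's pipe-separated layout with RFC 5737 documentation addresses; a real run would feed it the output of `spamdb`.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed spamdb(8)-style dump, one entry per line:
#   GREY|ip|helo|from|to|firstseen|passtime|expire|blockcount|passcount
#   WHITE|ip|||firstseen|passtime|expire|blockcount|passcount
#   TRAPPED|ip|expire
# 203.0.113.7 was greylisted for two recipients and only then trapped.
SAMPLE = """\
GREY|203.0.113.7|mx.bulk.example|<news@bulk.example>|<alice@example.org>|1469090000|1469104400|1469176400|1|0
GREY|203.0.113.7|mx.bulk.example|<news@bulk.example>|<bob@example.org>|1469090010|1469104410|1469176410|1|0
TRAPPED|203.0.113.7|1469176400
WHITE|198.51.100.4|||1468900000|1468903600|1472000000|2|5
GREY|192.0.2.9|relay.example.com|<x@example.com>|<carol@example.org>|1469091000|1469105400|1469177400|1|0
"""

GREY_FIELDS = ("helo", "from", "to", "firstseen", "passtime",
               "expire", "blockcount", "passcount")
WHITE_FIELDS = ("firstseen", "passtime", "expire", "blockcount", "passcount")


def parse_spamdb(dump: str) -> List[Dict[str, str]]:
    """Parse a spamdb dump into dicts keyed by field name."""
    entries: List[Dict[str, str]] = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        kind, ip = fields[0], fields[1]
        entry = {"type": kind, "ip": ip}
        if kind == "GREY":
            entry.update(zip(GREY_FIELDS, fields[2:]))
        elif kind == "WHITE":
            entry.update(zip(WHITE_FIELDS, fields[-5:]))
        elif kind == "TRAPPED":
            entry["expire"] = fields[2]
        else:                      # SPAMTRAP and anything unknown: keep raw
            entry["raw"] = line
        entries.append(entry)
    return entries


def greylisted_but_trapped(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """IPs with a TRAPPED entry that still hold GREY entries, mapped to the
    recipients of those GREY entries. Per the explanation in this thread,
    such GREY entries predate the trap and are not affected by it, so the
    sender can still pass greylisting for them."""
    trapped = {e["ip"] for e in entries if e["type"] == "TRAPPED"}
    grey: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e["type"] == "GREY" and e["ip"] in trapped:
            grey[e["ip"]].append(e["to"])
    return dict(grey)


def report(dump: str) -> List[str]:
    """Human-readable lines, one per affected IP."""
    found = greylisted_but_trapped(parse_spamdb(dump))
    return [f"{ip}: TRAPPED, but {len(rcpts)} GREY entries predate the trap "
            f"(recipients: {', '.join(rcpts)})"
            for ip, rcpts in sorted(found.items())]


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```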
Testing stability of internet connection for VPN tunnel
Hey there,

like the topic says, I just need to get an idea how to really check if the internet connection can handle the traffic over my vpn tunnel. I was thinking of doing a ping with a bigger payload size and checking how many packets get dropped over a fixed amount of time, but if there is a better and more reliable way to do this then it would be most appreciated to hear it :)

Regards
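An added example (not from the thread) of the measurement Markus proposes: parse the output of a large-payload `ping -c N -s SIZE` run, count losses from gaps in icmp_seq rather than trusting the summary line, and add jitter and worst-case RTT, which matter as much as loss for a tunnel. The ping output and the stability thresholds are constructed assumptions.

```python
import re
from statistics import mean
from typing import Dict, List, Optional

# Constructed ping(8) output for a 1400-byte payload probe: probes 3 and 4
# never came back, probe 6 was badly delayed.
SAMPLE = """\
PING 192.0.2.1 (192.0.2.1): 1400 data bytes
1408 bytes from 192.0.2.1: icmp_seq=0 ttl=54 time=21.4 ms
1408 bytes from 192.0.2.1: icmp_seq=1 ttl=54 time=22.0 ms
1408 bytes from 192.0.2.1: icmp_seq=2 ttl=54 time=20.9 ms
1408 bytes from 192.0.2.1: icmp_seq=5 ttl=54 time=23.1 ms
1408 bytes from 192.0.2.1: icmp_seq=6 ttl=54 time=180.7 ms
1408 bytes from 192.0.2.1: icmp_seq=7 ttl=54 time=21.8 ms
"""

LINE = re.compile(r"icmp_seq=(\d+) .*time=([\d.]+) ms")


def parse_ping(output: str, sent: Optional[int] = None) -> Dict:
    """Collect RTTs by sequence number; lost probes are the gaps.
    `sent` is the count given to ping -c; without it the highest sequence
    seen + 1 is used, which cannot see losses at the end of the run."""
    rtts: Dict[int, float] = {}
    for m in LINE.finditer(output):
        rtts[int(m.group(1))] = float(m.group(2))
    if sent is None:
        sent = (max(rtts) + 1) if rtts else 0
    lost = sorted(set(range(sent)) - set(rtts))
    return {"sent": sent, "received": len(rtts), "lost": lost, "rtts": rtts}


def summarize(stats: Dict, max_loss_pct: float = 1.0,
              max_jitter_ms: float = 30.0, max_rtt_ms: float = 150.0) -> Dict:
    """Loss, jitter (mean |delta| between consecutive received probes) and
    worst RTT, judged against thresholds that are assumptions for a VPN link."""
    vals: List[float] = [stats["rtts"][s] for s in sorted(stats["rtts"])]
    sent = stats["sent"]
    loss_pct = 100.0 * len(stats["lost"]) / sent if sent else 0.0
    deltas = [abs(a - b) for a, b in zip(vals, vals[1:])]
    jitter = mean(deltas) if deltas else 0.0
    worst = max(vals) if vals else 0.0
    problems: List[str] = []
    if loss_pct > max_loss_pct:
        problems.append(f"loss {loss_pct:.1f}% (lost seq {stats['lost']})")
    if jitter > max_jitter_ms:
        problems.append(f"jitter {jitter:.1f} ms")
    if worst > max_rtt_ms:
        problems.append(f"max rtt {worst:.1f} ms")
    return {"loss_pct": loss_pct, "jitter_ms": jitter, "max_rtt_ms": worst,
            "stable": not problems, "problems": problems}


if __name__ == "__main__":
    # In practice: ping -c 100 -s 1400 <far end of the tunnel> > probe.txt
    result = summarize(parse_ping(SAMPLE, sent=8))
    print("stable" if result["stable"] else "unstable: " + "; ".join(result["problems"]))
```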
Re: Testing stability of internet connection for VPN tunnel
Hi there,

maybe it's important to note that the provider change also changed the way we connect to the net. We had a provider router that was basically transparent, so my Soekris could add a static route with its internal ip and it worked. Now we have a modem/router that is not transparent and not manageable at all (Telecolumbus for the German readers). So I can define a route with the internal ip as gateway, but it's not really working for me, at least not with a ping. Besides that, the traffic is going through somehow, maybe because pf is doing some of the work here. So maybe someone out there has some ideas how to overcome this problem too.

Regards
Markus

On 24.01.2017 at 10:05, Markus Rosjat wrote:
> Hey there,
> like the topic says, I just need to get an idea how to really check if the internet connection can handle the traffic over my vpn tunnel. I was thinking of doing a ping with a bigger payload size and checking how many packets get dropped over a fixed amount of time, but if there is a better and more reliable way to do this then it would be most appreciated to hear it :)
> Regards
Re: Migrate Mailserver from sendmail/Courier/LDAP to OpenSMTP/Dovecot/LDAP
Hi Craig,

I will check it out; for now I'm glad about the input I got here from all of you :) The list is in a lot of cases the right place to get help! For me it's hard to battle with some of these things because it's not my main focus. In the end I try to write some code in C# or Python. But since I'm the only guy that wants to battle the cmd on an OpenBSD box, in a world surrounded by Windows environments ... I try to do my best ;) I will take all the input I got and try to make something out of it :) If someone wants to share more insights, plz do so ;)

regards
Markus

On 28.01.2017 at 15:05, Craig Skinner wrote:
> Hi Markus,
> On 2017-01-27 Fri 12:24 PM |, Markus Rosjat wrote:
>> I don't like the idea of one single virtual user handling all the traffic to the mail directories.
> Me neither. Here, all users have proper shell accounts & SSH access, for mutt, etc. Stop Dovecot, unmount /var/mail (where mail stays), dump(1). No SQL "spool".
> There is no LDAP nor SQL, it is all simple stuff;-
> *) The MTA delivers via LMTP to Dovecot - which sieves mail. (Thunderbird & other mail clients have a sieve plugin.)
> *) Users IMAP/POP/SMTP auth via an individual passwd file, which they change via a script (which calls pwqcheck(1) in ports). /etc/passwd is _NOT_ used for mail authentication. (MTA SMTP submission port auth relaying is validated by Dovecot too.)
> No webmail; everybody is expected to have their own IMAP/POP/SSH device.
>
> <postmaster@box:~ 0>$ doveconf -n
> # 2.2.24 (a82c823): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.14 (099a97c)
> # OS: OpenBSD 6.0 i386 ffs
> auth_mechanisms = cram-md5 apop
> auth_username_format = %Ln
> first_valid_uid = 1000
> listen = *
> mail_location = maildir:/var/mail/%u
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
> mbox_write_locks = fcntl
> mmap_disable = yes
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Archive {
>     auto = subscribe
>     special_use = \Archive
>   }
>   mailbox Drafts {
>     auto = subscribe
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     auto = subscribe
>     special_use = \Junk
>   }
>   mailbox Sent {
>     auto = subscribe
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Templates {
>     auto = subscribe
>   }
>   mailbox Trash {
>     auto = subscribe
>     special_use = \Trash
>   }
>   prefix =
>   separator = /
>   type = private
> }
> passdb {
>   args = /var/dovecot/auth.d/%u/passwd.CRAM-MD5
>   driver = passwd-file
> }
> passdb {
>   args = /var/dovecot/auth.d/%u/passwd.CLEAR
>   driver = passwd-file
>   skip = authenticated
> }
> plugin {
>   sieve = file:/var/mail/%u/sieve/;active=active.sieve
> }
> protocols = imap pop3 lmtp sieve
> service auth {
>   unix_listener /var/spool/postfix/private/dovecot-auth {
>     group = _postfix
>     mode = 0660
>     user = _postfix
>   }
> }
> service lmtp {
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = _postfix
>     mode = 0660
>     user = _postfix
>   }
> }
> service managesieve-login {
>   inet_listener sieve {
>     port = 4190
>   }
> }
> ssl = no
> userdb {
>   args = blocking=no
>   driver = passwd
>   result_failure = return-fail
> }
> protocol lmtp {
>   mail_plugins = " sieve"
>   postmaster_address = postmaster
> }
>
> In the future I hope to be able to deploy OpenSMTPd, when the filtering & other work has stabilised.
> Cheers,
Migrate Mailserver from sendmail/Courier/LDAP to OpenSMTP/Dovecot/LDAP
Hi there,

so my question is what is the best strategy to migrate an existing LDAP directory from a system that has sendmail and courier running to a system with openSMTP and Dovecot.

Old system:
- has system accounts that match LDAP accounts
- system accounts to handle access to the filesystem
- LDAP account to auth with courier/sendmail

New system should:
- use old system accounts
- use old LDAP dir to auth with OpenSMTP/Dovecot

Additional questions:
- is it possible to migrate old maildirs to use with dovecot

I don't want to set up just one virtual user to handle dovecot delivery since I already have the LDAP users. I tested setting permissions on directories and files for an LDAP user that has no system account counterpart and it seems to work, but it doesn't feel right to do so in a production environment :)

If someone could give some advice or point in the right direction it would be much appreciated.

Regards
Re: Migrate Mailserver from sendmail/Courier/LDAP to OpenSMTP/Dovecot/LDAP
Hi Kim,

I don't like the idea of one single virtual user handling all the traffic to the mail directories. I did read about it but it feels strange to me. On the other hand I'm only the guy who has to pick up old things and gets tasked to make them work with new parts :(

On 27.01.2017 at 10:48, Kim Zeitler wrote:
> Hi Markus
> On 01/27/17 09:44, Markus Rosjat wrote:
>> Hi there,
>> so my question is what is the best strategy to migrate an existing LDAP directory from a system that has sendmail and courier running to a system with openSMTP and Dovecot.
> Couple of years ago we changed from Courier to Dovecot and in short we wouldn't go back. As setup we hold all our users in LDAP except for system users (_*, root, ...) and have a dedicated server for mail running postfix as MTA and dovecot.
> We started from Postfix+Courier with the LDAP users as system users. The users could log into their accounts via ssh and do whatever they wanted. This configuration caused some problems with performance and also caused some permission problems as the dovecot process had to run as the user.
> Now Dovecot has direct access to the LDAP using the users as virtual users, all maildirs belong to the dovecot user _vmail. Postfix distinguishes between local users and ldap users, local users are directly delivered via local delivery, ldap users relayed to dovecot's lmtp server.
>> - is it possible to migrate old maildirs to use with dovecot
> It is possible, Maildir can be used directly, mbox transferred. There also exists a courier-dovecot-migrate script that rewrites courier's index et al. for dovecot. (https://wiki2.dovecot.org/Migration/Courier) You might want to move courier's flat maildir format to a file system format
>> I don't want to set up just one virtual user to handle dovecot delivery since I already have the LDAP users.
>> I tested setting permissions on directories and files for an LDAP user that has no system account counterpart and it seems to work, but it doesn't feel right to do so in a production environment :)
> See my comment further up to using an _vmail user
> Cheers
> Kim
Re: Simple example for httpd fastcgi
Hi Mark,

I saw that before and did the steps for python like there, and I can test my script in the chroot, but I can't really figure out what to do in the httpd config to get my script called when I surf to it over the browser.

regards
Markus

On 05.11.2016 at 21:16, Mark Willson wrote:

On 05/11/2016, 20:10, "Markus Rosjat" <owner-m...@openbsd.org on behalf of ros...@ghweb.de> wrote:

Hi there, Is there some how-to or examples out there to get a clue how to configure httpd to run python scripts? Regards Markus Sent from my Samsung device.

Markus,

This might help … http://hydrus.org.uk/journal/openbsd-httpd.html

-mark
Re: Simple example for httpd fastcgi
Well, does it mean I have to have a folder /var/www/cgi-bin/hydrus/data to put my scripts in, or does it mean I need to have a cgi-bin folder under /var/www/htdocs/hydrus/data?

regards
Markus

On 06.11.2016 at 16:37, Mark Willson wrote:

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Markus Rosjat
Sent: 06 November 2016 13:56
To: misc@openbsd.org
Subject: Re: Simple example for httpd fastcgi

Hi Mark, I saw that before and did the steps for python like there, and I can test my script in the chroot, but I can't really figure out what to do in the httpd config to get my script called when I surf to it over the browser. regards Markus

On 05.11.2016 at 21:16, Mark Willson wrote:

On 05/11/2016, 20:10, "Markus Rosjat" <owner-m...@openbsd.org on behalf of ros...@ghweb.de> wrote:

Hi there, Is there some how-to or examples out there to get a clue how to configure httpd to run python scripts? Regards Markus Sent from my Samsung device.

Markus, This might help … http://hydrus.org.uk/journal/openbsd-httpd.html -mark

Markus,

Here's what the key portion of the httpd.conf file contains:

    # A name-based "virtual" server
    server "chrome.hydrus.org.uk" {
            alias "chrome"
            listen on * port 80
            root "/hydrus/data"
            log access "hydrus-access.log"
            log error "hydrus-error.log"
            location "/cgi-bin/*" {
                    fastcgi
                    root "/hydrus/data"
            }
    }

Hope that helps.

-mark
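The location block in Mark's config hands every request under /cgi-bin/ to slowcgi(8), which runs the script inside the /var/www chroot; `root` is resolved relative to that chroot, so with his config a request for /cgi-bin/hello.py maps to /var/www/hydrus/data/cgi-bin/hello.py. What follows is an added example of a Python CGI script written for that kind of setup. It is not code from the thread or from the hydrus.org.uk page. It assumes the stock layout instead (the script installed as /var/www/cgi-bin/hello.py, mode 0555) and a python3 interpreter that has been made available inside the chroot so the shebang resolves after slowcgi chroots; both paths are assumptions. The one thing it does beyond "hello world" is treat the query string as untrusted and escape it before echoing it back, which is the mistake a first CGI script usually makes.

```python
#!/usr/local/bin/python3
# Added example: a minimal CGI script for OpenBSD httpd + slowcgi(8).
# Assumed layout (not from the thread): /var/www/cgi-bin/hello.py, mode 0555,
# with a python3 interpreter installed inside the /var/www chroot so that the
# shebang above resolves after slowcgi chroots.
import html
import os
import sys
from urllib.parse import parse_qs

MAX_NAME_LEN = 64  # cap attacker-controlled input before it reaches the page


def build_response(environ):
    """Build (headers, body) from the CGI environment slowcgi hands us.

    Everything derived from the request (query string, method, script name)
    is untrusted, so it is length-limited and HTML-escaped before output.
    """
    params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    name = params.get("name", ["world"])[0][:MAX_NAME_LEN]
    body = (
        "<!doctype html>\n<html><body>\n"
        f"<h1>Hello, {html.escape(name)}!</h1>\n"
        f"<p>Method: {html.escape(environ.get('REQUEST_METHOD', ''))}</p>\n"
        f"<p>Script: {html.escape(environ.get('SCRIPT_NAME', ''))}</p>\n"
        "</body></html>\n"
    )
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body.encode("utf-8")))),
        ("X-Content-Type-Options", "nosniff"),
    ]
    return headers, body


def render(environ):
    """Serialize a CGI response: header lines, blank line, then the body."""
    headers, body = build_response(environ)
    return "".join(f"{k}: {v}\r\n" for k, v in headers) + "\r\n" + body


if __name__ == "__main__":
    # slowcgi passes the request as environment variables and reads our stdout.
    sys.stdout.write(render(os.environ))
    sys.stdout.flush()
```

With slowcgi enabled (rcctl enable slowcgi; rcctl start slowcgi) and the script in place, `curl 'http://host/cgi-bin/hello.py?name=%3Cscript%3E'` should come back with the name escaped as `&lt;script&gt;`. If httpd answers 500 instead, the usual cause is that the interpreter or one of its shared libraries is missing inside the chroot, which is exactly the part of the hydrus.org.uk recipe that copies them in.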
Simple example for httpd fastcgi
Hi there,

Is there some how-to or examples out there to get a clue how to configure httpd to run python scripts?

Regards
Markus

Sent from my Samsung device.
error creating ca cert for iked
hi there,

maybe I did it wrong but I got the following error:

    $ doas ikectl ca ikectl.ca create
    Generating RSA private key, 2048 bit long modulus
    +++
    +++
    e is 65537 (0x10001)
    error on line 27 of /etc/ssl/ikectl.ca/ca-ssl.cnf
    34161266967200:error:0EFFF068:configuration file routines:CRYPTO_internal:variable has no value:/usr/src/lib/libcrypto/conf/conf_def.c:563:line 27
    error on line 27 of config file '/etc/ssl/ikectl.ca/ca-ext.cnf'
    Using configuration from /etc/ssl/ikectl.ca/ca-revoke-ssl.cnf
    error on line 27 of config file '/etc/ssl/ikectl.ca/ca-revoke-ssl.cnf'
    5307585036640:error:0EFFF068:configuration file routines:CRYPTO_internal:variable has no value:/usr/src/lib/libcrypto/conf/conf_def.c:563:line 27

I'm running the current snapshot from 2017-03-25. This also overrides changes made in the cnf files.

regards
Re: error creating ca cert for iked
Hi Andrei,

okay, I will take a look if I can find the diff and apply it, there is always a first time for it :) or I just try to upgrade to the latest snapshot.

regards
Markus

On 27.03.2017 at 21:02, Andrei-Marius Radu wrote:

Hi Markus,

I've sent a diff to bugs@ yesterday which fixes this issue for me.

Cheers,
Andrei.

On Mon, Mar 27, 2017, at 20:43, Markus Rosjat wrote:

hi there,

maybe I did it wrong but I got the following error:

    $ doas ikectl ca ikectl.ca create
    Generating RSA private key, 2048 bit long modulus
    +++
    +++
    e is 65537 (0x10001)
    error on line 27 of /etc/ssl/ikectl.ca/ca-ssl.cnf
    34161266967200:error:0EFFF068:configuration file routines:CRYPTO_internal:variable has no value:/usr/src/lib/libcrypto/conf/conf_def.c:563:line 27
    error on line 27 of config file '/etc/ssl/ikectl.ca/ca-ext.cnf'
    Using configuration from /etc/ssl/ikectl.ca/ca-revoke-ssl.cnf
    error on line 27 of config file '/etc/ssl/ikectl.ca/ca-revoke-ssl.cnf'
    5307585036640:error:0EFFF068:configuration file routines:CRYPTO_internal:variable has no value:/usr/src/lib/libcrypto/conf/conf_def.c:563:line 27

I'm running the current snapshot from 2017-03-25. This also overrides changes made in the cnf files.

regards
Re: UEFI and Hyper-v
Hi,

that's an answer I can go with, I just needed some kind of acknowledgement that it's not totally my fault :-)

regards
Markus

On 27.03.2017 at 10:53, Reyk Floeter wrote:

On Mon, Mar 27, 2017 at 10:46:00AM +0200, Reyk Floeter wrote:

btw. Is there any reason or benefit to use Gen 2? AFAIK, it is only for Windows for secure boot etc. I think Gen 1 is fine for OpenBSD, you even have the hvn(4) and the hyperv(4) drivers now. Even the latest machines in Azure are Gen 1-based.

On Mon, Mar 27, 2017 at 10:07:03AM +0200, Markus Rosjat wrote:

like the topic says I look for some feedback here. I try to set up a Gen 2

And you shouldn't get confused by the naming: "Gen 1" and "Gen 2" implies that one is better than the other. This doesn't seem to be the case - they are just different in regards to legacy devices. Gen 2 is a bit like HVPVM in Xen (or was it PVHVM?). Gen 2 requires UEFI and PV drivers, while Gen 1 does not require them. And we are still missing a PV storage driver (aka. "hvs(4)") for Hyper-V, so it wouldn't support the disk. OpenBSD requires Gen 1 and the pciide(4) emulation on Hyper-V.

Reyk

On Mon, Mar 27, 2017 at 10:07:03AM +0200, Markus Rosjat wrote:

Hi there,

like the topic says I look for some feedback here. I try to set up a Gen 2 Hyper-V VM (Gen 1 is really not a problem) so I need to boot with a UEFI medium. Since the normal iso doesn't provide that I took the following approach:

1. I created a USB stick from installXX.fs
2. verified that I could boot from the stick
3. created a VHDX from the stick
4. attached it to a Gen 2 VM
5. booted the VM, and here I'm stuck for now

It starts to boot but instead of showing me all the nice dmesg stuff I would expect, it just went black. But the rest of the way would look like this:

6. install OpenBSD on another VHDX
7. detach the first VHDX

So the question really is, do I miss a step or is it just not possible at the moment to get it working with Gen 2 VMs? The secure boot feature of the VM is disabled.

Regards
UEFI and Hyper-v
Hi there,

like the topic says I look for some feedback here. I try to set up a Gen 2 Hyper-V VM (Gen 1 is really not a problem) so I need to boot with a UEFI medium. Since the normal iso doesn't provide that I took the following approach:

1. I created a USB stick from installXX.fs
2. verified that I could boot from the stick
3. created a VHDX from the stick
4. attached it to a Gen 2 VM
5. booted the VM, and here I'm stuck for now

It starts to boot but instead of showing me all the nice dmesg stuff I would expect, it just went black. But the rest of the way would look like this:

6. install OpenBSD on another VHDX
7. detach the first VHDX

So the question really is, do I miss a step or is it just not possible at the moment to get it working with Gen 2 VMs? The secure boot feature of the VM is disabled.

Regards
SG driver header
Hi there,

On a Linux system I have the sg driver and sg.h in place to pass a CDB to the ioctl. Is SG3 also present on OpenBSD? If not, what header do I need on OpenBSD?

Regards
Markus

Sent from my Samsung device.
Re: OpenIKED and Windows 10 Client
well, I put the CA certs in the trusted CA folder and the cert for the machine in "Eigene Zertifikate" in the local machine store. It seems to be a problem on the Windows side though

regards
markus

On 12.04.2017 at 11:49, Martijn van Duren wrote:

On 04/12/17 11:42, Stuart Henderson wrote:

On 2017-04-11, Markus Rosjat <ros...@ghweb.de> wrote:

I think the problem is with the Windows side because it tells me there is no certificate to be found. I added the certificate to local machine store -> own certificates (at least in the German UI there is no personal folder)

I think you're adding this cert to the wrong one of the many cert stores on Windows. It worked for me in trusted CAs, though there may be a better option that also works.

One thing that also bit me was that I had to put them in the system-wide store and not in the personal store.
Re: Topics for revised PF and networking tutorial
Since not everyone can attend this conference, will there be a recording of this session? I use pf not so much on a daily basis but I would like to get more insight too ;) And I admit I'm more the visual guy

regards
Markus

On 07.04.2017 at 06:25, li...@wrant.com wrote:

Wed, 5 Apr 2017 17:46:18 +0200 Marko Cupać <marko.cu...@mimar.rs>

On Sat, 1 Apr 2017 10:52:20 +0200 "Peter N. M. Hansteen" <pe...@bsdly.net> wrote:

Hi, I thought I'd like to give you a heads up that there will be a "PF and networking" tutorial at BSDCan 2017 in Ottawa this June. The session will however not be the Nth rerun of the old one, we're starting from scratch this time, and we're looking for input on what to include. Do you have questions on PF and related matters, or are there specific topics you would like to see covered? We want to hear from you, either contact us directly at the reply-to address or use the list.

Queueing. Prioritization. Throttling.

Hi Peter, misc@,

I would second the coherent practical examples in: queues, priorities, bandwidth caps, normalisation & reordering to have quality of service. And all required steps to achieve advanced, fully functional, feature-full typical home, office, lab, ISP, enterprise, etc. setups iteratively, each time incrementally enhancing the previous set of tricks and skill one game at a time, much more a practical hands-on approach to PF. Including performing common tasks of monitoring, maintenance, upgrade, conflict resolution, capturing, post processing, sanitation, enhancement.

My personal interests have always been practical application examples, especially those extending the previous ones in a connected structure. From the default rule set after installation, through getting Internet working, and then fixing the most common pitfalls of poor packet scheduler practices (or lack of) in (dumb) broadband equipment.. through solving all aspects to realisation of complete deployments, as YOU learned it.

The PF features got implemented over time, to solve real actual needs. The typical new user begins with small common tasks up to their needs. The full example shows a complete configuration addressing most needs. The best tutorials give a practical approach to fulfil the real needs. I dream of a revised PF and networking tutorial from sketch to artist.

Thank you ALL for the hard work over the years to complement OpenBSD..

Kind regards,
Anton Lazarov

I have had a hard time configuring these for years now. The fact (or is it rumour?) that prio works only when physical interface bandwidth is saturated couldn't be read in manpages, pf faq, or other 'official' docs, I heard about it by chance: [https://marc.info/?l=openbsd-misc=145261341431381=2] I still haven't found a way to throttle down queues to desired values without using fixed min and max values. Adding NAT to the mix complicates things further. What about queueing of traffic inside GRE tunnels in transport mode protected with IPSEC? Where to read about it? Optimistic me believes that devs are too busy making stuff work and have no time to explain it to us poor admins (by means of manpages, faqs or howtos). But how can I know how to use it if I can't read about it anywhere? Pessimistic me starts to notice that less and less free knowledge can be found around the 'net. If I want answers to my questions, is the best way to start saving money for paying OpenBSD consultants' hourly rates for tuition? If there's any way I could help, don't hesitate to contact me.

--
Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water.
Marko Cupać
https://www.mimar.rs/
OpenIKED and Windows 10 Client
    length 8 type DH id MODP_1024
    ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
    ikev2_pld_ke: dh group MODP_1024 reserved 0
    b836f509 cffb767b 195b214e eec0bee4 8f09d051 65e86ede 333fc989 630171d3
    7b4c945f 2c2077b5 2c567d35 9940a34b a2d230ee 1f8b213b 51a10c60 ddc0d559
    f1781eda 6b48ce2a 16515961 9ffbd6bb 54df7651 68d64454 69ce7224 02690945
    612c6ec1 33fd3d66 87860737 8c583e5a 5a6fcde6 2b707d59 00ebb905 5dc5d63d
    ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
    37bcd238 7a7330f8 b316abe2 c70a206a 2d57e73a 3a3c3bfc 2cac3049 c0493e7b
    ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
    ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
    440c65e1 bb0e01db 450305c7 8580e958 e677a0ad
    ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
    ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
    3c4291d3 331a1068 29e4cfb5 e916aca9 fb61b15c
    ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
    ikev2_pld_certreq: type X509_CERT length 20
    599ac30f ca3aaba9 dfd60bd8 7cdca0c7 8c679fe8
    ikev2_msg_send: IKE_SA_INIT response from 192.168.0.73:500 to 192.168.0.72:500 msgid 0, 325 bytes
    config_free_proposals: free 0xa3bec71f800
    -- end debug output

regards
spamd and outlook.com
Hi there,

so if you have spamd in place in greylisting mode and you have customers that work with people who use Office365 as a service, you will get calls that emails are delayed for a freaking long time, and if you check the ip range that outlook.com could send from you get scared.

So what are the strategies out there to handle this kind of situation? Do you let them all pass and trust that Microsoft is protecting their service enough to stop spamming from hijacked machines that use Office365? Do you gradually grant access to a new ip range if you see it's trying to reach your server and let the rest be?

Just curious here. I had a case where you could dig the mx for a domain and it was an outlook.com server. It was whitelisted in my system, but it seems MS is using this mx to retrieve mail and still sends mails even from that domain with other mx in different ranges. So you see 30 grey entries from different mx that are trying to reach the customer's mailbox.

I'm a little reluctant to whitelist a shitload of ips just to get rid of a 1 or 2 day delay in delivering the message, and yes this was the case.

regards
Re: spamd and outlook.com
hey Peter,

like your pf book very much, helped me a lot to grasp some stuff :) For the host solution I already did this but skipped the part with following the includes. MS is providing a list of their possible ip ranges here https://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx and that's just scary ...

On 21.04.2017 at 11:59, Peter N. M. Hansteen wrote:

On Fri, Apr 21, 2017 at 11:25:14AM +0200, Markus Rosjat wrote:

so if you have spamd in place in greylisting mode and you have customers that work with people who use Office365 as a service, you will get calls that emails are delayed for a freaking long time, and if you check the ip range that outlook.com could send from you get scared.

start with

    $ host -ttxt outlook.com

and follow the includes to the very end. Then weep.

TL;DR: last time I looked that expanded to eighty-some *networks* of varying sizes.

https://github.com/akpoff/spf_fetch fed the relevant domains is one solution, and in addition you will find my collection of manually maintained SPF sedimentation is available at https://home.nuug.no/~peter/nospamd

The problem is that the 'architects' behind outlook.com and their ilk are really not on board with the idea that having some tiny bit of control over where your mail comes from is a good idea, but they were made to comply with the SPF/DKIM/DMARC scheme (straight out of the Rube Goldberg school of engineering), which is one of those endless and endlessly tiresome artifacts of the "something has to be done", "this is something" 'system architect' responses.
Re: spamd and outlook.com
Like I said, I had one case where I had the same message sent from 20 different outlook.com servers, that's just stupid

Regards
Markus

Original message
From: Edgar Pettijohn <ed...@pettijohn-web.com>
Date: 21.04.17 15:20 (GMT+01:00)
To: misc@openbsd.org
Subject: Re: spamd and outlook.com

On 04/21/17 07:12, Reyk Floeter wrote:
> On Fri, Apr 21, 2017 at 01:52:05PM +0200, Boudewijn Dijkstra wrote:
>> On Fri, 21 Apr 2017 12:16:31 +0200, Reyk Floeter <r...@openbsd.org> wrote:
>>> On Fri, Apr 21, 2017 at 11:59:20AM +0200, Peter N. M. Hansteen wrote:
>>>> On Fri, Apr 21, 2017 at 11:25:14AM +0200, Markus Rosjat wrote:
>>> I use the attached script to fetch the SPF entries recursively, in a
>>> plain text format that can be fed into pfctl.
>> Have you tried mx3a.certifiedfactory.info ? ;)
>>
> great
>
> I think you got something wrong:
>
> I don't use this simple script automatically or for "untrusted
> domains", I just use it _manually_ and for _well-known_ offenders like
> outlook.com that break greylisting. SPF is not a security solution,
> but it is a band-aid that helps to handle these stupid cloud-based MTAs.
>
> The script below fixes it - or akpoff's slightly more complicated (and
> probably more correct) version.
>
> Reyk
>
> ---snip---
> #!/usr/bin/perl
>
> # Copyright (c) 2016, 2017 Reyk Floeter <r...@openbsd.org>
> #
> # Permission to use, copy, modify, and distribute this software for any
> # purpose with or without fee is hereby granted, provided that the above
> # copyright notice and this permission notice appear in all copies.
> #
> # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
> # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
> # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
> # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
> # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
>
> $domain = shift @ARGV or die "usage: $0 domain";
> # hash of names already expanded, so include/redirect cycles terminate
> %seen = ();
>
> sub parsespf
> {
>     my $domain = shift;
>     my @foo = `nslookup -q=TXT $domain`;
>     my @results = ();
>
>     foreach (@foo) {
>         # keep only the TXT line that carries the v=spf1 record
>         next if not /$domain\ttext/;
>         next if not s/$domain\ttext = "v=spf1([^"]+)"/$1/;
>
>         @results = split /\s+/;
>         foreach (@results) {
>             next if /.all/;
>             if (s/^ip[46]://) {
>                 # a literal network: print it for the pf table
>                 print "$_\n";
>             } elsif (s/^(redirect|include)[:=]//) {
>                 # another domain: recurse once per name
>                 print "\n#$_\n";
>                 if (!$seen{$_}) {
>                     $seen{$_} = 1;
>                     parsespf($_);
>                 }
>             }
>         }
>     }
> }
>
> parsespf($domain);
>
> 0;

I'm glad I'm not the only one with this problem. I started off just adding individual ip's to my nospamd as needed, but they deliver mail so stupidly. One message may get sent from, in my experience, 4 different ip's so they get trapped each time and I'm guessing they eventually give up. Luckily https://home.nuug.no/~peter/nospamd came across my screen one day. It seems to have cured my problem. Thanks Peter!
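Reyk's script walks include: and redirect= chains with nslookup and prints ip4:/ip6: networks for pfctl; Peter's `host -ttxt outlook.com` advice is the same walk done by hand. Below is an added example in Python (not Reyk's script and not akpoff's spf_fetch) that does that expansion with the checks a whitelist feed should have: cycle detection, the RFC 7208 cap of ten DNS-querying terms so a sloppy or hostile record cannot turn the expander into a DNS loop, validation of every network before it reaches pf, and an explicit list of terms (a, mx, ptr, exists) that need a different lookup instead of being silently dropped. The DNS lookup is passed in as a function so the example runs offline against a constructed sample zone; the names in SAMPLE_TXT are made up and are not outlook.com data. In production the `lookup` argument would wrap a real TXT query, for instance dnspython's `dns.resolver.resolve(name, "TXT")`.

```python
# Added example: recursive SPF expansion into a pf table, in the spirit of the
# Perl script quoted above but with the checks a whitelist feed should have.
# The DNS lookup is injected so this runs offline against constructed records;
# SAMPLE_TXT is made up for the example and is not real outlook.com data.
import ipaddress
from typing import Callable, Dict, List, Optional, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Lookup = Callable[[str], List[str]]

# RFC 7208 section 4.6.4: a record may cause at most 10 DNS-querying terms
# (include, redirect, a, mx, ptr, exists) to be evaluated.  Honouring the same
# cap keeps a broken or hostile record from making us walk DNS forever.
MAX_LOOKUPS = 10

SAMPLE_TXT: Dict[str, List[str]] = {  # constructed sample zone, not real data
    "example.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.test ~all"],
    "_spf.example.test": [
        "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 include:loop.example.test mx -all",
        "google-site-verification=not-an-spf-record",
    ],
    # include cycle back to the top, plus a redirect to a record with junk in it
    "loop.example.test": ["v=spf1 include:example.test redirect=bogus.example.test"],
    "bogus.example.test": ["v=spf1 ip4:999.1.1.1 -all"],
}


def sample_lookup(domain: str) -> List[str]:
    """Stand-in for a TXT query; an unknown name behaves like NXDOMAIN."""
    return SAMPLE_TXT.get(domain, [])


def spf_record(txts: List[str]) -> Optional[str]:
    """Pick the v=spf1 record out of a name's TXT strings, if there is one."""
    for t in txts:
        if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 "):
            return t
    return None


def expand_spf(domain: str, lookup: Lookup,
               max_lookups: int = MAX_LOOKUPS) -> Tuple[List[Network], List[str], int]:
    """Walk include:/redirect= chains and collect ip4:/ip6: networks.

    Returns (networks, unresolved, lookups_used).  `unresolved` lists terms
    that need non-TXT lookups (a, mx, ptr, exists), invalid networks, names
    without an SPF record, and names skipped because the lookup cap was hit;
    those are for a human to review rather than being silently whitelisted.
    """
    seen: Set[str] = set()
    networks: List[Network] = []
    unresolved: List[str] = []
    lookups = 0

    def visit(name: str) -> None:
        nonlocal lookups
        name = name.lower().rstrip(".")
        if name in seen:                  # include/redirect cycle: stop here
            return
        if lookups >= max_lookups:
            unresolved.append(f"lookup-limit:{name}")
            return
        seen.add(name)
        lookups += 1
        rec = spf_record(lookup(name))
        if rec is None:
            unresolved.append(f"no-spf:{name}")
            return
        for term in rec.split()[1:]:
            term = term.lower().lstrip("+-~?")   # drop the qualifier
            if term == "all":
                continue
            if term.startswith(("ip4:", "ip6:")):
                try:
                    net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
                except ValueError:        # never feed garbage into pf
                    unresolved.append(f"invalid:{term}")
                    continue
                if net not in networks:
                    networks.append(net)
            elif term.startswith("include:"):
                visit(term.split(":", 1)[1])
            elif term.startswith("redirect="):
                visit(term.split("=", 1)[1])
            else:                         # a, mx, ptr, exists, exp=...
                unresolved.append(f"{name}:{term}")

    visit(domain)
    return networks, unresolved, lookups


def pf_table_lines(networks: List[Network]) -> List[str]:
    """Render networks one per line, sorted, ready for a pf table file."""
    return [str(n) for n in sorted(networks, key=lambda n: (n.version, n))]


if __name__ == "__main__":
    nets, todo, used = expand_spf("example.test", sample_lookup)
    print("\n".join(pf_table_lines(nets)))
    print("# %d lookups; review manually: %s" % (used, ", ".join(todo)))
```

The output of pf_table_lines() can go into the file behind a `table <nospamd> persist file "..."` rule and be reloaded with `pfctl -t nospamd -T replace -f <file>`. The `unresolved` list is the part worth reading before doing that: a term like `mx` expands to whatever the sender's MX hosts resolve to at that moment, so it belongs in a manually maintained list like Peter's rather than in an automatic feed, and a `lookup-limit` entry means the record is over the RFC limit and other receivers will be failing it too.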
Re: OpenIKED and Windows 10 Client
As I stated before, I did all the cert installing for the local machine store. I will try to create some more certs with different "names" just to see if this makes a difference. I might be wrong about what the real FQDN is, or better, what Windows believes it should be :)

regards
Markus

On 12.04.2017 at 17:21, Bobby Johnson wrote:

If you're doing pure certificate auth, not eap, I think you need both certs. They do need to be installed under the local computer account. Install the CA cert in the trusted root CA store, put the machine cert in the personal store. I also think it may be necessary to put the full asn1_dn of the server and client certs in the src_id and dst_id lines of the iked config.

On Wed, Apr 12, 2017 at 6:45 AM, Stuart Henderson <s...@spacehopper.org> wrote:

On 2017-04-12, Markus Rosjat <ros...@ghweb.de> wrote:

On 12.04.2017 at 11:49, Martijn van Duren wrote:

On 04/12/17 11:42, Stuart Henderson wrote:

On 2017-04-11, Markus Rosjat <ros...@ghweb.de> wrote:

I think the problem is with the Windows side because it tells me there is no certificate to be found. I added the certificate to local machine store -> own certificates (at least in the German UI there is no personal folder)

I think you're adding this cert to the wrong one of the many cert stores on Windows. It worked for me in trusted CAs, though there may be a better option that also works.

One thing that also bit me was that I had to put them in the system-wide store and not in the personal store.

well, I put the CA certs in the trusted CA folder and the cert for the machine in "Eigene Zertifikate" in the local machine store. It seems to be a problem on the Windows side though

You only want the CA certificate, not the machine certificate.
Re: OpenIKED and Windows 10 Client
just to be clear, I don't need to install the client cert on the OpenBSD machine? And since this is eating up my time I might switch back to ikev1 and isakmpd. At least there I know I get it done

regards
markus

On 13.04.2017 at 10:13, Markus Rosjat wrote:

As I stated before, I did all the cert installing for the local machine store. I will try to create some more certs with different "names" just to see if this makes a difference. I might be wrong about what the real FQDN is, or better, what Windows believes it should be :)

regards
Markus

On 12.04.2017 at 17:21, Bobby Johnson wrote:

If you're doing pure certificate auth, not eap, I think you need both certs. They do need to be installed under the local computer account. Install the CA cert in the trusted root CA store, put the machine cert in the personal store. I also think it may be necessary to put the full asn1_dn of the server and client certs in the src_id and dst_id lines of the iked config.

On Wed, Apr 12, 2017 at 6:45 AM, Stuart Henderson <s...@spacehopper.org> wrote:

On 2017-04-12, Markus Rosjat <ros...@ghweb.de> wrote:

On 12.04.2017 at 11:49, Martijn van Duren wrote:

On 04/12/17 11:42, Stuart Henderson wrote:

On 2017-04-11, Markus Rosjat <ros...@ghweb.de> wrote:

I think the problem is with the Windows side because it tells me there is no certificate to be found. I added the certificate to local machine store -> own certificates (at least in the German UI there is no personal folder)

I think you're adding this cert to the wrong one of the many cert stores on Windows. It worked for me in trusted CAs, though there may be a better option that also works.

One thing that also bit me was that I had to put them in the system-wide store and not in the personal store.

well, I put the CA certs in the trusted CA folder and the cert for the machine in "Eigene Zertifikate" in the local machine store. It seems to be a problem on the Windows side though

You only want the CA certificate, not the machine certificate.
Re: ipsec ... again
hi, comments below

On 19.04.2017 at 23:23, Remi Locherer wrote:

here is the ipsec.conf on the openbsd machine

    ike from {10.10.10.0/24} to 10.10.15.0/24 \

You need to add "peer AA.BB.CC.DD" here.

why? It's a passive setup, the active side can have the peer part, or did this change lately?

If you control both ends of the VPN I recommend you choose stronger cyphers. Check the defaults of OpenBSD or the recommendation of ENISA: https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014

I start with a simple setup, using a stronger cypher will be the next step after I confirmed my setup works

How do you start isakmpd? This should configure your system to start isakmpd and load the ipsec rules during boot:

    # rcctl enable isakmpd
    # rcctl set isakmpd flags -vK
    # rcctl enable ipsec

I just use the -K flag

and here is the pf.conf

Add the log keyword to your pf rules. Without that it's hard to debug. Also check man ipsec.conf for a full example.

if there is no traffic it seems kinda useless trying to log it at that point. I tried tailing the daemon log but it wasn't too helpful either.
Running OpenBSD on Hypervisor
Hi there,

just like to get opinions or examples of OpenBSD as a guest on a hypervisor. I had it running on a VMware host but since the free version is missing quite a lot of features I was wondering where to look. I also tried Hyper-V from MS and this looks quite ok. So if the "virtual" guys would like to share their experience it would be nice. I'm open for everything, so KVM or bhyve are points I've looked at but haven't tried for now.

thanks for the input

regards
Re: Running OpenBSD on Hypervisor
Hi, ok it's not nice to ask general things I got it :( So basically I like to know what kind of Hypervisors are used out there and work for people. With that input I can look more closely into some of the Options and check out if the fit my needs. I was not fully aware that there is a OpenBSD version too. Since I plan to just run OpenBSd guest I take a look there too. In the end I want to figure out which of these options come close to things I want to do. So if VMware wants me to pay a shitload of money just to get replication without inventing the wheel again to make it work on a free version I like to take a look at hypervisor that can do it or is at least not that costly. I hope this explains my question somewhat more :( sorry for the bad english Im just a german and we are mainly evil then skilled at languages :) Am 08.03.2017 um 16:35 schrieb Reyk Floeter: Hi, what exactly is your question? Nowadays OpenBSD runs by default on: - OpenBSD vmm - Xen (HVM modes) - Hyper-V - VMware - KVM - VirtualBox - bhyve - qemu (also aarch64 and others) - sun4v logical domains - ... We have PV drivers for all of them in GENERIC. Reyk Am 08.03.2017 um 07:07 schrieb Markus Rosjat <ros...@ghweb.de>: Hi there, just like to get opinions or examples of OpenBSd as guest on a hypervisor. I had it running on a VMware Host but since the free version is missing quiet a lot features I was wondering where to look at. I also tried Hyper-V from MS and this looks qiet ok. So if the "virtual" guys like to share there expericence it would be nice. Im open for every thing so KVM or BHive are points Ive looked at but haven't tried for now. thanks for the input regards -- Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de G+H Webservice GbR Gorzolla, Herrmann Königsbrücker Str. 70, 01099 Dresden http://www.ghweb.de fon: +49 351 8107220 fax: +49 351 8107227 Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! 
ipsec ... again
Hi there,

since my attempt with ikev2 failed I thought I'd go back to ikev1, but it seems that since the last time I used it something has changed with that too. I simply try to set up a site-to-site tunnel with a PSK. Here is the ipsec.conf on the OpenBSD machine:

ike from {10.10.10.0/24} to 10.10.15.0/24 \
        main auth hmac-sha1 enc blowfish group modp1024 \
        quick auth hmac-sha1 enc blowfish group modp1024 \
        psk "my_psk"

and here is the pf.conf:

### define networks ##
tun_in="10.10.15.0/24"
tun_end="{10.10.10.0/24}"

# simple ipsec
pass in proto { esp ah } to ($ext_if)
pass in on $ext_if proto udp from any to port {500 4500} keep state
pass in on enc0 proto ipencap
pass in on enc0 from {$tun_in} to $tun_end
pass out proto {esp ah}
pass out on enc0 from $tun_end to {$tun_in}

This works at least for an OpenBSD 5.6 and a Shrew Soft client (this is basically my other endpoint). With this setup I'm not able to connect to an OpenBSD 6.1, and the logs don't show anything helpful. So the question is: where do I need to do the rewriting, and is there some example besides the ipsec.conf in /etc/examples?

Regards
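For comparison, here is an added example (not from the thread, and not the poster's configuration) of a complete ikev1 PSK site-to-site setup between two OpenBSD 6.1 gateways, with the ipsec.conf and the matching pf.conf rules side by side. The gateway addresses (198.51.100.1 and 203.0.113.1), the macro names and the PSK placeholder are assumptions; only the ipsec.conf(5) and pf.conf(5) keywords are real. It differs from the posted config in three ways a practitioner would want to check: the remote gateway is named explicitly with `peer` instead of being left for isakmpd to infer from a network rule, the transforms are stronger ones (aes-256, hmac-sha2-256, modp2048) rather than blowfish with modp1024, and the pf rules accept IKE and ESP only from that peer rather than from `any`.

```conf
# /etc/ipsec.conf on gateway A (added example, assumed addresses)
# Gateway B uses the same file with the *_gw and *_net macros swapped.
local_gw   = "198.51.100.1"
remote_gw  = "203.0.113.1"
local_net  = "10.10.10.0/24"
remote_net = "10.10.15.0/24"

# ikev1, ESP tunnel between the two LANs. 'peer' names the remote
# gateway explicitly; both sides must use identical transforms and PSK.
ike esp from $local_net to $remote_net \
        local $local_gw peer $remote_gw \
        main  auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 group modp2048 \
        psk "replace-with-a-long-random-secret"

# /etc/pf.conf fragment on the same gateway ($ext_if is defined elsewhere)
local_gw   = "198.51.100.1"
remote_gw  = "203.0.113.1"
local_net  = "10.10.10.0/24"
remote_net = "10.10.15.0/24"

# IKE (500/udp), NAT-T (4500/udp) and ESP, only to and from the known peer.
pass in  on $ext_if proto udp from $remote_gw to $local_gw  port { 500 4500 }
pass out on $ext_if proto udp from $local_gw  to $remote_gw port { 500 4500 }
pass in  on $ext_if proto esp from $remote_gw to $local_gw
pass out on $ext_if proto esp from $local_gw  to $remote_gw

# Decrypted traffic shows up on enc0: the outer ipencap header and the
# inner LAN-to-LAN packets. if-bound keeps these states off $ext_if.
pass in  on enc0 proto ipencap from $remote_gw to $local_gw keep state (if-bound)
pass in  on enc0 from $remote_net to $local_net keep state (if-bound)
pass out on enc0 from $local_net  to $remote_net keep state (if-bound)
```

Check the syntax with `ipsecctl -n -f /etc/ipsec.conf` and `pfctl -nf /etc/pf.conf` before loading anything. isakmpd should run with `-K` (`rcctl set isakmpd flags -K`) so that its policy comes from ipsec.conf alone, and `ipsecctl -sa` shows the flows and SAs once the peer has negotiated. Keep /etc/ipsec.conf readable by root only, since it holds the PSK, and generate the PSK from a real random source rather than a word.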
Opensmtpd-extras documentation
Hi there,

Is there some documentation on the ldapFilter? It's kinda frustrating to see a 535 Auth failed even though you are sure you got the right credentials. I have OpenLDAP running, but without some basic info on how to pass looked-up information on to smtpd I'm lost here.

Regards
Markus

Sent from my Samsung device.
Re: Opensmtpd-extras documentation
Ok, turns out it's not an LDAP problem at all ... since OpenSMTPD doesn't authenticate with a plain password at all, it will always fail.

regards
markus
maildrop-postfix question
Hi there,

I try to get maildrop to work with postfix, so I installed the maildrop-postfix package and did the config in main.cf. The strange part is that maildrop still tries to use authdaemon ... well, I thought okay, install courier-utils because it seems both things are related, and I get all the auth tools, but they don't work because authdaemon still isn't there.

So the basic question here is: what to enable with rcctl to get authdaemon up and running, or if this isn't the way to go with maildrop and postfix, what is, to get rid of logs like

Command output: ERR: authdaemon: s_connect() failed: No such file or directory
/usr/local/bin/maildrop: Temporary authentication failure.

regards
OpenSMTP and OpenLDAP
Hi there,

I was just wondering whether these two work together at all? I saw examples with ldapd, which ships with the OS, but not with OpenLDAP. Since I try to get my user table defined, and the man page only has options for db and file, what's the way to go here, if there is a way at all?

Regards
Re: OpenSMTP and OpenLDAP
Well, it seems no one has an answer to that. So while you always see examples for ldapd, I'm still confused, since man smtpd.conf states you should use file:/ or db:/ to define a table, and no other option like ldap:/ is mentioned at all. So let's refine the question ... Is LDAP supported in OpenSMTPD at all? And if so, where to find a piece of information on how to configure it?

regards
Markus
Re: OpenSMTP and OpenLDAP
Hey Henrik,

This was the hint I was looking for! I will check that out :)

Regards
Markus

Original message
From: Henrik Friedrichsen <hen...@diff.cc>
Date: 25.07.17 19:15 (GMT+01:00)
To: misc@openbsd.org
Cc: ros...@ghweb.de
Subject: Re: OpenSMTP and OpenLDAP

Hey,

On Tue, Jul 25, 2017 at 10:50:32AM +0200, Markus Rosjat wrote:
> I was just wondering if these two work together at all? I saw examples with
> ldapd that ships with the OS but not with OpenLDAP. Since I try to get my
> user table defined, and the man only has options for db and file, what's the
> way to go here if there is a way at all?

The OpenSMTPD-extras package should have an LDAP filter. I have no experience with it and whether it works with OpenLDAP, but it might be a starting point: https://github.com/OpenSMTPD/OpenSMTPD-extras/tree/master/extras/tables/table-ldap
Relayd 2 domains on 2 separate VMs
Hi there,

since I'm discovering the possibilities for having a few VMs behind 1 external IP, I was wondering if this kind of setup is possible with relayd? So I was thinking:

1 gateway with OpenBSD and relayd and the external IP
2 VMs, each with an httpd running, hosting a domain behind that gateway

I don't want load balancing here! I need to separate the hosting of the domains to different machines because of some software that is running on one of the machines but is not needed on the other one. Is this kind of setup possible, or do I need to look for some other piece of software than relayd?

Regards
Re: Relayd 2 domains on 2 separate VMs
Hi Denis,

this seems to look like it, I will give it a try :) I'm fairly new to this subject, so sorry if I asked a simple question, but as far as searching on the net goes, most of the time I end up with a load balancing example :)

regards
Markus

On 26.04.2017 at 11:01, Denis Fondras wrote:
> > I don't want load balancing here! I need to separate the hosting of the
> > domains to different machines because of some software that is running on
> > one of the machines but is not needed on the other one.
>
> Something like that?
>
> # cat /etc/relayd.conf
> ext_addr="185.xxx.xxx.xxx"
>
> table { 192.168.1.31 }
> table { 192.168.1.21 }
>
> http protocol "httpsproxy" {
>         match request quick header "Host" value "app.mydomain.fr" forward to
>         match request quick header "Host" value "app2-0.mydomain.fr" forward to
>         match request quick header "Host" value "www.mydomain.fr" forward to
>         match request quick header "Host" value "app2-1.mydomain.fr" forward to
> }
>
> relay "proxy" {
>         listen on $ext_addr port 443 tls
>         protocol "httpsproxy"
>         forward with tls to port 443
>         forward with tls to port 443
> }
OpenLDAP and filesystem permission
Hi there,

I basically want to know if it's okay to set permissions on a file or directory for an LDAP user even if there is no local user on this machine. Hope someone understands what I mean; the background is setting up a mail server with user management over LDAP. The naive way for me would be creating a local user with the same name as the one in the LDAP db, so I can set the permissions on the Maildirs for the local user. This leaves me with maintaining LDAP and local users, but if I could use only the LDAP user this would be nice (it works at least in my test env). But is this considered secure, or should I stick with the LDAP + local user approach?

regards
Re: torrent downloads
Hi,

I think it's kinda pointless to have a torrent for this. You've got enough good mirrors to download from anyway. And nowadays it's not a biggie to download an ISO or so of somewhat 200 MB. And yes, I'm the proud owner of some awesome puffy shirts too (if someone is concerned about the download part :-P).

regards
markus

On 27.04.2017 at 13:55, Thuban wrote:
> Hello,
>
> I was wondering if there is any particular reason explaining why there is no torrent file to retrieve OpenBSD *.fs and *.iso. I've been looking on the list and only found this site that doesn't seem up to date [1]. If the reason is a lack of human resources, I think I can handle it.
>
> Regards.
>
> [1] : http://openbsd.somedomain.net/
relayd splice timeout
Hi there,

I was playing around with relayd just to get a feeling for it. So I started with relaying an ssh connection to a machine behind my gateway.

But it seems there is some kind of config value I miss, because after like 8 minutes the open ssh connection suddenly gets closed. Running relayd in the foreground shows a splice timeout.

So the question is: can I, and if so where can I, adjust the timeout value?

SSH might be a bad example for relayd use, but it's the easiest starting point, I thought. Better to discover stuff before a setup gets more complicated.

Regards
Re: relayd splice timeout
Original message
From: Hiltjo Posthuma <hil...@codemadness.org>
Date: 28.04.17 11:34 (GMT+01:00)
To: Markus Rosjat <ros...@ghweb.de>
Cc: misc@openbsd.org
Subject: Re: relayd splice timeout

On Thu, Apr 27, 2017 at 07:11:56PM +0200, Markus Rosjat wrote:
> Hi there,
>
> I was playing around with relayd just to get a feeling for it. So I started
> with relaying an ssh connection to a machine behind my gateway.
>
> But it seems there is some kind of config value I miss because after like 8
> minutes the open ssh connection gets suddenly closed. Running relayd in
> foreground shows a splice timeout.
>
> So question is, can I and if so where can I adjust the timeout value.
>
> SSH might be a bad example for relayd use but its the easiest starting point
> thought. Better to discover stuff before a setup gets more complicated.
>
> Regards

Hey,

Have you tried "session timeout"? They can be used for relays and redirections. See the RELAYS and REDIRECTIONS section in relayd.conf(5).

--
Kind regards,
Hiltjo

Hi,

I'll give it a try and check if it makes a difference. Thanks for the hint
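The two relayd threads above (Denis Fondras' Host-header config, whose `<name>` table references are missing from the copy in the archive, and Hiltjo's pointer to `session timeout`) fit in one relayd.conf. The following is an added example written for this page, not the configuration of either poster: the external address 203.0.113.10, the backend addresses, the table names `vm_www`, `vm_app` and `vm_ssh`, and the host names under example.org are all assumptions. It shows the complete shape of a Host-header router that refuses requests for names it does not host, with a plain TCP relay for ssh whose idle timeout is raised above relayd's default of 600 seconds.

```conf
# /etc/relayd.conf (added example; addresses and names are assumed)
ext_addr = "203.0.113.10"

# One table per backend VM. A table is referenced as <name> in both the
# filter rules and the relay's forward statements; the name is arbitrary.
table <vm_www> { 192.168.1.21 }
table <vm_app> { 192.168.1.31 }
table <vm_ssh> { 192.168.1.10 }

http protocol "hostrouter" {
        # Send the client an HTTP error page instead of just closing the socket.
        return error
        # Record the real client address for the backend's logs.
        match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
        # Route on the Host header; 'quick' ends evaluation at the first hit.
        pass request quick header "Host" value "www.example.org" forward to <vm_www>
        pass request quick header "Host" value "app.example.org" forward to <vm_app>
        # Anything that matched no host name above is refused rather than
        # sent to whichever forward happens to be listed first in the relay.
        block
}

relay "www" {
        # For this listener relayd loads /etc/ssl/203.0.113.10:443.crt and
        # /etc/ssl/private/203.0.113.10:443.key.
        listen on $ext_addr port 443 tls
        protocol "hostrouter"
        # Every table used in a forward action of the protocol must be listed here.
        forward to <vm_www> port 80
        forward to <vm_app> port 80
}

# Plain TCP relay, here for ssh to one VM. relayd tears down an idle session
# after 600 s unless told otherwise; allow a day for long interactive logins.
relay "sshgw" {
        listen on $ext_addr port 2222
        forward to <vm_ssh> port 22
        session timeout 86400
}
```

`relayd -n -f /etc/relayd.conf` checks the syntax and `relayctl show sessions` lists the active sessions. For ssh specifically, a client-side `ServerAliveInterval` (or `ClientAliveInterval` on the server) keeps traffic flowing and avoids the idle timeout without making it huge; the relayd setting is still what decides when a truly idle session is dropped.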
OpenBSD 6.1 some Warnings when using OpenLDAP Tools
Hi there,

this is more info than a problem, though, since it seems to work. When I use the slap tools like slapcat I get a size mismatch warning like this:

slapcat:/usr/local/lib/libicuuc.so.12.0: /usr/local/lib/libicudata.so.12.0 : WARNING: symbol(icudt58_dat) size mismatch, relink your program

It's a fresh install from the ports, so some of the maintainers might like to know that.

regards