Re: Testing changes in current using a liveCD

2015-06-21 Thread Walter Alejandro Iglesias
After realizing that FuguIta runs stable and not current like I thought
(sorry for the noise) I decided to download a snapshot from an openbsd
mirror and to install it in my Thinkpad T410.  I indeed noticed an
improvement in the CPU temperature issue:

With 5.7 release after booting:

hw.sensors.fan0=3283 RPM
hw.sensors.temp0=43.00 degC
hw.sensors.itherm0.power0=5.00 W

With 5.8 Jun 18th snapshot idem:

hw.sensors.fan0=1981 RPM
hw.sensors.temp0=37.00 degC
hw.sensors.itherm0.power0=4.00 W

Even so there is no improvement in battery life.  Two hours maximum.


   ***

OFF TOPIC

I had to change my email address to be able to post this message; the
original address I'd subscribed to this mailing list was blacklisted
without apparent reason.  I asked for help sending a message to
owner-majord...@openbsd.org as pointed at in the majordomo web interface
(using this new address since the other is banned); no response.  So
I'll repeat here my suggestion to warn others about the issue: new users
of openbsd mailing lists should be aware about the long delays they'll
experience because of the spamd greylist settings, and, honestly, the
postmaster should consider if spam is really more annoying than
suffering this greylisting measure.


Walter



Re: Testing changes in current using a liveCD

2015-06-21 Thread Walter Alejandro Iglesias
On Sun, Jun 21, 2015 at 05:24:35PM -0400, Peter Pauly wrote:
 A twenty percent power reduction is no improvement? You have high
 expectations.

I know that my English is horrible :-) but what do you read below?

 On Sun, Jun 21, 2015 at 5:13 PM, Walter Alejandro Iglesias
 roque...@gmail.com wrote:
  I indeed noticed an improvement in the CPU temperature issue:

I ignore why (I'm not an engineer) the battery life didn't reflect
that improvement.  That's what I meant.


Walter



-- 
PLEASE, LET'S PRESERVE GOOD EMAIL PRACTICES
- Use plain text (no HTML please).
- Separate paragraphs with empty lines.
- Use hard wrapped lines at no more than 72 columns.
- Avoid top-posting.
- You'll find the above easy to accomplish by using a decent email
  client (i.e. Thunderbird, Claws mail, Mutt).



Testing changes in current using a liveCD

2015-06-18 Thread Walter Alejandro Iglesias
Hello,

I'd appreciate someone tell me if I'm doing something wrong.  I want to
test the latest ACPI changes in two Thinkpad I own (T410 and x201).
I assume:

  1. To test current I can just use the latest snapshot.

  2. FuguIta LiveCD is regularly updated to the latest snapshot.

In case I'm not wrong about some of those two assumptions.  I tested my
T410 and x201 with 5.7 release and June 17th 2015 snapshot without
noticing any differences.  I took in care the values shown by
hw.sensors and apm, for example with both (release and snapshot) in x201
the values are around:

hw.sensors.fan0=3283 RPM
hw.sensors.temp0=43.00 degC
hw.sensors.itherm0.power0=5.00 W

Please tell me if I'm wrong in any step.


Walter







Testing USB webcam with mplayer

2015-07-01 Thread Walter Alejandro Iglesias
I've noticed an mplayer issue on OpenBSD.  With different desktop
machines and usb webcams I've successfully tested the webcam with the
command:

$ mplayer tv://

But in all cases, when you press 'q' mplayer hangs for some seconds
before quitting.

Any idea of why this happens?


Walter






comsat-biff issue

2015-07-04 Thread Walter Alejandro Iglesias
Hello,

After running:

# cp /etc/example/inetd.conf /etc/
# /etc/rc.d/inetd -f start
$ biff y
$ echo Hello | mail -s 'testing biff' `whoami`

Biff should print its message and beep in login shells.  But nothing
happens.

Now I have installed:

OpenBSD 5.8-beta (GENERIC.MP) #1116: Wed Jul  1 12:50:20 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

With 5.7 amd64 release and older amd64 snapshots it didn't work either.
However it works ok in FuguIta (i386).


Walter






Re: CPU power consumption on thinkpad x201

2015-05-22 Thread Walter Alejandro Iglesias
On Wed, May 20, 2015 at 08:56:57PM -0600, Shaun Reiger wrote:
 Hello I'm trying to find out if the power consumption relating to the
 intel_powerclamp driver (Package Level C-state Idle Injection for
 Intel CPUs) was ever fixed. I'm current running 5.7 stable and I find
 my cpu is still consuming 6W of power in any state.  It was mentioned
 in the emails from last year that a Linux driver fixed this issue. Any
 updates on this issue would be great.

I had running OpenBSD in my Thinkpad T410 for some months suffering this
issue.

In the while I made tests with a Linux liveCD with 3.8 kernel.  With
intensive CPU usage, i.e. running mplayer without interruption, the
battery life (9 cell) was the same in both OSs, exactly two hours.  But
with light CPU usage (i.e. editing files with vi) OpenBSD still died
after two hours but with Linux I got around three and a half.

The 3.8 kernel hadn't the intel_powerclamp module.

Unfortunately I had to reinstall Linux.  Now running 3.10.17 with
intel_powerclamp module I get an average of three and a half hours of
battery life.  So it seems that it isn't the intel_powerclamp module
what makes the difference, at least in T410 model.


Walter







Re: comsat-biff issue

2015-07-06 Thread Walter Alejandro Iglesias
Hello Todd,

On Mon, Jul 06, 2015 at 06:37:24AM -0600, Todd C. Miller wrote:
 Is your mail being delivered to /var/mail/yourname or do you have
 a .forward file?  The comsat daemon is notified by mail.local which
 delivers mail to the local mail spool.  If you have a .forward file,
 mail.local is not used and you won't get a biff notification.

Till you mentioned about it I've ignored the existence of
/usr/libexec/mail.local. :-)  I'm new to OpenBSD.  Is it some kind of
procmail's alike functionality?

My configuration is almost the after-install defaults.  There's just
a /root/.forward created at install time pointing to my user.  I thought
about it, I tried removing that .forward file and removing aliases I'd
added later and logged in *only* root user I sent email from root to root
to find out if some variable set in my ~/.kshrc or ~/.profile could be
interfering.

I tried modifying the comsat line in inetd.conf, using just udp4,
removing the ip limit prefix, etc.  I've tried installing procmail
(telling smtpd to use it).  I did some tests stopping /etc/rc.d/inetd
and running inetd -d from the command line.

With the default inetd.conf, after sending a mail to myself:

# inetd -d
ADD: 127.0.0.1:comsat proto=udp, wait.max=1.256 user:group=root:wheel builtin=0 server=/usr/libexec/comsat
ADD: ::1:comsat proto=udp6, wait.max=1.256 user:group=root:wheel builtin=0 server=/usr/libexec/comsat
ADD: daytime proto=tcp, wait.max=0.256 user:group=root:wheel builtin=1959e0e08630 server=internal
ADD: daytime proto=tcp6, wait.max=0.256 user:group=root:wheel builtin=1959e0e08630 server=internal
someone wants comsat
14937 execv /usr/libexec/comsat

The last two lines appeared right after sending the email.  I understand
(in my ignorance) that means inetd *receives* the notification (from
mail.local?).  And the following is what netstat shows:

# netstat -a -p udp
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address  Foreign Address(state)
udp  0  0  localhost.biff *.*
udp  0  0  *.syslog   *.*
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address  Foreign Address(state)
udp6 0  0  localhost.biff *.*
udp6 0  0  *.syslog   *.*


And that's all that came to my mind (I've tried also opening and closing
my living room's window several times :-)).

I know biff isn't a big concern but I insisted because I thought it
could be a symptom of some other more important issue.



  - todd


Walter






Thinkpad Batteries

2015-07-13 Thread Walter Alejandro Iglesias
About Thinkpad's batteries.

A bit off-topic being a hardware specific question but taking in care
several people here say to use Thinkpads (and the cost of their
batteries) I think it'll be useful for everyone to share our experience.

My experience with these laptops is short, I bought a refurbished x201
in Jan 2014 and a T420, second hand too, in Sep 2014.  The first came
with a *new* 9-cell lenovo original battery that lasts almost 6 hours
long as who sold me had promised me.

I received the T420 with a used 6-cell lenovo original battery that gave
me barely 2 hours.  I presumed it'd give me 6 like the x201 with
a 9-cell one, so I bought through ebay a *supposed* lenovo original
new 9-cell battery that suddenly *died* after 15 days of use :-).  The
vendor refunded me the money so the second time I bought some of those
*trade-less* 9-cell ones you find in ebay.  That's the one I have in use
since Dec 2014.  Initially it lasted ~4.5 hours, but now, after 7 months
of use, it lasts no longer than 2 hours.

As I told you my experience with these laptops (and laptops in general)
is short so I don't know if I wasn't lucky or those in forums that
assure these batteries can give *15 hours* did the test in suspended to
RAM state :-).

Did some of you get 15 hours from some of these batteries?  If that's
true, what tech specs should I take in care at time to buy a new one?


Walter






Re: Thinkpad Batteries

2015-07-13 Thread Walter Alejandro Iglesias
On Mon, Jul 13, 2015 at 04:56:33PM +0200, Walter Alejandro Iglesias wrote:
 I bought a refurbished x201 in Jan 2014 and a T420...

Sorry, I'm getting old and idiot.  The laptop isn't a T420, it's a T410.


Walter



Re: Thinkpad Batteries

2015-07-13 Thread Walter Alejandro Iglesias
 This doesn't directly apply to OpenBSD, but it gives you an idea of
 the complexity:

 https://wiki.freebsd.org/TuningPowerConsumption

Good info.

Thanks,


Walter



Re: comsat-biff issue

2015-07-07 Thread Walter Alejandro Iglesias
Upgraded to latest snapshot and Biff is alive and barking again ;-).

Thanks Todd.


Walter



Re: Low brightness in text console

2016-06-06 Thread Walter Alejandro Iglesias
Another option (using current):

Section "Module"
    Load "dri2"
    Load "glamoregl"
EndSection

Section "Device"
    Identifier  "Card0"
    Driver      "intel"
    BusID       "PCI:0:2:0"
    Option      "AccelMethod"   "glamor"
EndSection

There are some Linux forums where people complain about experiencing
screen brightness issues using intel SNA acceleration.  Some of them got
them fixed by setting the "Backlight" option to the correct value as
explained in the intel(4) man page:

Option "Backlight" "string"
Override the probed backlight control interface. Sometimes the
automatically selected backlight interface may not correspond to
the correct, or simply most useful, interface available on the
system. This allows you to override that choice by specifying
the entry under /sys/class/backlight to use.

You won't find /sys/class/backlight in OpenBSD.  And setting the value
to "intel_backlight" as explained in some Linux wikis won't work since
in openbsd the interface seems to be wscons:

$ grep backlight /var/log/Xorg.0.log
[ 34783.393] (--) intel(0): found backlight control interface wscons

If after exiting X you run:

$ wsconsctl display.brightness

It'll return a value that doesn't correspond with the actual (very low)
brightness.  The wscons stored brightness value isn't reset but right
after you press the Fn+brightness keys.  I deduce SNA driver doesn't
pass wscons the brightness control properly.  Let's hope some expert
here tell us why. :-)


Walter



Re: Can't change screen brightness Acer Aspire ES1-411

2016-06-13 Thread Walter Alejandro Iglesias
Does this workaround work for you?

http://marc.info/?l=openbsd-misc&m=146520183827302&w=2
http://marc.info/?l=openbsd-misc&m=146523968007324&w=2

If it does then it's related to this bug:

http://marc.info/?l=openbsd-bugs&m=146451346724515


(I'm just a user, not a developer)



mailx umask

2016-06-25 Thread Walter Alejandro Iglesias
Some security concern

Wouldn't it be better for mailx to use umask 077 to save mbox files by
default as Mutt does (or to provide a ~/.mailrc variable)?



Some shell scripts I've wrote

2016-08-03 Thread Walter Alejandro Iglesias
Hello,

Not what you asked for, but taking in care some people here complain
about not having a "desktop wireless connection app" as they got used by
the popular OSs, I'll share (shamelessly) what I improvised to solve my
specific needs with the aim to encourage others to write their own
solutions.

In my case, since I prefer to use ethernet cables and static IP
addresses for all machines in my home LAN, I wrote the following shell
scripts to connect my laptop in those occasions I'm out, in a bar or a
restaurant.  They are also intended to be useful individually; if at
some place I have an ethernet cable available, I directly run the second
one (dhcp-connect.sh) to establish a provisional dhcp connection, then
(optionally) when I shut down the machine before leaving the place, the
third one (reset-LAN.sh) restores the LAN version of /etc/hosts and
/etc/resolv.conf so I don't need to bother about resetting them manually
when I'm back home.

I'm new to openbsd, it surely offers simpler ways to accomplish the same
tasks that I still ignore (advice welcome).


=
#!/bin/sh
# ~/bin/wifi.sh - occasional wireless connection in OpenBSD

[ "`whoami`" != "root" ] && { echo "You must be root"; exit 1; }

# PUT YOUR NORMAL USER HERE
user=morlock

# IMPORTANT: if you don't use dhcp in your home LAN save a copy of your
# LAN version of /etc/resolv.conf and /etc/hosts to this directory.
backdir=/home/$user/.wifi

[ ! -d $backdir ] && mkdir $backdir
rec=$backdir/stored
[ ! -e $rec ] && {
    touch $rec
    chmod 600 $rec
    chown $user:$user $rec
}
# The script runs as root: create the scratch file with mktemp so its
# name in /tmp cannot be predicted.
tmp=`mktemp /tmp/wifi-XXXXXXXXXX` || exit 1

# FUNCTIONS
cancel()
{
    ifconfig $int -inet -inet6 -nwid -bssid -wpakey -nwkey
    ifconfig $int down
    # Quoted so that an unset variable makes the test fail cleanly.
    [ -f "$tmp" ] && rm "$tmp"
    [ -f "$stored_tmp" ] && rm "$stored_tmp"
    exit 1
}

get_password()
{
    if grep -i $bssid $rec; then
        echo -n "Use the above \"$nwid\" stored password? [Y/n] "
        read answer
        if [ "$answer" != "n" ]; then
            password=`grep -i $bssid $rec | awk '{ print $2 }'`
        else
            # The network name comes from the scan: never use it as a
            # printf format string.
            printf '%s %s %s: ' "$nwid" "$enc" "$message"
            read password
        fi
    else
        printf '%s %s %s: ' "$nwid" "$enc" "$message"
        read password
    fi
}

# SELECT WIRELESS INTERFACE
interfaces="`ifconfig wlan | awk -F: '/^[^\t]/ { print $1 }' | xargs`"
if [ ! "$interfaces" ]; then
    echo "No wireless interfaces found." 1>&2
    exit 1
elif [ `echo "$interfaces" | wc -w | xargs` -gt 1 ]; then
    echo $interfaces
    int=none
    until echo $interfaces | grep -q $int; do
        echo -n "Interface? "
        read int
    done
else
    int=$interfaces
fi

trap cancel INT
ifconfig $int up
ifconfig $int -inet -inet6 -nwid -bssid -wpakey -nwkey

# SCAN AND CHOOSE AN ACCESS POINT
echo 'Scanning on '$int'...'
ifconfig $int scan | awk -F'\t' '/\tnwid/ { print $3 }' | nl -s') ' > $tmp
if [ `awk 'END { print NR }' $tmp` -eq 0 ]; then
    echo "No access points found."
    cancel
elif [ `awk 'END { print NR }' $tmp` -gt 1 ]; then
    sed 's/\(.*\) nwid \(.*\) chan .*/\1 \2/' $tmp
    ap=0
    until egrep -q "^ *$ap\) nwid" $tmp ; do
        echo -n "number? "
        read ap
    done
else
    ap=`awk -F\) '{ print $1 }' $tmp | sed 's/ *//'`
fi

# GET AP DATA
bssid=`egrep '^ +'$ap')' $tmp | egrep -o '(..:){5}..' | tr "[a-f]" "[A-F]"`
nwid=`grep -i $bssid $tmp | sed 's/.* nwid \(.*\) chan .*/\1/' | sed 's/"//g'`
enc=`grep -i $bssid $tmp | awk -F, '{ print $NF }'`

case $enc in
    wep)
        key=nwkey
        message="key (for HEX prefix 0x)"
        get_password
        ;;
    wpa*)
        key=wpakey
        message="passphrase"
        get_password
        ;;
    *)
        key='-wpakey -nwkey'
        password=''
        ;;
esac

# SET UP INTERFACE
ifconfig $int nwid "$nwid" $key $password || cancel

# CONNECTION ATTEMPT
/home/$user/bin/dhcp-connect.sh $int || cancel

# STORE PASSWORD
[ "$password" != "" ] && {
    sed -i "/$bssid/d" $rec
    echo -e "$bssid\t$password" > > $rec
}

# End of wifi.sh


===
#!/bin/sh
# ~/bin/dhcp-connect.sh
# Connect using dhcp and set hostname (OpenBSD version)

[ "`whoami`" != "root" ] && { echo "You must be root"; exit 1; }

# PUT YOUR NORMAL USER HERE
user=morlock

# IMPORTANT: if you don't use dhcp in your home LAN save a copy of your
# LAN version of /etc/resolv.conf and /etc/hosts to this directory.
backdir=/home/$user/.wifi

int=$1
[ "$int" ] || {
    echo "Usage: `basename $0` "
    exit 1
}

clean_start()
{
    for i in `ps xw | grep dhclient | grep $int | \
        awk '{ print $1 }'`
    do
        [ $i ] && kill $i
    done
}
cancel()
{
    clean_start
    [ -f $backdir/hosts ]

Re: Some shell scripts I've wrote

2016-08-03 Thread Walter Alejandro Iglesias
Sorry!

I have an entry in vimrc for my mail that replaces '>>' for '> >'.  That
screwed the code, it was a bad idea.  Here is the corrected code:

=
#!/bin/sh
# ~/bin/wifi.sh - occasional wireless connection in OpenBSD

[ "`whoami`" != "root" ] && { echo "You must be root"; exit 1; }

# PUT YOUR NORMAL USER HERE
user=morlock

# IMPORTANT: if you don't use dhcp in your home LAN save a copy of your
# LAN version of /etc/resolv.conf and /etc/hosts to this directory.
backdir=/home/$user/.wifi

[ ! -d $backdir ] && mkdir $backdir
rec=$backdir/stored
[ ! -e $rec ] && {
    touch $rec
    chmod 600 $rec
    chown $user:$user $rec
}
# The script runs as root: create the scratch file with mktemp so its
# name in /tmp cannot be predicted.
tmp=`mktemp /tmp/wifi-XXXXXXXXXX` || exit 1

# FUNCTIONS
cancel()
{
    ifconfig $int -inet -inet6 -nwid -bssid -wpakey -nwkey
    ifconfig $int down
    # Quoted so that an unset variable makes the test fail cleanly.
    [ -f "$tmp" ] && rm "$tmp"
    [ -f "$stored_tmp" ] && rm "$stored_tmp"
    exit 1
}

get_password()
{
    if grep -i $bssid $rec; then
        echo -n "Use the above \"$nwid\" stored password? [Y/n] "
        read answer
        if [ "$answer" != "n" ]; then
            password=`grep -i $bssid $rec | awk '{ print $2 }'`
        else
            # The network name comes from the scan: never use it as a
            # printf format string.
            printf '%s %s %s: ' "$nwid" "$enc" "$message"
            read password
        fi
    else
        printf '%s %s %s: ' "$nwid" "$enc" "$message"
        read password
    fi
}

# SELECT WIRELESS INTERFACE
interfaces="`ifconfig wlan | awk -F: '/^[^\t]/ { print $1 }' | xargs`"
if [ ! "$interfaces" ]; then
    echo "No wireless interfaces found." 1>&2
    exit 1
elif [ `echo "$interfaces" | wc -w | xargs` -gt 1 ]; then
    echo $interfaces
    int=none
    until echo $interfaces | grep -q $int; do
        echo -n "Interface? "
        read int
    done
else
    int=$interfaces
fi

trap cancel INT
ifconfig $int up
ifconfig $int -inet -inet6 -nwid -bssid -wpakey -nwkey

# SCAN AND CHOOSE AN ACCESS POINT
echo 'Scanning on '$int'...'
ifconfig $int scan | awk -F'\t' '/\tnwid/ { print $3 }' | nl -s') ' > $tmp
if [ `awk 'END { print NR }' $tmp` -eq 0 ]; then
    echo "No access points found."
    cancel
elif [ `awk 'END { print NR }' $tmp` -gt 1 ]; then
    sed 's/\(.*\) nwid \(.*\) chan .*/\1 \2/' $tmp
    ap=0
    until egrep -q "^ *$ap\) nwid" $tmp ; do
        echo -n "number? "
        read ap
    done
else
    ap=`awk -F\) '{ print $1 }' $tmp | sed 's/ *//'`
fi

# GET AP DATA
bssid=`egrep '^ +'$ap')' $tmp | egrep -o '(..:){5}..' | tr "[a-f]" "[A-F]"`
nwid=`grep -i $bssid $tmp | sed 's/.* nwid \(.*\) chan .*/\1/' | sed 's/"//g'`
enc=`grep -i $bssid $tmp | awk -F, '{ print $NF }'`

case $enc in
    wep)
        key=nwkey
        message="key (for HEX prefix 0x)"
        get_password
        ;;
    wpa*)
        key=wpakey
        message="passphrase"
        get_password
        ;;
    *)
        key='-wpakey -nwkey'
        password=''
        ;;
esac

# SET UP INTERFACE
ifconfig $int nwid "$nwid" $key $password || cancel

# CONNECTION ATTEMPT
/home/$user/bin/dhcp-connect.sh $int || cancel

# STORE PASSWORD
[ "$password" != "" ] && {
    sed -i "/$bssid/d" $rec
    echo -e "$bssid\t$password" >> $rec
}

# End of wifi.sh


===
#!/bin/sh
# ~/bin/dhcp-connect.sh
# Connect using dhcp and set hostname (OpenBSD version)

[ "`whoami`" != "root" ] && { echo "You must be root"; exit 1; }

# PUT YOUR NORMAL USER HERE
user=morlock

# IMPORTANT: if you don't use dhcp in your home LAN save a copy of your
# LAN version of /etc/resolv.conf and /etc/hosts to this directory.
backdir=/home/$user/.wifi

int=$1
[ "$int" ] || {
    echo "Usage: `basename $0` "
    exit 1
}

clean_start()
{
    for i in `ps xw | grep dhclient | grep $int | \
        awk '{ print $1 }'`
    do
        [ $i ] && kill $i
    done
}
cancel()
{
    clean_start
    [ -f $backdir/hosts ] && /home/$user/bin/reset-LAN.sh
    exit 1
}
reset_LAN_at_shutdown()
{
    [ ! -e /etc/rc.shutdown ] && {
        echo "# /etc/rc.shutdown" > /etc/rc.shutdown
        chmod 600 /etc/rc.shutdown
    }
    grep -q "# Reset LAN" /etc/rc.shutdown 2>/dev/null || {
        echo >>/etc/rc.shutdown
        echo '# Reset LAN' >>/etc/rc.shutdown
        echo -n "[ -x /home/$user/bin/reset-LAN.sh ] && " \
            >>/etc/rc.shutdown
        echo "/home/$user/bin/reset-LAN.sh" >>/etc/rc.shutdown
    }
}
dhclientConf()
{
    grep -q "send host-name \"`hostname`\"" \
        /etc/dhclient.conf 2>/dev/null ||
        echo "send host-name \"`hostname`\";" \
            >>/etc/dhclient.conf
}

clean_start
trap cancel INT

# Comment this if you think you don't need it
dhclientConf

# Attempt a connection

Re: X "si" keyboard layout changes in recent snapshots

2016-08-12 Thread Walter Alejandro Iglesias
Just guessing.  I've noticed this bug:

http://marc.info/?l=openbsd-bugs&m=146505858532099&w=2

disappeared after Aug 7 xkbcomp update.

Probably what you're experiencing is a side effect of those changes.



Re: splassert: yield message on 5 Feb snapshot (amd64)

2017-02-09 Thread Walter Alejandro Iglesias
Stefan Wollny wrote:

> at least with
> 
> $ dmesg | grep Open
> OpenBSD 6.0-current (GENERIC.MP) #166: Wed Feb  8 19:15:03 MST 2017
> 
> the issue still persists.

The patch that solves the issue (at least in my machine) was committed today:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_table.c.diff?r1=1.123&r2=1.124



fmt replaces utf8 spaces for ascii ones

2017-02-11 Thread Walter Alejandro Iglesias
Hello,

Probably Ingo will know about this.

fmt, when using utf8 locale, replaces utf8 spaces for ascii ones (I use
utf8 spaces in html to get web browsers render double space at the end of
a sentence).  This doesn't happen with LC_CTYPE=C.

Is this a feature or a bug?



http 408 messages in httpd logs

2017-02-14 Thread Walter Alejandro Iglesias
Starting from Feb 11 my httpd logs are filled with 408 messages:

roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET / HTTP/1.1" 200 2535
roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/styles.css HTTP/1.1" 200 282
roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-novelas.png HTTP/1.1" 200 1812
roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-comic.png HTTP/1.1" 200 2779
roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/at.png HTTP/1.1" 200 324
roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-devel.png HTTP/1.1" 200 4111
roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-articles.png HTTP/1.1" 200 5835
roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-about.jpg HTTP/1.1" 200 22211
roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-social.png HTTP/1.1" 200 2782
roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0

This affects my main site only (I have other several virtual sites
hosted in that machine), the only one using ssl on 443 port.  As the
example shows, some of them come right before a same source IP
successful connection.  In fact, the hidden ip above is me browsing my
web site from another location.  Besides, I didn't notice any delay, the
pages are loaded as fast as before the messages started to appear.

Increasing the request time out (in /etc/httpd.conf):

  connection request timeout 120

seems (not sure) to reduce a bit the number of messages.

What intrigues me (and the reason I'm mentioning this here) is before
Feb 11th, the date the first appeared, there is none, past that date
*all* requests generate that message.  I follow -current and upgrade
snapshots regularly.  Could some change in the system be the cause?



Re: http 408 messages in httpd logs

2017-02-14 Thread Walter Alejandro Iglesias
On Tue, Feb 14, 2017 at 11:34:02AM -0800, Reyk Floeter wrote:
> Yes, this is possible. Could you send me some more
> details including config?

I just sent another message with the whole logs that didn't reach misc@,
too heavy :-).  Here you go a simplified version:


OpenBSD 6.0-current (GENERIC.MP) #169: Mon Feb 13 17:44:12 MST 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP


# /etc/pf.conf
table  {
    0.0.0.0/8
    10.0.0.0/8
    127.0.0.1/8
    169.254.0.0/16
    172.16.0.0/12
    192.0.2.0/24
    192.88.99.0/24
    192.168.0.0/16
    198.18.0.0/15
    198.51.100.0/24
    203.0.113.0/24
    224.0.0.0/4
    240.0.0.0/4
}
table  persist file "/etc/port22"
table  persist file "/etc/port25"
set block-policy drop
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
antispoof log quick for egress
pass out quick all
pass in quick from { 192.168.1.1 192.168.1.102 192.168.1.103 } allow-opts
block quick inet proto udp from any to port \
    { bootps bootpc netbios-ns netbios-dgm }
block in log quick inet proto tcp from  to port ssh
block in log quick inet proto tcp from  to port smtp
block in log quick from { urpf-failed no-route  }
pass in quick proto tcp to port { http https smtp smtps pop3s ssh }
pass in quick inet proto icmp all icmp-type 8 code 0
block in log all


# /etc/httpd.conf
ext_addr="em0"
r_timeout="300"

types {
    include "/usr/share/misc/mime.types"
}

server "roquesor.com" {
    listen on $ext_addr port 80
    connection request timeout $r_timeout
    alias "www.roquesor.com"
    alias "es.roquesor.com"
    block return 301 "https://$SERVER_NAME$REQUEST_URI"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
    }
    log {
        access "roquesor.com-access.log"
        error "roquesor.com-error.log"
    }
    root "/htdocs/roquesor.com"
}
server "en.roquesor.com" {
    listen on $ext_addr port 80
    connection request timeout $r_timeout
    block return 301 "https://$SERVER_NAME$REQUEST_URI"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
    }
    log {
        access "roquesor.com-access.log"
        error "roquesor.com-error.log"
    }
    root "/htdocs/roquesor.com/en"
}
server "roquesor.com" {
    listen on $ext_addr tls port 443
    connection request timeout $r_timeout
    alias "www.roquesor.com"
    alias "es.roquesor.com"
    tls certificate "/etc/ssl/server.crt"
    tls key "/etc/ssl/private/server.key"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
    }
    log {
        access "roquesor.com-SSL-access.log"
        error "roquesor.com-SSL-error.log"
    }
    root "/htdocs/roquesor.com"
}
server "en.roquesor.com" {
    listen on $ext_addr tls port 443
    connection request timeout $r_timeout
    tls certificate "/etc/ssl/server.crt"
    tls key "/etc/ssl/private/server.key"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
    }
    log {
        access "roquesor.com-SSL-access.log"
        error "roquesor.com-SSL-error.log"
    }
    root "/htdocs/roquesor.com/en"
}


$ cat /var/www/logs/roquesor.com-access.log | sed -E 's/([^ ] )([0-9]{1,3})\.(.*)/\1xxx.\3/'
Feb 12 00:00:01 server newsyslog[54883]: logfile turned over
roquesor.com xxx.249.75.40 - - [12/Feb/2017:00:03:02 +0100] " " 408 0
roquesor.com xxx.249.75.136 - - [12/Feb/2017:00:06:51 +0100] " " 408 0
roquesor.com xxx.249.75.58 - - [12/Feb/2017:00:10:18 +0100] " " 408 0
roquesor.com xxx.249.69.221 - - [12/Feb/2017:00:12:57 +0100] " " 408 0
roquesor.com xxx.249.75.47 - - [12/Feb/2017:00:13:01 +0100] " " 408 0
roquesor.com xxx.249.75.40 - - [12/Feb/2017:00:13:14 +0100] " " 408 0
roquesor.com xxx.249.69.233 - - [12/Feb/2017:00:15:23 +0100] " " 408 0
roquesor.com xxx.249.75.47 - - [12/Feb/2017:00:16:41 +0100] " " 408 0
www.roquesor.com xxx.180.228.163 - - [12/Feb/2017:00:18:04 +0100] "GET /robots.txt HTTP/1.1" 200 36
www.roquesor.com xxx.180.228.163 - - [12/Feb/2017:00:18:05 +0100] "GET /novelas.html HTTP/1.1" 200 1542
roquesor.com xxx.180.228.163 - - [12/Feb/2017:00:19:06 +0100] " " 408 0
roquesor.com xxx.249.75.47 - - [12/Feb/2017:00:19:53 +0100] " " 408 0
roquesor.com xxx.249.75.56 - - [12/Feb/2017:00:22:44 +0100] " " 408 0
roquesor.com xxx.249.69.183 - - [12/Feb/2017:00:23:08 +0100] " " 408 0
roquesor.com xxx.125.88.204 - - [12/Feb/2017:00:25:27 +0100] " " 408 0
roquesor.com xxx.249.75.43 - - [12/Feb/2017:00:25:56 +0100] " " 408 0
roquesor.com xxx.249.75.148 - - [12/Feb/2017:00:28:18 +0100] " " 408 0
roquesor.com xxx.249.69.183 - - [12/Feb/2017:00:28:21 +0100] " " 408 0

Re: http 408 messages in httpd logs

2017-02-14 Thread Walter Alejandro Iglesias
On Tue, Feb 14, 2017 at 02:34:24PM -0500, trondd wrote:
> On Tue, February 14, 2017 2:27 pm, trondd wrote:
> > http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/httpd/server.c.diff?r1=1.106&r2=1.107&f=h
> >
> > Unfortunately the commit message is not helpful here.
> >
> 
> Ah hah.  I knew it'd be somewhere:
> http://marc.info/?l=openbsd-cvs&m=148647072802851&w=2
> 
> I'd guess that the web browser was previously closing these connections
> long before the server was timing out.
> 


Trondd, big champ! :-)
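
An added example for this thread (not part of any post and not httpd's own code): it reads access-log lines in the layout posted above and separates empty-request 408 entries that follow a served request from the same client by the request timeout from those with no such request. The host name, addresses and log lines are constructed, and the 60-second default is an assumption taken from the gap visible in the posted log (15:48:32 to 15:49:32).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Layout of the access-log lines posted in the thread:
# server-name client - - [timestamp] "request line" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

IDLE = "idle-after-request"        # connection idled out after serving a request
UNMATCHED = "no-matching-request"  # client connected and never sent anything

# Constructed sample (documentation addresses, hypothetical host name).
SAMPLE_LOG = """\
Feb 14 00:00:01 server newsyslog[1234]: logfile turned over
www.example.org 203.0.113.10 - - [14/Feb/2017:15:48:32 +0100] "GET / HTTP/1.1" 200 2535
www.example.org 203.0.113.10 - - [14/Feb/2017:15:48:32 +0100] "GET /styles.css HTTP/1.1" 200 282
www.example.org 203.0.113.10 - - [14/Feb/2017:15:48:33 +0100] "GET /img/at.png HTTP/1.1" 200 324
www.example.org 203.0.113.10 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
www.example.org 203.0.113.10 - - [14/Feb/2017:15:49:33 +0100] " " 408 0
www.example.org 198.51.100.7 - - [14/Feb/2017:15:50:01 +0100] " " 408 0
www.example.org 198.51.100.7 - - [14/Feb/2017:15:50:40 +0100] " " 408 0
"""


def parse_line(line):
    """Return a dict for an access-log line, or None for anything else
    (for example the newsyslog rotation marker)."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {
        "host": m["host"],
        "client": m["client"],
        "time": datetime.strptime(m["ts"], TS_FORMAT),
        "request": m["request"].strip(),  # empty for the '" " 408 0' entries
        "status": int(m["status"]),
    }


def classify_408(lines, request_timeout=60, slack=2):
    """Label every empty-request 408 entry.

    An entry is IDLE when the same client has an earlier entry with a
    request line whose age equals request_timeout (+/- slack seconds),
    which is what a kept-alive connection timing out looks like.
    Returns a list of (client, time, label) tuples in log order.
    """
    served = defaultdict(list)  # client -> times of entries with a request
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["request"]:
            served[entry["client"]].append(entry["time"])
            continue
        if entry["status"] != 408:
            continue
        gaps = ((entry["time"] - t).total_seconds()
                for t in served[entry["client"]])
        idle = any(abs(gap - request_timeout) <= slack for gap in gaps)
        results.append((entry["client"], entry["time"],
                        IDLE if idle else UNMATCHED))
    return results


def summarize(results):
    """Count labelled 408 entries per (client, label)."""
    return Counter((client, label) for client, _, label in results)


if __name__ == "__main__":
    for (client, label), count in sorted(
            summarize(classify_408(SAMPLE_LOG.splitlines())).items()):
        print(f"{client:15} {label:20} {count}")
```

Pass the value of `connection request timeout` from httpd.conf as `request_timeout` when it has been changed from the assumed 60 seconds.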



Re: fmt replaces utf8 spaces for ascii ones

2017-02-12 Thread Walter Alejandro Iglesias
After investigating a bit I realized that what I called utf8 space is a
'nobreakspace' so it's ok fmt to replace them for ascii ones.  I made a
stupid question.  Sorry!



Re: fmt replaces utf8 spaces for ascii ones

2017-02-13 Thread Walter Alejandro Iglesias
On Sun, Feb 12, 2017 at 10:21:11PM -0800, Eric Pruitt wrote:
> Unfortunately I do not have access to an OpenBSD machine to verify
> whether or not its fmt does the correct thing.

By the way, if you try your example in openbsd take in care obsd printf
won't recognize \u00a0.  Use '\xc2\xa0' instead.

I was trying your example in a linux machine obtaining your same results.
But I did it mostly because I was curious about the other difference: the
GNU version inserts the new line 'in' the number assigned by -w, giving
you in this case a 19 wide line as result.  The obsd version breaks the
line in the following character giving you a 20 chars wide line.

Back to the original topic.  What made me hesitate if 'feature' or 'bug'
was the man page.  The following two paragraphs made me think converting
all spaces to ascii could be desired as a practical solution:

 fmt is meant to format mail messages prior to sending, but may also
 be useful for other simple tasks...

 The program was designed to be simple and fast – for more complex
 operations, the standard text processors are likely to be more
 appropriate.



Re: fmt replaces utf8 spaces for ascii ones

2017-02-12 Thread Walter Alejandro Iglesias
On Sun, Feb 12, 2017 at 10:21:11PM -0800, Eric Pruitt wrote:
> On Sun, Feb 12, 2017 at 09:21:37PM +0100, Walter Alejandro Iglesias wrote:
> > After investigating a bit I realized that what I called utf8 space is a
> > 'nobreakspace' so it's ok fmt to replace them for ascii ones.  I made a
> > stupid question.  Sorry!
> 
> If that's the behavior you see, I think _that_ is a bug: the reason
> non-breaking spaces exist is so programs do not separate words at that
> character (https://en.wikipedia.org/wiki/Non-breaking_space). GNU fmt
> respects non-breaking spaces and handles them accordingly:
> 
> ~$ fmt --version | head -n1
> fmt (GNU coreutils) 8.25
> ~$ printf " XXX\u00a0XXX XXX" | fmt -w 20
> 
> XXX XXX
> XXX
> ~$ printf " XXX XXX XXX" | fmt -w 20
> 
> XXX
> XXX XXX
> 
> Unfortunately I do not have access to an OpenBSD machine to verify
> whether or not its fmt does the correct thing.
> 
> Eric


OpenBSD 6.0-current (GENERIC.MP) #0: Sat Feb 11 09:48:19 CET 2017
morl...@server.roquesor.com:/usr/src/sys/arch/amd64/compile/GENERIC.MP

$ printf " XXX\u00a0XXX XXX" | LC_CTYPE=en_US.UTF-8 fmt -w 20
 XXX
XXX XXX
$ printf " XXX XXX XXX" | LC_CTYPE=en_US.UTF-8 fmt -w 20
 XXX
XXX XXX
$ printf " XXX\u00a0XXX XXX" | LC_CTYPE=C fmt -w 20

XXX XXX
XXX
$ printf " XXX XXX XXX" | LC_CTYPE=C fmt -w 20
 XXX
XXX XXX



Thanks Eric.



groff issue

2016-09-02 Thread Walter Alejandro Iglesias
I'm posting this here instead of asking directly to groff mailing list
because (I hate to say it) I can't reproduce this issue in Linux using
the same groff version (1.22.3).  I use groff every so often but, if I
remember well, I experienced the same with groff in openbsd years ago.
I mean, it isn't new.

On ps output, text isn't filled (justified) as groff should do by
default.  Even including the .fi option in macros has no effect.

Perhaps someone familiarized with groff can give me a clue (Ingo?).
Some library used by groff in openbsd?  Some compile option?



Re: groff issue (SOLVED)

2016-09-02 Thread Walter Alejandro Iglesias
On Fri, Sep 02, 2016 at 05:25:18PM +0200, Ingo Schwarze wrote:
> Hi Walter,
> 
> Walter Alejandro Iglesias wrote on Fri, Sep 02, 2016 at 05:11:57PM +0200:
> 
> > I'm posting this here instead of asking directly to groff mailing list
> 
> Correct choice.
> 
> > because (I hate to say it) I can't reproduce this issue in Linux using
> > the same groff version (1.22.3).  I use groff every so often but, if I
> > remember well, I experienced the same with groff in openbsd years ago.
> > I mean, it isn't new.
> > 
> > On ps output, text isn't filled (justified) as groff should do by
> > default.  Even including the .fi option in macros has no effect.
> 
> Filling (.fi) is indeed on by default, but .ad isn't.

According to what I'd read in the groff info page I'd tried adding
'.ad n' to my macros, but it didn't override the system wide settings.

> 
> > Perhaps someone familiarized with groff can give me a clue (Ingo?).
> > Some library used by groff in openbsd?  Some compile option?
> 
> No.  Pure run-time configuration.  Read
> 
>   /usr/local/share/doc/pkg-readmes/groff-1.22.3p2

Well, I'll explain what I did in case others need to know how to do it.

I copied the file /usr/local/share/groff/1.22.3/tmac/troffrc to my
$GROFF_TMAC_PATH and deleted these lines:

.ad l
.de ad

And problem solved.


> 
> Yours,
>   Ingo


Thanks!



Opinion about pflog

2016-09-28 Thread Walter Alejandro Iglesias
I know complaining is useless.  Forgive me this time.

I'm about to run my own web server using OpenBSD.  I'm giving my first
steps with pf.  I was very enthusiastic till I got to this point:

https://www.openbsd.org/faq/pf/logging.html

It says:

The log file written by pflogd is in binary format and cannot be
read using a text editor.

So, *binary* logs.  Sounds familiar to me.  And then:

   In many situations it is desirable to have the firewall logs available
   in ASCII format

And this "uncommon" practice among unix system administrators (sarcasm),
needs a "workaround".  You end with a file with a curious termination:

Create the file /var/log/pflog.txt ...


I must confess I'm one among those "run to the hills" paranoids.  I'm
not an expert, perhaps I'm judging pflog wrong but, anyway, I still
prefer the traditional way, using cat, grep and tail.



Re: Opinion about pflog

2016-09-29 Thread Walter Alejandro Iglesias
On Wed, Sep 28, 2016 at 02:36:10PM -0600, Theo de Raadt wrote:
> > So, *binary* logs.  Sounds familiar to me.  And then:
> 
> Your type of person seems familiar to me.  Uneducated *check*
> opinionated *check*  Contrasting authoritatively without any education
> to back it up *check*
> 
> pflog generates pcap files.  that is the DEFACTO INDUSTRY format
> for packet logs, since they can be generated at extremely high speed
> without decomposition, and then can be analysed later, offline, using
> the pcap library with a sophisticated grammar and bpf execution
> engine.
> 
> So now get lost, grow up, go learn something,

Too late, I'm 49 years old and spent most of my life being a
professional musician (+20 years playing violoncello).  Being a musician
I had to work a lot for free like FOSS developers, so I think I
understand your bad temper, except I didn't become famous enough to
start being so concerned about the "uneducated opinion" of people about
my work.

I spent only the last six years of my life learning how to administer
unix-like systems.  Obviously not enough to feel myself entitled to give
an opinion here, so you're right.  It won't happen again.

I'll take this opportunity to express my opinion about this project but
from a point of view I think I'm entitled: the human aspect.

Even being myself, as you rightly said, an ignorant in the matter, I
felt treated by OpenBSD developers as an equal.  When I reported a bug
they answered me, and politely, even to personal messages.  Thanks to
all of them for making the difference.


***

Just for fun:

> There is no way to forgive people who intentionally step in the shit.

Breaking news, God isn't Argentinian, is Canadian!



Re: Opinion about pflog

2016-09-30 Thread Walter Alejandro Iglesias
To the other people who answer me here, sorry for the delay, I took some
time to calm down and not degrade myself to the level of discussion some
person here proposed me.


Martin Brandenburg,

I know what pcap files are, I used them.  But, as I said, I'm not an
expert, I didn't take into account that converting them to ASCII could mean
losing information (if I understand you well).

Thanks for the clarification.

***

R0me0 (private) and John Jansen,

I'd read the documentation before posting here.  Thanks anyway.

***

Frederick W. Soucy

You got the "idea behind" my message (by the way, I was aware of
utmp).  Taking into account that I'm not on a Linux mailing list I avoided
mentioning the abomination by its name :-).  That's why I'm a bit paranoid
and sometimes I'm sarcastic.  Sorry for that.

The point is, I ask myself the same thing a lot of unix users are probably
asking themselves: should I invest more time in educating myself in
practices that in two days could be declared obsolete?  Or should I
install MSWindows on my desktop and RedHat on my server and simply use
the casual WYSIWYG interface to read logs (there exists a port called
winpcap)?  Surely there are a lot of system administrators out there
that do this and earn the same money as if dealing with pf or iptables
directly.  In theory FOSS projects should be against promoting this
tendency among users (very few understand why) but in practice exactly
the opposite happens, at all levels.


***

Peter Hansteen,

Thanks for your explanation.

As I told you in a private email, it isn't the technical details but
some human attitudes that discourage me.  But I won't give up just
because of one bad experience.  I'll probably buy your book about pf. ;-)



Thanks to all.


Walter



A detail about pf.conf

2016-10-29 Thread Walter Alejandro Iglesias
I post this here because I don't know whether to consider it a bug.

To use a macro in the "file" table option I had to enclose double quotes in
single quotes:

  blockIP='"/path/to/file"'
  table  persist file $blockIP

Any of these syntax examples return errors:

  blockIP="/path/to/file"
  blockIP=/path/to/file
  table  persist file "$blockIP"



Is /etc/acme-client.conf used by acme-client?

2016-10-29 Thread Walter Alejandro Iglesias
Does acme-client take /etc/acme-client.conf into account in any way?

Entries like the ones documented in the acme-client.conf man page:

domain example.com {
alternative names { secure.example.com }
domain key /etc/ssl/private/example.com.key
domain certificate /etc/ssl/example.com.crt
sign with letsencrypt
}

seem to be ignored when you run acme-client.  And acme-client man page
doesn't explain how to call it or even mention a configuration file.



dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread Walter Alejandro Iglesias
Hi everyone,

First of all, is dkimproxy a work in progress?

If it's not, then the long one.  I've tried something similar to
the example in smtpd.conf(5).  Outgoing messages don't get signed.


# dkim-genkey -s default -d mydomain.com -r -D /var/dkimproxy

/etc/dkimproxy_out.conf
---
listen    127.0.0.1:10027
relay     127.0.0.1:10028
domain    mydomain.com
signature dkim(c=relaxed)
signature domainkeys(c=nofws)
keyfile   /var/dkimproxy/default.private
selector  default


/etc/mail/smtpd.conf
---
egress_int="em0"
server="server.mydomain.com"
ca $server certificate "/etc/ssl/acme/chain.pem"

table aliases file:/etc/mail/aliases
table valiases file:/etc/mail/valiases
table vdomains file:/etc/mail/vdomains
table addresses file:/etc/mail/addresses
table users file:/etc/mail/users

pki $server certificate "/etc/ssl/acme/cert.pem"
pki $server key "/etc/ssl/acme/private/privkey.pem"

listen on lo0
listen on lo0 port 10028 tag DKIM
listen on $egress_int port 25 tls pki $server
listen on $egress_int port 465 smtps pki $server auth senders  masquerade

accept from any for domain  virtual  deliver to mbox
accept for local alias  deliver to mbox
accept tagged DKIM for any relay
accept from local sender  for any relay via smtp://127.0.0.1:10027


Do I need to do something else?  (running current)


Walter



Re: dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread Walter Alejandro Iglesias
On Wed, Nov 09, 2016 at 09:27:58AM -0500, trondd wrote:
> On Wed, November 9, 2016 9:14 am, Walter Alejandro Iglesias wrote:
> > Hi everyone,
> >
> > First of all, is dkimproxy a work in progress?
> >
> > If it's not, then the long one.  I've tried something similar to
> > the example in smtpd.conf(5).  Outgoing messages don't get signed.
> >
> >
> > # dkim-genkey -s default -d mydomain.com -r -D /var/dkimproxy
> >
> > /etc/dkimproxy_out.conf
> > ---
> > listen    127.0.0.1:10027
> > relay     127.0.0.1:10028
> > domain    mydomain.com
> > signature dkim(c=relaxed)
> > signature domainkeys(c=nofws)
> > keyfile   /var/dkimproxy/default.private
> > selector  default
> >
> >
> > /etc/mail/smtpd.conf
> > ---
> > egress_int="em0"
> > server="server.mydomain.com"
> > ca $server certificate "/etc/ssl/acme/chain.pem"
> >
> > table aliases file:/etc/mail/aliases
> > table valiases file:/etc/mail/valiases
> > table vdomains file:/etc/mail/vdomains
> > table addresses file:/etc/mail/addresses
> > table users file:/etc/mail/users
> >
> > pki $server certificate "/etc/ssl/acme/cert.pem"
> > pki $server key "/etc/ssl/acme/private/privkey.pem"
> >
> > listen on lo0
> > listen on lo0 port 10028 tag DKIM
> > listen on $egress_int port 25 tls pki $server
> > listen on $egress_int port 465 smtps pki $server auth senders 
> > masquerade
> >
> > accept from any for domain  virtual  deliver to mbox
> > accept for local alias  deliver to mbox
> > accept tagged DKIM for any relay
> > accept from local sender  for any relay via
> > smtp://127.0.0.1:10027
> >
> >
> > Do I need to do something else?  (running current)
> >
> >
> > Walter
> >
> 
> Did you add the public key part to DNS for your domain?  What's going on
> in maillog?

I forgot to mention that, yes, I added the DNS record and checked its
validity using this site:

http://dkimcore.org/tools/keycheck.html

That tells me it's ok.  Then I've been sending to this testing address:

check-a...@verifier.port25.com

where I'm told (in a reply to my same address) the message isn't signed.

/var/log/maillog just shows the message as correctly delivered:

Nov  9 14:16:39 server smtpd[68603]: 44fc40aeb913cba0 mta event=delivery 
evpid=1da22dbaa5825b53 from=<.*@mydomain.com> 
to=<check-a...@verifier.port25.com> rcpt=<-> source="192.168.1.101" 
relay="??.??.??.??" (verifier.port25.com)" delay=2s result="Ok" stat="250 2.6.0 
message received"


>  Are the mails being forwarded to dkimproxy_out and back into
> smtpd as expected?
> 

How can I check this?



Re: dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread Walter Alejandro Iglesias
trondd,

Your response was also useful to me in another more important way.

I took a look at the headers of your message and I observe gmail says
your dkim is correct:

Authentication-Results: mx.google.com;
dkim=pass header.i=@kagu-tsuchi.com;

However, I had to rescue your message from my gmail SPAM folder!

So, I wonder if all these efforts are in vain. :-)

(I'm starting to think spammers are sponsored by them)



Re: dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread Walter Alejandro Iglesias
On Wed, Nov 09, 2016 at 11:57:18AM -0500, trondd wrote:
> Should also be in the maillog.

Hey, I think I found the problem:

Nov  9 10:37:12 server dkimproxy.out[38514]: signing error: Error: cannot read 
/var/dkimproxy/default.private: Permission denied


The permissions are:

# ls -l /var/dkimproxy/
total 8
-rw-------  1 root  wheel  887 Nov  9 10:50 default.private
-rw-------  1 root  wheel  313 Nov  9 10:50 default.txt


Taking into account the /etc/rc.d/dkimproxy_out flags:

daemon_flags="--conf_file=/etc/dkimproxy_out.conf --user=_dkimproxy 
--group=_dkimproxy"

These files should be owned by _dkimproxy user and group.



Re: dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread Walter Alejandro Iglesias
On Wed, Nov 09, 2016 at 06:13:47PM +0100, Walter Alejandro Iglesias wrote:
> Taking in care /etc/rc.d/dkimproxy_out flags:
> 
> daemon_flags="--conf_file=/etc/dkimproxy_out.conf --user=_dkimproxy 
> --group=_dkimproxy"
> 
> These files should be owned by _dkimproxy user and group.
> 

It worked!


Big thanks trondd!  (Next time I promise to read the logs more carefully)



Re: mailx as root ignores set keep

2016-11-25 Thread Walter Alejandro Iglesias
Hello trondd,

On Fri, Nov 25, 2016 at 11:03:49AM -0500, trondd wrote:
> On Fri, November 25, 2016 4:17 am, Walter Alejandro Iglesias wrote:
> > Is this on purpose?
> >
> > I've tried adding 'set keep' to /etc/mail.rc and /root/.mailrc
> > but mail(1) still removes empty mailbox files before quitting.
> >
> 
> Worked here.  How exactly are you reading mail?
> 

Have you tried running mail as root as I said in the subject?

For example, copy some mbox file to /tmp, then su to root and open the
file:

# mail -f /tmp/mbox

Delete all messages and quit.



Re: mailx as root ignores set keep

2016-11-25 Thread Walter Alejandro Iglesias
On Fri, Nov 25, 2016 at 01:13:17PM -0500, trondd wrote:
> On Fri, November 25, 2016 12:36 pm, Walter Alejandro Iglesias wrote:
> > Hello trondd,
> >
> > On Fri, Nov 25, 2016 at 11:03:49AM -0500, trondd wrote:
> >> On Fri, November 25, 2016 4:17 am, Walter Alejandro Iglesias wrote:
> >> > Is this on purpose?
> >> >
> >> > I've tried adding 'set keep' to /etc/mail.rc and /root/.mailrc
> >> > but mail(1) still removes empty mailbox files before quitting.
> >> >
> >>
> >> Worked here.  How exactly are you reading mail?
> >>
> >
> > Have you tried running mail as root as I said in the subject?
> >
> > For example, copy some mbox file to /tmp, then su to root and open the
> > file:
> >
> > # mail -f /tmp/mbox
> >
> 
> This makes a difference.  That's not a system mailbox.  'Keep' seems to
> only apply to a system mailbox and not to a "file".

I was running mailx as root to avoid logging in as other users each
time I wanted to check the content of spam.  And I couldn't reproduce
the issue as a normal user because in this case I was reading the user's
system mailbox (the one owned by the user) as you rightly noticed.

>  Though, it seems like it should.

I think it could be useful having the option.


I owe you two beers :-)



Re: How to detect this kind of attacks

2016-11-26 Thread Walter Alejandro Iglesias
On Sat, Nov 26, 2016 at 12:18:23PM +0100, Gilles Chehade wrote:
> There's not much you can do besides adding the offending addresses in a
> pf blacklist.

Yeah, that's what I thought (at least using opensmtpd, I guess what
Claus quoted is from actual sendmail man page).


Thanks to all for answering.



How to detect this kind of attacks

2016-11-26 Thread Walter Alejandro Iglesias
Hello everyone,

Is there a way to detect on the fly spam attacks like the one pasted below
(maillog)?  It seems pf max-src-conn-rate takes into account only the
"connected" event.

I obscured the recipients.  Basically sorted addresses of the same target 
Chinese host.

Nov 26 05:59:42 server smtpd[55880]: 3bcc430eee258cd7 smtp event=connected 
address=119.141.24.19 host=119.141.24.19
Nov 26 05:59:46 server smtpd[55880]: 3bcc430eee258cd7 smtp event=failed-command 
address=119.141.24.19 host=119.141.24.19 command="RCPT TO:" 
result="550 Invalid recipient"
Nov 26 05:59:49 server smtpd[55880]: 3bcc430eee258cd7 smtp event=failed-command 
address=119.141.24.19 host=119.141.24.19 command="RCPT TO:" 
result="550 Invalid recipient"
Nov 26 05:59:50 server smtpd[55880]: 3bcc430eee258cd7 smtp event=failed-command 
address=119.141.24.19 host=119.141.24.19 command="RCPT TO:" 
result="550 Invalid recipient"
Nov 26 05:59:51 server smtpd[55880]: 3bcc430eee258cd7 smtp event=failed-command 
address=119.141.24.19 host=119.141.24.19 command="RCPT TO:" 
result="550 Invalid recipient"
Nov 26 05:59:52 server smtpd[55880]: 3bcc430eee258cd7 smtp event=failed-command 
address=119.141.24.19 host=119.141.24.19 command="RCPT TO:" 
result="550 Invalid recipient"
Nov 26 05:59:53 server smtpd[55880]: 3bcc430eee258cd7 smtp event=failed-command 
address=119.141.24.19 host=119.141.24.19 command="RCPT TO:" 
result="550 Invalid recipient"
Nov 26 05:59:53 server smtpd[55880]: 3bcc430eee258cd7 smtp event=failed-command 
address=119.141.24.19 host=119.141.24.19 command="RCPT TO:" 
result="550 Invalid recipient"
Nov 26 05:59:54 server smtpd[55880]: 3bcc430eee258cd7 smtp event=failed-command 
address=119.141.24.19 host=119.141.24.19 command="RCPT TO:" 
result="550 Invalid recipient"
[...] *a hundred of more one second frequency entries here*
Nov 26 06:06:55 server smtpd[55880]: 3bcc430eee258cd7 smtp event=failed-command 
address=119.141.24.19 host=119.141.24.19 command="RCPT TO:" 
result="550 Invalid recipient"
Nov 26 06:06:56 server smtpd[55880]: 3bcc430eee258cd7 smtp event=failed-command 
address=119.141.24.19 host=119.141.24.19 command="RCPT TO:" 
result="550 Invalid recipient"
Nov 26 06:06:56 server smtpd[55880]: 3bcc430eee258cd7 smtp event=failed-command 
address=119.141.24.19 host=119.141.24.19 command="RCPT TO:" 
result="550 Invalid recipient"
Nov 26 06:06:57 server smtpd[55880]: 3bcc430eee258cd7 smtp event=closed 
address=119.141.24.19 host=119.141.24.19 reason=disconnect
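
One way to spot the pattern in the log above and produce source addresses for a pf blacklist, as an added example (not code from the thread): it counts rejected RCPT TO commands per address in a sliding time window. The threshold, window, function names and sample lines (documentation addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# smtpd session lines in the shape quoted in the post (one event per line).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ smtpd\[\d+\]: "
    r"(?P<session>[0-9a-f]{16}) smtp event=(?P<event>[\w-]+) "
    r"address=(?P<addr>\S+) host=\S+(?P<rest>.*)$"
)


def rejected_rcpt(line, year):
    """Return (timestamp, address) for a rejected RCPT TO line, else None."""
    m = LINE_RE.match(line)
    if not m or m["event"] != "failed-command":
        return None
    rest = m["rest"]
    if 'command="RCPT TO:' not in rest or 'result="550' not in rest:
        return None
    # syslog timestamps carry no year, so the caller supplies one
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["addr"]


def find_rcpt_probers(lines, threshold=5, window=timedelta(seconds=60),
                      year=2016):
    """Map each address that reaches `threshold` rejected recipients
    inside `window` to the time at which it crossed the threshold."""
    recent = defaultdict(deque)   # address -> timestamps still in the window
    flagged = {}
    for line in lines:
        hit = rejected_rcpt(line, year)
        if hit is None:
            continue
        ts, addr = hit
        q = recent[addr]
        q.append(ts)
        while ts - q[0] > window:     # drop rejections older than the window
            q.popleft()
        if len(q) >= threshold and addr not in flagged:
            flagged[addr] = ts
    return flagged


def sample(ts, session, addr, event, extra=""):
    """Build one constructed log line in the format shown in the post."""
    return (f"Nov 26 {ts} server smtpd[55880]: {session} smtp event={event} "
            f"address={addr} host={addr}{extra}")


REJECT = ' command="RCPT TO:<nobody@example.org>" result="550 Invalid recipient"'

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = [
    # five rejections ten minutes apart: too slow to count as a burst
    *[sample(f"01:{i * 10:02d}:00", "00112233445566aa", "198.51.100.7",
             "failed-command", REJECT) for i in range(5)],
    # one connection guessing a recipient every second
    sample("05:59:42", "0123456789abcdef", "192.0.2.19", "connected"),
    *[sample(f"05:59:{46 + i:02d}", "0123456789abcdef", "192.0.2.19",
             "failed-command", REJECT) for i in range(8)],
    sample("05:59:57", "0123456789abcdef", "192.0.2.19", "closed",
           " reason=disconnect"),
    # a single mistyped recipient from another host
    sample("06:10:00", "fedcba9876543210", "203.0.113.5",
           "failed-command", REJECT),
]

if __name__ == "__main__":
    # One address per line, the form a pf table file expects.
    for addr, when in sorted(find_rcpt_probers(SAMPLE_LOG).items()):
        print(addr, "# crossed threshold at", when.time())
```

Because the count is per address rather than per session, a sender that reconnects between guesses is still caught.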



mailx as root ignores set keep

2016-11-25 Thread Walter Alejandro Iglesias
Is this on purpose?

I've tried adding 'set keep' to /etc/mail.rc and /root/.mailrc
but mail(1) still removes empty mailbox files before quitting.



Is using dkim really worth?

2016-12-10 Thread Walter Alejandro Iglesias
I mentioned this in another thread, now I'll ask this question directly.

I was running my own mail server for a while but not enough to make a
conclusion.  I'd appreciate the opinion of the experienced.

I'm noticing messages with no spf or dkim records reach my gmail inbox.
At the same time, messages with spf and dkim 'pass' state go to gmail
spam (among them messages sent to me from people in this list).

So, in general and based on your experience, do you think using dkim
(that implies daemon, port redirections, etc.) is really worth it?



Re: Is using dkim really worth?

2016-12-10 Thread Walter Alejandro Iglesias
On Sat, Dec 10, 2016 at 01:11:30PM +0100, Gilles Chehade wrote:
> On Sat, Dec 10, 2016 at 11:51:34AM +0100, Walter Alejandro Iglesias wrote:
> > I mentioned this in other thread, now I'll ask this question directly.
> > 
> > I was running my own mail server for a while but not enough to make a
> > conclusion.  I'd appreciate the opinion of the experienced.
> > 
> > I'm noticing messages with no spf or dkim records reach my gmail inbox.
> > At the same time, messages with spf and dkim 'pass' state go to gmail
> > spam (among them messages sent to me from people in this list).
> > 
> > So, in general and based on your experience, do you think using dkim
> > (that implies daemon, port redirections, etc.) is really worth?
> > 
>
> Depends on your volume and who you intend to send to.
>
> To be honest, setting up both SPF and DKIM takes a couple minutes and it
> will probably avoid some delivery issues which will waste much more than
> that to fix when they happen.

I installed dkim because I've read on the internet it is, among other things,
what gmail, hotmail, etc. (what most people use) take into account.  Not
exactly what I observe happens in practice as I explained above (I told
you I rescued a message of yours from gmail spam, remember?).

>
> I can understand why someone would be reluctant to setup dmarc, but dkim
> and spf are really a no brainer.

You say this because you surely are quite familiar with all this
stuff! :-)

Anyway, my point wasn't how difficult it is to set up (I've had it
working for months) but whether it's worth adding complexity.

>
> -- 
> Gilles Chehade
>
> https://www.poolp.org  @poolpOrg


Thanks for answering me!



Re: Too small default root partition

2016-12-12 Thread Walter Alejandro Iglesias
On Mon, Dec 12, 2016 at 11:32:07AM +0100, Stefan Sperling wrote:
> On Mon, Dec 12, 2016 at 11:26:31AM +0100, Walter Alejandro Iglesias wrote:
> > # du -cs /bin /sbin /dev /bsd*
> > 20800   /bsd
> > 15552   /bsd.rd
> > 20704   /bsd.sp
> > 1932484 /dev
>
> There is something in your /dev that does not belong there.
>
> On my system:
> $ du -cs /dev
> 68  /dev
> 68  total
>

Right.  Yesterday I was trying to dd a usb memory stick, perhaps some
mistake I made on the command line created this file in /dev:

# ls -lh /dev/sd1
-rw-r--r--  1 root  wheel   943M Dec 11 17:19 /dev/sd1



Big thanks Stefan!



makefs and mkhybrid

2016-12-17 Thread Walter Alejandro Iglesias
Question:

Is the lately included makefs intended to be a replacement for mkhybrid?
Is it already reliable or a work in progress?


Issue:

I noticed two issues in mkhybrid (not present in J. Schilling's
mkisofs); I don't know whether to consider them bugs.

   It ignores the '-quiet' option.

   It leaves residual ".rr_moved" directories (this happens in makefs too).



Too small default root partition

2016-12-12 Thread Walter Alejandro Iglesias
It seems the size picked by the partitioner at install time for / isn't
large enough (I chose the defaults except I enlarged /var to run a web
server).


OpenBSD 6.0-current (GENERIC.MP) #25: Fri Dec  9 16:53:25 MST 2016

# dmesg | grep sd0 | grep MB | uniq
sd0: 476940MB, 512 bytes/sector, 976773168 sector

# df /
Filesystem  512-blocks  Used Avail Capacity  Mounted on
/dev/sd0a  2057756   2056792   -101920   105%/

# du -cs /bin /sbin /dev /bsd*
20800   /bsd
15552   /bsd.rd
20704   /bsd.sp
1932484 /dev
30100   /sbin
10308   /bin
2029948 total


Note I listed with 'du' only indispensable files and directories.  The
largest is /dev.


What's the most convenient solution in this case?



Re: spamd and outlook.com

2017-04-21 Thread Walter Alejandro Iglesias
Stuart Henderson wrote:

> On 2017-04-21, Craig Skinner  wrote:
> > Email is not instant messaging.
> >
> > Customers need educated to that fact.
> 
> How do you educate them to that when they send to their gmail account
> and it shows up on their phone within seconds?

We, at school, used the pen as blowgun.



Re: smtpd log: certificate verification failed

2017-04-20 Thread Walter Alejandro Iglesias
On Thu, Apr 20, 2017 at 03:08:30PM +0200, Gilles Chehade wrote:
> On Thu, Apr 20, 2017 at 02:59:10PM +0200, Walter Alejandro Iglesias wrote:
> > Hello everyone,
> > 
> > Just to be sure, when I get this message:
> > 
> > maillog:Apr 20 13:53:03 server smtpd[99586]: smtp-out: Server certificate 
> > verification failed on session 81c5fc1509d4c884
> > 
> > Is it about my server cert or the remote one?
> > 
> 
> remote one, it means that when trying to verify the certificate that was
> presented by the remote server, the verification failed

OK.  Thank you!


> 
> 
> -- 
> Gilles Chehade
> 
> https://www.poolp.org  @poolpOrg



smtpd log: certificate verification failed

2017-04-20 Thread Walter Alejandro Iglesias
Hello everyone,

Just to be sure, when I get this message:

maillog:Apr 20 13:53:03 server smtpd[99586]: smtp-out: Server certificate 
verification failed on session 81c5fc1509d4c884

Is it about my server cert or the remote one?




Re: Helping out

2017-08-02 Thread Walter Alejandro Iglesias
Hello Bryan and Radoslav,

In article <20170802015654.ga64...@c.brycv.com> you wrote:
> On Tue, Aug 01, 2017 at 08:19:23PM -0400, Radoslav_Mirza wrote:
> > Dear Group, Are there any places to start helping out for a beginner?
> > Any junior jobs or todo lists?
> > 
> > I have a new Ryzen 1700 running OpenBSD so maybe I could help with
> > some benchmark tests etc.
> > 
> > Any pointers of where to go would be great!
> 
> There was a recent discussion about ProtonMail not sending plain text
> email which this list expects. I would suggest sending with another
> address and sending in plain text. Check the archives for more info
> about it but base64 encoded emails (like from ProtonMail) will likely be
> ignored. Hopefully ProtonMail will correct this problem but they have
> "started" on it for more than a year.

The first time I looked at the base64 encoded text pasted by Mihai
Popescu (the first to notice this issue):

https://marc.info/?l=openbsd-misc&m=149984510728808&w=2

I saw the message was written in English, which made me think protonmail
was doing something wrong, but later I realized I'd overlooked the
first line: the author's name in the quoted text reference contained *one*
non-ascii character. :-)

To see it yourself:

$ cat file-containing-only-base64-part | openssl enc -base64 -d

This means what proton mail did in this case isn't incorrect.

As far as I understand, the purpose of this encoding (as the whole MIME
standard) is to send all messages through the net in plain ascii, to
assure compatibility among all servers.  For example if I typed here any
non-ascii character (which could happen even by accident when you use a
non-English keyboard), Mutt, the MUA I use, would send the body of this
message quoted-printable encoded (the one used for low utf8 density
languages such as Spanish; base64 is used e.g. for Russian).  The same would
happen if some non-ascii character is in some sender's name in the
quoted text references; your MUA would detect that character and
automatically would send the body of your message encoded.  Unlike
base64, quoted-printable would still be readable.

Where is the problem?  I guess developers here, when they don't have any
MUA from packages installed, are forced to use the one in base,
mailx(1), which doesn't support MIME.  If this is the case, they'd have
trouble reading non-ascii characters sent as is anyway.  So, the best
workaround, whatever MUA you use, is to avoid using non-ascii characters
when you post to these lists (even in your name).

That said, I still find top-posting and not hard-wrapped lines annoying.
But protonmail isn't the only one doing this. ;-)

(I'd add more common practices you can't blame MUAs for, such as not using
double spaces after sentences, writing all in lowercase; the time they save
writing is charged to the reader.)



> 
> Bryan
> 
> 
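
How a MIME-aware mailer arrives at 7bit, quoted-printable or base64 for a body, as an added example that is not part of the original message. It uses Python's standard email package with a 7-bit-only policy; the size-based choice between the two encodings is Python's own heuristic, not necessarily what Mutt or ProtonMail implement, and the sample texts are constructed.

```python
import base64
from email import policy
from email.message import EmailMessage

# Model a transport that only carries 7-bit ASCII, so any non-ASCII body
# must be wrapped in a content transfer encoding.
SEVEN_BIT = policy.default.clone(cte_type="7bit")


def build(text):
    """Create a text/plain message; the library picks the encoding."""
    msg = EmailMessage(policy=SEVEN_BIT)
    msg.set_content(text)            # charset defaults to utf-8
    return msg


def transfer_encoding(text):
    """Content-Transfer-Encoding the library chose for this body."""
    return str(build(text)["Content-Transfer-Encoding"])


def wire_body(text):
    """The body exactly as it would travel: pure ASCII in every case."""
    return build(text).get_payload()


def round_trip(text):
    """What a MIME-aware reader recovers from the encoded body."""
    return build(text).get_content()


# Constructed sample bodies (lines kept under 78 characters).
SAMPLES = {
    # Nothing to encode: sent as is.
    "ascii": "Filling is on by default, adjusting is not.\n",
    # English text whose only non-ASCII character sits in the
    # attribution line of the quoted text.
    "one_name": ("On Tue, Aug 01, 2017, José wrote:\n"
                 "> Any pointers of where to go would be great!\n"
                 "\n"
                 "Check the archives.\n"),
    # Low density of non-ASCII characters.
    "spanish": "Mañana envío el informe de la reunión.\n",
    # Almost every character is non-ASCII.
    "russian": "Привет, как дела? Это проверка кодировки.\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:9} -> {transfer_encoding(text)}")
        print(wire_body(text))
```

A reader without MIME support sees `wire_body()` verbatim: the quoted-printable body stays legible apart from the `=C3=A9` escapes, while the base64 body is opaque until decoded.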



Re: Mastering opensmtpd rules

2017-08-15 Thread Walter Alejandro Iglesias
On Tue, Aug 15, 2017 at 05:10:00PM +0200, Gilles Chehade wrote:
> On Tue, Aug 15, 2017 at 01:29:16PM +0200, Walter Alejandro Iglesias wrote:
> > > 
> > >   accept from any for any virtual  [...]
> > > 
> > 
> > Besides, after modifying that rule in the file I also had to change the
> > order.  Since rules below the "catch-all" one never get evaluated, it
> > has forcibly to be the last one:
> > 
> >[...]
> >accept from local for local alias  deliver to mbox
> >accept from local sender  for any relay
> >accept from any for any virtual  deliver to mbox
> ># End of file
> > 
> 
> Not a truth written in stone but, usually, having the "from any for any"
> rule in a config file is a sign that user failed to write ruleset and is
> using this as a fallback.

The word "mastering" I used in the subject may lead to confusion.  I
should've written "starting with" instead. :-)

My smtpd.conf is not a finished work.  Step by step.

> The earliest the rules match the envelope, the
> better, as it indicates that the rule was written to match precisely.
> 

My intention was to find the way to support the "postmaster" address,
that RFC requires to be supported even *with no domain specification.*
I wasn't able to figure out how to solve this while the "domain" table
was included in the rule.  Without that table now I can add to the
"valiases" file this:

postmaster  myuser
s...@site1.com  ...
s...@site2.com  ...

To make any of these addresses available:

postmaster@[IP_ADDRESS]
postmas...@site1.com
postmas...@site2.com

> Most rulesets should finish with a relay (via?) rule from local for any.

That's the way I had it, but I couldn't send mail when preceded by "from
any to any" rule.  I know my current solution is sloppy, I'll try to
study a bit more and improve my configuration.  Thank you for your help.

> 
> 
> -- 
> Gilles Chehade
> 
> https://www.poolp.org  @poolpOrg



Mastering opensmtpd rules

2017-08-15 Thread Walter Alejandro Iglesias
Hello everyone,

I'd appreciate experienced opensmtpd users tell me if I'm understanding
well the mechanism in the following rule.

Currently, in my smtpd.conf I have this line:

  accept from any for domain <vdomains> virtual <valiases> deliver to mbox

But since all keys in my "valiases" table are full email addresses, in
the form:

  u...@example.org  user

I'm thinking the use of "vdomains" table is redundant.  I could safely
simplify the rule to:

  accept from any for any virtual <valiases> deliver to mbox


Am I wrong in this assumption?



Re: Mastering opensmtpd rules

2017-08-15 Thread Walter Alejandro Iglesias
Hi Gilles,

On Tue, Aug 15, 2017 at 11:15:32AM +0200, Gilles Chehade wrote:
> On Tue, Aug 15, 2017 at 09:22:41AM +0200, Walter Alejandro Iglesias wrote:
> > Hello everyone,
> > 
> > I'd appreciate experienced opensmtpd users tell me if I'm understanding
> > well the mechanism in the following rule.
> > 
> > Currently, in my smtpd.conf I have this line:
> > 
> >   accept from any for domain <vdomains> virtual <valiases> deliver to mbox
> > 
> > But since all keys in my "valiases" table are full email addresses, in
> > the form:
> > 
> >   u...@example.org  user
> > 
> > I'm thinking the use of "vdomains" table is redundant.  I could safely
> > simplify the rule to:
> > 
> >   accept from any for any virtual <valiases> deliver to mbox
> > 
> > 
> > Am I wrong in this assumption?
> >
> 
> kind of, smtpd.conf being a first match ruleset it is impossible to make
> this kind of analysis without having your other rules too.

Sorry, I should've added it's the only "from any" rule I have:


# /etc/mail/smtpd.conf

egress_int="em0"
server="server.roquesor.com"

table aliases file:/etc/mail/aliases
table valiases file:/etc/mail/valiases
table vdomains file:/etc/mail/vdomains
table addresses file:/etc/mail/addresses
table users file:/etc/mail/users

pki $server certificate "/etc/ssl/server.crt"
pki $server key "/etc/ssl/private/server.key"

listen on lo0
listen on $egress_int port 25 tls pki $server
listen on $egress_int port 465 smtps pki $server auth \
senders  masquerade

accept from local for local alias <aliases> deliver to mbox
accept from any for domain <vdomains> virtual <valiases> deliver to mbox
accept from local sender  for any relay

# End of file


> 
> in this case, this may or may not give the desired behavior depending on
> rules following it because envelope matching happens _before_ virtual is
> even evaluated.
> 
> with:
> 
> accept from any for domain  [...]
> 
> you will only match envelopes for the domains in , it allows a
> different rule to match other domains:
> 
> accept from any for domain  [...]
> accept from any for domain foobar.org [...]
> 
> with:
> 
> accept from any for any [...]
> 
> you will match all envelopes so you're essentially creating a catch-all.
> 
> 
> virtual happens AFTER a rule has been matched so if you recipient is not
> found the RCPT will be rejected, smtpd will not search for another rule.

If I'm understanding you well then it's what I want.

My question was if the "virtual" entry in the rule is enough to reject
not matching recipients.  For example, having this rule:

  accept from any for any virtual <valiases> [...]

and a "valiases" file containing only this line:

  l...@foobar.org   user

will messages sent to i.e. l...@foobar2.org or l...@foobar3.org be
rejected?



> 
> 
> -- 
> Gilles Chehade
> 
> https://www.poolp.org  @poolpOrg



Re: Mastering opensmtpd rules

2017-08-15 Thread Walter Alejandro Iglesias
> 
>   accept from any for any virtual <valiases> [...]
> 

Besides, after modifying that rule in the file I also had to change the
order.  Since rules below the "catch-all" one never get evaluated, it
has forcibly to be the last one:

   [...]
   accept from local for local alias <aliases> deliver to mbox
   accept from local sender  for any relay
   accept from any for any virtual <valiases> deliver to mbox
   # End of file
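
A simplified model of the evaluation order described in this thread (first match on the envelope, virtual lookup only afterwards), added here as an illustration; it is not OpenSMTPD code and not the poster's configuration. Table contents, the local domain and all identifiers are constructed, and the relay rule's sender condition and the alias lookup are left out.

```c
#include <stdio.h>
#include <string.h>

enum from_kind { FROM_LOCAL, FROM_ANY };
enum for_kind  { FOR_LOCAL, FOR_VDOMAINS, FOR_ANY };
enum action    { ACT_ALIAS, ACT_VIRTUAL, ACT_RELAY };
enum verdict   { DELIVERED, RELAYED, REJECTED };

struct rule { enum from_kind from; enum for_kind dest; enum action act; };
struct envelope { int src_local; const char *rcpt; };	/* rcpt: user@domain */

/* Constructed table contents (assumptions, not the poster's files). */
static const char *const LOCAL_DOMAIN = "server.example.org";
static const char *const vdomains[] = { "foobar.org", NULL };
static const char *const valiases[] = { "user@foobar.org", NULL };

static int
in_table(const char *const *t, const char *key)
{
	for (; *t != NULL; t++)
		if (strcmp(*t, key) == 0)
			return 1;
	return 0;
}

/* Envelope matching: only the "from" and "for" parts are looked at. */
static int
rule_matches(const struct rule *r, const struct envelope *e)
{
	const char *at = strchr(e->rcpt, '@');
	const char *dom = at ? at + 1 : "";

	if (r->from == FROM_LOCAL && !e->src_local)
		return 0;
	switch (r->dest) {
	case FOR_LOCAL:    return strcmp(dom, LOCAL_DOMAIN) == 0;
	case FOR_VDOMAINS: return in_table(vdomains, dom);
	default:           return 1;	/* FOR_ANY */
	}
}

/*
 * First match wins.  The virtual lookup runs only after a rule has
 * matched; a miss rejects the RCPT and no later rule is tried.
 * *hit receives the index of the matching rule, or -1 if none matched.
 */
enum verdict
evaluate(const struct rule *rs, int n, const struct envelope *e, int *hit)
{
	int i;

	for (i = 0; i < n; i++) {
		if (!rule_matches(&rs[i], e))
			continue;
		*hit = i;
		switch (rs[i].act) {
		case ACT_RELAY:
			return RELAYED;
		case ACT_VIRTUAL:
			return in_table(valiases, e->rcpt) ? DELIVERED : REJECTED;
		default:
			return DELIVERED;	/* ACT_ALIAS, lookup not modelled */
		}
	}
	*hit = -1;
	return REJECTED;
}

/* The three orderings discussed in the thread. */
const struct rule posted[] = {		/* "for domain <vdomains>" */
	{ FROM_LOCAL, FOR_LOCAL, ACT_ALIAS },
	{ FROM_ANY, FOR_VDOMAINS, ACT_VIRTUAL },
	{ FROM_LOCAL, FOR_ANY, ACT_RELAY },
};
const struct rule catchall_mid[] = {	/* "for any" placed before relay */
	{ FROM_LOCAL, FOR_LOCAL, ACT_ALIAS },
	{ FROM_ANY, FOR_ANY, ACT_VIRTUAL },
	{ FROM_LOCAL, FOR_ANY, ACT_RELAY },
};
const struct rule catchall_last[] = {	/* "for any" moved to the end */
	{ FROM_LOCAL, FOR_LOCAL, ACT_ALIAS },
	{ FROM_LOCAL, FOR_ANY, ACT_RELAY },
	{ FROM_ANY, FOR_ANY, ACT_VIRTUAL },
};

int
main(void)
{
	static const char *const names[] = { "delivered", "relayed", "rejected" };
	struct envelope out = { 1, "friend@example.net" };	/* local sender */
	int hit;

	printf("catch-all before relay: %s\n",
	    names[evaluate(catchall_mid, 3, &out, &hit)]);
	printf("catch-all last:         %s\n",
	    names[evaluate(catchall_last, 3, &out, &hit)]);
	return 0;
}
```

In this model a local sender writing to user@foobar.org hits the relay rule first once the catch-all is last, so the order of the two "from local" rules relative to each other still matters.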



New question, do I really need a AAAA record?

2017-08-10 Thread Walter Alejandro Iglesias
Hi Stuart,

In article  you wrote:
> On 2017-08-10, Rui Ribeiro  wrote:
> > An email server in a residential setting will fail PTR unless you are
> > working with a medium sized/an ISP that cares about their customers.
> >
> > see answer here
> > https://unix.stackexchange.com/questions/371329/bind-proper-reverse-config
> 
> You can't expect to reliably deliver email unless you have a PTR record and
> an A/AAAA record (at least within the same domain, though in some cases
> the full hostname needs to match).
> 

At this point things got a bit confusing.  First of all I don't run my
own DNS server, I use the free dns service from the registrar company
where I bought my domain names.  There I configured the records I need
for the web and mail servers I run at home.  Then, asking my ISP to add
a PTR record on *their* DNS was the first thing I did when I contracted
the service, and was the first thing I checked again last weekend after
the problem I explain in this thread happened.  Despite the negative
results the website someone recommended me shows (dnsinspect.com) I
think my PTR is working well, you can use host(1), dig(1) or nslookup(1)
to check my IP (185.37.212.61) against yours or any public DNS to
corroborate it.  Or simply put the IP in your browser URL bar, press
ENTER and see if it resolves to my web site. :-)

Stated the above, now the new question.  By A/AAAA records I understand
you mean the records on *my* side (not my ISP's), don't you?  Well,
since I'm not using ipv6 I didn't add any AAAA record.  Do you
recommend me to add it, anyways?





Re: New question, do I really need a AAAA record?

2017-08-10 Thread Walter Alejandro Iglesias
In article  you wrote:
> Hi Stuart,
> 
> In article  you wrote:
> > On 2017-08-10, Rui Ribeiro  wrote:
> > > An email server in a residential setting will fail PTR unless you are
> > > working with a medium sized/an ISP that cares about their customers.
> > >
> > > see answer here
> > > https://unix.stackexchange.com/questions/371329/bind-proper-reverse-config
> > 
> > You can't expect to reliably deliver email unless you have a PTR record and
> > an A/AAAA record (at least within the same domain, though in some cases
> > the full hostname needs to match).
> > 
> 
> At this point things got a bit confusing.  First of all I don't run my
> own DNS server, I use the free dns service from the registrar company
> where I bought my domain names.  There I configured the records I need
> for the web and mail servers I run at home.  Then, asking my ISP to add
> a PTR record on *their* DNS was the first thing I did when I contracted
> the service, and was the first thing I checked again last weekend after
> the problem I explain in this thread happened.  Despite the negative
> results the website someone recommended me shows (dnsinspect.com) I
> think my PTR is working well, you can use host(1), dig(1) or nslookup(1)
> to check my IP (185.37.212.61) against yours or any public DNS to
> corroborate it.  Or simply put the IP in your browser URL bar, press
> ENTER and see if it resolves to my web site. :-)
> 
> Stated the above, now the new question.  By A/AAAA records I understand
> you mean the records on *my* side (not my ISP's), don't you?  Well,
> since I'm not using ipv6 I didn't add any AAAA record.  Do you
> recommend me to add it, anyways?
> 
> 

Sorry, I think I didn't formulate the question well.  What I meant was,
do I need also a static ipv6 to be considered by big smtp servers as a
legal sender?



Re: New question, do I really need a AAAA record?

2017-08-10 Thread Walter Alejandro Iglesias
On Thu, Aug 10, 2017 at 07:26:16PM +0100, Stuart Henderson wrote:
> Rephrasing: if you make an outgoing SMTP connection, a reverse DNS PTR
> record should exist for the source address you're connecting from (whether
> that's v4 or v6), and an A (for v4) or AAAA (for v6) lookup for the name
> in that PTR should give back the same address.
> 
> For your example:
> 
> 185.37.212.61 -> server.roquesor.com
> server.roquesor.com -> 185.37.212.61
> 
> That looks good.
> 
> If you are making outgoing SMTP connections from a v6 address, then you
> should have matching PTR+AAAA as well.

OK.  Huff!, it's just I got dizzy.  After all the advice I got in
this thread I started to doubt even about my existence. :-)


Thank you Stuart!




SSH: lost connection after restarting pf.

2017-08-12 Thread Walter Alejandro Iglesias
Yesterday while copying a big file from one machine to another in my LAN
I noticed that restarting pf:

  # pfctl -d && pfctl -e -f /etc/pf.conf

scp stops and quits showing this message:

  - stalled - Conection reset by 192.168.1.*  Lost connection


Is this expected or is a bug?




Re: SSH: lost connection after restarting pf.

2017-08-12 Thread Walter Alejandro Iglesias
On Sat, Aug 12, 2017 at 11:08:23AM +0200, Walter Alejandro Iglesias wrote:
> Yesterday while copying a big file from one machine to another in my LAN
> I noticed that restarting pf:
> 
>   # pfctl -d && pfctl -e -f /etc/pf.conf

I assume it's not necessary to say I'm doing this without changing any
rule on pf.conf. :-)


> 
> scp stops and quits showing this message:
> 
>   - stalled - Conection reset by 192.168.1.*  Lost connection
> 
> 
> Is this expected or is a bug?
> 
> 




Re: SSH: lost connection after restarting pf.

2017-08-12 Thread Walter Alejandro Iglesias
In article <5127ac707aa6f...@server.roquesor.com> you wrote:
> Hi Stuart,
> 
> In article <slrnootn18.31bc@naiad.spacehopper.org> you wrote:
> > On 2017-08-12, Walter Alejandro Iglesias <w...@roquesor.com> wrote:
> > > Yesterday while copying a big file from one machine to another in my LAN
> > > I noticed that restarting pf:
> > >
> > >   # pfctl -d && pfctl -e -f /etc/pf.conf
> > >
> > > scp stops and quits showing this message:
> > >
> > >   - stalled - Conection reset by 192.168.1.*  Lost connection
> > >
> > >
> > > Is this expected or is a bug?
> > >
> > >
> > >
> > 
> > Expected.
> > 
> > PF is a state-inspecting firewall and verifies things like TCP sequence
> > numbers; it needs to see the initial connection handshake to pick up the
> > wscale value.
> > 
> > I would recommend just reloading the ruleset rather than disabling and
> > re-enabling PF first.
> > 
> > 
> 
> I have this rule:
> 
> block in log quick inet proto tcp from  to port ssh
> 
> That reads IPs from the "port22" file which is updated from a script
> in a cronjob.  I ignore which command to use to re-read that file
> without causing the interrupt.
> 
> 
> 

You mean doing only this?

# pfctl -f /etc/pf.conf





Re: SSH: lost connection after restarting pf.

2017-08-12 Thread Walter Alejandro Iglesias
Hi Stuart,

In article <slrnootn18.31bc@naiad.spacehopper.org> you wrote:
> On 2017-08-12, Walter Alejandro Iglesias <w...@roquesor.com> wrote:
> > Yesterday while copying a big file from one machine to another in my LAN
> > I noticed that restarting pf:
> >
> >   # pfctl -d && pfctl -e -f /etc/pf.conf
> >
> > scp stops and quits showing this message:
> >
> >   - stalled - Conection reset by 192.168.1.*  Lost connection
> >
> >
> > Is this expected or is a bug?
> >
> >
> >
> 
> Expected.
> 
> PF is a state-inspecting firewall and verifies things like TCP sequence
> numbers; it needs to see the initial connection handshake to pick up the
> wscale value.
> 
> I would recommend just reloading the ruleset rather than disabling and
> re-enabling PF first.
> 
> 

I have this rule:

block in log quick inet proto tcp from  to port ssh

That reads IPs from the "port22" file which is updated from a script
in a cronjob.  I ignore which command to use to re-read that file
without causing the interrupt.




Re: SSH: lost connection after restarting pf. [SOLVED]

2017-08-12 Thread Walter Alejandro Iglesias
In article <20170812123632.p7zgt2l4kz43y...@symphytum.spacehopper.org> you 
wrote:
> On 2017/08/12 14:33, Walter Alejandro Iglesias wrote:
> > In article <5127ac707aa6f...@server.roquesor.com> you wrote:
> > > Hi Stuart,
> > > 
> > > In article <slrnootn18.31bc@naiad.spacehopper.org> you wrote:
> > > > On 2017-08-12, Walter Alejandro Iglesias <w...@roquesor.com> wrote:
> > > > > Yesterday while copying a big file from one machine to another in my 
> > > > > LAN
> > > > > I noticed that restarting pf:
> > > > >
> > > > >   # pfctl -d && pfctl -e -f /etc/pf.conf
> > > > >
> > > > > scp stops and quits showing this message:
> > > > >
> > > > >   - stalled - Conection reset by 192.168.1.*  Lost connection
> > > > >
> > > > >
> > > > > Is this expected or is a bug?
> > > > >
> > > > >
> > > > >
> > > > 
> > > > Expected.
> > > > 
> > > > PF is a state-inspecting firewall and verifies things like TCP sequence
> > > > numbers; it needs to see the initial connection handshake to pick up the
> > > > wscale value.
> > > > 
> > > > I would recommend just reloading the ruleset rather than disabling and
> > > > re-enabling PF first.
> > > > 
> > > > 
> > > 
> > > I have this rule:
> > > 
> > > block in log quick inet proto tcp from  to port ssh
> > > 
> > > That reads IPs from the "port22" file which is updated from a script
> > > in a cronjob.  I ignore which command to use to re-read that file
> > > without causing the interrupt.
> > > 
> > > 
> > > 
> > 
> > You mean doing only this?
> > 
> > # pfctl -f /etc/pf.conf
> 
> Yes.
> 
> 

I just tried it and works OK.  Thank you very much.




How about to let this die?

2017-08-09 Thread Walter Alejandro Iglesias
Guys,

The issue was solved after the first answer (Martijn van Duren's).

Everyone's opinions have been very useful.  But since this is not
OpenBSD related I propose to let it die.




Re: gmail and hotmail blocking mail sent from my IP

2017-08-09 Thread Walter Alejandro Iglesias
Hello Rupert,

In article 

Re: gmail and hotmail blocking mail sent from my IP

2017-08-08 Thread Walter Alejandro Iglesias
In article <20170808121343.46a8ddb9@fir.internal> you wrote:
> Hi Walter:
> 
> On Sun, 6 Aug 2017 19:45:22 +0200 Walter Alejandro Iglesias wrote:
> > What determines those "ranges", who regulates that?
> 
> Some ISPs submit IP blocks to various blacklists. e.g:
> https://www.Spamhaus.Org/faq/section/Spamhaus%20PBL#242
> http://www.Sorbs.Net/faq/dul.shtml
> 
> Asking your ISP to exclude your addresses might help.


I sent an email to my ISP, they don't even know about these lists. :-)

Besides, I sent an email to spamhaus.org suggesting them not to include
static IPs in their PBL list by default as they do.


I'll take this chance to share my thinking with everyone here.

I understand that given everyone uses gmail, hotmail or mail provided by
some multinational hosting service they assume mail coming from
residential connections cannot be other thing but spam sent from hacked
machines.  But someone paying for a static IP in a residential
connection is the opposite case.  When you have to deal with thousands
of users you resort to any trick you find on the Internet and start to
blindly blacklist all; this is a big servers problem.  And the more
users you have to deal with the worse.  On the contrary, from my part, I
have just a pair of personal addresses, so it's not a big deal for me to
audit my server and use more sane, less harmful and, overall, more
effective measures to filter spam and to prevent spam be sent from my
machine.  And I think this is the direction everyone should point to
instead of resting day after day more and more on big companies for
everything.  In general, everyone should tend to decentralize instead of
monopolize.  The real problem is the passive attitude most people assume
in the use of the Internet (and life in general but I don't want to bore
you with cheap philosophy. :-))


> 
> Regards,


Thank you for your advice.



gmail and hotmail blocking mail sent from my IP

2017-08-06 Thread Walter Alejandro Iglesias
Hello everyone,

I was using smtpd(8) (static IP and FQDN resolving direct and reverse)
for a year without problems.  Today sending from my server (from the
same address I'm using now) to gmail and hotmail they answered the
following (MAILER-DAEMON answer).

Sending to gmail addresses:

  *@gmail.com: 550-5.7.1 [185.37.212.61] The IP you're using to send
  mail is not authorized to send email directly to our servers.  Please
  use the SMTP relay at your service provider instead. Learn more at
  https://support.google.com/mail/?p=NotAuthorizedError
  e1si6736354wra.236 - gsmtp

Sending to hotmail:

  *@hotmail.com: 550 DY-001 (SNT004-MC3F42) Unfortunately, messages from
  185.37.212.61 weren't sent. Please contact your Internet service
  provider. You can tell them that Hotmail does not relay
  dynamically-assigned IP ranges. You can also refer your provider to
  http://mail.live.com/mail/troubleshooting.aspx#errors.


On the hotmail link above the explanation for code DY-001 is:

  Mail rejected by Outlook.com for policy reasons. We generally do not
  accept email from dynamic IP's as they are not typically used to
  deliver unauthenticated SMTP email to an Internet mail server. If you
  are not an email/network admin please contact your Email/Internet
  Service Provider for help. http://www.spamhaus.org maintains lists of
  dynamic and residential IP addresses.

It doesn't happen with yahoo.

I visited spamhaus.org site and found out my IP is included in a list
called PBL that, as they  explain is not a spammers list, it just
includes dynamic and "non mail server IP ranges".

Does someone here know what is "non mail server IP ranges" about?  Or,
how could my static IP be taken as dynamic (some DNS failure at my
ISP end?).



Re: gmail and hotmail blocking mail sent from my IP

2017-08-06 Thread Walter Alejandro Iglesias
Hi Martijn,

On Sun, Aug 06, 2017 at 05:09:10PM +0200, Martijn van Duren wrote:
> Not an authority on this, so take my reply for what you want.
> 
> As far as I know this list is used to keep track of ip-addresses by ISPs
> for home-addresses, which are not intended to be used for outgoing mail.
> 
> You can whitelist your ip-address on this list yourself and all should
> be back to normal.

I just did it from the spamhaus site.

> 
> I faced the same issues and adding my ip did solve the 550s.
> 
> Do note that my ip gets removed every year and thus should be re-added
> every year.

I'll take this in care.  Thank you!



> 
> Sincerely,
> 
> martijn@
> 



Re: gmail and hotmail blocking mail sent from my IP

2017-08-06 Thread Walter Alejandro Iglesias
On Sun, Aug 06, 2017 at 06:02:25PM +0200, Jesper Wallin wrote:
> Like Martijn pointed out, you're sending mail from a IP which is not
> intended for mail-servers.

This was my main question.  What is an "IP intended for mail-servers"?




Re: gmail and hotmail blocking mail sent from my IP

2017-08-06 Thread Walter Alejandro Iglesias
Hi Gareth,

On Sun, Aug 06, 2017 at 04:12:45PM +0100, Gareth Nelson wrote:
> I'm assuming that you have your SPF records setup correctly.
> 

I did that at first, and all the tricks (dkim, etc) they ask to make you
appear as a legal sender, but after confirming my mail still went to
SPAM in both (gmail, hotmail) I removed all that trickery.




Re: gmail and hotmail blocking mail sent from my IP

2017-08-06 Thread Walter Alejandro Iglesias
Hi Niels,

On Sun, Aug 06, 2017 at 07:19:04PM +0200, Niels Kobschätzki wrote:
> 
> > On 6. Aug 2017, at 18:40, Walter Alejandro Iglesias <w...@roquesor.com> 
> > wrote:
> > 
> >> On Sun, Aug 06, 2017 at 06:02:25PM +0200, Jesper Wallin wrote:
> >> Like Martijn pointed out, you're sending mail from a IP which is not
> >> intended for mail-servers.
> > 
> > This was my main question.  What is an "IP intended for mail-servers"?
> 
> The question should be "what are IPs **not** intended for mail-servers?"
> 
> The ranges of ISPs for home-users and the dsl-, cable-, whatever-connection 
> are well-known and pretty much on all of the blacklists since the only thing 
> you can usually expect from them is spam from botnets. Legitimate mails are 
> rather rare from those ranges, thus they get blocked. 

I cannot tell what happens in practice, I've never run a big mail server.
But the reasons that come to my mind someone wants to run their own
server (at home or at a small enterprise) are opposed to what you state.
Why would you want to send spam from the fixed IP you're paying for (in
my case 5 euros a month)?

The question is still unanswered.  What determines those "ranges", who
regulates that?


> To not get blocked by google and hotmail you need an IP from some
> hosting-provider, university or something like this;

Which is the procedure followed by those entities to get an IP in what
you called the "authorized range"?  Authorized by who?


> a PTR-record for your server

I already have this.


> and at least an SPF-, even better a DKIM-record.

I had these at first and removed them after seeing they don't help.


> And if you
> ever send out mail, you maybe want a secondary IP for temporary
> failover-cases if you land  temporarily on a black list.

I have just two personal addresses.  I don't need that complication.  :-)



> 
> Niels




Re: gmail and hotmail blocking mail sent from my IP

2017-08-06 Thread Walter Alejandro Iglesias
In article <slrnooes63.31bc@naiad.spacehopper.org> you wrote:
> On 2017-08-06, Walter Alejandro Iglesias <w...@roquesor.com> wrote:
> > I visited spamhaus.org site and found out my IP is included in a list
> > called PBL that, as they  explain is not a spammers list, it just
> > includes dynamic and "non mail server IP ranges".
> >
> > Does someone here know what is "non mail server IP ranges" about?  Or,
> > how could my static IP be taken as dynamic (some DNS failure at my
> > ISP end?).
> 
> You should add your IP to dnswl.org. I can't guarantee it will help
> everywhere, but it will help some places and won't hurt others.
> 
> 

I'll take a look to dnswl.org.  Thanks.

It seems that after removing my IP from spamhaus pbl the issue is fixed.



Re: SSH: lost connection after restarting pf. [SOLVED]

2017-08-18 Thread Walter Alejandro Iglesias
On Fri, Aug 18, 2017 at 07:31:05PM +0200, Otto Moerbeek wrote:
> On Sat, Aug 12, 2017 at 02:40:41PM +0200, Walter Alejandro Iglesias wrote:
> 
> > In article <20170812123632.p7zgt2l4kz43y...@symphytum.spacehopper.org> you 
> > wrote:
> > > On 2017/08/12 14:33, Walter Alejandro Iglesias wrote:
> > > > In article <5127ac707aa6f...@server.roquesor.com> you wrote:
> > > > > Hi Stuart,
> > > > > 
> > > > > In article <slrnootn18.31bc@naiad.spacehopper.org> you wrote:
> > > > > > On 2017-08-12, Walter Alejandro Iglesias <w...@roquesor.com> wrote:
> > > > > > > Yesterday while copying a big file from one machine to another in 
> > > > > > > my LAN
> > > > > > > I noticed that restarting pf:
> > > > > > >
> > > > > > >   # pfctl -d && pfctl -e -f /etc/pf.conf
> > > > > > >
> > > > > > > scp stops and quits showing this message:
> > > > > > >
> > > > > > >   - stalled - Conection reset by 192.168.1.*  Lost connection
> > > > > > >
> > > > > > >
> > > > > > > Is this expected or is a bug?
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > 
> > > > > > Expected.
> > > > > > 
> > > > > > PF is a state-inspecting firewall and verifies things like TCP 
> > > > > > sequence
> > > > > > numbers; it needs to see the initial connection handshake to pick 
> > > > > > up the
> > > > > > wscale value.
> > > > > > 
> > > > > > I would recommend just reloading the ruleset rather than disabling 
> > > > > > and
> > > > > > re-enabling PF first.
> > > > > > 
> > > > > > 
> > > > > 
> > > > > I have this rule:
> > > > > 
> > > > > block in log quick inet proto tcp from  to port ssh
> > > > > 
> > > > > That reads IPs from the "port22" file which is updated from a script
> > > > > in a cronjob.  I ignore which command to use to re-read that file
> > > > > without causing the interrupt.
> > > > > 
> > > > > 
> > > > > 
> > > > 
> > > > You mean doing only this?
> > > > 
> > > > # pfctl -f /etc/pf.conf
> > > 
> > > Yes.
> > > 
> > > 
> > 
> > I just tried it and works OK.  Thank you very much.
> > 
> 
> A bit of a late reply due to vacation...
> 
> I would like to stress that disable and then a reload is a
> dangerous practice. Apart from the fact that it loses state it also
> will leave pf disabled if you made a syntax error in your ruleset.

Yes, I was worried about that.

> 
> Please just do a reload: it is much safer: it will first
> validate the new ruleset and then *atomically* replace the old with
> the new ruleset, leaving intact any relevant state information.

I don't remember exactly what made me think that in the specific case of
tables reading IP lists from files a reload wasn't enough.  Something
wrong I did while testing led me to wrong conclusions. :-)


Thank you!


> 
>   -Otto


Walter



mime headers quoted-printable

2017-05-22 Thread Walter Alejandro Iglesias
Hello everyone,

With mailx(1) in mind and resurrecting the little I know about C I wrote
the code pasted below.  It encodes mail headers in MIME quoted-printable
format.  Unless I'm missing something it complies with all stated here:

https://www.ietf.org/rfc/rfc2047.txt

You can pipe to it a line or the whole message, it only processes
headers leaving the body untouched.  The problem is, so far, it assumes
all 8bit chars are utf8.  Even when openbsd now only supports utf8
locale you can still enter iso-latin characters while your LC_CTYPE is
set to C, which means if eventually you judge it could be adapted to
patch mailx some non valid utf8 characters check would be mandatory.

So at this point I'm not sure it'll be a good deal since, as far as I
know, to make it able to check for non valid UTF-8 characters would take
more lines of code than the program itself.

I wrote also an encoder to the body, a base64 version and some decoders
but for now I'll show you only this one to not clutter the message.

I'd appreciate your opinion and advice about what can I do from now
(don't hesitate in being frank if you think it's useless).


/*
 * MIME encode mail headers quoted-printable.
 *
 * BUG: it assumes all non ascii characters are UTF-8.
 */

#include <stdio.h>

#define ASCII	0x7f
#define IN	1
#define OUT	0

int
main()
{
	int c, i, n, nl, eightbit, encode, body;
	unsigned char s[256];

	i = n = nl = 0;
	encode = eightbit = body = OUT;

	while ((c = getchar()) != EOF) {
		if (body == IN)
			putchar(c);	/* body is copied untouched */
		else if (c == '\n' || c == ' ') {
			/* end of a word: emit it, encoded if it held 8-bit bytes */
			s[i] = '\0';
			if (eightbit == IN) {
				if (encode == IN)
					printf("=20?= ");
				printf("=?UTF-8?Q?");
				while (n < i) {
					if (s[n] > ASCII ||
					    s[n] == '=' ||
					    s[n] == '?' ||
					    s[n] == '\t') {
						printf("=%02X", s[n]);
					} else
						printf("%c", s[n]);
					++n;
				}
				n = 0;
				encode = IN;

				if (c == '\n') {
					printf("?=");
					putchar(c);
					encode = OUT;
				}

				eightbit = OUT;
			} else {
				if (encode == IN)
					printf("?= ");
				printf("%s", s);
				putchar(c);
				encode = OUT;
			}
			i = 0;
			/* two newlines in a row end the headers */
			if (c == '\n')
				++nl;
			else
				nl = 0;
			if (nl > 1)
				body = IN;
		} else {
			/* collect the current word */
			if (c > ASCII)
				eightbit = IN;
			s[i] = c;
			++i;
		}
	}

	return 0;
}



Re: mime headers quoted-printable

2017-05-23 Thread Walter Alejandro Iglesias
I was pointed out words (no spaces) longer than 256 characters produce a
buffer overflow with my previous version.

I scanned  my saved (since ~ 2005) mbox for header lines without spaces
longer than 256 and found several.  Most of them are non wrapped base64
encoded text, a few are "References:" separated with commas instead of
spaces.  So I think I can just ignore those lines.

Besides that, the new version below has a limit.  No more buffer
overflow.

By the way, I can make it wrap lines bigger than 76 columns as the
standards ask, but looking at mailx code I observed it already takes
care of that.


/*
 * MIME encode mail header quoted-printable. (VERSION 2)
 *
 * BUG: it assumes all non ascii characters are UTF-8.
 */

#include <stdio.h>

#define ASCII	0x7f
#define IN	1
#define OUT	0
#define MAX	256

int
main()
{
	int c, i, n, nl, eightbit, encode, body;
	unsigned char s[MAX];

	i = n = nl = 0;
	encode = eightbit = body = OUT;

	while ((c = getchar()) != EOF) {
		if (body == IN)
			putchar(c);	/* body is copied untouched */
		else if (c == '\n' || c == ' ') {
			/* end of a word: emit it, encoded if it held 8-bit bytes */
			s[i] = '\0';
			if (eightbit == IN) {
				if (encode == IN)
					printf("=20?= ");
				printf("=?UTF-8?Q?");
				while (n < i) {
					if (s[n] > ASCII ||
					    s[n] == '=' ||
					    s[n] == '?' ||
					    s[n] == '\t') {
						printf("=%02X", s[n]);
					} else
						printf("%c", s[n]);
					++n;
				}
				n = 0;
				encode = IN;

				if (c == '\n') {
					printf("?=");
					putchar(c);
					encode = OUT;
				}

				eightbit = OUT;
			} else {
				if (encode == IN)
					printf("?= ");
				printf("%s", s);
				putchar(c);
				encode = OUT;
			}
			i = 0;
			/* two newlines in a row end the headers */
			if (c == '\n')
				++nl;
			else
				nl = 0;
			if (nl > 1)
				body = IN;
		} else {
			/* collect the current word */
			if (c > ASCII)
				eightbit = IN;
			/* word longer than the buffer: print what we have */
			if (i >= MAX) {
				s[i] = '\0';
				printf("%s", s);
				i = 0;
			}
			s[i] = c;

			++i;
		}
	}

	return 0;
}



Re: OpenBSD 6.1: httpd.conf macro usage and string concatenation

2017-05-05 Thread Walter Alejandro Iglesias
In article <39c822f4-07f1-3544-0a8e-b75446f94...@4ss.de> you wrote:
> Hi!
> 
> I thought I could copy the same static server definition block and only
> change a unique macro definition at the top of each server. But this is
> not working:
> 
> ##
> # from httpd.conf
> ##
> # [...]
> 
> # macro definition
> certroot="/etc/ssl/httpd"
> docroot="/htdocs"
> 
> domain="domain.tld"
> server $domain{
>  listen on * tls port 443
>  tls certificate $certroot/$domain/$domain.pem
>  tls key $certroot/$domain/$domain.key
>  root $docroot/$domain
> }
> 
> domain="anotherdomain.tld"
> server $domain{
>  listen on * tls port 443
>  tls certificate $certroot/$domain/$domain.pem
>  tls key $certroot/$domain/$domain.key
>  root $docroot/$domain
> }
> 
> # [...]
> ##
> 
> The idea was if you have a lot of server definitions you could keep
> static the parts that are the same and just change the macro for each
> server the line above the server block.
> 
> Because httpd.conf man page says "Macros are not expanded inside
> quotes." I cannot use 'root "$docroot/$domain"'. But 'root
> $docroot/$domain' isn't accepted either. Does that mean I cannot use
> Macros for parts of the config file that reference to files or folders,
> because Macros are not expanded inside quotes but keywords with file or
> folder options require enclosing quotes? If that's the case I don't
> understand what Macros are good for.
> 
> Thanks in advance!
> 
> T.
> 
> 

There is another problem I mentioned here time ago.  Macros have
problems with slashes.  The same happens in pf.conf (and perhaps with
smtpd.conf too).  Unless it was already fixed, when you want to add a
path to a macro you must enclose it within double and single quotes:

certroot='"/etc/ssl/httpd"'

Then $certroot is expanded to "/etc/ssl/httpd" including the double
quotes.




Re: mime headers quoted-printable

2017-05-24 Thread Walter Alejandro Iglesias
An overlook I can't figure out why didn't core dumped.

--- encode-qprint-header.c  Wed May 24 22:04:24 2017
+++ encode-qprint-header.c  Wed May 24 22:03:49 2017
@@ -66,13 +66,12 @@ main()
} else {
if (c > ASCII)
eightbit = IN;
-   if (i >= MAX) {
+   if (i >= MAX - 1) {
s[i] = '\0';
printf("%s", s);
i = 0;
}
s[i] = c;
-
++i;
}
}
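
Review bot: in the flush branch the buffered bytes are still written with printf("%s", s) even when eightbit has just been set to IN, so a word longer than the buffer that contains 8-bit bytes puts its first MAX - 1 bytes into the header unencoded; either run the flushed chunk through the same =XX encoding or pass over-long words through unmodified as a whole. The new bound does keep s[i] = '\0' inside s[] at this point; writing it as sizeof(s) - 1 would tie the check to the array itself rather than to the macro.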



Re: mime headers quoted-printable

2017-06-01 Thread Walter Alejandro Iglesias

Inspired by the new utf8 man page (thanks tedu@) I think I found a
solution to the charset issue.

New version:


/*
 * MIME encode mail header quoted-printable.
 *
 */

#include <stdio.h>

#define ASCII	0x7f
#define IN	1
#define OUT	0
#define MAX	1024

int
main()
{
	int c, i, n, nl, count, isutf8, eightbit, encode, body;
	unsigned char s[MAX];

	i = n = nl = count = 0;
	encode = eightbit = body = isutf8 = OUT;

	while ((c = getchar()) != EOF) {
		if (body == IN)
			putchar(c);	/* body is copied untouched */
		else if (c == '\n' || c == ' ') {
			/* end of a word: emit it, encoded if it held 8-bit bytes */
			s[i] = '\0';
			if (eightbit == IN) {
				if (encode == IN)
					printf("=20?= ");
				if (isutf8 == OUT)
					printf("=?ISO-8859-1?Q?");
				else
					printf("=?UTF-8?Q?");

				while (n < i) {
					if (s[n] > ASCII ||
					    s[n] == '=' ||
					    s[n] == '?' ||
					    s[n] == '\t')
						printf("=%02X", s[n++]);
					else
						printf("%c", s[n++]);
				}
				n = 0;
				encode = IN;

				if (c == '\n') {
					printf("?=");
					putchar(c);
					encode = OUT;
				}

				eightbit = OUT;
			} else {
				if (encode == IN)
					printf("?= ");
				printf("%s", s);
				putchar(c);
				encode = OUT;
			}
			i = 0;
			/* two newlines in a row end the headers */
			if (c == '\n')
				++nl;
			else
				nl = 0;
			if (nl > 1)
				body = IN;
		} else {
			if (c > ASCII) {
				eightbit = IN;
				++count;
				/* first byte of an 8-bit run picks the charset */
				if (count == 1) {
					if (c != 0xc2 &&
					    c != 0xc3 &&
					    c != 0xe2)
						isutf8 = OUT;
					else
						isutf8 = IN;
				}
			} else
				count = 0;
			/* word longer than the buffer: print what we have */
			if (i >= MAX - 1) {
				s[i] = '\0';
				printf("%s", s);
				i = 0;
			}
			s[i++] = c;
		}
	}

	return 0;
}
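
The first post in this thread notes that a real check for invalid UTF-8 would be needed before labelling a word, and the version above decides from the first 8-bit byte only. The following added example (not the poster's code and not mailx code; all function names are hypothetical) validates the whole word against RFC 3629, keeps the post's ISO-8859-1 fallback label, also escapes "_" (which a Q decoder reads as a space), and refuses output that would overrun the buffer or the 75-character encoded-word limit of RFC 2047.

```c
#include <stdio.h>
#include <string.h>

#define ENCODED_WORD_MAX 75	/* RFC 2047: longest allowed encoded-word */

/* Return 1 if p[0..len) is well-formed UTF-8 (RFC 3629), else 0. */
int
utf8_valid(const unsigned char *p, size_t len)
{
	size_t i = 0, k, need;
	unsigned long cp, min;

	while (i < len) {
		unsigned char c = p[i];

		if (c < 0x80) {
			i++;
			continue;
		} else if (c >= 0xc2 && c <= 0xdf) {
			need = 1; cp = c & 0x1f; min = 0x80;
		} else if (c >= 0xe0 && c <= 0xef) {
			need = 2; cp = c & 0x0f; min = 0x800;
		} else if (c >= 0xf0 && c <= 0xf4) {
			need = 3; cp = c & 0x07; min = 0x10000;
		} else
			return 0;	/* stray continuation, 0xc0, 0xc1, 0xf5-0xff */
		if (len - i - 1 < need)
			return 0;	/* sequence cut short */
		for (k = 1; k <= need; k++) {
			if ((p[i + k] & 0xc0) != 0x80)
				return 0;	/* not a continuation byte */
			cp = (cp << 6) | (p[i + k] & 0x3f);
		}
		if (cp < min || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff))
			return 0;	/* overlong, out of range or surrogate */
		i += need + 1;
	}
	return 1;
}

/* Bytes allowed to appear literally inside a Q encoded-word. */
static int
q_literal(unsigned char c)
{
	return c > 0x20 && c < 0x7f && c != '=' && c != '?' && c != '_';
}

/*
 * Encode one space-delimited header word into out[outsz].  Pure ASCII
 * words are copied unchanged.  Returns the output length, or -1 if the
 * result does not fit in out or would exceed ENCODED_WORD_MAX (the
 * caller then has to split the word at a character boundary).
 */
int
qencode_word(const unsigned char *in, size_t len, char *out, size_t outsz)
{
	size_t i, o, need;
	int n, eightbit = 0;

	for (i = 0; i < len; i++)
		if (in[i] > 0x7f)
			eightbit = 1;
	if (!eightbit) {
		if (len >= outsz)
			return -1;
		memcpy(out, in, len);
		out[len] = '\0';
		return (int)len;
	}
	n = snprintf(out, outsz, "=?%s?Q?",
	    utf8_valid(in, len) ? "UTF-8" : "ISO-8859-1");
	if (n < 0 || (size_t)n >= outsz)
		return -1;
	o = (size_t)n;
	for (i = 0; i < len; i++) {
		need = q_literal(in[i]) ? 1 : 3;
		/* keep room for the closing "?=" and the terminating NUL */
		if (o + need + 3 > outsz || o + need + 2 > ENCODED_WORD_MAX)
			return -1;
		if (need == 1)
			out[o++] = (char)in[i];
		else {
			snprintf(out + o, 4, "=%02X", (unsigned)in[i]);
			o += 3;
		}
	}
	memcpy(out + o, "?=", 3);
	return (int)(o + 2);
}

int
main(void)
{
	/* Constructed sample words: UTF-8, Latin-1, and a 0xc4 lead byte. */
	static const char *const words[] = { "caf\xc3\xa9", "caf\xe9", "\xc4\x8d" "aj" };
	char buf[128];
	size_t w;

	for (w = 0; w < sizeof(words) / sizeof(words[0]); w++)
		if (qencode_word((const unsigned char *)words[w],
		    strlen(words[w]), buf, sizeof(buf)) >= 0)
			puts(buf);
	return 0;
}
```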



Re: Do I need slaacd(8) up and running?

2017-11-11 Thread Walter Alejandro Iglesias
On Sat, Nov 11, 2017 at 05:58:59AM -0700, Theo de Raadt wrote:
> >A question to the experts here.
> >
> >My home router (a crappy one provided by my ISP) has ipv6 disabled, at
> >least it's what its guied configuration tells me. :-)  And I have ipv6
> >disabled in all my LAN machines.  The laptop I use with OpenBSD has
> >slaacd(8) up and running by default, even when I didn't configure any
> >interface to use ipv6 at install time.
> >
> >Under the above conditions, do I still need slaacd running?
> 
> Yes, absolutely.
> 
> Otherwise one day you will configure up v6 on an interface and
> come whining about how your custom configuration isn't do inet6
> boohoohoo.

OK.  You assume I'm an asshole.

> 
> You need it.  And don't go writing some balony blog saying you don't
> need it.

I don't need blogs. :-)


Look, I'm very happy with OpenBSD (*honestly*) in the technical as well
as in the human aspect.  The *only one* negative point I found till now
in this project is your attitude.  The next time you want to insult me
do it in private, in that way you won't harm the project (taking in care
the other people working hard on it).



Do I need slaacd(8) up and running?

2017-11-11 Thread Walter Alejandro Iglesias
A question to the experts here.

My home router (a crappy one provided by my ISP) has ipv6 disabled, at
least it's what its guied configuration tells me. :-)  And I have ipv6
disabled in all my LAN machines.  The laptop I use with OpenBSD has
slaacd(8) up and running by default, even when I didn't configure any
interface to use ipv6 at install time.

Under the above conditions, do I still need slaacd running?



Re: Do I need slaacd(8) up and running?

2017-11-11 Thread Walter Alejandro Iglesias
On Sat, Nov 11, 2017 at 04:57:14PM -0700, Theo de Raadt wrote:
> >On Sat, Nov 11, 2017 at 05:58:59AM -0700, Theo de Raadt wrote:
> >> >A question to the experts here.
> >> >
> >> >My home router (a crappy one provided by my ISP) has ipv6 disabled, at
> >> >least it's what its guied configuration tells me. :-)  And I have ipv6
> >> >disabled in all my LAN machines.  The laptop I use with OpenBSD has
> >> >slaacd(8) up and running by default, even when I didn't configure any
> >> >interface to use ipv6 at install time.
> >> >
> >> >Under the above conditions, do I still need slaacd running?
> >> 
> >> Yes, absolutely.
> >> 
> >> Otherwise one day you will configure up v6 on an interface and
> >> come whining about how your custom configuration isn't do inet6
> >> boohoohoo.
> >
> >OK.  You assume I'm an asshole.
> >
> >> 
> >> You need it.  And don't go writing some balony blog saying you don't
> >> need it.
> >
> >I don't need blogs. :-)
> >
> >
> >Look, I'm very happy with OpenBSD (*honestly*) in the technical as well
> >as in the human aspect.  The *only one* negative point I found till now
> >in this project is your attitude.  The next time you want to insult me
> >do it in private, in that way you won't harm the project (taking in care
> >the other people working hard on it).
> 
> Terribly sad you are such a sensitive soul.

Uh, your sarcasms hurt my delicate soul. :-)

I don't usually come here to whine.  I've always kept my systems as
default as possible.  I've never written any article about OpenBSD.
Obviously it's not about me and *that's the bad news*.  Whether or not
you're right about users in general, there are more than one OS out
there with long tradition and experience in developing with the
assumption users are a bunch of irresponsible idiots.  And they count
with a stronger infrastructure than yours.  It's not clever to compete
with those monsters using their same strategy.



Re: mandoc output paper size

2017-10-26 Thread Walter Alejandro Iglesias
In article <20171026083919.ga38...@www.stare.cz> Jan Stary  
wrote:
> I am not sure whether man -Tpdf and man -Tps honour the paper size.

I think it does.

I don't have a printer at hand to verify it but if in the gv(1) menu
I select alternatively A4 (or Letter) and Default I can see how the
page gets resized (or not) depending on the 'output paper' man.conf
setting.


Walter



Re: mandoc output paper size

2017-10-29 Thread Walter Alejandro Iglesias
In article  Mike Williams 
 wrote:
> Hiya
> 
> On 10/27/17 14:31, Ingo Schwarze wrote:
> > [ sending this particular one back to the list
> >   because it contains something useful for everyone and nothing private ]
> 
> Replying to list to archive comments even if not acted on.
> 
> > Hi Jan,
> >
> > Jan Stary wrote on Fri, Oct 27, 2017 at 12:46:00PM +0200:
> >
> >> I produced a PS output with "man -Tps rm > rm.ps",
> >> with output paper set to a3, a4, and a5 in man.conf.
> >> This results, respectively, in
> >>
> >>  %%DocumentMedia: Default 841 1190 0 () ()
> >>  %%DocumentMedia: Default 595 841 0 () ()
> >>  %%DocumentMedia: Default 419 595 0 () ()
> >>
> >> which apparently are the right dimensions. However,
> >> the Minolta will print all of them on A4 paper,
> >> although it does have a stash of A3 and A5 too.
> >>
> >> That's where I thought it might take a hint from the DSC comment,
> >> if I changed the "Default" to "A3" or "A4" or "A5", or if mandoc(1)
> >> itself put that in the DSC comments. I rewrote it manually before
> >> each printing, but the Minolta still prints them all on an A4:
> >
> > That's interesting, but anecdotal.  It is neither surprising that
> > a specific printer selects paper as configured (in whichever way),
> > as opposed to inspecting files it is sent; nor would it be surprising
> > if other printers, or even the same one, or printer drivers on the
> > print server, could be configured to inspect the contents of
> > PostScript files to select paper.
> >
> > The trouble is, i just don't know what firmwares and softwares do,
> > what they should do according to standards, and where to look for
> > standards in this respect.
> >
> > Does anybody else know?
> 
> The DSC comments are not part of the PS specification (the reference 
> manual quoted earlier) and a PS interpreter would not normally take 
> notice of them.  The comments are aimed at document printing systems 
> which can just look for the comments and manage the printing of the file 
> amongst other files and a range of available printers - such as queuing 
> for a printer which supports/has the media listed by the DSC comment.
> 
> Some PS interpreters may look for and act on the comments, but this 
> would not be "standard" behaviour.  For the %%DocumentMedia: comment the 
> name used is for human consumption, it is the numeric values that are 
> used for any media handling decisions.  The %%DocumentMedia: comment 
> lists all media sizes used by the document but does not say which page 
> uses which size of media so could not be used to select media for any 
> particular page.  If the  media size is important for a page then there 
> should be a PS setpagedevice call like the following:
> 
> <>setpagedevice

In my other message I was about to mention that in the document
generated by groff I inspected, besides the comment, I found this other
line:

  %%BeginFeature: *PageSize Default
  << /PageSize [ 595 842 ] /ImagingBBox null >> setpagedevice

It's in the place I put an image.  I tried modifying the values here too
to see if this line was taken in care by gv too, but it seems it's not.


> 
> The PS interpreter will perform media selection based on the values - 
> use matching media, next largest, scale/rotate content, ask operator, 
> etc. - see section 6.2.1 of the PS reference manual for way more detail.
> 
> This is what is needed for the Minolta printer to use the other media 
> sizes it has available.  A quick edit of the PS file to add the above 
> line with the appropriate media sizes for A3 or A5 should prove that.
> 
> Basically don't rely on DSC comments to do media selection.
> 
> I don't know gv but it will be working as a virtual printer with some 
> standard media sizes to use when rendering a file.  It sounds like it 
> adds the list of media from any %%DocumentMedia: comments to provide 
> additional media sizes it may not have by default.  Ah, in the State 
> menu there is the option "Respect document structure".  If I unselect 
> this the page size used by gv changes from the letter used in the -Tps 
> output to the default A4 used by gv.
> 
> It may be useful to use a media name such as man-A4, man-letter, etc. 
> (to indicate the source of the file and media size used) for any systems 
> that do process the DSC comments.  That will avoid duplicates appearing 
> in generated media lists.
> 
> As for PDF, no there is no way to name the media size being used.  There 
> is no equivalent of the DSC comments for PDF.  Media selection is always 
> done based on the dimensions in the /MediaBox array, the same way as the 
> /PageSize array in PS, and it is up to the processor to decide how to 
> handle the media size request.
> 
> Finally, the -Tpdf output is not a valid PDF.  It is missing the endobj 
> keyword from several of the object definitions.  This will cause 
> warnings or errors when processing.  I 

Re: Viewport for man.openbsd.org -- readability on phones

2018-05-18 Thread Walter Alejandro Iglesias
In article <20180518004729.gl68...@athene.usta.de> Ingo Schwarze 
 wrote:
> Hi Aner,
> 
> Aner Perez wrote on Thu, May 17, 2018 at 06:32:44PM -0400:
> > On 05/17/2018 05:22 PM, x...@dr.com wrote:
> >> "Ingo Schwarze"  wrote:
> 
> >>> Absolutely not.
> >>> Mandoc output is not optimized for any device.
> >>>
> >>> Which elements or rules in the current HTML or CSS code
> >>> make you think it is optimized or it discriminates against
> >>> any device?
> 
> >> I don't know which element or rule is the problem, however
> >> if I delete mandoc.css the text does fill the screen.
> >> 
> >> I understand that what I am trying to do is not supported,
> >> so I'll do something else instead.
> 
> > First non-comment line of mandoc.css says:
> > 
> > html {max-width: 100ex; }
> > 
> > Removing this line allows the use of the full browser width.
> 
> That is a very useful bit of information.
> Thanks for investigating and reporting it.
> 
> For testing purposes, i removed that line from
>   https://man.openbsd.org/mandoc.css
> 
> xcv@, could you check with your phone whether this solves
> your original issue?
> 
> > I'm sure that it was put there for a reason
> > (maybe to approximate the width of a terminal?).
> 
> Correct.  The original reason was that for -T ascii and -T utf8
> output, the default is -O width=78.  The reason for that is that
> it's conventional wisdom in typography that readability of text
> suffers with excessive column width - even though some recent
> research raises doubts whether that is really true.  Either way,
> people tend to feel strongly about it.

If text is too wide, each time your sight jumps from the end to the
beginning of the other line it loses track of in which one it was.  When
it's too narrow (as used in newspapers) your sight has to jump
continuously.  That's why in books you generally see lines not narrower
than 60 columns and not wider than 78, that's the comfortable range.

Perhaps I'm wrong assuming this happens to other people.  I'd like to
know if that recent research you mention took in care nowadays most
people read no more than one line at a time. :-)  Web sites are designed
to look pretty, text is there just for SEO.  I mean the opinion of most
people about what is comfortable while reading doesn't tell the truth.

> 
> I must say i never particularly liked that line in the CSS file.
> It always felt like fiddling with details that it might be better
> not to touch, given that display devices running browsers differ
> more than terminal emulators.  And here we are with a suspicion
> that it actually causes accessibility issues, even if the suspicion
> is still unconfirmed...

It's not a mandoc problem.  That line is a workaround, so even when I
prefer that behavior I'm not against removing it.

> 
> Depending on the feedback i get here with respect to how
>   https://man.openbsd.org/
> now looks, i shall consider deleting the offending line for good.
> 
> In general, i like the idea of making things better by *removing*
> harmful tweaks rather than adding new goo...

Have you added apple-touch-icon.png in all required sizes?  No?  Why do
you resist to innovation, to "new technologies"?  Here you have a guide:

https://developer.apple.com/library/content/documentation/AppleApplications/Reference/SafariWebContent/ConfiguringWebApplications/ConfiguringWebApplications.html

:-)


> 
> Yours,
>   Ingo
> 
> 


Walter



Checking my new smtpd.conf syntax

2018-05-25 Thread Walter Alejandro Iglesias
Could someone tell me if my changes below are OK. :-)

The part I'm not clear is I read in current.html remote authenticated
users need an explicit rule.  Do I need to add some "match auth" rule?


# /etc/mail/smtpd.conf

egress_int="em0"
server="server.roquesor.com"

table aliases   file:/etc/mail/aliases
table valiases  file:/etc/mail/valiases
table vdomains  file:/etc/mail/vdomains
table addresses file:/etc/mail/addresses
table users file:/etc/mail/users

pki $server certificate "/etc/ssl/server.crt"
pki $server key "/etc/ssl/private/server.key"

listen on lo0
listen on $egress_int port 25 tls pki $server
listen on $egress_int port 465 smtps pki $server auth \
senders  masquerade

# Old
#accept from local for local alias  deliver to mbox
#accept from any for domain  virtual  deliver to mbox
#accept from local sender  for any relay

# New
action local_users mbox alias 
action remote_users relay

match from local for local apply local_users
match from any for domain  virtual  apply local_users
match from local sender  for any apply remote_users

# End of file



Re: Checking my new smtpd.conf syntax

2018-05-25 Thread Walter Alejandro Iglesias
On Fri, May 25, 2018 at 03:58:59PM +0300, Consus wrote:
> On 14:31 Fri 25 May, Gilles Chehade wrote:
> > On Fri, May 25, 2018 at 02:20:50PM +0200, Walter Alejandro Iglesias wrote:
> > > Could someone tell me if my changes below are OK. :-)
> > > 
> > > The part I'm not clear is I read in current.html remote authenticated
> > > users need an explicit rule.  Do I need to add some "match auth" rule?
> > > 
> > 
> > yes.
> > 
> > before, "from local" would match authenticated users as if they had sent
> > mail from the local machine but this led to being unable to express some
> > setups where depending on the source you want to relay to different hubs
> > even though users are authenticated.
> > 
> > 
> > With this:
> > 
> > > match from local for local apply local_users
> > > match from any for domain  virtual  apply local_users
> > > match from local sender  for any apply remote_users
> > 
> > you need an additional rule such as:
> > 
> > match auth from any sender  for any apply remote_users
> > 
> > 
> > because:
> > 
> > > #accept from local sender  for any relay
> > 
> > no longer matches authenticated users
> 
> Ain't it "action local_users" instead of "apply local_users"? The man
> page states "action".

I took the "apply" from here:

  https://undeadly.org/cgi?action=article;sid=20180430122930

Now reading this:

  https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/

I see I also have to change the "certificate" keyword to "cert" here:

  pki $server cert "/etc/ssl/server.crt"


Gilles, I also saw the "ca" directive.  I've been using the acme
certificates in pki directives, can I use them in the "ca" directive
too? (any advantage in doing this?)



Walter



Re: Checking my new smtpd.conf syntax

2018-05-26 Thread Walter Alejandro Iglesias
On Sat, May 26, 2018 at 08:15:18AM +0200, Gilles Chehade wrote:
> > Gilles, I also saw the "ca" directive.  I've been using the acme
> > certificates in pki directives, can I use them in the "ca" directive
> > too? (any advantage in doing this?)
> > 
> 
> don't touch a knob if you don't KNOW that you absolutely need it.
> 
> I know why some people would like to use a custom CA certificate instead
> of the one shipped with the system, I don't know why YOU should do it so
> if you are asking I can only guess you are going to break your setup.

First of all, each one is responsible of what they do with their system,
it's the nature of free software, isn't it?  Don't be afraid, if I break
my setup I won't sue you. :-)

In the past I used the defunct StartSSL(TM) certificates with Apache and
Sendmail during years.  In the case of a mail server I thought that, by
logic, to present something that certificates your identity (what a CA
is for, isn't it?) should be one among the more acceptable ways to avoid
your messages be considered SPAM.

What I'm not clear about is what Let's Encrypt does (differently).  And,
logically, I'm not clear about what your software does in this case.
And over all I'm not clear about (and probably nobody is at this stage)
what mail servers do and why with their SPAM filters.  That was the aim
of my question.

By the way, your messages got to my server but not to misc@ (at least I
can't not read them through gmane), I guess they got trapped in spamd
daemon.


> 
> 
> -- 
> Gilles Chehade
> 
> https://www.poolp.org  @poolpOrg


Walter



Re: Checking my new smtpd.conf syntax

2018-05-26 Thread Walter Alejandro Iglesias
On Sat, May 26, 2018 at 12:35:57PM +0200, Walter Alejandro Iglesias wrote:
> On Sat, May 26, 2018 at 08:15:18AM +0200, Gilles Chehade wrote:
> > > Gilles, I also saw the "ca" directive.  I've been using the acme
> > > certificates in pki directives, can I use them in the "ca" directive
> > > too? (any advantage in doing this?)
> > > 
> > 
> > don't touch a knob if you don't KNOW that you absolutely need it.
> > 
> > I know why some people would like to use a custom CA certificate instead
> > of the one shipped with the system, I don't know why YOU should do it so
> > if you are asking I can only guess you are going to break your setup.
> 
> First of all, each one is responsible of what they do with their system,
> it's the nature of free software, isn't it?  Don't be afraid, if I break
> my setup I won't sue you. :-)
> 
> In the past I used the defunct StartSSL(TM) certificates with Apache and
> Sendmail during years.  In the case of a mail server I thought that, by
> logic, to present something that certificates your identity (what a CA
> is for, isn't it?) should be one among the more acceptable ways to avoid
> your messages be considered SPAM.
> 
> What I'm not clear about is what Let's Encrypt does (differently).  And,
> logically, I'm not clear about what your software does in this case.
> And over all I'm not clear about (and probably nobody is at this stage)
> what mail servers do and why with their SPAM filters.  That was the aim
> of my question.
> 
> By the way, your messages got to my server but not to misc@ (at least I
> can't not read them through gmane), I guess they got trapped in spamd
> daemon.

Let me add something more about what I know.

Each software (i.e. apache, nginx, uw-imap, sendmail, etc) requires a
different setup to get the certificates working.  In some cases you need
to put chain and cert in one file, in others (uw-imap) you need to
include the key in a same one file.

I just expected you could tell me (or point me where this is documented)
what to do in opensmtpd case.  The explanation in starttls(8) isn't
enough.

For example, what does the smtpd.conf "ca" directive expect?, a root
certificates bundle?  Intermediate certificates?  What does the software
use in case you don't set this option?, the system provided
/etc/ssl/cert.pem?

I'll tell you what I've been doing so far.  When time ago I started using
opensmtpd with the certs downloaded with acme-client, *after some trial
and error* I got it working with this set up:

Here I use the "full chain" certificate:

  pki $server cert "/etc/ssl/server.crt"

Here the key:

  pki $server key "/etc/ssl/private/server.key"




I got smtpd.conf working thanks to the man page

2018-05-29 Thread Walter Alejandro Iglesias
Just in case it could be useful to others.

After upgrading the snapshot requiring the new version of smtpd.conf
it happened that the new rules I'd written (included the last one Gilles
passed me) were all wrong.

I could get it working thanks to the man page.  The result:

# OLD
accept from local for local alias  deliver to mbox
accept from any for domain  virtual  deliver to mbox
accept from local sender  for any relay


# FIRST ATTEMPT (smtpd -n told me the three last lines were wrong)
action local_users mbox alias 
action remote_users relay

match from local for local apply local_users
match from any for domain  virtual  apply local_users
match from local sender  for any apply remote_users
match auth from any sender  for any apply remote_users


# NOW WORKING
action "local" mbox alias 
action "virtual" mbox virtual 
action "relay" relay

match from local for local action "local"
match from any for domain  action "virtual"
match mail-from  for any action "relay"
match auth mail-from  for any action "relay"


My advice to others is not to pay attention to anything but the man
page, checking one by one each option you used in the old configuration,
if it still exists, if it was replaced and finally *where* to pass it,
if to match or to action.  Doing it in that order you'll probably go
faster. :-)

As you see above I had to replace "sender" for "mail-from" and to create
a third action to pass the virtual aliases table that in the first
attempt I'd wrongly included it in the match.
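
The migration points this thread arrives at ("certificate" to "cert", "apply" to "action", "sender" to "mail-from", table options moved onto the action, an explicit "match auth" rule) can be checked mechanically before running smtpd -n.  The script below is an added example, not code from the thread or from OpenSMTPD; its sample configurations are constructed, and the hostname and <table> names in them are placeholders.

```python
import shlex

HINTS = {
    "old-accept": "old 'accept' rule: split it into an 'action' and a 'match'",
    "pki-certificate": "pki: the keyword 'certificate' became 'cert'",
    "apply": "'apply' is not the keyword the man page gives: use 'action'",
    "sender": "'sender' became 'mail-from'",
    "table-on-match": "'alias'/'virtual' tables go on the action, not the match",
    "undefined-action": "match refers to an action that is never defined",
    "no-match-auth": "listener offers auth but there is no 'match auth' rule; "
                     "'from local' no longer covers authenticated sessions",
}

# Constructed sample modelled on the thread's first attempt (hostname and
# <table> names are placeholders, not values recovered from the archive).
FIRST_ATTEMPT = r"""pki mail.example.org certificate "/etc/ssl/server.crt"
listen on em0 port 465 smtps pki mail.example.org auth \
    senders <users> masquerade
action local_users mbox alias <aliases>
action remote_users relay
match from local for local apply local_users
match from any for domain <vdomains> virtual <valiases> apply local_users
match from local sender <addresses> for any apply remote_users
"""

# Constructed sample modelled on the configuration the thread ends with.
WORKING = r"""pki mail.example.org cert "/etc/ssl/server.crt"
listen on em0 port 465 smtps pki mail.example.org auth
action "local" mbox alias <aliases>
action "virtual" mbox virtual <valiases>
action "relay" relay
match from local for local action "local"
match from any for domain <vdomains> action "virtual"
match mail-from <addresses> for any action "relay"
match auth mail-from <addresses> for any action "relay"
"""


def logical_lines(text):
    """Yield (line_number, tokens) per directive, joining '\\' continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, shlex.split(buf)         # shlex also strips the quotes
        buf, start = "", None
    if buf.strip():                               # dangling continuation at EOF
        yield start, shlex.split(buf)


def lint(text):
    """Return sorted (line_number, code) findings for an smtpd.conf text."""
    findings, actions, used = [], set(), []
    auth_listener, has_match_auth = None, False
    for no, tok in logical_lines(text):
        kw = tok[0]
        if kw == "accept":
            findings.append((no, "old-accept"))
        elif kw == "pki" and "certificate" in tok:
            findings.append((no, "pki-certificate"))
        elif kw == "listen" and {"auth", "auth-optional"} & set(tok):
            auth_listener = auth_listener or no
        elif kw == "action" and len(tok) > 1:
            actions.add(tok[1])
        elif kw == "match":
            # Tokens before 'action'/'apply' are criteria; the one after is
            # the action name and must not be mistaken for a keyword.
            cut = next((i for i, t in enumerate(tok)
                        if t in ("action", "apply")), len(tok))
            criteria = tok[1:cut]
            if cut < len(tok) and tok[cut] == "apply":
                findings.append((no, "apply"))
            if "sender" in criteria:
                findings.append((no, "sender"))
            if "alias" in criteria or "virtual" in criteria:
                findings.append((no, "table-on-match"))
            has_match_auth = has_match_auth or "auth" in criteria
            used += [(no, name) for name in tok[cut + 1:cut + 2]]
    findings += [(no, "undefined-action")
                 for no, name in used if name not in actions]
    if auth_listener is not None and not has_match_auth:
        findings.append((auth_listener, "no-match-auth"))
    return sorted(findings)


if __name__ == "__main__":
    for no, code in lint(FIRST_ATTEMPT):
        print(f"line {no}: {HINTS[code]}")
```

The "no-match-auth" finding is the one with a delivery consequence: with an auth listener and only "from local" relay rules, authenticated submissions match no relay rule.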



Re: kernel panic while reproducing video with mpv

2018-06-24 Thread Walter Alejandro Iglesias
Hi Visa,

On Sun, Jun 24, 2018 at 05:54:15PM +, Visa Hankala wrote:
> On Sun, Jun 24, 2018 at 12:37:45PM +0200, Walter Alejandro Iglesias wrote:
> > panic: mtx 0x81c86470: locking against myself
> > Stopped at  db_enter+0x12:  popq%r11
> > TIDPIDUID PRFLAGS PFLAGS  CPU  COMMAND
> >  104021  96401   1000 0x3  0x4002  mpv
> > *402610  50624   10000x32  00K Xorg
> >   
> > db_enter() at db_enter+0x12
> > panic() at panic+0x138
> > __mtx_enter_try(53b9235709d40154) at __mtx_enter_try+0xb5
> > _mtx_enter(81cf3e60,81a5d6a2,0) at _mtx_enter+0x5a
> > printf(c9ef1007dec621e0) at printf+0x70
> > witness_checkorder(2e4447d1b3cbb9af,81c2ac7c,32a,0,81da6d00)
> >  at 
> > witness_checkorder+0x943
> > ___mp_lock(8000330cd760,d,7) at ___mp_lock+0x70
> > selwakeup(e80faaebded7c1a2) at selwakeup+0x9c
> > ptsstart(8ce5939828d5e23) at ptsstart+0x79
> > tputchar(174549bf676e909c,80afa400) at tputchar+0x85
> > kputchar(75d50501b895e9e4,0,81a5d6a2) at kputchar+0x91
> > kprintf() at kprintf+0xe8
> > printf(c9ef1007dec621e0) at printf+0x85
> > witness_checkorder(2e4447d1b3cba2fe,81af9df1,298,81c8a678,ff
> > ff81c8a688) at witness_checkorder+0x943
> > end trace frame: 0x80003302e978, count: 0
> 
> If the panic happens again, please run the following commands in ddb(4)
> and post the output:
> 
> show locks
> show all locks

The truth is it happened twice.  On the first one fsck(8) couldn't recover
my root file system.  After rebooting I couldn't even log in (as user or
root) and I had to reinstall.  That's why I'm not confident about
"voluntary" reproducing the bug. :-)  But if it happens again take for
sure I'll send you the output of those commands (and per cpu traces).

> 
> It is not clear from the stack trace why the system begins to report
> a lock order problem in the first place (the first witness_checkorder
> and the printf at the end of the stack trace).
> 
> The panic itself is related to the problem of using other kernel
> subsystems from WITNESS. I will try to make a fix that should prevent
> the panic in most cases.


Thanks!

Walter



Re: mandoc output paper size

2017-10-27 Thread Walter Alejandro Iglesias
In article <20171026193138.ga41...@www.stare.cz> Jan Stary  
wrote:
> > > > In the ps file generated by mandoc you should have this line:
> > > > 
> > > >   %%DocumentMedia: Default 595 841 0 () ()
> > > > 
> > > > Where 595 841 correspond to A4.  If you set output paper to "letter"
> > > > that line will say:
> > > > 
> > > >   %%DocumentMedia: Default 612 790 0 () ()
> 
> Yes. It seems that these are just _comments_ to the PS interpreter
> and the "Default" is just an arbitrary given name, right?
> (Sorry, I don't know the language.) So GV just shows that,
> but it does not _determine_ the actual media size, right?
> Looking at term_ps.c, mandoc writes "Default ... " for every paper size.
> 

First of all, I'm just a user like you trying to figure out how things
work.  So, don't expect from me some deep analysis, for that Ingo is the
right person.

I answered you - based in what I intuitively observed - that mandoc
honors the paper size, and explained you why I think so.

I know about postscript language as much as you, as well as what gv takes
in care to print the document on the screen, so first I grep in the
ps file for 'a4|letter' strings and got nothing, then searching on the
Internet I found the dots equivalence and repeated the search this time
using '595 841|612 790'.  I did the same with documents generated by GNU
roff.  I found the "comment" I mentioned in the other message, so
I opened the ps file with vi(1), changed those numbers, and then
I opened the modified file with gv.  That's how I found out gv takes in
care that "comment" to figure out physical page dimensions.

As far as I understand postscript draws page contents using coordinates
and using the postscript dot as unit (as Ingo explained).  What gv does
is just trying to figure out the best way to print the document on
screen; when you select A4|Letter in the menu it only modifies the page,
the rest of dimensions stay the same.  Ingo will correct me if I'm wrong
about this, we're talking specifically about how gv shows you the
document in screen, it shouldn't affect how the document is printed on
paper (what I *guess* gv does in this case is to send the postscript
file "as is" to lpr or cups.)

Finally, "default" means "default". :-)  Perhaps (guessing again), since
page size use is related to region settings, who designed postscript
(hence gv) thought convenient to honor some wide system setting (based
on locale?).


> Jan
> 
> 

Walter



Re: mandoc output paper size

2017-10-27 Thread Walter Alejandro Iglesias
In article <20171027104221.gd9...@www.stare.cz> Jan Stary  wrote:
> On Oct 27 12:12:21, w...@roquesor.com wrote:
> > In article <20171026193138.ga41...@www.stare.cz> Jan Stary  
> > wrote:
> > > > > > In the ps file generated by mandoc you should have this line:
> > > > > > 
> > > > > >   %%DocumentMedia: Default 595 841 0 () ()
> > > > > > 
> > > > > > Where 595 841 correspond to A4.  If you set output paper to "letter"
> > > > > > that line will say:
> > > > > > 
> > > > > >   %%DocumentMedia: Default 612 790 0 () ()
> > > 
> > > Yes. It seems that these are just _comments_ to the PS interpreter
> > > and the "Default" is just an arbitrary given name, right?
> > > (Sorry, I don't know the language.) So GV just shows that,
> > > but it does not _determine_ the actual media size, right?
> > > Looking at term_ps.c, mandoc writes "Default ... " for every paper size.
> > > 
> > 
> > First of all, I'm just a user like you trying to figure out how things
> > work.  So, don't expect from me some deep analysis, for that Ingo is the
> > right person.
> > 
> > I answered you - based in what I intuitively observed - that mandoc
> > honors the paper size, and explained you why I think so.
> > 
> > I know about postscript language as much as you, as well as what gv takes
> > in care to print the document on the screen, so first I grep in the
> > ps file for 'a4|letter' strings and got nothing, then searching on the
> > Internet I found the dots equivalence and repeated the search this time
> > using '595 841|612 790'.  I did the same with documents generated by GNU
> > roff.  I found the "comment" I mentioned in the other message, so
> > I opened the ps file with vi(1), changed those numbers, and then
> > I opened the modified file with gv.  That's how I found out gv takes in
> > care that "comment" to figure out physical page dimensions.
> 
> Apparently, it does not: the dimensions are given explicitly in e.g.
> "%%DocumentMedia: Default 595 841 0 () ()", and the "Default"
> could just as well be "Foobar", as Ingo explained.
> 

That's the "comment" we're talking about since the beginning of the
thread, aren't we?  As I told you what I modified to do the test was the
numbers.

> > Finally, "default" means "default". :-)  Perhaps (guessing again), since
> > page size use is related to region settings, who designed postscript
> > (hence gv) thought convenient to honor some wide system setting (based
> > on locale?).
> 
> With output paper set to A3, A4, A5 in man.conf, "man -Tps rm > rm.ps"
> will produce a PostScript file with the correct dimensions,
> calling all the formats "Default". A printer (such as my Minolta)
> will print them all on A4, although it does have A3 and A5 paper too.
> Changing the "%%DocumentMedia: Default ..." line manually to "A3" or "A5"
> does not change that.
> 
> I am not saying mandoc should write A3 or A4 or A5 instead of Default
> (it's the actual dimensions that matter), but perhaps such a DSC comment
> might help some applications. Apparently not GV, which just repeats the name,
> and not my Minolta, which prints on A4 anyway.

You know, too much people developing software without caring about what
others did before.  Who developed your Minolta software is not an
exception. ;-)


> 
> Jan
> 
> 

Walter
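
The distinction this thread keeps returning to, a %%DocumentMedia comment that only declares a size versus a setpagedevice call that actually requests one, can be read straight out of a PostScript file.  The script below is an added example, not code from mandoc, groff or gv; the sample headers are constructed, and the nominal paper sizes and the 2-point tolerance are assumptions chosen so that the rounded values quoted in the thread (595 841, 612 790) still map to A4 and letter.

```python
import re

# Nominal sizes in PostScript points (1/72 inch); assumed reference values.
PAPER = {"A3": (842, 1191), "A4": (595, 842), "A5": (420, 595), "letter": (612, 792)}

NUM = r"(\d+(?:\.\d+)?)"
# DSC comment: %%DocumentMedia: <name> <width> <height> <weight> <color> <type>
DSC_MEDIA = re.compile(r"^%%DocumentMedia:\s+(\S+)\s+" + NUM + r"\s+" + NUM, re.M)
# Executable request: << ... /PageSize [ w h ] ... >> setpagedevice
PAGE_REQUEST = re.compile(
    r"<<[^<>]*?/PageSize\s*\[\s*" + NUM + r"\s+" + NUM +
    r"\s*\][^<>]*?>>\s*setpagedevice")

# Constructed header in the style the thread reports for mandoc -Tps (A5).
MANDOC_STYLE = """%!PS-Adobe-3.0
%%DocumentMedia: Default 419 595 0 () ()
%%EndComments
"""

# Constructed header in the style the thread reports for groff output.
GROFF_STYLE = """%!PS-Adobe-3.0
%%DocumentMedia: Default 595 842 0 () ()
%%EndComments
%%BeginFeature: *PageSize Default
<< /PageSize [ 595 842 ] /ImagingBBox null >> setpagedevice
%%EndFeature
"""


def paper_name(width, height, tol=2):
    """Name the paper whose nominal size is within tol points, else 'WxH'."""
    for name, (w, h) in PAPER.items():
        if abs(width - w) <= tol and abs(height - h) <= tol:
            return name
    return f"{width:g}x{height:g}"


def media_report(ps_text):
    """Separate what the file declares (DSC) from what it requests (PS code)."""
    declared = [(m[1], paper_name(float(m[2]), float(m[3])))
                for m in DSC_MEDIA.finditer(ps_text)]
    requested = [paper_name(float(m[1]), float(m[2]))
                 for m in PAGE_REQUEST.finditer(ps_text)]
    return {"declared": declared,            # (label, size implied by the numbers)
            "requested": requested,          # sizes asked for via setpagedevice
            "interpreter_selects_media": bool(requested)}


if __name__ == "__main__":
    for label, text in (("mandoc-style", MANDOC_STYLE), ("groff-style", GROFF_STYLE)):
        print(label, media_report(text))
```

A file that reports an empty "requested" list leaves paper choice to whatever the printer or spooler is configured to use, whatever label or numbers the DSC comment carries.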



Re: mandoc output paper size

2017-10-26 Thread Walter Alejandro Iglesias
In article <20171026122507.ga13...@www.stare.cz> Jan Stary  
wrote:
> On Oct 26 11:36:45, w...@roquesor.com wrote:
> > In article <20171026083919.ga38...@www.stare.cz> Jan Stary  
> > wrote:
> > > I am not sure whether man -Tpdf and man -Tps honour the paper size.
> > 
> > I think it does.
> > 
> > I don't have a printer at hand to verify it but if in the gv(1) menu
> > I select alternatively A4 (or Letter) and Default
> 
> You can "select alternatively" whatever you want in the gv(1) window,
> but that don't make it so. My point is that files which really are A4
> just already say so in the gv(1) box, without "selecting it alternatively".

In the ps file generated by mandoc you should have this line:

  %%DocumentMedia: Default 595 841 0 () ()

Where 595 841 correspond to A4.  If you set output paper to "letter"
that line will say:

  %%DocumentMedia: Default 612 790 0 () ()



As a side note.  You made me realize of something I didn't notice when
I migrated to openbsd; I have files generated with GNU roff that
defaults to letter size.  This doesn't happen on Linux, I ignore why.


> 
> > I can see how the page get resized (or not)
> > depending on the 'output paper' man.conf setting.
> 
> Yes it does. But why does it say e.g. "y841x595" instead of A4?
> (Maybe "A4" is just a shorthand for that, I don't know).
> 
> Jan
> 
> 



Sent here by mistake (instead to bugs@) Sorry!

2017-10-26 Thread Walter Alejandro Iglesias
In article <a67500574d104...@server.roquesor.com> Walter Alejandro Iglesias 
<w...@roquesor.com> wrote:
> Hi Ruben,
> 
> In article 
> <caenp9cg+b-5b+8r3w9eaebodaxeybrdhg7jhfgq2ascrbfg...@mail.gmail.com> Ruben 
> Miller <rubenmil...@gmail.com> wrote:
> > In article 
> > <CAEnp9CEpPEJxkWkxLu1qmP8qTA4Ti4+6hCFrGqYy1+WZ0dBy=a...@gmail.com>
> > Ruben Miller <rubenmil...@gmail.com> wrote:
> > >The speed is not a problem, since the bug is triggered because cwm raise
> > > two windows in every cycle.
> > > Just start the cycle with seamonkey selected, so it's always the previous
> > > window.
> > 
> > Just in case, the idea is cycling without releasing ALT, so the client with
> > WM_TAKE_FOCUS is always behind the new one.
> 
> First of all, I'm not a developer but since I made that diff I'm trying
> to help.
> 
> No idea in which way it's related but I could easily reproduce the issue
> you describe after setting back SNA acceleration in my xorg.conf (since
> my graphic card has some issue with the default acceleration I have to
> use UXA.)
> 
> Wait to Okan Demirmen (cwm maintainer) to get a good answer. :-)
> 
> 

I sent this here by mistake.


Sorry!



Re: cwm 6.2: Windows losing focus while cycling (ALT-TAB)

2017-10-26 Thread Walter Alejandro Iglesias
Hi Ruben,

In article  
Ruben Miller  wrote:
> In article 
> Ruben Miller  wrote:
> >The speed is not a problem, since the bug is triggered because cwm raise
> > two windows in every cycle.
> > Just start the cycle with seamonkey selected, so it's always the previous
> > window.
> 
> Just in case, the idea is cycling without releasing ALT, so the client with
> WM_TAKE_FOCUS is always behind the new one.

First of all, I'm not a developer but since I made that diff I'm trying
to help.

No idea in which way it's related but I could easily reproduce the issue
you describe after setting back SNA acceleration in my xorg.conf (since
my graphic card has some issue with the default acceleration I have to
use UXA.)

Wait for Okan Demirmen (cwm maintainer) to get a good answer. :-)



Re: mandoc output paper size

2017-10-26 Thread Walter Alejandro Iglesias
On Thu, Oct 26, 2017 at 07:24:43PM +0200, Ingo Schwarze wrote:
> Hi Walter,
> 
> Walter Alejandro Iglesias wrote on Thu, Oct 26, 2017 at 05:44:16PM +0200:
> 
> > I have files generated with GNU roff that defaults to letter size.
> 
> That's the upstream (GNU troff) default when you compile GNU troff
> from the git repository with automake and autoconf.  If I understand
> correctly, it is the GNU troff default because it is also the default
> used by GNU autoconf in general.
> 
> > This doesn't happen on Linux, I ignore why.
> 
> I doubt this has anything to do with Linux (neither the kernel nor
> whatever C library or userland applications are used).  But it may
> depend on whatever operating system distribution you are using.  It
> is well-known that many Linux distributions engage in tweaking
> upstream defaults, even those settings that are more or less a
> matter of personal preference.

By "linux" I meant distributions.

> 
> > This is set in DESC config files.
> > 
> > $ grep -ER 'papersize (letter|a4)' /usr/local/share/groff/*
> > /usr/local/share/groff/1.22.3/font/devdvi/DESC:papersize letter
> > /usr/local/share/groff/1.22.3/font/devlj4/DESC:papersize letter
> > /usr/local/share/groff/1.22.3/font/devps/DESC:papersize letter
> > /usr/local/share/groff/1.22.3/font/devlbp/DESC:papersize letter
> > /usr/local/share/groff/1.22.3/font/devpdf/DESC:papersize letter
> 
> That is automatically generated at GNU troff build time, controlled
> by files generated by autoconf, controlled by files generated by
> automake, controlled by files autogenerated by whatever (insert
> your favourite rabbit hole here).
> 
> In any case, the fact that groff defaults to "papersize letter" is
> the reason why mandoc(1) does the same.  Unless there are strong
> reasons to diverge, mandoc aims for compatibility with groff.

Yes, I figured out it was an option selected at compile time (curiously
in Slackware, being American, groff is compiled to use a4).

What moved me to test this on Linux is I remember using the
/etc/papersize file there.  But it seems groff and gv ignore that file
(I mean on linux).


> 
> Yours,
>   Ingo

Thank you Ingo.




Re: mandoc output paper size

2017-10-26 Thread Walter Alejandro Iglesias
Answering myself.

In article <a675001fecbb3...@server.roquesor.com> Walter Alejandro Iglesias 
<w...@roquesor.com> wrote:
> As a side note.  You made me realize something I didn't notice when
> I migrated to openbsd; I have files generated with GNU roff that
> defaults to letter size.  This doesn't happen on Linux, I ignore why.

This is set in DESC config files.

$ grep -ER 'papersize (letter|a4)' /usr/local/share/groff/*
/usr/local/share/groff/1.22.3/font/devdvi/DESC:papersize letter
/usr/local/share/groff/1.22.3/font/devlj4/DESC:papersize letter
/usr/local/share/groff/1.22.3/font/devps/DESC:papersize letter
/usr/local/share/groff/1.22.3/font/devlbp/DESC:papersize letter
/usr/local/share/groff/1.22.3/font/devpdf/DESC:papersize letter



Re: mandoc output paper size

2017-10-26 Thread Walter Alejandro Iglesias
In article <20171026104155982590.bfb59...@talsever.com> Amelia A Lewis 
<amyz...@talsever.com> wrote:
> On Thu, 26 Oct 2017 16:14:36 +0200 (CEST), Walter Alejandro Iglesias 
> wrote:
> > In the ps file generated by mandoc you should have this line:
> > 
> >   %%DocumentMedia: Default 595 841 0 () ()
> > 
> > Where 595 841 correspond to A4.  If you set output paper to "letter"
> > that line will say:
> > 
> >   %%DocumentMedia: Default 612 790 0 () ()
> 
> So these measures are in points?

I took it from here:

https://www.gnu.org/software/gv/manual/gv.html#Paper-Keywords-and-paper-size-in-points


> 
> https://en.wikipedia.org/wiki/Point_(typography)
> 



kernel panic while reproducing video with mpv

2018-06-24 Thread Walter Alejandro Iglesias
Hello,

I had a kernel panic while reproducing a video with mpv.

It's my first kernel panic with OpenBSD, so I didn't know how to use
ddb(4).  Since I'm running my http and smtp server in this machine I
cannot entertain myself too much reproducing the panic to get more info.
That's why I don't include the per cpu trace and other additional info as
explained in ddb.html, sorry!  But, if you need it let me know and I'll
try my best.


Message automatically dumped:
===
panic: mtx 0x81c86470: locking against myself
Stopped at  db_enter+0x12:  popq    %r11
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 104021  96401   1000         0x3     0x4002       mpv
*402610  50624   1000        0x32          0    0K Xorg
db_enter() at db_enter+0x12
panic() at panic+0x138
__mtx_enter_try(53b9235709d40154) at __mtx_enter_try+0xb5
_mtx_enter(81cf3e60,81a5d6a2,0) at _mtx_enter+0x5a
printf(c9ef1007dec621e0) at printf+0x70
witness_checkorder(2e4447d1b3cbb9af,81c2ac7c,32a,0,81da6d00) at witness_checkorder+0x943
___mp_lock(8000330cd760,d,7) at ___mp_lock+0x70
selwakeup(e80faaebded7c1a2) at selwakeup+0x9c
ptsstart(8ce5939828d5e23) at ptsstart+0x79
tputchar(174549bf676e909c,80afa400) at tputchar+0x85
kputchar(75d50501b895e9e4,0,81a5d6a2) at kputchar+0x91
kprintf() at kprintf+0xe8
printf(c9ef1007dec621e0) at printf+0x85
witness_checkorder(2e4447d1b3cba2fe,81af9df1,298,81c8a678,ffff81c8a688) at witness_checkorder+0x943
end trace frame: 0x80003302e978, count: 0


dmesg:
===
OpenBSD 6.3-current (GENERIC.MP) #48: Fri Jun 22 14:11:27 MDT 2018
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
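
A triage aid for the ddb trace in the report above, as an added example that is not part of the original message: it parses the frames and lists every function that appears twice on the same stack, which here shows printf re-entered through witness_checkorder before the "locking against myself" panic. The trace text is copied from the report with its wrapped lines joined; the names parse_frames and reentries are hypothetical.

```python
import re
from collections import defaultdict

# Trace copied from the report above (innermost frame first), with the two
# wrapped witness_checkorder lines joined.
TRACE = """\
db_enter() at db_enter+0x12
panic() at panic+0x138
__mtx_enter_try(53b9235709d40154) at __mtx_enter_try+0xb5
_mtx_enter(81cf3e60,81a5d6a2,0) at _mtx_enter+0x5a
printf(c9ef1007dec621e0) at printf+0x70
witness_checkorder(2e4447d1b3cbb9af,81c2ac7c,32a,0,81da6d00) at witness_checkorder+0x943
___mp_lock(8000330cd760,d,7) at ___mp_lock+0x70
selwakeup(e80faaebded7c1a2) at selwakeup+0x9c
ptsstart(8ce5939828d5e23) at ptsstart+0x79
tputchar(174549bf676e909c,80afa400) at tputchar+0x85
kputchar(75d50501b895e9e4,0,81a5d6a2) at kputchar+0x91
kprintf() at kprintf+0xe8
printf(c9ef1007dec621e0) at printf+0x85
witness_checkorder(2e4447d1b3cba2fe,81af9df1,298,81c8a678,ffff81c8a688) at witness_checkorder+0x943
end trace frame: 0x80003302e978, count: 0
"""

FRAME = re.compile(r"^(?P<func>\w+)\((?P<args>[^)]*)\) at (?P=func)\+0x(?P<off>[0-9a-f]+)$")

def parse_frames(text):
    """Return [(func, offset)] innermost first; non-frame lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append((m["func"], int(m["off"], 16)))
    return frames

def reentries(frames):
    """Map each function seen more than once to the frames nested between
    its outermost and innermost occurrence (outermost first)."""
    seen = defaultdict(list)
    for depth, (func, _) in enumerate(frames):
        seen[func].append(depth)
    return {f: [name for name, _ in reversed(frames[d[0]:d[-1] + 1])]
            for f, d in seen.items() if len(d) > 1}

if __name__ == "__main__":
    for func, chain in reentries(parse_frames(TRACE)).items():
        print(f"{func} re-entered: " + " -> ".join(chain))
```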

Re: what would a POP3s daemon best look like?

2018-11-04 Thread Walter Alejandro Iglesias
Hi Todd,

Not an expert here and just to be sure, :-)

In article <21bf906b4c6c6...@sudo.ws> Todd C. Miller  
wrote:
> I don't think there is much interest in having a pop3 daemon in
> base due to the use of plain-text passwords

I've been assuming that running pop3d(8) from ports, listening on 995
only and with port 110 firewalled, my passwords aren't traveling in plain
text.  Am I assuming right?


Walter


