BCC every email going through OpenSMTPd to a specific address
Hey fellow mailserver admins!

I'm currently using OpenSMTPd as my internal mailserver for my company. As per regulations, I need to archive emails sent and received for specific amounts of time, depending on the type of mail.

The mail archive software has a mode to pop/imap mails from a "collection inbox" and then sort to the users based on the from/to header.

For incoming emails I can make it work by using virtual delivery method and specifying "username, journal" as the destination for each address. With this, all email will also be stored in the journal inbox, which is then used by my archive software.

However, for outgoing emails this does not work. I currently need to configure each mail client for each employee to bcc the email itself to the journal address, which is a royal pain in some lower region and prone to errors, leaving me potentially with a fine or a lawsuit.

Postfix has a setting "always_bcc" which bcc's every single mail ever going through the server.

Does OpenSMTPd have something similar? Can I build something like this with a script and a filter? If so, how does the proc-exec filter work exactly? Does it need to return something? I cannot find a good explanation in the smtpd.conf manpage.

Thanks!

Cheers,
Simon
Re: Limit Mail Submission to inet4
> On Thu, Nov 18, 2021 at 10:55:00AM +0100, Simon Hoffmann wrote:
> > > >GMail still won't accept my IPv6 submitted mails.
> > >
> > > Are you using ipv6 connectivity over tunnel from tunnelbroker.net?
> >
> > Nope. My relays have "real" IPv6 /64 networks assigned to their interfaces
> > natively.
> >
> > However, I'd still like to only use IPv4 when sending messages.
>
> Why? Why not fix the IPv6 issue? Our servers deliver to gmail over IPv6 with
> no issues.

Hmm, that's interesting. The last time I googled it said that it's a known issue with gmail and one should use IPv4. Also, the GMail help and the error message were all to no use.

I will try sending via IPv6 later today and report back.

If you like, you can lookup DNS records for mxbackup.hetzner.hoffbox.net
Should be correct. PTR has the same name as A/AAAA, A and are present...

> > Suggestions?
>
> Set a fixed IPv4 source address using the src parameter in the action directive
> of your smtpd.conf.

Yeah, that's a good idea, thanks! Will be my fallback if I can't get v6 to work.
Re: Limit Mail Submission to inet4
> >GMail still won't accept my IPv6 submitted mails.
>
> Hi,
>
> Are you using ipv6 connectivity over tunnel from tunnelbroker.net?

Nope. My relays have "real" IPv6 /64 networks assigned to their interfaces natively.

However, I'd still like to only use IPv4 when sending messages.

Suggestions?

Thanks!
Simon
Limit Mail Submission to inet4
Hey,

the earlier versions of opensmtpd (with the old config file syntax: accept from...) had the option to specify

limit mta inet4 domain.com (from memory), or limit mta inet4 in general, to limit everything to IPv4.

With the newer versions (I'm running 6.8.0) this seems no longer possible? What was the reason to remove this?

GMail still won't accept my IPv6 submitted mails.

Or am I just blind? :)

Thanks!
Simon
Re: OpenSMTPd: Ignoring /etc/hosts file?
> On Mon, Sep 13, 2021 at 12:28:04PM +0200, Simon Hoffmann wrote:
> > > do you have "lookup file bind" record in your /etc/resolv.conf file?
> >
> > This option is not available in the current debian version.
>
> FWIW, the equivalent setting on glibc-based Linux systems would be the
> `hosts` line in /etc/nsswitch.conf:
>
> $ grep hosts /etc/nsswitch.conf
> hosts: files dns

I had this setting, but it did not change the behaviour...
Re: OpenSMTPd: Ignoring /etc/hosts file?
> do you have "lookup file bind" record in your /etc/resolv.conf file?

This option is not available in the current debian version. And I have to admit I have no clue what did the dns resolving. NetworkManager was disabled, systemd-resolved was disabled, ... Changes to the /etc/resolv.conf file would be overwritten by DHCP... Really strange.

For now it's fixed, I will supply the fix in another mail.

I should and will switch to OpenBSD tho in the near future.

Thanks!
Resolved: OpenSMTPd: Ignoring /etc/hosts file?
I managed to resolve this issue with some strange workaround.

I must confess, I don't exactly know which service was handling DNS before, as NetworkManager and systemd-resolved were both disabled. /etc/resolv.conf was overwritten by each DHCP request.

So I did the following.

I configured systemd-resolved to also listen on 192.168.158.200:53, and to use 192.168.158.1 as DNS Server. I then set the 6 domain-name-server DNS option on DNS for the host 192.168.158.200 to point to 192.168.158.200 (127.0.0.1 was not allowed).

So each DNS request is not sent to 192.168.158.200:53, which is the local systemd-resolved. This then looks at the /etc/hosts file for matches, and forwards queries to 192.168.158.1 if no matches are found.

Now OpenSMTP connects to the internal IP, but can still use SSL/TLS and verify the certificate.

Strange strange... When I have some more time I will switch OS to OpenBSD.

Thanks for your help!

Simon

> Hey yall,
>
> in my smtpd.conf file I have "relay smtps://host.domain.tld"
>
> host.domain.tld does resolve to a public IP, and this needs to be a public IP on public DNS.
> However, OpenSMTPd needs to relay to the local IP address of the smarthost.
> Since I have no DNS server running on that network, and I don't want to setup a DNS
> server only for OpenSMTPd, I added an entry to /etc/hosts, assigning the local IP to
> the FQDN.
> When I ping the FQDN it correctly resolves to the internal IP of the smarthost.
> However, OpenSMTPd ignores the entry in /etc/hosts and still tries to connect to the
> public IP of the host.
>
> Is this known that OpenSMTPd ignores /etc/hosts? Or is this a problem on Debian?
> Is there a workaround? Specifying "relay smtps://192.168.158.1" will not work, as the
> private IP is not part of the Cert.
> Can I force OpenSMTPd to use the internal IP? Can I disable Cert checking for the
> smarthost?
>
> Thanks!
>
> System details:
>
> root@mx01:~# lsb_release -a
> No LSB modules are available.
> Distributor ID: Debian
> Description:    Debian GNU/Linux 11 (bullseye)
> Release:        11
> Codename:       bullseye
> root@mx01:~# smtpd -h
> version: OpenSMTPD 6.8.0p2
> usage: smtpd [-dFhnv] [-D macro=value] [-f file] [-P system] [-T trace]
>
> root@mx01:~# cat /etc/network/interfaces
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
>
> source /etc/network/interfaces.d/*
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> allow-hotplug ens192
> iface ens192 inet dhcp
>
>
> Any info else you need?
>
> Cheers,
>
> Simon
Re: OpenSMTPd: Ignoring /etc/hosts file?
> Has been reported previously -
> https://github.com/OpenSMTPD/OpenSMTPD/issues/1115

Thanks for the link, this did not come up in my searches. However,

> The link also contains a workaround which may be useful for you.

the only "workaround" I could find was to specify the internal IP instead of the hostname. I've tried this before and I've tried this just now, in both cases it does not work, because, as I said, the private IP is not part of the certificate and OpenSMTPd checks the certificate.

Is there a way to disable cert checking?

Log output:

Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta connecting address=smtp+tls://192.168.158.1:25 host=uhura.hoffmann.computer
Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta connected
Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta ssl_check_name: no match for '192.168.158.1' in cert
Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta error reason=SSL certificate check failed
Sep 13 10:04:54 mx01 smtpd[25157]: smtp-out: Disabling route [] <-> 192.168.158.1 (uhura.hoffmann.computer) for 15s
Sep 13 10:04:56 mx01 smtpd[25157]: smtp-out: No valid route for [connector:[]->[relay:192.168.158.1,port=25,smtp+tls,mx,heloname=mx01.klm.hoffbox.net],0x0]

Thanks,

Simon

> Best,
> Aisha
>
> On 9/12/21 5:28 PM, Simon Hoffmann wrote:
> > Hey yall,
> >
> > in my smtpd.conf file I have "relay smtps://host.domain.tld"
> >
> > host.domain.tld does resolve to a public IP, and this needs to be a public IP on
> > public DNS.
> > However, OpenSMTPd needs to relay to the local IP address of the smarthost.
> > Since I have no DNS server running on that network, and I don't want to setup a DNS
> > server only for OpenSMTPd, I added an entry to /etc/hosts, assigning the local IP to
> > the FQDN.
> > When I ping the FQDN it correctly resolves to the internal IP of the smarthost.
> > However, OpenSMTPd ignores the entry in /etc/hosts and still tries to connect to the
> > public IP of the host.
> >
> > Is this known that OpenSMTPd ignores /etc/hosts? Or is this a problem on Debian?
> > Is there a workaround? Specifying "relay smtps://192.168.158.1" will not work, as the
> > private IP is not part of the Cert.
> > Can I force OpenSMTPd to use the internal IP? Can I disable Cert checking for the
> > smarthost?
> >
> > Thanks!
> >
> > System details:
> >
> > root@mx01:~# lsb_release -a
> > No LSB modules are available.
> > Distributor ID: Debian
> > Description:    Debian GNU/Linux 11 (bullseye)
> > Release:        11
> > Codename:       bullseye
> > root@mx01:~# smtpd -h
> > version: OpenSMTPD 6.8.0p2
> > usage: smtpd [-dFhnv] [-D macro=value] [-f file] [-P system] [-T trace]
> >
> > root@mx01:~# cat /etc/network/interfaces
> > # This file describes the network interfaces available on your system
> > # and how to activate them. For more information, see interfaces(5).
> >
> > source /etc/network/interfaces.d/*
> >
> > # The loopback network interface
> > auto lo
> > iface lo inet loopback
> >
> > # The primary network interface
> > allow-hotplug ens192
> > iface ens192 inet dhcp
> >
> >
> > Any info else you need?
> >
> > Cheers,
> >
> > Simon
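Added example, not part of the original messages: a small Python triage script for the smtpd log excerpt quoted in the message above. It groups the mta lines by session id and reports sessions where ssl_check_name failed, marking those where the name compared against the certificate was an IP literal, which is the case the message describes. The regular expressions assume the line layout seen in that excerpt, and the second session in the sample is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# First five lines: copied from the log output quoted in the message above.
# Last three lines: a constructed session (id, address and host are made up).
SAMPLE_LOG = """\
Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta connecting address=smtp+tls://192.168.158.1:25 host=uhura.hoffmann.computer
Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta connected
Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta ssl_check_name: no match for '192.168.158.1' in cert
Sep 13 10:04:54 mx01 smtpd[25157]: 10ba299cf5ba5905 mta error reason=SSL certificate check failed
Sep 13 10:05:10 mx01 smtpd[25157]: 00000000000000a1 mta connecting address=smtps://203.0.113.7:465 host=relay.example.org
Sep 13 10:05:10 mx01 smtpd[25157]: 00000000000000a1 mta connected
Sep 13 10:05:10 mx01 smtpd[25157]: 00000000000000a1 mta tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
"""

MTA_RE = re.compile(r"smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) mta (?P<event>.+)$")
CONNECT_RE = re.compile(r"connecting address=(?P<address>\S+) host=(?P<host>\S+)")
NAME_RE = re.compile(r"ssl_check_name: no match for '(?P<name>[^']+)' in cert")

def is_ip_literal(name):
    """True when the name smtpd compared against the certificate is an IP address."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False

def cert_name_failures(log_text):
    """Group mta lines by session id; return the sessions whose name check failed."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = MTA_RE.search(line)
        if not m:
            continue  # smtp-out and other non-session lines
        session, event = sessions[m["sid"]], m["event"]
        if c := CONNECT_RE.match(event):
            session.update(c.groupdict())
        elif n := NAME_RE.match(event):
            session["checked_name"] = n["name"]
            session["ip_literal"] = is_ip_literal(n["name"])
        elif event.startswith("error reason="):
            session["error"] = event.split("=", 1)[1]
    return [{"session": sid, **s} for sid, s in sessions.items() if "checked_name" in s]

if __name__ == "__main__":
    for f in cert_name_failures(SAMPLE_LOG):
        print(f["session"], f["address"], f["checked_name"], f["ip_literal"], f.get("error"))
```

An ip_literal value of True means the relay target was given as an address, so a certificate issued only for a hostname cannot match it.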
OpenSMTPd: Ignoring /etc/hosts file?
Hey yall,

in my smtpd.conf file I have "relay smtps://host.domain.tld"

host.domain.tld does resolve to a public IP, and this needs to be a public IP on public DNS.
However, OpenSMTPd needs to relay to the local IP address of the smarthost.
Since I have no DNS server running on that network, and I don't want to setup a DNS server only for OpenSMTPd, I added an entry to /etc/hosts, assigning the local IP to the FQDN.
When I ping the FQDN it correctly resolves to the internal IP of the smarthost.
However, OpenSMTPd ignores the entry in /etc/hosts and still tries to connect to the public IP of the host.

Is this known that OpenSMTPd ignores /etc/hosts? Or is this a problem on Debian?
Is there a workaround? Specifying "relay smtps://192.168.158.1" will not work, as the private IP is not part of the Cert.
Can I force OpenSMTPd to use the internal IP? Can I disable Cert checking for the smarthost?

Thanks!

System details:

root@mx01:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye
root@mx01:~# smtpd -h
version: OpenSMTPD 6.8.0p2
usage: smtpd [-dFhnv] [-D macro=value] [-f file] [-P system] [-T trace]

root@mx01:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens192
iface ens192 inet dhcp


Any info else you need?

Cheers,

Simon