Re: OpenSMTPd: Ignoring /etc/hosts file?

2021-09-12 Thread Aisha Tammy
Has been reported previously - 
https://github.com/OpenSMTPD/OpenSMTPD/issues/1115

The link also contains a workaround which may be useful for you.

Best,
Aisha

On 9/12/21 5:28 PM, Simon Hoffmann wrote:

Hey yall,

in my smtpd.conf file I have "relay smtps://host.domain.tld"

host.domain.tld does resolve to a public IP, and this needs to be a public IP on
public DNS.
However, OpenSMTPd needs to relay to the local IP address of the smarthost.
Since I have no DNS server running on that network, and I don't want to set up a
DNS server only for OpenSMTPd, I added an entry to /etc/hosts, assigning the
local IP to the FQDN.
When I ping the FQDN it correctly resolves to the internal IP of the smarthost.
However, OpenSMTPd ignores the entry in /etc/hosts and still tries to connect
to the public IP of the host.

Is it known that OpenSMTPd ignores /etc/hosts? Or is this a problem on Debian?
Is there a workaround? Specifying "relay smtps://192.168.158.1" will not work,
as the private IP is not part of the Cert.
Can I force OpenSMTPd to use the internal IP? Can I disable Cert checking for
the smarthost?

Thanks!

System details:

root@mx01:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:Debian GNU/Linux 11 (bullseye)
Release:11
Codename:   bullseye
root@mx01:~# smtpd -h
version: OpenSMTPD 6.8.0p2
usage: smtpd [-dFhnv] [-D macro=value] [-f file] [-P system] [-T trace]

root@mx01:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens192
iface ens192 inet dhcp


Any info else you need?

Cheers,

Simon
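The "private IP is not part of the Cert" point above comes down to which identity a TLS client compares against the certificate. This added example (not code from the thread or from OpenSMTPD) models that comparison: a DNS name from the relay URL is checked against dNSName entries, an IP literal only against iPAddress entries, so relaying to the raw address cannot verify a certificate issued for host.domain.tld. The SAN list is constructed for the example.

```python
"""Which identity does the smarthost certificate have to match?

Added example, not code from the thread or from OpenSMTPD. A TLS
client compares the certificate's Subject Alternative Names against
the identity it was asked to reach: a DNS name from the relay URL is
checked against dNSName entries, an IP literal only against iPAddress
entries (RFC 6125). That is why "relay smtps://192.168.158.1" cannot
verify against a certificate issued for host.domain.tld even though
the address is the right one; either the name has to resolve to the
wanted address, or the certificate has to carry the address. The SAN
lists below are constructed for the example.
"""
import ipaddress
from urllib.parse import urlsplit


def requested_identity(relay_url: str) -> str:
    """Host part of an smtpd.conf relay URL such as smtps://host:465."""
    host = urlsplit(relay_url).hostname
    if not host:
        raise ValueError("no host in relay URL: %r" % relay_url)
    return host


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, label by label; a
    wildcard may only be the whole left-most label, must be followed by
    at least two more labels, and matches exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_matches(san_entries, requested: str) -> bool:
    """san_entries: iterable of (kind, value) with kind 'dNSName' or
    'iPAddress'. True if the certificate is valid for `requested`."""
    try:
        wanted_ip = ipaddress.ip_address(requested)
    except ValueError:
        wanted_ip = None          # a host name was requested
    for kind, value in san_entries:
        if kind == "iPAddress" and wanted_ip is not None:
            if ipaddress.ip_address(value) == wanted_ip:
                return True
        elif kind == "dNSName" and wanted_ip is None:
            if _dns_name_matches(value, requested):
                return True
    return False


# Constructed SAN list for the smarthost certificate described in the post.
SMARTHOST_SAN = [("dNSName", "host.domain.tld")]


def relay_verifies(relay_url: str, san_entries=SMARTHOST_SAN) -> bool:
    """Would TLS verification of the smarthost succeed for this relay line?"""
    return cert_matches(san_entries, requested_identity(relay_url))


if __name__ == "__main__":
    for url in ("smtps://host.domain.tld", "smtps://192.168.158.1"):
        print(url, "->", "verifies" if relay_verifies(url) else "name mismatch")
    # Only an iPAddress SAN would make the IP-literal relay verify.
    print(relay_verifies("smtps://192.168.158.1",
                         SMARTHOST_SAN + [("iPAddress", "192.168.158.1")]))
```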




Re: Global IPv4 with ARP and wireguard peers

2021-05-13 Thread Aisha Tammy

On 5/13/21 3:14 PM, Rafael Possamai wrote:

Has anyone tried to get something like this to work?
I don't get why it works for a while and then suddenly stops working!?

Not with hacky ARP entries. I'd see if Frantech can get you a routed /30 or /29 
with your main v4 address as next hop. It's essentially same thing with v6, 
they route a /48 to your v6 address after you set it to next hop in the routed 
subnet settings (and configure the VM with that v6 address).


Yes, that would've been nice.

But turns out that the problem is on OpenBSD's end, as the same 
configuration works on Alpine.


Seems like openbsd.amsterdam has seen a similar issue - 
https://openbsd.amsterdam/known.html#Connectivity


Their solution to ping the gateway works for my case too, which is a 
better solution than adding/deleting ips/arp entries.


So it seems like this bug is still open.

Hope this helps some other person who comes looking :D

Aisha



Re: spamd IPv6 listener 6.9amd64

2021-05-12 Thread Aisha Tammy

afaik spamd(8) does not support ipv6 (yet).
I also do not know if there is any ongoing effort for ipv6 to be added.

On 5/12/21 9:24 AM, Martin wrote:

Hi list,

I can't find in spamd(8) how to enable IPv6 listener in addition to IPv4 one.

Is it possible to set spamd(8) to listen on both IPv4 and IPv6?

Martin





Global IPv4 with ARP and wireguard peers

2021-05-11 Thread Aisha Tammy

Hi all,
  I'm trying to give my wireguard peer a global IPv4 and IPv6.
The IPv6 is working fine, but the IPv4 doesn't work.

My VPS host (frantech) has provided me with two IPv4s,
198.98.53.194 (main IP through dhcp) and 198.98.61.217
which I can get on my vio0 interface with the configuration

/etc/hostname.vio0:

inet autoconf
inet alias 198.98.61.217 255.255.255.0 198.98.61.1
inet6 alias 2605:6400:10:c0::6942 48
inet6 alias 2605:6400:819e::6942 48
!route -n add -inet6 default 2605:6400:10::1


The above configuration works nicely if I want my VPS to get
both the IPs. But I want the 198.98.61.217 to go to my wireguard
peer. So I commented out the second line to get

inet autoconf
#inet alias 198.98.61.217 255.255.255.0 198.98.61.1
inet6 alias 2605:6400:10:c0::6942 48
inet6 alias 2605:6400:819e::6942 48
!route -n add -inet6 default 2605:6400:10::1

and in my wireguard config I have

/etc/hostname.wg0:

inet 10.42.69.1 255.255.255.255 10.42.69.1
inet6 alias 2605:6400:819e:4269:::4269 80
mtu 1420

wgkey  wgport 6969
wgpeer  wgpsk  wgaip 198.98.61.217/32 wgaip 2605:6400:819e:4269:::1/80


up

!route -n add -inet 198.98.61.217/32 -iface 10.42.69.1
!route -n add -inet6 2605:6400:819e:4269:::/80 -iface 2605:6400:819e:4269:::4269


After starting both the interfaces and wireguard interface on the peer,
I am able to ping the peer's global IPv6 from a different VPS on vultr,
but not the IPv4. I am able to ping the peer's IPv4 from the frantech VPS
but I assume that is because I have a route set up.

So for this I tried adding an arp proxy entry, but that gives an error

$ arp -n -s 198.98.61.217 $(ifconfig vio0 | grep lladdr | awk '{print $2; }') pub

set: proxy entry exists for non 802 device

Now I tried to do weirder things, (1) I destroyed the wg0 interface, (2) 
added the arp entry, (3) deleted the arp entry, (4) started the wg0 
interface - and now I can ping the IPv4 from outside!!! But this 
only stays for ~10-15 minutes and after which it again stops working??


$ ifconfig wg0 destroy
$ arp -n -s 198.98.61.217 $(ifconfig vio0 | grep lladdr | awk '{print $2; }') pub

$ arp -n -d 198.98.61.217
$ sh /etc/netstart wg0

Has anyone tried to get something like this to work?
I don't get why it works for a while and then suddenly stops working!?
At least the fact that it is working for a while means it should be 
possible to do this but my networking knowledge falls short, maybe I'm 
missing something obvious, so I'd appreciate the help.


Thanks!
Aisha



Re: Making a portable version of imsg - where to find regression tests?

2020-12-12 Thread Aisha Tammy
On 12/12/20 6:18 PM, Ingo Schwarze wrote:
> Hi Aisha,
> 
> Aisha Tammy wrote on Sat, Dec 12, 2020 at 05:40:14PM -0500:
> 
>> I was trying to create a small standalone portable version of the
>> imsg utilities for linux and I managed to get it compiling (yea!!)
>> and have put it on github [1].
> 
> I freely admit i didn't look at that.
> 
>> It is also working with trivial test cases that I manually generated.
>> For completeness, I was also trying to find regression tests for imsg
>> but I couldn't find them in the source code (in fact, couldn't find
>> them for whole of libutil, make regress just does nothing).
> 
> OpenBSD never mixes regression tests into the main directories of the
> src tree.  All regression tests are in /usr/src/regress/.  In particular,
> those for libutil are in /usr/src/regress/lib/libutil/.
> 
>> Could anyone point to where I should look for these regression tests
> 
> If somebody wrote any regression tests for imsg, the place to put them
> would be /usr/src/regress/lib/libutil/imsg/.
> 
>> (if they exist?)
> 
> It doesn't appear there are any automated tests for imsg right now.
> Several parts of OpenBSD have regression tests, but not all have.
> 
> Yours,
>   Ingo
> 

Awesome, thanks a lot Ingo :D
That's very informative.

Cheers,
Aisha



Making a portable version of imsg - where to find regression tests?

2020-12-12 Thread Aisha Tammy
Hi,
  I was trying to create a small standalone portable version of the imsg utilities
for linux and I managed to get it compiling (yea!!) and have put it on github [1].
It is also working with trivial test cases that I manually generated.
For completeness, I was also trying to find regression tests for imsg but I couldn't
find them in the source code (in fact, couldn't find them for the whole of libutil;
make regress just does nothing).
Could anyone point to where I should look for these regression tests (if they exist?)

Cheers,
Aisha

PS: thanks a lot to all of the creators of imsg :D

[1] https://github.com/bsd-ac/imsg-compat


Re: OpenSMTPD and ldap+tls

2020-12-01 Thread Aisha Tammy
On 12/1/20 1:31 AM, Martijn van Duren wrote:
> Hello,
>
> There is table_ldap in the opensmtpd-extras package, but I've never used
> it, it's undocumented and I've heard that the author sees it as a proof
> of concept only at this point. So no idea how far this will take you,
> but it's your best shot. :-)
>
> A quick look through the source shows me the following snippet of the
> config parser:
>
> else if (!strcmp(key, "username"))
> read_value(, key, value);
> else if (!strcmp(key, "password"))
> read_value(, key, value);
> else if (!strcmp(key, "basedn"))
> read_value(, key, value);
> else if (!strcmp(key, "alias_filter"))
> read_value([LDAP_ALIAS].filter, key, value);
> else if (!strcmp(key, "alias_attributes")) {
> ldap_parse_attributes([LDAP_ALIAS],
> key, value, 1);
> } else if (!strcmp(key, "credentials_filter"))
> read_value([LDAP_CREDENTIALS].filter, key, 
> value);
> else if (!strcmp(key, "credentials_attributes")) {
> ldap_parse_attributes([LDAP_CREDENTIALS],
> key, value, 2);
> } else if (!strcmp(key, "domain_filter"))
> read_value([LDAP_DOMAIN].filter, key, value);
> else if (!strcmp(key, "domain_attributes")) {
> ldap_parse_attributes([LDAP_DOMAIN],
> key, value, 1);
> } else if (!strcmp(key, "userinfo_filter"))
> read_value([LDAP_USERINFO].filter, key, 
> value);
> else if (!strcmp(key, "userinfo_attributes")) {
> ldap_parse_attributes([LDAP_USERINFO],
> key, value, 3);
> } else if (!strcmp(key, "mailaddr_filter"))
> read_value([LDAP_MAILADDR].filter, key, 
> value);
> else if (!strcmp(key, "mailaddr_attributes")) {
>
> Hope this works for you.
>
> martijn@
>
> On Tue, 2020-12-01 at 09:02 +0300, Родин Максим wrote:
>> Hello
>> Is there a way to make opensmtpd work
>> with ldap aliases over a secure connection?
>>
>> I do not know where to find working examples of this
>> My current /etc/mail/ldap.conf looks like this:
>>
>> url                     ldap://ldap1.mydomain.ru
>> basedn                  dc=mydomain,dc=ru
>> username                cn=service,dc=mydomain,dc=ru
>> password                passpasspass
>>
>> domain_filter           (&(objectClass=domain)(dc=%s))
>> domain_attributes       dc
>>
>> credentials_filter      (&(objectClass=posixAccount)(uid=%s))
>> credentials_attributes  uid,userPassword
>>
>> userinfo_filter         (&(objectClass=posixAccount)(uid=%s))
>> userinfo_attributes     uid,uidNumber,gidNumber,homeDirectory
>>
>> alias_filter            (&(objectClass=nisMailAlias)(cn=%s))
>> alias_attributes        rfc822MailMember
>>
>> ldapd daemon is set up on another host to work over tls and ssl and
>> working correctly.
>>
>> If I change url to ldaps://ldap1.mydomain.ru
>> or to ldap+tls://ldap1.mydomain.ru
>> then smtpd -dv shows:
>> """
>> vdomains[50952]: warn: ldap_parse_url fail
>> vdomains[50952]: warn: ldap_connect error
>> vdomains[50952]: fatal: failed to connect
>> """
>>
>

Is the table-procexec a viable alternative?
You can create shell wrappers to call ldap functions
and then call the shell wrappers from procexec with
the correct parameters.
This seems very possible, assuming table-procexec is usable.
Last time I checked, procexec didn't have a lot of documentation.

Best,
Aisha


Re: panic "locking against myself"

2020-11-29 Thread Aisha Tammy
On 11/29/20 7:09 PM, Ed Ahlsen-Girard wrote:
> I've had a couple of panics:
> 
> mtx(something) (address)
> locking against myself
> 
> 
> in the last
> couple of days. The most recent address was 0x821c63c8
> 
> How does this get tracked down? No core files from anything in the
> applicable time window. dmesg below signature.
> 

Was fixed in latest snapshot
During boot select bsd.rd and sysupgrade.
Should be fine.



List of files to remove for upgrade

2020-10-19 Thread Aisha Tammy

Hi,

  I'm wondering why the upgrade guide at
https://www.openbsd.org/faq/upgrade68.html
doesn't contain a longer list of files to remove.

Sysclean gives out a lot more names, but I haven't removed them yet cuz I
trust the upgrade guide more as it is crosschecked by humans.

But I was still curious why this is much smaller than 66->67.

Aisha



Re: OpenSMTP - Wrong user for Dovecot LMTP

2020-10-19 Thread Aisha Tammy

On 10/19/20 1:18 PM, Chris Bennett wrote:

On Mon, Oct 19, 2020 at 06:24:47AM -0400, Aisha Tammy wrote:

On 10/19/20 12:20 AM, Kastus Shchuka wrote:

On Sun, Oct 18, 2020 at 08:55:16PM -0400, Aisha Tammy wrote:

Hi,

   I just upgraded to 6.8 and the upgrade process has been super cool and simple :)

Unfortunately I seem to have hit some weird issue in OpenSMTPD where it has stopped
delivering the mail using Dovecot's LMTP due to sending as the wrong user.

osmtpd tries to send the mail as *_smtpd* even when configured to send as a
different user *excision*



Could it be this change: https://marc.info/?t=15878902902=1=2 ?



Well damn... That would indeed cause this error.
I guess a simple fix would be to add _smtpd to the socket group or change socket
group to _smtpd.

Another fix would be to have the whole virtual user system also be done using
_smtpd but I feel that keeping things with separate users is better.

Thanks a lot for the answer!

Aisha



Are you using Maildir and IMAP from dovecot? I am.
I've setup using vmail as the user for dovecot. Something similar to
your virtual user files, except that I have three files:
vdomains, vaddr and vusers.

vusers has the table you are using, except moving to user vmail instead
of excision, which doesn't matter. vdomains are the domains getting
mail.
vaddr are just the plain addresses used.

action a01 lmtp "/var/dovecot/lmtp" rcpt-to alias 
action a02 lmtp "/var/dovecot/lmtp" rcpt-to virtual 

match from any for local action a01
match from any for domain  rcpt-to  action a02

This works really well. I'm also using PostgreSQL for the users,
passwords and home folders for dovecot, which solves the upcoming
removal of bsdauth in dovecot.

However, unrelated I'm having trouble setting up auth for sending. There
are many conflicting examples which I can't sort out. I'll look over
what you've posted to see if that can work for me. I have four mail
domains on this server and I'm definitely missing some small piece of
the puzzle.

Regards,
Chris Bennett



Yea, take a look at my config, it allows senders to send from any of their
allowed aliases, like no...@domain1.com has an alias anothern...@domain2.org.
Then no...@domain1.com can both send and receive mails for anothernoob.

You have to create the virtuals table, and a reverse virtuals table, called 

in my config.

Though I don't use postgresql or anything... I just cooked up a small homegrown
scheme using openssh and passwd file format storage for users and passwords.
Everyone supports that, don't think it's gonna be killed anytime soon :D

Aisha



Re: OpenSMTP - Wrong user for Dovecot LMTP

2020-10-19 Thread Aisha Tammy

On 10/19/20 12:20 AM, Kastus Shchuka wrote:

On Sun, Oct 18, 2020 at 08:55:16PM -0400, Aisha Tammy wrote:

Hi,

  I just upgraded to 6.8 and the upgrade process has been super cool and simple :)

Unfortunately I seem to have hit some weird issue in OpenSMTPD where it has stopped
delivering the mail using Dovecot's LMTP due to sending as the wrong user.

osmtpd tries to send the mail as *_smtpd* even when configured to send as a
different user *excision*



Could it be this change: https://marc.info/?t=15878902902=1=2 ?



Well damn... That would indeed cause this error.
I guess a simple fix would be to add _smtpd to the socket group or change socket
group to _smtpd.

Another fix would be to have the whole virtual user system also be done using
_smtpd but I feel that keeping things with separate users is better.

Thanks a lot for the answer!

Aisha



OpenSMTP - Wrong user for Dovecot LMTP

2020-10-18 Thread Aisha Tammy

Hi,

 I just upgraded to 6.8 and the upgrade process has been super cool and simple :)

Unfortunately I seem to have hit some weird issue in OpenSMTPD where it has stopped
delivering the mail using Dovecot's LMTP due to sending as the wrong user.

osmtpd tries to send the mail as *_smtpd* even when configured to send as a
different user *excision*

Relevant parts of the error output from the command
smtpd -dv -T stat -T lookup -T expand -T mproc -T rules

debug: mda: got message fd 21 for session 27dfd8470fcf834f evpid 
1140e2ecd415316b
debug: mda: querying mda fd for session 27dfd8470fcf834f evpid 1140e2ecd415316b
mproc: pony -> parent : 6168 IMSG_MDA_FORK
debug: smtpd: forking mda for session 27dfd8470fcf834f: excision as _smtpd
mproc: parent -> pony : 8 IMSG_MDA_FORK
debug: mda: got mda fd 22 for session 27dfd8470fcf834f evpid 1140e2ecd415316b
debug: smtpd: mda process done for session 27dfd8470fcf834f: exited abnormally
debug: mda: io disconnected on session 27dfd8470fcf834f
mproc: parent -> pony : 35 IMSG_MDA_DONE
mproc: pony -> queue : 53 IMSG_MDA_DELIVERY_TEMPFAIL
27dfd846f9575079 mda delivery evpid=1140e2ecd415316b from= to= rcpt= user=excision delay=2h10m40s result=TempFail stat=Error (temporary failure: "mail.lmtp: connect: Permission denied")
debug: mda: session 27dfd8470fcf834f done
mproc: pony -> control : 46 IMSG_STAT_DECREMENT
debug: mda: user "excision" becomes runnable
mproc: pony -> control : 45 IMSG_STAT_DECREMENT
debug: mda: all done for user ":excision"
mproc: pony -> control : 42 IMSG_STAT_DECREMENT
mproc: queue -> control : 57 IMSG_STAT_INCREMENT
ramstat: decrement: mda.envelope
ramstat: mda.envelope (0xe29944762c1): 1 -> 0
ramstat: decrement: mda.running
ramstat: mda.running (0xe29d4a91c41): 1 -> 0
ramstat: decrement: mda.user
ramstat: mda.user (0xe298f729481): 1 -> 0
mproc: queue -> control : 59 IMSG_STAT_INCREMENT
mproc: queue -> scheduler : 441 IMSG_QUEUE_DELIVERY_TEMPFAIL
ramstat: increment: queue.evpcache.load.hit
mproc: scheduler -> control : 61 IMSG_STAT_INCREMENT
ramstat: queue.evpcache.load.hit (0xe2a74f72f81): 111 -> 112
mproc: scheduler -> control : 61 IMSG_STAT_DECREMENT
ramstat: increment: queue.evpcache.update.hit
ramstat: queue.evpcache.update.hit (0xe29d4a91c41): 52 -> 53
ramstat: increment: scheduler.delivery.tempfail
ramstat: scheduler.delivery.tempfail (0xe2a74f72981): 45 -> 46
ramstat: decrement: scheduler.envelope.inflight
ramstat: scheduler.envelope.inflight (0xe2a74f72281): 1 -> 0
mproc: pony -> lka : 28 IMSG_GETNAMEINFO
mproc: pony -> control : 46 IMSG_STAT_INCREMENT

This is happening as the lmtp socket only has minimal permissions
 srw-rw  1 excision  excision 0B Oct 18 20:03 lmtp=

Relevant parts of my smtpd.conf

...
action "dovecot-lmtp" \
lmtp "/var/dovecot/lmtp" rcpt-to \
virtual 
...
#
# accept mail from outside sent to our
# BUT not those who are coming for key-submission
match   from any \
for domain  \
!rcpt-to  \
action "dovecot-lmtp"
...

Relevant parts of my virtuals table

ai...@aisha.cc  excision
...
open...@aisha.ccai...@aisha.cc
...


I've also attached the full files if needed and a larger log as well.

It's possible I've made some error, but then it was working until
yesterday.

Current workaround: chmod 666 /var/dovecot/lmtp
to allow _smtpd user to also write to the socket.
Very insecure, I know...

Hopefully, it is just me making a stupid error in the config :x

Thanks,
Aisha



ai...@aisha.cc  excision
postmas...@aisha.cc ai...@aisha.cc
ab...@aisha.cc  ai...@aisha.cc
n...@aisha.cc   ai...@aisha.cc
secur...@aisha.cc   ai...@aisha.cc
hostmas...@aisha.cc ai...@aisha.cc
use...@aisha.cc ai...@aisha.cc
n...@aisha.cc   ai...@aisha.cc
webmas...@aisha.cc  ai...@aisha.cc
dmarcrepo...@aisha.cc   ai...@aisha.cc
tlsrepo...@aisha.cc ai...@aisha.cc
ansim...@aisha.cc   ai...@aisha.cc
gen...@aisha.cc ai...@aisha.cc
open...@aisha.ccai...@aisha.cc
n...@aisha.cc   ai...@aisha.cc
faceb...@aisha.cc   ai...@aisha.cc
enigm...@aisha.cc   ai...@aisha.cc
testu...@aisha.cc   ai...@aisha.cc
e...@aisha.cc   ai...@aisha.cc
st...@aisha.cc  ai...@aisha.cc
git...@aisha.cc ai...@aisha.cc
n...@aisha.cc   ai...@aisha.cc
m...@aisha.cc   ai...@aisha.cc
freen...@a
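The three options that came up in this thread (the socket as it is, chmod 666, or a group grant) differ only in who is allowed to connect to the LMTP socket. This added example, not code from the thread, evaluates ls(1)-style permissions for a given process identity so the options can be compared side by side; the ls lines are constructed after the one in the post, and the Dovecot settings in the comment are the change the group grant corresponds to.

```python
"""Who may connect to Dovecot's LMTP socket?

Added example, not code from the thread. connect() on a Unix socket
needs write permission on the socket node, and OpenSMTPD 6.8 forks the
MDA as _smtpd rather than as the recipient user (the change Kastus
linked), which is the "excision as _smtpd" line in the log. The
functions below apply the POSIX access check to a listing like the one
in the post, for the socket as posted, the chmod 666 workaround and a
group grant. The ls lines are constructed after the post's listing.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A process identity: effective user plus its groups."""
    user: str
    groups: frozenset


def parse_ls_line(line: str):
    """Turn 'srw-rw----  1 excision  excision 0B Oct 18 20:03 lmtp='
    into (type_char, mode_bits, owner, group)."""
    fields = line.split()
    perm, owner, group = fields[0], fields[2], fields[3]
    if len(perm) != 10:
        raise ValueError("unexpected permission field: %r" % perm)
    mode = 0
    for i, ch in enumerate(perm[1:]):
        # 'S'/'T' mean setuid/setgid/sticky *without* the exec bit.
        if ch not in "-ST":
            mode |= 1 << (8 - i)
    return perm[0], mode, owner, group


def can_connect(ls_line: str, who: Principal) -> bool:
    """Write-access check: owner class if the user owns the node,
    otherwise group class if any of the caller's groups matches,
    otherwise the 'other' class. root bypasses the check."""
    _, mode, owner, group = parse_ls_line(ls_line)
    if who.user == "root":
        return True
    if who.user == owner:
        cls = (mode >> 6) & 7
    elif group in who.groups:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return bool(cls & 2)


def is_world_writable(ls_line: str) -> bool:
    """True when any local user may connect to the socket."""
    return bool(parse_ls_line(ls_line)[1] & 0o002)


# Constructed after the listing in the post, mode spelled out in full.
SOCKET_AS_POSTED = "srw-rw----  1 excision  excision 0B Oct 18 20:03 lmtp="
# The thread's workaround: chmod 666 /var/dovecot/lmtp
SOCKET_CHMOD_666 = "srw-rw-rw-  1 excision  excision 0B Oct 18 20:03 lmtp="
# Least-privilege fix: have Dovecot create the socket with the MDA's group,
# i.e. in dovecot.conf:
#   service lmtp {
#     unix_listener lmtp {
#       user  = excision
#       group = _smtpd
#       mode  = 0660
#     }
#   }
SOCKET_GROUP_FIX = "srw-rw----  1 excision  _smtpd 0B Oct 18 20:03 lmtp="

SMTPD = Principal("_smtpd", frozenset({"_smtpd"}))
# The other fix mentioned in the thread: add _smtpd to the socket's group.
SMTPD_IN_EXCISION = Principal("_smtpd", frozenset({"_smtpd", "excision"}))
OTHER_USER = Principal("nobody", frozenset({"nobody"}))

if __name__ == "__main__":
    for label, line in (("as posted", SOCKET_AS_POSTED),
                        ("chmod 666", SOCKET_CHMOD_666),
                        ("group fix", SOCKET_GROUP_FIX)):
        print("%-10s _smtpd=%-5s nobody=%-5s world-writable=%s" % (
            label, can_connect(line, SMTPD), can_connect(line, OTHER_USER),
            is_world_writable(line)))
```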

Re: Any experience with 10Gbe?

2020-10-17 Thread Aisha Tammy
On 10/15/20 5:52 AM, Stuart Henderson wrote:
> On 2020-10-14, Rafael Possamai  wrote:
>>> I'm supporting a small business who needs more bandwidth due to the
>>> work-from-home situation. They've asked me to help them do the upgrade to
>>> 10Gbe. I'd prefer to keep them on an OpenBSD router, since I love how
>>> little maintenance it needs, but I can't find any accounts of someone
>>> actually managing to get close to line speed above 1 Gbe.
>>>
>>> I don't want to just buy expensive hardware and hope that it works. Has
>>> anyone here been able to get close to 10 Gb/s networking with OpenBSD? I
>>> don't need to be able to have more than a few pf-rules.
>>
>> There is a talk on YouTube about using a few OpenBSD boxes with 10gb, maybe 
>> this helps somewhat. https://www.youtube.com/watch?v=veqKM4bHesM 
> 
> 10Gb ports work fine, passing full 10Gb of traffic on those ports not so
> much, and we're nowhere near passing 10Gb of small size packets. (the
> limit is more to do with packets per second than speed).
> 
> "do the upgrade to 10GbE" isn't specific enough as to what's needed to be
> able to give much useful advice.
> 
> 
> 
Is there anything non-technical that users can help with?
I know donating hardware is one but I don't know if that's what is needed
in this case?


Aisha



Re: routing ipv6 over wireguard

2020-08-27 Thread Aisha Tammy
On 8/27/20 7:07 AM, Simon Fryer wrote:
> All,
> 
> On Thu, 27 Aug 2020 at 08:17, Alarig Le Lay  wrote:
> 
>> Hi,
>>
>> On Tue 25 Aug 2020 15:27:27 GMT, Aisha Tammy wrote:
>>> (peer A)$ tcpdump -inet6 -i vio0 icmp6
>>> 15:23:04.918459 fe80::fc00:2ff:feee:5248 > ff02::1:ff42:6: icmp6:
>>> neighbor sol: who has 2001:19f0:5:5cd5::6942:6
>>>
>>> (a lot of such lines)
>>
>> It seems that you have been provided a *connected* /64, so the router
>> tried to do NDP for your peer, which isn’t possible because the peer
>> isn’t on the same L2.
>>
>> You have ask your provider to *route* you a range. Then, it will be your
>> VM that will manage it.
>>
> 
> Thank you very much. I have been struggling with exactly the same problem
> but with an Iked created IPSec tunnel. Off to raise a query with my
> provider.
> 
> Thanks again.
> 
> Simon.
> 

I found this out too when talking with ncon@ on irc.
He has sent a patch which should allow us to use ndp with wg, am not sure if ndp
works with (or is even designed to work with) ipsec ipv6.

My knowledge of network layers is on demand wikipedia/google, which I assume is
also most people attempting to set up tunnels XD
So these behaviours put me in a twist.

Should get solved soon though.

Aisha.



Re: routing ipv6 over wireguard

2020-08-25 Thread Aisha Tammy
On 8/25/20 3:27 PM, Aisha Tammy wrote:
> Hi all,
>   I'm having some trouble getting wireguard to work nicely.
> 
> Goal: Try to give public ipv6 addresses to my wireguard peers.
> 
> How I've tried to tackle it is by giving the ip6 to the peer and
> then adding a route to the peer for the ipv6.
> 
> My vps (peer A) has ipv6 subnet - 2001:19f0:5:5cd5::0/64
> 
> And I give peer A on wg0 the address - 2001:19f0:5:5cd5::6942:6/112
Small correction, peer A was given the address - 2001:19f0:5:5cd5::6942:17/112

> Peer B has been given ipv6 - 2001:19f0:5:5cd5::6942:6/128
> 
> I've used wg-quick for now so when I try to get the route 
> 
> (peer A)$ route get 2001:19f0:5:5cd5::6942:6
>route to: 2001:19f0:5:5cd5::6942:6
> destination: 2001:19f0:5:5cd5::6942:6
>mask: :::::::
>   interface: wg0
>  if address: 2001:19f0:5:5cd5::6942:17
>priority: 8 (static)
>   flags: 
>  use   mtuexpire
>   15 0 0
> 
> Everything seems fine for now, as I am also able to ping peer B from peer A!
> 
> But when I ping from any computer from outside the wireguard network 
> I don't get any pings back.
> 
> When I try to do some debugging via tcpdump on vio0 (egress interface)
> 
> (peer A)$ tcpdump -inet6 -i vio0 icmp6
> 15:23:04.918459 fe80::fc00:2ff:feee:5248 > ff02::1:ff42:6: icmp6: neighbor sol: who has 2001:19f0:5:5cd5::6942:6
> 
> (a lot of such lines)
> 
> I am not sure what is happening here.
> Is adding a route to peer B on peer A not enough?
> Am unsure how to go about getting this to work >.<
> Any help would be nice.
> 
> Thanks,
> Aisha
> 



routing ipv6 over wireguard

2020-08-25 Thread Aisha Tammy
Hi all,
  I'm having some trouble getting wireguard to work nicely.

Goal: Try to give public ipv6 addresses to my wireguard peers.

How I've tried to tackle it is by giving the ip6 to the peer and
then adding a route to the peer for the ipv6.

My vps (peer A) has ipv6 subnet - 2001:19f0:5:5cd5::0/64

And I give peer A on wg0 the address - 2001:19f0:5:5cd5::6942:6/112
Peer B has been given ipv6 - 2001:19f0:5:5cd5::6942:6/128

I've used wg-quick for now so when I try to get the route 

(peer A)$ route get 2001:19f0:5:5cd5::6942:6
   route to: 2001:19f0:5:5cd5::6942:6
destination: 2001:19f0:5:5cd5::6942:6
   mask: :::::::
  interface: wg0
 if address: 2001:19f0:5:5cd5::6942:17
   priority: 8 (static)
  flags: 
 use   mtuexpire
  15 0 0

Everything seems fine for now, as I am also able to ping peer B from peer A!

But when I ping from any computer from outside the wireguard network 
I don't get any pings back.

When I try to do some debugging via tcpdump on vio0 (egress interface)

(peer A)$ tcpdump -inet6 -i vio0 icmp6
15:23:04.918459 fe80::fc00:2ff:feee:5248 > ff02::1:ff42:6: icmp6: neighbor sol: who has 2001:19f0:5:5cd5::6942:6

(a lot of such lines)

I am not sure what is happening here.
Is adding a route to peer B on peer A not enough?
Am unsure how to go about getting this to work >.<
Any help would be nice.

Thanks,
Aisha



How do I expose wireguard peer with global static IPv6 without binat

2020-08-22 Thread Aisha Tammy





The basic question is per the subject line, filling in the details here.

I have wireguard working with each peer having ipv4 and ipv6 addresses
and all of them are able to ping each other and also to the WAN through
the central peer.

The central peer is a vultr VPS and has a /64 prefix ipv6.
What I want to do:
 - give each peer their own global ipv6/128 address
   - use case
     anyone on those peers can host their own simple services
     e.g. nextcloud, syncthing, rubywarden, etc

So currently my solution is to do a binat to each wireguard peer
by using pf binat-to

Given that one of the best uses of ipv6 is to remove NAT, I'd like to
know how to do this without using binat-to.

I'm attaching my pf and wireguard configuration files

/etc/pf.conf -
##
open_tcp="{ 80, 443 }" # 6942 is ssh port
flood_tcp="{ 6942, 42069 }"
open_udp="{ 161 }" # use 161 for wireguard

# stop bruteforce attackers that try to hug of death
table  persist
table  persist file "/etc/pf-badhost.txt"

# options for pf performance
set loginterface egress
set block-policy drop
set syncookies adaptive (start 25%, end 12%)
set skip on {lo, wg0}

block in quick on egress from 
block out quick on egress from 
block in quick on egress from 
block out quick on egress to 

block drop

pass in on wg0

pass proto icmp
pass proto icmp6

pass in on egress proto tcp from any to any port $flood_tcp \
flags S/SA keep state \
(max-src-conn-rate 1/3, \
overload  flush global)

pass in on egress proto tcp from any to any port $open_tcp
pass in on egress proto udp from any to any port $open_udp

pass out
pass out on egress inet from wg0:network to any nat-to vio0

# nat to wireguard peers
anchor "wireguard/nat"
load anchor "wireguard" from "/etc/pf.conf.anchor.wireguard"

pf.conf.anchor.wireguard -
##
anchor "nat" {
pass on egress inet6 from fc00::6942:1 to any binat-to 2001:19f0:5:5cd5::1
pass on egress inet6 from fc00::6942:2 to any binat-to 2001:19f0:5:5cd5::2
}

/etc/hostname.wg0 -
##
inet alias 10.7.0.17 255.255.255.0 10.7.0.255
inet6 alias fc00::6942:17 112
inet6 alias 2001:19f0:5:5cd5::4269 64
mtu 1420
up
!route -n add -inet6 fc00::6942:1/128 -iface fc00::6942:17
!route -n add -inet6 fc00::6942:2/128 -iface fc00::6942:17

/etc/hostname.vio0 -
##
dhcp
inet6 autoconf -autoconfprivacy -soii
inet6 alias 2001:19f0:5:5cd5::17 64
inet6 alias 2001:19f0:5:5cd5::1 64
inet6 alias 2001:19f0:5:5cd5::2 64

/etc/wireguard/bsdac-wg-central.conf (central peer file) -
##
[Interface]
PrivateKey = MCdzcLt9EZ8ej5vQTHq9Ig6UM4L3C38aXgLebLIxyGw=
#Address = 10.7.0.17/24,fc00::6942:17/112
ListenPort = 161

[Peer]
PublicKey = 
PresharedKey = 
AllowedIps = 10.7.0.1/32,fc00::6942:1/128

[Peer]
PublicKey = 
PresharedKey = 
AllowedIps = 10.7.0.2/32,fc00::6942:2/128

/etc/wireguard/bsdac-wg-peer.conf -
##
[Interface]
PrivateKey = 
Address = 10.7.0.1/32,fc00::6942:1/128
ListenPort = 161

[Peer]
# WireGuard server public key
PublicKey = 
PresharedKey = 
Endpoint = 
AllowedIPs = 10.7.0.0/24,fc00::6942:0/112
PersistentKeepalive = 25
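The "routing ipv6 over wireguard" posts above and this binat question are the same problem seen from two sides: the provider treats the whole /64 as on-link, so its router resolves every address in it with NDP, which only a node on that link (here, an address configured on vio0) can answer. This added example, not code from either thread, derives the solicited-node group seen in the quoted tcpdump line and predicts what happens to inbound traffic for a given address; the addresses are the ones quoted in the posts, and the routed prefix in the last case is a documentation-prefix placeholder.

```python
"""NDP on a connected /64 versus a routed prefix.

Added example, not code from the threads. The tcpdump line quoted in
the "routing ipv6 over wireguard" post shows the provider's router
sending a neighbor solicitation for the peer's address to
ff02::1:ff42:6. It does so because 2001:19f0:5:5cd5::/64 is on-link
from its point of view, so every address in it must answer NDP on
that link. A WireGuard peer is not on that link: the solicitation
goes unanswered and the router drops the packet before the VPS ever
sees it, whatever routes the VPS itself holds. A prefix the provider
*routes* to the VPS is forwarded without NDP for the final address.
"""
import ipaddress
import re

SOLICITED_NODE_BASE = ipaddress.IPv6Address("ff02::1:ff00:0")

# Neighbor solicitation as printed by tcpdump in the post.
NS_RE = re.compile(
    r"^\S+ (?P<src>\S+) > (?P<dst>\S+): icmp6: neighbor sol: who has (?P<target>\S+)$"
)


def solicited_node(target: str) -> ipaddress.IPv6Address:
    """RFC 4291 solicited-node multicast address: ff02::1:ff00:0/104
    with the low 24 bits of the target appended."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_BASE) | low24)


def parse_neighbor_solicitation(line: str) -> dict:
    """Extract source, destination and target from a tcpdump NS line and
    record whether the destination really is the target's solicited-node
    group (a sanity check that the capture is what it looks like)."""
    m = NS_RE.match(line.strip())
    if not m:
        raise ValueError("not a neighbor solicitation line: %r" % line)
    ns = m.groupdict()
    ns["dst_matches_target"] = (
        ipaddress.IPv6Address(ns["dst"]) == solicited_node(ns["target"])
    )
    return ns


def classify_target(target, connected, local_addrs, routed=()):
    """Predict what the provider's router does with traffic for `target`.

    connected   : prefix the provider treats as on-link (the /64 here)
    local_addrs : addresses configured on the VPS's egress interface
                  (vio0), which the VPS kernel answers NDP for
    routed      : prefixes the provider forwards to the VPS by route
    """
    t = ipaddress.IPv6Address(target)
    if any(t in ipaddress.IPv6Network(p) for p in routed):
        return "routed_to_vps"          # forwarded; no NDP for t upstream
    if t in connected:
        if t in {ipaddress.IPv6Address(a) for a in local_addrs}:
            return "answered_by_vio0"   # why binat-to to a vio0 alias works
        return "dropped_upstream"       # NS unanswered: the tcpdump symptom
    return "not_ours"


# Values quoted in the posts.
TCPDUMP_LINE = ("15:23:04.918459 fe80::fc00:2ff:feee:5248 > ff02::1:ff42:6: "
                "icmp6: neighbor sol: who has 2001:19f0:5:5cd5::6942:6")
CONNECTED_64 = ipaddress.IPv6Network("2001:19f0:5:5cd5::/64")
VIO0_ADDRS = ("2001:19f0:5:5cd5::17", "2001:19f0:5:5cd5::1", "2001:19f0:5:5cd5::2")
PEER_B = "2001:19f0:5:5cd5::6942:6"
# Placeholder (documentation prefix) for a range the provider would route to us.
ROUTED_PLACEHOLDER = "2001:db8:4269::/48"

if __name__ == "__main__":
    print(parse_neighbor_solicitation(TCPDUMP_LINE))
    print(PEER_B, classify_target(PEER_B, CONNECTED_64, VIO0_ADDRS))
    print(VIO0_ADDRS[1], classify_target(VIO0_ADDRS[1], CONNECTED_64, VIO0_ADDRS))
    print("2001:db8:4269::1", classify_target("2001:db8:4269::1", CONNECTED_64,
                                              VIO0_ADDRS, [ROUTED_PLACEHOLDER]))
```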







Re: SSL error with dovecot + roundcube

2020-07-09 Thread Aisha Tammy
OK I found the error, the error is definitely something on our side of the port
and not because of roundcube/dovecot.

When I turn peer verification off, roundcube continues and establishes the
connection.
I think that the reason for this is that roundcube needs to access the CA cert
files which are not inside the chroot /var/www/

I fixed the issue by copying the /etc/ssl/cert.pem file into the chroot
location and pointing the ca-cert config options to the proper place.

I really think this should be added to the README of the port.

I can send a diff later but hopefully the maintainer can just add a small note?

Aisha


On 7/8/20 8:57 PM, Aisha Tammy wrote:
> I'm trying to get roundcube set up on my server and every time I try to connect
> to dovecot, it gives a weird error on roundcube's side, in errors.log:
> 
> [08-Jul-2020 21:34:18 +]: <6q9plqno> IMAP Error: Login failed for ai...@aisha.cc against imap.aisha.cc from 10.7.0.1(X-Forwarded-For: 98.109.25.191). Could not connect to ssl://imap.aisha.cc:993: Unknown reason in /roundcubemail/program/lib/Roundcube/rcube_imap.php on line 200 (POST /?_task=login&_action=login)
> 
> On the interface I get:
>  Connection to storage server failed
> 
> On Dovecot's side, I get:
> Jul  8 20:28:59 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=98.109.25.191, lip=108.61.81.40, TLS handshaking: SSL_accept() failed: error:14037418:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert unknown ca: SSL alert number 48, session=
> 
> I think this might be some error with either ssl lib things in php or
> something similar.
> (An unlikelier scenario is that I have some errors with my dovecot imap ssl,
> but every other client, thunderbird/fairmail/k-9 mail are authenticating fine)
> 
> 
> Would love to get this fixed :(
> 
> Thanks
> Aisha
> 



SSL error with dovecot + roundcube

2020-07-08 Thread Aisha Tammy
I'm trying to get roundcube set up on my server and every time I try to connect
to dovecot, it gives a weird error on roundcube's side, in errors.log:

[08-Jul-2020 21:34:18 +]: <6q9plqno> IMAP Error: Login failed for ai...@aisha.cc against imap.aisha.cc from 10.7.0.1(X-Forwarded-For: 98.109.25.191). Could not connect to ssl://imap.aisha.cc:993: Unknown reason in /roundcubemail/program/lib/Roundcube/rcube_imap.php on line 200 (POST /?_task=login&_action=login)

On the interface I get:
 Connection to storage server failed

On Dovecot's side, I get:
Jul  8 20:28:59 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=98.109.25.191, lip=108.61.81.40, TLS handshaking: SSL_accept() failed: error:14037418:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert unknown ca: SSL alert number 48, session=

I think this might be some error with either ssl lib things in php or something
similar.
(An unlikelier scenario is that I have some errors with my dovecot imap ssl,
but every other client, thunderbird/fairmail/k-9 mail are authenticating fine)


Would love to get this fixed :(

Thanks
Aisha



Re: Disabling OpenBSD Login Prompt

2020-06-10 Thread Aisha Tammy
On 6/10/20 1:10 PM, Steve Williams wrote:
> On 10/06/2020 10:31 a.m., Aisha Tammy wrote:
>> On 6/10/20 10:46 AM, Steve Williams wrote:
>>> Hi,
>>>
>>> Do you have the proper ioctls to set baud rate, parity, start bits, stop 
>>> bits so that the serial port is configured correctly?
>>>
>>> What about flow control?  rts/cts, xon/xoff.
>>>
>>> Dealing with a serial port is its own art.
>>>
>> Wow, this is really interesting.
>> I'm curious, do the display managers like gdm/xdm, etc also have
>> to handle this?
>> I'm asking cuz I'm porting a display manager for linux (nothing to
>> do with openbsd, but this discussion was very related).
>> I'm in a very similar position where the simplest answer would be
>> to disable a getty at one of the tty's and start the login prompt
>> there (it's a visual prompt).
>>
>> link to display manager, if my writing wasn't clear
>> https://git.sr.ht/~kennylevinsen/greetd
>>
>> Aisha
> The baud rate, etc is only applicable to things running over serial RS-232 
> (and 422) ports.  The original poster specified it is running on "com0".
> 
> A display manager would not (typically) be talking over a serial port 
> natively.  In the old days, X might be talking over a serial port using SLIP 
> or some such technology, but that has all gone the way of the dodo bird.
> 
Cool, got it.
Thanks a lot!

Aisha

> Cheers,
> Steve W.
> 
> 
> 
>>
>>> Cheers,
>>> Steve W.
>>>
>>> On 10/06/2020 3:03 a.m., Valdrin MUJA wrote:
>>>> Hi Misc,
>>>>
>>>> I want to disable OpenBSD Login prompt at startup -and also after logging 
>>>> out-. Because I want to run my external program instead of ksh. There is 
>>>> a login prompt also in my program and I want to use it.
>>>>
>>>> I updated the /etc/ttys ;
>>>>
>>>> valdrin# cat /etc/ttys
>>>> #
>>>> #   $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $
>>>> #
>>>> # name  getty   type    status  comments
>>>> #
>>>> console "/usr/libexec/getty std.9600"   vt220   off secure
>>>> ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
>>>> ttyC1   "/usr/libexec/getty std.9600"   vt220   on  secure
>>>> ttyC2   "/usr/libexec/getty std.9600"   vt220   on  secure
>>>> ttyC3   "/usr/libexec/getty std.9600"   vt220   on  secure
>>>> ttyC4   "/usr/libexec/getty std.9600"   vt220   off secure
>>>> ttyC5   "/usr/libexec/getty std.9600"   vt220   on  secure
>>>> ttyC6   "/usr/libexec/getty std.9600"   vt220   off secure
>>>> ttyC7   "/usr/libexec/getty std.9600"   vt220   off secure
>>>> ttyC8   "/usr/libexec/getty std.9600"   vt220   off secure
>>>> ttyC9   "/usr/libexec/getty std.9600"   vt220   off secure
>>>> ttyCa   "/usr/libexec/getty std.9600"   vt220   off secure
>>>> ttyCb   "/usr/libexec/getty std.9600"   vt220   off secure
>>>> tty00   "/root/myprogram"   vt220    on secure
>>>> tty01   "/usr/libexec/getty std.9600"   unknown off
>>>> tty02   "/usr/libexec/getty std.9600"   unknown off
>>>> tty03   "/usr/libexec/getty std.9600"   unknown off
>>>> tty04   "/usr/libexec/getty std.9600"   unknown off
>>>> tty05   "/usr/libexec/getty std.9600"   unknown off
>>>> tty06   "/usr/libexec/getty std.9600"   unknown off
>>>> tty07   "/usr/libexec/getty std.9600"   unknown off
>>>>
>>>> I connected the device to the com0 port, so I updated tty00 to run my 
>>>> external program. However, the system is stuck after the date appears on 
>>>> startup.
>>>>
>>>>
>>>> starting network
>>>> reordering libraries: done.
>>>> starting early daemons: syslogd ntpd.
>>>> starting RPC daemons:.
>>>> savecore: no core dump
>>>> checking quotas: done.
>>>> clearing /tmp
>>>> kern.securelevel: 0 -> 1
>>>> creating runtime link editor directory cache.
>>>> preserving editor files.
>>>> starting network daemons: sshd.
>>>> starting local daemons: cron.
>>>> Wed Jun 10 10:27:04 +03 2020
>>>>
>>>>
>>>> Also, I tried "chsh" and "chpass", but the OpenBSD login prompt still 
>>>> appears. How can I overcome this issue?
>>>>
>>>> Thanks..
>>>>
> 



Re: Disabling OpenBSD Login Prompt

2020-06-10 Thread Aisha Tammy
On 6/10/20 10:46 AM, Steve Williams wrote:
> Hi,
> 
> Do you have the proper ioctls to set baud rate, parity, start bits, stop bits 
> so that the serial port is configured correctly?
> 
> What about flow control?  rts/cts, xon/xoff.
> 
> Dealing with a serial port is its own art.
> 
Wow, this is really interesting.
I'm curious, do the display managers like gdm/xdm, etc also have 
to handle this?
I'm asking cuz I'm porting a display manager for linux (nothing to 
do with openbsd, but this discussion was very related).
I'm in a very similar position where the simplest answer would be 
to disable a getty at one of the tty's and start the login prompt 
there (it's a visual prompt).

link to display manager, if my writing wasn't clear
https://git.sr.ht/~kennylevinsen/greetd

Aisha


> Cheers,
> Steve W.
> 
> On 10/06/2020 3:03 a.m., Valdrin MUJA wrote:
>> Hi Misc,
>>
>> I want to disable OpenBSD Login prompt at startup -and also after logging 
>> out-. Because I want to run my external program instead of ksh. There is a 
>> login prompt also in my program and I want to use it.
>>
>> I updated the /etc/ttys ;
>>
>> valdrin# cat /etc/ttys
>> #
>> #   $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $
>> #
>> # name  getty   type    status  comments
>> #
>> console "/usr/libexec/getty std.9600"   vt220   off secure
>> ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
>> ttyC1   "/usr/libexec/getty std.9600"   vt220   on  secure
>> ttyC2   "/usr/libexec/getty std.9600"   vt220   on  secure
>> ttyC3   "/usr/libexec/getty std.9600"   vt220   on  secure
>> ttyC4   "/usr/libexec/getty std.9600"   vt220   off secure
>> ttyC5   "/usr/libexec/getty std.9600"   vt220   on  secure
>> ttyC6   "/usr/libexec/getty std.9600"   vt220   off secure
>> ttyC7   "/usr/libexec/getty std.9600"   vt220   off secure
>> ttyC8   "/usr/libexec/getty std.9600"   vt220   off secure
>> ttyC9   "/usr/libexec/getty std.9600"   vt220   off secure
>> ttyCa   "/usr/libexec/getty std.9600"   vt220   off secure
>> ttyCb   "/usr/libexec/getty std.9600"   vt220   off secure
>> tty00   "/root/myprogram"   vt220    on secure
>> tty01   "/usr/libexec/getty std.9600"   unknown off
>> tty02   "/usr/libexec/getty std.9600"   unknown off
>> tty03   "/usr/libexec/getty std.9600"   unknown off
>> tty04   "/usr/libexec/getty std.9600"   unknown off
>> tty05   "/usr/libexec/getty std.9600"   unknown off
>> tty06   "/usr/libexec/getty std.9600"   unknown off
>> tty07   "/usr/libexec/getty std.9600"   unknown off
>>
>> I connected the device to the com0 port, so I updated tty00 to run my 
>> external program. However, the system is stuck after the date appears on startup.
>>
>>
>> starting network
>> reordering libraries: done.
>> starting early daemons: syslogd ntpd.
>> starting RPC daemons:.
>> savecore: no core dump
>> checking quotas: done.
>> clearing /tmp
>> kern.securelevel: 0 -> 1
>> creating runtime link editor directory cache.
>> preserving editor files.
>> starting network daemons: sshd.
>> starting local daemons: cron.
>> Wed Jun 10 10:27:04 +03 2020
>>
>>
>> Also, I tried "chsh" and "chpass", but the OpenBSD login prompt still 
>> appears. How can I overcome this issue?
>>
>> Thanks..
>>
> 
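Steve's question above (baud rate, parity, stop bits, flow control) is the part a program that replaces getty on a serial line has to do for itself before it can show its own login prompt. The following C is an added example, not code from this thread or from OpenBSD: it builds the termios settings for a raw 8-bit login line and applies them to the device. The enum and function names are mine; /dev/tty00 is taken from the tty00 entry in the /etc/ttys above.

```c
/* Added example: configure a serial tty the way a getty replacement must
 * before printing a login prompt on it.  Not from the thread or from OpenBSD. */
#define _DEFAULT_SOURCE          /* exposes CRTSCTS on glibc/musl */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

enum parity { PARITY_NONE, PARITY_EVEN, PARITY_ODD };
enum flow   { FLOW_NONE, FLOW_RTSCTS, FLOW_XONXOFF };

/*
 * Fill *t with settings for a raw 8-bit line: no echo, line editing or
 * signal characters (the prompt program does its own input handling),
 * receiver enabled, modem-control lines ignored.  Returns 0, or -1 with
 * errno set to EINVAL for a combination this build cannot express.
 */
int
serial_settings(struct termios *t, speed_t baud, enum parity p, int stop_bits,
    enum flow f)
{
	/* Raw mode by hand (what cfmakeraw(3) does on the BSDs and glibc). */
	t->c_iflag &= ~(IGNBRK | BRKINT | PARMRK | ISTRIP | INLCR | IGNCR |
	    ICRNL | IXON | IXOFF | IXANY);
	t->c_oflag &= ~OPOST;
	t->c_lflag &= ~(ECHO | ECHONL | ICANON | ISIG | IEXTEN);
	t->c_cflag &= ~(CSIZE | PARENB | PARODD | CSTOPB);
	t->c_cflag |= CS8 | CLOCAL | CREAD;

	if (cfsetispeed(t, baud) < 0 || cfsetospeed(t, baud) < 0)
		return -1;               /* errno left from cfset*speed */

	switch (p) {
	case PARITY_NONE: break;
	case PARITY_EVEN: t->c_cflag |= PARENB; break;
	case PARITY_ODD:  t->c_cflag |= PARENB | PARODD; break;
	default: errno = EINVAL; return -1;
	}
	if (stop_bits == 2)
		t->c_cflag |= CSTOPB;
	else if (stop_bits != 1) {
		errno = EINVAL;
		return -1;
	}
	switch (f) {
	case FLOW_NONE:
		break;
	case FLOW_RTSCTS:                /* hardware handshake on RTS/CTS */
#ifdef CRTSCTS
		t->c_cflag |= CRTSCTS;
		break;
#else
		errno = EINVAL;
		return -1;
#endif
	case FLOW_XONXOFF:               /* in-band ^S/^Q handshake */
		t->c_iflag |= IXON | IXOFF;
		break;
	default:
		errno = EINVAL;
		return -1;
	}
	t->c_cc[VMIN] = 1;               /* block until one byte arrives */
	t->c_cc[VTIME] = 0;              /* no inter-byte timer */
	return 0;
}

/*
 * Open the line and apply the settings.  Opened without O_NOCTTY so that a
 * caller that is a session leader acquires it as its controlling terminal,
 * which a login-prompt program wants.  Returns the fd, or -1 with errno set.
 */
int
open_serial_line(const char *path, speed_t baud, enum parity p, int stop_bits,
    enum flow f)
{
	struct termios t;
	int fd = open(path, O_RDWR);

	if (fd < 0)
		return -1;
	if (tcgetattr(fd, &t) < 0 ||
	    serial_settings(&t, baud, p, stop_bits, f) < 0 ||
	    tcflush(fd, TCIOFLUSH) < 0 ||
	    tcsetattr(fd, TCSANOW, &t) < 0) {
		int saved = errno;
		close(fd);
		errno = saved;
		return -1;
	}
	return fd;
}

int
main(void)
{
	/* /dev/tty00 is com0 on OpenBSD, the entry changed in the /etc/ttys above. */
	int fd = open_serial_line("/dev/tty00", B9600, PARITY_NONE, 1, FLOW_NONE);
	const char prompt[] = "\r\nlogin: ";

	if (fd < 0) {
		perror("open_serial_line");
		return 1;
	}
	write(fd, prompt, sizeof prompt - 1);   /* the program's own prompt goes here */
	close(fd);
	return 0;
}
```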



LDAP database choice

2020-05-20 Thread Aisha Tammy
Hi all,
  Is there any particular reason why ldapd has its own version of btree.c
instead of using the db.h standard btree?

Aisha



Re: fde nightmare

2020-05-15 Thread Aisha Tammy
On 5/15/20 5:00 AM, fossfo...@unixism.xyz wrote:
> Well as it turns out, my key was intact :)
> 
> As it turns out, my passphrase didn't actually change at all, and
> every time I tried to enter it, I was in dvorak mode, where I typed
> it in qwerty originally.  This will doubtlessly be my embarrassment
> of the year, but it does feel like a mountain has been lifted from
> my shoulders.
> 
> Phew.  Fossforus
> 

I'm really glad for you :)

Aisha (epsilonKNOT)



Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

2020-05-09 Thread Aisha Tammy
On 5/8/20 3:16 PM, Martin wrote:
> Which 'quantum' resistant algorithms can be used right now to prevent data 
> decryption in future by 'quantum' computers (when they can do this) of 
> currently collected data flows?
this is so dumb.
worry about this when there are computers which can actually add two numbers 
quantoonly.

aisha

> 
> Martin
> 



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-08 Thread Aisha Tammy
On 5/7/20 7:02 PM, Aaron Mason wrote:
> On Fri, May 8, 2020 at 2:30 AM jeanfrancois  wrote:
>>
>> As long as there's no material published it's worth just any other word.
>>
> 
> To quote Douglas Adams on whether you can trust people on the
> internet, "of course not, it's just people talking".
> 


wait a minute. you are on the internet, I am on the internet.
I CAN'T TRUST ANYONE. MY LIFE IS FALLING APART.
but then I shouldn't trust what you said too.
Ah, okok, I'll not trust what you said
*promptly goes to the nearest zebra crossing to get killed*

(sorry I just had to)



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-07 Thread Aisha Tammy
On 5/7/20 11:11 AM, Kevin Chadwick wrote:
> On 2020-05-07 14:10, Consus wrote:
>> On Thu, May 07, 2020 at 04:00:15PM +0200, i...@aulix.com wrote:
>>> Dear OpenBSD fans,
>>>
>>> Can you please comment negative appraisal from the following website:
>>>
>>> https://isopenbsdsecu.re/quotes/
>>>
>>> I did not want to hurt anyone, just looking for a secure OS and
>>> OpenBSD looked very nice to me before I have found this website.
>>
> 
> Perhaps you could cite which part as the parts I read should seem without 
> merit to anybody?
> 
>> The fun thing to do: offer $50k rewards for code execution
>> vulnerabilities and wait for results.
>>
> 
> "Apple has lately been slapping proprietary mitigations around like there’s no
> tomorrow. But thing is, mitigations are often delicate creatures, with rather
> fragile assumptions. Having too many of them in one place can easily make them
> break one another, as happened here with execute-only memory vs PAN."
> 
> I am sure that examples of mitigations leveraging and protecting each other, 
> or an exploit failing because of multiple mitigations is far more common than 
> them hurting each other.
> 
> "I put a lot more faith in privilege separation and reduction than in all the
> mitigations. I’d be really impressed by a move to a safe language… most 
> everyone is late to that party, so it’s a chance for someone to pull ahead if 
> they wanted bragging rights"
> 
> I wouldn't want to read an OS written in Rust and I would love to see secure
> developments in C even if it hampers potential performance. Things like Go are
> not suitable for an OS with many small programs.
> 
Curious about why... though admittedly I have never written or read rust in 
great detail.
Genuinely curious why, I thought it was supposed to be pretty nice with thread 
safety and all that jazz.

> Also, OpenBSD is one of the pioneers of privilege separation and most Go
> programs are not privilege separated at all.
> 
> I quickly lost interest, sorry. IMO, the main thing that causes exploitations 
> is carelessness. OpenBSD cares and is careful!
> 

Aisha



Re: wireguard on i386

2020-05-06 Thread Aisha Tammy
On 5/6/20 12:22 PM, Stuart Henderson wrote:
> On 2020-05-06, infoomatic  wrote:
>> Hi,
>>
>> I realized wireguard is not available as binary package for i386. Since
>> this is my only 32bit machine I would setup 32bit VM to build the
>> package. Is it possible to compile it from ports for 32bit? (or is the
>> missing package a sign that it's not available for 32bit architecture?)
> 
> Use wiresep, wireguard-go does not build on i386 (but even on archs
> where both are available, wiresep has several advantages).
> 
> 
Ooof, seems like the change for removing ONLY_FOR_ARCHS had to be rolled back.
Very unfortunate :(



Re: wireguard on i386

2020-05-06 Thread Aisha Tammy
On 5/6/20 9:58 AM, infoomatic wrote:
> Hi,
> 
> I realized wireguard is not available as binary package for i386. Since
> this is my only 32bit machine I would setup 32bit VM to build the
> package.
There are two packages wireguard-tools and wireguard-go

Both have been recently updated to work on all platforms, if you are running
-current you should have them available. I don't think they have been backported
to 6.6

> Is it possible to compile it from ports for 32bit? (or is the
> missing package a sign that it's not available for 32bit architecture?)
> 
Yes, both of them can be compiled manually, take a look at the Makefile[1]
to see what the build-time dependencies are.
> thanks,
> 
> infoomatic
> 

[1]https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/wireguard-go/



Re: Sound is good on OpenBSD

2020-04-28 Thread Aisha Tammy


On 4/28/20 9:22 AM, David Demelier wrote:
> On 28/04/2020 at 14:01, Yury Grebenkin wrote:
>> OpenBSD gives a better sound experience on my machine than several
>> Linux distributions I have used and FreeBSD. Just want to say thank
>> you to all the people involved and state the fact that OpenBSD does
>> make a difference.
> 
> The audio stack is definitely better as we have the clean and simple sndio 
> interface while Linux has to deal with ALSA, Jack, PulseAudio and maybe 
> pipewire at some point.

jack is there on openbsd right. Does it provide considerably more benefits?

> 
> That said, I personally have stuttering when playing music on OpenBSD and 
> doing some CPU “intensive” tasks like many firefox tabs opened. I'd be glad 
> to see if it works better for you and if you tweak the system to avoid that.
> 



Re: Porting Jitsi to OpenBSD

2020-04-24 Thread Aisha Tammy
based af
will do

On 4/24/20 8:36 AM, Daniel Jakots wrote:
> On Fri, 24 Apr 2020 08:25:51 -0400, Aisha Tammy 
> wrote:
> 
>> Hey all,
>> I'm hoping to port jitsi and wanted to know if anyone else is already
>> working on a port so that I don't do work that might be unnecessary.
> 
> 
> This kind of email should go on ports@.
> Since misc@ has a very low SNR [1] don't assume anyone seriously
> working on OpenBSD is actually reading this particular mailing-list.
> 
> [1]: https://en.wikipedia.org/wiki/Signal-to-noise_ratio
> 
> Cheers,
> Daniel
> 



Porting Jitsi to OpenBSD

2020-04-24 Thread Aisha Tammy
Hey all,
I'm hoping to port jitsi and wanted to know if anyone else is already working 
on a port so that I don't do work that might be unnecessary.

Cheers,
Aisha



Re: Comments in source code

2020-04-23 Thread Aisha Tammy
Thanks a lot for responding, I've had some food so am feeling a lot less
frustrated :D

On 4/23/20 12:10 PM, Stuart Henderson wrote:
> 
> It's often considered better if code is clear enough to stand by itself,
> keeping comments for the less common cases which can't be figured out
> from reading the code. And that way you aren't at risk of assuming

But like, not all code is simple enough to understand by just reading it.
Comments can do more than just explain api, they can help explain 
how the code itself is working.
I have been reading diff, sdiff diff3 and other string algorithms to understand
how to make it as fast as their GNU counterparts and they are not the simplest 
to read, even when knowing the actual string algorithms pretty well.

> something which is implied by the comment but isn't actually in the code
> (either never was, or the code changed but the comment didn't keep up).
> 

And about comments being left behind in code changing, I feel like that is 
easily changed by people making sure that they also read comments while coding. 
I don't think that is a good enough excuse about not commenting.

> If you aren't already, you should be looking at commit messages from
> where the relevant code was touched. That is often where you'll find the
> explanations you seek.
> 
I have been reading them, commit messages don't explain algorithms very clearly.
I agree this is a very specific use case but definitely something that could be 
improved.
Some of the things I've been considering useful (in this specific scenario for 
diff3):
- explanation for merge function, what it does
- in merge function, explain how empty for loop is used, as this is a very big 
  loop with a lot of cases

IMO, any function with a lot of cases should have a small explanation about 
what it is doing, so the code is a lot more lit.

Cheers,
Aisha



Comments in source code

2020-04-23 Thread Aisha Tammy
Hey devs and all,
  I'm kind of new to OpenBSD, only working on ports so far so take 
what I say with chill.
I've been reading the source code in GIT and felt a real lack of comments
explaining what the code is doing. Is this something encouraged in obsd?
I would really like to have something more than super condensed one line
explanations like in style(9).

Just wanted to express my frustration and also to ask if there is any
better way to understand how the code is working? I feel like this
would deter a lot of new contributors, me included. 

Hopefully I don't sound too negative. I'm willing to send patches which
just add comments and explanations, if there is any interest from the devs.

Best,
Aisha



Re: Wine for OpenBSD?

2020-04-11 Thread Aisha Tammy
wooosh

wine is not there on openbsd 
its not going to be there on openbsd

reasons are too long for me to write this early in the morning, plz google-fu them

On 4/11/20 8:32 AM, Nikita Stepanov wrote:
> I mean 
> https://en.m.wikipedia.org/wiki/Wine_(software)
> 18:30, 11 April 2020, Peter Nicolai Mathias Hansteen:
> 
> 
> 
> On 11 Apr 2020 at 12:15, Nikita Stepanov wrote:
> 
> Wine for OpenBSD?
> 
> 
> 
>   Oh, OpenBSD goes well with most kinds of wine, just don’t overdo
>   it. Same with beer, liquors as always.
> 
>   All the best,
> 
>   —
>   Peter N. M. Hansteen, member of the first RFC 1149 implementation
>   team
>   http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
>   "Remember to set the evil bit on all malicious network traffic"
>   delilah spamd[29949]: 85.152.224.147: disconnected after 42673
>   seconds.
> 



Re: Contributing to spamd

2020-04-03 Thread Aisha Tammy
Oh that is really good to hear :)
Thanks a lot phessler!

Here is to hoping it can be included in the next release.

Thanks a lot again,
Aisha

On 4/3/20 12:28 PM, Denis Fondras wrote:
> On Fri, Apr 03, 2020 at 08:54:22AM -0400, Aisha Tammy wrote:
>> Hi devs and all,
>>   I have been using spamd for quite a while and have been loving it.
>> I've seen that spamd currently only supports ipv4 and have been
>> wondering if it was possible to extend it to ipv6. I know that workforce
>> is always limited so I wanted to know if there is any way to contribute
>> help towards this :)
>> I admit I'm not the most knowledgeable about ipv6 so I was wondering if
>> there is any small place to start to contribute to spamd and build up
>> from there.
>> Hoping for some positive response.
>>
>> Thanks a lot for your work and hope you are safe,
>> Aisha
>>
> 
> phessler@ did almost all the work. There is still one issue, so it did not get
> in.
> 



Re: Contributing to spamd

2020-04-03 Thread Aisha Tammy
Thanks a lot Ingo.
I'm currently looking through spamd.c and trying to learn.
I'm way too far behind to send any patches yet, lol.
I'll slowly work to it.

Much appreciated,
Aisha

On 4/3/20 9:40 AM, Ingo Schwarze wrote:
> Hi Aisha,
> 
> Aisha Tammy wrote on Fri, Apr 03, 2020 at 08:54:22AM -0400:
> 
>>   I have been using spamd for quite a while and have been loving it.
>> I've seen that spamd currently only supports ipv4 and have been
>> wondering if it was possible to extend it to ipv6. I know that workforce
>> is always limited so I wanted to know if there is any way to contribute
>> help towards this :)
> 
> The way to contribute to OpenBSD is by sending patches - ideally
> small, incremental patches that work and are well tested, but when
> you get stuck, you can also send something like: "I hope to do
> FOOBAR, and here is what i have so far; the FOO part already seems
> to work in my preliminary testing, but i have doubts whether my
> approach to the BAR part is ideal.  Feedback is welcome."
> 
>> I admit I'm not the most knowledgeable about ipv6 so I was wondering if
>> there is any small place to start to contribute to spamd and build up
>> from there.
>> Hoping for some positive response.
> 
> Being able to learn on your own is among the key qualifications
> required to contribute to OpenBSD.  Learning by doing is recommended:
> First find an issue you would like to fix.  Good judgement of your
> own abilities is essential here: don't pick a task so much over
> your head that you have no chance of ever getting it done.  Picking
> something *slightly* more difficult than what you have experience
> with may be OK if you are willing to learn and can tolerate the
> frustration that unavoidably comes with the first try likely not
> being good enough for commit yet.  Then again, getting used to the
> the processes of sending patches, receiving feeback, and improving
> and re-sending the patches such that they get ready for commit may
> also require some effort, so it is not a bad idea to start with
> tasks you are absolutely sure you can easily manage, until you get
> used to the processes, then progress to more difficult stuff in order
> to learn and grow.
> 
> When asking questions, be as specific as possible, ideally showing
> specific patches or specific sequences of commands and asking
> specific questions about them.
> 
> Avoid questions similar to "what should i do" or "where should i
> start" or "is there a todo list".  That depends on what you are
> interested in and what your abilities are, and you need to know
> that yourself, no one else who doesn't know you personally can help
> you with that.
> 
> Sorry that i can't give you specifics about spamd(8), but your
> question wasn't very specific anyway.  In general, seamless IPv6
> support is welcome in OpenBSD, but i'm not sure about the requirements
> of spamd(8) in particular since i never used it nor worked on it.
> 
> Yours,
>   Ingo
> 



Contributing to spamd

2020-04-03 Thread Aisha Tammy
Hi devs and all,
  I have been using spamd for quite a while and have been loving it.
I've seen that spamd currently only supports ipv4 and have been
wondering if it was possible to extend it to ipv6. I know that workforce
is always limited so I wanted to know if there is any way to contribute
help towards this :)
I admit I'm not the most knowledgeable about ipv6 so I was wondering if
there is any small place to start to contribute to spamd and build up
from there.
Hoping for some positive response.

Thanks a lot for your work and hope you are safe,
Aisha



Re: High CPU usage with docker on alpine linux vmm

2020-02-25 Thread aisha
It doesn't seem like adding apmd and changing to 2000Hz made any difference.

tsc is still unstable and containerd is still using >70% CPU.

Hoping that vmd/vmm can soon run linux systems.

Thanks a lot for the work so far.

---
Aisha
blog.aisha.cc

On 2020-02-25 02:26, Mike Larkin wrote:

On Mon, Feb 24, 2020 at 09:56:31PM -0500, aisha wrote:

Hi all,

 I am running obsd -current and was trying to get alpine vmm to work, more
specifically to learn docker.

I'm noticing a very high CPU usage when I get docker running, which is
without any containers

Steps to reproduce:

1) Install alpine in a vmm

2) Install docker and start (first need to enable community repo)

apk add docker

rc-service docker start

Expected: Docker starts, life goes on

Reality:  Docker starts, CPU usage in vmm goes to ~75-90%, containerd is
using all the memory. Also, tsc is marked as unstable in dmesg for alpine


[ 0.00] tsc: Fast TSC calibration failed
[ 0.03] tsc: Using PIT calibration value
[ 0.03] tsc: Detected 18090.273 MHz processor
[ 0.02] clocksource: tsc-early: mask: 0x max_cycles: 0x104c2d0d539a, max_idle_ns: 440795933422 ns
[ 0.311645] clocksource: Switched to clocksource tsc-early
[ 0.510259] clocksource: timekeeping watchdog on CPU0: Marking clocksource 'tsc-early' as unstable because the skew is too large:
[ 0.510259] clocksource: 'tsc-early' cs_now: 5174087c0cc cs_last: 516d7de6c74 mask: 
[ 0.510259] tsc: Marking TSC unstable due to clocksource watchdog
[ 0.510654] TSC found unstable after boot, most likely due to broken BIOS. Use 'tsc=unstable'.

This is a pretty crippling bug, as I am unable to do a lot more things on my
VM or on my actual machine, given that my plan was to run multiple VMs,
which has now been lost in the midst of clock errors and syncings.

Would love to know how anyone has managed to get this to work.



You might try a 2000HZ host machine and also force apm -H before running VMs.


For HZ, see param.c

-ml



Cheers,
Aisha



High CPU usage with docker on alpine linux vmm

2020-02-24 Thread aisha

Hi all,

 I am running obsd -current and was trying to get alpine vmm to work, 
more specifically to learn docker.


I'm noticing a very high CPU usage when I get docker running, which is 
without any containers


Steps to reproduce:

1) Install alpine in a vmm

2) Install docker and start (first need to enable community repo)

apk add docker

rc-service docker start

Expected: Docker starts, life goes on

Reality:  Docker starts, CPU usage in vmm goes to ~75-90%, containerd is 
using all the memory. Also, tsc is marked as unstable in dmesg for 
alpine


[ 0.00] tsc: Fast TSC calibration failed
[ 0.03] tsc: Using PIT calibration value
[ 0.03] tsc: Detected 18090.273 MHz processor
[ 0.02] clocksource: tsc-early: mask: 0x max_cycles: 0x104c2d0d539a, max_idle_ns: 440795933422 ns
[ 0.311645] clocksource: Switched to clocksource tsc-early
[ 0.510259] clocksource: timekeeping watchdog on CPU0: Marking clocksource 'tsc-early' as unstable because the skew is too large:
[ 0.510259] clocksource: 'tsc-early' cs_now: 5174087c0cc cs_last: 516d7de6c74 mask: 
[ 0.510259] tsc: Marking TSC unstable due to clocksource watchdog
[ 0.510654] TSC found unstable after boot, most likely due to broken BIOS. Use 'tsc=unstable'.


This is a pretty crippling bug, as I am unable to do a lot more things 
on my VM or on my actual machine, given that my plan was to run multiple 
VMs, which has now been lost in the midst of clock errors and syncings.


Would love to know how anyone has managed to get this to work.


Cheers,
Aisha


OpenBSD 6.6-current (GENERIC.MP) #653: Thu Feb 20 21:40:37 MST 2020
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34059407360 (32481MB)
avail mem = 33014579200 (31485MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb500 (59 entries)
bios0: vendor Intel Corp. version "S1200RP.86B.03.03.0003.121820151104" date 12/18/2015
bios0: Intel Corporation S1200RP
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S1 S3 S5
acpi0: tables DSDT FACP APIC SPMI FPDT MCFG WDDT HPET SSDT BOOT SSDT SSDT SSDT SSDT SSDT SSDT DMAR HEST BERT ERST EINJ
acpi0: wakeup devices PEG0(S3) PEGP(S3) PEG1(S3) PEGP(S3) PEG2(S3) PEGP(S3) RP01(S3) PXSX(S3) RP02(S3) PXSX(S3) RP03(S3) PXSX(S3) RP04(S3) PXSX(S3) RP05(S3) PXSX(S3) [...]

acpitimer0 at acpi0: 3579545 Hz, 24 bits
Re: rspamd stop rc script doesn't work in OpenBSD 6.6

2020-02-09 Thread aisha
You need to use pkill -9 to kill rspamd, which I think should be added
to the stop part of the rspamd daemon.


At least this is what I have been using; any other methods would be nice
to know.


---
Aisha
blog.aisha.cc

On 2020-02-09 14:38, Özgür Kazancci wrote:

Hi Stephan,

I got the same trouble. Fresh installation of OpenBSD 6.6 and
redis+rspamd. Was google-ing regarding that issue and got your
workaround.

What do you mean by "if you enable rspamd etc on boot by rcctl.."? Mine
is already enabled (I issued rcctl enable rspamd after the
installation)

Thank you,
Ozgur.



On 29/10/2019 23:44, List wrote:

Hi,
I am myself running a MX that uses rspamd + postfix.
I did have the same issue. Especially when running rspamd and adding
redis to the setup.
I think what causes the problem is rspamd, which uses JITs. These JITs
break W^X. If you enable rspamd etc. on boot (rcctl enable ...) and
reboot, everything works fine. At least it did for me.
Don't hesitate to ask.

Kind regards,
Stephan




Re: updating calibre port

2020-02-02 Thread aisha

So while crawling the interwebs I found something similar:

https://github.com/janeczku/calibre-web

Would love to see anyone's thoughts on this.

Going to install this and see.

---
Aisha
blog.aisha.cc

On 2020-02-01 20:30, Stuart Henderson wrote:

On 2020-02-01, aisha wrote:

Hi all,

  I had a request for updating the calibre port to the newer versions as
I am running a small calibre library server.

Thanks a lot!



It's not likely to happen anytime soon. Updating to new calibre,
including all the required dependencies (which includes updating Qt and
py-qt5 and porting qtwebengine) is probably several weeks worth of
full-time work for an experienced porter.




updating calibre port

2020-02-01 Thread aisha
Hi all, 


 I had a request for updating the calibre port to the newer versions as
I am running a small calibre library server. 


Thanks a lot!

--
Aisha
blog.aisha.cc


Re: How did it happen?

2020-01-31 Thread aisha

Really great article.
Was very fun to read.

And again thanks for your work on osmtpd, I am actually sending from a
server set up from your poolp post :D


Sucks about the bug, but logic errors are the wurst.

Take care.

---
Aisha
blog.aisha.cc

On 2020-01-31 13:48, gil...@poolp.org wrote:

January 30, 2020 4:44 PM, gil...@poolp.org wrote:


It depends on your configuration, not all setups are vulnerable.

I think I recall your name from the comments on my tutorial and this is a
setup that would not be vulnerable for example. The bug still exists, but
it can't be used to exploit the same code path.

You should update, this is not something you want to rely on.

I'm writing a _very_ detailed post-mortem which will go into the details,
I just want to give it a few days to make sure it is as informative as it
should be.




As promised, I have written a (too much ?) detailed write-up about the
recent event:

https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/

Hope it clarifies what happened and plans for the future.

Gilles




Re: FreeBSD daemon(8)-like command for OpenBSD

2020-01-27 Thread aisha

I generally do this on a user level with some editors like emacs,
cuz I run spacemacs which is prone to crashes, cuz of over 9000 plugins

Small improvement: Keep a PID file, along with pgrep, because of 
multiple emacs-server instances


It has worked a bit better than simple pgrep

If anyone has any improvements, would love to know.

---
Aisha
blog.aisha.cc

On 2020-01-27 18:21, dagricha...@speakeasy.net wrote:

Irresponsible people like myself have been known to put cron jobs in
place to look for, and if necessary restart crashy daemons.

This could be referred to as a kludge, though many would argue that is too
mild an aspersion to cast upon it.


PID=`pgrep gloob`
# no gloob process found: start it again
if [ -z "$PID" ]; then
    /usr/local/bin/gloob -f poor_security_a_bad_idea_to_run.conf
fi


Dag H. Richards - Distinguished Dunning-Kruger Fellow 2020 

as seen on unixadminsgonewild.com
 



On Mon, 27 Jan 2020 22:41:00 +0100, Ingo Schwarze wrote:


Hi Patrick,

Patrick Kristiansen wrote on Mon, Jan 27, 2020 at 08:13:28PM +0100:


Is there something like the FreeBSD daemon(8) command for OpenBSD,
which can run a process in the background and restart it if it
crashes?


Absolutely not, we are strongly convinced this is an utterly stupid
idea and a serious security risk.

If a daemon crashes, it has a bug. Many bugs that cause crashes
are also exploitable. So if a daemon crashes, you first have to
understand why it crashed, fix or at least mitigate the bug, and
can only restart it afterwards.

Restarting it automatically is an irresponsible thing to do.

If a daemon keeps crashing so frequently that you can only run it
in production with automatic restarts, then running it at all is
irresponsible in the first place.

Yours,
Ingo
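An added example, written for this thread and not code from aisha, Dag or Ingo: the PID-file-plus-process-check aisha describes, as a POSIX sh function that tells a live daemon apart from a stale PID file and from a crashed one. It reads /proc (Linux) or ps(1) (BSD) in place of pgrep so it runs on either; the script and function names are mine.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: a liveness check that
# combines a PID file with a process-name lookup, as aisha suggests above.
# A bare PID file lies once its PID is reused by an unrelated process; a bare
# pgrep lies when several same-named instances (emacs-server) are running.
# Uses /proc (Linux) or ps(1) (BSD) instead of pgrep so it is portable.

# proc_name PID -> prints the executable name of PID, empty if none
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -p "$1" -o comm= 2>/dev/null | sed 's:.*/::'
    fi
}

# daemon_status NAME PIDFILE
#   returns 0: the PID recorded in PIDFILE is alive and is an instance of NAME
#           1: no usable PID file, or the process is gone (crashed/not started)
#           2: PID file is stale: the PID now belongs to some other program
# Run it as root or as the daemon's user: kill -0 fails with EPERM on a
# process owned by someone else, which would be reported as "gone".
daemon_status() {
    name=$1
    pidfile=$2
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    # kill -0 only proves that *some* process owns this PID ...
    kill -0 "$pid" 2>/dev/null || return 1
    # ... so also confirm that it is the program we recorded.
    [ "$(proc_name "$pid")" = "$name" ] && return 0
    return 2
}

# Usage: sh daemon_status.sh NAME PIDFILE  (constructed script name)
if [ $# -eq 2 ]; then
    daemon_status "$1" "$2"
    echo "$1: status $?"
fi
```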





Re: for those looking for hardware to build an OBSD router/firewall

2020-01-26 Thread aisha
I'm not sure why this would be better than just buying an old intel/AMD 
machine and adding an extra NIC to it?
It won't be the prettiest looking machine but will definitely get the 
job done.


---
Aisha
blog.aisha.cc

On 2020-01-24 04:52, myml...@gmx.com wrote:

Hi All,

I've been looking for hardware to replace my 15 year old i386 pc based
openbsd firewall with 6 interfaces with something smaller and with less
power draw for a while, a long while..:).

I researched and saw things from lanner, axiomtek and portwell, but they
were mad expensive.

I have seen lots of other recommendations for ubiquiti, netgate, APU and
soekris etc, all with less than desirable specs.

I found this protectli, 6 port intel based device. (wish they had an
8/10/12 port like ubiquiti)  https://protectli.com/product/fw6c/ It
works flawlessly with openbsd... Diving in a little bit deeper, I found
that this thing is a rebranded Chinese product by a company called
yanling.

I bought from the US company because I'm not familiar with alibaba and
the delivery time.

You can get the same device here
https://www.alibaba.com/product-detail/Yanling-7th-i5-7200u-Dual-Core_60781226010.html?spm=a2700.galleryofferlist.0.0.245b478f2nsJ3S
for 250 less.

ps. they also have options with lesser cpus and less interfaces for much
cheaper!

Here's the dmesg:

