Re: OpenSMTPD + rspamd to sign mail.

2021-08-12 Thread latincom
> On 8/12/21 5:09 AM, latin...@vcn.bc.ca wrote:
>> Hello
>>
>> After:
>> # pkg_add redis rspamd opensmtpd-filter-rspamd successfully
>>
>> i got:
>> # rcctl start rspamd
>> rspamd(failed)
>>
>> then I did:
>> # rspamd -d
>> 2021-08-12 09:23:41 #0(main) ; main; detect_priv: cannot run
>> rspamd workers as root user, please add -u and -g options to select a
>> proper unprivilleged user or specify --insecure flag
>>
>> How to interpret it please?
>>
>> I did # chown R spamd:_rspamd /etc/mail/dkim but it fails, then i did
>> # chown -R root:_spamd /etc/mail/dkim and it worked; anyway i suppose i
>> should do rspamd:_rspamd to change -u and -g
>>
>> thanks for your attention.
>>
> What is the contents of your /etc/rc.d/rspamd file? It should include
> lines like:
>
>     daemon="/usr/local/bin/rspamd"
>     daemon_flags="-u _rspamd -g _rspamd"


#!/bin/ksh
#
# $OpenBSD: rspamd.rc,v 1.4 2019/10/29 22:50:14 sthen Exp $

daemon="/usr/local/bin/rspamd"
daemon_flags="-u _rspamd -g _rspamd"

. /etc/rc.d/rc.subr

pexp="rspamd: main process.*"

rc_pre() {
	install -d /var/run/rspamd
}

rc_cmd $1


>
> Also, did you remember to enable the service with "rcctl enable rspamd"
>

Yes, i did it:

rcctl enable redis
rcctl enable rspamd

rcctl start redis
rcctl start rspamd

Thanks for responding.



Re: OpenSMTPD + rspamd to sign mail.

2021-08-12 Thread Chris Eidem

On 8/12/21 5:09 AM, latin...@vcn.bc.ca wrote:

> Hello
>
> After:
> # pkg_add redis rspamd opensmtpd-filter-rspamd successfully
>
> i got:
> # rcctl start rspamd
> rspamd(failed)
>
> then I did:
> # rspamd -d
> 2021-08-12 09:23:41 #0(main) ; main; detect_priv: cannot run
> rspamd workers as root user, please add -u and -g options to select a
> proper unprivilleged user or specify --insecure flag
>
> How to interpret it please?
>
> I did # chown R spamd:_rspamd /etc/mail/dkim but it fails, then i did
>   # chown -R root:_spamd /etc/mail/dkim and it worked; anyway i suppose i
> should do  rspamd:_rspamd to change -u and -g
>
> thanks for your attention.

What is the contents of your /etc/rc.d/rspamd file? It should include 
lines like:


   daemon="/usr/local/bin/rspamd"
   daemon_flags="-u _rspamd -g _rspamd"

Also, did you remember to enable the service with "rcctl enable rspamd"



OpenSMTPD + rspamd to sign mail.

2021-08-12 Thread latincom
Hello

After:
# pkg_add redis rspamd opensmtpd-filter-rspamd successfully

i got:
# rcctl start rspamd
rspamd(failed)

then I did:
# rspamd -d
2021-08-12 09:23:41 #0(main) ; main; detect_priv: cannot run
rspamd workers as root user, please add -u and -g options to select a
proper unprivilleged user or specify --insecure flag

How to interpret it please?

I did # chown R spamd:_rspamd /etc/mail/dkim but it fails, then i did
 # chown -R root:_spamd /etc/mail/dkim and it worked; anyway i suppose i
should do  rspamd:_rspamd to change -u and -g

thanks for your attention.



[patch] use acme-client to sign certificated with ecdsa keys

2019-05-22 Thread Renaud Allard

Hello,

This is a short patch to let acme-client accept ECDSA keys now that 
letsencrypt accepts signing certificates with those keys. This 
functionality is present in certbot, so it might be a good idea to let 
acme-client accept that too.

The key needs to be generated manually
i.e.: openssl ecparam -genkey -name secp384r1 -out privkey.pem

Best Regards
Index: rsa.c
===
RCS file: /cvs/src/usr.sbin/acme-client/rsa.c,v
retrieving revision 1.7
diff -u -p -r1.7 rsa.c
--- rsa.c	28 Jul 2018 15:25:23 -	1.7
+++ rsa.c	22 May 2019 11:17:47 -
@@ -79,7 +79,8 @@ rsa_key_load(FILE *f, const char *fname)
 	if (pkey == NULL) {
 		warnx("%s: PEM_read_PrivateKey", fname);
 		return NULL;
-	} else if (EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA)
+	} else if (EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA ||
+		   EVP_PKEY_type(pkey->type) == EVP_PKEY_EC )
 		return pkey;
 
 	warnx("%s: unsupported key type", fname);
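Review bot: the new branch `EVP_PKEY_type(pkey->type) == EVP_PKEY_EC` accepts any EC key whatever its curve, so a key on a curve the CA does not accept is only refused later by the CA instead of at load time; since the cover mail itself tells users to generate the key by hand with `secp384r1`, consider checking the key's curve here and failing with a message that names it. Two smaller points in the same hunk: the space in `EVP_PKEY_EC )` does not match the surrounding style, and with this change `rsa_key_load` in `rsa.c` also loads EC keys, so the function name and file name no longer describe what they do.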




Re: mail sign/encrypt

2018-05-09 Thread Stuart Longland
On 09/05/18 19:44, Rudolf Sykora wrote:
> I want a small thing, hence Thunderbird is out.
> Similarly, mutt does way too many things (it's not just MUA),
> similarly (al)pine. (And both use ncurses, which I also
> want to avoid).
> 
> For me mmh, mblaze or similar (eg. plan9 tools) is the way to go.
> Even snail is way too complex.

Agreed, it depends on your use case, but for sure Thunderbird is a
heavy-weight.  Turn on message filtering, and it has a particularly
nasty memory-leak I find: brings my desktop at work (with 16GB RAM) to
its knees after about 3 days running.

> So for now I sign and send email (prepared in message.txt) with this:
> 
> openssl smime -sign -in message.txt -text -signer sec/certCVUT.mycrt.pem \
> -inkey sec/certCVUT.mykey.pem -certfile sec/certCVUT.caChain.pem \
> -from rudolf.syk...@cvut.cz -to rsyk...@disroot.org \
> -subject "HI" | sendmail -t
> 
> where certCVUT.mycrt.pem contains my certificate,
> certCVUT.mykey.pem contains my private key, and
> certCVUT.caChain.pem contains the chain of ca's.
> All these can be obtained from the .p12 file using
> appropriate openssl commands.

As I say, it depends on whether you're after S/MIME or OpenPGP; and
Tony's advice was for OpenPGP.  Thunderbird on its own can do S/MIME.

For completeness; signing and encrypting an email using GnuPG and sendmail:

prepare message.txt; headers.txt, then

$ gpg --sign --encrypt -a -r rsyk...@disroot.org < message.txt \
  | cat headers.txt - \
  | sendmail -t

would probably do the trick.  (Untested)
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.



Re: mail sign/encrypt

2018-05-09 Thread Rudolf Sykora
> > I'd suggest Thunderbird + Enigmail

I want a small thing, hence Thunderbird is out.
Similarly, mutt does way too many things (it's not just MUA),
similarly (al)pine. (And both use ncurses, which I also
want to avoid).

For me mmh, mblaze or similar (eg. plan9 tools) is the way to go.
Even snail is way too complex.

So for now I sign and send email (prepared in message.txt) with this:

openssl smime -sign -in message.txt -text -signer sec/certCVUT.mycrt.pem \
-inkey sec/certCVUT.mykey.pem -certfile sec/certCVUT.caChain.pem \
-from rudolf.syk...@cvut.cz -to rsyk...@disroot.org \
-subject "HI" | sendmail -t

where certCVUT.mycrt.pem contains my certificate,
certCVUT.mykey.pem contains my private key, and
certCVUT.caChain.pem contains the chain of ca's.
All these can be obtained from the .p12 file using
appropriate openssl commands.

Thanks
Ruda
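The path Rudolf describes (take the .p12 apart, sign with openssl smime, hand the result to sendmail), together with Stuart's point that S/MIME and OpenPGP are different mechanisms, as an added example that is not part of the original thread and not any poster's code. It is a shell script that assumes only openssl(1) on the box; the throwaway CA, the identity ruda@example.org, the .p12 password `demo` and the file names (mykey.pem, mycrt.pem, caChain.pem, mirroring Rudolf's) are all constructed for the demo. It goes one step past the thread's command: it also encrypts the signed message, decrypts it on the receiving side, verifies the signature, and shows that a one-word edit to the signed text is rejected.

```shell
#!/bin/sh
# Added example, not code from the thread. Walks the S/MIME path discussed
# above: split a .p12 into private key, own certificate and CA chain, sign a
# message with openssl smime, encrypt the signed message to a recipient
# certificate, then decrypt and verify on the receiving side. The demo CA,
# the identity ruda@example.org, the .p12 password "demo" and all file names
# are constructed for this demo; a real .p12 from a CA replaces build_demo_p12.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Stand-in for the CA-issued identity: a throwaway CA signs an S/MIME
# end-entity certificate (emailProtection EKU; digitalSignature to sign,
# keyEncipherment so mail can be encrypted to it), bundled as key+cert+chain.
build_demo_p12() {
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'commonName = Common Name' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > demo.cnf
    openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 1 -subj "/CN=Demo CA" -keyout ca.key -out ca.crt
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=Ruda/emailAddress=ruda@example.org" -keyout user.key -out user.csr
    printf '%s\n' 'keyUsage = critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage = emailProtection' \
        'subjectAltName = email:ruda@example.org' > user.ext
    openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -extfile user.ext -out user.crt
    openssl pkcs12 -export -inkey user.key -in user.crt -certfile ca.crt \
        -passout pass:demo -out identity.p12
}

# The "appropriate openssl commands": three pkcs12 runs yield the three PEM
# files the signing command wants. The key file is the secret; lock it down.
extract_from_p12() {
    openssl pkcs12 -in identity.p12 -passin pass:demo -nocerts -nodes -out mykey.pem
    openssl pkcs12 -in identity.p12 -passin pass:demo -clcerts -nokeys -out mycrt.pem
    openssl pkcs12 -in identity.p12 -passin pass:demo -cacerts -nokeys -out caChain.pem
    chmod 600 mykey.pem
}

# Sender side. Sign first, encrypt second: the receiver can then check who
# wrote the text after decrypting it. Rudolf's command puts From/To/Subject
# on at the sign step because it pipes straight into sendmail -t; here they
# go on the outer, encrypted message.
sign_message() {
    openssl smime -sign -in message.txt -text \
        -signer mycrt.pem -inkey mykey.pem -certfile caChain.pem -out signed.mime
}
encrypt_message() {
    openssl smime -encrypt -aes256 -in signed.mime \
        -from ruda@example.org -to ruda@example.org -subject "HI" \
        -out encrypted.eml recipient.pem
}

# Receiver side: decrypt with our key, then verify against the CA we trust.
# -text strips the text/plain header that -text added when signing.
decrypt_message() {
    openssl smime -decrypt -in encrypted.eml -recip mycrt.pem -inkey mykey.pem \
        -out decrypted.mime
}
verify_message() {   # $1: signed MIME file; prints the verified body
    openssl smime -verify -text -in "$1" -CAfile ca.crt 2>/dev/null
}

run_demo() {
    build_demo_p12 >/dev/null 2>&1
    extract_from_p12 >/dev/null 2>&1
    cp mycrt.pem recipient.pem        # demo: encrypt to ourselves
    printf 'Hello,\nplease confirm the transfer.\n' > message.txt
    sign_message && encrypt_message && decrypt_message
}

# 0 only if the decrypted message verifies and still carries the signed line.
verified_body_ok() {
    verify_message decrypted.mime | tr -d '\r' | grep -qx 'please confirm the transfer.'
}

# 0 only if changing one word of the signed text makes verification fail.
tamper_is_detected() {
    sed 's/confirm/cancel/' decrypted.mime > tampered.mime
    ! verify_message tampered.mime >/dev/null
}

run_demo
verified_body_ok && echo "signature verifies, body intact"
tamper_is_detected && echo "tampered copy rejected"
```

For real mail the output of encrypt_message is what goes to `sendmail -t`, as in Rudolf's command; recipient.pem would be the recipient's certificate rather than a copy of our own, and ca.crt whatever CA the receiving side actually trusts. The encrypted message carries only a base64 blob, so the text is not visible in transit, while the signature check is what tells the recipient that the text was not changed on the way.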



Re: mail sign/encrypt

2018-05-04 Thread Stuart Longland
On 05/05/18 08:31, Tony Boston wrote:
> On 05/03/18 10:30, Rudolf Sykora wrote:
>> Hello misc,
>>
>> I'd like to be able to optionally
>> - sign my email,
>> - encrypt the email.
>>
>> I have a certificate in the .p12 form,
>> containing my private key and two certificates,
>> one of them mine.
>>
>> I want to prepare mail locally, i.e. to use
>> some simple locally installed MUA.
>>
>> Is there a way with the default "mail" program,
>> or do I have to install some more powerful MUA?
>>
>> Thanks
>> Ruda
>>
> 
> I'd suggest Thunderbird + Enigmail for that but that really depends on
> what machine you're running on or if you want to go for CLI only
> 
> just my 2 cents

It's also worth noting that this would encrypt/sign using the OpenPGP
standard.

The discussion of .p12 certificates makes me suspicious the author is
after S/MIME, which Thunderbird can do without any extensions.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.



Re: mail sign/encrypt

2018-05-04 Thread Tony Boston
On 05/03/18 10:30, Rudolf Sykora wrote:
> Hello misc,
> 
> I'd like to be able to optionally
> - sign my email,
> - encrypt the email.
> 
> I have a certificate in the .p12 form,
> containing my private key and two certificates,
> one of them mine.
> 
> I want to prepare mail locally, i.e. to use
> some simple locally installed MUA.
> 
> Is there a way with the default "mail" program,
> or do I have to install some more powerful MUA?
> 
> Thanks
> Ruda
> 

I'd suggest Thunderbird + Enigmail for that but that really depends on
what machine you're running on or if you want to go for CLI only

just my 2 cents

-- 
Tony

GPG-FP: 913BBD25 8DA503C7 BAE0C0B6 8995E906 4FBAD580





Re: mail sign/encrypt

2018-05-03 Thread Steffen Nurpmeso
Hello again Rudolf.

Rudolf Sykora <rudolf.syk...@gmail.com> wrote:
 |I'd like to be able to optionally
 |- sign my email,
 |- encrypt the email.
 |
 |I have a certificate in the .p12 form,
 |containing my private key and two certificates,
 |one of them mine.
 |
 |I want to prepare mail locally, i.e. to use
 |some simple locally installed MUA.
 |
 |Is there a way with the default "mail" program,
 |or do I have to install some more powerful MUA?

S-nail can do that indeed, and once v14.9.10 finally really gets
included in ports (and brings in 30+ months of what i call
development), then you could even do at least some useful things
with the on-compose-..  hooks that you have suggested over two
years ago, too.

And i see potential for improvement, also of the manual.  Thanks.

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)



mail sign/encrypt

2018-05-03 Thread Rudolf Sykora
Hello misc,

I'd like to be able to optionally
- sign my email,
- encrypt the email.

I have a certificate in the .p12 form,
containing my private key and two certificates,
one of them mine.

I want to prepare mail locally, i.e. to use
some simple locally installed MUA.

Is there a way with the default "mail" program,
or do I have to install some more powerful MUA?

Thanks
Ruda



Re: How does dpb sign packages in 6.1 ?

2017-04-05 Thread Noth
Ok thanks Stuart & Marc, and of course I managed to pebkac through my 
ports update script... G.



On 05/04/17 10:43, Marc Espie wrote:

> dpb no longer does.
> Use pkg_sign(1) directly like sthen says.
>
> Before, signing directly during pkg_create(1) made some sense, since
> the archive was built just once with the signature inside.
>
> Now that the signature is outside, there is no gain to having pkg_create(1)
> sign directly, so that was scrapped.




Re: How does dpb sign packages in 6.1 ?

2017-04-05 Thread Marc Espie
dpb no longer does.
Use pkg_sign(1) directly like sthen says.

Before, signing directly during pkg_create(1) made some sense, since
the archive was built just once with the signature inside.

Now that the signature is outside, there is no gain to having pkg_create(1)
sign directly, so that was scrapped.



Re: How does dpb sign packages in 6.1 ?

2017-04-05 Thread Stuart Henderson
On 2017-04-04, Noth <nothingn...@citycable.ch> wrote:
>I'm trying to use dpb in 6.1-current, and my setup works till it 
> tries to sign the package it makes and then fails with this message:
..
> I've updated my signify keys and placed them in $CHROOT/etc/signify. I 
> can't work out what dpb is expecting now that we no longer have 
> SIGNING_PARAMETERS in mk.conf .

Use pkg_sign(1) separately after the build. For official builds this is
done on a different machine.



How does dpb sign packages in 6.1 ?

2017-04-04 Thread Noth

Hi all,


  I'm trying to use dpb in 6.1-current, and my setup works till it 
tries to sign the package it makes and then fails with this message:



==>  Building package for bzip2-1.0.6p8
Create /data/packages/amd64/all/bzip2-1.0.6p8.tgz
[progress-bar output from pkg_create (terminal escape sequences) omitted]
file:/data/packages/amd64/tmp/bzip2-1.0.6p8.tgz: unsigned package (signify(1) doesn't see old-style signatures)

Fatal error: Bad package /data/packages/amd64/tmp/bzip2-1.0.6p8.tgz
 at /usr/ports/infrastructure/bin/register-plist line 527.
*** Error 1 in archivers/bzip2 
(/usr/ports/infrastructure/mk/bsd.port.mk:1895 
'/data/packages/amd64/all/bzip2-1.0.6p8.tgz')
*** Error 1 in archivers/bzip2 
(/usr/ports/infrastructure/mk/bsd.port.mk:2416 '_internal-package')
*** Error 1 in archivers/bzip2 
(/usr/ports/infrastructure/mk/bsd.port.mk:2396 'package')

===> Exiting archivers/bzip2 with an error
*** Error 1 in /usr/ports (infrastructure/mk/bsd.port.subdir.mk:147 
'package')

Error: job failed 256

I've updated my signify keys and placed them in $CHROOT/etc/signify. I 
can't work out what dpb is expecting now that we no longer have 
SIGNING_PARAMETERS in mk.conf .


Any ideas?

Cheers,

Noth



Re: dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread Walter Alejandro Iglesias
On Wed, Nov 09, 2016 at 06:13:47PM +0100, Walter Alejandro Iglesias wrote:
> Taking into account /etc/rc.d/dkimproxy_out flags:
> 
> daemon_flags="--conf_file=/etc/dkimproxy_out.conf --user=_dkimproxy 
> --group=_dkimproxy"
> 
> These files should be owned by _dkimproxy user and group.
> 

It worked!


Big thanks trondd!  (Next time I promise to read the logs more carefully)



Re: dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread Walter Alejandro Iglesias
On Wed, Nov 09, 2016 at 11:57:18AM -0500, trondd wrote:
> Should also be in the maillog.

Hey, I think I found the problem:

Nov  9 10:37:12 server dkimproxy.out[38514]: signing error: Error: cannot read 
/var/dkimproxy/default.private: Permission denied


The permissions are:

# ls -l /var/dkimproxy/
total 8
-rw---  1 root  wheel  887 Nov  9 10:50 default.private
-rw---  1 root  wheel  313 Nov  9 10:50 default.txt


Taking into account /etc/rc.d/dkimproxy_out flags:

daemon_flags="--conf_file=/etc/dkimproxy_out.conf --user=_dkimproxy 
--group=_dkimproxy"

These files should be owned by _dkimproxy user and group.
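The failure here, and the chown guesswork in the rspamd thread earlier on this page, are the same problem: a DKIM private key that the signing daemon cannot read, or (the other way round) one that everybody can. As an added example that is not part of either thread and not any poster's code, the script below checks a key file against the user the daemon runs as (the `-u _rspamd` / `--user=_dkimproxy` from the rc.d flags) and says what to change. It uses ls(1) rather than stat(1) because the stat flags differ between OpenBSD and GNU; the key file, the users and the directory it creates are constructed fixtures.

```shell
#!/bin/sh
# Added example, not from either thread. A check for the failure both
# threads describe: the DKIM private key is owned by root:wheel with mode
# 0600, but the signer runs as _dkimproxy (dkimproxy_out) or _rspamd
# (rspamd), so it gets "Permission denied". The check also refuses a key
# that anyone else can read, since that key is what makes mail from the
# domain pass DKIM. File names and users below are constructed fixtures.

# user_in_group USER GROUP: true when USER exists and GROUP is one of its groups.
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# check_dkim_key FILE USER
# Returns 0 when USER can read FILE and nobody outside owner/group can.
# Otherwise prints what is wrong and returns 1. Uses ls -l because the
# stat(1) flags differ between OpenBSD and GNU.
check_dkim_key() {
    file=$1 user=$2
    [ -f "$file" ] || { echo "$file: no such file"; return 1; }
    set -- $(ls -ld "$file")
    mode=$1 owner=$3 group=$4
    ubits=$(printf '%s' "$mode" | cut -c2-4)   # -rwxrwxrwx: owner bits
    gbits=$(printf '%s' "$mode" | cut -c5-7)   # group bits
    obits=$(printf '%s' "$mode" | cut -c8-10)  # everyone else

    if [ "$obits" != "---" ]; then
        echo "$file: mode $mode lets everyone at the key; chmod 600 it"
        return 1
    fi
    if [ "$owner" = "$user" ]; then
        case "$ubits" in r*) return 0 ;; esac
        echo "$file: owned by $user but not readable by its owner ($mode)"
        return 1
    fi
    # The chown -R root:_group variant from the rspamd thread: root keeps
    # ownership and the daemon reads the key through its group.
    if user_in_group "$user" "$group"; then
        case "$gbits" in r*) return 0 ;; esac
        echo "$file: group $group cannot read it ($mode)"
        return 1
    fi
    echo "$file: $owner:$group $mode, not readable by $user; chown $user $file"
    return 1
}

# Demo on a constructed key file: the thread's state, then the fix.
demo() {
    dir=$(mktemp -d)
    key=$dir/default.private
    printf 'constructed placeholder, not a real key\n' > "$key"
    chmod 600 "$key"
    me=$(id -un)
    echo "--- daemon user _dkimproxy, file owned by $me (the thread's situation)"
    check_dkim_key "$key" _dkimproxy || true
    echo "--- world-readable key"
    chmod 644 "$key"; check_dkim_key "$key" "$me" || true
    echo "--- mode 600 and owned by the daemon user (here: $me)"
    chmod 600 "$key"; check_dkim_key "$key" "$me" && echo "ok"
    rm -rf "$dir"
}

demo
```

On the real box the call is `check_dkim_key /var/dkimproxy/default.private _dkimproxy` (or `_rspamd` for the key under /etc/mail/dkim); the fix it asks for is the chown to the daemon user plus mode 600 that resolved this thread.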



Re: dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread Walter Alejandro Iglesias
trondd,

Your response was also useful to me in another more important way.

I took a look at the headers of your message and I see that gmail says
your dkim is correct:

Authentication-Results: mx.google.com;
dkim=pass header.i=@kagu-tsuchi.com;

However, I had to rescue your message from my gmail SPAM folder!

So, I wonder if all these efforts are in vain. :-)

(I'm starting to think spammers are sponsored by them)



Re: dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread trondd
On Wed, November 9, 2016 11:39 am, Walter Alejandro Iglesias wrote:
> On Wed, Nov 09, 2016 at 09:27:58AM -0500, trondd wrote:
>> On Wed, November 9, 2016 9:14 am, Walter Alejandro Iglesias wrote:
>> > Hi everyone,
>> >
>> > First of all, is dkimproxy a work in progress?
>> >
>> > If it's not, then the long one.  I've tried something similar to
>> > the example in smtpd.conf(5).  Outgoing messages don't get signed.
>> >
>> >
>> > # dkim-genkey -s default -d mydomain.com -r -D /var/dkimproxy
>> >
>> > /etc/dkimproxy_out.conf
>> > ---
>> > listen    127.0.0.1:10027
>> > relay     127.0.0.1:10028
>> > domain    mydomain.com
>> > signature dkim(c=relaxed)
>> > signature domainkeys(c=nofws)
>> > keyfile   /var/dkimproxy/default.private
>> > selector  default
>> >
>> >
>> > /etc/mail/smtpd.conf
>> > ---
>> > egress_int="em0"
>> > server="server.mydomain.com"
>> > ca $server certificate "/etc/ssl/acme/chain.pem"
>> >
>> > table aliases file:/etc/mail/aliases
>> > table valiases file:/etc/mail/valiases
>> > table vdomains file:/etc/mail/vdomains
>> > table addresses file:/etc/mail/addresses
>> > table users file:/etc/mail/users
>> >
>> > pki $server certificate "/etc/ssl/acme/cert.pem"
>> > pki $server key "/etc/ssl/acme/private/privkey.pem"
>> >
>> > listen on lo0
>> > listen on lo0 port 10028 tag DKIM
>> > listen on $egress_int port 25 tls pki $server
>> > listen on $egress_int port 465 smtps pki $server auth senders 
>> > masquerade
>> >
>> > accept from any for domain  virtual  deliver to
>> mbox
>> > accept for local alias  deliver to mbox
>> > accept tagged DKIM for any relay
>> > accept from local sender  for any relay via
>> > smtp://127.0.0.1:10027
>> >
>> >
>> > Do I need to do something else?  (running current)
>> >
>> >
>> >Walter
>> >
>>
>> Did you add the public key part to DNS for your domain?  What's going on
>> in maillog?
>
> I forgot to mention that, yes, I added the DNS record and checked its
> validity using this site:
>
> http://dkimcore.org/tools/keycheck.html
>
> That tells me it's ok.  Then I've been sending to this testing address:
>
> check-a...@verifier.port25.com
>
> where I'm told (in a reply to my same address) the message isn't signed.
>
> /var/log/maillog just shows the message as correctly delivered:
>
> Nov  9 14:16:39 server smtpd[68603]: 44fc40aeb913cba0 mta event=delivery
> evpid=1da22dbaa5825b53 from=<.*@mydomain.com>
> to= rcpt=<-> source="192.168.1.101"
> relay="??.??.??.??" (verifier.port25.com)" delay=2s result="Ok" stat="250
> 2.6.0 message received"
>
>
>>  Are the mails being forwarded to dkimproxy_out and back into
>> smtpd as expected?
>>
>
> How can I check this?
>

Should also be in the maillog.  You should see smtpd accept the initial
connection and relay it to 127.0.0.1 10027.  Then accept a new connection
from 127.0.0.1 or localhost and relay to the destination.

If you don't see that, you can use tcpdump to see if the proxy is ever
contacted.  You can also trace which rules smtpd matched on.  man smtpctl
and search for trace.

I run this at home, but can't access the machine from where I am.  I can
double check your configs later.



Re: dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread Walter Alejandro Iglesias
On Wed, Nov 09, 2016 at 09:27:58AM -0500, trondd wrote:
> On Wed, November 9, 2016 9:14 am, Walter Alejandro Iglesias wrote:
> > Hi everyone,
> >
> > First of all, is dkimproxy a work in progress?
> >
> > If it's not, then the long one.  I've tried something similar to
> > the example in smtpd.conf(5).  Outgoing messages don't get signed.
> >
> >
> > # dkim-genkey -s default -d mydomain.com -r -D /var/dkimproxy
> >
> > /etc/dkimproxy_out.conf
> > ---
> > listen    127.0.0.1:10027
> > relay     127.0.0.1:10028
> > domain    mydomain.com
> > signature dkim(c=relaxed)
> > signature domainkeys(c=nofws)
> > keyfile   /var/dkimproxy/default.private
> > selector  default
> >
> >
> > /etc/mail/smtpd.conf
> > ---
> > egress_int="em0"
> > server="server.mydomain.com"
> > ca $server certificate "/etc/ssl/acme/chain.pem"
> >
> > table aliases file:/etc/mail/aliases
> > table valiases file:/etc/mail/valiases
> > table vdomains file:/etc/mail/vdomains
> > table addresses file:/etc/mail/addresses
> > table users file:/etc/mail/users
> >
> > pki $server certificate "/etc/ssl/acme/cert.pem"
> > pki $server key "/etc/ssl/acme/private/privkey.pem"
> >
> > listen on lo0
> > listen on lo0 port 10028 tag DKIM
> > listen on $egress_int port 25 tls pki $server
> > listen on $egress_int port 465 smtps pki $server auth senders 
> > masquerade
> >
> > accept from any for domain  virtual  deliver to mbox
> > accept for local alias  deliver to mbox
> > accept tagged DKIM for any relay
> > accept from local sender  for any relay via
> > smtp://127.0.0.1:10027
> >
> >
> > Do I need to do something else?  (running current)
> >
> >
> > Walter
> >
> 
> Did you add the public key part to DNS for your domain?  What's going on
> in maillog?

I forgot to mention that, yes, I added the DNS record and checked its
validity using this site:

http://dkimcore.org/tools/keycheck.html

That tells me it's ok.  Then I've been sending to this testing address:

check-a...@verifier.port25.com

where I'm told (in a reply to my same address) the message isn't signed.

/var/log/maillog just shows the message as correctly delivered:

Nov  9 14:16:39 server smtpd[68603]: 44fc40aeb913cba0 mta event=delivery 
evpid=1da22dbaa5825b53 from=<.*@mydomain.com> 
to= rcpt=<-> source="192.168.1.101" 
relay="??.??.??.??" (verifier.port25.com)" delay=2s result="Ok" stat="250 2.6.0 
message received"


>  Are the mails being forwarded to dkimproxy_out and back into
> smtpd as expected?
> 

How can I check this?



Re: dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread trondd
On Wed, November 9, 2016 9:14 am, Walter Alejandro Iglesias wrote:
> Hi everyone,
>
> First of all, is dkimproxy a work in progress?
>
> If it's not, then the long one.  I've tried something similar to
> the example in smtpd.conf(5).  Outgoing messages don't get signed.
>
>
> # dkim-genkey -s default -d mydomain.com -r -D /var/dkimproxy
>
> /etc/dkimproxy_out.conf
> ---
> listen    127.0.0.1:10027
> relay     127.0.0.1:10028
> domain    mydomain.com
> signature dkim(c=relaxed)
> signature domainkeys(c=nofws)
> keyfile   /var/dkimproxy/default.private
> selector  default
>
>
> /etc/mail/smtpd.conf
> ---
> egress_int="em0"
> server="server.mydomain.com"
> ca $server certificate "/etc/ssl/acme/chain.pem"
>
> table aliases file:/etc/mail/aliases
> table valiases file:/etc/mail/valiases
> table vdomains file:/etc/mail/vdomains
> table addresses file:/etc/mail/addresses
> table users file:/etc/mail/users
>
> pki $server certificate "/etc/ssl/acme/cert.pem"
> pki $server key "/etc/ssl/acme/private/privkey.pem"
>
> listen on lo0
> listen on lo0 port 10028 tag DKIM
> listen on $egress_int port 25 tls pki $server
> listen on $egress_int port 465 smtps pki $server auth senders 
> masquerade
>
> accept from any for domain  virtual  deliver to mbox
> accept for local alias  deliver to mbox
> accept tagged DKIM for any relay
> accept from local sender  for any relay via
> smtp://127.0.0.1:10027
>
>
> Do I need to do something else?  (running current)
>
>
>   Walter
>

Did you add the public key part to DNS for your domain?  What's going on
in maillog?  Are the mails being forwarded to dkimproxy_out and back into
smtpd as expected?



dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread Walter Alejandro Iglesias
Hi everyone,

First of all, is dkimproxy a work in progress?

If it's not, then the long one.  I've tried something similar to
the example in smtpd.conf(5).  Outgoing messages don't get signed.


# dkim-genkey -s default -d mydomain.com -r -D /var/dkimproxy

/etc/dkimproxy_out.conf
---
listen    127.0.0.1:10027
relay     127.0.0.1:10028
domain    mydomain.com
signature dkim(c=relaxed)
signature domainkeys(c=nofws)
keyfile   /var/dkimproxy/default.private
selector  default


/etc/mail/smtpd.conf
---
egress_int="em0"
server="server.mydomain.com"
ca $server certificate "/etc/ssl/acme/chain.pem"

table aliases file:/etc/mail/aliases
table valiases file:/etc/mail/valiases
table vdomains file:/etc/mail/vdomains
table addresses file:/etc/mail/addresses
table users file:/etc/mail/users

pki $server certificate "/etc/ssl/acme/cert.pem"
pki $server key "/etc/ssl/acme/private/privkey.pem"

listen on lo0
listen on lo0 port 10028 tag DKIM
listen on $egress_int port 25 tls pki $server
listen on $egress_int port 465 smtps pki $server auth senders  masquerade

accept from any for domain  virtual  deliver to mbox
accept for local alias  deliver to mbox
accept tagged DKIM for any relay
accept from local sender  for any relay via smtp://127.0.0.1:10027


Do I need to do something else?  (running current)


Walter



# sign

2015-06-17 Thread Max Power
Hi guys!
In English_US way, you have no certainties.
# symbol, I've always named 'hash',
but from recent research I found which is also named:
number, pound, octothorpe, octothorp, octothorn...

which is the exact name for it? (In computer way naturally...)

Thanks for reply.



Re: # sign

2015-06-17 Thread Terry Tyson

On 6/17/2015 12:52 PM, Max Power wrote:

> Hi guys!
> In English_US way, you have no certainties.
> # symbol, I've always named 'hash',
> but from recent research I found which is also named:
> number, pound, octothorpe, octothorp, octothorn...
>
> which is the exact name for it? (In computer way naturally...)
>
> Thanks for reply.




hash



Re: # sign

2015-06-17 Thread Miod Vallat
> hash
>
> Wikipedia says that the use of hash for this sign may have come
> from Baudot, which predated both ASCII and EBCDIC.
 
I thought everyone here knew that this sign is actually historically
called `sliced unicorn hearts' after the specific pattern their heart
display when thinly sliced.

Oh, I'd kill for a unicorn heart carpaccio, right now. It's been too
long since I last had some.



Re: # sign

2015-06-17 Thread Mikkel C. Simonsen

Max Power wrote:

> which is the exact name for it? (In computer way naturally...)


Havelåge - the Danish way.

Best regards,

Mikkel C. Simonsen



Re: # sign

2015-06-17 Thread Josh Grosse

On 2015-06-17 13:58, Terry Tyson wrote:

> On 6/17/2015 12:52 PM, Max Power wrote:
>
>> Hi guys!
>> In English_US way, you have no certainties.
>> # symbol, I've always named 'hash',
>> but from recent research I found which is also named:
>> number, pound, octothorpe, octothorp, octothorn...
>>
>> which is the exact name for it? (In computer way naturally...)
>>
>> Thanks for reply.

Computer way?  Which computer?

If you mean ASCII representation, # would be 0010 0011.
If instead you prefer EBCDIC, # would be 0111 1011.

> hash

Wikipedia says that the use of hash for this sign may have come
from Baudot, which predated both ASCII and EBCDIC.



Re: Daemons can't have hyphen (-) sign in the name

2015-03-16 Thread Igor Konforti
Well I guess that explains :S

Thanks

On Sun, Mar 15, 2015 at 7:24 PM, Antoine Jacoutot ajacou...@bsdfrog.org
wrote:

> On Sun, Mar 15, 2015 at 07:08:52PM +0200, Igor Konforti wrote:
>> I was writing a daemon by the name /etc/rc.d/example-client and all the time I
>> was getting the error that ${daemon_user} is client
>>
>> After looking at the source code of rc.subr
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/rc.d/rc.subr?rev=1.92&content-type=text/x-cvsweb-markup
>> I saw the following:
>>
>> ```
>>  _name=$(basename $0)
>> eval _rcuser=\${${_name}_user}
>> [ -n ${_rcuser} ] && daemon_user=${_rcuser}
>> ```
>>
>> So, if we have a daemon by the name example-client, because of eval there
>> will always be $daemon_user:
>>
>> ```
>> -bash-4.2# eval _rcuser=\${example-client_user}
>> -bash-4.2# echo $_rcuser
>> client_user
>> ```
>>
>> I'm not sure if this is a bug or a feature, therefore I'm posting this in
>> misc, but if you guys confirm it is a bug I'll send it to bugs@
>> This of course can be fixed really easily.
>
> man rc.subr:
>
> ...
> DESCRIPTION
>  Apart from a few notable exceptions, rc scripts must follow this naming
>  policy:
>
>  1.   Use the same name as the daemon it is referring to.
>  2.   Dashes (‘-’) have to be converted to underscores (‘_’).
>
> --
> Antoine



Daemons can't have hyphen (-) sign in the name

2015-03-15 Thread Igor Konforti
I was writing a daemon by the name /etc/rc.d/example-client and all the time I
was getting the error that ${daemon_user} is client

After looking at the source code of rc.subr
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/rc.d/rc.subr?rev=1.92&content-type=text/x-cvsweb-markup
I saw the following:


```
 _name=$(basename $0)
eval _rcuser=\${${_name}_user}
[ -n ${_rcuser} ] && daemon_user=${_rcuser}
```

So, if we have a daemon by the name example-client, because of eval there
will always be $daemon_user:

```
-bash-4.2# eval _rcuser=\${example-client_user}
-bash-4.2# echo $_rcuser
client_user
```


I'm not sure if this is a bug or a feature, therefore I'm posting this in
misc, but if you guys confirm it is a bug I'll send it to bugs@
This of course can be fixed really easily.

Regards



Re: Daemons can't have hyphen (-) sign in the name

2015-03-15 Thread Antoine Jacoutot
On Sun, Mar 15, 2015 at 07:08:52PM +0200, Igor Konforti wrote:
> I was writing a daemon by the name /etc/rc.d/example-client and all the time I
> was getting the error that ${daemon_user} is client
>
> After looking at the source code of rc.subr
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/rc.d/rc.subr?rev=1.92&content-type=text/x-cvsweb-markup
> I saw the following:
>
>
> ```
>  _name=$(basename $0)
> eval _rcuser=\${${_name}_user}
> [ -n ${_rcuser} ] && daemon_user=${_rcuser}
> ```
>
> So, if we have a daemon by the name example-client, because of eval there
> will always be $daemon_user:
>
> ```
> -bash-4.2# eval _rcuser=\${example-client_user}
> -bash-4.2# echo $_rcuser
> client_user
> ```
>
>
> I'm not sure if this is a bug or a feature, therefore I'm posting this in
> misc, but if you guys confirm it is a bug I'll send it to bugs@
> This of course can be fixed really easily.

man rc.subr:

...
DESCRIPTION
 Apart from a few notable exceptions, rc scripts must follow this naming
 policy:

 1.   Use the same name as the daemon it is referring to.
 2.   Dashes (‘-’) have to be converted to underscores (‘_’).

-- 
Antoine
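The expansion Igor shows and the naming rule Antoine quotes, as an added example that is not rc.subr code and not any poster's script. It reproduces what `eval _rcuser=\${${_name}_user}` does when `_name` contains a dash, then does what the rule implies before any name is turned into a variable: map `-` to `_`, and refuse anything that still is not a valid shell identifier rather than passing it to eval. In rc.subr the name comes from the script's own path under /etc/rc.d, so this is about correctness there; the same check is what keeps eval safe wherever a name arrives from somewhere less trusted. `example_client_user` is a constructed fixture.

```shell
#!/bin/sh
# Added example, not rc.subr(8) code. Reproduces the expansion Igor ran into
# and shows what rc.subr's naming policy implies for anyone building a
# variable name from an rc script name: map '-' to '_' first, and refuse
# anything that still is not a valid shell identifier rather than handing it
# to eval. example_client_user is a constructed fixture.

# What the eval in rc.subr does with a dash in the name: the shell reads
# ${example-client_user} as "$example, or the literal 'client_user' if
# $example is unset", which is the "daemon_user is client_user" Igor saw.
raw_eval() {
    eval "printf '%s' \"\${$1_user}\""
}

# rc_varname NAME: the variable that would hold NAME's daemon user, with
# '-' mapped to '_'. Returns 1 if the result is not a valid identifier
# (empty, leading digit, or any character outside [A-Za-z0-9_]).
rc_varname() {
    _n=$(printf '%s' "$1" | tr '-' '_')
    case "$_n" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    printf '%s_user' "$_n"
}

# rc_user NAME: value of ${NAME}_user the way rc.subr derives daemon_user,
# but only after rc_varname has accepted the name.
rc_user() {
    _v=$(rc_varname "$1") || return 1
    eval "printf '%s' \"\${$_v}\""
}

example_client_user=_client     # constructed: what example_client_user= would set

printf 'raw eval with a dash : %s\n' "$(raw_eval example-client)"
printf 'sanitised lookup     : %s\n' "$(rc_user example-client)"
rc_user 'example;client' >/dev/null || echo 'example;client : refused before eval'
```

The first line prints `client_user`, the behaviour from the thread; the second prints `_client`, the value the rc script's `_user` variable was meant to supply; the third shows a name with a shell metacharacter being rejected before eval ever sees it.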



Sign A Rama wants to open in your town

2010-09-05 Thread Franchise Sign A Rama
If this message does not display correctly, click HERE (
http://www.benoitfougerais.fr/Franchise/Signarama/Emailing/SAR-NewsLetter2010.html )

(
https://spreadsheets.google.com/viewform?hl=fr&cfg=true&formkey=dEFkaDNXWXNnTDRMOHRiSXFXOVJLa2c6MA )

Has your career given you the confidence and the desire to go into business
for yourself? Are you an organizer with a commercial temperament? A team
leader?

Then let's meet!

I am Olivier Fossat, franchisor of SIGNARAMA in France. SIGNARAMA has been the
world's leading visual communication network for 25 years. Our products are
everywhere. You use them every minute without paying attention to them and, of
course, had never measured the value of our business until this e-mail!

Beyond the figures, our trade is very engaging because the customer
relationship is very personal.

Our customers, all business owners, shopkeepers and craftsmen, enrich us with
all the trades they practise, and above all they give us their trust.

Moreover, all our products carry value because they are made to measure: we
put our attentiveness and our creativity into them and deliver solutions that
help our customers make a difference in their businesses: graphic charters,
signs, vehicle fleets, shop windows, signage, point-of-sale displays.

We are the service specialist, the best competitive advantage there is!

I invite you to leave me your contact details so that I can get in touch.
https://spreadsheets.google.com/viewform?hl=fr&cfg=true&formkey=dEFkaDNXWXNnTDRMOHRiSXFXOVJLa2c6MA




Re: Real men don't attack sign men

2007-12-16 Thread Breen Ouellette

Marc Balmer wrote:

> Richard Stallman wrote:
>
>>> I doubt someone who is truly unfriendly could organize a
>>> hackathon, a friendly social event.
>>
>> He may be perfectly friendly to others.  What is relevant is that he
>> tends to be unfriendly to me.
>
> What is relevant is that you are a hypocrite and come to our
> mailing lists talking bullshit about OpenBSD.  You do not only
> offend Theo, but all of the OpenBSD / OpenSSH developers.


And many of the OpenBSD users, as well, who appreciate the work done by 
the OpenBSD developers and do not wish to see the project slagged off 
the cuff by people in the spotlight.


Breeno



Re: Real men don't attack sign men

2007-12-15 Thread Richard Stallman
I doubt someone who is truly unfriendly could organize a hackathon, a 
friendly social event.

He may be perfectly friendly to others.  What is relevant is that he
tends to be unfriendly to me.

The same argument could be made about your unfriendliness. We could not 
talk to you since you have *proven* to be unfriendly:

http://z505.com/images/gnu-sign.png

I criticized ATI firmly when it refused to release the specs for its
chips.  I'm happy to say that in October another ATI speaker came to
MIT and announced that ATI was supporting development of free drivers.
I shook his hand.  I was also told that my protest had made an
impression at ATI, so I think it played a role in bringing about the
change in policies.

However, that was nothing on the scale of unfriendliness compared to
what Theo has said to me -- both in this discussion, and previously.
I used the word unfriendly as a deliberate understatement, because I
did not want to start an argument about that side issue.  (Others
chose, in a hypersensitive fashion, to do so anyway.)

I reserve my unfriendliness, such as it is, for the enemies of the
free software movement -- which does not include OpenBSD.  I have
never urged people not to use OpenBSD.  I do not campaign against
OpenBSD and never did.



Re: Real men don't attack sign men

2007-12-15 Thread Marc Balmer

Richard Stallman wrote:

I doubt someone who is truly unfriendly could organize a hackathon, a 
friendly social event.


He may be perfectly friendly to others.  What is relevant is that he
tends to be unfriendly to me.


What is relevant is that you are a hypocrite and come to our
mailing lists talking bullshit about OpenBSD.  You do not only
offend Theo, but all of the OpenBSD / OpenSSH developers.

We put a lot of effort into making a free operating system which
is accompanied by a free ports system.  Your stanzas are just
pure insult.

Someone acting like you must not complain about Theo being unfriendly.
You call for it.  Theo is only being direct and he is right.



The same argument could be made about your unfriendliness. We could not 
talk to you since you have *proven* to be unfriendly:


http://z505.com/images/gnu-sign.png

I criticized ATI firmly when it refused to release the specs for its
chips.  I'm happy to say that in October another ATI speaker came to
MIT and announced that ATI was supporting development of free drivers.
I shook his hand.  I was also told that my protest had made an
impression at ATI, so I think it played a role in bringing about the
change in policies.

However, that was nothing on the scale of unfriendliness compared to
what Theo has said to me -- both in this discussion, and previously.
I used the word unfriendly as a deliberate understatement, because I
did not want to start an argument about that side issue.  (Others
chose, in a hypersensitive fashion, to do so anyway.)

I reserve my unfriendliness, such as it is, for the enemies of the
free software movement -- which does not include OpenBSD.  I have
never urged people not to use OpenBSD.  I do not campaign against
OpenBSD and never did.




Re: Real men don't attack sign men

2007-12-13 Thread L
Not calling someone unfriendly and just focusing on the 
conversation/technical details at hand, would be much more friendly.. 
even considering friendship wasn't the subject of discussion in the 
first place.


Someone else attacked me on this list for not discussing this with
Theo.  I explained the reason in the gentlest way I could think of.


The same argument could be made about your unfriendliness. We could not 
talk to you since you have *proven* to be unfriendly:


http://z505.com/images/gnu-sign.png

Any programmer or philosopher worth his salt can appear critical, 
analytical, or unfriendly at times. Security experts especially.


I doubt someone who is truly unfriendly could organize a hackathon, a 
friendly social event. Remember, this is just email after all, Stallman. 
Take some of it with a grain of salt.


Any time someone brings up the fact that openbsd has unfriendly 
programmers, we are to call them on it.


Label it as:
The OpenBSD Cliche

Cliche: an idea that has been overused to the point of losing its 
intended force or novelty,


That way, when anyone regurgitates this same old tired openbsd 
programmers are unfriendly argument, we can redirect them to a FUQ or FAQ.


An example demonstration of this:

Bum Bum wrote in message:
 blah blah blah OpenBSD programmers are unfriendly blah blah blah
  blah blah blah blah blah Not friendly blah blah Don't use it blah
  blah blah Because they are unfriendly blah blah blah

Hello Bum Bum, that is an invalid argument. Please see:
The OpenBSD Cliche.

It is in the FUQ under the beaten dead horse section.

Regards,
L505

A philosopher who did not hurt anyone's feelings was not doing his job.
--Plato (source: Wikipedia)

A programmer who did not hurt anyone's feelings was not doing his job.
--L505 (source: Z505)



Re: sign and timestamp

2007-10-05 Thread Douglas A. Tutty
On Thu, Oct 04, 2007 at 05:03:41PM +0200, Gábri Máté wrote:
 
 There'll be two main servers, a web server and a sql server. We have to
 insert a timestamp and a signature in the specified rows of tables.
 Periodically the sql server will make pdf documents from the data and we
 have to sign and timestamp these docs too. I also have to set up a
 firewall and a backup server, both of them will be OBSD.
 After what all of You wrote i guess one of the OBSD servers will act as
 the timestamping machine with the method of issuing a time file
 periodically, sign and hash it. I can setup a script for that, and
 another one for verification. Thats the easiest way i guess.
 
 As for why i dont want to use a public time stamping service: its much
 more flexible to do it on our own, and much more faster, and there are
 other reasons. Of course the results don't have to be verified by total
 strangers, just those who work with the data from day-to-day.
 

I'm not clear on what you will gain over just having all the boxes
running ntp and having the SQL server inserting a time value on each row
of the table, and having each row be non-alterable (other than, of
course, by root), and having a time stamp put on the pdf document.  

Typical uses for real time stamps are for audit purposes.  The only
reason for an audit trail is to prove that records haven't been altered
either accidentally or intentionally/maliciously by someone within the
organization.  If this is for internal auditing only and your internal
audit department requires something more than just a time-entry in an
SQL file, then they should have sole control over the server that does
the time stamping.  Nobody outside of the audit department should have
any root privileges.  In which case, a dedicated dot-matrix printer that
prints the file name, hash, and time stamp of files as they are received for
stamping, would be prudent.  Put multi-part paper in the printer and
take a copy off-site (to the off-site auditors?) regularly.

In any event, your system (policy, protocols, etc) should be approved by
the people who will be needing to verify the veracity of the timestamps.

Doug.



Re: sign and timestamp

2007-10-04 Thread Joachim Schipper
On Wed, Oct 03, 2007 at 05:21:09PM -0700, Ted Unangst wrote:
 On 10/3/07, Gábri Máté [EMAIL PROTECTED] wrote:
  I've read a lot about timestamping a document, but dunno how it works in
  practice. How can i apply a timestamp to a digitally signed or encrypted
  document? Like i encrypt or sign a document with gnupg, but before the
  process how can i timestamp it?
 
 you cannot provably timestamp anything.  you can only provide copies
 or hashes at the time you would like to prove creation, either by
 sending it to the person you want to prove it to or a trusted third
 party.  or generally publishing it, and hoping you can gather enough
 witnesses to testify when they first saw it.

One solution is making sure it ends up on multiple public archives. Some
clueful idiot spammed full-disclosure [1] with a `month of random
hashes', which appears to have put a stop to the clueless idiots that
posted hashes of their 'discoveries'.

It shouldn't be too difficult to find an abandoned Usenet group that is
still in Google's index, though, and if you use a sane posting frequency
- once a week, or perhaps once a day - this is nowhere near as evil as
the UUencoded pink bits that make up the majority of a Usenet feed
nowadays. (Which should not be mistaken as this not being evil.)

Be prepared for some kooks to harass you because you are obviously
working for the CIA/Mossad/terrorists/greys, though. (Why do you hate
America/Israel/Freedom/Humanity?!)

(And all this is just a roundabout way of telling you that an external
stamping service makes a lot more sense. What are you *really* trying to
do?)

Joachim

[1] A security-related mailing list. Unmoderated, so vulnerabilities
come through quickly but get lost in the diarrhea.

-- 
TFMotD: rwalld, rpc.rwalld (8) - write messages to users currently
logged in server



Re: sign and timestamp

2007-10-04 Thread Gábri Máté
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

There'll be two main servers, a web server and a sql server. We have to
insert a timestamp and a signature in the specified rows of tables.
Periodically the sql server will make pdf documents from the data and we
have to sign and timestamp these docs too. I also have to set up a
firewall and a backup server, both of them will be OBSD.
After what all of You wrote i guess one of the OBSD servers will act as
the timestamping machine with the method of issuing a time file
periodically, sign and hash it. I can setup a script for that, and
another one for verification. Thats the easiest way i guess.

As for why i dont want to use a public time stamping service: its much
more flexible to do it on our own, and much more faster, and there are
other reasons. Of course the results don't have to be verified by total
strangers, just those who work with the data from day-to-day.


Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu


Douglas A. Tutty wrote:
 On Wed, Oct 03, 2007 at 09:45:30PM +0200, Gábri Máté wrote:
 A service will gather data in a database and this data has to be signed
 and timestamped for security reasons, and the archives of these data are
 also need to signed and timestamped. The data will be used for internal
 purposes, so another internal server can issue the signs and stamps.

 
 OK.  This service gathering the data: is it your own dedicated server or
 is it an external service provider.  Assuming that you don't control
 (in a security sense) the database itself (if you did, why bother with
 this?).
 
 If I understand correctly:  Database the data-gatherer can query.  You
 set up a dedicated, physically secure box and provide it with a secure
 source of time (GPS?).  
 
 Assuming that you don't want the latency for them to email the box a
 hash, have the box append a time stamp, sign it, and mail it back.  You
 need a dedicated channel from the time server to the data-gatherer of
 latency low enough to meet the time-stamp requirements.  
 
 Do you need to send the timestamp back to the data-gatherer or will they
 be sending the data to you by a slower method?  
 
 You could either write a dedicated server or set up a lpd hack.  
 
 They gather the data, tarball it, take a hash and put it in an index
 file (like an MD5SUM file in an ftp archive).  They send a file
 containing only the hash and the unique tarball file name to the lpr on
 the time server.  A dummy spool there hands the file to a 'filter' that
 takes that file, extracts the md5sum, file name, appends the time, and
 appends that whole line to a file.  For hard copy, each line could be
 printed to dedicated dot-matrix printer as it is generated.
 
 Or your time server is running a database and the data-gather can issue
 the SQL insert query directly and the database system itself fills in a
 time-stamp field.
 
 Doug.
iD8DBQFHBQDN8najRxwF9nkRAttfAKCJWn8wZuFbBH9Bjg+3jACkYaAw0gCbB+1Z
2eANpaLE6INNbm1DYeDw0xc=
=JOK6
-END PGP SIGNATURE-



sign and timestamp

2007-10-03 Thread Gábri Máté
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hey there!

I've read a lot about timestamping a document, but dunno how it works in
practice. How can i apply a timestamp to a digitally signed or encrypted
document? Like i encrypt or sign a document with gnupg, but before the
process how can i timestamp it?
Sorry for the stupid question but i really can't imagine it.

- --
Gabri Mate
[EMAIL PROTECTED]
iD8DBQFHA8Gh8najRxwF9nkRAiceAKC5E4GSj9DyBFhADFhB7oBLBKvUZQCgs+ct
hGyUmMhM39QHXhf/XadvH+o=
=SFZt
-END PGP SIGNATURE-



Re: sign and timestamp

2007-10-03 Thread Gábri Máté
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Sorry i wasn't totally specific. Yes, later on the reciever need to
verify the timestamp. I was looking for an oss application but couldn't
find any for timestamping.

Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu


Douglas A. Tutty wrote:
 On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote:
 I've read a lot about timestamping a document, but dunno how it works in
 practice. How can i apply a timestamp to a digitally signed or encrypted
 document? Like i encrypt or sign a document with gnupg, but before the
 process how can i timestamp it?
 Sorry for the stupid question but i really can't imagine it.

 
 I suppose the first question is: is the time stamp for info only or does
 the recipient have to verify the accuracy of the timestamp?  I.e. lets
 say you take the file you want to encrypt and sign, put it in a tarball
 that will protect the file's modification time, and encrypt and sign
 that.  This gives the recipient your opinion on the timestamp and
 protects it from being changed enroute.  However, the recipient can't
 verify that you or your system are telling the truth.
 
 I don't know if there's an accepted strategy, but if I had to create one
 from scratch, off the top of my head I'm thinking some type of time
 server.  It would have to publish a signed file of the current time, say
 once per minute, so that you could include the hash in the above noted
 tarball.  The recipient could note the time of that hash file, query the
 time server for the matching hash and compare the two.  If they match,
 then the time matches.
 
 This would have to be a time server that is trusted by the recipient.  
 
 I'll be interested to hear from someone who really knows about this.
 
 Doug.
iD8DBQFHA+E08najRxwF9nkRAkZnAJ9F83yBOJ7KhTgUngOtFAcCWJeDcwCeOEUS
MxT2+9gw9WpbIi6BXfeeSSc=
=0rKL
-END PGP SIGNATURE-



Re: sign and timestamp

2007-10-03 Thread Douglas A. Tutty
On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote:
 I've read a lot about timestamping a document, but dunno how it works in
 practice. How can i apply a timestamp to a digitally signed or encrypted
 document? Like i encrypt or sign a document with gnupg, but before the
 process how can i timestamp it?
 Sorry for the stupid question but i really can't imagine it.
 

I suppose the first question is: is the time stamp for info only or does
the recipient have to verify the accuracy of the timestamp?  I.e. lets
say you take the file you want to encrypt and sign, put it in a tarball
that will protect the file's modification time, and encrypt and sign
that.  This gives the recipient your opinion on the timestamp and
protects it from being changed enroute.  However, the recipient can't
verify that you or your system are telling the truth.

I don't know if there's an accepted strategy, but if I had to create one
from scratch, off the top of my head I'm thinking some type of time
server.  It would have to publish a signed file of the current time, say
once per minute, so that you could include the hash in the above noted
tarball.  The recipient could note the time of that hash file, query the
time server for the matching hash and compare the two.  If they match,
then the time matches.

This would have to be a time server that is trusted by the recipient.  

I'll be interested to hear from someone who really knows about this.

Doug.



Re: sign and timestamp

2007-10-03 Thread Douglas A. Tutty
Without a mutually-trusted source of time cookies, it depends on
specific needs.

Further information on the nature of the transaction is required since I
haven't heard of a pre-packaged oss application.

Doug.



On Wed, Oct 03, 2007 at 08:36:37PM +0200, Gábri Máté wrote:
 Sorry i wasn't totally specific. Yes, later on the reciever need to
 verify the timestamp. I was looking for an oss application but couldn't
 find any for timestamping.
 
 
 Douglas A. Tutty wrote:
  On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote:
  I've read a lot about timestamping a document, but dunno how it works in
  practice. How can i apply a timestamp to a digitally signed or encrypted
  document? Like i encrypt or sign a document with gnupg, but before the
  process how can i timestamp it?
  Sorry for the stupid question but i really can't imagine it.
 
  
  I suppose the first question is: is the time stamp for info only or does
  the recipient have to verify the accuracy of the timestamp?  I.e. lets
  say you take the file you want to encrypt and sign, put it in a tarball
  that will protect the file's modification time, and encrypt and sign
  that.  This gives the recipient your opinion on the timestamp and
  protects it from being changed enroute.  However, the recipient can't
  verify that you or your system are telling the truth.
  
  I don't know if there's an accepted strategy, but if I had to create one
  from scratch, off the top of my head I'm thinking some type of time
  server.  It would have to publish a signed file of the current time, say
  once per minute, so that you could include the hash in the above noted
  tarball.  The recipient could note the time of that hash file, query the
  time server for the matching hash and compare the two.  If they match,
  then the time matches.
  
  This would have to be a time server that is trusted by the recipient.  
  
  I'll be interested to hear from someone who really knows about this.
  
  Doug.
  
  
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.5 (GNU/Linux)
 
 iD8DBQFHA+E08najRxwF9nkRAkZnAJ9F83yBOJ7KhTgUngOtFAcCWJeDcwCeOEUS
 MxT2+9gw9WpbIi6BXfeeSSc=
 =0rKL
 -END PGP SIGNATURE-



Re: sign and timestamp

2007-10-03 Thread Joachim Schipper
On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote:
 Hey there!
 
 I've read a lot about timestamping a document, but dunno how it works in
 practice. How can i apply a timestamp to a digitally signed or encrypted
 document? Like i encrypt or sign a document with gnupg, but before the
 process how can i timestamp it?
 Sorry for the stupid question but i really can't imagine it.

The Big G is your friend [1]:

http://www.itconsult.co.uk/stamper.htm

(Obviously, one could send them a hash instead of the original if one
were afraid of sending data unencrypted over the net.)

Joachim

[1] Trust The Computer. The Computer is Your Friend.

-- 
TFMotD: h2xs (1) - convert .h C header files to Perl extensions



Re: sign and timestamp

2007-10-03 Thread Gábri Máté
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

A service will gather data in a database and this data has to be signed
and timestamped for security reasons, and the archives of these data are
also need to signed and timestamped. The data will be used for internal
purposes, so another internal server can issue the signs and stamps.


Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu


Douglas A. Tutty wrote:
 Without a mutually-trusted source of time cookies, it depends on
 specific needs.
 
 Further information on the nature of the transaction is required since I
 haven't heard of a pre-packaged oss application.
 
 Doug.
 
 
 
 On Wed, Oct 03, 2007 at 08:36:37PM +0200, Gábri Máté wrote:
 Sorry i wasn't totally specific. Yes, later on the reciever need to
 verify the timestamp. I was looking for an oss application but couldn't
 find any for timestamping.

  
 Douglas A. Tutty wrote:
 On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote:
 I've read a lot about timestamping a document, but dunno how it works in
 practice. How can i apply a timestamp to a digitally signed or encrypted
 document? Like i encrypt or sign a document with gnupg, but before the
 process how can i timestamp it?
 Sorry for the stupid question but i really can't imagine it.

 I suppose the first question is: is the time stamp for info only or does
 the recipient have to verify the accuracy of the timestamp?  I.e. lets
 say you take the file you want to encrypt and sign, put it in a tarball
 that will protect the file's modification time, and encrypt and sign
 that.  This gives the recipient your opinion on the timestamp and
 protects it from being changed enroute.  However, the recipient can't
 verify that you or your system are telling the truth.

 I don't know if there's an accepted strategy, but if I had to create one
 from scratch, off the top of my head I'm thinking some type of time
 server.  It would have to publish a signed file of the current time, say
 once per minute, so that you could include the hash in the above noted
 tarball.  The recipient could note the time of that hash file, query the
 time server for the matching hash and compare the two.  If they match,
 then the time matches.

 This would have to be a time server that is trusted by the recipient.  

 I'll be interested to hear from someone who really knows about this.

 Doug.


 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.5 (GNU/Linux)

 iD8DBQFHA+E08najRxwF9nkRAkZnAJ9F83yBOJ7KhTgUngOtFAcCWJeDcwCeOEUS
 MxT2+9gw9WpbIi6BXfeeSSc=
 =0rKL
 -END PGP SIGNATURE-
iD8DBQFHA/Fa8najRxwF9nkRAhEEAJ4+TygfHgFyHF5ih+UElEVQoiSrFQCgrMpq
JzzHM57RLOmKE4dWMOCCalA=
=HV+v
-END PGP SIGNATURE-



Re: sign and timestamp

2007-10-03 Thread Stuart Henderson
On 2007/10/03 21:36, Joachim Schipper wrote:
 On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote:
  Hey there!
  
  I've read a lot about timestamping a document, but dunno how it works in
  practice. How can i apply a timestamp to a digitally signed or encrypted
  document? Like i encrypt or sign a document with gnupg, but before the
  process how can i timestamp it?

google/patent search: haber stornetta

dead trees: there's a little section in Applied Cryptography
(surprise!), the basics are fairly obvious (send TTP a hash, they
append a timestamp and sign the lot) but to prevent collusion
between sender and TTP additional measures are normally used.

 The Big G is your friend [1]:
 
 http://www.itconsult.co.uk/stamper.htm

Now it's October 2007 and RIPA part III is in force, .uk is not
a great jurisdiction to be hosting cryptographic services.



Re: sign and timestamp

2007-10-03 Thread Gábri Máté
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Yes, but I want to solve this without an outsider for practical reasons.

Gabri Mate
[EMAIL PROTECTED]
DUOSOL Bt.
http://www.duosol.hu


Joachim Schipper wrote:
 On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote:
 Hey there!

 I've read a lot about timestamping a document, but dunno how it works in
 practice. How can i apply a timestamp to a digitally signed or encrypted
 document? Like i encrypt or sign a document with gnupg, but before the
 process how can i timestamp it?
 Sorry for the stupid question but i really can't imagine it.
 
 The Big G is your friend [1]:
 
 http://www.itconsult.co.uk/stamper.htm
 
 (Obviously, one could send them a hash instead of the original if one
 were afraid of sending data unencrypted over the net.)
 
   Joachim
 
 [1] Trust The Computer. The Computer is Your Friend.
iD8DBQFHA/488najRxwF9nkRAk/sAKCFzKm7tBxsNHwFCYFdtHP8NWClXwCbBWcC
jHWm4T+Eimk1p1ZQ2GyoKqc=
=s5sI
-END PGP SIGNATURE-



Re: sign and timestamp

2007-10-03 Thread Steve McConville
 I don't know if there's an accepted strategy, but if I had to create one
 from scratch, off the top of my head I'm thinking some type of time
 server.  It would have to publish a signed file of the current time, say
 once per minute, so that you could include the hash in the above noted
 tarball.  The recipient could note the time of that hash file, query the
 time server for the matching hash and compare the two.  If they match,
 then the time matches.

Slightly OT...

That (and variations thereof) would work for a 'not earlier than' lower
bound, but I'm pretty sure there is a good theoretical reason why 'not
later than' shouldn't be possible without a third party, making
timestamping (in the sense of having happened in this given interval)
impossible. I am open to contradiction though :)

-- 
steev
http://www.daikaiju.org.uk/~steve/
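
The two halves of Steve's point, as an added example (not code from anyone in this thread): Doug's "time server publishes a signed file of the current time once per minute" gives a 'not earlier than' bound when the document embeds the latest record, and the trusted-third-party stamper Stuart describes (send a hash, get back hash + time, signed) gives a 'not later than' bound. Only together do they pin the document to an interval. Assumptions: HMAC-SHA256 under keys the verifier already trusts stands in for a real digital signature, which matches the "internal use, known verifiers" case in this thread; the key values, the beacon nonce and the timestamps are constructed for the example.

```python
"""Lower and upper bounds on when a document existed.

  beacon  : time server publishes an authenticated (time, nonce) record at
            a fixed interval.  A document that embeds it cannot have been
            finished before the record was published -> NOT EARLIER THAN.
  stamper : trusted third party receives only a hash, appends its clock
            reading and authenticates the pair -> NOT LATER THAN.

HMAC-SHA256 is a stand-in for a signature (assumption, see lead-in); with
signify/gpg/Ed25519 the verifier would need no secret at all.
"""
import hashlib
import hmac
import json
from typing import Optional, Tuple

BEACON_KEY = b"example beacon key"     # constructed for the example
STAMPER_KEY = b"example stamper key"   # constructed for the example


def _canon(obj) -> bytes:
    """Canonical JSON so producer and verifier authenticate identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, body: dict) -> str:
    return hmac.new(key, _canon(body), hashlib.sha256).hexdigest()


# --- time server ("beacon") side ---------------------------------------------

def beacon_publish(t: int, nonce: bytes) -> dict:
    """One record for time t.  The nonce must be unpredictable (os.urandom in
    practice); it is what stops an author from guessing a future record."""
    body = {"t": t, "nonce": nonce.hex()}
    return dict(body, mac=_mac(BEACON_KEY, body))


def beacon_verify(rec: dict) -> bool:
    body = {"t": rec["t"], "nonce": rec["nonce"]}
    return hmac.compare_digest(rec["mac"], _mac(BEACON_KEY, body))


# --- author side ---------------------------------------------------------------

def make_document(text: str, beacon: dict) -> dict:
    """Bind the document to the newest beacon record before hashing it."""
    return {"body": text, "beacon": beacon}


def document_hash(doc: dict) -> str:
    return hashlib.sha256(_canon(doc)).hexdigest()


# --- trusted third party ("stamper") side -------------------------------------

def stamper_stamp(digest: str, now: int) -> dict:
    """The stamper sees only the hash, never the document contents."""
    body = {"hash": digest, "t": now}
    return dict(body, mac=_mac(STAMPER_KEY, body))


def stamper_verify(tok: dict) -> bool:
    body = {"hash": tok["hash"], "t": tok["t"]}
    return hmac.compare_digest(tok["mac"], _mac(STAMPER_KEY, body))


# --- verifier ------------------------------------------------------------------

def time_interval(doc: dict, tok: dict) -> Optional[Tuple[int, int]]:
    """(not_earlier_than, not_later_than) or None if any check fails."""
    if not beacon_verify(doc["beacon"]):
        return None                    # author could have forged the lower bound
    if not stamper_verify(tok):
        return None                    # token was not issued by the stamper
    if not hmac.compare_digest(tok["hash"], document_hash(doc)):
        return None                    # token belongs to a different document
    lo, hi = doc["beacon"]["t"], tok["t"]
    if lo > hi:
        return None                    # clocks inconsistent; do not trust either
    return lo, hi


def demo():
    """Honest flow, then an edit after stamping, then a token with its time
    field rewritten by the author."""
    beacon = beacon_publish(1191427200, b"\x01" * 16)    # 2007-10-03 16:00 UTC, constructed
    doc = make_document("quarterly figures", beacon)
    tok = stamper_stamp(document_hash(doc), 1191427260)  # stamped 60 s later
    honest = time_interval(doc, tok)

    edited = dict(doc, body="quarterly figures (edited)")
    after_edit = time_interval(edited, tok)

    forged_tok = dict(tok, t=1191427100)                 # claim an earlier time
    forged = time_interval(doc, forged_tok)
    return honest, after_edit, forged
```

The beacon record proves nothing unless the document hash covers it, which is why `make_document` embeds it before `document_hash` runs; the stamper token proves nothing about contents, only that this hash was presented to it by the stamped time.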



Re: sign and timestamp

2007-10-03 Thread Joachim Schipper
On Wed, Oct 03, 2007 at 10:40:28PM +0200, Gábri Máté wrote:
 Yes, but I want to solve this without an outsider for practical reasons.
 
 Gabri Mate
 [EMAIL PROTECTED]
 DUOSOL Bt.
 http://www.duosol.hu
 
 
 Joachim Schipper wrote:
  On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote:
  Hey there!
 
  I've read a lot about timestamping a document, but dunno how it works in
  practice. How can i apply a timestamp to a digitally signed or encrypted
  document? Like i encrypt or sign a document with gnupg, but before the
  process how can i timestamp it?
  Sorry for the stupid question but i really can't imagine it.
  
  The Big G is your friend [1]:
  
  http://www.itconsult.co.uk/stamper.htm
  
  (Obviously, one could send them a hash instead of the original if one
  were afraid of sending data unencrypted over the net.)
  
  Joachim
  
  [1] Trust The Computer. The Computer is Your Friend.
 iD8DBQFHA/488najRxwF9nkRAk/sAKCFzKm7tBxsNHwFCYFdtHP8NWClXwCbBWcC
 jHWm4T+Eimk1p1ZQ2GyoKqc=
 =s5sI
 -END PGP SIGNATURE-

Perhaps off-topic, but do consider improving your signal-to-noise ratio;
I count one useful, albeit misspelled, line - remove the (non-delimited)
sig, broken PGP signature, and useless cruft from replied messages.

What you want to do is a lot more complicated. The easiest solution I
can think of is chaining. For instance, given data_1, data_2, ...,
data_n which must be signed on date_1, date_2, ..., date_n, define

hash_0 = SOME_VALUE
hash_i+1 = f(hash_i ++ data_i+1 ++ date_i+1)

Here, f() is a hash function, for instance RIPEMD-160 or SHA2-256, and
++ denotes some mixing operation (XOR might be a good bet).

Suppose you provide someone with frequent values of hash_i. If you later
make a false claim about either data_j or date_j, and the other person
has hash_i, hash_k, data_1, ..., data_k, and date_i, ..., date_k, where
i < j <= k, then you would be quickly found out.

Of course, more sophisticated algorithms can do the same thing, but
without revealing quite this much. Go read a good book; Practical
Cryptography provides a good overview.

Joachim

Disclaimer: I am not a cryptographer, crypto is hard, and I'm tired. So
no guarantees that the above actually works.

-- 
PotD: x11/matchbox/matchbox-window-manager - window manager with a
classic pda management policy
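
The chaining scheme sketched above, worked through as an added example (not Joachim's code). It keeps his shape, hash_0 = SOME_VALUE and hash_{i+1} = f(hash_i ++ data_{i+1} ++ date_{i+1}), with f = SHA-256 and one deliberate substitution: ++ is length-prefixed concatenation rather than XOR, because with XOR a change to data_j can be paired with a compensating change to date_j that leaves the hash input, and so every later hash, unchanged. The genesis value, the records and the checkpoint indices are constructed for the example. The caveat a practitioner should keep in mind is the one the thread keeps returning to: the chain proves that data and dates have not been altered since the checkpoints hash_i and hash_k were handed out, and the moment the second party received those checkpoints is what anchors the dates to real time.

```python
"""Hash-chained log with checkpoint verification.

hash_0     = GENESIS
hash_{i+1} = SHA-256( lp(hash_i) || lp(data_{i+1}) || lp(date_{i+1}) )

lp(x) = 4-byte big-endian length of x, then x: makes the three fields
unambiguous, unlike XOR or plain concatenation.
"""
import hashlib
from typing import List, Tuple

GENESIS = hashlib.sha256(b"example genesis value").hexdigest()  # SOME_VALUE, constructed


def _lp(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b


def link(prev_hash: str, data: bytes, date: str) -> str:
    """Compute hash_{i+1} from hash_i and the new record."""
    h = hashlib.sha256()
    h.update(_lp(bytes.fromhex(prev_hash)))
    h.update(_lp(data))
    h.update(_lp(date.encode()))
    return h.hexdigest()


class HashChain:
    """entries[i-1] == (data_i, date_i, hash_i); head == hash_n."""

    def __init__(self):
        self.entries: List[Tuple[bytes, str, str]] = []
        self.head = GENESIS

    def append(self, data: bytes, date: str) -> str:
        self.head = link(self.head, data, date)
        self.entries.append((data, date, self.head))
        return self.head

    def checkpoint(self, i: int) -> str:
        """hash_i as handed to the second party (hash_0 is GENESIS)."""
        return GENESIS if i == 0 else self.entries[i - 1][2]


def verify(entries, hash_i: str, i: int, hash_k: str, k: int) -> bool:
    """Second party's check: recompute hash_{i+1} .. hash_k from the records
    it was shown and compare with the checkpoint hash_k it holds."""
    h = hash_i
    for data, date, _ in entries[i:k]:
        h = link(h, data, date)
    return h == hash_k


def demo():
    """Honest chain, then a backdated date_3, then an edited data_2."""
    chain = HashChain()
    for data, date in [(b"row 1", "2007-10-03"), (b"row 2", "2007-10-04"),
                       (b"row 3", "2007-10-05"), (b"row 4", "2007-10-06")]:
        chain.append(data, date)
    h1, h4 = chain.checkpoint(1), chain.checkpoint(4)   # held by the auditor

    honest = verify(chain.entries, h1, 1, h4, 4)

    backdated = list(chain.entries)
    backdated[2] = (b"row 3", "2007-10-02", backdated[2][2])
    backdated_ok = verify(backdated, h1, 1, h4, 4)

    edited = list(chain.entries)
    edited[1] = (b"row 2 (edited)", "2007-10-04", edited[1][2])
    edited_ok = verify(edited, h1, 1, h4, 4)
    return honest, backdated_ok, edited_ok
```

Handing out hash_i more often narrows the window an insider can rewrite without detection; handing out only hash_n lets them rewrite everything and recompute.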



Re: sign and timestamp

2007-10-03 Thread Ted Unangst
On 10/3/07, Gábri Máté [EMAIL PROTECTED] wrote:
 I've read a lot about timestamping a document, but dunno how it works in
 practice. How can i apply a timestamp to a digitally signed or encrypted
 document? Like i encrypt or sign a document with gnupg, but before the
 process how can i timestamp it?

you cannot provably timestamp anything.  you can only provide copies
or hashes at the time you would like to prove creation, either by
sending it to the person you want to prove it to or a trusted third
party.  or generally publishing it, and hoping you can gather enough
witnesses to testify when they first saw it.



Re: sign and timestamp

2007-10-03 Thread Douglas A. Tutty
On Wed, Oct 03, 2007 at 09:45:30PM +0200, Gábri Máté wrote:
 
 A service will gather data in a database and this data has to be signed
 and timestamped for security reasons, and the archives of these data are
 also need to signed and timestamped. The data will be used for internal
 purposes, so another internal server can issue the signs and stamps.
 

OK.  This service gathering the data: is it your own dedicated server or
is it an external service provider.  Assuming that you don't control
(in a security sense) the database itself (if you did, why bother with
this?).

If I understand correctly:  Database the data-gatherer can query.  You
set up a dedicated, physically secure box and provide it with a secure
source of time (GPS?).  

Assuming that you don't want the latency for them to email the box a
hash, have the box append a time stamp, sign it, and mail it back.  You
need a dedicated channel from the time server to the data-gatherer of
latency low enough to meet the time-stamp requirements.  

Do you need to send the timestamp back to the data-gatherer or will they
be sending the data to you by a slower method?  

You could either write a dedicated server or set up a lpd hack.  

They gather the data, tarball it, take a hash and put it in an index
file (like an MD5SUM file in an ftp archive).  They send a file
containing only the hash and the unique tarball file name to the lpr on
the time server.  A dummy spool there hands the file to a 'filter' that
takes that file, extracts the md5sum, file name, appends the time, and
appends that whole line to a file.  For hard copy, each line could be
printed to dedicated dot-matrix printer as it is generated.

Or your time server is running a database and the data-gather can issue
the SQL insert query directly and the database system itself fills in a
time-stamp field.

Doug.



Please sign in your USAA account, verify and update your profile immediately

2005-12-14 Thread United Services Automobile Association
USAA Member Home

[IMAGE]

[IMAGE]

Dear USAA. member, 

 Our policy is to protect personal or financial information of USAA
members. 

It has come to our attention that your account information needs to be 
updated due to inactive members, frauds and spoof reports. 
If you could please take 5-10 minutes out of your online experience and 
renew service.

Once you have updated your records, your USAA session will not be
interrupted
and will continue as normal.

Please sign in your USAA account, verify and update your profile by
clicking this link:

https://www.usaa.com/inet/ent_logon/Logon

Thanks for your patience as we work together to protect your
account.Security Departament,
United Services Automobile Association



Re: bgpd.conf md5sig, iBGP and redistributing routes to/from ospf [forgot to sign it]

2005-11-02 Thread Claudio Jeker
On Wed, Nov 02, 2005 at 12:34:29AM +0100, per engelbrecht wrote:
 Hi all
 
 [20051019 snap i386]
 
 I've made a setup with two identical bgp routers. On each router there's 
 3 peers (BGP and eBGP), one failover (carp/iBGP/ospf) interconnecting 
 these routers and finally pipes backwards to the internal nets. Part of 
 bgpd.conf further down.
 I'm replacing a single router (no ospf) fbsd/zebra setup.
 

That should be no problem.

 
 Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a 
 'no synchronization' option for this connection. Do I need it at all.
 Been poking around in /usr/src/usr.sbin/bgpd without solving it, but 
 it's needed in zebra and Cisco IOS hence the question.
 A: ?
 

There is no 'no synchronization' option. We never enforce the
synchronisation of iBGP with an IGP. That's retarded. Like pumping 170'000
routes into OSPF and thinking all will be fine. Sure you may get bitten if
you have routers that do not run iBGP in between the two iBGP routers but
that's more a design problem and is solvable.

 
> Q: adding md5sig password, how can I activate these stepwise without
> having to take bgpd down/up and affecting all connections - ospfctl does
> not seem have it as an option. Would like to add md5sig one carrier at a
> time on a live system.
> A: ?
>

Just add the 'tcp md5sig password fluffy' to a neighbor and
bgpctl reload. Afterwards a bgpctl neighbor fluffy_peer clear will clear
the session and activate tcp md5. You can do that one peer at a time.

 
> Q: running ospf with all peers + carp intfaces in area 0.0.0.0 and
> internal intfaces in area 0.0.0.1 (and from ospfd.conf)
> [...]
> fib-update yes
> redistribute connected
> [...]
> This is about redistributing routes - will the above let BGP and OSPF
> play along in the same way a 'redistribute ospf' in Zebra/Cisco IOS
> A: ?
>

redistribute ospf is currently not implemented. bgpd is currently not
able to redistribute routes added by ospfd. This is on the todo list.

 
> Q: default gateway is added to the routing table after all interfaces
> are configured. BGP is adding information into the routing table and so
> does OSPF (updates). That's 3 times redistributing of routes between
> different protocols and with 3 different administrative distances but
> still in/from the same table. Since directly connected (0) or static (1)
> connections are superior to e.g. eBGP (20) and OSPF (110) then should or
> shouldn't /etc/mygate be removed from a BGP router before putting it
> into production. Will it/can it mock the routing decision despite
> 'weight' in bgpd.conf due to the lower distance.
> A: ?
>

Neither ospfd nor bgpd know about administrative distances. Currently it
is only safe to use the two together if there are no equal routes. If
both bgpd and ospfd try to add the same route to the kernel routing table
it will result in undefined behaviour. (mostly the first one wins).
Again this is on the todo list (even before the redistribute thing).


 
> Part of bgpd.conf:
>
> [...]
> neighbor $peer0 {
> remote-as ABCD
> descr "ebgp sucks"
> set nexthop aaa.aaa.aaa.aab
> multihop 10
> local-address aaa.aaa.aaa.aaa
> announce self
> announce IPv6 none
> enforce neighbor-as yes
> set weight 100
> #tcp md5sig password HotPotatoes
> }
> ...
> ...
> neighbor $carp {
> remote-as our_own_AS
> descr "internal"
> local-address 172.16.0.1
> depend on em5

I think this is not doing what you think. depend on is only useful on
carp(4) interfaces. It does not make sense for physical interfaces.

> announce all

That's actually the default :)

> announce IPv6 none
> enforce neighbor-as no

That one as well.

> set weight 200
> #tcp md5sig password NoPotatoes
> }
>
> I have a:
> deny from any prefix 172.16.0.0/12 prefixlen = 12
> but the carp interface uses a /8 i.e. should be safe :)
>

Iick. That will cause troubles with everything in the 172/8 range.
You can add a rule like:
allow from $carp prefix 172.16.0.0/24
afterwards. That would be much nicer.


-- 
:wq Claudio
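The filter exchange at the end of this reply (the 'deny from any prefix 172.16.0.0/12 prefixlen = 12' rule, the /8 on the carp interface, and the 'allow from $carp prefix 172.16.0.0/24' rule Claudio proposes adding afterwards) turns on how bgpd evaluates filter rules. The following is an added example, not code from the thread and not OpenBGPD's own code: a small Python model of bgpd-style prefix filtering. It assumes, as I read bgpd.conf(5), that rules are evaluated in order with the last matching rule deciding, that a 'prefix' clause without 'prefixlen' matches exactly, and that 'prefixlen OP N' additionally requires the announced prefix to lie inside the rule's prefix. $peer0 and $carp are the peers from the posted configuration; the behaviour when no rule matches is passed in as a parameter, and the "stricter" rule set is my own variant for comparison.

```python
# Added example, not code from the thread or from OpenBGPD: a small model of
# how a bgpd-style filter decides whether an announced prefix is accepted.
# Assumptions (labelled; check bgpd.conf(5) for the release you run):
#   * rules are evaluated in order and the LAST matching rule wins;
#   * "prefix X/Y" with no prefixlen clause matches X/Y exactly;
#   * "prefixlen OP N" additionally requires the announced prefix to lie
#     inside X/Y and to have a length satisfying the comparison;
#   * what happens when no rule matches is passed in as `default`.
import ipaddress
import operator
from dataclasses import dataclass
from typing import List, Optional

OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}


@dataclass
class Rule:
    action: str                         # "allow" or "deny"
    peer: Optional[str]                 # None stands for "from any"
    prefix: ipaddress.IPv4Network
    prefixlen_op: Optional[str] = None  # None: exact-match semantics
    prefixlen: Optional[int] = None

    def matches(self, peer: str, announced: ipaddress.IPv4Network) -> bool:
        if self.peer is not None and self.peer != peer:
            return False
        if self.prefixlen_op is None:
            return announced == self.prefix
        if not announced.subnet_of(self.prefix):
            return False
        return OPS[self.prefixlen_op](announced.prefixlen, self.prefixlen)


def parse_rule(line: str) -> Rule:
    """Parse only the rule shapes used in the thread:
    <allow|deny> from <any|$peer> prefix A.B.C.D/N [prefixlen OP N]"""
    tok = line.split()
    if len(tok) < 5 or tok[0] not in ("allow", "deny") \
            or tok[1] != "from" or tok[3] != "prefix":
        raise ValueError(f"unsupported rule: {line!r}")
    peer = None if tok[2] == "any" else tok[2].lstrip("$")
    rule = Rule(tok[0], peer, ipaddress.IPv4Network(tok[4]))
    if len(tok) > 5:
        if len(tok) != 8 or tok[5] != "prefixlen" or tok[6] not in OPS:
            raise ValueError(f"unsupported prefixlen clause: {line!r}")
        rule.prefixlen_op, rule.prefixlen = tok[6], int(tok[7])
    return rule


def decide(rules: List[Rule], peer: str, announced: str,
           default: str = "allow") -> str:
    """Action of the last matching rule, or `default` if none matches."""
    net = ipaddress.IPv4Network(announced)
    result = default
    for rule in rules:
        if rule.matches(peer, net):
            result = rule.action
    return result


# The thread's rule, the rule Claudio proposes adding after it, and a
# stricter variant of my own (">= 12" instead of "= 12") for comparison.
ORIGINAL = [parse_rule("deny from any prefix 172.16.0.0/12 prefixlen = 12")]
SUGGESTED = ORIGINAL + [parse_rule("allow from $carp prefix 172.16.0.0/24")]
STRICTER = [parse_rule("deny from any prefix 172.16.0.0/12 prefixlen >= 12"),
            parse_rule("allow from $carp prefix 172.16.0.0/24")]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("suggested", SUGGESTED),
                        ("stricter", STRICTER)):
        for peer, pfx in (("peer0", "172.16.0.0/12"), ("peer0", "172.16.5.0/24"),
                          ("carp", "172.16.0.0/24"), ("carp", "172.0.0.0/8")):
            print(f"{name:9} {peer:5} {pfx:15} -> {decide(rules, peer, pfx)}")
```

Two things fall out of running it. With 'prefixlen = 12' the posted deny rule matches only the exact /12, so a more specific 172.16.x.0/24 from an external peer is never touched by it and falls through to the default; the stricter '>= 12' variant catches it while Claudio's later allow rule still lets the carp peer's own /24 through because the last match decides. And an aggregate 172.0.0.0/8 is outside 172.16.0.0/12 entirely, so no rule in any of the three sets sees it; whatever the default is in your release is what it gets.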



Re: bgpd.conf md5sig, iBGP and redistributing routes to/from ospf [forgot to sign it]

2005-11-02 Thread per engelbrecht

Claudio Jeker wrote:

> On Wed, Nov 02, 2005 at 12:34:29AM +0100, per engelbrecht wrote:
>
>> Hi all
>>
>> [20051019 snap i386]
>>
>> I've made a setup with two identical bgp routers. On each router there's
>> 3 peers (BGP and eBGP), one failover (carp/iBGP/ospf) interconnecting
>> these routers and finally pipes backwards to the internal nets. Part of
>> bgpd.conf further down.
>>
>> I'm replacing a single router (no ospf) fbsd/zebra setup.
>
> That should be no problem.
>
>> Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a
>> 'no synchronization' option for this connection. Do I need it at all.
>> Been poking around in /usr/src/usr.sbin/bgpd without solving it, but
>> it's needed in zebra and Cisco IOS hence the question.
>>
>> A: ?
>
> There is no 'no synchronization' option. We never enforce the
> synchronisation of iBGP with an IGP. That's retarded. Like pumping 170'000
> routes into OSPF and thinking all will be fine. Sure you may get bitten if
> you have routers that do not run iBGP in between the two iBGP routers but
> that's more a design problem and is solvable.


Hi Claudio

Most documentation on BGP or OSPF is geared towards IOS systems or pro
ISO systems like Zebra, with whatever options and syntax that comes with
the territory. Finding alternatives for options like e.g. 'no
synchronization' and 'no auto-summary' when changing from (in my case)
Zebra to OpenBGPD, is not covered too well in an otherwise fine
documentation, but thank you for clarifying.
A small paragraph in the bgpd.conf man page for people coming to
OpenBGPD dealing with this would be nice.





>> Q: adding md5sig password, how can I activate these stepwise without
>> having to take bgpd down/up and affecting all connections - ospfctl does
>> not seem have it as an option. Would like to add md5sig one carrier at a
>> time on a live system.
>>
>> A: ?
>
> Just add the 'tcp md5sig password fluffy' to a neighbor and
> bgpctl reload. Afterwards a bgpctl neighbor fluffy_peer clear will clear
> the session and activate tcp md5. You can do that one peer at a time.


Check.
(thank you)




>> Q: running ospf with all peers + carp intfaces in area 0.0.0.0 and
>> internal intfaces in area 0.0.0.1 (and from ospfd.conf)
>>
>> [...]
>> fib-update yes
>> redistribute connected
>> [...]
>> This is about redistributing routes - will the above let BGP and OSPF
>> play along in the same way a 'redistribute ospf' in Zebra/Cisco IOS
>>
>> A: ?
>
> redistribute ospf is currently not implemented. bgpd is currently not
> able to redistribute routes added by ospfd. This is on the todo list.


Perfect.




>> Q: default gateway is added to the routing table after all interfaces
>> are configured. BGP is adding information into the routing table and so
>> does OSPF (updates). That's 3 times redistributing of routes between
>> different protocols and with 3 different administrative distances but
>> still in/from the same table. Since directly connected (0) or static (1)
>> connections are superior to e.g. eBGP (20) and OSPF (110) then should or
>> shouldn't /etc/mygate be removed from a BGP router before putting it
>> into production. Will it/can it mock the routing decision despite
>> 'weight' in bgpd.conf due to the lower distance.
>>
>> A: ?
>
> Neither ospfd nor bgpd know about administrative distances. Currently it
> is only safe to use the two together if there are no equal routes. If
> both bgpd and ospfd try to add the same route to the kernel routing table
> it will result in undefined behaviour. (mostly the first one wins).
> Again this is on the todo list (even before the redistribute thing).


I guess reading BGP from Cisco literature would match learning TCP/IP
with books from Microsoft ...
The BGP implementation in Cisco IOS uses an administrative distance,
hence the question.


If you mean equal routes from a 'weight' point of view, then I have a
problem. So far all my peers have the same weight.







>> Part of bgpd.conf:
>>
>> [...]
>> neighbor $peer0 {
>>    remote-as ABCD
>>    descr "ebgp sucks"
>>    set nexthop aaa.aaa.aaa.aab
>>    multihop 10
>>    local-address aaa.aaa.aaa.aaa
>>    announce self
>>    announce IPv6 none
>>    enforce neighbor-as yes
>>    set weight 100
>>    #tcp md5sig password HotPotatoes
>> }
>> ...
>> ...
>> neighbor $carp {
>>    remote-as our_own_AS
>>    descr "internal"
>>    local-address 172.16.0.1
>>    depend on em5
>
> I think this is not doing what you think. depend on is only useful on
> carp(4) interfaces. It does not make sense for physical interfaces.


I have carp1 on em5. I'll change em5 -> carp1 right away. Thank you.





>>    announce all
>
> That's actually the default :)


I know. In every conf file I write what I want it to do (even defaults) 
and remove anything else. Makes it easy to parse for !me without having 
to know system 'default'.






>>    announce IPv6 none
>>    enforce neighbor-as no
>
> That one as well.


Ditto.
:)





>>    set weight 200
>>    #tcp md5sig password NoPotatoes
>> }
>>
>> I have a:
>> deny from any prefix 172.16.0.0/12 prefixlen = 12
>> but the carp interface uses a /8 i.e. should be safe :)
>
> Iick. That will cause troubles with 

Re: bgpd.conf md5sig, iBGP and redistributing routes to/from ospf [forgot to sign it]

2005-11-02 Thread Henning Brauer
* per engelbrecht [EMAIL PROTECTED] [2005-11-02 00:52]:
> I've made a setup with two identical bgp routers. On each router there's
> 3 peers (BGP and eBGP), one failover (carp/iBGP/ospf) interconnecting
> these routers and finally pipes backwards to the internal nets. Part of
> bgpd.conf further down.
> I'm replacing a single router (no ospf) fbsd/zebra setup.

should just work.

> Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a
> 'no synchronization' option for this connection. Do I need it at all.
> Been poking around in /usr/src/usr.sbin/bgpd without solving it, but
> it's needed in zebra and Cisco IOS hence the question.

not needed. retarded idea in the first place...
I mean, you don't need ip classless on OpenBSD either to tell it 
we're not in the 80s any more :)

> Q: adding md5sig password, how can I activate these stepwise without
> having to take bgpd down/up and affecting all connections - ospfctl does
> not seem have it as an option. Would like to add md5sig one carrier at a
> time on a live system.

# bgpctl reload
next time the session(s) in question traverses IDLE the settings become 
active. you can force that using
# bgpctl neighbor foo clear

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
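Both Henning's and Claudio's answers come down to the same point: after 'bgpctl reload' the new 'tcp md5sig password' is only used once the session passes through IDLE, so clearing the neighbor is what activates it, one peer at a time. The reason is that the shared secret is an input to the digest carried in every segment of the session, so both ends must switch at a session boundary. The following is an added example, not code from the thread and not OpenBSD's own code: a user-space Python model of the RFC 2385 TCP MD5 signature that the 'tcp md5sig' keyword enables in the kernel. The peer addresses, ports, sequence numbers and the BGP KEEPALIVE payload are constructed sample values; 'fluffy' and 'NoPotatoes' are the passwords from the thread.

```python
# Added example, not code from the thread or from OpenBSD: what the shared
# secret behind "tcp md5sig password" signs, per RFC 2385 section 2.  Every
# segment of a protected session carries option kind 19 holding MD5 over:
#   1. the TCP pseudo-header (src IP, dst IP, zero, protocol 6, segment length),
#   2. the TCP header with the checksum field zeroed and options left out,
#   3. the segment payload,
#   4. the shared key.
# The kernel does this on the wire; this is a user-space model for reading.
# Addresses, ports, sequence numbers and the payload are constructed values.
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCP_OPT_MD5 = 19        # option kind assigned to the TCP MD5 signature
TCP_OPT_MD5_LEN = 18    # kind + length + 16-byte digest


def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                   payload, key, tcp_hlen=40):
    """RFC 2385 digest. tcp_hlen is the full header length including options
    (20 fixed + 20 for the padded MD5 option); it feeds the data-offset field
    and the pseudo-header segment length, but the option bytes themselves
    are not hashed."""
    seg_len = tcp_hlen + len(payload)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, TCP_PROTO, seg_len)
    data_offset = (tcp_hlen // 4) << 4
    fixed_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                            data_offset, flags, window, 0, 0)  # checksum = 0
    return hashlib.md5(pseudo + fixed_hdr + payload + key).digest()


def build_md5_option(digest):
    """Kind 19, length 18, digest, then two NOPs to pad to a 4-byte boundary."""
    return bytes([TCP_OPT_MD5, TCP_OPT_MD5_LEN]) + digest + b"\x01\x01"


def verify_segment(session, payload, key, received):
    """Recompute the digest with our key and compare in constant time."""
    expected = tcp_md5_digest(*session, payload, key)
    return hmac.compare_digest(expected, received)


# Constructed sample: the carp/iBGP peering from the thread with made-up peer
# addresses, carrying a BGP KEEPALIVE (16-byte marker, length 19, type 4).
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"
SESSION = ("172.16.0.1", "172.16.0.2", 179, 40000, 0x1000, 0x2000, 0x18, 65535)


def demo():
    key = b"fluffy"                     # the password from Claudio's example
    sig = tcp_md5_digest(*SESSION, KEEPALIVE, key)
    other_end = ("172.16.0.1", "172.16.0.9") + SESSION[2:]
    return {
        "option_len": len(build_md5_option(sig)),
        "same_key": verify_segment(SESSION, KEEPALIVE, key, sig),
        # one side changed its password but the session was not cleared
        "other_key": verify_segment(SESSION, KEEPALIVE, b"NoPotatoes", sig),
        # payload modified in flight
        "tampered": verify_segment(SESSION, KEEPALIVE[:-1] + b"\x05", key, sig),
        # same key and payload, but a different destination address
        "other_peer": verify_segment(other_end, KEEPALIVE, key, sig),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:10} {ok}")
```

The "other_key" case is the one this thread is about: the moment one router has the new password configured while its peer still signs with the old one, every segment fails verification, which is why the change has to land at a session reset rather than mid-stream. MD5 is what RFC 2385 specifies, not a choice made here; the digest is keyed and covers the addresses, ports and payload, so it protects the session against spoofed segments from a third party, and RFC 5925 (TCP-AO) is the later standard that replaces this option.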



bgpd.conf md5sig, iBGP and redistributing routes to/from ospf [forgot to sign it]

2005-11-01 Thread per engelbrecht

Hi all

[20051019 snap i386]

I've made a setup with two identical bgp routers. On each router there's 
3 peers (BGP and eBGP), one failover (carp/iBGP/ospf) interconnecting 
these routers and finally pipes backwards to the internal nets. Part of 
bgpd.conf further down.

I'm replacing a single router (no ospf) fbsd/zebra setup.


Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a 
'no synchronization' option for this connection. Do I need it at all.
Been poking around in /usr/src/usr.sbin/bgpd without solving it, but 
it's needed in zebra and Cisco IOS hence the question.

A: ?


Q: adding md5sig password, how can I activate these stepwise without 
having to take bgpd down/up and affecting all connections - ospfctl does 
not seem have it as an option. Would like to add md5sig one carrier at a 
time on a live system.

A: ?


Q: running ospf with all peers + carp intfaces in area 0.0.0.0 and 
internal intfaces in area 0.0.0.1 (and from ospfd.conf)

[...]
fib-update yes
redistribute connected
[...]
This is about redistributing routes - will the above let BGP and OSPF 
play along in the same way a 'redistribute ospf' in Zebra/Cisco IOS

A: ?


Q: default gateway is added to the routing table after all interfaces 
are configured. BGP is adding information into the routing table and so 
does OSPF (updates). That's 3 times redistributing of routes between 
different protocols and with 3 different administrative distances but 
still in/from the same table. Since directly connected (0) or static (1) 
connections are superior to e.g. eBGP (20) and OSPF (110) then should or 
shouldn't /etc/mygate be removed from a BGP router before putting it 
into production. Will it/can it mock the routing decision despite 
'weight' in bgpd.conf due to the lower distance.

A: ?


Part of bgpd.conf:

[...]
neighbor $peer0 {
remote-as ABCD
descr "ebgp sucks"
set nexthop aaa.aaa.aaa.aab
multihop 10
local-address aaa.aaa.aaa.aaa
announce self
announce IPv6 none
enforce neighbor-as yes
set weight 100
#tcp md5sig password HotPotatoes
}
...
...
neighbor $carp {
remote-as our_own_AS
descr "internal"
local-address 172.16.0.1
depend on em5
announce all
announce IPv6 none
enforce neighbor-as no
set weight 200
#tcp md5sig password NoPotatoes
}

I have a:
deny from any prefix 172.16.0.0/12 prefixlen = 12
but the carp interface uses a /8 i.e. should be safe :)


/per
[EMAIL PROTECTED]