Re: using SPF or DKIM instead of greylisting?
On Fri, May 30, 2014 at 11:26:18AM +0200, Jiří Navrátil wrote:
> Hello,
>
> I'm using pf greylisting on OpenBSD. More and more emails from Google are delayed and a few are not delivered at all. This Google article, https://support.google.com/mail/answer/180063, suggests replacing greylisting with SPF or DKIM.
>
> What is your anti-spam strategy, please? Are SPF and DKIM configuration examples available for OpenSMTPD?
>
> Thank you for your recommendations.

I only use greylisting and for big hosts like gmail and yahoo, I have a script that queries their SPF records to whitelist the MX servers that they advertise.

--
Gilles Chehade
https://www.poolp.org @poolpOrg

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: using SPF or DKIM instead of greylisting?
On 30 May 2014 at 11:38:43, Gilles Chehade (gil...@poolp.org) wrote:
>> What is your anti-spam strategy, please? Are SPF and DKIM configuration examples available for OpenSMTPD?
>>
>> Thank you for your recommendations.
>
> I only use greylisting and for big hosts like gmail and yahoo, I have a script that queries their SPF records to whitelist the MX servers that they advertise.

Thank you for the quick reply.

That looks like a reasonable way for me. Could you share your script, please?

Jiri Navratil
Re: using SPF or DKIM instead of greylisting?
On Fri, 30 May 2014 11:45:13 +0200, Jiří Navrátil <jiri@navratil.cz> wrote:
> On 30 May 2014 at 11:38:43, Gilles Chehade (gil...@poolp.org) wrote:
>>> What is your anti-spam strategy, please? Are SPF and DKIM configuration examples available for OpenSMTPD?
>>>
>>> Thank you for your recommendations.
>>
>> I only use greylisting and for big hosts like gmail and yahoo, I have a script that queries their SPF records to whitelist the MX servers that they advertise.
>
> Thank you for the quick reply.
>
> That looks like a reasonable way for me. Could you share your script, please?

I have quite the same setup as Gilles, though I'm lazier, so I use the list from Peter N. M. Hansteen: http://www.bsdly.net/~peter/nospamd

> Jiri Navratil

Cheers,
--
Vigdis

I am using bgp-spamd.net whitelisting for my domain in addition to spamd. It currently has ~91825 whitelisted IPs. I had a similar experience with github trying to send a mail with a different IP each time when spamd grey-trapped the first attempt. The bgp-spamd whitelisted IPs had all the IPs with which github was trying to send mail.
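The kind of script Gilles describes and Jiří asks for, written here as an added example (it is not Gilles's script, nor anything from the OpenSMTPD project): it walks a domain's SPF policy, collects the literal `ip4:`/`ip6:` networks, and prints them one per line, which is the format `pfctl -t nospamd -T replace -f FILE` loads into a pf table (the table name `nospamd` is assumed, matching the list Vigdis links). The domains and TXT records in `FIXTURE_TXT` are constructed so the script runs offline; for real use, replace the body of `lookup_txt()` with a resolver call. It enforces the RFC 7208 ten-lookup budget, stops on `include:` loops, ignores non-pass qualifiers, and reports rather than silently drops anything it could not expand (`a`, `mx`, `ptr`, `exists`, `+all`, malformed networks).

```python
"""Expand a sender domain's SPF policy into a pf table for spamd whitelisting.

Added example; not the script mentioned in the thread. DNS is stubbed with a
constructed fixture so it runs offline.
"""
import ipaddress
import re
import sys

MAX_LOOKUPS = 10  # RFC 7208 4.6.4: at most ten DNS-querying terms per check

# Constructed fixture of TXT records for hypothetical domains (not real data).
FIXTURE_TXT = {
    "example.org": ["v=spf1 include:_spf.example.org ip4:203.0.113.10 ~all"],
    "_spf.example.org": ["v=spf1 include:_netblocks.example.org include:_netblocks2.example.org ~all"],
    "_netblocks.example.org": ["v=spf1 ip4:198.51.100.0/24 ip4:198.51.100.0/25 ~all"],
    "_netblocks2.example.org": ["v=spf1 ip6:2001:db8:10::/48 ip4:192.0.2.0/28 -all"],
    "redirect.example": ["v=spf1 redirect=_netblocks2.example.org"],
    "loop.example": ["v=spf1 include:loop.example -all"],
    "mx-only.example": ["v=spf1 mx -all"],
}


def lookup_txt(name, fixture=FIXTURE_TXT):
    """TXT lookup stub. Replace the body with a real resolver for production use."""
    return fixture.get(name.lower(), [])


def spf_record(name, fixture=FIXTURE_TXT):
    """The one v=spf1 record for name; None if absent or ambiguous (RFC 7208 4.5)."""
    recs = [t for t in lookup_txt(name, fixture) if t.lower().split()[:1] == ["v=spf1"]]
    return recs[0] if len(recs) == 1 else None


def expand_spf(domain, fixture=FIXTURE_TXT):
    """Return (networks, skipped).

    networks: collapsed ip4/ip6 networks the policy lists literally.
    skipped:  (reason, detail) pairs for everything not expanded: include
              loops, the lookup budget, mechanisms needing more DNS (a, mx,
              ptr, exists), "+all", malformed networks, missing records.
    Only terms with the pass qualifier ("+", the default) are whitelisted.
    """
    nets, skipped, seen = [], [], set()
    budget = MAX_LOOKUPS

    def walk(name):
        nonlocal budget
        name = name.lower()
        if name in seen:                   # include loop: stop, do not recurse
            skipped.append(("loop", name)); return
        seen.add(name)
        if budget == 0:
            skipped.append(("lookup-limit", name)); return
        budget -= 1
        rec = spf_record(name, fixture)
        if rec is None:
            skipped.append(("no-record", name)); return
        terms = [t.lstrip("+") for t in rec.split()[1:]]
        has_all = any(t.lstrip("-~?") == "all" for t in terms)
        redirect = None
        for term in terms:
            if term[:1] in "-~?":          # fail/softfail/neutral: never whitelist
                continue
            m = re.fullmatch(r"ip([46]):(.+)", term)
            if m:
                try:
                    nets.append(ipaddress.ip_network(m.group(2), strict=False))
                except ValueError:
                    skipped.append(("bad-network", term))
            elif term.startswith("include:"):
                walk(term.split(":", 1)[1])
            elif term.startswith("redirect="):
                redirect = term.split("=", 1)[1]
            elif term == "all":            # "+all" authorises the world: flag it
                skipped.append(("pass-all", name))
            else:
                skipped.append(("needs-dns", f"{name}:{term}"))
        if redirect and not has_all:       # RFC 7208 6.1: redirect ignored when "all" is present
            walk(redirect)

    walk(domain)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6)), skipped


def pf_table_lines(networks):
    """One CIDR per line, as `pfctl -t <table> -T replace -f` reads it."""
    return [str(n) for n in networks]


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.org"
    networks, skipped = expand_spf(domain)
    print("\n".join(pf_table_lines(networks)))
    for reason, detail in skipped:
        print(f"# skipped ({reason}): {detail}", file=sys.stderr)
```

Two caveats worth keeping in mind when running something like this from cron: an SPF record lists who may send *as* the domain, not every host the provider connects from, so a whitelist built this way is a convenience for greylisting, not an authentication check; and records that rely on `a`/`mx` mechanisms need those names resolved too, which this example reports under `needs-dns` instead of guessing.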
Meaning of from local
The directive for "from local" in the smtpd.conf(5) man page states:

    The rule matches only locally originating connections.

But what exactly does "locally originating" mean?

My network consists of two subnets: 10.0.9.0/24 and 10.0.10.0/24. The OpenSMTPD server is at 10.0.9.20. The email client is at 10.0.10.24. The mail server will relay mail to the Internet for the client with the following single rule:

    accept from local for any relay

Should the mail server be relaying mail for this client? Is the client, which is on a different subnet than the mail server, considered local?
Re: Meaning of from local
From local means 2 things:
1. From 127.0.0.0/8 or from authenticated,

On May 30, 2014 5:09 AM, Clint Pachl <pa...@ecentryx.com> wrote:
> Clint Pachl wrote, On 05/30/14 05:02:
>> The directive for "from local" in the smtpd.conf(5) man page states:
>>
>>     The rule matches only locally originating connections.
>>
>> But what exactly does "locally originating" mean?
>>
>> My network consists of two subnets: 10.0.9.0/24 and 10.0.10.0/24. The OpenSMTPD server is at 10.0.9.20. The email client is at 10.0.10.24. The mail server will relay mail to the Internet for the client with the following single rule:
>>
>>     accept from local for any relay
>>
>> Should the mail server be relaying mail for this client? Is the client, which is on a different subnet than the mail server, considered local?
>
> I also forgot to add that this client is also authenticating with the mail server using this rule:
>
>     listen on mail port submission tls-require pki tm auth passwd
>
> Perhaps a successfully authenticated session automatically makes the client local?
Re: OpenSMTPD Problem
> can you show your configuration file please ?

Certainly:

/etc/mail/smtpd.conf

    pki testweb.secure5.net certificate /etc/ssl/testweb.secure5.net.crt
    pki testweb.secure5.net key /etc/ssl/private/testweb.secure5.net.key
    listen on all tls smtps secure pki testweb.secure5.net auth-optional
    table aliases db:/etc/mail/aliases.db
    table src file:/etc/mail/relay
    accept from any for domain testweb.secure5.net virtual aliases deliver to mbox
    accept for local virtual aliases deliver to mbox
    accept from source src for any relay

/etc/mail/relay

    127.0.0.1

/etc/mail/aliases

    t...@testweb.secure5.net nj
    n...@testweb.secure5.net n...@obsd.com,n...@telin.com
    @testweb.secure5.net nj
    ... then the system aliases

--
Nicholas Janzen
Personal Site: http://obsd.com
Email: n...@obsd.com
Short URLs: http://clearurl.net/
VE6OBS VE6TS (Basic+Advanced)
Weather Site: http://nicholasjanzen.ca
Balloon Site: http://arawr.ca
Re: Meaning of from local
Actually, "from local" means 2 things:

1- from _any_ IP address that is assigned to the local machine
2- from clients that have authenticated themselves to the local machine

Gilles

On Fri, May 30, 2014 at 05:45:43AM -0700, Barbier, Jason wrote:
> From local means 2 things:
> 1. From 127.0.0.0/8 or from authenticated,
>
> On May 30, 2014 5:09 AM, Clint Pachl <pa...@ecentryx.com> wrote:
>> I also forgot to add that this client is also authenticating with the mail server using this rule:
>>
>>     listen on mail port submission tls-require pki tm auth passwd
>>
>> Perhaps a successfully authenticated session automatically makes the client local?

--
Gilles Chehade
https://www.poolp.org @poolpOrg
Re: OpenSMTPD Problem
On Fri, May 30, 2014 at 07:22:28AM -0600, Nicholas Janzen wrote:
>> can you show your configuration file please ?
>
> Certainly:
>
> [...]
>
> /etc/mail/relay
>
>     127.0.0.1
>
> [...]

When you use the local enqueuer with mutt, you're not connecting from 127.0.0.1 but you're using a unix socket; your ruleset says that it will only accept to relay from IP addresses listed in your /etc/mail/relay file, therefore the local enqueuer is rejected.

--
Gilles Chehade
https://www.poolp.org @poolpOrg
Re: OpenSMTPD Problem
> When you use the local enqueuer with mutt, you're not connecting from 127.0.0.1 but you're using a unix socket; your ruleset says that it will only accept to relay from IP addresses listed in your /etc/mail/relay file, therefore the local enqueuer is rejected.

Thanks for your help, that was exactly what had happened. For the record, I added:

    accept for any relay

and mail is now working.

--
Nicholas Janzen
Personal Site: http://obsd.com
Email: n...@obsd.com
Short URLs: http://clearurl.net/
VE6OBS VE6TS (Basic+Advanced)
Weather Site: http://nicholasjanzen.ca
Balloon Site: http://arawr.ca
Re: OpenSMTPd as a backup MX
Hi Gilles,

> Is your machine named mx2.backdom.fr ?

Your guess is perfectly right :) The machine is not named mx2.backdom.fr.

> The configuration file and logs are very important to debug this, there is so much we can guess :-p

I will send these in private.

Thank you,
Denis
Re: Meaning of from local
Panagiotis Atmatzidis wrote, On 05/30/14 05:58:
>> My network consists of two subnets: 10.0.9.0/24 and 10.0.10.0/24. The OpenSMTPD server is at 10.0.9.20. The email client is at 10.0.10.24. The mail server will relay mail to the Internet for the client with the following single rule:
>>
>>     accept from local for any relay
>
> No it will not accept emails from 10.0.9/24 or x.x.10/24

The problem is that the mail server *is* accepting/relaying mail from the client, which is on a different subnet. So this behavior doesn't seem correct. I discovered that authentication may be changing the behavior of "from local". But I'm not getting intuitive error messages (see below) from smtpd, so I'm unsure of the exact behavior. I just want confirmation of the meaning of "from local" with regards to successfully authenticated clients regardless of their locality from the server.

Here is my entire conf that allows the behavior described above:

    ### /etc/mail/smtpd.conf ###
    table aliases /etc/mail/aliases
    table domains /etc/mail/domains
    table passwd /etc/mail/passwd
    table users /etc/mail/users
    pki tm certificate /etc/ssl/mail.targetmeister.com.crt
    pki tm key /etc/ssl/private/mail.targetmeister.com.key
    listen on localhost
    listen on mail port smtp tls pki tm
    listen on mail port submission tls-require pki tm auth passwd
    accept from local for local alias aliases deliver to mbox
    accept from any for domain domains virtual users \
        deliver to maildir /var/spool/vmail/%{dest.domain}/%{dest.user}
    accept from local for any relay
    ### END ###

And here is the session output from smtpd when a client on a different subnet from the server submits an email for relay *with authentication* on submission port 587:

    # smtpd -d
    info: OpenSMTPD 5.4.2 starting
    info: startup
    smtp-in: New session 49c757a0a5705603 from host 10.0.10.24 [10.0.10.24]
    smtp-in: Started TLS on session 49c757a0a5705603: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
    smtp-in: Accepted authentication for user xx...@pachl.us on session 49c757a0a5705603
    smtp-in: Accepted message 759ccb3c on session 49c757a0a5705603: from=xx...@pachl.us, to=xx...@devio.us, size=219, ndest=1, proto=ESMTP
    smtp-out: Connecting to smtp+tls://66.7.199.108:25 (devio.us) on session e5969f5c34763839...
    smtp-out: Connected on session e5969f5c34763839
    smtp-out: Started TLS on session e5969f5c34763839: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
    smtp-out: Server certificate verification failed on session e5969f5c34763839
    relay: Ok for 759ccb3c571ca1f8: session=e5969f5c34763839, from=xx...@pachl.us, to=xx...@devio.us, rcpt=-, source=10.0.9.20, relay=66.7.199.108 (devio.us), delay=2s, stat=250 2.0.0 Ok: queued as A9B071B5B88
    smtp-out: Closing session e5969f5c34763839: 1 message sent.

But, if I make authentication optional (auth-optional) on the submission port and authentication on the client is turned off, I get the following session output:

    # smtpd -d
    info: OpenSMTPD 5.4.2 starting
    info: startup
    smtp-in: New session 26c46acb7b5bf97b from host 10.0.10.24 [10.0.10.24]
    smtp-in: Started TLS on session 26c46acb7b5bf97b: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
    smtp-in: Failed command on session 26c46acb7b5bf97b: RCPT TO:xxx...@devio.us => 550 Invalid recipient
    smtp-in: Received disconnect from session 26c46acb7b5bf97b
    smtp-in: New session 26c46acc2bed96ec from host 10.0.10.24 [10.0.10.24]
    smtp-in: Started TLS on session 26c46acc2bed96ec: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
    smtp-in: Failed command on session 26c46acc2bed96ec: RCPT TO:xxx...@devio.us => 550 Invalid recipient

As you can see, it does not relay the mail. It instead gives me a "550 Invalid recipient" error, which doesn't seem apropos. It seems the error should mention a failure in authentication, permission, or credentials.

Bottom line is, it seems successful authentication makes a client local. Is this correct?
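The two session logs above, together with Gilles's two meanings of "from local", give enough to write a small triage for `smtpd -d` output. The following is an added example, not code from the thread or from OpenSMTPD: it pairs each smtp-in session's "Accepted authentication" line with its later "Accepted message" and "Failed command" lines and then judges each recipient the way the ruleset in Clint's config would. Mail for one of our domains is local delivery; relay is expected when the session authenticated (SMTP AUTH makes `from local` match) or came from one of the host's own addresses; relay for anyone else is flagged as a possible open relay, and a 550 on RCPT from an unauthenticated outsider to a foreign domain is labelled as a denied relay, which is what the "Invalid recipient" in the second log amounts to. `LOCAL_DOMAINS`, `LOCAL_ADDRS`, the mailbox names and the sample log are constructed; the line formats follow the 5.4.2 output quoted above.

```python
"""Triage OpenSMTPD `smtpd -d` session logs for relay decisions.

Added example; not code from the thread or from OpenSMTPD. Domains,
addresses and the sample log are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed assumptions: the `domains` table, and every address assigned to
# the host (per Gilles, `from local` covers all of them, not only loopback).
LOCAL_DOMAINS = {"example.org"}
LOCAL_ADDRS = {"127.0.0.1", "::1", "10.0.9.20"}

RE_NEW = re.compile(r"smtp-in: New session (\w+) from host \S+ \[([^\]]+)\]")
RE_AUTH = re.compile(r"smtp-in: Accepted authentication for user (\S+) on session (\w+)")
RE_MSG = re.compile(r"smtp-in: Accepted message \w+ on session (\w+): from=(\S+?), to=(\S+?), ")
RE_FAIL = re.compile(r"smtp-in: Failed command on session (\w+): RCPT TO:(\S+) => (\d{3}) ")


@dataclass
class Session:
    addr: str                     # client IP from the "New session" line
    user: Optional[str] = None    # set once SMTP AUTH succeeded on this session


def domain_of(address):
    return address.strip("<>").rpartition("@")[2].lower()


def classify(sess, rcpt, local_domains, local_addrs):
    """What accepting `rcpt` on `sess` amounts to under the thread's ruleset."""
    if domain_of(rcpt) in local_domains:
        return "local-delivery"          # accept from any for domain <domains>
    if sess.user is not None:
        return "authenticated-relay"     # `from local` matched via SMTP AUTH
    if sess.addr in local_addrs:
        return "local-relay"             # `from local` matched via host address
    return "OPEN-RELAY"                  # relayed for an unauthenticated outsider


def triage(lines, local_domains=LOCAL_DOMAINS, local_addrs=LOCAL_ADDRS):
    """Return (session, client_addr, kind, recipient) tuples, one per accepted
    message or per 550 answered to RCPT."""
    sessions = {}
    findings = []
    for line in lines:
        if m := RE_NEW.search(line):
            sessions[m.group(1)] = Session(addr=m.group(2))
        elif m := RE_AUTH.search(line):
            if m.group(2) in sessions:
                sessions[m.group(2)].user = m.group(1)
        elif m := RE_MSG.search(line):
            sid, rcpt = m.group(1), m.group(3)
            sess = sessions.get(sid)
            if sess is None:             # log starts mid-session: cannot judge it
                findings.append((sid, "?", "unknown-session", rcpt))
            else:
                findings.append((sid, sess.addr, classify(sess, rcpt, local_domains, local_addrs), rcpt))
        elif m := RE_FAIL.search(line):
            sid, rcpt, code = m.groups()
            sess = sessions.get(sid)
            if sess is None or code != "550":
                continue
            if domain_of(rcpt) in local_domains:
                kind = "unknown-user"
            elif sess.user is None and sess.addr not in local_addrs:
                kind = "relay-denied"    # no rule matched: neither local nor authenticated
            else:
                kind = "rejected"
            findings.append((sid, sess.addr, kind, rcpt))
    return findings


def open_relays(findings):
    return [f for f in findings if f[2] == "OPEN-RELAY"]


# Constructed sample in the format of the `smtpd -d` output quoted in the thread.
SAMPLE_LOG = """\
smtp-in: New session 49c757a0a5705603 from host 10.0.10.24 [10.0.10.24]
smtp-in: Started TLS on session 49c757a0a5705603: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
smtp-in: Accepted authentication for user alice@example.org on session 49c757a0a5705603
smtp-in: Accepted message 759ccb3c on session 49c757a0a5705603: from=alice@example.org, to=bob@example.net, size=219, ndest=1, proto=ESMTP
smtp-in: New session 26c46acb7b5bf97b from host 10.0.10.24 [10.0.10.24]
smtp-in: Failed command on session 26c46acb7b5bf97b: RCPT TO:bob@example.net => 550 Invalid recipient
smtp-in: Received disconnect from session 26c46acb7b5bf97b
smtp-in: New session 0a1b2c3d4e5f6071 from host localhost [127.0.0.1]
smtp-in: Accepted message 11223344 on session 0a1b2c3d4e5f6071: from=root@example.org, to=bob@example.net, size=512, ndest=1, proto=ESMTP
smtp-in: New session deadbeefcafef00d from host 198.51.100.7 [198.51.100.7]
smtp-in: Accepted message 55667788 on session deadbeefcafef00d: from=spam@example.net, to=victim@example.com, size=4096, ndest=1, proto=SMTP
smtp-in: New session 1111222233334444 from host 198.51.100.9 [198.51.100.9]
smtp-in: Accepted message 99aabbcc on session 1111222233334444: from=carol@example.net, to=alice@example.org, size=300, ndest=1, proto=ESMTP
"""

if __name__ == "__main__":
    for sid, addr, kind, rcpt in triage(SAMPLE_LOG.splitlines()):
        print(f"{kind:20} session={sid} client={addr} rcpt={rcpt}")
```

Run against the real `smtpd -d` output (or the syslog lines, which carry the same `smtp-in:` text), any `OPEN-RELAY` row means the ruleset relayed for a client that was neither authenticated nor on one of the host's addresses, which is the check to make after loosening a `listen ... auth` to `auth-optional`.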
Re: Meaning of from local
I apologize for the noise I've created. I did not read the documentation closely. I found a definitive answer to my question in the "listen on" directive, which states:

    If the auth parameter is used, then a client may only start an SMTP transaction after a successful authentication. Any remote sender that passed SMTPAUTH is treated as if it was the server's local user that was sending the mail. This means that filter rules using "from local" will be matched.

I still think that the "550 Invalid recipient" error isn't intuitive when a client doesn't have the locality or the credentials required by the mail server.

Thanks,
Clint
Re: using SPF or DKIM instead of greylisting?
On Fri, May 30, 2014 at 11:35:45AM +0200, Gilles Chehade wrote:
> I only use greylisting and for big hosts like gmail and yahoo, I have a script that queries their SPF records to whitelist the MX servers that they advertise.

I tried to do this, but there were just too many to keep track of, and I noticed that a fair amount of the hosts connecting weren't even in the SPF. Greylisting became less and less helpful, unfortunately.

I've been running blacklist-only for a few years. Luckily, I don't have a busy host.

--
John D. Verne
j...@clevermonkey.org