Re: 6.0.3p1-2 - PAM authentication
> been looking for guidance on PAM authentication. The spread is rather
> thin/sparse when searching the net for [ opensmtpd pam ] and basically
> boils down to
> https://github.com/OpenSMTPD/OpenSMTPD/issues/712.
>
> Another hint appears to be [ compile ] from the source package:
>
> [ --with-auth-pam=SERVICE Enable PAM authentication support
> (default=smtpd) ]
>
> The Archlinux package was compiled with
>
> [ --with-auth-pam \ ] and thus wondering whether it translates thus to [
> --with-auth-pam=smtpd \ ] ?
>
> Apparently PAM needs to be configured on the system for smtpd. Would
> that suffice
>
> [ /etc/pam.d/smtpd ] reading ?:
>
> #%PAM-1.0
>
> auth required pam_unix.so nullok
> account required pam_unix.so
>

Further reading into [ configure ] from the source package reveals at line 17439 [ if a service name is not set smtpd will be used ]

Having then created [ /etc/pam.d/smtpd ] with the aforementioned content and added [ auth ] to the [ listen on ] directive in the smtpd configuration gets PAM auth to work as expected.

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: 6.0.3p1-2 - openssl api?
> Noticed the ./config provides the following options for openssl:
>
> --with-libssl='/usr/lib/openssl-1.0' \
> --with-cflags='-I/usr/include/openssl-1.0'
>
> What I could not figure from the man pages or wiki or the source package
> is whether that tells smtpd only the path to the openssl libraries on
> the system or whether it also provides an API for smtpd to call openssl?

It was tried to build with OpenSSL 1.1.0 but that failed. Reading on github it seems that OpenSSL 1.1.0 is not (yet) supported.

That aside it seems that OpenSSL API call [ SSL_CTX_set1_groups_list ] is not implemented (with OpenSSL 1.0) and smtpd relying solely on its own RSA crypto engine?
Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy
On 01.08.18 14:48, ѽ҉ᶬḳ℠ wrote:
> Having sorted PAM SMTPAUTH the user/client 172.25.120.2 is now treated
> as server's local user and filter rules using from local are matched.
> Thence, amended
>
> [ accept from source 172.25.120.2 for any relay via
> smtp://127.0.0.1:10027 ] to [ accept from source 172.25.120.2 for any
> relay ] and DKIM is working now for that client as well.
>
> Appreciate the feedback/assistance provided here.

The matching rule for you should now be:

accept (from local) for any relay via smtp://127.0.0.1:10027

This rule matching would again bypass DKIM and is redundant:

accept from source 172.25.120.2 for any relay

Good luck,
Reio
Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy
>> Having sorted PAM SMTPAUTH the user/client 172.25.120.2 is now treated
>> as server's local user and filter rules using from local are matched.
>> Thence, amended
>>
>> [ accept from source 172.25.120.2 for any relay via
>> smtp://127.0.0.1:10027 ] to [ accept from source 172.25.120.2 for any
>> relay ] and DKIM is working now for that client as well.
>>
>> Appreciate the feedback/assistance provided here.
>
> The matching rule for you should now be:
>
> accept (from local) for any relay via smtp://127.0.0.1:10027
>
> This rule matching would again bypass DKIM and is redundant:
>
> accept from source 172.25.120.2 for any relay
>

The way is set and working now:

listen on lo inet4 port 25 tls-require hostname mail mask-source tag lo
listen on lo inet4 port 587 smtps hostname mail mask-source tag lo
listen on eth0 inet4 port 25 tls-require auth hostname mail mask-source tag lan
listen on eth0 inet4 port 587 smtps auth hostname mail mask-source tag lan
listen on lo port 10028 mask-source tag DKIM

accept tagged DKIM for any relay
accept for any relay via smtp://127.0.0.1:10027
accept from local for any relay
accept from source 172.25.120.2 for any relay
Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy
On 01.08.18 15:17, ѽ҉ᶬḳ℠ wrote:
>> The matching rule for you should now be:
>>
>> accept (from local) for any relay via smtp://127.0.0.1:10027
>>
>> This rule matching would again bypass DKIM and is redundant:
>>
>> accept from source 172.25.120.2 for any relay
>
> The way is set and working now:
>
> accept for any relay via smtp://127.0.0.1:10027

The following 2 lines are redundant. The above will match first for authenticated submissions.

> accept from local for any relay
> accept from source 172.25.120.2 for any relay
Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy
>>> listen on eth0 inet4 port 587 smtps hostname mail mask-source tag lan
>>>
>>>
>>> Either you trimmed this config line or you're missing "auth". Otherwise I
>>> suspect you're running without authentication.
>>
>> Uhum well, is there no PAM authentication? I was under the impression
>> that it gets PAM authenticated. Such is being compounded when using the
>> Thunderbird mail client and having the TB SMTP server -> authentication
>> method set to encrypted password which works without a hitch - no error
>> in Thunderbird and the message gets sent.
>>
>> Commonly TB displays an error if the chosen authentication method is not
>> available/supported on the smtp server but apparently not here.
>> However, now that you mentioned it I set the TB authentication method to
>> OAuth2 and again no error in TB and the message went.
>>
>> The spread is rather thin when searching the net for [ opensmtpd pam ]
>> and basically boils down to
>> https://github.com/OpenSMTPD/OpenSMTPD/issues/712
>>
>> So, the package was compiled with:
>>
>> ./configure \
>> --prefix=/usr \
>> --sysconfdir=/etc/smtpd \
>> --sbindir=/usr/bin \
>> --libexecdir=/usr/lib/smtpd \
>> --with-path-mbox=/var/spool/mail \
>> --with-path-empty=/var/empty \
>> --with-path-socket=/run \
>> --with-path-CAfile=/etc/ssl/certs/ca-certificates.crt \
>> --with-user-smtpd=smtpd \
>> --with-user-queue=smtpq \
>> --with-group-queue=smtpq \
>> --with-auth-pam \
>> --with-libssl='/usr/lib/openssl-1.0' \
>> --with-cflags='-I/usr/include/openssl-1.0'
>>
>> but I do not understand the remainder instruction -> "and provide the
>> auth service name as parameter then configure the PAM side on your system"?
>>
>> "and provide the auth service name as parameter" - where and when is
>> that supposed to happen?
>> At compile ./config? Is it supposed to read like [ --with-auth-pam=smtpd
>> \ ] as opposed to just [ --with-auth-pam \ ]?
>> What if the [ auth service name ] was omitted -> does [
>> --with-user-smtpd=smtpd ] suffice?
>>
>> "then configure the PAM side on your system" -> supposed that would be
>> something like [ /etc/pam.d/smtpd ] reading ?:
>>
>> #%PAM-1.0
>>
>> auth required pam_unix.so nullok
>> account required pam_unix.so
>>
>>
> I know very little about Pam, so I'm not sure. I'd start a new thread with
> Pam in the subject line and maybe someone who knows can help out.

Having sorted PAM SMTPAUTH the user/client 172.25.120.2 is now treated as server's local user and filter rules using from local are matched. Thence, amended

[ accept from source 172.25.120.2 for any relay via smtp://127.0.0.1:10027 ] to [ accept from source 172.25.120.2 for any relay ] and DKIM is working now for that client as well.

Appreciate the feedback/assistance provided here.
Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy
On 01/08/2018 at 14:17, ѽ҉ᶬḳ℠ wrote:
>>> Having sorted PAM SMTPAUTH the user/client 172.25.120.2 is now treated
>>> as server's local user and filter rules using from local are matched.
>>> Thence, amended
>>>
>>> [ accept from source 172.25.120.2 for any relay via
>>> smtp://127.0.0.1:10027 ] to [ accept from source 172.25.120.2 for any
>>> relay ] and DKIM is working now for that client as well.
>>>
>>> Appreciate the feedback/assistance provided here.
>> The matching rule for you should now be:
>>
>> accept (from local) for any relay via smtp://127.0.0.1:10027
>>
>> This rule matching would again bypass DKIM and is redundant:
>>
>> accept from source 172.25.120.2 for any relay
>>
> The way is set and working now:
>
> listen on lo inet4 port 25 tls-require hostname mail mask-source tag lo

`tls-require` on `lo` is a bit strange… `mask-source` too.

> listen on lo inet4 port 587 smtps hostname mail mask-source tag lo
> listen on eth0 inet4 port 25 tls-require auth hostname mail mask-source tag
> lan

Do you intend to receive mail from other mail servers? Because using `auth` here will prevent that. `tls-require` likely too in my experience (unfortunately a lot of mail providers still don’t use TLS at all). Also I’m not sure `mask-source` is relevant here, but I might be wrong.

> listen on eth0 inet4 port 587 smtps auth hostname mail mask-source tag lan
> listen on lo port 10028 mask-source tag DKIM
>
> accept tagged DKIM for any relay
> accept for any relay via smtp://127.0.0.1:10027
> accept from local for any relay
> accept from source 172.25.120.2 for any relay

Those last two lines are useless: everything that would match them will already have matched one of the first two.

Regards,
Bruno
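As an added illustration (not code from the list or from OpenSMTPD), the following Python model replays the first-match rule evaluation that Reio and Bruno describe over the sessions the posted listen directives can actually produce, and shows both the two unreachable rules and why moving them ahead of the dkimproxy rule would bypass DKIM signing. The `Session`/`Rule` types and the treatment of loopback or SMTPAUTH sessions as "local" are assumptions taken from the thread.

```python
"""First-match model of the accept rules in this thread's smtpd.conf (added
example, not OpenSMTPD code). Assumed, per the thread: rules are tried in
order; no "from" means "from local"; loopback or SMTPAUTH sessions are local."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    tag: str      # tag set by the listen directive the session came in on
    source: str   # client IP as seen by smtpd
    authed: bool  # listener had "auth" and the client authenticated

    @property
    def local(self):
        return self.source == "127.0.0.1" or self.authed

@dataclass(frozen=True)
class Rule:
    text: str
    tagged: str = None       # "accept tagged X ..."
    source: str = None       # "accept from source X ..."
    local_only: bool = True  # implicit or explicit "from local"
    via: str = None          # "... relay via URL"; None means direct relay

    def matches(self, s):
        if self.tagged and s.tag != self.tagged:
            return False
        if self.source:
            return s.source == self.source
        return s.local if self.local_only else True

RULES = [  # the accept rules from the posted smtpd.conf, in order
    Rule("accept tagged DKIM for any relay", tagged="DKIM"),
    Rule("accept for any relay via smtp://127.0.0.1:10027", via="smtp://127.0.0.1:10027"),
    Rule("accept from local for any relay"),
    Rule("accept from source 172.25.120.2 for any relay", source="172.25.120.2", local_only=False),
]
# Sessions the posted listen directives can produce: lo listeners (127.0.0.1),
# eth0 "lan" listeners (auth required), and dkimproxy's return on port 10028.
SESSIONS = [Session("lo", "127.0.0.1", False),
            Session("lan", "172.25.120.2", True),
            Session("DKIM", "127.0.0.1", False)]

def first_match(rules, s):  # index of the winning rule, None if rejected
    return next((i for i, r in enumerate(rules) if r.matches(s)), None)

def unreachable_rules(rules, sessions):  # rules no possible session reaches
    hit = {first_match(rules, s) for s in sessions}
    return [r.text for i, r in enumerate(rules) if i not in hit]

def bypasses_dkim(rules, s):  # relayed directly instead of via dkimproxy?
    i = first_match(rules, s)
    return i is not None and rules[i].via is None and s.tag != "DKIM"
```

`unreachable_rules(RULES, SESSIONS)` returns the two rules Reio and Bruno flagged; reordering so that `accept from source 172.25.120.2 ...` precedes the `via` rule makes `bypasses_dkim` true for the LAN client.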
lmtps
Hi,

dovecot supports TLS over LMTP(S). Been searching the net but could not find a trace about smtpd support for lmtps and hence wondering whether such is implemented?
Re: lmtps
On 08/01/18 19:09, ѽ҉ᶬḳ℠ wrote:
> yes
>> I guess this is you: https://github.com/OpenSMTPD/OpenSMTPD/issues/868 ?
> lmtps implementation in dovecot and postfix does not serve a practical purpose? What if dovecot and the mta are not on the same server?

from the lmtp rfc

    The LMTP protocol SHOULD NOT be used over wide area networks.

>> You don't really need to do secure lmtp because lmtp primarily runs on a
>> trusted network anyway. In fact, if you're running smtp and dovecot on the
>> same server, just use lmtp over a Unix domain socket.
>>
>>> Hi,
>>>
>>> dovecot supports TLS over LMTP(S). Been searching the net but could not
>>> find a trace about smtpd support for lmtps and hence wondering whether
>>> such is implemented?
Re: lmtps
yes

> I guess this is you: https://github.com/OpenSMTPD/OpenSMTPD/issues/868 ?

lmtps implementation in dovecot and postfix does not serve a practical purpose? What if dovecot and the mta are not on the same server?

> You don't really need to do secure lmtp because lmtp primarily runs on a
> trusted network anyway. In fact, if you're running smtp and dovecot on the
> same server, just use lmtp over a Unix domain socket.
>
>> Hi,
>>
>> dovecot supports TLS over LMTP(S). Been searching the net but could not
>> find a trace about smtpd support for lmtps and hence wondering whether
>> such is implemented?
>
Re: lmtps
Sure, and it certainly makes sense, but you can still have (V)LAN servers with different subnets and not necessarily everything on a single server/subnet.

> from the lmtp rfc
>
>    The LMTP protocol SHOULD NOT be used over wide area networks.
>>> You don't really need to do secure lmtp because lmtp primarily runs on a
>>> trusted network anyway. In fact, if you're running smtp and dovecot on the
>>> same server, just use lmtp over a Unix domain socket.
>>>
>>>> Hi,
>>>>
>>>> dovecot supports TLS over LMTP(S). Been searching the net but could not
>>>> find a trace about smtpd support for lmtps and hence wondering whether
>>>> such is implemented?
>
Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy
> The following 2 lines are redundant. The above will match first for
> authenticated submissions.
>
>> accept from local for any relay
>> accept from source 172.25.120.2 for any relay
>

Thanks for pointing that out, the logic apparently escaped me. Keeps the code tidy and prevents redundancy.
Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy
>> The way is set and working now:
>>
>> listen on lo inet4 port 25 tls-require hostname mail mask-source tag lo
> `tls-require` on `lo` is a bit strange… `mask-source` too.

Of course it is, [ tls-require ] at least. That is now removed thus. [ mask-source ] for lo/127.0.0.1 is perhaps a little silly indeed but it does not cause any harm I suppose.

>> listen on lo inet4 port 587 smtps hostname mail mask-source tag lo
>> listen on eth0 inet4 port 25 tls-require auth hostname mail mask-source tag
>> lan
> Do you intend to receive mail from other mail servers? Because using
> `auth` here will prevent that. `tls-require` likely too in my experience
> (unfortunately a lot of mail providers still don’t use TLS at all). Also
> I’m not sure `mask-source` is relevant here, but I might be wrong.

eth0 ports 25/587 are only for lan clients and those are supporting TLS/SMTPAUTH

For receiving from WAN there are:

listen on eth0 inet4 port 40025 tls hostname foo.bar tag wan
listen on eth0 inet4 port 40587 smtps hostname foo.bar tag wan

On the WAN iface the netfilter rules are forwarding WAN ports 25/587 to the smtpd server ports 40025/40587 with the smtpd server deployed in an unprivileged LXC container.

>
>> listen on eth0 inet4 port 587 smtps auth hostname mail mask-source tag lan
>> listen on lo port 10028 mask-source tag DKIM
>>
>> accept tagged DKIM for any relay
>> accept for any relay via smtp://127.0.0.1:10027
>> accept from local for any relay
>> accept from source 172.25.120.2 for any relay
> Those last two lines are useless: everything that would match them will
> already have matched one of the first two.
>

Yes, the other list subscriber Reio kindly pointed that one out too, and those two lines were purged meantime.