Re: using SPF or DKIM instead of greylisting?

2014-05-30 Thread Gilles Chehade
On Fri, May 30, 2014 at 11:26:18AM +0200, Jiří Navrátil wrote:
 Hello,
 
 I'm using pf greylisting on OpenBSD. More and more emails from Google are 
 delayed and a few are not delivered at all.
 
 This Google article https://support.google.com/mail/answer/180063 suggests 
 replacing greylisting with SPF or DKIM.
 
 What is your anti-spam strategy, please? Are SPF and DKIM configuration 
 examples available for OpenSMTPD?
 
 Thank you for your recommendations.
 
 

I only use greylisting and for big hosts like gmail and yahoo, I have a
script that queries their SPF records to whitelist the MX servers that
they advertise.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
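The script Gilles describes above is not posted in the thread. The following is an added example of the same idea, written for this page and not Gilles's own code: it fetches a sender's SPF policy, follows include: and redirect= chains, and collects the ip4/ip6 networks so they can be added to the pf table that spamd consults. DNS goes through a caller-supplied lookup function so the expansion runs offline against the constructed records embedded below; for live use, wire it to a real TXT resolver. The domain names and networks in SAMPLE_TXT are invented and do not describe any provider's real policy, and the `spamd-white` table name is an assumption taken from the usual pf/spamd setup.

```python
"""Expand a sender's SPF policy into the networks it authorises.

Added example, not Gilles Chehade's script.  It implements the approach
described in the thread: query a big provider's SPF record, follow
include/redirect, and collect the ip4/ip6 networks so they can be fed to a
spamd whitelist table and bypass greylisting.  DNS goes through a
caller-supplied lookup function so the expansion runs offline against the
constructed records below; plug in a real TXT resolver for live use.
The names and networks in SAMPLE_TXT are made up.
"""
import ipaddress
import re
from typing import Callable, Dict, List

TxtLookup = Callable[[str], List[str]]
SPF_VERSION = re.compile(r"^v=spf1(\s|$)", re.IGNORECASE)
MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4 limit on include/redirect chains

# Constructed sample zone: a top-level policy that delegates to two netblock
# records, plus a record that includes itself to exercise loop protection.
SAMPLE_TXT: Dict[str, List[str]] = {
    "bigmail.example": ["v=spf1 include:_spf.bigmail.example ~all"],
    "_spf.bigmail.example": [
        "v=spf1 include:_nb1.bigmail.example include:_nb2.bigmail.example ~all"],
    "_nb1.bigmail.example": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 ~all"],
    "_nb2.bigmail.example": ["v=spf1 ip6:2001:db8:1::/48 -ip4:203.0.113.9 ~all"],
    "loop.example": ["v=spf1 include:loop.example ip4:203.0.113.0/25 -all"],
    "nospf.example": ["some unrelated TXT record"],
}


def sample_lookup(name: str) -> List[str]:
    """Stand-in for a DNS TXT query, served from SAMPLE_TXT."""
    return SAMPLE_TXT.get(name, [])


def spf_networks(domain: str, lookup: TxtLookup) -> List[str]:
    """Return the ip4/ip6 networks a domain's SPF policy authorises, as CIDR strings.

    Only 'ip4', 'ip6', 'include' and 'redirect' are followed.  'a', 'mx',
    'exists' and 'ptr' need a further DNS resolution per mechanism and are
    skipped; 'all' is ignored because whitelisting the world defeats spamd.
    """
    nets = set()
    seen = set()
    lookups = 0

    def walk(name: str) -> None:
        nonlocal lookups
        name = name.lower().rstrip(".")
        if name in seen:            # include/redirect loop: already expanded
            return
        seen.add(name)
        if lookups >= MAX_DNS_LOOKUPS:
            raise RuntimeError("SPF lookup limit exceeded while expanding " + domain)
        lookups += 1
        records = [r for r in lookup(name) if SPF_VERSION.match(r)]
        if len(records) != 1:       # no SPF, or ambiguous duplicates: authorise nothing
            return
        for term in records[0].split()[1:]:
            term = term.lstrip("+")  # '+' is the implicit "pass" qualifier
            if term[0] in "-~?":     # fail/softfail/neutral never authorise a host
                continue
            if term[:4] in ("ip4:", "ip6:"):
                nets.add(ipaddress.ip_network(term[4:], strict=False))
            elif term.startswith("include:"):
                walk(term[len("include:"):])
            elif term.startswith("redirect="):
                walk(term[len("redirect="):])

    walk(domain)
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def pfctl_commands(domain: str, lookup: TxtLookup,
                   table: str = "spamd-white") -> List[str]:
    """Render the networks as pfctl(8) table additions (table name is an assumption)."""
    return [f"pfctl -t {table} -T add {net}" for net in spf_networks(domain, lookup)]


if __name__ == "__main__":
    for cmd in pfctl_commands("bigmail.example", sample_lookup):
        print(cmd)
```

Two caveats a practitioner should keep in mind: SPF lists the networks a provider sends from, which is what matters for greylisting, not its MX hosts; and a provider may deliver from addresses outside its published policy, so this whitelist reduces delays rather than guaranteeing none. Re-run it periodically, since large providers rotate netblocks.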



Re: using SPF or DKIM instead of greylisting?

2014-05-30 Thread Jiří Navrátil
On 30 May 2014 at 11:38:43, Gilles Chehade (gil...@poolp.org) wrote:
 What is your anti-spam strategy, please? Are SPF and DKIM configuration 
 examples available for OpenSMTPD? 
 
 Thank you for your recommendations. 
 

I only use greylisting and for big hosts like gmail and yahoo, I have a 
script that queries their SPF records to whitelist the MX servers that 
they advertise. 


Thank you for the quick reply.

That looks like a reasonable way for me. Could you share your script, please?

Jiri Navratil

Re: using SPF or DKIM instead of greylisting?

2014-05-30 Thread Sunil Nimmagadda
 On Fri, 30 May 2014 11:45:13 +0200, Jiří Navrátil jiri@navratil.cz
 wrote:

  On 30 May 2014 at 11:38:43, Gilles Chehade (gil...@poolp.org)
  wrote:
   What is your anti-spam strategy, please? Are SPF and DKIM
   configuration examples available for OpenSMTPD?

   Thank you for your recommendations.

  I only use greylisting and for big hosts like gmail and yahoo, I
  have a script that queries their SPF records to whitelist the MX
  servers that they advertise.

  Thank you for the quick reply.

  That looks like a reasonable way for me. Could you share your script,
  please?

 I have much the same setup as Gilles, though I'm lazier so I use the
 list from Peter N. M. Hansteen: http://www.bsdly.net/~peter/nospamd

  Jiri Navratil

 Cheers,
 -- 
 Vigdis

I am using bgp-spamd.net whitelisting for my domain in addition to
spamd.  It currently has ~ 91825 whitelisted ips. I had a similar
experience with github trying to send a mail with different IP each
time when spamd grey-trapped the first attempt. bgp-spamd whitelisted
IPs had all the IPs with which github was trying to send mail.





Meaning of from local

2014-05-30 Thread Clint Pachl

The directive for from local in the smtpd.conf(5) man page states:

  The rule matches only locally originating connections.

But what exactly does locally originating mean?

My network consists of two subnets: 10.0.9.0/24 and 10.0.10.0/24. The 
OpenSMTPD server is at 10.0.9.20. The email client is at 10.0.10.24. The 
mail server will relay mail to the Internet for the client with the 
following single rule:


  accept from local for any relay

Should the mail server be relaying mail for this client? Is the client, 
which is on a different subnet than the mail server, considered local?





Re: Meaning of from local

2014-05-30 Thread Barbier, Jason
From local means 2 things 1. From 127.0.0.0/8 or from authenticated,
On May 30, 2014 5:09 AM, Clint Pachl pa...@ecentryx.com wrote:

 Clint Pachl wrote, On 05/30/14 05:02:

 The directive for from local in the smtpd.conf(5) man page states:

   The rule matches only locally originating connections.

 But what exactly does locally originating mean?

 My network consists of two subnets: 10.0.9.0/24 and 10.0.10.0/24. The
 OpenSMTPD server is at 10.0.9.20. The email client is at 10.0.10.24. The
 mail server will relay mail to the Internet for the client with the
 following single rule:

   accept from local for any relay

 Should the mail server be relaying mail for this client? Is the client,
 which is on a different subnet than the mail server, considered local?


 I also forgot to add that this client is also authenticating with the mail
 server using this rule:

   listen on mail port submission tls-require pki tm auth passwd

 Perhaps a successfully authenticated session automatically makes the
 client local?





Re: OpenSMTPD Problem

2014-05-30 Thread Nicholas Janzen
 can you show your configuration file please ?

Certainly:

/etc/mail/smtpd.conf

pki testweb.secure5.net certificate /etc/ssl/testweb.secure5.net.crt
pki testweb.secure5.net key /etc/ssl/private/testweb.secure5.net.key

listen on all tls smtps secure pki testweb.secure5.net auth-optional

table aliases db:/etc/mail/aliases.db
table src file:/etc/mail/relay

accept from any for domain testweb.secure5.net virtual aliases deliver to mbox

accept for local virtual aliases deliver to mbox
accept from source src for any relay

/etc/mail/relay
127.0.0.1

/etc/mail/aliases
t...@testweb.secure5.net nj
n...@testweb.secure5.net n...@obsd.com,n...@telin.com
@testweb.secure5.net nj
...
then the system aliases



-- 
Nicholas Janzen                Personal Site: http://obsd.com
Email: n...@obsd.com           Short URL's: http://clearurl.net/
VE6OBS VE6TS (Basic+Advanced)  Weather Site: http://nicholasjanzen.ca
                               Balloon Site: http://arawr.ca





Re: Meaning of from local

2014-05-30 Thread Gilles Chehade
Actually, from local means 2 things:

1- from _any_ IP address that is assigned to the local machine
2- from clients that have authenticated themselves to the local machine

Gilles

On Fri, May 30, 2014 at 05:45:43AM -0700, Barbier, Jason wrote:
 From local means 2 things 1. From 127.0.0.0/8 or from authenticated,
 On May 30, 2014 5:09 AM, Clint Pachl pa...@ecentryx.com wrote:
 
  Clint Pachl wrote, On 05/30/14 05:02:
 
  The directive for from local in the smtpd.conf(5) man page states:
 
The rule matches only locally originating connections.
 
  But what exactly does locally originating mean?
 
  My network consists of two subnets: 10.0.9.0/24 and 10.0.10.0/24. The
  OpenSMTPD server is at 10.0.9.20. The email client is at 10.0.10.24. The
  mail server will relay mail to the Internet for the client with the
  following single rule:
 
accept from local for any relay
 
  Should the mail server be relaying mail for this client? Is the client,
  which is on a different subnet than the mail server, considered local?
 
 
  I also forgot to add that this client is also authenticating with the mail
  server using this rule:
 
listen on mail port submission tls-require pki tm auth passwd
 
  Perhaps a successfully authenticated session automatically makes the
  client local?
 
 
 

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: OpenSMTPD Problem

2014-05-30 Thread Gilles Chehade
On Fri, May 30, 2014 at 07:22:28AM -0600, Nicholas Janzen wrote:
  can you show your configuration file please ?
 
 Certainly:
 
 [...]
 
 /etc/mail/relay
 127.0.0.1

 [...]


when you use the local enqueuer with mutt, you're not connecting from
127.0.0.1 but you're using a unix socket; your ruleset says that it
will only accept to relay from IP addresses listed in your
/etc/mail/relay file, therefore the local enqueuer is rejected.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: OpenSMTPD Problem

2014-05-30 Thread Nicholas Janzen
 when you use the local enqueuer with mutt, you're not connecting from
 127.0.0.1 but you're using a unix socket; your ruleset says that it
 will only accept to relay from IP addresses listed in your
 /etc/mail/relay file, therefore the local enqueuer is rejected.
 

Thanks for your help, that was exactly what had happened.

For the record, I added: accept for any relay, and mail is now working. 

-- 
Nicholas Janzen                Personal Site: http://obsd.com
Email: n...@obsd.com           Short URL's: http://clearurl.net/
VE6OBS VE6TS (Basic+Advanced)  Weather Site: http://nicholasjanzen.ca
                               Balloon Site: http://arawr.ca




Re: OpenSMTPd as a backup MX

2014-05-30 Thread Denis Fondras
Hi Gilles,

 
 Is your machine named mx2.backdom.fr ?
 

Your guess is perfectly right :)
The machine is not named mx2.backdom.fr.

 
 The configuration file and logs are very important to debug this, there
 is so much we can guess :-p
 

I will send these in private.

Thank you,
Denis




Re: Meaning of from local

2014-05-30 Thread Clint Pachl

Panagiotis Atmatzidis wrote, On 05/30/14 05:58:

My network consists of two subnets: 10.0.9.0/24 and 10.0.10.0/24. The OpenSMTPD 
server is at 10.0.9.20. The email client is at 10.0.10.24. The mail server will 
relay mail to the Internet for the client with the following single rule:

  accept from local for any relay

No it will not accept emails from 10.0.9/24 or x.x.10/24



The problem is that the mail server *is* accepting/relaying mail from 
the client which is on a different subnet. So this behavior doesn't seem 
correct.


I discovered that authentication may be changing the behavior of from 
local. But I'm not getting intuitive error messages (see below) from 
smtpd, so I'm unsure of the exact behavior. I just want confirmation of 
the meaning of from local with regards to successfully authenticated 
clients regardless of their locality from the server.


Here is my entire conf that allows the behavior described above:

### /etc/mail/smtpd.conf ###
table aliases /etc/mail/aliases
table domains /etc/mail/domains
table passwd  /etc/mail/passwd
table users   /etc/mail/users

pki tm certificate /etc/ssl/mail.targetmeister.com.crt
pki tm key /etc/ssl/private/mail.targetmeister.com.key

listen on localhost
listen on mail port smtp tls pki tm
listen on mail port submission tls-require pki tm auth passwd

accept from local for local alias aliases deliver to mbox
accept from any for domain domains virtual users \
   deliver to maildir /var/spool/vmail/%{dest.domain}/%{dest.user}
accept from local for any relay
### END ###

And here is the session output from smtpd when a client on a different 
subnet from the server submits an email for relay *with authentication* 
on submission port 587:


# smtpd -d
info: OpenSMTPD 5.4.2 starting
info: startup
smtp-in: New session 49c757a0a5705603 from host 10.0.10.24 [10.0.10.24]
smtp-in: Started TLS on session 49c757a0a5705603: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
smtp-in: Accepted authentication for user xx...@pachl.us on session 49c757a0a5705603
smtp-in: Accepted message 759ccb3c on session 49c757a0a5705603: from=xx...@pachl.us, to=xx...@devio.us, size=219, ndest=1, proto=ESMTP
smtp-out: Connecting to smtp+tls://66.7.199.108:25 (devio.us) on session e5969f5c34763839...
smtp-out: Connected on session e5969f5c34763839
smtp-out: Started TLS on session e5969f5c34763839: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
smtp-out: Server certificate verification failed on session e5969f5c34763839
relay: Ok for 759ccb3c571ca1f8: session=e5969f5c34763839, from=xx...@pachl.us, to=xx...@devio.us, rcpt=-, source=10.0.9.20, relay=66.7.199.108 (devio.us), delay=2s, stat=250 2.0.0 Ok: queued as A9B071B5B88
smtp-out: Closing session e5969f5c34763839: 1 message sent.


But, if I make authentication optional (auth-optional) on submission 
port and authentication on the client is turned off, I get the following 
session output:


# smtpd -d
info: OpenSMTPD 5.4.2 starting
info: startup
smtp-in: New session 26c46acb7b5bf97b from host 10.0.10.24 [10.0.10.24]
smtp-in: Started TLS on session 26c46acb7b5bf97b: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
smtp-in: Failed command on session 26c46acb7b5bf97b: RCPT TO:xxx...@devio.us => 550 Invalid recipient
smtp-in: Received disconnect from session 26c46acb7b5bf97b
smtp-in: New session 26c46acc2bed96ec from host 10.0.10.24 [10.0.10.24]
smtp-in: Started TLS on session 26c46acc2bed96ec: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
smtp-in: Failed command on session 26c46acc2bed96ec: RCPT TO:xxx...@devio.us => 550 Invalid recipient



As you can see, it does not relay the mail. It instead gives me a 550 
Invalid recipient error, which doesn't seem apropos. It seems the error 
should mention a failure in authentication, permission, or credentials.


Bottom line is, it seems successful authentication makes a client 
local. Is this correct?





Re: Meaning of from local

2014-05-30 Thread Clint Pachl
I apologize for the noise I've created. I did not read the documentation 
closely. I found a definitive answer to my question in the listen on 
directive, which states:


If the auth parameter is used, then a client may only start an SMTP 
transaction after a successful authentication. Any remote sender that 
passed SMTPAUTH is treated as if it was the server's local user that was 
sending the mail. This means that filter rules using from local will 
be matched.


I still think that the 550 Invalid recipient error isn't intuitive 
when a client doesn't have the locality or the credentials required by 
the mail server.


Thanks,
Clint


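Both the "Meaning of from local" thread and the "OpenSMTPD Problem" thread come down to how a session is matched against the accept rules. The following is an added example written for this page, not OpenSMTPD source code: a small model of that matching that encodes the answers given above ("from local" covers any address assigned to the machine, the unix-socket enqueuer, and any session that passed SMTP AUTH; "from source <table>" only covers the listed addresses) and runs the three rulesets posted in the threads through it. It assumes first-match rule evaluation, assumes that omitting "from" means "from local", and assumes the contents of Clint's domains table; the unmatched outcome is the 550 that his log shows.

```python
"""Model of OpenSMTPD 5.4 rule matching: what 'from local' actually matches.

Added example, not OpenSMTPD source code.  It reproduces the matching logic
discussed in the 'Meaning of from local' and 'OpenSMTPD Problem' threads:

  * 'from local' matches a connection from any IP assigned to the machine,
    the local enqueuer (unix socket), or any session that passed SMTP AUTH;
  * 'from source <table>' matches only the addresses listed in the table,
    so the unix-socket enqueuer never matches it;
  * rules are tried in order and the first match wins (assumed here);
  * omitting 'from' is assumed to mean 'from local'.

Addresses and rulesets are the ones posted; the 'domains' table content is
an assumption.  An unmatched envelope yields the 550 seen in the posted log.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

NO_MATCH = "550 Invalid recipient"


@dataclass
class Session:
    source: Optional[str]        # client IP, or None for the local enqueuer (unix socket)
    authenticated: bool = False  # True once SMTP AUTH succeeded on the session


@dataclass
class Host:
    addresses: Set[str]          # every IP assigned to the server, loopback included
    local_domains: Set[str]      # domains that 'for local' covers (hostname, localhost)
    tables: Dict[str, Set[str]]  # named tables referenced by the ruleset


@dataclass
class Rule:
    sender: str                  # "local", "any" or "source:<table>"
    recipient: str               # "local", "any" or "domain:<table-or-name>"
    action: str                  # remainder of the rule, e.g. "relay"


def parse_rule(line: str) -> Rule:
    """Parse 'accept [from ...] for ... <action>' into a Rule."""
    w = line.split()
    if w[0] != "accept":
        raise ValueError("only accept rules are modelled")
    i, sender = 1, "local"       # assumption: default when 'from' is omitted
    if w[i] == "from":
        if w[i + 1] == "source":
            sender, i = "source:" + w[i + 2], i + 3
        else:
            sender, i = w[i + 1], i + 2
    if w[i] != "for":
        raise ValueError("expected 'for' in rule: " + line)
    if w[i + 1] == "domain":
        recipient, i = "domain:" + w[i + 2], i + 3
    else:
        recipient, i = w[i + 1], i + 2
    return Rule(sender, recipient, " ".join(w[i:]))


def is_local(sess: Session, host: Host) -> bool:
    """The three ways a session counts as 'local'."""
    if sess.source is None or sess.authenticated:
        return True
    return sess.source in host.addresses


def sender_matches(rule: Rule, sess: Session, host: Host) -> bool:
    if rule.sender == "any":
        return True
    if rule.sender == "local":
        return is_local(sess, host)
    if sess.source is None:      # unix socket: no IP to look up in a source table
        return False
    addr = ipaddress.ip_address(sess.source)
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in host.tables[rule.sender.split(":", 1)[1]])


def recipient_matches(rule: Rule, domain: str, host: Host) -> bool:
    if rule.recipient == "any":
        return True
    if rule.recipient == "local":
        return domain in host.local_domains
    name = rule.recipient.split(":", 1)[1]
    return domain in host.tables.get(name, {name})   # a table, or a literal domain


def decide(rules: List[str], sess: Session, rcpt: str, host: Host) -> str:
    """Action of the first matching rule, or NO_MATCH."""
    domain = rcpt.rsplit("@", 1)[1].lower()
    for r in map(parse_rule, rules):
        if sender_matches(r, sess, host) and recipient_matches(r, domain, host):
            return r.action
    return NO_MATCH


# Clint's ruleset and network ('Meaning of from local').
CLINT_HOST = Host(addresses={"127.0.0.1", "10.0.9.20"},
                  local_domains={"localhost", "mail.targetmeister.com"},
                  tables={"domains": {"targetmeister.com"}})   # assumed table content
CLINT_RULES = [
    "accept from local for local alias aliases deliver to mbox",
    "accept from any for domain domains virtual users deliver to maildir /var/spool/vmail/%{dest.domain}/%{dest.user}",
    "accept from local for any relay",
]

# Nicholas's ruleset before his fix ('OpenSMTPD Problem').
NICK_HOST = Host(addresses={"127.0.0.1"},
                 local_domains={"localhost", "testweb.secure5.net"},
                 tables={"src": {"127.0.0.1"}})
NICK_RULES = [
    "accept from any for domain testweb.secure5.net virtual aliases deliver to mbox",
    "accept for local virtual aliases deliver to mbox",
    "accept from source src for any relay",
]

if __name__ == "__main__":
    print(decide(CLINT_RULES, Session("10.0.10.24", True), "u@devio.us", CLINT_HOST))
    print(decide(CLINT_RULES, Session("10.0.10.24"), "u@devio.us", CLINT_HOST))
    print(decide(NICK_RULES, Session(None), "u@example.org", NICK_HOST))
    print(decide(NICK_RULES + ["accept for any relay"], Session(None), "u@example.org", NICK_HOST))
```

Running it gives "relay" for the authenticated 10.0.10.24 client and the 550 for the same client without AUTH, which is the behaviour Clint observed; for Nicholas's ruleset the unix-socket enqueuer falls through every rule until "accept for any relay" (implicitly "from local") is added. The security point is that an auth listener turns "from local" into "from anyone with a password", so the strength of the passwd table is what stands between the Internet and an open relay.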



Re: using SPF or DKIM instead of greylisting?

2014-05-30 Thread John D. Verne
On Fri, May 30, 2014 at 11:35:45AM +0200, Gilles Chehade wrote:
 On Fri, May 30, 2014 at 11:26:18AM +0200, Jiří Navrátil wrote:
  Hello,
  
  I'm using pf greylisting on OpenBSD. More and more emails from Google are 
  delayed and a few are not delivered at all.
  
  This Google article https://support.google.com/mail/answer/180063 suggests 
  replacing greylisting with SPF or DKIM.
  
  What is your anti-spam strategy, please? Are SPF and DKIM configuration 
  examples available for OpenSMTPD?
  
  Thank you for your recommendations.
  
 
 I only use greylisting and for big hosts like gmail and yahoo, I have a
 script that queries their SPF records to whitelist the MX servers that
 they advertise.
 
I tried to do this, but there were just too many to keep track of, and I
noticed that a fair amount of the hosts connecting weren't even in the SPF.
Greylisting became less and less helpful, unfortunately.

I've been running blacklist-only for a few years. Luckily, I don't have
a busy host.

-- 
John D. Verne
j...@clevermonkey.org
