6.0.3p1-2 - openssl api?
Hi,

Noticed the ./config provides the following options for openssl:

    --with-libssl='/usr/lib/openssl-1.0' \
    --with-cflags='-I/usr/include/openssl-1.0'

What I could not figure from the man pages or wiki or the source package is whether that tells smtpd only the path to the openssl libraries on the system or whether it also provides an API for smtpd to call openssl?

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
6.0.3p1-2 - PAM authentication
Hi,

been looking for guidance on PAM authentication. The spread is rather thin/sparse when searching the net for [ opensmtpd pam ] and basically boils down to https://github.com/OpenSMTPD/OpenSMTPD/issues/712.

Another hint appears to be [ compile ] from the source package:

    [ --with-auth-pam=SERVICE Enable PAM authentication support (default=smtpd) ]

The Archlinux package was compiled with [ --with-auth-pam \ ] and thus wondering whether it translates thus to [ --with-auth-pam=smtpd \ ] ?

Apparently PAM needs to be configured on the system for smtpd. Would that suffice [ /etc/pam.d/spmtd ] reading ?:

    #%PAM-1.0
    auth required pam_unix.so nullok
    account required pam_unix.so
Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy
On Jul 31, 2018 5:54 AM, ѽ҉ᶬḳ℠ wrote:
>
> > listen on eth0 inet4 port 587 smtps hostname mail mask-source tag lan
> >
> > Either you trimmed this config line or you're missing "auth". Otherwise I
> > suspect you're running without authentication.
>
> Uhum well, is there no PAM authentication? I was under the impression
> that it gets PAM authenticated. Such is being compounded when using the
> Thunderbird mail client and having the TB SMTP server -> authentication
> method set to encrypted password which works without a hitch - no error
> in Thunderbird and the message gets sent.
>
> Commonly TB displays an error if the chosen authentication method is not
> available/supported on the smtp server but apparently not here.
> However, now that you mentioned it I set the TB authentication method to
> OAuth2 and again no error in TB and the message went.
>
> The spread is rather thin when searching the net for [ opensmtpd pam ]
> and basically boils down to
> https://github.com/OpenSMTPD/OpenSMTPD/issues/712
>
> So, the package was compiled with:
>
> ./configure \
>     --prefix=/usr \
>     --sysconfdir=/etc/smtpd \
>     --sbindir=/usr/bin \
>     --libexecdir=/usr/lib/smtpd \
>     --with-path-mbox=/var/spool/mail \
>     --with-path-empty=/var/empty \
>     --with-path-socket=/run \
>     --with-path-CAfile=/etc/ssl/certs/ca-certificates.crt \
>     --with-user-smtpd=smtpd \
>     --with-user-queue=smtpq \
>     --with-group-queue=smtpq \
>     --with-auth-pam \
>     --with-libssl='/usr/lib/openssl-1.0' \
>     --with-cflags='-I/usr/include/openssl-1.0'
>
> but I do not understand the remainder instruction -> "and provide the
> auth service name as parameter then configure the PAM side on your system"?
>
> "and provide the auth service name as parameter" - where and when is
> that supposed to happen?
> At compile ./config? Is it supposed to read like [ --with-auth-pam=smtpd
> \ ] as opposed to just [ --with-auth-pam \ ]?
> What if the [ auth service name ] was omitted -> does [
> --with-user-smtpd=smtpd ] suffice?
>
> "then configure the PAM side on your system" -> supposed that would be
> something like [ /etc/pam.d/spmtd ] reading ?:
>
> #%PAM-1.0
>
> auth required pam_unix.so nullok
> account required pam_unix.so

I know very little about Pam, so I'm not sure. I'd start a new thread with Pam in the subject line and maybe someone who knows can help out.
Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy
> listen on eth0 inet4 port 587 smtps hostname mail mask-source tag lan
>
> Either you trimmed this config line or you're missing "auth". Otherwise I
> suspect you're running without authentication.

Uhum well, is there no PAM authentication? I was under the impression that it gets PAM authenticated. Such is being compounded when using the Thunderbird mail client and having the TB SMTP server -> authentication method set to encrypted password which works without a hitch - no error in Thunderbird and the message gets sent.

Commonly TB displays an error if the chosen authentication method is not available/supported on the smtp server but apparently not here. However, now that you mentioned it I set the TB authentication method to OAuth2 and again no error in TB and the message went.

The spread is rather thin when searching the net for [ opensmtpd pam ] and basically boils down to https://github.com/OpenSMTPD/OpenSMTPD/issues/712

So, the package was compiled with:

./configure \
    --prefix=/usr \
    --sysconfdir=/etc/smtpd \
    --sbindir=/usr/bin \
    --libexecdir=/usr/lib/smtpd \
    --with-path-mbox=/var/spool/mail \
    --with-path-empty=/var/empty \
    --with-path-socket=/run \
    --with-path-CAfile=/etc/ssl/certs/ca-certificates.crt \
    --with-user-smtpd=smtpd \
    --with-user-queue=smtpq \
    --with-group-queue=smtpq \
    --with-auth-pam \
    --with-libssl='/usr/lib/openssl-1.0' \
    --with-cflags='-I/usr/include/openssl-1.0'

but I do not understand the remainder instruction -> "and provide the auth service name as parameter then configure the PAM side on your system"?

"and provide the auth service name as parameter" - where and when is that supposed to happen? At compile ./config? Is it supposed to read like [ --with-auth-pam=smtpd \ ] as opposed to just [ --with-auth-pam \ ]? What if the [ auth service name ] was omitted -> does [ --with-user-smtpd=smtpd ] suffice?

"then configure the PAM side on your system" -> supposed that would be something like [ /etc/pam.d/spmtd ] reading ?:

    #%PAM-1.0
    auth required pam_unix.so nullok
    account required pam_unix.so
Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy
On Jul 31, 2018 1:54 AM, Reio Remma wrote:
>
> On 31.07.18 6:43, ѽ҉ᶬḳ℠ wrote:
> >> From cli it is a different ip. Just add a relay via dkim to the line in
> >> question then and see if that works.
> >>
> > So it is but why makes that difference considering the directives -
> > particularly the [ any ] part should cover any (as in 172.25.120.2 for
> > instance), or should it not?
> >
> > accept tagged DKIM for any relay
> > accept for any relay via smtp://127.0.0.1:10027
>
> The default "from" for accept is "from local", which means only
> local/authenticated messages were relayed to DKIM.
>
> I suspect 172.25.120.2 was sending without authentication?
>
> from [ !]
> local
>     The rule matches only locally originating
>     connections.
>     This is the default,
>     and may be omitted.
>
> Good luck!
> Reio

That's why I like tagging everything. Don't have to worry about those little gotchas.
Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy
On 31.07.18 10:11, ѽ҉ᶬḳ℠ wrote:

From cli it is a different ip. Just add a relay via dkim to the line in question then and see if that works.

So it is but why makes that difference considering the directives - particularly the [ any ] part should cover any (as in 172.25.120.2 for instance), or should it not?

accept tagged DKIM for any relay
accept for any relay via smtp://127.0.0.1:10027

The default "from" for accept is "from local", which means only local/authenticated messages were relayed to DKIM.

I suspect 172.25.120.2 was sending without authentication?

from [ !] local
    The rule matches only locally originating connections. This is the default, and may be omitted.

172.25.120.2 gets authenticated by encrypted password over (START)TLS. I would not permit any client for sending messages without authentication first.

listen on eth0 inet4 port 587 smtps hostname mail mask-source tag lan

Either you trimmed this config line or you're missing "auth". Otherwise I suspect you're running without authentication.
Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy
>>> From cli it is a different ip. Just add a relay via dkim to the
>>> line in question then and see if that works.
>>>
>> So it is but why makes that difference considering the directives -
>> particularly the [ any ] part should cover any (as in 172.25.120.2 for
>> instance), or should it not?
>>
>> accept tagged DKIM for any relay
>> accept for any relay via smtp://127.0.0.1:10027
>
> The default "from" for accept is "from local", which means only
> local/authenticated messages were relayed to DKIM.
>
> I suspect 172.25.120.2 was sending without authentication?
>
> from [ !]
> local
>     The rule matches only locally originating
>     connections.
>     This is the default,
>     and may be omitted.

172.25.120.2 gets authenticated by encrypted password over (START)TLS. I would not permit any client for sending messages without authentication first.

I do comprehend what you are saying just: [ accept for any relay via smtp://127.0.0.1:10027 ] -> [ for any ] and omitting [ from ] in my logic would expand that source does not matter and the directive applies to any (unconditional) relay. Is my logic thus twisted?

-> in the sequential order of directives/rules it comes prior the following and thus my understanding is that it should be processed prior those trailing. Again a miscomprehension on my part?

[ accept from local for any relay ]
[ accept from source 172.25.120.2 for any relay ]
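
Added example, not part of the thread and not OpenSMTPD code: a simplified Python model of the first-match rule selection discussed above, run over the listen line and accept rules quoted in the thread. It assumes, as stated in the thread, that "from local" covers loopback and authenticated sessions; the function names and the rule ordering are constructed for illustration.

```python
# Simplified model of smtpd.conf 6.0.x rule selection; not OpenSMTPD's own code.
import ipaddress

def parse_listen(line):
    """Extract the tag and whether SMTP AUTH is enabled from a 'listen on' line."""
    words = line.split()
    tag = words[words.index("tag") + 1] if "tag" in words else None
    return {"tag": tag, "auth": "auth" in words or "auth-optional" in words}

def parse_accept(line):
    """Parse 'accept [tagged T] [from local|any|source IP] for any relay ...'."""
    words = line.split()
    rule = {"tagged": None, "from": "local", "text": line}  # "from local" is the default
    if "tagged" in words:
        rule["tagged"] = words[words.index("tagged") + 1]
    if "from" in words:
        i = words.index("from")
        rule["from"] = words[i + 2] if words[i + 1] == "source" else words[i + 1]
    return rule

def is_local(session):
    # Assumption taken from the thread: loopback or authenticated counts as local.
    return session["authenticated"] or ipaddress.ip_address(session["ip"]).is_loopback

def first_match(rules, session):
    """Rules are evaluated in order; the first one that matches decides."""
    for rule in rules:
        if rule["tagged"] and rule["tagged"] != session["tag"]:
            continue
        if rule["from"] == "local" and not is_local(session):
            continue
        if rule["from"] not in ("local", "any") and rule["from"] != session["ip"]:
            continue
        return rule
    return None

# Rules and listen line quoted in the thread; the combined ordering is constructed.
RULES = [parse_accept(l) for l in (
    "accept tagged DKIM for any relay",
    "accept for any relay via smtp://127.0.0.1:10027",
    "accept from local for any relay",
    "accept from source 172.25.120.2 for any relay",
)]
LISTEN = "listen on eth0 inet4 port 587 smtps hostname mail mask-source tag lan"

def route(listen_line, ip, password_ok=True):
    """Return the text of the rule a message from ip would match, or 'reject'."""
    lst = parse_listen(listen_line)
    session = {"ip": ip, "tag": lst["tag"], "authenticated": lst["auth"] and password_ok}
    rule = first_match(RULES, session)
    return rule["text"] if rule else "reject"
```

With the listen line as posted, `route(LISTEN, "172.25.120.2")` falls through to the `from source` rule and never reaches the dkimproxy relay; with `auth` added to the listener, the same client matches the `via smtp://127.0.0.1:10027` rule.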