Re: Virtual user and domain setup

2020-04-07 Thread Andrew Swartz

Thanks for the follow-up.

I was planning on eventually switching to dovecot for delivery.  Thank 
you for figuring out that part!



-Andy


On 4/7/2020 11:01 AM, Leo Unglaub wrote:

Hey,
thank you so much for that snippet. I think I finally understood it 
and it works now. I had to adapt your config a little bit but it works 
now. I use basically your config with the action changed to the following:



action "local-lmtp" lmtp "/var/dovecot/lmtp" rcpt-to virtual <vmailstub>


At first I tried it without the rcpt-to option to lmtp, but without 
that Dovecot always rejected the email for the user "vmail". But now 
with the rcpt-to it works perfectly.


Thank you all so much for the help and greetings from Vienna
Leo


On 07.04.2020 at 01:36, Andrew Swartz wrote:
This is one possible configuration which should do that which I think 
you are describing:


-

table vdomains    file:/etc/mail/table_vmail_domains
table vaddr       file:/etc/mail/table_vmail_addresses
table vmailstub   { '@' = vmail }

action "deliver_vmail" maildir "/home/vmail/domains/%{rcpt.domain:lowercase}/%{rcpt.user:lowercase|strip}" virtual <vmailstub>


match from any for domain <vdomains> rcpt-to <vaddr> action "deliver_vmail"


-

This setup accepts mail ONLY for virtual accounts and delivers it to a 
typical "vpopmail" maildir structure: "/home/vmail/domain/name"


You must create a system user "vmail" which does not receive any mail 
but is just the home folder for the mailboxes and the user for 
permission to deliver the mail.


Automate making the domains file with a script which extracts the 
unique domains from the addresses file.  The redundancy here is due to 
the smtpd.conf requirements (i.e. not because I think it's cool to 
have both domain and email address files).


If it's not clear, I can elaborate on how it works.






Re: Virtual user and domain setup

2020-04-06 Thread Andrew Swartz
This is one possible configuration which should do that which I think 
you are describing:


-

table vdomains    file:/etc/mail/table_vmail_domains
table vaddr       file:/etc/mail/table_vmail_addresses
table vmailstub   { '@' = vmail }

action "deliver_vmail" maildir "/home/vmail/domains/%{rcpt.domain:lowercase}/%{rcpt.user:lowercase|strip}" virtual <vmailstub>


match from any for domain <vdomains> rcpt-to <vaddr> action "deliver_vmail"

-

This setup accepts mail ONLY for virtual accounts and delivers it to a 
typical "vpopmail" maildir structure: "/home/vmail/domain/name"


You must create a system user "vmail" which does not receive any mail 
but is just the home folder for the mailboxes and the user for 
permission to deliver the mail.


Automate making the domains file with a script which extracts the unique 
domains from the addresses file.  The redundancy here is due to the 
smtpd.conf requirements (i.e. not because I think it's cool to have both 
domain and email address files).


If it's not clear, I can elaborate on how it works.


-Andy



On 4/5/2020 4:24 AM, Leo Unglaub wrote:

Hey,
first of all I want to thank you all for your work on OpenSMTPD over 
all those years. It has powered my one domain very well over all those 
years. But now I have a problem with setting up virtual domains and 
users.


My goal is the following. I have the following domains:


foo.com
bar.com


With those domains i have the following email addresses:


us...@foo.com
us...@foo.com
us...@bar.com
us...@bar.com


But all those users don't exist on my machine as real users. I just 
want to receive emails for those accounts and process them via lmtp to 
dovecot. So my action basically looks like that:



action "local_lmtp_deliver" lmtp "/var/dovecot/lmtp"


But when I trace the lookup from the smtpd I get the following:


b4e62ea90ed6c91d smtp connected address=local host=foo.com
lookup: match "local" as NETADDR in table static: -> true
lookup: match "foo.com" as DOMAIN in table static: -> true

rule #1 matched: match from any for any action local_lmtp_deliver
lookup: lookup "user1" as USERINFO in table getpwnam: -> none
b4e62ea90ed6c91d smtp failed-command command="RCPT TO: " result="550 Invalid recipient: "
b4e62ea90ed6c91d smtp disconnected reason=disconnect

debug: control -> client: pipe closed
debug: clearing p=client, fd=11, pid=0


For some reason the user1 part is still getting resolved as a real 
user on the system. I read on the man page and found the "user 
username" option for the action. I did the following:


action "local_lmtp_deliver" lmtp "/var/dovecot/lmtp" rcpt-to user 
"dovecot-worker"
dovecot-worker is the account used by dovecot to handle all the email 
storage in /var/vmail. But I get the same error.


So I guess I am doing it all wrong. Could someone please be so kind 
and give me a hint in the right direction how the virtual user stuff 
is working in OpenSMTPD? Because I think I am lost here. I am doing 
something completely wrong.


I am on the latest OpenBSD release (including all syspatch).

Thanks so much!
Greetings
Leo





Re: Virtual domains & Virtual Users...

2019-11-24 Thread Andrew Swartz


Try removing "rcpt-to <vusers_list>" from the 2nd match line and see
what happens.

I put it there because, in my setup, that is the only thing which
prevents accepting mail for a valid virtual domain but invalid name. 
But your setup has a subsequent mapping lookup in the action line which
may (or may not) accomplish the same behavior.

I'm fairly confident that if you remove "rcpt-to <vusers_list>" smtpd
will correctly receive and deliver mail with a valid virtual domain AND
valid name (because the address is present in <vusers_list>).  But I'm
unsure what will occur if the match line accepts the mail because the
domain is valid but then the mapping lookup in the action line fails
because the name is invalid and thus the address is not present in
<vusers_map>.

If you try it without "rcpt-to <vusers_list>" in the 2nd match line,
make sure you test for a virtual domain with both a valid name and an
invalid name.  I'm curious to hear the results.


-Andy
 



On 11/23/2019 4:51 PM, Implausibility wrote:
> With some help from Andrew off-list, he provided a config that works for what 
> I'm trying to do.  It's attached below.  Hopefully all you'd need to do to 
> duplicate my success is search-and-replace example.com for your own primary 
> (FQDN) mail server domain name (as long as it's called mail.yourdomain.com).
>
> The secret is that there needs to be two tables -- one with a list of eMail 
> addresses to accept, and one that maps the accepted eMail addresses to a 
> local user mailbox.
>
> I'd prefer if this was more streamlined, so I didn't need to maintain two 
> separate lists, but I'm sure I can script around it.  Any refinements would 
> be greatly appreciated.  :D
>
> Thanks again Andrew! 
>
> # **
> #   $OpenBSD: smtpd.conf,v 1.11 2018/06/04 21:10:58 jmc Exp $
>
> # This is the smtpd server system-wide configuration file.
> # See smtpd.conf(5) for more information.
>
> table aliases file:/etc/mail/aliases
> table domains db:/etc/mail/domains.db
> table vusers_list file:/etc/mail/vusers_list
> table vusers_map file:/etc/mail/vusers_map
>
> action "local_mail" maildir junk alias <aliases>
> action "vusers_deliver" maildir junk virtual <vusers_map>
> action "outbound" relay helo mail.example.com
>
> pki mail.example.com cert "/etc/ssl/mail.example.comfullchain.pem"
> pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
>
> filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
> disconnect "550 you look like a spammer"
>
> filter check_rdns phase connect match !rdns \
> disconnect "550 you look like a spammer"
>
> filter check_fcrdns phase connect match !fcrdns \
> disconnect "550 you look like a spammer"
>
> filter senderscore \
> proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor 5000"
>
> filter rspamd proc-exec "filter-rspamd"
>
> listen on all tls pki mail.example.com \
> filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
>
> listen on all port submission tls-require pki mail.example.com auth filter rspamd
>
> match from any for domain "mail.example.com" action "local_mail"
> match from any for domain <domains> rcpt-to <vusers_list> action "vusers_deliver"
> match for local action "local_mail"
>
> match from any auth for any action "outbound"
> match for any action "outbound"
>
>
>
>
>
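The domains table Andrew derives from his addresses table (earlier in this thread) and the second list Implausibility would rather not maintain by hand can both be generated from one hand-maintained file. The following Python is an added example, not code from the thread or from OpenSMTPD; the table names in its comments are the thread's, the lowercasing is this example's own choice, and the sample input is constructed.

```python
import re

# Constructed sample of the single hand-maintained table. A line is either
# "address" (list form, like table_vmail_addresses) or "address value"
# (mapping form, like vusers_map). '#' comments and blank lines are
# skipped, as in an smtpd file table.
SAMPLE_SOURCE = """\
# virtual addresses (constructed sample)
User1@Foo.com      vmail
user2@foo.com      vmail
user1@bar.com      vmail
postmaster@BAR.com
"""

# Exactly one '@' with no whitespace on either side of it.
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+$")


def parse_table(text):
    """Return [(address, value_or_None)] in file order, addresses lowercased.

    Lowercasing is an assumption made here so the keys line up with the
    %{rcpt.domain:lowercase} path used in the delivery action; a malformed
    line raises instead of silently producing an entry that never matches."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) > 2 or not ADDR_RE.match(parts[0]):
            raise ValueError(f"line {lineno}: expected 'user@domain [value]', got {raw!r}")
        entries.append((parts[0].lower(), parts[1] if len(parts) == 2 else None))
    return entries


def unique_domains(entries):
    """Sorted unique domains: the content of <vdomains> / table_vmail_domains."""
    return sorted({addr.split("@", 1)[1] for addr, _ in entries})


def domains_table(entries):
    """File text for the domains list table."""
    return "\n".join(unique_domains(entries)) + "\n"


def list_table(entries):
    """One accepted address per line, duplicates dropped: <vaddr> / <vusers_list>."""
    seen, out = set(), []
    for addr, _ in entries:
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    e = parse_table(SAMPLE_SOURCE)
    print(domains_table(e), end="")
    print(list_table(e), end="")
```

Write the two outputs to the files named in the `table` lines and run `smtpctl update table <name>` for each so the running smtpd reloads them.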



Re: Virtual domains & Virtual Users...

2019-11-23 Thread Andrew Swartz
Where I said  "user virtual" I meant "user vmail".   I've not had enough
coffee yet.


On 11/23/2019 9:23 AM, Andrew Swartz wrote:
> As a proof of concept, I have a setup doing that which I think you are
> trying to do:
>
> ---
> table vdomains     file:/etc/mail/table_vmail_domains
> table vaddr        file:/etc/mail/table_vmail_addresses
> table vmailstub    { '@' = vmail }
> listen on em0
> action "deliver_vmail" maildir "/home/vmail/domains/%{rcpt.domain:lowercase}/%{rcpt.user:lowercase|strip}" virtual <vmailstub>
> match from any for domain <vdomains> rcpt-to <vaddr> action "deliver_vmail"
> ---
>
> I'm using 6.6.0.  For clarity I've included only the pertinent conf
> lines.  This config is successfully delivering the mail to the
> pure-virtual users in the desired directory hierarchy
> (/home/vmail/domains/example.com/user).  The only places these
> pure-virtual users exist is in the "vaddr" table and the directory
> hierarchy (they are also in an "auth" table for relaying, but I removed
> that for clarity).
>
> It took me a lot of trial and error to come up with the "virtual
> <vmailstub>" at the end of the action.  It seems like "user virtual"
> should go there, but for unclear reasons that yields "** 550 Invalid
> recipient"; when I replace "user virtual" with "virtual <vmailstub>"
> (which always returns "vmail") the mail is accepted (for users in the
> vaddr table) and delivered as desired.  Not an elegant solution, but it
> works.
>
> I've not installed/integrated dovecot yet.  I'm curious about
> suggestions for the best way to integrate dovecot and/or manage users
> in such a system.
>
>
> -Andy
>
>
> On 11/23/2019 7:08 AM, Implausibility wrote:
>> Hi again.
>>
>> My mail server has been running fine since last weekend, and I'm trying to 
>> expand its functionality by including the ability to send and receive mail 
>> for my list of domains, and for eMail addresses which forward to locally 
>> defined users -- but I can't seem to get it working, and I think the issue 
>> is my (mis-)understanding of how the match parameter works...
>>
>> In order to get virtual users working, I've added three lines to the config:
>>
>>> table vusers file:/etc/mail/vusers
>>> action "vusers" maildir junk virtual <vusers>
>>> match from any for domain <domains> rcpt-to virtual <vusers> action "vusers"
>> I was able to get mail delivered for local users to my virtual domains 
>> previously without issue.  But I can't get virtual addresses working...
>>
>> I've tried a half a dozen varieties of the match command, and I keep getting 
>> 'syntax error', and it doesn't give me any hint as to what exactly the 
>> problem is.  I want to accept eMail from any destination, to the domains 
>> defined in the domains table, that are sending to recipients listed in the 
>> vusers table, to deliver them to the maildir for access via Dovecot IMAP.
>>
>> Any help in getting this working would be appreciated.
>>
>> Here's my config:
>>
>>> #   $OpenBSD: smtpd.conf,v 1.11 2018/06/04 21:10:58 jmc Exp $
>>>
>>> # This is the smtpd server system-wide configuration file.
>>> # See smtpd.conf(5) for more information.
>>>
>>> table aliases file:/etc/mail/aliases
>>> table domains db:/etc/mail/domains.db
>>> table vusers file:/etc/mail/vusers
>>>
>>> # To accept external mail, replace with: listen on all
>>> #
>>> # listen on all
>>>
>>> action "local_mail" maildir junk alias <aliases>
>>> action "vusers" maildir junk virtual <vusers>
>>> action "outbound" relay helo mail.example.com
>>>
>>> match from any for domain <domains> action "local_mail"
>>> match for local action "local_mail"
>>> match for any action "outbound"
>>>
>>> pki mail.hottub.ca cert "/etc/ssl/mail.example.fullchain.pem"
>>> pki mail.hottub.ca key "/etc/ssl/private/mail.example.key"
>>>
>>> filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
>>> disconnect "550 you look like a spammer"
>>>
>>> filter check_rdns phase connect match !rdns \
>>> disconnect "550 you look like a spammer"
>>>
>>> filter check_fcrdns phase connect match !fcrdns \
>>> disconnect "550 you look like a spammer"
>>>
>>> filter senderscore \
>>> proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor 5000"
>>>
>>> filter rspamd proc-exec "filter-rspamd"
>>>
>>> listen on all tls pki mail.example.ca \
>>> filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
>>>
>>> listen on all port submission tls-require pki mail.hottub.ca auth filter rspamd
>>>
>>> match from any for domain "mail.example.ca" action "local_mail"
>>> match from any for domain <domains> rcpt-to virtual <vusers> action "vusers"
>>> match for local action "local_mail"
>>>
>>> match from any auth for any action "outbound"
>>> match for any action "outbound"
>>>
>>
>



Re: Virtual domains & Virtual Users...

2019-11-23 Thread Andrew Swartz
As a proof of concept, I have a setup doing that which I think you are
trying to do:

---
table vdomains     file:/etc/mail/table_vmail_domains
table vaddr        file:/etc/mail/table_vmail_addresses
table vmailstub    { '@' = vmail }
listen on em0
action "deliver_vmail" maildir "/home/vmail/domains/%{rcpt.domain:lowercase}/%{rcpt.user:lowercase|strip}" virtual <vmailstub>
match from any for domain <vdomains> rcpt-to <vaddr> action "deliver_vmail"
---

I'm using 6.6.0.  For clarity I've included only the pertinent conf
lines.  This config is successfully delivering the mail to the
pure-virtual users in the desired directory hierarchy
(/home/vmail/domains/example.com/user).  The only places these
pure-virtual users exist is in the "vaddr" table and the directory
hierarchy (they are also in an "auth" table for relaying, but I removed
that for clarity).

It took me a lot of trial and error to come up with the "virtual
<vmailstub>" at the end of the action.  It seems like "user virtual"
should go there, but for unclear reasons that yields "** 550 Invalid
recipient"; when I replace "user virtual" with "virtual <vmailstub>"
(which always returns "vmail") the mail is accepted (for users in the
vaddr table) and delivered as desired.  Not an elegant solution, but it
works.

I've not installed/integrated dovecot yet.  I'm curious about
suggestions for the best way to integrate dovecot and/or manage users
in such a system.


-Andy


On 11/23/2019 7:08 AM, Implausibility wrote:
> Hi again.
>
> My mail server has been running fine since last weekend, and I'm trying to 
> expand its functionality by including the ability to send and receive mail 
> for my list of domains, and for eMail addresses which forward to locally 
> defined users -- but I can't seem to get it working, and I think the issue is 
> my (mis-)understanding of how the match parameter works...
>
> In order to get virtual users working, I've added three lines to the config:
>
>> table vusers file:/etc/mail/vusers
>> action "vusers" maildir junk virtual <vusers>
>> match from any for domain <domains> rcpt-to virtual <vusers> action "vusers"
> I was able to get mail delivered for local users to my virtual domains 
> previously without issue.  But I can't get virtual addresses working...
>
> I've tried a half a dozen varieties of the match command, and I keep getting 
> 'syntax error', and it doesn't give me any hint as to what exactly the 
> problem is.  I want to accept eMail from any destination, to the domains 
> defined in the domains table, that are sending to recipients listed in the 
> vusers table, to deliver them to the maildir for access via Dovecot IMAP.
>
> Any help in getting this working would be appreciated.
>
> Here's my config:
>
>> #   $OpenBSD: smtpd.conf,v 1.11 2018/06/04 21:10:58 jmc Exp $
>>
>> # This is the smtpd server system-wide configuration file.
>> # See smtpd.conf(5) for more information.
>>
>> table aliases file:/etc/mail/aliases
>> table domains db:/etc/mail/domains.db
>> table vusers file:/etc/mail/vusers
>>
>> # To accept external mail, replace with: listen on all
>> #
>> # listen on all
>>
>> action "local_mail" maildir junk alias <aliases>
>> action "vusers" maildir junk virtual <vusers>
>> action "outbound" relay helo mail.example.com
>>
>> match from any for domain <domains> action "local_mail"
>> match for local action "local_mail"
>> match for any action "outbound"
>>
>> pki mail.hottub.ca cert "/etc/ssl/mail.example.fullchain.pem"
>> pki mail.hottub.ca key "/etc/ssl/private/mail.example.key"
>>
>> filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
>> disconnect "550 you look like a spammer"
>>
>> filter check_rdns phase connect match !rdns \
>> disconnect "550 you look like a spammer"
>>
>> filter check_fcrdns phase connect match !fcrdns \
>> disconnect "550 you look like a spammer"
>>
>> filter senderscore \
>> proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor 5000"
>>
>> filter rspamd proc-exec "filter-rspamd"
>>
>> listen on all tls pki mail.example.ca \
>> filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
>>
>> listen on all port submission tls-require pki mail.hottub.ca auth filter rspamd
>>
>> match from any for domain "mail.example.ca" action "local_mail"
>> match from any for domain <domains> rcpt-to virtual <vusers> action "vusers"
>> match for local action "local_mail"
>>
>> match from any auth for any action "outbound"
>> match for any action "outbound"
>>
>
>



Re: need help

2019-10-05 Thread Andrew Swartz

I've been lurking on this list for a long time but I've never posted.

I've attached a perl program I threw together a couple years ago which 
does recursive SPF resolution.  This might help your debugging.


For this type of testing, pass it a domain on STDIN:
echo 'gmail.com' | spf2ip.pl

I use it to create a daily whitelist of frequent domain IP's.  I use it 
by calling it with a filename argument. It reads the file which has a 
domain on each line, iterates through all the domains, recursively 
resolving each, and creating a long list of all the SPF IP's of all the 
domains in the file.


In default mode, it adds enough comments to explain how it generates the 
results.  For example, here is the output of the above command:


# echo 'gmail.com' | spf2ip.pl

#
# gmail.com
#
#  [REDIRECT=] _spf.google.com (depth=1)
#  [INCLUDE:] _netblocks.google.com (depth=2)
35.190.247.0/24
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
108.177.8.0/21
173.194.0.0/16
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19
#  [INCLUDE:] _netblocks2.google.com (depth=2)
#  [INCLUDE:] _netblocks3.google.com (depth=2)
172.217.0.0/19
172.217.32.0/20
172.217.128.0/19
172.217.160.0/20
172.217.192.0/19
108.177.96.0/19
35.191.0.0/16
130.211.0.0/22




SPF resolution of "microsoft.com" returns 76 IP's.

Adding a "-d" argument will output a lot more debug info, whereas "-q" 
suppresses any debug info and only outputs IP's.  The header of the perl 
file does some explanation, but it was only intended for me to read, so 
it is not a super thorough explanation.


And yes, it looks like a stereotypical perl program (ugly, quick, and 
functional).


Hope this helps,
-Andy







On 9/30/2019 7:21 AM, gil...@poolp.org wrote:

September 30, 2019 4:25 PM, "Denis Fondras"  wrote:


On Mon, Sep 30, 2019 at 01:55:28PM +, gil...@poolp.org wrote:


Hello,

I'd like to bring native support for SPF in OpenSMTPD in a future release,
but for this I need a bit of help to make sure my SPF resolver works fine.

I have created a repository with a standalone executable that performs the
SPF lookup and checks if an IP address is allowed to send on behalf of the
sending domain:

https://github.com/poolpOrg/spf

https://github.com/poolpOrg/spf/blob/master/README.md

If you could test and report issues, it would be nice,


It seems the IPv6 check is broken:

$ dig ledeuns.net TXT +short
"v=spf1 ip4:185.22.129.11 ip6:2a00:6060:1::1 ip6:2a00:6060:::1005:ff02 -all"

$ ./spf ledeuns.net 185.22.129.1
checking if 185.22.129.1 can send for ledeuns.net: fail
$ ./spf ledeuns.net 185.22.129.11
checking if 185.22.129.11 can send for ledeuns.net: pass
$ ./spf ledeuns.net 2a00:6060:1::1
checking if 2a00:6060:1::1 can send for ledeuns.net: fail



will fix that, thanks



#!/usr/bin/perl

# PURPOSE/FUNCTION
# This program performs recursive DNS lookups of spf records (which are in TXT records)
# and keeps recursing until numeric addresses are reached.  Tested with IP4, but the regex's
# ~should~ function with IP6 addresses.

# INPUT
# filename: text file, one domain per line, # and blank lines ignored.
# STDIN: list of one or more domains to lookup

#OUTPUT
# single numeric address per line
# recursive comments will be included if ($DomainNameComments == 1)

# DEPENDENCIES:
# 1. PERL installed at the above target.
# 2. 'dig' command.

# ASSUMPTIONS:
# 1. This program DOES do recursive spf resolution (i.e. a reverse lookup of ALL spf-authorized sending IP's.)
# 2. This program does NOT do forward MX resolutions (i.e. lookup of where to send mail).

use Switch;

# Global variable which is the final product.
my @IPlist;
my $DomainNameComments = 1;
my @DomainNames;

my $ARGERROR=0;
# The HASH for the command line settings (i.e. arguments).
my %settings =  (   -q  =>  0,  # "quiet" which suppresses comments in output.
                    -d  =>  0   # "debug" which adds debug info to the output.
                );
# Iterate through the args, confirming accuracy and making settings.
foreach my $arg (@ARGV) {
if (exists $settings{$arg}) { 
$settings{$arg} =  1;
}
else {
print "\'$arg\' is invalid argument!\n";
$ARGERROR++;
}
}
# Exit if any invalid arguments.
if ($ARGERROR) { exit; }


# Read domain names from STDIN.
foreach my $line ( <STDIN> ) {
chomp( $line );
foreach my $arg (split(' ',$line)) {
push(@DomainNames,$arg);
}
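The recursive expansion that spf2ip.pl performs, together with the IPv4/IPv6 membership check Denis found broken in the spf tool, as an added Python example that is neither of those programs. It follows ip4:/ip6:/include:/redirect= terms with loop detection and the ten-lookup limit of RFC 7208; the resolver is a callable, and the default one answers from a constructed table of records (shaped like the gmail.com chain above, not real DNS data) so it runs offline.

```python
import ipaddress

# Constructed SPF records (not real DNS data), shaped like the gmail.com
# chain above: a redirect to a policy record that includes two netblock records.
FAKE_TXT = {
    "gmail.example": "v=spf1 redirect=_spf.example",
    "_spf.example": "v=spf1 include:_netblocks.example include:_netblocks2.example ~all",
    "_netblocks.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 ~all",
    "_netblocks2.example": "v=spf1 ip6:2001:db8:10::/48 ip4:203.0.113.7 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

MAX_DNS_TERMS = 10  # RFC 7208 s4.6.4: at most ten DNS-querying terms per check


def fake_lookup(name):
    """Stand-in for a TXT query; pass a real resolver to expand_spf instead."""
    return FAKE_TXT.get(name.lower())


def expand_spf(domain, lookup=fake_lookup):
    """Collect every ip4/ip6 network reachable from `domain`'s SPF record.

    Returns (networks, notes). Like spf2ip.pl this expands everything
    (redirect= is followed unconditionally); notes records loops, missing
    records, the lookup limit, and mechanisms this example does not expand."""
    networks, notes, seen = [], [], set()
    dns_terms = 0

    def walk(name, depth):
        nonlocal dns_terms
        name = name.lower()
        if name in seen:
            notes.append(f"loop: {name} already expanded (depth={depth})")
            return
        seen.add(name)
        record = lookup(name)
        if record is None or not record.startswith("v=spf1"):
            notes.append(f"no SPF record for {name}")
            return
        for term in record.split()[1:]:
            mech = term.lstrip("+-~?")  # drop the qualifier
            if mech.startswith(("ip4:", "ip6:")):
                networks.append(ipaddress.ip_network(mech[4:], strict=False))
            elif mech.startswith(("include:", "redirect=")):
                dns_terms += 1
                if dns_terms > MAX_DNS_TERMS:
                    notes.append("lookup limit exceeded; result incomplete")
                    return
                walk(mech[8:] if mech.startswith("include:") else mech[9:], depth + 1)
            elif mech.split(":", 1)[0] in ("a", "mx", "ptr", "exists"):
                notes.append(f"unexpanded mechanism {term} in {name}")

    walk(domain, 1)
    return networks, notes


def ip_permitted(ip, networks):
    """True if `ip` (v4 or v6 text) falls inside any collected network.

    ipaddress objects keep the address families apart, so an IPv6 sender
    is only ever compared against ip6: networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)
```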